From 673ef24168089555c18ae64982480a3addc39889 Mon Sep 17 00:00:00 2001 
From: Alexis Mousset Date: Tue, 24 Oct 2017 11:18:20 +0200 Subject: [PATCH] Fixes #11655: Import old ncf-openstack-technique in contrib --- contrib/ncf-openstack-technique/.gitignore | 1 + contrib/ncf-openstack-technique/LICENSE | 675 +++ contrib/ncf-openstack-technique/README.md | 43 + contrib/ncf-openstack-technique/Vagrantfile | 72 + .../configuration/compute1/ntpd.json | 5 + .../compute1/openstack_nova_compute.json | 7 + .../compute1/openstack_repository.json | 2 + .../configuration/compute2/ntpd.json | 5 + .../compute2/openstack_nova_compute.json | 7 + .../compute2/openstack_repository.json | 2 + .../configuration/controller/ntpd.json | 8 + .../controller/openstack_glance_api.json | 2 + .../controller/openstack_glance_registry.json | 2 + .../controller/openstack_horizon.json | 2 + .../controller/openstack_keystone.json | 2 + .../controller/openstack_mysql.json | 2 + .../controller/openstack_nova_api.json | 6 + .../controller/openstack_repository.json | 2 + .../configuration/controller/rabbitmq.json | 2 + .../scripts/deploy-rudder.sh | 56 + .../tree/30_generic_methods/data_json.cf | 37 + .../tree/30_generic_methods/data_load.cf | 47 + .../tree/30_generic_methods/data_merge.cf | 42 + .../tree/30_generic_methods/data_read.cf | 47 + .../file_from_template_mustache_data.cf | 64 + .../30_generic_methods/openstack_command.cf | 37 + .../30_generic_methods/variable_string.cf | 44 + .../tree/50_techniques/ntpd/defaults.json | 21 + .../tree/50_techniques/ntpd/ntpd.cf | 18 + .../50_techniques/ntpd/templates/ntp.conf.tpl | 28 + .../openstack_glance_api/defaults.json | 13 + .../openstack_glance_api.cf | 24 + .../templates/glance-api.conf.tpl | 820 ++++ .../openstack_glance_registry/defaults.json | 13 + .../openstack_glance_registry.cf | 22 + .../templates/glance-registry.conf.tpl | 274 ++ .../openstack_horizon/defaults.json | 4 + .../openstack_horizon/openstack_horizon.cf | 24 + .../templates/local_settings.tpl | 638 +++ .../openstack_keystone/defaults.json | 37 + 
.../openstack_keystone/openstack_keystone.cf | 42 + .../templates/identity-init.sh.tpl | 28 + .../templates/keystone-paste.ini.tpl | 106 + .../templates/keystone.conf.tpl | 1735 +++++++ .../templates/openrc.sh.tpl | 7 + .../openstack_mysql/defaults.json | 9 + .../openstack_mysql/openstack_mysql.cf | 26 + .../scripts/init_database_component.sh | 18 + .../scripts/mysql_secure_installation.sh | 9 + .../templates/mariadb_openstack.cnf.tpl | 9 + .../openstack_nova_api/defaults.json | 22 + .../openstack_nova_api/openstack_nova_api.cf | 24 + .../templates/init-network.sh.tpl | 7 + .../templates/nova.conf.tpl | 4015 ++++++++++++++++ .../openstack_nova_compute/defaults.json | 16 + .../openstack_nova_compute.cf | 22 + .../templates/nova.conf.tpl | 4017 +++++++++++++++++ .../openstack_repository.cf | 20 + .../tree/50_techniques/rabbitmq/defaults.json | 7 + .../tree/50_techniques/rabbitmq/rabbitmq.cf | 16 + .../rabbitmq/scripts/set_users.sh | 30 + 61 files changed, 13342 insertions(+) create mode 100644 contrib/ncf-openstack-technique/.gitignore create mode 100644 contrib/ncf-openstack-technique/LICENSE create mode 100644 contrib/ncf-openstack-technique/README.md create mode 100644 contrib/ncf-openstack-technique/Vagrantfile create mode 100644 contrib/ncf-openstack-technique/configuration/compute1/ntpd.json create mode 100644 contrib/ncf-openstack-technique/configuration/compute1/openstack_nova_compute.json create mode 100644 contrib/ncf-openstack-technique/configuration/compute1/openstack_repository.json create mode 100644 contrib/ncf-openstack-technique/configuration/compute2/ntpd.json create mode 100644 contrib/ncf-openstack-technique/configuration/compute2/openstack_nova_compute.json create mode 100644 contrib/ncf-openstack-technique/configuration/compute2/openstack_repository.json create mode 100644 contrib/ncf-openstack-technique/configuration/controller/ntpd.json create mode 100644 contrib/ncf-openstack-technique/configuration/controller/openstack_glance_api.json create 
mode 100644 contrib/ncf-openstack-technique/configuration/controller/openstack_glance_registry.json create mode 100644 contrib/ncf-openstack-technique/configuration/controller/openstack_horizon.json create mode 100644 contrib/ncf-openstack-technique/configuration/controller/openstack_keystone.json create mode 100644 contrib/ncf-openstack-technique/configuration/controller/openstack_mysql.json create mode 100644 contrib/ncf-openstack-technique/configuration/controller/openstack_nova_api.json create mode 100644 contrib/ncf-openstack-technique/configuration/controller/openstack_repository.json create mode 100644 contrib/ncf-openstack-technique/configuration/controller/rabbitmq.json create mode 100644 contrib/ncf-openstack-technique/scripts/deploy-rudder.sh create mode 100644 contrib/ncf-openstack-technique/tree/30_generic_methods/data_json.cf create mode 100644 contrib/ncf-openstack-technique/tree/30_generic_methods/data_load.cf create mode 100644 contrib/ncf-openstack-technique/tree/30_generic_methods/data_merge.cf create mode 100644 contrib/ncf-openstack-technique/tree/30_generic_methods/data_read.cf create mode 100644 contrib/ncf-openstack-technique/tree/30_generic_methods/file_from_template_mustache_data.cf create mode 100644 contrib/ncf-openstack-technique/tree/30_generic_methods/openstack_command.cf create mode 100644 contrib/ncf-openstack-technique/tree/30_generic_methods/variable_string.cf create mode 100644 contrib/ncf-openstack-technique/tree/50_techniques/ntpd/defaults.json create mode 100644 contrib/ncf-openstack-technique/tree/50_techniques/ntpd/ntpd.cf create mode 100644 contrib/ncf-openstack-technique/tree/50_techniques/ntpd/templates/ntp.conf.tpl create mode 100644 contrib/ncf-openstack-technique/tree/50_techniques/openstack_glance_api/defaults.json create mode 100644 contrib/ncf-openstack-technique/tree/50_techniques/openstack_glance_api/openstack_glance_api.cf create mode 100644 
contrib/ncf-openstack-technique/tree/50_techniques/openstack_glance_api/templates/glance-api.conf.tpl create mode 100644 contrib/ncf-openstack-technique/tree/50_techniques/openstack_glance_registry/defaults.json create mode 100644 contrib/ncf-openstack-technique/tree/50_techniques/openstack_glance_registry/openstack_glance_registry.cf create mode 100644 contrib/ncf-openstack-technique/tree/50_techniques/openstack_glance_registry/templates/glance-registry.conf.tpl create mode 100644 contrib/ncf-openstack-technique/tree/50_techniques/openstack_horizon/defaults.json create mode 100644 contrib/ncf-openstack-technique/tree/50_techniques/openstack_horizon/openstack_horizon.cf create mode 100644 contrib/ncf-openstack-technique/tree/50_techniques/openstack_horizon/templates/local_settings.tpl create mode 100644 contrib/ncf-openstack-technique/tree/50_techniques/openstack_keystone/defaults.json create mode 100644 contrib/ncf-openstack-technique/tree/50_techniques/openstack_keystone/openstack_keystone.cf create mode 100644 contrib/ncf-openstack-technique/tree/50_techniques/openstack_keystone/templates/identity-init.sh.tpl create mode 100644 contrib/ncf-openstack-technique/tree/50_techniques/openstack_keystone/templates/keystone-paste.ini.tpl create mode 100644 contrib/ncf-openstack-technique/tree/50_techniques/openstack_keystone/templates/keystone.conf.tpl create mode 100644 contrib/ncf-openstack-technique/tree/50_techniques/openstack_keystone/templates/openrc.sh.tpl create mode 100644 contrib/ncf-openstack-technique/tree/50_techniques/openstack_mysql/defaults.json create mode 100644 contrib/ncf-openstack-technique/tree/50_techniques/openstack_mysql/openstack_mysql.cf create mode 100644 contrib/ncf-openstack-technique/tree/50_techniques/openstack_mysql/scripts/init_database_component.sh create mode 100644 contrib/ncf-openstack-technique/tree/50_techniques/openstack_mysql/scripts/mysql_secure_installation.sh create mode 100644 
contrib/ncf-openstack-technique/tree/50_techniques/openstack_mysql/templates/mariadb_openstack.cnf.tpl create mode 100644 contrib/ncf-openstack-technique/tree/50_techniques/openstack_nova_api/defaults.json create mode 100644 contrib/ncf-openstack-technique/tree/50_techniques/openstack_nova_api/openstack_nova_api.cf create mode 100644 contrib/ncf-openstack-technique/tree/50_techniques/openstack_nova_api/templates/init-network.sh.tpl create mode 100644 contrib/ncf-openstack-technique/tree/50_techniques/openstack_nova_api/templates/nova.conf.tpl create mode 100644 contrib/ncf-openstack-technique/tree/50_techniques/openstack_nova_compute/defaults.json create mode 100644 contrib/ncf-openstack-technique/tree/50_techniques/openstack_nova_compute/openstack_nova_compute.cf create mode 100644 contrib/ncf-openstack-technique/tree/50_techniques/openstack_nova_compute/templates/nova.conf.tpl create mode 100644 contrib/ncf-openstack-technique/tree/50_techniques/openstack_repository/openstack_repository.cf create mode 100644 contrib/ncf-openstack-technique/tree/50_techniques/rabbitmq/defaults.json create mode 100644 contrib/ncf-openstack-technique/tree/50_techniques/rabbitmq/rabbitmq.cf create mode 100644 contrib/ncf-openstack-technique/tree/50_techniques/rabbitmq/scripts/set_users.sh
diff --git a/contrib/ncf-openstack-technique/.gitignore b/contrib/ncf-openstack-technique/.gitignore
new file mode 100644
index 00000000..8000dd9d
--- /dev/null
+++ b/contrib/ncf-openstack-technique/.gitignore
@@ -0,0 +1 @@
+.vagrant
diff --git a/contrib/ncf-openstack-technique/LICENSE b/contrib/ncf-openstack-technique/LICENSE
new file mode 100644
index 00000000..733c0723
--- /dev/null
+++ b/contrib/ncf-openstack-technique/LICENSE
@@ -0,0 +1,675 @@ + GNU GENERAL PUBLIC LICENSE + Version 3, 29 June 2007 + + Copyright (C) 2007 Free Software Foundation, Inc. + Everyone is permitted to copy and distribute verbatim copies + of this license document, but changing it is not allowed. + + Preamble + + The GNU General Public License is a free, copyleft license for +software and other kinds of works. + + The licenses for most software and other practical works are designed +to take away your freedom to share and change the works. By contrast, +the GNU General Public License is intended to guarantee your freedom to +share and change all versions of a program--to make sure it remains free +software for all its users. We, the Free Software Foundation, use the +GNU General Public License for most of our software; it applies also to +any other work released this way by its authors. You can apply it to +your programs, too. + + When we speak of free software, we are referring to freedom, not +price. Our General Public Licenses are designed to make sure that you +have the freedom to distribute copies of free software (and charge for +them if you wish), that you receive source code or can get it if you +want it, that you can change the software or use pieces of it in new +free programs, and that you know you can do these things. + + To protect your rights, we need to prevent others from denying you +these rights or asking you to surrender the rights. Therefore, you have +certain responsibilities if you distribute copies of the software, or if +you modify it: responsibilities to respect the freedom of others. + + For example, if you distribute copies of such a program, whether +gratis or for a fee, you must pass on to the recipients the same +freedoms that you received. You must make sure that they, too, receive +or can get the source code. And you must show them these terms so they +know their rights. 
+ + Developers that use the GNU GPL protect your rights with two steps: +(1) assert copyright on the software, and (2) offer you this License +giving you legal permission to copy, distribute and/or modify it. + + For the developers' and authors' protection, the GPL clearly explains +that there is no warranty for this free software. For both users' and +authors' sake, the GPL requires that modified versions be marked as +changed, so that their problems will not be attributed erroneously to +authors of previous versions. + + Some devices are designed to deny users access to install or run +modified versions of the software inside them, although the manufacturer +can do so. This is fundamentally incompatible with the aim of +protecting users' freedom to change the software. The systematic +pattern of such abuse occurs in the area of products for individuals to +use, which is precisely where it is most unacceptable. Therefore, we +have designed this version of the GPL to prohibit the practice for those +products. If such problems arise substantially in other domains, we +stand ready to extend this provision to those domains in future versions +of the GPL, as needed to protect the freedom of users. + + Finally, every program is threatened constantly by software patents. +States should not allow patents to restrict development and use of +software on general-purpose computers, but in those that do, we wish to +avoid the special danger that patents applied to a free program could +make it effectively proprietary. To prevent this, the GPL assures that +patents cannot be used to render the program non-free. + + The precise terms and conditions for copying, distribution and +modification follow. + + TERMS AND CONDITIONS + + 0. Definitions. + + "This License" refers to version 3 of the GNU General Public License. + + "Copyright" also means copyright-like laws that apply to other kinds of +works, such as semiconductor masks. 
+ + "The Program" refers to any copyrightable work licensed under this +License. Each licensee is addressed as "you". "Licensees" and +"recipients" may be individuals or organizations. + + To "modify" a work means to copy from or adapt all or part of the work +in a fashion requiring copyright permission, other than the making of an +exact copy. The resulting work is called a "modified version" of the +earlier work or a work "based on" the earlier work. + + A "covered work" means either the unmodified Program or a work based +on the Program. + + To "propagate" a work means to do anything with it that, without +permission, would make you directly or secondarily liable for +infringement under applicable copyright law, except executing it on a +computer or modifying a private copy. Propagation includes copying, +distribution (with or without modification), making available to the +public, and in some countries other activities as well. + + To "convey" a work means any kind of propagation that enables other +parties to make or receive copies. Mere interaction with a user through +a computer network, with no transfer of a copy, is not conveying. + + An interactive user interface displays "Appropriate Legal Notices" +to the extent that it includes a convenient and prominently visible +feature that (1) displays an appropriate copyright notice, and (2) +tells the user that there is no warranty for the work (except to the +extent that warranties are provided), that licensees may convey the +work under this License, and how to view a copy of this License. If +the interface presents a list of user commands or options, such as a +menu, a prominent item in the list meets this criterion. + + 1. Source Code. + + The "source code" for a work means the preferred form of the work +for making modifications to it. "Object code" means any non-source +form of a work. 
+ + A "Standard Interface" means an interface that either is an official +standard defined by a recognized standards body, or, in the case of +interfaces specified for a particular programming language, one that +is widely used among developers working in that language. + + The "System Libraries" of an executable work include anything, other +than the work as a whole, that (a) is included in the normal form of +packaging a Major Component, but which is not part of that Major +Component, and (b) serves only to enable use of the work with that +Major Component, or to implement a Standard Interface for which an +implementation is available to the public in source code form. A +"Major Component", in this context, means a major essential component +(kernel, window system, and so on) of the specific operating system +(if any) on which the executable work runs, or a compiler used to +produce the work, or an object code interpreter used to run it. + + The "Corresponding Source" for a work in object code form means all +the source code needed to generate, install, and (for an executable +work) run the object code and to modify the work, including scripts to +control those activities. However, it does not include the work's +System Libraries, or general-purpose tools or generally available free +programs which are used unmodified in performing those activities but +which are not part of the work. For example, Corresponding Source +includes interface definition files associated with source files for +the work, and the source code for shared libraries and dynamically +linked subprograms that the work is specifically designed to require, +such as by intimate data communication or control flow between those +subprograms and other parts of the work. + + The Corresponding Source need not include anything that users +can regenerate automatically from other parts of the Corresponding +Source. + + The Corresponding Source for a work in source code form is that +same work. + + 2. 
Basic Permissions. + + All rights granted under this License are granted for the term of +copyright on the Program, and are irrevocable provided the stated +conditions are met. This License explicitly affirms your unlimited +permission to run the unmodified Program. The output from running a +covered work is covered by this License only if the output, given its +content, constitutes a covered work. This License acknowledges your +rights of fair use or other equivalent, as provided by copyright law. + + You may make, run and propagate covered works that you do not +convey, without conditions so long as your license otherwise remains +in force. You may convey covered works to others for the sole purpose +of having them make modifications exclusively for you, or provide you +with facilities for running those works, provided that you comply with +the terms of this License in conveying all material for which you do +not control copyright. Those thus making or running the covered works +for you must do so exclusively on your behalf, under your direction +and control, on terms that prohibit them from making any copies of +your copyrighted material outside their relationship with you. + + Conveying under any other circumstances is permitted solely under +the conditions stated below. Sublicensing is not allowed; section 10 +makes it unnecessary. + + 3. Protecting Users' Legal Rights From Anti-Circumvention Law. + + No covered work shall be deemed part of an effective technological +measure under any applicable law fulfilling obligations under article +11 of the WIPO copyright treaty adopted on 20 December 1996, or +similar laws prohibiting or restricting circumvention of such +measures. 
+ + When you convey a covered work, you waive any legal power to forbid +circumvention of technological measures to the extent such circumvention +is effected by exercising rights under this License with respect to +the covered work, and you disclaim any intention to limit operation or +modification of the work as a means of enforcing, against the work's +users, your or third parties' legal rights to forbid circumvention of +technological measures. + + 4. Conveying Verbatim Copies. + + You may convey verbatim copies of the Program's source code as you +receive it, in any medium, provided that you conspicuously and +appropriately publish on each copy an appropriate copyright notice; +keep intact all notices stating that this License and any +non-permissive terms added in accord with section 7 apply to the code; +keep intact all notices of the absence of any warranty; and give all +recipients a copy of this License along with the Program. + + You may charge any price or no price for each copy that you convey, +and you may offer support or warranty protection for a fee. + + 5. Conveying Modified Source Versions. + + You may convey a work based on the Program, or the modifications to +produce it from the Program, in the form of source code under the +terms of section 4, provided that you also meet all of these conditions: + + a) The work must carry prominent notices stating that you modified + it, and giving a relevant date. + + b) The work must carry prominent notices stating that it is + released under this License and any conditions added under section + 7. This requirement modifies the requirement in section 4 to + "keep intact all notices". + + c) You must license the entire work, as a whole, under this + License to anyone who comes into possession of a copy. This + License will therefore apply, along with any applicable section 7 + additional terms, to the whole of the work, and all its parts, + regardless of how they are packaged. 
This License gives no + permission to license the work in any other way, but it does not + invalidate such permission if you have separately received it. + + d) If the work has interactive user interfaces, each must display + Appropriate Legal Notices; however, if the Program has interactive + interfaces that do not display Appropriate Legal Notices, your + work need not make them do so. + + A compilation of a covered work with other separate and independent +works, which are not by their nature extensions of the covered work, +and which are not combined with it such as to form a larger program, +in or on a volume of a storage or distribution medium, is called an +"aggregate" if the compilation and its resulting copyright are not +used to limit the access or legal rights of the compilation's users +beyond what the individual works permit. Inclusion of a covered work +in an aggregate does not cause this License to apply to the other +parts of the aggregate. + + 6. Conveying Non-Source Forms. + + You may convey a covered work in object code form under the terms +of sections 4 and 5, provided that you also convey the +machine-readable Corresponding Source under the terms of this License, +in one of these ways: + + a) Convey the object code in, or embodied in, a physical product + (including a physical distribution medium), accompanied by the + Corresponding Source fixed on a durable physical medium + customarily used for software interchange. 
+ + b) Convey the object code in, or embodied in, a physical product + (including a physical distribution medium), accompanied by a + written offer, valid for at least three years and valid for as + long as you offer spare parts or customer support for that product + model, to give anyone who possesses the object code either (1) a + copy of the Corresponding Source for all the software in the + product that is covered by this License, on a durable physical + medium customarily used for software interchange, for a price no + more than your reasonable cost of physically performing this + conveying of source, or (2) access to copy the + Corresponding Source from a network server at no charge. + + c) Convey individual copies of the object code with a copy of the + written offer to provide the Corresponding Source. This + alternative is allowed only occasionally and noncommercially, and + only if you received the object code with such an offer, in accord + with subsection 6b. + + d) Convey the object code by offering access from a designated + place (gratis or for a charge), and offer equivalent access to the + Corresponding Source in the same way through the same place at no + further charge. You need not require recipients to copy the + Corresponding Source along with the object code. If the place to + copy the object code is a network server, the Corresponding Source + may be on a different server (operated by you or a third party) + that supports equivalent copying facilities, provided you maintain + clear directions next to the object code saying where to find the + Corresponding Source. Regardless of what server hosts the + Corresponding Source, you remain obligated to ensure that it is + available for as long as needed to satisfy these requirements. 
+ + e) Convey the object code using peer-to-peer transmission, provided + you inform other peers where the object code and Corresponding + Source of the work are being offered to the general public at no + charge under subsection 6d. + + A separable portion of the object code, whose source code is excluded +from the Corresponding Source as a System Library, need not be +included in conveying the object code work. + + A "User Product" is either (1) a "consumer product", which means any +tangible personal property which is normally used for personal, family, +or household purposes, or (2) anything designed or sold for incorporation +into a dwelling. In determining whether a product is a consumer product, +doubtful cases shall be resolved in favor of coverage. For a particular +product received by a particular user, "normally used" refers to a +typical or common use of that class of product, regardless of the status +of the particular user or of the way in which the particular user +actually uses, or expects or is expected to use, the product. A product +is a consumer product regardless of whether the product has substantial +commercial, industrial or non-consumer uses, unless such uses represent +the only significant mode of use of the product. + + "Installation Information" for a User Product means any methods, +procedures, authorization keys, or other information required to install +and execute modified versions of a covered work in that User Product from +a modified version of its Corresponding Source. The information must +suffice to ensure that the continued functioning of the modified object +code is in no case prevented or interfered with solely because +modification has been made. 
+ + If you convey an object code work under this section in, or with, or +specifically for use in, a User Product, and the conveying occurs as +part of a transaction in which the right of possession and use of the +User Product is transferred to the recipient in perpetuity or for a +fixed term (regardless of how the transaction is characterized), the +Corresponding Source conveyed under this section must be accompanied +by the Installation Information. But this requirement does not apply +if neither you nor any third party retains the ability to install +modified object code on the User Product (for example, the work has +been installed in ROM). + + The requirement to provide Installation Information does not include a +requirement to continue to provide support service, warranty, or updates +for a work that has been modified or installed by the recipient, or for +the User Product in which it has been modified or installed. Access to a +network may be denied when the modification itself materially and +adversely affects the operation of the network or violates the rules and +protocols for communication across the network. + + Corresponding Source conveyed, and Installation Information provided, +in accord with this section must be in a format that is publicly +documented (and with an implementation available to the public in +source code form), and must require no special password or key for +unpacking, reading or copying. + + 7. Additional Terms. + + "Additional permissions" are terms that supplement the terms of this +License by making exceptions from one or more of its conditions. +Additional permissions that are applicable to the entire Program shall +be treated as though they were included in this License, to the extent +that they are valid under applicable law. 
If additional permissions +apply only to part of the Program, that part may be used separately +under those permissions, but the entire Program remains governed by +this License without regard to the additional permissions. + + When you convey a copy of a covered work, you may at your option +remove any additional permissions from that copy, or from any part of +it. (Additional permissions may be written to require their own +removal in certain cases when you modify the work.) You may place +additional permissions on material, added by you to a covered work, +for which you have or can give appropriate copyright permission. + + Notwithstanding any other provision of this License, for material you +add to a covered work, you may (if authorized by the copyright holders of +that material) supplement the terms of this License with terms: + + a) Disclaiming warranty or limiting liability differently from the + terms of sections 15 and 16 of this License; or + + b) Requiring preservation of specified reasonable legal notices or + author attributions in that material or in the Appropriate Legal + Notices displayed by works containing it; or + + c) Prohibiting misrepresentation of the origin of that material, or + requiring that modified versions of such material be marked in + reasonable ways as different from the original version; or + + d) Limiting the use for publicity purposes of names of licensors or + authors of the material; or + + e) Declining to grant rights under trademark law for use of some + trade names, trademarks, or service marks; or + + f) Requiring indemnification of licensors and authors of that + material by anyone who conveys the material (or modified versions of + it) with contractual assumptions of liability to the recipient, for + any liability that these contractual assumptions directly impose on + those licensors and authors. + + All other non-permissive additional terms are considered "further +restrictions" within the meaning of section 10. 
If the Program as you +received it, or any part of it, contains a notice stating that it is +governed by this License along with a term that is a further +restriction, you may remove that term. If a license document contains +a further restriction but permits relicensing or conveying under this +License, you may add to a covered work material governed by the terms +of that license document, provided that the further restriction does +not survive such relicensing or conveying. + + If you add terms to a covered work in accord with this section, you +must place, in the relevant source files, a statement of the +additional terms that apply to those files, or a notice indicating +where to find the applicable terms. + + Additional terms, permissive or non-permissive, may be stated in the +form of a separately written license, or stated as exceptions; +the above requirements apply either way. + + 8. Termination. + + You may not propagate or modify a covered work except as expressly +provided under this License. Any attempt otherwise to propagate or +modify it is void, and will automatically terminate your rights under +this License (including any patent licenses granted under the third +paragraph of section 11). + + However, if you cease all violation of this License, then your +license from a particular copyright holder is reinstated (a) +provisionally, unless and until the copyright holder explicitly and +finally terminates your license, and (b) permanently, if the copyright +holder fails to notify you of the violation by some reasonable means +prior to 60 days after the cessation. + + Moreover, your license from a particular copyright holder is +reinstated permanently if the copyright holder notifies you of the +violation by some reasonable means, this is the first time you have +received notice of violation of this License (for any work) from that +copyright holder, and you cure the violation prior to 30 days after +your receipt of the notice. 
+ + Termination of your rights under this section does not terminate the +licenses of parties who have received copies or rights from you under +this License. If your rights have been terminated and not permanently +reinstated, you do not qualify to receive new licenses for the same +material under section 10. + + 9. Acceptance Not Required for Having Copies. + + You are not required to accept this License in order to receive or +run a copy of the Program. Ancillary propagation of a covered work +occurring solely as a consequence of using peer-to-peer transmission +to receive a copy likewise does not require acceptance. However, +nothing other than this License grants you permission to propagate or +modify any covered work. These actions infringe copyright if you do +not accept this License. Therefore, by modifying or propagating a +covered work, you indicate your acceptance of this License to do so. + + 10. Automatic Licensing of Downstream Recipients. + + Each time you convey a covered work, the recipient automatically +receives a license from the original licensors, to run, modify and +propagate that work, subject to this License. You are not responsible +for enforcing compliance by third parties with this License. + + An "entity transaction" is a transaction transferring control of an +organization, or substantially all assets of one, or subdividing an +organization, or merging organizations. If propagation of a covered +work results from an entity transaction, each party to that +transaction who receives a copy of the work also receives whatever +licenses to the work the party's predecessor in interest had or could +give under the previous paragraph, plus a right to possession of the +Corresponding Source of the work from the predecessor in interest, if +the predecessor has it or can get it with reasonable efforts. + + You may not impose any further restrictions on the exercise of the +rights granted or affirmed under this License. 
For example, you may +not impose a license fee, royalty, or other charge for exercise of +rights granted under this License, and you may not initiate litigation +(including a cross-claim or counterclaim in a lawsuit) alleging that +any patent claim is infringed by making, using, selling, offering for +sale, or importing the Program or any portion of it. + + 11. Patents. + + A "contributor" is a copyright holder who authorizes use under this +License of the Program or a work on which the Program is based. The +work thus licensed is called the contributor's "contributor version". + + A contributor's "essential patent claims" are all patent claims +owned or controlled by the contributor, whether already acquired or +hereafter acquired, that would be infringed by some manner, permitted +by this License, of making, using, or selling its contributor version, +but do not include claims that would be infringed only as a +consequence of further modification of the contributor version. For +purposes of this definition, "control" includes the right to grant +patent sublicenses in a manner consistent with the requirements of +this License. + + Each contributor grants you a non-exclusive, worldwide, royalty-free +patent license under the contributor's essential patent claims, to +make, use, sell, offer for sale, import and otherwise run, modify and +propagate the contents of its contributor version. + + In the following three paragraphs, a "patent license" is any express +agreement or commitment, however denominated, not to enforce a patent +(such as an express permission to practice a patent or covenant not to +sue for patent infringement). To "grant" such a patent license to a +party means to make such an agreement or commitment not to enforce a +patent against the party. 
+ + If you convey a covered work, knowingly relying on a patent license, +and the Corresponding Source of the work is not available for anyone +to copy, free of charge and under the terms of this License, through a +publicly available network server or other readily accessible means, +then you must either (1) cause the Corresponding Source to be so +available, or (2) arrange to deprive yourself of the benefit of the +patent license for this particular work, or (3) arrange, in a manner +consistent with the requirements of this License, to extend the patent +license to downstream recipients. "Knowingly relying" means you have +actual knowledge that, but for the patent license, your conveying the +covered work in a country, or your recipient's use of the covered work +in a country, would infringe one or more identifiable patents in that +country that you have reason to believe are valid. + + If, pursuant to or in connection with a single transaction or +arrangement, you convey, or propagate by procuring conveyance of, a +covered work, and grant a patent license to some of the parties +receiving the covered work authorizing them to use, propagate, modify +or convey a specific copy of the covered work, then the patent license +you grant is automatically extended to all recipients of the covered +work and works based on it. + + A patent license is "discriminatory" if it does not include within +the scope of its coverage, prohibits the exercise of, or is +conditioned on the non-exercise of one or more of the rights that are +specifically granted under this License. 
You may not convey a covered +work if you are a party to an arrangement with a third party that is +in the business of distributing software, under which you make payment +to the third party based on the extent of your activity of conveying +the work, and under which the third party grants, to any of the +parties who would receive the covered work from you, a discriminatory +patent license (a) in connection with copies of the covered work +conveyed by you (or copies made from those copies), or (b) primarily +for and in connection with specific products or compilations that +contain the covered work, unless you entered into that arrangement, +or that patent license was granted, prior to 28 March 2007. + + Nothing in this License shall be construed as excluding or limiting +any implied license or other defenses to infringement that may +otherwise be available to you under applicable patent law. + + 12. No Surrender of Others' Freedom. + + If conditions are imposed on you (whether by court order, agreement or +otherwise) that contradict the conditions of this License, they do not +excuse you from the conditions of this License. If you cannot convey a +covered work so as to satisfy simultaneously your obligations under this +License and any other pertinent obligations, then as a consequence you may +not convey it at all. For example, if you agree to terms that obligate you +to collect a royalty for further conveying from those to whom you convey +the Program, the only way you could satisfy both those terms and this +License would be to refrain entirely from conveying the Program. + + 13. Use with the GNU Affero General Public License. + + Notwithstanding any other provision of this License, you have +permission to link or combine any covered work with a work licensed +under version 3 of the GNU Affero General Public License into a single +combined work, and to convey the resulting work. 
The terms of this +License will continue to apply to the part which is the covered work, +but the special requirements of the GNU Affero General Public License, +section 13, concerning interaction through a network will apply to the +combination as such. + + 14. Revised Versions of this License. + + The Free Software Foundation may publish revised and/or new versions of +the GNU General Public License from time to time. Such new versions will +be similar in spirit to the present version, but may differ in detail to +address new problems or concerns. + + Each version is given a distinguishing version number. If the +Program specifies that a certain numbered version of the GNU General +Public License "or any later version" applies to it, you have the +option of following the terms and conditions either of that numbered +version or of any later version published by the Free Software +Foundation. If the Program does not specify a version number of the +GNU General Public License, you may choose any version ever published +by the Free Software Foundation. + + If the Program specifies that a proxy can decide which future +versions of the GNU General Public License can be used, that proxy's +public statement of acceptance of a version permanently authorizes you +to choose that version for the Program. + + Later license versions may give you additional or different +permissions. However, no additional obligations are imposed on any +author or copyright holder as a result of your choosing to follow a +later version. + + 15. Disclaimer of Warranty. + + THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY +APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT +HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY +OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, +THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR +PURPOSE. 
THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM +IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF +ALL NECESSARY SERVICING, REPAIR OR CORRECTION. + + 16. Limitation of Liability. + + IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING +WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS +THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY +GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE +USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF +DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD +PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), +EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF +SUCH DAMAGES. + + 17. Interpretation of Sections 15 and 16. + + If the disclaimer of warranty and limitation of liability provided +above cannot be given local legal effect according to their terms, +reviewing courts shall apply local law that most closely approximates +an absolute waiver of all civil liability in connection with the +Program, unless a warranty or assumption of liability accompanies a +copy of the Program in return for a fee. + + END OF TERMS AND CONDITIONS + + How to Apply These Terms to Your New Programs + + If you develop a new program, and you want it to be of the greatest +possible use to the public, the best way to achieve this is to make it +free software which everyone can redistribute and change under these terms. + + To do so, attach the following notices to the program. It is safest +to attach them to the start of each source file to most effectively +state the exclusion of warranty; and each file should have at least +the "copyright" line and a pointer to where the full notice is found. 
+ + {one line to give the program's name and a brief idea of what it does.} + Copyright (C) {year} {name of author} + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . + +Also add information on how to contact you by electronic and paper mail. + + If the program does terminal interaction, make it output a short +notice like this when it starts in an interactive mode: + + {project} Copyright (C) {year} {fullname} + This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'. + This is free software, and you are welcome to redistribute it + under certain conditions; type `show c' for details. + +The hypothetical commands `show w' and `show c' should show the appropriate +parts of the General Public License. Of course, your program's commands +might be different; for a GUI interface, you would use an "about box". + + You should also get your employer (if you work as a programmer) or school, +if any, to sign a "copyright disclaimer" for the program, if necessary. +For more information on this, and how to apply and follow the GNU GPL, see +. + + The GNU General Public License does not permit incorporating your program +into proprietary programs. If your program is a subroutine library, you +may consider it more useful to permit linking proprietary applications with +the library. If this is what you want to do, use the GNU Lesser General +Public License instead of this License. But first, please read +. + 
diff --git a/contrib/ncf-openstack-technique/README.md b/contrib/ncf-openstack-technique/README.md
new file mode 100644
index 00000000..e28b2321
--- /dev/null
+++ b/contrib/ncf-openstack-technique/README.md
@@ -0,0 +1,43 @@
+# rudder-openstack
+
+*WARNING*: This configuration is experimental and outdated.*
+
+The repository contains Rudder techniques to deploy and maintain a simple OpenStack infrastructure.
+
+The master branch tracks OpenStack Kilo. The deployment has only been tested on CentOS, but should be easy to adapt to Ubuntu. It does not provide choice over the backends, and choses:
+* RabbitMQ as message queue
+* MariaDB as database
+
+## Introduction
+
+There are techniques for each component:
+
+* ntpd: configure an NTP service
+* openstack_repository: configure OpenStack repositories
+* rabbitmq: configure RabbitMQ
+* opnstack_mysql: configure MySQL/MariaDB
+* openstack_keystone: configure the *Identity* service
+* openstack_horizon: configure the *Dashboard* service
+* openstack_nova_compute: configure the *Compute* service on an hypervisor
+* openstack_nova_api: configure the *Compute* service on a controller
+* openstack_glance_api: configure the *Image* service on a controller
+* openstack_glance_registry: configure the *Image* service on an image node
+
+The techniques objective:
+* KISS: every component is configured separately from the others
+* Security: Rudder enforces a secured and hardened configuration
+* Compliance: the techniques focus on
+
+## Installation
+
+A sample environment for testing and development is provided using Vagrant. Just use
+
+```
+vagrant up
+```
+
+to get the demo OpenStack deployment. The dashboard should then be accessible at http://localhost:8082/dashboard.
+
+It will deploy:
+* A controller with the *Identity* and *Image* service
+* Two *Compute* nodes as hypervisors
diff --git a/contrib/ncf-openstack-technique/Vagrantfile b/contrib/ncf-openstack-technique/Vagrantfile
new file mode 100644
index 00000000..3fa54c61
--- /dev/null
+++ b/contrib/ncf-openstack-technique/Vagrantfile
@@ -0,0 +1,72 @@
+Vagrant.configure("2") do |config|
+
+ # Specify the base box
+ config.vm.box = "chef/centos-7.0"
+
+ # 10 : Configuration management
+ # 20 : OpenStack management
+ # 30 : OpenStack storage (not used)
+
+ config.vm.define "server" do |rudder|
+ rudder.vm.network "private_network", ip: "192.168.10.10"
+ rudder.vm.network :forwarded_port, guest: 443, host: 8081
+
+ rudder.vm.provider :virtualbox do |vb|
+ vb.customize ["modifyvm", :id, "--memory", 2048]
+ end
+
+ # Shell provisioning
+ rudder.vm.provision "shell" do |s|
+ s.path = "scripts/deploy-rudder.sh"
+ s.args = "server server"
+ end
+ end
+
+ config.vm.define "controller" do |controller|
+ controller.vm.network "private_network", ip: "192.168.10.2"
+ controller.vm.network "private_network", ip: "192.168.20.2"
+ controller.vm.network :forwarded_port, guest: 80, host: 8082
+
+ controller.vm.provider :virtualbox do |vb|
+ vb.customize ["modifyvm", :id, "--memory", 2048]
+ end
+
+ # Shell provisioning
+ controller.vm.provision "shell" do |s|
+ s.path = "scripts/deploy-rudder.sh"
+ s.args = "agent controller"
+ end
+ end
+
+ config.vm.define "compute1" do |compute1|
+ compute1.vm.network "private_network", ip: "192.168.10.3"
+ compute1.vm.network "private_network", ip: "192.168.20.3"
+ compute1.vm.network "private_network", ip: "192.168.30.3"
+
+ compute1.vm.provider :virtualbox do |vb|
+ vb.customize ["modifyvm", :id, "--memory", 1024]
+ end
+
+ # Shell provisioning
+ compute1.vm.provision "shell" do |s|
+ s.path = "scripts/deploy-rudder.sh"
+ s.args = "agent compute1"
+ end
+ end
+
+ config.vm.define "compute2" do |compute2|
+ compute2.vm.network "private_network", ip: "192.168.10.4"
+ compute2.vm.network "private_network", ip: "192.168.20.4"
+ compute2.vm.network "private_network", ip: "192.168.30.4"
+
+ compute2.vm.provider :virtualbox do |vb|
+ vb.customize ["modifyvm", :id, "--memory", 1024]
+ end
+
+ # Shell provisioning
+ compute2.vm.provision "shell" do |s|
+ s.path = "scripts/deploy-rudder.sh"
+ s.args = "agent compute2"
+ end
+ end
+end
diff --git a/contrib/ncf-openstack-technique/configuration/compute1/ntpd.json b/contrib/ncf-openstack-technique/configuration/compute1/ntpd.json
new file mode 100644
index 00000000..1a53a16b
--- /dev/null
+++ b/contrib/ncf-openstack-technique/configuration/compute1/ntpd.json
@@ -0,0 +1,5 @@
+{
+ "servers": [
+ {"address": "server", "options": "iburst"}
+ ]
+}
diff --git a/contrib/ncf-openstack-technique/configuration/compute1/openstack_nova_compute.json b/contrib/ncf-openstack-technique/configuration/compute1/openstack_nova_compute.json
new file mode 100644
index 00000000..b88f1135
--- /dev/null
+++ b/contrib/ncf-openstack-technique/configuration/compute1/openstack_nova_compute.json
@@ -0,0 +1,7 @@
+{
+ "management_ip": "192.168.20.3",
+ "rabbit": {
+ "user": "openstack_compute2",
+ "password": "rabbitmq_password"
+ }
+}
diff --git a/contrib/ncf-openstack-technique/configuration/compute1/openstack_repository.json b/contrib/ncf-openstack-technique/configuration/compute1/openstack_repository.json
new file mode 100644
index 00000000..2c63c085
--- /dev/null
+++ b/contrib/ncf-openstack-technique/configuration/compute1/openstack_repository.json
@@ -0,0 +1,2 @@
+{
+}
diff --git a/contrib/ncf-openstack-technique/configuration/compute2/ntpd.json b/contrib/ncf-openstack-technique/configuration/compute2/ntpd.json
new file mode 100644
index 00000000..1a53a16b
--- /dev/null
+++ b/contrib/ncf-openstack-technique/configuration/compute2/ntpd.json
@@ -0,0 +1,5 @@
+{
+ "servers": [
+ {"address": "server", "options": "iburst"}
+ ]
+}
diff --git a/contrib/ncf-openstack-technique/configuration/compute2/openstack_nova_compute.json b/contrib/ncf-openstack-technique/configuration/compute2/openstack_nova_compute.json
new file mode 100644
index 00000000..590cedd8
--- /dev/null
+++ b/contrib/ncf-openstack-technique/configuration/compute2/openstack_nova_compute.json
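Review bot: The two `forwarded_port` lines (Rudder UI guest 443 → host 8081, Horizon guest 80 → host 8082) give no `host_ip`, and depending on the Vagrant version an unspecified `host_ip` may bind the forward on every host interface rather than on loopback; since the provisioning script turns the guest firewalls off and the sample configuration ships fixed credentials, that can expose the demo stack beyond the developer's own machine. Pin both forwards to loopback, e.g. `rudder.vm.network :forwarded_port, guest: 443, host: 8081, host_ip: "127.0.0.1"` and `controller.vm.network :forwarded_port, guest: 80, host: 8082, host_ip: "127.0.0.1"`. The base box `chef/centos-7.0` is also taken without `box_version` or checksum, so what actually gets provisioned depends on whatever the box registry serves at the time; a comment stating this is a throwaway lab image would at least make the trade-off explicit.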
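Review bot: The RabbitMQ user names appear swapped between the hypervisors: this compute1 file sets `"user": "openstack_compute2"` while the compute2 file in the next hunk sets `openstack_compute1`; if the RabbitMQ technique provisions one account per node, each hypervisor would be authenticating as the other, and at minimum it makes broker-side auditing misleading — the line here should presumably read `"user": "openstack_compute1"`. Both compute files and controller/openstack_nova_api.json also share the literal `"password": "rabbitmq_password"`, which sits oddly next to the README's claim that the techniques enforce a hardened configuration. JSON cannot carry a comment, so the README installation section is the place to state that these sample credentials must be replaced before anything but a disposable lab.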
@@ -0,0 +1,7 @@
+{
+ "management_ip": "192.168.20.4",
+ "rabbit": {
+ "user": "openstack_compute1",
+ "password": "rabbitmq_password"
+ }
+}
diff --git a/contrib/ncf-openstack-technique/configuration/compute2/openstack_repository.json b/contrib/ncf-openstack-technique/configuration/compute2/openstack_repository.json
new file mode 100644
index 00000000..2c63c085
--- /dev/null
+++ b/contrib/ncf-openstack-technique/configuration/compute2/openstack_repository.json
@@ -0,0 +1,2 @@
+{
+}
diff --git a/contrib/ncf-openstack-technique/configuration/controller/ntpd.json b/contrib/ncf-openstack-technique/configuration/controller/ntpd.json
new file mode 100644
index 00000000..c1094e61
--- /dev/null
+++ b/contrib/ncf-openstack-technique/configuration/controller/ntpd.json
@@ -0,0 +1,8 @@
+{
+ "restricts": [
+ {"address": "-4", "options": "default kod notrap nomodify"},
+ {"address": "-6", "options": "default kod notrap nomodify"},
+ {"address": "127.0.0.1", "options": ""},
+ {"address": "::1", "options": ""}
+ ]
+}
diff --git a/contrib/ncf-openstack-technique/configuration/controller/openstack_glance_api.json b/contrib/ncf-openstack-technique/configuration/controller/openstack_glance_api.json
new file mode 100644
index 00000000..7a73a41b
--- /dev/null
+++ b/contrib/ncf-openstack-technique/configuration/controller/openstack_glance_api.json
@@ -0,0 +1,2 @@
+{
+}
\ No newline at end of file
diff --git a/contrib/ncf-openstack-technique/configuration/controller/openstack_glance_registry.json b/contrib/ncf-openstack-technique/configuration/controller/openstack_glance_registry.json
new file mode 100644
index 00000000..7a73a41b
--- /dev/null
+++ b/contrib/ncf-openstack-technique/configuration/controller/openstack_glance_registry.json
@@ -0,0 +1,2 @@
+{
+}
\ No newline at end of file
diff --git a/contrib/ncf-openstack-technique/configuration/controller/openstack_horizon.json b/contrib/ncf-openstack-technique/configuration/controller/openstack_horizon.json
new file mode 100644
index 00000000..7a73a41b
--- /dev/null
+++ b/contrib/ncf-openstack-technique/configuration/controller/openstack_horizon.json
@@ -0,0 +1,2 @@
+{
+}
\ No newline at end of file
diff --git a/contrib/ncf-openstack-technique/configuration/controller/openstack_keystone.json b/contrib/ncf-openstack-technique/configuration/controller/openstack_keystone.json
new file mode 100644
index 00000000..7a73a41b
--- /dev/null
+++ b/contrib/ncf-openstack-technique/configuration/controller/openstack_keystone.json
@@ -0,0 +1,2 @@
+{
+}
\ No newline at end of file
diff --git a/contrib/ncf-openstack-technique/configuration/controller/openstack_mysql.json b/contrib/ncf-openstack-technique/configuration/controller/openstack_mysql.json
new file mode 100644
index 00000000..2c63c085
--- /dev/null
+++ b/contrib/ncf-openstack-technique/configuration/controller/openstack_mysql.json
@@ -0,0 +1,2 @@
+{
+}
diff --git a/contrib/ncf-openstack-technique/configuration/controller/openstack_nova_api.json b/contrib/ncf-openstack-technique/configuration/controller/openstack_nova_api.json
new file mode 100644
index 00000000..c6db01e6
--- /dev/null
+++ b/contrib/ncf-openstack-technique/configuration/controller/openstack_nova_api.json
@@ -0,0 +1,6 @@
+{
+ "rabbit": {
+ "user": "openstack_controller1",
+ "password": "rabbitmq_password"
+ }
+}
\ No newline at end of file
diff --git a/contrib/ncf-openstack-technique/configuration/controller/openstack_repository.json b/contrib/ncf-openstack-technique/configuration/controller/openstack_repository.json
new file mode 100644
index 00000000..2c63c085
--- /dev/null
+++ b/contrib/ncf-openstack-technique/configuration/controller/openstack_repository.json
@@ -0,0 +1,2 @@
+{
+}
diff --git a/contrib/ncf-openstack-technique/configuration/controller/rabbitmq.json b/contrib/ncf-openstack-technique/configuration/controller/rabbitmq.json
new file mode 100644
index 00000000..2c63c085
--- /dev/null
+++ b/contrib/ncf-openstack-technique/configuration/controller/rabbitmq.json
@@ -0,0 +1,2 @@
+{
+}
diff --git a/contrib/ncf-openstack-technique/scripts/deploy-rudder.sh b/contrib/ncf-openstack-technique/scripts/deploy-rudder.sh
new file mode 100644
index 00000000..9530f040
--- /dev/null
+++ b/contrib/ncf-openstack-technique/scripts/deploy-rudder.sh
@@ -0,0 +1,56 @@
+#!/bin/sh
+
+role=$1
+hostname=$2
+
+install_agent() {
+ yum install -y rudder-agent
+ echo 'server.rudder.local' > /var/rudder/cfengine-community/policy_server.dat
+ rudder agent run
+ mkdir -p /etc/rudder/openstack && sudo cp -r /vagrant/configuration/${hostname}/* /etc/rudder/openstack/
+}
+
+install_server() {
+ setenforce 0
+ yum install -y rudder-server-root
+ /opt/rudder/bin/rudder-init "no" "192.168.10.0/24"
+ cp -r /vagrant/tree/30_generic_methods/* /usr/share/ncf/tree/30_generic_methods/
+ cp -r /vagrant/tree/40_it_ops_knowledge/* /usr/share/ncf/tree/40_it_ops_knowledge/
+ cp -r /vagrant/tree/50_techniques /var/rudder/configuration-repository/ncf/
+ cd /var/rudder/configuration-repository/ncf/ && sudo chown -R ncf-api-venv:rudder . && sudo git add . && sudo git commit -m 'Add OpenStack techniques'
+ rudder agent update
+ rudder agent run
+}
+
+####
+
+chkconfig iptables off 2>/dev/null
+chkconfig firewalld off 2>/dev/null
+service iptables stop 2>/dev/null
+service firewalld stop 2>/dev/null
+
+echo "[Rudder_3.1]
+name=Rudder 3.1 EL repository
+baseurl=http://www.rudder-project.org/rpm-3.1/RHEL_7/
+gpgcheck=1
+gpgkey=http://www.rudder-project.org/rpm-3.1/RHEL_7/repodata/repomd.xml.key" > /etc/yum.repos.d/rudder.repo
+
+echo "127.0.0.1 localhost ${hostname} ${hostname}.rudder.local
+192.168.10.10 server.rudder.local
+192.168.10.2 controller.rudder.local
+192.168.10.3 compute1.rudder.local
+192.168.10.4 compute2.rudder.local
+192.168.20.2 controller
+192.168.20.3 compute1
+192.168.20.4 compute2" > /etc/hosts
+
+echo "${hostname}" > /etc/hostname
+
+echo "domain rudder.local
+search rudder.local
+nameserver 8.8.8.8" > /etc/resolv.conf
+
+case "$role" in
+ "agent" ) install_agent;;
+ "server") install_server;;
+esac
diff --git a/contrib/ncf-openstack-technique/tree/30_generic_methods/data_json.cf b/contrib/ncf-openstack-technique/tree/30_generic_methods/data_json.cf
new file mode 100644
index 00000000..e91957b2
--- /dev/null
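Review bot: The Rudder repository and its signing key are both fetched over plain HTTP (`baseurl=http://www.rudder-project.org/rpm-3.1/RHEL_7/` and `gpgkey=http://www.rudder-project.org/rpm-3.1/RHEL_7/repodata/repomd.xml.key`), so `gpgcheck=1` verifies packages against a key that the same on-path attacker could have substituted; the check only protects the install if the key arrives over an authenticated channel, so switch both URLs to `https://` if the mirror serves it, or ship the key alongside the Vagrantfile and point `gpgkey` at a `file:///vagrant/...` path. The script also runs `setenforce 0` and permanently disables iptables/firewalld on every node without a word of explanation; that is tolerable for a disposable lab but deserves a line such as `# lab only: firewall and SELinux are disabled so the demo nodes can reach each other freely` so nobody lifts these steps into a real controller build. Under `#!/bin/sh` with no `set -e`, a failed `yum install` or `rudder-init` is ignored and the subsequent `cp`/`git commit` lines run regardless; `set -eu` right after the shebang would stop the provisioner at the first failure. `${hostname}` in the `cp -r /vagrant/configuration/${hostname}/*` line is unquoted and comes straight from `$2`, which is fine while the Vagrantfile supplies it but should be quoted anyway.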
+++ b/contrib/ncf-openstack-technique/tree/30_generic_methods/data_json.cf
@@ -0,0 +1,37 @@
+#####################################################################################
+# Copyright 2013 Normation SAS
+#####################################################################################
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, Version 3.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+#
+#####################################################################################
+
+# @name Store data into JSON string
+# @description Formats the given data container to a JSON string
+#
+# @parameter name Name of the created variable
+# @parameter default_data Data
+#
+# @class_prefix data_json
+# @class_parameter name
+# This bundle will define a class data_son_${name}_{kept,repaired,not_ok,ok,reached}
+
+bundle agent data_json(name, data)
+{
+ vars:
+ "${name}" string => storejson("${data}");
+
+ reports:
+ debug::
+ "${configuration.debug} Storing '${name}'";
+}
diff --git a/contrib/ncf-openstack-technique/tree/30_generic_methods/data_load.cf b/contrib/ncf-openstack-technique/tree/30_generic_methods/data_load.cf
new file mode 100644
index 00000000..b53380f1
--- /dev/null
+++ b/contrib/ncf-openstack-technique/tree/30_generic_methods/data_load.cf
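Review bot: The header does not match the bundle it documents: it declares `@parameter default_data Data` while the signature is `data_json(name, data)`, and it promises classes `data_son_${name}_…` (sic) although no promise in the body sets any class, so the generated method documentation would mislead anyone calling this from a technique. Change the parameter line to `# @parameter data Name of the data container to serialise` and either drop the class sentence or replace it with `# This bundle defines no outcome classes`. Worth a note as well that `storejson()` copies the whole container into the string variable, credentials included when the container was loaded from the /etc/rudder/openstack user files, so the resulting variable should not be echoed in reports.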
@@ -0,0 +1,47 @@
+#####################################################################################
+# Copyright 2013 Normation SAS
+#####################################################################################
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, Version 3.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+#
+#####################################################################################
+
+# @name Load standard data
+# @description Load default configuration and override with the given file
+#
+# @parameter prefix Data prefix
+#
+# @class_prefix data_load
+# @class_parameter prefix
+# This bundle will define a class data_load_${prefix}_{kept,repaired,not_ok,ok,reached}
+
+bundle agent data_load(prefix)
+{
+ vars:
+ "class_prefix" string => canonify("data_load_${prefix}");
+
+ methods:
+ "method_call" usebundle => variable_string("${prefix}", "technique_path", "/var/rudder/ncf/local/50_techniques/${prefix}/");
+ "method_call" usebundle => data_read("${prefix}_defaults", "${variable_string.${prefix}_technique_path}/defaults.json");
+ "method_call" usebundle => data_read("${prefix}_user", "/etc/rudder/openstack/${prefix}.json");
+ "method_call" usebundle => data_merge("${prefix}", "data_read.${prefix}_defaults", "data_read.${prefix}_user");
+ "method_call" usebundle => data_json("${prefix}", "data_merge.${prefix}");
+
+ "report"
+ usebundle => _logger("Defining standard data for ${prefix}", "${class_prefix}"),
+ ifvarclass => "${class_prefix}_reached";
+
+ reports:
+ debug::
+ "${configuration.debug} Define standard data";
+}
diff --git a/contrib/ncf-openstack-technique/tree/30_generic_methods/data_merge.cf b/contrib/ncf-openstack-technique/tree/30_generic_methods/data_merge.cf
new file mode 100644
index 00000000..ba971f16
--- /dev/null
+++ b/contrib/ncf-openstack-technique/tree/30_generic_methods/data_merge.cf
@@ -0,0 +1,42 @@
+#####################################################################################
+# Copyright 2013 Normation SAS
+#####################################################################################
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, Version 3.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+#
+#####################################################################################
+
+# @name Merge data containers
+# @description Merges two data containers, the first is the default.
+#
+# @parameter name Name of the created variable
+# @parameter default_data Default data
+# @parameter user_data User data
+#
+# @class_prefix data_merge
+# @class_parameter name
+# This bundle will define a class data_merge_${name}_{kept,repaired,not_ok,ok,reached}
+
+bundle agent data_merge(name, default_data, user_data)
+{
+ vars:
+ "${name}" data => mergedata("${default_data}", "${user_data}");
+ debug::
+ "debug_result" string => storejson("${name}");
+ "debug_default" string => storejson("${default_data}");
+ "debug_config" string => storejson("${user_data}");
+
+ reports:
+ debug::
+ "${configuration.debug} Merging '${debug_default}' and '${debug_config}' into ${name}:'${debug_result}'";
+}
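Review bot: The `"report"` promise is guarded by `ifvarclass => "${class_prefix}_reached"`, but nothing in this bundle defines `data_load_<prefix>_reached` (the called methods use their own prefixes, and none of them is `classes_generic`'d with this one), so as written the `_logger` call appears never to run and the method produces no Rudder report. Either add `"result" usebundle => _classes_success("${class_prefix}");` after the `data_json` call, or drop the guard and let `_logger` report unconditionally. The user file `/etc/rudder/openstack/${prefix}.json` is also read unconditionally; if a node has no such file `data_read`'s `readjson()` has nothing to parse, so the header should say the file is mandatory, or the `data_read` call should be conditioned on `fileexists()`.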
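Review bot: In the `debug::` context the bundle serialises both inputs and the merged result with `storejson()` and prints all three in the report line; the `user_data` merged here comes from `/etc/rudder/openstack/*.json`, which in this repository carries RabbitMQ passwords, so switching debug on writes those secrets into cf-agent output and any collected reports. Drop `debug_config` and `debug_result` from the report (or print only key names), keeping `debug_default`, which is the technique's defaults file — e.g. `"${configuration.debug} Merging defaults '${debug_default}' with user data into ${name}";`. The header also promises classes `data_merge_${name}_…` but no `class_prefix` is defined and no class is set; either state that none are defined or define the prefix and call `_classes_success("${class_prefix}")`.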
diff --git a/contrib/ncf-openstack-technique/tree/30_generic_methods/data_read.cf b/contrib/ncf-openstack-technique/tree/30_generic_methods/data_read.cf
new file mode 100644
index 00000000..facf0e75
--- /dev/null
+++ b/contrib/ncf-openstack-technique/tree/30_generic_methods/data_read.cf
@@ -0,0 +1,47 @@
+#####################################################################################
+# Copyright 2013 Normation SAS
+#####################################################################################
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, Version 3.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+#
+#####################################################################################
+
+# @name Read configuration
+# @description Read a configuration file into a data variable
+#
+# @parameter name Name of the created variable
+# @parameter file Path of the configuration file
+#
+# @class_prefix file
+# @class_parameter file
+# This bundle will define a class data_read_${file}_{kept,repaired,not_ok,ok,reached}
+
+bundle agent data_read(name, file)
+{
+ vars:
+ "class_prefix" string => canonify("data_read_${file}");
+
+ "${name}" data => readjson("${file}", 10k);
+
+ debug::
+ "debug_result" string => storejson("${name}");
+
+ methods:
+ "report"
+ usebundle => _logger("Read the file ${file} into ${variable_name}", "${class_prefix}"),
+ ifvarclass => "${class_prefix}_reached";
+
+ reports:
+ debug::
+ "${configuration.debug} Read ${file} into ${name}:'${debug_result}'";
+}
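Review bot: The report string references `${variable_name}`, which is not defined anywhere in this bundle (the parameter is `name`), so the message would go out with an unexpanded variable; it should read `usebundle => _logger("Read the file ${file} into ${name}", "${class_prefix}"),`. That line is in any case guarded by `${class_prefix}_reached`, which nothing here sets, so the report does not fire at all; add `_classes_success("${class_prefix}")` after the `readjson()` or remove the guard. `readjson("${file}", 10k)` silently truncates any configuration file above 10 KiB, which is worth either raising or documenting, and the header's `@class_prefix file` disagrees with the `data_read_` prefix used in the code. As in the other data methods, the `debug::` branch echoes the full file contents, credentials included, into agent output.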
diff --git a/contrib/ncf-openstack-technique/tree/30_generic_methods/file_from_template_mustache_data.cf b/contrib/ncf-openstack-technique/tree/30_generic_methods/file_from_template_mustache_data.cf
new file mode 100644
index 00000000..b469cb84
--- /dev/null
+++ b/contrib/ncf-openstack-technique/tree/30_generic_methods/file_from_template_mustache_data.cf
@@ -0,0 +1,64 @@
+#####################################################################################
+# Copyright 2013 Normation SAS
+#####################################################################################
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, Version 3.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+#
+#####################################################################################
+
+# @name File from a mustache template with data
+# @description Writes a mustache template file from data
+#
+# @parameter source_template Source template
+# @parameter destination Destination
+# @parameter template_data Template data
+#
+# @class_prefix file_from_template_mustache_data
+# @class_parameter destination
+# This bundle will define a class file_from_template_mustache_data_${destination}_{kept,repaired,not_ok,ok,reached}
+
+bundle agent file_from_template_mustache_data(source_template, destination, template_data)
+{
+
+ vars:
+ "class_prefix" string => canonify("file_from_template_mustache_data_${destination}");
+
+ debug::
+ "debug_data" string => storejson("${template_data}");
+
+ classes:
+ "template_exists" expression => fileexists("${source_template}");
+
+ files:
+ "${destination}"
+ create => "true",
+ edit_template => "${source_template}",
+ template_method => "mustache",
+ template_data => parsejson(storejson("${template_data}")),
+ ifvarclass => "template_exists",
+ classes => classes_generic("${class_prefix}");
+
+ methods:
+
+ !template_exists::
+
+ "template_absent" usebundle => _classes_failure("${class_prefix}");
+
+ any::
+
+ "report" usebundle => _logger("Build file ${destination} from mustache template ${source_template}", "${class_prefix}");
+
+ reports:
+ debug::
+ "${configuration.debug} JSON data: '${debug_data}'";
+}
diff --git a/contrib/ncf-openstack-technique/tree/30_generic_methods/openstack_command.cf b/contrib/ncf-openstack-technique/tree/30_generic_methods/openstack_command.cf
new file mode 100644
index 00000000..912c0863
--- /dev/null
+++ b/contrib/ncf-openstack-technique/tree/30_generic_methods/openstack_command.cf
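Review bot: The `files:` promise creates `${destination}` with `create => "true"` but sets no permissions, so the rendered file is born with the agent's default mode even though the data it renders can include credentials (the glance defaults later in this same patch carry Keystone and database passwords). Callers such as `openstack_glance_api` tighten permissions afterwards, but that leaves a window in which a readable file holds secrets on disk, and any caller that forgets the extra step leaks them permanently; if the stdlib `mog` body is in scope, a `perms => mog("640", "root", "root"),` attribute on the promise would close that window. The `debug::` report on the last lines also prints the full JSON, passwords included, to agent output, so consider masking or omitting credential keys from that dump. The `parsejson(storejson("${template_data}"))` round-trip is presumably there to pass a container by name; a one-line comment saying so would help the next reader.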
@@ -0,0 +1,37 @@
+#####################################################################################
+# Copyright 2013 Normation SAS
+#####################################################################################
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, Version 3.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+#
+#####################################################################################
+
+# @name Openstack command
+# @description Execute an OpenStack command as administrator
+#
+# @parameter token Admin token
+# @parameter url URL of the Keystone endpoint
+# @parameter command Command to execute
+#
+# @class_prefix command
+# @class_parameter command
+# This bundle will define a class openstack_command_${command}_{kept,repaired,not_ok,ok,reached}
+
+bundle agent openstack_command(token, url, command)
+{
+ vars:
+ "class_prefix" string => canonify("openstack_command_${command}");
+
+ methods:
+ "execute" usebundle => command_execution("/usr/bin/openstack --os-token ${token} --os-url ${url} ${command}");
+}
diff --git a/contrib/ncf-openstack-technique/tree/30_generic_methods/variable_string.cf b/contrib/ncf-openstack-technique/tree/30_generic_methods/variable_string.cf
new file mode 100644
index 00000000..5fac4689
--- /dev/null
+++ b/contrib/ncf-openstack-technique/tree/30_generic_methods/variable_string.cf
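Review bot: The admin token is passed as `--os-token ${token}` on the command line, so while the command runs it is readable by every local user through `ps` and `/proc/*/cmdline`, and `command_execution` will also carry the full command string, token included, into the agent's reports and logs. Prefer a credential the client reads from a root-only file itself, such as an `/etc/openstack/clouds.yaml` entry selected with `--os-cloud`, or `OS_TOKEN`/`OS_URL` sourced from a 0600 file, and keep the token out of any report string. Separately, `class_prefix` is computed but never handed to `command_execution`, so the classes actually defined are `command_execution_…` rather than the `openstack_command_${command}_…` the header promises, and the `@class_prefix command` metadata disagrees with the computed prefix too. If `command_execution` runs the string through a shell, `${command}` is interpolated unquoted and caller-supplied metacharacters would be interpreted; that constraint belongs in the description.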
@@ -0,0 +1,44 @@
+#####################################################################################
+# Copyright 2013 Normation SAS
+#####################################################################################
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, Version 3.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+#
+#####################################################################################
+
+# @name String variable
+# @description Define a string variable
+#
+# @parameter prefix Variable prefix
+# @parameter name Name of the created variable
+# @parameter value Value of the variable
+#
+# @class_prefix variable_string
+# @class_parameter name
+# This bundle will define a class variable_string_${prefix}_${name}_{kept,repaired,not_ok,ok,reached}
+
+bundle agent variable_string(prefix, name, value)
+{
+ vars:
+ "class_prefix" string => canonify("variable_string_${prefix}_${name}");
+ "${prefix}_${name}" string => "${value}";
+
+ methods:
+ "report"
+ usebundle => _logger("Define the string variable ${prefix}_${name}:${value}", "${class_prefix}"),
+ ifvarclass => "${class_prefix}_reached";
+
+ reports:
+ debug::
+ "${configuration.debug} Define string variable '${prefix}'_'${name}':'${value}'";
+}
diff --git a/contrib/ncf-openstack-technique/tree/50_techniques/ntpd/defaults.json b/contrib/ncf-openstack-technique/tree/50_techniques/ntpd/defaults.json
new file mode 100644
index 00000000..0e12324f
--- /dev/null
+++ b/contrib/ncf-openstack-technique/tree/50_techniques/ntpd/defaults.json
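Review bot: The `_logger` call puts `${value}` into the report message, so any caller that uses this method to define a secret (the techniques in this patch pass passwords around as data) has it written into agent reports and whatever collects them. Drop the value from the non-debug message, `_logger("Define the string variable ${prefix}_${name}", "${class_prefix}")`, and keep it only behind `debug::` if at all. The report is additionally conditioned on `${class_prefix}_reached`, which nothing in this bundle defines, so as written it is never emitted.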
@@ -0,0 +1,21 @@
+{
+ "servers": [
+ {"address": "0.pool.ntp.org", "options": ""},
+ {"address": "1.pool.ntp.org", "options": ""},
+ {"address": "2.pool.ntp.org", "options": ""},
+ {"address": "3.pool.ntp.org", "options": ""}
+ ],
+ "peers": [
+ ],
+ "broadcasts": [
+ ],
+ "restricts": [
+ {"address": "127.0.0.1", "options": ""},
+ {"address": "::1", "options": ""},
+ {"address": "-4", "options": "default kod notrap nomodify nopeer noquery"},
+ {"address": "-6", "options": "default kod notrap nomodify nopeer noquery"},
+ ],
+ "driftfile": "/var/lib/ntp/ntp.drift",
+ "statsdir": "/var/log/ntpstats/",
+ "enable_statistics": true,
+}
diff --git a/contrib/ncf-openstack-technique/tree/50_techniques/ntpd/ntpd.cf b/contrib/ncf-openstack-technique/tree/50_techniques/ntpd/ntpd.cf
new file mode 100644
index 00000000..19133d90
--- /dev/null
+++ b/contrib/ncf-openstack-technique/tree/50_techniques/ntpd/ntpd.cf
@@ -0,0 +1,18 @@
+# @name ntpd
+# @description Install, configure and ensure ntpd is running. Uses a template file for configuration.
+# @version 0.1
+
+bundle agent ntpd
+{
+ methods:
+ "method_call" usebundle => data_load("${this.bundle}"),
+ ifvarclass => concat("any");
+ "method_call" usebundle => package_install("ntp"),
+ ifvarclass => concat("any");
+ "method_call" usebundle => file_from_template_mustache_data("${variable_string.${this.bundle}_technique_path}/templates/ntp.conf.tpl", "/etc/ntp.conf", "data_merge.${this.bundle}"),
+ ifvarclass => concat("any");
+ "method_call" usebundle => service_restart("ntpd"),
+ ifvarclass => concat("any.redhat.file_from_template_mustache_data__etc_ntp_conf_repaired");
+ "method_call" usebundle => service_ensure_running("ntpd"),
+ ifvarclass => concat("any.redhat");
+}
diff --git a/contrib/ncf-openstack-technique/tree/50_techniques/ntpd/templates/ntp.conf.tpl b/contrib/ncf-openstack-technique/tree/50_techniques/ntpd/templates/ntp.conf.tpl
new file mode 100644
index 00000000..3c6ad985
--- /dev/null
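Review bot: The `restricts` array ends with `{"address": "-6", ...},` and the top-level object ends with `"enable_statistics": true,`, two trailing commas that make this file invalid JSON; unless the agent's `readjson` parser is known to tolerate them, `data_load("ntpd")` will fail to read the defaults and the template will render without any `server` or `restrict` lines. Remove both trailing commas. The `restrict -4/-6 default kod notrap nomodify nopeer noquery` defaults are the right hardening baseline and should stay as they are.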
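Review bot: The `service_restart` and `service_ensure_running` calls are gated on the `redhat` class, so on any other platform a repaired `/etc/ntp.conf` is never applied and the "ensure ntpd is running" part of the description is silently skipped. If the gate exists because the unit is named differently elsewhere (Debian ships it as `ntp`), add a matching branch, e.g. `"method_call" usebundle => service_restart("ntp"), ifvarclass => concat("!redhat.file_from_template_mustache_data__etc_ntp_conf_repaired");` plus the same for `service_ensure_running`; otherwise drop the `redhat` condition so the promise holds everywhere the technique is applied.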
+++ b/contrib/ncf-openstack-technique/tree/50_techniques/ntpd/templates/ntp.conf.tpl
@@ -0,0 +1,28 @@
+# Managed by ncf
+# /etc/ntp.conf, configuration for ntpd; see ntp.conf(5) for help
+
+driftfile {{driftfile}}
+
+{{#enable_statistics}}
+statsdir {{statsdir}}
+statistics loopstats peerstats clockstats
+filegen loopstats file loopstats type day enable
+filegen peerstats file peerstats type day enable
+filegen clockstats file clockstats type day enable
+{{/enable_statistics}}
+
+{{#servers}}
+server {{address}} {{options}}
+{{/servers}}
+
+{{#peers}}
+peer {{address}} {{options}}
+{{/peers}}
+
+{{#broadcasts}}
+broadcast {{address}} {{options}}
+{{/broadcasts}}
+
+{{#restricts}}
+restrict {{address}} {{options}}
+{{/restricts}}
diff --git a/contrib/ncf-openstack-technique/tree/50_techniques/openstack_glance_api/defaults.json b/contrib/ncf-openstack-technique/tree/50_techniques/openstack_glance_api/defaults.json
new file mode 100644
index 00000000..98b4a703
--- /dev/null
+++ b/contrib/ncf-openstack-technique/tree/50_techniques/openstack_glance_api/defaults.json
@@ -0,0 +1,13 @@
+{
+ "controller": "controller",
+ "keystone": {
+ "user": "glance",
+ "password": "glance_password"
+ },
+ "database": {
+ "host": "controller",
+ "name": "glance",
+ "user": "glance",
+ "password": "glance_password"
+ },
+}
diff --git a/contrib/ncf-openstack-technique/tree/50_techniques/openstack_glance_api/openstack_glance_api.cf b/contrib/ncf-openstack-technique/tree/50_techniques/openstack_glance_api/openstack_glance_api.cf
new file mode 100644
index 00000000..8e0fd584
--- /dev/null
+++ b/contrib/ncf-openstack-technique/tree/50_techniques/openstack_glance_api/openstack_glance_api.cf
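Review bot: Both `keystone.password` and `database.password` default to the literal `glance_password`, so any node whose own configuration does not override them ends up with a guessable credential for the glance service account and its database. Ship empty defaults, `"password": ""`, and have the technique refuse to render the configuration when the password is unset; the Vagrant demo can carry the value in its per-node JSON instead. The `},` closing the `database` object is also a trailing comma that a strict JSON parser will reject.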
@@ -0,0 +1,24 @@
+# @name openstack_glance_api
+# @description Install, configure and ensure glance-api is running. Uses a template file for configuration.
+# @version 0.1
+
+bundle agent openstack_glance_api
+{
+ methods:
+ "method_call" usebundle => data_load("${this.bundle}"),
+ ifvarclass => concat("any");
+ "method_call" usebundle => package_install("openstack-glance python-glance python-glanceclient"),
+ ifvarclass => concat("any");
+ "method_call" usebundle => file_from_template_mustache_data("${variable_string.${this.bundle}_technique_path}/templates/glance-api.conf.tpl", "/etc/glance/glance-api.conf", "data_merge.${this.bundle}"),
+ ifvarclass => concat("any");
+ "method_call" usebundle => permissions_recurse("/etc/glance/", "640", "glance", "glance"),
+ ifvarclass => concat("any");
+ "method_call" usebundle => command_execution("su -s /bin/sh -c \"glance-manage db_sync\" glance"),
+ ifvarclass => concat("any.file_from_template_mustache_data__etc_glance_glance_api_conf_repaired");
+ "method_call" usebundle => service_restart("keystone"),
+ ifvarclass => concat("any.file_from_template_mustache_data__etc_glance_glance_api_conf_repaired");
+ "method_call" usebundle => service_ensure_running("openstack-glance-api"),
+ ifvarclass => concat("any");
+ "method_call" usebundle => service_ensure_started_at_boot("openstack-glance-api"),
+ ifvarclass => concat("any");
+}
diff --git a/contrib/ncf-openstack-technique/tree/50_techniques/openstack_glance_api/templates/glance-api.conf.tpl b/contrib/ncf-openstack-technique/tree/50_techniques/openstack_glance_api/templates/glance-api.conf.tpl
new file mode 100644
index 00000000..edb7c82e
--- /dev/null
+++ b/contrib/ncf-openstack-technique/tree/50_techniques/openstack_glance_api/templates/glance-api.conf.tpl
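Review bot: After `/etc/glance/glance-api.conf` is repaired the bundle restarts `keystone` rather than `openstack-glance-api`, so glance-api keeps running on its previous configuration (`service_ensure_running` does not restart a service that is already up); the line should read `"method_call" usebundle => service_restart("openstack-glance-api"),`. The `permissions_recurse("/etc/glance/", "640", "glance", "glance")` call is the right instinct for keeping the rendered credentials private, but if that method applies the numeric mode to directories as well, 640 strips the execute bit from `/etc/glance` and the glance user can no longer open its own configuration — confirm against the method's implementation and, if so, set the directory separately (e.g. 750) while keeping 640 for the files. Note also that `db_sync` runs only when the config was repaired, so a node whose configuration was already correct but whose database was never initialised is never synced.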
@@ -0,0 +1,820 @@ +[DEFAULT] +# Show more verbose log output (sets INFO log level output) +#verbose=True + +# Show debugging output in logs (sets DEBUG log level output) +#debug=False + +# Maximum image size (in bytes) that may be uploaded through the +# Glance API server. Defaults to 1 TB. +# WARNING: this value should only be increased after careful consideration +# and must be set to a value under 8 EB (9223372036854775808). +#image_size_cap=1099511627776 + +# Address to bind the API server +#bind_host=0.0.0.0 + +# Port the bind the API server to +#bind_port=9292 + +# Log to this file. Make sure you do not set the same log file for both the API +# and registry servers! +# +# If `log_file` is omitted and `use_syslog` is false, then log messages are +# sent to stdout as a fallback. +#log_file=/var/log/glance/api.log + +# Backlog requests when creating socket +#backlog=4096 + +# TCP_KEEPIDLE value in seconds when creating socket. +# Not supported on OS X. +#tcp_keepidle=600 + +# API to use for accessing data. Default value points to sqlalchemy +# package, it is also possible to use: glance.db.registry.api +# data_api = glance.db.sqlalchemy.api + +# The number of child process workers that will be +# created to service API requests. The default will be +# equal to the number of CPUs available. (integer value) +#workers=4 + +# Maximum line size of message headers to be accepted. +# max_header_line may need to be increased when using large tokens +# (typically those generated by the Keystone v3 API with big service +# catalogs) +# max_header_line = 16384 + +# Role used to identify an authenticated user as administrator +#admin_role=admin + +# Allow unauthenticated users to access the API with read-only +# privileges. This only applies when using ContextMiddleware. 
+#allow_anonymous_access=False + +# Allow access to version 1 of glance api +#enable_v1_api=True + +# Allow access to version 2 of glance api +#enable_v2_api=True + +# Return the URL that references where the data is stored on +# the backend storage system. For example, if using the +# file system store a URL of 'file:///path/to/image' will +# be returned to the user in the 'direct_url' meta-data field. +# The default value is false. +#show_image_direct_url=False + +# Send headers containing user and tenant information when making requests to +# the v1 glance registry. This allows the registry to function as if a user is +# authenticated without the need to authenticate a user itself using the +# auth_token middleware. +# The default value is false. +#send_identity_headers=False + +# Supported values for the 'container_format' image attribute +#container_formats=ami,ari,aki,bare,ovf,ova + +# Supported values for the 'disk_format' image attribute +#disk_formats=ami,ari,aki,vhd,vmdk,raw,qcow2,vdi,iso + +# Property Protections config file +# This file contains the rules for property protections and the roles/policies +# associated with it. +# If this config value is not specified, by default, property protections +# won't be enforced. +# If a value is specified and the file is not found, then the glance-api +# service will not start. +#property_protection_file = + +# Specify whether 'roles' or 'policies' are used in the +# property_protection_file. +# The default value for property_protection_rule_format is 'roles'. +#property_protection_rule_format=roles + +# This value sets what strategy will be used to determine the image location +# order. Currently two strategies are packaged with Glance 'location_order' +# and 'store_type'. +#location_strategy=location_order + + +# Public url to use for versions endpoint. The default is None, +# which will use the request's host_url attribute to populate the URL base. 
+# If Glance is operating behind a proxy, you will want to change this to +# represent the proxy's URL. +#public_endpoint= + +# http_keepalive option. If False, server will return the header +# "Connection: close", If True, server will return "Connection: Keep-Alive" +# in its responses. In order to close the client socket connection +# explicitly after the response is sent and read successfully by the client, +# you simply have to set this option to False when you create a wsgi server. +#http_keepalive=True + +# ================= Syslog Options ============================ + +# Send logs to syslog (/dev/log) instead of to file specified +# by `log_file` +#use_syslog=False + +# Facility to use. If unset defaults to LOG_USER. +#syslog_log_facility=LOG_LOCAL0 + +# ================= SSL Options =============================== + +# Certificate file to use when starting API server securely +#cert_file=/path/to/certfile + +# Private key file to use when starting API server securely +#key_file=/path/to/keyfile + +# CA certificate file to use to verify connecting clients +#ca_file=/path/to/cafile + +# ================= Security Options ========================== + +# AES key for encrypting store 'location' metadata, including +# -- if used -- Swift or S3 credentials +# Should be set to a random string of length 16, 24 or 32 bytes +#metadata_encryption_key=<16, 24 or 32 char registry metadata key> + + +# Digest algorithm which will be used for digital signature, the default is +# sha1 in Kilo for a smooth upgrade process, and it will be updated with +# sha256 in next release(L). Use command +# "openssl list-message-digest-algorithms" to get the available algorithms +# supported by the version of OpenSSL on the platform. Examples are 'sha1', +# 'sha256', 'sha512', etc. 
+#digest_algorithm=sha1 + +# ============ Registry Options =============================== + +# Address to find the registry server +#registry_host=0.0.0.0 + +# Port the registry server is listening on +#registry_port=9191 + +# What protocol to use when connecting to the registry server? +# Set to https for secure HTTP communication +#registry_client_protocol=http + +# The path to the key file to use in SSL connections to the +# registry server, if any. Alternately, you may set the +# GLANCE_CLIENT_KEY_FILE environ variable to a filepath of the key file +#registry_client_key_file=/path/to/key/file + +# The path to the cert file to use in SSL connections to the +# registry server, if any. Alternately, you may set the +# GLANCE_CLIENT_CERT_FILE environ variable to a filepath of the cert file +#registry_client_cert_file=/path/to/cert/file + +# The path to the certifying authority cert file to use in SSL connections +# to the registry server, if any. Alternately, you may set the +# GLANCE_CLIENT_CA_FILE environ variable to a filepath of the CA cert file +#registry_client_ca_file=/path/to/ca/file + +# When using SSL in connections to the registry server, do not require +# validation via a certifying authority. This is the registry's equivalent of +# specifying --insecure on the command line using glanceclient for the API +# Default: False +#registry_client_insecure=False + +# The period of time, in seconds, that the API server will wait for a registry +# request to complete. A value of '0' implies no timeout. +# Default: 600 +#registry_client_timeout=600 + +# Enable DEBUG log messages from sqlalchemy which prints every database +# query and response. +# Default: False +#sqlalchemy_debug=True + +# Pass the user's token through for API requests to the registry. +# Default: True +#use_user_token=True + +# If 'use_user_token' is not in effect then admin credentials +# can be specified. Requests to the registry on behalf of +# the API will use these credentials. 
+# Admin user name +#admin_user=%SERVICE_USER% +# Admin password +#admin_password=%SERVICE_PASSWORD% +# Admin tenant name +#admin_tenant_name=%SERVICE_TENANT_NAME% +# Keystone endpoint +#auth_url=None +# Keystone region +#auth_region=None +# Auth strategy +#auth_strategy=keystone + +# ============ Notification System Options ===================== + +# Driver or drivers to handle sending notifications. Set to +# 'messaging' to send notifications to a message queue. +notification_driver = noop + +# Default publisher_id for outgoing notifications. +# default_publisher_id = image.localhost + +# List of disabled notifications. A notification can be given either as a +# notification type to disable a single event, or as a notification group +# prefix to disable all events within a group. +# Example: if this config option is set to +# ["image.create", "metadef_namespace"], then "image.create" notification will +# not be sent after image is created and none of the notifications for +# metadefinition namespaces will be sent. 
+# disabled_notifications = [] + +# Messaging driver used for 'messaging' notifications driver +# rpc_backend = 'rabbit' + +# Configuration options if sending notifications via rabbitmq (these are +# the defaults) +#rabbit_host=localhost +#rabbit_port=5672 +#rabbit_use_ssl=false +#rabbit_userid=guest +#rabbit_password=guest +#rabbit_virtual_host=/ +#rabbit_notification_exchange=glance +#rabbit_notification_topic=notifications +#rabbit_durable_queues=False + +# Configuration options if sending notifications via Qpid (these are +# the defaults) +#qpid_notification_exchange=glance +#qpid_notification_topic=notifications +#qpid_hostname=localhost +#qpid_port=5672 +#qpid_username= +#qpid_password= +#qpid_sasl_mechanisms= +#qpid_reconnect_timeout=0 +#qpid_reconnect_limit=0 +#qpid_reconnect_interval_min=0 +#qpid_reconnect_interval_max=0 +#qpid_reconnect_interval=0 +#qpid_heartbeat=5 +# Set to 'ssl' to enable SSL +#qpid_protocol=tcp +#qpid_tcp_nodelay=True + +# ============ Delayed Delete Options ============================= + +# Turn on/off delayed delete +#delayed_delete=False + +# Delayed delete time in seconds +#scrub_time=43200 + +# Directory that the scrubber will use to remind itself of what to delete +# Make sure this is also set in glance-scrubber.conf +#scrubber_datadir=/var/lib/glance/scrubber + +# =============== Quota Options ================================== + +# The maximum number of image members allowed per image +#image_member_quota=128 + +# The maximum number of image properties allowed per image +#image_property_quota=128 + +# The maximum number of tags allowed per image +#image_tag_quota=128 + +# The maximum number of locations allowed per image +#image_location_quota=10 + +# Set a system wide quota for every user. This value is the total number +# of bytes that a user can use across all storage systems. A value of +# 0 means unlimited. 
+#user_storage_quota=0 + +# =============== Image Cache Options ============================= + +# Base directory that the Image Cache uses +#image_cache_dir=/var/lib/glance/image-cache/ + +# =============== Policy Options ================================== + +[oslo_policy] +# The JSON file that defines policies. +# Deprecated group/name - [DEFAULT]/policy_file +#policy_file=policy.json + +# Default rule. Enforced when a requested rule is not found. +# Deprecated group/name - [DEFAULT]/policy_default_rule +#policy_default_rule=default + +# Directories where policy configuration files are stored. +# They can be relative to any directory in the search path +# defined by the config_dir option, or absolute paths. +# The file defined by policy_file must exist for these +# directories to be searched. +# Deprecated group/name - [DEFAULT]/policy_dirs +#policy_dirs=policy.d + +# =============== Database Options ================================= + +[database] +# The file name to use with SQLite (string value) +#sqlite_db=oslo.sqlite + +# If True, SQLite uses synchronous mode (boolean value) +#sqlite_synchronous=True + +# The backend to use for db (string value) +# Deprecated group/name - [DEFAULT]/db_backend +#backend=sqlalchemy + +# The SQLAlchemy connection string used to connect to the +# database (string value) +# Deprecated group/name - [DEFAULT]/sql_connection +# Deprecated group/name - [DATABASE]/sql_connection +# Deprecated group/name - [sql]/connection +connection = mysql://{{database.user}}:{{database.password}}@{{database.host}}/{{database.name}} + +# The SQL mode to be used for MySQL sessions. This option, +# including the default, overrides any server-set SQL mode. To +# use whatever SQL mode is set by the server configuration, +# set this to no value. 
Example: mysql_sql_mode= (string +# value) +#mysql_sql_mode=TRADITIONAL + +# Timeout before idle sql connections are reaped (integer +# value) +# Deprecated group/name - [DEFAULT]/sql_idle_timeout +# Deprecated group/name - [DATABASE]/sql_idle_timeout +# Deprecated group/name - [sql]/idle_timeout +#idle_timeout=3600 + +# Minimum number of SQL connections to keep open in a pool +# (integer value) +# Deprecated group/name - [DEFAULT]/sql_min_pool_size +# Deprecated group/name - [DATABASE]/sql_min_pool_size +#min_pool_size=1 + +# Maximum number of SQL connections to keep open in a pool +# (integer value) +# Deprecated group/name - [DEFAULT]/sql_max_pool_size +# Deprecated group/name - [DATABASE]/sql_max_pool_size +#max_pool_size= + +# Maximum db connection retries during startup. (setting -1 +# implies an infinite retry count) (integer value) +# Deprecated group/name - [DEFAULT]/sql_max_retries +# Deprecated group/name - [DATABASE]/sql_max_retries +#max_retries=10 + +# Interval between retries of opening a sql connection +# (integer value) +# Deprecated group/name - [DEFAULT]/sql_retry_interval +# Deprecated group/name - [DATABASE]/reconnect_interval +#retry_interval=10 + +# If set, use this value for max_overflow with sqlalchemy +# (integer value) +# Deprecated group/name - [DEFAULT]/sql_max_overflow +# Deprecated group/name - [DATABASE]/sqlalchemy_max_overflow +#max_overflow= + +# Verbosity of SQL debugging information. 
0=None, +# 100=Everything (integer value) +# Deprecated group/name - [DEFAULT]/sql_connection_debug +#connection_debug=0 + +# Add python stack traces to SQL as comment strings (boolean +# value) +# Deprecated group/name - [DEFAULT]/sql_connection_trace +#connection_trace=False + +# If set, use this value for pool_timeout with sqlalchemy +# (integer value) +# Deprecated group/name - [DATABASE]/sqlalchemy_pool_timeout +#pool_timeout= + +# Enable the experimental use of database reconnect on +# connection lost (boolean value) +#use_db_reconnect=False + +# seconds between db connection retries (integer value) +#db_retry_interval=1 + +# Whether to increase interval between db connection retries, +# up to db_max_retry_interval (boolean value) +#db_inc_retry_interval=True + +# max seconds between db connection retries, if +# db_inc_retry_interval is enabled (integer value) +#db_max_retry_interval=10 + +# maximum db connection retries before error is raised. +# (setting -1 implies an infinite retry count) (integer value) +#db_max_retries=20 + +[oslo_concurrency] + +# Enables or disables inter-process locks. (boolean value) +# Deprecated group/name - [DEFAULT]/disable_process_locking +#disable_process_locking=false + +# Directory to use for lock files. For security, the specified +# directory should only be writable by the user running the processes +# that need locking. It could be read from environment variable +# OSLO_LOCK_PATH. This setting needs to be the same for both +# glance-scrubber and glance-api service. Default to a temp directory. 
+# Deprecated group/name - [DEFAULT]/lock_path (string value) +#lock_path=/tmp + +[keystone_authtoken] +auth_uri = http://{{controller}}:5000 +auth_url = http://{{controller}}:35357 + +auth_plugin = password +project_domain_id = default +user_domain_id = default +project_name = service +username = {{keystone.user}} +password = {{keystone.password}} + +#admin_tenant_name=%SERVICE_TENANT_NAME% +#admin_user=%SERVICE_USER% +#admin_password=%SERVICE_PASSWORD% +#revocation_cache_time=10 + +[paste_deploy] +# Name of the paste configuration file that defines the available pipelines +#config_file=/usr/share/glance/glance-api-dist-paste.ini + +# Partial name of a pipeline in your paste configuration file with the +# service name removed. For example, if your paste section name is +# [pipeline:glance-api-keystone], you would configure the flavor below +# as 'keystone'. +flavor=keystone + +[store_type_location_strategy] +# The scheme list to use to get store preference order. The scheme must be +# registered by one of the stores defined by the 'stores' config option. +# This option will be applied when you using 'store_type' option as image +# location strategy defined by the 'location_strategy' config option. +#store_type_preference = + +[profiler] +# If False fully disable profiling feature. +#enabled=False + +# If False doesn't trace SQL requests. +#trace_sqlalchemy=False + +[task] +# ================= Glance Tasks Options ============================ + +# Specifies how long (in hours) a task is supposed to live in the tasks DB +# after succeeding or failing before getting soft-deleted. +# The default value for task_time_to_live is 48 hours. +# task_time_to_live = 48 + +# Specifies which task executor to be used to run the task scripts. +# The default value for task_executor is taskflow. +# task_executor = taskflow + +# Work dir for asynchronous task operations. 
The directory set here +# will be used to operate over images - normally before they are +# imported in the destination store. When providing work dir, make sure +# enough space is provided for concurrent tasks to run efficiently +# without running out of space. A rough estimation can be done by +# multiplying the number of `max_workers` - or the N of workers running +# - by an average image size (e.g 500MB). The image size estimation +# should be done based on the average size in your deployment. Note that +# depending on the tasks running you may need to multiply this number by +# some factor depending on what the task does. For example, you may want +# to double the available size if image conversion is enabled. All this +# being said, remember these are just estimations and you should do them +# based on the worst case scenario and be prepared to act in case they +# were wrong. +# work_dir=None + +# Specifies the maximum number of eventlet threads which can be spun up by +# the eventlet based task executor to perform execution of Glance tasks. +# DEPRECATED: Use [taskflow_executor]/max_workers instead. +# eventlet_executor_pool_size = 1000 + +[taskflow_executor] +# The mode in which the engine will run. Can be 'default', 'serial', +# 'parallel' or 'worker-based' +#engine_mode=serial + +# The number of parallel activities executed at the same time by +# the engine. The value can be greater than one when the engine mode is +# 'parallel' or 'worker-based', otherwise this value will be ignored. +#max_workers=10 + +[glance_store] +# List of which store classes and store class locations are +# currently known to glance at startup. 
+# Deprecated group/name - [DEFAULT]/known_stores +# Existing but disabled stores: +# glance.store.rbd.Store, +# glance.store.s3.Store, +# glance.store.swift.Store, +# glance.store.sheepdog.Store, +# glance.store.cinder.Store, +# glance.store.gridfs.Store, +# glance.store.vmware_datastore.Store, +#stores=glance.store.filesystem.Store, +# glance.store.http.Store + +# Which backend scheme should Glance use by default is not specified +# in a request to add a new image to Glance? Known schemes are determined +# by the stores option. +# Deprecated group/name - [DEFAULT]/default_store +# Default: 'file' +default_store=file + +# ============ Filesystem Store Options ======================== + +# Directory that the Filesystem backend store +# writes image data to +filesystem_store_datadir=/var/lib/glance/images/ + +# A list of directories where image data can be stored. +# This option may be specified multiple times for specifying multiple store +# directories. Either one of filesystem_store_datadirs or +# filesystem_store_datadir option is required. A priority number may be given +# after each directory entry, separated by a ":". +# When adding an image, the highest priority directory will be selected, unless +# there is not enough space available in cases where the image size is already +# known. If no priority is given, it is assumed to be zero and the directory +# will be considered for selection last. If multiple directories have the same +# priority, then the one with the most free space available is selected. +# If same store is specified multiple times then BadStoreConfiguration +# exception will be raised. +#filesystem_store_datadirs=/var/lib/glance/images/:1 + +# A path to a JSON file that contains metadata describing the storage +# system. When show_multiple_locations is True the information in this +# file will be returned with any location that is contained in this +# store. 
+#filesystem_store_metadata_file=None + +# ============ Swift Store Options ============================= + +# Version of the authentication service to use +# Valid versions are '2' for keystone and '1' for swauth and rackspace +#swift_store_auth_version=2 + +# Address where the Swift authentication service lives +# Valid schemes are 'http://' and 'https://' +# If no scheme specified, default to 'https://' +# For swauth, use something like '127.0.0.1:8080/v1.0/' +#swift_store_auth_address=127.0.0.1:5000/v2.0/ + +# User to authenticate against the Swift authentication service +# If you use Swift authentication service, set it to 'account':'user' +# where 'account' is a Swift storage account and 'user' +# is a user in that account +#swift_store_user=jdoe:jdoe + +# Auth key for the user authenticating against the +# Swift authentication service +#swift_store_key=a86850deb2742ec3cb41518e26aa2d89 + +# Container within the account that the account should use +# for storing images in Swift +#swift_store_container=glance + +# Do we create the container if it does not exist? +#swift_store_create_container_on_put=False + +# What size, in MB, should Glance start chunking image files +# and do a large object manifest in Swift? By default, this is +# the maximum object size in Swift, which is 5GB +#swift_store_large_object_size=5120 + +# swift_store_config_file = glance-swift.conf +# This file contains references for each of the configured +# Swift accounts/backing stores. If used, this option can prevent +# credentials being stored in the database. Using Swift references +# is disabled if this config is left blank. + +# The reference to the default Swift parameters to use for adding new images. +# default_swift_reference = 'ref1' + +# When doing a large object manifest, what size, in MB, should +# Glance write chunks to Swift? 
This amount of data is written +# to a temporary disk buffer during the process of chunking +# the image file, and the default is 200MB +#swift_store_large_object_chunk_size=200 + +# If set, the configured endpoint will be used. If None, the storage URL +# from the auth response will be used. The location of an object is +# obtained by appending the container and object to the configured URL. +# +# swift_store_endpoint = https://www.example.com/v1/not_a_container +#swift_store_endpoint = + +# If set to True enables multi-tenant storage mode which causes Glance images +# to be stored in tenant specific Swift accounts. +#swift_store_multi_tenant=False + +# If set to an integer value between 1 and 32, a single-tenant store will +# use multiple containers to store images. If set to the default value of 0, +# only a single container will be used. Multi-tenant stores are not affected +# by this option. The max number of containers that will be used to store +# images is approximately 16^N where N is the value of this option. Discuss +# the impact of this with your swift deployment team, as this option is only +# beneficial in the largest of deployments where swift rate limiting can lead +# to unwanted throttling on a single container. +#swift_store_multiple_containers_seed=0 + +# A list of swift ACL strings that will be applied as both read and +# write ACLs to the containers created by Glance in multi-tenant +# mode. This grants the specified tenants/users read and write access +# to all newly created image objects. The standard swift ACL string +# formats are allowed, including: +# : +# : +# *: +# Multiple ACLs can be combined using a comma separated list, for +# example: swift_store_admin_tenants = service:glance,*:admin +#swift_store_admin_tenants = + +# The region of the swift endpoint to be used for single tenant. This setting +# is only necessary if the tenant has multiple swift endpoints. 
+#swift_store_region = + +# If set to False, disables SSL layer compression of https swift requests. +# Setting to 'False' may improve performance for images which are already +# in a compressed format, eg qcow2. If set to True, enables SSL layer +# compression (provided it is supported by the target swift proxy). +#swift_store_ssl_compression=True + +# The number of times a Swift download will be retried before the +# request fails +#swift_store_retry_get_count=0 + +# Bypass SSL verification for Swift +#swift_store_auth_insecure=False + +# The path to a CA certificate bundle file to use for SSL verification when +# communicating with Swift. +#swift_store_cacert = + +# ============ S3 Store Options ============================= + +# Address where the S3 authentication service lives +# Valid schemes are 'http://' and 'https://' +# If no scheme specified, default to 'http://' +#s3_store_host=s3.amazonaws.com + +# User to authenticate against the S3 authentication service +#s3_store_access_key=<20-charAWSaccesskey> + +# Auth key for the user authenticating against the +# S3 authentication service +#s3_store_secret_key=<40-charAWSsecretkey> + +# Container within the account that the account should use +# for storing images in S3. Note that S3 has a flat namespace, +# so you need a unique bucket name for your glance images. An +# easy way to do this is append your AWS access key to "glance". +# S3 buckets in AWS *must* be lowercased, so remember to lowercase +# your AWS access key if you use it in your bucket name below! +#s3_store_bucket=glance + +# Do we create the bucket if it does not exist? +#s3_store_create_bucket_on_put=False + +# When sending images to S3, the data will first be written to a +# temporary buffer on disk. By default the platform's temporary directory +# will be used. If required, an alternative directory can be specified here. 
+#s3_store_object_buffer_dir=/path/to/dir + +# When forming a bucket url, boto will either set the bucket name as the +# subdomain or as the first token of the path. Amazon's S3 service will +# accept it as the subdomain, but Swift's S3 middleware requires it be +# in the path. Set this to 'path' or 'subdomain' - defaults to 'subdomain'. +#s3_store_bucket_url_format=subdomain + +# Size, in MB, should S3 start chunking image files +# and do a multipart upload in S3. The default is 100MB. +#s3_store_large_object_size=100 + +# Multipart upload part size, in MB, should S3 use when uploading +# parts. The size must be greater than or equal to +# 5MB. The default is 10MB. +#s3_store_large_object_chunk_size=10 + +# The number of thread pools to perform a multipart upload +# in S3. The default is 10. +#s3_store_thread_pools=10 + +# ============ RBD Store Options ============================= + +# Ceph configuration file path +# If using cephx authentication, this file should +# include a reference to the right keyring +# in a client. section +#rbd_store_ceph_conf=/etc/ceph/ceph.conf + +# RADOS user to authenticate as (only applicable if using cephx) +# If , a default will be chosen based on the client. section +# in rbd_store_ceph_conf +#rbd_store_user= + +# RADOS pool in which images are stored +#rbd_store_pool=images + +# RADOS images will be chunked into objects of this size (in megabytes). +# For best performance, this should be a power of two +#rbd_store_chunk_size=8 + +# ============ Sheepdog Store Options ============================= + +#sheepdog_store_address=localhost + +#sheepdog_store_port=7000 + +# Images will be chunked into objects of this size (in megabytes). 
+# For best performance, this should be a power of two +#sheepdog_store_chunk_size=64 + +# ============ Cinder Store Options =============================== + +# Info to match when looking for cinder in the service catalog +# Format is : separated values of the form: +# :: (string value) +#cinder_catalog_info=volume:cinder:publicURL + +# Override service catalog lookup with template for cinder endpoint +# e.g. http://localhost:8776/v1/%(project_id)s (string value) +#cinder_endpoint_template= + +# Region name of this node (string value) +#os_region_name= + +# Location of ca certicates file to use for cinder client requests +# (string value) +#cinder_ca_certificates_file= + +# Number of cinderclient retries on failed http calls (integer value) +#cinder_http_retries=3 + +# Allow to perform insecure SSL requests to cinder (boolean value) +#cinder_api_insecure=False + +# ============ VMware Datastore Store Options ===================== + +# ESX/ESXi or vCenter Server target system. +# The server value can be an IP address or a DNS name +# e.g. 127.0.0.1, 127.0.0.1:443, www.vmware-infra.com +#vmware_server_host= + +# Server username (string value) +#vmware_server_username= + +# Server password (string value) +#vmware_server_password= + +# Inventory path to a datacenter (string value) +# Value optional when vmware_server_ip is an ESX/ESXi host: if specified +# should be `ha-datacenter`. +# Deprecated in favor of vmware_datastores. +#vmware_datacenter_path= + +# Datastore associated with the datacenter (string value) +# Deprecated in favor of vmware_datastores. +#vmware_datastore_name= + +# A list of datastores where the image can be stored. +# This option may be specified multiple times for specifying multiple +# datastores. Either one of vmware_datastore_name or vmware_datastores is +# required. The datastore name should be specified after its datacenter +# path, separated by ":". An optional weight may be given after the datastore +# name, separated again by ":". 
Thus, the required format becomes
+# ::.
+# When adding an image, the datastore with highest weight will be selected,
+# unless there is not enough free space available in cases where the image size
+# is already known. If no weight is given, it is assumed to be zero and the
+# directory will be considered for selection last. If multiple datastores have
+# the same weight, then the one with the most free space available is selected.
+#vmware_datastores=
+
+# The number of times we retry on failures
+# e.g., socket error, etc (integer value)
+#vmware_api_retry_count=10
+
+# The interval used for polling remote tasks
+# invoked on VMware ESX/VC server in seconds (integer value)
+#vmware_task_poll_interval=5
+
+# Absolute path of the folder containing the images in the datastore
+# (string value)
+#vmware_store_image_dir=/openstack_glance
+
+# Allow to perform insecure SSL requests to the target system (boolean value)
+#vmware_api_insecure=False
\ No newline at end of file
diff --git a/contrib/ncf-openstack-technique/tree/50_techniques/openstack_glance_registry/defaults.json b/contrib/ncf-openstack-technique/tree/50_techniques/openstack_glance_registry/defaults.json
new file mode 100644
index 00000000..98b4a703
--- /dev/null
+++ b/contrib/ncf-openstack-technique/tree/50_techniques/openstack_glance_registry/defaults.json
@@ -0,0 +1,13 @@
+{
+ "controller": "controller",
+ "keystone": {
+ "user": "glance",
+ "password": "glance_password"
+ },
+ "database": {
+ "host": "controller",
+ "name": "glance",
+ "user": "glance",
+ "password": "glance_password"
+ },
+}
diff --git a/contrib/ncf-openstack-technique/tree/50_techniques/openstack_glance_registry/openstack_glance_registry.cf b/contrib/ncf-openstack-technique/tree/50_techniques/openstack_glance_registry/openstack_glance_registry.cf
new file mode 100644
index 00000000..6d93b3b1
--- /dev/null
+++ b/contrib/ncf-openstack-technique/tree/50_techniques/openstack_glance_registry/openstack_glance_registry.cf
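Review bot: The object closes with a trailing comma after the `database` block (`},` immediately followed by `}`), which is not valid JSON under RFC 8259 and will be rejected by any strict parser; the last member should close as `}` with no comma. Both `keystone.password` and `database.password` default to the literal `glance_password`, so if this file is what `data_load`/`data_merge` fall back to when no node-specific value is supplied (their definitions are not in this chunk), a host that was simply left unconfigured ends up with a well-known credential for the Glance service account and its database. Consider shipping those two values empty in the defaults so an unconfigured node fails to render visibly rather than succeeding with a guessable secret, and stating in the README that they must be overridden per deployment.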
@@ -0,0 +1,22 @@
+# @name openstack_glance_registry
+# @description Install, configure and ensure glance-registry is running. Uses a template file for configuration.
+# @version 0.1
+
+bundle agent openstack_glance_registry
+{
+ methods:
+ "method_call" usebundle => data_load("${this.bundle}"),
+ ifvarclass => concat("any");
+ "method_call" usebundle => package_install("openstack-glance python-glance python-glanceclient"),
+ ifvarclass => concat("any");
+ "method_call" usebundle => file_from_template_mustache_data("${variable_string.${this.bundle}_technique_path}/templates/glance-registry.conf.tpl", "/etc/glance/glance-registry.conf", "data_merge.${this.bundle}"),
+ ifvarclass => concat("any");
+ "method_call" usebundle => permissions_recurse("/etc/glance/", "640", "glance", "glance"),
+ ifvarclass => concat("any");
+ "method_call" usebundle => service_restart("openstack-glance-registry"),
+ ifvarclass => concat("any.file_from_template_mustache_data__etc_glance_glance_registry_conf_repaired");
+ "method_call" usebundle => service_ensure_running("openstack-glance-registry"),
+ ifvarclass => concat("any");
+ "method_call" usebundle => service_ensure_started_at_boot("openstack-glance-registry"),
+ ifvarclass => concat("any");
+}
diff --git a/contrib/ncf-openstack-technique/tree/50_techniques/openstack_glance_registry/templates/glance-registry.conf.tpl b/contrib/ncf-openstack-technique/tree/50_techniques/openstack_glance_registry/templates/glance-registry.conf.tpl
new file mode 100644
index 00000000..2ccab7a1
--- /dev/null
+++ b/contrib/ncf-openstack-technique/tree/50_techniques/openstack_glance_registry/templates/glance-registry.conf.tpl
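Review bot: `permissions_recurse("/etc/glance/", "640", "glance", "glance")` applies mode 640 to the directory `/etc/glance/` itself as well as to the files under it, if the generic method treats directories the same way as files (its definition is not in this patch); a directory without the execute bit cannot be traversed, so the `glance` user would be unable to open `/etc/glance/glance-registry.conf` even as its owner, and only root could read the service configuration. Tightening the rendered file to 640 is the right call since it carries the Keystone and MySQL passwords, but the directory needs at least 750: split this into one call that sets `750` on `/etc/glance` and one that sets `640` on the files inside, using whichever ncf permission method distinguishes directories from files. A comment on the call, `# config holds service and DB credentials: files 640, dir 750 so glance can still traverse it`, would record why the mode is stricter than the package default.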
@@ -0,0 +1,274 @@ +[DEFAULT] +# Show more verbose log output (sets INFO log level output) +#verbose=True + +# Show debugging output in logs (sets DEBUG log level output) +#debug=False + +# Address to bind the registry server +#bind_host=0.0.0.0 + +# Port the bind the registry server to +#bind_port=9191 + +# Log to this file. Make sure you do not set the same log file for both the API +# and registry servers! +# +# If `log_file` is omitted and `use_syslog` is false, then log messages are +# sent to stdout as a fallback. +#log_file=/var/log/glance/registry.log + +# Backlog requests when creating socket +#backlog=4096 + +# TCP_KEEPIDLE value in seconds when creating socket. +# Not supported on OS X. +#tcp_keepidle=600 + +# API to use for accessing data. Default value points to sqlalchemy +# package. +#data_api=glance.db.sqlalchemy.api + +# The number of child process workers that will be +# created to service Registry requests. The default will be +# equal to the number of CPUs available. (integer value) +#workers=None + +# Enable Registry API versions individually or simultaneously +#enable_v1_registry=True +#enable_v2_registry=True + +# Limit the api to return `param_limit_max` items in a call to a container. If +# a larger `limit` query param is provided, it will be reduced to this value. +#api_limit_max=1000 + +# If a `limit` query param is not provided in an api request, it will +# default to `limit_param_default` +#limit_param_default=25 + +# Role used to identify an authenticated user as administrator +#admin_role=admin + +# Enable DEBUG log messages from sqlalchemy which prints every database +# query and response. +# Default: False +#sqlalchemy_debug=True + +# http_keepalive option. If False, server will return the header +# "Connection: close", If True, server will return "Connection: Keep-Alive" +# in its responses. 
In order to close the client socket connection +# explicitly after the response is sent and read successfully by the client, +# you simply have to set this option to False when you create a wsgi server. +#http_keepalive=True + +# ================= Syslog Options ============================ + +# Send logs to syslog (/dev/log) instead of to file specified +# by `log_file` +#use_syslog=False + +# Facility to use. If unset defaults to LOG_USER. +#syslog_log_facility=LOG_LOCAL1 + +# ================= SSL Options =============================== + +# Certificate file to use when starting registry server securely +#cert_file=/path/to/certfile + +# Private key file to use when starting registry server securely +#key_file=/path/to/keyfile + +# CA certificate file to use to verify connecting clients +#ca_file=/path/to/cafile + +# ============ Notification System Options ===================== + +# Driver or drivers to handle sending notifications. Set to +# 'messaging' to send notifications to a message queue. +notification_driver = noop + +# Default publisher_id for outgoing notifications. 
+# default_publisher_id = image.localhost + +# Messaging driver used for 'messaging' notifications driver +# rpc_backend = 'rabbit' + +# Configuration options if sending notifications via rabbitmq (these are +# the defaults) +#rabbit_host=localhost +#rabbit_port=5672 +#rabbit_use_ssl=false +#rabbit_userid=guest +#rabbit_password=guest +#rabbit_virtual_host=/ +#rabbit_notification_exchange=glance +#rabbit_notification_topic=notifications +#rabbit_durable_queues=False + +# Configuration options if sending notifications via Qpid (these are +# the defaults) +#qpid_notification_exchange=glance +#qpid_notification_topic=notifications +#qpid_hostname=localhost +#qpid_port=5672 +#qpid_username= +#qpid_password= +#qpid_sasl_mechanisms= +#qpid_reconnect_timeout=0 +#qpid_reconnect_limit=0 +#qpid_reconnect_interval_min=0 +#qpid_reconnect_interval_max=0 +#qpid_reconnect_interval=0 +#qpid_heartbeat=5 +# Set to 'ssl' to enable SSL +#qpid_protocol=tcp +#qpid_tcp_nodelay=True + + +# =============== Policy Options ============================== + +[oslo_policy] +# The JSON file that defines policies. +# Deprecated group/name - [DEFAULT]/policy_file +#policy_file=policy.json + +# Default rule. Enforced when a requested rule is not found. +# Deprecated group/name - [DEFAULT]/policy_default_rule +#policy_default_rule=default + +# Directories where policy configuration files are stored. +# They can be relative to any directory in the search path +# defined by the config_dir option, or absolute paths. +# The file defined by policy_file must exist for these +# directories to be searched. 
+# Deprecated group/name - [DEFAULT]/policy_dirs +#policy_dirs=policy.d + +# ================= Database Options ========================== + +[database] +# The file name to use with SQLite (string value) +#sqlite_db=glance.sqlite + +# If True, SQLite uses synchronous mode (boolean value) +#sqlite_synchronous=True + +# The backend to use for db (string value) +# Deprecated group/name - [DEFAULT]/db_backend +#backend=sqlalchemy + +# The SQLAlchemy connection string used to connect to the +# database (string value) +# Deprecated group/name - [DEFAULT]/sql_connection +# Deprecated group/name - [DATABASE]/sql_connection +# Deprecated group/name - [sql]/connection +connection = mysql://{{database.user}}:{{database.password}}@{{database.host}}/{{database.name}} + +# The SQL mode to be used for MySQL sessions. This option, +# including the default, overrides any server-set SQL mode. To +# use whatever SQL mode is set by the server configuration, +# set this to no value. Example: mysql_sql_mode= (string +# value) +#mysql_sql_mode=TRADITIONAL + +# Timeout before idle sql connections are reaped (integer +# value) +# Deprecated group/name - [DEFAULT]/sql_idle_timeout +# Deprecated group/name - [DATABASE]/sql_idle_timeout +# Deprecated group/name - [sql]/idle_timeout +#idle_timeout=3600 + +# Minimum number of SQL connections to keep open in a pool +# (integer value) +# Deprecated group/name - [DEFAULT]/sql_min_pool_size +# Deprecated group/name - [DATABASE]/sql_min_pool_size +#min_pool_size=1 + +# Maximum number of SQL connections to keep open in a pool +# (integer value) +# Deprecated group/name - [DEFAULT]/sql_max_pool_size +# Deprecated group/name - [DATABASE]/sql_max_pool_size +#max_pool_size= + +# Maximum db connection retries during startup. 
(setting -1 +# implies an infinite retry count) (integer value) +# Deprecated group/name - [DEFAULT]/sql_max_retries +# Deprecated group/name - [DATABASE]/sql_max_retries +#max_retries=10 + +# Interval between retries of opening a sql connection +# (integer value) +# Deprecated group/name - [DEFAULT]/sql_retry_interval +# Deprecated group/name - [DATABASE]/reconnect_interval +#retry_interval=10 + +# If set, use this value for max_overflow with sqlalchemy +# (integer value) +# Deprecated group/name - [DEFAULT]/sql_max_overflow +# Deprecated group/name - [DATABASE]/sqlalchemy_max_overflow +#max_overflow= + +# Verbosity of SQL debugging information. 0=None, +# 100=Everything (integer value) +# Deprecated group/name - [DEFAULT]/sql_connection_debug +#connection_debug=0 + +# Add python stack traces to SQL as comment strings (boolean +# value) +# Deprecated group/name - [DEFAULT]/sql_connection_trace +#connection_trace=False + +# If set, use this value for pool_timeout with sqlalchemy +# (integer value) +# Deprecated group/name - [DATABASE]/sqlalchemy_pool_timeout +#pool_timeout= + +# Enable the experimental use of database reconnect on +# connection lost (boolean value) +#use_db_reconnect=False + +# seconds between db connection retries (integer value) +#db_retry_interval=1 + +# Whether to increase interval between db connection retries, +# up to db_max_retry_interval (boolean value) +#db_inc_retry_interval=True + +# max seconds between db connection retries, if +# db_inc_retry_interval is enabled (integer value) +#db_max_retry_interval=10 + +# maximum db connection retries before error is raised. 
+# (setting -1 implies an infinite retry count) (integer value)
+#db_max_retries=20
+
+[keystone_authtoken]
+auth_uri = http://{{controller}}:5000
+auth_url = http://{{controller}}:35357
+
+auth_plugin = password
+project_domain_id = default
+user_domain_id = default
+project_name = service
+username = {{keystone.user}}
+password = {{keystone.password}}
+#admin_tenant_name=%SERVICE_TENANT_NAME%
+#admin_user=%SERVICE_USER%
+#admin_password=%SERVICE_PASSWORD%
+
+[paste_deploy]
+# Name of the paste configuration file that defines the available pipelines
+#config_file=/usr/share/glance/glance-registry-dist-paste.ini
+
+# Partial name of a pipeline in your paste configuration file with the
+# service name removed. For example, if your paste section name is
+# [pipeline:glance-registry-keystone], you would configure the flavor below
+# as 'keystone'.
+flavor=keystone
+
+[profiler]
+# If False fully disable profiling feature.
+#enabled=False
+
+# If False doesn't trace SQL requests.
+#trace_sqlalchemy=False
\ No newline at end of file
diff --git a/contrib/ncf-openstack-technique/tree/50_techniques/openstack_horizon/defaults.json b/contrib/ncf-openstack-technique/tree/50_techniques/openstack_horizon/defaults.json
new file mode 100644
index 00000000..3ddc909d
--- /dev/null
+++ b/contrib/ncf-openstack-technique/tree/50_techniques/openstack_horizon/defaults.json
@@ -0,0 +1,4 @@
+{
+ "default_role": "user",
+ "controller": "127.0.0.1"
+}
diff --git a/contrib/ncf-openstack-technique/tree/50_techniques/openstack_horizon/openstack_horizon.cf b/contrib/ncf-openstack-technique/tree/50_techniques/openstack_horizon/openstack_horizon.cf
new file mode 100644
index 00000000..a5a25ccb
--- /dev/null
+++ b/contrib/ncf-openstack-technique/tree/50_techniques/openstack_horizon/openstack_horizon.cf
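Review bot: The secrets in `[database]` and `[keystone_authtoken]` are rendered through double-brace tags (`connection = mysql://{{database.user}}:{{database.password}}@{{database.host}}/{{database.name}}` and `password = {{keystone.password}}`); Mustache HTML-escapes double-brace values by default, and as far as I recall CFEngine's renderer follows that, so a password containing `&`, `<`, `>`, `"` or `'` would be written as an entity and both the MySQL and Keystone logins would fail at service start with nothing in the rendered file hinting at escaping. Use triple braces for every interpolated value, `connection = mysql://{{{database.user}}}:{{{database.password}}}@{{{database.host}}}/{{{database.name}}}` and `password = {{{keystone.password}}}`, and add a note next to `connection` that the DB password must also be URL-encoded because it is embedded in a URL. Separately, `auth_uri`/`auth_url` are fixed to `http://` on ports 5000/35357 and the MySQL URL carries no TLS parameter, so the service password and the DB password cross the network in clear; that may be fine for the Vagrant lab this contrib targets, but a comment such as `# plain HTTP to Keystone and unencrypted MySQL: lab only, use https and a CA bundle in production` would stop the template being copied as-is.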
@@ -0,0 +1,24 @@
+# @name openstack_horizon
+# @description Install, configure and ensure horizon is running. Uses a template file for configuration.
+# @version 0.1
+
+bundle agent openstack_horizon
+{
+ methods:
+ "method_call" usebundle => data_load("${this.bundle}"),
+ ifvarclass => concat("any");
+ "method_call" usebundle => package_install("openstack-dashboard httpd mod_wsgi memcached python-memcached"),
+ ifvarclass => concat("any.redhat");
+ "method_call" usebundle => file_from_template_mustache_data("${variable_string.${this.bundle}_technique_path}/templates/local_settings.tpl", "/etc/openstack-dashboard/local_settings", "data_merge.${this.bundle}"),
+ ifvarclass => concat("any");
+ "method_call" usebundle => command_execution("setsebool -P httpd_can_network_connect on"),
+ ifvarclass => concat("any");
+ "method_call" usebundle => command_execution("chown -R apache:apache /usr/share/openstack-dashboard/static"),
+ ifvarclass => concat("any");
+ "method_call" usebundle => service_restart("httpd memcached"),
+ ifvarclass => concat("any.file_from_template_mustache_data__etc_openstack_dashboard_local_settings_repaired");
+ "method_call" usebundle => service_ensure_running("httpd memcached"),
+ ifvarclass => concat("any");
+ "method_call" usebundle => service_ensure_started_at_boot("httpd memcached"),
+ ifvarclass => concat("any");
+}
diff --git a/contrib/ncf-openstack-technique/tree/50_techniques/openstack_horizon/templates/local_settings.tpl b/contrib/ncf-openstack-technique/tree/50_techniques/openstack_horizon/templates/local_settings.tpl
new file mode 100644
index 00000000..34b8d01c
--- /dev/null
+++ b/contrib/ncf-openstack-technique/tree/50_techniques/openstack_horizon/templates/local_settings.tpl
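Review bot: The rendered `/etc/openstack-dashboard/local_settings` is never given an explicit owner or mode here, unlike the glance technique in this same patch which restricts its config to 640, yet the template it comes from carries Django's `SECRET_KEY` and the `file_from_template_mustache_data` default mode is not visible in the patch; add `"method_call" usebundle => permissions("/etc/openstack-dashboard/local_settings", "640", "root", "apache"),` with `ifvarclass => concat("any");` directly after the template call so the dashboard can read it but other local users cannot. The `package_install` is gated on `any.redhat` while every other call is gated on `any`, so on a non-Red Hat host the `setsebool` and `chown` commands would run and fail on every pass; either gate the whole bundle on `redhat` or drop the inconsistency. The two `command_execution` calls are also not idempotent: `setsebool -P` rewrites the persistent SELinux policy store on each agent run, and `chown -R ...` could be expressed with an ncf permission method that reports kept/repaired instead of always reporting repaired.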
@@ -0,0 +1,638 @@ +import os + +from django.utils.translation import ugettext_lazy as _ + +from openstack_dashboard import exceptions + +DEBUG = False +TEMPLATE_DEBUG = DEBUG + + +# WEBROOT is the location relative to Webserver root +# should end with a slash. +WEBROOT = '/dashboard/' +# LOGIN_URL = WEBROOT + 'auth/login/' +# LOGOUT_URL = WEBROOT + 'auth/logout/' +# +# LOGIN_REDIRECT_URL can be used as an alternative for +# HORIZON_CONFIG.user_home, if user_home is not set. +# Do not set it to '/home/', as this will cause circular redirect loop +# LOGIN_REDIRECT_URL = WEBROOT + + +# Required for Django 1.5. +# If horizon is running in production (DEBUG is False), set this +# with the list of host/domain names that the application can serve. +# For more information see: +# https://docs.djangoproject.com/en/dev/ref/settings/#allowed-hosts +ALLOWED_HOSTS = ['*'] + +# Set SSL proxy settings: +# For Django 1.4+ pass this header from the proxy after terminating the SSL, +# and don't forget to strip it from the client's request. +# For more information see: +# https://docs.djangoproject.com/en/1.4/ref/settings/#secure-proxy-ssl-header +#SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTOCOL', 'https') + +# If Horizon is being served through SSL, then uncomment the following two +# settings to better secure the cookies from security exploits +#CSRF_COOKIE_SECURE = True +#SESSION_COOKIE_SECURE = True + +# Overrides for OpenStack API versions. Use this setting to force the +# OpenStack dashboard to use a specific API version for a given service API. +# Versions specified here should be integers or floats, not strings. +# NOTE: The version should be formatted as it appears in the URL for the +# service API. For example, The identity service APIs have inconsistent +# use of the decimal point, so valid options would be 2.0 or 3. +#OPENSTACK_API_VERSIONS = { +# "data-processing": 1.1, +# "identity": 3, +# "volume": 2, +#} + +# Set this to True if running on multi-domain model. 
When this is enabled, it +# will require user to enter the Domain name in addition to username for login. +#OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT = False + +# Overrides the default domain used when running on single-domain model +# with Keystone V3. All entities will be created in the default domain. +#OPENSTACK_KEYSTONE_DEFAULT_DOMAIN = 'Default' + +# Set Console type: +# valid options would be "AUTO"(default), "VNC", "SPICE", "RDP", "SERIAL" or None +# Set to None explicitly if you want to deactivate the console. +#CONSOLE_TYPE = "AUTO" + +# Default OpenStack Dashboard configuration. +HORIZON_CONFIG = { + 'user_home': 'openstack_dashboard.views.get_user_home', + 'ajax_queue_limit': 10, + 'auto_fade_alerts': { + 'delay': 3000, + 'fade_duration': 1500, + 'types': ['alert-success', 'alert-info'] + }, + 'help_url': "http://docs.openstack.org", + 'exceptions': {'recoverable': exceptions.RECOVERABLE, + 'not_found': exceptions.NOT_FOUND, + 'unauthorized': exceptions.UNAUTHORIZED}, + 'modal_backdrop': 'static', + 'angular_modules': [], + 'js_files': [], + 'js_spec_files': [], +} + +# Specify a regular expression to validate user passwords. +#HORIZON_CONFIG["password_validator"] = { +# "regex": '.*', +# "help_text": _("Your password does not meet the requirements."), +#} + +# Disable simplified floating IP address management for deployments with +# multiple floating IP pools or complex network requirements. +#HORIZON_CONFIG["simple_ip_management"] = False + +# Turn off browser autocompletion for forms including the login form and +# the database creation workflow if so desired. +#HORIZON_CONFIG["password_autocomplete"] = "off" + +# Setting this to True will disable the reveal button for password fields, +# including on the login form. +#HORIZON_CONFIG["disable_password_reveal"] = False + + +# Set custom secret key: +# You can either set it to a specific value or you can let horizon generate a +# default secret key that is unique on this machine, e.i. 
regardless of the +# amount of Python WSGI workers (if used behind Apache+mod_wsgi): However, there +# may be situations where you would want to set this explicitly, e.g. when +# multiple dashboard instances are distributed on different machines (usually +# behind a load-balancer). Either you have to make sure that a session gets all +# requests routed to the same dashboard instance or you set the same SECRET_KEY +# for all of them. +LOCAL_PATH = '/tmp' +SECRET_KEY='262f8a9c447919dcdfe3' + +# We recommend you use memcached for development; otherwise after every reload +# of the django development server, you will have to login again. To use +# memcached set CACHES to something like +#CACHES = { +# 'default': { +# 'BACKEND': 'django.core.cache.backends.memcached.MemcachedCache', +# 'LOCATION': '127.0.0.1:11211', +# } +#} + +CACHES = { + 'default': { + 'BACKEND': 'django.core.cache.backends.memcached.MemcachedCache', + 'LOCATION': '127.0.0.1:11211', + } +} + +# Send email to the console by default +EMAIL_BACKEND = 'django.core.mail.backends.console.EmailBackend' +# Or send them to /dev/null +#EMAIL_BACKEND = 'django.core.mail.backends.dummy.EmailBackend' + +# Configure these for your outgoing email host +#EMAIL_HOST = 'smtp.my-company.com' +#EMAIL_PORT = 25 +#EMAIL_HOST_USER = 'djangomail' +#EMAIL_HOST_PASSWORD = 'top-secret!' + +# For multiple regions uncomment this configuration, and add (endpoint, title). +#AVAILABLE_REGIONS = [ +# ('http://cluster1.example.com:5000/v2.0', 'cluster1'), +# ('http://cluster2.example.com:5000/v2.0', 'cluster2'), +#] + +OPENSTACK_HOST = "{{controller}}" +OPENSTACK_KEYSTONE_URL = "http://%s:5000/v2.0" % OPENSTACK_HOST +OPENSTACK_KEYSTONE_DEFAULT_ROLE = "{{default_role}}" + +# Enables keystone web single-sign-on if set to True. +#WEBSSO_ENABLED = False + +# Determines which authentication choice to show as default. 
+#WEBSSO_INITIAL_CHOICE = "credentials" + +# The list of authentication mechanisms +# which include keystone federation protocols. +# Current supported protocol IDs are 'saml2' and 'oidc' +# which represent SAML 2.0, OpenID Connect respectively. +# Do not remove the mandatory credentials mechanism. +#WEBSSO_CHOICES = ( +# ("credentials", _("Keystone Credentials")), +# ("oidc", _("OpenID Connect")), +# ("saml2", _("Security Assertion Markup Language"))) + +# Disable SSL certificate checks (useful for self-signed certificates): +#OPENSTACK_SSL_NO_VERIFY = True + +# The CA certificate to use to verify SSL connections +#OPENSTACK_SSL_CACERT = '/path/to/cacert.pem' + +# The OPENSTACK_KEYSTONE_BACKEND settings can be used to identify the +# capabilities of the auth backend for Keystone. +# If Keystone has been configured to use LDAP as the auth backend then set +# can_edit_user to False and name to 'ldap'. +# +# TODO(tres): Remove these once Keystone has an API to identify auth backend. +OPENSTACK_KEYSTONE_BACKEND = { + 'name': 'native', + 'can_edit_user': True, + 'can_edit_group': True, + 'can_edit_project': True, + 'can_edit_domain': True, + 'can_edit_role': True, +} + +# Setting this to True, will add a new "Retrieve Password" action on instance, +# allowing Admin session password retrieval/decryption. +#OPENSTACK_ENABLE_PASSWORD_RETRIEVE = False + +# The Launch Instance user experience has been significantly enhanced. +# You can choose whether to enable the new launch instance experience, +# the legacy experience, or both. The legacy experience will be removed +# in a future release, but is available as a temporary backup setting to ensure +# compatibility with existing deployments. Further development will not be +# done on the legacy experience. Please report any problems with the new +# experience via the Launchpad tracking system. +# +# Toggle LAUNCH_INSTANCE_LEGACY_ENABLED and LAUNCH_INSTANCE_NG_ENABLED to +# determine the experience to enable. 
Set them both to true to enable +# both. +#LAUNCH_INSTANCE_LEGACY_ENABLED = True +#LAUNCH_INSTANCE_NG_ENABLED = False + +# The Xen Hypervisor has the ability to set the mount point for volumes +# attached to instances (other Hypervisors currently do not). Setting +# can_set_mount_point to True will add the option to set the mount point +# from the UI. +OPENSTACK_HYPERVISOR_FEATURES = { + 'can_set_mount_point': False, + 'can_set_password': False, +} + +# The OPENSTACK_CINDER_FEATURES settings can be used to enable optional +# services provided by cinder that is not exposed by its extension API. +OPENSTACK_CINDER_FEATURES = { + 'enable_backup': False, +} + +# The OPENSTACK_NEUTRON_NETWORK settings can be used to enable optional +# services provided by neutron. Options currently available are load +# balancer service, security groups, quotas, VPN service. +OPENSTACK_NEUTRON_NETWORK = { + 'enable_router': True, + 'enable_quotas': True, + 'enable_ipv6': True, + 'enable_distributed_router': False, + 'enable_ha_router': False, + 'enable_lb': True, + 'enable_firewall': True, + 'enable_vpn': True, + + # The profile_support option is used to detect if an external router can be + # configured via the dashboard. When using specific plugins the + # profile_support can be turned on if needed. + 'profile_support': None, + #'profile_support': 'cisco', + + # Set which provider network types are supported. Only the network types + # in this list will be available to choose from when creating a network. + # Network types include local, flat, vlan, gre, and vxlan. + 'supported_provider_types': ['*'], + + # Set which VNIC types are supported for port binding. Only the VNIC + # types in this list will be available to choose from when creating a + # port. + # VNIC types include 'normal', 'macvtap' and 'direct'. 
+ 'supported_vnic_types': ['*'] +} + +# The OPENSTACK_IMAGE_BACKEND settings can be used to customize features +# in the OpenStack Dashboard related to the Image service, such as the list +# of supported image formats. +#OPENSTACK_IMAGE_BACKEND = { +# 'image_formats': [ +# ('', _('Select format')), +# ('aki', _('AKI - Amazon Kernel Image')), +# ('ami', _('AMI - Amazon Machine Image')), +# ('ari', _('ARI - Amazon Ramdisk Image')), +# ('iso', _('ISO - Optical Disk Image')), +# ('ova', _('OVA - Open Virtual Appliance')), +# ('qcow2', _('QCOW2 - QEMU Emulator')), +# ('raw', _('Raw')), +# ('vdi', _('VDI - Virtual Disk Image')), +# ('vhd', ('VHD - Virtual Hard Disk')), +# ('vmdk', _('VMDK - Virtual Machine Disk')), +# ] +#} + +# The IMAGE_CUSTOM_PROPERTY_TITLES settings is used to customize the titles for +# image custom property attributes that appear on image detail pages. +IMAGE_CUSTOM_PROPERTY_TITLES = { + "architecture": _("Architecture"), + "kernel_id": _("Kernel ID"), + "ramdisk_id": _("Ramdisk ID"), + "image_state": _("Euca2ools state"), + "project_id": _("Project ID"), + "image_type": _("Image Type"), +} + +# The IMAGE_RESERVED_CUSTOM_PROPERTIES setting is used to specify which image +# custom properties should not be displayed in the Image Custom Properties +# table. +IMAGE_RESERVED_CUSTOM_PROPERTIES = [] + +# OPENSTACK_ENDPOINT_TYPE specifies the endpoint type to use for the endpoints +# in the Keystone service catalog. Use this setting when Horizon is running +# external to the OpenStack environment. The default is 'publicURL'. +#OPENSTACK_ENDPOINT_TYPE = "publicURL" + +# SECONDARY_ENDPOINT_TYPE specifies the fallback endpoint type to use in the +# case that OPENSTACK_ENDPOINT_TYPE is not present in the endpoints +# in the Keystone service catalog. Use this setting when Horizon is running +# external to the OpenStack environment. The default is None. This +# value should differ from OPENSTACK_ENDPOINT_TYPE if used. 
+#SECONDARY_ENDPOINT_TYPE = "publicURL" + +# The number of objects (Swift containers/objects or images) to display +# on a single page before providing a paging element (a "more" link) +# to paginate results. +API_RESULT_LIMIT = 1000 +API_RESULT_PAGE_SIZE = 20 + +# The size of chunk in bytes for downloading objects from Swift +SWIFT_FILE_TRANSFER_CHUNK_SIZE = 512 * 1024 + +# Specify a maximum number of items to display in a dropdown. +DROPDOWN_MAX_ITEMS = 30 + +# The timezone of the server. This should correspond with the timezone +# of your entire OpenStack installation, and hopefully be in UTC. +TIME_ZONE = "UTC" + +# When launching an instance, the menu of available flavors is +# sorted by RAM usage, ascending. If you would like a different sort order, +# you can provide another flavor attribute as sorting key. Alternatively, you +# can provide a custom callback method to use for sorting. You can also provide +# a flag for reverse sort. For more info, see +# http://docs.python.org/2/library/functions.html#sorted +#CREATE_INSTANCE_FLAVOR_SORT = { +# 'key': 'name', +# # or +# 'key': my_awesome_callback_method, +# 'reverse': False, +#} + +# Set this to True to display an 'Admin Password' field on the Change Password +# form to verify that it is indeed the admin logged-in who wants to change +# the password. +# ENFORCE_PASSWORD_CHECK = False + +# Modules that provide /auth routes that can be used to handle different types +# of user authentication. Add auth plugins that require extra route handling to +# this list. +#AUTHENTICATION_URLS = [ +# 'openstack_auth.urls', +#] + +# The Horizon Policy Enforcement engine uses these values to load per service +# policy rule files. The content of these files should match the files the +# OpenStack services are using to determine role based access control in the +# target installation. 
+ +# Path to directory containing policy.json files +# POLICY_FILES_PATH = os.path.join(ROOT_PATH, "conf") +POLICY_FILES_PATH = '/etc/openstack-dashboard' +# Map of local copy of service policy files +#POLICY_FILES = { +# 'identity': 'keystone_policy.json', +# 'compute': 'nova_policy.json', +# 'volume': 'cinder_policy.json', +# 'image': 'glance_policy.json', +# 'orchestration': 'heat_policy.json', +# 'network': 'neutron_policy.json', +# 'telemetry': 'ceilometer_policy.json', +#} + +# Trove user and database extension support. By default support for +# creating users and databases on database instances is turned on. +# To disable these extensions set the permission here to something +# unusable such as ["!"]. +# TROVE_ADD_USER_PERMS = [] +# TROVE_ADD_DATABASE_PERMS = [] + +# Change this patch to the appropriate static directory containing +# two files: _variables.scss and _styles.scss +#CUSTOM_THEME_PATH = 'static/themes/default' + +LOGGING = { + 'version': 1, + # When set to True this will disable all logging except + # for loggers specified in this configuration dictionary. Note that + # if nothing is specified here and disable_existing_loggers is True, + # django.db.backends will still log unless it is disabled explicitly. + 'disable_existing_loggers': False, + 'handlers': { + 'null': { + 'level': 'DEBUG', + 'class': 'django.utils.log.NullHandler', + }, + 'console': { + # Set the level to "DEBUG" for verbose output logging. + 'level': 'INFO', + 'class': 'logging.StreamHandler', + }, + }, + 'loggers': { + # Logging from django.db.backends is VERY verbose, send to null + # by default. 
+ 'django.db.backends': { + 'handlers': ['null'], + 'propagate': False, + }, + 'requests': { + 'handlers': ['null'], + 'propagate': False, + }, + 'horizon': { + 'handlers': ['console'], + 'level': 'DEBUG', + 'propagate': False, + }, + 'openstack_dashboard': { + 'handlers': ['console'], + 'level': 'DEBUG', + 'propagate': False, + }, + 'novaclient': { + 'handlers': ['console'], + 'level': 'DEBUG', + 'propagate': False, + }, + 'cinderclient': { + 'handlers': ['console'], + 'level': 'DEBUG', + 'propagate': False, + }, + 'keystoneclient': { + 'handlers': ['console'], + 'level': 'DEBUG', + 'propagate': False, + }, + 'glanceclient': { + 'handlers': ['console'], + 'level': 'DEBUG', + 'propagate': False, + }, + 'neutronclient': { + 'handlers': ['console'], + 'level': 'DEBUG', + 'propagate': False, + }, + 'heatclient': { + 'handlers': ['console'], + 'level': 'DEBUG', + 'propagate': False, + }, + 'ceilometerclient': { + 'handlers': ['console'], + 'level': 'DEBUG', + 'propagate': False, + }, + 'troveclient': { + 'handlers': ['console'], + 'level': 'DEBUG', + 'propagate': False, + }, + 'swiftclient': { + 'handlers': ['console'], + 'level': 'DEBUG', + 'propagate': False, + }, + 'openstack_auth': { + 'handlers': ['console'], + 'level': 'DEBUG', + 'propagate': False, + }, + 'nose.plugins.manager': { + 'handlers': ['console'], + 'level': 'DEBUG', + 'propagate': False, + }, + 'django': { + 'handlers': ['console'], + 'level': 'DEBUG', + 'propagate': False, + }, + 'iso8601': { + 'handlers': ['null'], + 'propagate': False, + }, + 'scss': { + 'handlers': ['null'], + 'propagate': False, + }, + } +} + +# 'direction' should not be specified for all_tcp/udp/icmp. +# It is specified in the form. 
+SECURITY_GROUP_RULES = { + 'all_tcp': { + 'name': _('All TCP'), + 'ip_protocol': 'tcp', + 'from_port': '1', + 'to_port': '65535', + }, + 'all_udp': { + 'name': _('All UDP'), + 'ip_protocol': 'udp', + 'from_port': '1', + 'to_port': '65535', + }, + 'all_icmp': { + 'name': _('All ICMP'), + 'ip_protocol': 'icmp', + 'from_port': '-1', + 'to_port': '-1', + }, + 'ssh': { + 'name': 'SSH', + 'ip_protocol': 'tcp', + 'from_port': '22', + 'to_port': '22', + }, + 'smtp': { + 'name': 'SMTP', + 'ip_protocol': 'tcp', + 'from_port': '25', + 'to_port': '25', + }, + 'dns': { + 'name': 'DNS', + 'ip_protocol': 'tcp', + 'from_port': '53', + 'to_port': '53', + }, + 'http': { + 'name': 'HTTP', + 'ip_protocol': 'tcp', + 'from_port': '80', + 'to_port': '80', + }, + 'pop3': { + 'name': 'POP3', + 'ip_protocol': 'tcp', + 'from_port': '110', + 'to_port': '110', + }, + 'imap': { + 'name': 'IMAP', + 'ip_protocol': 'tcp', + 'from_port': '143', + 'to_port': '143', + }, + 'ldap': { + 'name': 'LDAP', + 'ip_protocol': 'tcp', + 'from_port': '389', + 'to_port': '389', + }, + 'https': { + 'name': 'HTTPS', + 'ip_protocol': 'tcp', + 'from_port': '443', + 'to_port': '443', + }, + 'smtps': { + 'name': 'SMTPS', + 'ip_protocol': 'tcp', + 'from_port': '465', + 'to_port': '465', + }, + 'imaps': { + 'name': 'IMAPS', + 'ip_protocol': 'tcp', + 'from_port': '993', + 'to_port': '993', + }, + 'pop3s': { + 'name': 'POP3S', + 'ip_protocol': 'tcp', + 'from_port': '995', + 'to_port': '995', + }, + 'ms_sql': { + 'name': 'MS SQL', + 'ip_protocol': 'tcp', + 'from_port': '1433', + 'to_port': '1433', + }, + 'mysql': { + 'name': 'MYSQL', + 'ip_protocol': 'tcp', + 'from_port': '3306', + 'to_port': '3306', + }, + 'rdp': { + 'name': 'RDP', + 'ip_protocol': 'tcp', + 'from_port': '3389', + 'to_port': '3389', + }, +} + +# Deprecation Notice: +# +# The setting FLAVOR_EXTRA_KEYS has been deprecated. +# Please load extra spec metadata into the Glance Metadata Definition Catalog. 
+# +# The sample quota definitions can be found in: +# /etc/metadefs/compute-quota.json +# +# The metadata definition catalog supports CLI and API: +# $glance --os-image-api-version 2 help md-namespace-import +# $glance-manage db_load_metadefs +# +# See Metadata Definitions on: http://docs.openstack.org/developer/glance/ + +# Indicate to the Sahara data processing service whether or not +# automatic floating IP allocation is in effect. If it is not +# in effect, the user will be prompted to choose a floating IP +# pool for use in their cluster. False by default. You would want +# to set this to True if you were running Nova Networking with +# auto_assign_floating_ip = True. +#SAHARA_AUTO_IP_ALLOCATION_ENABLED = False + +# The hash algorithm to use for authentication tokens. This must +# match the hash algorithm that the identity server and the +# auth_token middleware are using. Allowed values are the +# algorithms supported by Python's hashlib library. +#OPENSTACK_TOKEN_HASH_ALGORITHM = 'md5' + +# AngularJS requires some settings to be made available to +# the client side. Some settings are required by in-tree / built-in horizon +# features. These settings must be added to REST_API_REQUIRED_SETTINGS in the +# form of ['SETTING_1','SETTING_2'], etc. +# +# You may remove settings from this list for security purposes, but do so at +# the risk of breaking a built-in horizon feature. These settings are required +# for horizon to function properly. Only remove them if you know what you +# are doing. These settings may in the future be moved to be defined within +# the enabled panel configuration. +# You should not add settings to this list for out of tree extensions. +# See: https://wiki.openstack.org/wiki/Horizon/RESTAPI +REST_API_REQUIRED_SETTINGS = ['OPENSTACK_HYPERVISOR_FEATURES'] + +# Additional settings can be made available to the client side for +# extensibility by specifying them in REST_API_ADDITIONAL_SETTINGS +# !! 
Please use extreme caution as the settings are transferred via HTTP/S
+# and are not encrypted on the browser. This is an experimental API and
+# may be deprecated in the future without notice.
+#REST_API_ADDITIONAL_SETTINGS = []
\ No newline at end of file
diff --git a/contrib/ncf-openstack-technique/tree/50_techniques/openstack_keystone/defaults.json b/contrib/ncf-openstack-technique/tree/50_techniques/openstack_keystone/defaults.json
new file mode 100644
index 00000000..02cef38b
--- /dev/null
+++ b/contrib/ncf-openstack-technique/tree/50_techniques/openstack_keystone/defaults.json
@@ -0,0 +1,37 @@
+{
+ "database": {
+ "user": "keystone",
+ "password": "keystone_password",
+ "name": "keystone",
+ "host": "192.168.20.2"
+ },
+ "admin": {
+ "project":"admin",
+ "tenant":"admin",
+ "user":"admin",
+ "password":"admin_password",
+ "controller":"controller",
+ "port":"35357",
+ "token": "myadmintoken"
+ },
+ "demo": {
+ "project":"demo",
+ "tenant":"demo",
+ "user":"demo",
+ "password":"demo_password",
+ "controller":"controller",
+ "port":"5000"
+ },
+ "glance": {
+ "user":"glance",
+ "password":"glance_password",
+ "controller":"controller",
+ },
+ "nova": {
+ "user":"nova",
+ "password":"nova_password",
+ "controller":"controller",
+ },
+ "hash_algorithm": "sha256",
+ "enable_admin_token": false
+}
\ No newline at end of file
diff --git a/contrib/ncf-openstack-technique/tree/50_techniques/openstack_keystone/openstack_keystone.cf b/contrib/ncf-openstack-technique/tree/50_techniques/openstack_keystone/openstack_keystone.cf
new file mode 100644
index 00000000..a434050e
--- /dev/null
+++ b/contrib/ncf-openstack-technique/tree/50_techniques/openstack_keystone/openstack_keystone.cf
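Review bot: The `glance` and `nova` objects end with a trailing comma (`"controller":"controller",` immediately followed by `},`), which is not valid JSON; whether the technique's data_load method tolerates it I cannot tell from here, but a strict parser rejects the whole file, so the comma should be dropped on both lines. The file also ships a literal bootstrap token (`"token": "myadmintoken"`) and plaintext database and service passwords as the baseline loaded on every node; the README for the technique should state that these are placeholders to be overridden per deployment rather than values to run with.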
@@ -0,0 +1,42 @@
+# @name openstack_keystone
+# @description Install, configure and ensure keystone is running. Uses a template file for configuration.
+# @version 0.1
+
+bundle agent openstack_keystone
+{
+ methods:
+ "method_call" usebundle => data_load("${this.bundle}"),
+ ifvarclass => concat("any");
+ "method_call" usebundle => package_install("openstack-keystone"),
+ ifvarclass => concat("any");
+ "method_call" usebundle => package_install("python-openstackclient"),
+ ifvarclass => concat("any");
+ "method_call" usebundle => package_install("memcached"),
+ ifvarclass => concat("any");
+ "method_call" usebundle => package_install("python-memcached"),
+ ifvarclass => concat("any");
+ "method_call" usebundle => file_from_template_mustache_data("${variable_string.${this.bundle}_technique_path}/templates/keystone.conf.tpl", "/etc/keystone/keystone.conf", "data_merge.${this.bundle}"),
+ ifvarclass => concat("any");
+ "method_call" usebundle => file_from_template_mustache_data("${variable_string.${this.bundle}_technique_path}/templates/keystone-paste.ini.tpl", "/etc/keystone/keystone-paste.ini", "data_merge.${this.bundle}"),
+ ifvarclass => concat("any");
+ "method_call" usebundle => permissions_recurse("/etc/keystone/", "640", "keystone", "keystone"),
+ ifvarclass => concat("any");
+ "method_call" usebundle => command_execution("su -s /bin/sh -c \"keystone-manage db_sync\" keystone"),
+ ifvarclass => concat("any.file_from_template_mustache_data__etc_keystone_keystone_conf_repaired");
+ "method_call" usebundle => service_restart("openstack-keystone"),
+ ifvarclass => concat("any.(file_from_template_mustache_data__etc_keystone_keystone_conf_repaired|file_from_template_mustache_data__etc_keystone_keystone_paste_ini_repaired)");
+ "method_call" usebundle => file_from_template_mustache_data("${variable_string.${this.bundle}_technique_path}/templates/identity-init.sh.tpl", "/root/.openstack/identity-init.sh", "data_merge.${this.bundle}"),
+ ifvarclass => concat("any");
+ "method_call" usebundle => command_execution("sh /root/.openstack/identity-init.sh"),
+ ifvarclass => concat("any.file_from_template_mustache_data__root__openstack_identity_init_sh_repaired");
+ "method_call" usebundle => file_from_template_mustache_data("${variable_string.${this.bundle}_technique_path}/templates/openrc.sh.tpl", "/root/.openstack/admin-openrc.sh", "data_merge.${this.bundle}"),
+ ifvarclass => concat("any");
+ "method_call" usebundle => service_ensure_running("openstack-keystone"),
+ ifvarclass => concat("any");
+ "method_call" usebundle => service_ensure_running("memcached"),
+ ifvarclass => concat("any");
+ "method_call" usebundle => service_ensure_started_at_boot("openstack-keystone"),
+ ifvarclass => concat("any");
+ "method_call" usebundle => service_ensure_started_at_boot("memcached"),
+ ifvarclass => concat("any");
+}
diff --git a/contrib/ncf-openstack-technique/tree/50_techniques/openstack_keystone/templates/identity-init.sh.tpl b/contrib/ncf-openstack-technique/tree/50_techniques/openstack_keystone/templates/identity-init.sh.tpl
new file mode 100644
index 00000000..d3e6609d
--- /dev/null
+++ b/contrib/ncf-openstack-technique/tree/50_techniques/openstack_keystone/templates/identity-init.sh.tpl
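Review bot: The rendered `/root/.openstack/identity-init.sh` and `/root/.openstack/admin-openrc.sh` carry the admin token and the plaintext passwords from the merged data, but no method call sets their mode or owner after `file_from_template_mustache_data` writes them, so they are created with whatever the agent's umask gives. Adding `"method_call" usebundle => permissions("/root/.openstack/identity-init.sh", "600", "root", "root"), ifvarclass => concat("any");` after the template call, and the same for admin-openrc.sh, closes that. Separately, `permissions_recurse("/etc/keystone/", "640", "keystone", "keystone")` presumably applies 640 to the directory itself as well as its files, which would drop the directory's execute bit; verify that the keystone service can still traverse `/etc/keystone` after a run. Note too that the identity-init script is re-executed on every repair of its template, and the `create` calls it contains are not idempotent, so a later edit of the data will re-run them against an already populated catalog.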
@@ -0,0 +1,28 @@
+#!/bin/sh
+
+openstack="/usr/bin/openstack --os-token {{admin.token}} --os-url http://{{admin.controller}}:{{admin.port}}/v2.0"
+
+${openstack} service create --name keystone --description "OpenStack Identity" identity
+${openstack} endpoint create --publicurl http://{{admin.controller}}:5000/v2.0 --internalurl http://{{admin.controller}}:5000/v2.0 --adminurl http://{{admin.controller}}:35357/v2.0 --region RegionOne identity
+
+${openstack} project create --description "Admin Project" {{admin.project}}
+${openstack} user create --password {{admin.password}} {{admin.user}}
+${openstack} role create admin
+${openstack} role add --project {{admin.project}} --user {{admin.user}} admin
+
+${openstack} project create --description "Service Project" service
+
+${openstack} project create --description "Demo Project" {{demo.project}}
+${openstack} user create --password {{demo.password}} {{demo.user}}
+${openstack} role create user
+${openstack} role add --project {{demo.project}} --user {{demo.user}} user
+
+${openstack} user create --password {{glance.password}} {{glance.user}}
+${openstack} role add --project service --user {{glance.user}} admin
+${openstack} service create --name glance --description "OpenStack Image service" image
+${openstack} endpoint create --publicurl http://{{admin.controller}}:9292 --internalurl http://{{admin.controller}}:9292 --adminurl http://{{admin.controller}}:9292 --region RegionOne image
+
+${openstack} user create --password {{nova.password}} {{nova.user}}
+${openstack} role add --project service --user {{nova.user}} admin
+${openstack} service create --name nova --description "OpenStack Compute" compute
+${openstack} endpoint create --publicurl http://{{admin.controller}}:8774/v2/%\(tenant_id\)s --internalurl http://{{admin.controller}}:8774/v2/%\(tenant_id\)s --adminurl http://{{admin.controller}}:8774/v2/%\(tenant_id\)s --region RegionOne compute
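Review bot: The bootstrap token and every user password are passed on the command line (`--os-token {{admin.token}}`, `--password {{admin.password}}`), so they are visible in the process listing for the duration of each `openstack` call; openstackclient reads the same connection values from the environment, so `export OS_TOKEN='{{admin.token}}' OS_URL='http://{{admin.controller}}:{{admin.port}}/v2.0'` together with `openstack=/usr/bin/openstack` keeps the token off argv, and the remaining expansions should at least be double-quoted so a password containing spaces or shell metacharacters does not split or expand. The script also has no `set -e`, so a failed `service create` or `project create` does not stop the later `role add` and `endpoint create` calls from running against a half-built catalog; `set -e` after the shebang is enough. Because the calling technique re-runs this script whenever its template is repaired, the unconditional `create` commands will also error on any second run.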
diff --git a/contrib/ncf-openstack-technique/tree/50_techniques/openstack_keystone/templates/keystone-paste.ini.tpl b/contrib/ncf-openstack-technique/tree/50_techniques/openstack_keystone/templates/keystone-paste.ini.tpl
new file mode 100644
index 00000000..b5a47fa8
--- /dev/null
+++ b/contrib/ncf-openstack-technique/tree/50_techniques/openstack_keystone/templates/keystone-paste.ini.tpl
@@ -0,0 +1,106 @@
+# Keystone PasteDeploy configuration file.
+
+[filter:debug]
+paste.filter_factory = keystone.common.wsgi:Debug.factory
+
+[filter:request_id]
+paste.filter_factory = oslo_middleware:RequestId.factory
+
+[filter:build_auth_context]
+paste.filter_factory = keystone.middleware:AuthContextMiddleware.factory
+
+[filter:token_auth]
+paste.filter_factory = keystone.middleware:TokenAuthMiddleware.factory
+
+[filter:admin_token_auth]
+paste.filter_factory = {{#enable_admin_token}}keystone.middleware:AdminTokenAuthMiddleware.factory{{/enable_admin_token}}
+
+[filter:json_body]
+paste.filter_factory = keystone.middleware:JsonBodyMiddleware.factory
+
+[filter:user_crud_extension]
+paste.filter_factory = keystone.contrib.user_crud:CrudExtension.factory
+
+[filter:crud_extension]
+paste.filter_factory = keystone.contrib.admin_crud:CrudExtension.factory
+
+[filter:ec2_extension]
+paste.filter_factory = keystone.contrib.ec2:Ec2Extension.factory
+
+[filter:ec2_extension_v3]
+paste.filter_factory = keystone.contrib.ec2:Ec2ExtensionV3.factory
+
+[filter:federation_extension]
+paste.filter_factory = keystone.contrib.federation.routers:FederationExtension.factory
+
+[filter:oauth1_extension]
+paste.filter_factory = keystone.contrib.oauth1.routers:OAuth1Extension.factory
+
+[filter:s3_extension]
+paste.filter_factory = keystone.contrib.s3:S3Extension.factory
+
+[filter:endpoint_filter_extension]
+paste.filter_factory = keystone.contrib.endpoint_filter.routers:EndpointFilterExtension.factory
+
+[filter:endpoint_policy_extension]
+paste.filter_factory = keystone.contrib.endpoint_policy.routers:EndpointPolicyExtension.factory
+
+[filter:simple_cert_extension]
+paste.filter_factory = keystone.contrib.simple_cert:SimpleCertExtension.factory
+
+[filter:revoke_extension]
+paste.filter_factory = keystone.contrib.revoke.routers:RevokeExtension.factory
+
+[filter:url_normalize]
+paste.filter_factory = keystone.middleware:NormalizingFilter.factory
+
+[filter:sizelimit]
+paste.filter_factory = oslo_middleware.sizelimit:RequestBodySizeLimiter.factory
+
+[app:public_service]
+paste.app_factory = keystone.service:public_app_factory
+
+[app:service_v3]
+paste.app_factory = keystone.service:v3_app_factory
+
+[app:admin_service]
+paste.app_factory = keystone.service:admin_app_factory
+
+[pipeline:public_api]
+# The last item in this pipeline must be public_service or an equivalent
+# application. It cannot be a filter.
+pipeline = sizelimit url_normalize request_id build_auth_context token_auth admin_token_auth json_body ec2_extension user_crud_extension public_service
+
+[pipeline:admin_api]
+# The last item in this pipeline must be admin_service or an equivalent
+# application. It cannot be a filter.
+pipeline = sizelimit url_normalize request_id build_auth_context token_auth admin_token_auth json_body ec2_extension s3_extension crud_extension admin_service
+
+[pipeline:api_v3]
+# The last item in this pipeline must be service_v3 or an equivalent
+# application. It cannot be a filter.
+pipeline = sizelimit url_normalize request_id build_auth_context token_auth admin_token_auth json_body ec2_extension_v3 s3_extension simple_cert_extension revoke_extension oauth1_extension endpoint_filter_extension endpoint_policy_extension service_v3
+
+[app:public_version_service]
+paste.app_factory = keystone.service:public_version_app_factory
+
+[app:admin_version_service]
+paste.app_factory = keystone.service:admin_version_app_factory
+
+[pipeline:public_version_api]
+pipeline = sizelimit url_normalize public_version_service
+
+[pipeline:admin_version_api]
+pipeline = sizelimit url_normalize admin_version_service
+
+[composite:main]
+use = egg:Paste#urlmap
+/v2.0 = public_api
+/v3 = api_v3
+/ = public_version_api
+
+[composite:admin]
+use = egg:Paste#urlmap
+/v2.0 = admin_api
+/v3 = api_v3
+/ = admin_version_api
\ No newline at end of file
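Review bot: With `enable_admin_token` false (the default in defaults.json), the `[filter:admin_token_auth]` section renders with an empty `paste.filter_factory =`, yet `admin_token_auth` is still listed in the `public_api`, `admin_api` and `api_v3` pipelines, so PasteDeploy will presumably fail to load those pipelines rather than run without the middleware; verify on a node with the flag off. Disabling the bootstrap token is done by taking the filter out of the pipelines, which the template can express by wrapping only the name, e.g. `pipeline = sizelimit url_normalize request_id build_auth_context token_auth {{#enable_admin_token}}admin_token_auth {{/enable_admin_token}}json_body ec2_extension user_crud_extension public_service`, applied to all three pipeline lines, while the filter's factory line stays unconditional. Since identity-init.sh.tpl authenticates with `--os-token`, the flag has to be on for the first bootstrap and switched off only afterwards; a comment on the `[filter:admin_token_auth]` section stating that sequence would spare the next reader a failed deployment.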
diff --git a/contrib/ncf-openstack-technique/tree/50_techniques/openstack_keystone/templates/keystone.conf.tpl b/contrib/ncf-openstack-technique/tree/50_techniques/openstack_keystone/templates/keystone.conf.tpl
new file mode 100644
index 00000000..90b65df4
--- /dev/null
+++ b/contrib/ncf-openstack-technique/tree/50_techniques/openstack_keystone/templates/keystone.conf.tpl
@@ -0,0 +1,1735 @@ +[DEFAULT] + +# +# From keystone +# + +# A "shared secret" that can be used to bootstrap Keystone. This "token" does +# not represent a user, and carries no explicit authorization. To disable in +# production (highly recommended), remove AdminTokenAuthMiddleware from your +# paste application pipelines (for example, in keystone-paste.ini). (string +# value) +admin_token = {{admin.token}} + +# (Deprecated) The port which the OpenStack Compute service listens on. This +# option was only used for string replacement in the templated catalog backend. +# Templated catalogs should replace the "$(compute_port)s" substitution with +# the static port of the compute service. As of Juno, this option is deprecated +# and will be removed in the L release. (integer value) +#compute_port = 8774 + +# The base public endpoint URL for Keystone that is advertised to clients +# (NOTE: this does NOT affect how Keystone listens for connections). Defaults +# to the base host URL of the request. E.g. a request to +# http://server:5000/v3/users will default to http://server:5000. You should +# only need to set this value if the base URL contains a path (e.g. /prefix/v3) +# or the endpoint should be found on a different server. (string value) +#public_endpoint = + +# The base admin endpoint URL for Keystone that is advertised to clients (NOTE: +# this does NOT affect how Keystone listens for connections). Defaults to the +# base host URL of the request. E.g. a request to http://server:35357/v3/users +# will default to http://server:35357. You should only need to set this value +# if the base URL contains a path (e.g. /prefix/v3) or the endpoint should be +# found on a different server. (string value) +#admin_endpoint = + +# Maximum depth of the project hierarchy. WARNING: setting it to a large value +# may adversely impact performance. (integer value) +#max_project_tree_depth = 5 + +# Limit the sizes of user & project ID/names. 
(integer value) +#max_param_size = 64 + +# Similar to max_param_size, but provides an exception for token values. +# (integer value) +#max_token_size = 8192 + +# Similar to the member_role_name option, this represents the default role ID +# used to associate users with their default projects in the v2 API. This will +# be used as the explicit role where one is not specified by the v2 API. +# (string value) +#member_role_id = 9fe2ff9ee4384b1894a90878d3e92bab + +# This is the role name used in combination with the member_role_id option; see +# that option for more detail. (string value) +#member_role_name = _member_ + +# The value passed as the keyword "rounds" to passlib's encrypt method. +# (integer value) +#crypt_strength = 40000 + +# The maximum number of entities that will be returned in a collection, with no +# limit set by default. This global limit may be then overridden for a specific +# driver, by specifying a list_limit in the appropriate section (e.g. +# [assignment]). (integer value) +#list_limit = + +# Set this to false if you want to enable the ability for user, group and +# project entities to be moved between domains by updating their domain_id. +# Allowing such movement is not recommended if the scope of a domain admin is +# being restricted by use of an appropriate policy file (see +# policy.v3cloudsample as an example). (boolean value) +#domain_id_immutable = true + +# If set to true, strict password length checking is performed for password +# manipulation. If a password exceeds the maximum length, the operation will +# fail with an HTTP 403 Forbidden error. If set to false, passwords are +# automatically truncated to the maximum length. (boolean value) +#strict_password_check = false + +# The HTTP header used to determine the scheme for the original request, even +# if it was removed by an SSL terminating proxy. Typical value is +# "HTTP_X_FORWARDED_PROTO". 
(string value) +#secure_proxy_ssl_header = + +# +# From keystone.notifications +# + +# Default publisher_id for outgoing notifications (string value) +#default_publisher_id = + +# Define the notification format for Identity Service events. A "basic" +# notification has information about the resource being operated on. A "cadf" +# notification has the same information, as well as information about the +# initiator of the event. Valid options are: basic and cadf (string value) +#notification_format = basic + +# +# From keystone.openstack.common.eventlet_backdoor +# + +# Enable eventlet backdoor. Acceptable values are 0, , and +# :, where 0 results in listening on a random tcp port number; +# results in listening on the specified port number (and not enabling +# backdoor if that port is in use); and : results in listening on +# the smallest unused port number within the specified range of port numbers. +# The chosen port is displayed in the service's log file. (string value) +#backdoor_port = + +# +# From oslo.log +# + +# Print debugging output (set logging level to DEBUG instead of default WARNING +# level). (boolean value) +#debug = false + +# Print more verbose output (set logging level to INFO instead of default +# WARNING level). (boolean value) +#verbose = false + +# The name of a logging configuration file. This file is appended to any +# existing logging configuration files. For details about logging configuration +# files, see the Python logging module documentation. (string value) +# Deprecated group/name - [DEFAULT]/log_config +#log_config_append = + +# DEPRECATED. A logging.Formatter log message format string which may use any +# of the available logging.LogRecord attributes. This option is deprecated. +# Please use logging_context_format_string and logging_default_format_string +# instead. (string value) +#log_format = + +# Format string for %%(asctime)s in log records. Default: %(default)s . 
(string
+# value)
+#log_date_format = %Y-%m-%d %H:%M:%S
+
+# (Optional) Name of log file to output to. If no default is set, logging will
+# go to stdout. (string value)
+# Deprecated group/name - [DEFAULT]/logfile
+#log_file =
+
+# (Optional) The base directory used for relative --log-file paths. (string
+# value)
+# Deprecated group/name - [DEFAULT]/logdir
+#log_dir =
+
+# Use syslog for logging. Existing syslog format is DEPRECATED during I, and
+# will change in J to honor RFC5424. (boolean value)
+#use_syslog = false
+
+# (Optional) Enables or disables syslog rfc5424 format for logging. If enabled,
+# prefixes the MSG part of the syslog message with APP-NAME (RFC5424). The
+# format without the APP-NAME is deprecated in I, and will be removed in J.
+# (boolean value)
+#use_syslog_rfc_format = false
+
+# Syslog facility to receive log lines. (string value)
+#syslog_log_facility = LOG_USER
+
+# Log output to standard error. (boolean value)
+#use_stderr = true
+
+# Format string to use for log messages with context. (string value)
+#logging_context_format_string = %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [%(request_id)s %(user_identity)s] %(instance)s%(message)s
+
+# Format string to use for log messages without context. (string value)
+#logging_default_format_string = %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [-] %(instance)s%(message)s
+
+# Data to append to log format when level is DEBUG. (string value)
+#logging_debug_format_suffix = %(funcName)s %(pathname)s:%(lineno)d
+
+# Prefix each line of exception output with this format. (string value)
+#logging_exception_prefix = %(asctime)s.%(msecs)03d %(process)d TRACE %(name)s %(instance)s
+
+# List of logger=LEVEL pairs. (list value)
+#default_log_levels = amqp=WARN,amqplib=WARN,boto=WARN,qpid=WARN,sqlalchemy=WARN,suds=INFO,oslo.messaging=INFO,iso8601=WARN,requests.packages.urllib3.connectionpool=WARN,urllib3.connectionpool=WARN,websocket=WARN,requests.packages.urllib3.util.retry=WARN,urllib3.util.retry=WARN,keystonemiddleware=WARN,routes.middleware=WARN,stevedore=WARN
+
+# Enables or disables publication of error events. (boolean value)
+#publish_errors = false
+
+# Enables or disables fatal status of deprecations. (boolean value)
+#fatal_deprecations = false
+
+# The format for an instance that is passed with the log message. (string
+# value)
+#instance_format = "[instance: %(uuid)s] "
+
+# The format for an instance UUID that is passed with the log message. (string
+# value)
+#instance_uuid_format = "[instance: %(uuid)s] "
+
+#
+# From oslo.messaging
+#
+
+# ZeroMQ bind address. Should be a wildcard (*), an ethernet interface, or IP.
+# The "host" option should point or resolve to this address. (string value)
+#rpc_zmq_bind_address = *
+
+# MatchMaker driver. (string value)
+#rpc_zmq_matchmaker = oslo_messaging._drivers.matchmaker.MatchMakerLocalhost
+
+# ZeroMQ receiver listening port. (integer value)
+#rpc_zmq_port = 9501
+
+# Number of ZeroMQ contexts, defaults to 1. (integer value)
+#rpc_zmq_contexts = 1
+
+# Maximum number of ingress messages to locally buffer per topic. Default is
+# unlimited. (integer value)
+#rpc_zmq_topic_backlog =
+
+# Directory for holding IPC sockets. (string value)
+#rpc_zmq_ipc_dir = /var/run/openstack
+
+# Name of this node. Must be a valid hostname, FQDN, or IP address. Must match
+# "host" option, if running Nova. (string value)
+#rpc_zmq_host = localhost
+
+# Seconds to wait before a cast expires (TTL). Only supported by impl_zmq.
+# (integer value)
+#rpc_cast_timeout = 30
+
+# Heartbeat frequency. (integer value)
+#matchmaker_heartbeat_freq = 300
+
+# Heartbeat time-to-live. (integer value)
+#matchmaker_heartbeat_ttl = 600
+
+# Size of RPC thread pool. (integer value)
+#rpc_thread_pool_size = 64
+
+# Driver or drivers to handle sending notifications. (multi valued)
+#notification_driver =
+
+# AMQP topic used for OpenStack notifications. (list value)
+# Deprecated group/name - [rpc_notifier2]/topics
+#notification_topics = notifications
+
+# Seconds to wait for a response from a call. (integer value)
+#rpc_response_timeout = 60
+
+# A URL representing the messaging driver to use and its full configuration. If
+# not set, we fall back to the rpc_backend option and driver specific
+# configuration. (string value)
+#transport_url =
+
+# The messaging driver to use, defaults to rabbit. Other drivers include qpid
+# and zmq. (string value)
+#rpc_backend = rabbit
+
+# The default exchange under which topics are scoped. May be overridden by an
+# exchange name specified in the transport_url option. (string value)
+#control_exchange = keystone
+
+
+[assignment]
+
+#
+# From keystone
+#
+
+# Assignment backend driver. (string value)
+#driver =
+
+
+[auth]
+
+#
+# From keystone
+#
+
+# Default auth methods. (list value)
+#methods = external,password,token,oauth1
+
+# The password auth plugin module. (string value)
+#password = keystone.auth.plugins.password.Password
+
+# The token auth plugin module. (string value)
+#token = keystone.auth.plugins.token.Token
+
+# The external (REMOTE_USER) auth plugin module. (string value)
+#external = keystone.auth.plugins.external.DefaultDomain
+
+# The oAuth1.0 auth plugin module. (string value)
+#oauth1 = keystone.auth.plugins.oauth1.OAuth
+
+
+[cache]
+
+#
+# From keystone
+#
+
+# Prefix for building the configuration dictionary for the cache region. This
+# should not need to be changed unless there is another dogpile.cache region
+# with the same configuration name. (string value)
+#config_prefix = cache.keystone
+
+# Default TTL, in seconds, for any cached item in the dogpile.cache region.
+# This applies to any cached method that doesn't have an explicit cache
+# expiration time defined for it. (integer value)
+#expiration_time = 600
+
+# Dogpile.cache backend module. It is recommended that Memcache with pooling
+# (keystone.cache.memcache_pool) or Redis (dogpile.cache.redis) be used in
+# production deployments. Small workloads (single process) like devstack can
+# use the dogpile.cache.memory backend. (string value)
+#backend = keystone.common.cache.noop
+
+# Arguments supplied to the backend module. Specify this option once per
+# argument to be passed to the dogpile.cache backend. Example format:
+# ":". (multi valued)
+#backend_argument =
+
+# Proxy classes to import that will affect the way the dogpile.cache backend
+# functions. See the dogpile.cache documentation on changing-backend-behavior.
+# (list value)
+#proxies =
+
+# Global toggle for all caching using the should_cache_fn mechanism. (boolean
+# value)
+#enabled = false
+
+# Extra debugging from the cache backend (cache keys, get/set/delete/etc
+# calls). This is only really useful if you need to see the specific cache-
+# backend get/set/delete calls with the keys/values. Typically this should be
+# left set to false. (boolean value)
+#debug_cache_backend = false
+
+# Memcache servers in the format of "host:port". (dogpile.cache.memcache and
+# keystone.cache.memcache_pool backends only). (list value)
+#memcache_servers = localhost:11211
+
+# Number of seconds memcached server is considered dead before it is tried
+# again. (dogpile.cache.memcache and keystone.cache.memcache_pool backends
+# only). (integer value)
+#memcache_dead_retry = 300
+
+# Timeout in seconds for every call to a server. (dogpile.cache.memcache and
+# keystone.cache.memcache_pool backends only). (integer value)
+#memcache_socket_timeout = 3
+
+# Max total number of open connections to every memcached server.
+# (keystone.cache.memcache_pool backend only). (integer value)
+#memcache_pool_maxsize = 10
+
+# Number of seconds a connection to memcached is held unused in the pool before
+# it is closed. (keystone.cache.memcache_pool backend only). (integer value)
+#memcache_pool_unused_timeout = 60
+
+# Number of seconds that an operation will wait to get a memcache client
+# connection. (integer value)
+#memcache_pool_connection_get_timeout = 10
+
+
+[catalog]
+
+#
+# From keystone
+#
+
+# Catalog template file name for use with the template catalog backend. (string
+# value)
+#template_file = default_catalog.templates
+
+# Catalog backend driver. (string value)
+#driver = keystone.catalog.backends.sql.Catalog
+
+# Toggle for catalog caching. This has no effect unless global caching is
+# enabled. (boolean value)
+#caching = true
+
+# Time to cache catalog data (in seconds). This has no effect unless global and
+# catalog caching are enabled. (integer value)
+#cache_time =
+
+# Maximum number of entities that will be returned in a catalog collection.
+# (integer value)
+#list_limit =
+
+
+[credential]
+
+#
+# From keystone
+#
+
+# Credential backend driver. (string value)
+#driver = keystone.credential.backends.sql.Credential
+
+
+[database]
+
+#
+# From oslo.db
+#
+
+# The file name to use with SQLite. (string value)
+# Deprecated group/name - [DEFAULT]/sqlite_db
+#sqlite_db = oslo.sqlite
+
+# If True, SQLite uses synchronous mode. (boolean value)
+# Deprecated group/name - [DEFAULT]/sqlite_synchronous
+#sqlite_synchronous = true
+
+# The back end to use for the database. (string value)
+# Deprecated group/name - [DEFAULT]/db_backend
+#backend = sqlalchemy
+
+# The SQLAlchemy connection string to use to connect to the database. (string
+# value)
+# Deprecated group/name - [DEFAULT]/sql_connection
+# Deprecated group/name - [DATABASE]/sql_connection
+# Deprecated group/name - [sql]/connection
+connection = mysql://{{database.user}}:{{database.password}}@{{database.host}}/{{database.name}}
+
+# The SQLAlchemy connection string to use to connect to the slave database.
+# (string value)
+#slave_connection =
+
+# The SQL mode to be used for MySQL sessions. This option, including the
+# default, overrides any server-set SQL mode. To use whatever SQL mode is set
+# by the server configuration, set this to no value. Example: mysql_sql_mode=
+# (string value)
+#mysql_sql_mode = TRADITIONAL
+
+# Timeout before idle SQL connections are reaped. (integer value)
+# Deprecated group/name - [DEFAULT]/sql_idle_timeout
+# Deprecated group/name - [DATABASE]/sql_idle_timeout
+# Deprecated group/name - [sql]/idle_timeout
+#idle_timeout = 3600
+
+# Minimum number of SQL connections to keep open in a pool. (integer value)
+# Deprecated group/name - [DEFAULT]/sql_min_pool_size
+# Deprecated group/name - [DATABASE]/sql_min_pool_size
+#min_pool_size = 1
+
+# Maximum number of SQL connections to keep open in a pool. (integer value)
+# Deprecated group/name - [DEFAULT]/sql_max_pool_size
+# Deprecated group/name - [DATABASE]/sql_max_pool_size
+#max_pool_size =
+
+# Maximum number of database connection retries during startup. Set to -1 to
+# specify an infinite retry count. (integer value)
+# Deprecated group/name - [DEFAULT]/sql_max_retries
+# Deprecated group/name - [DATABASE]/sql_max_retries
+#max_retries = 10
+
+# Interval between retries of opening a SQL connection. (integer value)
+# Deprecated group/name - [DEFAULT]/sql_retry_interval
+# Deprecated group/name - [DATABASE]/reconnect_interval
+#retry_interval = 10
+
+# If set, use this value for max_overflow with SQLAlchemy. (integer value)
+# Deprecated group/name - [DEFAULT]/sql_max_overflow
+# Deprecated group/name - [DATABASE]/sqlalchemy_max_overflow
+#max_overflow =
+
+# Verbosity of SQL debugging information: 0=None, 100=Everything. (integer
+# value)
+# Deprecated group/name - [DEFAULT]/sql_connection_debug
+#connection_debug = 0
+
+# Add Python stack traces to SQL as comment strings. (boolean value)
+# Deprecated group/name - [DEFAULT]/sql_connection_trace
+#connection_trace = false
+
+# If set, use this value for pool_timeout with SQLAlchemy. (integer value)
+# Deprecated group/name - [DATABASE]/sqlalchemy_pool_timeout
+#pool_timeout =
+
+# Enable the experimental use of database reconnect on connection lost.
+# (boolean value)
+#use_db_reconnect = false
+
+# Seconds between retries of a database transaction. (integer value)
+#db_retry_interval = 1
+
+# If True, increases the interval between retries of a database operation up to
+# db_max_retry_interval. (boolean value)
+#db_inc_retry_interval = true
+
+# If db_inc_retry_interval is set, the maximum seconds between retries of a
+# database operation. (integer value)
+#db_max_retry_interval = 10
+
+# Maximum retries in case of connection error or deadlock error before error is
+# raised. Set to -1 to specify an infinite retry count. (integer value)
+#db_max_retries = 20
+
+
+[domain_config]
+
+#
+# From keystone
+#
+
+# Domain config backend driver. (string value)
+#driver = keystone.resource.config_backends.sql.DomainConfig
+
+# Toggle for domain config caching. This has no effect unless global caching is
+# enabled. (boolean value)
+#caching = true
+
+# TTL (in seconds) to cache domain config data. This has no effect unless
+# domain config caching is enabled. (integer value)
+#cache_time = 300
+
+
+[endpoint_filter]
+
+#
+# From keystone
+#
+
+# Endpoint Filter backend driver (string value)
+#driver = keystone.contrib.endpoint_filter.backends.sql.EndpointFilter
+
+# Toggle to return all active endpoints if no filter exists. (boolean value)
+#return_all_endpoints_if_no_filter = true
+
+
+[endpoint_policy]
+
+#
+# From keystone
+#
+
+# Endpoint policy backend driver (string value)
+#driver = keystone.contrib.endpoint_policy.backends.sql.EndpointPolicy
+
+
+[eventlet_server]
+
+#
+# From keystone
+#
+
+# The number of worker processes to serve the public eventlet application.
+# Defaults to number of CPUs (minimum of 2). (integer value)
+# Deprecated group/name - [DEFAULT]/public_workers
+#public_workers =
+
+# The number of worker processes to serve the admin eventlet application.
+# Defaults to number of CPUs (minimum of 2). (integer value)
+# Deprecated group/name - [DEFAULT]/admin_workers
+#admin_workers =
+
+# The IP address of the network interface for the public service to listen on.
+# (string value)
+# Deprecated group/name - [DEFAULT]/bind_host
+# Deprecated group/name - [DEFAULT]/public_bind_host
+#public_bind_host = 0.0.0.0
+
+# The port number which the public service listens on. (integer value)
+# Deprecated group/name - [DEFAULT]/public_port
+#public_port = 5000
+
+# The IP address of the network interface for the admin service to listen on.
+# (string value)
+# Deprecated group/name - [DEFAULT]/bind_host
+# Deprecated group/name - [DEFAULT]/admin_bind_host
+#admin_bind_host = 0.0.0.0
+
+# The port number which the admin service listens on. (integer value)
+# Deprecated group/name - [DEFAULT]/admin_port
+#admin_port = 35357
+
+# Set this to true if you want to enable TCP_KEEPALIVE on server sockets, i.e.
+# sockets used by the Keystone wsgi server for client connections. (boolean
+# value)
+# Deprecated group/name - [DEFAULT]/tcp_keepalive
+#tcp_keepalive = false
+
+# Sets the value of TCP_KEEPIDLE in seconds for each server socket. Only
+# applies if tcp_keepalive is true. (integer value)
+# Deprecated group/name - [DEFAULT]/tcp_keepidle
+#tcp_keepidle = 600
+
+
+[eventlet_server_ssl]
+
+#
+# From keystone
+#
+
+# Toggle for SSL support on the Keystone eventlet servers. (boolean value)
+# Deprecated group/name - [ssl]/enable
+#enable = false
+
+# Path of the certfile for SSL. For non-production environments, you may be
+# interested in using `keystone-manage ssl_setup` to generate self-signed
+# certificates. (string value)
+# Deprecated group/name - [ssl]/certfile
+#certfile = /etc/keystone/ssl/certs/keystone.pem
+
+# Path of the keyfile for SSL. (string value)
+# Deprecated group/name - [ssl]/keyfile
+#keyfile = /etc/keystone/ssl/private/keystonekey.pem
+
+# Path of the CA cert file for SSL. (string value)
+# Deprecated group/name - [ssl]/ca_certs
+#ca_certs = /etc/keystone/ssl/certs/ca.pem
+
+# Require client certificate. (boolean value)
+# Deprecated group/name - [ssl]/cert_required
+#cert_required = false
+
+
+[federation]
+
+#
+# From keystone
+#
+
+# Federation backend driver. (string value)
+#driver = keystone.contrib.federation.backends.sql.Federation
+
+# Value to be used when filtering assertion parameters from the environment.
+# (string value)
+#assertion_prefix =
+
+# Value to be used to obtain the entity ID of the Identity Provider from the
+# environment (e.g. if using the mod_shib plugin this value is `Shib-Identity-
+# Provider`). (string value)
+#remote_id_attribute =
+
+# A domain name that is reserved to allow federated ephemeral users to have a
+# domain concept. Note that an admin will not be able to create a domain with
+# this name or update an existing domain to this name. You are not advised to
+# change this value unless you really have to. Changing this option to empty
+# string or None will not have any impact and default name will be used.
+# (string value)
+#federated_domain_name = Federated
+
+# A list of trusted dashboard hosts. Before accepting a Single Sign-On request
+# to return a token, the origin host must be a member of the trusted_dashboard
+# list. This configuration option may be repeated for multiple values. For
+# example: trusted_dashboard=http://acme.com trusted_dashboard=http://beta.com
+# (multi valued)
+#trusted_dashboard =
+
+# Location of Single Sign-On callback handler, will return a token to a trusted
+# dashboard host. (string value)
+#sso_callback_template = /etc/keystone/sso_callback_template.html
+
+
+[fernet_tokens]
+
+#
+# From keystone
+#
+
+# Directory containing Fernet token keys. (string value)
+#key_repository = /etc/keystone/fernet-keys/
+
+# This controls how many keys are held in rotation by keystone-manage
+# fernet_rotate before they are discarded. The default value of 3 means that
+# keystone will maintain one staged key, one primary key, and one secondary
+# key. Increasing this value means that additional secondary keys will be kept
+# in the rotation. (integer value)
+#max_active_keys = 3
+
+
+[identity]
+
+#
+# From keystone
+#
+
+# This references the domain to use for all Identity API v2 requests (which are
+# not aware of domains). A domain with this ID will be created for you by
+# keystone-manage db_sync in migration 008. The domain referenced by this ID
+# cannot be deleted on the v3 API, to prevent accidentally breaking the v2 API.
+# There is nothing special about this domain, other than the fact that it must
+# exist to order to maintain support for your v2 clients. (string value)
+#default_domain_id = default
+
+# A subset (or all) of domains can have their own identity driver, each with
+# their own partial configuration options, stored in either the resource
+# backend or in a file in a domain configuration directory (depending on the
+# setting of domain_configurations_from_database). Only values specific to the
+# domain need to be specified in this manner. This feature is disabled by
+# default; set to true to enable. (boolean value)
+#domain_specific_drivers_enabled = false
+
+# Extract the domain specific configuration options from the resource backend
+# where they have been stored with the domain data. This feature is disabled by
+# default (in which case the domain specific options will be loaded from files
+# in the domain configuration directory); set to true to enable. (boolean
+# value)
+#domain_configurations_from_database = false
+
+# Path for Keystone to locate the domain specific identity configuration files
+# if domain_specific_drivers_enabled is set to true. (string value)
+#domain_config_dir = /etc/keystone/domains
+
+# Identity backend driver. (string value)
+#driver = keystone.identity.backends.sql.Identity
+
+# Toggle for identity caching. This has no effect unless global caching is
+# enabled. (boolean value)
+#caching = true
+
+# Time to cache identity data (in seconds). This has no effect unless global
+# and identity caching are enabled. (integer value)
+#cache_time = 600
+
+# Maximum supported length for user passwords; decrease to improve performance.
+# (integer value)
+#max_password_length = 4096
+
+# Maximum number of entities that will be returned in an identity collection.
+# (integer value)
+#list_limit =
+
+
+[identity_mapping]
+
+#
+# From keystone
+#
+
+# Keystone Identity Mapping backend driver. (string value)
+#driver = keystone.identity.mapping_backends.sql.Mapping
+
+# Public ID generator for user and group entities. The Keystone identity mapper
+# only supports generators that produce no more than 64 characters. (string
+# value)
+#generator = keystone.identity.id_generators.sha256.Generator
+
+# The format of user and group IDs changed in Juno for backends that do not
+# generate UUIDs (e.g. LDAP), with keystone providing a hash mapping to the
+# underlying attribute in LDAP. By default this mapping is disabled, which
+# ensures that existing IDs will not change. Even when the mapping is enabled
+# by using domain specific drivers, any users and groups from the default
+# domain being handled by LDAP will still not be mapped to ensure their IDs
+# remain backward compatible. Setting this value to False will enable the
+# mapping for even the default LDAP driver. It is only safe to do this if you
+# do not already have assignments for users and groups from the default LDAP
+# domain, and it is acceptable for Keystone to provide the different IDs to
+# clients than it did previously. Typically this means that the only time you
+# can set this value to False is when configuring a fresh installation.
+# (boolean value)
+#backward_compatible_ids = true
+
+
+[kvs]
+
+#
+# From keystone
+#
+
+# Extra dogpile.cache backend modules to register with the dogpile.cache
+# library. (list value)
+#backends =
+
+# Prefix for building the configuration dictionary for the KVS region. This
+# should not need to be changed unless there is another dogpile.cache region
+# with the same configuration name. (string value)
+#config_prefix = keystone.kvs
+
+# Toggle to disable using a key-mangling function to ensure fixed length keys.
+# This is toggle-able for debugging purposes, it is highly recommended to
+# always leave this set to true. (boolean value)
+#enable_key_mangler = true
+
+# Default lock timeout (in seconds) for distributed locking. (integer value)
+#default_lock_timeout = 5
+
+
+[ldap]
+
+#
+# From keystone
+#
+
+# URL for connecting to the LDAP server. (string value)
+#url = ldap://localhost
+
+# User BindDN to query the LDAP server. (string value)
+#user =
+
+# Password for the BindDN to query the LDAP server. (string value)
+#password =
+
+# LDAP server suffix (string value)
+#suffix = cn=example,cn=com
+
+# If true, will add a dummy member to groups. This is required if the
+# objectclass for groups requires the "member" attribute. (boolean value)
+#use_dumb_member = false
+
+# DN of the "dummy member" to use when "use_dumb_member" is enabled. (string
+# value)
+#dumb_member = cn=dumb,dc=nonexistent
+
+# Delete subtrees using the subtree delete control. Only enable this option if
+# your LDAP server supports subtree deletion. (boolean value)
+#allow_subtree_delete = false
+
+# The LDAP scope for queries, this can be either "one" (onelevel/singleLevel)
+# or "sub" (subtree/wholeSubtree). (string value)
+#query_scope = one
+
+# Maximum results per page; a value of zero ("0") disables paging. (integer
+# value)
+#page_size = 0
+
+# The LDAP dereferencing option for queries. This can be either "never",
+# "searching", "always", "finding" or "default". The "default" option falls
+# back to using default dereferencing configured by your ldap.conf. (string
+# value)
+#alias_dereferencing = default
+
+# Sets the LDAP debugging level for LDAP calls. A value of 0 means that
+# debugging is not enabled. This value is a bitmask, consult your LDAP
+# documentation for possible values. (integer value)
+#debug_level =
+
+# Override the system's default referral chasing behavior for queries. (boolean
+# value)
+#chase_referrals =
+
+# Search base for users. (string value)
+#user_tree_dn =
+
+# LDAP search filter for users. (string value)
+#user_filter =
+
+# LDAP objectclass for users. (string value)
+#user_objectclass = inetOrgPerson
+
+# LDAP attribute mapped to user id. WARNING: must not be a multivalued
+# attribute. (string value)
+#user_id_attribute = cn
+
+# LDAP attribute mapped to user name. (string value)
+#user_name_attribute = sn
+
+# LDAP attribute mapped to user email. (string value)
+#user_mail_attribute = mail
+
+# LDAP attribute mapped to password. (string value)
+#user_pass_attribute = userPassword
+
+# LDAP attribute mapped to user enabled flag. (string value)
+#user_enabled_attribute = enabled
+
+# Invert the meaning of the boolean enabled values. Some LDAP servers use a
+# boolean lock attribute where "true" means an account is disabled. Setting
+# "user_enabled_invert = true" will allow these lock attributes to be used.
+# This setting will have no effect if "user_enabled_mask" or
+# "user_enabled_emulation" settings are in use. (boolean value)
+#user_enabled_invert = false
+
+# Bitmask integer to indicate the bit that the enabled value is stored in if
+# the LDAP server represents "enabled" as a bit on an integer rather than a
+# boolean. A value of "0" indicates the mask is not used. If this is not set to
+# "0" the typical value is "2". This is typically used when
+# "user_enabled_attribute = userAccountControl". (integer value)
+#user_enabled_mask = 0
+
+# Default value to enable users. This should match an appropriate int value if
+# the LDAP server uses non-boolean (bitmask) values to indicate if a user is
+# enabled or disabled. If this is not set to "True" the typical value is "512".
+# This is typically used when "user_enabled_attribute = userAccountControl".
+# (string value)
+#user_enabled_default = True
+
+# List of attributes stripped off the user on update. (list value)
+#user_attribute_ignore = default_project_id,tenants
+
+# LDAP attribute mapped to default_project_id for users. (string value)
+#user_default_project_id_attribute =
+
+# Allow user creation in LDAP backend. (boolean value)
+#user_allow_create = true
+
+# Allow user updates in LDAP backend. (boolean value)
+#user_allow_update = true
+
+# Allow user deletion in LDAP backend. (boolean value)
+#user_allow_delete = true
+
+# If true, Keystone uses an alternative method to determine if a user is
+# enabled or not by checking if they are a member of the
+# "user_enabled_emulation_dn" group. (boolean value)
+#user_enabled_emulation = false
+
+# DN of the group entry to hold enabled users when using enabled emulation.
+# (string value)
+#user_enabled_emulation_dn =
+
+# List of additional LDAP attributes used for mapping additional attribute
+# mappings for users. Attribute mapping format is :,
+# where ldap_attr is the attribute in the LDAP entry and user_attr is the
+# Identity API attribute. (list value)
+#user_additional_attribute_mapping =
+
+# Search base for projects (string value)
+# Deprecated group/name - [ldap]/tenant_tree_dn
+#project_tree_dn =
+
+# LDAP search filter for projects. (string value)
+# Deprecated group/name - [ldap]/tenant_filter
+#project_filter =
+
+# LDAP objectclass for projects. (string value)
+# Deprecated group/name - [ldap]/tenant_objectclass
+#project_objectclass = groupOfNames
+
+# LDAP attribute mapped to project id. (string value)
+# Deprecated group/name - [ldap]/tenant_id_attribute
+#project_id_attribute = cn
+
+# LDAP attribute mapped to project membership for user. (string value)
+# Deprecated group/name - [ldap]/tenant_member_attribute
+#project_member_attribute = member
+
+# LDAP attribute mapped to project name. (string value)
+# Deprecated group/name - [ldap]/tenant_name_attribute
+#project_name_attribute = ou
+
+# LDAP attribute mapped to project description. (string value)
+# Deprecated group/name - [ldap]/tenant_desc_attribute
+#project_desc_attribute = description
+
+# LDAP attribute mapped to project enabled. (string value)
+# Deprecated group/name - [ldap]/tenant_enabled_attribute
+#project_enabled_attribute = enabled
+
+# LDAP attribute mapped to project domain_id. (string value)
+# Deprecated group/name - [ldap]/tenant_domain_id_attribute
+#project_domain_id_attribute = businessCategory
+
+# List of attributes stripped off the project on update. (list value)
+# Deprecated group/name - [ldap]/tenant_attribute_ignore
+#project_attribute_ignore =
+
+# Allow project creation in LDAP backend. (boolean value)
+# Deprecated group/name - [ldap]/tenant_allow_create
+#project_allow_create = true
+
+# Allow project update in LDAP backend. (boolean value)
+# Deprecated group/name - [ldap]/tenant_allow_update
+#project_allow_update = true
+
+# Allow project deletion in LDAP backend. (boolean value)
+# Deprecated group/name - [ldap]/tenant_allow_delete
+#project_allow_delete = true
+
+# If true, Keystone uses an alternative method to determine if a project is
+# enabled or not by checking if they are a member of the
+# "project_enabled_emulation_dn" group. (boolean value)
+# Deprecated group/name - [ldap]/tenant_enabled_emulation
+#project_enabled_emulation = false
+
+# DN of the group entry to hold enabled projects when using enabled emulation.
+# (string value)
+# Deprecated group/name - [ldap]/tenant_enabled_emulation_dn
+#project_enabled_emulation_dn =
+
+# Additional attribute mappings for projects. Attribute mapping format is
+# :, where ldap_attr is the attribute in the LDAP entry
+# and user_attr is the Identity API attribute. (list value)
+# Deprecated group/name - [ldap]/tenant_additional_attribute_mapping
+#project_additional_attribute_mapping =
+
+# Search base for roles. (string value)
+#role_tree_dn =
+
+# LDAP search filter for roles. (string value)
+#role_filter =
+
+# LDAP objectclass for roles. (string value)
+#role_objectclass = organizationalRole
+
+# LDAP attribute mapped to role id. (string value)
+#role_id_attribute = cn
+
+# LDAP attribute mapped to role name. (string value)
+#role_name_attribute = ou
+
+# LDAP attribute mapped to role membership. (string value)
+#role_member_attribute = roleOccupant
+
+# List of attributes stripped off the role on update. (list value)
+#role_attribute_ignore =
+
+# Allow role creation in LDAP backend. (boolean value)
+#role_allow_create = true
+
+# Allow role update in LDAP backend. (boolean value)
+#role_allow_update = true
+
+# Allow role deletion in LDAP backend. (boolean value)
+#role_allow_delete = true
+
+# Additional attribute mappings for roles. Attribute mapping format is
+# :, where ldap_attr is the attribute in the LDAP entry
+# and user_attr is the Identity API attribute. (list value)
+#role_additional_attribute_mapping =
+
+# Search base for groups. (string value)
+#group_tree_dn =
+
+# LDAP search filter for groups. (string value)
+#group_filter =
+
+# LDAP objectclass for groups. (string value)
+#group_objectclass = groupOfNames
+
+# LDAP attribute mapped to group id. (string value)
+#group_id_attribute = cn
+
+# LDAP attribute mapped to group name. (string value)
+#group_name_attribute = ou
+
+# LDAP attribute mapped to show group membership. (string value)
+#group_member_attribute = member
+
+# LDAP attribute mapped to group description. (string value)
+#group_desc_attribute = description
+
+# List of attributes stripped off the group on update. (list value)
+#group_attribute_ignore =
+
+# Allow group creation in LDAP backend. (boolean value)
+#group_allow_create = true
+
+# Allow group update in LDAP backend. (boolean value)
+#group_allow_update = true
+
+# Allow group deletion in LDAP backend. (boolean value)
+#group_allow_delete = true
+
+# Additional attribute mappings for groups. Attribute mapping format is
+# :, where ldap_attr is the attribute in the LDAP entry
+# and user_attr is the Identity API attribute. (list value)
+#group_additional_attribute_mapping =
+
+# CA certificate file path for communicating with LDAP servers. (string value)
+#tls_cacertfile =
+
+# CA certificate directory path for communicating with LDAP servers. (string
+# value)
+#tls_cacertdir =
+
+# Enable TLS for communicating with LDAP servers. (boolean value)
+#use_tls = false
+
+# Valid options for tls_req_cert are demand, never, and allow. (string value)
+#tls_req_cert = demand
+
+# Enable LDAP connection pooling. (boolean value)
+#use_pool = false
+
+# Connection pool size. (integer value)
+#pool_size = 10
+
+# Maximum count of reconnect trials. (integer value)
+#pool_retry_max = 3
+
+# Time span in seconds to wait between two reconnect trials. (floating point
+# value)
+#pool_retry_delay = 0.1
+
+# Connector timeout in seconds. Value -1 indicates indefinite wait for
+# response. (integer value)
+#pool_connection_timeout = -1
+
+# Connection lifetime in seconds. (integer value)
+#pool_connection_lifetime = 600
+
+# Enable LDAP connection pooling for end user authentication. If use_pool is
+# disabled, then this setting is meaningless and is not used at all. (boolean
+# value)
+#use_auth_pool = false
+
+# End user auth connection pool size. (integer value)
+#auth_pool_size = 100
+
+# End user auth connection lifetime in seconds. (integer value)
+#auth_pool_connection_lifetime = 60
+
+
+[matchmaker_redis]
+
+#
+# From oslo.messaging
+#
+
+# Host to locate redis. (string value)
+#host = 127.0.0.1
+
+# Use this port to connect to redis host. (integer value)
+#port = 6379
+
+# Password for Redis server (optional). (string value)
+#password =
+
+
+[matchmaker_ring]
+
+#
+# From oslo.messaging
+#
+
+# Matchmaker ring file (JSON). (string value)
+# Deprecated group/name - [DEFAULT]/matchmaker_ringfile
+#ringfile = /etc/oslo/matchmaker_ring.json
+
+
+[memcache]
+
+#
+# From keystone
+#
+
+# Memcache servers in the format of "host:port". (list value)
+servers = localhost:11211
+
+# Number of seconds memcached server is considered dead before it is tried
+# again. This is used by the key value store system (e.g. token pooled
+# memcached persistence backend). (integer value)
+#dead_retry = 300
+
+# Timeout in seconds for every call to a server. This is used by the key value
+# store system (e.g. token pooled memcached persistence backend). (integer
+# value)
+#socket_timeout = 3
+
+# Max total number of open connections to every memcached server. This is used
+# by the key value store system (e.g. token pooled memcached persistence
+# backend). (integer value)
+#pool_maxsize = 10
+
+# Number of seconds a connection to memcached is held unused in the pool before
+# it is closed. This is used by the key value store system (e.g. token pooled
+# memcached persistence backend). (integer value)
+#pool_unused_timeout = 60
+
+# Number of seconds that an operation will wait to get a memcache client
+# connection. This is used by the key value store system (e.g. token pooled
+# memcached persistence backend). (integer value)
+#pool_connection_get_timeout = 10
+
+
+[oauth1]
+
+#
+# From keystone
+#
+
+# Credential backend driver. (string value)
+#driver = keystone.contrib.oauth1.backends.sql.OAuth1
+
+# Duration (in seconds) for the OAuth Request Token. (integer value)
+#request_token_duration = 28800
+
+# Duration (in seconds) for the OAuth Access Token. (integer value)
+#access_token_duration = 86400
+
+
+[os_inherit]
+
+#
+# From keystone
+#
+
+# role-assignment inheritance to projects from owning domain or from projects
+# higher in the hierarchy can be optionally enabled. (boolean value)
+#enabled = false
+
+
+[oslo_messaging_amqp]
+
+#
+# From oslo.messaging
+#
+
+# address prefix used when sending to a specific server (string value)
+# Deprecated group/name - [amqp1]/server_request_prefix
+#server_request_prefix = exclusive
+
+# address prefix used when broadcasting to all servers (string value)
+# Deprecated group/name - [amqp1]/broadcast_prefix
+#broadcast_prefix = broadcast
+
+# address prefix when sending to any server in group (string value)
+# Deprecated group/name - [amqp1]/group_request_prefix
+#group_request_prefix = unicast
+
+# Name for the AMQP container (string value)
+# Deprecated group/name - [amqp1]/container_name
+#container_name =
+
+# Timeout for inactive connections (in seconds) (integer value)
+# Deprecated group/name - [amqp1]/idle_timeout
+#idle_timeout = 0
+
+# Debug: dump AMQP frames to stdout (boolean value)
+# Deprecated group/name - [amqp1]/trace
+#trace = false
+
+# CA certificate PEM file for verifing server certificate (string value)
+# Deprecated group/name - [amqp1]/ssl_ca_file
+#ssl_ca_file =
+
+# Identifying certificate PEM file to present to clients (string value)
+# Deprecated group/name - [amqp1]/ssl_cert_file
+#ssl_cert_file =
+
+# Private key PEM file used to sign cert_file certificate (string value)
+# Deprecated group/name - [amqp1]/ssl_key_file
+#ssl_key_file =
+
+# Password for decrypting ssl_key_file (if encrypted) (string value)
+# Deprecated group/name - [amqp1]/ssl_key_password
+#ssl_key_password =
+
+# Accept clients using either SSL or plain TCP (boolean value)
+# Deprecated group/name - [amqp1]/allow_insecure_clients
+#allow_insecure_clients = false
+
+
+[oslo_messaging_qpid]
+
+#
+# From oslo.messaging
+#
+
+# Use durable queues in AMQP. (boolean value)
+# Deprecated group/name - [DEFAULT]/rabbit_durable_queues
+#amqp_durable_queues = false
+
+# Auto-delete queues in AMQP. (boolean value)
+# Deprecated group/name - [DEFAULT]/amqp_auto_delete
+#amqp_auto_delete = false
+
+# Size of RPC connection pool. (integer value)
+# Deprecated group/name - [DEFAULT]/rpc_conn_pool_size
+#rpc_conn_pool_size = 30
+
+# Qpid broker hostname. (string value)
+# Deprecated group/name - [DEFAULT]/qpid_hostname
+#qpid_hostname = localhost
+
+# Qpid broker port. (integer value)
+# Deprecated group/name - [DEFAULT]/qpid_port
+#qpid_port = 5672
+
+# Qpid HA cluster host:port pairs. (list value)
+# Deprecated group/name - [DEFAULT]/qpid_hosts
+#qpid_hosts = $qpid_hostname:$qpid_port
+
+# Username for Qpid connection. (string value)
+# Deprecated group/name - [DEFAULT]/qpid_username
+#qpid_username =
+
+# Password for Qpid connection. (string value)
+# Deprecated group/name - [DEFAULT]/qpid_password
+#qpid_password =
+
+# Space separated list of SASL mechanisms to use for auth. (string value)
+# Deprecated group/name - [DEFAULT]/qpid_sasl_mechanisms
+#qpid_sasl_mechanisms =
+
+# Seconds between connection keepalive heartbeats. (integer value)
+# Deprecated group/name - [DEFAULT]/qpid_heartbeat
+#qpid_heartbeat = 60
+
+# Transport to use, either 'tcp' or 'ssl'. (string value)
+# Deprecated group/name - [DEFAULT]/qpid_protocol
+#qpid_protocol = tcp
+
+# Whether to disable the Nagle algorithm. (boolean value)
+# Deprecated group/name - [DEFAULT]/qpid_tcp_nodelay
+#qpid_tcp_nodelay = true
+
+# The number of prefetched messages held by receiver. (integer value)
+# Deprecated group/name - [DEFAULT]/qpid_receiver_capacity
+#qpid_receiver_capacity = 1
+
+# The qpid topology version to use. Version 1 is what was originally used by
+# impl_qpid. Version 2 includes some backwards-incompatible changes that allow
+# broker federation to work. Users should update to version 2 when they are
+# able to take everything down, as it requires a clean break. (integer value)
+# Deprecated group/name - [DEFAULT]/qpid_topology_version
+#qpid_topology_version = 1
+
+
+[oslo_messaging_rabbit]
+
+#
+# From oslo.messaging
+#
+
+# Use durable queues in AMQP. (boolean value)
+# Deprecated group/name - [DEFAULT]/rabbit_durable_queues
+#amqp_durable_queues = false
+
+# Auto-delete queues in AMQP. (boolean value)
+# Deprecated group/name - [DEFAULT]/amqp_auto_delete
+#amqp_auto_delete = false
+
+# Size of RPC connection pool. (integer value)
+# Deprecated group/name - [DEFAULT]/rpc_conn_pool_size
+#rpc_conn_pool_size = 30
+
+# SSL version to use (valid only if SSL enabled). Valid values are TLSv1 and
+# SSLv23. SSLv2, SSLv3, TLSv1_1, and TLSv1_2 may be available on some
+# distributions. (string value)
+# Deprecated group/name - [DEFAULT]/kombu_ssl_version
+#kombu_ssl_version =
+
+# SSL key file (valid only if SSL enabled). (string value)
+# Deprecated group/name - [DEFAULT]/kombu_ssl_keyfile
+#kombu_ssl_keyfile =
+
+# SSL cert file (valid only if SSL enabled). (string value)
+# Deprecated group/name - [DEFAULT]/kombu_ssl_certfile
+#kombu_ssl_certfile =
+
+# SSL certification authority file (valid only if SSL enabled).
(string value) +# Deprecated group/name - [DEFAULT]/kombu_ssl_ca_certs +#kombu_ssl_ca_certs = + +# How long to wait before reconnecting in response to an AMQP consumer cancel +# notification. (floating point value) +# Deprecated group/name - [DEFAULT]/kombu_reconnect_delay +#kombu_reconnect_delay = 1.0 + +# The RabbitMQ broker address where a single node is used. (string value) +# Deprecated group/name - [DEFAULT]/rabbit_host +#rabbit_host = localhost + +# The RabbitMQ broker port where a single node is used. (integer value) +# Deprecated group/name - [DEFAULT]/rabbit_port +#rabbit_port = 5672 + +# RabbitMQ HA cluster host:port pairs. (list value) +# Deprecated group/name - [DEFAULT]/rabbit_hosts +#rabbit_hosts = $rabbit_host:$rabbit_port + +# Connect over SSL for RabbitMQ. (boolean value) +# Deprecated group/name - [DEFAULT]/rabbit_use_ssl +#rabbit_use_ssl = false + +# The RabbitMQ userid. (string value) +# Deprecated group/name - [DEFAULT]/rabbit_userid +#rabbit_userid = guest + +# The RabbitMQ password. (string value) +# Deprecated group/name - [DEFAULT]/rabbit_password +#rabbit_password = guest + +# The RabbitMQ login method. (string value) +# Deprecated group/name - [DEFAULT]/rabbit_login_method +#rabbit_login_method = AMQPLAIN + +# The RabbitMQ virtual host. (string value) +# Deprecated group/name - [DEFAULT]/rabbit_virtual_host +#rabbit_virtual_host = / + +# How frequently to retry connecting with RabbitMQ. (integer value) +#rabbit_retry_interval = 1 + +# How long to backoff for between retries when connecting to RabbitMQ. (integer +# value) +# Deprecated group/name - [DEFAULT]/rabbit_retry_backoff +#rabbit_retry_backoff = 2 + +# Maximum number of RabbitMQ connection retries. Default is 0 (infinite retry +# count). (integer value) +# Deprecated group/name - [DEFAULT]/rabbit_max_retries +#rabbit_max_retries = 0 + +# Use HA queues in RabbitMQ (x-ha-policy: all). If you change this option, you +# must wipe the RabbitMQ database. 
(boolean value) +# Deprecated group/name - [DEFAULT]/rabbit_ha_queues +#rabbit_ha_queues = false + +# Number of seconds after which the Rabbit broker is considered down if +# heartbeat's keep-alive fails (0 disable the heartbeat). (integer value) +#heartbeat_timeout_threshold = 60 + +# How often times during the heartbeat_timeout_threshold we check the +# heartbeat. (integer value) +#heartbeat_rate = 2 + +# Deprecated, use rpc_backend=kombu+memory or rpc_backend=fake (boolean value) +# Deprecated group/name - [DEFAULT]/fake_rabbit +#fake_rabbit = false + + +[oslo_middleware] + +# +# From oslo.middleware +# + +# The maximum body size for each request, in bytes. (integer value) +# Deprecated group/name - [DEFAULT]/osapi_max_request_body_size +# Deprecated group/name - [DEFAULT]/max_request_body_size +#max_request_body_size = 114688 + + +[oslo_policy] + +# +# From oslo.policy +# + +# The JSON file that defines policies. (string value) +# Deprecated group/name - [DEFAULT]/policy_file +#policy_file = policy.json + +# Default rule. Enforced when a requested rule is not found. (string value) +# Deprecated group/name - [DEFAULT]/policy_default_rule +#policy_default_rule = default + +# Directories where policy configuration files are stored. They can be relative +# to any directory in the search path defined by the config_dir option, or +# absolute paths. The file defined by policy_file must exist for these +# directories to be searched. Missing or empty directories are ignored. (multi +# valued) +# Deprecated group/name - [DEFAULT]/policy_dirs +#policy_dirs = policy.d + + +[paste_deploy] + +# +# From keystone +# + +# Name of the paste configuration file that defines the available pipelines. +# (string value) + +# https://review.openstack.org/#/c/185464/ +config_file = /etc/keystone/keystone-paste.ini + + +[policy] + +# +# From keystone +# + +# Policy backend driver. 
(string value) +#driver = keystone.policy.backends.sql.Policy + +# Maximum number of entities that will be returned in a policy collection. +# (integer value) +#list_limit = + + +[resource] + +# +# From keystone +# + +# Resource backend driver. If a resource driver is not specified, the +# assignment driver will choose the resource driver. (string value) +#driver = + +# Toggle for resource caching. This has no effect unless global caching is +# enabled. (boolean value) +# Deprecated group/name - [assignment]/caching +#caching = true + +# TTL (in seconds) to cache resource data. This has no effect unless global +# caching is enabled. (integer value) +# Deprecated group/name - [assignment]/cache_time +#cache_time = + +# Maximum number of entities that will be returned in a resource collection. +# (integer value) +# Deprecated group/name - [assignment]/list_limit +#list_limit = + + +[revoke] + +# +# From keystone +# + +# An implementation of the backend for persisting revocation events. (string +# value) +driver = keystone.contrib.revoke.backends.sql.Revoke + +# This value (calculated in seconds) is added to token expiration before a +# revocation event may be removed from the backend. (integer value) +#expiration_buffer = 1800 + +# Toggle for revocation event caching. This has no effect unless global caching +# is enabled. (boolean value) +#caching = true + +# Time to cache the revocation list and the revocation events (in seconds). +# This has no effect unless global and token caching are enabled. (integer +# value) +# Deprecated group/name - [token]/revocation_cache_time +#cache_time = 3600 + + +[role] + +# +# From keystone +# + +# Role backend driver. (string value) +#driver = + +# Toggle for role caching. This has no effect unless global caching is enabled. +# (boolean value) +#caching = true + +# TTL (in seconds) to cache role data. This has no effect unless global caching +# is enabled. 
(integer value) +#cache_time = + +# Maximum number of entities that will be returned in a role collection. +# (integer value) +#list_limit = + + +[saml] + +# +# From keystone +# + +# Default TTL, in seconds, for any generated SAML assertion created by +# Keystone. (integer value) +#assertion_expiration_time = 3600 + +# Binary to be called for XML signing. Install the appropriate package, specify +# absolute path or adjust your PATH environment variable if the binary cannot +# be found. (string value) +#xmlsec1_binary = xmlsec1 + +# Path of the certfile for SAML signing. For non-production environments, you +# may be interested in using `keystone-manage pki_setup` to generate self- +# signed certificates. Note, the path cannot contain a comma. (string value) +#certfile = /etc/keystone/ssl/certs/signing_cert.pem + +# Path of the keyfile for SAML signing. Note, the path cannot contain a comma. +# (string value) +#keyfile = /etc/keystone/ssl/private/signing_key.pem + +# Entity ID value for unique Identity Provider identification. Usually FQDN is +# set with a suffix. A value is required to generate IDP Metadata. For example: +# https://keystone.example.com/v3/OS-FEDERATION/saml2/idp (string value) +#idp_entity_id = + +# Identity Provider Single-Sign-On service value, required in the Identity +# Provider's metadata. A value is required to generate IDP Metadata. For +# example: https://keystone.example.com/v3/OS-FEDERATION/saml2/sso (string +# value) +#idp_sso_endpoint = + +# Language used by the organization. (string value) +#idp_lang = en + +# Organization name the installation belongs to. (string value) +#idp_organization_name = + +# Organization name to be displayed. (string value) +#idp_organization_display_name = + +# URL of the organization. (string value) +#idp_organization_url = + +# Company of contact person. (string value) +#idp_contact_company = + +# Given name of contact person (string value) +#idp_contact_name = + +# Surname of contact person. 
(string value) +#idp_contact_surname = + +# Email address of contact person. (string value) +#idp_contact_email = + +# Telephone number of contact person. (string value) +#idp_contact_telephone = + +# Contact type. Allowed values are: technical, support, administrative billing, +# and other (string value) +#idp_contact_type = other + +# Path to the Identity Provider Metadata file. This file should be generated +# with the keystone-manage saml_idp_metadata command. (string value) +#idp_metadata_path = /etc/keystone/saml2_idp_metadata.xml + +# The prefix to use for the RelayState SAML attribute, used when generating ECP +# wrapped assertions. (string value) +#relay_state_prefix = ss:mem: + + +[signing] + +# +# From keystone +# + +# Path of the certfile for token signing. For non-production environments, you +# may be interested in using `keystone-manage pki_setup` to generate self- +# signed certificates. (string value) +#certfile = /etc/keystone/ssl/certs/signing_cert.pem + +# Path of the keyfile for token signing. (string value) +#keyfile = /etc/keystone/ssl/private/signing_key.pem + +# Path of the CA for token signing. (string value) +#ca_certs = /etc/keystone/ssl/certs/ca.pem + +# Path of the CA key for token signing. (string value) +#ca_key = /etc/keystone/ssl/private/cakey.pem + +# Key size (in bits) for token signing cert (auto generated certificate). +# (integer value) +#key_size = 2048 + +# Days the token signing cert is valid for (auto generated certificate). +# (integer value) +#valid_days = 3650 + +# Certificate subject (auto generated certificate) for token signing. (string +# value) +#cert_subject = /C=US/ST=Unset/L=Unset/O=Unset/CN=www.example.com + + +[ssl] + +# +# From keystone +# + +# Path of the CA key file for SSL. (string value) +#ca_key = /etc/keystone/ssl/private/cakey.pem + +# SSL key length (in bits) (auto generated certificate). (integer value) +#key_size = 1024 + +# Days the certificate is valid for once signed (auto generated certificate). 
+# (integer value) +#valid_days = 3650 + +# SSL certificate subject (auto generated certificate). (string value) +#cert_subject = /C=US/ST=Unset/L=Unset/O=Unset/CN=localhost + + +[token] + +# +# From keystone +# + +# External auth mechanisms that should add bind information to token, e.g., +# kerberos,x509. (list value) +#bind = + +# Enforcement policy on tokens presented to Keystone with bind information. One +# of disabled, permissive, strict, required or a specifically required bind +# mode, e.g., kerberos or x509 to require binding to that authentication. +# (string value) +#enforce_token_bind = permissive + +# Amount of time a token should remain valid (in seconds). (integer value) +#expiration = 3600 + +# Controls the token construction, validation, and revocation operations. Core +# providers are "keystone.token.providers.[fernet|pkiz|pki|uuid].Provider". +# (string value) +provider = keystone.token.providers.uuid.Provider + +# Token persistence backend driver. (string value) +driver = keystone.token.persistence.backends.memcache.Token + +# Toggle for token system caching. This has no effect unless global caching is +# enabled. (boolean value) +#caching = true + +# Time to cache tokens (in seconds). This has no effect unless global and token +# caching are enabled. (integer value) +#cache_time = + +# Revoke token by token identifier. Setting revoke_by_id to true enables +# various forms of enumerating tokens, e.g. `list tokens for user`. These +# enumerations are processed to determine the list of tokens to revoke. Only +# disable if you are switching to using the Revoke extension with a backend +# other than KVS, which stores events in memory. (boolean value) +#revoke_by_id = true + +# Allow rescoping of scoped token. Setting allow_rescoped_scoped_token to false +# prevents a user from exchanging a scoped token for any other token. (boolean +# value) +#allow_rescope_scoped_token = true + +# The hash algorithm to use for PKI tokens. 
This can be set to any algorithm
+# that hashlib supports. WARNING: Before changing this value, the auth_token
+# middleware must be configured with the hash_algorithms, otherwise token
+# revocation will not be processed correctly. (string value)
+hash_algorithm = {{hash_algorithm}}
+
+
+[trust]
+
+#
+# From keystone
+#
+
+# Delegation and impersonation features can be optionally disabled. (boolean
+# value)
+#enabled = true
+
+# Enable redelegation feature. (boolean value)
+#allow_redelegation = false
+
+# Maximum depth of trust redelegation. (integer value)
+#max_redelegation_count = 3
+
+# Trust backend driver. (string value)
+#driver = keystone.trust.backends.sql.Trust
\ No newline at end of file
diff --git a/contrib/ncf-openstack-technique/tree/50_techniques/openstack_keystone/templates/openrc.sh.tpl b/contrib/ncf-openstack-technique/tree/50_techniques/openstack_keystone/templates/openrc.sh.tpl
new file mode 100644
index 00000000..5bcf3a2c
--- /dev/null
+++ b/contrib/ncf-openstack-technique/tree/50_techniques/openstack_keystone/templates/openrc.sh.tpl
@@ -0,0 +1,7 @@
+export OS_PROJECT_DOMAIN_ID=default
+export OS_USER_DOMAIN_ID=default
+export OS_PROJECT_NAME={{admin.project}}
+export OS_TENANT_NAME={{admin.tenant}}
+export OS_USERNAME={{admin.user}}
+export OS_PASSWORD={{admin.password}}
+export OS_AUTH_URL=http://{{admin.controller}}:{{admin.port}}/v3
diff --git a/contrib/ncf-openstack-technique/tree/50_techniques/openstack_mysql/defaults.json b/contrib/ncf-openstack-technique/tree/50_techniques/openstack_mysql/defaults.json
new file mode 100644
index 00000000..253cf386
--- /dev/null
+++ b/contrib/ncf-openstack-technique/tree/50_techniques/openstack_mysql/defaults.json
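Review bot: The rendered openrc carries the admin password in clear text (`export OS_PASSWORD={{admin.password}}`) and sends it to a plain-HTTP endpoint (`export OS_AUTH_URL=http://{{admin.controller}}:{{admin.port}}/v3`). The bundle that installs this template is outside this hunk; it should create the file root-owned with mode 0600, since any local user who can read it obtains cloud-admin credentials. Consider a header comment in the template, `# Contains admin credentials - install as root:root 0600; prefer an https:// auth URL outside the lab`, so the requirement travels with the file.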
@@ -0,0 +1,9 @@
+{
+ "users": [
+ {"database": "keystone", "username": "keystone", "password": "keystone_password", "host": "192.168.20.2"},
+ {"database": "glance", "username": "glance", "password": "glance_password", "host": "192.168.20.2"},
+ {"database": "nova", "username": "nova", "password": "nova_password", "host": "192.168.20.2"}
+ ],
+ "root_password": "openstack_root",
+ "bind_address": "192.168.20.2"
+}
diff --git a/contrib/ncf-openstack-technique/tree/50_techniques/openstack_mysql/openstack_mysql.cf b/contrib/ncf-openstack-technique/tree/50_techniques/openstack_mysql/openstack_mysql.cf
new file mode 100644
index 00000000..b3524936
--- /dev/null
+++ b/contrib/ncf-openstack-technique/tree/50_techniques/openstack_mysql/openstack_mysql.cf
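Review bot: `root_password` and the three per-service `password` values are working defaults that a deployment inherits verbatim whenever the host JSON does not override them, and the same pattern appears in openstack_nova_api/defaults.json later in this patch. Using an obviously invalid placeholder such as `"root_password": "CHANGEME"` (constructed example) and stating in the README that every `password` key must be set per host would make an unconfigured deployment fail loudly instead of running with guessable credentials. The `host` entries pin 192.168.20.2 for every grant, which suits the Vagrant lab but deserves the same override note.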
@@ -0,0 +1,26 @@
+# @name openstack_mysql
+# @description Install, configure and ensure MySQL/MariaDB is running. Uses a template file for configuration.
+# @version 0.1
+
+bundle agent openstack_mysql
+{
+ methods:
+ "method_call" usebundle => data_load("${this.bundle}"),
+ ifvarclass => concat("any");
+ "method_call" usebundle => package_install("mariadb"),
+ ifvarclass => concat("any");
+ "method_call" usebundle => package_install("mariadb-server"),
+ ifvarclass => concat("any");
+ "method_call" usebundle => package_install("MySQL-python"),
+ ifvarclass => concat("any");
+ "method_call" usebundle => file_from_template_mustache_data("${variable_string.${this.bundle}_technique_path}/templates/mariadb_openstack.cnf.tpl", "/etc/my.cnf.d/mariadb_openstack.cnf", "data_merge.${this.bundle}"),
+ ifvarclass => concat("any");
+ "method_call" usebundle => command_execution("sh ${variable_string.${this.bundle}_technique_path}/scripts/mysql_secure_installation.sh \"`echo '${data_json.${this.bundle}}' | jq -r '.root_password'`\""),
+ ifvarclass => concat("any.package_install_mariadb_repaired");
+ "create_users" usebundle => command_execution("sh ${variable_string.${this.bundle}_technique_path}/scripts/init_database_component.sh \"`echo '${data_json.${this.bundle}}' | jq -r '.'`\""),
+ ifvarclass => concat("any");
+ "method_call" usebundle => service_restart("mariadb"),
+ ifvarclass => concat("any.file_from_template_mustache_data__etc_my_cnf_d_mariadb_openstack_cnf_repaired");
+ "method_call" usebundle => service_ensure_running("mariadb"),
+ ifvarclass => concat("any");
+}
diff --git a/contrib/ncf-openstack-technique/tree/50_techniques/openstack_mysql/scripts/init_database_component.sh b/contrib/ncf-openstack-technique/tree/50_techniques/openstack_mysql/scripts/init_database_component.sh
new file mode 100644
index 00000000..5f830f01
--- /dev/null
+++ b/contrib/ncf-openstack-technique/tree/50_techniques/openstack_mysql/scripts/init_database_component.sh
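Review bot: Both `command_execution` calls splice the technique's JSON into a single-quoted shell string (`echo '${data_json.${this.bundle}}' | jq -r ...`), so a single quote or backtick in any password breaks the command or changes its meaning, and the extracted value is then passed as a script argument where `ps` and audit logs can read it; in the `create_users` call that argument is the entire JSON, including every database password. A safer shape is to write the JSON to a root-only file with one of the `file_from_*` generic methods and pass only its path, e.g. `command_execution("sh ${variable_string.${this.bundle}_technique_path}/scripts/init_database_component.sh <root-only-json-path>")`, with the scripts reading the file themselves. The `mysql_secure_installation.sh` call fires only on `package_install_mariadb_repaired`, so a host where the package was already present never gets its root password set; if that is intended, a comment on that promise saying so would save the next reader a trip.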
@@ -0,0 +1,18 @@
+#!/bin/sh
+
+data=${1}
+
+length=$((`echo ${data} | jq ".users | length"`-1))
+
+for i in `seq 0 ${length}`; do
+ root_password=`echo ${data} | jq -r ".root_password"`
+ database=`echo ${data} | jq -r ".users | .[${i}] | .database"`
+ username=`echo ${data} | jq -r ".users | .[${i}] | .username"`
+ password=`echo ${data} | jq -r ".users | .[${i}] | .password"`
+ host=`echo ${data} | jq -r ".users | .[${i}] | .host"`
+
+ mysql -u root -p"${root_password}" -e "CREATE DATABASE IF NOT EXISTS ${database};
+ GRANT ALL PRIVILEGES ON ${database}.* TO '${username}'@'${host}' IDENTIFIED BY '${password}';"
+done;
+
+mysql -u root -p"${root_password}" -e "FLUSH PRIVILEGES;"
\ No newline at end of file
diff --git a/contrib/ncf-openstack-technique/tree/50_techniques/openstack_mysql/scripts/mysql_secure_installation.sh b/contrib/ncf-openstack-technique/tree/50_techniques/openstack_mysql/scripts/mysql_secure_installation.sh
new file mode 100644
index 00000000..f6ab711f
--- /dev/null
+++ b/contrib/ncf-openstack-technique/tree/50_techniques/openstack_mysql/scripts/mysql_secure_installation.sh
@@ -0,0 +1,9 @@
+#!/bin/sh
+
+root_password=$1
+
+mysql -e "UPDATE mysql.user SET Password = PASSWORD('${root_password}') WHERE User = 'root';
+DELETE FROM mysql.user WHERE User='';
+DELETE FROM mysql.user WHERE User='root' AND Host NOT IN ('localhost', '127.0.0.1', '::1');
+DROP DATABASE IF EXISTS test;
+FLUSH PRIVILEGES;"
diff --git a/contrib/ncf-openstack-technique/tree/50_techniques/openstack_mysql/templates/mariadb_openstack.cnf.tpl b/contrib/ncf-openstack-technique/tree/50_techniques/openstack_mysql/templates/mariadb_openstack.cnf.tpl
new file mode 100644
index 00000000..d3add086
--- /dev/null
+++ b/contrib/ncf-openstack-technique/tree/50_techniques/openstack_mysql/templates/mariadb_openstack.cnf.tpl
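Review bot: `echo ${data}` is unquoted, so the JSON is word-split and glob-expanded before it reaches jq (a `*` in a password expands to file names), and `database`, `username`, `host` and `password` are then interpolated raw into the SQL, so a `'` or `;` in any of them breaks out of the statement; the root password is also re-read on every loop iteration and handed to mysql on the command line, where `-p"…"` is visible in the process list, and it is never set for the final `FLUSH PRIVILEGES` when `users` is empty. The rewrite below quotes every expansion, passes the password through `MYSQL_PWD`, escapes string literals with a small `sql_quote` helper and restricts database identifiers to `[A-Za-z0-9_]`; `set -e` is new, so a failed grant now stops the script instead of silently continuing. `mysql_secure_installation.sh` in the next hunk has the same unescaped literal in `PASSWORD('${root_password}')` and the same argv exposure, and the same helper fixes the first: `PASSWORD('$(sql_quote "$1")')`.
```shell
#!/bin/sh
# Creates one database and one grant per entry in .users of the JSON in $1.
set -e

data=$1

# Escape a value for use inside a single-quoted SQL string literal.
sql_quote() {
  printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e "s/'/''/g"
}

# Read the root password once and hand it to mysql through the environment
# rather than on the command line, so it does not show up in ps output.
MYSQL_PWD=$(printf '%s' "$data" | jq -r '.root_password')
export MYSQL_PWD

count=$(printf '%s' "$data" | jq '.users | length')
i=0
while [ "$i" -lt "$count" ]; do
  database=$(printf '%s' "$data" | jq -r ".users[$i].database")
  username=$(printf '%s' "$data" | jq -r ".users[$i].username")
  password=$(printf '%s' "$data" | jq -r ".users[$i].password")
  host=$(printf '%s' "$data" | jq -r ".users[$i].host")

  # Identifiers cannot be escaped as literals; accept only plain names.
  case "$database" in
    ''|*[!A-Za-z0-9_]*) printf 'invalid database name: %s\n' "$database" >&2; exit 1 ;;
  esac

  mysql -u root -e "CREATE DATABASE IF NOT EXISTS \`${database}\`;
    GRANT ALL PRIVILEGES ON \`${database}\`.* TO '$(sql_quote "$username")'@'$(sql_quote "$host")' IDENTIFIED BY '$(sql_quote "$password")';"
  i=$((i + 1))
done

mysql -u root -e "FLUSH PRIVILEGES;"
```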
@@ -0,0 +1,9 @@
+[mysqld]
+bind-address = {{bind_address}}
+
+# Added for OpenStack
+default-storage-engine = innodb
+innodb_file_per_table
+collation-server = utf8_general_ci
+init-connect = 'SET NAMES utf8'
+character-set-server = utf8
diff --git a/contrib/ncf-openstack-technique/tree/50_techniques/openstack_nova_api/defaults.json b/contrib/ncf-openstack-technique/tree/50_techniques/openstack_nova_api/defaults.json
new file mode 100644
index 00000000..70d602a6
--- /dev/null
+++ b/contrib/ncf-openstack-technique/tree/50_techniques/openstack_nova_api/defaults.json
@@ -0,0 +1,22 @@
+{
+ "management_ip": "192.168.20.2",
+ "controller": "controller",
+ "keystone": {
+ "user": "nova",
+ "password": "nova_password"
+ },
+ "rabbit": {
+ "user": "openstack",
+ "password": "rabbitmq_password"
+ },
+ "network": {
+ "bridge": "br100",
+ "range": "10.0.2.15/24"
+ },
+ "database": {
+ "user": "nova",
+ "password": "nova_password",
+ "name": "nova",
+ "host": "192.168.20.2"
+ }
+}
diff --git a/contrib/ncf-openstack-technique/tree/50_techniques/openstack_nova_api/openstack_nova_api.cf b/contrib/ncf-openstack-technique/tree/50_techniques/openstack_nova_api/openstack_nova_api.cf
new file mode 100644
index 00000000..a95aef00
--- /dev/null
+++ b/contrib/ncf-openstack-technique/tree/50_techniques/openstack_nova_api/openstack_nova_api.cf
@@ -0,0 +1,24 @@
+# @name openstack_nova_api
+# @description Install, configure and ensure nova-api is running. Uses a template file for configuration.
+# @version 0.1
+
+bundle agent openstack_nova_api
+{
+ methods:
+ "method_call" usebundle => data_load("${this.bundle}"),
+ ifvarclass => concat("any");
+ "method_call" usebundle => package_install("openstack-nova-api openstack-nova-cert openstack-nova-conductor openstack-nova-console openstack-nova-novncproxy openstack-nova-scheduler python-novaclient"),
+ ifvarclass => concat("any");
+ "method_call" usebundle => file_from_template_mustache_data("${variable_string.${this.bundle}_technique_path}/templates/nova.conf.tpl", "/etc/nova/nova.conf", "data_merge.${this.bundle}"),
+ ifvarclass => concat("any");
+ "method_call" usebundle => permissions_recurse("/etc/nova/", "640", "nova", "nova"),
+ ifvarclass => concat("any");
+ "method_call" usebundle => command_execution("su -s /bin/sh -c \"nova-manage db sync\" nova"),
+ ifvarclass => concat("any.file_from_template_mustache_data__etc_nova_nova_conf_repaired");
+ "method_call" usebundle => service_restart("openstack-nova-api openstack-nova-cert openstack-nova-consoleauth openstack-nova-scheduler openstack-nova-conductor openstack-nova-novncproxy"),
+ ifvarclass => concat("any.file_from_template_mustache_data__etc_nova_nova_conf_repaired");
+ "method_call" usebundle => service_ensure_running("openstack-nova-api openstack-nova-cert openstack-nova-consoleauth openstack-nova-scheduler openstack-nova-conductor openstack-nova-novncproxy"),
+ ifvarclass => concat("any");
+ "method_call" usebundle => service_ensure_started_at_boot("openstack-nova-api openstack-nova-cert openstack-nova-consoleauth openstack-nova-scheduler openstack-nova-conductor openstack-nova-novncproxy"),
+ ifvarclass => concat("any");
+}
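Review bot: `permissions_recurse("/etc/nova/", "640", "nova", "nova")` applies a single mode to everything under the path; if, as the name suggests, that includes directories, `/etc/nova/` itself loses its execute bit and the `nova` user can no longer traverse it, so the `su -s /bin/sh -c "nova-manage db sync" nova` on the following promise would presumably fail to open `/etc/nova/nova.conf`. Apply 640 to files and 750 to directories as separate promises, and state the intent on the call: `# nova.conf holds DB and RabbitMQ passwords: files 640, directories must keep +x`. The restart and ensure-running lists name `openstack-nova-consoleauth` while the install list has `openstack-nova-console`; if that is deliberate, a short comment would stop it being "fixed" later.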
diff --git a/contrib/ncf-openstack-technique/tree/50_techniques/openstack_nova_api/templates/init-network.sh.tpl b/contrib/ncf-openstack-technique/tree/50_techniques/openstack_nova_api/templates/init-network.sh.tpl
new file mode 100644
index 00000000..e4c878d5
--- /dev/null
+++ b/contrib/ncf-openstack-technique/tree/50_techniques/openstack_nova_api/templates/init-network.sh.tpl
@@ -0,0 +1,7 @@
+#!/bin/sh
+
+source /root/.openstack/admin-openrc.sh
+
+nova="/usr/bin/nova"
+
+${nova} network-create demo-net --bridge {{network.bridge}} --multi-host T --fixed-range-v4 {{network.range}}
\ No newline at end of file
diff --git a/contrib/ncf-openstack-technique/tree/50_techniques/openstack_nova_api/templates/nova.conf.tpl b/contrib/ncf-openstack-technique/tree/50_techniques/openstack_nova_api/templates/nova.conf.tpl
new file mode 100644
index 00000000..5e8d2f95
--- /dev/null
+++ b/contrib/ncf-openstack-technique/tree/50_techniques/openstack_nova_api/templates/nova.conf.tpl
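Review bot: `source` is a bash builtin, not POSIX, so under `#!/bin/sh` this line is a parse error on dash-based systems; use `. /root/.openstack/admin-openrc.sh || exit 1`. Without the `|| exit 1` (or `set -e`) a missing openrc lets the `nova network-create` call run with no credentials and the script still exits 0, which the calling bundle would read as success. `--fixed-range-v4 {{network.range}}` is rendered unquoted; that is fine for a CIDR, but a comment such as `# network.range must be a single CIDR token, no whitespace` would document the assumption.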
@@ -0,0 +1,4015 @@ +[DEFAULT] + +# +# From oslo.messaging +# + +# ZeroMQ bind address. Should be a wildcard (*), an ethernet interface, or IP. +# The "host" option should point or resolve to this address. (string value) +#rpc_zmq_bind_address=* + +# MatchMaker driver. (string value) +#rpc_zmq_matchmaker=oslo_messaging._drivers.matchmaker.MatchMakerLocalhost + +# ZeroMQ receiver listening port. (integer value) +#rpc_zmq_port=9501 + +# Number of ZeroMQ contexts, defaults to 1. (integer value) +#rpc_zmq_contexts=1 + +# Maximum number of ingress messages to locally buffer per topic. Default is +# unlimited. (integer value) +#rpc_zmq_topic_backlog= + +# Directory for holding IPC sockets. (string value) +#rpc_zmq_ipc_dir=/var/run/openstack + +# Name of this node. Must be a valid hostname, FQDN, or IP address. Must match +# "host" option, if running Nova. (string value) +#rpc_zmq_host=localhost + +# Seconds to wait before a cast expires (TTL). Only supported by impl_zmq. +# (integer value) +#rpc_cast_timeout=30 + +# Heartbeat frequency. (integer value) +#matchmaker_heartbeat_freq=300 + +# Heartbeat time-to-live. (integer value) +#matchmaker_heartbeat_ttl=600 + +# Size of RPC thread pool. (integer value) +#rpc_thread_pool_size=64 + +# Driver or drivers to handle sending notifications. (multi valued) +#notification_driver = + +# AMQP topic used for OpenStack notifications. (list value) +# Deprecated group;name - [rpc_notifier2]/topics +#notification_topics=notifications + +# Seconds to wait for a response from a call. (integer value) +#rpc_response_timeout=60 + +# A URL representing the messaging driver to use and its full configuration. If +# not set, we fall back to the rpc_backend option and driver specific +# configuration. (string value) +#transport_url= + +# The messaging driver to use, defaults to rabbit. Other drivers include qpid +# and zmq. (string value) +rpc_backend=rabbit + +# The default exchange under which topics are scoped. 
May be overridden by an +# exchange name specified in the transport_url option. (string value) +#control_exchange=openstack + + +# +# Options defined in nova.availability_zones +# + +# The availability_zone to show internal services under +# (string value) +#internal_service_availability_zone=internal + +# Default compute node availability_zone (string value) +#default_availability_zone=nova + + +# +# Options defined in nova.crypto +# + +# Filename of root CA (string value) +#ca_file=cacert.pem + +# Filename of private key (string value) +#key_file=private/cakey.pem + +# Filename of root Certificate Revocation List (string value) +#crl_file=crl.pem + +# Where we keep our keys (string value) +#keys_path=$state_path/keys + +# Where we keep our root CA (string value) +#ca_path=$state_path/CA + +# Should we use a CA for each project? (boolean value) +#use_project_ca=false + +# Subject for certificate for users, %s for project, user, +# timestamp (string value) +#user_cert_subject=/C=US/ST=California/O=OpenStack/OU=NovaDev/CN=%.16s-%.16s-%s + +# Subject for certificate for projects, %s for project, +# timestamp (string value) +#project_cert_subject=/C=US/ST=California/O=OpenStack/OU=NovaDev/CN=project-ca-%.16s-%s + + +# +# Options defined in nova.exception +# + +# Make exception message format errors fatal (boolean value) +#fatal_exception_format_errors=false + + +# +# Options defined in nova.netconf +# + +# IP address of this host (string value) +my_ip={{management_ip}} + +# Block storage IP address of this host (string value) +#my_block_storage_ip=$my_ip + +# Name of this node. This can be an opaque identifier. It is +# not necessarily a hostname, FQDN, or IP address. 
However,
+# the node name must be valid within an AMQP key, and if using
+# ZeroMQ, a valid hostname, FQDN, or IP address (string value)
+#host=nova
+
+# Use IPv6 (boolean value)
+#use_ipv6=false
+
+
+#
+# Options defined in nova.notifications
+#
+
+# If set, send compute.instance.update notifications on
+# instance state changes. Valid values are None for no
+# notifications, "vm_state" for notifications on VM state
+# changes, or "vm_and_task_state" for notifications on VM and
+# task state changes. (string value)
+#notify_on_state_change=
+
+# If set, send api.fault notifications on caught exceptions in
+# the API service. (boolean value)
+#notify_api_faults=false
+
+# Default notification level for outgoing notifications
+# (string value)
+#default_notification_level=INFO
+
+# Default publisher_id for outgoing notifications (string
+# value)
+#default_publisher_id=
+
+
+#
+# Options defined in nova.paths
+#
+
+# Directory where the nova python module is installed (string
+# value)
+#pybasedir=/usr/lib/python/site-packages
+
+# Directory where nova binaries are installed (string value)
+#bindir=/usr/local/bin
+
+# Top-level directory for maintaining nova's state (string
+# value)
+#state_path=/var/lib/nova
+
+
+#
+# Options defined in nova.quota
+#
+
+# Number of instances allowed per project (integer value)
+#quota_instances=10
+
+# Number of instance cores allowed per project (integer value)
+#quota_cores=20
+
+# Megabytes of instance RAM allowed per project (integer
+# value)
+#quota_ram=51200
+
+# Number of floating IPs allowed per project (integer value)
+#quota_floating_ips=10
+
+# Number of fixed IPs allowed per project (this should be at
+# least the number of instances allowed) (integer value)
+#quota_fixed_ips=-1
+
+# Number of metadata items allowed per instance (integer
+# value)
+#quota_metadata_items=128
+
+# Number of injected files allowed (integer value)
+#quota_injected_files=5
+
+# Number of bytes allowed per injected file (integer value)
+#quota_injected_file_content_bytes=10240
+
+# Length of injected file path (integer value)
+#quota_injected_file_path_length=255
+
+# Number of security groups per project (integer value)
+#quota_security_groups=10
+
+# Number of security rules per security group (integer value)
+#quota_security_group_rules=20
+
+# Number of key pairs per user (integer value)
+#quota_key_pairs=100
+
+# Number of server groups per project (integer value)
+#quota_server_groups=10
+
+# Number of servers per server group (integer value)
+#quota_server_group_members=10
+
+# Number of seconds until a reservation expires (integer
+# value)
+#reservation_expire=86400
+
+# Count of reservations until usage is refreshed. This
+# defaults to 0(off) to avoid additional load but it is useful
+# to turn on to help keep quota usage up to date and reduce
+# the impact of out of sync usage issues. (integer value)
+#until_refresh=0
+
+# Number of seconds between subsequent usage refreshes. This
+# defaults to 0(off) to avoid additional load but it is useful
+# to turn on to help keep quota usage up to date and reduce
+# the impact of out of sync usage issues. Note that quotas are
+# not updated on a periodic task, they will update on a new
+# reservation if max_age has passed since the last reservation
+# (integer value)
+#max_age=0
+
+# Default driver to use for quota checks (string value)
+#quota_driver=nova.quota.DbQuotaDriver
+
+
+#
+# Options defined in nova.service
+#
+
+# Seconds between nodes reporting state to datastore (integer
+# value)
+#report_interval=10
+
+# Enable periodic tasks (boolean value)
+#periodic_enable=true
+
+# Range of seconds to randomly delay when starting the
+# periodic task scheduler to reduce stampeding. (Disable by
+# setting to 0) (integer value)
+#periodic_fuzzy_delay=60
+
+# A list of APIs to enable by default (list value)
+#enabled_apis=ec2,osapi_compute,metadata
+
+# A list of APIs with enabled SSL (list value)
+#enabled_ssl_apis=
+
+# The IP address on which the EC2 API will listen. (string
+# value)
+#ec2_listen=0.0.0.0
+
+# The port on which the EC2 API will listen. (integer value)
+#ec2_listen_port=8773
+
+# Number of workers for EC2 API service. The default will be
+# equal to the number of CPUs available. (integer value)
+#ec2_workers=
+
+# The IP address on which the OpenStack API will listen.
+# (string value)
+#osapi_compute_listen=0.0.0.0
+
+# The port on which the OpenStack API will listen. (integer
+# value)
+#osapi_compute_listen_port=8774
+
+# Number of workers for OpenStack API service. The default
+# will be the number of CPUs available. (integer value)
+#osapi_compute_workers=
+
+# OpenStack metadata service manager (string value)
+#metadata_manager=nova.api.manager.MetadataManager
+
+# The IP address on which the metadata API will listen.
+# (string value)
+#metadata_listen=0.0.0.0
+
+# The port on which the metadata API will listen. (integer
+# value)
+#metadata_listen_port=8775
+
+# Number of workers for metadata service. The default will be
+# the number of CPUs available. (integer value)
+#metadata_workers=
+
+# Full class name for the Manager for compute (string value)
+#compute_manager=nova.compute.manager.ComputeManager
+
+# Full class name for the Manager for console proxy (string
+# value)
+#console_manager=nova.console.manager.ConsoleProxyManager
+
+# Manager for console auth (string value)
+#consoleauth_manager=nova.consoleauth.manager.ConsoleAuthManager
+
+# Full class name for the Manager for cert (string value)
+#cert_manager=nova.cert.manager.CertManager
+
+# Full class name for the Manager for network (string value)
+#network_manager=nova.network.manager.FlatDHCPManager
+
+# Full class name for the Manager for scheduler (string value)
+#scheduler_manager=nova.scheduler.manager.SchedulerManager
+
+# Maximum time since last check-in for up service (integer
+# value)
+#service_down_time=60
+
+
+#
+# Options defined in nova.utils
+#
+
+# Whether to log monkey patching (boolean value)
+#monkey_patch=false
+
+# List of modules/decorators to monkey patch (list value)
+#monkey_patch_modules=nova.api.ec2.cloud:nova.notifications.notify_decorator,nova.compute.api:nova.notifications.notify_decorator
+
+# Length of generated instance admin passwords (integer value)
+#password_length=12
+
+# Time period to generate instance usages for. Time period
+# must be hour, day, month or year (string value)
+#instance_usage_audit_period=month
+
+# Path to the rootwrap configuration file to use for running
+# commands as root (string value)
+#rootwrap_config=/etc/nova/rootwrap.conf
+
+# Explicitly specify the temporary working directory (string
+# value)
+#tempdir=
+
+
+#
+# Options defined in nova.wsgi
+#
+
+# File name for the paste.deploy config for nova-api (string
+# value)
+#api_paste_config=api-paste.ini
+
+# A python format string that is used as the template to
+# generate log lines. The following values can be formatted
+# into it: client_ip, date_time, request_line, status_code,
+# body_length, wall_seconds. (string value)
+#wsgi_log_format=%(client_ip)s "%(request_line)s" status: %(status_code)s len: %(body_length)s time: %(wall_seconds).7f
+
+# CA certificate file to use to verify connecting clients
+# (string value)
+#ssl_ca_file=
+
+# SSL certificate of API server (string value)
+#ssl_cert_file=
+
+# SSL private key of API server (string value)
+#ssl_key_file=
+
+# Sets the value of TCP_KEEPIDLE in seconds for each server
+# socket. Not supported on OS X. (integer value)
+#tcp_keepidle=600
+
+# Size of the pool of greenthreads used by wsgi (integer
+# value)
+#wsgi_default_pool_size=1000
+
+# Maximum line size of message headers to be accepted.
+# max_header_line may need to be increased when using large
+# tokens (typically those generated by the Keystone v3 API
+# with big service catalogs). (integer value)
+#max_header_line=16384
+
+# If False, closes the client socket connection explicitly.
+# (boolean value)
+#wsgi_keep_alive=true
+
+# Timeout for client connections' socket operations. If an
+# incoming connection is idle for this number of seconds it
+# will be closed. A value of '0' means wait forever. (integer
+# value)
+#client_socket_timeout=900
+
+
+#
+# Options defined in nova.api.auth
+#
+
+# Whether to use per-user rate limiting for the api. This
+# option is only used by v2 api. Rate limiting is removed from
+# v3 api. (boolean value)
+#api_rate_limit=false
+
+# The strategy to use for auth: keystone, noauth
+# (deprecated), or noauth2. Both noauth and noauth2 are
+# designed for testing only, as they do no actual credential
+# checking. noauth provides administrative credentials
+# regardless of the passed in user, noauth2 only does if
+# 'admin' is specified as the username. (string value)
+auth_strategy=keystone
+
+# Treat X-Forwarded-For as the canonical remote address. Only
+# enable this if you have a sanitizing proxy. (boolean value)
+#use_forwarded_for=false
+
+
+#
+# Options defined in nova.api.ec2
+#
+
+# Number of failed auths before lockout. (integer value)
+#lockout_attempts=5
+
+# Number of minutes to lockout if triggered. (integer value)
+#lockout_minutes=15
+
+# Number of minutes for lockout window. (integer value)
+#lockout_window=15
+
+# URL to get token from ec2 request. (string value)
+#keystone_ec2_url=http://localhost:5000/v2.0/ec2tokens
+
+# Return the IP address as private dns hostname in describe
+# instances (boolean value)
+#ec2_private_dns_show_ip=false
+
+# Validate security group names according to EC2 specification
+# (boolean value)
+#ec2_strict_validation=true
+
+# Time in seconds before ec2 timestamp expires (integer value)
+#ec2_timestamp_expiry=300
+
+# Disable SSL certificate verification. (boolean value)
+#keystone_ec2_insecure=false
+
+
+#
+# Options defined in nova.api.ec2.cloud
+#
+
+# The IP address of the EC2 API server (string value)
+#ec2_host=$my_ip
+
+# The internal IP address of the EC2 API server (string value)
+#ec2_dmz_host=$my_ip
+
+# The port of the EC2 API server (integer value)
+#ec2_port=8773
+
+# The protocol to use when connecting to the EC2 API server
+# (http, https) (string value)
+#ec2_scheme=http
+
+# The path prefix used to call the ec2 API server (string
+# value)
+#ec2_path=/
+
+# List of region=fqdn pairs separated by commas (list value)
+#region_list=
+
+
+#
+# Options defined in nova.api.metadata.base
+#
+
+# List of metadata versions to skip placing into the config
+# drive (string value)
+#config_drive_skip_versions=1.0 2007-01-19 2007-03-01 2007-08-29 2007-10-10 2007-12-15 2008-02-01 2008-09-01
+
+# Driver to use for vendor data (string value)
+#vendordata_driver=nova.api.metadata.vendordata_json.JsonFileVendorData
+
+
+#
+# Options defined in nova.api.metadata.handler
+#
+
+# Time in seconds to cache metadata; 0 to disable metadata
+# caching entirely (not recommended). Increasingthis should
+# improve response times of the metadata API when under heavy
+# load. Higher values may increase memoryusage and result in
+# longer times for host metadata changes to take effect.
+# (integer value)
+#metadata_cache_expiration=15
+
+
+#
+# Options defined in nova.api.metadata.vendordata_json
+#
+
+# File to load JSON formatted vendor data from (string value)
+#vendordata_jsonfile_path=
+
+
+#
+# Options defined in nova.api.openstack.common
+#
+
+# The maximum number of items returned in a single response
+# from a collection resource (integer value)
+#osapi_max_limit=1000
+
+# Base URL that will be presented to users in links to the
+# OpenStack Compute API (string value)
+#osapi_compute_link_prefix=
+
+# Base URL that will be presented to users in links to glance
+# resources (string value)
+#osapi_glance_link_prefix=
+
+
+#
+# Options defined in nova.api.openstack.compute
+#
+
+# Permit instance snapshot operations. (boolean value)
+#allow_instance_snapshots=true
+
+
+#
+# Options defined in nova.api.openstack.compute.contrib
+#
+
+# Specify list of extensions to load when using
+# osapi_compute_extension option with
+# nova.api.openstack.compute.contrib.select_extensions (list
+# value)
+#osapi_compute_ext_list=
+
+
+#
+# Options defined in nova.api.openstack.compute.contrib.fping
+#
+
+# Full path to fping. (string value)
+#fping_path=/usr/sbin/fping
+
+
+#
+# Options defined in nova.api.openstack.compute.contrib.os_tenant_networks
+#
+
+# Enables or disables quota checking for tenant networks
+# (boolean value)
+#enable_network_quota=false
+
+# Control for checking for default networks (string value)
+#use_neutron_default_nets=False
+
+# Default tenant id when creating neutron networks (string
+# value)
+#neutron_default_tenant_id=default
+
+# Number of private networks allowed per project (integer
+# value)
+#quota_networks=3
+
+
+#
+# Options defined in nova.api.openstack.compute.extensions
+#
+
+# osapi compute extension to load (multi valued)
+#osapi_compute_extension=nova.api.openstack.compute.contrib.standard_extensions
+
+
+#
+# Options defined in nova.api.openstack.compute.plugins.v3.hide_server_addresses
+#
+
+# List of instance states that should hide network info (list
+# value)
+#osapi_hide_server_address_states=building
+
+
+#
+# Options defined in nova.api.openstack.compute.servers
+#
+
+# Enables returning of the instance password by the relevant
+# server API calls such as create, rebuild or rescue, If the
+# hypervisor does not support password injection then the
+# password returned will not be correct (boolean value)
+#enable_instance_password=true
+
+
+#
+# Options defined in nova.cert.rpcapi
+#
+
+# The topic cert nodes listen on (string value)
+#cert_topic=cert
+
+
+#
+# Options defined in nova.cloudpipe.pipelib
+#
+
+# Image ID used when starting up a cloudpipe vpn server
+# (string value)
+#vpn_image_id=0
+
+# Flavor for vpn instances (string value)
+#vpn_flavor=m1.tiny
+
+# Template for cloudpipe instance boot script (string value)
+#boot_script_template=$pybasedir/nova/cloudpipe/bootscript.template
+
+# Network to push into openvpn config (string value)
+#dmz_net=10.0.0.0
+
+# Netmask to push into openvpn config (string value)
+#dmz_mask=255.255.255.0
+
+# Suffix to add to project name for vpn key and secgroups
+# (string value)
+#vpn_key_suffix=-vpn
+
+
+#
+# Options defined in nova.cmd.novnc
+#
+
+# Record sessions to FILE.[session_number] (boolean value)
+#record=false
+
+# Become a daemon (background process) (boolean value)
+#daemon=false
+
+# Disallow non-encrypted connections (boolean value)
+#ssl_only=false
+
+# Source is ipv6 (boolean value)
+#source_is_ipv6=false
+
+# SSL certificate file (string value)
+#cert=self.pem
+
+# SSL key file (if separate from cert) (string value)
+#key=
+
+# Run webserver on same port. Serve files from DIR. (string
+# value)
+#web=/usr/share/spice-html5
+
+
+#
+# Options defined in nova.cmd.novncproxy
+#
+
+# Host on which to listen for incoming requests (string value)
+#novncproxy_host=0.0.0.0
+
+# Port on which to listen for incoming requests (integer
+# value)
+#novncproxy_port=6080
+
+
+#
+# Options defined in nova.compute.api
+#
+
+# Allow destination machine to match source for resize. Useful
+# when testing in single-host environments. (boolean value)
+#allow_resize_to_same_host=false
+
+# Allow migrate machine to the same host. Useful when testing
+# in single-host environments. (boolean value)
+#allow_migrate_to_same_host=false
+
+# Availability zone to use when user doesn't specify one
+# (string value)
+#default_schedule_zone=
+
+# These are image properties which a snapshot should not
+# inherit from an instance (list value)
+#non_inheritable_image_properties=cache_in_nova,bittorrent
+
+# Kernel image that indicates not to use a kernel, but to use
+# a raw disk image instead (string value)
+#null_kernel=nokernel
+
+# When creating multiple instances with a single request using
+# the os-multiple-create API extension, this template will be
+# used to build the display name for each instance. The
+# benefit is that the instances end up with different
+# hostnames. To restore legacy behavior of every instance
+# having the same name, set this option to "%(name)s". Valid
+# keys for the template are: name, uuid, count. (string value)
+#multi_instance_display_name_template=%(name)s-%(count)d
+
+# Maximum number of devices that will result in a local image
+# being created on the hypervisor node. Setting this to 0
+# means nova will allow only boot from volume. A negative
+# number means unlimited. (integer value)
+#max_local_block_devices=3
+
+
+#
+# Options defined in nova.compute.flavors
+#
+
+# Default flavor to use for the EC2 API only. The Nova API
+# does not support a default flavor. (string value)
+#default_flavor=m1.small
+
+
+#
+# Options defined in nova.compute.manager
+#
+
+# Console proxy host to use to connect to instances on this
+# host. (string value)
+#console_host=nova
+
+# Name of network to use to set access IPs for instances
+# (string value)
+#default_access_ip_network_name=
+
+# Whether to batch up the application of IPTables rules during
+# a host restart and apply all at the end of the init phase
+# (boolean value)
+#defer_iptables_apply=false
+
+# Where instances are stored on disk (string value)
+#instances_path=$state_path/instances
+
+# Generate periodic compute.instance.exists notifications
+# (boolean value)
+#instance_usage_audit=false
+
+# Number of 1 second retries needed in live_migration (integer
+# value)
+#live_migration_retry_count=30
+
+# Whether to start guests that were running before the host
+# rebooted (boolean value)
+#resume_guests_state_on_host_boot=false
+
+# Number of times to retry network allocation on failures
+# (integer value)
+#network_allocate_retries=0
+
+# Maximum number of instance builds to run concurrently
+# (integer value)
+#max_concurrent_builds=10
+
+# Number of times to retry block device allocation on failures
+# (integer value)
+#block_device_allocate_retries=60
+
+# The number of times to attempt to reap an instance's files.
+# (integer value)
+#maximum_instance_delete_attempts=5
+
+# Interval to pull network bandwidth usage info. Not supported
+# on all hypervisors. Set to -1 to disable. Setting this to 0
+# will run at the default rate. (integer value)
+#bandwidth_poll_interval=600
+
+# Interval to sync power states between the database and the
+# hypervisor. Set to -1 to disable. Setting this to 0 will run
+# at the default rate. (integer value)
+#sync_power_state_interval=600
+
+# Number of seconds between instance network information cache
+# updates (integer value)
+#heal_instance_info_cache_interval=60
+
+# Interval in seconds for reclaiming deleted instances
+# (integer value)
+#reclaim_instance_interval=0
+
+# Interval in seconds for gathering volume usages (integer
+# value)
+#volume_usage_poll_interval=0
+
+# Interval in seconds for polling shelved instances to
+# offload. Set to -1 to disable.Setting this to 0 will run at
+# the default rate. (integer value)
+#shelved_poll_interval=3600
+
+# Time in seconds before a shelved instance is eligible for
+# removing from a host. -1 never offload, 0 offload when
+# shelved (integer value)
+#shelved_offload_time=0
+
+# Interval in seconds for retrying failed instance file
+# deletes. Set to -1 to disable. Setting this to 0 will run at
+# the default rate. (integer value)
+#instance_delete_interval=300
+
+# Waiting time interval (seconds) between block device
+# allocation retries on failures (integer value)
+#block_device_allocate_retries_interval=3
+
+# Waiting time interval (seconds) between sending the
+# scheduler a list of current instance UUIDs to verify that
+# its view of instances is in sync with nova. If the CONF
+# option `scheduler_tracks_instance_changes` is False,
+# changing this option will have no effect. (integer value)
+#scheduler_instance_sync_interval=120
+
+# Action to take if a running deleted instance is detected.
+# Valid options are 'noop', 'log', 'shutdown', or 'reap'. Set
+# to 'noop' to take no action. (string value)
+#running_deleted_instance_action=reap
+
+# Number of seconds to wait between runs of the cleanup task.
+# (integer value)
+#running_deleted_instance_poll_interval=1800
+
+# Number of seconds after being deleted when a running
+# instance should be considered eligible for cleanup. (integer
+# value)
+#running_deleted_instance_timeout=0
+
+# Automatically hard reboot an instance if it has been stuck
+# in a rebooting state longer than N seconds. Set to 0 to
+# disable. (integer value)
+#reboot_timeout=0
+
+# Amount of time in seconds an instance can be in BUILD before
+# going into ERROR status. Set to 0 to disable. (integer
+# value)
+#instance_build_timeout=0
+
+# Automatically unrescue an instance after N seconds. Set to 0
+# to disable. (integer value)
+#rescue_timeout=0
+
+# Automatically confirm resizes after N seconds. Set to 0 to
+# disable. (integer value)
+#resize_confirm_window=0
+
+# Total amount of time to wait in seconds for an instance to
+# perform a clean shutdown. (integer value)
+#shutdown_timeout=60
+
+
+#
+# Options defined in nova.compute.monitors
+#
+
+# Monitor classes available to the compute which may be
+# specified more than once. (multi valued)
+#compute_available_monitors=nova.compute.monitors.all_monitors
+
+# A list of monitors that can be used for getting compute
+# metrics. (list value)
+#compute_monitors=
+
+
+#
+# Options defined in nova.compute.resource_tracker
+#
+
+# Amount of disk in MB to reserve for the host (integer value)
+#reserved_host_disk_mb=0
+
+# Amount of memory in MB to reserve for the host (integer
+# value)
+#reserved_host_memory_mb=512
+
+# Class that will manage stats for the local compute host
+# (string value)
+#compute_stats_class=nova.compute.stats.Stats
+
+# The names of the extra resources to track. (list value)
+#compute_resources=vcpu
+
+
+#
+# Options defined in nova.compute.rpcapi
+#
+
+# The topic compute nodes listen on (string value)
+#compute_topic=compute
+
+
+#
+# Options defined in nova.conductor.tasks.live_migrate
+#
+
+# Number of times to retry live-migration before failing. If
+# == -1, try until out of hosts. If == 0, only try once, no
+# retries. (integer value)
+#migrate_max_retries=-1
+
+
+#
+# Options defined in nova.console.manager
+#
+
+# Driver to use for the console proxy (string value)
+#console_driver=nova.console.xvp.XVPConsoleProxy
+
+# Stub calls to compute worker for tests (boolean value)
+#stub_compute=false
+
+# Publicly visible name for this console host (string value)
+#console_public_hostname=nova
+
+
+#
+# Options defined in nova.console.rpcapi
+#
+
+# The topic console proxy nodes listen on (string value)
+#console_topic=console
+
+
+#
+# Options defined in nova.console.xvp
+#
+
+# XVP conf template (string value)
+#console_xvp_conf_template=$pybasedir/nova/console/xvp.conf.template
+
+# Generated XVP conf file (string value)
+#console_xvp_conf=/etc/xvp.conf
+
+# XVP master process pid file (string value)
+#console_xvp_pid=/var/run/xvp.pid
+
+# XVP log file (string value)
+#console_xvp_log=/var/log/xvp.log
+
+# Port for XVP to multiplex VNC connections on (integer value)
+#console_xvp_multiplex_port=5900
+
+
+#
+# Options defined in nova.consoleauth
+#
+
+# The topic console auth proxy nodes listen on (string value)
+#consoleauth_topic=consoleauth
+
+
+#
+# Options defined in nova.consoleauth.manager
+#
+
+# How many seconds before deleting tokens (integer value)
+#console_token_ttl=600
+
+
+#
+# Options defined in nova.db.api
+#
+
+# Services to be added to the available pool on create
+# (boolean value)
+#enable_new_services=true
+
+# Template string to be used to generate instance names
+# (string value)
+#instance_name_template=instance-%08x
+
+# Template string to be used to generate snapshot names
+# (string value)
+#snapshot_name_template=snapshot-%s
+
+
+#
+# Options defined in nova.db.base
+#
+
+# The driver to use for database access (string value)
+#db_driver=nova.db
+
+
+#
+# Options defined in nova.db.sqlalchemy.api
+#
+
+# When set, compute API will consider duplicate hostnames
+# invalid within the specified scope, regardless of case.
+# Should be empty, "project" or "global". (string value)
+#osapi_compute_unique_server_name_scope=
+
+
+#
+# Options defined in nova.image.s3
+#
+
+# Parent directory for tempdir used for image decryption
+# (string value)
+#image_decryption_dir=/tmp
+
+# Hostname or IP for OpenStack to use when accessing the S3
+# api (string value)
+#s3_host=$my_ip
+
+# Port used when accessing the S3 api (integer value)
+#s3_port=3333
+
+# Access key to use for S3 server for images (string value)
+#s3_access_key=notchecked
+
+# Secret key to use for S3 server for images (string value)
+#s3_secret_key=notchecked
+
+# Whether to use SSL when talking to S3 (boolean value)
+#s3_use_ssl=false
+
+# Whether to affix the tenant id to the access key when
+# downloading from S3 (boolean value)
+#s3_affix_tenant=false
+
+
+#
+# Options defined in nova.ipv6.api
+#
+
+# Backend to use for IPv6 generation (string value)
+#ipv6_backend=rfc2462
+
+
+#
+# Options defined in nova.network
+#
+
+# The full class name of the network API class to use (string
+# value)
+network_api_class=nova.network.api.API
+
+
+#
+# Options defined in nova.network.driver
+#
+
+# Driver to use for network creation (string value)
+#network_driver=nova.network.linux_net
+
+
+#
+# Options defined in nova.network.floating_ips
+#
+
+# Default pool for floating IPs (string value)
+#default_floating_pool=nova
+
+# Autoassigning floating IP to VM (boolean value)
+#auto_assign_floating_ip=false
+
+# Full class name for the DNS Manager for floating IPs (string
+# value)
+#floating_ip_dns_manager=nova.network.noop_dns_driver.NoopDNSDriver
+
+# Full class name for the DNS Manager for instance IPs (string
+# value)
+#instance_dns_manager=nova.network.noop_dns_driver.NoopDNSDriver
+
+# Full class name for the DNS Zone for instance IPs (string
+# value)
+#instance_dns_domain=
+
+
+#
+# Options defined in nova.network.ldapdns
+#
+
+# URL for LDAP server which will store DNS entries (string
+# value)
+#ldap_dns_url=ldap://ldap.example.com:389
+
+# User for LDAP DNS (string value)
+#ldap_dns_user=uid=admin,ou=people,dc=example,dc=org
+
+# Password for LDAP DNS (string value)
+#ldap_dns_password=password
+
+# Hostmaster for LDAP DNS driver Statement of Authority
+# (string value)
+#ldap_dns_soa_hostmaster=hostmaster@example.org
+
+# DNS Servers for LDAP DNS driver (multi valued)
+#ldap_dns_servers=dns.example.org
+
+# Base DN for DNS entries in LDAP (string value)
+#ldap_dns_base_dn=ou=hosts,dc=example,dc=org
+
+# Refresh interval (in seconds) for LDAP DNS driver Statement
+# of Authority (string value)
+#ldap_dns_soa_refresh=1800
+
+# Retry interval (in seconds) for LDAP DNS driver Statement of
+# Authority (string value)
+#ldap_dns_soa_retry=3600
+
+# Expiry interval (in seconds) for LDAP DNS driver Statement
+# of Authority (string value)
+#ldap_dns_soa_expiry=86400
+
+# Minimum interval (in seconds) for LDAP DNS driver Statement
+# of Authority (string value)
+#ldap_dns_soa_minimum=7200
+
+
+#
+# Options defined in nova.network.linux_net
+#
+
+# Location of flagfiles for dhcpbridge (multi valued)
+#dhcpbridge_flagfile=/etc/nova/nova.conf
+
+# Location to keep network config files (string value)
+#networks_path=$state_path/networks
+
+# Interface for public IP addresses (string value)
+#public_interface=eth0
+
+# Location of nova-dhcpbridge (string value)
+#dhcpbridge=/usr/bin/nova-dhcpbridge
+
+# Public IP of network host (string value)
+#routing_source_ip=$my_ip
+
+# Lifetime of a DHCP lease in seconds (integer value)
+#dhcp_lease_time=86400
+
+# If set, uses specific DNS server for dnsmasq. Can be
+# specified multiple times. (multi valued)
+#dns_server=
+
+# If set, uses the dns1 and dns2 from the network ref. as dns
+# servers. (boolean value)
+#use_network_dns_servers=false
+
+# A list of dmz ranges that should be accepted (list value)
+#dmz_cidr=
+
+# Traffic to this range will always be snatted to the fallback
+# ip, even if it would normally be bridged out of the node.
+# Can be specified multiple times. (multi valued)
+#force_snat_range=
+
+# Override the default dnsmasq settings with this file (string
+# value)
+#dnsmasq_config_file=
+
+# Driver used to create ethernet devices. (string value)
+#linuxnet_interface_driver=nova.network.linux_net.LinuxBridgeInterfaceDriver
+
+# Name of Open vSwitch bridge used with linuxnet (string
+# value)
+#linuxnet_ovs_integration_bridge=br-int
+
+# Send gratuitous ARPs for HA setup (boolean value)
+#send_arp_for_ha=false
+
+# Send this many gratuitous ARPs for HA setup (integer value)
+#send_arp_for_ha_count=3
+
+# Use single default gateway. Only first nic of vm will get
+# default gateway from dhcp server (boolean value)
+#use_single_default_gateway=false
+
+# An interface that bridges can forward to. If this is set to
+# all then all traffic will be forwarded. Can be specified
+# multiple times. (multi valued)
+#forward_bridge_interface=all
+
+# The IP address for the metadata API server (string value)
+#metadata_host=$my_ip
+
+# The port for the metadata API port (integer value)
+#metadata_port=8775
+
+# Regular expression to match the iptables rule that should
+# always be on the top. (string value)
+#iptables_top_regex=
+
+# Regular expression to match the iptables rule that should
+# always be on the bottom. (string value)
+#iptables_bottom_regex=
+
+# The table that iptables to jump to when a packet is to be
+# dropped. (string value)
+#iptables_drop_action=DROP
+
+# Amount of time, in seconds, that ovs_vsctl should wait for a
+# response from the database. 0 is to wait forever. (integer
+# value)
+#ovs_vsctl_timeout=120
+
+# If passed, use fake network devices and addresses (boolean
+# value)
+#fake_network=false
+
+# Number of times to retry ebtables commands on failure.
+# (integer value)
+#ebtables_exec_attempts=3
+
+# Number of seconds to wait between ebtables retries.
+# (floating point value)
+#ebtables_retry_interval=1.0
+
+
+#
+# Options defined in nova.network.manager
+#
+
+# Bridge for simple network instances (string value)
+#flat_network_bridge=
+
+# DNS server for simple network (string value)
+#flat_network_dns=8.8.4.4
+
+# Whether to attempt to inject network setup into guest
+# (boolean value)
+#flat_injected=false
+
+# FlatDhcp will bridge into this interface if set (string
+# value)
+#flat_interface=
+
+# First VLAN for private networks (integer value)
+#vlan_start=100
+
+# VLANs will bridge into this interface if set (string value)
+#vlan_interface=
+
+# Number of networks to support (integer value)
+#num_networks=1
+
+# Public IP for the cloudpipe VPN servers (string value)
+#vpn_ip=$my_ip
+
+# First Vpn port for private networks (integer value)
+#vpn_start=1000
+
+# Number of addresses in each private subnet (integer value)
+#network_size=256
+
+# Fixed IPv6 address block (string value)
+#fixed_range_v6=fd00::/48
+
+# Default IPv4 gateway (string value)
+#gateway=
+
+# Default IPv6 gateway (string value)
+#gateway_v6=
+
+# Number of addresses reserved for vpn clients (integer value)
+#cnt_vpn_clients=0
+
+# Seconds after which a deallocated IP is disassociated
+# (integer value)
+#fixed_ip_disassociate_timeout=600
+
+# Number of attempts to create unique mac address (integer
+# value)
+#create_unique_mac_address_attempts=5
+
+# If True, skip using the queue and make local calls (boolean
+# value)
+#fake_call=false
+
+# If True, unused gateway devices (VLAN and bridge) are
+# deleted in VLAN network mode with multi hosted networks
+# (boolean value)
+#teardown_unused_network_gateway=false
+
+# If True, send a dhcp release on instance termination
+# (boolean value)
+#force_dhcp_release=True
+
+# If True, when a DNS entry must be updated, it sends a fanout
+# cast to all network hosts to update their DNS entries in
+# multi host mode (boolean value)
+#update_dns_entries=false
+
+# Number of seconds to wait between runs of updates to DNS
+# entries. (integer value)
+#dns_update_periodic_interval=-1
+
+# Domain to use for building the hostnames (string value)
+#dhcp_domain=novalocal
+
+# Indicates underlying L3 management library (string value)
+#l3_lib=nova.network.l3.LinuxNetL3
+
+
+#
+# Options defined in nova.network.rpcapi
+#
+
+# The topic network nodes listen on (string value)
+#network_topic=network
+
+# Default value for multi_host in networks. Also, if set, some
+# rpc network calls will be sent directly to host. (boolean
+# value)
+#multi_host=false
+
+
+#
+# Options defined in nova.network.security_group.openstack_driver
+#
+
+# The full class name of the security API class (string value)
+security_group_api=nova
+
+
+#
+# Options defined in nova.objects.network
+#
+
+# DEPRECATED: THIS VALUE SHOULD BE SET WHEN CREATING THE
+# NETWORK. If True in multi_host mode, all compute hosts share
+# the same dhcp address. The same IP address used for DHCP
+# will be added on each nova-network node which is only
+# visible to the vms on the same host. (boolean value)
+#share_dhcp_address=false
+
+# DEPRECATED: THIS VALUE SHOULD BE SET WHEN CREATING THE
+# NETWORK. MTU setting for network interface. (integer value)
+#network_device_mtu=
+
+
+#
+# Options defined in nova.objectstore.s3server
+#
+
+# Path to S3 buckets (string value)
+#buckets_path=$state_path/buckets
+
+# IP address for S3 API to listen (string value)
+#s3_listen=0.0.0.0
+
+# Port for S3 API to listen (integer value)
+#s3_listen_port=3333
+
+
+#
+# From oslo.log
+#
+
+# Print debugging output (set logging level to DEBUG instead of default WARNING
+# level). (boolean value)
+#debug=false
+
+# Print more verbose output (set logging level to INFO instead of default
+# WARNING level). (boolean value)
+#verbose=false
+
+# The name of a logging configuration file. This file is appended to any
+# existing logging configuration files. For details about logging configuration
+# files, see the Python logging module documentation. (string value)
+# Deprecated group;name - DEFAULT;log_config
+#log_config_append=
+
+# DEPRECATED. A logging.Formatter log message format string which may use any
+# of the available logging.LogRecord attributes. This option is deprecated.
+# Please use logging_context_format_string and logging_default_format_string
+# instead. (string value)
+#log_format=
+
+# Format string for %%(asctime)s in log records. Default: %(default)s . (string
+# value)
+#log_date_format=%Y-%m-%d %H:%M:%S
+
+# (Optional) Name of log file to output to. If no default is set, logging will
+# go to stdout. (string value)
+# Deprecated group;name - DEFAULT;logfile
+#log_file=
+
+# (Optional) The base directory used for relative --log-file paths. (string
+# value)
+# Deprecated group;name - DEFAULT;logdir
+#log_dir=/var/log/nova
+
+# Use syslog for logging. Existing syslog format is DEPRECATED during I, and
+# will change in J to honor RFC5424. (boolean value)
+#use_syslog=false
+
+# (Optional) Enables or disables syslog rfc5424 format for logging. If enabled,
+# prefixes the MSG part of the syslog message with APP-NAME (RFC5424). The
+# format without the APP-NAME is deprecated in I, and will be removed in J.
+# (boolean value)
+#use_syslog_rfc_format=false
+
+# Syslog facility to receive log lines. (string value)
+#syslog_log_facility=LOG_USER
+
+# Log output to standard error. (boolean value)
+#use_stderr=False
+
+# Format string to use for log messages with context. (string value)
+#logging_context_format_string=%(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [%(request_id)s %(user_identity)s] %(instance)s%(message)s
+
+# Format string to use for log messages without context. (string value)
+#logging_default_format_string=%(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [-] %(instance)s%(message)s
+
+# Data to append to log format when level is DEBUG. (string value)
+#logging_debug_format_suffix=%(funcName)s %(pathname)s:%(lineno)d
+
+# Prefix each line of exception output with this format. (string value)
+#logging_exception_prefix=%(asctime)s.%(msecs)03d %(process)d TRACE %(name)s %(instance)s
+
+# List of logger=LEVEL pairs. (list value)
+#default_log_levels=amqp=WARN,amqplib=WARN,boto=WARN,qpid=WARN,sqlalchemy=WARN,suds=INFO,oslo.messaging=INFO,iso8601=WARN,requests.packages.urllib3.connectionpool=WARN,urllib3.connectionpool=WARN,websocket=WARN,requests.packages.urllib3.util.retry=WARN,urllib3.util.retry=WARN,keystonemiddleware=WARN,routes.middleware=WARN,stevedore=WARN
+
+# Enables or disables publication of error events. (boolean value)
+#publish_errors=false
+
+# Enables or disables fatal status of deprecations. (boolean value)
+#fatal_deprecations=false
+
+# The format for an instance that is passed with the log message. (string
+# value)
+#instance_format="[instance: %(uuid)s] "
+
+# The format for an instance UUID that is passed with the log message. (string
+# value)
+#instance_uuid_format="[instance: %(uuid)s] "
+
+
+#
+# Options defined in nova.pci.request
+#
+
+# An alias for a PCI passthrough device requirement. This
+# allows users to specify the alias in the extra_spec for a
+# flavor, without needing to repeat all the PCI property
+# requirements. For example: pci_alias = { "name":
+# "QuicAssist", "product_id": "0443", "vendor_id": "8086",
+# "device_type": "ACCEL" } defines an alias for the Intel
+# QuickAssist card. (multi valued) (multi valued)
+#pci_alias=
+
+
+#
+# Options defined in nova.pci.whitelist
+#
+
+# White list of PCI devices available to VMs. For example:
+# pci_passthrough_whitelist = [{"vendor_id": "8086",
+# "product_id": "0443"}] (multi valued)
+#pci_passthrough_whitelist=
+
+
+#
+# Options defined in nova.scheduler.driver
+#
+
+# The scheduler host manager class to use (string value)
+#scheduler_host_manager=nova.scheduler.host_manager.HostManager
+
+
+#
+# Options defined in nova.scheduler.filter_scheduler
+#
+
+# New instances will be scheduled on a host chosen randomly
+# from a subset of the N best hosts. This property defines the
+# subset size that a host is chosen from. A value of 1 chooses
+# the first host returned by the weighing functions. This
+# value must be at least 1. Any value less than 1 will be
+# ignored, and 1 will be used instead (integer value)
+#scheduler_host_subset_size=1
+
+
+#
+# Options defined in nova.scheduler.filters.aggregate_image_properties_isolation
+#
+
+# Force the filter to consider only keys matching the given
+# namespace. (string value)
+#aggregate_image_properties_isolation_namespace=
+
+# The separator used between the namespace and keys (string
+# value)
+#aggregate_image_properties_isolation_separator=.
+
+
+#
+# Options defined in nova.scheduler.filters.core_filter
+#
+
+# Virtual CPU to physical CPU allocation ratio which affects
+# all CPU filters. This configuration specifies a global ratio
+# for CoreFilter. For AggregateCoreFilter, it will fall back
+# to this configuration value if no per-aggregate setting
+# found. (floating point value)
+#cpu_allocation_ratio=16.0
+
+
+#
+# Options defined in nova.scheduler.filters.disk_filter
+#
+
+# Virtual disk to physical disk allocation ratio (floating
+# point value)
+#disk_allocation_ratio=1.0
+
+
+#
+# Options defined in nova.scheduler.filters.io_ops_filter
+#
+
+# Tells filters to ignore hosts that have this many or more
+# instances currently in build, resize, snapshot, migrate,
+# rescue or unshelve task states (integer value)
+#max_io_ops_per_host=8
+
+
+#
+# Options defined in nova.scheduler.filters.isolated_hosts_filter
+#
+
+# Images to run on isolated host (list value)
+#isolated_images=
+
+# Host reserved for specific images (list value)
+#isolated_hosts=
+
+# Whether to force isolated hosts to run only isolated images
+# (boolean value)
+#restrict_isolated_hosts_to_isolated_images=true
+
+
+#
+# Options defined in nova.scheduler.filters.num_instances_filter
+#
+
+# Ignore hosts that have too many instances (integer value)
+#max_instances_per_host=50
+
+
+#
+# Options defined in nova.scheduler.filters.ram_filter
+#
+
+# Virtual ram to physical ram allocation ratio which affects
+# all ram filters. This configuration specifies a global ratio
+# for RamFilter. For AggregateRamFilter, it will fall back to
+# this configuration value if no per-aggregate setting found.
+# (floating point value)
+#ram_allocation_ratio=1.5
+
+
+#
+# Options defined in nova.scheduler.host_manager
+#
+
+# Filter classes available to the scheduler which may be
+# specified more than once. An entry of
+# "nova.scheduler.filters.all_filters" maps to all filters
+# included with nova. (multi valued)
+#scheduler_available_filters=nova.scheduler.filters.all_filters
+
+# Which filter class names to use for filtering hosts when not
+# specified in the request.
(list value) +#scheduler_default_filters=RetryFilter,AvailabilityZoneFilter,RamFilter,ComputeFilter,ComputeCapabilitiesFilter,ImagePropertiesFilter,ServerGroupAntiAffinityFilter,ServerGroupAffinityFilter + +# Which weight class names to use for weighing hosts (list +# value) +#scheduler_weight_classes=nova.scheduler.weights.all_weighers + +# Determines if the Scheduler tracks changes to instances to +# help with its filtering decisions. (boolean value) +#scheduler_tracks_instance_changes=true + + +# +# Options defined in nova.scheduler.ironic_host_manager +# + +# Which filter class names to use for filtering baremetal +# hosts when not specified in the request. (list value) +#baremetal_scheduler_default_filters=RetryFilter,AvailabilityZoneFilter,ComputeFilter,ComputeCapabilitiesFilter,ImagePropertiesFilter,ExactRamFilter,ExactDiskFilter,ExactCoreFilter + +# Flag to decide whether to use +# baremetal_scheduler_default_filters or not. (boolean value) +#scheduler_use_baremetal_filters=false + + +# +# Options defined in nova.scheduler.manager +# + +# Default driver to use for the scheduler (string value) +#scheduler_driver=nova.scheduler.filter_scheduler.FilterScheduler + +# How often (in seconds) to run periodic tasks in the +# scheduler driver of your choice. Please note this is likely +# to interact with the value of service_down_time, but exactly +# how they interact will depend on your choice of scheduler +# driver. (integer value) +#scheduler_driver_task_period=60 + + +# +# Options defined in nova.scheduler.rpcapi +# + +# The topic scheduler nodes listen on (string value) +#scheduler_topic=scheduler + + +# +# Options defined in nova.scheduler.scheduler_options +# + +# Absolute path to scheduler configuration JSON file. 
(string +# value) +#scheduler_json_config_location= + + +# +# Options defined in nova.scheduler.utils +# + +# Maximum number of attempts to schedule an instance (integer +# value) +#scheduler_max_attempts=3 + + +# +# Options defined in nova.scheduler.weights.io_ops +# + +# Multiplier used for weighing host io ops. Negative numbers +# mean a preference to choose light workload compute hosts. +# (floating point value) +#io_ops_weight_multiplier=-1.0 + + +# +# Options defined in nova.scheduler.weights.ram +# + +# Multiplier used for weighing ram. Negative numbers mean to +# stack vs spread. (floating point value) +#ram_weight_multiplier=1.0 + + +# +# Options defined in nova.servicegroup.api +# + +# The driver for servicegroup service (valid options are: db, +# zk, mc) (string value) +#servicegroup_driver=db + + +# +# Options defined in nova.virt.configdrive +# + +# Config drive format. One of iso9660 (default) or vfat +# (string value) +#config_drive_format=iso9660 + +# Set to "always" to force injection to take place on a config +# drive. NOTE: The "always" will be deprecated in the Liberty +# release cycle. (string value) +#force_config_drive= + +# Name and optionally path of the tool used for ISO image +# creation (string value) +#mkisofs_cmd=genisoimage + + +# +# Options defined in nova.virt.disk.api +# + +# Name of the mkfs commands for ephemeral device. The format +# is = (multi valued) +#virt_mkfs= + +# Attempt to resize the filesystem by accessing the image over +# a block device. This is done by the host and may not be +# necessary if the image contains a recent version of cloud- +# init. Possible mechanisms require the nbd driver (for qcow +# and raw), or loop (for raw). (boolean value) +#resize_fs_using_block_device=false + + +# +# Options defined in nova.virt.disk.mount.nbd +# + +# Amount of time, in seconds, to wait for NBD device start up. 
+# (integer value) +#timeout_nbd=10 + + +# +# Options defined in nova.virt.driver +# + +# Driver to use for controlling virtualization. Options +# include: libvirt.LibvirtDriver, xenapi.XenAPIDriver, +# fake.FakeDriver, baremetal.BareMetalDriver, +# vmwareapi.VMwareVCDriver, hyperv.HyperVDriver (string value) +#compute_driver=libvirt.LibvirtDriver + +# The default format an ephemeral_volume will be formatted +# with on creation. (string value) +#default_ephemeral_format= + +# VM image preallocation mode: "none" => no storage +# provisioning is done up front, "space" => storage is fully +# allocated at instance start (string value) +#preallocate_images=none + +# Whether to use cow images (boolean value) +#use_cow_images=true + +# Fail instance boot if vif plugging fails (boolean value) +#vif_plugging_is_fatal=true + +# Number of seconds to wait for neutron vif plugging events to +# arrive before continuing or failing (see +# vif_plugging_is_fatal). If this is set to zero and +# vif_plugging_is_fatal is False, events should not be +# expected to arrive at all. (integer value) +#vif_plugging_timeout=300 + + +# +# Options defined in nova.virt.firewall +# + +# Firewall driver (defaults to hypervisor specific iptables +# driver) (string value) +#firewall_driver=nova.virt.libvirt.firewall.IptablesFirewallDriver + +# Whether to allow network traffic from same network (boolean +# value) +#allow_same_net_traffic=true + + +# +# Options defined in nova.virt.hardware +# + +# Defines which pcpus that instance vcpus can use. For +# example, "4-12,^8,15" (string value) +#vcpu_pin_set= + + +# +# Options defined in nova.virt.imagecache +# + +# Number of seconds to wait between runs of the image cache +# manager. Set to -1 to disable. Setting this to 0 will run at +# the default rate. (integer value) +#image_cache_manager_interval=2400 + +# Where cached images are stored under $instances_path. This +# is NOT the full path - just a folder name. 
For per-compute- +# host cached images, set to _base_$my_ip (string value) +#image_cache_subdirectory_name=_base + +# Should unused base images be removed? (boolean value) +#remove_unused_base_images=true + +# Unused unresized base images younger than this will not be +# removed (integer value) +#remove_unused_original_minimum_age_seconds=86400 + + +# +# Options defined in nova.virt.images +# + +# Force backing images to raw format (boolean value) +#force_raw_images=true + + +# +# Options defined in nova.virt.netutils +# + +# Template file for injected network (string value) +#injected_network_template=/usr/share/nova/interfaces.template + + +# +# Options defined in nova.vnc +# + +# Location of VNC console proxy, in the form +# "http://127.0.0.1:6080/vnc_auto.html" (string value) +#novncproxy_base_url=http://127.0.0.1:6080/vnc_auto.html + +# Location of nova xvp VNC console proxy, in the form +# "http://127.0.0.1:6081/console" (string value) +#xvpvncproxy_base_url=http://127.0.0.1:6081/console + +# IP address on which instance vncservers should listen +# (string value) +vncserver_listen={{management_ip}} + +# The address to which proxy clients (like nova-xvpvncproxy) +# should connect (string value) +vncserver_proxyclient_address={{management_ip}} + +# Enable VNC related features (boolean value) +#vnc_enabled=true + +# Keymap for VNC (string value) +#vnc_keymap=en-us + + +# +# Options defined in nova.vnc.xvp_proxy +# + +# Port that the XCP VNC proxy should bind to (integer value) +#xvpvncproxy_port=6081 + +# Address that the XCP VNC proxy should bind to (string value) +#xvpvncproxy_host=0.0.0.0 + + +# +# Options defined in nova.volume +# + +# The full class name of the volume API class to use (string +# value) +#volume_api_class=nova.volume.cinder.API + + +# +# Options defined in nova.openstack.common.eventlet_backdoor +# + +# Enable eventlet backdoor. 
Acceptable values are 0, , +# and :, where 0 results in listening on a random +# tcp port number; results in listening on the +# specified port number (and not enabling backdoor if that +# port is in use); and : results in listening on +# the smallest unused port number within the specified range +# of port numbers. The chosen port is displayed in the +# service's log file. (string value) +#backdoor_port= + + +# +# Options defined in nova.openstack.common.memorycache +# + +# Memcached servers or None for in process cache. (list value) +#memcached_servers= + + +# +# Options defined in nova.openstack.common.periodic_task +# + +# Some periodic tasks can be run in a separate process. Should +# we run them here? (boolean value) +#run_external_periodic_tasks=true + + +# +# Options defined in nova.openstack.common.policy +# + +# The JSON file that defines policies. (string value) +#policy_file=policy.json + +# Default rule. Enforced when a requested rule is not found. +# (string value) +#policy_default_rule=default + +# Directories where policy configuration files are stored. +# They can be relative to any directory in the search path +# defined by the config_dir option, or absolute paths. The +# file defined by policy_file must exist for these directories +# to be searched. Missing or empty directories are ignored. +# (multi valued) +#policy_dirs=policy.d + + +# +# Options defined in nova.openstack.common.versionutils +# + +# Enables or disables fatal status of deprecations. (boolean +# value) +#fatal_deprecations=false + + +[api_database] + +# +# Options defined in nova.db.sqlalchemy.api +# + +# The SQLAlchemy connection string to use to connect to the +# Nova API database. (string value) +#connection=mysql://nova:nova@localhost/nova + +# If True, SQLite uses synchronous mode. (boolean value) +#sqlite_synchronous=true + +# Timeout before idle SQL connections are reaped. (integer +# value) +#idle_timeout=3600 + +# Maximum number of SQL connections to keep open in a pool. 
+# (integer value) +#max_pool_size= + +# Maximum number of database connection retries during +# startup. Set to -1 to specify an infinite retry count. +# (integer value) +#max_retries=-1 + +# Interval between retries of opening a SQL connection. +# (integer value) +#retry_interval=10 + +# If set, use this value for max_overflow with SQLAlchemy. +# (integer value) +#max_overflow= + +# Verbosity of SQL debugging information: 0=None, +# 100=Everything. (integer value) +#connection_debug=0 + +# Add Python stack traces to SQL as comment strings. (boolean +# value) +#connection_trace=false + +# If set, use this value for pool_timeout with SQLAlchemy. +# (integer value) +#pool_timeout= + + +[barbican] + +# +# Options defined in nova.keymgr.barbican +# + +# Info to match when looking for barbican in the service +# catalog. Format is: separated values of the form: +# :: (string value) +#catalog_info=key-manager:barbican:public + +# Override service catalog lookup with template for barbican +# endpoint e.g. http://localhost:9311/v1/%(project_id)s +# (string value) +#endpoint_template= + +# Region name of this node (string value) +#os_region_name= + + +# +# Options defined in nova.volume.cinder +# + +# Region name of this node (string value) +#os_region_name= + + +[cells] + +# +# Options defined in nova.cells.manager +# + +# Cells communication driver to use (string value) +#driver=nova.cells.rpc_driver.CellsRPCDriver + +# Number of seconds after an instance was updated or deleted +# to continue to update cells (integer value) +#instance_updated_at_threshold=3600 + +# Number of instances to update per periodic task run (integer +# value) +#instance_update_num_instances=1 + + +# +# Options defined in nova.cells.messaging +# + +# Maximum number of hops for cells routing. 
(integer value) +#max_hop_count=10 + +# Cells scheduler to use (string value) +#scheduler=nova.cells.scheduler.CellsScheduler + + +# +# Options defined in nova.cells.opts +# + +# Enable cell functionality (boolean value) +#enable=false + +# The topic cells nodes listen on (string value) +#topic=cells + +# Manager for cells (string value) +#manager=nova.cells.manager.CellsManager + +# Name of this cell (string value) +#name=nova + +# Key/Multi-value list with the capabilities of the cell (list +# value) +#capabilities=hypervisor=xenserver;kvm,os=linux;windows + +# Seconds to wait for response from a call to a cell. (integer +# value) +#call_timeout=60 + +# Percentage of cell capacity to hold in reserve. Affects both +# memory and disk utilization (floating point value) +#reserve_percent=10.0 + +# Type of cell: api or compute (string value) +#cell_type=compute + +# Number of seconds after which a lack of capability and +# capacity updates signals the child cell is to be treated as +# a mute. (integer value) +#mute_child_interval=300 + +# Seconds between bandwidth updates for cells. (integer value) +#bandwidth_update_interval=600 + + +# +# Options defined in nova.cells.rpc_driver +# + +# Base queue name to use when communicating between cells. +# Various topics by message type will be appended to this. +# (string value) +#rpc_driver_queue_base=cells.intercell + + +# +# Options defined in nova.cells.scheduler +# + +# Filter classes the cells scheduler should use. An entry of +# "nova.cells.filters.all_filters" maps to all cells filters +# included with nova. (list value) +#scheduler_filter_classes=nova.cells.filters.all_filters + +# Weigher classes the cells scheduler should use. An entry of +# "nova.cells.weights.all_weighers" maps to all cell weighers +# included with nova. (list value) +#scheduler_weight_classes=nova.cells.weights.all_weighers + +# How many retries when no cells are available. 
(integer +# value) +#scheduler_retries=10 + +# How often to retry in seconds when no cells are available. +# (integer value) +#scheduler_retry_delay=2 + + +# +# Options defined in nova.cells.state +# + +# Interval, in seconds, for getting fresh cell information +# from the database. (integer value) +#db_check_interval=60 + +# Configuration file from which to read cells configuration. +# If given, overrides reading cells from the database. (string +# value) +#cells_config= + + +# +# Options defined in nova.cells.weights.mute_child +# + +# Multiplier used to weigh mute children. (The value should be +# negative.) (floating point value) +#mute_weight_multiplier=-10.0 + +# Weight value assigned to mute children. (The value should be +# positive.) (floating point value) +#mute_weight_value=1000.0 + + +# +# Options defined in nova.cells.weights.ram_by_instance_type +# + +# Multiplier used for weighing ram. Negative numbers mean to +# stack vs spread. (floating point value) +#ram_weight_multiplier=10.0 + + +# +# Options defined in nova.cells.weights.weight_offset +# + +# Multiplier used to weigh offset weigher. (floating point +# value) +#offset_weight_multiplier=1.0 + + +[cinder] + +# +# Options defined in nova.volume.cinder +# + +# Info to match when looking for cinder in the service +# catalog. Format is: separated values of the form: +# :: (string value) +#catalog_info=volumev2:cinderv2:publicURL + +# Override service catalog lookup with template for cinder +# endpoint e.g. http://localhost:8776/v1/%(project_id)s +# (string value) +#endpoint_template= + +# Number of cinderclient retries on failed http calls (integer +# value) +#http_retries=3 + +# Allow attach between instance and volume in different +# availability zones. 
(boolean value) +#cross_az_attach=true + + +[conductor] + +# +# Options defined in nova.conductor.api +# + +# Perform nova-conductor operations locally (boolean value) +#use_local=false + +# The topic on which conductor nodes listen (string value) +#topic=conductor + +# Full class name for the Manager for conductor (string value) +#manager=nova.conductor.manager.ConductorManager + +# Number of workers for OpenStack Conductor service. The +# default will be the number of CPUs available. (integer +# value) +#workers= + + +[database] + +# +# From oslo.db +# + +# The file name to use with SQLite. (string value) +# Deprecated group;name - DEFAULT;sqlite_db +#sqlite_db=oslo.sqlite + +# If True, SQLite uses synchronous mode. (boolean value) +# Deprecated group;name - DEFAULT;sqlite_synchronous +#sqlite_synchronous=true + +# The back end to use for the database. (string value) +# Deprecated group;name - DEFAULT;db_backend +#backend=sqlalchemy + +# The SQLAlchemy connection string to use to connect to the database. (string +# value) +# Deprecated group;name - DEFAULT;sql_connection +# Deprecated group;name - [DATABASE]/sql_connection +# Deprecated group;name - [sql]/connection +connection = mysql://{{database.user}}:{{database.password}}@{{database.host}}/{{database.name}} + +# The SQLAlchemy connection string to use to connect to the slave database. +# (string value) +#slave_connection= + +# The SQL mode to be used for MySQL sessions. This option, including the +# default, overrides any server-set SQL mode. To use whatever SQL mode is set +# by the server configuration, set this to no value. Example: mysql_sql_mode= +# (string value) +#mysql_sql_mode=TRADITIONAL + +# Timeout before idle SQL connections are reaped. (integer value) +# Deprecated group;name - DEFAULT;sql_idle_timeout +# Deprecated group;name - [DATABASE]/sql_idle_timeout +# Deprecated group;name - [sql]/idle_timeout +#idle_timeout=3600 + +# Minimum number of SQL connections to keep open in a pool. 
(integer value) +# Deprecated group;name - DEFAULT;sql_min_pool_size +# Deprecated group;name - [DATABASE]/sql_min_pool_size +#min_pool_size=1 + +# Maximum number of SQL connections to keep open in a pool. (integer value) +# Deprecated group;name - DEFAULT;sql_max_pool_size +# Deprecated group;name - [DATABASE]/sql_max_pool_size +#max_pool_size= + +# Maximum number of database connection retries during startup. Set to -1 to +# specify an infinite retry count. (integer value) +# Deprecated group;name - DEFAULT;sql_max_retries +# Deprecated group;name - [DATABASE]/sql_max_retries +#max_retries=10 + +# Interval between retries of opening a SQL connection. (integer value) +# Deprecated group;name - DEFAULT;sql_retry_interval +# Deprecated group;name - [DATABASE]/reconnect_interval +#retry_interval=10 + +# If set, use this value for max_overflow with SQLAlchemy. (integer value) +# Deprecated group;name - DEFAULT;sql_max_overflow +# Deprecated group;name - [DATABASE]/sqlalchemy_max_overflow +#max_overflow= + +# Verbosity of SQL debugging information: 0=None, 100=Everything. (integer +# value) +# Deprecated group;name - DEFAULT;sql_connection_debug +#connection_debug=0 + +# Add Python stack traces to SQL as comment strings. (boolean value) +# Deprecated group;name - DEFAULT;sql_connection_trace +#connection_trace=false + +# If set, use this value for pool_timeout with SQLAlchemy. (integer value) +# Deprecated group;name - [DATABASE]/sqlalchemy_pool_timeout +#pool_timeout= + +# Enable the experimental use of database reconnect on connection lost. +# (boolean value) +#use_db_reconnect=false + +# Seconds between retries of a database transaction. (integer value) +#db_retry_interval=1 + +# If True, increases the interval between retries of a database operation up to +# db_max_retry_interval. (boolean value) +#db_inc_retry_interval=true + +# If db_inc_retry_interval is set, the maximum seconds between retries of a +# database operation. 
(integer value) +#db_max_retry_interval=10 + +# Maximum retries in case of connection error or deadlock error before error is +# raised. Set to -1 to specify an infinite retry count. (integer value) +#db_max_retries=20 + + +# +# Options defined in nova.db.sqlalchemy.api +# + +# The SQLAlchemy connection string to use to connect to the +# slave database. (string value) +#slave_connection= + +# The SQL mode to be used for MySQL sessions. This option, +# including the default, overrides any server-set SQL mode. To +# use whatever SQL mode is set by the server configuration, +# set this to no value. Example: mysql_sql_mode= (string +# value) +#mysql_sql_mode=TRADITIONAL + + +[ephemeral_storage_encryption] + +# +# Options defined in nova.compute.api +# + +# Whether to encrypt ephemeral storage (boolean value) +#enabled=false + +# The cipher and mode to be used to encrypt ephemeral storage. +# Which ciphers are available ciphers depends on kernel +# support. See /proc/crypto for the list of available options. +# (string value) +#cipher=aes-xts-plain64 + +# The bit length of the encryption key to be used to encrypt +# ephemeral storage (in XTS mode only half of the bits are +# used for encryption key) (integer value) +#key_size=512 + + +[glance] + +# +# Options defined in nova.image.glance +# + +# Default glance hostname or IP address (string value) +host={{controller}} + +# Default glance port (integer value) +#port=9292 + +# Default protocol to use when connecting to glance. Set to +# https for SSL. (string value) +#protocol=http + +# A list of the glance api servers available to nova. Prefix +# with https:// for ssl-based glance api servers. +# ([hostname|ip]:port) (list value) +#api_servers= + +# Allow to perform insecure SSL (https) requests to glance +# (boolean value) +#api_insecure=false + +# Number of retries when uploading / downloading an image to / +# from glance. 
(integer value) +#num_retries=0 + +# A list of url scheme that can be downloaded directly via the +# direct_url. Currently supported schemes: [file]. (list +# value) +#allowed_direct_url_schemes= + + +[guestfs] + +# +# Options defined in nova.virt.disk.vfs.guestfs +# + +# Enable guestfs debug (boolean value) +#debug=false + + +[hyperv] + +# +# Options defined in nova.virt.hyperv.pathutils +# + +# The name of a Windows share name mapped to the +# "instances_path" dir and used by the resize feature to copy +# files to the target host. If left blank, an administrative +# share will be used, looking for the same "instances_path" +# used locally (string value) +#instances_path_share= + + +# +# Options defined in nova.virt.hyperv.utilsfactory +# + +# Force V1 WMI utility classes (boolean value) +#force_hyperv_utils_v1=false + +# Force V1 volume utility class (boolean value) +#force_volumeutils_v1=false + + +# +# Options defined in nova.virt.hyperv.vif +# + +# External virtual switch Name, if not provided, the first +# external virtual switch is used (string value) +#vswitch_name= + + +# +# Options defined in nova.virt.hyperv.vmops +# + +# Required for live migration among hosts with different CPU +# features (boolean value) +#limit_cpu_features=false + +# Sets the admin password in the config drive image (boolean +# value) +#config_drive_inject_password=false + +# Path of qemu-img command which is used to convert between +# different image types (string value) +#qemu_img_cmd=qemu-img.exe + +# Attaches the Config Drive image as a cdrom drive instead of +# a disk drive (boolean value) +#config_drive_cdrom=false + +# Enables metrics collections for an instance by using +# Hyper-V's metric APIs. Collected data can by retrieved by +# other apps and services, e.g.: Ceilometer. Requires Hyper-V +# / Windows Server 2012 and above (boolean value) +#enable_instance_metrics_collection=false + +# Enables dynamic memory allocation (ballooning) when set to a +# value greater than 1. 
The value expresses the ratio between +# the total RAM assigned to an instance and its startup RAM +# amount. For example a ratio of 2.0 for an instance with +# 1024MB of RAM implies 512MB of RAM allocated at startup +# (floating point value) +#dynamic_memory_ratio=1.0 + +# Number of seconds to wait for instance to shut down after +# soft reboot request is made. We fall back to hard reboot if +# instance does not shutdown within this window. (integer +# value) +#wait_soft_reboot_seconds=60 + + +# +# Options defined in nova.virt.hyperv.volumeops +# + +# The number of times to retry to attach a volume (integer +# value) +#volume_attach_retry_count=10 + +# Interval between volume attachment attempts, in seconds +# (integer value) +#volume_attach_retry_interval=5 + +# The number of times to retry checking for a disk mounted via +# iSCSI. (integer value) +#mounted_disk_query_retry_count=10 + +# Interval between checks for a mounted iSCSI disk, in +# seconds. (integer value) +#mounted_disk_query_retry_interval=5 + + +[image_file_url] + +# +# Options defined in nova.image.download.file +# + +# List of file systems that are configured in this file in the +# image_file_url: sections (list value) +#filesystems= + + +[ironic] + +# +# Options defined in nova.virt.ironic.driver +# + +# Version of Ironic API service endpoint. (integer value) +#api_version=1 + +# URL for Ironic API endpoint. (string value) +#api_endpoint= + +# Ironic keystone admin name (string value) +#admin_username= + +# Ironic keystone admin password. (string value) +#admin_password=%SERVICE_PASSWORD% + +# Ironic keystone auth token. (string value) +#admin_auth_token= + +# Keystone public API endpoint. (string value) +#admin_url= + +# Log level override for ironicclient. Set this in order to +# override the global "default_log_levels", "verbose", and +# "debug" settings. DEPRECATED: use standard logging +# configuration. (string value) +#client_log_level= + +# Ironic keystone tenant name. 
(string value) +#admin_tenant_name=%SERVICE_TENANT_NAME% + +# How many retries when a request does conflict. (integer +# value) +#api_max_retries=60 + +# How often to retry in seconds when a request does conflict +# (integer value) +#api_retry_interval=2 + + +[keymgr] + +# +# Options defined in nova.keymgr +# + +# The full class name of the key manager API class (string +# value) +#api_class=nova.keymgr.conf_key_mgr.ConfKeyManager + + +# +# Options defined in nova.keymgr.conf_key_mgr +# + +# Fixed key returned by key manager, specified in hex (string +# value) +#fixed_key= + + +[keystone_authtoken] + +# +# From keystonemiddleware.auth_token +# + +# Complete public Identity API endpoint. (string value) +auth_uri = http://{{controller}}:5000 +auth_url = http://{{controller}}:35357 + +auth_plugin = password +project_domain_id = default +user_domain_id = default +project_name = service +username = {{keystone.user}} +password = {{keystone.password}} + +# API version of the admin Identity API endpoint. (string value) +#auth_version=v2.0 + +# Do not handle authorization requests within the middleware, but delegate the +# authorization decision to downstream WSGI components. (boolean value) +#delay_auth_decision=false + +# Request timeout value for communicating with Identity API server. (integer +# value) +#http_connect_timeout= + +# How many times are we trying to reconnect when communicating with Identity +# API Server. (integer value) +#http_request_max_retries=3 + +# Env key for the swift cache. (string value) +#cache= + +# Required if identity server requires client certificate (string value) +#certfile= + +# Required if identity server requires client certificate (string value) +#keyfile= + +# A PEM encoded Certificate Authority to use when verifying HTTPs connections. +# Defaults to system CAs. (string value) +#cafile= + +# Verify HTTPS connections. (boolean value) +#insecure=false + +# Directory used to cache files related to PKI tokens. 
(string value) +#signing_dir= + +# Optionally specify a list of memcached server(s) to use for caching. If left +# undefined, tokens will instead be cached in-process. (list value) +# Deprecated group;name - DEFAULT;memcache_servers +#memcached_servers= + +# In order to prevent excessive effort spent validating tokens, the middleware +# caches previously-seen tokens for a configurable duration (in seconds). Set +# to -1 to disable caching completely. (integer value) +#token_cache_time=300 + +# Determines the frequency at which the list of revoked tokens is retrieved +# from the Identity service (in seconds). A high number of revocation events +# combined with a low cache duration may significantly reduce performance. +# (integer value) +#revocation_cache_time=10 + +# (Optional) If defined, indicate whether token data should be authenticated or +# authenticated and encrypted. Acceptable values are MAC or ENCRYPT. If MAC, +# token data is authenticated (with HMAC) in the cache. If ENCRYPT, token data +# is encrypted and authenticated in the cache. If the value is not one of these +# options or empty, auth_token will raise an exception on initialization. +# (string value) +#memcache_security_strategy= + +# (Optional, mandatory if memcache_security_strategy is defined) This string is +# used for key derivation. (string value) +#memcache_secret_key= + +# (Optional) Number of seconds memcached server is considered dead before it is +# tried again. (integer value) +#memcache_pool_dead_retry=300 + +# (Optional) Maximum total number of open connections to every memcached +# server. (integer value) +#memcache_pool_maxsize=10 + +# (Optional) Socket timeout in seconds for communicating with a memcache +# server. (integer value) +#memcache_pool_socket_timeout=3 + +# (Optional) Number of seconds a connection to memcached is held unused in the +# pool before it is closed. 
(integer value)
+#memcache_pool_unused_timeout=60
+
+# (Optional) Number of seconds that an operation will wait to get a memcache
+# client connection from the pool. (integer value)
+#memcache_pool_conn_get_timeout=10
+
+# (Optional) Use the advanced (eventlet safe) memcache client pool. The
+# advanced pool will only work under python 2.x. (boolean value)
+#memcache_use_advanced_pool=false
+
+# (Optional) Indicate whether to set the X-Service-Catalog header. If False,
+# middleware will not ask for service catalog on token validation and will not
+# set the X-Service-Catalog header. (boolean value)
+#include_service_catalog=true
+
+# Used to control the use and type of token binding. Can be set to: "disabled"
+# to not check token binding. "permissive" (default) to validate binding
+# information if the bind type is of a form known to the server and ignore it
+# if not. "strict" like "permissive" but if the bind type is unknown the token
+# will be rejected. "required" any form of token binding is needed to be
+# allowed. Finally the name of a binding method that must be present in tokens.
+# (string value)
+#enforce_token_bind=permissive
+
+# If true, the revocation list will be checked for cached tokens. This requires
+# that PKI tokens are configured on the identity server. (boolean value)
+#check_revocations_for_cached=false
+
+# Hash algorithms to use for hashing PKI tokens. This may be a single algorithm
+# or multiple. The algorithms are those supported by Python standard
+# hashlib.new(). The hashes will be tried in the order given, so put the
+# preferred one first for performance. The result of the first hash will be
+# stored in the cache. This will typically be set to multiple values only while
+# migrating from a less secure algorithm to a more secure one. Once all the old
+# tokens are expired this option should be set to a single value for better
+# performance. (list value)
+#hash_algorithms=md5
+
+# Prefix to prepend at the beginning of the path.
Deprecated, use identity_uri.
+# (string value)
+#auth_admin_prefix =
+
+# Host providing the admin Identity API endpoint. Deprecated, use identity_uri.
+# (string value)
+#auth_host=127.0.0.1
+
+# Port of the admin Identity API endpoint. Deprecated, use identity_uri.
+# (integer value)
+#auth_port=35357
+
+# Protocol of the admin Identity API endpoint (http or https). Deprecated, use
+# identity_uri. (string value)
+#auth_protocol=http
+
+# Complete admin Identity API endpoint. This should specify the unversioned
+# root endpoint e.g. https://localhost:35357/ (string value)
+#identity_uri=
+
+# This option is deprecated and may be removed in a future release. Single
+# shared secret with the Keystone configuration used for bootstrapping a
+# Keystone installation, or otherwise bypassing the normal authentication
+# process. This option should not be used, use `admin_user` and
+# `admin_password` instead. (string value)
+#admin_token=
+
+# Service username. (string value)
+#admin_user=%SERVICE_USER%
+
+# Service user password. (string value)
+#admin_password=
+
+# Service tenant name. (string value)
+#admin_tenant_name=admin
+
+
+[libvirt]
+
+#
+# Options defined in nova.virt.libvirt.driver
+#
+
+# Rescue ami image. This will not be used if an image id is
+# provided by the user. (string value)
+#rescue_image_id=
+
+# Rescue aki image (string value)
+#rescue_kernel_id=
+
+# Rescue ari image (string value)
+#rescue_ramdisk_id=
+
+# Libvirt domain type (valid options are: kvm, lxc, qemu, uml,
+# xen and parallels) (string value)
+#virt_type=kvm
+
+# Override the default libvirt URI (which is dependent on
+# virt_type) (string value)
+#connection_uri=
+
+# Inject the admin password at boot time, without an agent.
+# (boolean value)
+#inject_password=false
+
+# Inject the ssh public key at boot time (boolean value)
+#inject_key=false
+
+# The partition to inject to : -2 => disable, -1 => inspect
+# (libguestfs only), 0 => not partitioned, >0 => partition
+# number (integer value)
+#inject_partition=-2
+
+# Sync virtual and real mouse cursors in Windows VMs (boolean
+# value)
+#use_usb_tablet=true
+
+# Migration target URI (any included "%s" is replaced with the
+# migration target hostname) (string value)
+#live_migration_uri=qemu+tcp://%s/system
+
+# Migration flags to be set for live migration (string value)
+#live_migration_flag=VIR_MIGRATE_UNDEFINE_SOURCE, VIR_MIGRATE_PEER2PEER, VIR_MIGRATE_LIVE, VIR_MIGRATE_TUNNELLED
+
+# Migration flags to be set for block migration (string value)
+#block_migration_flag=VIR_MIGRATE_UNDEFINE_SOURCE, VIR_MIGRATE_PEER2PEER, VIR_MIGRATE_LIVE, VIR_MIGRATE_TUNNELLED, VIR_MIGRATE_NON_SHARED_INC
+
+# Maximum bandwidth to be used during migration, in Mbps
+# (integer value)
+#live_migration_bandwidth=0
+
+# Snapshot image format (valid options are : raw, qcow2, vmdk,
+# vdi). Defaults to same as source image (string value)
+#snapshot_image_format=
+
+# Override the default disk prefix for the devices attached to
+# a server, which is dependent on virt_type. (valid options
+# are: sd, xvd, uvd, vd) (string value)
+#disk_prefix=
+
+# Number of seconds to wait for instance to shut down after
+# soft reboot request is made. We fall back to hard reboot if
+# instance does not shutdown within this window. (integer
+# value)
+#wait_soft_reboot_seconds=120
+
+# Set to "host-model" to clone the host CPU feature flags; to
+# "host-passthrough" to use the host CPU model exactly; to
+# "custom" to use a named CPU model; to "none" to not set any
+# CPU model.
If virt_type="kvm|qemu", it will default to
+# "host-model", otherwise it will default to "none" (string
+# value)
+#cpu_mode=
+
+# Set to a named libvirt CPU model (see names listed in
+# /usr/share/libvirt/cpu_map.xml). Only has effect if
+# cpu_mode="custom" and virt_type="kvm|qemu" (string value)
+#cpu_model=
+
+# Location where libvirt driver will store snapshots before
+# uploading them to image service (string value)
+#snapshots_directory=$instances_path/snapshots
+
+# Location where the Xen hvmloader is kept (string value)
+#xen_hvmloader_path=/usr/lib/xen/boot/hvmloader
+
+# Specific cachemodes to use for different disk types e.g:
+# file=directsync,block=none (list value)
+#disk_cachemodes=
+
+# A path to a device that will be used as source of entropy on
+# the host. Permitted options are: /dev/random or /dev/hwrng
+# (string value)
+#rng_dev_path=
+
+# For qemu or KVM guests, set this option to specify a default
+# machine type per host architecture. You can find a list of
+# supported machine types in your environment by checking the
+# output of the "virsh capabilities"command. The format of the
+# value for this config option is host-arch=machine-type. For
+# example: x86_64=machinetype1,armv7l=machinetype2 (list
+# value)
+#hw_machine_type=
+
+# The data source used to the populate the host "serial" UUID
+# exposed to guest in the virtual BIOS. Permitted options are
+# "hardware", "os", "none" or "auto" (default). (string value)
+#sysinfo_serial=auto
+
+# A number of seconds to memory usage statistics period. Zero
+# or negative value mean to disable memory usage statistics.
+# (integer value)
+#mem_stats_period_seconds=10
+
+# List of uid targets and ranges.Syntax is guest-uid:host-
+# uid:countMaximum of 5 allowed. (list value)
+#uid_maps=
+
+# List of guid targets and ranges.Syntax is guest-gid:host-
+# gid:countMaximum of 5 allowed. (list value)
+#gid_maps=
+
+
+#
+# Options defined in nova.virt.libvirt.imagebackend
+#
+
+# VM Images format.
Acceptable values are: raw, qcow2, lvm,
+# rbd, default. If default is specified, then use_cow_images
+# flag is used instead of this one. (string value)
+#images_type=default
+
+# LVM Volume Group that is used for VM images, when you
+# specify images_type=lvm. (string value)
+#images_volume_group=
+
+# Create sparse logical volumes (with virtualsize) if this
+# flag is set to True. (boolean value)
+#sparse_logical_volumes=false
+
+# The RADOS pool in which rbd volumes are stored (string
+# value)
+#images_rbd_pool=rbd
+
+# Path to the ceph configuration file to use (string value)
+#images_rbd_ceph_conf=
+
+# Discard option for nova managed disks (valid options are:
+# ignore, unmap). Need Libvirt(1.0.6) Qemu1.5 (raw format)
+# Qemu1.6(qcow2 format) (string value)
+#hw_disk_discard=
+
+
+#
+# Options defined in nova.virt.libvirt.imagecache
+#
+
+# Allows image information files to be stored in non-standard
+# locations (string value)
+#image_info_filename_pattern=$instances_path/$image_cache_subdirectory_name/%(image)s.info
+
+# Should unused kernel images be removed? This is only safe to
+# enable if all compute nodes have been updated to support
+# this option. This will be enabled by default in future.
+# (boolean value)
+#remove_unused_kernels=false
+
+# Unused resized base images younger than this will not be
+# removed (integer value)
+#remove_unused_resized_minimum_age_seconds=3600
+
+# Write a checksum for files in _base to disk (boolean value)
+#checksum_base_images=false
+
+# How frequently to checksum base images (integer value)
+#checksum_interval_seconds=3600
+
+
+#
+# Options defined in nova.virt.libvirt.lvm
+#
+
+# Method used to wipe old volumes (valid options are: none,
+# zero, shred) (string value)
+#volume_clear=zero
+
+# Size in MiB to wipe at start of old volumes. 0 => all
+# (integer value)
+#volume_clear_size=0
+
+
+#
+# Options defined in nova.virt.libvirt.utils
+#
+
+# Compress snapshot images when possible.
This currently
+# applies exclusively to qcow2 images (boolean value)
+#snapshot_compression=false
+
+
+#
+# Options defined in nova.virt.libvirt.vif
+#
+
+# Use virtio for bridge interfaces with KVM/QEMU (boolean
+# value)
+#use_virtio_for_bridges=true
+
+
+#
+# Options defined in nova.virt.libvirt.volume
+#
+
+# Number of times to rescan iSCSI target to find volume
+# (integer value)
+#num_iscsi_scan_tries=5
+
+# Number of times to rescan iSER target to find volume
+# (integer value)
+#num_iser_scan_tries=5
+
+# The RADOS client name for accessing rbd volumes (string
+# value)
+#rbd_user=
+
+# The libvirt UUID of the secret for the rbd_uservolumes
+# (string value)
+#rbd_secret_uuid=
+
+# Directory where the NFS volume is mounted on the compute
+# node (string value)
+#nfs_mount_point_base=$state_path/mnt
+
+# Mount options passed to the NFS client. See section of the
+# nfs man page for details (string value)
+#nfs_mount_options=
+
+# Directory where the SMBFS shares are mounted on the compute
+# node (string value)
+#smbfs_mount_point_base=$state_path/mnt
+
+# Mount options passed to the SMBFS client. See mount.cifs man
+# page for details. Note that the libvirt-qemu uid and gid
+# must be specified. (string value)
+#smbfs_mount_options=
+
+# Number of times to rediscover AoE target to find volume
+# (integer value)
+#num_aoe_discover_tries=3
+
+# Directory where the glusterfs volume is mounted on the
+# compute node (string value)
+#glusterfs_mount_point_base=$state_path/mnt
+
+# Use multipath connection of the iSCSI volume (boolean value)
+#iscsi_use_multipath=false
+
+# Use multipath connection of the iSER volume (boolean value)
+#iser_use_multipath=false
+
+# Path or URL to Scality SOFS configuration file (string
+# value)
+#scality_sofs_config=
+
+# Base dir where Scality SOFS shall be mounted (string value)
+#scality_sofs_mount_point=$state_path/scality
+
+# Protocols listed here will be accessed directly from QEMU.
+# Currently supported protocols: [gluster] (list value)
+#qemu_allowed_storage_drivers=
+
+# Directory where the Quobyte volume is mounted on the compute
+# node (string value)
+#quobyte_mount_point_base=$state_path/mnt
+
+# Path to a Quobyte Client configuration file. (string value)
+#quobyte_client_cfg=
+
+# The iSCSI transport iface to use to connect to target in
+# case offload support is desired. Supported transports are
+# be2iscsi, bnx2i, cxgb3i, cxgb4i, qla4xxx and ocs. Default
+# format is transport_name.hwaddress and can be generated
+# manually or via iscsiadm -m iface (string value)
+# Deprecated group;name - DEFAULT;iscsi_transport
+#iscsi_iface=
+
+
+[metrics]
+
+#
+# Options defined in nova.scheduler.weights.metrics
+#
+
+# Multiplier used for weighing metrics. (floating point value)
+#weight_multiplier=1.0
+
+# How the metrics are going to be weighed. This should be in
+# the form of "=, =, ...", where
+# is one of the metrics to be weighed, and is
+# the corresponding ratio. So for "name1=1.0, name2=-1.0" The
+# final weight would be name1.value * 1.0 + name2.value *
+# -1.0. (list value)
+#weight_setting=
+
+# How to treat the unavailable metrics. When a metric is NOT
+# available for a host, if it is set to be True, it would
+# raise an exception, so it is recommended to use the
+# scheduler filter MetricFilter to filter out those hosts. If
+# it is set to be False, the unavailable metric would be
+# treated as a negative factor in weighing process, the
+# returned value would be set by the option
+# weight_of_unavailable. (boolean value)
+#required=true
+
+# The final weight value to be returned if required is set to
+# False and any one of the metrics set by weight_setting is
+# unavailable. (floating point value)
+#weight_of_unavailable=-10000.0
+
+
+[neutron]
+
+#
+# Options defined in nova.api.metadata.handler
+#
+
+# Set flag to indicate Neutron will proxy metadata requests
+# and resolve instance ids.
(boolean value)
+#service_metadata_proxy=false
+
+# Shared secret to validate proxies Neutron metadata requests
+# (string value)
+#metadata_proxy_shared_secret=
+
+
+#
+# Options defined in nova.network.neutronv2.api
+#
+
+# URL for connecting to neutron (string value)
+#url=http://127.0.0.1:9696
+
+# User id for connecting to neutron in admin context.
+# DEPRECATED: specify an auth_plugin and appropriate
+# credentials instead. (string value)
+#admin_user_id=
+
+# Username for connecting to neutron in admin context
+# DEPRECATED: specify an auth_plugin and appropriate
+# credentials instead. (string value)
+#admin_username=
+
+# Password for connecting to neutron in admin context
+# DEPRECATED: specify an auth_plugin and appropriate
+# credentials instead. (string value)
+#admin_password=
+
+# Tenant id for connecting to neutron in admin context
+# DEPRECATED: specify an auth_plugin and appropriate
+# credentials instead. (string value)
+#admin_tenant_id=
+
+# Tenant name for connecting to neutron in admin context. This
+# option will be ignored if neutron_admin_tenant_id is set.
+# Note that with Keystone V3 tenant names are only unique
+# within a domain. DEPRECATED: specify an auth_plugin and
+# appropriate credentials instead. (string value)
+#admin_tenant_name=
+
+# Region name for connecting to neutron in admin context
+# (string value)
+#region_name=
+
+# Authorization URL for connecting to neutron in admin
+# context. DEPRECATED: specify an auth_plugin and appropriate
+# credentials instead. (string value)
+#admin_auth_url=http://localhost:5000/v2.0
+
+# Authorization strategy for connecting to neutron in admin
+# context. DEPRECATED: specify an auth_plugin and appropriate
+# credentials instead. If an auth_plugin is specified strategy
+# will be ignored.
(string value)
+auth_strategy=keystone
+
+# Name of Integration Bridge used by Open vSwitch (string
+# value)
+#ovs_bridge=br-int
+
+# Number of seconds before querying neutron for extensions
+# (integer value)
+#extension_sync_interval=600
+
+# DEPRECATED: Allow an instance to have multiple vNICs
+# attached to the same Neutron network. This option is
+# deprecated in the 2015.1 release and will be removed in the
+# 2015.2 release where the default behavior will be to always
+# allow multiple ports from the same network to be attached to
+# an instance. (boolean value)
+#allow_duplicate_networks=false
+
+
+[osapi_v3]
+
+#
+# Options defined in nova.api.openstack
+#
+
+# Whether the V3 API is enabled or not (boolean value)
+#enabled=false
+
+# A list of v3 API extensions to never load. Specify the
+# extension aliases here. (list value)
+#extensions_blacklist=
+
+# If the list is not empty then a v3 API extension will only
+# be loaded if it exists in this list. Specify the extension
+# aliases here. (list value)
+#extensions_whitelist=
+
+
+[rdp]
+
+#
+# Options defined in nova.rdp
+#
+
+# Location of RDP html5 console proxy, in the form
+# "http://127.0.0.1:6083/" (string value)
+#html5_proxy_base_url=http://127.0.0.1:6083/
+
+# Enable RDP related features (boolean value)
+#enabled=false
+
+
+[serial_console]
+
+#
+# Options defined in nova.cmd.serialproxy
+#
+
+# Host on which to listen for incoming requests (string value)
+#serialproxy_host=0.0.0.0
+
+# Port on which to listen for incoming requests (integer
+# value)
+#serialproxy_port=6083
+
+
+#
+# Options defined in nova.console.serial
+#
+
+# Enable serial console related features (boolean value)
+#enabled=false
+
+# Range of TCP ports to use for serial ports on compute hosts
+# (string value)
+#port_range=10000:20000
+
+# Location of serial console proxy.
(string value)
+#base_url=ws://127.0.0.1:6083/
+
+# IP address on which instance serial console should listen
+# (string value)
+#listen=127.0.0.1
+
+# The address to which proxy clients (like nova-serialproxy)
+# should connect (string value)
+#proxyclient_address=127.0.0.1
+
+
+[spice]
+
+#
+# Options defined in nova.cmd.spicehtml5proxy
+#
+
+# Host on which to listen for incoming requests (string value)
+#html5proxy_host=0.0.0.0
+
+# Port on which to listen for incoming requests (integer
+# value)
+#html5proxy_port=6082
+
+
+#
+# Options defined in nova.spice
+#
+
+# Location of spice HTML5 console proxy, in the form
+# "http://127.0.0.1:6082/spice_auto.html" (string value)
+#html5proxy_base_url=http://127.0.0.1:6082/spice_auto.html
+
+# IP address on which instance spice server should listen
+# (string value)
+#server_listen=127.0.0.1
+
+# The address to which proxy clients (like nova-
+# spicehtml5proxy) should connect (string value)
+#server_proxyclient_address=127.0.0.1
+
+# Enable spice related features (boolean value)
+#enabled=false
+
+# Enable spice guest agent support (boolean value)
+#agent_enabled=true
+
+# Keymap for spice (string value)
+#keymap=en-us
+
+
+[ssl]
+
+#
+# Options defined in nova.openstack.common.sslutils
+#
+
+# CA certificate file to use to verify connecting clients.
+# (string value)
+#ca_file=
+
+# Certificate file to use when starting the server securely.
+# (string value)
+#cert_file=
+
+# Private key file to use when starting the server securely.
+# (string value)
+#key_file=
+
+
+[trusted_computing]
+
+#
+# Options defined in nova.scheduler.filters.trusted_filter
+#
+
+# Attestation server HTTP (string value)
+#attestation_server=
+
+# Attestation server Cert file for Identity verification
+# (string value)
+#attestation_server_ca_file=
+
+# Attestation server port (string value)
+#attestation_port=8443
+
+# Attestation web API URL (string value)
+#attestation_api_url=/OpenAttestationWebServices/V1.0
+
+# Attestation authorization blob - must change (string value)
+#attestation_auth_blob=
+
+# Attestation status cache valid period length (integer value)
+#attestation_auth_timeout=60
+
+# Disable SSL cert verification for Attestation service
+# (boolean value)
+#attestation_insecure_ssl=false
+
+
+[upgrade_levels]
+
+#
+# Options defined in nova.baserpc
+#
+
+# Set a version cap for messages sent to the base api in any
+# service (string value)
+#baseapi=
+
+
+#
+# Options defined in nova.cells.rpc_driver
+#
+
+# Set a version cap for messages sent between cells services
+# (string value)
+#intercell=
+
+
+#
+# Options defined in nova.cells.rpcapi
+#
+
+# Set a version cap for messages sent to local cells services
+# (string value)
+#cells=
+
+
+#
+# Options defined in nova.cert.rpcapi
+#
+
+# Set a version cap for messages sent to cert services (string
+# value)
+#cert=
+
+
+#
+# Options defined in nova.compute.rpcapi
+#
+
+# Set a version cap for messages sent to compute services. If
+# you plan to do a live upgrade from havana to icehouse, you
+# should set this option to "icehouse-compat" before beginning
+# the live upgrade procedure.
(string value)
+#compute=
+
+
+#
+# Options defined in nova.conductor.rpcapi
+#
+
+# Set a version cap for messages sent to conductor services
+# (string value)
+#conductor=
+
+
+#
+# Options defined in nova.console.rpcapi
+#
+
+# Set a version cap for messages sent to console services
+# (string value)
+#console=
+
+
+#
+# Options defined in nova.consoleauth.rpcapi
+#
+
+# Set a version cap for messages sent to consoleauth services
+# (string value)
+#consoleauth=
+
+
+#
+# Options defined in nova.network.rpcapi
+#
+
+# Set a version cap for messages sent to network services
+# (string value)
+#network=
+
+
+#
+# Options defined in nova.scheduler.rpcapi
+#
+
+# Set a version cap for messages sent to scheduler services
+# (string value)
+#scheduler=
+
+
+[vmware]
+
+#
+# Options defined in nova.virt.vmwareapi.driver
+#
+
+# The PBM status. (boolean value)
+#pbm_enabled=false
+
+# PBM service WSDL file location URL. e.g.
+# file:///opt/SDK/spbm/wsdl/pbmService.wsdl Not setting this
+# will disable storage policy based placement of instances.
+# (string value)
+#pbm_wsdl_location=
+
+# The PBM default policy. If pbm_wsdl_location is set and
+# there is no defined storage policy for the specific request
+# then this policy will be used. (string value)
+#pbm_default_policy=
+
+# Hostname or IP address for connection to VMware VC host.
+# (string value)
+#host_ip=
+
+# Port for connection to VMware VC host. (integer value)
+#host_port=443
+
+# Username for connection to VMware VC host. (string value)
+#host_username=
+
+# Password for connection to VMware VC host. (string value)
+#host_password=
+
+# Name of a VMware Cluster ComputeResource. (multi valued)
+#cluster_name=
+
+# Regex to match the name of a datastore. (string value)
+#datastore_regex=
+
+# The interval used for polling of remote tasks. (floating
+# point value)
+#task_poll_interval=0.5
+
+# The number of times we retry on failures, e.g., socket
+# error, etc.
(integer value)
+#api_retry_count=10
+
+# VNC starting port (integer value)
+#vnc_port=5900
+
+# Total number of VNC ports (integer value)
+#vnc_port_total=10000
+
+# Whether to use linked clone (boolean value)
+#use_linked_clone=true
+
+# Optional VIM Service WSDL Location e.g
+# http:///vimService.wsdl. Optional over-ride to
+# default location for bug work-arounds (string value)
+#wsdl_location=
+
+
+#
+# Options defined in nova.virt.vmwareapi.vif
+#
+
+# Physical ethernet adapter name for vlan networking (string
+# value)
+#vlan_interface=vmnic0
+
+# Name of Integration Bridge (string value)
+#integration_bridge=br-int
+
+
+#
+# Options defined in nova.virt.vmwareapi.vim_util
+#
+
+# The maximum number of ObjectContent data objects that should
+# be returned in a single result. A positive value will cause
+# the operation to suspend the retrieval when the count of
+# objects reaches the specified maximum. The server may still
+# limit the count to something less than the configured value.
+# Any remaining objects may be retrieved with additional
+# requests. (integer value)
+#maximum_objects=100
+
+
+#
+# Options defined in nova.virt.vmwareapi.vmops
+#
+
+# The prefix for Where cached images are stored. This is NOT
+# the full path - just a folder prefix. This should only be
+# used when a datastore cache should be shared between compute
+# nodes. Note: this should only be used when the compute nodes
+# have a shared file system. (string value)
+#cache_prefix=
+
+
+[workarounds]
+
+#
+# Options defined in nova.utils
+#
+
+# This option allows a fallback to sudo for performance
+# reasons. For example see
+# https://bugs.launchpad.net/nova/+bug/1415106 (boolean value)
+#disable_rootwrap=false
+
+# When using libvirt 1.2.2 fails live snapshots intermittently
+# under load. This config option provides mechanism to
+# disable livesnapshot while this is resolved.
See
+# https://bugs.launchpad.net/nova/+bug/1334398 (boolean value)
+#disable_libvirt_livesnapshot=true
+
+# Whether to destroy instances on startup when we suspect they
+# have previously been evacuated. This can result in data loss
+# if undesired. See https://launchpad.net/bugs/1419785
+# (boolean value)
+#destroy_after_evacuate=true
+
+
+[xenserver]
+
+#
+# Options defined in nova.virt.xenapi.agent
+#
+
+# Number of seconds to wait for agent reply (integer value)
+#agent_timeout=30
+
+# Number of seconds to wait for agent to be fully operational
+# (integer value)
+#agent_version_timeout=300
+
+# Number of seconds to wait for agent reply to resetnetwork
+# request (integer value)
+#agent_resetnetwork_timeout=60
+
+# Specifies the path in which the XenAPI guest agent should be
+# located. If the agent is present, network configuration is
+# not injected into the image. Used if
+# compute_driver=xenapi.XenAPIDriver and flat_injected=True
+# (string value)
+#agent_path=usr/sbin/xe-update-networking
+
+# Disables the use of the XenAPI agent in any image regardless
+# of what image properties are present. (boolean value)
+#disable_agent=false
+
+# Determines if the XenAPI agent should be used when the image
+# used does not contain a hint to declare if the agent is
+# present or not. The hint is a glance property
+# "xenapi_use_agent" that has the value "True" or "False".
+# Note that waiting for the agent when it is not present will
+# significantly increase server boot times. (boolean value)
+#use_agent_default=false
+
+
+#
+# Options defined in nova.virt.xenapi.client.session
+#
+
+# Timeout in seconds for XenAPI login. (integer value)
+#login_timeout=10
+
+# Maximum number of concurrent XenAPI connections. Used only
+# if compute_driver=xenapi.XenAPIDriver (integer value)
+#connection_concurrent=5
+
+
+#
+# Options defined in nova.virt.xenapi.driver
+#
+
+# URL for connection to XenServer/Xen Cloud Platform.
A
+# special value of unix://local can be used to connect to the
+# local unix socket. Required if
+# compute_driver=xenapi.XenAPIDriver (string value)
+#connection_url=
+
+# Username for connection to XenServer/Xen Cloud Platform.
+# Used only if compute_driver=xenapi.XenAPIDriver (string
+# value)
+#connection_username=root
+
+# Password for connection to XenServer/Xen Cloud Platform.
+# Used only if compute_driver=xenapi.XenAPIDriver (string
+# value)
+#connection_password=
+
+# The interval used for polling of coalescing vhds. Used only
+# if compute_driver=xenapi.XenAPIDriver (floating point value)
+#vhd_coalesce_poll_interval=5.0
+
+# Ensure compute service is running on host XenAPI connects
+# to. (boolean value)
+#check_host=true
+
+# Max number of times to poll for VHD to coalesce. Used only
+# if compute_driver=xenapi.XenAPIDriver (integer value)
+#vhd_coalesce_max_attempts=20
+
+# Base path to the storage repository (string value)
+#sr_base_path=/var/run/sr-mount
+
+# The iSCSI Target Host (string value)
+#target_host=
+
+# The iSCSI Target Port, default is port 3260 (string value)
+#target_port=3260
+
+# IQN Prefix (string value)
+#iqn_prefix=iqn.2010-10.org.openstack
+
+# Used to enable the remapping of VBD dev (Works around an
+# issue in Ubuntu Maverick) (boolean value)
+#remap_vbd_dev=false
+
+# Specify prefix to remap VBD dev to (ex. /dev/xvdb ->
+# /dev/sdb) (string value)
+#remap_vbd_dev_prefix=sd
+
+
+#
+# Options defined in nova.virt.xenapi.image.bittorrent
+#
+
+# Base URL for torrent files. (string value)
+#torrent_base_url=
+
+# Probability that peer will become a seeder. (1.0 = 100%)
+# (floating point value)
+#torrent_seed_chance=1.0
+
+# Number of seconds after downloading an image via BitTorrent
+# that it should be seeded for other peers.
(integer value)
+#torrent_seed_duration=3600
+
+# Cached torrent files not accessed within this number of
+# seconds can be reaped (integer value)
+#torrent_max_last_accessed=86400
+
+# Beginning of port range to listen on (integer value)
+#torrent_listen_port_start=6881
+
+# End of port range to listen on (integer value)
+#torrent_listen_port_end=6891
+
+# Number of seconds a download can remain at the same progress
+# percentage w/o being considered a stall (integer value)
+#torrent_download_stall_cutoff=600
+
+# Maximum number of seeder processes to run concurrently
+# within a given dom0. (-1 = no limit) (integer value)
+#torrent_max_seeder_processes_per_host=1
+
+
+#
+# Options defined in nova.virt.xenapi.pool
+#
+
+# To use for hosts with different CPUs (boolean value)
+#use_join_force=true
+
+
+#
+# Options defined in nova.virt.xenapi.vif
+#
+
+# Name of Integration Bridge used by Open vSwitch (string
+# value)
+#ovs_integration_bridge=xapi1
+
+
+#
+# Options defined in nova.virt.xenapi.vm_utils
+#
+
+# Cache glance images locally. `all` will cache all images,
+# `some` will only cache images that have the image_property
+# `cache_in_nova=True`, and `none` turns off caching entirely
+# (string value)
+#cache_images=all
+
+# Compression level for images, e.g., 9 for gzip -9. Range is
+# 1-9, 9 being most compressed but most CPU intensive on dom0.
+# (integer value)
+#image_compression_level=
+
+# Default OS type (string value)
+#default_os_type=linux
+
+# Time to wait for a block device to be created (integer
+# value)
+#block_device_creation_timeout=10
+
+# Maximum size in bytes of kernel or ramdisk images (integer
+# value)
+#max_kernel_ramdisk_size=16777216
+
+# Filter for finding the SR to be used to install guest
+# instances on. To use the Local Storage in default
+# XenServer/XCP installations set this flag to other-config
+# :i18n-key=local-storage.
To select an SR with a different
+# matching criteria, you could set it to other-
+# config:my_favorite_sr=true. On the other hand, to fall back
+# on the Default SR, as displayed by XenCenter, set this flag
+# to: default-sr:true (string value)
+#sr_matching_filter=default-sr:true
+
+# Whether to use sparse_copy for copying data on a resize down
+# (False will use standard dd). This speeds up resizes down
+# considerably since large runs of zeros won't have to be
+# rsynced (boolean value)
+#sparse_copy=true
+
+# Maximum number of retries to unplug VBD. if <=0, should try
+# once and no retry (integer value)
+#num_vbd_unplug_retries=10
+
+# Whether or not to download images via Bit Torrent
+# (all|some|none). (string value)
+#torrent_images=none
+
+# Name of network to use for booting iPXE ISOs (string value)
+#ipxe_network_name=
+
+# URL to the iPXE boot menu (string value)
+#ipxe_boot_menu_url=
+
+# Name and optionally path of the tool used for ISO image
+# creation (string value)
+#ipxe_mkisofs_cmd=mkisofs
+
+
+#
+# Options defined in nova.virt.xenapi.vmops
+#
+
+# Number of seconds to wait for instance to go to running
+# state (integer value)
+#running_timeout=60
+
+# The XenAPI VIF driver using XenServer Network APIs. (string
+# value)
+#vif_driver=nova.virt.xenapi.vif.XenAPIBridgeDriver
+
+# Dom0 plugin driver used to handle image uploads.
(string
+# value)
+#image_upload_handler=nova.virt.xenapi.image.glance.GlanceStore
+
+
+#
+# Options defined in nova.virt.xenapi.volume_utils
+#
+
+# Number of seconds to wait for an SR to settle if the VDI
+# does not exist when first introduced (integer value)
+#introduce_vdi_retry_wait=20
+
+
+[zookeeper]
+
+#
+# Options defined in nova.servicegroup.drivers.zk
+#
+
+# The ZooKeeper addresses for servicegroup service in the
+# format of host1:port,host2:port,host3:port (string value)
+#address=
+
+# The recv_timeout parameter for the zk session (integer
+# value)
+#recv_timeout=4000
+
+# The prefix used in ZooKeeper to store ephemeral nodes
+# (string value)
+#sg_prefix=/servicegroups
+
+# Number of seconds to wait until retrying to join the session
+# (integer value)
+#sg_retry_interval=5
+
+
+[matchmaker_redis]
+
+#
+# From oslo.messaging
+#
+
+# Host to locate redis. (string value)
+#host=127.0.0.1
+
+# Use this port to connect to redis host. (integer value)
+#port=6379
+
+# Password for Redis server (optional). (string value)
+#password=
+
+
+[matchmaker_ring]
+
+#
+# From oslo.messaging
+#
+
+# Matchmaker ring file (JSON). (string value)
+# Deprecated group;name - DEFAULT;matchmaker_ringfile
+#ringfile=/etc/oslo/matchmaker_ring.json
+
+
+[oslo_concurrency]
+
+#
+# From oslo.concurrency
+#
+
+# Enables or disables inter-process locks. (boolean value)
+# Deprecated group;name - DEFAULT;disable_process_locking
+#disable_process_locking=false
+
+# Directory to use for lock files. For security, the specified directory
+# should only be writable by the user running the processes that need locking.
+# Defaults to environment variable OSLO_LOCK_PATH. If external locks are used,
+# a lock path must be set.
(string value) +# Deprecated group;name - DEFAULT;lock_path +lock_path=/var/lib/nova/tmp + + +[oslo_messaging_amqp] + +# +# From oslo.messaging +# + +# address prefix used when sending to a specific server (string value) +# Deprecated group;name - [amqp1]/server_request_prefix +#server_request_prefix=exclusive + +# address prefix used when broadcasting to all servers (string value) +# Deprecated group;name - [amqp1]/broadcast_prefix +#broadcast_prefix=broadcast + +# address prefix when sending to any server in group (string value) +# Deprecated group;name - [amqp1]/group_request_prefix +#group_request_prefix=unicast + +# Name for the AMQP container (string value) +# Deprecated group;name - [amqp1]/container_name +#container_name= + +# Timeout for inactive connections (in seconds) (integer value) +# Deprecated group;name - [amqp1]/idle_timeout +#idle_timeout=0 + +# Debug: dump AMQP frames to stdout (boolean value) +# Deprecated group;name - [amqp1]/trace +#trace=false + +# CA certificate PEM file for verifing server certificate (string value) +# Deprecated group;name - [amqp1]/ssl_ca_file +#ssl_ca_file = + +# Identifying certificate PEM file to present to clients (string value) +# Deprecated group;name - [amqp1]/ssl_cert_file +#ssl_cert_file = + +# Private key PEM file used to sign cert_file certificate (string value) +# Deprecated group;name - [amqp1]/ssl_key_file +#ssl_key_file = + +# Password for decrypting ssl_key_file (if encrypted) (string value) +# Deprecated group;name - [amqp1]/ssl_key_password +#ssl_key_password= + +# Accept clients using either SSL or plain TCP (boolean value) +# Deprecated group;name - [amqp1]/allow_insecure_clients +#allow_insecure_clients=false + + +[oslo_messaging_qpid] + +# +# From oslo.messaging +# + +# Use durable queues in AMQP. (boolean value) +# Deprecated group;name - DEFAULT;rabbit_durable_queues +#amqp_durable_queues=false + +# Auto-delete queues in AMQP. 
(boolean value) +# Deprecated group;name - DEFAULT;amqp_auto_delete +#amqp_auto_delete=false + +# Size of RPC connection pool. (integer value) +# Deprecated group;name - DEFAULT;rpc_conn_pool_size +#rpc_conn_pool_size=30 + +# Qpid broker hostname. (string value) +# Deprecated group;name - DEFAULT;qpid_hostname +#qpid_hostname=localhost + +# Qpid broker port. (integer value) +# Deprecated group;name - DEFAULT;qpid_port +#qpid_port=5672 + +# Qpid HA cluster host:port pairs. (list value) +# Deprecated group;name - DEFAULT;qpid_hosts +#qpid_hosts=$qpid_hostname:$qpid_port + +# Username for Qpid connection. (string value) +# Deprecated group;name - DEFAULT;qpid_username +#qpid_username = + +# Password for Qpid connection. (string value) +# Deprecated group;name - DEFAULT;qpid_password +#qpid_password = + +# Space separated list of SASL mechanisms to use for auth. (string value) +# Deprecated group;name - DEFAULT;qpid_sasl_mechanisms +#qpid_sasl_mechanisms = + +# Seconds between connection keepalive heartbeats. (integer value) +# Deprecated group;name - DEFAULT;qpid_heartbeat +#qpid_heartbeat=60 + +# Transport to use, either 'tcp' or 'ssl'. (string value) +# Deprecated group;name - DEFAULT;qpid_protocol +#qpid_protocol=tcp + +# Whether to disable the Nagle algorithm. (boolean value) +# Deprecated group;name - DEFAULT;qpid_tcp_nodelay +#qpid_tcp_nodelay=true + +# The number of prefetched messages held by receiver. (integer value) +# Deprecated group;name - DEFAULT;qpid_receiver_capacity +#qpid_receiver_capacity=1 + +# The qpid topology version to use. Version 1 is what was originally used by +# impl_qpid. Version 2 includes some backwards-incompatible changes that allow +# broker federation to work. Users should update to version 2 when they are +# able to take everything down, as it requires a clean break. 
(integer value) +# Deprecated group;name - DEFAULT;qpid_topology_version +#qpid_topology_version=1 + + +[oslo_messaging_rabbit] + +# +# From oslo.messaging +# + +# Use durable queues in AMQP. (boolean value) +# Deprecated group;name - DEFAULT;rabbit_durable_queues +#amqp_durable_queues=false + +# Auto-delete queues in AMQP. (boolean value) +# Deprecated group;name - DEFAULT;amqp_auto_delete +#amqp_auto_delete=false + +# Size of RPC connection pool. (integer value) +# Deprecated group;name - DEFAULT;rpc_conn_pool_size +#rpc_conn_pool_size=30 + +# SSL version to use (valid only if SSL enabled). Valid values are TLSv1 and +# SSLv23. SSLv2, SSLv3, TLSv1_1, and TLSv1_2 may be available on some +# distributions. (string value) +# Deprecated group;name - DEFAULT;kombu_ssl_version +#kombu_ssl_version = + +# SSL key file (valid only if SSL enabled). (string value) +# Deprecated group;name - DEFAULT;kombu_ssl_keyfile +#kombu_ssl_keyfile = + +# SSL cert file (valid only if SSL enabled). (string value) +# Deprecated group;name - DEFAULT;kombu_ssl_certfile +#kombu_ssl_certfile = + +# SSL certification authority file (valid only if SSL enabled). (string value) +# Deprecated group;name - DEFAULT;kombu_ssl_ca_certs +#kombu_ssl_ca_certs = + +# How long to wait before reconnecting in response to an AMQP consumer cancel +# notification. (floating point value) +# Deprecated group;name - DEFAULT;kombu_reconnect_delay +#kombu_reconnect_delay=1.0 + +# The RabbitMQ broker address where a single node is used. (string value) +# Deprecated group;name - DEFAULT;rabbit_host +rabbit_host = {{controller}} + +# The RabbitMQ broker port where a single node is used. (integer value) +# Deprecated group;name - DEFAULT;rabbit_port +#rabbit_port=5672 + +# RabbitMQ HA cluster host:port pairs. (list value) +# Deprecated group;name - DEFAULT;rabbit_hosts +#rabbit_hosts=$rabbit_host:$rabbit_port + +# Connect over SSL for RabbitMQ. 
(boolean value) +# Deprecated group;name - DEFAULT;rabbit_use_ssl +#rabbit_use_ssl=false + +# The RabbitMQ userid. (string value) +# Deprecated group;name - DEFAULT;rabbit_userid +rabbit_userid={{rabbit.user}} + +# The RabbitMQ password. (string value) +# Deprecated group;name - DEFAULT;rabbit_password +rabbit_password={{rabbit.password}} + +# The RabbitMQ login method. (string value) +# Deprecated group;name - DEFAULT;rabbit_login_method +#rabbit_login_method=AMQPLAIN + +# The RabbitMQ virtual host. (string value) +# Deprecated group;name - DEFAULT;rabbit_virtual_host +#rabbit_virtual_host=/ + +# How frequently to retry connecting with RabbitMQ. (integer value) +#rabbit_retry_interval=1 + +# How long to backoff for between retries when connecting to RabbitMQ. (integer +# value) +# Deprecated group;name - DEFAULT;rabbit_retry_backoff +#rabbit_retry_backoff=2 + +# Maximum number of RabbitMQ connection retries. Default is 0 (infinite retry +# count). (integer value) +# Deprecated group;name - DEFAULT;rabbit_max_retries +#rabbit_max_retries=0 + +# Use HA queues in RabbitMQ (x-ha-policy: all). If you change this option, you +# must wipe the RabbitMQ database. (boolean value) +# Deprecated group;name - DEFAULT;rabbit_ha_queues +#rabbit_ha_queues=false + +# Number of seconds after which the Rabbit broker is considered down if +# heartbeat's keep-alive fails (0 disable the heartbeat). (integer value) +#heartbeat_timeout_threshold=60 + +# How often times during the heartbeat_timeout_threshold we check the +# heartbeat. (integer value) +#heartbeat_rate=2 + +# Deprecated, use rpc_backend=kombu+memory or rpc_backend=fake (boolean value) +# Deprecated group;name - DEFAULT;fake_rabbit +#fake_rabbit=false \ No newline at end of file diff --git a/contrib/ncf-openstack-technique/tree/50_techniques/openstack_nova_compute/defaults.json b/contrib/ncf-openstack-technique/tree/50_techniques/openstack_nova_compute/defaults.json new file mode 100644 index 00000000..c0e9c773 --- /dev/null 
+++ b/contrib/ncf-openstack-technique/tree/50_techniques/openstack_nova_compute/defaults.json
@@ -0,0 +1,16 @@
+{
+ "bridge": "br100",
+ "virt_type": "qemu",
+ "management_ip": "127.0.0.1",
+ "external_interface": "enp0s3",
+ "controller": "controller",
+ "vnc_enabled": true,
+ "keystone": {
+ "user": "nova",
+ "password": "nova_password"
+ },
+ "rabbit": {
+ "user": "openstack",
+ "password": "rabbitmq_password"
+ }
+}
diff --git a/contrib/ncf-openstack-technique/tree/50_techniques/openstack_nova_compute/openstack_nova_compute.cf b/contrib/ncf-openstack-technique/tree/50_techniques/openstack_nova_compute/openstack_nova_compute.cf
new file mode 100644
index 00000000..062999c0
--- /dev/null
+++ b/contrib/ncf-openstack-technique/tree/50_techniques/openstack_nova_compute/openstack_nova_compute.cf
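Review bot: `"password": "nova_password"` and `"password": "rabbitmq_password"` in this defaults.json are working credentials, and since the technique merges these defaults into the data rendered to `/etc/nova/nova.conf`, any compute node whose node-level configuration does not override `keystone.password` and `rabbit.password` will authenticate to Keystone and RabbitMQ with values published in this repository. The same applies to the `rabbit.user`/`keystone.user` pair to a lesser degree, since a known username halves the guesswork. I would leave both password fields empty, or set them to an obviously invalid placeholder such as `CHANGE_ME`, so that a missing override surfaces as an authentication failure at deploy time rather than as a deployment running on a shared, public secret. The README should then state that these two values must be supplied per deployment.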
@@ -0,0 +1,22 @@
+# @name openstack_nova_compute
+# @description Install, configure and ensure compute is running. Uses a template file for configuration.
+# @version 0.1
+
+bundle agent openstack_nova_compute
+{
+ methods:
+ "method_call" usebundle => data_load("${this.bundle}"),
+ ifvarclass => concat("any");
+ "method_call" usebundle => package_install("openstack-nova-compute sysfsutils openstack-nova-network openstack-nova-api"),
+ ifvarclass => concat("any.redhat");
+ "method_call" usebundle => file_from_template_mustache_data("${variable_string.${this.bundle}_technique_path}/templates/nova.conf.tpl", "/etc/nova/nova.conf", "data_merge.${this.bundle}"),
+ ifvarclass => concat("any");
+ "method_call" usebundle => permissions_recurse("/etc/nova/", "640", "nova", "nova"),
+ ifvarclass => concat("any");
+ "method_call" usebundle => service_restart("libvirtd openstack-nova-compute openstack-nova-network openstack-nova-metadata-api"),
+ ifvarclass => concat("any.file_from_template_mustache_data__etc_nova_nova_conf_repaired");
+ "method_call" usebundle => service_ensure_running("libvirtd openstack-nova-compute openstack-nova-network openstack-nova-metadata-api"),
+ ifvarclass => concat("any");
+ "method_call" usebundle => service_ensure_started_at_boot("libvirtd openstack-nova-compute openstack-nova-network openstack-nova-metadata-api"),
+ ifvarclass => concat("any");
+}
diff --git a/contrib/ncf-openstack-technique/tree/50_techniques/openstack_nova_compute/templates/nova.conf.tpl b/contrib/ncf-openstack-technique/tree/50_techniques/openstack_nova_compute/templates/nova.conf.tpl
new file mode 100644
index 00000000..3ed52615
--- /dev/null
+++ b/contrib/ncf-openstack-technique/tree/50_techniques/openstack_nova_compute/templates/nova.conf.tpl
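Review bot: `permissions_recurse("/etc/nova/", "640", "nova", "nova")` passes a file mode to a recursive call on a directory; if, as the name suggests, the recursion applies the mode to `/etc/nova/` itself and to its subdirectories, mode 640 removes the execute bit from those directories, and a directory without execute permission cannot be traversed by its owner, so the `nova` services restarted and kept running by the following methods may fail to open `nova.conf` once they run unprivileged (root is exempt from the check, which can hide the problem on the first run). Restricting access to the credentials the template writes into `nova.conf` only requires the file to be tightened, so I would replace that call with `"method_call" usebundle => permissions("/etc/nova/nova.conf", "640", "nova", "nova"),` and leave the directory at the mode the package set, or use a recursion variant that distinguishes directory from file modes if ncf provides one. If the directory-mode behaviour of `permissions_recurse` has been checked and is intended, a one-line comment above the call saying so would save the next reader the same question.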
@@ -0,0 +1,4017 @@ +[DEFAULT] + +# +# From oslo.messaging +# + +# ZeroMQ bind address. Should be a wildcard (*), an ethernet interface, or IP. +# The "host" option should point or resolve to this address. (string value) +#rpc_zmq_bind_address=* + +# MatchMaker driver. (string value) +#rpc_zmq_matchmaker=oslo_messaging._drivers.matchmaker.MatchMakerLocalhost + +# ZeroMQ receiver listening port. (integer value) +#rpc_zmq_port=9501 + +# Number of ZeroMQ contexts, defaults to 1. (integer value) +#rpc_zmq_contexts=1 + +# Maximum number of ingress messages to locally buffer per topic. Default is +# unlimited. (integer value) +#rpc_zmq_topic_backlog= + +# Directory for holding IPC sockets. (string value) +#rpc_zmq_ipc_dir=/var/run/openstack + +# Name of this node. Must be a valid hostname, FQDN, or IP address. Must match +# "host" option, if running Nova. (string value) +#rpc_zmq_host=localhost + +# Seconds to wait before a cast expires (TTL). Only supported by impl_zmq. +# (integer value) +#rpc_cast_timeout=30 + +# Heartbeat frequency. (integer value) +#matchmaker_heartbeat_freq=300 + +# Heartbeat time-to-live. (integer value) +#matchmaker_heartbeat_ttl=600 + +# Size of RPC thread pool. (integer value) +#rpc_thread_pool_size=64 + +# Driver or drivers to handle sending notifications. (multi valued) +#notification_driver = + +# AMQP topic used for OpenStack notifications. (list value) +# Deprecated group;name - [rpc_notifier2]/topics +#notification_topics=notifications + +# Seconds to wait for a response from a call. (integer value) +#rpc_response_timeout=60 + +# A URL representing the messaging driver to use and its full configuration. If +# not set, we fall back to the rpc_backend option and driver specific +# configuration. (string value) +#transport_url= + +# The messaging driver to use, defaults to rabbit. Other drivers include qpid +# and zmq. (string value) +rpc_backend=rabbit + +# The default exchange under which topics are scoped. 
May be overridden by an +# exchange name specified in the transport_url option. (string value) +#control_exchange=openstack + + +# +# Options defined in nova.availability_zones +# + +# The availability_zone to show internal services under +# (string value) +#internal_service_availability_zone=internal + +# Default compute node availability_zone (string value) +#default_availability_zone=nova + + +# +# Options defined in nova.crypto +# + +# Filename of root CA (string value) +#ca_file=cacert.pem + +# Filename of private key (string value) +#key_file=private/cakey.pem + +# Filename of root Certificate Revocation List (string value) +#crl_file=crl.pem + +# Where we keep our keys (string value) +#keys_path=$state_path/keys + +# Where we keep our root CA (string value) +#ca_path=$state_path/CA + +# Should we use a CA for each project? (boolean value) +#use_project_ca=false + +# Subject for certificate for users, %s for project, user, +# timestamp (string value) +#user_cert_subject=/C=US/ST=California/O=OpenStack/OU=NovaDev/CN=%.16s-%.16s-%s + +# Subject for certificate for projects, %s for project, +# timestamp (string value) +#project_cert_subject=/C=US/ST=California/O=OpenStack/OU=NovaDev/CN=project-ca-%.16s-%s + + +# +# Options defined in nova.exception +# + +# Make exception message format errors fatal (boolean value) +#fatal_exception_format_errors=false + + +# +# Options defined in nova.netconf +# + +# IP address of this host (string value) +my_ip={{management_ip}} + +# Block storage IP address of this host (string value) +#my_block_storage_ip=$my_ip + +# Name of this node. This can be an opaque identifier. It is +# not necessarily a hostname, FQDN, or IP address. 
However, +# the node name must be valid within an AMQP key, and if using +# ZeroMQ, a valid hostname, FQDN, or IP address (string value) +#host=nova + +# Use IPv6 (boolean value) +#use_ipv6=false + + +# +# Options defined in nova.notifications +# + +# If set, send compute.instance.update notifications on +# instance state changes. Valid values are None for no +# notifications, "vm_state" for notifications on VM state +# changes, or "vm_and_task_state" for notifications on VM and +# task state changes. (string value) +#notify_on_state_change= + +# If set, send api.fault notifications on caught exceptions in +# the API service. (boolean value) +#notify_api_faults=false + +# Default notification level for outgoing notifications +# (string value) +#default_notification_level=INFO + +# Default publisher_id for outgoing notifications (string +# value) +#default_publisher_id= + + +# +# Options defined in nova.paths +# + +# Directory where the nova python module is installed (string +# value) +#pybasedir=/usr/lib/python/site-packages + +# Directory where nova binaries are installed (string value) +#bindir=/usr/local/bin + +# Top-level directory for maintaining nova's state (string +# value) +#state_path=/var/lib/nova + + +# +# Options defined in nova.quota +# + +# Number of instances allowed per project (integer value) +#quota_instances=10 + +# Number of instance cores allowed per project (integer value) +#quota_cores=20 + +# Megabytes of instance RAM allowed per project (integer +# value) +#quota_ram=51200 + +# Number of floating IPs allowed per project (integer value) +#quota_floating_ips=10 + +# Number of fixed IPs allowed per project (this should be at +# least the number of instances allowed) (integer value) +#quota_fixed_ips=-1 + +# Number of metadata items allowed per instance (integer +# value) +#quota_metadata_items=128 + +# Number of injected files allowed (integer value) +#quota_injected_files=5 + +# Number of bytes allowed per injected file (integer value) 
+#quota_injected_file_content_bytes=10240 + +# Length of injected file path (integer value) +#quota_injected_file_path_length=255 + +# Number of security groups per project (integer value) +#quota_security_groups=10 + +# Number of security rules per security group (integer value) +#quota_security_group_rules=20 + +# Number of key pairs per user (integer value) +#quota_key_pairs=100 + +# Number of server groups per project (integer value) +#quota_server_groups=10 + +# Number of servers per server group (integer value) +#quota_server_group_members=10 + +# Number of seconds until a reservation expires (integer +# value) +#reservation_expire=86400 + +# Count of reservations until usage is refreshed. This +# defaults to 0(off) to avoid additional load but it is useful +# to turn on to help keep quota usage up to date and reduce +# the impact of out of sync usage issues. (integer value) +#until_refresh=0 + +# Number of seconds between subsequent usage refreshes. This +# defaults to 0(off) to avoid additional load but it is useful +# to turn on to help keep quota usage up to date and reduce +# the impact of out of sync usage issues. Note that quotas are +# not updated on a periodic task, they will update on a new +# reservation if max_age has passed since the last reservation +# (integer value) +#max_age=0 + +# Default driver to use for quota checks (string value) +#quota_driver=nova.quota.DbQuotaDriver + + +# +# Options defined in nova.service +# + +# Seconds between nodes reporting state to datastore (integer +# value) +#report_interval=10 + +# Enable periodic tasks (boolean value) +#periodic_enable=true + +# Range of seconds to randomly delay when starting the +# periodic task scheduler to reduce stampeding. 
(Disable by +# setting to 0) (integer value) +#periodic_fuzzy_delay=60 + +# A list of APIs to enable by default (list value) +#enabled_apis=ec2,osapi_compute,metadata + +# A list of APIs with enabled SSL (list value) +#enabled_ssl_apis= + +# The IP address on which the EC2 API will listen. (string +# value) +#ec2_listen=0.0.0.0 + +# The port on which the EC2 API will listen. (integer value) +#ec2_listen_port=8773 + +# Number of workers for EC2 API service. The default will be +# equal to the number of CPUs available. (integer value) +#ec2_workers= + +# The IP address on which the OpenStack API will listen. +# (string value) +#osapi_compute_listen=0.0.0.0 + +# The port on which the OpenStack API will listen. (integer +# value) +#osapi_compute_listen_port=8774 + +# Number of workers for OpenStack API service. The default +# will be the number of CPUs available. (integer value) +#osapi_compute_workers= + +# OpenStack metadata service manager (string value) +#metadata_manager=nova.api.manager.MetadataManager + +# The IP address on which the metadata API will listen. +# (string value) +#metadata_listen=0.0.0.0 + +# The port on which the metadata API will listen. (integer +# value) +#metadata_listen_port=8775 + +# Number of workers for metadata service. The default will be +# the number of CPUs available. 
(integer value) +#metadata_workers= + +# Full class name for the Manager for compute (string value) +#compute_manager=nova.compute.manager.ComputeManager + +# Full class name for the Manager for console proxy (string +# value) +#console_manager=nova.console.manager.ConsoleProxyManager + +# Manager for console auth (string value) +#consoleauth_manager=nova.consoleauth.manager.ConsoleAuthManager + +# Full class name for the Manager for cert (string value) +#cert_manager=nova.cert.manager.CertManager + +# Full class name for the Manager for network (string value) +network_manager=nova.network.manager.FlatDHCPManager + +# Full class name for the Manager for scheduler (string value) +#scheduler_manager=nova.scheduler.manager.SchedulerManager + +# Maximum time since last check-in for up service (integer +# value) +#service_down_time=60 + + +# +# Options defined in nova.utils +# + +# Whether to log monkey patching (boolean value) +#monkey_patch=false + +# List of modules/decorators to monkey patch (list value) +#monkey_patch_modules=nova.api.ec2.cloud:nova.notifications.notify_decorator,nova.compute.api:nova.notifications.notify_decorator + +# Length of generated instance admin passwords (integer value) +#password_length=12 + +# Time period to generate instance usages for. Time period +# must be hour, day, month or year (string value) +#instance_usage_audit_period=month + +# Path to the rootwrap configuration file to use for running +# commands as root (string value) +#rootwrap_config=/etc/nova/rootwrap.conf + +# Explicitly specify the temporary working directory (string +# value) +#tempdir= + + +# +# Options defined in nova.wsgi +# + +# File name for the paste.deploy config for nova-api (string +# value) +#api_paste_config=api-paste.ini + +# A python format string that is used as the template to +# generate log lines. The following values can be formatted +# into it: client_ip, date_time, request_line, status_code, +# body_length, wall_seconds. 
(string value) +#wsgi_log_format=%(client_ip)s "%(request_line)s" status: %(status_code)s len: %(body_length)s time: %(wall_seconds).7f + +# CA certificate file to use to verify connecting clients +# (string value) +#ssl_ca_file= + +# SSL certificate of API server (string value) +#ssl_cert_file= + +# SSL private key of API server (string value) +#ssl_key_file= + +# Sets the value of TCP_KEEPIDLE in seconds for each server +# socket. Not supported on OS X. (integer value) +#tcp_keepidle=600 + +# Size of the pool of greenthreads used by wsgi (integer +# value) +#wsgi_default_pool_size=1000 + +# Maximum line size of message headers to be accepted. +# max_header_line may need to be increased when using large +# tokens (typically those generated by the Keystone v3 API +# with big service catalogs). (integer value) +#max_header_line=16384 + +# If False, closes the client socket connection explicitly. +# (boolean value) +#wsgi_keep_alive=true + +# Timeout for client connections' socket operations. If an +# incoming connection is idle for this number of seconds it +# will be closed. A value of '0' means wait forever. (integer +# value) +#client_socket_timeout=900 + + +# +# Options defined in nova.api.auth +# + +# Whether to use per-user rate limiting for the api. This +# option is only used by v2 api. Rate limiting is removed from +# v3 api. (boolean value) +#api_rate_limit=false + +# The strategy to use for auth: keystone, noauth +# (deprecated), or noauth2. Both noauth and noauth2 are +# designed for testing only, as they do no actual credential +# checking. noauth provides administrative credentials +# regardless of the passed in user, noauth2 only does if +# 'admin' is specified as the username. (string value) +auth_strategy=keystone + +# Treat X-Forwarded-For as the canonical remote address. Only +# enable this if you have a sanitizing proxy. 
(boolean value) +#use_forwarded_for=false + + +# +# Options defined in nova.api.ec2 +# + +# Number of failed auths before lockout. (integer value) +#lockout_attempts=5 + +# Number of minutes to lockout if triggered. (integer value) +#lockout_minutes=15 + +# Number of minutes for lockout window. (integer value) +#lockout_window=15 + +# URL to get token from ec2 request. (string value) +#keystone_ec2_url=http://localhost:5000/v2.0/ec2tokens + +# Return the IP address as private dns hostname in describe +# instances (boolean value) +#ec2_private_dns_show_ip=false + +# Validate security group names according to EC2 specification +# (boolean value) +#ec2_strict_validation=true + +# Time in seconds before ec2 timestamp expires (integer value) +#ec2_timestamp_expiry=300 + +# Disable SSL certificate verification. (boolean value) +#keystone_ec2_insecure=false + + +# +# Options defined in nova.api.ec2.cloud +# + +# The IP address of the EC2 API server (string value) +#ec2_host=$my_ip + +# The internal IP address of the EC2 API server (string value) +#ec2_dmz_host=$my_ip + +# The port of the EC2 API server (integer value) +#ec2_port=8773 + +# The protocol to use when connecting to the EC2 API server +# (http, https) (string value) +#ec2_scheme=http + +# The path prefix used to call the ec2 API server (string +# value) +#ec2_path=/ + +# List of region=fqdn pairs separated by commas (list value) +#region_list= + + +# +# Options defined in nova.api.metadata.base +# + +# List of metadata versions to skip placing into the config +# drive (string value) +#config_drive_skip_versions=1.0 2007-01-19 2007-03-01 2007-08-29 2007-10-10 2007-12-15 2008-02-01 2008-09-01 + +# Driver to use for vendor data (string value) +#vendordata_driver=nova.api.metadata.vendordata_json.JsonFileVendorData + + +# +# Options defined in nova.api.metadata.handler +# + +# Time in seconds to cache metadata; 0 to disable metadata +# caching entirely (not recommended). 
Increasingthis should +# improve response times of the metadata API when under heavy +# load. Higher values may increase memoryusage and result in +# longer times for host metadata changes to take effect. +# (integer value) +#metadata_cache_expiration=15 + + +# +# Options defined in nova.api.metadata.vendordata_json +# + +# File to load JSON formatted vendor data from (string value) +#vendordata_jsonfile_path= + + +# +# Options defined in nova.api.openstack.common +# + +# The maximum number of items returned in a single response +# from a collection resource (integer value) +#osapi_max_limit=1000 + +# Base URL that will be presented to users in links to the +# OpenStack Compute API (string value) +#osapi_compute_link_prefix= + +# Base URL that will be presented to users in links to glance +# resources (string value) +#osapi_glance_link_prefix= + + +# +# Options defined in nova.api.openstack.compute +# + +# Permit instance snapshot operations. (boolean value) +#allow_instance_snapshots=true + + +# +# Options defined in nova.api.openstack.compute.contrib +# + +# Specify list of extensions to load when using +# osapi_compute_extension option with +# nova.api.openstack.compute.contrib.select_extensions (list +# value) +#osapi_compute_ext_list= + + +# +# Options defined in nova.api.openstack.compute.contrib.fping +# + +# Full path to fping. 
(string value) +#fping_path=/usr/sbin/fping + + +# +# Options defined in nova.api.openstack.compute.contrib.os_tenant_networks +# + +# Enables or disables quota checking for tenant networks +# (boolean value) +#enable_network_quota=false + +# Control for checking for default networks (string value) +#use_neutron_default_nets=False + +# Default tenant id when creating neutron networks (string +# value) +#neutron_default_tenant_id=default + +# Number of private networks allowed per project (integer +# value) +#quota_networks=3 + + +# +# Options defined in nova.api.openstack.compute.extensions +# + +# osapi compute extension to load (multi valued) +#osapi_compute_extension=nova.api.openstack.compute.contrib.standard_extensions + + +# +# Options defined in nova.api.openstack.compute.plugins.v3.hide_server_addresses +# + +# List of instance states that should hide network info (list +# value) +#osapi_hide_server_address_states=building + + +# +# Options defined in nova.api.openstack.compute.servers +# + +# Enables returning of the instance password by the relevant +# server API calls such as create, rebuild or rescue, If the +# hypervisor does not support password injection then the +# password returned will not be correct (boolean value) +#enable_instance_password=true + + +# +# Options defined in nova.cert.rpcapi +# + +# The topic cert nodes listen on (string value) +#cert_topic=cert + + +# +# Options defined in nova.cloudpipe.pipelib +# + +# Image ID used when starting up a cloudpipe vpn server +# (string value) +#vpn_image_id=0 + +# Flavor for vpn instances (string value) +#vpn_flavor=m1.tiny + +# Template for cloudpipe instance boot script (string value) +#boot_script_template=$pybasedir/nova/cloudpipe/bootscript.template + +# Network to push into openvpn config (string value) +#dmz_net=10.0.0.0 + +# Netmask to push into openvpn config (string value) +#dmz_mask=255.255.255.0 + +# Suffix to add to project name for vpn key and secgroups +# (string value) 
+#vpn_key_suffix=-vpn + + +# +# Options defined in nova.cmd.novnc +# + +# Record sessions to FILE.[session_number] (boolean value) +#record=false + +# Become a daemon (background process) (boolean value) +#daemon=false + +# Disallow non-encrypted connections (boolean value) +#ssl_only=false + +# Source is ipv6 (boolean value) +#source_is_ipv6=false + +# SSL certificate file (string value) +#cert=self.pem + +# SSL key file (if separate from cert) (string value) +#key= + +# Run webserver on same port. Serve files from DIR. (string +# value) +#web=/usr/share/spice-html5 + + +# +# Options defined in nova.cmd.novncproxy +# + +# Host on which to listen for incoming requests (string value) +#novncproxy_host=0.0.0.0 + +# Port on which to listen for incoming requests (integer +# value) +#novncproxy_port=6080 + + +# +# Options defined in nova.compute.api +# + +# Allow destination machine to match source for resize. Useful +# when testing in single-host environments. (boolean value) +#allow_resize_to_same_host=false + +# Allow migrate machine to the same host. Useful when testing +# in single-host environments. (boolean value) +#allow_migrate_to_same_host=false + +# Availability zone to use when user doesn't specify one +# (string value) +#default_schedule_zone= + +# These are image properties which a snapshot should not +# inherit from an instance (list value) +#non_inheritable_image_properties=cache_in_nova,bittorrent + +# Kernel image that indicates not to use a kernel, but to use +# a raw disk image instead (string value) +#null_kernel=nokernel + +# When creating multiple instances with a single request using +# the os-multiple-create API extension, this template will be +# used to build the display name for each instance. The +# benefit is that the instances end up with different +# hostnames. To restore legacy behavior of every instance +# having the same name, set this option to "%(name)s". Valid +# keys for the template are: name, uuid, count. 
(string value) +#multi_instance_display_name_template=%(name)s-%(count)d + +# Maximum number of devices that will result in a local image +# being created on the hypervisor node. Setting this to 0 +# means nova will allow only boot from volume. A negative +# number means unlimited. (integer value) +#max_local_block_devices=3 + + +# +# Options defined in nova.compute.flavors +# + +# Default flavor to use for the EC2 API only. The Nova API +# does not support a default flavor. (string value) +#default_flavor=m1.small + + +# +# Options defined in nova.compute.manager +# + +# Console proxy host to use to connect to instances on this +# host. (string value) +#console_host=nova + +# Name of network to use to set access IPs for instances +# (string value) +#default_access_ip_network_name= + +# Whether to batch up the application of IPTables rules during +# a host restart and apply all at the end of the init phase +# (boolean value) +#defer_iptables_apply=false + +# Where instances are stored on disk (string value) +#instances_path=$state_path/instances + +# Generate periodic compute.instance.exists notifications +# (boolean value) +#instance_usage_audit=false + +# Number of 1 second retries needed in live_migration (integer +# value) +#live_migration_retry_count=30 + +# Whether to start guests that were running before the host +# rebooted (boolean value) +#resume_guests_state_on_host_boot=false + +# Number of times to retry network allocation on failures +# (integer value) +#network_allocate_retries=0 + +# Maximum number of instance builds to run concurrently +# (integer value) +#max_concurrent_builds=10 + +# Number of times to retry block device allocation on failures +# (integer value) +#block_device_allocate_retries=60 + +# The number of times to attempt to reap an instance's files. +# (integer value) +#maximum_instance_delete_attempts=5 + +# Interval to pull network bandwidth usage info. Not supported +# on all hypervisors. Set to -1 to disable. 
Setting this to 0
+# will run at the default rate. (integer value)
+#bandwidth_poll_interval=600
+
+# Interval to sync power states between the database and the
+# hypervisor. Set to -1 to disable. Setting this to 0 will run
+# at the default rate. (integer value)
+#sync_power_state_interval=600
+
+# Number of seconds between instance network information cache
+# updates (integer value)
+#heal_instance_info_cache_interval=60
+
+# Interval in seconds for reclaiming deleted instances
+# (integer value)
+#reclaim_instance_interval=0
+
+# Interval in seconds for gathering volume usages (integer
+# value)
+#volume_usage_poll_interval=0
+
+# Interval in seconds for polling shelved instances to
+# offload. Set to -1 to disable.Setting this to 0 will run at
+# the default rate. (integer value)
+#shelved_poll_interval=3600
+
+# Time in seconds before a shelved instance is eligible for
+# removing from a host. -1 never offload, 0 offload when
+# shelved (integer value)
+#shelved_offload_time=0
+
+# Interval in seconds for retrying failed instance file
+# deletes. Set to -1 to disable. Setting this to 0 will run at
+# the default rate. (integer value)
+#instance_delete_interval=300
+
+# Waiting time interval (seconds) between block device
+# allocation retries on failures (integer value)
+#block_device_allocate_retries_interval=3
+
+# Waiting time interval (seconds) between sending the
+# scheduler a list of current instance UUIDs to verify that
+# its view of instances is in sync with nova. If the CONF
+# option `scheduler_tracks_instance_changes` is False,
+# changing this option will have no effect. (integer value)
+#scheduler_instance_sync_interval=120
+
+# Action to take if a running deleted instance is detected.
+# Valid options are 'noop', 'log', 'shutdown', or 'reap'. Set
+# to 'noop' to take no action. (string value)
+#running_deleted_instance_action=reap
+
+# Number of seconds to wait between runs of the cleanup task. 
+# (integer value)
+#running_deleted_instance_poll_interval=1800
+
+# Number of seconds after being deleted when a running
+# instance should be considered eligible for cleanup. (integer
+# value)
+#running_deleted_instance_timeout=0
+
+# Automatically hard reboot an instance if it has been stuck
+# in a rebooting state longer than N seconds. Set to 0 to
+# disable. (integer value)
+#reboot_timeout=0
+
+# Amount of time in seconds an instance can be in BUILD before
+# going into ERROR status. Set to 0 to disable. (integer
+# value)
+#instance_build_timeout=0
+
+# Automatically unrescue an instance after N seconds. Set to 0
+# to disable. (integer value)
+#rescue_timeout=0
+
+# Automatically confirm resizes after N seconds. Set to 0 to
+# disable. (integer value)
+#resize_confirm_window=0
+
+# Total amount of time to wait in seconds for an instance to
+# perform a clean shutdown. (integer value)
+#shutdown_timeout=60
+
+
+#
+# Options defined in nova.compute.monitors
+#
+
+# Monitor classes available to the compute which may be
+# specified more than once. (multi valued)
+#compute_available_monitors=nova.compute.monitors.all_monitors
+
+# A list of monitors that can be used for getting compute
+# metrics. (list value)
+#compute_monitors=
+
+
+#
+# Options defined in nova.compute.resource_tracker
+#
+
+# Amount of disk in MB to reserve for the host (integer value)
+#reserved_host_disk_mb=0
+
+# Amount of memory in MB to reserve for the host (integer
+# value)
+#reserved_host_memory_mb=512
+
+# Class that will manage stats for the local compute host
+# (string value)
+#compute_stats_class=nova.compute.stats.Stats
+
+# The names of the extra resources to track. (list value)
+#compute_resources=vcpu
+
+
+#
+# Options defined in nova.compute.rpcapi
+#
+
+# The topic compute nodes listen on (string value)
+#compute_topic=compute
+
+
+#
+# Options defined in nova.conductor.tasks.live_migrate
+#
+
+# Number of times to retry live-migration before failing. 
If
+# == -1, try until out of hosts. If == 0, only try once, no
+# retries. (integer value)
+#migrate_max_retries=-1
+
+
+#
+# Options defined in nova.console.manager
+#
+
+# Driver to use for the console proxy (string value)
+#console_driver=nova.console.xvp.XVPConsoleProxy
+
+# Stub calls to compute worker for tests (boolean value)
+#stub_compute=false
+
+# Publicly visible name for this console host (string value)
+#console_public_hostname=nova
+
+
+#
+# Options defined in nova.console.rpcapi
+#
+
+# The topic console proxy nodes listen on (string value)
+#console_topic=console
+
+
+#
+# Options defined in nova.console.xvp
+#
+
+# XVP conf template (string value)
+#console_xvp_conf_template=$pybasedir/nova/console/xvp.conf.template
+
+# Generated XVP conf file (string value)
+#console_xvp_conf=/etc/xvp.conf
+
+# XVP master process pid file (string value)
+#console_xvp_pid=/var/run/xvp.pid
+
+# XVP log file (string value)
+#console_xvp_log=/var/log/xvp.log
+
+# Port for XVP to multiplex VNC connections on (integer value)
+#console_xvp_multiplex_port=5900
+
+
+#
+# Options defined in nova.consoleauth
+#
+
+# The topic console auth proxy nodes listen on (string value)
+#consoleauth_topic=consoleauth
+
+
+#
+# Options defined in nova.consoleauth.manager
+#
+
+# How many seconds before deleting tokens (integer value)
+#console_token_ttl=600
+
+
+#
+# Options defined in nova.db.api
+#
+
+# Services to be added to the available pool on create
+# (boolean value)
+#enable_new_services=true
+
+# Template string to be used to generate instance names
+# (string value)
+#instance_name_template=instance-%08x
+
+# Template string to be used to generate snapshot names
+# (string value)
+#snapshot_name_template=snapshot-%s
+
+
+#
+# Options defined in nova.db.base
+#
+
+# The driver to use for database access (string value)
+#db_driver=nova.db
+
+
+#
+# Options defined in nova.db.sqlalchemy.api
+#
+
+# When set, compute API will consider duplicate hostnames
+# invalid within the 
specified scope, regardless of case.
+# Should be empty, "project" or "global". (string value)
+#osapi_compute_unique_server_name_scope=
+
+
+#
+# Options defined in nova.image.s3
+#
+
+# Parent directory for tempdir used for image decryption
+# (string value)
+#image_decryption_dir=/tmp
+
+# Hostname or IP for OpenStack to use when accessing the S3
+# api (string value)
+#s3_host=$my_ip
+
+# Port used when accessing the S3 api (integer value)
+#s3_port=3333
+
+# Access key to use for S3 server for images (string value)
+#s3_access_key=notchecked
+
+# Secret key to use for S3 server for images (string value)
+#s3_secret_key=notchecked
+
+# Whether to use SSL when talking to S3 (boolean value)
+#s3_use_ssl=false
+
+# Whether to affix the tenant id to the access key when
+# downloading from S3 (boolean value)
+#s3_affix_tenant=false
+
+
+#
+# Options defined in nova.ipv6.api
+#
+
+# Backend to use for IPv6 generation (string value)
+#ipv6_backend=rfc2462
+
+
+#
+# Options defined in nova.network
+#
+
+# The full class name of the network API class to use (string
+# value)
+network_api_class=nova.network.api.API
+
+
+#
+# Options defined in nova.network.driver
+#
+
+# Driver to use for network creation (string value)
+#network_driver=nova.network.linux_net
+
+
+#
+# Options defined in nova.network.floating_ips
+#
+
+# Default pool for floating IPs (string value)
+#default_floating_pool=nova
+
+# Autoassigning floating IP to VM (boolean value)
+#auto_assign_floating_ip=false
+
+# Full class name for the DNS Manager for floating IPs (string
+# value)
+#floating_ip_dns_manager=nova.network.noop_dns_driver.NoopDNSDriver
+
+# Full class name for the DNS Manager for instance IPs (string
+# value)
+#instance_dns_manager=nova.network.noop_dns_driver.NoopDNSDriver
+
+# Full class name for the DNS Zone for instance IPs (string
+# value)
+#instance_dns_domain=
+
+
+#
+# Options defined in nova.network.ldapdns
+#
+
+# URL for LDAP server which will store DNS entries (string
+# 
value)
+#ldap_dns_url=ldap://ldap.example.com:389
+
+# User for LDAP DNS (string value)
+#ldap_dns_user=uid=admin,ou=people,dc=example,dc=org
+
+# Password for LDAP DNS (string value)
+#ldap_dns_password=password
+
+# Hostmaster for LDAP DNS driver Statement of Authority
+# (string value)
+#ldap_dns_soa_hostmaster=hostmaster@example.org
+
+# DNS Servers for LDAP DNS driver (multi valued)
+#ldap_dns_servers=dns.example.org
+
+# Base DN for DNS entries in LDAP (string value)
+#ldap_dns_base_dn=ou=hosts,dc=example,dc=org
+
+# Refresh interval (in seconds) for LDAP DNS driver Statement
+# of Authority (string value)
+#ldap_dns_soa_refresh=1800
+
+# Retry interval (in seconds) for LDAP DNS driver Statement of
+# Authority (string value)
+#ldap_dns_soa_retry=3600
+
+# Expiry interval (in seconds) for LDAP DNS driver Statement
+# of Authority (string value)
+#ldap_dns_soa_expiry=86400
+
+# Minimum interval (in seconds) for LDAP DNS driver Statement
+# of Authority (string value)
+#ldap_dns_soa_minimum=7200
+
+
+#
+# Options defined in nova.network.linux_net
+#
+
+# Location of flagfiles for dhcpbridge (multi valued)
+#dhcpbridge_flagfile=/etc/nova/nova.conf
+
+# Location to keep network config files (string value)
+#networks_path=$state_path/networks
+
+# Interface for public IP addresses (string value)
+public_interface={{external_interface}}
+
+# Location of nova-dhcpbridge (string value)
+#dhcpbridge=/usr/bin/nova-dhcpbridge
+
+# Public IP of network host (string value)
+#routing_source_ip=$my_ip
+
+# Lifetime of a DHCP lease in seconds (integer value)
+#dhcp_lease_time=86400
+
+# If set, uses specific DNS server for dnsmasq. Can be
+# specified multiple times. (multi valued)
+#dns_server=
+
+# If set, uses the dns1 and dns2 from the network ref. as dns
+# servers. 
(boolean value)
+#use_network_dns_servers=false
+
+# A list of dmz ranges that should be accepted (list value)
+#dmz_cidr=
+
+# Traffic to this range will always be snatted to the fallback
+# ip, even if it would normally be bridged out of the node.
+# Can be specified multiple times. (multi valued)
+#force_snat_range=
+
+# Override the default dnsmasq settings with this file (string
+# value)
+#dnsmasq_config_file=
+
+# Driver used to create ethernet devices. (string value)
+#linuxnet_interface_driver=nova.network.linux_net.LinuxBridgeInterfaceDriver
+
+# Name of Open vSwitch bridge used with linuxnet (string
+# value)
+#linuxnet_ovs_integration_bridge=br-int
+
+# Send gratuitous ARPs for HA setup (boolean value)
+send_arp_for_ha=true
+
+# Send this many gratuitous ARPs for HA setup (integer value)
+#send_arp_for_ha_count=3
+
+# Use single default gateway. Only first nic of vm will get
+# default gateway from dhcp server (boolean value)
+#use_single_default_gateway=false
+
+# An interface that bridges can forward to. If this is set to
+# all then all traffic will be forwarded. Can be specified
+# multiple times. (multi valued)
+#forward_bridge_interface=all
+
+# The IP address for the metadata API server (string value)
+#metadata_host=$my_ip
+
+# The port for the metadata API port (integer value)
+#metadata_port=8775
+
+# Regular expression to match the iptables rule that should
+# always be on the top. (string value)
+#iptables_top_regex=
+
+# Regular expression to match the iptables rule that should
+# always be on the bottom. (string value)
+#iptables_bottom_regex=
+
+# The table that iptables to jump to when a packet is to be
+# dropped. (string value)
+#iptables_drop_action=DROP
+
+# Amount of time, in seconds, that ovs_vsctl should wait for a
+# response from the database. 0 is to wait forever. 
(integer
+# value)
+#ovs_vsctl_timeout=120
+
+# If passed, use fake network devices and addresses (boolean
+# value)
+#fake_network=false
+
+# Number of times to retry ebtables commands on failure.
+# (integer value)
+#ebtables_exec_attempts=3
+
+# Number of seconds to wait between ebtables retries.
+# (floating point value)
+#ebtables_retry_interval=1.0
+
+
+#
+# Options defined in nova.network.manager
+#
+
+# Bridge for simple network instances (string value)
+flat_network_bridge={{bridge}}
+
+# DNS server for simple network (string value)
+#flat_network_dns=8.8.4.4
+
+# Whether to attempt to inject network setup into guest
+# (boolean value)
+#flat_injected=false
+
+# FlatDhcp will bridge into this interface if set (string
+# value)
+flat_interface={{external_interface}}
+
+# First VLAN for private networks (integer value)
+#vlan_start=100
+
+# VLANs will bridge into this interface if set (string value)
+#vlan_interface=
+
+# Number of networks to support (integer value)
+#num_networks=1
+
+# Public IP for the cloudpipe VPN servers (string value)
+#vpn_ip=$my_ip
+
+# First Vpn port for private networks (integer value)
+#vpn_start=1000
+
+# Number of addresses in each private subnet (integer value)
+network_size=254
+
+# Fixed IPv6 address block (string value)
+#fixed_range_v6=fd00::/48
+
+# Default IPv4 gateway (string value)
+#gateway=
+
+# Default IPv6 gateway (string value)
+#gateway_v6=
+
+# Number of addresses reserved for vpn clients (integer value)
+#cnt_vpn_clients=0
+
+# Seconds after which a deallocated IP is disassociated
+# (integer value)
+#fixed_ip_disassociate_timeout=600
+
+# Number of attempts to create unique mac address (integer
+# value)
+#create_unique_mac_address_attempts=5
+
+# If True, skip using the queue and make local calls (boolean
+# value)
+#fake_call=false
+
+# If True, unused gateway devices (VLAN and bridge) are
+# deleted in VLAN network mode with multi hosted networks
+# (boolean value)
+#teardown_unused_network_gateway=false
+
+# If True, send a dhcp release on instance termination
+# (boolean value)
+force_dhcp_release=True
+
+# If True, when a DNS entry must be updated, it sends a fanout
+# cast to all network hosts to update their DNS entries in
+# multi host mode (boolean value)
+#update_dns_entries=false
+
+# Number of seconds to wait between runs of updates to DNS
+# entries. (integer value)
+#dns_update_periodic_interval=-1
+
+# Domain to use for building the hostnames (string value)
+#dhcp_domain=novalocal
+
+# Indicates underlying L3 management library (string value)
+#l3_lib=nova.network.l3.LinuxNetL3
+
+
+#
+# Options defined in nova.network.rpcapi
+#
+
+# The topic network nodes listen on (string value)
+#network_topic=network
+
+# Default value for multi_host in networks. Also, if set, some
+# rpc network calls will be sent directly to host. (boolean
+# value)
+multi_host=true
+
+
+#
+# Options defined in nova.network.security_group.openstack_driver
+#
+
+# The full class name of the security API class (string value)
+security_group_api=nova
+
+
+#
+# Options defined in nova.objects.network
+#
+
+# DEPRECATED: THIS VALUE SHOULD BE SET WHEN CREATING THE
+# NETWORK. If True in multi_host mode, all compute hosts share
+# the same dhcp address. The same IP address used for DHCP
+# will be added on each nova-network node which is only
+# visible to the vms on the same host. (boolean value)
+share_dhcp_address=true
+
+# DEPRECATED: THIS VALUE SHOULD BE SET WHEN CREATING THE
+# NETWORK. MTU setting for network interface. (integer value)
+#network_device_mtu=
+
+
+#
+# Options defined in nova.objectstore.s3server
+#
+
+# Path to S3 buckets (string value)
+#buckets_path=$state_path/buckets
+
+# IP address for S3 API to listen (string value)
+#s3_listen=0.0.0.0
+
+# Port for S3 API to listen (integer value)
+#s3_listen_port=3333
+
+
+#
+# From oslo.log
+#
+
+# Print debugging output (set logging level to DEBUG instead of default WARNING
+# level). 
(boolean value)
+#debug=false
+
+# Print more verbose output (set logging level to INFO instead of default
+# WARNING level). (boolean value)
+#verbose=false
+
+# The name of a logging configuration file. This file is appended to any
+# existing logging configuration files. For details about logging configuration
+# files, see the Python logging module documentation. (string value)
+# Deprecated group;name - DEFAULT;log_config
+#log_config_append=
+
+# DEPRECATED. A logging.Formatter log message format string which may use any
+# of the available logging.LogRecord attributes. This option is deprecated.
+# Please use logging_context_format_string and logging_default_format_string
+# instead. (string value)
+#log_format=
+
+# Format string for %%(asctime)s in log records. Default: %(default)s . (string
+# value)
+#log_date_format=%Y-%m-%d %H:%M:%S
+
+# (Optional) Name of log file to output to. If no default is set, logging will
+# go to stdout. (string value)
+# Deprecated group;name - DEFAULT;logfile
+#log_file=
+
+# (Optional) The base directory used for relative --log-file paths. (string
+# value)
+# Deprecated group;name - DEFAULT;logdir
+#log_dir=/var/log/nova
+
+# Use syslog for logging. Existing syslog format is DEPRECATED during I, and
+# will change in J to honor RFC5424. (boolean value)
+#use_syslog=false
+
+# (Optional) Enables or disables syslog rfc5424 format for logging. If enabled,
+# prefixes the MSG part of the syslog message with APP-NAME (RFC5424). The
+# format without the APP-NAME is deprecated in I, and will be removed in J.
+# (boolean value)
+#use_syslog_rfc_format=false
+
+# Syslog facility to receive log lines. (string value)
+#syslog_log_facility=LOG_USER
+
+# Log output to standard error. (boolean value)
+#use_stderr=False
+
+# Format string to use for log messages with context. 
(string value)
+#logging_context_format_string=%(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [%(request_id)s %(user_identity)s] %(instance)s%(message)s
+
+# Format string to use for log messages without context. (string value)
+#logging_default_format_string=%(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [-] %(instance)s%(message)s
+
+# Data to append to log format when level is DEBUG. (string value)
+#logging_debug_format_suffix=%(funcName)s %(pathname)s:%(lineno)d
+
+# Prefix each line of exception output with this format. (string value)
+#logging_exception_prefix=%(asctime)s.%(msecs)03d %(process)d TRACE %(name)s %(instance)s
+
+# List of logger=LEVEL pairs. (list value)
+#default_log_levels=amqp=WARN,amqplib=WARN,boto=WARN,qpid=WARN,sqlalchemy=WARN,suds=INFO,oslo.messaging=INFO,iso8601=WARN,requests.packages.urllib3.connectionpool=WARN,urllib3.connectionpool=WARN,websocket=WARN,requests.packages.urllib3.util.retry=WARN,urllib3.util.retry=WARN,keystonemiddleware=WARN,routes.middleware=WARN,stevedore=WARN
+
+# Enables or disables publication of error events. (boolean value)
+#publish_errors=false
+
+# Enables or disables fatal status of deprecations. (boolean value)
+#fatal_deprecations=false
+
+# The format for an instance that is passed with the log message. (string
+# value)
+#instance_format="[instance: %(uuid)s] "
+
+# The format for an instance UUID that is passed with the log message. (string
+# value)
+#instance_uuid_format="[instance: %(uuid)s] "
+
+
+#
+# Options defined in nova.pci.request
+#
+
+# An alias for a PCI passthrough device requirement. This
+# allows users to specify the alias in the extra_spec for a
+# flavor, without needing to repeat all the PCI property
+# requirements. For example: pci_alias = { "name":
+# "QuicAssist", "product_id": "0443", "vendor_id": "8086",
+# "device_type": "ACCEL" } defines an alias for the Intel
+# QuickAssist card. 
(multi valued) (multi valued)
+#pci_alias=
+
+
+#
+# Options defined in nova.pci.whitelist
+#
+
+# White list of PCI devices available to VMs. For example:
+# pci_passthrough_whitelist = [{"vendor_id": "8086",
+# "product_id": "0443"}] (multi valued)
+#pci_passthrough_whitelist=
+
+
+#
+# Options defined in nova.scheduler.driver
+#
+
+# The scheduler host manager class to use (string value)
+#scheduler_host_manager=nova.scheduler.host_manager.HostManager
+
+
+#
+# Options defined in nova.scheduler.filter_scheduler
+#
+
+# New instances will be scheduled on a host chosen randomly
+# from a subset of the N best hosts. This property defines the
+# subset size that a host is chosen from. A value of 1 chooses
+# the first host returned by the weighing functions. This
+# value must be at least 1. Any value less than 1 will be
+# ignored, and 1 will be used instead (integer value)
+#scheduler_host_subset_size=1
+
+
+#
+# Options defined in nova.scheduler.filters.aggregate_image_properties_isolation
+#
+
+# Force the filter to consider only keys matching the given
+# namespace. (string value)
+#aggregate_image_properties_isolation_namespace=
+
+# The separator used between the namespace and keys (string
+# value)
+#aggregate_image_properties_isolation_separator=.
+
+
+#
+# Options defined in nova.scheduler.filters.core_filter
+#
+
+# Virtual CPU to physical CPU allocation ratio which affects
+# all CPU filters. This configuration specifies a global ratio
+# for CoreFilter. For AggregateCoreFilter, it will fall back
+# to this configuration value if no per-aggregate setting
+# found. 
(floating point value)
+#cpu_allocation_ratio=16.0
+
+
+#
+# Options defined in nova.scheduler.filters.disk_filter
+#
+
+# Virtual disk to physical disk allocation ratio (floating
+# point value)
+#disk_allocation_ratio=1.0
+
+
+#
+# Options defined in nova.scheduler.filters.io_ops_filter
+#
+
+# Tells filters to ignore hosts that have this many or more
+# instances currently in build, resize, snapshot, migrate,
+# rescue or unshelve task states (integer value)
+#max_io_ops_per_host=8
+
+
+#
+# Options defined in nova.scheduler.filters.isolated_hosts_filter
+#
+
+# Images to run on isolated host (list value)
+#isolated_images=
+
+# Host reserved for specific images (list value)
+#isolated_hosts=
+
+# Whether to force isolated hosts to run only isolated images
+# (boolean value)
+#restrict_isolated_hosts_to_isolated_images=true
+
+
+#
+# Options defined in nova.scheduler.filters.num_instances_filter
+#
+
+# Ignore hosts that have too many instances (integer value)
+#max_instances_per_host=50
+
+
+#
+# Options defined in nova.scheduler.filters.ram_filter
+#
+
+# Virtual ram to physical ram allocation ratio which affects
+# all ram filters. This configuration specifies a global ratio
+# for RamFilter. For AggregateRamFilter, it will fall back to
+# this configuration value if no per-aggregate setting found.
+# (floating point value)
+#ram_allocation_ratio=1.5
+
+
+#
+# Options defined in nova.scheduler.host_manager
+#
+
+# Filter classes available to the scheduler which may be
+# specified more than once. An entry of
+# "nova.scheduler.filters.all_filters" maps to all filters
+# included with nova. (multi valued)
+#scheduler_available_filters=nova.scheduler.filters.all_filters
+
+# Which filter class names to use for filtering hosts when not
+# specified in the request. 
(list value)
+#scheduler_default_filters=RetryFilter,AvailabilityZoneFilter,RamFilter,ComputeFilter,ComputeCapabilitiesFilter,ImagePropertiesFilter,ServerGroupAntiAffinityFilter,ServerGroupAffinityFilter
+
+# Which weight class names to use for weighing hosts (list
+# value)
+#scheduler_weight_classes=nova.scheduler.weights.all_weighers
+
+# Determines if the Scheduler tracks changes to instances to
+# help with its filtering decisions. (boolean value)
+#scheduler_tracks_instance_changes=true
+
+
+#
+# Options defined in nova.scheduler.ironic_host_manager
+#
+
+# Which filter class names to use for filtering baremetal
+# hosts when not specified in the request. (list value)
+#baremetal_scheduler_default_filters=RetryFilter,AvailabilityZoneFilter,ComputeFilter,ComputeCapabilitiesFilter,ImagePropertiesFilter,ExactRamFilter,ExactDiskFilter,ExactCoreFilter
+
+# Flag to decide whether to use
+# baremetal_scheduler_default_filters or not. (boolean value)
+#scheduler_use_baremetal_filters=false
+
+
+#
+# Options defined in nova.scheduler.manager
+#
+
+# Default driver to use for the scheduler (string value)
+#scheduler_driver=nova.scheduler.filter_scheduler.FilterScheduler
+
+# How often (in seconds) to run periodic tasks in the
+# scheduler driver of your choice. Please note this is likely
+# to interact with the value of service_down_time, but exactly
+# how they interact will depend on your choice of scheduler
+# driver. (integer value)
+#scheduler_driver_task_period=60
+
+
+#
+# Options defined in nova.scheduler.rpcapi
+#
+
+# The topic scheduler nodes listen on (string value)
+#scheduler_topic=scheduler
+
+
+#
+# Options defined in nova.scheduler.scheduler_options
+#
+
+# Absolute path to scheduler configuration JSON file. 
(string
+# value)
+#scheduler_json_config_location=
+
+
+#
+# Options defined in nova.scheduler.utils
+#
+
+# Maximum number of attempts to schedule an instance (integer
+# value)
+#scheduler_max_attempts=3
+
+
+#
+# Options defined in nova.scheduler.weights.io_ops
+#
+
+# Multiplier used for weighing host io ops. Negative numbers
+# mean a preference to choose light workload compute hosts.
+# (floating point value)
+#io_ops_weight_multiplier=-1.0
+
+
+#
+# Options defined in nova.scheduler.weights.ram
+#
+
+# Multiplier used for weighing ram. Negative numbers mean to
+# stack vs spread. (floating point value)
+#ram_weight_multiplier=1.0
+
+
+#
+# Options defined in nova.servicegroup.api
+#
+
+# The driver for servicegroup service (valid options are: db,
+# zk, mc) (string value)
+#servicegroup_driver=db
+
+
+#
+# Options defined in nova.virt.configdrive
+#
+
+# Config drive format. One of iso9660 (default) or vfat
+# (string value)
+#config_drive_format=iso9660
+
+# Set to "always" to force injection to take place on a config
+# drive. NOTE: The "always" will be deprecated in the Liberty
+# release cycle. (string value)
+#force_config_drive=
+
+# Name and optionally path of the tool used for ISO image
+# creation (string value)
+#mkisofs_cmd=genisoimage
+
+
+#
+# Options defined in nova.virt.disk.api
+#
+
+# Name of the mkfs commands for ephemeral device. The format
+# is = (multi valued)
+#virt_mkfs=
+
+# Attempt to resize the filesystem by accessing the image over
+# a block device. This is done by the host and may not be
+# necessary if the image contains a recent version of cloud-
+# init. Possible mechanisms require the nbd driver (for qcow
+# and raw), or loop (for raw). (boolean value)
+#resize_fs_using_block_device=false
+
+
+#
+# Options defined in nova.virt.disk.mount.nbd
+#
+
+# Amount of time, in seconds, to wait for NBD device start up. 
+# (integer value)
+#timeout_nbd=10
+
+
+#
+# Options defined in nova.virt.driver
+#
+
+# Driver to use for controlling virtualization. Options
+# include: libvirt.LibvirtDriver, xenapi.XenAPIDriver,
+# fake.FakeDriver, baremetal.BareMetalDriver,
+# vmwareapi.VMwareVCDriver, hyperv.HyperVDriver (string value)
+#compute_driver=libvirt.LibvirtDriver
+
+# The default format an ephemeral_volume will be formatted
+# with on creation. (string value)
+#default_ephemeral_format=
+
+# VM image preallocation mode: "none" => no storage
+# provisioning is done up front, "space" => storage is fully
+# allocated at instance start (string value)
+#preallocate_images=none
+
+# Whether to use cow images (boolean value)
+#use_cow_images=true
+
+# Fail instance boot if vif plugging fails (boolean value)
+#vif_plugging_is_fatal=true
+
+# Number of seconds to wait for neutron vif plugging events to
+# arrive before continuing or failing (see
+# vif_plugging_is_fatal). If this is set to zero and
+# vif_plugging_is_fatal is False, events should not be
+# expected to arrive at all. (integer value)
+#vif_plugging_timeout=300
+
+
+#
+# Options defined in nova.virt.firewall
+#
+
+# Firewall driver (defaults to hypervisor specific iptables
+# driver) (string value)
+firewall_driver=nova.virt.libvirt.firewall.IptablesFirewallDriver
+
+# Whether to allow network traffic from same network (boolean
+# value)
+allow_same_net_traffic=false
+
+
+#
+# Options defined in nova.virt.hardware
+#
+
+# Defines which pcpus that instance vcpus can use. For
+# example, "4-12,^8,15" (string value)
+#vcpu_pin_set=
+
+
+#
+# Options defined in nova.virt.imagecache
+#
+
+# Number of seconds to wait between runs of the image cache
+# manager. Set to -1 to disable. Setting this to 0 will run at
+# the default rate. (integer value)
+#image_cache_manager_interval=2400
+
+# Where cached images are stored under $instances_path. This
+# is NOT the full path - just a folder name. 
For per-compute-
+# host cached images, set to _base_$my_ip (string value)
+#image_cache_subdirectory_name=_base
+
+# Should unused base images be removed? (boolean value)
+#remove_unused_base_images=true
+
+# Unused unresized base images younger than this will not be
+# removed (integer value)
+#remove_unused_original_minimum_age_seconds=86400
+
+
+#
+# Options defined in nova.virt.images
+#
+
+# Force backing images to raw format (boolean value)
+#force_raw_images=true
+
+
+#
+# Options defined in nova.virt.netutils
+#
+
+# Template file for injected network (string value)
+#injected_network_template=/usr/share/nova/interfaces.template
+
+
+#
+# Options defined in nova.vnc
+#
+
+# Location of VNC console proxy, in the form
+# "http://127.0.0.1:6080/vnc_auto.html" (string value)
+novncproxy_base_url=http://{{controller}}:6080/vnc_auto.html
+
+# Location of nova xvp VNC console proxy, in the form
+# "http://127.0.0.1:6081/console" (string value)
+#xvpvncproxy_base_url=http://127.0.0.1:6081/console
+
+# IP address on which instance vncservers should listen
+# (string value)
+vncserver_listen=0.0.0.0
+
+# The address to which proxy clients (like nova-xvpvncproxy)
+# should connect (string value)
+vncserver_proxyclient_address={{management_ip}}
+
+# Enable VNC related features (boolean value)
+{{#vnc_enabled}}
+vnc_enabled=true
+{{/vnc_enabled}}
+
+# Keymap for VNC (string value)
+#vnc_keymap=en-us
+
+
+#
+# Options defined in nova.vnc.xvp_proxy
+#
+
+# Port that the XCP VNC proxy should bind to (integer value)
+#xvpvncproxy_port=6081
+
+# Address that the XCP VNC proxy should bind to (string value)
+#xvpvncproxy_host=0.0.0.0
+
+
+#
+# Options defined in nova.volume
+#
+
+# The full class name of the volume API class to use (string
+# value)
+#volume_api_class=nova.volume.cinder.API
+
+
+#
+# Options defined in nova.openstack.common.eventlet_backdoor
+#
+
+# Enable eventlet backdoor. 
Acceptable values are 0, ,
+# and :, where 0 results in listening on a random
+# tcp port number; results in listening on the
+# specified port number (and not enabling backdoor if that
+# port is in use); and : results in listening on
+# the smallest unused port number within the specified range
+# of port numbers. The chosen port is displayed in the
+# service's log file. (string value)
+#backdoor_port=
+
+
+#
+# Options defined in nova.openstack.common.memorycache
+#
+
+# Memcached servers or None for in process cache. (list value)
+#memcached_servers=
+
+
+#
+# Options defined in nova.openstack.common.periodic_task
+#
+
+# Some periodic tasks can be run in a separate process. Should
+# we run them here? (boolean value)
+#run_external_periodic_tasks=true
+
+
+#
+# Options defined in nova.openstack.common.policy
+#
+
+# The JSON file that defines policies. (string value)
+#policy_file=policy.json
+
+# Default rule. Enforced when a requested rule is not found.
+# (string value)
+#policy_default_rule=default
+
+# Directories where policy configuration files are stored.
+# They can be relative to any directory in the search path
+# defined by the config_dir option, or absolute paths. The
+# file defined by policy_file must exist for these directories
+# to be searched. Missing or empty directories are ignored.
+# (multi valued)
+#policy_dirs=policy.d
+
+
+#
+# Options defined in nova.openstack.common.versionutils
+#
+
+# Enables or disables fatal status of deprecations. (boolean
+# value)
+#fatal_deprecations=false
+
+
+[api_database]
+
+#
+# Options defined in nova.db.sqlalchemy.api
+#
+
+# The SQLAlchemy connection string to use to connect to the
+# Nova API database. (string value)
+#connection=mysql://nova:nova@localhost/nova
+
+# If True, SQLite uses synchronous mode. (boolean value)
+#sqlite_synchronous=true
+
+# Timeout before idle SQL connections are reaped. (integer
+# value)
+#idle_timeout=3600
+
+# Maximum number of SQL connections to keep open in a pool. 
+# (integer value) +#max_pool_size= + +# Maximum number of database connection retries during +# startup. Set to -1 to specify an infinite retry count. +# (integer value) +#max_retries=-1 + +# Interval between retries of opening a SQL connection. +# (integer value) +#retry_interval=10 + +# If set, use this value for max_overflow with SQLAlchemy. +# (integer value) +#max_overflow= + +# Verbosity of SQL debugging information: 0=None, +# 100=Everything. (integer value) +#connection_debug=0 + +# Add Python stack traces to SQL as comment strings. (boolean +# value) +#connection_trace=false + +# If set, use this value for pool_timeout with SQLAlchemy. +# (integer value) +#pool_timeout= + + +[barbican] + +# +# Options defined in nova.keymgr.barbican +# + +# Info to match when looking for barbican in the service +# catalog. Format is: separated values of the form: +# :: (string value) +#catalog_info=key-manager:barbican:public + +# Override service catalog lookup with template for barbican +# endpoint e.g. http://localhost:9311/v1/%(project_id)s +# (string value) +#endpoint_template= + +# Region name of this node (string value) +#os_region_name= + + +# +# Options defined in nova.volume.cinder +# + +# Region name of this node (string value) +#os_region_name= + + +[cells] + +# +# Options defined in nova.cells.manager +# + +# Cells communication driver to use (string value) +#driver=nova.cells.rpc_driver.CellsRPCDriver + +# Number of seconds after an instance was updated or deleted +# to continue to update cells (integer value) +#instance_updated_at_threshold=3600 + +# Number of instances to update per periodic task run (integer +# value) +#instance_update_num_instances=1 + + +# +# Options defined in nova.cells.messaging +# + +# Maximum number of hops for cells routing. 
(integer value) +#max_hop_count=10 + +# Cells scheduler to use (string value) +#scheduler=nova.cells.scheduler.CellsScheduler + + +# +# Options defined in nova.cells.opts +# + +# Enable cell functionality (boolean value) +#enable=false + +# The topic cells nodes listen on (string value) +#topic=cells + +# Manager for cells (string value) +#manager=nova.cells.manager.CellsManager + +# Name of this cell (string value) +#name=nova + +# Key/Multi-value list with the capabilities of the cell (list +# value) +#capabilities=hypervisor=xenserver;kvm,os=linux;windows + +# Seconds to wait for response from a call to a cell. (integer +# value) +#call_timeout=60 + +# Percentage of cell capacity to hold in reserve. Affects both +# memory and disk utilization (floating point value) +#reserve_percent=10.0 + +# Type of cell: api or compute (string value) +#cell_type=compute + +# Number of seconds after which a lack of capability and +# capacity updates signals the child cell is to be treated as +# a mute. (integer value) +#mute_child_interval=300 + +# Seconds between bandwidth updates for cells. (integer value) +#bandwidth_update_interval=600 + + +# +# Options defined in nova.cells.rpc_driver +# + +# Base queue name to use when communicating between cells. +# Various topics by message type will be appended to this. +# (string value) +#rpc_driver_queue_base=cells.intercell + + +# +# Options defined in nova.cells.scheduler +# + +# Filter classes the cells scheduler should use. An entry of +# "nova.cells.filters.all_filters" maps to all cells filters +# included with nova. (list value) +#scheduler_filter_classes=nova.cells.filters.all_filters + +# Weigher classes the cells scheduler should use. An entry of +# "nova.cells.weights.all_weighers" maps to all cell weighers +# included with nova. (list value) +#scheduler_weight_classes=nova.cells.weights.all_weighers + +# How many retries when no cells are available. 
(integer +# value) +#scheduler_retries=10 + +# How often to retry in seconds when no cells are available. +# (integer value) +#scheduler_retry_delay=2 + + +# +# Options defined in nova.cells.state +# + +# Interval, in seconds, for getting fresh cell information +# from the database. (integer value) +#db_check_interval=60 + +# Configuration file from which to read cells configuration. +# If given, overrides reading cells from the database. (string +# value) +#cells_config= + + +# +# Options defined in nova.cells.weights.mute_child +# + +# Multiplier used to weigh mute children. (The value should be +# negative.) (floating point value) +#mute_weight_multiplier=-10.0 + +# Weight value assigned to mute children. (The value should be +# positive.) (floating point value) +#mute_weight_value=1000.0 + + +# +# Options defined in nova.cells.weights.ram_by_instance_type +# + +# Multiplier used for weighing ram. Negative numbers mean to +# stack vs spread. (floating point value) +#ram_weight_multiplier=10.0 + + +# +# Options defined in nova.cells.weights.weight_offset +# + +# Multiplier used to weigh offset weigher. (floating point +# value) +#offset_weight_multiplier=1.0 + + +[cinder] + +# +# Options defined in nova.volume.cinder +# + +# Info to match when looking for cinder in the service +# catalog. Format is: separated values of the form: +# :: (string value) +#catalog_info=volumev2:cinderv2:publicURL + +# Override service catalog lookup with template for cinder +# endpoint e.g. http://localhost:8776/v1/%(project_id)s +# (string value) +#endpoint_template= + +# Number of cinderclient retries on failed http calls (integer +# value) +#http_retries=3 + +# Allow attach between instance and volume in different +# availability zones. 
(boolean value) +#cross_az_attach=true + + +[conductor] + +# +# Options defined in nova.conductor.api +# + +# Perform nova-conductor operations locally (boolean value) +#use_local=false + +# The topic on which conductor nodes listen (string value) +#topic=conductor + +# Full class name for the Manager for conductor (string value) +#manager=nova.conductor.manager.ConductorManager + +# Number of workers for OpenStack Conductor service. The +# default will be the number of CPUs available. (integer +# value) +#workers= + + +[database] + +# +# From oslo.db +# + +# The file name to use with SQLite. (string value) +# Deprecated group;name - DEFAULT;sqlite_db +#sqlite_db=oslo.sqlite + +# If True, SQLite uses synchronous mode. (boolean value) +# Deprecated group;name - DEFAULT;sqlite_synchronous +#sqlite_synchronous=true + +# The back end to use for the database. (string value) +# Deprecated group;name - DEFAULT;db_backend +#backend=sqlalchemy + +# The SQLAlchemy connection string to use to connect to the database. (string +# value) +# Deprecated group;name - DEFAULT;sql_connection +# Deprecated group;name - [DATABASE]/sql_connection +# Deprecated group;name - [sql]/connection +#connection= + +# The SQLAlchemy connection string to use to connect to the slave database. +# (string value) +#slave_connection= + +# The SQL mode to be used for MySQL sessions. This option, including the +# default, overrides any server-set SQL mode. To use whatever SQL mode is set +# by the server configuration, set this to no value. Example: mysql_sql_mode= +# (string value) +#mysql_sql_mode=TRADITIONAL + +# Timeout before idle SQL connections are reaped. (integer value) +# Deprecated group;name - DEFAULT;sql_idle_timeout +# Deprecated group;name - [DATABASE]/sql_idle_timeout +# Deprecated group;name - [sql]/idle_timeout +#idle_timeout=3600 + +# Minimum number of SQL connections to keep open in a pool. 
(integer value) +# Deprecated group;name - DEFAULT;sql_min_pool_size +# Deprecated group;name - [DATABASE]/sql_min_pool_size +#min_pool_size=1 + +# Maximum number of SQL connections to keep open in a pool. (integer value) +# Deprecated group;name - DEFAULT;sql_max_pool_size +# Deprecated group;name - [DATABASE]/sql_max_pool_size +#max_pool_size= + +# Maximum number of database connection retries during startup. Set to -1 to +# specify an infinite retry count. (integer value) +# Deprecated group;name - DEFAULT;sql_max_retries +# Deprecated group;name - [DATABASE]/sql_max_retries +#max_retries=10 + +# Interval between retries of opening a SQL connection. (integer value) +# Deprecated group;name - DEFAULT;sql_retry_interval +# Deprecated group;name - [DATABASE]/reconnect_interval +#retry_interval=10 + +# If set, use this value for max_overflow with SQLAlchemy. (integer value) +# Deprecated group;name - DEFAULT;sql_max_overflow +# Deprecated group;name - [DATABASE]/sqlalchemy_max_overflow +#max_overflow= + +# Verbosity of SQL debugging information: 0=None, 100=Everything. (integer +# value) +# Deprecated group;name - DEFAULT;sql_connection_debug +#connection_debug=0 + +# Add Python stack traces to SQL as comment strings. (boolean value) +# Deprecated group;name - DEFAULT;sql_connection_trace +#connection_trace=false + +# If set, use this value for pool_timeout with SQLAlchemy. (integer value) +# Deprecated group;name - [DATABASE]/sqlalchemy_pool_timeout +#pool_timeout= + +# Enable the experimental use of database reconnect on connection lost. +# (boolean value) +#use_db_reconnect=false + +# Seconds between retries of a database transaction. (integer value) +#db_retry_interval=1 + +# If True, increases the interval between retries of a database operation up to +# db_max_retry_interval. (boolean value) +#db_inc_retry_interval=true + +# If db_inc_retry_interval is set, the maximum seconds between retries of a +# database operation. 
(integer value) +#db_max_retry_interval=10 + +# Maximum retries in case of connection error or deadlock error before error is +# raised. Set to -1 to specify an infinite retry count. (integer value) +#db_max_retries=20 + + +# +# Options defined in nova.db.sqlalchemy.api +# + +# The SQLAlchemy connection string to use to connect to the +# slave database. (string value) +#slave_connection= + +# The SQL mode to be used for MySQL sessions. This option, +# including the default, overrides any server-set SQL mode. To +# use whatever SQL mode is set by the server configuration, +# set this to no value. Example: mysql_sql_mode= (string +# value) +#mysql_sql_mode=TRADITIONAL + + +[ephemeral_storage_encryption] + +# +# Options defined in nova.compute.api +# + +# Whether to encrypt ephemeral storage (boolean value) +#enabled=false + +# The cipher and mode to be used to encrypt ephemeral storage. +# Which ciphers are available ciphers depends on kernel +# support. See /proc/crypto for the list of available options. +# (string value) +#cipher=aes-xts-plain64 + +# The bit length of the encryption key to be used to encrypt +# ephemeral storage (in XTS mode only half of the bits are +# used for encryption key) (integer value) +#key_size=512 + + +[glance] + +# +# Options defined in nova.image.glance +# + +# Default glance hostname or IP address (string value) +host={{controller}} + +# Default glance port (integer value) +#port=9292 + +# Default protocol to use when connecting to glance. Set to +# https for SSL. (string value) +#protocol=http + +# A list of the glance api servers available to nova. Prefix +# with https:// for ssl-based glance api servers. +# ([hostname|ip]:port) (list value) +#api_servers= + +# Allow to perform insecure SSL (https) requests to glance +# (boolean value) +#api_insecure=false + +# Number of retries when uploading / downloading an image to / +# from glance. 
(integer value) +#num_retries=0 + +# A list of url scheme that can be downloaded directly via the +# direct_url. Currently supported schemes: [file]. (list +# value) +#allowed_direct_url_schemes= + + +[guestfs] + +# +# Options defined in nova.virt.disk.vfs.guestfs +# + +# Enable guestfs debug (boolean value) +#debug=false + + +[hyperv] + +# +# Options defined in nova.virt.hyperv.pathutils +# + +# The name of a Windows share name mapped to the +# "instances_path" dir and used by the resize feature to copy +# files to the target host. If left blank, an administrative +# share will be used, looking for the same "instances_path" +# used locally (string value) +#instances_path_share= + + +# +# Options defined in nova.virt.hyperv.utilsfactory +# + +# Force V1 WMI utility classes (boolean value) +#force_hyperv_utils_v1=false + +# Force V1 volume utility class (boolean value) +#force_volumeutils_v1=false + + +# +# Options defined in nova.virt.hyperv.vif +# + +# External virtual switch Name, if not provided, the first +# external virtual switch is used (string value) +#vswitch_name= + + +# +# Options defined in nova.virt.hyperv.vmops +# + +# Required for live migration among hosts with different CPU +# features (boolean value) +#limit_cpu_features=false + +# Sets the admin password in the config drive image (boolean +# value) +#config_drive_inject_password=false + +# Path of qemu-img command which is used to convert between +# different image types (string value) +#qemu_img_cmd=qemu-img.exe + +# Attaches the Config Drive image as a cdrom drive instead of +# a disk drive (boolean value) +#config_drive_cdrom=false + +# Enables metrics collections for an instance by using +# Hyper-V's metric APIs. Collected data can by retrieved by +# other apps and services, e.g.: Ceilometer. Requires Hyper-V +# / Windows Server 2012 and above (boolean value) +#enable_instance_metrics_collection=false + +# Enables dynamic memory allocation (ballooning) when set to a +# value greater than 1. 
The value expresses the ratio between +# the total RAM assigned to an instance and its startup RAM +# amount. For example a ratio of 2.0 for an instance with +# 1024MB of RAM implies 512MB of RAM allocated at startup +# (floating point value) +#dynamic_memory_ratio=1.0 + +# Number of seconds to wait for instance to shut down after +# soft reboot request is made. We fall back to hard reboot if +# instance does not shutdown within this window. (integer +# value) +#wait_soft_reboot_seconds=60 + + +# +# Options defined in nova.virt.hyperv.volumeops +# + +# The number of times to retry to attach a volume (integer +# value) +#volume_attach_retry_count=10 + +# Interval between volume attachment attempts, in seconds +# (integer value) +#volume_attach_retry_interval=5 + +# The number of times to retry checking for a disk mounted via +# iSCSI. (integer value) +#mounted_disk_query_retry_count=10 + +# Interval between checks for a mounted iSCSI disk, in +# seconds. (integer value) +#mounted_disk_query_retry_interval=5 + + +[image_file_url] + +# +# Options defined in nova.image.download.file +# + +# List of file systems that are configured in this file in the +# image_file_url: sections (list value) +#filesystems= + + +[ironic] + +# +# Options defined in nova.virt.ironic.driver +# + +# Version of Ironic API service endpoint. (integer value) +#api_version=1 + +# URL for Ironic API endpoint. (string value) +#api_endpoint= + +# Ironic keystone admin name (string value) +#admin_username= + +# Ironic keystone admin password. (string value) +#admin_password=%SERVICE_PASSWORD% + +# Ironic keystone auth token. (string value) +#admin_auth_token= + +# Keystone public API endpoint. (string value) +#admin_url= + +# Log level override for ironicclient. Set this in order to +# override the global "default_log_levels", "verbose", and +# "debug" settings. DEPRECATED: use standard logging +# configuration. (string value) +#client_log_level= + +# Ironic keystone tenant name. 
(string value) +#admin_tenant_name=%SERVICE_TENANT_NAME% + +# How many retries when a request does conflict. (integer +# value) +#api_max_retries=60 + +# How often to retry in seconds when a request does conflict +# (integer value) +#api_retry_interval=2 + + +[keymgr] + +# +# Options defined in nova.keymgr +# + +# The full class name of the key manager API class (string +# value) +#api_class=nova.keymgr.conf_key_mgr.ConfKeyManager + + +# +# Options defined in nova.keymgr.conf_key_mgr +# + +# Fixed key returned by key manager, specified in hex (string +# value) +#fixed_key= + + +[keystone_authtoken] + +# +# From keystonemiddleware.auth_token +# + +# Complete public Identity API endpoint. (string value) +auth_uri = http://{{controller}}:5000 +auth_url = http://{{controller}}:35357 + +auth_plugin = password +project_domain_id = default +user_domain_id = default +project_name = service +username = {{keystone.user}} +password = {{keystone.password}} + +# API version of the admin Identity API endpoint. (string value) +#auth_version=v2.0 + +# Do not handle authorization requests within the middleware, but delegate the +# authorization decision to downstream WSGI components. (boolean value) +#delay_auth_decision=false + +# Request timeout value for communicating with Identity API server. (integer +# value) +#http_connect_timeout= + +# How many times are we trying to reconnect when communicating with Identity +# API Server. (integer value) +#http_request_max_retries=3 + +# Env key for the swift cache. (string value) +#cache= + +# Required if identity server requires client certificate (string value) +#certfile= + +# Required if identity server requires client certificate (string value) +#keyfile= + +# A PEM encoded Certificate Authority to use when verifying HTTPs connections. +# Defaults to system CAs. (string value) +#cafile= + +# Verify HTTPS connections. (boolean value) +#insecure=false + +# Directory used to cache files related to PKI tokens. 
(string value) +#signing_dir= + +# Optionally specify a list of memcached server(s) to use for caching. If left +# undefined, tokens will instead be cached in-process. (list value) +# Deprecated group;name - DEFAULT;memcache_servers +#memcached_servers= + +# In order to prevent excessive effort spent validating tokens, the middleware +# caches previously-seen tokens for a configurable duration (in seconds). Set +# to -1 to disable caching completely. (integer value) +#token_cache_time=300 + +# Determines the frequency at which the list of revoked tokens is retrieved +# from the Identity service (in seconds). A high number of revocation events +# combined with a low cache duration may significantly reduce performance. +# (integer value) +#revocation_cache_time=10 + +# (Optional) If defined, indicate whether token data should be authenticated or +# authenticated and encrypted. Acceptable values are MAC or ENCRYPT. If MAC, +# token data is authenticated (with HMAC) in the cache. If ENCRYPT, token data +# is encrypted and authenticated in the cache. If the value is not one of these +# options or empty, auth_token will raise an exception on initialization. +# (string value) +#memcache_security_strategy= + +# (Optional, mandatory if memcache_security_strategy is defined) This string is +# used for key derivation. (string value) +#memcache_secret_key= + +# (Optional) Number of seconds memcached server is considered dead before it is +# tried again. (integer value) +#memcache_pool_dead_retry=300 + +# (Optional) Maximum total number of open connections to every memcached +# server. (integer value) +#memcache_pool_maxsize=10 + +# (Optional) Socket timeout in seconds for communicating with a memcache +# server. (integer value) +#memcache_pool_socket_timeout=3 + +# (Optional) Number of seconds a connection to memcached is held unused in the +# pool before it is closed. 
(integer value) +#memcache_pool_unused_timeout=60 + +# (Optional) Number of seconds that an operation will wait to get a memcache +# client connection from the pool. (integer value) +#memcache_pool_conn_get_timeout=10 + +# (Optional) Use the advanced (eventlet safe) memcache client pool. The +# advanced pool will only work under python 2.x. (boolean value) +#memcache_use_advanced_pool=false + +# (Optional) Indicate whether to set the X-Service-Catalog header. If False, +# middleware will not ask for service catalog on token validation and will not +# set the X-Service-Catalog header. (boolean value) +#include_service_catalog=true + +# Used to control the use and type of token binding. Can be set to: "disabled" +# to not check token binding. "permissive" (default) to validate binding +# information if the bind type is of a form known to the server and ignore it +# if not. "strict" like "permissive" but if the bind type is unknown the token +# will be rejected. "required" any form of token binding is needed to be +# allowed. Finally the name of a binding method that must be present in tokens. +# (string value) +#enforce_token_bind=permissive + +# If true, the revocation list will be checked for cached tokens. This requires +# that PKI tokens are configured on the identity server. (boolean value) +#check_revocations_for_cached=false + +# Hash algorithms to use for hashing PKI tokens. This may be a single algorithm +# or multiple. The algorithms are those supported by Python standard +# hashlib.new(). The hashes will be tried in the order given, so put the +# preferred one first for performance. The result of the first hash will be +# stored in the cache. This will typically be set to multiple values only while +# migrating from a less secure algorithm to a more secure one. Once all the old +# tokens are expired this option should be set to a single value for better +# performance. (list value) +#hash_algorithms=md5 + +# Prefix to prepend at the beginning of the path. 
Deprecated, use identity_uri. +# (string value) +#auth_admin_prefix = + +# Host providing the admin Identity API endpoint. Deprecated, use identity_uri. +# (string value) +#auth_host=127.0.0.1 + +# Port of the admin Identity API endpoint. Deprecated, use identity_uri. +# (integer value) +#auth_port=35357 + +# Protocol of the admin Identity API endpoint (http or https). Deprecated, use +# identity_uri. (string value) +#auth_protocol=http + +# Complete admin Identity API endpoint. This should specify the unversioned +# root endpoint e.g. https://localhost:35357/ (string value) +#identity_uri= + +# This option is deprecated and may be removed in a future release. Single +# shared secret with the Keystone configuration used for bootstrapping a +# Keystone installation, or otherwise bypassing the normal authentication +# process. This option should not be used, use `admin_user` and +# `admin_password` instead. (string value) +#admin_token= + +# Service username. (string value) +#admin_user=%SERVICE_USER% + +# Service user password. (string value) +#admin_password= + +# Service tenant name. (string value) +#admin_tenant_name=admin + + +[libvirt] + +# +# Options defined in nova.virt.libvirt.driver +# + +# Rescue ami image. This will not be used if an image id is +# provided by the user. (string value) +#rescue_image_id= + +# Rescue aki image (string value) +#rescue_kernel_id= + +# Rescue ari image (string value) +#rescue_ramdisk_id= + +# Libvirt domain type (valid options are: kvm, lxc, qemu, uml, +# xen and parallels) (string value) +virt_type={{virt_type}} + +# Override the default libvirt URI (which is dependent on +# virt_type) (string value) +#connection_uri= + +# Inject the admin password at boot time, without an agent. 
+# (boolean value) +#inject_password=false + +# Inject the ssh public key at boot time (boolean value) +#inject_key=false + +# The partition to inject to : -2 => disable, -1 => inspect +# (libguestfs only), 0 => not partitioned, >0 => partition +# number (integer value) +#inject_partition=-2 + +# Sync virtual and real mouse cursors in Windows VMs (boolean +# value) +#use_usb_tablet=true + +# Migration target URI (any included "%s" is replaced with the +# migration target hostname) (string value) +#live_migration_uri=qemu+tcp://%s/system + +# Migration flags to be set for live migration (string value) +#live_migration_flag=VIR_MIGRATE_UNDEFINE_SOURCE, VIR_MIGRATE_PEER2PEER, VIR_MIGRATE_LIVE, VIR_MIGRATE_TUNNELLED + +# Migration flags to be set for block migration (string value) +#block_migration_flag=VIR_MIGRATE_UNDEFINE_SOURCE, VIR_MIGRATE_PEER2PEER, VIR_MIGRATE_LIVE, VIR_MIGRATE_TUNNELLED, VIR_MIGRATE_NON_SHARED_INC + +# Maximum bandwidth to be used during migration, in Mbps +# (integer value) +#live_migration_bandwidth=0 + +# Snapshot image format (valid options are : raw, qcow2, vmdk, +# vdi). Defaults to same as source image (string value) +#snapshot_image_format= + +# Override the default disk prefix for the devices attached to +# a server, which is dependent on virt_type. (valid options +# are: sd, xvd, uvd, vd) (string value) +#disk_prefix= + +# Number of seconds to wait for instance to shut down after +# soft reboot request is made. We fall back to hard reboot if +# instance does not shutdown within this window. (integer +# value) +#wait_soft_reboot_seconds=120 + +# Set to "host-model" to clone the host CPU feature flags; to +# "host-passthrough" to use the host CPU model exactly; to +# "custom" to use a named CPU model; to "none" to not set any +# CPU model. 
If virt_type="kvm|qemu", it will default to +# "host-model", otherwise it will default to "none" (string +# value) +#cpu_mode= + +# Set to a named libvirt CPU model (see names listed in +# /usr/share/libvirt/cpu_map.xml). Only has effect if +# cpu_mode="custom" and virt_type="kvm|qemu" (string value) +#cpu_model= + +# Location where libvirt driver will store snapshots before +# uploading them to image service (string value) +#snapshots_directory=$instances_path/snapshots + +# Location where the Xen hvmloader is kept (string value) +#xen_hvmloader_path=/usr/lib/xen/boot/hvmloader + +# Specific cachemodes to use for different disk types e.g: +# file=directsync,block=none (list value) +#disk_cachemodes= + +# A path to a device that will be used as source of entropy on +# the host. Permitted options are: /dev/random or /dev/hwrng +# (string value) +#rng_dev_path= + +# For qemu or KVM guests, set this option to specify a default +# machine type per host architecture. You can find a list of +# supported machine types in your environment by checking the +# output of the "virsh capabilities"command. The format of the +# value for this config option is host-arch=machine-type. For +# example: x86_64=machinetype1,armv7l=machinetype2 (list +# value) +#hw_machine_type= + +# The data source used to the populate the host "serial" UUID +# exposed to guest in the virtual BIOS. Permitted options are +# "hardware", "os", "none" or "auto" (default). (string value) +#sysinfo_serial=auto + +# A number of seconds to memory usage statistics period. Zero +# or negative value mean to disable memory usage statistics. +# (integer value) +#mem_stats_period_seconds=10 + +# List of uid targets and ranges.Syntax is guest-uid:host- +# uid:countMaximum of 5 allowed. (list value) +#uid_maps= + +# List of guid targets and ranges.Syntax is guest-gid:host- +# gid:countMaximum of 5 allowed. (list value) +#gid_maps= + + +# +# Options defined in nova.virt.libvirt.imagebackend +# + +# VM Images format. 
Acceptable values are: raw, qcow2, lvm, +# rbd, default. If default is specified, then use_cow_images +# flag is used instead of this one. (string value) +#images_type=default + +# LVM Volume Group that is used for VM images, when you +# specify images_type=lvm. (string value) +#images_volume_group= + +# Create sparse logical volumes (with virtualsize) if this +# flag is set to True. (boolean value) +#sparse_logical_volumes=false + +# The RADOS pool in which rbd volumes are stored (string +# value) +#images_rbd_pool=rbd + +# Path to the ceph configuration file to use (string value) +#images_rbd_ceph_conf= + +# Discard option for nova managed disks (valid options are: +# ignore, unmap). Need Libvirt(1.0.6) Qemu1.5 (raw format) +# Qemu1.6(qcow2 format) (string value) +#hw_disk_discard= + + +# +# Options defined in nova.virt.libvirt.imagecache +# + +# Allows image information files to be stored in non-standard +# locations (string value) +#image_info_filename_pattern=$instances_path/$image_cache_subdirectory_name/%(image)s.info + +# Should unused kernel images be removed? This is only safe to +# enable if all compute nodes have been updated to support +# this option. This will be enabled by default in future. +# (boolean value) +#remove_unused_kernels=false + +# Unused resized base images younger than this will not be +# removed (integer value) +#remove_unused_resized_minimum_age_seconds=3600 + +# Write a checksum for files in _base to disk (boolean value) +#checksum_base_images=false + +# How frequently to checksum base images (integer value) +#checksum_interval_seconds=3600 + + +# +# Options defined in nova.virt.libvirt.lvm +# + +# Method used to wipe old volumes (valid options are: none, +# zero, shred) (string value) +#volume_clear=zero + +# Size in MiB to wipe at start of old volumes. 0 => all +# (integer value) +#volume_clear_size=0 + + +# +# Options defined in nova.virt.libvirt.utils +# + +# Compress snapshot images when possible. 
This currently +# applies exclusively to qcow2 images (boolean value) +#snapshot_compression=false + + +# +# Options defined in nova.virt.libvirt.vif +# + +# Use virtio for bridge interfaces with KVM/QEMU (boolean +# value) +#use_virtio_for_bridges=true + + +# +# Options defined in nova.virt.libvirt.volume +# + +# Number of times to rescan iSCSI target to find volume +# (integer value) +#num_iscsi_scan_tries=5 + +# Number of times to rescan iSER target to find volume +# (integer value) +#num_iser_scan_tries=5 + +# The RADOS client name for accessing rbd volumes (string +# value) +#rbd_user= + +# The libvirt UUID of the secret for the rbd_uservolumes +# (string value) +#rbd_secret_uuid= + +# Directory where the NFS volume is mounted on the compute +# node (string value) +#nfs_mount_point_base=$state_path/mnt + +# Mount options passed to the NFS client. See section of the +# nfs man page for details (string value) +#nfs_mount_options= + +# Directory where the SMBFS shares are mounted on the compute +# node (string value) +#smbfs_mount_point_base=$state_path/mnt + +# Mount options passed to the SMBFS client. See mount.cifs man +# page for details. Note that the libvirt-qemu uid and gid +# must be specified. (string value) +#smbfs_mount_options= + +# Number of times to rediscover AoE target to find volume +# (integer value) +#num_aoe_discover_tries=3 + +# Directory where the glusterfs volume is mounted on the +# compute node (string value) +#glusterfs_mount_point_base=$state_path/mnt + +# Use multipath connection of the iSCSI volume (boolean value) +#iscsi_use_multipath=false + +# Use multipath connection of the iSER volume (boolean value) +#iser_use_multipath=false + +# Path or URL to Scality SOFS configuration file (string +# value) +#scality_sofs_config= + +# Base dir where Scality SOFS shall be mounted (string value) +#scality_sofs_mount_point=$state_path/scality + +# Protocols listed here will be accessed directly from QEMU. 
+# Currently supported protocols: [gluster] (list value) +#qemu_allowed_storage_drivers= + +# Directory where the Quobyte volume is mounted on the compute +# node (string value) +#quobyte_mount_point_base=$state_path/mnt + +# Path to a Quobyte Client configuration file. (string value) +#quobyte_client_cfg= + +# The iSCSI transport iface to use to connect to target in +# case offload support is desired. Supported transports are +# be2iscsi, bnx2i, cxgb3i, cxgb4i, qla4xxx and ocs. Default +# format is transport_name.hwaddress and can be generated +# manually or via iscsiadm -m iface (string value) +# Deprecated group;name - DEFAULT;iscsi_transport +#iscsi_iface= + + +[metrics] + +# +# Options defined in nova.scheduler.weights.metrics +# + +# Multiplier used for weighing metrics. (floating point value) +#weight_multiplier=1.0 + +# How the metrics are going to be weighed. This should be in +# the form of "=, =, ...", where +# is one of the metrics to be weighed, and is +# the corresponding ratio. So for "name1=1.0, name2=-1.0" The +# final weight would be name1.value * 1.0 + name2.value * +# -1.0. (list value) +#weight_setting= + +# How to treat the unavailable metrics. When a metric is NOT +# available for a host, if it is set to be True, it would +# raise an exception, so it is recommended to use the +# scheduler filter MetricFilter to filter out those hosts. If +# it is set to be False, the unavailable metric would be +# treated as a negative factor in weighing process, the +# returned value would be set by the option +# weight_of_unavailable. (boolean value) +#required=true + +# The final weight value to be returned if required is set to +# False and any one of the metrics set by weight_setting is +# unavailable. (floating point value) +#weight_of_unavailable=-10000.0 + + +[neutron] + +# +# Options defined in nova.api.metadata.handler +# + +# Set flag to indicate Neutron will proxy metadata requests +# and resolve instance ids. 
(boolean value) +#service_metadata_proxy=false + +# Shared secret to validate proxies Neutron metadata requests +# (string value) +#metadata_proxy_shared_secret= + + +# +# Options defined in nova.network.neutronv2.api +# + +# URL for connecting to neutron (string value) +#url=http://127.0.0.1:9696 + +# User id for connecting to neutron in admin context. +# DEPRECATED: specify an auth_plugin and appropriate +# credentials instead. (string value) +#admin_user_id= + +# Username for connecting to neutron in admin context +# DEPRECATED: specify an auth_plugin and appropriate +# credentials instead. (string value) +#admin_username= + +# Password for connecting to neutron in admin context +# DEPRECATED: specify an auth_plugin and appropriate +# credentials instead. (string value) +#admin_password= + +# Tenant id for connecting to neutron in admin context +# DEPRECATED: specify an auth_plugin and appropriate +# credentials instead. (string value) +#admin_tenant_id= + +# Tenant name for connecting to neutron in admin context. This +# option will be ignored if neutron_admin_tenant_id is set. +# Note that with Keystone V3 tenant names are only unique +# within a domain. DEPRECATED: specify an auth_plugin and +# appropriate credentials instead. (string value) +#admin_tenant_name= + +# Region name for connecting to neutron in admin context +# (string value) +#region_name= + +# Authorization URL for connecting to neutron in admin +# context. DEPRECATED: specify an auth_plugin and appropriate +# credentials instead. (string value) +#admin_auth_url=http://localhost:5000/v2.0 + +# Authorization strategy for connecting to neutron in admin +# context. DEPRECATED: specify an auth_plugin and appropriate +# credentials instead. If an auth_plugin is specified strategy +# will be ignored. 
(string value) +#auth_strategy=keystone + +# Name of Integration Bridge used by Open vSwitch (string +# value) +#ovs_bridge=br-int + +# Number of seconds before querying neutron for extensions +# (integer value) +#extension_sync_interval=600 + +# DEPRECATED: Allow an instance to have multiple vNICs +# attached to the same Neutron network. This option is +# deprecated in the 2015.1 release and will be removed in the +# 2015.2 release where the default behavior will be to always +# allow multiple ports from the same network to be attached to +# an instance. (boolean value) +#allow_duplicate_networks=false + + +[osapi_v3] + +# +# Options defined in nova.api.openstack +# + +# Whether the V3 API is enabled or not (boolean value) +#enabled=false + +# A list of v3 API extensions to never load. Specify the +# extension aliases here. (list value) +#extensions_blacklist= + +# If the list is not empty then a v3 API extension will only +# be loaded if it exists in this list. Specify the extension +# aliases here. (list value) +#extensions_whitelist= + + +[rdp] + +# +# Options defined in nova.rdp +# + +# Location of RDP html5 console proxy, in the form +# "http://127.0.0.1:6083/" (string value) +#html5_proxy_base_url=http://127.0.0.1:6083/ + +# Enable RDP related features (boolean value) +#enabled=false + + +[serial_console] + +# +# Options defined in nova.cmd.serialproxy +# + +# Host on which to listen for incoming requests (string value) +#serialproxy_host=0.0.0.0 + +# Port on which to listen for incoming requests (integer +# value) +#serialproxy_port=6083 + + +# +# Options defined in nova.console.serial +# + +# Enable serial console related features (boolean value) +#enabled=false + +# Range of TCP ports to use for serial ports on compute hosts +# (string value) +#port_range=10000:20000 + +# Location of serial console proxy. 
(string value) +#base_url=ws://127.0.0.1:6083/ + +# IP address on which instance serial console should listen +# (string value) +#listen=127.0.0.1 + +# The address to which proxy clients (like nova-serialproxy) +# should connect (string value) +#proxyclient_address=127.0.0.1 + + +[spice] + +# +# Options defined in nova.cmd.spicehtml5proxy +# + +# Host on which to listen for incoming requests (string value) +#html5proxy_host=0.0.0.0 + +# Port on which to listen for incoming requests (integer +# value) +#html5proxy_port=6082 + + +# +# Options defined in nova.spice +# + +# Location of spice HTML5 console proxy, in the form +# "http://127.0.0.1:6082/spice_auto.html" (string value) +#html5proxy_base_url=http://127.0.0.1:6082/spice_auto.html + +# IP address on which instance spice server should listen +# (string value) +#server_listen=127.0.0.1 + +# The address to which proxy clients (like nova- +# spicehtml5proxy) should connect (string value) +#server_proxyclient_address=127.0.0.1 + +# Enable spice related features (boolean value) +#enabled=false + +# Enable spice guest agent support (boolean value) +#agent_enabled=true + +# Keymap for spice (string value) +#keymap=en-us + + +[ssl] + +# +# Options defined in nova.openstack.common.sslutils +# + +# CA certificate file to use to verify connecting clients. +# (string value) +#ca_file= + +# Certificate file to use when starting the server securely. +# (string value) +#cert_file= + +# Private key file to use when starting the server securely. 
+# (string value) +#key_file= + + +[trusted_computing] + +# +# Options defined in nova.scheduler.filters.trusted_filter +# + +# Attestation server HTTP (string value) +#attestation_server= + +# Attestation server Cert file for Identity verification +# (string value) +#attestation_server_ca_file= + +# Attestation server port (string value) +#attestation_port=8443 + +# Attestation web API URL (string value) +#attestation_api_url=/OpenAttestationWebServices/V1.0 + +# Attestation authorization blob - must change (string value) +#attestation_auth_blob= + +# Attestation status cache valid period length (integer value) +#attestation_auth_timeout=60 + +# Disable SSL cert verification for Attestation service +# (boolean value) +#attestation_insecure_ssl=false + + +[upgrade_levels] + +# +# Options defined in nova.baserpc +# + +# Set a version cap for messages sent to the base api in any +# service (string value) +#baseapi= + + +# +# Options defined in nova.cells.rpc_driver +# + +# Set a version cap for messages sent between cells services +# (string value) +#intercell= + + +# +# Options defined in nova.cells.rpcapi +# + +# Set a version cap for messages sent to local cells services +# (string value) +#cells= + + +# +# Options defined in nova.cert.rpcapi +# + +# Set a version cap for messages sent to cert services (string +# value) +#cert= + + +# +# Options defined in nova.compute.rpcapi +# + +# Set a version cap for messages sent to compute services. If +# you plan to do a live upgrade from havana to icehouse, you +# should set this option to "icehouse-compat" before beginning +# the live upgrade procedure. 
(string value) +#compute= + + +# +# Options defined in nova.conductor.rpcapi +# + +# Set a version cap for messages sent to conductor services +# (string value) +#conductor= + + +# +# Options defined in nova.console.rpcapi +# + +# Set a version cap for messages sent to console services +# (string value) +#console= + + +# +# Options defined in nova.consoleauth.rpcapi +# + +# Set a version cap for messages sent to consoleauth services +# (string value) +#consoleauth= + + +# +# Options defined in nova.network.rpcapi +# + +# Set a version cap for messages sent to network services +# (string value) +#network= + + +# +# Options defined in nova.scheduler.rpcapi +# + +# Set a version cap for messages sent to scheduler services +# (string value) +#scheduler= + + +[vmware] + +# +# Options defined in nova.virt.vmwareapi.driver +# + +# The PBM status. (boolean value) +#pbm_enabled=false + +# PBM service WSDL file location URL. e.g. +# file:///opt/SDK/spbm/wsdl/pbmService.wsdl Not setting this +# will disable storage policy based placement of instances. +# (string value) +#pbm_wsdl_location= + +# The PBM default policy. If pbm_wsdl_location is set and +# there is no defined storage policy for the specific request +# then this policy will be used. (string value) +#pbm_default_policy= + +# Hostname or IP address for connection to VMware VC host. +# (string value) +#host_ip= + +# Port for connection to VMware VC host. (integer value) +#host_port=443 + +# Username for connection to VMware VC host. (string value) +#host_username= + +# Password for connection to VMware VC host. (string value) +#host_password= + +# Name of a VMware Cluster ComputeResource. (multi valued) +#cluster_name= + +# Regex to match the name of a datastore. (string value) +#datastore_regex= + +# The interval used for polling of remote tasks. (floating +# point value) +#task_poll_interval=0.5 + +# The number of times we retry on failures, e.g., socket +# error, etc. 
(integer value) +#api_retry_count=10 + +# VNC starting port (integer value) +#vnc_port=5900 + +# Total number of VNC ports (integer value) +#vnc_port_total=10000 + +# Whether to use linked clone (boolean value) +#use_linked_clone=true + +# Optional VIM Service WSDL Location e.g +# http:///vimService.wsdl. Optional over-ride to +# default location for bug work-arounds (string value) +#wsdl_location= + + +# +# Options defined in nova.virt.vmwareapi.vif +# + +# Physical ethernet adapter name for vlan networking (string +# value) +#vlan_interface=vmnic0 + +# Name of Integration Bridge (string value) +#integration_bridge=br-int + + +# +# Options defined in nova.virt.vmwareapi.vim_util +# + +# The maximum number of ObjectContent data objects that should +# be returned in a single result. A positive value will cause +# the operation to suspend the retrieval when the count of +# objects reaches the specified maximum. The server may still +# limit the count to something less than the configured value. +# Any remaining objects may be retrieved with additional +# requests. (integer value) +#maximum_objects=100 + + +# +# Options defined in nova.virt.vmwareapi.vmops +# + +# The prefix for Where cached images are stored. This is NOT +# the full path - just a folder prefix. This should only be +# used when a datastore cache should be shared between compute +# nodes. Note: this should only be used when the compute nodes +# have a shared file system. (string value) +#cache_prefix= + + +[workarounds] + +# +# Options defined in nova.utils +# + +# This option allows a fallback to sudo for performance +# reasons. For example see +# https://bugs.launchpad.net/nova/+bug/1415106 (boolean value) +#disable_rootwrap=false + +# When using libvirt 1.2.2 fails live snapshots intermittently +# under load. This config option provides mechanism to +# disable livesnapshot while this is resolved. 
See +# https://bugs.launchpad.net/nova/+bug/1334398 (boolean value) +#disable_libvirt_livesnapshot=true + +# Whether to destroy instances on startup when we suspect they +# have previously been evacuated. This can result in data loss +# if undesired. See https://launchpad.net/bugs/1419785 +# (boolean value) +#destroy_after_evacuate=true + + +[xenserver] + +# +# Options defined in nova.virt.xenapi.agent +# + +# Number of seconds to wait for agent reply (integer value) +#agent_timeout=30 + +# Number of seconds to wait for agent to be fully operational +# (integer value) +#agent_version_timeout=300 + +# Number of seconds to wait for agent reply to resetnetwork +# request (integer value) +#agent_resetnetwork_timeout=60 + +# Specifies the path in which the XenAPI guest agent should be +# located. If the agent is present, network configuration is +# not injected into the image. Used if +# compute_driver=xenapi.XenAPIDriver and flat_injected=True +# (string value) +#agent_path=usr/sbin/xe-update-networking + +# Disables the use of the XenAPI agent in any image regardless +# of what image properties are present. (boolean value) +#disable_agent=false + +# Determines if the XenAPI agent should be used when the image +# used does not contain a hint to declare if the agent is +# present or not. The hint is a glance property +# "xenapi_use_agent" that has the value "True" or "False". +# Note that waiting for the agent when it is not present will +# significantly increase server boot times. (boolean value) +#use_agent_default=false + + +# +# Options defined in nova.virt.xenapi.client.session +# + +# Timeout in seconds for XenAPI login. (integer value) +#login_timeout=10 + +# Maximum number of concurrent XenAPI connections. Used only +# if compute_driver=xenapi.XenAPIDriver (integer value) +#connection_concurrent=5 + + +# +# Options defined in nova.virt.xenapi.driver +# + +# URL for connection to XenServer/Xen Cloud Platform. 
A +# special value of unix://local can be used to connect to the +# local unix socket. Required if +# compute_driver=xenapi.XenAPIDriver (string value) +#connection_url= + +# Username for connection to XenServer/Xen Cloud Platform. +# Used only if compute_driver=xenapi.XenAPIDriver (string +# value) +#connection_username=root + +# Password for connection to XenServer/Xen Cloud Platform. +# Used only if compute_driver=xenapi.XenAPIDriver (string +# value) +#connection_password= + +# The interval used for polling of coalescing vhds. Used only +# if compute_driver=xenapi.XenAPIDriver (floating point value) +#vhd_coalesce_poll_interval=5.0 + +# Ensure compute service is running on host XenAPI connects +# to. (boolean value) +#check_host=true + +# Max number of times to poll for VHD to coalesce. Used only +# if compute_driver=xenapi.XenAPIDriver (integer value) +#vhd_coalesce_max_attempts=20 + +# Base path to the storage repository (string value) +#sr_base_path=/var/run/sr-mount + +# The iSCSI Target Host (string value) +#target_host= + +# The iSCSI Target Port, default is port 3260 (string value) +#target_port=3260 + +# IQN Prefix (string value) +#iqn_prefix=iqn.2010-10.org.openstack + +# Used to enable the remapping of VBD dev (Works around an +# issue in Ubuntu Maverick) (boolean value) +#remap_vbd_dev=false + +# Specify prefix to remap VBD dev to (ex. /dev/xvdb -> +# /dev/sdb) (string value) +#remap_vbd_dev_prefix=sd + + +# +# Options defined in nova.virt.xenapi.image.bittorrent +# + +# Base URL for torrent files. (string value) +#torrent_base_url= + +# Probability that peer will become a seeder. (1.0 = 100%) +# (floating point value) +#torrent_seed_chance=1.0 + +# Number of seconds after downloading an image via BitTorrent +# that it should be seeded for other peers. 
(integer value) +#torrent_seed_duration=3600 + +# Cached torrent files not accessed within this number of +# seconds can be reaped (integer value) +#torrent_max_last_accessed=86400 + +# Beginning of port range to listen on (integer value) +#torrent_listen_port_start=6881 + +# End of port range to listen on (integer value) +#torrent_listen_port_end=6891 + +# Number of seconds a download can remain at the same progress +# percentage w/o being considered a stall (integer value) +#torrent_download_stall_cutoff=600 + +# Maximum number of seeder processes to run concurrently +# within a given dom0. (-1 = no limit) (integer value) +#torrent_max_seeder_processes_per_host=1 + + +# +# Options defined in nova.virt.xenapi.pool +# + +# To use for hosts with different CPUs (boolean value) +#use_join_force=true + + +# +# Options defined in nova.virt.xenapi.vif +# + +# Name of Integration Bridge used by Open vSwitch (string +# value) +#ovs_integration_bridge=xapi1 + + +# +# Options defined in nova.virt.xenapi.vm_utils +# + +# Cache glance images locally. `all` will cache all images, +# `some` will only cache images that have the image_property +# `cache_in_nova=True`, and `none` turns off caching entirely +# (string value) +#cache_images=all + +# Compression level for images, e.g., 9 for gzip -9. Range is +# 1-9, 9 being most compressed but most CPU intensive on dom0. +# (integer value) +#image_compression_level= + +# Default OS type (string value) +#default_os_type=linux + +# Time to wait for a block device to be created (integer +# value) +#block_device_creation_timeout=10 + +# Maximum size in bytes of kernel or ramdisk images (integer +# value) +#max_kernel_ramdisk_size=16777216 + +# Filter for finding the SR to be used to install guest +# instances on. To use the Local Storage in default +# XenServer/XCP installations set this flag to other-config +# :i18n-key=local-storage. 
To select an SR with a different +# matching criteria, you could set it to other- +# config:my_favorite_sr=true. On the other hand, to fall back +# on the Default SR, as displayed by XenCenter, set this flag +# to: default-sr:true (string value) +#sr_matching_filter=default-sr:true + +# Whether to use sparse_copy for copying data on a resize down +# (False will use standard dd). This speeds up resizes down +# considerably since large runs of zeros won't have to be +# rsynced (boolean value) +#sparse_copy=true + +# Maximum number of retries to unplug VBD. if <=0, should try +# once and no retry (integer value) +#num_vbd_unplug_retries=10 + +# Whether or not to download images via Bit Torrent +# (all|some|none). (string value) +#torrent_images=none + +# Name of network to use for booting iPXE ISOs (string value) +#ipxe_network_name= + +# URL to the iPXE boot menu (string value) +#ipxe_boot_menu_url= + +# Name and optionally path of the tool used for ISO image +# creation (string value) +#ipxe_mkisofs_cmd=mkisofs + + +# +# Options defined in nova.virt.xenapi.vmops +# + +# Number of seconds to wait for instance to go to running +# state (integer value) +#running_timeout=60 + +# The XenAPI VIF driver using XenServer Network APIs. (string +# value) +#vif_driver=nova.virt.xenapi.vif.XenAPIBridgeDriver + +# Dom0 plugin driver used to handle image uploads. 
(string +# value) +#image_upload_handler=nova.virt.xenapi.image.glance.GlanceStore + + +# +# Options defined in nova.virt.xenapi.volume_utils +# + +# Number of seconds to wait for an SR to settle if the VDI +# does not exist when first introduced (integer value) +#introduce_vdi_retry_wait=20 + + +[zookeeper] + +# +# Options defined in nova.servicegroup.drivers.zk +# + +# The ZooKeeper addresses for servicegroup service in the +# format of host1:port,host2:port,host3:port (string value) +#address= + +# The recv_timeout parameter for the zk session (integer +# value) +#recv_timeout=4000 + +# The prefix used in ZooKeeper to store ephemeral nodes +# (string value) +#sg_prefix=/servicegroups + +# Number of seconds to wait until retrying to join the session +# (integer value) +#sg_retry_interval=5 + + +[matchmaker_redis] + +# +# From oslo.messaging +# + +# Host to locate redis. (string value) +#host=127.0.0.1 + +# Use this port to connect to redis host. (integer value) +#port=6379 + +# Password for Redis server (optional). (string value) +#password= + + +[matchmaker_ring] + +# +# From oslo.messaging +# + +# Matchmaker ring file (JSON). (string value) +# Deprecated group;name - DEFAULT;matchmaker_ringfile +#ringfile=/etc/oslo/matchmaker_ring.json + + +[oslo_concurrency] + +# +# From oslo.concurrency +# + +# Enables or disables inter-process locks. (boolean value) +# Deprecated group;name - DEFAULT;disable_process_locking +#disable_process_locking=false + +# Directory to use for lock files. For security, the specified directory +# should only be writable by the user running the processes that need locking. +# Defaults to environment variable OSLO_LOCK_PATH. If external locks are used, +# a lock path must be set. 
(string value) +# Deprecated group;name - DEFAULT;lock_path +lock_path=/var/lib/nova/tmp + + +[oslo_messaging_amqp] + +# +# From oslo.messaging +# + +# address prefix used when sending to a specific server (string value) +# Deprecated group;name - [amqp1]/server_request_prefix +#server_request_prefix=exclusive + +# address prefix used when broadcasting to all servers (string value) +# Deprecated group;name - [amqp1]/broadcast_prefix +#broadcast_prefix=broadcast + +# address prefix when sending to any server in group (string value) +# Deprecated group;name - [amqp1]/group_request_prefix +#group_request_prefix=unicast + +# Name for the AMQP container (string value) +# Deprecated group;name - [amqp1]/container_name +#container_name= + +# Timeout for inactive connections (in seconds) (integer value) +# Deprecated group;name - [amqp1]/idle_timeout +#idle_timeout=0 + +# Debug: dump AMQP frames to stdout (boolean value) +# Deprecated group;name - [amqp1]/trace +#trace=false + +# CA certificate PEM file for verifing server certificate (string value) +# Deprecated group;name - [amqp1]/ssl_ca_file +#ssl_ca_file = + +# Identifying certificate PEM file to present to clients (string value) +# Deprecated group;name - [amqp1]/ssl_cert_file +#ssl_cert_file = + +# Private key PEM file used to sign cert_file certificate (string value) +# Deprecated group;name - [amqp1]/ssl_key_file +#ssl_key_file = + +# Password for decrypting ssl_key_file (if encrypted) (string value) +# Deprecated group;name - [amqp1]/ssl_key_password +#ssl_key_password= + +# Accept clients using either SSL or plain TCP (boolean value) +# Deprecated group;name - [amqp1]/allow_insecure_clients +#allow_insecure_clients=false + + +[oslo_messaging_qpid] + +# +# From oslo.messaging +# + +# Use durable queues in AMQP. (boolean value) +# Deprecated group;name - DEFAULT;rabbit_durable_queues +#amqp_durable_queues=false + +# Auto-delete queues in AMQP. 
(boolean value) +# Deprecated group;name - DEFAULT;amqp_auto_delete +#amqp_auto_delete=false + +# Size of RPC connection pool. (integer value) +# Deprecated group;name - DEFAULT;rpc_conn_pool_size +#rpc_conn_pool_size=30 + +# Qpid broker hostname. (string value) +# Deprecated group;name - DEFAULT;qpid_hostname +#qpid_hostname=localhost + +# Qpid broker port. (integer value) +# Deprecated group;name - DEFAULT;qpid_port +#qpid_port=5672 + +# Qpid HA cluster host:port pairs. (list value) +# Deprecated group;name - DEFAULT;qpid_hosts +#qpid_hosts=$qpid_hostname:$qpid_port + +# Username for Qpid connection. (string value) +# Deprecated group;name - DEFAULT;qpid_username +#qpid_username = + +# Password for Qpid connection. (string value) +# Deprecated group;name - DEFAULT;qpid_password +#qpid_password = + +# Space separated list of SASL mechanisms to use for auth. (string value) +# Deprecated group;name - DEFAULT;qpid_sasl_mechanisms +#qpid_sasl_mechanisms = + +# Seconds between connection keepalive heartbeats. (integer value) +# Deprecated group;name - DEFAULT;qpid_heartbeat +#qpid_heartbeat=60 + +# Transport to use, either 'tcp' or 'ssl'. (string value) +# Deprecated group;name - DEFAULT;qpid_protocol +#qpid_protocol=tcp + +# Whether to disable the Nagle algorithm. (boolean value) +# Deprecated group;name - DEFAULT;qpid_tcp_nodelay +#qpid_tcp_nodelay=true + +# The number of prefetched messages held by receiver. (integer value) +# Deprecated group;name - DEFAULT;qpid_receiver_capacity +#qpid_receiver_capacity=1 + +# The qpid topology version to use. Version 1 is what was originally used by +# impl_qpid. Version 2 includes some backwards-incompatible changes that allow +# broker federation to work. Users should update to version 2 when they are +# able to take everything down, as it requires a clean break. 
(integer value) +# Deprecated group;name - DEFAULT;qpid_topology_version +#qpid_topology_version=1 + + +[oslo_messaging_rabbit] + +# +# From oslo.messaging +# + +# Use durable queues in AMQP. (boolean value) +# Deprecated group;name - DEFAULT;rabbit_durable_queues +#amqp_durable_queues=false + +# Auto-delete queues in AMQP. (boolean value) +# Deprecated group;name - DEFAULT;amqp_auto_delete +#amqp_auto_delete=false + +# Size of RPC connection pool. (integer value) +# Deprecated group;name - DEFAULT;rpc_conn_pool_size +#rpc_conn_pool_size=30 + +# SSL version to use (valid only if SSL enabled). Valid values are TLSv1 and +# SSLv23. SSLv2, SSLv3, TLSv1_1, and TLSv1_2 may be available on some +# distributions. (string value) +# Deprecated group;name - DEFAULT;kombu_ssl_version +#kombu_ssl_version = + +# SSL key file (valid only if SSL enabled). (string value) +# Deprecated group;name - DEFAULT;kombu_ssl_keyfile +#kombu_ssl_keyfile = + +# SSL cert file (valid only if SSL enabled). (string value) +# Deprecated group;name - DEFAULT;kombu_ssl_certfile +#kombu_ssl_certfile = + +# SSL certification authority file (valid only if SSL enabled). (string value) +# Deprecated group;name - DEFAULT;kombu_ssl_ca_certs +#kombu_ssl_ca_certs = + +# How long to wait before reconnecting in response to an AMQP consumer cancel +# notification. (floating point value) +# Deprecated group;name - DEFAULT;kombu_reconnect_delay +#kombu_reconnect_delay=1.0 + +# The RabbitMQ broker address where a single node is used. (string value) +# Deprecated group;name - DEFAULT;rabbit_host +rabbit_host={{controller}} + +# The RabbitMQ broker port where a single node is used. (integer value) +# Deprecated group;name - DEFAULT;rabbit_port +#rabbit_port=5672 + +# RabbitMQ HA cluster host:port pairs. (list value) +# Deprecated group;name - DEFAULT;rabbit_hosts +#rabbit_hosts=$rabbit_host:$rabbit_port + +# Connect over SSL for RabbitMQ. 
(boolean value) +# Deprecated group;name - DEFAULT;rabbit_use_ssl +#rabbit_use_ssl=false + +# The RabbitMQ userid. (string value) +# Deprecated group;name - DEFAULT;rabbit_userid +rabbit_userid={{rabbit.user}} + +# The RabbitMQ password. (string value) +# Deprecated group;name - DEFAULT;rabbit_password +rabbit_password={{rabbit.password}} + +# The RabbitMQ login method. (string value) +# Deprecated group;name - DEFAULT;rabbit_login_method +#rabbit_login_method=AMQPLAIN + +# The RabbitMQ virtual host. (string value) +# Deprecated group;name - DEFAULT;rabbit_virtual_host +#rabbit_virtual_host=/ + +# How frequently to retry connecting with RabbitMQ. (integer value) +#rabbit_retry_interval=1 + +# How long to backoff for between retries when connecting to RabbitMQ. (integer +# value) +# Deprecated group;name - DEFAULT;rabbit_retry_backoff +#rabbit_retry_backoff=2 + +# Maximum number of RabbitMQ connection retries. Default is 0 (infinite retry +# count). (integer value) +# Deprecated group;name - DEFAULT;rabbit_max_retries +#rabbit_max_retries=0 + +# Use HA queues in RabbitMQ (x-ha-policy: all). If you change this option, you +# must wipe the RabbitMQ database. (boolean value) +# Deprecated group;name - DEFAULT;rabbit_ha_queues +#rabbit_ha_queues=false + +# Number of seconds after which the Rabbit broker is considered down if +# heartbeat's keep-alive fails (0 disable the heartbeat). (integer value) +#heartbeat_timeout_threshold=60 + +# How often times during the heartbeat_timeout_threshold we check the +# heartbeat. (integer value) +#heartbeat_rate=2 + +# Deprecated, use rpc_backend=kombu+memory or rpc_backend=fake (boolean value) +# Deprecated group;name - DEFAULT;fake_rabbit +#fake_rabbit=false \ No newline at end of file 
diff --git a/contrib/ncf-openstack-technique/tree/50_techniques/openstack_repository/openstack_repository.cf b/contrib/ncf-openstack-technique/tree/50_techniques/openstack_repository/openstack_repository.cf
new file mode 100644
index 00000000..59493a35
--- /dev/null
+++ b/contrib/ncf-openstack-technique/tree/50_techniques/openstack_repository/openstack_repository.cf
@@ -0,0 +1,20 @@
+# @name openstack_repository
+# @description Install OpenStack repository.
+# @version 0.1
+
+bundle agent openstack_repository
+{
+ methods:
+ "method_call" usebundle => file_download("http://dl.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-7-5.noarch.rpm", "/root/.openstack/epel-release-7-5.noarch.rpm"),
+ ifvarclass => concat("any.redhat");
+ "method_call" usebundle => package_install("/root/.openstack/epel-release-7-5.noarch.rpm"),
+ ifvarclass => concat("any.redhat");
+ "method_call" usebundle => file_download("http://rdo.fedorapeople.org/openstack-kilo/rdo-release-kilo.rpm", "/root/.openstack/rdo-release-kilo.rpm"),
+ ifvarclass => concat("any.redhat");
+ "method_call" usebundle => package_install("/root/.openstack/rdo-release-kilo.rpm"),
+ ifvarclass => concat("any.redhat");
+ "method_call" usebundle => package_install("openstack-selinux"),
+ ifvarclass => concat("any.redhat");
+ "method_call" usebundle => package_install("jq"),
+ ifvarclass => concat("any.redhat");
+}
diff --git a/contrib/ncf-openstack-technique/tree/50_techniques/rabbitmq/defaults.json b/contrib/ncf-openstack-technique/tree/50_techniques/rabbitmq/defaults.json
new file mode 100644
index 00000000..b83472fe
--- /dev/null
+++ b/contrib/ncf-openstack-technique/tree/50_techniques/rabbitmq/defaults.json
@@ -0,0 +1,7 @@
+{
+ "users": [
+ {"username": "openstack_compute1", "password": "rabbitmq_password"},
+ {"username": "openstack_compute2", "password": "rabbitmq_password"},
+ {"username": "openstack_controller1", "password": "rabbitmq_password"}
+ ]
+}
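Review bot: Both `file_download` calls fetch release RPMs over plain `http://` and the very next method installs the downloaded file as-is, so nothing verifies what was received before it is installed as root; a release RPM also ships the repository GPG key, so rpm's own signature check cannot help for that first package. At minimum switch the two URLs to `https://dl.fedoraproject.org/...` and `https://rdo.fedorapeople.org/...`, and add a checksum check on the downloaded file (or a separate `ifvarclass` guard on it) before the `package_install` of each local `.rpm`. The pinned `epel-release-7-5` filename is also likely to disappear as EPEL rotates releases, so a comment such as `# TODO: pin by checksum rather than filename` would help the next maintainer.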
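Review bot: All three default users in `defaults.json` carry the same literal `"password": "rabbitmq_password"`, and since `rabbitmq.cf` loads this file and `set_users.sh` creates the accounts with full `".*" ".*" ".*"` permissions, any deployment that does not override the defaults ends up with a broker reachable with a credential published in this repository. Replace the value with an obvious placeholder such as `"CHANGE_ME"` and document in the README that `users` must be overridden per deployment; a complementary guard in `set_users.sh` that refuses an empty or placeholder password would make the failure loud instead of silent.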
diff --git a/contrib/ncf-openstack-technique/tree/50_techniques/rabbitmq/rabbitmq.cf b/contrib/ncf-openstack-technique/tree/50_techniques/rabbitmq/rabbitmq.cf
new file mode 100644
index 00000000..4ef2ef62
--- /dev/null
+++ b/contrib/ncf-openstack-technique/tree/50_techniques/rabbitmq/rabbitmq.cf
@@ -0,0 +1,16 @@
+# @name rabbitmq
+# @description Install, configure and ensure rabbitmq is running.
+# @version 0.1
+
+bundle agent rabbitmq
+{
+ methods:
+ "method_call" usebundle => data_load("${this.bundle}"),
+ ifvarclass => concat("any");
+ "method_call" usebundle => package_install("rabbitmq-server"),
+ ifvarclass => concat("any.redhat");
+ "method_call" usebundle => command_execution("sh ${variable_string.${this.bundle}_technique_path}/scripts/set_users.sh \"`echo '${data_json.${this.bundle}}' | jq -c '.users'`\""),
+ ifvarclass => concat("any");
+ "method_call" usebundle => service_ensure_running("rabbitmq-server"),
+ ifvarclass => concat("any.redhat");
+}
diff --git a/contrib/ncf-openstack-technique/tree/50_techniques/rabbitmq/scripts/set_users.sh b/contrib/ncf-openstack-technique/tree/50_techniques/rabbitmq/scripts/set_users.sh
new file mode 100644
index 00000000..35af541b
--- /dev/null
+++ b/contrib/ncf-openstack-technique/tree/50_techniques/rabbitmq/scripts/set_users.sh
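Review bot: The `command_execution` call in `rabbitmq.cf` expands the whole `data_json` document, passwords included, into the argv of `sh`, so the credentials are visible in the process list and in whatever command/report logging the agent performs for that promise. The same line embeds the JSON inside a single-quoted `'...'` literal, so any `'` in the data terminates the quote and the rest is interpreted by the shell. A safer shape is to render the `.users` array to a root-only file (the contrib already ships a file-rendering method in `30_generic_methods`, e.g. `file_from_template_mustache_data`, if its signature fits) and call `set_users.sh` with the file path, reading the JSON inside the script; I have not verified that method's arguments here, so confirm before adopting it.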
@@ -0,0 +1,30 @@
+#!/bin/sh
+
+data=${1}
+
+rabbitmqctl="/usr/sbin/rabbitmqctl -q"
+length=$((`echo ${data} | jq ". | length"`-1))
+users=`${rabbitmqctl} list_users | cut -f1`
+
+# Remove other users
+for user in $users; do
+ echo ${data} | jq -r ".[] | select(.username | contains(\"${user}\")) | .username" | grep ${user}
+ if [ $? -eq 0 ]; then
+ break
+ else
+ ${rabbitmqctl} delete_user ${user}
+ fi
+done;
+
+# Add given users if necessary
+for i in `seq 0 ${length}`; do
+ username=`echo ${data} | jq -r ".[${i}] | .username"`
+ password=`echo ${data} | jq -r ".[${i}] | .password"`
+ ${rabbitmqctl} list_user_permissions ${username}
+ if [ $? -eq 0 ]; then
+ break
+ else
+ ${rabbitmqctl} add_user ${username} ${password}
+ ${rabbitmqctl} set_permissions ${username} ".*" ".*" ".*"
+ fi
+done;
\ No newline at end of file
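Review bot: Both `if [ $? -eq 0 ]; then break` branches in `set_users.sh` leave the loop on the first match, so as soon as one existing user is encountered the remaining existing users are neither pruned nor created; both should be `continue`. The keep-or-delete decision in the first loop is a substring test (`contains(...)` piped to an unanchored `grep ${user}`), so an unrelated account whose name happens to be a substring of a configured one survives, and every `${data}`/`${user}`/`${username}` expansion is unquoted, which word-splits the JSON and lets shell metacharacters in a username reach the command line. The rewrite below quotes the expansions, matches names exactly with `grep -qxF --`, and silences `list_user_permissions` which is only used as an existence probe; note that `rabbitmqctl add_user` still receives the password as an argument, which is how this rabbitmqctl version takes it, so the JSON input itself should reach the script via a root-only file rather than argv (see the `rabbitmq.cf` caller).
```sh
# … unchanged: shebang, data=${1} …
rabbitmqctl="/usr/sbin/rabbitmqctl -q"
length=$(( $(printf '%s' "${data}" | jq '. | length') - 1 ))
users=$(${rabbitmqctl} list_users | cut -f1)

# Remove users not present in the given data (exact name match)
for user in ${users}; do
  if printf '%s' "${data}" | jq -r '.[] | .username' | grep -qxF -- "${user}"; then
    continue
  fi
  ${rabbitmqctl} delete_user "${user}"
done

# Add given users if necessary (existing users are left untouched)
for i in $(seq 0 "${length}"); do
  username=$(printf '%s' "${data}" | jq -r ".[${i}] | .username")
  password=$(printf '%s' "${data}" | jq -r ".[${i}] | .password")
  if ${rabbitmqctl} list_user_permissions "${username}" >/dev/null 2>&1; then
    continue
  fi
  ${rabbitmqctl} add_user "${username}" "${password}"
  ${rabbitmqctl} set_permissions "${username}" ".*" ".*" ".*"
done
```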