# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Default values for neutron.
# This is a YAML-formatted file.
# Declare name/value pairs to be passed into your templates.
# name: value
17
18---
19release_group: null
20
# Container image references used by the chart, keyed by the role that
# consumes each image.
# NOTE(review): every reference below is a tag, none is pinned by digest
# (@sha256:...). Tags can be re-pointed in the registry, so the content a
# node pulls may change without this file changing. Pin by digest, or mirror
# into a controlled registry, where image provenance has to be reproducible.
images:
  tags:
    bootstrap: docker.io/openstackhelm/heat:2024.1-ubuntu_jammy
    test: docker.io/xrally/xrally-openstack:2.0.0
    # NOTE(review): `latest` is a floating tag. With pull_policy
    # "IfNotPresent" (below) a node keeps whatever build it pulled first, so
    # nodes can end up running different content under the same reference.
    purge_test: docker.io/openstackhelm/ospurge:latest
    db_init: docker.io/openstackhelm/heat:2024.1-ubuntu_jammy
    neutron_db_sync: docker.io/openstackhelm/neutron:2024.1-ubuntu_jammy
    db_drop: docker.io/openstackhelm/heat:2024.1-ubuntu_jammy
    rabbit_init: docker.io/rabbitmq:3.13-management
    ks_user: docker.io/openstackhelm/heat:2024.1-ubuntu_jammy
    ks_service: docker.io/openstackhelm/heat:2024.1-ubuntu_jammy
    ks_endpoints: docker.io/openstackhelm/heat:2024.1-ubuntu_jammy
    netoffload: ghcr.io/vexxhost/netoffload:v1.0.1
    neutron_server: docker.io/openstackhelm/neutron:2024.1-ubuntu_jammy
    neutron_policy_server: docker.io/openstackhelm/neutron:2024.1-ubuntu_jammy
    neutron_rpc_server: docker.io/openstackhelm/neutron:2024.1-ubuntu_jammy
    neutron_dhcp: docker.io/openstackhelm/neutron:2024.1-ubuntu_jammy
    neutron_metadata: docker.io/openstackhelm/neutron:2024.1-ubuntu_jammy
    neutron_ovn_metadata: docker.io/openstackhelm/neutron:2024.1-ubuntu_jammy
    neutron_l3: docker.io/openstackhelm/neutron:2024.1-ubuntu_jammy
    neutron_l2gw: docker.io/openstackhelm/neutron:2024.1-ubuntu_jammy
    neutron_openvswitch_agent: docker.io/openstackhelm/neutron:2024.1-ubuntu_jammy
    neutron_linuxbridge_agent: docker.io/openstackhelm/neutron:2024.1-ubuntu_jammy
    # NOTE(review): the two SR-IOV images are still on a stein / 18.04 tag
    # while every other neutron image is 2024.1 / jammy. Confirm these builds
    # still receive security updates; both containers are configured as
    # privileged under pod.security_context.neutron_sriov_agent in this file.
    neutron_sriov_agent: docker.io/openstackhelm/neutron:stein-18.04-sriov
    neutron_sriov_agent_init: docker.io/openstackhelm/neutron:stein-18.04-sriov
    neutron_bagpipe_bgp: docker.io/openstackhelm/neutron:2024.1-ubuntu_jammy
    neutron_bgp_dragent: docker.io/openstackhelm/neutron:2024.1-ubuntu_jammy
    neutron_ironic_agent_init: docker.io/openstackhelm/neutron:2024.1-ubuntu_jammy
    neutron_ironic_agent: docker.io/openstackhelm/neutron:2024.1-ubuntu_jammy
    neutron_netns_cleanup_cron: docker.io/openstackhelm/neutron:2024.1-ubuntu_jammy
    dep_check: quay.io/airshipit/kubernetes-entrypoint:v1.0.0
    # NOTE(review): docker:17.07.0 is much older than the other tags here;
    # confirm it is still maintained before enabling local_registry.
    image_repo_sync: docker.io/docker:17.07.0
  pull_policy: "IfNotPresent"
  local_registry:
    active: false
    # Roles listed here are excluded from the local registry handling.
    exclude:
      - dep_check
      - image_repo_sync
59
# Node-selector label pairs, one entry per workload type. Each entry gives
# the node label key and the value a node must carry.
# NOTE(review): how the pairs are applied is decided by the chart templates,
# which are not part of this file. By default the dhcp, l3, metadata and l2gw
# agents select the same openstack-control-plane label as the API server.
labels:
  agent:
    dhcp:
      node_selector_key: openstack-control-plane
      node_selector_value: enabled
    l3:
      node_selector_key: openstack-control-plane
      node_selector_value: enabled
    metadata:
      node_selector_key: openstack-control-plane
      node_selector_value: enabled
    l2gw:
      node_selector_key: openstack-control-plane
      node_selector_value: enabled
  job:
    node_selector_key: openstack-control-plane
    node_selector_value: enabled
  lb:
    node_selector_key: linuxbridge
    node_selector_value: enabled
  # openvswitch is a special case, requiring a special
  # label that can apply to both control hosts
  # and compute hosts, until we get more sophisticated
  # with our daemonset scheduling
  ovs:
    node_selector_key: openvswitch
    node_selector_value: enabled
  sriov:
    node_selector_key: sriov
    node_selector_value: enabled
  bagpipe_bgp:
    node_selector_key: openstack-compute-node
    node_selector_value: enabled
  bgp_dragent:
    node_selector_key: openstack-compute-node
    node_selector_value: enabled
  server:
    node_selector_key: openstack-control-plane
    node_selector_value: enabled
  rpc_server:
    node_selector_key: openstack-control-plane
    node_selector_value: enabled
  ironic_agent:
    node_selector_key: openstack-control-plane
    node_selector_value: enabled
  netns_cleanup_cron:
    node_selector_key: openstack-control-plane
    node_selector_value: enabled
  test:
    node_selector_key: openstack-control-plane
    node_selector_value: enabled
111
# Network wiring for the agents and exposure settings for the API server.
network:
  # provide what type of network wiring will be used
  backend:
    - openvswitch
  # NOTE(Portdirect): Share network namespaces with the host,
  # allowing agents to be restarted without packet loss and simpler
  # debugging. This feature requires mount propagation support.
  # NOTE(review): this default trades isolation for availability. Namespaces
  # created by the agents are visible on the host, so the node itself is
  # inside the trust boundary of the tenant data plane.
  share_namespaces: true
  interface:
    # Tunnel interface will be used for VXLAN tunneling.
    tunnel: null
    # If tunnel is null there is a fallback mechanism to search
    # for interface with routing using tunnel network cidr.
    # NOTE(review): "0/0" is the widest possible CIDR; presumably the
    # fallback then picks whichever interface carries the default route
    # (confirm against the agent init script). Set `tunnel` or a narrower
    # CIDR so that tunnel traffic cannot land on an unintended network.
    tunnel_network_cidr: "0/0"
    # To perform setup of network interfaces using the SR-IOV init
    # container you can use a section similar to:
    # sriov:
    #   - device: ${DEV}
    #     num_vfs: 8
    #     mtu: 9214
    #     promisc: false
    #     qos:
    #       - vf_num: 0
    #         share: 10
    #     queues_per_vf:
    #       - num_queues: 16
    #         exclude_vf: 0,11,21
  server:
    ingress:
      # NOTE(review): the public ingress is on by default; confirm the API
      # is meant to be reachable from outside the cluster in this deployment.
      public: true
      classes:
        namespace: "nginx"
        cluster: "nginx-cluster"
      annotations:
        nginx.ingress.kubernetes.io/rewrite-target: /
    external_policy_local: false
    # NodePort exposure is off by default; 30096 is used only when enabled.
    node_port:
      enabled: false
      port: 30096
151
# Optional bootstrap step, disabled by default; `script` is the shell text
# associated with it and `ks_user` names the Keystone user entry to use.
bootstrap:
  enabled: false
  ks_user: neutron
  # NOTE(review): `openstack token issue` prints the issued token. If this
  # step is enabled with the default script, the token is written to the
  # job's output; restrict access to those logs or replace the command with
  # one that does not print a credential.
  script: |
    openstack token issue
157
158dependencies:
159 dynamic:
160 common:
161 local_image_registry:
162 jobs:
163 - neutron-image-repo-sync
164 services:
165 - endpoint: node
166 service: local_image_registry
167 targeted:
168 sriov: {}
169 l2gateway: {}
170 bagpipe_bgp: {}
Mohammed Naserfd8edcc2023-09-06 22:32:16 +0000171 ovn:
172 server:
173 pod: null
Rico Lincf86b122023-11-02 01:29:14 +0800174 bgp_dragent: {}
Mohammed Naserf3f59a72023-01-15 21:02:04 -0500175 openvswitch:
176 dhcp:
177 pod:
178 - requireSameNode: true
179 labels:
180 application: neutron
181 component: neutron-ovs-agent
182 l3:
183 pod:
184 - requireSameNode: true
185 labels:
186 application: neutron
187 component: neutron-ovs-agent
188 metadata:
189 pod:
190 - requireSameNode: true
191 labels:
192 application: neutron
193 component: neutron-ovs-agent
194 linuxbridge:
195 dhcp:
196 pod:
197 - requireSameNode: true
198 labels:
199 application: neutron
200 component: neutron-lb-agent
201 l3:
202 pod:
203 - requireSameNode: true
204 labels:
205 application: neutron
206 component: neutron-lb-agent
207 metadata:
208 pod:
209 - requireSameNode: true
210 labels:
211 application: neutron
212 component: neutron-lb-agent
213 lb_agent:
214 pod: null
215 static:
216 bootstrap:
217 services:
218 - endpoint: internal
219 service: network
220 - endpoint: internal
221 service: compute
222 db_drop:
223 services:
224 - endpoint: internal
225 service: oslo_db
226 db_init:
227 services:
228 - endpoint: internal
229 service: oslo_db
230 db_sync:
231 jobs:
232 - neutron-db-init
233 services:
234 - endpoint: internal
235 service: oslo_db
236 dhcp:
237 pod: null
238 jobs:
239 - neutron-rabbit-init
240 services:
241 - endpoint: internal
242 service: oslo_messaging
243 - endpoint: internal
244 service: network
245 - endpoint: internal
246 service: compute
247 ks_endpoints:
248 jobs:
249 - neutron-ks-service
250 services:
251 - endpoint: internal
252 service: identity
253 ks_service:
254 services:
255 - endpoint: internal
256 service: identity
257 ks_user:
258 services:
259 - endpoint: internal
260 service: identity
261 rabbit_init:
262 services:
263 - service: oslo_messaging
264 endpoint: internal
265 l3:
266 pod: null
267 jobs:
268 - neutron-rabbit-init
269 services:
270 - endpoint: internal
271 service: oslo_messaging
272 - endpoint: internal
273 service: network
274 - endpoint: internal
275 service: compute
276 lb_agent:
277 pod: null
278 jobs:
279 - neutron-rabbit-init
280 services:
281 - endpoint: internal
282 service: oslo_messaging
283 - endpoint: internal
284 service: network
285 metadata:
286 pod: null
287 jobs:
288 - neutron-rabbit-init
289 services:
290 - endpoint: internal
291 service: oslo_messaging
292 - endpoint: internal
293 service: network
294 - endpoint: internal
295 service: compute
296 - endpoint: public
297 service: compute_metadata
Oleksandr Kozachenkoc0022be2023-05-23 20:36:21 +0200298 ovn_metadata:
Mohammed Naser593ec012023-07-23 09:20:05 +0000299 pod:
300 - requireSameNode: true
301 labels:
302 application: ovn
303 component: ovn-controller
Oleksandr Kozachenkoc0022be2023-05-23 20:36:21 +0200304 services:
305 - endpoint: internal
Oleksandr Kozachenkoc0022be2023-05-23 20:36:21 +0200306 service: compute_metadata
Mohammed Naserfd8edcc2023-09-06 22:32:16 +0000307 - endpoint: internal
308 service: network
Mohammed Naserf3f59a72023-01-15 21:02:04 -0500309 ovs_agent:
310 jobs:
311 - neutron-rabbit-init
312 pod:
313 - requireSameNode: true
314 labels:
315 application: openvswitch
316 component: server
317 services:
318 - endpoint: internal
319 service: oslo_messaging
320 - endpoint: internal
321 service: network
322 server:
323 jobs:
324 - neutron-db-sync
325 - neutron-ks-user
326 - neutron-ks-endpoints
327 - neutron-rabbit-init
328 services:
329 - endpoint: internal
330 service: oslo_db
331 - endpoint: internal
332 service: oslo_messaging
333 - endpoint: internal
334 service: oslo_cache
335 - endpoint: internal
336 service: identity
Rico Lin0e153482024-05-03 03:29:14 +0800337 rpc_server:
338 jobs:
339 - neutron-db-sync
340 - neutron-rabbit-init
341 services:
342 - endpoint: internal
343 service: oslo_db
344 - endpoint: internal
345 service: oslo_messaging
346 - endpoint: internal
347 service: oslo_cache
348 - endpoint: internal
349 service: identity
Mohammed Naserf3f59a72023-01-15 21:02:04 -0500350 ironic_agent:
351 jobs:
352 - neutron-db-sync
353 - neutron-ks-user
354 - neutron-ks-endpoints
355 - neutron-rabbit-init
356 services:
357 - endpoint: internal
358 service: oslo_db
359 - endpoint: internal
360 service: oslo_messaging
361 - endpoint: internal
362 service: oslo_cache
363 - endpoint: internal
364 service: identity
365 tests:
366 services:
367 - endpoint: internal
368 service: network
369 - endpoint: internal
370 service: compute
371 image_repo_sync:
372 services:
373 - endpoint: internal
374 service: local_image_registry
375
376pod:
Dong Ma9403e982025-02-11 11:03:48 +0000377 priorityClassName:
Dong Ma0504b3c2025-02-13 16:15:52 +0000378 bagpipe_bgp: null
379 bgp_dragent: null
Dong Ma9403e982025-02-11 11:03:48 +0000380 neutron_dhcp_agent: null
381 neutron_l2gw_agent: null
382 neutron_l3_agent: null
383 neutron_lb_agent: null
384 neutron_metadata_agent: null
385 neutron_netns_cleanup_cron: null
Dong Ma0504b3c2025-02-13 16:15:52 +0000386 ovn_vpn_agent: null
Dong Ma9403e982025-02-11 11:03:48 +0000387 neutron_ovn_metadata_agent: null
388 neutron_ovs_agent: null
389 neutron_sriov_agent: null
390 neutron_ironic_agent: null
391 neutron_rpc_server: null
392 neutron_server: null
393 neutron_tests: null
Dong Ma0504b3c2025-02-13 16:15:52 +0000394 bootstrap: null
Dong Ma9403e982025-02-11 11:03:48 +0000395 db_sync: null
396 runtimeClassName:
Dong Ma0504b3c2025-02-13 16:15:52 +0000397 bagpipe_bgp: null
398 bgp_dragent: null
Dong Ma9403e982025-02-11 11:03:48 +0000399 neutron_dhcp_agent: null
400 neutron_l2gw_agent: null
401 neutron_l3_agent: null
402 neutron_lb_agent: null
403 neutron_metadata_agent: null
404 neutron_netns_cleanup_cron: null
Dong Ma0504b3c2025-02-13 16:15:52 +0000405 ovn_vpn_agent: null
Dong Ma9403e982025-02-11 11:03:48 +0000406 neutron_ovn_metadata_agent: null
407 neutron_ovs_agent: null
408 neutron_sriov_agent: null
409 neutron_ironic_agent: null
410 neutron_rpc_server: null
411 neutron_server: null
412 neutron_tests: null
Dong Ma0504b3c2025-02-13 16:15:52 +0000413 bootstrap: null
Dong Ma9403e982025-02-11 11:03:48 +0000414 db_sync: null
Mohammed Naser1c8e53f2024-07-03 13:04:36 -0400415 sidecars:
416 neutron_policy_server: false
Mohammed Naserf3f59a72023-01-15 21:02:04 -0500417 use_fqdn:
418 neutron_agent: true
419 probes:
420 rpc_timeout: 60
421 rpc_retries: 2
422 dhcp_agent:
423 dhcp_agent:
424 readiness:
425 enabled: true
426 params:
427 initialDelaySeconds: 30
428 periodSeconds: 190
429 timeoutSeconds: 185
430 liveness:
431 enabled: true
432 params:
433 initialDelaySeconds: 120
434 periodSeconds: 600
435 timeoutSeconds: 580
436 l3_agent:
437 l3_agent:
438 readiness:
439 enabled: true
440 params:
441 initialDelaySeconds: 30
442 periodSeconds: 190
443 timeoutSeconds: 185
444 liveness:
445 enabled: true
446 params:
447 initialDelaySeconds: 120
448 periodSeconds: 600
449 timeoutSeconds: 580
450 lb_agent:
451 lb_agent:
452 readiness:
453 enabled: true
454 metadata_agent:
455 metadata_agent:
456 readiness:
457 enabled: true
458 params:
459 initialDelaySeconds: 30
460 periodSeconds: 190
461 timeoutSeconds: 185
462 liveness:
463 enabled: true
464 params:
465 initialDelaySeconds: 120
466 periodSeconds: 600
467 timeoutSeconds: 580
Oleksandr Kozachenkoc0022be2023-05-23 20:36:21 +0200468 ovn_metadata_agent:
469 ovn_metadata_agent:
470 readiness:
471 enabled: true
472 params:
473 initialDelaySeconds: 30
474 periodSeconds: 190
475 timeoutSeconds: 185
476 liveness:
477 enabled: true
478 params:
479 initialDelaySeconds: 120
480 periodSeconds: 600
481 timeoutSeconds: 580
Mohammed Naserf3f59a72023-01-15 21:02:04 -0500482 ovs_agent:
483 ovs_agent:
484 readiness:
485 enabled: true
486 params:
okozachenko120317930d42023-09-06 00:24:05 +1000487 timeoutSeconds: 10
Mohammed Naserf3f59a72023-01-15 21:02:04 -0500488 liveness:
489 enabled: true
490 params:
491 initialDelaySeconds: 120
492 periodSeconds: 600
493 timeoutSeconds: 580
494 sriov_agent:
495 sriov_agent:
496 readiness:
497 enabled: true
498 params:
499 initialDelaySeconds: 30
500 periodSeconds: 190
501 timeoutSeconds: 185
502 bagpipe_bgp:
503 bagpipe_bgp:
504 readiness:
505 enabled: true
506 params:
507 liveness:
508 enabled: true
509 params:
510 initialDelaySeconds: 60
Rico Lincf86b122023-11-02 01:29:14 +0800511 bgp_dragent:
512 bgp_dragent:
513 readiness:
514 enabled: false
515 params:
516 liveness:
517 enabled: true
518 params:
519 initialDelaySeconds: 60
Mohammed Naserf3f59a72023-01-15 21:02:04 -0500520 l2gw_agent:
521 l2gw_agent:
522 readiness:
523 enabled: true
524 params:
525 initialDelaySeconds: 30
526 periodSeconds: 15
527 timeoutSeconds: 65
528 liveness:
529 enabled: true
530 params:
531 initialDelaySeconds: 120
532 periodSeconds: 90
533 timeoutSeconds: 70
534 server:
535 server:
536 readiness:
537 enabled: true
538 params:
okozachenko120317930d42023-09-06 00:24:05 +1000539 periodSeconds: 15
540 timeoutSeconds: 10
Mohammed Naserf3f59a72023-01-15 21:02:04 -0500541 liveness:
542 enabled: true
543 params:
544 initialDelaySeconds: 60
okozachenko120317930d42023-09-06 00:24:05 +1000545 periodSeconds: 15
546 timeoutSeconds: 10
Rico Lin0e153482024-05-03 03:29:14 +0800547 rpc_server:
548 rpc_server:
549 readiness:
550 enabled: true
551 params:
552 periodSeconds: 15
553 timeoutSeconds: 10
554 liveness:
555 enabled: true
556 params:
557 initialDelaySeconds: 60
558 periodSeconds: 15
559 timeoutSeconds: 10
  # Pod-level and container-level securityContext values, one entry per
  # workload. Every pod entry sets runAsUser 42424; the container entries
  # override that where a step needs root.
  # NOTE(review): most agent containers below set privileged: true. A
  # privileged container is not confined by the runtime in any meaningful
  # way, so readOnlyRootFilesystem and the non-root runAsUser next to it are
  # defense in depth, not a boundary. Treat the nodes that run these agents,
  # and the images they run, as part of the host's trusted computing base.
  security_context:
    neutron_dhcp_agent:
      pod:
        runAsUser: 42424
      container:
        neutron_dhcp_agent:
          readOnlyRootFilesystem: true
          privileged: true
    neutron_l2gw_agent:
      pod:
        runAsUser: 42424
      container:
        neutron_l2gw_agent:
          readOnlyRootFilesystem: true
          privileged: true
    neutron_bagpipe_bgp:
      pod:
        runAsUser: 42424
      container:
        neutron_bagpipe_bgp:
          readOnlyRootFilesystem: true
          privileged: true
    neutron_bgp_dragent:
      pod:
        runAsUser: 42424
      container:
        neutron_bgp_dragent:
          readOnlyRootFilesystem: true
          privileged: true
    neutron_l3_agent:
      pod:
        runAsUser: 42424
      container:
        neutron_l3_agent:
          readOnlyRootFilesystem: true
          privileged: true
    neutron_lb_agent:
      pod:
        runAsUser: 42424
      container:
        # Runs as root with two added capabilities instead of privileged.
        # NOTE(review): SYS_MODULE allows loading kernel modules, which is
        # host-level access in practice; keep this image tightly controlled.
        neutron_lb_agent_kernel_modules:
          capabilities:
            add:
              - SYS_MODULE
              - SYS_CHROOT
          runAsUser: 0
          readOnlyRootFilesystem: true
        neutron_lb_agent_init:
          privileged: true
          runAsUser: 0
          readOnlyRootFilesystem: true
        neutron_lb_agent:
          readOnlyRootFilesystem: true
          privileged: true
    # NOTE(review): only the init container is listed for the two metadata
    # agents; what the main containers get is decided by the templates and is
    # not visible here.
    neutron_metadata_agent:
      pod:
        runAsUser: 42424
      container:
        neutron_metadata_agent_init:
          runAsUser: 0
          readOnlyRootFilesystem: true
    neutron_ovn_metadata_agent:
      pod:
        runAsUser: 42424
      container:
        neutron_ovn_metadata_agent_init:
          runAsUser: 0
          readOnlyRootFilesystem: true
    neutron_ovs_agent:
      pod:
        runAsUser: 42424
      container:
        # Same capability set as neutron_lb_agent_kernel_modules above.
        neutron_openvswitch_agent_kernel_modules:
          capabilities:
            add:
              - SYS_MODULE
              - SYS_CHROOT
          runAsUser: 0
          readOnlyRootFilesystem: true
        netoffload:
          privileged: true
          runAsUser: 0
          readOnlyRootFilesystem: true
        neutron_ovs_agent_init:
          privileged: true
          runAsUser: 0
          readOnlyRootFilesystem: true
        neutron_ovs_agent:
          readOnlyRootFilesystem: true
          privileged: true
    neutron_server:
      pod:
        runAsUser: 42424
      container:
        # NOTE(review): nginx is the one container in this pod that runs as
        # root with a writable root filesystem and without
        # allowPrivilegeEscalation: false. Confirm it needs all three, or
        # align it with neutron_server below.
        nginx:
          runAsUser: 0
          readOnlyRootFilesystem: false
        neutron_server:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
        neutron_policy_server:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
    neutron_rpc_server:
      pod:
        runAsUser: 42424
      container:
        neutron_rpc_server:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
    neutron_sriov_agent:
      pod:
        runAsUser: 42424
      container:
        # NOTE(review): privileged, root and a writable root filesystem at
        # once; the other privileged init containers in this section keep
        # the root filesystem read-only.
        neutron_sriov_agent_init:
          privileged: true
          runAsUser: 0
          readOnlyRootFilesystem: false
        neutron_sriov_agent:
          readOnlyRootFilesystem: true
          privileged: true
    neutron_ironic_agent:
      pod:
        runAsUser: 42424
      container:
        neutron_ironic_agent_init:
          runAsUser: 0
          readOnlyRootFilesystem: true
        neutron_ironic_agent:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
    neutron_netns_cleanup_cron:
      pod:
        runAsUser: 42424
      container:
        neutron_netns_cleanup_cron:
          readOnlyRootFilesystem: true
          privileged: true
698 affinity:
699 anti:
700 type:
701 default: preferredDuringSchedulingIgnoredDuringExecution
702 topologyKey:
703 default: kubernetes.io/hostname
704 weight:
705 default: 10
706 tolerations:
707 neutron:
708 enabled: false
709 tolerations:
710 - key: node-role.kubernetes.io/master
711 operator: Exists
712 effect: NoSchedule
Oleksandr Kozachenkoc0022be2023-05-23 20:36:21 +0200713 - key: node-role.kubernetes.io/control-plane
714 operator: Exists
715 effect: NoSchedule
Mohammed Naserf3f59a72023-01-15 21:02:04 -0500716 mounts:
717 neutron_server:
718 init_container: null
719 neutron_server:
720 volumeMounts:
721 volumes:
Rico Lin0e153482024-05-03 03:29:14 +0800722 neutron_rpc_server:
723 init_container: null
724 neutron_rpc_server:
725 volumeMounts:
726 volumes:
Mohammed Naserf3f59a72023-01-15 21:02:04 -0500727 neutron_dhcp_agent:
728 init_container: null
729 neutron_dhcp_agent:
730 volumeMounts:
731 volumes:
732 neutron_l3_agent:
733 init_container: null
734 neutron_l3_agent:
735 volumeMounts:
736 volumes:
737 neutron_lb_agent:
738 init_container: null
739 neutron_lb_agent:
740 volumeMounts:
741 volumes:
742 neutron_metadata_agent:
743 init_container: null
744 neutron_metadata_agent:
745 volumeMounts:
746 volumes:
Oleksandr Kozachenkoc0022be2023-05-23 20:36:21 +0200747 neutron_ovn_metadata_agent:
748 init_container: null
749 neutron_ovn_metadata_agent:
750 volumeMounts:
751 volumes:
Mohammed Naserf3f59a72023-01-15 21:02:04 -0500752 neutron_ovs_agent:
753 init_container: null
754 neutron_ovs_agent:
755 volumeMounts:
756 volumes:
757 neutron_sriov_agent:
758 init_container: null
759 neutron_sriov_agent:
760 volumeMounts:
761 volumes:
762 neutron_l2gw_agent:
763 init_container: null
764 neutron_l2gw_agent:
765 volumeMounts:
766 volumes:
767 bagpipe_bgp:
768 init_container: null
769 bagpipe_bgp:
770 volumeMounts:
771 volumes:
Rico Lincf86b122023-11-02 01:29:14 +0800772 bgp_dragent:
773 init_container: null
774 bgp_dragent:
775 volumeMounts:
776 volumes:
Mohammed Naserf3f59a72023-01-15 21:02:04 -0500777 neutron_ironic_agent:
778 init_container: null
779 neutron_ironic_agent:
780 volumeMounts:
781 volumes:
782 neutron_netns_cleanup_cron:
783 init_container: null
784 neutron_netns_cleanup_cron:
785 volumeMounts:
786 volumes:
787 neutron_tests:
788 init_container: null
789 neutron_tests:
790 volumeMounts:
791 volumes:
792 neutron_bootstrap:
793 init_container: null
794 neutron_bootstrap:
795 volumeMounts:
796 volumes:
797 neutron_db_sync:
798 neutron_db_sync:
799 volumeMounts:
800 - name: db-sync-conf
801 mountPath: /etc/neutron/plugins/ml2/ml2_conf.ini
802 subPath: ml2_conf.ini
803 readOnly: true
804 volumes:
805 replicas:
806 server: 1
Rico Lin0e153482024-05-03 03:29:14 +0800807 rpc_server: 1
Mohammed Naserf3f59a72023-01-15 21:02:04 -0500808 ironic_agent: 1
809 lifecycle:
810 upgrades:
811 deployments:
812 revision_history: 3
813 pod_replacement_strategy: RollingUpdate
814 rolling_update:
815 max_unavailable: 1
816 max_surge: 3
817 daemonsets:
818 pod_replacement_strategy: RollingUpdate
819 dhcp_agent:
820 enabled: true
821 min_ready_seconds: 0
822 max_unavailable: 1
823 l3_agent:
824 enabled: true
825 min_ready_seconds: 0
826 max_unavailable: 1
827 lb_agent:
828 enabled: true
829 min_ready_seconds: 0
830 max_unavailable: 1
831 metadata_agent:
832 enabled: true
833 min_ready_seconds: 0
834 max_unavailable: 1
Oleksandr Kozachenkoc0022be2023-05-23 20:36:21 +0200835 ovn_metadata_agent:
836 enabled: true
837 min_ready_seconds: 0
838 max_unavailable: 1
Mohammed Naserf3f59a72023-01-15 21:02:04 -0500839 ovs_agent:
840 enabled: true
841 min_ready_seconds: 0
842 max_unavailable: 1
843 sriov_agent:
844 enabled: true
845 min_ready_seconds: 0
846 max_unavailable: 1
847 netns_cleanup_cron:
848 enabled: true
849 min_ready_seconds: 0
850 max_unavailable: 1
851 disruption_budget:
852 server:
853 min_available: 0
854 termination_grace_period:
855 server:
856 timeout: 30
Rico Lin0e153482024-05-03 03:29:14 +0800857 rpc_server:
858 timeout: 30
Mohammed Naserf3f59a72023-01-15 21:02:04 -0500859 ironic_agent:
860 timeout: 30
861 resources:
862 enabled: false
863 agent:
864 dhcp:
865 requests:
866 memory: "128Mi"
867 cpu: "100m"
868 limits:
869 memory: "1024Mi"
870 cpu: "2000m"
871 l3:
872 requests:
873 memory: "128Mi"
874 cpu: "100m"
875 limits:
876 memory: "1024Mi"
877 cpu: "2000m"
878 lb:
879 requests:
880 memory: "128Mi"
881 cpu: "100m"
882 limits:
883 memory: "1024Mi"
884 cpu: "2000m"
885 metadata:
886 requests:
887 memory: "128Mi"
888 cpu: "100m"
889 limits:
890 memory: "1024Mi"
891 cpu: "2000m"
Oleksandr Kozachenkoc0022be2023-05-23 20:36:21 +0200892 ovn_metadata:
893 requests:
894 memory: "128Mi"
895 cpu: "100m"
896 limits:
897 memory: "1024Mi"
898 cpu: "2000m"
Mohammed Naserf3f59a72023-01-15 21:02:04 -0500899 ovs:
900 requests:
901 memory: "128Mi"
902 cpu: "100m"
903 limits:
904 memory: "1024Mi"
905 cpu: "2000m"
906 sriov:
907 requests:
908 memory: "128Mi"
909 cpu: "100m"
910 limits:
911 memory: "1024Mi"
912 cpu: "2000m"
913 l2gw:
914 requests:
915 memory: "128Mi"
916 cpu: "100m"
917 limits:
918 memory: "1024Mi"
919 cpu: "2000m"
920 bagpipe_bgp:
921 requests:
922 memory: "128Mi"
923 cpu: "100m"
924 limits:
925 memory: "1024Mi"
926 cpu: "2000m"
Rico Lincf86b122023-11-02 01:29:14 +0800927 bgp_dragent:
928 requests:
929 memory: "128Mi"
930 cpu: "100m"
931 limits:
932 memory: "1024Mi"
933 cpu: "2000m"
Mohammed Naserf3f59a72023-01-15 21:02:04 -0500934 server:
935 requests:
936 memory: "128Mi"
937 cpu: "100m"
938 limits:
939 memory: "1024Mi"
940 cpu: "2000m"
Mohammed Naser1c8e53f2024-07-03 13:04:36 -0400941 neutron_policy_server:
942 requests:
943 memory: "128Mi"
944 cpu: "100m"
945 limits:
946 memory: "256Mi"
947 cpu: "500m"
Mohammed Naserf3f59a72023-01-15 21:02:04 -0500948 ironic_agent:
949 requests:
950 memory: "128Mi"
951 cpu: "100m"
952 limits:
953 memory: "1024Mi"
954 cpu: "2000m"
955 netns_cleanup_cron:
956 requests:
957 memory: "128Mi"
958 cpu: "100m"
959 limits:
960 memory: "1024Mi"
961 cpu: "2000m"
962 jobs:
963 bootstrap:
964 requests:
965 memory: "128Mi"
966 cpu: "100m"
967 limits:
968 memory: "1024Mi"
969 cpu: "2000m"
970 db_init:
971 requests:
972 memory: "128Mi"
973 cpu: "100m"
974 limits:
975 memory: "1024Mi"
976 cpu: "2000m"
977 rabbit_init:
978 requests:
979 memory: "128Mi"
980 cpu: "100m"
981 limits:
982 memory: "1024Mi"
983 cpu: "2000m"
984 db_sync:
985 requests:
986 memory: "128Mi"
987 cpu: "100m"
988 limits:
989 memory: "1024Mi"
990 cpu: "2000m"
991 db_drop:
992 requests:
993 memory: "128Mi"
994 cpu: "100m"
995 limits:
996 memory: "1024Mi"
997 cpu: "2000m"
998 ks_endpoints:
999 requests:
1000 memory: "128Mi"
1001 cpu: "100m"
1002 limits:
1003 memory: "1024Mi"
1004 cpu: "2000m"
1005 ks_service:
1006 requests:
1007 memory: "128Mi"
1008 cpu: "100m"
1009 limits:
1010 memory: "1024Mi"
1011 cpu: "2000m"
1012 ks_user:
1013 requests:
1014 memory: "128Mi"
1015 cpu: "100m"
1016 limits:
1017 memory: "1024Mi"
1018 cpu: "2000m"
1019 tests:
1020 requests:
1021 memory: "128Mi"
1022 cpu: "100m"
1023 limits:
1024 memory: "1024Mi"
1025 cpu: "2000m"
1026 image_repo_sync:
1027 requests:
1028 memory: "128Mi"
1029 cpu: "100m"
1030 limits:
1031 memory: "1024Mi"
1032 cpu: "2000m"
1033
1034conf:
1035 rally_tests:
1036 force_project_purge: false
1037 run_tempest: false
1038 clean_up: |
1039 # NOTE: We will make the best effort to clean up rally generated networks and routers,
1040 # but should not block further automated deployment.
1041 set +e
1042 PATTERN="^[sc]_rally_"
1043
1044 ROUTERS=$(openstack router list --format=value -c Name | grep -e $PATTERN | sort | tr -d '\r')
1045 NETWORKS=$(openstack network list --format=value -c Name | grep -e $PATTERN | sort | tr -d '\r')
1046
1047 for ROUTER in $ROUTERS
1048 do
1049 openstack router unset --external-gateway $ROUTER
1050 openstack router set --disable --no-ha $ROUTER
1051
1052 SUBNS=$(openstack router show $ROUTER -c interfaces_info --format=value | python -m json.tool | grep -oP '(?<="subnet_id": ")[a-f0-9\-]{36}(?=")' | sort | uniq)
1053 for SUBN in $SUBNS
1054 do
1055 openstack router remove subnet $ROUTER $SUBN
1056 done
1057
1058 for PORT in $(openstack port list --router $ROUTER --format=value -c ID | tr -d '\r')
1059 do
1060 openstack router remove port $ROUTER $PORT
1061 done
1062
1063 openstack router delete $ROUTER
1064 done
1065
1066 for NETWORK in $NETWORKS
1067 do
1068 for PORT in $(openstack port list --network $NETWORK --format=value -c ID | tr -d '\r')
1069 do
1070 openstack port delete $PORT
1071 done
1072 openstack network delete $NETWORK
1073 done
1074 set -e
1075 tests:
1076 NeutronNetworks.create_and_delete_networks:
1077 - args:
1078 network_create_args: {}
1079 context:
1080 quotas:
1081 neutron:
1082 network: -1
1083 runner:
1084 concurrency: 1
1085 times: 1
1086 type: constant
1087 sla:
1088 failure_rate:
1089 max: 0
1090 NeutronNetworks.create_and_delete_ports:
1091 - args:
1092 network_create_args: {}
1093 port_create_args: {}
1094 ports_per_network: 10
1095 context:
1096 network: {}
1097 quotas:
1098 neutron:
1099 network: -1
1100 port: -1
1101 runner:
1102 concurrency: 1
1103 times: 1
1104 type: constant
1105 sla:
1106 failure_rate:
1107 max: 0
1108 NeutronNetworks.create_and_delete_routers:
1109 - args:
1110 network_create_args: {}
1111 router_create_args: {}
1112 subnet_cidr_start: 1.1.0.0/30
1113 subnet_create_args: {}
1114 subnets_per_network: 2
1115 context:
1116 network: {}
1117 quotas:
1118 neutron:
1119 network: -1
1120 router: -1
1121 subnet: -1
1122 runner:
1123 concurrency: 1
1124 times: 1
1125 type: constant
1126 sla:
1127 failure_rate:
1128 max: 0
1129 NeutronNetworks.create_and_delete_subnets:
1130 - args:
1131 network_create_args: {}
1132 subnet_cidr_start: 1.1.0.0/30
1133 subnet_create_args: {}
1134 subnets_per_network: 2
1135 context:
1136 network: {}
1137 quotas:
1138 neutron:
1139 network: -1
1140 subnet: -1
1141 runner:
1142 concurrency: 1
1143 times: 1
1144 type: constant
1145 sla:
1146 failure_rate:
1147 max: 0
1148 NeutronNetworks.create_and_list_routers:
1149 - args:
1150 network_create_args: {}
1151 router_create_args: {}
1152 subnet_cidr_start: 1.1.0.0/30
1153 subnet_create_args: {}
1154 subnets_per_network: 2
1155 context:
1156 network: {}
1157 quotas:
1158 neutron:
1159 network: -1
1160 router: -1
1161 subnet: -1
1162 runner:
1163 concurrency: 1
1164 times: 1
1165 type: constant
1166 sla:
1167 failure_rate:
1168 max: 0
1169 NeutronNetworks.create_and_list_subnets:
1170 - args:
1171 network_create_args: {}
1172 subnet_cidr_start: 1.1.0.0/30
1173 subnet_create_args: {}
1174 subnets_per_network: 2
1175 context:
1176 network: {}
1177 quotas:
1178 neutron:
1179 network: -1
1180 subnet: -1
1181 runner:
1182 concurrency: 1
1183 times: 1
1184 type: constant
1185 sla:
1186 failure_rate:
1187 max: 0
1188 NeutronNetworks.create_and_show_network:
1189 - args:
1190 network_create_args: {}
1191 context:
1192 quotas:
1193 neutron:
1194 network: -1
1195 runner:
1196 concurrency: 1
1197 times: 1
1198 type: constant
1199 sla:
1200 failure_rate:
1201 max: 0
1202 NeutronNetworks.create_and_update_networks:
1203 - args:
1204 network_create_args: {}
1205 network_update_args:
1206 admin_state_up: false
1207 context:
1208 quotas:
1209 neutron:
1210 network: -1
1211 runner:
1212 concurrency: 1
1213 times: 1
1214 type: constant
1215 sla:
1216 failure_rate:
1217 max: 0
1218 NeutronNetworks.create_and_update_ports:
1219 - args:
1220 network_create_args: {}
1221 port_create_args: {}
1222 port_update_args:
1223 admin_state_up: false
1224 device_id: dummy_id
1225 device_owner: dummy_owner
1226 ports_per_network: 5
1227 context:
1228 network: {}
1229 quotas:
1230 neutron:
1231 network: -1
1232 port: -1
1233 runner:
1234 concurrency: 1
1235 times: 1
1236 type: constant
1237 sla:
1238 failure_rate:
1239 max: 0
1240 NeutronNetworks.create_and_update_routers:
1241 - args:
1242 network_create_args: {}
1243 router_create_args: {}
1244 router_update_args:
1245 admin_state_up: false
1246 subnet_cidr_start: 1.1.0.0/30
1247 subnet_create_args: {}
1248 subnets_per_network: 2
1249 context:
1250 network: {}
1251 quotas:
1252 neutron:
1253 network: -1
1254 router: -1
1255 subnet: -1
1256 runner:
1257 concurrency: 1
1258 times: 1
1259 type: constant
1260 sla:
1261 failure_rate:
1262 max: 0
1263 NeutronNetworks.create_and_update_subnets:
1264 - args:
1265 network_create_args: {}
1266 subnet_cidr_start: 1.4.0.0/16
1267 subnet_create_args: {}
1268 subnet_update_args:
1269 enable_dhcp: false
1270 subnets_per_network: 2
1271 context:
1272 network: {}
1273 quotas:
1274 neutron:
1275 network: -1
1276 subnet: -1
1277 runner:
1278 concurrency: 1
1279 times: 1
1280 type: constant
1281 sla:
1282 failure_rate:
1283 max: 0
1284 NeutronNetworks.list_agents:
1285 - args:
1286 agent_args: {}
1287 runner:
1288 concurrency: 1
1289 times: 1
1290 type: constant
1291 sla:
1292 failure_rate:
1293 max: 0
1294 NeutronSecurityGroup.create_and_list_security_groups:
1295 - args:
1296 security_group_create_args: {}
1297 context:
1298 quotas:
1299 neutron:
1300 security_group: -1
1301 runner:
1302 concurrency: 1
1303 times: 1
1304 type: constant
1305 sla:
1306 failure_rate:
1307 max: 0
1308 NeutronSecurityGroup.create_and_update_security_groups:
1309 - args:
1310 security_group_create_args: {}
1311 security_group_update_args: {}
1312 context:
1313 quotas:
1314 neutron:
1315 security_group: -1
1316 runner:
1317 concurrency: 1
1318 times: 1
1319 type: constant
1320 sla:
1321 failure_rate:
1322 max: 0
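# Paste Deploy (api-paste) definition for the Neutron API, restored to nested
# YAML with the blame/gutter residue removed; every key and value is as listed.
paste:
  composite:neutron:
    use: egg:Paste#urlmap
    /: neutronversions_composite
    /v2.0: neutronapi_v2_0
  composite:neutronapi_v2_0:
    use: call:neutron.auth:pipeline_factory
    # NOTE(review): the noauth pipeline has no authtoken or keystonecontext
    # filter, so requests served through it are not token-validated. Which of
    # the two pipelines is used is decided by neutron.auth:pipeline_factory,
    # presumably from Neutron's auth_strategy option; confirm it stays on
    # keystone outside isolated test environments.
    noauth: cors http_proxy_to_wsgi request_id catch_errors extensions neutronapiapp_v2_0
    # authtoken runs before audit and keystonecontext, so audit records and
    # the request context are built from an already validated token.
    keystone: cors http_proxy_to_wsgi request_id catch_errors authtoken audit keystonecontext extensions neutronapiapp_v2_0
  composite:neutronversions_composite:
    use: call:neutron.auth:pipeline_factory
    # Both pipelines are identical and contain no authtoken filter: version
    # discovery is answered without authentication under either strategy.
    noauth: cors http_proxy_to_wsgi neutronversions
    keystone: cors http_proxy_to_wsgi neutronversions
  filter:request_id:
    paste.filter_factory: oslo_middleware:RequestId.factory
  filter:catch_errors:
    paste.filter_factory: oslo_middleware:CatchErrors.factory
  filter:cors:
    paste.filter_factory: oslo_middleware.cors:filter_factory
    oslo_config_project: neutron
  filter:http_proxy_to_wsgi:
    paste.filter_factory: oslo_middleware.http_proxy_to_wsgi:HTTPProxyToWSGI.factory
  filter:keystonecontext:
    paste.filter_factory: neutron.auth:NeutronKeystoneContext.factory
  filter:authtoken:
    paste.filter_factory: keystonemiddleware.auth_token:filter_factory
  filter:audit:
    paste.filter_factory: keystonemiddleware.audit:filter_factory
    audit_map_file: /etc/neutron/api_audit_map.conf
  filter:extensions:
    paste.filter_factory: neutron.api.extensions:plugin_aware_extension_middleware_factory
  app:neutronversions:
    paste.app_factory: neutron.pecan_wsgi.app:versions_factory
  app:neutronapiapp_v2_0:
    paste.app_factory: neutron.api.v2.router:APIRouter.factory
  # Defined but not referenced by any pipeline in this section.
  filter:osprofiler:
    paste.filter_factory: osprofiler.web:WsgiMiddleware.factory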
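# uWSGI options for the neutron-api process, restored to nested YAML with the
# blame/gutter residue removed; option names and values are as listed.
neutron_api_uwsgi:
  uwsgi:
    add-header: "Connection: close"
    buffer-size: 65535
    die-on-term: true
    enable-threads: true
    exit-on-reload: false
    hook-master-start: unix_signal:15 gracefully_kill_them_all
    lazy-apps: true
    # NOTE(review): request logs record the X-Forwarded-For value as the
    # client address. That header is client-supplied unless the proxy in
    # front overwrites it, so treat logged addresses as unverified unless the
    # ingress is known to set it.
    log-x-forwarded-for: true
    master: true
    procname-prefix-spaced: "neutron-api:"
    # NOTE(review): requests whose User-Agent starts with kube-probe are left
    # out of the uWSGI request log. User-Agent is client-controlled, so keep
    # ingress/proxy logs as the complete request record for investigations.
    route-user-agent: '^kube-probe.* donotlog:'
    thunder-lock: true
    worker-reload-mercy: 80
    wsgi-file: /var/lib/openstack/bin/neutron-api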
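# uWSGI options for the neutron-policy-server process, restored to nested YAML
# with the blame/gutter residue removed; option names and values are as listed.
neutron_policy_server_uwsgi:
  uwsgi:
    add-header: "Connection: close"
    buffer-size: 65535
    die-on-term: true
    enable-threads: true
    exit-on-reload: false
    hook-master-start: unix_signal:15 gracefully_kill_them_all
    lazy-apps: true
    # NOTE(review): the logged client address comes from X-Forwarded-For,
    # which is only trustworthy when the fronting proxy sets or overwrites it.
    log-x-forwarded-for: true
    master: true
    procname-prefix-spaced: "neutron-policy-server:"
    # NOTE(review): requests with a kube-probe User-Agent prefix are not
    # logged here; the header is client-controlled, so request logs from this
    # process alone are not a complete record.
    route-user-agent: '^kube-probe.* donotlog:'
    thunder-lock: true
    worker-reload-mercy: 80
    wsgi-file: /var/lib/openstack/bin/neutron-policy-server-wsgi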
Mohammed Naserf3f59a72023-01-15 21:02:04 -05001392 policy: {}
1393 api_audit_map:
1394 DEFAULT:
1395 target_endpoint_type: None
1396 custom_actions:
1397 add_router_interface: update/add
1398 remove_router_interface: update/remove
1399 path_keywords:
1400 floatingips: ip
1401 healthmonitors: healthmonitor
1402 health_monitors: health_monitor
1403 lb: None
1404 members: member
1405 metering-labels: label
1406 metering-label-rules: rule
1407 networks: network
1408 pools: pool
1409 ports: port
1410 routers: router
1411 quotas: quota
1412 security-groups: security-group
1413 security-group-rules: rule
1414 subnets: subnet
1415 vips: vip
1416 service_endpoints:
1417 network: service/network
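# sudoers content for the neutron account (block scalar kept byte-for-byte).
# NOTE(review): both rules are NOPASSWD. The first lets the neutron account
# run neutron-rootwrap as root with arbitrary trailing arguments, so what
# actually executes as root is decided by /etc/neutron/rootwrap.conf and the
# filter files it loads. Keep that file, every directory in its filters_path
# and every directory in secure_path root-owned and not writable by neutron.
neutron_sudoers: |
  # This sudoers file supports rootwrap for both Kolla and LOCI Images.
  Defaults !requiretty
  Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin:/var/lib/openstack/bin:/var/lib/kolla/venv/bin"
  neutron ALL = (root) NOPASSWD: /var/lib/kolla/venv/bin/neutron-rootwrap /etc/neutron/rootwrap.conf *, /var/lib/openstack/bin/neutron-rootwrap /etc/neutron/rootwrap.conf *
  neutron ALL = (root) NOPASSWD: /var/lib/kolla/venv/bin/neutron-rootwrap-daemon /etc/neutron/rootwrap.conf, /var/lib/openstack/bin/neutron-rootwrap-daemon /etc/neutron/rootwrap.conf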
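# neutron-rootwrap configuration (block scalar kept byte-for-byte); presumably
# rendered to the /etc/neutron/rootwrap.conf path that the sudoers rules and
# root_helper settings on this page point at.
# NOTE(review): with use_syslog=False and syslog_log_level=ERROR, rootwrap
# itself keeps no record of the commands it runs as root. The file's own
# comments say INFO logs all usage; if root command auditing is required,
# enable syslog at INFO once a syslog socket is confirmed reachable in the pod.
# NOTE(review): filters_path and exec_dirs include /var/lib/openstack and
# /var/lib/kolla/venv paths; the "only writeable by root" requirement stated
# in the file applies to those image paths as well.
rootwrap: |
  # Configuration for neutron-rootwrap
  # This file should be owned by (and only-writeable by) the root user

  [DEFAULT]
  # List of directories to load filter definitions from (separated by ',').
  # These directories MUST all be only writeable by root !
  filters_path=/etc/neutron/rootwrap.d,/usr/share/neutron/rootwrap,/var/lib/openstack/etc/neutron/rootwrap.d

  # List of directories to search executables in, in case filters do not
  # explicitely specify a full path (separated by ',')
  # If not specified, defaults to system PATH environment variable.
  # These directories MUST all be only writeable by root !
  exec_dirs=/sbin,/usr/sbin,/bin,/usr/bin,/usr/local/bin,/usr/local/sbin,/var/lib/openstack/bin,/var/lib/kolla/venv/bin

  # Enable logging to syslog
  # Default value is False
  use_syslog=False

  # Which syslog facility to use.
  # Valid values include auth, authpriv, syslog, local0, local1...
  # Default value is 'syslog'
  syslog_log_facility=syslog

  # Which messages to log.
  # INFO means log all usage
  # ERROR means only log unsuccessful attempts
  syslog_log_level=ERROR

  [xenapi]
  # XenAPI configuration is only required by the L2 agent if it is to
  # target a XenServer/XCP compute host's dom0.
  xenapi_connection_url=<None>
  xenapi_connection_username=root
  xenapi_connection_password=<None>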
1459 rootwrap_filters:
1460 debug:
1461 pods:
1462 - dhcp_agent
1463 - l3_agent
1464 - lb_agent
1465 - metadata_agent
Oleksandr Kozachenkoc0022be2023-05-23 20:36:21 +02001466 - ovn_metadata_agent
Mohammed Naserf3f59a72023-01-15 21:02:04 -05001467 - ovs_agent
1468 - sriov_agent
1469 content: |
1470 # neutron-rootwrap command filters for nodes on which neutron is
1471 # expected to control network
1472 #
1473 # This file should be owned by (and only-writeable by) the root user
1474
1475 # format seems to be
1476 # cmd-name: filter-name, raw-command, user, args
1477
1478 [Filters]
1479
1480 # This is needed because we should ping
1481 # from inside a namespace which requires root
1482 # _alt variants allow to match -c and -w in any order
1483 # (used by NeutronDebugAgent.ping_all)
1484 ping: RegExpFilter, ping, root, ping, -w, \d+, -c, \d+, [0-9\.]+
1485 ping_alt: RegExpFilter, ping, root, ping, -c, \d+, -w, \d+, [0-9\.]+
1486 ping6: RegExpFilter, ping6, root, ping6, -w, \d+, -c, \d+, [0-9A-Fa-f:]+
1487 ping6_alt: RegExpFilter, ping6, root, ping6, -c, \d+, -w, \d+, [0-9A-Fa-f:]+
1488 dibbler:
1489 pods:
1490 - dhcp_agent
1491 - l3_agent
1492 - lb_agent
1493 - metadata_agent
Oleksandr Kozachenkoc0022be2023-05-23 20:36:21 +02001494 - ovn_metadata_agent
Mohammed Naserf3f59a72023-01-15 21:02:04 -05001495 - ovs_agent
1496 - sriov_agent
1497 content: |
1498 # neutron-rootwrap command filters for nodes on which neutron is
1499 # expected to control network
1500 #
1501 # This file should be owned by (and only-writeable by) the root user
1502
1503 # format seems to be
1504 # cmd-name: filter-name, raw-command, user, args
1505
1506 [Filters]
1507
1508 # Filters for the dibbler-based reference implementation of the pluggable
1509 # Prefix Delegation driver. Other implementations using an alternative agent
1510 # should include a similar filter in this folder.
1511
1512 # prefix_delegation_agent
1513 dibbler-client: CommandFilter, dibbler-client, root
1514 ipset_firewall:
1515 pods:
1516 - dhcp_agent
1517 - l3_agent
1518 - lb_agent
1519 - metadata_agent
Oleksandr Kozachenkoc0022be2023-05-23 20:36:21 +02001520 - ovn_metadata_agent
Mohammed Naserf3f59a72023-01-15 21:02:04 -05001521 - ovs_agent
1522 - sriov_agent
1523 content: |
1524 # neutron-rootwrap command filters for nodes on which neutron is
1525 # expected to control network
1526 #
1527 # This file should be owned by (and only-writeable by) the root user
1528
1529 # format seems to be
1530 # cmd-name: filter-name, raw-command, user, args
1531
1532 [Filters]
1533 # neutron/agent/linux/iptables_firewall.py
1534 # "ipset", "-A", ...
1535 ipset: CommandFilter, ipset, root
1536 l3:
1537 pods:
1538 - dhcp_agent
1539 - l3_agent
1540 - lb_agent
1541 - metadata_agent
Oleksandr Kozachenkoc0022be2023-05-23 20:36:21 +02001542 - ovn_metadata_agent
Mohammed Naserf3f59a72023-01-15 21:02:04 -05001543 - ovs_agent
1544 - sriov_agent
1545 content: |
1546 # neutron-rootwrap command filters for nodes on which neutron is
1547 # expected to control network
1548 #
1549 # This file should be owned by (and only-writeable by) the root user
1550
1551 # format seems to be
1552 # cmd-name: filter-name, raw-command, user, args
1553
1554 [Filters]
1555
1556 # arping
1557 arping: CommandFilter, arping, root
1558
1559 # l3_agent
1560 sysctl: CommandFilter, sysctl, root
1561 route: CommandFilter, route, root
1562 radvd: CommandFilter, radvd, root
1563
1564 # haproxy
1565 haproxy: RegExpFilter, haproxy, root, haproxy, -f, .*
1566 kill_haproxy: KillFilter, root, haproxy, -15, -9, -HUP
1567
1568 # metadata proxy
1569 metadata_proxy: CommandFilter, neutron-ns-metadata-proxy, root
1570 # RHEL invocation of the metadata proxy will report /usr/bin/python
1571 kill_metadata: KillFilter, root, python, -15, -9
1572 kill_metadata2: KillFilter, root, python2, -15, -9
1573 kill_metadata7: KillFilter, root, python2.7, -15, -9
1574 kill_metadata3: KillFilter, root, python3, -15, -9
1575 kill_metadata35: KillFilter, root, python3.5, -15, -9
1576 kill_metadata36: KillFilter, root, python3.6, -15, -9
1577 kill_metadata37: KillFilter, root, python3.7, -15, -9
1578 kill_radvd_usr: KillFilter, root, /usr/sbin/radvd, -15, -9, -HUP
1579 kill_radvd: KillFilter, root, /sbin/radvd, -15, -9, -HUP
1580
1581 # ip_lib
1582 ip: IpFilter, ip, root
1583 find: RegExpFilter, find, root, find, /sys/class/net, -maxdepth, 1, -type, l, -printf, %.*
1584 ip_exec: IpNetnsExecFilter, ip, root
1585
1586 # l3_tc_lib
1587 l3_tc_show_qdisc: RegExpFilter, tc, root, tc, qdisc, show, dev, .+
1588 l3_tc_add_qdisc_ingress: RegExpFilter, tc, root, tc, qdisc, add, dev, .+, ingress
1589 l3_tc_add_qdisc_egress: RegExpFilter, tc, root, tc, qdisc, add, dev, .+, root, handle, 1:, htb
1590 l3_tc_show_filters: RegExpFilter, tc, root, tc, -p, -s, -d, filter, show, dev, .+, parent, .+, prio, 1
1591 l3_tc_delete_filters: RegExpFilter, tc, root, tc, filter, del, dev, .+, parent, .+, prio, 1, handle, .+, u32
1592 l3_tc_add_filter_ingress: RegExpFilter, tc, root, tc, filter, add, dev, .+, parent, .+, protocol, ip, prio, 1, u32, match, ip, dst, .+, police, rate, .+, burst, .+, drop, flowid, :1
1593 l3_tc_add_filter_egress: RegExpFilter, tc, root, tc, filter, add, dev, .+, parent, .+, protocol, ip, prio, 1, u32, match, ip, src, .+, police, rate, .+, burst, .+, drop, flowid, :1
1594
1595 # For ip monitor
1596 kill_ip_monitor: KillFilter, root, ip, -9
1597
1598 # ovs_lib (if OVSInterfaceDriver is used)
1599 ovs-vsctl: CommandFilter, ovs-vsctl, root
1600
1601 # iptables_manager
1602 iptables-save: CommandFilter, iptables-save, root
1603 iptables-restore: CommandFilter, iptables-restore, root
1604 ip6tables-save: CommandFilter, ip6tables-save, root
1605 ip6tables-restore: CommandFilter, ip6tables-restore, root
1606
1607 # Keepalived
1608 keepalived: CommandFilter, keepalived, root
1609 kill_keepalived: KillFilter, root, keepalived, -HUP, -15, -9
1610
1611 # l3 agent to delete floatingip's conntrack state
1612 conntrack: CommandFilter, conntrack, root
1613
1614 # keepalived state change monitor
1615 keepalived_state_change: CommandFilter, neutron-keepalived-state-change, root
1616 # The following filters are used to kill the keepalived state change monitor.
1617 # Since the monitor runs as a Python script, the system reports that the
1618 # command of the process to be killed is python.
1619 # TODO(mlavalle) These kill filters will be updated once we come up with a
1620 # mechanism to kill using the name of the script being executed by Python
1621 kill_keepalived_monitor_py: KillFilter, root, python, -15
1622 kill_keepalived_monitor_py27: KillFilter, root, python2.7, -15
1623 kill_keepalived_monitor_py3: KillFilter, root, python3, -15
1624 kill_keepalived_monitor_py35: KillFilter, root, python3.5, -15
1625 kill_keepalived_monitor_py36: KillFilter, root, python3.6, -15
1626 kill_keepalived_monitor_py37: KillFilter, root, python3.7, -15
1627 netns_cleanup:
1628 pods:
1629 - dhcp_agent
1630 - l3_agent
1631 - lb_agent
1632 - metadata_agent
Oleksandr Kozachenkoc0022be2023-05-23 20:36:21 +02001633 - ovn_metadata_agent
Mohammed Naserf3f59a72023-01-15 21:02:04 -05001634 - ovs_agent
1635 - sriov_agent
1636 - netns_cleanup_cron
1637 content: |
1638 # neutron-rootwrap command filters for nodes on which neutron is
1639 # expected to control network
1640 #
1641 # This file should be owned by (and only-writeable by) the root user
1642
1643 # format seems to be
1644 # cmd-name: filter-name, raw-command, user, args
1645
1646 [Filters]
1647
1648 # netns-cleanup
1649 netstat: CommandFilter, netstat, root
1650 dhcp:
1651 pods:
1652 - dhcp_agent
1653 - l3_agent
1654 - lb_agent
1655 - metadata_agent
Oleksandr Kozachenkoc0022be2023-05-23 20:36:21 +02001656 - ovn_metadata_agent
Mohammed Naserf3f59a72023-01-15 21:02:04 -05001657 - ovs_agent
1658 - sriov_agent
1659 - netns_cleanup_cron
1660 content: |
1661 # neutron-rootwrap command filters for nodes on which neutron is
1662 # expected to control network
1663 #
1664 # This file should be owned by (and only-writeable by) the root user
1665
1666 # format seems to be
1667 # cmd-name: filter-name, raw-command, user, args
1668
1669 [Filters]
1670
1671 # dhcp-agent
1672 dnsmasq: CommandFilter, dnsmasq, root
1673 # dhcp-agent uses kill as well, that's handled by the generic KillFilter
1674 # it looks like these are the only signals needed, per
1675 # neutron/agent/linux/dhcp.py
1676 kill_dnsmasq: KillFilter, root, /sbin/dnsmasq, -9, -HUP, -15
1677 kill_dnsmasq_usr: KillFilter, root, /usr/sbin/dnsmasq, -9, -HUP, -15
1678
1679 ovs-vsctl: CommandFilter, ovs-vsctl, root
1680 ivs-ctl: CommandFilter, ivs-ctl, root
1681 mm-ctl: CommandFilter, mm-ctl, root
1682 dhcp_release: CommandFilter, dhcp_release, root
1683 dhcp_release6: CommandFilter, dhcp_release6, root
1684
1685 # metadata proxy
1686 metadata_proxy: CommandFilter, neutron-ns-metadata-proxy, root
1687 # RHEL invocation of the metadata proxy will report /usr/bin/python
1688 kill_metadata: KillFilter, root, python, -9
1689 kill_metadata2: KillFilter, root, python2, -9
1690 kill_metadata7: KillFilter, root, python2.7, -9
1691 kill_metadata3: KillFilter, root, python3, -9
1692 kill_metadata35: KillFilter, root, python3.5, -9
1693 kill_metadata36: KillFilter, root, python3.6, -9
1694 kill_metadata37: KillFilter, root, python3.7, -9
1695
1696 # ip_lib
1697 ip: IpFilter, ip, root
1698 find: RegExpFilter, find, root, find, /sys/class/net, -maxdepth, 1, -type, l, -printf, %.*
1699 ip_exec: IpNetnsExecFilter, ip, root
1700 ebtables:
1701 pods:
1702 - dhcp_agent
1703 - l3_agent
1704 - lb_agent
1705 - metadata_agent
Oleksandr Kozachenkoc0022be2023-05-23 20:36:21 +02001706 - ovn_metadata_agent
Mohammed Naserf3f59a72023-01-15 21:02:04 -05001707 - ovs_agent
1708 - sriov_agent
1709 content: |
1710 # neutron-rootwrap command filters for nodes on which neutron is
1711 # expected to control network
1712 #
1713 # This file should be owned by (and only-writeable by) the root user
1714
1715 # format seems to be
1716 # cmd-name: filter-name, raw-command, user, args
1717
1718 [Filters]
1719
1720 ebtables: CommandFilter, ebtables, root
1721 iptables_firewall:
1722 pods:
1723 - dhcp_agent
1724 - l3_agent
1725 - lb_agent
1726 - metadata_agent
Oleksandr Kozachenkoc0022be2023-05-23 20:36:21 +02001727 - ovn_metadata_agent
Mohammed Naserf3f59a72023-01-15 21:02:04 -05001728 - ovs_agent
1729 - sriov_agent
1730 content: |
1731 # neutron-rootwrap command filters for nodes on which neutron is
1732 # expected to control network
1733 #
1734 # This file should be owned by (and only-writeable by) the root user
1735
1736 # format seems to be
1737 # cmd-name: filter-name, raw-command, user, args
1738
1739 [Filters]
1740
1741 # neutron/agent/linux/iptables_firewall.py
1742 # "iptables-save", ...
1743 iptables-save: CommandFilter, iptables-save, root
1744 iptables-restore: CommandFilter, iptables-restore, root
1745 ip6tables-save: CommandFilter, ip6tables-save, root
1746 ip6tables-restore: CommandFilter, ip6tables-restore, root
1747
1748 # neutron/agent/linux/iptables_firewall.py
1749 # "iptables", "-A", ...
1750 iptables: CommandFilter, iptables, root
1751 ip6tables: CommandFilter, ip6tables, root
1752
1753 # neutron/agent/linux/iptables_firewall.py
1754 sysctl: CommandFilter, sysctl, root
1755
1756 # neutron/agent/linux/ip_conntrack.py
1757 conntrack: CommandFilter, conntrack, root
1758 linuxbridge_plugin:
1759 pods:
1760 - dhcp_agent
1761 - l3_agent
1762 - lb_agent
1763 - metadata_agent
Oleksandr Kozachenkoc0022be2023-05-23 20:36:21 +02001764 - ovn_metadata_agent
Mohammed Naserf3f59a72023-01-15 21:02:04 -05001765 - ovs_agent
1766 - sriov_agent
1767 content: |
1768 # neutron-rootwrap command filters for nodes on which neutron is
1769 # expected to control network
1770 #
1771 # This file should be owned by (and only-writeable by) the root user
1772
1773 # format seems to be
1774 # cmd-name: filter-name, raw-command, user, args
1775
1776 [Filters]
1777
1778 # linuxbridge-agent
1779 # unclear whether both variants are necessary, but I'm transliterating
1780 # from the old mechanism
1781 brctl: CommandFilter, brctl, root
1782 bridge: CommandFilter, bridge, root
1783
1784 # ip_lib
1785 ip: IpFilter, ip, root
1786 find: RegExpFilter, find, root, find, /sys/class/net, -maxdepth, 1, -type, l, -printf, %.*
1787 ip_exec: IpNetnsExecFilter, ip, root
1788
1789 # tc commands needed for QoS support
1790 tc_replace_tbf: RegExpFilter, tc, root, tc, qdisc, replace, dev, .+, root, tbf, rate, .+, latency, .+, burst, .+
1791 tc_add_ingress: RegExpFilter, tc, root, tc, qdisc, add, dev, .+, ingress, handle, .+
1792 tc_delete: RegExpFilter, tc, root, tc, qdisc, del, dev, .+, .+
1793 tc_show_qdisc: RegExpFilter, tc, root, tc, qdisc, show, dev, .+
1794 tc_show_filters: RegExpFilter, tc, root, tc, filter, show, dev, .+, parent, .+
1795 tc_add_filter: RegExpFilter, tc, root, tc, filter, add, dev, .+, parent, .+, protocol, all, prio, .+, basic, police, rate, .+, burst, .+, mtu, .+, drop
1796 openvswitch_plugin:
1797 pods:
1798 - dhcp_agent
1799 - l3_agent
1800 - lb_agent
1801 - metadata_agent
Oleksandr Kozachenkoc0022be2023-05-23 20:36:21 +02001802 - ovn_metadata_agent
Mohammed Naserf3f59a72023-01-15 21:02:04 -05001803 - ovs_agent
1804 - sriov_agent
1805 content: |
1806 # neutron-rootwrap command filters for nodes on which neutron is
1807 # expected to control network
1808 #
1809 # This file should be owned by (and only-writeable by) the root user
1810
1811 # format seems to be
1812 # cmd-name: filter-name, raw-command, user, args
1813
1814 [Filters]
1815
1816 # openvswitch-agent
1817 # unclear whether both variants are necessary, but I'm transliterating
1818 # from the old mechanism
1819 ovs-vsctl: CommandFilter, ovs-vsctl, root
1820 # NOTE(yamamoto): of_interface=native doesn't use ovs-ofctl
1821 ovs-ofctl: CommandFilter, ovs-ofctl, root
1822 ovs-appctl: CommandFilter, ovs-appctl, root
1823 kill_ovsdb_client: KillFilter, root, /usr/bin/ovsdb-client, -9
1824 ovsdb-client: CommandFilter, ovsdb-client, root
1825 xe: CommandFilter, xe, root
1826
1827 # ip_lib
1828 ip: IpFilter, ip, root
1829 find: RegExpFilter, find, root, find, /sys/class/net, -maxdepth, 1, -type, l, -printf, %.*
1830 ip_exec: IpNetnsExecFilter, ip, root
1831
1832 # needed for FDB extension
1833 bridge: CommandFilter, bridge, root
1834 privsep:
1835 pods:
1836 - dhcp_agent
1837 - l3_agent
1838 - lb_agent
1839 - metadata_agent
Oleksandr Kozachenkoc0022be2023-05-23 20:36:21 +02001840 - ovn_metadata_agent
Mohammed Naserf3f59a72023-01-15 21:02:04 -05001841 - ovs_agent
1842 - sriov_agent
1843 - netns_cleanup_cron
1844 content: |
1845 # Command filters to allow privsep daemon to be started via rootwrap.
1846 #
1847 # This file should be owned by (and only-writeable by) the root user
1848
1849 [Filters]
1850
1851 # By installing the following, the local admin is asserting that:
1852 #
1853 # 1. The python module load path used by privsep-helper
1854 # command as root (as started by sudo/rootwrap) is trusted.
1855 # 2. Any oslo.config files matching the --config-file
1856 # arguments below are trusted.
1857 # 3. Users allowed to run sudo/rootwrap with this configuration(*) are
1858 # also allowed to invoke python "entrypoint" functions from
1859 # --privsep_context with the additional (possibly root) privileges
1860 # configured for that context.
1861 #
1862 # (*) ie: the user is allowed by /etc/sudoers to run rootwrap as root
1863 #
1864 # In particular, the oslo.config and python module path must not
1865 # be writeable by the unprivileged user.
1866
1867 # oslo.privsep default neutron context
1868 privsep: PathFilter, privsep-helper, root,
1869 --config-file, /etc,
1870 --privsep_context, neutron.privileged.default,
1871 --privsep_sock_path, /
1872
1873 # NOTE: A second `--config-file` arg can also be added above. Since
1874 # many neutron components are installed like that (eg: by devstack).
1875 # Adjust to suit local requirements.
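# rootwrap filter set for the bagpipe-bgp VXLAN Linux Bridge dataplane
# (filter content kept byte-for-byte).
# NOTE(review): the `sh` entry is a CommandFilter, which matches on the
# executable name only and places no constraint on arguments, so this filter
# set effectively allows an unrestricted root shell to whatever account may
# call rootwrap with it. `modprobe` is matched by name only as well. The
# `pods` list names only bagpipe_bgp (presumably the pods that receive this
# file). If bagpipe-bgp is not deployed, drop this filter set; if it is,
# prefer RegExpFilter entries that pin the exact piped commands it needs.
linux_vxlan:
  pods:
    - bagpipe_bgp
  content: |
    # bagpipe-bgp-rootwrap command filters for nodes on which bagpipe-bgp is
    # expected to control VXLAN Linux Bridge dataplane
    #
    # This file should be owned by (and only-writeable by) the root user

    # format seems to be
    # cmd-name: filter-name, raw-command, user, args

    [Filters]

    #
    modprobe: CommandFilter, modprobe, root

    #
    brctl: CommandFilter, brctl, root
    bridge: CommandFilter, bridge, root

    # ip_lib
    ip: IpFilter, ip, root
    ip_exec: IpNetnsExecFilter, ip, root

    # shell (for piped commands)
    sh: CommandFilter, sh, root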
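# rootwrap filter set for the bagpipe-bgp MPLS Open vSwitch dataplane
# (filter content kept byte-for-byte).
# NOTE(review): as in the VXLAN filter set, `sh` is a CommandFilter that
# checks only the executable name, so it permits sh as root with any
# arguments. The `pods` list names only bagpipe_bgp. Remove this filter set
# where bagpipe-bgp is not deployed, and otherwise replace the `sh` entry
# with RegExpFilter entries for the specific commands required.
mpls_ovs_dataplane:
  pods:
    - bagpipe_bgp
  content: |
    # bagpipe-bgp-rootwrap command filters for nodes on which bagpipe-bgp is
    # expected to control MPLS OpenVSwitch dataplane
    #
    # This file should be owned by (and only-writeable by) the root user

    # format seems to be
    # cmd-name: filter-name, raw-command, user, args

    [Filters]

    # openvswitch
    ovs-vsctl: CommandFilter, ovs-vsctl, root
    ovs-ofctl: CommandFilter, ovs-ofctl, root

    # ip_lib
    ip: IpFilter, ip, root
    ip_exec: IpNetnsExecFilter, ip, root

    # shell (for piped commands)
    sh: CommandFilter, sh, root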
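# neutron.conf option groups, restored to nested YAML (one mapping per
# oslo.config section) with the blame/gutter residue removed; all option
# names and values are as listed.
neutron:
  DEFAULT:
    metadata_proxy_socket: /var/lib/neutron/openstack-helm/metadata_proxy
    log_config_append: /etc/neutron/logging.conf
    # NOTE(portdirect): the bind port should not be defined, and is manipulated
    # via the endpoints section.
    bind_port: null
    default_availability_zones: nova
    api_workers: 1
    rpc_workers: 4
    allow_overlapping_ips: True
    state_path: /var/lib/neutron
    # core_plugin can be: ml2, calico
    core_plugin: ml2
    # service_plugin can be: router, odl-router, empty for calico,
    # networking_ovn.l3.l3_ovn.OVNL3RouterPlugin for OVN
    service_plugins: router
    allow_automatic_l3agent_failover: True
    l3_ha: True
    max_l3_agents_per_router: 2
    l3_ha_network_type: vxlan
    network_auto_schedule: True
    router_auto_schedule: True
    # (NOTE)portdirect: if unset this is populated dynamically from the value in
    # 'network.backend' to sane defaults.
    interface_driver: null
  oslo_concurrency:
    lock_path: /var/lib/neutron/tmp
  database:
    max_retries: -1
  agent:
    # Privileged commands are run through sudo and neutron-rootwrap; these
    # paths have to match the ones granted to the neutron user in sudoers.
    root_helper: sudo /var/lib/openstack/bin/neutron-rootwrap /etc/neutron/rootwrap.conf
    root_helper_daemon: sudo /var/lib/openstack/bin/neutron-rootwrap-daemon /etc/neutron/rootwrap.conf
  oslo_messaging_notifications:
    driver: messagingv2
  oslo_messaging_rabbit:
    rabbit_ha_queues: true
  oslo_middleware:
    # NOTE(review): with this enabled the http_proxy_to_wsgi filter honours
    # forwarding headers from the request. That is only safe when the API is
    # reachable solely through a proxy/ingress that sets or strips those
    # headers; confirm no path bypasses it.
    enable_proxy_headers_parsing: true
  oslo_policy:
    policy_file: /etc/neutron/policy.yaml
  ovn:
    ovn_metadata_enabled: true
  nova:
    auth_type: password
    auth_version: v3
    endpoint_type: internal
  placement:
    auth_type: password
    auth_version: v3
    endpoint_type: internal
  designate:
    auth_type: password
    auth_version: v3
    endpoint_type: internal
    allow_reverse_dns_lookup: true
  ironic:
    endpoint_type: internal
  keystone_authtoken:
    # Service tokens are accepted only when they carry the "service" role.
    service_token_roles: service
    service_token_roles_required: true
    # NOTE(review): ENCRYPT needs a memcache_secret_key, which is not set in
    # this section; presumably the chart templates inject it. Verify that a
    # per-deployment secret is used rather than a shared default.
    memcache_security_strategy: ENCRYPT
    auth_type: password
    auth_version: v3
    service_type: network
  octavia:
    request_poll_timeout: 3000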
1994 logging:
1995 loggers:
1996 keys:
1997 - root
1998 - neutron
1999 - neutron_taas
2000 handlers:
2001 keys:
2002 - stdout
2003 - stderr
2004 - "null"
2005 formatters:
2006 keys:
2007 - context
2008 - default
2009 logger_root:
2010 level: WARNING
2011 handlers: 'null'
2012 logger_neutron:
2013 level: INFO
2014 handlers:
2015 - stdout
2016 qualname: neutron
2017 logger_neutron_taas:
2018 level: INFO
2019 handlers:
2020 - stdout
2021 qualname: neutron_taas
2022 logger_amqp:
2023 level: WARNING
2024 handlers: stderr
2025 qualname: amqp
2026 logger_amqplib:
2027 level: WARNING
2028 handlers: stderr
2029 qualname: amqplib
2030 logger_eventletwsgi:
2031 level: WARNING
2032 handlers: stderr
2033 qualname: eventlet.wsgi.server
2034 logger_sqlalchemy:
2035 level: WARNING
2036 handlers: stderr
2037 qualname: sqlalchemy
2038 logger_boto:
2039 level: WARNING
2040 handlers: stderr
2041 qualname: boto
2042 handler_null:
2043 class: logging.NullHandler
2044 formatter: default
2045 args: ()
2046 handler_stdout:
2047 class: StreamHandler
2048 args: (sys.stdout,)
2049 formatter: context
2050 handler_stderr:
2051 class: StreamHandler
2052 args: (sys.stderr,)
2053 formatter: context
2054 formatter_context:
2055 class: oslo_log.formatters.ContextFormatter
2056 datefmt: "%Y-%m-%d %H:%M:%S"
2057 formatter_default:
2058 format: "%(message)s"
2059 datefmt: "%Y-%m-%d %H:%M:%S"
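# Per-plugin and per-agent configuration files, restored to nested YAML with
# the blame/gutter residue removed; option names and values are as listed.
plugins:
  ml2_conf:
    ml2:
      # port_security provides the per-port anti-spoofing toggle.
      extension_drivers: port_security
      # (NOTE)portdirect: if unset this is populated dynamically from the value
      # in 'network.backend' to sane defaults.
      mechanism_drivers: null
      type_drivers: flat,vlan,vxlan,local
      tenant_network_types: vxlan
    ml2_type_vxlan:
      vni_ranges: 1:1000
      vxlan_group: 239.1.1.1
    ml2_type_flat:
      # NOTE(review): "*" accepts any physical network name for flat
      # networks. List the intended physnets explicitly where provider
      # network creation should be constrained.
      flat_networks: "*"
    # If you want to use the external network as a tagged provider network,
    # a range should be specified including the intended VLAN target
    # using ml2_type_vlan.network_vlan_ranges:
    # ml2_type_vlan:
    #   network_vlan_ranges: "external:1100:1110"
    ml2_type_geneve:
      vni_ranges: 1:65536
      max_header_size: 38
    agent:
      extensions: ""
  ml2_conf_sriov: null
  taas:
    taas:
      enabled: False
  openvswitch_agent:
    agent:
      tunnel_types: vxlan
      l2_population: True
      arp_responder: True
    ovs:
      bridge_mappings: "external:br-ex"
    securitygroup:
      firewall_driver: neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver
  linuxbridge_agent:
    linux_bridge:
      # To define Flat and VLAN connections, in LB we can assign
      # specific interface to the flat/vlan network name using:
      # physical_interface_mappings: "external:eth3"
      # Or we can set the mapping between the network and bridge:
      bridge_mappings: "external:br-ex"
      # The two above options are exclusive, do not use both of them at once
    securitygroup:
      firewall_driver: iptables
    vxlan:
      l2_population: True
      arp_responder: True
  macvtap_agent: null
  sriov_agent:
    securitygroup:
      # NOTE(review): the no-op driver means this agent applies no security
      # group rules to its ports; traffic filtering for SR-IOV ports has to
      # be provided elsewhere (fabric ACLs or in-guest firewalls).
      firewall_driver: neutron.agent.firewall.NoopFirewallDriver
    sriov_nic:
      physical_device_mappings: physnet2:enp3s0f1
      # NOTE: do not use null here, use an empty string
      exclude_devices: ""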
2118 dhcp_agent:
2119 DEFAULT:
2120 # (NOTE)portdirect: if unset this is populated dynamically from the value in
2121 # 'network.backend' to sane defaults.
2122 interface_driver: null
2123 dnsmasq_config_file: /etc/neutron/dnsmasq.conf
2124 force_metadata: True
JustHumanzbfee65a2025-02-11 00:09:55 +07002125 # NOTE(mnaser): This has to be here in order for the DHCP agent to work with OVN.
2126 ovs: {}
Mohammed Naserf3f59a72023-01-15 21:02:04 -05002127 dnsmasq: |
2128 #no-hosts
2129 #port=5353
2130 #cache-size=500
2131 #no-negcache
2132 #dns-forward-max=100
2133 #resolve-file=
2134 #strict-order
2135 #bind-interface
2136 #bind-dynamic
2137 #domain=
2138 #dhcp-range=10.10.10.10,10.10.10.100,24h
2139 #dhcp-lease-max=150
2140 #dhcp-host=11:22:33:44:55:66,ignore
2141 #dhcp-option=3,10.10.10.1
2142 #dhcp-option-force=26,1450
2143
2144 l3_agent:
2145 DEFAULT:
2146 # (NOTE)portdirect: if unset this is populated dynamically from the value in
2147 # 'network.backend' to sane defaults.
2148 interface_driver: null
2149 agent_mode: legacy
2150 metering_agent: null
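# Neutron metadata agent configuration, restored to nested YAML with the
# gutter residue removed; option names and values are as listed.
metadata_agent:
  DEFAULT:
    # we cannot change the proxy socket path as it is declared
    # as a hostPath volume from agent daemonsets
    metadata_proxy_socket: /var/lib/neutron/openstack-helm/metadata_proxy
    # NOTE(review): "password" is a placeholder, not a secret. This value
    # authenticates metadata requests proxied to Nova, so override it per
    # deployment with a random value taken from a secret store, and keep it
    # identical to the metadata shared secret configured on the Nova side.
    metadata_proxy_shared_secret: "password"
  cache:
    enabled: true
    backend: dogpile.cache.memcached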
2160 bagpipe_bgp: {}
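# OVN metadata agent configuration, restored to nested YAML with the
# blame/gutter residue removed; option names and values are as listed.
ovn_metadata_agent:
  DEFAULT:
    # we cannot change the proxy socket path as it is declared
    # as a hostPath volume from agent daemonsets
    metadata_proxy_socket: /var/lib/neutron/openstack-helm/metadata_proxy
    # NOTE(review): "password" is a placeholder, not a secret. Override it
    # per deployment with a random value from a secret store and keep it
    # identical to the metadata shared secret configured on the Nova side;
    # a guessable value weakens the check that a metadata request really
    # comes from the proxy.
    metadata_proxy_shared_secret: "password"
    metadata_workers: 2
  cache:
    enabled: true
    backend: dogpile.cache.memcached
  ovs:
    ovsdb_connection: unix:/run/openvswitch/db.sock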
Rico Lincf86b122023-11-02 01:29:14 +08002173 bgp_dragent: {}
Mohammed Naserf3f59a72023-01-15 21:02:04 -05002174
2175 rabbitmq:
2176 # NOTE(rk760n): adding rmq policy to mirror messages from notification queues and set expiration time for the ones
2177 policies:
2178 - vhost: "neutron"
2179 name: "ha_ttl_neutron"
2180 definition:
2181 # mirror messages to other nodes in rmq cluster
2182 ha-mode: "all"
2183 ha-sync-mode: "automatic"
2184 # 70s
2185 message-ttl: 70000
2186 priority: 0
2187 apply-to: all
2188 pattern: '^(?!(amq\.|reply_)).*'
2189 ## NOTE: "besteffort" is meant for dev env with mixed compute type only.
2190 ## This helps prevent sriov init script from failing due to mis-matched NIC
2191 ## For prod env, target NIC should match and init script should fail otherwise.
2192 ## sriov_init:
2193 ## - besteffort
2194 sriov_init:
2195 -
2196 # auto_bridge_add is a table of "bridge: interface" pairs
2197 # To automatically add physical interfaces to specific bridges,
2198 # for example eth3 to bridge br-physnet1, if0 to br0 and iface_two
2199 # to br1 do something like:
2200 #
2201 # auto_bridge_add:
2202 # br-physnet1: eth3
2203 # br0: if0
2204 # br1: iface_two
2205 # br-ex will be added by default
2206 auto_bridge_add:
2207 br-ex: null
2208
Mohammed Nasera720f882023-06-30 23:48:02 -04002209 # Network off-loading configuration
2210 netoffload:
ricolin18e6fd32023-07-17 06:17:15 +00002211 enabled: false
Mohammed Nasera720f882023-06-30 23:48:02 -04002212 asap2:
2213 # - dev: enp97s0f0
2214 # vfs: 16
2215
Mohammed Naserf3f59a72023-01-15 21:02:04 -05002216 # configuration of OVS DPDK bridges and NICs
2217 # this is a separate section and not part of the auto_bridge_add section
2218 # because additional parameters are needed
2219 ovs_dpdk:
2220 enabled: false
2221 # setting update_dpdk_bond_config to true will have default behavior,
2222 # which may cause disruptions in ovs dpdk traffic in case of neutron
2223 # ovs agent restart or when dpdk nic/bond configurations are changed.
2224 # Setting this to false will configure dpdk in the first run and
2225 # disable nic/bond config on event of restart or config update.
2226 update_dpdk_bond_config: true
2227 driver: uio_pci_generic
2228 # In case bonds are configured, the nics which are part of those bonds
2229 # must NOT be provided here.
2230 nics:
2231 - name: dpdk0
2232 pci_id: '0000:05:00.0'
2233 # Set VF Index in case some particular VF(s) need to be
2234 # used with ovs-dpdk.
2235 # vf_index: 0
2236 bridge: br-phy
2237 migrate_ip: true
2238 n_rxq: 2
2239 n_txq: 2
2240 pmd_rxq_affinity: "0:3,1:27"
2241 ofport_request: 1
2242 # optional parameters for tuning the OVS DPDK config
2243 # in alignment with the available hardware resources
2244 # mtu: 2000
2245 # n_rxq_size: 1024
2246 # n_txq_size: 1024
2247 # vhost-iommu-support: true
2248 bridges:
2249 - name: br-phy
2250 # optional parameter, in case tunnel traffic needs to be transported over a vlan underlay
2251 # - tunnel_underlay_vlan: 45
2252 # Optional parameter for configuring bonding in OVS-DPDK
2253 # - name: br-phy-bond0
2254 # bonds:
2255 # - name: dpdkbond0
2256 # bridge: br-phy-bond0
2257 # # The IP from the first nic in nics list shall be used
2258 # migrate_ip: true
2259 # mtu: 2000
2260 # # Please note that n_rxq is set for each NIC individually
2261 # # rather than denoting the total number of rx queues for
2262 # # the bond as a whole. So setting n_rxq = 2 below for ex.
2263 # # would be 4 rx queues in total for the bond.
2264 # # Same for n_txq
2265 # n_rxq: 2
2266 # n_txq: 2
2267 # ofport_request: 1
2268 # n_rxq_size: 1024
2269 # n_txq_size: 1024
2270 # vhost-iommu-support: true
2271 # ovs_options: "bond_mode=active-backup"
2272 # nics:
2273 # - name: dpdk_b0s0
2274 # pci_id: '0000:06:00.0'
2275 # pmd_rxq_affinity: "0:3,1:27"
2276 # # Set VF Index in case some particular VF(s) need to be
2277 # # used with ovs-dpdk. In which case pci_id of PF must be
2278 # # provided above.
2279 # # vf_index: 0
2280 # - name: dpdk_b0s1
2281 # pci_id: '0000:07:00.0'
2282 # pmd_rxq_affinity: "0:3,1:27"
2283 # # Set VF Index in case some particular VF(s) need to be
2284 # # used with ovs-dpdk. In which case pci_id of PF must be
2285 # # provided above.
2286 # # vf_index: 0
2287 #
2288 # Set the log level for each target module (default level is always dbg)
2289 # Supported log levels are: off, emer, err, warn, info, dbg
2290 #
2291 # modules:
2292 # - name: dpdk
2293 # log_level: info
2294
2295# Names of secrets used by bootstrap and environmental checks
2296secrets:
2297 identity:
2298 admin: neutron-keystone-admin
2299 neutron: neutron-keystone-user
2300 test: neutron-keystone-test
2301 oslo_db:
2302 admin: neutron-db-admin
2303 neutron: neutron-db-user
2304 oslo_messaging:
2305 admin: neutron-rabbitmq-admin
2306 neutron: neutron-rabbitmq-user
2307 tls:
2308 compute_metadata:
2309 metadata:
2310 internal: metadata-tls-metadata
2311 network:
2312 server:
2313 public: neutron-tls-public
2314 internal: neutron-tls-server
2315 oci_image_registry:
2316 neutron: neutron-oci-image-registry
2317
2318# typically overridden by environmental
2319# values, but should include all endpoints
2320# required by this chart
2321endpoints:
2322 cluster_domain_suffix: cluster.local
2323 local_image_registry:
2324 name: docker-registry
2325 namespace: docker-registry
2326 hosts:
2327 default: localhost
2328 internal: docker-registry
2329 node: localhost
2330 host_fqdn_override:
2331 default: null
2332 port:
2333 registry:
2334 node: 5000
2335 oci_image_registry:
2336 name: oci-image-registry
2337 namespace: oci-image-registry
2338 auth:
2339 enabled: false
2340 neutron:
2341 username: neutron
2342 password: password
2343 hosts:
2344 default: localhost
2345 host_fqdn_override:
2346 default: null
2347 port:
2348 registry:
2349 default: null
2350 oslo_db:
2351 auth:
 # NOTE(review): "password" is a placeholder default, and the admin account
 # here is the database root user. Override both credentials per deployment
 # (from a secret store, not a committed values file). The same placeholder
 # is repeated under oci_image_registry, oslo_messaging and identity in
 # this file.
2352 admin:
2353 username: root
2354 password: password
2355 secret:
2356 tls:
2357 internal: mariadb-tls-direct
2358 neutron:
2359 username: neutron
2360 password: password
2361 hosts:
2362 default: mariadb
2363 host_fqdn_override:
2364 default: null
2365 path: /neutron
2366 scheme: mysql+pymysql
2367 port:
2368 mysql:
2369 default: 3306
2370 oslo_messaging:
2371 auth:
2372 admin:
2373 username: rabbitmq
2374 password: password
2375 secret:
2376 tls:
2377 internal: rabbitmq-tls-direct
2378 neutron:
2379 username: neutron
2380 password: password
2381 statefulset:
2382 replicas: 2
2383 name: rabbitmq-rabbitmq
2384 hosts:
2385 default: rabbitmq
2386 host_fqdn_override:
2387 default: null
2388 path: /neutron
2389 scheme: rabbit
2390 port:
2391 amqp:
2392 default: 5672
2393 http:
2394 default: 15672
2395 oslo_cache:
2396 auth:
2397 # NOTE(portdirect): this is used to define the value for keystone
2398 # authtoken cache encryption key, if not set it will be populated
2399 # automatically with a random value, but to take advantage of
2400 # this feature all services should be set to use the same key,
2401 # and memcache service.
2402 memcache_secret_key: null
2403 hosts:
2404 default: memcached
2405 host_fqdn_override:
2406 default: null
2407 port:
2408 memcache:
2409 default: 11211
2410 compute:
2411 name: nova
2412 hosts:
2413 default: nova-api
2414 public: nova
2415 host_fqdn_override:
2416 default: null
2417 path:
2418 default: "/v2.1/%(tenant_id)s"
2419 scheme:
2420 default: 'http'
2421 port:
2422 api:
2423 default: 8774
2424 public: 80
2425 novncproxy:
2426 default: 6080
2427 compute_metadata:
2428 name: nova
2429 hosts:
2430 default: nova-metadata
2431 public: metadata
2432 host_fqdn_override:
2433 default: null
2434 path:
2435 default: /
2436 scheme:
2437 default: 'http'
2438 port:
2439 metadata:
2440 default: 8775
2441 public: 80
2442 identity:
2443 name: keystone
2444 auth:
2445 admin:
2446 region_name: RegionOne
2447 username: admin
2448 password: password
2449 project_name: admin
2450 user_domain_name: default
2451 project_domain_name: default
2452 neutron:
Mohammed Naserda994232024-04-13 12:34:01 -04002453 role: admin,service
Mohammed Naserf3f59a72023-01-15 21:02:04 -05002454 region_name: RegionOne
2455 username: neutron
2456 password: password
2457 project_name: service
2458 user_domain_name: service
2459 project_domain_name: service
2460 nova:
2461 region_name: RegionOne
2462 project_name: service
2463 username: nova
2464 password: password
2465 user_domain_name: service
2466 project_domain_name: service
Oleksandr Kozachenkoa10d7852023-02-02 22:01:16 +01002467 placement:
2468 region_name: RegionOne
2469 project_name: service
2470 username: placement
2471 password: password
2472 user_domain_name: service
2473 project_domain_name: service
Mohammed Naserf3f59a72023-01-15 21:02:04 -05002474 designate:
2475 region_name: RegionOne
2476 project_name: service
2477 username: designate
2478 password: password
2479 user_domain_name: service
2480 project_domain_name: service
2481 ironic:
2482 region_name: RegionOne
2483 project_name: service
2484 username: ironic
2485 password: password
2486 user_domain_name: service
2487 project_domain_name: service
2488 test:
2489 role: admin
2490 region_name: RegionOne
2491 username: neutron-test
2492 password: password
2493 # NOTE: this project will be purged and reset if
2494 # conf.rally_tests.force_project_purge is set to true
2495 # which may be required upon test failure, but be aware that this will
2496 # expunge all openstack objects, so if this is used a separate project
2497 # should be used for each helm test, and also it should be ensured
2498 # that this project is not in use by other tenants
2499 project_name: test
2500 user_domain_name: service
2501 project_domain_name: service
2502 hosts:
2503 default: keystone
2504 internal: keystone-api
2505 host_fqdn_override:
2506 default: null
2507 path:
2508 default: /v3
2509 scheme:
2510 default: http
2511 port:
2512 api:
2513 default: 80
2514 internal: 5000
2515 network:
2516 name: neutron
2517 hosts:
2518 default: neutron-server
2519 public: neutron
2520 host_fqdn_override:
2521 default: null
2522 # NOTE(portdirect): this chart supports TLS for fqdn over-ridden public
2523 # endpoints using the following format:
2524 # public:
2525 # host: null
2526 # tls:
2527 # crt: null
2528 # key: null
2529 path:
2530 default: null
2531 scheme:
2532 default: 'http'
2533 service: 'http'
2534 port:
2535 api:
2536 default: 9696
2537 public: 80
2538 service: 9696
Mohammed Naser1c8e53f2024-07-03 13:04:36 -04002539 policy_server:
2540 default: 9697
2541 public: 80
2542 service: 9697
Mohammed Naserf3f59a72023-01-15 21:02:04 -05002543 load_balancer:
2544 name: octavia
2545 hosts:
2546 default: octavia-api
2547 public: octavia
2548 host_fqdn_override:
2549 default: null
2550 path:
2551 default: null
2552 scheme:
2553 default: http
2554 port:
2555 api:
2556 default: 9876
2557 public: 80
2558 fluentd:
2559 namespace: osh-infra
2560 name: fluentd
2561 hosts:
2562 default: fluentd-logging
2563 host_fqdn_override:
2564 default: null
2565 path:
2566 default: null
2567 scheme: 'http'
2568 port:
2569 service:
2570 default: 24224
2571 metrics:
2572 default: 24220
2573 dns:
2574 name: designate
2575 hosts:
2576 default: designate-api
2577 public: designate
2578 host_fqdn_override:
2579 default: null
2580 path:
2581 default: /
2582 scheme:
2583 default: 'http'
2584 port:
2585 api:
2586 default: 9001
2587 public: 80
2588 baremetal:
2589 name: ironic
2590 hosts:
2591 default: ironic-api
2592 public: ironic
2593 host_fqdn_override:
2594 default: null
2595 path:
2596 default: null
2597 scheme:
2598 default: 'http'
2599 port:
2600 api:
2601 default: 6385
2602 public: 80
2603 # NOTE(tp6510): these endpoints allow for things like DNS lookups and ingress
2604 # They are used to enable the Egress K8s network policy.
2605 kube_dns:
2606 namespace: kube-system
2607 name: kubernetes-dns
2608 hosts:
2609 default: kube-dns
2610 host_fqdn_override:
2611 default: null
2612 path:
2613 default: null
2614 scheme: http
2615 port:
2616 dns:
2617 default: 53
2618 protocol: UDP
2619 ingress:
2620 namespace: null
2621 name: ingress
2622 hosts:
2623 default: ingress
2624 port:
2625 ingress:
2626 default: 80
2627
2628network_policy:
2629 neutron:
2630 # TODO(lamt): Need to tighten this ingress for security.
 # NOTE(review): in a Kubernetes NetworkPolicy an empty rule (`- {}`)
 # matches every peer and port, so if these lists are copied into the
 # policy spec (presumably - confirm in the chart templates) the policy
 # admits all ingress and egress even once manifests.network_policy is
 # turned on. Replace both with explicit selectors and ports before
 # relying on this policy for isolation.
2631 ingress:
2632 - {}
2633 egress:
2634 - {}
2635
2636helm3_hook: true
2637
2638health_probe:
2639 logging:
2640 level: ERROR
2641
2642tls:
 # NOTE(review): all three flags default to false, and the endpoint schemes
 # in this file default to http. Presumably the chart then connects to
 # Keystone, RabbitMQ and MariaDB without TLS, so service credentials cross
 # the cluster network in clear text - confirm in the templates, and enable
 # these wherever the TLS secrets named under `secrets.tls` and
 # `auth.admin.secret.tls` are provisioned.
2643 identity: false
2644 oslo_messaging: false
2645 oslo_db: false
2646
2647manifests:
2648 certificates: false
2649 configmap_bin: true
2650 configmap_etc: true
2651 daemonset_dhcp_agent: true
2652 daemonset_l3_agent: true
2653 daemonset_lb_agent: true
2654 daemonset_metadata_agent: true
2655 daemonset_ovs_agent: true
2656 daemonset_sriov_agent: true
2657 daemonset_l2gw_agent: false
2658 daemonset_bagpipe_bgp: false
Rico Lincf86b122023-11-02 01:29:14 +08002659 daemonset_bgp_dragent: false
Mohammed Naserf3f59a72023-01-15 21:02:04 -05002660 daemonset_netns_cleanup_cron: true
2661 deployment_ironic_agent: false
2662 deployment_server: true
Rico Lin0e153482024-05-03 03:29:14 +08002663 deployment_rpc_server: true
Mohammed Naserf3f59a72023-01-15 21:02:04 -05002664 ingress_server: true
2665 job_bootstrap: true
2666 job_db_init: true
2667 job_db_sync: true
2668 job_db_drop: false
2669 job_image_repo_sync: true
2670 job_ks_endpoints: true
2671 job_ks_service: true
2672 job_ks_user: true
2673 job_rabbit_init: true
2674 pdb_server: true
2675 pod_rally_test: true
2676 network_policy: false
2677 secret_db: true
2678 secret_ingress_tls: true
2679 secret_keystone: true
2680 secret_rabbitmq: true
2681 secret_registry: true
2682 service_ingress_server: true
2683 service_server: true
2684...