
============
Nova Formula
============

OpenStack Nova provides a cloud computing fabric controller, supporting a wide
variety of virtualization technologies, including KVM, Xen, LXC, VMware, and
more. In addition to its native API, it includes compatibility with the
commonly encountered Amazon EC2 and S3 APIs.

Sample Pillars
==============

Controller nodes
----------------

Nova services on the controller node

.. code-block:: yaml

    nova:
      controller:
        version: juno
        enabled: true
        security_group: true
        cpu_allocation_ratio: 8.0
        ram_allocation_ratio: 1.0
        disk_allocation_ratio: 1.0
        cross_az_attach: false
        workers: 8
        report_interval: 60
        bind:
          public_address: 10.0.0.122
          public_name: openstack.domain.com
          novncproxy_port: 6080
        database:
          engine: mysql
          host: 127.0.0.1
          port: 3306
          name: nova
          user: nova
          password: pwd
        identity:
          engine: keystone
          host: 127.0.0.1
          port: 35357
          user: nova
          password: pwd
          tenant: service
        message_queue:
          engine: rabbitmq
          host: 127.0.0.1
          port: 5672
          user: openstack
          password: pwd
          virtual_host: '/openstack'
        network:
          engine: neutron
          host: 127.0.0.1
          port: 9696
          extension_sync_interval: 600
          identity:
            engine: keystone
            host: 127.0.0.1
            port: 35357
            user: neutron
            password: pwd
            tenant: service
        metadata:
          password: password
        audit:
          enabled: false
        osapi_max_limit: 500
        barbican:
          enabled: true


Nova services from custom package repository

.. code-block:: yaml

    nova:
      controller:
        version: juno
        source:
          engine: pkg
          address: http://...
        ....


Client-side RabbitMQ HA setup

.. code-block:: yaml

    nova:
      controller:
        ....
        message_queue:
          engine: rabbitmq
          members:
            - host: 10.0.16.1
            - host: 10.0.16.2
            - host: 10.0.16.3
          user: openstack
          password: pwd
          virtual_host: '/openstack'
        ....


Enable the auditing filter, i.e. CADF

.. code-block:: yaml

    nova:
      controller:
        audit:
          enabled: true
          ....
          filter_factory: 'keystonemiddleware.audit:filter_factory'
          map_file: '/etc/pycadf/nova_api_audit_map.conf'
        ....


Enable CORS parameters

.. code-block:: yaml

    nova:
      controller:
        cors:
          allowed_origin: https:localhost.local,http:localhost.local
          expose_headers: X-Auth-Token,X-Openstack-Request-Id,X-Subject-Token
          allow_methods: GET,PUT,POST,DELETE,PATCH
          allow_headers: X-Auth-Token,X-Openstack-Request-Id,X-Subject-Token
          allow_credentials: True
          max_age: 86400

Configuration of policy.json file

.. code-block:: yaml

    nova:
      controller:
        ....
        policy:
          context_is_admin: 'role:admin or role:administrator'
          'compute:create': 'rule:admin_or_owner'
          # Add key without value to remove line from policy.json
          'compute:create:attach_network':

Enable Barbican integration

.. code-block:: yaml

    nova:
      controller:
        ....
        barbican:
          enabled: true


Configuring TLS communications
------------------------------

**Note:** by default the system-wide installed CA certificates are used, so the ``cacert_file`` parameter is optional, as is ``cacert``.

- **RabbitMQ TLS**

.. code-block:: yaml

    nova:
      compute:
        message_queue:
          port: 5671
          ssl:
            enabled: True
            cacert: cert body if the cacert_file does not exist  # optional
            cacert_file: /etc/openstack/rabbitmq-ca.pem  # optional
            version: TLSv1_2  # optional


- **MySQL TLS**

.. code-block:: yaml

    nova:
      controller:
        database:
          ssl:
            enabled: True
            cacert: cert body if the cacert_file does not exist  # optional
            cacert_file: /etc/openstack/mysql-ca.pem  # optional

- **Openstack HTTPS API**

Set ``https`` as the protocol in the ``nova:compute`` and ``nova:controller`` sections:

.. code-block:: yaml

    nova:
      controller:
        identity:
          protocol: https
          cacert_file: /etc/openstack/proxy.pem  # optional
        network:
          protocol: https
          cacert_file: /etc/openstack/proxy.pem  # optional
        glance:
          protocol: https
          cacert_file: /etc/openstack/proxy.pem  # optional


.. code-block:: yaml

    nova:
      compute:
        identity:
          protocol: https
          cacert_file: /etc/openstack/proxy.pem  # optional
        network:
          protocol: https
          cacert_file: /etc/openstack/proxy.pem  # optional
        image:
          protocol: https
          cacert_file: /etc/openstack/proxy.pem  # optional
        ironic:
          protocol: https
          cacert_file: /etc/openstack/proxy.pem  # optional


**Note:** the barbican, cinder and placement URL endpoints are discovered using the service catalog.


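A pillar audit for the TLS settings described above, as an added example that is not part of the formula: it walks a pillar dict and reports every backend connection still left on plaintext. The key names come from the samples on this page; ``audit_nova_tls``, the sample pillar and the assumption that a missing ``protocol`` key means plain HTTP are constructed for illustration.

```python
"""Added example: audit a nova pillar for plaintext service connections.

Key names (message_queue, database, ssl.enabled, protocol, ...) are taken
from the sample pillars; audit_nova_tls and SAMPLE_PILLAR are constructed.
"""

# Backends secured with an ``ssl: {enabled: True}`` sub-dict.
SSL_BACKENDS = ("message_queue", "database")
# Backends secured by setting ``protocol: https``.
HTTPS_BACKENDS = ("identity", "network", "image", "glance", "ironic")
AMQP_PLAINTEXT_PORT = 5672  # 5671 is the AMQP-over-TLS port used above


def _truthy(value):
    # Pillar values may arrive as bools or as strings such as "True".
    return str(value).strip().lower() in ("true", "yes", "1")


def audit_nova_tls(pillar):
    """Return sorted 'role.backend: reason' findings for plaintext links."""
    findings = []
    for role in ("controller", "compute"):
        section = pillar.get("nova", {}).get(role) or {}
        for name in SSL_BACKENDS:
            backend = section.get(name)
            if not isinstance(backend, dict):
                continue
            if not _truthy((backend.get("ssl") or {}).get("enabled", False)):
                findings.append(f"{role}.{name}: ssl.enabled is not set")
            elif name == "message_queue" and backend.get("port") == AMQP_PLAINTEXT_PORT:
                findings.append(f"{role}.{name}: ssl enabled but port is 5672")
        for name in HTTPS_BACKENDS:
            backend = section.get(name)
            # Assumption: an absent protocol key means plain HTTP.
            if isinstance(backend, dict) and backend.get("protocol", "http") != "https":
                findings.append(f"{role}.{name}: protocol is not https")
    return sorted(findings)


# Constructed sample: controller fully on TLS, compute still on defaults.
SAMPLE_PILLAR = {
    "nova": {
        "controller": {
            "database": {"host": "127.0.0.1", "ssl": {"enabled": True}},
            "message_queue": {"port": 5671, "ssl": {"enabled": True}},
            "identity": {"protocol": "https"},
            "network": {"protocol": "https"},
        },
        "compute": {
            "database": {"host": "127.0.0.1", "port": 3306},
            "message_queue": {"host": "127.0.0.1", "port": 5672},
            "identity": {"host": "127.0.0.1", "port": 35357},
            "image": {"protocol": "https"},
        },
    }
}

if __name__ == "__main__":
    for finding in audit_nova_tls(SAMPLE_PILLAR):
        print(finding)
```
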
Compute nodes
-------------

Nova controller services on compute node

.. code-block:: yaml

    nova:
      compute:
        version: juno
        enabled: true
        virtualization: kvm
        cross_az_attach: false
        disk_cachemodes: network=writeback,block=none
        availability_zone: availability_zone_01
        aggregates:
        - hosts_with_fc
        - hosts_with_ssd
        security_group: true
        resume_guests_state_on_host_boot: False
        my_ip: 10.1.0.16
        bind:
          vnc_address: 172.20.0.100
          vnc_port: 6080
          vnc_name: openstack.domain.com
          vnc_protocol: http
        database:
          engine: mysql
          host: 127.0.0.1
          port: 3306
          name: nova
          user: nova
          password: pwd
        identity:
          engine: keystone
          host: 127.0.0.1
          port: 35357
          user: nova
          password: pwd
          tenant: service
        message_queue:
          engine: rabbitmq
          host: 127.0.0.1
          port: 5672
          user: openstack
          password: pwd
          virtual_host: '/openstack'
        image:
          engine: glance
          host: 127.0.0.1
          port: 9292
        network:
          engine: neutron
          host: 127.0.0.1
          port: 9696
          identity:
            engine: keystone
            host: 127.0.0.1
            port: 35357
            user: neutron
            password: pwd
            tenant: service
        qemu:
          max_files: 4096
          max_processes: 4096
        host: node-12.domain.tld

Group and user to be used for QEMU processes run by the system instance

.. code-block:: yaml

    nova:
      compute:
        enabled: true
        ...
        qemu:
          user: nova
          group: cinder
          dynamic_ownership: 1

Group membership for user nova (upgrade related)

.. code-block:: yaml

    nova:
      compute:
        enabled: true
        ...
        user:
          groups:
          - libvirt

Nova services on compute node with OpenContrail

.. code-block:: yaml

    nova:
      compute:
        enabled: true
        ...
        networking: contrail


Nova services on compute node with memcached caching

.. code-block:: yaml

    nova:
      compute:
        enabled: true
        ...
        cache:
          engine: memcached
          members:
          - host: 127.0.0.1
            port: 11211
          - host: 127.0.0.1
            port: 11211


Client-side RabbitMQ HA setup

.. code-block:: yaml

    nova:
      compute:
        ....
        message_queue:
          engine: rabbitmq
          members:
            - host: 10.0.16.1
            - host: 10.0.16.2
            - host: 10.0.16.3
          user: openstack
          password: pwd
          virtual_host: '/openstack'
        ....

Nova with ephemeral configured with Ceph

.. code-block:: yaml

    nova:
      compute:
        enabled: true
        ...
        ceph:
          ephemeral: yes
          rbd_pool: nova
          rbd_user: nova
          secret_uuid: 03006edd-d957-40a3-ac4c-26cd254b3731
        ....

Nova with ephemeral configured with LVM

.. code-block:: yaml

    nova:
      compute:
        enabled: true
        ...
        lvm:
          ephemeral: yes
          images_volume_group: nova_vg

    linux:
      storage:
        lvm:
          nova_vg:
            name: nova_vg
            devices:
              - /dev/sdf
              - /dev/sdd
              - /dev/sdg
              - /dev/sde
              - /dev/sdc
              - /dev/sdj
              - /dev/sdh

Enable Barbican integration

.. code-block:: yaml

    nova:
      compute:
        ....
        barbican:
          enabled: true


Client role
-----------

Nova configured with NFS

.. code-block:: yaml

    nova:
      compute:
        instances_path: /mnt/nova/instances

    linux:
      storage:
        enabled: true
        mount:
          nfs_nova:
            enabled: true
            path: ${nova:compute:instances_path}
            device: 172.31.35.145:/data
            file_system: nfs
            opts: rw,vers=3

Nova flavors

.. code-block:: yaml

    nova:
      client:
        enabled: true
        server:
          identity:
            flavor:
              flavor1:
                flavor_id: 10
                ram: 4096
                disk: 10
                vcpus: 1
              flavor2:
                flavor_id: auto
                ram: 4096
                disk: 20
                vcpus: 2
          identity1:
            flavor:
              ...


Availability zones

.. code-block:: yaml

    nova:
      client:
        enabled: true
        server:
          identity:
            availability_zones:
            - availability_zone_01
            - availability_zone_02


Aggregates

.. code-block:: yaml

    nova:
      client:
        enabled: true
        server:
          identity:
            aggregates:
            - aggregate1
            - aggregate2

Upgrade levels

.. code-block:: yaml

    nova:
      controller:
        upgrade_levels:
          compute: juno

    nova:
      compute:
        upgrade_levels:
          compute: juno

SR-IOV
------

Add PciPassthroughFilter into scheduler filters and NICs on specific compute nodes.

.. code-block:: yaml

    nova:
      controller:
        sriov: true
        scheduler_default_filters: "DifferentHostFilter,RetryFilter,AvailabilityZoneFilter,RamFilter,CoreFilter,DiskFilter,ComputeFilter,ComputeCapabilitiesFilter,ImagePropertiesFilter,ServerGroupAntiAffinityFilter,ServerGroupAffinityFilter,PciPassthroughFilter"

    nova:
      compute:
        sriov:
          nic_one:
            devname: eth1
            physical_network: physnet1

CPU pinning & Hugepages
-----------------------

CPU pinning of virtual machine instances to dedicated physical CPU cores.
Hugepages mount point for libvirt.

.. code-block:: yaml

    nova:
      controller:
        scheduler_default_filters: "DifferentHostFilter,RetryFilter,AvailabilityZoneFilter,RamFilter,CoreFilter,DiskFilter,ComputeFilter,ComputeCapabilitiesFilter,ImagePropertiesFilter,ServerGroupAntiAffinityFilter,ServerGroupAffinityFilter,NUMATopologyFilter,AggregateInstanceExtraSpecsFilter"

    nova:
      compute:
        vcpu_pin_set: 2,3,4,5
        hugepages:
          mount_points:
          - path: /mnt/hugepages_1GB
          - path: /mnt/hugepages_2MB

Custom Scheduler filters
------------------------

If you have a custom filter that needs to be included in the scheduler, you can include it like so:

.. code-block:: yaml

    nova:
      controller:
        scheduler_custom_filters:
        - my_custom_driver.nova.scheduler.filters.my_custom_filter.MyCustomFilter

        # Then add your custom filter on the end (make sure to include all other ones that you need as well)
        scheduler_default_filters: "DifferentHostFilter,RetryFilter,AvailabilityZoneFilter,RamFilter,CoreFilter,DiskFilter,ComputeFilter,ComputeCapabilitiesFilter,ImagePropertiesFilter,ServerGroupAntiAffinityFilter,ServerGroupAffinityFilter,PciPassthroughFilter,MyCustomFilter"

Hardware Trim/Unmap Support
---------------------------

To enable TRIM support for ephemeral images (through nova managed images), libvirt has this option.

.. code-block:: yaml

    nova:
      compute:
        libvirt:
          hw_disk_discard: unmap

To actually use this feature, the following metadata must also be set on the image so that SCSI unmap is supported.

.. code-block:: bash

    glance image-update --property hw_scsi_model=virtio-scsi <image>
    glance image-update --property hw_disk_bus=scsi <image>


Scheduler Host Manager
----------------------

Specify a custom host manager.

libvirt CPU mode
----------------

Allow setting the model of CPU that is exposed to a VM. This allows better
support for live migration between hypervisors with different hardware, among
other things. Defaults to host-passthrough.


.. code-block:: yaml

    nova:
      controller:
        scheduler_host_manager: ironic_host_manager

      compute:
        cpu_mode: host-model

Nova compute workarounds
------------------------

Live snapshotting is disabled by default in nova. To enable this, it needs a manual switch.

From manual:

.. code-block:: yaml

    # When using libvirt 1.2.2 live snapshots fail intermittently under load
    # (likely related to concurrent libvirt/qemu operations). This config
    # option provides a mechanism to disable live snapshot, in favor of cold
    # snapshot, while this is resolved. Cold snapshot causes an instance
    # outage while the guest is going through the snapshotting process.
    #
    # For more information, refer to the bug report:
    #
    # https://bugs.launchpad.net/nova/+bug/1334398

Configurable pillar data:

.. code-block:: yaml

    nova:
      compute:
        workaround:
          disable_libvirt_livesnapshot: False

Config drive options
--------------------

See example below on how to configure the options for the config drive.

.. code-block:: yaml

    nova:
      compute:
        config_drive:
          forced: True  # Default: True
          cdrom: True  # Default: False
          format: iso9660  # Default: vfat
          inject_password: False  # Default: False

Number of concurrent live migrates
----------------------------------

Default is to have no concurrent live migrations (so 1 live-migration at a time).

Excerpt from config options page (https://docs.openstack.org/ocata/config-reference/compute/config-options.html):

    Maximum number of live migrations to run concurrently. This limit is
    enforced to avoid outbound live migrations overwhelming the host/network
    and causing failures. It is not recommended that you change this unless
    you are very sure that doing so is safe and stable in your environment.

    Possible values:

    - 0 : treated as unlimited.
    - Negative value defaults to 0.
    - Any positive integer representing maximum number of live migrations to run concurrently.

To configure this option:

.. code-block:: yaml

    nova:
      compute:
        max_concurrent_live_migrations: 1  # (1 is the default)


Documentation and Bugs
======================

To learn how to install and update salt-formulas, consult the documentation
available online at:

    http://salt-formulas.readthedocs.io/

In the unfortunate event that bugs are discovered, they should be reported to
the appropriate issue tracker. Use the GitHub issue tracker for the specific
salt formula:

    https://github.com/salt-formulas/salt-formula-nova/issues

For feature requests, bug reports or blueprints affecting the entire ecosystem,
use the Launchpad salt-formulas project:

    https://launchpad.net/salt-formulas

You can also join the salt-formulas-users team and subscribe to the mailing list:

    https://launchpad.net/~salt-formulas-users

Developers wishing to work on the salt-formulas projects should always base
their work on the master branch and submit pull requests against the specific
formula.

    https://github.com/salt-formulas/salt-formula-nova

Questions and feedback are always welcome, so feel free to join our IRC
channel:

    #salt-formulas @ irc.freenode.net