============
Usage
============

OpenStack Nova provides a cloud computing fabric controller, supporting a wide
variety of virtualization technologies, including KVM, Xen, LXC, VMware, and
more. In addition to its native API, it includes compatibility with the
commonly encountered Amazon EC2 and S3 APIs.

Sample Pillars
==============

Controller nodes
----------------

Nova services on the controller node:

.. code-block:: yaml

    nova:
      controller:
        version: juno
        enabled: true
        security_group: true
        cpu_allocation_ratio: 8.0
        ram_allocation_ratio: 1.0
        disk_allocation_ratio: 1.0
        cross_az_attach: false
        workers: 8
        report_interval: 60
        bind:
          public_address: 10.0.0.122
          public_name: openstack.domain.com
          novncproxy_port: 6080
        database:
          engine: mysql
          host: 127.0.0.1
          port: 3306
          name: nova
          user: nova
          password: pwd
        identity:
          engine: keystone
          host: 127.0.0.1
          port: 35357
          user: nova
          password: pwd
          tenant: service
        message_queue:
          engine: rabbitmq
          host: 127.0.0.1
          port: 5672
          user: openstack
          password: pwd
          virtual_host: '/openstack'
        network:
          engine: neutron
          host: 127.0.0.1
          port: 9696
          extension_sync_interval: 600
          identity:
            engine: keystone
            host: 127.0.0.1
            port: 35357
            user: neutron
            password: pwd
            tenant: service
        metadata:
          password: password
        audit:
          enabled: false
        osapi_max_limit: 500
        barbican:
          enabled: true

Nova services from custom package repository:

.. code-block:: yaml

    nova:
      controller:
        version: juno
        source:
          engine: pkg
          address: http://...
        ....

Client-side RabbitMQ HA setup:

.. code-block:: yaml

    nova:
      controller:
        ....
        message_queue:
          engine: rabbitmq
          members:
            - host: 10.0.16.1
            - host: 10.0.16.2
            - host: 10.0.16.3
          user: openstack
          password: pwd
          virtual_host: '/openstack'
        ....

Enable auditing filter, i.e. CADF:

.. code-block:: yaml

    nova:
      controller:
        audit:
          enabled: true
          ....
          filter_factory: 'keystonemiddleware.audit:filter_factory'
          map_file: '/etc/pycadf/nova_api_audit_map.conf'
        ....

Enable CORS parameters:

.. code-block:: yaml

    nova:
      controller:
        cors:
          allowed_origin: https://localhost.local,http://localhost.local
          expose_headers: X-Auth-Token,X-Openstack-Request-Id,X-Subject-Token
          allow_methods: GET,PUT,POST,DELETE,PATCH
          allow_headers: X-Auth-Token,X-Openstack-Request-Id,X-Subject-Token
          allow_credentials: True
          max_age: 86400

Configuration of the ``policy.json`` file:

.. code-block:: yaml

    nova:
      controller:
        ....
        policy:
          context_is_admin: 'role:admin or role:administrator'
          'compute:create': 'rule:admin_or_owner'
          # Add key without value to remove line from policy.json
          'compute:create:attach_network':

Enable Barbican integration:

.. code-block:: yaml

    nova:
      controller:
        ....
        barbican:
          enabled: true

Enable cells update:

.. note:: Useful when upgrading OpenStack, to update cells in order to test
   the database sync against a duplicated production database.

.. code-block:: yaml

    nova:
      controller:
        update_cells: true

Configuring TLS communications
------------------------------

.. note:: By default, the system-wide installed CA certificates are used,
   so the ``cacert_file`` parameter is optional, as is ``cacert``.

- **RabbitMQ TLS**

  .. code-block:: yaml

      nova:
        compute:
          message_queue:
            port: 5671
            ssl:
              enabled: True
              cacert: (certificate body)  # optional, used if the cacert_file does not exist
              cacert_file: /etc/openstack/rabbitmq-ca.pem  # optional
              version: TLSv1_2  # optional

- **MySQL TLS**

  .. code-block:: yaml

      nova:
        controller:
          database:
            ssl:
              enabled: True
              cacert: (certificate body)  # optional, used if the cacert_file does not exist
              cacert_file: /etc/openstack/mysql-ca.pem  # optional

- **Openstack HTTPS API**

  Set ``https`` as the protocol in the ``nova:compute`` and
  ``nova:controller`` sections:

  .. code-block:: yaml

      nova:
        controller:
          identity:
            protocol: https
            cacert_file: /etc/openstack/proxy.pem  # optional
          network:
            protocol: https
            cacert_file: /etc/openstack/proxy.pem  # optional
          glance:
            protocol: https
            cacert_file: /etc/openstack/proxy.pem  # optional

  .. code-block:: yaml

      nova:
        compute:
          identity:
            protocol: https
            cacert_file: /etc/openstack/proxy.pem  # optional
          network:
            protocol: https
            cacert_file: /etc/openstack/proxy.pem  # optional
          image:
            protocol: https
            cacert_file: /etc/openstack/proxy.pem  # optional
          ironic:
            protocol: https
            cacert_file: /etc/openstack/proxy.pem  # optional

.. note:: The Barbican, Cinder, and placement URL endpoints are discovered
   using the service catalog.

Compute nodes
-------------

Nova controller services on compute node:

.. code-block:: yaml

    nova:
      compute:
        version: juno
        enabled: true
        cross_az_attach: false
        disk_cachemodes: network=writeback,block=none
        availability_zone: availability_zone_01
        aggregates:
        - hosts_with_fc
        - hosts_with_ssd
        security_group: true
        resume_guests_state_on_host_boot: False
        preallocate_images: space  # Default is 'none'
        my_ip: 10.1.0.16
        bind:
          vnc_address: 172.20.0.100
          vnc_port: 6080
          vnc_name: openstack.domain.com
          vnc_protocol: http
        database:
          engine: mysql
          host: 127.0.0.1
          port: 3306
          name: nova
          user: nova
          password: pwd
        identity:
          engine: keystone
          host: 127.0.0.1
          port: 35357
          user: nova
          password: pwd
          tenant: service
        message_queue:
          engine: rabbitmq
          host: 127.0.0.1
          port: 5672
          user: openstack
          password: pwd
          virtual_host: '/openstack'
        image:
          engine: glance
          host: 127.0.0.1
          port: 9292
        network:
          engine: neutron
          host: 127.0.0.1
          port: 9696
          identity:
            engine: keystone
            host: 127.0.0.1
            port: 35357
            user: neutron
            password: pwd
            tenant: service
        qemu:
          max_files: 4096
          max_processes: 4096
        host: node-12.domain.tld

Compute with the VMware driver. Each VMware cluster requires a separate nova-compute
process, and each process should have a unique host identifier. However, multiple computes
might be running on a single host. It is not recommended to have multiple computes running
on different hosts that manage the same VMware cluster. To achieve this, pacemaker/corosync
or keepalived might be used.

.. code-block:: yaml

    nova:
      compute:
        compute_driver: vmwareapi.VMwareVCDriver
        vmware:
          host_username: vmware
          host_password: vmware
          cluster_name: vmware_cluster01
          host_ip: 1.2.3.4

Group and user to be used for QEMU processes run by the system instance:

.. code-block:: yaml

    nova:
      compute:
        enabled: true
        ...
        qemu:
          user: nova
          group: cinder
          dynamic_ownership: 1

Group membership for user nova (upgrade related):

.. code-block:: yaml

    nova:
      compute:
        enabled: true
        ...
        user:
          groups:
          - libvirt

Nova services on compute node with OpenContrail:

.. code-block:: yaml

    nova:
      compute:
        enabled: true
        ...
        networking: contrail

Nova services on compute node with memcached caching:

.. code-block:: yaml

    nova:
      compute:
        enabled: true
        ...
        cache:
          engine: memcached
          members:
          - host: 127.0.0.1
            port: 11211
          - host: 127.0.0.1
            port: 11211

Client-side RabbitMQ HA setup:

.. code-block:: yaml

    nova:
      compute:
        ....
        message_queue:
          engine: rabbitmq
          members:
            - host: 10.0.16.1
            - host: 10.0.16.2
            - host: 10.0.16.3
          user: openstack
          password: pwd
          virtual_host: '/openstack'
        ....

Nova with ephemeral configured with Ceph:

.. code-block:: yaml

    nova:
      compute:
        enabled: true
        ...
        ceph:
          ephemeral: yes
          rbd_pool: nova
          rbd_user: nova
          secret_uuid: 03006edd-d957-40a3-ac4c-26cd254b3731
        ....

Nova with ephemeral configured with LVM:

.. code-block:: yaml

    nova:
      compute:
        enabled: true
        ...
        lvm:
          ephemeral: yes
          images_volume_group: nova_vg

    linux:
      storage:
        lvm:
          nova_vg:
            name: nova_vg
            devices:
              - /dev/sdf
              - /dev/sdd
              - /dev/sdg
              - /dev/sde
              - /dev/sdc
              - /dev/sdj
              - /dev/sdh

Enable Barbican integration:

.. code-block:: yaml

    nova:
      compute:
        ....
        barbican:
          enabled: true

Nova metadata custom bindings:

.. code-block:: yaml

    nova:
      controller:
        enabled: true
        ...
        metadata:
          bind:
            address: 1.2.3.4
            port: 8776

Client role
-----------

Nova configured with NFS:

.. code-block:: yaml

    nova:
      compute:
        instances_path: /mnt/nova/instances

    linux:
      storage:
        enabled: true
        mount:
          nfs_nova:
            enabled: true
            path: ${nova:compute:instances_path}
            device: 172.31.35.145:/data
            file_system: nfs
            opts: rw,vers=3

Nova flavors:

.. code-block:: yaml

    nova:
      client:
        enabled: true
        server:
          identity:
            flavor:
              flavor1:
                flavor_id: 10
                ram: 4096
                disk: 10
                vcpus: 1
              flavor2:
                flavor_id: auto
                ram: 4096
                disk: 20
                vcpus: 2
          identity1:
            flavor:
              ...

Availability zones:

.. code-block:: yaml

    nova:
      client:
        enabled: true
        server:
          identity:
            availability_zones:
            - availability_zone_01
            - availability_zone_02

Aggregates:

.. code-block:: yaml

    nova:
      client:
        enabled: true
        server:
          identity:
            aggregates:
            - aggregate1
            - aggregate2

Upgrade levels:

.. code-block:: yaml

    nova:
      controller:
        upgrade_levels:
          compute: juno

    nova:
      compute:
        upgrade_levels:
          compute: juno

SR-IOV
------

Add ``PciPassthroughFilter`` into scheduler filters and NICs on
specific compute nodes:

.. code-block:: yaml

    nova:
      controller:
        sriov: true
        scheduler_default_filters: "DifferentHostFilter,SameHostFilter,RetryFilter,AvailabilityZoneFilter,RamFilter,CoreFilter,DiskFilter,ComputeFilter,ComputeCapabilitiesFilter,ImagePropertiesFilter,ServerGroupAntiAffinityFilter,ServerGroupAffinityFilter,PciPassthroughFilter"

    nova:
      compute:
        sriov:
          nic_one:
            devname: eth1
            physical_network: physnet1

CPU pinning & Hugepages
-----------------------

CPU pinning of virtual machine instances to dedicated physical
CPU cores. Hugepages mount point for libvirt.

.. code-block:: yaml

    nova:
      controller:
        scheduler_default_filters: "DifferentHostFilter,SameHostFilter,RetryFilter,AvailabilityZoneFilter,RamFilter,CoreFilter,DiskFilter,ComputeFilter,ComputeCapabilitiesFilter,ImagePropertiesFilter,ServerGroupAntiAffinityFilter,ServerGroupAffinityFilter,NUMATopologyFilter,AggregateInstanceExtraSpecsFilter"

    nova:
      compute:
        vcpu_pin_set: 2,3,4,5
        hugepages:
          mount_points:
          - path: /mnt/hugepages_1GB
          - path: /mnt/hugepages_2MB

Custom Scheduler filters
------------------------

If you have a custom filter that needs to be included in the
scheduler, you can include it like so:

.. code-block:: yaml

    nova:
      controller:
        scheduler_custom_filters:
        - my_custom_driver.nova.scheduler.filters.my_custom_filter.MyCustomFilter

        # Then add your custom filter on the end (make sure to include all other ones that you need as well)
        scheduler_default_filters: "DifferentHostFilter,SameHostFilter,RetryFilter,AvailabilityZoneFilter,RamFilter,CoreFilter,DiskFilter,ComputeFilter,ComputeCapabilitiesFilter,ImagePropertiesFilter,ServerGroupAntiAffinityFilter,ServerGroupAffinityFilter,PciPassthroughFilter,MyCustomFilter"

Hardware Trim/Unmap Support
---------------------------

To enable TRIM support for ephemeral images (through nova-managed
images), libvirt has this option:

.. code-block:: yaml

    nova:
      compute:
        libvirt:
          hw_disk_discard: unmap

To actually utilize this feature, the following metadata must be
set on the image as well, so that SCSI unmap is supported:

.. code-block:: bash

    glance image-update --property hw_scsi_model=virtio-scsi <image>
    glance image-update --property hw_disk_bus=scsi <image>

Scheduler Host Manager
----------------------

Specify a custom host manager.

libvirt CPU mode
----------------

Allow setting the model of CPU that is exposed to a VM. This
allows for better support of live migration between hypervisors with
different hardware, among other things. Defaults to host-passthrough.

.. code-block:: yaml

    nova:
      controller:
        scheduler_host_manager: ironic_host_manager

      compute:
        cpu_mode: host-model

Nova compute cpu model
----------------------

.. code-block:: yaml

    nova:
      compute:
        cpu_mode: custom
        libvirt:
          cpu_model: IvyBridge

Nova compute workarounds
------------------------

Live snapshotting is disabled by default in nova. To enable
this, it needs a manual switch.

From manual:

.. code-block:: text

    When using libvirt 1.2.2 live snapshots fail intermittently under load
    (likely related to concurrent libvirt/qemu operations). This config
    option provides a mechanism to disable live snapshot, in favor of cold
    snapshot, while this is resolved. Cold snapshot causes an instance
    outage while the guest is going through the snapshotting process.

    For more information, refer to the bug report:

      https://bugs.launchpad.net/nova/+bug/1334398

Configurable pillar data:

.. code-block:: yaml

    nova:
      compute:
        workaround:
          disable_libvirt_livesnapshot: False

Config drive options
--------------------

See example below on how to configure the options for the
config drive:

.. code-block:: yaml

    nova:
      compute:
        config_drive:
          forced: True  # Default: True
          cdrom: True  # Default: False
          format: iso9660  # Default: vfat
          inject_password: False  # Default: False

Number of concurrent live migrates
----------------------------------

Default is to have no concurrent live migrations (so 1
live-migration at a time).

Excerpt from config options page
https://docs.openstack.org/ocata/config-reference/compute/config-options.html:

Maximum number of live migrations to run concurrently. This limit is
enforced to avoid outbound live migrations overwhelming the host/network
and causing failures. It is not recommended that you change this unless
you are very sure that doing so is safe and stable in your environment.

Possible values:

- 0 : treated as unlimited.
- Negative value defaults to 0.
- Any positive integer representing maximum number of live migrations
  to run concurrently.

To configure this option:

.. code-block:: yaml

    nova:
      compute:
        max_concurrent_live_migrations: 1  # (1 is the default)

Live migration with auto converge
----------------------------------

Auto converge throttles down the CPU if the progress of an ongoing live
migration is slow (see
https://docs.openstack.org/ocata/config-reference/compute/config-options.html):

.. code-block:: yaml

    nova:
      compute:
        libvirt:
          live_migration_permit_auto_converge: False  # (False is the default)

.. code-block:: yaml

    nova:
      controller:
        libvirt:
          live_migration_permit_auto_converge: False  # (False is the default)

Enhanced logging with logging.conf
----------------------------------

By default ``logging.conf`` is disabled.

It is possible to enable a per-binary ``logging.conf`` with the new variables:

* ``openstack_log_appender``
    Set to true to enable log_config_append for all OpenStack services

* ``openstack_fluentd_handler_enabled``
    Set to true to enable FluentHandler for all OpenStack services

* ``openstack_ossyslog_handler_enabled``
    Set to true to enable OSSysLogHandler for all OpenStack services

Only ``WatchedFileHandler``, ``OSSysLogHandler``, and ``FluentHandler``
are available.

It is also possible to configure this with the pillar:

.. code-block:: yaml

    nova:
      controller:
        logging:
          log_appender: true
          log_handlers:
            watchedfile:
              enabled: true
            fluentd:
              enabled: true
            ossyslog:
              enabled: true

      compute:
        logging:
          log_appender: true
          log_handlers:
            watchedfile:
              enabled: true
            fluentd:
              enabled: true
            ossyslog:
              enabled: true

The log level might be configured per logger by using the
following pillar structure:

.. code-block:: yaml

    nova:
      compute:
        logging:
          loggers:
            <logger_name>:
              level: WARNING

    nova:
      compute:
        logging:
          loggers:
            <logger_name>:
              level: WARNING

Configure syslog parameters for libvirtd
----------------------------------------

To configure syslog parameters for libvirtd, use the pillar
structure below with values that are supported
by libvirtd. These values might be known from the documentation.

.. code-block:: yaml

    nova:
      compute:
        libvirt:
          logging:
            level: 3
            filters: '3:remote 4:event'
            outputs: '3:syslog:libvirtd'
            buffer_size: 64

Logging controls:

Logging level: 4 errors, 3 warnings, 2 information, 1 debug.
Basically, 1 will log everything possible: ``log_level = 3``

Logging filters:

A filter allows selecting a different logging level for a given category
of logs.

The format for a filter is one of:

* ``x:name``
* ``x:+name``

where ``name`` is a string which is matched against the source file name,
e.g., ``remote``, ``qemu``, or ``util/json``, the optional ``+`` prefix
tells libvirt to log a stack trace for each message matching ``name``,
and ``x`` is the minimal level where matching messages should be logged:

* ``1: DEBUG``
* ``2: INFO``
* ``3: WARNING``
* ``4: ERROR``

Multiple filters can be defined in a single @filters; they just
need to be separated by spaces.

For example, to only get warnings or errors from the remote layer
and only errors from the event layer: ``log_filters="3:remote 4:event"``

Logging outputs:

An output is one of the places to save logging information.
The format for an output can be:

* ``x:stderr``
    Output goes to stderr

* ``x:syslog:name``
    Use syslog for the output and use the given name as the ident

* ``x:file:file_path``
    Output to a file, with the given filepath

In all cases the ``x`` prefix is the minimal level, acting as a filter:

* ``1: DEBUG``
* ``2: INFO``
* ``3: WARNING``
* ``4: ERROR``

Multiple outputs can be defined; they just need to be separated by spaces.
For example, to log all warnings and errors to syslog under the libvirtd
ident: ``log_outputs="3:syslog:libvirtd"``

Log debug buffer size: default 64.
The daemon keeps an internal debug log buffer which will be dumped
in case of a crash or upon receiving a ``SIGUSR2`` signal. This setting
allows overriding the default buffer size in kilobytes.
If the value is ``0`` or less, the debug log buffer is deactivated:
``log_buffer_size = 64``

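The filter and output formats described above can be checked before a pillar is applied. The following is an added example, not part of the formula: the function names are hypothetical, and it validates the ``filters`` and ``outputs`` strings against the documented formats and reports filters whose messages no output will write, because every output's minimal level is higher than the filter's level.

```python
# Added example (not formula code): validate libvirt-style log settings.
# Level numbers as listed in this section.
LEVELS = {1: "DEBUG", 2: "INFO", 3: "WARNING", 4: "ERROR"}


class LogSettingError(ValueError):
    """A filters/outputs string does not match the documented format."""


def _level(token, item):
    # Only the four documented level numbers are accepted.
    if token not in ("1", "2", "3", "4"):
        raise LogSettingError(f"{item!r}: level must be 1, 2, 3 or 4")
    return int(token)


def parse_filters(value):
    """Parse space-separated 'x:name' / 'x:+name' items."""
    result = []
    for item in value.split():
        token, sep, name = item.partition(":")
        level = _level(token, item)
        stack_trace = name.startswith("+")
        name = name[1:] if stack_trace else name
        if not sep or not name:
            raise LogSettingError(f"{item!r}: expected x:name or x:+name")
        result.append({"level": level, "name": name, "stack_trace": stack_trace})
    return result


def parse_outputs(value):
    """Parse space-separated 'x:stderr', 'x:syslog:name', 'x:file:file_path'."""
    result = []
    for item in value.split():
        parts = item.split(":", 2)
        level = _level(parts[0], item)
        kind = parts[1] if len(parts) > 1 else ""
        arg = parts[2] if len(parts) > 2 else ""
        valid = (kind == "stderr" and not arg) or (kind in ("syslog", "file") and arg)
        if not valid:
            raise LogSettingError(
                f"{item!r}: expected x:stderr, x:syslog:name or x:file:file_path")
        result.append({"level": level, "kind": kind, "arg": arg})
    return result


def filters_hidden_by_outputs(filters, outputs):
    """Return filters whose level is below the minimal level of every output.

    Messages at such a filter's own level pass the filter but are then
    dropped by all outputs, so they never reach syslog or a file.
    """
    parsed_outputs = parse_outputs(outputs)
    if not parsed_outputs:
        return []
    floor = min(output["level"] for output in parsed_outputs)
    return [f for f in parse_filters(filters) if f["level"] < floor]


if __name__ == "__main__":
    # The two value pairs used in this README's libvirtd and virtlog pillars.
    samples = {
        "libvirt.logging": ("3:remote 4:event", "3:syslog:libvirtd"),
        "virtlog": ("3:remote 3:event", "4:syslog:virtlogd"),
    }
    for label, (filters, outputs) in samples.items():
        hidden = filters_hidden_by_outputs(filters, outputs)
        for f in hidden:
            print(f"{label}: {LEVELS[f['level']]} messages from "
                  f"{f['name']!r} are not written by any output")
        if not hidden:
            print(f"{label}: every filter level reaches an output")
```

With the ``virtlog`` sample values from this page, both filters allow warnings, but the single output only writes errors.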
891
892To configure the logging parameters for QEMU, the below pillar
893structure and logging parameters should be used:
894
895.. code-block:: yaml
896
897 nova:
898 compute:
899 qemu:
900 logging:
901 handler: logd
902 virtlog:
903 enabled: true
904 level: 4
905 filters: '3:remote 3:event'
906 outputs: '4:syslog:virtlogd'
907 max_clients: 512
908 max_size: 2097100
909 max_backups: 2
Oleh Hryhorove38525d2018-05-15 08:58:59 +0000910
Inject password to VM
---------------------

By default, nova blocks any injection into a VM because the
``inject_partition`` parameter is equal to ``-2``.
If you want to inject a password into a VM, you need to
set ``inject_partition`` greater than or equal to ``-1`` and
set ``inject_password`` to ``True``.

For example:

.. code-block:: yaml

    nova:
      compute:
        inject_partition: '-1'
        inject_password: True

Allows the injection of an admin password for an instance only during
the ``create`` and ``rebuild`` processes.

There is no agent needed within the image to do this. If *libguestfs* is
available on the host, it will be used. Otherwise *nbd* is used. The file
system of the image will be mounted and the admin password, which is provided
in the REST API call, will be injected as the password for the root user. If no
root user is available, the instance won't be launched and an error is thrown.
Be aware that the injection is *not* possible when the instance gets launched
from a volume.

Possible values:

* ``True``
    Allows the injection

* ``False`` (default)
    Disallows the injection. Any admin password provided via
    the REST API will be silently ignored.

Related options:

* ``inject_partition``
    Decides about the discovery and usage of the file system.
    It also can disable the injection at all.
    (boolean value)

You can read more about injecting the administrator password here:
https://docs.openstack.org/nova/queens/admin/admin-password-injection.html

Enable libvirt control channel over TLS
---------------------------------------

By default TLS is disabled.

Enable TLS transport:

.. code-block:: yaml

  compute:
    libvirt:
      tls:
        enabled: True

You can set custom certificates in the pillar:

.. code-block:: yaml

  nova:
    compute:
      libvirt:
        tls:
          key: (certificate content)
          cert: (certificate content)
          cacert: (certificate content)
          client:
            key: (certificate content)
            cert: (certificate content)

You can read more about live migration over TLS here:
https://wiki.libvirt.org/page/TLSCreateServerCerts

Enable transport + authentication for VNC over TLS
--------------------------------------------------

This applies only to Queens and concerns communication between the noVNC
proxy service and QEMU.

By default, communication between nova-novncproxy and the qemu service is
not secured.

.. code-block:: yaml

  compute:
    qemu:
      vnc:
        tls:
          enabled: True

  controller:
    novncproxy:
      # This section is responsible for communication between noVNC proxy and client machine
      tls:
        enabled: True
      # This section is responsible for communication between nova-novncproxy and qemu service
      vencrypt:
        tls:
          enabled: True

You can set custom certificates in the pillar:

.. code-block:: yaml

  nova:
    compute:
      qemu:
        vnc:
          tls:
            cacert: (certificate content)
            cert: (certificate content)
            key: (certificate content)

.. code-block:: yaml

  nova:
    controller:
      novncproxy:
        tls:
          server:
            cert: (certificate content)
            key: (certificate content)
        vencrypt:
          tls:
            cacert: (certificate content)
            cert: (certificate content)
            key: (certificate content)

You can read more about it here:
https://docs.openstack.org/nova/queens/admin/remote-console-access.html

Enable communication between noVNC proxy and client machine over TLS
--------------------------------------------------------------------

By default, communication between the noVNC proxy and the client machine is
not secured.

.. code-block:: yaml

  controller:
    novncproxy:
      tls:
        enabled: True

.. code-block:: yaml

  nova:
    controller:
      novncproxy:
        tls:
          server:
            cert: (certificate content)
            key: (certificate content)

You can read more about it here:
https://docs.openstack.org/mitaka/config-reference/dashboard/configure.html

Enable x509 and SSL communication between Nova and Galera cluster
-----------------------------------------------------------------

By default, communication between Nova and Galera is not secured.

You can set custom certificates in the pillar:

.. code-block:: yaml

  controller:
    database:
      x509:
        enabled: True

.. code-block:: yaml

  nova:
    controller:
      database:
        x509:
          cacert: (certificate content)
          cert: (certificate content)
          key: (certificate content)

You can read more about it here:
https://docs.openstack.org/security-guide/databases/database-access-control.html

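As an added example (not part of the formula), the following Python check audits an already-parsed pillar for the ``enabled`` flags and the password-injection settings described in the sections above. The names ``CHANNELS``, ``lookup`` and ``audit`` and the sample pillar are assumptions made for illustration.

```python
# Added example; CHANNELS, lookup() and audit() are hypothetical names.
CHANNELS = {
    "compute.libvirt.tls": "libvirt control channel",
    "compute.qemu.vnc.tls": "QEMU VNC server",
    "controller.novncproxy.tls": "noVNC proxy <-> client",
    "controller.novncproxy.vencrypt.tls": "noVNC proxy <-> QEMU",
    "controller.database.x509": "Nova <-> Galera",
}


def lookup(tree, dotted):
    """Follow a dotted path through nested dicts; None if a key is missing."""
    for key in dotted.split("."):
        if not isinstance(tree, dict) or key not in tree:
            return None
        tree = tree[key]
    return tree


def audit(pillar):
    """Return findings for unsecured channels and active password injection."""
    nova = pillar.get("nova", {})
    findings = []
    for path, channel in CHANNELS.items():
        # Skip roles (compute/controller) that this pillar does not define.
        if path.split(".")[0] in nova and lookup(nova, path + ".enabled") is not True:
            findings.append(f"{channel}: {path}.enabled is not True")
    # The proxy-to-QEMU leg is set on both roles; report a one-sided setup.
    qemu = lookup(nova, "compute.qemu.vnc.tls.enabled") is True
    proxy = lookup(nova, "controller.novncproxy.vencrypt.tls.enabled") is True
    if "compute" in nova and "controller" in nova and qemu != proxy:
        findings.append("VNC TLS is enabled on only one of qemu and vencrypt")
    # Injection is active only when both conditions from the README hold.
    compute = nova.get("compute", {})
    partition = int(compute.get("inject_partition", -2))
    if compute.get("inject_password") is True and partition >= -1:
        findings.append("admin password injection is active")
    return findings


SAMPLE = {"nova": {  # constructed pillar: merged compute + controller view
    "compute": {"inject_partition": "-1", "inject_password": True,
                "libvirt": {"tls": {"enabled": True}},
                "qemu": {"vnc": {"tls": {"enabled": True}}}},
    "controller": {"novncproxy": {"tls": {"enabled": True}},
                   "database": {"x509": {"enabled": False}}},
}}

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```
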
Documentation and Bugs
======================

* http://salt-formulas.readthedocs.io/
  Learn how to install and update salt-formulas

* https://github.com/salt-formulas/salt-formula-nova/issues
  In the unfortunate event that bugs are discovered, report the issue to the
  appropriate issue tracker. Use the GitHub issue tracker for a specific salt
  formula

* https://launchpad.net/salt-formulas
  For feature requests, bug reports, or blueprints affecting the entire
  ecosystem, use the Launchpad salt-formulas project

* https://launchpad.net/~salt-formulas-users
  Join the salt-formulas-users team and subscribe to the mailing list if required

* https://github.com/salt-formulas/salt-formula-nova
  Develop the salt-formulas projects in the master branch and then submit pull
  requests against a specific formula

* #salt-formulas @ irc.freenode.net
  Use this IRC channel in case of any questions or feedback which is always
  welcome