Filip Pytloun4a72d792015-10-06 16:28:32 +02001
Aleš Komárek72152852017-04-11 13:48:48 +02002============
OlgaGusarenko9dd01c92018-07-31 00:49:30 +03003Usage
Aleš Komárek72152852017-04-11 13:48:48 +02004============
Filip Pytloun4a72d792015-10-06 16:28:32 +02005
Jakub Pavlikfcf34f82016-05-20 09:35:51 +02006OpenStack Nova provides a cloud computing fabric controller, supporting a wide
7variety of virtualization technologies, including KVM, Xen, LXC, VMware, and
8more. In addition to its native API, it includes compatibility with the
9commonly encountered Amazon EC2 and S3 APIs.
Filip Pytloun4a72d792015-10-06 16:28:32 +020010
Aleš Komárek72152852017-04-11 13:48:48 +020011Sample Pillars
Filip Pytloun4a72d792015-10-06 16:28:32 +020012==============
13
14Controller nodes
15----------------
16
OlgaGusarenko9dd01c92018-07-31 00:49:30 +030017Nova services on the controller node:
Filip Pytloun4a72d792015-10-06 16:28:32 +020018
19.. code-block:: yaml
20
    # Pillar for the nova controller role; every value below is the example's own.
    nova:
      controller:
        version: juno
        enabled: true
        security_group: true
        # Scheduler allocation ratios as set in this example.
        cpu_allocation_ratio: 8.0
        ram_allocation_ratio: 1.0
        disk_allocation_ratio: 1.0
        cross_az_attach: false
        workers: 8
        report_interval: 60
        dhcp_domain: novalocal
        consoleauth:
          token_ttl: 600  # presumably seconds — confirm against the formula
        # Public endpoint the controller binds/advertises in this example.
        bind:
          public_address: 10.0.0.122
          public_name: openstack.domain.com
          novncproxy_port: 6080
        # Backend connections: database, identity and message queue.
        # NOTE(review): 'pwd' / 'password' are placeholders — keep real credentials
        # out of pillar committed to VCS (reference an external secret source).
        database:
          engine: mysql
          host: 127.0.0.1
          port: 3306
          name: nova
          user: nova
          password: pwd
        identity:
          engine: keystone
          host: 127.0.0.1
          port: 35357
          user: nova
          password: pwd
          tenant: service
        message_queue:
          engine: rabbitmq
          host: 127.0.0.1
          port: 5672
          user: openstack
          password: pwd
          virtual_host: '/openstack'
        # PCI device aliases (same structure as the dedicated example further down).
        pci:
          alias:
            alias1:
              device_type: "type-PF"
              name: "a1"
              product_id: "154d"
              vendor_id: "8086"
        network:
          engine: neutron
          host: 127.0.0.1
          port: 9696
          extension_sync_interval: 600
          identity:
            engine: keystone
            host: 127.0.0.1
            port: 35357
            user: neutron
            password: pwd
            tenant: service
          metadata:
            password: password
        # Auditing (CADF) is off here; see the dedicated audit example below.
        audit:
          enabled: false
        osapi_max_limit: 500
        barbican:
          enabled: true
Filip Pytloun4a72d792015-10-06 16:28:32 +020086
OlgaGusarenko9dd01c92018-07-31 00:49:30 +030087Nova services from custom package repository:
Filip Pytloun4a72d792015-10-06 16:28:32 +020088
89.. code-block:: yaml
90
    # Nova packages taken from a custom repository instead of the default one.
    nova:
      controller:
        version: juno
        source:
          engine: pkg
          # NOTE(review): prefer an https:// repository address where the
          # repository supports it, so package metadata is not fetched in clear.
          address: http://...
        ....
98
OlgaGusarenko9dd01c92018-07-31 00:49:30 +030099Client-side RabbitMQ HA setup:
Jiri Konecnye31f2c52016-04-14 17:16:02 +0200100
101.. code-block:: yaml
102
    # Client-side RabbitMQ HA: a list of cluster members replaces the single host.
    nova:
      controller:
        ....
        message_queue:
          engine: rabbitmq
          members:
            - host: 10.0.16.1
            - host: 10.0.16.2
            - host: 10.0.16.3
          user: openstack
          password: pwd  # placeholder credential
          virtual_host: '/openstack'
        ....
116
OlgaGusarenko9dd01c92018-07-31 00:49:30 +0300117Enable auditing filter, i.e: CADF:
Petr Michalecaa23dc02016-11-29 16:30:25 +0100118
119.. code-block:: yaml
120
    # Enable the auditing middleware (CADF) on the controller API.
    nova:
      controller:
        audit:
          enabled: true
          ....
          # Filter factory and CADF map file used by the audit middleware.
          filter_factory: 'keystonemiddleware.audit:filter_factory'
          map_file: '/etc/pycadf/nova_api_audit_map.conf'
          ....
129
OlgaGusarenko9dd01c92018-07-31 00:49:30 +0300130Enable CORS parameters:
Ondrej Smola25b53cb2017-04-28 10:56:19 +0200131
132.. code-block:: yaml
133
    # CORS settings for the controller API.
    nova:
      controller:
        cors:
          # NOTE(review): these origins have no '//' after the scheme; a browser
          # origin is 'scheme://host[:port]' — confirm the intended values.
          allowed_origin: https:localhost.local,http:localhost.local
          expose_headers: X-Auth-Token,X-Openstack-Request-Id,X-Subject-Token
          allow_methods: GET,PUT,POST,DELETE,PATCH
          allow_headers: X-Auth-Token,X-Openstack-Request-Id,X-Subject-Token
          # NOTE(review): only allow credentials together with an explicit,
          # non-wildcard allowed_origin list (as done here).
          allow_credentials: True
          max_age: 86400  # presumably seconds — confirm
143
OlgaGusarenko9dd01c92018-07-31 00:49:30 +0300144Configuration of the ``policy.json`` file:
Dmitry Ukov3562a082017-05-04 00:00:48 +0400145
146.. code-block:: yaml
147
    # Entries for the policy.json file. Keys containing ':' are quoted so YAML
    # does not treat them as nested mappings.
    nova:
      controller:
        ....
        policy:
          context_is_admin: 'role:admin or role:administrator'
          'compute:create': 'rule:admin_or_owner'
          # Add key without value to remove line from policy.json
          'compute:create:attach_network':
Ondrej Smola25b53cb2017-04-28 10:56:19 +0200156
OlgaGusarenko9dd01c92018-07-31 00:49:30 +0300157Enable Barbican integration:
Oleg Iurchenko370c10d2017-10-19 14:03:37 +0300158
159.. code-block:: yaml
160
    # Barbican integration on the controller.
    nova:
      controller:
        ....
        barbican:
          enabled: true
166
Define aliases for PCI devices:

.. code-block:: yaml
169
    # PCI device aliases on the controller; ids are quoted so they stay strings.
    nova:
      controller:
        ...
        pci:
          alias:
            alias1:
              device_type: "type-PF"
              name: "a1"
              product_id: "154d"
              vendor_id: "8086"
180
Jiri Broulik789179a2018-02-13 16:16:46 +0100181Enable cells update:
182
.. note:: Useful when upgrading OpenStack, to update cells and test a
   DB sync against a duplicated production database.
Jiri Broulik789179a2018-02-13 16:16:46 +0100185
186.. code-block:: yaml
187
    # Run the cells update (see the upgrade note above).
    nova:
      controller:
        update_cells: true
191
Kirill Bespalov64617172017-07-11 14:43:14 +0300192
Kirill Bespalova0eaca72017-11-20 13:40:42 +0300193Configuring TLS communications
194------------------------------
Kirill Bespalov64617172017-07-11 14:43:14 +0300195
OlgaGusarenko9dd01c92018-07-31 00:49:30 +0300196.. note:: By default system wide installed CA certs are used,
197 so ``cacert_file`` param is optional, as well as ``cacert``.
Kirill Bespalova0eaca72017-11-20 13:40:42 +0300198
199- **RabbitMQ TLS**
Kirill Bespalov64617172017-07-11 14:43:14 +0300200
OlgaGusarenko9dd01c92018-07-31 00:49:30 +0300201 .. code-block:: yaml
Kirill Bespalov64617172017-07-11 14:43:14 +0300202
      # TLS towards RabbitMQ. Keys marked (optional) may be omitted; the system
      # CA store is used when no cacert/cacert_file is given (see note above).
      nova:
        compute:
          message_queue:
            port: 5671  # TLS port in this example (the plain example uses 5672)
            ssl:
              enabled: True
              (optional) cacert: cert body if the cacert_file does not exists
              (optional) cacert_file: /etc/openstack/rabbitmq-ca.pem
              # Presumably pins the TLS protocol version — confirm in the formula.
              (optional) version: TLSv1_2
Kirill Bespalov64617172017-07-11 14:43:14 +0300212
Kirill Bespalova0eaca72017-11-20 13:40:42 +0300213- **MySQL TLS**
Kirill Bespalov64617172017-07-11 14:43:14 +0300214
OlgaGusarenko9dd01c92018-07-31 00:49:30 +0300215 .. code-block:: yaml
Kirill Bespalov64617172017-07-11 14:43:14 +0300216
      # TLS towards MySQL. Keys marked (optional) may be omitted; the system CA
      # store is used when no cacert/cacert_file is given (see note above).
      nova:
        controller:
          database:
            ssl:
              enabled: True
              (optional) cacert: cert body if the cacert_file does not exists
              (optional) cacert_file: /etc/openstack/mysql-ca.pem
Kirill Bespalov64617172017-07-11 14:43:14 +0300224
Kirill Bespalova0eaca72017-11-20 13:40:42 +0300225- **Openstack HTTPS API**
226
  Set ``https`` as the protocol in the ``nova:compute`` and
  ``nova:controller`` sections:
Kirill Bespalova0eaca72017-11-20 13:40:42 +0300229
OlgaGusarenko9dd01c92018-07-31 00:49:30 +0300230 .. code-block:: yaml
Kirill Bespalov64617172017-07-11 14:43:14 +0300231
      # HTTPS for the controller's identity, network and glance clients.
      # cacert_file is optional; without it the system CA store applies (see note above).
      nova:
        controller :  # the space before ':' is tolerated by YAML; key is 'controller'
          identity:
            protocol: https
            (optional) cacert_file: /etc/openstack/proxy.pem
          network:
            protocol: https
            (optional) cacert_file: /etc/openstack/proxy.pem
          glance:
            protocol: https
            (optional) cacert_file: /etc/openstack/proxy.pem
Kirill Bespalov64617172017-07-11 14:43:14 +0300243
OlgaGusarenko9dd01c92018-07-31 00:49:30 +0300244 .. code-block:: yaml
Kirill Bespalov64617172017-07-11 14:43:14 +0300245
      # HTTPS for the compute node's identity, network, image and ironic clients.
      # cacert_file is optional; without it the system CA store applies (see note above).
      nova:
        compute:
          identity:
            protocol: https
            (optional) cacert_file: /etc/openstack/proxy.pem
          network:
            protocol: https
            (optional) cacert_file: /etc/openstack/proxy.pem
          image:
            protocol: https
            (optional) cacert_file: /etc/openstack/proxy.pem
          ironic:
            protocol: https
            (optional) cacert_file: /etc/openstack/proxy.pem
Kirill Bespalov64617172017-07-11 14:43:14 +0300260
.. note:: Barbican, Cinder, and placement URL endpoints are discovered
   using the service catalog.
Kirill Bespalov64617172017-07-11 14:43:14 +0300263
Filip Pytloun4a72d792015-10-06 16:28:32 +0200264Compute nodes
265-------------
266
Nova services on the compute node:
Filip Pytloun4a72d792015-10-06 16:28:32 +0200268
269.. code-block:: yaml
270
    # Pillar for the nova compute role; every value below is the example's own.
    nova:
      compute:
        version: juno
        enabled: true
        cross_az_attach: false
        disk_cachemodes: network=writeback,block=none
        availability_zone: availability_zone_01
        aggregates:
          - hosts_with_fc
          - hosts_with_ssd
        security_group: true
        resume_guests_state_on_host_boot: False
        preallocate_images: space # Default is 'none'
        my_ip: 10.1.0.16
        # VNC console binding for this compute node.
        bind:
          vnc_address: 172.20.0.100
          vnc_port: 6080
          vnc_name: openstack.domain.com
          vnc_protocol: http
        # Backend connections. NOTE(review): 'pwd' is a placeholder — keep real
        # credentials out of pillar committed to VCS.
        database:
          engine: mysql
          host: 127.0.0.1
          port: 3306
          name: nova
          user: nova
          password: pwd
        identity:
          engine: keystone
          host: 127.0.0.1
          port: 35357
          user: nova
          password: pwd
          tenant: service
        message_queue:
          engine: rabbitmq
          host: 127.0.0.1
          port: 5672
          user: openstack
          password: pwd
          virtual_host: '/openstack'
        image:
          engine: glance
          host: 127.0.0.1
          port: 9292
        # PCI device aliases (same structure as the dedicated example further down).
        pci:
          alias:
            alias1:
              device_type: "type-PF"
              name: "a1"
              product_id: "154d"
              vendor_id: "8086"
        network:
          engine: neutron
          host: 127.0.0.1
          port: 9696
          identity:
            engine: keystone
            host: 127.0.0.1
            port: 35357
            user: neutron
            password: pwd
            tenant: service
        # Resource limits for the QEMU processes.
        qemu:
          max_files: 4096
          max_processes: 4096
        host: node-12.domain.tld
Filip Pytloun4a72d792015-10-06 16:28:32 +0200337
Compute with the VMware driver. Each VMware cluster requires a separate nova-compute process,
and each process should have a unique host identifier. Multiple computes may, however, run on a
single host. It is not recommended to have multiple computes running on different hosts that
manage the same VMware cluster; to achieve this, pacemaker/corosync or keepalived might be used.
342
343.. code-block:: yaml
344
    # nova-compute driven by the VMware vCenter driver (one process per cluster,
    # see the paragraph above).
    nova:
      compute:
        compute_driver: vmwareapi.VMwareVCDriver
        vmware:
          host_username: vmware
          # NOTE(review): placeholder credential — source the real one from a
          # secret store rather than plain-text pillar in VCS.
          host_password: vmware
          cluster_name: vmware_cluster01
          host_ip: 1.2.3.4
353
OlgaGusarenko9dd01c92018-07-31 00:49:30 +0300354Group and user to be used for QEMU processes run by the system instance:
kkalynovskyif50f0c02017-12-12 17:52:57 +0200355
356.. code-block:: yaml
357
    # User and group the QEMU processes run as.
    nova:
      compute:
        enabled: true
        ...
        qemu:
          user: nova
          group: cinder
          dynamic_ownership: 1
366
OlgaGusarenko9dd01c92018-07-31 00:49:30 +0300367Group membership for user nova (upgrade related):
Dmitry Stremkovskiy3cd6ba82017-07-25 17:15:36 +0300368
369.. code-block:: yaml
370
    # Extra group membership for the nova user (upgrade related, see above).
    nova:
      compute:
        enabled: true
        ...
        user:
          groups:
            - libvirt
Filip Pytloun4a72d792015-10-06 16:28:32 +0200378
OlgaGusarenko9dd01c92018-07-31 00:49:30 +0300379Nova services on compute node with OpenContrail:
Filip Pytloun4a72d792015-10-06 16:28:32 +0200380
381.. code-block:: yaml
382
    # Compute node using OpenContrail networking.
    nova:
      compute:
        enabled: true
        ...
        networking: contrail
388
Oleksandr Bryndziibb8abfe2018-09-28 22:21:43 +0000389Nova services on compute node with memcached caching and security strategy:
Filip Pytloun4a72d792015-10-06 16:28:32 +0200390
391.. code-block:: yaml
392
    # memcached caching with a security strategy for the cached data.
    nova:
      compute:
        enabled: true
        ...
        cache:
          engine: memcached
          members:
            - host: 127.0.0.1
              port: 11211
            - host: 127.0.0.1
              port: 11211
          security:
            enabled: true
            strategy: ENCRYPT
            # NOTE(review): 'secret' is a placeholder — source the real key from a
            # secret store rather than plain-text pillar committed to VCS.
            secret_key: secret
Filip Pytloun4a72d792015-10-06 16:28:32 +0200408
OlgaGusarenko9dd01c92018-07-31 00:49:30 +0300409Client-side RabbitMQ HA setup:
Jiri Konecnye31f2c52016-04-14 17:16:02 +0200410
411.. code-block:: yaml
412
    # Client-side RabbitMQ HA on the compute node: a member list replaces the single host.
    nova:
      compute:
        ....
        message_queue:
          engine: rabbitmq
          members:
            - host: 10.0.16.1
            - host: 10.0.16.2
            - host: 10.0.16.3
          user: openstack
          password: pwd  # placeholder credential
          virtual_host: '/openstack'
        ....
426
Nova with ephemeral storage configured on Ceph:
maxstack39e6aca2016-05-04 13:50:13 +0000428
429.. code-block:: yaml
430
    # Ephemeral disks backed by Ceph RBD.
    nova:
      compute:
        enabled: true
        ...
        ceph:
          ephemeral: yes  # YAML 1.1 boolean; 'true' is the portable spelling
          rbd_pool: nova
          rbd_user: nova
          # Example UUID only — use the UUID of the libvirt secret on your hosts.
          secret_uuid: 03006edd-d957-40a3-ac4c-26cd254b3731
        ....
maxstack39e6aca2016-05-04 13:50:13 +0000441
Nova with ephemeral storage configured on LVM:
Kalynovskyi0bc79692017-07-21 16:22:09 +0300443
444.. code-block:: yaml
445
    # Ephemeral disks on an LVM volume group; the group itself is created by the
    # linux formula (linux:storage:lvm) from the listed devices.
    nova:
      compute:
        enabled: true
        ...
        lvm:
          ephemeral: yes  # YAML 1.1 boolean; 'true' is the portable spelling
          images_volume_group: nova_vg

    linux:
      storage:
        lvm:
          nova_vg:
            name: nova_vg
            devices:
              - /dev/sdf
              - /dev/sdd
              - /dev/sdg
              - /dev/sde
              - /dev/sdc
              - /dev/sdj
              - /dev/sdh
maxstack39e6aca2016-05-04 13:50:13 +0000467
OlgaGusarenko9dd01c92018-07-31 00:49:30 +0300468Enable Barbican integration:
Oleg Iurchenko370c10d2017-10-19 14:03:37 +0300469
470.. code-block:: yaml
471
    # Barbican integration on the compute node.
    nova:
      compute:
        ....
        barbican:
          enabled: true
477
Define aliases for PCI devices:

.. code-block:: yaml
480
    # PCI device aliases on the compute node; ids are quoted so they stay strings.
    nova:
      compute:
        ...
        pci:
          alias:
            alias1:
              device_type: "type-PF"
              name: "a1"
              product_id: "154d"
              vendor_id: "8086"
491
OlgaGusarenko9dd01c92018-07-31 00:49:30 +0300492Nova metadata custom bindings:
Vasyl Saienko2d591282018-02-05 14:19:02 +0200493
494.. code-block:: yaml
495
    # Custom bind address/port for the metadata service.
    nova:
      controller:
        enabled: true
        ...
        metadata:
          bind:
            address: 1.2.3.4
            port: 8776
504
Oleh Hryhorov08482aa2018-11-19 14:07:47 +0200505Define multipath for nova compute:
506
507.. code-block:: yaml
508
    # Multipath for volumes attached through libvirt.
    nova:
      compute:
        ....
        libvirt:
          volume_use_multipath: True
514
To enable or disable StrictHostKeyChecking and to discover the
compute nodes' fingerprints, use the pillar below:
517
518.. code-block:: yaml
519
    # ssh host-key handling on the compute node.
    nova:
      compute:
        ....
        openssh:
          # True keeps StrictHostKeyChecking enabled (the safer setting);
          # False would disable host-key verification.
          stricthostkeychecking: True
          # Discovers the compute nodes' host-key fingerprints (see text above),
          # presumably so strict checking has known keys to verify against — confirm.
          discover_compute_hosts: True
526
Jiri Broulik0ce9fc92017-02-01 23:10:40 +0100527Client role
528-----------
529
OlgaGusarenko9dd01c92018-07-31 00:49:30 +0300530Nova configured with NFS:
Dmitry Stremkovskiy665c7282017-07-05 17:36:27 +0300531
532.. code-block:: yaml
533
    # Instance directory on an NFS mount managed by the linux formula.
    nova:
      compute:
        instances_path: /mnt/nova/instances

    linux:
      storage:
        enabled: true
        mount:
          nfs_nova:
            enabled: true
            path: ${nova:compute:instances_path}
            # NOTE(review): example export — restrict it to the compute hosts on
            # the NFS server side.
            device: 172.31.35.145:/data
            file_system: nfs
            opts: rw,vers=3
548
OlgaGusarenko9dd01c92018-07-31 00:49:30 +0300549Nova flavors:
Jiri Broulik0ce9fc92017-02-01 23:10:40 +0100550
551.. code-block:: yaml
552
    # Flavors created by the client role, per identity.
    nova:
      client:
        enabled: true
        server:
          identity:
            flavor:
              flavor1:
                flavor_id: 10
                ram: 4096
                disk: 10
                vcpus: 1
              flavor2:
                flavor_id: auto  # id assigned automatically instead of a fixed number
                ram: 4096
                disk: 20
                vcpus: 2
          identity1:
            flavor:
              ...
572
OlgaGusarenko9dd01c92018-07-31 00:49:30 +0300573Availability zones:
Jiri Broulik70d9e3f2017-02-15 18:37:13 +0100574
575.. code-block:: yaml
576
    # Availability zones created by the client role.
    nova:
      client:
        enabled: true
        server:
          identity:
            availability_zones:
              - availability_zone_01
              - availability_zone_02
585
OlgaGusarenko9dd01c92018-07-31 00:49:30 +0300586Aggregates:
Damian Szeluga5dca0f02017-04-13 17:27:15 +0200587
588.. code-block:: yaml
589
    # Host aggregates created by the client role.
    nova:
      client:
        enabled: true
        server:
          identity:
            aggregates:
              - aggregate1
              - aggregate2
598
OlgaGusarenko9dd01c92018-07-31 00:49:30 +0300599Upgrade levels:
Dmitry Stremkovskiy91f45852017-07-18 16:22:31 +0300600
601.. code-block:: yaml
602
    # RPC upgrade levels, set on both roles.
    nova:
      controller:
        upgrade_levels:
          compute: juno

    nova:
      compute:
        upgrade_levels:
          compute: juno
612
Petr Jedinýd855ef22017-03-06 22:24:33 +0100613SR-IOV
Jakub Pavlik39a05942017-02-13 23:03:08 +0100614------
615
OlgaGusarenko9dd01c92018-07-31 00:49:30 +0300616Add ``PciPassthroughFilter`` into scheduler filters and NICs on
617specific compute nodes:
Jakub Pavlik39a05942017-02-13 23:03:08 +0100618
619.. code-block:: yaml
620
    # SR-IOV: PciPassthroughFilter added to the scheduler filters, NICs on the compute node.
    nova:
      controller:
        sriov: true
        scheduler_default_filters: "DifferentHostFilter,SameHostFilter,RetryFilter,AvailabilityZoneFilter,RamFilter,CoreFilter,DiskFilter,ComputeFilter,ComputeCapabilitiesFilter,ImagePropertiesFilter,ServerGroupAntiAffinityFilter,ServerGroupAffinityFilter,PciPassthroughFilter"

    # Each entry under sriov is copied into passthrough_whitelist (see note below).
    nova:
      compute:
        sriov:
          nic_one:
            devname: eth1
            physical_network: physnet1
632
.. note:: Parameters located under ``nova:compute:sriov:<nic_name>`` are copied into the
   ``passthrough_whitelist`` parameter of ``nova.conf`` in the appropriate format.
635
Jakub Pavlik26fb85c2017-02-16 22:29:22 +0100636CPU pinning & Hugepages
637-----------------------
638
OlgaGusarenko9dd01c92018-07-31 00:49:30 +0300639CPU pinning of virtual machine instances to dedicated physical
640CPU cores. Hugepages mount point for libvirt.
Jakub Pavlik26fb85c2017-02-16 22:29:22 +0100641
642.. code-block:: yaml
643
    # CPU pinning and hugepages: NUMA/extra-specs filters on the controller,
    # pinned vCPU set and hugepage mount points on the compute node.
    nova:
      controller:
        scheduler_default_filters: "DifferentHostFilter,SameHostFilter,RetryFilter,AvailabilityZoneFilter,RamFilter,CoreFilter,DiskFilter,ComputeFilter,ComputeCapabilitiesFilter,ImagePropertiesFilter,ServerGroupAntiAffinityFilter,ServerGroupAffinityFilter,NUMATopologyFilter,AggregateInstanceExtraSpecsFilter"

    nova:
      compute:
        vcpu_pin_set: 2,3,4,5
        hugepages:
          mount_points:
            - path: /mnt/hugepages_1GB
            - path: /mnt/hugepages_2MB
Jiri Broulik0ce9fc92017-02-01 23:10:40 +0100655
Michel Nederlof171c7ac2017-04-13 12:54:14 +0200656Custom Scheduler filters
657------------------------
658
If you have a custom filter that needs to be included in the
scheduler, you can include it like so:
Michel Nederlof171c7ac2017-04-13 12:54:14 +0200661
662.. code-block:: yaml
663
    # Register a custom scheduler filter class and append it to the filter list.
    nova:
      controller:
        scheduler_custom_filters:
          - my_custom_driver.nova.scheduler.filters.my_custom_filter.MyCustomFilter

        # Then add your custom filter on the end (make sure to include all other ones that you need as well)
        scheduler_default_filters: "DifferentHostFilter,SameHostFilter,RetryFilter,AvailabilityZoneFilter,RamFilter,CoreFilter,DiskFilter,ComputeFilter,ComputeCapabilitiesFilter,ImagePropertiesFilter,ServerGroupAntiAffinityFilter,ServerGroupAffinityFilter,PciPassthroughFilter,MyCustomFilter"

        # Since Queens version a sequence could be used as well:
        # (the '~' prefix is presumably the pillar override marker — confirm)
        ~scheduler_default_filters:
          - DifferentHostFilter
          - SameHostFilter
          ...
          - MyCustomFilter
678
679
Hardware Trim/Unmap Support
---------------------------
682
To enable TRIM support for ephemeral images (through nova-managed
images), libvirt has this option:
Michel Nederlofeb566f62017-04-21 15:37:47 +0200685
686.. code-block:: yaml
687
    # Pass discard/unmap requests from the guest to the backing image.
    nova:
      compute:
        libvirt:
          hw_disk_discard: unmap
692
To actually utilize this feature, the following metadata must be
set on the image as well, so that SCSI unmap is supported:
Michel Nederlofeb566f62017-04-21 15:37:47 +0200695
696.. code-block:: bash
697
698 glance image-update --property hw_scsi_model=virtio-scsi <image>
699 glance image-update --property hw_disk_bus=scsi <image>
Filip Pytloun5bc9e9f2017-02-02 13:05:40 +0100700
Thom Gerdesf582f1e2017-05-02 18:05:50 +0000701Scheduler Host Manager
702----------------------
703
704Specify a custom host manager.
705
Thom Gerdesec00afd2017-04-07 18:06:59 +0000706libvirt CPU mode
707----------------
708
Allows setting the CPU model that is exposed to a VM. Among other things,
this allows better support for live migration between hypervisors with
different hardware. Defaults to host-passthrough.
Jakub Pavlik7046b9c2017-09-19 12:04:19 +0200712
Thom Gerdesf582f1e2017-05-02 18:05:50 +0000713.. code-block:: yaml
714
    # scheduler_host_manager belongs to the "Scheduler Host Manager" section
    # above; cpu_mode to the "libvirt CPU mode" section.
    nova:
      controller:
        scheduler_host_manager: ironic_host_manager

      compute:
        cpu_mode: host-model
721
Dzmitry Stremkouski7da9bf12018-04-25 22:30:37 +0200722Nova compute cpu model
723----------------------
724
725.. code-block:: yaml
726
    # A custom CPU model requires cpu_mode: custom plus the model name.
    nova:
      compute:
        cpu_mode: custom
        libvirt:
          cpu_model: IvyBridge
732
RNG (Random Number Generator) device path
-----------------------------------------
735
736The path to an RNG (Random Number Generator) device that will be used
737as the source of entropy on the host.
738The recommended source of entropy is /dev/urandom.
739Permitted options are: /dev/random, /dev/urandom or /dev/hwrng.
740Default: /dev/urandom
741
742.. code-block:: yaml
743
    # Host entropy source for guest RNG devices. The text above recommends
    # /dev/urandom (the default); /dev/random and /dev/hwrng are also permitted.
    nova:
      controller:
        libvirt:
          rng_dev_path: /dev/random

      compute:
        libvirt:
          rng_dev_path: /dev/random
752
Dzmitry Stremkouski7da9bf12018-04-25 22:30:37 +0200753
Michel Nederloff7eefb22017-07-10 11:14:33 +0200754Nova compute workarounds
755------------------------
756
OlgaGusarenko9dd01c92018-07-31 00:49:30 +0300757Live snapshotting is disabled by default in nova. To enable
758this, it needs a manual switch.
Michel Nederloff7eefb22017-07-10 11:14:33 +0200759
760From manual:
761
.. code-block:: text
763
OlgaGusarenko9dd01c92018-07-31 00:49:30 +0300764 When using libvirt 1.2.2 live snapshots fail intermittently under load
765 (likely related to concurrent libvirt/qemu operations). This config
766 option provides a mechanism to disable live snapshot, in favor of cold
767 snapshot, while this is resolved. Cold snapshot causes an instance
768 outage while the guest is going through the snapshotting process.
769
770 For more information, refer to the bug report:
771
772 https://bugs.launchpad.net/nova/+bug/1334398
Michel Nederloff7eefb22017-07-10 11:14:33 +0200773
774Configurable pillar data:
775
776.. code-block:: yaml
777
    # Live snapshot workaround (see the excerpt above); False keeps live snapshots.
    nova:
      compute:
        workaround:
          disable_libvirt_livesnapshot: False
782
Michel Nederlofb51a5142017-06-27 08:31:35 +0200783Config drive options
784--------------------
785
OlgaGusarenko9dd01c92018-07-31 00:49:30 +0300786See example below on how to configure the options for the
787config drive:
Michel Nederlofb51a5142017-06-27 08:31:35 +0200788
789.. code-block:: yaml
790
    # Config drive options; the defaults noted inline are the formula's.
    nova:
      compute:
        config_drive:
          forced: True # Default: True
          cdrom: True # Default: False
          format: iso9660 # Default: vfat
          inject_password: False # Default: False
797 inject_password: False # Default: False
798
Michel Nederloff81919b2017-11-20 09:37:07 +0100799Number of concurrent live migrates
800----------------------------------
801
OlgaGusarenko9dd01c92018-07-31 00:49:30 +0300802Default is to have no concurrent live migrations (so 1
803live-migration at a time).
Michel Nederloff81919b2017-11-20 09:37:07 +0100804
OlgaGusarenko9dd01c92018-07-31 00:49:30 +0300805Excerpt from config options page
806https://docs.openstack.org/ocata/config-reference/compute/config-options.html:
Michel Nederloff81919b2017-11-20 09:37:07 +0100807
OlgaGusarenko9dd01c92018-07-31 00:49:30 +0300808Maximum number of live migrations to run concurrently. This limit is
809enforced to avoid outbound live migrations overwhelming the host/network
810and causing failures. It is not recommended that you change this unless
811you are very sure that doing so is safe and stable in your environment.
Michel Nederloff81919b2017-11-20 09:37:07 +0100812
OlgaGusarenko9dd01c92018-07-31 00:49:30 +0300813Possible values:
Michel Nederloff81919b2017-11-20 09:37:07 +0100814
OlgaGusarenko9dd01c92018-07-31 00:49:30 +0300815- 0 : treated as unlimited.
816- Negative value defaults to 0.
817- Any positive integer representing maximum number of live migrations
818 to run concurrently.
Michel Nederloff81919b2017-11-20 09:37:07 +0100819
820To configure this option:
821
822.. code-block:: yaml
823
    # Outbound live-migration limit; 0 is unlimited (see the list above).
    nova:
      compute:
        max_concurrent_live_migrations: 1 # (1 is the default)
827
Sergio Lystopad9d31cba2018-05-15 11:29:11 +0300828Live migration with auto converge
829----------------------------------
830
Auto converge throttles down the CPU if the progress of an ongoing live
migration is slow. See
https://docs.openstack.org/ocata/config-reference/compute/config-options.html:
Sergio Lystopad9d31cba2018-05-15 11:29:11 +0300834
835.. code-block:: yaml
836
    # Auto-converge on the compute node.
    nova:
      compute:
        libvirt:
          live_migration_permit_auto_converge: False # (False is the default)
841
842.. code-block:: yaml
843
    # Auto-converge on the controller.
    nova:
      controller:
        libvirt:
          live_migration_permit_auto_converge: False # (False is the default)
848
Dmitry Kalashnike58fe082017-12-01 16:31:14 +0400849Enhanced logging with logging.conf
850----------------------------------
851
By default ``logging.conf`` is disabled.

It is possible to enable a per-binary ``logging.conf`` with the following variables:
Dmitry Kalashnike58fe082017-12-01 16:31:14 +0400855
OlgaGusarenko9dd01c92018-07-31 00:49:30 +0300856* ``openstack_log_appender``
857 Set to true to enable log_config_append for all OpenStack services
858
859* ``openstack_fluentd_handler_enabled``
860 Set to true to enable FluentHandler for all Openstack services
861
862* ``openstack_ossyslog_handler_enabled``
863 Set to true to enable OSSysLogHandler for all Openstack services
864
865Only ``WatchedFileHandler``, ``OSSysLogHandler``, and ``FluentHandler``
866are available.
Dmitry Kalashnike58fe082017-12-01 16:31:14 +0400867
It is also possible to configure this with pillar:
Dmitry Kalashnike58fe082017-12-01 16:31:14 +0400869
870.. code-block:: yaml
871
    # Per-role logging.conf: log_appender enables log_config_append; the three
    # handlers listed above are the only ones available.
    nova:
      controller:
        logging:
          log_appender: true
          log_handlers:
            watchedfile:
              enabled: true
            fluentd:
              enabled: true
            ossyslog:
              enabled: true

      compute:
        logging:
          log_appender: true
          log_handlers:
            watchedfile:
              enabled: true
            fluentd:
              enabled: true
            ossyslog:
              enabled: true
Thom Gerdesf582f1e2017-05-02 18:05:50 +0000894
Vasyl Saienko7243a952018-05-11 21:26:54 +0300895The log level might be configured per logger by using the
896following pillar structure:
897
898.. code-block:: yaml
899
    # Per-logger level; <logger_name> is a placeholder for the Python logger name.
    nova:
      compute:
        logging:
          loggers:
            <logger_name>:
              level: WARNING

    nova:
      compute:
        logging:
          loggers:
            <logger_name>:
              level: WARNING
913
Oleh Hryhorove38525d2018-05-15 08:58:59 +0000914Configure syslog parameters for libvirtd
915----------------------------------------
916
To configure syslog parameters for libvirtd, use the pillar structure
below with values supported by libvirtd; the permitted values are
described in the libvirtd documentation.
920
OlgaGusarenko9dd01c92018-07-31 00:49:30 +0300921.. code-block:: yaml
922
    # libvirtd logging: level/filters/outputs/buffer_size are explained below.
    nova:
      compute:
        libvirt:
          logging:
            level: 3
            filters: '3:remote 4:event'
            outputs: '3:syslog:libvirtd'
            buffer_size: 64
931
OlgaGusarenko9dd01c92018-07-31 00:49:30 +0300932Logging controls:
Oleh Hryhorove38525d2018-05-15 08:58:59 +0000933
Logging level: 4 errors, 3 warnings, 2 information, 1 debug;
basically, 1 will log everything possible. Example: ``log_level = 3``
Oleh Hryhorove38525d2018-05-15 08:58:59 +0000936
OlgaGusarenko9dd01c92018-07-31 00:49:30 +0300937Logging filters:
Oleh Hryhorove38525d2018-05-15 08:58:59 +0000938
A filter allows selecting a different logging level for a given category
of logs.
Oleh Hryhorove38525d2018-05-15 08:58:59 +0000941
OlgaGusarenko9dd01c92018-07-31 00:49:30 +0300942The format for a filter is one of:
Oleh Hryhorove38525d2018-05-15 08:58:59 +0000943
OlgaGusarenko9dd01c92018-07-31 00:49:30 +0300944* ``x:name``
945* ``x:+name``
946 where name is a string which is matched against source file name,
947 e.g., ``remote``, ``qemu``, or ``util/json``, the optional ``+`` prefix
948 tells libvirt to log stack trace for each message matching name,
949 and x is the minimal level where matching messages should be logged:
Oleh Hryhorove38525d2018-05-15 08:58:59 +0000950
OlgaGusarenko9dd01c92018-07-31 00:49:30 +0300951* ``1: DEBUG``
952* ``2: INFO``
953* ``3: WARNING``
954* ``4: ERROR``
955
Multiple filters can be defined in a single ``filters`` value; they just
need to be separated by spaces.
958
For example, to only get warnings or errors from the remote layer
and only errors from the event layer: ``log_filters="3:remote 4:event"``
961
962Logging outputs:
963
An output is one of the places to save logging information.
The format for an output can be:
966
967* ``x:stderr``
968 Output goes to stderr
969
970* ``x:syslog:name``
971 Use syslog for the output and use the given name as the ident
972
973* ``x:file:file_path``
  Output to a file, with the given file path.

  In all cases the x prefix is the minimal level, acting as a filter.
977
978* ``1: DEBUG``
979* ``2: INFO``
980* ``3: WARNING``
981* ``4: ERROR``
982
Multiple outputs can be defined; they just need to be separated by spaces.
For example, to log all warnings and errors to syslog under the libvirtd
ident: ``log_outputs="3:syslog:libvirtd"``
986
Log debug buffer size (default ``64``): the daemon keeps an internal debug
log buffer which is dumped in case of a crash or upon receiving a ``SIGUSR2``
signal. This setting overrides the default buffer size in kilobytes.
If the value is ``0`` or less, the debug log buffer is deactivated.
Example: ``log_buffer_size = 64``
993
994To configure the logging parameters for QEMU, the below pillar
995structure and logging parameters should be used:
996
997.. code-block:: yaml
998
999 nova:
1000 compute:
1001 qemu:
1002 logging:
1003 handler: logd
1004 virtlog:
1005 enabled: true
1006 level: 4
1007 filters: '3:remote 3:event'
1008 outputs: '4:syslog:virtlogd'
1009 max_clients: 512
1010 max_size: 2097100
1011 max_backups: 2
Oleh Hryhorove38525d2018-05-15 08:58:59 +00001012
Oleksandr Shyshko981b4fa2018-05-02 15:39:30 +03001013Inject password to VM
1014---------------------
1015
By default, Nova blocks any injection into a VM because the
``inject_partition`` parameter is set to ``-2``.
If you want to inject a password into a VM, you need to
set ``inject_partition`` to a value greater than or equal to ``-1`` and
set ``inject_password`` to ``True``.
Oleksandr Shyshko981b4fa2018-05-02 15:39:30 +03001021
1022For example:
1023
OlgaGusarenko9dd01c92018-07-31 00:49:30 +03001024.. code-block:: yaml
1025
Oleksandr Shyshko981b4fa2018-05-02 15:39:30 +03001026 nova:
1027 compute:
1028 inject_partition: '-1'
1029 inject_password: True
1030
This allows the injection of an admin password into an instance only during
the ``create`` and ``rebuild`` process.
1033
1034There is no agent needed within the image to do this. If *libguestfs* is
1035available on the host, it will be used. Otherwise *nbd* is used. The file
1036system of the image will be mounted and the admin password, which is provided
1037in the REST API call will be injected as password for the root user. If no
1038root user is available, the instance won't be launched and an error is thrown.
1039Be aware that the injection is *not* possible when the instance gets launched
1040from a volume.
1041
1042Possible values:
1043
1044* ``True``
1045 Allows the injection
1046
1047* ``False`` (default)
1048 Disallows the injection. Any via the REST API provided
1049 admin password will be silently ignored.
1050
1051Related options:
1052
* ``inject_partition``
  Decides about the discovery and usage of the file system.
  It can also disable the injection entirely.
  (integer value; ``-2`` disables injection, see above)
Oleksandr Shyshko981b4fa2018-05-02 15:39:30 +03001057
1058You can read more about injecting the administrator password here:
OlgaGusarenko9dd01c92018-07-31 00:49:30 +03001059https://docs.openstack.org/nova/queens/admin/admin-password-injection.html
Oleksandr Shyshko981b4fa2018-05-02 15:39:30 +03001060
Oleksandr Shyshko1c020d12018-05-24 12:47:08 +03001061Enable libvirt control channel over TLS
OlgaGusarenko9dd01c92018-07-31 00:49:30 +03001062---------------------------------------
Oleksandr Shyshko1c020d12018-05-24 12:47:08 +03001063
1064By default TLS is disabled.
1065
OlgaGusarenko9dd01c92018-07-31 00:49:30 +03001066Enable TLS transport:
1067
1068.. code-block:: yaml
Oleksandr Shyshko1c020d12018-05-24 12:47:08 +03001069
1070 compute:
1071 libvirt:
1072 tls:
1073 enabled: True
1074
You can set custom certificates in the pillar:
1076
OlgaGusarenko9dd01c92018-07-31 00:49:30 +03001077.. code-block:: yaml
1078
Oleksandr Shyshko1c020d12018-05-24 12:47:08 +03001079 nova:
1080 compute:
1081 libvirt:
1082 tls:
1083 key: (certificate content)
1084 cert: (certificate content)
1085 cacert: (certificate content)
1086 client:
1087 key: (certificate content)
1088 cert: (certificate content)
1089
It is possible to limit the allowed SSL / TLS ciphers using libvirt's ``tls_priority``:
1091
1092.. code-block:: yaml
1093
1094 nova:
1095 compute:
1096 libvirt:
1097 tls:
1098 priority: <TLS priority string>
1099
1100Example priority strings are:
1101
1102- The system imposed security level:
1103
1104.. code-block:: text
1105
1106 "SYSTEM"
1107
1108- The default priority without the HMAC-MD5:
1109
1110.. code-block:: text
1111
1112 "NORMAL:-MD5"
1113
1114- Specifying RSA with AES-128-CBC:
1115
1116.. code-block:: text
1117
1118 "NONE:+VERS-TLS-ALL:+MAC-ALL:+RSA:+AES-128-CBC:+SIGN-ALL:+COMP-NULL"
1119
- Specifying the defaults plus ARCFOUR-128 (syntax example only; RC4/ARCFOUR is a broken cipher and must not be enabled on production hosts):
1121
1122.. code-block:: text
1123
1124 "NORMAL:+ARCFOUR-128"
1125
1126- Enabling the 128-bit secure ciphers, while disabling TLS 1.0:
1127
1128.. code-block:: text
1129
1130 "SECURE128:-VERS-TLS1.0"
1131
1132- Enabling the 128-bit and 192-bit secure ciphers, while disabling all TLS
1133 versions except TLS 1.2:
1134
1135.. code-block:: text
1136
1137 "SECURE128:+SECURE192:-VERS-ALL:+VERS-TLS1.2"
1138
1139More on TLS Priority Strings:
1140
1141- https://gnutls.org/manual/html_node/Priority-Strings.html
1142
Controlling access with ``tls_allowed_dn_list``:
Enables an access control list of client certificate Distinguished Names (DNs)
which can connect to the TLS port on this server. The default is that DNs are
not checked, so any client presenting a certificate issued by the trusted CA
can connect. This list may contain wildcards such as
``"C=GB,ST=London,L=London,O=Libvirt Project,CN=*"``; see the POSIX ``fnmatch``
function for the format of the wildcards.
Note that if this is an empty list, no client can connect.
Note also that GnuTLS returns DNs without spaces after commas between
the fields (and this is what is checked against), but the openssl ``x509`` tool
shows spaces.
1153
1154.. code-block:: yaml
1155
1156 nova:
1157 compute:
1158 libvirt:
1159 tls:
1160 tls_allowed_dn_list:
1161 host1:
1162 enabled: true
1163 value: 'C=foo,CN=cmp1'
1164 host2:
1165 enabled: true
1166 value: 'C=foo,CN=cmp2'
1167
1168
Oleksandr Shyshko1c020d12018-05-24 12:47:08 +03001169You can read more about live migration over TLS here:
OlgaGusarenko9dd01c92018-07-31 00:49:30 +03001170https://wiki.libvirt.org/page/TLSCreateServerCerts
Oleksandr Shyshko981b4fa2018-05-02 15:39:30 +03001171
Enable transport and authentication for VNC over TLS
----------------------------------------------------

.. note:: Only for Queens. This covers communication between the noVNC proxy service and QEMU.

By default, communication between nova-novncproxy and the qemu service is insecure.
1177
.. code-block:: yaml

  nova:
    compute:
      qemu:
        vnc:
          tls:
            enabled: True
    controller:
      novncproxy:
        # This section is responsible for communication between the noVNC proxy and the client machine
        tls:
          enabled: True
        # This section is responsible for communication between nova-novncproxy and the qemu service
        vencrypt:
          tls:
            enabled: True
Oleksandr Shyshko1195fca2018-07-09 18:22:59 +03001193
You can set custom certificates in the pillar:

.. code-block:: yaml

  nova:
    compute:
      qemu:
        vnc:
          tls:
            cacert: (certificate content)
            cert: (certificate content)
            key: (certificate content)

.. code-block:: yaml

  nova:
    controller:
      novncproxy:
        tls:
          server:
            cert: (certificate content)
            key: (certificate content)
        vencrypt:
          tls:
            cacert: (certificate content)
            cert: (certificate content)
            key: (certificate content)
1217
1218
You can read more about it here:
https://docs.openstack.org/nova/queens/admin/remote-console-access.html
1221
Enable communication between noVNC proxy and client machine over TLS
--------------------------------------------------------------------

By default, communication between the noVNC proxy and the client machine is insecure.
1226
.. code-block:: yaml

  nova:
    controller:
      novncproxy:
        tls:
          enabled: True
Oleksandr Shyshko1195fca2018-07-09 18:22:59 +03001231
.. code-block:: yaml

  nova:
    controller:
      novncproxy:
        tls:
          server:
            cert: (certificate content)
            key: (certificate content)
Oleksandr Shyshko1195fca2018-07-09 18:22:59 +03001239
You can read more about it here:
https://docs.openstack.org/mitaka/config-reference/dashboard/configure.html
Oleksandr Shyshko1195fca2018-07-09 18:22:59 +03001242
Enable x509 and SSL communication between Nova and Galera cluster
-----------------------------------------------------------------

By default, communication between Nova and Galera is insecure.
1246
.. code-block:: yaml

  nova:
    controller:
      database:
        x509:
          enabled: True
1252
You can set custom certificates in the pillar:

.. code-block:: yaml

  nova:
    controller:
      database:
        x509:
          cacert: (certificate content)
          cert: (certificate content)
          key: (certificate content)
Oleksandr Shyshko55eeac72018-08-03 18:23:28 +03001262
You can read more about it here:
https://docs.openstack.org/security-guide/databases/database-access-control.html
1265
Configure nova to use service user tokens
=========================================
1268Long-running operations such as live migration or snapshot can sometimes overrun the
1269expiry of the user token. In such cases, post operations such as cleaning up after a
1270live migration can fail when the nova-compute service needs to cleanup resources in
1271other services, such as in the block-storage (cinder) or networking (neutron) services.
1272
This option enables Nova to use service user tokens to supplement the regular user token
used to initiate the operation. The identity service (keystone) will then authenticate
a request using the service user token if the user token has already expired.
The service user password is a secret; source it from a secret store rather than
committing a plain-text value in the pillar.
1276
1277.. code-block:: yaml
1278
1279 nova:
1280 controller:
1281 enabled: True
1282 ...
1283 service_user:
1284 enabled: True
1285 user_domain_id: default
1286 project_domain_id: default
1287 project_name: service
1288 username: nova
1289 password: pswd
1290
1291
Nova database connection setup
==============================
1294
1295.. code-block:: yaml
1296
1297 nova:
1298 controller:
1299 enabled: True
1300 ...
1301 min_pool_size: 100
1302 max_pool_size: 700
1303 max_overflow: 100
1304 retry_interval: 5
1305 max_retries: '-1'
1306 db_max_retries: 3
1307 db_retry_interval: 1
1308 connection_debug: 10
1309 pool_timeout: 120
Oleksandr Bryndzii687b6542019-02-20 15:51:15 +02001310
Change default resource quotas using configmap template settings
================================================================
1313
1314.. code-block:: yaml
1315
1316 nova:
1317 controller:
1318 configmap:
1319 quota:
1320 instances: 10
1321 cores: 20
1322 ram: 51200
1323 metadata_items: 128
1324 injected_files: 5
1325 injected_file_content_bytes: 10240
1326 injected_file_path_length: 255
1327 key_pairs: 100
1328 server_groups: 10
1329 server_group_members: 10
1330 reservation_expire: 86400
1331 until_refresh: 0
1332 max_age: 0
1333
Oleh Hryhorov63ee8452018-08-14 09:16:02 +00001334Upgrades
1335========
1336
Each OpenStack formula provides a set of phases (logical blocks) that help to
build flexible upgrade orchestration logic for particular components. The
phases and their descriptions are listed in the table below:
1340
1341+-------------------------------+------------------------------------------------------+
1342| State | Description |
1343+===============================+======================================================+
1344| <app>.upgrade.service_running | Ensure that all services for particular application |
1345| | are enabled for autostart and running |
1346+-------------------------------+------------------------------------------------------+
1347| <app>.upgrade.service_stopped | Ensure that all services for particular application |
1348| | disabled for autostart and dead |
1349+-------------------------------+------------------------------------------------------+
1350| <app>.upgrade.pkgs_latest | Ensure that packages used by particular application |
1351| | are installed to latest available version. |
1352| | This will not upgrade data plane packages like qemu |
1353| | and openvswitch as usually minimal required version |
1354| | in openstack services is really old. The data plane |
1355| | packages should be upgraded separately by `apt-get |
1356| | upgrade` or `apt-get dist-upgrade` |
1357| | Applying this state will not autostart service. |
1358+-------------------------------+------------------------------------------------------+
| <app>.upgrade.render_config   | Ensure configuration is rendered for actual version. |
1360+-------------------------------+------------------------------------------------------+
1361| <app>.upgrade.pre | We assume this state is applied on all nodes in the |
1362| | cloud before running upgrade. |
1363| | Only non destructive actions will be applied during |
1364| | this phase. Perform service built in service check |
1365| | like (keystone-manage doctor and nova-status upgrade)|
1366+-------------------------------+------------------------------------------------------+
1367| <app>.upgrade.upgrade.pre | Mostly applicable for data plane nodes. During this |
1368| | phase resources will be gracefully removed from |
1369| | current node if it is allowed. Services for upgraded |
1370| | application will be set to admin disabled state to |
1371| | make sure node will not participate in resources |
1372| | scheduling. For example on gtw nodes this will set |
1373| | all agents to admin disable state and will move all |
1374| | routers to other agents. |
1375+-------------------------------+------------------------------------------------------+
1376| <app>.upgrade.upgrade | This state will basically upgrade application on |
1377| | particular target. Stop services, render |
1378| | configuration, install new packages, run offline |
1379| | dbsync (for ctl), start services. Data plane should |
1380| | not be affected, only OpenStack python services. |
1381+-------------------------------+------------------------------------------------------+
1382| <app>.upgrade.upgrade.post | Add services back to scheduling. |
1383+-------------------------------+------------------------------------------------------+
1384| <app>.upgrade.post | This phase should be launched only when upgrade of |
1385| | the cloud is completed. Cleanup temporary files, |
1386| | perform other post upgrade tasks. |
1387+-------------------------------+------------------------------------------------------+
1388| <app>.upgrade.verify | Here we will do basic health checks (API CRUD |
1389| | operations, verify do not have dead network |
1390| | agents/compute services) |
1391+-------------------------------+------------------------------------------------------+