Filip Pytloun4a72d792015-10-06 16:28:32 +02001
Aleš Komárek72152852017-04-11 13:48:48 +02002============
OlgaGusarenko9dd01c92018-07-31 00:49:30 +03003Usage
Aleš Komárek72152852017-04-11 13:48:48 +02004============
Filip Pytloun4a72d792015-10-06 16:28:32 +02005
Jakub Pavlikfcf34f82016-05-20 09:35:51 +02006OpenStack Nova provides a cloud computing fabric controller, supporting a wide
7variety of virtualization technologies, including KVM, Xen, LXC, VMware, and
8more. In addition to its native API, it includes compatibility with the
9commonly encountered Amazon EC2 and S3 APIs.
Filip Pytloun4a72d792015-10-06 16:28:32 +020010
Aleš Komárek72152852017-04-11 13:48:48 +020011Sample Pillars
Filip Pytloun4a72d792015-10-06 16:28:32 +020012==============
13
14Controller nodes
15----------------
16
OlgaGusarenko9dd01c92018-07-31 00:49:30 +030017Nova services on the controller node:
Filip Pytloun4a72d792015-10-06 16:28:32 +020018
19.. code-block:: yaml
20
21 nova:
22 controller:
23 version: juno
24 enabled: true
25 security_group: true
Lachlan Evensonb72de502016-01-20 15:34:04 -080026 cpu_allocation_ratio: 8.0
27 ram_allocation_ratio: 1.0
Jiri Konecny9344a372016-03-21 19:25:48 +010028 disk_allocation_ratio: 1.0
Dmitry Stremkovskiy2bcba8d2017-07-30 21:43:59 +030029 cross_az_attach: false
Jiri Konecnyb5a80e42016-03-22 11:51:01 +010030 workers: 8
Jakub Pavlik617a8962016-09-04 18:50:06 +020031 report_interval: 60
Michel Nederlof8ff99332017-10-23 14:29:15 +020032 dhcp_domain: novalocal
Vasyl Saienko09b6ac32019-01-17 15:23:58 +020033 vif_plugging_timeout: 300
34 vif_plugging_is_fatal: false
Vasyl Saienko2adac3f2019-02-18 12:32:52 +020035 instance_build_timeout: 600
Dzmitry Stremkouski781f59e2020-01-30 18:29:29 +010036 use_cow_images: False
37 force_raw_images: True
38 snapshot_image_format: qcow2
39 images_type: default
Ivan Berezovskiyf1869a32019-11-14 20:17:58 +040040 concurrency:
41 lock_path: '/var/lib/nova/tmp'
sgarbuzcc02c7f2018-10-25 14:29:30 +030042 consoleauth:
43 token_ttl: 600
Filip Pytloun4a72d792015-10-06 16:28:32 +020044 bind:
45 public_address: 10.0.0.122
46 public_name: openstack.domain.com
47 novncproxy_port: 6080
48 database:
49 engine: mysql
50 host: 127.0.0.1
51 port: 3306
52 name: nova
53 user: nova
54 password: pwd
55 identity:
56 engine: keystone
57 host: 127.0.0.1
58 port: 35357
59 user: nova
60 password: pwd
61 tenant: service
Dzmitry Stremkouskifb2289a2019-05-26 01:20:42 +020062 interface: internal
63 valid_interfaces:
64 - internal
Filip Pytloun4a72d792015-10-06 16:28:32 +020065 message_queue:
66 engine: rabbitmq
67 host: 127.0.0.1
68 port: 5672
69 user: openstack
70 password: pwd
71 virtual_host: '/openstack'
Oleh Hryhorovf5093b82018-10-17 11:16:08 +000072 pci:
73 alias:
74 alias1:
75 device_type: "type-PF"
76 name: "a1"
77 product_id: "154d"
78 vendor_id: "8086"
Filip Pytloun4a72d792015-10-06 16:28:32 +020079 network:
80 engine: neutron
81 host: 127.0.0.1
82 port: 9696
Jakub Pavlik617a8962016-09-04 18:50:06 +020083 extension_sync_interval: 600
Filip Pytloun4a72d792015-10-06 16:28:32 +020084 identity:
85 engine: keystone
86 host: 127.0.0.1
87 port: 35357
88 user: neutron
89 password: pwd
90 tenant: service
91 metadata:
92 password: password
Petr Michalecaa23dc02016-11-29 16:30:25 +010093 audit:
94 enabled: false
Simon Pasquier8683b7a2017-02-03 16:00:16 +010095 osapi_max_limit: 500
Oleg Iurchenko370c10d2017-10-19 14:03:37 +030096 barbican:
97 enabled: true
Filip Pytloun4a72d792015-10-06 16:28:32 +020098
OlgaGusarenko9dd01c92018-07-31 00:49:30 +030099Nova services from custom package repository:
Filip Pytloun4a72d792015-10-06 16:28:32 +0200100
101.. code-block:: yaml
102
103 nova:
104 controller:
105 version: juno
106 source:
107 engine: pkg
108 address: http://...
109 ....
110
OlgaGusarenko9dd01c92018-07-31 00:49:30 +0300111Client-side RabbitMQ HA setup:
Jiri Konecnye31f2c52016-04-14 17:16:02 +0200112
113.. code-block:: yaml
114
115 nova:
116 controller:
117 ....
118 message_queue:
119 engine: rabbitmq
120 members:
121 - host: 10.0.16.1
122 - host: 10.0.16.2
123 - host: 10.0.16.3
124 user: openstack
125 password: pwd
126 virtual_host: '/openstack'
127 ....
128
OlgaGusarenko9dd01c92018-07-31 00:49:30 +0300129Enable the auditing filter, i.e. CADF:
Petr Michalecaa23dc02016-11-29 16:30:25 +0100130
131.. code-block:: yaml
132
133 nova:
134 controller:
Simon Pasquier6a3c8f72016-12-19 15:37:24 +0100135 audit:
Petr Michalecaa23dc02016-11-29 16:30:25 +0100136 enabled: true
137 ....
138 filter_factory: 'keystonemiddleware.audit:filter_factory'
139 map_file: '/etc/pycadf/nova_api_audit_map.conf'
140 ....
141
OlgaGusarenko9dd01c92018-07-31 00:49:30 +0300142Enable CORS parameters:
Ondrej Smola25b53cb2017-04-28 10:56:19 +0200143
144.. code-block:: yaml
145
146 nova:
147 controller:
148 cors:
149 allowed_origin: https:localhost.local,http:localhost.local
150 expose_headers: X-Auth-Token,X-Openstack-Request-Id,X-Subject-Token
151 allow_methods: GET,PUT,POST,DELETE,PATCH
152 allow_headers: X-Auth-Token,X-Openstack-Request-Id,X-Subject-Token
153 allow_credentials: True
154 max_age: 86400
155
OlgaGusarenko9dd01c92018-07-31 00:49:30 +0300156Configuration of the ``policy.json`` file:
Dmitry Ukov3562a082017-05-04 00:00:48 +0400157
158.. code-block:: yaml
159
160 nova:
161 controller:
162 ....
163 policy:
164 context_is_admin: 'role:admin or role:administrator'
165 'compute:create': 'rule:admin_or_owner'
166 # Add key without value to remove line from policy.json
167 'compute:create:attach_network':
Ondrej Smola25b53cb2017-04-28 10:56:19 +0200168
OlgaGusarenko9dd01c92018-07-31 00:49:30 +0300169Enable Barbican integration:
Oleg Iurchenko370c10d2017-10-19 14:03:37 +0300170
171.. code-block:: yaml
172
173 nova:
174 controller:
175 ....
176 barbican:
177 enabled: true
178
Oleh Hryhorovf5093b82018-10-17 11:16:08 +0000179Define aliases for PCI devices:

180.. code-block:: yaml
181
182 nova:
183 controller:
184 ...
185 pci:
186 alias:
187 alias1:
188 device_type: "type-PF"
189 name: "a1"
190 product_id: "154d"
191 vendor_id: "8086"
192
Jiri Broulik789179a2018-02-13 16:16:46 +0100193Enable cells update:
194
OlgaGusarenko9dd01c92018-07-31 00:49:30 +0300195.. note:: Useful when upgrading OpenStack, for example to test a cells database sync
196 against a duplicated production database.
Jiri Broulik789179a2018-02-13 16:16:46 +0100197
198.. code-block:: yaml
199
200 nova:
201 controller:
202 update_cells: true
203
Dzmitry Stremkouskib139f142019-11-03 10:36:46 +0100204Increase number of chunks for online db migrations:
205
206.. note:: This should only be done offline, as the large number of
207 rows locked by this process may cause an unexpected service
208 outage.
209
210.. code-block:: yaml
211
212 nova:
213 controller:
214 db_migrations:
215 max_count: 5000000
Kirill Bespalov64617172017-07-11 14:43:14 +0300216
Kirill Bespalova0eaca72017-11-20 13:40:42 +0300217Configuring TLS communications
218------------------------------
Kirill Bespalov64617172017-07-11 14:43:14 +0300219
OlgaGusarenko9dd01c92018-07-31 00:49:30 +0300220.. note:: By default the system-wide installed CA certificates are used,
221 so the ``cacert_file`` parameter is optional, as is ``cacert``.
Kirill Bespalova0eaca72017-11-20 13:40:42 +0300222
223- **RabbitMQ TLS**
Kirill Bespalov64617172017-07-11 14:43:14 +0300224
OlgaGusarenko9dd01c92018-07-31 00:49:30 +0300225 .. code-block:: yaml
Kirill Bespalov64617172017-07-11 14:43:14 +0300226
OlgaGusarenko9dd01c92018-07-31 00:49:30 +0300227 nova:
228 compute:
229 message_queue:
230 port: 5671
231 ssl:
232 enabled: True
233 (optional) cacert: cert body if the cacert_file does not exist
234 (optional) cacert_file: /etc/openstack/rabbitmq-ca.pem
235 (optional) version: TLSv1_2
Kirill Bespalov64617172017-07-11 14:43:14 +0300236
Kirill Bespalova0eaca72017-11-20 13:40:42 +0300237- **MySQL TLS**
Kirill Bespalov64617172017-07-11 14:43:14 +0300238
OlgaGusarenko9dd01c92018-07-31 00:49:30 +0300239 .. code-block:: yaml
Kirill Bespalov64617172017-07-11 14:43:14 +0300240
OlgaGusarenko9dd01c92018-07-31 00:49:30 +0300241 nova:
242 controller:
243 database:
244 ssl:
245 enabled: True
246 (optional) cacert: cert body if the cacert_file does not exist
247 (optional) cacert_file: /etc/openstack/mysql-ca.pem
Kirill Bespalov64617172017-07-11 14:43:14 +0300248
Kirill Bespalova0eaca72017-11-20 13:40:42 +0300249- **Openstack HTTPS API**
250
OlgaGusarenko9dd01c92018-07-31 00:49:30 +0300251 Set ``https`` as the protocol in the ``nova:compute`` and
252 ``nova:controller`` sections:
Kirill Bespalova0eaca72017-11-20 13:40:42 +0300253
OlgaGusarenko9dd01c92018-07-31 00:49:30 +0300254 .. code-block:: yaml
Kirill Bespalov64617172017-07-11 14:43:14 +0300255
OlgaGusarenko9dd01c92018-07-31 00:49:30 +0300256 nova:
257 controller :
258 identity:
259 protocol: https
260 (optional) cacert_file: /etc/openstack/proxy.pem
261 network:
262 protocol: https
263 (optional) cacert_file: /etc/openstack/proxy.pem
264 glance:
265 protocol: https
266 (optional) cacert_file: /etc/openstack/proxy.pem
Kirill Bespalov64617172017-07-11 14:43:14 +0300267
OlgaGusarenko9dd01c92018-07-31 00:49:30 +0300268 .. code-block:: yaml
Kirill Bespalov64617172017-07-11 14:43:14 +0300269
OlgaGusarenko9dd01c92018-07-31 00:49:30 +0300270 nova:
271 compute:
272 identity:
273 protocol: https
274 (optional) cacert_file: /etc/openstack/proxy.pem
275 network:
276 protocol: https
277 (optional) cacert_file: /etc/openstack/proxy.pem
278 image:
279 protocol: https
280 (optional) cacert_file: /etc/openstack/proxy.pem
281 ironic:
282 protocol: https
283 (optional) cacert_file: /etc/openstack/proxy.pem
Kirill Bespalov64617172017-07-11 14:43:14 +0300284
OlgaGusarenko9dd01c92018-07-31 00:49:30 +0300285.. note:: Barbican, Cinder, and Placement URL endpoints are discovered
286 using the service catalog.
Kirill Bespalov64617172017-07-11 14:43:14 +0300287
Martin Polreich65e2a142019-12-17 14:19:44 +0100288Change default service policy configuration:
289--------------------------------------------
290
291.. code-block:: yaml
292
293 nova:
294 controller:
295 policy:
296 'context_is_admin': 'role:admin or role:administrator'
297 'compute:create': 'rule:admin_or_owner'
298 # Add key without value to remove line from policy.json
299 'compute:create:attach_network':
300
301
Filip Pytloun4a72d792015-10-06 16:28:32 +0200302Compute nodes
303-------------
304
OlgaGusarenko9dd01c92018-07-31 00:49:30 +0300305Nova services on the compute node:
Filip Pytloun4a72d792015-10-06 16:28:32 +0200306
307.. code-block:: yaml
308
309 nova:
310 compute:
311 version: juno
312 enabled: true
Mykyta Karpin5ef9f982019-02-07 18:40:00 +0200313 timeout_nbd: 10
314 heal_instance_info_cache_interval: 60
Dmitry Stremkovskiy2bcba8d2017-07-30 21:43:59 +0300315 cross_az_attach: false
Dmitry Stremkovskiy35e53b72017-07-29 12:50:39 +0300316 disk_cachemodes: network=writeback,block=none
Jiri Broulik70d9e3f2017-02-15 18:37:13 +0100317 availability_zone: availability_zone_01
Damian Szelugae1922412017-04-18 16:36:46 +0200318 aggregates:
319 - hosts_with_fc
320 - hosts_with_ssd
Filip Pytloun4a72d792015-10-06 16:28:32 +0200321 security_group: true
Petr Michalecf03e4882017-04-10 10:26:18 +0200322 resume_guests_state_on_host_boot: False
Michael Polenchuk159c2542018-06-09 15:31:51 +0400323 preallocate_images: space # Default is 'none'
Dmitry Stremkovskiy8a0ff512017-07-25 20:54:13 +0300324 my_ip: 10.1.0.16
Vasyl Saienko09b6ac32019-01-17 15:23:58 +0200325 vif_plugging_timeout: 300
326 vif_plugging_is_fatal: false
Ivan Berezovskiyf1869a32019-11-14 20:17:58 +0400327 concurrency:
328 lock_path: '/var/lib/nova/tmp'
Filip Pytloun4a72d792015-10-06 16:28:32 +0200329 bind:
330 vnc_address: 172.20.0.100
331 vnc_port: 6080
332 vnc_name: openstack.domain.com
333 vnc_protocol: http
334 database:
335 engine: mysql
336 host: 127.0.0.1
337 port: 3306
338 name: nova
339 user: nova
340 password: pwd
341 identity:
342 engine: keystone
343 host: 127.0.0.1
344 port: 35357
345 user: nova
346 password: pwd
347 tenant: service
348 message_queue:
349 engine: rabbitmq
350 host: 127.0.0.1
351 port: 5672
352 user: openstack
353 password: pwd
354 virtual_host: '/openstack'
355 image:
356 engine: glance
357 host: 127.0.0.1
358 port: 9292
Oleh Hryhorovf5093b82018-10-17 11:16:08 +0000359 pci:
360 alias:
361 alias1:
362 device_type: "type-PF"
363 name: "a1"
364 product_id: "154d"
365 vendor_id: "8086"
Oleksandr Pidrepnyi14f08272019-02-20 12:48:17 +0200366 passthrough_whitelist:
367 - vendor_id: "10de"
368 product_id: "1db4"
Filip Pytloun4a72d792015-10-06 16:28:32 +0200369 network:
370 engine: neutron
371 host: 127.0.0.1
372 port: 9696
373 identity:
374 engine: keystone
375 host: 127.0.0.1
376 port: 35357
377 user: neutron
378 password: pwd
379 tenant: service
380 qemu:
381 max_files: 4096
382 max_processes: 4096
Dmitry Stremkovskiy96281f52017-07-26 00:39:22 +0300383 host: node-12.domain.tld
Filip Pytloun4a72d792015-10-06 16:28:32 +0200384
Vasyl Saienkocab3a902018-07-12 13:17:17 +0300385Compute with the VMware driver. Each VMware cluster requires a separate nova-compute process.
386Each process should have a unique host identifier; however, multiple computes might be running on a
387single host. It is not recommended to have multiple computes running on different hosts that
388manage the same VMware cluster. To achieve this, pacemaker/corosync or keepalived might be used.
389
390.. code-block:: yaml
391
392 nova:
393 compute:
394 compute_driver: vmwareapi.VMwareVCDriver
395 vmware:
396 host_username: vmware
397 host_password: vmware
398 cluster_name: vmware_cluster01
399 host_ip: 1.2.3.4
400
OlgaGusarenko9dd01c92018-07-31 00:49:30 +0300401Group and user to be used for QEMU processes run by the system instance:
kkalynovskyif50f0c02017-12-12 17:52:57 +0200402
403.. code-block:: yaml
404
405 nova:
406 compute:
407 enabled: true
408 ...
409 qemu:
410 user: nova
411 group: cinder
412 dynamic_ownership: 1
413
OlgaGusarenko9dd01c92018-07-31 00:49:30 +0300414Group membership for user nova (upgrade related):
Dmitry Stremkovskiy3cd6ba82017-07-25 17:15:36 +0300415
416.. code-block:: yaml
417
418 nova:
419 compute:
420 enabled: true
421 ...
422 user:
423 groups:
424 - libvirt
Filip Pytloun4a72d792015-10-06 16:28:32 +0200425
OlgaGusarenko9dd01c92018-07-31 00:49:30 +0300426Nova services on compute node with OpenContrail:
Filip Pytloun4a72d792015-10-06 16:28:32 +0200427
428.. code-block:: yaml
429
430 nova:
431 compute:
432 enabled: true
433 ...
434 networking: contrail
435
Oleksandr Bryndziibb8abfe2018-09-28 22:21:43 +0000436Nova services on compute node with memcached caching and security strategy:
Filip Pytloun4a72d792015-10-06 16:28:32 +0200437
438.. code-block:: yaml
439
440 nova:
441 compute:
442 enabled: true
443 ...
444 cache:
445 engine: memcached
446 members:
447 - host: 127.0.0.1
448 port: 11211
449 - host: 127.0.0.1
450 port: 11211
Oleksandr Bryndziibb8abfe2018-09-28 22:21:43 +0000451 security:
452 enabled: true
453 strategy: ENCRYPT
454 secret_key: secret
Filip Pytloun4a72d792015-10-06 16:28:32 +0200455
OlgaGusarenko9dd01c92018-07-31 00:49:30 +0300456Client-side RabbitMQ HA setup:
Jiri Konecnye31f2c52016-04-14 17:16:02 +0200457
458.. code-block:: yaml
459
460 nova:
Kirill Bespalov64617172017-07-11 14:43:14 +0300461 compute:
Jiri Konecnye31f2c52016-04-14 17:16:02 +0200462 ....
463 message_queue:
464 engine: rabbitmq
465 members:
466 - host: 10.0.16.1
467 - host: 10.0.16.2
468 - host: 10.0.16.3
469 user: openstack
470 password: pwd
471 virtual_host: '/openstack'
472 ....
473
OlgaGusarenko9dd01c92018-07-31 00:49:30 +0300474Nova with ephemeral configured with Ceph:
maxstack39e6aca2016-05-04 13:50:13 +0000475
476.. code-block:: yaml
477
478 nova:
479 compute:
480 enabled: true
481 ...
482 ceph:
483 ephemeral: yes
484 rbd_pool: nova
485 rbd_user: nova
486 secret_uuid: 03006edd-d957-40a3-ac4c-26cd254b3731
Kalynovskyi0bc79692017-07-21 16:22:09 +0300487 ....
maxstack39e6aca2016-05-04 13:50:13 +0000488
OlgaGusarenko9dd01c92018-07-31 00:49:30 +0300489Nova with ephemeral configured with LVM:
Kalynovskyi0bc79692017-07-21 16:22:09 +0300490
491.. code-block:: yaml
492
493 nova:
494 compute:
495 enabled: true
496 ...
497 lvm:
498 ephemeral: yes
499 images_volume_group: nova_vg
500
501 linux:
502 storage:
503 lvm:
504 nova_vg:
505 name: nova_vg
506 devices:
507 - /dev/sdf
508 - /dev/sdd
509 - /dev/sdg
510 - /dev/sde
511 - /dev/sdc
512 - /dev/sdj
513 - /dev/sdh
maxstack39e6aca2016-05-04 13:50:13 +0000514
OlgaGusarenko9dd01c92018-07-31 00:49:30 +0300515Enable Barbican integration:
Oleg Iurchenko370c10d2017-10-19 14:03:37 +0300516
517.. code-block:: yaml
518
519 nova:
520 compute:
521 ....
522 barbican:
523 enabled: true
524
Oleksandr Pidrepnyi14f08272019-02-20 12:48:17 +0200525Define aliases for PCI passthrough devices:

Oleh Hryhorovf5093b82018-10-17 11:16:08 +0000526.. code-block:: yaml
527
528 nova:
529 compute:
530 ...
531 pci:
532 alias:
533 alias1:
534 device_type: "type-PF"
535 name: "a1"
536 product_id: "154d"
537 vendor_id: "8086"
538
Oleksandr Pidrepnyi14f08272019-02-20 12:48:17 +0200539Define the whitelist of PCI devices available to VMs:

540.. code-block:: yaml
541
542 nova:
543 compute:
544 ...
545 pci:
546 passthrough_whitelist:
547 - vendor_id: "10de"
548 product_id: "1db4"
549
OlgaGusarenko9dd01c92018-07-31 00:49:30 +0300550Nova metadata custom bindings:
Vasyl Saienko2d591282018-02-05 14:19:02 +0200551
552.. code-block:: yaml
553
554 nova:
555 controller:
556 enabled: true
557 ...
558 metadata:
559 bind:
560 address: 1.2.3.4
561 port: 8776
562
Oleh Hryhorov08482aa2018-11-19 14:07:47 +0200563Define multipath for nova compute:
564
565.. code-block:: yaml
566
567 nova:
568 compute:
569 ....
570 libvirt:
571 volume_use_multipath: True
572
Oleh Hryhorovce1f2142019-03-06 17:00:00 +0000573To enable or disable StrictHostKeyChecking and to discover the
574compute nodes' host-key fingerprints, use the pillar below. Disabling
StrictHostKeyChecking turns off SSH host-key verification, so keep it
enabled where possible and collect the fingerprints with ``discover_compute_hosts``:
575
576.. code-block:: yaml
577
578 nova:
579 compute:
580 ....
581 openssh:
582 stricthostkeychecking: True
583 discover_compute_hosts: True
584
Jiri Broulik0ce9fc92017-02-01 23:10:40 +0100585Client role
586-----------
587
OlgaGusarenko9dd01c92018-07-31 00:49:30 +0300588Nova configured with NFS:
Dmitry Stremkovskiy665c7282017-07-05 17:36:27 +0300589
590.. code-block:: yaml
591
592 nova:
593 compute:
594 instances_path: /mnt/nova/instances
595
596 linux:
597 storage:
598 enabled: true
599 mount:
600 nfs_nova:
601 enabled: true
602 path: ${nova:compute:instances_path}
603 device: 172.31.35.145:/data
604 file_system: nfs
605 opts: rw,vers=3
606
OlgaGusarenko9dd01c92018-07-31 00:49:30 +0300607Nova flavors:
Jiri Broulik0ce9fc92017-02-01 23:10:40 +0100608
609.. code-block:: yaml
610
611 nova:
612 client:
613 enabled: true
Dzmitry Stremkouskib202adb2019-11-22 20:14:21 +0100614 resources:
615 v21:
616 admin_identity:
617 endpoint_type: internalURL
618 flavor:
619 flavor1:
620 flavor_id: 10
621 ram: 4096
622 disk: 10
623 vcpus: 1
624 flavor2:
625 flavor_id: auto
626 ram: 4096
627 disk: 20
628 vcpus: 2
Jiri Broulik0ce9fc92017-02-01 23:10:40 +0100629
OlgaGusarenko9dd01c92018-07-31 00:49:30 +0300630Availability zones:
Jiri Broulik70d9e3f2017-02-15 18:37:13 +0100631
632.. code-block:: yaml
633
634 nova:
635 client:
636 enabled: true
637 server:
638 identity:
639 availability_zones:
640 - availability_zone_01
641 - availability_zone_02
642
OlgaGusarenko9dd01c92018-07-31 00:49:30 +0300643Aggregates:
Damian Szeluga5dca0f02017-04-13 17:27:15 +0200644
645.. code-block:: yaml
646
647 nova:
648 client:
649 enabled: true
Dzmitry Stremkouskib202adb2019-11-22 20:14:21 +0100650 resources:
651 v21:
652 admin_identity:
653 aggregates:
654 aggregate1: {}
655 aggregate2:
656 metadata: "..."
Damian Szeluga5dca0f02017-04-13 17:27:15 +0200657
OlgaGusarenko9dd01c92018-07-31 00:49:30 +0300658Upgrade levels:
Dmitry Stremkovskiy91f45852017-07-18 16:22:31 +0300659
660.. code-block:: yaml
661
662 nova:
663 controller:
664 upgrade_levels:
665 compute: juno
666
667 nova:
668 compute:
669 upgrade_levels:
670 compute: juno
671
Petr Jedinýd855ef22017-03-06 22:24:33 +0100672SR-IOV
Jakub Pavlik39a05942017-02-13 23:03:08 +0100673------
674
OlgaGusarenko9dd01c92018-07-31 00:49:30 +0300675Add ``PciPassthroughFilter`` into scheduler filters and NICs on
676specific compute nodes:
Jakub Pavlik39a05942017-02-13 23:03:08 +0100677
678.. code-block:: yaml
679
680 nova:
681 controller:
682 sriov: true
sandriichenko4fe321d2018-01-22 17:34:06 +0000683 scheduler_default_filters: "DifferentHostFilter,SameHostFilter,RetryFilter,AvailabilityZoneFilter,RamFilter,CoreFilter,DiskFilter,ComputeFilter,ComputeCapabilitiesFilter,ImagePropertiesFilter,ServerGroupAntiAffinityFilter,ServerGroupAffinityFilter,PciPassthroughFilter"
Jakub Pavlik39a05942017-02-13 23:03:08 +0100684
685 nova:
686 compute:
687 sriov:
688 nic_one:
689 devname: eth1
690 physical_network: physnet1
691
Oleh Hryhorovf5093b82018-10-17 11:16:08 +0000692.. note:: Parameters located under ``nova:compute:sriov:<nic_name>`` are copied into the ``passthrough_whitelist``
693 parameter of ``nova.conf`` in the appropriate format.
694
Jakub Pavlik26fb85c2017-02-16 22:29:22 +0100695CPU pinning & Hugepages
696-----------------------
697
OlgaGusarenko9dd01c92018-07-31 00:49:30 +0300698CPU pinning of virtual machine instances to dedicated physical
699CPU cores. Hugepages mount point for libvirt.
Jakub Pavlik26fb85c2017-02-16 22:29:22 +0100700
701.. code-block:: yaml
702
703 nova:
704 controller:
sandriichenko4fe321d2018-01-22 17:34:06 +0000705 scheduler_default_filters: "DifferentHostFilter,SameHostFilter,RetryFilter,AvailabilityZoneFilter,RamFilter,CoreFilter,DiskFilter,ComputeFilter,ComputeCapabilitiesFilter,ImagePropertiesFilter,ServerGroupAntiAffinityFilter,ServerGroupAffinityFilter,NUMATopologyFilter,AggregateInstanceExtraSpecsFilter"
Jakub Pavlik26fb85c2017-02-16 22:29:22 +0100706
707 nova:
708 compute:
709 vcpu_pin_set: 2,3,4,5
710 hugepages:
711 mount_points:
712 - path: /mnt/hugepages_1GB
713 - path: /mnt/hugepages_2MB
Jiri Broulik0ce9fc92017-02-01 23:10:40 +0100714
Michel Nederlof171c7ac2017-04-13 12:54:14 +0200715Custom Scheduler filters
716------------------------
717
OlgaGusarenko9dd01c92018-07-31 00:49:30 +0300718If you have a custom filter that needs to be included in the
719scheduler, you can include it like so:
Michel Nederlof171c7ac2017-04-13 12:54:14 +0200720
721.. code-block:: yaml
722
723 nova:
724 controller:
725 scheduler_custom_filters:
726 - my_custom_driver.nova.scheduler.filters.my_custom_filter.MyCustomFilter
727
728 # Then add your custom filter on the end (make sure to include all other ones that you need as well)
sandriichenko4fe321d2018-01-22 17:34:06 +0000729 scheduler_default_filters: "DifferentHostFilter,SameHostFilter,RetryFilter,AvailabilityZoneFilter,RamFilter,CoreFilter,DiskFilter,ComputeFilter,ComputeCapabilitiesFilter,ImagePropertiesFilter,ServerGroupAntiAffinityFilter,ServerGroupAffinityFilter,PciPassthroughFilter,MyCustomFilter"
Michel Nederlof171c7ac2017-04-13 12:54:14 +0200730
Michael Polenchuk2bce2cb2018-09-17 16:05:43 +0400731 # Since Queens version a sequence could be used as well:
732 ~scheduler_default_filters:
733 - DifferentHostFilter
734 - SameHostFilter
735 ...
736 - MyCustomFilter
737
738
Michel Nederlofeb566f62017-04-21 15:37:47 +0200739Hardware Trim/Unmap Support
740---------------------------
741
OlgaGusarenko9dd01c92018-07-31 00:49:30 +0300742To enable TRIM support for ephemeral images (through nova-managed
743images), libvirt has this option:
Michel Nederlofeb566f62017-04-21 15:37:47 +0200744
745.. code-block:: yaml
746
747 nova:
748 compute:
749 libvirt:
750 hw_disk_discard: unmap
751
OlgaGusarenko9dd01c92018-07-31 00:49:30 +0300752To actually utilize this feature, the following metadata must be
753set on the image as well, so that SCSI unmap is supported:
Michel Nederlofeb566f62017-04-21 15:37:47 +0200754
755.. code-block:: bash
756
757 glance image-update --property hw_scsi_model=virtio-scsi <image>
758 glance image-update --property hw_disk_bus=scsi <image>
Filip Pytloun5bc9e9f2017-02-02 13:05:40 +0100759
Thom Gerdesf582f1e2017-05-02 18:05:50 +0000760Scheduler Host Manager
761----------------------
762
763Specify a custom host manager.
764
Thom Gerdesec00afd2017-04-07 18:06:59 +0000765libvirt CPU mode
766----------------
767
OlgaGusarenko9dd01c92018-07-31 00:49:30 +0300768Allow setting the CPU model that is exposed to a VM. This
769allows for better support of live migration between hypervisors with
770different hardware, among other things. Defaults to host-passthrough.
Jakub Pavlik7046b9c2017-09-19 12:04:19 +0200771
Thom Gerdesf582f1e2017-05-02 18:05:50 +0000772.. code-block:: yaml
773
774 nova:
775 controller:
776 scheduler_host_manager: ironic_host_manager
777
Thom Gerdesec00afd2017-04-07 18:06:59 +0000778 compute:
779 cpu_mode: host-model
780
Dzmitry Stremkouski7da9bf12018-04-25 22:30:37 +0200781Nova compute cpu model
782----------------------
783
784.. code-block:: yaml
785
786 nova:
787 compute:
788 cpu_mode: custom
789 libvirt:
790 cpu_model: IvyBridge
791
Oleksandr Pidrepnyid9020082019-03-04 19:18:19 +0200792RNG (Random Number Generator) device path
793-----------------------------------------
794
795The path to an RNG (Random Number Generator) device that will be used
796as the source of entropy on the host.
797The recommended source of entropy is /dev/urandom.
798Permitted options are: /dev/random, /dev/urandom or /dev/hwrng.
799Default: /dev/urandom
800
801.. code-block:: yaml
802
803 nova:
804 controller:
805 libvirt:
806 rng_dev_path: /dev/random
807
808 compute:
809 libvirt:
810 rng_dev_path: /dev/random
811
Dzmitry Stremkouski7da9bf12018-04-25 22:30:37 +0200812
Michel Nederloff7eefb22017-07-10 11:14:33 +0200813Nova compute workarounds
814------------------------
815
OlgaGusarenko9dd01c92018-07-31 00:49:30 +0300816Live snapshotting is disabled by default in nova. To enable
817this, it needs a manual switch.
Michel Nederloff7eefb22017-07-10 11:14:33 +0200818
819From the manual:
820
821.. code-block:: text
822
OlgaGusarenko9dd01c92018-07-31 00:49:30 +0300823 When using libvirt 1.2.2 live snapshots fail intermittently under load
824 (likely related to concurrent libvirt/qemu operations). This config
825 option provides a mechanism to disable live snapshot, in favor of cold
826 snapshot, while this is resolved. Cold snapshot causes an instance
827 outage while the guest is going through the snapshotting process.
828
829 For more information, refer to the bug report:
830
831 https://bugs.launchpad.net/nova/+bug/1334398
Michel Nederloff7eefb22017-07-10 11:14:33 +0200832
833Configurable pillar data:
834
835.. code-block:: yaml
836
837 nova:
838 compute:
Michel Nederlofe322ebb2017-07-10 12:29:21 +0200839 workaround:
Michel Nederloff7eefb22017-07-10 11:14:33 +0200840 disable_libvirt_livesnapshot: False
841
Michel Nederlofb51a5142017-06-27 08:31:35 +0200842Config drive options
843--------------------
844
OlgaGusarenko9dd01c92018-07-31 00:49:30 +0300845See example below on how to configure the options for the
846config drive:
Michel Nederlofb51a5142017-06-27 08:31:35 +0200847
848.. code-block:: yaml
849
850 nova:
851 compute:
852 config_drive:
853 forced: True # Default: True
854 cdrom: True # Default: False
855 format: iso9660 # Default: vfat
856 inject_password: False # Default: False
857
Michel Nederloff81919b2017-11-20 09:37:07 +0100858Number of concurrent live migrates
859----------------------------------
860
OlgaGusarenko9dd01c92018-07-31 00:49:30 +0300861The default is to have no concurrent live migrations (i.e. one
862live migration at a time).
Michel Nederloff81919b2017-11-20 09:37:07 +0100863
OlgaGusarenko9dd01c92018-07-31 00:49:30 +0300864Excerpt from config options page
865https://docs.openstack.org/ocata/config-reference/compute/config-options.html:
Michel Nederloff81919b2017-11-20 09:37:07 +0100866
OlgaGusarenko9dd01c92018-07-31 00:49:30 +0300867Maximum number of live migrations to run concurrently. This limit is
868enforced to avoid outbound live migrations overwhelming the host/network
869and causing failures. It is not recommended that you change this unless
870you are very sure that doing so is safe and stable in your environment.
Michel Nederloff81919b2017-11-20 09:37:07 +0100871
OlgaGusarenko9dd01c92018-07-31 00:49:30 +0300872Possible values:
Michel Nederloff81919b2017-11-20 09:37:07 +0100873
OlgaGusarenko9dd01c92018-07-31 00:49:30 +0300874- 0 : treated as unlimited.
875- Negative value defaults to 0.
876- Any positive integer representing maximum number of live migrations
877 to run concurrently.
Michel Nederloff81919b2017-11-20 09:37:07 +0100878
879To configure this option:
880
881.. code-block:: yaml
882
883 nova:
884 compute:
885 max_concurrent_live_migrations: 1 # (1 is the default)
886
Sergio Lystopad9d31cba2018-05-15 11:29:11 +0300887Live migration with auto converge
888----------------------------------
889
OlgaGusarenko9dd01c92018-07-31 00:49:30 +0300890Auto converge throttles down the CPU if the progress of an on-going live
891migration is slow; see
892https://docs.openstack.org/ocata/config-reference/compute/config-options.html:
Sergio Lystopad9d31cba2018-05-15 11:29:11 +0300893
894.. code-block:: yaml
895
896 nova:
897 compute:
898 libvirt:
899 live_migration_permit_auto_converge: False # (False is the default)
900
901.. code-block:: yaml
902
903 nova:
904 controller:
905 libvirt:
906 live_migration_permit_auto_converge: False # (False is the default)
907
Dmitry Kalashnike58fe082017-12-01 16:31:14 +0400908Enhanced logging with logging.conf
909----------------------------------
910
OlgaGusarenko9dd01c92018-07-31 00:49:30 +0300911By default ``logging.conf`` is disabled.
Dmitry Kalashnike58fe082017-12-01 16:31:14 +0400912
913It is possible to enable a per-binary ``logging.conf`` with the following variables:
Dmitry Kalashnike58fe082017-12-01 16:31:14 +0400914
OlgaGusarenko9dd01c92018-07-31 00:49:30 +0300915* ``openstack_log_appender``
916 Set to true to enable log_config_append for all OpenStack services
917
918* ``openstack_fluentd_handler_enabled``
919 Set to true to enable FluentHandler for all Openstack services
920
921* ``openstack_ossyslog_handler_enabled``
922 Set to true to enable OSSysLogHandler for all Openstack services
923
924Only ``WatchedFileHandler``, ``OSSysLogHandler``, and ``FluentHandler``
925are available.
Dmitry Kalashnike58fe082017-12-01 16:31:14 +0400926
Dmitry Kalashnik8da249c2018-01-16 17:58:00 +0400927Also it is possible to configure this with pillar:
Dmitry Kalashnike58fe082017-12-01 16:31:14 +0400928
929.. code-block:: yaml
930
931 nova:
932 controller:
933 logging:
934 log_appender: true
935 log_handlers:
936 watchedfile:
937 enabled: true
938 fluentd:
939 enabled: true
Oleksii Chupryn99e35032018-02-06 01:59:40 +0200940 ossyslog:
941 enabled: true
Dmitry Kalashnike58fe082017-12-01 16:31:14 +0400942
943 compute:
944 logging:
945 log_appender: true
946 log_handlers:
947 watchedfile:
948 enabled: true
949 fluentd:
950 enabled: true
Oleksii Chupryn99e35032018-02-06 01:59:40 +0200951 ossyslog:
952 enabled: true
Thom Gerdesf582f1e2017-05-02 18:05:50 +0000953
Vasyl Saienko7243a952018-05-11 21:26:54 +0300954The log level might be configured per logger by using the
955following pillar structure:
956
957.. code-block:: yaml
958
959 nova:
960 compute:
961 logging:
962 loggers:
963 <logger_name>:
964 level: WARNING
965
966 nova:
967 compute:
968 logging:
969 loggers:
970 <logger_name>:
971 level: WARNING
972
Oleh Hryhorove38525d2018-05-15 08:58:59 +0000973Configure syslog parameters for libvirtd
974----------------------------------------
975
OlgaGusarenko9dd01c92018-07-31 00:49:30 +0300976To configure syslog parameters for libvirtd, use the pillar structure
977below with values that libvirtd supports. These values can be found in
Oleh Hryhorove38525d2018-05-15 08:58:59 +0000978the libvirtd documentation.
979
OlgaGusarenko9dd01c92018-07-31 00:49:30 +0300980.. code-block:: yaml
981
Oleh Hryhorove38525d2018-05-15 08:58:59 +0000982 nova:
983 compute:
984 libvirt:
985 logging:
986 level: 3
987 filters: '3:remote 4:event'
988 outputs: '3:syslog:libvirtd'
989 buffer_size: 64
990
OlgaGusarenko9dd01c92018-07-31 00:49:30 +0300991Logging controls:
Oleh Hryhorove38525d2018-05-15 08:58:59 +0000992
Logging level: ``4`` errors, ``3`` warnings, ``2`` information, ``1`` debug;
``1`` will log everything possible. Example: ``log_level = 3``
Oleh Hryhorove38525d2018-05-15 08:58:59 +0000995
OlgaGusarenko9dd01c92018-07-31 00:49:30 +0300996Logging filters:
Oleh Hryhorove38525d2018-05-15 08:58:59 +0000997
A filter allows selecting a different logging level for a given category
of logs.
Oleh Hryhorove38525d2018-05-15 08:58:59 +00001000
OlgaGusarenko9dd01c92018-07-31 00:49:30 +03001001The format for a filter is one of:
Oleh Hryhorove38525d2018-05-15 08:58:59 +00001002
OlgaGusarenko9dd01c92018-07-31 00:49:30 +03001003* ``x:name``
1004* ``x:+name``
1005 where name is a string which is matched against source file name,
1006 e.g., ``remote``, ``qemu``, or ``util/json``, the optional ``+`` prefix
1007 tells libvirt to log stack trace for each message matching name,
1008 and x is the minimal level where matching messages should be logged:
Oleh Hryhorove38525d2018-05-15 08:58:59 +00001009
OlgaGusarenko9dd01c92018-07-31 00:49:30 +03001010* ``1: DEBUG``
1011* ``2: INFO``
1012* ``3: WARNING``
1013* ``4: ERROR``
1014
Multiple filters can be defined in a single ``filters`` value; they just
need to be separated by spaces.
1017
For example, to only get warnings or errors from the remote layer
and only errors from the event layer: ``log_filters="3:remote 4:event"``
1020
1021Logging outputs:
1022
An output is one of the places to save logging information.
The format for an output can be:
1025
1026* ``x:stderr``
1027 Output goes to stderr
1028
1029* ``x:syslog:name``
1030 Use syslog for the output and use the given name as the ident
1031
1032* ``x:file:file_path``
 Output goes to a file, with the given file path
1034
 In all cases the ``x`` prefix is the minimal level, acting as a filter
1036
1037* ``1: DEBUG``
1038* ``2: INFO``
1039* ``3: WARNING``
1040* ``4: ERROR``
1041
Multiple outputs can be defined; they just need to be separated by spaces.
For example, to log all warnings and errors to syslog under the ``libvirtd``
ident: ``log_outputs="3:syslog:libvirtd"``
1045
Log debug buffer size (default ``64``):
The daemon keeps an internal debug log buffer which will be dumped
in case of a crash or upon receiving a ``SIGUSR2`` signal. This setting
overrides the default buffer size in kilobytes.
If the value is ``0`` or less, the debug log buffer is deactivated.
Example: ``log_buffer_size = 64``
1052
1053To configure the logging parameters for QEMU, the below pillar
1054structure and logging parameters should be used:
1055
1056.. code-block:: yaml
1057
1058 nova:
1059 compute:
1060 qemu:
1061 logging:
1062 handler: logd
1063 virtlog:
1064 enabled: true
1065 level: 4
1066 filters: '3:remote 3:event'
1067 outputs: '4:syslog:virtlogd'
1068 max_clients: 512
1069 max_size: 2097100
1070 max_backups: 2
Oleh Hryhorove38525d2018-05-15 08:58:59 +00001071
Oleksandr Shyshko981b4fa2018-05-02 15:39:30 +03001072Inject password to VM
1073---------------------
1074
By default nova blocks any injection into a VM because the
``inject_partition`` parameter is equal to ``-2``.
If you want to inject a password into a VM, you need to
set ``inject_partition`` to a value greater than or equal to ``-1`` and
set ``inject_password`` to ``True``.
Oleksandr Shyshko981b4fa2018-05-02 15:39:30 +03001080
1081For example:
1082
OlgaGusarenko9dd01c92018-07-31 00:49:30 +03001083.. code-block:: yaml
1084
Oleksandr Shyshko981b4fa2018-05-02 15:39:30 +03001085 nova:
1086 compute:
1087 inject_partition: '-1'
1088 inject_password: True
1089
``inject_password`` allows the injection of an admin password for an instance only
during the ``create`` and ``rebuild`` processes.
1092
There is no agent needed within the image to do this. If *libguestfs* is
available on the host, it will be used; otherwise *nbd* is used. The file
system of the image will be mounted on the host and the admin password, which is
provided in the REST API call, will be injected as the password for the root user.
If no root user is available, the instance won't be launched and an error is thrown.
Because the host mounts and modifies the guest's file system, enable this only for
images you trust. Be aware that the injection is *not* possible when the instance
gets launched from a volume.
1100
1101Possible values:
1102
1103* ``True``
1104 Allows the injection
1105
1106* ``False`` (default)
 Disallows the injection. Any admin password provided via the REST API
 will be silently ignored.
1109
1110Related options:
1111
1112* ``inject_partition``
 Decides about the discovery and usage of the file system;
 it can also disable the injection entirely.
 (integer value, see the values above)
Oleksandr Shyshko981b4fa2018-05-02 15:39:30 +03001116
1117You can read more about injecting the administrator password here:
OlgaGusarenko9dd01c92018-07-31 00:49:30 +03001118https://docs.openstack.org/nova/queens/admin/admin-password-injection.html
Oleksandr Shyshko981b4fa2018-05-02 15:39:30 +03001119
Oleksandr Shyshko1c020d12018-05-24 12:47:08 +03001120Enable libvirt control channel over TLS
OlgaGusarenko9dd01c92018-07-31 00:49:30 +03001121---------------------------------------
Oleksandr Shyshko1c020d12018-05-24 12:47:08 +03001122
1123By default TLS is disabled.
1124
OlgaGusarenko9dd01c92018-07-31 00:49:30 +03001125Enable TLS transport:
1126
1127.. code-block:: yaml
Oleksandr Shyshko1c020d12018-05-24 12:47:08 +03001128
1129 compute:
1130 libvirt:
1131 tls:
1132 enabled: True
1133
You can set custom certificates in the pillar:
1135
OlgaGusarenko9dd01c92018-07-31 00:49:30 +03001136.. code-block:: yaml
1137
Oleksandr Shyshko1c020d12018-05-24 12:47:08 +03001138 nova:
1139 compute:
1140 libvirt:
1141 tls:
1142 key: (certificate content)
1143 cert: (certificate content)
1144 cacert: (certificate content)
1145 client:
1146 key: (certificate content)
1147 cert: (certificate content)
1148
It is possible to limit the allowed SSL/TLS ciphers using libvirt's ``tls_priority``:
1150
1151.. code-block:: yaml
1152
1153 nova:
1154 compute:
1155 libvirt:
1156 tls:
1157 priority: <TLS priority string>
1158
1159Example priority strings are:
1160
- The system-imposed security level:
1162
1163.. code-block:: text
1164
1165 "SYSTEM"
1166
1167- The default priority without the HMAC-MD5:
1168
1169.. code-block:: text
1170
1171 "NORMAL:-MD5"
1172
1173- Specifying RSA with AES-128-CBC:
1174
1175.. code-block:: text
1176
1177 "NONE:+VERS-TLS-ALL:+MAC-ALL:+RSA:+AES-128-CBC:+SIGN-ALL:+COMP-NULL"
1178
- Specifying the defaults plus ARCFOUR-128 (a legacy cipher, shown only to illustrate the syntax):
1180
1181.. code-block:: text
1182
1183 "NORMAL:+ARCFOUR-128"
1184
1185- Enabling the 128-bit secure ciphers, while disabling TLS 1.0:
1186
1187.. code-block:: text
1188
1189 "SECURE128:-VERS-TLS1.0"
1190
1191- Enabling the 128-bit and 192-bit secure ciphers, while disabling all TLS
1192 versions except TLS 1.2:
1193
1194.. code-block:: text
1195
1196 "SECURE128:+SECURE192:-VERS-ALL:+VERS-TLS1.2"
1197
1198More on TLS Priority Strings:
1199
1200- https://gnutls.org/manual/html_node/Priority-Strings.html
1201
Controlling access with ``tls_allowed_dn_list``.
Enables an access control list of client certificate Distinguished Names (DNs)
which can connect to the TLS port on this server. The default is that DNs are
not checked. This list may contain wildcards such as
``"C=GB,ST=London,L=London,O=Libvirt Project,CN=*"``; see the POSIX ``fnmatch``
function for the format of the wildcards.
Note that if this is an empty list, no client can connect.
Note also that GnuTLS returns DNs without spaces after commas between
the fields (and this is what is checked against), but the openssl x509 tool
shows spaces.
1212
1213.. code-block:: yaml
1214
1215 nova:
1216 compute:
1217 libvirt:
1218 tls:
1219 tls_allowed_dn_list:
1220 host1:
1221 enabled: true
1222 value: 'C=foo,CN=cmp1'
1223 host2:
1224 enabled: true
1225 value: 'C=foo,CN=cmp2'
1226
1227
Oleksandr Shyshko1c020d12018-05-24 12:47:08 +03001228You can read more about live migration over TLS here:
OlgaGusarenko9dd01c92018-07-31 00:49:30 +03001229https://wiki.libvirt.org/page/TLSCreateServerCerts
Oleksandr Shyshko981b4fa2018-05-02 15:39:30 +03001230
Enable transport + authentication for VNC over TLS
--------------------------------------------------

Only for Queens. This covers communication between the noVNC proxy service and QEMU.

By default communication between nova-novncproxy and the qemu service is not secured.
1236
.. code-block:: yaml

    compute:
      qemu:
        vnc:
          tls:
            enabled: True

    controller:
      novncproxy:
        # This section is responsible for communication between the noVNC proxy and the client machine
        tls:
          enabled: True
        # This section is responsible for communication between nova-novncproxy and the qemu service
        vencrypt:
          tls:
            enabled: True
Oleksandr Shyshko1195fca2018-07-09 18:22:59 +03001252
You can set custom certificates in the pillar:
1254
.. code-block:: yaml

    nova:
      compute:
        qemu:
          vnc:
            tls:
              cacert: (certificate content)
              cert: (certificate content)
              key: (certificate content)
1263
.. code-block:: yaml

    nova:
      controller:
        novncproxy:
          tls:
            server:
              cert: (certificate content)
              key: (certificate content)
          vencrypt:
            tls:
              cacert: (certificate content)
              cert: (certificate content)
              key: (certificate content)
1276
1277
1278You can read more about it here:
1279 https://docs.openstack.org/nova/queens/admin/remote-console-access.html
1280
Enable communication between noVNC proxy and client machine over TLS
--------------------------------------------------------------------

By default communication between the noVNC proxy and the client machine is not secured.
1285
.. code-block:: yaml

    controller:
      novncproxy:
        tls:
          enabled: True
Oleksandr Shyshko1195fca2018-07-09 18:22:59 +03001290
.. code-block:: yaml

    nova:
      controller:
        novncproxy:
          tls:
            server:
              cert: (certificate content)
              key: (certificate content)
Oleksandr Shyshko1195fca2018-07-09 18:22:59 +03001298
1299You can read more about it here:
Oleksandr Shyshkod8337cf2018-07-11 17:55:58 +03001300 https://docs.openstack.org/mitaka/config-reference/dashboard/configure.html
Oleksandr Shyshko1195fca2018-07-09 18:22:59 +03001301
Enable x509 and SSL communication between Nova and the Galera cluster
---------------------------------------------------------------------

By default communication between Nova and Galera is not secured.
1305
.. code-block:: yaml

    nova:
      controller:
        database:
          x509:
            enabled: True
1311
You can set custom certificates in the pillar:
Oleksandr Shyshko55eeac72018-08-03 18:23:28 +03001313
.. code-block:: yaml

    nova:
      controller:
        database:
          x509:
            cacert: (certificate content)
            cert: (certificate content)
            key: (certificate content)
Oleksandr Shyshko55eeac72018-08-03 18:23:28 +03001321
1322You can read more about it here:
1323 https://docs.openstack.org/security-guide/databases/database-access-control.html
1324
Config option to use the nova-api service behind a proxy (only Mitaka)
----------------------------------------------------------------------

The HTTP header that will be used to determine what the original request protocol
scheme was, even if it was hidden by an SSL termination proxy. Set this only when such
a proxy is in place and sets the header itself; otherwise a client-supplied header value
would be trusted.
1329
.. code-block:: yaml

    nova:
      controller:
        secure_proxy_ssl_header: HTTP_X_FORWARDED_PROTO
1333
1334You can read more about it here:
1335 https://docs.openstack.org/mitaka/config-reference/compute/config-options.html
1336
Nova database connection setup
==============================
1339
1340.. code-block:: yaml
1341
1342 nova:
1343 controller:
1344 enabled: True
1345 ...
1346 database:
1347 idle_timeout: 180
1348 min_pool_size: 100
1349 max_pool_size: 700
1350 max_overflow: 100
1351 retry_interval: 5
1352 max_retries: '-1'
1353 db_max_retries: 3
1354 db_retry_interval: 1
1355 connection_debug: 10
1356 pool_timeout: 120
1357
Oleksandr Bryndzii6d821f52019-02-20 15:51:15 +02001358
Configure nova to use service user tokens
=========================================

Long-running operations such as live migration or snapshot can sometimes overrun the
expiry of the user token. In such cases, post operations such as cleaning up after a
live migration can fail when the nova-compute service needs to clean up resources in
other services, such as in the block-storage (cinder) or networking (neutron) services.

This option enables nova to use service user tokens to supplement the regular user token
used to initiate the operation. The identity service (keystone) will then authenticate
a request using the service user token if the user token has already expired.
1369
1370.. code-block:: yaml
1371
1372 nova:
1373 controller:
1374 enabled: True
1375 ...
1376 service_user:
1377 enabled: True
1378 user_domain_id: default
1379 project_domain_id: default
1380 project_name: service
1381 username: nova
1382 password: pswd
1383
Change default resource quotas using configmap template settings
================================================================
1386
1387.. code-block:: yaml
1388
1389 nova:
1390 controller:
1391 configmap:
1392 quota:
1393 instances: 10
1394 cores: 20
1395 ram: 51200
1396 metadata_items: 128
1397 injected_files: 5
1398 injected_file_content_bytes: 10240
1399 injected_file_path_length: 255
1400 key_pairs: 100
1401 server_groups: 10
1402 server_group_members: 10
1403 reservation_expire: 86400
1404 until_refresh: 0
1405 max_age: 0
1406
Set use_db_reconnect for Nova
=============================
1409
1410.. code-block:: yaml
1411
1412 nova:
1413 controller:
1414 database:
1415 use_db_reconnect: true
1416
1417.. code-block:: yaml
1418
1419 nova:
1420 compute:
1421 database:
1422 use_db_reconnect: true
1423
Oleh Hryhorov63ee8452018-08-14 09:16:02 +00001424Upgrades
1425========
1426
Each OpenStack formula provides a set of phases (logical blocks) that help to
build flexible upgrade orchestration logic for particular components. The list
of phases and their descriptions is given in the table below:
1430
1431+-------------------------------+------------------------------------------------------+
1432| State | Description |
1433+===============================+======================================================+
1434| <app>.upgrade.service_running | Ensure that all services for particular application |
1435| | are enabled for autostart and running |
1436+-------------------------------+------------------------------------------------------+
1437| <app>.upgrade.service_stopped | Ensure that all services for particular application |
1438| | disabled for autostart and dead |
1439+-------------------------------+------------------------------------------------------+
1440| <app>.upgrade.pkgs_latest | Ensure that packages used by particular application |
1441| | are installed to latest available version. |
1442| | This will not upgrade data plane packages like qemu |
1443| | and openvswitch as usually minimal required version |
1444| | in openstack services is really old. The data plane |
1445| | packages should be upgraded separately by `apt-get |
1446| | upgrade` or `apt-get dist-upgrade` |
1447| | Applying this state will not autostart service. |
1448+-------------------------------+------------------------------------------------------+
| <app>.upgrade.render_config | Ensure configuration is rendered for the actual version. |
1450+-------------------------------+------------------------------------------------------+
1451| <app>.upgrade.pre | We assume this state is applied on all nodes in the |
1452| | cloud before running upgrade. |
1453| | Only non destructive actions will be applied during |
1454| | this phase. Perform service built in service check |
1455| | like (keystone-manage doctor and nova-status upgrade)|
1456+-------------------------------+------------------------------------------------------+
1457| <app>.upgrade.upgrade.pre | Mostly applicable for data plane nodes. During this |
1458| | phase resources will be gracefully removed from |
1459| | current node if it is allowed. Services for upgraded |
1460| | application will be set to admin disabled state to |
1461| | make sure node will not participate in resources |
1462| | scheduling. For example on gtw nodes this will set |
1463| | all agents to admin disable state and will move all |
1464| | routers to other agents. |
1465+-------------------------------+------------------------------------------------------+
1466| <app>.upgrade.upgrade | This state will basically upgrade application on |
1467| | particular target. Stop services, render |
1468| | configuration, install new packages, run offline |
1469| | dbsync (for ctl), start services. Data plane should |
1470| | not be affected, only OpenStack python services. |
1471+-------------------------------+------------------------------------------------------+
1472| <app>.upgrade.upgrade.post | Add services back to scheduling. |
1473+-------------------------------+------------------------------------------------------+
1474| <app>.upgrade.post | This phase should be launched only when upgrade of |
1475| | the cloud is completed. Cleanup temporary files, |
1476| | perform other post upgrade tasks. |
1477+-------------------------------+------------------------------------------------------+
1478| <app>.upgrade.verify | Here we will do basic health checks (API CRUD |
1479| | operations, verify do not have dead network |
1480| | agents/compute services) |
1481+-------------------------------+------------------------------------------------------+
Oleksandr Pidrepnyi60df8722019-06-07 16:18:11 +03001482
1483
Don't manage service scheduling during upgrade
----------------------------------------------

For some special cases, do not manage service scheduling (neither disabling nor enabling)
before and after the upgrade procedure.

If ``manage_service_maintenance: true`` or the key is not present (the default behavior),
services are disabled before the upgrade and enabled after it.
If ``manage_service_maintenance: false``, the upgraded services are neither disabled nor
enabled for scheduling before and after the upgrade.
1492scheduling before and after upgrade.
1493
1494.. code-block:: yaml
1495
1496 nova:
1497 upgrade:
1498 manage_service_maintenance: false