ironic-inspector/ironic_inspector/conf.py
Yuiko Takada 52ef561c9f Use rootwrap to execute iptables instead of requiring root
This patch set adds support for rootwrap in order to execute iptables.

Co-Authored-By: Dmitry Tantsur <dtantsur@redhat.com>
Change-Id: I7c424c17222f119730b8c5ac0daafd9906282e4d
Closes-bug: #1495844
2015-09-23 13:27:15 +02:00

274 lines
12 KiB
Python

# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
# implied.
# See the License for the specific language governing permissions and
# limitations under the License.
from oslo_config import cfg
VALID_ADD_PORTS_VALUES = ('all', 'active', 'pxe')
VALID_KEEP_PORTS_VALUES = ('all', 'present', 'added')
VALID_STORE_DATA_VALUES = ('none', 'swift')
IRONIC_OPTS = [
cfg.StrOpt('os_auth_url',
default='',
help='Keystone authentication endpoint for accessing Ironic '
'API. Use [keystone_authtoken]/auth_uri for keystone '
'authentication.',
deprecated_group='discoverd'),
cfg.StrOpt('os_username',
default='',
help='User name for accessing Ironic API. '
'Use [keystone_authtoken]/admin_user for keystone '
'authentication.',
deprecated_group='discoverd'),
cfg.StrOpt('os_password',
default='',
help='Password for accessing Ironic API. '
'Use [keystone_authtoken]/admin_password for keystone '
'authentication.',
secret=True,
deprecated_group='discoverd'),
cfg.StrOpt('os_tenant_name',
default='',
help='Tenant name for accessing Ironic API. '
'Use [keystone_authtoken]/admin_tenant_name for keystone '
'authentication.',
deprecated_group='discoverd'),
cfg.StrOpt('identity_uri',
default='',
help='Keystone admin endpoint. '
'DEPRECATED: use [keystone_authtoken]/identity_uri.',
deprecated_group='discoverd',
deprecated_for_removal=True),
cfg.StrOpt('auth_strategy',
default='keystone',
choices=('keystone', 'noauth'),
help='Method to use for authentication: noauth or keystone.'),
cfg.StrOpt('ironic_url',
default='http://localhost:6385/',
help='Ironic API URL, used to set Ironic API URL when '
'auth_strategy option is noauth to work with standalone '
'Ironic without keystone.'),
cfg.StrOpt('os_service_type',
default='baremetal',
help='Ironic service type.'),
cfg.StrOpt('os_endpoint_type',
default='internalURL',
help='Ironic endpoint type.'),
cfg.IntOpt('retry_interval',
default=2,
help='Interval between retries in case of conflict error '
'(HTTP 409).'),
cfg.IntOpt('max_retries',
default=30,
help='Maximum number of retries in case of conflict error '
'(HTTP 409).'),
]
FIREWALL_OPTS = [
cfg.BoolOpt('manage_firewall',
default=True,
help='Whether to manage firewall rules for PXE port.',
deprecated_group='discoverd'),
cfg.StrOpt('dnsmasq_interface',
default='br-ctlplane',
help='Interface on which dnsmasq listens, the default is for '
'VM\'s.',
deprecated_group='discoverd'),
cfg.IntOpt('firewall_update_period',
default=15,
help='Amount of time in seconds, after which repeat periodic '
'update of firewall.',
deprecated_group='discoverd'),
cfg.StrOpt('firewall_chain',
default='ironic-inspector',
help='iptables chain name to use.'),
]
PROCESSING_OPTS = [
cfg.StrOpt('add_ports',
default='pxe',
help='Which MAC addresses to add as ports during '
'introspection. Possible values: '
'all (all MAC addresses), active (MAC addresses of NIC with IP '
'addresses), pxe (only MAC address of NIC node PXE booted '
'from, falls back to "active" if PXE MAC is not supplied '
'by the ramdisk).',
choices=VALID_ADD_PORTS_VALUES,
deprecated_group='discoverd'),
cfg.StrOpt('keep_ports',
default='all',
help='Which ports (already present on a node) to keep after '
'introspection. Possible values: '
'all (do not delete anything), present (keep ports which MACs '
'were present in introspection data), added (keep only MACs '
'that we added during introspection).',
choices=VALID_KEEP_PORTS_VALUES,
deprecated_group='discoverd'),
cfg.BoolOpt('overwrite_existing',
default=True,
help='Whether to overwrite existing values in node database. '
'Disable this option to make introspection a '
'non-destructive operation.',
deprecated_group='discoverd'),
cfg.BoolOpt('enable_setting_ipmi_credentials',
default=False,
help='Whether to enable setting IPMI credentials during '
'introspection. This is an experimental and not well '
'tested feature, use at your own risk.',
deprecated_group='discoverd'),
cfg.StrOpt('default_processing_hooks',
default='ramdisk_error,root_disk_selection,scheduler,'
'validate_interfaces',
help='Comma-separated list of default hooks for processing '
'pipeline. Hook \'scheduler\' updates the node with the '
'minimum properties required by the Nova scheduler. '
'Hook \'validate_interfaces\' ensures that valid NIC '
'data was provided by the ramdisk.'
'Do not exclude these two unless you really know what '
'you\'re doing.'),
cfg.StrOpt('processing_hooks',
default='$default_processing_hooks',
help='Comma-separated list of enabled hooks for processing '
'pipeline. The default for this is '
'$default_processing_hooks, hooks can be added before '
'or after the defaults like this: '
'"prehook,$default_processing_hooks,posthook".',
deprecated_group='discoverd'),
cfg.StrOpt('ramdisk_logs_dir',
help='If set, logs from ramdisk will be stored in this '
'directory.',
deprecated_group='discoverd'),
cfg.BoolOpt('always_store_ramdisk_logs',
default=False,
help='Whether to store ramdisk logs even if it did not return '
'an error message (dependent upon "ramdisk_logs_dir" option '
'being set).',
deprecated_group='discoverd'),
cfg.StrOpt('node_not_found_hook',
default=None,
help='The name of the hook to run when inspector receives '
'inspection information from a node it isn\'t already '
'aware of. This hook is ignored by default.'),
cfg.StrOpt('store_data',
default='none',
choices=VALID_STORE_DATA_VALUES,
help='Method for storing introspection data. If set to \'none'
'\', introspection data will not be stored.'),
cfg.StrOpt('store_data_location',
default=None,
help='Name of the key to store the location of stored data in '
'the extra column of the Ironic database.'),
cfg.BoolOpt('disk_partitioning_spacing',
default=True,
help='Whether to leave 1 GiB of disk size untouched for '
'partitioning. Only has effect when used with the IPA '
'as a ramdisk, for older ramdisk local_gb is '
'calculated on the ramdisk side.'),
]
DISCOVERD_OPTS = [
cfg.StrOpt('database',
default='',
help='SQLite3 database to store nodes under introspection, '
'required. Do not use :memory: here, it won\'t work. '
'DEPRECATED: use [database]/connection.',
deprecated_for_removal=True),
]
SERVICE_OPTS = [
cfg.StrOpt('listen_address',
default='0.0.0.0',
help='IP to listen on.',
deprecated_group='discoverd'),
cfg.IntOpt('listen_port',
default=5050,
help='Port to listen on.',
deprecated_group='discoverd'),
cfg.StrOpt('auth_strategy',
default='keystone',
choices=('keystone', 'noauth'),
help='Authentication method used on the ironic-inspector '
'API. Either "noauth" or "keystone" are currently valid '
'options. "noauth" will disable all authentication.'),
cfg.BoolOpt('authenticate',
default=None,
help='DEPRECATED: use auth_strategy.',
deprecated_group='discoverd',
deprecated_for_removal=True),
cfg.IntOpt('timeout',
default=3600,
help='Timeout after which introspection is considered failed, '
'set to 0 to disable.',
deprecated_group='discoverd'),
cfg.IntOpt('node_status_keep_time',
default=604800,
help='For how much time (in seconds) to keep status '
'information about nodes after introspection was '
'finished for them. Default value is 1 week.',
deprecated_group='discoverd'),
cfg.IntOpt('clean_up_period',
default=60,
help='Amount of time in seconds, after which repeat clean up '
'of timed out nodes and old nodes status information.',
deprecated_group='discoverd'),
cfg.BoolOpt('use_ssl',
default=False,
help='SSL Enabled/Disabled'),
cfg.StrOpt('ssl_cert_path',
default='',
help='Path to SSL certificate'),
cfg.StrOpt('ssl_key_path',
default='',
help='Path to SSL key'),
cfg.IntOpt('max_concurrency',
default=1000,
help='The green thread pool size.'),
cfg.IntOpt('introspection_delay',
default=5,
help='Delay (in seconds) between two introspections.'),
cfg.StrOpt('introspection_delay_drivers',
default='^.*_ssh$',
help='Only node with drivers matching this regular expression '
'will be affected by introspection_delay setting.'),
cfg.ListOpt('ipmi_address_fields',
default=['ilo_address', 'drac_host', 'cimc_address'],
help='Ironic driver_info fields that are equivalent '
'to ipmi_address.'),
cfg.StrOpt('rootwrap_config',
default="/etc/ironic-inspector/rootwrap.conf",
help='Path to the rootwrap configuration file to use for '
'running commands as root'),
]
cfg.CONF.register_opts(SERVICE_OPTS)
cfg.CONF.register_opts(FIREWALL_OPTS, group='firewall')
cfg.CONF.register_opts(PROCESSING_OPTS, group='processing')
cfg.CONF.register_opts(IRONIC_OPTS, group='ironic')
cfg.CONF.register_opts(DISCOVERD_OPTS, group='discoverd')
def list_opts():
return [
('', SERVICE_OPTS),
('firewall', FIREWALL_OPTS),
('ironic', IRONIC_OPTS),
('processing', PROCESSING_OPTS),
('discoverd', DISCOVERD_OPTS),
]