4ff0213e87
This allows multiple instances of inspector to try updating dnsmasq configuration simultaneously. The goal is to be able to (test) run an HA inspector on a single node. A new config option `dnsmasq_pxe_filter.purge_dhcp_hostsdir` is introduced to be able to disable purging of the dhcp hosts directory in case multiple inspector instances are expected to run on the same node. Change-Id: I2f7b8d3172f375cf65e759c9b881fcf41649c2f0 Closes-Bug: #1722267
[DEFAULT]
|
|
|
|
#
|
|
# From ironic_inspector
|
|
#
|
|
|
|
# IP to listen on. (string value)
|
|
#listen_address = 0.0.0.0
|
|
|
|
# Port to listen on. (port value)
|
|
# Minimum value: 0
|
|
# Maximum value: 65535
|
|
#listen_port = 5050
|
|
|
|
# Authentication method used on the ironic-inspector API. Either
|
|
# "noauth" or "keystone" are currently valid options. "noauth" will
|
|
# disable all authentication, so any client that can reach
# listen_address:listen_port can use the API. (string value)
|
|
# Allowed values: keystone, noauth
|
|
#auth_strategy = keystone
|
|
|
|
# Timeout after which introspection is considered failed, set to 0 to
|
|
# disable. (integer value)
|
|
#timeout = 3600
|
|
|
|
# DEPRECATED: For how much time (in seconds) to keep status
|
|
# information about nodes after introspection was finished for them.
|
|
# Set to 0 (the default) to disable the timeout. (integer value)
|
|
# This option is deprecated for removal.
|
|
# Its value may be silently ignored in the future.
|
|
#node_status_keep_time = 0
|
|
|
|
# Amount of time in seconds, after which repeat clean up of timed out
|
|
# nodes and old nodes status information. (integer value)
|
|
#clean_up_period = 60
|
|
|
|
# Whether the API is served over SSL/TLS. (boolean value)
|
|
#use_ssl = false
|
|
|
|
# Path to SSL certificate (string value)
|
|
#ssl_cert_path =
|
|
|
|
# Path to SSL key (string value)
|
|
#ssl_key_path =
|
|
|
|
# The green thread pool size. (integer value)
|
|
# Minimum value: 2
|
|
#max_concurrency = 1000
|
|
|
|
# Delay (in seconds) between two introspections. (integer value)
|
|
#introspection_delay = 5
|
|
|
|
# Ironic driver_info fields that are equivalent to ipmi_address. (list
|
|
# value)
|
|
#ipmi_address_fields = ilo_address,drac_host,drac_address,cimc_address
|
|
|
|
# Path to the rootwrap configuration file to use for running commands
|
|
# as root (string value)
|
|
#rootwrap_config = /etc/ironic-inspector/rootwrap.conf
|
|
|
|
# Limit the number of elements an API list-call returns (integer
|
|
# value)
|
|
# Minimum value: 1
|
|
#api_max_limit = 1000
|
|
|
|
#
|
|
# From oslo.log
|
|
#
|
|
|
|
# If set to true, the logging level will be set to DEBUG instead of
|
|
# the default INFO level. (boolean value)
|
|
# Note: This option can be changed without restarting.
|
|
#debug = false
|
|
|
|
# The name of a logging configuration file. This file is appended to
|
|
# any existing logging configuration files. For details about logging
|
|
# configuration files, see the Python logging module documentation.
|
|
# Note that when logging configuration files are used then all logging
|
|
# configuration is set in the configuration file and other logging
|
|
# configuration options are ignored (for example,
|
|
# logging_context_format_string). (string value)
|
|
# Note: This option can be changed without restarting.
|
|
# Deprecated group/name - [DEFAULT]/log_config
|
|
#log_config_append = <None>
|
|
|
|
# Defines the format string for %(asctime)s in log records. Default:
|
|
# %Y-%m-%d %H:%M:%S. This option is ignored if log_config_append is set.
|
|
# (string value)
|
|
#log_date_format = %Y-%m-%d %H:%M:%S
|
|
|
|
# (Optional) Name of log file to send logging output to. If no default
|
|
# is set, logging will go to stderr as defined by use_stderr. This
|
|
# option is ignored if log_config_append is set. (string value)
|
|
# Deprecated group/name - [DEFAULT]/logfile
|
|
#log_file = <None>
|
|
|
|
# (Optional) The base directory used for relative log_file paths.
|
|
# This option is ignored if log_config_append is set. (string value)
|
|
# Deprecated group/name - [DEFAULT]/logdir
|
|
#log_dir = <None>
|
|
|
|
# Uses logging handler designed to watch file system. When log file is
|
|
# moved or removed this handler will open a new log file with
|
|
# specified path instantaneously. It makes sense only if log_file
|
|
# option is specified and Linux platform is used. This option is
|
|
# ignored if log_config_append is set. (boolean value)
|
|
#watch_log_file = false
|
|
|
|
# Use syslog for logging. Existing syslog format is DEPRECATED and
|
|
# will be changed later to honor RFC5424. This option is ignored if
|
|
# log_config_append is set. (boolean value)
|
|
#use_syslog = false
|
|
|
|
# Enable journald for logging. If running in a systemd environment you
|
|
# may wish to enable journal support. Doing so will use the journal
|
|
# native protocol which includes structured metadata in addition to
|
|
# log messages. This option is ignored if log_config_append is set.
|
|
# (boolean value)
|
|
#use_journal = false
|
|
|
|
# Syslog facility to receive log lines. This option is ignored if
|
|
# log_config_append is set. (string value)
|
|
#syslog_log_facility = LOG_USER
|
|
|
|
# Log output to standard error. This option is ignored if
|
|
# log_config_append is set. (boolean value)
|
|
#use_stderr = false
|
|
|
|
# Format string to use for log messages with context. (string value)
|
|
#logging_context_format_string = %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [%(request_id)s %(user_identity)s] %(instance)s%(message)s
|
|
|
|
# Format string to use for log messages when context is undefined.
|
|
# (string value)
|
|
#logging_default_format_string = %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [-] %(instance)s%(message)s
|
|
|
|
# Additional data to append to log message when logging level for the
|
|
# message is DEBUG. (string value)
|
|
#logging_debug_format_suffix = %(funcName)s %(pathname)s:%(lineno)d
|
|
|
|
# Prefix each line of exception output with this format. (string
|
|
# value)
|
|
#logging_exception_prefix = %(asctime)s.%(msecs)03d %(process)d ERROR %(name)s %(instance)s
|
|
|
|
# Defines the format string for %(user_identity)s that is used in
|
|
# logging_context_format_string. (string value)
|
|
#logging_user_identity_format = %(user)s %(tenant)s %(domain)s %(user_domain)s %(project_domain)s
|
|
|
|
# List of package logging levels in logger=LEVEL pairs. This option is
|
|
# ignored if log_config_append is set. (list value)
|
|
#default_log_levels = sqlalchemy=WARNING,iso8601=WARNING,requests=WARNING,urllib3.connectionpool=WARNING,keystonemiddleware=WARNING,swiftclient=WARNING,keystoneauth=WARNING,ironicclient=WARNING
|
|
|
|
# Enables or disables publication of error events. (boolean value)
|
|
#publish_errors = false
|
|
|
|
# The format for an instance that is passed with the log message.
|
|
# (string value)
|
|
#instance_format = "[instance: %(uuid)s] "
|
|
|
|
# The format for an instance UUID that is passed with the log message.
|
|
# (string value)
|
|
#instance_uuid_format = "[instance: %(uuid)s] "
|
|
|
|
# Interval, number of seconds, of log rate limiting. (integer value)
|
|
#rate_limit_interval = 0
|
|
|
|
# Maximum number of logged messages per rate_limit_interval. (integer
|
|
# value)
|
|
#rate_limit_burst = 0
|
|
|
|
# Log level name used by rate limiting: CRITICAL, ERROR, INFO,
|
|
# WARNING, DEBUG or empty string. Logs with level greater or equal to
|
|
# rate_limit_except_level are not filtered. An empty string means that
|
|
# all levels are filtered. (string value)
|
|
#rate_limit_except_level = CRITICAL
|
|
|
|
# Enables or disables fatal status of deprecations. (boolean value)
|
|
#fatal_deprecations = false
|
|
|
|
|
|
[capabilities]
|
|
|
|
#
|
|
# From ironic_inspector.plugins.capabilities
|
|
#
|
|
|
|
# Whether to store the boot mode (BIOS or UEFI). (boolean value)
|
|
#boot_mode = false
|
|
|
|
# Mapping between a CPU flag and a capability to set if this flag is
|
|
# present. (dict value)
|
|
#cpu_flags = aes:cpu_aes,pdpe1gb:cpu_hugepages_1g,pse:cpu_hugepages,smx:cpu_txt,svm:cpu_vt,vmx:cpu_vt
|
|
|
|
|
|
[cors]
|
|
|
|
#
|
|
# From oslo.middleware.cors
|
|
#
|
|
|
|
# Indicate whether this resource may be shared with the domain
|
|
# received in the requests "origin" header. Format:
|
|
# "<protocol>://<host>[:<port>]", no trailing slash. Example:
|
|
# https://horizon.example.com (list value)
|
|
#allowed_origin = <None>
|
|
|
|
# Indicate that the actual request can include user credentials
|
|
# (boolean value)
|
|
#allow_credentials = true
|
|
|
|
# Indicate which headers are safe to expose to the API. Defaults to
|
|
# HTTP Simple Headers. (list value)
|
|
#expose_headers =
|
|
|
|
# Maximum cache age of CORS preflight requests. (integer value)
|
|
#max_age = 3600
|
|
|
|
# Indicate which methods can be used during the actual request. (list
|
|
# value)
|
|
#allow_methods = GET,POST,PUT,HEAD,PATCH,DELETE,OPTIONS
|
|
|
|
# Indicate which header field names may be used during the actual
|
|
# request. (list value)
|
|
#allow_headers = X-Auth-Token,X-OpenStack-Ironic-Inspector-API-Minimum-Version,X-OpenStack-Ironic-Inspector-API-Maximum-Version,X-OpenStack-Ironic-Inspector-API-Version
|
|
|
|
|
|
[database]
|
|
|
|
#
|
|
# From oslo.db
|
|
#
|
|
|
|
# If True, SQLite uses synchronous mode. (boolean value)
|
|
#sqlite_synchronous = true
|
|
|
|
# The back end to use for the database. (string value)
|
|
# Deprecated group/name - [DEFAULT]/db_backend
|
|
#backend = sqlalchemy
|
|
|
|
# The SQLAlchemy connection string to use to connect to the database.
|
|
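# The string normally embeds the database password, so keep this file
# readable only by the service account. (string value)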
|
|
# Deprecated group/name - [DEFAULT]/sql_connection
|
|
# Deprecated group/name - [DATABASE]/sql_connection
|
|
# Deprecated group/name - [sql]/connection
|
|
#connection = <None>
|
|
|
|
# The SQLAlchemy connection string to use to connect to the slave
|
|
# database. (string value)
|
|
#slave_connection = <None>
|
|
|
|
# The SQL mode to be used for MySQL sessions. This option, including
|
|
# the default, overrides any server-set SQL mode. To use whatever SQL
|
|
# mode is set by the server configuration, set this to no value.
|
|
# Example: mysql_sql_mode= (string value)
|
|
#mysql_sql_mode = TRADITIONAL
|
|
|
|
# If True, transparently enables support for handling MySQL Cluster
|
|
# (NDB). (boolean value)
|
|
#mysql_enable_ndb = false
|
|
|
|
# Timeout before idle SQL connections are reaped. (integer value)
|
|
# Deprecated group/name - [DEFAULT]/sql_idle_timeout
|
|
# Deprecated group/name - [DATABASE]/sql_idle_timeout
|
|
# Deprecated group/name - [sql]/idle_timeout
|
|
#idle_timeout = 3600
|
|
|
|
# Minimum number of SQL connections to keep open in a pool. (integer
|
|
# value)
|
|
# Deprecated group/name - [DEFAULT]/sql_min_pool_size
|
|
# Deprecated group/name - [DATABASE]/sql_min_pool_size
|
|
#min_pool_size = 1
|
|
|
|
# Maximum number of SQL connections to keep open in a pool. Setting a
|
|
# value of 0 indicates no limit. (integer value)
|
|
# Deprecated group/name - [DEFAULT]/sql_max_pool_size
|
|
# Deprecated group/name - [DATABASE]/sql_max_pool_size
|
|
#max_pool_size = 5
|
|
|
|
# Maximum number of database connection retries during startup. Set to
|
|
# -1 to specify an infinite retry count. (integer value)
|
|
# Deprecated group/name - [DEFAULT]/sql_max_retries
|
|
# Deprecated group/name - [DATABASE]/sql_max_retries
|
|
#max_retries = 10
|
|
|
|
# Interval between retries of opening a SQL connection. (integer
|
|
# value)
|
|
# Deprecated group/name - [DEFAULT]/sql_retry_interval
|
|
# Deprecated group/name - [DATABASE]/reconnect_interval
|
|
#retry_interval = 10
|
|
|
|
# If set, use this value for max_overflow with SQLAlchemy. (integer
|
|
# value)
|
|
# Deprecated group/name - [DEFAULT]/sql_max_overflow
|
|
# Deprecated group/name - [DATABASE]/sqlalchemy_max_overflow
|
|
#max_overflow = 50
|
|
|
|
# Verbosity of SQL debugging information: 0=None, 100=Everything.
|
|
# (integer value)
|
|
# Minimum value: 0
|
|
# Maximum value: 100
|
|
# Deprecated group/name - [DEFAULT]/sql_connection_debug
|
|
#connection_debug = 0
|
|
|
|
# Add Python stack traces to SQL as comment strings. (boolean value)
|
|
# Deprecated group/name - [DEFAULT]/sql_connection_trace
|
|
#connection_trace = false
|
|
|
|
# If set, use this value for pool_timeout with SQLAlchemy. (integer
|
|
# value)
|
|
# Deprecated group/name - [DATABASE]/sqlalchemy_pool_timeout
|
|
#pool_timeout = <None>
|
|
|
|
# Enable the experimental use of database reconnect on connection
|
|
# lost. (boolean value)
|
|
#use_db_reconnect = false
|
|
|
|
# Seconds between retries of a database transaction. (integer value)
|
|
#db_retry_interval = 1
|
|
|
|
# If True, increases the interval between retries of a database
|
|
# operation up to db_max_retry_interval. (boolean value)
|
|
#db_inc_retry_interval = true
|
|
|
|
# If db_inc_retry_interval is set, the maximum seconds between retries
|
|
# of a database operation. (integer value)
|
|
#db_max_retry_interval = 10
|
|
|
|
# Maximum retries in case of connection error or deadlock error before
|
|
# error is raised. Set to -1 to specify an infinite retry count.
|
|
# (integer value)
|
|
#db_max_retries = 20
|
|
|
|
|
|
[discovery]
|
|
|
|
#
|
|
# From ironic_inspector.plugins.discovery
|
|
#
|
|
|
|
# The name of the Ironic driver used by the enroll hook when creating
|
|
# a new node in Ironic. (string value)
|
|
#enroll_node_driver = fake
|
|
|
|
|
|
[dnsmasq_pxe_filter]
|
|
|
|
#
|
|
# From ironic_inspector
|
|
#
|
|
|
|
# The MAC address cache directory, exposed to dnsmasq. This directory
|
|
# is expected to be in exclusive control of the driver. (string value)
|
|
#dhcp_hostsdir = /var/lib/ironic-inspector/dhcp-hostsdir
|
|
|
|
# Purge the hostsdir upon driver initialization. Setting to false
|
|
# makes sense only for deployment of multiple (uncontainerized)
|
|
# inspector instances on a single node. In this case, the Operator is
|
|
# responsible for setting up a custom cleaning facility. (boolean
|
|
# value)
|
|
#purge_dhcp_hostsdir = true
|
|
|
|
# A (shell) command line to start the dnsmasq service upon filter
|
|
# initialization. Default: don't start. (string value)
|
|
#dnsmasq_start_command =
|
|
|
|
# A (shell) command line to stop the dnsmasq service upon inspector
|
|
# (error) exit. Default: don't stop. (string value)
|
|
#dnsmasq_stop_command =
|
|
|
|
|
|
[iptables]
|
|
|
|
#
|
|
# From ironic_inspector
|
|
#
|
|
|
|
# DEPRECATED: Whether to manage firewall rules for PXE port. This
|
|
# configuration option was deprecated in favor of the ``driver``
|
|
# option in the ``pxe_filter`` section. Please, use the ``noop``
|
|
# filter driver to disable the firewall filtering or the ``iptables``
|
|
# filter driver to enable it. (boolean value)
|
|
# This option is deprecated for removal.
|
|
# Its value may be silently ignored in the future.
|
|
#manage_firewall = true
|
|
|
|
# Interface on which dnsmasq listens; the default is for VMs. (string
|
|
# value)
|
|
#dnsmasq_interface = br-ctlplane
|
|
|
|
# iptables chain name to use. (string value)
|
|
#firewall_chain = ironic-inspector
|
|
|
|
# List of Ethernet Over InfiniBand interfaces on the Inspector host
|
|
# which are used for physical access to the DHCP network. Multiple
|
|
# interfaces would be attached to a bond or bridge specified in
|
|
# dnsmasq_interface. The MACs of the InfiniBand nodes which are not in
|
|
# desired state are going to be blacklisted based on the list of
|
|
# neighbor MACs on these interfaces. (list value)
|
|
#ethoib_interfaces =
|
|
|
|
|
|
[ironic]
|
|
|
|
#
|
|
# From ironic_inspector.common.ironic
|
|
#
|
|
|
|
# Authentication URL (string value)
|
|
#auth_url = <None>
|
|
|
|
# Method to use for authentication: noauth or keystone. (string value)
|
|
# Allowed values: keystone, noauth
|
|
#auth_strategy = keystone
|
|
|
|
# Authentication type to load (string value)
|
|
# Deprecated group/name - [ironic]/auth_plugin
|
|
#auth_type = <None>
|
|
|
|
# PEM encoded Certificate Authority to use when verifying HTTPs
|
|
# connections. (string value)
|
|
#cafile = <None>
|
|
|
|
# PEM encoded client certificate cert file (string value)
|
|
#certfile = <None>
|
|
|
|
# Optional domain ID to use with v3 and v2 parameters. It will be used
|
|
# for both the user and project domain in v3 and ignored in v2
|
|
# authentication. (string value)
|
|
#default_domain_id = <None>
|
|
|
|
# Optional domain name to use with v3 API and v2 parameters. It will
|
|
# be used for both the user and project domain in v3 and ignored in v2
|
|
# authentication. (string value)
|
|
#default_domain_name = <None>
|
|
|
|
# Domain ID to scope to (string value)
|
|
#domain_id = <None>
|
|
|
|
# Domain name to scope to (string value)
|
|
#domain_name = <None>
|
|
|
|
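# Verify HTTPS connections. The option is inverted: false (the default)
# verifies the server certificate, true disables verification.
# (boolean value)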
|
|
#insecure = false
|
|
|
|
# Ironic API URL, used to set Ironic API URL when auth_strategy option
|
|
# is noauth to work with standalone Ironic without keystone. (string
|
|
# value)
|
|
#ironic_url = http://localhost:6385/
|
|
|
|
# PEM encoded client certificate key file (string value)
|
|
#keyfile = <None>
|
|
|
|
# Maximum number of retries in case of conflict error (HTTP 409).
|
|
# (integer value)
|
|
#max_retries = 30
|
|
|
|
# Ironic endpoint type. (string value)
|
|
#os_endpoint_type = internalURL
|
|
|
|
# Keystone region used to get Ironic endpoints. (string value)
|
|
#os_region = <None>
|
|
|
|
# Ironic service type. (string value)
|
|
#os_service_type = baremetal
|
|
|
|
# User's password (string value)
|
|
#password = <None>
|
|
|
|
# Domain ID containing project (string value)
|
|
#project_domain_id = <None>
|
|
|
|
# Domain name containing project (string value)
|
|
#project_domain_name = <None>
|
|
|
|
# Project ID to scope to (string value)
|
|
# Deprecated group/name - [ironic]/tenant_id
|
|
#project_id = <None>
|
|
|
|
# Project name to scope to (string value)
|
|
# Deprecated group/name - [ironic]/tenant_name
|
|
#project_name = <None>
|
|
|
|
# Interval between retries in case of conflict error (HTTP 409).
|
|
# (integer value)
|
|
#retry_interval = 2
|
|
|
|
# Tenant ID (string value)
|
|
#tenant_id = <None>
|
|
|
|
# Tenant Name (string value)
|
|
#tenant_name = <None>
|
|
|
|
# Timeout value for http requests (integer value)
|
|
#timeout = <None>
|
|
|
|
# Trust ID (string value)
|
|
#trust_id = <None>
|
|
|
|
# User's domain id (string value)
|
|
#user_domain_id = <None>
|
|
|
|
# User's domain name (string value)
|
|
#user_domain_name = <None>
|
|
|
|
# User id (string value)
|
|
#user_id = <None>
|
|
|
|
# Username (string value)
|
|
# Deprecated group/name - [ironic]/user_name
|
|
#username = <None>
|
|
|
|
|
|
[keystone_authtoken]
|
|
|
|
#
|
|
# From keystonemiddleware.auth_token
|
|
#
|
|
|
|
# Complete "public" Identity API endpoint. This endpoint should not be
|
|
# an "admin" endpoint, as it should be accessible by all end users.
|
|
# Unauthenticated clients are redirected to this endpoint to
|
|
# authenticate. Although this endpoint should ideally be unversioned,
|
|
# client support in the wild varies. If you're using a versioned v2
|
|
# endpoint here, then this should *not* be the same endpoint the
|
|
# service user utilizes for validating tokens, because normal end
|
|
# users may not be able to reach that endpoint. (string value)
|
|
#auth_uri = <None>
|
|
|
|
# API version of the admin Identity API endpoint. (string value)
|
|
#auth_version = <None>
|
|
|
|
# Do not handle authorization requests within the middleware, but
|
|
# delegate the authorization decision to downstream WSGI components.
|
|
# (boolean value)
|
|
#delay_auth_decision = false
|
|
|
|
# Request timeout value for communicating with Identity API server.
|
|
# (integer value)
|
|
#http_connect_timeout = <None>
|
|
|
|
# How many times to try to reconnect when communicating with
|
|
# Identity API Server. (integer value)
|
|
#http_request_max_retries = 3
|
|
|
|
# Request environment key where the Swift cache object is stored. When
|
|
# auth_token middleware is deployed with a Swift cache, use this
|
|
# option to have the middleware share a caching backend with swift.
|
|
# Otherwise, use the ``memcached_servers`` option instead. (string
|
|
# value)
|
|
#cache = <None>
|
|
|
|
# Required if identity server requires client certificate (string
|
|
# value)
|
|
#certfile = <None>
|
|
|
|
# Required if identity server requires client certificate (string
|
|
# value)
|
|
#keyfile = <None>
|
|
|
|
# A PEM encoded Certificate Authority to use when verifying HTTPs
|
|
# connections. Defaults to system CAs. (string value)
|
|
#cafile = <None>
|
|
|
|
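# Verify HTTPS connections. The option is inverted: false (the default)
# verifies the server certificate, true disables verification.
# (boolean value)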
|
|
#insecure = false
|
|
|
|
# The region in which the identity server can be found. (string value)
|
|
#region_name = <None>
|
|
|
|
# DEPRECATED: Directory used to cache files related to PKI tokens.
|
|
# This option has been deprecated in the Ocata release and will be
|
|
# removed in the P release. (string value)
|
|
# This option is deprecated for removal since Ocata.
|
|
# Its value may be silently ignored in the future.
|
|
# Reason: PKI token format is no longer supported.
|
|
#signing_dir = <None>
|
|
|
|
# Optionally specify a list of memcached server(s) to use for caching.
|
|
# If left undefined, tokens will instead be cached in-process. (list
|
|
# value)
|
|
# Deprecated group/name - [keystone_authtoken]/memcache_servers
|
|
#memcached_servers = <None>
|
|
|
|
# In order to prevent excessive effort spent validating tokens, the
|
|
# middleware caches previously-seen tokens for a configurable duration
|
|
# (in seconds). Set to -1 to disable caching completely. (integer
|
|
# value)
|
|
#token_cache_time = 300
|
|
|
|
# DEPRECATED: Determines the frequency at which the list of revoked
|
|
# tokens is retrieved from the Identity service (in seconds). A high
|
|
# number of revocation events combined with a low cache duration may
|
|
# significantly reduce performance. Only valid for PKI tokens. This
|
|
# option has been deprecated in the Ocata release and will be removed
|
|
# in the P release. (integer value)
|
|
# This option is deprecated for removal since Ocata.
|
|
# Its value may be silently ignored in the future.
|
|
# Reason: PKI token format is no longer supported.
|
|
#revocation_cache_time = 10
|
|
|
|
# (Optional) If defined, indicate whether token data should be
|
|
# authenticated or authenticated and encrypted. If MAC, token data is
|
|
# authenticated (with HMAC) in the cache. If ENCRYPT, token data is
|
|
# encrypted and authenticated in the cache. If the value is not one of
|
|
# these options or empty, auth_token will raise an exception on
|
|
# initialization. (string value)
|
|
# Allowed values: None, MAC, ENCRYPT
|
|
#memcache_security_strategy = None
|
|
|
|
# (Optional, mandatory if memcache_security_strategy is defined) This
|
|
# string is used for key derivation. (string value)
|
|
#memcache_secret_key = <None>
|
|
|
|
# (Optional) Number of seconds memcached server is considered dead
|
|
# before it is tried again. (integer value)
|
|
#memcache_pool_dead_retry = 300
|
|
|
|
# (Optional) Maximum total number of open connections to every
|
|
# memcached server. (integer value)
|
|
#memcache_pool_maxsize = 10
|
|
|
|
# (Optional) Socket timeout in seconds for communicating with a
|
|
# memcached server. (integer value)
|
|
#memcache_pool_socket_timeout = 3
|
|
|
|
# (Optional) Number of seconds a connection to memcached is held
|
|
# unused in the pool before it is closed. (integer value)
|
|
#memcache_pool_unused_timeout = 60
|
|
|
|
# (Optional) Number of seconds that an operation will wait to get a
|
|
# memcached client connection from the pool. (integer value)
|
|
#memcache_pool_conn_get_timeout = 10
|
|
|
|
# (Optional) Use the advanced (eventlet safe) memcached client pool.
|
|
# The advanced pool will only work under python 2.x. (boolean value)
|
|
#memcache_use_advanced_pool = false
|
|
|
|
# (Optional) Indicate whether to set the X-Service-Catalog header. If
|
|
# False, middleware will not ask for service catalog on token
|
|
# validation and will not set the X-Service-Catalog header. (boolean
|
|
# value)
|
|
#include_service_catalog = true
|
|
|
|
# Used to control the use and type of token binding. Can be set to:
|
|
# "disabled" to not check token binding. "permissive" (default) to
|
|
# validate binding information if the bind type is of a form known to
|
|
# the server and ignore it if not. "strict" like "permissive" but if
|
|
# the bind type is unknown the token will be rejected. "required" any
|
|
# form of token binding is needed to be allowed. Finally the name of a
|
|
# binding method that must be present in tokens. (string value)
|
|
#enforce_token_bind = permissive
|
|
|
|
# DEPRECATED: If true, the revocation list will be checked for cached
|
|
# tokens. This requires that PKI tokens are configured on the identity
|
|
# server. (boolean value)
|
|
# This option is deprecated for removal since Ocata.
|
|
# Its value may be silently ignored in the future.
|
|
# Reason: PKI token format is no longer supported.
|
|
#check_revocations_for_cached = false
|
|
|
|
# DEPRECATED: Hash algorithms to use for hashing PKI tokens. This may
|
|
# be a single algorithm or multiple. The algorithms are those
|
|
# supported by Python standard hashlib.new(). The hashes will be tried
|
|
# in the order given, so put the preferred one first for performance.
|
|
# The result of the first hash will be stored in the cache. This will
|
|
# typically be set to multiple values only while migrating from a less
|
|
# secure algorithm to a more secure one. Once all the old tokens are
|
|
# expired this option should be set to a single value for better
|
|
# performance. (list value)
|
|
# This option is deprecated for removal since Ocata.
|
|
# Its value may be silently ignored in the future.
|
|
# Reason: PKI token format is no longer supported.
|
|
#hash_algorithms = md5
|
|
|
|
# A choice of roles that must be present in a service token. Service
|
|
# tokens are allowed to request that an expired token can be used and
|
|
# so this check should tightly control that only actual services
|
|
# should be sending this token. Roles here are applied as an ANY check
|
|
# so any role in this list must be present. For backwards
|
|
# compatibility reasons this currently only affects the allow_expired
|
|
# check. (list value)
|
|
#service_token_roles = service
|
|
|
|
# For backwards compatibility reasons we must let valid service tokens
|
|
# pass that don't pass the service_token_roles check as valid. Setting
|
|
# this true will become the default in a future release and should be
|
|
# enabled if possible. (boolean value)
|
|
#service_token_roles_required = false
|
|
|
|
# Authentication type to load (string value)
|
|
# Deprecated group/name - [keystone_authtoken]/auth_plugin
|
|
#auth_type = <None>
|
|
|
|
# Config Section from which to load plugin specific options (string
|
|
# value)
|
|
#auth_section = <None>
|
|
|
|
|
|
[oslo_policy]
|
|
|
|
#
|
|
# From oslo.policy
|
|
#
|
|
|
|
# The file that defines policies. (string value)
|
|
#policy_file = policy.json
|
|
|
|
# Default rule. Enforced when a requested rule is not found. (string
|
|
# value)
|
|
#policy_default_rule = default
|
|
|
|
# Directories where policy configuration files are stored. They can be
|
|
# relative to any directory in the search path defined by the
|
|
# config_dir option, or absolute paths. The file defined by
|
|
# policy_file must exist for these directories to be searched.
|
|
# Missing or empty directories are ignored. (multi valued)
|
|
#policy_dirs = policy.d
|
|
|
|
|
|
[pci_devices]
|
|
|
|
#
|
|
# From ironic_inspector.plugins.pci_devices
|
|
#
|
|
|
|
# An alias for PCI device identified by 'vendor_id' and 'product_id'
|
|
# fields. Format: {"vendor_id": "1234", "product_id": "5678", "name":
|
|
# "pci_dev1"} (multi valued)
|
|
#alias =
|
|
|
|
|
|
[processing]
|
|
|
|
#
|
|
# From ironic_inspector
|
|
#
|
|
|
|
# Which MAC addresses to add as ports during introspection. Possible
|
|
# values: all (all MAC addresses), active (MAC addresses of NIC with
|
|
# IP addresses), pxe (only MAC address of NIC node PXE booted from,
|
|
# falls back to "active" if PXE MAC is not supplied by the ramdisk).
|
|
# (string value)
|
|
# Allowed values: all, active, pxe, disabled
|
|
#add_ports = pxe
|
|
|
|
# Which ports (already present on a node) to keep after introspection.
|
|
# Possible values: all (do not delete anything), present (keep ports
|
|
# whose MACs were present in introspection data), added (keep only
|
|
# MACs that we added during introspection). (string value)
|
|
# Allowed values: all, present, added
|
|
#keep_ports = all
|
|
|
|
# Whether to overwrite existing values in node database. Disable this
|
|
# option to make introspection a non-destructive operation. (boolean
|
|
# value)
|
|
#overwrite_existing = true
|
|
|
|
# Comma-separated list of default hooks for processing pipeline. Hook
|
|
# 'scheduler' updates the node with the minimum properties required by
|
|
# the Nova scheduler. Hook 'validate_interfaces' ensures that valid
|
|
# NIC data was provided by the ramdisk. Do not exclude these two
|
|
# unless you really know what you're doing. (string value)
|
|
#default_processing_hooks = ramdisk_error,root_disk_selection,scheduler,validate_interfaces,capabilities,pci_devices
|
|
|
|
# Comma-separated list of enabled hooks for processing pipeline. The
|
|
# default for this is $default_processing_hooks, hooks can be added
|
|
# before or after the defaults like this:
|
|
# "prehook,$default_processing_hooks,posthook". (string value)
|
|
#processing_hooks = $default_processing_hooks
|
|
|
|
# If set, logs from ramdisk will be stored in this directory. (string
|
|
# value)
|
|
#ramdisk_logs_dir = <None>
|
|
|
|
# Whether to store ramdisk logs even if it did not return an error
|
|
# message (dependent upon "ramdisk_logs_dir" option being set).
|
|
# (boolean value)
|
|
#always_store_ramdisk_logs = false
|
|
|
|
# The name of the hook to run when inspector receives inspection
|
|
# information from a node it isn't already aware of. This hook is
|
|
# ignored by default. (string value)
|
|
#node_not_found_hook = <None>
|
|
|
|
# Method for storing introspection data. If set to 'none',
|
|
# introspection data will not be stored. (string value)
|
|
# Allowed values: none, swift
|
|
#store_data = none
|
|
|
|
# Name of the key to store the location of stored data in the extra
|
|
# column of the Ironic database. (string value)
|
|
#store_data_location = <None>
|
|
|
|
# Whether to leave 1 GiB of disk size untouched for partitioning. Only
|
|
# has effect when used with the IPA as a ramdisk, for older ramdisk
|
|
# local_gb is calculated on the ramdisk side. (boolean value)
|
|
#disk_partitioning_spacing = true
|
|
|
|
# File name template for storing ramdisk logs. The following
|
|
# replacements can be used: {uuid} - node UUID or "unknown", {bmc} -
|
|
# node BMC address or "unknown", {dt} - current UTC date and time,
|
|
# {mac} - PXE booting MAC or "unknown". (string value)
|
|
#ramdisk_logs_filename_format = {uuid}_{dt:%Y%m%d-%H%M%S.%f}.tar.gz
|
|
|
|
# Whether to power off a node after introspection. (boolean value)
|
|
#power_off = true
|
|
|
|
|
|
[pxe_filter]
|
|
|
|
#
|
|
# From ironic_inspector
|
|
#
|
|
|
|
# PXE boot filter driver to use, such as iptables (string value)
|
|
#driver = iptables
|
|
|
|
# Amount of time in seconds, after which repeat periodic update of the
|
|
# filter. (integer value)
|
|
# Minimum value: 0
|
|
# Deprecated group/name - [firewall]/firewall_update_period
|
|
#sync_period = 15
|
|
|
|
|
|
[swift]
|
|
|
|
#
|
|
# From ironic_inspector.common.swift
|
|
#
|
|
|
|
# Authentication URL (string value)
|
|
#auth_url = <None>
|
|
|
|
# Authentication type to load (string value)
|
|
# Deprecated group/name - [swift]/auth_plugin
|
|
#auth_type = <None>
|
|
|
|
# PEM encoded Certificate Authority to use when verifying HTTPs
|
|
# connections. (string value)
|
|
#cafile = <None>
|
|
|
|
# PEM encoded client certificate cert file (string value)
|
|
#certfile = <None>
|
|
|
|
# Default Swift container to use when creating objects. (string value)
|
|
#container = ironic-inspector
|
|
|
|
# Optional domain ID to use with v3 and v2 parameters. It will be used
|
|
# for both the user and project domain in v3 and ignored in v2
|
|
# authentication. (string value)
|
|
#default_domain_id = <None>
|
|
|
|
# Optional domain name to use with v3 API and v2 parameters. It will
|
|
# be used for both the user and project domain in v3 and ignored in v2
|
|
# authentication. (string value)
|
|
#default_domain_name = <None>
|
|
|
|
# Number of seconds that the Swift object will last before being
|
|
# deleted. (set to 0 to never delete the object). (integer value)
|
|
#delete_after = 0
|
|
|
|
# Domain ID to scope to (string value)
|
|
#domain_id = <None>
|
|
|
|
# Domain name to scope to (string value)
|
|
#domain_name = <None>
|
|
|
|
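# Verify HTTPS connections. The option is inverted: false (the default)
# verifies the server certificate, true disables verification.
# (boolean value)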
|
|
#insecure = false
|
|
|
|
# PEM encoded client certificate key file (string value)
|
|
#keyfile = <None>
|
|
|
|
# Maximum number of times to retry a Swift request, before failing.
|
|
# (integer value)
|
|
#max_retries = 2
|
|
|
|
# Swift endpoint type. (string value)
|
|
#os_endpoint_type = internalURL
|
|
|
|
# Keystone region to get endpoint for. (string value)
|
|
#os_region = <None>
|
|
|
|
# Swift service type. (string value)
|
|
#os_service_type = object-store
|
|
|
|
# User's password (string value)
|
|
#password = <None>
|
|
|
|
# Domain ID containing project (string value)
|
|
#project_domain_id = <None>
|
|
|
|
# Domain name containing project (string value)
|
|
#project_domain_name = <None>
|
|
|
|
# Project ID to scope to (string value)
|
|
# Deprecated group/name - [swift]/tenant_id
|
|
#project_id = <None>
|
|
|
|
# Project name to scope to (string value)
|
|
# Deprecated group/name - [swift]/tenant_name
|
|
#project_name = <None>
|
|
|
|
# Tenant ID (string value)
|
|
#tenant_id = <None>
|
|
|
|
# Tenant Name (string value)
|
|
#tenant_name = <None>
|
|
|
|
# Timeout value for http requests (integer value)
|
|
#timeout = <None>
|
|
|
|
# Trust ID (string value)
|
|
#trust_id = <None>
|
|
|
|
# User's domain id (string value)
|
|
#user_domain_id = <None>
|
|
|
|
# User's domain name (string value)
|
|
#user_domain_name = <None>
|
|
|
|
# User id (string value)
|
|
#user_id = <None>
|
|
|
|
# Username (string value)
|
|
# Deprecated group/name - [swift]/user_name
|
|
#username = <None>
|