504 lines
16 KiB
Plaintext
504 lines
16 KiB
Plaintext
[DEFAULT]
|
|
|
|
#
|
|
# From drydock_provisioner
|
|
#
|
|
|
|
# Polling interval in seconds for checking subtask or downstream status (integer
|
|
# value)
|
|
# Minimum value: 1
|
|
#poll_interval = 10
|
|
|
|
# How long a leader has to check-in before leadership can be usurped, in seconds
|
|
# (integer value)
|
|
#leader_grace_period = 300
|
|
|
|
# How often will an instance attempt to claim leadership, in seconds (integer
|
|
# value)
|
|
#leadership_claim_interval = 30
|
|
|
|
|
|
[database]
|
|
|
|
#
|
|
# From drydock_provisioner
|
|
#
|
|
|
|
# The URI database connect string. (string value)
|
|
#database_connect_string = <None>
|
|
|
|
# The SQLalchemy database connection pool size. (integer value)
|
|
#pool_size = 15
|
|
|
|
# Should DB connections be validated prior to use. (boolean value)
|
|
#pool_pre_ping = true
|
|
|
|
# How long a request for a connection should wait before one becomes available.
|
|
# (integer value)
|
|
#pool_timeout = 30
|
|
|
|
# How many connections above pool_size are allowed to be open during high usage.
|
|
# (integer value)
|
|
#pool_overflow = 10
|
|
|
|
# Time, in seconds, when a connection should be closed and re-established. -1
|
|
# for no recycling. (integer value)
|
|
#connection_recycle = -1
|
|
|
|
|
|
[keystone_authtoken]
|
|
|
|
#
|
|
# From drydock_provisioner
|
|
#
|
|
|
|
# Authentication URL (string value)
|
|
#auth_url = <None>
|
|
|
|
# Scope for system operations (string value)
|
|
#system_scope = <None>
|
|
|
|
# Domain ID to scope to (string value)
|
|
#domain_id = <None>
|
|
|
|
# Domain name to scope to (string value)
|
|
#domain_name = <None>
|
|
|
|
# Project ID to scope to (string value)
|
|
# Deprecated group/name - [keystone_authtoken]/tenant_id
|
|
#project_id = <None>
|
|
|
|
# Project name to scope to (string value)
|
|
# Deprecated group/name - [keystone_authtoken]/tenant_name
|
|
#project_name = <None>
|
|
|
|
# Domain ID containing project (string value)
|
|
#project_domain_id = <None>
|
|
|
|
# Domain name containing project (string value)
|
|
#project_domain_name = <None>
|
|
|
|
# ID of the trust to use as a trustee use (string value)
|
|
#trust_id = <None>
|
|
|
|
# Optional domain ID to use with v3 and v2 parameters. It will be used for both
|
|
# the user and project domain in v3 and ignored in v2 authentication. (string
|
|
# value)
|
|
#default_domain_id = <None>
|
|
|
|
# Optional domain name to use with v3 API and v2 parameters. It will be used for
|
|
# both the user and project domain in v3 and ignored in v2 authentication.
|
|
# (string value)
|
|
#default_domain_name = <None>
|
|
|
|
# User id (string value)
|
|
#user_id = <None>
|
|
|
|
# Username (string value)
|
|
# Deprecated group/name - [keystone_authtoken]/user_name
|
|
#username = <None>
|
|
|
|
# User's domain id (string value)
|
|
#user_domain_id = <None>
|
|
|
|
# User's domain name (string value)
|
|
#user_domain_name = <None>
|
|
|
|
# User's password (string value)
|
|
#password = <None>
|
|
|
|
#
|
|
# From keystonemiddleware.auth_token
|
|
#
|
|
|
|
# Complete "public" Identity API endpoint. This endpoint should not be an
|
|
# "admin" endpoint, as it should be accessible by all end users. Unauthenticated
|
|
# clients are redirected to this endpoint to authenticate. Although this
|
|
# endpoint should ideally be unversioned, client support in the wild varies. If
|
|
# you're using a versioned v2 endpoint here, then this should *not* be the same
|
|
# endpoint the service user utilizes for validating tokens, because normal end
|
|
# users may not be able to reach that endpoint. (string value)
|
|
# Deprecated group/name - [keystone_authtoken]/auth_uri
|
|
#www_authenticate_uri = <None>
|
|
|
|
# DEPRECATED: Complete "public" Identity API endpoint. This endpoint should not
|
|
# be an "admin" endpoint, as it should be accessible by all end users.
|
|
# Unauthenticated clients are redirected to this endpoint to authenticate.
|
|
# Although this endpoint should ideally be unversioned, client support in the
|
|
# wild varies. If you're using a versioned v2 endpoint here, then this should
|
|
# *not* be the same endpoint the service user utilizes for validating tokens,
|
|
# because normal end users may not be able to reach that endpoint. This option
|
|
# is deprecated in favor of www_authenticate_uri and will be removed in the S
|
|
# release. (string value)
|
|
# This option is deprecated for removal since Queens.
|
|
# Its value may be silently ignored in the future.
|
|
# Reason: The auth_uri option is deprecated in favor of www_authenticate_uri and
|
|
# will be removed in the S release.
|
|
#auth_uri = <None>
|
|
|
|
# API version of the Identity API endpoint. (string value)
|
|
#auth_version = <None>
|
|
|
|
# Interface to use for the Identity API endpoint. Valid values are "public",
|
|
# "internal" (default) or "admin". (string value)
|
|
#interface = internal
|
|
|
|
# Do not handle authorization requests within the middleware, but delegate the
|
|
# authorization decision to downstream WSGI components. (boolean value)
|
|
#delay_auth_decision = false
|
|
|
|
# Request timeout value for communicating with Identity API server. (integer
|
|
# value)
|
|
#http_connect_timeout = <None>
|
|
|
|
# How many times are we trying to reconnect when communicating with Identity API
|
|
# Server. (integer value)
|
|
#http_request_max_retries = 3
|
|
|
|
# Request environment key where the Swift cache object is stored. When
|
|
# auth_token middleware is deployed with a Swift cache, use this option to have
|
|
# the middleware share a caching backend with swift. Otherwise, use the
|
|
# ``memcached_servers`` option instead. (string value)
|
|
#cache = <None>
|
|
|
|
# Required if identity server requires client certificate (string value)
|
|
#certfile = <None>
|
|
|
|
# Required if identity server requires client certificate (string value)
|
|
#keyfile = <None>
|
|
|
|
# A PEM encoded Certificate Authority to use when verifying HTTPs connections.
|
|
# Defaults to system CAs. (string value)
|
|
#cafile = <None>
|
|
|
|
# Verify HTTPS connections. (boolean value)
|
|
#insecure = false
|
|
|
|
# The region in which the identity server can be found. (string value)
|
|
#region_name = <None>
|
|
|
|
# Optionally specify a list of memcached server(s) to use for caching. If left
|
|
# undefined, tokens will instead be cached in-process. (list value)
|
|
# Deprecated group/name - [keystone_authtoken]/memcache_servers
|
|
#memcached_servers = <None>
|
|
|
|
# In order to prevent excessive effort spent validating tokens, the middleware
|
|
# caches previously-seen tokens for a configurable duration (in seconds). Set to
|
|
# -1 to disable caching completely. (integer value)
|
|
#token_cache_time = 300
|
|
|
|
# (Optional) If defined, indicate whether token data should be authenticated or
|
|
# authenticated and encrypted. If MAC, token data is authenticated (with HMAC)
|
|
# in the cache. If ENCRYPT, token data is encrypted and authenticated in the
|
|
# cache. If the value is not one of these options or empty, auth_token will
|
|
# raise an exception on initialization. (string value)
|
|
# Possible values:
|
|
# None - <No description provided>
|
|
# MAC - <No description provided>
|
|
# ENCRYPT - <No description provided>
|
|
#memcache_security_strategy = None
|
|
|
|
# (Optional, mandatory if memcache_security_strategy is defined) This string is
|
|
# used for key derivation. (string value)
|
|
#memcache_secret_key = <None>
|
|
|
|
# (Optional) Number of seconds memcached server is considered dead before it is
|
|
# tried again. (integer value)
|
|
#memcache_pool_dead_retry = 300
|
|
|
|
# (Optional) Maximum total number of open connections to every memcached server.
|
|
# (integer value)
|
|
#memcache_pool_maxsize = 10
|
|
|
|
# (Optional) Socket timeout in seconds for communicating with a memcached
|
|
# server. (integer value)
|
|
#memcache_pool_socket_timeout = 3
|
|
|
|
# (Optional) Number of seconds a connection to memcached is held unused in the
|
|
# pool before it is closed. (integer value)
|
|
#memcache_pool_unused_timeout = 60
|
|
|
|
# (Optional) Number of seconds that an operation will wait to get a memcached
|
|
# client connection from the pool. (integer value)
|
|
#memcache_pool_conn_get_timeout = 10
|
|
|
|
# (Optional) Use the advanced (eventlet safe) memcached client pool. (boolean
|
|
# value)
|
|
#memcache_use_advanced_pool = true
|
|
|
|
# (Optional) Indicate whether to set the X-Service-Catalog header. If False,
|
|
# middleware will not ask for service catalog on token validation and will not
|
|
# set the X-Service-Catalog header. (boolean value)
|
|
#include_service_catalog = true
|
|
|
|
# Used to control the use and type of token binding. Can be set to: "disabled"
|
|
# to not check token binding. "permissive" (default) to validate binding
|
|
# information if the bind type is of a form known to the server and ignore it if
|
|
# not. "strict" like "permissive" but if the bind type is unknown the token will
|
|
# be rejected. "required" any form of token binding is needed to be allowed.
|
|
# Finally the name of a binding method that must be present in tokens. (string
|
|
# value)
|
|
#enforce_token_bind = permissive
|
|
|
|
# A choice of roles that must be present in a service token. Service tokens are
|
|
# allowed to request that an expired token can be used and so this check should
|
|
# tightly control that only actual services should be sending this token. Roles
|
|
# here are applied as an ANY check so any role in this list must be present. For
|
|
# backwards compatibility reasons this currently only affects the allow_expired
|
|
# check. (list value)
|
|
#service_token_roles = service
|
|
|
|
# For backwards compatibility reasons we must let valid service tokens pass that
|
|
# don't pass the service_token_roles check as valid. Setting this true will
|
|
# become the default in a future release and should be enabled if possible.
|
|
# (boolean value)
|
|
#service_token_roles_required = false
|
|
|
|
# The name or type of the service as it appears in the service catalog. This is
|
|
# used to validate tokens that have restricted access rules. (string value)
|
|
#service_type = <None>
|
|
|
|
# Authentication type to load (string value)
|
|
# Deprecated group/name - [keystone_authtoken]/auth_plugin
|
|
#auth_type = <None>
|
|
|
|
# Config Section from which to load plugin specific options (string value)
|
|
#auth_section = <None>
|
|
|
|
|
|
[libvirt_driver]
|
|
|
|
#
|
|
# From drydock_provisioner
|
|
#
|
|
|
|
# Polling interval in seconds for querying libvirt status (integer value)
|
|
#poll_interval = 10
|
|
|
|
|
|
[logging]
|
|
|
|
#
|
|
# From drydock_provisioner
|
|
#
|
|
|
|
# Global log level for Drydock (string value)
|
|
#log_level = INFO
|
|
|
|
# Logger name for the top-level logger (string value)
|
|
#global_logger_name = drydock_provisioner
|
|
|
|
# Logger name for OOB driver logging (string value)
|
|
#oobdriver_logger_name = ${global_logger_name}.oobdriver
|
|
|
|
# Logger name for Node driver logging (string value)
|
|
#nodedriver_logger_name = ${global_logger_name}.nodedriver
|
|
|
|
# Logger name for Kubernetes driver logging (string value)
|
|
#kubernetesdriver_logger_name = ${global_logger_name}.kubernetesdriver
|
|
|
|
# Logger name for API server logging (string value)
|
|
#control_logger_name = ${global_logger_name}.control
|
|
|
|
|
|
[maasdriver]
|
|
|
|
#
|
|
# From drydock_provisioner
|
|
#
|
|
|
|
# The API key for accessing MaaS (string value)
|
|
#maas_api_key = <None>
|
|
|
|
# The URL for accessing MaaS API (string value)
|
|
#maas_api_url = <None>
|
|
|
|
# Update MAAS to use the provided Node OOB params, overwriting discovered values
|
|
# (boolean value)
|
|
#use_node_oob_params = false
|
|
|
|
# Skip BMC reconfiguration during commissioning (requires MAAS 2.7+) (boolean
|
|
# value)
|
|
#skip_bmc_config = false
|
|
|
|
# Polling interval for querying MaaS status in seconds (integer value)
|
|
#poll_interval = 10
|
|
|
|
|
|
[network]
|
|
|
|
#
|
|
# From drydock_provisioner
|
|
#
|
|
|
|
# Timeout for initial read of outgoing HTTP calls from Drydock in seconds.
|
|
# (integer value)
|
|
#http_client_connect_timeout = 16
|
|
|
|
# Timeout for initial read of outgoing HTTP calls from Drydock in seconds.
|
|
# (integer value)
|
|
#http_client_read_timeout = 300
|
|
|
|
# Number of retries for transient errors of outgoing HTTP calls from Drydock.
|
|
# (integer value)
|
|
#http_client_retries = 3
|
|
|
|
|
|
[oslo_policy]
|
|
|
|
#
|
|
# From oslo.policy
|
|
#
|
|
|
|
# This option controls whether or not to enforce scope when evaluating policies.
|
|
# If ``True``, the scope of the token used in the request is compared to the
|
|
# ``scope_types`` of the policy being enforced. If the scopes do not match, an
|
|
# ``InvalidScope`` exception will be raised. If ``False``, a message will be
|
|
# logged informing operators that policies are being invoked with mismatching
|
|
# scope. (boolean value)
|
|
#enforce_scope = false
|
|
|
|
# This option controls whether or not to use old deprecated defaults when
|
|
# evaluating policies. If ``True``, the old deprecated defaults are not going to
|
|
# be evaluated. This means if any existing token is allowed for old defaults but
|
|
# is disallowed for new defaults, it will be disallowed. It is encouraged to
|
|
# enable this flag along with the ``enforce_scope`` flag so that you can get the
|
|
# benefits of new defaults and ``scope_type`` together. If ``False``, the
|
|
# deprecated policy check string is logically OR'd with the new policy check
|
|
# string, allowing for a graceful upgrade experience between releases with new
|
|
# policies, which is the default behavior. (boolean value)
|
|
#enforce_new_defaults = false
|
|
|
|
# The relative or absolute path of a file that maps roles to permissions for a
|
|
# given service. Relative paths must be specified in relation to the
|
|
# configuration file setting this option. (string value)
|
|
#policy_file = policy.json
|
|
|
|
# Default rule. Enforced when a requested rule is not found. (string value)
|
|
#policy_default_rule = default
|
|
|
|
# Directories where policy configuration files are stored. They can be relative
|
|
# to any directory in the search path defined by the config_dir option, or
|
|
# absolute paths. The file defined by policy_file must exist for these
|
|
# directories to be searched. Missing or empty directories are ignored. (multi
|
|
# valued)
|
|
#policy_dirs = policy.d
|
|
|
|
# Content Type to send and receive data for REST based policy check (string
|
|
# value)
|
|
# Possible values:
|
|
# application/x-www-form-urlencoded - <No description provided>
|
|
# application/json - <No description provided>
|
|
#remote_content_type = application/x-www-form-urlencoded
|
|
|
|
# server identity verification for REST based policy check (boolean value)
|
|
#remote_ssl_verify_server_crt = false
|
|
|
|
# Absolute path to ca cert file for REST based policy check (string value)
|
|
#remote_ssl_ca_crt_file = <None>
|
|
|
|
# Absolute path to client cert for REST based policy check (string value)
|
|
#remote_ssl_client_crt_file = <None>
|
|
|
|
# Absolute path client key file REST based policy check (string value)
|
|
#remote_ssl_client_key_file = <None>
|
|
|
|
|
|
[plugins]
|
|
|
|
#
|
|
# From drydock_provisioner
|
|
#
|
|
|
|
# Module path string of a input ingester to enable (string value)
|
|
#ingester = drydock_provisioner.ingester.plugins.yaml.YamlIngester
|
|
|
|
# List of module path strings of OOB drivers to enable (list value)
|
|
#oob_driver = drydock_provisioner.drivers.oob.pyghmi_driver.PyghmiDriver
|
|
|
|
# Module path string of the Node driver to enable (string value)
|
|
#node_driver = drydock_provisioner.drivers.node.maasdriver.driver.MaasNodeDriver
|
|
|
|
# Module path string of the Kubernetes driver to enable (string value)
|
|
#kubernetes_driver = drydock_provisioner.drivers.kubernetes.promenade_driver.driver.PromenadeDriver
|
|
|
|
# Module path string of the Network driver enable (string value)
|
|
#network_driver = <None>
|
|
|
|
|
|
[pyghmi_driver]
|
|
|
|
#
|
|
# From drydock_provisioner
|
|
#
|
|
|
|
# Polling interval in seconds for querying IPMI status (integer value)
|
|
#poll_interval = 10
|
|
|
|
|
|
[redfish_driver]
|
|
|
|
#
|
|
# From drydock_provisioner
|
|
#
|
|
|
|
# Maximum number of connection retries to Redfish server (integer value)
|
|
# Minimum value: 1
|
|
#max_retries = 10
|
|
|
|
# Maximum reties to wait for power state change (integer value)
|
|
# Minimum value: 1
|
|
#power_state_change_max_retries = 18
|
|
|
|
# Polling interval in seconds between retries for power state change (integer
|
|
# value)
|
|
#power_state_change_retry_interval = 10
|
|
|
|
# Use SSL to communicate with Redfish API server (boolean value)
|
|
#use_ssl = true
|
|
|
|
|
|
[timeouts]
|
|
|
|
#
|
|
# From drydock_provisioner
|
|
#
|
|
|
|
# Fallback timeout when a specific one is not configured (integer value)
|
|
#drydock_timeout = 5
|
|
|
|
# Timeout in minutes for creating site network templates (integer value)
|
|
#create_network_template = 2
|
|
|
|
# Timeout in minutes for creating user credentials (integer value)
|
|
#configure_user_credentials = 2
|
|
|
|
# Timeout in minutes for initial node identification (integer value)
|
|
#identify_node = 10
|
|
|
|
# Timeout in minutes for node commissioning and hardware configuration (integer
|
|
# value)
|
|
#configure_hardware = 30
|
|
|
|
# Timeout in minutes for configuring node networking (integer value)
|
|
#apply_node_networking = 5
|
|
|
|
# Timeout in minutes for configuring node storage (integer value)
|
|
#apply_node_storage = 5
|
|
|
|
# Timeout in minutes for configuring node platform (integer value)
|
|
#apply_node_platform = 5
|
|
|
|
# Timeout in minutes for deploying a node (integer value)
|
|
#deploy_node = 45
|
|
|
|
# Timeout in minutes between deployment completion and the all boot actions
|
|
# reporting status (integer value)
|
|
#bootaction_final_status = 15
|
|
|
|
# Timeout in minutes for releasing a node (integer value)
|
|
#destroy_node = 30
|
|
|
|
# Timeout in minutes for relabeling a node (integer value)
|
|
#relabel_node = 5
|