--- # Skydive config file # host_id is used to reference the agent, by default set to hostname host_id: {{ ansible_hostname }} tls: # File path to X509 Certificate and Private Key to enable TLS communication # Unique certificate per agent is recommended {% if inventory_hostname in groups['skydive_agents'] %} client_cert: {{ skydive_ssl_cert }} client_key: {{ skydive_ssl_key }} {% endif %} {% if inventory_hostname in groups['skydive_analyzers'] %} server_cert: {{ skydive_ssl_cert }} server_key: {{ skydive_ssl_key }} {% endif %} ca_cert: {{ skydive_ssl_ca_cert }} http: # define the Cookie HTTP Request Header cookie: # : # : rest: # log the HTTP client request and response (to log level DEBUG) # debug: false ws: # WebSocket delay between two pings. # ping_delay: 2 # WebSocket Ping/Pong timeout in second. # pong_timeout: 5 # maximum number of topology aggregated messages before sending # bulk_maxmsgs: 100 # duration in seconds before flushing topology aggregated messages # bulk_maxdelay: 2 # Maximum size of the message queue # queue_size: 10000 # enable write compression enable_write_compression: true {% if inventory_hostname in groups['skydive_analyzers'] %} analyzer: # address and port for the analyzer API, Format: addr:port. # Default addr is 127.0.0.1 listen: {{ (skydive_bind_address | default(hostvars[inventory_hostname]["ansible_" ~ (skydive_network_device | replace('-', '_') | string)]['ipv4']['address'])) ~ ':' ~ skydive_analyzer_port }} auth: # auth section for API request api: # Specify the name of the auth backend definition, see auth section. backend: {{ skydive_auth_type }} cluster: # Specify the name of the auth backend definition, see auth section. backend: {{ skydive_auth_type }} # Specify username, password for cluster authentication. Used for analyzer/analyzer communication. username: {{ skydive_cluster_username }} password: {{ skydive_cluster_password }} # Section defining things to be invoked on startup startup: # By default no capturing, set filter to capture from selected nodes # from the beginning automatically # capture_gremlin: "G.V().has('Name', NE('lo'))" # capture_bpf: "port 80" # Flow storage engine flow: # Storage backend name: myelasticsearch, myorientdb backend: myelasticsearch # Max number of flows in write buffer (after which all flows accumulated are dropped) # max_buffer_size: 100000 topology: # Storage backend name: mymemory, myelasticsearch, myorientdb backend: myelasticsearch # Define static interfaces and links updating Skydive topology # Can be useful to define external resources like : TOR, Router, etc. # # A description language similar to the dot language is used to define # interfaces and links. An arrow (->) is used to define a link between # two interfaces (parent -> child). An arrow with a single dash will # create an OwnerShip and a L2 link between the parent and the child. # An arrow with two dashes (-->) will only create a L2 link between the # parent and the child. # # Square brackets after the arrow is used to define additional metadata # of the link (->[key=value,..]). Each interface described will be # created in the topology excepted interfaces with the local prefix. # In that specific case the interface of the local host will be used. # Attributes of interfaces are declared using square brackets ([]). # The following example creates a TOR node linked to TOR_PORT1 linked # (l2 only) to TOR1_PORT1 linked to the TOR1 node, linked to TOR1_PORT2, # which is linked to the local interface eth0, with an l2 only link. fabric: {{ skydive_fabric | to_json }} # list of probes used by the analyzers probes: # - k8s # - istio k8s: # EXPERIMENTAL: k8s probe is still under development and should not be used # on production systems # kubeconfig resolution order: # - if config_file param is defined then use it; # - else if $KUBECONFIG environment is define then use it; # - else if $HOME/.kube/config file exists then use it; # - else use empty configuration (for accessing from within the k8s cluster). # specify the path of k8s configuration YAML file. # config_file: /etc/skydive/kubeconfig # list of (sub) probes comprising k8s probe. # if list is empty then will resolve to all existing (sub) probes. probes: - cluster - container - cronjob - deployment - endpoints - ingress - job - namespace - networkpolicy - node - persistentvolume - persistentvolumeclaim - pod - replicaset - replicationcontroller - service - statefulset - storageclass istio: # specify the path of istio configuration YAML file. # config_file: /etc/skydive/kubeconfig # EXPERIMENTAL: istio probe is still under development and should not be used # on production systems probes: - destinationrule - gateway - quotaspec - quotaspecbinding - serviceentry - virtualservice replication: # debug: false {% endif %} # list of analyzers used by analyzers and agents {% set analyzers = [] %} {% for node in groups['skydive_analyzers'] %} {% set _ansible_interface_name = hostvars[node]['skydive_network_device'] | default(hostvars[node]['ansible_default_ipv4']['interface']) | replace('-', '_') %} {% set _ = analyzers.append((hostvars[node]['skydive_bind_address'] | default(hostvars[node]["ansible_" ~ _ansible_interface_name]['ipv4']['address'])) ~ ':' ~ skydive_analyzer_port) %} {% endfor %} analyzers: {{ analyzers | to_json }} {% if inventory_hostname in groups['skydive_agents'] %} agent: # address and port for the agent API, Format: addr:port. # Default addr is 127.0.0.1 listen: {{ (skydive_bind_address | default(hostvars[inventory_hostname]["ansible_" ~ (skydive_network_device | replace('-', '_') | string)]['ipv4']['address'])) ~ ':' ~ skydive_agent_port }} auth: # auth section for API request api: # Specify the name of the auth backend definition, see auth section. backend: {{ skydive_auth_type }} cluster: # Specify username, password for cluster authentication. Used for agent/analyzer communication. username: {{ skydive_cluster_username }} password: {{ skydive_cluster_password }} topology: # Probes used to capture topology information like interfaces, # bridges, namespaces, etc... # Available: ovsdb, docker, neutron, opencontrail, socketinfo, lxd, lldp {% if skydive_docker_exists | bool %} {% set _ = skydive_probes.append('docker') %} {% endif %} {% if skydive_ovs_db_exists | bool %} {% set _ = skydive_probes.append('ovsdb') %} {% endif %} {% if skydive_openstack_enabled | bool %} {% set _ = skydive_probes.append('neutron') %} {% endif %} probes: {{ skydive_probes | to_json }} netlink: # delay in seconds between two metric updates metrics_update: 30 {% if skydive_openstack_enabled | bool %} # Define OpenStack Neutron credentials and the enpoint type # used by the neutron probe neutron: auth_url: {{ skydive_os_auth_url | default(clouds_yaml['clouds'][skydive_os_cloud]['auth']['auth_url']) }} username: {{ skydive_os_service_user }} password: {{ skydive_os_service_password }} tenant_name: {{ skydive_os_project_name }} region_name: {{ skydive_os_region_name | default(clouds_yaml['clouds'][skydive_os_cloud]['region_name']) }} domain_name: {{ skydive_os_domain_name }} ssl_insecure: {{ not (skydive_os_service_insecure | bool) }} endpoint_type: {{ skydive_os_endpoint_type | default(clouds_yaml['clouds'][skydive_os_cloud]['interface']) }} {% endif %} lldp: # Interfaces to listen for LLDP frames. If no list is specified, # use all interfaces interfaces: {% if skydive_libvirt_exists | bool %} libvirt: url: qemu:///system {% endif %} {% if skydive_runc_exists | bool %} runc: run_path: - /var/run/runc {% endif %} capture: # Period in second to get capture stats from the probe. Note this # stats_update: 1 metadata: # info: This is compute node dpdk: # DPDK port listening flows from ports: # - 0 # - 1 # nb workers per port # workers: 4 # debug message every n seconds # debug: 1 {% if skydive_ovs_db_exists | bool %} sflow: # Default listening address is 127.0.0.1 # bind_address: 127.0.0.1 # Port min/max used when starting a sflow probe, a agent will be started # with a port from this range # port_min: 6345 # port_max: 6355 ovs: # ovsdb connection, Format supported : # * addr:port # * tcp://addr:port # * unix:///var/run/openvswitch/db.sock # If you use the tcp connection you need to authorize connexion to ovsdb agent # at least locally # % sudo ovs-appctl -t ovsdb-server ovsdb-server/add-remote ptcp:6400:127.0.0.1 ovsdb: unix://{{ skydive_ovs_db_socket }} oflow: # Enable the parsing of openflow rules (disabled by default) # enable: false # Openflow versions used by ovs-ofctl when queries are made to the # switch. 1.0 should always be supported. 1.3 gives a nicer output and # it is recommended to add it if it is supported. # 1.4 can be broken on some switch, 1.5 and 1.6 are still considered # as experimental. # openflow_versions: # - OpenFlow10 # The probe can connect to remote bridge over TLS (ssl url). # The default value is empty for those options. # Path to the private key file (TLS connection) # key: /etc/ssl/private/agent.key # Path to the certificate associated to the key (TLS connection) # cert: /etc/ssl/certs/agent.crt # Path to certificate authority validating bridge connections (TLS connection) # ca: /etc/ssl/certs/ca.crt address: # Map translating bridge names into URL for remote connection # - bridge: ssl:xxx.yyy.zzz.ttt:port {% endif %} {% if skydive_docker_exists | bool %} docker: url: unix://{{ skydive_docker_socket }} {% endif %} netns: # allow to specify where the netns probe is watching network namespace run_path: /var/run/netns opencontrail: # Host address of the OpenContrail vrouter agent # host: localhost # TCP port of the OpenContrail vrouter agent # port: 8086 # UDP dest port for MPLS traffic # mpls_udp_port: 51234 {% endif %} {% if inventory_hostname in groups['skydive_analyzers'] %} storage: # Elasticsearch backend information. myelasticsearch: driver: elasticsearch host: "127.0.0.1:19200" # Define the maximum delay before flushing document # bulk_maxdelay: 5 # If a limit is specified, when the index reaches it, it is rolled. # index_entries_limit specifies the maximum number of entries allowed in an index. # index_age_limit specifies the maximum age (in minutes) allowed for an index. # For both limits, a value of 0 specifies that there is no limitation. # index_entries_limit: 0 # index_age_limit: 0 # The number of indices to keep before deleting. # A value of 0 specifies no limit (i.e. indices will never be deleted) # indices_to_keep: 0 # OrientDB backend information. myorientdb: # driver: orientdb # addr: http://127.0.0.1:2480 # database: Skydive # username: root # password: hello # Memory backend mymemory: # driver: memory {% endif %} logging: level: {{ skydive_log_level }} # Default backend used: stderr backends: # - stderr # - stdout - file # - syslog # configuration of the 'file' backend {% if (inventory_hostname in groups['skydive_analyzers']) and (inventory_hostname in groups['skydive_agents']) %} {% set _log_segment = 'aio' %} {% elif (inventory_hostname in groups['skydive_analyzers']) %} {% set _log_segment = 'analyzer' %} {% else %} {% set _log_segment = 'agent' %} {% endif %} file: path: /var/log/skydive-{{ _log_segment }}.log # configuration encoder could be for all backends or for specific one # encoder: json # color: false auth: mybasic: # Define a basic auth authentication backend type: basic # Specify the htpassword file to be used file: {{ skydive_basic_auth_file }} # Users can be declared in this section instead of using a file. # users: # user1: secret1 # user2: secret2 {% if skydive_openstack_enabled | bool %} mykeystone: # Define a basic auth authentication backend type: keystone auth_url: {{ skydive_os_auth_url | default(clouds_yaml['clouds'][skydive_os_cloud]['auth']['auth_url']) }} # define the tenant and the domain that the users have to belong to tenant_name: {{ skydive_os_project_name }} domain_name: {{ skydive_os_domain_name }} # define which role an authenticated user will have. Only used for API authentication. # two roles are predefined, admin and guest. role: {{ skydive_os_user_role }} {% endif %} {% if inventory_hostname in groups['skydive_analyzers'] %} etcd: # server parameters # when 'embedded' is set to true, the analyzer will start an embedded etcd server embedded: {{ skydive_etcd_embedded }} listen: {{ skydive_etcd_listen_uri }} # maximum number of WAL and snapshot files. 0 means unlimited # max_wal_files: 0 # max_snap_files: 0 # path where the etcd files will be stored. data_dir: /var/lib/skydive/etcd # client parameters {% if skydive_etcd_servers %} servers: {{ skydive_etcd_servers | to_json }} {% endif %} # name to use for clustering, by default it is set to the host id name: {{ inventory_hostname }} # list of peers for etcd clustering between analyzers # each entry is composed of the peer name and the endpoints for this peer {% set peers = {} %} {% for node in groups['skydive_analyzers'] %} {% if node in ansible_play_hosts %} {% set _ansible_interface_name = hostvars[node]['skydive_network_device'] | default(hostvars[node]['ansible_default_ipv4']['interface']) | replace('-', '_') %} {% set _ = peers.__setitem__(inventory_hostname, 'http://' ~ (hostvars[node]['skydive_bind_address'] | default(hostvars[node]["ansible_" ~ _ansible_interface_name]['ipv4']['address'])) ~ ':' ~ skydive_etcd_port) %} {% endif %} {% endfor %} peers: {{ skydive_etcd_peers | default(peers) | to_json }} # client_timeout: 5 {% endif %} {% if inventory_hostname in groups['skydive_agents'] %} flow: # Without any new packets, a flow expires after flow.expire # seconds # expire: 600 # Seconds between flow updates (metrics, enhancements,...) # update: 60 # Protocol to use to send flows to the analyzer: websocket or udp protocol: {{ skydive_flow_protocol }} # Define the layer key mode used by default for captures. The key mode defines # the layers used to identify a unique flow. # * L2, this mode includes layer 2 and beyond. # * L3, this mode includes layer 3 and beyond and takes layer 2 if there is no layer 3. # default_layer_key_mode: L2 # Set the application field according to the following port mapping application_ports: tcp: # 80: HTTP # 8080: HTTP # 443: HTTPS # 1194: OPENVPN udp: # 1194: OPENVPN {% endif %} {% if inventory_hostname in groups['skydive_analyzers'] %} ui: # Specify the extra assets folder. Javascript and CSS files present in this # folder will be added to the WebUI. # extra_assets: /usr/share/skydive/assets # select between light, dark themes theme: light # Settings specific to the topology view topology: # Pre-defined Gremlin expression used in the WebUI for Filtering and Highlighting. # Note: Key should be in lower case favorites: # namespaces: "g.V().Has('Type', 'netns').OutE().BothV()" # layer2: "g.E().Has('RelationType', 'layer2')" # Highlight Gremlin expression used by default and applied on WebUI load. # default_highlight: "layer2" # Filter Gremlin expression used by default and applied on WebUI load. # default_filter: "layer2" # update rate of links in seconds bandwidth_update_rate: 5 # 'absolute' - thresholds in Kbit # 'relative' - thresholds in % relative to link speed reported by netlink bandwidth_threshold: absolute bandwidth_absolute_active: 1 bandwidth_absolute_warning: 10 bandwidth_absolute_alert: 100 bandwidth_relative_active: 0.1 bandwidth_relative_warning: 0.4 bandwidth_relative_alert: 0.8 # Enable/disable ssh to hosts # ssh_enabled: false # Enable/disable k8s related elements # k8s_enabled: false bpf: # Pre-defined BPF filters favorites: # filter1: ip broadcast # filter2: ip multicast rbac: model: # RBAC model # request_definition: # - sub, obj, act # policy_definition: # - sub, obj, act, eft # role_definition: # - _, _ # policy_effect: # - some(where (p_eft == allow)) && !some(where (p_eft == deny)) # matchers: # - g(r.sub, p.sub) && r.obj == p.obj && r.act == p.act policy: # additional RBAC policy: # - p, myuser, capture, write, deny # - g, myuser, myrole {% endif %}