[DEFAULT] # User name for NSX controller # nsx_user = admin # Password for NSX controller # nsx_password = admin # Time before aborting a request on an unresponsive controller (Seconds) # http_timeout = 75 # Maximum number of times a particular request should be retried # retries = 2 # Maximum number of times a redirect response should be followed # redirects = 2 # Comma-separated list of NSX controller endpoints (:). When port # is omitted, 443 is assumed. This option MUST be specified, e.g.: # nsx_controllers = xx.yy.zz.ww:443, aa.bb.cc.dd, ee.ff.gg.hh.ee:80 # UUID of the pre-existing default NSX Transport zone to be used for creating # tunneled isolated "Neutron" networks. This option MUST be specified, e.g.: # default_tz_uuid = 1e8e52cf-fa7f-46b0-a14a-f99835a9cb53 # (Optional) UUID for the default l3 gateway service to use with this cluster. # To be specified if planning to use logical routers with external gateways. # default_l3_gw_service_uuid = # (Optional) UUID for the default l2 gateway service to use with this cluster. # To be specified for providing a predefined gateway tenant for connecting their networks. # default_l2_gw_service_uuid = # (Optional) UUID for the default service cluster. A service cluster is introduced to # represent a group of gateways and it is needed in order to use Logical Services like # dhcp and metadata in the logical space. NOTE: If agent_mode is set to 'agentless' this # config parameter *MUST BE* set to a valid pre-existent service cluster uuid. # default_service_cluster_uuid = # Name of the default interface name to be used on network-gateway. This value # will be used for any device associated with a network gateway for which an # interface name was not specified # nsx_default_interface_name = breth0 # Reconnect connection to nsx if not used within this amount of time. # conn_idle_timeout = 900 # Specify the class path for the Layer 2 gateway backend driver(i.e. NSXv3/NSX-V). # This field will be used when a L2 Gateway service plugin is configured. # nsx_l2gw_driver = # (Optional) URL for distributed locking coordination resource for lock manager # This value is passed as a parameter to tooz coordinator. # By default, value is None and oslo_concurrency is used for single-node # lock management. # locking_coordinator_url = [quotas] # number of network gateways allowed per tenant, -1 means unlimited # quota_network_gateway = 5 [nsxv] # URL for NSXv manager # manager_uri = https://management_ip # User name for NSXv manager # user = admin # Password for NSXv manager # password = default # Specify a CA bundle file to use in verifying the NSXv server certificate. # ca_file = # If True, the NSXv server certificate is not verified. If False, # then the default CA truststore is used for verification. This option # is ignored if "ca_file" is set. # insecure = True # (Required) Datacenter MoRef ID for Edge deployment # datacenter_moid = # (Required) Cluster MoRef IDs for OpenStack compute clusters, comma separated # cluster_moid = # (Optional) Deployment Container MoRef ID for NSX Edge deployment # If not specified, either a default global container will be used, or # the resource pool and datastore specified below will be used # deployment_container_id = # (Optional) Resource pool MoRef ID for NSX Edge deployment # resource_pool_id = # (Optional) Datastore MoRef ID for NSX Edge deployment # datastore_id = # (Required) Portgroup MoRef ID for Edge physical network connectivity # external_network = # (Optional) Asynchronous task status check interval # default is 2000 (millisecond) # task_status_check_interval = 2000 # (Optional) Transport Zone MoRef ID for VXLAN logical networks # vdn_scope_id = # (Optional) DVS MoRef ID for DVS connected to Management / Edge cluster # dvs_id = # (ListOpt) Define backup edge pool's management range with the four-tuple: # :[edge_size]::. # edge_type:'service'(service edge) or 'vdr'(distributed edge). # edge_size: 'compact', 'large'(by default), 'xlarge' or 'quadlarge'. # # By default, edge pool manager would manage service edge # with compact&&large size and distributed edge with large size as following: # backup_edge_pool = service:large:4:10,service:compact:4:10,vdr:large:4:10 # (Optional) Maximum number of sub interfaces supported per vnic in edge # default is 20 # maximum_tunnels_per_vnic = 20 # Maximum number of API retries # retries = 10 # (Optional) Portgroup MoRef ID for metadata proxy management network # mgt_net_moid = # (Optional) Management network IP address for metadata proxy, comma separated # mgt_net_proxy_ips = # (Optional) Management network netmask for metadata proxy # mgt_net_proxy_netmask = # (Optional) Management network default gateway for metadata proxy # mgt_net_default_gateway = # (Optional) IP addresses used by Nova metadata service # nova_metadata_ips = # (Optional) TCP Port used by Nova metadata server # nova_metadata_port = 8775 # (Optional) Shared secret to sign metadata requests # metadata_shared_secret = # (Optional) If True, the end to end connection for metadata service is # not verified. If False, the default CA truststore is used for verification. # metadata_insecure = # (Optional) Client certificate to use when metadata connection is to be # verified. If not provided, a self signed certificate will be used. # metadata_nova_client_cert = # (Optional) Private key to use for client certificate # metadata_nova_client_priv_key = # (Optional) Indicates if Nsxv spoofguard component is used to implement # port-security feature. # spoofguard_enabled = True # (Optional) Deploys NSX Edges in HA mode # edge_ha = False # (Optional) Edge appliance size to be used for creating exclusive router. # Valid values: ['compact', 'large', 'xlarge', 'quadlarge'] # This exclusive_router_appliance_size will be picked up if --router-size # parameter is not specified while doing neutron router-create # exclusive_router_appliance_size = compact # (ListOpt) Ordered list of router_types to allocate as tenant routers. # It limits the router types that the Nsxv can support for tenants: # distributed: router is supported by distributed edge at the backend. # shared: multiple routers share the same service edge at the backend. # exclusive: router exclusively occupies one service edge at the backend. # Nsxv would select the first available router type from tenant_router_types # list if router-type is not specified. # If the tenant defines the router type with "--distributed", # "--router_type exclusive" or "--router_type shared", Nsxv would verify that # the router type is in tenant_router_types. # Admin supports all these three router types # # tenant_router_types = shared, distributed, exclusive # Example: tenant_router_types = distributed, shared # (Optional) Enable an administrator to configure the edge user and password # Username to configure for Edge appliance login # edge_appliance_user = # (Optional) Password to configure for Edge appliance login # edge_appliance_password = # (Optional) DHCP lease time # dhcp_lease_time = 86400 # (Optional) Indicates whether distributed-firewall rule for security-groups # blocked traffic is logged. # log_security_groups_blocked_traffic = False # (Optional) Indicates whether distributed-firewall security-groups rules are # logged. # log_security_groups_allowed_traffic = False [nsx] # Maximum number of ports for each bridged logical switch # The recommended value for this parameter varies with NSX version # Please use: # NSX 2.x -> 64 # NSX 3.0, 3.1 -> 5000 # NSX 3.2 -> 10000 # max_lp_per_bridged_ls = 5000 # Maximum number of ports for each overlay (stt, gre) logical switch # max_lp_per_overlay_ls = 256 # Number of connections to each controller node. # default is 10 # concurrent_connections = 10 # Number of seconds a generation id should be valid for (default -1 meaning do not time out) # nsx_gen_timeout = -1 # Acceptable values for 'metadata_mode' are: # - 'access_network': this enables a dedicated connection to the metadata # proxy for metadata server access via Neutron router. # - 'dhcp_host_route': this enables host route injection via the dhcp agent. # This option is only useful if running on a host that does not support # namespaces otherwise access_network should be used. # metadata_mode = access_network # The default network transport type to use (stt, gre, bridge, ipsec_gre, or ipsec_stt) # default_transport_type = stt # Specifies in which mode the plugin needs to operate in order to provide DHCP and # metadata proxy services to tenant instances. If 'agent' is chosen (default) # the NSX plugin relies on external RPC agents (i.e. dhcp and metadata agents) to # provide such services. In this mode, the plugin supports API extensions 'agent' # and 'dhcp_agent_scheduler'. If 'agentless' is chosen (experimental in Icehouse), # the plugin will use NSX logical services for DHCP and metadata proxy. This # simplifies the deployment model for Neutron, in that the plugin no longer requires # the RPC agents to operate. When 'agentless' is chosen, the config option metadata_mode # becomes ineffective. The 'agentless' mode works only on NSX 4.1. # Furthermore, a 'combined' mode is also provided and is used to support existing # deployments that want to adopt the agentless mode. With this mode, existing networks # keep being served by the existing infrastructure (thus preserving backward # compatibility, whereas new networks will be served by the new infrastructure. # Migration tools are provided to 'move' one network from one model to another; with # agent_mode set to 'combined', option 'network_auto_schedule' in neutron.conf is # ignored, as new networks will no longer be scheduled to existing dhcp agents. # agent_mode = agent # Specifies which mode packet replication should be done in. If set to service # a service node is required in order to perform packet replication. This can # also be set to source if one wants replication to be performed locally (NOTE: # usually only useful for testing if one does not want to deploy a service node). # In order to leverage distributed routers, replication_mode should be set to # "service". # replication_mode = service [nsx_sync] # Interval in seconds between runs of the status synchronization task. # The plugin will aim at resynchronizing operational status for all # resources in this interval, and it should be therefore large enough # to ensure the task is feasible. Otherwise the plugin will be # constantly synchronizing resource status, ie: a new task is started # as soon as the previous is completed. # If this value is set to 0, the state synchronization thread for this # Neutron instance will be disabled. # state_sync_interval = 10 # Random additional delay between two runs of the state synchronization task. # An additional wait time between 0 and max_random_sync_delay seconds # will be added on top of state_sync_interval. # max_random_sync_delay = 0 # Minimum delay, in seconds, between two status synchronization requests for NSX. # Depending on chunk size, controller load, and other factors, state # synchronization requests might be pretty heavy. This means the # controller might take time to respond, and its load might be quite # increased by them. This parameter allows to specify a minimum # interval between two subsequent requests. # The value for this parameter must never exceed state_sync_interval. # If this does, an error will be raised at startup. # min_sync_req_delay = 1 # Minimum number of resources to be retrieved from NSX in a single status # synchronization request. # The actual size of the chunk will increase if the number of resources is such # that using the minimum chunk size will cause the interval between two # requests to be less than min_sync_req_delay # min_chunk_size = 500 # Enable this option to allow punctual state synchronization on show # operations. In this way, show operations will always fetch the operational # status of the resource from the NSX backend, and this might have # a considerable impact on overall performance. # always_read_status = False [nsx_lsn] # Pull LSN information from NSX in case it is missing from the local # data store. This is useful to rebuild the local store in case of # server recovery # sync_on_missing_data = False [nsx_dhcp] # (Optional) Comma separated list of additional dns servers. Default is an empty list # extra_domain_name_servers = # Domain to use for building the hostnames # domain_name = openstacklocal # Default DHCP lease time # default_lease_time = 43200 [nsx_metadata] # IP address used by Metadata server # metadata_server_address = 127.0.0.1 # TCP Port used by Metadata server # metadata_server_port = 8775 # When proxying metadata requests, Neutron signs the Instance-ID header with a # shared secret to prevent spoofing. You may select any string for a secret, # but it MUST match with the configuration used by the Metadata server # metadata_shared_secret = [nsx_v3] # IP address of one or more NSX managers separated by commas. # The IP address should be of the form: # [://][:] # If scheme is not provided https is used. If port is not provided # port 80 is used for http and port 443 for https. # nsx_api_managers = 1.2.3.4 # User name of NSX Manager # nsx_api_user = admin # Password of NSX Manager # nsx_api_password = default # UUID of the default NSX overlay transport zone that will be used for creating # tunneled isolated Neutron networks. If no physical network is specified when # creating a logical network, this transport zone will be used by default # default_overlay_tz_uuid = afc40f8a-4967-477e-a17a-9d560d1786c7 # (Optional) Only required when creating VLAN or flat provider networks. UUID # of default NSX VLAN transport zone that will be used for bridging between # Neutron networks, if no physical network has been specified # default_vlan_tz_uuid = afc40f8a-4967-477e-a17a-9d560d1786c7 # Maximum number of times to retry API requests upon stale revision errors. # retries = 10 # Specify a CA bundle file to use in verifying the NSX Manager # server certificate. This option is ignored if "insecure" is set to True. # If "insecure" is set to False and ca_file is unset, the system root CAs # will be used to verify the server certificate. # ca_file = # If true, the NSX Manager server certificate is not verified. If false # the CA bundle specified via "ca_file" will be used or if unset the # default system root CAs will be used. # insecure = True # The time in seconds before aborting a HTTP connection to a NSX manager. # http_timeout = 10 # The time in seconds before aborting a HTTP read response from a NSX manager. # http_read_timeout = 180 # Maximum number of times to retry a HTTP connection. # http_retries = 3 # Maximum number of connection connections to each NSX manager. # concurrent_connections = 10 # The amount of time in seconds to wait before ensuring connectivity to # the NSX manager if no manager connection has been used. # conn_idle_timeout = 10 # UUID of the default tier0 router that will be used for connecting to # tier1 logical routers and configuring external networks # default_tier0_router_uuid = 412983fd-9016-45e5-93f2-48ba2a931225 # (Optional) UUID of the default NSX bridge cluster that will be used to # perform L2 gateway bridging between VXLAN and VLAN networks. It is an # optional field. If default bridge cluster UUID is not specified, admin will # have to manually create a L2 gateway corresponding to a NSX Bridge Cluster # using L2 gateway APIs. This field must be specified on one of the active # neutron servers only. # default_bridge_cluster_uuid = # (Optional) The number of nested groups which are used by the plugin, # each Neutron security-groups is added to one nested group, and each nested # group can contain as maximum as 500 security-groups, therefore, the maximum # number of security groups that can be created is # 500 * number_of_nested_groups. # The default is 8 nested groups, which allows a maximum of 4k security-groups, # to allow creation of more security-groups, modify this figure. # number_of_nested_groups = # Acceptable values for 'metadata_mode' are: # - 'access_network': this enables a dedicated connection to the metadata # proxy for metadata server access via Neutron router. # - 'dhcp_host_route': this enables host route injection via the dhcp agent. # This option is only useful if running on a host that does not support # namespaces otherwise access_network should be used. # metadata_mode = access_network # If True, an internal metadata network will be created for a router only when # the router is attached to a DHCP-disabled subnet. # metadata_on_demand = False # (Optional) Indicates whether distributed-firewall rule for security-groups # blocked traffic is logged. # log_security_groups_blocked_traffic = False # (Optional) Indicates whether distributed-firewall security-groups rules are # logged. # log_security_groups_allowed_traffic = False