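# Sample configuration for the neutron-vpnaas OVN agent (neutron.vpnaas.ovn_agent).
# Generated by oslo-config-generator: every option below is shown commented out
# with its default value. Uncomment a line to override the default.

[DEFAULT]


[ipsec]

#
# From neutron.vpnaas.ovn_agent
#

# Location to store ipsec server config files (string value)
# NOTE(review): the rendered IPsec configuration (and presumably the rendered
# secrets file) is written below this directory; keep it owned by the agent
# user and not world-readable.
#config_base_dir = $state_path/ipsec

# Interval for checking ipsec status (integer value)
#ipsec_status_check_interval = 60

# Enable detailed logging for the ipsec pluto process. If the flag is set to
# True, the detailed log is written to a log file below config_base_dir.
# Note: This setting applies to OpenSwan and LibreSwan only. StrongSwan logs
# to syslog. Detailed pluto logs can include IKE negotiation details, so treat
# them as sensitive. (boolean value)
#enable_detailed_logging = false


[ovn]

#
# From neutron.vpnaas.ovn_agent
#

# The connection string for the OVN_Northbound OVSDB.
# Use tcp:IP:PORT for a TCP connection.
# Use ssl:IP:PORT for an SSL connection. The ovn_nb_private_key,
# ovn_nb_certificate and ovn_nb_ca_cert options are then mandatory.
# Use unix:FILE for a unix domain socket connection.
# Multiple connections can be specified as a comma separated string. See also:
# https://github.com/openvswitch/ovs/blob/ab4d3bfbef37c31331db5a9dbe7c22eb8d5e5e5f/python/ovs/db/idl.py#L215-L216
# NOTE(review): tcp: provides neither authentication nor encryption of the
# OVSDB session; use it only on loopback or an isolated management network
# and prefer ssl: for any connection that leaves the host.
# (string value)
#ovn_nb_connection = tcp:127.0.0.1:6641

# The PEM file with the private key for the SSL connection to the OVN-NB-DB
# (string value)
#ovn_nb_private_key =

# The PEM file with the certificate that certifies the private key specified
# in ovn_nb_private_key (string value)
#ovn_nb_certificate =

# The PEM file with the CA certificate that OVN should use to verify
# certificates presented to it by SSL peers (string value)
#ovn_nb_ca_cert =

# The connection string for the OVN_Southbound OVSDB.
# Use tcp:IP:PORT for a TCP connection.
# Use ssl:IP:PORT for an SSL connection. The ovn_sb_private_key,
# ovn_sb_certificate and ovn_sb_ca_cert options are then mandatory.
# Use unix:FILE for a unix domain socket connection.
# Multiple connections can be specified as a comma separated string. See also:
# https://github.com/openvswitch/ovs/blob/ab4d3bfbef37c31331db5a9dbe7c22eb8d5e5e5f/python/ovs/db/idl.py#L215-L216
# NOTE(review): as for ovn_nb_connection, tcp: is unauthenticated and
# unencrypted; prefer ssl: for anything that is not loopback.
# (string value)
#ovn_sb_connection = tcp:127.0.0.1:6642

# The PEM file with the private key for the SSL connection to the OVN-SB-DB
# (string value)
#ovn_sb_private_key =

# The PEM file with the certificate that certifies the private key specified
# in ovn_sb_private_key (string value)
#ovn_sb_certificate =

# The PEM file with the CA certificate that OVN should use to verify
# certificates presented to it by SSL peers (string value)
#ovn_sb_ca_cert =

# Timeout, in seconds, for the OVSDB connection transaction (integer value)
#ovsdb_connection_timeout = 180

# Max interval, in seconds, between each retry to get the OVN NB and SB IDLs
# (integer value)
#ovsdb_retry_max_interval = 180

# The probe interval for the OVSDB session, in milliseconds. If this is zero,
# it disables the connection keepalive feature. If non-zero the value will be
# forced to at least 1000 milliseconds. Defaults to 60 seconds. (integer value)
# Minimum value: 0
#ovsdb_probe_interval = 60000

# The synchronization mode of the OVN_Northbound OVSDB with the Neutron DB.
# off - synchronization is off
# log - during neutron-server startup, check whether OVN is in sync with the
# Neutron database. Log warnings for any inconsistencies found so that an
# admin can investigate
# repair - during neutron-server startup, automatically create resources found
# in Neutron but not in OVN. Also remove resources from OVN that are no longer
# in Neutron.
# migrate - This mode is for the OVS to OVN migration. It syncs the DB just
# like repair mode but additionally fixes the Neutron DB resources from OVS to
# OVN. (string value)
# Possible values:
# off - <No description provided>
# log - <No description provided>
# repair - <No description provided>
# migrate - <No description provided>
#neutron_sync_mode = log

# The OVN L3 scheduler type used to schedule router gateway ports on
# hypervisors/chassis.
# leastloaded - chassis with fewest gateway ports selected
# chance - chassis randomly selected (string value)
# Possible values:
# leastloaded - <No description provided>
# chance - <No description provided>
#ovn_l3_scheduler = leastloaded

# Enable distributed floating IP support.
# If True, the NAT action for floating IPs will be done locally and not in the
# centralized gateway. This shortens the path to the external network. It
# requires the operator to configure the physical network map (i.e.
# ovn-bridge-mappings) on each compute node. (boolean value)
#enable_distributed_floating_ip = false

# The directory in which vhost virtio sockets are created by all the vswitch
# daemons (string value)
#vhost_sock_dir = /var/run/openvswitch

# Default lease time (in seconds) to use with OVN's native DHCP service.
# (integer value)
#dhcp_default_lease_time = 43200

# The log level used for OVSDB (string value)
# Possible values:
# CRITICAL - <No description provided>
# ERROR - <No description provided>
# WARNING - <No description provided>
# INFO - <No description provided>
# DEBUG - <No description provided>
#ovsdb_log_level = INFO

# Whether to use the metadata service. (boolean value)
#ovn_metadata_enabled = false

# Comma-separated list of the DNS servers which will be used as forwarders if a
# subnet's dns_nameservers field is empty. If both the subnet's dns_nameservers
# and this option are empty, then the DNS resolvers on the host running the
# neutron server will be used. (list value)
#dns_servers =

# Dictionary of global DHCPv4 options which will be automatically set on each
# subnet upon creation and on all existing subnets when Neutron starts.
# An empty value for a DHCP option will cause that option to be unset globally.
# EXAMPLES:
# - ntp_server:1.2.3.4,wpad:1.2.3.5 - Set ntp_server and wpad
# - ntp_server:,wpad:1.2.3.5 - Unset ntp_server and set wpad
# See the ovn-nb(5) man page for available options.
# NOTE(review): options set here reach every subnet of every tenant; options
# such as wpad (proxy auto-discovery) steer client traffic, so point them only
# at hosts you control. (dict value)
#ovn_dhcp4_global_options =

# Dictionary of global DHCPv6 options which will be automatically set on each
# subnet upon creation and on all existing subnets when Neutron starts.
# An empty value for a DHCPv6 option will cause that option to be unset
# globally.
# See the ovn-nb(5) man page for available options. (dict value)
#ovn_dhcp6_global_options =

# Configure OVN to emit "need to frag" packets in case of MTU mismatches.
# Before enabling this option make sure that it is supported by the host kernel
# (version >= 5.2) or by checking the output of the following command:
# ovs-appctl -t ovs-vswitchd dpif/show-dp-features br-int | grep "Check pkt
# length action". (boolean value)
#ovn_emit_need_to_frag = false

# Disable OVN's built-in DHCP for baremetal ports (VNIC type "baremetal"). This
# allows operators to plug in their own DHCP server of choice for PXE booting
# baremetal nodes. OVN 23.06.0 and newer also supports baremetal ``PXE`` based
# provisioning over IPv6. If an older version of OVN is used for baremetal
# provisioning over IPv6 this option should be set to "True" and
# neutron-dhcp-agent should be used instead. Defaults to "False".
# (boolean value)
#disable_ovn_dhcp_for_baremetal_ports = false

# DEPRECATED: If OVN older than 21.06 is used together with Neutron, this
# option should be set to ``False`` in order to disable the
# ``stateful-security-group`` API extension, as the ``allow-stateless``
# keyword is only supported by OVN >= 21.06. (boolean value)
# This option is deprecated for removal since 2023.1.
# Its value may be silently ignored in the future.
#allow_stateless_action_supported = true

# If enabled, localnet ports are allowed to learn MAC addresses and store them
# in the FDB SB table. This avoids flooding for traffic towards unknown IPs
# when port security is disabled. It requires OVN 22.09 or newer.
# (boolean value)
#localnet_learn_fdb = false

# The number of seconds to keep FDB entries in the OVN DB. The value defaults
# to 0, which means disabled. This is supported by OVN >= 23.09.
# (integer value)
# Minimum value: 0
#fdb_age_threshold = 0

# The number of seconds to keep MAC_Binding entries in the OVN DB. 0 disables
# aging. (integer value)
# Minimum value: 0
#mac_binding_age_threshold = 0

# If enabled (default) OVN will flood ARP requests to all attached ports on a
# network. If set to False, ARP requests are only sent to routers on that
# network if the target MAC address matches. ARP requests that do not match a
# router will only be forwarded to non-router ports. Supported by OVN >= 23.06.
# (boolean value)
#broadcast_arps_to_all_routers = true

# Whether to configure SNAT for all nested subnets connected to the router
# through any other routers, similar to the default ML2/OVS behavior. Defaults
# to "False". (boolean value)
#ovn_router_indirect_snat = false


[ovs]

#
# From neutron.vpnaas.ovn_agent
#

# The connection string for the native OVSDB backend.
# Use tcp:IP:PORT for a TCP connection.
# Use unix:FILE for a unix domain socket connection.
# NOTE(review): no ssl: form is documented for this option, and tcp: is
# unauthenticated; keep the default local unix: socket unless the TCP endpoint
# is confined to the host. (string value)
#ovsdb_connection = unix:/usr/local/var/run/openvswitch/db.sock

# Timeout in seconds for the OVSDB connection transaction (integer value)
#ovsdb_connection_timeout = 180


[pluto]

#
# From neutron.vpnaas.ovn_agent
#

# Initial interval in seconds for checking whether the pluto daemon has shut
# down (integer value)
#shutdown_check_timeout = 1

# The maximum number of retries for checking for pluto daemon shutdown (integer
# value)
#shutdown_check_retries = 5

# A factor by which the retry interval is increased on each retry (floating
# point value)
#shutdown_check_back_off = 1.5

# Enable this flag to avoid unnecessary restarts of the pluto daemon (boolean
# value)
#restart_check_config = false


[strongswan]

#
# From neutron.vpnaas.ovn_agent
#

# NOTE(review): the /home/zuul/... paths shown as defaults below are an
# artifact of the machine that generated this sample (a CI checkout). The
# effective default is the matching template inside the installed
# neutron_vpnaas package; verify against your installation before overriding.

# Template file for ipsec configuration. (string value)
#ipsec_config_template = /home/zuul/src/opendev.org/openstack/neutron-vpnaas/neutron_vpnaas/services/vpn/device_drivers/template/strongswan/ipsec.conf.template

# Template file for strongswan configuration. (string value)
#strongswan_config_template = /home/zuul/src/opendev.org/openstack/neutron-vpnaas/neutron_vpnaas/services/vpn/device_drivers/template/strongswan/strongswan.conf.template

# Template file for ipsec secret configuration. (string value)
# NOTE(review): the file rendered from this template carries the IPsec
# connections' authentication secrets; a custom template must not leak them
# (e.g. into logs) and the rendered file must not be world-readable.
#ipsec_secret_template = /home/zuul/src/opendev.org/openstack/neutron-vpnaas/neutron_vpnaas/services/vpn/device_drivers/template/strongswan/ipsec.secret.template

# The area where the default StrongSwan configuration files are located.
# (string value)
#default_config_area = /etc/strongswan.d


[vpnagent]

#
# From neutron.vpnaas.ovn_agent
#

# The OVN VPN device drivers Neutron will use (multi valued)
#
# This option has a sample default set, which means that
# its actual default value may vary from the one documented
# below.
#vpn_device_driver = neutron_vpnaas.services.vpn.device_drivers.ovn_ipsec.OvnStrongSwanDriver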