Merge "Containerize HAProxy for the non-ha case"
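# puppet/services/kernel.yaml
#
# Heat service template for the "kernel" service: it publishes, as role_data,
# the kernel modules to load and the sysctl keys to set on a node. Most of the
# sysctl keys are host network hardening (ICMP redirects, router
# advertisements, martian logging) or capacity tuning (conntrack, neighbour
# table, backlog).
heat_template_version: pike

description: >
  Load kernel modules with kmod and configure kernel options with sysctl.

parameters:
  # ServiceNetMap, DefaultPasswords, RoleName, RoleParameters and EndpointMap
  # are declared but not referenced anywhere in this template; presumably they
  # are part of the interface every service template shares - confirm.
  ServiceNetMap:
    default: {}
    description: Mapping of service_name -> network name. Typically set
                 via parameter_defaults in the resource registry.  This
                 mapping overrides those in ServiceNetMapDefaults.
    type: json
  DefaultPasswords:
    default: {}
    type: json
  RoleName:
    default: ''
    description: Role name on which the service is applied
    type: string
  RoleParameters:
    default: {}
    description: Parameters specific to the role
    type: json
  EndpointMap:
    default: {}
    description: Mapping of service endpoint -> protocol. Typically set
                 via parameter_defaults in the resource registry.
    type: json
  KernelPidMax:
    default: 1048576
    description: Configures sysctl kernel.pid_max key
    type: number
  # NOTE(review): this is a 0/1 switch passed straight into two sysctl keys,
  # but nothing restricts it to those values. Consider adding
  #   constraints:
  #     - allowed_values: [0, 1]
  # once callers are confirmed to pass only 0 or 1.
  KernelDisableIPv6:
    default: 0
    description: Configures sysctl net.ipv6.conf.{default/all}.disable_ipv6 keys
    type: number
  # NOTE(review): the three thresholds are independent parameters; nothing here
  # enforces gc_thresh1 <= gc_thresh2 <= gc_thresh3 when they are overridden.
  NeighbourGcThreshold1:
    default: 1024
    description: Configures sysctl net.ipv4.neigh.default.gc_thresh1 value.
                 This is the minimum number of entries to keep in the ARP
                 cache. The garbage collector will not run if there are
                 fewer than this number of entries in the cache.
    type: number
  NeighbourGcThreshold2:
    default: 2048
    description: Configures sysctl net.ipv4.neigh.default.gc_thresh2 value.
                 This is the soft maximum number of entries to keep in the
                 ARP cache. The garbage collector will  allow the number of
                 entries to exceed this for 5 seconds before collection will
                 be performed.
    type: number
  NeighbourGcThreshold3:
    default: 4096
    description: Configures sysctl net.ipv4.neigh.default.gc_thresh3 value.
                 This is the hard maximum number of entries to keep in the
                 ARP cache. The garbage collector will always run if there
                 are more than this number of entries in the cache.
    type: number

outputs:
  role_data:
    description: Role data for the Kernel modules
    value:
      service_name: kernel
      config_settings:
        # The net.netfilter.* keys below only exist once nf_conntrack is
        # loaded; presumably that is why the modules are listed here.
        kernel_modules:
          nf_conntrack: {}
          nf_conntrack_proto_sctp: {}
        sysctl_settings:
          # Keepalive: first probe after 5 s idle, then 5 probes 1 s apart, so
          # a dead peer is detected after roughly 10 s. Host-wide, but only
          # sockets that enable SO_KEEPALIVE are affected.
          net.ipv4.tcp_keepalive_intvl:
            value: 1
          net.ipv4.tcp_keepalive_probes:
            value: 5
          net.ipv4.tcp_keepalive_time:
            value: 5
          # Never emit ICMP redirects.
          net.ipv4.conf.default.send_redirects:
            value: 0
          net.ipv4.conf.all.send_redirects:
            value: 0
          # NOTE(review): arp_accept=1 lets unsolicited (gratuitous) ARP create
          # new neighbour entries, which weakens resistance to ARP spoofing on
          # any L2 segment that is not fully trusted. Presumably required for
          # fast VIP failover - confirm, and rely on network-level ARP
          # protections where the segment is shared.
          net.ipv4.conf.all.arp_accept:
            value: 1
          # Ignore ICMP redirects. Both keys are needed: on a host that is not
          # forwarding, the kernel accepts redirects when EITHER the "all" or
          # the per-interface value is enabled, and "default" only seeds
          # interfaces created after it is set. The "all" key was missing,
          # unlike the send_redirects, secure_redirects and IPv6
          # accept_redirects pairs in this file.
          net.ipv4.conf.default.accept_redirects:
            value: 0
          net.ipv4.conf.all.accept_redirects:
            value: 0
          # Also refuse redirects that come from a listed default gateway.
          net.ipv4.conf.default.secure_redirects:
            value: 0
          net.ipv4.conf.all.secure_redirects:
            value: 0
          # Log packets with impossible source addresses; useful as a
          # spoofing/misrouting signal, so make sure kernel logs are collected.
          net.ipv4.conf.default.log_martians:
            value: 1
          net.ipv4.conf.all.log_martians:
            value: 1
          # Connection-tracking table size, set under two key names with the
          # same value. When the table is full new flows are dropped, so the
          # limit is also the headroom against connection floods.
          net.nf_conntrack_max:
            value: 500000
          net.netfilter.nf_conntrack_max:
            value: 500000
          net.ipv6.conf.default.disable_ipv6:
            value: {get_param: KernelDisableIPv6}
          net.ipv6.conf.all.disable_ipv6:
            value: {get_param: KernelDisableIPv6}
          # prevent neutron bridges from autoconfiguring ipv6 addresses
          # (with accept_ra=0 the host also ignores router advertisements, so
          # an unexpected RA on the segment cannot change its IPv6 routing)
          net.ipv6.conf.all.accept_ra:
            value: 0
          net.ipv6.conf.default.accept_ra:
            value: 0
          net.ipv6.conf.all.autoconf:
            value: 0
          net.ipv6.conf.default.autoconf:
            value: 0
          # Ignore ICMPv6 redirects.
          net.ipv6.conf.default.accept_redirects:
            value: 0
          net.ipv6.conf.all.accept_redirects:
            value: 0
          net.core.netdev_max_backlog:
            value: 10000
          kernel.pid_max:
            value: {get_param: KernelPidMax}
          # Only privileged users may read the kernel log, which keeps kernel
          # addresses and driver messages away from unprivileged processes.
          kernel.dmesg_restrict:
            value: 1
          # No core dumps for setuid or otherwise privilege-changed processes,
          # so their memory is not written where other users could read it.
          fs.suid_dumpable:
            value: 0
          # avoid neighbour table overflow on large deployments
          net.ipv4.neigh.default.gc_thresh1:
            value: {get_param: NeighbourGcThreshold1}
          net.ipv4.neigh.default.gc_thresh2:
            value: {get_param: NeighbourGcThreshold2}
          net.ipv4.neigh.default.gc_thresh3:
            value: {get_param: NeighbourGcThreshold3}
      # Puppet manifest fragment for this service; the class it includes is
      # defined outside this file and presumably applies config_settings.
      step_config: |
        include ::tripleo::profile::base::kernel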