[apex-tripleo-heat-templates.git] / puppet / services / kernel.yaml
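# Heat template for the TripleO "kernel" service. It emits the list of kernel
# modules to load and the sysctl keys to set as config_settings, and a
# step_config that includes the puppet profile class.
heat_template_version: pike

description: >
  Load kernel modules with kmod and configure kernel options with sysctl.

parameters:
  # The six parameters below are not referenced anywhere in this template's
  # outputs. NOTE(review): presumably they are the common interface every
  # service template must accept - confirm against the caller.
  ServiceData:
    default: {}
    description: Dictionary packing service data
    type: json
  ServiceNetMap:
    default: {}
    description: Mapping of service_name -> network name. Typically set
                 via parameter_defaults in the resource registry.  This
                 mapping overrides those in ServiceNetMapDefaults.
    type: json
  DefaultPasswords:
    default: {}
    type: json
  RoleName:
    default: ''
    description: Role name on which the service is applied
    type: string
  RoleParameters:
    default: {}
    description: Parameters specific to the role
    type: json
  EndpointMap:
    default: {}
    description: Mapping of service endpoint -> protocol. Typically set
                 via parameter_defaults in the resource registry.
    type: json
  KernelPidMax:
    default: 1048576
    description: Configures sysctl kernel.pid_max key
    type: number
  # Passed unchanged to both disable_ipv6 keys below: 0 leaves IPv6 enabled,
  # 1 disables it. No constraint limits the parameter to those two values.
  KernelDisableIPv6:
    default: 0
    description: Configures sysctl net.ipv6.conf.{default/all}.disable_ipv6 keys
    type: number
  # The three neighbour-table thresholds are independent parameters; nothing
  # in this template checks that thresh1 <= thresh2 <= thresh3.
  NeighbourGcThreshold1:
    default: 1024
    description: Configures sysctl net.ipv4.neigh.default.gc_thresh1 value.
                 This is the minimum number of entries to keep in the ARP
                 cache. The garbage collector will not run if there are
                 fewer than this number of entries in the cache.
    type: number
  NeighbourGcThreshold2:
    default: 2048
    description: Configures sysctl net.ipv4.neigh.default.gc_thresh2 value.
                 This is the soft maximum number of entries to keep in the
                 ARP cache. The garbage collector will allow the number of
                 entries to exceed this for 5 seconds before collection will
                 be performed.
    type: number
  NeighbourGcThreshold3:
    default: 4096
    description: Configures sysctl net.ipv4.neigh.default.gc_thresh3 value.
                 This is the hard maximum number of entries to keep in the
                 ARP cache. The garbage collector will always run if there
                 are more than this number of entries in the cache.
    type: number

outputs:
  role_data:
    description: Role data for the Kernel modules
    value:
      service_name: kernel
      config_settings:
        # Connection-tracking modules (core and the SCTP helper), loaded with
        # no module options.
        kernel_modules:
          nf_conntrack: {}
          nf_conntrack_proto_sctp: {}
        sysctl_settings:
          # Aggressive TCP keepalive: first probe after 5 s idle, then one
          # probe per second, connection dropped after 5 unanswered probes.
          net.ipv4.tcp_keepalive_intvl:
            value: 1
          net.ipv4.tcp_keepalive_probes:
            value: 5
          net.ipv4.tcp_keepalive_time:
            value: 5
          # ICMP redirect hardening: never send redirects.
          net.ipv4.conf.default.send_redirects:
            value: 0
          net.ipv4.conf.all.send_redirects:
            value: 0
          # Create neighbour entries from gratuitous ARP for addresses not yet
          # in the table. NOTE(review): presumably wanted for fast address
          # failover - confirm. Unsolicited ARP from any host on the segment
          # is trusted as a result, so the L2 networks these nodes sit on
          # should not be shared with untrusted hosts.
          net.ipv4.conf.all.arp_accept:
            value: 1
          # ICMP redirect hardening: do not accept redirects. The "all" key is
          # set as well as "default": "default" only seeds interfaces created
          # afterwards, and on an interface that is not forwarding a redirect
          # is accepted when either the "all" or the per-interface value is 1.
          net.ipv4.conf.default.accept_redirects:
            value: 0
          net.ipv4.conf.all.accept_redirects:
            value: 0
          net.ipv4.conf.default.secure_redirects:
            value: 0
          net.ipv4.conf.all.secure_redirects:
            value: 0
          # Log packets that arrive with an impossible source address, which
          # gives detection a trail for spoofing and routing mistakes.
          net.ipv4.conf.default.log_martians:
            value: 1
          net.ipv4.conf.all.log_martians:
            value: 1
          # Connection-tracking table limit, written under both sysctl names.
          net.nf_conntrack_max:
            value: 500000
          net.netfilter.nf_conntrack_max:
            value: 500000
          net.ipv6.conf.default.disable_ipv6:
            value: {get_param: KernelDisableIPv6}
          net.ipv6.conf.all.disable_ipv6:
            value: {get_param: KernelDisableIPv6}
          # prevent neutron bridges from autoconfiguring ipv6 addresses
          # (router advertisements are ignored and SLAAC is off)
          net.ipv6.conf.all.accept_ra:
            value: 0
          net.ipv6.conf.default.accept_ra:
            value: 0
          net.ipv6.conf.all.autoconf:
            value: 0
          net.ipv6.conf.default.autoconf:
            value: 0
          net.ipv6.conf.default.accept_redirects:
            value: 0
          net.ipv6.conf.all.accept_redirects:
            value: 0
          # Longer per-CPU input queue for packets waiting to be processed.
          net.core.netdev_max_backlog:
            value: 10000
          kernel.pid_max:
            value: {get_param: KernelPidMax}
          # Only privileged users may read the kernel log, which can contain
          # kernel addresses and other details useful for local escalation.
          kernel.dmesg_restrict:
            value: 1
          # No core dumps for setuid or otherwise privilege-changing
          # processes, so their memory is not written where the invoking user
          # can read it.
          fs.suid_dumpable:
            value: 0
          # avoid neighbour table overflow on large deployments
          net.ipv4.neigh.default.gc_thresh1:
            value: {get_param: NeighbourGcThreshold1}
          net.ipv4.neigh.default.gc_thresh2:
            value: {get_param: NeighbourGcThreshold2}
          net.ipv4.neigh.default.gc_thresh3:
            value: {get_param: NeighbourGcThreshold3}
      # Puppet manifest fragment; the included class is defined outside this
      # file and presumably consumes the settings above - confirm.
      step_config: |
        include ::tripleo::profile::base::kernel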