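# Heat service template for the "kernel" service. Its single output,
# role_data, carries the kernel modules to load, the sysctl keys to set and
# the Puppet step_config that includes ::tripleo::profile::base::kernel.
heat_template_version: pike

description: >
  Load kernel modules with kmod and configure kernel options with sysctl.

parameters:
  # ServiceData, ServiceNetMap, DefaultPasswords, RoleName, RoleParameters and
  # EndpointMap are declared but never referenced by the outputs in this file.
  # NOTE(review): presumably the common interface every service template has
  # to accept - confirm against the caller before removing any of them.
  ServiceData:
    default: {}
    description: Dictionary packing service data
    type: json
  ServiceNetMap:
    default: {}
    description: Mapping of service_name -> network name. Typically set
                 via parameter_defaults in the resource registry.  This
                 mapping overrides those in ServiceNetMapDefaults.
    type: json
  DefaultPasswords:
    default: {}
    type: json
  RoleName:
    default: ''
    description: Role name on which the service is applied
    type: string
  RoleParameters:
    default: {}
    description: Parameters specific to the role
    type: json
  EndpointMap:
    default: {}
    description: Mapping of service endpoint -> protocol. Typically set
                 via parameter_defaults in the resource registry.
    type: json

  # Tunables below are read with get_param in outputs.role_data.
  KernelPidMax:
    default: 1048576
    description: Configures sysctl kernel.pid_max key
    type: number
  # Written to both the `default` and `all` disable_ipv6 keys; the default of
  # 0 leaves IPv6 enabled. No constraint limits the accepted values.
  KernelDisableIPv6:
    default: 0
    description: Configures sysctl net.ipv6.{default/all}.disable_ipv6 keys
    type: number
  NeighbourGcThreshold1:
    default: 1024
    description: Configures sysctl net.ipv4.neigh.default.gc_thresh1 value.
                 This is the minimum number of entries to keep in the ARP
                 cache. The garbage collector will not run if there are
                 fewer than this number of entries in the cache.
    type: number
  NeighbourGcThreshold2:
    default: 2048
    description: Configures sysctl net.ipv4.neigh.default.gc_thresh2 value.
                 This is the soft maximum number of entries to keep in the
                 ARP cache. The garbage collector will  allow the number of
                 entries to exceed this for 5 seconds before collection will
                 be performed.
    type: number
  NeighbourGcThreshold3:
    default: 4096
    description: Configures sysctl net.ipv4.neigh.default.gc_thresh3 value.
                 This is the hard maximum number of entries to keep in the
                 ARP cache. The garbage collector will always run if there
                 are more than this number of entries in the cache.
    type: number
  # The name is misspelled ("Intances"); it is kept as-is because the
  # parameter name is this template's interface and renaming it would break
  # any environment file that already sets it.
  InotifyIntancesMax:
    default: 1024
    description: Configures sysctl fs.inotify.max_user_instances key
    type: number


outputs:
  role_data:
    description: Role data for the Kernel modules
    value:
      service_name: kernel
      config_settings:
        # Modules to load; the empty mapping passes no per-module options.
        kernel_modules:
          nf_conntrack: {}
          nf_conntrack_proto_sctp: {}
        sysctl_settings:
          net.ipv4.tcp_keepalive_intvl:
            value: 1
          net.ipv4.tcp_keepalive_probes:
            value: 5
          net.ipv4.tcp_keepalive_time:
            value: 5
          # ICMP redirect hardening: neither send nor accept redirects.
          net.ipv4.conf.default.send_redirects:
            value: 0
          net.ipv4.conf.all.send_redirects:
            value: 0
          # NOTE(review): arp_accept=1 lets gratuitous ARP create neighbour
          # entries for addresses not yet in the table, which makes ARP
          # spoofing easier on an untrusted L2 segment. Presumably needed for
          # address failover - confirm before tightening.
          net.ipv4.conf.all.arp_accept:
            value: 1
          net.ipv4.conf.default.accept_redirects:
            value: 0
          # On a non-forwarding interface the kernel honours redirects when
          # either the `all` or the per-interface flag is set, so `default`
          # alone does not turn them off. Set `all` as well, matching the
          # send_redirects, secure_redirects and IPv6 entries in this map.
          net.ipv4.conf.all.accept_redirects:
            value: 0
          net.ipv4.conf.default.secure_redirects:
            value: 0
          net.ipv4.conf.all.secure_redirects:
            value: 0
          # Log packets that arrive with impossible source addresses.
          net.ipv4.conf.default.log_martians:
            value: 1
          net.ipv4.conf.all.log_martians:
            value: 1
          # The same limit is written under both key names.
          net.nf_conntrack_max:
            value: 500000
          net.netfilter.nf_conntrack_max:
            value: 500000
          net.ipv6.conf.default.disable_ipv6:
            value: {get_param: KernelDisableIPv6}
          net.ipv6.conf.all.disable_ipv6:
            value: {get_param: KernelDisableIPv6}
          # Prevent neutron bridges from autoconfiguring IPv6 addresses.
          net.ipv6.conf.all.accept_ra:
            value: 0
          net.ipv6.conf.default.accept_ra:
            value: 0
          net.ipv6.conf.all.autoconf:
            value: 0
          net.ipv6.conf.default.autoconf:
            value: 0
          net.ipv6.conf.default.accept_redirects:
            value: 0
          net.ipv6.conf.all.accept_redirects:
            value: 0
          net.core.netdev_max_backlog:
            value: 10000
          kernel.pid_max:
            value: {get_param: KernelPidMax}
          # Local information-exposure hardening: the kernel log is readable
          # by privileged users only, and set-uid processes do not dump core.
          kernel.dmesg_restrict:
            value: 1
          fs.suid_dumpable:
            value: 0
          # Avoid neighbour table overflow on large deployments.
          net.ipv4.neigh.default.gc_thresh1:
            value: {get_param: NeighbourGcThreshold1}
          net.ipv4.neigh.default.gc_thresh2:
            value: {get_param: NeighbourGcThreshold2}
          net.ipv4.neigh.default.gc_thresh3:
            value: {get_param: NeighbourGcThreshold3}
          # Set inotify value for neutron/dnsmasq scale.
          fs.inotify.max_user_instances:
            value: {get_param: InotifyIntancesMax}

      step_config: |
        include ::tripleo::profile::base::kernel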