neutron_ovn_vpn_agent.ini
This is a configuration file for the OVN VPN agent.
ipsec
- config_base_dir
  - Type: string
  - Default: $state_path/ipsec
  Location to store ipsec server config files.
- ipsec_status_check_interval
  - Type: integer
  - Default: 60
  Interval, in seconds, for checking ipsec status.
- enable_detailed_logging
  - Type: boolean
  - Default: False
  Enable detailed logging for the ipsec pluto process. If set to True, the detailed log is written to config_base_dir/<pid>/log. Note: this setting applies to OpenSwan and LibreSwan only; StrongSwan logs to syslog. Debug-level pluto output can expose sensitive details of the IKE exchanges, so restrict access to config_base_dir and turn the flag off again once troubleshooting is done.
ovn
- ovn_nb_connection
  - Type: string
  - Default: tcp:127.0.0.1:6641
  The connection string for the OVN_Northbound OVSDB. Use tcp:IP:PORT for a TCP connection. Use ssl:IP:PORT for an SSL connection; in that case ovn_nb_private_key, ovn_nb_certificate and ovn_nb_ca_cert are mandatory. Use unix:FILE for a unix domain socket connection. Multiple connections can be specified as a comma-separated string. A tcp: connection carries OVSDB traffic in cleartext with no peer authentication, so use ssl: for any database that is not on the local host. See also: https://github.com/openvswitch/ovs/blob/ab4d3bfbef37c31331db5a9dbe7c22eb8d5e5e5f/python/ovs/db/idl.py#L215-L216
- ovn_nb_private_key
  - Type: string
  - Default: ''
  The PEM file with the private key for the SSL connection to the OVN-NB-DB.
- ovn_nb_certificate
  - Type: string
  - Default: ''
  The PEM file with the certificate that certifies the private key specified in ovn_nb_private_key.
- ovn_nb_ca_cert
  - Type: string
  - Default: ''
  The PEM file with the CA certificate that OVN should use to verify certificates presented to it by SSL peers.
- ovn_sb_connection
  - Type: string
  - Default: tcp:127.0.0.1:6642
  The connection string for the OVN_Southbound OVSDB. Use tcp:IP:PORT for a TCP connection. Use ssl:IP:PORT for an SSL connection; in that case ovn_sb_private_key, ovn_sb_certificate and ovn_sb_ca_cert are mandatory. Use unix:FILE for a unix domain socket connection. Multiple connections can be specified as a comma-separated string. As with the northbound connection, tcp: is cleartext and unauthenticated; use ssl: for any database that is not on the local host. See also: https://github.com/openvswitch/ovs/blob/ab4d3bfbef37c31331db5a9dbe7c22eb8d5e5e5f/python/ovs/db/idl.py#L215-L216
- ovn_sb_private_key
  - Type: string
  - Default: ''
  The PEM file with the private key for the SSL connection to the OVN-SB-DB.
- ovn_sb_certificate
  - Type: string
  - Default: ''
  The PEM file with the certificate that certifies the private key specified in ovn_sb_private_key.
- ovn_sb_ca_cert
  - Type: string
  - Default: ''
  The PEM file with the CA certificate that OVN should use to verify certificates presented to it by SSL peers.
- ovsdb_connection_timeout
  - Type: integer
  - Default: 180
  Timeout, in seconds, for the OVSDB connection transaction.
- ovsdb_retry_max_interval
  - Type: integer
  - Default: 180
  Max interval, in seconds, between each retry to get the OVN NB and SB IDLs.
- ovsdb_probe_interval
  - Type: integer
  - Default: 60000
  - Minimum Value: 0
  The probe interval for the OVSDB session, in milliseconds. If this is zero, the connection keepalive feature is disabled and a silently dropped database connection is not noticed until the next transaction. If non-zero, the value is forced to at least 1000 milliseconds. Defaults to 60 seconds.
- neutron_sync_mode
  - Type: string
  - Default: log
  - Valid Values: off, log, repair, migrate
  The synchronization mode of the OVN_Northbound OVSDB with the Neutron DB:
  - off - synchronization is off.
  - log - during neutron-server startup, check whether OVN is in sync with the Neutron database and log warnings for any inconsistencies found so that an admin can investigate.
  - repair - during neutron-server startup, automatically create resources found in Neutron but not in OVN, and remove resources from OVN that are no longer in Neutron.
  - migrate - for OVS to OVN migration. It syncs the DB just like repair mode, and additionally updates the Neutron DB resources from OVS to OVN.
- ovn_l3_scheduler
  - Type: string
  - Default: leastloaded
  - Valid Values: leastloaded, chance
  The OVN L3 scheduler type used to schedule router gateway ports on hypervisors/chassis:
  - leastloaded - the chassis with the fewest gateway ports is selected.
  - chance - a chassis is selected at random.
- enable_distributed_floating_ip
  - Type: boolean
  - Default: False
  Enable distributed floating IP support. If True, the NAT action for floating IPs is done locally and not in the centralized gateway. This shortens the path to the external network. It requires the physical network map (i.e. ovn-bridge-mappings) to be configured on each compute node.
- vhost_sock_dir
  - Type: string
  - Default: /var/run/openvswitch
  The directory in which vhost virtio sockets are created by all the vswitch daemons.
- dhcp_default_lease_time
  - Type: integer
  - Default: 43200
  Default lease time (in seconds) to use with OVN's native DHCP service.
- ovsdb_log_level
  - Type: string
  - Default: INFO
  - Valid Values: CRITICAL, ERROR, WARNING, INFO, DEBUG
  The log level used for OVSDB.
- ovn_metadata_enabled
  - Type: boolean
  - Default: False
  Whether to use the metadata service.
- dns_servers
  - Type: list
  - Default: []
  Comma-separated list of the DNS servers which will be used as forwarders if a subnet's dns_nameservers field is empty. If both the subnet's dns_nameservers and this option are empty, the DNS resolvers on the host running the neutron server are used.
- ovn_dhcp4_global_options
  - Type: dict
  - Default: {}
  Dictionary of global DHCPv4 options which are automatically set on each subnet upon creation and on all existing subnets when Neutron starts. An empty value for a DHCP option causes that option to be unset globally. Examples:
  - ntp_server:1.2.3.4,wpad:1.2.3.5 - set ntp_server and wpad
  - ntp_server:,wpad:1.2.3.5 - unset ntp_server and set wpad
  See the ovn-nb(5) man page for available options.
- ovn_dhcp6_global_options
  - Type: dict
  - Default: {}
  Dictionary of global DHCPv6 options which are automatically set on each subnet upon creation and on all existing subnets when Neutron starts. An empty value for a DHCPv6 option causes that option to be unset globally. See the ovn-nb(5) man page for available options.
- ovn_emit_need_to_frag
  - Type: boolean
  - Default: False
  Configure OVN to emit "need to frag" packets in case of MTU mismatches. Before enabling this option make sure that it is supported by the host kernel (version >= 5.2), or check the output of the following command: ovs-appctl -t ovs-vswitchd dpif/show-dp-features br-int | grep "Check pkt length action"
- disable_ovn_dhcp_for_baremetal_ports
  - Type: boolean
  - Default: False
  Disable OVN's built-in DHCP for baremetal ports (VNIC type "baremetal"). This allows operators to plug in their own DHCP server of choice for PXE booting baremetal nodes. OVN 23.06.0 and newer also supports baremetal PXE based provisioning over IPv6. If an older version of OVN is used for baremetal provisioning over IPv6, this option should be set to "True" and neutron-dhcp-agent should be used instead. Defaults to "False".
- allow_stateless_action_supported
  - Type: boolean
  - Default: True
  If OVN older than 21.06 is used together with Neutron, this option should be set to False in order to disable the stateful-security-group API extension, as the allow-stateless keyword is only supported by OVN >= 21.06.
  Warning: This option is deprecated for removal since 2023.1. Its value may be silently ignored in the future.
- localnet_learn_fdb
  - Type: boolean
  - Default: False
  If enabled, localnet ports are allowed to learn MAC addresses and store them in the FDB SB table. This avoids flooding for traffic towards unknown IPs when port security is disabled. It requires OVN 22.09 or newer.
- fdb_age_threshold
  - Type: integer
  - Default: 0
  - Minimum Value: 0
  The number of seconds to keep FDB entries in the OVN DB. The value defaults to 0, which means disabled. This is supported by OVN >= 23.09.
- mac_binding_age_threshold
  - Type: integer
  - Default: 0
  - Minimum Value: 0
  The number of seconds to keep MAC_Binding entries in the OVN DB. 0 disables aging.
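The connection rules above (ssl: needs all three PEM options, tcp: is cleartext, several targets may be comma-separated, ovsdb_probe_interval is clamped) and the "empty value unsets" semantics of the DHCP global option dictionaries are easy to get wrong by hand. The following is an added example, not neutron-vpnaas code: a small linter that applies exactly those documented rules to the [ovn] group of a neutron_ovn_vpn_agent.ini and expands a DHCP global options dictionary against one subnet's existing options. It assumes plain configparser parsing of the ini syntax, the defaults listed above, and the key:value,key2:value2 dictionary syntax shown in the page's examples. The two embedded ini fragments are constructed; the hosts and PEM paths in them are made up, and the helper names (lint_ovn_group, parse_dict_opt, apply_global_dhcp_options, effective_probe_interval) are hypothetical.

```python
"""Lint the [ovn] group of neutron_ovn_vpn_agent.ini against the rules in
the reference above, and expand ovn_dhcp4/6_global_options dictionaries.

Added example, not neutron-vpnaas code. Assumed: plain configparser parsing
of the ini, defaults as listed in the reference, and the DictOpt syntax
key:value,key2:value2 from the page's examples. Hosts and PEM paths in the
sample inis are made up.
"""
import configparser
from typing import Dict, List, Set, Tuple

LOOPBACK = {"127.0.0.1", "::1", "localhost"}
DEFAULT_PORT = {"nb": "6641", "sb": "6642"}

# Constructed sample: the defaults (tcp to loopback) plus a cleartext tcp:
# connection to a remote southbound DB and a probe interval below the clamp.
WEAK_INI = """
[ovn]
ovn_nb_connection = tcp:127.0.0.1:6641
ovn_sb_connection = tcp:10.0.0.5:6642
ovsdb_probe_interval = 500
"""

# Constructed sample: ssl: to two database servers with all PEM material set.
HARDENED_INI = """
[ovn]
ovn_nb_connection = ssl:10.0.0.5:6641,ssl:10.0.0.6:6641
ovn_nb_private_key = /etc/neutron/ovn/nb-key.pem
ovn_nb_certificate = /etc/neutron/ovn/nb-cert.pem
ovn_nb_ca_cert = /etc/neutron/ovn/ca.pem
ovn_sb_connection = ssl:10.0.0.5:6642,ssl:10.0.0.6:6642
ovn_sb_private_key = /etc/neutron/ovn/sb-key.pem
ovn_sb_certificate = /etc/neutron/ovn/sb-cert.pem
ovn_sb_ca_cert = /etc/neutron/ovn/ca.pem
ovsdb_probe_interval = 60000
"""


def effective_probe_interval(value: int) -> int:
    """Documented clamp: 0 disables keepalive, anything else is >= 1000 ms."""
    if value < 0:
        raise ValueError("ovsdb_probe_interval must be >= 0")
    return 0 if value == 0 else max(value, 1000)


def parse_dict_opt(raw: str) -> Tuple[Dict[str, str], Set[str]]:
    """Split 'ntp_server:,wpad:1.2.3.5' into ({'wpad': ...}, {'ntp_server'})."""
    to_set: Dict[str, str] = {}
    to_unset: Set[str] = set()
    for item in (p.strip() for p in raw.split(",") if p.strip()):
        key, _, value = item.partition(":")
        if value.strip():
            to_set[key.strip()] = value.strip()
        else:
            to_unset.add(key.strip())  # empty value unsets the option globally
    return to_set, to_unset


def apply_global_dhcp_options(subnet_opts: Dict[str, str], raw: str) -> Dict[str, str]:
    """One subnet's DHCP options after the global dictionary is applied."""
    to_set, to_unset = parse_dict_opt(raw)
    merged = {k: v for k, v in subnet_opts.items() if k not in to_unset}
    merged.update(to_set)
    return merged


def lint_ovn_group(ini_text: str) -> List[str]:
    """Return findings for the [ovn] group; an empty list means it is clean."""
    cfg = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cfg.read_string(ini_text)
    findings: List[str] = []
    for db, port in DEFAULT_PORT.items():
        opt = f"ovn_{db}_connection"
        conn = cfg.get("ovn", opt, fallback=f"tcp:127.0.0.1:{port}")
        for target in (t.strip() for t in conn.split(",")):
            scheme, _, rest = target.partition(":")
            if scheme == "ssl":
                # The reference makes all three PEM options mandatory for ssl:.
                for suffix in ("private_key", "certificate", "ca_cert"):
                    name = f"ovn_{db}_{suffix}"
                    if not cfg.get("ovn", name, fallback="").strip():
                        findings.append(f"{opt}={target} requires {name}")
            elif scheme == "tcp":
                host = rest.rsplit(":", 1)[0].strip("[]")  # also tcp:[::1]:6641
                if host not in LOOPBACK:
                    findings.append(f"{opt}={target}: tcp: is cleartext with no "
                                    "peer authentication; use ssl: off-host")
            elif scheme != "unix":
                findings.append(f"{opt}={target}: unknown scheme {scheme!r}")
    probe = cfg.getint("ovn", "ovsdb_probe_interval", fallback=60000)
    if probe < 0:
        findings.append("ovsdb_probe_interval must be >= 0")
    elif probe != effective_probe_interval(probe):
        findings.append(f"ovsdb_probe_interval={probe} will be raised to 1000 ms")
    return findings


if __name__ == "__main__":
    for label, ini in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        print(label, lint_ovn_group(ini) or "OK")
    print(apply_global_dhcp_options({"ntp_server": "10.0.0.1", "mtu": "1450"},
                                    "ntp_server:,wpad:1.2.3.5"))
```

Run against the weak fragment the linter reports the cleartext southbound connection and the probe interval that will be raised to 1000 ms; the hardened fragment passes. Loopback tcp: is deliberately not flagged because it never leaves the host, but it is still unauthenticated, so anything with access to the local network namespace can talk to the database.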
ovs
- ovsdb_connection
  - Type: string
  - Default: unix:/usr/local/var/run/openvswitch/db.sock
  The connection string for the native OVSDB backend. Use tcp:IP:PORT for a TCP connection. Use unix:FILE for a unix domain socket connection.
- ovsdb_connection_timeout
  - Type: integer
  - Default: 180
  Timeout, in seconds, for the OVSDB connection transaction.
pluto
- shutdown_check_timeout
  - Type: integer
  - Default: 1
  Initial interval, in seconds, for checking whether the pluto daemon has shut down.
  - Deprecated Variations: Group libreswan, Name shutdown_check_timeout
- shutdown_check_retries
  - Type: integer
  - Default: 5
  The maximum number of retries for checking for pluto daemon shutdown.
  - Deprecated Variations: Group libreswan, Name shutdown_check_retries
- shutdown_check_back_off
  - Type: floating point
  - Default: 1.5
  A factor by which the retry interval is increased for each retry.
  - Deprecated Variations: Group libreswan, Name shutdown_check_back_off
- restart_check_config
  - Type: boolean
  - Default: False
  Enable this flag to avoid unnecessary restarts of the pluto daemon.
  - Deprecated Variations: Group libreswan, Name restart_check_config
strongswan
- ipsec_config_template
  - Type: string
  - Default: /home/zuul/src/opendev.org/openstack/neutron-vpnaas/neutron_vpnaas/services/vpn/device_drivers/template/strongswan/ipsec.conf.template
  Template file for ipsec configuration.
- strongswan_config_template
  - Type: string
  - Default: /home/zuul/src/opendev.org/openstack/neutron-vpnaas/neutron_vpnaas/services/vpn/device_drivers/template/strongswan/strongswan.conf.template
  Template file for strongswan configuration.
- ipsec_secret_template
  - Type: string
  - Default: /home/zuul/src/opendev.org/openstack/neutron-vpnaas/neutron_vpnaas/services/vpn/device_drivers/template/strongswan/ipsec.secret.template
  Template file for ipsec secret configuration.
  The three template defaults above are computed relative to the installed neutron_vpnaas package; the /home/zuul/... prefix shown is the checkout on the documentation build host, and the path on your deployment will differ accordingly.
- default_config_area
  - Type: string
  - Default: /etc/strongswan.d
  The area where default StrongSwan configuration files are located.
vpnagent
- vpn_device_driver
  - Type: multi-valued
  - Default: neutron_vpnaas.services.vpn.device_drivers.ovn_ipsec.OvnStrongSwanDriver
  This option has a sample default set, which means that its actual default value may vary from the one documented above.
  The OVN VPN device drivers Neutron will use.