{"id":486,"sha1":"96ca36ac3926a6f79561ca8972f2b0aabc7b7888","playbook":{"id":4,"items":{"plays":107,"tasks":2438,"results":2413,"hosts":13,"files":511,"records":0},"arguments":{"version":null,"verbosity":0,"private_key_file":null,"remote_user":null,"connection":"openstack.osa.ssh","timeout":null,"ssh_common_args":null,"sftp_extra_args":null,"scp_extra_args":null,"ssh_extra_args":null,"ask_pass":false,"connection_password_file":null,"force_handlers":true,"flush_cache":false,"become":false,"become_method":"sudo","become_user":null,"become_ask_pass":false,"become_password_file":null,"tags":["all"],"skip_tags":[],"check":false,"diff":false,"inventory":["/home/zuul/src/opendev.org/openstack/openstack-ansible/inventory/dynamic_inventory.py","/home/zuul/src/opendev.org/openstack/openstack-ansible/inventory/inventory.ini","/etc/openstack_deploy/inventory.ini"],"listhosts":false,"subset":null,"extra_vars":"Not saved by ARA as configured by 'ignored_arguments'","vault_ids":[],"ask_vault_pass":false,"vault_password_files":[],"forks":4,"module_path":null,"syntax":false,"listtasks":false,"listtags":false,"step":false,"start_at_task":null,"args":["setup-openstack.yml"]},"labels":[{"id":1,"name":"check:False"},{"id":2,"name":"tags:all"}],"started":"2025-12-14T10:21:40.790759Z","ended":"2025-12-14T11:05:36.775743Z","duration":"00:43:55.984984","name":null,"ansible_version":"2.18.6","client_version":"1.7.4","python_version":"3.13.5","server_version":"1.7.4","status":"completed","path":"/home/zuul/src/opendev.org/openstack/openstack-ansible/playbooks/setup-openstack.yml","controller":"aio1.openstack.local","user":"root"},"content":"---\n# Copyright 2014, Rackspace US, Inc.\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not use this file except in compliance with the License.\n# You may obtain a copy of the License at\n#\n#     http://www.apache.org/licenses/LICENSE-2.0\n#\n# Unless required by applicable law or agreed to in writing, software\n# 
distributed under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License for the specific language governing permissions and\n# limitations under the License.\n# Enable/Disable barbican configurations\nnova_barbican_enabled: \"{{ (groups['barbican_all'] is defined) and (groups['barbican_all'] | length > 0) }}\"\n# Enable/Disable blazar configurations\nnova_blazar_enabled: \"{{ (groups['blazar_all'] is defined) and (groups['blazar_all'] | length > 0) }}\"\n# Enable/Disable designate configurations\nnova_designate_enabled: \"{{ (groups['designate_all'] is defined) and (groups['designate_all'] | length > 0) }}\"\n# Notification topics for designate.\nnova_notifications_designate: notifications_designate\n# Enable/Disable ceilometer configurations\nnova_ceilometer_enabled: \"{{ (groups['ceilometer_all'] is defined) and (groups['ceilometer_all'] | length > 0) }}\"\n# Enable/Disable nova versioned notification\nnova_versioned_notification_enabled: false\n\n# Caching\nnova_cache_servers: \"{{ nova_memcached_servers | default(memcached_servers) }}\"\nnova_cache_backend: \"{{ openstack_cache_backend | default('oslo_cache.memcache_pool') }}\"\nnova_cache_backend_map: \"{{ openstack_cache_backend_map | default(_nova_cache_backend_map) }}\"\n\n## Verbosity Options\ndebug: false\n\n# Set the host which will execute the shade modules\n# for the service setup. 
The host must already have\n# clouds.yaml properly configured.\nnova_service_setup_host: \"{{ openstack_service_setup_host | default('localhost') }}\"\nnova_service_setup_host_python_interpreter: >-\n  {{\n    openstack_service_setup_host_python_interpreter | default(\n      (nova_service_setup_host == 'localhost') | ternary(ansible_playbook_python, ansible_facts['python']['executable']))\n  }}\n\n# Set the host which will run compute initialization tasks such as checking\n# for a compute node to be up and running cell discovery.\nnova_conductor_setup_host: \"{{ groups[nova_services['nova-conductor']['group']][0] }}\"\n\n# Set the package install state for distribution packages\n# Options are 'present' and 'latest'\nnova_package_state: \"{{ package_state | default('latest') }}\"\n\n# Set installation method.\nnova_install_method: \"{{ service_install_method | default('source') }}\"\nnova_venv_python_executable: \"{{ openstack_venv_python_executable | default('python3') }}\"\n\nnova_git_repo: https://opendev.org/openstack/nova\nnova_git_install_branch: master\n\nnova_upper_constraints_url: >-\n  {{ requirements_git_url | default('https://releases.openstack.org/constraints/upper/' ~ requirements_git_install_branch | default('master')) }}\nnova_git_constraints:\n  - \"--constraint {{ nova_upper_constraints_url }}\"\nnova_pip_install_args: \"{{ pip_install_options | default('') }}\"\n\n# Name of the virtual env to deploy into\nnova_venv_tag: \"{{ venv_tag | default('untagged') }}\"\nnova_bin: \"{{ _nova_bin }}\"\n\n## Nova user information\nnova_system_user_name: nova\nnova_system_group_name: nova\nnova_system_shell: /bin/bash\nnova_system_comment: nova system user\nnova_system_home_folder: \"/var/lib/{{ nova_system_user_name }}\"\nnova_system_slice_name: nova\nnova_libvirt_save_path: \"{{ nova_system_home_folder }}/save\"\n\nnova_lock_dir: \"{{ openstack_lock_dir | default('/run/lock') }}\"\n\nnova_management_address: \"127.0.0.1\"\n\n## Manually specified nova 
UID/GID\n# Deployers can specify a UID for the nova user as well as the GID for the\n# nova group if needed. This is commonly used in environments where shared\n# storage is used, such as NFS or GlusterFS, and nova UID/GID values must be\n# in sync between multiple servers.\n#\n# WARNING: Changing these values on an existing deployment can lead to\n#          failures, errors, and instability.\n#\n# nova_system_user_uid = <UID>\n# nova_system_group_gid = <GID>\n\n## Database info\nnova_db_setup_host: \"{{ openstack_db_setup_host | default('localhost') }}\"\nnova_db_setup_python_interpreter: >-\n  {{\n    openstack_db_setup_python_interpreter | default(\n      (nova_db_setup_host == 'localhost') | ternary(ansible_playbook_python, ansible_facts['python']['executable']))\n  }}\nnova_galera_address: \"{{ galera_address | default('127.0.0.1') }}\"\nnova_galera_user: nova\nnova_galera_database: nova\nnova_db_max_overflow: \"{{ openstack_db_max_overflow | default('50') }}\"\nnova_db_max_pool_size: \"{{ openstack_db_max_pool_size | default('5') }}\"\nnova_db_pool_timeout: \"{{ openstack_db_pool_timeout | default('30') }}\"\nnova_db_connection_recycle_time: \"{{ openstack_db_connection_recycle_time | default('600') }}\"\nnova_galera_port: \"{{ galera_port | default('3306') }}\"\n# Toggle whether nova connects via an encrypted connection\nnova_galera_use_ssl: \"{{ galera_use_ssl | default(False) }}\"\n# The path where to store the database server CA certificate\nnova_galera_ssl_ca_cert: \"{{ galera_ssl_ca_cert | default('') }}\"\n\n## DB API\nnova_api_galera_address: \"{{ nova_galera_address }}\"\nnova_api_galera_user: nova_api\nnova_api_galera_database: nova_api\nnova_api_galera_port: \"{{ galera_port | default('3306') }}\"\nnova_api_db_max_overflow: \"{{ openstack_db_max_overflow | default('50') }}\"\nnova_api_db_max_pool_size: \"{{ openstack_db_max_pool_size | default('5') }}\"\nnova_api_db_pool_timeout: \"{{ openstack_db_pool_timeout | default('30') 
}}\"\nnova_api_db_connection_recycle_time: \"{{ openstack_db_connection_recycle_time | default('600') }}\"\n\n## DB Cells\nnova_cell0_database: \"nova_cell0\"\nnova_cell1_name: \"cell1\"\nnova_cell_force_update: false\n\n## Oslo Messaging\n\n# RabbitMQ\nnova_oslomsg_heartbeat_in_pthread: \"{{ oslomsg_heartbeat_in_pthread | default(False) }}\"\n\n# RPC\nnova_oslomsg_rpc_host_group: \"{{ oslomsg_rpc_host_group | default('rabbitmq_all') }}\"\nnova_oslomsg_rpc_setup_host: \"{{ (nova_oslomsg_rpc_host_group in groups) | ternary(groups[nova_oslomsg_rpc_host_group][0], 'localhost') }}\"\nnova_oslomsg_rpc_transport: \"{{ oslomsg_rpc_transport | default('rabbit') }}\"\nnova_oslomsg_rpc_servers: \"{{ oslomsg_rpc_servers | default('127.0.0.1') }}\"\nnova_oslomsg_rpc_port: \"{{ oslomsg_rpc_port | default('5672') }}\"\nnova_oslomsg_rpc_use_ssl: \"{{ oslomsg_rpc_use_ssl | default(False) }}\"\nnova_oslomsg_rpc_userid: nova\nnova_oslomsg_rpc_policies: []\nnova_oslomsg_rpc_vhost:\n  - name: /nova\n    state: \"{{ (nova_oslomsg_rabbit_quorum_queues | bool) | ternary('absent', 'present') }}\"\n  - name: nova\n    state: \"{{ (nova_oslomsg_rabbit_quorum_queues | bool) | ternary('present', 'absent') }}\"\nnova_oslomsg_rpc_ssl_version: \"{{ oslomsg_rpc_ssl_version | default('TLSv1_2') }}\"\nnova_oslomsg_rpc_ssl_ca_file: \"{{ oslomsg_rpc_ssl_ca_file | default('') }}\"\n\n# Notify\nnova_oslomsg_notify_configure: \"{{ oslomsg_notify_configure | default(nova_ceilometer_enabled) }}\"\nnova_oslomsg_notify_host_group: \"{{ oslomsg_notify_host_group | default('rabbitmq_all') }}\"\nnova_oslomsg_notify_setup_host: \"{{ (nova_oslomsg_notify_host_group in groups) | ternary(groups[nova_oslomsg_notify_host_group][0], 'localhost') }}\"\nnova_oslomsg_notify_transport: \"{{ oslomsg_notify_transport | default('rabbit') }}\"\nnova_oslomsg_notify_servers: \"{{ oslomsg_notify_servers | default('127.0.0.1') }}\"\nnova_oslomsg_notify_port: \"{{ oslomsg_notify_port | default('5672') 
}}\"\nnova_oslomsg_notify_use_ssl: \"{{ oslomsg_notify_use_ssl | default(False) }}\"\nnova_oslomsg_notify_userid: \"{{ nova_oslomsg_rpc_userid }}\"\nnova_oslomsg_notify_password: \"{{ nova_oslomsg_rpc_password }}\"\nnova_oslomsg_notify_vhost: \"{{ nova_oslomsg_rpc_vhost }}\"\nnova_oslomsg_notify_ssl_version: \"{{ oslomsg_notify_ssl_version | default('TLSv1_2') }}\"\nnova_oslomsg_notify_ssl_ca_file: \"{{ oslomsg_notify_ssl_ca_file | default('') }}\"\nnova_oslomsg_notify_policies: []\n\n###\n### RabbitMQ info\n###\nnova_oslomsg_rabbit_quorum_queues: \"{{ oslomsg_rabbit_quorum_queues | default(True) }}\"\nnova_oslomsg_rabbit_stream_fanout: \"{{ oslomsg_rabbit_stream_fanout | default(nova_oslomsg_rabbit_quorum_queues) }}\"\nnova_oslomsg_rabbit_transient_quorum_queues: \"{{ oslomsg_rabbit_transient_quorum_queues | default(nova_oslomsg_rabbit_stream_fanout) }}\"\nnova_oslomsg_rabbit_qos_prefetch_count: \"{{ oslomsg_rabbit_qos_prefetch_count | default(nova_oslomsg_rabbit_stream_fanout | ternary(10, 0)) }}\"\nnova_oslomsg_rabbit_queue_manager: \"{{ oslomsg_rabbit_queue_manager | default(nova_oslomsg_rabbit_quorum_queues) }}\"\nnova_oslomsg_rabbit_quorum_delivery_limit: \"{{ oslomsg_rabbit_quorum_delivery_limit | default(0) }}\"\nnova_oslomsg_rabbit_quorum_max_memory_bytes: \"{{ oslomsg_rabbit_quorum_max_memory_bytes | default(0) }}\"\n\n## Nova virtualization Types\n# The nova_virt_types dictionary contains global overrides used for\n#  specific compute types. Every variable inside of this dictionary\n#  will become an ansible fact. This gives the user the option to set\n#  or customize things based on their needs without having to redefine\n#  this entire data structure. 
Every supported compute type will\n#  have its specific variable requirements set under its short name.\nnova_virt_types:\n  ironic:\n    nova_compute_driver: ironic.IronicDriver\n    nova_reserved_host_memory_mb: 0\n    nova_scheduler_tracks_instance_changes: false\n  kvm:\n    nova_compute_driver: libvirt.LibvirtDriver\n    nova_reserved_host_memory_mb: 2048\n    nova_scheduler_tracks_instance_changes: true\n  qemu:\n    nova_compute_driver: libvirt.LibvirtDriver\n    nova_reserved_host_memory_mb: 2048\n    nova_scheduler_tracks_instance_changes: true\n    nova_cpu_mode: \"none\"\n\n# If this is not set, then the playbook will try to guess it.\n# nova_virt_type: kvm\n\n# Enable Kernel Shared Memory (KSM)\nnova_compute_ksm_enabled: false\n\n# if set, nova_virt_type must be one of these:\nnova_supported_virt_types:\n  - qemu\n  - kvm\n  - ironic\n\n## Nova Auth\nnova_service_region: \"{{ service_region | default('RegionOne') }}\"\nnova_service_project_name: \"service\"\nnova_service_project_domain_id: default\nnova_service_user_domain_id: default\nnova_service_user_name: \"nova\"\nnova_service_role_names:\n  - admin\n  - service\nnova_service_token_roles:\n  - service\nnova_service_token_roles_required: \"{{ openstack_service_token_roles_required | default(True) }}\"\n\n## Keystone authentication middleware\nnova_keystone_auth_plugin: password\n\n## Nova enabled apis\nnova_enabled_apis: \"osapi_compute,metadata\"\n\n## Domain name used to configure FQDN for instances. 
When empty, only the hostname without\n## a domain will be configured.\nnova_dhcp_domain: \"{{ dhcp_domain | default('') }}\"\n\n## Nova v2.1\nnova_service_name: nova\nnova_service_type: compute\nnova_service_proto: http\nnova_service_publicuri_proto: \"{{ openstack_service_publicuri_proto | default(nova_service_proto) }}\"\nnova_service_adminuri_proto: \"{{ openstack_service_adminuri_proto | default(nova_service_proto) }}\"\nnova_service_internaluri_proto: \"{{ openstack_service_internaluri_proto | default(nova_service_proto) }}\"\nnova_service_bind_address: \"{{ openstack_service_bind_address | default('0.0.0.0') }}\"\nnova_service_port: 8774\nnova_service_description: \"Nova Compute Service\"\nnova_service_publicuri: \"{{ nova_service_publicuri_proto }}://{{ external_lb_vip_address }}:{{ nova_service_port }}\"\nnova_service_publicurl: \"{{ nova_service_publicuri }}/v2.1\"\nnova_service_adminuri: \"{{ nova_service_adminuri_proto }}://{{ internal_lb_vip_address }}:{{ nova_service_port }}\"\nnova_service_adminurl: \"{{ nova_service_adminuri }}/v2.1\"\nnova_service_internaluri: \"{{ nova_service_internaluri_proto }}://{{ internal_lb_vip_address }}:{{ nova_service_port }}\"\nnova_service_internalurl: \"{{ nova_service_internaluri }}/v2.1\"\n\n## Nova spice\nnova_spice_html5proxy_base_proto: \"{{ openstack_service_publicuri_proto | default('http') }}\"\nnova_spice_html5proxy_base_port: 6082\nnova_spice_html5proxy_base_uri: \"{{ nova_spice_html5proxy_base_proto }}://{{ external_lb_vip_address }}:{{ nova_spice_html5proxy_base_port }}\"\nnova_spice_html5proxy_base_url: \"{{ nova_spice_html5proxy_base_uri }}/spice_auto.html\"\nnova_spice_console_agent_enabled: true\nnova_spicehtml5_git_repo: \"{{ spicehtml5_git_repo | default('https://gitlab.freedesktop.org/spice/spice-html5.git') }}\"\nnova_spicehtml5_git_install_branch: \"{{ spicehtml5_git_install_branch | default('master') }}\"\n\n## Nova novnc\nnova_novncproxy_proto: \"{{ openstack_service_publicuri_proto | 
default('http') }}\"\nnova_novncproxy_port: 6080\nnova_novncproxy_host: \"{{ openstack_service_bind_address | default('0.0.0.0') }}\"\nnova_novncproxy_base_uri: \"{{ nova_novncproxy_proto }}://{{ external_lb_vip_address }}:{{ nova_novncproxy_port }}\"\nnova_novncproxy_base_url: \"{{ nova_novncproxy_base_uri }}/vnc_lite.html\"\nnova_novncproxy_vncserver_proxyclient_address: \"{{ _nova_my_ip }}\"\nnova_novncproxy_vncserver_listen: \"{{ _nova_my_ip }}\"\nnova_novncproxy_git_repo: \"{{ novncproxy_git_repo | default('https://github.com/novnc/noVNC') }}\"\nnova_novncproxy_git_install_branch: \"{{ novncproxy_git_install_branch | default('master') }}\"\n\n## Nova serialconsole\nnova_serialconsoleproxy_proto: \"ws\"\nnova_serialconsoleproxy_port: 6083\nnova_serialconsoleproxy_port_range: 10000:20000\nnova_serialconsoleproxy_base_uri: \"{{ nova_serialconsoleproxy_proto }}://{{ external_lb_vip_address }}:{{ nova_serialconsoleproxy_port }}\"\nnova_serialconsoleproxy_base_url: \"{{ nova_serialconsoleproxy_base_uri }}\"\nnova_serialconsoleproxy_serialconsole_proxyserver_proxyclient_address: \"{{ nova_management_address }}\"\n\n## Nova metadata\nnova_metadata_proxy_enabled: true\nnova_metadata_bind_address: \"{{ openstack_service_bind_address | default('0.0.0.0') }}\"\nnova_metadata_port: 8775\n\n## Nova compute\nnova_nested_virt_enabled: false\n\n# Uwsgi settings\nnova_wsgi_processes_max: 16\nnova_wsgi_processes: \"{{ [[ansible_facts['processor_vcpus'] | default(1), 1] | max * 2, nova_wsgi_processes_max] | min }}\"\nnova_wsgi_threads: 1\nnova_uwsgi_tls:\n  crt: \"{{ nova_ssl_cert }}\"\n  key: \"{{ nova_ssl_key }}\"\n\n## Nova libvirt\n# Warning: If nova_libvirt_inject_key or nova_libvirt_inject_password are enabled for Ubuntu compute hosts\n# then the kernel will be made readable to nova user (a requirement for libguestfs).\n# See Launchpad bugs 1507915 (Nova), 759725 (Ubuntu), and http://libguestfs.org/guestfs-faq.1.html\nnova_libvirt_inject_key: false\n# inject partition 
options:\n#  -2 => disable, -1 => inspect (libguestfs only), 0 => not partitioned, >0 => partition number\nnova_libvirt_inject_partition: -2\nnova_libvirt_inject_password: false\nnova_libvirt_disk_cachemodes: '{{ (nova_libvirt_images_rbd_pool | length > 0) | ternary(\"network=writeback\", \"\") }}'\nnova_libvirt_hw_disk_discard: '{{ (nova_libvirt_images_rbd_pool | length > 0) | ternary(\"unmap\", \"ignore\") }}'\nnova_libvirt_live_migration_inbound_addr: \"{{ _nova_my_ip }}\"\n\n## Nova console\n# Set the console type for the compute host. Presently the only options are [\"spice\", \"novnc\", \"serialconsole\", \"disabled\"].\nnova_console_type_mapping:\n  x86_64: novnc\n  ppc64le: novnc\n  aarch64: serialconsole\n\nnova_console_type: \"{{ nova_console_type_mapping[ansible_facts['architecture']] }}\"\n\n## Nova ironic console\n# Set the console type. Presently the only options are [\"serialconsole\", \"disabled\"].\nnova_ironic_console_type: \"disabled\"\nnova_ironic_used: \"{{ _nova_ironic_used }}\"\n\n## Nova console proxies\n# Set the console proxy types.\nnova_console_proxy_types: \"{{ _nova_console_proxy_types }}\"\n\n# Nova console ssl info, presently only used by novnc console type\nnova_console_ssl_dir: \"{{ nova_system_home_folder }}/console_ssl\"\nnova_console_ssl_cert: \"{{ nova_console_ssl_dir }}/nova-console.pem\"\nnova_console_ssl_key: \"{{ nova_console_ssl_dir }}/nova-console.key\"\n\n# Enable TLS on VNC connection from novnc to compute hosts\nnova_qemu_vnc_tls: 1\nnova_vencrypt_client_key: \"/etc/pki/nova-novncproxy/client-key.pem\"\nnova_vencrypt_client_cert: \"/etc/pki/nova-novncproxy/client-cert.pem\"\nnova_vencrypt_ca_certs: \"/etc/pki/nova-novncproxy/ca-cert.pem\"\n# The auth_schemes values should be listed in order of preference.\n# If enabling VeNCrypt on an existing deployment which already has instances running,\n# the noVNC proxy server must initially be allowed to use vencrypt and none.\n# Once it is confirmed that all Compute nodes have 
VeNCrypt enabled for VNC,\n# it is possible to remove the none option from the list\nnova_vencrypt_auth_scheme: \"vencrypt,none\"\n\n## Nova global config\nnova_image_cache_manager_interval: 0\n\n# Nova Scheduler\nnova_cpu_allocation_ratio: 2.0\nnova_disk_allocation_ratio: 1.0\nnova_max_io_ops_per_host: 10\nnova_ram_allocation_ratio: 1.0\nnova_reserved_host_disk_mb: 2048\n\nnova_scheduler_host_subset_size: \"{{ ((((groups['compute_hosts'] | default([]) | length) * 0.3) | round | int, 10) | min, 1) | max }}\"\nnova_scheduler_max_attempts: 5\nnova_scheduler_default_filters:\n  - ComputeFilter\n  - AggregateNumInstancesFilter\n  - AggregateIoOpsFilter\n  - ComputeCapabilitiesFilter\n  - ImagePropertiesFilter\n  - ServerGroupAntiAffinityFilter\n  - ServerGroupAffinityFilter\n  - NUMATopologyFilter\n\nnova_blazar_scheduler_filters:\n  - BlazarFilter\n\nnova_scheduler_extra_filters: []\n\n# This should be tuned depending on the number of compute hosts present in the\n# deployment. Large clouds may wish to disable automatic discovery by setting\n# this value to -1.\nnova_discover_hosts_in_cells_interval: \"{{ 300 if groups['nova_compute'] | length > 10 else 60 }}\"\n\n# Define nfs information to enable nfs shares as mounted directories for\n# nova. 
The ``nova_nfs_client`` value is a list of dictionaries that must\n# be filled out completely to enable the persistent NFS mounts.\n#\n# Example of the expected dict structure:\n# nova_nfs_client:\n#   - server: \"127.0.0.1\"                   ## Hostname or IP address of NFS Server\n#     remote_path: \"/instances\"             ## Remote path from the NFS server's export\n#     local_path: \"/var/lib/nova/instances\" ## Local path on machine\n#     type: \"nfs\"                           ## This can be nfs or nfs4\n#     options: \"_netdev,auto\"               ## Mount options\n#     config_overrides: \"{}\"                ## Override dictionary for unit file\nnova_nfs_client: []\n\n# Nova Ceph rbd\n# Enable and define nova_libvirt_images_rbd_pool to use rbd as nova backend\n# nova_libvirt_images_rbd_pool: vms\nnova_libvirt_images_rbd_pool: \"\"\nnova_ceph_client: \"{{ cinder_ceph_client }}\"\n\n# Enabled upstream if RBD is in use on cinder backends, which requires that\n# ceph be deployed on the nova compute hosts to enable volume backed instances.\nnova_cinder_rbd_inuse: false\n\n# Enable compute nodes to retrieve images from RBD directly rather than through\n# HTTP if images_type is NOT set to RBD. 
Must be False if nova images stored in RBD.\nnova_glance_rbd_inuse: false\nnova_glance_images_rbd_pool: \"{{ glance_rbd_store_pool | default('images') }}\"\n\n# Used to determine if we need a Ceph client\nnova_rbd_inuse: \"{{ (nova_libvirt_images_rbd_pool | length > 0) or (nova_cinder_rbd_inuse | bool) }}\"\n\n## General Nova configuration\n# If ``nova_conductor_workers`` is unset the system will use half the number of available VCPUS to\n# compute the number of api workers to use.\n# nova_conductor_workers: 16\n\n# If ``nova_scheduler_workers`` is unset the system will use half the number of available VCPUS to\n# compute the number of api workers to use.\n# nova_scheduler_workers: 16\n\n## Cap the maximum number of threads / workers when a user value is unspecified.\nnova_api_threads_max: 16\nnova_api_threads: >-\n  {{ [[(ansible_facts['processor_vcpus'] // ansible_facts['processor_threads_per_core']) | default(1), 1] | max * 2, nova_api_threads_max] | min }}\n\n## Policy vars\n# Provide a list of access controls to update the default policy.json with. These changes will be merged\n# with the access controls in the default policy.json. 
E.g.\n# nova_policy_overrides:\n#   \"compute:create\": \"\"\n#   \"compute:create:attach_network\": \"\"\n\n## Resource provider vars\n# Optionally specify a set of resource providers that a particular compute node exposes\n# See https://docs.openstack.org/nova/latest/admin/managing-resource-providers.html\nnova_provider_overrides: []\n# nova_provider_overrides:\n#   - name: my_provider\n#     content:\n#       meta:\n#         schema_version: '1.0'\n#       providers:\n#         - identification:\n#             name: 'EXAMPLE_RESOURCE_PROVIDER'\n#           inventories:\n#             additional:\n#               - CUSTOM_EXAMPLE_RESOURCE_CLASS:\n#                  total: 100\n#                  reserved: 0\n#                  min_unit: 1\n#                  max_unit: 10\n#                  step_size: 1\n#                  allocation_ratio: 1.0\n#           traits:\n#             additional:\n#               - 'CUSTOM_EXAMPLE_TRAIT'\n\nnova_service_in_ldap: \"{{ service_ldap_backend_enabled | default(False) }}\"\n\n## libvirtd config options\nnova_libvirtd_listen_tls: 1\nnova_libvirtd_listen_tcp: 0\nnova_libvirtd_auth_tcp: sasl\nnova_libvirtd_debug_log_filters: \"3:remote 4:event 3:json 3:rpc\"\n\nnova_api_metadata_init_overrides: {}\nnova_api_os_compute_init_overrides: {}\nnova_compute_init_overrides: {}\nnova_conductor_init_overrides: {}\nnova_novncproxy_init_overrides: {}\nnova_scheduler_init_overrides: {}\nnova_spicehtml5proxy_init_overrides: {}\nnova_serialproxy_init_overrides: {}\n\n## Service Name-Group Mapping\nnova_services:\n  nova-api-metadata:\n    group: nova_api_metadata\n    service_name: nova-api-metadata\n    init_config_overrides: \"{{ nova_api_metadata_init_overrides }}\"\n    start_order: 5\n    wsgi_app: true\n    uwsgi_overrides: \"{{ nova_api_metadata_uwsgi_ini_overrides }}\"\n    uwsgi_bind_address: \"{{ nova_metadata_bind_address }}\"\n    uwsgi_port: \"{{ nova_metadata_port }}\"\n    uwsgi_tls: \"{{ nova_backend_ssl | 
ternary(nova_uwsgi_tls, {}) }}\"\n    wsgi: \"nova.wsgi.metadata:application\"\n  nova-api-os-compute:\n    group: nova_api_os_compute\n    service_name: nova-api-os-compute\n    init_config_overrides: \"{{ {'Install': {'Alias': 'nova-api.service'}} | combine(nova_api_os_compute_init_overrides, recursive=True) }}\"\n    start_order: 4\n    wsgi_app: true\n    uwsgi_overrides: \"{{ nova_api_os_compute_uwsgi_ini_overrides }}\"\n    uwsgi_bind_address: \"{{ nova_service_bind_address }}\"\n    uwsgi_port: \"{{ nova_service_port }}\"\n    uwsgi_tls: \"{{ nova_backend_ssl | ternary(nova_uwsgi_tls, {}) }}\"\n    wsgi: \"nova.wsgi.osapi_compute:application\"\n  nova-compute:\n    group: nova_compute\n    service_name: nova-compute\n    init_config_overrides: \"{{ nova_compute_init_overrides }}\"\n    start_order: 6\n    execstarts: \"{{ nova_bin }}/nova-compute\"\n    execreloads: \"/bin/kill -HUP $MAINPID\"\n    after_targets:\n      - libvirtd.service\n      - syslog.target\n      - network.target\n  nova-conductor:\n    group: nova_conductor\n    service_name: nova-conductor\n    init_config_overrides: \"{{ nova_conductor_init_overrides }}\"\n    start_order: 2\n    execstarts: \"{{ nova_bin }}/nova-conductor\"\n    execreloads: \"/bin/kill -HUP $MAINPID\"\n  nova-novncproxy:\n    group: nova_console\n    service_name: nova-novncproxy\n    init_config_overrides: \"{{ nova_novncproxy_init_overrides }}\"\n    condition: \"{{ 'novnc' in nova_console_proxy_types }}\"\n    start_order: 5\n    execstarts: \"{{ nova_bin }}/nova-novncproxy {{ nova_backend_ssl | ternary('--ssl_only --cert ' ~ nova_ssl_cert ~ ' --key ' ~ nova_ssl_key, '') }}\"\n  nova-scheduler:\n    group: nova_scheduler\n    service_name: nova-scheduler\n    init_config_overrides: \"{{ nova_scheduler_init_overrides }}\"\n    start_order: 3\n    execstarts: \"{{ nova_bin }}/nova-scheduler\"\n    execreloads: \"/bin/kill -HUP $MAINPID\"\n  nova-spicehtml5proxy:\n    group: nova_console\n    service_name: 
nova-spicehtml5proxy\n    init_config_overrides: \"{{ {'Install': {'Alias': 'nova-spiceproxy.service'}} | combine(nova_spicehtml5proxy_init_overrides, recursive=True) }}\"\n    condition: \"{{ 'spice' in nova_console_proxy_types }}\"\n    start_order: 5\n    execstarts: \"{{ nova_bin }}/nova-spicehtml5proxy {{ nova_backend_ssl | ternary('--ssl_only --cert ' ~ nova_ssl_cert ~ ' --key ' ~ nova_ssl_key, '') }}\"\n  nova-serialconsole-proxy:\n    group: nova_console\n    service_name: nova-serialproxy\n    init_config_overrides: \"{{ nova_serialproxy_init_overrides }}\"\n    condition: \"{{ 'serialconsole' in nova_console_proxy_types }}\"\n    start_order: 5\n    execstarts: \"{{ nova_bin }}/nova-serialproxy {{ nova_backend_ssl | ternary('--ssl_only --cert ' ~ nova_ssl_cert ~ ' --key ' ~ nova_ssl_key, '') }}\"\n  nova_ironic_sericalconsole-proxy:\n    group: ironic_console\n    service_name: nova-serialproxy\n    init_config_overrides: \"{{ nova_serialproxy_init_overrides }}\"\n    condition: \"{{ 'serialconsole' in nova_console_proxy_types }}\"\n    start_order: 5\n    execstarts: \"{{ nova_bin }}/nova-serialproxy {{ nova_backend_ssl | ternary('--ssl_only --cert ' ~ nova_ssl_cert ~ ' --key ' ~ nova_ssl_key, '') }}\"\n\nnova_blazar_pip_packages:\n  - blazar-nova\n\nnova_novnc_pip_packages:\n  - websockify\n\nnova_compute_ironic_pip_packages:\n  - python-ironicclient\n\n# Common pip packages\nnova_pip_packages:\n  - \"git+{{ nova_git_repo }}@{{ nova_git_install_branch }}#egg=nova\"\n  - osprofiler\n  - PyMySQL\n  - \"{{ _nova_cache_backend_package }}\"\n  - systemd-python\n\n# Specific pip packages provided by the user\nnova_user_pip_packages: []\n\nnova_qemu_user: libvirt-qemu\nnova_qemu_group: kvm\n\n# Define the following variable to drop a replacement\n# file for /etc/libvirt/qemu.conf\nqemu_conf_dict: {}\n\n## Tunable overrides\nnova_nova_conf_overrides: {}\nnova_rootwrap_conf_overrides: {}\nnova_api_paste_ini_overrides: {}\nnova_policy_overrides: 
{}\nnova_vendor_data_overrides: {}\nnova_api_metadata_uwsgi_ini_overrides: {}\nnova_api_os_compute_uwsgi_ini_overrides: {}\n\n# Attempt to auto-discover available vGPU devices.\n# It is recommended to define them explicitly through ``nova_enabled_mdev_types``.\n# Doing so has precedence over discovered ones and does not require to\n# disable the variable explicitly.\nnova_discover_mdev_types: true\n\n# Enabled vGPU Types - dict defining 'type' and 'address' (optional) of vGPU\n# an address is only required when supporting more than one physical GPU on the host\n# Example 1:\n# nova_enabled_mdev_types:\n#   - type: nvidia-35\n#\n# Example 2:\n# nova_enabled_mdev_types:\n#   - type: nvidia-35\n#     address: \"<device address.0>,<device address.1>\"\n#   - type: nvidia-36\n#     address:\n#       - \"<another device address.0>\"\n#       - \"<another device address.1>\"\nnova_enabled_mdev_types: \"{{ nova_enabled_vgpu_types | default({}) }}\"\n\n# PCI devices passthrough to nova\n# Example:\n# nova_device_spec:\n#   - '{ \"physical_network\": \"physnet1\", \"devname\": \"p1p1\" }'\nnova_device_spec: \"{{ nova_pci_passthrough_whitelist | default([]) }}\"\n\n# PCI alias,\n# Example:\n# nova_pci_alias:\n#  - '{ \"name\": \"card-alias1\", \"product_id\": \"XXXX\", \"vendor_id\": \"XXXX\" }'\n#  - '{ \"name\": \"card-alias2\", \"product_id\": \"XXXY\", \"vendor_id\": \"XXXY\" }'\nnova_pci_alias: []\n\n# Storage location for SSL certificate authority\nnova_pki_dir: \"{{ openstack_pki_dir }}\"\n\n# Delegated host for operating the certificate authority\nnova_pki_setup_host: \"{{ openstack_pki_setup_host | default('localhost') }}\"\n\n# Nova server certificate\nnova_pki_keys_path: \"{{ nova_pki_dir ~ '/certs/private/' }}\"\nnova_pki_certs_path: \"{{ nova_pki_dir ~ '/certs/certs/' }}\"\nnova_pki_intermediate_cert_name: \"{{ openstack_pki_service_intermediate_cert_name }}\"\nnova_pki_intermediate_chain_path: >-\n  {{ nova_pki_dir ~ '/roots/' ~ nova_pki_intermediate_cert_name ~ 
'/certs/' ~ nova_pki_intermediate_cert_name ~ '-chain.crt' }}\nnova_pki_regen_cert: \"\"\nnova_pki_san: \"{{ openstack_pki_san | default('DNS:' ~ ansible_facts['hostname'] ~ ',IP:' ~ management_address) }}\"\nnova_pki_compute_san: >-\n  {{\n    'DNS:' ~ ansible_facts['hostname'] ~ ',DNS:' ~ ansible_facts['nodename'] ~ ',IP:' ~ _nova_my_ip ~ (\n      nova_libvirt_live_migration_inbound_addr != nova_management_address) |ternary(',IP:' ~ nova_libvirt_live_migration_inbound_addr, '')\n  }}\n# Create client and server cert for compute hosts\n# This certificate is used to secure TLS live migrations and VNC sessions\nnova_pki_compute_certificates:\n  - name: \"nova_{{ ansible_facts['hostname'] }}\"\n    provider: ownca\n    cn: \"{{ ansible_facts['nodename'] }}\"\n    san: \"{{ nova_pki_compute_san }}\"\n    signed_by: \"{{ nova_pki_intermediate_cert_name }}\"\n    key_usage:\n      - digitalSignature\n      - keyAgreement\n      - keyEncipherment\n    extended_key_usage:\n      - clientAuth\n      - serverAuth\n\n# libvirt default destination files for SSL certificates\nnova_libvirt_ssl_dir: /etc/pki/libvirt\n# QEMU default destination files for SSL certificates\nnova_qemu_ssl_dir: /etc/pki/qemu\n\n# Installation details for SSL certificates for compute hosts TLS live migration\nnova_pki_compute_install_certificates:\n  - src: \"{{ nova_user_ssl_cert | default(nova_pki_certs_path ~ 'nova_' ~ ansible_facts['hostname'] ~ '-chain.crt') }}\"\n    dest: \"{{ nova_libvirt_ssl_dir }}/servercert.pem\"\n    owner: \"root\"\n    group: \"root\"\n    mode: \"0640\"\n  # Server certificate key used by libvirt for live migrations\n  - src: \"{{ nova_user_ssl_key | default(nova_pki_keys_path ~ 'nova_' ~ ansible_facts['hostname'] ~ '.key.pem') }}\"\n    dest: \"{{ nova_libvirt_ssl_dir }}/private/serverkey.pem\"\n    owner: \"root\"\n    group: \"root\"\n    mode: \"0640\"\n  # Client certificate used by libvirt for live migrations\n  # Defaults to using the server certificate which is 
signed for both clientAuth and serverAuth\n  - src: \"{{ nova_user_ssl_cert | default(nova_pki_certs_path ~ 'nova_' ~ ansible_facts['hostname'] ~ '-chain.crt') }}\"\n    dest: \"{{ nova_libvirt_ssl_dir }}/clientcert.pem\"\n    owner: \"root\"\n    group: \"root\"\n    mode: \"0640\"\n  # Client certificate key used by libvirt for live migrations\n  - src: \"{{ nova_user_ssl_key | default(nova_pki_keys_path ~ 'nova_' ~ ansible_facts['hostname'] ~ '.key.pem') }}\"\n    dest: \"{{ nova_libvirt_ssl_dir }}/private/clientkey.pem\"\n    owner: \"root\"\n    group: \"root\"\n    mode: \"0640\"\n  # Server certificate used by QEMU for live migrations\n  - src: \"{{ nova_user_ssl_cert | default(nova_pki_certs_path ~ 'nova_' ~ ansible_facts['hostname'] ~ '-chain.crt') }}\"\n    dest: \"{{ nova_qemu_ssl_dir }}/server-cert.pem\"\n    owner: \"root\"\n    group: \"{{ nova_qemu_group }}\"\n    mode: \"0640\"\n  # Server certificate key used by QEMU for live migrations\n  - src: \"{{ nova_user_ssl_key | default(nova_pki_keys_path ~ 'nova_' ~ ansible_facts['hostname'] ~ '.key.pem') }}\"\n    dest: \"{{ nova_qemu_ssl_dir }}/server-key.pem\"\n    owner: \"root\"\n    group: \"{{ nova_qemu_group }}\"\n    mode: \"0640\"\n  # Client certificate used by QEMU for live migrations\n  # Defaults to using the server certificate which is signed for both clientAuth and serverAuth\n  - src: \"{{ nova_user_ssl_cert | default(nova_pki_certs_path ~ 'nova_' ~ ansible_facts['hostname'] ~ '-chain.crt') }}\"\n    dest: \"{{ nova_qemu_ssl_dir }}/client-cert.pem\"\n    owner: \"root\"\n    group: \"{{ nova_qemu_group }}\"\n    mode: \"0640\"\n  # Client certificate key used by QEMU for live migrations\n  - src: \"{{ nova_user_ssl_key | default(nova_pki_keys_path ~ 'nova_' ~ ansible_facts['hostname'] ~ '.key.pem') }}\"\n    dest: \"{{ nova_qemu_ssl_dir }}/client-key.pem\"\n    owner: \"root\"\n    group: \"{{ nova_qemu_group }}\"\n    mode: \"0640\"\n  # Root CA for libvirt\n  # libvirt requires that the 
CA cert file has any intermediate certificates for the server cert,\n  # so defaults to using the intermediate chain, which contains the intermediate and Root CA\n  - src: \"{{ nova_user_ssl_ca_cert | default(nova_pki_intermediate_chain_path) }}\"\n    dest: \"/etc/pki/CA/cacert.pem\"\n    owner: \"root\"\n    group: \"root\"\n    mode: \"0644\"\n  # Root CA for qemu\n  - src: \"{{ nova_user_ssl_ca_cert | default(nova_pki_intermediate_chain_path) }}\"\n    dest: \"{{ nova_qemu_ssl_dir }}/ca-cert.pem\"\n    owner: \"root\"\n    group: \"root\"\n    mode: \"0644\"\n\n# Define user-provided SSL certificates in:\n# /etc/openstack_deploy/user_variables.yml\n# nova_user_ssl_cert: <path to cert on ansible deployment host>\n# nova_user_ssl_key: <path to key on ansible deployment host>\n# nova_user_ssl_ca_cert: <path to cert on ansible deployment host>\n\n# TLS certificates for console hosts\nnova_pki_console_condition: \"{{ nova_qemu_vnc_tls == 1 and nova_console_type == 'novnc' and 'nova_console' in group_names }}\"\nnova_pki_console_certificates:\n  # Client certificate used by noVNC proxy to authenticate with compute hosts using vencrypt\n  - name: \"nova_{{ ansible_facts['hostname'] }}-client\"\n    provider: ownca\n    cn: \"{{ ansible_facts['nodename'] }}\"\n    san: \"{{ nova_pki_compute_san }}\"\n    signed_by: \"{{ nova_pki_intermediate_cert_name }}\"\n    key_usage:\n      - digitalSignature\n      - keyAgreement\n      - keyEncipherment\n    extended_key_usage:\n      - clientAuth\n    condition: \"{{ nova_pki_console_condition | bool }}\"\n\n# Installation details for SSL certificates for console hosts\nnova_pki_console_install_certificates:\n  - src: \"{{ nova_user_ssl_cert | default(nova_pki_certs_path ~ 'nova_' ~ ansible_facts['hostname'] ~ '-client-chain.crt') }}\"\n    dest: \"{{ nova_vencrypt_client_cert }}\"\n    owner: \"root\"\n    group: \"{{ nova_system_group_name }}\"\n    mode: \"0640\"\n    condition: \"{{ nova_pki_console_condition | bool }}\"\n  
- src: \"{{ nova_user_ssl_key | default(nova_pki_keys_path ~ 'nova_' ~ ansible_facts['hostname'] ~ '-client.key.pem') }}\"\n    dest: \"{{ nova_vencrypt_client_key }}\"\n    owner: \"root\"\n    group: \"{{ nova_system_group_name }}\"\n    mode: \"0640\"\n    condition: \"{{ nova_pki_console_condition | bool }}\"\n  - src: \"{{ nova_user_ssl_ca_cert | default(nova_pki_intermediate_chain_path) }}\"\n    dest: \"{{ nova_vencrypt_ca_certs }}\"\n    owner: \"root\"\n    group: \"{{ nova_system_group_name }}\"\n    mode: \"0640\"\n    condition: \"{{ nova_pki_console_condition | bool }}\"\n\n# Extra settings which will be applied for `nova` user for offline\n# migrations and resizes. Example:\n# nova_ssh_custom_config:\n#    Port: 2022\nnova_ssh_custom_config: {}\n\n# host which holds the ssh certificate authority\nnova_ssh_keypairs_setup_host: \"{{ openstack_ssh_keypairs_setup_host | default('localhost') }}\"\n\n# directory on the deploy host to create and store SSH keypairs\nnova_ssh_keypairs_dir: \"{{ openstack_ssh_keypairs_dir | default('/etc/openstack_deploy/ssh_keypairs') }}\"\n\n# Each compute host needs a signed ssh certificate to log into the others\nnova_ssh_keypairs:\n  - name: \"nova-{{ inventory_hostname }}\"\n    cert:\n      signed_by: \"{{ openstack_ssh_signing_key }}\"\n      principals: \"{{ nova_ssh_key_principals | default('nova') }}\"\n      valid_from: \"{{ nova_ssh_key_valid_from | default('always') }}\"\n      valid_to: \"{{ nova_ssh_key_valid_to | default('forever') }}\"\n\n# Each compute host needs the signed ssh certificate installing to the nova user\nnova_ssh_keypairs_install_keys:\n  owner: \"{{ nova_system_user_name }}\"\n  group: \"{{ nova_system_group_name }}\"\n  keys:\n    - cert: \"nova-{{ inventory_hostname }}\"\n      dest: \"{{ nova_system_home_folder }}/.ssh/id_rsa\"\n\n# Each compute host must trust the SSHD certificate authority in the sshd configuration\nnova_ssh_keypairs_install_ca: \"{{ openstack_ssh_keypairs_authorities 
}}\"\n\n# Each compute host must allow SSH certificates with the appropriate principal to log into the nova user\nnova_ssh_keypairs_principals:\n  - user: \"{{ nova_system_user_name }}\"\n    principals: \"{{ nova_ssh_key_principals | default(['nova']) }}\"\n\n###\n### Backend TLS\n###\n\n# Define if communication between haproxy and service backends should be\n# encrypted with TLS.\nnova_backend_ssl: \"{{ openstack_service_backend_ssl | default(False) }}\"\nnova_pki_certificates_condition: >-\n  {{\n    nova_backend_ssl and (\n      'nova_console' in group_names or\n      'nova_api_metadata' in group_names or\n      'nova_api_os_compute' in group_names\n    )\n  }}\n\nnova_pki_certificates:\n  # Used to encrypt traffic between haproxy and nova backends\n  - name: \"nova_{{ ansible_facts['hostname'] }}_api\"\n    provider: ownca\n    cn: \"{{ ansible_facts['hostname'] }}\"\n    san: \"{{ nova_pki_san }}\"\n    signed_by: \"{{ nova_pki_intermediate_cert_name }}\"\n    condition: \"{{ nova_pki_certificates_condition | bool }}\"\n\n# nova destination files for SSL certificates\nnova_ssl_cert: \"{{ nova_system_home_folder }}/nova.pem\"\nnova_ssl_key: \"{{ nova_system_home_folder }}/nova.key\"\n\n# Installation details for SSL certificates\nnova_pki_install_certificates:\n  - src: \"{{ nova_user_ssl_cert | default(nova_pki_certs_path ~ 'nova_' ~ ansible_facts['hostname'] ~ '_api-chain.crt') }}\"\n    dest: \"{{ nova_ssl_cert }}\"\n    owner: \"{{ nova_system_user_name }}\"\n    group: \"{{ nova_system_user_name }}\"\n    mode: \"0644\"\n    condition: \"{{ nova_pki_certificates_condition | bool }}\"\n  - src: \"{{ nova_user_ssl_key | default(nova_pki_keys_path ~ 'nova_' ~ ansible_facts['hostname'] ~ '_api.key.pem') }}\"\n    dest: \"{{ nova_ssl_key }}\"\n    owner: \"{{ nova_system_user_name }}\"\n    group: \"{{ nova_system_user_name }}\"\n    mode: \"0600\"\n    condition: \"{{ nova_pki_certificates_condition | bool }}\"\n\n# Periodically move records for deleted 
resources to shadow tables\nnova_archive_deleted: false\n# When to start archive task. Refer to Systemd Calendar Events for guidance\n# on format:\n# https://www.freedesktop.org/software/systemd/man/systemd.time.html#Calendar%20Events\nnova_archive_deleted_on_calendar: \"*-*-* 00:00:00\"\n# Archive events that are older than the timeframe below.\n# Should be in a format of bash date string\nnova_archive_deleted_before: \"6 month ago\"\n# Delete records instead of moving them to shadow tables\nnova_archive_deleted_purge: false\n# Archive instance task log\nnova_archive_task_log: false\n# Delay the timer by a randomly selected amount of time.\nnova_archive_deleted_randomized_delay_sec: 0\n\n# Periodically purge shadow tables, where archived records are stored\nnova_purge_deleted: false\n# When to start purge task.\nnova_purge_deleted_on_calendar: \"*-*-* 01:00:00\"\n# Purge events that are older than the timeframe below.\nnova_purge_deleted_before: \"24 month ago\"\n# Delay the timer by a randomly selected amount of time.\nnova_purge_deleted_randomized_delay_sec: 0\n","created":"2025-12-14T10:21:44.954152Z","updated":"2025-12-14T10:21:44.954162Z","path":"/home/zuul/src/opendev.org/openstack/openstack-ansible-os_nova/defaults/main.yml"}