{"id":653,"sha1":"d86ed5523da38cb9cce8fd745bfad479281dce8c","playbook":{"id":4,"items":{"plays":32,"tasks":1505,"results":1497,"hosts":12,"files":487,"records":0},"arguments":{"version":null,"verbosity":0,"private_key_file":null,"remote_user":null,"connection":"openstack.osa.ssh","timeout":null,"ssh_common_args":null,"sftp_extra_args":null,"scp_extra_args":null,"ssh_extra_args":null,"ask_pass":false,"connection_password_file":null,"force_handlers":true,"flush_cache":false,"become":false,"become_method":"sudo","become_user":null,"become_ask_pass":false,"become_password_file":null,"tags":["all"],"skip_tags":[],"check":false,"diff":false,"inventory":["/home/zuul/src/opendev.org/openstack/openstack-ansible/inventory/dynamic_inventory.py","/home/zuul/src/opendev.org/openstack/openstack-ansible/inventory/inventory.ini","/etc/openstack_deploy/inventory.ini"],"listhosts":false,"subset":null,"extra_vars":"Not saved by ARA as configured by 'ignored_arguments'","vault_ids":[],"ask_vault_pass":false,"vault_password_files":[],"forks":4,"module_path":null,"syntax":false,"listtasks":false,"listtags":false,"step":false,"start_at_task":null,"args":["setup-openstack.yml"]},"labels":[{"id":1,"name":"check:False"},{"id":2,"name":"tags:all"}],"started":"2025-12-08T13:57:07.871967Z","ended":"2025-12-08T14:21:54.049657Z","duration":"00:24:46.177690","name":null,"ansible_version":"2.18.6","client_version":"1.7.4","python_version":"3.12.11","server_version":"1.7.4","status":"failed","path":"/home/zuul/src/opendev.org/openstack/openstack-ansible/playbooks/setup-openstack.yml","controller":"aio1.openstack.local","user":"root"},"content":"---\n# Copyright 2017, Rackspace US, Inc.\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not use this file except in compliance with the License.\n# You may obtain a copy of the License at\n#\n# http://www.apache.org/licenses/LICENSE-2.0\n#\n# Unless required by applicable law or agreed to in writing, software\n# distributed under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License for the specific language governing permissions and\n# limitations under the License.\n\n## Verbosity Options\ndebug: false\n\n# Set the host which will execute the shade modules\n# for the service setup. The host must already have\n# clouds.yaml properly configured.\noctavia_service_setup_host: \"{{ openstack_service_setup_host | default('localhost') }}\"\noctavia_service_setup_host_python_interpreter: >-\n {{\n openstack_service_setup_host_python_interpreter | default(\n (octavia_service_setup_host == 'localhost') | ternary(ansible_playbook_python, ansible_facts['python']['executable']))\n }}\n\n# Set installation method.\noctavia_install_method: \"{{ service_install_method | default('source') }}\"\noctavia_venv_python_executable: \"{{ openstack_venv_python_executable | default('python3') }}\"\n\n## Allow TLS listener\noctavia_tls_listener_enabled: true\n\n# Set the package install state for distribution packages\n# Options are 'present' and 'latest'\noctavia_package_state: \"{{ package_state | default('latest') }}\"\n\n# Source git repo/branch settings\noctavia_git_repo: https://opendev.org/openstack/octavia\noctavia_git_install_branch: master\noctavia_upper_constraints_url: >-\n {{ requirements_git_url | default('https://releases.openstack.org/constraints/upper/' ~ requirements_git_install_branch | default('master')) }}\n\noctavia_ovn_octavia_provider_git_repo: https://opendev.org/openstack/ovn-octavia-provider\noctavia_ovn_octavia_provider_git_install_branch: master\n\noctavia_git_constraints:\n - \"--constraint {{ octavia_upper_constraints_url }}\"\n\noctavia_pip_install_args: \"{{ pip_install_options | default('') }}\"\n\n# Name of the virtual env to deploy into\noctavia_venv_tag: \"{{ venv_tag | default('untagged') }}\"\noctavia_bin: \"{{ _octavia_bin }}\"\n\noctavia_clients_endpoint: internal\n\noctavia_auth_strategy: keystone\n\n## Barbican certificates\noctavia_barbican_enabled: false\n\n## Cinder Volume\noctavia_cinder_enabled: false\ncinder_default_availability_zone: \"{{ octavia_amp_availability_zone }}\"\noctavia_cinder_volume_size: 20\noctavia_cinder_volume_type: \"volumes-hdd\"\n\n## Database info\noctavia_db_setup_host: \"{{ openstack_db_setup_host | default('localhost') }}\"\noctavia_db_setup_python_interpreter: >-\n {{\n openstack_db_setup_python_interpreter | default(\n (octavia_db_setup_host == 'localhost') | ternary(ansible_playbook_python, ansible_facts['python']['executable']))\n }}\noctavia_galera_address: \"{{ galera_address | default('127.0.0.1') }}\"\noctavia_galera_user: octavia\noctavia_galera_database: octavia\noctavia_galera_persistence_database: octavia_persistence\noctavia_galera_use_ssl: \"{{ galera_use_ssl | default(False) }}\"\noctavia_galera_ssl_ca_cert: \"{{ galera_ssl_ca_cert | default('') }}\"\noctavia_db_max_overflow: \"{{ openstack_db_max_overflow | default('50') }}\"\noctavia_db_max_pool_size: \"{{ openstack_db_max_pool_size | default('5') }}\"\noctavia_db_pool_timeout: \"{{ openstack_db_pool_timeout | default('30') }}\"\noctavia_db_connection_recycle_time: \"{{ openstack_db_connection_recycle_time | default('600') }}\"\noctavia_galera_port: \"{{ galera_port | default('3306') }}\"\n\n## Coordination info\n# NOTE: Only Zookeeper and Redis are supported for Octavia\noctavia_coordination_driver: \"{{ coordination_driver | default('zookeeper') }}\"\noctavia_coordination_group: \"{{ coordination_host_group | default('zookeeper_all') }}\"\noctavia_coordination_enable: \"{{ octavia_coordination_group in groups and groups[octavia_coordination_group] | length > 0 }}\"\noctavia_coordination_namespace: octavia_jobboard\noctavia_coordination_client_ssl: \"{{ coordination_client_ssl | default(False) }}\"\noctavia_coordination_verify_cert: \"{{ coordination_verify_cert | default(True) }}\"\noctavia_coordination_port: \"{{ coordination_port | default(octavia_coordination_client_ssl | ternary('2281', '2181')) }}\"\n\n## Oslo Messaging\n\n# RPC\noctavia_oslomsg_rpc_host_group: \"{{ oslomsg_rpc_host_group | default('rabbitmq_all') }}\"\noctavia_oslomsg_rpc_setup_host: \"{{ (octavia_oslomsg_rpc_host_group in groups) | ternary(groups[octavia_oslomsg_rpc_host_group][0], 'localhost') }}\"\noctavia_oslomsg_rpc_transport: \"{{ oslomsg_rpc_transport | default('rabbit') }}\"\noctavia_oslomsg_rpc_servers: \"{{ oslomsg_rpc_servers | default('127.0.0.1') }}\"\noctavia_oslomsg_rpc_port: \"{{ oslomsg_rpc_port | default('5672') }}\"\noctavia_oslomsg_rpc_use_ssl: \"{{ oslomsg_rpc_use_ssl | default(False) }}\"\noctavia_oslomsg_rpc_userid: octavia\noctavia_oslomsg_rpc_policies: []\n# vhost name depends on value of oslomsg_rabbit_quorum_queues. In case quorum queues\n# are not used - vhost name will be prefixed with leading `/`.\noctavia_oslomsg_rpc_vhost:\n - name: /octavia\n state: \"{{ octavia_oslomsg_rabbit_quorum_queues | ternary('absent', 'present') }}\"\n - name: octavia\n state: \"{{ octavia_oslomsg_rabbit_quorum_queues | ternary('present', 'absent') }}\"\noctavia_oslomsg_rpc_ssl_version: \"{{ oslomsg_rpc_ssl_version | default('TLSv1_2') }}\"\noctavia_oslomsg_rpc_ssl_ca_file: \"{{ oslomsg_rpc_ssl_ca_file | default('') }}\"\n\n# Notify\noctavia_oslomsg_notify_configure: \"{{ oslomsg_notify_configure | default(octavia_ceilometer_enabled) }}\"\noctavia_oslomsg_notify_host_group: \"{{ oslomsg_notify_host_group | default('rabbitmq_all') }}\"\noctavia_oslomsg_notify_setup_host: >-\n {{ (octavia_oslomsg_notify_host_group in groups) | ternary(groups[octavia_oslomsg_notify_host_group][0], 'localhost') }}\noctavia_oslomsg_notify_transport: \"{{ oslomsg_notify_transport | default('rabbit') }}\"\noctavia_oslomsg_notify_servers: \"{{ oslomsg_notify_servers | default('127.0.0.1') }}\"\noctavia_oslomsg_notify_port: \"{{ oslomsg_notify_port | default('5672') }}\"\noctavia_oslomsg_notify_use_ssl: \"{{ oslomsg_notify_use_ssl | default(False) }}\"\noctavia_oslomsg_notify_userid: \"{{ octavia_oslomsg_rpc_userid }}\"\noctavia_oslomsg_notify_password: \"{{ octavia_oslomsg_rpc_password }}\"\noctavia_oslomsg_notify_vhost: \"{{ octavia_oslomsg_rpc_vhost }}\"\noctavia_oslomsg_notify_ssl_version: \"{{ oslomsg_notify_ssl_version | default('TLSv1_2') }}\"\noctavia_oslomsg_notify_ssl_ca_file: \"{{ oslomsg_notify_ssl_ca_file | default('') }}\"\noctavia_oslomsg_notify_policies: []\n\n## RabbitMQ integration\noctavia_oslomsg_rabbit_quorum_queues: \"{{ oslomsg_rabbit_quorum_queues | default(True) }}\"\noctavia_oslomsg_rabbit_stream_fanout: \"{{ oslomsg_rabbit_stream_fanout | default(octavia_oslomsg_rabbit_quorum_queues) }}\"\noctavia_oslomsg_rabbit_transient_quorum_queues: \"{{ oslomsg_rabbit_transient_quorum_queues | default(octavia_oslomsg_rabbit_stream_fanout) }}\"\noctavia_oslomsg_rabbit_qos_prefetch_count: \"{{ oslomsg_rabbit_qos_prefetch_count | default(octavia_oslomsg_rabbit_stream_fanout | ternary(10, 0)) }}\"\noctavia_oslomsg_rabbit_queue_manager: \"{{ oslomsg_rabbit_queue_manager | default(octavia_oslomsg_rabbit_quorum_queues) }}\"\noctavia_oslomsg_rabbit_quorum_delivery_limit: \"{{ oslomsg_rabbit_quorum_delivery_limit | default(0) }}\"\noctavia_oslomsg_rabbit_quorum_max_memory_bytes: \"{{ oslomsg_rabbit_quorum_max_memory_bytes | default(0) }}\"\n\noctavia_ceilometer_enabled: \"{{ (groups['ceilometer_all'] is defined) and (groups['ceilometer_all'] | length > 0) }}\"\n\n## octavia User / Group\noctavia_system_user_name: octavia\noctavia_system_group_name: octavia\noctavia_system_shell: /bin/false\noctavia_system_comment: octavia system user\noctavia_system_home_folder: \"/var/lib/{{ octavia_system_user_name }}\"\noctavia_system_slice_name: octavia\noctavia_lock_dir: \"{{ openstack_lock_dir | default('/run/lock') }}\"\n\n## Auth\noctavia_service_region: \"{{ service_region | default('RegionOne') }}\"\noctavia_service_project_name: \"service\"\noctavia_service_user_name: \"octavia\"\noctavia_service_role_names:\n - admin\n - service\noctavia_service_token_roles:\n - service\noctavia_service_token_roles_required: \"{{ openstack_service_token_roles_required | default(True) }}\"\noctavia_service_project_domain_id: default\noctavia_service_user_domain_id: default\noctavia_keystone_auth_plugin: \"{{ octavia_keystone_auth_type }}\"\noctavia_keystone_auth_type: password\n\n## octavia api service type and data\noctavia_service_name: octavia\noctavia_service_description: \"Octavia Load Balancing Service\"\noctavia_service_port: 9876\noctavia_service_proto: http\noctavia_service_publicuri_proto: \"{{ openstack_service_publicuri_proto | default(octavia_service_proto) }}\"\noctavia_service_adminuri_proto: \"{{ openstack_service_adminuri_proto | default(octavia_service_proto) }}\"\noctavia_service_internaluri_proto: \"{{ openstack_service_internaluri_proto | default(octavia_service_proto) }}\"\noctavia_service_type: load-balancer\noctavia_service_publicuri: \"{{ octavia_service_publicuri_proto }}://{{ external_lb_vip_address }}:{{ octavia_service_port }}\"\noctavia_service_adminuri: \"{{ octavia_service_adminuri_proto }}://{{ internal_lb_vip_address }}:{{ octavia_service_port }}\"\noctavia_service_internaluri: \"{{ octavia_service_internaluri_proto }}://{{ internal_lb_vip_address }}:{{ octavia_service_port }}\"\n\noctavia_service_in_ldap: \"{{ service_ldap_backend_enabled | default(False) }}\"\n\n## RPC\noctavia_rpc_thread_pool_size: 64\noctavia_rpc_conn_pool_size: 30\n\n## Timeouts\noctavia_amp_active_retries: 10\n\n## Plugin dirs\noctavia_plugin_dirs:\n - /usr/lib/octavia\n - /usr/local/lib/octavia\n\n###\n### Python code details\n###\n\noctavia_pip_packages:\n - cryptography\n - keystonemiddleware\n - osprofiler\n - PyMySQL\n - pymemcache\n - python-glanceclient\n - python-keystoneclient\n - python-memcached\n - python-neutronclient\n - python-novaclient\n - python-openstackclient\n - python-octaviaclient\n - \"git+{{ octavia_git_repo }}@{{ octavia_git_install_branch }}#egg=octavia\"\n - systemd-python\n - \"tooz[{{ octavia_coordination_driver }}]\"\n\n# Specific pip packages provided by the user\noctavia_user_pip_packages: []\n\noctavia_optional_ovn_octavia_provider_pip_packages:\n - \"git+{{ octavia_ovn_octavia_provider_git_repo }}@{{ octavia_ovn_octavia_provider_git_install_branch }}#egg=ovn-octavia-provider\"\n\n# Memcached override\noctavia_memcached_servers: \"{{ memcached_servers }}\"\n\noctavia_api_init_overrides: {}\noctavia_worker_init_overrides: {}\noctavia_housekeeping_init_overrides: {}\noctavia_health_manager_init_overrides: {}\noctavia_driver_agent_init_overrides:\n Service:\n Killmode: process\n\n## Service Name-Group Mapping\noctavia_services:\n octavia-api:\n group: octavia-api\n service_name: octavia-api\n start_order: 4\n init_config_overrides: \"{{ octavia_api_init_overrides }}\"\n wsgi_app: true\n wsgi: \"octavia.wsgi.api:application\"\n uwsgi_overrides: \"{{ octavia_api_uwsgi_ini_overrides }}\"\n uwsgi_port: \"{{ octavia_service_port }}\"\n uwsgi_bind_address: \"{{ octavia_uwsgi_bind_address }}\"\n uwsgi_tls: \"{{ octavia_backend_ssl | ternary(octavia_uwsgi_tls, {}) }}\"\n octavia-worker:\n group: octavia-worker\n service_name: octavia-worker\n start_order: 1\n init_config_overrides: \"{{ octavia_worker_init_overrides }}\"\n execstarts: \"{{ octavia_bin }}/octavia-worker\"\n execreloads: \"/bin/kill -HUP $MAINPID\"\n octavia-housekeeping:\n group: octavia-housekeeping\n service_name: octavia-housekeeping\n start_order: 3\n init_config_overrides: \"{{ octavia_housekeeping_init_overrides }}\"\n execstarts: \"{{ octavia_bin }}/octavia-housekeeping\"\n execreloads: \"/bin/kill -HUP $MAINPID\"\n octavia-health-manager:\n group: octavia-health-manager\n service_name: octavia-health-manager\n start_order: 2\n init_config_overrides: \"{{ octavia_health_manager_init_overrides }}\"\n execstarts: \"{{ octavia_bin }}/octavia-health-manager\"\n execreloads: \"/bin/kill -HUP $MAINPID\"\n octavia-driver-agent:\n group: octavia-api\n service_name: octavia-driver-agent\n service_en: \"{{ octavia_ovn_enabled }}\"\n start_order: 5\n init_config_overrides: \"{{ octavia_driver_agent_init_overrides }}\"\n execstarts: \"{{ octavia_bin }}/octavia-driver-agent --config-file /etc/octavia/octavia.conf\"\n execreloads: \"/bin/kill -HUP $MAINPID\"\n\n# Required secrets for the role\noctavia_required_secrets:\n - keystone_auth_admin_password\n - octavia_container_mysql_password\n - octavia_oslomsg_rpc_password\n - octavia_oslomsg_notify_password\n - octavia_service_password\n - memcached_encryption_key\n\n## Octavia configs\n# Load balancer topology options are SINGLE, ACTIVE_STANDBY\noctavia_loadbalancer_topology: ACTIVE_STANDBY\n\n# Image tag for the amphora image in glance\noctavia_glance_image_tag: octavia-amphora-image\n# add here the id of the image owner to avoid faked images being used\noctavia_amp_image_owner_id:\n# download the image from an artefact server\n# Note: The default is the Octavia test image so don't use that in prod\noctavia_download_artefact: true\n# The URL to download from\noctavia_artefact_url: http://tarballs.openstack.org/octavia/test-images/test-only-amphora-x64-haproxy-ubuntu-noble.qcow2\n# Set the directory where the downloaded image will be stored\n# on the octavia_service_setup_host host. If the host is localhost,\n# then the user running the playbook must have access to it.\noctavia_amp_image_path: \"{{ lookup('env', 'HOME', default='/root') }}/openstack-ansible/octavia\"\noctavia_amp_image_path_owner: \"{{ lookup('env', 'USER', default='root') }}\"\n# enable uploading image to glance automatically\noctavia_amp_image_upload_enabled: \"{{ octavia_download_artefact }}\"\noctavia_amp_image_resource:\n - name: amphora-x64-haproxy\n url: \"{{ octavia_artefact_url }}\"\n # Image checksum is required for rotating old images\n # checksum:\n disk_format: qcow2\n keep_copies: 1\n tags:\n - \"{{ octavia_glance_image_tag }}\"\n owner: \"{{ octavia_service_project_name }}\"\n owner_domain: \"{{ octavia_service_project_domain_id }}\"\n image_download_path: \"{{ octavia_amp_image_path }}\"\n\n# Name of the Octavia security group\noctavia_security_group_name: octavia_sec_grp\n# Additional rules to add to the security group for the amphora\noctavia_security_group_additional_rules: []\n# Restrict access to only authorized hosts\noctavia_security_group_rule_cidr: \"{{ octavia_management_net_subnet_cidr }}\"\n\noctavia_resources_deploy_host: localhost\noctavia_resources_deploy_python_interpreter: \"{{ ansible_playbook_python }}\"\n# ssh enabled - switch to True if you need ssh access to the amphora\noctavia_ssh_enabled: false\noctavia_ssh_key_manage: true\noctavia_ssh_key_name: octavia_key\noctavia_ssh_key_dir: \"{{ lookup('env', 'HOME', default='/root') ~ '/.ssh' }}\"\n# SSH Key variables below are set to \"old\" values for backwards compatability\n# of how Nova used to generate keypairs.\noctavia_ssh_key_comment: Generated-by-Nova\n# Options: ssh, pkcs1 and pkcs8\noctavia_ssh_key_format: ssh\n# Options: rsa, dsa, rsa1, ecdsa, ed25519\noctavia_ssh_key_type: rsa\noctavia_ssh_key_size: 2048\n# port the agent listens on\noctavia_agent_port: \"9443\"\noctavia_health_manager_port: 5555\n\n# Octavia Nova flavor\noctavia_amp_flavor_name: \"m1.amphora\"\noctavia_amp_ram: 1024\noctavia_amp_vcpu: 1\noctavia_amp_disk: \"{{ octavia_cinder_enabled | ternary(0, 20) }}\"\n# octavia_amp_extra_specs:\n\n# only increase when it's a really busy system since this is by deployed host,\n# e.g. 3 hosts, 5 workers (this param) per host, results in 15 worker total\noctavia_task_flow_max_workers: 5\n\n# Enable provisioning status sync with neutron db\noctavia_sync_provisioning_status: false\n\n# this controls if Octavia should add an anti-affinity hint to make sure\n# two amphora are not placed pn the same host (the most common setup of\n# ant affinity features in Nova).\noctavia_enable_anti_affinity: true\n\n# Some installations put hardware more suited for load balancing in special\n# availability zones. This allows to target a specific availability zone\n# for amphora creation\noctavia_amp_availability_zone: nova\n\n# List of haproxy template files to copy from deployment host to octavia hosts\n# octavia_user_haproxy_templates:\n# - src: \"/etc/openstack_deploy/octavia/haproxy_templates/base.cfg.j2\"\n# dest: \"/etc/octavia/templates/base.cfg.j2\"\n# - src: \"/etc/openstack_deploy/octavia/haproxy_templates/haproxy.cfg.j2\"\n# dest: \"/etc/octavia/templates/haproxy.cfg.j2\"\n# - src: \"/etc/openstack_deploy/octavia/haproxy_templates/macros.cfg.j2\"\n# dest: \"/etc/octavia/templates/macros.cfg.j2\"\noctavia_user_haproxy_templates: {}\n# Path of custom haproxy template file\n# octavia_haproxy_amphora_template: /etc/octavia/templates/haproxy.cfg.j2\n\n# Name of the Octavia management network in Neutron\noctavia_neutron_management_network_name: lbaas-mgmt\n# Name of the Neutron provider net in the system (flat, vlan, ...)\noctavia_provider_network_name: lbaas\n# Network type\noctavia_provider_network_type: flat\n# Network segmentation ID if vlan, gre...\n# octavia_provider_segmentation_id:\n# Network CIDR\noctavia_management_net_subnet_cidr: 172.29.232.0/22\n# Example allocation range:\n# octavia_management_net_subnet_allocation_pools: \"172.29.232.10-172.29.235.200\"\noctavia_management_net_subnet_allocation_pools: \"\"\n# Do we require the Neutron DHCP server\noctavia_management_net_dhcp: \"False\"\n# Should Octavia set up the network and subnet?\noctavia_service_net_setup: true\n# This should match net_name from provider_networks structure in openstack_user_config\noctavia_provider_inventory_net_name: \"{{ octavia_provider_network_name }}\"\n# This gets container managment network structure based on octavia_provider_inventory_net_name\noctavia_provider_network: >-\n {{ provider_networks | map(attribute='network') | selectattr('net_name', 'defined') | selectattr(\n 'net_name', 'equalto', octavia_provider_inventory_net_name) | list | first\n }}\n# The name of the network address pool\noctavia_container_network_name: \"{{ octavia_provider_network['ip_from_q'] }}_address\"\noctavia_hm_group: \"octavia-health-manager\"\n# Note: We use some heuristics here but if you do anything special make sure to use the\n# ip addresses on the right network. This will use the container networking to figure out the ip\noctavia_hm_hosts: >-\n {% for host in groups[octavia_hm_group] %}{{ hostvars[host]['container_networks'][octavia_container_network_name]['address'] }}{%\n if not loop.last %},{% endif %}{% endfor %}\n# Set this to the right container port aka the eth you connect to the octavia\n# management network\noctavia_container_interface: \"{{ octavia_provider_network.container_interface }}\"\n# Set this to true to drop the iptables rules\noctavia_ip_tables_fw: true\n# The iptable rules\noctavia_iptables_rules:\n # Allow icmp\n - chain: INPUT\n protocol: icmp\n ctstate: NEW\n icmp_type: 8\n jump: ACCEPT\n # Allow existing connections:\n - chain: INPUT\n in_interface: \"{{ octavia_container_interface }}\"\n ctstate: RELATED,ESTABLISHED\n jump: ACCEPT\n # Allow heartbeat:\n - chain: INPUT\n in_interface: \"{{ octavia_container_interface }}\"\n protocol: udp\n destination_port: \"{{ octavia_health_manager_port }}\"\n jump: ACCEPT\n # Reject INPUT:\n - chain: INPUT\n in_interface: \"{{ octavia_container_interface }}\"\n reject_with: icmp-port-unreachable\n # Reject FORWARD:\n - chain: FORWARD\n in_interface: \"{{ octavia_container_interface }}\"\n reject_with: icmp-port-unreachable\n # Allow icmp6\n - chain: INPUT\n protocol: icmpv6\n jump: ACCEPT\n ip_version: ipv6\n # Allow existing connections\n - chain: INPUT\n in_interface: \"{{ octavia_container_interface }}\"\n ctstate: RELATED,ESTABLISHED\n jump: ACCEPT\n ip_version: ipv6\n # Allow heartbeat\n - chain: INPUT\n in_interface: \"{{ octavia_container_interface }}\"\n protocol: udp\n destination_port: \"{{ octavia_health_manager_port }}\"\n jump: ACCEPT\n ip_version: ipv6\n # Reject INPUT\n - chain: INPUT\n in_interface: \"{{ octavia_container_interface }}\"\n reject_with: icmp6-port-unreachable\n ip_version: ipv6\n # Reject FORWARD\n - chain: FORWARD\n in_interface: \"{{ octavia_container_interface }}\"\n reject_with: icmp6-port-unreachable\n ip_version: ipv6\n\n# uWSGI Settings\noctavia_wsgi_processes_max: 16\noctavia_wsgi_processes: >-\n {{ [[(ansible_facts['processor_vcpus'] // ansible_facts['processor_threads_per_core']) | default(1), 1] | max * 2, octavia_wsgi_processes_max] | min }}\noctavia_wsgi_threads: 1\noctavia_uwsgi_bind_address: \"{{ openstack_service_bind_address | default('0.0.0.0') }}\"\noctavia_uwsgi_tls:\n crt: \"{{ octavia_api_ssl_cert }}\"\n key: \"{{ octavia_api_ssl_key }}\"\n\n# Set up the drivers\n# Provider agents are optional and not required for a successful Octavia provider driver\n# Possible options: amphora_agent, noop_agent, ovn\noctavia_enabled_provider_agents:\n - \"{{ (octavia_ovn_enabled | bool) | ternary('ovn', None) }}\"\n\noctavia_enabled_provider_drivers:\n - \"amphora:'The Octavia Amphora driver.'\"\n - \"amphorav2:'The Octavia Amphora v2 driver.'\"\n - \"{{ (octavia_ovn_enabled | bool) | ternary(\\\"ovn:'The Octavia OVN provider driver.'\\\", False) }}\"\noctavia_default_provider_driver: \"amphorav2\"\noctavia_amphora_driver: amphora_haproxy_rest_driver\noctavia_compute_driver: compute_nova_driver\noctavia_network_driver: allowed_address_pairs_driver\n\n# OVN Defaults\noctavia_ovn_enabled: \"{{ neutron_plugin_type | default('ml2.ovn') == 'ml2.ovn' }}\"\noctavia_ovn_ssl: \"{{ neutron_ovn_ssl | default(True) }}\"\noctavia_ovn_proto: \"{{ (octavia_ovn_ssl) | ternary('ssl', 'tcp') }}\"\n\noctavia_ovn_nb_connection: >-\n {{ octavia_ovn_proto }}:{{ groups['neutron_ovn_northd'] | map('extract', hostvars, ['ansible_host']) | join(':6641,' + octavia_ovn_proto + ':') }}:6641\noctavia_ovn_sb_connection: >-\n {{ octavia_ovn_proto }}:{{ groups['neutron_ovn_northd'] | map('extract', hostvars, ['ansible_host']) | join(':6642,' + octavia_ovn_proto + ':') }}:6642\n\n\n#\n# Certificate generation\n#\n\n# Set the host which will execute the openssl_* modules\n# for the certificate generation. The host must already\n# have access to pyOpenSSL.\noctavia_cert_setup_host: \"{{ openstack_pki_setup_host | default('localhost') }}\"\n\n# Set the directory where the certificates will be stored\n# on the above host. If the host is localhost, then the user\n# running the playbook must have access to it.\noctavia_cert_dir: \"{{ openstack_pki_dir | default(lookup('env', 'HOME', default='/root') ~ '/openstack-ansible') }}\"\noctavia_cert_keys_dir: \"{{ octavia_cert_dir }}/certs/private/\"\noctavia_cert_certs_dir: \"{{ octavia_cert_dir }}/certs/certs/\"\noctavia_cert_dest_dir: \"/etc/octavia/certs\"\n\noctavia_cert_client_req_common_name: \"www.example.com\" # change this to something more real\noctavia_cert_client_req_country_name: \"US\"\noctavia_cert_client_req_state_or_province_name: \"Denial\"\noctavia_cert_client_req_locality_name: \"Nowhere\"\noctavia_cert_client_req_organization_name: \"Dis\"\noctavia_cert_validity_days: 1825 # 5 years\noctavia_generate_certs: true # generate self signed client certs\noctavia_generate_client_cert: true\noctavia_generate_ca: true\noctavia_regenerate_client_cert: \"\"\noctavia_regenerate_ca: \"\"\n\n# OVN server certificate\n# The local address used for the ovn certificate\noctavia_ovn_node_address: \"{{ management_address | default('127.0.0.1') }}\"\n# OVN destination files for SSL certificates\noctavia_ovn_pki_intermediate_cert_name: \"{{ octavia_api_intermediate_cert_name }}\"\noctavia_ovn_pki_intermediate_chain_path: >-\n {{ octavia_cert_dir ~ '/roots/' ~ octavia_ovn_pki_intermediate_cert_name ~ '/certs/' ~ octavia_ovn_pki_intermediate_cert_name ~ '-chain.crt' }}\noctavia_ovn_ssl_cert: \"octavia_ovn.pem\"\noctavia_ovn_ssl_key: \"octavia_ovn.key\"\noctavia_ovn_ssl_ca_cert: \"octavia_ovn-ca.pem\"\n\noctavia_cert_authorities:\n - name: \"OctaviaServerRoot\"\n country: \"{{ octavia_cert_client_req_country_name }}\"\n state_or_province_name: \"{{ octavia_cert_client_req_state_or_province_name }}\"\n organization_name: \"{{ octavia_cert_client_req_organization_name }}\"\n locality_name: \"{{ octavia_cert_client_req_locality_name }}\"\n cn: \"Octavia Server CA\"\n provider: selfsigned\n basic_constraints: \"CA:TRUE\"\n key_passphrase: \"{{ octavia_ca_private_key_passphrase }}\"\n key_usage:\n - digitalSignature\n - cRLSign\n - keyCertSign\n not_after: \"+{{ octavia_cert_validity_days }}d\"\n - name: \"OctaviaClientRoot\"\n country: \"{{ octavia_cert_client_req_country_name }}\"\n state_or_province_name: \"{{ octavia_cert_client_req_state_or_province_name }}\"\n organization_name: \"{{ octavia_cert_client_req_organization_name }}\"\n locality_name: \"{{ octavia_cert_client_req_locality_name }}\"\n cn: \"Octavia Client CA\"\n provider: selfsigned\n basic_constraints: \"CA:TRUE\"\n key_passphrase: \"{{ octavia_cert_client_password }}\"\n key_usage:\n - digitalSignature\n - cRLSign\n - keyCertSign\n not_after: \"+{{ octavia_cert_validity_days }}d\"\n\noctavia_cert_certificates:\n # Communication between haproxy and octavia API\n - name: \"octavia-api_{{ ansible_facts['hostname'] }}\"\n provider: ownca\n cn: \"{{ ansible_facts['hostname'] }}\"\n san: \"{{ octavia_api_cert_san }}\"\n signed_by: \"{{ octavia_api_intermediate_cert_name }}\"\n condition: \"{{ octavia_backend_ssl | bool }}\"\n # Communication between octavia control plane and amphoras\n - name: \"octavia_client\"\n provider: ownca\n cn: \"{{ octavia_cert_client_req_common_name }}\"\n signed_by: \"OctaviaClientRoot\"\n ownca_key_passphrase: \"{{ octavia_cert_client_password }}\"\n key_usage:\n - nonRepudiation\n - digitalSignature\n - keyEncipherment\n extended_key_usage:\n - clientAuth\n - emailProtection\n condition: \"{{ octavia_generate_certs | bool }}\"\n # OVN NB/SB communication\n - name: \"octavia_ovn_{{ ansible_facts['hostname'] }}\"\n provider: ownca\n cn: \"{{ ansible_facts['hostname'] }}\"\n san: \"{{ 'DNS:' ~ ansible_facts['hostname'] ~ ',IP:' ~ octavia_ovn_node_address }}\"\n signed_by: \"{{ octavia_ovn_pki_intermediate_cert_name }}\"\n condition: \"{{ (octavia_ovn_ssl and octavia_ovn_enabled) }}\"\n\n# Installation details for SSL certificates\noctavia_cert_install_certificates:\n # Communication between haproxy and octavia API\n - src: \"{{ octavia_api_user_ssl_cert | default(octavia_cert_certs_dir ~ 'octavia-api_' ~ ansible_facts['hostname'] ~ '-chain.crt') }}\"\n dest: \"{{ octavia_api_ssl_cert }}\"\n owner: \"{{ octavia_system_user_name }}\"\n group: \"{{ octavia_system_user_name }}\"\n mode: \"0644\"\n condition: \"{{ octavia_backend_ssl | bool }}\"\n - src: \"{{ octavia_api_user_ssl_key | default(octavia_cert_keys_dir ~ 'octavia-api_' ~ ansible_facts['hostname'] ~ '.key.pem') }}\"\n dest: \"{{ octavia_api_ssl_key }}\"\n owner: \"{{ octavia_system_user_name }}\"\n group: \"{{ octavia_system_user_name }}\"\n mode: \"0600\"\n condition: \"{{ octavia_backend_ssl | bool }}\"\n # Server CA\n - src: \"{{ octavia_ca_certificate | default(octavia_cert_dir ~ '/roots/OctaviaServerRoot/certs/OctaviaServerRoot.crt') }}\"\n dest: \"{{ octavia_cert_dest_dir }}/server_ca.pem\"\n owner: \"{{ octavia_system_user_name }}\"\n group: \"{{ octavia_system_group_name }}\"\n mode: \"0640\"\n condition: \"{{ octavia_generate_certs | bool }}\"\n - src: \"{{ octavia_ca_private_key | default(octavia_cert_dir ~ '/roots/OctaviaServerRoot/private/OctaviaServerRoot.key.pem') }}\"\n dest: \"{{ octavia_cert_dest_dir }}/ca_key.pem\"\n owner: \"{{ octavia_system_user_name }}\"\n group: \"{{ octavia_system_group_name }}\"\n mode: \"0640\"\n condition: \"{{ octavia_generate_certs | bool }}\"\n # Client CA\n - src: \"{{ octavia_client_ca | default(octavia_cert_dir ~ '/roots/OctaviaClientRoot/certs/OctaviaClientRoot.crt') }}\"\n dest: \"{{ octavia_cert_dest_dir }}/client_ca.pem\"\n owner: \"{{ octavia_system_user_name }}\"\n group: \"{{ octavia_system_group_name }}\"\n mode: \"0640\"\n condition: \"{{ octavia_generate_certs | bool }}\"\n # Client certificate\n - src: \"{{ octavia_client_cert | default(octavia_cert_certs_dir ~ '/octavia_client.crt') }}\"\n dest: \"{{ octavia_cert_dest_dir }}/client.pem.crt\"\n owner: \"{{ octavia_system_user_name }}\"\n group: \"{{ octavia_system_group_name }}\"\n mode: \"0640\"\n condition: \"{{ octavia_generate_certs | bool }}\"\n - src: \"{{ octavia_client_key | default(octavia_cert_keys_dir ~ '/octavia_client.key.pem') }}\"\n dest: \"{{ octavia_cert_dest_dir }}/client.pem.key\"\n owner: \"{{ octavia_system_user_name }}\"\n group: \"{{ octavia_system_group_name }}\"\n mode: \"0640\"\n condition: \"{{ octavia_generate_certs | bool }}\"\n # OVN certificates\n - src: \"{{ octavia_ovn_user_ssl_cert | default(octavia_cert_certs_dir ~ 'octavia_ovn_' ~ ansible_facts['hostname'] ~ '-chain.crt') }}\"\n dest: \"{{ [octavia_cert_dest_dir, octavia_ovn_ssl_cert] | join('/') }}\"\n owner: \"{{ octavia_system_user_name }}\"\n group: \"{{ octavia_system_group_name }}\"\n mode: \"0644\"\n condition: \"{{ (octavia_ovn_ssl and octavia_ovn_enabled) }}\"\n - src: \"{{ octavia_ovn_user_ssl_key | default(octavia_cert_keys_dir ~ 'octavia_ovn_' ~ ansible_facts['hostname'] ~ '.key.pem') }}\"\n dest: \"{{ [octavia_cert_dest_dir, octavia_ovn_ssl_key] | join('/') }}\"\n owner: \"{{ octavia_system_user_name }}\"\n group: \"{{ octavia_system_group_name }}\"\n mode: \"0600\"\n condition: \"{{ (octavia_ovn_ssl and octavia_ovn_enabled) }}\"\n - src: \"{{ octavia_ovn_user_ssl_ca_cert | default(octavia_ovn_pki_intermediate_chain_path) }}\"\n dest: \"{{ [octavia_cert_dest_dir, octavia_ovn_ssl_ca_cert] | join('/') }}\"\n owner: \"{{ octavia_system_user_name }}\"\n group: \"{{ octavia_system_group_name }}\"\n mode: \"0644\"\n condition: \"{{ (octavia_ovn_ssl and octavia_ovn_enabled) }}\"\n\n# Custom client CA\n# octavia_client_ca: \"{{ octavia_cert_dir }}/ca_01.pem\"\n## Custom client certs\n# octavia_client_cert: \"{{ octavia_cert_dir }}/client.pem\"\n# octavia_client_key: \"{{ octavia_cert_dir }}/client.key.pem\"\n## server\n# octavia_server_ca: \"{{ octavia_ca_certificate }}\"\n## ca certs\n# octavia_ca_private_key: \"{{ octavia_cert_dir }}/private/cakey.pem\"\noctavia_ca_private_key_passphrase: \"{{ octavia_cert_client_password }}\"\n# octavia_ca_certificate: \"{{ octavia_cert_dir }}/ca_server_01.pem\"\n# Custom OVN certs\n# octavia_ovnnb_user_ssl_cert: \n# octavia_ovnnb_user_ssl_key: \n# octavia_ovnsb_user_ssl_cert: \n# octavia_ovnsb_user_ssl_key: \n\n## Tunable overrides\noctavia_octavia_conf_overrides: {}\noctavia_api_paste_ini_overrides: {}\noctavia_policy_overrides: {}\noctavia_api_uwsgi_ini_overrides: {}\n\n###\n### Backend TLS\n###\n\n# Define if communication between haproxy and service backends should be\n# encrypted with TLS.\noctavia_backend_ssl: \"{{ openstack_service_backend_ssl | default(False) }}\"\n\n# octavia server certificate\noctavia_api_intermediate_cert_name: \"{{ openstack_pki_service_intermediate_cert_name | default('ExampleCorpIntermediate') }}\"\noctavia_api_cert_san: \"{{ openstack_pki_san | default('DNS:' ~ ansible_facts['hostname'] ~ ',IP:' ~ management_address) }}\"\n\n# octavia destination files for SSL certificates\noctavia_api_ssl_cert: \"{{ octavia_cert_dest_dir }}/octavia-api.pem\"\noctavia_api_ssl_key: \"{{ octavia_cert_dest_dir }}/octavia-api.key\"\n\n# Define user-provided SSL certificates\n# octavia_api_user_ssl_cert: \n# octavia_api_user_ssl_key: \n","created":"2025-12-08T13:57:19.701271Z","updated":"2025-12-08T13:57:19.701283Z","path":"/home/zuul/src/opendev.org/openstack/openstack-ansible-os_octavia/defaults/main.yml"}