diff --git a/templates/broker/broker.conf.erb b/templates/broker/broker.conf.erb index e150363d..e4d75ae3 100644 --- a/templates/broker/broker.conf.erb +++ b/templates/broker/broker.conf.erb @@ -4,22 +4,30 @@ CLOUD_DOMAIN="<%= scope.lookupvar('::openshift_origin::domain') %>" # Eg: "small,medium,large" VALID_GEAR_SIZES="<%= scope.lookupvar('::openshift_origin::conf_valid_gear_sizes').join(',') %>" +# Comma-separated list of allowed types for ssh keys. krb5-principal keys are added to .k5login, instead of authorized_keys +#VALID_SSH_KEY_TYPES="ssh-rsa,ssh-dss,ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-dss-cert-v00@openssh.com,krb5-principal" + +# Default number of domains to assign to a new user +DEFAULT_MAX_DOMAINS="10" # Default number of gears to assign to a new user DEFAULT_MAX_GEARS="100" # Default gear sizes (comma-separated) allowed to a new user DEFAULT_GEAR_CAPABILITIES="<%= scope.lookupvar('::openshift_origin::conf_default_gear_capabilities').join(',') %>" # Default gear size for a new gear DEFAULT_GEAR_SIZE="<%= scope.lookupvar('::openshift_origin::conf_default_gear_size') %>" +# Default user capability to create Highly Available applications +DEFAULT_ALLOW_HA="true" -#Broker datastore configuration -MONGO_REPLICA_SETS=false -# Replica set example: ": : ..." +# For replica sets, use ',' delimiter for multiple servers +# Eg: MONGO_HOST_PORT=",..." MONGO_HOST_PORT="<%= scope.lookupvar('::openshift_origin::datastore_hostname') %>:27017" MONGO_USER="<%= scope.lookupvar('::openshift_origin::mongodb_broker_user') %>" MONGO_PASSWORD="<%= scope.lookupvar('::openshift_origin::mongodb_broker_password') %>" MONGO_DB="<%= scope.lookupvar('::openshift_origin::mongodb_name') %>" MONGO_TEST_DB="<%= scope.lookupvar('::openshift_origin::mongodb_name') %>_test" MONGO_SSL="false" +MONGO_WRITE_REPLICAS=1 + #Enables gear/filesystem resource usage tracking ENABLE_USAGE_TRACKING_DATASTORE="true" #Log resource usage information 
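Review bot: The commented-out `VALID_SSH_KEY_TYPES` line documents the accepted key types as including `ssh-dss` and both DSA certificate variants, so an operator copying this template inherits DSA acceptance with no hint that it matters. OpenSSH only generates 1024-bit DSA keys, which is no longer a sensible default for gear access; I would add `# NOTE: ssh-dss (DSA) keys are limited to 1024 bits; drop the ssh-dss entries unless DSA keys are required.` above the example, or ship the line uncommented with the DSA entries removed. Whether the broker falls back to exactly this list when the variable is unset is not visible here and should be confirmed against the broker code.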
@@ -96,6 +104,16 @@ MAX_DOWNLOAD_REDIRECTS="2" MAX_DOWNLOAD_TIME="10" # Maximum size for downloadable manifest file (in bytes) MAX_CART_SIZE="20480" +# Maximum number of seconds for connection to be established when downloading +# a cartridge. +CART_DOWNLOAD_CONN_TIMEOUT="2" + +# Set a HTTP proxy server for downloading cartridges +# +# HTTP_PROXY="proxy.server.com:3128" + +# Team collaboration settings +MAX_MEMBERS_PER_RESOURCE="100" # Whether cartridges that specify direct SSL connection to the gear # are allowed, denied or forced. 
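Review bot: The new `HTTP_PROXY` example gives `proxy.server.com:3128` with no scheme and does not say whether `https://` cartridge URLs are routed through it too, or how a failed proxy connection interacts with `CART_DOWNLOAD_CONN_TIMEOUT`. Downloadable cartridge manifests are presumably fetched from URLs supplied by end users (hence the existing redirect, time and size limits), which makes this proxy the natural single egress point for those broker-initiated requests, and the comment should say so: `# Applies to cartridge downloads only; useful as the one egress point for fetching user-supplied URLs (confirm https:// is covered).` Which downloader honours the variable is not visible in this hunk.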
@@ -105,8 +123,38 @@ SSL_ENDPOINT="allow" # Config flag to allow scalable applications to become Highly Available ALLOW_HA_APPLICATIONS="true" +# This is the public hostname that the HA DNS entries for an application point to +# This allows setting up an external router and routing application traffic to the application's gears +ROUTER_HOSTNAME="www.example.com" -# Determine whether or not multiple HA proxy gears for a given application can be spun up on the same node +# Prefix/Suffix used for Highly Available application URL +# http://${HA_DNS_PREFIX}${APP_NAME}-${DOMAIN_NAME}${HA_DNS_SUFFIX}.${CLOUD_DOMAIN} +HA_DNS_PREFIX="ha-" +HA_DNS_SUFFIX="" + +# This configuration determines if multiple haproxy gears can be hosted on the same node. +# If allowed, the frontend apache will route the web traffic being sent to this node +# using the app_dns or the alias to ONLY one of the haproxy gears that has the mapping. +# To avoid this situation, this flag should be set to false in production environments. ALLOW_MULTIPLE_HAPROXY_ON_NODE=<%= scope.lookupvar('::openshift_origin::conf_broker_multi_haproxy_per_node') %> -ROUTER_HOSTNAME="www.example.com" +#Whether to allow obsolete cartridges to be instantiated for a new application or added to an existing application +ALLOW_OBSOLETE_CARTRIDGES="false" + +# Whether to allow users to create aliases that are under the cloud domain. Note: +# Aliases of the form word-word. are rejected to prevent conflicts with app names. +# Also this still will not create any DNS entry for the alias; that is an external step. +ALLOW_ALIAS_IN_DOMAIN="false" + +# Whether to send OpenShift log messages to syslog or to files. +# If true, messages that normally end up in the Rails environment-specific log +# (e.g. production.rb), usage.log, and user_action.log will instead go to syslog. +# SYSLOG_ENABLED="true" + +# Customize default app templates for specified framework cartridges. 
+# Space-separated list of elements | - URLs must be available for all nodes. +# URL will be cloned as the git repository for the cartridge at app creation unless the user specifies their own. +# e.g.: DEFAULT_APP_TEMPLATES=php-5.3|http://example.com/php.git perl-5.10|file:///etc/openshift/cart.conf.d/templates/perl.git +# WARNING: do not include private credentials in any URL; they would be visible in every app's cloned repository. +DEFAULT_APP_TEMPLATES= + diff --git a/templates/broker/msg-broker-mcollective.conf.erb b/templates/broker/msg-broker-mcollective.conf.erb index 694262bd..7d876924 100644 --- a/templates/broker/msg-broker-mcollective.conf.erb +++ b/templates/broker/msg-broker-mcollective.conf.erb 
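Review bot: The `DEFAULT_APP_TEMPLATES` example clones template code from `http://example.com/php.git` in cleartext, and whatever is fetched becomes the initial repository of every new app of that framework, so an on-path modification of the template is a supply-chain injection into all tenants' apps. I would change the example to `https://example.com/php.git` and add `# Use https:// or a local file:// path present on every node; cleartext http:// lets template code be altered in transit.` next to the existing credentials warning. Separately, the `ALLOW_ALIAS_IN_DOMAIN` comment reads "Aliases of the form word-word. are rejected", which looks truncated after the dot (probably a lost `<cloud domain>` placeholder) and should be restored. This hunk starts on an earlier line than the one I am commenting on.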
@@ -1,12 +1,32 @@
-MCOLLECTIVE_DISCTIMEOUT=5
-MCOLLECTIVE_TIMEOUT=120
-MCOLLECTIVE_VERBOSE=0
-MCOLLECTIVE_PROGRESS_BAR=0
-MCOLLECTIVE_CONFIG="<%= scope.lookupvar('::openshift_origin::params::ruby_scl_path_prefix') %>/etc/mcollective/client.cfg"
-
+# Some settings to configure how mcollective handles gear placement on nodes:
+
+# Use districts when placing gears and moving them between hosts. Should be
+# true except for particular dev/test situations.
 DISTRICTS_ENABLED=false
+
+# Require new gears to be placed in a district; when true, placement will fail
+# if there isn't a district with capacity and the right gear profile.
 DISTRICTS_REQUIRE_FOR_APP_CREATE=false
-DISTRICTS_MAX_CAPACITY=6000 # Only used by district create
+
+# Used as the default max gear capacity when creating a district.
+DISTRICTS_MAX_CAPACITY=6000
+
+# It is unlikely these will need to be changed
 DISTRICTS_FIRST_UID=1000
-
-NODE_PROFILE_ENABLED=0
+MCOLLECTIVE_DISCTIMEOUT=5
+MCOLLECTIVE_TIMEOUT=180
+MCOLLECTIVE_VERBOSE=false
+MCOLLECTIVE_PROGRESS_BAR=0
+MCOLLECTIVE_CONFIG="<%= scope.lookupvar('::openshift_origin::params::ruby_scl_path_prefix') %>/etc/mcollective/client.cfg"
+MCOLLECTIVE_FACT_TIMEOUT=10
+
+# Place gears on nodes with the requested profile; should be true, as
+# a false value means gear profiles are ignored and gears are placed arbitrarily.
+NODE_PROFILE_ENABLED=true
+
+# Require new gears to be placed in a Region/Zone; when true, placement will fail
+# if there isn't a region/zone with right gear profile.
+ZONES_REQUIRE_FOR_APP_CREATE=false
+
+# Minimum zones required for gears in application gear group to be distributed.
+ZONES_MIN_PER_GEAR_GROUP=1
diff --git a/templates/broker/plugins/auth/mongo/mongo.conf.plugin.erb b/templates/broker/plugins/auth/mongo/mongo.conf.plugin.erb
index 64d7f5f2..873453a2 100644
--- a/templates/broker/plugins/auth/mongo/mongo.conf.plugin.erb
+++ b/templates/broker/plugins/auth/mongo/mongo.conf.plugin.erb
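Review bot: `MCOLLECTIVE_VERBOSE=false` changes the spelling from the removed `MCOLLECTIVE_VERBOSE=0`, while `MCOLLECTIVE_PROGRESS_BAR=0` on the very next line keeps the numeric form, so two adjacent flags read by the same consumer now use different boolean representations; pick one and state the accepted values. The `# It is unlikely these will need to be changed` header also ends up covering the whole relocated MCOLLECTIVE_* block, leaving `MCOLLECTIVE_CONFIG` undescribed even though the client.cfg it points at presumably carries the broker's messaging connector settings and credentials. I would add `# MCollective client settings; client.cfg holds the connector configuration and must stay readable by the broker user only.` above `MCOLLECTIVE_DISCTIMEOUT`.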
@@ -1,7 +1,13 @@
-MONGO_REPLICA_SETS=false
-# Replica set example: ": : ..."
+# Settings related to the MongoDB variant of an OpenShift auth plugin
+
+# The host:port for your MongoDB server
 MONGO_HOST_PORT="<%= scope.lookupvar('::openshift_origin::datastore_hostname') %>:27017"
+
+# The user to connect to your MongoDB
 MONGO_USER="<%= scope.lookupvar('::openshift_origin::mongodb_broker_user') %>"
+
+# The password to connect to your MongoDB
 MONGO_PASSWORD="<%= scope.lookupvar('::openshift_origin::mongodb_broker_password') %>"
+
+# The database within your MongoDB to use for auth
 MONGO_DB="<%= scope.lookupvar('::openshift_origin::mongodb_name') %>"
-MONGO_COLLECTION="auth_user"
diff --git a/templates/broker/plugins/dns/avahi/cname-manager.conf.erb b/templates/broker/plugins/dns/avahi/cname-manager.conf.erb
index 7d406539..f44060b9 100644
--- a/templates/broker/plugins/dns/avahi/cname-manager.conf.erb
+++ b/templates/broker/plugins/dns/avahi/cname-manager.conf.erb
@@ -1,2 +1,2 @@
-KEY_NAME=<%= scope.lookupvar('::openshift_origin::named_hostname') %>
-KEY_VALUE=<%= scope.lookupvar('::openshift_origin::domain') %>
\ No newline at end of file
+KEY_NAME=<%= scope.lookupvar('::openshift_origin::domain') %>
+KEY_VALUE=<%= scope.lookupvar('::openshift_origin::bind_key') %>
diff --git a/templates/broker/plugins/dns/nsupdate/nsupdate-kerb.conf.erb b/templates/broker/plugins/dns/nsupdate/nsupdate-kerb.conf.erb
index ff76f7ef..6ddb66d9 100644
--- a/templates/broker/plugins/dns/nsupdate/nsupdate-kerb.conf.erb
+++ b/templates/broker/plugins/dns/nsupdate/nsupdate-kerb.conf.erb
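Review bot: `MONGO_PASSWORD` is rendered in cleartext into this plugin file, a second copy of the credential that broker.conf already carries, and unlike broker.conf this file gets no `MONGO_SSL` setting, so it is unclear whether the auth plugin's connection is encrypted or silently falls back to plaintext. I would add `# NOTE: contains a cleartext credential; the Puppet resource installing this file must keep it unreadable to gear users (e.g. mode 0640, owned by root and the broker's group).` and either a `MONGO_SSL` line mirroring broker.conf or a comment stating that the plugin inherits the broker datastore setting. The file resource's mode and the plugin's SSL behaviour are outside this diff and need checking in the manifest and plugin code.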
@@ -1,5 +1,15 @@
+# Settings related to the nsupdate variant of an OpenShift DNS plugin
+# configured for GSS-TSIG (Kerberos) authentication.
+
+# The DNS server
 BIND_SERVER="<%= scope.lookupvar('::openshift_origin::named_ip_addr') %>"
+
+# The DNS server's port
 BIND_PORT=53
+
+# The base zone for the DNS server
 BIND_ZONE="<%= scope.lookupvar('::openshift_origin::domain') %>"
+
+# GSS-TSIG (Kerberos) Authentication
 BIND_KRB_PRINCIPAL="DNS/<%= scope.lookupvar('::openshift_origin::broker_krb_service_name') %>@<%= scope.lookupvar('::openshift_origin::broker_krb_auth_realms') %>"
 BIND_KRB_KEYTAB="<%= scope.lookupvar('::openshift_origin::bind_krb_keytab') %>"
diff --git a/templates/broker/plugins/dns/nsupdate/nsupdate.conf.erb b/templates/broker/plugins/dns/nsupdate/nsupdate.conf.erb
index 7ea0f2db..16786a0b 100644
--- a/templates/broker/plugins/dns/nsupdate/nsupdate.conf.erb
+++ b/templates/broker/plugins/dns/nsupdate/nsupdate.conf.erb
@@ -1,5 +1,16 @@
-BIND_SERVER="<%= scope.lookupvar('::openshift_origin::named_ip_addr') %>"
+# Settings related to the nsupdate variant of an OpenShift DNS plugin
+# configured for TSIG authentication.
+
+# The DNS server
+BIND_SERVER="127.0.0.1"
+
+# The DNS server's port
 BIND_PORT=53
+
+# The base zone for the DNS server
+BIND_ZONE="<%= scope.lookupvar('::openshift_origin::domain') %>"
+
+# TSIG authentication
 BIND_KEYNAME="<%= scope.lookupvar('::openshift_origin::domain') %>"
 BIND_KEYVALUE="<%= scope.lookupvar('::openshift_origin::bind_key') %>"
-BIND_ZONE="<%= scope.lookupvar('::openshift_origin::domain') %>"
+BIND_KEYALGORITHM=HMAC-MD5 # TODO: Parameterize.
diff --git a/templates/console/console.conf.erb b/templates/console/console.conf.erb
index db46af0d..f68d9dc2 100644
--- a/templates/console/console.conf.erb
+++ b/templates/console/console.conf.erb
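Review bot: `BIND_SERVER="127.0.0.1"` replaces the `named_ip_addr` lookup that the removed line and the GSS-TSIG variant in the same set still use, so any deployment with named on a host other than the broker will send dynamic updates to localhost; restore `BIND_SERVER="<%= scope.lookupvar('::openshift_origin::named_ip_addr') %>"`. Separately, `BIND_KEYALGORITHM=HMAC-MD5 # TODO: Parameterize.` bakes in the weakest TSIG algorithm BIND accepts; since the value must match the `key` statement in named.conf anyway, parameterizing it now with an hmac-sha256 default costs little, and the TODO would be better on its own comment line unless the broker's config loader is known to strip trailing comments.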
@@ -7,22 +7,30 @@ # Required # BROKER_URL=https://<%= scope.lookupvar('::openshift_origin::broker_hostname') %>/broker/rest -DOMAIN_SUFFIX="<%= scope.lookupvar('::openshift_origin::domain') %>" # -# A URL used when creating links to the OpenShift community sites +# A proxy URL to use when connecting with the broker. # # Optional # -COMMUNITY_URL=https://www.openshift.com/ +# BROKER_PROXY_URL= # -# A proxy URL to use when connecting with the broker. +# The base URL of the community wiki site. # # Optional # -# BROKER_PROXY_URL= +COMMUNITY_URL=https://www.openshift.com/ + +# When set, any absolute URLs that are generated will use this host +# DEFAULT_URL_OPTIONS_HOST=openshift.redhat.com +# When set, any absolute URLs that are generated will use this port +# When set to nothing no port will be specified on the URL +# DEFAULT_URL_OPTIONS_PORT= + +# The server url hosting the static assets for the console +# ASSET_HOST=https://openshift.redhat.com # # SSL settings for the connection between the console and broker. @@ -30,7 +38,13 @@ COMMUNITY_URL=https://www.openshift.com/ # # Optional, will use the default Ruby environment settings # +# No certificate checking (INSECURE, use only in trusted networks): BROKER_API_SSL_OPTIONS={:verify_mode => OpenSSL::SSL::VERIFY_NONE} +# +# Perform cert checking and require SSLv3 (some Mac environments may +# need this set): +# BROKER_API_SSL_OPTIONS={:verify_mode => OpenSSL::SSL::VERIFY_PEER, :ssl_version => :SSLv3} + # # The type of security mode that OpenShift should use. There are @@ -62,6 +76,7 @@ BROKER_API_SSL_OPTIONS={:verify_mode => OpenSSL::SSL::VERIFY_NONE} # CONSOLE_SECURITY=<%= scope.lookupvar('::openshift_origin::broker_auth_plugin') == 'mongo' ? 'basic' : 'remote_user' %> + # # The name of the request env variable or header that indicates a # user is authenticated. This value will be used as the display 
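Review bot: The added "secure" alternative `BROKER_API_SSL_OPTIONS={:verify_mode => OpenSSL::SSL::VERIFY_PEER, :ssl_version => :SSLv3}` pins the console-to-broker connection to SSLv3, a protocol version with known breaks (POODLE), so the documented hardening option is itself insecure while `VERIFY_NONE` remains the live default. The commented example should be `# BROKER_API_SSL_OPTIONS={:verify_mode => OpenSSL::SSL::VERIFY_PEER}`, with `:ssl_version => :TLSv1` or newer only if the Mac workaround is still needed, and the INSECURE note above the default should add that with `VERIFY_NONE` the console cannot distinguish an interposed host from the real broker. Whether the Ruby/OpenSSL in use still negotiates SSLv3 at all is not visible from this diff. This is the second of three hunks sharing this line.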
@@ -81,6 +96,7 @@ CONSOLE_SECURITY=<%= scope.lookupvar('::openshift_origin::broker_auth_plugin') = # REMOTE_USER_HEADER=REMOTE_USER + # # When using remote_user security, the value of the authentication # header may not be human readable or intended for display. This @@ -105,4 +121,12 @@ REMOTE_USER_HEADER=REMOTE_USER # REMOTE_USER_COPY_HEADERS=X-Remote-User + +# +# Should log messages be sent to syslog instead of a log file +# +# Optional +# +# SYSLOG_ENABLED=true + SESSION_SECRET="<%= scope.lookupvar('::openshift_origin::conf_console_session_secret') %>" diff --git a/templates/console/plugins/auth/kerberos/openshift-origin-auth-remote-user-kerberos.conf.erb b/templates/console/plugins/auth/kerberos/openshift-origin-auth-remote-user-kerberos.conf.erb index 0b993451..eb724e54 100644 --- a/templates/console/plugins/auth/kerberos/openshift-origin-auth-remote-user-kerberos.conf.erb +++ b/templates/console/plugins/auth/kerberos/openshift-origin-auth-remote-user-kerberos.conf.erb @@ -13,6 +13,10 @@ RequestHeader set X-Remote-User "%{RU}e" env=RU AuthType Kerberos KrbMethodNegotiate On KrbMethodK5Passwd On + # The KrbLocalUserMapping enables conversion to local users, using + # auth_to_local rules in /etc/krb5.conf. By default it strips the + # @REALM part. See krb5.conf(5) for details how to set up specific rules. + KrbLocalUserMapping On KrbServiceName HTTP/<%= scope.lookupvar('::openshift_origin::broker_krb_service_name') %> KrbAuthRealms <%= scope.lookupvar('::openshift_origin::broker_krb_auth_realms') %> Krb5KeyTab <%= scope.lookupvar('::openshift_origin::broker_krb_keytab') %> diff --git a/templates/node/node.conf.erb b/templates/node/node.conf.erb index 746f43c8..450aa257 100644 --- a/templates/node/node.conf.erb +++ b/templates/node/node.conf.erb 
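Review bot: `KrbLocalUserMapping On` strips the realm before the name is copied by `RequestHeader set X-Remote-User`, so if `KrbAuthRealms` renders more than one realm, `alice@REALM1` and `alice@REALM2` collapse into the same console and broker user unless auth_to_local rules in /etc/krb5.conf keep them apart. The added comment should warn about this: `# WARNING: with several KrbAuthRealms, identical short names from different realms map to one user unless auth_to_local rules distinguish them.` Whether `broker_krb_auth_realms` ever carries more than one realm is not visible here, so the warning is conditional on that. This kerberos hunk is the last of three hunks sharing this line.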
@@ -10,26 +10,30 @@ CLOUD_DOMAIN="<%= scope.lookupvar('::openshift_origin::domain') %>" # You may want these, depending on the complexity of your networking: EXTERNAL_ETH_DEV='<%= scope.lookupvar('::openshift_origin::conf_node_external_eth_dev') %>' # Specify the internet facing public ethernet device # INTERNAL_ETH_DEV='eth1' # Specify the internal cluster facing ethernet device -INSTANCE_ID="<%= scope.lookupvar('::openshift_origin::node_hostname') %>" # Set by RH EC2 automation -# Generally the following should not be changed: -ENABLE_CGROUPS='1' # Enable cgroups for gears (0=off, 1=on) -GEAR_BASE_DIR="/var/lib/openshift" # gear root directory -GEAR_SKEL_DIR="/etc/openshift/skel" # skel files to use when building a gear -GEAR_SHELL="/usr/bin/oo-trap-user" # shell to use for the gear -GEAR_GECOS="OpenShift guest" # Gecos information to populate for the gear user -GEAR_MIN_UID=1000 # Lower bound of UID used to create gears -GEAR_MAX_UID=6500 # Upper bound of UID used to create gears +# Uncomment and use the following line if you want to gear users to be members of +# additional groups besides the one with the same id as the uid. The other group +# should be an existing group. 
+#GEAR_SUPPLEMENTARY_GROUPS="another_group" # Supplementary groups for gear UIDs (comma separated list) <% if scope.lookupvar('::openshift_origin::conf_node_supplementary_posix_groups') != "" -%> -GEAR_SUPL_GRPS="<%= scope.lookupvar('::openshift_origin::conf_node_supplementary_posix_groups') %>" # Supplementary groups for gear UIDs (comma separated list) +GEAR_SUPPLEMENTARY_GROUPS="<%= scope.lookupvar('::openshift_origin::conf_node_supplementary_posix_groups') %>" # Supplementary groups for gear UIDs (comma separated list) <% end -%> -OPENSHIFT_NODE_PLUGINS="" # Extentions to load when customize/observe openshift-origin-node models -CARTRIDGE_BASE_PATH="/usr/libexec/openshift/cartridges" # Locations where cartridges are installed -LAST_ACCESS_DIR="/var/lib/openshift/.last_access" # Location to maintain last accessed time for gears -APACHE_ACCESS_LOG="/var/log/httpd/access_log" # Localion of httpd for node -PROXY_MIN_PORT_NUM=35531 # Lower bound of port numbers used to proxy ports externally -PROXY_PORTS_PER_GEAR=5 # Number of proxy ports available per gear -CREATE_APP_SYMLINKS=0 # If set to 1, creates gear-name symlinks to the UUID directories (debugging only) + +# Generally the following should not be changed: +ENABLE_CGROUPS=1 # constrain gears in cgroups (1=yes, 0=no) +GEAR_BASE_DIR="/var/lib/openshift" # gear root directory +GEAR_SKEL_DIR="/etc/openshift/skel" # skel files to use when building a gear +GEAR_SHELL="/usr/bin/oo-trap-user" # shell to use for the gear +GEAR_GECOS="OpenShift guest" # Gecos information to populate for the gear user +GEAR_MIN_UID=1000 # Lower bound of UID used to create gears +GEAR_MAX_UID=6999 # Upper bound of UID used to create gears +OPENSHIFT_NODE_PLUGINS="" # Extensions to load when customize/observe openshift-origin-node models +CARTRIDGE_BASE_PATH="/usr/libexec/openshift/cartridges" # Locations where cartridges are installed +LAST_ACCESS_DIR="/var/lib/openshift/.last_access" # Location to maintain last accessed time for gears 
+APACHE_ACCESS_LOG="/var/log/httpd/openshift_log" # Localion of httpd for node +PROXY_MIN_PORT_NUM=35531 # Lower bound of port numbers used to proxy ports externally +PROXY_PORTS_PER_GEAR=5 # Number of proxy ports available per gear +CREATE_APP_SYMLINKS=0 # If set to 1, creates gear-name symlinks to the UUID directories (debugging only) OPENSHIFT_HTTP_CONF_DIR="/etc/httpd/conf.d/openshift" PLATFORM_LOG_FILE=/var/log/openshift/node/platform.log @@ -37,6 +41,18 @@ PLATFORM_LOG_LEVEL=DEBUG PLATFORM_TRACE_LOG_FILE=/var/log/openshift/node/platform-trace.log PLATFORM_TRACE_LOG_LEVEL=DEBUG -OPENSHIFT_FRONTEND_HTTP_PLUGINS=<%= scope.lookupvar('::openshift_origin::node_frontend_plugins').map{ |p| 'openshift-origin-frontend-' + p }.join(',') %> +LIBVIRT_PRIVATE_IP_RANGE=172.16.0.0/12 +LIBVIRT_PRIVATE_IP_ROUTE=172.16.0.0/12 +LIBVIRT_PRIVATE_IP_GW=172.16.0.1 CONTAINERIZATION_PLUGIN=openshift-origin-container-<%= scope.lookupvar('::openshift_origin::node_container_plugin') %> +QUOTA_WARNING_PERCENT=90.0 + +REPORT_BUILD_ANALYTICS=true + +# MOTD_FILE="/etc/openshift/welcome.rhcsh" # Change the default rhcs welcome message + +# Gems for managing the frontend http server +# NOTE: Steps must be taken both before and after these values are changed. +# Run "oo-frontend-plugin-modify --help" for more information. +OPENSHIFT_FRONTEND_HTTP_PLUGINS=<%= scope.lookupvar('::openshift_origin::node_frontend_plugins').map{ |p| 'openshift-origin-frontend-' + p }.join(',') %> diff --git a/templates/plugins/frontend/apache_mod_rewrite/node_routes.txt.erb b/templates/plugins/frontend/apache_mod_rewrite/node_routes.txt.erb index 4419627a..1b8759be 100644 --- a/templates/plugins/frontend/apache_mod_rewrite/node_routes.txt.erb +++ b/templates/plugins/frontend/apache_mod_rewrite/node_routes.txt.erb 
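Review bot: The new comment for `GEAR_SUPPLEMENTARY_GROUPS` says the group must already exist but not that every gear UID on the node joins it, so anything group-readable or group-writable by that group becomes readable or writable across tenants. I would extend the comment: `# NOTE: every gear user becomes a member; nothing tenant-specific may be owned by this group or group-readable to it.` The `<% if %>` guard keeps the live line out when the Puppet parameter is empty, which is fine, and this first node.conf hunk begins on an earlier line than the one I am commenting on.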
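Review bot: `REPORT_BUILD_ANALYTICS=true` is added with no comment saying what is reported or where it is sent, so the template opts every node into outbound reporting the operator never saw described; shipping `false` with `# Set to true to send build statistics to <destination>; see <doc> for what is included.` makes it an explicit decision. The three `LIBVIRT_PRIVATE_IP_*` values are likewise undocumented and only meaningful when `CONTAINERIZATION_PLUGIN` is the libvirt plugin, which the template does not guard or mention. What the analytics payload contains is not visible in this diff.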
@@ -1,3 +1,3 @@
 __default__ REDIRECT:/console
 __default__/console TOHTTPS:127.0.0.1:8118/console
-__default__/broker TOHTTPS:127.0.0.1:8080/broker
\ No newline at end of file
+__default__/broker TOHTTPS:127.0.0.1:8080/broker