Synch with conf files from origin-server/master

templates/broker/broker.conf.erb

@@ -4,22 +4,30 @@ CLOUD_DOMAIN="<%= scope.lookupvar('::openshift_origin::domain') %>"
 # Eg: "small,medium,large"
 VALID_GEAR_SIZES="<%= scope.lookupvar('::openshift_origin::conf_valid_gear_sizes').join(',') %>"
 
+# Comma-separated list of allowed types for ssh keys. krb5-principal keys are added to .k5login, instead of authorized_keys
+#VALID_SSH_KEY_TYPES="ssh-rsa,ssh-dss,[email protected],[email protected],[email protected],[email protected],krb5-principal"
+
+# Default number of domains to assign to a new user
+DEFAULT_MAX_DOMAINS="10"
 # Default number of gears to assign to a new user
 DEFAULT_MAX_GEARS="100"
 # Default gear sizes (comma-separated) allowed to a new user
 DEFAULT_GEAR_CAPABILITIES="<%= scope.lookupvar('::openshift_origin::conf_default_gear_capabilities').join(',') %>"
 # Default gear size for a new gear
 DEFAULT_GEAR_SIZE="<%= scope.lookupvar('::openshift_origin::conf_default_gear_size') %>"
+# Default user capability to create Highly Available applications
+DEFAULT_ALLOW_HA="true"
 
-#Broker datastore configuration
-MONGO_REPLICA_SETS=false
-# Replica set example: "<host-1>:<port-1> <host-2>:<port-2> ..."
+# For replica sets, use ',' delimiter for multiple servers
+# Eg: MONGO_HOST_PORT="<host1:port1>,<host2:port2>..."
 MONGO_HOST_PORT="<%= scope.lookupvar('::openshift_origin::datastore_hostname') %>:27017"
 MONGO_USER="<%= scope.lookupvar('::openshift_origin::mongodb_broker_user') %>"
 MONGO_PASSWORD="<%= scope.lookupvar('::openshift_origin::mongodb_broker_password') %>"
 MONGO_DB="<%= scope.lookupvar('::openshift_origin::mongodb_name') %>"
 MONGO_TEST_DB="<%= scope.lookupvar('::openshift_origin::mongodb_name') %>_test"
 MONGO_SSL="false"
+MONGO_WRITE_REPLICAS=1
+
 #Enables gear/filesystem resource usage tracking
 ENABLE_USAGE_TRACKING_DATASTORE="true"
 #Log resource usage information
@@ -96,6 +104,16 @@ MAX_DOWNLOAD_REDIRECTS="2"
 MAX_DOWNLOAD_TIME="10"
 # Maximum size for downloadable manifest file (in bytes)
 MAX_CART_SIZE="20480"
+# Maximum number of seconds for connection to be established when downloading
+# a cartridge.
+CART_DOWNLOAD_CONN_TIMEOUT="2"
+
+# Set a HTTP proxy server for downloading cartridges
+#
+# HTTP_PROXY="proxy.server.com:3128"
+
+# Team collaboration settings
+MAX_MEMBERS_PER_RESOURCE="100"
 
 # Whether cartridges that specify direct SSL connection to the gear
 # are allowed, denied or forced.
@@ -105,8 +123,38 @@ SSL_ENDPOINT="allow"
 
 # Config flag to allow scalable applications to become Highly Available
 ALLOW_HA_APPLICATIONS="true"
+# This is the public hostname that the HA DNS entries for an application point to
+# This allows setting up an external router and routing application traffic to the application's gears   
+ROUTER_HOSTNAME="www.example.com"
 
-# Determine whether or not multiple HA proxy gears for a given application can be spun up on the same node
+# Prefix/Suffix used for Highly Available application URL
+# http://${HA_DNS_PREFIX}${APP_NAME}-${DOMAIN_NAME}${HA_DNS_SUFFIX}.${CLOUD_DOMAIN}
+HA_DNS_PREFIX="ha-"
+HA_DNS_SUFFIX=""
+
+# This configuration determines if multiple haproxy gears can be hosted on the same node.
+# If allowed, the frontend apache will route the web traffic being sent to this node
+# using the app_dns or the alias to ONLY one of the haproxy gears that has the mapping.
+# To avoid this situation, this flag should be set to false in production environments.
 ALLOW_MULTIPLE_HAPROXY_ON_NODE=<%= scope.lookupvar('::openshift_origin::conf_broker_multi_haproxy_per_node') %>
 
-ROUTER_HOSTNAME="www.example.com"
+#Whether to allow obsolete cartridges to be instantiated for a new application or added to an existing application
+ALLOW_OBSOLETE_CARTRIDGES="false"
+
+# Whether to allow users to create aliases that are under the cloud domain. Note:
+# Aliases of the form word-word.<domain> are rejected to prevent conflicts with app names.
+# Also this still will not create any DNS entry for the alias; that is an external step.
+ALLOW_ALIAS_IN_DOMAIN="false"
+
+# Whether to send OpenShift log messages to syslog or to files.
+# If true, messages that normally end up in the Rails environment-specific log
+# (e.g. production.rb), usage.log, and user_action.log will instead go to syslog.
+# SYSLOG_ENABLED="true"
+
+# Customize default app templates for specified framework cartridges.
+# Space-separated list of elements <cartridge-name>|<git url> - URLs must be available for all nodes.
+# URL will be cloned as the git repository for the cartridge at app creation unless the user specifies their own.
+# e.g.: DEFAULT_APP_TEMPLATES=php-5.3|http://example.com/php.git perl-5.10|file:///etc/openshift/cart.conf.d/templates/perl.git
+# WARNING: do not include private credentials in any URL; they would be visible in every app's cloned repository.
+DEFAULT_APP_TEMPLATES=
+

templates/broker/msg-broker-mcollective.conf.erb

@@ -1,12 +1,32 @@
-MCOLLECTIVE_DISCTIMEOUT=5
-MCOLLECTIVE_TIMEOUT=120
-MCOLLECTIVE_VERBOSE=0
-MCOLLECTIVE_PROGRESS_BAR=0
-MCOLLECTIVE_CONFIG="<%= scope.lookupvar('::openshift_origin::params::ruby_scl_path_prefix') %>/etc/mcollective/client.cfg"
-
+# Some settings to configure how mcollective handles gear placement on nodes:
+
+# Use districts when placing gears and moving them between hosts. Should be
+# true except for particular dev/test situations.
 DISTRICTS_ENABLED=false
+
+# Require new gears to be placed in a district; when true, placement will fail
+# if there isn't a district with capacity and the right gear profile.
 DISTRICTS_REQUIRE_FOR_APP_CREATE=false
-DISTRICTS_MAX_CAPACITY=6000 # Only used by district create
+
+# Used as the default max gear capacity when creating a district.
+DISTRICTS_MAX_CAPACITY=6000
+
+# It is unlikely these will need to be changed
 DISTRICTS_FIRST_UID=1000
-
-NODE_PROFILE_ENABLED=0
+MCOLLECTIVE_DISCTIMEOUT=5
+MCOLLECTIVE_TIMEOUT=180
+MCOLLECTIVE_VERBOSE=false
+MCOLLECTIVE_PROGRESS_BAR=0
+MCOLLECTIVE_CONFIG="<%= scope.lookupvar('::openshift_origin::params::ruby_scl_path_prefix') %>/etc/mcollective/client.cfg"
+MCOLLECTIVE_FACT_TIMEOUT=10
+
+# Place gears on nodes with the requested profile; should be true, as
+# a false value means gear profiles are ignored and gears are placed arbitrarily.
+NODE_PROFILE_ENABLED=true
+
+# Require new gears to be placed in a Region/Zone; when true, placement will fail
+# if there isn't a region/zone with right gear profile.
+ZONES_REQUIRE_FOR_APP_CREATE=false
+
+# Minimum zones required for gears in application gear group to be distributed.
+ZONES_MIN_PER_GEAR_GROUP=1

templates/broker/plugins/auth/mongo/mongo.conf.plugin.erb

@@ -1,7 +1,13 @@
-MONGO_REPLICA_SETS=false
-# Replica set example: "<host-1>:<port-1> <host-2>:<port-2> ..."
+# Settings related to the MongoDB variant of an OpenShift auth plugin
+
+# The host:port for your MongoDB server
 MONGO_HOST_PORT="<%= scope.lookupvar('::openshift_origin::datastore_hostname') %>:27017"
+
+# The user to connect to your MongoDB
 MONGO_USER="<%= scope.lookupvar('::openshift_origin::mongodb_broker_user') %>"
+
+# The password to connect to your MongoDB
 MONGO_PASSWORD="<%= scope.lookupvar('::openshift_origin::mongodb_broker_password') %>"
+
+# The database within your MongoDB to use for auth
 MONGO_DB="<%= scope.lookupvar('::openshift_origin::mongodb_name') %>"
-MONGO_COLLECTION="auth_user"

templates/broker/plugins/dns/avahi/cname-manager.conf.erb

@@ -1,2 +1,2 @@
-KEY_NAME=<%= scope.lookupvar('::openshift_origin::named_hostname') %>
-KEY_VALUE=<%= scope.lookupvar('::openshift_origin::domain') %>
+KEY_NAME=<%= scope.lookupvar('::openshift_origin::domain') %>
+KEY_VALUE=<%= scope.lookupvar('::openshift_origin::bind_key') %>

templates/broker/plugins/dns/nsupdate/nsupdate-kerb.conf.erb

@@ -1,5 +1,15 @@
+# Settings related to the nsupdate variant of an OpenShift DNS plugin
+# configured for GSS-TSIG (Kerberos) authentication.
+
+# The DNS server
 BIND_SERVER="<%= scope.lookupvar('::openshift_origin::named_ip_addr') %>"
+
+# The DNS server's port
 BIND_PORT=53
+
+# The base zone for the DNS server
 BIND_ZONE="<%= scope.lookupvar('::openshift_origin::domain') %>"
+
+# GSS-TSIG (Kerberos) Authentication
 BIND_KRB_PRINCIPAL="DNS/<%= scope.lookupvar('::openshift_origin::broker_krb_service_name') %>@<%= scope.lookupvar('::openshift_origin::broker_krb_auth_realms') %>"
 BIND_KRB_KEYTAB="<%= scope.lookupvar('::openshift_origin::bind_krb_keytab') %>"

templates/broker/plugins/dns/nsupdate/nsupdate.conf.erb

@@ -1,5 +1,16 @@
-BIND_SERVER="<%= scope.lookupvar('::openshift_origin::named_ip_addr') %>"
+# Settings related to the nsupdate variant of an OpenShift DNS plugin
+# configured for TSIG authentication.
+
+# The DNS server
+BIND_SERVER="127.0.0.1"
+
+# The DNS server's port
 BIND_PORT=53
+
+# The base zone for the DNS server
+BIND_ZONE="<%= scope.lookupvar('::openshift_origin::domain') %>"
+
+# TSIG authentication
 BIND_KEYNAME="<%= scope.lookupvar('::openshift_origin::domain') %>"
 BIND_KEYVALUE="<%= scope.lookupvar('::openshift_origin::bind_key') %>"
-BIND_ZONE="<%= scope.lookupvar('::openshift_origin::domain') %>"
+BIND_KEYALGORITHM=HMAC-MD5 # TODO: Parameterize.

templates/console/console.conf.erb

@@ -7,30 +7,44 @@
 # Required
 #
 BROKER_URL=https://<%= scope.lookupvar('::openshift_origin::broker_hostname') %>/broker/rest
-DOMAIN_SUFFIX="<%= scope.lookupvar('::openshift_origin::domain') %>"
 
 #
-# A URL used when creating links to the OpenShift community sites
+# A proxy URL to use when connecting with the broker.
 #
 # Optional
 #
-COMMUNITY_URL=https://www.openshift.com/
+# BROKER_PROXY_URL=
 
 #
-# A proxy URL to use when connecting with the broker.
+# The base URL of the community wiki site.
 #
 # Optional
 #
-# BROKER_PROXY_URL=
+COMMUNITY_URL=https://www.openshift.com/
+
+# When set, any absolute URLs that are generated will use this host
+# DEFAULT_URL_OPTIONS_HOST=openshift.redhat.com
 
+# When set, any absolute URLs that are generated will use this port
+# When set to nothing no port will be specified on the URL
+# DEFAULT_URL_OPTIONS_PORT=
+
+# The server url hosting the static assets for the console
+# ASSET_HOST=https://openshift.redhat.com
 
 #
 # SSL settings for the connection between the console and broker.
 # Specified as a Ruby hash of options to be passed to Net::HTTP.
 #
 # Optional, will use the default Ruby environment settings
 #
+# No certificate checking (INSECURE, use only in trusted networks):
 BROKER_API_SSL_OPTIONS={:verify_mode => OpenSSL::SSL::VERIFY_NONE}
+#
+# Perform cert checking and require SSLv3 (some Mac environments may
+# need this set):
+# BROKER_API_SSL_OPTIONS={:verify_mode => OpenSSL::SSL::VERIFY_PEER, :ssl_version => :SSLv3}
+
 
 #
 # The type of security mode that OpenShift should use.  There are
@@ -62,6 +76,7 @@ BROKER_API_SSL_OPTIONS={:verify_mode => OpenSSL::SSL::VERIFY_NONE}
 #
 CONSOLE_SECURITY=<%= scope.lookupvar('::openshift_origin::broker_auth_plugin') == 'mongo' ? 'basic' : 'remote_user' %>
 
+
 #
 # The name of the request env variable or header that indicates a 
 # user is authenticated.  This value will be used as the display 
@@ -81,6 +96,7 @@ CONSOLE_SECURITY=<%= scope.lookupvar('::openshift_origin::broker_auth_plugin') =
 #
 REMOTE_USER_HEADER=REMOTE_USER
 
+
 #
 # When using remote_user security, the value of the authentication
 # header may not be human readable or intended for display.  This 
@@ -105,4 +121,12 @@ REMOTE_USER_HEADER=REMOTE_USER
 #
 REMOTE_USER_COPY_HEADERS=X-Remote-User
 
+
+#
+# Should log messages be sent to syslog instead of a log file
+#
+# Optional
+#
+# SYSLOG_ENABLED=true
+
 SESSION_SECRET="<%= scope.lookupvar('::openshift_origin::conf_console_session_secret') %>"

templates/console/plugins/auth/kerberos/openshift-origin-auth-remote-user-kerberos.conf.erb

@@ -13,6 +13,10 @@ RequestHeader set X-Remote-User "%{RU}e" env=RU
     AuthType Kerberos
     KrbMethodNegotiate On
     KrbMethodK5Passwd On
+    # The KrbLocalUserMapping enables conversion to local users, using
+    # auth_to_local rules in /etc/krb5.conf. By default it strips the
+    # @REALM part. See krb5.conf(5) for details how to set up specific rules.
+    KrbLocalUserMapping On
     KrbServiceName HTTP/<%= scope.lookupvar('::openshift_origin::broker_krb_service_name') %>
     KrbAuthRealms <%= scope.lookupvar('::openshift_origin::broker_krb_auth_realms') %>
     Krb5KeyTab <%= scope.lookupvar('::openshift_origin::broker_krb_keytab') %>

templates/node/node.conf.erb

@@ -10,33 +10,49 @@ CLOUD_DOMAIN="<%= scope.lookupvar('::openshift_origin::domain') %>"
 # You may want these, depending on the complexity of your networking:
 EXTERNAL_ETH_DEV='<%= scope.lookupvar('::openshift_origin::conf_node_external_eth_dev') %>'                                 # Specify the internet facing public ethernet device
 # INTERNAL_ETH_DEV='eth1'                                 # Specify the internal cluster facing ethernet device
-INSTANCE_ID="<%= scope.lookupvar('::openshift_origin::node_hostname') %>"                                      # Set by RH EC2 automation
 
-# Generally the following should not be changed:
-ENABLE_CGROUPS='1'                                        # Enable cgroups for gears (0=off, 1=on)
-GEAR_BASE_DIR="/var/lib/openshift"                        # gear root directory
-GEAR_SKEL_DIR="/etc/openshift/skel"                       # skel files to use when building a gear
-GEAR_SHELL="/usr/bin/oo-trap-user"                        # shell to use for the gear
-GEAR_GECOS="OpenShift guest"                              # Gecos information to populate for the gear user
-GEAR_MIN_UID=1000                                         # Lower bound of UID used to create gears
-GEAR_MAX_UID=6500                                         # Upper bound of UID used to create gears
+# Uncomment and use the following line if you want to gear users to be members of
+# additional groups besides the one with the same id as the uid. The other group
+# should be an existing group.
+#GEAR_SUPPLEMENTARY_GROUPS="another_group"  # Supplementary groups for gear UIDs (comma separated list)
 <% if scope.lookupvar('::openshift_origin::conf_node_supplementary_posix_groups') != "" -%>
-GEAR_SUPL_GRPS="<%= scope.lookupvar('::openshift_origin::conf_node_supplementary_posix_groups') %>"  # Supplementary groups for gear UIDs (comma separated list)
+GEAR_SUPPLEMENTARY_GROUPS="<%= scope.lookupvar('::openshift_origin::conf_node_supplementary_posix_groups') %>"  # Supplementary groups for gear UIDs (comma separated list)
 <% end -%>
-OPENSHIFT_NODE_PLUGINS=""                                 # Extentions to load when customize/observe openshift-origin-node models
-CARTRIDGE_BASE_PATH="/usr/libexec/openshift/cartridges"   # Locations where cartridges are installed
-LAST_ACCESS_DIR="/var/lib/openshift/.last_access"         # Location to maintain last accessed time for gears
-APACHE_ACCESS_LOG="/var/log/httpd/access_log"             # Localion of httpd for node
-PROXY_MIN_PORT_NUM=35531                                  # Lower bound of port numbers used to proxy ports externally
-PROXY_PORTS_PER_GEAR=5                                    # Number of proxy ports available per gear
-CREATE_APP_SYMLINKS=0                                     # If set to 1, creates gear-name symlinks to the UUID directories (debugging only)
+
+# Generally the following should not be changed:
+ENABLE_CGROUPS=1                                             # constrain gears in cgroups (1=yes, 0=no)
+GEAR_BASE_DIR="/var/lib/openshift"                           # gear root directory
+GEAR_SKEL_DIR="/etc/openshift/skel"                          # skel files to use when building a gear
+GEAR_SHELL="/usr/bin/oo-trap-user"                           # shell to use for the gear
+GEAR_GECOS="OpenShift guest"                                 # Gecos information to populate for the gear user
+GEAR_MIN_UID=1000                                            # Lower bound of UID used to create gears
+GEAR_MAX_UID=6999                                            # Upper bound of UID used to create gears
+OPENSHIFT_NODE_PLUGINS=""                                    # Extensions to load when customize/observe openshift-origin-node models
+CARTRIDGE_BASE_PATH="/usr/libexec/openshift/cartridges"      # Locations where cartridges are installed
+LAST_ACCESS_DIR="/var/lib/openshift/.last_access"            # Location to maintain last accessed time for gears
+APACHE_ACCESS_LOG="/var/log/httpd/openshift_log"             # Localion of httpd for node
+PROXY_MIN_PORT_NUM=35531                                     # Lower bound of port numbers used to proxy ports externally
+PROXY_PORTS_PER_GEAR=5                                       # Number of proxy ports available per gear
+CREATE_APP_SYMLINKS=0                                        # If set to 1, creates gear-name symlinks to the UUID directories (debugging only)
 OPENSHIFT_HTTP_CONF_DIR="/etc/httpd/conf.d/openshift"
 
 PLATFORM_LOG_FILE=/var/log/openshift/node/platform.log
 PLATFORM_LOG_LEVEL=DEBUG
 PLATFORM_TRACE_LOG_FILE=/var/log/openshift/node/platform-trace.log
 PLATFORM_TRACE_LOG_LEVEL=DEBUG
 
-OPENSHIFT_FRONTEND_HTTP_PLUGINS=<%= scope.lookupvar('::openshift_origin::node_frontend_plugins').map{ |p| 'openshift-origin-frontend-' + p }.join(',') %>
+LIBVIRT_PRIVATE_IP_RANGE=172.16.0.0/12
+LIBVIRT_PRIVATE_IP_ROUTE=172.16.0.0/12
+LIBVIRT_PRIVATE_IP_GW=172.16.0.1
 
 CONTAINERIZATION_PLUGIN=openshift-origin-container-<%= scope.lookupvar('::openshift_origin::node_container_plugin') %>
+QUOTA_WARNING_PERCENT=90.0
+
+REPORT_BUILD_ANALYTICS=true
+
+# MOTD_FILE="/etc/openshift/welcome.rhcsh"                   # Change the default rhcs welcome message
+
+# Gems for managing the frontend http server
+# NOTE: Steps must be taken both before and after these values are changed.
+#       Run "oo-frontend-plugin-modify  --help" for more information.
+OPENSHIFT_FRONTEND_HTTP_PLUGINS=<%= scope.lookupvar('::openshift_origin::node_frontend_plugins').map{ |p| 'openshift-origin-frontend-' + p }.join(',') %>

templates/plugins/frontend/apache_mod_rewrite/node_routes.txt.erb

@@ -1,3 +1,3 @@
 __default__ REDIRECT:/console
 __default__/console TOHTTPS:127.0.0.1:8118/console
-__default__/broker TOHTTPS:127.0.0.1:8080/broker
+__default__/broker TOHTTPS:127.0.0.1:8080/broker