# nova service configuration (oslo.config INI dialect, '#' full-line comments).
# The TLS cert/key paths and the [vnc] section suggest this copy is rendered
# for the noVNC proxy service -- TODO confirm against the deployment.
# Values shown as ********** are masked in this copy; the rendered file holds
# real credentials, so it should be readable only by the service account.

[DEFAULT]
# Concurrent live migrations are more likely to fail and are slower overall
# than serialized live migrations, so this is set to 1 explicitly.
max_concurrent_live_migrations = 1
state_path = /var/lib/nova
# Enable size-based log rotation in oslo.log by default.
# NOTE(review): a count of 1 with a 20 MB cap keeps very little history on
# disk; confirm logs are shipped elsewhere if they are needed for
# investigations.
max_logfile_count = 1
max_logfile_size_mb = 20
log_rotation_type = size
# NOTE(review): debug logging is on. Confirm this is intended outside of
# troubleshooting; debug output is verbose and, with the rotation limits
# above, pushes older entries out sooner.
debug = true
# Message bus URL (masked here); it normally embeds broker credentials.
transport_url = **********
# Refuse non-TLS client connections and serve with the certificate/key below.
# The private key file should be readable only by the service account.
ssl_only = true
cert = /etc/pki/tls/certs/nova-novncproxy.crt
key = /etc/pki/tls/private/nova-novncproxy.key

[oslo_concurrency]
lock_path = /var/lib/nova/tmp

[oslo_messaging_rabbit]
amqp_durable_queues = false
amqp_auto_delete = false
# We should consider using quorum queues instead:
# rabbit_quorum_queue=true
heartbeat_in_pthread = false

[console]
# Lowest TLS protocol version accepted on the console endpoint.
ssl_minimum_version = tlsv1_3

[api]
# For compatibility with older releases the default is overridden with the
# empty string, so that no domain suffix is added to the instance name.
# (Presumably the parser strips the surrounding quotes -- verify.)
dhcp_domain = ''

[oslo_messaging_notifications]
driver = noop

[vnc]
enabled = True
# Wildcard address: the proxy listens on every interface, so exposure is
# governed by whatever sits in front of this port.
novncproxy_host = "::0"
novncproxy_port = 6080
# Schemes allowed between the proxy and the compute host; the first match
# wins, so the strongest scheme is listed first.
# NOTE(review): 'none' still permits an unauthenticated, unencrypted leg to
# any compute host that does not offer vencrypt. Once every compute host is
# confirmed to offer vencrypt, drop 'none' from the list.
auth_schemes = vencrypt,none
vencrypt_client_key = /etc/pki/tls/private/vencrypt.key
vencrypt_client_cert = /etc/pki/tls/certs/vencrypt.crt
vencrypt_ca_certs = /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem

[cache]
# Always enable caching.
enabled = True
# On the controller we prefer memcache when it is deployed.
backend = oslo_cache.memcache_pool
memcache_servers = memcached-0.memcached.openstack.svc:11212
memcache_socket_timeout = 0.5
memcache_pool_connection_get_timeout = 1
memcache_dead_retry = 30
# TLS to memcached is enabled for this cache (port 11212 above).
tls_enabled = true

[database]
# Database connection URL (masked here); it normally embeds credentials.
connection = **********

[keystone_authtoken]
# NOTE(review): this token cache uses port 11211 while [cache] uses 11212
# with TLS, and no memcache_tls_enabled or memcache_security_strategy is set
# in this section. Confirm whether 11211 is a plaintext listener and, if so,
# whether cached token data should be protected in transit.
memcached_servers = inet:[memcached-0.memcached.openstack.svc]:11211
auth_url = https://keystone-internal.openstack.svc:5000
auth_type = password
project_domain_name = Default
user_domain_name = Default
project_name = service
username = **********
password = **********
region_name = regionOne
# This is part of the hardening related to CVE-2023-2088:
# https://docs.openstack.org/nova/latest/configuration/config.html#keystone_authtoken.service_token_roles_required
# When enabled, the service token user must have the service role to be
# considered valid.
service_token_roles_required = true

[placement]
auth_url = https://keystone-internal.openstack.svc:5000
auth_type = password
project_domain_name = Default
user_domain_name = Default
project_name = service
username = **********
password = **********
region_name = regionOne
valid_interfaces = internal

[glance]
auth_url = https://keystone-internal.openstack.svc:5000
auth_type = password
project_domain_name = Default
user_domain_name = Default
project_name = service
username = **********
password = **********
region_name = regionOne
valid_interfaces = internal

[neutron]
auth_url = https://keystone-internal.openstack.svc:5000
auth_type = password
project_domain_name = Default
user_domain_name = Default
project_name = service
username = **********
password = **********
region_name = regionOne
valid_interfaces = internal
service_metadata_proxy = true

[cinder]
auth_url = https://keystone-internal.openstack.svc:5000
auth_type = password
project_domain_name = Default
user_domain_name = Default
project_name = service
username = **********
password = **********
region_name = regionOne
catalog_info = volumev3:cinderv3:internalURL

[barbican]
auth_url = https://keystone-internal.openstack.svc:5000
auth_type = password
project_domain_name = Default
user_domain_name = Default
project_name = service
username = **********
password = **********
region_name = regionOne
barbican_endpoint_type = internal

[service_user]
# Attach a service token to requests this service makes to other services;
# the receiving side's check is the service_token_roles_required setting in
# [keystone_authtoken].
send_service_user_token = true
auth_url = https://keystone-internal.openstack.svc:5000
auth_type = password
project_domain_name = Default
user_domain_name = Default
project_name = service
username = **********
password = **********

[oslo_limit]
# This section authenticates with system scope rather than a project, which
# is why no project_name / project_domain_name appears here.
system_scope = all
endpoint_interface = internal
endpoint_service_type = compute
endpoint_region_name = regionOne
auth_url = https://keystone-internal.openstack.svc:5000
auth_type = password
user_domain_name = Default
username = **********
password = **********

[upgrade_levels]
compute = auto

[oslo_reports]
# API services need a file-based GMR trigger because apache disables signal
# handling.
file_event_handler = /var/lib/nova