ml2_conf.ini¶
DEFAULT¶
- debug¶
- Type:
boolean
- Default:
False
- Mutable:
This option can be changed without restarting.
If set to true, the logging level will be set to DEBUG instead of the default INFO level.
- log_config_append¶
- Type:
string
- Default:
<None>
- Mutable:
This option can be changed without restarting.
The name of a logging configuration file. This file is appended to any existing logging configuration files. For details about logging configuration files, see the Python logging module documentation. Note that when logging configuration files are used then all logging configuration is set in the configuration file and other logging configuration options are ignored (for example, log-date-format).
Group: DEFAULT, Name: log-config
Group: DEFAULT, Name: log_config
- log_date_format¶
- Type:
string
- Default:
%Y-%m-%d %H:%M:%S
Defines the format string for %(asctime)s in log records. Default: the value above. This option is ignored if log_config_append is set.
- log_file¶
- Type:
string
- Default:
<None>
(Optional) Name of log file to send logging output to. If no default is set, logging will go to stderr as defined by use_stderr. This option is ignored if log_config_append is set.
Group: DEFAULT, Name: logfile
- log_dir¶
- Type:
string
- Default:
<None>
(Optional) The base directory used for relative log_file paths. This option is ignored if log_config_append is set.
Group: DEFAULT, Name: logdir
- watch_log_file¶
- Type:
boolean
- Default:
False
Uses a logging handler designed to watch the file system. When the log file is moved or removed, this handler will open a new log file with the specified path instantaneously. It makes sense only if the log_file option is specified and the Linux platform is used. This option is ignored if log_config_append is set.
Warning
This option is deprecated for removal. Its value may be silently ignored in the future.
- Reason:
This function is known to have been broken for a long time, and depends on the unmaintained library
- use_syslog¶
- Type:
boolean
- Default:
False
Use syslog for logging. Existing syslog format is DEPRECATED and will be changed later to honor RFC5424. This option is ignored if log_config_append is set.
- use_journal¶
- Type:
boolean
- Default:
False
Enable journald for logging. If running in a systemd environment you may wish to enable journal support. Doing so will use the journal native protocol which includes structured metadata in addition to log messages. This option is ignored if log_config_append is set.
- syslog_log_facility¶
- Type:
string
- Default:
LOG_USER
Syslog facility to receive log lines. This option is ignored if log_config_append is set.
- use_json¶
- Type:
boolean
- Default:
False
Use JSON formatting for logging. This option is ignored if log_config_append is set.
- use_stderr¶
- Type:
boolean
- Default:
False
Log output to standard error. This option is ignored if log_config_append is set.
- log_color¶
- Type:
boolean
- Default:
False
(Optional) Set the ‘color’ key according to log levels. This option takes effect only when logging to stderr or stdout is used. This option is ignored if log_config_append is set.
- log_rotate_interval¶
- Type:
integer
- Default:
1
The amount of time before the log files are rotated. This option is ignored unless log_rotation_type is set to “interval”.
- log_rotate_interval_type¶
- Type:
string
- Default:
days
- Valid Values:
Seconds, Minutes, Hours, Days, Weekday, Midnight
Rotation interval type. The time of the last file change (or the time when the service was started) is used when scheduling the next rotation.
- max_logfile_count¶
- Type:
integer
- Default:
30
Maximum number of rotated log files.
- max_logfile_size_mb¶
- Type:
integer
- Default:
200
Log file maximum size in MB. This option is ignored if “log_rotation_type” is not set to “size”.
- log_rotation_type¶
- Type:
string
- Default:
none
- Valid Values:
interval, size, none
Log rotation type.
Possible values
- interval
Rotate logs at predefined time intervals.
- size
Rotate logs once they reach a predefined size.
- none
Do not rotate log files.
- logging_context_format_string¶
- Type:
string
- Default:
%(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [%(global_request_id)s %(request_id)s %(user_identity)s] %(instance)s%(message)s
Format string to use for log messages with context. Used by oslo_log.formatters.ContextFormatter
- logging_default_format_string¶
- Type:
string
- Default:
%(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [-] %(instance)s%(message)s
Format string to use for log messages when context is undefined. Used by oslo_log.formatters.ContextFormatter
- logging_debug_format_suffix¶
- Type:
string
- Default:
%(funcName)s %(pathname)s:%(lineno)d
Additional data to append to log message when logging level for the message is DEBUG. Used by oslo_log.formatters.ContextFormatter
- logging_exception_prefix¶
- Type:
string
- Default:
%(asctime)s.%(msecs)03d %(process)d ERROR %(name)s %(instance)s
Prefix each line of exception output with this format. Used by oslo_log.formatters.ContextFormatter
- logging_user_identity_format¶
- Type:
string
- Default:
%(user)s %(project)s %(domain)s %(system_scope)s %(user_domain)s %(project_domain)s
Defines the format string for %(user_identity)s that is used in logging_context_format_string. Used by oslo_log.formatters.ContextFormatter
- default_log_levels¶
- Type:
list
- Default:
['amqp=WARN', 'amqplib=WARN', 'boto=WARN', 'qpid=WARN', 'sqlalchemy=WARN', 'suds=INFO', 'oslo.messaging=INFO', 'oslo_messaging=INFO', 'iso8601=WARN', 'requests.packages.urllib3.connectionpool=WARN', 'urllib3.connectionpool=WARN', 'websocket=WARN', 'requests.packages.urllib3.util.retry=WARN', 'urllib3.util.retry=WARN', 'keystonemiddleware=WARN', 'routes.middleware=WARN', 'stevedore=WARN', 'taskflow=WARN', 'keystoneauth=WARN', 'oslo.cache=INFO', 'oslo_policy=INFO', 'dogpile.core.dogpile=INFO']
List of package logging levels in logger=LEVEL pairs. This option is ignored if log_config_append is set.
- publish_errors¶
- Type:
boolean
- Default:
False
Enables or disables publication of error events.
- instance_format¶
- Type:
string
- Default:
"[instance: %(uuid)s] "
The format for an instance that is passed with the log message.
- instance_uuid_format¶
- Type:
string
- Default:
"[instance: %(uuid)s] "
The format for an instance UUID that is passed with the log message.
- rate_limit_interval¶
- Type:
integer
- Default:
0
Interval, number of seconds, of log rate limiting.
- rate_limit_burst¶
- Type:
integer
- Default:
0
Maximum number of logged messages per rate_limit_interval.
- rate_limit_except_level¶
- Type:
string
- Default:
CRITICAL
- Valid Values:
CRITICAL, ERROR, INFO, WARNING, DEBUG, ‘’
Log level name used by rate limiting. Logs with level greater or equal to rate_limit_except_level are not filtered. An empty string means that all levels are filtered.
- fatal_deprecations¶
- Type:
boolean
- Default:
False
Enables or disables fatal status of deprecations.
ml2¶
- type_drivers¶
- Type:
list
- Default:
['local', 'flat', 'vlan', 'gre', 'vxlan', 'geneve']
List of network type driver entrypoints to be loaded from the neutron.ml2.type_drivers namespace.
- tenant_network_types¶
- Type:
list
- Default:
['local']
Ordered list of network_types to allocate as tenant networks. The default value ‘local’ is useful for single-box testing but provides no connectivity between hosts.
- mechanism_drivers¶
- Type:
list
- Default:
[]
An ordered list of networking mechanism driver entrypoints to be loaded from the neutron.ml2.mechanism_drivers namespace.
- extension_drivers¶
- Type:
list
- Default:
[]
An ordered list of extension driver entrypoints to be loaded from the neutron.ml2.extension_drivers namespace. For example: extension_drivers = port_security,qos
- path_mtu¶
- Type:
integer
- Default:
0
Maximum size of an IP packet (MTU) that can traverse the underlying physical network infrastructure without fragmentation when using an overlay/tunnel protocol. This option allows specifying a physical network MTU value that differs from the default global_physnet_mtu value.
- physical_network_mtus¶
- Type:
dict
- Default:
{}
Mappings of physical networks to MTU values. The format of the mapping is <physnet>:<mtu val>. This mapping allows specifying a physical network MTU value that differs from the default global_physnet_mtu value.
- external_network_type¶
- Type:
string
- Default:
<None>
Default network type for external networks when no provider attributes are specified. By default it is None, which means that if provider attributes are not specified while creating external networks then they will have the same type as tenant networks. Allowed values for external_network_type config option depend on the network type values configured in type_drivers config option.
- overlay_ip_version¶
- Type:
integer
- Default:
4
- Valid Values:
4, 6
IP version of all overlay (tunnel) network endpoints.
Possible values
- 4
IPv4
- 6
IPv6
- tunnelled_network_rp_name¶
- Type:
string
- Default:
rp_tunnelled
Resource provider name for the host with tunnelled networks. This resource provider represents the available bandwidth for all tunnelled networks in a compute node. NOTE: this parameter is used both by the Neutron server and the mechanism driver agents; it is recommended not to change it once any resource provider register has been created.
ml2_type_flat¶
- flat_networks¶
- Type:
list
- Default:
*
List of physical_network names with which flat networks can be created. Use default ‘*’ to allow flat networks with arbitrary physical_network names. Use an empty list to disable flat networks.
ml2_type_geneve¶
- vni_ranges¶
- Type:
list
- Default:
[]
Comma-separated list of <vni_min>:<vni_max> tuples enumerating ranges of Geneve VNI IDs that are available for tenant network allocation. Note OVN does not use the actual values.
- max_header_size¶
- Type:
integer
- Default:
30
The maximum allowed Geneve encapsulation header size (in bytes). The Geneve header is extensible; this value is used to calculate the maximum MTU for Geneve-based networks. The default is 30, which is the size of the Geneve header without any additional option headers. Note that the default is not enough for OVN, which requires at least 38.
ml2_type_gre¶
- tunnel_id_ranges¶
- Type:
list
- Default:
[]
Comma-separated list of <tun_min>:<tun_max> tuples enumerating ranges of GRE tunnel IDs that are available for tenant network allocation
ml2_type_vlan¶
- network_vlan_ranges¶
- Type:
list
- Default:
[]
List of <physical_network>:<vlan_min>:<vlan_max> or <physical_network> specifying physical_network names usable for VLAN provider and tenant networks, as well as ranges of VLAN tags on each available for allocation to tenant networks. If no range is defined, the whole valid VLAN ID set [1, 4094] will be assigned.
ml2_type_vxlan¶
- vni_ranges¶
- Type:
list
- Default:
[]
Comma-separated list of <vni_min>:<vni_max> tuples enumerating ranges of VXLAN VNI IDs that are available for tenant network allocation
- vxlan_group¶
- Type:
string
- Default:
<None>
Multicast group for VXLAN. When configured, will enable sending all broadcast traffic to this multicast group. When left unconfigured, will disable multicast VXLAN mode.
ovn¶
- ovn_nb_connection¶
- Type:
string
- Default:
tcp:127.0.0.1:6641
The connection string for the OVN_Northbound OVSDB. Use tcp:IP:PORT for a TCP connection. Use ssl:IP:PORT for an SSL connection; in that case ovn_nb_private_key, ovn_nb_certificate and ovn_nb_ca_cert are mandatory. Use unix:FILE for a unix domain socket connection. Multiple connections can be specified by a comma-separated string. See also: https://github.com/openvswitch/ovs/blob/ab4d3bfbef37c31331db5a9dbe7c22eb8d5e5e5f/python/ovs/db/idl.py#L215-L216
- ovn_nb_private_key¶
- Type:
string
- Default:
''
The PEM file with private key for SSL connection to OVN-NB-DB
- ovn_nb_certificate¶
- Type:
string
- Default:
''
The PEM file with certificate that certifies the private key specified in ovn_nb_private_key
- ovn_nb_ca_cert¶
- Type:
string
- Default:
''
The PEM file with CA certificate that OVN should use to verify certificates presented to it by SSL peers
- ovn_sb_connection¶
- Type:
string
- Default:
tcp:127.0.0.1:6642
The connection string for the OVN_Southbound OVSDB. Use tcp:IP:PORT for a TCP connection. Use ssl:IP:PORT for an SSL connection; in that case ovn_sb_private_key, ovn_sb_certificate and ovn_sb_ca_cert are mandatory. Use unix:FILE for a unix domain socket connection. Multiple connections can be specified by a comma-separated string. See also: https://github.com/openvswitch/ovs/blob/ab4d3bfbef37c31331db5a9dbe7c22eb8d5e5e5f/python/ovs/db/idl.py#L215-L216
- ovn_sb_private_key¶
- Type:
string
- Default:
''
The PEM file with private key for SSL connection to OVN-SB-DB
- ovn_sb_certificate¶
- Type:
string
- Default:
''
The PEM file with certificate that certifies the private key specified in ovn_sb_private_key
- ovn_sb_ca_cert¶
- Type:
string
- Default:
''
The PEM file with CA certificate that OVN should use to verify certificates presented to it by SSL peers
- ovsdb_connection_timeout¶
- Type:
integer
- Default:
180
Timeout, in seconds, for the OVSDB connection transaction
- ovsdb_retry_max_interval¶
- Type:
integer
- Default:
180
Max interval, in seconds, between each retry to get the OVN NB and SB IDLs
- ovsdb_probe_interval¶
- Type:
integer
- Default:
60000
- Minimum Value:
0
The probe interval for the OVSDB session, in milliseconds. If this is zero, it disables the connection keepalive feature. If non-zero the value will be forced to at least 1000 milliseconds. Defaults to 60 seconds.
- neutron_sync_mode¶
- Type:
string
- Default:
log
- Valid Values:
off, log, repair, migrate
The synchronization mode of OVN_Northbound OVSDB with Neutron DB.
Possible values
- off
Synchronization is off.
- log
During neutron-server startup, check to see if OVN is in sync with the Neutron database. Log warnings for any inconsistencies found so that an admin can investigate.
- repair
During neutron-server startup, automatically create resources found in Neutron but not in OVN. Also remove resources from OVN that are no longer in Neutron.
- migrate
This mode is for OVS to OVN migration. It will sync the DB just like repair mode but it will additionally fix the Neutron DB resource from OVS to OVN.
- ovn_l3_scheduler¶
- Type:
string
- Default:
leastloaded
- Valid Values:
leastloaded, chance
The OVN L3 Scheduler type used to schedule router gateway ports on hypervisors/chassis.
Possible values
- leastloaded
Chassis with fewest gateway ports selected.
- chance
Chassis randomly selected.
- enable_distributed_floating_ip¶
- Type:
boolean
- Default:
False
Enable distributed floating IP support. If True, the NAT action for floating IPs will be done locally and not in the centralized gateway. This saves the path to the external network. This requires the user to configure the physical network map (i.e. ovn-bridge-mappings) on each compute node.
- vhost_sock_dir¶
- Type:
string
- Default:
/var/run/openvswitch
The directory in which vhost virtio sockets are created by all the vswitch daemons
- dhcp_default_lease_time¶
- Type:
integer
- Default:
43200
Default lease time (in seconds) to use with OVN’s native DHCP service.
- ovsdb_log_level¶
- Type:
string
- Default:
INFO
- Valid Values:
CRITICAL, ERROR, WARNING, INFO, DEBUG
The log level used for OVSDB
- ovn_metadata_enabled¶
- Type:
boolean
- Default:
False
Whether to use metadata service.
- dns_servers¶
- Type:
list
- Default:
[]
Comma-separated list of the DNS servers which will be used as forwarders if a subnet’s dns_nameservers field is empty. If both subnet’s dns_nameservers and this option are empty, then the DNS resolvers on the host running the neutron server will be used.
- ovn_dhcp4_global_options¶
- Type:
dict
- Default:
{}
Dictionary of global DHCPv4 options which will be automatically set on each subnet upon creation and on all existing subnets when Neutron starts. An empty value for a DHCP option will cause that option to be unset globally.
EXAMPLES:
- ntp_server:1.2.3.4,wpad:1.2.3.5 - Set ntp_server and wpad
- ntp_server:,wpad:1.2.3.5 - Unset ntp_server and set wpad
See the ovn-nb(5) man page for available options.
- ovn_dhcp6_global_options¶
- Type:
dict
- Default:
{}
Dictionary of global DHCPv6 options which will be automatically set on each subnet upon creation and on all existing subnets when Neutron starts. An empty value for a DHCPv6 option will cause that option to be unset globally. See the ovn-nb(5) man page for available options.
- ovn_emit_need_to_frag¶
- Type:
boolean
- Default:
True
Configure OVN to emit "need to frag" packets in case of MTU mismatches. You may have to disable this option if you are running an old host kernel (version < 5.2). You may check the output of the following command: ovs-appctl -t ovs-vswitchd dpif/show-dp-features br-int | grep "Check pkt length action".
Warning
This option is deprecated for removal since 2025.1. Its value may be silently ignored in the future.
- Reason:
The option is useful only on very old Linux kernels (version < 5.2).
- disable_ovn_dhcp_for_baremetal_ports¶
- Type:
boolean
- Default:
False
Disable OVN’s built-in DHCP for baremetal ports (VNIC type “baremetal”). This allows operators to plug their own DHCP server of choice for PXE booting baremetal nodes. OVN 23.06.0 and newer also supports baremetal PXE based provisioning over IPv6. If an older version of OVN is used for baremetal provisioning over IPv6 this option should be set to “True” and neutron-dhcp-agent should be used instead. Defaults to “False”.
- localnet_learn_fdb¶
- Type:
boolean
- Default:
False
If enabled it will allow localnet ports to learn MAC addresses and store them in FDB SB table. This avoids flooding for traffic towards unknown IPs when port security is disabled. It requires OVN 22.09 or newer.
- fdb_age_threshold¶
- Type:
integer
- Default:
0
- Minimum Value:
0
The number of seconds to keep FDB entries in the OVN DB. The value defaults to 0, which means disabled. This is supported by OVN >= 23.09.
- mac_binding_age_threshold¶
- Type:
integer
- Default:
0
- Minimum Value:
0
The number of seconds to keep MAC_Binding entries in the OVN DB. 0 to disable aging.
- broadcast_arps_to_all_routers¶
- Type:
boolean
- Default:
True
If enabled (default) OVN will flood ARP requests to all attached ports on a network. If set to False, ARP requests are only sent to routers on that network if the target MAC address matches. ARP requests that do not match a router will only be forwarded to non-router ports. Supported by OVN >= 23.06.
- ovn_router_indirect_snat¶
- Type:
boolean
- Default:
False
Whether to configure SNAT for all nested subnets connected to the router through any other routers, similar to the default ML2/OVS behavior. Defaults to “False”.
- live_migration_activation_strategy¶
- Type:
string
- Default:
rarp
- Valid Values:
rarp, ‘’
Activation strategy to use for live migration. The default rarp strategy expects the hypervisor to send a Reverse ARP request through the migrated port after migration is complete. An empty value means a migrated port is immediately activated on the destination host.
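An added example (not part of the Neutron documentation or code base) that audits the [ovn] connection options described above: it flags tcp: targets that are not loopback and ssl: targets whose key, certificate or CA options are empty. The sample configuration, the function name audit_ovn and the loopback heuristic are assumptions made for illustration.

```python
import configparser
import ipaddress

# Constructed sample, not taken from a real deployment.
SAMPLE = """
[ovn]
ovn_nb_connection = ssl:192.0.2.10:6641,ssl:192.0.2.11:6641
ovn_nb_private_key = /etc/neutron/ovn-nb-key.pem
ovn_nb_certificate = /etc/neutron/ovn-nb-cert.pem
ovn_nb_ca_cert =
ovn_sb_connection = tcp:192.0.2.10:6642
"""

# Defaults as listed on this page.
DEFAULTS = {"nb": "tcp:127.0.0.1:6641", "sb": "tcp:127.0.0.1:6642"}
TLS_SUFFIXES = ("private_key", "certificate", "ca_cert")


def _is_loopback(host):
    """True for localhost or a loopback IP literal (IPv6 may be bracketed)."""
    host = host.strip("[]")
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # assumption: any other hostname is treated as remote


def audit_ovn(ini_text):
    """Return a list of (option, finding) tuples for the [ovn] section."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(ini_text)
    ovn = cfg["ovn"] if cfg.has_section("ovn") else {}
    findings = []
    for db in ("nb", "sb"):
        opt = f"ovn_{db}_connection"
        raw = ovn.get(opt, DEFAULTS[db])
        # Multiple connections are given as a comma-separated string.
        targets = [t.strip() for t in raw.split(",") if t.strip()]
        schemes = set()
        for target in targets:
            scheme, _, rest = target.partition(":")
            schemes.add(scheme)
            if scheme == "tcp":
                host = rest.rsplit(":", 1)[0]
                if not _is_loopback(host):
                    findings.append((opt, f"cleartext OVSDB connection to {host}"))
            elif scheme not in ("ssl", "unix"):
                findings.append((opt, f"unrecognised scheme in {target!r}"))
        # ssl: targets need the private key, certificate and CA certificate.
        if "ssl" in schemes:
            for suffix in TLS_SUFFIXES:
                name = f"ovn_{db}_{suffix}"
                if not ovn.get(name, "").strip().strip("'\""):
                    findings.append((name, f"required by ssl: in {opt} but empty"))
    return findings


if __name__ == "__main__":
    for option, finding in audit_ovn(SAMPLE):
        print(f"{option}: {finding}")
```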
ovn_nb_global¶
- ignore_lsp_down¶
- Type:
boolean
- Default:
False
If set to False, ARP/ND reply flows for logical switch ports will be installed only if the port is UP, i.e. claimed by a Chassis. If set to True, these flows are installed regardless of the status of the port, which can result in a situation that an ARP request to an IP is resolved even before the relevant VM/container is running. For environments where this is not an issue, setting it to True can reduce the load and latency of the control plane. The default value is False.
- fdb_removal_limit¶
- Type:
integer
- Default:
0
- Minimum Value:
0
FDB aging bulk removal limit. This limits how many rows can expire in a single transaction. Default is 0, which is unlimited. When the limit is reached, the next batch removal is delayed by 5 seconds. This is supported by OVN >= 23.09.
- mac_binding_removal_limit¶
- Type:
integer
- Default:
0
- Minimum Value:
0
MAC binding aging bulk removal limit. This limits how many entries can expire in a single transaction. The default is 0 which is unlimited. When the limit is reached, the next batch removal is delayed by 5 seconds.
ovs¶
- ovsdb_timeout¶
- Type:
integer
- Default:
10
Timeout in seconds for OVSDB commands. If the timeout expires, OVSDB commands will fail with ALARMCLOCK error.
- bridge_mac_table_size¶
- Type:
integer
- Default:
50000
The maximum number of MAC addresses to learn on a bridge managed by the Neutron OVS agent. Values outside a reasonable range (10 to 1,000,000) might be overridden by Open vSwitch according to the documentation.
- igmp_snooping_enable¶
- Type:
boolean
- Default:
False
Enable IGMP snooping for integration bridge. If this option is set to True, support for Internet Group Management Protocol (IGMP) is enabled in integration bridge.
- igmp_flood¶
- Type:
boolean
- Default:
False
Multicast packets (except reports) are unconditionally forwarded to the ports bridging a logical network to a physical network.
- igmp_flood_reports¶
- Type:
boolean
- Default:
True
Multicast reports are unconditionally forwarded to the ports bridging a logical network to a physical network.
- igmp_flood_unregistered¶
- Type:
boolean
- Default:
False
This option enables or disables flooding of unregistered multicast packets to all ports. If False, the switch will send unregistered multicast packets only to ports connected to multicast routers.
ovs_driver¶
- vnic_type_prohibit_list¶
- Type:
list
- Default:
[]
Comma-separated list of VNIC types for which support is administratively prohibited by the mechanism driver. Please note that the supported vnic_types depend on your network interface card, on the kernel version of your operating system, and on other factors, like OVS version. In the case of the ovs mechanism driver, the valid vnic types are normal and direct. Note that direct is supported only from kernel 4.8, and from ovs 2.8.0. Binding a DIRECT (SR-IOV) port allows offloading the OVS flows to the SR-IOV NIC using tc. This enables hardware offload via tc and allows the VF to be managed by the OpenFlow control plane using the representor net-device.
securitygroup¶
- firewall_driver¶
- Type:
string
- Default:
<None>
Driver for security groups firewall in the L2 agent
- enable_security_group¶
- Type:
boolean
- Default:
True
Controls whether the neutron security group API is enabled in the server. It should be false when using no security groups or using the Nova security group API.
- enable_ipset¶
- Type:
boolean
- Default:
True
Use IPsets to speed up the iptables-based security groups. Enabling IPset support requires that ipset is installed on the L2 agent node.
- permitted_ethertypes¶
- Type:
list
- Default:
[]
Comma-separated list of ethertypes to be permitted, in hexadecimal (starting with “0x”). For example, “0x4008” to permit InfiniBand.
sriov_driver¶
- vnic_type_prohibit_list¶
- Type:
list
- Default:
[]
Comma-separated list of VNIC types for which support is administratively prohibited by the mechanism driver. Please note that the supported vnic_types depend on your network interface card, on the kernel version of your operating system, and on other factors. In the case of SRIOV mechanism drivers the valid VNIC types are direct, macvtap and direct-physical.