Canonical Livepatch Onprem
- Yellow Squad | bundle
- Security
Channel | Revision | Published |
---|---|---|
latest/stable | 11 | 09 Apr 2024 |
latest/edge | 11 | 09 Apr 2024 |
machine/stable | 19 | 16 Oct 2024 |
machine/edge | 20 | 16 Oct 2024 |
k8s/stable | 18 | 27 Sep 2024 |
k8s/edge | 17 | 27 Sep 2024 |
juju deploy canonical-livepatch-onprem
-
default_log | string
Default: global
Default log
-
default_mode | string
Default: http
Default mode
-
default_options | string
Default: httplog, dontlognull
Default options
-
default_retries | int
Default: 3
Set the number of retries to perform on a server after a connection failure. It is important to understand that this value applies to the number of connection attempts, not full requests. Once a connection has effectively been established to a server, there will be no further retries. In order to avoid immediate reconnections to a server which is restarting, a turn-around timer of 1 second is applied before a retry occurs.
-
default_timeouts | string
Default: queue 20000, client 50000, connect 5000, server 50000
Default timeouts
-
enable_monitoring | boolean
Enable monitoring
-
global_debug | boolean
Debug or not
-
global_default_bind_ciphers | string
Default: ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:!DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:!DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:!CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
Sets the default string describing the list of cipher algorithms ("cipher suite") that are negotiated during the SSL/TLS handshake for all "bind" lines which do not explicitly define theirs. The format of the string is defined in "man 1 ciphers" from OpenSSL man pages, and can be for instance a string such as "AES:ALL:!aNULL:!eNULL:+RC4:@STRENGTH" (without quotes). Please check the "bind" keyword for more information. This config key will be ignored if the installed haproxy package has no SSL support.
-
global_default_bind_options | string
Sets the default string describing the list of global SSL bind options. Use this to force or disable certain protocols like TLS 1.0 or SSL 3.0.
-
global_default_dh_param | int
Default: 2048
Sets the maximum size of the Diffie-Hellman parameters used for generating the ephemeral/temporary Diffie-Hellman key in case of DHE key exchange. The default value is 2048; higher values will increase the CPU load. Values greater than 1024 bits are not supported by Java 7 and earlier clients. This config key will be ignored if the installed haproxy package has no SSL support.
-
global_group | string
Default: haproxy
Group
-
global_hard_stop_after | string
Tune HAProxy's hard-stop-after to prevent lingering HAProxy processes, e.g. 10m (LP:1874386).
-
global_log | string
Default: /dev/log local0, /dev/log local1 notice
Global log line (multiple lines as a comma-separated list)
-
global_maxconn | int
Default: 4096
Sets the maximum per-process number of concurrent connections to <number>.
-
global_quiet | boolean
Quiet
-
global_spread_checks | int
Sometimes it is desirable to avoid sending health checks to servers at exact intervals, for instance when many logical servers are located on the same physical server. With the help of this parameter, it becomes possible to add some randomness in the check interval between 0 and +/- 50%. A value between 2 and 5 seems to show good results.
-
global_stats_socket | boolean
Whether to enable the stats UNIX socket.
-
global_user | string
Default: haproxy
User
-
key | string
Key ID to import to the apt keyring to support use with arbitrary source configuration from outside of Launchpad archives or PPAs.
-
logrotate_config | string
Override package logrotate configuration.

Warning: Setting this value back to the empty string will leave the previous config in place on disk.

Example value:

    /var/log/haproxy.log {
        weekly
        rotate 52
        missingok
        notifempty
        compress
        delaycompress
        postrotate
            invoke-rc.d rsyslog rotate >/dev/null 2>&1 || true
        endscript
    }
-
metrics_prefix | string
Default: dev.$UNIT.haproxy
Prefix for metrics. Special value $UNIT can be used to include the name of the unit in the prefix.
-
metrics_sample_interval | int
Default: 5
Period for metrics cron job to run in minutes
-
metrics_target | string
Destination for statsd-format metrics, format "host:port". If not present and valid, metrics are disabled. Requires "enable_monitoring" to be set to true to work.
-
monitoring_allowed_cidr | string
Default: 127.0.0.1/32
CIDR allowed to access the monitoring interface (multiple CIDRs separated by spaces).
-
monitoring_always_critical | boolean
Default: True
Report a service that is down always as critical. If False it will only report a warning if there is still at least one working backend for each proxy.
-
monitoring_password | string
Default: changeme
Password to the monitoring interface (if "changeme", a new password will be generated and displayed in juju-log)
-
monitoring_port | int
Default: 10000
Default monitoring port
-
monitoring_stats_refresh | int
Default: 3
Monitoring interface refresh interval (in seconds)
-
monitoring_username | string
Default: haproxy
Monitoring username
-
nagios_context | string
Default: juju
Used by the nrpe-external-master subordinate charm. A string that will be prepended to the instance name to set the host name in nagios. So for instance the hostname would be something like: juju-postgresql-0. If you're running multiple environments with the same services in them, this allows you to differentiate between them.
-
nagios_servicegroups | string
A comma-separated list of nagios servicegroups. If left empty, the nagios_context will be used as the servicegroup.
-
package_status | string
Default: install
The status of service-affecting packages will be set to this value in the dpkg database. Useful valid values are "install" and "hold".
-
peering_mode | string
Default: active-passive
Possible values: "active-passive", "active-active". This is only used if several units are spawned. In "active-passive" mode, all the units will forward traffic to the first working haproxy unit, which will then forward it to configured backends. In "active-active" mode, each unit will proxy the traffic directly to the backends. The "active-passive" mode gives better control of the maximum number of connections that will be opened to a backend server.
-
services | string
Default:

    - service_name: haproxy_service
      service_host: "0.0.0.0"
      service_port: 80
      service_options: [balance leastconn, cookie SRVNAME insert]
      server_options: maxconn 100 cookie S{i} check
Services definition(s). Although the variable type is a string, this is interpreted in the charm as yaml. To use multiple services within the same haproxy instance, specify all of the variables (service_name, service_host, service_port, service_options, server_options) with a "-" before the first variable, service_name, as above. Service options is a comma-separated list; server options will be appended as a string to the individual server lines for a given listen stanza.

If your web application serves dynamic content based on users' login sessions, a visitor will experience unexpected behaviour if each request is proxied to a different backend web server. Session stickiness ensures that a visitor 'sticks' to the backend web server which served their first request. This is made possible by tagging each backend server with a cookie. Sessions are sticky by default. To turn off sticky sessions, remove the 'cookie SRVNAME insert' and 'cookie S{i}' stanzas from `service_options` and `server_options`.
-
source | string
Optional configuration to support use of additional sources such as:

    - ppa:myteam/ppa
    - cloud:precise-proposed/folsom
    - http://my.archive.com/ubuntu main

The last option should be used in conjunction with the key configuration option.
-
ssl_cert | string
base64 encoded default SSL certificate. If the keyword 'SELFSIGNED' is used, the certificate and key will be autogenerated as self-signed. This is the certificate used by services configured using keyword 'DEFAULT' as SSL certificate. This config key will be ignored if the installed haproxy package has no SSL support.
-
ssl_key | string
base64 encoded private key for the default SSL certificate. If ssl_cert is specified as SELFSIGNED or the installed haproxy package has no SSL support, this will be ignored.
-
sysctl | string
YAML-formatted list of sysctl values, e.g.: '{ net.ipv4.tcp_max_syn_backlog : 65536 }'
-
tls_crit_days | int
Default: 14
Number of days left for the TLS certificate to expire before alerting Critical in the NRPE check.
-
tls_warn_days | int
Default: 30
Number of days left for the TLS certificate to expire before warning in the nagios NRPE check.
-
userlists | string
Userlists control access to services or stats by allowing only authenticated users.

For example:

    - list1:
        groups:
          - G1 users tiger,scott
          - G2 users xdb,scott
        users:
          - tiger password $6$k6y3o.eP$JlKBx9z...
          - scott insecure-password elgato
          - xdb insecure-password hello
    - list2:
        groups:
          - group1
        users:
          - alice insecure-password foo groups group1
          - bob insecure-password bar groups group1

See http://cbonte.github.io/haproxy-dconv/1.6/configuration.html#3.4
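A lint over the option values described above, as an added example (not part of the charm or this page's own code). The names `weak_cipher_tokens`, `audit` and `SAMPLE` are hypothetical, and the cipher check works on the tokens of the string only; it does not expand aliases such as `AES`, for which `openssl ciphers -v '<string>'` shows the resulting suite list.

```python
import ipaddress
import re

# Families a token-level lint can spot; "!<family>" in the string removes one.
WEAK = {"3DES": ("DES-CBC3", "3DES"), "RC4": ("RC4",), "MD5": ("MD5",)}

def weak_cipher_tokens(cipher_string):
    """Return enabled tokens naming a weak family (OpenSSL cipher-list syntax)."""
    tokens = [t for t in cipher_string.split(":") if t]
    removed = {t[1:] for t in tokens if t.startswith("!")}  # permanent removals
    weak = []
    for tok in tokens:
        if tok[0] in "!-+@":  # removal, reorder or @STRENGTH: enables nothing
            continue
        for family, markers in WEAK.items():
            if (family not in removed and tok not in removed
                    and any(m in tok for m in markers)):
                weak.append(tok)
                break
    return weak

def audit(cfg):
    """Lint a dict of charm option values; returns a list of finding strings."""
    out = [f"cipher {t} is enabled" for t in
           weak_cipher_tokens(cfg.get("global_default_bind_ciphers", ""))]
    if cfg.get("global_default_dh_param", 2048) < 2048:
        out.append("DH parameters below 2048 bits")
    if cfg.get("enable_monitoring"):
        if cfg.get("monitoring_password", "changeme") == "changeme":
            out.append("monitoring password will be generated and shown in juju-log")
        for cidr in cfg.get("monitoring_allowed_cidr", "127.0.0.1/32").split():
            if ipaddress.ip_network(cidr, strict=False).prefixlen == 0:
                out.append(f"monitoring interface open to {cidr}")
    for user in re.findall(r"(\S+)\s+insecure-password\s", cfg.get("userlists", "")):
        out.append(f"user {user} has a cleartext password in config")
    return out

# Constructed sample: cipher list abridged from the default shown above,
# userlists modelled on the example in the option description.
SAMPLE = {
    "global_default_bind_ciphers": "ECDHE-RSA-AES128-GCM-SHA256:AES:!CAMELLIA:"
        "DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK",
    "enable_monitoring": True,
    "monitoring_password": "changeme",
    "monitoring_allowed_cidr": "127.0.0.1/32 0.0.0.0/0",
    "userlists": "- list1:\n    users:\n      - tiger password $6$placeholder\n"
                 "      - scott insecure-password elgato\n",
}

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

Note that `!DES` in the default string removes single DES only, which is why `DES-CBC3-SHA` is still reported; adding `!3DES` clears the finding.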