state_path
¶string
/var/lib/neutron
Where to store Neutron state files. This directory must be writable by the agent.
bind_host
¶host address
0.0.0.0
The host IP to bind to.
bind_port
¶port number
9696
0
65535
The port to bind to
api_extensions_path
¶string
''
The path for API extensions. Note that this can be a colon-separated list of paths. For example: api_extensions_path = extensions:/path/to/more/exts:/even/more/exts. The __path__ of neutron.extensions is appended to this, so if your extensions are in there you don’t need to specify them here.
auth_strategy
¶string
keystone
The type of authentication to use
core_plugin
¶string
<None>
The core plugin Neutron will use
service_plugins
¶list
[]
The service plugins Neutron will use
base_mac
¶string
fa:16:3e:00:00:00
The base MAC address Neutron will use for VIFs. The first 3 octets will remain unchanged. If the 4th octet is not 00, it will also be used. The others will be randomly generated.
allow_bulk
¶boolean
True
Allow the usage of the bulk API
pagination_max_limit
¶string
-1
The maximum number of items returned in a single response, value was ‘infinite’ or negative integer means no limit
default_availability_zones
¶list
[]
Default value of availability zone hints. The availability zone aware schedulers use this when the resources availability_zone_hints is empty. Multiple availability zones can be specified by a comma separated string. This value can be empty. In this case, even if availability_zone_hints for a resource is empty, availability zone is considered for high availability while scheduling the resource.
max_dns_nameservers
¶integer
5
Maximum number of DNS nameservers per subnet
max_subnet_host_routes
¶integer
20
Maximum number of host routes per subnet
ipv6_pd_enabled
¶boolean
False
Warning: This feature is experimental with low test coverage, and the Dibbler client which is used for this feature is no longer maintained! Enables IPv6 Prefix Delegation for automatic subnet CIDR allocation. Set to True to enable IPv6 Prefix Delegation for subnet allocation in a PD-capable environment. Users making subnet creation requests for IPv6 subnets without providing a CIDR or subnetpool ID will be given a CIDR via the Prefix Delegation mechanism. Note that enabling PD will override the behavior of the default IPv6 subnetpool.
dhcp_lease_duration
¶integer
86400
DHCP lease duration (in seconds). Use -1 to tell dnsmasq to use infinite lease times.
dns_domain
¶string
openstacklocal
Domain to use for building the hostnames
external_dns_driver
¶string
<None>
Driver for external DNS integration.
dhcp_agent_notification
¶boolean
True
Allow sending resource operation notification to DHCP agent
host
¶host address
example.domain
This option has a sample default set, which means that its actual default value may vary from the one documented above.
Hostname to be used by the Neutron server, agents and services running on this machine. All the agents and services running on this machine must use the same host value.
network_link_prefix
¶string
<None>
This string is prepended to the normal URL that is returned in links to the OpenStack Network API. If it is empty (the default), the URLs are returned unchanged.
notify_nova_on_port_status_changes
¶boolean
True
Send notification to nova when port status changes
notify_nova_on_port_data_changes
¶boolean
True
Send notification to nova when port data (fixed_ips/floatingip) changes so nova can update its cache.
send_events_interval
¶integer
2
Number of seconds between sending events to nova if there are any events to send.
setproctitle
¶string
on
Set process name to match child worker role. Available options are: ‘off’ - retains the previous behavior; ‘on’ - renames processes to ‘neutron-server: role (original string)’; ‘brief’ - renames the same as ‘on’, but without the original string, such as ‘neutron-server: role’.
ipam_driver
¶string
internal
Neutron IPAM (IP address management) driver to use. By default, the reference implementation of the Neutron IPAM driver is used.
vlan_transparent
¶boolean
False
If True, then allow plugins that support it to create VLAN transparent networks.
filter_validation
¶boolean
True
If True, then allow plugins to decide whether to perform validations on filter parameters. Filter validation is enabled if this config is turned on and it is supported by all plugins
global_physnet_mtu
¶integer
1500
MTU of the underlying physical network. Neutron uses this value to calculate MTU for all virtual network components. For flat and VLAN networks, neutron uses this value without modification. For overlay networks such as VXLAN, neutron automatically subtracts the overlay protocol overhead from this value. Defaults to 1500, the standard value for Ethernet.
Group |
Name |
---|---|
ml2 |
segment_mtu |
http_retries
¶integer
3
0
Number of times client connections (nova, ironic) should be retried on a failed HTTP call. 0 (zero) means connection is attempted only once (not retried). Setting to any positive integer means that on failure the connection is retried that many times. For example, setting to 3 means total attempts to connect will be 4.
enable_traditional_dhcp
¶boolean
True
If False, neutron-server will disable the following DHCP-agent related functions:1. DHCP provisioning block 2. DHCP scheduler API extension 3. Network scheduling mechanism 4. DHCP RPC/notification
backlog
¶integer
4096
Number of backlog requests to configure the socket with
retry_until_window
¶integer
30
Number of seconds to keep retrying to listen
use_ssl
¶boolean
False
Enable SSL on the API server
periodic_interval
¶integer
40
Seconds between running periodic tasks.
api_workers
¶integer
<None>
Number of separate API worker processes for service. If not specified, the default is equal to the number of CPUs available for best performance, capped by potential RAM usage.
rpc_workers
¶integer
<None>
Number of RPC worker processes for service. If not specified, the default is equal to half the number of API workers.
rpc_state_report_workers
¶integer
1
Number of RPC worker processes dedicated to state reports queue.
periodic_fuzzy_delay
¶integer
5
Range of seconds to randomly delay when starting the periodic task scheduler to reduce stampeding. (Disable by setting to 0)
rpc_response_max_timeout
¶integer
600
Maximum seconds to wait for a response from an RPC call.
interface_driver
¶string
<None>
The driver used to manage the virtual interface.
metadata_proxy_socket
¶string
$state_path/metadata_proxy
Location for Metadata Proxy UNIX domain socket.
metadata_proxy_user
¶string
''
User (uid or name) running metadata proxy after its initialization (if empty: agent effective user).
metadata_proxy_group
¶string
''
Group (gid or name) running metadata proxy after its initialization (if empty: agent effective group).
agent_down_time
¶integer
75
Seconds to regard the agent is down; should be at least twice report_interval, to be sure the agent is down for good.
dhcp_load_type
¶string
networks
networks, subnets, ports
Representing the resource type whose load is being reported by the agent. This can be “networks”, “subnets” or “ports”. When specified (Default is networks), the server will extract particular load sent as part of its agent configuration object from the agent report state, which is the number of resources being consumed, at every report_interval.dhcp_load_type can be used in combination with network_scheduler_driver = neutron.scheduler.dhcp_agent_scheduler.WeightScheduler When the network_scheduler_driver is WeightScheduler, dhcp_load_type can be configured to represent the choice for the resource being balanced. Example: dhcp_load_type=networks
enable_new_agents
¶boolean
True
Agent starts with admin_state_up=False when enable_new_agents=False. In the case, user’s resources will not be scheduled automatically to the agent until admin changes admin_state_up to True.
rpc_resources_processing_step
¶integer
20
1
Number of resources for neutron to divide the large RPC call data sets. It can be reduced if RPC timeout occurred. The best value can be determined empirically in your environment.
max_routes
¶integer
30
Maximum number of routes per router
enable_snat_by_default
¶boolean
True
Define the default value of enable_snat if not provided in external_gateway_info.
network_scheduler_driver
¶string
neutron.scheduler.dhcp_agent_scheduler.WeightScheduler
Driver to use for scheduling network to DHCP agent
network_auto_schedule
¶boolean
True
Allow auto scheduling networks to DHCP agent.
allow_automatic_dhcp_failover
¶boolean
True
Automatically remove networks from offline DHCP agents.
dhcp_agents_per_network
¶integer
1
1
Number of DHCP agents scheduled to host a tenant network. If this number is greater than 1, the scheduler automatically assigns multiple DHCP agents for a given tenant network, providing high availability for the DHCP service. However this does not provide high availability for the IPv6 metadata service in isolated networks.
enable_services_on_agents_with_admin_state_down
¶boolean
False
Enable services on an agent with admin_state_up False. If this option is False, when admin_state_up of an agent is turned False, services on it will be disabled. Agents with admin_state_up False are not selected for automatic scheduling regardless of this option. But manual scheduling to such agents is available if this option is True.
dvr_base_mac
¶string
fa:16:3f:00:00:00
The base mac address used for unique DVR instances by Neutron. The first 3 octets will remain unchanged. If the 4th octet is not 00, it will also be used. The others will be randomly generated. The ‘dvr_base_mac’ must be different from ‘base_mac’ to avoid mixing them up with MAC’s allocated for tenant ports. A 4 octet example would be dvr_base_mac = fa:16:3f:4f:00:00. The default is 3 octet
router_distributed
¶boolean
False
System-wide flag to determine the type of router that tenants can create. Only admin can override.
enable_dvr
¶boolean
True
Determine if setup is configured for DVR. If False, DVR API extension will be disabled.
host_dvr_for_dhcp
¶boolean
True
Flag to determine if hosting a DVR local router to the DHCP agent is desired. If False, any L3 function supported by the DHCP agent instance will not be possible, for instance: DNS.
router_scheduler_driver
¶string
neutron.scheduler.l3_agent_scheduler.LeastRoutersScheduler
Driver to use for scheduling router to a default L3 agent
router_auto_schedule
¶boolean
True
Allow auto scheduling of routers to L3 agent.
allow_automatic_l3agent_failover
¶boolean
False
Automatically reschedule routers from offline L3 agents to online L3 agents.
l3_ha
¶boolean
False
Enable HA mode for virtual routers.
max_l3_agents_per_router
¶integer
3
Maximum number of L3 agents which a HA router will be scheduled on. If it is set to 0 then the router will be scheduled on every agent.
l3_ha_net_cidr
¶string
169.254.192.0/18
Subnet used for the l3 HA admin network.
l3_ha_network_type
¶string
''
The network type to use when creating the HA network for an HA router. By default or if empty, the first ‘tenant_network_types’ is used. This is helpful when the VRRP traffic should use a specific network which is not the default one.
l3_ha_network_physical_name
¶string
''
The physical network name with which the HA network can be created.
max_allowed_address_pair
¶integer
10
Maximum number of allowed address pairs
allowed_conntrack_helpers
¶list
[{'tftp': 'udp'}, {'ftp': 'tcp'}, {'sip': 'tcp'}, {'sip': 'udp'}]
This option has a sample default set, which means that its actual default value may vary from the one documented above.
Defines the allowed conntrack helpers, and conntack helper module protocol constraints.
rpc_conn_pool_size
¶integer
30
1
Size of RPC connection pool.
Group |
Name |
---|---|
DEFAULT |
rpc_conn_pool_size |
conn_pool_min_size
¶integer
2
The pool size limit for connections expiration policy
conn_pool_ttl
¶integer
1200
The time-to-live in sec of idle connections in the pool
executor_thread_pool_size
¶integer
64
Size of executor thread pool when executor is threading or eventlet.
Group |
Name |
---|---|
DEFAULT |
rpc_thread_pool_size |
rpc_response_timeout
¶integer
60
Seconds to wait for a response from a call.
transport_url
¶string
rabbit://
The network address and optional user credentials for connecting to the messaging backend, in URL format. The expected format is:
driver://[user:pass@]host:port[,[userN:passN@]hostN:portN]/virtual_host?query
Example: rabbit://rabbitmq:password@127.0.0.1:5672//
For full details on the fields in the URL see the documentation of oslo_messaging.TransportURL at https://docs.openstack.org/oslo.messaging/latest/reference/transport.html
control_exchange
¶string
openstack
The default exchange under which topics are scoped. May be overridden by an exchange name specified in the transport_url option.
rpc_ping_enabled
¶boolean
False
Add an endpoint to answer to ping calls. Endpoint is named oslo_rpc_server_ping
run_external_periodic_tasks
¶boolean
True
Some periodic tasks can be run in a separate process. Should we run them here?
backdoor_port
¶string
<None>
Enable eventlet backdoor. Acceptable values are 0, <port>, and <start>:<end>, where 0 results in listening on a random tcp port number; <port> results in listening on the specified port number (and not enabling backdoor if that port is in use); and <start>:<end> results in listening on the smallest unused port number within the specified range of port numbers. The chosen port is displayed in the service’s log file.
backdoor_socket
¶string
<None>
Enable eventlet backdoor, using the provided path as a unix socket that can receive connections. This option is mutually exclusive with ‘backdoor_port’ in that only one should be provided. If both are provided then the existence of this option overrides the usage of that option. Inside the path {pid} will be replaced with the PID of the current process.
log_options
¶boolean
True
Enables or disables logging values of all registered options when starting a service (at DEBUG level).
graceful_shutdown_timeout
¶integer
60
Specify a timeout after which a gracefully shutdown server will exit. Zero value means endless wait.
api_paste_config
¶string
api-paste.ini
File name for the paste.deploy config for api service
wsgi_log_format
¶string
%(client_ip)s "%(request_line)s" status: %(status_code)s len: %(body_length)s time: %(wall_seconds).7f
A python format string that is used as the template to generate log lines. The following values can beformatted into it: client_ip, date_time, request_line, status_code, body_length, wall_seconds.
tcp_keepidle
¶integer
600
Sets the value of TCP_KEEPIDLE in seconds for each server socket. Not supported on OS X.
wsgi_default_pool_size
¶integer
100
Size of the pool of greenthreads used by wsgi
max_header_line
¶integer
16384
Maximum line size of message headers to be accepted. max_header_line may need to be increased when using large tokens (typically those generated when keystone is configured to use PKI tokens with big service catalogs).
wsgi_keep_alive
¶boolean
True
If False, closes the client socket connection explicitly.
client_socket_timeout
¶integer
900
Timeout for client connections’ socket operations. If an incoming connection is idle for this number of seconds it will be closed. A value of ‘0’ means wait forever.
wsgi_server_debug
¶boolean
False
True if the server should send exception tracebacks to the clients on 500 errors. If False, the server will respond with empty bodies.
debug
¶boolean
False
This option can be changed without restarting.
If set to true, the logging level will be set to DEBUG instead of the default INFO level.
log_config_append
¶string
<None>
This option can be changed without restarting.
The name of a logging configuration file. This file is appended to any existing logging configuration files. For details about logging configuration files, see the Python logging module documentation. Note that when logging configuration files are used then all logging configuration is set in the configuration file and other logging configuration options are ignored (for example, log-date-format).
Group |
Name |
---|---|
DEFAULT |
log-config |
DEFAULT |
log_config |
log_date_format
¶string
%Y-%m-%d %H:%M:%S
Defines the format string for %(asctime)s in log records. Default: the value above . This option is ignored if log_config_append is set.
log_file
¶string
<None>
(Optional) Name of log file to send logging output to. If no default is set, logging will go to stderr as defined by use_stderr. This option is ignored if log_config_append is set.
Group |
Name |
---|---|
DEFAULT |
logfile |
log_dir
¶string
<None>
(Optional) The base directory used for relative log_file paths. This option is ignored if log_config_append is set.
Group |
Name |
---|---|
DEFAULT |
logdir |
watch_log_file
¶boolean
False
Uses logging handler designed to watch file system. When log file is moved or removed this handler will open a new log file with specified path instantaneously. It makes sense only if log_file option is specified and Linux platform is used. This option is ignored if log_config_append is set.
use_syslog
¶boolean
False
Use syslog for logging. Existing syslog format is DEPRECATED and will be changed later to honor RFC5424. This option is ignored if log_config_append is set.
use_journal
¶boolean
False
Enable journald for logging. If running in a systemd environment you may wish to enable journal support. Doing so will use the journal native protocol which includes structured metadata in addition to log messages.This option is ignored if log_config_append is set.
syslog_log_facility
¶string
LOG_USER
Syslog facility to receive log lines. This option is ignored if log_config_append is set.
use_json
¶boolean
False
Use JSON formatting for logging. This option is ignored if log_config_append is set.
use_stderr
¶boolean
False
Log output to standard error. This option is ignored if log_config_append is set.
use_eventlog
¶boolean
False
Log output to Windows Event Log.
log_rotate_interval
¶integer
1
The amount of time before the log files are rotated. This option is ignored unless log_rotation_type is set to “interval”.
log_rotate_interval_type
¶string
days
Seconds, Minutes, Hours, Days, Weekday, Midnight
Rotation interval type. The time of the last file change (or the time when the service was started) is used when scheduling the next rotation.
max_logfile_count
¶integer
30
Maximum number of rotated log files.
max_logfile_size_mb
¶integer
200
Log file maximum size in MB. This option is ignored if “log_rotation_type” is not set to “size”.
log_rotation_type
¶string
none
interval, size, none
Log rotation type.
Possible values
Rotate logs at predefined time intervals.
Rotate logs once they reach a predefined size.
Do not rotate log files.
logging_context_format_string
¶string
%(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [%(global_request_id)s %(request_id)s %(user_identity)s] %(instance)s%(message)s
Format string to use for log messages with context. Used by oslo_log.formatters.ContextFormatter
logging_default_format_string
¶string
%(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [-] %(instance)s%(message)s
Format string to use for log messages when context is undefined. Used by oslo_log.formatters.ContextFormatter
logging_debug_format_suffix
¶string
%(funcName)s %(pathname)s:%(lineno)d
Additional data to append to log message when logging level for the message is DEBUG. Used by oslo_log.formatters.ContextFormatter
logging_exception_prefix
¶string
%(asctime)s.%(msecs)03d %(process)d ERROR %(name)s %(instance)s
Prefix each line of exception output with this format. Used by oslo_log.formatters.ContextFormatter
logging_user_identity_format
¶string
%(user)s %(project)s %(domain)s %(system_scope)s %(user_domain)s %(project_domain)s
Defines the format string for %(user_identity)s that is used in logging_context_format_string. Used by oslo_log.formatters.ContextFormatter
default_log_levels
¶list
['amqp=WARN', 'amqplib=WARN', 'boto=WARN', 'qpid=WARN', 'sqlalchemy=WARN', 'suds=INFO', 'oslo.messaging=INFO', 'oslo_messaging=INFO', 'iso8601=WARN', 'requests.packages.urllib3.connectionpool=WARN', 'urllib3.connectionpool=WARN', 'websocket=WARN', 'requests.packages.urllib3.util.retry=WARN', 'urllib3.util.retry=WARN', 'keystonemiddleware=WARN', 'routes.middleware=WARN', 'stevedore=WARN', 'taskflow=WARN', 'keystoneauth=WARN', 'oslo.cache=INFO', 'oslo_policy=INFO', 'dogpile.core.dogpile=INFO']
List of package logging levels in logger=LEVEL pairs. This option is ignored if log_config_append is set.
publish_errors
¶boolean
False
Enables or disables publication of error events.
instance_format
¶string
"[instance: %(uuid)s] "
The format for an instance that is passed with the log message.
instance_uuid_format
¶string
"[instance: %(uuid)s] "
The format for an instance UUID that is passed with the log message.
rate_limit_interval
¶integer
0
Interval, number of seconds, of log rate limiting.
rate_limit_burst
¶integer
0
Maximum number of logged messages per rate_limit_interval.
rate_limit_except_level
¶string
CRITICAL
Log level name used by rate limiting: CRITICAL, ERROR, INFO, WARNING, DEBUG or empty string. Logs with level greater or equal to rate_limit_except_level are not filtered. An empty string means that all levels are filtered.
fatal_deprecations
¶boolean
False
Enables or disables fatal status of deprecations.
root_helper
¶string
sudo
Root helper application. Use ‘sudo neutron-rootwrap /etc/neutron/rootwrap.conf’ to use the real root filter facility. Change to ‘sudo’ to skip the filtering and just run the command directly.
use_helper_for_ns_read
¶boolean
True
Use the root helper when listing the namespaces on a system. This may not be required depending on the security configuration. If the root helper is not required, set this to False for a performance improvement.
root_helper_daemon
¶string
<None>
Root helper daemon application to use when possible.
Use ‘sudo neutron-rootwrap-daemon /etc/neutron/rootwrap.conf’ to run rootwrap in “daemon mode” which has been reported to improve performance at scale. For more information on running rootwrap in “daemon mode”, see:
https://docs.openstack.org/oslo.rootwrap/latest/user/usage.html#daemon-mode
report_interval
¶floating point
30
Seconds between nodes reporting state to server; should be less than agent_down_time, best if it is half or less than agent_down_time.
log_agent_heartbeats
¶boolean
False
Log agent heartbeats
comment_iptables_rules
¶boolean
True
Add comments to iptables rules. Set to false to disallow the addition of comments to generated iptables rules that describe each rule’s purpose. System must support the iptables comments module for addition of comments.
debug_iptables_rules
¶boolean
False
Duplicate every iptables difference calculation to ensure the format being generated matches the format of iptables-save. This option should not be turned on for production systems because it imposes a performance penalty.
use_random_fully
¶boolean
True
Use random-fully in SNAT masquerade rules.
check_child_processes_action
¶string
respawn
respawn, exit
Action to be executed when a child process dies
check_child_processes_interval
¶integer
60
Interval between checks of child process liveness (seconds), use 0 to disable
kill_scripts_path
¶string
/etc/neutron/kill_scripts/
Location of scripts used to kill external processes. Names of scripts here must follow the pattern: “<process-name>-kill” where <process-name> is name of the process which should be killed using this script. For example, kill script for dnsmasq process should be named “dnsmasq-kill”. If path is set to None, then default “kill” command will be used to stop processes.
availability_zone
¶string
nova
Availability zone of this node
config_prefix
¶string
cache.oslo
Prefix for building the configuration dictionary for the cache region. This should not need to be changed unless there is another dogpile.cache region with the same configuration name.
expiration_time
¶integer
600
Default TTL, in seconds, for any cached item in the dogpile.cache region. This applies to any cached method that doesn’t have an explicit cache expiration time defined for it.
backend
¶string
dogpile.cache.null
oslo_cache.memcache_pool, oslo_cache.dict, oslo_cache.mongo, oslo_cache.etcd3gw, dogpile.cache.pymemcache, dogpile.cache.memcached, dogpile.cache.pylibmc, dogpile.cache.bmemcached, dogpile.cache.dbm, dogpile.cache.redis, dogpile.cache.memory, dogpile.cache.memory_pickle, dogpile.cache.null
Cache backend module. For eventlet-based or environments with hundreds of threaded servers, Memcache with pooling (oslo_cache.memcache_pool) is recommended. For environments with less than 100 threaded servers, Memcached (dogpile.cache.memcached) or Redis (dogpile.cache.redis) is recommended. Test environments with a single instance of the server can use the dogpile.cache.memory backend.
backend_argument
¶multi-valued
''
Arguments supplied to the backend module. Specify this option once per argument to be passed to the dogpile.cache backend. Example format: “<argname>:<value>”.
proxies
¶list
[]
Proxy classes to import that will affect the way the dogpile.cache backend functions. See the dogpile.cache documentation on changing-backend-behavior.
enabled
¶boolean
False
Global toggle for caching.
debug_cache_backend
¶boolean
False
Extra debugging from the cache backend (cache keys, get/set/delete/etc calls). This is only really useful if you need to see the specific cache-backend get/set/delete calls with the keys/values. Typically this should be left set to false.
memcache_servers
¶list
['localhost:11211']
Memcache servers in the format of “host:port”. This is used by backends dependent on Memcached.If dogpile.cache.memcached
or oslo_cache.memcache_pool
is used and a given host refer to an IPv6 or a given domain refer to IPv6 then you should prefix the given address withthe address family (inet6
) (e.g inet6[::1]:11211
, inet6:[fd12:3456:789a:1::1]:11211
, inet6:[controller-0.internalapi]:11211
). If the address family is not given then these backends will use the default inet
address family which corresponds to IPv4
memcache_dead_retry
¶integer
300
Number of seconds memcached server is considered dead before it is tried again. (dogpile.cache.memcache and oslo_cache.memcache_pool backends only).
memcache_socket_timeout
¶floating point
1.0
Timeout in seconds for every call to a server. (dogpile.cache.memcache and oslo_cache.memcache_pool backends only).
memcache_pool_maxsize
¶integer
10
Max total number of open connections to every memcached server. (oslo_cache.memcache_pool backend only).
memcache_pool_unused_timeout
¶integer
60
Number of seconds a connection to memcached is held unused in the pool before it is closed. (oslo_cache.memcache_pool backend only).
memcache_pool_connection_get_timeout
¶integer
10
Number of seconds that an operation will wait to get a memcache client connection.
memcache_pool_flush_on_reconnect
¶boolean
False
Global toggle if memcache will be flushed on reconnect. (oslo_cache.memcache_pool backend only).
memcache_sasl_enabled
¶boolean
False
Enable the SASL(Simple Authentication and SecurityLayer) if the SASL_enable is true, else disable.
memcache_username
¶string
''
the user name for the memcached which SASL enabled
memcache_password
¶string
''
the password for the memcached which SASL enabled
tls_enabled
¶boolean
False
Global toggle for TLS usage when comunicating with the caching servers.
tls_cafile
¶string
<None>
Path to a file of concatenated CA certificates in PEM format necessary to establish the caching servers’ authenticity. If tls_enabled is False, this option is ignored.
tls_certfile
¶string
<None>
Path to a single file in PEM format containing the client’s certificate as well as any number of CA certificates needed to establish the certificate’s authenticity. This file is only required when client side authentication is necessary. If tls_enabled is False, this option is ignored.
tls_keyfile
¶string
<None>
Path to a single file containing the client’s private key in. Otherwise the private key will be taken from the file specified in tls_certfile. If tls_enabled is False, this option is ignored.
tls_allowed_ciphers
¶string
<None>
Set the available ciphers for sockets created with the TLS context. It should be a string in the OpenSSL cipher list format. If not specified, all OpenSSL enabled ciphers will be available.
enable_socket_keepalive
¶boolean
False
Global toggle for the socket keepalive of dogpile’s pymemcache backend
socket_keepalive_idle
¶integer
1
0
The time (in seconds) the connection needs to remain idle before TCP starts sending keepalive probes. Should be a positive integer most greater than zero.
socket_keepalive_interval
¶integer
1
0
The time (in seconds) between individual keepalive probes. Should be a positive integer greater than zero.
socket_keepalive_count
¶integer
1
0
The maximum number of keepalive probes TCP should send before dropping the connection. Should be a positive integer greater than zero.
enable_retry_client
¶boolean
False
Enable retry client mechanisms to handle failure. Those mechanisms can be used to wrap all kind of pymemcache clients. The wrapper allows you to define how many attempts to make and how long to wait between attemots.
retry_attempts
¶integer
2
1
Number of times to attempt an action before failing.
retry_delay
¶floating point
0
Number of seconds to sleep between each attempt.
hashclient_retry_attempts
¶integer
2
1
Amount of times a client should be tried before it is marked dead and removed from the pool in the HashClient’s internal mechanisms.
hashclient_retry_delay
¶floating point
1
Time in seconds that should pass between retry attempts in the HashClient’s internal mechanisms.
dead_timeout
¶floating point
60
Time in seconds before attempting to add a node back in the pool in the HashClient’s internal mechanisms.
allowed_origin
¶list
<None>
Indicate whether this resource may be shared with the domain received in the requests “origin” header. Format: “<protocol>://<host>[:<port>]”, no trailing slash. Example: https://horizon.example.com
allow_credentials
¶boolean
True
Indicate that the actual request can include user credentials
expose_headers
¶list
['X-Auth-Token', 'X-Subject-Token', 'X-Service-Token', 'X-OpenStack-Request-ID', 'OpenStack-Volume-microversion']
Indicate which headers are safe to expose to the API. Defaults to HTTP Simple Headers.
max_age
¶integer
3600
Maximum cache age of CORS preflight requests.
allow_methods
¶list
['GET', 'PUT', 'POST', 'DELETE', 'PATCH']
Indicate which methods can be used during the actual request.
allow_headers
¶list
['X-Auth-Token', 'X-Identity-Status', 'X-Roles', 'X-Service-Catalog', 'X-User-Id', 'X-Tenant-Id', 'X-OpenStack-Request-ID']
Indicate which header field names may be used during the actual request.
engine
¶string
''
Database engine for which script will be generated when using offline migration.
sqlite_synchronous
¶boolean
True
If True, SQLite uses synchronous mode.
Group |
Name |
---|---|
DEFAULT |
sqlite_synchronous |
backend
¶string
sqlalchemy
The back end to use for the database.
Group |
Name |
---|---|
DEFAULT |
db_backend |
connection
¶string
<None>
The SQLAlchemy connection string to use to connect to the database.
Group |
Name |
---|---|
DEFAULT |
sql_connection |
DATABASE |
sql_connection |
sql |
connection |
slave_connection
¶string
<None>
The SQLAlchemy connection string to use to connect to the slave database.
mysql_sql_mode
¶string
TRADITIONAL
The SQL mode to be used for MySQL sessions. This option, including the default, overrides any server-set SQL mode. To use whatever SQL mode is set by the server configuration, set this to no value. Example: mysql_sql_mode=
mysql_enable_ndb
¶boolean
False
If True, transparently enables support for handling MySQL Cluster (NDB).
connection_recycle_time
¶integer
3600
Connections which have been present in the connection pool longer than this number of seconds will be replaced with a new one the next time they are checked out from the pool.
max_pool_size
¶integer
5
Maximum number of SQL connections to keep open in a pool. Setting a value of 0 indicates no limit.
max_retries
¶integer
10
Maximum number of database connection retries during startup. Set to -1 to specify an infinite retry count.
Group |
Name |
---|---|
DEFAULT |
sql_max_retries |
DATABASE |
sql_max_retries |
retry_interval
¶integer
10
Interval between retries of opening a SQL connection.
Group |
Name |
---|---|
DEFAULT |
sql_retry_interval |
DATABASE |
reconnect_interval |
max_overflow
¶integer
50
If set, use this value for max_overflow with SQLAlchemy.
Group |
Name |
---|---|
DEFAULT |
sql_max_overflow |
DATABASE |
sqlalchemy_max_overflow |
connection_debug
¶integer
0
0
100
Verbosity of SQL debugging information: 0=None, 100=Everything.
Group |
Name |
---|---|
DEFAULT |
sql_connection_debug |
connection_trace
¶boolean
False
Add Python stack traces to SQL as comment strings.
Group |
Name |
---|---|
DEFAULT |
sql_connection_trace |
pool_timeout
¶integer
<None>
If set, use this value for pool_timeout with SQLAlchemy.
Group |
Name |
---|---|
DATABASE |
sqlalchemy_pool_timeout |
use_db_reconnect
¶boolean
False
Enable the experimental use of database reconnect on connection lost.
db_retry_interval
¶integer
1
Seconds between retries of a database transaction.
db_inc_retry_interval
¶boolean
True
If True, increases the interval between retries of a database operation up to db_max_retry_interval.
db_max_retry_interval
¶integer
10
If db_inc_retry_interval is set, the maximum seconds between retries of a database operation.
db_max_retries
¶integer
20
Maximum retries in case of connection error or deadlock error before error is raised. Set to -1 to specify an infinite retry count.
connection_parameters
¶string
''
Optional URL parameters to append onto the connection URL at connect time; specify as param1=value1¶m2=value2&…
linuxbridge
¶boolean
False
Enable execution of the experimental Linuxbridge agent.
path
¶string
/healthcheck
The path to respond to healtcheck requests on.
Warning
This option is deprecated for removal. Its value may be silently ignored in the future.
detailed
¶boolean
False
Show more detailed information as part of the response. Security note: Enabling this option may expose sensitive details about the service being monitored. Be sure to verify that it will not violate your security policies.
backends
¶list
[]
Additional backends that can perform health checks and report that information back as part of a request.
disable_by_file_path
¶string
<None>
Check the presence of a file to determine if an application is running on a port. Used by DisableByFileHealthcheck plugin.
disable_by_file_paths
¶list
[]
Check the presence of a file based on a port to determine if an application is running on a port. Expects a “port:path” list of strings. Used by DisableByFilesPortsHealthcheck plugin.
auth_url
¶unknown type
<None>
Authentication URL
auth_type
¶unknown type
<None>
Authentication type to load
Group |
Name |
---|---|
ironic |
auth_plugin |
cafile
¶string
<None>
PEM encoded Certificate Authority to use when verifying HTTPs connections.
certfile
¶string
<None>
PEM encoded client certificate cert file
collect_timing
¶boolean
False
Collect per-API call timing information.
default_domain_id
¶unknown type
<None>
Optional domain ID to use with v3 and v2 parameters. It will be used for both the user and project domain in v3 and ignored in v2 authentication.
default_domain_name
¶unknown type
<None>
Optional domain name to use with v3 API and v2 parameters. It will be used for both the user and project domain in v3 and ignored in v2 authentication.
domain_id
¶unknown type
<None>
Domain ID to scope to
domain_name
¶unknown type
<None>
Domain name to scope to
insecure
¶boolean
False
Verify HTTPS connections.
keyfile
¶string
<None>
PEM encoded client certificate key file
password
¶unknown type
<None>
User’s password
project_domain_id
¶unknown type
<None>
Domain ID containing project
project_domain_name
¶unknown type
<None>
Domain name containing project
project_id
¶unknown type
<None>
Project ID to scope to
Group |
Name |
---|---|
ironic |
tenant-id |
ironic |
tenant_id |
project_name
¶unknown type
<None>
Project name to scope to
Group |
Name |
---|---|
ironic |
tenant-name |
ironic |
tenant_name |
split_loggers
¶boolean
False
Log requests to multiple loggers.
system_scope
¶unknown type
<None>
Scope for system operations
tenant_id
¶unknown type
<None>
Tenant ID
tenant_name
¶unknown type
<None>
Tenant Name
timeout
¶integer
<None>
Timeout value for http requests
trust_id
¶unknown type
<None>
ID of the trust to use as a trustee use
user_domain_id
¶unknown type
<None>
User’s domain id
user_domain_name
¶unknown type
<None>
User’s domain name
user_id
¶unknown type
<None>
User id
username
¶unknown type
<None>
Username
Group |
Name |
---|---|
ironic |
user-name |
ironic |
user_name |
enable_notifications
¶boolean
False
Send notification events to ironic. (For example on relevant port status changes.)
www_authenticate_uri
¶string
<None>
Complete “public” Identity API endpoint. This endpoint should not be an “admin” endpoint, as it should be accessible by all end users. Unauthenticated clients are redirected to this endpoint to authenticate. Although this endpoint should ideally be unversioned, client support in the wild varies. If you’re using a versioned v2 endpoint here, then this should not be the same endpoint the service user utilizes for validating tokens, because normal end users may not be able to reach that endpoint.
Group |
Name |
---|---|
keystone_authtoken |
auth_uri |
auth_uri
¶string
<None>
Complete “public” Identity API endpoint. This endpoint should not be an “admin” endpoint, as it should be accessible by all end users. Unauthenticated clients are redirected to this endpoint to authenticate. Although this endpoint should ideally be unversioned, client support in the wild varies. If you’re using a versioned v2 endpoint here, then this should not be the same endpoint the service user utilizes for validating tokens, because normal end users may not be able to reach that endpoint. This option is deprecated in favor of www_authenticate_uri and will be removed in the S release.
Warning
This option is deprecated for removal since Queens. Its value may be silently ignored in the future.
The auth_uri option is deprecated in favor of www_authenticate_uri and will be removed in the S release.
auth_version
¶string
<None>
API version of the Identity API endpoint.
interface
¶string
internal
Interface to use for the Identity API endpoint. Valid values are “public”, “internal” (default) or “admin”.
delay_auth_decision
¶boolean
False
Do not handle authorization requests within the middleware, but delegate the authorization decision to downstream WSGI components.
http_connect_timeout
¶integer
<None>
Request timeout value for communicating with Identity API server.
http_request_max_retries
¶integer
3
How many times are we trying to reconnect when communicating with Identity API Server.
cache
¶string
<None>
Request environment key where the Swift cache object is stored. When auth_token middleware is deployed with a Swift cache, use this option to have the middleware share a caching backend with swift. Otherwise, use the memcached_servers
option instead.
certfile
¶string
<None>
Required if identity server requires client certificate
keyfile
¶string
<None>
Required if identity server requires client certificate
cafile
¶string
<None>
A PEM encoded Certificate Authority to use when verifying HTTPs connections. Defaults to system CAs.
insecure
¶boolean
False
Verify HTTPS connections.
region_name
¶string
<None>
The region in which the identity server can be found.
memcached_servers
¶list
<None>
Optionally specify a list of memcached server(s) to use for caching. If left undefined, tokens will instead be cached in-process.
Group |
Name |
---|---|
keystone_authtoken |
memcache_servers |
token_cache_time
¶integer
300
In order to prevent excessive effort spent validating tokens, the middleware caches previously-seen tokens for a configurable duration (in seconds). Set to -1 to disable caching completely.
memcache_security_strategy
¶string
None
None, MAC, ENCRYPT
(Optional) If defined, indicate whether token data should be authenticated or authenticated and encrypted. If MAC, token data is authenticated (with HMAC) in the cache. If ENCRYPT, token data is encrypted and authenticated in the cache. If the value is not one of these options or empty, auth_token will raise an exception on initialization.
memcache_secret_key
¶string
<None>
(Optional, mandatory if memcache_security_strategy is defined) This string is used for key derivation.
memcache_pool_dead_retry
¶integer
300
(Optional) Number of seconds memcached server is considered dead before it is tried again.
memcache_pool_maxsize
¶integer
10
(Optional) Maximum total number of open connections to every memcached server.
memcache_pool_socket_timeout
¶integer
3
(Optional) Socket timeout in seconds for communicating with a memcached server.
memcache_pool_unused_timeout
¶integer
60
(Optional) Number of seconds a connection to memcached is held unused in the pool before it is closed.
memcache_pool_conn_get_timeout
¶integer
10
(Optional) Number of seconds that an operation will wait to get a memcached client connection from the pool.
memcache_use_advanced_pool
¶boolean
True
(Optional) Use the advanced (eventlet safe) memcached client pool.
include_service_catalog
¶boolean
True
(Optional) Indicate whether to set the X-Service-Catalog header. If False, middleware will not ask for service catalog on token validation and will not set the X-Service-Catalog header.
enforce_token_bind
¶string
permissive
Used to control the use and type of token binding. Can be set to: “disabled” to not check token binding. “permissive” (default) to validate binding information if the bind type is of a form known to the server and ignore it if not. “strict” like “permissive” but if the bind type is unknown the token will be rejected. “required” any form of token binding is needed to be allowed. Finally the name of a binding method that must be present in tokens.
service_token_roles
¶list
['service']
A choice of roles that must be present in a service token. Service tokens are allowed to request that an expired token can be used and so this check should tightly control that only actual services should be sending this token. Roles here are applied as an ANY check so any role in this list must be present. For backwards compatibility reasons this currently only affects the allow_expired check.
service_token_roles_required
¶boolean
False
For backwards compatibility reasons we must let valid service tokens pass that don’t pass the service_token_roles check as valid. Setting this true will become the default in a future release and should be enabled if possible.
service_type
¶string
<None>
The name or type of the service as it appears in the service catalog. This is used to validate tokens that have restricted access rules.
auth_type
¶unknown type
<None>
Authentication type to load
Group |
Name |
---|---|
keystone_authtoken |
auth_plugin |
auth_section
¶unknown type
<None>
Config Section from which to load plugin specific options
region_name
¶string
<None>
Name of nova region to use. Useful if keystone manages more than one region.
endpoint_type
¶string
public
public, admin, internal
Type of the nova endpoint to use. This endpoint will be looked up in the keystone catalog and should be one of public, internal or admin.
auth_url
¶unknown type
<None>
Authentication URL
auth_type
¶unknown type
<None>
Authentication type to load
Group |
Name |
---|---|
nova |
auth_plugin |
cafile
¶string
<None>
PEM encoded Certificate Authority to use when verifying HTTPs connections.
certfile
¶string
<None>
PEM encoded client certificate cert file
collect_timing
¶boolean
False
Collect per-API call timing information.
default_domain_id
¶unknown type
<None>
Optional domain ID to use with v3 and v2 parameters. It will be used for both the user and project domain in v3 and ignored in v2 authentication.
default_domain_name
¶unknown type
<None>
Optional domain name to use with v3 API and v2 parameters. It will be used for both the user and project domain in v3 and ignored in v2 authentication.
domain_id
¶unknown type
<None>
Domain ID to scope to
domain_name
¶unknown type
<None>
Domain name to scope to
insecure
¶boolean
False
Verify HTTPS connections.
keyfile
¶string
<None>
PEM encoded client certificate key file
password
¶unknown type
<None>
User’s password
project_domain_id
¶unknown type
<None>
Domain ID containing project
project_domain_name
¶unknown type
<None>
Domain name containing project
project_id
¶unknown type
<None>
Project ID to scope to
Group |
Name |
---|---|
nova |
tenant-id |
nova |
tenant_id |
project_name
¶unknown type
<None>
Project name to scope to
Group |
Name |
---|---|
nova |
tenant-name |
nova |
tenant_name |
split_loggers
¶boolean
False
Log requests to multiple loggers.
system_scope
¶unknown type
<None>
Scope for system operations
tenant_id
¶unknown type
<None>
Tenant ID
tenant_name
¶unknown type
<None>
Tenant Name
timeout
¶integer
<None>
Timeout value for http requests
trust_id
¶unknown type
<None>
ID of the trust to use as a trustee use
user_domain_id
¶unknown type
<None>
User’s domain id
user_domain_name
¶unknown type
<None>
User’s domain name
user_id
¶unknown type
<None>
User id
username
¶unknown type
<None>
Username
Group |
Name |
---|---|
nova |
user-name |
nova |
user_name |
disable_process_locking
¶boolean
False
Enables or disables inter-process locks.
Group |
Name |
---|---|
DEFAULT |
disable_process_locking |
lock_path
¶string
<None>
Directory to use for lock files. For security, the specified directory should only be writable by the user running the processes that need locking. Defaults to environment variable OSLO_LOCK_PATH. If external locks are used, a lock path must be set.
Group |
Name |
---|---|
DEFAULT |
lock_path |
container_name
¶string
<None>
Name for the AMQP container. must be globally unique. Defaults to a generated UUID
Group |
Name |
---|---|
amqp1 |
container_name |
idle_timeout
¶integer
0
Timeout for inactive connections (in seconds)
Group |
Name |
---|---|
amqp1 |
idle_timeout |
trace
¶boolean
False
Debug: dump AMQP frames to stdout
Group |
Name |
---|---|
amqp1 |
trace |
ssl
¶boolean
False
Attempt to connect via SSL. If no other ssl-related parameters are given, it will use the system’s CA-bundle to verify the server’s certificate.
ssl_ca_file
¶string
''
CA certificate PEM file used to verify the server’s certificate
Group |
Name |
---|---|
amqp1 |
ssl_ca_file |
ssl_cert_file
¶string
''
Self-identifying certificate PEM file for client authentication
Group |
Name |
---|---|
amqp1 |
ssl_cert_file |
ssl_key_file
¶string
''
Private key PEM file used to sign ssl_cert_file certificate (optional)
Group |
Name |
---|---|
amqp1 |
ssl_key_file |
ssl_key_password
¶string
<None>
Password for decrypting ssl_key_file (if encrypted)
Group |
Name |
---|---|
amqp1 |
ssl_key_password |
ssl_verify_vhost
¶boolean
False
By default SSL checks that the name in the server’s certificate matches the hostname in the transport_url. In some configurations it may be preferable to use the virtual hostname instead, for example if the server uses the Server Name Indication TLS extension (rfc6066) to provide a certificate per virtual host. Set ssl_verify_vhost to True if the server’s SSL certificate uses the virtual host name instead of the DNS name.
sasl_mechanisms
¶string
''
Space separated list of acceptable SASL mechanisms
Group |
Name |
---|---|
amqp1 |
sasl_mechanisms |
sasl_config_dir
¶string
''
Path to directory that contains the SASL configuration
Group |
Name |
---|---|
amqp1 |
sasl_config_dir |
sasl_config_name
¶string
''
Name of configuration file (without .conf suffix)
Group |
Name |
---|---|
amqp1 |
sasl_config_name |
sasl_default_realm
¶string
''
SASL realm to use if no realm present in username
connection_retry_interval
¶integer
1
1
Seconds to pause before attempting to re-connect.
connection_retry_backoff
¶integer
2
0
Increase the connection_retry_interval by this many seconds after each unsuccessful failover attempt.
connection_retry_interval_max
¶integer
30
1
Maximum limit for connection_retry_interval + connection_retry_backoff
link_retry_delay
¶integer
10
1
Time to pause between re-connecting an AMQP 1.0 link that failed due to a recoverable error.
default_reply_retry
¶integer
0
-1
The maximum number of attempts to re-send a reply message which failed due to a recoverable error.
default_reply_timeout
¶integer
30
5
The deadline for an rpc reply message delivery.
default_send_timeout
¶integer
30
5
The deadline for an rpc cast or call message delivery. Only used when caller does not provide a timeout expiry.
default_notify_timeout
¶integer
30
5
The deadline for a sent notification message delivery. Only used when caller does not provide a timeout expiry.
default_sender_link_timeout
¶integer
600
1
The duration to schedule a purge of idle sender links. Detach link after expiry.
addressing_mode
¶string
dynamic
Indicates the addressing mode used by the driver. Permitted values: ‘legacy’ - use legacy non-routable addressing ‘routable’ - use routable addresses ‘dynamic’ - use legacy addresses if the message bus does not support routing otherwise use routable addressing
pseudo_vhost
¶boolean
True
Enable virtual host support for those message buses that do not natively support virtual hosting (such as qpidd). When set to true the virtual host name will be added to all message bus addresses, effectively creating a private ‘subnet’ per virtual host. Set to False if the message bus supports virtual hosting using the ‘hostname’ field in the AMQP 1.0 Open performative as the name of the virtual host.
server_request_prefix
¶string
exclusive
address prefix used when sending to a specific server
Group |
Name |
---|---|
amqp1 |
server_request_prefix |
broadcast_prefix
¶string
broadcast
address prefix used when broadcasting to all servers
Group |
Name |
---|---|
amqp1 |
broadcast_prefix |
group_request_prefix
¶string
unicast
address prefix when sending to any server in group
Group |
Name |
---|---|
amqp1 |
group_request_prefix |
rpc_address_prefix
¶string
openstack.org/om/rpc
Address prefix for all generated RPC addresses
notify_address_prefix
¶string
openstack.org/om/notify
Address prefix for all generated Notification addresses
multicast_address
¶string
multicast
Appended to the address prefix when sending a fanout message. Used by the message bus to identify fanout messages.
unicast_address
¶string
unicast
Appended to the address prefix when sending to a particular RPC/Notification server. Used by the message bus to identify messages sent to a single destination.
anycast_address
¶string
anycast
Appended to the address prefix when sending to a group of consumers. Used by the message bus to identify messages that should be delivered in a round-robin fashion across consumers.
default_notification_exchange
¶string
<None>
Exchange name used in notification addresses. Exchange name resolution precedence: Target.exchange if set else default_notification_exchange if set else control_exchange if set else ‘notify’
default_rpc_exchange
¶string
<None>
Exchange name used in RPC addresses. Exchange name resolution precedence: Target.exchange if set else default_rpc_exchange if set else control_exchange if set else ‘rpc’
reply_link_credit
¶integer
200
1
Window size for incoming RPC Reply messages.
rpc_server_credit
¶integer
100
1
Window size for incoming RPC Request messages
notify_server_credit
¶integer
100
1
Window size for incoming Notification messages
pre_settled
¶multi-valued
rpc-cast
rpc-reply
Send messages of this type pre-settled. Pre-settled messages will not receive acknowledgement from the peer. Note well: pre-settled messages may be silently discarded if the delivery fails. Permitted values: ‘rpc-call’ - send RPC Calls pre-settled ‘rpc-reply’- send RPC Replies pre-settled ‘rpc-cast’ - Send RPC Casts pre-settled ‘notify’ - Send Notifications pre-settled
kafka_max_fetch_bytes
¶integer
1048576
Max fetch bytes of Kafka consumer
kafka_consumer_timeout
¶floating point
1.0
Default timeout(s) for Kafka consumers
pool_size
¶integer
10
Pool Size for Kafka Consumers
Warning
This option is deprecated for removal. Its value may be silently ignored in the future.
Driver no longer uses connection pool.
conn_pool_min_size
¶integer
2
The pool size limit for connections expiration policy
Warning
This option is deprecated for removal. Its value may be silently ignored in the future.
Driver no longer uses connection pool.
conn_pool_ttl
¶integer
1200
The time-to-live in sec of idle connections in the pool
Warning
This option is deprecated for removal. Its value may be silently ignored in the future.
Driver no longer uses connection pool.
consumer_group
¶string
oslo_messaging_consumer
Group id for Kafka consumer. Consumers in one group will coordinate message consumption
producer_batch_timeout
¶floating point
0.0
Upper bound on the delay for KafkaProducer batching in seconds
producer_batch_size
¶integer
16384
Size of batch for the producer async send
compression_codec
¶string
none
none, gzip, snappy, lz4, zstd
The compression codec for all data generated by the producer. If not set, compression will not be used. Note that the allowed values of this depend on the kafka version
enable_auto_commit
¶boolean
False
Enable asynchronous consumer commits
max_poll_records
¶integer
500
The maximum number of records returned in a poll call
security_protocol
¶string
PLAINTEXT
PLAINTEXT, SASL_PLAINTEXT, SSL, SASL_SSL
Protocol used to communicate with brokers
sasl_mechanism
¶string
PLAIN
Mechanism when security protocol is SASL
ssl_cafile
¶string
''
CA certificate PEM file used to verify the server certificate
ssl_client_cert_file
¶string
''
Client certificate PEM file used for authentication.
ssl_client_key_file
¶string
''
Client key PEM file used for authentication.
ssl_client_key_password
¶string
''
Client key password file used for authentication.
driver
¶multi-valued
''
The Drivers(s) to handle sending notifications. Possible values are messaging, messagingv2, routing, log, test, noop
Group |
Name |
---|---|
DEFAULT |
notification_driver |
transport_url
¶string
<None>
A URL representing the messaging driver to use for notifications. If not set, we fall back to the same configuration used for RPC.
Group |
Name |
---|---|
DEFAULT |
notification_transport_url |
topics
¶list
['notifications']
AMQP topic used for OpenStack notifications.
Group |
Name |
---|---|
rpc_notifier2 |
topics |
DEFAULT |
notification_topics |
retry
¶integer
-1
The maximum number of attempts to re-send a notification message which failed to be delivered due to a recoverable error. 0 - No retry, -1 - indefinite
amqp_durable_queues
¶boolean
False
Use durable queues in AMQP. If rabbit_quorum_queue is enabled, queues will be durable and this value will be ignored.
amqp_auto_delete
¶boolean
False
Auto-delete queues in AMQP.
Group |
Name |
---|---|
DEFAULT |
amqp_auto_delete |
ssl
¶boolean
False
Connect over SSL.
Group |
Name |
---|---|
oslo_messaging_rabbit |
rabbit_use_ssl |
ssl_version
¶string
''
SSL version to use (valid only if SSL enabled). Valid values are TLSv1 and SSLv23. SSLv2, SSLv3, TLSv1_1, and TLSv1_2 may be available on some distributions.
Group |
Name |
---|---|
oslo_messaging_rabbit |
kombu_ssl_version |
ssl_key_file
¶string
''
SSL key file (valid only if SSL enabled).
Group |
Name |
---|---|
oslo_messaging_rabbit |
kombu_ssl_keyfile |
ssl_cert_file
¶string
''
SSL cert file (valid only if SSL enabled).
Group |
Name |
---|---|
oslo_messaging_rabbit |
kombu_ssl_certfile |
ssl_ca_file
¶string
''
SSL certification authority file (valid only if SSL enabled).
Group |
Name |
---|---|
oslo_messaging_rabbit |
kombu_ssl_ca_certs |
ssl_enforce_fips_mode
¶boolean
False
Global toggle for enforcing the OpenSSL FIPS mode. This feature requires Python support. This is available in Python 3.9 in all environments and may have been backported to older Python versions on select environments. If the Python executable used does not support OpenSSL FIPS mode, an exception will be raised.
heartbeat_in_pthread
¶boolean
False
Run the health check heartbeat thread through a native python thread by default. If this option is equal to False then the health check heartbeat will inherit the execution model from the parent process. For example if the parent process has monkey patched the stdlib by using eventlet/greenlet then the heartbeat will be run through a green thread. This option should be set to True only for the wsgi services.
kombu_reconnect_delay
¶floating point
1.0
0.0
4.5
How long to wait (in seconds) before reconnecting in response to an AMQP consumer cancel notification.
Group |
Name |
---|---|
DEFAULT |
kombu_reconnect_delay |
kombu_compression
¶string
<None>
EXPERIMENTAL: Possible values are: gzip, bz2. If not set compression will not be used. This option may not be available in future versions.
kombu_missing_consumer_retry_timeout
¶integer
60
How long to wait a missing client before abandoning to send it its replies. This value should not be longer than rpc_response_timeout.
Group |
Name |
---|---|
oslo_messaging_rabbit |
kombu_reconnect_timeout |
kombu_failover_strategy
¶string
round-robin
round-robin, shuffle
Determines how the next RabbitMQ node is chosen in case the one we are currently connected to becomes unavailable. Takes effect only if more than one RabbitMQ node is provided in config.
rabbit_login_method
¶string
AMQPLAIN
PLAIN, AMQPLAIN, EXTERNAL, RABBIT-CR-DEMO
The RabbitMQ login method.
Group |
Name |
---|---|
DEFAULT |
rabbit_login_method |
rabbit_retry_interval
¶integer
1
How frequently to retry connecting with RabbitMQ.
rabbit_retry_backoff
¶integer
2
How long to backoff for between retries when connecting to RabbitMQ.
Group |
Name |
---|---|
DEFAULT |
rabbit_retry_backoff |
rabbit_interval_max
¶integer
30
Maximum interval of RabbitMQ connection retries. Default is 30 seconds.
rabbit_ha_queues
¶boolean
False
Try to use HA queues in RabbitMQ (x-ha-policy: all). If you change this option, you must wipe the RabbitMQ database. In RabbitMQ 3.0, queue mirroring is no longer controlled by the x-ha-policy argument when declaring a queue. If you just want to make sure that all queues (except those with auto-generated names) are mirrored across all nodes, run: “rabbitmqctl set_policy HA ‘^(?!amq.).*’ ‘{“ha-mode”: “all”}’ “
Group |
Name |
---|---|
DEFAULT |
rabbit_ha_queues |
rabbit_quorum_queue
¶boolean
False
Use quorum queues in RabbitMQ (x-queue-type: quorum). The quorum queue is a modern queue type for RabbitMQ implementing a durable, replicated FIFO queue based on the Raft consensus algorithm. It is available as of RabbitMQ 3.8.0. If set this option will conflict with the HA queues (rabbit_ha_queues
) aka mirrored queues, in other words the HA queues should be disabled, quorum queues durable by default so the amqp_durable_queues opion is ignored when this option enabled.
rabbit_quorum_delivery_limit
¶integer
0
Each time a message is redelivered to a consumer, a counter is incremented. Once the redelivery count exceeds the delivery limit the message gets dropped or dead-lettered (if a DLX exchange has been configured) Used only when rabbit_quorum_queue is enabled, Default 0 which means dont set a limit.
rabbit_quroum_max_memory_length
¶integer
0
By default all messages are maintained in memory if a quorum queue grows in length it can put memory pressure on a cluster. This option can limit the number of messages in the quorum queue. Used only when rabbit_quorum_queue is enabled, Default 0 which means dont set a limit.
rabbit_quroum_max_memory_bytes
¶integer
0
By default all messages are maintained in memory if a quorum queue grows in length it can put memory pressure on a cluster. This option can limit the number of memory bytes used by the quorum queue. Used only when rabbit_quorum_queue is enabled, Default 0 which means dont set a limit.
rabbit_transient_queues_ttl
¶integer
1800
1
Positive integer representing duration in seconds for queue TTL (x-expires). Queues which are unused for the duration of the TTL are automatically deleted. The parameter affects only reply and fanout queues.
rabbit_qos_prefetch_count
¶integer
0
Specifies the number of messages to prefetch. Setting to zero allows unlimited messages.
heartbeat_timeout_threshold
¶integer
60
Number of seconds after which the Rabbit broker is considered down if heartbeat’s keep-alive fails (0 disables heartbeat).
heartbeat_rate
¶integer
2
How often times during the heartbeat_timeout_threshold we check the heartbeat.
direct_mandatory_flag
¶boolean
True
(DEPRECATED) Enable/Disable the RabbitMQ mandatory flag for direct send. The direct send is used as reply, so the MessageUndeliverable exception is raised in case the client queue does not exist.MessageUndeliverable exception will be used to loop for a timeout to lets a chance to sender to recover.This flag is deprecated and it will not be possible to deactivate this functionality anymore
Warning
This option is deprecated for removal. Its value may be silently ignored in the future.
Mandatory flag no longer deactivable.
enable_cancel_on_failover
¶boolean
False
Enable x-cancel-on-ha-failover flag so that rabbitmq server will cancel and notify consumerswhen queue is down
enable_proxy_headers_parsing
¶boolean
False
Whether the application is behind a proxy or not. This determines if the middleware should parse the headers or not.
enforce_scope
¶boolean
False
This option controls whether or not to enforce scope when evaluating policies. If True
, the scope of the token used in the request is compared to the scope_types
of the policy being enforced. If the scopes do not match, an InvalidScope
exception will be raised. If False
, a message will be logged informing operators that policies are being invoked with mismatching scope.
enforce_new_defaults
¶boolean
False
This option controls whether or not to use old deprecated defaults when evaluating policies. If True
, the old deprecated defaults are not going to be evaluated. This means if any existing token is allowed for old defaults but is disallowed for new defaults, it will be disallowed. It is encouraged to enable this flag along with the enforce_scope
flag so that you can get the benefits of new defaults and scope_type
together. If False
, the deprecated policy check string is logically OR’d with the new policy check string, allowing for a graceful upgrade experience between releases with new policies, which is the default behavior.
policy_file
¶string
policy.yaml
The relative or absolute path of a file that maps roles to permissions for a given service. Relative paths must be specified in relation to the configuration file setting this option.
Group |
Name |
---|---|
DEFAULT |
policy_file |
policy_default_rule
¶string
default
Default rule. Enforced when a requested rule is not found.
Group |
Name |
---|---|
DEFAULT |
policy_default_rule |
policy_dirs
¶multi-valued
policy.d
Directories where policy configuration files are stored. They can be relative to any directory in the search path defined by the config_dir option, or absolute paths. The file defined by policy_file must exist for these directories to be searched. Missing or empty directories are ignored.
Group |
Name |
---|---|
DEFAULT |
policy_dirs |
remote_content_type
¶string
application/x-www-form-urlencoded
application/x-www-form-urlencoded, application/json
Content Type to send and receive data for REST based policy check
remote_ssl_verify_server_crt
¶boolean
False
server identity verification for REST based policy check
remote_ssl_ca_crt_file
¶string
<None>
Absolute path to ca cert file for REST based policy check
remote_ssl_client_crt_file
¶string
<None>
Absolute path to client cert for REST based policy check
remote_ssl_client_key_file
¶string
<None>
Absolute path client key file REST based policy check
log_dir
¶string
<None>
Path to a log directory where to create a file
file_event_handler
¶string
<None>
The path to a file to watch for changes to trigger the reports, instead of signals. Setting this option disables the signal trigger for the reports. If application is running as a WSGI application it is recommended to use this instead of signals.
file_event_handler_interval
¶integer
1
How many seconds to wait between polls when file_event_handler is set
region_name
¶string
<None>
Name of placement region to use. Useful if keystone manages more than one region.
endpoint_type
¶string
public
public, admin, internal
Type of the placement endpoint to use. This endpoint will be looked up in the keystone catalog and should be one of public, internal or admin.
auth_url
¶unknown type
<None>
Authentication URL
auth_type
¶unknown type
<None>
Authentication type to load
Group |
Name |
---|---|
placement |
auth_plugin |
cafile
¶string
<None>
PEM encoded Certificate Authority to use when verifying HTTPs connections.
certfile
¶string
<None>
PEM encoded client certificate cert file
collect_timing
¶boolean
False
Collect per-API call timing information.
default_domain_id
¶unknown type
<None>
Optional domain ID to use with v3 and v2 parameters. It will be used for both the user and project domain in v3 and ignored in v2 authentication.
default_domain_name
¶unknown type
<None>
Optional domain name to use with v3 API and v2 parameters. It will be used for both the user and project domain in v3 and ignored in v2 authentication.
domain_id
¶unknown type
<None>
Domain ID to scope to
domain_name
¶unknown type
<None>
Domain name to scope to
insecure
¶boolean
False
Verify HTTPS connections.
keyfile
¶string
<None>
PEM encoded client certificate key file
password
¶unknown type
<None>
User’s password
project_domain_id
¶unknown type
<None>
Domain ID containing project
project_domain_name
¶unknown type
<None>
Domain name containing project
project_id
¶unknown type
<None>
Project ID to scope to
Group |
Name |
---|---|
placement |
tenant-id |
placement |
tenant_id |
project_name
¶unknown type
<None>
Project name to scope to
Group |
Name |
---|---|
placement |
tenant-name |
placement |
tenant_name |
split_loggers
¶boolean
False
Log requests to multiple loggers.
system_scope
¶unknown type
<None>
Scope for system operations
tenant_id
¶unknown type
<None>
Tenant ID
tenant_name
¶unknown type
<None>
Tenant Name
timeout
¶integer
<None>
Timeout value for http requests
trust_id
¶unknown type
<None>
ID of the trust to use as a trustee use
user_domain_id
¶unknown type
<None>
User’s domain id
user_domain_name
¶unknown type
<None>
User’s domain name
user_id
¶unknown type
<None>
User id
username
¶unknown type
<None>
Username
Group |
Name |
---|---|
placement |
user-name |
placement |
user_name |
Configuration options for the oslo.privsep daemon. Note that this group name can be changed by the consuming service. Check the service’s docs to see if this is the case.
user
¶string
<None>
User that the privsep daemon should run as.
group
¶string
<None>
Group that the privsep daemon should run as.
capabilities
¶unknown type
[]
List of Linux capabilities retained by the privsep daemon.
thread_pool_size
¶integer
multiprocessing.cpu_count()
1
This option has a sample default set, which means that its actual default value may vary from the one documented above.
The number of threads available for privsep to concurrently run processes. Defaults to the number of CPU cores in the system.
helper_command
¶string
<None>
Command to invoke to start the privsep daemon if not using the “fork” method. If not specified, a default is generated using “sudo privsep-helper” and arguments designed to recreate the current configuration. This command must accept suitable –privsep_context and –privsep_sock_path arguments.
logger_name
¶string
oslo_privsep.daemon
Logger name to use for this privsep context. By default all contexts log with oslo_privsep.daemon.
enabled
¶boolean
False
Enable the profiling for all services on this node.
Default value is False (fully disable the profiling feature).
Possible values:
True: Enables the feature
False: Disables the feature. The profiling cannot be started via this project operations. If the profiling is triggered by another project, this project part will be empty.
Group |
Name |
---|---|
profiler |
profiler_enabled |
trace_sqlalchemy
¶boolean
False
Enable SQL requests profiling in services.
Default value is False (SQL requests won’t be traced).
Possible values:
True: Enables SQL requests profiling. Each SQL query will be part of the trace and can the be analyzed by how much time was spent for that.
False: Disables SQL requests profiling. The spent time is only shown on a higher level of operations. Single SQL queries cannot be analyzed this way.
hmac_keys
¶string
SECRET_KEY
Secret key(s) to use for encrypting context data for performance profiling.
This string value should have the following format: <key1>[,<key2>,…<keyn>], where each key is some random string. A user who triggers the profiling via the REST API has to set one of these keys in the headers of the REST API call to include profiling results of this node for this particular project.
Both “enabled” flag and “hmac_keys” config options should be set to enable profiling. Also, to generate correct profiling information across all services at least one key needs to be consistent between OpenStack projects. This ensures it can be used from client side to generate the trace, containing information from all possible resources.
connection_string
¶string
messaging://
Connection string for a notifier backend.
Default value is messaging://
which sets the notifier to oslo_messaging.
Examples of possible values:
messaging://
- use oslo_messaging driver for sending spans.
redis://127.0.0.1:6379
- use redis driver for sending spans.
mongodb://127.0.0.1:27017
- use mongodb driver for sending spans.
elasticsearch://127.0.0.1:9200
- use elasticsearch driver for sending
spans.
jaeger://127.0.0.1:6831
- use jaeger tracing as driver for sending spans.
es_doc_type
¶string
notification
Document type for notification indexing in elasticsearch.
es_scroll_time
¶string
2m
This parameter is a time value parameter (for example: es_scroll_time=2m), indicating for how long the nodes that participate in the search will maintain relevant resources in order to continue and support it.
es_scroll_size
¶integer
10000
Elasticsearch splits large requests in batches. This parameter defines maximum size of each batch (for example: es_scroll_size=10000).
socket_timeout
¶floating point
0.1
Redissentinel provides a timeout option on the connections. This parameter defines that timeout (for example: socket_timeout=0.1).
sentinel_service_name
¶string
mymaster
Redissentinel uses a service name to identify a master redis service.
This parameter defines the name (for example:
sentinal_service_name=mymaster
).
filter_error_trace
¶boolean
False
Enable filter traces that contain error/exception to a separated place.
Default value is set to False.
Possible values:
True: Enable filter traces that contain error/exception.
False: Disable the filter.
default_quota
¶integer
-1
Default number of resource allowed per tenant. A negative value means unlimited.
quota_network
¶integer
100
Number of networks allowed per tenant. A negative value means unlimited.
quota_subnet
¶integer
100
Number of subnets allowed per tenant, A negative value means unlimited.
quota_port
¶integer
500
Number of ports allowed per tenant. A negative value means unlimited.
quota_driver
¶string
neutron.db.quota.driver_nolock.DbQuotaNoLockDriver
Default driver to use for quota checks.
track_quota_usage
¶boolean
True
Keep in track in the database of current resource quota usage. Plugins which do not leverage the neutron database should set this flag to False.
quota_router
¶integer
10
Number of routers allowed per tenant. A negative value means unlimited.
quota_floatingip
¶integer
50
Number of floating IPs allowed per tenant. A negative value means unlimited.
quota_security_group
¶integer
10
Number of security groups allowed per tenant. A negative value means unlimited.
quota_security_group_rule
¶integer
100
Number of security rules allowed per tenant. A negative value means unlimited.
ca_file
¶string
<None>
CA certificate file to use to verify connecting clients.
Group |
Name |
---|---|
DEFAULT |
ssl_ca_file |
cert_file
¶string
<None>
Certificate file to use when starting the server securely.
Group |
Name |
---|---|
DEFAULT |
ssl_cert_file |
key_file
¶string
<None>
Private key file to use when starting the server securely.
Group |
Name |
---|---|
DEFAULT |
ssl_key_file |
version
¶string
<None>
SSL version to use (valid only if SSL enabled). Valid values are TLSv1 and SSLv23. SSLv2, SSLv3, TLSv1_1, and TLSv1_2 may be available on some distributions.
ciphers
¶string
<None>
Sets the list of available ciphers. value should be a string in the OpenSSL cipher list format.
Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License. See all OpenStack Legal Documents.