Configuration Reference

Red Hat OpenStack Platform 15

Configuring Red Hat OpenStack Platform environments

OpenStack Documentation Team

Abstract

This document is for system administrators who want to look up configuration options. It lists the configuration options available with OpenStack; the options and their descriptions are generated automatically from the code of each project.

Preface

This document describes the options available in the configuration files for each of the major services in Red Hat OpenStack Platform. The content is automatically generated based on the values in the configuration files themselves, and is provided for reference purposes only.

Warning

Manually editing configuration files is not supported. All configuration changes must be made through the Director. Red Hat provides this guide as a technical reference only.

Chapter 1. barbican

The following chapter contains information about the configuration options in the barbican service.

1.1. barbican.conf

This section contains options for the /etc/barbican/barbican.conf file.

1.1.1. DEFAULT

The following table outlines the options available under the [DEFAULT] group in the /etc/barbican/barbican.conf file.

Table 1.1. DEFAULT

Configuration option = Default value | Type | Description

admin_role = admin

string value

Role used to identify an authenticated user as administrator.

allow_anonymous_access = False

boolean value

Allow unauthenticated users to access the API with read-only privileges. This only applies when using ContextMiddleware.

api_paste_config = api-paste.ini

string value

File name for the paste.deploy config for api service

backdoor_port = None

string value

Enable eventlet backdoor. Acceptable values are 0, <port>, and <start>:<end>, where 0 results in listening on a random tcp port number; <port> results in listening on the specified port number (and not enabling backdoor if that port is in use); and <start>:<end> results in listening on the smallest unused port number within the specified range of port numbers. The chosen port is displayed in the service’s log file.

backdoor_socket = None

string value

Enable eventlet backdoor, using the provided path as a unix socket that can receive connections. This option is mutually exclusive with backdoor_port in that only one should be provided. If both are provided then the existence of this option overrides the usage of that option.

client_socket_timeout = 900

integer value

Timeout for client connections' socket operations. If an incoming connection is idle for this number of seconds it will be closed. A value of 0 means wait forever.

conn_pool_min_size = 2

integer value

The pool size limit for connections expiration policy

conn_pool_ttl = 1200

integer value

The time-to-live in sec of idle connections in the pool

control_exchange = openstack

string value

The default exchange under which topics are scoped. May be overridden by an exchange name specified in the transport_url option.

db_auto_create = True

boolean value

Create the Barbican database on service startup.

debug = False

boolean value

If set to true, the logging level will be set to DEBUG instead of the default INFO level.

default_limit_paging = 10

integer value

Default page size for the limit paging URL parameter.

default_log_levels = ['amqp=WARN', 'amqplib=WARN', 'boto=WARN', 'qpid=WARN', 'sqlalchemy=WARN', 'suds=INFO', 'oslo.messaging=INFO', 'oslo_messaging=INFO', 'iso8601=WARN', 'requests.packages.urllib3.connectionpool=WARN', 'urllib3.connectionpool=WARN', 'websocket=WARN', 'requests.packages.urllib3.util.retry=WARN', 'urllib3.util.retry=WARN', 'keystonemiddleware=WARN', 'routes.middleware=WARN', 'stevedore=WARN', 'taskflow=WARN', 'keystoneauth=WARN', 'oslo.cache=INFO', 'oslo_policy=INFO', 'dogpile.core.dogpile=INFO']

list value

List of package logging levels in logger=LEVEL pairs. This option is ignored if log_config_append is set.

executor_thread_pool_size = 64

integer value

Size of executor thread pool when executor is threading or eventlet.

fatal_deprecations = False

boolean value

Enables or disables fatal status of deprecations.

host_href = http://localhost:9311

string value

Host name, for use in HATEOAS-style references. Note: Typically this would be the load-balanced endpoint that clients would use to communicate back with this service. If a deployment wants to derive the host from the WSGI request instead, make this blank. Blank is needed to override the default config value, which is http://localhost:9311.

`instance_format = [instance: %(uuid)s] `

string value

The format for an instance that is passed with the log message.

`instance_uuid_format = [instance: %(uuid)s] `

string value

The format for an instance UUID that is passed with the log message.

log-config-append = None

string value

The name of a logging configuration file. This file is appended to any existing logging configuration files. For details about logging configuration files, see the Python logging module documentation. Note that when logging configuration files are used then all logging configuration is set in the configuration file and other logging configuration options are ignored (for example, log-date-format).

log-date-format = %Y-%m-%d %H:%M:%S

string value

Defines the format string for %(asctime)s in log records. Default: %Y-%m-%d %H:%M:%S. This option is ignored if log_config_append is set.

log-dir = None

string value

(Optional) The base directory used for relative log_file paths. This option is ignored if log_config_append is set.

log-file = None

string value

(Optional) Name of log file to send logging output to. If no default is set, logging will go to stderr as defined by use_stderr. This option is ignored if log_config_append is set.

log_rotate_interval = 1

integer value

The amount of time before the log files are rotated. This option is ignored unless log_rotation_type is set to "interval".

log_rotate_interval_type = days

string value

Rotation interval type. The time of the last file change (or the time when the service was started) is used when scheduling the next rotation.

log_rotation_type = none

string value

Log rotation type.

logging_context_format_string = %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [%(request_id)s %(user_identity)s] %(instance)s%(message)s

string value

Format string to use for log messages with context. Used by oslo_log.formatters.ContextFormatter

logging_debug_format_suffix = %(funcName)s %(pathname)s:%(lineno)d

string value

Additional data to append to log message when logging level for the message is DEBUG. Used by oslo_log.formatters.ContextFormatter

logging_default_format_string = %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [-] %(instance)s%(message)s

string value

Format string to use for log messages when context is undefined. Used by oslo_log.formatters.ContextFormatter

logging_exception_prefix = %(asctime)s.%(msecs)03d %(process)d ERROR %(name)s %(instance)s

string value

Prefix each line of exception output with this format. Used by oslo_log.formatters.ContextFormatter

logging_user_identity_format = %(user)s %(tenant)s %(domain)s %(user_domain)s %(project_domain)s

string value

Defines the format string for %(user_identity)s that is used in logging_context_format_string. Used by oslo_log.formatters.ContextFormatter

max_allowed_request_size_in_bytes = 15000

integer value

Maximum allowed http request size against the barbican-api.

max_allowed_secret_in_bytes = 10000

integer value

Maximum allowed secret size in bytes.

max_header_line = 16384

integer value

Maximum line size of message headers to be accepted. max_header_line may need to be increased when using large tokens (typically those generated when keystone is configured to use PKI tokens with big service catalogs).

max_limit_paging = 100

integer value

Maximum page size for the limit paging URL parameter.

max_logfile_count = 30

integer value

Maximum number of rotated log files.

max_logfile_size_mb = 200

integer value

Log file maximum size in MB. This option is ignored if "log_rotation_type" is not set to "size".

publish_errors = False

boolean value

Enables or disables publication of error events.

rate_limit_burst = 0

integer value

Maximum number of logged messages per rate_limit_interval.

rate_limit_except_level = CRITICAL

string value

Log level name used by rate limiting: CRITICAL, ERROR, INFO, WARNING, DEBUG or empty string. Logs with level greater or equal to rate_limit_except_level are not filtered. An empty string means that all levels are filtered.

rate_limit_interval = 0

integer value

Interval, number of seconds, of log rate limiting.

rpc_conn_pool_size = 30

integer value

Size of RPC connection pool.

rpc_response_timeout = 60

integer value

Seconds to wait for a response from a call.

run_external_periodic_tasks = True

boolean value

Some periodic tasks can be run in a separate process. Should we run them here?

sql_connection = sqlite:///barbican.sqlite

string value

SQLAlchemy connection string for the reference implementation registry server. Any valid SQLAlchemy connection string is fine. See: http://www.sqlalchemy.org/docs/05/reference/sqlalchemy/connections.html#sqlalchemy.create_engine. Note: For absolute addresses, use //// slashes after sqlite:.

sql_idle_timeout = 3600

integer value

Period in seconds after which SQLAlchemy should reestablish its connection to the database. MySQL uses a default wait_timeout of 8 hours, after which it will drop idle connections. This can result in MySQL Gone Away exceptions. If you notice this, you can lower this value to ensure that SQLAlchemy reconnects before MySQL can drop the connection.

sql_max_retries = 60

integer value

Maximum number of database connection retries during startup. Set to -1 to specify an infinite retry count.

sql_pool_class = QueuePool

string value

Accepts a class imported from the sqlalchemy.pool module, and handles the details of building the pool for you. If commented out, SQLAlchemy will select based on the database dialect. Other options are QueuePool (for SQLAlchemy-managed connections) and NullPool (to disable SQLAlchemy management of connections). See http://docs.sqlalchemy.org/en/latest/core/pooling.html for more details.

sql_pool_logging = False

boolean value

Show SQLAlchemy pool-related debugging output in logs (sets DEBUG log level output) if specified.

sql_pool_max_overflow = 10

integer value

The maximum overflow size of the pool used by SQLAlchemy. When the number of checked-out connections reaches the size set in sql_pool_size, additional connections will be returned up to this limit. It follows then that the total number of simultaneous connections the pool will allow is sql_pool_size + sql_pool_max_overflow. Can be set to -1 to indicate no overflow limit, so no limit will be placed on the total number of concurrent connections. Comment out to allow SQLAlchemy to select the default.

sql_pool_size = 5

integer value

Size of pool used by SQLAlchemy. This is the largest number of connections that will be kept persistently in the pool. Can be set to 0 to indicate no size limit. To disable pooling, use a NullPool with sql_pool_class instead. Comment out to allow SQLAlchemy to select the default.

sql_retry_interval = 1

integer value

Interval between retries of opening a SQL connection.

syslog-log-facility = LOG_USER

string value

Syslog facility to receive log lines. This option is ignored if log_config_append is set.

tcp_keepidle = 600

integer value

Sets the value of TCP_KEEPIDLE in seconds for each server socket. Not supported on OS X.

transport_url = rabbit://

string value

The network address and optional user credentials for connecting to the messaging backend, in URL format. The expected format is:

driver://[user:pass@]host:port[,[userN:passN@]hostN:portN]/virtual_host?query

Example: rabbit://rabbitmq:password@127.0.0.1:5672//

For full details on the fields in the URL see the documentation of oslo_messaging.TransportURL at https://docs.openstack.org/oslo.messaging/latest/reference/transport.html

use-journal = False

boolean value

Enable journald for logging. If running in a systemd environment you may wish to enable journal support. Doing so will use the journal native protocol which includes structured metadata in addition to log messages. This option is ignored if log_config_append is set.

use-json = False

boolean value

Use JSON formatting for logging. This option is ignored if log_config_append is set.

use-syslog = False

boolean value

Use syslog for logging. Existing syslog format is DEPRECATED and will be changed later to honor RFC5424. This option is ignored if log_config_append is set.

use_eventlog = False

boolean value

Log output to Windows Event Log.

use_stderr = False

boolean value

Log output to standard error. This option is ignored if log_config_append is set.

watch-log-file = False

boolean value

Uses logging handler designed to watch file system. When log file is moved or removed this handler will open a new log file with specified path instantaneously. It makes sense only if log_file option is specified and Linux platform is used. This option is ignored if log_config_append is set.

wsgi_default_pool_size = 100

integer value

Size of the pool of greenthreads used by wsgi

wsgi_keep_alive = True

boolean value

If False, closes the client socket connection explicitly.

wsgi_log_format = %(client_ip)s "%(request_line)s" status: %(status_code)s len: %(body_length)s time: %(wall_seconds).7f

string value

A Python format string that is used as the template to generate log lines. The following values can be formatted into it: client_ip, date_time, request_line, status_code, body_length, wall_seconds.

1.1.2. certificate

The following table outlines the options available under the [certificate] group in the /etc/barbican/barbican.conf file.

Table 1.2. certificate

Configuration option = Default value | Type | Description

enabled_certificate_plugins = ['simple_certificate']

multi valued

List of certificate plugins to load.

namespace = barbican.certificate.plugin

string value

Extension namespace to search for plugins.

1.1.3. certificate_event

The following table outlines the options available under the [certificate_event] group in the /etc/barbican/barbican.conf file.

Table 1.3. certificate_event

Configuration option = Default value | Type | Description

enabled_certificate_event_plugins = ['simple_certificate_event']

multi valued

List of certificate plugins to load.

namespace = barbican.certificate.event.plugin

string value

Extension namespace to search for eventing plugins.

1.1.4. cors

The following table outlines the options available under the [cors] group in the /etc/barbican/barbican.conf file.

Table 1.4. cors

Configuration option = Default value | Type | Description

allow_credentials = True

boolean value

Indicate that the actual request can include user credentials

allow_headers = ['X-Auth-Token', 'X-Openstack-Request-Id', 'X-Project-Id', 'X-Identity-Status', 'X-User-Id', 'X-Storage-Token', 'X-Domain-Id', 'X-User-Domain-Id', 'X-Project-Domain-Id', 'X-Roles']

list value

Indicate which header field names may be used during the actual request.

allow_methods = ['GET', 'PUT', 'POST', 'DELETE', 'PATCH']

list value

Indicate which methods can be used during the actual request.

allowed_origin = None

list value

Indicate whether this resource may be shared with the domain received in the requests "origin" header. Format: "<protocol>://<host>[:<port>]", no trailing slash. Example: https://horizon.example.com

expose_headers = ['X-Auth-Token', 'X-Openstack-Request-Id', 'X-Project-Id', 'X-Identity-Status', 'X-User-Id', 'X-Storage-Token', 'X-Domain-Id', 'X-User-Domain-Id', 'X-Project-Domain-Id', 'X-Roles']

list value

Indicate which headers are safe to expose to the API. Defaults to HTTP Simple Headers.

max_age = 3600

integer value

Maximum cache age of CORS preflight requests.

1.1.5. crypto

The following table outlines the options available under the [crypto] group in the /etc/barbican/barbican.conf file.

Table 1.5. crypto

Configuration option = Default value | Type | Description

enabled_crypto_plugins = ['simple_crypto']

multi valued

List of crypto plugins to load.

namespace = barbican.crypto.plugin

string value

Extension namespace to search for plugins.

1.1.6. dogtag_plugin

The following table outlines the options available under the [dogtag_plugin] group in the /etc/barbican/barbican.conf file.

Table 1.6. dogtag_plugin

Configuration option = Default value | Type | Description

auto_approved_profiles = caServerCert

string value

List of automatically approved enrollment profiles

ca_expiration_time = 1

string value

Time in days for CA entries to expire

dogtag_host = localhost

string value

Hostname for the Dogtag instance

dogtag_port = 8443

port value

Port for the Dogtag instance

nss_db_path = /etc/barbican/alias

string value

Path to the NSS certificate database

nss_password = None

string value

Password for the NSS certificate databases

pem_path = /etc/barbican/kra_admin_cert.pem

string value

Path to PEM file for authentication

plugin_name = Dogtag KRA

string value

User friendly plugin name

plugin_working_dir = /etc/barbican/dogtag

string value

Working directory for Dogtag plugin

retries = 3

integer value

Retries when storing or generating secrets

simple_cmc_profile = caOtherCert

string value

Profile for simple CMC requests

1.1.7. keystone_authtoken

The following table outlines the options available under the [keystone_authtoken] group in the /etc/barbican/barbican.conf file.

Table 1.7. keystone_authtoken

Configuration option = Default value | Type | Description

auth_section = None

string value

Config Section from which to load plugin specific options

auth_type = None

string value

Authentication type to load

auth_uri = None

string value

Complete "public" Identity API endpoint. This endpoint should not be an "admin" endpoint, as it should be accessible by all end users. Unauthenticated clients are redirected to this endpoint to authenticate. Although this endpoint should ideally be unversioned, client support in the wild varies. If you’re using a versioned v2 endpoint here, then this should not be the same endpoint the service user utilizes for validating tokens, because normal end users may not be able to reach that endpoint. This option is deprecated in favor of www_authenticate_uri and will be removed in the S release.

auth_version = None

string value

API version of the admin Identity API endpoint.

cache = None

string value

Request environment key where the Swift cache object is stored. When auth_token middleware is deployed with a Swift cache, use this option to have the middleware share a caching backend with swift. Otherwise, use the memcached_servers option instead.

cafile = None

string value

A PEM-encoded Certificate Authority to use when verifying HTTPS connections. Defaults to system CAs.

certfile = None

string value

Required if identity server requires client certificate

delay_auth_decision = False

boolean value

Do not handle authorization requests within the middleware, but delegate the authorization decision to downstream WSGI components.

enforce_token_bind = permissive

string value

Used to control the use and type of token binding. Can be set to: "disabled" to not check token binding. "permissive" (default) to validate binding information if the bind type is of a form known to the server and ignore it if not. "strict" like "permissive" but if the bind type is unknown the token will be rejected. "required" any form of token binding is needed to be allowed. Finally the name of a binding method that must be present in tokens.

hash_algorithms = ['md5']

list value

Hash algorithms to use for hashing PKI tokens. This may be a single algorithm or multiple. The algorithms are those supported by Python standard hashlib.new(). The hashes will be tried in the order given, so put the preferred one first for performance. The result of the first hash will be stored in the cache. This will typically be set to multiple values only while migrating from a less secure algorithm to a more secure one. Once all the old tokens are expired this option should be set to a single value for better performance.

http_connect_timeout = None

integer value

Request timeout value for communicating with Identity API server.

http_request_max_retries = 3

integer value

How many times are we trying to reconnect when communicating with Identity API Server.

include_service_catalog = True

boolean value

(Optional) Indicate whether to set the X-Service-Catalog header. If False, middleware will not ask for service catalog on token validation and will not set the X-Service-Catalog header.

insecure = False

boolean value

Verify HTTPS connections. The default, False, leaves verification on; setting this option to True turns it off.

keyfile = None

string value

Required if identity server requires client certificate

memcache_pool_conn_get_timeout = 10

integer value

(Optional) Number of seconds that an operation will wait to get a memcached client connection from the pool.

memcache_pool_dead_retry = 300

integer value

(Optional) Number of seconds memcached server is considered dead before it is tried again.

memcache_pool_maxsize = 10

integer value

(Optional) Maximum total number of open connections to every memcached server.

memcache_pool_socket_timeout = 3

integer value

(Optional) Socket timeout in seconds for communicating with a memcached server.

memcache_pool_unused_timeout = 60

integer value

(Optional) Number of seconds a connection to memcached is held unused in the pool before it is closed.

memcache_secret_key = None

string value

(Optional, mandatory if memcache_security_strategy is defined) This string is used for key derivation.

memcache_security_strategy = None

string value

(Optional) If defined, indicate whether token data should be authenticated or authenticated and encrypted. If MAC, token data is authenticated (with HMAC) in the cache. If ENCRYPT, token data is encrypted and authenticated in the cache. If the value is not one of these options or empty, auth_token will raise an exception on initialization.

memcache_use_advanced_pool = False

boolean value

(Optional) Use the advanced (eventlet safe) memcached client pool. The advanced pool will only work under python 2.x.

memcached_servers = None

list value

Optionally specify a list of memcached server(s) to use for caching. If left undefined, tokens will instead be cached in-process.

region_name = None

string value

The region in which the identity server can be found.

service_token_roles = ['service']

list value

A choice of roles that must be present in a service token. Service tokens are allowed to request that an expired token can be used and so this check should tightly control that only actual services should be sending this token. Roles here are applied as an ANY check so any role in this list must be present. For backwards compatibility reasons this currently only affects the allow_expired check.

service_token_roles_required = False

boolean value

For backwards compatibility reasons we must let valid service tokens pass that don’t pass the service_token_roles check as valid. Setting this true will become the default in a future release and should be enabled if possible.

signing_dir = None

string value

Directory used to cache files related to PKI tokens. This option has been deprecated in the Ocata release and will be removed in the P release.

token_cache_time = 300

integer value

In order to prevent excessive effort spent validating tokens, the middleware caches previously-seen tokens for a configurable duration (in seconds). Set to -1 to disable caching completely.

www_authenticate_uri = None

string value

Complete "public" Identity API endpoint. This endpoint should not be an "admin" endpoint, as it should be accessible by all end users. Unauthenticated clients are redirected to this endpoint to authenticate. Although this endpoint should ideally be unversioned, client support in the wild varies. If you’re using a versioned v2 endpoint here, then this should not be the same endpoint the service user utilizes for validating tokens, because normal end users may not be able to reach that endpoint.
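
A read-only check for some of the options documented in the DEFAULT and keystone_authtoken tables above, as an added example that is not part of this guide or of the barbican code base. Both sample files are constructed, and the choice of which settings to flag is this example's own; defaults are taken from the tables.

```python
import configparser

# Defaults as listed in Table 1.1 and Table 1.7 on this page.
DEFAULTS = {
    ("DEFAULT", "allow_anonymous_access"): "False",
    ("DEFAULT", "debug"): "False",
    ("keystone_authtoken", "insecure"): "False",
    ("keystone_authtoken", "service_token_roles_required"): "False",
}
TRUE_WORDS = {"true", "1", "yes", "on"}

# Constructed sample: several settings a reviewer would want to look at.
SAMPLE_WEAK = """
[DEFAULT]
debug = true
backdoor_port = 4444
logging_context_format_string = %(asctime)s %(message)s

[keystone_authtoken]
insecure = True
memcached_servers = 192.0.2.10:11211
memcache_security_strategy = ENCRYPT
"""

# Constructed sample: same deployment with those settings corrected.
SAMPLE_HARDENED = """
[DEFAULT]

[keystone_authtoken]
service_token_roles_required = True
memcached_servers = 192.0.2.10:11211
memcache_security_strategy = ENCRYPT
memcache_secret_key = constructed-placeholder
"""


def load(text):
    # RawConfigParser: no %(...)s interpolation, so log format strings parse.
    # default_section is renamed so [DEFAULT] is an ordinary group and its
    # values do not leak into [keystone_authtoken] lookups.
    cfg = configparser.RawConfigParser(strict=False, default_section="__unused__")
    cfg.read_string(text)
    return cfg


def value(cfg, section, option):
    """Effective value: the file's setting, else the documented default."""
    if cfg.has_option(section, option):
        raw = cfg.get(section, option).strip()
        if raw:
            return raw
    return DEFAULTS.get((section, option))


def is_true(raw):
    return raw is not None and raw.lower() in TRUE_WORDS


def audit(text):
    """Return a list of (section, option, message) findings."""
    cfg = load(text)
    ka = "keystone_authtoken"
    findings = []

    for opt in ("backdoor_port", "backdoor_socket"):
        if value(cfg, "DEFAULT", opt) is not None:
            findings.append(("DEFAULT", opt, "eventlet backdoor is enabled"))
    if is_true(value(cfg, "DEFAULT", "allow_anonymous_access")):
        findings.append(("DEFAULT", "allow_anonymous_access",
                         "unauthenticated read-only API access is allowed"))
    if is_true(value(cfg, "DEFAULT", "debug")):
        findings.append(("DEFAULT", "debug", "logging level is DEBUG"))
    if is_true(value(cfg, ka, "insecure")):
        findings.append((ka, "insecure", "HTTPS verification is turned off"))
    if not is_true(value(cfg, ka, "service_token_roles_required")):
        findings.append((ka, "service_token_roles_required",
                         "service_token_roles check is not enforced"))

    strategy = value(cfg, ka, "memcache_security_strategy")
    if strategy is None:
        if value(cfg, ka, "memcached_servers"):
            findings.append((ka, "memcache_security_strategy",
                             "tokens cached in memcached without MAC or ENCRYPT"))
    # Case-insensitive comparison is an assumption of this example.
    elif strategy.upper() not in ("MAC", "ENCRYPT"):
        findings.append((ka, "memcache_security_strategy",
                         "not MAC or ENCRYPT; auth_token raises on initialization"))
    elif value(cfg, ka, "memcache_secret_key") is None:
        findings.append((ka, "memcache_secret_key",
                         "mandatory when memcache_security_strategy is defined"))
    return findings


if __name__ == "__main__":
    for section, option, message in audit(SAMPLE_WEAK):
        print(f"[{section}] {option}: {message}")
```
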

1.1.8. keystone_notifications

The following table outlines the options available under the [keystone_notifications] group in the /etc/barbican/barbican.conf file.

Table 1.8. keystone_notifications

Configuration option = Default value | Type | Description

allow_requeue = False

boolean value

True enables requeue feature in case of notification processing error. Enable this only when underlying transport supports this feature.

control_exchange = keystone

string value

The default exchange under which topics are scoped. May be overridden by an exchange name specified in the transport_url option.

enable = False

boolean value

True enables keystone notification listener functionality.

thread_pool_size = 10

integer value

Define the number of max threads to be used for notification server processing functionality.

topic = notifications

string value

Keystone notification queue topic name. This name needs to match one of the values mentioned in the Keystone deployment’s notification_topics configuration, e.g. notification_topics=notifications, barbican_notifications. Multiple servers may listen on a topic and messages will be dispatched to one of the servers in a round-robin fashion. That’s why the Barbican service should have its own dedicated notification queue so that it receives all of Keystone's notifications.

version = 1.0

string value

Version of tasks invoked via notifications

1.1.9. kmip_plugin

The following table outlines the options available under the [kmip_plugin] group in the /etc/barbican/barbican.conf file.

Table 1.9. kmip_plugin

Configuration option = Default value | Type | Description

ca_certs = None

string value

File path to concatenated "certification authority" certificates

certfile = None

string value

File path to local client certificate

host = localhost

string value

Address of the KMIP server

keyfile = None

string value

File path to local client certificate keyfile

password = None

string value

Password for authenticating with KMIP server

pkcs1_only = False

boolean value

Only support PKCS#1 encoding of asymmetric keys

plugin_name = KMIP HSM

string value

User friendly plugin name

port = 5696

port value

Port for the KMIP server

ssl_version = PROTOCOL_TLSv1_2

string value

SSL version, maps to the module ssl’s constants

username = None

string value

Username for authenticating with KMIP server

1.1.10. oslo_messaging_amqp

The following table outlines the options available under the [oslo_messaging_amqp] group in the /etc/barbican/barbican.conf file.

Table 1.10. oslo_messaging_amqp

Configuration option = Default value | Type | Description

addressing_mode = dynamic

string value

Indicates the addressing mode used by the driver. Permitted values: legacy - use legacy non-routable addressing; routable - use routable addresses; dynamic - use legacy addresses if the message bus does not support routing, otherwise use routable addressing.

anycast_address = anycast

string value

Appended to the address prefix when sending to a group of consumers. Used by the message bus to identify messages that should be delivered in a round-robin fashion across consumers.

broadcast_prefix = broadcast

string value

Address prefix used when broadcasting to all servers

connection_retry_backoff = 2

integer value

Increase the connection_retry_interval by this many seconds after each unsuccessful failover attempt.

connection_retry_interval = 1

integer value

Seconds to pause before attempting to re-connect.

connection_retry_interval_max = 30

integer value

Maximum limit for connection_retry_interval + connection_retry_backoff

container_name = None

string value

Name for the AMQP container. Must be globally unique. Defaults to a generated UUID.

default_notification_exchange = None

string value

Exchange name used in notification addresses. Exchange name resolution precedence: Target.exchange if set, else default_notification_exchange if set, else control_exchange if set, else notify.

default_notify_timeout = 30

integer value

The deadline for a sent notification message delivery. Only used when caller does not provide a timeout expiry.

default_reply_retry = 0

integer value

The maximum number of attempts to re-send a reply message which failed due to a recoverable error.

default_reply_timeout = 30

integer value

The deadline for an rpc reply message delivery.

default_rpc_exchange = None

string value

Exchange name used in RPC addresses. Exchange name resolution precedence: Target.exchange if set, else default_rpc_exchange if set, else control_exchange if set, else rpc.

default_send_timeout = 30

integer value

The deadline for an rpc cast or call message delivery. Only used when caller does not provide a timeout expiry.

default_sender_link_timeout = 600

integer value

The duration to schedule a purge of idle sender links. Detach link after expiry.

group_request_prefix = unicast

string value

Address prefix when sending to any server in group

idle_timeout = 0

integer value

Timeout for inactive connections (in seconds)

link_retry_delay = 10

integer value

Time to pause between re-connecting an AMQP 1.0 link that failed due to a recoverable error.

multicast_address = multicast

string value

Appended to the address prefix when sending a fanout message. Used by the message bus to identify fanout messages.

notify_address_prefix = openstack.org/om/notify

string value

Address prefix for all generated Notification addresses

notify_server_credit = 100

integer value

Window size for incoming Notification messages

pre_settled = ['rpc-cast', 'rpc-reply']

multi valued

Send messages of this type pre-settled. Pre-settled messages will not receive acknowledgement from the peer. Note well: pre-settled messages may be silently discarded if the delivery fails. Permitted values: rpc-call - send RPC Calls pre-settled; rpc-reply - send RPC Replies pre-settled; rpc-cast - send RPC Casts pre-settled; notify - send Notifications pre-settled.

pseudo_vhost = True

boolean value

Enable virtual host support for those message buses that do not natively support virtual hosting (such as qpidd). When set to true the virtual host name will be added to all message bus addresses, effectively creating a private subnet per virtual host. Set to False if the message bus supports virtual hosting using the hostname field in the AMQP 1.0 Open performative as the name of the virtual host.

reply_link_credit = 200

integer value

Window size for incoming RPC Reply messages.

rpc_address_prefix = openstack.org/om/rpc

string value

Address prefix for all generated RPC addresses

rpc_server_credit = 100

integer value

Window size for incoming RPC Request messages

`sasl_config_dir = `

string value

Path to directory that contains the SASL configuration

`sasl_config_name = `

string value

Name of configuration file (without .conf suffix)

`sasl_default_realm = `

string value

SASL realm to use if no realm present in username

`sasl_mechanisms = `

string value

Space separated list of acceptable SASL mechanisms

server_request_prefix = exclusive

string value

Address prefix used when sending to a specific server

ssl = False

boolean value

Attempt to connect via SSL. If no other ssl-related parameters are given, it will use the system’s CA-bundle to verify the server’s certificate.

`ssl_ca_file = `

string value

CA certificate PEM file used to verify the server’s certificate

`ssl_cert_file = `

string value

Self-identifying certificate PEM file for client authentication

`ssl_key_file = `

string value

Private key PEM file used to sign ssl_cert_file certificate (optional)

ssl_key_password = None

string value

Password for decrypting ssl_key_file (if encrypted)

ssl_verify_vhost = False

boolean value

By default SSL checks that the name in the server’s certificate matches the hostname in the transport_url. In some configurations it may be preferable to use the virtual hostname instead, for example if the server uses the Server Name Indication TLS extension (rfc6066) to provide a certificate per virtual host. Set ssl_verify_vhost to True if the server’s SSL certificate uses the virtual host name instead of the DNS name.

trace = False

boolean value

Debug: dump AMQP frames to stdout

unicast_address = unicast

string value

Appended to the address prefix when sending to a particular RPC/Notification server. Used by the message bus to identify messages sent to a single destination.

1.1.11. oslo_messaging_kafka

The following table outlines the options available under the [oslo_messaging_kafka] group in the /etc/barbican/barbican.conf file.

Table 1.11. oslo_messaging_kafka

Configuration option = Default value

Type

Description

conn_pool_min_size = 2

integer value

The pool size limit for connections expiration policy

conn_pool_ttl = 1200

integer value

The time-to-live in sec of idle connections in the pool

consumer_group = oslo_messaging_consumer

string value

Group id for Kafka consumer. Consumers in one group will coordinate message consumption

enable_auto_commit = False

boolean value

Enable asynchronous consumer commits

kafka_consumer_timeout = 1.0

floating point value

Default timeout(s) for Kafka consumers

kafka_max_fetch_bytes = 1048576

integer value

Max fetch bytes of Kafka consumer

max_poll_records = 500

integer value

The maximum number of records returned in a poll call

pool_size = 10

integer value

Pool Size for Kafka Consumers

producer_batch_size = 16384

integer value

Size of batch for the producer async send

producer_batch_timeout = 0.0

floating point value

Upper bound on the delay for KafkaProducer batching in seconds

sasl_mechanism = PLAIN

string value

Mechanism when security protocol is SASL

security_protocol = PLAINTEXT

string value

Protocol used to communicate with brokers

`ssl_cafile = `

string value

CA certificate PEM file used to verify the server certificate

1.1.12. oslo_messaging_notifications

The following table outlines the options available under the [oslo_messaging_notifications] group in the /etc/barbican/barbican.conf file.

Table 1.12. oslo_messaging_notifications

Configuration option = Default value

Type

Description

driver = []

multi valued

The driver(s) to handle sending notifications. Possible values are messaging, messagingv2, routing, log, test, noop

retry = -1

integer value

The maximum number of attempts to re-send a notification message which failed to be delivered due to a recoverable error. 0 - No retry, -1 - indefinite

topics = ['notifications']

list value

AMQP topic used for OpenStack notifications.

transport_url = None

string value

A URL representing the messaging driver to use for notifications. If not set, we fall back to the same configuration used for RPC.

1.1.13. oslo_messaging_rabbit

The following table outlines the options available under the [oslo_messaging_rabbit] group in the /etc/barbican/barbican.conf file.

Table 1.13. oslo_messaging_rabbit

Configuration option = Default value

Type

Description

amqp_auto_delete = False

boolean value

Auto-delete queues in AMQP.

amqp_durable_queues = False

boolean value

Use durable queues in AMQP.

heartbeat_rate = 2

integer value

How many times during the heartbeat_timeout_threshold the heartbeat is checked.

heartbeat_timeout_threshold = 60

integer value

Number of seconds after which the Rabbit broker is considered down if the heartbeat's keep-alive fails (0 disables the heartbeat). EXPERIMENTAL

kombu_compression = None

string value

EXPERIMENTAL: Possible values are: gzip, bz2. If not set compression will not be used. This option may not be available in future versions.

kombu_failover_strategy = round-robin

string value

Determines how the next RabbitMQ node is chosen in case the one we are currently connected to becomes unavailable. Takes effect only if more than one RabbitMQ node is provided in config.

kombu_missing_consumer_retry_timeout = 60

integer value

How long to wait for a missing client before giving up on sending it its replies. This value should not be longer than rpc_response_timeout.

kombu_reconnect_delay = 1.0

floating point value

How long to wait before reconnecting in response to an AMQP consumer cancel notification.

rabbit_ha_queues = False

boolean value

Try to use HA queues in RabbitMQ (x-ha-policy: all). If you change this option, you must wipe the RabbitMQ database. In RabbitMQ 3.0, queue mirroring is no longer controlled by the x-ha-policy argument when declaring a queue. If you just want to make sure that all queues (except those with auto-generated names) are mirrored across all nodes, run: rabbitmqctl set_policy HA '^(?!amq\.).*' '{"ha-mode": "all"}'

rabbit_interval_max = 30

integer value

Maximum interval of RabbitMQ connection retries. Default is 30 seconds.

rabbit_login_method = AMQPLAIN

string value

The RabbitMQ login method.

rabbit_qos_prefetch_count = 0

integer value

Specifies the number of messages to prefetch. Setting to zero allows unlimited messages.

rabbit_retry_backoff = 2

integer value

How long to back off between retries when connecting to RabbitMQ.

rabbit_retry_interval = 1

integer value

How frequently to retry connecting with RabbitMQ.

rabbit_transient_queues_ttl = 1800

integer value

Positive integer representing duration in seconds for queue TTL (x-expires). Queues which are unused for the duration of the TTL are automatically deleted. The parameter affects only reply and fanout queues.

ssl = False

boolean value

Connect over SSL.

`ssl_ca_file = `

string value

SSL certification authority file (valid only if SSL enabled).

`ssl_cert_file = `

string value

SSL cert file (valid only if SSL enabled).

`ssl_key_file = `

string value

SSL key file (valid only if SSL enabled).

`ssl_version = `

string value

SSL version to use (valid only if SSL enabled). Valid values are TLSv1 and SSLv23. SSLv2, SSLv3, TLSv1_1, and TLSv1_2 may be available on some distributions.

1.1.14. oslo_middleware

The following table outlines the options available under the [oslo_middleware] group in the /etc/barbican/barbican.conf file.

Table 1.14. oslo_middleware

Configuration option = Default value

Type

Description

enable_proxy_headers_parsing = False

boolean value

Whether the application is behind a proxy or not. This determines if the middleware should parse the headers or not.

1.1.15. oslo_policy

The following table outlines the options available under the [oslo_policy] group in the /etc/barbican/barbican.conf file.

Table 1.15. oslo_policy

Configuration option = Default value

Type

Description

enforce_scope = False

boolean value

This option controls whether or not to enforce scope when evaluating policies. If True, the scope of the token used in the request is compared to the scope_types of the policy being enforced. If the scopes do not match, an InvalidScope exception will be raised. If False, a message will be logged informing operators that policies are being invoked with mismatching scope.

policy_default_rule = default

string value

Default rule. Enforced when a requested rule is not found.

policy_dirs = ['policy.d']

multi valued

Directories where policy configuration files are stored. They can be relative to any directory in the search path defined by the config_dir option, or absolute paths. The file defined by policy_file must exist for these directories to be searched. Missing or empty directories are ignored.

policy_file = policy.json

string value

The file that defines policies.

remote_content_type = application/x-www-form-urlencoded

string value

Content Type to send and receive data for REST based policy check

remote_ssl_ca_crt_file = None

string value

Absolute path to ca cert file for REST based policy check

remote_ssl_client_crt_file = None

string value

Absolute path to client cert for REST based policy check

remote_ssl_client_key_file = None

string value

Absolute path to client key file for REST based policy check

remote_ssl_verify_server_crt = False

boolean value

Server identity verification for REST based policy check

1.1.16. p11_crypto_plugin

The following table outlines the options available under the [p11_crypto_plugin] group in the /etc/barbican/barbican.conf file.

Table 1.16. p11_crypto_plugin

Configuration option = Default value

Type

Description

aes_gcm_generate_iv = True

boolean value

Generate IVs for CKM_AES_GCM mechanism.

always_set_cka_sensitive = True

boolean value

Always set CKA_SENSITIVE=CK_TRUE including CKA_EXTRACTABLE=CK_TRUE keys.

encryption_mechanism = CKM_AES_CBC

string value

Secret encryption mechanism

hmac_key_type = CKK_AES

string value

HMAC Key Type

hmac_keygen_mechanism = CKM_AES_KEY_GEN

string value

HMAC Key Generation Algorithm

hmac_keywrap_mechanism = CKM_SHA256_HMAC

string value

HMAC key wrap mechanism

hmac_label = None

string value

Master HMAC Key label (as stored in the HSM)

library_path = None

string value

Path to vendor PKCS11 library

login = None

string value

Password to log in to PKCS11 session

mkek_label = None

string value

Master KEK label (as stored in the HSM)

mkek_length = None

integer value

Master KEK length in bytes.

pkek_cache_limit = 100

integer value

Project KEK Cache Item Limit

pkek_cache_ttl = 900

integer value

Project KEK Cache Time To Live, in seconds

pkek_length = 32

integer value

Project KEK length in bytes.

plugin_name = PKCS11 HSM

string value

User friendly plugin name

rw_session = True

boolean value

Flag for Read/Write Sessions

`seed_file = `

string value

File to pull entropy for seeding RNG

seed_length = 32

integer value

Amount of data to read from file for seed

slot_id = 1

integer value

HSM Slot ID

1.1.17. queue

The following table outlines the options available under the [queue] group in the /etc/barbican/barbican.conf file.

Table 1.17. queue

Configuration option = Default value

Type

Description

asynchronous_workers = 1

integer value

Number of asynchronous worker processes

enable = False

boolean value

True enables queuing, False invokes workers synchronously

namespace = barbican

string value

Queue namespace

server_name = barbican.queue

string value

Server name for RPC task processing server

topic = barbican.workers

string value

Queue topic name

version = 1.1

string value

Version of tasks invoked via queue

1.1.18. quotas

The following table outlines the options available under the [quotas] group in the /etc/barbican/barbican.conf file.

Table 1.18. quotas

Configuration option = Default value

Type

Description

quota_cas = -1

integer value

Number of CAs allowed per project

quota_consumers = -1

integer value

Number of consumers allowed per project

quota_containers = -1

integer value

Number of containers allowed per project

quota_orders = -1

integer value

Number of orders allowed per project

quota_secrets = -1

integer value

Number of secrets allowed per project

1.1.19. retry_scheduler

The following table outlines the options available under the [retry_scheduler] group in the /etc/barbican/barbican.conf file.

Table 1.19. retry_scheduler

Configuration option = Default value

Type

Description

initial_delay_seconds = 10.0

floating point value

Seconds (float) to wait before starting retry scheduler

periodic_interval_max_seconds = 10.0

floating point value

Seconds (float) to wait between periodic schedule events

1.1.20. secretstore

The following table outlines the options available under the [secretstore] group in the /etc/barbican/barbican.conf file.

Table 1.20. secretstore

Configuration option = Default value

Type

Description

enable_multiple_secret_stores = False

boolean value

Flag to enable multiple secret store plugin backend support. Default is False

enabled_secretstore_plugins = ['store_crypto']

multi valued

List of secret store plugins to load.

namespace = barbican.secretstore.plugin

string value

Extension namespace to search for plugins.

stores_lookup_suffix = None

list value

List of suffixes to use for looking up plugins that are supported with multiple backend support.

1.1.21. simple_crypto_plugin

The following table outlines the options available under the [simple_crypto_plugin] group in the /etc/barbican/barbican.conf file.

Table 1.21. simple_crypto_plugin

Configuration option = Default value

Type

Description

kek = dGhpcnR5X3R3b19ieXRlX2tleWJsYWhibGFoYmxhaGg=

string value

Key encryption key to be used by Simple Crypto Plugin

plugin_name = Software Only Crypto

string value

User friendly plugin name

1.1.22. snakeoil_ca_plugin

The following table outlines the options available under the [snakeoil_ca_plugin] group in the /etc/barbican/barbican.conf file.

Table 1.22. snakeoil_ca_plugin

Configuration option = Default value

Type

Description

ca_cert_chain_path = None

string value

Path to CA certificate chain file

ca_cert_key_path = None

string value

Path to CA certificate key file

ca_cert_path = None

string value

Path to CA certificate file

ca_cert_pkcs7_path = None

string value

Path to CA chain pkcs7 file

subca_cert_key_directory = /etc/barbican/snakeoil-cas

string value

Directory in which to store certs/keys for subcas

1.1.23. ssl

The following table outlines the options available under the [ssl] group in the /etc/barbican/barbican.conf file.

Table 1.23. ssl

Configuration option = Default value

Type

Description

ca_file = None

string value

CA certificate file to use to verify connecting clients.

cert_file = None

string value

Certificate file to use when starting the server securely.

ciphers = None

string value

Sets the list of available ciphers. The value should be a string in the OpenSSL cipher list format.

key_file = None

string value

Private key file to use when starting the server securely.

version = None

string value

SSL version to use (valid only if SSL enabled). Valid values are TLSv1 and SSLv23. SSLv2, SSLv3, TLSv1_1, and TLSv1_2 may be available on some distributions.

Chapter 2. cinder

The following chapter contains information about the configuration options in the cinder service.

2.1. cinder.conf

This section contains options for the /etc/cinder/cinder.conf file.

2.1.1. DEFAULT

The following table outlines the options available under the [DEFAULT] group in the /etc/cinder/cinder.conf file.

Table 2.1. DEFAULT

Configuration option = Default value

Type

Description

allocated_capacity_weight_multiplier = -1.0

floating point value

Multiplier used for weighing allocated capacity. Positive numbers mean to stack vs spread.

allow_availability_zone_fallback = False

boolean value

If the requested Cinder availability zone is unavailable, fall back to the value of default_availability_zone, then storage_availability_zone, instead of failing.

allowed_direct_url_schemes = []

list value

A list of url schemes that can be downloaded directly via the direct_url. Currently supported schemes: [file, cinder].

api_paste_config = api-paste.ini

string value

File name for the paste.deploy config for api service

api_rate_limit = True

boolean value

Enables or disables rate limit of the API.

as13000_ipsan_pools = ['Pool0']

list value

The Storage Pools Cinder should use, a comma separated list.

as13000_meta_pool = None

string value

The pool which is used as a meta pool when creating a volume, and it should be a replication pool at present. If not set, the driver will choose a replication pool from the value of as13000_ipsan_pools.

as13000_token_available_time = 3300

integer value

The effective time of token validity in seconds.

auth_strategy = keystone

string value

The strategy to use for auth. Supports noauth or keystone.

az_cache_duration = 3600

integer value

Cache volume availability zones in memory for the provided duration in seconds

backdoor_port = None

string value

Enable eventlet backdoor. Acceptable values are 0, <port>, and <start>:<end>, where 0 results in listening on a random tcp port number; <port> results in listening on the specified port number (and not enabling backdoor if that port is in use); and <start>:<end> results in listening on the smallest unused port number within the specified range of port numbers. The chosen port is displayed in the service’s log file.

backdoor_socket = None

string value

Enable eventlet backdoor, using the provided path as a unix socket that can receive connections. This option is mutually exclusive with backdoor_port in that only one should be provided. If both are provided then the existence of this option overrides the usage of that option.

backend_availability_zone = None

string value

Availability zone for this volume backend. If not set, the storage_availability_zone option value is used as the default for all backends.

backup_api_class = cinder.backup.api.API

string value

The full class name of the volume backup API class

backup_ceph_chunk_size = 134217728

integer value

The chunk size, in bytes, that a backup is broken into before transfer to the Ceph object store.

backup_ceph_conf = /etc/ceph/ceph.conf

string value

Ceph configuration file to use.

backup_ceph_image_journals = False

boolean value

If True, apply JOURNALING and EXCLUSIVE_LOCK feature bits to the backup RBD objects to allow mirroring

backup_ceph_pool = backups

string value

The Ceph pool where volume backups are stored.

backup_ceph_stripe_count = 0

integer value

RBD stripe count to use when creating a backup image.

backup_ceph_stripe_unit = 0

integer value

RBD stripe unit to use when creating a backup image.

backup_ceph_user = cinder

string value

The Ceph user to connect with. Default here is to use the same user as for Cinder volumes. If not using cephx this should be set to None.

backup_compression_algorithm = zlib

string value

Compression algorithm (None to disable)

backup_container = None

string value

Custom directory to use for backups.

backup_driver = cinder.backup.drivers.swift.SwiftBackupDriver

string value

Driver to use for backups.

backup_enable_progress_timer = True

boolean value

Enable or Disable the timer to send the periodic progress notifications to Ceilometer when backing up the volume to the backend storage. The default value is True to enable the timer.

backup_file_size = 1999994880

integer value

The maximum size in bytes of the files used to hold backups. If the volume being backed up exceeds this size, then it will be backed up into multiple files. backup_file_size must be a multiple of backup_sha_block_size_bytes.

backup_gcs_block_size = 32768

integer value

The size in bytes at which changes are tracked for incremental backups. backup_gcs_object_size has to be a multiple of backup_gcs_block_size.

backup_gcs_bucket = None

string value

The GCS bucket to use.

backup_gcs_bucket_location = US

string value

Location of GCS bucket.

backup_gcs_credential_file = None

string value

Absolute path of GCS service account credential file.

backup_gcs_enable_progress_timer = True

boolean value

Enable or Disable the timer to send the periodic progress notifications to Ceilometer when backing up the volume to the GCS backend storage. The default value is True to enable the timer.

backup_gcs_num_retries = 3

integer value

Number of times to retry.

backup_gcs_object_size = 52428800

integer value

The size in bytes of GCS backup objects.

backup_gcs_project_id = None

string value

Owner project id for GCS bucket.

backup_gcs_proxy_url = None

uri value

URL for http proxy access.

backup_gcs_reader_chunk_size = 2097152

integer value

GCS object will be downloaded in chunks of bytes.

backup_gcs_retry_error_codes = ['429']

list value

List of GCS error codes.

backup_gcs_storage_class = NEARLINE

string value

Storage class of GCS bucket.

backup_gcs_user_agent = gcscinder

string value

Http user-agent string for gcs api.

backup_gcs_writer_chunk_size = 2097152

integer value

GCS object will be uploaded in chunks of bytes. Pass in a value of -1 if the file is to be uploaded as a single chunk.

backup_manager = cinder.backup.manager.BackupManager

string value

Full class name for the Manager for volume backup

backup_metadata_version = 2

integer value

Backup metadata version to be used when backing up volume metadata. If this number is bumped, make sure the service doing the restore supports the new version.

backup_mount_options = None

string value

Mount options passed to the NFS client. See NFS man page for details.

backup_mount_point_base = $state_path/backup_mount

string value

Base dir containing mount point for NFS share.

backup_name_template = backup-%s

string value

Template string to be used to generate backup names

backup_native_threads_pool_size = 60

integer value

Size of the native threads pool for the backups. Most backup drivers rely heavily on this, it can be decreased for specific drivers that don’t.

backup_object_number_per_notification = 10

integer value

The number of chunks or objects, for which one Ceilometer notification will be sent

backup_posix_path = $state_path/backup

string value

Path specifying where to store backups.

backup_service_inithost_offload = True

boolean value

Offload pending backup delete during backup service startup. If false, the backup service will remain down until all pending backups are deleted.

backup_sha_block_size_bytes = 32768

integer value

The size in bytes at which changes are tracked for incremental backups. backup_file_size has to be a multiple of backup_sha_block_size_bytes.

backup_share = None

string value

NFS share in hostname:path, ipv4addr:path, or "[ipv6addr]:path" format.

backup_swift_auth = per_user

string value

Swift authentication mechanism (per_user or single_user).

backup_swift_auth_insecure = False

boolean value

Bypass verification of server certificate when making SSL connection to Swift.

backup_swift_auth_url = None

uri value

The URL of the Keystone endpoint

backup_swift_auth_version = 1

string value

Swift authentication version. Specify "1" for auth 1.0, or "2" for auth 2.0 or "3" for auth 3.0

backup_swift_block_size = 32768

integer value

The size in bytes at which changes are tracked for incremental backups. backup_swift_object_size has to be a multiple of backup_swift_block_size.

backup_swift_ca_cert_file = None

string value

Location of the CA certificate file to use for swift client requests.

backup_swift_container = volumebackups

string value

The default Swift container to use

backup_swift_enable_progress_timer = True

boolean value

Enable or Disable the timer to send the periodic progress notifications to Ceilometer when backing up the volume to the Swift backend storage. The default value is True to enable the timer.

backup_swift_key = None

string value

Swift key for authentication

backup_swift_object_size = 52428800

integer value

The size in bytes of Swift backup objects

backup_swift_project = None

string value

Swift project/account name. Required when connecting to an auth 3.0 system

backup_swift_project_domain = None

string value

Swift project domain name. Required when connecting to an auth 3.0 system

backup_swift_retry_attempts = 3

integer value

The number of retries to make for Swift operations

backup_swift_retry_backoff = 2

integer value

The backoff time in seconds between Swift retries

backup_swift_tenant = None

string value

Swift tenant/account name. Required when connecting to an auth 2.0 system

backup_swift_url = None

uri value

The URL of the Swift endpoint

backup_swift_user = None

string value

Swift user name

backup_swift_user_domain = None

string value

Swift user domain name. Required when connecting to an auth 3.0 system

backup_timer_interval = 120

integer value

Interval, in seconds, between two progress notifications reporting the backup status

backup_tsm_compression = True

boolean value

Enable or Disable compression for backups

backup_tsm_password = password

string value

TSM password for the running username

backup_tsm_volume_prefix = backup

string value

Volume prefix for the backup id when backing up to TSM

backup_use_same_host = False

boolean value

Backup services use same backend.

backup_use_temp_snapshot = False

boolean value

If this is set to True, a temporary snapshot will be created for performing non-disruptive backups. Otherwise a temporary volume will be cloned in order to perform a backup.

backup_workers = 1

integer value

Number of backup processes to launch. Improves performance with concurrent backups.

capacity_weight_multiplier = 1.0

floating point value

Multiplier used for weighing free capacity. Negative numbers mean to stack vs spread.

`chap_password = `

string value

Password for specified CHAP account name.

`chap_username = `

string value

CHAP user name.

chiscsi_conf = /etc/chelsio-iscsi/chiscsi.conf

string value

Chiscsi (CXT) global defaults configuration file

cinder_internal_tenant_project_id = None

string value

ID of the project which will be used as the Cinder internal tenant.

cinder_internal_tenant_user_id = None

string value

ID of the user to be used in volume operations as the Cinder internal tenant.

client_socket_timeout = 900

integer value

Timeout for client connections' socket operations. If an incoming connection is idle for this number of seconds it will be closed. A value of 0 means wait forever.

clone_volume_timeout = 680

integer value

Create clone volume timeout

cloned_volume_same_az = True

boolean value

Ensure that the new volumes are the same AZ as snapshot or source volume

cluster = None

string value

Name of this cluster. Used to group volume hosts that share the same backend configurations to work in HA Active-Active mode. Active-Active is not yet supported.

compute_api_class = cinder.compute.nova.API

string value

The full class name of the compute API class to use

config-dir = ['~/.project/project.conf.d/', '~/project.conf.d/', '/etc/project/project.conf.d/', '/etc/project.conf.d/']

list value

Path to a config directory to pull *.conf files from. This file set is sorted, so as to provide a predictable parse order if individual options are over-ridden. The set is parsed after the file(s) specified via previous --config-file arguments, hence over-ridden options in the directory take precedence.

config-file = ['~/.project/project.conf', '~/project.conf', '/etc/project/project.conf', '/etc/project.conf']

unknown value

Path to a config file to use. Multiple config files can be specified, with values in later files taking precedence. Defaults to %(default)s.

config_source = []

list value

Lists configuration groups that provide more details for accessing configuration settings from locations other than local files.

conn_pool_min_size = 2

integer value

The pool size limit for connections expiration policy

conn_pool_ttl = 1200

integer value

The time-to-live in sec of idle connections in the pool

consistencygroup_api_class = cinder.consistencygroup.api.API

string value

The full class name of the consistencygroup API class

control_exchange = openstack

string value

The default exchange under which topics are scoped. May be overridden by an exchange name specified in the transport_url option.

datacore_api_timeout = 300

integer value

Seconds to wait for a response from a DataCore API call.

datacore_disk_failed_delay = 15

integer value

Seconds to wait for DataCore virtual disk to come out of the "Failed" state.

datacore_disk_pools = []

list value

List of DataCore disk pools that can be used by volume driver.

datacore_disk_type = single

string value

DataCore virtual disk type (single/mirrored). Mirrored virtual disks require two storage servers in the server group.

datacore_iscsi_chap_enabled = False

boolean value

Configure CHAP authentication for iSCSI connections.

datacore_iscsi_chap_storage = None

string value

iSCSI CHAP authentication password storage file.

datacore_iscsi_unallowed_targets = []

list value

List of iSCSI targets that cannot be used to attach volume. To prevent the DataCore iSCSI volume driver from using some front-end targets in volume attachment, specify this option and list the iqn and target machine for each target as the value, such as <iqn:target name>, <iqn:target name>, <iqn:target name>.

datacore_storage_profile = None

string value

DataCore virtual disk storage profile.

db_driver = cinder.db

string value

Driver to use for database access

debug = False

boolean value

If set to true, the logging level will be set to DEBUG instead of the default INFO level.

default_availability_zone = None

string value

Default availability zone for new volumes. If not set, the storage_availability_zone option value is used as the default for new volumes.

default_group_type = None

string value

Default group type to use

default_log_levels = ['amqp=WARN', 'amqplib=WARN', 'boto=WARN', 'qpid=WARN', 'sqlalchemy=WARN', 'suds=INFO', 'oslo.messaging=INFO', 'oslo_messaging=INFO', 'iso8601=WARN', 'requests.packages.urllib3.connectionpool=WARN', 'urllib3.connectionpool=WARN', 'websocket=WARN', 'requests.packages.urllib3.util.retry=WARN', 'urllib3.util.retry=WARN', 'keystonemiddleware=WARN', 'routes.middleware=WARN', 'stevedore=WARN', 'taskflow=WARN', 'keystoneauth=WARN', 'oslo.cache=INFO', 'oslo_policy=INFO', 'dogpile.core.dogpile=INFO']

list value

List of package logging levels in logger=LEVEL pairs. This option is ignored if log_config_append is set.

default_volume_type = None

string value

Default volume type to use

driver_client_cert = None

string value

The path to the client certificate for verification, if the driver supports it.

driver_client_cert_key = None

string value

The path to the client certificate key for verification, if the driver supports it.

driver_data_namespace = None

string value

Namespace for driver private data values to be saved in.

driver_ssl_cert_path = None

string value

Can be used to specify a non default path to a CA_BUNDLE file or directory with certificates of trusted CAs, which will be used to validate the backend

driver_ssl_cert_verify = False

boolean value

If set to True the http client will validate the SSL certificate of the backend endpoint.

driver_use_ssl = False

boolean value

Tell driver to use SSL for connection to backend storage if the driver supports it.

dsware_isthin = False

boolean value

The flag of thin storage allocation.

`dsware_manager = `

string value

Fusionstorage manager ip addr for cinder-volume.

`dsware_rest_url = `

string value

The address of FusionStorage array. For example, "dsware_rest_url=xxx"

`dsware_storage_pools = `

string value

The list of pools on the FusionStorage array, separated by semicolons (;). For example, "dsware_storage_pools = xxx1; xxx2; xxx3"

enable_force_upload = False

boolean value

Enables the Force option on upload_to_image. This enables running upload_volume on in-use volumes for backends that support it.

enable_new_services = True

boolean value

Services to be added to the available pool on create

enable_unsupported_driver = False

boolean value

Set this to True when you want to allow an unsupported driver to start. Drivers that haven’t maintained a working CI system and testing are marked as unsupported until CI is working again. This also marks a driver as deprecated and may be removed in the next release.

enable_v2_api = True

boolean value

DEPRECATED: Deploy v2 of the Cinder API.

enable_v3_api = True

boolean value

Deploy v3 of the Cinder API.

enabled_backends = None

list value

A list of backend names to use. These backend names should be backed by a unique [CONFIG] group with its options

enforce_multipath_for_image_xfer = False

boolean value

If this is set to True, attachment of volumes for image transfer will be aborted when multipathd is not running. Otherwise, it will fall back to single path.

executor_thread_pool_size = 64

integer value

Size of executor thread pool when executor is threading or eventlet.

fatal_deprecations = False

boolean value

Enables or disables fatal status of deprecations.

filter_function = None

string value

String representation for an equation that will be used to filter hosts. Only used when the driver filter is set to be used by the Cinder scheduler.

`fusionstorageagent = `

string value

FusionStorage agent IP address range.

glance_api_insecure = False

boolean value

Allow insecure SSL (https) requests to glance (https will be used but certificate validation will not be performed).

glance_api_servers = None

list value

A list of the URLs of glance API servers available to cinder ([http[s]://][hostname|ip]:port). If protocol is not specified it defaults to http.

glance_api_ssl_compression = False

boolean value

Enables or disables negotiation of SSL layer compression. In some cases disabling compression can improve data throughput, such as when high network bandwidth is available and you use compressed image formats like qcow2.

glance_ca_certificates_file = None

string value

Location of ca certificates file to use for glance client requests.

glance_catalog_info = image:glance:publicURL

string value

Info to match when looking for glance in the service catalog. Format is colon-separated values of the form <service_type>:<service_name>:<endpoint_type>. Only used if glance_api_servers are not provided.

glance_core_properties = ['checksum', 'container_format', 'disk_format', 'image_name', 'image_id', 'min_disk', 'min_ram', 'name', 'size']

list value

Default core properties of image

glance_num_retries = 0

integer value

Number of retries when downloading an image from glance.

glance_request_timeout = None

integer value

http/https timeout value for glance operations. If no value (None) is supplied here, the glanceclient default value is used.

glusterfs_backup_mount_point = $state_path/backup_mount

string value

Base dir containing mount point for gluster share.

glusterfs_backup_share = None

string value

GlusterFS share in <hostname|ipv4addr|ipv6addr>:<gluster_vol_name> format. Eg: 1.2.3.4:backup_vol

goodness_function = None

string value

String representation for an equation that will be used to determine the goodness of a host. Only used when the goodness weigher is set to be used by the Cinder scheduler.

graceful_shutdown_timeout = 60

integer value

Specify a timeout after which a gracefully shutdown server will exit. Zero value means endless wait.

group_api_class = cinder.group.api.API

string value

The full class name of the group API class

host = ccsosp-undercloud.usersys.redhat.com

host address value

Name of this node. This can be an opaque identifier. It is not necessarily a host name, FQDN, or IP address.

iet_conf = /etc/iet/ietd.conf

string value

IET configuration file

image_conversion_dir = $state_path/conversion

string value

Directory used for temporary storage during image conversion

image_upload_use_cinder_backend = False

boolean value

If set to True, upload-to-image in raw format will create a cloned volume and register its location to the image service, instead of uploading the volume content. The cinder backend and locations support must be enabled in the image service.

image_upload_use_internal_tenant = False

boolean value

If set to True, the image volume created by upload-to-image will be placed in the internal tenant. Otherwise, the image volume is created in the current context’s tenant.

image_volume_cache_enabled = False

boolean value

Enable the image volume cache for this backend.

image_volume_cache_max_count = 0

integer value

Max number of entries allowed in the image volume cache. 0 ⇒ unlimited.

image_volume_cache_max_size_gb = 0

integer value

Max size of the image volume cache for this backend in GB. 0 ⇒ unlimited.

init_host_max_objects_retrieval = 0

integer value

Max number of volumes and snapshots to be retrieved per batch during volume manager host initialization. Query results will be obtained in batches from the database and not in one shot to avoid extreme memory usage. Set 0 to turn off this functionality.

`instance_format = [instance: %(uuid)s] `

string value

The format for an instance that is passed with the log message.

`instance_uuid_format = [instance: %(uuid)s] `

string value

The format for an instance UUID that is passed with the log message.

instorage_mcs_allow_tenant_qos = False

boolean value

Allow tenants to specify QOS on create

instorage_mcs_iscsi_chap_enabled = True

boolean value

Configure CHAP authentication for iSCSI connections (Default: Enabled)

instorage_mcs_localcopy_rate = 50

integer value

Specifies the InStorage LocalCopy copy rate to be used when creating a full volume copy. The default rate is 50, and the valid rates are 1-100.

instorage_mcs_localcopy_timeout = 120

integer value

Maximum number of seconds to wait for LocalCopy to be prepared.

instorage_mcs_vol_autoexpand = True

boolean value

Storage system autoexpand parameter for volumes (True/False)

instorage_mcs_vol_compression = False

boolean value

Storage system compression option for volumes

instorage_mcs_vol_grainsize = 256

integer value

Storage system grain size parameter for volumes (32/64/128/256)

instorage_mcs_vol_intier = True

boolean value

Enable InTier for volumes

instorage_mcs_vol_iogrp = 0

string value

The I/O group in which to allocate volumes. It can be a comma-separated list in which case the driver will select an io_group based on least number of volumes associated with the io_group.

instorage_mcs_vol_rsize = 2

integer value

Storage system space-efficiency parameter for volumes (percentage)

instorage_mcs_vol_warning = 0

integer value

Storage system threshold for volume capacity warnings (percentage)

instorage_mcs_volpool_name = ['volpool']

list value

Comma separated list of storage system storage pools for volumes.

instorage_san_secondary_ip = None

string value

Specifies secondary management IP or hostname to be used if san_ip is invalid or becomes inaccessible.

iscsi_iotype = fileio

string value

Sets the behavior of the iSCSI target to perform either blockio or fileio. Optionally, auto can be set and Cinder will autodetect the type of backing device.

iscsi_secondary_ip_addresses = []

list value

The list of secondary IP addresses of the iSCSI daemon

`iscsi_target_flags = `

string value

Sets the target-specific flags for the iSCSI target. Only used for tgtadm to specify backing device flags using bsoflags option. The specified string is passed as is to the underlying tool.

iscsi_write_cache = on

string value

Sets the behavior of the iSCSI target to either perform write-back(on) or write-through(off). This parameter is valid if target_helper is set to tgtadm.

iser_helper = tgtadm

string value

The name of the iSER target user-land tool to use

iser_ip_address = $my_ip

string value

The IP address that the iSER daemon is listening on

iser_port = 3260

port value

The port that the iSER daemon is listening on

iser_target_prefix = iqn.2010-10.org.openstack:

string value

Prefix for iSER volumes

keystone_catalog_info = identity:Identity Service:publicURL

string value

Info to match when looking for keystone in the service catalog. Format is colon-separated values of the form <service_type>:<service_name>:<endpoint_type>. Only used if backup_swift_auth_url is unset.

log-config-append = None

string value

The name of a logging configuration file. This file is appended to any existing logging configuration files. For details about logging configuration files, see the Python logging module documentation. Note that when logging configuration files are used then all logging configuration is set in the configuration file and other logging configuration options are ignored (for example, log-date-format).

log-date-format = %Y-%m-%d %H:%M:%S

string value

Defines the format string for %(asctime)s in log records. Default: %Y-%m-%d %H:%M:%S. This option is ignored if log_config_append is set.

log-dir = None

string value

(Optional) The base directory used for relative log_file paths. This option is ignored if log_config_append is set.

log-file = None

string value

(Optional) Name of log file to send logging output to. If no default is set, logging will go to stderr as defined by use_stderr. This option is ignored if log_config_append is set.

log_options = True

boolean value

Enables or disables logging values of all registered options when starting a service (at DEBUG level).

log_rotate_interval = 1

integer value

The amount of time before the log files are rotated. This option is ignored unless log_rotation_type is set to "interval".

log_rotate_interval_type = days

string value

Rotation interval type. The time of the last file change (or the time when the service was started) is used when scheduling the next rotation.

log_rotation_type = none

string value

Log rotation type.

logging_context_format_string = %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [%(request_id)s %(user_identity)s] %(instance)s%(message)s

string value

Format string to use for log messages with context. Used by oslo_log.formatters.ContextFormatter

logging_debug_format_suffix = %(funcName)s %(pathname)s:%(lineno)d

string value

Additional data to append to log message when logging level for the message is DEBUG. Used by oslo_log.formatters.ContextFormatter

logging_default_format_string = %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [-] %(instance)s%(message)s

string value

Format string to use for log messages when context is undefined. Used by oslo_log.formatters.ContextFormatter

logging_exception_prefix = %(asctime)s.%(msecs)03d %(process)d ERROR %(name)s %(instance)s

string value

Prefix each line of exception output with this format. Used by oslo_log.formatters.ContextFormatter

logging_user_identity_format = %(user)s %(tenant)s %(domain)s %(user_domain)s %(project_domain)s

string value

Defines the format string for %(user_identity)s that is used in logging_context_format_string. Used by oslo_log.formatters.ContextFormatter

manager_ips = {}

dict value

This option is to support the FSA to mount across the different nodes. The parameter takes the standard dict config form, manager_ips = host1:ip1, host2:ip2…

max_age = 0

integer value

Number of seconds between subsequent usage refreshes

max_header_line = 16384

integer value

Maximum line size of message headers to be accepted. max_header_line may need to be increased when using large tokens (typically those generated when keystone is configured to use PKI tokens with big service catalogs).

max_logfile_count = 30

integer value

Maximum number of rotated log files.

max_logfile_size_mb = 200

integer value

Log file maximum size in MB. This option is ignored if "log_rotation_type" is not set to "size".

max_over_subscription_ratio = 20.0

string value

Representation of the over subscription ratio when thin provisioning is enabled. Default ratio is 20.0, meaning provisioned capacity can be 20 times of the total physical capacity. If the ratio is 10.5, it means provisioned capacity can be 10.5 times of the total physical capacity. A ratio of 1.0 means provisioned capacity cannot exceed the total physical capacity. If ratio is auto, Cinder will automatically calculate the ratio based on the provisioned capacity and the used space. If not set to auto, the ratio has to be a minimum of 1.0.

message_reap_interval = 86400

integer value

Interval, in seconds, between periodic task runs to clean expired messages.

message_ttl = 2592000

integer value

Message minimum life in seconds.

migration_create_volume_timeout_secs = 300

integer value

Timeout for creating the volume to migrate to when performing volume migration (seconds)

monkey_patch = False

boolean value

Enable monkey patching

monkey_patch_modules = []

list value

List of modules/decorators to monkey patch

my_ip = 10.65.176.99

host address value

IP address of this host

no_snapshot_gb_quota = False

boolean value

Whether snapshots count against gigabyte quota

num_iser_scan_tries = 3

integer value

The maximum number of times to rescan iSER target to find volume

num_shell_tries = 3

integer value

Number of times to attempt to run flakey shell commands

num_volume_device_scan_tries = 3

integer value

The maximum number of times to rescan targets to find volume

nvmet_ns_id = 10

integer value

The namespace id associated with the subsystem that will be created with the path for the LVM volume.

nvmet_port_id = 1

port value

The port that the NVMe target is listening on.

osapi_max_limit = 1000

integer value

The maximum number of items that a collection resource returns in a single response

osapi_volume_ext_list = []

list value

Specify list of extensions to load when using osapi_volume_extension option with cinder.api.contrib.select_extensions

osapi_volume_extension = ['cinder.api.contrib.standard_extensions']

multi valued

osapi volume extension to load

osapi_volume_listen = 0.0.0.0

string value

IP address on which OpenStack Volume API listens

osapi_volume_listen_port = 8776

port value

Port on which OpenStack Volume API listens

osapi_volume_use_ssl = False

boolean value

Wraps the socket in an SSL context if True is set. A certificate file and key file must be specified.

osapi_volume_workers = None

integer value

Number of workers for OpenStack Volume API service. The default is equal to the number of CPUs available.

per_volume_size_limit = -1

integer value

Max size allowed per volume, in gigabytes

periodic_fuzzy_delay = 60

integer value

Range, in seconds, to randomly delay when starting the periodic task scheduler to reduce stampeding. (Disable by setting to 0)

periodic_interval = 60

integer value

Interval, in seconds, between running periodic tasks

pool_id_filter = []

list value

Pool IDs permitted for use.

pool_type = default

string value

Pool type, like sata-2copy

public_endpoint = None

string value

Public url to use for versions endpoint. The default is None, which will use the request’s host_url attribute to populate the URL base. If Cinder is operating behind a proxy, you will want to change this to represent the proxy’s URL.

publish_errors = False

boolean value

Enables or disables publication of error events.

quota_backup_gigabytes = 1000

integer value

Total amount of storage, in gigabytes, allowed for backups per project

quota_backups = 10

integer value

Number of volume backups allowed per project

quota_consistencygroups = 10

integer value

Number of consistencygroups allowed per project

quota_driver = cinder.quota.DbQuotaDriver

string value

Default driver to use for quota checks

quota_gigabytes = 1000

integer value

Total amount of storage, in gigabytes, allowed for volumes and snapshots per project

quota_groups = 10

integer value

Number of groups allowed per project

quota_snapshots = 10

integer value

Number of volume snapshots allowed per project

quota_volumes = 10

integer value

Number of volumes allowed per project

rate_limit_burst = 0

integer value

Maximum number of logged messages per rate_limit_interval.

rate_limit_except_level = CRITICAL

string value

Log level name used by rate limiting: CRITICAL, ERROR, INFO, WARNING, DEBUG or empty string. Logs with level greater or equal to rate_limit_except_level are not filtered. An empty string means that all levels are filtered.

rate_limit_interval = 0

integer value

Interval, number of seconds, of log rate limiting.

reinit_driver_count = 3

integer value

Maximum number of times to reinitialize the driver if volume initialization fails. The retry interval backs off exponentially: 1s, 2s, 4s, and so on.

replication_device = None

dict value

Multi opt of dictionaries to represent a replication target device. This option may be specified multiple times in a single config section to specify multiple replication target devices. Each entry takes the standard dict config form: replication_device = target_device_id:<required>,key1:value1,key2:value2…

report_discard_supported = False

boolean value

Report to clients of Cinder that the backend supports discard (aka. trim/unmap). This will not actually change the behavior of the backend or the client directly, it will only notify that it can be used.

report_interval = 10

integer value

Interval, in seconds, between nodes reporting state to datastore

reservation_clean_interval = $reservation_expire

integer value

Interval between periodic task runs to clean expired reservations in seconds.

reservation_expire = 86400

integer value

Number of seconds until a reservation expires

reserved_percentage = 0

integer value

The percentage of backend capacity that is reserved.

resource_query_filters_file = /etc/cinder/resource_filters.json

string value

JSON file indicating user visible filter parameters for list queries.

restore_discard_excess_bytes = True

boolean value

If True, always discard excess bytes when restoring volumes i.e. pad with zeroes.

rootwrap_config = /etc/cinder/rootwrap.conf

string value

Path to the rootwrap configuration file to use for running commands as root

rpc_conn_pool_size = 30

integer value

Size of RPC connection pool.

rpc_response_timeout = 60

integer value

Seconds to wait for a response from a call.

run_external_periodic_tasks = True

boolean value

Some periodic tasks can be run in a separate process. Should we run them here?

scheduler_default_filters = ['AvailabilityZoneFilter', 'CapacityFilter', 'CapabilitiesFilter']

list value

Which filter class names to use for filtering hosts when not specified in the request.

scheduler_default_weighers = ['CapacityWeigher']

list value

Which weigher class names to use for weighing hosts.

scheduler_driver = cinder.scheduler.filter_scheduler.FilterScheduler

string value

Default scheduler driver to use

scheduler_host_manager = cinder.scheduler.host_manager.HostManager

string value

The scheduler host manager class to use

`scheduler_json_config_location = `

string value

Absolute path to scheduler configuration JSON file.

scheduler_manager = cinder.scheduler.manager.SchedulerManager

string value

Full class name for the Manager for scheduler

scheduler_max_attempts = 3

integer value

Maximum number of attempts to schedule a volume

scheduler_weight_handler = cinder.scheduler.weights.OrderedHostWeightHandler

string value

Which handler to use for selecting the host/pool after weighing

scst_target_driver = iscsi

string value

SCST target implementation can choose from multiple SCST target drivers.

scst_target_iqn_name = None

string value

Certain iSCSI targets have predefined target names; the SCST target driver uses this name.

service_down_time = 60

integer value

Maximum time since last check-in for a service to be considered up

snapshot_name_template = snapshot-%s

string value

Template string to be used to generate snapshot names

snapshot_same_host = True

boolean value

Create volume from snapshot at the host where snapshot resides

split_loggers = False

boolean value

Log requests to multiple loggers.

ssh_hosts_key_file = $state_path/ssh_known_hosts

string value

File containing SSH host keys for the systems with which Cinder needs to communicate. OPTIONAL: Default=$state_path/ssh_known_hosts

state_path = /var/lib/cinder

string value

Top-level directory for maintaining cinder’s state

storage_availability_zone = nova

string value

Availability zone of this node. Can be overridden per volume backend with the option "backend_availability_zone".

storage_protocol = iscsi

string value

Protocol for transferring data between host and storage back-end.

storpool_replication = 3

integer value

The default StorPool chain replication value. Used when creating a volume with no specified type if storpool_template is not set. Also used for calculating the apparent free space reported in the stats.

storpool_template = None

string value

The StorPool template for volumes with no type.

strict_ssh_host_key_policy = False

boolean value

Option to enable strict host key checking. When set to "True" Cinder will only connect to systems with a host key present in the configured "ssh_hosts_key_file". When set to "False" the host key will be saved upon first connection and used for subsequent connections. Default=False

swift_catalog_info = object-store:swift:publicURL

string value

Info to match when looking for swift in the service catalog. Format is colon-separated values of the form <service_type>:<service_name>:<endpoint_type>. Only used if backup_swift_url is unset.

syslog-log-facility = LOG_USER

string value

Syslog facility to receive log lines. This option is ignored if log_config_append is set.

target_helper = tgtadm

string value

Target user-land tool to use. tgtadm is default, use lioadm for LIO iSCSI support, scstadmin for SCST target support, ietadm for iSCSI Enterprise Target, iscsictl for Chelsio iSCSI Target, nvmet for NVMEoF support, spdk-nvmeof for SPDK NVMe-oF, or fake for testing.

target_ip_address = $my_ip

string value

The IP address that the iSCSI daemon is listening on

target_port = 3260

port value

The port that the iSCSI daemon is listening on

target_prefix = iqn.2010-10.org.openstack:

string value

Prefix for iSCSI volumes

target_protocol = iscsi

string value

Determines the target protocol for new volumes created with the tgtadm, lioadm and nvmet target helpers. To enable RDMA, set this parameter to "iser". The supported iSCSI protocol values are "iscsi" and "iser"; for the nvmet target, set it to "nvmet_rdma".

tcp_keepalive = True

boolean value

Sets the value of TCP_KEEPALIVE (True/False) for each server socket.

tcp_keepalive_count = None

integer value

Sets the value of TCP_KEEPCNT for each server socket. Not supported on OS X.

tcp_keepalive_interval = None

integer value

Sets the value of TCP_KEEPINTVL in seconds for each server socket. Not supported on OS X.

tcp_keepidle = 600

integer value

Sets the value of TCP_KEEPIDLE in seconds for each server socket. Not supported on OS X.

trace_flags = None

list value

List of options that control which trace info is written to the DEBUG log level to assist developers. Valid values are method and api.

transfer_api_class = cinder.transfer.api.API

string value

The full class name of the volume transfer API class

transport_url = rabbit://

string value

The network address and optional user credentials for connecting to the messaging backend, in URL format. The expected format is:

driver://[user:pass@]host:port[,[userN:passN@]hostN:portN]/virtual_host?query

Example: rabbit://rabbitmq:password@127.0.0.1:5672//

For full details on the fields in the URL see the documentation of oslo_messaging.TransportURL at https://docs.openstack.org/oslo.messaging/latest/reference/transport.html
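The transport_url format above allows several comma-separated hosts, each with its own credentials, which generic URL parsers do not split for you. The following added example (not code from oslo.messaging or from this guide) parses that documented layout and produces a password-free form for logs and tickets; the second URL, its hostnames and its `opt=1` query are constructed sample values, and passwords containing `@`, `,`, `/` or `?` are assumed to be percent-encoded.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import unquote

# First value is the example printed in this reference; the second is constructed.
PAGE_EXAMPLE = "rabbit://rabbitmq:password@127.0.0.1:5672//"
CONSTRUCTED = ("rabbit://svc:p%40ss@mq1.example.test:5672,"
               "svc2:s3cret@[2001:db8::2]:5671/cinder?opt=1")


@dataclass(frozen=True)
class Host:
    hostname: str
    port: Optional[int]
    username: Optional[str]
    password: Optional[str]


@dataclass(frozen=True)
class TransportURL:
    driver: str
    hosts: Tuple[Host, ...]
    virtual_host: Optional[str]
    query: str


def _split(url: str):
    """Split into driver, raw host list, raw virtual host and query string."""
    driver, sep, rest = url.partition("://")
    if not sep or not driver:
        raise ValueError("transport_url must start with driver://")
    rest, _, query = rest.partition("?")
    netloc, slash, vhost = rest.partition("/")
    return driver, netloc, (vhost if slash else None), query


def _parse_host(entry: str) -> Host:
    """Parse one [user:pass@]host:port entry, including [IPv6]:port."""
    creds, at, hostport = entry.rpartition("@")
    username = password = None
    if at:
        user, colon, secret = creds.partition(":")
        username = unquote(user)
        password = unquote(secret) if colon else None
    if hostport.startswith("["):
        end = hostport.find("]")
        if end == -1:
            raise ValueError("unterminated IPv6 literal")
        hostname, port_text = hostport[1:end], hostport[end + 1:].lstrip(":")
    else:
        hostname, _, port_text = hostport.partition(":")
    port = int(port_text) if port_text else None
    if port is not None and not 0 < port < 65536:
        raise ValueError(f"port out of range: {port}")
    return Host(hostname, port, username, password)


def parse_transport_url(url: str) -> TransportURL:
    driver, netloc, vhost, query = _split(url)
    hosts = tuple(_parse_host(e) for e in netloc.split(",") if e)
    vhost = unquote(vhost) if vhost is not None else None
    return TransportURL(driver, hosts, vhost, query)


def redact_transport_url(url: str) -> str:
    """Return the URL with every password replaced by ***, rest untouched."""
    driver, netloc, vhost, query = _split(url)
    entries = []
    for entry in netloc.split(","):
        creds, at, hostport = entry.rpartition("@")
        if at and ":" in creds:
            entry = f"{creds.split(':', 1)[0]}:***@{hostport}"
        entries.append(entry)
    out = f"{driver}://{','.join(entries)}"
    if vhost is not None:
        out += "/" + vhost
    return out + ("?" + query if query else "")


def hosts_with_inline_password(url: str) -> List[str]:
    """Hostnames whose password is stored in the option value itself."""
    return [h.hostname for h in parse_transport_url(url).hosts if h.password]


if __name__ == "__main__":
    for sample in (PAGE_EXAMPLE, CONSTRUCTED):
        print(redact_transport_url(sample), hosts_with_inline_password(sample))
```

Any host reported by `hosts_with_inline_password` means the broker password sits in the configuration file itself, so that file's ownership and mode deserve the same care as a key file.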

until_refresh = 0

integer value

Count of reservations until usage is refreshed

use-journal = False

boolean value

Enable journald for logging. If running in a systemd environment you may wish to enable journal support. Doing so will use the journal native protocol which includes structured metadata in addition to log messages. This option is ignored if log_config_append is set.

use-json = False

boolean value

Use JSON formatting for logging. This option is ignored if log_config_append is set.

use-syslog = False

boolean value

Use syslog for logging. Existing syslog format is DEPRECATED and will be changed later to honor RFC5424. This option is ignored if log_config_append is set.

use_chap_auth = False

boolean value

Option to enable/disable CHAP authentication for targets.

use_default_quota_class = True

boolean value

Enables or disables use of default quota class with default quota.

use_eventlog = False

boolean value

Log output to Windows Event Log.

use_forwarded_for = False

boolean value

Treat X-Forwarded-For as the canonical remote address. Only enable this if you have a sanitizing proxy.

use_multipath_for_image_xfer = False

boolean value

Do we attach/detach volumes in cinder using multipath for volume to image and image to volume transfers?

use_stderr = False

boolean value

Log output to standard error. This option is ignored if log_config_append is set.

verify_glance_signatures = enabled

string value

Enable image signature verification.

Cinder uses the image signature metadata from Glance and verifies the signature of a signed image while downloading that image. There are two options here.

  1. enabled: verify when image has signature metadata.
  2. disabled: verification is turned off.

If the image signature cannot be verified, or if the image signature metadata is incomplete when required, Cinder will not create the volume and will update it to an error state. This provides end users with stronger assurances of the integrity of the image data they are using to create volumes.

volume_api_class = cinder.volume.api.API

string value

The full class name of the volume API class to use

volume_backend_name = None

string value

The backend name for a given driver implementation

volume_clear = zero

string value

Method used to wipe old volumes

volume_clear_ionice = None

string value

The flag to pass to ionice to alter the i/o priority of the process used to zero a volume after deletion, for example "-c3" for idle only priority.

volume_clear_size = 0

integer value

Size in MiB to wipe at start of old volumes. 1024 MiB at max. 0 ⇒ all

volume_copy_blkio_cgroup_name = cinder-volume-copy

string value

The blkio cgroup name to be used to limit bandwidth of volume copy

volume_copy_bps_limit = 0

integer value

The upper limit of bandwidth of volume copy. 0 ⇒ unlimited

volume_dd_blocksize = 1M

string value

The default block size used when copying/clearing volumes

volume_manager = cinder.volume.manager.VolumeManager

string value

Full class name for the Manager for volume

volume_name_template = volume-%s

string value

Template string to be used to generate volume names

volume_number_multiplier = -1.0

floating point value

Multiplier used for weighing volume number. Negative numbers mean to spread vs stack.

volume_service_inithost_offload = False

boolean value

Offload pending volume delete during volume service startup

volume_transfer_key_length = 16

integer value

The number of characters in the autogenerated auth key.

volume_transfer_salt_length = 8

integer value

The number of characters in the salt.

volume_usage_audit_period = month

string value

Time period for which to generate volume usages. The options are hour, day, month, or year.

volumes_dir = $state_path/volumes

string value

Volume configuration file storage directory

vrts_lun_sparse = True

boolean value

Create sparse Lun.

vrts_target_config = /etc/cinder/vrts_target.xml

string value

VA config file.

watch-log-file = False

boolean value

Uses logging handler designed to watch file system. When log file is moved or removed this handler will open a new log file with specified path instantaneously. It makes sense only if log_file option is specified and Linux platform is used. This option is ignored if log_config_append is set.

wsgi_default_pool_size = 100

integer value

Size of the pool of greenthreads used by wsgi

wsgi_keep_alive = True

boolean value

If False, closes the client socket connection explicitly.

wsgi_log_format = %(client_ip)s "%(request_line)s" status: %(status_code)s len: %(body_length)s time: %(wall_seconds).7f

string value

A Python format string that is used as the template to generate log lines. The following values can be formatted into it: client_ip, date_time, request_line, status_code, body_length, wall_seconds.

zoning_mode = None

string value

FC Zoning mode configured, only fabric is supported now.
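Several options in the [DEFAULT] table above control certificate validation, SSH host key checking, CHAP and image signature checks, and some of their documented defaults leave the check off. The following added example (not part of the product or of this guide) reads a cinder.conf read-only and lists the occurrences worth reviewing, using the defaults printed in this reference when an option is absent. The sample file contents and the `lvm1` backend name are constructed, and the script assumes nothing about precedence between groups: it reports every group in which an option appears.

```python
import configparser
from typing import List, NamedTuple

TRUE = {"true", "1", "yes", "on"}
FALSE = {"false", "0", "no", "off"}


class Rule(NamedTuple):
    option: str
    page_default: str   # default value as printed in this reference
    review_when: str    # normalised value that gets reported
    reason: str


RULES = [
    Rule("driver_ssl_cert_verify", "False", "false",
         "SSL certificate of the backend endpoint is not validated"),
    Rule("glance_api_insecure", "False", "true",
         "https to glance is used without certificate validation"),
    Rule("strict_ssh_host_key_policy", "False", "false",
         "host key is saved upon first connection instead of being required"),
    Rule("use_chap_auth", "False", "false",
         "CHAP authentication for targets is disabled"),
    Rule("use_forwarded_for", "False", "true",
         "X-Forwarded-For is trusted; only valid behind a sanitizing proxy"),
    Rule("verify_glance_signatures", "enabled", "disabled",
         "image signature verification is turned off"),
]

# Constructed sample input, not taken from a real deployment.
SAMPLE_CONF = """\
[DEFAULT]
enabled_backends = lvm1
glance_api_insecure = True
logging_default_format_string = %(asctime)s %(levelname)s %(message)s
osapi_volume_extension = cinder.api.contrib.standard_extensions
osapi_volume_extension = cinder.api.contrib.select_extensions
verify_glance_signatures = enabled

[lvm1]
driver_use_ssl = True
driver_ssl_cert_verify = false
use_chap_auth = True
"""


class Finding(NamedTuple):
    section: str
    option: str
    value: str
    reason: str


def normalise(value: str) -> str:
    """Fold the usual boolean spellings to 'true'/'false'; lowercase the rest."""
    v = value.strip().lower()
    if v in TRUE:
        return "true"
    if v in FALSE:
        return "false"
    return v


def load(conf_text: str) -> configparser.ConfigParser:
    parser = configparser.ConfigParser(
        interpolation=None,             # log format strings contain %(name)s
        strict=False,                   # multi valued options repeat a key
        delimiters=("=",),              # values such as URLs contain ':'
        default_section="__unused__",   # treat [DEFAULT] as an ordinary group
    )
    parser.read_string(conf_text)
    return parser


def audit(conf_text: str) -> List[Finding]:
    parser = load(conf_text)
    findings = []
    for rule in RULES:
        seen = [(name, parser[name][rule.option])
                for name in parser.sections() if rule.option in parser[name]]
        if not seen:  # option not set anywhere: the documented default applies
            seen = [("(page default)", rule.page_default)]
        for section, value in seen:
            if normalise(value) == rule.review_when:
                findings.append(Finding(section, rule.option, value, rule.reason))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONF):
        print(f"[{f.section}] {f.option} = {f.value}: {f.reason}")
```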

2.1.2. backend

The following table outlines the options available under the [backend] group in the /etc/cinder/cinder.conf file.

Table 2.2. backend

Configuration option = Default value

Type

Description

backend_host = None

string value

Backend override of host value.

2.1.3. backend_defaults

The following table outlines the options available under the [backend_defaults] group in the /etc/cinder/cinder.conf file.

Table 2.3. backend_defaults

Configuration option = Default value

Type

Description

auto_calc_max_oversubscription_ratio = False

boolean value

K2 driver will calculate max_oversubscription_ratio on setting this option as True.

backend_availability_zone = None

string value

Availability zone for this volume backend. If not set, the storage_availability_zone option value is used as the default for all backends.

backend_native_threads_pool_size = 20

integer value

Size of the native threads pool for the backend. Increase for backends that heavily rely on this, like the RBD driver.

chap = disabled

string value

CHAP authentication mode, effective only for iscsi (disabled|enabled)

`chap_password = `

string value

Password for specified CHAP account name.

`chap_username = `

string value

CHAP user name.

check_max_pool_luns_threshold = False

boolean value

DEPRECATED: Report free_capacity_gb as 0 when the limit to maximum number of pool LUNs is reached. By default, the value is False.

chiscsi_conf = /etc/chelsio-iscsi/chiscsi.conf

string value

Chiscsi (CXT) global defaults configuration file

cinder_eternus_config_file = /etc/cinder/cinder_fujitsu_eternus_dx.xml

string value

Config file for the cinder eternus_dx volume driver.

cinder_huawei_conf_file = /etc/cinder/cinder_huawei_conf.xml

string value

The configuration file for the Cinder Huawei driver.

connection_type = iscsi

string value

Connection type to the IBM Storage Array

cycle_period_seconds = 300

integer value

This defines an optional cycle period that applies to Global Mirror relationships with a cycling mode of multi. A Global Mirror relationship using the multi cycling_mode performs a complete cycle at most once each period. The default is 300 seconds, and the valid seconds are 60-86400.

datera_503_interval = 5

integer value

Interval between 503 retries

datera_503_timeout = 120

integer value

Timeout for HTTP 503 retry messages

datera_api_port = 7717

string value

Datera API port.

datera_api_version = 2

string value

Datera API version.

datera_debug = False

boolean value

True to set function arg and return logging

datera_debug_replica_count_override = False

boolean value

ONLY FOR DEBUG/TESTING PURPOSES. True to set replica_count to 1.

datera_disable_profiler = False

boolean value

Set to True to disable profiling in the Datera driver

datera_tenant_id = None

string value

If set to Map, the OpenStack project ID will be mapped implicitly to the Datera tenant ID. If set to None, the Datera tenant ID will not be used during volume provisioning. If set to anything else, the Datera tenant ID will be the provided value.

default_timeout = 31536000

integer value

Default timeout for CLI operations in minutes. For example, LUN migration is a typical long running operation, which depends on the LUN size and the load of the array. An upper bound in the specific deployment can be set to avoid an unnecessarily long wait. By default, it is 365 days long.

deferred_deletion_delay = 0

integer value

Time delay in seconds before a volume is eligible for permanent removal after being tagged for deferred deletion.

deferred_deletion_purge_interval = 60

integer value

Number of seconds between runs of the periodic task to purge volumes tagged for deletion.

dell_api_async_rest_timeout = 15

integer value

Dell SC API async call default timeout in seconds.

dell_api_sync_rest_timeout = 30

integer value

Dell SC API sync call default timeout in seconds.

dell_sc_api_port = 3033

port value

Dell API port

dell_sc_server_folder = openstack

string value

Name of the server folder to use on the Storage Center

dell_sc_ssn = 64702

integer value

Storage Center System Serial Number

dell_sc_verify_cert = False

boolean value

Enable HTTPS SC certificate verification

dell_sc_volume_folder = openstack

string value

Name of the volume folder to use on the Storage Center

dell_server_os = Red Hat Linux 6.x

string value

Server OS type to use when creating a new server on the Storage Center.

destroy_empty_storage_group = False

boolean value

Destroy the storage group when the last LUN is removed from it. By default, the value is False.

disable_discovery = False

boolean value

Disable iSCSI discovery (sendtargets) for multipath connections on the K2 driver.

`dpl_pool = `

string value

DPL pool uuid in which DPL volumes are stored.

dpl_port = 8357

port value

DPL port number.

drbdmanage_devs_on_controller = True

boolean value

If set, the c-vol node will receive a useable /dev/drbdX device, even if the actual data is stored on other nodes only. This is useful for debugging, maintenance, and to be able to do the iSCSI export from the c-vol node.

drbdmanage_disk_options = {"c-min-rate": "4M"}

string value

Disk options to set on new resources. See http://www.drbd.org/en/doc/users-guide-90/re-drbdconf for all the details.

drbdmanage_net_options = {"connect-int": "4", "allow-two-primaries": "yes", "ko-count": "30", "max-buffers": "20000", "ping-timeout": "100"}

string value

Net options to set on new resources. See http://www.drbd.org/en/doc/users-guide-90/re-drbdconf for all the details.

drbdmanage_redundancy = 1

integer value

Number of nodes that should replicate the data.

drbdmanage_resize_plugin = drbdmanage.plugins.plugins.wait_for.WaitForVolumeSize

string value

Volume resize completion wait plugin.

drbdmanage_resize_policy = {"timeout": "60"}

string value

Volume resize completion wait policy.

drbdmanage_resource_options = {"auto-promote-timeout": "300"}

string value

Resource options to set on new resources. See http://www.drbd.org/en/doc/users-guide-90/re-drbdconf for all the details.

drbdmanage_resource_plugin = drbdmanage.plugins.plugins.wait_for.WaitForResource

string value

Resource deployment completion wait plugin.

drbdmanage_resource_policy = {"ratio": "0.51", "timeout": "60"}

string value

Resource deployment completion wait policy.

drbdmanage_snapshot_plugin = drbdmanage.plugins.plugins.wait_for.WaitForSnapshot

string value

Snapshot completion wait plugin.

drbdmanage_snapshot_policy = {"count": "1", "timeout": "60"}

string value

Snapshot completion wait policy.

driver_client_cert = None

string value

The path to the client certificate for verification, if the driver supports it.

driver_client_cert_key = None

string value

The path to the client certificate key for verification, if the driver supports it.

driver_data_namespace = None

string value

Namespace for driver private data values to be saved in.

driver_ssl_cert_path = None

string value

Can be used to specify a non default path to a CA_BUNDLE file or directory with certificates of trusted CAs, which will be used to validate the backend

driver_ssl_cert_verify = False

boolean value

If set to True the http client will validate the SSL certificate of the backend endpoint.

driver_use_ssl = False

boolean value

Tell driver to use SSL for connection to backend storage if the driver supports it.

`ds8k_devadd_unitadd_mapping = `

string value

Mapping between IODevice address and unit address.

ds8k_host_type = auto

string value

Set to zLinux if your OpenStack version is prior to Liberty and you’re connecting to zLinux systems. Otherwise set to auto. Valid values for this parameter are: auto, AMDLinuxRHEL, AMDLinuxSuse, AppleOSX, Fujitsu, Hp, HpTru64, HpVms, LinuxDT, LinuxRF, LinuxRHEL, LinuxSuse, Novell, SGI, SVC, SanFsAIX, SanFsLinux, Sun, VMWare, Win2000, Win2003, Win2008, Win2012, iLinux, nSeries, pLinux, pSeries, pSeriesPowerswap, zLinux, iSeries.

ds8k_ssid_prefix = FF

string value

Set the first two digits of SSID.

enable_deferred_deletion = False

boolean value

Enable deferred deletion. Upon deletion, volumes are tagged for deletion but will only be removed asynchronously at a later time.

enable_unsupported_driver = False

boolean value

Set this to True when you want to allow an unsupported driver to start. Drivers that haven’t maintained a working CI system and testing are marked as unsupported until CI is working again. This also marks a driver as deprecated and may be removed in the next release.

enforce_multipath_for_image_xfer = False

boolean value

If this is set to True, attachment of volumes for image transfer will be aborted when multipathd is not running. Otherwise, it will fall back to single path.

eqlx_cli_max_retries = 5

integer value

Maximum retry count for reconnection. Default is 5.

eqlx_group_name = group-0

string value

Group name to use for creating volumes. Defaults to "group-0".

eqlx_pool = default

string value

Pool in which volumes will be created. Defaults to "default".

excluded_domain_ip = None

IP address value

DEPRECATED: Fault Domain IP to be excluded from iSCSI returns.

excluded_domain_ips = []

list value

Comma separated Fault Domain IPs to be excluded from iSCSI returns.

expiry_thres_minutes = 720

integer value

This option specifies the threshold for last access time for images in the NFS image cache. When a cache cleaning cycle begins, images in the cache that have not been accessed in the last M minutes, where M is the value of this parameter, will be deleted from the cache to create free space on the NFS share.

extra_capabilities = {}

string value

User defined capabilities, a JSON formatted string specifying key/value pairs. The key/value pairs can be used by the CapabilitiesFilter to select between backends when requests specify volume types. For example, specifying a service level or the geographical location of a backend, then creating a volume type to allow the user to select by these different properties.

filter_function = None

string value

String representation for an equation that will be used to filter hosts. Only used when the driver filter is set to be used by the Cinder scheduler.

flashsystem_connection_protocol = FC

string value

Connection protocol should be FC. (Default is FC.)

flashsystem_iscsi_portid = 0

integer value

Default iSCSI Port ID of FlashSystem. (Default port is 0.)

flashsystem_multihostmap_enabled = True

boolean value

Allows vdisk to multi host mapping. (Default is True)

force_delete_lun_in_storagegroup = False

boolean value

Delete a LUN even if it is in Storage Groups. By default, the value is False.

goodness_function = None

string value

String representation for an equation that will be used to determine the goodness of a host. Only used when the goodness weigher is set to be used by the Cinder scheduler.

gpfs_hosts = []

list value

Comma-separated list of IP address or hostnames of GPFS nodes.

gpfs_hosts_key_file = $state_path/ssh_known_hosts

string value

File containing SSH host keys for the gpfs nodes with which the driver needs to communicate. Default=$state_path/ssh_known_hosts

gpfs_images_dir = None

string value

Specifies the path of the Image service repository in GPFS. Leave undefined if not storing images in GPFS.

gpfs_images_share_mode = None

string value

Specifies the type of image copy to be used. Set this when the Image service repository also uses GPFS so that image files can be transferred efficiently from the Image service to the Block Storage service. There are two valid values: "copy" specifies that a full copy of the image is made; "copy_on_write" specifies that copy-on-write optimization strategy is used and unmodified blocks of the image file are shared efficiently.

gpfs_max_clone_depth = 0

integer value

Specifies an upper limit on the number of indirections required to reach a specific block due to snapshots or clones. A lengthy chain of copy-on-write snapshots or clones can have a negative impact on performance, but improves space utilization. 0 indicates unlimited clone depth.

gpfs_mount_point_base = None

string value

Specifies the path of the GPFS directory where Block Storage volume and snapshot files are stored.

`gpfs_private_key = `

string value

Filename of private key to use for SSH authentication.

gpfs_sparse_volumes = True

boolean value

Specifies that volumes are created as sparse files which initially consume no space. If set to False, the volume is created as a fully allocated file, in which case, creation may take a significantly longer time.

gpfs_ssh_port = 22

port value

SSH port to use.

gpfs_storage_pool = system

string value

Specifies the storage pool that volumes are assigned to. By default, the system storage pool is used.

gpfs_strict_host_key_policy = False

boolean value

Option to enable strict gpfs host key checking while connecting to gpfs nodes. Default=False

gpfs_user_login = root

string value

Username for GPFS nodes.

`gpfs_user_password = `

string value

Password for GPFS node user.

`hpe3par_api_url = `

string value

3PAR WSAPI Server Url like https://<3par ip>:8080/api/v1

hpe3par_cpg = ['OpenStack']

list value

List of the CPG(s) to use for volume creation

`hpe3par_cpg_snap = `

string value

The CPG to use for Snapshots for volumes. If empty the userCPG will be used.

hpe3par_debug = False

boolean value

Enable HTTP debugging to 3PAR

hpe3par_iscsi_chap_enabled = False

boolean value

Enable CHAP authentication for iSCSI connections.

hpe3par_iscsi_ips = []

list value

List of target iSCSI addresses to use.

`hpe3par_password = `

string value

3PAR password for the user specified in hpe3par_username

`hpe3par_snapshot_expiration = `

string value

The time in hours when a snapshot expires and is deleted. This must be larger than expiration

`hpe3par_snapshot_retention = `

string value

The time in hours to retain a snapshot. You can’t delete it before this expires.

`hpe3par_username = `

string value

3PAR username with the edit role

hpelefthand_api_url = None

uri value

HPE LeftHand WSAPI Server Url like https://<LeftHand ip>:8081/lhos

hpelefthand_clustername = None

string value

HPE LeftHand cluster name

hpelefthand_debug = False

boolean value

Enable HTTP debugging to LeftHand

hpelefthand_iscsi_chap_enabled = False

boolean value

Configure CHAP authentication for iSCSI connections (Default: Disabled)

hpelefthand_password = None

string value

HPE LeftHand Super user password

hpelefthand_ssh_port = 16022

port value

Port number of SSH service.

hpelefthand_username = None

string value

HPE LeftHand Super user username

hpmsa_api_protocol = https

string value

HPMSA API interface protocol.

hpmsa_backend_name = A

string value

Pool or Vdisk name to use for volume creation.

hpmsa_backend_type = virtual

string value

linear (for Vdisk) or virtual (for Pool).

hpmsa_iscsi_ips = []

list value

List of comma-separated target iSCSI IP addresses.

hpmsa_verify_certificate = False

boolean value

Whether to verify HPMSA array SSL certificate.

hpmsa_verify_certificate_path = None

string value

HPMSA array SSL certificate path.

hypermetro_devices = None

string value

The remote device hypermetro will use.

iet_conf = /etc/iet/ietd.conf

string value

IET configuration file

ignore_pool_full_threshold = False

boolean value

Force LUN creation even if the full threshold of pool is reached. By default, the value is False.

image_upload_use_cinder_backend = False

boolean value

If set to True, upload-to-image in raw format will create a cloned volume and register its location to the image service, instead of uploading the volume content. The cinder backend and locations support must be enabled in the image service.

image_upload_use_internal_tenant = False

boolean value

If set to True, the image volume created by upload-to-image will be placed in the internal tenant. Otherwise, the image volume is created in the current context’s tenant.

image_volume_cache_enabled = False

boolean value

Enable the image volume cache for this backend.

image_volume_cache_max_count = 0

integer value

Max number of entries allowed in the image volume cache. 0 ⇒ unlimited.

image_volume_cache_max_size_gb = 0

integer value

Max size of the image volume cache for this backend in GB. 0 ⇒ unlimited.

infinidat_iscsi_netspaces = []

list value

List of names of network spaces to use for iSCSI connectivity

infinidat_pool_name = None

string value

Name of the pool from which volumes are allocated

infinidat_storage_protocol = fc

string value

Protocol for transferring data between host and storage back-end.

infinidat_use_compression = False

boolean value

Specifies whether to turn on compression for newly created volumes.

initiator_auto_deregistration = False

boolean value

Automatically deregister initiators after the related storage group is destroyed. By default, the value is False.

initiator_auto_registration = False

boolean value

Automatically register initiators. By default, the value is False.

initiator_check = False

boolean value

Use this value to enable the initiator_check.

interval = 3

integer value

Use this value to specify length of the interval in seconds.

io_port_list = None

list value

Comma separated iSCSI or FC ports to be used in Nova or Cinder.

iscsi_initiators = None

string value

Mapping between hostname and its iSCSI initiator IP addresses.

iscsi_iotype = fileio

string value

Sets the behavior of the iSCSI target to perform either blockio or fileio. Optionally, auto can be set and Cinder will autodetect the type of backing device.

iscsi_secondary_ip_addresses = []

list value

The list of secondary IP addresses of the iSCSI daemon

`iscsi_target_flags = `

string value

Sets the target-specific flags for the iSCSI target. Only used for tgtadm to specify backing device flags using bsoflags option. The specified string is passed as is to the underlying tool.

iscsi_write_cache = on

string value

Sets the behavior of the iSCSI target to either perform write-back(on) or write-through(off). This parameter is valid if target_helper is set to tgtadm.

iser_helper = tgtadm

string value

The name of the iSER target user-land tool to use

iser_ip_address = $my_ip

string value

The IP address that the iSER daemon is listening on

iser_port = 3260

port value

The port that the iSER daemon is listening on

iser_target_prefix = iqn.2010-10.org.openstack:

string value

Prefix for iSER volumes

lenovo_api_protocol = https

string value

Lenovo api interface protocol.

lenovo_backend_name = A

string value

Pool or Vdisk name to use for volume creation.

lenovo_backend_type = virtual

string value

linear (for VDisk) or virtual (for Pool).

lenovo_iscsi_ips = []

list value

List of comma-separated target iSCSI IP addresses.

lenovo_verify_certificate = False

boolean value

Whether to verify Lenovo array SSL certificate.

lenovo_verify_certificate_path = None

string value

Lenovo array SSL certificate path.

linstor_controller_diskless = True

boolean value

True means Cinder node is a diskless LINSTOR node.

linstor_default_blocksize = 4096

integer value

Default Block size for Image restoration. When using iSCSI transport, this option specifies the block size

linstor_default_storage_pool_name = DfltStorPool

string value

Default Storage Pool name for LINSTOR.

linstor_default_uri = linstor://localhost

string value

Default storage URI for LINSTOR.

linstor_default_volume_group_name = drbd-vg

string value

Default Volume Group name for LINSTOR. Not Cinder Volume.

linstor_volume_downsize_factor = 4096

floating point value

Default volume downscale size in KiB = 4 MiB.

`lss_range_for_cg = `

string value

Reserve LSSs for consistency group.

lvm_conf_file = /etc/cinder/lvm.conf

string value

LVM conf file to use for the LVM driver in Cinder; this setting is ignored if the specified file does not exist (You can also specify None to not use a conf file even if one exists).

lvm_mirrors = 0

integer value

If >0, create LVs with multiple mirrors. Note that this requires lvm_mirrors + 2 PVs with available space

lvm_suppress_fd_warnings = False

boolean value

Suppress leaked file descriptor warnings in LVM commands.

lvm_type = auto

string value

Type of LVM volumes to deploy; (default, thin, or auto). Auto defaults to thin if thin is supported.

`management_ips = `

string value

List of Management IP addresses (separated by commas)

max_luns_per_storage_group = 255

integer value

Default max number of LUNs in a storage group. By default, the value is 255.

max_over_subscription_ratio = 20.0

string value

Representation of the over subscription ratio when thin provisioning is enabled. Default ratio is 20.0, meaning provisioned capacity can be 20 times of the total physical capacity. If the ratio is 10.5, it means provisioned capacity can be 10.5 times of the total physical capacity. A ratio of 1.0 means provisioned capacity cannot exceed the total physical capacity. If ratio is auto, Cinder will automatically calculate the ratio based on the provisioned capacity and the used space. If not set to auto, the ratio has to be a minimum of 1.0.

metro_domain_name = None

string value

The remote metro device domain name.

metro_san_address = None

string value

The remote metro device request url.

metro_san_password = None

string value

The remote metro device san password.

metro_san_user = None

string value

The remote metro device san user.

metro_storage_pools = None

string value

The remote metro device pool names.

`nas_host = `

string value

IP address or Hostname of NAS system.

nas_login = admin

string value

User name to connect to NAS system.

nas_mount_options = None

string value

Options used to mount the storage backend file system where Cinder volumes are stored.

`nas_password = `

string value

Password to connect to NAS system.

`nas_private_key = `

string value

Filename of private key to use for SSH authentication.

nas_secure_file_operations = auto

string value

Allow network-attached storage systems to operate in a secure environment where root level access is not permitted. If set to False, access is as the root user and insecure. If set to True, access is not as root. If set to auto, a check is done to determine if this is a new installation: True is used if so, otherwise False. Default is auto.

nas_secure_file_permissions = auto

string value

Set more secure file permissions on network-attached storage volume files to restrict broad other/world access. If set to False, volumes are created with open permissions. If set to True, volumes are created with permissions for the cinder user and group (660). If set to auto, a check is done to determine if this is a new installation: True is used if so, otherwise False. Default is auto.

`nas_share_path = `

string value

Path to the share to use for storing Cinder volumes. For example: "/srv/export1" for an NFS server export available at 10.0.5.10:/srv/export1 .

nas_ssh_port = 22

port value

SSH port to use to connect to NAS system.

nas_volume_prov_type = thin

string value

Provisioning type that will be used when creating volumes.

naviseccli_path = None

string value

Naviseccli Path.

netapp_api_trace_pattern = (.*)

string value

A regular expression to limit the API tracing. This option is honored only if enabling api tracing with the trace_flags option. By default, all APIs will be traced.

netapp_copyoffload_tool_path = None

string value

This option specifies the path of the NetApp copy offload tool binary. Ensure that the binary has execute permissions set which allow the effective user of the cinder-volume process to execute the file.

netapp_host_type = None

string value

This option defines the type of operating system for all initiators that can access a LUN. This information is used when mapping LUNs to individual hosts or groups of hosts.

netapp_login = None

string value

Administrative user account name used to access the storage system or proxy server.

netapp_lun_ostype = None

string value

This option defines the type of operating system that will access a LUN exported from Data ONTAP; it is assigned to the LUN at the time it is created.

netapp_lun_space_reservation = enabled

string value

This option determines if storage space is reserved for LUN allocation. If enabled, LUNs are thick provisioned. If space reservation is disabled, storage space is allocated on demand.

netapp_password = None

string value

Password for the administrative user account specified in the netapp_login option.

netapp_pool_name_search_pattern = (.+)

string value

This option is used to restrict provisioning to the specified pools. Specify the value of this option to be a regular expression which will be applied to the names of objects from the storage backend which represent pools in Cinder. This option is only utilized when the storage protocol is configured to use iSCSI or FC.

netapp_replication_aggregate_map = None

dict value

Multi opt of dictionaries to represent the aggregate mapping between source and destination back ends when using whole back end replication. For every source aggregate associated with a cinder pool (NetApp FlexVol), you would need to specify the destination aggregate on the replication target device. A replication target device is configured with the configuration option replication_device. Specify this option as many times as you have replication devices. Each entry takes the standard dict config form: netapp_replication_aggregate_map = backend_id:<name_of_replication_device_section>,src_aggr_name1:dest_aggr_name1,src_aggr_name2:dest_aggr_name2,…​

netapp_server_hostname = None

string value

The hostname (or IP address) for the storage system or proxy server.

netapp_server_port = None

integer value

The TCP port to use for communication with the storage system or proxy server. If not specified, Data ONTAP drivers will use 80 for HTTP and 443 for HTTPS.

netapp_size_multiplier = 1.2

floating point value

The quantity to be multiplied by the requested volume size to ensure enough space is available on the virtual storage server (Vserver) to fulfill the volume creation request. Note: this option is deprecated and will be removed in favor of "reserved_percentage" in the Mitaka release.

netapp_snapmirror_quiesce_timeout = 3600

integer value

The maximum time in seconds to wait for existing SnapMirror transfers to complete before aborting during a failover.

netapp_storage_family = ontap_cluster

string value

The storage family type used on the storage system; the only valid value is ontap_cluster for using clustered Data ONTAP.

netapp_storage_protocol = None

string value

The storage protocol to be used on the data path with the storage system.

netapp_transport_type = http

string value

The transport protocol used when communicating with the storage system or proxy server.

netapp_vserver = None

string value

This option specifies the virtual storage server (Vserver) name on the storage cluster on which provisioning of block storage volumes should occur.

nexenta_blocksize = 4096

integer value

Block size for datasets

nexenta_chunksize = 32768

integer value

NexentaEdge iSCSI LUN object chunk size

`nexenta_client_address = `

string value

NexentaEdge iSCSI Gateway client address for non-VIP service

nexenta_dataset_compression = on

string value

Compression value for new ZFS folders.

nexenta_dataset_dedup = off

string value

Deduplication value for new ZFS folders.

`nexenta_dataset_description = `

string value

Human-readable description for the folder.

nexenta_encryption = False

boolean value

Defines whether NexentaEdge iSCSI LUN object has encryption enabled.

`nexenta_folder = `

string value

A folder where cinder created datasets will reside.

`nexenta_host = `

string value

IP address of Nexenta SA

nexenta_host_group_prefix = cinder

string value

Prefix for iSCSI host groups on SA

nexenta_iops_limit = 0

integer value

NexentaEdge iSCSI LUN object IOPS limit

`nexenta_iscsi_service = `

string value

NexentaEdge iSCSI service name

nexenta_iscsi_target_host_group = all

string value

Group of hosts which are allowed to access volumes

`nexenta_iscsi_target_portal_groups = `

string value

Nexenta target portal groups

nexenta_iscsi_target_portal_port = 3260

integer value

Nexenta target portal port

`nexenta_iscsi_target_portals = `

string value

Comma separated list of portals for NexentaStor5, in format of IP1:port1,IP2:port2. Port is optional, default=3260. Example: 10.10.10.1:3267,10.10.1.2

nexenta_lu_writebackcache_disabled = False

boolean value

Postponed write to backing store or not

`nexenta_lun_container = `

string value

NexentaEdge logical path of bucket for LUNs

nexenta_luns_per_target = 100

integer value

Amount of iSCSI LUNs per each target

nexenta_mount_point_base = $state_path/mnt

string value

Base directory that contains NFS share mount points

nexenta_nbd_symlinks_dir = /dev/disk/by-path

string value

NexentaEdge logical path of directory to store symbolic links to NBDs

nexenta_nms_cache_volroot = True

boolean value

If set to True, cache the NexentaStor appliance volroot option value.

nexenta_ns5_blocksize = 32

integer value

Block size for datasets

nexenta_password = nexenta

string value

Password to connect to Nexenta SA

nexenta_replication_count = 3

integer value

NexentaEdge iSCSI LUN object replication count.

`nexenta_rest_address = `

string value

IP address of NexentaEdge management REST API endpoint

nexenta_rest_password = nexenta

string value

Password to connect to NexentaEdge.

nexenta_rest_port = 0

integer value

HTTP(S) port to connect to Nexenta REST API server. If it is equal to zero, 8443 for HTTPS and 8080 for HTTP is used.

nexenta_rest_protocol = auto

string value

Use http or https for REST connection (default auto)

nexenta_rest_user = admin

string value

User name to connect to NexentaEdge.

nexenta_rrmgr_compression = 0

integer value

Enable stream compression, level 1..9. 1 - gives best speed; 9 - gives best compression.

nexenta_rrmgr_connections = 2

integer value

Number of TCP connections.

nexenta_rrmgr_tcp_buf_size = 4096

integer value

TCP Buffer size in KiloBytes.

nexenta_shares_config = /etc/cinder/nfs_shares

string value

File with the list of available nfs shares

nexenta_sparse = False

boolean value

Enables or disables the creation of sparse datasets

nexenta_sparsed_volumes = True

boolean value

Enables or disables the creation of volumes as sparsed files that take no space. If disabled (False), volume is created as a regular file, which takes a long time.

nexenta_target_group_prefix = cinder

string value

Prefix for iSCSI target groups on SA

nexenta_target_prefix = iqn.1986-03.com.sun:02:cinder

string value

IQN prefix for iSCSI targets

nexenta_use_https = True

boolean value

Use secure HTTP for REST connection (default True)

nexenta_user = admin

string value

User name to connect to Nexenta SA

nexenta_volume = cinder

string value

SA Pool that holds all volumes

nexenta_volume_group = iscsi

string value

Volume group for NexentaStor5 iSCSI

nfs_mount_attempts = 3

integer value

The number of attempts to mount NFS shares before raising an error. At least one attempt will be made to mount an NFS share, regardless of the value specified.

nfs_mount_options = None

string value

Mount options passed to the NFS client. See section of the NFS man page for details.

nfs_mount_point_base = $state_path/mnt

string value

Base dir containing mount points for NFS shares.

nfs_qcow2_volumes = False

boolean value

Create volumes as QCOW2 files rather than raw files.

nfs_shares_config = /etc/cinder/nfs_shares

string value

File with the list of available NFS shares.

nfs_snapshot_support = False

boolean value

Enable support for snapshots on the NFS driver. Platforms using libvirt <1.2.7 will encounter issues with this feature.

nfs_sparsed_volumes = True

boolean value

Create volumes as sparsed files which take no space. If set to False, the volume is created as a regular file, in which case volume creation takes a lot of time.

nimble_pool_name = default

string value

Nimble Controller pool name

nimble_subnet_label = *

string value

Nimble Subnet Label

nimble_verify_cert_path = None

string value

Path to Nimble Array SSL certificate

nimble_verify_certificate = False

boolean value

Whether to verify Nimble SSL Certificate

num_iser_scan_tries = 3

integer value

The maximum number of times to rescan iSER target to find volume

num_shell_tries = 3

integer value

Number of times to attempt to run flakey shell commands

num_volume_device_scan_tries = 3

integer value

The maximum number of times to rescan targets to find volume

nvmet_ns_id = 10

integer value

The namespace id associated with the subsystem that will be created with the path for the LVM volume.

nvmet_port_id = 1

port value

The port that the NVMe target is listening on.

powermax_array = None

string value

Serial number of the array to connect to.

powermax_port_groups = None

list value

List of port groups containing frontend ports configured prior for server connection.

powermax_service_level = None

string value

Service level to use for provisioning storage. Setting this as an extra spec in pool_name is preferable.

powermax_snapvx_unlink_limit = 3

integer value

Use this value to specify the maximum number of unlinks for the temporary snapshots before a clone operation.

powermax_srp = None

string value

Storage resource pool on array to use for provisioning.

proxy = cinder.volume.drivers.ibm.ibm_storage.proxy.IBMStorageProxy

string value

Proxy driver that connects to the IBM Storage Array

pure_api_token = None

string value

REST API authorization token.

pure_automatic_max_oversubscription_ratio = True

boolean value

Automatically determine an oversubscription ratio based on the current total data reduction values. If used this calculated value will override the max_over_subscription_ratio config option.

pure_eradicate_on_delete = False

boolean value

When enabled, all Pure volumes, snapshots, and protection groups will be eradicated at the time of deletion in Cinder. Data will NOT be recoverable after a delete with this set to True! When disabled, volumes and snapshots will go into pending eradication state and can be recovered.

pure_replica_interval_default = 3600

integer value

Snapshot replication interval in seconds.

pure_replica_retention_long_term_default = 7

integer value

Retain snapshots per day on target for this time (in days.)

pure_replica_retention_long_term_per_day_default = 3

integer value

Retain how many snapshots for each day.

pure_replica_retention_short_term_default = 14400

integer value

Retain all snapshots on target for this time (in seconds.)

pure_replication_pg_name = cinder-group

string value

Pure Protection Group name to use for async replication (will be created if it does not exist).

pure_replication_pod_name = cinder-pod

string value

Pure Pod name to use for sync replication (will be created if it does not exist).

qnap_management_url = None

uri value

The URL used to manage the QNAP Storage. The driver does not support an IPv6 address in the URL.

qnap_poolname = None

string value

The pool name in the QNAP Storage

qnap_storage_protocol = iscsi

string value

Communication protocol to access QNAP storage

quobyte_client_cfg = None

string value

Path to a Quobyte Client configuration file.

quobyte_mount_point_base = $state_path/mnt

string value

Base dir containing the mount point for the Quobyte volume.

quobyte_overlay_volumes = False

boolean value

Create new volumes from the volume_from_snapshot_cache by creating overlay files instead of full copies. This speeds up the creation of volumes from this cache. This feature requires the options quobyte_qcow2_volumes and quobyte_volume_from_snapshot_cache to be set to True. If one of these is set to False this option is ignored.

quobyte_qcow2_volumes = True

boolean value

Create volumes as QCOW2 files rather than raw files.

quobyte_sparsed_volumes = True

boolean value

Create volumes as sparse files which take no space. If set to False, volume is created as regular file.

quobyte_volume_from_snapshot_cache = False

boolean value

Create a cache of volumes from merged snapshots to speed up creation of multiple volumes from a single snapshot.

quobyte_volume_url = None

string value

Quobyte URL to the Quobyte volume using e.g. a DNS SRV record (preferred) or a host list (alternatively) like quobyte://<DIR host1>, <DIR host2>/<volume name>

rados_connect_timeout = -1

integer value

Timeout value (in seconds) used when connecting to ceph cluster. If value < 0, no timeout is set and default librados value is used.

rados_connection_interval = 5

integer value

Interval value (in seconds) between connection retries to ceph cluster.

rados_connection_retries = 3

integer value

Number of retries if connection to ceph cluster failed.

`rbd_ceph_conf = `

string value

Path to the ceph configuration file

rbd_cluster_name = ceph

string value

The name of ceph cluster

rbd_exclusive_cinder_pool = False

boolean value

Set to True if the pool is used exclusively by Cinder. On exclusive use driver won’t query images' provisioned size as they will match the value calculated by the Cinder core code for allocated_capacity_gb. This reduces the load on the Ceph cluster as well as on the volume service.

rbd_flatten_volume_from_snapshot = False

boolean value

Flatten volumes created from snapshots to remove dependency from volume to snapshot

`rbd_keyring_conf = `

string value

Path to the ceph keyring file

rbd_max_clone_depth = 5

integer value

Maximum number of nested volume clones that are taken before a flatten occurs. Set to 0 to disable cloning.

rbd_pool = rbd

string value

The RADOS pool where rbd volumes are stored

rbd_secret_uuid = None

string value

The libvirt uuid of the secret for the rbd_user volumes

rbd_store_chunk_size = 4

integer value

Volumes will be chunked into objects of this size (in megabytes).

rbd_user = None

string value

The RADOS client name for accessing rbd volumes - only set when using cephx authentication

remove_empty_host = False

boolean value

To remove the host from Unity when the last LUN is detached from it. By default, it is False.

replication_connect_timeout = 5

integer value

Timeout value (in seconds) used when connecting to ceph cluster to do a demotion/promotion of volumes. If value < 0, no timeout is set and default librados value is used.

replication_device = None

dict value

Multi opt of dictionaries to represent a replication target device. This option may be specified multiple times in a single config section to specify multiple replication target devices. Each entry takes the standard dict config form: replication_device = target_device_id:<required>,key1:value1,key2:value2…​

report_discard_supported = False

boolean value

Report to clients of Cinder that the backend supports discard (aka. trim/unmap). This will not actually change the behavior of the backend or the client directly, it will only notify that it can be used.

report_dynamic_total_capacity = True

boolean value

Set to True for driver to report total capacity as a dynamic value (used + current free) and to False to report a static value (quota max bytes if defined and global size of cluster if not).

reserved_percentage = 0

integer value

The percentage of backend capacity that is reserved.

retries = 200

integer value

Use this value to specify number of retries.

san_api_port = None

port value

Port to use to access the SAN API

`san_clustername = `

string value

Cluster name to use for creating volumes

`san_ip = `

string value

IP address of SAN controller

san_is_local = False

boolean value

Execute commands locally instead of over SSH; use if the volume service is running on the SAN device

san_login = admin

string value

Username for SAN controller

`san_password = `

string value

Password for SAN controller

`san_private_key = `

string value

Filename of private key to use for SSH authentication

san_rest_port = 8443

port value

REST server port number.

san_ssh_port = 22

port value

SSH port to use with SAN

san_thin_provision = True

boolean value

Use thin provisioning for SAN volumes?

scst_target_driver = iscsi

string value

SCST target implementation can choose from multiple SCST target drivers.

scst_target_iqn_name = None

string value

Certain iSCSI targets have predefined target names; the SCST target driver uses this name.

`secondary_san_ip = `

string value

IP address of secondary DSM controller

secondary_san_login = Admin

string value

Secondary DSM user name

`secondary_san_password = `

string value

Secondary DSM user password name

secondary_sc_api_port = 3033

port value

Secondary Dell API port

sf_account_prefix = None

string value

Create SolidFire accounts with this prefix. Any string can be used here, but the string "hostname" is special and will create a prefix using the cinder node hostname (previous default behavior). The default is NO prefix.

sf_allow_template_caching = False

boolean value

This option is deprecated and will be removed in the next OpenStack release. Please use the general cinder image-caching feature instead.

sf_allow_tenant_qos = False

boolean value

Allow tenants to specify QOS on create

sf_api_port = 443

port value

SolidFire API port. Useful if the device api is behind a proxy on a different port.

sf_emulate_512 = True

boolean value

Set 512 byte emulation on volume creation.

sf_enable_vag = False

boolean value

Utilize volume access groups on a per-tenant basis.

sf_provisioning_calc = maxProvisionedSpace

string value

Change how SolidFire reports used space and provisioning calculations. If this parameter is set to usedSpace, the driver will report correct values as expected by Cinder thin provisioning.

sf_svip = None

string value

Overrides default cluster SVIP with the one specified. This is required for deployments that have implemented the use of VLANs for iSCSI networks in their cloud.

sf_template_account_name = openstack-vtemplate

string value

Account name on the SolidFire Cluster to use as owner of template/cache volumes (created if does not exist).

sf_volume_prefix = UUID-

string value

Create SolidFire volumes with this prefix. Volume names are of the form <sf_volume_prefix><cinder-volume-id>. The default is to use a prefix of UUID-.

sheepdog_store_address = 127.0.0.1

string value

IP address of sheep daemon.

sheepdog_store_port = 7000

port value

Port of sheep daemon.

sio_allow_non_padded_volumes = False

boolean value

Allow volumes to be created in Storage Pools when zero padding is disabled. This option should not be enabled if multiple tenants will utilize volumes from a shared Storage Pool.

sio_max_over_subscription_ratio = 10.0

floating point value

max_over_subscription_ratio setting for the driver. Maximum value allowed is 10.0.

sio_protection_domain_id = None

string value

DEPRECATED: Protection Domain ID.

sio_protection_domain_name = None

string value

DEPRECATED: Protection Domain name.

sio_rest_server_port = 443

string value

Gateway REST server port.

sio_round_volume_capacity = True

boolean value

Round volume sizes up to 8GB boundaries. VxFlex OS/ScaleIO requires volumes to be sized in multiples of 8GB. If set to False, volume creation will fail for volumes not sized properly

sio_server_api_version = None

string value

VxFlex OS/ScaleIO API version. This value should be left as the default value unless otherwise instructed by technical support.

sio_server_certificate_path = None

string value

Server certificate path.

sio_storage_pool_id = None

string value

DEPRECATED: Storage Pool ID.

sio_storage_pool_name = None

string value

DEPRECATED: Storage Pool name.

sio_storage_pools = None

string value

Storage Pools. Comma separated list of storage pools used to provide volumes. Each pool should be specified as a protection_domain_name:storage_pool_name value

sio_unmap_volume_before_deletion = False

boolean value

Unmap volumes before deletion.

sio_verify_server_certificate = False

boolean value

Verify server certificate.

smbfs_default_volume_format = vhd

string value

Default format that will be used when creating volumes if no volume format is specified.

smbfs_mount_point_base = C:\OpenStack\_mnt

string value

Base dir containing mount points for smbfs shares.

smbfs_pool_mappings = {}

dict value

Mappings between share locations and pool names. If not specified, the share names will be used as pool names. Example: //addr/share:pool_name,//addr/share2:pool_name2

smbfs_shares_config = C:\OpenStack\smbfs_shares.txt

string value

File with the list of available smbfs shares.

spdk_rpc_ip = None

string value

The NVMe target remote configuration IP address.

spdk_rpc_password = None

string value

The NVMe target remote configuration password.

spdk_rpc_port = 8000

port value

The NVMe target remote configuration port.

spdk_rpc_username = None

string value

The NVMe target remote configuration username.

ssh_conn_timeout = 30

integer value

SSH connection timeout in seconds

ssh_max_pool_conn = 5

integer value

Maximum ssh connections in the pool

ssh_min_pool_conn = 1

integer value

Minimum ssh connections in the pool

storage_protocol = iscsi

string value

Protocol for transferring data between host and storage back-end.

storage_vnx_authentication_type = global

string value

VNX authentication scope type. By default, the value is global.

storage_vnx_pool_names = None

list value

Comma-separated list of storage pool names to be used.

storage_vnx_security_file_dir = None

string value

Directory path that contains the VNX security file. Make sure the security file is generated first.

storwize_peer_pool = None

string value

Specifies the name of the peer pool for hyperswap volume, the peer pool must exist on the other site.

storwize_preferred_host_site = {}

dict value

Specifies the site information for host. One WWPN or multi WWPNs used in the host can be specified. For example: storwize_preferred_host_site=site1:wwpn1,site2:wwpn2&wwpn3 or storwize_preferred_host_site=site1:iqn1,site2:iqn2

storwize_san_secondary_ip = None

string value

Specifies secondary management IP or hostname to be used if san_ip is invalid or becomes inaccessible.

storwize_svc_allow_tenant_qos = False

boolean value

Allow tenants to specify QOS on create

storwize_svc_flashcopy_rate = 50

integer value

Specifies the Storwize FlashCopy copy rate to be used when creating a full volume copy. The default rate is 50, and the valid rates are 1-150.

storwize_svc_flashcopy_timeout = 120

integer value

Maximum number of seconds to wait for FlashCopy to be prepared.

storwize_svc_iscsi_chap_enabled = True

boolean value

Configure CHAP authentication for iSCSI connections (Default: Enabled)

storwize_svc_mirror_pool = None

string value

Specifies the name of the pool in which mirrored copy is stored. Example: "pool2"

storwize_svc_multihostmap_enabled = True

boolean value

This option no longer has any effect. It is deprecated and will be removed in the next release.

storwize_svc_multipath_enabled = False

boolean value

Connect with multipath (FC only; iSCSI multipath is controlled by Nova)

storwize_svc_stretched_cluster_partner = None

string value

If operating in stretched cluster mode, specify the name of the pool in which mirrored copies are stored. Example: "pool2"

storwize_svc_vol_autoexpand = True

boolean value

Storage system autoexpand parameter for volumes (True/False)

storwize_svc_vol_compression = False

boolean value

Storage system compression option for volumes

storwize_svc_vol_easytier = True

boolean value

Enable Easy Tier for volumes

storwize_svc_vol_grainsize = 256

integer value

Storage system grain size parameter for volumes (8/32/64/128/256)

storwize_svc_vol_iogrp = 0

string value

The I/O group in which to allocate volumes. It can be a comma-separated list in which case the driver will select an io_group based on least number of volumes associated with the io_group.

storwize_svc_vol_nofmtdisk = False

boolean value

Specifies that the volume not be formatted during creation.

storwize_svc_vol_rsize = 2

integer value

Storage system space-efficiency parameter for volumes (percentage)

storwize_svc_vol_warning = 0

integer value

Storage system threshold for volume capacity warnings (percentage)

storwize_svc_volpool_name = ['volpool']

list value

Comma separated list of storage system storage pools for volumes.

suppress_requests_ssl_warnings = False

boolean value

Suppress requests library SSL certificate warnings.

synology_admin_port = 5000

port value

Management port for Synology storage.

synology_device_id = None

string value

Device ID used to skip the one-time password check when logging in to Synology storage if OTP is enabled.

synology_one_time_pass = None

string value

One time password of administrator for logging in Synology storage if OTP is enabled.

`synology_password = `

string value

Password of administrator for logging in Synology storage.

`synology_pool_name = `

string value

Volume on Synology storage to be used for creating lun.

synology_ssl_verify = True

boolean value

Do certificate validation or not if $driver_use_ssl is True

synology_username = admin

string value

Administrator of Synology storage.

target_helper = tgtadm

string value

Target user-land tool to use. tgtadm is default, use lioadm for LIO iSCSI support, scstadmin for SCST target support, ietadm for iSCSI Enterprise Target, iscsictl for Chelsio iSCSI Target, nvmet for NVMEoF support, spdk-nvmeof for SPDK NVMe-oF, or fake for testing.

target_ip_address = $my_ip

string value

The IP address that the iSCSI daemon is listening on

target_port = 3260

port value

The port that the iSCSI daemon is listening on

target_prefix = iqn.2010-10.org.openstack:

string value

Prefix for iSCSI volumes

target_protocol = iscsi

string value

Determines the target protocol for new volumes, created with tgtadm, lioadm and nvmet target helpers. In order to enable RDMA, this parameter should be set with the value "iser". The supported iSCSI protocol values are "iscsi" and "iser", in case of nvmet target set to "nvmet_rdma".

thres_avl_size_perc_start = 20

integer value

If the percentage of available space for an NFS share has dropped below the value specified by this option, the NFS image cache will be cleaned.

thres_avl_size_perc_stop = 60

integer value

When the percentage of available space on an NFS share has reached the percentage specified by this option, the driver will stop clearing files from the NFS image cache that have not been accessed in the last M minutes, where M is the value of the expiry_thres_minutes configuration option.

tintri_api_version = v310

string value

API version for the storage system

tintri_image_cache_expiry_days = 30

integer value

Delete unused image snapshots older than mentioned days

tintri_image_shares_config = None

string value

Path to image nfs shares file

tintri_server_hostname = None

string value

The hostname (or IP address) for the storage system

tintri_server_password = None

string value

Password for the storage system

tintri_server_username = None

string value

User name for the storage system

trace_flags = None

list value

List of options that control which trace info is written to the DEBUG log level to assist developers. Valid values are method and api.

u4p_failover_autofailback = True

boolean value

If the driver should automatically failback to the primary instance of Unisphere when a successful connection is re-established.

u4p_failover_backoff_factor = 1

integer value

A backoff factor to apply between attempts after the second try (most errors are resolved immediately by a second try without a delay). Retries will sleep for: {backoff factor} * (2 ^ ({number of total retries} - 1)) seconds.

u4p_failover_retries = 3

integer value

The maximum number of retries each connection should attempt. Note, this applies only to failed DNS lookups, socket connections and connection timeouts, never to requests where data has made it to the server.

u4p_failover_target = None

dict value

Dictionary of Unisphere failover target info.

u4p_failover_timeout = 20.0

integer value

How long to wait for the server to send data before giving up.

unique_fqdn_network = True

boolean value

Whether our private network has a unique FQDN on each initiator. For example, networks with QA systems usually have multiple servers/VMs with the same FQDN. When true, this will create host entries on K2 using the FQDN; when false, it will use the reversed IQN/WWNN.

unity_io_ports = []

list value

A comma-separated list of iSCSI or FC ports to be used. Each port can be a Unix-style glob expression.

unity_storage_pool_names = []

list value

A comma-separated list of storage pool names to be used.

use_chap_auth = False

boolean value

Option to enable/disable CHAP authentication for targets.

use_multipath_for_image_xfer = False

boolean value

Do we attach/detach volumes in cinder using multipath for volume to image and image to volume transfers?

vmax_array = None

string value

DEPRECATED: vmax_array.

vmax_port_groups = None

list value

DEPRECATED: vmax_port_groups.

vmax_service_level = None

string value

DEPRECATED: vmax_service_level.

vmax_snapvx_unlink_limit = 3

integer value

DEPRECATED: vmax_snapvx_unlink_limit.

vmax_srp = None

string value

DEPRECATED: vmax_srp.

vmax_workload = None

string value

Workload, setting this as an extra spec in pool_name is preferable.

vmware_adapter_type = lsiLogic

string value

Default adapter type to be used for attaching volumes.

vmware_api_retry_count = 10

integer value

Number of times VMware vCenter server API must be retried upon connection related issues.

vmware_ca_file = None

string value

CA bundle file to use in verifying the vCenter server certificate.

vmware_cluster_name = None

multi valued

Name of a vCenter compute cluster where volumes should be created.

vmware_connection_pool_size = 10

integer value

Maximum number of connections in http connection pool.

vmware_datastore_regex = None

string value

Regular expression pattern to match the name of datastores where backend volumes are created.

vmware_host_ip = None

string value

IP address for connecting to VMware vCenter server.

vmware_host_password = None

string value

Password for authenticating with VMware vCenter server.

vmware_host_port = 443

port value

Port number for connecting to VMware vCenter server.

vmware_host_username = None

string value

Username for authenticating with VMware vCenter server.

vmware_host_version = None

string value

Optional string specifying the VMware vCenter server version. The driver attempts to retrieve the version from VMware vCenter server. Set this configuration only if you want to override the vCenter server version.

vmware_image_transfer_timeout_secs = 7200

integer value

Timeout in seconds for VMDK volume transfer between Cinder and Glance.

vmware_insecure = False

boolean value

If true, the vCenter server certificate is not verified. If false, then the default CA truststore is used for verification. This option is ignored if "vmware_ca_file" is set.

vmware_lazy_create = True

boolean value

If true, the backend volume in vCenter server is created lazily when the volume is created without any source. The backend volume is created when the volume is attached, uploaded to image service or during backup.

vmware_max_objects_retrieval = 100

integer value

Max number of objects to be retrieved per batch. Query results will be obtained in batches from the server and not in one shot. Server may still limit the count to something less than the configured value.

vmware_snapshot_format = template

string value

Volume snapshot format in vCenter server.

vmware_storage_profile = None

multi valued

Names of storage profiles to be monitored.

vmware_task_poll_interval = 2.0

floating point value

The interval (in seconds) for polling remote tasks invoked on VMware vCenter server.

vmware_tmp_dir = /tmp

string value

Directory where virtual disks are stored during volume backup and restore.

vmware_volume_folder = Volumes

string value

Name of the vCenter inventory folder that will contain Cinder volumes. This folder will be created under "OpenStack/<project_folder>", where project_folder is of format "Project (<volume_project_id>)".

vmware_wsdl_location = None

string value

Optional VIM service WSDL location, e.g. http://<server>/vimService.wsdl. Optional override to default location for bug work-arounds.

volume_backend_name = None

string value

The backend name for a given driver implementation

volume_clear = zero

string value

Method used to wipe old volumes

volume_clear_ionice = None

string value

The flag to pass to ionice to alter the i/o priority of the process used to zero a volume after deletion, for example "-c3" for idle only priority.

volume_clear_size = 0

integer value

Size in MiB to wipe at start of old volumes. 1024 MiB at max. 0 ⇒ all

volume_copy_blkio_cgroup_name = cinder-volume-copy

string value

The blkio cgroup name to be used to limit bandwidth of volume copy

volume_copy_bps_limit = 0

integer value

The upper limit of bandwidth of volume copy. 0 ⇒ unlimited

volume_dd_blocksize = 1M

string value

The default block size used when copying/clearing volumes

volume_driver = cinder.volume.drivers.lvm.LVMVolumeDriver

string value

Driver to use for volume creation

volume_group = cinder-volumes

string value

Name for the VG that will contain exported volumes

volumes_dir = $state_path/volumes

string value

Volume configuration file storage directory

vzstorage_default_volume_format = raw

string value

Default format that will be used when creating volumes if no volume format is specified.

vzstorage_mount_options = None

list value

Mount options passed to the vzstorage client. See section of the pstorage-mount man page for details.

vzstorage_mount_point_base = $state_path/mnt

string value

Base dir containing mount points for vzstorage shares.

vzstorage_shares_config = /etc/cinder/vzstorage_shares

string value

File with the list of available vzstorage shares.

vzstorage_sparsed_volumes = True

boolean value

Create volumes as sparsed files which take no space rather than regular files when using raw format, in which case volume creation takes a lot of time.

vzstorage_used_ratio = 0.95

floating point value

Percent of ACTUAL usage of the underlying volume before no new volumes can be allocated to the volume destination.

windows_iscsi_lun_path = C:\iSCSIVirtualDisks

string value

Path to store VHD backed volumes

xtremio_array_busy_retry_count = 5

integer value

Number of retries in case array is busy

xtremio_array_busy_retry_interval = 5

integer value

Interval between retries in case array is busy

xtremio_clean_unused_ig = False

boolean value

Should the driver remove initiator groups with no volumes after the last connection was terminated. Since the behavior till now was to leave the IG be, we default to False (not deleting IGs without connected volumes); setting this parameter to True will remove any IG after terminating its connection to the last volume.

`xtremio_cluster_name = `

string value

XMS cluster id in multi-cluster environment

xtremio_volumes_per_glance_cache = 100

integer value

Number of volumes created from each cached glance image

zadara_default_snap_policy = False

boolean value

VPSA - Attach snapshot policy for volumes

zadara_password = None

string value

VPSA - Password

zadara_ssl_cert_verify = True

boolean value

If set to True the http client will validate the SSL certificate of the VPSA endpoint.

zadara_use_iser = True

boolean value

VPSA - Use ISER instead of iSCSI

zadara_user = None

string value

VPSA - Username

zadara_vol_encrypt = False

boolean value

VPSA - Default encryption policy for volumes

zadara_vol_name_template = OS_%s

string value

VPSA - Default template for VPSA volume names

zadara_vpsa_host = None

string value

VPSA - Management Host name or IP address

zadara_vpsa_poolname = None

string value

VPSA - Storage Pool assigned for volumes

zadara_vpsa_port = None

port value

VPSA - Port number

zadara_vpsa_use_ssl = False

boolean value

VPSA - Use SSL connection

zfssa_cache_directory = os-cinder-cache

string value

Name of directory inside zfssa_nfs_share where cache volumes are stored.

zfssa_cache_project = os-cinder-cache

string value

Name of ZFSSA project where cache volumes are stored.

zfssa_data_ip = None

string value

Data path IP address

zfssa_enable_local_cache = True

boolean value

Flag to enable local caching: True, False.

zfssa_https_port = 443

string value

HTTPS port number

`zfssa_initiator = `

string value

iSCSI initiator IQNs. (comma separated)

`zfssa_initiator_config = `

string value

iSCSI initiators configuration.

`zfssa_initiator_group = `

string value

iSCSI initiator group.

`zfssa_initiator_password = `

string value

Secret of the iSCSI initiator CHAP user.

`zfssa_initiator_user = `

string value

iSCSI initiator CHAP user (name).

zfssa_lun_compression = off

string value

Data compression.

zfssa_lun_logbias = latency

string value

Synchronous write bias.

zfssa_lun_sparse = False

boolean value

Flag to enable sparse (thin-provisioned): True, False.

zfssa_lun_volblocksize = 8k

string value

Block size.

zfssa_manage_policy = loose

string value

Driver policy for volume manage.

`zfssa_nfs_mount_options = `

string value

Options to be passed while mounting share over nfs

`zfssa_nfs_pool = `

string value

Storage pool name.

zfssa_nfs_project = NFSProject

string value

Project name.

zfssa_nfs_share = nfs_share

string value

Share name.

zfssa_nfs_share_compression = off

string value

Data compression.

zfssa_nfs_share_logbias = latency

string value

Synchronous write bias: latency, throughput.

zfssa_pool = None

string value

Storage pool name.

zfssa_project = None

string value

Project name.

`zfssa_replication_ip = `

string value

IP address used for replication data. (may be the same as data ip)

zfssa_rest_timeout = None

integer value

REST connection timeout. (seconds)

zfssa_target_group = tgt-grp

string value

iSCSI target group name.

zfssa_target_interfaces = None

string value

Network interfaces of iSCSI targets. (comma separated)

`zfssa_target_password = `

string value

Secret of the iSCSI target CHAP user.

zfssa_target_portal = None

string value

iSCSI target portal (Data-IP:Port, w.x.y.z:3260).

`zfssa_target_user = `

string value

iSCSI target CHAP user (name).

2.1.4. barbican

The following table outlines the options available under the [barbican] group in the /etc/cinder/cinder.conf file.

Table 2.4. barbican

Configuration option = Default value | Type | Description

auth_endpoint = http://localhost/identity/v3

string value

Use this endpoint to connect to Keystone

barbican_api_version = None

string value

Version of the Barbican API, for example: "v1"

barbican_endpoint = None

string value

Use this endpoint to connect to Barbican, for example: "http://localhost:9311/"

barbican_endpoint_type = public

string value

Specifies the type of endpoint. Allowed values are: public, private, and admin

number_of_retries = 60

integer value

Number of times to retry poll for key creation completion

retry_delay = 1

integer value

Number of seconds to wait before retrying poll for key creation completion

verify_ssl = True

boolean value

Specifies whether TLS (https) requests verify the server's certificate. If False, the server’s certificate will not be validated.

2.1.5. brcd_fabric_example

The following table outlines the options available under the [brcd_fabric_example] group in the /etc/cinder/cinder.conf file.

Table 2.5. brcd_fabric_example

Configuration option = Default value | Type | Description

`fc_fabric_address = `

string value

Management IP of fabric.

`fc_fabric_password = `

string value

Password for user.

fc_fabric_port = 22

port value

Connecting port

`fc_fabric_ssh_cert_path = `

string value

Local SSH certificate Path.

`fc_fabric_user = `

string value

Fabric user ID.

fc_southbound_protocol = REST_HTTP

string value

South bound connector for the fabric.

fc_virtual_fabric_id = None

string value

Virtual Fabric ID.

zone_activate = True

boolean value

Overridden zoning activation state.

zone_name_prefix = openstack

string value

Overridden zone name prefix.

zoning_policy = initiator-target

string value

Overridden zoning policy.

2.1.6. cisco_fabric_example

The following table outlines the options available under the [cisco_fabric_example] group in the /etc/cinder/cinder.conf file.

Table 2.6. cisco_fabric_example

Configuration option = Default value | Type | Description

`cisco_fc_fabric_address = `

string value

Management IP of fabric

`cisco_fc_fabric_password = `

string value

Password for user

cisco_fc_fabric_port = 22

port value

Connecting port

`cisco_fc_fabric_user = `

string value

Fabric user ID

cisco_zone_activate = True

boolean value

overridden zoning activation state

cisco_zone_name_prefix = None

string value

overridden zone name prefix

cisco_zoning_policy = initiator-target

string value

overridden zoning policy

cisco_zoning_vsan = None

string value

VSAN of the Fabric

2.1.7. coordination

The following table outlines the options available under the [coordination] group in the /etc/cinder/cinder.conf file.

Table 2.7. coordination

Configuration option = Default value | Type | Description

backend_url = file://$state_path

string value

The backend URL to use for distributed coordination.

2.1.8. cors

The following table outlines the options available under the [cors] group in the /etc/cinder/cinder.conf file.

Table 2.8. cors

Configuration option = Default value | Type | Description

allow_credentials = True

boolean value

Indicate that the actual request can include user credentials

allow_headers = ['X-Auth-Token', 'X-Identity-Status', 'X-Roles', 'X-Service-Catalog', 'X-User-Id', 'X-Tenant-Id', 'X-OpenStack-Request-ID', 'X-Trace-Info', 'X-Trace-HMAC', 'OpenStack-API-Version']

list value

Indicate which header field names may be used during the actual request.

allow_methods = ['GET', 'PUT', 'POST', 'DELETE', 'PATCH', 'HEAD']

list value

Indicate which methods can be used during the actual request.

allowed_origin = None

list value

Indicate whether this resource may be shared with the domain received in the requests "origin" header. Format: "<protocol>://<host>[:<port>]", no trailing slash. Example: https://horizon.example.com

expose_headers = ['X-Auth-Token', 'X-Subject-Token', 'X-Service-Token', 'X-OpenStack-Request-ID', 'OpenStack-API-Version']

list value

Indicate which headers are safe to expose to the API. Defaults to HTTP Simple Headers.

max_age = 3600

integer value

Maximum cache age of CORS preflight requests.

2.1.9. database

The following table outlines the options available under the [database] group in the /etc/cinder/cinder.conf file.

Table 2.9. database

Configuration option = Default value | Type | Description

backend = sqlalchemy

string value

The back end to use for the database.

connection = None

string value

The SQLAlchemy connection string to use to connect to the database.

connection_debug = 0

integer value

Verbosity of SQL debugging information: 0=None, 100=Everything.

`connection_parameters = `

string value

Optional URL parameters to append onto the connection URL at connect time; specify as param1=value1&param2=value2&…​

connection_recycle_time = 3600

integer value

Connections which have been present in the connection pool longer than this number of seconds will be replaced with a new one the next time they are checked out from the pool.

connection_trace = False

boolean value

Add Python stack traces to SQL as comment strings.

db_inc_retry_interval = True

boolean value

If True, increases the interval between retries of a database operation up to db_max_retry_interval.

db_max_retries = 20

integer value

Maximum retries in case of connection error or deadlock error before error is raised. Set to -1 to specify an infinite retry count.

db_max_retry_interval = 10

integer value

If db_inc_retry_interval is set, the maximum seconds between retries of a database operation.

db_retry_interval = 1

integer value

Seconds between retries of a database transaction.

max_overflow = 50

integer value

If set, use this value for max_overflow with SQLAlchemy.

max_pool_size = 5

integer value

Maximum number of SQL connections to keep open in a pool. Setting a value of 0 indicates no limit.

max_retries = 10

integer value

Maximum number of database connection retries during startup. Set to -1 to specify an infinite retry count.

min_pool_size = 1

integer value

Minimum number of SQL connections to keep open in a pool.

mysql_enable_ndb = False

boolean value

If True, transparently enables support for handling MySQL Cluster (NDB).

mysql_sql_mode = TRADITIONAL

string value

The SQL mode to be used for MySQL sessions. This option, including the default, overrides any server-set SQL mode. To use whatever SQL mode is set by the server configuration, set this to no value. Example: mysql_sql_mode=

pool_timeout = None

integer value

If set, use this value for pool_timeout with SQLAlchemy.

retry_interval = 10

integer value

Interval between retries of opening a SQL connection.

slave_connection = None

string value

The SQLAlchemy connection string to use to connect to the slave database.

sqlite_synchronous = True

boolean value

If True, SQLite uses synchronous mode.

use_db_reconnect = False

boolean value

Enable the experimental use of database reconnect on connection lost.

2.1.10. fc-zone-manager

The following table outlines the options available under the [fc-zone-manager] group in the /etc/cinder/cinder.conf file.

Table 2.10. fc-zone-manager

Configuration option = Default value | Type | Description

brcd_sb_connector = HTTP

string value

South bound connector for zoning operation

cisco_sb_connector = cinder.zonemanager.drivers.cisco.cisco_fc_zone_client_cli.CiscoFCZoneClientCLI

string value

Southbound connector for zoning operation

enable_unsupported_driver = False

boolean value

Set this to True when you want to allow an unsupported zone manager driver to start. Drivers that haven’t maintained a working CI system and testing are marked as unsupported until CI is working again. This also marks a driver as deprecated and may be removed in the next release.

fc_fabric_names = None

string value

Comma separated list of Fibre Channel fabric names. This list of names is used to retrieve other SAN credentials for connecting to each SAN fabric

fc_san_lookup_service = cinder.zonemanager.drivers.brocade.brcd_fc_san_lookup_service.BrcdFCSanLookupService

string value

FC SAN Lookup Service

zone_driver = cinder.zonemanager.drivers.brocade.brcd_fc_zone_driver.BrcdFCZoneDriver

string value

FC Zone Driver responsible for zone management

zoning_policy = initiator-target

string value

Zoning policy configured by user; valid values include "initiator-target" or "initiator"

2.1.11. healthcheck

The following table outlines the options available under the [healthcheck] group in the /etc/cinder/cinder.conf file.

Table 2.11. healthcheck

Configuration option = Default value | Type | Description

backends = []

list value

Additional backends that can perform health checks and report that information back as part of a request.

detailed = False

boolean value

Show more detailed information as part of the response. Security note: Enabling this option may expose sensitive details about the service being monitored. Be sure to verify that it will not violate your security policies.

disable_by_file_path = None

string value

Check the presence of a file to determine if an application is running on a port. Used by DisableByFileHealthcheck plugin.

disable_by_file_paths = []

list value

Check the presence of a file based on a port to determine if an application is running on a port. Expects a "port:path" list of strings. Used by DisableByFilesPortsHealthcheck plugin.

path = /healthcheck

string value

The path to respond to healthcheck requests on.

2.1.12. key_manager

The following table outlines the options available under the [key_manager] group in the /etc/cinder/cinder.conf file.

Table 2.12. key_manager

Configuration option = Default value | Type | Description

auth_type = None

string value

The type of authentication credential to create. Possible values are token, password, keystone_token, and keystone_password. Required if no context is passed to the credential factory.

auth_url = None

string value

Use this endpoint to connect to Keystone.

backend = barbican

string value

Specify the key manager implementation. Options are "barbican" and "vault". Default is "barbican". Will support the values earlier set using [key_manager]/api_class for some time.

domain_id = None

string value

Domain ID for domain scoping. Optional for keystone_token and keystone_password auth_type.

domain_name = None

string value

Domain name for domain scoping. Optional for keystone_token and keystone_password auth_type.

fixed_key = None

string value

Fixed key returned by key manager, specified in hex

password = None

string value

Password for authentication. Required for password and keystone_password auth_type.

project_domain_id = None

string value

Project’s domain ID for project. Optional for keystone_token and keystone_password auth_type.

project_domain_name = None

string value

Project’s domain name for project. Optional for keystone_token and keystone_password auth_type.

project_id = None

string value

Project ID for project scoping. Optional for keystone_token and keystone_password auth_type.

project_name = None

string value

Project name for project scoping. Optional for keystone_token and keystone_password auth_type.

reauthenticate = True

boolean value

Allow fetching a new token if the current one is going to expire. Optional for keystone_token and keystone_password auth_type.

token = None

string value

Token for authentication. Required for token and keystone_token auth_type if no context is passed to the credential factory.

trust_id = None

string value

Trust ID for trust scoping. Optional for keystone_token and keystone_password auth_type.

user_domain_id = None

string value

User’s domain ID for authentication. Optional for keystone_token and keystone_password auth_type.

user_domain_name = None

string value

User’s domain name for authentication. Optional for keystone_token and keystone_password auth_type.

user_id = None

string value

User ID for authentication. Optional for keystone_token and keystone_password auth_type.

username = None

string value

Username for authentication. Required for password auth_type. Optional for the keystone_password auth_type.

2.1.13. keystone_authtoken

The following table outlines the options available under the [keystone_authtoken] group in the /etc/cinder/cinder.conf file.

Table 2.13. keystone_authtoken

Configuration option = Default value | Type | Description

auth_section = None

string value

Config Section from which to load plugin specific options

auth_type = None

string value

Authentication type to load

auth_uri = None

string value

Complete "public" Identity API endpoint. This endpoint should not be an "admin" endpoint, as it should be accessible by all end users. Unauthenticated clients are redirected to this endpoint to authenticate. Although this endpoint should ideally be unversioned, client support in the wild varies. If you’re using a versioned v2 endpoint here, then this should not be the same endpoint the service user utilizes for validating tokens, because normal end users may not be able to reach that endpoint. This option is deprecated in favor of www_authenticate_uri and will be removed in the S release.

auth_version = None

string value

API version of the admin Identity API endpoint.

cache = None

string value

Request environment key where the Swift cache object is stored. When auth_token middleware is deployed with a Swift cache, use this option to have the middleware share a caching backend with swift. Otherwise, use the memcached_servers option instead.

cafile = None

string value

A PEM encoded Certificate Authority to use when verifying HTTPS connections. Defaults to system CAs.

certfile = None

string value

Required if identity server requires client certificate

delay_auth_decision = False

boolean value

Do not handle authorization requests within the middleware, but delegate the authorization decision to downstream WSGI components.

enforce_token_bind = permissive

string value

Used to control the use and type of token binding. Can be set to:

  • "disabled" to not check token binding.
  • "permissive" (default) to validate binding information if the bind type is of a form known to the server and ignore it if not.
  • "strict" like "permissive" but if the bind type is unknown the token will be rejected.
  • "required" any form of token binding is needed to be allowed.
  • Finally the name of a binding method that must be present in tokens.

hash_algorithms = ['md5']

list value

Hash algorithms to use for hashing PKI tokens. This may be a single algorithm or multiple. The algorithms are those supported by Python standard hashlib.new(). The hashes will be tried in the order given, so put the preferred one first for performance. The result of the first hash will be stored in the cache. This will typically be set to multiple values only while migrating from a less secure algorithm to a more secure one. Once all the old tokens are expired this option should be set to a single value for better performance.

http_connect_timeout = None

integer value

Request timeout value for communicating with Identity API server.

http_request_max_retries = 3

integer value

Number of times to try to reconnect when communicating with the Identity API server.

include_service_catalog = True

boolean value

(Optional) Indicate whether to set the X-Service-Catalog header. If False, middleware will not ask for service catalog on token validation and will not set the X-Service-Catalog header.

insecure = False

boolean value

Verify HTTPS connections.

keyfile = None

string value

Required if identity server requires client certificate

memcache_pool_conn_get_timeout = 10

integer value

(Optional) Number of seconds that an operation will wait to get a memcached client connection from the pool.

memcache_pool_dead_retry = 300

integer value

(Optional) Number of seconds memcached server is considered dead before it is tried again.

memcache_pool_maxsize = 10

integer value

(Optional) Maximum total number of open connections to every memcached server.

memcache_pool_socket_timeout = 3

integer value

(Optional) Socket timeout in seconds for communicating with a memcached server.

memcache_pool_unused_timeout = 60

integer value

(Optional) Number of seconds a connection to memcached is held unused in the pool before it is closed.

memcache_secret_key = None

string value

(Optional, mandatory if memcache_security_strategy is defined) This string is used for key derivation.

memcache_security_strategy = None

string value

(Optional) If defined, indicate whether token data should be authenticated or authenticated and encrypted. If MAC, token data is authenticated (with HMAC) in the cache. If ENCRYPT, token data is encrypted and authenticated in the cache. If the value is not one of these options or empty, auth_token will raise an exception on initialization.

memcache_use_advanced_pool = False

boolean value

(Optional) Use the advanced (eventlet safe) memcached client pool. The advanced pool will only work under python 2.x.

memcached_servers = None

list value

Optionally specify a list of memcached server(s) to use for caching. If left undefined, tokens will instead be cached in-process.

region_name = None

string value

The region in which the identity server can be found.

service_token_roles = ['service']

list value

A choice of roles that must be present in a service token. Service tokens are allowed to request that an expired token can be used and so this check should tightly control that only actual services should be sending this token. Roles here are applied as an ANY check so any role in this list must be present. For backwards compatibility reasons this currently only affects the allow_expired check.

service_token_roles_required = False

boolean value

For backwards compatibility reasons we must let valid service tokens pass that don’t pass the service_token_roles check as valid. Setting this true will become the default in a future release and should be enabled if possible.

signing_dir = None

string value

Directory used to cache files related to PKI tokens. This option has been deprecated in the Ocata release and will be removed in the P release.

token_cache_time = 300

integer value

In order to prevent excessive effort spent validating tokens, the middleware caches previously-seen tokens for a configurable duration (in seconds). Set to -1 to disable caching completely.

www_authenticate_uri = None

string value

Complete "public" Identity API endpoint. This endpoint should not be an "admin" endpoint, as it should be accessible by all end users. Unauthenticated clients are redirected to this endpoint to authenticate. Although this endpoint should ideally be unversioned, client support in the wild varies. If you’re using a versioned v2 endpoint here, then this should not be the same endpoint the service user utilizes for validating tokens, because normal end users may not be able to reach that endpoint.
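The following audit of a [keystone_authtoken] section against the option descriptions in the table above is an added example, not part of this reference or of the keystonemiddleware code. The sample file, the finding IDs and all function names are constructed for illustration, and treating memcache_security_strategy case-insensitively is an assumption of the example.

```python
import configparser

SECTION = "keystone_authtoken"

# Defaults as listed in the [keystone_authtoken] table ("None" shown as "").
DEFAULTS = {
    "insecure": "False",
    "hash_algorithms": "md5",
    "memcached_servers": "",
    "memcache_security_strategy": "",
    "memcache_secret_key": "",
    "service_token_roles_required": "False",
    "enforce_token_bind": "permissive",
    "auth_uri": "",
}

WEAK_HASHES = {"md5", "sha1"}  # digests with known practical collisions

# Constructed sample file, not taken from a real deployment.
SAMPLE_CONF = """\
[keystone_authtoken]
www_authenticate_uri = https://keystone.example.com:5000
auth_uri = https://keystone.example.com:5000
insecure = true
memcached_servers = 192.0.2.10:11211,192.0.2.11:11211
memcache_security_strategy = MAC
"""


def _as_bool(value):
    return value.strip().lower() in ("1", "true", "yes", "on")


def _as_list(value):
    return [item.strip() for item in value.split(",") if item.strip()]


def load_section(conf_text):
    """Return effective [keystone_authtoken] options (file values over defaults)."""
    # strict=False tolerates repeated keys (multi valued options); the dummy
    # default_section stops configparser copying [DEFAULT] keys into every
    # other group; interpolation=None keeps '%' characters in values literal.
    parser = configparser.ConfigParser(
        interpolation=None, strict=False, default_section="__unused__")
    parser.read_string(conf_text)
    opts = dict(DEFAULTS)
    if parser.has_section(SECTION):
        opts.update(parser.items(SECTION))
    return opts


def audit_keystone_authtoken(conf_text):
    """Return a list of (finding_id, message) tuples for risky settings."""
    opts = load_section(conf_text)
    findings = []

    # In keystonemiddleware, insecure=true turns certificate verification off.
    if _as_bool(opts["insecure"]):
        findings.append(("TLS-VERIFY-OFF",
                         "identity server certificate is not verified"))

    # The result of the first listed hash is what gets stored in the cache.
    algos = [a.lower() for a in _as_list(opts["hash_algorithms"])]
    if algos and algos[0] in WEAK_HASHES:
        findings.append(("WEAK-HASH-FIRST",
                         "preferred token hash is %s" % algos[0]))
    elif WEAK_HASHES.intersection(algos):
        findings.append(("WEAK-HASH-LISTED",
                         "weak hash still accepted; drop it after migration"))

    # Token data held in a shared memcached should be MAC'd or encrypted.
    strategy = opts["memcache_security_strategy"].strip().upper()
    if strategy and strategy not in ("MAC", "ENCRYPT"):
        findings.append(("CACHE-STRATEGY-INVALID",
                         "auth_token raises an exception on initialization"))
    elif strategy and not opts["memcache_secret_key"].strip():
        findings.append(("CACHE-KEY-MISSING",
                         "memcache_secret_key is mandatory with a strategy"))
    elif not strategy and _as_list(opts["memcached_servers"]):
        findings.append(("CACHE-UNPROTECTED",
                         "cached token data is neither authenticated nor encrypted"))

    if not _as_bool(opts["service_token_roles_required"]):
        findings.append(("SERVICE-ROLES-NOT-ENFORCED",
                         "service tokens pass without a service_token_roles match"))

    if opts["enforce_token_bind"].strip().lower() == "disabled":
        findings.append(("TOKEN-BIND-DISABLED",
                         "token binding information is never checked"))

    if opts["auth_uri"].strip():
        findings.append(("DEPRECATED-AUTH-URI",
                         "use www_authenticate_uri instead of auth_uri"))
    return findings


if __name__ == "__main__":
    for finding_id, message in audit_keystone_authtoken(SAMPLE_CONF):
        print("%-28s %s" % (finding_id, message))
```

Options absent from the file are evaluated at the defaults listed in the table, so an empty section still reports the md5 default and the unenforced service token roles.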

2.1.14. nova

The following table outlines the options available under the [nova] group in the /etc/cinder/cinder.conf file.

Table 2.14. nova

Configuration option = Default value | Type | Description

auth_section = None

string value

Config Section from which to load plugin specific options

auth_type = None

string value

Authentication type to load

cafile = None

string value

PEM encoded Certificate Authority to use when verifying HTTPS connections.

certfile = None

string value

PEM encoded client certificate cert file

collect-timing = False

boolean value

Collect per-API call timing information.

insecure = False

boolean value

Verify HTTPS connections.

interface = public

string value

Type of the nova endpoint to use. This endpoint will be looked up in the keystone catalog and should be one of public, internal or admin.

keyfile = None

string value

PEM encoded client certificate key file

region_name = None

string value

Name of nova region to use. Useful if keystone manages more than one region.

split-loggers = False

boolean value

Log requests to multiple loggers.

timeout = None

integer value

Timeout value for http requests

token_auth_url = None

string value

The authentication URL for the nova connection when using the current user's token

2.1.15. oslo_concurrency

The following table outlines the options available under the [oslo_concurrency] group in the /etc/cinder/cinder.conf file.

Table 2.15. oslo_concurrency

Configuration option = Default value | Type | Description

disable_process_locking = False

boolean value

Enables or disables inter-process locks.

lock_path = None

string value

Directory to use for lock files. For security, the specified directory should only be writable by the user running the processes that need locking. Defaults to environment variable OSLO_LOCK_PATH. If external locks are used, a lock path must be set.

2.1.16. oslo_messaging_amqp

The following table outlines the options available under the [oslo_messaging_amqp] group in the /etc/cinder/cinder.conf file.

Table 2.16. oslo_messaging_amqp

Configuration option = Default value | Type | Description

addressing_mode = dynamic

string value

Indicates the addressing mode used by the driver. Permitted values:

  • legacy - use legacy non-routable addressing
  • routable - use routable addresses
  • dynamic - use legacy addresses if the message bus does not support routing, otherwise use routable addressing

anycast_address = anycast

string value

Appended to the address prefix when sending to a group of consumers. Used by the message bus to identify messages that should be delivered in a round-robin fashion across consumers.

broadcast_prefix = broadcast

string value

Address prefix used when broadcasting to all servers

connection_retry_backoff = 2

integer value

Increase the connection_retry_interval by this many seconds after each unsuccessful failover attempt.

connection_retry_interval = 1

integer value

Seconds to pause before attempting to re-connect.

connection_retry_interval_max = 30

integer value

Maximum limit for connection_retry_interval + connection_retry_backoff

container_name = None

string value

Name for the AMQP container. Must be globally unique. Defaults to a generated UUID

default_notification_exchange = None

string value

Exchange name used in notification addresses. Exchange name resolution precedence: Target.exchange if set, else default_notification_exchange if set, else control_exchange if set, else notify

default_notify_timeout = 30

integer value

The deadline for a sent notification message delivery. Only used when caller does not provide a timeout expiry.

default_reply_retry = 0

integer value

The maximum number of attempts to re-send a reply message which failed due to a recoverable error.

default_reply_timeout = 30

integer value

The deadline for an rpc reply message delivery.

default_rpc_exchange = None

string value

Exchange name used in RPC addresses. Exchange name resolution precedence: Target.exchange if set, else default_rpc_exchange if set, else control_exchange if set, else rpc

default_send_timeout = 30

integer value

The deadline for an rpc cast or call message delivery. Only used when caller does not provide a timeout expiry.

default_sender_link_timeout = 600

integer value

The duration to schedule a purge of idle sender links. Detach link after expiry.

group_request_prefix = unicast

string value

Address prefix when sending to any server in group

idle_timeout = 0

integer value

Timeout for inactive connections (in seconds)

link_retry_delay = 10

integer value

Time to pause between re-connecting an AMQP 1.0 link that failed due to a recoverable error.

multicast_address = multicast

string value

Appended to the address prefix when sending a fanout message. Used by the message bus to identify fanout messages.

notify_address_prefix = openstack.org/om/notify

string value

Address prefix for all generated Notification addresses

notify_server_credit = 100

integer value

Window size for incoming Notification messages

pre_settled = ['rpc-cast', 'rpc-reply']

multi valued

Send messages of this type pre-settled. Pre-settled messages will not receive acknowledgement from the peer. Note well: pre-settled messages may be silently discarded if the delivery fails. Permitted values:

  • rpc-call - send RPC Calls pre-settled
  • rpc-reply - send RPC Replies pre-settled
  • rpc-cast - send RPC Casts pre-settled
  • notify - send Notifications pre-settled

pseudo_vhost = True

boolean value

Enable virtual host support for those message buses that do not natively support virtual hosting (such as qpidd). When set to true the virtual host name will be added to all message bus addresses, effectively creating a private subnet per virtual host. Set to False if the message bus supports virtual hosting using the hostname field in the AMQP 1.0 Open performative as the name of the virtual host.

reply_link_credit = 200

integer value

Window size for incoming RPC Reply messages.

rpc_address_prefix = openstack.org/om/rpc

string value

Address prefix for all generated RPC addresses

rpc_server_credit = 100

integer value

Window size for incoming RPC Request messages

sasl_config_dir =

string value

Path to directory that contains the SASL configuration

sasl_config_name =

string value

Name of configuration file (without .conf suffix)

sasl_default_realm =

string value

SASL realm to use if no realm present in username

sasl_mechanisms =

string value

Space separated list of acceptable SASL mechanisms

server_request_prefix = exclusive

string value

Address prefix used when sending to a specific server

ssl = False

boolean value

Attempt to connect via SSL. If no other ssl-related parameters are given, it will use the system’s CA-bundle to verify the server’s certificate.

ssl_ca_file =

string value

CA certificate PEM file used to verify the server’s certificate

ssl_cert_file =

string value

Self-identifying certificate PEM file for client authentication

ssl_key_file =

string value

Private key PEM file used to sign ssl_cert_file certificate (optional)

ssl_key_password = None

string value

Password for decrypting ssl_key_file (if encrypted)

ssl_verify_vhost = False

boolean value

By default SSL checks that the name in the server’s certificate matches the hostname in the transport_url. In some configurations it may be preferable to use the virtual hostname instead, for example if the server uses the Server Name Indication TLS extension (rfc6066) to provide a certificate per virtual host. Set ssl_verify_vhost to True if the server’s SSL certificate uses the virtual host name instead of the DNS name.

trace = False

boolean value

Debug: dump AMQP frames to stdout

unicast_address = unicast

string value

Appended to the address prefix when sending to a particular RPC/Notification server. Used by the message bus to identify messages sent to a single destination.

2.1.17. oslo_messaging_kafka

The following table outlines the options available under the [oslo_messaging_kafka] group in the /etc/cinder/cinder.conf file.

Table 2.17. oslo_messaging_kafka

Configuration option = Default value | Type | Description

conn_pool_min_size = 2

integer value

The pool size limit for connections expiration policy

conn_pool_ttl = 1200

integer value

The time-to-live in sec of idle connections in the pool

consumer_group = oslo_messaging_consumer

string value

Group id for Kafka consumer. Consumers in one group will coordinate message consumption

enable_auto_commit = False

boolean value

Enable asynchronous consumer commits

kafka_consumer_timeout = 1.0

floating point value

Default timeout(s) for Kafka consumers

kafka_max_fetch_bytes = 1048576

integer value

Max fetch bytes of Kafka consumer

max_poll_records = 500

integer value

The maximum number of records returned in a poll call

pool_size = 10

integer value

Pool Size for Kafka Consumers

producer_batch_size = 16384

integer value

Size of batch for the producer async send

producer_batch_timeout = 0.0

floating point value

Upper bound on the delay for KafkaProducer batching in seconds

sasl_mechanism = PLAIN

string value

Mechanism when security protocol is SASL

security_protocol = PLAINTEXT

string value

Protocol used to communicate with brokers

ssl_cafile =

string value

CA certificate PEM file used to verify the server certificate

2.1.18. oslo_messaging_notifications

The following table outlines the options available under the [oslo_messaging_notifications] group in the /etc/cinder/cinder.conf file.

Table 2.18. oslo_messaging_notifications

Configuration option = Default value | Type | Description

driver = []

multi valued

The driver(s) to handle sending notifications. Possible values are messaging, messagingv2, routing, log, test, noop

retry = -1

integer value

The maximum number of attempts to re-send a notification message which failed to be delivered due to a recoverable error. 0 - No retry, -1 - indefinite

topics = ['notifications']

list value

AMQP topic used for OpenStack notifications.

transport_url = None

string value

A URL representing the messaging driver to use for notifications. If not set, we fall back to the same configuration used for RPC.

2.1.19. oslo_messaging_rabbit

The following table outlines the options available under the [oslo_messaging_rabbit] group in the /etc/cinder/cinder.conf file.

Table 2.19. oslo_messaging_rabbit

Configuration option = Default value | Type | Description

amqp_auto_delete = False

boolean value

Auto-delete queues in AMQP.

amqp_durable_queues = False

boolean value

Use durable queues in AMQP.

heartbeat_rate = 2

integer value

How many times during the heartbeat_timeout_threshold the heartbeat is checked.

heartbeat_timeout_threshold = 60

integer value

Number of seconds after which the Rabbit broker is considered down if heartbeat’s keep-alive fails (0 disables the heartbeat). EXPERIMENTAL

kombu_compression = None

string value

EXPERIMENTAL: Possible values are: gzip, bz2. If not set compression will not be used. This option may not be available in future versions.

kombu_failover_strategy = round-robin

string value

Determines how the next RabbitMQ node is chosen in case the one we are currently connected to becomes unavailable. Takes effect only if more than one RabbitMQ node is provided in config.

kombu_missing_consumer_retry_timeout = 60

integer value

How long to wait for a missing client before giving up on sending it its replies. This value should not be longer than rpc_response_timeout.

kombu_reconnect_delay = 1.0

floating point value

How long to wait before reconnecting in response to an AMQP consumer cancel notification.

rabbit_ha_queues = False

boolean value

Try to use HA queues in RabbitMQ (x-ha-policy: all). If you change this option, you must wipe the RabbitMQ database. In RabbitMQ 3.0, queue mirroring is no longer controlled by the x-ha-policy argument when declaring a queue. If you just want to make sure that all queues (except those with auto-generated names) are mirrored across all nodes, run: "rabbitmqctl set_policy HA '^(?!amq\.).*' '{"ha-mode": "all"}'"

rabbit_interval_max = 30

integer value

Maximum interval of RabbitMQ connection retries. Default is 30 seconds.

rabbit_login_method = AMQPLAIN

string value

The RabbitMQ login method.

rabbit_qos_prefetch_count = 0

integer value

Specifies the number of messages to prefetch. Setting to zero allows unlimited messages.

rabbit_retry_backoff = 2

integer value

How long to back off between retries when connecting to RabbitMQ.

rabbit_retry_interval = 1

integer value

How frequently to retry connecting with RabbitMQ.

rabbit_transient_queues_ttl = 1800

integer value

Positive integer representing duration in seconds for queue TTL (x-expires). Queues which are unused for the duration of the TTL are automatically deleted. The parameter affects only reply and fanout queues.

ssl = False

boolean value

Connect over SSL.

ssl_ca_file =

string value

SSL certification authority file (valid only if SSL enabled).

ssl_cert_file =

string value

SSL cert file (valid only if SSL enabled).

ssl_key_file =

string value

SSL key file (valid only if SSL enabled).

ssl_version =

string value

SSL version to use (valid only if SSL enabled). Valid values are TLSv1 and SSLv23. SSLv2, SSLv3, TLSv1_1, and TLSv1_2 may be available on some distributions.

2.1.20. oslo_middleware

The following table outlines the options available under the [oslo_middleware] group in the /etc/cinder/cinder.conf file.

Table 2.20. oslo_middleware

Configuration option = Default value | Type | Description

enable_proxy_headers_parsing = False

boolean value

Whether the application is behind a proxy or not. This determines if the middleware should parse the headers or not.

max_request_body_size = 114688

integer value

The maximum body size for each request, in bytes.

secure_proxy_ssl_header = X-Forwarded-Proto

string value

The HTTP Header that will be used to determine what the original request protocol scheme was, even if it was hidden by a SSL termination proxy.

2.1.21. oslo_policy

The following table outlines the options available under the [oslo_policy] group in the /etc/cinder/cinder.conf file.

Table 2.21. oslo_policy

Configuration option = Default value | Type | Description

enforce_scope = False

boolean value

This option controls whether or not to enforce scope when evaluating policies. If True, the scope of the token used in the request is compared to the scope_types of the policy being enforced. If the scopes do not match, an InvalidScope exception will be raised. If False, a message will be logged informing operators that policies are being invoked with mismatching scope.

policy_default_rule = default

string value

Default rule. Enforced when a requested rule is not found.

policy_dirs = ['policy.d']

multi valued

Directories where policy configuration files are stored. They can be relative to any directory in the search path defined by the config_dir option, or absolute paths. The file defined by policy_file must exist for these directories to be searched. Missing or empty directories are ignored.

policy_file = policy.yaml

string value

The file that defines policies.

remote_content_type = application/x-www-form-urlencoded

string value

Content Type to send and receive data for REST based policy check

remote_ssl_ca_crt_file = None

string value

Absolute path to ca cert file for REST based policy check

remote_ssl_client_crt_file = None

string value

Absolute path to client cert for REST based policy check

remote_ssl_client_key_file = None

string value

Absolute path to client key file for REST based policy check

remote_ssl_verify_server_crt = False

boolean value

Server identity verification for REST based policy check

2.1.22. oslo_reports

The following table outlines the options available under the [oslo_reports] group in the /etc/cinder/cinder.conf file.

Table 2.22. oslo_reports

Configuration option = Default value | Type | Description

file_event_handler = None

string value

The path to a file to watch for changes to trigger the reports, instead of signals. Setting this option disables the signal trigger for the reports. If application is running as a WSGI application it is recommended to use this instead of signals.

file_event_handler_interval = 1

integer value

How many seconds to wait between polls when file_event_handler is set

log_dir = None

string value

Path to a log directory where to create a file

2.1.23. oslo_versionedobjects

The following table outlines the options available under the [oslo_versionedobjects] group in the /etc/cinder/cinder.conf file.

Table 2.23. oslo_versionedobjects

Configuration option = Default value | Type | Description

fatal_exception_format_errors = False

boolean value

Make exception message format errors fatal

2.1.24. privsep

The following table outlines the options available under the [privsep] group in the /etc/cinder/cinder.conf file.

Table 2.24. privsep

Configuration option = Default value | Type | Description

capabilities = []

list value

List of Linux capabilities retained by the privsep daemon.

group = None

string value

Group that the privsep daemon should run as.

helper_command = None

string value

Command to invoke to start the privsep daemon if not using the "fork" method. If not specified, a default is generated using "sudo privsep-helper" and arguments designed to recreate the current configuration. This command must accept suitable --privsep_context and --privsep_sock_path arguments.

thread_pool_size = 8

integer value

The number of threads available for privsep to concurrently run processes. Defaults to the number of CPU cores in the system.

user = None

string value

User that the privsep daemon should run as.

2.1.25. profiler

The following table outlines the options available under the [profiler] group in the /etc/cinder/cinder.conf file.

Table 2.25. profiler

Configuration option = Default value | Type | Description

connection_string = messaging://

string value

Connection string for a notifier backend.

Default value is messaging:// which sets the notifier to oslo_messaging.

Examples of possible values:

  • messaging:// - use oslo_messaging driver for sending spans.
  • redis://127.0.0.1:6379 - use redis driver for sending spans.
  • mongodb://127.0.0.1:27017 - use mongodb driver for sending spans.
  • elasticsearch://127.0.0.1:9200 - use elasticsearch driver for sending spans.
  • jaeger://127.0.0.1:6831 - use jaeger tracing as driver for sending spans.

enabled = False

boolean value

Enable the profiling for all services on this node.

Default value is False (fully disable the profiling feature).

Possible values:

  • True: Enables the feature
  • False: Disables the feature. Profiling cannot be started via this project’s operations. If profiling is triggered by another project, this project’s part will be empty.

es_doc_type = notification

string value

Document type for notification indexing in elasticsearch.

es_scroll_size = 10000

integer value

Elasticsearch splits large requests in batches. This parameter defines the maximum size of each batch (for example: es_scroll_size=10000).

es_scroll_time = 2m

string value

This parameter is a time value parameter (for example: es_scroll_time=2m), indicating for how long the nodes that participate in the search will maintain relevant resources in order to continue and support it.

filter_error_trace = False

boolean value

Enable filtering of traces that contain an error/exception to a separate place.

Default value is set to False.

Possible values:

  • True: Enable filtering of traces that contain an error/exception.
  • False: Disable the filter.

hmac_keys = SECRET_KEY

string value

Secret key(s) to use for encrypting context data for performance profiling.

This string value should have the following format: <key1>[,<key2>,…​<keyn>], where each key is some random string. A user who triggers the profiling via the REST API has to set one of these keys in the headers of the REST API call to include profiling results of this node for this particular project.

Both "enabled" flag and "hmac_keys" config options should be set to enable profiling. Also, to generate correct profiling information across all services at least one key needs to be consistent between OpenStack projects. This ensures it can be used from client side to generate the trace, containing information from all possible resources.

sentinel_service_name = mymaster

string value

Redis Sentinel uses a service name to identify a master redis service. This parameter defines the name (for example: sentinel_service_name=mymaster).

socket_timeout = 0.1

floating point value

Redis Sentinel provides a timeout option on the connections. This parameter defines that timeout (for example: socket_timeout=0.1).

trace_sqlalchemy = False

boolean value

Enable SQL requests profiling in services.

Default value is False (SQL requests won’t be traced).

Possible values:

  • True: Enables SQL requests profiling. Each SQL query will be part of the trace and can then be analyzed by how much time was spent on it.
  • False: Disables SQL requests profiling. The spent time is only shown on a higher level of operations. Single SQL queries cannot be analyzed this way.

2.1.26. sample_castellan_source

The following table outlines the options available under the [sample_castellan_source] group in the /etc/cinder/cinder.conf file.

Table 2.26. sample_castellan_source

Configuration option = Default value | Type | Description

config_file = None

string value

The path to a castellan configuration file.

driver = None

string value

The name of the driver that can load this configuration source.

mapping_file = None

string value

The path to a configuration/castellan_id mapping file.

2.1.27. sample_remote_file_source

The following table outlines the options available under the [sample_remote_file_source] group in the /etc/cinder/cinder.conf file.

Table 2.27. sample_remote_file_source

Configuration option = Default value | Type | Description

ca_path = None

string value

The path to a CA_BUNDLE file or directory with certificates of trusted CAs.

client_cert = None

string value

Client side certificate, as a single file path containing either the certificate only or the private key and the certificate.

client_key = None

string value

Client side private key, in case client_cert is specified but does not include the private key.

driver = None

string value

The name of the driver that can load this configuration source.

uri = None

uri value

Required option with the URI of the extra configuration file’s location.

2.1.28. service_user

The following table outlines the options available under the [service_user] group in the /etc/cinder/cinder.conf file.

Table 2.28. service_user

Configuration option = Default value | Type | Description

cafile = None

string value

PEM encoded Certificate Authority to use when verifying HTTPS connections.

certfile = None

string value

PEM encoded client certificate cert file

collect-timing = False

boolean value

Collect per-API call timing information.

insecure = False

boolean value

Verify HTTPS connections.

keyfile = None

string value

PEM encoded client certificate key file

send_service_user_token = False

boolean value

When True, if sending a user token to a REST API, also send a service token.

split-loggers = False

boolean value

Log requests to multiple loggers.

timeout = None

integer value

Timeout value for http requests

2.1.29. ssl

The following table outlines the options available under the [ssl] group in the /etc/cinder/cinder.conf file.

Table 2.29. ssl

Configuration option = Default value | Type | Description

ca_file = None

string value

CA certificate file to use to verify connecting clients.

cert_file = None

string value

Certificate file to use when starting the server securely.

ciphers = None

string value

Sets the list of available ciphers. The value should be a string in the OpenSSL cipher list format.

key_file = None

string value

Private key file to use when starting the server securely.

version = None

string value

SSL version to use (valid only if SSL enabled). Valid values are TLSv1 and SSLv23. SSLv2, SSLv3, TLSv1_1, and TLSv1_2 may be available on some distributions.

2.1.30. vault

The following table outlines the options available under the [vault] group in the /etc/cinder/cinder.conf file.

Table 2.30. vault

Configuration option = Default value | Type | Description

approle_role_id = None

string value

AppRole role_id for authentication with vault

approle_secret_id = None

string value

AppRole secret_id for authentication with vault

kv_mountpoint = secret

string value

Mountpoint of KV store in Vault to use, for example: secret

root_token_id = None

string value

root token for vault

ssl_ca_crt_file = None

string value

Absolute path to ca cert file

use_ssl = False

boolean value

SSL Enabled/Disabled

vault_url = http://127.0.0.1:8200

string value

Use this endpoint to connect to Vault, for example: "http://127.0.0.1:8200"
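An added example (not Red Hat's or the OpenStack projects' code): a read-only audit, with Python's configparser standing in for oslo.config parsing, that flags risky values of the [profiler], [service_user], [ssl] and [vault] options described above. The sample files, host names, paths and keys are constructed, and the loopback exemption for Vault is an assumption of this example.

```python
import configparser
import ipaddress
from urllib.parse import urlsplit

# Constructed sample using risky values of the options documented above.
WEAK_CONF = """
[profiler]
enabled = True
hmac_keys = SECRET_KEY

[service_user]
insecure = True

[ssl]
version = SSLv3

[vault]
root_token_id = s.CONSTRUCTED-PLACEHOLDER
use_ssl = False
vault_url = http://vault.example.internal:8200
"""

# Constructed sample with the same groups corrected.
HARDENED_CONF = """
[profiler]
enabled = True
hmac_keys = constructed-random-key-7f3a9d1e5b

[service_user]
insecure = False

[ssl]
version = TLSv1_2

[vault]
approle_role_id = constructed-role-id
approle_secret_id = constructed-secret-id
use_ssl = True
ssl_ca_crt_file = /etc/pki/example/vault-ca.pem
vault_url = https://vault.example.internal:8200
"""

# SSLv2/SSLv3 and TLS 1.0/1.1 are deprecated protocol versions (RFC 8996 for TLS).
DEPRECATED_PROTOCOLS = {"sslv2", "sslv3", "tlsv1", "tlsv1_1"}


def parse(text):
    # Renaming default_section stops [DEFAULT] values leaking into other groups.
    parser = configparser.ConfigParser(
        interpolation=None, strict=False, default_section="__unused__")
    parser.read_string(text)
    return parser


def is_loopback(host):
    try:
        return host == "localhost" or ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def audit(text):
    """Return a list of (group, option, reason) findings."""
    conf = parse(text)
    found = []

    # Profiling on while a key is still the published default SECRET_KEY.
    if conf.getboolean("profiler", "enabled", fallback=False):
        keys = conf.get("profiler", "hmac_keys", fallback="SECRET_KEY")
        if "SECRET_KEY" in [k.strip() for k in keys.split(",")]:
            found.append(("profiler", "hmac_keys", "default key in use"))

    # keystoneauth semantics: insecure = True turns certificate checks off.
    if conf.getboolean("service_user", "insecure", fallback=False):
        found.append(("service_user", "insecure", "TLS verification off"))

    version = conf.get("ssl", "version", fallback="").strip().lower()
    if version in DEPRECATED_PROTOCOLS:
        found.append(("ssl", "version", "deprecated protocol version"))

    # Vault defaults only matter when the group is actually configured.
    if conf.has_section("vault"):
        if conf.get("vault", "root_token_id", fallback="").strip():
            found.append(("vault", "root_token_id", "root token configured"))
        url = urlsplit(conf.get("vault", "vault_url",
                                fallback="http://127.0.0.1:8200"))
        remote = not is_loopback(url.hostname or "")
        if remote and url.scheme != "https":
            found.append(("vault", "vault_url", "plaintext HTTP to Vault"))
        if remote and not conf.getboolean("vault", "use_ssl", fallback=False):
            found.append(("vault", "use_ssl", "SSL disabled for Vault"))
    return found


if __name__ == "__main__":
    for group, option, reason in audit(WEAK_CONF):
        print(f"[{group}] {option}: {reason}")
```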

Chapter 3. glance

The following chapter contains information about the configuration options in the glance service.

3.1. glance-api.conf

This section contains options for the /etc/glance/glance-api.conf file.

3.1.1. DEFAULT

The following table outlines the options available under the [DEFAULT] group in the /etc/glance/glance-api.conf file.

Table 3.1. DEFAULT

Configuration option = Default value | Type | Description

admin_password = None

string value

The administrator’s password. If "use_user_token" is not in effect, then admin credentials can be specified.

admin_role = admin

string value

Role used to identify an authenticated user as administrator.

Provide a string value representing a Keystone role to identify an administrative user. Users with this role will be granted administrative privileges. The default value for this option is admin.

Possible values:

  • A string value which is a valid Keystone role

Related options:

  • None

admin_tenant_name = None

string value

The tenant name of the administrative user. If "use_user_token" is not in effect, then admin tenant name can be specified.

admin_user = None

string value

The administrator’s user name. If "use_user_token" is not in effect, then admin credentials can be specified.

allow_additional_image_properties = True

boolean value

Allow users to add additional/custom properties to images.

Glance defines a standard set of properties (in its schema) that appear on every image. These properties are also known as base properties. In addition to these properties, Glance allows users to add custom properties to images. These are known as additional properties.

By default, this configuration option is set to True and users are allowed to add additional properties. The number of additional properties that can be added to an image can be controlled via image_property_quota configuration option.

Possible values:

  • True
  • False

Related options:

  • image_property_quota

allow_anonymous_access = False

boolean value

Allow limited access to unauthenticated users.

Assign a boolean to determine API access for unauthenticated users. When set to False, the API cannot be accessed by unauthenticated users. When set to True, unauthenticated users can access the API with read-only privileges. This, however, only applies when using ContextMiddleware.

Possible values:

  • True
  • False

Related options:

  • None

allowed_rpc_exception_modules = ['glance.common.exception', 'builtins', 'exceptions']

list value

List of allowed exception modules to handle RPC exceptions.

Provide a comma separated list of modules whose exceptions are permitted to be recreated upon receiving exception data via an RPC call made to Glance. The default list includes glance.common.exception, builtins, and exceptions.

The RPC protocol permits interaction with Glance via calls across a network or within the same system. Including a list of exception namespaces with this option enables RPC to propagate the exceptions back to the users.

Possible values:

  • A comma separated list of valid exception modules

Related options:

  • None

api_limit_max = 1000

integer value

Maximum number of results that could be returned by a request.

As described in the help text of limit_param_default, some requests may return multiple results. The number of results to be returned is governed either by the limit parameter in the request or the limit_param_default configuration option. The value in either case can’t be greater than the absolute maximum defined by this configuration option. Anything greater than this value is trimmed down to the maximum value defined here.

Note

Setting this to a very large value may slow down database queries and increase response times. Setting this to a very low value may result in poor user experience.

Possible values:

  • Any positive integer

Related options:

  • limit_param_default

auth_region = None

string value

The region for the authentication service. If "use_user_token" is not in effect and using keystone auth, then region name can be specified.

auth_strategy = noauth

string value

The strategy to use for authentication. If "use_user_token" is not in effect, then auth strategy can be specified.

auth_url = None

string value

The URL to the keystone service. If "use_user_token" is not in effect and using keystone auth, then URL of keystone can be specified.

backlog = 4096

integer value

Set the number of incoming connection requests.

Provide a positive integer value to limit the number of requests in the backlog queue. The default queue size is 4096.

An incoming connection to a TCP listener socket is queued before a connection can be established with the server. Setting the backlog for a TCP socket ensures a limited queue size for incoming traffic.

Possible values:

  • Positive integer

Related options:

  • None

bind_host = 0.0.0.0

host address value

IP address to bind the glance servers to.

Provide an IP address to bind the glance server to. The default value is 0.0.0.0.

Edit this option to enable the server to listen on one particular IP address on the network card. This facilitates selection of a particular network interface for the server.

Possible values:

  • A valid IPv4 address
  • A valid IPv6 address

Related options:

  • None

bind_port = None

port value

Port number on which the server will listen.

Provide a valid port number to bind the server’s socket to. This port is then set to identify processes and forward network messages that arrive at the server. The default bind_port value for the API server is 9292 and for the registry server is 9191.

Possible values:

  • A valid port number (0 to 65535)

Related options:

  • None

ca_file = None

string value

Absolute path to the CA file.

Provide a string value representing a valid absolute path to the Certificate Authority file to use for client authentication.

A CA file typically contains necessary trusted certificates to use for the client authentication. This is essential to ensure that a secure connection is established to the server via the internet.

Possible values:

  • Valid absolute path to the CA file

Related options:

  • None

cert_file = None

string value

Absolute path to the certificate file.

Provide a string value representing a valid absolute path to the certificate file which is required to start the API service securely.

A certificate file typically is a public key container and includes the server’s public key, server name, server information and the signature which was a result of the verification process using the CA certificate. This is required for a secure connection establishment.

Possible values:

  • Valid absolute path to the certificate file

Related options:

  • None

client_socket_timeout = 900

integer value

Timeout for client connections' socket operations.

Provide a valid integer value representing time in seconds to set the period of wait before an incoming connection can be closed. The default value is 900 seconds.

The value zero implies wait forever.

Possible values:

  • Zero
  • Positive integer

Related options:

  • None

conn_pool_min_size = 2

integer value

The pool size limit for connections expiration policy

conn_pool_ttl = 1200

integer value

The time-to-live in sec of idle connections in the pool

control_exchange = openstack

string value

The default exchange under which topics are scoped. May be overridden by an exchange name specified in the transport_url option.

data_api = glance.db.sqlalchemy.api

string value

Python module path of data access API.

Specifies the path to the API to use for accessing the data model. This option determines how the image catalog data will be accessed.

Possible values:

  • glance.db.sqlalchemy.api
  • glance.db.registry.api
  • glance.db.simple.api

If this option is set to glance.db.sqlalchemy.api then the image catalog data is stored in and read from the database via the SQLAlchemy Core and ORM APIs.

Setting this option to glance.db.registry.api will force all database access requests to be routed through the Registry service. This avoids data access from the Glance API nodes for an added layer of security, scalability and manageability.

Note

In v2 OpenStack Images API, the registry service is optional. In order to use the Registry API in v2, the option enable_v2_registry must be set to True.

Finally, when this configuration option is set to glance.db.simple.api, image catalog data is stored in and read from an in-memory data structure. This is primarily used for testing.

Related options:

  • enable_v2_api
  • enable_v2_registry

debug = False

boolean value

If set to true, the logging level will be set to DEBUG instead of the default INFO level.

default_log_levels = ['amqp=WARN', 'amqplib=WARN', 'boto=WARN', 'qpid=WARN', 'sqlalchemy=WARN', 'suds=INFO', 'oslo.messaging=INFO', 'oslo_messaging=INFO', 'iso8601=WARN', 'requests.packages.urllib3.connectionpool=WARN', 'urllib3.connectionpool=WARN', 'websocket=WARN', 'requests.packages.urllib3.util.retry=WARN', 'urllib3.util.retry=WARN', 'keystonemiddleware=WARN', 'routes.middleware=WARN', 'stevedore=WARN', 'taskflow=WARN', 'keystoneauth=WARN', 'oslo.cache=INFO', 'oslo_policy=INFO', 'dogpile.core.dogpile=INFO']

list value

List of package logging levels in logger=LEVEL pairs. This option is ignored if log_config_append is set.

default_publisher_id = image.localhost

string value

Default publisher_id for outgoing Glance notifications.

This is the value that the notification driver will use to identify messages for events originating from the Glance service. Typically, this is the hostname of the instance that generated the message.

Possible values:

  • Any reasonable instance identifier, for example: image.host1

Related options:

  • None

delayed_delete = False

boolean value

Turn on/off delayed delete.

Typically when an image is deleted, the glance-api service puts the image into deleted state and deletes its data at the same time. Delayed delete is a feature in Glance that delays the actual deletion of image data until a later point in time (as determined by the configuration option scrub_time). When delayed delete is turned on, the glance-api service puts the image into pending_delete state upon deletion and leaves the image data in the storage backend for the image scrubber to delete at a later time. The image scrubber will move the image into deleted state upon successful deletion of image data.

Note

When delayed delete is turned on, image scrubber MUST be running as a periodic task to prevent the backend storage from filling up with undesired usage.

Possible values:

  • True
  • False

Related options:

  • scrub_time
  • wakeup_time
  • scrub_pool_size

digest_algorithm = sha256

string value

Digest algorithm to use for digital signature.

Provide a string value representing the digest algorithm to use for generating digital signatures. By default, sha256 is used.

To get a list of the available algorithms supported by the version of OpenSSL on your platform, run the command: openssl list-message-digest-algorithms. Examples are sha1, sha256, and sha512.

Note

digest_algorithm is not related to Glance’s image signing and verification. It is only used to sign the universally unique identifier (UUID) as a part of the certificate file and key file validation.

Possible values:

  • An OpenSSL message digest algorithm identifier

Related options:

  • None

disabled_notifications = []

list value

List of notifications to be disabled.

Specify a list of notifications that should not be emitted. A notification can be given either as a notification type to disable a single event notification, or as a notification group prefix to disable all event notifications within a group.

Possible values:

A comma-separated list of individual notification types or notification groups to be disabled. Currently supported groups:

  • image
  • image.member
  • task
  • metadef_namespace
  • metadef_object
  • metadef_property
  • metadef_resource_type
  • metadef_tag

For a complete listing and description of each event refer to: http://docs.openstack.org/developer/glance/notifications.html

The values must be specified as: <group_name>.<event_name>

For example: image.create,task.success,metadef_tag

Related options:

  • None

enable_v1_registry = True

boolean value

DEPRECATED FOR REMOVAL

enable_v2_api = True

boolean value

Deploy the v2 OpenStack Images API.

When this option is set to True, Glance service will respond to requests on registered endpoints conforming to the v2 OpenStack Images API.

NOTES:

  • If this option is disabled, then the enable_v2_registry option, which is enabled by default, is also recommended to be disabled.

Possible values:

  • True
  • False

Related options:

  • enable_v2_registry

enable_v2_registry = True

boolean value

Deploy the v2 API Registry service.

When this option is set to True, the Registry service will be enabled in Glance for v2 API requests.

NOTES:

  • Use of Registry is optional in v2 API, so this option must only be enabled if both enable_v2_api is set to True and the data_api option is set to glance.db.registry.api.
  • If deploying only the v1 OpenStack Images API, this option, which is enabled by default, should be disabled.

Possible values:

  • True
  • False

Related options:

  • enable_v2_api
  • data_api

enabled_backends = None

dict value

Key:Value pair of store identifier and store type. Multiple backends should be separated using commas.

enabled_import_methods = ['glance-direct', 'web-download']

list value

List of enabled Image Import Methods

Both glance-direct and web-download are enabled by default.

Related options:

  • [DEFAULT]/node_staging_uri

executor_thread_pool_size = 64

integer value

Size of executor thread pool when executor is threading or eventlet.

fatal_deprecations = False

boolean value

Enables or disables fatal status of deprecations.

hashing_algorithm = sha512

string value

Secure hashing algorithm used for computing the os_hash_value property.

This option configures the Glance "multihash", which consists of two image properties: the os_hash_algo and the os_hash_value. The os_hash_algo will be populated by the value of this configuration option, and the os_hash_value will be populated by the hexdigest computed when the algorithm is applied to the uploaded or imported image data.

The value must be a valid secure hash algorithm name recognized by the python hashlib library. You can determine what these are by examining the hashlib.algorithms_available data member of the version of the library being used in your Glance installation. For interoperability purposes, however, we recommend that you use the set of secure hash names supplied by the hashlib.algorithms_guaranteed data member because those algorithms are guaranteed to be supported by the hashlib library on all platforms. Thus, any image consumer using hashlib locally should be able to verify the os_hash_value of the image.

The default value of sha512 is a performant secure hash algorithm.

If this option is misconfigured, any attempts to store image data will fail. For that reason, we recommend using the default value.

Possible values:

  • Any secure hash algorithm name recognized by the Python hashlib library

Related options:

  • None
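A consumer-side check of the multihash described above, as an added example that is not Glance's own code: it validates the os_hash_algo name against hashlib, then recomputes os_hash_value over the image data in chunks and compares it. The function names, the sample bytes and the rejection of md5/sha1 and variable-length digests are assumptions of this example.

```python
import hashlib
import hmac
import io

# Added policy of this example, not a Glance setting: digests with known
# collision attacks are refused even though hashlib offers them.
WEAK_ALGORITHMS = {"md5", "sha1"}

# Constructed bytes standing in for downloaded image data.
SAMPLE_IMAGE = b"constructed image payload\n" * 4096


def check_algorithm(name):
    """Validate an os_hash_algo name.

    Returns True when the name is in hashlib.algorithms_guaranteed (portable
    to every platform), False when it is only in algorithms_available.
    """
    if name not in hashlib.algorithms_available:
        raise ValueError(f"{name!r} is not known to this hashlib build")
    if name in WEAK_ALGORITHMS:
        raise ValueError(f"{name!r} is not a secure hash")
    if name.startswith("shake_"):
        # SHAKE digests need an explicit output length, which the
        # os_hash_algo / os_hash_value pair has no field for.
        raise ValueError(f"{name!r} is a variable-length digest")
    return name in hashlib.algorithms_guaranteed


def compute_os_hash_value(stream, algorithm, chunk_size=65536):
    """Hash a binary stream in chunks and return the hexdigest."""
    check_algorithm(algorithm)
    digest = hashlib.new(algorithm)
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        digest.update(chunk)
    return digest.hexdigest()


def verify_image(stream, os_hash_algo, os_hash_value):
    """Return True when the stream matches the advertised multihash."""
    computed = compute_os_hash_value(stream, os_hash_algo)
    expected = os_hash_value.strip().lower()
    # Constant-time comparison of the two hex strings.
    return hmac.compare_digest(computed.encode(), expected.encode())


if __name__ == "__main__":
    advertised = compute_os_hash_value(io.BytesIO(SAMPLE_IMAGE), "sha512")
    print("intact:  ", verify_image(io.BytesIO(SAMPLE_IMAGE), "sha512", advertised))
    print("tampered:", verify_image(io.BytesIO(SAMPLE_IMAGE + b"x"), "sha512", advertised))
```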

http_keepalive = True

boolean value

Set keep alive option for HTTP over TCP.

Provide a boolean value to determine sending of keep alive packets. If set to False, the server returns the header "Connection: close". If set to True, the server returns a "Connection: Keep-Alive" in its responses. This enables retention of the same TCP connection for HTTP conversations instead of opening a new one with each new request.

This option must be set to False if the client socket connection needs to be closed explicitly after the response is received and read successfully by the client.

Possible values:

  • True
  • False

Related options:

  • None

image_cache_dir = None

string value

Base directory for image cache.

This is the location where image data is cached and served out of. All cached images are stored directly under this directory. This directory also contains three subdirectories, namely, incomplete, invalid and queue.

The incomplete subdirectory is the staging area for downloading images. An image is first downloaded to this directory. When the image download is successful it is moved to the base directory. However, if the download fails, the partially downloaded image file is moved to the invalid subdirectory.

The queue subdirectory is used for queuing images for download. This is used primarily by the cache-prefetcher, which can be scheduled as a periodic task like cache-pruner and cache-cleaner, to cache images ahead of their usage. Upon receiving the request to cache an image, Glance touches a file in the queue directory with the image id as the file name. The cache-prefetcher, when running, polls for the files in queue directory and starts downloading them in the order they were created. When the download is successful, the zero-sized file is deleted from the queue directory. If the download fails, the zero-sized file remains and it’ll be retried the next time cache-prefetcher runs.

Possible values:

  • A valid path

Related options:

  • image_cache_sqlite_db

image_cache_driver = sqlite

string value

The driver to use for image cache management.

This configuration option provides the flexibility to choose between the different image-cache drivers available. An image-cache driver is responsible for providing the essential functions of image-cache like write images to/read images from cache, track age and usage of cached images, provide a list of cached images, fetch size of the cache, queue images for caching and clean up the cache, etc.

The essential functions of a driver are defined in the base class glance.image_cache.drivers.base.Driver. All image-cache drivers (existing and prospective) must implement this interface. Currently available drivers are sqlite and xattr. These drivers primarily differ in the way they store the information about cached images:

  • The sqlite driver uses a sqlite database (which sits on every glance node locally) to track the usage of cached images.
  • The xattr driver uses the extended attributes of files to store this information. It also requires a filesystem that sets atime on the files when accessed.

Possible values:

  • sqlite
  • xattr

Related options:

  • None

image_cache_max_size = 10737418240

integer value

The upper limit on cache size, in bytes, after which the cache-pruner cleans up the image cache.

Note

This is just a threshold for cache-pruner to act upon. It is NOT a hard limit beyond which the image cache would never grow. In fact, depending on how often the cache-pruner runs and how quickly the cache fills, the image cache can far exceed the size specified here very easily. Hence, care must be taken to appropriately schedule the cache-pruner and in setting this limit.

Glance caches an image when it is downloaded. Consequently, the size of the image cache grows over time as the number of downloads increases. To keep the cache size from becoming unmanageable, it is recommended to run the cache-pruner as a periodic task. When the cache pruner is kicked off, it compares the current size of image cache and triggers a cleanup if the image cache grew beyond the size specified here. After the cleanup, the size of cache is less than or equal to size specified here.

Possible values:

  • Any non-negative integer

Related options:

  • None

image_cache_sqlite_db = cache.db

string value

The relative path to sqlite file database that will be used for image cache management.

This is a relative path to the sqlite file database that tracks the age and usage statistics of image cache. The path is relative to image cache base directory, specified by the configuration option image_cache_dir.

This is a lightweight database with just one table.

Possible values:

  • A valid relative path to sqlite file database

Related options:

  • image_cache_dir

image_cache_stall_time = 86400

integer value

The amount of time, in seconds, an incomplete image remains in the cache.

Incomplete images are images for which download is in progress. Please see the description of configuration option image_cache_dir for more detail. Sometimes, due to various reasons, it is possible the download may hang and the incompletely downloaded image remains in the incomplete directory. This configuration option sets a time limit on how long the incomplete images should remain in the incomplete directory before they are cleaned up. Once an incomplete image spends more time than is specified here, it’ll be removed by cache-cleaner on its next run.

It is recommended to run cache-cleaner as a periodic task on the Glance API nodes to keep the incomplete images from occupying disk space.

Possible values:

  • Any non-negative integer

Related options:

  • None

image_location_quota = 10

integer value

Maximum number of locations allowed on an image.

Any negative value is interpreted as unlimited.

Related options:

  • None

image_member_quota = 128

integer value

Maximum number of image members per image.

This limits the maximum number of users an image can be shared with. Any negative value is interpreted as unlimited.

Related options:

  • None

image_property_quota = 128

integer value

Maximum number of properties allowed on an image.

This enforces an upper limit on the number of additional properties an image can have. Any negative value is interpreted as unlimited.

Note

This won’t have any impact if additional properties are disabled. Please refer to allow_additional_image_properties.

Related options:

  • allow_additional_image_properties

image_size_cap = 1099511627776

integer value

Maximum size of image a user can upload in bytes.

An image upload greater than the size mentioned here would result in an image creation failure. This configuration option defaults to 1099511627776 bytes (1 TiB).

NOTES:

  • This value should only be increased after careful consideration and must be set less than or equal to 8 EiB (9223372036854775808).
  • This value must be set with careful consideration of the backend storage capacity. Setting this to a very low value may result in a large number of image failures. And, setting this to a very large value may result in faster consumption of storage. Hence, this must be set according to the nature of images created and storage capacity available.

Possible values:

  • Any positive number less than or equal to 9223372036854775808

image_tag_quota = 128

integer value

Maximum number of tags allowed on an image.

Any negative value is interpreted as unlimited.

Related options:

  • None

`instance_format = [instance: %(uuid)s] `

string value

The format for an instance that is passed with the log message.

`instance_uuid_format = [instance: %(uuid)s] `

string value

The format for an instance UUID that is passed with the log message.

key_file = None

string value

Absolute path to a private key file.

Provide a string value representing a valid absolute path to a private key file which is required to establish the client-server connection.

Possible values:

  • Absolute path to the private key file

Related options:

  • None

limit_param_default = 25

integer value

The default number of results to return for a request.

Responses to certain API requests, like list images, may return multiple items. The number of results returned can be explicitly controlled by specifying the limit parameter in the API request. However, if a limit parameter is not specified, this configuration value will be used as the default number of results to be returned for any API request.

NOTES:

  • The value of this configuration option may not be greater than the value specified by api_limit_max.
  • Setting this to a very large value may slow down database queries and increase response times. Setting this to a very low value may result in poor user experience.

Possible values:

  • Any positive integer

Related options:

  • api_limit_max

location_strategy = location_order

string value

Strategy to determine the preference order of image locations.

This configuration option indicates the strategy to determine the order in which an image’s locations must be accessed to serve the image’s data. Glance then retrieves the image data from the first responsive active location it finds in this list.

This option takes one of two possible values location_order and store_type. The default value is location_order, which suggests that image data be served by using locations in the order they are stored in Glance. The store_type value sets the image location preference based on the order in which the storage backends are listed as a comma separated list for the configuration option store_type_preference.

Possible values:

  • location_order
  • store_type

Related options:

  • store_type_preference

log-config-append = None

string value

The name of a logging configuration file. This file is appended to any existing logging configuration files. For details about logging configuration files, see the Python logging module documentation. Note that when logging configuration files are used then all logging configuration is set in the configuration file and other logging configuration options are ignored (for example, log-date-format).

log-date-format = %Y-%m-%d %H:%M:%S

string value

Defines the format string for %(asctime)s in log records. Default: %Y-%m-%d %H:%M:%S. This option is ignored if log_config_append is set.

log-dir = None

string value

(Optional) The base directory used for relative log_file paths. This option is ignored if log_config_append is set.

log-file = None

string value

(Optional) Name of log file to send logging output to. If no default is set, logging will go to stderr as defined by use_stderr. This option is ignored if log_config_append is set.

log_rotate_interval = 1

integer value

The amount of time before the log files are rotated. This option is ignored unless log_rotation_type is set to "interval".

log_rotate_interval_type = days

string value

Rotation interval type. The time of the last file change (or the time when the service was started) is used when scheduling the next rotation.

log_rotation_type = none

string value

Log rotation type.

logging_context_format_string = %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [%(request_id)s %(user_identity)s] %(instance)s%(message)s

string value

Format string to use for log messages with context. Used by oslo_log.formatters.ContextFormatter

logging_debug_format_suffix = %(funcName)s %(pathname)s:%(lineno)d

string value

Additional data to append to log message when logging level for the message is DEBUG. Used by oslo_log.formatters.ContextFormatter

logging_default_format_string = %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [-] %(instance)s%(message)s

string value

Format string to use for log messages when context is undefined. Used by oslo_log.formatters.ContextFormatter

logging_exception_prefix = %(asctime)s.%(msecs)03d %(process)d ERROR %(name)s %(instance)s

string value

Prefix each line of exception output with this format. Used by oslo_log.formatters.ContextFormatter

logging_user_identity_format = %(user)s %(tenant)s %(domain)s %(user_domain)s %(project_domain)s

string value

Defines the format string for %(user_identity)s that is used in logging_context_format_string. Used by oslo_log.formatters.ContextFormatter

max_header_line = 16384

integer value

Maximum line size of message headers.

Provide an integer value representing a length to limit the size of message headers. The default value is 16384.

Note

max_header_line may need to be increased when using large tokens (typically those generated by the Keystone v3 API with big service catalogs). However, keep in mind that larger values for max_header_line would flood the logs.

Setting max_header_line to 0 sets no limit for the line size of message headers.

Possible values:

  • 0
  • Positive integer

Related options:

  • None

max_logfile_count = 30

integer value

Maximum number of rotated log files.

max_logfile_size_mb = 200

integer value

Log file maximum size in MB. This option is ignored if "log_rotation_type" is not set to "size".

max_request_id_length = 64

integer value

Limit the request ID length.

Provide an integer value to limit the length of the request ID to the specified length. The default value is 64. Users can change this to any integer value between 0 and 16384, keeping in mind that a larger value may flood the logs.

Possible values:

  • Integer value between 0 and 16384

Related options:

  • None

metadata_encryption_key = None

string value

AES key for encrypting store location metadata.

Provide a string value representing the AES cipher to use for encrypting Glance store metadata.

Note

The AES key to use must be set to a random string of length 16, 24 or 32 bytes.

Possible values:

  • String value representing a valid AES key

Related options:

  • None

node_staging_uri = file:///tmp/staging/

string value

The URL of the location where the temporary data will be stored.

This option is for Glance internal use only. Glance saves the image data uploaded by the user to the staging endpoint during the image import process.

This option does not change the staging API endpoint by any means.

Note

Using the same path as [task]/work_dir is discouraged.

Note

file://<absolute-directory-path> is the only option api_image_import flow will support for now.

Note

The staging path must be on a shared filesystem available to all Glance API nodes.

Possible values:

  • String starting with file:// followed by absolute FS path

Related options:

  • [task]/work_dir

owner_is_tenant = True

boolean value

Set the image owner to tenant or the authenticated user.

Assign a boolean value to determine the owner of an image. When set to True, the owner of the image is the tenant. When set to False, the owner of the image will be the authenticated user issuing the request. Setting it to False makes the image private to the associated user and sharing with other users within the same tenant (or "project") requires explicit image sharing via image membership.

Possible values:

  • True
  • False

Related options:

  • None

property_protection_file = None

string value

The location of the property protection file.

Provide a valid path to the property protection file which contains the rules for property protections and the roles/policies associated with them.

A property protection file, when set, restricts the Glance image properties to be created, read, updated and/or deleted by a specific set of users that are identified by either roles or policies. If this configuration option is not set, by default, property protections won’t be enforced. If a value is specified and the file is not found, the glance-api service will fail to start. More information on property protections can be found at: https://docs.openstack.org/glance/latest/admin/property-protections.html

Possible values:

  • Empty string
  • Valid path to the property protection configuration file

Related options:

  • property_protection_rule_format

property_protection_rule_format = roles

string value

Rule format for property protection.

Provide the desired way to set property protection on Glance image properties. The two permissible values are roles and policies. The default value is roles.

If the value is roles, the property protection file must contain a comma separated list of user roles indicating permissions for each of the CRUD operations on each property being protected. If set to policies, a policy defined in policy.json is used to express property protections for each of the CRUD operations. Examples of how property protections are enforced based on roles or policies can be found at: https://docs.openstack.org/glance/latest/admin/property-protections.html#examples

Possible values:

  • roles
  • policies

Related options:

  • property_protection_file

public_endpoint = None

string value

Public url endpoint to use for Glance versions response.

This is the public url endpoint that will appear in the Glance "versions" response. If no value is specified, the endpoint that is displayed in the version’s response is that of the host running the API service. Change the endpoint to represent the proxy URL if the API service is running behind a proxy. If the service is running behind a load balancer, add the load balancer’s URL for this value.

Possible values:

  • None
  • Proxy URL
  • Load balancer URL

Related options:

  • None

publish_errors = False

boolean value

Enables or disables publication of error events.

pydev_worker_debug_host = None

host address value

Host address of the pydev server.

Provide a string value representing the hostname or IP of the pydev server to use for debugging. The pydev server listens for debug connections on this address, facilitating remote debugging in Glance.

Possible values:

  • Valid hostname
  • Valid IP address

Related options:

  • None

pydev_worker_debug_port = 5678

port value

Port number that the pydev server will listen on.

Provide a port number to bind the pydev server to. The pydev process accepts debug connections on this port and facilitates remote debugging in Glance.

Possible values:

  • A valid port number

Related options:

  • None

rate_limit_burst = 0

integer value

Maximum number of logged messages per rate_limit_interval.

rate_limit_except_level = CRITICAL

string value

Log level name used by rate limiting: CRITICAL, ERROR, INFO, WARNING, DEBUG or empty string. Logs with level greater or equal to rate_limit_except_level are not filtered. An empty string means that all levels are filtered.

rate_limit_interval = 0

integer value

Interval, number of seconds, of log rate limiting.

registry_client_ca_file = None

string value

Absolute path to the Certificate Authority file.

Provide a string value representing a valid absolute path to the certificate authority file to use for establishing a secure connection to the registry server.

Note

This option must be set if registry_client_protocol is set to https. Alternatively, the GLANCE_CLIENT_CA_FILE environment variable may be set to a filepath of the CA file. This option is ignored if the registry_client_insecure option is set to True.

Possible values:

  • String value representing a valid absolute path to the CA file.

Related options:

  • registry_client_protocol
  • registry_client_insecure

registry_client_cert_file = None

string value

Absolute path to the certificate file.

Provide a string value representing a valid absolute path to the certificate file to use for establishing a secure connection to the registry server.

Note

This option must be set if registry_client_protocol is set to https. Alternatively, the GLANCE_CLIENT_CERT_FILE environment variable may be set to a filepath of the certificate file.

Possible values:

  • String value representing a valid absolute path to the certificate file.

Related options:

  • registry_client_protocol

registry_client_insecure = False

boolean value

Set verification of the registry server certificate.

Provide a boolean value to determine whether or not to validate SSL connections to the registry server. By default, this option is set to False and the SSL connections are validated.

If set to True, the connection to the registry server is not validated via a certifying authority and the registry_client_ca_file option is ignored. This is the registry’s equivalent of specifying --insecure on the command line using glanceclient for the API.

Possible values:

  • True
  • False

Related options:

  • registry_client_protocol
  • registry_client_ca_file

registry_client_key_file = None

string value

Absolute path to the private key file.

Provide a string value representing a valid absolute path to the private key file to use for establishing a secure connection to the registry server.

Note

This option must be set if registry_client_protocol is set to https. Alternatively, the GLANCE_CLIENT_KEY_FILE environment variable may be set to a filepath of the key file.

Possible values:

  • String value representing a valid absolute path to the key file.

Related options:

  • registry_client_protocol

registry_client_protocol = http

string value

Protocol to use for communication with the registry server.

Provide a string value representing the protocol to use for communication with the registry server. By default, this option is set to http and the connection is not secure.

This option can be set to https to establish a secure connection to the registry server. In this case, provide a key to use for the SSL connection using the registry_client_key_file option. Also include the CA file and cert file using the options registry_client_ca_file and registry_client_cert_file respectively.

Possible values:

  • http
  • https

Related options:

  • registry_client_key_file
  • registry_client_cert_file
  • registry_client_ca_file

registry_client_timeout = 600

integer value

Timeout value for registry requests.

Provide an integer value representing the period of time in seconds that the API server will wait for a registry request to complete. The default value is 600 seconds.

A value of 0 implies that a request will never timeout.

Possible values:

  • Zero
  • Positive integer

Related options:

  • None

registry_host = 0.0.0.0

host address value

Address the registry server is hosted on.

Possible values:

  • A valid IP or hostname

Related options:

  • None

registry_port = 9191

port value

Port the registry server is listening on.

Possible values:

  • A valid port number

Related options:

  • None

rpc_conn_pool_size = 30

integer value

Size of RPC connection pool.

rpc_response_timeout = 60

integer value

Seconds to wait for a response from a call.

scrub_pool_size = 1

integer value

The size of thread pool to be used for scrubbing images.

When there are a large number of images to scrub, it is beneficial to scrub images in parallel so that the scrub queue stays in control and the backend storage is reclaimed in a timely fashion. This configuration option denotes the maximum number of images to be scrubbed in parallel. The default value is one, which signifies serial scrubbing. Any value above one indicates parallel scrubbing.

Possible values:

  • Any non-zero positive integer

Related options:

  • delayed_delete

scrub_time = 0

integer value

The amount of time, in seconds, to delay image scrubbing.

When delayed delete is turned on, an image is put into pending_delete state upon deletion until the scrubber deletes its image data. Typically, soon after the image is put into pending_delete state, it is available for scrubbing. However, scrubbing can be delayed until a later point using this configuration option. This option denotes the time period an image spends in pending_delete state before it is available for scrubbing.

It is important to realize that this has storage implications. The larger the scrub_time, the longer the time to reclaim backend storage from deleted images.

Possible values:

  • Any non-negative integer

Related options:

  • delayed_delete

secure_proxy_ssl_header = None

string value

The HTTP header used to determine the scheme for the original request, even if it was removed by an SSL terminating proxy. Typical value is "HTTP_X_FORWARDED_PROTO".

send_identity_headers = False

boolean value

Send headers received from identity when making requests to registry.

Typically, Glance registry can be deployed in multiple flavors, which may or may not include authentication. For example, trusted-auth is a flavor that does not require the registry service to authenticate the requests it receives. However, the registry service may still need a user context to be populated to serve the requests. This can be achieved by the caller (the Glance API usually) passing through the headers it received from authenticating with identity for the same request. The typical headers sent are X-User-Id, X-Tenant-Id, X-Roles, X-Identity-Status and X-Service-Catalog.

Provide a boolean value to determine whether to send the identity headers to provide tenant and user information along with the requests to the registry service. By default, this option is set to False, which means that user and tenant information is not readily available and must be obtained by authenticating. Hence, if this is set to False, flavor must be set to a value that either includes authentication or an authenticated user context.

Possible values:

  • True
  • False

Related options:

  • flavor

show_image_direct_url = False

boolean value

Show direct image location when returning an image.

This configuration option indicates whether to show the direct image location when returning image details to the user. The direct image location is where the image data is stored in backend storage. This image location is shown under the image property direct_url.

When multiple image locations exist for an image, the best location is displayed based on the location strategy indicated by the configuration option location_strategy.

NOTES:

  • Revealing image locations can present a GRAVE SECURITY RISK as image locations can sometimes include credentials. Hence, this is set to False by default. Set this to True with EXTREME CAUTION and ONLY IF you know what you are doing!
  • If an operator wishes to avoid showing any image location(s) to the user, then both this option and show_multiple_locations MUST be set to False.

Possible values:

  • True
  • False

Related options:

  • show_multiple_locations
  • location_strategy

show_multiple_locations = False

boolean value

Show all image locations when returning an image.

This configuration option indicates whether to show all the image locations when returning image details to the user. When multiple image locations exist for an image, the locations are ordered based on the location strategy indicated by the configuration option location_strategy. The image locations are shown under the image property locations.

NOTES:

  • Revealing image locations can present a GRAVE SECURITY RISK as image locations can sometimes include credentials. Hence, this is set to False by default. Set this to True with EXTREME CAUTION and ONLY IF you know what you are doing!
  • See https://wiki.openstack.org/wiki/OSSN/OSSN-0065 for more information.
  • If an operator wishes to avoid showing any image location(s) to the user, then both this option and show_image_direct_url MUST be set to False.

Possible values:

  • True
  • False

Related options:

  • show_image_direct_url
  • location_strategy

syslog-log-facility = LOG_USER

string value

Syslog facility to receive log lines. This option is ignored if log_config_append is set.

tcp_keepidle = 600

integer value

Set the wait time before a connection recheck.

Provide a positive integer value representing time in seconds which is set as the idle wait time before a TCP keep alive packet can be sent to the host. The default value is 600 seconds.

Setting tcp_keepidle helps verify at regular intervals that a connection is intact and prevents frequent TCP connection reestablishment.

Possible values:

  • Positive integer value representing time in seconds

Related options:

  • None

transport_url = rabbit://

string value

The network address and optional user credentials for connecting to the messaging backend, in URL format. The expected format is:

driver://[user:pass@]host:port[,[userN:passN@]hostN:portN]/virtual_host?query

Example: rabbit://rabbitmq:password@127.0.0.1:5672//

For full details on the fields in the URL see the documentation of oslo_messaging.TransportURL at https://docs.openstack.org/oslo.messaging/latest/reference/transport.html

use-journal = False

boolean value

Enable journald for logging. If running in a systemd environment you may wish to enable journal support. Doing so will use the journal native protocol, which includes structured metadata in addition to log messages. This option is ignored if log_config_append is set.

use-json = False

boolean value

Use JSON formatting for logging. This option is ignored if log_config_append is set.

use-syslog = False

boolean value

Use syslog for logging. Existing syslog format is DEPRECATED and will be changed later to honor RFC5424. This option is ignored if log_config_append is set.

use_eventlog = False

boolean value

Log output to Windows Event Log.

use_stderr = False

boolean value

Log output to standard error. This option is ignored if log_config_append is set.

use_user_token = True

boolean value

Whether to pass through the user token when making requests to the registry. To prevent failures with token expiration during large file uploads, it is recommended to set this parameter to False. If "use_user_token" is not in effect, then admin credentials can be specified.

user_storage_quota = 0

string value

Maximum amount of image storage per tenant.

This enforces an upper limit on the cumulative storage consumed by all images of a tenant across all stores. This is a per-tenant limit.

The default unit for this configuration option is Bytes. However, storage units can be specified using case-sensitive literals B, KB, MB, GB and TB representing Bytes, KiloBytes, MegaBytes, GigaBytes and TeraBytes respectively. Note that there should not be any space between the value and unit. Value 0 signifies no quota enforcement. Negative values are invalid and result in errors.

Possible values:

  • A string that is a valid concatenation of a non-negative integer representing the storage value and an optional string literal representing storage units as mentioned above.

Related options:

  • None

watch-log-file = False

boolean value

Uses a logging handler designed to watch the file system. When the log file is moved or removed, this handler opens a new log file with the specified path instantaneously. It makes sense only if the log_file option is specified and the Linux platform is used. This option is ignored if log_config_append is set.

workers = None

integer value

Number of Glance worker processes to start.

Provide a non-negative integer value to set the number of child process workers to service requests. By default, workers is set to the number of available CPUs, limited to 8. For example, if the processor count is 6, 6 workers are used; if the processor count is 24, only 8 workers are used. The limit applies only to the default value: if 24 workers are configured, 24 are used.

Each worker process is made to listen on the port set in the configuration file and contains a greenthread pool of size 1000.

Note

Setting the number of workers to zero triggers the creation of a single API process with a greenthread pool of size 1000.

Possible values:

  • 0
  • Positive integer value (typically equal to the number of CPUs)

Related options:

  • None
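The security-relevant [DEFAULT] options described above can be checked together with a read-only audit of a glance-api.conf file. The following is an added example, not part of the original reference or of Glance itself; the function name audit_glance_api_conf, the sample configuration and the finding messages are assumptions made for illustration.

```python
import configparser
import os

# Constructed sample for illustration; not taken from a real deployment.
SAMPLE_CONF = """\
[DEFAULT]
show_image_direct_url = True
show_multiple_locations = False
registry_client_protocol = https
registry_client_insecure = True
registry_client_key_file = /etc/glance/registry-client.key
metadata_encryption_key = tooshort
pydev_worker_debug_host = 192.0.2.10
limit_param_default = 5000
api_limit_max = 1000
"""

_TRUE = {"true", "1", "yes", "on"}  # boolean spellings accepted by oslo.config
_AES_KEY_LENGTHS = (16, 24, 32)     # key lengths in bytes named in the reference
# Option name -> environment variable the reference names as an alternative.
_REGISTRY_TLS_FILES = {
    "registry_client_ca_file": "GLANCE_CLIENT_CA_FILE",
    "registry_client_cert_file": "GLANCE_CLIENT_CERT_FILE",
    "registry_client_key_file": "GLANCE_CLIENT_KEY_FILE",
}


def _get(opts, name, default=""):
    """Return the stripped value of an option, or default when unset or empty."""
    value = (opts.get(name) or "").strip()
    return value or default


def _is_true(opts, name):
    return _get(opts, name).lower() in _TRUE


def audit_glance_api_conf(text, env=None):
    """Return a list of (option, reason) findings for the [DEFAULT] group."""
    env = os.environ if env is None else env
    # interpolation=None: values such as the logging format strings contain %(...)s.
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(text)
    opts = parser.defaults()
    findings = []

    # Image locations can include credentials.
    for name in ("show_image_direct_url", "show_multiple_locations"):
        if _is_true(opts, name):
            findings.append(
                (name, "image locations are shown to users and can include credentials"))

    # Registry connection: http is the default and is not secure.
    if _get(opts, "registry_client_protocol", "http").lower() != "https":
        findings.append(
            ("registry_client_protocol", "connection to the registry server is not secure"))
    else:
        insecure = _is_true(opts, "registry_client_insecure")
        if insecure:
            findings.append(
                ("registry_client_insecure", "registry server certificate is not validated"))
        for name, env_name in _REGISTRY_TLS_FILES.items():
            if insecure and name == "registry_client_ca_file":
                continue  # the CA file is ignored when validation is switched off
            if not _get(opts, name) and not env.get(env_name):
                findings.append(
                    (name, "must be set for https (or supplied through %s)" % env_name))

    # The AES key must be 16, 24 or 32 bytes long.
    key = _get(opts, "metadata_encryption_key")
    if key and len(key.encode("utf-8")) not in _AES_KEY_LENGTHS:
        findings.append(
            ("metadata_encryption_key", "AES key must be 16, 24 or 32 bytes long"))

    # A pydev host means remote debugging is configured for this service.
    if _get(opts, "pydev_worker_debug_host"):
        findings.append(
            ("pydev_worker_debug_host", "remote debugging through a pydev server is configured"))

    # limit_param_default may not exceed api_limit_max; compared only when
    # api_limit_max is present in the file and both values are integers.
    try:
        limit = int(_get(opts, "limit_param_default", "25"))
        limit_max = int(_get(opts, "api_limit_max"))
    except ValueError:
        pass
    else:
        if limit > limit_max:
            findings.append(
                ("limit_param_default", "greater than api_limit_max (%d)" % limit_max))

    return findings


if __name__ == "__main__":
    for option, reason in audit_glance_api_conf(SAMPLE_CONF, env={}):
        print("%-28s %s" % (option, reason))
```

The audit only reads the file; in a Director-managed deployment any resulting change is still made through Director.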

3.1.2. cinder

The following table outlines the options available under the [cinder] group in the /etc/glance/glance-api.conf file.

Table 3.2. cinder

Configuration option = Default value

Type

Description

cinder_api_insecure = False

boolean value

Allow insecure SSL requests to cinder.

If this option is set to True, HTTPS endpoint connection is verified using the CA certificates file specified by cinder_ca_certificates_file option.

Possible values:

  • True
  • False

Related options:

  • cinder_ca_certificates_file

cinder_ca_certificates_file = None

string value

Location of a CA certificates file used for cinder client requests.

The specified CA certificates file, if set, is used to verify cinder connections via HTTPS endpoint. If the endpoint is HTTP, this value is ignored. cinder_api_insecure must be set to True to enable the verification.

Possible values:

  • Path to a ca certificates file

Related options:

  • cinder_api_insecure

cinder_catalog_info = volumev2::publicURL

string value

Information to match when looking for cinder in the service catalog.

When the cinder_endpoint_template is not set and any of cinder_store_auth_address, cinder_store_user_name, cinder_store_project_name, cinder_store_password is not set, cinder store uses this information to lookup cinder endpoint from the service catalog in the current context. cinder_os_region_name, if set, is taken into consideration to fetch the appropriate endpoint.

The service catalog can be listed by the openstack catalog list command.

Possible values:

  • A string of the following form: <service_type>:<service_name>:<interface>. At least service_type and interface should be specified. service_name can be omitted.

Related options:

  • cinder_os_region_name
  • cinder_endpoint_template
  • cinder_store_auth_address
  • cinder_store_user_name
  • cinder_store_project_name
  • cinder_store_password

cinder_endpoint_template = None

string value

Override service catalog lookup with template for cinder endpoint.

When this option is set, this value is used to generate cinder endpoint, instead of looking up from the service catalog. This value is ignored if cinder_store_auth_address, cinder_store_user_name, cinder_store_project_name, and cinder_store_password are specified.

If this configuration option is set, cinder_catalog_info will be ignored.

Possible values:

  • URL template string for cinder endpoint, where %%(tenant)s is replaced with the current tenant (project) name. For example: http://cinder.openstack.example.org/v2/%%(tenant)s

Related options:

  • cinder_store_auth_address
  • cinder_store_user_name
  • cinder_store_project_name
  • cinder_store_password
  • cinder_catalog_info

cinder_http_retries = 3

integer value

Number of cinderclient retries on failed http calls.

When a call fails with any error, cinderclient retries the call up to the specified number of times, sleeping a few seconds before each retry.

Possible values:

  • A positive integer

Related options:

  • None

cinder_os_region_name = None

string value

Region name to lookup cinder service from the service catalog.

This is used only when cinder_catalog_info is used for determining the endpoint. If set, the lookup for cinder endpoint by this node is filtered to the specified region. It is useful when multiple regions are listed in the catalog. If this is not set, the endpoint is looked up from every region.

Possible values:

  • A string that is a valid region name.

Related options:

  • cinder_catalog_info

cinder_state_transition_timeout = 300

integer value

Time period, in seconds, to wait for a cinder volume transition to complete.

When the cinder volume is created, deleted, or attached to the glance node to read/write the volume data, the volume’s state is changed. For example, the newly created volume status changes from creating to available after the creation process is completed. This specifies the maximum time to wait for the status change. If a timeout occurs while waiting, or the status is changed to an unexpected value (e.g. error), the image creation fails.

Possible values:

  • A positive integer

Related options:

  • None

cinder_store_auth_address = None

string value

The address where the cinder authentication service is listening.

When all of cinder_store_auth_address, cinder_store_user_name, cinder_store_project_name, and cinder_store_password options are specified, the specified values are always used for the authentication. This is useful to hide the image volumes from users by storing them in a project/tenant specific to the image service. It also enables users to share the image volume among other projects under the control of glance’s ACL.

If any of these options is not set, the cinder endpoint is looked up from the service catalog, and the current context’s user and project are used.

Possible values:

  • A valid authentication service address, for example: http://openstack.example.org/identity/v2.0

Related options:

  • cinder_store_user_name
  • cinder_store_password
  • cinder_store_project_name

cinder_store_password = None

string value

Password for the user authenticating against cinder.

This must be used with all the following related options. If any of these are not specified, the user of the current context is used.

Possible values:

  • A valid password for the user specified by cinder_store_user_name

Related options:

  • cinder_store_auth_address
  • cinder_store_user_name
  • cinder_store_project_name

cinder_store_project_name = None

string value

Project name where the image volume is stored in cinder.

If this configuration option is not set, the project in current context is used.

This must be used with all the following related options. If any of these are not specified, the project of the current context is used.

Possible values:

  • A valid project name

Related options:

  • cinder_store_auth_address
  • cinder_store_user_name
  • cinder_store_password

cinder_store_user_name = None

string value

User name to authenticate against cinder.

This must be used with all the following related options. If any of these are not specified, the user of the current context is used.

Possible values:

  • A valid user name

Related options:

  • cinder_store_auth_address
  • cinder_store_password
  • cinder_store_project_name

cinder_volume_type = None

string value

Volume type that will be used for volume creation in cinder.

Some cinder backends can have several volume types to optimize storage usage. Adding this option allows an operator to choose a specific volume type in cinder that can be optimized for images.

If this is not set, then the default volume type specified in the cinder configuration will be used for volume creation.

Possible values:

  • A valid volume type from cinder

Related options:

  • None

rootwrap_config = /etc/glance/rootwrap.conf

string value

Path to the rootwrap configuration file to use for running commands as root.

The cinder store requires root privileges to operate the image volumes (for connecting to iSCSI/FC volumes and reading/writing the volume data, etc.). The configuration file should allow the required commands by cinder store and os-brick library.

Possible values:

  • Path to the rootwrap config file

Related options:

  • None

3.1.3. cors

The following table outlines the options available under the [cors] group in the /etc/glance/glance-api.conf file.

Table 3.3. cors

Configuration option = Default value

Type

Description

allow_credentials = True

boolean value

Indicate that the actual request can include user credentials

allow_headers = ['Content-MD5', 'X-Image-Meta-Checksum', 'X-Storage-Token', 'Accept-Encoding', 'X-Auth-Token', 'X-Identity-Status', 'X-Roles', 'X-Service-Catalog', 'X-User-Id', 'X-Tenant-Id', 'X-OpenStack-Request-ID']

list value

Indicate which header field names may be used during the actual request.

allow_methods = ['GET', 'PUT', 'POST', 'DELETE', 'PATCH']

list value

Indicate which methods can be used during the actual request.

allowed_origin = None

list value

Indicate whether this resource may be shared with the domain received in the requests "origin" header. Format: "<protocol>://<host>[:<port>]", no trailing slash. Example: https://horizon.example.com

expose_headers = ['X-Image-Meta-Checksum', 'X-Auth-Token', 'X-Subject-Token', 'X-Service-Token', 'X-OpenStack-Request-ID']

list value

Indicate which headers are safe to expose to the API. Defaults to HTTP Simple Headers.

max_age = 3600

integer value

Maximum cache age of CORS preflight requests.

3.1.4. database

The following table outlines the options available under the [database] group in the /etc/glance/glance-api.conf file.

Table 3.4. database

Configuration option = Default value

Type

Description

backend = sqlalchemy

string value

The back end to use for the database.

connection = None

string value

The SQLAlchemy connection string to use to connect to the database.

connection_debug = 0

integer value

Verbosity of SQL debugging information: 0=None, 100=Everything.

`connection_parameters = `

string value

Optional URL parameters to append onto the connection URL at connect time; specify as param1=value1&param2=value2&…​

connection_recycle_time = 3600

integer value

Connections which have been present in the connection pool longer than this number of seconds will be replaced with a new one the next time they are checked out from the pool.

connection_trace = False

boolean value

Add Python stack traces to SQL as comment strings.

db_inc_retry_interval = True

boolean value

If True, increases the interval between retries of a database operation up to db_max_retry_interval.

db_max_retries = 20

integer value

Maximum retries in case of connection error or deadlock error before error is raised. Set to -1 to specify an infinite retry count.

db_max_retry_interval = 10

integer value

If db_inc_retry_interval is set, the maximum seconds between retries of a database operation.

db_retry_interval = 1

integer value

Seconds between retries of a database transaction.

max_overflow = 50

integer value

If set, use this value for max_overflow with SQLAlchemy.

max_pool_size = 5

integer value

Maximum number of SQL connections to keep open in a pool. Setting a value of 0 indicates no limit.

max_retries = 10

integer value

Maximum number of database connection retries during startup. Set to -1 to specify an infinite retry count.

min_pool_size = 1

integer value

Minimum number of SQL connections to keep open in a pool.

mysql_enable_ndb = False

boolean value

If True, transparently enables support for handling MySQL Cluster (NDB).

mysql_sql_mode = TRADITIONAL

string value

The SQL mode to be used for MySQL sessions. This option, including the default, overrides any server-set SQL mode. To use whatever SQL mode is set by the server configuration, set this to no value. Example: mysql_sql_mode=

pool_timeout = None

integer value

If set, use this value for pool_timeout with SQLAlchemy.

retry_interval = 10

integer value

Interval between retries of opening a SQL connection.

slave_connection = None

string value

The SQLAlchemy connection string to use to connect to the slave database.

sqlite_synchronous = True

boolean value

If True, SQLite uses synchronous mode.

use_db_reconnect = False

boolean value

Enable the experimental use of database reconnect on connection lost.

use_tpool = False

boolean value

Enable the experimental use of thread pooling for all DB API calls.

3.1.5. file

The following table outlines the options available under the [file] group in the /etc/glance/glance-api.conf file.

Table 3.5. file

Configuration option = Default value

Type

Description

filesystem_store_chunk_size = 65536

integer value

Chunk size, in bytes.

The chunk size used when reading or writing image files. Raising this value may improve the throughput but it may also slightly increase the memory usage when handling a large number of requests.

Possible Values:

  • Any positive integer value

Related options:

  • None

filesystem_store_datadir = /var/lib/glance/images

string value

Directory to which the filesystem backend store writes images.

Upon start up, Glance creates the directory if it doesn’t already exist and verifies write access for the user under which glance-api runs. If the write access isn’t available, a BadStoreConfiguration exception is raised and the filesystem store may not be available for adding new images.

Note

This directory is used only when filesystem store is used as a storage backend. Either filesystem_store_datadir or filesystem_store_datadirs option must be specified in glance-api.conf. If both options are specified, a BadStoreConfiguration will be raised and the filesystem store may not be available for adding new images.

Possible values:

  • A valid path to a directory

Related options:

  • filesystem_store_datadirs
  • filesystem_store_file_perm

filesystem_store_datadirs = None

multi valued

List of directories and their priorities to which the filesystem backend store writes images.

The filesystem store can be configured to store images in multiple directories as opposed to using a single directory specified by the filesystem_store_datadir configuration option. When using multiple directories, each directory can be given an optional priority to specify the preference order in which they should be used. Priority is an integer that is concatenated to the directory path with a colon where a higher value indicates higher priority. When two directories have the same priority, the directory with most free space is used. When no priority is specified, it defaults to zero.

More information on configuring filesystem store with multiple store directories can be found at https://docs.openstack.org/glance/latest/configuration/configuring.html

Note

This directory is used only when filesystem store is used as a storage backend. Either filesystem_store_datadir or filesystem_store_datadirs option must be specified in glance-api.conf. If both options are specified, a BadStoreConfiguration will be raised and the filesystem store may not be available for adding new images.

Possible values:

  • List of strings of the following form:

    • <a valid directory path>:<optional integer priority>

Related options:

  • filesystem_store_datadir
  • filesystem_store_file_perm

filesystem_store_file_perm = 0

integer value

File access permissions for the image files.

Set the intended file access permissions for image data. This provides a way to enable other services, e.g. Nova, to consume images directly from the filesystem store. The users running the services that are intended to be given access to could be made a member of the group that owns the files created. Assigning a value less than or equal to zero for this configuration option signifies that no changes be made to the default permissions. This value will be decoded as an octal digit.

For more information, please refer to the documentation at https://docs.openstack.org/glance/latest/configuration/configuring.html

Possible values:

  • A valid file access permission
  • Zero
  • Any negative integer

Related options:

  • None

filesystem_store_metadata_file = None

string value

Filesystem store metadata file.

The path to a file which contains the metadata to be returned with any location associated with the filesystem store. The file must contain a valid JSON object. The object should contain the keys id and mountpoint. The value for both keys should be a string.

Possible values:

  • A valid path to the store metadata file

Related options:

  • None

3.1.6. glance.store.http.store

The following table outlines the options available under the [glance.store.http.store] group in the /etc/glance/glance-api.conf file.

Table 3.6. glance.store.http.store

Configuration option = Default value

Type

Description

http_proxy_information = {}

dict value

The http/https proxy information to be used to connect to the remote server.

This configuration option specifies the http/https proxy information that should be used to connect to the remote server. The proxy information should be a key value pair of the scheme and proxy, for example, http:10.0.0.1:3128. You can also specify proxies for multiple schemes by separating the key value pairs with a comma, for example, http:10.0.0.1:3128, https:10.0.0.1:1080.

Possible values:

  • A comma separated list of scheme:proxy pairs as described above

Related options:

  • None

https_ca_certificates_file = None

string value

Path to the CA bundle file.

This configuration option enables the operator to use a custom Certificate Authority file to verify the remote server certificate. If this option is set, the https_insecure option will be ignored and the CA file specified will be used to authenticate the server certificate and establish a secure connection to the server.

Possible values:

  • A valid path to a CA file

Related options:

  • https_insecure

https_insecure = True

boolean value

Set verification of the remote server certificate.

This configuration option takes in a boolean value to determine whether or not to verify the remote server certificate. If set to True, the remote server certificate is not verified. If the option is set to False, then the default CA truststore is used for verification.

This option is ignored if https_ca_certificates_file is set. The remote server certificate will then be verified using the file specified using the https_ca_certificates_file option.

Possible values:

  • True
  • False

Related options:

  • https_ca_certificates_file

3.1.7. glance.store.rbd.store

The following table outlines the options available under the [glance.store.rbd.store] group in the /etc/glance/glance-api.conf file.

Table 3.7. glance.store.rbd.store

Configuration option = Default value

Type

Description

rados_connect_timeout = 0

integer value

Timeout value for connecting to Ceph cluster.

This configuration option takes in the timeout value in seconds used when connecting to the Ceph cluster i.e. it sets the time to wait for glance-api before closing the connection. This prevents glance-api hangups during the connection to RBD. If the value for this option is set to less than or equal to 0, no timeout is set and the default librados value is used.

Possible Values:

  • Any integer value

Related options:

  • None

rbd_store_ceph_conf = /etc/ceph/ceph.conf

string value

Ceph configuration file path.

This configuration option takes in the path to the Ceph configuration file to be used. If the value for this option is not set by the user or is set to None, librados will locate the default configuration file which is located at /etc/ceph/ceph.conf. If using Cephx authentication, this file should include a reference to the right keyring in a client.<USER> section.

Possible Values:

  • A valid path to a configuration file

Related options:

  • rbd_store_user

rbd_store_chunk_size = 8

integer value

Size, in megabytes, to chunk RADOS images into.

Provide an integer value representing the size in megabytes to chunk Glance images into. The default chunk size is 8 megabytes. For optimal performance, the value should be a power of two.

When Ceph’s RBD object storage system is used as the storage backend for storing Glance images, the images are chunked into objects of the size set using this option. These chunked objects are then stored across the distributed block data store to use for Glance.

Possible Values:

  • Any positive integer value

Related options:

  • None

rbd_store_pool = images

string value

RADOS pool in which images are stored.

When RBD is used as the storage backend for storing Glance images, the images are stored by means of logical grouping of the objects (chunks of images) into a pool. Each pool is defined with the number of placement groups it can contain. The default pool that is used is images.

More information on the RBD storage backend can be found here: http://ceph.com/planet/how-data-is-stored-in-ceph-cluster/

Possible Values:

  • A valid pool name

Related options:

  • None

rbd_store_user = None

string value

RADOS user to authenticate as.

This configuration option takes in the RADOS user to authenticate as. This is only needed when RADOS authentication is enabled and is applicable only if the user is using Cephx authentication. If the value for this option is not set by the user or is set to None, a default value will be chosen, which will be based on the client. section in rbd_store_ceph_conf.

Possible Values:

  • A valid RADOS user

Related options:

  • rbd_store_ceph_conf

3.1.8. glance.store.sheepdog.store

The following table outlines the options available under the [glance.store.sheepdog.store] group in the /etc/glance/glance-api.conf file.

Table 3.8. glance.store.sheepdog.store

Configuration option = Default value

Type

Description

sheepdog_store_address = 127.0.0.1

host address value

Address to bind the Sheepdog daemon to.

Provide a string value representing the address to bind the Sheepdog daemon to. The default address set for the sheep is 127.0.0.1.

The Sheepdog daemon, also called sheep, manages the storage in the distributed cluster by writing objects across the storage network. It identifies and acts on the messages directed to the address set using sheepdog_store_address option to store chunks of Glance images.

Possible values:

  • A valid IPv4 address
  • A valid IPv6 address
  • A valid hostname

Related Options:

  • sheepdog_store_port

sheepdog_store_chunk_size = 64

integer value

Chunk size for images to be stored in Sheepdog data store.

Provide an integer value representing the size in mebibytes (1 mebibyte = 1048576 bytes) to chunk Glance images into. The default chunk size is 64 mebibytes.

When using Sheepdog distributed storage system, the images are chunked into objects of this size and then stored across the distributed data store to use for Glance.

Chunk sizes, if a power of two, help avoid fragmentation and enable improved performance.

Possible values:

  • Positive integer value representing size in mebibytes.

Related Options:

  • None

sheepdog_store_port = 7000

port value

Port number on which the sheep daemon will listen.

Provide an integer value representing a valid port number on which you want the Sheepdog daemon to listen. The default port is 7000.

The Sheepdog daemon, also called sheep, manages the storage in the distributed cluster by writing objects across the storage network. It identifies and acts on the messages it receives on the port number set using sheepdog_store_port option to store chunks of Glance images.

Possible values:

  • A valid port number (0 to 65535)

Related Options:

  • sheepdog_store_address

3.1.9. glance.store.swift.store

The following table outlines the options available under the [glance.store.swift.store] group in the /etc/glance/glance-api.conf file.

Table 3.9. glance.store.swift.store

Configuration option = Default value

Type

Description

default_swift_reference = ref1

string value

Reference to default Swift account/backing store parameters.

Provide a string value representing a reference to the default set of parameters required for using swift account/backing store for image storage. The default reference value for this configuration option is ref1. This configuration option dereferences the parameters and facilitates image storage in Swift storage backend every time a new image is added.

Possible values:

  • A valid string value

Related options:

  • None

swift_buffer_on_upload = False

boolean value

Buffer image segments before upload to Swift.

Provide a boolean value to indicate whether or not Glance should buffer image data to disk while uploading to swift. This enables Glance to resume uploads on error.

NOTES: When enabling this option, one should take great care as this increases disk usage on the API node. Be aware that depending upon how the file system is configured, the disk space used for buffering may decrease the actual disk space available for the glance image cache. Disk utilization will cap according to the following equation: (swift_store_large_object_chunk_size * workers * 1000)

Possible values:

  • True
  • False

Related options:

  • swift_upload_buffer_dir

swift_store_admin_tenants = []

list value

List of tenants that will be granted admin access.

This is a list of tenants that will be granted read/write access on all Swift containers created by Glance in multi-tenant mode. The default value is an empty list.

Possible values:

  • A comma separated list of strings representing UUIDs of Keystone projects/tenants

Related options:

  • None

swift_store_auth_address = None

string value

The address where the Swift authentication service is listening.

swift_store_auth_insecure = False

boolean value

Set verification of the server certificate.

This boolean determines whether or not to verify the server certificate. If this option is set to True, swiftclient won’t check for a valid SSL certificate when authenticating. If the option is set to False, then the default CA truststore is used for verification.

Possible values:

  • True
  • False

Related options:

  • swift_store_cacert

swift_store_auth_version = 2

string value

Version of the authentication service to use. Valid versions are 2 and 3 for keystone and 1 (deprecated) for swauth and rackspace.

swift_store_cacert = None

string value

Path to the CA bundle file.

This configuration option enables the operator to specify the path to a custom Certificate Authority file for SSL verification when connecting to Swift.

Possible values:

  • A valid path to a CA file

Related options:

  • swift_store_auth_insecure

swift_store_config_file = None

string value

Absolute path to the file containing the swift account(s) configurations.

Include a string value representing the path to a configuration file that has references for each of the configured Swift account(s)/backing stores. By default, no file path is specified and customized Swift referencing is disabled. Configuring this option is highly recommended while using Swift storage backend for image storage as it avoids storage of credentials in the database.

Note

Please do not configure this option if you have set swift_store_multi_tenant to True.

Possible values:

  • String value representing an absolute path on the glance-api node

Related options:

  • swift_store_multi_tenant

swift_store_container = glance

string value

Name of the single container to store images, or the name prefix for multiple containers.

When a single container is being used to store images, this configuration option indicates the container within the Glance account to be used for storing all images. When multiple containers are used to store images, this will be the name prefix for all containers. Usage of single/multiple containers can be controlled using the configuration option swift_store_multiple_containers_seed.

When using multiple containers, the containers will be named after the value set for this configuration option with the first N chars of the image UUID as the suffix delimited by an underscore (where N is specified by swift_store_multiple_containers_seed).

Example: if the seed is set to 3 and swift_store_container = glance, then an image with UUID fdae39a1-bac5-4238-aba4-69bcc726e848 would be placed in the container glance_fda. All dashes in the UUID are included when creating the container name but do not count toward the character limit, so when N=10 the container name would be glance_fdae39a1-ba.

Possible values:

  • If using single container, this configuration option can be any string that is a valid swift container name in Glance’s Swift account
  • If using multiple containers, this configuration option can be any string as long as it satisfies the container naming rules enforced by Swift. The value of swift_store_multiple_containers_seed should be taken into account as well.

Related options:

  • swift_store_multiple_containers_seed
  • swift_store_multi_tenant
  • swift_store_create_container_on_put

swift_store_create_container_on_put = False

boolean value

Create container, if it doesn’t already exist, when uploading image.

At the time of uploading an image, if the corresponding container doesn’t exist, it will be created provided this configuration option is set to True. By default, it won’t be created. This behavior is applicable for both single and multiple containers mode.

Possible values:

  • True
  • False

Related options:

  • None

swift_store_endpoint = None

string value

The URL endpoint to use for Swift backend storage.

Provide a string value representing the URL endpoint to use for storing Glance images in Swift store. By default, an endpoint is not set and the storage URL returned by auth is used. Setting an endpoint with swift_store_endpoint overrides the storage URL and is used for Glance image storage.

Note

The URL should include the path up to, but excluding the container. The location of an object is obtained by appending the container and object to the configured URL.

Possible values:

  • String value representing a valid URL path up to a Swift container

Related Options:

  • None

swift_store_endpoint_type = publicURL

string value

Endpoint Type of Swift service.

This string value indicates the endpoint type to use to fetch the Swift endpoint. The endpoint type determines the actions the user will be allowed to perform, for instance, reading and writing to the Store. This setting is only used if swift_store_auth_version is greater than 1.

Possible values:

  • publicURL
  • adminURL
  • internalURL

Related options:

  • swift_store_endpoint

swift_store_expire_soon_interval = 60

integer value

Time in seconds defining the size of the window in which a new token may be requested before the current token is due to expire.

Typically, the Swift storage driver fetches a new token upon the expiration of the current token to ensure continued access to Swift. However, some Swift transactions (like uploading image segments) may not recover well if the token expires on the fly.

Hence, by fetching a new token before the current token expiration, we make sure that the token does not expire or is close to expiry before a transaction is attempted. By default, the Swift storage driver requests a new token 60 seconds or less before the current token expiration.

Possible values:

  • Zero
  • Positive integer value

Related Options:

  • None

swift_store_key = None

string value

Auth key for the user authenticating against the Swift authentication service.

swift_store_large_object_chunk_size = 200

integer value

The maximum size, in MB, of the segments when image data is segmented.

When image data is segmented to upload images that are larger than the limit enforced by the Swift cluster, image data is broken into segments that are no bigger than the size specified by this configuration option. Refer to swift_store_large_object_size for more detail.

For example: if swift_store_large_object_size is 5GB and swift_store_large_object_chunk_size is 1GB, an image of size 6.2GB will be segmented into 7 segments where the first six segments will be 1GB in size and the seventh segment will be 0.2GB.

Possible values:

  • A positive integer that is less than or equal to the large object limit enforced by Swift cluster in consideration.

Related options:

  • swift_store_large_object_size

swift_store_large_object_size = 5120

integer value

The size threshold, in MB, after which Glance will start segmenting image data.

Swift has an upper limit on the size of a single uploaded object. By default, this is 5GB. To upload objects bigger than this limit, objects are segmented into multiple smaller objects that are tied together with a manifest file. For more detail, refer to https://docs.openstack.org/swift/latest/overview_large_objects.html

This configuration option specifies the size threshold over which the Swift driver will start segmenting image data into multiple smaller files. Currently, the Swift driver only supports creating Dynamic Large Objects.

Note

This should be set by taking into account the large object limit enforced by the Swift cluster in consideration.

Possible values:

  • A positive integer that is less than or equal to the large object limit enforced by the Swift cluster in consideration.

Related options:

  • swift_store_large_object_chunk_size

swift_store_multi_tenant = False

boolean value

Store images in tenant’s Swift account.

This enables multi-tenant storage mode which causes Glance images to be stored in tenant specific Swift accounts. If this is disabled, Glance stores all images in its own account. More details on the multi-tenant store can be found at https://wiki.openstack.org/wiki/GlanceSwiftTenantSpecificStorage

Note

If using multi-tenant swift store, please make sure that you do not set a swift configuration file with the swift_store_config_file option.

Possible values:

  • True
  • False

Related options:

  • swift_store_config_file

swift_store_multiple_containers_seed = 0

integer value

Seed indicating the number of containers to use for storing images.

When using a single-tenant store, images can be stored in one or more containers. When set to 0, all images will be stored in one single container. When set to an integer value between 1 and 32, multiple containers will be used to store images. This configuration option will determine how many containers are created. The total number of containers that will be used is equal to 16^N, so if this config option is set to 2, then 16^2=256 containers will be used to store images.

Please refer to swift_store_container for more detail on the naming convention. More detail about using multiple containers can be found at https://specs.openstack.org/openstack/glance-specs/specs/kilo/swift-store-multiple-containers.html

Note

This is used only when swift_store_multi_tenant is disabled.

Possible values:

  • A non-negative integer less than or equal to 32

Related options:

  • swift_store_container
  • swift_store_multi_tenant
  • swift_store_create_container_on_put

swift_store_region = None

string value

The region of Swift endpoint to use by Glance.

Provide a string value representing a Swift region to which Glance can connect for image storage. By default, there is no region set.

When Glance uses Swift as the storage backend to store images for a specific tenant that has multiple endpoints, setting of a Swift region with swift_store_region allows Glance to connect to Swift in the specified region as opposed to a single region connectivity.

This option can be configured for both single-tenant and multi-tenant storage.

Note

Setting the region with swift_store_region is tenant-specific and is necessary only if the tenant has multiple endpoints across different regions.

Possible values:

  • A string value representing a valid Swift region.

Related Options:

  • None

swift_store_retry_get_count = 0

integer value

The number of times a Swift download will be retried before the request fails.

Provide an integer value representing the number of times an image download must be retried before erroring out. The default value is zero (no retry on a failed image download). When set to a positive integer value, swift_store_retry_get_count ensures that the download is attempted this many more times upon a download failure before sending an error message.

Possible values:

  • Zero
  • Positive integer value

Related Options:

  • None

swift_store_service_type = object-store

string value

Type of Swift service to use.

Provide a string value representing the service type to use for storing images while using Swift backend storage. The default service type is set to object-store.

Note

If swift_store_auth_version is set to 2, the value for this configuration option needs to be object-store. If using a higher version of Keystone or a different auth scheme, this option may be modified.

Possible values:

  • A string representing a valid service type for Swift storage.

Related Options:

  • None

swift_store_ssl_compression = True

boolean value

SSL layer compression for HTTPS Swift requests.

Provide a boolean value to determine whether or not to compress HTTPS Swift requests for images at the SSL layer. By default, compression is enabled.

When using Swift as the backend store for Glance image storage, SSL layer compression of HTTPS Swift requests can be set using this option. If set to False, SSL layer compression of HTTPS Swift requests is disabled. Disabling this option may improve performance for images which are already in a compressed format, for example, qcow2.

Possible values:

  • True
  • False

Related Options:

  • None

swift_store_use_trusts = True

boolean value

Use trusts for multi-tenant Swift store.

This option instructs the Swift store to create a trust for each add/get request when the multi-tenant store is in use. Using trusts allows the Swift store to avoid problems that can be caused by an authentication token expiring during the upload or download of data.

By default, swift_store_use_trusts is set to True (use of trusts is enabled). If set to False, a user token is used for the Swift connection instead, eliminating the overhead of trust creation.

Note

This option is considered only when swift_store_multi_tenant is set to True.

Possible values:

  • True
  • False

Related options:

  • swift_store_multi_tenant

swift_store_user = None

string value

The user to authenticate against the Swift authentication service.

swift_upload_buffer_dir = None

string value

Directory to buffer image segments before upload to Swift.

Provide a string value representing the absolute path to the directory on the glance node where image segments will be buffered briefly before they are uploaded to swift.

NOTES:

  • This is required only when the configuration option swift_buffer_on_upload is set to True.
  • This directory should be provisioned keeping in mind the swift_store_large_object_chunk_size and the maximum number of images that could be uploaded simultaneously by a given glance node.

Possible values:

  • String value representing an absolute directory path

Related options:

  • swift_buffer_on_upload
  • swift_store_large_object_chunk_size

3.1.10. glance.store.vmware_datastore.store

The following table outlines the options available under the [glance.store.vmware_datastore.store] group in the /etc/glance/glance-api.conf file.

Table 3.10. glance.store.vmware_datastore.store

Configuration option = Default value

Type

Description

vmware_api_retry_count = 10

integer value

The number of VMware API retries.

This configuration option specifies the number of times the VMware ESX/VC server API must be retried upon connection related issues or server API call overload. It is not possible to specify retry forever.

Possible Values:

  • Any positive integer value

Related options:

  • None

vmware_ca_file = None

string value

Absolute path to the CA bundle file.

This configuration option enables the operator to use a custom Certificate Authority file to verify the ESX/vCenter certificate.

If this option is set, the "vmware_insecure" option will be ignored and the CA file specified will be used to authenticate the ESX/vCenter server certificate and establish a secure connection to the server.

Possible Values:

  • Any string that is a valid absolute path to a CA file

Related options:

  • vmware_insecure

vmware_datastores = None

multi valued

The datastores where the image can be stored.

This configuration option specifies the datastores where the image can be stored in the VMWare store backend. This option may be specified multiple times for specifying multiple datastores. The datastore name should be specified after its datacenter path, separated by ":". An optional weight may be given after the datastore name, separated again by ":" to specify the priority. Thus, the required format becomes <datacenter_path>:<datastore_name>:<optional_weight>.

When adding an image, the datastore with highest weight will be selected, unless there is not enough free space available in cases where the image size is already known. If no weight is given, it is assumed to be zero and the directory will be considered for selection last. If multiple datastores have the same weight, then the one with the most free space available is selected.

Possible Values:

  • Any string of the format: <datacenter_path>:<datastore_name>:<optional_weight>

Related options:

  • None

vmware_insecure = False

boolean value

Set verification of the ESX/vCenter server certificate.

This configuration option takes a boolean value to determine whether or not to verify the ESX/vCenter server certificate. If this option is set to True, the ESX/vCenter server certificate is not verified. If this option is set to False, then the default CA truststore is used for verification.

This option is ignored if the "vmware_ca_file" option is set. In that case, the ESX/vCenter server certificate is verified using the file specified using the "vmware_ca_file" option.

Possible Values:

  • True
  • False

Related options:

  • vmware_ca_file
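The certificate verification rules described for https_insecure, swift_store_auth_insecure and vmware_insecure (documented defaults, and the CA file options that cause the insecure flag to be ignored) can be evaluated against a configuration file. The following Python code is an added example, not part of Glance or of this guide's generated content; it assumes the options sit in the groups named on this page, and the function names and sample file are constructed for illustration.

```python
import configparser

# Rules transcribed from this page. Each entry: group, insecure flag, documented
# default of that flag, CA bundle option, and whether the page states that a
# configured CA bundle causes the flag to be ignored.
TLS_RULES = [
    ("glance.store.http.store", "https_insecure", True,
     "https_ca_certificates_file", True),
    ("glance.store.swift.store", "swift_store_auth_insecure", False,
     "swift_store_cacert", False),
    ("glance.store.vmware_datastore.store", "vmware_insecure", False,
     "vmware_ca_file", True),
]

# Constructed sample input, not taken from a real deployment.
SAMPLE = """\
[DEFAULT]
debug = False

[glance.store.http.store]
# https_insecure is not set, so the documented default (True) applies

[glance.store.swift.store]
swift_store_auth_insecure = false
swift_store_cacert = /etc/pki/example/swift-ca.pem

[glance.store.vmware_datastore.store]
vmware_insecure = True
vmware_ca_file = /etc/pki/example/vcenter-ca.pem
"""


def load_conf(text):
    """Parse configuration text in a way that tolerates oslo-style files."""
    parser = configparser.ConfigParser(
        interpolation=None,            # a '%' in a value is literal
        strict=False,                  # multi valued options may repeat
        default_section="__unused__",  # keep [DEFAULT] out of other groups
    )
    parser.read_string(text)
    return parser


def audit_tls(text, rules=TLS_RULES):
    """Return one finding per rule with the effective verification state."""
    conf = load_conf(text)
    findings = []
    for group, flag, default, ca_opt, ca_overrides in rules:
        section = conf[group] if conf.has_section(group) else {}
        ca_file = (section.get(ca_opt) or "").strip()
        if ca_file and ca_overrides:
            # Page: the insecure flag is ignored once the CA file is set.
            verified, source = True, "ca_file"
        elif flag in section:
            # Assumption for Swift: the page states no precedence between
            # swift_store_cacert and the flag, so the flag alone decides.
            verified, source = not conf.getboolean(group, flag), "explicit"
        else:
            verified, source = not default, "default"
        findings.append({"group": group, "option": flag, "verified": verified,
                         "source": source, "ca_file": ca_file or None})
    return findings


def unverified(text):
    """Names of the insecure flags whose store would skip verification."""
    return [f["option"] for f in audit_tls(text) if not f["verified"]]


if __name__ == "__main__":
    for f in audit_tls(SAMPLE):
        state = "verified" if f["verified"] else "NOT verified"
        print(f"[{f['group']}] {f['option']}: {state} ({f['source']})")
```

An empty configuration still reports https_insecure, because the default documented on this page for that option is True.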

vmware_server_host = None

host address value

Address of the ESX/ESXi or vCenter Server target system.

This configuration option sets the address of the ESX/ESXi or vCenter Server target system. This option is required when using the VMware storage backend. The address can contain an IP address (127.0.0.1) or a DNS name (www.my-domain.com).

Possible Values:

  • A valid IPv4 or IPv6 address
  • A valid DNS name

Related options:

  • vmware_server_username
  • vmware_server_password

vmware_server_password = None

string value

Server password.

This configuration option takes the password for authenticating with the VMware ESX/ESXi or vCenter Server. This option is required when using the VMware storage backend.

Possible Values:

  • Any string that is a password corresponding to the username specified using the "vmware_server_username" option

Related options:

  • vmware_server_host
  • vmware_server_username

vmware_server_username = None

string value

Server username.

This configuration option takes the username for authenticating with the VMware ESX/ESXi or vCenter Server. This option is required when using the VMware storage backend.

Possible Values:

  • Any string that is the username for a user with appropriate privileges

Related options:

  • vmware_server_host
  • vmware_server_password

vmware_store_image_dir = /openstack_glance

string value

The directory where the glance images will be stored in the datastore.

This configuration option specifies the path to the directory where the glance images will be stored in the VMware datastore. If this option is not set, the default directory where the glance images are stored is openstack_glance.

Possible Values:

  • Any string that is a valid path to a directory