karbor.conf

DEFAULT

state_path
Type:string
Default:/var/lib/karbor

Top-level directory for maintaining karbor’s state

Deprecated Variations
Group Name
DEFAULT pybasedir

service_down_time
Type:integer
Default:60

Maximum time since last check-in for a service to be considered up

operationengine_topic
Type:string
Default:karbor-operationengine

The topic that OperationEngine nodes listen on

operationengine_manager
Type:string
Default:karbor.services.operationengine.manager.OperationEngineManager

Full class name for the Manager for OperationEngine

protection_topic
Type:string
Default:karbor-protection

The topic that protection nodes listen on

protection_manager
Type:string
Default:karbor.services.protection.manager.ProtectionManager

Full class name for the Manager for Protection

host
Type:host address
Default:ubuntu-xenial-rax-iad-0004962405

Name of this node. This can be an opaque identifier. It is not necessarily a host name, FQDN, or IP address.

auth_strategy
Type:string
Default:keystone
Valid Values:noauth, keystone

The strategy to use for auth. Supports noauth or keystone.

osapi_max_limit
Type:integer
Default:1000

The maximum number of items that a collection resource returns in a single response

osapi_karbor_base_URL
Type:string
Default:<None>

Base URL that will be presented to users in links to the OpenStack Karbor API

query_instance_filters
Type:list
Default:status

Instance filter options that non-admin users can use to query instances. Default values are: [‘status’]

query_provider_filters
Type:list
Default:name,description

Provider filter options that non-admin users can use to query providers. Default values are: [‘name’, ‘description’]

query_checkpoint_filters
Type:list
Default:project_id,plan_id,start_date,end_date

Checkpoint filter options that non-admin users can use to query checkpoints. Default values are: [‘project_id’, ‘plan_id’, ‘start_date’, ‘end_date’]

enable_new_services
Type:boolean
Default:true

Services to be added to the available pool on create

thread_count
Type:integer
Default:10

The number of threads that the executor will start

min_interval
Type:integer
Default:3600

The minimum interval between two adjacent time points. Must satisfy min_interval >= (max_window_time * 2)

min_window_time
Type:integer
Default:900

The minimum window time

max_window_time
Type:integer
Default:1800

The maximum window time

time_format
Type:string
Default:calendar
Valid Values:crontab, calendar

The type of time format which is used to compute time

trigger_poll_interval
Type:integer
Default:15

Interval, in seconds, in which Karbor will poll for trigger events

scheduling_strategy
Type:string
Default:multi_node

Time trigger scheduling strategy

retained_operation_log_number
Type:integer
Default:5

The number of operation logs to retain

sync_status_interval
Type:integer
Default:20

Interval at which the protection status is updated

workflow_engine
Type:string
Default:karbor.services.protection.flows.workflow.TaskFlowEngine

The workflow engine provides flow and task interface

provider_registry
Type:string
Default:provider-registry

The provider registry

max_concurrent_operations
Type:integer
Default:0

Maximum number of concurrent operation (protect, restore, delete) flows. 0 means no hard limit

tcp_keepalive
Type:boolean
Default:true

Sets the value of TCP_KEEPALIVE (True/False) for each server socket.

tcp_keepalive_interval
Type:integer
Default:<None>

Sets the value of TCP_KEEPINTVL in seconds for each server socket. Not supported on OS X.

tcp_keepalive_count
Type:integer
Default:<None>

Sets the value of TCP_KEEPCNT for each server socket. Not supported on OS X.

fatal_exception_format_errors
Type:boolean
Default:false

Make exception message format errors fatal.

report_interval
Type:integer
Default:10

Interval, in seconds, between nodes reporting state to datastore

periodic_interval
Type:integer
Default:60

Interval, in seconds, between running periodic tasks

periodic_fuzzy_delay
Type:integer
Default:60

Range, in seconds, to randomly delay when starting the periodic task OperationEngine to reduce stampeding. (Disable by setting to 0)

osapi_karbor_listen
Type:host address
Default:0.0.0.0

IP address on which OpenStack Karbor API listens

osapi_karbor_listen_port
Type:port number
Default:8799
Minimum Value:0
Maximum Value:65535

Port on which OpenStack Karbor API listens

osapi_karbor_workers
Type:integer
Default:<None>

Number of workers for OpenStack Karbor API service. The default is equal to the number of CPUs available.

cinder_client

service_name
Type:string
Default:<None>

The name of service registered in Keystone

service_type
Type:string
Default:<None>

The type of service registered in Keystone

version
Type:string
Default:<None>

The version of service client

region_id
Type:string
Default:RegionOne

The region id which the service belongs to.

interface
Type:string
Default:internal

The network interface of the endpoint. Valid values are: public, admin, internal.

ca_cert_file
Type:string
Default:<None>

Location of the CA certificate file to use for client requests in SSL connections.

auth_insecure
Type:boolean
Default:false

Bypass verification of server certificate when making SSL connection to service.

cinder_endpoint
Type:string
Default:<None>

URL of the cinder endpoint.

cinder_catalog_info
Type:string
Default:volumev3:cinderv3:publicURL

Info to match when looking for cinder in the service catalog. Format is colon-separated values of the form: <service_type>:<service_name>:<endpoint_type>. Only used if cinder_endpoint is unset.

cinder_ca_cert_file
Type:string
Default:<None>

Location of the CA certificate file to use for client requests in SSL connections.

cinder_auth_insecure
Type:boolean
Default:false

Bypass verification of server certificate when making SSL connection to Cinder.

clients_keystone

auth_uri
Type:string
Default:u''

Unversioned keystone url in format like http://0.0.0.0:5000.

database

sqlite_synchronous
Type:boolean
Default:true

If True, SQLite uses synchronous mode.

Deprecated Variations
Group Name
DEFAULT sqlite_synchronous

backend
Type:string
Default:sqlalchemy

The back end to use for the database.

Deprecated Variations
Group Name
DEFAULT db_backend

connection
Type:string
Default:<None>

The SQLAlchemy connection string to use to connect to the database.

Deprecated Variations
Group Name
DEFAULT sql_connection
DATABASE sql_connection
sql connection

slave_connection
Type:string
Default:<None>

The SQLAlchemy connection string to use to connect to the slave database.

mysql_sql_mode
Type:string
Default:TRADITIONAL

The SQL mode to be used for MySQL sessions. This option, including the default, overrides any server-set SQL mode. To use whatever SQL mode is set by the server configuration, set this to no value. Example: mysql_sql_mode=

mysql_enable_ndb
Type:boolean
Default:false

If True, transparently enables support for handling MySQL Cluster (NDB).

connection_recycle_time
Type:integer
Default:3600

Connections which have been present in the connection pool longer than this number of seconds will be replaced with a new one the next time they are checked out from the pool.

Deprecated Variations
Group Name
DATABASE idle_timeout
database idle_timeout
DEFAULT sql_idle_timeout
DATABASE sql_idle_timeout
sql idle_timeout

min_pool_size
Type:integer
Default:1

Minimum number of SQL connections to keep open in a pool.

Deprecated Variations
Group Name
DEFAULT sql_min_pool_size
DATABASE sql_min_pool_size

max_pool_size
Type:integer
Default:5

Maximum number of SQL connections to keep open in a pool. Setting a value of 0 indicates no limit.

Deprecated Variations
Group Name
DEFAULT sql_max_pool_size
DATABASE sql_max_pool_size

max_retries
Type:integer
Default:10

Maximum number of database connection retries during startup. Set to -1 to specify an infinite retry count.

Deprecated Variations
Group Name
DEFAULT sql_max_retries
DATABASE sql_max_retries

retry_interval
Type:integer
Default:10

Interval between retries of opening a SQL connection.

Deprecated Variations
Group Name
DEFAULT sql_retry_interval
DATABASE reconnect_interval

max_overflow
Type:integer
Default:50

If set, use this value for max_overflow with SQLAlchemy.

Deprecated Variations
Group Name
DEFAULT sql_max_overflow
DATABASE sqlalchemy_max_overflow

connection_debug
Type:integer
Default:0
Minimum Value:0
Maximum Value:100

Verbosity of SQL debugging information: 0=None, 100=Everything.

Deprecated Variations
Group Name
DEFAULT sql_connection_debug

connection_trace
Type:boolean
Default:false

Add Python stack traces to SQL as comment strings.

Deprecated Variations
Group Name
DEFAULT sql_connection_trace

pool_timeout
Type:integer
Default:<None>

If set, use this value for pool_timeout with SQLAlchemy.

Deprecated Variations
Group Name
DATABASE sqlalchemy_pool_timeout

use_db_reconnect
Type:boolean
Default:false

Enable the experimental use of database reconnect on connection lost.

db_retry_interval
Type:integer
Default:1

Seconds between retries of a database transaction.

db_inc_retry_interval
Type:boolean
Default:true

If True, increases the interval between retries of a database operation up to db_max_retry_interval.

db_max_retry_interval
Type:integer
Default:10

If db_inc_retry_interval is set, the maximum seconds between retries of a database operation.

db_max_retries
Type:integer
Default:20

Maximum retries in case of connection error or deadlock error before error is raised. Set to -1 to specify an infinite retry count.

glance_client

service_name
Type:string
Default:<None>

The name of service registered in Keystone

service_type
Type:string
Default:<None>

The type of service registered in Keystone

version
Type:string
Default:<None>

The version of service client

region_id
Type:string
Default:RegionOne

The region id which the service belongs to.

interface
Type:string
Default:internal

The network interface of the endpoint. Valid values are: public, admin, internal.

ca_cert_file
Type:string
Default:<None>

Location of the CA certificate file to use for client requests in SSL connections.

auth_insecure
Type:boolean
Default:false

Bypass verification of server certificate when making SSL connection to service.

glance_endpoint
Type:string
Default:<None>

URL of the glance endpoint.

glance_catalog_info
Type:string
Default:image:glance:publicURL

Info to match when looking for glance in the service catalog. Format is colon-separated values of the form: <service_type>:<service_name>:<endpoint_type>. Only used if glance_endpoint is unset.

glance_ca_cert_file
Type:string
Default:<None>

Location of the CA certificate file to use for client requests in SSL connections.

glance_auth_insecure
Type:boolean
Default:false

Bypass verification of server certificate when making SSL connection to Glance.

karbor_client

service_name
Type:string
Default:<None>

The name of service registered in Keystone

service_type
Type:string
Default:<None>

The type of service registered in Keystone

version
Type:string
Default:<None>

The version of service client

region_id
Type:string
Default:RegionOne

The region id which the service belongs to.

interface
Type:string
Default:internal

The network interface of the endpoint. Valid values are: public, admin, internal.

ca_cert_file
Type:string
Default:<None>

Location of the CA certificate file to use for client requests in SSL connections.

auth_insecure
Type:boolean
Default:false

Bypass verification of server certificate when making SSL connection to service.

keystone_authtoken

www_authenticate_uri
Type:string
Default:<None>

Complete “public” Identity API endpoint. This endpoint should not be an “admin” endpoint, as it should be accessible by all end users. Unauthenticated clients are redirected to this endpoint to authenticate. Although this endpoint should ideally be unversioned, client support in the wild varies. If you’re using a versioned v2 endpoint here, then this should not be the same endpoint the service user utilizes for validating tokens, because normal end users may not be able to reach that endpoint.

Deprecated Variations
Group Name
keystone_authtoken auth_uri

auth_uri
Type:string
Default:<None>

Complete “public” Identity API endpoint. This endpoint should not be an “admin” endpoint, as it should be accessible by all end users. Unauthenticated clients are redirected to this endpoint to authenticate. Although this endpoint should ideally be unversioned, client support in the wild varies. If you’re using a versioned v2 endpoint here, then this should not be the same endpoint the service user utilizes for validating tokens, because normal end users may not be able to reach that endpoint. This option is deprecated in favor of www_authenticate_uri and will be removed in the S release.

Warning

This option is deprecated for removal since Queens. Its value may be silently ignored in the future.

Reason:The auth_uri option is deprecated in favor of www_authenticate_uri and will be removed in the S release.

auth_version
Type:string
Default:<None>

API version of the admin Identity API endpoint.

delay_auth_decision
Type:boolean
Default:false

Do not handle authorization requests within the middleware, but delegate the authorization decision to downstream WSGI components.

http_connect_timeout
Type:integer
Default:<None>

Request timeout value for communicating with Identity API server.

http_request_max_retries
Type:integer
Default:3

Number of times to retry reconnecting when communicating with the Identity API server.

cache
Type:string
Default:<None>

Request environment key where the Swift cache object is stored. When auth_token middleware is deployed with a Swift cache, use this option to have the middleware share a caching backend with swift. Otherwise, use the memcached_servers option instead.

certfile
Type:string
Default:<None>

Required if identity server requires client certificate

keyfile
Type:string
Default:<None>

Required if identity server requires client certificate

cafile
Type:string
Default:<None>

A PEM encoded Certificate Authority to use when verifying HTTPS connections. Defaults to system CAs.

insecure
Type:boolean
Default:false

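Verify HTTPS connections. With the default of false, server certificates are verified; setting this option to true disables verification.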

region_name
Type:string
Default:<None>

The region in which the identity server can be found.

signing_dir
Type:string
Default:<None>

Directory used to cache files related to PKI tokens. This option has been deprecated in the Ocata release and will be removed in the P release.

Warning

This option is deprecated for removal since Ocata. Its value may be silently ignored in the future.

Reason:PKI token format is no longer supported.

memcached_servers
Type:list
Default:<None>

Optionally specify a list of memcached server(s) to use for caching. If left undefined, tokens will instead be cached in-process.

Deprecated Variations
Group Name
keystone_authtoken memcache_servers

token_cache_time
Type:integer
Default:300

In order to prevent excessive effort spent validating tokens, the middleware caches previously-seen tokens for a configurable duration (in seconds). Set to -1 to disable caching completely.

revocation_cache_time
Type:integer
Default:10

Determines the frequency at which the list of revoked tokens is retrieved from the Identity service (in seconds). A high number of revocation events combined with a low cache duration may significantly reduce performance. Only valid for PKI tokens. This option has been deprecated in the Ocata release and will be removed in the P release.

Warning

This option is deprecated for removal since Ocata. Its value may be silently ignored in the future.

Reason:PKI token format is no longer supported.

memcache_security_strategy
Type:string
Default:None
Valid Values:None, MAC, ENCRYPT

(Optional) If defined, indicate whether token data should be authenticated or authenticated and encrypted. If MAC, token data is authenticated (with HMAC) in the cache. If ENCRYPT, token data is encrypted and authenticated in the cache. If the value is not one of these options or empty, auth_token will raise an exception on initialization.

memcache_secret_key
Type:string
Default:<None>

(Optional, mandatory if memcache_security_strategy is defined) This string is used for key derivation.

memcache_pool_dead_retry
Type:integer
Default:300

(Optional) Number of seconds memcached server is considered dead before it is tried again.

memcache_pool_maxsize
Type:integer
Default:10

(Optional) Maximum total number of open connections to every memcached server.

memcache_pool_socket_timeout
Type:integer
Default:3

(Optional) Socket timeout in seconds for communicating with a memcached server.

memcache_pool_unused_timeout
Type:integer
Default:60

(Optional) Number of seconds a connection to memcached is held unused in the pool before it is closed.

memcache_pool_conn_get_timeout
Type:integer
Default:10

(Optional) Number of seconds that an operation will wait to get a memcached client connection from the pool.

memcache_use_advanced_pool
Type:boolean
Default:false

(Optional) Use the advanced (eventlet safe) memcached client pool. The advanced pool will only work under python 2.x.

include_service_catalog
Type:boolean
Default:true

(Optional) Indicate whether to set the X-Service-Catalog header. If False, middleware will not ask for service catalog on token validation and will not set the X-Service-Catalog header.

enforce_token_bind
Type:string
Default:permissive

Used to control the use and type of token binding. Can be set to: “disabled” to not check token binding. “permissive” (default) to validate binding information if the bind type is of a form known to the server and ignore it if not. “strict” like “permissive” but if the bind type is unknown the token will be rejected. “required” any form of token binding is needed to be allowed. Finally the name of a binding method that must be present in tokens.

check_revocations_for_cached
Type:boolean
Default:false

If true, the revocation list will be checked for cached tokens. This requires that PKI tokens are configured on the identity server.

Warning

This option is deprecated for removal since Ocata. Its value may be silently ignored in the future.

Reason:PKI token format is no longer supported.

hash_algorithms
Type:list
Default:md5

Hash algorithms to use for hashing PKI tokens. This may be a single algorithm or multiple. The algorithms are those supported by Python standard hashlib.new(). The hashes will be tried in the order given, so put the preferred one first for performance. The result of the first hash will be stored in the cache. This will typically be set to multiple values only while migrating from a less secure algorithm to a more secure one. Once all the old tokens are expired this option should be set to a single value for better performance.

Warning

This option is deprecated for removal since Ocata. Its value may be silently ignored in the future.

Reason:PKI token format is no longer supported.

service_token_roles
Type:list
Default:service

A choice of roles that must be present in a service token. Service tokens are allowed to request that an expired token can be used and so this check should tightly control that only actual services should be sending this token. Roles here are applied as an ANY check so any role in this list must be present. For backwards compatibility reasons this currently only affects the allow_expired check.

service_token_roles_required
Type:boolean
Default:false

For backwards compatibility reasons we must let valid service tokens pass that don’t pass the service_token_roles check as valid. Setting this true will become the default in a future release and should be enabled if possible.

auth_type
Type:unknown type
Default:<None>

Authentication type to load

Deprecated Variations
Group Name
keystone_authtoken auth_plugin

auth_section
Type:unknown type
Default:<None>

Config Section from which to load plugin specific options

manila_client

service_name
Type:string
Default:<None>

The name of service registered in Keystone

service_type
Type:string
Default:<None>

The type of service registered in Keystone

version
Type:string
Default:<None>

The version of service client

region_id
Type:string
Default:RegionOne

The region id which the service belongs to.

interface
Type:string
Default:internal

The network interface of the endpoint. Valid values are: public, admin, internal.

ca_cert_file
Type:string
Default:<None>

Location of the CA certificate file to use for client requests in SSL connections.

auth_insecure
Type:boolean
Default:false

Bypass verification of server certificate when making SSL connection to service.

manila_endpoint
Type:string
Default:<None>

URL of the manila endpoint.

manila_catalog_info
Type:string
Default:sharev2:manilav2:publicURL

Info to match when looking for manila in the service catalog. Format is colon-separated values of the form: <service_type>:<service_name>:<endpoint_type>. Only used if manila_endpoint is unset.

manila_ca_cert_file
Type:string
Default:<None>

Location of the CA certificate file to use for client requests in SSL connections.

manila_auth_insecure
Type:boolean
Default:false

Bypass verification of server certificate when making SSL connection to manila.

neutron_client

service_name
Type:string
Default:<None>

The name of service registered in Keystone

service_type
Type:string
Default:<None>

The type of service registered in Keystone

version
Type:string
Default:<None>

The version of service client

region_id
Type:string
Default:RegionOne

The region id which the service belongs to.

interface
Type:string
Default:internal

The network interface of the endpoint. Valid values are: public, admin, internal.

ca_cert_file
Type:string
Default:<None>

Location of the CA certificate file to use for client requests in SSL connections.

auth_insecure
Type:boolean
Default:false

Bypass verification of server certificate when making SSL connection to service.

neutron_endpoint
Type:string
Default:<None>

URL of the neutron endpoint.

neutron_catalog_info
Type:string
Default:network:neutron:publicURL

Info to match when looking for neutron in the service catalog. Format is colon-separated values of the form: <service_type>:<service_name>:<endpoint_type>. Only used if neutron_endpoint is unset.

neutron_ca_cert_file
Type:string
Default:<None>

Location of the CA certificate file to use for client requests in SSL connections.

neutron_auth_insecure
Type:boolean
Default:false

Bypass verification of server certificate when making SSL connection to Neutron.

nova_client

service_name
Type:string
Default:<None>

The name of service registered in Keystone

service_type
Type:string
Default:<None>

The type of service registered in Keystone

version
Type:string
Default:<None>

The version of service client

region_id
Type:string
Default:RegionOne

The region id which the service belongs to.

interface
Type:string
Default:internal

The network interface of the endpoint. Valid values are: public, admin, internal.

ca_cert_file
Type:string
Default:<None>

Location of the CA certificate file to use for client requests in SSL connections.

auth_insecure
Type:boolean
Default:false

Bypass verification of server certificate when making SSL connection to service.

nova_endpoint
Type:string
Default:<None>

URL of the nova endpoint. <endpoint_url>

nova_catalog_info
Type:string
Default:compute:nova:publicURL

Info to match when looking for nova in the service catalog. Format is colon-separated values of the form: <service_type>:<service_name>:<endpoint_type>. Only used if nova_endpoint is unset.

nova_ca_cert_file
Type:string
Default:<None>

Location of the CA certificate file to use for client requests in SSL connections.

nova_auth_insecure
Type:boolean
Default:false

Bypass verification of server certificate when making SSL connection to Nova.

operationengine

max_concurrent_operations
Type:integer
Default:0

Maximum number of concurrently running operations. 0 means no hard limit

executor
Type:string
Default:green_thread
Valid Values:thread_pool, green_thread

The name of executor which is used to run operations

oslo_concurrency

disable_process_locking
Type:boolean
Default:false

Enables or disables inter-process locks.

Deprecated Variations
Group Name
DEFAULT disable_process_locking

lock_path
Type:string
Default:<None>

Directory to use for lock files. For security, the specified directory should only be writable by the user running the processes that need locking. Defaults to environment variable OSLO_LOCK_PATH. If external locks are used, a lock path must be set.

Deprecated Variations
Group Name
DEFAULT lock_path

oslo_policy

enforce_scope
Type:boolean
Default:false

This option controls whether or not to enforce scope when evaluating policies. If True, the scope of the token used in the request is compared to the scope_types of the policy being enforced. If the scopes do not match, an InvalidScope exception will be raised. If False, a message will be logged informing operators that policies are being invoked with mismatching scope.

policy_file
Type:string
Default:policy.json

The file that defines policies.

Deprecated Variations
Group Name
DEFAULT policy_file

policy_default_rule
Type:string
Default:default

Default rule. Enforced when a requested rule is not found.

Deprecated Variations
Group Name
DEFAULT policy_default_rule

policy_dirs
Type:multi-valued
Default:policy.d

Directories where policy configuration files are stored. They can be relative to any directory in the search path defined by the config_dir option, or absolute paths. The file defined by policy_file must exist for these directories to be searched. Missing or empty directories are ignored.

Deprecated Variations
Group Name
DEFAULT policy_dirs

remote_content_type
Type:string
Default:application/x-www-form-urlencoded
Valid Values:application/x-www-form-urlencoded, application/json

Content Type to send and receive data for REST based policy check

remote_ssl_verify_server_crt
Type:boolean
Default:false

Server identity verification for REST based policy check

remote_ssl_ca_crt_file
Type:string
Default:<None>

Absolute path to CA cert file for REST based policy check

remote_ssl_client_crt_file
Type:string
Default:<None>

Absolute path to client cert for REST based policy check

remote_ssl_client_key_file
Type:string
Default:<None>

Absolute path to client key file for REST based policy check
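
An added example, not part of the Karbor documentation or code base: a small audit that reads a karbor.conf and reports the settings this reference describes as disabling authentication, bypassing certificate verification, or leaving the token cache unprotected. The sample file, its address and path, and the set of strings treated as boolean true are assumptions.

```python
import configparser

# Values treated as boolean true (assumption about the option parser).
TRUE_STRINGS = {"1", "t", "true", "on", "y", "yes"}

# Constructed sample file; the address and path are placeholders.
SAMPLE_CONF = """
[DEFAULT]
auth_strategy = noauth

[cinder_client]
cinder_auth_insecure = True
cinder_ca_cert_file = /etc/karbor/ca.pem

[nova_client]
auth_insecure = false

[keystone_authtoken]
insecure = true
memcached_servers = 192.0.2.10:11211
service_token_roles_required = true
"""


def _is_true(value):
    return value is not None and value.strip().lower() in TRUE_STRINGS


def audit(conf_text):
    """Return sorted (section, option, finding) tuples for risky settings."""
    # Rename the parser's default section so [DEFAULT] is read as an ordinary
    # group and its values are not inherited by every other section.
    cp = configparser.ConfigParser(default_section="__unused__",
                                   interpolation=None, strict=False)
    cp.read_string(conf_text)
    findings = []

    def get(section, option):
        return cp.get(section, option, fallback=None)

    # auth_strategy: noauth turns off Keystone authentication for the API.
    strategy = (get("DEFAULT", "auth_strategy") or "keystone").strip().lower()
    if strategy == "noauth":
        findings.append(("DEFAULT", "auth_strategy", "API authentication disabled"))

    # auth_insecure, <service>_auth_insecure and [keystone_authtoken] insecure
    # bypass server certificate verification when set to true.
    for section in cp.sections():
        for option, value in cp.items(section):
            bypass = (option == "auth_insecure"
                      or option.endswith("_auth_insecure")
                      or (section == "keystone_authtoken" and option == "insecure"))
            if bypass and _is_true(value):
                findings.append((section, option,
                                 "TLS certificate verification bypassed"))

    kat = "keystone_authtoken"
    if cp.has_section(kat):
        cache = (get(kat, "memcache_security_strategy") or "None").strip().upper()
        if get(kat, "memcached_servers") and cache == "NONE":
            findings.append((kat, "memcached_servers",
                             "token cache is neither authenticated nor encrypted"))
        if cache in ("MAC", "ENCRYPT") and not get(kat, "memcache_secret_key"):
            findings.append((kat, "memcache_secret_key",
                             "required when memcache_security_strategy is set"))
        if not _is_true(get(kat, "service_token_roles_required")):
            findings.append((kat, "service_token_roles_required",
                             "service tokens failing the role check are accepted"))
    return sorted(findings)


if __name__ == "__main__":
    for section, option, finding in audit(SAMPLE_CONF):
        print(f"[{section}] {option}: {finding}")
```

Options left unset are evaluated against the defaults listed on this page, so a file that omits service_token_roles_required in [keystone_authtoken] is reported as well.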

Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License. See all OpenStack Legal Documents.