Red Hat OpenStack Platform 9 Configuration Reference

Configuring Red Hat OpenStack Platform environments
Last Updated: 2017-11-09
OpenStack Documentation Team
Red Hat Customer Content Services
rhos-docs@redhat.com
Legal Notice
Copyright © 2016 Red Hat, Inc.
The text of and illustrations in this document are licensed by Red Hat under a Creative Commons
Attribution–Share Alike 3.0 Unported license ("CC-BY-SA"). An explanation of CC-BY-SA is
available at http://creativecommons.org/licenses/by-sa/3.0/. In accordance with CC-BY-SA, if you
distribute this document or an adaptation of it, you must provide the URL for the original version.
Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert,
Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.
Red Hat, Red Hat Enterprise Linux, the Shadowman logo, JBoss, OpenShift, Fedora, the Infinity
logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other
countries.
Linux ® is the registered trademark of Linus Torvalds in the United States and other countries.
Java ® is a registered trademark of Oracle and/or its affiliates.
XFS ® is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United
States and/or other countries.
MySQL ® is a registered trademark of MySQL AB in the United States, the European Union and
other countries.
Node.js ® is an official trademark of Joyent. Red Hat Software Collections is not formally related
to or endorsed by the official Joyent Node.js open source or commercial project.
The OpenStack ® Word Mark and OpenStack logo are either registered trademarks/service marks
or trademarks/service marks of the OpenStack Foundation, in the United States and other
countries and are used with the OpenStack Foundation's permission. We are not affiliated with,
endorsed or sponsored by the OpenStack Foundation, or the OpenStack community.
All other trademarks are the property of their respective owners.
Abstract
This document is for system administrators who want to look up configuration options. It contains
lists of configuration options available with OpenStack and uses auto-generation to generate
options and the descriptions from the code for each project. It includes sample configuration files.
Table of Contents
CHAPTER 1. BARE METAL
CHAPTER 2. BLOCK STORAGE
2.1. VOLUME DRIVERS
2.2. BACKUP DRIVERS
2.3. BLOCK STORAGE SAMPLE CONFIGURATION FILES
2.4. LOG FILES USED BY BLOCK STORAGE
2.5. FIBRE CHANNEL ZONE MANAGER
2.6. ADDITIONAL OPTIONS
2.7. NEW, UPDATED, AND DEPRECATED OPTIONS IN MITAKA FOR OPENSTACK BLOCK STORAGE
CHAPTER 3. COMPUTE
3.1. OVERVIEW OF NOVA.CONF
3.2. CONFIGURE LOGGING
3.3. CONFIGURE AUTHENTICATION AND AUTHORIZATION
3.4. CONFIGURE RESIZE
3.5. DATABASE CONFIGURATION
3.6. CONFIGURE THE OSLO RPC MESSAGING SYSTEM
3.7. CONFIGURE THE COMPUTE API
3.8. CONFIGURE THE EC2 API
3.9. FIBRE CHANNEL SUPPORT IN COMPUTE
3.10. ISCSI INTERFACE AND OFFLOAD SUPPORT IN COMPUTE
3.11. HYPERVISORS
3.12. SCHEDULING
3.13. CELLS
3.14. CONDUCTOR
3.15. EXAMPLE NOVA.CONF CONFIGURATION FILES
3.16. COMPUTE LOG FILES
3.17. COMPUTE SAMPLE CONFIGURATION FILES
3.18. NEW, UPDATED AND DEPRECATED OPTIONS IN KILO FOR OPENSTACK COMPUTE
CHAPTER 4. DASHBOARD
4.1. CONFIGURE THE DASHBOARD
4.2. ADDITIONAL SAMPLE CONFIGURATION FILES
4.3. DASHBOARD LOG FILES
CHAPTER 5. DATABASE SERVICE
5.1. CONFIGURE THE DATABASE
5.2. CONFIGURE THE RPC MESSAGING SYSTEM
5.3. NEW, UPDATED AND DEPRECATED OPTIONS IN LIBERTY FOR DATABASE SERVICE
CHAPTER 6. DATA PROCESSING SERVICE
6.1. NEW, UPDATED, AND DEPRECATED OPTIONS IN MITAKA FOR DATA PROCESSING SERVICE
CHAPTER 7. IDENTITY SERVICE
7.1. IDENTITY SERVICE CONFIGURATION FILE
7.2. IDENTITY SERVICE SAMPLE CONFIGURATION FILES
7.3. NEW, UPDATED AND DEPRECATED OPTIONS IN KILO FOR OPENSTACK IDENTITY
CHAPTER 8. IMAGE SERVICE
8.1. CONFIGURE THE API
8.2. CONFIGURE THE RPC MESSAGING SYSTEM
8.3. CONFIGURE IMAGE CACHE
8.4. SUPPORT FOR ISO IMAGES
8.5. CONFIGURE BACK ENDS
8.6. IMAGE SERVICE SAMPLE CONFIGURATION FILES
8.7. NEW, UPDATED AND DEPRECATED OPTIONS IN LIBERTY FOR OPENSTACK IMAGE SERVICE
CHAPTER 9. NETWORKING
9.1. NETWORKING CONFIGURATION OPTIONS
9.2. LOG FILES USED BY NETWORKING
9.3. NETWORKING SAMPLE CONFIGURATION FILES
9.4. NEW, UPDATED, AND DEPRECATED OPTIONS IN MITAKA FOR OPENSTACK NETWORKING
CHAPTER 10. OBJECT STORAGE
10.1. INTRODUCTION TO OBJECT STORAGE
10.2. OBJECT STORAGE GENERAL SERVICE CONFIGURATION
10.3. OBJECT SERVER CONFIGURATION
10.4. OBJECT EXPIRER CONFIGURATION
10.5. CONTAINER SERVER CONFIGURATION
10.6. CONTAINER SYNC REALMS CONFIGURATION
10.7. CONTAINER RECONCILER CONFIGURATION
10.8. ACCOUNT SERVER CONFIGURATION
10.9. PROXY SERVER CONFIGURATION
10.10. PROXY SERVER MEMCACHE CONFIGURATION
10.11. RSYNCD CONFIGURATION
10.12. CONFIGURE OBJECT STORAGE FEATURES
10.13. NEW, UPDATED AND DEPRECATED OPTIONS IN LIBERTY FOR OPENSTACK OBJECT STORAGE
CHAPTER 11. ORCHESTRATION
11.1. CONFIGURE APIS
11.2. CONFIGURE CLIENTS
11.3. CONFIGURE THE RPC MESSAGING SYSTEM
11.4. ORCHESTRATION LOG FILES
11.5. NEW, UPDATED, AND DEPRECATED OPTIONS IN MITAKA FOR ORCHESTRATION SERVICE
CHAPTER 12. TELEMETRY
12.1. TELEMETRY SAMPLE CONFIGURATION FILES
12.2. NEW, UPDATED AND DEPRECATED OPTIONS IN KILO FOR TELEMETRY
APPENDIX A. THE POLICY.JSON FILE
A.1. EXAMPLES
A.2. SYNTAX
A.3. OLDER SYNTAX
APPENDIX B. FIREWALLS AND DEFAULT PORTS
CHAPTER 1. BARE METAL
The Bare metal service is capable of managing and provisioning physical machines. The configuration
file of this module is /etc/ironic/ironic.conf.
The following tables provide a comprehensive list of the Bare metal service configuration options.
Table 1.1. Description of agent configuration options
Configuration option = Default value
Description
[agent]
agent_api_version = v1
(StrOpt) API version to use for communicating with
the ramdisk agent.
agent_erase_devices_priority = None
(IntOpt) Priority to run in-band erase devices via the
Ironic Python Agent ramdisk. If unset, will use the
priority set in the ramdisk (defaults to 10 for the
GenericHardwareManager). If set to 0, will not run
during cleaning.
agent_pxe_append_params = nofb nomodeset vga=normal
(StrOpt) Additional append parameters for
baremetal PXE boot.
agent_pxe_bootfile_name = pxelinux.0
(StrOpt) Neutron bootfile DHCP parameter.
agent_pxe_config_template = $pybasedir/drivers/modules/agent_config.template
(StrOpt) Template file for PXE configuration.
heartbeat_timeout = 300
(IntOpt) Maximum interval (in seconds) for agent
heartbeats.
manage_tftp = True
(BoolOpt) Whether Ironic will manage TFTP files for
the deploy ramdisks. If set to False, you will need to
configure your own TFTP server that allows booting
the deploy ramdisks.
Table 1.2. Description of AMQP configuration options
Configuration option = Default value
Description
[DEFAULT]
control_exchange = openstack
(StrOpt) The default exchange under which topics
are scoped. May be overridden by an exchange name
specified in the transport_url option.
notification_driver = []
(MultiStrOpt) Driver or drivers to handle sending
notifications.
notification_topics = notifications
(ListOpt) AMQP topic used for OpenStack
notifications.
transport_url = None
(StrOpt) A URL representing the messaging driver to
use and its full configuration. If not set, we fall back
to the rpc_backend option and driver specific
configuration.
Table 1.3. Description of AMT configuration options
Configuration option = Default value
Description
[amt]
action_wait = 10
(IntOpt) Amount of time (in seconds) to wait, before
retrying an AMT operation
max_attempts = 3
(IntOpt) Maximum number of times to attempt an
AMT operation, before failing
protocol = http
(StrOpt) Protocol used for AMT endpoint, support
http/https
Table 1.4. Description of API configuration options
Configuration option = Default value
Description
[api]
host_ip = 0.0.0.0
(StrOpt) The listen IP for the Ironic API server.
max_limit = 1000
(IntOpt) The maximum number of items returned in a
single response from a collection resource.
port = 6385
(IntOpt) The port for the Ironic API server.
Table 1.5. Description of authorization token configuration options
Configuration option = Default value
Description
[keystone_authtoken]
admin_password = None
(StrOpt) Service user password.
admin_tenant_name = admin
(StrOpt) Service tenant name.
admin_token = None
(StrOpt) This option is deprecated and may be
removed in a future release. Single shared secret
with the Keystone configuration used for
bootstrapping a Keystone installation, or otherwise
bypassing the normal authentication process. This
option should not be used, use `admin_user` and
`admin_password` instead.
admin_user = None
(StrOpt) Service username.
auth_admin_prefix =
(StrOpt) Prefix to prepend at the beginning of the
path. Deprecated, use identity_uri.
auth_host = 127.0.0.1
(StrOpt) Host providing the admin Identity API
endpoint. Deprecated, use identity_uri.
auth_plugin = None
(StrOpt) Name of the plugin to load
auth_port = 35357
(IntOpt) Port of the admin Identity API endpoint.
Deprecated, use identity_uri.
auth_protocol = https
(StrOpt) Protocol of the admin Identity API endpoint
(http or https). Deprecated, use identity_uri.
auth_section = None
(StrOpt) Config Section from which to load plugin
specific options
auth_uri = None
(StrOpt) Complete public Identity API endpoint.
auth_version = None
(StrOpt) API version of the admin Identity API
endpoint.
cache = None
(StrOpt) Env key for the swift cache.
cafile = None
(StrOpt) A PEM encoded Certificate Authority to use
when verifying HTTPS connections. Defaults to
system CAs.
certfile = None
(StrOpt) Required if identity server requires client
certificate
check_revocations_for_cached = False
(BoolOpt) If true, the revocation list will be checked
for cached tokens. This requires that PKI tokens are
configured on the identity server.
delay_auth_decision = False
(BoolOpt) Do not handle authorization requests
within the middleware, but delegate the
authorization decision to downstream WSGI
components.
enforce_token_bind = permissive
(StrOpt) Used to control the use and type of token
binding. Can be set to: "disabled" to not check token
binding. "permissive" (default) to validate binding
information if the bind type is of a form known to the
server and ignore it if not. "strict" like "permissive"
but if the bind type is unknown the token will be
rejected. "required" any form of token binding is
needed to be allowed. Finally the name of a binding
method that must be present in tokens.
hash_algorithms = md5
(ListOpt) Hash algorithms to use for hashing PKI
tokens. This may be a single algorithm or multiple.
The algorithms are those supported by Python
standard hashlib.new(). The hashes will be tried in
the order given, so put the preferred one first for
performance. The result of the first hash will be
stored in the cache. This will typically be set to
multiple values only while migrating from a less
secure algorithm to a more secure one. Once all the
old tokens are expired this option should be set to a
single value for better performance.
http_connect_timeout = None
(IntOpt) Request timeout value for communicating
with Identity API server.
http_request_max_retries = 3
(IntOpt) How many times are we trying to reconnect
when communicating with Identity API Server.
identity_uri = None
(StrOpt) Complete admin Identity API endpoint. This
should specify the unversioned root endpoint e.g.
https://localhost:35357/
include_service_catalog = True
(BoolOpt) (Optional) Indicate whether to set the
X-Service-Catalog header. If False, middleware will not
ask for service catalog on token validation and will
not set the X-Service-Catalog header.
insecure = False
(BoolOpt) Verify HTTPS connections.
keyfile = None
(StrOpt) Required if identity server requires client
certificate
memcache_pool_conn_get_timeout = 10
(IntOpt) (Optional) Number of seconds that an
operation will wait to get a memcache client
connection from the pool.
memcache_pool_dead_retry = 300
(IntOpt) (Optional) Number of seconds memcached
server is considered dead before it is tried again.
memcache_pool_maxsize = 10
(IntOpt) (Optional) Maximum total number of open
connections to every memcached server.
memcache_pool_socket_timeout = 3
(IntOpt) (Optional) Socket timeout in seconds for
communicating with a memcache server.
memcache_pool_unused_timeout = 60
(IntOpt) (Optional) Number of seconds a connection
to memcached is held unused in the pool before it is
closed.
memcache_secret_key = None
(StrOpt) (Optional, mandatory if
memcache_security_strategy is defined) This string
is used for key derivation.
memcache_security_strategy = None
(StrOpt) (Optional) If defined, indicate whether
token data should be authenticated or authenticated
and encrypted. Acceptable values are MAC or
ENCRYPT. If MAC, token data is authenticated (with
HMAC) in the cache. If ENCRYPT, token data is
encrypted and authenticated in the cache. If the
value is not one of these options or empty,
auth_token will raise an exception on initialization.
memcache_use_advanced_pool = False
(BoolOpt) (Optional) Use the advanced (eventlet
safe) memcache client pool. The advanced pool will
only work under python 2.x.
memcached_servers = None
(ListOpt) Optionally specify a list of memcached
server(s) to use for caching. If left undefined, tokens
will instead be cached in-process.
revocation_cache_time = 10
(IntOpt) Determines the frequency at which the list
of revoked tokens is retrieved from the Identity
service (in seconds). A high number of revocation
events combined with a low cache duration may
significantly reduce performance.
signing_dir = None
(StrOpt) Directory used to cache files related to PKI
tokens.
token_cache_time = 300
(IntOpt) In order to prevent excessive effort spent
validating tokens, the middleware caches
previously-seen tokens for a configurable duration
(in seconds). Set to -1 to disable caching completely.
Table 1.6. Description of authorization configuration options
Configuration option = Default value
Description
[DEFAULT]
auth_strategy = keystone
(StrOpt) Method to use for authentication: noauth or
keystone.
Table 1.7. Description of common configuration options
Configuration option = Default value
Description
[DEFAULT]
bindir = /usr/local/bin
(StrOpt) Directory where ironic binaries are
installed.
enabled_drivers = pxe_ipmitool
(ListOpt) Specify the list of drivers to load during
service initialization. Missing drivers, or drivers
which fail to initialize, will prevent the conductor
service from starting. The option default is a
recommended set of production-oriented drivers. A
complete list of drivers present on your system may
be found by enumerating the "ironic.drivers"
entrypoint. An example may be found in the
developer documentation online.
fatal_deprecations = False
(BoolOpt) Enables or disables fatal status of
deprecations.
force_raw_images = True
(BoolOpt) Force backing images to raw format.
grub_config_template = $pybasedir/common/grub_conf.template
(StrOpt) Template file for grub configuration file.
hash_distribution_replicas = 1
(IntOpt) [Experimental Feature] Number of hosts to
map onto each hash partition. Setting this to more
than one will cause additional conductor services to
prepare deployment environments and potentially
allow the Ironic cluster to recover more quickly if a
conductor instance is terminated.
hash_partition_exponent = 5
(IntOpt) Exponent to determine number of hash
partitions to use when distributing load across
conductors. Larger values will result in more even
distribution of load and less load when rebalancing
the ring, but more memory usage. Number of
partitions per conductor is
(2^hash_partition_exponent). This determines the
granularity of rebalancing: given 10 hosts, and an
exponent of 2, there are 40 partitions in the
ring. A few thousand partitions should make
rebalancing smooth in most cases. The default is
suitable for up to a few hundred conductors. Too
many partitions has a CPU impact.
host = sd-52009.dedibox.fr
(StrOpt) Name of this node. This can be an opaque
identifier. It is not necessarily a hostname, FQDN, or
IP address. However, the node name must be valid
within an AMQP key.
isolinux_bin = /usr/lib/syslinux/isolinux.bin
(StrOpt) Path to isolinux binary file.
isolinux_config_template = $pybasedir/common/isolinux_config.template
(StrOpt) Template file for isolinux configuration file.
memcached_servers = None
(ListOpt) Memcached servers or None for in process
cache.
my_ip = 10.0.0.1
(StrOpt) IP address of this host.
parallel_image_downloads = False
(BoolOpt) Run image downloads and raw format
conversions in parallel.
periodic_interval = 60
(IntOpt) Seconds between running periodic tasks.
pybasedir = /usr/lib/python/site-packages/ironic/ironic
(StrOpt) Directory where the ironic python module
is installed.
rootwrap_config = /etc/ironic/rootwrap.conf
(StrOpt) Path to the rootwrap configuration file to
use for running commands as root.
run_external_periodic_tasks = True
(BoolOpt) Some periodic tasks can be run in a
separate process. Should we run them here?
state_path = $pybasedir
(StrOpt) Top-level directory for maintaining ironic's
state.
tempdir = None
(StrOpt) Explicitly specify the temporary working
directory.
Table 1.8. Description of conductor configuration options
Configuration option = Default value
Description
[conductor]
api_url = None
(StrOpt) URL of Ironic API service. If not set ironic
can get the current value from the keystone service
catalog.
check_provision_state_interval = 60
(IntOpt) Interval between checks of provision
timeouts, in seconds.
clean_nodes = True
(BoolOpt) Cleaning is a configurable set of steps,
such as erasing disk drives, that are performed on
the node to ensure it is in a baseline state and ready
to be deployed to. This is done after instance
deletion, and during the transition from a "managed"
to "available" state. When enabled, the particular
steps performed to clean a node depend on which
driver that node is managed by; see the individual
driver's documentation for details. NOTE: The
introduction of the cleaning operation causes
instance deletion to take significantly longer. In an
environment where all tenants are trusted (e.g.,
because there is only one tenant), this option could
be safely disabled.
configdrive_swift_container = ironic_configdrive_container
(StrOpt) Name of the Swift container to store config
drive data. Used when configdrive_use_swift is True.
configdrive_use_swift = False
(BoolOpt) Whether to upload the config drive to
Swift.
deploy_callback_timeout = 1800
(IntOpt) Timeout (seconds) for waiting callback from
deploy ramdisk. 0 - unlimited.
force_power_state_during_sync = True
(BoolOpt) During sync_power_state, should the
hardware power state be set to the state recorded in
the database (True) or should the database be
updated based on the hardware state (False).
heartbeat_interval = 10
(IntOpt) Seconds between conductor heart beats.
heartbeat_timeout = 60
(IntOpt) Maximum time (in seconds) since the last
check-in of a conductor.
inspect_timeout = 1800
(IntOpt) Timeout (seconds) for waiting for node
inspection. 0 - unlimited.
node_locked_retry_attempts = 3
(IntOpt) Number of attempts to grab a node lock.
node_locked_retry_interval = 1
(IntOpt) Seconds to sleep between node lock
attempts.
periodic_max_workers = 8
(IntOpt) Maximum number of worker threads that
can be started simultaneously by a periodic task.
Should be less than RPC thread pool size.
power_state_sync_max_retries = 3
(IntOpt) During sync_power_state failures, limit the
number of times Ironic should try syncing the
hardware node power state with the node power
state in DB
send_sensor_data = False
(BoolOpt) Enable sending sensor data message via
the notification bus
send_sensor_data_interval = 600
(IntOpt) Seconds between conductor sending
sensor data message to ceilometer via the
notification bus.
send_sensor_data_types = ALL
(ListOpt) List of comma separated metric types
which need to be sent to Ceilometer. The default
value, "ALL", is a special value meaning send all the
sensor data.
sync_local_state_interval = 180
(IntOpt) When conductors join or leave the cluster,
existing conductors may need to update any
persistent local state as nodes are moved around the
cluster. This option controls how often, in seconds,
each conductor will check for nodes that it should
"take over". Set it to a negative value to disable the
check entirely.
sync_power_state_interval = 60
(IntOpt) Interval between syncing the node power
state to the database, in seconds.
workers_pool_size = 100
(IntOpt) The size of the workers greenthread pool.
Table 1.9. Description of console configuration options
Configuration option = Default value
Description
[console]
subprocess_checking_interval = 1
(IntOpt) Time interval (in seconds) for checking the
status of console subprocess.
subprocess_timeout = 10
(IntOpt) Time (in seconds) to wait for the console
subprocess to start.
terminal = shellinaboxd
(StrOpt) Path to serial console terminal program
terminal_cert_dir = None
(StrOpt) Directory containing the terminal SSL
cert(PEM) for serial console access
terminal_pid_dir = None
(StrOpt) Directory for holding terminal pid files. If
not specified, the temporary directory will be used.
Table 1.10. Description of database configuration options
Configuration option = Default value
Description
[database]
backend = sqlalchemy
(StrOpt) The back end to use for the database.
connection = None
(StrOpt) The SQLAlchemy connection string to use
to connect to the database.
connection_debug = 0
(IntOpt) Verbosity of SQL debugging information:
0=None, 100=Everything.
connection_trace = False
(BoolOpt) Add Python stack traces to SQL as
comment strings.
db_inc_retry_interval = True
(BoolOpt) If True, increases the interval between
retries of a database operation up to
db_max_retry_interval.
db_max_retries = 20
(IntOpt) Maximum retries in case of connection error
or deadlock error before error is raised. Set to -1 to
specify an infinite retry count.
db_max_retry_interval = 10
(IntOpt) If db_inc_retry_interval is set, the maximum
seconds between retries of a database operation.
db_retry_interval = 1
(IntOpt) Seconds between retries of a database
transaction.
idle_timeout = 3600
(IntOpt) Timeout before idle SQL connections are
reaped.
max_overflow = None
(IntOpt) If set, use this value for max_overflow with
SQLAlchemy.
max_pool_size = None
(IntOpt) Maximum number of SQL connections to
keep open in a pool.
max_retries = 10
(IntOpt) Maximum number of database connection
retries during startup. Set to -1 to specify an infinite
retry count.
min_pool_size = 1
(IntOpt) Minimum number of SQL connections to
keep open in a pool.
mysql_engine = InnoDB
(StrOpt) MySQL engine to use.
mysql_sql_mode = TRADITIONAL
(StrOpt) The SQL mode to be used for MySQL
sessions. This option, including the default, overrides
any server-set SQL mode. To use whatever SQL
mode is set by the server configuration, set this to
no value. Example: mysql_sql_mode=
pool_timeout = None
(IntOpt) If set, use this value for pool_timeout with
SQLAlchemy.
retry_interval = 10
(IntOpt) Interval between retries of opening a SQL
connection.
slave_connection = None
(StrOpt) The SQLAlchemy connection string to use
to connect to the slave database.
sqlite_db = oslo.sqlite
(StrOpt) The file name to use with SQLite.
sqlite_synchronous = True
(BoolOpt) If True, SQLite uses synchronous mode.
use_db_reconnect = False
(BoolOpt) Enable the experimental use of database
reconnect on connection lost.
Table 1.11. Description of logging configuration options
Configuration option = Default value
Description
[DEFAULT]
backdoor_port = None
(StrOpt) Enable eventlet backdoor. Acceptable
values are 0, <port>, and <start>:<end>, where 0
results in listening on a random tcp port number;
<port> results in listening on the specified port
number (and not enabling backdoor if that port is in
use); and <start>:<end> results in listening on the
smallest unused port number within the specified
range of port numbers. The chosen port is displayed
in the service's log file.
pecan_debug = False
(BoolOpt) Enable pecan debug mode. WARNING: this
is insecure and should not be used in production.
Table 1.12. Description of deploy configuration options
Configuration option = Default value
Description
[deploy]
dd_block_size = 1M
(StrOpt) Block size to use when writing to the node's
disk.
efi_system_partition_size = 200
(IntOpt) Size of EFI system partition in MiB when
configuring UEFI systems for local boot.
iscsi_verify_attempts = 3
(IntOpt) Maximum attempts to verify an iSCSI
connection is active, sleeping 1 second between
attempts.
Table 1.13. Description of DHCP configuration options
Configuration option = Default value
Description
[dhcp]
dhcp_provider = neutron
(StrOpt) DHCP provider to use. "neutron" uses
Neutron, and "none" uses a no-op provider.
Table 1.14. Description of discoverd configuration options
Configuration option = Default value
Description
[discoverd]
enabled = False
(BoolOpt) whether to enable inspection using ironic-discoverd
service_url = None
(StrOpt) ironic-discoverd HTTP endpoint. If this is
not set, the ironic-discoverd client default
(http://127.0.0.1:5050) will be used.
status_check_period = 60
(IntOpt) period (in seconds) to check status of nodes
on inspection
Table 1.15. Description of disk partitioner configuration options
Configuration option = Default value
Description
[disk_partitioner]
check_device_interval = 1
(IntOpt) After Ironic has completed creating the
partition table, it continues to check for activity on
the attached iSCSI device status at this interval prior
to copying the image to the node, in seconds
check_device_max_retries = 20
(IntOpt) The maximum number of times to check
that the device is not accessed by another process.
If the device is still busy after that, the disk
partitioning will be treated as having failed.
Table 1.16. Description of glance configuration options
Configuration option = Default value
Description
[glance]
allowed_direct_url_schemes =
(ListOpt) A list of URL schemes that can be
downloaded directly via the direct_url. Currently
supported schemes: [file].
auth_strategy = keystone
(StrOpt) Authentication strategy to use when
connecting to glance. Only "keystone" and "noauth"
are currently supported by ironic.
glance_api_insecure = False
(BoolOpt) Allow to perform insecure SSL (https)
requests to glance.
glance_api_servers = None
(ListOpt) A list of the glance api servers available to
ironic. Prefix with https:// for SSL-based glance API
servers. Format is [hostname|IP]:port.
glance_host = $my_ip
(StrOpt) Default glance hostname or IP address.
glance_num_retries = 0
(IntOpt) Number of retries when downloading an
image from glance.
glance_port = 9292
(IntOpt) Default glance port.
glance_protocol = http
(StrOpt) Default protocol to use when connecting to
glance. Set to https for SSL.
swift_account = None
(StrOpt) The account that Glance uses to
communicate with Swift. The format is "AUTH_uuid".
"uuid" is the UUID for the account configured in the
glance-api.conf. Required for temporary URLs. For
example: "AUTH_a422b2-91f3-2f46-74b7d7c9e8958f5d30".
Swift temporary URL format:
"endpoint_url/api_version/account/container/object_id"
swift_api_version = v1
(StrOpt) The Swift API version to create a
temporary URL for. Defaults to "v1". Swift temporary
URL format:
"endpoint_url/api_version/account/container/object_id"
swift_container = glance
(StrOpt) The Swift container Glance is configured to
store its images in. Defaults to "glance", which is the
default in glance-api.conf. Swift temporary URL
format:
"endpoint_url/api_version/account/container/object_id"
swift_endpoint_url = None
(StrOpt) The "endpoint" (scheme, hostname,
optional port) for the Swift URL of the form
"endpoint_url/api_version/account/container/object_id".
Do not include trailing "/". For example, use
"https://swift.example.com". Required for
temporary URLs.
swift_store_multiple_containers_seed = 0
(IntOpt) This should match a config by the same
name in the Glance configuration file. When set to 0,
a single-tenant store will only use one container to
store all images. When set to an integer value
between 1 and 32, a single-tenant store will use
multiple containers to store images, and this value
will determine how many containers are created.
swift_temp_url_duration = 1200
(IntOpt) The length of time in seconds that the
temporary URL will be valid for. Defaults to 20
minutes. If some deploys get a 401 response code
when trying to download from the temporary URL,
try raising this duration.
swift_temp_url_key = None
(StrOpt) The secret token given to Swift to allow
temporary URL downloads. Required for temporary
URLs.
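The swift_* options in Table 1.16 combine into one signed, time-limited download URL. The following sketch is an added example, not part of the Red Hat documentation or the ironic code base: it assumes the classic Swift TempURL scheme (HMAC-SHA1 over method, expiry and path, which the deployment's object store must accept) and swift_store_multiple_containers_seed = 0. The function names and the sample values are constructed for illustration.

```python
import hmac
import time
from hashlib import sha1
from urllib.parse import parse_qs, urlsplit

# Constructed sample values for the [glance] options (not a real deployment).
SAMPLE_GLANCE_OPTS = {
    "swift_endpoint_url": "https://swift.example.com",
    "swift_api_version": "v1",
    "swift_account": "AUTH_example",
    "swift_container": "glance",
    "swift_temp_url_key": "constructed-example-key",
    "swift_temp_url_duration": 1200,
}


def sign(key, method, expires, path):
    """TempURL signature: hex HMAC-SHA1 over "METHOD\\nEXPIRES\\nPATH"."""
    message = "{}\n{}\n{}".format(method, expires, path)
    return hmac.new(key.encode(), message.encode(), sha1).hexdigest()


def make_temp_url(opts, object_id, method="GET", now=None):
    """Build endpoint_url/api_version/account/container/object_id plus signature."""
    endpoint = opts["swift_endpoint_url"]
    key = opts["swift_temp_url_key"]
    if not endpoint or not key or not opts["swift_account"]:
        raise ValueError("swift_endpoint_url, swift_account and "
                         "swift_temp_url_key are required for temporary URLs")
    if endpoint.endswith("/"):
        raise ValueError("swift_endpoint_url must not include a trailing '/'")
    now = int(time.time() if now is None else now)
    expires = now + int(opts["swift_temp_url_duration"])
    path = "/{}/{}/{}/{}".format(opts["swift_api_version"], opts["swift_account"],
                                 opts["swift_container"], object_id)
    signature = sign(key, method, expires, path)
    return "{}{}?temp_url_sig={}&temp_url_expires={}".format(
        endpoint, path, signature, expires)


def status_for(url, key, method="GET", now=None):
    """Object-store side of the exchange: 200 if the URL is still valid, else 401."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    try:
        presented = query["temp_url_sig"][0]
        expires = int(query["temp_url_expires"][0])
    except (KeyError, ValueError):
        return 401
    now = int(time.time() if now is None else now)
    if expires < now:
        # This is the 401 a slow deploy sees when swift_temp_url_duration is too short.
        return 401
    expected = sign(key, method, expires, parts.path)
    # Constant-time comparison so the check does not leak signature bytes.
    if hmac.compare_digest(expected.encode(), presented.encode()):
        return 200
    return 401


if __name__ == "__main__":
    url = make_temp_url(SAMPLE_GLANCE_OPTS, "img-0001", now=1000)
    print(url)
    print(status_for(url, SAMPLE_GLANCE_OPTS["swift_temp_url_key"], now=1500))
    print(status_for(url, SAMPLE_GLANCE_OPTS["swift_temp_url_key"], now=2201))
```

Anyone holding the URL can fetch the image until it expires, so swift_temp_url_duration is best kept as short as the slowest deploy allows, and swift_temp_url_key treated like any other credential in the configuration file.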
Table 1.17. Description of iLO configuration options
Configuration option = Default value
Description
[ilo]
clean_priority_clear_secure_boot_keys = 0
(IntOpt) Priority for clear_secure_boot_keys clean
step. This step is not enabled by default. It can be
enabled to clear all secure boot keys enrolled
with iLO.
clean_priority_erase_devices = None
(IntOpt) Priority for erase devices clean step. If
unset, it defaults to 10. If set to 0, the step will be
disabled and will not run during cleaning.
clean_priority_reset_bios_to_default = 10
(IntOpt) Priority for reset_bios_to_default clean
step.
clean_priority_reset_ilo = 1
(IntOpt) Priority for reset_ilo clean step.
clean_priority_reset_ilo_credential = 30
(IntOpt) Priority for reset_ilo_credential clean step.
This step requires "ilo_change_password"
parameter to be updated in the node's driver_info with
the new password.
clean_priority_reset_secure_boot_keys_to_default = 20
(IntOpt) Priority for reset_secure_boot_keys clean
step. This step will reset the secure boot keys to
manufacturing defaults.
client_port = 443
(IntOpt) Port to be used for iLO operations
client_timeout = 60
(IntOpt) Timeout (in seconds) for iLO operations
power_retry = 6
(IntOpt) Number of times a power operation needs
to be retried
power_wait = 2
(IntOpt) Amount of time in seconds to wait in
between power operations
swift_ilo_container = ironic_ilo_container
(StrOpt) The Swift iLO container to store data.
swift_object_expiry_timeout = 900
(IntOpt) Amount of time in seconds for Swift objects
to auto-expire.
Table 1.18. Description of IPMI configuration options
Configuration option = Default value
Description
[ipmi]
min_command_interval = 5
(IntOpt) Minimum time, in seconds, between IPMI
operations sent to a server. There is a risk with
some hardware that setting this too low may cause
the BMC to crash. Recommended setting is 5
seconds.
retry_timeout = 60
(IntOpt) Maximum time in seconds to retry IPMI
operations. There is a tradeoff when setting this
value. Setting this too low may cause older BMCs to
crash and require a hard reset. However, setting too
high can cause the sync power state periodic task to
hang when there are slow or unresponsive BMCs.
Table 1.19. Description of iRMC configuration options
Configuration option = Default value
Description
[irmc]
auth_method = basic
(StrOpt) Authentication method to be used for iRMC
operations, either "basic" or "digest"
client_timeout = 60
(IntOpt) Timeout (in seconds) for iRMC operations
port = 443
(IntOpt) Port to be used for iRMC operations, either
80 or 443
sensor_method = ipmitool
(StrOpt) Sensor data retrieval method, either
"ipmitool" or "scci"
Table 1.20. Description of keystone configuration options
Configuration option = Default value
Description
[keystone]
region_name = None
(StrOpt) The region used for getting endpoints of
OpenStack services.
Table 1.21. Description of logging configuration options
Configuration option = Default value
Description
[DEFAULT]
debug = False
(BoolOpt) Print debugging output (set logging level
to DEBUG instead of default WARNING level).
default_log_levels = amqp=WARN,
amqplib=WARN, boto=WARN, qpid=WARN,
sqlalchemy=WARN, suds=INFO, oslo.messaging=INFO,
iso8601=WARN,
requests.packages.urllib3.connectionpool=WARN,
urllib3.connectionpool=WARN, websocket=WARN,
keystonemiddleware=WARN,
routes.middleware=WARN, stevedore=WARN
(ListOpt) List of logger=LEVEL pairs.
fatal_exception_format_errors = False
(BoolOpt) Make exception message format errors
fatal.
instance_format = "[instance: %(uuid)s] "
(StrOpt) The format for an instance that is passed
with the log message.
instance_uuid_format = "[instance: %(uuid)s] "
(StrOpt) The format for an instance UUID that is
passed with the log message.
log_config_append = None
(StrOpt) The name of a logging configuration file.
This file is appended to any existing logging
configuration files. For details about logging
configuration files, see the Python logging module
documentation.
log_date_format = %Y-%m-%d %H:%M:%S
(StrOpt) Format string for %%(asctime)s in log
records. Default: %(default)s .
log_dir = None
(StrOpt) (Optional) The base directory used for
relative --log-file paths.
log_file = None
(StrOpt) (Optional) Name of log file to output to. If
no default is set, logging will go to stdout.
log_format = None
(StrOpt) DEPRECATED. A logging.Formatter log
message format string which may use any of the
available logging.LogRecord attributes. This option
is deprecated; use logging_context_format_string and
logging_default_format_string instead.
logging_context_format_string = %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [%(request_id)s %(user_identity)s] %(instance)s%(message)s
(StrOpt) Format string to use for log messages with
context.
logging_debug_format_suffix = %(funcName)s %(pathname)s:%(lineno)d
(StrOpt) Data to append to log format when level is
DEBUG.
logging_default_format_string = %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [-] %(instance)s%(message)s
(StrOpt) Format string to use for log messages
without context.
logging_exception_prefix = %(asctime)s.%(msecs)03d %(process)d TRACE %(name)s %(instance)s
(StrOpt) Prefix each line of exception output with
this format.
publish_errors = False
(BoolOpt) Enables or disables publication of error
events.
syslog_log_facility = LOG_USER
(StrOpt) Syslog facility to receive log lines.
use_stderr = True
(BoolOpt) Log output to standard error.
use_syslog = False
(BoolOpt) Use syslog for logging. Existing syslog
format is DEPRECATED during I, and will change in J
to honor RFC5424.
use_syslog_rfc_format = False
(BoolOpt) (Optional) Enables or disables syslog
rfc5424 format for logging. If enabled, prefixes the
MSG part of the syslog message with APP-NAME
(RFC5424). The format without the APP-NAME is
deprecated in I, and will be removed in J.
verbose = False
(BoolOpt) Print more verbose output (set logging
level to INFO instead of default WARNING level).
Table 1.22. Description of neutron configuration options
Configuration option = Default value
Description
[neutron]
auth_strategy = keystone
(StrOpt) Default authentication strategy to use when
connecting to neutron. Can be either "keystone" or
"noauth". Running neutron in noauth mode (related
to but not affected by this setting) is insecure and
should only be used for testing.
cleaning_network_uuid = None
(StrOpt) UUID of the network to create Neutron
ports on when booting to a ramdisk for
cleaning/zapping using Neutron DHCP
retries = 3
(IntOpt) Client retries in the case of a failed request.
url = http://$my_ip:9696
(StrOpt) URL for connecting to neutron.
url_timeout = 30
(IntOpt) Timeout value for connecting to neutron in
seconds.
Table 1.23. Description of policy configuration options
Configuration option = Default value
Description
[oslo_policy]
policy_default_rule = default
(StrOpt) Default rule. Enforced when a requested
rule is not found.
policy_dirs = ['policy.d']
(MultiStrOpt) Directories where policy configuration
files are stored. They can be relative to any
directory in the search path defined by the
config_dir option, or absolute paths. The file defined
by policy_file must exist for these directories to be
searched. Missing or empty directories are ignored.
policy_file = policy.json
(StrOpt) The JSON file that defines policies.
Table 1.24. Description of PXE configuration options
Configuration option = Default value
Description
[pxe]
default_ephemeral_format = ext4
(StrOpt) Default file system format for ephemeral
partition, if one is created.
disk_devices = cciss/c0d0,sda,hda,vda
(StrOpt) The disk devices to scan while doing the
deploy.
http_root = /httpboot
(StrOpt) Ironic compute node's HTTP root path.
http_url = None
(StrOpt) Ironic compute node's HTTP server URL.
Example: http://192.1.2.3:8080
image_cache_size = 20480
(IntOpt) Maximum size (in MiB) of cache for master
images, including those in use.
image_cache_ttl = 10080
(IntOpt) Maximum TTL (in minutes) for old master
images in cache.
images_path = /var/lib/ironic/images/
(StrOpt) Directory where images are stored on disk.
instance_master_path = /var/lib/ironic/master_images
(StrOpt) Directory where master instance images
are stored on disk.
ipxe_boot_script = $pybasedir/drivers/modules/boot.ipxe
(StrOpt) The path to the main iPXE script file.
ipxe_enabled = False
(BoolOpt) Enable iPXE boot.
pxe_append_params = nofb nomodeset vga=normal
(StrOpt) Additional append parameters for
baremetal PXE boot.
pxe_bootfile_name = pxelinux.0
(StrOpt) Bootfile DHCP parameter.
pxe_config_template = $pybasedir/drivers/modules/pxe_config.template
(StrOpt) Template file for PXE configuration.
tftp_master_path = /tftpboot/master_images
(StrOpt) Directory where master tftp images are
stored on disk.
tftp_root = /tftpboot
(StrOpt) Ironic compute node's tftp root path.
tftp_server = $my_ip
(StrOpt) IP address of Ironic compute node's tftp
server.
uefi_pxe_bootfile_name = elilo.efi
(StrOpt) Bootfile DHCP parameter for UEFI boot
mode.
uefi_pxe_config_template = $pybasedir/drivers/modules/elilo_efi_pxe_config.template
(StrOpt) Template file for PXE configuration for UEFI
boot loader.
Table 1.25. Description of Redis configuration options
Configuration option = Default value
Description
[matchmaker_redis]
host = 127.0.0.1
(StrOpt) Host to locate redis.
password = None
(StrOpt) Password for Redis server (optional).
port = 6379
(IntOpt) Use this port to connect to redis host.
[matchmaker_ring]
ringfile = /etc/oslo/matchmaker_ring.json
(StrOpt) Matchmaker ring file (JSON).
Table 1.26. Description of RPC configuration options
Configuration option = Default value
Description
[DEFAULT]
matchmaker_heartbeat_freq = 300
(IntOpt) Heartbeat frequency.
matchmaker_heartbeat_ttl = 600
(IntOpt) Heartbeat time-to-live.
rpc_backend = rabbit
(StrOpt) The messaging driver to use, defaults to
rabbit. Other drivers include qpid and zmq.
rpc_cast_timeout = 30
(IntOpt) Seconds to wait before a cast expires (TTL).
Only supported by impl_zmq.
rpc_response_timeout = 60
(IntOpt) Seconds to wait for a response from a call.
rpc_thread_pool_size = 64
(IntOpt) Size of RPC thread pool.
[oslo_concurrency]
disable_process_locking = False
(BoolOpt) Enables or disables inter-process locks.
lock_path = None
(StrOpt) Directory to use for lock files. For security,
the specified directory should only be writable by
the user running the processes that need locking.
Defaults to environment variable
OSLO_LOCK_PATH. If external locks are used, a
lock path must be set.
[oslo_messaging_amqp]
allow_insecure_clients = False
(BoolOpt) Accept clients using either SSL or plain
TCP
broadcast_prefix = broadcast
(StrOpt) address prefix used when broadcasting to
all servers
container_name = None
(StrOpt) Name for the AMQP container
group_request_prefix = unicast
(StrOpt) address prefix when sending to any server
in group
idle_timeout = 0
(IntOpt) Timeout for inactive connections (in
seconds)
server_request_prefix = exclusive
(StrOpt) address prefix used when sending to a
specific server
ssl_ca_file =
(StrOpt) CA certificate PEM file for verifying server
certificate
ssl_cert_file =
(StrOpt) Identifying certificate PEM file to present
to clients
ssl_key_file =
(StrOpt) Private key PEM file used to sign cert_file
certificate
ssl_key_password = None
(StrOpt) Password for decrypting ssl_key_file (if
encrypted)
trace = False
(BoolOpt) Debug: dump AMQP frames to stdout
Table 1.27. Description of RabbitMQ configuration options
Configuration option = Default value
Description
[oslo_messaging_rabbit]
amqp_auto_delete = False
(BoolOpt) Auto-delete queues in AMQP.
amqp_durable_queues = False
(BoolOpt) Use durable queues in AMQP.
fake_rabbit = False
(BoolOpt) Deprecated, use
rpc_backend=kombu+memory or rpc_backend=fake
heartbeat_rate = 2
(IntOpt) How many times during the
heartbeat_timeout_threshold interval the heartbeat
is checked.
heartbeat_timeout_threshold = 0
(IntOpt) Number of seconds after which the Rabbit
broker is considered down if heartbeat's keep-alive
fails (0 disables the heartbeat, >0 enables it.
Enabling heartbeats requires kombu>=3.0.7 and
amqp>=1.4.0). EXPERIMENTAL
kombu_reconnect_delay = 1.0
(FloatOpt) How long to wait before reconnecting in
response to an AMQP consumer cancel notification.
kombu_ssl_ca_certs =
(StrOpt) SSL certification authority file (valid only if
SSL enabled).
kombu_ssl_certfile =
(StrOpt) SSL cert file (valid only if SSL enabled).
kombu_ssl_keyfile =
(StrOpt) SSL key file (valid only if SSL enabled).
kombu_ssl_version =
(StrOpt) SSL version to use (valid only if SSL
enabled). Valid values are TLSv1 and SSLv23. SSLv2,
SSLv3, TLSv1_1, and TLSv1_2 may be available on
some distributions.
rabbit_ha_queues = False
(BoolOpt) Use HA queues in RabbitMQ (x-ha-policy:
all). If you change this option, you must wipe the
RabbitMQ database.
rabbit_host = localhost
(StrOpt) The RabbitMQ broker address where a
single node is used.
rabbit_hosts = $rabbit_host:$rabbit_port
(ListOpt) RabbitMQ HA cluster host:port pairs.
rabbit_login_method = AMQPLAIN
(StrOpt) The RabbitMQ login method.
rabbit_max_retries = 0
(IntOpt) Maximum number of RabbitMQ connection
retries. Default is 0 (infinite retry count).
rabbit_password = guest
(StrOpt) The RabbitMQ password.
rabbit_port = 5672
(IntOpt) The RabbitMQ broker port where a single
node is used.
rabbit_retry_backoff = 2
(IntOpt) How long to backoff for between retries
when connecting to RabbitMQ.
rabbit_retry_interval = 1
(IntOpt) How frequently to retry connecting with
RabbitMQ.
rabbit_use_ssl = False
(BoolOpt) Connect over SSL for RabbitMQ.
rabbit_userid = guest
(StrOpt) The RabbitMQ userid.
rabbit_virtual_host = /
(StrOpt) The RabbitMQ virtual host.
rpc_conn_pool_size = 30
(IntOpt) Size of RPC connection pool.
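Several options in Tables 1.16, 1.22, 1.26 and 1.27 decide whether the Bare Metal service authenticates and encrypts its connections to glance, neutron and the message broker, and some documented defaults (http, guest, SSL off) are weak until overridden. The following audit is an added example, not part of the Red Hat documentation: it applies the documented default whenever an option is unset, and the rule list, function names and sample file are assumptions made for illustration.

```python
import configparser

# Defaults copied from the tables above; an unset option takes these values.
DOCUMENTED_DEFAULTS = {
    ("DEFAULT", "rpc_backend"): "rabbit",
    ("glance", "glance_api_insecure"): "False",
    ("glance", "glance_protocol"): "http",
    ("glance", "auth_strategy"): "keystone",
    ("neutron", "auth_strategy"): "keystone",
    ("neutron", "url"): "http://$my_ip:9696",
    ("oslo_messaging_amqp", "allow_insecure_clients"): "False",
    ("oslo_messaging_amqp", "trace"): "False",
    ("oslo_messaging_rabbit", "rabbit_use_ssl"): "False",
    ("oslo_messaging_rabbit", "rabbit_password"): "guest",
    ("oslo_messaging_rabbit", "kombu_ssl_version"): "",
}


def is_true(value):
    return value.strip().lower() in ("true", "1", "yes", "on")


def is_noauth(value):
    return value.strip() == "noauth"


# (section, option, predicate on the effective value, finding text)
RULES = [
    ("glance", "glance_api_insecure", is_true,
     "certificate checks for glance are disabled"),
    ("glance", "glance_protocol", lambda v: v.strip().lower() == "http",
     "glance is reached over plain http unless glance_api_servers uses https://"),
    ("glance", "auth_strategy", is_noauth, "glance requests are unauthenticated"),
    ("neutron", "auth_strategy", is_noauth, "neutron requests are unauthenticated"),
    ("neutron", "url", lambda v: v.strip().lower().startswith("http://"),
     "neutron is reached over plain http"),
    ("oslo_messaging_amqp", "allow_insecure_clients", is_true,
     "AMQP driver accepts plain TCP clients"),
    ("oslo_messaging_amqp", "trace", is_true, "AMQP frames are dumped to stdout"),
    ("oslo_messaging_rabbit", "rabbit_use_ssl", lambda v: not is_true(v),
     "RabbitMQ connection does not use SSL"),
    ("oslo_messaging_rabbit", "rabbit_password", lambda v: v == "guest",
     "RabbitMQ still uses the default guest password"),
    ("oslo_messaging_rabbit", "kombu_ssl_version",
     lambda v: v.strip() in ("SSLv2", "SSLv3"), "obsolete SSL version is pinned"),
]


def effective(cp, section, option):
    """Return (value, 'set') from the file or (documented default, 'default')."""
    if cp.has_section(section) and cp.has_option(section, option):
        return cp.get(section, option), "set"
    return DOCUMENTED_DEFAULTS[(section, option)], "default"


def audit(conf_text):
    """Return a list of (section, option, source, finding) tuples."""
    # default_section is renamed so [DEFAULT] is an ordinary section and its
    # values are not inherited by other sections; interpolation is off because
    # the logging options contain literal %(...)s strings.
    cp = configparser.ConfigParser(interpolation=None, default_section="__unused__")
    cp.read_string(conf_text)
    backend, _ = effective(cp, "DEFAULT", "rpc_backend")
    findings = []
    for section, option, is_weak, text in RULES:
        if section == "oslo_messaging_rabbit" and backend.strip() in ("qpid", "zmq"):
            continue  # RabbitMQ options are irrelevant for the other drivers
        value, source = effective(cp, section, option)
        if is_weak(value):
            findings.append((section, option, source, text))
    return findings


# Constructed sample configuration, not taken from a real deployment.
SAMPLE_IRONIC_CONF = """\
[DEFAULT]
rpc_backend = rabbit

[glance]
glance_api_insecure = True
glance_protocol = https
auth_strategy = keystone

[neutron]
auth_strategy = noauth
url = https://neutron.example.com:9696

[oslo_messaging_rabbit]
rabbit_use_ssl = True
kombu_ssl_version = SSLv3
rabbit_userid = ironic
"""

if __name__ == "__main__":
    for section, option, source, text in audit(SAMPLE_IRONIC_CONF):
        print("[{}] {} ({}): {}".format(section, option, source, text))
```

Findings marked "default" are the ones a review of the file alone would miss, because the weak value never appears in it.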
Table 1.28. Description of Qpid configuration options
Configuration option = Default value
Description
[oslo_messaging_qpid]
amqp_auto_delete = False
(BoolOpt) Auto-delete queues in AMQP.
amqp_durable_queues = False
(BoolOpt) Use durable queues in AMQP.
qpid_heartbeat = 60
(IntOpt) Seconds between connection keepalive
heartbeats.
qpid_hostname = localhost
(StrOpt) Qpid broker hostname.
qpid_hosts = $qpid_hostname:$qpid_port
(ListOpt) Qpid HA cluster host:port pairs.
qpid_password =
(StrOpt) Password for Qpid connection.
qpid_port = 5672
(IntOpt) Qpid broker port.
qpid_protocol = tcp
(StrOpt) Transport to use, either 'tcp' or 'ssl'.
qpid_receiver_capacity = 1
(IntOpt) The number of prefetched messages held by
receiver.
qpid_sasl_mechanisms =
(StrOpt) Space separated list of SASL mechanisms
to use for auth.
qpid_tcp_nodelay = True
(BoolOpt) Whether to disable the Nagle algorithm.
qpid_topology_version = 1
(IntOpt) The qpid topology version to use. Version 1
is what was originally used by impl_qpid. Version 2
includes some backwards-incompatible changes
that allow broker federation to work. Users should
update to version 2 when they are able to take
everything down, as it requires a clean break.
qpid_username =
(StrOpt) Username for Qpid connection.
rpc_conn_pool_size = 30
(IntOpt) Size of RPC connection pool.
Table 1.29. Description of SeaMicro configuration options
Configuration option = Default value
Description
[seamicro]
action_timeout = 10
(IntOpt) Seconds to wait for power action to be
completed
max_retry = 3
(IntOpt) Maximum retries for SeaMicro operations
Table 1.30. Description of SNMP configuration options
Configuration option = Default value
Description
[snmp]
power_timeout = 10
(IntOpt) Seconds to wait for power action to be
completed
Table 1.31. Description of SSH configuration options
Configuration option = Default value
Description
[ssh]
libvirt_uri = qemu:///system
(StrOpt) libvirt uri
Table 1.32. Description of swift configuration options
Configuration option = Default value
Description
[swift]
swift_max_retries = 2
(IntOpt) Maximum number of times to retry a Swift
request, before failing.
Table 1.33. Description of VirtualBox configuration options
Configuration option = Default value
Description
[virtualbox]
port = 18083
(IntOpt) Port on which VirtualBox web service is
listening.
CHAPTER 2. BLOCK STORAGE
The OpenStack Block Storage service provides persistent storage for Compute instances, working with
many different storage drivers that you can configure.
2.1. VOLUME DRIVERS
To use different volume drivers for the cinder-volume service, use the parameters described in
these sections.
To set a volume driver, use the volume_driver flag. The default is:
volume_driver = cinder.volume.drivers.lvm.LVMISCSIDriver
2.1.1. Ceph RADOS Block Device (RBD)
If you use KVM or QEMU as your hypervisor, you can configure the Compute service to use Ceph
RADOS block devices (RBD) for volumes.
Ceph is a massively scalable, open source, distributed storage system. It is comprised of an object
store, block store, and a POSIX-compliant distributed file system. The platform can auto-scale to the
exabyte level and beyond. It runs on commodity hardware, is self-healing and self-managing, and has
no single point of failure. Ceph is in the Linux kernel and is integrated with the OpenStack cloud
operating system. Due to its open-source nature, you can install and use this portable storage platform
in public or private clouds.
RADOS
Ceph is based on RADOS: Reliable Autonomic Distributed Object Store. RADOS distributes objects across
the storage cluster and replicates objects for fault tolerance. RADOS contains the following major
components:
Object Storage Device (OSD) Daemon. The storage daemon for the RADOS service, which
interacts with the OSD (physical or logical storage unit for your data).
You must run this daemon on each server in your cluster. For each OSD, you can have an
associated hard drive disk. For performance purposes, pool your hard drive disk with RAID
arrays, logical volume management (LVM), or B-tree file system (Btrfs) pooling. By default,
the following pools are created: data, metadata, and RBD.
Meta-Data Server (MDS). Stores metadata. MDSs build a POSIX file system on top of objects for
Ceph clients. However, if you do not use the Ceph file system, you do not need a metadata
server.
Monitor (MON). A lightweight daemon that handles all communications with external
applications and clients. It also provides a consensus for distributed decision making in a
Ceph/RADOS cluster. For instance, when you mount a Ceph share on a client, you point to the
address of a MON server. It checks the state and the consistency of the data. In an ideal setup,
you must run at least three ceph-mon daemons on separate servers.
Ceph developers recommend XFS for production deployments, Btrfs for testing, development, and
any non-critical deployments. Btrfs has the correct feature set and roadmap to serve Ceph in the
long term, but XFS and ext4 provide the necessary stability for today’s deployments.
NOTE
If using Btrfs, ensure that you use the correct version (see Ceph Dependencies).
For more information about usable file systems, see ceph.com/ceph-storage/filesystem/.
Ways to store, use, and expose data
To store and access your data, you can use the following storage systems:
RADOS. Use as an object, default storage mechanism.
RBD. Use as a block device. The Linux kernel RBD (RADOS block device) driver allows striping
a Linux block device over multiple distributed object store data objects. It is compatible with
the KVM RBD image.
CephFS. Use as a file, POSIX-compliant file system.
Ceph exposes RADOS; you can access it through the following interfaces:
RADOS Gateway. OpenStack Object Storage and Amazon-S3 compatible RESTful interface (see
RADOS_Gateway).
librados, and its related C/C++ bindings.
RBD and QEMU-RBD. Linux kernel and QEMU block devices that stripe data across multiple
objects.
Driver options
The following table contains the configuration options supported by the Ceph RADOS Block Device
driver.
DEPRECATION NOTICE
The volume_tmp_dir option has been deprecated and replaced by
image_conversion_dir.
Table 2.1. Description of Ceph storage configuration options
Configuration option = Default value
Description
[DEFAULT]
rados_connect_timeout = -1
(IntOpt) Timeout value (in seconds) used when
connecting to ceph cluster. If value < 0, no timeout
is set and default librados value is used.
rados_connection_interval = 5
(IntOpt) Interval value (in seconds) between
connection retries to ceph cluster.
rados_connection_retries = 3
(IntOpt) Number of retries if connection to ceph
cluster failed.
rbd_ceph_conf =
(StrOpt) Path to the ceph configuration file
rbd_cluster_name = ceph
(StrOpt) The name of ceph cluster
rbd_flatten_volume_from_snapshot = False
(BoolOpt) Flatten volumes created from snapshots
to remove dependency from volume to snapshot
rbd_max_clone_depth = 5
(IntOpt) Maximum number of nested volume clones
that are taken before a flatten occurs. Set to 0 to
disable cloning.
rbd_pool = rbd
(StrOpt) The RADOS pool where rbd volumes are
stored
rbd_secret_uuid = None
(StrOpt) The libvirt uuid of the secret for the
rbd_user volumes
rbd_store_chunk_size = 4
(IntOpt) Volumes will be chunked into objects of this
size (in megabytes).
rbd_user = None
(StrOpt) The RADOS client name for accessing rbd
volumes - only set when using cephx authentication
volume_tmp_dir = None
(StrOpt) Directory where temporary image files are
stored when the volume driver does not write them
directly to the volume. Warning: this option is now
deprecated, use image_conversion_dir instead.
2.1.2. Dell EqualLogic volume driver
The Dell EqualLogic volume driver interacts with configured EqualLogic arrays and supports various
operations.
Supported operations
Create, delete, attach, and detach volumes.
Create, list, and delete volume snapshots.
Clone a volume.
The OpenStack Block Storage service supports:
Multiple instances of Dell EqualLogic Groups or Dell EqualLogic Group Storage Pools and
multiple pools on a single array.
Multiple instances of Dell EqualLogic Groups or Dell EqualLogic Group Storage Pools or
multiple pools on a single array.
The Dell EqualLogic volume driver's ability to access the EqualLogic Group is dependent upon the
generic block storage driver's SSH settings in the /etc/cinder/cinder.conf file (see Section 2.3,
“Block Storage sample configuration files” for reference).
Table 2.2. Description of Dell EqualLogic volume driver configuration options
Configuration option = Default value
Description
[DEFAULT]
eqlx_chap_login = admin
(StrOpt) Existing CHAP account name. Note that this
option is deprecated in favour of "chap_username"
as specified in cinder/volume/driver.py and will be
removed in next release.
eqlx_chap_password = password
(StrOpt) Password for specified CHAP account
name. Note that this option is deprecated in favour
of "chap_password" as specified in
cinder/volume/driver.py and will be removed in the
next release
eqlx_cli_max_retries = 5
(IntOpt) Maximum retry count for reconnection.
Default is 5.
eqlx_cli_timeout = 30
(IntOpt) Timeout for the Group Manager cli
command execution. Default is 30. Note that this
option is deprecated in favour of
"ssh_conn_timeout" as specified in
cinder/volume/drivers/san/san.py and will be
removed in M release.
eqlx_group_name = group-0
(StrOpt) Group name to use for creating volumes.
Defaults to "group-0".
eqlx_pool = default
(StrOpt) Pool in which volumes will be created.
Defaults to "default".
eqlx_use_chap = False
(BoolOpt) Use CHAP authentication for targets. Note
that this option is deprecated in favour of
"use_chap_auth" as specified in
cinder/volume/driver.py and will be removed in next
release.
The following sample /etc/cinder/cinder.conf configuration lists the relevant settings for a
typical Block Storage service using a single Dell EqualLogic Group:
Example 2.1. Default (single-instance) configuration
[DEFAULT]
#Required settings
volume_driver = cinder.volume.drivers.eqlx.DellEQLSanISCSIDriver
san_ip = IP_EQLX
san_login = SAN_UNAME
san_password = SAN_PW
eqlx_group_name = EQLX_GROUP
eqlx_pool = EQLX_POOL
#Optional settings
san_thin_provision = true|false
eqlx_use_chap = true|false
eqlx_chap_login = EQLX_UNAME
eqlx_chap_password = EQLX_PW
eqlx_cli_max_retries = 5
san_ssh_port = 22
ssh_conn_timeout = 30
san_private_key = SAN_KEY_PATH
ssh_min_pool_conn = 1
ssh_max_pool_conn = 5
In this example, replace the following variables accordingly:
IP_EQLX
The IP address used to reach the Dell EqualLogic Group through SSH. This field has no default
value.
SAN_UNAME
The user name to login to the Group manager via SSH at the san_ip. Default user name is
grpadmin.
SAN_PW
The corresponding password of SAN_UNAME. Not used when san_private_key is set. Default
password is password.
EQLX_GROUP
The group to be used for a pool where the Block Storage service will create volumes and snapshots.
Default group is group-0.
EQLX_POOL
The pool where the Block Storage service will create volumes and snapshots. Default pool is
default. This option cannot be used for multiple pools utilized by the Block Storage service on a
single Dell EqualLogic Group.
EQLX_UNAME
The CHAP login account for each volume in a pool, if eqlx_use_chap is set to true. Default
account name is chapadmin.
EQLX_PW
The corresponding password of EQLX_UNAME. The default password is randomly generated in
hexadecimal, so you must set this password manually.
SAN_KEY_PATH (optional)
The filename of the private key used for SSH authentication. This provides password-less login to
the EqualLogic Group. Not used when san_password is set. There is no default value.
In addition, enable thin provisioning for SAN volumes using the default san_thin_provision =
true setting.
Example 2.2. Multi back-end Dell EqualLogic configuration
The following example shows the typical configuration for a Block Storage service that uses two
Dell EqualLogic back ends:
enabled_backends = backend1,backend2
san_ssh_port = 22
ssh_conn_timeout = 30
san_thin_provision = true

[backend1]
volume_driver = cinder.volume.drivers.eqlx.DellEQLSanISCSIDriver
volume_backend_name = backend1
san_ip = IP_EQLX1
san_login = SAN_UNAME
san_password = SAN_PW
eqlx_group_name = EQLX_GROUP
eqlx_pool = EQLX_POOL

[backend2]
volume_driver = cinder.volume.drivers.eqlx.DellEQLSanISCSIDriver
volume_backend_name = backend2
san_ip = IP_EQLX2
san_login = SAN_UNAME
san_password = SAN_PW
eqlx_group_name = EQLX_GROUP
eqlx_pool = EQLX_POOL
In this example:
Thin provisioning for SAN volumes is enabled (san_thin_provision = true). This is
recommended when setting up Dell EqualLogic back ends.
Each Dell EqualLogic back-end configuration ([backend1] and [backend2]) has the
same required settings as a single back-end configuration, with the addition of
volume_backend_name.
The san_ssh_port option is set to its default value, 22. This option sets the port used for
SSH.
The ssh_conn_timeout option is also set to its default value, 30. This option sets the
timeout in seconds for CLI commands over SSH.
The IP_EQLX1 and IP_EQLX2 refer to the IP addresses used to reach the Dell EqualLogic
Group of backend1 and backend2 through SSH, respectively.
For information on configuring multiple back ends, see Configure a multiple-storage back end.
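The single and multi back-end samples above rely on every enabled back end carrying its own required settings, and the variable list documents default credentials (grpadmin / password) that must not survive into production. The following check is an added example, not part of the Red Hat documentation or of cinder: it assumes enabled_backends sits under [DEFAULT], and the function name, finding texts and sample file are constructed for illustration.

```python
import configparser

EQLX_DRIVER = "cinder.volume.drivers.eqlx.DellEQLSanISCSIDriver"
# Settings listed under "#Required settings" in Example 2.1, plus
# volume_backend_name, which Example 2.2 adds for each back end.
REQUIRED = ("volume_driver", "volume_backend_name", "san_ip", "san_login",
            "eqlx_group_name", "eqlx_pool")
# Placeholder tokens used by the sample configurations above.
PLACEHOLDERS = {"IP_EQLX", "IP_EQLX1", "IP_EQLX2", "SAN_UNAME", "SAN_PW",
                "EQLX_GROUP", "EQLX_POOL", "EQLX_UNAME", "EQLX_PW", "SAN_KEY_PATH"}


def check_backends(conf_text):
    """Return (backend, option, message) findings for enabled EqualLogic back ends."""
    # [DEFAULT] is parsed as an ordinary section so its values are not
    # silently copied into the back-end sections by configparser.
    cp = configparser.ConfigParser(interpolation=None, default_section="__unused__")
    cp.read_string(conf_text)
    enabled = cp.get("DEFAULT", "enabled_backends", fallback="")
    findings = []
    for name in [n.strip() for n in enabled.split(",") if n.strip()]:
        if not cp.has_section(name):
            findings.append((name, "enabled_backends",
                             "no [%s] section defines this back end" % name))
            continue
        opts = dict(cp.items(name))
        driver = opts.get("volume_driver", "")
        if driver and driver != EQLX_DRIVER:
            continue  # another driver; these rules do not apply
        for key in REQUIRED:
            if not opts.get(key):
                findings.append((name, key, "required setting is missing"))
        has_password = bool(opts.get("san_password"))
        has_key = bool(opts.get("san_private_key"))
        if not has_password and not has_key:
            findings.append((name, "san_password",
                             "neither san_password nor san_private_key is set"))
        if has_password and has_key:
            findings.append((name, "san_private_key",
                             "set together with san_password; each is documented "
                             "as unused when the other is set"))
        if opts.get("san_login") == "grpadmin" and opts.get("san_password") == "password":
            findings.append((name, "san_password",
                             "documented default Group Manager credentials in use"))
        chap_on = opts.get("eqlx_use_chap", "false").strip().lower() == "true"
        if chap_on and opts.get("eqlx_chap_password", "password") == "password":
            findings.append((name, "eqlx_chap_password",
                             "CHAP is enabled but the password is unset or the "
                             "table default"))
        for key in sorted(opts):
            if opts[key] in PLACEHOLDERS:
                findings.append((name, key,
                                 "placeholder %s was not replaced" % opts[key]))
    return findings


# Constructed sample configuration, not taken from a real deployment.
SAMPLE_CINDER_CONF = """\
[DEFAULT]
enabled_backends = backend1,backend2,backend3
san_thin_provision = true

[backend1]
volume_driver = cinder.volume.drivers.eqlx.DellEQLSanISCSIDriver
volume_backend_name = backend1
san_ip = 192.0.2.10
san_login = grpadmin
san_password = password
eqlx_group_name = group-0
eqlx_pool = default

[backend2]
volume_driver = cinder.volume.drivers.eqlx.DellEQLSanISCSIDriver
volume_backend_name = backend2
san_ip = IP_EQLX2
san_login = cinder-svc
san_private_key = /etc/cinder/eqlx_id_rsa
eqlx_group_name = group-0
eqlx_use_chap = true
"""

if __name__ == "__main__":
    for backend, option, message in check_backends(SAMPLE_CINDER_CONF):
        print("{}: {}: {}".format(backend, option, message))
```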
2.1.3. Dell Storage Center Fibre Channel and iSCSI drivers
The Dell Storage Center volume driver interacts with configured Storage Center arrays.
The Dell Storage Center driver manages Storage Center arrays through Enterprise Manager.
Enterprise Manager connection settings and Storage Center options are defined in the cinder.conf
file.
Prerequisite: Dell Enterprise Manager 2015 R1 or later must be used.
Supported operations
The Dell Storage Center volume driver provides the following Cinder volume operations:
Create, delete, attach (map), and detach (unmap) volumes.
Create, list, and delete volume snapshots.
Create a volume from a snapshot.
Copy an image to a volume.
Copy a volume to an image.
Clone a volume.
Extend a volume.
Extra spec options
Volume type extra specs can be used to select different Storage Profiles.
Storage Profiles control how Storage Center manages volume data. For a given volume, the selected
Storage Profile dictates which disk tier accepts initial writes, as well as how data progression moves
data between tiers to balance performance and cost. Predefined Storage Profiles are the most
effective way to manage data in Storage Center.
By default, if no Storage Profile is specified in the volume extra specs, the default Storage Profile for
the user account configured for the Block Storage driver is used. The extra spec key
storagetype:storageprofile with the value of the name of the Storage Profile on the Storage
Center can be set to allow the use of Storage Profiles other than the default.
For ease of use from the command line, spaces in Storage Profile names are ignored. As an example,
here is how to define two volume types using the High Priority and Low Priority Storage
Profiles:
$ cinder type-create "GoldVolumeType"
$ cinder type-key "GoldVolumeType" set storagetype:storageprofile=highpriority
$ cinder type-create "BronzeVolumeType"
$ cinder type-key "BronzeVolumeType" set storagetype:storageprofile=lowpriority
iSCSI configuration
Use the following instructions to update the configuration file for iSCSI:
Example 2.3. Sample iSCSI Configuration
default_volume_type = delliscsi
enabled_backends = delliscsi
[delliscsi]
# Name to give this storage backend
volume_backend_name = delliscsi
# The iSCSI driver to load
volume_driver = cinder.volume.drivers.dell.dell_storagecenter_iscsi.DellStorageCenterISCSIDriver
# IP address of Enterprise Manager
san_ip = 172.23.8.101
# Enterprise Manager user name
san_login = Admin
# Enterprise Manager password
san_password = secret
# The Storage Center iSCSI IP address
iscsi_ip_address = 192.168.0.20
# The Storage Center serial number to use
dell_sc_ssn = 64702
# ==Optional settings==
# The Enterprise Manager API port
dell_sc_api_port = 3033
# Server folder to place new server definitions
dell_sc_server_folder = devstacksrv
# Volume folder to place created volumes
dell_sc_volume_folder = devstackvol/Cinder
# The iSCSI IP port
iscsi_port = 3260
Fibre Channel configuration
Use the following instructions to update the configuration file for Fibre Channel:
Example 2.4. Sample FC configuration
default_volume_type = dellfc
enabled_backends = dellfc
[dellfc]
# Name to give this storage backend
volume_backend_name = dellfc
# The FC driver to load
volume_driver = cinder.volume.drivers.dell.dell_storagecenter_fc.DellStorageCenterFCDriver
# IP address of Enterprise Manager
san_ip = 172.23.8.101
# Enterprise Manager user name
san_login = Admin
# Enterprise Manager password
san_password = secret
# The Storage Center serial number to use
dell_sc_ssn = 64702
# Optional settings
# The Enterprise Manager API port
dell_sc_api_port = 3033
# Server folder to place new server definitions
dell_sc_server_folder = devstacksrv
# Volume folder to place created volumes
dell_sc_volume_folder = devstackvol/Cinder
Driver options
The following table contains the configuration options specific to the Dell Storage Center volume
driver.
Table 2.3. Description of Dell Storage Center volume driver configuration options
Configuration option = Default value | Description
[DEFAULT]
dell_sc_api_port = 3033 | (IntOpt) Dell API port
dell_sc_server_folder = openstack | (StrOpt) Name of the server folder to use on the Storage Center
dell_sc_ssn = 64702 | (IntOpt) Storage Center System Serial Number
dell_sc_verify_cert = False | (BoolOpt) Enable HTTPS SC certificate verification.
dell_sc_volume_folder = openstack | (StrOpt) Name of the volume folder to use on the Storage Center
2.1.4. EMC ScaleIO Block Storage driver configuration
ScaleIO is a software-only solution that uses existing servers' local disks and LAN to create a virtual
SAN that has all of the benefits of external storage, but at a fraction of the cost and complexity. Using
the driver, Block Storage hosts can connect to a ScaleIO Storage cluster.
This section explains how to configure and connect the block storage nodes to a ScaleIO storage
cluster.
2.1.4.1. Support matrix
2.1.4.2. Deployment prerequisites
ScaleIO Gateway must be installed and accessible in the network. For installation steps, refer
to the Preparing the installation Manager and the Gateway section in ScaleIO Deployment
Guide. See Section 2.1.4.2.1, “Official documentation”.
ScaleIO Data Client (SDC) must be installed on all OpenStack nodes.
2.1.4.2.1. Official documentation
To find the ScaleIO documentation:
1. Go to the ScaleIO product documentation page.
2. From the left-side panel, select the relevant version (1.32 or 2.0).
3. Search for "ScaleIO Installation Guide 1.32" or "ScaleIO 2.0 Deployment Guide" accordingly.
2.1.4.3. Supported operations
Create, delete, clone, attach, and detach volumes
Create and delete volume snapshots
Create a volume from a snapshot
Copy an image to a volume
Copy a volume to an image
Extend a volume
Get volume statistics
Manage and unmanage a volume
Create, list, update, and delete consistency groups
Create, list, update, and delete consistency group snapshots
2.1.4.4. ScaleIO QoS support
QoS support for the ScaleIO driver includes the ability to set the following capabilities in the Block
Storage API cinder.api.contrib.qos_specs_manage QoS specs extension module:
minBWS
maxBWS
The QoS keys above must be created and associated with a volume type. For information about how to
set the key-value pairs and associate them with a volume type, run the following commands:
$ cinder help qos-create
$ cinder help qos-key
$ cinder help qos-associate
maxBWS
The QoS I/O issue bandwidth rate limit in KBs. If not set, the I/O issue bandwidth rate has no limit.
The setting must be a multiple of 1024.
maxIOPS
The QoS I/O issue bandwidth rate limit in MBs. If not set, the I/O issue bandwidth rate has no limit.
The setting must be larger than 10.
Since the limits are per SDC, they will be applied after the volume is attached to an instance, and thus
to a compute node/SDC.
2.1.4.5. ScaleIO thin provisioning support
The Block Storage driver supports creation of thin-provisioned volumes, in addition to thick
provisioning. The provisioning type settings should be added as an extra specification of the volume
type, as follows:
sio:provisioning_type = thin|thick
If the provisioning type value is not specified, the default value of "thick" will be used.
2.1.4.6. ScaleIO Block Storage driver configuration
Edit the cinder.conf file by adding the configuration below under the [DEFAULT] section of the file
in case of a single back end, or under a separate section in case of multiple back ends (for example
[ScaleIO]). The configuration file is usually located at /etc/cinder/cinder.conf.
For a configuration example, refer to Section 2.1.4.8, “Configuration example”.
2.1.4.6.1. ScaleIO driver name
Configure the driver name by adding the following parameter:
volume_driver = cinder.volume.drivers.emc.scaleio.ScaleIODriver
2.1.4.6.2. ScaleIO MDM server IP
The ScaleIO Meta Data Manager monitors and maintains the available resources and permissions.
To retrieve the MDM server IP address, use the drv_cfg --query_mdms command.
Configure the MDM server IP address by adding the following parameter:
san_ip = ScaleIO GATEWAY IP
2.1.4.6.3. ScaleIO Protection Domain name
ScaleIO allows multiple Protection Domains (groups of SDSs that provide backup for each other).
To retrieve the available Protection Domains, use the command scli --query_all and search for
the Protection Domains section.
Configure the Protection Domain for newly created volumes by adding the following parameter:
sio_protection_domain_name = ScaleIO Protection Domain
2.1.4.6.4. ScaleIO Storage Pool name
A ScaleIO Storage Pool is a set of physical devices in a Protection Domain.
To retrieve the available Storage Pools, use the command scli --query_all and search for
available Storage Pools.
Configure the Storage Pool for newly created volumes by adding the following parameter:
sio_storage_pool_name = ScaleIO Storage Pool
2.1.4.6.5. ScaleIO Storage Pools
Multiple Storage Pools and Protection Domains can be listed for use by the virtual machines.
To retrieve the available Storage Pools, use the command scli --query_all and search for
available Storage Pools.
Configure the available Storage Pools by adding the following parameter:
sio_storage_pools = Comma-separated list of protection domain:storage pool name
2.1.4.6.6. ScaleIO user credentials
Block Storage requires a ScaleIO user with administrative privileges. ScaleIO recommends creating a
dedicated OpenStack user account that has an administrative user role.
Refer to the ScaleIO User Guide for details on user account management.
Configure the user credentials by adding the following parameters:
san_login = ScaleIO username
san_password = ScaleIO password
2.1.4.7. Multiple back ends
Configuring multiple storage back ends allows you to create several back-end storage solutions that
serve the same Compute resources.
When a volume is created, the scheduler selects the appropriate back end to handle the request,
according to the specified volume type.
2.1.4.8. Configuration example
cinder.conf example file
You can update the cinder.conf file by editing the necessary parameters as follows:
[DEFAULT]
enabled_backends = scaleio
[scaleio]
volume_driver = cinder.volume.drivers.emc.scaleio.ScaleIODriver
volume_backend_name = scaleio
san_ip = GATEWAY_IP
sio_protection_domain_name = Default_domain
sio_storage_pool_name = Default_pool
sio_storage_pools = Domain1:Pool1,Domain2:Pool2
san_login = SIO_USER
san_password = SIO_PASSWD
2.1.4.9. Configuration options
The ScaleIO driver supports these configuration options:
Table 2.4. Description of EMC SIO volume driver configuration options
Configuration option = Default value | Description
[DEFAULT]
sio_force_delete = False | (BoolOpt) Whether to allow force delete.
sio_protection_domain_id = None | (StrOpt) Protection domain id.
sio_protection_domain_name = None | (StrOpt) Protection domain name.
sio_rest_server_port = 443 | (StrOpt) REST server port.
sio_round_volume_capacity = True | (BoolOpt) Whether to round volume capacity.
sio_server_certificate_path = None | (StrOpt) Server certificate path.
sio_storage_pool_id = None | (StrOpt) Storage pool id.
sio_storage_pool_name = None | (StrOpt) Storage pool name.
sio_storage_pools = None | (StrOpt) Storage pools.
sio_unmap_volume_before_deletion = False | (BoolOpt) Whether to unmap volume before deletion.
sio_verify_server_certificate = False | (BoolOpt) Whether to verify server certificate.
2.1.5. EMC VMAX iSCSI and FC drivers
The EMC VMAX drivers, EMCVMAXISCSIDriver and EMCVMAXFCDriver, support the use of EMC
VMAX storage arrays under OpenStack Block Storage. They both provide equivalent functions and
differ only in support for their respective host attachment methods.
The drivers perform volume operations by communicating with the backend VMAX storage. They use a
CIM client in Python called PyWBEM to perform CIM operations over HTTP.
The EMC CIM Object Manager (ECOM) is packaged with the EMC SMI-S provider. It is a CIM server that
enables CIM clients to perform CIM operations over HTTP by using SMI-S in the back-end for VMAX
storage operations.
The EMC SMI-S Provider supports the SNIA Storage Management Initiative (SMI), an ANSI standard for
storage management. It supports the VMAX storage system.
2.1.5.1. System requirements
EMC SMI-S Provider V4.6.2.8 and higher is required. You can download SMI-S from EMC's support
web site (login is required). See the EMC SMI-S Provider release notes for installation instructions.
EMC storage VMAX Family is supported.
2.1.5.2. Supported operations
VMAX drivers support these operations:
Create, delete, attach, and detach volumes.
Create, list, and delete volume snapshots.
Copy an image to a volume.
Copy a volume to an image.
Clone a volume.
Extend a volume.
Retype a volume.
Create a volume from a snapshot.
VMAX drivers also support the following features:
FAST automated storage tiering policy.
Dynamic masking view creation.
Striped volume creation.
2.1.5.3. Set up the VMAX drivers
Procedure 2.1. To set up the EMC VMAX drivers
1. Install the python-pywbem package for your distribution. To install the python-pywbem
package for Red Hat Enterprise Linux, CentOS, or Fedora:
# yum install pywbem
2. Download SMI-S from PowerLink and install it. Add your VMAX arrays to SMI-S.
For information, see Section 2.1.5.3.1, “Set up SMI-S” and the SMI-S release notes.
3. Change configuration files. See Section 2.1.5.3.2, “cinder.conf configuration file” and
Section 2.1.5.3.3, “cinder_emc_config_CONF_GROUP_ISCSI.xml configuration file”.
4. Configure connectivity. For the FC driver, see Section 2.1.5.3.4, “FC Zoning with VMAX”. For the
iSCSI driver, see Section 2.1.5.3.5, “iSCSI with VMAX”.
2.1.5.3.1. Set up SMI-S
You can install SMI-S on a non-OpenStack host. Supported platforms include different flavors of
Windows, Red Hat, and SUSE Linux. SMI-S can be installed on a physical server or a VM hosted by an
ESX server. Note that the supported hypervisor for a VM running SMI-S is ESX only. See the EMC
SMI-S Provider release notes for more information on supported platforms and installation instructions.
NOTE
You must discover storage arrays on the SMI-S server before you can use the VMAX
drivers. Follow instructions in the SMI-S release notes.
SMI-S is usually installed at /opt/emc/ECIM/ECOM/bin on Linux and C:\Program
Files\EMC\ECIM\ECOM\bin on Windows. After you install and configure SMI-S, go to that directory
and type TestSmiProvider.exe.
Use addsys in TestSmiProvider.exe to add an array. Use dv and examine the output after the
array is added. Make sure that the arrays are recognized by the SMI-S server before using the EMC
VMAX drivers.
2.1.5.3.2. cinder.conf configuration file
Make the following changes in /etc/cinder/cinder.conf.
Add the following entries, where 10.10.61.45 is the IP address of the VMAX iSCSI target:
enabled_backends = CONF_GROUP_ISCSI, CONF_GROUP_FC
[CONF_GROUP_ISCSI]
iscsi_ip_address = 10.10.61.45
volume_driver = cinder.volume.drivers.emc.emc_vmax_iscsi.EMCVMAXISCSIDriver
cinder_emc_config_file = /etc/cinder/cinder_emc_config_CONF_GROUP_ISCSI.xml
volume_backend_name=ISCSI_backend
[CONF_GROUP_FC]
volume_driver = cinder.volume.drivers.emc.emc_vmax_fc.EMCVMAXFCDriver
cinder_emc_config_file = /etc/cinder/cinder_emc_config_CONF_GROUP_FC.xml
volume_backend_name=FC_backend
In this example, two backend configuration groups are enabled: CONF_GROUP_ISCSI and
CONF_GROUP_FC. Each configuration group has a section describing unique parameters for
connections, drivers, the volume_backend_name, and the name of the EMC-specific configuration file
containing additional settings. Note that the file name is in the format
/etc/cinder/cinder_emc_config_[confGroup].xml.
Once the cinder.conf and EMC-specific configuration files have been created, cinder commands
need to be issued in order to create and associate OpenStack volume types with the declared
volume_backend_names:
$ cinder type-create VMAX_ISCSI
$ cinder type-key VMAX_ISCSI set volume_backend_name=ISCSI_backend
$ cinder type-create VMAX_FC
$ cinder type-key VMAX_FC set volume_backend_name=FC_backend
By issuing these commands, the Block Storage volume type VMAX_ISCSI is associated with the
ISCSI_backend, and the type VMAX_FC is associated with the FC_backend.
Restart the cinder-volume service.
2.1.5.3.3. cinder_emc_config_CONF_GROUP_ISCSI.xml configuration file
Create the /etc/cinder/cinder_emc_config_CONF_GROUP_ISCSI.xml file. You do not need
to restart the service for this change.
Add the following lines to the XML file:
<?xml version="1.0" encoding="UTF-8" ?>
<EMC>
<EcomServerIp>1.1.1.1</EcomServerIp>
<EcomServerPort>00</EcomServerPort>
<EcomUserName>user1</EcomUserName>
<EcomPassword>password1</EcomPassword>
<PortGroups>
<PortGroup>OS-PORTGROUP1-PG</PortGroup>
<PortGroup>OS-PORTGROUP2-PG</PortGroup>
</PortGroups>
<Array>111111111111</Array>
<Pool>FC_GOLD1</Pool>
<FastPolicy>GOLD1</FastPolicy>
</EMC>
Where:
EcomServerIp and EcomServerPort are the IP address and port number of the ECOM
server which is packaged with SMI-S.
EcomUserName and EcomPassword are credentials for the ECOM server.
PortGroups supplies the names of VMAX port groups that have been pre-configured to
expose volumes managed by this backend. Each supplied port group should have sufficient
number and distribution of ports (across directors and switches) as to ensure adequate
bandwidth and failure protection for the volume connections. PortGroups can contain one or
more port groups of either iSCSI or FC ports. When a dynamic masking view is created by the
VMAX driver, the port group is chosen randomly from the PortGroup list, to evenly distribute
load across the set of groups provided. Make sure that the PortGroups set contains either all
FC or all iSCSI port groups (for a given backend), as appropriate for the configured driver
(iSCSI or FC).
The Array tag holds the unique VMAX array serial number.
The Pool tag holds the unique pool name within a given array. For backends not using FAST
automated tiering, the pool is a single pool that has been created by the administrator. For
backends exposing FAST policy automated tiering, the pool is the bind pool to be used with the
FAST policy.
The FastPolicy tag conveys the name of the FAST Policy to be used. By including this tag,
volumes managed by this backend are treated as under FAST control. Omitting the
FastPolicy tag means FAST is not enabled on the provided storage pool.
2.1.5.3.4. FC Zoning with VMAX
Zone Manager is recommended when using the VMAX FC driver, especially for larger configurations
where pre-zoning would be too complex and open-zoning would raise security concerns.
2.1.5.3.5. iSCSI with VMAX
Make sure the iscsi-initiator-utils package is installed on the host (use apt-get, zypper, or yum,
depending on the Linux flavor).
Verify that the host is able to ping the VMAX iSCSI target ports.
2.1.5.4. VMAX masking view and group naming info
Masking view names
Masking views are dynamically created by the VMAX FC and iSCSI drivers using the following naming
conventions:
OS-[shortHostName][poolName]-I-MV (for Masking Views using iSCSI)
OS-[shortHostName][poolName]-F-MV (for Masking Views using FC)
Initiator group names
For each host that is attached to VMAX volumes using the drivers, an initiator group is created or reused (per attachment type). All initiators of the appropriate type known for that host are included in
the group. At each new attach volume operation, the VMAX driver retrieves the initiators (either
WWNNs or IQNs) from OpenStack and adds or updates the contents of the Initiator Group as required.
Names are of the following format:
OS-[shortHostName]-I-IG (for iSCSI initiators)
OS-[shortHostName]-F-IG (for Fibre Channel initiators)
NOTE
Hosts attaching to VMAX storage managed by the OpenStack environment cannot also
be attached to storage on the same VMAX not being managed by OpenStack. This is due
to limitations on VMAX Initiator Group membership.
FA port groups
VMAX array FA ports to be used in a new masking view are chosen from the list provided in the EMC
configuration file.
Storage group names
As volumes are attached to a host, they are either added to an existing storage group (if it exists) or a
new storage group is created and the volume is then added. Storage groups contain volumes created
from a pool (either single-pool or FAST-controlled), attached to a single host, over a single connection
type (iSCSI or FC). Names are formed as follows:
OS-[shortHostName][poolName]-I-SG (attached over iSCSI)
OS-[shortHostName][poolName]-F-SG (attached over Fibre Channel)
2.1.5.5. Concatenated or striped volumes
In order to support later expansion of created volumes, the VMAX Block Storage drivers create
concatenated volumes as the default layout. If later expansion is not required, users can opt to create
striped volumes in order to optimize I/O performance.
Below is an example of how to create striped volumes. First, create a volume type. Then define the
extra spec for the volume type storagetype:stripecount representing the number of meta
members in the striped volume. The example below means that each volume created under the
GoldStriped volume type will be striped and made up of 4 meta members.
$ cinder type-create GoldStriped
$ cinder type-key GoldStriped set volume_backend_name=GOLD_BACKEND
$ cinder type-key GoldStriped set storagetype:stripecount=4
2.1.6. EMC VNX driver
The EMC VNX driver consists of EMCCLIISCSIDriver and EMCCLIFCDriver, and supports both the iSCSI
and FC protocols. EMCCLIISCSIDriver (VNX iSCSI driver) and EMCCLIFCDriver (VNX FC driver) are
based on the ISCSIDriver and FCDriver defined in Block Storage, respectively.
2.1.6.1. Overview
The VNX iSCSI driver and VNX FC driver perform the volume operations by executing Navisphere CLI
(NaviSecCLI) which is a command line interface used for management, diagnostics, and reporting
functions for VNX.
2.1.6.1.1. System requirements
VNX Operational Environment for Block version 5.32 or higher.
VNX Snapshot and Thin Provisioning license should be activated for VNX.
Navisphere CLI v7.32 or higher is installed along with the driver.
2.1.6.1.2. Supported operations
Create, delete, attach, and detach volumes.
Create, list, and delete volume snapshots.
Create a volume from a snapshot.
Copy an image to a volume.
Clone a volume.
Extend a volume.
Migrate a volume.
Retype a volume.
Get volume statistics.
Create and delete consistency groups.
Create, list, and delete consistency group snapshots.
Modify consistency groups.
Efficient non-disruptive volume backup.
2.1.6.2. Preparation
This section contains instructions to prepare the Block Storage nodes to use the EMC VNX driver. You
install the Navisphere CLI, install the driver, ensure you have correct zoning configurations, and
register the driver.
2.1.6.2.1. Install Navisphere CLI
Navisphere CLI needs to be installed on all Block Storage nodes within an OpenStack deployment. You
need to download different versions for different platforms.
For all other variants of Linux, Navisphere CLI is available at Downloads for VNX2 Series or
Downloads for VNX1 Series.
After installation, set the security level of Navisphere CLI to low:
$ /opt/Navisphere/bin/naviseccli security -certificate -setLevel low
2.1.6.2.2. Check array software
Make sure you have the following software installed for the features you use.
Table 2.5. Required software
Feature | Software Required
All | ThinProvisioning
All | VNXSnapshots
FAST cache support | FASTCache
Create volume with type compressed | Compression
Create volume with type deduplicated | Deduplication
2.1.6.2.3. Install EMC VNX driver
Both EMCCLIISCSIDriver and EMCCLIFCDriver are included in the Block Storage installer
package:
emc_vnx_cli.py
emc_cli_fc.py (for EMCCLIFCDriver)
emc_cli_iscsi.py (for EMCCLIISCSIDriver)
2.1.6.2.4. Network configuration
For the FC driver, make sure FC zoning is properly configured between the hosts and the VNX. Check
Section 2.1.6.8.2, “Register FC port with VNX” for reference.
For the iSCSI driver, make sure your VNX iSCSI port is accessible by your hosts. Check Section 2.1.6.8.3,
“Register iSCSI port with VNX” for reference.
You can use the initiator_auto_registration=True configuration to avoid registering the ports
manually. For details of this configuration, see Section 2.1.6.3, “Backend configuration”.
To set up multipath, see Section 2.1.6.6.1, “Multipath setup”.
2.1.6.3. Backend configuration
Make the following changes in /etc/cinder/cinder.conf file:
NOTE
Changes to your configuration won't take effect until you restart your cinder service.
2.1.6.3.1. Minimum configuration
Here is a sample of a minimum backend configuration. See the following sections for the details of each
option. Replace EMCCLIFCDriver with EMCCLIISCSIDriver if you are using the iSCSI driver.
[DEFAULT]
enabled_backends = vnx_array1
[vnx_array1]
san_ip = 10.10.72.41
san_login = sysadmin
san_password = sysadmin
naviseccli_path = /opt/Navisphere/bin/naviseccli
volume_driver=cinder.volume.drivers.emc.emc_cli_fc.EMCCLIFCDriver
initiator_auto_registration=True
2.1.6.3.2. Multi-backend configuration
Here is a sample of a multi-backend configuration. See the following sections for the details of each
option. Replace EMCCLIFCDriver with EMCCLIISCSIDriver if you are using the iSCSI driver.
[DEFAULT]
enabled_backends=backendA, backendB
[backendA]
storage_vnx_pool_names = Pool_01_SAS, Pool_02_FLASH
san_ip = 10.10.72.41
storage_vnx_security_file_dir = /etc/secfile/array1
naviseccli_path = /opt/Navisphere/bin/naviseccli
volume_driver=cinder.volume.drivers.emc.emc_cli_fc.EMCCLIFCDriver
initiator_auto_registration=True
[backendB]
storage_vnx_pool_names = Pool_02_SAS
san_ip = 10.10.26.101
san_login = username
san_password = password
naviseccli_path = /opt/Navisphere/bin/naviseccli
volume_driver=cinder.volume.drivers.emc.emc_cli_fc.EMCCLIFCDriver
initiator_auto_registration=True
For more details on multi-backends, see the OpenStack Cloud Administration Guide.
2.1.6.3.3. Required configurations
2.1.6.3.3.1. IP of the VNX Storage Processors
Specify the IP addresses of SP A and SP B to connect to.
san_ip = <IP of VNX Storage Processor A>
san_secondary_ip = <IP of VNX Storage Processor B>
2.1.6.3.3.2. VNX login credentials
There are two ways to specify the credentials.
Use a plain text username and password
Supply the plain text username and password as below:
san_login = <VNX account with administrator role>
san_password = <password for VNX account>
storage_vnx_authentication_type = global
Valid values for storage_vnx_authentication_type are: global (default), local, and ldap.
Use a security file
This approach avoids the plain text password in your cinder configuration file. Supply a security file as
below:
storage_vnx_security_file_dir=<path to security file>
Check the Unisphere CLI user guide or Section 2.1.6.8.1, “Authenticate by security file” for how to
create a security file.
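The credential and certificate settings described on this page can be checked mechanically. The following added example (not part of the original document or of Cinder) audits the enabled back ends of a cinder.conf for plain text san_password values, VNX back ends that do not use storage_vnx_security_file_dir, and Dell Storage Center or ScaleIO back ends that leave dell_sc_verify_cert or sio_verify_server_certificate at False. The sample configuration, the certificate path in it, and the finding codes are constructed for illustration.

```python
import configparser
import stat

# Certificate-verification options from Tables 2.3 and 2.4 on this page.
# Both default to False, so an absent option counts as "verification off".
CERT_OPTIONS = {
    "dell_storagecenter": "dell_sc_verify_cert",
    "scaleio": "sio_verify_server_certificate",
}
# Module names of the VNX drivers, which accept a security file instead
# of san_login/san_password.
VNX_DRIVERS = ("emc_cli_fc", "emc_cli_iscsi")

# Constructed sample, modelled on the back-end sections shown on this page.
SAMPLE_CONF = """\
[DEFAULT]
enabled_backends = delliscsi, scaleio, backendA, backendB

[delliscsi]
volume_driver = cinder.volume.drivers.dell.dell_storagecenter_iscsi.DellStorageCenterISCSIDriver
san_ip = 172.23.8.101
san_login = Admin
san_password = secret

[scaleio]
volume_driver = cinder.volume.drivers.emc.scaleio.ScaleIODriver
san_login = SIO_USER
san_password = SIO_PASSWD
sio_verify_server_certificate = True
sio_server_certificate_path = /etc/cinder/scaleio-gateway.pem

[backendA]
volume_driver=cinder.volume.drivers.emc.emc_cli_fc.EMCCLIFCDriver
storage_vnx_security_file_dir = /etc/secfile/array1

[backendB]
volume_driver=cinder.volume.drivers.emc.emc_cli_fc.EMCCLIFCDriver
san_login = username
san_password = password
"""


def _as_bool(value):
    return str(value).strip().lower() in ("true", "1", "yes", "on")


def audit_backends(conf_text):
    """Return sorted (section, code) findings for every enabled back end."""
    # default_section is renamed so [DEFAULT] values are not copied into the
    # back-end sections; interpolation is off because passwords may hold '%'.
    cfg = configparser.ConfigParser(
        default_section="__unused__", interpolation=None, strict=False)
    cfg.read_string(conf_text)

    enabled = []
    if cfg.has_section("DEFAULT"):
        raw = cfg["DEFAULT"].get("enabled_backends", "")
        enabled = [name.strip() for name in raw.split(",") if name.strip()]

    findings = []
    for name in enabled:
        if not cfg.has_section(name):
            findings.append((name, "MISSING_SECTION"))
            continue
        section = cfg[name]
        driver = section.get("volume_driver", "")

        # Any non-empty san_password is stored in clear text in the file.
        if section.get("san_password", "").strip():
            findings.append((name, "PLAINTEXT_PASSWORD"))
            uses_vnx = any(module in driver for module in VNX_DRIVERS)
            if uses_vnx and not section.get("storage_vnx_security_file_dir"):
                findings.append((name, "VNX_SECURITY_FILE_NOT_USED"))

        # Dell Storage Center and ScaleIO: verification is off unless set.
        for marker, option in CERT_OPTIONS.items():
            if marker in driver and not _as_bool(section.get(option, "False")):
                findings.append((name, "CERT_VERIFY_OFF:" + option))
    return sorted(findings)


def mode_too_open(st_mode):
    """True when 'other' users have any access to the file (e.g. 0644)."""
    return bool(stat.S_IMODE(st_mode) & stat.S_IRWXO)


if __name__ == "__main__":
    for section, code in audit_backends(SAMPLE_CONF):
        print("%-10s %s" % (section, code))
```

To audit a live node, pass the text of /etc/cinder/cinder.conf to audit_backends() and the st_mode from os.stat() on that file to mode_too_open().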
2.1.6.3.3.3. Path to your Unisphere CLI
Specify the absolute path to your naviseccli.
naviseccli_path = /opt/Navisphere/bin/naviseccli
2.1.6.3.3.4. Driver name
For the FC Driver, add the following option:
volume_driver=cinder.volume.drivers.emc.emc_cli_fc.EMCCLIFCDriver
For the iSCSI Driver, add the following option:
volume_driver=cinder.volume.drivers.emc.emc_cli_iscsi.EMCCLIISCSIDriver
2.1.6.3.4. Optional configurations
2.1.6.3.4.1. VNX pool names
Specify the list of pools to be managed, separated by ','. They should already exist in VNX.
storage_vnx_pool_names = pool 1, pool 2
If this value is not specified, all pools of the array will be used.
2.1.6.3.4.2. Initiator auto registration
When initiator_auto_registration=True, the driver automatically registers initiators to all
working target ports of the VNX array during volume attaching if the option io_port_list is not
specified in cinder.conf. The driver skips initiators that have already been registered.
If the user wants to register the initiators with some specific ports but not with the other
ports, this functionality should be disabled.
When a comma-separated list is given to io_port_list, the driver will only register the initiator to
the ports specified in the list and only return target port(s) which belong to the target ports in the
io_port_list instead of all target ports.
Example for FC ports:
io_port_list=a-1,B-3
a or B is the Storage Processor; the numbers 1 and 3 are Port IDs.
Example for iSCSI ports:
io_port_list=a-1-0,B-3-0
a or B is the Storage Processor; the first numbers 1 and 3 are Port IDs and the second number 0 is
the Virtual Port ID.
NOTE
Ports that are already registered are not deregistered; they are simply bypassed,
whether or not they are in io_port_list.
The driver raises an exception during startup if ports in io_port_list do not exist in
VNX.
2.1.6.3.4.3. Force delete volumes in storage group
Some available volumes may remain in a storage group on the VNX array because of an OpenStack
timeout issue, but the VNX array does not allow the user to delete volumes that are in a storage
group. The force_delete_lun_in_storagegroup option allows the user to delete the
available volumes in this situation.
When force_delete_lun_in_storagegroup=True is set in the back-end section, the driver moves
the volumes out of their storage groups and then deletes them if the user tries to delete volumes that
remain in a storage group on the VNX array.
The default value of force_delete_lun_in_storagegroup is False.
2.1.6.3.4.4. Over subscription in thin provisioning
Over subscription allows the sum of all volumes' capacity (provisioned capacity) to be larger than
the pool's total capacity.
max_over_subscription_ratio in the back-end section is the ratio of provisioned capacity over
total capacity.
The default value of max_over_subscription_ratio is 20.0, which means the provisioned capacity
cannot exceed the total capacity. If the value of this ratio is set larger than 1.0, the provisioned
capacity can exceed the total capacity.
2.1.6.3.4.5. Storage group automatic deletion
For volume attaching, the driver has a storage group on VNX for each compute node hosting the VM
instances that consume VNX Block Storage (using the compute node's host name as the storage
group's name). All the volumes attached to the VM instances in a compute node are put into the
storage group. If destroy_empty_storage_group=True, the driver removes the empty storage
group after its last volume is detached. For data safety, setting
destroy_empty_storage_group=True is not recommended unless the VNX is exclusively managed by
one Block Storage node, because a consistent lock_path is required for operation synchronization
for this behavior.
2.1.6.3.4.6. Initiator auto deregistration
Enabling storage group automatic deletion is the precondition of this function. If
initiator_auto_deregistration=True is set, the driver will deregister all the initiators of the
host after its storage group is deleted.
2.1.6.3.4.7. FC SAN auto zoning
The EMC VNX FC driver supports FC SAN auto zoning when ZoneManager is configured. Set
zoning_mode to fabric in the DEFAULT section to enable this feature. For ZoneManager configuration,
refer to the Block Storage official guide.
2.1.6.3.4.8. Volume number threshold
In VNX, there is a limitation on the number of pool volumes that can be created in the system. When the
limitation is reached, no more pool volumes can be created even if there is remaining capacity in the
storage pool. In other words, if the scheduler dispatches a volume creation request to a back end that
has free capacity but reaches the volume limitation, the creation fails.
The default value of check_max_pool_luns_threshold is False. When
check_max_pool_luns_threshold=True, the pool-based back end will check the limit and will
report 0 free capacity to the scheduler if the limit is reached. So the scheduler will be able to skip this
kind of pool-based back end that runs out of the pool volume number.
2.1.6.3.4.9. iSCSI initiators
iscsi_initiators is a dictionary of IP addresses of the iSCSI initiator ports on OpenStack
Nova/Cinder nodes which want to connect to VNX via iSCSI. If this option is configured, the driver will
leverage this information to find an accessible iSCSI target portal for the initiator when attaching a
volume. Otherwise, the iSCSI target portal will be chosen in a relatively random way.
This option is only valid for iSCSI driver.
Here is an example. VNX will connect host1 with 10.0.0.1 and 10.0.0.2. And it will connect host2
with 10.0.0.3.
The key name (like host1 in the example) should be the output of command hostname.
iscsi_initiators = {"host1":["10.0.0.1", "10.0.0.2"],"host2":["10.0.0.3"]}
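The io_port_list and iscsi_initiators values described above are easy to mistype, and the driver only reports a bad io_port_list at startup. The following added example (not part of the original document or of the VNX driver) validates both values before they are written to cinder.conf. It assumes the formats shown in the examples on this page, treats the Storage Processor letter as case-insensitive, and assumes the iscsi_initiators value is JSON-compatible as in the example above; the function names are hypothetical.

```python
import ipaddress
import json
import re

# Entry formats taken from the examples on this page:
#   FC:    <SP>-<Port ID>                    e.g. a-1,B-3
#   iSCSI: <SP>-<Port ID>-<Virtual Port ID>  e.g. a-1-0,B-3-0
_PORT_PATTERNS = {
    "fc": re.compile(r"([A-Za-z])-(\d+)"),
    "iscsi": re.compile(r"([A-Za-z])-(\d+)-(\d+)"),
}


def parse_io_port_list(value, protocol):
    """Return [(sp, port_id[, vport_id]), ...] or raise ValueError."""
    pattern = _PORT_PATTERNS[protocol]
    ports = []
    for item in value.split(","):
        item = item.strip()
        match = pattern.fullmatch(item)
        if match is None:
            raise ValueError("%r is not a valid %s port entry" % (item, protocol))
        # Assumption: SP letters are case-insensitive (the page mixes a and B).
        sp = match.group(1).upper()
        if sp not in ("A", "B"):
            raise ValueError("%r names an unknown Storage Processor" % item)
        ports.append((sp,) + tuple(int(n) for n in match.groups()[1:]))
    return ports


def parse_iscsi_initiators(value):
    """Return {hostname: [ip, ...]} or raise ValueError on malformed input."""
    try:
        data = json.loads(value)
    except ValueError as exc:
        raise ValueError("iscsi_initiators is not a dictionary: %s" % exc)
    if not isinstance(data, dict):
        raise ValueError("iscsi_initiators must map host names to IP lists")
    result = {}
    for host, addresses in data.items():
        if not isinstance(addresses, list) or not addresses:
            raise ValueError("%s: expected a non-empty list of IPs" % host)
        checked = []
        for address in addresses:
            # ip_address() also accepts integers, so insist on strings.
            if not isinstance(address, str):
                raise ValueError("%s: %r is not an IP string" % (host, address))
            checked.append(str(ipaddress.ip_address(address)))
        result[host] = checked
    return result


def hosts_without_initiators(initiators, hostnames):
    """Hosts (as printed by `hostname`) that have no iscsi_initiators entry."""
    return sorted(set(hostnames) - set(initiators))


if __name__ == "__main__":
    print(parse_io_port_list("a-1,B-3", "fc"))
    print(parse_io_port_list("a-1-0,B-3-0", "iscsi"))
    sample = '{"host1":["10.0.0.1", "10.0.0.2"],"host2":["10.0.0.3"]}'
    print(parse_iscsi_initiators(sample))
```

Hosts returned by hosts_without_initiators() are the ones for which the driver falls back to choosing the iSCSI target portal itself.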
2.1.6.3.4.10. Default timeout
Specify the timeout (in minutes) for operations like LUN migration, LUN creation, etc. For example, LUN
migration is a typical long-running operation, which depends on the LUN size and the load of the array.
An upper bound in the specific deployment can be set to avoid an unnecessarily long wait.
The default value for this option is infinite.
Example:
default_timeout = 10
2.1.6.3.4.11. Max LUNs per storage group
max_luns_per_storage_group specifies the maximum number of LUNs in a storage group. The default value is
255. It is also the maximum value supported by VNX.
2.1.6.3.4.12. Ignore pool full threshold
If ignore_pool_full_threshold is set to True, the driver will force LUN creation even if the full
threshold of the pool is reached. The default is False.
2.1.6.4. Extra spec options
Extra specs are used in volume types created in cinder as the preferred property of the volume.
The Block storage scheduler will use extra specs to find the suitable back end for the volume and the
Block storage driver will create the volume based on the properties specified by the extra spec.
Use the following command to create a volume type:
$ cinder type-create "demoVolumeType"
Use the following command to update the extra spec of a volume type:
$ cinder type-key "demoVolumeType" set provisioning:type=thin
Volume types can also be configured in OpenStack Horizon.
The VNX driver defines several extra specs. They are introduced below:
2.1.6.4.1. Provisioning type
Key: provisioning:type
Possible Values:
thick
Volume is fully provisioned.
Example 2.5. Creating a thick volume type:
$ cinder type-create "ThickVolumeType"
$ cinder type-key "ThickVolumeType" set provisioning:type=thick thick_provisioning_support='<is> True'
thin
Volume is virtually provisioned
Example 2.6. Creating a thin volume type:
$ cinder type-create "ThinVolumeType"
$ cinder type-key "ThinVolumeType" set provisioning:type=thin thin_provisioning_support='<is> True'
deduplicated
Volume is thin and deduplication is enabled. The administrator shall go to VNX to configure
the system level deduplication settings. To create a deduplicated volume, the VNX
Deduplication license must be activated on VNX, and deduplication_support=True must be
specified to let the Block Storage scheduler find the proper volume back end.
Example 2.7. Creating a deduplicated volume type:
$ cinder type-create "DeduplicatedVolumeType"
$ cinder type-key "DeduplicatedVolumeType" set provisioning:type=deduplicated deduplication_support='<is> True'
compressed
Volume is thin and compression is enabled. The administrator shall go to the VNX to
configure the system level compression settings. To create a compressed volume, the VNX
Compression license must be activated on VNX, and compression_support=True must be used to let
the Block Storage scheduler find a volume back end. VNX does not support creating snapshots on a
compressed volume.
Example 2.8. Creating a compressed volume type:
$ cinder type-create "CompressedVolumeType"
$ cinder type-key "CompressedVolumeType" set provisioning:type=compressed compression_support='<is> True'
Default: thick
NOTE
provisioning:type replaces the old spec key storagetype:provisioning. The
latter one will be obsoleted in the next release. If both provisioning:type and
storagetype:provisioning are set in the volume type, the value of
provisioning:type will be used.
2.1.6.4.2. Storage tiering support
Key: storagetype:tiering
Possible Values:
StartHighThenAuto
Auto
HighestAvailable
LowestAvailable
NoMovement
Default: StartHighThenAuto
VNX supports fully automated storage tiering which requires the FAST license activated on the VNX.
The OpenStack administrator can use the extra spec key storagetype:tiering to set the tiering
policy of a volume and use the key fast_support='<is> True' to let Block Storage scheduler find
a volume back end which manages a VNX with FAST license activated. Here are the five supported
values for the extra spec key storagetype:tiering:
Example 2.9. Creating a volume type with a tiering policy:
$ cinder type-create "ThinVolumeOnLowestAvaibleTier"
$ cinder type-key "ThinVolumeOnLowestAvaibleTier" set provisioning:type=thin storagetype:tiering=Auto fast_support='<is> True'
NOTE
Tiering policy cannot be applied to a deduplicated volume. The tiering policy of a
deduplicated LUN aligns with the settings of the pool.
2.1.6.4.3. FAST cache support
Key: fast_cache_enabled
Possible Values:
True
False
Default: False
VNX has a FAST Cache feature, which requires the FAST Cache license to be activated on the VNX. The volume will
be created on the back end with FAST Cache enabled when True is specified.
2.1.6.4.4. Snap-copy
Key: copytype:snap
Possible Values:
True
False
Default: False
The VNX driver supports snap-copy, which greatly accelerates the process of creating a copied
volume.
By default, the driver will do a full data copy when creating a volume from a snapshot or cloning a
volume, which is time-consuming, especially for large volumes. When snap-copy is used, the driver
will simply create a snapshot and mount it as a volume for these two kinds of operations, which will be
instant even for large volumes.
To enable this functionality, the source volume should have copytype:snap=True in the extra specs
of its volume type. Then the new volume cloned from the source, or copied from a snapshot of the
source, will in fact be a snap-copy instead of a full copy. If a full copy is needed, retype/migration can
be used to convert the snap-copy volume to a full-copy volume, which may be time-consuming.
$ cinder type-create "SnapCopy"
$ cinder type-key "SnapCopy" set copytype:snap=True
Users can determine whether a volume is a snap-copy volume by showing its metadata. If the
'lun_type' in the metadata is 'smp', the volume is a snap-copy volume. Otherwise, it is a full-copy volume.
$ cinder metadata-show <volume>
Constraints:
copytype:snap=True is not allowed in the volume type of a consistency group.
Clone and snapshot creation are not allowed on a copied volume created through snap-copy before it is converted to a full copy.
The number of snap-copy volumes created from a source volume is limited to 255 at one point
in time.
A source volume which has snap-copy volumes cannot be deleted.
2.1.6.4.5. Pool name
Key: pool_name
Possible Values: name of the storage pool managed by cinder
Default: None
If the user wants to create a volume on a certain storage pool in a back end that manages multiple
pools, a volume type with an extra spec that specifies the storage pool should be created first. The user can
then use this volume type to create the volume.
Example 2.10. Creating the volume type:
$ cinder type-create "HighPerf"
$ cinder type-key "HighPerf" set pool_name=Pool_02_SASFLASH volume_backend_name=vnx_41
2.1.6.4.6. Obsoleted extra specs in Mitaka
Avoid using the following extra spec keys.
storagetype:provisioning
storagetype:pool
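The rules stated across Section 2.1.6.4 can be checked before a volume type is created. The following is an added example, not code from the VNX driver or from this guide: lint_extra_specs and its in_consistency_group parameter are hypothetical names, and the dictionaries passed to it stand for the key=value pairs given to cinder type-key.

```python
# Added example: lint a VNX volume type's extra specs against Section 2.1.6.4.
PROVISIONING_TYPES = ("thick", "thin", "deduplicated", "compressed")
TIERING_POLICIES = ("StartHighThenAuto", "Auto", "HighestAvailable",
                    "LowestAvailable", "NoMovement")
BOOLEAN_KEYS = ("fast_cache_enabled", "copytype:snap")
OBSOLETE_KEYS = ("storagetype:provisioning", "storagetype:pool")
# Capability the scheduler needs in order to find a suitable back end.
SCHEDULER_HINT = {"deduplicated": "deduplication_support",
                  "compressed": "compression_support"}


def _enabled(specs, key):
    """True for 'True' or for the scheduler form '<is> True'."""
    return specs.get(key, "").strip().lower().endswith("true")


def lint_extra_specs(specs, in_consistency_group=False):
    """Return a list of problems found in one volume type's extra specs."""
    problems = []
    for key in OBSOLETE_KEYS:
        if key in specs:
            problems.append("%s is obsolete" % key)

    provisioning = specs.get("provisioning:type", "thick")  # documented default
    if provisioning not in PROVISIONING_TYPES:
        problems.append("provisioning:type=%s is not supported" % provisioning)
    hint = SCHEDULER_HINT.get(provisioning)
    if hint and not _enabled(specs, hint):
        problems.append("%s volume type should set %s='<is> True'"
                        % (provisioning, hint))

    tiering = specs.get("storagetype:tiering")
    if tiering is not None:
        if tiering not in TIERING_POLICIES:
            problems.append("storagetype:tiering=%s is not supported" % tiering)
        if provisioning == "deduplicated":
            problems.append("tiering policy cannot be applied to a "
                            "deduplicated volume")
        if not _enabled(specs, "fast_support"):
            problems.append("storagetype:tiering should be paired with "
                            "fast_support='<is> True'")

    for key in BOOLEAN_KEYS:
        if key in specs and specs[key] not in ("True", "False"):
            problems.append("%s must be True or False" % key)
    if in_consistency_group and _enabled(specs, "copytype:snap"):
        problems.append("copytype:snap=True is not allowed in the volume "
                        "type of a consistency group")
    return problems


if __name__ == "__main__":
    # Constructed input: deduplicated type that also asks for a tiering policy.
    for problem in lint_extra_specs({
            "provisioning:type": "deduplicated",
            "deduplication_support": "<is> True",
            "storagetype:tiering": "Auto",
            "fast_support": "<is> True"}):
        print(problem)
```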
2.1.6.5. Advanced features
2.1.6.5.1. Read-only volumes
OpenStack supports read-only volumes. The following command can be used to set a volume as read-only.
$ cinder readonly-mode-update <volume> True
After a volume is marked as read-only, the driver will forward the information when a hypervisor is
attaching the volume and the hypervisor will make sure the volume is read-only.
2.1.6.5.2. Efficient non-disruptive volume backup
The default implementation in Cinder for non-disruptive volume backup is not efficient since a cloned
volume will be created during backup.
The approach of efficient backup is to create a snapshot for the volume and connect this snapshot (a
mount point in VNX) to the Cinder host for volume backup. This eliminates migration time involved in
volume clone.
Constraints:
Backup creation for a snap-copy volume is not allowed if the volume status is in-use, since
a snapshot cannot be taken from this volume.
2.1.6.6. Best practice
2.1.6.6.1. Multipath setup
Enabling multipath volume access is recommended for robust data access. The major configuration
includes:
Install multipath-tools, sysfsutils and sg3-utils on nodes hosting Nova-Compute
and Cinder-Volume services. (Check the operating system manual for the system distribution
for specific installation steps. For Red Hat based distributions, they should be device-mapper-multipath, sysfsutils and sg3_utils.)
Specify use_multipath_for_image_xfer=true in cinder.conf for each FC/iSCSI back end.
Specify iscsi_use_multipath=True in the libvirt section of nova.conf. This option is valid
for both the iSCSI and FC drivers.
For multipath-tools, here is an EMC recommended sample of /etc/multipath.conf.
user_friendly_names is not specified in the configuration and thus it will take the default value no.
It is NOT recommended to set it to yes because it may cause operations such as VM live migration to fail.
blacklist {
    # Skip the files under /dev that are definitely not FC/iSCSI devices
    # Different system may need different customization
    devnode "^(ram|raw|loop|fd|md|dm-|sr|scd|st)[0-9]*"
    devnode "^hd[a-z][0-9]*"
    devnode "^cciss!c[0-9]d[0-9]*[p[0-9]*]"
    # Skip LUNZ device from VNX
    device {
        vendor "DGC"
        product "LUNZ"
    }
}
defaults {
    user_friendly_names no
    flush_on_last_del yes
}
devices {
    # Device attributed for EMC CLARiiON and VNX series ALUA
    device {
        vendor "DGC"
        product ".*"
        product_blacklist "LUNZ"
        path_grouping_policy group_by_prio
        path_selector "round-robin 0"
        path_checker emc_clariion
        features "1 queue_if_no_path"
        hardware_handler "1 alua"
        prio alua
        failback immediate
    }
}
NOTE
When multipath is used in OpenStack, multipath faulty devices may come out in Nova-Compute nodes due to different issues (Bug 1336683 is a typical example).
A solution to completely avoid faulty devices has not been found yet. faulty_device_cleanup.py
mitigates this issue when VNX iSCSI storage is used. Cloud administrators can deploy the script in all
Nova-Compute nodes and use a CRON job to run the script on each Nova-Compute node periodically so
that faulty devices will not stay too long. See VNX faulty device cleanup for detailed usage and the
script.
2.1.6.7. Restrictions and limitations
2.1.6.7.1. iSCSI port cache
The EMC VNX iSCSI driver caches the iSCSI ports information, so the user should restart the cinder-volume
service or wait for the number of seconds configured by periodic_interval in cinder.conf
before any volume attachment operation after changing the iSCSI port configurations. Otherwise the
attachment may fail because the old iSCSI port configurations were used.
2.1.6.7.2. No extending for volume with snapshots
VNX does not support extending the thick volume which has a snapshot. If the user tries to extend a
volume which has a snapshot, the status of the volume would change to error_extending.
2.1.6.7.3. Limitations for deploying cinder on compute node
It is not recommended to deploy the driver on a compute node if cinder upload-to-image --force True
is used against an in-use volume. Otherwise, cinder upload-to-image --force
True will terminate the data access of the VM instance to the volume.
2.1.6.7.4. Storage group with host names in VNX
When the driver notices that there is no existing storage group that has the host name as the storage
group name, it will create the storage group and also add the compute node's or Block Storage nodes'
registered initiators into the storage group.
If the driver notices that the storage group already exists, it will assume that the registered initiators
have also been put into it and skip the operations above for better performance.
It is recommended that the storage administrator does not create the storage group manually and
instead relies on the driver for the preparation. If the storage administrator needs to create the
storage group manually for some special requirements, the correct registered initiators should be put
into the storage group as well (otherwise the following volume attaching operations will fail).
2.1.6.7.5. EMC storage-assisted volume migration
The EMC VNX driver supports storage-assisted volume migration. When the user starts migrating with
cinder migrate --force-host-copy False <volume_id> <host> or cinder migrate
<volume_id> <host>, cinder will try to leverage the VNX's native volume migration functionality.
In the following scenarios, VNX storage-assisted volume migration will not be triggered:
1. Volume migration between back ends with different storage protocols, for example, FC and iSCSI.
2. Volume is to be migrated across arrays.
2.1.6.8. Appendix
2.1.6.8.1. Authenticate by security file
VNX credentials are necessary when the driver connects to the VNX system. Credentials in global,
local and ldap scopes are supported. There are two approaches to provide the credentials:
The recommended one is using the Navisphere CLI security file to provide the credentials, which
avoids putting plain text credentials in the configuration file. The instructions for
doing this follow.
1. Find out the Linux user id of the cinder-volume processes. The following steps assume that the cinder-volume service runs under the account cinder.
2. Run su as root user.
3. In /etc/passwd, change cinder:x:113:120::/var/lib/cinder:/bin/false to
cinder:x:113:120::/var/lib/cinder:/bin/bash (This temporary change is to make
step 4 work.)
4. Save the credentials on behalf of the cinder user to a security file (assuming the array
credentials are admin/admin in global scope). In the command below, the -secfilepath
switch is used to specify the location to save the security file.
# su -l cinder -c '/opt/Navisphere/bin/naviseccli -AddUserSecurity -user admin -password admin -scope 0 -secfilepath <location>'
5. Change cinder:x:113:120::/var/lib/cinder:/bin/bash back to
cinder:x:113:120::/var/lib/cinder:/bin/false in /etc/passwd
6. Remove the credentials options san_login, san_password and
storage_vnx_authentication_type from cinder.conf (normally
/etc/cinder/cinder.conf). Add option storage_vnx_security_file_dir and set its
value to the directory path of your security file generated in step 4. Omit this option if -secfilepath is not used in step 4.
7. Restart the cinder-volume service to validate the change.
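Steps 5 and 6 are the ones that leave a weakness behind if they are skipped: a cinder service account with a login shell, or array credentials still in plain text next to the security file setting. The following check is an added example, not part of the original guide or of the driver; the function names, the sample file contents and the /etc/secfile/array1 path are constructed for illustration.

```python
# Added example: verify steps 5 and 6 of the security-file procedure.
import configparser

# Options that step 6 removes once the security file is in use.
PLAINTEXT_OPTIONS = ("san_login", "san_password",
                     "storage_vnx_authentication_type")
SECFILE_OPTION = "storage_vnx_security_file_dir"
NON_LOGIN_SHELLS = ("/bin/false", "/sbin/nologin", "/usr/sbin/nologin")

# Constructed sample: a VNX back end that kept its plain text credentials,
# and another back end that legitimately uses san_login/san_password.
SAMPLE_CINDER_CONF = """\
[DEFAULT]
enabled_backends = vnx_41, XtremIO

[vnx_41]
storage_vnx_security_file_dir = /etc/secfile/array1
san_login = admin
san_password = admin
volume_backend_name = vnx_41

[XtremIO]
san_login = XMS_USER
san_password = XMS_PASSWD
"""

# Constructed sample: step 5 was never carried out.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
cinder:x:113:120::/var/lib/cinder:/bin/bash
"""


def leftover_credentials(conf_text):
    """Return (section, option) pairs that contradict step 6.

    Only sections that set storage_vnx_security_file_dir are examined, so
    back ends that still rely on san_login/san_password are not reported.
    """
    # default_section is renamed so that [DEFAULT] is read as an ordinary
    # section and its options are not inherited by every back end.
    parser = configparser.RawConfigParser(
        default_section="__unused__", strict=False, allow_no_value=True)
    parser.read_string(conf_text)
    leftovers = []
    for section in parser.sections():
        if not parser.has_option(section, SECFILE_OPTION):
            continue
        for option in PLAINTEXT_OPTIONS:
            if parser.has_option(section, option):
                leftovers.append((section, option))
    return leftovers


def login_shell(passwd_text, user="cinder"):
    """Return the shell field of the user's passwd entry, or None."""
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and fields[0] == user:
            return fields[6]
    return None


def audit(conf_text, passwd_text):
    """Return human-readable findings; an empty list means both steps held."""
    findings = ["[%s] still sets %s (step 6)" % pair
                for pair in leftover_credentials(conf_text)]
    shell = login_shell(passwd_text)
    if shell is not None and shell not in NON_LOGIN_SHELLS:
        findings.append("cinder account has login shell %s (step 5)" % shell)
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CINDER_CONF, SAMPLE_PASSWD):
        print(finding)
```

On a real node, pass the contents of /etc/cinder/cinder.conf and /etc/passwd to audit() after step 7.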
2.1.6.8.2. Register FC port with VNX
This configuration is only required when initiator_auto_registration=False.
To access VNX storage, the compute nodes should be registered on VNX first if initiator auto
registration is not enabled.
To perform "Copy Image to Volume" and "Copy Volume to Image" operations, the nodes running the
cinder-volume service (Block Storage nodes) must be registered with the VNX as well.
The steps mentioned below are for the compute nodes. Follow the same steps for the Block Storage
nodes also (The steps can be skipped if initiator auto registration is enabled).
1. Assume 20:00:00:24:FF:48:BA:C2:21:00:00:24:FF:48:BA:C2 is the WWN of a FC
initiator port name of the compute node whose hostname and IP are myhost1 and
10.10.61.1. Register 20:00:00:24:FF:48:BA:C2:21:00:00:24:FF:48:BA:C2 in
Unisphere:
a. Log in to Unisphere, go to FNM0000000000->Hosts->Initiators.
b. Refresh and wait until the initiator
20:00:00:24:FF:48:BA:C2:21:00:00:24:FF:48:BA:C2 with SP Port A-1 appears.
c. Click the Register button, select CLARiiON/VNX and enter the hostname (which is the
output of the Linux command hostname) and IP address:
Hostname : myhost1
IP : 10.10.61.1
Click Register
d. Then host 10.10.61.1 will appear under Hosts->Host List as well.
2. Register the WWN with more ports if needed.
2.1.6.8.3. Register iSCSI port with VNX
This configuration is only required when initiator_auto_registration=False.
To access VNX storage, the compute nodes should be registered on VNX first if initiator auto
registration is not enabled.
To perform "Copy Image to Volume" and "Copy Volume to Image" operations, the nodes running the
cinder-volume service (Block Storage nodes) must be registered with the VNX as well.
The steps mentioned below are for the compute nodes. Follow the same steps for the Block Storage
nodes also (The steps can be skipped if initiator auto registration is enabled).
1. On the compute node with IP address 10.10.61.1 and hostname myhost1, execute the
following commands (assuming 10.10.61.35 is the iSCSI target):
a. Start the iSCSI initiator service on the node
# /etc/init.d/open-iscsi start
b. Discover the iSCSI target portals on VNX
# iscsiadm -m discovery -t st -p 10.10.61.35
c. Enter /etc/iscsi
# cd /etc/iscsi
d. Find out the iqn of the node
# more initiatorname.iscsi
2. Log in to VNX from the compute node using the target corresponding to the SPA port:
# iscsiadm -m node -T iqn.1992-04.com.emc:cx.apm01234567890.a0 -p 10.10.61.35 -l
3. Assume iqn.1993-08.org.debian:01:1a2b3c4d5f6g is the initiator name of the
compute node. Register iqn.1993-08.org.debian:01:1a2b3c4d5f6g in Unisphere:
a. Log in to Unisphere, go to FNM0000000000->Hosts->Initiators.
b. Refresh and wait until the initiator iqn.1993-08.org.debian:01:1a2b3c4d5f6g with
SP Port A-8v0 appears.
c. Click the Register button, select CLARiiON/VNX and enter the hostname (which is the
output of the Linux command hostname) and IP address:
Hostname : myhost1
IP : 10.10.61.1
Click Register
d. Then host 10.10.61.1 will appear under Hosts->Host List as well.
4. Log out of iSCSI on the node:
# iscsiadm -m node -u
5. Log in to VNX from the compute node using the target corresponding to the SPB port:
# iscsiadm -m node -T iqn.1992-04.com.emc:cx.apm01234567890.b8 -p 10.10.61.36 -l
6. In Unisphere, register the initiator with the SPB port.
7. Log out of iSCSI on the node:
# iscsiadm -m node -u
8. Register the iqn with more ports if needed.
2.1.7. EMC XtremIO Block Storage driver configuration
The high performance XtremIO All Flash Array (AFA) offers Block Storage services to OpenStack.
Using the driver, OpenStack Block Storage hosts can connect to an XtremIO Storage cluster.
This section explains how to configure and connect an OpenStack block storage host to an XtremIO
storage cluster.
2.1.7.1. Support matrix
Xtremapp: Version 3.0 and 4.0
2.1.7.2. Supported operations
Create, delete, clone, attach, and detach volumes
Create and delete volume snapshots
Create a volume from a snapshot
Copy an image to a volume
Copy a volume to an image
Extend a volume
Manage and unmanage a volume
Get volume statistics
2.1.7.3. XtremIO Block Storage driver configuration
Edit the cinder.conf file by adding the configuration below under the [DEFAULT] section of the file
in case of a single back end or under a separate section in case of multiple back ends (for example
[XTREMIO]). The configuration file is usually located under the following path
/etc/cinder/cinder.conf.
For a configuration example, refer to the configuration example.
2.1.7.3.1. XtremIO driver name
Configure the driver name by adding the following parameter:
For iSCSI: volume_driver = cinder.volume.drivers.emc.xtremio.XtremIOIscsiDriver
For Fibre Channel: volume_driver = cinder.volume.drivers.emc.xtremio.XtremIOFibreChannelDriver
2.1.7.3.2. XtremIO management server (XMS) IP
To retrieve the management IP, use the show-xms CLI command.
Configure the management IP by adding the following parameter: san_ip = XMS Management IP
2.1.7.3.3. XtremIO cluster name
In XtremIO version 4.0, a single XMS can manage multiple cluster back ends. In such setups, the
administrator is required to specify the cluster name (in addition to the XMS IP). Each cluster must be
defined as a separate back end.
To retrieve the Cluster Name, run the show-clusters CLI command.
Configure the cluster name by adding the following parameter: xtremio_cluster_name = Cluster-Name
NOTE
When a single cluster is managed in XtremIO version 4.0, the cluster name is not
required.
2.1.7.3.4. XtremIO user credentials
OpenStack Block Storage requires an XtremIO XMS user with administrative privileges. XtremIO
recommends creating a dedicated OpenStack user account that holds an administrative user role.
Refer to the XtremIO User Guide for details on user account management.
Create an XMS account using either the XMS GUI or the add-user-account CLI command.
Configure the user credentials by adding the following parameters:
san_login = XMS username
san_password = XMS username password
2.1.7.4. Multiple back ends
Configuring multiple storage back ends enables you to create several back-end storage solutions that
serve the same OpenStack Compute resources.
When a volume is created, the scheduler selects the appropriate back end to handle the request,
according to the specified volume type.
2.1.7.5. Setting thin provisioning and multipathing parameters
To support thin provisioning and multipathing in the XtremIO Array, the following parameters from the
Nova and Cinder configuration files should be modified as follows:
Thin Provisioning
All XtremIO volumes are thin provisioned. The default value of 20 should be maintained for the
max_over_subscription_ratio parameter.
The use_cow_images parameter in the nova.conf file should be set to False as follows:
use_cow_images = false
Multipathing
The use_multipath_for_image_xfer parameter in the cinder.conf file should be set to
True as follows:
use_multipath_for_image_xfer = true
2.1.7.6. Restarting OpenStack Block Storage
Save the cinder.conf file and restart cinder by running the following command:
$ openstack-service restart cinder-volume
2.1.7.7. Configuring CHAP
The XtremIO Block Storage driver supports CHAP initiator authentication. If CHAP initiator
authentication is required, set the CHAP Authentication mode to initiator.
To set the CHAP initiator mode using CLI, run the following CLI command:
$ modify-chap chap-authentication-mode=initiator
The CHAP initiator mode can also be set via the XMS GUI.
Refer to the XtremIO User Guide for details on CHAP configuration via GUI and CLI.
The CHAP initiator authentication credentials (username and password) are generated automatically
by the Block Storage driver. Therefore, there is no need to configure the initial CHAP credentials
manually in XMS.
2.1.7.8. Configuration example
cinder.conf example file
You can update the cinder.conf file by editing the necessary parameters as follows:
[DEFAULT]
enabled_backends = XtremIO
[XtremIO]
volume_driver = cinder.volume.drivers.emc.xtremio.XtremIOFibreChannelDriver
san_ip = XMS_IP
xtremio_cluster_name = Cluster01
san_login = XMS_USER
san_password = XMS_PASSWD
volume_backend_name = XtremIOAFA
2.1.8. Fujitsu ETERNUS DX driver
The Fujitsu ETERNUS DX driver provides FC and iSCSI support for ETERNUS DX S3 series.
The driver performs volume operations by communicating with ETERNUS DX. It uses a CIM client in
Python called PyWBEM to perform CIM operations over HTTP. You can specify RAID Group and Thin
Provisioning Pool (TPP) in ETERNUS DX as a storage pool.
System requirements
Firmware version V10L30 or later is required.
An Advanced Copy Feature license is required to create a snapshot and a clone.
The pywbem package should be installed on the Controller node.
NOTE
The multipath environment with ETERNUS Multipath Driver is unsupported.
Supported operations
Create, delete, attach, and detach volumes.
Create, list, and delete volume snapshots.
Create a volume from a snapshot.
Copy an image to a volume.
Copy a volume to an image.
Clone a volume.
Extend a volume. [1]
Get volume statistics.
2.1.8.1. Configure the Fujitsu ETERNUS device
Before you can define the Fujitsu ETERNUS device as a Block Storage back end, you need to configure
storage pools and ports on the device first. Consult your device documentation for details on each
step:
1. Set up a LAN connection between the Controller nodes (where the Block Storage service is
hosted) and MNT ports of the ETERNUS device.
2. Set up a SAN connection between the Compute nodes and CA ports of the ETERNUS device.
3. Log in to the ETERNUS device using an account with the Admin role.
4. Enable the SMI-S of ETERNUS DX.
5. Register an Advanced Copy Feature license and configure the copy table size.
6. Create a storage pool for volumes. This pool will be used later in the EternusPool setting in
Section 2.1.8.2, “Configuring the Back End”.
NOTE
If you want to create volume snapshots on a different storage pool, create a
storage pool for that as well. This pool will be used in the EternusSnapPool
setting in Section 2.1.8.2, “Configuring the Back End”.
7. Create a Snap Data Pool Volume (SDPV) to enable Snap Data Pool (SDP) for the "create a
snapshot" function.
8. Configure storage ports to be used by the Block Storage service. Then:
a. Set those ports to CA mode.
b. Enable the host-affinity settings of those storage ports. To enable host-affinity, run the
following from the ETERNUS CLI for each port:
CLI> set PROTO-parameters -host-affinity enable -port CM# CA# PORT
Where:
PROTO defines which storage protocol is in use, as in fc (Fibre Channel) or iscsi.
CM# CA# refer to the controller enclosure where the port is located.
PORT is the port number.
2.1.8.2. Configuring the Back End
Fujitsu Eternus back ends use either of the following drivers:
cinder.volume.drivers.fujitsu.eternus_dx_fc.FJDXFCDriver (fibre channel)
cinder.volume.drivers.fujitsu.eternus_dx_iscsi.FJDXISCSIDriver (iSCSI)
The settings for Fujitsu Eternus back ends are defined in a separate XML file. To define a back end, set
volume_driver to the corresponding driver and cinder_eternus_config_file to point to the
back end's XML configuration file. For example, if your fibre channel back end settings are defined in
/etc/cinder/eternus_dx.xml, use:
volume_driver = cinder.volume.drivers.fujitsu.eternus_dx_fc.FJDXFCDriver
cinder_eternus_config_file = /etc/cinder/eternus_dx.xml
If you set the driver without defining cinder_eternus_config_file, then the driver will use
cinder_eternus_config_file = /etc/cinder/cinder_fujitsu_eternus_dx.xml by default.
The XML configuration file should contain the following settings:
EternusIP
IP address of the SMI-S connection of the ETERNUS device. Specifically, use the IP address of the
MNT port of the device.
EternusPort
Port number for the SMI-S connection port of the ETERNUS device.
EternusUser
User name to be used for the SMI-S connection (EternusIP).
EternusPassword
Corresponding password of EternusUser on EternusIP.
EternusPool
Name of the storage pool created for volumes (from Section 2.1.8.1, “Configure the Fujitsu
ETERNUS device”). Specifically, use the pool’s RAID Group name or TPP name in the ETERNUS
device.
EternusSnapPool
Name of the storage pool created for volume snapshots (from Section 2.1.8.1, “Configure the Fujitsu
ETERNUS device”). Specifically, use the pool’s RAID Group name in the ETERNUS device. If you did
not create a different pool for snapshots, use the same value as EternusPool.
EternusISCSIIP
(ISCSI only) IP address for iSCSI connections to the ETERNUS device. You can specify multiple IPs
by creating an entry for each one.
For example, with a fibre-channel back end:
<?xml version='1.0' encoding='UTF-8'?>
<FUJITSU>
  <EternusIP>0.0.0.0</EternusIP>
  <EternusPort>5988</EternusPort>
  <EternusUser>smisuser</EternusUser>
  <EternusPassword>smispassword</EternusPassword>
  <EternusPool>raid5_0001</EternusPool>
  <EternusSnapPool>raid5_0001</EternusSnapPool>
</FUJITSU>
With an iSCSI back end:
<?xml version='1.0' encoding='UTF-8'?>
<FUJITSU>
  <EternusIP>0.0.0.0</EternusIP>
  <EternusPort>5988</EternusPort>
  <EternusUser>smisuser</EternusUser>
  <EternusPassword>smispassword</EternusPassword>
  <EternusPool>raid5_0001</EternusPool>
  <EternusSnapPool>raid5_0001</EternusSnapPool>
  <EternusISCSIIP>1.1.1.1</EternusISCSIIP>
  <EternusISCSIIP>1.1.1.2</EternusISCSIIP>
  <EternusISCSIIP>1.1.1.3</EternusISCSIIP>
  <EternusISCSIIP>1.1.1.4</EternusISCSIIP>
</FUJITSU>
2.1.9. HDS HNAS iSCSI and NFS driver
This OpenStack Block Storage volume driver provides iSCSI and NFS support for Hitachi NAS Platform
Models 3080, 3090, 4040, 4060, 4080 and 4100.
2.1.9.1. Supported operations
The NFS and iSCSI drivers support these operations:
Create, delete, attach, and detach volumes.
Create, list, and delete volume snapshots.
Create a volume from a snapshot.
Copy an image to a volume.
Copy a volume to an image.
Clone a volume.
Extend a volume.
Get volume statistics.
Manage and unmanage a volume.
2.1.9.2. HNAS storage requirements
Before using iSCSI and NFS services, use the HNAS configuration and management GUI (SMU) or SSC
CLI to create storage pool(s), file system(s), and assign an EVS. Make sure that the file system used is
not created as a replication target. Additionally:
For NFS:
Create NFS exports, choose a path for them (it must be different from "/") and set the Show
snapshots option to hide and disable access.
Also, in the "Access Configuration" set the option norootsquash, e.g. "* (rw,
norootsquash)", so the HNAS cinder driver can change the permissions of its volumes.
In order to use the hardware accelerated features of NFS HNAS, we recommend setting max-nfs-version to 3. Refer to the HNAS command line reference to see how to configure this option.
For iSCSI:
You need to set an iSCSI domain.
2.1.9.3. Block storage host requirements
The Block storage host requires the nfs-utils package.
If you are not using SSH, you need the HDS SSC to communicate with an HNAS array using the SSC
commands. This utility package is available in the RPM package distributed with the hardware through
physical media or it can be manually copied from the SMU to the Block Storage host.
2.1.9.4. Package installation
If you are installing the driver from an RPM or DEB package, follow the steps below:
1. Install the dependencies:
# yum install nfs-utils nfs-utils-lib
2. Configure the driver as described in Section 2.1.9.5, “Driver configuration”.
3. Restart all cinder services (volume, scheduler and backup).
2.1.9.5. Driver configuration
The HDS driver supports the concept of differentiated services (also referred to as quality of service) by
mapping volume types to services provided through HNAS.
HNAS supports a variety of storage options and file system capabilities, which are selected through the
definition of volume types and the use of multiple back ends. The driver maps up to four volume types
into separate exports or file systems, and can support any number if using multiple back ends.
The configuration for the driver is read from an XML-formatted file (one per back end), which you need
to create, setting its path in the cinder.conf configuration file. Below is the configuration needed
in the cinder.conf configuration file [2] :
[DEFAULT]
enabled_backends = hnas_iscsi1, hnas_nfs1
For HNAS iSCSI driver create this section:
[hnas_iscsi1]
volume_driver = cinder.volume.drivers.hitachi.hnas_iscsi.HDSISCSIDriver
hds_hnas_iscsi_config_file = /path/to/config/hnas_config_file.xml
volume_backend_name = HNAS-ISCSI
For HNAS NFS driver create this section:
[hnas_nfs1]
volume_driver = cinder.volume.drivers.hitachi.hnas_nfs.HDSNFSDriver
hds_hnas_nfs_config_file = /path/to/config/hnas_config_file.xml
volume_backend_name = HNAS-NFS
The XML file has the following format:
<?xml version = "1.0" encoding = "UTF-8" ?>
<config>
  <mgmt_ip0>172.24.44.15</mgmt_ip0>
  <hnas_cmd>ssc</hnas_cmd>
  <chap_enabled>False</chap_enabled>
  <ssh_enabled>False</ssh_enabled>
  <cluster_admin_ip0>10.1.1.1</cluster_admin_ip0>
  <username>supervisor</username>
  <password>supervisor</password>
  <svc_0>
    <volume_type>default</volume_type>
    <iscsi_ip>172.24.44.20</iscsi_ip>
    <hdp>fs01-husvm</hdp>
  </svc_0>
  <svc_1>
    <volume_type>platinum</volume_type>
    <iscsi_ip>172.24.44.20</iscsi_ip>
    <hdp>fs01-platinum</hdp>
  </svc_1>
</config>
2.1.9.6. HNAS volume driver XML configuration options
An OpenStack Block Storage node using HNAS drivers can have up to four services. Each service is
defined by a svc_n tag (svc_0, svc_1, svc_2, or svc_3 [3], for example). These are the
configuration options available for each service label:
Table 2.6. Configuration options for service labels

Option: volume_type
Type: Required
Default: default
Description: When a create_volume call with a certain volume type happens, the volume type will try to be
matched up with this tag. In each configuration file you must define the default volume type in the
service labels and, if no volume type is specified, the default is used. Other labels are case sensitive
and should match exactly. If no configured volume types match the incoming requested type, an error
occurs in the volume creation.

Option: iscsi_ip
Type: Required only for iSCSI
Default: (not specified)
Description: An iSCSI IP address dedicated to the service.

Option: hdp
Type: Required
Default: (not specified)
Description: For iSCSI driver: virtual file system label associated with the service.
For NFS driver: path to the volume (<ip_address>:/<path>) associated with the service.
Additionally, this entry must be added in the file used to list available NFS shares. This file is located,
by default, in /etc/cinder/nfs_shares or you can specify the location in the nfs_shares_config option
in the cinder.conf configuration file.

These are the configuration options available to the config section of the XML config file:
Table 2.7. Configuration options
| Option | Type | Default | Description |
| mgmt_ip0 | Required | | Management Port 0 IP address. Should be the IP address of the "Admin" EVS. |
| hnas_cmd | Optional | ssc | Command to communicate to HNAS array. |
| chap_enabled | Optional (iSCSI only) | True | Boolean tag used to enable CHAP authentication protocol. |
| username | Required | supervisor | It's always required on HNAS. |
| password | Required | supervisor | Password is always required on HNAS. |
| svc_0, svc_1, svc_2, svc_3 | Optional (at least one label has to be defined) | | Service labels: these four predefined names help four different sets of configuration options. Each can specify HDP and a unique volume type. |
| cluster_admin_ip0 | Optional if ssh_enabled is True | | The address of HNAS cluster admin. |
| ssh_enabled | Optional | False | Enables SSH authentication between Block Storage host and the SMU. |
| ssh_private_key | Required if ssh_enabled is True | False | Path to the SSH private key used to authenticate in HNAS SMU. The public key must be uploaded to HNAS SMU using ssh-register-public-key (this is an SSH subcommand). Note that copying the public key to HNAS using ssh-copy-id doesn't work properly as the SMU periodically wipes out those keys. |
2.1.9.7. Service labels
The HNAS driver supports differentiated types of service using the service labels. You can create up
to four of them, for example gold, platinum, silver and ssd.
After creating the services in the XML configuration file, you must configure one volume_type per
service. Each volume_type must have the metadata service_label with the same name
configured in the <volume_type> section of that service. If this is not set, OpenStack Block Storage
will schedule the volume creation to the pool with largest available free space or other criteria
configured in volume filters.
$ cinder type-create default
$ cinder type-key default set service_label=default
$ cinder type-create platinum-tier
$ cinder type-key platinum-tier set service_label=platinum
2.1.9.8. Multi-back-end configuration
If you use multiple back ends and intend to enable the creation of a volume in a specific back end, you
must configure volume types to set the volume_backend_name option to the appropriate back end.
Then, create volume_type configurations with the same volume_backend_name.
$ cinder type-create 'iscsi'
$ cinder type-key 'iscsi' set volume_backend_name='HNAS-ISCSI'
$ cinder type-create 'nfs'
$ cinder type-key 'nfs' set volume_backend_name='HNAS-NFS'
You can deploy multiple OpenStack HNAS driver instances that each control a separate HNAS array.
Each service (svc_0, svc_1, svc_2, svc_3) on the instances needs to have a volume_type and
service_label metadata associated with it. If no metadata is associated with a pool, the OpenStack Block
Storage filtering algorithm selects the pool with the largest available free space.
2.1.9.9. SSH configuration
Instead of using SSC on the Block Storage host and storing its credentials in the XML configuration file,
the HNAS driver supports SSH authentication. To configure it:
1. If you don't already have an SSH key pair generated, create one on the Block Storage host
(leave the pass-phrase empty):
$ mkdir -p /opt/hds/ssh
$ ssh-keygen -f /opt/hds/ssh/hnaskey
2. Change the owner of the key to cinder (or the user that the volume service runs as):
# chown -R cinder:cinder /opt/hds/ssh
3. Create the directory "ssh_keys" in the SMU server:
$ ssh [manager|supervisor]@<smu-ip> 'mkdir -p /var/opt/mercury-main/home/[manager|supervisor]/ssh_keys/'
4. Copy the public key to the "ssh_keys" directory:
$ scp /opt/hds/ssh/hnaskey.pub [manager|supervisor]@<smu-ip>:/var/opt/mercury-main/home/[manager|supervisor]/ssh_keys/
5. Access the SMU server:
$ ssh [manager|supervisor]@<smu-ip>
6. Run the command to register the SSH keys:
$ ssh-register-public-key -u [manager|supervisor] -f ssh_keys/hnaskey.pub
7. Check the communication with HNAS in the Block Storage host:
$ ssh -i /opt/hds/ssh/hnaskey [manager|supervisor]@<smu-ip> 'ssc <cluster_admin_ip0> df -a'
<cluster_admin_ip0> is "localhost" for single node deployments. This should return a list of
available file systems on HNAS.
2.1.9.10. Editing the XML config file:
1. Set the "username".
2. Enable SSH by adding the line "<ssh_enabled>True</ssh_enabled>" under the "<config>"
section.
3. Set the private key path: "<ssh_private_key>/opt/hds/ssh/hnaskey</ssh_private_key>"
under the "<config>" section.
4. If the HNAS is in a multi-cluster configuration, set "<cluster_admin_ip0>" to the cluster
node admin IP. In a single node HNAS, leave it empty.
5. Restart cinder services.

WARNING
Note that copying the public key to HNAS using ssh-copy-id doesn't work properly as
the SMU periodically wipes out those keys.
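The rules from Tables 2.6 and 2.7 and the SSH settings from the editing steps above can be checked against a back-end XML file before the cinder services are restarted. The following is an added example, not part of the HNAS driver or of the original guide; the function names, the finding texts and the mode-600 file policy are assumptions of the example.

```python
import os
import stat
import xml.etree.ElementTree as ET

SERVICE_TAGS = ("svc_0", "svc_1", "svc_2", "svc_3")  # the four labels the page allows

# The example file from this page, reproduced as sample input.
PAGE_SAMPLE = """<?xml version="1.0" encoding="UTF-8"?>
<config>
  <mgmt_ip0>172.24.44.15</mgmt_ip0>
  <hnas_cmd>ssc</hnas_cmd>
  <chap_enabled>False</chap_enabled>
  <ssh_enabled>False</ssh_enabled>
  <cluster_admin_ip0>10.1.1.1</cluster_admin_ip0>
  <username>supervisor</username>
  <password>supervisor</password>
  <svc_0>
    <volume_type>default</volume_type>
    <iscsi_ip>172.24.44.20</iscsi_ip>
    <hdp>fs01-husvm</hdp>
  </svc_0>
  <svc_1>
    <volume_type>platinum</volume_type>
    <iscsi_ip>172.24.44.20</iscsi_ip>
    <hdp>fs01-platinum</hdp>
  </svc_1>
</config>"""


def _text(node, tag):
    """Stripped text of a child element, or '' when the tag is absent or empty."""
    child = node.find(tag)
    return (child.text or "").strip() if child is not None else ""


def _flag(node, tag, default):
    """Boolean tag value; tolerates padding such as '<ssh_enabled> True</ssh_enabled>'."""
    value = _text(node, tag)
    return value.lower() == "true" if value else default


def check_hnas_config(xml_text, protocol):
    """Return findings for one HNAS back-end file; protocol is 'iscsi' or 'nfs'."""
    root = ET.fromstring(xml_text)
    findings = []
    for tag in ("mgmt_ip0", "username"):
        if not _text(root, tag):
            findings.append(f"missing required <{tag}>")

    # Authentication: SSH key, or SSC with the password kept in this file.
    if _flag(root, "ssh_enabled", default=False):
        if not _text(root, "ssh_private_key"):
            findings.append("ssh_enabled is True but <ssh_private_key> is not set")
    else:
        password = _text(root, "password")
        if not password:
            findings.append("missing required <password>")
        elif password == "supervisor":
            findings.append("<password> is still the documented default")
        findings.append("ssh_enabled is False: the SSC password is stored in clear text")
    if protocol == "iscsi" and not _flag(root, "chap_enabled", default=True):
        findings.append("chap_enabled is False: iSCSI sessions are not authenticated")

    # Service labels: only svc_0..svc_3, at least one, unique volume types.
    for child in root:
        if child.tag.startswith("svc_") and child.tag not in SERVICE_TAGS:
            findings.append(f"<{child.tag}> is outside svc_0..svc_3")
    services = [(tag, root.find(tag)) for tag in SERVICE_TAGS if root.find(tag) is not None]
    if not services:
        findings.append("no service label defined")
    owners = {}
    for tag, svc in services:
        required = ["volume_type", "hdp"] + (["iscsi_ip"] if protocol == "iscsi" else [])
        for option in required:
            if not _text(svc, option):
                findings.append(f"<{tag}> is missing <{option}>")
        hdp = _text(svc, "hdp")
        if protocol == "nfs" and hdp and ":/" not in hdp:
            findings.append(f"<{tag}> hdp '{hdp}' is not <ip_address>:/<path>")
        vtype = _text(svc, "volume_type")
        if vtype in owners:
            findings.append(f"volume_type '{vtype}' is in both <{owners[vtype]}> and <{tag}>")
        elif vtype:
            owners[vtype] = tag
    if services and "default" not in owners:
        findings.append("no service label defines the 'default' volume_type")
    return findings


def check_file_mode(path):
    """Flag a config or private-key file that group or other can access (example policy)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return [f"{path} has mode {mode:o}, expected 600"] if mode & 0o077 else []


if __name__ == "__main__":
    for finding in check_hnas_config(PAGE_SAMPLE, "iscsi"):
        print("FINDING:", finding)
```

Run check_file_mode against both the XML file and /opt/hds/ssh/hnaskey, since either one grants access to the SMU.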
2.1.9.11. Manage and unmanage
Manage and unmanage are two new API extensions that add some new features to the driver. The
manage action on an existing volume is very similar to a volume creation. It creates a volume entry on
OpenStack Block Storage DB, but instead of creating a new volume in the back end, it only adds a 'link'
to an existing volume. Volume name, description, volume_type, metadata and availability_zone are
supported as in a normal volume creation.
The unmanage action on an existing volume removes the volume from the OpenStack Block Storage
DB, but keeps the actual volume in the back-end. From an OpenStack Block Storage perspective the
volume would be deleted, but it would still exist for outside use.
HOW TO MANAGE:
On the Dashboard:
For NFS:
1. Under the tab System -> Volumes choose the option [ + Manage Volume ]
2. Fill the fields Identifier, Host and Volume Type with volume information to be
managed:
Identifier: ip:/type/volume_name Example: 172.24.44.34:/silver/volume-test
Host: host@backend-name#pool_name Example: myhost@hnasnfs#test_silver
Volume Name: volume_name Example: volume-test
Volume Type: choose a type of volume Example: silver
For iSCSI:
1. Under the tab System -> Volumes choose the option [ + Manage Volume ]
2. Fill the fields Identifier, Host, Volume Name and Volume Type with volume
information to be managed:
Identifier: filesystem-name/volume-name Example: filesystem-test/volume-test
Host: host@backend-name#pool_name Example: myhost@hnas-iscsi#test_silver
Volume Name: volume_name Example: volume-test
Volume Type: choose a type of volume Example: silver
By CLI:
$ cinder --os-volume-api-version 2 manage [--source-name <source-name>]
  [--id-type <id-type>] [--name <name>] [--description <description>]
  [--volume-type <volume-type>] [--availability-zone <availability-zone>]
  [--metadata [<key=value> [<key=value> ...]]] [--bootable]
  <host> [<key=value> [<key=value> ...]]
Example:
For NFS:
$ cinder --os-volume-api-version 2 manage --name volume-test \
    --volume-type silver --source-name 172.24.44.34:/silver/volume-test \
    'myhost@hnasnfs#test_silver'
For iSCSI:
$ cinder --os-volume-api-version 2 manage --name volume-test \
    --volume-type silver --source-name filesystem-test/volume-test \
    'myhost@hnas-iscsi#test_silver'
HOW TO UNMANAGE:
On Dashboard:
1. Under the tab [ System -> Volumes ] choose a volume
2. On the volume options, choose [ +Unmanage Volume ]
3. Check the data and confirm.
By CLI:
$ cinder --os-volume-api-version 2 unmanage <volume>
Example:
$ cinder --os-volume-api-version 2 unmanage voltest
2.1.9.12. Additional notes
The get_volume_stats() function always provides the available capacity based on the
combined sum of all the HDPs that are used in these service labels.
After changing the configuration on the storage, the OpenStack Block Storage driver must be
restarted.
On Red Hat, if the system is configured to use SELinux, you need to set "virt_use_nfs =
on" for the NFS driver to work properly.
# setsebool -P virt_use_nfs on
It is not possible to manage a volume if there is a slash ('/') or a colon (':') in the volume name.
2.1.10. Hitachi storage volume driver
Hitachi storage volume driver provides iSCSI and Fibre Channel support for Hitachi storages.
2.1.10.1. System requirements
Supported storages:
Hitachi Virtual Storage Platform G1000 (VSP G1000)
Hitachi Virtual Storage Platform (VSP)
Hitachi Unified Storage VM (HUS VM)
Hitachi Unified Storage 100 Family (HUS 100 Family)
Required software:
RAID Manager Ver 01-32-03/01 or later for VSP G1000/VSP/HUS VM
Hitachi Storage Navigator Modular 2 (HSNM2) Ver 27.50 or later for HUS 100 Family
NOTE
HSNM2 needs to be installed under /usr/stonavm.
Required licenses:
Hitachi In-System Replication Software for VSP G1000/VSP/HUS VM
(Mandatory) ShadowImage in-system replication for HUS 100 Family
(Optional) Copy-on-Write Snapshot for HUS 100 Family
Additionally, the pexpect package is required.
2.1.10.2. Supported operations
Create, delete, attach and detach volumes.
Create, list and delete volume snapshots.
Create a volume from a snapshot.
Copy a volume to an image.
Copy an image to a volume.
Clone a volume.
Extend a volume.
Get volume statistics.
2.1.10.3. Configuration
Set up Hitachi storage
You need to specify settings as described below. For details about each step, see the user's guide of
the storage device. Use storage administration software such as Storage Navigator to set up the
storage device so that LDEVs and host groups can be created and deleted, and LDEVs can be
connected to the server and can be asynchronously copied.
1. Create a Dynamic Provisioning pool.
2. Connect the ports at the storage to the Controller node and Compute nodes.
3. For VSP G1000/VSP/HUS VM, set "port security" to "enable" for the ports at the storage.
4. For HUS 100 Family, set "Host Group security"/"iSCSI target security" to "ON" for the ports at
the storage.
5. For the ports at the storage, create host groups (iSCSI targets) whose names begin with
HBSD- for the Controller node and each Compute node. Then register a WWN (initiator IQN) for
each of the Controller node and Compute nodes.
6. For VSP G1000/VSP/HUS VM, perform the following:
Create a storage device account belonging to the Administrator User Group. (To use
multiple storage devices, create the same account name for all the target storage devices,
and specify the same resource group and permissions.)
Create a command device (In-Band), and set user authentication to ON.
Register the created command device to the host group for the Controller node.
To use the Thin Image function, create a pool for Thin Image.
7. For HUS 100 Family, perform the following:
Use the command auunitaddauto to register the unit name and controller of the storage
device to HSNM2.
When connecting via iSCSI, if you are using CHAP certification, specify the same user and
password as that used for the storage port.
Set up Hitachi Gigabit Fibre Channel adaptor
Change a parameter of the hfcldd driver and update the initram file if Hitachi Gigabit Fibre Channel
adaptor is used.
# /opt/hitachi/drivers/hba/hfcmgr -E hfc_rport_lu_scan 1
# dracut -f initramfs-KERNEL_VERSION.img KERNEL_VERSION
# reboot
Set up Hitachi storage volume driver
1. Create directory.
# mkdir /var/lock/hbsd
# chown cinder:cinder /var/lock/hbsd
2. Create "volume type" and "volume key".
This example shows that HUS100_SAMPLE is created as "volume type" and hus100_backend
is registered as "volume key".
$ cinder type-create HUS100_SAMPLE
$ cinder type-key HUS100_SAMPLE set volume_backend_name=hus100_backend
Specify any identical "volume type" name and "volume key".
To confirm the created "volume type", execute the following command:
$ cinder extra-specs-list
3. Edit /etc/cinder/cinder.conf as follows.
If you use Fibre Channel:
volume_driver = cinder.volume.drivers.hitachi.hbsd_fc.HBSDFCDriver
If you use iSCSI:
volume_driver = cinder.volume.drivers.hitachi.hbsd_iscsi.HBSDISCSIDriver
Also, set volume_backend_name created by cinder type-key
volume_backend_name = hus100_backend
This table shows configuration options for Hitachi storage volume driver.
Table 2.8. Description of Hitachi storage volume driver configuration options
| Configuration option = Default value | Description |
| [DEFAULT] | |
| hitachi_add_chap_user = False | (BoolOpt) Add CHAP user |
| hitachi_async_copy_check_interval = 10 | (IntOpt) Interval to check copy asynchronously |
| hitachi_auth_method = None | (StrOpt) iSCSI authentication method |
| hitachi_auth_password = HBSD-CHAP-password | (StrOpt) iSCSI authentication password |
| hitachi_auth_user = HBSD-CHAP-user | (StrOpt) iSCSI authentication username |
| hitachi_copy_check_interval = 3 | (IntOpt) Interval to check copy |
| hitachi_copy_speed = 3 | (IntOpt) Copy speed of storage system |
| hitachi_default_copy_method = FULL | (StrOpt) Default copy method of storage system |
| hitachi_group_range = None | (StrOpt) Range of group number |
| hitachi_group_request = False | (BoolOpt) Request for creating HostGroup or iSCSI Target |
| hitachi_horcm_add_conf = True | (BoolOpt) Add to HORCM configuration |
| hitachi_horcm_numbers = 200,201 | (StrOpt) Instance numbers for HORCM |
| hitachi_horcm_password = None | (StrOpt) Password of storage system for HORCM |
| hitachi_horcm_resource_lock_timeout = 600 | (IntOpt) Timeout until a resource lock is released, in seconds. The value must be between 0 and 7200. |
| hitachi_horcm_user = None | (StrOpt) Username of storage system for HORCM |
| hitachi_ldev_range = None | (StrOpt) Range of logical device of storage system |
| hitachi_pool_id = None | (IntOpt) Pool ID of storage system |
| hitachi_serial_number = None | (StrOpt) Serial number of storage system |
| hitachi_target_ports = None | (StrOpt) Control port names for HostGroup or iSCSI Target |
| hitachi_thin_pool_id = None | (IntOpt) Thin pool ID of storage system |
| hitachi_unit_name = None | (StrOpt) Name of an array unit |
| hitachi_zoning_request = False | (BoolOpt) Request for FC Zone creating HostGroup |
4. Restart Block Storage service.
When the startup is done, "MSGID0003-I: The storage backend can be used." is output into
/var/log/cinder/volume.log as follows.
2014-09-01 10:34:14.169 28734 WARNING cinder.volume.drivers.hitachi.hbsd_common [req-a0bb70b5-7c3f-422a-a29e-6a55d6508135 None None] MSGID0003-I: The storage backend can be used. (config_group: hus100_backend)
2.1.11. HPE 3PAR Fibre Channel and iSCSI drivers
The HPE3PARFCDriver and HPE3PARISCSIDriver drivers, which are based on the Block Storage
service (Cinder) plug-in architecture, run volume operations by communicating with the HPE 3PAR
storage system over HTTP, HTTPS, and SSH connections. The HTTP and HTTPS communications use
hp3parclient, which is part of the Python standard library.
For information about how to manage HPE 3PAR storage systems, see the HPE 3PAR user
documentation.
2.1.11.1. System requirements
To use the HPE 3PAR drivers, install the following software and components on the HPE 3PAR storage
system:
HPE 3PAR Operating System software version 3.1.3 MU1 or higher.
Deduplication provisioning requires SSD disks and HPE 3PAR Operating System software
version 3.2.1 MU1 or higher.
Enabling Flash Cache Policy requires the following:
Array must contain SSD disks.
HPE 3PAR Operating System software version 3.2.1 MU2 or higher.
python-3parclient version 4.2.0 or newer.
Array must have the Adaptive Flash Cache license installed.
Flash Cache must be enabled on the array with the CLI command createflashcache
SIZE, where SIZE must be in 16 GB increments. For example, createflashcache
128g will create 128 GB of Flash Cache for each node pair in the array.
The Dynamic Optimization license is required to support any feature that results in a
volume changing provisioning type or CPG. This may apply to the volume migrate,
retype, and manage commands.
The Virtual Copy License is required to support any feature that involves volume
snapshots. This applies to the volume snapshot-* commands.
HPE 3PAR drivers will now check the licenses installed on the array and disable driver
capabilities based on available licenses. This will apply to thin provisioning, QoS support and
volume replication.
HPE 3PAR Web Services API Server must be enabled and running
One Common Provisioning Group (CPG)
Additionally, you must install the python-3parclient version 4.2.0 or newer from the Python
standard library on the system with the enabled Block Storage service volume drivers.
2.1.11.2. Supported operations
Create, delete, attach, and detach volumes.
Create, list, and delete volume snapshots.
Create a volume from a snapshot.
Copy an image to a volume.
Copy a volume to an image.
Clone a volume.
Extend a volume.
Migrate a volume with back-end assistance.
Retype a volume.
Manage and unmanage a volume.
Create, delete, update, snapshot, and clone consistency groups.
Create and delete consistency group snapshots.
Create a consistency group from a consistency group snapshot or another group.
Volume type support for both HPE 3PAR drivers includes the ability to set the following capabilities in
the OpenStack Block Storage API cinder.api.contrib.types_extra_specs volume type extra
specs extension module:
hpe3par:snap_cpg
hpe3par:provisioning
hpe3par:persona
hpe3par:vvs
hpe3par:flash_cache
To work with the default filter scheduler, the key values are case sensitive and scoped with hpe3par:.
For information about how to set the key-value pairs and associate them with a volume type, run the
following command:
$ cinder help type-key
NOTE
Volumes that are cloned only support extra specs keys cpg, snap_cpg, provisioning and
vvs. The others are ignored. In addition the comments section of the cloned volume in
the HPE 3PAR StoreServ storage array is not populated.
If volume types are not used or a particular key is not set for a volume type, the following defaults are
used:
hpe3par:cpg - Defaults to the hpe3par_cpg setting in the cinder.conf file.
hpe3par:snap_cpg - Defaults to the hpe3par_snap setting in the cinder.conf file. If
hpe3par_snap is not set, it defaults to the hpe3par_cpg setting.
hpe3par:provisioning - Defaults to thin provisioning, the valid values are thin, full, and
dedup.
hpe3par:persona - Defaults to the 2 - Generic-ALUA persona. The valid values are 1 - Generic,
2 - Generic-ALUA, 3 - Generic-legacy, 4 - HPUX-legacy, 5 - AIX-legacy, 6 - EGENERA,
7 - ONTAP-legacy, 8 - VMware, 9 - OpenVMS, 10 - HPUX, and 11 - WindowsServer.
hpe3par:flash_cache - Defaults to false, the valid values are true and false.
QoS support for both HPE 3PAR drivers includes the ability to set the following capabilities in the
OpenStack Block Storage API cinder.api.contrib.qos_specs_manage qos specs extension
module:
minBWS
maxBWS
minIOPS
maxIOPS
latency
priority
The qos keys above no longer need to be scoped but must be created and associated with a volume
type. For information about how to set the key-value pairs and associate them with a volume type, run
the following commands:
$ cinder help qos-create
$ cinder help qos-key
$ cinder help qos-associate
The following keys require that the HPE 3PAR StoreServ storage array has a Priority Optimization
license installed.
hpe3par:vvs - The virtual volume set name that has been predefined by the Administrator
with Quality of Service (QoS) rules associated to it. If you specify extra_specs hpe3par:vvs,
the qos_specs minIOPS, maxIOPS, minBWS, and maxBWS settings are ignored.
minBWS - The QoS I/O issue bandwidth minimum goal in MBs. If not set, the I/O issue
bandwidth rate has no minimum goal.
maxBWS - The QoS I/O issue bandwidth rate limit in MBs. If not set, the I/O issue bandwidth
rate has no limit.
minIOPS - The QoS I/O issue count minimum goal. If not set, the I/O issue count has no
minimum goal.
maxIOPS - The QoS I/O issue count rate limit. If not set, the I/O issue count rate has no limit.
latency - The latency goal in milliseconds.
priority - The priority of the QoS rule over other rules. If not set, the priority is normal, valid
values are low, normal and high.
NOTE
Since the Icehouse release, minIOPS and maxIOPS must be used together to set I/O
limits. Similarly, minBWS and maxBWS must be used together. If only one is set the
other will be set to the same value.
The following keys require that the HPE 3PAR StoreServ storage array has an Adaptive Flash Cache
license installed.
hpe3par:flash_cache - The flash-cache policy, which can be turned on and off by setting
the value to true or false.
2.1.11.3. Enable the HPE 3PAR Fibre Channel and iSCSI drivers
The HPE3PARFCDriver and HPE3PARISCSIDriver are installed with the OpenStack software.
1. Install the hp3parclient Python package on the OpenStack Block Storage system.
# pip install 'python-3parclient>=4.0,<5.0'
2. Verify that the HPE 3PAR Web Services API server is enabled and running on the HPE 3PAR
storage system.
a. Log onto the HP 3PAR storage system with administrator access.
$ ssh 3paradm@<HP 3PAR IP Address>
b. View the current state of the Web Services API Server.
# showwsapi
-Service- -State- -HTTP_State- HTTP_Port -HTTPS_State- HTTPS_Port -Version-
Enabled   Active  Enabled      8008      Enabled       8080       1.1
c. If the Web Services API Server is disabled, start it.
# startwsapi
3. If the HTTP or HTTPS state is disabled, enable one of them.
# setwsapi -http enable
or
# setwsapi -https enable
NOTE
To stop the Web Services API Server, use the stopwsapi command. For other
options run the setwsapi -h command.
4. If you are not using an existing CPG, create a CPG on the HPE 3PAR storage system to be used
as the default location for creating volumes.
5. Make the following changes in the /etc/cinder/cinder.conf file.
## REQUIRED SETTINGS
# 3PAR WS API Server URL
hpe3par_api_url=https://10.10.0.141:8080/api/v1
# 3PAR username with the 'edit' role
hpe3par_username=edit3par
# 3PAR password for the user specified in hpe3par_username
hpe3par_password=3parpass
# 3PAR CPG to use for volume creation
hpe3par_cpg=OpenStackCPG_RAID5_NL
# IP address of SAN controller for SSH access to the array
san_ip=10.10.22.241
# Username for SAN controller for SSH access to the array
san_login=3paradm
# Password for SAN controller for SSH access to the array
san_password=3parpass
# FIBRE CHANNEL(uncomment the next line to enable the FC driver)
# volume_driver=cinder.volume.drivers.hpe.hpe_3par_fc.HPE3PARFCDriver
# iSCSI (uncomment the next line to enable the iSCSI driver and
# hpe3par_iscsi_ips or iscsi_ip_address)
#volume_driver=cinder.volume.drivers.hpe.hpe_3par_iscsi.HPE3PARISCSIDriver
# iSCSI multiple port configuration
# hpe3par_iscsi_ips=10.10.220.253:3261,10.10.222.234
# Still available for single port iSCSI configuration
#iscsi_ip_address=10.10.220.253
# Enable HTTP debugging to 3PAR
hpe3par_debug=False
# Enable CHAP authentication for iSCSI connections.
hpe3par_iscsi_chap_enabled=false
# The CPG to use for Snapshots for volumes. If empty hpe3par_cpg will be
# used.
hpe3par_snap_cpg=OpenStackSNAP_CPG
# Time in hours to retain a snapshot. You can't delete it before this
# expires.
hpe3par_snapshot_retention=48
# Time in hours when a snapshot expires and is deleted. This must be
# larger than retention.
hpe3par_snapshot_expiration=72
# The ratio of oversubscription when thin provisioned volumes are
# involved. Default ratio is 20.0, this means that a provisioned
# capacity can be 20 times of the total physical capacity.
max_over_subscription_ratio=20.0
# This flag represents the percentage of reserved back-end capacity.
reserved_percentage=15
NOTE
You can enable only one driver on each cinder instance unless you enable
multiple back-end support.
NOTE
You can configure one or more iSCSI addresses by using the
hpe3par_iscsi_ips option. When you configure multiple addresses, the
driver selects the iSCSI port with the fewest active volumes at attach time. The
IP address might include an IP port by using a colon (:) to separate the address
from port. If you do not define an IP port, the default port 3260 is used.
Separate IP addresses with a comma (,). The
iscsi_ip_address/iscsi_port options might be used as an alternative to
hpe3par_iscsi_ips for single port iSCSI configuration.
6. Save the changes to the cinder.conf file and restart the cinder-volume service.
The HPE 3PAR Fibre Channel and iSCSI drivers are now enabled on your OpenStack system. If you
experience problems, review the Block Storage service log files for errors.
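Several constraints in step 5 and its notes can be checked mechanically before the cinder-volume service is restarted: the WSAPI URL scheme, CHAP for the iSCSI driver, the address[:port] syntax of hpe3par_iscsi_ips with its default port 3260, and snapshot expiration being larger than retention. The following is an added example, not code from the HPE 3PAR driver or the original guide; the section name 3par_iscsi, the sample values, the function names and the finding texts are assumptions of the example.

```python
import configparser
import ipaddress

DEFAULT_ISCSI_PORT = 3260  # used when an address carries no port, per the note above

# Constructed sample back-end section with three deliberate mistakes.
SAMPLE_CONF = """
[3par_iscsi]
volume_driver=cinder.volume.drivers.hpe.hpe_3par_iscsi.HPE3PARISCSIDriver
hpe3par_api_url=http://10.10.0.141:8008/api/v1
hpe3par_username=edit3par
hpe3par_password=example%password
hpe3par_cpg=OpenStackCPG_RAID5_NL
hpe3par_iscsi_ips=10.10.220.253:3261,10.10.222.234
hpe3par_iscsi_chap_enabled=false
hpe3par_snapshot_retention=48
hpe3par_snapshot_expiration=24
"""


def parse_iscsi_ips(value):
    """Split hpe3par_iscsi_ips into (address, port) pairs; ValueError if malformed.

    Handles the IPv4 address[:port] form shown on this page.
    """
    targets = []
    for item in filter(None, (part.strip() for part in value.split(","))):
        host, _, port = item.partition(":")
        address = ipaddress.IPv4Address(host)  # raises ValueError on a bad address
        number = int(port) if port else DEFAULT_ISCSI_PORT
        if not 0 < number < 65536:
            raise ValueError(f"port out of range in {item!r}")
        targets.append((str(address), number))
    return targets


def audit_3par_backend(conf_text, section):
    """Return findings for one HPE 3PAR back-end section of cinder.conf."""
    parser = configparser.ConfigParser(interpolation=None)  # '%' is legal in passwords
    parser.read_string(conf_text)
    opts = parser[section]
    findings = []

    if not opts.get("hpe3par_api_url", "").lower().startswith("https://"):
        findings.append("hpe3par_api_url is not HTTPS: WSAPI credentials are sent in clear text")

    is_iscsi = opts.get("volume_driver", "").endswith("HPE3PARISCSIDriver")
    if is_iscsi:
        # Assumption: an unset hpe3par_iscsi_chap_enabled means CHAP is off.
        if not opts.getboolean("hpe3par_iscsi_chap_enabled", fallback=False):
            findings.append("hpe3par_iscsi_chap_enabled is false for the iSCSI driver")
        try:
            targets = parse_iscsi_ips(opts.get("hpe3par_iscsi_ips", ""))
            if not targets and not opts.get("iscsi_ip_address"):
                findings.append("neither hpe3par_iscsi_ips nor iscsi_ip_address is set")
        except ValueError as exc:
            findings.append(f"hpe3par_iscsi_ips is malformed: {exc}")

    retention = opts.getint("hpe3par_snapshot_retention", fallback=None)
    expiration = opts.getint("hpe3par_snapshot_expiration", fallback=None)
    if retention is not None and expiration is not None and expiration <= retention:
        findings.append(
            f"hpe3par_snapshot_expiration ({expiration}) must be larger than "
            f"hpe3par_snapshot_retention ({retention})"
        )
    return findings


if __name__ == "__main__":
    print(parse_iscsi_ips("10.10.220.253:3261,10.10.222.234"))
    for finding in audit_3par_backend(SAMPLE_CONF, "3par_iscsi"):
        print("FINDING:", finding)
```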
2.1.12. Huawei storage driver
The Huawei driver supports the iSCSI and Fibre Channel connections and enables OceanStor T series
V200R002, OceanStor 18000 series V100R001 and OceanStor V3 series V300R002 storage to
provide block storage services for OpenStack.
Supported operations
Create, delete, expand, attach, and detach volumes.
Create and delete a snapshot.
Copy an image to a volume.
Copy a volume to an image.
Create a volume from a snapshot.
Clone a volume.
Configure block storage nodes
1. Modify the cinder.conf configuration file and add volume_driver and
cinder_huawei_conf_file items.
Example for configuring a storage system:
volume_driver = cinder.volume.drivers.huawei.HuaweiVolumeDriver
cinder_huawei_conf_file = /etc/cinder/cinder_huawei_conf.xml
Example for configuring multiple storage systems:
enabled_backends = t_iscsi, 18000_iscsi
[t_iscsi]
volume_driver = cinder.volume.drivers.huawei.HuaweiVolumeDriver
cinder_huawei_conf_file = /etc/cinder/cinder_huawei_conf_t_iscsi.xml
volume_backend_name = HuaweiTISCSIDriver
[18000_iscsi]
volume_driver = cinder.volume.drivers.huawei.HuaweiVolumeDriver
cinder_huawei_conf_file = /etc/cinder/cinder_huawei_conf_18000_iscsi.xml
volume_backend_name = Huawei18000ISCSIDriver
2. In /etc/cinder, create a driver configuration file. The driver configuration file name must be
the same as the cinder_huawei_conf_file item in the cinder.conf configuration file.
3. Configure product and protocol.
Product and Protocol indicate the storage system type and link type respectively. For the
OceanStor 18000 series V100R001 storage systems, the driver configuration file is as follows:
<?xml version='1.0' encoding='UTF-8'?>
<config>
<Storage>
<Product>18000</Product>
<Protocol>iSCSI</Protocol>
<RestURL>https://x.x.x.x/deviceManager/rest/</RestURL>
<UserName>xxxxxxxx</UserName>
<UserPassword>xxxxxxxx</UserPassword>
</Storage>
<LUN>
<LUNType>Thick</LUNType>
<WriteType>1</WriteType>
<MirrorSwitch>0</MirrorSwitch>
<LUNcopyWaitInterval>5</LUNcopyWaitInterval>
<Timeout>432000</Timeout>
<StoragePool>xxxxxxxx</StoragePool>
</LUN>
<iSCSI>
<DefaultTargetIP>x.x.x.x</DefaultTargetIP>
<Initiator Name="xxxxxxxx" TargetIP="x.x.x.x"/>
<Initiator Name="xxxxxxxx" TargetIP="x.x.x.x"/>
</iSCSI>
<Host OSType="Linux" HostIP="x.x.x.x, x.x.x.x"/>
</config>
NOTE
Note for fibre channel driver configuration
In the configuration files of OceanStor T series V200R002 and OceanStor
V3 V300R002, parameter configurations are the same with the exception
of the RestURL parameter. The following describes how to configure the
RestURL parameter:
<RestURL>https://x.x.x.x:8088/deviceManager/rest/</RestURL>
For a Fibre Channel driver, you do not need to configure an iSCSI target IP
address. Delete the iSCSI configuration from the preceding examples.
<iSCSI>
<DefaultTargetIP>x.x.x.x</DefaultTargetIP>
<Initiator Name="xxxxxxxx" TargetIP="x.x.x.x"/>
<Initiator Name="xxxxxxxx" TargetIP="x.x.x.x"/>
</iSCSI>
This table describes the Huawei storage driver configuration options:
Table 2.9. Huawei storage driver configuration options
| Property | Type | Default | Description |
| Product | Mandatory | - | Type of a storage product. Valid values are T, TV3, or 18000. |
| Protocol | Mandatory | - | Type of a protocol. Valid values are iSCSI or FC. |
| RestURL | Mandatory | - | Access address of the Rest port (required only for the 18000) |
| UserName | Mandatory | - | User name of an administrator |
| UserPassword | Mandatory | - | Password of an administrator |
| LUNType | Optional | Thin | Type of a created LUN. Valid values are Thick or Thin. |
| StripUnitSize | Optional | 64 | Stripe depth of a created LUN. The value is expressed in KB. This flag is not valid for a thin LUN. |
| WriteType | Optional | 1 | Cache write method. The method can be write back, write through, or Required write back. The default value is 1, indicating write back. |
| MirrorSwitch | Optional | 1 | Cache mirroring policy. The default value is 1, indicating that a mirroring policy is used. |
| Prefetch Type | Optional | 3 | Cache prefetch strategy. The strategy can be constant prefetch, variable prefetch, or intelligent prefetch. Default value is 3, which indicates intelligent prefetch and is not required for the OceanStor 18000 series. |
| Prefetch Value | Optional | 0 | Cache prefetch value. |
| LUNcopyWaitInterval | Optional | 5 | After LUN copy is enabled, the plug-in frequently queries the copy progress. You can set a value to specify the query interval. |
| Timeout | Optional | 432,000 | Timeout period for waiting LUN copy of an array to complete. |
| StoragePool | Mandatory | - | Name of a storage pool that you want to use. |
| DefaultTargetIP | Optional | - | Default IP address of the iSCSI port provided for compute nodes. |
| Initiator Name | Optional | - | Name of a compute node initiator. |
| Initiator TargetIP | Optional | - | IP address of the iSCSI port provided for compute nodes. |
| OSType | Optional | Linux | The OS type for a compute node. |
| HostIP | Optional | - | The IPs for compute nodes. |
NOTE FOR THE CONFIGURATION
1. You can configure one iSCSI target port for each or all compute nodes. The
driver checks whether a target port IP address is configured for the current
compute node. If not, select DefaultTargetIP.
2. Only one storage pool can be configured.
3. For details about LUN configuration information, see the show lun
general command in the command-line interface (CLI) documentation or
run the help -c show lun general on the storage system CLI.
4. After the driver is loaded, the storage system obtains any modification of
the driver configuration file in real time and you do not need to restart the
cinder-volume service.
4. Restart the Cinder service.
2.1.13. IBM Storwize family and SVC volume driver
The volume management driver for Storwize family and SAN Volume Controller (SVC) provides
OpenStack Compute instances with access to IBM Storwize family or SVC storage systems.
2.1.13.1. Configure the Storwize family and SVC system
Network configuration
The Storwize family or SVC system must be configured for iSCSI, Fibre Channel, or both.
If using iSCSI, each Storwize family or SVC node should have at least one iSCSI IP address. The IBM
Storwize/SVC driver uses an iSCSI IP address associated with the volume's preferred node (if
available) to attach the volume to the instance, otherwise it uses the first available iSCSI IP address of
the system. The driver obtains the iSCSI IP address directly from the storage system; you do not need
to provide these iSCSI IP addresses directly to the driver.
NOTE
If using iSCSI, ensure that the compute nodes have iSCSI network access to the Storwize
family or SVC system.
NOTE
OpenStack Nova's Grizzly version supports iSCSI multipath. Once this is configured on
the Nova host (outside the scope of this documentation), multipath is enabled.
If using Fibre Channel (FC), each Storwize family or SVC node should have at least one WWPN port
configured. If the storwize_svc_multipath_enabled flag is set to True in the Cinder configuration
file, the driver uses all available WWPNs to attach the volume to the instance (details about the
configuration flags appear in the next section). If the flag is not set, the driver uses the WWPN
associated with the volume's preferred node (if available), otherwise it uses the first available WWPN of
the system. The driver obtains the WWPNs directly from the storage system; you do not need to
provide these WWPNs directly to the driver.
NOTE
If using FC, ensure that the compute nodes have FC connectivity to the Storwize family
or SVC system.
iSCSI CHAP authentication
If using iSCSI for data access and storwize_svc_iscsi_chap_enabled is set to True, the
driver will associate randomly-generated CHAP secrets with all hosts on the Storwize family system.
OpenStack compute nodes use these secrets when creating iSCSI connections.
NOTE
CHAP secrets are added to existing hosts as well as newly-created ones. If the CHAP
option is enabled, hosts will not be able to access the storage without the generated
secrets.
NOTE
Not all OpenStack Compute drivers support CHAP authentication. Check compatibility
before using.
NOTE
CHAP secrets are passed from OpenStack Block Storage to Compute in clear text. This
communication should be secured to ensure that CHAP secrets are not discovered.
Configure storage pools
Each instance of the IBM Storwize/SVC driver allocates all volumes in a single pool. The pool should be
created in advance and be provided to the driver using the storwize_svc_volpool_name
configuration flag. Details about the configuration flags and how to provide the flags to the driver
appear in the next section.
Configure user authentication for the driver
The driver requires access to the Storwize family or SVC system management interface. The driver
communicates with the management interface using SSH. The driver should be provided with the Storwize
family or SVC management IP using the san_ip flag, and the management port should be provided by
the san_ssh_port flag. By default, the port value is configured to be port 22 (SSH).
NOTE
Make sure the compute node running the cinder-volume management driver has SSH
network access to the storage system.
To allow the driver to communicate with the Storwize family or SVC system, you must provide the
driver with a user on the storage system. The driver has two authentication methods: password-based
authentication and SSH key pair authentication. The user should have an Administrator role. It is
suggested to create a new user for the management driver. Consult your storage and security
administrator regarding the preferred authentication method and how passwords or SSH keys should
be stored in a secure manner.
NOTE
When creating a new user on the Storwize or SVC system, make sure the user belongs to
the Administrator group or to another group that has an Administrator role.
If using password authentication, assign a password to the user on the Storwize or SVC system. The
driver configuration flags for the user and password are san_login and san_password, respectively.
If you are using the SSH key pair authentication, create SSH private and public keys using the
instructions below or by any other method. Associate the public key with the user by uploading the
public key: select the "choose file" option in the Storwize family or SVC management GUI under "SSH
public key". Alternatively, you may associate the SSH public key using the command line interface;
details can be found in the Storwize and SVC documentation. The private key should be provided to the
driver using the san_private_key configuration flag.
Create an SSH key pair with OpenSSH
You can create an SSH key pair using OpenSSH, by running:
$ ssh-keygen -t rsa
The command prompts for a file to save the key pair. For example, if you select 'key' as the filename,
two files are created: key and key.pub. The key file holds the private SSH key and key.pub holds the
public SSH key.
The command also prompts for a pass phrase, which should be empty.
The private key file should be provided to the driver using the san_private_key configuration flag.
The public key should be uploaded to the Storwize family or SVC system using the storage
management GUI or command line interface.
NOTE
Ensure that Cinder has read permissions on the private key file.
2.1.13.2. Configure the Storwize family and SVC driver
Enable the Storwize family and SVC driver
Set the volume driver to the Storwize family and SVC driver by setting the volume_driver option in
cinder.conf as follows:
volume_driver = cinder.volume.drivers.ibm.storwize_svc.StorwizeSVCDriver
Storwize family and SVC driver options in cinder.conf
The following options specify default values for all volumes. Some can be overridden using volume
types, which are described below.
Table 2.10. List of configuration flags for Storwize storage and SVC driver
| Flag name | Type | Default | Description |
|---|---|---|---|
| san_ip | Required | | Management IP or host name |
| san_ssh_port | Optional | 22 | Management port |
| san_login | Required | | Management login username |
| san_password | Required [a] | | Management login password |
| san_private_key | Required [a] | | Management login SSH private key |
| storwize_svc_volpool_name | Required | | Default pool name for volumes |
| storwize_svc_vol_rsize | Optional | 2 | Initial physical allocation (percentage) [b] |
| storwize_svc_vol_warning | Optional | 0 (disabled) | Space allocation warning threshold (percentage) [b] |
| storwize_svc_vol_autoexpand | Optional | True | Enable or disable volume auto expand [c] |
| storwize_svc_vol_grainsize | Optional | 256 | Volume grain size [b] in KB |
| storwize_svc_vol_compression | Optional | False | Enable or disable Real-time Compression [d] |
| storwize_svc_vol_easytier | Optional | True | Enable or disable Easy Tier [e] |
| storwize_svc_vol_iogrp | Optional | 0 | The I/O group in which to allocate vdisks |
| storwize_svc_flashcopy_timeout | Optional | 120 | FlashCopy timeout threshold [f] (seconds) |
| storwize_svc_connection_protocol | Optional | iSCSI | Connection protocol to use (currently supports 'iSCSI' or 'FC') |
| storwize_svc_iscsi_chap_enabled | Optional | True | Configure CHAP authentication for iSCSI connections |
| storwize_svc_multipath_enabled | Optional | False | Enable multipath for FC connections [g] |
| storwize_svc_multihost_enabled | Optional | True | Enable mapping vdisks to multiple hosts [h] |
| storwize_svc_vol_nofmtdisk | Optional | False | Enable or disable fast format [i] |
[a] The authentication requires either a password (san_password) or SSH private key (san_private_key).
One must be specified. If both are specified, the driver uses only the SSH private key.
[b] The driver creates thin-provisioned volumes by default. The storwize_svc_vol_rsize flag defines the initial
physical allocation percentage for thin-provisioned volumes, or if set to -1, the driver creates fully allocated volumes.
More details about the available options are available in the Storwize family and SVC documentation.
[c] Defines whether thin-provisioned volumes can be auto expanded by the storage system. A value of True means that
auto expansion is enabled; a value of False disables auto expansion. Details about this option can be found in the
-autoexpand flag of the Storwize family and SVC command line interface mkvdisk command.
[d] Defines whether Real-time Compression is used for the volumes created with OpenStack. Details on Real-time
Compression can be found in the Storwize family and SVC documentation. The Storwize or SVC system must have
compression enabled for this feature to work.
[e] Defines whether Easy Tier is used for the volumes created with OpenStack. Details on Easy Tier can be found in the
Storwize family and SVC documentation. The Storwize or SVC system must have Easy Tier enabled for this feature to
work.
[f] The driver wait timeout threshold when creating an OpenStack snapshot. This is actually the maximum amount of time
that the driver waits for the Storwize family or SVC system to prepare a new FlashCopy mapping. The driver accepts a
maximum wait time of 600 seconds (10 minutes).
[g] Multipath for iSCSI connections requires no storage-side configuration and is enabled if the compute host has
multipath configured.
[h] This option allows the driver to map a vdisk to more than one host at a time. This scenario occurs during migration of a
virtual machine with an attached volume; the volume is simultaneously mapped to both the source and destination
compute hosts. If your deployment does not require attaching vdisks to multiple hosts, setting this flag to False will
provide added safety.
[i] Defines whether or not the fast formatting of thick-provisioned volumes is disabled at creation. The default value is
False and a value of True means that fast format is disabled. Details about this option can be found in the
-nofmtdisk flag of the Storwize family and SVC command line interface mkvdisk command.
Table 2.11. Description of IBM Storwize driver configuration options
Configuration option = Default value
Description
[DEFAULT]
storwize_svc_allow_tenant_qos = False
(BoolOpt) Allow tenants to specify QOS on create
storwize_svc_connection_protocol = iSCSI
(StrOpt) Connection protocol (iSCSI/FC)
storwize_svc_flashcopy_timeout = 120
(IntOpt) Maximum number of seconds to wait for
FlashCopy to be prepared.
storwize_svc_iscsi_chap_enabled = True
(BoolOpt) Configure CHAP authentication for iSCSI
connections (Default: Enabled)
storwize_svc_multihostmap_enabled = True
(BoolOpt) Allows vdisk to multi host mapping
storwize_svc_multipath_enabled = False
(BoolOpt) Connect with multipath (FC only; iSCSI
multipath is controlled by Nova)
storwize_svc_npiv_compatibility_mode = True
(BoolOpt) Indicate whether svc driver is compatible
for NPIV setup. If it is compatible, it will allow no
wwpns being returned on get_conn_fc_wwpns
during initialize_connection. It should always be set
to True. It will be deprecated and removed in M
release.
storwize_svc_stretched_cluster_partner = None
(StrOpt) If operating in stretched cluster mode,
specify the name of the pool in which mirrored
copies are stored. Example: "pool2"
storwize_svc_vol_autoexpand = True
(BoolOpt) Storage system autoexpand parameter
for volumes (True/False)
storwize_svc_vol_compression = False
(BoolOpt) Storage system compression option for
volumes
storwize_svc_vol_easytier = True
(BoolOpt) Enable Easy Tier for volumes
storwize_svc_vol_grainsize = 256
(IntOpt) Storage system grain size parameter for
volumes (32/64/128/256)
storwize_svc_vol_iogrp = 0
(IntOpt) The I/O group in which to allocate volumes
storwize_svc_vol_rsize = 2
(IntOpt) Storage system space-efficiency parameter
for volumes (percentage)
storwize_svc_vol_warning = 0
(IntOpt) Storage system threshold for volume
capacity warnings (percentage)
storwize_svc_volpool_name = volpool
(StrOpt) Storage system storage pool for volumes
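The rules stated in this section and in the footnotes to Table 2.10 can be checked before cinder-volume is started. The following is an added example, not code from the driver or from Red Hat: audit_storwize and check_key_file are hypothetical helpers, option names follow Table 2.11, and the sample configuration, the /nonexistent key path and the file-mode check are assumptions.

```python
import configparser
import os
import stat

# Defaults as listed in Table 2.11 of this page.
DEFAULTS = {
    "storwize_svc_connection_protocol": "iSCSI",
    "storwize_svc_iscsi_chap_enabled": "True",
    "storwize_svc_multihostmap_enabled": "True",
    "storwize_svc_flashcopy_timeout": "120",
    "storwize_svc_vol_grainsize": "256",
}
REQUIRED = ("san_ip", "san_login", "storwize_svc_volpool_name")
BOOLEANS = configparser.ConfigParser.BOOLEAN_STATES  # 'true', 'on', '0', ...


def check_key_file(path):
    """Findings for the file named by san_private_key.

    Assumption of this example: group/other access is reported, because the
    key has no pass phrase and belongs to an Administrator-role user.
    """
    try:
        mode = stat.S_IMODE(os.stat(path).st_mode)
    except OSError as exc:
        return [("error", f"san_private_key {path}: {exc.strerror}")]
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        return [("warn", f"san_private_key {path} has mode {mode:o}; "
                         "restrict it to the cinder user")]
    return []


def audit_storwize(conf_text, section="DEFAULT"):
    """Return (severity, message) findings for one Storwize/SVC back end."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    opts = {**DEFAULTS, **dict(parser[section])}
    out = []

    def flag(name):
        return BOOLEANS.get(opts[name].strip().lower(), False)

    def number(name):
        try:
            return int(opts[name])
        except ValueError:
            out.append(("error", f"{name} must be an integer"))
            return None

    for name in REQUIRED:
        if not opts.get(name):
            out.append(("error", f"{name} is required"))

    password, key = opts.get("san_password"), opts.get("san_private_key")
    if not password and not key:
        out.append(("error", "set san_password or san_private_key"))
    elif password and key:
        # Footnote [a]: when both are set, only the SSH private key is used.
        out.append(("warn", "san_password is unused when san_private_key "
                            "is set; remove it from cinder.conf"))
    if key:
        out.extend(check_key_file(key))

    protocol = opts["storwize_svc_connection_protocol"]
    if protocol not in ("iSCSI", "FC"):
        out.append(("error", f"unsupported connection protocol {protocol!r}"))
    if protocol == "iSCSI" and not flag("storwize_svc_iscsi_chap_enabled"):
        out.append(("warn", "CHAP is disabled for iSCSI connections"))
    if flag("storwize_svc_multihostmap_enabled"):
        # Footnote [h]: False is safer when no vdisk needs two hosts at once.
        out.append(("info", "vdisks can be mapped to several hosts at once"))

    timeout = number("storwize_svc_flashcopy_timeout")
    if timeout is not None and timeout > 600:
        out.append(("error", "storwize_svc_flashcopy_timeout is above the "
                             "600 second maximum"))
    grain = number("storwize_svc_vol_grainsize")
    if grain is not None and grain not in (32, 64, 128, 256):
        out.append(("error", "storwize_svc_vol_grainsize must be 32, 64, "
                             "128 or 256"))
    return out


# Constructed sample input, not taken from a real deployment.
SAMPLE_CONF = """
[DEFAULT]
san_ip = 192.0.2.10
san_login = cinder-svc
san_password = example-only
san_private_key = /nonexistent/storwize_key
storwize_svc_volpool_name = openstackpool
storwize_svc_iscsi_chap_enabled = False
storwize_svc_flashcopy_timeout = 900
"""

if __name__ == "__main__":
    for severity, message in audit_storwize(SAMPLE_CONF):
        print(f"{severity:5} {message}")
```

Pass a back-end section name as the second argument when the options are not kept in [DEFAULT].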
Placement with volume types
The IBM Storwize/SVC driver exposes capabilities that can be added to the extra specs of volume
types, and used by the filter scheduler to determine placement of new volumes. Make sure to prefix
these keys with capabilities: to indicate that the scheduler should use them. The following extra
specs are supported:
capabilities:volume_backend_name - Specify a specific back-end where the volume should be
created. The back-end name is a concatenation of the name of the IBM Storwize/SVC storage
system as shown in lssystem, an underscore, and the name of the pool (mdisk group). For
example:
capabilities:volume_backend_name=myV7000_openstackpool
capabilities:compression_support - Specify a back-end according to compression support. A
value of True should be used to request a back-end that supports compression, and a value of
False will request a back-end that does not support compression. If you do not have
constraints on compression support, do not set this key. Note that specifying True does not
enable compression; it only requests that the volume be placed on a back-end that supports
compression. Example syntax:
capabilities:compression_support='<is> True'
capabilities:easytier_support - Similar semantics as the compression_support key, but for
specifying according to support of the Easy Tier feature. Example syntax:
capabilities:easytier_support='<is> True'
capabilities:storage_protocol - Specifies the connection protocol used to attach volumes of
this type to instances. Legal values are iSCSI and FC. This extra specs value is used for
both placement and setting the protocol used for this volume. In the example syntax, note <in>
is used as opposed to <is> used in the previous examples.
capabilities:storage_protocol='<in> FC'
Configure per-volume creation options
Volume types can also be used to pass options to the IBM Storwize/SVC driver, which override the
default values set in the configuration file. Contrary to the previous examples where the "capabilities"
scope was used to pass parameters to the Cinder scheduler, options can be passed to the IBM
Storwize/SVC driver with the "drivers" scope.
The following extra specs keys are supported by the IBM Storwize/SVC driver:
rsize
warning
autoexpand
grainsize
compression
easytier
multipath
iogrp
These keys have the same semantics as their counterparts in the configuration file. They are set
similarly; for example, rsize=2 or compression=False.
Example: Volume types
In the following example, we create a volume type to specify a controller that supports iSCSI and
compression, to use iSCSI when attaching the volume, and to enable compression:
$ cinder type-create compressed
$ cinder type-key compressed set capabilities:storage_protocol='<in> iSCSI' \
    capabilities:compression_support='<is> True' drivers:compression=True
We can then create a 50GB volume using this type:
$ cinder create --display-name "compressed volume" --volume-type compressed 50
Volume types can be used, for example, to provide users with different:
performance levels (such as, allocating entirely on an HDD tier, using Easy Tier for an HDD-SSD mix, or allocating entirely on an SSD tier)
resiliency levels (such as, allocating volumes in pools with different RAID levels)
features (such as, enabling/disabling Real-time Compression)
QOS
The Storwize driver provides QOS support for storage volumes by controlling the I/O amount. QOS is
enabled by editing the /etc/cinder/cinder.conf file and setting
storwize_svc_allow_tenant_qos to True.
There are three ways to set the Storwize IOThrottling parameter for storage volumes:
Add the qos:IOThrottling key into a QOS specification and associate it with a volume type.
Add the qos:IOThrottling key into an extra specification with a volume type.
Add the qos:IOThrottling key to the storage volume metadata.
NOTE
If you are changing a volume type with QOS to a new volume type without QOS, the QOS
configuration settings will be removed.
2.1.13.3. Operational notes for the Storwize family and SVC driver
Migrate volumes
In the context of OpenStack Block Storage's volume migration feature, the IBM Storwize/SVC driver
enables the storage's virtualization technology. When migrating a volume from one pool to another, the
volume will appear in the destination pool almost immediately, while the storage moves the data in the
background.
NOTE
To enable this feature, both pools involved in a given volume migration must have the
same values for extent_size. If the pools have different values for extent_size, the
data will still be moved directly between the pools (not host-side copy), but the
operation will be synchronous.
Extend volumes
The IBM Storwize/SVC driver allows for extending a volume's size, but only for volumes without
snapshots.
Snapshots and clones
Snapshots are implemented using FlashCopy with no background copy (space-efficient). Volume
clones (volumes created from existing volumes) are implemented with FlashCopy, but with
background copy enabled. This means that volume clones are independent, full copies. While this
background copy is taking place, attempting to delete or extend the source volume will result in that
operation waiting for the copy to complete.
Volume retype
The IBM Storwize/SVC driver enables you to modify volume types. When you modify volume types, you
can also change these extra specs properties:
rsize
warning
autoexpand
grainsize
compression
easytier
iogrp
nofmtdisk
NOTE
When you change the rsize, grainsize or compression properties, volume copies
are asynchronously synchronized on the array.
NOTE
To change the iogrp property, IBM Storwize/SVC firmware version 6.4.0 or later is
required.
2.1.14. IBM XIV and DS8000 volume driver
The IBM Storage Driver for OpenStack is a Block Storage driver that supports IBM XIV and IBM
DS8000 storage systems over Fibre Channel and iSCSI.
Set the following in your cinder.conf, and use the following options to configure it.
volume_driver = cinder.volume.drivers.xiv_ds8k.XIVDS8KDriver
Table 2.12. Description of IBM XIV and DS8000 volume driver configuration options
Configuration option = Default value
Description
[DEFAULT]
san_clustername =
(StrOpt) Cluster name to use for creating volumes
san_ip =
(StrOpt) IP address of SAN controller
san_login = admin
(StrOpt) Username for SAN controller
san_password =
(StrOpt) Password for SAN controller
xiv_chap = disabled
(StrOpt) CHAP authentication mode, effective only
for iscsi (disabled|enabled)
xiv_ds8k_connection_type = iscsi
(StrOpt) Connection type to the IBM Storage Array
xiv_ds8k_proxy = xiv_ds8k_openstack.nova_proxy.XIVDS8KNovaProxy
(StrOpt) Proxy driver that connects to the IBM
Storage Array
NOTE
To use the IBM Storage Driver for OpenStack you must download and install the
package available at: http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=Enterprise%2BStorage%2BServers&product=ibm/Storage_Disk/XIV+Storage+System+%2
For full documentation refer to IBM's online documentation available at
http://pic.dhe.ibm.com/infocenter/strhosts/ic/topic/com.ibm.help.strghosts.doc/novahomepage.html.
2.1.15. LVM
The default volume back-end uses local volumes managed by LVM.
This driver supports different transport protocols to attach volumes, currently iSCSI and iSER.
NOTE
The Block Storage iSCSI LVM driver has significant performance issues. In production
environments, with high I/O activity, there are many potential issues which could affect
performance or data integrity.
Red Hat strongly recommends using a certified Block Storage plug-in provider for
storage in a production environment. The software iSCSI LVM driver should be used only for,
and is supported only for, single node evaluations and proof of concept environments.
Set the following in your cinder.conf configuration file, and use the following options to configure
for iSCSI transport:
volume_driver = cinder.volume.drivers.lvm.LVMVolumeDriver
iscsi_protocol = iscsi
Use the following options to configure for the iSER transport:
volume_driver = cinder.volume.drivers.lvm.LVMVolumeDriver
iscsi_protocol = iser
Table 2.13. Description of LVM configuration options
Configuration option = Default value
Description
[DEFAULT]
lvm_conf_file = /etc/cinder/lvm.conf
(StrOpt) LVM conf file to use for the LVM driver in
Cinder; this setting is ignored if the specified file
does not exist (You can also specify 'None' to not
use a conf file even if one exists).
lvm_mirrors = 0
(IntOpt) If >0, create LVs with multiple mirrors. Note
that this requires lvm_mirrors + 2 PVs with available
space
lvm_type = default
(StrOpt) Type of LVM volumes to deploy; (default,
thin, or auto). Auto defaults to thin if thin is
supported.
volume_group = cinder-volumes
(StrOpt) Name for the VG that will contain exported
volumes
2.1.16. NetApp unified driver
The NetApp unified driver is a block storage driver that supports multiple storage families and
protocols. A storage family corresponds to storage systems built on different NetApp technologies
such as clustered Data ONTAP, Data ONTAP operating in 7-Mode, and E-Series. The storage protocol
refers to the protocol used to initiate data storage and access operations on those storage systems
like iSCSI and NFS. The NetApp unified driver can be configured to provision and manage OpenStack
volumes on a given storage family using a specified storage protocol. The OpenStack volumes can then
be used for accessing and storing data using the storage protocol on the storage family system. The
NetApp unified driver is an extensible interface that can support new storage families and protocols.
NOTE
With the Juno release of OpenStack, OpenStack Block Storage has introduced the
concept of "storage pools", in which a single OpenStack Block Storage back end may
present one or more logical storage resource pools from which OpenStack Block
Storage will select as a storage location when provisioning volumes.
In releases prior to Juno, the NetApp unified driver contained some "scheduling" logic
that determined which NetApp storage container (namely, a FlexVol volume for Data
ONTAP, or a dynamic disk pool for E-Series) a new OpenStack Block Storage
volume would be placed into.
With the introduction of pools, all scheduling logic is performed completely within the
OpenStack Block Storage scheduler, as each NetApp storage container is directly
exposed to the OpenStack Block Storage scheduler as a storage pool; whereas
previously, the NetApp unified driver presented an aggregated view to the scheduler
and made a final placement decision as to which NetApp storage container the
OpenStack Block Storage volume would be provisioned into.
2.1.16.1. NetApp clustered Data ONTAP storage family
The NetApp clustered Data ONTAP storage family represents a configuration group which provides
OpenStack compute instances access to clustered Data ONTAP storage systems. At present it can be
configured in OpenStack Block Storage to work with iSCSI and NFS storage protocols.
2.1.16.1.1. NetApp iSCSI configuration for clustered Data ONTAP
The NetApp iSCSI configuration for clustered Data ONTAP is an interface from OpenStack to clustered
Data ONTAP storage systems for provisioning and managing the SAN block storage entity; that is, a
NetApp LUN which can be accessed using the iSCSI protocol.
The iSCSI configuration for clustered Data ONTAP is a direct interface from OpenStack Block Storage
to the clustered Data ONTAP instance and as such does not require additional management software
to achieve the desired functionality. It uses NetApp APIs to interact with the clustered Data ONTAP
instance.
Configuration options for clustered Data ONTAP family with iSCSI protocol
Configure the volume driver, storage family and storage protocol to the NetApp unified driver,
clustered Data ONTAP, and iSCSI respectively by setting the volume_driver,
netapp_storage_family and netapp_storage_protocol options in cinder.conf as follows:
volume_driver = cinder.volume.drivers.netapp.common.NetAppDriver
netapp_storage_family = ontap_cluster
netapp_storage_protocol = iscsi
netapp_vserver = openstack-vserver
netapp_server_hostname = myhostname
netapp_server_port = port
netapp_login = username
netapp_password = password
NOTE
To use the iSCSI protocol, you must override the default value of
netapp_storage_protocol with iscsi.
Table 2.14. Description of NetApp cDOT iSCSI driver configuration options
Configuration option = Default value
Description
[DEFAULT]
netapp_login = None
(StrOpt) Administrative user account name used to
access the storage system or proxy server.
netapp_lun_ostype = None
(StrOpt) This option defines the type of operating
system that will access a LUN exported from Data
ONTAP; it is assigned to the LUN at the time it is
created.
netapp_lun_space_reservation = enabled
(StrOpt) This option determines if storage space is
reserved for LUN allocation. If enabled, LUNs are
thick provisioned. If space reservation is disabled,
storage space is allocated on demand.
netapp_partner_backend_name = None
(StrOpt) The name of the config.conf stanza for a
Data ONTAP (7-mode) HA partner. This option is
only used by the driver when connecting to an
instance with a storage family of Data ONTAP
operating in 7-Mode, and it is required if the storage
protocol selected is FC.
netapp_password = None
(StrOpt) Password for the administrative user
account specified in the netapp_login option.
netapp_pool_name_search_pattern = (.+)
(StrOpt) This option is used to restrict provisioning
to the specified pools. Specify the value of this
option to be a regular expression which will be
applied to the names of objects from the storage
backend which represent pools in Cinder. This option
is only utilized when the storage protocol is
configured to use iSCSI or FC.
netapp_server_hostname = None
(StrOpt) The hostname (or IP address) for the
storage system or proxy server.
netapp_server_port = None
(IntOpt) The TCP port to use for communication with
the storage system or proxy server. If not specified,
Data ONTAP drivers will use 80 for HTTP and 443
for HTTPS; E-Series will use 8080 for HTTP and
8443 for HTTPS.
netapp_size_multiplier = 1.2
(FloatOpt) The quantity to be multiplied by the
requested volume size to ensure enough space is
available on the virtual storage server (Vserver) to
fulfill the volume creation request. Note: this option
is deprecated and will be removed in favor of
"reserved_percentage" in the Mitaka release.
netapp_storage_family = ontap_cluster
(StrOpt) The storage family type used on the
storage system; valid values are ontap_7mode for
using Data ONTAP operating in 7-Mode,
ontap_cluster for using clustered Data ONTAP, or
eseries for using E-Series.
netapp_storage_protocol = None
(StrOpt) The storage protocol to be used on the data
path with the storage system.
netapp_transport_type = http
(StrOpt) The transport protocol used when
communicating with the storage system or proxy
server.
netapp_vserver = None
(StrOpt) This option specifies the virtual storage
server (Vserver) name on the storage cluster on
which provisioning of block storage volumes should
occur.
NOTE
If you specify an account in the netapp_login that only has virtual storage server
(Vserver) administration privileges (rather than cluster-wide administration privileges),
some advanced features of the NetApp unified driver will not work and you may see
warnings in the OpenStack Block Storage logs.
TIP
For more information on these options and other deployment and operational scenarios, visit the
NetApp OpenStack Deployment and Operations Guide.
2.1.16.1.2. NetApp NFS configuration for clustered Data ONTAP
The NetApp NFS configuration for clustered Data ONTAP is an interface from OpenStack to a clustered
Data ONTAP system for provisioning and managing OpenStack volumes on NFS exports provided by
the clustered Data ONTAP system that are accessed using the NFS protocol.
The NFS configuration for clustered Data ONTAP is a direct interface from OpenStack Block Storage
to the clustered Data ONTAP instance and as such does not require any additional management
software to achieve the desired functionality. It uses NetApp APIs to interact with the clustered Data
ONTAP instance.
Configuration options for the clustered Data ONTAP family with NFS protocol
Configure the volume driver, storage family, and storage protocol to NetApp unified driver, clustered
Data ONTAP, and NFS respectively by setting the volume_driver, netapp_storage_family and
netapp_storage_protocol options in cinder.conf as follows:
volume_driver = cinder.volume.drivers.netapp.common.NetAppDriver
netapp_storage_family = ontap_cluster
netapp_storage_protocol = nfs
netapp_vserver = openstack-vserver
netapp_server_hostname = myhostname
netapp_server_port = port
netapp_login = username
netapp_password = password
nfs_shares_config = /etc/cinder/nfs_shares
Table 2.15. Description of NetApp cDOT NFS driver configuration options
Configuration option = Default value
Description
[DEFAULT]
expiry_thres_minutes = 720
(IntOpt) This option specifies the threshold for last
access time for images in the NFS image cache.
When a cache cleaning cycle begins, images in the
cache that have not been accessed in the last M
minutes, where M is the value of this parameter, will
be deleted from the cache to create free space on
the NFS share.
netapp_copyoffload_tool_path = None
(StrOpt) This option specifies the path of the NetApp
copy offload tool binary. Ensure that the binary has
execute permissions set which allow the effective
user of the cinder-volume process to execute the
file.
netapp_host_type = None
(StrOpt) This option defines the type of operating
system for all initiators that can access a LUN. This
information is used when mapping LUNs to
individual hosts or groups of hosts.
netapp_login = None
(StrOpt) Administrative user account name used to
access the storage system or proxy server.
netapp_lun_ostype = None
(StrOpt) This option defines the type of operating
system that will access a LUN exported from Data
ONTAP; it is assigned to the LUN at the time it is
created.
netapp_partner_backend_name = None
(StrOpt) The name of the config.conf stanza for a
Data ONTAP (7-mode) HA partner. This option is
only used by the driver when connecting to an
instance with a storage family of Data ONTAP
operating in 7-Mode, and it is required if the storage
protocol selected is FC.
netapp_password = None
(StrOpt) Password for the administrative user
account specified in the netapp_login option.
netapp_pool_name_search_pattern = (.+)
(StrOpt) This option is used to restrict provisioning
to the specified pools. Specify the value of this
option to be a regular expression which will be
applied to the names of objects from the storage
backend which represent pools in Cinder. This option
is only utilized when the storage protocol is
configured to use iSCSI or FC.
netapp_server_hostname = None
(StrOpt) The hostname (or IP address) for the
storage system or proxy server.
netapp_server_port = None
(IntOpt) The TCP port to use for communication with
the storage system or proxy server. If not specified,
Data ONTAP drivers will use 80 for HTTP and 443
for HTTPS; E-Series will use 8080 for HTTP and
8443 for HTTPS.
netapp_storage_family = ontap_cluster
(StrOpt) The storage family type used on the
storage system; valid values are ontap_7mode for
using Data ONTAP operating in 7-Mode,
ontap_cluster for using clustered Data ONTAP, or
eseries for using E-Series.
netapp_storage_protocol = None
(StrOpt) The storage protocol to be used on the data
path with the storage system.
netapp_transport_type = http
(StrOpt) The transport protocol used when
communicating with the storage system or proxy
server.
netapp_vserver = None
(StrOpt) This option specifies the virtual storage
server (Vserver) name on the storage cluster on
which provisioning of block storage volumes should
occur.
thres_avl_size_perc_start = 20
(IntOpt) If the percentage of available space for an
NFS share has dropped below the value specified by
this option, the NFS image cache will be cleaned.
thres_avl_size_perc_stop = 60
(IntOpt) When the percentage of available space on
an NFS share has reached the percentage specified
by this option, the driver will stop clearing files from
the NFS image cache that have not been accessed in
the last M minutes, where M is the value of the
expiry_thres_minutes configuration option.
NOTE
Additional NetApp NFS configuration options are shared with the generic NFS driver.
These options can be found here: Table 2.20, “Description of NFS storage configuration
options”.
NOTE
If you specify an account in the netapp_login that only has virtual storage server
(Vserver) administration privileges (rather than cluster-wide administration privileges),
some advanced features of the NetApp unified driver will not work and you may see
warnings in the OpenStack Block Storage logs.
NetApp NFS Copy Offload client
A feature was added in the Icehouse release of the NetApp unified driver that enables Image Service
images to be efficiently copied to a destination Block Storage volume. When the Block Storage and
Image Service are configured to use the NetApp NFS Copy Offload client, a controller-side copy will be
attempted before reverting to downloading the image from the Image Service. This improves image
provisioning times while reducing the consumption of bandwidth and CPU cycles on the host(s) running
the Image and Block Storage services. This is due to the copy operation being performed completely
within the storage cluster.
The NetApp NFS Copy Offload client can be used in either of the following scenarios:
The Image Service is configured to store images in an NFS share that is exported from a
NetApp FlexVol volume and the destination for the new Block Storage volume will be on an
NFS share exported from a different FlexVol volume than the one used by the Image Service.
Both FlexVols must be located within the same cluster.
The source image from the Image Service has already been cached in an NFS image cache
within a Block Storage backend. The cached image resides on a different FlexVol volume than
the destination for the new Block Storage volume. Both FlexVols must be located within the
same cluster.
To use this feature, you must configure the Image Service, as follows:
Set the default_store configuration option to file.
Set the filesystem_store_datadir configuration option to the path to the Image Service
NFS export.
Set the show_image_direct_url configuration option to True.
Set the show_multiple_locations configuration option to True.
IMPORTANT
If configured without the proper policy settings, a non-admin user of the Image
Service can replace active image data (that is, switch out a current image
without other users knowing). See the OSSN announcement (recommended
actions) for configuration information:
https://wiki.openstack.org/wiki/OSSN/OSSN-0065
Set the filesystem_store_metadata_file configuration option to a metadata file. The
metadata file should contain a JSON object that contains the correct information about the
NFS export used by the Image Service, similar to:
{
"share_location": "nfs://192.168.0.1/myGlanceExport",
"mount_point": "/var/lib/glance/images",
"type": "nfs"
}
To use this feature, you must configure the Block Storage service, as follows:
Set the netapp_copyoffload_tool_path configuration option to the path to the NetApp
Copy Offload binary.
Set the glance_api_version configuration option to 2.
IMPORTANT
This feature requires that:
The storage system must have Data ONTAP v8.2 or greater installed.
The vStorage feature must be enabled on each storage virtual machine (SVM,
also known as a Vserver) that is permitted to interact with the copy offload
client.
To configure the copy offload workflow, enable NFS v4.0 or greater and export
it from the SVM.
TIP
To download the NetApp copy offload binary to be utilized in conjunction with the
netapp_copyoffload_tool_path configuration option, visit the Utility Toolchest page at the
NetApp Support portal (login is required).
TIP
For more information on these options and other deployment and operational scenarios, visit the
NetApp OpenStack Deployment and Operations Guide.
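The following check is an added example, not part of the Red Hat or NetApp documentation: it verifies the Image Service settings listed above for copy offload and reports when show_multiple_locations is True while the image location policies are left open, the condition the IMPORTANT note refers to. The function names, the sample files, the section names in the sample and the three location policy names are assumptions (the policy names come from the Image Service policy file, not from this page); the OSSN remains the authoritative source for the recommended rules.

```python
import configparser
import json

# Values the copy offload procedure above asks for in the Image Service config.
REQUIRED = {
    "default_store": "file",
    "show_image_direct_url": "true",
    "show_multiple_locations": "true",
}
# Assumption: policy targets that govern image locations in the Image Service.
LOCATION_RULES = ("get_image_location", "set_image_location",
                  "delete_image_location")

# Constructed sample inputs (the metadata object is the one shown on this page).
GLANCE_CONF = """
[DEFAULT]
show_image_direct_url = True
show_multiple_locations = True

[glance_store]
default_store = file
filesystem_store_datadir = /var/lib/glance/images
filesystem_store_metadata_file = /etc/glance/filesystem_store_metadata.json
"""
METADATA = """{
  "share_location": "nfs://192.168.0.1/myGlanceExport",
  "mount_point": "/var/lib/glance/images",
  "type": "nfs"
}"""
POLICY_OPEN = json.dumps({"default": "role:admin", "get_image_location": "",
                          "set_image_location": "", "delete_image_location": ""})
POLICY_ADMIN = json.dumps({rule: "role:admin" for rule in LOCATION_RULES})


def flatten(conf_text):
    """Merge every section into one dict so the check does not depend on
    which section an option was placed in."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    opts = dict(cp.defaults())
    for section in cp.sections():
        opts.update(cp.items(section))
    return opts


def check_copy_offload(conf_text, metadata_text, policy_text):
    """Return a list of problems; an empty list means the checks passed."""
    problems = []
    opts = flatten(conf_text)
    for key, want in REQUIRED.items():
        if opts.get(key, "").lower() != want:
            problems.append("%s must be %s" % (key, want))
    for key in ("filesystem_store_datadir", "filesystem_store_metadata_file"):
        if not opts.get(key):
            problems.append(key + " is not set")

    # The metadata file must be a JSON object describing the NFS export.
    try:
        meta = json.loads(metadata_text)
    except ValueError:
        meta = None
    if not isinstance(meta, dict):
        problems.append("metadata file is not a JSON object")
    else:
        for key in ("share_location", "mount_point", "type"):
            if not meta.get(key):
                problems.append("metadata file lacks " + key)

    # With multiple locations exposed, an empty rule string means "always
    # allow", so any user could alter image locations.
    if opts.get("show_multiple_locations", "").lower() == "true":
        policy = json.loads(policy_text)
        for rule in LOCATION_RULES:
            effective = policy.get(rule, policy.get("default"))
            if effective == "":
                problems.append("policy %s is unrestricted while "
                                "show_multiple_locations is True (OSSN-0065)"
                                % rule)
    return problems


if __name__ == "__main__":
    for problem in check_copy_offload(GLANCE_CONF, METADATA, POLICY_OPEN):
        print(problem)
```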
2.1.16.1.3. NetApp-supported extra specs for clustered Data ONTAP
Extra specs enable vendors to specify extra filter criteria that the Block Storage scheduler uses when
it determines which volume node should fulfill a volume provisioning request. When you use the
NetApp unified driver with a clustered Data ONTAP storage system, you can leverage extra specs with
OpenStack Block Storage volume types to ensure that OpenStack Block Storage volumes are created
on storage back ends that have certain properties, for example, back ends configured with QoS,
mirroring, or compression.
Extra specs are associated with OpenStack Block Storage volume types, so that when users request
volumes of a particular volume type, the volumes are created on storage back ends that meet the list
of requirements. For example, the back ends have the available space or extra specs. You can use the
specs in the following table when you define OpenStack Block Storage volume types by using the
cinder type-key command.
Table 2.16. Description of extra specs options for NetApp Unified Driver with Clustered Data
ONTAP
Extra spec
Type
Description
netapp_raid_type
String
Limit the candidate volume list based on one of the
following raid types: raid4, raid_dp.
netapp_disk_type
String
Limit the candidate volume list based on one of the
following disk types: ATA, BSAS, EATA, FCAL,
FSAS, LUN, MSATA, SAS, SATA, SCSI,
XATA, XSAS, or SSD.
netapp:qos_policy_group[a]
String
Specify the name of a QoS policy group, which defines
measurable Service Level Objectives, that should be
applied to the OpenStack Block Storage volume at the
time of volume creation. Ensure that the QoS policy group
object within Data ONTAP is defined before an
OpenStack Block Storage volume is created, and that the
QoS policy group is not associated with the destination
FlexVol volume.
netapp_mirrored
Boolean
Limit the candidate volume list to only the ones that are
mirrored on the storage controller.
netapp_unmirrored[b]
Boolean
Limit the candidate volume list to only the ones that are
not mirrored on the storage controller.
netapp_dedup
Boolean
Limit the candidate volume list to only the ones that have
deduplication enabled on the storage controller.
netapp_nodedup[b]
Boolean
Limit the candidate volume list to only the ones that have
deduplication disabled on the storage controller.
netapp_compression
Boolean
Limit the candidate volume list to only the ones that have
compression enabled on the storage controller.
netapp_nocompression[b]
Boolean
Limit the candidate volume list to only the ones that have
compression disabled on the storage controller.
netapp_thin_provisioned
Boolean
Limit the candidate volume list to only the ones that
support thin provisioning on the storage controller.
netapp_thick_provisioned[b]
Boolean
Limit the candidate volume list to only the ones that
support thick provisioning on the storage controller.
[a] Note that this extra spec has a colon ( : ) in its name because it is used by the driver to assign the QoS policy group to
the OpenStack Block Storage volume after it has been provisioned.
[b] In the Juno release, these negative-assertion extra specs are formally deprecated by the NetApp unified driver.
Instead of using the deprecated negative-assertion extra specs (for example, netapp_unmirrored) with a value of
true, use the corresponding positive-assertion extra spec (for example, netapp_mirrored) with a value of
false.
2.1.16.2. NetApp Data ONTAP operating in 7-Mode storage family
The NetApp Data ONTAP operating in 7-Mode storage family represents a configuration group which
provides OpenStack compute instances access to 7-Mode storage systems. At present it can be
configured in OpenStack Block Storage to work with iSCSI and NFS storage protocols.
2.1.16.2.1. NetApp iSCSI configuration for Data ONTAP operating in 7-Mode
The NetApp iSCSI configuration for Data ONTAP operating in 7-Mode is an interface from OpenStack
to Data ONTAP operating in 7-Mode storage systems for provisioning and managing the SAN block
storage entity, that is, a LUN which can be accessed using iSCSI protocol.
The iSCSI configuration for Data ONTAP operating in 7-Mode is a direct interface from OpenStack to
the Data ONTAP operating in 7-Mode storage system, and it does not require additional management
software to achieve the desired functionality. It uses NetApp ONTAPI to interact with the Data ONTAP
operating in 7-Mode storage system.
Configuration options for the Data ONTAP operating in 7-Mode storage family with iSCSI protocol
Configure the volume driver, storage family and storage protocol to the NetApp unified driver, Data
ONTAP operating in 7-Mode, and iSCSI respectively by setting the volume_driver,
netapp_storage_family and netapp_storage_protocol options in cinder.conf as follows:
volume_driver = cinder.volume.drivers.netapp.common.NetAppDriver
netapp_storage_family = ontap_7mode
netapp_storage_protocol = iscsi
netapp_server_hostname = myhostname
netapp_server_port = 80
netapp_login = username
netapp_password = password
NOTE
To use the iSCSI protocol, you must override the default value of
netapp_storage_protocol with iscsi.
Table 2.17. Description of NetApp 7-Mode iSCSI driver configuration options
Configuration option = Default value
Description
[DEFAULT]
netapp_login = None
(StrOpt) Administrative user account name used to
access the storage system or proxy server.
netapp_partner_backend_name = None
(StrOpt) The name of the config.conf stanza for a
Data ONTAP (7-mode) HA partner. This option is
only used by the driver when connecting to an
instance with a storage family of Data ONTAP
operating in 7-Mode, and it is required if the storage
protocol selected is FC.
netapp_password = None
(StrOpt) Password for the administrative user
account specified in the netapp_login option.
netapp_pool_name_search_pattern = (.+)
(StrOpt) This option is used to restrict provisioning
to the specified pools. Specify the value of this
option to be a regular expression which will be
applied to the names of objects from the storage
backend which represent pools in Cinder. This option
is only utilized when the storage protocol is
configured to use iSCSI or FC.
netapp_server_hostname = None
(StrOpt) The hostname (or IP address) for the
storage system or proxy server.
netapp_server_port = None
(IntOpt) The TCP port to use for communication with
the storage system or proxy server. If not specified,
Data ONTAP drivers will use 80 for HTTP and 443
for HTTPS; E-Series will use 8080 for HTTP and
8443 for HTTPS.
netapp_size_multiplier = 1.2
(FloatOpt) The quantity to be multiplied by the
requested volume size to ensure enough space is
available on the virtual storage server (Vserver) to
fulfill the volume creation request. Note: this option
is deprecated and will be removed in favor of
"reserved_percentage" in the Mitaka release.
netapp_storage_family = ontap_cluster
(StrOpt) The storage family type used on the
storage system; valid values are ontap_7mode for
using Data ONTAP operating in 7-Mode,
ontap_cluster for using clustered Data ONTAP, or
eseries for using E-Series.
netapp_storage_protocol = None
(StrOpt) The storage protocol to be used on the data
path with the storage system.
netapp_transport_type = http
(StrOpt) The transport protocol used when
communicating with the storage system or proxy
server.
netapp_vfiler = None
(StrOpt) The vFiler unit on which provisioning of
block storage volumes will be done. This option is
only used by the driver when connecting to an
instance with a storage family of Data ONTAP
operating in 7-Mode. Only use this option when
utilizing the MultiStore feature on the NetApp
storage system.
TIP
For more information on these options and other deployment and operational scenarios, visit the
NetApp OpenStack Deployment and Operations Guide.
2.1.16.2.2. NetApp NFS configuration for Data ONTAP operating in 7-Mode
The NetApp NFS configuration for Data ONTAP operating in 7-Mode is an interface from OpenStack to
Data ONTAP operating in 7-Mode storage system for provisioning and managing OpenStack volumes
on NFS exports provided by the Data ONTAP operating in 7-Mode storage system which can then be
accessed using NFS protocol.
The NFS configuration for Data ONTAP operating in 7-Mode is a direct interface from OpenStack Block
Storage to the Data ONTAP operating in 7-Mode instance and as such does not require any additional
management software to achieve the desired functionality. It uses NetApp ONTAPI to interact with the
Data ONTAP operating in 7-Mode storage system.
Configuration options for the Data ONTAP operating in 7-Mode family with NFS protocol
Configure the volume driver, storage family, and storage protocol to the NetApp unified driver, Data
ONTAP operating in 7-Mode, and NFS respectively by setting the volume_driver,
netapp_storage_family and netapp_storage_protocol options in cinder.conf as follows:
volume_driver = cinder.volume.drivers.netapp.common.NetAppDriver
netapp_storage_family = ontap_7mode
netapp_storage_protocol = nfs
netapp_server_hostname = myhostname
netapp_server_port = 80
netapp_login = username
netapp_password = password
nfs_shares_config = /etc/cinder/nfs_shares
Table 2.18. Description of NetApp 7-Mode NFS driver configuration options
Configuration option = Default value
Description
[DEFAULT]
expiry_thres_minutes = 720
(IntOpt) This option specifies the threshold for last
access time for images in the NFS image cache.
When a cache cleaning cycle begins, images in the
cache that have not been accessed in the last M
minutes, where M is the value of this parameter, will
be deleted from the cache to create free space on
the NFS share.
netapp_login = None
(StrOpt) Administrative user account name used to
access the storage system or proxy server.
netapp_partner_backend_name = None
(StrOpt) The name of the config.conf stanza for a
Data ONTAP (7-mode) HA partner. This option is
only used by the driver when connecting to an
instance with a storage family of Data ONTAP
operating in 7-Mode, and it is required if the storage
protocol selected is FC.
netapp_password = None
(StrOpt) Password for the administrative user
account specified in the netapp_login option.
netapp_pool_name_search_pattern = (.+)
(StrOpt) This option is used to restrict provisioning
to the specified pools. Specify the value of this
option to be a regular expression which will be
applied to the names of objects from the storage
backend which represent pools in Cinder. This option
is only utilized when the storage protocol is
configured to use iSCSI or FC.
netapp_server_hostname = None
(StrOpt) The hostname (or IP address) for the
storage system or proxy server.
netapp_server_port = None
(IntOpt) The TCP port to use for communication with
the storage system or proxy server. If not specified,
Data ONTAP drivers will use 80 for HTTP and 443
for HTTPS; E-Series will use 8080 for HTTP and
8443 for HTTPS.
netapp_storage_family = ontap_cluster
(StrOpt) The storage family type used on the
storage system; valid values are ontap_7mode for
using Data ONTAP operating in 7-Mode,
ontap_cluster for using clustered Data ONTAP, or
eseries for using E-Series.
netapp_storage_protocol = None
(StrOpt) The storage protocol to be used on the data
path with the storage system.
netapp_transport_type = http
(StrOpt) The transport protocol used when
communicating with the storage system or proxy
server.
netapp_vfiler = None
(StrOpt) The vFiler unit on which provisioning of
block storage volumes will be done. This option is
only used by the driver when connecting to an
instance with a storage family of Data ONTAP
operating in 7-Mode. Only use this option when
utilizing the MultiStore feature on the NetApp
storage system.
thres_avl_size_perc_start = 20
(IntOpt) If the percentage of available space for an
NFS share has dropped below the value specified by
this option, the NFS image cache will be cleaned.
thres_avl_size_perc_stop = 60
(IntOpt) When the percentage of available space on
an NFS share has reached the percentage specified
by this option, the driver will stop clearing files from
the NFS image cache that have not been accessed in
the last M minutes, where M is the value of the
expiry_thres_minutes configuration option.
NOTE
Additional NetApp NFS configuration options are shared with the generic NFS driver.
For a description of these, see Table 2.20, “Description of NFS storage configuration
options”.
TIP
For more information on these options and other deployment and operational scenarios, visit the
NetApp OpenStack Deployment and Operations Guide.
2.1.16.3. NetApp E-Series storage family
The NetApp E-Series storage family represents a configuration group which provides OpenStack
compute instances access to E-Series storage systems. At present it can be configured in OpenStack
Block Storage to work with the iSCSI storage protocol.
2.1.16.3.1. NetApp iSCSI configuration for E-Series
The NetApp iSCSI configuration for E-Series is an interface from OpenStack to E-Series storage
systems for provisioning and managing the SAN block storage entity; that is, a NetApp LUN which can
be accessed using the iSCSI protocol.
The iSCSI configuration for E-Series is an interface from OpenStack Block Storage to the E-Series
proxy instance and as such requires the deployment of the proxy instance in order to achieve the
desired functionality. The driver uses REST APIs to interact with the E-Series proxy instance, which in
turn interacts directly with the E-Series controllers.
Multipath and DM-MP are required when using the OpenStack Block Storage driver for E-Series. In order for OpenStack Block Storage and OpenStack Compute to take advantage of multiple
paths, the following configuration options must be correctly configured:
The use_multipath_for_image_xfer option should be set to True in the cinder.conf
file within the driver-specific stanza (for example, [myDriver]).
The iscsi_use_multipath option should be set to True in the nova.conf file within the
[libvirt] stanza.
Configuration options for E-Series storage family with iSCSI protocol
Configure the volume driver, storage family, and storage protocol to the NetApp unified driver, E-Series, and iSCSI respectively by setting the volume_driver, netapp_storage_family and
netapp_storage_protocol options in cinder.conf as follows:
volume_driver = cinder.volume.drivers.netapp.common.NetAppDriver
netapp_storage_family = eseries
netapp_storage_protocol = iscsi
netapp_server_hostname = myhostname
netapp_server_port = 80
netapp_login = username
netapp_password = password
netapp_controller_ips = 1.2.3.4,5.6.7.8
netapp_sa_password = arrayPassword
netapp_storage_pools = pool1,pool2
use_multipath_for_image_xfer = True
NOTE
To use the E-Series driver, you must override the default value of
netapp_storage_family with eseries.
NOTE
To use the iSCSI protocol, you must override the default value of
netapp_storage_protocol with iscsi.
Table 2.19. Description of NetApp E-Series driver configuration options
Configuration option = Default value
Description
[DEFAULT]
netapp_controller_ips = None
(StrOpt) This option is only utilized when the
storage family is configured to eseries. This option is
used to restrict provisioning to the specified
controllers. Specify the value of this option to be a
comma separated list of controller hostnames or IP
addresses to be used for provisioning.
netapp_enable_multiattach = False
(BoolOpt) This option specifies whether the driver
should allow operations that require multiple
attachments to a volume. An example would be live
migration of servers that have volumes attached.
When enabled, this backend is limited to 256 total
volumes in order to guarantee volumes can be
accessed by more than one host.
netapp_host_type = None
(StrOpt) This option defines the type of operating
system for all initiators that can access a LUN. This
information is used when mapping LUNs to
individual hosts or groups of hosts.
netapp_login = None
(StrOpt) Administrative user account name used to
access the storage system or proxy server.
netapp_partner_backend_name = None
(StrOpt) The name of the config.conf stanza for a
Data ONTAP (7-mode) HA partner. This option is
only used by the driver when connecting to an
instance with a storage family of Data ONTAP
operating in 7-Mode, and it is required if the storage
protocol selected is FC.
netapp_password = None
(StrOpt) Password for the administrative user
account specified in the netapp_login option.
netapp_pool_name_search_pattern = (.+)
(StrOpt) This option is used to restrict provisioning
to the specified pools. Specify the value of this
option to be a regular expression which will be
applied to the names of objects from the storage
backend which represent pools in Cinder. This option
is only utilized when the storage protocol is
configured to use iSCSI or FC.
netapp_sa_password = None
(StrOpt) Password for the NetApp E-Series storage
array.
netapp_server_hostname = None
(StrOpt) The hostname (or IP address) for the
storage system or proxy server.
netapp_server_port = None
(IntOpt) The TCP port to use for communication with
the storage system or proxy server. If not specified,
Data ONTAP drivers will use 80 for HTTP and 443
for HTTPS; E-Series will use 8080 for HTTP and
8443 for HTTPS.
netapp_storage_family = ontap_cluster
(StrOpt) The storage family type used on the
storage system; valid values are ontap_7mode for
using Data ONTAP operating in 7-Mode,
ontap_cluster for using clustered Data ONTAP, or
eseries for using E-Series.
netapp_transport_type = http
(StrOpt) The transport protocol used when
communicating with the storage system or proxy
server.
netapp_webservice_path = /devmgr/v2
(StrOpt) This option is used to specify the path to
the E-Series proxy application on a proxy server. The
value is combined with the value of the
netapp_transport_type, netapp_server_hostname,
and netapp_server_port options to create the URL
used by the driver to connect to the proxy
application.
TIP
For more information on these options and other deployment and operational scenarios, visit the
NetApp OpenStack Deployment and Operations Guide.
2.1.16.4. Upgrading prior NetApp drivers to the NetApp unified driver
NetApp introduced a new unified block storage driver in Havana for configuring different storage
families and storage protocols. This requires defining an upgrade path for NetApp drivers that existed in
releases prior to Havana. This section covers the upgrade configuration for NetApp drivers to the new
unified configuration and a list of deprecated NetApp drivers.
2.1.16.4.1. Upgraded NetApp drivers
This section describes how to update OpenStack Block Storage configuration from a pre-Havana
release to the unified driver format.
Driver upgrade configuration
1. NetApp iSCSI direct driver for Clustered Data ONTAP in Grizzly (or earlier).
volume_driver = cinder.volume.drivers.netapp.iscsi.NetAppDirectCmodeISCSIDriver
NetApp unified driver configuration.
volume_driver = cinder.volume.drivers.netapp.common.NetAppDriver
netapp_storage_family = ontap_cluster
netapp_storage_protocol = iscsi
2. NetApp NFS direct driver for Clustered Data ONTAP in Grizzly (or earlier).
volume_driver = cinder.volume.drivers.netapp.nfs.NetAppDirectCmodeNfsDriver
NetApp unified driver configuration.
volume_driver = cinder.volume.drivers.netapp.common.NetAppDriver
netapp_storage_family = ontap_cluster
netapp_storage_protocol = nfs
3. NetApp iSCSI direct driver for Data ONTAP operating in 7-Mode storage controller in Grizzly
(or earlier).
volume_driver = cinder.volume.drivers.netapp.iscsi.NetAppDirect7modeISCSIDriver
NetApp unified driver configuration.
volume_driver = cinder.volume.drivers.netapp.common.NetAppDriver
netapp_storage_family = ontap_7mode
netapp_storage_protocol = iscsi
4. NetApp NFS direct driver for Data ONTAP operating in 7-Mode storage controller in Grizzly
(or earlier).
volume_driver = cinder.volume.drivers.netapp.nfs.NetAppDirect7modeNfsDriver
NetApp unified driver configuration.
volume_driver = cinder.volume.drivers.netapp.common.NetAppDriver
netapp_storage_family = ontap_7mode
netapp_storage_protocol = nfs
2.1.16.4.2. Deprecated NetApp drivers
This section lists the NetApp drivers in earlier releases that are deprecated in Havana.
1. NetApp iSCSI driver for clustered Data ONTAP.
volume_driver = cinder.volume.drivers.netapp.iscsi.NetAppCmodeISCSIDriver
2. NetApp NFS driver for clustered Data ONTAP.
volume_driver = cinder.volume.drivers.netapp.nfs.NetAppCmodeNfsDriver
3. NetApp iSCSI driver for Data ONTAP operating in 7-Mode storage controller.
volume_driver = cinder.volume.drivers.netapp.iscsi.NetAppISCSIDriver
4. NetApp NFS driver for Data ONTAP operating in 7-Mode storage controller.
volume_driver = cinder.volume.drivers.netapp.nfs.NetAppNFSDriver
NOTE
For support information on deprecated NetApp drivers in the Havana release, visit the
NetApp OpenStack Deployment and Operations Guide.
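The audit below is an added example, not Red Hat's or NetApp's tooling: it checks cinder.conf back-end stanzas against what this section states (the driver upgrade and deprecation lists, the default ports, the E-Series multipath requirement) and flags stanzas where netapp_login and netapp_password travel unencrypted because netapp_transport_type is left at http. The function names, severity labels and sample stanzas are constructed for illustration, and the port check is a heuristic.

```python
import configparser

UNIFIED = "cinder.volume.drivers.netapp.common.NetAppDriver"
PREFIX = "cinder.volume.drivers.netapp."
# Pre-Havana direct drivers and their unified settings (section 2.1.16.4.1).
UPGRADES = {
    PREFIX + "iscsi.NetAppDirectCmodeISCSIDriver": ("ontap_cluster", "iscsi"),
    PREFIX + "nfs.NetAppDirectCmodeNfsDriver": ("ontap_cluster", "nfs"),
    PREFIX + "iscsi.NetAppDirect7modeISCSIDriver": ("ontap_7mode", "iscsi"),
    PREFIX + "nfs.NetAppDirect7modeNfsDriver": ("ontap_7mode", "nfs"),
}
# Drivers listed as deprecated in Havana (section 2.1.16.4.2).
DEPRECATED = {
    PREFIX + "iscsi.NetAppCmodeISCSIDriver",
    PREFIX + "nfs.NetAppCmodeNfsDriver",
    PREFIX + "iscsi.NetAppISCSIDriver",
    PREFIX + "nfs.NetAppNFSDriver",
}
# Default (HTTP, HTTPS) ports from the netapp_server_port description.
PORTS = {"ontap": (80, 443), "eseries": (8080, 8443)}

# Constructed sample configuration; host names and credentials are placeholders.
SAMPLE_CONF = """
[DEFAULT]
enabled_backends = ontap7,eseries1,legacy

[ontap7]
volume_driver = cinder.volume.drivers.netapp.common.NetAppDriver
netapp_storage_family = ontap_7mode
netapp_storage_protocol = iscsi
netapp_server_hostname = myhostname
netapp_server_port = 80
netapp_login = username
netapp_password = password

[eseries1]
volume_driver = cinder.volume.drivers.netapp.common.NetAppDriver
netapp_storage_family = eseries
netapp_storage_protocol = iscsi
netapp_transport_type = https
netapp_server_port = 8443
netapp_login = username
netapp_password = password

[legacy]
volume_driver = cinder.volume.drivers.netapp.nfs.NetAppDirect7modeNfsDriver
"""


def audit_backend(opts):
    """Return (severity, message) findings for one stanza's options."""
    driver = opts.get("volume_driver", "")
    if driver in UPGRADES:
        family, proto = UPGRADES[driver]
        return [("WARN", "pre-Havana driver; use %s with "
                 "netapp_storage_family=%s, netapp_storage_protocol=%s"
                 % (UNIFIED, family, proto))]
    if driver in DEPRECATED:
        return [("WARN", "driver deprecated in Havana: " + driver)]
    if driver != UNIFIED:
        return []  # not a NetApp stanza

    findings = []
    family = opts.get("netapp_storage_family", "ontap_cluster")
    transport = opts.get("netapp_transport_type", "http").lower()
    if not opts.get("netapp_storage_protocol"):
        findings.append(("ERROR", "netapp_storage_protocol is not set"))
    if transport == "http" and opts.get("netapp_password"):
        findings.append(("HIGH", "netapp_login/netapp_password are sent over "
                         "unencrypted HTTP; set netapp_transport_type = https"))
    http_port, https_port = PORTS["eseries" if family == "eseries" else "ontap"]
    port = opts.get("netapp_server_port", "")
    if port.isdigit():
        if transport == "https" and int(port) == http_port:
            findings.append(("ERROR", "port %s is the HTTP default" % port))
        if transport == "http" and int(port) == https_port:
            findings.append(("ERROR", "port %s is the HTTPS default" % port))
    if (family == "eseries" and
            opts.get("use_multipath_for_image_xfer", "").lower() != "true"):
        findings.append(("ERROR", "E-Series requires "
                         "use_multipath_for_image_xfer = True"))
    return findings


def audit(conf_text):
    """Audit every stanza; return {section: findings} for sections with any."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    report = {}
    for section in ["DEFAULT"] + cp.sections():
        opts = dict(cp.defaults() if section == "DEFAULT" else cp.items(section))
        findings = audit_backend(opts)
        if findings:
            report[section] = findings
    return report


if __name__ == "__main__":
    for section, findings in audit(SAMPLE_CONF).items():
        for severity, message in findings:
            print("[%s] %s: %s" % (section, severity, message))
```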
2.1.17. NFS driver
The Network File System (NFS) is a distributed file system protocol originally developed by Sun
Microsystems in 1984. An NFS server exports one or more of its file systems, known as shares. An NFS
client can mount these exported shares on its own file system. You can perform file actions on this
mounted remote file system as if the file system were local.
2.1.17.1. How the NFS driver works
The NFS driver, and other drivers based on it, work quite differently than a traditional block storage
driver.
The NFS driver does not actually allow an instance to access a storage device at the block level.
Instead, files are created on an NFS share and mapped to instances, which emulates a block device.
This works in a similar way to QEMU, which stores instances in the /var/lib/nova/instances
directory.
2.1.17.2. Enable the NFS driver and related options
To use Cinder with the NFS driver, first set the volume_driver in cinder.conf:
volume_driver=cinder.volume.drivers.nfs.NfsDriver
The following table contains the options supported by the NFS driver.
Table 2.20. Description of NFS storage configuration options
Configuration option = Default value
Description
[DEFAULT]
nfs_mount_attempts = 3
(IntOpt) The number of attempts to mount nfs
shares before raising an error. At least one attempt
will be made to mount an nfs share, regardless of the
value specified.
nfs_mount_options = None
(StrOpt) Mount options passed to the nfs client. See
section of the nfs man page for details.
nfs_mount_point_base = $state_path/mnt
(StrOpt) Base dir containing mount points for nfs
shares.
nfs_oversub_ratio = 1.0
(FloatOpt) This will compare the allocated to
available space on the volume destination. If the
ratio exceeds this number, the destination will no
longer be valid. Note that this option is deprecated in
favor of "max_oversubscription_ratio" and will be
removed in the Mitaka release.
nfs_shares_config = /etc/cinder/nfs_shares
(StrOpt) File with the list of available nfs shares
nfs_sparsed_volumes = True
(BoolOpt) Create volumes as sparse files which
take no space. If set to False, the volume is created as
a regular file. In such a case, volume creation takes a lot
of time.
nfs_used_ratio = 0.95
(FloatOpt) Percent of ACTUAL usage of the
underlying volume before no new volumes can be
allocated to the volume destination. Note that this
option is deprecated in favor of
"reserved_percentage" and will be removed in the
Mitaka release.
NOTE
As of the Icehouse release, the NFS driver (and other drivers based off it) will attempt to
mount shares using version 4.1 of the NFS protocol (including pNFS). If the mount
attempt is unsuccessful due to a lack of client or server support, a subsequent mount
attempt that requests the default behavior of the mount.nfs command will be
performed. On most distributions, the default behavior is to attempt mounting first with
NFS v4.0, then silently fall back to NFS v3.0 if necessary. If the nfs_mount_options
configuration option contains a request for a specific version of NFS to be used, or if
specific options are specified in the shares configuration file specified by the
nfs_shares_config configuration option, the mount will be attempted as requested
with no subsequent attempts.
2.1.17.3. How to use the NFS driver
1. Access to one or more NFS servers. Creating an NFS server is outside the scope of this
document. This example assumes access to the following NFS servers and mount points:
192.168.1.200:/storage
192.168.1.201:/storage
192.168.1.202:/storage
This example demonstrates the use of this driver with multiple NFS servers. Multiple
servers are not required. One is usually enough.
2. Add your list of NFS servers to the file you specified with the nfs_shares_config option.
For example, if the value of this option was set to /etc/cinder/shares.txt, then:
# cat /etc/cinder/shares.txt
192.168.1.200:/storage
192.168.1.201:/storage
192.168.1.202:/storage
Comments are allowed in this file. They begin with a #.
3. Configure the nfs_mount_point_base option. This is a directory where cinder-volume
mounts all NFS shares stored in shares.txt. For this example, /var/lib/cinder/nfs is
used. You can, of course, use the default value of $state_path/mnt.
4. Start the cinder-volume service. /var/lib/cinder/nfs should now contain a directory
for each NFS share specified in shares.txt. The name of each directory is a hashed name:
# ls /var/lib/cinder/nfs/
... 46c5db75dc3a3a50a10bfd1a456a9f3f ...
5. You can now create volumes as you normally would:
$ nova volume-create --display-name myvol 5
# ls /var/lib/cinder/nfs/46c5db75dc3a3a50a10bfd1a456a9f3f
volume-a8862558-e6d6-4648-b5df-bb84f31c8935
This volume can also be attached and deleted just like other volumes. However, snapshotting
is not supported.
NFS driver notes
cinder-volume manages the mounting of the NFS shares as well as volume creation on the
shares. Keep this in mind when planning your OpenStack architecture. If you have one master
NFS server, it might make sense to only have one cinder-volume service to handle all
requests to that NFS server. However, if that single server is unable to handle all requests,
more than one cinder-volume service is needed as well as potentially more than one NFS
server.
Because data is stored in a file and not actually on a block storage device, you might not see
the same IO performance as you would with a traditional block storage driver. Test
accordingly.
Despite possible IO performance loss, having volume data stored in a file might be beneficial.
For example, backing up volumes can be as easy as copying the volume files.
NOTE
Regular IO flushing and syncing still applies.
2.1.18. SolidFire
The SolidFire Cluster is a high-performance, all-SSD iSCSI storage device that provides massive scale-out
capability and extreme fault tolerance. A key feature of the SolidFire cluster is the ability to set and
modify specific QoS levels during operation on a volume-by-volume basis. The SolidFire cluster offers
this along with de-duplication, compression, and an architecture that takes full advantage of SSDs.
To configure the use of a SolidFire cluster with Block Storage, modify your cinder.conf file as
follows:
volume_driver = cinder.volume.drivers.solidfire.SolidFireDriver
# the address of your MVIP
san_ip = 172.17.1.182
# your cluster admin login
san_login = sfadmin
# your cluster admin password
san_password = sfpassword
# prefix for tenant account creation on solidfire cluster
sf_account_prefix = ''

WARNING
Older versions of the SolidFire driver (prior to Icehouse) created a unique account
prefixed with $cinder-volume-service-hostname-$tenant-id on the
SolidFire cluster for each tenant. Unfortunately, this account formation resulted in
issues for High Availability (HA) installations and installations where the cinder-volume
service can move to a new node. The current default implementation does
not experience this issue as no prefix is used. For installations created on a prior
release, the OLD default behavior can be configured by using the keyword
"hostname" in sf_account_prefix.
Table 2.21. Description of SolidFire driver configuration options
Configuration option = Default value
Description
[DEFAULT]
sf_account_prefix = None
(StrOpt) Create SolidFire accounts with this prefix.
Any string can be used here, but the string
"hostname" is special and will create a prefix using
the cinder node hostname (previous default
behavior). The default is NO prefix.
sf_allow_template_caching = True
(BoolOpt) Create an internal cache of copy of images
when a bootable volume is created to eliminate
fetch from glance and qemu-conversion on
subsequent calls.
sf_allow_tenant_qos = False
(BoolOpt) Allow tenants to specify QOS on create
sf_api_port = 443
(IntOpt) SolidFire API port. Useful if the device api is
behind a proxy on a different port.
sf_emulate_512 = True
(BoolOpt) Set 512 byte emulation on volume
creation;
sf_enable_volume_mapping = True
(BoolOpt) Create an internal mapping of volume IDs
and account. Optimizes lookups and performance at
the expense of memory, very large deployments may
want to consider setting to False.
sf_svip = None
(StrOpt) Overrides default cluster SVIP with the one
specified. This is required for deployments that have
implemented the use of VLANs for iSCSI networks in
their cloud.
sf_template_account_name = openstack-vtemplate
(StrOpt) Account name on the SolidFire Cluster to
use as owner of template/cache volumes (created if
does not exist).
2.1.19. Tintri
Tintri VMstore is a smart storage that sees, learns and adapts for cloud and virtualization. The Tintri
Cinder driver will interact with configured VMstore running Tintri OS 4.0 and above. It supports various
operations using Tintri REST APIs and NFS protocol.
To configure the use of a Tintri VMstore with Block Storage, perform the following actions:
1. Edit the /etc/cinder/cinder.conf file and set the cinder.volume.drivers.tintri options:
volume_driver=cinder.volume.drivers.tintri.TintriDriver
# Mount options passed to the nfs client. See section of the
# nfs man page for details. (string value)
nfs_mount_options=vers=3,lookupcache=pos
#
# Options defined in cinder.volume.drivers.tintri
#
# The hostname (or IP address) for the storage system (string
# value)
tintri_server_hostname={Tintri VMstore Management IP}
# User name for the storage system (string value)
tintri_server_username={username}
# Password for the storage system (string value)
tintri_server_password={password}
# API version for the storage system (string value)
#tintri_api_version=v310
# Following options needed for NFS configuration
# File with the list of available nfs shares (string value)
#nfs_shares_config=/etc/cinder/nfs_shares
2. Edit the /etc/nova/nova.conf file, and set the nfs_mount_options:
nfs_mount_options=vers=3
3. Edit the /etc/cinder/nfs_shares file, and add the Tintri VMstore mount points associated
with the configured VMstore management IP in the cinder.conf file:
{vmstore_data_ip}:/tintri/{submount1}
{vmstore_data_ip}:/tintri/{submount2}
Table 2.22. Description of Tintri volume driver configuration options
Configuration option = Default value
Description
[DEFAULT]
tintri_api_version = v310
(StrOpt) API version for the storage system
tintri_server_hostname = None
(StrOpt) The hostname (or IP address) for the
storage system
tintri_server_password = None
(StrOpt) Password for the storage system
tintri_server_username = None
(StrOpt) User name for the storage system
2.1.20. Violin Memory 7000 Series FSP volume driver
The OpenStack V7000 driver package from Violin Memory adds Block Storage service support for
Violin 7300 Flash Storage Platforms (FSPs) and 7700 FSP controllers.
The driver package release can be used with any OpenStack Liberty deployment for all 7300 FSPs and
7700 FSP controllers running Concerto 7.5.3 and later using Fibre Channel HBAs.
2.1.20.1. System requirements
To use the Violin driver, the following are required:
Violin 7300/7700 series FSP with:
Concerto OS version 7.5.3 or later
Fibre channel host interfaces
The Violin block storage driver: This driver implements the block storage API calls. The driver
is included with the OpenStack Liberty release.
The vmemclient library: This is the Violin Array Communications library to the Flash Storage
Platform through a REST-like interface. The client can be installed using the python pip
installer tool. Further information on vmemclient can be found on PyPI.
pip install vmemclient
2.1.20.2. Supported operations
Create, delete, attach, and detach volumes.
Create, list, and delete volume snapshots.
Create a volume from a snapshot.
Copy an image to a volume.
Copy a volume to an image.
Clone a volume.
Extend a volume.
NOTE
Listed operations are supported for thick, thin, and dedup luns, with the exception of
cloning. Cloning operations are supported only on thick luns.
2.1.20.3. Driver configuration
Once the array is configured as per the installation guide, it is simply a matter of editing the cinder
configuration file to add or modify the parameters. The driver currently only supports fibre channel
configuration.
2.1.20.3.1. Fibre channel configuration
Set the following in your cinder.conf configuration file, replacing the variables using the guide in
the following section:
volume_driver = cinder.volume.drivers.violin.v7000_fcp.V7000FCPDriver
volume_backend_name = vmem_violinfsp
extra_capabilities = VMEM_CAPABILITIES
san_ip = VMEM_MGMT_IP
san_login = VMEM_USER_NAME
san_password = VMEM_PASSWORD
use_multipath_for_image_xfer = true
2.1.20.3.2. Configuration parameters
Description of configuration value placeholders:
VMEM_CAPABILITIES
User-defined capabilities, a JSON-formatted string specifying key-value pairs (string value). The
capabilities specifically supported are dedup and thin. Listing only these two capabilities in the
cinder.conf file indicates that this back end should be selected when creating LUNs whose
associated volume type has dedup or thin extra_specs specified. For example, if the FSP is
configured to support dedup LUNs, set the associated driver capabilities to:
{"dedup":"True","thin":"True"}.
VMEM_MGMT_IP
External IP address or host name of the Violin 7300 Memory Gateway. This can be an IP address or
host name.
VMEM_USER_NAME
Log-in user name for the Violin 7300 Memory Gateway or 7700 FSP controller. This user must have
administrative rights on the array or controller.
VMEM_PASSWORD
Log-in user's password.
2.2. BACKUP DRIVERS
This section describes how to configure the cinder-backup service and its drivers.
To set a backup driver, use the backup_driver flag. By default there is no backup driver enabled.
2.2.1. Ceph backup driver
The Ceph backup driver backs up volumes of any type to a Ceph back-end store. The driver can also
detect whether the volume to be backed up is a Ceph RBD volume, and if so, it tries to perform
incremental and differential backups.
For source Ceph RBD volumes, you can perform backups within the same Ceph pool (not
recommended). You can also perform backups between different Ceph pools and between different
Ceph clusters.
At the time of writing, differential backup support in Ceph/librbd was quite new. This driver attempts a
differential backup in the first instance. If the differential backup fails, the driver falls back to full
backup/copy.
If incremental backups are used, multiple backups of the same volume are stored as snapshots so that
minimal space is consumed in the backup store. It takes far less time to restore a volume than to take a
full copy.
NOTE
Block Storage enables you to:
Restore to a new volume, which is the default and recommended action.
Restore to the original volume from which the backup was taken. The restore
action takes a full copy because this is the safest action.
To enable the Ceph backup driver, include the following option in the cinder.conf file:
backup_driver = cinder.backup.drivers.ceph
The following configuration options are available for the Ceph backup driver.
Table 2.23. Description of Ceph backup driver configuration options
Configuration option = Default value
Description
[DEFAULT]
backup_ceph_chunk_size = 134217728
(IntOpt) The chunk size, in bytes, that a backup is
broken into before transfer to the Ceph object store.
backup_ceph_conf = /etc/ceph/ceph.conf
(StrOpt) Ceph configuration file to use.
backup_ceph_pool = backups
(StrOpt) The Ceph pool where volume backups are
stored.
backup_ceph_stripe_count = 0
(IntOpt) RBD stripe count to use when creating a
backup image.
backup_ceph_stripe_unit = 0
(IntOpt) RBD stripe unit to use when creating a
backup image.
backup_ceph_user = cinder
(StrOpt) The Ceph user to connect with. Default
here is to use the same user as for Cinder volumes. If
not using cephx this should be set to None.
restore_discard_excess_bytes = True
(BoolOpt) If True, always discard excess bytes when
restoring volumes i.e. pad with zeroes.
This example shows the default options for the Ceph backup driver.
backup_ceph_conf=/etc/ceph/ceph.conf
backup_ceph_user = cinder
backup_ceph_chunk_size = 134217728
backup_ceph_pool = backups
backup_ceph_stripe_unit = 0
backup_ceph_stripe_count = 0
2.2.2. IBM Tivoli Storage Manager backup driver
The IBM Tivoli Storage Manager (TSM) backup driver enables performing volume backups to a TSM
server.
The TSM client should be installed and configured on the machine running the cinder-backup
service. See the IBM Tivoli Storage Manager Backup-Archive Client Installation and User's Guide for details
on installing the TSM client.
To enable the IBM TSM backup driver, include the following option in cinder.conf:
backup_driver = cinder.backup.drivers.tsm
The following configuration options are available for the TSM backup driver.
Table 2.24. Description of IBM Tivoli Storage Manager backup driver configuration options
Configuration option = Default value
Description
[DEFAULT]
backup_tsm_compression = True
(BoolOpt) Enable or Disable compression for
backups
backup_tsm_password = password
(StrOpt) TSM password for the running username
backup_tsm_volume_prefix = backup
(StrOpt) Volume prefix for the backup id when
backing up to TSM
This example shows the default options for the TSM backup driver.
backup_tsm_volume_prefix = backup
backup_tsm_password = password
backup_tsm_compression = True
2.2.3. Swift backup driver
The backup driver for the swift back end performs a volume backup to an object storage system.
To enable the swift backup driver, include the following option in the cinder.conf file:
backup_driver = cinder.backup.drivers.swift
The following configuration options are available for the Swift back-end backup driver.
Table 2.25. Description of Swift backup driver configuration options
Configuration option = Default value
Description
[DEFAULT]
backup_swift_auth = per_user
(StrOpt) Swift authentication mechanism
backup_swift_auth_version = 1
(StrOpt) Swift authentication version. Specify "1" for
auth 1.0, or "2" for auth 2.0
backup_swift_block_size = 32768
(IntOpt) The size in bytes that changes are tracked
for incremental backups. backup_swift_object_size
has to be multiple of backup_swift_block_size.
backup_swift_ca_cert_file = None
(StrOpt) Location of the CA certificate file to use for
swift client requests.
backup_swift_container = volumebackups
(StrOpt) The default Swift container to use
backup_swift_enable_progress_timer = True
(BoolOpt) Enable or Disable the timer to send the
periodic progress notifications to Ceilometer when
backing up the volume to the Swift backend storage.
The default value is True to enable the timer.
backup_swift_key = None
(StrOpt) Swift key for authentication
backup_swift_object_size = 52428800
(IntOpt) The size in bytes of Swift backup objects
backup_swift_retry_attempts = 3
(IntOpt) The number of retries to make for Swift
operations
backup_swift_retry_backoff = 2
(IntOpt) The backoff time in seconds between Swift
retries
backup_swift_tenant = None
(StrOpt) Swift tenant/account name. Required when
connecting to an auth 2.0 system
backup_swift_url = None
(StrOpt) The URL of the Swift endpoint
backup_swift_user = None
(StrOpt) Swift user name
swift_catalog_info = object-store:swift:publicURL
(StrOpt) Info to match when looking for swift in the
service catalog. Format is: separated values of the
form: <service_type>:<service_name>:
<endpoint_type> - Only used if backup_swift_url is
unset
To enable the swift backup driver for 1.0 or 2.0 authentication version, specify 1 or 2 correspondingly.
For example:
backup_swift_auth_version = 2
In addition, the 2.0 authentication system requires the backup_swift_tenant setting:
backup_swift_tenant = <None>
This example shows the default options for the Swift back-end backup driver.
backup_swift_url = http://localhost:8080/v1/AUTH_
backup_swift_auth = per_user
backup_swift_auth_version = 1
backup_swift_user = <None>
backup_swift_key = <None>
backup_swift_container = volumebackups
backup_swift_object_size = 52428800
backup_swift_retry_attempts = 3
backup_swift_retry_backoff = 2
backup_compression_algorithm = zlib
2.2.4. NFS backup driver
The backup driver for the NFS back end backs up volumes of any type to an NFS exported backup
repository.
To enable the NFS backup driver, include the following option in the [DEFAULT] section of the
cinder.conf file:
backup_driver = cinder.backup.drivers.nfs
The following configuration options are available for the NFS back-end backup driver.
Table 2.26. Description of NFS backup driver configuration options
Configuration option = Default value
Description
[DEFAULT]
backup_container = None
(StrOpt) Custom directory to use for backups.
backup_enable_progress_timer = True
(BoolOpt) Enable or Disable the timer to send the
periodic progress notifications to Ceilometer when
backing up the volume to the backend storage. The
default value is True to enable the timer.
backup_file_size = 1999994880
(IntOpt) The maximum size in bytes of the files used
to hold backups. If the volume being backed up
exceeds this size, then it will be backed up into
multiple files. backup_file_size must be a multiple of
backup_sha_block_size_bytes.
backup_mount_options = None
(StrOpt) Mount options passed to the NFS client.
See NFS man page for details.
backup_mount_point_base = $state_path/backup_mount
(StrOpt) Base dir containing mount point for NFS
share.
backup_sha_block_size_bytes = 32768
(IntOpt) The size in bytes that changes are tracked
for incremental backups. backup_file_size has to be
multiple of backup_sha_block_size_bytes.
backup_share = None
(StrOpt) NFS share in hostname:path, ipv4addr:path,
or "[ipv6addr]:path" format.
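The constraints stated in sections 2.2.2 through 2.2.4 (sizes that must be multiples of the tracking block size, the tenant required for auth 2.0, the backup_share formats, and the default TSM password) can be checked before cinder-backup is restarted. The following Python script is an added example, not part of this guide or of Cinder; the function name audit_backup_options, the sample configuration texts, and the requirement that the export path be absolute are assumptions of this example.

```python
import configparser
import re

# Defaults copied from Tables 2.24, 2.25 and 2.26 of this page.
DEFAULTS = {
    "backup_swift_object_size": "52428800",
    "backup_swift_block_size": "32768",
    "backup_swift_auth_version": "1",
    "backup_file_size": "1999994880",
    "backup_sha_block_size_bytes": "32768",
    "backup_tsm_password": "password",
}

# hostname:path, ipv4addr:path or [ipv6addr]:path (Table 2.26). Requiring an
# absolute export path is an assumption of this example.
SHARE_RE = re.compile(r"^(\[[0-9A-Fa-f:.]+\]|[A-Za-z0-9._-]+):/\S*$")


def _unset(value):
    """True for the spellings of "no value" used in the sample files."""
    return value is None or value.strip() in ("", "None", "<None>")


def audit_backup_options(conf_text):
    """Return a list of findings for the backup options in [DEFAULT]."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(conf_text)
    opts = dict(DEFAULTS)
    opts.update(parser.defaults())
    findings = []

    def require_multiple(size_opt, block_opt):
        try:
            size, block = int(opts[size_opt]), int(opts[block_opt])
        except ValueError:
            findings.append(f"{size_opt} and {block_opt} must be integers")
            return
        if block <= 0 or size % block != 0:
            findings.append(
                f"{size_opt}={size} is not a multiple of {block_opt}={block}")

    driver = opts.get("backup_driver", "").strip()
    if driver == "cinder.backup.drivers.swift":
        require_multiple("backup_swift_object_size", "backup_swift_block_size")
        if (opts["backup_swift_auth_version"].strip() == "2"
                and _unset(opts.get("backup_swift_tenant"))):
            findings.append(
                "backup_swift_auth_version=2 requires backup_swift_tenant")
    elif driver == "cinder.backup.drivers.nfs":
        require_multiple("backup_file_size", "backup_sha_block_size_bytes")
        share = opts.get("backup_share")
        if _unset(share):
            findings.append("backup_share is not set")
        elif not SHARE_RE.match(share.strip().strip('"')):
            findings.append(
                f"backup_share={share!r} is not host:path or [ipv6]:path")
    elif driver == "cinder.backup.drivers.tsm":
        # Table 2.24 documents "password" as the shipped default.
        if opts["backup_tsm_password"] == DEFAULTS["backup_tsm_password"]:
            findings.append(
                "backup_tsm_password is still the documented default")
    # Other or unset drivers: nothing on this page to check.
    return findings


# Constructed sample inputs (not taken from a real deployment).
SWIFT_CONF = """\
[DEFAULT]
backup_driver = cinder.backup.drivers.swift
backup_swift_auth_version = 2
# 48 KiB blocks do not divide the default 52428800-byte object size
backup_swift_block_size = 49152
"""

NFS_CONF = """\
[DEFAULT]
backup_driver = cinder.backup.drivers.nfs
backup_share = [2001:db8::10]:/export/cinder-backups
backup_file_size = 1999994880
"""

TSM_CONF = """\
[DEFAULT]
backup_driver = cinder.backup.drivers.tsm
"""

if __name__ == "__main__":
    for name, text in (("swift", SWIFT_CONF), ("nfs", NFS_CONF),
                       ("tsm", TSM_CONF)):
        for finding in audit_backup_options(text) or ["no findings"]:
            print(f"{name}: {finding}")
```
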
2.3. BLOCK STORAGE SAMPLE CONFIGURATION FILES
All the files in this section can be found in /etc/cinder.
2.3.1. cinder.conf
The cinder.conf file is installed in /etc/cinder by default. When you manually install the Block
Storage service, the options in the cinder.conf file are set to default values.
The cinder.conf file contains most of the options to configure the Block Storage service.
[DEFAULT]
#
# Options defined in oslo.messaging
#
# ZeroMQ bind address. Should be a wildcard (*), an ethernet
# interface, or IP. The "host" option should point or resolve
# to this address. (string value)
#rpc_zmq_bind_address=*
# MatchMaker driver. (string value)
#rpc_zmq_matchmaker=local
# ZeroMQ receiver listening port. (integer value)
#rpc_zmq_port=9501
# Number of ZeroMQ contexts, defaults to 1. (integer value)
#rpc_zmq_contexts=1
# Maximum number of ingress messages to locally buffer per
# topic. Default is unlimited. (integer value)
#rpc_zmq_topic_backlog=<None>
# Directory for holding IPC sockets. (string value)
#rpc_zmq_ipc_dir=/var/run/openstack
# Name of this node. Must be a valid hostname, FQDN, or IP
# address. Must match "host" option, if running Nova. (string
# value)
#rpc_zmq_host=cinder
# Seconds to wait before a cast expires (TTL). Only supported
# by impl_zmq. (integer value)
#rpc_cast_timeout=30
# Heartbeat frequency. (integer value)
#matchmaker_heartbeat_freq=300
# Heartbeat time-to-live. (integer value)
#matchmaker_heartbeat_ttl=600
# Size of RPC thread pool. (integer value)
#rpc_thread_pool_size=64
# Driver or drivers to handle sending notifications. (multi
# valued)
#notification_driver=
# AMQP topic used for OpenStack notifications. (list value)
# Deprecated group/name - [rpc_notifier2]/topics
#notification_topics=notifications
# Seconds to wait for a response from a call. (integer value)
#rpc_response_timeout=60
# A URL representing the messaging driver to use and its full
# configuration. If not set, we fall back to the rpc_backend
# option and driver specific configuration. (string value)
#transport_url=<None>
# The messaging driver to use, defaults to rabbit. Other
# drivers include qpid and zmq. (string value)
#rpc_backend=rabbit
# The default exchange under which topics are scoped. May be
# overridden by an exchange name specified in the
# transport_url option. (string value)
#control_exchange=openstack
#
# Options defined in cinder.exception
#
# Make exception message format errors fatal. (boolean value)
#fatal_exception_format_errors=false
#
# Options defined in cinder.quota
#
# Number of volumes allowed per project (integer value)
#quota_volumes=10
# Number of volume snapshots allowed per project (integer
# value)
#quota_snapshots=10
# Number of consistencygroups allowed per project (integer
# value)
#quota_consistencygroups=10
# Total amount of storage, in gigabytes, allowed for volumes
# and snapshots per project (integer value)
#quota_gigabytes=1000
# Number of volume backups allowed per project (integer value)
#quota_backups=10
# Total amount of storage, in gigabytes, allowed for backups
# per project (integer value)
#quota_backup_gigabytes=1000
# Number of seconds until a reservation expires (integer
# value)
#reservation_expire=86400
# Count of reservations until usage is refreshed (integer
# value)
#until_refresh=0
# Number of seconds between subsequent usage refreshes
# (integer value)
#max_age=0
# Default driver to use for quota checks (string value)
#quota_driver=cinder.quota.DbQuotaDriver
# Enables or disables use of default quota class with default
# quota. (boolean value)
#use_default_quota_class=true
#
# Options defined in cinder.service
#
# Interval, in seconds, between nodes reporting state to
# datastore (integer value)
#report_interval=10
# Interval, in seconds, between running periodic tasks
# (integer value)
#periodic_interval=60
# Range, in seconds, to randomly delay when starting the
# periodic task scheduler to reduce stampeding. (Disable by
# setting to 0) (integer value)
#periodic_fuzzy_delay=60
# IP address on which OpenStack Volume API listens (string
# value)
#osapi_volume_listen=0.0.0.0
# Port on which OpenStack Volume API listens (integer value)
#osapi_volume_listen_port=8776
# Number of workers for OpenStack Volume API service. The
# default is equal to the number of CPUs available. (integer
# value)
#osapi_volume_workers=<None>
#
# Options defined in cinder.ssh_utils
#
# Option to enable strict host key checking. When set to
# "True" Cinder will only connect to systems with a host key
# present in the configured "ssh_hosts_key_file". When set to
# "False" the host key will be saved upon first connection and
# used for subsequent connections. Default=False (boolean
# value)
#strict_ssh_host_key_policy=false
# File containing SSH host keys for the systems with which
# Cinder needs to communicate. OPTIONAL:
# Default=$state_path/ssh_known_hosts (string value)
#ssh_hosts_key_file=$state_path/ssh_known_hosts
#
# Options defined in cinder.test
#
# File name of clean sqlite db (string value)
#sqlite_clean_db=clean.sqlite
#
# Options defined in cinder.wsgi
#
# Maximum line size of message headers to be accepted.
# max_header_line may need to be increased when using large
# tokens (typically those generated by the Keystone v3 API
# with big service catalogs). (integer value)
#max_header_line=16384
# Timeout for client connections' socket operations. If an
# incoming connection is idle for this number of seconds it
# will be closed. A value of '0' means wait forever. (integer
# value)
#client_socket_timeout=900
# If False, closes the client socket connection explicitly.
# Setting it to True to maintain backward compatibility.
# Recommended setting is set it to False. (boolean value)
#wsgi_keep_alive=true
# Sets the value of TCP_KEEPALIVE (True/False) for each server
# socket. (boolean value)
#tcp_keepalive=true
# Sets the value of TCP_KEEPIDLE in seconds for each server
# socket. Not supported on OS X. (integer value)
#tcp_keepidle=600
# Sets the value of TCP_KEEPINTVL in seconds for each server
# socket. Not supported on OS X. (integer value)
#tcp_keepalive_interval=<None>
# Sets the value of TCP_KEEPCNT for each server socket. Not
# supported on OS X. (integer value)
#tcp_keepalive_count=<None>
# CA certificate file to use to verify connecting clients
# (string value)
#ssl_ca_file=<None>
# Certificate file to use when starting the server securely
# (string value)
#ssl_cert_file=<None>
# Private key file to use when starting the server securely
# (string value)
#ssl_key_file=<None>
#
# Options defined in cinder.api.common
#
# The maximum number of items that a collection resource
# returns in a single response (integer value)
#osapi_max_limit=1000
# Base URL that will be presented to users in links to the
# OpenStack Volume API (string value)
# Deprecated group/name - [DEFAULT]/osapi_compute_link_prefix
#osapi_volume_base_URL=<None>
#
# Options defined in cinder.api.middleware.auth
#
# Treat X-Forwarded-For as the canonical remote address. Only
# enable this if you have a sanitizing proxy. (boolean value)
#use_forwarded_for=false
#
# Options defined in cinder.api.middleware.sizelimit
#
# Max size for body of a request (integer value)
#osapi_max_request_body_size=114688
#
# Options defined in cinder.api.views.versions
#
# Public url to use for versions endpoint. The default is
# None, which will use the request's host_url attribute to
# populate the URL base. If Cinder is operating behind a
# proxy, you will want to change this to represent the proxy's
# URL. (string value)
#public_endpoint=<None>
#
# Options defined in cinder.backup.chunkeddriver
#
# Compression algorithm (None to disable) (string value)
#backup_compression_algorithm=zlib
#
# Options defined in cinder.backup.driver
#
# Backup metadata version to be used when backing up volume
# metadata. If this number is bumped, make sure the service
# doing the restore supports the new version. (integer value)
#backup_metadata_version=2
# The number of chunks or objects, for which one Ceilometer
# notification will be sent (integer value)
#backup_object_number_per_notification=10
# Interval, in seconds, between two progress notifications
# reporting the backup status (integer value)
#backup_timer_interval=120
#
# Options defined in cinder.backup.drivers.ceph
#
# Ceph configuration file to use. (string value)
#backup_ceph_conf=/etc/ceph/ceph.conf
# The Ceph user to connect with. Default here is to use the
# same user as for Cinder volumes. If not using cephx this
# should be set to None. (string value)
#backup_ceph_user=cinder
# The chunk size, in bytes, that a backup is broken into
# before transfer to the Ceph object store. (integer value)
#backup_ceph_chunk_size=134217728
# The Ceph pool where volume backups are stored. (string
# value)
#backup_ceph_pool=backups
# RBD stripe unit to use when creating a backup image.
# (integer value)
#backup_ceph_stripe_unit=0
# RBD stripe count to use when creating a backup image.
# (integer value)
#backup_ceph_stripe_count=0
# If True, always discard excess bytes when restoring volumes
# i.e. pad with zeroes. (boolean value)
#restore_discard_excess_bytes=true
#
# Options defined in cinder.backup.drivers.nfs
#
# The maximum size in bytes of the files used to hold backups.
# If the volume being backed up exceeds this size, then it
# will be backed up into multiple files. (integer value)
#backup_file_size=1999994880
# The size in bytes that changes are tracked for incremental
# backups. backup_file_size has to be multiple of
# backup_sha_block_size_bytes. (integer value)
#backup_sha_block_size_bytes=32768
# Enable or Disable the timer to send the periodic progress
# notifications to Ceilometer when backing up the volume to
# the backend storage. The default value is True to enable the
# timer. (boolean value)
#backup_enable_progress_timer=true
# Base dir containing mount point for NFS share. (string
# value)
#backup_mount_point_base=$state_path/backup_mount
# NFS share in fqdn:path, ipv4addr:path, or "[ipv6addr]:path"
# format. (string value)
#backup_share=<None>
# Mount options passed to the NFS client. See NFS man page for
# details. (string value)
#backup_mount_options=<None>
# Custom container to use for backups. (string value)
#backup_container=<None>
#
# Options defined in cinder.backup.drivers.swift
#
# The URL of the Swift endpoint (string value)
#backup_swift_url=<None>
# Info to match when looking for swift in the service catalog.
# Format is: separated values of the form:
# <service_type>:<service_name>:<endpoint_type> - Only used if
# backup_swift_url is unset (string value)
#swift_catalog_info=object-store:swift:publicURL
# Swift authentication mechanism (string value)
#backup_swift_auth=per_user
# Swift authentication version. Specify "1" for auth 1.0, or
# "2" for auth 2.0 (string value)
#backup_swift_auth_version=1
# Swift tenant/account name. Required when connecting to an
# auth 2.0 system (string value)
#backup_swift_tenant=<None>
# Swift user name (string value)
#backup_swift_user=<None>
# Swift key for authentication (string value)
#backup_swift_key=<None>
# The default Swift container to use (string value)
#backup_swift_container=volumebackups
# The size in bytes of Swift backup objects (integer value)
#backup_swift_object_size=52428800
# The size in bytes that changes are tracked for incremental
# backups. backup_swift_object_size has to be multiple of
# backup_swift_block_size. (integer value)
#backup_swift_block_size=32768
# The number of retries to make for Swift operations (integer
# value)
#backup_swift_retry_attempts=3
# The backoff time in seconds between Swift retries (integer
# value)
#backup_swift_retry_backoff=2
# Enable or Disable the timer to send the periodic progress
# notifications to Ceilometer when backing up the volume to
# the Swift backend storage. The default value is True to
# enable the timer. (boolean value)
#backup_swift_enable_progress_timer=true
#
# Options defined in cinder.backup.drivers.tsm
#
# Volume prefix for the backup id when backing up to TSM
# (string value)
#backup_tsm_volume_prefix=backup
# TSM password for the running username (string value)
#backup_tsm_password=password
# Enable or Disable compression for backups (boolean value)
#backup_tsm_compression=true
#
# Options defined in cinder.backup.manager
#
# Driver to use for backups. (string value)
# Deprecated group/name - [DEFAULT]/backup_service
#backup_driver=cinder.backup.drivers.swift
#
# Options defined in cinder.cmd.volume
#
# Backend override of host value. (string value)
# Deprecated group/name - [DEFAULT]/host
#backend_host=<None>
#
# Options defined in cinder.cmd.volume_usage_audit
#
# If this option is specified then the start time specified is
# used instead of the start time of the last completed audit
# period. (string value)
#start_time=<None>
# If this option is specified then the end time specified is
# used instead of the end time of the last completed audit
# period. (string value)
#end_time=<None>
# Send the volume and snapshot create and delete notifications
# generated in the specified period. (boolean value)
#send_actions=false
#
# Options defined in cinder.common.config
#
# File name for the paste.deploy config for cinder-api (string
# value)
#api_paste_config=api-paste.ini
# Top-level directory for maintaining cinder's state (string
# value)
# Deprecated group/name - [DEFAULT]/pybasedir
#state_path=/var/lib/cinder
# IP address of this host (string value)
#my_ip=10.0.0.1
# Default glance host name or IP (string value)
#glance_host=$my_ip
# Default glance port (integer value)
#glance_port=9292
# A list of the glance API servers available to cinder
# ([hostname|ip]:port) (list value)
#glance_api_servers=$glance_host:$glance_port
# Version of the glance API to use (integer value)
#glance_api_version=1
# Number retries when downloading an image from glance
# (integer value)
#glance_num_retries=0
# Allow to perform insecure SSL (https) requests to glance
# (boolean value)
#glance_api_insecure=false
# Enables or disables negotiation of SSL layer compression. In
# some cases disabling compression can improve data
# throughput, such as when high network bandwidth is available
# and you use compressed image formats like qcow2. (boolean
# value)
#glance_api_ssl_compression=false
# Location of ca certificates file to use for glance client
# requests. (string value)
#glance_ca_certificates_file=<None>
# http/https timeout value for glance operations. If no value
# (None) is supplied here, the glanceclient default value is
# used. (integer value)
#glance_request_timeout=<None>
# The topic that scheduler nodes listen on (string value)
#scheduler_topic=cinder-scheduler
# The topic that volume nodes listen on (string value)
#volume_topic=cinder-volume
# The topic that volume backup nodes listen on (string value)
#backup_topic=cinder-backup
# DEPRECATED: Deploy v1 of the Cinder API. (boolean value)
#enable_v1_api=true
# Deploy v2 of the Cinder API. (boolean value)
#enable_v2_api=true
# Enables or disables rate limit of the API. (boolean value)
#api_rate_limit=true
# Specify list of extensions to load when using
# osapi_volume_extension option with
# cinder.api.contrib.select_extensions (list value)
#osapi_volume_ext_list=
# osapi volume extension to load (multi valued)
#osapi_volume_extension=cinder.api.contrib.standard_extensions
# Full class name for the Manager for volume (string value)
#volume_manager=cinder.volume.manager.VolumeManager
# Full class name for the Manager for volume backup (string
# value)
#backup_manager=cinder.backup.manager.BackupManager
# Full class name for the Manager for scheduler (string value)
#scheduler_manager=cinder.scheduler.manager.SchedulerManager
# Name of this node. This can be an opaque identifier. It is
# not necessarily a host name, FQDN, or IP address. (string
# value)
#host=cinder
# Availability zone of this node (string value)
#storage_availability_zone=nova
# Default availability zone for new volumes. If not set, the
# storage_availability_zone option value is used as the
# default for new volumes. (string value)
#default_availability_zone=<None>
# Default volume type to use (string value)
#default_volume_type=<None>
# Time period for which to generate volume usages. The options
# are hour, day, month, or year. (string value)
#volume_usage_audit_period=month
# Path to the rootwrap configuration file to use for running
# commands as root (string value)
#rootwrap_config=/etc/cinder/rootwrap.conf
# Enable monkey patching (boolean value)
#monkey_patch=false
# List of modules/decorators to monkey patch (list value)
#monkey_patch_modules=
# Maximum time since last check-in for a service to be
# considered up (integer value)
#service_down_time=60
# The full class name of the volume API class to use (string
# value)
#volume_api_class=cinder.volume.api.API
# The full class name of the volume backup API class (string
# value)
#backup_api_class=cinder.backup.api.API
# The strategy to use for auth. Supports noauth, keystone, and
# deprecated. (string value)
#auth_strategy=noauth
# A list of backend names to use. These backend names should
# be backed by a unique [CONFIG] group with its options (list
# value)
#enabled_backends=<None>
# Whether snapshots count against gigabyte quota (boolean
# value)
#no_snapshot_gb_quota=false
# The full class name of the volume transfer API class (string
# value)
#transfer_api_class=cinder.transfer.api.API
# The full class name of the volume replication API class
# (string value)
#replication_api_class=cinder.replication.api.API
# The full class name of the consistencygroup API class
# (string value)
#consistencygroup_api_class=cinder.consistencygroup.api.API
# OpenStack privileged account username. Used for requests to
# other services (such as Nova) that require an account with
# special rights. (string value)
#os_privileged_user_name=<None>
# Password associated with the OpenStack privileged account.
# (string value)
#os_privileged_user_password=<None>
# Tenant name associated with the OpenStack privileged
# account. (string value)
#os_privileged_user_tenant=<None>
#
# Options defined in cinder.compute
#
# The full class name of the compute API class to use (string
# value)
#compute_api_class=cinder.compute.nova.API
#
# Options defined in cinder.compute.nova
#
# Match this value when searching for nova in the service
# catalog. Format is: separated values of the form:
# <service_type>:<service_name>:<endpoint_type> (string value)
#nova_catalog_info=compute:Compute Service:publicURL
# Same as nova_catalog_info, but for admin endpoint. (string
# value)
#nova_catalog_admin_info=compute:Compute Service:adminURL
# Override service catalog lookup with template for nova
# endpoint e.g. http://localhost:8774/v2/%(project_id)s
# (string value)
#nova_endpoint_template=<None>
# Same as nova_endpoint_template, but for admin endpoint.
# (string value)
#nova_endpoint_admin_template=<None>
# Region name of this node (string value)
#os_region_name=<None>
# Location of ca certificates file to use for nova client
# requests. (string value)
#nova_ca_certificates_file=<None>
# Allow to perform insecure SSL requests to nova (boolean
# value)
#nova_api_insecure=false
#
# Options defined in cinder.db.api
#
# Services to be added to the available pool on create
# (boolean value)
#enable_new_services=true
# Template string to be used to generate volume names (string
# value)
#volume_name_template=volume-%s
# Template string to be used to generate snapshot names
# (string value)
#snapshot_name_template=snapshot-%s
# Template string to be used to generate backup names (string
# value)
#backup_name_template=backup-%s
#
# Options defined in cinder.db.base
#
# Driver to use for database access (string value)
#db_driver=cinder.db
#
# Options defined in cinder.image.glance
#
# Default core properties of image (list value)
#glance_core_properties=checksum,container_format,disk_format,image_name,image_id,min_disk,min_ram,name,size
# A list of url schemes that can be downloaded directly via
# the direct_url. Currently supported schemes: [file]. (list
# value)
#allowed_direct_url_schemes=
#
# Options defined in cinder.image.image_utils
#
# Directory used for temporary storage during image conversion
# (string value)
#image_conversion_dir=$state_path/conversion
#
# Options defined in cinder.openstack.common.eventlet_backdoor
#
# Enable eventlet backdoor. Acceptable values are 0, <port>,
# and <start>:<end>, where 0 results in listening on a random
# tcp port number; <port> results in listening on the
# specified port number (and not enabling backdoor if that
# port is in use); and <start>:<end> results in listening on
# the smallest unused port number within the specified range
# of port numbers. The chosen port is displayed in the
# service's log file. (string value)
#backdoor_port=<None>
#
# Options defined in cinder.openstack.common.periodic_task
#
# Some periodic tasks can be run in a separate process. Should
# we run them here? (boolean value)
#run_external_periodic_tasks=true
#
# Options defined in cinder.openstack.common.policy
#
# The JSON file that defines policies. (string value)
#policy_file=policy.json
# Default rule. Enforced when a requested rule is not found.
# (string value)
#policy_default_rule=default
# Directories where policy configuration files are stored.
# They can be relative to any directory in the search path
# defined by the config_dir option, or absolute paths. The
# file defined by policy_file must exist for these directories
# to be searched. Missing or empty directories are ignored.
# (multi valued)
#policy_dirs=policy.d
#
# Options defined in cinder.openstack.common.versionutils
#
# Enables or disables fatal status of deprecations. (boolean
# value)
#fatal_deprecations=false
#
# Options defined in cinder.scheduler.driver
#
# The scheduler host manager class to use (string value)
#scheduler_host_manager=cinder.scheduler.host_manager.HostManager
# Maximum number of attempts to schedule a volume (integer
# value)
#scheduler_max_attempts=3
#
# Options defined in cinder.scheduler.host_manager
#
# Which filter class names to use for filtering hosts when not
# specified in the request. (list value)
#scheduler_default_filters=AvailabilityZoneFilter,CapacityFilter,CapabilitiesFilter
# Which weigher class names to use for weighing hosts. (list
# value)
#scheduler_default_weighers=CapacityWeigher
#
# Options defined in cinder.scheduler.manager
#
# Default scheduler driver to use (string value)
#scheduler_driver=cinder.scheduler.filter_scheduler.FilterScheduler
#
# Options defined in cinder.scheduler.scheduler_options
#
# Absolute path to scheduler configuration JSON file. (string
# value)
#scheduler_json_config_location=
#
# Options defined in cinder.scheduler.simple
#
# This configure option has been deprecated along with the
# SimpleScheduler. New scheduler is able to gather capacity
# information for each host, thus setting the maximum number
# of volume gigabytes for host is no longer needed. It's safe
# to remove this configure from cinder.conf. (integer value)
#max_gigabytes=10000
#
# Options defined in cinder.scheduler.weights.capacity
#
# Multiplier used for weighing volume capacity. Negative
# numbers mean to stack vs spread. (floating point value)
#capacity_weight_multiplier=1.0
# Multiplier used for weighing volume capacity. Negative
# numbers mean to stack vs spread. (floating point value)
#allocated_capacity_weight_multiplier=-1.0
#
# Options defined in cinder.scheduler.weights.volume_number
#
# Multiplier used for weighing volume number. Negative numbers
# mean to spread vs stack. (floating point value)
#volume_number_multiplier=-1.0
#
# Options defined in cinder.transfer.api
#
# The number of characters in the salt. (integer value)
#volume_transfer_salt_length=8
# The number of characters in the autogenerated auth key.
# (integer value)
#volume_transfer_key_length=16
#
# Options defined in cinder.volume.api
#
# Cache volume availability zones in memory for the provided
# duration in seconds (integer value)
#az_cache_duration=3600
# Create volume from snapshot at the host where snapshot
# resides (boolean value)
#snapshot_same_host=true
# Ensure that the new volumes are the same AZ as snapshot or
# source volume (boolean value)
#cloned_volume_same_az=true
#
# Options defined in cinder.volume.driver
#
# The maximum number of times to rescan iSER target to find
# volume (integer value)
#num_iser_scan_tries=3
# This option is deprecated and unused. It will be removed in
# the Liberty release. (integer value)
#iser_num_targets=<None>
# Prefix for iSER volumes (string value)
#iser_target_prefix=iqn.2010-10.org.openstack:
# The IP address that the iSER daemon is listening on (string
# value)
#iser_ip_address=$my_ip
# The port that the iSER daemon is listening on (integer
# value)
#iser_port=3260
# The name of the iSER target user-land tool to use (string
# value)
#iser_helper=tgtadm
# Number of times to attempt to run flakey shell commands
# (integer value)
#num_shell_tries=3
# The percentage of backend capacity that is reserved (integer
# value)
#reserved_percentage=0
# This option is deprecated and unused. It will be removed in
# the Liberty release. (integer value)
#iscsi_num_targets=<None>
# Prefix for iSCSI volumes (string value)
#iscsi_target_prefix=iqn.2010-10.org.openstack:
# The IP address that the iSCSI daemon is listening on (string
# value)
#iscsi_ip_address=$my_ip
# The list of secondary IP addresses of the iSCSI daemon (list
# value)
#iscsi_secondary_ip_addresses=
# The port that the iSCSI daemon is listening on (integer
# value)
#iscsi_port=3260
# The maximum number of times to rescan targets to find volume
# (integer value)
# Deprecated group/name - [DEFAULT]/num_iscsi_scan_tries
#num_volume_device_scan_tries=3
# The backend name for a given driver implementation (string
# value)
#volume_backend_name=<None>
# Do we attach/detach volumes in cinder using multipath for
# volume to image and image to volume transfers? (boolean
# value)
#use_multipath_for_image_xfer=false
# If this is set to True, attachment of volumes for image
# transfer will be aborted when multipathd is not running.
# Otherwise, it will fallback to single path. (boolean value)
#enforce_multipath_for_image_xfer=false
# Method used to wipe old volumes (string value)
#volume_clear=zero
# Size in MiB to wipe at start of old volumes. 0 => all
# (integer value)
#volume_clear_size=0
# The flag to pass to ionice to alter the i/o priority of the
# process used to zero a volume after deletion, for example
# "-c3" for idle only priority. (string value)
#volume_clear_ionice=<None>
# iSCSI target user-land tool to use. tgtadm is default, use
# lioadm for LIO iSCSI support, scstadmin for SCST target
# support, iseradm for the ISER protocol, ietadm for iSCSI
# Enterprise Target, iscsictl for Chelsio iSCSI Target or fake
# for testing. (string value)
#iscsi_helper=tgtadm
# Volume configuration file storage directory (string value)
#volumes_dir=$state_path/volumes
# IET configuration file (string value)
#iet_conf=/etc/iet/ietd.conf
# Chiscsi (CXT) global defaults configuration file (string
# value)
#chiscsi_conf=/etc/chelsio-iscsi/chiscsi.conf
# This option is deprecated and unused. It will be removed in
# the next release. (string value)
#lio_initiator_iqns=
# Sets the behavior of the iSCSI target to either perform
# blockio or fileio optionally, auto can be set and Cinder
# will autodetect type of backing device (string value)
#iscsi_iotype=fileio
# The default block size used when copying/clearing volumes
# (string value)
#volume_dd_blocksize=1M
# The blkio cgroup name to be used to limit bandwidth of
# volume copy (string value)
#volume_copy_blkio_cgroup_name=cinder-volume-copy
# The upper limit of bandwidth of volume copy. 0 => unlimited
# (integer value)
#volume_copy_bps_limit=0
# Sets the behavior of the iSCSI target to either perform
# write-back(on) or write-through(off). This parameter is
# valid if iscsi_helper is set to tgtadm or iseradm. (string
# value)
#iscsi_write_cache=on
# Determines the iSCSI protocol for new iSCSI volumes, created
# with tgtadm or lioadm target helpers. In order to enable
# RDMA, this parameter should be set with the value "iser".
# The supported iSCSI protocol values are "iscsi" and "iser".
# (string value)
#iscsi_protocol=iscsi
# The path to the client certificate key for verification, if
# the driver supports it. (string value)
#driver_client_cert_key=<None>
# The path to the client certificate for verification, if the
# driver supports it. (string value)
#driver_client_cert=<None>
# Tell driver to use SSL for connection to backend storage if
# the driver supports it. (boolean value)
#driver_use_ssl=false
# Float representation of the over subscription ratio when
# thin provisioning is involved. Default ratio is 20.0,
# meaning provisioned capacity can be 20 times of the total
# physical capacity. If the ratio is 10.5, it means
# provisioned capacity can be 10.5 times of the total physical
# capacity. A ratio of 1.0 means provisioned capacity cannot
# exceed the total physical capacity. A ratio lower than 1.0
# will be ignored and the default value will be used instead.
# (floating point value)
#max_over_subscription_ratio=20.0
# Certain ISCSI targets have predefined target names, SCST
# target driver uses this name. (string value)
#scst_target_iqn_name=<None>
# SCST target implementation can choose from multiple SCST
# target drivers. (string value)
#scst_target_driver=iscsi
# Option to enable/disable CHAP authentication for targets.
# (boolean value)
# Deprecated group/name - [DEFAULT]/eqlx_use_chap
#use_chap_auth=false
# CHAP user name. (string value)
# Deprecated group/name - [DEFAULT]/eqlx_chap_login
#chap_username=
# Password for specified CHAP account name. (string value)
# Deprecated group/name - [DEFAULT]/eqlx_chap_password
#chap_password=
# Namespace for driver private data values to be saved in.
# (string value)
#driver_data_namespace=<None>
# String representation for an equation that will be used to
# filter hosts. Only used when the driver filter is set to be
# used by the Cinder scheduler. (string value)
#filter_function=<None>
# String representation for an equation that will be used to
# determine the goodness of a host. Only used when using the
# goodness weigher is set to be used by the Cinder scheduler.
# (string value)
#goodness_function=<None>
#
# Options defined in cinder.volume.drivers.block_device
#
# List of all available devices (list value)
#available_devices=
#
# Options defined in cinder.volume.drivers.cloudbyte.options
#
# These values will be used for CloudByte storage's addQos API
# call. (dict value)
#cb_add_qosgroup=latency:15,iops:10,graceallowed:false,iopscontrol:true,memlimit:0,throughput:0,tpcontrol:false,networkspeed:0
# Driver will use this API key to authenticate against the
# CloudByte storage's management interface. (string value)
#cb_apikey=None
# CloudByte storage specific account name. This maps to a
# project name in OpenStack. (string value)
#cb_account_name=None
# This corresponds to the name of Tenant Storage Machine (TSM)
# in CloudByte storage. A volume will be created in this TSM.
# (string value)
#cb_tsm_name=None
# A retry value in seconds. Will be used by the driver to
# check if volume creation was successful in CloudByte
# storage. (integer value)
#cb_confirm_volume_create_retry_interval=5
# Will confirm a successful volume creation in CloudByte
# storage by making this many number of attempts. (integer
# value)
#cb_confirm_volume_create_retries=3
# These values will be used for CloudByte storage's
# createVolume API call. (dict value)
#cb_create_volume=compression:off,deduplication:off,blocklength:512B,sync:always,protocoltype:ISCSI,recordsize:16k
#
# Options defined in cinder.volume.drivers.datera
#
# DEPRECATED: This will be removed in the Liberty release. Use
# san_login and san_password instead. This directly sets the
# Datera API token. (string value)
#datera_api_token=<None>
# Datera API port. (string value)
#datera_api_port=7717
# Datera API version. (string value)
#datera_api_version=1
# Number of replicas to create of an inode. (string value)
#datera_num_replicas=3
#
# Options defined in cinder.volume.drivers.dell.dell_storagecenter_common
#
# Storage Center System Serial Number (integer value)
#dell_sc_ssn=64702
# Dell API port (integer value)
#dell_sc_api_port=3033
# Name of the server folder to use on the Storage Center
# (string value)
#dell_sc_server_folder=openstack
# Name of the volume folder to use on the Storage Center
# (string value)
#dell_sc_volume_folder=openstack
#
# Options defined in cinder.volume.drivers.emc.emc_vmax_common
#
# Use this file for cinder emc plugin config data (string
# value)
#cinder_emc_config_file=/etc/cinder/cinder_emc_config.xml
#
# Options defined in cinder.volume.drivers.emc.emc_vnx_cli
#
# VNX authentication scope type. (string value)
#storage_vnx_authentication_type=global
# Directory path that contains the VNX security file. Make
# sure the security file is generated first. (string value)
#storage_vnx_security_file_dir=<None>
# Naviseccli Path. (string value)
#naviseccli_path=
# Storage pool name. (string value)
#storage_vnx_pool_name=<None>
# VNX secondary SP IP Address. (string value)
#san_secondary_ip=<None>
# Default timeout for CLI operations in minutes. For example,
# LUN migration is a typical long running operation, which
# depends on the LUN size and the load of the array. An upper
# bound in the specific deployment can be set to avoid
# unnecessary long wait. By default, it is 365 days long.
# (integer value)
#default_timeout=525600
# Default max number of LUNs in a storage group. By default,
# the value is 255. (integer value)
#max_luns_per_storage_group=255
# To destroy storage group when the last LUN is removed from
# it. By default, the value is False. (boolean value)
#destroy_empty_storage_group=false
# Mapping between hostname and its iSCSI initiator IP
# addresses. (string value)
#iscsi_initiators=
# Automatically register initiators. By default, the value is
# False. (boolean value)
#initiator_auto_registration=false
# Automatically deregister initiators after the related
# storage group is destroyed. By default, the value is False.
# (boolean value)
#initiator_auto_deregistration=false
# Report free_capacity_gb as 0 when the limit to maximum
# number of pool LUNs is reached. By default, the value is
# False. (boolean value)
#check_max_pool_luns_threshold=false
# Delete a LUN even if it is in Storage Groups. (boolean
# value)
#force_delete_lun_in_storagegroup=false
#
# Options defined in cinder.volume.drivers.emc.xtremio
#
# XMS cluster id in multi-cluster environment (string value)
#xtremio_cluster_name=
#
# Options defined in cinder.volume.drivers.eqlx
#
# Group name to use for creating volumes. Defaults to
# "group-0". (string value)
#eqlx_group_name=group-0
# Timeout for the Group Manager cli command execution. Default
# is 30. (integer value)
#eqlx_cli_timeout=30
# Maximum retry count for reconnection. Default is 5. (integer
# value)
#eqlx_cli_max_retries=5
# Use CHAP authentication for targets. Note that this option
# is deprecated in favour of "use_chap_auth" as specified in
# cinder/volume/driver.py and will be removed in next release.
# (boolean value)
#eqlx_use_chap=false
# Existing CHAP account name. Note that this option is
# deprecated in favour of "chap_username" as specified in
# cinder/volume/driver.py and will be removed in next release.
# (string value)
#eqlx_chap_login=admin
# Password for specified CHAP account name. Note that this
# option is deprecated in favour of "chap_password" as
# specified in cinder/volume/driver.py and will be removed in
# the next release (string value)
#eqlx_chap_password=password
# Pool in which volumes will be created. Defaults to
# "default". (string value)
#eqlx_pool=default
#
# Options defined in cinder.volume.drivers.glusterfs
#
# File with the list of available gluster shares (string
# value)
#glusterfs_shares_config=/etc/cinder/glusterfs_shares
# Create volumes as sparsed files which take no space. If set
# to False volume is created as regular file. In such case
# volume creation takes a lot of time. (boolean value)
#glusterfs_sparsed_volumes=true
# Create volumes as QCOW2 files rather than raw files.
# (boolean value)
#glusterfs_qcow2_volumes=false
# Base dir containing mount points for gluster shares. (string
# value)
#glusterfs_mount_point_base=$state_path/mnt
#
# Options defined in cinder.volume.drivers.hds.hds
#
# The configuration file for the Cinder HDS driver for HUS
# (string value)
#hds_cinder_config_file=/opt/hds/hus/cinder_hus_conf.xml
#
# Options defined in cinder.volume.drivers.hds.iscsi
#
# Configuration file for HDS iSCSI cinder plugin (string
# value)
#hds_hnas_iscsi_config_file=/opt/hds/hnas/cinder_iscsi_conf.xml
#
# Options defined in cinder.volume.drivers.hds.nfs
#
# Configuration file for HDS NFS cinder plugin (string value)
#hds_hnas_nfs_config_file=/opt/hds/hnas/cinder_nfs_conf.xml
#
# Options defined in cinder.volume.drivers.hitachi.hbsd_common
#
# Serial number of storage system (string value)
#hitachi_serial_number=<None>
# Name of an array unit (string value)
#hitachi_unit_name=<None>
# Pool ID of storage system (integer value)
#hitachi_pool_id=<None>
# Thin pool ID of storage system (integer value)
#hitachi_thin_pool_id=<None>
# Range of logical device of storage system (string value)
#hitachi_ldev_range=<None>
# Default copy method of storage system (string value)
#hitachi_default_copy_method=FULL
# Copy speed of storage system (integer value)
#hitachi_copy_speed=3
# Interval to check copy (integer value)
#hitachi_copy_check_interval=3
# Interval to check copy asynchronously (integer value)
#hitachi_async_copy_check_interval=10
# Control port names for HostGroup or iSCSI Target (string
# value)
#hitachi_target_ports=<None>
# Range of group number (string value)
#hitachi_group_range=<None>
# Request for creating HostGroup or iSCSI Target (boolean
# value)
#hitachi_group_request=false
#
# Options defined in cinder.volume.drivers.hitachi.hbsd_fc
#
# Request for FC Zone creating HostGroup (boolean value)
#hitachi_zoning_request=false
#
# Options defined in cinder.volume.drivers.hitachi.hbsd_horcm
#
# Instance numbers for HORCM (string value)
#hitachi_horcm_numbers=200,201
# Username of storage system for HORCM (string value)
#hitachi_horcm_user=<None>
# Password of storage system for HORCM (string value)
#hitachi_horcm_password=<None>
# Add to HORCM configuration (boolean value)
#hitachi_horcm_add_conf=true
#
# Options defined in cinder.volume.drivers.hitachi.hbsd_iscsi
#
# Add CHAP user (boolean value)
#hitachi_add_chap_user=false
# iSCSI authentication method (string value)
#hitachi_auth_method=<None>
# iSCSI authentication username (string value)
#hitachi_auth_user=HBSD-CHAP-user
# iSCSI authentication password (string value)
#hitachi_auth_password=HBSD-CHAP-password
#
# Options defined in cinder.volume.drivers.huawei
#
# The configuration file for the Cinder Huawei driver (string
# value)
#cinder_huawei_conf_file=/etc/cinder/cinder_huawei_conf.xml
#
# Options defined in cinder.volume.drivers.ibm.flashsystem
#
# Connection protocol should be FC. (string value)
#flashsystem_connection_protocol=FC
# Connect with multipath (FC only). (boolean value)
#flashsystem_multipath_enabled=false
# Allows vdisk to multi host mapping. (boolean value)
#flashsystem_multihostmap_enabled=true
#
# Options defined in cinder.volume.drivers.ibm.gpfs
#
# Specifies the path of the GPFS directory where Block Storage
# volume and snapshot files are stored. (string value)
#gpfs_mount_point_base=<None>
# Specifies the path of the Image service repository in GPFS.
# Leave undefined if not storing images in GPFS. (string
# value)
#gpfs_images_dir=<None>
# Specifies the type of image copy to be used. Set this when
# the Image service repository also uses GPFS so that image
# files can be transferred efficiently from the Image service
# to the Block Storage service. There are two valid values:
# "copy" specifies that a full copy of the image is made;
# "copy_on_write" specifies that copy-on-write optimization
# strategy is used and unmodified blocks of the image file are
# shared efficiently. (string value)
#gpfs_images_share_mode=<None>
# Specifies an upper limit on the number of indirections
# required to reach a specific block due to snapshots or
# clones. A lengthy chain of copy-on-write snapshots or
# clones can have a negative impact on performance, but
# improves space utilization. 0 indicates unlimited clone
# depth. (integer value)
#gpfs_max_clone_depth=0
# Specifies that volumes are created as sparse files which
# initially consume no space. If set to False, the volume is
# created as a fully allocated file, in which case, creation
# may take a significantly longer time. (boolean value)
#gpfs_sparse_volumes=true
# Specifies the storage pool that volumes are assigned to. By
# default, the system storage pool is used. (string value)
#gpfs_storage_pool=system
#
# Options defined in cinder.volume.drivers.ibm.ibmnas
#
# IBMNAS platform type to be used as backend storage; valid
# values are - v7ku : for using IBM Storwize V7000 Unified,
# sonas : for using IBM Scale Out NAS, gpfs-nas : for using
# NFS based IBM GPFS deployments. (string value)
#ibmnas_platform_type=v7ku
#
# Options defined in cinder.volume.drivers.ibm.storwize_svc
#
# Storage system storage pool for volumes (string value)
#storwize_svc_volpool_name=volpool
# Storage system space-efficiency parameter for volumes
# (percentage) (integer value)
#storwize_svc_vol_rsize=2
# Storage system threshold for volume capacity warnings
# (percentage) (integer value)
#storwize_svc_vol_warning=0
# Storage system autoexpand parameter for volumes (True/False)
# (boolean value)
#storwize_svc_vol_autoexpand=true
# Storage system grain size parameter for volumes
# (32/64/128/256) (integer value)
#storwize_svc_vol_grainsize=256
# Storage system compression option for volumes (boolean
# value)
#storwize_svc_vol_compression=false
# Enable Easy Tier for volumes (boolean value)
#storwize_svc_vol_easytier=true
# The I/O group in which to allocate volumes (integer value)
#storwize_svc_vol_iogrp=0
# Maximum number of seconds to wait for FlashCopy to be
# prepared. Maximum value is 600 seconds (10 minutes) (integer
# value)
#storwize_svc_flashcopy_timeout=120
# Connection protocol (iSCSI/FC) (string value)
#storwize_svc_connection_protocol=iSCSI
# Configure CHAP authentication for iSCSI connections
# (Default: Enabled) (boolean value)
#storwize_svc_iscsi_chap_enabled=true
# Connect with multipath (FC only; iSCSI multipath is
# controlled by Nova) (boolean value)
#storwize_svc_multipath_enabled=false
# Allows vdisk to multi host mapping (boolean value)
#storwize_svc_multihostmap_enabled=true
# Indicate whether svc driver is compatible for NPIV setup. If
# it is compatible, it will allow no wwpns being returned on
# get_conn_fc_wwpns during initialize_connection (boolean
# value)
#storwize_svc_npiv_compatibility_mode=false
# Allow tenants to specify QOS on create (boolean value)
#storwize_svc_allow_tenant_qos=false
# If operating in stretched cluster mode, specify the name of
# the pool in which mirrored copies are stored. Example:
# "pool2" (string value)
#storwize_svc_stretched_cluster_partner=<None>
#
# Options defined in cinder.volume.drivers.ibm.xiv_ds8k
#
# Proxy driver that connects to the IBM Storage Array (string
# value)
#xiv_ds8k_proxy=xiv_ds8k_openstack.nova_proxy.XIVDS8KNovaProxy
# Connection type to the IBM Storage Array (string value)
#xiv_ds8k_connection_type=iscsi
# CHAP authentication mode, effective only for iscsi
# (disabled|enabled) (string value)
#xiv_chap=disabled
#
# Options defined in cinder.volume.drivers.lvm
#
# Name for the VG that will contain exported volumes (string
# value)
#volume_group=cinder-volumes
# If >0, create LVs with multiple mirrors. Note that this
# requires lvm_mirrors + 2 PVs with available space (integer
# value)
#lvm_mirrors=0
# Type of LVM volumes to deploy (string value)
#lvm_type=default
# LVM conf file to use for the LVM driver in Cinder; this
# setting is ignored if the specified file does not exist (You
# can also specify 'None' to not use a conf file even if one
# exists). (string value)
#lvm_conf_file=/etc/cinder/lvm.conf
#
# Options defined in cinder.volume.drivers.netapp.options
#
# The vFiler unit on which provisioning of block storage
# volumes will be done. This option is only used by the driver
# when connecting to an instance with a storage family of Data
# ONTAP operating in 7-Mode. Only use this option when
# utilizing the MultiStore feature on the NetApp storage
# system. (string value)
#netapp_vfiler=<None>
# The name of the config.conf stanza for a Data ONTAP (7-mode)
# HA partner. This option is only used by the driver when
# connecting to an instance with a storage family of Data
# ONTAP operating in 7-Mode, and it is required if the storage
# protocol selected is FC. (string value)
#netapp_partner_backend_name=<None>
# Administrative user account name used to access the storage
# system or proxy server. (string value)
#netapp_login=<None>
# Password for the administrative user account specified in
# the netapp_login option. (string value)
#netapp_password=<None>
# This option specifies the virtual storage server (Vserver)
# name on the storage cluster on which provisioning of block
# storage volumes should occur. (string value)
#netapp_vserver=<None>
# The hostname (or IP address) for the storage system or proxy
# server. (string value)
#netapp_server_hostname=<None>
# The TCP port to use for communication with the storage
# system or proxy server. If not specified, Data ONTAP drivers
# will use 80 for HTTP and 443 for HTTPS; E-Series will use
# 8080 for HTTP and 8443 for HTTPS. (integer value)
#netapp_server_port=<None>
# This option is used to specify the path to the E-Series
# proxy application on a proxy server. The value is combined
# with the value of the netapp_transport_type,
# netapp_server_hostname, and netapp_server_port options to
# create the URL used by the driver to connect to the proxy
# application. (string value)
#netapp_webservice_path=/devmgr/v2
# This option is only utilized when the storage family is
# configured to eseries. This option is used to restrict
# provisioning to the specified controllers. Specify the value
# of this option to be a comma separated list of controller
# hostnames or IP addresses to be used for provisioning.
# (string value)
#netapp_controller_ips=<None>
# Password for the NetApp E-Series storage array. (string
# value)
#netapp_sa_password=<None>
# This option is used to restrict provisioning to the
# specified storage pools. Only dynamic disk pools are
# currently supported. Specify the value of this option to be
# a comma separated list of disk pool names to be used for
# provisioning. (string value)
#netapp_storage_pools=<None>
# This option is used to define how the controllers in the
# E-Series storage array will work with the particular
# operating system on the hosts that are connected to it.
# (string value)
#netapp_eseries_host_type=linux_dm_mp
# If the percentage of available space for an NFS share has
# dropped below the value specified by this option, the NFS
# image cache will be cleaned. (integer value)
#thres_avl_size_perc_start=20
# When the percentage of available space on an NFS share has
# reached the percentage specified by this option, the driver
# will stop clearing files from the NFS image cache that have
# not been accessed in the last M minutes, where M is the
# value of the expiry_thres_minutes configuration option.
# (integer value)
#thres_avl_size_perc_stop=60
# This option specifies the threshold for last access time for
# images in the NFS image cache. When a cache cleaning cycle
# begins, images in the cache that have not been accessed in
# the last M minutes, where M is the value of this parameter,
# will be deleted from the cache to create free space on the
# NFS share. (integer value)
#expiry_thres_minutes=720
# This option specifies the path of the NetApp copy offload
# tool binary. Ensure that the binary has execute permissions
# set which allow the effective user of the cinder-volume
# process to execute the file. (string value)
#netapp_copyoffload_tool_path=<None>
# The quantity to be multiplied by the requested volume size
# to ensure enough space is available on the virtual storage
# server (Vserver) to fulfill the volume creation request.
# (floating point value)
#netapp_size_multiplier=1.2
# This option is only utilized when the storage protocol is
# configured to use iSCSI or FC. This option is used to
# restrict provisioning to the specified controller volumes.
# Specify the value of this option to be a comma separated
# list of NetApp controller volume names to be used for
# provisioning. (string value)
#netapp_volume_list=<None>
# The storage family type used on the storage system; valid
# values are ontap_7mode for using Data ONTAP operating in
# 7-Mode, ontap_cluster for using clustered Data ONTAP, or
# eseries for using E-Series. (string value)
#netapp_storage_family=ontap_cluster
# The storage protocol to be used on the data path with the
# storage system. (string value)
#netapp_storage_protocol=<None>
# The transport protocol used when communicating with the
# storage system or proxy server. (string value)
#netapp_transport_type=http
#
# Options defined in cinder.volume.drivers.nfs
#
# File with the list of available nfs shares (string value)
#nfs_shares_config=/etc/cinder/nfs_shares
# Create volumes as sparsed files which take no space. If set
# to False volume is created as regular file. In such case
# volume creation takes a lot of time. (boolean value)
#nfs_sparsed_volumes=true
# Percent of ACTUAL usage of the underlying volume before no
# new volumes can be allocated to the volume destination.
# (floating point value)
#nfs_used_ratio=0.95
# This will compare the allocated to available space on the
# volume destination. If the ratio exceeds this number, the
# destination will no longer be valid. (floating point value)
#nfs_oversub_ratio=1.0
# Base dir containing mount points for nfs shares. (string
# value)
#nfs_mount_point_base=$state_path/mnt
# Mount options passed to the nfs client. See section of the
# nfs man page for details. (string value)
#nfs_mount_options=<None>
# The number of attempts to mount nfs shares before raising an
# error. At least one attempt will be made to mount an nfs
# share, regardless of the value specified. (integer value)
#nfs_mount_attempts=3
#
# Options defined in cinder.volume.drivers.nimble
#
# Nimble Controller pool name (string value)
#nimble_pool_name=default
# Nimble Subnet Label (string value)
#nimble_subnet_label=*
#
# Options defined in cinder.volume.drivers.openvstorage
#
# Vpool to use for volumes - backend is defined by vpool not
# by us. (string value)
#vpool_name=
#
# Options defined in cinder.volume.drivers.prophetstor.options
#
# DPL pool uuid in which DPL volumes are stored. (string
# value)
#dpl_pool=
# DPL port number. (integer value)
#dpl_port=8357
#
# Options defined in cinder.volume.drivers.pure
#
# REST API authorization token. (string value)
#pure_api_token=<None>
#
# Options defined in cinder.volume.drivers.quobyte
#
# URL to the Quobyte volume e.g., quobyte://<DIR host>/<volume
# name> (string value)
#quobyte_volume_url=<None>
# Path to a Quobyte Client configuration file. (string value)
#quobyte_client_cfg=<None>
# Create volumes as sparse files which take no space. If set
# to False, volume is created as regular file. In such case
# volume creation takes a lot of time. (boolean value)
#quobyte_sparsed_volumes=true
# Create volumes as QCOW2 files rather than raw files.
# (boolean value)
#quobyte_qcow2_volumes=true
# Base dir containing the mount point for the Quobyte volume.
# (string value)
#quobyte_mount_point_base=$state_path/mnt
#
# Options defined in cinder.volume.drivers.rbd
#
# The RADOS pool where rbd volumes are stored (string value)
#rbd_pool=rbd
# The RADOS client name for accessing rbd volumes - only set
# when using cephx authentication (string value)
#rbd_user=<None>
# Path to the ceph configuration file (string value)
#rbd_ceph_conf=
# Flatten volumes created from snapshots to remove dependency
# from volume to snapshot (boolean value)
#rbd_flatten_volume_from_snapshot=false
# The libvirt uuid of the secret for the rbd_user volumes
# (string value)
#rbd_secret_uuid=<None>
# Directory where temporary image files are stored when the
# volume driver does not write them directly to the volume.
# Warning: this option is now deprecated, please use
# image_conversion_dir instead. (string value)
#volume_tmp_dir=<None>
# Maximum number of nested volume clones that are taken before
# a flatten occurs. Set to 0 to disable cloning. (integer
# value)
#rbd_max_clone_depth=5
# Volumes will be chunked into objects of this size (in
# megabytes). (integer value)
#rbd_store_chunk_size=4
# Timeout value (in seconds) used when connecting to ceph
# cluster. If value < 0, no timeout is set and default
# librados value is used. (integer value)
#rados_connect_timeout=-1
#
# Options defined in cinder.volume.drivers.remotefs
#
# IP address or Hostname of NAS system. (string value)
#nas_ip=
# User name to connect to NAS system. (string value)
#nas_login=admin
# Password to connect to NAS system. (string value)
#nas_password=
# SSH port to use to connect to NAS system. (integer value)
#nas_ssh_port=22
# Filename of private key to use for SSH authentication.
# (string value)
#nas_private_key=
# Allow network-attached storage systems to operate in a
# secure environment where root level access is not permitted.
# If set to False, access is as the root user and insecure. If
# set to True, access is not as root. If set to auto, a check
# is done to determine if this is a new installation: True is
# used if so, otherwise False. Default is auto. (string value)
#nas_secure_file_operations=auto
# Set more secure file permissions on network-attached storage
# volume files to restrict broad other/world access. If set to
# False, volumes are created with open permissions. If set to
# True, volumes are created with permissions for the cinder
# user and group (660). If set to auto, a check is done to
# determine if this is a new installation: True is used if so,
# otherwise False. Default is auto. (string value)
#nas_secure_file_permissions=auto
# Path to the share to use for storing Cinder volumes. For
# example: "/srv/export1" for an NFS server export available
# at 10.0.5.10:/srv/export1 . (string value)
#nas_share_path=
# Options used to mount the storage backend file system where
# Cinder volumes are stored. (string value)
#nas_mount_options=<None>
#
# Options defined in cinder.volume.drivers.san.hp.hp_3par_common
#
# 3PAR WSAPI Server Url like https://<3par ip>:8080/api/v1
# (string value)
#hp3par_api_url=
# 3PAR Super user username (string value)
#hp3par_username=
# 3PAR Super user password (string value)
#hp3par_password=
# List of the CPG(s) to use for volume creation (list value)
#hp3par_cpg=OpenStack
# The CPG to use for Snapshots for volumes. If empty the
# userCPG will be used. (string value)
#hp3par_cpg_snap=
# The time in hours to retain a snapshot. You can't delete it
# before this expires. (string value)
#hp3par_snapshot_retention=
# The time in hours when a snapshot expires and is deleted.
# This must be larger than expiration (string value)
#hp3par_snapshot_expiration=
# Enable HTTP debugging to 3PAR (boolean value)
#hp3par_debug=false
# List of target iSCSI addresses to use. (list value)
#hp3par_iscsi_ips=
# Enable CHAP authentication for iSCSI connections. (boolean
# value)
#hp3par_iscsi_chap_enabled=false
#
# Options defined in cinder.volume.drivers.san.hp.hp_lefthand_rest_proxy
#
# HP LeftHand WSAPI Server Url like https://<LeftHand
# ip>:8081/lhos (string value)
#hplefthand_api_url=<None>
# HP LeftHand Super user username (string value)
#hplefthand_username=<None>
# HP LeftHand Super user password (string value)
#hplefthand_password=<None>
# HP LeftHand cluster name (string value)
#hplefthand_clustername=<None>
# Configure CHAP authentication for iSCSI connections
# (Default: Disabled) (boolean value)
#hplefthand_iscsi_chap_enabled=false
# Enable HTTP debugging to LeftHand (boolean value)
#hplefthand_debug=false
#
# Options defined in cinder.volume.drivers.san.san
#
# Use thin provisioning for SAN volumes? (boolean value)
#san_thin_provision=true
# IP address of SAN controller (string value)
#san_ip=
# Username for SAN controller (string value)
#san_login=admin
# Password for SAN controller (string value)
#san_password=
# Filename of private key to use for SSH authentication
# (string value)
#san_private_key=
# Cluster name to use for creating volumes (string value)
#san_clustername=
# SSH port to use with SAN (integer value)
#san_ssh_port=22
# Execute commands locally instead of over SSH; use if the
# volume service is running on the SAN device (boolean value)
#san_is_local=false
# SSH connection timeout in seconds (integer value)
#ssh_conn_timeout=30
# Minimum ssh connections in the pool (integer value)
#ssh_min_pool_conn=1
# Maximum ssh connections in the pool (integer value)
#ssh_max_pool_conn=5
#
# Options defined in cinder.volume.drivers.scality
#
# Path or URL to Scality SOFS configuration file (string
# value)
#scality_sofs_config=<None>
# Base dir where Scality SOFS shall be mounted (string value)
#scality_sofs_mount_point=$state_path/scality
# Path from Scality SOFS root to volume dir (string value)
#scality_sofs_volume_dir=cinder/volumes
#
# Options defined in cinder.volume.drivers.smbfs
#
# File with the list of available smbfs shares. (string value)
#smbfs_shares_config=/etc/cinder/smbfs_shares
# Default format that will be used when creating volumes if no
# volume format is specified. (string value)
#smbfs_default_volume_format=qcow2
# Create volumes as sparsed files which take no space rather
# than regular files when using raw format, in which case
# volume creation takes a lot of time. (boolean value)
#smbfs_sparsed_volumes=true
# Percent of ACTUAL usage of the underlying volume before no
# new volumes can be allocated to the volume destination.
# (floating point value)
#smbfs_used_ratio=0.95
# This will compare the allocated to available space on the
# volume destination. If the ratio exceeds this number, the
# destination will no longer be valid. (floating point value)
#smbfs_oversub_ratio=1.0
# Base dir containing mount points for smbfs shares. (string
# value)
#smbfs_mount_point_base=$state_path/mnt
# Mount options passed to the smbfs client. See mount.cifs man
# page for details. (string value)
#smbfs_mount_options=noperm,file_mode=0775,dir_mode=0775
#
# Options defined in cinder.volume.drivers.solidfire
#
# Set 512 byte emulation on volume creation; (boolean value)
#sf_emulate_512=true
# Allow tenants to specify QOS on create (boolean value)
#sf_allow_tenant_qos=false
# Create SolidFire accounts with this prefix. Any string can
# be used here, but the string "hostname" is special and will
# create a prefix using the cinder node hostname (previous
# default behavior). The default is NO prefix. (string value)
#sf_account_prefix=<None>
# Account name on the SolidFire Cluster to use as owner of
# template/cache volumes (created if does not exist). (string
# value)
#sf_template_account_name=openstack-vtemplate
# Create an internal cache of copy of images when a bootable
# volume is created to eliminate fetch from glance and qemu-
# conversion on subsequent calls. (boolean value)
#sf_allow_template_caching=true
# SolidFire API port. Useful if the device api is behind a
# proxy on a different port. (integer value)
#sf_api_port=443
#
# Options defined in cinder.volume.drivers.srb
#
# Comma-separated list of REST servers IP to connect to. (e.g.
# http://IP1/,http://IP2:81/path) (string value)
#srb_base_urls=<None>
#
# Options defined in cinder.volume.drivers.violin.v6000_common
#
# IP address or hostname of mg-a (string value)
#gateway_mga=<None>
# IP address or hostname of mg-b (string value)
#gateway_mgb=<None>
# Use igroups to manage targets and initiators (boolean value)
#use_igroups=false
# Global backend request timeout, in seconds (integer value)
#request_timeout=300
#
# Options defined in cinder.volume.drivers.vmware.vmdk
#
# IP address for connecting to VMware ESX/VC server. (string
# value)
#vmware_host_ip=<None>
# Username for authenticating with VMware ESX/VC server.
# (string value)
#vmware_host_username=<None>
# Password for authenticating with VMware ESX/VC server.
# (string value)
#vmware_host_password=<None>
# Optional VIM service WSDL Location e.g
# http://<server>/vimService.wsdl. Optional over-ride to
# default location for bug work-arounds. (string value)
#vmware_wsdl_location=<None>
# Number of times VMware ESX/VC server API must be retried
# upon connection related issues. (integer value)
#vmware_api_retry_count=10
# The interval (in seconds) for polling remote tasks invoked
# on VMware ESX/VC server. (floating point value)
#vmware_task_poll_interval=0.5
# Name for the folder in the VC datacenter that will contain
# cinder volumes. (string value)
#vmware_volume_folder=cinder-volumes
# Timeout in seconds for VMDK volume transfer between Cinder
# and Glance. (integer value)
#vmware_image_transfer_timeout_secs=7200
# Max number of objects to be retrieved per batch. Query
# results will be obtained in batches from the server and not
# in one shot. Server may still limit the count to something
# less than the configured value. (integer value)
#vmware_max_objects_retrieval=100
# Optional string specifying the VMware VC server version. The
# driver attempts to retrieve the version from VMware VC
# server. Set this configuration only if you want to override
# the VC server version. (string value)
#vmware_host_version=<None>
# Directory where virtual disks are stored during volume
# backup and restore. (string value)
#vmware_tmp_dir=/tmp
#
# Options defined in cinder.volume.drivers.windows.windows
#
# Path to store VHD backed volumes (string value)
#windows_iscsi_lun_path=C:\iSCSIVirtualDisks
#
# Options defined in cinder.volume.drivers.xio
#
# Default storage pool for volumes. (integer value)
#ise_storage_pool=1
# Raid level for ISE volumes. (integer value)
#ise_raid=1
# Number of retries (per port) when establishing connection to
# ISE management port. (integer value)
#ise_connection_retries=5
# Interval (secs) between retries. (integer value)
#ise_retry_interval=1
# Number of retries to get completion status after issuing a
# command to ISE. (integer value)
#ise_completion_retries=30
#
# Options defined in cinder.volume.drivers.zfssa.zfssanfs
#
# Data path IP address (string value)
#zfssa_data_ip=<None>
# HTTPS port number (string value)
#zfssa_https_port=443
# Options to be passed while mounting share over nfs (string
# value)
#zfssa_nfs_mount_options=
# Storage pool name. (string value)
#zfssa_nfs_pool=
# Project name. (string value)
#zfssa_nfs_project=NFSProject
# Share name. (string value)
#zfssa_nfs_share=nfs_share
# Data compression. (string value)
#zfssa_nfs_share_compression=off
# Synchronous write bias-latency, throughput. (string value)
#zfssa_nfs_share_logbias=latency
# REST connection timeout. (seconds) (integer value)
#zfssa_rest_timeout=<None>
#
# Options defined in cinder.volume.manager
#
# Driver to use for volume creation (string value)
#volume_driver=cinder.volume.drivers.lvm.LVMISCSIDriver
# Timeout for creating the volume to migrate to when
# performing volume migration (seconds) (integer value)
#migration_create_volume_timeout_secs=300
# Offload pending volume delete during volume service startup
# (boolean value)
#volume_service_inithost_offload=false
# FC Zoning mode configured (string value)
#zoning_mode=none
# User defined capabilities, a JSON formatted string
# specifying key/value pairs. The key/value pairs can be used
# by the CapabilitiesFilter to select between backends when
# requests specify volume types. For example, specifying a
# service level or the geographical location of a backend,
# then creating a volume type to allow the user to select by
# these different properties. (string value)
#extra_capabilities={}
[BRCD_FABRIC_EXAMPLE]
#
# Options defined in cinder.zonemanager.drivers.brocade.brcd_fabric_opts
#
# Management IP of fabric (string value)
#fc_fabric_address=
# Fabric user ID (string value)
#fc_fabric_user=
# Password for user (string value)
#fc_fabric_password=
# Connecting port (integer value)
#fc_fabric_port=22
# overridden zoning policy (string value)
#zoning_policy=initiator-target
# overridden zoning activation state (boolean value)
#zone_activate=true
# overridden zone name prefix (string value)
#zone_name_prefix=<None>
# Principal switch WWN of the fabric (string value)
#principal_switch_wwn=<None>
[CISCO_FABRIC_EXAMPLE]
#
# Options defined in cinder.zonemanager.drivers.cisco.cisco_fabric_opts
#
# Management IP of fabric (string value)
#cisco_fc_fabric_address=
# Fabric user ID (string value)
#cisco_fc_fabric_user=
# Password for user (string value)
#cisco_fc_fabric_password=
# Connecting port (integer value)
#cisco_fc_fabric_port=22
# overridden zoning policy (string value)
#cisco_zoning_policy=initiator-target
# overridden zoning activation state (boolean value)
#cisco_zone_activate=true
# overridden zone name prefix (string value)
#cisco_zone_name_prefix=<None>
# VSAN of the Fabric (string value)
#cisco_zoning_vsan=<None>
[database]
#
# Options defined in oslo.db.concurrency
#
# Enable the experimental use of thread pooling for all DB API
# calls (boolean value)
# Deprecated group/name - [DEFAULT]/dbapi_use_tpool
#use_tpool=false
[fc-zone-manager]
#
# Options defined in cinder.zonemanager.drivers.brocade.brcd_fc_zone_driver
#
# Southbound connector for zoning operation (string value)
#brcd_sb_connector=cinder.zonemanager.drivers.brocade.brcd_fc_zone_client_cli.BrcdFCZoneClientCLI
#
# Options defined in cinder.zonemanager.drivers.cisco.cisco_fc_zone_driver
#
# Southbound connector for zoning operation (string value)
#cisco_sb_connector=cinder.zonemanager.drivers.cisco.cisco_fc_zone_client_cli.CiscoFCZoneClientCLI
#
# Options defined in cinder.zonemanager.fc_zone_manager
#
# FC Zone Driver responsible for zone management (string
# value)
#zone_driver=cinder.zonemanager.drivers.brocade.brcd_fc_zone_driver.BrcdFCZoneDriver
# Zoning policy configured by user; valid values include
# "initiator-target" or "initiator" (string value)
#zoning_policy=initiator-target
# Comma separated list of Fibre Channel fabric names. This
# list of names is used to retrieve other SAN credentials for
# connecting to each SAN fabric (string value)
#fc_fabric_names=<None>
# FC SAN Lookup Service (string value)
#fc_san_lookup_service=cinder.zonemanager.drivers.brocade.brcd_fc_san_lookup_service.BrcdFCSanLookupService
[keymgr]
#
# Options defined in cinder.keymgr
#
# The full class name of the key manager API class (string
# value)
#api_class=cinder.keymgr.conf_key_mgr.ConfKeyManager
#
# Options defined in cinder.keymgr.conf_key_mgr
#
# Fixed key returned by key manager, specified in hex (string
# value)
#fixed_key=<None>
#
# Options defined in cinder.keymgr.key_mgr
#
# Authentication url for encryption service. (string value)
#encryption_auth_url=http://localhost:5000/v3
# Url for encryption service. (string value)
#encryption_api_url=http://localhost:9311/v1
[keystone_authtoken]
#
# Options defined in keystonemiddleware.auth_token
#
# Complete public Identity API endpoint. (string value)
#auth_uri=<None>
# API version of the admin Identity API endpoint. (string
# value)
#auth_version=<None>
# Do not handle authorization requests within the middleware,
# but delegate the authorization decision to downstream WSGI
# components. (boolean value)
#delay_auth_decision=false
# Request timeout value for communicating with Identity API
# server. (integer value)
#http_connect_timeout=<None>
# How many times are we trying to reconnect when communicating
# with Identity API Server. (integer value)
#http_request_max_retries=3
# Env key for the swift cache. (string value)
#cache=<None>
# Required if identity server requires client certificate
# (string value)
#certfile=<None>
# Required if identity server requires client certificate
# (string value)
#keyfile=<None>
# A PEM encoded Certificate Authority to use when verifying
# HTTPs connections. Defaults to system CAs. (string value)
#cafile=<None>
# Verify HTTPS connections. (boolean value)
#insecure=false
# Directory used to cache files related to PKI tokens. (string
# value)
#signing_dir=<None>
# Optionally specify a list of memcached server(s) to use for
# caching. If left undefined, tokens will instead be cached
# in-process. (list value)
# Deprecated group/name - [DEFAULT]/memcache_servers
#memcached_servers=<None>
# In order to prevent excessive effort spent validating
# tokens, the middleware caches previously-seen tokens for a
# configurable duration (in seconds). Set to -1 to disable
# caching completely. (integer value)
#token_cache_time=300
# Determines the frequency at which the list of revoked tokens
# is retrieved from the Identity service (in seconds). A high
# number of revocation events combined with a low cache
# duration may significantly reduce performance. (integer
# value)
#revocation_cache_time=10
# (Optional) If defined, indicate whether token data should be
# authenticated or authenticated and encrypted. Acceptable
# values are MAC or ENCRYPT. If MAC, token data is
# authenticated (with HMAC) in the cache. If ENCRYPT, token
# data is encrypted and authenticated in the cache. If the
# value is not one of these options or empty, auth_token will
# raise an exception on initialization. (string value)
#memcache_security_strategy=<None>
# (Optional, mandatory if memcache_security_strategy is
# defined) This string is used for key derivation. (string
# value)
#memcache_secret_key=<None>
# (Optional) Number of seconds memcached server is considered
# dead before it is tried again. (integer value)
#memcache_pool_dead_retry=300
# (Optional) Maximum total number of open connections to every
# memcached server. (integer value)
#memcache_pool_maxsize=10
# (Optional) Socket timeout in seconds for communicating with
# a memcache server. (integer value)
#memcache_pool_socket_timeout=3
# (Optional) Number of seconds a connection to memcached is
# held unused in the pool before it is closed. (integer value)
#memcache_pool_unused_timeout=60
# (Optional) Number of seconds that an operation will wait to
# get a memcache client connection from the pool. (integer
# value)
#memcache_pool_conn_get_timeout=10
# (Optional) Use the advanced (eventlet safe) memcache client
# pool. The advanced pool will only work under python 2.x.
# (boolean value)
#memcache_use_advanced_pool=false
# (Optional) Indicate whether to set the X-Service-Catalog
# header. If False, middleware will not ask for service
# catalog on token validation and will not set the X-Service-
# Catalog header. (boolean value)
#include_service_catalog=true
# Used to control the use and type of token binding. Can be
# set to: "disabled" to not check token binding. "permissive"
# (default) to validate binding information if the bind type
# is of a form known to the server and ignore it if not.
# "strict" like "permissive" but if the bind type is unknown
# the token will be rejected. "required" any form of token
# binding is needed to be allowed. Finally the name of a
# binding method that must be present in tokens. (string
# value)
#enforce_token_bind=permissive
# If true, the revocation list will be checked for cached
# tokens. This requires that PKI tokens are configured on the
# identity server. (boolean value)
#check_revocations_for_cached=false
# Hash algorithms to use for hashing PKI tokens. This may be a
# single algorithm or multiple. The algorithms are those
# supported by Python standard hashlib.new(). The hashes will
# be tried in the order given, so put the preferred one first
# for performance. The result of the first hash will be stored
# in the cache. This will typically be set to multiple values
# only while migrating from a less secure algorithm to a more
# secure one. Once all the old tokens are expired this option
# should be set to a single value for better performance.
# (list value)
#hash_algorithms=md5
[matchmaker_redis]
#
# Options defined in oslo.messaging
#
# Host to locate redis. (string value)
#host=127.0.0.1
# Use this port to connect to redis host. (integer value)
#port=6379
# Password for Redis server (optional). (string value)
#password=<None>
[matchmaker_ring]
#
# Options defined in oslo.messaging
#
# Matchmaker ring file (JSON). (string value)
# Deprecated group/name - [DEFAULT]/matchmaker_ringfile
#ringfile=/etc/oslo/matchmaker_ring.json
[oslo_messaging_amqp]
#
# Options defined in oslo.messaging
#
# address prefix used when sending to a specific server
# (string value)
#server_request_prefix=exclusive
# address prefix used when broadcasting to all servers (string
# value)
#broadcast_prefix=broadcast
# address prefix when sending to any server in group (string
# value)
#group_request_prefix=unicast
# Name for the AMQP container (string value)
#container_name=<None>
# Timeout for inactive connections (in seconds) (integer
# value)
#idle_timeout=0
# Debug: dump AMQP frames to stdout (boolean value)
#trace=false
# CA certificate PEM file for verifying server certificate
# (string value)
#ssl_ca_file=
# Identifying certificate PEM file to present to clients
# (string value)
#ssl_cert_file=
# Private key PEM file used to sign cert_file certificate
# (string value)
#ssl_key_file=
# Password for decrypting ssl_key_file (if encrypted) (string
# value)
#ssl_key_password=<None>
# Accept clients using either SSL or plain TCP (boolean value)
#allow_insecure_clients=false
[oslo_messaging_qpid]
#
# Options defined in oslo.messaging
#
# Use durable queues in AMQP. (boolean value)
# Deprecated group/name - [DEFAULT]/rabbit_durable_queues
#amqp_durable_queues=false
# Auto-delete queues in AMQP. (boolean value)
#amqp_auto_delete=false
# Size of RPC connection pool. (integer value)
#rpc_conn_pool_size=30
# Qpid broker hostname. (string value)
#qpid_hostname=localhost
# Qpid broker port. (integer value)
#qpid_port=5672
# Qpid HA cluster host:port pairs. (list value)
#qpid_hosts=$qpid_hostname:$qpid_port
# Username for Qpid connection. (string value)
#qpid_username=
# Password for Qpid connection. (string value)
#qpid_password=
# Space separated list of SASL mechanisms to use for auth.
# (string value)
#qpid_sasl_mechanisms=
# Seconds between connection keepalive heartbeats. (integer
# value)
#qpid_heartbeat=60
# Transport to use, either 'tcp' or 'ssl'. (string value)
#qpid_protocol=tcp
# Whether to disable the Nagle algorithm. (boolean value)
#qpid_tcp_nodelay=true
# The number of prefetched messages held by receiver. (integer
# value)
#qpid_receiver_capacity=1
# The qpid topology version to use. Version 1 is what was
# originally used by impl_qpid. Version 2 includes some
# backwards-incompatible changes that allow broker federation
# to work. Users should update to version 2 when they are
# able to take everything down, as it requires a clean break.
# (integer value)
#qpid_topology_version=1
[oslo_messaging_rabbit]
#
# Options defined in oslo.messaging
#
# Use durable queues in AMQP. (boolean value)
# Deprecated group/name - [DEFAULT]/rabbit_durable_queues
#amqp_durable_queues=false
# Auto-delete queues in AMQP. (boolean value)
#amqp_auto_delete=false
# Size of RPC connection pool. (integer value)
#rpc_conn_pool_size=30
# SSL version to use (valid only if SSL enabled). Valid values
# are TLSv1 and SSLv23. SSLv2, SSLv3, TLSv1_1, and TLSv1_2 may
# be available on some distributions. (string value)
#kombu_ssl_version=
# SSL key file (valid only if SSL enabled). (string value)
#kombu_ssl_keyfile=
# SSL cert file (valid only if SSL enabled). (string value)
#kombu_ssl_certfile=
# SSL certification authority file (valid only if SSL
# enabled). (string value)
#kombu_ssl_ca_certs=
# How long to wait before reconnecting in response to an AMQP
# consumer cancel notification. (floating point value)
#kombu_reconnect_delay=1.0
# The RabbitMQ broker address where a single node is used.
# (string value)
#rabbit_host=localhost
# The RabbitMQ broker port where a single node is used.
# (integer value)
#rabbit_port=5672
# RabbitMQ HA cluster host:port pairs. (list value)
#rabbit_hosts=$rabbit_host:$rabbit_port
# Connect over SSL for RabbitMQ. (boolean value)
#rabbit_use_ssl=false
# The RabbitMQ userid. (string value)
#rabbit_userid=guest
# The RabbitMQ password. (string value)
#rabbit_password=guest
# The RabbitMQ login method. (string value)
#rabbit_login_method=AMQPLAIN
# The RabbitMQ virtual host. (string value)
#rabbit_virtual_host=/
# How frequently to retry connecting with RabbitMQ. (integer
# value)
#rabbit_retry_interval=1
# How long to backoff for between retries when connecting to
# RabbitMQ. (integer value)
#rabbit_retry_backoff=2
# Maximum number of RabbitMQ connection retries. Default is 0
# (infinite retry count). (integer value)
#rabbit_max_retries=0
# Use HA queues in RabbitMQ (x-ha-policy: all). If you change
# this option, you must wipe the RabbitMQ database. (boolean
# value)
#rabbit_ha_queues=false
# Number of seconds after which the Rabbit broker is
# considered down if heartbeat's keep-alive fails (0 disables
# the heartbeat, >0 enables it. Enabling heartbeats requires
# kombu>=3.0.7 and amqp>=1.4.0). EXPERIMENTAL (integer value)
#heartbeat_timeout_threshold=0
# How many times during the heartbeat_timeout_threshold we
# check the heartbeat. (integer value)
#heartbeat_rate=2
# Deprecated, use rpc_backend=kombu+memory or rpc_backend=fake
# (boolean value)
#fake_rabbit=false
[profiler]
#
# Options defined in cinder.service
#
# If False fully disable profiling feature. (boolean value)
#profiler_enabled=false
# If False doesn't trace SQL requests. (boolean value)
#trace_sqlalchemy=false
[DEFAULT]
[keystone_authtoken]
#
# From keystonemiddleware.auth_token
#
# Complete public Identity API endpoint. (string value)
#auth_uri = <None>
# API version of the admin Identity API endpoint. (string value)
#auth_version = <None>
# Do not handle authorization requests within the middleware, but
# delegate the authorization decision to downstream WSGI components.
# (boolean value)
#delay_auth_decision = false
# Request timeout value for communicating with Identity API server.
# (integer value)
#http_connect_timeout = <None>
# How many times are we trying to reconnect when communicating with
# Identity API Server. (integer value)
#http_request_max_retries = 3
# Env key for the swift cache. (string value)
#cache = <None>
# Required if identity server requires client certificate (string
# value)
#certfile = <None>
# Required if identity server requires client certificate (string
# value)
#keyfile = <None>
# A PEM encoded Certificate Authority to use when verifying HTTPS
# connections. Defaults to system CAs. (string value)
#cafile = <None>
# Verify HTTPS connections. (boolean value)
#insecure = false
# Directory used to cache files related to PKI tokens. (string value)
#signing_dir = <None>
# Optionally specify a list of memcached server(s) to use for caching.
# If left undefined, tokens will instead be cached in-process. (list
# value)
# Deprecated group/name - [DEFAULT]/memcache_servers
#memcached_servers = <None>
# In order to prevent excessive effort spent validating tokens, the
# middleware caches previously-seen tokens for a configurable duration
# (in seconds). Set to -1 to disable caching completely. (integer
# value)
#token_cache_time = 300
# Determines the frequency at which the list of revoked tokens is
# retrieved from the Identity service (in seconds). A high number of
# revocation events combined with a low cache duration may
# significantly reduce performance. (integer value)
#revocation_cache_time = 10
# (Optional) If defined, indicate whether token data should be
# authenticated or authenticated and encrypted. Acceptable values are
# MAC or ENCRYPT. If MAC, token data is authenticated (with HMAC) in
# the cache. If ENCRYPT, token data is encrypted and authenticated in
# the cache. If the value is not one of these options or empty,
# auth_token will raise an exception on initialization. (string value)
#memcache_security_strategy = <None>
# (Optional, mandatory if memcache_security_strategy is defined) This
# string is used for key derivation. (string value)
#memcache_secret_key = <None>
# (Optional) Number of seconds memcached server is considered dead
# before it is tried again. (integer value)
#memcache_pool_dead_retry = 300
# (Optional) Maximum total number of open connections to every
# memcached server. (integer value)
#memcache_pool_maxsize = 10
# (Optional) Socket timeout in seconds for communicating with a
# memcache server. (integer value)
#memcache_pool_socket_timeout = 3
# (Optional) Number of seconds a connection to memcached is held
# unused in the pool before it is closed. (integer value)
#memcache_pool_unused_timeout = 60
# (Optional) Number of seconds that an operation will wait to get a
# memcache client connection from the pool. (integer value)
#memcache_pool_conn_get_timeout = 10
# (Optional) Use the advanced (eventlet safe) memcache client pool.
# The advanced pool will only work under python 2.x. (boolean value)
#memcache_use_advanced_pool = false
# (Optional) Indicate whether to set the X-Service-Catalog header. If
# False, middleware will not ask for service catalog on token
# validation and will not set the X-Service-Catalog header. (boolean
# value)
#include_service_catalog = true
# Used to control the use and type of token binding. Can be set to:
# "disabled" to not check token binding. "permissive" (default) to
# validate binding information if the bind type is of a form known to
# the server and ignore it if not. "strict" like "permissive" but if
# the bind type is unknown the token will be rejected. "required" any
# form of token binding is needed to be allowed. Finally the name of a
# binding method that must be present in tokens. (string value)
#enforce_token_bind = permissive
# If true, the revocation list will be checked for cached tokens. This
# requires that PKI tokens are configured on the identity server.
# (boolean value)
#check_revocations_for_cached = false
# Hash algorithms to use for hashing PKI tokens. This may be a single
# algorithm or multiple. The algorithms are those supported by Python
# standard hashlib.new(). The hashes will be tried in the order given,
# so put the preferred one first for performance. The result of the
# first hash will be stored in the cache. This will typically be set
# to multiple values only while migrating from a less secure algorithm
# to a more secure one. Once all the old tokens are expired this
# option should be set to a single value for better performance. (list
# value)
#hash_algorithms = md5
# Prefix to prepend at the beginning of the path. Deprecated, use
# identity_uri. (string value)
#auth_admin_prefix =
# Host providing the admin Identity API endpoint. Deprecated, use
# identity_uri. (string value)
#auth_host = 127.0.0.1
# Port of the admin Identity API endpoint. Deprecated, use
# identity_uri. (integer value)
#auth_port = 35357
# Protocol of the admin Identity API endpoint (http or https).
# Deprecated, use identity_uri. (string value)
#auth_protocol = https
# Complete admin Identity API endpoint. This should specify the
# unversioned root endpoint e.g. https://localhost:35357/ (string
# value)
#identity_uri = <None>
# This option is deprecated and may be removed in a future release.
# Single shared secret with the Keystone configuration used for
# bootstrapping a Keystone installation, or otherwise bypassing the
# normal authentication process. This option should not be used, use
# `admin_user` and `admin_password` instead. (string value)
#admin_token = <None>
# Service username. (string value)
#admin_user = <None>
# Service user password. (string value)
#admin_password = <None>
# Service tenant name. (string value)
#admin_tenant_name = admin
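The security-relevant defaults in the [oslo_messaging_rabbit] and [keystone_authtoken] sections above can be checked mechanically. The following Python script is an added example, not part of the Red Hat documentation or of Cinder; the two sample files, the host names and the function names load, opt and audit are constructed for illustration, and the insecure check relies on that option switching certificate verification off when set to true.

```python
import configparser

# Constructed samples: host names, addresses and secrets are made up.
WEAK_CONF = """\
[oslo_messaging_rabbit]
rabbit_host = broker.example.test
#rabbit_userid=guest
#rabbit_password=guest
rabbit_use_ssl = false

[keystone_authtoken]
identity_uri = http://keystone.example.test:35357/
insecure = true
admin_token = constructed-shared-secret
memcached_servers = 192.0.2.10:11211
"""

HARDENED_CONF = """\
[oslo_messaging_rabbit]
rabbit_host = broker.example.test
rabbit_userid = cinder
rabbit_password = constructed-password
rabbit_use_ssl = true

[keystone_authtoken]
identity_uri = https://keystone.example.test:35357/
hash_algorithms = sha256,md5
memcached_servers = 192.0.2.10:11211
memcache_security_strategy = ENCRYPT
memcache_secret_key = constructed-key
"""

# Defaults from the commented-out lines of the listing above.
DEFAULTS = {
    ("oslo_messaging_rabbit", "rabbit_host"): "localhost",
    ("oslo_messaging_rabbit", "rabbit_userid"): "guest",
    ("oslo_messaging_rabbit", "rabbit_password"): "guest",
    ("keystone_authtoken", "hash_algorithms"): "md5",
}
TRUE_VALUES = {"1", "true", "yes", "on"}
LOCAL_HOSTS = {"localhost", "127.0.0.1"}


def load(text):
    # RawConfigParser leaves "%" alone (e.g. volume-%s). strict=False accepts
    # a repeated section header; renaming the default section keeps [DEFAULT]
    # values from leaking into the other sections.
    parser = configparser.RawConfigParser(strict=False,
                                          default_section="__unused__")
    parser.read_string(text)
    return parser


def opt(conf, section, name):
    if conf.has_option(section, name):
        return conf.get(section, name).strip()
    return DEFAULTS.get((section, name), "")


def audit(text):
    """Return (section, option, reason) for every risky setting found."""
    conf, found = load(text), []
    mq, ks = "oslo_messaging_rabbit", "keystone_authtoken"
    def flag(section, name, reason):
        found.append((section, name, reason))

    if opt(conf, mq, "rabbit_userid") == opt(conf, mq, "rabbit_password") == "guest":
        flag(mq, "rabbit_password", "default guest/guest broker account")
    hosts = opt(conf, mq, "rabbit_hosts") or opt(conf, mq, "rabbit_host")
    remote = [h for h in hosts.split(",")
              if h.strip().split(":")[0] not in LOCAL_HOSTS]
    if remote and opt(conf, mq, "rabbit_use_ssl").lower() not in TRUE_VALUES:
        flag(mq, "rabbit_use_ssl", "remote broker reached without SSL")
    if opt(conf, mq, "kombu_ssl_version").upper() in {"SSLV2", "SSLV3"}:
        flag(mq, "kombu_ssl_version", "obsolete protocol version")
    # insecure = true switches HTTPS certificate verification off.
    if opt(conf, ks, "insecure").lower() in TRUE_VALUES:
        flag(ks, "insecure", "certificate verification disabled")
    if opt(conf, ks, "admin_token"):
        flag(ks, "admin_token", "deprecated shared secret in use")
    for name in ("identity_uri", "auth_uri"):
        if opt(conf, ks, name).lower().startswith("http://"):
            flag(ks, name, "Identity endpoint addressed over plain HTTP")
    if opt(conf, ks, "hash_algorithms").split(",")[0].strip().lower() == "md5":
        flag(ks, "hash_algorithms", "md5 is the preferred PKI token hash")
    strategy = opt(conf, ks, "memcache_security_strategy").upper()
    if opt(conf, ks, "memcached_servers") and not strategy:
        flag(ks, "memcache_security_strategy", "cached tokens lack MAC/ENCRYPT")
    if strategy and strategy not in {"MAC", "ENCRYPT"}:
        flag(ks, "memcache_security_strategy", "must be MAC or ENCRYPT")
    if strategy and not opt(conf, ks, "memcache_secret_key"):
        flag(ks, "memcache_secret_key", "required once a strategy is set")
    return found


if __name__ == "__main__":
    for finding in audit(WEAK_CONF):
        print("[%s] %s: %s" % finding)
```

Run against the weak sample, audit reports seven findings; the hardened sample produces none.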
2.3.2. api-paste.ini
Use the api-paste.ini file to configure the Block Storage API service.
#############
# OpenStack #
#############
[composite:osapi_volume]
use = call:cinder.api:root_app_factory
/: apiversions
/v1: openstack_volume_api_v1
/v2: openstack_volume_api_v2
[composite:openstack_volume_api_v1]
use = call:cinder.api.middleware.auth:pipeline_factory
noauth = request_id faultwrap sizelimit osprofiler noauth apiv1
keystone = request_id faultwrap sizelimit osprofiler authtoken keystonecontext apiv1
keystone_nolimit = request_id faultwrap sizelimit osprofiler authtoken keystonecontext apiv1
[composite:openstack_volume_api_v2]
use = call:cinder.api.middleware.auth:pipeline_factory
noauth = request_id faultwrap sizelimit osprofiler noauth apiv2
keystone = request_id faultwrap sizelimit osprofiler authtoken keystonecontext apiv2
keystone_nolimit = request_id faultwrap sizelimit osprofiler authtoken keystonecontext apiv2
[filter:request_id]
paste.filter_factory = oslo_middleware.request_id:RequestId.factory
[filter:faultwrap]
paste.filter_factory = cinder.api.middleware.fault:FaultWrapper.factory
[filter:osprofiler]
paste.filter_factory = osprofiler.web:WsgiMiddleware.factory
hmac_keys = SECRET_KEY
enabled = yes
[filter:noauth]
paste.filter_factory = cinder.api.middleware.auth:NoAuthMiddleware.factory
[filter:sizelimit]
paste.filter_factory = cinder.api.middleware.sizelimit:RequestBodySizeLimiter.factory
[app:apiv1]
paste.app_factory = cinder.api.v1.router:APIRouter.factory
[app:apiv2]
paste.app_factory = cinder.api.v2.router:APIRouter.factory
[pipeline:apiversions]
pipeline = faultwrap osvolumeversionapp
[app:osvolumeversionapp]
paste.app_factory = cinder.api.versions:Versions.factory
##########
# Shared #
##########
[filter:keystonecontext]
paste.filter_factory = cinder.api.middleware.auth:CinderKeystoneContext.factory
[filter:authtoken]
paste.filter_factory = keystonemiddleware.auth_token:filter_factory
2.3.3. policy.json
The policy.json file defines additional access controls that apply to the Block Storage service.
{
"context_is_admin": "role:admin",
"admin_or_owner": "is_admin:True or project_id:%(project_id)s",
"default": "rule:admin_or_owner",
"admin_api": "is_admin:True",
"volume:create": "",
"volume:delete": "",
"volume:get": "",
"volume:get_all": "",
"volume:get_volume_metadata": "",
"volume:get_volume_admin_metadata": "rule:admin_api",
"volume:delete_volume_admin_metadata": "rule:admin_api",
"volume:update_volume_admin_metadata": "rule:admin_api",
"volume:get_snapshot": "",
"volume:get_all_snapshots": "",
"volume:extend": "",
"volume:update_readonly_flag": "",
"volume:retype": "",
"volume_extension:types_manage": "rule:admin_api",
"volume_extension:types_extra_specs": "rule:admin_api",
"volume_extension:volume_type_access": "",
"volume_extension:volume_type_access:addProjectAccess":
"rule:admin_api",
"volume_extension:volume_type_access:removeProjectAccess":
"rule:admin_api",
"volume_extension:volume_type_encryption": "rule:admin_api",
"volume_extension:volume_encryption_metadata": "rule:admin_or_owner",
"volume_extension:extended_snapshot_attributes": "",
"volume_extension:volume_image_metadata": "",
"volume_extension:quotas:show": "",
"volume_extension:quotas:update": "rule:admin_api",
"volume_extension:quota_classes": "",
"volume_extension:volume_admin_actions:reset_status":
"rule:admin_api",
"volume_extension:snapshot_admin_actions:reset_status":
"rule:admin_api",
"volume_extension:backup_admin_actions:reset_status":
"rule:admin_api",
"volume_extension:volume_admin_actions:force_delete":
"rule:admin_api",
"volume_extension:volume_admin_actions:force_detach":
"rule:admin_api",
"volume_extension:snapshot_admin_actions:force_delete":
"rule:admin_api",
"volume_extension:volume_admin_actions:migrate_volume":
"rule:admin_api",
"volume_extension:volume_admin_actions:migrate_volume_completion":
"rule:admin_api",
"volume_extension:volume_host_attribute": "rule:admin_api",
"volume_extension:volume_tenant_attribute": "rule:admin_or_owner",
"volume_extension:volume_mig_status_attribute": "rule:admin_api",
"volume_extension:hosts": "rule:admin_api",
"volume_extension:services": "rule:admin_api",
"volume_extension:volume_manage": "rule:admin_api",
"volume_extension:volume_unmanage": "rule:admin_api",
"volume:services": "rule:admin_api",
"volume:create_transfer": "",
"volume:accept_transfer": "",
"volume:delete_transfer": "",
"volume:get_all_transfers": "",
"volume_extension:replication:promote": "rule:admin_api",
"volume_extension:replication:reenable": "rule:admin_api",
"backup:create" : "",
"backup:delete": "",
"backup:get": "",
"backup:get_all": "",
"backup:restore": "",
"backup:backup-import": "rule:admin_api",
"backup:backup-export": "rule:admin_api",
"snapshot_extension:snapshot_actions:update_snapshot_status": "",
"consistencygroup:create" : "group:nobody",
"consistencygroup:delete": "group:nobody",
"consistencygroup:update": "group:nobody",
"consistencygroup:get": "group:nobody",
"consistencygroup:get_all": "group:nobody",
"consistencygroup:create_cgsnapshot" : "group:nobody",
"consistencygroup:delete_cgsnapshot": "group:nobody",
"consistencygroup:get_cgsnapshot": "group:nobody",
"consistencygroup:get_all_cgsnapshots": "group:nobody",
"scheduler_extension:scheduler_stats:get_pools" : "rule:admin_api"
}
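To see whom each rule in this file admits, the following added Python example (not part of the Red Hat documentation and not the oslo.policy implementation) evaluates a subset of the rules for three constructed callers. It is a simplified evaluator that handles only the check forms used in this file; the caller dictionaries, project names and the function names check, enforce and classify are assumptions made for illustration.

```python
import json

# Rules copied from the policy.json shown above (a subset, to keep this short).
POLICY = json.loads("""
{
  "context_is_admin": "role:admin",
  "admin_or_owner": "is_admin:True or project_id:%(project_id)s",
  "default": "rule:admin_or_owner",
  "admin_api": "is_admin:True",
  "volume:create": "",
  "volume:get": "",
  "volume_extension:volume_admin_actions:force_delete": "rule:admin_api",
  "volume_extension:volume_encryption_metadata": "rule:admin_or_owner",
  "volume_extension:quotas:update": "rule:admin_api",
  "backup:backup-export": "rule:admin_api",
  "consistencygroup:create": "group:nobody"
}
""")

# Constructed callers and target; the project names are made up.
ADMIN = {"roles": ["admin"], "is_admin": True, "project_id": "proj-ops"}
OWNER = {"roles": ["member"], "is_admin": False, "project_id": "proj-a"}
OTHER = {"roles": ["member"], "is_admin": False, "project_id": "proj-b"}
TARGET = {"project_id": "proj-a"}  # the resource belongs to proj-a


def check(expr, creds, target, rules, depth=0):
    """Evaluate one rule string: "", rule:, role:, kind:value checks and
    flat "or"/"and" combinations (no "not", no parentheses)."""
    if depth > 20:
        return False  # rule references form a loop: fail closed
    expr = expr.strip()
    if not expr:
        return True  # an empty rule passes for every caller
    if " or " in expr:
        return any(check(p, creds, target, rules, depth) for p in expr.split(" or "))
    if " and " in expr:
        return all(check(p, creds, target, rules, depth) for p in expr.split(" and "))
    kind, _, match = expr.partition(":")
    if kind == "rule":
        ref = rules.get(match)
        return ref is not None and check(ref, creds, target, rules, depth + 1)
    if kind == "role":
        return match.lower() in [r.lower() for r in creds.get("roles", [])]
    # Generic check such as is_admin:True or project_id:%(project_id)s: the
    # left side names a credential, the right side is filled from the target.
    try:
        wanted = match % target
    except (KeyError, TypeError, ValueError):
        return False
    return kind in creds and str(creds[kind]) == wanted


def enforce(action, creds, target, rules=POLICY, default_rule="default"):
    # An action without its own entry falls back to the default rule
    # (policy_default_rule); with no default rule either, access is denied.
    expr = rules.get(action, rules.get(default_rule))
    return expr is not None and check(expr, creds, target, rules)


def classify(rules=POLICY):
    """Map each rule name to the widest set of constructed callers it admits."""
    labels = {(True, True, True): "any caller",
              (True, True, False): "admin or owner",
              (True, False, False): "admin only",
              (False, False, False): "nobody"}
    result = {}
    for name in rules:
        who = tuple(enforce(name, c, TARGET, rules) for c in (ADMIN, OWNER, OTHER))
        result[name] = labels.get(who, "other")
    return result


if __name__ == "__main__":
    for name, label in sorted(classify().items()):
        print("%-55s %s" % (name, label))
```

In this evaluator the consistencygroup rule admits nobody, the administrator included, because none of the constructed callers carries a group credential equal to nobody.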
2.3.4. rootwrap.conf
The rootwrap.conf file defines configuration values used by the rootwrap script when the Block
Storage service must escalate its privileges to those of the root user.
# Configuration for cinder-rootwrap
# This file should be owned by (and only-writeable by) the root user
[DEFAULT]
# List of directories to load filter definitions from (separated by ',').
# These directories MUST all be only writeable by root !
filters_path=/etc/cinder/rootwrap.d,/usr/share/cinder/rootwrap
# List of directories to search executables in, in case filters do not
# explicitly specify a full path (separated by ',')
# If not specified, defaults to system PATH environment variable.
# These directories MUST all be only writeable by root !
exec_dirs=/sbin,/usr/sbin,/bin,/usr/bin,/usr/local/bin,/usr/local/sbin
# Enable logging to syslog
# Default value is False
use_syslog=False
# Which syslog facility to use.
# Valid values include auth, authpriv, syslog, local0, local1...
# Default value is 'syslog'
syslog_log_facility=syslog
# Which messages to log.
# INFO means log all usage
# ERROR means only log unsuccessful attempts
syslog_log_level=ERROR
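The comments in this file require that every directory named in filters_path and exec_dirs is writable only by root. The following Python check is an added example, not part of the Red Hat documentation or of rootwrap; the function names dir_problem and audit_rootwrap and the trusted_uid parameter are assumptions made for illustration.

```python
import configparser
import os
import stat

# The two path options from the rootwrap.conf shown above.
ROOTWRAP_CONF = """\
[DEFAULT]
filters_path=/etc/cinder/rootwrap.d,/usr/share/cinder/rootwrap
exec_dirs=/sbin,/usr/sbin,/bin,/usr/bin,/usr/local/bin,/usr/local/sbin
"""


def dir_problem(path, trusted_uid=0):
    """Return why `path` is not writable by trusted_uid alone, or None."""
    try:
        st = os.stat(path)  # follows symlinks, so the real directory is checked
    except FileNotFoundError:
        return None  # a missing directory is skipped by this check
    except OSError as exc:
        return "cannot inspect (%s)" % exc.strerror
    if not stat.S_ISDIR(st.st_mode):
        return "not a directory"
    if st.st_uid != trusted_uid:
        return "owned by uid %d, expected %d" % (st.st_uid, trusted_uid)
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return "writable by group or others (mode %04o)" % stat.S_IMODE(st.st_mode)
    return None


def audit_rootwrap(conf_text, trusted_uid=0):
    """Return (option, path, reason) for each listed directory that fails."""
    parser = configparser.RawConfigParser()
    parser.read_string(conf_text)
    findings = []
    for option in ("filters_path", "exec_dirs"):
        value = parser.get("DEFAULT", option, fallback="")
        for path in filter(None, (p.strip() for p in value.split(","))):
            reason = dir_problem(path, trusted_uid)
            if reason:
                findings.append((option, path, reason))
    return findings


if __name__ == "__main__":
    for option, path, reason in audit_rootwrap(ROOTWRAP_CONF):
        print("%s: %s: %s" % (option, path, reason))
```

The check covers only the directories themselves; the rootwrap.conf file, which the comments say should also be owned and writable by root only, can be passed to the same os.stat tests.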
2.4. LOG FILES USED BY BLOCK STORAGE
The corresponding log file of each Block Storage service is stored in the /var/log/cinder/
directory of the host on which each service runs.
Table 2.27. Log files used by Block Storage services
Log file            Service/interface
api.log             openstack-cinder-api
cinder-manage.log   cinder-manage
scheduler.log       openstack-cinder-scheduler
volume.log          openstack-cinder-volume
2.5. FIBRE CHANNEL ZONE MANAGER
The Fibre Channel Zone Manager allows FC SAN Zone/Access control management in conjunction
with Fibre Channel block storage. The configuration of the Fibre Channel Zone Manager and of the
various zone drivers is described in this section.
2.5.1. Configure Block Storage to use Fibre Channel Zone Manager
If Block Storage is configured to use a Fibre Channel volume driver that supports Zone Manager,
update cinder.conf to add the following configuration options to enable Fibre Channel Zone
Manager.
Make the following changes in the /etc/cinder/cinder.conf file.
Table 2.28. Description of zoning configuration options
Configuration option = Default value
Description
[DEFAULT]
zoning_mode = none
(StrOpt) FC Zoning mode configured
[fc-zone-manager]
fc_fabric_names = None
(StrOpt) Comma separated list of Fibre Channel
fabric names. This list of names is used to retrieve
other SAN credentials for connecting to each SAN
fabric
fc_san_lookup_service = cinder.zonemanager.drivers.brocade.brcd_fc_san_lookup_service.BrcdFCSanLookupService
(StrOpt) FC SAN Lookup Service
zone_driver = cinder.zonemanager.drivers.brocade.brcd_fc_zone_driver.BrcdFCZoneDriver
(StrOpt) FC Zone Driver responsible for zone
management
zoning_policy = initiator-target
(StrOpt) Zoning policy configured by user; valid
values include "initiator-target" or "initiator"
To use different Fibre Channel Zone Drivers, use the parameters described in this section.
NOTE
When multi backend configuration is used, provide the zoning_mode configuration
option as part of the volume driver configuration where volume_driver option is
specified.
NOTE
Default value of zoning_mode is None and this needs to be changed to fabric to allow
fabric zoning.
NOTE
zoning_policy can be configured as initiator-target or initiator
2.5.2. Brocade Fibre Channel Zone Driver
Brocade Fibre Channel Zone Driver performs zoning operations through SSH. Configure Brocade Zone
Driver and lookup service by specifying the following parameters:
Table 2.29. Description of zoning manager configuration options
Configuration option = Default value
Description
[fc-zone-manager]
brcd_sb_connector = cinder.zonemanager.drivers.brocade.brcd_fc_zone_client_cli.BrcdFCZoneClientCLI
(StrOpt) Southbound connector for zoning
operation
Configure SAN fabric parameters in the form of fabric groups as described in the example below:
Table 2.30. Description of zoning fabrics configuration options
Configuration option = Default value
Description
[BRCD_FABRIC_EXAMPLE]
fc_fabric_address =
(StrOpt) Management IP of fabric
fc_fabric_password =
(StrOpt) Password for user
fc_fabric_port = 22
(IntOpt) Connecting port
fc_fabric_user =
(StrOpt) Fabric user ID
principal_switch_wwn = None
(StrOpt) Principal switch WWN of the fabric
zone_activate = True
(BoolOpt) overridden zoning activation state
zone_name_prefix = None
(StrOpt) overridden zone name prefix
zoning_policy = initiator-target
(StrOpt) overridden zoning policy
NOTE
Define a fabric group for each fabric using the fabric names used in fc_fabric_names
configuration option as group name.
2.5.2.1. System requirements
Brocade Fibre Channel Zone Driver requires firmware version FOS v6.4 or higher.
As a best practice for zone management, use a user account with zoneadmin role. Users with admin
role (including the default admin user account) are limited to a maximum of two concurrent SSH
sessions.
For information about how to manage Brocade Fibre Channel switches, see the Brocade Fabric OS user
documentation.
2.5.3. Cisco Fibre Channel Zone Driver
Cisco Fibre Channel Zone Driver automates the zoning operations through SSH. Configure Cisco Zone
Driver, Cisco Southbound connector, FC SAN lookup service and Fabric name.
Set the following options in the cinder.conf configuration file.
[fc-zone-manager]
zone_driver = cinder.zonemanager.drivers.cisco.cisco_fc_zone_driver.CiscoFCZoneDriver
fc_san_lookup_service = cinder.zonemanager.drivers.cisco.cisco_fc_san_lookup_service.CiscoFCSanLookupService
fc_fabric_names = CISCO_FABRIC_EXAMPLE
cisco_sb_connector = cinder.zonemanager.drivers.cisco.cisco_fc_zone_client_cli.CiscoFCZoneClientCLI
Table 2.31. Description of cisco zoning manager configuration options
Configuration option = Default value
Description
[fc-zone-manager]
cisco_sb_connector = cinder.zonemanager.drivers.cisco.cisco_fc_zone_client_cli.CiscoFCZoneClientCLI
(StrOpt) Southbound connector for zoning
operation
Configure SAN fabric parameters in the form of fabric groups as described in the example below:
Table 2.32. Description of cisco zoning fabrics configuration options
Configuration option = Default value
Description
[CISCO_FABRIC_EXAMPLE]
cisco_fc_fabric_address =
(StrOpt) Management IP of fabric
cisco_fc_fabric_password =
(StrOpt) Password for user
cisco_fc_fabric_port = 22
(IntOpt) Connecting port
cisco_fc_fabric_user =
(StrOpt) Fabric user ID
cisco_zone_activate = True
(BoolOpt) overridden zoning activation state
cisco_zone_name_prefix = None
(StrOpt) overridden zone name prefix
cisco_zoning_policy = initiator-target
(StrOpt) overridden zoning policy
cisco_zoning_vsan = None
(StrOpt) VSAN of the Fabric
NOTE
Define a fabric group for each fabric using the fabric names used in fc_fabric_names
configuration option as group name.
The Cisco Fibre Channel Zone Driver supports basic and enhanced zoning modes. The
zoning VSAN must exist with an active zone set name which is the same as the
fc_fabric_names option.
2.5.3.1. System requirements
Cisco MDS 9000 Family Switches.
Cisco MDS NX-OS Release 6.2(9) or later.
For information about how to manage Cisco Fibre Channel switches, see the Cisco MDS 9000 user
documentation.
2.6. ADDITIONAL OPTIONS
These options can also be set in the cinder.conf file.
Table 2.33. Description of API configuration options
Configuration option = Default value
Description
[DEFAULT]
api_paste_config = api-paste.ini
(StrOpt) File name for the paste.deploy config for
cinder-api
api_rate_limit = True
(BoolOpt) Enables or disables rate limit of the API.
az_cache_duration = 3600
(IntOpt) Cache volume availability zones in memory
for the provided duration in seconds
backend_host = None
(StrOpt) Backend override of host value.
default_timeout = 525600
(IntOpt) Default timeout for CLI operations in
minutes. For example, LUN migration is a typical
long running operation, which depends on the LUN
size and the load of the array. An upper bound in the
specific deployment can be set to avoid unnecessary
long wait. By default, it is 365 days long.
enable_v1_api = True
(BoolOpt) DEPRECATED: Deploy v1 of the Cinder
API.
enable_v2_api = True
(BoolOpt) Deploy v2 of the Cinder API.
extra_capabilities = {}
(StrOpt) User defined capabilities, a JSON
formatted string specifying key/value pairs. The
key/value pairs can be used by the CapabilitiesFilter
to select between backends when requests specify
volume types. For example, specifying a service
level or the geographical location of a backend, then
creating a volume type to allow the user to select by
these different properties.
ignore_pool_full_threshold = False
(BoolOpt) Force LUN creation even if the full
threshold of pool is reached.
management_ips =
(StrOpt) List of Management IP addresses
(separated by commas)
max_header_line = 16384
(IntOpt) Maximum line size of message headers to
be accepted. max_header_line may need to be
increased when using large tokens (typically those
generated by the Keystone v3 API with big service
catalogs).
osapi_max_limit = 1000
(IntOpt) The maximum number of items that a
collection resource returns in a single response
osapi_max_request_body_size = 114688
(IntOpt) Max size for body of a request
osapi_volume_base_URL = None
(StrOpt) Base URL that will be presented to users in
links to the OpenStack Volume API
osapi_volume_ext_list =
(ListOpt) Specify list of extensions to load when
using osapi_volume_extension option with
cinder.api.contrib.select_extensions
osapi_volume_extension = ['cinder.api.contrib.standard_extensions']
(MultiStrOpt) osapi volume extension to load
osapi_volume_listen = 0.0.0.0
(StrOpt) IP address on which OpenStack Volume
API listens
osapi_volume_listen_port = 8776
(IntOpt) Port on which OpenStack Volume API
listens
osapi_volume_workers = None
(IntOpt) Number of workers for OpenStack Volume
API service. The default is equal to the number of
CPUs available.
password =
(StrOpt) Password for Redis server (optional).
per_volume_size_limit = -1
(IntOpt) Max size allowed per volume, in gigabytes
port = 6379
(IntOpt) Use this port to connect to redis host.
public_endpoint = None
(StrOpt) Public url to use for versions endpoint. The
default is None, which will use the request's host_url
attribute to populate the URL base. If Cinder is
operating behind a proxy, you will want to change
this to represent the proxy's URL.
query_volume_filters = name, status, metadata, availability_zone
(ListOpt) Volume filter options which non-admin
user could use to query volumes. Default values are:
['name', 'status', 'metadata', 'availability_zone']
transfer_api_class = cinder.transfer.api.API
(StrOpt) The full class name of the volume transfer
API class
volume_api_class = cinder.volume.api.API
(StrOpt) The full class name of the volume API class
to use
volume_name_template = volume-%s
(StrOpt) Template string to be used to generate
volume names
volume_number_multiplier = -1.0
(FloatOpt) Multiplier used for weighing volume
number. Negative numbers mean to spread vs stack.
volume_transfer_key_length = 16
(IntOpt) The number of characters in the
autogenerated auth key.
volume_transfer_salt_length = 8
(IntOpt) The number of characters in the salt.
[oslo_middleware]
max_request_body_size = 114688
(IntOpt) The maximum body size for each request, in
bytes.
secure_proxy_ssl_header = X-Forwarded-Proto
(StrOpt) The HTTP Header that will be used to
determine what the original request protocol
scheme was, even if it was hidden by an SSL
termination proxy.
[oslo_policy]
policy_default_rule = default
(StrOpt) Default rule. Enforced when a requested
rule is not found.
policy_dirs = ['policy.d']
(MultiStrOpt) Directories where policy configuration
files are stored. They can be relative to any
directory in the search path defined by the
config_dir option, or absolute paths. The file defined
by policy_file must exist for these directories to be
searched. Missing or empty directories are ignored.
policy_file = policy.json
(StrOpt) The JSON file that defines policies.
[oslo_versionedobjects]
fatal_exception_format_errors = False
(BoolOpt) Make exception message format errors
fatal
Table 2.34. Description of AMQP configuration options
Configuration option = Default value
Description
[DEFAULT]
control_exchange = openstack
(StrOpt) The default exchange under which topics
are scoped. May be overridden by an exchange name
specified in the transport_url option.
notification_driver = []
(MultiStrOpt) The driver(s) to handle sending
notifications. Possible values are messaging,
messagingv2, routing, log, test, noop
notification_topics = notifications
(ListOpt) AMQP topic used for OpenStack
notifications.
transport_url = None
(StrOpt) A URL representing the messaging driver to
use and its full configuration. If not set, we fall back
to the rpc_backend option and driver specific
configuration.
Table 2.35. Description of authorization configuration options
Configuration option = Default value
Description
[DEFAULT]
auth_strategy = keystone
(StrOpt) The strategy to use for auth. Supports
noauth, keystone, and deprecated.
Table 2.36. Description of authorization token configuration options
Configuration option = Default value
Description
[keystone_authtoken]
admin_password = None
(StrOpt) Service user password.
admin_tenant_name = admin
(StrOpt) Service tenant name.
admin_token = None
(StrOpt) This option is deprecated and may be
removed in a future release. Single shared secret
with the Keystone configuration used for
bootstrapping a Keystone installation, or otherwise
bypassing the normal authentication process. This
option should not be used, use `admin_user` and
`admin_password` instead.
admin_user = None
(StrOpt) Service username.
auth_admin_prefix =
(StrOpt) Prefix to prepend at the beginning of the
path. Deprecated, use identity_uri.
auth_host = 127.0.0.1
(StrOpt) Host providing the admin Identity API
endpoint. Deprecated, use identity_uri.
auth_plugin = None
(StrOpt) Name of the plugin to load
auth_port = 35357
(IntOpt) Port of the admin Identity API endpoint.
Deprecated, use identity_uri.
auth_protocol = https
(StrOpt) Protocol of the admin Identity API endpoint
(http or https). Deprecated, use identity_uri.
auth_section = None
(StrOpt) Config Section from which to load plugin
specific options
auth_uri = None
(StrOpt) Complete public Identity API endpoint.
auth_version = None
(StrOpt) API version of the admin Identity API
endpoint.
cache = None
(StrOpt) Env key for the swift cache.
cafile = None
(StrOpt) A PEM encoded Certificate Authority to use
when verifying HTTPS connections. Defaults to
system CAs.
certfile = None
(StrOpt) Required if identity server requires client
certificate
check_revocations_for_cached = False
(BoolOpt) If true, the revocation list will be checked
for cached tokens. This requires that PKI tokens are
configured on the identity server.
delay_auth_decision = False
(BoolOpt) Do not handle authorization requests
within the middleware, but delegate the
authorization decision to downstream WSGI
components.
enforce_token_bind = permissive
(StrOpt) Used to control the use and type of token
binding. Can be set to: "disabled" to not check token
binding. "permissive" (default) to validate binding
information if the bind type is of a form known to the
server and ignore it if not. "strict" like "permissive"
but if the bind type is unknown the token will be
rejected. "required" any form of token binding is
needed to be allowed. Finally the name of a binding
method that must be present in tokens.
hash_algorithms = md5
(ListOpt) Hash algorithms to use for hashing PKI
tokens. This may be a single algorithm or multiple.
The algorithms are those supported by Python
standard hashlib.new(). The hashes will be tried in
the order given, so put the preferred one first for
performance. The result of the first hash will be
stored in the cache. This will typically be set to
multiple values only while migrating from a less
secure algorithm to a more secure one. Once all the
old tokens are expired this option should be set to a
single value for better performance.
http_connect_timeout = None
(IntOpt) Request timeout value for communicating
with Identity API server.
http_request_max_retries = 3
(IntOpt) How many times are we trying to reconnect
when communicating with Identity API Server.
identity_uri = None
(StrOpt) Complete admin Identity API endpoint. This
should specify the unversioned root endpoint e.g.
https://localhost:35357/
include_service_catalog = True
(BoolOpt) (Optional) Indicate whether to set the X-Service-Catalog
header. If False, middleware will not ask for service catalog on token
validation and will not set the X-Service-Catalog header.
insecure = False
(BoolOpt) Verify HTTPS connections.
keyfile = None
(StrOpt) Required if identity server requires client
certificate
memcache_pool_conn_get_timeout = 10
(IntOpt) (Optional) Number of seconds that an
operation will wait to get a memcached client
connection from the pool.
memcache_pool_dead_retry = 300
(IntOpt) (Optional) Number of seconds memcached
server is considered dead before it is tried again.
memcache_pool_maxsize = 10
(IntOpt) (Optional) Maximum total number of open
connections to every memcached server.
memcache_pool_socket_timeout = 3
(IntOpt) (Optional) Socket timeout in seconds for
communicating with a memcached server.
memcache_pool_unused_timeout = 60
(IntOpt) (Optional) Number of seconds a connection
to memcached is held unused in the pool before it is
closed.
memcache_secret_key = None
(StrOpt) (Optional, mandatory if
memcache_security_strategy is defined) This string
is used for key derivation.
memcache_security_strategy = None
(StrOpt) (Optional) If defined, indicate whether
token data should be authenticated or authenticated
and encrypted. Acceptable values are MAC or
ENCRYPT. If MAC, token data is authenticated (with
HMAC) in the cache. If ENCRYPT, token data is
encrypted and authenticated in the cache. If the
value is not one of these options or empty,
auth_token will raise an exception on initialization.
memcache_use_advanced_pool = False
(BoolOpt) (Optional) Use the advanced (eventlet
safe) memcached client pool. The advanced pool will
only work under python 2.x.
region_name = None
(StrOpt) The region in which the identity server can
be found.
revocation_cache_time = 10
(IntOpt) Determines the frequency at which the list
of revoked tokens is retrieved from the Identity
service (in seconds). A high number of revocation
events combined with a low cache duration may
significantly reduce performance.
signing_dir = None
(StrOpt) Directory used to cache files related to PKI
tokens.
token_cache_time = 300
(IntOpt) In order to prevent excessive effort spent
validating tokens, the middleware caches
previously-seen tokens for a configurable duration
(in seconds). Set to -1 to disable caching completely.
Table 2.37. Description of backups configuration options
Configuration option = Default value
Description
[DEFAULT]
backup_api_class = cinder.backup.api.API
(StrOpt) The full class name of the volume backup
API class
backup_compression_algorithm = zlib
(StrOpt) Compression algorithm (None to disable)
backup_driver = cinder.backup.drivers.swift
(StrOpt) Driver to use for backups.
backup_manager = cinder.backup.manager.BackupManager
(StrOpt) Full class name for the Manager for volume
backup
backup_metadata_version = 2
(IntOpt) Backup metadata version to be used when
backing up volume metadata. If this number is
bumped, make sure the service doing the restore
supports the new version.
backup_name_template = backup-%s
(StrOpt) Template string to be used to generate
backup names
backup_object_number_per_notification = 10
(IntOpt) The number of chunks or objects, for which
one Ceilometer notification will be sent
backup_posix_path = $state_path/backup
(StrOpt) Path specifying where to store backups.
backup_service_inithost_offload = False
(BoolOpt) Offload pending backup delete during
backup service startup.
backup_timer_interval = 120
(IntOpt) Interval, in seconds, between two progress
notifications reporting the backup status
backup_topic = cinder-backup
(StrOpt) The topic that volume backup nodes listen
on
snapshot_name_template = snapshot-%s
(StrOpt) Template string to be used to generate
snapshot names
snapshot_same_host = True
(BoolOpt) Create volume from snapshot at the host
where snapshot resides
Table 2.38. Description of block device configuration options
Configuration option = Default value
Description
[DEFAULT]
available_devices =
(ListOpt) List of all available devices
Table 2.39. Description of CA and SSL configuration options
Configuration option = Default value
Description
[DEFAULT]
ssl_ca_file = None
(StrOpt) CA certificate file to use to verify
connecting clients
ssl_cert_file = None
(StrOpt) Certificate file to use when starting the
server securely
ssl_key_file = None
(StrOpt) Private key file to use when starting the
server securely
Table 2.40. Description of CloudByte volume driver configuration options
Configuration option = Default value
Description
[DEFAULT]
cb_account_name = None
(StrOpt) CloudByte storage specific account name.
This maps to a project name in OpenStack.
cb_add_qosgroup = {'latency': '15', 'iops': '10', 'graceallowed': 'false', 'iopscontrol': 'true', 'memlimit': '0', 'throughput': '0', 'tpcontrol': 'false', 'networkspeed': '0'}
(DictOpt) These values will be used for CloudByte
storage's addQos API call.
cb_apikey = None
(StrOpt) Driver will use this API key to authenticate
against the CloudByte storage's management
interface.
cb_auth_group = None
(StrOpt) This corresponds to the discovery
authentication group in CloudByte storage. CHAP
users are added to this group. Driver uses the first
user found for this group. Default value is None.
cb_confirm_volume_create_retries = 3
(IntOpt) Will confirm a successful volume creation in
CloudByte storage by making this many
attempts.
cb_confirm_volume_create_retry_interval = 5
(IntOpt) A retry value in seconds. Will be used by the
driver to check if volume creation was successful in
CloudByte storage.
cb_confirm_volume_delete_retries = 3
(IntOpt) Will confirm a successful volume deletion in
CloudByte storage by making this many
attempts.
cb_confirm_volume_delete_retry_interval = 5
(IntOpt) A retry value in seconds. Will be used by the
driver to check if volume deletion was successful in
CloudByte storage.
cb_create_volume = {'compression': 'off', 'deduplication': 'off', 'blocklength': '512B', 'sync': 'always', 'protocoltype': 'ISCSI', 'recordsize': '16k'}
(DictOpt) These values will be used for CloudByte
storage's createVolume API call.
cb_tsm_name = None
(StrOpt) This corresponds to the name of Tenant
Storage Machine (TSM) in CloudByte storage. A
volume will be created in this TSM.
Table 2.41. Description of common configuration options
Configuration option = Default value
Description
[DEFAULT]
allow_availability_zone_fallback = False
(BoolOpt) If the requested Cinder availability zone is
unavailable, fall back to the value of
default_availability_zone, then
storage_availability_zone, instead of failing.
chap_password =
(StrOpt) Password for specified CHAP account
name.
chap_username =
(StrOpt) CHAP user name.
chiscsi_conf = /etc/chelsio-iscsi/chiscsi.conf
(StrOpt) Chiscsi (CXT) global defaults configuration
file
cinder_internal_tenant_project_id = None
(StrOpt) ID of the project which will be used as the
Cinder internal tenant.
cinder_internal_tenant_user_id = None
(StrOpt) ID of the user to be used in volume
operations as the Cinder internal tenant.
client_socket_timeout = 900
(IntOpt) Timeout for client connections' socket
operations. If an incoming connection is idle for this
number of seconds it will be closed. A value of '0'
means wait forever.
compute_api_class = cinder.compute.nova.API
(StrOpt) The full class name of the compute API
class to use
consistencygroup_api_class = cinder.consistencygroup.api.API
(StrOpt) The full class name of the consistencygroup
API class
default_availability_zone = None
(StrOpt) Default availability zone for new volumes. If
not set, the storage_availability_zone option value is
used as the default for new volumes.
default_volume_type = None
(StrOpt) Default volume type to use
driver_data_namespace = None
(StrOpt) Namespace for driver private data values to
be saved in.
driver_ssl_cert_verify = False
(BoolOpt) If set to True the http client will validate
the SSL certificate of the backend endpoint.
enable_force_upload = False
(BoolOpt) Enables the Force option on
upload_to_image. This enables running
upload_volume on in-use volumes for backends that
support it.
enable_new_services = True
(BoolOpt) Services to be added to the available pool
on create
end_time = None
(StrOpt) If this option is specified then the end time
specified is used instead of the end time of the last
completed audit period.
enforce_multipath_for_image_xfer = False
(BoolOpt) If this is set to True, attachment of
volumes for image transfer will be aborted when
multipathd is not running. Otherwise, it will fall back
to single path.
executor_thread_pool_size = 64
(IntOpt) Size of executor thread pool.
host = localhost
(StrOpt) Name of this node. This can be an opaque
identifier. It is not necessarily a host name, FQDN, or
IP address.
iet_conf = /etc/iet/ietd.conf
(StrOpt) IET configuration file
iscsi_secondary_ip_addresses =
(ListOpt) The list of secondary IP addresses of the
iSCSI daemon
managed_replication_target = True
(BoolOpt) There are two types of target
configurations: managed (replicate to another
configured backend) or unmanaged (replicate to a
device not managed by Cinder).
max_over_subscription_ratio = 20.0
(FloatOpt) Float representation of the over
subscription ratio when thin provisioning is involved.
Default ratio is 20.0, meaning provisioned capacity
can be 20 times of the total physical capacity. If the
ratio is 10.5, it means provisioned capacity can be
10.5 times of the total physical capacity. A ratio of
1.0 means provisioned capacity cannot exceed the
total physical capacity. A ratio lower than 1.0 will be
ignored and the default value will be used instead.
memcached_servers = None
(ListOpt) Memcached servers or None for in process
cache.
monkey_patch = False
(BoolOpt) Enable monkey patching
monkey_patch_modules =
(ListOpt) List of modules/decorators to monkey
patch
my_ip = 10.0.0.1
(StrOpt) IP address of this host
no_snapshot_gb_quota = False
(BoolOpt) Whether snapshots count against
gigabyte quota
num_shell_tries = 3
(IntOpt) Number of times to attempt to run flakey
shell commands
os_privileged_user_auth_url = None
(StrOpt) Auth URL associated with the OpenStack
privileged account.
os_privileged_user_name = None
(StrOpt) OpenStack privileged account username.
Used for requests to other services (such as Nova)
that require an account with special rights.
os_privileged_user_password = None
(StrOpt) Password associated with the OpenStack
privileged account.
os_privileged_user_tenant = None
(StrOpt) Tenant name associated with the
OpenStack privileged account.
periodic_fuzzy_delay = 60
(IntOpt) Range, in seconds, to randomly delay when
starting the periodic task scheduler to reduce
stampeding. (Disable by setting to 0)
periodic_interval = 60
(IntOpt) Interval, in seconds, between running
periodic tasks
replication_api_class = cinder.replication.api.API
(StrOpt) The full class name of the volume
replication API class
replication_devices = None
(ListOpt) List of k/v pairs representing a replication
target for this backend device. For unmanaged the
format is: {'key-1'='val1' 'key-2'='val2'...},{...} and for
managed devices it's simply a list of valid configured
backend_names that the driver supports replicating
to: backend-a,backend-b...
report_interval = 10
(IntOpt) Interval, in seconds, between nodes
reporting state to datastore
request_timeout = 300
(IntOpt) Global backend request timeout, in seconds
reserved_percentage = 0
(IntOpt) The percentage of backend capacity that is
reserved
rootwrap_config = /etc/cinder/rootwrap.conf
(StrOpt) Path to the rootwrap configuration file to
use for running commands as root
send_actions = False
(BoolOpt) Send the volume and snapshot create and
delete notifications generated in the specified
period.
service_down_time = 60
(IntOpt) Maximum time since last check-in for a
service to be considered up
sqlite_clean_db = clean.sqlite
(StrOpt) File name of clean sqlite db
ssh_hosts_key_file = $state_path/ssh_known_hosts
(StrOpt) File containing SSH host keys for the
systems with which Cinder needs to communicate.
OPTIONAL: Default=$state_path/ssh_known_hosts
start_time = None
(StrOpt) If this option is specified then the start time
specified is used instead of the start time of the last
completed audit period.
state_path = /var/lib/cinder
(StrOpt) Top-level directory for maintaining cinder's
state
storage_availability_zone = nova
(StrOpt) Availability zone of this node
strict_ssh_host_key_policy = False
(BoolOpt) Option to enable strict host key checking.
When set to "True" Cinder will only connect to
systems with a host key present in the configured
"ssh_hosts_key_file". When set to "False" the host
key will be saved upon first connection and used for
subsequent connections. Default=False
tcp_keepalive = True
(BoolOpt) Sets the value of TCP_KEEPALIVE
(True/False) for each server socket.
tcp_keepalive_count = None
(IntOpt) Sets the value of TCP_KEEPCNT for each
server socket. Not supported on OS X.
tcp_keepalive_interval = None
(IntOpt) Sets the value of TCP_KEEPINTVL in
seconds for each server socket. Not supported on
OS X.
tcp_keepidle = 600
(IntOpt) Sets the value of TCP_KEEPIDLE in seconds
for each server socket. Not supported on OS X.
until_refresh = 0
(IntOpt) Count of reservations until usage is
refreshed
use_chap_auth = False
(BoolOpt) Option to enable/disable CHAP
authentication for targets.
use_forwarded_for = False
(BoolOpt) Treat X-Forwarded-For as the canonical
remote address. Only enable this if you have a
sanitizing proxy.
watch_log_file = False
(BoolOpt) (Optional) Uses logging handler designed
to watch file system. When log file is moved or
removed this handler will open a new log file with
specified path instantaneously. It makes sense only
if log-file option is specified and Linux platform is
used. This option is ignored if log_config_append is
set.
wsgi_keep_alive = True
(BoolOpt) If False, closes the client socket
connection explicitly. The default is True to maintain
backward compatibility. The recommended setting is
False.
[keystone_authtoken]
memcached_servers = None
(ListOpt) Optionally specify a list of memcached
server(s) to use for caching. If left undefined, tokens
will instead be cached in-process.
Table 2.42. Description of Compute configuration options
Configuration option = Default value
Description
[DEFAULT]
nova_api_insecure = False
(BoolOpt) Allow insecure SSL requests to
nova
nova_ca_certificates_file = None
(StrOpt) Location of ca certificates file to use for
nova client requests.
nova_catalog_admin_info = compute:Compute Service:adminURL
(StrOpt) Same as nova_catalog_info, but for admin
endpoint.
nova_catalog_info = compute:Compute Service:publicURL
(StrOpt) Match this value when searching for nova in
the service catalog. Format is colon-separated values of
the form: <service_type>:<service_name>:<endpoint_type>
nova_endpoint_admin_template = None
(StrOpt) Same as nova_endpoint_template, but for
admin endpoint.
nova_endpoint_template = None
(StrOpt) Override service catalog lookup with
template for nova endpoint e.g.
http://localhost:8774/v2/%(project_id)s
os_region_name = None
(StrOpt) Region name of this node
Table 2.43. Description of database configuration options
Configuration option = Default value
Description
[DEFAULT]
db_driver = cinder.db
(StrOpt) Driver to use for database access
[database]
backend = sqlalchemy
(StrOpt) The back end to use for the database.
connection = None
(StrOpt) The SQLAlchemy connection string to use
to connect to the database.
connection_debug = 0
(IntOpt) Verbosity of SQL debugging information:
0=None, 100=Everything.
connection_trace = False
(BoolOpt) Add Python stack traces to SQL as
comment strings.
db_inc_retry_interval = True
(BoolOpt) If True, increases the interval between
retries of a database operation up to
db_max_retry_interval.
db_max_retries = 20
(IntOpt) Maximum retries in case of connection error
or deadlock error before error is raised. Set to -1 to
specify an infinite retry count.
db_max_retry_interval = 10
(IntOpt) If db_inc_retry_interval is set, the maximum
seconds between retries of a database operation.
db_retry_interval = 1
(IntOpt) Seconds between retries of a database
transaction.
idle_timeout = 3600
(IntOpt) Timeout before idle SQL connections are
reaped.
max_overflow = None
(IntOpt) If set, use this value for max_overflow with
SQLAlchemy.
max_pool_size = None
(IntOpt) Maximum number of SQL connections to
keep open in a pool.
max_retries = 10
(IntOpt) Maximum number of database connection
retries during startup. Set to -1 to specify an infinite
retry count.
min_pool_size = 1
(IntOpt) Minimum number of SQL connections to
keep open in a pool.
mysql_sql_mode = TRADITIONAL
(StrOpt) The SQL mode to be used for MySQL
sessions. This option, including the default, overrides
any server-set SQL mode. To use whatever SQL
mode is set by the server configuration, set this to
no value. Example: mysql_sql_mode=
pool_timeout = None
(IntOpt) If set, use this value for pool_timeout with
SQLAlchemy.
retry_interval = 10
(IntOpt) Interval between retries of opening a SQL
connection.
slave_connection = None
(StrOpt) The SQLAlchemy connection string to use
to connect to the slave database.
sqlite_db = oslo.sqlite
(StrOpt) The file name to use with SQLite.
sqlite_synchronous = True
(BoolOpt) If True, SQLite uses synchronous mode.
use_db_reconnect = False
(BoolOpt) Enable the experimental use of database
reconnect on connection lost.
use_tpool = False
(BoolOpt) Enable the experimental use of thread
pooling for all DB API calls
Table 2.44. Description of logging configuration options
Configuration option = Default value
Description
[DEFAULT]
trace_flags = None
(ListOpt) List of options that control which trace info
is written to the DEBUG log level to assist
developers. Valid values are method and api.
Table 2.45. Description of EMC configuration options
Configuration option = Default value
Description
[DEFAULT]
check_max_pool_luns_threshold = False
(BoolOpt) Report free_capacity_gb as 0 when the
limit to maximum number of pool LUNs is reached.
By default, the value is False.
cinder_emc_config_file = /etc/cinder/cinder_emc_config.xml
(StrOpt) Use this file for cinder emc plugin config
data
destroy_empty_storage_group = False
(BoolOpt) To destroy storage group when the last
LUN is removed from it. By default, the value is
False.
force_delete_lun_in_storagegroup = False
(BoolOpt) Delete a LUN even if it is in Storage
Groups.
initiator_auto_deregistration = False
(BoolOpt) Automatically deregister initiators after
the related storage group is destroyed. By default,
the value is False.
initiator_auto_registration = False
(BoolOpt) Automatically register initiators. By
default, the value is False.
io_port_list = *
(StrOpt) Comma separated iSCSI or FC ports to be
used in Nova or Cinder.
iscsi_initiators =
(StrOpt) Mapping between hostname and its iSCSI
initiator IP addresses.
max_luns_per_storage_group = 255
(IntOpt) Default max number of LUNs in a storage
group. By default, the value is 255.
naviseccli_path =
(StrOpt) Naviseccli Path.
storage_vnx_authentication_type = global
(StrOpt) VNX authentication scope type.
storage_vnx_pool_names = None
(StrOpt) Comma-separated list of storage pool
names to be used.
storage_vnx_security_file_dir = None
(StrOpt) Directory path that contains the VNX
security file. Make sure the security file is generated
first.
xtremio_array_busy_retry_count = 5
(IntOpt) Number of retries in case array is busy
xtremio_array_busy_retry_interval = 5
(IntOpt) Interval between retries in case array is
busy
xtremio_cluster_name =
(StrOpt) XMS cluster id in multi-cluster environment
Table 2.46. Description of IBM FlashSystem volume driver configuration options
Configuration option = Default value
Description
[DEFAULT]
flashsystem_connection_protocol = FC
(StrOpt) Connection protocol should be FC. (Default
is FC.)
flashsystem_iscsi_portid = 0
(IntOpt) Default iSCSI Port ID of FlashSystem.
(Default port is 0.)
flashsystem_multihostmap_enabled = True
(BoolOpt) Allows vdisk to multi host mapping.
(Default is True)
flashsystem_multipath_enabled = False
(BoolOpt) Connect with multipath (FC only). (Default
is false.)
Table 2.47. Description of IBM SONAS and Storwize V7000 volume driver configuration options
Configuration option = Default value
Description
[DEFAULT]
ibmnas_platform_type = v7ku
(StrOpt) IBMNAS platform type to be used as
backend storage; valid values are - v7ku : for using
IBM Storwize V7000 Unified, sonas : for using IBM
Scale Out NAS, gpfs-nas : for using NFS based IBM
GPFS deployments.
nas_ip =
(StrOpt) IP address or Hostname of NAS system.
nas_login = admin
(StrOpt) User name to connect to NAS system.
nas_mount_options = None
(StrOpt) Options used to mount the storage
backend file system where Cinder volumes are
stored.
nas_password =
(StrOpt) Password to connect to NAS system.
nas_private_key =
(StrOpt) Filename of private key to use for SSH
authentication.
nas_secure_file_operations = auto
(StrOpt) Allow network-attached storage systems
to operate in a secure environment where root level
access is not permitted. If set to False, access is as
the root user and insecure. If set to True, access is
not as root. If set to auto, a check is done to
determine if this is a new installation: True is used if
so, otherwise False. Default is auto.
nas_secure_file_permissions = auto
(StrOpt) Set more secure file permissions on
network-attached storage volume files to restrict
broad other/world access. If set to False, volumes
are created with open permissions. If set to True,
volumes are created with permissions for the cinder
user and group (660). If set to auto, a check is done
to determine if this is a new installation: True is used
if so, otherwise False. Default is auto.
nas_share_path =
(StrOpt) Path to the share to use for storing Cinder
volumes. For example: "/srv/export1" for an NFS
server export available at 10.0.5.10:/srv/export1.
nas_ssh_port = 22
(IntOpt) SSH port to use to connect to NAS system.
Table 2.48. Description of images configuration options
Configuration option = Default value
Description
[DEFAULT]
allowed_direct_url_schemes =
(ListOpt) A list of url schemes that can be
downloaded directly via the direct_url. Currently
supported schemes: [file].
glance_api_insecure = False
(BoolOpt) Allow insecure SSL (https)
requests to glance
glance_api_servers = $glance_host:$glance_port
(ListOpt) A list of the glance API servers available to
cinder ([hostname|ip]:port)
glance_api_ssl_compression = False
(BoolOpt) Enables or disables negotiation of SSL
layer compression. In some cases disabling
compression can improve data throughput, such as
when high network bandwidth is available and you
use compressed image formats like qcow2.
glance_api_version = 1
(IntOpt) Version of the glance API to use
glance_ca_certificates_file = None
(StrOpt) Location of ca certificates file to use for
glance client requests.
glance_core_properties = checksum, container_format, disk_format, image_name, image_id, min_disk, min_ram, name, size
(ListOpt) Default core properties of image
glance_host = $my_ip
(StrOpt) Default glance host name or IP
glance_num_retries = 0
(IntOpt) Number of retries when downloading an image
from glance
glance_port = 9292
(IntOpt) Default glance port
glance_request_timeout = None
(IntOpt) http/https timeout value for glance
operations. If no value (None) is supplied here, the
glanceclient default value is used.
image_conversion_dir = $state_path/conversion
(StrOpt) Directory used for temporary storage
during image conversion
image_upload_use_cinder_backend = False
(BoolOpt) If set to True, upload-to-image in raw
format will create a cloned volume and register its
location to the image service, instead of uploading
the volume content. The cinder backend and
locations support must be enabled in the image
service, and glance_api_version must be set to 2.
image_upload_use_internal_tenant = False
(BoolOpt) If set to True, the image volume created
by upload-to-image will be placed in the internal
tenant. Otherwise, the image volume is created in
the current context's tenant.
image_volume_cache_enabled = False
(BoolOpt) Enable the image volume cache for this
backend.
image_volume_cache_max_count = 0
(IntOpt) Max number of entries allowed in the image
volume cache. 0 => unlimited.
image_volume_cache_max_size_gb = 0
(IntOpt) Max size of the image volume cache for this
backend in GB. 0 => unlimited.
use_multipath_for_image_xfer = False
(BoolOpt) Do we attach/detach volumes in cinder
using multipath for volume to image and image to
volume transfers?
Table 2.49. Description of key manager configuration options
Configuration option = Default value
Description
[keymgr]
api_class = cinder.keymgr.conf_key_mgr.ConfKeyManager
(StrOpt) The full class name of the key manager API
class
encryption_api_url = http://localhost:9311/v1
(StrOpt) URL for encryption service.
encryption_auth_url = http://localhost:5000/v3
(StrOpt) Authentication URL for encryption service.
fixed_key = None
(StrOpt) Fixed key returned by key manager,
specified in hex
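The following audit of the security-relevant options in the tables above is an added example, not part of the Red Hat reference or of Cinder itself. It reads a cinder.conf, applies the defaults listed on this page, and reports settings that leave TLS verification, SSH host key checking, NAS file protections or memcached token protection switched off; the function names, the boolean spellings and the sample configuration are assumptions constructed for illustration.

```python
import configparser

# Defaults copied from the option tables on this page; None is written as "".
DEFAULTS = {
    ("keystone_authtoken", "insecure"): "False",
    ("keystone_authtoken", "memcached_servers"): "",
    ("keystone_authtoken", "memcache_security_strategy"): "",
    ("keystone_authtoken", "memcache_secret_key"): "",
    ("DEFAULT", "driver_ssl_cert_verify"): "False",
    ("DEFAULT", "nova_api_insecure"): "False",
    ("DEFAULT", "glance_api_insecure"): "False",
    ("DEFAULT", "strict_ssh_host_key_policy"): "False",
    ("DEFAULT", "use_forwarded_for"): "False",
    ("DEFAULT", "nas_secure_file_operations"): "auto",
    ("DEFAULT", "nas_secure_file_permissions"): "auto",
}
TRUE_VALUES = {"true", "1", "on", "yes"}  # assumed boolean spellings


def load(text):
    # [DEFAULT] must not leak into other sections, so configparser gets a
    # different default-section name. Log format values contain "%", so
    # interpolation is off; repeated options are tolerated with strict=False.
    cfg = configparser.ConfigParser(
        interpolation=None, strict=False, default_section="__unused__")
    cfg.read_string(text)
    return cfg


def value(cfg, section, option):
    """Return (effective value, True if the file sets it explicitly)."""
    if cfg.has_section(section) and cfg.has_option(section, option):
        return cfg.get(section, option).strip(), True
    return DEFAULTS[(section, option)], False


def audit(text):
    """Return a list of (section, option, message) findings."""
    cfg = load(text)
    findings = []

    def flag(section, option, why):
        val, explicit = value(cfg, section, option)
        origin = "set" if explicit else "default"
        findings.append(
            (section, option, f"{option}={val or 'None'} ({origin}): {why}"))

    def is_true(section, option):
        return value(cfg, section, option)[0].lower() in TRUE_VALUES

    for section, option in [("keystone_authtoken", "insecure"),
                            ("DEFAULT", "nova_api_insecure"),
                            ("DEFAULT", "glance_api_insecure")]:
        if is_true(section, option):
            flag(section, option, "HTTPS certificate verification is off")
    if not is_true("DEFAULT", "driver_ssl_cert_verify"):
        flag("DEFAULT", "driver_ssl_cert_verify",
             "backend endpoint certificate is not validated")
    if not is_true("DEFAULT", "strict_ssh_host_key_policy"):
        flag("DEFAULT", "strict_ssh_host_key_policy",
             "host key is saved on first connection, not required in "
             "ssh_hosts_key_file beforehand")
    if is_true("DEFAULT", "use_forwarded_for"):
        flag("DEFAULT", "use_forwarded_for",
             "X-Forwarded-For is trusted; needs a sanitizing proxy")
    for option, why in [
            ("nas_secure_file_operations", "NAS access runs as root"),
            ("nas_secure_file_permissions", "volume files get open permissions")]:
        if value(cfg, "DEFAULT", option)[0].lower() == "false":
            flag("DEFAULT", option, why)

    ka = "keystone_authtoken"
    servers = value(cfg, ka, "memcached_servers")[0]
    strategy = value(cfg, ka, "memcache_security_strategy")[0]
    secret = value(cfg, ka, "memcache_secret_key")[0]
    if strategy:
        # Exact match against the two values the table documents.
        if strategy not in ("MAC", "ENCRYPT"):
            flag(ka, "memcache_security_strategy",
                 "not one of the documented values MAC or ENCRYPT")
        if not secret:
            flag(ka, "memcache_secret_key",
                 "mandatory when memcache_security_strategy is defined")
    elif servers:
        flag(ka, "memcache_security_strategy",
             "token data in memcached is neither authenticated nor encrypted")
    return findings


# Constructed sample configuration (addresses are documentation values).
SAMPLE_CONF = """
[DEFAULT]
glance_api_insecure = True
driver_ssl_cert_verify = True
strict_ssh_host_key_policy = True
nas_secure_file_operations = false
log_date_format = %Y-%m-%d %H:%M:%S

[keystone_authtoken]
memcached_servers = 192.0.2.10:11211
insecure = False
"""

if __name__ == "__main__":
    for _section, _option, message in audit(SAMPLE_CONF):
        print(message)
```

An empty file still produces two findings, because the defaults for driver_ssl_cert_verify and strict_ssh_host_key_policy are both False.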
Table 2.50. Description of logging configuration options
Configuration option = Default value
Description
[DEFAULT]
debug = False
(BoolOpt) Print debugging output (set logging level
to DEBUG instead of default INFO level).
default_log_levels = amqp=WARN, amqplib=WARN, boto=WARN, qpid=WARN, sqlalchemy=WARN, suds=INFO, oslo.messaging=INFO, iso8601=WARN, requests.packages.urllib3.connectionpool=WARN, urllib3.connectionpool=WARN, websocket=WARN, requests.packages.urllib3.util.retry=WARN, urllib3.util.retry=WARN, keystonemiddleware=WARN, routes.middleware=WARN, stevedore=WARN, taskflow=WARN
(ListOpt) List of logger=LEVEL pairs. This option is
ignored if log_config_append is set.
fatal_deprecations = False
(BoolOpt) Enables or disables fatal status of
deprecations.
fatal_exception_format_errors = False
(BoolOpt) Make exception message format errors
fatal.
instance_format = "[instance: %(uuid)s] "
(StrOpt) The format for an instance that is passed
with the log message.
instance_uuid_format = "[instance: %(uuid)s] "
(StrOpt) The format for an instance UUID that is
passed with the log message.
log_config_append = None
(StrOpt) The name of a logging configuration file.
This file is appended to any existing logging
configuration files. For details about logging
configuration files, see the Python logging module
documentation. Note that when logging
configuration files are used then all logging
configuration is set in the configuration file and
other logging configuration options are ignored (for
example, log_format).
log_date_format = %Y-%m-%d %H:%M:%S
(StrOpt) Format string for %%(asctime)s in log
records. Default: %(default)s . This option is ignored
if log_config_append is set.
log_dir = None
(StrOpt) (Optional) The base directory used for
relative --log-file paths. This option is ignored if
log_config_append is set.
log_file = None
(StrOpt) (Optional) Name of log file to output to. If
no default is set, logging will go to stdout. This
option is ignored if log_config_append is set.
log_format = None
(StrOpt) DEPRECATED. A logging.Formatter log
message format string which may use any of the
available logging.LogRecord attributes. This option
is deprecated; use logging_context_format_string and
logging_default_format_string instead. This option is
ignored if log_config_append is set.
logging_context_format_string = %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [%(request_id)s %(user_identity)s] %(instance)s%(message)s
(StrOpt) Format string to use for log messages with
context.
logging_debug_format_suffix = %(funcName)s %(pathname)s:%(lineno)d
(StrOpt) Data to append to log format when level is
DEBUG.
logging_default_format_string = %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [-] %(instance)s%(message)s
(StrOpt) Format string to use for log messages
without context.
logging_exception_prefix = %(asctime)s.%(msecs)03d %(process)d ERROR %(name)s %(instance)s
(StrOpt) Prefix each line of exception output with
this format.
publish_errors = False
(BoolOpt) Enables or disables publication of error
events.
syslog_log_facility = LOG_USER
(StrOpt) Syslog facility to receive log lines. This
option is ignored if log_config_append is set.
use_stderr = True
(BoolOpt) Log output to standard error. This option
is ignored if log_config_append is set.
use_syslog = False
(BoolOpt) Use syslog for logging. Existing syslog
format is DEPRECATED and will be changed later to
honor RFC5424. This option is ignored if
log_config_append is set.
use_syslog_rfc_format = True
(BoolOpt) (Optional) Enables or disables syslog
rfc5424 format for logging. If enabled, prefixes the
MSG part of the syslog message with APP-NAME
(RFC5424). The format without the APP-NAME is
deprecated in Kilo, and will be removed in Mitaka,
along with this option. This option is ignored if
log_config_append is set.
verbose = True
(BoolOpt) If set to false, will disable INFO logging
level, making WARNING the default.
Table 2.51. Description of NAS configuration options
Configuration option = Default value
Description
[DEFAULT]
nas_ip =
(StrOpt) IP address or Hostname of NAS system.
nas_login = admin
(StrOpt) User name to connect to NAS system.
nas_mount_options = None
(StrOpt) Options used to mount the storage
backend file system where Cinder volumes are
stored.
nas_password =
(StrOpt) Password to connect to NAS system.
nas_private_key =
(StrOpt) Filename of private key to use for SSH
authentication.
nas_secure_file_operations = auto
(StrOpt) Allow network-attached storage systems
to operate in a secure environment where root level
access is not permitted. If set to False, access is as
the root user and insecure. If set to True, access is
not as root. If set to auto, a check is done to
determine if this is a new installation: True is used if
so, otherwise False. Default is auto.
nas_secure_file_permissions = auto
(StrOpt) Set more secure file permissions on
network-attached storage volume files to restrict
broad other/world access. If set to False, volumes
are created with open permissions. If set to True,
volumes are created with permissions for the cinder
user and group (660). If set to auto, a check is done
to determine if this is a new installation: True is used
if so, otherwise False. Default is auto.
nas_share_path =
(StrOpt) Path to the share to use for storing Cinder
volumes. For example: "/srv/export1" for an NFS
server export available at 10.0.5.10:/srv/export1.
nas_ssh_port = 22
(IntOpt) SSH port to use to connect to NAS system.
Table 2.52. Description of Open vStorage driver configuration options
Configuration option = Default value
Description
[DEFAULT]
vpool_name =
(StrOpt) Vpool to use for volumes - backend is
defined by vpool not by us.
Table 2.53. Description of oslo_middleware configuration options
Configuration option = Default value
Description
[oslo_middleware]
max_request_body_size = 114688
(IntOpt) The maximum body size for each request, in
bytes.
Table 2.54. Description of profiler configuration options
Configuration option = Default value
Description
[profiler]
profiler_enabled = False
(BoolOpt) If False fully disable profiling feature.
trace_sqlalchemy = False
(BoolOpt) If False doesn't trace SQL requests.
Table 2.55. Description of Pure Storage driver configuration options
Configuration option = Default value
Description
[DEFAULT]
pure_api_token = None
(StrOpt) REST API authorization token.
Table 2.56. Description of Qpid configuration options
Configuration option = Default value
Description
[oslo_messaging_qpid]
amqp_auto_delete = False
(BoolOpt) Auto-delete queues in AMQP.
amqp_durable_queues = False
(BoolOpt) Use durable queues in AMQP.
qpid_heartbeat = 60
(IntOpt) Seconds between connection keepalive
heartbeats.
qpid_hostname = localhost
(StrOpt) Qpid broker hostname.
qpid_hosts = $qpid_hostname:$qpid_port
(ListOpt) Qpid HA cluster host:port pairs.
qpid_password =
(StrOpt) Password for Qpid connection.
qpid_port = 5672
(IntOpt) Qpid broker port.
qpid_protocol = tcp
(StrOpt) Transport to use, either 'tcp' or 'ssl'.
qpid_receiver_capacity = 1
(IntOpt) The number of prefetched messages held by
receiver.
qpid_sasl_mechanisms =
(StrOpt) Space separated list of SASL mechanisms
to use for auth.
qpid_tcp_nodelay = True
(BoolOpt) Whether to disable the Nagle algorithm.
qpid_topology_version = 1
(IntOpt) The qpid topology version to use. Version 1
is what was originally used by impl_qpid. Version 2
includes some backwards-incompatible changes
that allow broker federation to work. Users should
update to version 2 when they are able to take
everything down, as it requires a clean break.
qpid_username =
(StrOpt) Username for Qpid connection.
send_single_reply = False
(BoolOpt) Send a single AMQP reply to call message.
The current behavior since oslo-incubator is to send
two AMQP replies - first one with the payload, a
second one to ensure the other has finished sending
the payload. We are going to remove it in the N
release, but we must remain backward compatible at
the same time. This option provides such
compatibility - it defaults to False in Liberty and can
be turned on for early adopters with new
installations or for testing. This option will be removed
in the Mitaka release.
Table 2.57. Description of quota configuration options
Configuration option = Default value
Description
[DEFAULT]
max_age = 0
(IntOpt) Number of seconds between subsequent
usage refreshes
quota_backup_gigabytes = 1000
(IntOpt) Total amount of storage, in gigabytes,
allowed for backups per project
quota_backups = 10
(IntOpt) Number of volume backups allowed per
project
quota_consistencygroups = 10
(IntOpt) Number of consistencygroups allowed per
project
quota_driver = cinder.quota.DbQuotaDriver
(StrOpt) Default driver to use for quota checks
quota_gigabytes = 1000
(IntOpt) Total amount of storage, in gigabytes,
allowed for volumes and snapshots per project
quota_snapshots = 10
(IntOpt) Number of volume snapshots allowed per
project
quota_volumes = 10
(IntOpt) Number of volumes allowed per project
reservation_expire = 86400
(IntOpt) Number of seconds until a reservation
expires
use_default_quota_class = True
(BoolOpt) Enables or disables use of default quota
class with default quota.
Table 2.58. Description of RabbitMQ configuration options
Configuration option = Default value
Description
[oslo_messaging_rabbit]
amqp_auto_delete = False
(BoolOpt) Auto-delete queues in AMQP.
amqp_durable_queues = False
(BoolOpt) Use durable queues in AMQP.
fake_rabbit = False
(BoolOpt) Deprecated, use
rpc_backend=kombu+memory or rpc_backend=fake
heartbeat_rate = 2
(IntOpt) How many times during the
heartbeat_timeout_threshold we check the
heartbeat.
heartbeat_timeout_threshold = 60
(IntOpt) Number of seconds after which the Rabbit
broker is considered down if heartbeat's keep-alive
fails (0 disables the heartbeat). EXPERIMENTAL
kombu_reconnect_delay = 1.0
(FloatOpt) How long to wait before reconnecting in
response to an AMQP consumer cancel notification.
kombu_reconnect_timeout = 60
(IntOpt) How long to wait before considering a
reconnect attempt to have failed. This value should
not be longer than rpc_response_timeout.
kombu_ssl_ca_certs =
(StrOpt) SSL certification authority file (valid only if
SSL enabled).
kombu_ssl_certfile =
(StrOpt) SSL cert file (valid only if SSL enabled).
kombu_ssl_keyfile =
(StrOpt) SSL key file (valid only if SSL enabled).
kombu_ssl_version =
(StrOpt) SSL version to use (valid only if SSL
enabled). Valid values are TLSv1 and SSLv23. SSLv2,
SSLv3, TLSv1_1, and TLSv1_2 may be available on
some distributions.
rabbit_ha_queues = False
(BoolOpt) Use HA queues in RabbitMQ (x-ha-policy:
all). If you change this option, you must wipe the
RabbitMQ database.
rabbit_host = localhost
(StrOpt) The RabbitMQ broker address where a
single node is used.
rabbit_hosts = $rabbit_host:$rabbit_port
(ListOpt) RabbitMQ HA cluster host:port pairs.
rabbit_login_method = AMQPLAIN
(StrOpt) The RabbitMQ login method.
rabbit_max_retries = 0
(IntOpt) Maximum number of RabbitMQ connection
retries. Default is 0 (infinite retry count).
rabbit_password = guest
(StrOpt) The RabbitMQ password.
rabbit_port = 5672
(IntOpt) The RabbitMQ broker port where a single
node is used.
rabbit_retry_backoff = 2
(IntOpt) How long to back off between retries
when connecting to RabbitMQ.
rabbit_retry_interval = 1
(IntOpt) How frequently to retry connecting with
RabbitMQ.
rabbit_use_ssl = False
(BoolOpt) Connect over SSL for RabbitMQ.
rabbit_userid = guest
(StrOpt) The RabbitMQ userid.
rabbit_virtual_host = /
(StrOpt) The RabbitMQ virtual host.
send_single_reply = False
(BoolOpt) Send a single AMQP reply to call message.
The current behavior since oslo-incubator is to send
two AMQP replies - first one with the payload, a
second one to ensure the other has finished sending
the payload. We are going to remove it in the N
release, but we must remain backward compatible at
the same time. This option provides such
compatibility - it defaults to False in Liberty and can
be turned on for early adopters with new
installations or for testing. This option will be removed
in the Mitaka release.
Table 2.59. Description of Redis configuration options
Configuration option = Default value
Description
[matchmaker_redis]
host = 127.0.0.1
(StrOpt) Host to locate redis.
password =
(StrOpt) Password for Redis server (optional).
port = 6379
(IntOpt) Use this port to connect to redis host.
Table 2.60. Description of RPC configuration options
Configuration option = Default value
Description
[DEFAULT]
rpc_backend = rabbit
(StrOpt) The messaging driver to use, defaults to
rabbit. Other drivers include qpid and zmq.
rpc_cast_timeout = 30
(IntOpt) Seconds to wait before a cast expires (TTL).
Only supported by impl_zmq.
rpc_conn_pool_size = 30
(IntOpt) Size of RPC connection pool.
rpc_poll_timeout = 1
(IntOpt) The default number of seconds that poll
should wait. Poll raises timeout exception when
timeout expired.
rpc_response_timeout = 60
(IntOpt) Seconds to wait for a response from a call.
volume_topic = cinder-volume
(StrOpt) The topic that volume nodes listen on
[oslo_concurrency]
disable_process_locking = False
(BoolOpt) Enables or disables inter-process locks.
lock_path = None
(StrOpt) Directory to use for lock files. For security,
the specified directory should only be writable by
the user running the processes that need locking.
Defaults to environment variable
OSLO_LOCK_PATH. If external locks are used, a
lock path must be set.
[oslo_messaging_amqp]
allow_insecure_clients = False
(BoolOpt) Accept clients using either SSL or plain
TCP
broadcast_prefix = broadcast
(StrOpt) address prefix used when broadcasting to
all servers
container_name = None
(StrOpt) Name for the AMQP container
group_request_prefix = unicast
(StrOpt) address prefix when sending to any server
in group
idle_timeout = 0
(IntOpt) Timeout for inactive connections (in
seconds)
password =
(StrOpt) Password for message broker
authentication
sasl_config_dir =
(StrOpt) Path to directory that contains the SASL
configuration
sasl_config_name =
(StrOpt) Name of configuration file (without .conf
suffix)
sasl_mechanisms =
(StrOpt) Space separated list of acceptable SASL
mechanisms
server_request_prefix = exclusive
(StrOpt) address prefix used when sending to a
specific server
ssl_ca_file =
(StrOpt) CA certificate PEM file to verify server
certificate
ssl_cert_file =
(StrOpt) Identifying certificate PEM file to present
to clients
ssl_key_file =
(StrOpt) Private key PEM file used to sign cert_file
certificate
ssl_key_password = None
(StrOpt) Password for decrypting ssl_key_file (if
encrypted)
trace = False
(BoolOpt) Debug: dump AMQP frames to stdout
username =
(StrOpt) User name for message broker
authentication
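The following audit of the messaging options in Tables 2.58 and 2.60 is an added example, not part of the Red Hat documentation or of the Block Storage code. It applies the defaults listed above to options that are missing from the file; the function name, finding identifiers, sample files and certificate paths are constructed for illustration.

```python
import configparser

# Defaults copied from Tables 2.58 and 2.60 above. An option that is absent
# from cinder.conf takes its default, so the audit evaluates these too.
DEFAULTS = {
    ("DEFAULT", "rpc_backend"): "rabbit",
    ("oslo_messaging_rabbit", "rabbit_use_ssl"): "False",
    ("oslo_messaging_rabbit", "rabbit_userid"): "guest",
    ("oslo_messaging_rabbit", "rabbit_password"): "guest",
    ("oslo_messaging_rabbit", "kombu_ssl_version"): "",
    ("oslo_messaging_rabbit", "kombu_ssl_ca_certs"): "",
    ("oslo_messaging_amqp", "allow_insecure_clients"): "False",
    ("oslo_messaging_amqp", "trace"): "False",
    ("oslo_messaging_amqp", "ssl_ca_file"): "",
}
BROKEN_PROTOCOLS = {"sslv2", "sslv3"}
TRUE_WORDS = {"1", "true", "yes", "on"}

# Constructed sample: TLS is switched on, but with no CA file and SSLv3.
WEAK_CONF = """\
[DEFAULT]
rpc_backend = rabbit
replication_device = target_device_id:a,key1:value1
replication_device = target_device_id:b,key1:value1

[oslo_messaging_rabbit]
rabbit_use_ssl = True
kombu_ssl_version = SSLv3
rabbit_userid = cinder
rabbit_password = constructed-not-a-real-secret

[oslo_messaging_amqp]
allow_insecure_clients = True
trace = true
"""

# Constructed sample with the weak settings corrected (paths are hypothetical).
HARDENED_CONF = """\
[oslo_messaging_rabbit]
rabbit_use_ssl = True
kombu_ssl_version = TLSv1_2
kombu_ssl_ca_certs = /etc/pki/example/ca.pem
rabbit_userid = cinder
rabbit_password = constructed-not-a-real-secret

[oslo_messaging_amqp]
ssl_ca_file = /etc/pki/example/ca.pem
"""


def audit_messaging(conf_text):
    """Return a list of (finding_id, detail) for weak messaging settings."""
    # interpolation=None: values such as $state_path or '%' are kept literally.
    # strict=False: an option repeated in one section does not raise.
    # default_section: treat [DEFAULT] as an ordinary section instead of
    # letting configparser copy its values into every other section.
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   default_section="__unused__")
    cp.read_string(conf_text)

    def get(section, option):
        if cp.has_section(section) and cp.has_option(section, option):
            return cp.get(section, option).strip()
        return DEFAULTS[(section, option)]

    def flag(section, option):
        return get(section, option).lower() in TRUE_WORDS

    findings = []
    if get("DEFAULT", "rpc_backend") == "rabbit":
        sec = "oslo_messaging_rabbit"
        if (get(sec, "rabbit_userid"), get(sec, "rabbit_password")) == ("guest", "guest"):
            findings.append(("rabbit-default-credentials",
                             "rabbit_userid/rabbit_password are the guest/guest defaults"))
        if not flag(sec, "rabbit_use_ssl"):
            findings.append(("rabbit-cleartext",
                             "rabbit_use_ssl is False: RPC traffic is not encrypted"))
        else:
            if not get(sec, "kombu_ssl_ca_certs"):
                findings.append(("rabbit-no-ca",
                                 "kombu_ssl_ca_certs is empty: no CA to validate the broker"))
            if get(sec, "kombu_ssl_version").lower() in BROKEN_PROTOCOLS:
                findings.append(("rabbit-broken-protocol",
                                 "kombu_ssl_version selects SSLv2 or SSLv3"))
    # The AMQP section is only judged when the file actually configures it.
    if cp.has_section("oslo_messaging_amqp"):
        sec = "oslo_messaging_amqp"
        if flag(sec, "allow_insecure_clients"):
            findings.append(("amqp-plain-tcp-accepted",
                             "allow_insecure_clients accepts clients over plain TCP"))
        if flag(sec, "trace"):
            findings.append(("amqp-frame-dump",
                             "trace dumps AMQP frames to stdout"))
        if not get(sec, "ssl_ca_file"):
            findings.append(("amqp-no-ca",
                             "ssl_ca_file is empty: no CA to verify the server certificate"))
    return findings
```

An empty file yields the two RabbitMQ findings, because the documented defaults are guest/guest credentials with rabbit_use_ssl set to False.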
Table 2.61. Description of SAN configuration options
Configuration option = Default value
Description
[DEFAULT]
san_clustername =
(StrOpt) Cluster name to use for creating volumes
san_ip =
(StrOpt) IP address of SAN controller
san_is_local = False
(BoolOpt) Execute commands locally instead of over
SSH; use if the volume service is running on the SAN
device
san_login = admin
(StrOpt) Username for SAN controller
san_password =
(StrOpt) Password for SAN controller
san_private_key =
(StrOpt) Filename of private key to use for SSH
authentication
san_secondary_ip = None
(StrOpt) VNX secondary SP IP Address.
san_ssh_port = 22
(IntOpt) SSH port to use with SAN
san_thin_provision = True
(BoolOpt) Use thin provisioning for SAN volumes?
ssh_conn_timeout = 30
(IntOpt) SSH connection timeout in seconds
ssh_max_pool_conn = 5
(IntOpt) Maximum ssh connections in the pool
ssh_min_pool_conn = 1
(IntOpt) Minimum ssh connections in the pool
Table 2.62. Description of scheduler configuration options
Configuration option = Default value
Description
[DEFAULT]
filter_function = None
(StrOpt) String representation for an equation that
will be used to filter hosts. Only used when the driver
filter is set to be used by the Cinder scheduler.
goodness_function = None
(StrOpt) String representation for an equation that
will be used to determine the goodness of a host.
Only used when the goodness weigher is set to
be used by the Cinder scheduler.
scheduler_default_filters = AvailabilityZoneFilter, CapacityFilter, CapabilitiesFilter
(ListOpt) Which filter class names to use for filtering
hosts when not specified in the request.
scheduler_default_weighers = CapacityWeigher
(ListOpt) Which weigher class names to use for
weighing hosts.
scheduler_driver = cinder.scheduler.filter_scheduler.FilterScheduler
(StrOpt) Default scheduler driver to use
scheduler_host_manager = cinder.scheduler.host_manager.HostManager
(StrOpt) The scheduler host manager class to use
scheduler_json_config_location =
(StrOpt) Absolute path to scheduler configuration
JSON file.
scheduler_manager = cinder.scheduler.manager.SchedulerManager
(StrOpt) Full class name for the Manager for
scheduler
scheduler_max_attempts = 3
(IntOpt) Maximum number of attempts to schedule
a volume
scheduler_topic = cinder-scheduler
(StrOpt) The topic that scheduler nodes listen on
Table 2.63. Description of SCST volume driver configuration options
Configuration option = Default value
Description
[DEFAULT]
scst_target_driver = iscsi
(StrOpt) SCST target implementation can choose
from multiple SCST target drivers.
scst_target_iqn_name = None
(StrOpt) Certain iSCSI targets have predefined
target names, SCST target driver uses this name.
Table 2.64. Description of Scality REST Block storage driver configuration options
Configuration option = Default value
Description
[DEFAULT]
srb_base_urls = None
(StrOpt) Comma-separated list of REST server IPs
to connect to (e.g. http://IP1/,http://IP2:81/path).
Table 2.65. Description of storage configuration options
Configuration option = Default value
Description
[DEFAULT]
allocated_capacity_weight_multiplier = -1.0
(FloatOpt) Multiplier used for weighing volume
capacity. Negative numbers mean to stack vs
spread.
capacity_weight_multiplier = 1.0
(FloatOpt) Multiplier used for weighing volume
capacity. Negative numbers mean to stack vs
spread.
enabled_backends = None
(ListOpt) A list of backend names to use. These
backend names should be backed by a unique
[CONFIG] group with its options
iscsi_helper = tgtadm
(StrOpt) iSCSI target user-land tool to use. tgtadm is
default, use lioadm for LIO iSCSI support, scstadmin
for SCST target support, iseradm for the ISER
protocol, ietadm for iSCSI Enterprise Target, iscsictl
for Chelsio iSCSI Target or fake for testing.
iscsi_iotype = fileio
(StrOpt) Sets the behavior of the iSCSI target to
perform either blockio or fileio. Optionally, auto can
be set and Cinder will autodetect the type of backing
device
iscsi_ip_address = $my_ip
(StrOpt) The IP address that the iSCSI daemon is
listening on
iscsi_port = 3260
(IntOpt) The port that the iSCSI daemon is listening
on
iscsi_protocol = iscsi
(StrOpt) Determines the iSCSI protocol for new
iSCSI volumes, created with tgtadm or lioadm target
helpers. In order to enable RDMA, this parameter
should be set with the value "iser". The supported
iSCSI protocol values are "iscsi" and "iser".
iscsi_target_flags =
(StrOpt) Sets the target-specific flags for the iSCSI
target. Only used for tgtadm to specify backing
device flags using bsoflags option. The specified
string is passed as is to the underlying tool.
iscsi_target_prefix = iqn.2010-10.org.openstack:
(StrOpt) Prefix for iSCSI volumes
iscsi_write_cache = on
(StrOpt) Sets the behavior of the iSCSI target to
either perform write-back(on) or write-through(off).
This parameter is valid if iscsi_helper is set to
tgtadm or iseradm.
iser_helper = tgtadm
(StrOpt) The name of the iSER target user-land tool
to use
iser_ip_address = $my_ip
(StrOpt) The IP address that the iSER daemon is
listening on
iser_port = 3260
(IntOpt) The port that the iSER daemon is listening
on
iser_target_prefix = iqn.2010-10.org.openstack:
(StrOpt) Prefix for iSER volumes
migration_create_volume_timeout_secs = 300
(IntOpt) Timeout for creating the volume to migrate
to when performing volume migration (seconds)
num_iser_scan_tries = 3
(IntOpt) The maximum number of times to rescan
iSER target to find volume
num_volume_device_scan_tries = 3
(IntOpt) The maximum number of times to rescan
targets to find volume
volume_backend_name = None
(StrOpt) The backend name for a given driver
implementation
volume_clear = zero
(StrOpt) Method used to wipe old volumes
volume_clear_ionice = None
(StrOpt) The flag to pass to ionice to alter the i/o
priority of the process used to zero a volume after
deletion, for example "-c3" for idle only priority.
volume_clear_size = 0
(IntOpt) Size in MiB to wipe at start of old volumes. 0
=> all
volume_copy_blkio_cgroup_name = cinder-volume-copy
(StrOpt) The blkio cgroup name to be used to limit
bandwidth of volume copy
volume_copy_bps_limit = 0
(IntOpt) The upper limit of bandwidth of volume
copy. 0 => unlimited
volume_dd_blocksize = 1M
(StrOpt) The default block size used when
copying/clearing volumes
volume_driver = cinder.volume.drivers.lvm.LVMVolumeDriver
(StrOpt) Driver to use for volume creation
volume_manager = cinder.volume.manager.VolumeManager
(StrOpt) Full class name for the Manager for volume
volume_service_inithost_offload = False
(BoolOpt) Offload pending volume delete during
volume service startup
volume_usage_audit_period = month
(StrOpt) Time period for which to generate volume
usages. The options are hour, day, month, or year.
volumes_dir = $state_path/volumes
(StrOpt) Volume configuration file storage directory
Table 2.66. Description of Violin volume driver configuration options
Configuration option = Default value
Description
[DEFAULT]
gateway_mga = None
(StrOpt) IP address or hostname of mg-a
gateway_mgb = None
(StrOpt) IP address or hostname of mg-b
use_igroups = False
(BoolOpt) Use igroups to manage targets and
initiators
violin_request_timeout = 300
(IntOpt) Global backend request timeout, in seconds.
Table 2.67. Description of zones configuration options
Configuration option = Default value
Description
[DEFAULT]
cloned_volume_same_az = True
(BoolOpt) Ensure that the new volumes are the same
AZ as snapshot or source volume
2.7. NEW, UPDATED, AND DEPRECATED OPTIONS IN MITAKA FOR
OPENSTACK BLOCK STORAGE
Table 2.68. New options
Configuration option = Default value
Description
[DEFAULT] backup_gcs_block_size =
32768
(IntOpt) The size in bytes that changes are tracked
for incremental backups. backup_gcs_object_size
has to be multiple of backup_gcs_block_size.
[DEFAULT] backup_gcs_bucket = None
(StrOpt) The GCS bucket to use.
[DEFAULT] backup_gcs_bucket_location
= US
(StrOpt) Location of GCS bucket.
[DEFAULT] backup_gcs_credential_file
= None
(StrOpt) Absolute path of GCS service account
credential file.
[DEFAULT]
backup_gcs_enable_progress_timer =
True
(BoolOpt) Enable or Disable the timer to send the
periodic progress notifications to Ceilometer when
backing up the volume to the GCS backend storage.
The default value is True to enable the timer.
[DEFAULT] backup_gcs_num_retries = 3
(IntOpt) Number of times to retry.
[DEFAULT] backup_gcs_object_size =
52428800
(IntOpt) The size in bytes of GCS backup objects.
[DEFAULT] backup_gcs_project_id =
None
(StrOpt) Owner project id for GCS bucket.
[DEFAULT]
backup_gcs_reader_chunk_size =
2097152
(IntOpt) GCS object will be downloaded in chunks of
bytes.
[DEFAULT]
backup_gcs_retry_error_codes = 429
(ListOpt) List of GCS error codes.
[DEFAULT] backup_gcs_storage_class =
NEARLINE
(StrOpt) Storage class of GCS bucket.
[DEFAULT] backup_gcs_user_agent =
gcscinder
(StrOpt) Http user-agent string for gcs api.
[DEFAULT]
backup_gcs_writer_chunk_size =
2097152
(IntOpt) GCS object will be uploaded in chunks of
bytes. Pass in a value of -1 if the file is to be uploaded
as a single chunk.
[DEFAULT] backup_swift_auth_insecure
= False
(BoolOpt) Bypass verification of server certificate
when making SSL connection to Swift.
[DEFAULT] backup_swift_auth_url =
None
(StrOpt) The URL of the Keystone endpoint
[DEFAULT] backup_use_same_host =
False
(BoolOpt) Backup services use same backend.
[DEFAULT] cb_update_file_system =
compression, sync, noofcopies,
readonly
(ListOpt) These values will be used for CloudByte
storage's updateFileSystem API call.
[DEFAULT] cb_update_qos_group =
iops, latency, graceallowed
(ListOpt) These values will be used for CloudByte
storage's updateQosGroup API call.
[DEFAULT] cinder_eternus_config_file =
/etc/cinder/cinder_fujitsu_eternus_dx.xml
(StrOpt) config file for cinder eternus_dx volume
driver
[DEFAULT] clone_check_timeout = 3600
(IntOpt) How long we check whether a clone is
finished before we give up
[DEFAULT] coho_rpc_port = 2049
(IntOpt) RPC port to connect to Coho Data
MicroArray
[DEFAULT] disco_client = 127.0.0.1
(IPOpt) The IP of DMS client socket server
[DEFAULT] disco_client_port = 9898
(PortOpt) The port to connect DMS client socket
server
[DEFAULT] disco_wsdl_path =
/etc/cinder/DISCOService.wsdl
(StrOpt) Path to the wsdl file to communicate with
DISCO request manager
[DEFAULT]
drbdmanage_devs_on_controller = True
(BoolOpt) If set, the c-vol node will receive a useable
/dev/drbdX device, even if the actual data is stored
on other nodes only. This is useful for debugging,
maintenance, and to be able to do the iSCSI export
from the c-vol node.
[DEFAULT] drbdmanage_resize_plugin =
drbdmanage.plugins.plugins.wait_for.WaitForVolumeSize
(StrOpt) Volume resize completion wait plugin.
[DEFAULT] drbdmanage_resize_policy =
{"timeout": "60"}
(StrOpt) Volume resize completion wait policy.
[DEFAULT] drbdmanage_resource_plugin =
drbdmanage.plugins.plugins.wait_for.WaitForResource
(StrOpt) Resource deployment completion wait
plugin.
[DEFAULT] drbdmanage_resource_policy =
{"ratio": "0.51", "timeout": "60"}
(StrOpt) Resource deployment completion wait
policy.
[DEFAULT] drbdmanage_snapshot_plugin =
drbdmanage.plugins.plugins.wait_for.WaitForSnapshot
(StrOpt) Snapshot completion wait plugin.
[DEFAULT] drbdmanage_snapshot_policy
= {"count": "1", "timeout": "60"}
(StrOpt) Snapshot completion wait policy.
[DEFAULT] driver_ssl_cert_path =
None
(StrOpt) Can be used to specify a non default path
to a CA_BUNDLE file or directory with certificates of
trusted CAs, which will be used to validate the
backend
[DEFAULT] enable_v3_api = True
(BoolOpt) Deploy v3 of the Cinder API.
[DEFAULT] glance_catalog_info =
image:glance:publicURL
(StrOpt) Info to match when looking for glance in the
service catalog. Format is: separated values of the
form: <service_type>:<service_name>:
<endpoint_type> - Only used if glance_api_servers
are not provided.
[DEFAULT] hpe3par_api_url =
(StrOpt) 3PAR WSAPI Server Url like https://<3par
ip>:8080/api/v1
[DEFAULT] hpe3par_cpg = OpenStack
(ListOpt) List of the CPG(s) to use for volume
creation
[DEFAULT] hpe3par_cpg_snap =
(StrOpt) The CPG to use for Snapshots for volumes.
If empty the userCPG will be used.
[DEFAULT] hpe3par_debug = False
(BoolOpt) Enable HTTP debugging to 3PAR
[DEFAULT] hpe3par_iscsi_chap_enabled
= False
(BoolOpt) Enable CHAP authentication for iSCSI
connections.
[DEFAULT] hpe3par_iscsi_ips =
(ListOpt) List of target iSCSI addresses to use.
[DEFAULT] hpe3par_password =
(StrOpt) 3PAR password for the user specified in
hpe3par_username
[DEFAULT]
hpe3par_snapshot_expiration =
(StrOpt) The time in hours when a snapshot expires
and is deleted. This must be larger than expiration
[DEFAULT] hpe3par_snapshot_retention
=
(StrOpt) The time in hours to retain a snapshot. You
can't delete it before this expires.
[DEFAULT] hpe3par_username =
(StrOpt) 3PAR username with the 'edit' role
[DEFAULT] hpelefthand_api_url = None
(StrOpt) HPE LeftHand WSAPI Server Url like
https://<LeftHand ip>:8081/lhos
[DEFAULT] hpelefthand_clustername =
None
(StrOpt) HPE LeftHand cluster name
[DEFAULT] hpelefthand_debug = False
(BoolOpt) Enable HTTP debugging to LeftHand
[DEFAULT]
hpelefthand_iscsi_chap_enabled =
False
(BoolOpt) Configure CHAP authentication for iSCSI
connections (Default: Disabled)
[DEFAULT] hpelefthand_password =
None
(StrOpt) HPE LeftHand Super user password
[DEFAULT] hpelefthand_ssh_port =
16022
(PortOpt) Port number of SSH service.
[DEFAULT] hpelefthand_username =
None
(StrOpt) HPE LeftHand Super user username
[DEFAULT]
hpexp_async_copy_check_interval = 10
(IntOpt) Interval to check copy asynchronously
[DEFAULT] hpexp_compute_target_ports
= None
(ListOpt) Target port names of compute node for
host group or iSCSI target
[DEFAULT] hpexp_copy_check_interval
= 3
(IntOpt) Interval to check copy
[DEFAULT] hpexp_copy_speed = 3
(IntOpt) Copy speed of storage system
[DEFAULT] hpexp_default_copy_method
= FULL
(StrOpt) Default copy method of storage system.
There are two valid values: "FULL" specifies a
full copy; "THIN" specifies a thin copy. Default
value is "FULL"
[DEFAULT] hpexp_group_request =
False
(BoolOpt) Request for creating host group or iSCSI
target
[DEFAULT] hpexp_horcm_add_conf =
True
(BoolOpt) Add to HORCM configuration
[DEFAULT]
hpexp_horcm_name_only_discovery =
False
(BoolOpt) Only discover a specific name of host
group or iSCSI target
[DEFAULT] hpexp_horcm_numbers = 200,
201
(ListOpt) Instance numbers for HORCM
[DEFAULT] hpexp_horcm_resource_name
= meta_resource
(StrOpt) Resource group name of storage system for
HORCM
[DEFAULT] hpexp_horcm_user = None
(StrOpt) Username of storage system for HORCM
[DEFAULT] hpexp_ldev_range = None
(StrOpt) Logical device range of storage system
[DEFAULT] hpexp_pool = None
(StrOpt) Pool of storage system
[DEFAULT] hpexp_storage_cli = None
(StrOpt) Type of storage command line interface
[DEFAULT] hpexp_storage_id = None
(StrOpt) ID of storage system
[DEFAULT] hpexp_target_ports = None
(ListOpt) Target port names for host group or iSCSI
target
[DEFAULT] hpexp_thin_pool = None
(StrOpt) Thin pool of storage system
[DEFAULT] hpexp_zoning_request =
False
(BoolOpt) Request for FC Zone creating host group
[DEFAULT] hypermetro_devices = None
(StrOpt) The remote device hypermetro will use.
[DEFAULT] keystone_catalog_info =
identity:Identity Service:publicURL
(StrOpt) Info to match when looking for keystone in
the service catalog. Format is: separated values of
the form: <service_type>:<service_name>:
<endpoint_type> - Only used if
backup_swift_auth_url is unset
[DEFAULT]
lvm_max_over_subscription_ratio =
1.0
(FloatOpt) max_over_subscription_ratio setting for
the LVM driver. If set, this takes precedence over
the general max_over_subscription_ratio option. If
None, the general option is used.
[DEFAULT] nexenta_blocksize = 4096
(IntOpt) Block size for datasets
[DEFAULT] nexenta_chunksize = 16384
(IntOpt) NexentaEdge iSCSI LUN object chunk size
[DEFAULT] nexenta_client_address =
(StrOpt) NexentaEdge iSCSI Gateway client address
for non-VIP service
[DEFAULT]
nexenta_dataset_compression = on
(StrOpt) Compression value for new ZFS folders.
[DEFAULT] nexenta_dataset_dedup =
off
(StrOpt) Deduplication value for new ZFS folders.
[DEFAULT]
nexenta_dataset_description =
(StrOpt) Human-readable description for the folder.
[DEFAULT] nexenta_host =
(StrOpt) IP address of Nexenta SA
[DEFAULT] nexenta_iscsi_service =
(StrOpt) NexentaEdge iSCSI service name
[DEFAULT]
nexenta_iscsi_target_portal_port =
3260
(IntOpt) Nexenta target portal port
[DEFAULT] nexenta_lun_container =
(StrOpt) NexentaEdge logical path of bucket for
LUNs
[DEFAULT] nexenta_mount_point_base =
$state_path/mnt
(StrOpt) Base directory that contains NFS share
mount points
[DEFAULT] nexenta_nms_cache_volroot
= True
(BoolOpt) If set to True, cache the NexentaStor
appliance volroot option value.
[DEFAULT] nexenta_ns5_blocksize = 32
(IntOpt) Block size for datasets
[DEFAULT] nexenta_password = nexenta
(StrOpt) Password to connect to Nexenta SA
[DEFAULT] nexenta_rest_address =
(StrOpt) IP address of NexentaEdge management
REST API endpoint
[DEFAULT] nexenta_rest_password =
nexenta
(StrOpt) Password to connect to NexentaEdge
[DEFAULT] nexenta_rest_port = 8080
(IntOpt) HTTP port to connect to Nexenta REST API
server
[DEFAULT] nexenta_rest_protocol =
auto
(StrOpt) Use http or https for REST connection
(default auto)
[DEFAULT] nexenta_rest_user = admin
(StrOpt) User name to connect to NexentaEdge
[DEFAULT] nexenta_rrmgr_compression
= 0
(IntOpt) Enable stream compression, level 1..9. 1 gives best speed; 9 - gives best compression.
[DEFAULT] nexenta_rrmgr_connections
= 2
(IntOpt) Number of TCP connections.
[DEFAULT] nexenta_rrmgr_tcp_buf_size
= 4096
(IntOpt) TCP Buffer size in KiloBytes.
[DEFAULT] nexenta_shares_config =
/etc/cinder/nfs_shares
(StrOpt) File with the list of available nfs shares
[DEFAULT] nexenta_sparse = False
(BoolOpt) Enables or disables the creation of sparse
datasets
[DEFAULT] nexenta_sparsed_volumes =
True
(BoolOpt) Enables or disables the creation of
volumes as sparsed files that take no space. If
disabled (False), volume is created as a regular file,
which takes a long time.
[DEFAULT]
nexenta_target_group_prefix =
cinder/
(StrOpt) Prefix for iSCSI target groups on SA
[DEFAULT] nexenta_target_prefix =
iqn.1986-03.com.sun:02:cinder-
(StrOpt) IQN prefix for iSCSI targets
[DEFAULT] nexenta_user = admin
(StrOpt) User name to connect to Nexenta SA
[DEFAULT] nexenta_volume = cinder
(StrOpt) SA Pool that holds all volumes
[DEFAULT] nexenta_volume_group =
iscsi
(StrOpt) Volume group for ns5
[DEFAULT]
pure_automatic_max_oversubscription_ratio = True
(BoolOpt) Automatically determine an
oversubscription ratio based on the current total
data reduction values. If used this calculated value
will override the max_over_subscription_ratio config
option.
[DEFAULT] pure_eradicate_on_delete =
False
(BoolOpt) When enabled, all Pure volumes,
snapshots, and protection groups will be eradicated
at the time of deletion in Cinder. Data will NOT be
recoverable after a delete with this set to True!
When disabled, volumes and snapshots will go into
pending eradication state and can be recovered.
[DEFAULT]
pure_replica_interval_default = 900
(IntOpt) Snapshot replication interval in seconds.
[DEFAULT]
pure_replica_retention_long_term_default = 7
(IntOpt) Retain snapshots per day on target for this
time (in days.)
[DEFAULT]
pure_replica_retention_long_term_per_day_default = 3
(IntOpt) Retain how many snapshots for each day.
[DEFAULT]
pure_replica_retention_short_term_default = 14400
(IntOpt) Retain all snapshots on target for this time
(in seconds.)
[DEFAULT] replication_device = None
(MultiOpt) Multi opt of dictionaries to represent a
replication target device. This option may be
specified multiple times in a single config section to
specify multiple replication target devices. Each
entry takes the standard dict config form:
replication_device = target_device_id:
<required>,key1:value1,key2:value2...
[DEFAULT] report_discard_supported =
False
(BoolOpt) Report to clients of Cinder that the
backend supports discard (aka. trim/unmap). This
will not actually change the behavior of the backend
or the client directly, it will only notify that it can be
used.
[DEFAULT] restore_check_timeout =
3600
(IntOpt) How long we check whether a restore is
finished before we give up
[DEFAULT] retry_interval = 1
(IntOpt) How long we wait before retrying to get an
item detail
[DEFAULT] sf_enable_vag = False
(BoolOpt) Utilize volume access groups on a per-tenant basis.
[DEFAULT] sf_volume_prefix = UUID-
(StrOpt) Create SolidFire volumes with this prefix.
Volume names are of the form <sf_volume_prefix>
<cinder-volume-id>. The default is to use a prefix of
'UUID-'.
[DEFAULT]
smbfs_allocation_info_file_path =
$state_path/allocation_data
(StrOpt) The path of the automatically generated file
containing information about volume disk space
allocation.
[DEFAULT] snapshot_check_timeout =
3600
(IntOpt) How long we check whether a snapshot is
finished before we give up
[DEFAULT] storwize_san_secondary_ip
= None
(StrOpt) Specifies secondary management IP or
hostname to be used if san_ip is invalid or becomes
inaccessible.
[DEFAULT]
storwize_svc_flashcopy_rate = 50
(IntOpt) Specifies the Storwize FlashCopy copy rate
to be used when creating a full volume copy. The
default rate is 50, and the valid rates are 1-100.
[DEFAULT] storwize_svc_vol_nofmtdisk
= False
(BoolOpt) Specifies that the volume not be
formatted during creation.
[DEFAULT]
suppress_requests_ssl_warnings =
False
(BoolOpt) Suppress requests library SSL certificate
warnings.
[DEFAULT] tegile_default_pool = None
(StrOpt) Create volumes in this pool
[DEFAULT] tegile_default_project =
None
(StrOpt) Create volumes in this project
[DEFAULT]
tintri_image_cache_expiry_days = 30
(IntOpt) Delete unused image snapshots older than
mentioned days
[DEFAULT] tintri_image_shares_config
= None
(StrOpt) Path to image nfs shares file
[DEFAULT] volume_name_prefix =
openstack-
(StrOpt) Prefix before volume name to differentiate
DISCO volumes created through OpenStack from the
other ones
[DEFAULT]
xtremio_volumes_per_glance_cache =
100
(IntOpt) Number of volumes created from each
cached glance image
[DEFAULT] zfssa_manage_policy =
loose
(StrOpt) Driver policy for volume manage.
[BRCD_FABRIC_EXAMPLE]
fc_fabric_ssh_cert_path =
(StrOpt) Local SSH certificate Path.
[BRCD_FABRIC_EXAMPLE]
fc_southbound_protocol = HTTP
(StrOpt) South bound connector for the fabric.
[BRCD_FABRIC_EXAMPLE]
fc_virtual_fabric_id = None
(StrOpt) Virtual Fabric ID.
[coordination] backend_url =
file://$state_path
(StrOpt) The backend URL to use for distributed
coordination.
[coordination] heartbeat = 1.0
(FloatOpt) Number of seconds between heartbeats
for distributed coordination.
[coordination]
initial_reconnect_backoff = 0.1
(FloatOpt) Initial number of seconds to wait after
failed reconnection.
[coordination] max_reconnect_backoff
= 60.0
(FloatOpt) Maximum number of seconds between
sequential reconnection retries.
[hyperv] force_volumeutils_v1 =
False
(BoolOpt) DEPRECATED: Force V1 volume utility
class
[profiler] enabled = False
(BoolOpt) Enables the profiling for all services on
this node. Default value is False (fully disable the
profiling feature). Possible values: * True: Enables
the feature * False: Disables the feature. The
profiling cannot be started via this project
operations. If the profiling is triggered by another
project, this project part will be empty.
[profiler] hmac_keys = SECRET_KEY
(StrOpt) Secret key(s) to use for encrypting context data for performance profiling. This string value
should have the following format: <key1>[,<key2>,...<keyn>], where each key is some random string. A
user who triggers the profiling via the REST API has to set one of these keys in the headers of the
REST API call to include profiling results of this node for this particular project. Both "enabled"
flag and "hmac_keys" config options should be set to enable profiling. Also, to generate correct
profiling information across all services at least one key needs to be consistent between OpenStack
projects. This ensures it can be used from client side to generate the trace, containing information
from all possible resources.
Table 2.69. New default values
Option | Previous default value | New default value
[DEFAULT] datera_api_version | 1 | 2
[DEFAULT] datera_num_replicas | 3 | 1
[DEFAULT] glance_api_servers | $glance_host:$glance_port | None
[DEFAULT] query_volume_filters | name, status, metadata, availability_zone | name, status, metadata, availability_zone, bootable
[DEFAULT] zoning_mode | none | None
[BRCD_FABRIC_EXAMPLE] zone_name_prefix | None | openstack
[fc-zone-manager] brcd_sb_connector | cinder.zonemanager.drivers.brocade.brcd_fc_zone_client_cli.BrcdFCZoneClientCLI | HTTP
Table 2.70. Deprecated options
Deprecated option | New option
[DEFAULT] enable_v1_api | None
[DEFAULT] enable_v2_api | None
[DEFAULT] eqlx_chap_login | [DEFAULT] chap_username
[DEFAULT] eqlx_chap_password | [DEFAULT] chap_password
[DEFAULT] eqlx_use_chap | [DEFAULT] use_chap_auth
[DEFAULT] host | [DEFAULT] backend_host
[DEFAULT] hp3par_api_url | [DEFAULT] hpe3par_api_url
[DEFAULT] hp3par_cpg | [DEFAULT] hpe3par_cpg
[DEFAULT] hp3par_cpg_snap | [DEFAULT] hpe3par_cpg_snap
[DEFAULT] hp3par_debug | [DEFAULT] hpe3par_debug
[DEFAULT] hp3par_iscsi_chap_enabled | [DEFAULT] hpe3par_iscsi_chap_enabled
[DEFAULT] hp3par_iscsi_ips | [DEFAULT] hpe3par_iscsi_ips
[DEFAULT] hp3par_password | [DEFAULT] hpe3par_password
[DEFAULT] hp3par_snapshot_expiration | [DEFAULT] hpe3par_snapshot_expiration
[DEFAULT] hp3par_snapshot_retention | [DEFAULT] hpe3par_snapshot_retention
[DEFAULT] hp3par_username | [DEFAULT] hpe3par_username
[DEFAULT] hplefthand_api_url | [DEFAULT] hpelefthand_api_url
[DEFAULT] hplefthand_clustername | [DEFAULT] hpelefthand_clustername
[DEFAULT] hplefthand_debug | [DEFAULT] hpelefthand_debug
[DEFAULT] hplefthand_iscsi_chap_enabled | [DEFAULT] hpelefthand_iscsi_chap_enabled
[DEFAULT] hplefthand_password | [DEFAULT] hpelefthand_password
[DEFAULT] hplefthand_username | [DEFAULT] hpelefthand_username
[DEFAULT] hpxp_async_copy_check_interval | [DEFAULT] hpexp_async_copy_check_interval
[DEFAULT] hpxp_compute_target_ports | [DEFAULT] hpexp_compute_target_ports
[DEFAULT] hpxp_copy_check_interval | [DEFAULT] hpexp_copy_check_interval
[DEFAULT] hpxp_copy_speed | [DEFAULT] hpexp_copy_speed
[DEFAULT] hpxp_default_copy_method | [DEFAULT] hpexp_default_copy_method
[DEFAULT] hpxp_group_request | [DEFAULT] hpexp_group_request
[DEFAULT] hpxp_horcm_add_conf | [DEFAULT] hpexp_horcm_add_conf
[DEFAULT] hpxp_horcm_name_only_discovery | [DEFAULT] hpexp_horcm_name_only_discovery
[DEFAULT] hpxp_horcm_numbers | [DEFAULT] hpexp_horcm_numbers
[DEFAULT] hpxp_horcm_resource_name | [DEFAULT] hpexp_horcm_resource_name
[DEFAULT] hpxp_horcm_user | [DEFAULT] hpexp_horcm_user
[DEFAULT] hpxp_ldev_range | [DEFAULT] hpexp_ldev_range
[DEFAULT] hpxp_pool | [DEFAULT] hpexp_pool
[DEFAULT] hpxp_storage_cli | [DEFAULT] hpexp_storage_cli
[DEFAULT] hpxp_storage_id | [DEFAULT] hpexp_storage_id
[DEFAULT] hpxp_target_ports | [DEFAULT] hpexp_target_ports
[DEFAULT] hpxp_thin_pool | [DEFAULT] hpexp_thin_pool
[DEFAULT] hpxp_zoning_request | [DEFAULT] hpexp_zoning_request
[DEFAULT] osapi_max_request_body_size | [oslo_middleware] max_request_body_size
[DEFAULT] use_syslog | None
[hyperv] force_volumeutils_v1 | None
[profiler] profiler_enabled | [profiler] enabled
[1] Volume extension is executable only when you use TPP as a storage pool.
[2] The configuration file location may differ.
[3] There is no relative precedence or weight among these four labels.
CHAPTER 3. COMPUTE
The OpenStack Compute service is a cloud computing fabric controller, which is the main part of an
IaaS system. You can use OpenStack Compute to host and manage cloud computing systems. This
section describes the OpenStack Compute configuration options.
To configure your Compute installation, you must define configuration options in these files:
nova.conf. Contains most of the Compute configuration options. Resides in the /etc/nova/
directory.
api-paste.ini. Defines Compute limits. Resides in the /etc/nova/ directory.
Related Image service and Identity service management configuration files.
Ephemeral Storage Discrepancy with Ceph
When using Red Hat Ceph as a back end for ephemeral storage, the Compute service does not calculate
the amount of available storage correctly. Specifically, Compute simply adds up the amount of
available storage without factoring in replication. This results in grossly overstated available storage,
which in turn could cause unexpected storage oversubscription.
To determine the correct ephemeral storage capacity, query the Ceph service directly instead. For
more information, see BZ#1236473.
3.1. OVERVIEW OF NOVA.CONF
You can use a particular configuration option file by using the option (nova.conf) parameter when
you run one of the nova-* services. This parameter inserts configuration option definitions from the
specified configuration file name, which might be useful for debugging or performance tuning.
For a list of configuration options, see the tables in this guide.
To learn more about the nova.conf configuration file, review the general purpose configuration
options documented in Table 3.17, “Description of common configuration options”.
IMPORTANT
Do not specify quotes around Nova options.
Sections
Configuration options are grouped by section. The Compute configuration file supports the following
sections:
[DEFAULT]
Contains most configuration options. If the documentation for a configuration option does not
specify its section, assume that it appears in this section.
[baremetal]
Configures the baremetal hypervisor driver.
[cells]
Configures cells functionality. For details, see Section 3.13, “Cells”.
[conductor]
Configures the nova-conductor service.
[database]
Configures the database that Compute uses.
[glance]
Configures how to access the Image service.
[image_file_url]
Configures additional filesystems to access the Image Service.
[keymgr]
Configures the key manager.
[keystone_authtoken]
Configures authorization via Identity service.
[libvirt]
Configures the hypervisor drivers using the Libvirt library: KVM, LXC, Qemu, UML, Xen.
[matchmaker_redis]
Configures a Redis server.
[matchmaker_ring]
Configures a matchmaker ring.
[metrics]
Configures weights for the metrics weighter.
[neutron]
Configures Networking specific options.
[osapi_v3]
Configures the OpenStack Compute API v3.
[rdp]
Configures RDP proxying.
[serial_console]
Configures serial console.
[spice]
Configures virtual consoles using SPICE.
[ssl]
Configures certificate authority using SSL.
[trusted_computing]
Configures the trusted computing pools functionality and how to connect to a remote attestation
service.
[upgrade_levels]
Configures version locking on the RPC (message queue) communications between the various
Compute services to allow live upgrading an OpenStack installation.
[vmware]
Configures the VMware hypervisor driver.
[xenserver]
Configures the XenServer hypervisor driver.
[zookeeper]
Configures the ZooKeeper ServiceGroup driver.
3.2. CONFIGURE LOGGING
You can use the nova.conf file to configure where Compute logs events, the level of logging, and log
formats.
To customize log formats for OpenStack Compute, use the configuration option settings documented
in Table 3.35, “Description of logging configuration options”.
3.3. CONFIGURE AUTHENTICATION AND AUTHORIZATION
There are different methods of authentication for the OpenStack Compute project, including no
authentication. The preferred system is the OpenStack Identity service, code-named Keystone.
To customize authorization settings for Compute, use the configuration options documented in
Table 3.11, “Description of authentication configuration options”.
To customize certificate authority settings for Compute, use the configuration options documented in
Table 3.15, “Description of CA and SSL configuration options”.
To customize Compute and the Identity service to use LDAP as a backend, refer to the configuration
options documented in Table 3.32, “Description of LDAP configuration options”.
3.4. CONFIGURE RESIZE
Resize (or Server resize) is the ability to change the flavor of a server, thus allowing it to upscale or
downscale according to user needs. For this feature to work properly, you might need to configure
some underlying virt layers.
3.4.1. KVM
Resize on KVM is implemented currently by transferring the images between compute nodes over ssh.
For KVM you need hostnames to resolve properly and passwordless ssh access between your compute
hosts. Direct access from one compute host to another is needed to copy the VM file across.
3.5. DATABASE CONFIGURATION
You can configure OpenStack Compute to use any SQLAlchemy-compatible database. The database
name is nova. The nova-conductor service is the only service that writes to the database. The other
Compute services access the database through the nova-conductor service.
To ensure that the database schema is current, run the following command:
# nova-manage db sync
If nova-conductor is not used, entries to the database are mostly written by the nova-scheduler
service, although all services must be able to update entries in the database.
In either case, use the configuration option settings documented in Table 3.22, “Description of
database configuration options” to configure the connection string for the nova database.
3.6. CONFIGURE THE OSLO RPC MESSAGING SYSTEM
OpenStack projects use AMQP, an open standard for messaging middleware, so that OpenStack services
that run on multiple servers can talk to each other. OpenStack Oslo RPC supports two implementations
of AMQP: RabbitMQ and Qpid.
3.6.1. Configure RabbitMQ
OpenStack Oslo RPC uses RabbitMQ by default. Use these options to configure the RabbitMQ
message system. The rpc_backend option is not required as long as RabbitMQ is the default
messaging system. However, if it is included in the configuration, you must set it to rabbit.
rpc_backend=rabbit
You can use these additional options to configure the RabbitMQ messaging system. You can configure
messaging communication for different installation scenarios, tune retries for RabbitMQ, and define
the size of the RPC thread pool. To monitor notifications through RabbitMQ, you must set the
notification_driver option to nova.openstack.common.notifier.rpc_notifier in the
nova.conf file. The default for sending usage data is sixty seconds plus a random number of seconds
from zero to sixty.
Table 3.1. Description of RabbitMQ configuration options
Configuration option = Default value
Description
[oslo_messaging_rabbit]
amqp_auto_delete = False
(BoolOpt) Auto-delete queues in AMQP.
amqp_durable_queues = False
(BoolOpt) Use durable queues in AMQP.
fake_rabbit = False
(BoolOpt) Deprecated, use
rpc_backend=kombu+memory or rpc_backend=fake
heartbeat_rate = 2
(IntOpt) How many times during the
heartbeat_timeout_threshold to check the
heartbeat.
heartbeat_timeout_threshold = 0
(IntOpt) Number of seconds after which the Rabbit
broker is considered down if heartbeat's keep-alive
fails (0 disables the heartbeat, >0 enables it.
Enabling heartbeats requires kombu>=3.0.7 and
amqp>=1.4.0). EXPERIMENTAL
kombu_reconnect_delay = 1.0
(FloatOpt) How long to wait before reconnecting in
response to an AMQP consumer cancel notification.
kombu_ssl_ca_certs =
(StrOpt) SSL certification authority file (valid only if
SSL enabled).
kombu_ssl_certfile =
(StrOpt) SSL cert file (valid only if SSL enabled).
kombu_ssl_keyfile =
(StrOpt) SSL key file (valid only if SSL enabled).
kombu_ssl_version =
(StrOpt) SSL version to use (valid only if SSL
enabled). Valid values are TLSv1 and SSLv23. SSLv2,
SSLv3, TLSv1_1, and TLSv1_2 are also available.
rabbit_ha_queues = False
(BoolOpt) Use HA queues in RabbitMQ (x-ha-policy:
all). If you change this option, you must wipe the
RabbitMQ database.
rabbit_host = localhost
(StrOpt) The RabbitMQ broker address where a
single node is used.
rabbit_hosts = $rabbit_host:$rabbit_port
(ListOpt) RabbitMQ HA cluster host:port pairs.
rabbit_login_method = AMQPLAIN
(StrOpt) The RabbitMQ login method.
rabbit_max_retries = 0
(IntOpt) Maximum number of RabbitMQ connection
retries. Default is 0 (infinite retry count).
rabbit_password = guest
(StrOpt) The RabbitMQ password.
rabbit_port = 5672
(IntOpt) The RabbitMQ broker port where a single
node is used.
rabbit_retry_backoff = 2
(IntOpt) How long to back off between retries
when connecting to RabbitMQ.
rabbit_retry_interval = 1
(IntOpt) How frequently to retry connecting with
RabbitMQ.
rabbit_use_ssl = False
(BoolOpt) Connect over SSL for RabbitMQ.
rabbit_userid = guest
(StrOpt) The RabbitMQ userid.
rabbit_virtual_host = /
(StrOpt) The RabbitMQ virtual host.
rpc_conn_pool_size = 30
(IntOpt) Size of RPC connection pool.
3.6.2. Configure Qpid
Use these options to configure the Qpid messaging system for OpenStack Oslo RPC. Qpid is not the
default messaging system, so you must enable it by setting the rpc_backend option in the
nova.conf file.
rpc_backend=qpid
This critical option points the compute nodes to the Qpid broker (server). Set qpid_hostname to the
host name where the broker runs in the nova.conf file.
NOTE
The --qpid_hostname parameter accepts a host name or IP address value.
qpid_hostname=hostname.example.com
If the Qpid broker listens on a port other than the AMQP default of 5672, you must set the qpid_port
option to that value:
qpid_port=12345
If you configure the Qpid broker to require authentication, you must add a user name and password to
the configuration:
qpid_username=username
qpid_password=password
By default, TCP is used as the transport. To enable SSL, set the qpid_protocol option:
qpid_protocol=ssl
This table lists additional options that you use to configure the Qpid messaging driver for OpenStack
Oslo RPC. These options are used infrequently.
Table 3.2. Description of Qpid configuration options
Configuration option = Default value
Description
[oslo_messaging_qpid]
amqp_auto_delete = False
(BoolOpt) Auto-delete queues in AMQP.
amqp_durable_queues = False
(BoolOpt) Use durable queues in AMQP.
qpid_heartbeat = 60
(IntOpt) Seconds between connection keepalive
heartbeats.
qpid_hostname = localhost
(StrOpt) Qpid broker hostname.
qpid_hosts = $qpid_hostname:$qpid_port
(ListOpt) Qpid HA cluster host:port pairs.
qpid_password =
(StrOpt) Password for Qpid connection.
qpid_port = 5672
(IntOpt) Qpid broker port.
qpid_protocol = tcp
(StrOpt) Transport to use, either 'tcp' or 'ssl'.
qpid_receiver_capacity = 1
(IntOpt) The number of prefetched messages held by
receiver.
qpid_sasl_mechanisms =
(StrOpt) Space separated list of SASL mechanisms
to use for auth.
qpid_tcp_nodelay = True
(BoolOpt) Whether to disable the Nagle algorithm.
qpid_topology_version = 1
(IntOpt) The qpid topology version to use. Version 1
is what was originally used by impl_qpid. Version 2
includes some backwards-incompatible changes
that allow broker federation to work. Users should
update to version 2 when they are able to take
everything down, as it requires a clean break.
qpid_username =
(StrOpt) Username for Qpid connection.
rpc_conn_pool_size = 30
(IntOpt) Size of RPC connection pool.
3.6.3. Configure messaging
Use these options to configure the RabbitMQ and Qpid messaging drivers.
Table 3.3. Description of AMQP configuration options
Configuration option = Default value
Description
[DEFAULT]
control_exchange = openstack
(StrOpt) The default exchange under which topics
are scoped. May be overridden by an exchange name
specified in the transport_url option.
default_publisher_id = None
(StrOpt) Default publisher_id for outgoing
notifications
notification_driver = []
(MultiStrOpt) Driver or drivers to handle sending
notifications.
notification_topics = notifications
(ListOpt) AMQP topic used for OpenStack
notifications.
transport_url = None
(StrOpt) A URL representing the messaging driver to
use and its full configuration. If not set, fall back to
the rpc_backend option and driver specific
configuration.
Table 3.4. Description of RPC configuration options
Configuration option = Default value
Description
[DEFAULT]
matchmaker_heartbeat_freq = 300
(IntOpt) Heartbeat frequency.
matchmaker_heartbeat_ttl = 600
(IntOpt) Heartbeat time-to-live.
rpc_backend = rabbit
(StrOpt) The messaging driver to use, defaults to
rabbit. Other drivers include qpid and zmq.
rpc_cast_timeout = 30
(IntOpt) Seconds to wait before a cast expires (TTL).
Only supported by impl_zmq.
rpc_response_timeout = 60
(IntOpt) Seconds to wait for a response from a call.
rpc_thread_pool_size = 64
(IntOpt) Size of RPC thread pool.
[cells]
rpc_driver_queue_base = cells.intercell
(StrOpt) Base queue name to use when
communicating between cells. Various topics by
message type will be appended to this.
[oslo_concurrency]
disable_process_locking = False
(BoolOpt) Enables or disables inter-process locks.
lock_path = None
(StrOpt) Directory to use for lock files. For security,
the specified directory should only be writable by
the user running the processes that need locking.
Defaults to environment variable
OSLO_LOCK_PATH. If external locks are used, a
lock path must be set.
[oslo_messaging_amqp]
allow_insecure_clients = False
(BoolOpt) Accept clients using either SSL or plain
TCP
broadcast_prefix = broadcast
(StrOpt) address prefix used when broadcasting to
all servers
container_name = None
(StrOpt) Name for the AMQP container
group_request_prefix = unicast
(StrOpt) address prefix when sending to any server
in group
idle_timeout = 0
(IntOpt) Timeout for inactive connections (in
seconds)
server_request_prefix = exclusive
(StrOpt) address prefix used when sending to a
specific server
ssl_ca_file =
(StrOpt) CA certificate PEM file for verifying server
certificate
ssl_cert_file =
(StrOpt) Identifying certificate PEM file to present
to clients
ssl_key_file =
(StrOpt) Private key PEM file used to sign cert_file
certificate
ssl_key_password = None
(StrOpt) Password for decrypting ssl_key_file (if
encrypted)
trace = False
(BoolOpt) Debug: dump AMQP frames to stdout
[upgrade_levels]
baseapi = None
(StrOpt) Set a version cap for messages sent to the
base api in any service
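Several defaults in the messaging tables above are weak from a security standpoint: the guest/guest RabbitMQ account, rabbit_use_ssl = False, qpid_protocol = tcp, and the SSLv2 and SSLv3 values accepted by kombu_ssl_version. The following check is an added example, not code from this guide or from OpenStack; it reads a nova.conf fragment and reports those settings. The function names and the sample file are constructed for illustration, and the missing-CA finding assumes that a broker certificate can only be verified when kombu_ssl_ca_certs is set.

```python
import configparser

# Defaults as listed in the option tables of this section; applied when the
# audited file does not set the option.
DEFAULTS = {
    ("DEFAULT", "rpc_backend"): "rabbit",
    ("oslo_messaging_rabbit", "rabbit_userid"): "guest",
    ("oslo_messaging_rabbit", "rabbit_password"): "guest",
    ("oslo_messaging_rabbit", "rabbit_use_ssl"): "False",
    ("oslo_messaging_rabbit", "kombu_ssl_version"): "",
    ("oslo_messaging_rabbit", "kombu_ssl_ca_certs"): "",
    ("oslo_messaging_qpid", "qpid_protocol"): "tcp",
    ("oslo_messaging_amqp", "allow_insecure_clients"): "False",
    ("oslo_messaging_amqp", "trace"): "False",
}

# Accepted by kombu_ssl_version per Table 3.1, but obsolete protocol versions.
WEAK_SSL_VERSIONS = {"sslv2", "sslv3"}

# Constructed sample input, not taken from a real deployment.
SAMPLE_NOVA_CONF = """
[DEFAULT]
rpc_backend = rabbit

[oslo_messaging_rabbit]
rabbit_host = mq1.example.com
rabbit_userid = guest
rabbit_password = guest
rabbit_use_ssl = True
kombu_ssl_version = SSLv3
kombu_ssl_ca_certs =

[oslo_messaging_amqp]
allow_insecure_clients = True
trace = True
"""


def _load(conf_text):
    # default_section is renamed so [DEFAULT] is read as an ordinary section
    # (no inheritance into other sections); strict=False tolerates repeated
    # keys; interpolation=None keeps "$rabbit_host"-style values literal.
    parser = configparser.ConfigParser(
        default_section="__unused__", strict=False, interpolation=None)
    parser.read_string(conf_text)
    return parser


def _get(parser, section, option):
    if parser.has_option(section, option):
        return parser.get(section, option).strip()
    return DEFAULTS[(section, option)]


def _is_true(value):
    return value.strip().lower() in {"true", "1", "yes", "on"}


def audit_messaging(conf_text):
    """Return a list of (section, option, finding) tuples."""
    p = _load(conf_text)
    findings = []
    backend = _get(p, "DEFAULT", "rpc_backend").lower()

    if backend == "rabbit":
        sec = "oslo_messaging_rabbit"
        if (_get(p, sec, "rabbit_userid") == "guest"
                and _get(p, sec, "rabbit_password") == "guest"):
            findings.append((sec, "rabbit_password",
                             "default guest/guest broker credentials"))
        if not _is_true(_get(p, sec, "rabbit_use_ssl")):
            findings.append((sec, "rabbit_use_ssl",
                             "RPC traffic to the broker is not encrypted"))
        else:
            if _get(p, sec, "kombu_ssl_version").lower() in WEAK_SSL_VERSIONS:
                findings.append((sec, "kombu_ssl_version",
                                 "obsolete SSL protocol version selected"))
            if not _get(p, sec, "kombu_ssl_ca_certs"):
                findings.append((sec, "kombu_ssl_ca_certs",
                                 "no CA file set for verifying the broker"))
    elif backend == "qpid":
        sec = "oslo_messaging_qpid"
        if _get(p, sec, "qpid_protocol").lower() != "ssl":
            findings.append((sec, "qpid_protocol",
                             "RPC traffic to the broker is not encrypted"))

    # [oslo_messaging_amqp] options are flagged whenever they are enabled.
    sec = "oslo_messaging_amqp"
    if _is_true(_get(p, sec, "allow_insecure_clients")):
        findings.append((sec, "allow_insecure_clients",
                         "plain TCP clients are accepted alongside SSL"))
    if _is_true(_get(p, sec, "trace")):
        findings.append((sec, "trace",
                         "AMQP frames are dumped to stdout"))
    return findings


if __name__ == "__main__":
    for section, option, finding in audit_messaging(SAMPLE_NOVA_CONF):
        print("[%s] %s: %s" % (section, option, finding))
```

An empty file is audited against the documented defaults, so it reports the guest account and the unencrypted broker connection.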
3.7. CONFIGURE THE COMPUTE API
The Compute API, run by the nova-api daemon, is the component of OpenStack Compute that
receives and responds to user requests, whether they be direct API calls, or via the CLI tools or
dashboard.
Configure Compute API password handling
The OpenStack Compute API enables users to specify an administrative password when they create or
rebuild a server instance. If the user does not specify a password, a random password is generated and
returned in the API response.
In practice, how the admin password is handled depends on the hypervisor in use and might require
additional configuration of the instance. For example, you might have to install an agent to handle the
password setting. If the hypervisor and instance configuration do not support setting a password at
server create time, the password that is returned by the create API call is misleading because it was
ignored.
To prevent this confusion, use the enable_instance_password configuration option to disable the
return of the admin password for installations that do not support setting instance passwords.
Configure Compute API rate limiting
OpenStack Compute supports API rate limiting for the OpenStack API. The rate limiting allows an
administrator to configure limits on the type and number of API calls that can be made in a specific
time interval.
When API rate limits are exceeded, HTTP requests return an error with a status code of 403 Forbidden.
Rate limiting is not available for the EC2 API.
Define limits
To define limits, set these values:
The HTTP method used in the API call, typically one of GET, PUT, POST, or DELETE.
A human readable URI that is used as a friendly description of where the limit is applied.
A regular expression. The limit is applied to all URIs that match the regular expression and
HTTP method.
A limit value that specifies the maximum count of units before the limit takes effect.
An interval that specifies the time frame to which the limit is applied. The interval can be SECOND,
MINUTE, HOUR, or DAY.
Rate limits are applied in relative order to the HTTP method, going from least to most specific.
Default limits
Normally, you install OpenStack Compute with the following limits enabled:
Table 3.5. Default API rate limits
HTTP method | API URI | API regular expression | Limit
POST | any URI (*) | .* | 120 per minute
POST | /servers | ^/servers | 120 per minute
PUT | any URI (*) | .* | 120 per minute
GET | *changes-since* | .*changes-since.* | 120 per minute
DELETE | any URI (*) | .* | 120 per minute
GET | */os-fping | ^/os-fping | 12 per minute
Configure and change limits
As part of the WSGI pipeline, the /etc/nova/api-paste.ini file defines the actual limits.
To enable limits, include the ratelimit filter in the API pipeline specification. If the ratelimit filter
is removed from the pipeline, limiting is disabled. You must also define the rate limit filter. The lines
appear as follows:
[pipeline:openstack_compute_api_v2]
pipeline = faultwrap authtoken keystonecontext ratelimit osapi_compute_app_v2
[pipeline:openstack_volume_api_v1]
pipeline = faultwrap authtoken keystonecontext ratelimit osapi_volume_app_v1
[filter:ratelimit]
paste.filter_factory = nova.api.openstack.compute.limits:RateLimitingMiddleware.factory
To modify the limits, add a limits specification to the [filter:ratelimit] section of the file.
Specify the limits in this order:
1. HTTP method
2. friendly URI
3. regex
4. limit
5. interval
The following example shows the default rate-limiting values:
[filter:ratelimit]
paste.filter_factory = nova.api.openstack.compute.limits:RateLimitingMiddleware.factory
limits =(POST, "*", .*, 120, MINUTE);(POST, "*/servers", ^/servers, 120, MINUTE);(PUT, "*", .*, 120, MINUTE);(GET, "*changes-since*", .*changes-since.*, 120, MINUTE);(DELETE, "*", .*, 120, MINUTE);(GET, "*/os-fping", ^/os-fping, 12, MINUTE)
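Before deploying a modified limits value, it helps to see which requests it actually covers. The following parser is an added example, not code from this guide or from Compute; it reads a limits string in the five-field order given above, validates each entry, and lists requests that no limit matches. The function names are this example's own, and it assumes that a limit's regular expression is matched from the start of the request path, including any query string.

```python
import re
from collections import namedtuple

Limit = namedtuple("Limit", "method uri regex value interval")
INTERVAL_SECONDS = {"SECOND": 1, "MINUTE": 60, "HOUR": 3600, "DAY": 86400}

# The default limits string from the example above.
DEFAULT_LIMITS = (
    '(POST, "*", .*, 120, MINUTE);'
    '(POST, "*/servers", ^/servers, 120, MINUTE);'
    '(PUT, "*", .*, 120, MINUTE);'
    '(GET, "*changes-since*", .*changes-since.*, 120, MINUTE);'
    '(DELETE, "*", .*, 120, MINUTE);'
    '(GET, "*/os-fping", ^/os-fping, 12, MINUTE)'
)


def parse_limits(spec):
    """Parse '(METHOD, "uri", regex, limit, INTERVAL);...' into Limit tuples."""
    limits = []
    for group in spec.split(";"):
        group = group.strip()
        if not group:
            continue
        if not (group.startswith("(") and group.endswith(")")):
            raise ValueError("limit is not wrapped in parentheses: %r" % group)
        fields = [f.strip() for f in group[1:-1].split(",")]
        if len(fields) != 5:
            # A regex that contains a comma, such as a{1,3}, lands here.
            raise ValueError("expected 5 fields, got %d: %r"
                             % (len(fields), group))
        method, uri, regex, value, interval = fields
        interval = interval.upper()
        if interval not in INTERVAL_SECONDS:
            raise ValueError("unknown interval %r in %r" % (interval, group))
        if not value.isdigit() or int(value) == 0:
            raise ValueError("limit must be a positive integer: %r" % group)
        try:
            re.compile(regex)
        except re.error as exc:
            raise ValueError("bad regular expression %r: %s" % (regex, exc))
        limits.append(Limit(method.upper(), uri.strip('"'), regex,
                            int(value), interval))
    return limits


def matching_limits(limits, method, path):
    """Limits with the same HTTP method whose regex matches the path."""
    method = method.upper()
    return [l for l in limits
            if l.method == method and re.match(l.regex, path)]


def tightest_per_minute(limits, method, path):
    """Lowest requests-per-minute allowance that applies, or None."""
    rates = [l.value * 60.0 / INTERVAL_SECONDS[l.interval]
             for l in matching_limits(limits, method, path)]
    return min(rates) if rates else None


def unthrottled(limits, requests):
    """Return the (method, path) pairs that no configured limit covers."""
    return [(m, p) for m, p in requests if not matching_limits(limits, m, p)]


if __name__ == "__main__":
    limits = parse_limits(DEFAULT_LIMITS)
    # Constructed sample requests.
    sample = [("POST", "/servers"), ("GET", "/servers/detail"),
              ("GET", "/servers?changes-since=2016-01-01"),
              ("GET", "/os-fping"), ("DELETE", "/servers/42")]
    for method, path in sample:
        print(method, path, tightest_per_minute(limits, method, path))
    print("not rate limited:", unthrottled(limits, sample))
```

With the default values, a plain GET such as /servers/detail matches no entry, so an administrator who wants read requests throttled has to add a GET limit explicitly.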
Configuration reference
The Compute API configuration options are documented in Table 3.9, “Description of API configuration
options”.
3.8. CONFIGURE THE EC2 API
You can set options in the nova.conf configuration file to control which network address and port
the EC2 API listens on, the formatting of some API responses, and authentication related options.
To customize these options for OpenStack EC2 API, use the configuration option settings documented
in Table 3.24, “Description of EC2 configuration options”.
3.9. FIBRE CHANNEL SUPPORT IN COMPUTE
Fibre Channel support in OpenStack Compute is remote block storage attached to compute nodes for
VMs.
In the Grizzly release, Fibre Channel supported only the KVM hypervisor.
Compute and Block Storage support Fibre Channel automatic zoning on Brocade and Cisco switches.
On other hardware, Fibre Channel arrays must be pre-zoned or directly attached to the KVM hosts.
3.9.1. KVM host requirements
You must install these packages on the KVM host:
sysfsutils - Nova uses the systool application in this package.
sg3-utils or sg3_utils - Nova uses the sg_scan and sginfo applications.
Installing the multipath-tools package is optional.
3.9.2. Install required packages
Use this command to install the system packages:
# yum install sysfsutils sg3_utils multipath-tools
3.10. ISCSI INTERFACE AND OFFLOAD SUPPORT IN COMPUTE
NOTE
iSCSI interface and offload support is only present since Kilo.
Compute supports open-iscsi iSCSI interfaces for offload cards. Offload hardware must be present and
configured on every compute node where offload is desired. Once an open-iscsi interface is
configured, the iface name (iface.iscsi_ifacename) should be passed to libvirt via the
iscsi_iface parameter for use. All iscsi sessions will be bound to this iSCSI interface.
Currently supported transports (iface.transport_name) are be2iscsi, bnx2i, cxgb3i, cxgb4i, qla4xxx,
and ocs. No configuration changes are needed outside of the Compute node.
iSER is currently supported via the separate iSER LibvirtISERVolumeDriver and will be rejected if used
via the iscsi_iface parameter.
3.10.1. iSCSI iface configuration
Note the distinction between the transport name (iface.transport_name) and iface name
(iface.iscsi_ifacename). The actual iface name must be specified via the iscsi_iface
parameter to libvirt for offload to work.
The default name for an iscsi iface (open-iscsi parameter iface.iscsi_ifacename) is in the
format transport_name.hwaddress when generated by iscsiadm.
iscsiadm can be used to view and generate current iface configuration. Every network
interface that supports an open-iscsi transport can have one or more iscsi ifaces associated
with it. If no ifaces have been configured for a network interface supported by an open-iscsi
transport, this command will create a default iface configuration for that network interface. For
example:
# iscsiadm -m iface
default tcp,<empty>,<empty>,<empty>,<empty>
iser iser,<empty>,<empty>,<empty>,<empty>
bnx2i.00:05:b5:d2:a0:c2 bnx2i,00:05:b5:d2:a0:c2,5.10.10.20,<empty>,<empty>
cxgb4i.00:07:43:28:b2:58 cxgb4i,00:07:43:28:b2:58,102.50.50.80,<empty>,<empty>
qla4xxx.00:c0:dd:08:63:ea qla4xxx,00:c0:dd:08:63:ea,20.15.0.9,<empty>,<empty>
The output is in the format: iface_name transport_name,hwaddress,ipaddress,net_ifacename,initiatorname.
Individual iface configuration can be viewed via:
# iscsiadm -m iface -I IFACE_NAME
# BEGIN RECORD 2.0-873
iface.iscsi_ifacename = cxgb4i.00:07:43:28:b2:58
iface.net_ifacename = <empty>
iface.ipaddress = 102.50.50.80
iface.hwaddress = 00:07:43:28:b2:58
iface.transport_name = cxgb4i
iface.initiatorname = <empty>
# END RECORD
Configuration can be updated as desired via:
# iscsiadm -m iface -I IFACE_NAME --op=update -n iface.SETTING -v VALUE
All iface configurations need a minimum of iface.iface_name, iface.transport_name
and iface.hwaddress to be correctly configured to work. Some transports may require
iface.ipaddress and iface.net_ifacename as well to bind correctly.
Detailed configuration instructions can be found in the Linux* Open-iSCSI README file.
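To pick a value for iscsi_iface, the iscsiadm listing has to be read against the rules in this section: the transport must be one of the supported offload transports, iSER ifaces are rejected, and the hardware address must be set. The following parser is an added example, not code from this guide or from Compute; it applies those rules to the listing shown earlier in this section. The function names are this example's own.

```python
# Offload transports named in this section.
OFFLOAD_TRANSPORTS = {"be2iscsi", "bnx2i", "cxgb3i", "cxgb4i", "qla4xxx", "ocs"}

# Column order of `iscsiadm -m iface` output as described in this section.
FIELDS = ("iface_name", "transport_name", "hwaddress", "ipaddress",
          "net_ifacename", "initiatorname")

# The listing from this section, with wrapped lines rejoined.
SAMPLE_IFACE_LISTING = """\
default tcp,<empty>,<empty>,<empty>,<empty>
iser iser,<empty>,<empty>,<empty>,<empty>
bnx2i.00:05:b5:d2:a0:c2 bnx2i,00:05:b5:d2:a0:c2,5.10.10.20,<empty>,<empty>
cxgb4i.00:07:43:28:b2:58 cxgb4i,00:07:43:28:b2:58,102.50.50.80,<empty>,<empty>
qla4xxx.00:c0:dd:08:63:ea qla4xxx,00:c0:dd:08:63:ea,20.15.0.9,<empty>,<empty>
"""


def parse_iface_listing(text):
    """Turn `iscsiadm -m iface` output into a list of dicts keyed by FIELDS."""
    ifaces = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, rest = line.partition(" ")
        values = [v.strip() for v in rest.split(",")]
        if len(values) != 5:
            raise ValueError("unexpected iface line: %r" % line)
        # "<empty>" marks an unset field in the listing.
        values = [None if v in ("<empty>", "") else v for v in values]
        ifaces.append(dict(zip(FIELDS, [name] + values)))
    return ifaces


def offload_problems(iface):
    """Reasons why this iface should not be passed as iscsi_iface."""
    problems = []
    transport = iface["transport_name"]
    if transport == "iser":
        problems.append("iser is rejected when used via iscsi_iface")
    elif transport not in OFFLOAD_TRANSPORTS:
        problems.append("transport %s is not a supported offload transport"
                        % transport)
    if not iface["hwaddress"]:
        problems.append("iface.hwaddress is not set")
    return problems


def has_default_name(iface):
    """True if the name follows the default transport_name.hwaddress form."""
    expected = "%s.%s" % (iface["transport_name"], iface["hwaddress"])
    return iface["iface_name"] == expected


def iscsi_iface_candidates(text):
    """Names of ifaces that pass every check above."""
    return [i["iface_name"] for i in parse_iface_listing(text)
            if not offload_problems(i)]


if __name__ == "__main__":
    for iface in parse_iface_listing(SAMPLE_IFACE_LISTING):
        problems = offload_problems(iface)
        status = "ok" if not problems else "; ".join(problems)
        print("%-28s %s" % (iface["iface_name"], status))
```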
3.11. HYPERVISORS
Red Hat OpenStack Platform is only supported for use with the libvirt driver (using KVM as the
hypervisor on Compute nodes) or the VMware vCenter hypervisor driver. See the VMware Integration
Guide for more information regarding the configuration of the VMware vCenter driver.
With this release of Red Hat OpenStack Platform, Ironic is now fully supported. Ironic allows you to
provision bare-metal machines using common technologies (such as PXE boot and IPMI) to cover a
wide range of hardware while supporting pluggable drivers to allow the addition of vendor-specific
functionality.
Red Hat does not provide support for other Compute virtualization drivers such as the deprecated
VMware "direct-to-ESX" hypervisor, and non-KVM libvirt hypervisors.
3.11.1. Hypervisor configuration basics
The nova-compute service is installed and operates on the same node that runs all of
the virtual machines. This node is referred to as the compute node in this guide.
By default, the selected hypervisor is KVM. To change to another hypervisor, change the virt_type
option in the [libvirt] section of nova.conf and restart the nova-compute service.
Here are the general nova.conf options that are used to configure the compute node's hypervisor:
Table 3.28, “Description of hypervisor configuration options”.
Specific options for particular hypervisors can be found in the following sections.
3.11.2. KVM
KVM is configured as the default hypervisor for Compute.
NOTE
This document contains several sections about hypervisor selection. If you are reading
this document linearly, you do not want to load the KVM module before you install
nova-compute. The nova-compute service depends on qemu-kvm, which installs
/lib/udev/rules.d/45-qemu-kvm.rules, which sets the correct permissions on
the /dev/kvm device node.
To enable KVM explicitly, add the following configuration options to the /etc/nova/nova.conf file:
compute_driver = libvirt.LibvirtDriver
[libvirt]
virt_type = kvm
The KVM hypervisor supports the following virtual machine image formats:
Raw
QEMU Copy-on-write (qcow2)
QEMU Enhanced Disk (QED)
VMware virtual machine disk format (vmdk)
This section describes how to enable KVM on your system. For more information, see Installing
virtualization packages on an existing Red Hat Enterprise Linux system from the Red Hat Enterprise
Linux Virtualization Host Configuration and Guest Installation Guide.
3.11.2.1. Enable KVM
The following sections outline how to enable KVM based hardware virtualisation on different
architectures and platforms. To perform these steps, you must be logged in as the root user.
3.11.2.1.1. For x86 based systems
1. To determine whether the svm or vmx CPU extensions are present, run this command:
# grep -E 'svm|vmx' /proc/cpuinfo
This command generates output if the CPU is capable of hardware virtualization. Even if output
is shown, you might still need to enable virtualization in the system BIOS for full support.
If no output appears, consult your system documentation to ensure that your CPU and
motherboard support hardware virtualization. Verify that any relevant hardware virtualization
options are enabled in the system BIOS.
The BIOS for each manufacturer is different. If you must enable virtualization in the BIOS, look
for an option containing the words virtualization, VT, VMX, or SVM.
2. To list the loaded kernel modules and verify that the kvm modules are loaded, run this
command:
# lsmod | grep kvm
If the output includes kvm_intel or kvm_amd, the kvm hardware virtualization modules are
loaded and your kernel meets the module requirements for OpenStack Compute.
If the output does not show that the kvm module is loaded, run this command to load it:
# modprobe -a kvm
Run the command for your CPU. For Intel, run this command:
# modprobe -a kvm-intel
For AMD, run this command:
# modprobe -a kvm-amd
Because a KVM installation can change user group membership, you might need to log in again
for changes to take effect.
If the kernel modules do not load automatically, use the procedures listed in these
subsections.
If the checks indicate that required hardware virtualization support or kernel modules are disabled or
unavailable, you must either enable this support on the system or find a system with this support.
NOTE
Some systems require that you enable VT support in the system BIOS. If you believe
your processor supports hardware acceleration but the previous command did not
produce output, reboot your machine, enter the system BIOS, and enable the VT option.
If KVM acceleration is not supported, configure Compute to use a different hypervisor, such as QEMU
or Xen.
These procedures help you load the kernel modules for Intel-based and AMD-based processors if they
do not load automatically during KVM installation.
3.11.2.1.1.1. Intel-based processors
If your compute host is Intel-based, run these commands as root to load the kernel modules:
# modprobe kvm
# modprobe kvm-intel
See Persistent Module Loading in Red Hat Enterprise Linux 6, or Persistent Module Loading in Red Hat
Enterprise Linux 7 respectively, for instructions on how to load the kvm and kvm-intel modules
automatically.
3.11.2.1.1.2. AMD-based processors
If your compute host is AMD-based, run these commands as root to load the kernel modules:
# modprobe kvm
# modprobe kvm-amd
See Persistent Module Loading in Red Hat Enterprise Linux 6, or Persistent Module Loading in Red Hat
Enterprise Linux 7 respectively, for instructions on how to load the kvm and kvm-amd modules
automatically.
3.11.2.1.2. For POWER based systems
KVM as a hypervisor is supported on POWER system's PowerNV platform.
1. To determine if your POWER platform supports KVM based virtualization run the following
command:
# grep PowerNV /proc/cpuinfo
If the previous command generates the following output, then the CPU supports KVM based
virtualization:
platform: PowerNV
If no output is displayed, then your POWER platform does not support KVM based hardware
virtualization.
2. To list the loaded kernel modules and verify that the kvm modules are loaded, run the
following command:
# lsmod | grep kvm
If the output includes kvm_hv, the kvm hardware virtualization modules are loaded and your
kernel meets the module requirements for OpenStack Compute.
If the output does not show that the kvm module is loaded, run the following command to load
it:
# modprobe -a kvm
For PowerNV platform, run the following command:
# modprobe -a kvm-hv
Because a KVM installation can change user group membership, you might need to log in again
for changes to take effect.
3.11.2.2. Specify the CPU model of KVM guests
The Compute service enables you to control the guest CPU model that is exposed to KVM virtual
machines. Use cases include:
To maximize performance of virtual machines by exposing new host CPU features to the guest
To ensure a consistent default CPU across all machines, removing reliance on variable QEMU
defaults
In libvirt, the CPU is specified by providing a base CPU model name (which is a shorthand for a set of
feature flags), a set of additional feature flags, and the topology (sockets/cores/threads). The libvirt
KVM driver provides a number of standard CPU model names. These models are defined in the
/usr/share/libvirt/cpu_map.xml file. Check this file to determine which models are supported
by your local installation.
Two Compute configuration options in the [libvirt] group of nova.conf define which type of CPU
model is exposed to the hypervisor when using KVM: cpu_mode and cpu_model.
The cpu_mode option can take one of the following values: none, host-passthrough, host-model,
and custom.
Host model (default for KVM & QEMU)
If your nova.conf file contains cpu_mode=host-model, libvirt identifies the CPU model in the
/usr/share/libvirt/cpu_map.xml file that most closely matches the host, and requests
additional CPU flags to complete the match. This configuration provides the maximum functionality and
performance and maintains good reliability and compatibility if the guest is migrated to another host
with slightly different host CPUs.
Host pass through
If your nova.conf file contains cpu_mode=host-passthrough, libvirt tells KVM to pass through the
host CPU with no modifications. The difference from host-model is that, instead of only matching feature flags,
every last detail of the host CPU is matched. This gives the best performance, and can be important to
some applications that check low-level CPU details, but it comes at a cost with respect to migration. The
guest can only be migrated to a matching host CPU.
Custom
If your nova.conf file contains cpu_mode=custom, you can explicitly specify one of the supported
named models using the cpu_model configuration option. For example, to configure the KVM guests to
expose Nehalem CPUs, your nova.conf file should contain:
[libvirt]
cpu_mode = custom
cpu_model = Nehalem
None (default for all libvirt-driven hypervisors other than KVM & QEMU)
If your nova.conf file contains cpu_mode=none, libvirt does not specify a CPU model. Instead, the
hypervisor chooses the default model.
3.11.2.3. Guest agent support
Use guest agents to enable optional access between compute nodes and guests through a socket,
using the QMP protocol.
To enable this feature, you must set hw_qemu_guest_agent=yes as a metadata parameter on the
image you want to use to create the guest-agent-capable instances from. You can explicitly disable
the feature by setting hw_qemu_guest_agent=no in the image metadata.
3.11.2.4. KVM performance tweaks
The VHostNet kernel module improves network performance. To load the kernel module, run the
following command as root:
# modprobe vhost_net
3.11.2.5. Troubleshoot KVM
Trying to launch a new virtual machine instance fails with the ERROR state, and the following error
appears in the /var/log/nova/nova-compute.log file:
libvirtError: internal error no supported architecture for os type 'hvm'
This message indicates that the KVM kernel modules were not loaded.
If you cannot start VMs after installation without rebooting, the permissions might not be set correctly.
This can happen if you load the KVM module before you install nova-compute. To check whether the
group is set to kvm, run:
# ls -l /dev/kvm
If it is not set to kvm, run:
# udevadm trigger
3.11.3. QEMU
From the perspective of the Compute service, the QEMU hypervisor is very similar to the KVM
hypervisor. Both are controlled through libvirt, both support the same feature set, and all virtual
machine images that are compatible with KVM are also compatible with QEMU. The main difference is
that QEMU does not support native virtualization. Consequently, QEMU has worse performance than
KVM and is a poor choice for a production deployment.
The typical use cases for QEMU are:
Running on older hardware that lacks virtualization support.
Running the Compute service inside of a virtual machine for development or testing purposes,
where the hypervisor does not support native virtualization for guests.
To enable QEMU, add these settings to nova.conf:
compute_driver = libvirt.LibvirtDriver
[libvirt]
virt_type = qemu
For some operations you may also have to install the guestmount utility:
# yum install libguestfs-tools
The QEMU hypervisor supports the following virtual machine image formats:
Raw
QEMU Copy-on-write (qcow2)
VMware virtual machine disk format (vmdk)
3.12. SCHEDULING
Compute uses the nova-scheduler service to determine how to dispatch compute requests. For
example, the nova-scheduler service determines on which host a VM should launch. In the context
of filters, the term host means a physical node that has a nova-compute service running on it. You can
configure the scheduler through a variety of options.
Compute is configured with the following default scheduler options in the /etc/nova/nova.conf
file:
scheduler_driver_task_period = 60
scheduler_driver = nova.scheduler.filter_scheduler.FilterScheduler
scheduler_available_filters = nova.scheduler.filters.all_filters
scheduler_default_filters = RetryFilter, AvailabilityZoneFilter,
RamFilter, ComputeFilter, ComputeCapabilitiesFilter,
ImagePropertiesFilter, ServerGroupAntiAffinityFilter,
ServerGroupAffinityFilter
By default, the scheduler_driver is configured as a filter scheduler, as described in the next
section. In the default configuration, this scheduler considers hosts that meet all the following criteria:
Have not been attempted for scheduling purposes (RetryFilter).
Are in the requested availability zone (AvailabilityZoneFilter).
Have sufficient RAM available (RamFilter).
Can service the request (ComputeFilter).
Satisfy the extra specs associated with the instance type (ComputeCapabilitiesFilter).
Satisfy any architecture, hypervisor type, or virtual machine mode properties specified on the
instance's image properties (ImagePropertiesFilter).
Are on a different host than other instances of a group (if requested)
(ServerGroupAntiAffinityFilter).
Are in a set of group hosts (if requested) (ServerGroupAffinityFilter).
The scheduler caches its list of available hosts; use the scheduler_driver_task_period option to
specify how often the list is updated.
NOTE
Do not configure service_down_time to be much smaller than
scheduler_driver_task_period; otherwise, hosts appear to be dead while the host
list is being cached.
The scheduler chooses a new host when an instance is migrated.
When evacuating instances from a host, the scheduler service honors the target host defined by the
administrator on the evacuate command. If a target is not defined by the administrator, the scheduler
determines the target host.
3.12.1. Filter scheduler
The filter scheduler (nova.scheduler.filter_scheduler.FilterScheduler) is the default
scheduler for scheduling virtual machine instances. It supports filtering and weighting to make
informed decisions on where a new instance should be created.
3.12.2. Filters
When the filter scheduler receives a request for a resource, it first applies filters to determine which
hosts are eligible for consideration when dispatching a resource. Filters are binary: either a host is
accepted by the filter, or it is rejected. Hosts that are accepted by the filter are then processed by a
different algorithm to decide which hosts to use for that request, described in the Weights section.
The scheduler_available_filters configuration option in nova.conf provides the Compute
service with the list of the filters that are used by the scheduler. The default setting specifies all of the
filters that are included with the Compute service:
scheduler_available_filters = nova.scheduler.filters.all_filters
This configuration option can be specified multiple times. For example, if you implemented your own
custom filter in Python called myfilter.MyFilter and you wanted to use both the built-in filters
and your custom filter, your nova.conf file would contain:
scheduler_available_filters = nova.scheduler.filters.all_filters
scheduler_available_filters = myfilter.MyFilter
The scheduler_default_filters configuration option in nova.conf defines the list of filters that
are applied by the nova-scheduler service. The default filters are:
scheduler_default_filters = RetryFilter, AvailabilityZoneFilter,
RamFilter, ComputeFilter, ComputeCapabilitiesFilter,
ImagePropertiesFilter, ServerGroupAntiAffinityFilter,
ServerGroupAffinityFilter
The following sections describe the available filters.
3.12.2.1. AggregateCoreFilter
Filters host by CPU core numbers with a per-aggregate cpu_allocation_ratio value. If the per-aggregate value is not found, the value falls back to the global setting. If the host is in more than one
aggregate and more than one value is found, the minimum value will be used. For information about
how to use this filter, see Section 3.12.5, “Host aggregates and availability zones” . See also
Section 3.12.2.14, “CoreFilter”.
3.12.2.2. AggregateDiskFilter
Filters host by disk allocation with a per-aggregate disk_allocation_ratio value. If the per-aggregate value is not found, the value falls back to the global setting. If the host is in more than one
aggregate and more than one value is found, the minimum value will be used. For information about
how to use this filter, see Section 3.12.5, “Host aggregates and availability zones” . See also
Section 3.12.2.17, “DiskFilter”.
3.12.2.3. AggregateImagePropertiesIsolation
Matches properties defined in an image's metadata against those of aggregates to determine host
matches:
If a host belongs to an aggregate and the aggregate defines one or more metadata that
matches an image's properties, that host is a candidate to boot the image's instance.
If a host does not belong to any aggregate, it can boot instances from all images.
You can configure the AggregateImagePropertiesIsolation filter by using the following options
in the nova.conf file:
# Considers only keys matching the given namespace (string).
aggregate_image_properties_isolation_namespace = <None>
# Separator used between the namespace and keys (string).
aggregate_image_properties_isolation_separator = .
3.12.2.4. AggregateInstanceExtraSpecsFilter
Matches properties defined in extra specs for an instance type against admin-defined properties on a
host aggregate. Works with specifications that are scoped with
aggregate_instance_extra_specs. For backward compatibility, also works with non-scoped
specifications; this action is highly discouraged because it conflicts with ComputeCapabilitiesFilter
filter when you enable both filters. For information about how to use this filter, see the host aggregates
section.
3.12.2.5. AggregateIoOpsFilter
Filters host by disk allocation with a per-aggregate max_io_ops_per_host value. If the per-aggregate value is not found, the value falls back to the global setting. If the host is in more than one
aggregate and more than one value is found, the minimum value will be used. For information about
how to use this filter, see Section 3.12.5, “Host aggregates and availability zones” . See also
Section 3.12.2.22, “IoOpsFilter”.
3.12.2.6. AggregateMultiTenancyIsolation
Isolates tenants to specific host aggregates. If a host is in an aggregate that has the
filter_tenant_id metadata key, the host creates instances from only that tenant or list of tenants.
A host can be in different aggregates. If a host does not belong to an aggregate with the metadata key,
the host can create instances from all tenants.
3.12.2.7. AggregateNumInstancesFilter
Filters host by number of instances with a per-aggregate max_instances_per_host value. If the
per-aggregate value is not found, the value falls back to the global setting. If the host is in more than
one aggregate and thus more than one value is found, the minimum value will be used. For information
about how to use this filter, see Section 3.12.5, “Host aggregates and availability zones” . See also
Section 3.12.2.25, “NumInstancesFilter”.
3.12.2.8. AggregateRamFilter
Filters host by RAM allocation of instances with a per-aggregate ram_allocation_ratio value. If
the per-aggregate value is not found, the value falls back to the global setting. If the host is in more
than one aggregate and thus more than one value is found, the minimum value will be used. For
information about how to use this filter, see Section 3.12.5, “Host aggregates and availability zones” .
See also Section 3.12.2.27, “RamFilter”.
3.12.2.9. AggregateTypeAffinityFilter
Filters host by per-aggregate instance_type value. For information about how to use this filter, see
Section 3.12.5, “Host aggregates and availability zones” . See also Section 3.12.2.34,
“TypeAffinityFilter”.
3.12.2.10. AllHostsFilter
This is a no-op filter. It does not eliminate any of the available hosts.
3.12.2.11. AvailabilityZoneFilter
Filters hosts by availability zone. You must enable this filter for the scheduler to respect availability
zones in requests.
3.12.2.12. ComputeCapabilitiesFilter
Matches properties defined in extra specs for an instance type against compute capabilities.
If an extra specs key contains a colon (:), anything before the colon is treated as a namespace and
anything after the colon is treated as the key to be matched. If a namespace is present and is not
capabilities, the filter ignores the namespace. For backward compatibility, also treats the extra
specs key as the key to be matched if no namespace is present; this action is highly discouraged
because it conflicts with AggregateInstanceExtraSpecsFilter filter when you enable both filters.
3.12.2.13. ComputeFilter
Passes all hosts that are operational and enabled.
In general, you should always enable this filter.
3.12.2.14. CoreFilter
Only schedules instances on hosts if sufficient CPU cores are available. If this filter is not set, the
scheduler might over-provision a host based on cores. For example, the virtual cores running on an
instance may exceed the physical cores.
You can configure this filter to enable a fixed amount of vCPU overcommitment by using the
cpu_allocation_ratio configuration option in nova.conf. The default setting is:
cpu_allocation_ratio = 16.0
With this setting, if 8 vCPUs are on a node, the scheduler allows instances up to 128 vCPU to be run on
that node.
To disallow vCPU overcommitment set:
cpu_allocation_ratio = 1.0
NOTE
The Compute API always returns the actual number of CPU cores available on a compute
node regardless of the value of the cpu_allocation_ratio configuration key. As a
result changes to the cpu_allocation_ratio are not reflected via the command line
clients or the dashboard. Changes to this configuration key are only taken into account
internally in the scheduler.
3.12.2.15. NUMATopologyFilter
Filters hosts based on the NUMA topology that was specified for the instance through the use of flavor
extra_specs in combination with the image properties, as described in detail in the related nova-spec
document. The filter tries to match the exact NUMA cells of the instance to those of the host. It
considers the standard over-subscription limits for each cell, and provides limits to the compute host
accordingly.
NOTE
If an instance has no topology defined, it is considered for any host. If an instance has a
topology defined, it is considered only for NUMA-capable hosts.
3.12.2.16. DifferentHostFilter
Schedules the instance on a different host from a set of instances. To take advantage of this filter, the
requester must pass a scheduler hint, using different_host as the key and a list of instance UUIDs
as the value. This filter is the opposite of the SameHostFilter. Using the nova command-line tool,
use the --hint flag. For example:
$ nova boot --image cedef40a-ed67-4d10-800e-17455edce175 --flavor 1 \
--hint different_host=a0cf03a5-d921-4877-bb5c-86d26cf818e1 \
--hint different_host=8c19174f-4220-44f0-824a-cd1eeef10287 server-1
With the API, use the os:scheduler_hints key. For example:
{
    "server": {
        "name": "server-1",
        "imageRef": "cedef40a-ed67-4d10-800e-17455edce175",
        "flavorRef": "1"
    },
    "os:scheduler_hints": {
        "different_host": [
            "a0cf03a5-d921-4877-bb5c-86d26cf818e1",
            "8c19174f-4220-44f0-824a-cd1eeef10287"
        ]
    }
}
3.12.2.17. DiskFilter
Only schedules instances on hosts if there is sufficient disk space available for root and ephemeral
storage.
You can configure this filter to enable a fixed amount of disk overcommitment by using the
disk_allocation_ratio configuration option in the nova.conf configuration file. The default
setting disables the possibility of the overcommitment and allows launching a VM only if there is a
sufficient amount of disk space available on a host:
disk_allocation_ratio = 1.0
DiskFilter always considers the value of the disk_available_least property and not the one of the
free_disk_gb property of a hypervisor's statistics:
$ nova hypervisor-stats
+----------------------+-------+
| Property             | Value |
+----------------------+-------+
| count                | 1     |
| current_workload     | 0     |
| disk_available_least | 29    |
| free_disk_gb         | 35    |
| free_ram_mb          | 3441  |
| local_gb             | 35    |
| local_gb_used        | 0     |
| memory_mb            | 3953  |
| memory_mb_used       | 512   |
| running_vms          | 0     |
| vcpus                | 2     |
| vcpus_used           | 0     |
+----------------------+-------+
As the command output above shows, the amount of available disk space can be less
than the amount of free disk space. This happens because the disk_available_least property
accounts for the virtual size rather than the actual size of images. If you use an image format that is
sparse or copy on write so that each virtual instance does not require a 1:1 allocation of a virtual disk to
physical storage, it may be useful to allow the overcommitment of disk space.
To enable scheduling instances while overcommitting disk resources on the node, adjust the value of
the disk_allocation_ratio configuration option to greater than 1.0:
disk_allocation_ratio > 1.0
NOTE
If the value is set to greater than 1, keep track of the free disk space, because free disk space approaching 0
can cause instances that are using the disk at that moment to malfunction.
3.12.2.18. GroupAffinityFilter
NOTE
This filter is deprecated in favor of ServerGroupAffinityFilter.
The GroupAffinityFilter ensures that an instance is scheduled on to a host from a set of group hosts. To
take advantage of this filter, the requester must pass a scheduler hint, using group as the key and an
arbitrary name as the value. Using the nova command-line tool, use the --hint flag. For example:
$ nova boot --image IMAGE_ID --flavor 1 --hint group=GROUP server-1
This filter should not be enabled at the same time as GroupAntiAffinityFilter or neither filter will work
properly.
3.12.2.19. GroupAntiAffinityFilter
NOTE
This filter is deprecated in favor of ServerGroupAntiAffinityFilter.
The GroupAntiAffinityFilter ensures that each instance in a group is on a different host. To take
advantage of this filter, the requester must pass a scheduler hint, using group as the key and an
arbitrary name as the value. Using the nova command-line tool, use the --hint flag. For example:
$ nova boot --image IMAGE_ID --flavor 1 --hint group=GROUP server-1
This filter should not be enabled at the same time as GroupAffinityFilter or neither filter will work
properly.
3.12.2.20. ImagePropertiesFilter
Filters hosts based on properties defined on the instance's image. It passes hosts that can support the
specified image properties contained in the instance. Properties include the architecture, hypervisor
type, hypervisor version (for Xen hypervisor type only), and virtual machine mode.
For example, an instance might require a host that runs an ARM-based processor, and QEMU as the
hypervisor. You can decorate an image with these properties by using:
$ glance image-update img-uuid --property architecture=arm \
--property hypervisor_type=qemu
The image properties that the filter checks for are:
architecture: describes the machine architecture required by the image. Examples are
i686, x86_64, arm, and ppc64.
hypervisor_type: describes the hypervisor required by the image. Examples are xen, qemu,
and xenapi.
NOTE
qemu is used for both QEMU and KVM hypervisor types.
hypervisor_version_requires: describes the hypervisor version required by the image.
The property is supported for Xen hypervisor type only. It can be used to enable support for
multiple hypervisor versions, and to prevent instances with newer Xen tools from being
provisioned on an older version of a hypervisor. If available, the property value is compared to
the hypervisor version of the compute host.
To filter the hosts by the hypervisor version, add the hypervisor_version_requires
property on the image as metadata and pass an operator and a required hypervisor version as
its value:
$ glance image-update img-uuid --property hypervisor_type=xen \
--property hypervisor_version_requires=">=4.3"
vm_mode: describes the hypervisor application binary interface (ABI) required by the image.
Examples are xen for Xen 3.0 paravirtual ABI, hvm for native ABI, uml for User Mode Linux
paravirtual ABI, exe for container virt executable ABI.
3.12.2.21. IsolatedHostsFilter
Allows the admin to define a special (isolated) set of images and a special (isolated) set of hosts, such
that the isolated images can only run on the isolated hosts, and the isolated hosts can only run isolated
images. The flag restrict_isolated_hosts_to_isolated_images can be used to force isolated
hosts to only run isolated images.
The admin must specify the isolated set of images and hosts in the nova.conf file using the
isolated_hosts and isolated_images configuration options. For example:
isolated_hosts = server1, server2
isolated_images = 342b492c-128f-4a42-8d3a-c5088cf27d13, ebd267a6-ca86-4d6c-9a0e-bd132d6b7d09
3.12.2.22. IoOpsFilter
The IoOpsFilter filters hosts by concurrent I/O operations on it. Hosts with too many concurrent I/O
operations will be filtered out. The max_io_ops_per_host option specifies the maximum number of
I/O intensive instances allowed to run on a host. A host will be ignored by the scheduler if more than
max_io_ops_per_host instances in build, resize, snapshot, migrate, rescue or unshelve task states
are running on it.
3.12.2.23. JsonFilter
The JsonFilter allows a user to construct a custom filter by passing a scheduler hint in JSON format.
The following operators are supported:
=
<
>
in
<=
>=
not
or
and
The filter supports the following variables:
$free_ram_mb
$free_disk_mb
$total_usable_ram_mb
$vcpus_total
$vcpus_used
Using the nova command-line tool, use the --hint flag:
$ nova boot --image 827d564a-e636-4fc4-a376-d36f7ebe1747 --flavor 1 \
--hint query='[">=","$free_ram_mb",1024]' server1
With the API, use the os:scheduler_hints key:
{
    "server": {
        "name": "server-1",
        "imageRef": "cedef40a-ed67-4d10-800e-17455edce175",
        "flavorRef": "1"
    },
    "os:scheduler_hints": {
        "query": "[\">=\", \"$free_ram_mb\", 1024]"
    }
}
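How a query hint of this shape can be evaluated against one host's state, as an added sketch that is not nova's own JsonFilter code. The operators and variables are the ones listed above; the function names, the two-argument rule for comparisons, the reject-on-error behaviour and the sample host values are assumptions of this example.

```python
import json
import operator

# Variables the page lists for JsonFilter queries (without the leading "$").
ALLOWED_VARS = frozenset({"free_ram_mb", "free_disk_mb", "total_usable_ram_mb",
                          "vcpus_total", "vcpus_used"})

# Comparison operators from the page's list, mapped to Python equivalents.
COMPARE = {"=": operator.eq, "<": operator.lt, ">": operator.gt,
           "<=": operator.le, ">=": operator.ge}

# Constructed host state for the demonstration (not from the page).
SAMPLE_HOST = {"free_ram_mb": 2048, "free_disk_mb": 10240,
               "total_usable_ram_mb": 4096, "vcpus_total": 8, "vcpus_used": 6}


class QueryError(ValueError):
    """A hint that is not a well-formed query over the allowed variables."""


def resolve(term, host):
    """Map "$name" to the host's value; accept number and string literals."""
    if isinstance(term, str) and term.startswith("$"):
        name = term[1:]
        if name not in ALLOWED_VARS or name not in host:
            raise QueryError("unknown variable: " + term)
        return host[name]
    if isinstance(term, bool) or not isinstance(term, (int, float, str)):
        raise QueryError("unsupported literal: %r" % (term,))
    return term


def evaluate(node, host):
    """Evaluate one [operator, argument, ...] list to True or False."""
    if not isinstance(node, list) or not node or not isinstance(node[0], str):
        raise QueryError("expected [operator, argument, ...]")
    op, args = node[0], node[1:]
    if op in COMPARE:
        if len(args) != 2:  # assumption: comparisons are binary here
            raise QueryError(op + " takes exactly two arguments")
        return COMPARE[op](resolve(args[0], host), resolve(args[1], host))
    if op == "in":
        if len(args) < 2:
            raise QueryError("in needs a value and at least one candidate")
        return resolve(args[0], host) in [resolve(a, host) for a in args[1:]]
    if op == "not":
        if len(args) != 1:
            raise QueryError("not takes exactly one sub-query")
        return not evaluate(args[0], host)
    if op in ("and", "or"):
        if not args:
            raise QueryError(op + " needs at least one sub-query")
        results = [evaluate(a, host) for a in args]
        return all(results) if op == "and" else any(results)
    raise QueryError("unknown operator: " + op)


def host_passes(hint, host):
    """Decode the hint string as JSON and evaluate it; bad hints reject."""
    try:
        return bool(evaluate(json.loads(hint), host))
    except (ValueError, TypeError):
        # Invalid JSON, unknown operator or variable, or mismatched types.
        return False


if __name__ == "__main__":
    for hint in ('[">=","$free_ram_mb",1024]',
                 '["and",[">=","$free_ram_mb",1024],["<","$vcpus_used",4]]',
                 '[">=","$hostname",1]'):
        print(hint, "->", host_passes(hint, SAMPLE_HOST))
```

The hint value is a JSON document carried inside a string, so the operator and the variable name must be quoted inside it.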
3.12.2.24. MetricsFilter
Filters hosts based on metrics weight_setting. Only hosts with the available metrics are passed so
that the metrics weigher will not fail due to these hosts.
3.12.2.25. NumInstancesFilter
Hosts that have more instances running than specified by the max_instances_per_host option are
filtered out when this filter is in place.
3.12.2.26. PciPassthroughFilter
The filter schedules instances on a host if the host has devices that meet the device requests in the
extra_specs attribute for the flavor.
3.12.2.27. RamFilter
Only schedules instances on hosts that have sufficient RAM available. If this filter is not set, the
scheduler may over provision a host based on RAM (for example, the RAM allocated by virtual machine
instances may exceed the physical RAM).
You can configure this filter to enable a fixed amount of RAM overcommitment by using the
ram_allocation_ratio configuration option in nova.conf. The default setting is:
ram_allocation_ratio = 1.5
This setting enables 1.5 GB instances to run on any compute node with 1 GB of free RAM.

WARNING
Overcommitting is not an ideal solution for all memory issues. Rather, the
recommended methods to deal with memory shortage are to allocate less memory
per guest, add more physical memory to the host, or utilize swap space. If you
decide to leave memory overcommitment enabled, ensure sufficient testing is
performed. Contact Red Hat's support services for assistance with
overcommitting.
To disable RAM overcommitment, set ram_allocation_ratio to 1.0.
3.12.2.28. RetryFilter
Filters out hosts that have already been attempted for scheduling purposes. If the scheduler selects a
host to respond to a service request, and the host fails to respond to the request, this filter prevents
the scheduler from retrying that host for the service request.
This filter is only useful if the scheduler_max_attempts configuration option is set to a value
greater than zero.
3.12.2.29. SameHostFilter
Schedules the instance on the same host as another instance in a set of instances. To take advantage
of this filter, the requester must pass a scheduler hint, using same_host as the key and a list of
instance UUIDs as the value. This filter is the opposite of the DifferentHostFilter. Using the nova
command-line tool, use the --hint flag:
$ nova boot --image cedef40a-ed67-4d10-800e-17455edce175 --flavor 1 \
--hint same_host=a0cf03a5-d921-4877-bb5c-86d26cf818e1 \
--hint same_host=8c19174f-4220-44f0-824a-cd1eeef10287 server-1
With the API, use the os:scheduler_hints key:
{
    "server": {
        "name": "server-1",
        "imageRef": "cedef40a-ed67-4d10-800e-17455edce175",
        "flavorRef": "1"
    },
    "os:scheduler_hints": {
        "same_host": [
            "a0cf03a5-d921-4877-bb5c-86d26cf818e1",
            "8c19174f-4220-44f0-824a-cd1eeef10287"
        ]
    }
}
3.12.2.30. ServerGroupAffinityFilter
The ServerGroupAffinityFilter ensures that an instance is scheduled on to a host from a set of group
hosts. To take advantage of this filter, the requester must create a server group with an affinity
policy, and pass a scheduler hint, using group as the key and the server group UUID as the value.
Using the nova command-line tool, use the --hint flag. For example:
$ nova server-group-create --policy affinity group-1
$ nova boot --image IMAGE_ID --flavor 1 --hint group=SERVER_GROUP_UUID \
server-1
3.12.2.31. ServerGroupAntiAffinityFilter
The ServerGroupAntiAffinityFilter ensures that each instance in a group is on a different host. To take
advantage of this filter, the requester must create a server group with an anti-affinity policy, and
pass a scheduler hint, using group as the key and the server group UUID as the value. Using the nova
command-line tool, use the --hint flag. For example:
$ nova server-group-create --policy anti-affinity group-1
$ nova boot --image IMAGE_ID --flavor 1 --hint group=SERVER_GROUP_UUID \
server-1
3.12.2.32. SimpleCIDRAffinityFilter
Schedules the instance based on host IP subnet range. To take advantage of this filter, the requester
must specify a range of valid IP addresses in CIDR format, by passing two scheduler hints:
build_near_host_ip
The first IP address in the subnet (for example, 192.168.1.1)
cidr
The CIDR that corresponds to the subnet (for example, /24)
Using the nova command-line tool, use the --hint flag. For example, to specify the IP subnet
192.168.1.1/24:
$ nova boot --image cedef40a-ed67-4d10-800e-17455edce175 --flavor 1 \
--hint build_near_host_ip=192.168.1.1 --hint cidr=/24 server-1
With the API, use the os:scheduler_hints key:
{
    "server": {
        "name": "server-1",
        "imageRef": "cedef40a-ed67-4d10-800e-17455edce175",
        "flavorRef": "1"
    },
    "os:scheduler_hints": {
        "build_near_host_ip": "192.168.1.1",
        "cidr": "/24"
    }
}
3.12.2.33. TrustedFilter
Filters hosts based on their trust. Only passes hosts that meet the trust requirements specified in the
instance properties.
3.12.2.34. TypeAffinityFilter
Dynamically limits hosts to one instance type. An instance can only be launched on a host if no
instances of a different instance type are running on it, or if the host has no running instances at all.
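Several of the filter sections above state constraints on how filters may be combined. The following added example (not part of the original reference and not Red Hat or nova tooling) checks a nova.conf against them. The function names, finding codes and sample configuration are assumptions of this example, as are the service_down_time fallback of 60 and the rule that any value below scheduler_driver_task_period counts as "much smaller".

```python
import configparser

# Constructed nova.conf fragment (not from the page) that combines several
# settings the filter sections above warn about.
SAMPLE_CONF = """\
[DEFAULT]
scheduler_driver_task_period = 60
service_down_time = 20
scheduler_max_attempts = 0
scheduler_default_filters = RetryFilter, RamFilter,
    ComputeCapabilitiesFilter, AggregateInstanceExtraSpecsFilter,
    GroupAffinityFilter, GroupAntiAffinityFilter
"""

# Default filter list quoted from the page.
DEFAULT_FILTERS = ("RetryFilter, AvailabilityZoneFilter, RamFilter, "
                   "ComputeFilter, ComputeCapabilitiesFilter, "
                   "ImagePropertiesFilter, ServerGroupAntiAffinityFilter, "
                   "ServerGroupAffinityFilter")

# Deprecated filters and the replacements the page names for them.
DEPRECATED = {"GroupAffinityFilter": "ServerGroupAffinityFilter",
              "GroupAntiAffinityFilter": "ServerGroupAntiAffinityFilter"}


def load_defaults(conf_text):
    """Return the [DEFAULT] options of a nova.conf given as text."""
    # strict=False tolerates options that are legitimately repeated, such as
    # scheduler_available_filters; interpolation is off so "%" stays literal.
    parser = configparser.ConfigParser(strict=False, interpolation=None)
    parser.read_string(conf_text)
    return parser.defaults()


def enabled_filters(opts):
    """Split scheduler_default_filters, including continuation lines."""
    raw = opts.get("scheduler_default_filters", DEFAULT_FILTERS)
    return [name.strip() for name in raw.replace("\n", " ").split(",")
            if name.strip()]


def lint_scheduler(conf_text):
    """Return (code, message) findings for the scheduler settings."""
    opts = load_defaults(conf_text)
    on = set(enabled_filters(opts))
    findings = []

    def flag(code, message):
        findings.append((code, message))

    if "ComputeFilter" not in on:
        flag("no-compute-filter", "hosts that are down or disabled still pass")
    if "AvailabilityZoneFilter" not in on:
        flag("no-az-filter", "requested availability zones are not respected")
    if {"GroupAffinityFilter", "GroupAntiAffinityFilter"} <= on:
        flag("group-filters-conflict", "enabled together, neither works")
    for old in sorted(on & set(DEPRECATED)):
        flag("deprecated-filter", "%s: use %s" % (old, DEPRECATED[old]))
    if {"ComputeCapabilitiesFilter", "AggregateInstanceExtraSpecsFilter"} <= on:
        flag("extra-specs-scope", "non-scoped extra specs match both filters")
    # RetryFilter only helps when scheduler_max_attempts is above zero.
    attempts = opts.get("scheduler_max_attempts")
    if "RetryFilter" in on and attempts is not None and int(attempts) <= 0:
        flag("retry-filter-inert", "scheduler_max_attempts is not above zero")
    # "Much smaller" is not quantified on the page; this example flags any
    # service_down_time below the task period. Both fall back to 60 here
    # (the 60 for service_down_time is an assumption of this example).
    period = int(opts.get("scheduler_driver_task_period", 60))
    down = int(opts.get("service_down_time", 60))
    if down < period:
        flag("service-down-time", "hosts may look dead between cache updates")
    return findings


if __name__ == "__main__":
    for code, message in lint_scheduler(SAMPLE_CONF):
        print("%-22s %s" % (code, message))
```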
3.12.3. Weights
When resourcing instances, the filter scheduler filters and weights each host in the list of acceptable
hosts. Each time the scheduler selects a host, it virtually consumes resources on it, and subsequent
selections are adjusted accordingly. This process is useful when the customer requests a large number of
identical instances, because weight is computed for each requested instance.
All weights are normalized before being summed up; the host with the largest weight is given the
highest priority.
If cells are used, cells are weighted by the scheduler in the same manner as hosts.
Hosts and cells are weighted based on the following options in the /etc/nova/nova.conf file:
Table 3.6. Host weighting options
| Section | Option | Description |
|---|---|---|
| [DEFAULT] | ram_weight_multiplier | By default, the scheduler spreads instances across all hosts evenly. Set the ram_weight_multiplier option to a negative number if you prefer stacking instead of spreading. Use a floating-point value. |
| [DEFAULT] | scheduler_host_subset_size | New instances are scheduled on a host that is chosen randomly from a subset of the N best hosts. This property defines the subset size from which a host is chosen. A value of 1 chooses the first host returned by the weighting functions. This value must be at least 1. A value less than 1 is ignored, and 1 is used instead. Use an integer value. |
| [DEFAULT] | scheduler_weight_classes | Defaults to nova.scheduler.weights.all_weighers, which selects the RamWeigher and MetricsWeigher. Hosts are then weighted and sorted with the largest weight winning. |
| [metrics] | weight_multiplier | Multiplier for weighting metrics. Use a floating-point value. |
| [metrics] | weight_setting | Determines how metrics are weighted. Use a comma-separated list of metricName=ratio. For example: "name1=1.0, name2=-1.0" results in: name1.value * 1.0 + name2.value * -1.0 |
| [metrics] | required | Specifies how to treat unavailable metrics. True: Raises an exception. To avoid the raised exception, you should use the scheduler filter MetricFilter to filter out hosts with unavailable metrics. False: Treated as a negative factor in the weighting process (uses the weight_of_unavailable option). |
| [metrics] | weight_of_unavailable | If required is set to False, and any one of the metrics set by weight_setting is unavailable, the weight_of_unavailable value is returned to the scheduler. |
For example:
[DEFAULT]
scheduler_host_subset_size = 1
scheduler_weight_classes = nova.scheduler.weights.all_weighers
ram_weight_multiplier = 1.0
[metrics]
weight_multiplier = 1.0
weight_setting = name1=1.0, name2=-1.0
required = false
weight_of_unavailable = -10000.0
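A simplified model of the weighting step configured above, added here as an illustration and not taken from the Compute source. It assumes each weigher's raw values are min-max normalized to [0, 1] before the multipliers are applied; the host names, RAM figures and metric values are constructed.

```python
import random

# Values from the nova.conf example above.
CONF = {
    "scheduler_host_subset_size": 1,
    "ram_weight_multiplier": 1.0,
    "weight_multiplier": 1.0,
    "weight_setting": "name1=1.0, name2=-1.0",
    "required": False,
    "weight_of_unavailable": -10000.0,
}

# Constructed hosts; node3 does not report metric name2.
HOSTS = [
    {"name": "node1", "free_ram_mb": 4096, "metrics": {"name1": 10.0, "name2": 2.0}},
    {"name": "node2", "free_ram_mb": 16384, "metrics": {"name1": 5.0, "name2": 5.0}},
    {"name": "node3", "free_ram_mb": 8192, "metrics": {"name1": 20.0}},
]


def parse_weight_setting(setting):
    """Turn 'name1=1.0, name2=-1.0' into {'name1': 1.0, 'name2': -1.0}."""
    ratios = {}
    for item in setting.split(","):
        name, sep, ratio = item.strip().partition("=")
        if not sep or not name:
            raise ValueError("expected metricName=ratio, got %r" % item)
        ratios[name] = float(ratio)
    return ratios


def metrics_weight(host, ratios, required, weight_of_unavailable):
    """Raw metrics weight: sum of value * ratio, or the fallback if a metric is missing."""
    total = 0.0
    for name, ratio in ratios.items():
        if name not in host["metrics"]:
            if required:
                raise LookupError("%s has no metric %s" % (host["name"], name))
            return weight_of_unavailable
        total += host["metrics"][name] * ratio
    return total


def normalize(values):
    """Assumed min-max scaling to [0, 1]; identical inputs all map to 0."""
    low, high = min(values), max(values)
    if high == low:
        return [0.0] * len(values)
    return [(v - low) / (high - low) for v in values]


def rank_hosts(hosts, conf):
    """Return [(total_weight, host_name)] sorted with the largest weight first."""
    ratios = parse_weight_setting(conf["weight_setting"])
    ram = normalize([h["free_ram_mb"] for h in hosts])
    metrics = normalize([
        metrics_weight(h, ratios, conf["required"], conf["weight_of_unavailable"])
        for h in hosts
    ])
    totals = [
        (conf["ram_weight_multiplier"] * r + conf["weight_multiplier"] * m, h["name"])
        for h, r, m in zip(hosts, ram, metrics)
    ]
    return sorted(totals, key=lambda pair: pair[0], reverse=True)


def pick_host(ranked, subset_size, rng=random):
    """Choose randomly among the N best hosts; values below 1 are treated as 1."""
    return rng.choice(ranked[:max(1, subset_size)])[1]


if __name__ == "__main__":
    for weight, name in rank_hosts(HOSTS, CONF):
        print("%-6s %.4f" % (name, weight))
    print("selected:", pick_host(rank_hosts(HOSTS, CONF), CONF["scheduler_host_subset_size"]))
```

Setting ram_weight_multiplier to -1.0 in CONF moves node1, the host with the least free RAM, to the top of the ranking, which is the stacking behaviour the table describes.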
Table 3.7. Cell weighting options
| Section | Option | Description |
|---|---|---|
| [cells] | mute_weight_multiplier | Multiplier to weight mute children (hosts which have not sent capacity or capacity updates for some time). Use a negative, floating-point value. |
| [cells] | mute_weight_value (deprecated) | Weight value assigned to mute children. Use a positive, floating-point value with a maximum of '1.0'. This option is deprecated, use mute_weight_multiplier instead. |
| [cells] | offset_weight_multiplier | Multiplier to weight cells, so you can specify a preferred cell. Use a floating-point value. |
| [cells] | ram_weight_multiplier | By default, the scheduler spreads instances across all cells evenly. Set the ram_weight_multiplier option to a negative number if you prefer stacking instead of spreading. Use a floating-point value. |
| [cells] | scheduler_weight_classes | Defaults to nova.cells.weights.all_weighers, which maps to all cell weighers included with Compute. Cells are then weighted and sorted with the largest weight winning. |
For example:
[cells]
scheduler_weight_classes = nova.cells.weights.all_weighers
mute_weight_multiplier = -10.0
ram_weight_multiplier = 1.0
offset_weight_multiplier = 1.0
3.12.4. Chance scheduler
As an administrator, you work with the filter scheduler. However, the Compute service also uses the
Chance Scheduler, nova.scheduler.chance.ChanceScheduler, which randomly selects from lists
of filtered hosts.
3.12.5. Host aggregates and availability zones
Host aggregates are a mechanism for partitioning hosts in an OpenStack cloud, or a region of an
OpenStack cloud, based on arbitrary characteristics. For example, an administrator may want to group
hosts that have additional hardware or performance characteristics.
Host aggregates are not explicitly exposed to users. Instead administrators map flavors to host
aggregates. Administrators do this by setting metadata on a host aggregate, and matching flavor extra
specifications. The scheduler then endeavors to match user requests for instances of the given flavor to
a host aggregate with the same key-value pair in its metadata. Compute nodes can be in more than
one host aggregate.
Administrators are able to optionally expose a host aggregate as an availability zone. Availability zones
are different from host aggregates in that they are explicitly exposed to the user, and hosts can only
be in a single availability zone. Administrators can configure a default availability zone where instances
will be scheduled when the user fails to specify one.
Command-line interface
The nova command-line tool supports the following aggregate-related commands.
nova aggregate-list
Print a list of all aggregates.
nova aggregate-create <name> [availability-zone]
Create a new aggregate named <name>, and optionally in availability zone [availability-zone] if
specified. The command returns the ID of the newly created aggregate. Hosts can be made available
to multiple host aggregates. Be careful when adding a host to an additional host aggregate when the
host is also in an availability zone. Pay attention when using the aggregate-set-metadata and
aggregate-update commands to avoid user confusion when they boot instances in different
availability zones. An error occurs if you cannot add a particular host to an aggregate zone for
which it is not intended.
nova aggregate-delete <id>
Delete an aggregate with id <id>.
nova aggregate-details <id>
Show details of the aggregate with id <id>.
nova aggregate-add-host <id> <host>
Add host with name <host> to aggregate with id <id>.
nova aggregate-remove-host <id> <host>
Remove the host with name <host> from the aggregate with id <id>.
nova aggregate-set-metadata <id> <key=value> [<key=value> ...]
Add or update metadata (key-value pairs) associated with the aggregate with id <id>.
nova aggregate-update <id> <name> [<availability_zone>]
Update the name and availability zone (optional) for the aggregate.
nova host-list
List all hosts by service.
nova host-update --maintenance [enable | disable]
Put/resume host into/from maintenance.
NOTE
Only administrators can access these commands. If you try to use these commands and
the user name and tenant that you use to access the Compute service do not have the
admin role or the appropriate privileges, these errors occur:
ERROR: Policy does not allow compute_extension:aggregates to be performed. (HTTP 403) (Request-ID: req-299fbff6-6729-4cef-93b2e7e1f96b4864)
ERROR: Policy does not allow compute_extension:hosts to be performed. (HTTP 403) (Request-ID: req-ef2400f6-6776-4ea3-b6f17704085c27d1)
Configure scheduler to support host aggregates
One common use case for host aggregates is when you want to support scheduling instances to a
subset of compute hosts because they have a specific capability. For example, you may want to allow
users to request compute hosts that have SSD drives if they need access to faster disk I/O, or access
to compute hosts that have GPU cards to take advantage of GPU-accelerated code.
To configure the scheduler to support host aggregates, the scheduler_default_filters
configuration option must contain the AggregateInstanceExtraSpecsFilter in addition to the
other filters used by the scheduler. Add the following line to /etc/nova/nova.conf on the host that
runs the nova-scheduler service to enable host aggregates filtering, as well as the other filters that
are typically enabled:
scheduler_default_filters=AggregateInstanceExtraSpecsFilter,RetryFilter,AvailabilityZoneFilter,RamFilter,ComputeFilter,ComputeCapabilitiesFilter,ImagePropertiesFilter,ServerGroupAntiAffinityFilter,ServerGroupAffinityFilter
Example: Specify compute hosts with SSDs
This example configures the Compute service to enable users to request nodes that have solid-state
drives (SSDs). You create a fast-io host aggregate in the nova availability zone and you add the
ssd=true key-value pair to the aggregate. Then, you add the node1 and node2 compute nodes to it.
$ nova aggregate-create fast-io nova
+----+---------+-------------------+-------+----------+
| Id | Name    | Availability Zone | Hosts | Metadata |
+----+---------+-------------------+-------+----------+
| 1  | fast-io | nova              |       |          |
+----+---------+-------------------+-------+----------+
$ nova aggregate-set-metadata 1 ssd=true
+----+---------+-------------------+-------+-------------------+
| Id | Name    | Availability Zone | Hosts | Metadata          |
+----+---------+-------------------+-------+-------------------+
| 1  | fast-io | nova              | []    | {u'ssd': u'true'} |
+----+---------+-------------------+-------+-------------------+
$ nova aggregate-add-host 1 node1
+----+---------+-------------------+------------+-------------------+
| Id | Name    | Availability Zone | Hosts      | Metadata          |
+----+---------+-------------------+------------+-------------------+
| 1  | fast-io | nova              | [u'node1'] | {u'ssd': u'true'} |
+----+---------+-------------------+------------+-------------------+
$ nova aggregate-add-host 1 node2
+----+---------+-------------------+----------------------+-------------------+
| Id | Name    | Availability Zone | Hosts                | Metadata          |
+----+---------+-------------------+----------------------+-------------------+
| 1  | fast-io | nova              | [u'node1', u'node2'] | {u'ssd': u'true'} |
+----+---------+-------------------+----------------------+-------------------+
Use the nova flavor-create command to create a flavor called ssd.large with an ID of 6, 8 GB of
RAM, 80 GB root disk, and four vCPUs.
$ nova flavor-create ssd.large 6 8192 80 4
+----+-----------+-----------+------+-----------+------+-------+-------------+-----------+
| ID | Name      | Memory_MB | Disk | Ephemeral | Swap | VCPUs | RXTX_Factor | Is_Public |
+----+-----------+-----------+------+-----------+------+-------+-------------+-----------+
| 6  | ssd.large | 8192      | 80   | 0         |      | 4     | 1.0         | True      |
+----+-----------+-----------+------+-----------+------+-------+-------------+-----------+
Once the flavor is created, specify one or more key-value pairs that match the key-value pairs on the
host aggregates with scope aggregate_instance_extra_specs. In this case, that is the
aggregate_instance_extra_specs:ssd=true key-value pair. Setting a key-value pair on a flavor is done
using the nova flavor-key command.
$ nova flavor-key ssd.large set aggregate_instance_extra_specs:ssd=true
Once it is set, you should see the extra_specs property of the ssd.large flavor populated with a
key of ssd and a corresponding value of true.
$ nova flavor-show ssd.large
+----------------------------+--------------------------------------------------+
| Property                   | Value                                            |
+----------------------------+--------------------------------------------------+
| OS-FLV-DISABLED:disabled   | False                                            |
| OS-FLV-EXT-DATA:ephemeral  | 0                                                |
| disk                       | 80                                               |
| extra_specs                | {u'aggregate_instance_extra_specs:ssd': u'true'} |
| id                         | 6                                                |
| name                       | ssd.large                                        |
| os-flavor-access:is_public | True                                             |
| ram                        | 8192                                             |
| rxtx_factor                | 1.0                                              |
| swap                       |                                                  |
| vcpus                      | 4                                                |
+----------------------------+--------------------------------------------------+
Now, when a user requests an instance with the ssd.large flavor, the scheduler only considers hosts
with the ssd=true key-value pair. In this example, these are node1 and node2.
NOTE
The key and value are case sensitive strings. The Compute scheduler performs a case
sensitive string match of the value.
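The matching rule from this example, as an added sketch that is not the Compute service's own filter code: it models aggregate metadata and flavor extra specs as plain dictionaries, compares strings exactly as the note above describes, and reports flavor keys that fail only because of letter case. The gpu-pool aggregate, node3, node4 and the mistyped flavor value are constructed, and treating keys outside the aggregate_instance_extra_specs scope as ignored is an assumption of the sketch.

```python
SCOPE = "aggregate_instance_extra_specs"

# fast-io is the aggregate built in the example above; gpu-pool is constructed.
AGGREGATES = [
    {"name": "fast-io", "hosts": ["node1", "node2"], "metadata": {"ssd": "true"}},
    {"name": "gpu-pool", "hosts": ["node2", "node3"], "metadata": {"gpu": "true"}},
]
ALL_HOSTS = ["node1", "node2", "node3", "node4"]  # node4 is in no aggregate


def scoped_specs(extra_specs):
    """Keep only keys in the aggregate scope, with the scope prefix removed.

    Assumption of this sketch: keys outside that scope are ignored.
    """
    wanted = {}
    for key, value in extra_specs.items():
        scope, sep, name = key.partition(":")
        if sep and scope == SCOPE:
            wanted[name] = value
    return wanted


def host_metadata(aggregates):
    """Merge metadata per host; a host can belong to more than one aggregate."""
    merged = {}
    for aggregate in aggregates:
        for host in aggregate["hosts"]:
            per_host = merged.setdefault(host, {})
            for key, value in aggregate["metadata"].items():
                per_host.setdefault(key, set()).add(value)
    return merged


def hosts_for_flavor(extra_specs, aggregates, all_hosts):
    """Hosts whose aggregate metadata satisfies every scoped flavor key exactly."""
    wanted = scoped_specs(extra_specs)
    merged = host_metadata(aggregates)
    return [
        host for host in all_hosts
        if all(value in merged.get(host, {}).get(key, ())
               for key, value in wanted.items())
    ]


def case_mismatches(extra_specs, aggregates):
    """Flavor pairs that match an aggregate only when letter case is ignored."""
    problems = []
    for key, value in scoped_specs(extra_specs).items():
        for aggregate in aggregates:
            for meta_key, meta_value in aggregate["metadata"].items():
                exact = (key, value) == (meta_key, meta_value)
                folded = (key.lower(), value.lower()) == (
                    meta_key.lower(), meta_value.lower())
                if folded and not exact:
                    problems.append((aggregate["name"],
                                     "%s=%s" % (key, value),
                                     "%s=%s" % (meta_key, meta_value)))
    return problems


if __name__ == "__main__":
    ssd_large = {SCOPE + ":ssd": "true"}
    mistyped = {SCOPE + ":ssd": "True"}  # constructed typo
    print(hosts_for_flavor(ssd_large, AGGREGATES, ALL_HOSTS))
    print(hosts_for_flavor(mistyped, AGGREGATES, ALL_HOSTS))
    print(case_mismatches(mistyped, AGGREGATES))
```

A flavor whose value differs only in case matches no host, so running case_mismatches over flavors after changing aggregate metadata surfaces the typo before users hit scheduling failures.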
XenServer hypervisor pools to support live migration
When using the XenAPI-based hypervisor, the Compute service uses host aggregates to manage
XenServer Resource pools, which are used in supporting live migration.
3.12.6. Configuration reference
To customize the Compute scheduler, use the configuration option settings documented in Table 3.48,
“Description of scheduler configuration options”.
3.13. CELLS
Cells functionality enables you to scale an OpenStack Compute cloud in a more distributed fashion
without having to use complicated technologies like database and message queue clustering. It
supports very large deployments.
When this functionality is enabled, the hosts in an OpenStack Compute cloud are partitioned into
groups called cells. Cells are configured as a tree. The top-level cell should have a host that runs a
nova-api service, but no nova-compute services. Each child cell should run all of the typical nova-*
services in a regular Compute cloud except for nova-api. You can think of cells as a normal Compute
deployment in that each cell has its own database server and message queue broker.
The nova-cells service handles communication between cells and selects cells for new instances.
This service is required for every cell. Communication between cells is pluggable, and currently the
only option is communication through RPC.
Cells scheduling is separate from host scheduling. nova-cells first picks a cell. Once a cell is selected
and the new build request reaches its nova-cells service, it is sent over to the host scheduler in that
cell and the build proceeds as it would have without cells.

WARNING
Cell functionality is currently considered experimental.
3.13.1. Cell configuration options
Cells are disabled by default. All cell-related configuration options appear in the [cells] section in
nova.conf. The following cell-related options are currently supported:
enable
Set to True to turn on cell functionality. Default is false.
name
Name of the current cell. Must be unique for each cell.
capabilities
List of arbitrary key=value pairs defining capabilities of the current cell. Values include
hypervisor=xenserver;kvm,os=linux.
call_timeout
How long in seconds to wait for replies from calls between cells.
scheduler_filter_classes
Filter classes that the cells scheduler should use. By default, uses
"nova.cells.filters.all_filters" to map to all cells filters included with Compute.
scheduler_weight_classes
Weight classes that the scheduler for cells uses. By default, uses
nova.cells.weights.all_weighers to map to all cells weight algorithms included with
Compute.
ram_weight_multiplier
Multiplier used to weight RAM. Negative numbers indicate that Compute should stack VMs on one
host instead of spreading out new VMs to more hosts in the cell. The default value is 10.0.
3.13.2. Configure the API (top-level) cell
The cell type must be changed in the API cell so that requests can be proxied through nova-cells down
to the correct cell properly. Edit the nova.conf file in the API cell, and specify api in the cell_type
key:
[DEFAULT]
compute_api_class=nova.compute.cells_api.ComputeCellsAPI
...
[cells]
cell_type = api
3.13.3. Configure the child cells
Edit the nova.conf file in the child cells, and specify compute in the cell_type key:
[DEFAULT]
# Disable quota checking in child cells. Let API cell do it exclusively.
quota_driver=nova.quota.NoopQuotaDriver
[cells]
cell_type = compute
3.13.4. Configure the database in each cell
Before bringing the services online, the database in each cell needs to be configured with information
about related cells. In particular, the API cell needs to know about its immediate children, and the child
cells must know about their immediate agents. The information needed is the RabbitMQ server
credentials for the particular cell.
Use the nova-manage cell create command to add this information to the database in each cell:
# nova-manage cell create -h
Options:
  -h, --help            show this help message and exit
  --name=<name>         Name for the new cell
  --cell_type=<parent|child>
                        Whether the cell is a parent or child
  --username=<username>
                        Username for the message broker in this cell
  --password=<password>
                        Password for the message broker in this cell
  --hostname=<hostname>
                        Address of the message broker in this cell
  --port=<number>       Port number of the message broker in this cell
  --virtual_host=<virtual_host>
                        The virtual host of the message broker in this cell
  --woffset=<float>     (weight offset) It might be used by some cell
                        scheduling code in the future
  --wscale=<float>      (weight scale) It might be used by some cell
                        scheduling code in the future
As an example, assume an API cell named api and a child cell named cell1.
Within the api cell, specify the following RabbitMQ server information:
rabbit_host=10.0.0.10
rabbit_port=5672
rabbit_username=api_user
rabbit_password=api_passwd
rabbit_virtual_host=api_vhost
Within the cell1 child cell, specify the following RabbitMQ server information:
rabbit_host=10.0.1.10
rabbit_port=5673
rabbit_username=cell1_user
rabbit_password=cell1_passwd
rabbit_virtual_host=cell1_vhost
You can run this in the API cell as root:
# nova-manage cell create --name cell1 --cell_type child --username cell1_user --password cell1_passwd --hostname 10.0.1.10 --port 5673 --virtual_host cell1_vhost --woffset 1.0 --wscale 1.0
Repeat the previous steps for all child cells.
In the child cell, run the following, as root:
# nova-manage cell create --name api --cell_type parent --username api_user --password api_passwd --hostname 10.0.0.10 --port 5672 --virtual_host api_vhost --woffset 1.0 --wscale 1.0
To customize the Compute cells, use the configuration option settings documented in Table 3.16,
“Description of cell configuration options”.
3.13.5. Cell scheduling configuration
To determine the best cell to use to launch a new instance, Compute uses a set of filters and weights
defined in the /etc/nova/nova.conf file. The following options are available to prioritize cells for
scheduling:
scheduler_filter_classes
List of filter classes. By default nova.cells.filters.all_filters is specified, which maps to
all cells filters included with Compute (see Section 3.12.2, “Filters”).
scheduler_weight_classes
List of weight classes. By default nova.cells.weights.all_weighers is specified, which maps
to all cell weight algorithms included with Compute. The following modules are available:
mute_child. Downgrades the likelihood that child cells which have not sent capacity or capability
updates in a while are chosen for scheduling requests. Options include
mute_weight_multiplier (multiplier for mute children; value should be negative) and
mute_weight_value (assigned to mute children; should be a positive value).

WARNING
The mute_weight_value is deprecated, use
mute_weight_multiplier instead.
ram_by_instance_type. Select cells with the most RAM capacity for the instance type
being requested. Because higher weights win, Compute returns the number of available
units for the instance type requested. The ram_weight_multiplier option defaults to
10.0, which scales the weight by a factor of 10. Use a negative number to stack VMs on one
host instead of spreading out new VMs to more hosts in the cell.
weight_offset. Allows modifying the database to weight a particular cell. You can use
this when you want to disable a cell (for example, '0'), or to set a default cell by making its
weight_offset very high (for example, '999999999999999'). The cell with the highest weight is the
first to be scheduled for launching an instance.
Additionally, the following options are available for the cell scheduler:
scheduler_retries
Specifies how many times the scheduler tries to launch a new instance when no cells are available
(default=10).
scheduler_retry_delay
Specifies the delay (in seconds) between retries (default=2).
As an admin user, you can also add a filter that directs builds to a particular cell. The policy.json file
must have a line with "cells_scheduler_filter:TargetCellFilter" : "is_admin:True" to
let an admin user specify a scheduler hint to direct a build to a particular cell.
3.13.6. Optional cell configuration
Cells store all inter-cell communication data, including user names and passwords, in the database.
Because the cells data is not updated very frequently, use the [cells]cells_config option to
specify a JSON file to store cells data. With this configuration, the database is no longer consulted
when reloading the cells data. The file must have columns present in the Cell model (excluding common
database fields and the id column). You must specify the queue connection information through a
transport_url field, instead of username, password, and so on. The transport_url has the
following form:
rabbit://USERNAME:PASSWORD@HOSTNAME:PORT/VIRTUAL_HOST
The scheme can be either qpid or rabbit, as shown previously. The following sample shows this
optional configuration:
{
    "parent": {
        "name": "parent",
        "api_url": "http://api.example.com:8774",
        "transport_url": "rabbit://rabbit.example.com",
        "weight_offset": 0.0,
        "weight_scale": 1.0,
        "is_parent": true
    },
    "cell1": {
        "name": "cell1",
        "api_url": "http://api.example.com:8774",
        "transport_url": "rabbit://rabbit1.example.com",
        "weight_offset": 0.0,
        "weight_scale": 1.0,
        "is_parent": false
    },
    "cell2": {
        "name": "cell2",
        "api_url": "http://api.example.com:8774",
        "transport_url": "rabbit://rabbit2.example.com",
        "weight_offset": 0.0,
        "weight_scale": 1.0,
        "is_parent": false
    }
}
3.14. CONDUCTOR
The nova-conductor service enables OpenStack to function without compute nodes accessing the
database. Conceptually, it implements a new layer on top of nova-compute. It should not be deployed
on compute nodes, or else the security benefits of removing database access from nova-compute are
negated. Just like other nova services such as nova-api or nova-scheduler, it can be scaled
horizontally. You can run multiple instances of nova-conductor on different machines as needed for
scaling purposes.
The methods exposed by nova-conductor are relatively simple methods used by nova-compute to
offload its database operations. Places where nova-compute previously performed database access
are now talking to nova-conductor. However, there are plans in the medium to long term to move
more and more of what is currently in nova-compute up to the nova-conductor layer. The Compute
service will start to look like a less intelligent slave service to nova-conductor. The conductor
service will implement long running complex operations, ensuring forward progress and graceful error
handling. This will be especially beneficial for operations that cross multiple compute nodes, such as
migrations or resizes.
To customize the Conductor, use the configuration option settings documented in Table 3.19,
“Description of conductor configuration options”.
3.15. EXAMPLE NOVA.CONF CONFIGURATION FILES
The following sections describe the configuration options in the nova.conf file. You must copy the
nova.conf file to each compute node. The sample nova.conf files show examples of specific
configurations.
Small, private cloud
This example nova.conf file configures a small private cloud with cloud controller services, database
server, and messaging server on the same server. In this case, CONTROLLER_IP represents the IP
address of a central server, BRIDGE_INTERFACE represents the bridge such as br100, the
NETWORK_INTERFACE represents an interface to your VLAN setup, and passwords are represented
as DB_PASSWORD_COMPUTE for your Compute (nova) database password, and RABBIT PASSWORD
represents the password to your message queue installation.
[DEFAULT]
# LOGS/STATE
verbose=True
logdir=/var/log/nova
state_path=/var/lib/nova
lock_path=/var/lock/nova
rootwrap_config=/etc/nova/rootwrap.conf
# SCHEDULER
compute_scheduler_driver=nova.scheduler.filter_scheduler.FilterScheduler
# VOLUMES
# configured in cinder.conf
# COMPUTE
compute_driver=libvirt.LibvirtDriver
instance_name_template=instance-%08x
api_paste_config=/etc/nova/api-paste.ini
# COMPUTE/APIS: if you have separate configs for separate services
# this flag is required for both nova-api and nova-compute
allow_resize_to_same_host=True
# APIS
osapi_compute_extension=nova.api.openstack.compute.contrib.standard_extensions
ec2_dmz_host=192.168.206.130
s3_host=192.168.206.130
# RABBITMQ
rabbit_host=192.168.206.130
# GLANCE
image_service=nova.image.glance.GlanceImageService
# NETWORK
network_manager=nova.network.manager.FlatDHCPManager
force_dhcp_release=True
dhcpbridge_flagfile=/etc/nova/nova.conf
firewall_driver=nova.virt.libvirt.firewall.IptablesFirewallDriver
# Change my_ip to match each host
my_ip=192.168.206.130
public_interface=eth0
vlan_interface=eth0
flat_network_bridge=br100
flat_interface=eth0
# NOVNC CONSOLE
novncproxy_base_url=http://192.168.206.130:6080/vnc_auto.html
# Change vncserver_proxyclient_address and vncserver_listen to match each compute host
vncserver_proxyclient_address=192.168.206.130
vncserver_listen=192.168.206.130
# AUTHENTICATION
auth_strategy=keystone
[keystone_authtoken]
auth_host = 127.0.0.1
auth_port = 35357
auth_protocol = http
admin_tenant_name = service
admin_user = nova
admin_password = nova
signing_dirname = /tmp/keystone-signing-nova
# GLANCE
[glance]
api_servers=192.168.206.130:9292
# DATABASE
[database]
connection=mysql://nova:yourpassword@192.168.206.130/nova
# LIBVIRT
[libvirt]
virt_type=qemu
KVM, Flat, MySQL, and Glance, OpenStack or EC2 API
This example nova.conf file, from an internal Rackspace test system, is used for demonstrations.
[DEFAULT]
# LOGS/STATE
verbose=True
logdir=/var/log/nova
state_path=/var/lib/nova
lock_path=/var/lock/nova
rootwrap_config=/etc/nova/rootwrap.conf
# SCHEDULER
compute_scheduler_driver=nova.scheduler.filter_scheduler.FilterScheduler
# VOLUMES
# configured in cinder.conf
# COMPUTE
compute_driver=libvirt.LibvirtDriver
instance_name_template=instance-%08x
api_paste_config=/etc/nova/api-paste.ini
# COMPUTE/APIS: if you have separate configs for separate services
# this flag is required for both nova-api and nova-compute
allow_resize_to_same_host=True
# APIS
osapi_compute_extension=nova.api.openstack.compute.contrib.standard_extensions
ec2_dmz_host=192.168.206.130
s3_host=192.168.206.130
# RABBITMQ
rabbit_host=192.168.206.130
# GLANCE
image_service=nova.image.glance.GlanceImageService
# NETWORK
network_manager=nova.network.manager.FlatDHCPManager
force_dhcp_release=True
dhcpbridge_flagfile=/etc/nova/nova.conf
firewall_driver=nova.virt.libvirt.firewall.IptablesFirewallDriver
# Change my_ip to match each host
my_ip=192.168.206.130
public_interface=eth0
vlan_interface=eth0
flat_network_bridge=br100
flat_interface=eth0
# NOVNC CONSOLE
novncproxy_base_url=http://192.168.206.130:6080/vnc_auto.html
# Change vncserver_proxyclient_address and vncserver_listen to match each compute host
vncserver_proxyclient_address=192.168.206.130
vncserver_listen=192.168.206.130
# AUTHENTICATION
auth_strategy=keystone
[keystone_authtoken]
auth_host = 127.0.0.1
auth_port = 35357
auth_protocol = http
admin_tenant_name = service
admin_user = nova
admin_password = nova
signing_dirname = /tmp/keystone-signing-nova
# GLANCE
[glance]
api_servers=192.168.206.130:9292
# DATABASE
[database]
connection=mysql://nova:yourpassword@192.168.206.130/nova
# LIBVIRT
[libvirt]
virt_type=qemu
XenServer, Flat networking, MySQL, and Glance, OpenStack API
This example nova.conf file is from an internal Rackspace test system.
verbose
nodaemon
network_manager=nova.network.manager.FlatManager
image_service=nova.image.glance.GlanceImageService
flat_network_bridge=xenbr0
compute_driver=xenapi.XenAPIDriver
xenapi_connection_url=https://<XenServer IP>
xenapi_connection_username=root
xenapi_connection_password=supersecret
xenapi_image_upload_handler=nova.virt.xenapi.image.glance.GlanceStore
rescue_timeout=86400
use_ipv6=true
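A review check for files derived from the samples above, added here as an example and not part of the Red Hat or OpenStack tooling: it parses a nova.conf and flags demonstration values that should not reach a deployed host. The SAMPLE text reuses values shown in the sample files, the HARDENED text is constructed (its host name, path and passwords are placeholders), and the list of placeholder passwords is an assumption of this example.

```python
import configparser
from urllib.parse import urlsplit

# Constructed input that reuses values from the sample files above.
SAMPLE = """\
[DEFAULT]
instance_name_template=instance-%08x
novncproxy_base_url=http://192.168.206.130:6080/vnc_auto.html
auth_strategy=keystone
[keystone_authtoken]
auth_protocol = http
admin_user = nova
admin_password = nova
signing_dirname = /tmp/keystone-signing-nova
[database]
connection=mysql://nova:yourpassword@192.168.206.130/nova
"""

# Constructed counterpart; host name, path and passwords are placeholders.
HARDENED = """\
[DEFAULT]
novncproxy_base_url=https://console.example.com:6080/vnc_auto.html
auth_strategy=keystone
[keystone_authtoken]
auth_protocol = https
admin_user = nova
admin_password = PLACEHOLDER_UNIQUE_SECRET
signing_dirname = /var/lib/nova/keystone-signing
[database]
connection=mysql://nova:PLACEHOLDER_DB_SECRET@192.168.206.130/nova
"""

WORLD_WRITABLE = ("/tmp/", "/var/tmp/", "/dev/shm/")
# Assumed list of documentation-style passwords; extend it for your environment.
PLACEHOLDER_PASSWORDS = {"yourpassword", "password", "changeme", "supersecret"}


def audit_nova_conf(text):
    """Return a sorted list of (section, option, finding) for risky values."""
    # RawConfigParser keeps '%' literal, which values such as instance-%08x need.
    conf = configparser.RawConfigParser(strict=False)
    conf.read_string(text)
    findings = []

    def get(section, option):
        return conf.get(section, option, fallback=None)

    def flag(section, option, finding):
        findings.append((section, option, finding))

    if get("DEFAULT", "auth_strategy") in ("noauth", "noauth2"):
        flag("DEFAULT", "auth_strategy", "no credential checking, testing only")
    if (get("DEFAULT", "use_forwarded_for") or "").lower() == "true":
        flag("DEFAULT", "use_forwarded_for", "needs a sanitizing proxy in front")
    console = get("DEFAULT", "novncproxy_base_url")
    if console and urlsplit(console).scheme == "http":
        flag("DEFAULT", "novncproxy_base_url", "console URL uses plain HTTP")

    auth = "keystone_authtoken"
    if get(auth, "auth_protocol") == "http":
        flag(auth, "auth_protocol", "Identity service traffic is not encrypted")
    user, password = get(auth, "admin_user"), get(auth, "admin_password")
    if password and (password == user or password.lower() in PLACEHOLDER_PASSWORDS):
        flag(auth, "admin_password", "equals the account name or a sample value")
    signing = get(auth, "signing_dirname")
    if signing and signing.startswith(WORLD_WRITABLE):
        flag(auth, "signing_dirname", "lives under a world-writable directory")

    database = get("database", "connection")
    if database and (urlsplit(database).password or "").lower() in PLACEHOLDER_PASSWORDS:
        flag("database", "connection", "sample database password left in place")
    return sorted(findings)


if __name__ == "__main__":
    for section, option, finding in audit_nova_conf(SAMPLE):
        print("[%s] %s: %s" % (section, option, finding))
```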
3.16. COMPUTE LOG FILES
The corresponding log file of each Compute service is stored in the /var/log/nova/ directory of the
host on which each service runs.
Table 3.8. Log files used by Compute services
| Log file | Service name |
|---|---|
| api.log | openstack-nova-api |
| cert.log [a] | openstack-nova-cert |
| compute.log | openstack-nova-compute |
| conductor.log | openstack-nova-conductor |
| consoleauth.log | openstack-nova-consoleauth |
| network.log [b] | openstack-nova-network |
| nova-manage.log | nova-manage |
| scheduler.log | openstack-nova-scheduler |

[a] The X509 certificate service (openstack-nova-cert/nova-cert) is only required by the EC2 API to the
Compute service.
[b] The nova network service (openstack-nova-network/nova-network) only runs in deployments that
are not configured to use the Networking service (neutron).
3.17. COMPUTE SAMPLE CONFIGURATION FILES
3.17.1. nova.conf - configuration options
For a complete list of all available configuration options for each OpenStack Compute service, run
nova-<servicename> --help.
Table 3.9. Description of API configuration options
Configuration option = Default value
Description
[DEFAULT]
api_paste_config = api-paste.ini
(StrOpt) File name for the paste.deploy config for
nova-api
api_rate_limit = False
(BoolOpt) Whether to use per-user rate limiting for
the api. This option is only used by v2 api. Rate
limiting is removed from v3 api.
client_socket_timeout = 900
(IntOpt) Timeout for client connections' socket
operations. If an incoming connection is idle for this
number of seconds it will be closed. A value of '0'
means wait forever.
enable_new_services = True
(BoolOpt) Services to be added to the available pool
on create
enabled_apis = ec2, osapi_compute, metadata
(ListOpt) A list of APIs to enable by default
enabled_ssl_apis =
(ListOpt) A list of APIs with enabled SSL
instance_name_template = instance-%08x
(StrOpt) Template string to be used to generate
instance names
max_header_line = 16384
(IntOpt) Maximum line size of message headers to
be accepted. max_header_line may need to be
increased when using large tokens (typically those
generated by the Keystone v3 API with big service
catalogs).
multi_instance_display_name_template
(StrOpt) When creating multiple instances with a
single request using the os-multiple-create API
extension, this template will be used to build the
display name for each instance. The benefit is that
the instances end up with different hostnames. To
restore legacy behavior of every instance having the
same name, set this option to "%(name)s". Valid keys
for the template are: name, uuid, count.
= %(name)s-%(count)d
non_inheritable_image_properties =
cache_in_nova, bittorrent
286
(ListOpt) These are image properties which a
snapshot should not inherit from an instance
CHAPTER 3. COMPUTE
Configuration option = Default value
Description
null_kernel = nokernel
(StrOpt) Kernel image that indicates not to use a
kernel, but to use a raw disk image instead
osapi_compute_ext_list =
(ListOpt) Specify list of extensions to load when
using osapi_compute_extension option with
nova.api.openstack.compute.contrib.select_extensio
ns
osapi_compute_extension =
(MultiStrOpt) osapi compute extension to load
['nova.api.openstack.compute.contrib.standard_extensio
ns']
osapi_compute_link_prefix = None
(StrOpt) Base URL that will be presented to users in
links to the OpenStack Compute API
osapi_compute_listen = 0.0.0.0
(StrOpt) The IP address on which the OpenStack
API will listen.
osapi_compute_listen_port = 8774
(IntOpt) The port on which the OpenStack API will
listen.
osapi_compute_workers = None
(IntOpt) Number of workers for OpenStack API
service. The default will be the number of CPUs
available.
osapi_hide_server_address_states = building
(ListOpt) List of instance states that should hide
network info
servicegroup_driver = db
(StrOpt) The driver for servicegroup service (valid
options are: db, zk, mc)
snapshot_name_template = snapshot-%s
(StrOpt) Template string to be used to generate
snapshot names
tcp_keepidle = 600
(IntOpt) Sets the value of TCP_KEEPIDLE in seconds
for each server socket. Not supported on OS X.
use_forwarded_for = False
(BoolOpt) Treat X-Forwarded-For as the canonical
remote address. Only enable this if you have a
sanitizing proxy.
wsgi_default_pool_size = 1000
(IntOpt) Size of the pool of greenthreads used by
wsgi
wsgi_keep_alive = True
(BoolOpt) If False, closes the client socket
connection explicitly.
wsgi_log_format = %(client_ip)s "%(request_line)s" status: %(status_code)s len: %(body_length)s time: %(wall_seconds).7f
(StrOpt) A python format string that is used as the
template to generate log lines. The following values
can be formatted into it: client_ip, date_time,
request_line, status_code, body_length,
wall_seconds.
Table 3.10. Description of API v3 configuration options
Configuration option = Default value
Description
[osapi_v3]
enabled = False
(BoolOpt) Whether the V3 API is enabled or not
extensions_blacklist =
(ListOpt) A list of v3 API extensions to never load.
Specify the extension aliases here.
extensions_whitelist =
(ListOpt) If the list is not empty then a v3 API
extension will only be loaded if it exists in this list.
Specify the extension aliases here.
Table 3.11. Description of authentication configuration options
Configuration option = Default value
Description
[DEFAULT]
auth_strategy = keystone
(StrOpt) The strategy to use for auth: keystone,
noauth (deprecated), or noauth2. Both noauth and
noauth2 are designed for testing only, as they do no
actual credential checking. noauth provides
administrative credentials regardless of the passed
in user, noauth2 only does if 'admin' is specified as
the username.
Table 3.12. Description of authorization token configuration options
Configuration option = Default value
Description
[keystone_authtoken]
admin_password = None
(StrOpt) Service user password.
admin_tenant_name = admin
(StrOpt) Service tenant name.
admin_token = None
(StrOpt) This option is deprecated and may be
removed in a future release. Single shared secret
with the Keystone configuration used for
bootstrapping a Keystone installation, or otherwise
bypassing the normal authentication process. This
option should not be used, use `admin_user` and
`admin_password` instead.
admin_user = None
(StrOpt) Service username.
auth_admin_prefix =
(StrOpt) Prefix to prepend at the beginning of the
path. Deprecated, use identity_uri.
auth_host = 127.0.0.1
(StrOpt) Host providing the admin Identity API
endpoint. Deprecated, use identity_uri.
auth_plugin = None
(StrOpt) Name of the plugin to load
auth_port = 35357
(IntOpt) Port of the admin Identity API endpoint.
Deprecated, use identity_uri.
auth_protocol = https
(StrOpt) Protocol of the admin Identity API endpoint
(http or https). Deprecated, use identity_uri.
auth_section = None
(StrOpt) Config Section from which to load plugin
specific options
auth_uri = None
(StrOpt) Complete public Identity API endpoint.
auth_version = None
(StrOpt) API version of the admin Identity API
endpoint.
cache = None
(StrOpt) Env key for the swift cache.
cafile = None
(StrOpt) A PEM encoded Certificate Authority to use
when verifying HTTPS connections. Defaults to
system CAs.
certfile = None
(StrOpt) Required if identity server requires client
certificate
check_revocations_for_cached = False
(BoolOpt) If true, the revocation list will be checked
for cached tokens. This requires that PKI tokens are
configured on the identity server.
delay_auth_decision = False
(BoolOpt) Do not handle authorization requests
within the middleware, but delegate the
authorization decision to downstream WSGI
components.
enforce_token_bind = permissive
(StrOpt) Used to control the use and type of token
binding. Can be set to: "disabled" to not check token
binding. "permissive" (default) to validate binding
information if the bind type is of a form known to the
server and ignore it if not. "strict" like "permissive"
but if the bind type is unknown the token will be
rejected. "required" any form of token binding is
needed to be allowed. Finally the name of a binding
method that must be present in tokens.
hash_algorithms = md5
(ListOpt) Hash algorithms to use for hashing PKI
tokens. This may be a single algorithm or multiple.
The algorithms are those supported by Python
standard hashlib.new(). The hashes will be tried in
the order given, so put the preferred one first for
performance. The result of the first hash will be
stored in the cache. This will typically be set to
multiple values only while migrating from a less
secure algorithm to a more secure one. Once all the
old tokens are expired this option should be set to a
single value for better performance.
http_connect_timeout = None
(IntOpt) Request timeout value for communicating
with Identity API server.
http_request_max_retries = 3
(IntOpt) How many times to try to reconnect when
communicating with Identity API Server.
identity_uri = None
(StrOpt) Complete admin Identity API endpoint. This
should specify the unversioned root endpoint e.g.
https://localhost:35357/
include_service_catalog = True
(BoolOpt) (Optional) Indicate whether to set the
X-Service-Catalog header. If False, middleware will not
ask for service catalog on token validation and will
not set the X-Service-Catalog header.
insecure = False
(BoolOpt) Verify HTTPS connections.
keyfile = None
(StrOpt) Required if identity server requires client
certificate
memcache_pool_conn_get_timeout = 10
(IntOpt) (Optional) Number of seconds that an
operation will wait to get a memcache client
connection from the pool.
memcache_pool_dead_retry = 300
(IntOpt) (Optional) Number of seconds memcached
server is considered dead before it is tried again.
memcache_pool_maxsize = 10
(IntOpt) (Optional) Maximum total number of open
connections to every memcached server.
memcache_pool_socket_timeout = 3
(IntOpt) (Optional) Socket timeout in seconds for
communicating with a memcache server.
memcache_pool_unused_timeout = 60
(IntOpt) (Optional) Number of seconds a connection
to memcached is held unused in the pool before it is
closed.
memcache_secret_key = None
(StrOpt) (Optional, mandatory if
memcache_security_strategy is defined) This string
is used for key derivation.
memcache_security_strategy = None
(StrOpt) (Optional) If defined, indicate whether
token data should be authenticated or authenticated
and encrypted. Acceptable values are MAC or
ENCRYPT. If MAC, token data is authenticated (with
HMAC) in the cache. If ENCRYPT, token data is
encrypted and authenticated in the cache. If the
value is not one of these options or empty,
auth_token will raise an exception on initialization.
memcache_use_advanced_pool = False
(BoolOpt) (Optional) Use the advanced (eventlet
safe) memcache client pool. The advanced pool will
only work under python 2.x.
revocation_cache_time = 10
(IntOpt) Determines the frequency at which the list
of revoked tokens is retrieved from the Identity
service (in seconds). A high number of revocation
events combined with a low cache duration may
significantly reduce performance.
signing_dir = None
(StrOpt) Directory used to cache files related to PKI
tokens.
token_cache_time = 300
(IntOpt) In order to prevent excessive effort spent
validating tokens, the middleware caches
previously-seen tokens for a configurable duration
(in seconds). Set to -1 to disable caching completely.
Table 3.13. Description of availability zones configuration options
Configuration option = Default value
Description
[DEFAULT]
default_availability_zone = nova
(StrOpt) Default compute node availability_zone
default_schedule_zone = None
(StrOpt) Availability zone to use when user does not
specify one
internal_service_availability_zone = internal
(StrOpt) The availability_zone to show internal
services under
Table 3.14. Description of Barbican configuration options
Configuration option = Default value
Description
[barbican]
cafile = None
(StrOpt) PEM encoded Certificate Authority to use
when verifying HTTPS connections.
catalog_info = key-manager:barbican:public
(StrOpt) Info to match when looking for barbican in
the service catalog. Format is: separated values of
the form: <service_type>:<service_name>:<endpoint_type>
certfile = None
(StrOpt) PEM encoded client certificate cert file
endpoint_template = None
(StrOpt) Override service catalog lookup with
template for barbican endpoint e.g.
http://localhost:9311/v1/%(project_id)s
insecure = False
(BoolOpt) Verify HTTPS connections.
keyfile = None
(StrOpt) PEM encoded client certificate key file
os_region_name = None
(StrOpt) Region name of this node
timeout = None
(IntOpt) Timeout value for http requests
Table 3.15. Description of CA and SSL configuration options
Configuration option = Default value
Description
[DEFAULT]
ca_file = cacert.pem
(StrOpt) Filename of root CA
ca_path = $state_path/CA
(StrOpt) Where to keep the root CA
cert = self.pem
(StrOpt) SSL certificate file
cert_manager = nova.cert.manager.CertManager
(StrOpt) Full class name for the Manager for cert
cert_topic = cert
(StrOpt) The topic cert nodes listen on
crl_file = crl.pem
(StrOpt) Filename of root Certificate Revocation List
key_file = private/cakey.pem
(StrOpt) Filename of private key
keys_path = $state_path/keys
(StrOpt) Where to keep the keys
project_cert_subject = /C=US/ST=California/O=OpenStack/OU=NovaDev/CN=project-ca-%.16s-%s
(StrOpt) Subject for certificate for projects, %s for
project, timestamp
ssl_ca_file = None
(StrOpt) CA certificate file to use to verify
connecting clients
ssl_cert_file = None
(StrOpt) SSL certificate of API server
ssl_key_file = None
(StrOpt) SSL private key of API server
use_project_ca = False
(BoolOpt) Should a CA be used for each project?
user_cert_subject = /C=US/ST=California/O=OpenStack/OU=NovaDev/CN=%.16s-%.16s-%s
(StrOpt) Subject for certificate for users, %s for
project, user, timestamp
[ssl]
ca_file = None
(StrOpt) CA certificate file to use to verify
connecting clients.
cert_file = None
(StrOpt) Certificate file to use when starting the
server securely.
key_file = None
(StrOpt) Private key file to use when starting the
server securely.
Table 3.16. Description of cell configuration options
Configuration option = Default value
Description
[cells]
call_timeout = 60
(IntOpt) Seconds to wait for response from a call to
a cell.
capabilities = hypervisor=xenserver;kvm, os=linux
(ListOpt) Key/Multi-value list with the capabilities of
the cell
cell_type = compute
(StrOpt) Type of cell: api or compute
cells_config = None
(StrOpt) Configuration file from which to read cells
configuration. If given, overrides reading cells from
the database.
db_check_interval = 60
(IntOpt) Interval, in seconds, for getting fresh cell
information from the database.
driver = nova.cells.rpc_driver.CellsRPCDriver
(StrOpt) Cells communication driver to use
enable = False
(BoolOpt) Enable cell functionality
instance_update_num_instances = 1
(IntOpt) Number of instances to update per periodic
task run
instance_updated_at_threshold = 3600
(IntOpt) Number of seconds after an instance was
updated or deleted to continue to update cells
manager = nova.cells.manager.CellsManager
(StrOpt) Manager for cells
max_hop_count = 10
(IntOpt) Maximum number of hops for cells routing.
mute_child_interval = 300
(IntOpt) Number of seconds after which a lack of
capability and capacity updates signals the child cell
is to be treated as a mute.
mute_weight_multiplier = -10.0
(FloatOpt) Multiplier used to weigh mute children.
(The value should be negative.)
mute_weight_value = 1000.0
(FloatOpt) Weight value assigned to mute children.
(The value should be positive.)
name = nova
(StrOpt) Name of this cell
offset_weight_multiplier = 1.0
(FloatOpt) Multiplier used to weigh offset weigher.
reserve_percent = 10.0
(FloatOpt) Percentage of cell capacity to hold in
reserve. Affects both memory and disk utilization
topic = cells
(StrOpt) The topic cells nodes listen on
Table 3.17. Description of common configuration options
Configuration option = Default value
Description
[DEFAULT]
bindir = /usr/local/bin
(StrOpt) Directory where nova binaries are installed
compute_topic = compute
(StrOpt) The topic compute nodes listen on
console_topic = console
(StrOpt) The topic console proxy nodes listen on
consoleauth_topic = consoleauth
(StrOpt) The topic console auth proxy nodes listen
on
host = localhost
(StrOpt) Name of this node. This can be an opaque
identifier. It is not necessarily a hostname, FQDN, or
IP address. However, the node name must be valid
within an AMQP key.
memcached_servers = None
(ListOpt) Memcached servers or None for in process
cache.
my_ip = 10.0.0.1
(StrOpt) IP address of this host
notify_api_faults = False
(BoolOpt) If set, send api.fault notifications on
caught exceptions in the API service.
notify_on_state_change = None
(StrOpt) If set, send compute.instance.update
notifications on instance state changes. Valid values
are None for no notifications, "vm_state" for
notifications on VM state changes, or
"vm_and_task_state" for notifications on VM and
task state changes.
pybasedir = /usr/lib/python/site-packages/nova
(StrOpt) Directory where the nova python module is
installed
report_interval = 10
(IntOpt) Seconds between nodes reporting state to
datastore
rootwrap_config = /etc/nova/rootwrap.conf
(StrOpt) Path to the rootwrap configuration file to
use for running commands as root
service_down_time = 60
(IntOpt) Maximum time since last check-in for up
service
state_path = $pybasedir
(StrOpt) Top-level directory for maintaining nova's
state
tempdir = None
(StrOpt) Explicitly specify the temporary working
directory
[keystone_authtoken]
memcached_servers = None
(ListOpt) Optionally specify a list of memcached
server(s) to use for caching. If left undefined, tokens
will instead be cached in-process.
[workarounds]
destroy_after_evacuate = True
(BoolOpt) Whether to destroy instances on startup
when it is suspected that they have previously been
evacuated. This can result in data loss if undesired.
See https://launchpad.net/bugs/1419785
disable_libvirt_livesnapshot = True
(BoolOpt) When using libvirt 1.2.2, live snapshots fail
intermittently under load. This config option
provides a mechanism to disable live snapshots while
this is resolved. See
https://bugs.launchpad.net/nova/+bug/1334398
disable_rootwrap = False
(BoolOpt) This option allows a fallback to sudo for
performance reasons. For example see
https://bugs.launchpad.net/nova/+bug/1415106
Table 3.18. Description of Compute configuration options
Configuration option = Default value
Description
[DEFAULT]
compute_available_monitors = ['nova.compute.monitors.all_monitors']
(MultiStrOpt) Monitor classes available to the
compute which may be specified more than once.
compute_driver = None
(StrOpt) Driver to use for controlling virtualization.
Options include: libvirt.LibvirtDriver,
xenapi.XenAPIDriver, fake.FakeDriver,
baremetal.BareMetalDriver,
vmwareapi.VMwareVCDriver, hyperv.HyperVDriver
compute_manager = nova.compute.manager.ComputeManager
(StrOpt) Full class name for the Manager for
compute
compute_monitors =
(ListOpt) A list of monitors that can be used for
getting compute metrics.
compute_resources = vcpu
(ListOpt) The names of the extra resources to track.
compute_stats_class = nova.compute.stats.Stats
(StrOpt) Class that will manage stats for the local
compute host
console_host = localhost
(StrOpt) Console proxy host to use to connect to
instances on this host.
console_manager = nova.console.manager.ConsoleProxyManager
(StrOpt) Full class name for the Manager for console
proxy
default_flavor = m1.small
(StrOpt) Default flavor to use for the EC2 API only.
The Nova API does not support a default flavor.
default_notification_level = INFO
(StrOpt) Default notification level for outgoing
notifications
enable_instance_password = True
(BoolOpt) Enables returning of the instance
password by the relevant server API calls such as
create, rebuild or rescue. If the hypervisor does not
support password injection then the password
returned will not be correct.
heal_instance_info_cache_interval = 60
(IntOpt) Number of seconds between instance
network information cache updates
image_cache_manager_interval = 2400
(IntOpt) Number of seconds to wait between runs of
the image cache manager. Set to -1 to disable.
Setting this to 0 will run at the default rate.
image_cache_subdirectory_name = _base
(StrOpt) Where cached images are stored under
$instances_path. This is NOT the full path - only a
folder name. For per-compute-host cached images,
set to _base_$my_ip
instance_build_timeout = 0
(IntOpt) Amount of time in seconds an instance can
be in BUILD before going into ERROR status. Set to
0 to disable.
instance_delete_interval = 300
(IntOpt) Interval in seconds for retrying failed
instance file deletes. Set to -1 to disable. Setting this
to 0 will run at the default rate.
instance_usage_audit = False
(BoolOpt) Generate periodic
compute.instance.exists notifications
instance_usage_audit_period = month
(StrOpt) Time period to generate instance usages
for. Time period must be hour, day, month or year
instances_path = $state_path/instances
(StrOpt) Where instances are stored on disk
max_concurrent_builds = 10
(IntOpt) Maximum number of instance builds to run
concurrently
maximum_instance_delete_attempts = 5
(IntOpt) The number of times to attempt to reap an
instance's files.
reboot_timeout = 0
(IntOpt) Automatically hard reboot an instance if it
has been stuck in a rebooting state longer than N
seconds. Set to 0 to disable.
reclaim_instance_interval = 0
(IntOpt) Interval in seconds for reclaiming deleted
instances
rescue_timeout = 0
(IntOpt) Automatically unrescue an instance after N
seconds. Set to 0 to disable.
resize_confirm_window = 0
(IntOpt) Automatically confirm resizes after N
seconds. Set to 0 to disable.
resume_guests_state_on_host_boot = False
(BoolOpt) Whether to start guests that were running
before the host rebooted
running_deleted_instance_action = reap
(StrOpt) Action to take if a running deleted instance
is detected. Valid options are 'noop', 'log', 'shutdown',
or 'reap'. Set to 'noop' to take no action.
running_deleted_instance_poll_interval = 1800
(IntOpt) Number of seconds to wait between runs of
the cleanup task.
running_deleted_instance_timeout = 0
(IntOpt) Number of seconds after being deleted
when a running instance should be considered
eligible for cleanup.
shelved_offload_time = 0
(IntOpt) Time in seconds before a shelved instance
is eligible for removing from a host. -1 never offload,
0 offload when shelved
shelved_poll_interval = 3600
(IntOpt) Interval in seconds for polling shelved
instances to offload. Set to -1 to disable. Setting this
to 0 will run at the default rate.
shutdown_timeout = 60
(IntOpt) Total amount of time to wait in seconds for
an instance to perform a clean shutdown.
sync_power_state_interval = 600
(IntOpt) Interval to sync power states between the
database and the hypervisor. Set to -1 to disable.
Setting this to 0 will run at the default rate.
vif_plugging_is_fatal = True
(BoolOpt) Fail instance boot if vif plugging fails
vif_plugging_timeout = 300
(IntOpt) Number of seconds to wait for neutron vif
plugging events to arrive before continuing or failing
(see vif_plugging_is_fatal). If this is set to zero and
vif_plugging_is_fatal is False, events should not be
expected to arrive at all.
Table 3.19. Description of conductor configuration options
Configuration option = Default value
Description
[DEFAULT]
migrate_max_retries = -1
(IntOpt) Number of times to retry live-migration
before failing. If set to -1, try until out of hosts. If set
to 0, only try once, no retries.
[conductor]
manager = nova.conductor.manager.ConductorManager
(StrOpt) Full class name for the Manager for
conductor
topic = conductor
(StrOpt) The topic on which conductor nodes listen
use_local = False
(BoolOpt) Perform nova-conductor operations
locally
workers = None
(IntOpt) Number of workers for OpenStack
Conductor service. The default will be the number of
CPUs available.
Table 3.20. Description of config drive configuration options
Configuration option = Default value
Description
[DEFAULT]
config_drive_format = iso9660
(StrOpt) Config drive format. One of iso9660
(default) or vfat
config_drive_skip_versions = 1.0 2007-01-19 2007-03-01 2007-08-29 2007-10-10 2007-12-15 2008-02-01 2008-09-01
(StrOpt) List of metadata versions to skip placing
into the config drive
force_config_drive = None
(StrOpt) Set to "always" to force injection to take
place on a config drive. NOTE: The "always" will be
deprecated in the Liberty release cycle.
mkisofs_cmd = genisoimage
(StrOpt) Name and optionally path of the tool used
for ISO image creation
[hyperv]
config_drive_cdrom = False
(BoolOpt) Attaches the Config Drive image as a
cdrom drive instead of a disk drive
config_drive_inject_password = False
(BoolOpt) Sets the admin password in the config
drive image
Table 3.21. Description of console configuration options
Configuration option = Default value
Description
[DEFAULT]
console_public_hostname = localhost
(StrOpt) Publicly visible name for this console host
console_token_ttl = 600
(IntOpt) How many seconds before deleting tokens
consoleauth_manager = nova.consoleauth.manager.ConsoleAuthManager
(StrOpt) Manager for console auth
Table 3.22. Description of database configuration options
Configuration option = Default value
Description
[DEFAULT]
db_driver = nova.db
(StrOpt) The driver to use for database access
[api_database]
connection = None
(StrOpt) The SQLAlchemy connection string to use
to connect to the Nova API database.
connection_debug = 0
(IntOpt) Verbosity of SQL debugging information:
0=None, 100=Everything.
connection_trace = False
(BoolOpt) Add Python stack traces to SQL as
comment strings.
idle_timeout = 3600
(IntOpt) Timeout before idle SQL connections are
reaped.
max_overflow = None
(IntOpt) If set, use this value for max_overflow with
SQLAlchemy.
max_pool_size = None
(IntOpt) Maximum number of SQL connections to
keep open in a pool.
max_retries = 10
(IntOpt) Maximum number of database connection
retries during startup. Set to -1 to specify an infinite
retry count.
mysql_sql_mode = TRADITIONAL
(StrOpt) The SQL mode to be used for MySQL
sessions. This option, including the default, overrides
any server-set SQL mode. To use whatever SQL
mode is set by the server configuration, set this to
no value. Example: mysql_sql_mode=
pool_timeout = None
(IntOpt) If set, use this value for pool_timeout with
SQLAlchemy.
retry_interval = 10
(IntOpt) Interval between retries of opening a SQL
connection.
slave_connection = None
(StrOpt) The SQLAlchemy connection string to use
to connect to the slave database.
sqlite_synchronous = True
(BoolOpt) If True, SQLite uses synchronous mode.
[database]
backend = sqlalchemy
(StrOpt) The back end to use for the database.
connection = None
(StrOpt) The SQLAlchemy connection string to use
to connect to the database.
connection_debug = 0
(IntOpt) Verbosity of SQL debugging information:
0=None, 100=Everything.
connection_trace = False
(BoolOpt) Add Python stack traces to SQL as
comment strings.
db_inc_retry_interval = True
(BoolOpt) If True, increases the interval between
retries of a database operation up to
db_max_retry_interval.
db_max_retries = 20
(IntOpt) Maximum retries in case of connection error
or deadlock error before error is raised. Set to -1 to
specify an infinite retry count.
db_max_retry_interval = 10
(IntOpt) If db_inc_retry_interval is set, the maximum
seconds between retries of a database operation.
db_retry_interval = 1
(IntOpt) Seconds between retries of a database
transaction.
idle_timeout = 3600
(IntOpt) Timeout before idle SQL connections are
reaped.
max_overflow = None
(IntOpt) If set, use this value for max_overflow with
SQLAlchemy.
max_pool_size = None
(IntOpt) Maximum number of SQL connections to
keep open in a pool.
max_retries = 10
(IntOpt) Maximum number of database connection
retries during startup. Set to -1 to specify an infinite
retry count.
min_pool_size = 1
(IntOpt) Minimum number of SQL connections to
keep open in a pool.
mysql_sql_mode = TRADITIONAL
(StrOpt) The SQL mode to be used for MySQL
sessions. This option, including the default, overrides
any server-set SQL mode. To use whatever SQL
mode is set by the server configuration, set this to
no value. Example: mysql_sql_mode=
pool_timeout = None
(IntOpt) If set, use this value for pool_timeout with
SQLAlchemy.
retry_interval = 10
(IntOpt) Interval between retries of opening a SQL
connection.
slave_connection = None
(StrOpt) The SQLAlchemy connection string to use
to connect to the slave database.
sqlite_db = oslo.sqlite
(StrOpt) The file name to use with SQLite.
sqlite_synchronous = True
(BoolOpt) If True, SQLite uses synchronous mode.
use_db_reconnect = False
(BoolOpt) Enable the experimental use of database
reconnect on connection lost.
use_tpool = False
(BoolOpt) Enable the experimental use of thread
pooling for all DB API calls
Table 3.23. Description of logging configuration options
Configuration option = Default value
Description
[DEFAULT]
backdoor_port = None
(StrOpt) Enable eventlet backdoor. Acceptable
values are 0, <port>, and <start>:<end>, where 0
results in listening on a random tcp port number;
<port> results in listening on the specified port
number (and not enabling backdoor if that port is in
use); and <start>:<end> results in listening on the
smallest unused port number within the specified
range of port numbers. The chosen port is displayed
in the service's log file.
[guestfs]
debug = False
(BoolOpt) Enable guestfs debug
Table 3.24. Description of EC2 configuration options
Configuration option = Default value
Description
[DEFAULT]
ec2_dmz_host = $my_ip
(StrOpt) The internal IP address of the EC2 API
server
ec2_host = $my_ip
(StrOpt) The IP address of the EC2 API server
ec2_listen = 0.0.0.0
(StrOpt) The IP address on which the EC2 API will
listen.
ec2_listen_port = 8773
(IntOpt) The port on which the EC2 API will listen.
ec2_path = /
(StrOpt) The path prefix used to call the ec2 API
server
ec2_port = 8773
(IntOpt) The port of the EC2 API server
ec2_private_dns_show_ip = False
(BoolOpt) Return the IP address as private dns
hostname in describe instances
ec2_scheme = http
(StrOpt) The protocol to use when connecting to the
EC2 API server (http, https)
ec2_strict_validation = True
(BoolOpt) Validate security group names according
to EC2 specification
ec2_timestamp_expiry = 300
(IntOpt) Time in seconds before ec2 timestamp
expires
ec2_workers = None
(IntOpt) Number of workers for EC2 API service. The
default will be equal to the number of CPUs
available.
keystone_ec2_insecure = False
(BoolOpt) Disable SSL certificate verification.
keystone_ec2_url = http://localhost:5000/v2.0/ec2tokens
(StrOpt) URL to get token from ec2 request.
lockout_attempts = 5
(IntOpt) Number of failed auths before lockout.
lockout_minutes = 15
(IntOpt) Number of minutes to lockout if triggered.
lockout_window = 15
(IntOpt) Number of minutes for lockout window.
region_list =
(ListOpt) List of region=fqdn pairs separated by
commas
Table 3.25. Description of ephemeral storage encryption configuration options
Configuration option = Default value
Description
[ephemeral_storage_encryption]
cipher = aes-xts-plain64
(StrOpt) The cipher and mode to be used to encrypt
ephemeral storage. Which ciphers are available
depends on kernel support. See
/proc/crypto for the list of available options.
enabled = False
(BoolOpt) Whether to encrypt ephemeral storage
key_size = 512
(IntOpt) The bit length of the encryption key to be
used to encrypt ephemeral storage (in XTS mode
only half of the bits are used for encryption key)
Table 3.26. Description of fping configuration options
Configuration option = Default value
Description
[DEFAULT]
fping_path = /usr/sbin/fping
(StrOpt) Full path to fping.
Table 3.27. Description of glance configuration options
Configuration option = Default value
Description
[DEFAULT]
osapi_glance_link_prefix = None
(StrOpt) Base URL that will be presented to users in
links to glance resources
[glance]
allowed_direct_url_schemes =
(ListOpt) A list of URL schemes that can be
downloaded directly via the direct_url. Currently
supported schemes: [file].
api_insecure = False
(BoolOpt) Allow insecure SSL (https)
requests to glance
api_servers = None
(ListOpt) A list of the glance api servers available to
nova. Prefix with https:// for ssl-based glance api
servers. ([hostname|ip]:port)
host = $my_ip
(StrOpt) Default glance hostname or IP address
num_retries = 0
(IntOpt) Number of retries when uploading /
downloading an image to / from glance.
port = 9292
(IntOpt) Default glance port
protocol = http
(StrOpt) Default protocol to use when connecting to
glance. Set to https for SSL.
[image_file_url]
filesystems =
(ListOpt) List of file systems that are configured in
this file in the image_file_url:<list entry name>
sections
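The security-relevant switches in the API, authentication, authorization token, Barbican, logging, EC2 and glance tables above can be checked mechanically against a deployed nova.conf. The following Python script is an added example, not code from Red Hat or the Nova project; the sample configuration, the severity labels and the function names are constructed for illustration.

```python
import configparser

# Constructed sample for the demo; hosts and secrets are placeholders.
SAMPLE_NOVA_CONF = """\
[DEFAULT]
auth_strategy = noauth2
use_forwarded_for = True
backdoor_port = 4444:4454
wsgi_log_format = %(client_ip)s "%(request_line)s" status: %(status_code)s
keystone_ec2_insecure = False

[keystone_authtoken]
identity_uri = https://keystone.example.test:35357/
admin_token = PLACEHOLDER-SHARED-SECRET
insecure = true
memcached_servers = 192.0.2.10:11211
memcache_security_strategy = MAC
hash_algorithms = md5, sha256

[glance]
api_insecure = False
"""

TRUE_WORDS = {"1", "true", "yes", "on"}
# Options that switch off TLS certificate verification when set to true.
TLS_SWITCHES = (
    ("keystone_authtoken", "insecure"),
    ("barbican", "insecure"),
    ("glance", "api_insecure"),
    ("DEFAULT", "keystone_ec2_insecure"),
)


def load(text):
    """Parse nova.conf text without interpolation or [DEFAULT] inheritance."""
    # interpolation=None: values such as wsgi_log_format contain %(...)s.
    # Renaming default_section makes [DEFAULT] an ordinary section, so its
    # keys do not show up in every other section. strict=False tolerates
    # the repeated keys that MultiStrOpt options use.
    parser = configparser.ConfigParser(
        interpolation=None, strict=False, default_section="__unused__")
    parser.read_string(text)
    return parser


def get(parser, section, option):
    """Return the stripped value, or None when the option is unset or empty."""
    value = parser.get(section, option, fallback=None)
    return value.strip() if value and value.strip() else None


def audit(parser):
    """Return (severity, "[section] option", reason); values are never echoed."""
    findings = []

    def flag(severity, section, option, reason):
        findings.append((severity, f"[{section}] {option}", reason))

    def is_true(section, option):
        value = get(parser, section, option)
        return value is not None and value.lower() in TRUE_WORDS

    if get(parser, "DEFAULT", "auth_strategy") in ("noauth", "noauth2"):
        flag("HIGH", "DEFAULT", "auth_strategy",
             "testing-only strategy, no credential checking")
    if is_true("DEFAULT", "use_forwarded_for"):
        flag("REVIEW", "DEFAULT", "use_forwarded_for",
             "X-Forwarded-For is trusted; confirm a sanitizing proxy")
    if get(parser, "DEFAULT", "backdoor_port"):
        flag("HIGH", "DEFAULT", "backdoor_port", "eventlet backdoor enabled")
    if get(parser, "keystone_authtoken", "admin_token"):
        flag("HIGH", "keystone_authtoken", "admin_token",
             "deprecated shared secret; use admin_user and admin_password")
    for section, option in TLS_SWITCHES:
        if is_true(section, option):
            flag("HIGH", section, option, "certificate verification is off")

    servers = get(parser, "keystone_authtoken", "memcached_servers")
    strategy = get(parser, "keystone_authtoken", "memcache_security_strategy")
    secret = get(parser, "keystone_authtoken", "memcache_secret_key")
    if strategy is None:
        if servers is not None:
            flag("MEDIUM", "keystone_authtoken", "memcache_security_strategy",
                 "token data cached in memcached without MAC or ENCRYPT")
    elif strategy.upper() not in ("MAC", "ENCRYPT"):  # case-folding assumed
        flag("HIGH", "keystone_authtoken", "memcache_security_strategy",
             "not MAC or ENCRYPT; auth_token raises on initialization")
    elif secret is None:
        flag("HIGH", "keystone_authtoken", "memcache_secret_key",
             "mandatory when memcache_security_strategy is set")

    algorithms = get(parser, "keystone_authtoken", "hash_algorithms") or ""
    if "md5" in [name.strip().lower() for name in algorithms.split(",")]:
        flag("LOW", "keystone_authtoken", "hash_algorithms",
             "md5 still accepted for PKI token hashes")
    return findings


if __name__ == "__main__":
    for severity, option, reason in audit(load(SAMPLE_NOVA_CONF)):
        print(f"{severity:<7}{option}: {reason}")
```

Only explicitly set options are examined, so a finding always points at a line an operator wrote rather than at a documented default.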
Table 3.28. Description of hypervisor configuration options
Configuration option = Default value
Description
[DEFAULT]
default_ephemeral_format = None
(StrOpt) The default format an ephemeral_volume
will be formatted with on creation.
force_raw_images = True
(BoolOpt) Force backing images to raw format
preallocate_images = none
(StrOpt) VM image preallocation mode: "none" =>
no storage provisioning is done up front, "space" =>
storage is fully allocated at instance start
timeout_nbd = 10
(IntOpt) Amount of time, in seconds, to wait for NBD
device start up.
use_cow_images = True
(BoolOpt) Whether to use cow images
vcpu_pin_set = None
(StrOpt) Defines which pcpus instance vcpus
can use. For example, "4-12,^8,15"
virt_mkfs = []
(MultiStrOpt) Name of the mkfs commands for
ephemeral device. The format is <os_type>=<mkfs
command>
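The vcpu_pin_set value above uses a compact CPU-set syntax, and expanding it shows exactly which host CPUs guests are confined to. The following Python parser is an added example, not Nova's own code; it assumes inclusive ranges and that a ^ prefix excludes CPUs, and accepting a range after ^ is a generalization made here.

```python
def parse_cpu_spec(spec):
    """Expand a vcpu_pin_set-style string into a sorted list of host CPU ids.

    Assumed grammar: comma-separated rules, each "N", "N-M" (inclusive) or
    the same prefixed with "^" to exclude those CPUs from the result.
    """
    allowed, rejected = set(), set()
    for raw in spec.split(","):
        rule = raw.strip()
        if not rule:
            continue  # tolerate stray commas and an empty spec
        target = allowed
        if rule.startswith("^"):
            target, rule = rejected, rule[1:]
        first, dash, last = rule.partition("-")
        try:
            start = int(first)
            end = int(last) if dash else start
        except ValueError:
            raise ValueError(f"invalid CPU rule: {raw.strip()!r}") from None
        if end < start:
            raise ValueError(f"descending range: {raw.strip()!r}")
        target.update(range(start, end + 1))
    result = sorted(allowed - rejected)
    # A non-empty spec that leaves no CPU would pin guests to nothing;
    # treat that as a configuration error instead of returning [].
    if spec.strip() and not result:
        raise ValueError("spec excludes every CPU it lists")
    return result


if __name__ == "__main__":
    # The value quoted in the option description.
    print(parse_cpu_spec("4-12,^8,15"))
```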
Table 3.29. Description of bare metal configuration options
Configuration option = Default value
Description
[ironic]
admin_auth_token = None
(StrOpt) Ironic keystone auth token.
admin_password = None
(StrOpt) Ironic keystone admin password.
admin_tenant_name = None
(StrOpt) Ironic keystone tenant name.
admin_url = None
(StrOpt) Keystone public API endpoint.
admin_username = None
(StrOpt) Ironic keystone admin name
api_endpoint = None
(StrOpt) URL for Ironic API endpoint.
api_max_retries = 60
(IntOpt) How many retries when a request does
conflict.
api_retry_interval = 2
(IntOpt) How often to retry in seconds when a
request does conflict
api_version = 1
(IntOpt) Version of Ironic API service endpoint.
client_log_level = None
(StrOpt) Log level override for ironicclient. Set this
in order to override the global "default_log_levels",
"verbose", and "debug" settings. DEPRECATED: use
standard logging configuration.
Table 3.30. Description of IPv6 configuration options
Configuration option = Default value
Description
[DEFAULT]
fixed_range_v6 = fd00::/48
(StrOpt) Fixed IPv6 address block
gateway_v6 = None
(StrOpt) Default IPv6 gateway
ipv6_backend = rfc2462
(StrOpt) Backend to use for IPv6 generation
use_ipv6 = False
(BoolOpt) Use IPv6
Table 3.31. Description of key manager configuration options
Configuration option = Default value
Description
[keymgr]
api_class = nova.keymgr.conf_key_mgr.ConfKeyManager
(StrOpt) The full class name of the key manager API
class
fixed_key = None
(StrOpt) Fixed key returned by key manager,
specified in hex
Table 3.32. Description of LDAP configuration options
Configuration option = Default value
Description
[DEFAULT]
ldap_dns_base_dn = ou=hosts,dc=example,dc=org
(StrOpt) Base DN for DNS entries in LDAP
ldap_dns_password = password
(StrOpt) Password for LDAP DNS
ldap_dns_servers = ['dns.example.org']
(MultiStrOpt) DNS Servers for LDAP DNS driver
ldap_dns_soa_expiry = 86400
(StrOpt) Expiry interval (in seconds) for LDAP DNS
driver Statement of Authority
ldap_dns_soa_hostmaster = hostmaster@example.org
(StrOpt) Hostmaster for LDAP DNS driver Statement
of Authority
ldap_dns_soa_minimum = 7200
(StrOpt) Minimum interval (in seconds) for LDAP
DNS driver Statement of Authority
ldap_dns_soa_refresh = 1800
(StrOpt) Refresh interval (in seconds) for LDAP DNS
driver Statement of Authority
ldap_dns_soa_retry = 3600
(StrOpt) Retry interval (in seconds) for LDAP DNS
driver Statement of Authority
ldap_dns_url = ldap://ldap.example.com:389
(StrOpt) URL for LDAP server which will store DNS
entries
ldap_dns_user = uid=admin,ou=people,dc=example,dc=org
(StrOpt) User for LDAP DNS
Table 3.33. Description of Libvirt configuration options
Configuration option = Default value
Description
[DEFAULT]
remove_unused_base_images = True
(BoolOpt) Should unused base images be removed?
remove_unused_original_minimum_age_seconds = 86400
(IntOpt) Unused unresized base images younger
than this will not be removed
[libvirt]
block_migration_flag = VIR_MIGRATE_UNDEFINE_SOURCE,
VIR_MIGRATE_PEER2PEER, VIR_MIGRATE_LIVE,
VIR_MIGRATE_TUNNELLED,
VIR_MIGRATE_NON_SHARED_INC
(StrOpt) Migration flags to be set for block migration
checksum_base_images = False
(BoolOpt) Write a checksum for files in _base to disk
checksum_interval_seconds = 3600
(IntOpt) How frequently to checksum base images
connection_uri =
(StrOpt) Override the default libvirt URI (which is
dependent on virt_type)
cpu_mode = None
(StrOpt) Set to "host-model" to clone the host CPU
feature flags; to "host-passthrough" to use the host
CPU model exactly; to "custom" to use a named CPU
model; to "none" to not set any CPU model. If
virt_type="kvm|qemu", it will default to "host-model", otherwise it will default to "none"
cpu_model = None
(StrOpt) Set to a named libvirt CPU model (see
names listed in /usr/share/libvirt/cpu_map.xml).
Only has effect if cpu_mode="custom" and
virt_type="kvm|qemu"
disk_cachemodes =
(ListOpt) Specific cachemodes to use for different
disk types e.g: file=directsync,block=none
disk_prefix = None
(StrOpt) Override the default disk prefix for the
devices attached to a server, which is dependent on
virt_type. (valid options are: sd, xvd, uvd, vd)
gid_maps =
(ListOpt) List of gid targets and ranges. Syntax is
guest-gid:host-gid:count. Maximum of 5 allowed.
hw_disk_discard = None
(StrOpt) Discard option for nova managed disks
(valid options are: ignore, unmap). Requires
Libvirt (1.0.6), Qemu 1.5 (raw format), Qemu 1.6 (qcow2
format)
hw_machine_type = None
(ListOpt) For qemu or KVM guests, set this option to
specify a default machine type per host
architecture. You can find a list of supported
machine types in your environment by checking the
output of the "virsh capabilities" command. The
format of the value for this config option is host-arch=machine-type. For example:
x86_64=machinetype1,armv7l=machinetype2
image_info_filename_pattern = $instances_path/$image_cache_subdirectory_name/%(image)s.info
(StrOpt) Allows image information files to be stored
in non-standard locations
images_rbd_ceph_conf =
(StrOpt) Path to the ceph configuration file to use
images_rbd_pool = rbd
(StrOpt) The RADOS pool in which rbd volumes are
stored
images_type = default
(StrOpt) VM Images format. Acceptable values are:
raw, qcow2, lvm, rbd, default. If default is specified,
then use_cow_images flag is used instead of this
one.
images_volume_group = None
(StrOpt) LVM Volume Group that is used for VM
images, when you specify images_type=lvm.
inject_key = False
(BoolOpt) Inject the ssh public key at boot time
inject_partition = -2
(IntOpt) The partition to inject to : -2 => disable, -1
=> inspect (libguestfs only), 0 => not partitioned, >0
=> partition number
inject_password = False
(BoolOpt) Inject the admin password at boot time,
without an agent.
iscsi_iface = None
(StrOpt) The iSCSI transport iface to use to connect
to target in case offload support is desired.
Supported transports are be2iscsi, bnx2i, cxgb3i,
cxgb4i, qla4xxx and ocs. Default format is
transport_name.hwaddress and can be generated
manually or via iscsiadm -m iface
iscsi_use_multipath = False
(BoolOpt) Use multipath connection of the iSCSI
volume
iser_use_multipath = False
(BoolOpt) Use multipath connection of the iSER
volume
mem_stats_period_seconds = 10
(IntOpt) The memory usage statistics period, in
seconds. A zero or negative value disables
memory usage statistics.
remove_unused_kernels = False
(BoolOpt) Should unused kernel images be
removed? This is only safe to enable if all compute
nodes have been updated to support this option. This
will be enabled by default in future.
remove_unused_resized_minimum_age_seconds = 3600
(IntOpt) Unused resized base images younger than
this will not be removed
rescue_image_id = None
(StrOpt) Rescue ami image. This will not be used if
an image id is provided by the user.
rescue_kernel_id = None
(StrOpt) Rescue aki image
rescue_ramdisk_id = None
(StrOpt) Rescue ari image
rng_dev_path = None
(StrOpt) A path to a device that will be used as
source of entropy on the host. Permitted options
are: /dev/random or /dev/hwrng
snapshot_compression = False
(BoolOpt) Compress snapshot images when possible.
This currently applies exclusively to qcow2 images
snapshot_image_format = None
(StrOpt) Snapshot image format (valid options are :
raw, qcow2, vmdk, vdi). Defaults to same as source
image
snapshots_directory = $instances_path/snapshots
(StrOpt) Location where libvirt driver will store
snapshots before uploading them to image service
sparse_logical_volumes = False
(BoolOpt) Create sparse logical volumes (with
virtualsize) if this flag is set to True.
sysinfo_serial = auto
(StrOpt) The data source used to populate the
host "serial" UUID exposed to guest in the virtual
BIOS. Permitted options are "hardware", "os",
"none" or "auto" (default).
uid_maps =
(ListOpt) List of uid targets and ranges. Syntax is
guest-uid:host-uid:count. Maximum of 5
allowed.
use_usb_tablet = True
(BoolOpt) Sync virtual and real mouse cursors (Not
applicable to Red Hat Enterprise Linux VMs)
use_virtio_for_bridges = True
(BoolOpt) Use virtio for bridge interfaces with
KVM/QEMU
virt_type = kvm
(StrOpt) Libvirt domain type (valid options are: kvm,
lxc, qemu, uml, xen and parallels)
volume_clear = zero
(StrOpt) Method used to wipe old volumes (valid
options are: none, zero, shred)
volume_clear_size = 0
(IntOpt) Size in MiB to wipe at start of old volumes. 0
=> all
wait_soft_reboot_seconds = 120
(IntOpt) Number of seconds to wait for instance to
shut down after soft reboot request is made. Fall
back to hard reboot if instance does not shut down
within this window.
Table 3.34. Description of live migration configuration options
Configuration option = Default value
Description
[DEFAULT]
live_migration_retry_count = 30
(IntOpt) Number of 1 second retries needed in
live_migration
[libvirt]
live_migration_bandwidth = 0
(IntOpt) Maximum bandwidth to be used during
migration, in Mbps
live_migration_flag = VIR_MIGRATE_UNDEFINE_SOURCE,
VIR_MIGRATE_PEER2PEER, VIR_MIGRATE_LIVE,
VIR_MIGRATE_TUNNELLED
(StrOpt) Migration flags to be set for live migration
live_migration_uri = qemu+tcp://%s/system
(StrOpt) Migration target URI (any included "%s" is
replaced with the migration target hostname)
Table 3.35. Description of logging configuration options
Configuration option = Default value
Description
[DEFAULT]
debug = False
(BoolOpt) Print debugging output (set logging level
to DEBUG instead of default WARNING level).
default_log_levels = amqp=WARN,
amqplib=WARN, boto=WARN, qpid=WARN,
sqlalchemy=WARN, suds=INFO, oslo.messaging=INFO,
iso8601=WARN,
requests.packages.urllib3.connectionpool=WARN,
urllib3.connectionpool=WARN, websocket=WARN,
requests.packages.urllib3.util.retry=WARN,
urllib3.util.retry=WARN, keystonemiddleware=WARN,
routes.middleware=WARN, stevedore=WARN
(ListOpt) List of logger=LEVEL pairs.
fatal_deprecations = False
(BoolOpt) Enables or disables fatal status of
deprecations.
fatal_exception_format_errors = False
(BoolOpt) Make exception message format errors
fatal
instance_format = "[instance: %(uuid)s] "
(StrOpt) The format for an instance that is passed
with the log message.
instance_uuid_format = "[instance: %(uuid)s] "
(StrOpt) The format for an instance UUID that is
passed with the log message.
log_config_append = None
(StrOpt) The name of a logging configuration file.
This file is appended to any existing logging
configuration files. For details about logging
configuration files, see the Python logging module
documentation.
log_date_format = %Y-%m-%d %H:%M:%S
(StrOpt) Format string for %%(asctime)s in log
records. Default: %(default)s .
log_dir = None
(StrOpt) (Optional) The base directory used for
relative --log-file paths.
log_file = None
(StrOpt) (Optional) Name of log file to output to. If
no default is set, logging will go to stdout.
log_format = None
(StrOpt) DEPRECATED. A logging.Formatter log
message format string which may use any of the
available logging.LogRecord attributes. This option
is deprecated. Use logging_context_format_string
and logging_default_format_string instead.
logging_context_format_string = %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [%(request_id)s %(user_identity)s] %(instance)s%(message)s
(StrOpt) Format string to use for log messages with
context.
logging_debug_format_suffix = %(funcName)s %(pathname)s:%(lineno)d
(StrOpt) Data to append to log format when level is
DEBUG.
logging_default_format_string = %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [-] %(instance)s%(message)s
(StrOpt) Format string to use for log messages
without context.
logging_exception_prefix = %(asctime)s.%(msecs)03d %(process)d TRACE %(name)s %(instance)s
(StrOpt) Prefix each line of exception output with
this format.
publish_errors = False
(BoolOpt) Enables or disables publication of error
events.
syslog_log_facility = LOG_USER
(StrOpt) Syslog facility to receive log lines.
use_syslog = False
(BoolOpt) Use syslog for logging. Existing syslog
format is DEPRECATED during I, and will change in J
to honor RFC5424.
use_syslog_rfc_format = False
(BoolOpt) (Optional) Enables or disables syslog
rfc5424 format for logging. If enabled, prefixes the
MSG part of the syslog message with APP-NAME
(RFC5424). The format without the APP-NAME is
deprecated in I, and will be removed in J.
use_stderr = True
(BoolOpt) Log output to standard error.
verbose = False
(BoolOpt) Print more verbose output (set logging
level to INFO instead of default WARNING level).
Table 3.36. Description of metadata configuration options
Configuration option = Default value
Description
[DEFAULT]
metadata_cache_expiration = 15
(IntOpt) Time in seconds to cache metadata; 0 to
disable metadata caching entirely (not
recommended). Increasing this should improve
response times of the metadata API when under
heavy load. Higher values may increase
memory usage and result in longer times for host
metadata changes to take effect.
metadata_host = $my_ip
(StrOpt) The IP address for the metadata API server
metadata_listen = 0.0.0.0
(StrOpt) The IP address on which the metadata API
will listen.
metadata_listen_port = 8775
(IntOpt) The port on which the metadata API will
listen.
metadata_manager = nova.api.manager.MetadataManager
(StrOpt) OpenStack metadata service manager
metadata_port = 8775
(IntOpt) The port for the metadata API port
metadata_workers = None
(IntOpt) Number of workers for metadata service.
The default will be the number of CPUs available.
vendordata_driver = nova.api.metadata.vendordata_json.JsonFileVendorData
(StrOpt) Driver to use for vendor data
vendordata_jsonfile_path = None
(StrOpt) File to load JSON formatted vendor data
from
Table 3.37. Description of network configuration options
Configuration option = Default value
Description
[DEFAULT]
allow_same_net_traffic = True
(BoolOpt) Whether to allow network traffic from
same network
auto_assign_floating_ip = False
(BoolOpt) Autoassigning floating IP to VM
cnt_vpn_clients = 0
(IntOpt) Number of addresses reserved for vpn
clients
create_unique_mac_address_attempts = 5
(IntOpt) Number of attempts to create unique mac
address
default_access_ip_network_name = None
(StrOpt) Name of network to use to set access IPs
for instances
default_floating_pool = nova
(StrOpt) Default pool for floating IPs
defer_iptables_apply = False
(BoolOpt) Whether to batch up the application of
IPTables rules during a host restart and apply all at
the end of the init phase
dhcp_domain = novalocal
(StrOpt) Domain to use for building the hostnames
dhcp_lease_time = 86400
(IntOpt) Lifetime of a DHCP lease in seconds
dhcpbridge = $bindir/nova-dhcpbridge
(StrOpt) Location of nova-dhcpbridge
dhcpbridge_flagfile = ['/etc/nova/nova-dhcpbridge.conf']
(MultiStrOpt) Location of flagfiles for dhcpbridge
dns_server = []
(MultiStrOpt) If set, uses specific DNS server for
dnsmasq. Can be specified multiple times.
dns_update_periodic_interval = -1
(IntOpt) Number of seconds to wait between runs of
updates to DNS entries.
dnsmasq_config_file =
(StrOpt) Override the default dnsmasq settings with
this file
ebtables_exec_attempts = 3
(IntOpt) Number of times to retry ebtables
commands on failure.
ebtables_retry_interval = 1.0
(FloatOpt) Number of seconds to wait between
ebtables retries.
firewall_driver = None
(StrOpt) Firewall driver (defaults to hypervisor
specific iptables driver)
fixed_ip_disassociate_timeout = 600
(IntOpt) Seconds after which a deallocated IP is
disassociated
flat_injected = False
(BoolOpt) Whether to attempt to inject network
setup into guest
flat_interface = None
(StrOpt) FlatDhcp will bridge into this interface if set
flat_network_bridge = None
(StrOpt) Bridge for simple network instances
flat_network_dns = 8.8.4.4
(StrOpt) DNS server for simple network
floating_ip_dns_manager = nova.network.noop_dns_driver.NoopDNSDriver
(StrOpt) Full class name for the DNS Manager for
floating IPs
force_dhcp_release = True
(BoolOpt) If True, send a dhcp release on instance
termination
force_snat_range = []
(MultiStrOpt) Traffic to this range will always be
snatted to the fallback ip, even if it would normally
be bridged out of the node. Can be specified multiple
times.
forward_bridge_interface = ['all']
(MultiStrOpt) An interface that bridges can forward
to. If this is set to all then all traffic will be
forwarded. Can be specified multiple times.
gateway = None
(StrOpt) Default IPv4 gateway
injected_network_template = $pybasedir/nova/virt/interfaces.template
(StrOpt) Template file for injected network
instance_dns_domain =
(StrOpt) Full class name for the DNS Zone for
instance IPs
instance_dns_manager = nova.network.noop_dns_driver.NoopDNSDriver
(StrOpt) Full class name for the DNS Manager for
instance IPs
iptables_bottom_regex =
(StrOpt) Regular expression to match the iptables
rule that should always be on the bottom.
iptables_drop_action = DROP
(StrOpt) The table that iptables jumps to when a
packet is to be dropped.
iptables_top_regex =
(StrOpt) Regular expression to match the iptables
rule that should always be on the top.
l3_lib = nova.network.l3.LinuxNetL3
(StrOpt) Indicates underlying L3 management
library
linuxnet_interface_driver = nova.network.linux_net.LinuxBridgeInterfaceDriver
(StrOpt) Driver used to create ethernet devices.
linuxnet_ovs_integration_bridge = br-int
(StrOpt) Name of Open vSwitch bridge used with
linuxnet
multi_host = False
(BoolOpt) Default value for multi_host in networks.
Also, if set, some rpc network calls will be sent
directly to host.
network_allocate_retries = 0
(IntOpt) Number of times to retry network allocation
on failures
network_api_class = nova.network.api.API
(StrOpt) The full class name of the network API
class to use
network_device_mtu = None
(IntOpt) DEPRECATED: THIS VALUE SHOULD BE
SET WHEN CREATING THE NETWORK. MTU setting
for network interface.
network_driver = nova.network.linux_net
(StrOpt) Driver to use for network creation
network_manager = nova.network.manager.VlanManager
(StrOpt) Full class name for the Manager for
network
network_size = 256
(IntOpt) Number of addresses in each private subnet
network_topic = network
(StrOpt) The topic network nodes listen on
networks_path = $state_path/networks
(StrOpt) Location to keep network config files
num_networks = 1
(IntOpt) Number of networks to support
ovs_vsctl_timeout = 120
(IntOpt) Amount of time, in seconds, that ovs_vsctl
should wait for a response from the database. 0 is to
wait forever.
public_interface = eth0
(StrOpt) Interface for public IP addresses
routing_source_ip = $my_ip
(StrOpt) Public IP of network host
security_group_api = nova
(StrOpt) The full class name of the security API class
send_arp_for_ha = False
(BoolOpt) Send gratuitous ARPs for HA setup
send_arp_for_ha_count = 3
(IntOpt) Send this many gratuitous ARPs for HA
setup
share_dhcp_address = False
(BoolOpt) DEPRECATED: THIS VALUE SHOULD BE
SET WHEN CREATING THE NETWORK. If True in
multi_host mode, all compute hosts share the same
dhcp address. The same IP address used for DHCP
will be added on each nova-network node which is
only visible to the vms on the same host.
teardown_unused_network_gateway = False
(BoolOpt) If True, unused gateway devices (VLAN
and bridge) are deleted in VLAN network mode with
multi hosted networks
update_dns_entries = False
(BoolOpt) If True, when a DNS entry must be
updated, it sends a fanout cast to all network hosts
to update their DNS entries in multi host mode
use_network_dns_servers = False
(BoolOpt) If set, uses the dns1 and dns2 from the
network ref. as dns servers.
use_neutron_default_nets = False
(StrOpt) Control for checking for default networks
use_single_default_gateway = False
(BoolOpt) Use single default gateway. Only first nic
of vm will get default gateway from dhcp server
vlan_interface = None
(StrOpt) VLANs will bridge into this interface if set
vlan_start = 100
(IntOpt) First VLAN for private networks
[vmware]
vlan_interface = vmnic0
(StrOpt) Physical ethernet adapter name for vlan
networking
Table 3.38. Description of neutron configuration options
Configuration option = Default value
Description
[DEFAULT]
neutron_default_tenant_id = default
(StrOpt) Default tenant id when creating neutron
networks
[neutron]
admin_auth_url = http://localhost:5000/v2.0
(StrOpt) Authorization URL for connecting to
neutron in admin context. DEPRECATED: specify an
auth_plugin and appropriate credentials instead.
admin_password = None
(StrOpt) Password for connecting to neutron in
admin context DEPRECATED: specify an auth_plugin
and appropriate credentials instead.
admin_tenant_id = None
(StrOpt) Tenant id for connecting to neutron in
admin context DEPRECATED: specify an auth_plugin
and appropriate credentials instead.
admin_tenant_name = None
(StrOpt) Tenant name for connecting to neutron in
admin context. This option will be ignored if
neutron_admin_tenant_id is set. Note that with
Keystone V3 tenant names are only unique within a
domain. DEPRECATED: specify an auth_plugin and
appropriate credentials instead.
admin_user_id = None
(StrOpt) User id for connecting to neutron in admin
context. DEPRECATED: specify an auth_plugin and
appropriate credentials instead.
admin_username = None
(StrOpt) Username for connecting to neutron in
admin context DEPRECATED: specify an auth_plugin
and appropriate credentials instead.
allow_duplicate_networks = False
(BoolOpt) DEPRECATED: Allow an instance to have
multiple vNICs attached to the same Neutron
network. This option is deprecated in the 2015.1
release and will be removed in the 2015.2 release
where the default behavior will be to always allow
multiple ports from the same network to be attached
to an instance.
auth_plugin = None
(StrOpt) Name of the plugin to load
auth_section = None
(StrOpt) Config Section from which to load plugin
specific options
auth_strategy = keystone
(StrOpt) Authorization strategy for connecting to
neutron in admin context. DEPRECATED: specify an
auth_plugin and appropriate credentials instead. If
an auth_plugin is specified strategy will be ignored.
cafile = None
(StrOpt) PEM encoded Certificate Authority to use
when verifying HTTPS connections.
certfile = None
(StrOpt) PEM encoded client certificate cert file
extension_sync_interval = 600
(IntOpt) Number of seconds before querying neutron
for extensions
insecure = False
(BoolOpt) Verify HTTPS connections.
keyfile = None
(StrOpt) PEM encoded client certificate key file
metadata_proxy_shared_secret =
(StrOpt) Shared secret to validate proxies Neutron
metadata requests
ovs_bridge = br-int
(StrOpt) Name of Integration Bridge used by Open
vSwitch
region_name = None
(StrOpt) Region name for connecting to neutron in
admin context
service_metadata_proxy = False
(BoolOpt) Set flag to indicate Neutron will proxy
metadata requests and resolve instance ids.
timeout = None
(IntOpt) Timeout value for http requests
url = http://127.0.0.1:9696
(StrOpt) URL for connecting to neutron
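An added example, not part of the Red Hat reference: a Python check that reads a nova.conf, falls back to the defaults documented above for the [glance], [libvirt] and [neutron] options when a value is absent, and reports settings that leave service-to-service traffic unencrypted or unverified. The sample files, host names, secret and the `audit` helper are constructed for illustration; treating `api_servers`, when set, as taking the place of `protocol` is an assumption.

```python
import configparser

# Defaults as documented in the option tables above ("" stands for None/empty).
DOC_DEFAULTS = {
    ("glance", "api_insecure"): "False",
    ("glance", "api_servers"): "",
    ("glance", "protocol"): "http",
    ("neutron", "insecure"): "False",
    ("neutron", "url"): "http://127.0.0.1:9696",
    ("neutron", "service_metadata_proxy"): "False",
    ("neutron", "metadata_proxy_shared_secret"): "",
    ("libvirt", "live_migration_uri"): "qemu+tcp://%s/system",
}

# Constructed sample inputs (host names and the secret are placeholders).
SAMPLE_WEAK = """
[DEFAULT]
dns_server = 192.0.2.10
dns_server = 192.0.2.11
[glance]
api_servers = https://glance1.example.org:9292,glance2.example.org:9292
api_insecure = true
[neutron]
url = https://neutron.example.org:9696
service_metadata_proxy = True
"""

SAMPLE_HARDENED = """
[glance]
api_servers = https://glance1.example.org:9292
[neutron]
url = https://neutron.example.org:9696
service_metadata_proxy = True
metadata_proxy_shared_secret = constructed-example-secret
[libvirt]
live_migration_uri = qemu+tls://%s/system
"""


def load(text):
    cfg = configparser.ConfigParser(
        default_section="__unused__",  # treat [DEFAULT] as an ordinary section
        strict=False,                  # MultiStrOpt options may be repeated
        interpolation=None,            # keep "%s" in URIs literal
    )
    cfg.read_string(text)
    return cfg


def effective(cfg, section, option):
    """Configured value, or the documented default when the option is absent."""
    if cfg.has_option(section, option):
        return cfg.get(section, option).strip()
    return DOC_DEFAULTS[(section, option)]


def is_true(value):
    return value.strip().lower() in ("true", "1", "yes", "on")


def audit(text):
    """Return [(section.option, reason), ...] for weak transport settings."""
    cfg = load(text)
    findings = []

    if is_true(effective(cfg, "glance", "api_insecure")):
        findings.append(("glance.api_insecure", "insecure SSL requests allowed"))

    # Assumption: host/port/protocol only apply while api_servers is unset.
    servers = [s.strip() for s in
               effective(cfg, "glance", "api_servers").split(",") if s.strip()]
    plain = [s for s in servers if not s.lower().startswith("https://")]
    if plain:
        findings.append(("glance.api_servers",
                         "no https:// prefix: " + ", ".join(plain)))
    elif not servers and effective(cfg, "glance", "protocol").lower() != "https":
        findings.append(("glance.protocol", "glance is reached over plain http"))

    # insecure = True turns HTTPS certificate verification off.
    if is_true(effective(cfg, "neutron", "insecure")):
        findings.append(("neutron.insecure", "HTTPS connections not verified"))
    if not effective(cfg, "neutron", "url").lower().startswith("https://"):
        findings.append(("neutron.url", "neutron is reached over plain http"))
    if (is_true(effective(cfg, "neutron", "service_metadata_proxy"))
            and not effective(cfg, "neutron", "metadata_proxy_shared_secret")):
        findings.append(("neutron.metadata_proxy_shared_secret",
                         "metadata proxying is on but no shared secret is set"))

    # The "+tcp" libvirt transport is an unencrypted TCP socket.
    scheme = effective(cfg, "libvirt", "live_migration_uri").split("://", 1)[0]
    if scheme.lower().endswith("+tcp"):
        findings.append(("libvirt.live_migration_uri",
                         "live migration connects over " + scheme))
    return findings


if __name__ == "__main__":
    print(audit(SAMPLE_WEAK))
```

An empty file is reported as well, because the documented defaults for `protocol`, `url` and `live_migration_uri` are all plain-text transports.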
Table 3.39. Description of oslo_middleware configuration options
Configuration option = Default value
Description
[oslo_middleware]
max_request_body_size = 114688
(IntOpt) The maximum body size for each request, in
bytes.
Table 3.40. Description of PCI configuration options
Configuration option = Default value
Description
[DEFAULT]
pci_alias = []
(MultiStrOpt) An alias for a PCI passthrough device
requirement. This allows users to specify the alias in
the extra_spec for a flavor, without needing to
repeat all the PCI property requirements. For
example: pci_alias = { "name": "QuicAssist",
"product_id": "0443", "vendor_id": "8086",
"device_type": "ACCEL" } defines an alias for the
Intel QuickAssist card. (multi valued)
pci_passthrough_whitelist = []
(MultiStrOpt) White list of PCI devices available to
VMs. For example: pci_passthrough_whitelist =
[{"vendor_id": "8086", "product_id": "0443"}]
Table 3.41. Description of periodic configuration options
Configuration option = Default value
Description
[DEFAULT]
periodic_enable = True
(BoolOpt) Enable periodic tasks
periodic_fuzzy_delay = 60
(IntOpt) Range of seconds to randomly delay when
starting the periodic task scheduler to reduce
stampeding. (Disable by setting to 0)
run_external_periodic_tasks = True
(BoolOpt) Some periodic tasks can be run in a
separate process. Should they run here?
Table 3.42. Description of policy configuration options
Configuration option = Default value
Description
[DEFAULT]
allow_instance_snapshots = True
(BoolOpt) Permit instance snapshot operations.
allow_migrate_to_same_host = False
(BoolOpt) Allow migrate machine to the same host.
Useful when testing in single-host environments.
allow_resize_to_same_host = False
(BoolOpt) Allow destination machine to match
source for resize. Useful when testing in single-host
environments.
max_age = 0
(IntOpt) Number of seconds between subsequent
usage refreshes. This defaults to 0(off) to avoid
additional load but it is useful to turn on to help
keep quota usage up to date and reduce the impact
of out of sync usage issues. Note that quotas are not
updated on a periodic task, they will update on a
new reservation if max_age has passed since the last
reservation
max_local_block_devices = 3
(IntOpt) Maximum number of devices that will result
in a local image being created on the hypervisor
node. Setting this to 0 means nova will allow only
boot from volume. A negative number means
unlimited.
osapi_compute_unique_server_name_scope =
(StrOpt) When set, compute API will consider
duplicate hostnames invalid within the specified
scope, regardless of case. Should be empty,
"project" or "global".
osapi_max_limit = 1000
(IntOpt) The maximum number of items returned in a
single response from a collection resource
password_length = 12
(IntOpt) Length of generated instance admin
passwords
policy_default_rule = default
(StrOpt) Default rule. Enforced when a requested
rule is not found.
policy_dirs = ['policy.d']
(MultiStrOpt) Directories where policy configuration
files are stored. They can be relative to any
directory in the search path defined by the
config_dir option, or absolute paths. The file defined
by policy_file must exist for these directories to be
searched. Missing or empty directories are ignored.
policy_file = policy.json
(StrOpt) The JSON file that defines policies.
reservation_expire = 86400
(IntOpt) Number of seconds until a reservation
expires
resize_fs_using_block_device = False
(BoolOpt) Attempt to resize the filesystem by
accessing the image over a block device. This is
done by the host and may not be necessary if the
image contains a recent version of cloud-init.
Possible mechanisms require the nbd driver (for
qcow and raw), or loop (for raw).
until_refresh = 0
(IntOpt) Count of reservations until usage is
refreshed. This defaults to 0(off) to avoid additional
load but it is useful to turn on to help keep quota
usage up to date and reduce the impact of out of
sync usage issues.
Table 3.43. Description of Quobyte USP volume driver configuration options
Configuration option = Default value
Description
[libvirt]
quobyte_client_cfg = None
(StrOpt) Path to a Quobyte Client configuration file.
quobyte_mount_point_base = $state_path/mnt
(StrOpt) Directory where the Quobyte volume is
mounted on the compute node
Table 3.44. Description of quota configuration options
Configuration option = Default value
Description
[DEFAULT]
bandwidth_poll_interval = 600
(IntOpt) Interval to pull network bandwidth usage
info. Not supported on all hypervisors. Set to -1 to
disable. Setting this to 0 will run at the default rate.
enable_network_quota = False
(BoolOpt) Enables or disables quota checking for
tenant networks
quota_cores = 20
(IntOpt) Number of instance cores allowed per
project
quota_driver = nova.quota.DbQuotaDriver
(StrOpt) Default driver to use for quota checks
quota_fixed_ips = -1
(IntOpt) Number of fixed IPs allowed per project
(this should be at least the number of instances
allowed)
quota_floating_ips = 10
(IntOpt) Number of floating IPs allowed per project
quota_injected_file_content_bytes = 10240
(IntOpt) Number of bytes allowed per injected file
quota_injected_file_path_length = 255
(IntOpt) Length of injected file path
quota_injected_files = 5
(IntOpt) Number of injected files allowed
quota_instances = 10
(IntOpt) Number of instances allowed per project
quota_key_pairs = 100
(IntOpt) Number of key pairs per user
quota_metadata_items = 128
(IntOpt) Number of metadata items allowed per
instance
quota_networks = 3
(IntOpt) Number of private networks allowed per
project
quota_ram = 51200
(IntOpt) Megabytes of instance RAM allowed per
project
quota_security_group_rules = 20
(IntOpt) Number of security rules per security group
quota_security_groups = 10
(IntOpt) Number of security groups per project
quota_server_group_members = 10
(IntOpt) Number of servers per server group
quota_server_groups = 10
(IntOpt) Number of server groups per project
[cells]
bandwidth_update_interval = 600
(IntOpt) Seconds between bandwidth updates for
cells.
Table 3.45. Description of RDP configuration options
Configuration option = Default value
Description
[rdp]
enabled = False
(BoolOpt) Enable RDP related features
html5_proxy_base_url = http://127.0.0.1:6083/
(StrOpt) Location of RDP html5 console proxy, in the
form "http://127.0.0.1:6083/"
Table 3.46. Description of Redis configuration options
Configuration option = Default value
Description
[matchmaker_redis]
host = 127.0.0.1
(StrOpt) Host to locate redis.
password = None
(StrOpt) Password for Redis server (optional).
port = 6379
(IntOpt) Use this port to connect to redis host.
[matchmaker_ring]
ringfile = /etc/oslo/matchmaker_ring.json
(StrOpt) Matchmaker ring file (JSON).
Table 3.47. Description of S3 configuration options
Configuration option = Default value
Description
[DEFAULT]
buckets_path = $state_path/buckets
(StrOpt) Path to S3 buckets
image_decryption_dir = /tmp
(StrOpt) Parent directory for tempdir used for image
decryption
s3_access_key = notchecked
(StrOpt) Access key to use for S3 server for images
s3_affix_tenant = False
(BoolOpt) Whether to affix the tenant id to the
access key when downloading from S3
s3_host = $my_ip
(StrOpt) Hostname or IP for OpenStack to use when
accessing the S3 api
s3_listen = 0.0.0.0
(StrOpt) IP address for S3 API to listen
s3_listen_port = 3333
(IntOpt) Port for S3 API to listen
s3_port = 3333
(IntOpt) Port used when accessing the S3 api
s3_secret_key = notchecked
(StrOpt) Secret key to use for S3 server for images
s3_use_ssl = False
(BoolOpt) Whether to use SSL when talking to S3
Table 3.48. Description of scheduler configuration options
Configuration option = Default value
Description
[DEFAULT]
aggregate_image_properties_isolation_namespace = None
(StrOpt) Force the filter to consider only keys
matching the given namespace.
aggregate_image_properties_isolation_separator = .
(StrOpt) The separator used between the
namespace and keys
baremetal_scheduler_default_filters = RetryFilter, AvailabilityZoneFilter, ComputeFilter, ComputeCapabilitiesFilter, ImagePropertiesFilter, ExactRamFilter, ExactDiskFilter, ExactCoreFilter
(ListOpt) Which filter class names to use for filtering
baremetal hosts when not specified in the request.
cpu_allocation_ratio = 16.0
(FloatOpt) Virtual CPU to physical CPU allocation
ratio which affects all CPU filters. This configuration
specifies a global ratio for CoreFilter. For
AggregateCoreFilter, it will fall back to this
configuration value if no per-aggregate setting
found.
disk_allocation_ratio = 1.0
(FloatOpt) Virtual disk to physical disk allocation
ratio
io_ops_weight_multiplier = -1.0
(FloatOpt) Multiplier used for weighing host io ops.
Negative numbers mean a preference to choose
light workload compute hosts.
isolated_hosts =
(ListOpt) Host reserved for specific images
isolated_images =
(ListOpt) Images to run on isolated host
max_instances_per_host = 50
(IntOpt) Ignore hosts that have too many instances
max_io_ops_per_host = 8
(IntOpt) Tells filters to ignore hosts that have this
many or more instances currently in build, resize,
snapshot, migrate, rescue or unshelve task states
ram_allocation_ratio = 1.5
(FloatOpt) Virtual ram to physical ram allocation
ratio which affects all ram filters. This configuration
specifies a global ratio for RamFilter. For
AggregateRamFilter, it will fall back to this
configuration value if no per-aggregate setting
found.
ram_weight_multiplier = 1.0
(FloatOpt) Multiplier used for weighing ram.
Negative numbers mean to stack vs spread.
reserved_host_disk_mb = 0
(IntOpt) Amount of disk in MB to reserve for the host
reserved_host_memory_mb = 512
(IntOpt) Amount of memory in MB to reserve for the
host
restrict_isolated_hosts_to_isolated_images = True
(BoolOpt) Whether to force isolated hosts to run
only isolated images
scheduler_available_filters = ['nova.scheduler.filters.all_filters']
(MultiStrOpt) Filter classes available to the
scheduler which may be specified more than once.
An entry of "nova.scheduler.filters.all_filters" maps
to all filters included with nova.
scheduler_default_filters = RetryFilter, AvailabilityZoneFilter, RamFilter, ComputeFilter, ComputeCapabilitiesFilter, ImagePropertiesFilter, ServerGroupAntiAffinityFilter, ServerGroupAffinityFilter
(ListOpt) Which filter class names to use for filtering
hosts when not specified in the request.
scheduler_driver = nova.scheduler.filter_scheduler.FilterScheduler
(StrOpt) Default driver to use for the scheduler
scheduler_driver_task_period = 60
(IntOpt) How often (in seconds) to run periodic tasks
in the scheduler driver of your choice. Note this is
likely to interact with the value of
service_down_time, but exactly how they interact
will depend on your choice of scheduler driver.
scheduler_host_manager = nova.scheduler.host_manager.HostManager
(StrOpt) The scheduler host manager class to use
scheduler_host_subset_size = 1
(IntOpt) New instances will be scheduled on a host
chosen randomly from a subset of the N best hosts.
This property defines the subset size that a host is
chosen from. A value of 1 chooses the first host
returned by the weighing functions. This value must
be at least 1. Any value less than 1 will be ignored,
and 1 will be used instead
scheduler_instance_sync_interval = 120
(IntOpt) Waiting time interval (seconds) between
sending the scheduler a list of current instance
UUIDs to verify that its view of instances is in sync
with nova. If the CONF option
`scheduler_tracks_instance_changes` is False,
changing this option will have no effect.
scheduler_json_config_location =
(StrOpt) Absolute path to scheduler configuration
JSON file.
scheduler_manager = nova.scheduler.manager.SchedulerManager
(StrOpt) Full class name for the Manager for
scheduler
scheduler_max_attempts = 3
(IntOpt) Maximum number of attempts to schedule
an instance
scheduler_topic = scheduler
(StrOpt) The topic scheduler nodes listen on
scheduler_tracks_instance_changes = True
(BoolOpt) Determines if the Scheduler tracks
changes to instances to help with its filtering
decisions.
scheduler_use_baremetal_filters = False
(BoolOpt) Flag to decide whether to use
baremetal_scheduler_default_filters or not.
scheduler_weight_classes = nova.scheduler.weights.all_weighers
(ListOpt) Which weight class names to use for
weighing hosts
[cells]
ram_weight_multiplier = 10.0
(FloatOpt) Multiplier used for weighing ram.
Negative numbers mean to stack vs spread.
scheduler_filter_classes = nova.cells.filters.all_filters
(ListOpt) Filter classes the cells scheduler should
use. An entry of "nova.cells.filters.all_filters" maps
to all cells filters included with nova.
scheduler_retries = 10
(IntOpt) How many retries when no cells are
available.
scheduler_retry_delay = 2
(IntOpt) How often to retry in seconds when no cells
are available.
scheduler_weight_classes = nova.cells.weights.all_weighers
(ListOpt) Weigher classes the cells scheduler should
use. An entry of "nova.cells.weights.all_weighers"
maps to all cell weighers included with nova.
[metrics]
required = True
(BoolOpt) How to treat the unavailable metrics.
When a metric is NOT available for a host, if it is set
to be True, it would raise an exception, so it is
recommended to use the scheduler filter
MetricFilter to filter out those hosts. If it is set to be
False, the unavailable metric would be treated as a
negative factor in weighing process, the returned
value would be set by the option
weight_of_unavailable.
weight_multiplier = 1.0
(FloatOpt) Multiplier used for weighing metrics.
weight_of_unavailable = -10000.0
(FloatOpt) The final weight value to be returned if
required is set to False and any one of the metrics
set by weight_setting is unavailable.
weight_setting =
(ListOpt) How the metrics are going to be weighed.
This should be in the form of "<name1>=<ratio1>,
<name2>=<ratio2>, ...", where <nameX> is one of
the metrics to be weighed, and <ratioX> is the
corresponding ratio. So for "name1=1.0, name2=-1.0"
the final weight would be name1.value * 1.0 +
name2.value * -1.0.
Table 3.49. Description of serial console configuration options
Configuration option = Default value
Description
[serial_console]
base_url = ws://127.0.0.1:6083/
(StrOpt) Location of serial console proxy.
enabled = False
(BoolOpt) Enable serial console related features
listen = 127.0.0.1
(StrOpt) IP address on which instance serial console
should listen
port_range = 10000:20000
(StrOpt) Range of TCP ports to use for serial ports
on compute hosts
proxyclient_address = 127.0.0.1
(StrOpt) The address to which proxy clients (like
nova-serialproxy) should connect
serialproxy_host = 0.0.0.0
(StrOpt) Host on which to listen for incoming
requests
serialproxy_port = 6083
(IntOpt) Port on which to listen for incoming
requests
Table 3.50. Description of SPICE configuration options
Configuration option = Default value
Description
[spice]
agent_enabled = True
(BoolOpt) Enable spice guest agent support
enabled = False
(BoolOpt) Enable spice related features
html5proxy_base_url = http://127.0.0.1:6082/spice_auto.html
(StrOpt) Location of spice HTML5 console proxy, in
the form "http://127.0.0.1:6082/spice_auto.html"
html5proxy_host = 0.0.0.0
(StrOpt) Host on which to listen for incoming
requests
html5proxy_port = 6082
(IntOpt) Port on which to listen for incoming
requests
keymap = en-us
(StrOpt) Keymap for spice
server_listen = 127.0.0.1
(StrOpt) IP address on which instance spice server
should listen
server_proxyclient_address = 127.0.0.1
(StrOpt) The address to which proxy clients (like
nova-spicehtml5proxy) should connect
Table 3.51. Description of testing configuration options
Configuration option = Default value
Description
[DEFAULT]
fake_call = False
(BoolOpt) If True, skip using the queue and make
local calls
fake_network = False
(BoolOpt) If passed, use fake network devices and
addresses
monkey_patch = False
(BoolOpt) Whether to log monkey patching
monkey_patch_modules = nova.api.ec2.cloud:nova.notifications.notify_decorator, nova.compute.api:nova.notifications.notify_decorator
(ListOpt) List of modules/decorators to monkey
patch
Table 3.52. Description of trusted computing configuration options
Configuration option = Default value
Description
[trusted_computing]
attestation_api_url = /OpenAttestationWebServices/V1.0
(StrOpt) Attestation web API URL
attestation_auth_blob = None
(StrOpt) Attestation authorization blob - must
change
attestation_auth_timeout = 60
(IntOpt) Attestation status cache valid period length
attestation_insecure_ssl = False
(BoolOpt) Disable SSL cert verification for
Attestation service
attestation_port = 8443
(StrOpt) Attestation server port
attestation_server = None
(StrOpt) Attestation server HTTP
attestation_server_ca_file = None
(StrOpt) Attestation server Cert file for Identity
verification
Table 3.53. Description of upgrade levels configuration options
Configuration option = Default value
Description
[cells]
scheduler = nova.cells.scheduler.CellsScheduler
(StrOpt) Cells scheduler to use
[upgrade_levels]
cells = None
(StrOpt) Set a version cap for messages sent to
local cells services
cert = None
(StrOpt) Set a version cap for messages sent to cert
services
compute = None
(StrOpt) Set a version cap for messages sent to
compute services. If you plan to do a live upgrade
from havana to icehouse, you should set this option
to "icehouse-compat" before beginning the live
upgrade procedure.
conductor = None
(StrOpt) Set a version cap for messages sent to
conductor services
console = None
(StrOpt) Set a version cap for messages sent to
console services
consoleauth = None
(StrOpt) Set a version cap for messages sent to
consoleauth services
intercell = None
(StrOpt) Set a version cap for messages sent
between cells services
network = None
(StrOpt) Set a version cap for messages sent to
network services
scheduler = None
(StrOpt) Set a version cap for messages sent to
scheduler services
Table 3.54. Description of VMware configuration options
Configuration option = Default value
Description
[vmware]
api_retry_count = 10
(IntOpt) The number of times to retry on failures,
e.g., socket error, etc.
cache_prefix = None
(StrOpt) The prefix for where cached images are
stored. This is NOT the full path - only a folder
prefix. This should only be used when a datastore
cache should be shared between compute nodes.
Note: this should only be used when the compute
nodes have a shared file system.
cluster_name = None
(MultiStrOpt) Name of a VMware Cluster
ComputeResource.
datastore_regex = None
(StrOpt) Regex to match the name of a datastore.
host_ip = None
(StrOpt) Hostname or IP address for connection to
VMware VC host.
host_password = None
(StrOpt) Password for connection to VMware VC
host.
host_port = 443
(IntOpt) Port for connection to VMware VC host.
host_username = None
(StrOpt) Username for connection to VMware VC
host.
integration_bridge = br-int
(StrOpt) Name of Integration Bridge
maximum_objects = 100
(IntOpt) The maximum number of ObjectContent
data objects that should be returned in a single
result. A positive value will cause the operation to
suspend the retrieval when the count of objects
reaches the specified maximum. The server may still
limit the count to something less than the
configured value. Any remaining objects may be
retrieved with additional requests.
pbm_default_policy = None
(StrOpt) The PBM default policy. If
pbm_wsdl_location is set and there is no defined
storage policy for the specific request then this
policy will be used.
pbm_enabled = False
(BoolOpt) The PBM status.
pbm_wsdl_location = None
(StrOpt) PBM service WSDL file location URL, e.g.
file:///opt/SDK/spbm/wsdl/pbmService.wsdl. Not
setting this will disable storage policy based
placement of instances.
task_poll_interval = 0.5
(FloatOpt) The interval used for polling of remote
tasks.
use_linked_clone = True
(BoolOpt) Whether to use linked clone
wsdl_location = None
(StrOpt) Optional VIM Service WSDL location, e.g.
http://<server>/vimService.wsdl. Optional override
to default location for bug work-arounds
Table 3.55. Description of VNC configuration options
Configuration option = Default value
Description
[DEFAULT]
daemon = False
(BoolOpt) Become a daemon (background process)
key = None
(StrOpt) SSL key file (if separate from cert)
novncproxy_base_url = http://127.0.0.1:6080/vnc_auto.html
(StrOpt) Location of VNC console proxy, in the form
"http://127.0.0.1:6080/vnc_auto.html"
novncproxy_host = 0.0.0.0
(StrOpt) Host on which to listen for incoming
requests
novncproxy_port = 6080
(IntOpt) Port on which to listen for incoming
requests
record = False
(BoolOpt) Record sessions to FILE.[session_number]
source_is_ipv6 = False
(BoolOpt) Source is ipv6
ssl_only = False
(BoolOpt) Disallow non-encrypted connections
vnc_enabled = True
(BoolOpt) Enable VNC related features
vnc_keymap = en-us
(StrOpt) Keymap for VNC
vncserver_listen = 127.0.0.1
(StrOpt) IP address on which instance vncservers
should listen
vncserver_proxyclient_address = 127.0.0.1
(StrOpt) The address to which proxy clients (like
nova-xvpvncproxy) should connect
web = /usr/share/spice-html5
(StrOpt) Run webserver on same port. Serve files
from DIR.
[vmware]
vnc_port = 5900
(IntOpt) VNC starting port
vnc_port_total = 10000
(IntOpt) Total number of VNC ports
Table 3.56. Description of volumes configuration options
Configuration option = Default value
Description
[DEFAULT]
block_device_allocate_retries = 60
(IntOpt) Number of times to retry block device
allocation on failures
block_device_allocate_retries_interval = 3
(IntOpt) Waiting time interval (seconds) between
block device allocation retries on failures
my_block_storage_ip = $my_ip
(StrOpt) Block storage IP address of this host
volume_api_class = nova.volume.cinder.API
(StrOpt) The full class name of the volume API class
to use
volume_usage_poll_interval = 0
(IntOpt) Interval in seconds for gathering volume
usages
[cinder]
cafile = None
(StrOpt) PEM encoded Certificate Authority to use
when verifying HTTPs connections.
catalog_info = volumev2:cinderv2:publicURL
(StrOpt) Info to match when looking for cinder in the
service catalog. Format is: separated values of the
form: <service_type>:<service_name>:<endpoint_type>
certfile = None
(StrOpt) PEM encoded client certificate cert file
cross_az_attach = True
(BoolOpt) Allow attach between instance and
volume in different availability zones.
endpoint_template = None
(StrOpt) Override service catalog lookup with
template for cinder endpoint e.g.
http://localhost:8776/v1/%(project_id)s
http_retries = 3
(IntOpt) Number of cinderclient retries on failed http
calls
insecure = False
(BoolOpt) Verify HTTPS connections.
keyfile = None
(StrOpt) PEM encoded client certificate key file
os_region_name = None
(StrOpt) Region name of this node
timeout = None
(IntOpt) Timeout value for http requests
[hyperv]
force_volumeutils_v1 = False
(BoolOpt) Force V1 volume utility class
volume_attach_retry_count = 10
(IntOpt) The number of times to retry to attach a
volume
volume_attach_retry_interval = 5
(IntOpt) Interval between volume attachment
attempts, in seconds
[libvirt]
glusterfs_mount_point_base = $state_path/mnt
(StrOpt) Directory where the glusterfs volume is
mounted on the compute node
nfs_mount_options = None
(StrOpt) Mount options passed to the NFS client.
See section of the nfs man page for details
nfs_mount_point_base = $state_path/mnt
(StrOpt) Directory where the NFS volume is
mounted on the compute node
num_aoe_discover_tries = 3
(IntOpt) Number of times to rediscover AoE target
to find volume
num_iscsi_scan_tries = 5
(IntOpt) Number of times to rescan iSCSI target to
find volume
num_iser_scan_tries = 5
(IntOpt) Number of times to rescan iSER target to
find volume
qemu_allowed_storage_drivers =
(ListOpt) Protocols listed here will be accessed
directly from QEMU. Currently supported protocols: [gluster]
rbd_secret_uuid = None
(StrOpt) The libvirt UUID of the secret for the
rbd_user volumes
rbd_user = None
(StrOpt) The RADOS client name for accessing rbd
volumes
scality_sofs_config = None
(StrOpt) Path or URL to Scality SOFS configuration
file
scality_sofs_mount_point = $state_path/scality
(StrOpt) Base dir where Scality SOFS shall be
mounted
smbfs_mount_options =
(StrOpt) Mount options passed to the SMBFS client.
See mount.cifs man page for details. Note that the
libvirt-qemu uid and gid must be specified.
smbfs_mount_point_base = $state_path/mnt
(StrOpt) Directory where the SMBFS shares are
mounted on the compute node
[xenserver]
block_device_creation_timeout = 10
(IntOpt) Time to wait for a block device to be
created
Table 3.57. Description of VPN configuration options
Configuration option = Default value
Description
[DEFAULT]
boot_script_template = $pybasedir/nova/cloudpipe/bootscript.template
(StrOpt) Template for cloudpipe instance boot script
dmz_cidr =
(ListOpt) A list of dmz ranges that should be
accepted
dmz_mask = 255.255.255.0
(StrOpt) Netmask to push into openvpn config
dmz_net = 10.0.0.0
(StrOpt) Network to push into openvpn config
vpn_flavor = m1.tiny
(StrOpt) Flavor for vpn instances
vpn_image_id = 0
(StrOpt) Image ID used when starting up a cloudpipe
vpn server
vpn_ip = $my_ip
(StrOpt) Public IP for the cloudpipe VPN servers
vpn_key_suffix = -vpn
(StrOpt) Suffix to add to project name for vpn key
and secgroups
vpn_start = 1000
(IntOpt) First Vpn port for private networks
Table 3.58. Description of Xen configuration options
Configuration option = Default value
Description
[DEFAULT]
console_driver = nova.console.xvp.XVPConsoleProxy
(StrOpt) Driver to use for the console proxy
console_xvp_conf = /etc/xvp.conf
(StrOpt) Generated XVP conf file
console_xvp_conf_template = $pybasedir/nova/console/xvp.conf.template
(StrOpt) XVP conf template
console_xvp_log = /var/log/xvp.log
(StrOpt) XVP log file
console_xvp_multiplex_port = 5900
(IntOpt) Port for XVP to multiplex VNC connections
on
console_xvp_pid = /var/run/xvp.pid
(StrOpt) XVP master process pid file
stub_compute = False
(BoolOpt) Stub calls to compute worker for tests
[libvirt]
xen_hvmloader_path = /usr/lib/xen/boot/hvmloader
(StrOpt) Location where the Xen hvmloader is kept
[xenserver]
agent_path = usr/sbin/xe-update-networking
(StrOpt) Specifies the path in which the XenAPI
guest agent should be located. If the agent is
present, network configuration is not injected into
the image. Used if
compute_driver=xenapi.XenAPIDriver and
flat_injected=True
agent_resetnetwork_timeout = 60
(IntOpt) Number of seconds to wait for agent reply
to resetnetwork request
agent_timeout = 30
(IntOpt) Number of seconds to wait for agent reply
agent_version_timeout = 300
(IntOpt) Number of seconds to wait for agent to be
fully operational
cache_images = all
(StrOpt) Cache glance images locally. `all` will cache
all images, `some` will only cache images that have
the image_property `cache_in_nova=True`, and
`none` turns off caching entirely
check_host = True
(BoolOpt) Ensure compute service is running on
host XenAPI connects to.
connection_concurrent = 5
(IntOpt) Maximum number of concurrent XenAPI
connections. Used only if
compute_driver=xenapi.XenAPIDriver
connection_password = None
(StrOpt) Password for connection to XenServer/Xen
Cloud Platform. Used only if
compute_driver=xenapi.XenAPIDriver
connection_url = None
(StrOpt) URL for connection to XenServer/Xen
Cloud Platform. A special value of unix://local can be
used to connect to the local unix socket. Required if
compute_driver=xenapi.XenAPIDriver
connection_username = root
(StrOpt) Username for connection to
XenServer/Xen Cloud Platform. Used only if
compute_driver=xenapi.XenAPIDriver
default_os_type = linux
(StrOpt) Default OS type
disable_agent = False
(BoolOpt) Disables the use of the XenAPI agent in
any image regardless of what image properties are
present.
image_compression_level = None
(IntOpt) Compression level for images, e.g., 9 for gzip
-9. Range is 1-9, 9 being most compressed but most
CPU intensive on dom0.
image_upload_handler = nova.virt.xenapi.image.glance.GlanceStore
(StrOpt) Dom0 plugin driver used to handle image
uploads.
introduce_vdi_retry_wait = 20
(IntOpt) Number of seconds to wait for an SR to
settle if the VDI does not exist when first introduced
ipxe_boot_menu_url = None
(StrOpt) URL to the iPXE boot menu
ipxe_mkisofs_cmd = mkisofs
(StrOpt) Name and optionally path of the tool used
for ISO image creation
ipxe_network_name = None
(StrOpt) Name of network to use for booting iPXE
ISOs
iqn_prefix = iqn.2010-10.org.openstack
(StrOpt) IQN Prefix
login_timeout = 10
(IntOpt) Timeout in seconds for XenAPI login.
max_kernel_ramdisk_size = 16777216
(IntOpt) Maximum size in bytes of kernel or ramdisk
images
num_vbd_unplug_retries = 10
(IntOpt) Maximum number of retries to unplug VBD.
if <=0, should try once and no retry
ovs_integration_bridge = xapi1
(StrOpt) Name of Integration Bridge used by Open
vSwitch
remap_vbd_dev = False
(BoolOpt) Used to enable the remapping of VBD dev
remap_vbd_dev_prefix = sd
(StrOpt) Specify prefix to remap VBD dev to (ex.
/dev/xvdb -> /dev/sdb)
running_timeout = 60
(IntOpt) Number of seconds to wait for instance to
go to running state
sparse_copy = True
(BoolOpt) Whether to use sparse_copy for copying
data on a resize down (False will use standard dd).
This speeds up resizes down considerably since
large runs of zeros will not have to be rsynced
sr_base_path = /var/run/sr-mount
(StrOpt) Base path to the storage repository
sr_matching_filter = default-sr:true
(StrOpt) Filter for finding the SR to be used to install
guest instances on. To use the Local Storage in
default XenServer/XCP installations set this flag to
other-config:i18n-key=local-storage. To select an
SR with a different matching criteria, you could set it
to other-config:my_favorite_sr=true. On the other
hand, to fall back on the Default SR, as displayed by
XenCenter, set this flag to: default-sr:true
target_host = None
(StrOpt) The iSCSI Target Host
target_port = 3260
(StrOpt) The iSCSI Target Port, default is port 3260
torrent_base_url = None
(StrOpt) Base URL for torrent files.
torrent_download_stall_cutoff = 600
(IntOpt) Number of seconds a download can remain
at the same progress percentage w/o being
considered a stall
torrent_images = none
(StrOpt) Whether or not to download images via Bit
Torrent (all|some|none).
torrent_listen_port_end = 6891
(IntOpt) End of port range to listen on
torrent_listen_port_start = 6881
(IntOpt) Beginning of port range to listen on
torrent_max_last_accessed = 86400
(IntOpt) Cached torrent files not accessed within
this number of seconds can be reaped
torrent_max_seeder_processes_per_host = 1
(IntOpt) Maximum number of seeder processes to
run concurrently within a given dom0. (-1 = no limit)
torrent_seed_chance = 1.0
(FloatOpt) Probability that peer will become a
seeder. (1.0 = 100%)
torrent_seed_duration = 3600
(IntOpt) Number of seconds after downloading an
image via BitTorrent that it should be seeded for
other peers.
use_agent_default = False
(BoolOpt) Determines if the XenAPI agent should be
used when the image used does not contain a hint to
declare if the agent is present or not. The hint is a
glance property "xenapi_use_agent" that has the
value "True" or "False". Note that waiting for the
agent when it is not present will significantly
increase server boot times.
use_join_force = True
(BoolOpt) To use for hosts with different CPUs
vhd_coalesce_max_attempts = 20
(IntOpt) Max number of times to poll for VHD to
coalesce. Used only if
compute_driver=xenapi.XenAPIDriver
vhd_coalesce_poll_interval = 5.0
(FloatOpt) The interval used for polling of coalescing
vhds. Used only if
compute_driver=xenapi.XenAPIDriver
vif_driver = nova.virt.xenapi.vif.XenAPIBridgeDriver
(StrOpt) The XenAPI VIF driver using XenServer
Network APIs.
Table 3.59. Description of XCP VNC proxy configuration options
Configuration option = Default value
Description
[DEFAULT]
xvpvncproxy_base_url = http://127.0.0.1:6081/console
(StrOpt) Location of nova xvp VNC console proxy, in
the form "http://127.0.0.1:6081/console"
xvpvncproxy_host = 0.0.0.0
(StrOpt) Address that the XCP VNC proxy should
bind to
xvpvncproxy_port = 6081
(IntOpt) Port that the XCP VNC proxy should bind to
Table 3.60. Description of Zookeeper configuration options
Configuration option = Default value
Description
[zookeeper]
address = None
(StrOpt) The ZooKeeper addresses for servicegroup
service in the format of
host1:port,host2:port,host3:port
recv_timeout = 4000
(IntOpt) The recv_timeout parameter for the zk
session
sg_prefix = /servicegroups
(StrOpt) The prefix used in ZooKeeper to store
ephemeral nodes
sg_retry_interval = 5
(IntOpt) Number of seconds to wait until retrying to
join the session
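The console, attestation and [cinder] options in the tables above decide which listeners are reachable and which TLS connections are verified. The following check is an added example, not part of this reference or of nova: it reads a nova.conf with Python's configparser (an assumption; nova itself uses oslo.config), falls back to the defaults documented above, and the sample file and the choice of checks are constructed for illustration.

```python
import configparser

# Constructed nova.conf fragment; option names come from the tables above,
# the values are made up for this example.
SAMPLE_NOVA_CONF = """
[DEFAULT]
vnc_enabled = True
novncproxy_host = 0.0.0.0
vncserver_listen = 0.0.0.0

[serial_console]
enabled = True
base_url = ws://203.0.113.10:6083/

[trusted_computing]
attestation_server = attest.example.test
attestation_insecure_ssl = True

[cinder]
insecure = True
"""

# Defaults as documented in the tables above (None = no default value).
DEFAULTS = {
    ("DEFAULT", "vnc_enabled"): "True",
    ("DEFAULT", "ssl_only"): "False",
    ("DEFAULT", "vncserver_listen"): "127.0.0.1",
    ("spice", "enabled"): "False",
    ("spice", "server_listen"): "127.0.0.1",
    ("serial_console", "enabled"): "False",
    ("serial_console", "listen"): "127.0.0.1",
    ("serial_console", "base_url"): "ws://127.0.0.1:6083/",
    ("trusted_computing", "attestation_server"): None,
    ("trusted_computing", "attestation_insecure_ssl"): "False",
    ("cinder", "insecure"): "False",
}
WILDCARD_ADDRESSES = {"0.0.0.0", "::"}


def load(text):
    # Rename configparser's magic default section so that [DEFAULT] is read as
    # an ordinary section and its keys do not leak into [cinder], [spice], ...
    parser = configparser.ConfigParser(
        default_section="__unused__", interpolation=None, strict=False)
    parser.read_string(text)
    return parser


def value(parser, section, option):
    """Configured value, or the documented default when the option is unset."""
    if parser.has_section(section) and parser.has_option(section, option):
        return parser.get(section, option).strip()
    return DEFAULTS[(section, option)]


def is_true(raw):
    return str(raw).strip().lower() in {"true", "1", "yes", "on"}


def audit(text):
    """Return (section.option, reason) findings for the text of a nova.conf."""
    conf = load(text)
    findings = []

    if is_true(value(conf, "DEFAULT", "vnc_enabled")) and \
            not is_true(value(conf, "DEFAULT", "ssl_only")):
        findings.append(("DEFAULT.ssl_only",
                         "VNC proxy accepts non-encrypted connections"))

    # Per-instance console servers on the compute host: loopback by default.
    consoles = [
        ("DEFAULT", "vnc_enabled", "vncserver_listen"),
        ("spice", "enabled", "server_listen"),
        ("serial_console", "enabled", "listen"),
    ]
    for section, switch, listen in consoles:
        if is_true(value(conf, section, switch)) and \
                value(conf, section, listen) in WILDCARD_ADDRESSES:
            findings.append((f"{section}.{listen}",
                             "instance consoles listen on every interface"))

    if is_true(value(conf, "serial_console", "enabled")) and \
            value(conf, "serial_console", "base_url").lower().startswith("ws://"):
        findings.append(("serial_console.base_url",
                         "serial console URL uses plain ws:// instead of wss://"))

    # Only relevant when an attestation server is configured at all.
    if value(conf, "trusted_computing", "attestation_server") and \
            is_true(value(conf, "trusted_computing", "attestation_insecure_ssl")):
        findings.append(("trusted_computing.attestation_insecure_ssl",
                         "certificate verification disabled for attestation"))

    # insecure = True switches certificate verification off for cinder calls.
    if is_true(value(conf, "cinder", "insecure")):
        findings.append(("cinder.insecure",
                         "HTTPS certificates are not verified for cinder"))
    return findings


if __name__ == "__main__":
    for key, reason in audit(SAMPLE_NOVA_CONF):
        print(f"{key}: {reason}")
```

An empty file still reports DEFAULT.ssl_only, because with the documented defaults VNC is enabled and ssl_only is False.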
3.17.2. Additional sample configuration files
Files in this section can be found in /etc/nova.
3.17.2.1. api-paste.ini
The Compute service stores its API configuration settings in the api-paste.ini file.
############
# Metadata #
############
[composite:metadata]
use = egg:Paste#urlmap
/: meta
[pipeline:meta]
pipeline = ec2faultwrap logrequest metaapp
[app:metaapp]
paste.app_factory = nova.api.metadata.handler:MetadataRequestHandler.factory
#######
# EC2 #
#######
[composite:ec2]
use = egg:Paste#urlmap
/: ec2cloud
[composite:ec2cloud]
use = call:nova.api.auth:pipeline_factory
noauth = ec2faultwrap logrequest ec2noauth cloudrequest validator ec2executor
noauth2 = ec2faultwrap logrequest ec2noauth cloudrequest validator ec2executor
keystone = ec2faultwrap logrequest ec2keystoneauth cloudrequest validator ec2executor
[filter:ec2faultwrap]
paste.filter_factory = nova.api.ec2:FaultWrapper.factory
[filter:logrequest]
paste.filter_factory = nova.api.ec2:RequestLogging.factory
[filter:ec2lockout]
paste.filter_factory = nova.api.ec2:Lockout.factory
[filter:ec2keystoneauth]
paste.filter_factory = nova.api.ec2:EC2KeystoneAuth.factory
[filter:ec2noauth]
paste.filter_factory = nova.api.ec2:NoAuth.factory
[filter:cloudrequest]
controller = nova.api.ec2.cloud.CloudController
paste.filter_factory = nova.api.ec2:Requestify.factory
[filter:authorizer]
paste.filter_factory = nova.api.ec2:Authorizer.factory
[filter:validator]
paste.filter_factory = nova.api.ec2:Validator.factory
[app:ec2executor]
paste.app_factory = nova.api.ec2:Executor.factory
#############
# OpenStack #
#############
[composite:osapi_compute]
use = call:nova.api.openstack.urlmap:urlmap_factory
/: oscomputeversions
/v1.1: openstack_compute_api_v2
/v2: openstack_compute_api_v2
/v2.1: openstack_compute_api_v21
/v3: openstack_compute_api_v3
[composite:openstack_compute_api_v2]
use = call:nova.api.auth:pipeline_factory
noauth = compute_req_id faultwrap sizelimit noauth ratelimit osapi_compute_app_v2
noauth2 = compute_req_id faultwrap sizelimit noauth2 ratelimit osapi_compute_app_v2
keystone = compute_req_id faultwrap sizelimit authtoken keystonecontext ratelimit osapi_compute_app_v2
keystone_nolimit = compute_req_id faultwrap sizelimit authtoken keystonecontext osapi_compute_app_v2
[composite:openstack_compute_api_v21]
use = call:nova.api.auth:pipeline_factory_v21
noauth = compute_req_id faultwrap sizelimit noauth osapi_compute_app_v21
noauth2 = compute_req_id faultwrap sizelimit noauth2 osapi_compute_app_v21
keystone = compute_req_id faultwrap sizelimit authtoken keystonecontext osapi_compute_app_v21
[composite:openstack_compute_api_v3]
use = call:nova.api.auth:pipeline_factory_v21
noauth = request_id faultwrap sizelimit noauth_v3 osapi_compute_app_v3
noauth2 = request_id faultwrap sizelimit noauth_v3 osapi_compute_app_v3
keystone = request_id faultwrap sizelimit authtoken keystonecontext osapi_compute_app_v3
[filter:request_id]
paste.filter_factory = oslo.middleware:RequestId.factory
[filter:compute_req_id]
paste.filter_factory = nova.api.compute_req_id:ComputeReqIdMiddleware.factory
[filter:faultwrap]
paste.filter_factory = nova.api.openstack:FaultWrapper.factory
[filter:noauth]
paste.filter_factory = nova.api.openstack.auth:NoAuthMiddlewareOld.factory
[filter:noauth2]
paste.filter_factory = nova.api.openstack.auth:NoAuthMiddleware.factory
[filter:noauth_v3]
paste.filter_factory = nova.api.openstack.auth:NoAuthMiddlewareV3.factory
[filter:ratelimit]
paste.filter_factory = nova.api.openstack.compute.limits:RateLimitingMiddleware.factory
[filter:sizelimit]
paste.filter_factory = oslo.middleware:RequestBodySizeLimiter.factory
[app:osapi_compute_app_v2]
paste.app_factory = nova.api.openstack.compute:APIRouter.factory
[app:osapi_compute_app_v21]
paste.app_factory = nova.api.openstack.compute:APIRouterV21.factory
[app:osapi_compute_app_v3]
paste.app_factory = nova.api.openstack.compute:APIRouterV3.factory
[pipeline:oscomputeversions]
pipeline = faultwrap oscomputeversionapp
[app:oscomputeversionapp]
paste.app_factory = nova.api.openstack.compute.versions:Versions.factory
##########
# Shared #
##########
[filter:keystonecontext]
paste.filter_factory = nova.api.auth:NovaKeystoneContext.factory
[filter:authtoken]
paste.filter_factory = keystonemiddleware.auth_token:filter_factory
3.17.2.2. policy.json
The policy.json file defines additional access controls that apply to the Compute service.
{
"context_is_admin": "role:admin",
"admin_or_owner": "is_admin:True or project_id:%(project_id)s",
"default": "rule:admin_or_owner",
"cells_scheduler_filter:TargetCellFilter": "is_admin:True",
"compute:create": "",
"compute:create:attach_network": "",
"compute:create:attach_volume": "",
"compute:create:forced_host": "is_admin:True",
"compute:get_all": "",
"compute:get_all_tenants": "",
"compute:start": "rule:admin_or_owner",
"compute:stop": "rule:admin_or_owner",
"compute:unlock_override": "rule:admin_api",
"compute:shelve": "",
"compute:shelve_offload": "",
"compute:unshelve": "",
"compute:resize": "",
"compute:confirm_resize": "",
"compute:revert_resize": "",
"compute:rebuild": "",
"compute:reboot": "",
"compute:volume_snapshot_create": "",
"compute:volume_snapshot_delete": "",
"admin_api": "is_admin:True",
"compute_extension:accounts": "rule:admin_api",
"compute_extension:admin_actions": "rule:admin_api",
"compute_extension:admin_actions:pause": "rule:admin_or_owner",
"compute_extension:admin_actions:unpause": "rule:admin_or_owner",
"compute_extension:admin_actions:suspend": "rule:admin_or_owner",
"compute_extension:admin_actions:resume": "rule:admin_or_owner",
"compute_extension:admin_actions:lock": "rule:admin_or_owner",
"compute_extension:admin_actions:unlock": "rule:admin_or_owner",
"compute_extension:admin_actions:resetNetwork": "rule:admin_api",
"compute_extension:admin_actions:injectNetworkInfo": "rule:admin_api",
"compute_extension:admin_actions:createBackup": "rule:admin_or_owner",
"compute_extension:admin_actions:migrateLive": "rule:admin_api",
"compute_extension:admin_actions:resetState": "rule:admin_api",
"compute_extension:admin_actions:migrate": "rule:admin_api",
"compute_extension:aggregates": "rule:admin_api",
"compute_extension:agents": "rule:admin_api",
"compute_extension:attach_interfaces": "",
"compute_extension:baremetal_nodes": "rule:admin_api",
"compute_extension:cells": "rule:admin_api",
"compute_extension:cells:create": "rule:admin_api",
"compute_extension:cells:delete": "rule:admin_api",
"compute_extension:cells:update": "rule:admin_api",
"compute_extension:cells:sync_instances": "rule:admin_api",
"compute_extension:certificates": "",
"compute_extension:cloudpipe": "rule:admin_api",
"compute_extension:cloudpipe_update": "rule:admin_api",
"compute_extension:console_output": "",
"compute_extension:consoles": "",
"compute_extension:createserverext": "",
"compute_extension:deferred_delete": "",
"compute_extension:disk_config": "",
"compute_extension:evacuate": "rule:admin_api",
"compute_extension:extended_server_attributes": "rule:admin_api",
"compute_extension:extended_status": "",
"compute_extension:extended_availability_zone": "",
"compute_extension:extended_ips": "",
"compute_extension:extended_ips_mac": "",
"compute_extension:extended_vif_net": "",
"compute_extension:extended_volumes": "",
"compute_extension:fixed_ips": "rule:admin_api",
"compute_extension:flavor_access": "",
"compute_extension:flavor_access:addTenantAccess": "rule:admin_api",
"compute_extension:flavor_access:removeTenantAccess":
"rule:admin_api",
"compute_extension:flavor_disabled": "",
"compute_extension:flavor_rxtx": "",
"compute_extension:flavor_swap": "",
"compute_extension:flavorextradata": "",
"compute_extension:flavorextraspecs:index": "",
"compute_extension:flavorextraspecs:show": "",
"compute_extension:flavorextraspecs:create": "rule:admin_api",
"compute_extension:flavorextraspecs:update": "rule:admin_api",
"compute_extension:flavorextraspecs:delete": "rule:admin_api",
"compute_extension:flavormanage": "rule:admin_api",
"compute_extension:floating_ip_dns": "",
"compute_extension:floating_ip_pools": "",
"compute_extension:floating_ips": "",
"compute_extension:floating_ips_bulk": "rule:admin_api",
"compute_extension:fping": "",
"compute_extension:fping:all_tenants": "rule:admin_api",
"compute_extension:hide_server_addresses": "is_admin:False",
"compute_extension:hosts": "rule:admin_api",
"compute_extension:hypervisors": "rule:admin_api",
"compute_extension:image_size": "",
"compute_extension:instance_actions": "",
"compute_extension:instance_actions:events": "rule:admin_api",
"compute_extension:instance_usage_audit_log": "rule:admin_api",
"compute_extension:keypairs": "",
"compute_extension:keypairs:index": "",
"compute_extension:keypairs:show": "",
"compute_extension:keypairs:create": "",
"compute_extension:keypairs:delete": "",
"compute_extension:multinic": "",
"compute_extension:networks": "rule:admin_api",
"compute_extension:networks:view": "",
"compute_extension:networks_associate": "rule:admin_api",
"compute_extension:quotas:show": "",
"compute_extension:quotas:update": "rule:admin_api",
"compute_extension:quotas:delete": "rule:admin_api",
"compute_extension:quota_classes": "",
"compute_extension:rescue": "",
"compute_extension:security_group_default_rules": "rule:admin_api",
"compute_extension:security_groups": "",
"compute_extension:server_diagnostics": "rule:admin_api",
"compute_extension:server_groups": "",
"compute_extension:server_password": "",
"compute_extension:server_usage": "",
"compute_extension:services": "rule:admin_api",
"compute_extension:shelve": "",
"compute_extension:shelveOffload": "rule:admin_api",
"compute_extension:simple_tenant_usage:show": "rule:admin_or_owner",
"compute_extension:simple_tenant_usage:list": "rule:admin_api",
"compute_extension:unshelve": "",
"compute_extension:users": "rule:admin_api",
"compute_extension:virtual_interfaces": "",
"compute_extension:virtual_storage_arrays": "",
"compute_extension:volumes": "",
"compute_extension:volume_attachments:index": "",
"compute_extension:volume_attachments:show": "",
"compute_extension:volume_attachments:create": "",
"compute_extension:volume_attachments:update": "",
"compute_extension:volume_attachments:delete": "",
"compute_extension:volumetypes": "",
"compute_extension:availability_zone:list": "",
"compute_extension:availability_zone:detail": "rule:admin_api",
"compute_extension:used_limits_for_admin": "rule:admin_api",
"compute_extension:migrations:index": "rule:admin_api",
"compute_extension:os-assisted-volume-snapshots:create":
"rule:admin_api",
"compute_extension:os-assisted-volume-snapshots:delete":
"rule:admin_api",
"compute_extension:console_auth_tokens": "rule:admin_api",
"compute_extension:os-server-external-events:create":
"rule:admin_api",
"network:get_all": "",
"network:get": "",
"network:create": "",
"network:delete": "",
"network:associate": "",
"network:disassociate": "",
"network:get_vifs_by_instance": "",
"network:allocate_for_instance": "",
"network:deallocate_for_instance": "",
"network:validate_networks": "",
"network:get_instance_uuids_by_ip_filter": "",
"network:get_instance_id_by_floating_address": "",
"network:setup_networks_on_host": "",
"network:get_backdoor_port": "",
"network:get_floating_ip": "",
"network:get_floating_ip_pools": "",
"network:get_floating_ip_by_address": "",
"network:get_floating_ips_by_project": "",
"network:get_floating_ips_by_fixed_address": "",
"network:allocate_floating_ip": "",
"network:associate_floating_ip": "",
"network:disassociate_floating_ip": "",
"network:release_floating_ip": "",
"network:migrate_instance_start": "",
"network:migrate_instance_finish": "",
"network:get_fixed_ip": "",
"network:get_fixed_ip_by_address": "",
"network:add_fixed_ip_to_instance": "",
"network:remove_fixed_ip_from_instance": "",
"network:add_network_to_project": "",
"network:get_instance_nw_info": "",
"network:get_dns_domains": "",
"network:add_dns_entry": "",
"network:modify_dns_entry": "",
"network:delete_dns_entry": "",
"network:get_dns_entries_by_address": "",
"network:get_dns_entries_by_name": "",
"network:create_private_dns_domain": "",
"network:create_public_dns_domain": "",
"network:delete_dns_domain": "",
"network:attach_external_network": "rule:admin_api",
"os_compute_api:servers:start": "rule:admin_or_owner",
"os_compute_api:servers:stop": "rule:admin_or_owner",
"os_compute_api:os-access-ips:discoverable": "",
"os_compute_api:os-access-ips": "",
"os_compute_api:os-admin-actions": "rule:admin_api",
"os_compute_api:os-admin-actions:discoverable": "",
"os_compute_api:os-admin-actions:reset_network": "rule:admin_api",
"os_compute_api:os-admin-actions:inject_network_info":
"rule:admin_api",
"os_compute_api:os-admin-actions:reset_state": "rule:admin_api",
"os_compute_api:os-admin-password": "",
"os_compute_api:os-admin-password:discoverable": "",
"os_compute_api:os-aggregates:discoverable": "",
"os_compute_api:os-aggregates:index": "rule:admin_api",
"os_compute_api:os-aggregates:create": "rule:admin_api",
"os_compute_api:os-aggregates:show": "rule:admin_api",
"os_compute_api:os-aggregates:update": "rule:admin_api",
"os_compute_api:os-aggregates:delete": "rule:admin_api",
"os_compute_api:os-aggregates:add_host": "rule:admin_api",
"os_compute_api:os-aggregates:remove_host": "rule:admin_api",
"os_compute_api:os-aggregates:set_metadata": "rule:admin_api",
"os_compute_api:os-agents": "rule:admin_api",
"os_compute_api:os-agents:discoverable": "",
"os_compute_api:os-attach-interfaces": "",
"os_compute_api:os-attach-interfaces:discoverable": "",
"os_compute_api:os-baremetal-nodes": "rule:admin_api",
"os_compute_api:os-baremetal-nodes:discoverable": "",
"os_compute_api:os-block-device-mapping-v1:discoverable": "",
"os_compute_api:os-cells": "rule:admin_api",
"os_compute_api:os-cells:create": "rule:admin_api",
"os_compute_api:os-cells:delete": "rule:admin_api",
"os_compute_api:os-cells:update": "rule:admin_api",
"os_compute_api:os-cells:sync_instances": "rule:admin_api",
"os_compute_api:os-cells:discoverable": "",
"os_compute_api:os-certificates:create": "",
"os_compute_api:os-certificates:show": "",
"os_compute_api:os-certificates:discoverable": "",
"os_compute_api:os-cloudpipe": "rule:admin_api",
"os_compute_api:os-cloudpipe:discoverable": "",
"os_compute_api:os-consoles:discoverable": "",
"os_compute_api:os-consoles:create": "",
"os_compute_api:os-consoles:delete": "",
"os_compute_api:os-consoles:index": "",
"os_compute_api:os-consoles:show": "",
"os_compute_api:os-console-output:discoverable": "",
"os_compute_api:os-console-output": "",
"os_compute_api:os-remote-consoles": "",
"os_compute_api:os-remote-consoles:discoverable": "",
"os_compute_api:os-create-backup:discoverable": "",
"os_compute_api:os-create-backup": "rule:admin_or_owner",
"os_compute_api:os-deferred-delete": "",
"os_compute_api:os-deferred-delete:discoverable": "",
"os_compute_api:os-disk-config": "",
"os_compute_api:os-disk-config:discoverable": "",
"os_compute_api:os-evacuate": "rule:admin_api",
"os_compute_api:os-evacuate:discoverable": "",
"os_compute_api:os-extended-server-attributes": "rule:admin_api",
"os_compute_api:os-extended-server-attributes:discoverable": "",
"os_compute_api:os-extended-status": "",
"os_compute_api:os-extended-status:discoverable": "",
"os_compute_api:os-extended-availability-zone": "",
"os_compute_api:os-extended-availability-zone:discoverable": "",
"os_compute_api:extension_info:discoverable": "",
"os_compute_api:os-extended-volumes": "",
"os_compute_api:os-extended-volumes:discoverable": "",
"os_compute_api:os-fixed-ips": "rule:admin_api",
"os_compute_api:os-fixed-ips:discoverable": "",
"os_compute_api:os-flavor-access": "",
"os_compute_api:os-flavor-access:discoverable": "",
"os_compute_api:os-flavor-access:remove_tenant_access":
"rule:admin_api",
"os_compute_api:os-flavor-access:add_tenant_access": "rule:admin_api",
"os_compute_api:os-flavor-rxtx": "",
"os_compute_api:os-flavor-rxtx:discoverable": "",
"os_compute_api:flavors:discoverable": "",
"os_compute_api:os-flavor-extra-specs:discoverable": "",
"os_compute_api:os-flavor-extra-specs:index": "",
"os_compute_api:os-flavor-extra-specs:show": "",
"os_compute_api:os-flavor-extra-specs:create": "rule:admin_api",
"os_compute_api:os-flavor-extra-specs:update": "rule:admin_api",
"os_compute_api:os-flavor-extra-specs:delete": "rule:admin_api",
"os_compute_api:os-flavor-manage:discoverable": "",
"os_compute_api:os-flavor-manage": "rule:admin_api",
"os_compute_api:os-floating-ip-dns": "",
"os_compute_api:os-floating-ip-dns:discoverable": "",
"os_compute_api:os-floating-ip-pools": "",
"os_compute_api:os-floating-ip-pools:discoverable": "",
"os_compute_api:os-floating-ips": "",
"os_compute_api:os-floating-ips:discoverable": "",
"os_compute_api:os-floating-ips-bulk": "rule:admin_api",
"os_compute_api:os-floating-ips-bulk:discoverable": "",
"os_compute_api:os-fping": "",
"os_compute_api:os-fping:discoverable": "",
"os_compute_api:os-fping:all_tenants": "rule:admin_api",
"os_compute_api:os-hide-server-addresses": "is_admin:False",
"os_compute_api:os-hide-server-addresses:discoverable": "",
"os_compute_api:os-hosts": "rule:admin_api",
"os_compute_api:os-hosts:discoverable": "",
"os_compute_api:os-hypervisors": "rule:admin_api",
"os_compute_api:os-hypervisors:discoverable": "",
"os_compute_api:images:discoverable": "",
"os_compute_api:image-size": "",
"os_compute_api:image-size:discoverable": "",
"os_compute_api:os-instance-actions": "",
"os_compute_api:os-instance-actions:discoverable": "",
"os_compute_api:os-instance-actions:events": "rule:admin_api",
"os_compute_api:os-instance-usage-audit-log": "rule:admin_api",
"os_compute_api:os-instance-usage-audit-log:discoverable": "",
"os_compute_api:ips:discoverable": "",
"os_compute_api:ips:index": "rule:admin_or_owner",
"os_compute_api:ips:show": "rule:admin_or_owner",
"os_compute_api:os-keypairs:discoverable": "",
"os_compute_api:os-keypairs": "",
"os_compute_api:os-keypairs:index": "",
"os_compute_api:os-keypairs:show": "",
"os_compute_api:os-keypairs:create": "",
"os_compute_api:os-keypairs:delete": "",
"os_compute_api:limits:discoverable": "",
"os_compute_api:os-lock-server:discoverable": "",
"os_compute_api:os-lock-server:lock": "rule:admin_or_owner",
"os_compute_api:os-lock-server:unlock": "rule:admin_or_owner",
"os_compute_api:os-migrate-server:discoverable": "",
"os_compute_api:os-migrate-server:migrate": "rule:admin_api",
"os_compute_api:os-migrate-server:migrate_live": "rule:admin_api",
"os_compute_api:os-multinic": "",
"os_compute_api:os-multinic:discoverable": "",
"os_compute_api:os-networks": "rule:admin_api",
"os_compute_api:os-networks:view": "",
"os_compute_api:os-networks:discoverable": "",
"os_compute_api:os-networks-associate": "rule:admin_api",
"os_compute_api:os-networks-associate:discoverable": "",
"os_compute_api:os-pause-server:discoverable": "",
"os_compute_api:os-pause-server:pause": "rule:admin_or_owner",
"os_compute_api:os-pause-server:unpause": "rule:admin_or_owner",
"os_compute_api:os-pci:pci_servers": "",
"os_compute_api:os-pci:discoverable": "",
"os_compute_api:os-pci:index": "rule:admin_api",
"os_compute_api:os-pci:detail": "rule:admin_api",
"os_compute_api:os-pci:show": "rule:admin_api",
"os_compute_api:os-personality:discoverable": "",
"os_compute_api:os-preserve-ephemeral-rebuild:discoverable": "",
"os_compute_api:os-quota-sets:discoverable": "",
"os_compute_api:os-quota-sets:show": "",
"os_compute_api:os-quota-sets:update": "rule:admin_api",
"os_compute_api:os-quota-sets:delete": "rule:admin_api",
"os_compute_api:os-quota-sets:detail": "rule:admin_api",
"os_compute_api:os-quota-class-sets": "",
"os_compute_api:os-quota-class-sets:discoverable": "",
"os_compute_api:os-rescue": "",
"os_compute_api:os-rescue:discoverable": "",
"os_compute_api:os-scheduler-hints:discoverable": "",
"os_compute_api:os-security-group-default-rules:discoverable": "",
"os_compute_api:os-security-group-default-rules": "rule:admin_api",
"os_compute_api:os-security-groups": "",
"os_compute_api:os-security-groups:discoverable": "",
"os_compute_api:os-server-diagnostics": "rule:admin_api",
"os_compute_api:os-server-diagnostics:discoverable": "",
"os_compute_api:os-server-password": "",
"os_compute_api:os-server-password:discoverable": "",
"os_compute_api:os-server-usage": "",
"os_compute_api:os-server-usage:discoverable": "",
"os_compute_api:os-server-groups": "",
"os_compute_api:os-server-groups:discoverable": "",
"os_compute_api:os-services": "rule:admin_api",
"os_compute_api:os-services:discoverable": "",
"os_compute_api:server-metadata:discoverable": "",
"os_compute_api:server-metadata:index": "rule:admin_or_owner",
"os_compute_api:server-metadata:show": "rule:admin_or_owner",
"os_compute_api:server-metadata:delete": "rule:admin_or_owner",
"os_compute_api:server-metadata:create": "rule:admin_or_owner",
"os_compute_api:server-metadata:update": "rule:admin_or_owner",
"os_compute_api:server-metadata:update_all": "rule:admin_or_owner",
"os_compute_api:servers:discoverable": "",
"os_compute_api:os-shelve:shelve": "",
"os_compute_api:os-shelve:shelve:discoverable": "",
"os_compute_api:os-shelve:shelve_offload": "rule:admin_api",
"os_compute_api:os-simple-tenant-usage:discoverable": "",
"os_compute_api:os-simple-tenant-usage:show": "rule:admin_or_owner",
"os_compute_api:os-simple-tenant-usage:list": "rule:admin_api",
"os_compute_api:os-suspend-server:discoverable": "",
"os_compute_api:os-suspend-server:suspend": "rule:admin_or_owner",
"os_compute_api:os-suspend-server:resume": "rule:admin_or_owner",
"os_compute_api:os-tenant-networks": "rule:admin_or_owner",
"os_compute_api:os-tenant-networks:discoverable": "",
"os_compute_api:os-shelve:unshelve": "",
"os_compute_api:os-user-data:discoverable": "",
"os_compute_api:os-virtual-interfaces": "",
"os_compute_api:os-virtual-interfaces:discoverable": "",
"os_compute_api:os-volumes": "",
"os_compute_api:os-volumes:discoverable": "",
"os_compute_api:os-volumes-attachments:index": "",
"os_compute_api:os-volumes-attachments:show": "",
"os_compute_api:os-volumes-attachments:create": "",
"os_compute_api:os-volumes-attachments:update": "",
"os_compute_api:os-volumes-attachments:delete": "",
"os_compute_api:os-volumes-attachments:discoverable": "",
"os_compute_api:os-availability-zone:list": "",
"os_compute_api:os-availability-zone:discoverable": "",
"os_compute_api:os-availability-zone:detail": "rule:admin_api",
"os_compute_api:os-used-limits": "rule:admin_api",
"os_compute_api:os-used-limits:discoverable": "",
"os_compute_api:os-migrations:index": "rule:admin_api",
"os_compute_api:os-migrations:discoverable": "",
"os_compute_api:os-assisted-volume-snapshots:create":
"rule:admin_api",
"os_compute_api:os-assisted-volume-snapshots:delete":
"rule:admin_api",
"os_compute_api:os-assisted-volume-snapshots:discoverable": "",
"os_compute_api:os-console-auth-tokens": "rule:admin_api",
"os_compute_api:os-server-external-events:create": "rule:admin_api"
}
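Added example (not part of the Red Hat document or of nova): a Python script that loads a policy.json like the one above, inlines the rule: aliases, and groups each target by what its policy check requires; an empty rule string always passes. SAMPLE_POLICY is a constructed subset of the entries listed above, and the function names and class labels are this example's own. It covers only the rule forms that appear in this file (single checks, "or" lists and rule: references) and is not the oslo.policy evaluator.

```python
import json
import re

# Constructed sample: a subset of the policy.json entries listed above.
SAMPLE_POLICY = r"""
{
  "context_is_admin": "role:admin",
  "admin_or_owner": "is_admin:True or project_id:%(project_id)s",
  "default": "rule:admin_or_owner",
  "admin_api": "is_admin:True",
  "compute:create:forced_host": "is_admin:True",
  "compute:get_all_tenants": "",
  "compute:start": "rule:admin_or_owner",
  "compute:unlock_override": "rule:admin_api",
  "compute_extension:hide_server_addresses": "is_admin:False",
  "network:get_backdoor_port": "",
  "network:attach_external_network": "rule:admin_api",
  "os_compute_api:os-evacuate": "rule:admin_api",
  "os_compute_api:os-evacuate:discoverable": ""
}
"""

# Entries that only define reusable rules (aliases), not API actions.
ALIASES = {"context_is_admin", "admin_or_owner", "admin_api", "default"}
ADMIN_CHECKS = {"is_admin:True", "role:admin"}
RULE_REF = re.compile(r"rule:([\w.:\-]+)")
SUBSTITUTION = re.compile(r"%\((\w+)\)s")


def expand(rule, rules, seen=()):
    """Inline rule:<name> references; unknown or cyclic ones are left as-is."""
    def inline(match):
        name = match.group(1)
        if name in seen or name not in rules:
            return match.group(0)
        body = expand(rules[name], rules, seen + (name,)).strip()
        return "(%s)" % (body or "@")  # "@" is the always-true check
    return RULE_REF.sub(inline, rule)


def classify(rule, rules):
    """Label one rule by what its policy check requires of the caller."""
    # Rewrite %(project_id)s as %project_id% so grouping parentheses can go.
    text = SUBSTITUTION.sub(r"%\1%", expand(rule, rules))
    if re.search(r"\b(and|not)\b", text):
        return "custom"  # outside this example's scope: review by hand
    checks = [c.strip() for c in re.split(r"\bor\b", re.sub(r"[()]", " ", text))]
    checks = [c for c in checks if c]
    if not checks or "@" in checks:
        return "always-passes"
    if checks == ["!"]:
        return "never-passes"
    if all(c in ADMIN_CHECKS for c in checks):
        return "admin-only"
    if any(c in ADMIN_CHECKS for c in checks) and any("%" in c for c in checks):
        return "admin-or-owner"
    return "custom"


def audit(policy_text):
    """Map every non-alias target in a policy.json document to its class."""
    rules = json.loads(policy_text)
    return {t: classify(r, rules) for t, r in rules.items() if t not in ALIASES}


def open_targets(policy_text):
    """Targets whose check always passes, ignoring the ':discoverable' flags."""
    return sorted(t for t, c in audit(policy_text).items()
                  if c == "always-passes" and not t.endswith(":discoverable"))


if __name__ == "__main__":
    for target, label in sorted(audit(SAMPLE_POLICY).items()):
        print("%-45s %s" % (target, label))
    print("always-passes:", open_targets(SAMPLE_POLICY))
```

The labels describe the policy.json check only; a request still has to pass the authentication filters of the api-paste.ini pipeline in use.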
3.17.2.3. rootwrap.conf
The rootwrap.conf file defines configuration values used by the rootwrap script when the Compute
service needs to escalate its privileges to those of the root user.
It is also possible to disable the root wrapper, and default to sudo only. Configure the
disable_rootwrap option in the [workarounds] section of the nova.conf configuration file.
# Configuration for nova-rootwrap
# This file should be owned by (and only-writeable by) the root user
[DEFAULT]
# List of directories to load filter definitions from (separated by ',').
# These directories MUST all be only writeable by root !
filters_path=/etc/nova/rootwrap.d,/usr/share/nova/rootwrap
# List of directories to search executables in, in case filters do not
# explicitly specify a full path (separated by ',')
# If not specified, defaults to system PATH environment variable.
# These directories MUST all be only writeable by root !
exec_dirs=/sbin,/usr/sbin,/bin,/usr/bin
# Enable logging to syslog
# Default value is False
use_syslog=False
# Which syslog facility to use.
# Valid values include auth, authpriv, syslog, local0, local1...
# Default value is 'syslog'
syslog_log_facility=syslog
# Which messages to log.
# INFO means log all usage
# ERROR means only log unsuccessful attempts
syslog_log_level=ERROR
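Added example (not part of the Red Hat document or of nova-rootwrap): a Python check for the requirement stated in the rootwrap.conf comments above, that every filters_path and exec_dirs directory is writeable only by root. It also checks the files inside the filter directories and reports when rootwrap calls are not logged to syslog. SAMPLE_CONF repeats the values from the listing; the function names and the expected_uid parameter are this example's own.

```python
import configparser
import os
import stat

# The [DEFAULT] values shown in the rootwrap.conf listing above.
SAMPLE_CONF = """\
[DEFAULT]
filters_path=/etc/nova/rootwrap.d,/usr/share/nova/rootwrap
exec_dirs=/sbin,/usr/sbin,/bin,/usr/bin
use_syslog=False
syslog_log_level=ERROR
"""

WRITABLE_BY_OTHERS = stat.S_IWGRP | stat.S_IWOTH


def parse_rootwrap(conf_text):
    """Return the directory lists and logging switches from rootwrap.conf text."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    defaults = parser.defaults()

    def dirs(key):
        return [p.strip() for p in defaults.get(key, "").split(",") if p.strip()]

    return {
        "filters_path": dirs("filters_path"),
        "exec_dirs": dirs("exec_dirs"),
        "use_syslog": parser.getboolean("DEFAULT", "use_syslog", fallback=False),
        "syslog_log_level": defaults.get("syslog_log_level", "ERROR"),
    }


def check_path(path, expected_uid=0):
    """Return the ownership and permission problems found for one path."""
    try:
        st = os.stat(path)  # follows symlinks: the target's mode is what matters
    except OSError:
        return ["does not exist or is not readable"]
    problems = []
    if st.st_uid != expected_uid:
        problems.append("owned by uid %d, expected %d" % (st.st_uid, expected_uid))
    if st.st_mode & WRITABLE_BY_OTHERS:
        problems.append("group/other writable (mode %o)" % stat.S_IMODE(st.st_mode))
    return problems


def audit(conf_text, expected_uid=0):
    """Map each problematic path or setting to a list of findings."""
    conf = parse_rootwrap(conf_text)
    findings = {}
    for directory in conf["filters_path"] + conf["exec_dirs"]:
        targets = [directory]
        # A writable filter file is as dangerous as a writable filter directory.
        if directory in conf["filters_path"] and os.path.isdir(directory):
            targets += [os.path.join(directory, name)
                        for name in sorted(os.listdir(directory))]
        for target in targets:
            problems = check_path(target, expected_uid)
            if problems:
                findings[target] = problems
    if not conf["use_syslog"]:
        findings["use_syslog"] = ["rootwrap calls are not logged to syslog"]
    elif conf["syslog_log_level"].upper() != "INFO":
        findings["syslog_log_level"] = ["only unsuccessful attempts are logged"]
    return findings


if __name__ == "__main__":
    for item, problems in sorted(audit(SAMPLE_CONF).items()):
        print("%s: %s" % (item, "; ".join(problems)))
```

Run check_path on the rootwrap.conf file itself as well, since the listing requires that file to be owned by and writeable only by root.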
3.18. NEW, UPDATED AND DEPRECATED OPTIONS IN KILO FOR OPENSTACK COMPUTE
Table 3.61. New options
Option = default value
(Type) Help string
[DEFAULT] ebtables_exec_attempts = 3
(IntOpt) Number of times to retry ebtables
commands on failure.
[DEFAULT] ebtables_retry_interval = 1.0
(FloatOpt) Number of seconds to wait between
ebtables retries.
[DEFAULT] io_ops_weight_multiplier = -1.0
(FloatOpt) Multiplier used for weighing host io ops.
Negative numbers mean a preference to choose
light workload compute hosts.
[DEFAULT] keystone_ec2_insecure = False
(BoolOpt) Disable SSL certificate verification.
[DEFAULT] log-config-append = None
(StrOpt) The name of a logging configuration file.
This file is appended to any existing logging
configuration files. For details about logging
configuration files, see the Python logging module
documentation.
[DEFAULT] log-date-format = %Y-%m-%d %H:%M:%S
(StrOpt) Format string for %%(asctime)s in log
records. Default: %(default)s .
[DEFAULT] log-dir = None
(StrOpt) (Optional) The base directory used for
relative --log-file paths.
[DEFAULT] log-file = None
(StrOpt) (Optional) Name of log file to output to. If
no default is set, logging will go to stdout.
[DEFAULT] log-format = None
(StrOpt) DEPRECATED. A logging.Formatter log
message format string which may use any of the
available logging.LogRecord attributes. This option
is deprecated. Use logging_context_format_string
and logging_default_format_string instead.
[DEFAULT] max_concurrent_builds = 10
(IntOpt) Maximum number of instance builds to run
concurrently
[DEFAULT] metadata_cache_expiration = 15
(IntOpt) Time in seconds to cache metadata; 0 to
disable metadata caching entirely (not
recommended). Increasing this should improve
response times of the metadata API when under
heavy load. Higher values may increase
memory usage and result in longer times for host
metadata changes to take effect.
[DEFAULT] my_block_storage_ip = $my_ip
(StrOpt) Block storage IP address of this host
[DEFAULT] novncproxy_host = 0.0.0.0
(StrOpt) Host on which to listen for incoming
requests
[DEFAULT] novncproxy_port = 6080
(IntOpt) Port on which to listen for incoming
requests
[DEFAULT] policy_dirs = ['policy.d']
(MultiStrOpt) Directories where policy configuration
files are stored. They can be relative to any
directory in the search path defined by the
config_dir option, or absolute paths. The file defined
by policy_file must exist for these directories to be
searched. Missing or empty directories are ignored.
[DEFAULT] quota_networks = 3
(IntOpt) Number of private networks allowed per
project
[DEFAULT] scheduler_instance_sync_interval = 120
(IntOpt) Waiting time interval (seconds) between
sending the scheduler a list of current instance
UUIDs to verify that its view of instances is in sync
with nova. If the CONF option
`scheduler_tracks_instance_changes` is False,
changing this option will have no effect.
[DEFAULT] scheduler_tracks_instance_changes = True
(BoolOpt) Determines if the Scheduler tracks
changes to instances to help with its filtering
decisions.
[DEFAULT] syslog-log-facility = LOG_USER
(StrOpt) Syslog facility to receive log lines.
[DEFAULT] use-syslog = False
(BoolOpt) Use syslog for logging. Existing syslog
format is DEPRECATED during I, and will change in J
to honor RFC5424.
[DEFAULT] use-syslog-rfc-format = False
(BoolOpt) (Optional) Enables or disables syslog
rfc5424 format for logging. If enabled, prefixes the
MSG part of the syslog message with APP-NAME
(RFC5424). The format without the APP-NAME is
deprecated in I, and will be removed in J.
[api_database] connection = None
(StrOpt) The SQLAlchemy connection string to use
to connect to the Nova API database.
[api_database] connection_debug = 0
(IntOpt) Verbosity of SQL debugging information:
0=None, 100=Everything.
[api_database] connection_trace = False
(BoolOpt) Add Python stack traces to SQL as
comment strings.
[api_database] idle_timeout = 3600
(IntOpt) Timeout before idle SQL connections are
reaped.
[api_database] max_overflow = None
(IntOpt) If set, use this value for max_overflow with
SQLAlchemy.
[api_database] max_pool_size = None
(IntOpt) Maximum number of SQL connections to
keep open in a pool.
[api_database] max_retries = 10
(IntOpt) Maximum number of database connection
retries during startup. Set to -1 to specify an infinite
retry count.
[api_database] mysql_sql_mode = TRADITIONAL
(StrOpt) The SQL mode to be used for MySQL
sessions. This option, including the default, overrides
any server-set SQL mode. To use whatever SQL
mode is set by the server configuration, set this to
no value. Example: mysql_sql_mode=
[api_database] pool_timeout = None
(IntOpt) If set, use this value for pool_timeout with
SQLAlchemy.
[api_database] retry_interval = 10
(IntOpt) Interval between retries of opening a SQL
connection.
[api_database] slave_connection = None
(StrOpt) The SQLAlchemy connection string to use
to connect to the slave database.
[api_database] sqlite_synchronous = True
(BoolOpt) If True, SQLite uses synchronous mode.
[barbican] cafile = None
(StrOpt) PEM encoded Certificate Authority to use
when verifying HTTPs connections.
[barbican] catalog_info = keymanager:barbican:public
(StrOpt) Info to match when looking for barbican in
the service catalog. Format is: separated values of
the form: <service_type>:<service_name>:<endpoint_type>
[barbican] certfile = None
(StrOpt) PEM encoded client certificate cert file
[barbican] endpoint_template = None
(StrOpt) Override service catalog lookup with
template for barbican endpoint e.g.
http://localhost:9311/v1/%(project_id)s
[barbican] insecure = False
(BoolOpt) Verify HTTPS connections.
[barbican] keyfile = None
(StrOpt) PEM encoded client certificate key file
[barbican] os_region_name = None
(StrOpt) Region name of this node
[barbican] timeout = None
(IntOpt) Timeout value for http requests
[cinder] cafile = None
(StrOpt) PEM encoded Certificate Authority to use
when verifying HTTPs connections.
[cinder] certfile = None
(StrOpt) PEM encoded client certificate cert file
[cinder] insecure = False
(BoolOpt) Verify HTTPS connections.
[cinder] keyfile = None
(StrOpt) PEM encoded client certificate key file
[cinder] timeout = None
(IntOpt) Timeout value for http requests
[database] backend = sqlalchemy
(StrOpt) The back end to use for the database.
[database] connection = None
(StrOpt) The SQLAlchemy connection string to use
to connect to the database.
[database] connection_debug = 0
(IntOpt) Verbosity of SQL debugging information:
0=None, 100=Everything.
[database] connection_trace = False
(BoolOpt) Add Python stack traces to SQL as
comment strings.
[database] db_inc_retry_interval = True
(BoolOpt) If True, increases the interval between
retries of a database operation up to
db_max_retry_interval.
[database] db_max_retries = 20
(IntOpt) Maximum retries in case of connection error
or deadlock error before error is raised. Set to -1 to
specify an infinite retry count.
[database] db_max_retry_interval = 10
(IntOpt) If db_inc_retry_interval is set, the maximum
seconds between retries of a database operation.
[database] db_retry_interval = 1
(IntOpt) Seconds between retries of a database
transaction.
[database] idle_timeout = 3600
(IntOpt) Timeout before idle SQL connections are
reaped.
[database] max_overflow = None
(IntOpt) If set, use this value for max_overflow with
SQLAlchemy.
[database] max_pool_size = None
(IntOpt) Maximum number of SQL connections to
keep open in a pool.
[database] max_retries = 10
(IntOpt) Maximum number of database connection
retries during startup. Set to -1 to specify an infinite
retry count.
[database] min_pool_size = 1
(IntOpt) Minimum number of SQL connections to
keep open in a pool.
[database] mysql_sql_mode = TRADITIONAL
(StrOpt) The SQL mode to be used for MySQL
sessions. This option, including the default, overrides
any server-set SQL mode. To use whatever SQL
mode is set by the server configuration, set this to
no value. Example: mysql_sql_mode=
[database] pool_timeout = None
(IntOpt) If set, use this value for pool_timeout with
SQLAlchemy.
[database] retry_interval = 10
(IntOpt) Interval between retries of opening a SQL
connection.
[database] slave_connection = None
(StrOpt) The SQLAlchemy connection string to use
to connect to the slave database.
[database] sqlite_db = oslo.sqlite
(StrOpt) The file name to use with SQLite.
[database] sqlite_synchronous = True
(BoolOpt) If True, SQLite uses synchronous mode.
[database] use_db_reconnect = False
(BoolOpt) Enable the experimental use of database
reconnect on connection lost.
[guestfs] debug = False
(BoolOpt) Enable guestfs debug
[libvirt] iscsi_iface = None
(StrOpt) The iSCSI transport iface to use to connect
to target in case offload support is desired.
Supported transports are be2iscsi, bnx2i, cxgb3i,
cxgb4i, qla4xxx and ocs. Default format is
transport_name.hwaddress and can be generated
manually or via iscsiadm -m iface
[libvirt] quobyte_client_cfg = None
(StrOpt) Path to a Quobyte Client configuration file.
[libvirt] quobyte_mount_point_base = $state_path/mnt
(StrOpt) Directory where the Quobyte volume is
mounted on the compute node
[libvirt] smbfs_mount_options =
(StrOpt) Mount options passed to the SMBFS client.
See mount.cifs man page for details. Note that the
libvirt-qemu uid and gid must be specified.
[libvirt] smbfs_mount_point_base = $state_path/mnt
(StrOpt) Directory where the SMBFS shares are
mounted on the compute node
[neutron] auth_plugin = None
(StrOpt) Name of the plugin to load
[neutron] auth_section = None
(StrOpt) Config Section from which to load plugin
specific options
[neutron] cafile = None
(StrOpt) PEM encoded Certificate Authority to use
when verifying HTTPs connections.
[neutron] certfile = None
(StrOpt) PEM encoded client certificate cert file
[neutron] insecure = False
(BoolOpt) Verify HTTPS connections.
[neutron] keyfile = None
(StrOpt) PEM encoded client certificate key file
[neutron] timeout = None
(IntOpt) Timeout value for http requests
[oslo_concurrency] disable_process_locking = False
(BoolOpt) Enables or disables inter-process locks.
[oslo_concurrency] lock_path = None
(StrOpt) Directory to use for lock files. For security,
the specified directory should only be writable by
the user running the processes that need locking.
Defaults to environment variable
OSLO_LOCK_PATH. If external locks are used, a
lock path must be set.
[oslo_messaging_amqp] allow_insecure_clients = False
(BoolOpt) Accept clients using either SSL or plain
TCP
[oslo_messaging_amqp] broadcast_prefix = broadcast
(StrOpt) address prefix used when broadcasting to
all servers
[oslo_messaging_amqp] container_name = None
(StrOpt) Name for the AMQP container
[oslo_messaging_amqp] group_request_prefix = unicast
(StrOpt) address prefix when sending to any server
in group
[oslo_messaging_amqp] idle_timeout = 0
(IntOpt) Timeout for inactive connections (in
seconds)
[oslo_messaging_amqp] server_request_prefix = exclusive
(StrOpt) address prefix used when sending to a
specific server
[oslo_messaging_amqp] ssl_ca_file =
(StrOpt) CA certificate PEM file for verifying server
certificate
[oslo_messaging_amqp] ssl_cert_file =
(StrOpt) Identifying certificate PEM file to present
to clients
[oslo_messaging_amqp] ssl_key_file =
(StrOpt) Private key PEM file used to sign cert_file
certificate
[oslo_messaging_amqp] ssl_key_password = None
(StrOpt) Password for decrypting ssl_key_file (if
encrypted)
[oslo_messaging_amqp] trace = False
(BoolOpt) Debug: dump AMQP frames to stdout
[oslo_messaging_qpid] amqp_auto_delete = False
(BoolOpt) Auto-delete queues in AMQP.
[oslo_messaging_qpid] amqp_durable_queues = False
(BoolOpt) Use durable queues in AMQP.
[oslo_messaging_qpid] qpid_heartbeat = 60
(IntOpt) Seconds between connection keepalive
heartbeats.
[oslo_messaging_qpid] qpid_hostname = localhost
(StrOpt) Qpid broker hostname.
[oslo_messaging_qpid] qpid_hosts = $qpid_hostname:$qpid_port
(ListOpt) Qpid HA cluster host:port pairs.
[oslo_messaging_qpid] qpid_password =
(StrOpt) Password for Qpid connection.
[oslo_messaging_qpid] qpid_port = 5672
(IntOpt) Qpid broker port.
[oslo_messaging_qpid] qpid_protocol = tcp
(StrOpt) Transport to use, either 'tcp' or 'ssl'.
[oslo_messaging_qpid] qpid_receiver_capacity = 1
(IntOpt) The number of prefetched messages held by
receiver.
[oslo_messaging_qpid] qpid_sasl_mechanisms =
(StrOpt) Space separated list of SASL mechanisms
to use for auth.
[oslo_messaging_qpid] qpid_tcp_nodelay = True
(BoolOpt) Whether to disable the Nagle algorithm.
[oslo_messaging_qpid] qpid_topology_version = 1
(IntOpt) The qpid topology version to use. Version 1
is what was originally used by impl_qpid. Version 2
includes some backwards-incompatible changes
that allow broker federation to work. Users should
update to version 2 when they are able to take
everything down, as it requires a clean break.
[oslo_messaging_qpid] qpid_username =
(StrOpt) Username for Qpid connection.
[oslo_messaging_qpid] rpc_conn_pool_size = 30
(IntOpt) Size of RPC connection pool.
[oslo_messaging_rabbit] amqp_auto_delete = False
(BoolOpt) Auto-delete queues in AMQP.
[oslo_messaging_rabbit] amqp_durable_queues = False
(BoolOpt) Use durable queues in AMQP.
[oslo_messaging_rabbit] fake_rabbit = False
(BoolOpt) Deprecated, use
rpc_backend=kombu+memory or rpc_backend=fake
[oslo_messaging_rabbit] heartbeat_rate = 2
(IntOpt) How many times during the
heartbeat_timeout_threshold the heartbeat is
checked.
[oslo_messaging_rabbit] heartbeat_timeout_threshold = 0
(IntOpt) Number of seconds after which the Rabbit
broker is considered down if heartbeat's keep-alive
fails (0 disables the heartbeat, >0 enables it).
Enabling heartbeats requires kombu>=3.0.7 and
amqp>=1.4.0. EXPERIMENTAL
[oslo_messaging_rabbit] kombu_reconnect_delay = 1.0
(FloatOpt) How long to wait before reconnecting in
response to an AMQP consumer cancel notification.
[oslo_messaging_rabbit] kombu_ssl_ca_certs =
(StrOpt) SSL certification authority file (valid only if
SSL enabled).
[oslo_messaging_rabbit] kombu_ssl_certfile =
(StrOpt) SSL cert file (valid only if SSL enabled).
[oslo_messaging_rabbit] kombu_ssl_keyfile =
(StrOpt) SSL key file (valid only if SSL enabled).
[oslo_messaging_rabbit] kombu_ssl_version =
(StrOpt) SSL version to use (valid only if SSL
enabled). Valid values are TLSv1 and SSLv23. SSLv2,
SSLv3, TLSv1_1, and TLSv1_2 are also available.
[oslo_messaging_rabbit] rabbit_ha_queues = False
(BoolOpt) Use HA queues in RabbitMQ (x-ha-policy:
all). If you change this option, you must wipe the
RabbitMQ database.
[oslo_messaging_rabbit] rabbit_host = localhost
(StrOpt) The RabbitMQ broker address where a
single node is used.
[oslo_messaging_rabbit] rabbit_hosts = $rabbit_host:$rabbit_port
(ListOpt) RabbitMQ HA cluster host:port pairs.
[oslo_messaging_rabbit] rabbit_login_method = AMQPLAIN
(StrOpt) The RabbitMQ login method.
[oslo_messaging_rabbit] rabbit_max_retries = 0
(IntOpt) Maximum number of RabbitMQ connection
retries. Default is 0 (infinite retry count).
[oslo_messaging_rabbit] rabbit_password = guest
(StrOpt) The RabbitMQ password.
[oslo_messaging_rabbit] rabbit_port = 5672
(IntOpt) The RabbitMQ broker port where a single
node is used.
[oslo_messaging_rabbit] rabbit_retry_backoff = 2
(IntOpt) How long to backoff for between retries
when connecting to RabbitMQ.
[oslo_messaging_rabbit] rabbit_retry_interval = 1
(IntOpt) How frequently to retry connecting with
RabbitMQ.
[oslo_messaging_rabbit] rabbit_use_ssl = False
(BoolOpt) Connect over SSL for RabbitMQ.
[oslo_messaging_rabbit] rabbit_userid = guest
(StrOpt) The RabbitMQ userid.
[oslo_messaging_rabbit] rabbit_virtual_host = /
(StrOpt) The RabbitMQ virtual host.
[oslo_messaging_rabbit] rpc_conn_pool_size = 30
(IntOpt) Size of RPC connection pool.
[oslo_middleware] max_request_body_size = 114688
(IntOpt) The maximum body size for each request, in
bytes.
[serial_console] serialproxy_host = 0.0.0.0
(StrOpt) Host on which to listen for incoming
requests
[serial_console] serialproxy_port = 6083
(IntOpt) Port on which to listen for incoming
requests
[vmware] cache_prefix = None
(StrOpt) The prefix for where cached images are
stored. This is NOT the full path - only a folder
prefix. This should only be used when a datastore
cache should be shared between compute nodes.
Note: this should only be used when the compute
nodes have a shared file system.
[vmware] pbm_default_policy = None
(StrOpt) The PBM default policy. If
pbm_wsdl_location is set and there is no defined
storage policy for the specific request then this
policy will be used.
[vmware] pbm_enabled = False
(BoolOpt) The PBM status.
[vmware] pbm_wsdl_location = None
(StrOpt) PBM service WSDL file location URL. e.g.
file:///opt/SDK/spbm/wsdl/pbmService.wsdl Not
setting this will disable storage policy based
placement of instances.
[workarounds] destroy_after_evacuate = True
(BoolOpt) Whether to destroy instances on startup
when it is suspected that they have previously been
evacuated. This can result in data loss if undesired.
See https://launchpad.net/bugs/1419785
[workarounds] disable_libvirt_livesnapshot = True
(BoolOpt) When using libvirt 1.2.2, live snapshots fail
intermittently under load. This config option
provides a mechanism to disable live snapshots while
this is resolved. See
https://bugs.launchpad.net/nova/+bug/1334398
[workarounds] disable_rootwrap = False
(BoolOpt) This option allows a fallback to sudo for
performance reasons. For example see
https://bugs.launchpad.net/nova/+bug/1415106
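The following audit script is an added example, not part of the Red Hat reference. It reads a nova.conf, falls back to the defaults listed in the table above for any option left unset, and reports transport-security weaknesses in the [neutron], [oslo_messaging_rabbit] and [oslo_messaging_amqp] sections; the sample file, the function name and the wording of the findings are constructed for illustration.

```python
import configparser

# Defaults as listed in the option table above; they apply whenever
# nova.conf leaves the option unset.
PAGE_DEFAULTS = {
    ("neutron", "insecure"): "False",
    ("oslo_messaging_rabbit", "rabbit_use_ssl"): "False",
    ("oslo_messaging_rabbit", "rabbit_userid"): "guest",
    ("oslo_messaging_rabbit", "rabbit_password"): "guest",
    ("oslo_messaging_rabbit", "kombu_ssl_version"): "",
    ("oslo_messaging_rabbit", "kombu_ssl_ca_certs"): "",
    ("oslo_messaging_amqp", "allow_insecure_clients"): "False",
    ("oslo_messaging_amqp", "trace"): "False",
}
TRUE_WORDS = {"1", "true", "yes", "on"}

# Constructed sample input, not taken from a real deployment.
SAMPLE_NOVA_CONF = """\
[DEFAULT]
debug = False

[neutron]
insecure = True

[oslo_messaging_rabbit]
rabbit_use_ssl = True
kombu_ssl_version = SSLv3
rabbit_userid = nova
rabbit_password = constructed-placeholder
"""


def audit_nova_conf(text):
    """Return sorted (section, option, finding) tuples for weak settings."""
    # Renaming default_section makes [DEFAULT] an ordinary section, so its
    # keys are not inherited by the sections inspected below.
    parser = configparser.ConfigParser(
        interpolation=None, default_section="__unused__")
    parser.read_string(text)

    def value(section, option):
        if parser.has_option(section, option):
            return parser.get(section, option).strip()
        return PAGE_DEFAULTS[(section, option)]

    def enabled(section, option):
        return value(section, option).lower() in TRUE_WORDS

    findings = []
    rabbit, amqp = "oslo_messaging_rabbit", "oslo_messaging_amqp"

    if enabled("neutron", "insecure"):
        findings.append(("neutron", "insecure",
                         "HTTPS certificate verification is disabled"))

    if not enabled(rabbit, "rabbit_use_ssl"):
        findings.append((rabbit, "rabbit_use_ssl",
                         "RabbitMQ connection is not encrypted"))
    else:
        # The SSL-only options matter once SSL is switched on.
        if value(rabbit, "kombu_ssl_version").lower() in ("sslv2", "sslv3"):
            findings.append((rabbit, "kombu_ssl_version",
                             "obsolete SSL protocol version selected"))
        if not value(rabbit, "kombu_ssl_ca_certs"):
            findings.append((rabbit, "kombu_ssl_ca_certs",
                             "no CA file set for checking the broker "
                             "certificate"))

    credentials = (value(rabbit, "rabbit_userid"),
                   value(rabbit, "rabbit_password"))
    if credentials == ("guest", "guest"):
        findings.append((rabbit, "rabbit_password",
                         "default guest/guest credentials in use"))

    if enabled(amqp, "allow_insecure_clients"):
        findings.append((amqp, "allow_insecure_clients",
                         "plain TCP clients are accepted"))
    if enabled(amqp, "trace"):
        findings.append((amqp, "trace",
                         "AMQP frames are dumped to stdout"))
    return sorted(findings)


if __name__ == "__main__":
    for section, option, finding in audit_nova_conf(SAMPLE_NOVA_CONF):
        print("[%s] %s: %s" % (section, option, finding))
```

An empty file is reported too, because the documented defaults leave the RabbitMQ connection unencrypted and authenticated as guest/guest.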
Table 3.62. New default values
Option: [DEFAULT] client_socket_timeout
Previous default value: 0
New default value: 900
Option: [DEFAULT] default_log_levels
Previous default value: amqp=WARN, amqplib=WARN, boto=WARN, qpid=WARN, sqlalchemy=WARN, suds=INFO, oslo.messaging=INFO, iso8601=WARN, requests.packages.urllib3.connectionpool=WARN, urllib3.connectionpool=WARN, websocket=WARN, keystonemiddleware=WARN, routes.middleware=WARN, stevedore=WARN
New default value: amqp=WARN, amqplib=WARN, boto=WARN, qpid=WARN, sqlalchemy=WARN, suds=INFO, oslo.messaging=INFO, iso8601=WARN, requests.packages.urllib3.connectionpool=WARN, urllib3.connectionpool=WARN, websocket=WARN, requests.packages.urllib3.util.retry=WARN, urllib3.util.retry=WARN, keystonemiddleware=WARN, routes.middleware=WARN, stevedore=WARN
Option: [DEFAULT] ec2_path
Previous default value: /services/Cloud
New default value: /
Option: [DEFAULT] multi_instance_display_name_template
Previous default value: %(name)s-%(uuid)s
New default value: %(name)s-%(count)d
Option: [DEFAULT] rpc_zmq_matchmaker
Previous default value: oslo.messaging._drivers.matchmaker.MatchMakerLocalhost
New default value: local
Option: [cinder] catalog_info
Previous default value: volume:cinder:publicURL
New default value: volumev2:cinderv2:publicURL
Table 3.63. Deprecated options
Deprecated option
New Option
[DEFAULT] network_device_mtu
None
[DEFAULT] log-format
None
[DEFAULT] use-syslog
None
[cinder] http_timeout
[cinder] timeout
[DEFAULT] use_syslog
None
[ironic] client_log_level
None
[neutron] admin_username
None
[DEFAULT] osapi_max_request_body_size
[oslo_middleware] max_request_body_size
[neutron] ca_certificates_file
[neutron] cafile
[neutron] auth_strategy
None
[neutron] admin_user_id
None
[neutron] admin_tenant_id
None
[DEFAULT] log_format
None
[cinder] api_insecure
[cinder] insecure
[neutron] admin_tenant_name
None
[neutron] admin_password
None
[DEFAULT] share_dhcp_address
None
[neutron] api_insecure
[neutron] insecure
[cinder] ca_certificates_file
[cinder] cafile
[neutron] admin_auth_url
None
[neutron] url_timeout
[neutron] timeout
[neutron] allow_duplicate_networks
None
CHAPTER 4. DASHBOARD
This chapter describes how to configure the OpenStack dashboard with Apache web server.
4.1. CONFIGURE THE DASHBOARD
You can configure the dashboard for a simple HTTP deployment.
You can configure the dashboard for a secured HTTPS deployment. While the standard installation
uses a non-encrypted HTTP channel, you can enable SSL support for the dashboard.
Also, you can configure the size of the VNC window in the dashboard.
4.1.1. Configure the dashboard for HTTP
You can configure the dashboard for a simple HTTP deployment. The standard installation uses a non-encrypted HTTP channel.
1. Specify the host for your OpenStack Identity Service endpoint in the /etc/openstack-dashboard/local_settings file with the OPENSTACK_HOST setting.
The following example shows this setting:
import os

from django.utils.translation import ugettext_lazy as _

DEBUG = False
TEMPLATE_DEBUG = DEBUG
PROD = True
USE_SSL = False

SITE_BRANDING = 'OpenStack Dashboard'

# WEBROOT is the location relative to Webserver root
# should end with a slash.
WEBROOT = '/dashboard/'

# Required for Django 1.5.
# If horizon is running in production (DEBUG is False), set this
# with the list of host/domain names that the application can serve.
# For more information see:
# https://docs.djangoproject.com/en/dev/ref/settings/#allowed-hosts
# Replace the example name with the host/domain names of your dashboard.
ALLOWED_HOSTS = ['horizon.example.com', ]

# Specify a regular expression to validate user passwords.
# HORIZON_CONFIG = {
#     "password_validator": {
#         "regex": '.*',
#         "help_text": _("Your password does not meet the requirements.")
#     }
# }

LOCAL_PATH = os.path.dirname(os.path.abspath(__file__))

CACHES = {
    'default': {
        'BACKEND': 'django.core.cache.backends.memcached.MemcachedCache',
        'LOCATION': '127.0.0.1:11211',
    }
}

# SESSION_ENGINE is a top-level Django setting, so it is set outside CACHES.
SESSION_ENGINE = 'django.contrib.sessions.backends.cache'

# Send email to the console by default
EMAIL_BACKEND = 'django.core.mail.backends.console.EmailBackend'
# Or send them to /dev/null
#EMAIL_BACKEND = 'django.core.mail.backends.dummy.EmailBackend'

# Configure these for your outgoing email host
# EMAIL_HOST = 'smtp.my-company.com'
# EMAIL_PORT = 25
# EMAIL_HOST_USER = 'djangomail'
# EMAIL_HOST_PASSWORD = 'top-secret!'

# For multiple regions uncomment this configuration, and add (endpoint, title).
# AVAILABLE_REGIONS = [
#     ('http://cluster1.example.com:5000/v2.0', 'cluster1'),
#     ('http://cluster2.example.com:5000/v2.0', 'cluster2'),
# ]

OPENSTACK_HOST = "127.0.0.1"
OPENSTACK_KEYSTONE_URL = "http://%s:5000/v2.0" % OPENSTACK_HOST
OPENSTACK_KEYSTONE_DEFAULT_ROLE = "Member"

# The OPENSTACK_KEYSTONE_BACKEND settings can be used to identify the
# capabilities of the auth backend for Keystone.
# If Keystone has been configured to use LDAP as the auth backend then set
# can_edit_user to False and name to 'ldap'.
#
# TODO(tres): Remove these once Keystone has an API to identify auth backend.
OPENSTACK_KEYSTONE_BACKEND = {
    'name': 'native',
    'can_edit_user': True
}

# OPENSTACK_ENDPOINT_TYPE specifies the endpoint type to use for the endpoints
# in the Keystone service catalog. Use this setting when Horizon is running
# external to the OpenStack environment. The default is 'internalURL'.
#OPENSTACK_ENDPOINT_TYPE = "publicURL"

# The number of Swift containers and objects to display on a single page before
# providing a paging element (a "more" link) to paginate results.
API_RESULT_LIMIT = 1000

# If you have external monitoring links, eg:
# EXTERNAL_MONITORING = [
#     ['Nagios','http://foo.com'],
#     ['Ganglia','http://bar.com'],
# ]

LOGGING = {
    'version': 1,
    # When set to True this will disable all logging except
    # for loggers specified in this configuration dictionary. Note that
    # if nothing is specified here and disable_existing_loggers is True,
    # django.db.backends will still log unless it is disabled explicitly.
    'disable_existing_loggers': False,
    'handlers': {
        'null': {
            'level': 'DEBUG',
            'class': 'django.utils.log.NullHandler',
        },
        'console': {
            # Set the level to "DEBUG" for verbose output logging.
            'level': 'INFO',
            'class': 'logging.StreamHandler',
        },
    },
    'loggers': {
        # Logging from django.db.backends is VERY verbose, send to null
        # by default.
        'django.db.backends': {
            'handlers': ['null'],
            'propagate': False,
        },
        'horizon': {
            'handlers': ['console'],
            'propagate': False,
        },
        'novaclient': {
            'handlers': ['console'],
            'propagate': False,
        },
        'keystoneclient': {
            'handlers': ['console'],
            'propagate': False,
        },
        'nose.plugins.manager': {
            'handlers': ['console'],
            'propagate': False,
        }
    }
}
The service catalog configuration in the Identity Service determines whether a service appears
in the dashboard.
2. Restart the Apache HTTP server.
# systemctl restart httpd
Next, restart memcached:
# systemctl restart memcached
4.1.2. Configure the dashboard for HTTPS
You can configure the dashboard for a secured HTTPS deployment. While the standard installation
uses a non-encrypted HTTP channel, you can enable SSL support for the dashboard.
This example uses the http://openstack.example.com domain. Use a domain that fits your
current setup.
1. In the /etc/openstack-dashboard/local_settings file, update the following options:
USE_SSL = True
CSRF_COOKIE_SECURE = True
SESSION_COOKIE_SECURE = True
SESSION_COOKIE_HTTPONLY = True
To enable HTTPS, the USE_SSL = True option is required.
The other options require that HTTPS is enabled; these options defend against cross-site
scripting.
2. Edit the /etc/httpd/conf.d/openstack-dashboard.conf file as shown in Example 4.2,
“After”:
Example 4.1. Before
WSGIScriptAlias / /usr/share/openstack-dashboard/openstack_dashboard/wsgi/django.wsgi
WSGIDaemonProcess horizon user=apache group=apache processes=3 threads=10
Alias /static /usr/share/openstack-dashboard/openstack_dashboard/static/
<Directory /usr/share/openstack-dashboard/openstack_dashboard/wsgi>
    # For Apache http server 2.2 and earlier:
    Order allow,deny
    Allow from all
    # For Apache http server 2.4 and later:
    # Require all granted
</Directory>
Example 4.2. After
<VirtualHost *:80>
    ServerName openstack.example.com
    <IfModule mod_rewrite.c>
        RewriteEngine On
        RewriteCond %{HTTPS} off
        RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
    </IfModule>
    <IfModule !mod_rewrite.c>
        RedirectPermanent / https://openstack.example.com
    </IfModule>
</VirtualHost>
<VirtualHost *:443>
    ServerName openstack.example.com
    SSLEngine On
    # Remember to replace certificates and keys with valid paths in
    # your environment
    SSLCertificateFile /etc/httpd/SSL/openstack.example.com.crt
    SSLCACertificateFile /etc/httpd/SSL/openstack.example.com.crt
    SSLCertificateKeyFile /etc/httpd/SSL/openstack.example.com.key
    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
    # HTTP Strict Transport Security (HSTS) enforces that all communications
    # with a server go over SSL. This mitigates the threat from attacks such
    # as SSL-Strip which replaces links on the wire, stripping away https
    # prefixes and potentially allowing an attacker to view confidential
    # information on the wire
    Header add Strict-Transport-Security "max-age=15768000"
    WSGIScriptAlias / /usr/share/openstack-dashboard/openstack_dashboard/wsgi/django.wsgi
    WSGIDaemonProcess horizon user=apache group=apache processes=3 threads=10
    Alias /static /usr/share/openstack-dashboard/openstack_dashboard/static/
    <Directory /usr/share/openstack-dashboard/openstack_dashboard/wsgi>
        # For Apache http server 2.2 and earlier:
        Order allow,deny
        Allow from all
        # For Apache http server 2.4 and later:
        # Require all granted
    </Directory>
</VirtualHost>
In this configuration, the Apache HTTP server listens on port 443 and redirects all non-secure
requests to the HTTPS protocol. The secured section defines the private key, public key, and
certificate to use.
3. Restart the Apache HTTP server.
# systemctl restart httpd
4. Restart memcached:
# systemctl restart memcached
If you try to access the dashboard through HTTP, the browser redirects you to the HTTPS
page.
NOTE
Configuring the dashboard for HTTPS also requires enabling SSL for the noVNC
proxy service. On the controller node, add the following additional options to
the [DEFAULT] section of the /etc/nova/nova.conf file:
[DEFAULT]
...
ssl_only = true
cert = /etc/apache2/SSL/openstack.example.com.crt
key = /etc/apache2/SSL/openstack.example.com.key
On the compute nodes, ensure the novncproxy_base_url option points to a
URL with an HTTPS scheme:
[DEFAULT]
...
novncproxy_base_url = https://controller:6080/vnc_auto.html
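The following check is an added example, not part of the Red Hat reference. It reads a local_settings file statically (without executing it), reports which of the settings from step 1 are not set to True, also flags DEBUG = True and a wildcard in ALLOWED_HOSTS, and extracts the HSTS max-age from an Apache virtual host; the sample texts are constructed from the values on this page and the function names are hypothetical.

```python
import ast
import re

# Settings that step 1 of the HTTPS procedure sets to True.
HTTPS_FLAGS = (
    "USE_SSL",                  # required to enable HTTPS in the dashboard
    "CSRF_COOKIE_SECURE",       # CSRF cookie is sent over HTTPS only
    "SESSION_COOKIE_SECURE",    # session cookie is sent over HTTPS only
    "SESSION_COOKIE_HTTPONLY",  # session cookie is hidden from page scripts
)

# Constructed samples modelled on the HTTP and HTTPS settings on this page.
HTTP_SETTINGS = '''
DEBUG = False
TEMPLATE_DEBUG = DEBUG
USE_SSL = False
ALLOWED_HOSTS = ['horizon.example.com']
OPENSTACK_HOST = "127.0.0.1"
OPENSTACK_KEYSTONE_URL = "http://%s:5000/v2.0" % OPENSTACK_HOST
'''
HTTPS_SETTINGS = HTTP_SETTINGS.replace("USE_SSL = False", "USE_SSL = True") + '''
CSRF_COOKIE_SECURE = True
SESSION_COOKIE_SECURE = True
SESSION_COOKIE_HTTPONLY = True
'''
VHOST_443 = '''
<VirtualHost *:443>
    ServerName openstack.example.com
    SSLEngine On
    Header add Strict-Transport-Security "max-age=15768000"
</VirtualHost>
'''


def read_settings(source):
    """Collect top-level NAME = literal assignments without running the file."""
    values = {}
    for node in ast.parse(source).body:
        if not (isinstance(node, ast.Assign) and len(node.targets) == 1):
            continue
        target = node.targets[0]
        if not isinstance(target, ast.Name):
            continue
        try:
            values[target.id] = ast.literal_eval(node.value)
        except (ValueError, TypeError):
            # Computed values, such as "http://%s..." % OPENSTACK_HOST,
            # cannot be judged statically and are left out.
            values.pop(target.id, None)
    return values


def audit_local_settings(source):
    """Return the setting names that deviate from the page's HTTPS setup."""
    values = read_settings(source)
    problems = [name for name in HTTPS_FLAGS if values.get(name) is not True]
    if values.get("DEBUG") is True:
        problems.append("DEBUG")
    hosts = values.get("ALLOWED_HOSTS")
    if isinstance(hosts, (list, tuple)) and "*" in hosts:
        problems.append("ALLOWED_HOSTS")
    return problems


def hsts_max_age(apache_conf):
    """Return the HSTS max-age in seconds from an Apache config, or None."""
    match = re.search(
        r'^\s*Header\s+(?:\S+\s+){1,2}Strict-Transport-Security\s+"max-age=(\d+)',
        apache_conf, re.IGNORECASE | re.MULTILINE)
    return int(match.group(1)) if match else None


if __name__ == "__main__":
    print("HTTP settings:", audit_local_settings(HTTP_SETTINGS))
    print("HTTPS settings:", audit_local_settings(HTTPS_SETTINGS))
    print("HSTS max-age:", hsts_max_age(VHOST_443))
```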
4.2. ADDITIONAL SAMPLE CONFIGURATION FILES
Find the following files in /etc/openstack-dashboard.
4.2.1. keystone_policy.json
The keystone_policy.json file defines additional access controls for the dashboard that apply to
the Identity service.
NOTE
The keystone_policy.json file must match the Identity service
/etc/keystone/policy.json policy file.
{
"admin_required": [
[
"role:admin"
],
[
"is_admin:1"
]
],
"service_role": [
[
"role:service"
]
],
"service_or_admin": [
[
"rule:admin_required"
],
[
"rule:service_role"
]
],
"owner": [
[
"user_id:%(user_id)s"
]
],
"admin_or_owner": [
[
"rule:admin_required"
],
[
"rule:owner"
]
],
"default": [
[
"rule:admin_required"
]
],
"identity:get_service": [
[
"rule:admin_required"
]
],
"identity:list_services": [
[
"rule:admin_required"
]
],
"identity:create_service": [
[
"rule:admin_required"
]
],
"identity:update_service": [
[
"rule:admin_required"
]
],
"identity:delete_service": [
[
"rule:admin_required"
]
],
"identity:get_endpoint": [
[
"rule:admin_required"
]
],
"identity:list_endpoints": [
[
"rule:admin_required"
]
],
"identity:create_endpoint": [
[
"rule:admin_required"
]
],
"identity:update_endpoint": [
[
"rule:admin_required"
]
],
"identity:delete_endpoint": [
[
"rule:admin_required"
]
],
"identity:get_domain": [
[
"rule:admin_required"
]
],
"identity:list_domains": [
[
"rule:admin_required"
]
],
"identity:create_domain": [
[
"rule:admin_required"
]
],
"identity:update_domain": [
[
"rule:admin_required"
]
],
"identity:delete_domain": [
[
"rule:admin_required"
]
],
"identity:get_project": [
[
"rule:admin_required"
]
],
"identity:list_projects": [
[
"rule:admin_required"
]
],
"identity:list_user_projects": [
[
"rule:admin_or_owner"
]
],
"identity:create_project": [
[
"rule:admin_required"
]
],
"identity:update_project": [
[
"rule:admin_required"
]
],
"identity:delete_project": [
[
"rule:admin_required"
]
],
"identity:get_user": [
[
"rule:admin_required"
]
],
"identity:list_users": [
[
"rule:admin_required"
]
],
"identity:create_user": [
[
"rule:admin_required"
]
],
"identity:update_user": [
[
"rule:admin_or_owner"
]
],
"identity:delete_user": [
[
"rule:admin_required"
]
],
"identity:get_group": [
[
"rule:admin_required"
]
],
"identity:list_groups": [
[
"rule:admin_required"
]
],
"identity:list_groups_for_user": [
[
"rule:admin_or_owner"
]
],
"identity:create_group": [
[
"rule:admin_required"
]
],
"identity:update_group": [
[
"rule:admin_required"
]
],
"identity:delete_group": [
[
"rule:admin_required"
]
],
"identity:list_users_in_group": [
[
"rule:admin_required"
]
],
"identity:remove_user_from_group": [
[
"rule:admin_required"
]
],
"identity:check_user_in_group": [
[
"rule:admin_required"
]
],
"identity:add_user_to_group": [
[
"rule:admin_required"
]
],
"identity:get_credential": [
[
"rule:admin_required"
]
],
"identity:list_credentials": [
[
"rule:admin_required"
]
],
"identity:create_credential": [
[
"rule:admin_required"
]
],
"identity:update_credential": [
[
"rule:admin_required"
]
],
"identity:delete_credential": [
[
"rule:admin_required"
]
],
"identity:get_role": [
[
"rule:admin_required"
]
],
"identity:list_roles": [
[
"rule:admin_required"
]
],
"identity:create_role": [
[
"rule:admin_required"
]
],
"identity:update_role": [
[
"rule:admin_required"
]
],
"identity:delete_role": [
[
"rule:admin_required"
]
],
"identity:check_grant": [
[
"rule:admin_required"
]
],
"identity:list_grants": [
[
"rule:admin_required"
]
],
"identity:create_grant": [
[
"rule:admin_required"
]
],
"identity:revoke_grant": [
[
"rule:admin_required"
]
],
"identity:list_role_assignments": [
[
"rule:admin_required"
]
],
"identity:get_policy": [
[
"rule:admin_required"
]
],
"identity:list_policies": [
[
"rule:admin_required"
]
],
"identity:create_policy": [
[
"rule:admin_required"
]
],
"identity:update_policy": [
[
"rule:admin_required"
]
],
"identity:delete_policy": [
[
"rule:admin_required"
]
],
"identity:check_token": [
[
"rule:admin_required"
]
],
"identity:validate_token": [
[
"rule:service_or_admin"
]
],
"identity:validate_token_head": [
[
"rule:service_or_admin"
]
],
"identity:revocation_list": [
[
"rule:service_or_admin"
]
],
"identity:revoke_token": [
[
"rule:admin_or_owner"
]
],
"identity:create_trust": [
[
"user_id:%(trust.trustor_user_id)s"
]
],
"identity:get_trust": [
[
"rule:admin_or_owner"
]
],
"identity:list_trusts": [
[
"@"
]
],
"identity:list_roles_for_trust": [
[
"@"
]
],
"identity:check_role_for_trust": [
[
"@"
]
],
"identity:get_role_for_trust": [
[
"@"
]
],
"identity:delete_trust": [
[
"@"
]
]
}
4.2.2. nova_policy.json
The nova_policy.json file defines additional access controls for the dashboard that apply to the
Compute service.
NOTE
The nova_policy.json file must match the Compute /etc/nova/policy.json
policy file.
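The notes in sections 4.2.1 and 4.2.2 require each dashboard policy file to match the corresponding service policy file. The following check is an added example, not part of the Red Hat reference: it parses both files, records keys that are defined more than once (a JSON parser silently keeps only the last definition, and the listing below defines "compute:delete" twice), and reports rules that differ. Both embedded policy texts are constructed and the function names are hypothetical.

```python
import json

# Constructed excerpt of a dashboard nova_policy.json; "compute:delete" is
# defined twice, as in the listing that follows.
DASHBOARD_POLICY = '''{
    "admin_or_owner": "is_admin:True or project_id:%(project_id)s",
    "compute:start": "rule:admin_or_owner",
    "compute:delete": "rule:admin_or_owner",
    "compute:get_all_tenants": "",
    "compute:delete": ""
}'''

# Constructed stand-in for the service's /etc/nova/policy.json.
SERVICE_POLICY = '''{
    "admin_or_owner": "is_admin:True or project_id:%(project_id)s",
    "compute:start": "rule:admin_or_owner",
    "compute:stop": "rule:admin_or_owner",
    "compute:delete": "rule:admin_or_owner",
    "compute:get_all_tenants": "is_admin:True"
}'''


def parse_policy(text):
    """Return (rules, duplicates); duplicates maps a key to every value it had."""
    duplicates = {}

    def collect(pairs):
        rules = {}
        for key, value in pairs:
            if key in rules:
                duplicates.setdefault(key, [rules[key]]).append(value)
            rules[key] = value  # the last definition wins, as in json.loads
        return rules

    return json.loads(text, object_pairs_hook=collect), duplicates


def compare_policies(dashboard_text, service_text):
    """Report duplicate keys and drift between dashboard and service policy."""
    dashboard, dashboard_dups = parse_policy(dashboard_text)
    service, service_dups = parse_policy(service_text)
    shared = set(dashboard) & set(service)
    return {
        "duplicates_in_dashboard": dashboard_dups,
        "duplicates_in_service": service_dups,
        "only_in_dashboard": sorted(set(dashboard) - set(service)),
        "only_in_service": sorted(set(service) - set(dashboard)),
        # (dashboard value, service value) for every rule that differs.
        "different": {key: (dashboard[key], service[key])
                      for key in sorted(shared)
                      if dashboard[key] != service[key]},
    }


if __name__ == "__main__":
    report = compare_policies(DASHBOARD_POLICY, SERVICE_POLICY)
    for name, detail in report.items():
        print(name, "->", detail)
```

In the constructed dashboard file the second "compute:delete" definition replaces "rule:admin_or_owner" with an empty rule, which places no restriction on the action, so the check reports it both as a duplicate and as a difference from the service file.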
{
"context_is_admin": "role:admin",
"admin_or_owner": "is_admin:True or project_id:%(project_id)s",
"default": "rule:admin_or_owner",
"cells_scheduler_filter:TargetCellFilter": "is_admin:True",
"compute:create": "",
"compute:create:attach_network": "",
"compute:create:attach_volume": "",
"compute:create:forced_host": "is_admin:True",
"compute:get": "",
"compute:get_all": "",
"compute:get_all_tenants": "",
"compute:update": "",
"compute:get_instance_metadata": "",
"compute:get_all_instance_metadata": "",
"compute:get_all_instance_system_metadata": "",
"compute:update_instance_metadata": "",
"compute:delete_instance_metadata": "",
"compute:get_instance_faults": "",
"compute:get_diagnostics": "",
"compute:get_instance_diagnostics": "",
"compute:start": "rule:admin_or_owner",
"compute:stop": "rule:admin_or_owner",
"compute:get_lock": "",
"compute:lock": "",
"compute:unlock": "",
"compute:unlock_override": "rule:admin_api",
"compute:get_vnc_console": "",
"compute:get_spice_console": "",
"compute:get_rdp_console": "",
"compute:get_serial_console": "",
"compute:get_mks_console": "",
"compute:get_console_output": "",
"compute:reset_network": "",
"compute:inject_network_info": "",
"compute:add_fixed_ip": "",
"compute:remove_fixed_ip": "",
"compute:attach_volume": "",
"compute:detach_volume": "",
"compute:swap_volume": "",
"compute:attach_interface": "",
"compute:detach_interface": "",
"compute:set_admin_password": "",
"compute:rescue": "",
"compute:unrescue": "",
"compute:suspend": "",
"compute:resume": "",
"compute:pause": "",
"compute:unpause": "",
"compute:shelve": "",
"compute:shelve_offload": "",
"compute:unshelve": "",
"compute:snapshot": "",
"compute:snapshot_volume_backed": "",
"compute:backup": "",
"compute:resize": "",
"compute:confirm_resize": "",
"compute:revert_resize": "",
"compute:rebuild": "",
"compute:reboot": "",
"compute:delete": "rule:admin_or_owner",
"compute:soft_delete": "rule:admin_or_owner",
"compute:force_delete": "rule:admin_or_owner",
"compute:security_groups:add_to_instance": "",
"compute:security_groups:remove_from_instance": "",
"compute:delete": "",
"compute:soft_delete": "",
"compute:force_delete": "",
"compute:restore": "",
"compute:volume_snapshot_create": "",
"compute:volume_snapshot_delete": "",
"admin_api": "is_admin:True",
"compute_extension:accounts": "rule:admin_api",
"compute_extension:admin_actions": "rule:admin_api",
"compute_extension:admin_actions:pause": "rule:admin_or_owner",
"compute_extension:admin_actions:unpause": "rule:admin_or_owner",
"compute_extension:admin_actions:suspend": "rule:admin_or_owner",
"compute_extension:admin_actions:resume": "rule:admin_or_owner",
"compute_extension:admin_actions:lock": "rule:admin_or_owner",
"compute_extension:admin_actions:unlock": "rule:admin_or_owner",
"compute_extension:admin_actions:resetNetwork": "rule:admin_api",
"compute_extension:admin_actions:injectNetworkInfo": "rule:admin_api",
"compute_extension:admin_actions:createBackup": "rule:admin_or_owner",
"compute_extension:admin_actions:migrateLive": "rule:admin_api",
"compute_extension:admin_actions:resetState": "rule:admin_api",
"compute_extension:admin_actions:migrate": "rule:admin_api",
"compute_extension:v3:os-admin-actions": "rule:admin_api",
"compute_extension:v3:os-admin-actions:pause": "rule:admin_or_owner",
"compute_extension:v3:os-admin-actions:unpause":
"rule:admin_or_owner",
"compute_extension:v3:os-admin-actions:suspend":
"rule:admin_or_owner",
"compute_extension:v3:os-admin-actions:resume": "rule:admin_or_owner",
"compute_extension:v3:os-admin-actions:lock": "rule:admin_or_owner",
"compute_extension:v3:os-admin-actions:unlock": "rule:admin_or_owner",
"compute_extension:v3:os-admin-actions:reset_network":
"rule:admin_api",
"compute_extension:v3:os-admin-actions:inject_network_info":
"rule:admin_api",
"compute_extension:v3:os-admin-actions:create_backup":
"rule:admin_or_owner",
"compute_extension:v3:os-admin-actions:migrate_live":
"rule:admin_api",
"compute_extension:v3:os-admin-actions:reset_state": "rule:admin_api",
"compute_extension:v3:os-admin-actions:migrate": "rule:admin_api",
"compute_extension:v3:os-admin-password": "",
"compute_extension:aggregates": "rule:admin_api",
"compute_extension:v3:os-aggregates": "rule:admin_api",
"compute_extension:agents": "rule:admin_api",
"compute_extension:v3:os-agents": "rule:admin_api",
"compute_extension:attach_interfaces": "",
"compute_extension:v3:os-attach-interfaces": "",
"compute_extension:baremetal_nodes": "rule:admin_api",
"compute_extension:v3:os-baremetal-nodes": "rule:admin_api",
"compute_extension:cells": "rule:admin_api",
"compute_extension:v3:os-cells": "rule:admin_api",
"compute_extension:cells:create": "rule:admin_api",
"compute_extension:cells:delete": "rule:admin_api",
"compute_extension:cells:update": "rule:admin_api",
"compute_extension:cells:sync_instances": "rule:admin_api",
"compute_extension:certificates": "",
"compute_extension:v3:os-certificates": "",
"compute_extension:cloudpipe": "rule:admin_api",
"compute_extension:cloudpipe_update": "rule:admin_api",
"compute_extension:config_drive": "",
"compute_extension:console_output": "",
"compute_extension:v3:consoles:discoverable": "",
"compute_extension:v3:os-console-output": "",
"compute_extension:consoles": "",
"compute_extension:v3:os-remote-consoles": "",
"compute_extension:coverage_ext": "rule:admin_api",
"compute_extension:v3:os-coverage": "rule:admin_api",
"compute_extension:createserverext": "",
"compute_extension:deferred_delete": "",
"compute_extension:v3:os-deferred-delete": "",
"compute_extension:disk_config": "",
"compute_extension:evacuate": "rule:admin_api",
"compute_extension:v3:os-evacuate": "rule:admin_api",
"compute_extension:extended_server_attributes": "rule:admin_api",
"compute_extension:v3:os-extended-server-attributes":
"rule:admin_api",
"compute_extension:extended_status": "",
"compute_extension:v3:os-extended-status": "",
"compute_extension:extended_availability_zone": "",
"compute_extension:v3:os-extended-availability-zone": "",
"compute_extension:extended_ips": "",
"compute_extension:extended_ips_mac": "",
"compute_extension:extended_vif_net": "",
"compute_extension:v3:extension_info:discoverable": "",
"compute_extension:extended_volumes": "",
"compute_extension:v3:os-extended-volumes": "",
"compute_extension:v3:os-extended-volumes:attach": "",
"compute_extension:v3:os-extended-volumes:detach": "",
"compute_extension:fixed_ips": "rule:admin_api",
"compute_extension:v3:os-fixed-ips:discoverable": "",
"compute_extension:v3:os-fixed-ips": "rule:admin_api",
"compute_extension:flavor_access": "",
"compute_extension:v3:os-flavor-access": "",
"compute_extension:flavor_access:addTenantAccess": "rule:admin_api",
"compute_extension:flavor_access:removeTenantAccess":
"rule:admin_api",
"compute_extension:flavor_disabled": "",
"compute_extension:v3:os-flavor-disabled": "",
"compute_extension:flavor_rxtx": "",
"compute_extension:v3:os-flavor-rxtx": "",
"compute_extension:flavor_swap": "",
"compute_extension:flavorextradata": "",
"compute_extension:flavorextraspecs:index": "",
"compute_extension:flavorextraspecs:show": "",
"compute_extension:flavorextraspecs:create": "rule:admin_api",
"compute_extension:flavorextraspecs:update": "rule:admin_api",
"compute_extension:flavorextraspecs:delete": "rule:admin_api",
"compute_extension:v3:flavor-extra-specs:index": "",
"compute_extension:v3:flavor-extra-specs:show": "",
"compute_extension:v3:flavor-extra-specs:create": "rule:admin_api",
"compute_extension:v3:flavor-extra-specs:update": "rule:admin_api",
"compute_extension:v3:flavor-extra-specs:delete": "rule:admin_api",
"compute_extension:flavormanage": "rule:admin_api",
"compute_extension:floating_ip_dns": "",
"compute_extension:floating_ip_pools": "",
"compute_extension:floating_ips": "",
"compute_extension:floating_ips_bulk": "rule:admin_api",
"compute_extension:fping": "",
"compute_extension:fping:all_tenants": "rule:admin_api",
"compute_extension:hide_server_addresses": "is_admin:False",
"compute_extension:v3:os-hide-server-addresses": "is_admin:False",
"compute_extension:hosts": "rule:admin_api",
"compute_extension:v3:os-hosts": "rule:admin_api",
"compute_extension:hypervisors": "rule:admin_api",
"compute_extension:v3:os-hypervisors": "rule:admin_api",
"compute_extension:image_size": "",
"compute_extension:v3:os-image-metadata": "",
"compute_extension:v3:os-images": "",
"compute_extension:instance_actions": "",
"compute_extension:v3:os-instance-actions": "",
"compute_extension:instance_actions:events": "rule:admin_api",
"compute_extension:v3:os-instance-actions:events": "rule:admin_api",
"compute_extension:instance_usage_audit_log": "rule:admin_api",
"compute_extension:v3:os-instance-usage-audit-log": "rule:admin_api",
"compute_extension:v3:ips:discoverable": "",
"compute_extension:keypairs": "",
"compute_extension:keypairs:index": "",
"compute_extension:keypairs:show": "",
"compute_extension:keypairs:create": "",
"compute_extension:keypairs:delete": "",
"compute_extension:v3:os-keypairs:discoverable": "",
"compute_extension:v3:os-keypairs": "",
"compute_extension:v3:os-keypairs:index": "",
"compute_extension:v3:os-keypairs:show": "",
"compute_extension:v3:os-keypairs:create": "",
"compute_extension:v3:os-keypairs:delete": "",
"compute_extension:multinic": "",
"compute_extension:v3:os-multinic": "",
"compute_extension:networks": "rule:admin_api",
"compute_extension:networks:view": "",
"compute_extension:networks_associate": "rule:admin_api",
"compute_extension:quotas:show": "",
"compute_extension:quotas:update": "rule:admin_api",
"compute_extension:quotas:delete": "rule:admin_api",
"compute_extension:v3:os-quota-sets:show": "",
"compute_extension:v3:os-quota-sets:update": "rule:admin_api",
"compute_extension:v3:os-quota-sets:delete": "rule:admin_api",
"compute_extension:quota_classes": "",
"compute_extension:v3:os-quota-class-sets": "",
"compute_extension:rescue": "",
"compute_extension:v3:os-rescue": "",
"compute_extension:security_group_default_rules": "rule:admin_api",
"compute_extension:security_groups": "",
"compute_extension:v3:os-security-groups": "",
"compute_extension:server_diagnostics": "rule:admin_api",
"compute_extension:v3:os-server-diagnostics": "rule:admin_api",
"compute_extension:server_password": "",
"compute_extension:v3:os-server-password": "",
"compute_extension:server_usage": "",
"compute_extension:v3:os-server-usage": "",
"compute_extension:services": "rule:admin_api",
"compute_extension:v3:os-services": "rule:admin_api",
"compute_extension:v3:servers:discoverable": "",
"compute_extension:shelve": "",
"compute_extension:shelveOffload": "rule:admin_api",
"compute_extension:v3:os-shelve:shelve": "",
"compute_extension:v3:os-shelve:shelve_offload": "rule:admin_api",
"compute_extension:simple_tenant_usage:show": "rule:admin_or_owner",
"compute_extension:v3:os-simple-tenant-usage:show":
"rule:admin_or_owner",
"compute_extension:simple_tenant_usage:list": "rule:admin_api",
"compute_extension:v3:os-simple-tenant-usage:list": "rule:admin_api",
"compute_extension:unshelve": "",
"compute_extension:v3:os-shelve:unshelve": "",
"compute_extension:users": "rule:admin_api",
"compute_extension:virtual_interfaces": "",
"compute_extension:virtual_storage_arrays": "",
"compute_extension:volumes": "",
"compute_extension:volume_attachments:index": "",
"compute_extension:volume_attachments:show": "",
"compute_extension:volume_attachments:create": "",
"compute_extension:volume_attachments:update": "",
"compute_extension:volume_attachments:delete": "",
"compute_extension:volumetypes": "",
"compute_extension:availability_zone:list": "",
"compute_extension:v3:os-availability-zone:list": "",
"compute_extension:availability_zone:detail": "rule:admin_api",
"compute_extension:v3:os-availability-zone:detail": "rule:admin_api",
"compute_extension:used_limits_for_admin": "rule:admin_api",
"compute_extension:v3:os-used-limits": "",
"compute_extension:v3:os-used-limits:tenant": "rule:admin_api",
"compute_extension:migrations:index": "rule:admin_api",
"compute_extension:v3:os-migrations:index": "rule:admin_api",
"compute_extension:os-assisted-volume-snapshots:create":
"rule:admin_api",
"compute_extension:os-assisted-volume-snapshots:delete":
"rule:admin_api",
"compute_extension:console_auth_tokens": "rule:admin_api",
"compute_extension:os-server-external-events:create":
"rule:admin_api",
"volume:create": "",
"volume:get_all": "",
"volume:get_volume_metadata": "",
"volume:get_snapshot": "",
"volume:get_all_snapshots": "",
"volume_extension:types_manage": "rule:admin_api",
"volume_extension:types_extra_specs": "rule:admin_api",
"volume_extension:volume_admin_actions:reset_status":
"rule:admin_api",
"volume_extension:snapshot_admin_actions:reset_status":
"rule:admin_api",
"volume_extension:volume_admin_actions:force_delete":
"rule:admin_api",
"network:get_all": "",
"network:get": "",
"network:create": "",
"network:delete": "",
"network:associate": "",
"network:disassociate": "",
"network:get_vifs_by_instance": "",
"network:allocate_for_instance": "",
"network:deallocate_for_instance": "",
"network:validate_networks": "",
"network:get_instance_uuids_by_ip_filter": "",
"network:get_instance_id_by_floating_address": "",
"network:setup_networks_on_host": "",
"network:get_backdoor_port": "",
"network:get_floating_ip": "",
"network:get_floating_ip_pools": "",
"network:get_floating_ip_by_address": "",
"network:get_floating_ips_by_project": "",
"network:get_floating_ips_by_fixed_address": "",
"network:allocate_floating_ip": "",
"network:deallocate_floating_ip": "",
"network:associate_floating_ip": "",
"network:disassociate_floating_ip": "",
"network:release_floating_ip": "",
"network:migrate_instance_start": "",
"network:migrate_instance_finish": "",
"network:get_fixed_ip": "",
"network:get_fixed_ip_by_address": "",
"network:add_fixed_ip_to_instance": "",
"network:remove_fixed_ip_from_instance": "",
"network:add_network_to_project": "",
"network:get_instance_nw_info": "",
"network:get_dns_domains": "",
"network:add_dns_entry": "",
"network:modify_dns_entry": "",
"network:delete_dns_entry": "",
"network:get_dns_entries_by_address": "",
"network:get_dns_entries_by_name": "",
"network:create_private_dns_domain": "",
"network:create_public_dns_domain": "",
"network:delete_dns_domain": "",
"network:attach_external_network": "rule:admin_api",
"network:get_vif_by_mac_address": "",
"os_compute_api:servers:detail:get_all_tenants": "is_admin:True",
"os_compute_api:servers:index:get_all_tenants": "is_admin:True",
"os_compute_api:servers:confirm_resize": "",
"os_compute_api:servers:create": "",
"os_compute_api:servers:create:attach_network": "",
"os_compute_api:servers:create:attach_volume": "",
"os_compute_api:servers:create:forced_host": "rule:admin_api",
"os_compute_api:servers:delete": "",
"os_compute_api:servers:update": "",
"os_compute_api:servers:detail": "",
"os_compute_api:servers:index": "",
"os_compute_api:servers:reboot": "",
"os_compute_api:servers:rebuild": "",
"os_compute_api:servers:resize": "",
"os_compute_api:servers:revert_resize": "",
"os_compute_api:servers:show": "",
"os_compute_api:servers:create_image": "",
"os_compute_api:servers:create_image:allow_volume_backed": "",
"os_compute_api:servers:start": "rule:admin_or_owner",
"os_compute_api:servers:stop": "rule:admin_or_owner",
"os_compute_api:os-access-ips:discoverable": "",
"os_compute_api:os-access-ips": "",
"os_compute_api:os-admin-actions": "rule:admin_api",
"os_compute_api:os-admin-actions:discoverable": "",
"os_compute_api:os-admin-actions:reset_network": "rule:admin_api",
"os_compute_api:os-admin-actions:inject_network_info":
"rule:admin_api",
"os_compute_api:os-admin-actions:reset_state": "rule:admin_api",
"os_compute_api:os-admin-password": "",
"os_compute_api:os-admin-password:discoverable": "",
"os_compute_api:os-aggregates:discoverable": "",
"os_compute_api:os-aggregates:index": "rule:admin_api",
"os_compute_api:os-aggregates:create": "rule:admin_api",
"os_compute_api:os-aggregates:show": "rule:admin_api",
"os_compute_api:os-aggregates:update": "rule:admin_api",
"os_compute_api:os-aggregates:delete": "rule:admin_api",
"os_compute_api:os-aggregates:add_host": "rule:admin_api",
"os_compute_api:os-aggregates:remove_host": "rule:admin_api",
"os_compute_api:os-aggregates:set_metadata": "rule:admin_api",
"os_compute_api:os-agents": "rule:admin_api",
"os_compute_api:os-agents:discoverable": "",
"os_compute_api:os-attach-interfaces": "",
"os_compute_api:os-attach-interfaces:discoverable": "",
"os_compute_api:os-baremetal-nodes": "rule:admin_api",
"os_compute_api:os-baremetal-nodes:discoverable": "",
"os_compute_api:os-block-device-mapping-v1:discoverable": "",
"os_compute_api:os-cells": "rule:admin_api",
"os_compute_api:os-cells:create": "rule:admin_api",
"os_compute_api:os-cells:delete": "rule:admin_api",
"os_compute_api:os-cells:update": "rule:admin_api",
"os_compute_api:os-cells:sync_instances": "rule:admin_api",
"os_compute_api:os-cells:discoverable": "",
"os_compute_api:os-certificates:create": "",
"os_compute_api:os-certificates:show": "",
"os_compute_api:os-certificates:discoverable": "",
"os_compute_api:os-cloudpipe": "rule:admin_api",
"os_compute_api:os-cloudpipe:discoverable": "",
"os_compute_api:os-config-drive": "",
"os_compute_api:os-consoles:discoverable": "",
"os_compute_api:os-consoles:create": "",
"os_compute_api:os-consoles:delete": "",
"os_compute_api:os-consoles:index": "",
"os_compute_api:os-consoles:show": "",
"os_compute_api:os-console-output:discoverable": "",
"os_compute_api:os-console-output": "",
"os_compute_api:os-remote-consoles": "",
"os_compute_api:os-remote-consoles:discoverable": "",
"os_compute_api:os-create-backup:discoverable": "",
"os_compute_api:os-create-backup": "rule:admin_or_owner",
"os_compute_api:os-deferred-delete": "",
"os_compute_api:os-deferred-delete:discoverable": "",
"os_compute_api:os-disk-config": "",
"os_compute_api:os-disk-config:discoverable": "",
"os_compute_api:os-evacuate": "rule:admin_api",
"os_compute_api:os-evacuate:discoverable": "",
"os_compute_api:os-extended-server-attributes": "rule:admin_api",
"os_compute_api:os-extended-server-attributes:discoverable": "",
"os_compute_api:os-extended-status": "",
"os_compute_api:os-extended-status:discoverable": "",
"os_compute_api:os-extended-availability-zone": "",
"os_compute_api:os-extended-availability-zone:discoverable": "",
"os_compute_api:extensions": "",
"os_compute_api:extension_info:discoverable": "",
"os_compute_api:os-extended-volumes": "",
"os_compute_api:os-extended-volumes:discoverable": "",
"os_compute_api:os-fixed-ips": "rule:admin_api",
"os_compute_api:os-fixed-ips:discoverable": "",
"os_compute_api:os-flavor-access": "",
"os_compute_api:os-flavor-access:discoverable": "",
"os_compute_api:os-flavor-access:remove_tenant_access":
"rule:admin_api",
"os_compute_api:os-flavor-access:add_tenant_access": "rule:admin_api",
"os_compute_api:os-flavor-rxtx": "",
"os_compute_api:os-flavor-rxtx:discoverable": "",
"os_compute_api:flavors:discoverable": "",
"os_compute_api:os-flavor-extra-specs:discoverable": "",
"os_compute_api:os-flavor-extra-specs:index": "",
"os_compute_api:os-flavor-extra-specs:show": "",
"os_compute_api:os-flavor-extra-specs:create": "rule:admin_api",
"os_compute_api:os-flavor-extra-specs:update": "rule:admin_api",
"os_compute_api:os-flavor-extra-specs:delete": "rule:admin_api",
"os_compute_api:os-flavor-manage:discoverable": "",
"os_compute_api:os-flavor-manage": "rule:admin_api",
"os_compute_api:os-floating-ip-dns": "",
"os_compute_api:os-floating-ip-dns:discoverable": "",
"os_compute_api:os-floating-ip-dns:domain:update": "rule:admin_api",
"os_compute_api:os-floating-ip-dns:domain:delete": "rule:admin_api",
"os_compute_api:os-floating-ip-pools": "",
"os_compute_api:os-floating-ip-pools:discoverable": "",
"os_compute_api:os-floating-ips": "",
"os_compute_api:os-floating-ips:discoverable": "",
"os_compute_api:os-floating-ips-bulk": "rule:admin_api",
"os_compute_api:os-floating-ips-bulk:discoverable": "",
"os_compute_api:os-fping": "",
"os_compute_api:os-fping:discoverable": "",
"os_compute_api:os-fping:all_tenants": "rule:admin_api",
"os_compute_api:os-hide-server-addresses": "is_admin:False",
"os_compute_api:os-hide-server-addresses:discoverable": "",
"os_compute_api:os-hosts": "rule:admin_api",
"os_compute_api:os-hosts:discoverable": "",
"os_compute_api:os-hypervisors": "rule:admin_api",
"os_compute_api:os-hypervisors:discoverable": "",
"os_compute_api:images:discoverable": "",
"os_compute_api:image-size": "",
"os_compute_api:image-size:discoverable": "",
"os_compute_api:os-instance-actions": "",
"os_compute_api:os-instance-actions:discoverable": "",
"os_compute_api:os-instance-actions:events": "rule:admin_api",
"os_compute_api:os-instance-usage-audit-log": "rule:admin_api",
"os_compute_api:os-instance-usage-audit-log:discoverable": "",
"os_compute_api:ips:discoverable": "",
"os_compute_api:ips:index": "rule:admin_or_owner",
"os_compute_api:ips:show": "rule:admin_or_owner",
"os_compute_api:os-keypairs:discoverable": "",
"os_compute_api:os-keypairs": "",
"os_compute_api:os-keypairs:index": "rule:admin_api or user_id:%
(user_id)s",
"os_compute_api:os-keypairs:show": "rule:admin_api or user_id:%
(user_id)s",
"os_compute_api:os-keypairs:create": "rule:admin_api or user_id:%
(user_id)s",
"os_compute_api:os-keypairs:delete": "rule:admin_api or user_id:%
(user_id)s",
"os_compute_api:limits:discoverable": "",
"os_compute_api:limits": "",
"os_compute_api:os-lock-server:discoverable": "",
"os_compute_api:os-lock-server:lock": "rule:admin_or_owner",
"os_compute_api:os-lock-server:unlock": "rule:admin_or_owner",
"os_compute_api:os-lock-server:unlock:unlock_override":
"rule:admin_api",
"os_compute_api:os-migrate-server:discoverable": "",
"os_compute_api:os-migrate-server:migrate": "rule:admin_api",
"os_compute_api:os-migrate-server:migrate_live": "rule:admin_api",
"os_compute_api:os-multinic": "",
"os_compute_api:os-multinic:discoverable": "",
"os_compute_api:os-networks": "rule:admin_api",
"os_compute_api:os-networks:view": "",
"os_compute_api:os-networks:discoverable": "",
"os_compute_api:os-networks-associate": "rule:admin_api",
"os_compute_api:os-networks-associate:discoverable": "",
"os_compute_api:os-pause-server:discoverable": "",
"os_compute_api:os-pause-server:pause": "rule:admin_or_owner",
"os_compute_api:os-pause-server:unpause": "rule:admin_or_owner",
"os_compute_api:os-pci:pci_servers": "",
"os_compute_api:os-pci:discoverable": "",
"os_compute_api:os-pci:index": "rule:admin_api",
"os_compute_api:os-pci:detail": "rule:admin_api",
"os_compute_api:os-pci:show": "rule:admin_api",
"os_compute_api:os-personality:discoverable": "",
"os_compute_api:os-preserve-ephemeral-rebuild:discoverable": "",
"os_compute_api:os-quota-sets:discoverable": "",
"os_compute_api:os-quota-sets:show": "rule:admin_or_owner",
"os_compute_api:os-quota-sets:defaults": "",
"os_compute_api:os-quota-sets:update": "rule:admin_api",
"os_compute_api:os-quota-sets:delete": "rule:admin_api",
"os_compute_api:os-quota-sets:detail": "rule:admin_api",
"os_compute_api:os-quota-class-sets:update": "rule:admin_api",
"os_compute_api:os-quota-class-sets:show": "is_admin:True or
quota_class:%(quota_class)s",
"os_compute_api:os-quota-class-sets:discoverable": "",
"os_compute_api:os-rescue": "",
"os_compute_api:os-rescue:discoverable": "",
"os_compute_api:os-scheduler-hints:discoverable": "",
"os_compute_api:os-security-group-default-rules:discoverable": "",
"os_compute_api:os-security-group-default-rules": "rule:admin_api",
"os_compute_api:os-security-groups": "",
"os_compute_api:os-security-groups:discoverable": "",
"os_compute_api:os-server-diagnostics": "rule:admin_api",
"os_compute_api:os-server-diagnostics:discoverable": "",
"os_compute_api:os-server-password": "",
"os_compute_api:os-server-password:discoverable": "",
"os_compute_api:os-server-usage": "",
"os_compute_api:os-server-usage:discoverable": "",
"os_compute_api:os-server-groups": "",
"os_compute_api:os-server-groups:discoverable": "",
"os_compute_api:os-services": "rule:admin_api",
"os_compute_api:os-services:discoverable": "",
"os_compute_api:server-metadata:discoverable": "",
"os_compute_api:server-metadata:index": "rule:admin_or_owner",
"os_compute_api:server-metadata:show": "rule:admin_or_owner",
"os_compute_api:server-metadata:delete": "rule:admin_or_owner",
"os_compute_api:server-metadata:create": "rule:admin_or_owner",
"os_compute_api:server-metadata:update": "rule:admin_or_owner",
"os_compute_api:server-metadata:update_all": "rule:admin_or_owner",
"os_compute_api:servers:discoverable": "",
"os_compute_api:os-shelve:shelve": "",
"os_compute_api:os-shelve:shelve:discoverable": "",
"os_compute_api:os-shelve:shelve_offload": "rule:admin_api",
"os_compute_api:os-simple-tenant-usage:discoverable": "",
"os_compute_api:os-simple-tenant-usage:show": "rule:admin_or_owner",
"os_compute_api:os-simple-tenant-usage:list": "rule:admin_api",
"os_compute_api:os-suspend-server:discoverable": "",
"os_compute_api:os-suspend-server:suspend": "rule:admin_or_owner",
"os_compute_api:os-suspend-server:resume": "rule:admin_or_owner",
"os_compute_api:os-tenant-networks": "rule:admin_or_owner",
"os_compute_api:os-tenant-networks:discoverable": "",
"os_compute_api:os-shelve:unshelve": "",
"os_compute_api:os-user-data:discoverable": "",
"os_compute_api:os-virtual-interfaces": "",
"os_compute_api:os-virtual-interfaces:discoverable": "",
"os_compute_api:os-volumes": "",
"os_compute_api:os-volumes:discoverable": "",
"os_compute_api:os-volumes-attachments:index": "",
"os_compute_api:os-volumes-attachments:show": "",
"os_compute_api:os-volumes-attachments:create": "",
"os_compute_api:os-volumes-attachments:update": "",
"os_compute_api:os-volumes-attachments:delete": "",
"os_compute_api:os-volumes-attachments:discoverable": "",
"os_compute_api:os-availability-zone:list": "",
"os_compute_api:os-availability-zone:discoverable": "",
"os_compute_api:os-availability-zone:detail": "rule:admin_api",
"os_compute_api:os-used-limits": "rule:admin_api",
"os_compute_api:os-used-limits:discoverable": "",
"os_compute_api:os-migrations:index": "rule:admin_api",
"os_compute_api:os-migrations:discoverable": "",
"os_compute_api:os-assisted-volume-snapshots:create":
"rule:admin_api",
"os_compute_api:os-assisted-volume-snapshots:delete":
"rule:admin_api",
"os_compute_api:os-assisted-volume-snapshots:discoverable": "",
"os_compute_api:os-console-auth-tokens": "rule:admin_api",
"os_compute_api:os-server-external-events:create": "rule:admin_api"
}
4.3. DASHBOARD LOG FILES
The dashboard is served to users through the Apache web server (httpd).
As a result, dashboard-related logs appear in files in the /var/log/httpd directory on the system
where the dashboard is hosted.
Log file names depend on the installer used. How the log files are named is defined in the
Dashboard httpd configuration file in /etc/httpd/conf.d/, and that file also depends on the
installer.
The following table describes these files:
Table 4.1. Dashboard/httpd log files
| Log file | Description |
| --- | --- |
| access_log | Logs all attempts to access the web server. |
| error_log | Logs all unsuccessful attempts to access the web server, along with the reason that each attempt failed. |
CHAPTER 5. DATABASE SERVICE
The Database service provides scalable and reliable Cloud Database-as-a-Service functionality for
both relational and non-relational database engines.
The following tables provide a comprehensive list of the Database service configuration options.
Table 5.1. Description of API configuration options
| Configuration option = Default value | Description |
| --- | --- |
| [DEFAULT] | |
| admin_roles = admin | (ListOpt) Roles to add to an admin user. |
| api_paste_config = api-paste.ini | (StrOpt) File name for the paste.deploy config for trove-api. |
| bind_host = 0.0.0.0 | (StrOpt) IP address the API server will listen on. |
| bind_port = 8779 | (IntOpt) Port the API server will listen on. |
| black_list_regex = None | (StrOpt) Exclude IP addresses that match this regular expression. |
| db_api_implementation = trove.db.sqlalchemy.api | (StrOpt) API Implementation for Trove database access. |
| hostname_require_valid_ip = True | (BoolOpt) Require user hostnames to be valid IP addresses. |
| http_delete_rate = 200 | (IntOpt) Maximum number of HTTP 'DELETE' requests (per minute). |
| http_get_rate = 200 | (IntOpt) Maximum number of HTTP 'GET' requests (per minute). |
| http_mgmt_post_rate = 200 | (IntOpt) Maximum number of management HTTP 'POST' requests (per minute). |
| http_post_rate = 200 | (IntOpt) Maximum number of HTTP 'POST' requests (per minute). |
| http_put_rate = 200 | (IntOpt) Maximum number of HTTP 'PUT' requests (per minute). |
| injected_config_location = /etc/trove/conf.d | (StrOpt) Path to folder on the Guest where config files will be injected during instance creation. |
| instances_page_size = 20 | (IntOpt) Page size for listing instances. |
| max_header_line = 16384 | (IntOpt) Maximum line size of message headers to be accepted. max_header_line may need to be increased when using large tokens (typically those generated by the Keystone v3 API with big service catalogs). |
| os_region_name = RegionOne | (StrOpt) Region name of this node. Used when searching catalog. |
| region = LOCAL_DEV | (StrOpt) The region this service is located. |
| tcp_keepidle = 600 | (IntOpt) Sets the value of TCP_KEEPIDLE in seconds for each server socket. Not supported on OS X. |
| trove_api_workers = None | (IntOpt) Number of workers for the API service. The default will be the number of CPUs available. |
| trove_auth_url = http://0.0.0.0:5000/v2.0 | (StrOpt) Trove authentication URL. |
| trove_conductor_workers = None | (IntOpt) Number of workers for the Conductor service. The default will be the number of CPUs available. |
| trove_security_group_name_prefix = SecGroup | (StrOpt) Prefix to use when creating Security Groups. |
| trove_security_group_rule_cidr = 0.0.0.0/0 | (StrOpt) CIDR to use when creating Security Group Rules. |
| trove_security_groups_support = True | (BoolOpt) Whether Trove should add Security Groups on create. |
| users_page_size = 20 | (IntOpt) Page size for listing users. |
Table 5.2. Description of authorization token configuration options
| Configuration option = Default value | Description |
| --- | --- |
| [keystone_authtoken] | |
| admin_password = None | (StrOpt) Service user password. |
| admin_tenant_name = admin | (StrOpt) Service tenant name. |
| admin_token = None | (StrOpt) This option is deprecated and may be removed in a future release. Single shared secret with the Keystone configuration used for bootstrapping a Keystone installation, or otherwise bypassing the normal authentication process. This option should not be used, use `admin_user` and `admin_password` instead. |
| admin_user = None | (StrOpt) Service username. |
| auth_admin_prefix = | (StrOpt) Prefix to prepend at the beginning of the path. Deprecated, use identity_uri. |
| auth_host = 127.0.0.1 | (StrOpt) Host providing the admin Identity API endpoint. Deprecated, use identity_uri. |
| auth_plugin = None | (StrOpt) Name of the plugin to load |
| auth_port = 35357 | (IntOpt) Port of the admin Identity API endpoint. Deprecated, use identity_uri. |
| auth_protocol = https | (StrOpt) Protocol of the admin Identity API endpoint (http or https). Deprecated, use identity_uri. |
| auth_section = None | (StrOpt) Config Section from which to load plugin specific options |
| auth_uri = None | (StrOpt) Complete public Identity API endpoint. |
| auth_version = None | (StrOpt) API version of the admin Identity API endpoint. |
| cache = None | (StrOpt) Env key for the swift cache. |
| cafile = None | (StrOpt) A PEM encoded Certificate Authority to use when verifying HTTPs connections. Defaults to system CAs. |
| certfile = None | (StrOpt) Required if identity server requires client certificate |
| check_revocations_for_cached = False | (BoolOpt) If true, the revocation list will be checked for cached tokens. This requires that PKI tokens are configured on the identity server. |
| delay_auth_decision = False | (BoolOpt) Do not handle authorization requests within the middleware, but delegate the authorization decision to downstream WSGI components. |
| enforce_token_bind = permissive | (StrOpt) Used to control the use and type of token binding. Can be set to: "disabled" to not check token binding. "permissive" (default) to validate binding information if the bind type is of a form known to the server and ignore it if not. "strict" like "permissive" but if the bind type is unknown the token will be rejected. "required" any form of token binding is needed to be allowed. Finally the name of a binding method that must be present in tokens. |
| hash_algorithms = md5 | (ListOpt) Hash algorithms to use for hashing PKI tokens. This may be a single algorithm or multiple. The algorithms are those supported by Python standard hashlib.new(). The hashes will be tried in the order given, so put the preferred one first for performance. The result of the first hash will be stored in the cache. This will typically be set to multiple values only while migrating from a less secure algorithm to a more secure one. Once all the old tokens are expired this option should be set to a single value for better performance. |
| http_connect_timeout = None | (IntOpt) Request timeout value for communicating with Identity API server. |
| http_request_max_retries = 3 | (IntOpt) How many times are we trying to reconnect when communicating with Identity API Server. |
| identity_uri = None | (StrOpt) Complete admin Identity API endpoint. This should specify the unversioned root endpoint e.g. https://localhost:35357/ |
| include_service_catalog = True | (BoolOpt) (Optional) Indicate whether to set the X-Service-Catalog header. If False, middleware will not ask for service catalog on token validation and will not set the X-Service-Catalog header. |
| insecure = False | (BoolOpt) Verify HTTPS connections. |
| keyfile = None | (StrOpt) Required if identity server requires client certificate |
| memcache_pool_conn_get_timeout = 10 | (IntOpt) (Optional) Number of seconds that an operation will wait to get a memcached client connection from the pool. |
| memcache_pool_dead_retry = 300 | (IntOpt) (Optional) Number of seconds memcached server is considered dead before it is tried again. |
| memcache_pool_maxsize = 10 | (IntOpt) (Optional) Maximum total number of open connections to every memcached server. |
| memcache_pool_socket_timeout = 3 | (IntOpt) (Optional) Socket timeout in seconds for communicating with a memcached server. |
| memcache_pool_unused_timeout = 60 | (IntOpt) (Optional) Number of seconds a connection to memcached is held unused in the pool before it is closed. |
| memcache_secret_key = None | (StrOpt) (Optional, mandatory if memcache_security_strategy is defined) This string is used for key derivation. |
| memcache_security_strategy = None | (StrOpt) (Optional) If defined, indicate whether token data should be authenticated or authenticated and encrypted. Acceptable values are MAC or ENCRYPT. If MAC, token data is authenticated (with HMAC) in the cache. If ENCRYPT, token data is encrypted and authenticated in the cache. If the value is not one of these options or empty, auth_token will raise an exception on initialization. |
| memcache_use_advanced_pool = False | (BoolOpt) (Optional) Use the advanced (eventlet safe) memcached client pool. The advanced pool will only work under python 2.x. |
| region_name = None | (StrOpt) The region in which the identity server can be found. |
| revocation_cache_time = 10 | (IntOpt) Determines the frequency at which the list of revoked tokens is retrieved from the Identity service (in seconds). A high number of revocation events combined with a low cache duration may significantly reduce performance. |
| signing_dir = None | (StrOpt) Directory used to cache files related to PKI tokens. |
| token_cache_time = 300 | (IntOpt) In order to prevent excessive effort spent validating tokens, the middleware caches previously-seen tokens for a configurable duration (in seconds). Set to -1 to disable caching completely. |
Table 5.3. Description of backup configuration options
| Configuration option = Default value | Description |
| --- | --- |
| [DEFAULT] | |
| backup_aes_cbc_key = default_aes_cbc_key | (StrOpt) Default OpenSSL aes_cbc key. |
| backup_chunk_size = 65536 | (IntOpt) Chunk size (in bytes) to stream to the Swift container. This should be in multiples of 128 bytes, since this is the size of an md5 digest block allowing the process to update the file checksum during streaming. See: http://stackoverflow.com/questions/1131220/ |
| backup_runner = trove.guestagent.backup.backup_types.InnoBackupEx | (StrOpt) Runner to use for backups. |
| backup_runner_options = {} | (DictOpt) Additional options to be passed to the backup runner. |
| backup_segment_max_size = 2147483648 | (IntOpt) Maximum size (in bytes) of each segment of the backup file. |
| backup_swift_container = database_backups | (StrOpt) Swift container to put backups in. |
| backup_use_gzip_compression = True | (BoolOpt) Compress backups using gzip. |
| backup_use_openssl_encryption = True | (BoolOpt) Encrypt backups using OpenSSL. |
| backup_use_snet = False | (BoolOpt) Send backup files over snet. |
| backups_page_size = 20 | (IntOpt) Page size for listing backups. |
Table 5.4. Description of CA and SSL configuration options
| Configuration option = Default value | Description |
| --- | --- |
| [ssl] | |
| ca_file = None | (StrOpt) CA certificate file to use to verify connecting clients |
| cert_file = None | (StrOpt) Certificate file to use when starting the server securely |
| key_file = None | (StrOpt) Private key file to use when starting the server securely |
Table 5.5. Description of clients configuration options
| Configuration option = Default value | Description |
| --- | --- |
| [DEFAULT] | |
| remote_cinder_client = trove.common.remote.cinder_client | (StrOpt) Client to send Cinder calls to. |
| remote_dns_client = trove.common.remote.dns_client | (StrOpt) Client to send DNS calls to. |
| remote_guest_client = trove.common.remote.guest_client | (StrOpt) Client to send Guest Agent calls to. |
| remote_heat_client = trove.common.remote.heat_client | (StrOpt) Client to send Heat calls to. |
| remote_neutron_client = trove.common.remote.neutron_client | (StrOpt) Client to send Neutron calls to. |
| remote_nova_client = trove.common.remote.nova_client | (StrOpt) Client to send Nova calls to. |
| remote_swift_client = trove.common.remote.swift_client | (StrOpt) Client to send Swift calls to. |
Table 5.6. Description of cluster configuration options
| Configuration option = Default value | Description |
| --- | --- |
| [DEFAULT] | |
| cluster_delete_time_out = 180 | (IntOpt) Maximum time (in seconds) to wait for a cluster delete. |
| cluster_usage_timeout = 36000 | (IntOpt) Maximum time (in seconds) to wait for a cluster to become active. |
| clusters_page_size = 20 | (IntOpt) Page size for listing clusters. |
Table 5.7. Description of common configuration options
| Configuration option = Default value | Description |
| --- | --- |
| [DEFAULT] | |
| configurations_page_size = 20 | (IntOpt) Page size for listing configurations. |
| databases_page_size = 20 | (IntOpt) Page size for listing databases. |
| default_datastore = None | (StrOpt) The default datastore id or name to use if one is not provided by the user. If the default value is None, the field becomes required in the instance create request. |
| default_neutron_networks = | (ListOpt) List of IDs for management networks which should be attached to the instance regardless of what NICs are specified in the create API call. |
| default_password_length = 36 | (IntOpt) Character length of generated passwords. |
| executor_thread_pool_size = 64 | (IntOpt) Size of executor thread pool. |
| expected_filetype_suffixes = json | (ListOpt) Filetype endings not to be reattached to an ID by the utils method correct_id_with_req. |
| host = 0.0.0.0 | (StrOpt) Host to listen for RPC messages. |
| memcached_servers = None | (ListOpt) Memcached servers or None for in process cache. |
| pybasedir = /usr/lib/python2.7/site-packages/trove | (StrOpt) Directory where the Trove python module is installed. |
| pydev_path = None | (StrOpt) Set path to pydevd library, used if pydevd is not found in python sys.path. |
| taskmanager_queue = taskmanager | (StrOpt) Message queue name the Taskmanager will listen to. |
| template_path = /etc/trove/templates/ | (StrOpt) Path which leads to datastore templates. |
| timeout_wait_for_service = 120 | (IntOpt) Maximum time (in seconds) to wait for a service to become alive. |
| usage_timeout = 900 | (IntOpt) Maximum time (in seconds) to wait for a Guest to become active. |
| [keystone_authtoken] | |
| memcached_servers = None | (ListOpt) Optionally specify a list of memcached server(s) to use for caching. If left undefined, tokens will instead be cached in-process. |
Table 5.8. Description of Compute configuration options
| Configuration option = Default value | Description |
| --- | --- |
| [DEFAULT] | |
| ip_regex = None | (StrOpt) List IP addresses that match this regular expression. |
| nova_compute_endpoint_type = publicURL | (StrOpt) Service endpoint type to use when searching catalog. |
| nova_compute_service_type = compute | (StrOpt) Service type to use when searching catalog. |
| nova_compute_url = None | (StrOpt) URL without the tenant segment. |
| root_grant = ALL | (ListOpt) Permissions to grant to the 'root' user. |
| root_grant_option = True | (BoolOpt) Assign the 'root' user GRANT permissions. |
Table 5.9. Description of logging configuration options
Configuration option = Default value
Description
[DEFAULT]
backlog = 4096
(IntOpt) Number of backlog requests to configure
the socket with
pydev_debug = disabled
(StrOpt) Enable or disable pydev remote debugging.
If value is 'auto' tries to connect to remote debugger
server, but in case of error continues running with
debugging disabled.
pydev_debug_host = None
(StrOpt) Pydev debug server host (localhost by
default).
pydev_debug_port = None
(IntOpt) Pydev debug server port (5678 by default).
[profiler]
enabled = False
(BoolOpt) If False fully disable profiling feature.
trace_sqlalchemy = True
(BoolOpt) If False doesn't trace SQL requests.
Table 5.10. Description of DNS configuration options
Configuration option = Default value
Description
[DEFAULT]
dns_account_id =
(StrOpt) Tenant ID for DNSaaS.
dns_auth_url =
(StrOpt) Authentication URL for DNSaaS.
dns_domain_id =
(StrOpt) Domain ID used for adding DNS entries.
dns_domain_name =
(StrOpt) Domain name used for adding DNS entries.
dns_driver = trove.dns.driver.DnsDriver
(StrOpt) Driver for DNSaaS.
dns_endpoint_url = 0.0.0.0
(StrOpt) Endpoint URL for DNSaaS.
dns_hostname =
(StrOpt) Hostname used for adding DNS entries.
dns_instance_entry_factory =
trove.dns.driver.DnsInstanceEntryFactory
(StrOpt) Factory for adding DNS entries.
dns_management_base_url =
(StrOpt) Management URL for DNSaaS.
dns_passkey =
(StrOpt) Passkey for DNSaaS.
dns_region =
(StrOpt) Region name for DNSaaS.
dns_service_type =
(StrOpt) Service Type for DNSaaS.
dns_time_out = 120
(IntOpt) Maximum time (in seconds) to wait for a
DNS entry add.
dns_ttl = 300
(IntOpt) Time (in seconds) before a refresh of DNS
information occurs.
dns_username =
(StrOpt) Username for DNSaaS.
trove_dns_support = False
(BoolOpt) Whether Trove should add DNS entries on
create (using Designate DNSaaS).
Table 5.11. Description of guest agent configuration options
Configuration option = Default value
Description
[DEFAULT]
agent_call_high_timeout = 60
(IntOpt) Maximum time (in seconds) to wait for
Guest Agent 'slow' requests (such as restarting the
database).
agent_call_low_timeout = 5
(IntOpt) Maximum time (in seconds) to wait for
Guest Agent 'quick' requests (such as retrieving a
list of users or databases).
agent_heartbeat_expiry = 60
(IntOpt) Time (in seconds) after which a guest is
considered unreachable
agent_heartbeat_time = 10
(IntOpt) Maximum time (in seconds) for the Guest
Agent to reply to a heartbeat request.
agent_replication_snapshot_timeout = 36000
(IntOpt) Maximum time (in seconds) to wait for
taking a Guest Agent replication snapshot.
guest_config = /etc/trove/trove-guestagent.conf
(StrOpt) Path to the Guest Agent config file to be
injected during instance creation.
guest_id = None
(StrOpt) ID of the Guest Instance.
guest_info = guest_info.conf
(StrOpt) The guest info filename found in the
injected config location. If a full path is specified
then it will be used as the path to the guest info file
ignore_dbs = mysql, information_schema,
performance_schema
(ListOpt) Databases to exclude when listing
databases.
ignore_users = os_admin, root
(ListOpt) Users to exclude when listing users.
mount_options = defaults,noatime
(StrOpt) Options to use when mounting a volume.
storage_namespace =
trove.guestagent.strategies.storage.swift
(StrOpt) Namespace to load the default storage
strategy from.
storage_strategy = SwiftStorage
(StrOpt) Default strategy to store backups.
usage_sleep_time = 5
(IntOpt) Time to sleep during the check for an active
Guest.
Table 5.12. Description of Orchestration module configuration options
Configuration option = Default value
Description
[DEFAULT]
heat_endpoint_type = publicURL
(StrOpt) Service endpoint type to use when
searching catalog.
heat_service_type = orchestration
(StrOpt) Service type to use when searching catalog.
heat_time_out = 60
(IntOpt) Maximum time (in seconds) to wait for a
Heat request to complete.
heat_url = None
(StrOpt) URL without the tenant segment.
Table 5.13. Description of logging configuration options
Configuration option = Default value
Description
[DEFAULT]
debug = False
(BoolOpt) Print debugging output (set logging level
to DEBUG instead of default INFO level).
default_log_levels = amqp=WARN,
amqplib=WARN, boto=WARN, qpid=WARN,
sqlalchemy=WARN, suds=INFO, oslo.messaging=INFO,
iso8601=WARN,
requests.packages.urllib3.connectionpool=WARN,
urllib3.connectionpool=WARN, websocket=WARN,
requests.packages.urllib3.util.retry=WARN,
urllib3.util.retry=WARN, keystonemiddleware=WARN,
routes.middleware=WARN, stevedore=WARN,
taskflow=WARN
(ListOpt) List of logger=LEVEL pairs. This option is
ignored if log_config_append is set.
fatal_deprecations = False
(BoolOpt) Enables or disables fatal status of
deprecations.
format_options = -m 5
(StrOpt) Options to use when formatting a volume.
instance_format = "[instance: %(uuid)s] "
(StrOpt) The format for an instance that is passed
with the log message.
instance_uuid_format = "[instance: %(uuid)s] "
(StrOpt) The format for an instance UUID that is
passed with the log message.
log_config_append = None
(StrOpt) The name of a logging configuration file.
This file is appended to any existing logging
configuration files. For details about logging
configuration files, see the Python logging module
documentation. Note that when logging
configuration files are used then all logging
configuration is set in the configuration file and
other logging configuration options are ignored (for
example, log_format).
log_date_format = %Y-%m-%d %H:%M:%S
(StrOpt) Format string for %(asctime)s in log
records. Default: %(default)s. This option is ignored
if log_config_append is set.
log_dir = None
(StrOpt) (Optional) The base directory used for
relative --log-file paths. This option is ignored if
log_config_append is set.
log_file = None
(StrOpt) (Optional) Name of log file to output to. If
no default is set, logging will go to stdout. This
option is ignored if log_config_append is set.
log_format = None
(StrOpt) DEPRECATED. A logging.Formatter log
message format string which may use any of the
available logging.LogRecord attributes. This option
is deprecated; use logging_context_format_string and
logging_default_format_string instead. This option is
ignored if log_config_append is set.
logging_context_format_string = %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [%(request_id)s %(user_identity)s] %(instance)s%(message)s
(StrOpt) Format string to use for log messages with
context.
logging_debug_format_suffix = %(funcName)s %(pathname)s:%(lineno)d
(StrOpt) Data to append to log format when level is
DEBUG.
logging_default_format_string = %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [-] %(instance)s%(message)s
(StrOpt) Format string to use for log messages
without context.
logging_exception_prefix = %(asctime)s.%(msecs)03d %(process)d ERROR %(name)s %(instance)s
(StrOpt) Prefix each line of exception output with
this format.
network_label_regex = ^private$
(StrOpt) Regular expression to match Trove
network labels.
publish_errors = False
(BoolOpt) Enables or disables publication of error
events.
syslog_log_facility = LOG_USER
(StrOpt) Syslog facility to receive log lines. This
option is ignored if log_config_append is set.
use_stderr = True
(BoolOpt) Log output to standard error. This option
is ignored if log_config_append is set.
use_syslog = False
(BoolOpt) Use syslog for logging. Existing syslog
format is DEPRECATED and will be changed later to
honor RFC5424. This option is ignored if
log_config_append is set.
use_syslog_rfc_format = True
(BoolOpt) (Optional) Enables or disables syslog
rfc5424 format for logging. If enabled, prefixes the
MSG part of the syslog message with APP-NAME
(RFC5424). The format without the APP-NAME is
deprecated in Kilo, and will be removed in Mitaka,
along with this option. This option is ignored if
log_config_append is set.
verbose = True
(BoolOpt) If set to false, will disable INFO logging
level, making WARNING the default.
watch_log_file = False
(BoolOpt) (Optional) Uses logging handler designed
to watch file system. When log file is moved or
removed this handler will open a new log file with
specified path instantaneously. It makes sense only
if log-file option is specified and Linux platform is
used. This option is ignored if log_config_append is
set.
Table 5.14. Description of network configuration options
Configuration option = Default value
Description
[DEFAULT]
network_driver =
trove.network.nova.NovaNetwork
(StrOpt) Describes the actual network manager
used for the management of network attributes
(security groups, floating IPs, etc.).
neutron_endpoint_type = publicURL
(StrOpt) Service endpoint type to use when
searching catalog.
neutron_service_type = network
(StrOpt) Service type to use when searching catalog.
neutron_url = None
(StrOpt) URL without the tenant segment.
Table 5.15. Description of nova configuration options
Configuration option = Default value
Description
[DEFAULT]
nova_proxy_admin_pass =
(StrOpt) Admin password used to connect to Nova.
nova_proxy_admin_tenant_id =
(StrOpt) Admin tenant ID used to connect to Nova.
nova_proxy_admin_tenant_name =
(StrOpt) Admin tenant name used to connect to
Nova.
nova_proxy_admin_user =
(StrOpt) Admin username used to connect to Nova.
Table 5.16. Description of quota configuration options
Configuration option = Default value
Description
[DEFAULT]
max_accepted_volume_size = 5
(IntOpt) Default maximum volume size (in GB) for an
instance.
max_backups_per_user = 50
(IntOpt) Default maximum number of backups
created by a tenant.
max_instances_per_user = 5
(IntOpt) Default maximum number of instances per
tenant.
max_volumes_per_user = 20
(IntOpt) Default maximum volume capacity (in GB)
spanning across all Trove volumes per tenant.
quota_driver = trove.quota.quota.DbQuotaDriver
(StrOpt) Default driver to use for quota checks.
Table 5.17. Description of Redis configuration options
Configuration option = Default value
Description
[DEFAULT]
password =
(StrOpt) Password for Redis server (optional).
port = 6379
(IntOpt) Use this port to connect to redis host.
[matchmaker_redis]
host = 127.0.0.1
(StrOpt) Host to locate redis.
password =
(StrOpt) Password for Redis server (optional).
port = 6379
(IntOpt) Use this port to connect to redis host.
Table 5.18. Description of swift configuration options
Configuration option = Default value
Description
[DEFAULT]
swift_endpoint_type = publicURL
(StrOpt) Service endpoint type to use when
searching catalog.
swift_service_type = object-store
(StrOpt) Service type to use when searching catalog.
swift_url = None
(StrOpt) URL ending in AUTH_.
Table 5.19. Description of taskmanager configuration options
Configuration option = Default value
Description
[DEFAULT]
cloudinit_location = /etc/trove/cloudinit
(StrOpt) Path to folder with cloudinit scripts.
datastore_manager = None
(StrOpt) Manager class in the Guest Agent, set up by
the Taskmanager on instance provision.
datastore_registry_ext = {}
(DictOpt) Extension for default datastore managers.
Allows the use of custom managers for each of the
datastores supported by Trove.
exists_notification_interval = 3600
(IntOpt) Seconds to wait between pushing events.
exists_notification_transformer = None
(StrOpt) Transformer for exists notifications.
reboot_time_out = 120
(IntOpt) Maximum time (in seconds) to wait for a
server reboot.
resize_time_out = 600
(IntOpt) Maximum time (in seconds) to wait for a
server resize.
restore_usage_timeout = 36000
(IntOpt) Maximum time (in seconds) to wait for a
Guest instance restored from a backup to become
active.
revert_time_out = 600
(IntOpt) Maximum time (in seconds) to wait for a
server resize revert.
server_delete_time_out = 60
(IntOpt) Maximum time (in seconds) to wait for a
server delete.
state_change_wait_time = 180
(IntOpt) Maximum time (in seconds) to wait for a
state change.
update_status_on_fail = True
(BoolOpt) Set the service and instance task statuses
to ERROR when an instance fails to become active
within the configured usage_timeout.
usage_sleep_time = 5
(IntOpt) Time to sleep during the check for an active
Guest.
use_heat = False
(BoolOpt) Use Heat for provisioning.
use_nova_server_config_drive = False
(BoolOpt) Use config drive for file injection when
booting instance.
use_nova_server_volume = False
(BoolOpt) Whether to provision a Cinder volume for
the Nova instance.
verify_swift_checksum_on_restore = True
(BoolOpt) Enable verification of Swift checksum
before starting restore. Makes sure the checksum of
original backup matches the checksum of the Swift
backup file.
Table 5.20. Description of upgrades configuration options
Configuration option = Default value
Description
[upgrade_levels]
conductor = icehouse
(StrOpt) Set a version cap for messages sent to
conductor services
guestagent = icehouse
(StrOpt) Set a version cap for messages sent to
guestagent services
taskmanager = icehouse
(StrOpt) Set a version cap for messages sent to
taskmanager services
Table 5.21. Description of volume configuration options
Configuration option = Default value
Description
[DEFAULT]
block_device_mapping = vdb
(StrOpt) Block device to map onto the created
instance.
cinder_endpoint_type = publicURL
(StrOpt) Service endpoint type to use when
searching catalog.
cinder_service_type = volumev2
(StrOpt) Service type to use when searching catalog.
cinder_url = None
(StrOpt) URL without the tenant segment.
cinder_volume_type = None
(StrOpt) Volume type to use when provisioning a
Cinder volume.
device_path = /dev/vdb
(StrOpt) Device path for volume if volume support is
enabled.
trove_volume_support = True
(BoolOpt) Whether to provision a Cinder volume for
datadir.
volume_format_timeout = 120
(IntOpt) Maximum time (in seconds) to wait for a
volume format.
volume_fstype = ext3
(StrOpt) File system type used to format a volume.
volume_time_out = 60
(IntOpt) Maximum time (in seconds) to wait for a
volume attach.
5.1. CONFIGURE THE DATABASE
Use these options to configure the databases in use:
Table 5.22. Description of MariaDB database configuration options
Configuration option = Default value
Description
[mariadb]
backup_incremental_strategy =
{'InnoBackupEx': 'InnoBackupExIncremental'}
(DictOpt) Incremental Backup Runner based on the
default strategy. For strategies that do not
implement an incremental backup, the runner will
use the default full backup.
backup_namespace =
trove.guestagent.strategies.backup.mysql_impl
(StrOpt) Namespace to load backup strategies from.
backup_strategy = InnoBackupEx
(StrOpt) Default strategy to perform backups.
device_path = /dev/vdb
(StrOpt) Device path for volume if volume support is
enabled.
mount_point = /var/lib/mysql
(StrOpt) Filesystem path for mounting volumes if
volume support is enabled.
replication_namespace =
trove.guestagent.strategies.replication.mysql_binlog
(StrOpt) Namespace to load replication strategies
from.
replication_strategy =
MysqlBinlogReplication
(StrOpt) Default strategy for replication.
restore_namespace =
trove.guestagent.strategies.restore.mysql_impl
(StrOpt) Namespace to load restore strategies from.
root_controller =
trove.extensions.common.service.DefaultRootController
(StrOpt) Root controller implementation for mysql.
root_on_create = False
(BoolOpt) Enable the automatic creation of the root
user for the service during instance-create. The
generated password for the root user is immediately
returned in the response of instance-create as the
'password' field.
tcp_ports = 3306
(ListOpt) List of TCP ports and/or port ranges to
open in the security group (only applicable if
trove_security_groups_support is True).
udp_ports =
(ListOpt) List of UDP ports and/or port ranges to
open in the security group (only applicable if
trove_security_groups_support is True).
usage_timeout = 400
(IntOpt) Maximum time (in seconds) to wait for a
Guest to become active.
volume_support = True
(BoolOpt) Whether to provision a Cinder volume for
datadir.
Table 5.23. Description of MySQL database configuration options
Configuration option = Default value
Description
[mysql]
backup_incremental_strategy =
{'InnoBackupEx': 'InnoBackupExIncremental'}
(DictOpt) Incremental Backup Runner based on the
default strategy. For strategies that do not
implement an incremental backup, the runner will
use the default full backup.
backup_namespace =
trove.guestagent.strategies.backup.mysql_impl
(StrOpt) Namespace to load backup strategies from.
backup_strategy = InnoBackupEx
(StrOpt) Default strategy to perform backups.
device_path = /dev/vdb
(StrOpt) Device path for volume if volume support is
enabled.
mount_point = /var/lib/mysql
(StrOpt) Filesystem path for mounting volumes if
volume support is enabled.
replication_namespace =
trove.guestagent.strategies.replication.mysql_gtid
(StrOpt) Namespace to load replication strategies
from.
replication_strategy = MysqlGTIDReplication
(StrOpt) Default strategy for replication.
restore_namespace =
trove.guestagent.strategies.restore.mysql_impl
(StrOpt) Namespace to load restore strategies from.
root_controller =
trove.extensions.common.service.DefaultRootController
(StrOpt) Root controller implementation for mysql.
root_on_create = False
(BoolOpt) Enable the automatic creation of the root
user for the service during instance-create. The
generated password for the root user is immediately
returned in the response of instance-create as the
'password' field.
tcp_ports = 3306
(ListOpt) List of TCP ports and/or port ranges to
open in the security group (only applicable if
trove_security_groups_support is True).
udp_ports =
(ListOpt) List of UDP ports and/or port ranges to
open in the security group (only applicable if
trove_security_groups_support is True).
usage_timeout = 400
(IntOpt) Maximum time (in seconds) to wait for a
Guest to become active.
volume_support = True
(BoolOpt) Whether to provision a Cinder volume for
datadir.
5.2. CONFIGURE THE RPC MESSAGING SYSTEM
OpenStack projects use an open standard for messaging middleware known as AMQP. This messaging
middleware enables the OpenStack services that run on multiple servers to talk to each other.
OpenStack Trove RPC supports two implementations of AMQP: RabbitMQ and Qpid.
5.2.1. Configure RabbitMQ
Use these options to configure the RabbitMQ messaging system:
Table 5.24. Description of RabbitMQ configuration options
Configuration option = Default value
Description
[oslo_messaging_rabbit]
amqp_auto_delete = False
(BoolOpt) Auto-delete queues in AMQP.
amqp_durable_queues = False
(BoolOpt) Use durable queues in AMQP.
fake_rabbit = False
(BoolOpt) Deprecated, use
rpc_backend=kombu+memory or rpc_backend=fake
heartbeat_rate = 2
(IntOpt) How many times during the
heartbeat_timeout_threshold we check the
heartbeat.
heartbeat_timeout_threshold = 60
(IntOpt) Number of seconds after which the Rabbit
broker is considered down if heartbeat's keep-alive
fails (0 disables the heartbeat). EXPERIMENTAL
kombu_reconnect_delay = 1.0
(FloatOpt) How long to wait before reconnecting in
response to an AMQP consumer cancel notification.
kombu_reconnect_timeout = 60
(IntOpt) How long to wait before considering a
reconnect attempt to have failed. This value should
not be longer than rpc_response_timeout.
kombu_ssl_ca_certs =
(StrOpt) SSL certification authority file (valid only if
SSL enabled).
kombu_ssl_certfile =
(StrOpt) SSL cert file (valid only if SSL enabled).
kombu_ssl_keyfile =
(StrOpt) SSL key file (valid only if SSL enabled).
kombu_ssl_version =
(StrOpt) SSL version to use (valid only if SSL
enabled). Valid values are TLSv1 and SSLv23. SSLv2,
SSLv3, TLSv1_1, and TLSv1_2 may be available on
some distributions.
rabbit_ha_queues = False
(BoolOpt) Use HA queues in RabbitMQ (x-ha-policy:
all). If you change this option, you must wipe the
RabbitMQ database.
rabbit_host = localhost
(StrOpt) The RabbitMQ broker address where a
single node is used.
rabbit_hosts = $rabbit_host:$rabbit_port
(ListOpt) RabbitMQ HA cluster host:port pairs.
rabbit_login_method = AMQPLAIN
(StrOpt) The RabbitMQ login method.
rabbit_max_retries = 0
(IntOpt) Maximum number of RabbitMQ connection
retries. Default is 0 (infinite retry count).
rabbit_password = guest
(StrOpt) The RabbitMQ password.
rabbit_port = 5672
(IntOpt) The RabbitMQ broker port where a single
node is used.
rabbit_retry_backoff = 2
(IntOpt) How long to backoff for between retries
when connecting to RabbitMQ.
rabbit_retry_interval = 1
(IntOpt) How frequently to retry connecting with
RabbitMQ.
rabbit_use_ssl = False
(BoolOpt) Connect over SSL for RabbitMQ.
rabbit_userid = guest
(StrOpt) The RabbitMQ userid.
rabbit_virtual_host = /
(StrOpt) The RabbitMQ virtual host.
send_single_reply = False
(BoolOpt) Send a single AMQP reply to call message.
The current behavior since oslo-incubator is to send
two AMQP replies: first one with the payload, a
second one to ensure the other has finished sending
the payload. This option defaults to False in Liberty
and can be turned on for early adopters with new
installations or for testing. This option will be removed
in the Mitaka release.
5.2.2. Configure Qpid
Use these options to configure the Qpid messaging system:
Table 5.25. Description of Qpid configuration options
Configuration option = Default value
Description
[oslo_messaging_qpid]
amqp_auto_delete = False
(BoolOpt) Auto-delete queues in AMQP.
amqp_durable_queues = False
(BoolOpt) Use durable queues in AMQP.
qpid_heartbeat = 60
(IntOpt) Seconds between connection keepalive
heartbeats.
qpid_hostname = localhost
(StrOpt) Qpid broker hostname.
qpid_hosts = $qpid_hostname:$qpid_port
(ListOpt) Qpid HA cluster host:port pairs.
qpid_password =
(StrOpt) Password for Qpid connection.
qpid_port = 5672
(IntOpt) Qpid broker port.
qpid_protocol = tcp
(StrOpt) Transport to use, either 'tcp' or 'ssl'.
qpid_receiver_capacity = 1
(IntOpt) The number of prefetched messages held by
receiver.
qpid_sasl_mechanisms =
(StrOpt) Space separated list of SASL mechanisms
to use for auth.
qpid_tcp_nodelay = True
(BoolOpt) Whether to disable the Nagle algorithm.
qpid_topology_version = 1
(IntOpt) The qpid topology version to use. Version 1
is what was originally used by impl_qpid. Version 2
includes some backwards-incompatible changes
that allow broker federation to work. Users should
update to version 2 when they are able to take
everything down, as it requires a clean break.
qpid_username =
(StrOpt) Username for Qpid connection.
send_single_reply = False
(BoolOpt) Send a single AMQP reply to call message.
The current behavior since oslo-incubator is to send
two AMQP replies: first one with the payload, a
second one to ensure the other has finished sending
the payload. This option defaults to False in Liberty
and can be turned on for early adopters with new
installations or for testing. This option will be removed
in the Mitaka release.
5.2.3. Configure messaging
Use these common options to configure the RabbitMQ and Qpid messaging drivers:
Table 5.26. Description of AMQP configuration options
Configuration option = Default value
Description
[DEFAULT]
conductor_manager =
trove.conductor.manager.Manager
(StrOpt) Qualified class name to use for conductor
manager.
conductor_queue = trove-conductor
(StrOpt) Message queue name the Conductor will
listen on.
control_exchange = openstack
(StrOpt) The default exchange under which topics
are scoped. May be overridden by an exchange name
specified in the transport_url option.
notification_driver = []
(MultiStrOpt) The driver(s) to handle sending
notifications. Possible values are messaging,
messagingv2, routing, log, test, and noop.
notification_service_id = {'mysql':
'2f3ff068-2bfb-4f70-9a9d-a6bb65bc084b', 'mariadb':
'7a4f82cc-10d2-4bc6-aadc-d9aacc2a3cb5'}
(DictOpt) Unique ID to tag notification events.
notification_topics = notifications
(ListOpt) AMQP topic used for OpenStack
notifications.
transport_url = None
(StrOpt) A URL representing the messaging driver to
use and its full configuration. If not set, we fall back
to the rpc_backend option and driver specific
configuration.
Table 5.27. Description of RPC configuration options
Configuration option = Default value
Description
[DEFAULT]
num_tries = 3
(IntOpt) Number of times to check if a volume exists.
report_interval = 30
(IntOpt) The interval (in seconds) at which periodic
tasks are run.
rpc_backend = rabbit
(StrOpt) The messaging driver to use, defaults to
rabbit. Other drivers include qpid and zmq.
rpc_cast_timeout = 30
(IntOpt) Seconds to wait before a cast expires (TTL).
Only supported by impl_zmq.
rpc_conn_pool_size = 30
(IntOpt) Size of RPC connection pool.
rpc_poll_timeout = 1
(IntOpt) The default number of seconds that poll
should wait. Poll raises timeout exception when
timeout expired.
rpc_response_timeout = 60
(IntOpt) Seconds to wait for a response from a call.
[oslo_concurrency]
disable_process_locking = False
(BoolOpt) Enables or disables inter-process locks.
lock_path = None
(StrOpt) Directory to use for lock files. For security,
the specified directory should only be writable by
the user running the processes that need locking.
Defaults to environment variable
OSLO_LOCK_PATH. If external locks are used, a
lock path must be set.
[oslo_messaging_amqp]
allow_insecure_clients = False
(BoolOpt) Accept clients using either SSL or plain
TCP
broadcast_prefix = broadcast
(StrOpt) address prefix used when broadcasting to
all servers
container_name = None
(StrOpt) Name for the AMQP container
group_request_prefix = unicast
(StrOpt) address prefix when sending to any server
in group
idle_timeout = 0
(IntOpt) Timeout for inactive connections (in
seconds)
password =
(StrOpt) Password for message broker
authentication
sasl_config_dir =
(StrOpt) Path to directory that contains the SASL
configuration
sasl_config_name =
(StrOpt) Name of configuration file (without .conf
suffix)
sasl_mechanisms =
(StrOpt) Space separated list of acceptable SASL
mechanisms
server_request_prefix = exclusive
(StrOpt) address prefix used when sending to a
specific server
ssl_ca_file =
(StrOpt) CA certificate PEM file to verify server
certificate
ssl_cert_file =
(StrOpt) Identifying certificate PEM file to present
to clients
ssl_key_file =
(StrOpt) Private key PEM file used to sign cert_file
certificate
ssl_key_password = None
(StrOpt) Password for decrypting ssl_key_file (if
encrypted)
trace = False
(BoolOpt) Debug: dump AMQP frames to stdout
username =
(StrOpt) User name for message broker
authentication
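The following is an added example, not part of the Red Hat reference or of Trove itself: a check that reads a trove.conf and reports RPC messaging options from section 5.2 that are left at defaults sending traffic unencrypted or using the stock guest password. The function name audit_messaging, both sample files, the host name, the CA path and the credential values are constructed for illustration.

```python
import configparser

# Defaults as listed in Tables 5.24, 5.25 and 5.27 of this page, applied when
# an option is absent from the file being audited.
PAGE_DEFAULTS = {
    ("DEFAULT", "rpc_backend"): "rabbit",
    ("oslo_messaging_rabbit", "rabbit_use_ssl"): "False",
    ("oslo_messaging_rabbit", "rabbit_password"): "guest",
    ("oslo_messaging_rabbit", "kombu_ssl_ca_certs"): "",
    ("oslo_messaging_rabbit", "kombu_ssl_version"): "",
    ("oslo_messaging_qpid", "qpid_protocol"): "tcp",
    ("oslo_messaging_amqp", "allow_insecure_clients"): "False",
    ("oslo_messaging_amqp", "trace"): "False",
}

# Constructed sample files (not taken from a real deployment).
WEAK_CONF = """
[DEFAULT]
rpc_backend = rabbit
[oslo_messaging_rabbit]
rabbit_host = broker.example.test
rabbit_use_ssl = False
[oslo_messaging_amqp]
trace = True
"""

HARDENED_CONF = """
[DEFAULT]
rpc_backend = rabbit
[oslo_messaging_rabbit]
rabbit_host = broker.example.test
rabbit_use_ssl = True
kombu_ssl_ca_certs = /etc/pki/tls/certs/example-ca.pem
kombu_ssl_version = TLSv1_2
rabbit_userid = trove
rabbit_password = example-placeholder-secret
"""


def _truthy(value):
    return value.strip().lower() in ("true", "1", "yes", "on")


def audit_messaging(conf_text):
    """Return a list of (section, option, reason) findings."""
    # [DEFAULT] is parsed as an ordinary section so its values are not
    # inherited by other sections; interpolation is off because values such
    # as %(asctime)s are not configparser references.
    parser = configparser.ConfigParser(default_section="__unused__",
                                       interpolation=None)
    parser.read_string(conf_text)

    def get(section, option):
        if parser.has_option(section, option):
            return parser.get(section, option).strip()
        return PAGE_DEFAULTS[(section, option)]

    findings = []
    backend = get("DEFAULT", "rpc_backend")

    if backend == "rabbit":
        sec = "oslo_messaging_rabbit"
        if not _truthy(get(sec, "rabbit_use_ssl")):
            findings.append((sec, "rabbit_use_ssl",
                             "RPC traffic to the broker is not encrypted"))
        else:
            if not get(sec, "kombu_ssl_ca_certs"):
                findings.append((sec, "kombu_ssl_ca_certs",
                                 "SSL enabled but no CA file is set"))
            if get(sec, "kombu_ssl_version") in ("SSLv2", "SSLv3"):
                findings.append((sec, "kombu_ssl_version",
                                 "obsolete SSL protocol version selected"))
        if get(sec, "rabbit_password") == "guest":
            findings.append((sec, "rabbit_password",
                             "default guest password in use"))
    elif backend == "qpid":
        sec = "oslo_messaging_qpid"
        if get(sec, "qpid_protocol") != "ssl":
            findings.append((sec, "qpid_protocol",
                             "RPC traffic to the broker is not encrypted"))

    sec = "oslo_messaging_amqp"
    if parser.has_section(sec):
        if _truthy(get(sec, "allow_insecure_clients")):
            findings.append((sec, "allow_insecure_clients",
                             "plain TCP clients are accepted"))
        if _truthy(get(sec, "trace")):
            findings.append((sec, "trace",
                             "AMQP frames are dumped to stdout"))
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name)
        for section, option, reason in audit_messaging(text):
            print("  [%s] %s: %s" % (section, option, reason))
```
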
5.3. NEW, UPDATED AND DEPRECATED OPTIONS IN LIBERTY FOR DATABASE SERVICE
Table 5.28. New options
Option = default value
(Type) Help string
[DEFAULT] executor_thread_pool_size = 64
(IntOpt) Size of executor thread pool.
[DEFAULT] exists_notification_interval = 3600
(IntOpt) Seconds to wait between pushing events.
[DEFAULT] nova_proxy_admin_tenant_id =
(StrOpt) Admin tenant ID used to connect to Nova.
[DEFAULT] password =
(StrOpt) Password for Redis server (optional).
[DEFAULT] port = 6379
(IntOpt) Use this port to connect to redis host.
[DEFAULT] rpc_conn_pool_size = 30
(IntOpt) Size of RPC connection pool.
[DEFAULT] rpc_poll_timeout = 1
(IntOpt) The default number of seconds that poll
should wait. Poll raises timeout exception when
timeout expired.
[DEFAULT] rpc_zmq_all_req_rep = True
(BoolOpt) Use REQ/REP pattern for all methods
CALL/CAST/FANOUT.
[DEFAULT] rpc_zmq_concurrency = eventlet
(StrOpt) Type of concurrency used. Either "native"
or "eventlet"
[DEFAULT] timeout_wait_for_service = 120
(IntOpt) Maximum time (in seconds) to wait for a
service to become alive.
[DEFAULT] watch_log_file = False
(BoolOpt) (Optional) Uses logging handler designed
to watch file system. When log file is moved or
removed this handler will open a new log file with
specified path instantaneously. It makes sense only
if log-file option is specified and Linux platform is
used. This option is ignored if log_config_append is
set.
[DEFAULT] zmq_use_broker = True
(BoolOpt) Shows whether zmq-messaging uses
broker or not.
[keystone_authtoken] region_name = None
(StrOpt) The region in which the identity server can
be found.
[mariadb] backup_incremental_strategy =
{'InnoBackupEx': 'InnoBackupExIncremental'}
(DictOpt) Incremental Backup Runner based on the
default strategy. For strategies that do not
implement an incremental backup, the runner will
use the default full backup.
[mariadb] backup_namespace =
trove.guestagent.strategies.backup.mysql_impl
(StrOpt) Namespace to load backup strategies from.
[mariadb] backup_strategy = InnoBackupEx
(StrOpt) Default strategy to perform backups.
[mariadb] device_path = /dev/vdb
(StrOpt) Device path for volume if volume support is
enabled.
[mariadb] mount_point = /var/lib/mysql
(StrOpt) Filesystem path for mounting volumes if
volume support is enabled.
[mariadb] replication_namespace =
trove.guestagent.strategies.replication.mysql_binlog
(StrOpt) Namespace to load replication strategies
from.
[mariadb] replication_strategy =
MysqlBinlogReplication
(StrOpt) Default strategy for replication.
[mariadb] restore_namespace =
trove.guestagent.strategies.restore.mysql_impl
(StrOpt) Namespace to load restore strategies from.
[mariadb] root_controller =
trove.extensions.common.service.DefaultRootController
(StrOpt) Root controller implementation for mysql.
[mariadb] root_on_create = False
(BoolOpt) Enable the automatic creation of the root
user for the service during instance-create. The
generated password for the root user is immediately
returned in the response of instance-create as the
'password' field.
[mariadb] tcp_ports = 3306
(ListOpt) List of TCP ports and/or port ranges to
open in the security group (only applicable if
trove_security_groups_support is True).
[mariadb] udp_ports =
(ListOpt) List of UDP ports and/or port ranges to
open in the security group (only applicable if
trove_security_groups_support is True).
[mariadb] usage_timeout = 400
(IntOpt) Maximum time (in seconds) to wait for a
Guest to become active.
[mariadb] volume_support = True
(BoolOpt) Whether to provision a Cinder volume for
datadir.
[mysql] root_controller =
trove.extensions.common.service.DefaultRootController
(StrOpt) Root controller implementation for mysql.
[oslo_messaging_amqp] password =
(StrOpt) Password for message broker
authentication
[oslo_messaging_amqp] sasl_config_dir =
(StrOpt) Path to directory that contains the SASL
configuration
[oslo_messaging_amqp] sasl_config_name =
(StrOpt) Name of configuration file (without .conf
suffix)
[oslo_messaging_amqp] sasl_mechanisms =
(StrOpt) Space separated list of acceptable SASL
mechanisms
[oslo_messaging_amqp] username =
(StrOpt) User name for message broker
authentication
[oslo_messaging_qpid] send_single_reply = False
(BoolOpt) Send a single AMQP reply to call message.
The current behavior since oslo-incubator is to send
two AMQP replies - first one with the payload, a
second one to ensure the other has finished to send
the payload. We are going to remove it in the N
release, but we must keep backward compatible at
the same time. This option provides such
compatibility - it defaults to False in Liberty and can
be turned on for early adopters with new
installations or for testing. This option will be removed
in the Mitaka release.
[oslo_messaging_rabbit] kombu_reconnect_timeout = 60
(IntOpt) How long to wait before considering a
reconnect attempt to have failed. This value should
not be longer than rpc_response_timeout.
[oslo_messaging_rabbit] send_single_reply = False
(BoolOpt) Send a single AMQP reply to call message.
The current behavior since oslo-incubator is to send
two AMQP replies - first one with the payload, a
second one to ensure the other has finished to send
the payload. We are going to remove it in the N
release, but we must keep backward compatible at
the same time. This option provides such
compatibility - it defaults to False in Liberty and can
be turned on for early adopters with new
installations or for testing. This option will be removed
in the Mitaka release.
[pxc] api_strategy =
trove.common.strategies.cluster.experimental.pxc.api.PXCAPIStrategy
(StrOpt) Class that implements datastore-specific
API logic.
[pxc] backup_incremental_strategy =
{'InnoBackupEx': 'InnoBackupExIncremental'}
(DictOpt) Incremental Backup Runner based on the
default strategy. For strategies that do not
implement an incremental backup, the runner will
use the default full backup.
[pxc] backup_namespace =
trove.guestagent.strategies.backup.mysql_impl
(StrOpt) Namespace to load backup strategies from.
[pxc] backup_strategy = InnoBackupEx
(StrOpt) Default strategy to perform backups.
[pxc] cluster_support = True
(BoolOpt) Enable clusters to be created and
managed.
[pxc] device_path = /dev/vdb
(StrOpt) Device path for volume if volume support is
enabled.
[pxc] guestagent_strategy =
trove.common.strategies.cluster.experimental.pxc.guestagent.PXCGuestAgentStrategy
(StrOpt) Class that implements datastore-specific
Guest Agent API logic.
[pxc] ignore_users = os_admin, root, clusterrepuser
(ListOpt) Users to exclude when listing users.
[pxc] min_cluster_member_count = 3
(IntOpt) Minimum number of members in PXC
cluster.
[pxc] mount_point = /var/lib/mysql
(StrOpt) Filesystem path for mounting volumes if
volume support is enabled.
[pxc] replication_namespace =
trove.guestagent.strategies.replication.mysql_gtid
(StrOpt) Namespace to load replication strategies
from.
[pxc] replication_strategy = MysqlGTIDReplication
(StrOpt) Default strategy for replication.
[pxc] replication_user = slave_user
(StrOpt) Userid for replication slave.
[pxc] restore_namespace =
trove.guestagent.strategies.restore.mysql_impl
(StrOpt) Namespace to load restore strategies from.
[pxc] root_controller =
trove.extensions.common.service.DefaultRootController
(StrOpt) Root controller implementation for pxc.
[pxc] root_on_create = False
(BoolOpt) Enable the automatic creation of the root
user for the service during instance-create. The
generated password for the root user is immediately
returned in the response of instance-create as the
'password' field.
[pxc] taskmanager_strategy =
trove.common.strategies.cluster.experimental.pxc.taskmanager.PXCTaskManagerStrategy
(StrOpt) Class that implements datastore-specific
task manager logic.
[pxc] tcp_ports = 3306, 4444, 4567, 4568
(ListOpt) List of TCP ports and/or port ranges to
open in the security group (only applicable if
trove_security_groups_support is True).
[pxc] udp_ports =
(ListOpt) List of UDP ports and/or port ranges to
open in the security group (only applicable if
trove_security_groups_support is True).
[pxc] usage_timeout = 450
(IntOpt) Maximum time (in seconds) to wait for a
Guest to become active.
[pxc] volume_support = True
(BoolOpt) Whether to provision a Cinder volume for
datadir.
[redis] api_strategy =
trove.common.strategies.cluster.experimental.redis.api.RedisAPIStrategy
(StrOpt) Class that implements datastore-specific
API logic.
[redis] cluster_support = True
(BoolOpt) Enable clusters to be created and
managed.
[redis] guestagent_strategy =
trove.common.strategies.cluster.experimental.redis.guestagent.RedisGuestAgentStrategy
(StrOpt) Class that implements datastore-specific
Guest Agent API logic.
[redis] replication_namespace =
trove.guestagent.strategies.replication.experimental.redis_sync
(StrOpt) Namespace to load replication strategies
from.
[redis] root_controller =
trove.extensions.common.service.DefaultRootController
(StrOpt) Root controller implementation for redis.
[redis] taskmanager_strategy =
trove.common.strategies.cluster.experimental.redis.taskmanager.RedisTaskManagerStrategy
(StrOpt) Class that implements datastore-specific
task manager logic.
Table 5.29. New default values
Option
Previous default value
New default value
[DEFAULT] cluster_usage_timeout
675
36000
[DEFAULT] default_log_levels
amqp=WARN, amqplib=WARN, boto=WARN, qpid=WARN, sqlalchemy=WARN, suds=INFO, oslo.messaging=INFO, iso8601=WARN, requests.packages.urllib3.connectionpool=WARN, urllib3.connectionpool=WARN, websocket=WARN, keystonemiddleware=WARN, routes.middleware=WARN, stevedore=WARN
amqp=WARN, amqplib=WARN, boto=WARN, qpid=WARN, sqlalchemy=WARN, suds=INFO, oslo.messaging=INFO, iso8601=WARN, requests.packages.urllib3.connectionpool=WARN, urllib3.connectionpool=WARN, websocket=WARN, requests.packages.urllib3.util.retry=WARN, urllib3.util.retry=WARN, keystonemiddleware=WARN, routes.middleware=WARN, stevedore=WARN, taskflow=WARN
[DEFAULT] ignore_dbs
lost+found, #mysql50#lost+found, mysql, information_schema
mysql, information_schema, performance_schema
[DEFAULT] logging_exception_prefix
%(asctime)s.%(msecs)03d %(process)d TRACE %(name)s %(instance)s
%(asctime)s.%(msecs)03d %(process)d ERROR %(name)s %(instance)s
[DEFAULT] notification_service_id
{'vertica': 'a8d805ae-a3b2-c4fd-gb23-b62cee5201ae', 'db2': 'e040cd37-263d-4869-aaa6-c62aa97523b5', 'postgresql': 'ac277e0d-4f21-40aa-b347-1ea31e571720', 'mysql': '2f3ff068-2bfb-4f70-9a9d-a6bb65bc084b', 'couchbase': 'fa62fe68-74d9-4779-a24e-36f19602c415', 'mongodb': 'c8c907af-7375-456f-b929-b637ff9209ee', 'couchdb': 'f0a9ab7b-66f7-4352-93d7-071521d44c7c', 'redis': 'b216ffc5-1947-456c-a4cf-70f94c05f7d0', 'cassandra': '459a230d-4e97-4344-9067-2a54a310b0ed'}
{'mongodb': 'c8c907af-7375-456f-b929-b637ff9209ee', 'percona': 'fd1723f5-68d2-409c-994f-a4a197892a17', 'mysql': '2f3ff068-2bfb-4f70-9a9d-a6bb65bc084b', 'pxc': '75a628c3-f81b-4ffb-b10a-4087c26bc854', 'db2': 'e040cd37-263d-4869-aaa6-c62aa97523b5', 'cassandra': '459a230d-4e97-4344-9067-2a54a310b0ed', 'mariadb': '7a4f82cc-10d2-4bc6-aadc-d9aacc2a3cb5', 'postgresql': 'ac277e0d-4f21-40aa-b347-1ea31e571720', 'couchbase': 'fa62fe68-74d9-4779-a24e-36f19602c415', 'couchdb': 'f0a9ab7b-66f7-4352-93d7-071521d44c7c', 'redis': 'b216ffc5-1947-456c-a4cf-70f94c05f7d0', 'vertica': 'a8d805ae-a3b2-c4fd-gb23-b62cee5201ae'}
[DEFAULT] report_interval
10
30
[DEFAULT] rpc_zmq_matchmaker
local
redis
[DEFAULT] usage_timeout
600
900
[DEFAULT] use_syslog_rfc_format
False
True
[DEFAULT] verbose
False
True
[matchmaker_redis] password
None
[oslo_messaging_rabbit] heartbeat_timeout_threshold
0
60
[redis] backup_namespace
None
trove.guestagent.strategies.backup.experimental.redis_impl
[redis] backup_strategy
None
RedisBackup
[redis] replication_strategy
None
RedisSyncReplication
[redis] restore_namespace
None
trove.guestagent.strategies.restore.experimental.redis_impl
[redis] tcp_ports
6379
6379, 16379
[redis] volume_support
False
True
Table 5.30. Deprecated options
Deprecated option
New Option
[DEFAULT] use_syslog
None
[DEFAULT] rpc_thread_pool_size
[DEFAULT] executor_thread_pool_size
[DEFAULT] log_format
None
CHAPTER 6. DATA PROCESSING SERVICE
The Data processing service (sahara) provides a scalable data-processing stack and associated
management interfaces.
The following tables provide a comprehensive list of the Data processing service configuration options.
Table 6.1. Description of AMQP configuration options
Configuration option = Default value
Description
[DEFAULT]
control_exchange = openstack
(String) The default exchange under which topics
are scoped. May be overridden by an exchange name
specified in the transport_url option.
transport_url = None
(String) A URL representing the messaging driver to
use and its full configuration. If not set, we fall back
to the rpc_backend option and driver specific
configuration.
Table 6.2. Description of API configuration options
Configuration option = Default value
Description
[oslo_middleware]
max_request_body_size = 114688
(Integer) The maximum body size for each request,
in bytes.
secure_proxy_ssl_header = X-Forwarded-Proto
(String) DEPRECATED: The HTTP Header that will be
used to determine what the original request protocol
scheme was, even if it was hidden by an SSL
termination proxy.
[retries]
retries_number = 5
(Integer) Number of times to retry the request to
client before failing
retry_after = 10
(Integer) Time between the retries to client (in
seconds).
[service_auth]
admin_password = password
(String) The service admin password
admin_project_domain = admin
(String) The admin project domain name
admin_tenant_name = admin
(String) The service admin tenant name
admin_user = admin
(String) The service admin user name
admin_user_domain = admin
(String) The admin user domain name
auth_url = http://127.0.0.1:5000/v2.0
(String) Authentication endpoint
auth_version = 2
(String) The auth version used to authenticate
endpoint_type = public
(String) The endpoint_type to be used
region = RegionOne
(String) The deployment region
service_name = lbaas
(String) The name of the service
Table 6.3. Description of authorization token configuration options
Configuration option = Default value
Description
[keystone_authtoken]
admin_password = None
(String) Service user password.
admin_tenant_name = admin
(String) Service tenant name.
admin_token = None
(String) This option is deprecated and may be
removed in a future release. Single shared secret
with the Keystone configuration used for
bootstrapping a Keystone installation, or otherwise
bypassing the normal authentication process. This
option should not be used, use `admin_user` and
`admin_password` instead.
admin_user = None
(String) Service username.
auth_admin_prefix =
(String) Prefix to prepend at the beginning of the
path. Deprecated, use identity_uri.
auth_host = 127.0.0.1
(String) Host providing the admin Identity API
endpoint. Deprecated, use identity_uri.
auth_port = 35357
(Integer) Port of the admin Identity API endpoint.
Deprecated, use identity_uri.
auth_protocol = https
(String) Protocol of the admin Identity API endpoint.
Deprecated, use identity_uri.
auth_section = None
(Unknown) Config Section from which to load plugin
specific options
auth_type = None
(Unknown) Authentication type to load
auth_uri = None
(String) Complete public Identity API endpoint.
auth_version = None
(String) API version of the admin Identity API
endpoint.
cache = None
(String) Env key for the swift cache.
cafile = None
(String) A PEM encoded Certificate Authority to use
when verifying HTTPs connections. Defaults to
system CAs.
certfile = None
(String) Required if identity server requires client
certificate
check_revocations_for_cached = False
(Boolean) If true, the revocation list will be checked
for cached tokens. This requires that PKI tokens are
configured on the identity server.
delay_auth_decision = False
(Boolean) Do not handle authorization requests
within the middleware, but delegate the
authorization decision to downstream WSGI
components.
enforce_token_bind = permissive
(String) Used to control the use and type of token
binding. Can be set to: "disabled" to not check token
binding. "permissive" (default) to validate binding
information if the bind type is of a form known to the
server and ignore it if not. "strict" like "permissive"
but if the bind type is unknown the token will be
rejected. "required" any form of token binding is
needed to be allowed. Finally the name of a binding
method that must be present in tokens.
hash_algorithms = md5
(List) Hash algorithms to use for hashing PKI tokens.
This may be a single algorithm or multiple. The
algorithms are those supported by Python standard
hashlib.new(). The hashes will be tried in the order
given, so put the preferred one first for performance.
The result of the first hash will be stored in the
cache. This will typically be set to multiple values
only while migrating from a less secure algorithm to
a more secure one. Once all the old tokens are
expired this option should be set to a single value for
better performance.
http_connect_timeout = None
(Integer) Request timeout value for communicating
with Identity API server.
http_request_max_retries = 3
(Integer) How many times are we trying to reconnect
when communicating with Identity API Server.
identity_uri = None
(String) Complete admin Identity API endpoint. This
should specify the unversioned root endpoint e.g.
https://localhost:35357/
include_service_catalog = True
(Boolean) (Optional) Indicate whether to set the X-Service-Catalog header. If False, middleware will not
ask for service catalog on token validation and will
not set the X-Service-Catalog header.
insecure = False
(Boolean) Verify HTTPS connections.
keyfile = None
(String) Required if identity server requires client
certificate
memcache_pool_conn_get_timeout = 10
(Integer) (Optional) Number of seconds that an
operation will wait to get a memcached client
connection from the pool.
memcache_pool_dead_retry = 300
(Integer) (Optional) Number of seconds memcached
server is considered dead before it is tried again.
memcache_pool_maxsize = 10
(Integer) (Optional) Maximum total number of open
connections to every memcached server.
memcache_pool_socket_timeout = 3
(Integer) (Optional) Socket timeout in seconds for
communicating with a memcached server.
memcache_pool_unused_timeout = 60
(Integer) (Optional) Number of seconds a
connection to memcached is held unused in the pool
before it is closed.
memcache_secret_key = None
(String) (Optional, mandatory if
memcache_security_strategy is defined) This string
is used for key derivation.
memcache_security_strategy = None
(String) (Optional) If defined, indicate whether token
data should be authenticated or authenticated and
encrypted. If MAC, token data is authenticated (with
HMAC) in the cache. If ENCRYPT, token data is
encrypted and authenticated in the cache. If the
value is not one of these options or empty,
auth_token will raise an exception on initialization.
memcache_use_advanced_pool = False
(Boolean) (Optional) Use the advanced (eventlet
safe) memcached client pool. The advanced pool will
only work under python 2.x.
region_name = None
(String) The region in which the identity server can
be found.
revocation_cache_time = 10
(Integer) Determines the frequency at which the list
of revoked tokens is retrieved from the Identity
service (in seconds). A high number of revocation
events combined with a low cache duration may
significantly reduce performance.
signing_dir = None
(String) Directory used to cache files related to PKI
tokens.
token_cache_time = 300
(Integer) In order to prevent excessive effort spent
validating tokens, the middleware caches
previously-seen tokens for a configurable duration
(in seconds). Set to -1 to disable caching completely.
Table 6.4. Description of clients configuration options
Configuration option = Default value
Description
[cinder]
api_insecure = False
(Boolean) Allow to perform insecure SSL requests to
cinder.
api_version = 2
(Integer) Version of the Cinder API to use.
ca_file = None
(String) Location of ca certificates file to use for
cinder client requests.
endpoint_type = internalURL
(String) Endpoint type for cinder client requests
[heat]
api_insecure = False
(Boolean) Allow to perform insecure SSL requests to
heat.
ca_file = None
(String) Location of ca certificates file to use for
heat client requests.
endpoint_type = internalURL
(String) Endpoint type for heat client requests
[keystone]
api_insecure = False
(Boolean) Allow to perform insecure SSL requests to
keystone.
ca_file = None
(String) Location of ca certificates file to use for
keystone client requests.
endpoint_type = internalURL
(String) Endpoint type for keystone client requests
[manila]
api_insecure = True
(Boolean) Allow to perform insecure SSL requests to
manila.
api_version = 1
(Integer) Version of the manila API to use.
ca_file = None
(String) Location of ca certificates file to use for
manila client requests.
[neutron]
api_insecure = False
(Boolean) Allow to perform insecure SSL requests to
neutron.
ca_file = None
(String) Location of ca certificates file to use for
neutron client requests.
endpoint_type = internalURL
(String) Endpoint type for neutron client requests
[nova]
api_insecure = False
(Boolean) Allow to perform insecure SSL requests to
nova.
ca_file = None
(String) Location of ca certificates file to use for
nova client requests.
endpoint_type = internalURL
(String) Endpoint type for nova client requests
[swift]
api_insecure = False
(Boolean) Allow to perform insecure SSL requests to
swift.
ca_file = None
(String) Location of ca certificates file to use for
swift client requests.
endpoint_type = internalURL
(String) Endpoint type for swift client requests
Table 6.5. Description of common configuration options
Configuration option = Default value
Description
[DEFAULT]
admin_project_domain_name = default
(String) The name of the domain for the service
project(ex. tenant).
admin_user_domain_name = default
(String) The name of the domain to which the admin
user belongs.
api_workers = 1
(Integer) Number of workers for Sahara API service
(0 means all-in-one-thread configuration).
cleanup_time_for_incomplete_clusters = 0
(Integer) Maximal time (in hours) for clusters
allowed to be in states other than "Active",
"Deleting" or "Error". If a cluster is not in "Active",
"Deleting" or "Error" state and last update of it was
longer than
"cleanup_time_for_incomplete_clusters" hours ago
then it will be deleted automatically. (0 value means
that automatic clean up is disabled).
cluster_remote_threshold = 70
(Integer) The same as global_remote_threshold, but
for a single cluster.
compute_topology_file = etc/sahara/compute.topology
(String) File with nova compute topology. It should
contain mapping between nova computes and racks.
coordinator_heartbeat_interval = 1
(Integer) Interval size between heartbeat execution
in seconds. Heartbeats are executed to make sure
that connection to the coordination server is active.
default_ntp_server = pool.ntp.org
(String) Default ntp server for time sync
disable_event_log = False
(Boolean) Disables event log feature.
enable_data_locality = False
(Boolean) Enables data locality for hadoop cluster.
Also enables data locality for Swift used by hadoop.
If enabled, 'compute_topology' and 'swift_topology'
configuration parameters should point to
OpenStack and Swift topology correspondingly.
enable_hypervisor_awareness = True
(Boolean) Enables four-level topology for data
locality. Works only if corresponding plugin supports
such mode.
executor_thread_pool_size = 64
(Integer) Size of executor thread pool.
global_remote_threshold = 100
(Integer) Maximum number of remote operations
that will be running at the same time. Note that each
remote operation requires its own process to run.
hash_ring_replicas_count = 40
(Integer) Number of points that belongs to each
member on a hash ring. The larger number leads to a
better distribution.
heat_enable_wait_condition = True
(Boolean) Enable wait condition feature to reduce
polling during cluster creation
heat_stack_tags = data-processing-cluster
(List) List of tags to be used during operating with
stack.
infrastructure_engine = heat
(String) DEPRECATED: An engine which will be used
to provision infrastructure for Hadoop cluster.
job_binary_max_KB = 5120
(Integer) Maximum length of job binary data in
kilobytes that may be stored or retrieved in a single
operation.
job_canceling_timeout = 300
(Integer) Timeout for canceling job execution (in
seconds). Sahara will try to cancel job execution
during this time.
job_workflow_postfix =
(String) Postfix for storing jobs in hdfs. Will be added
to '/user/<hdfs user>/' path.
memcached_servers = None
(List) Memcached servers or None for in process
cache.
min_transient_cluster_active_time = 30
(Integer) Minimal "lifetime" in seconds for a
transient cluster. Cluster is guaranteed to be "alive"
within this time period.
node_domain = novalocal
(String) The suffix of the node's FQDN. In nova-network that is the dhcp_domain config parameter.
os_region_name = None
(String) Region name used to get services
endpoints.
periodic_coordinator_backend_url = None
(String) The backend URL to use for distributed
periodic tasks coordination.
periodic_enable = True
(Boolean) Enable periodic tasks.
periodic_fuzzy_delay = 60
(Integer) Range in seconds to randomly delay when
starting the periodic task scheduler to reduce
stampeding. (Disable by setting to 0).
periodic_interval_max = 60
(Integer) Max interval size between periodic tasks
execution in seconds.
periodic_workers_number = 1
(Integer) Number of threads to run periodic tasks.
plugins = vanilla, spark, cdh, ambari
(List) List of plugins to be loaded. Sahara preserves
the order of the list when returning it.
proxy_command =
(String) Proxy command used to connect to
instances. If set, this command should open a netcat
socket, that Sahara will use for SSH and HTTP
connections. Use {host} and {port} to describe the
destination. Other available keywords: {tenant_id},
{network_id}, {router_id}.
remote = ssh
(String) A method for Sahara to execute commands
on VMs.
rootwrap_command = sudo sahara-rootwrap /etc/sahara/rootwrap.conf
(String) Rootwrap command to leverage. Use in
conjunction with use_rootwrap=True
swift_topology_file = etc/sahara/swift.topology
(String) File with Swift topology. It should contain
mapping between Swift nodes and racks.
use_barbican_key_manager = False
(Boolean) Enable the usage of the OpenStack Key
Management service provided by barbican.
use_floating_ips = True
(Boolean) If set to True, Sahara will use floating IPs
to communicate with instances. To make sure that
all instances have floating IPs assigned in Nova
Network set "auto_assign_floating_ip=True" in
nova.conf. If Neutron is used for networking, make
sure that all Node Groups have "floating_ip_pool"
parameter defined.
use_identity_api_v3 = True
(Boolean) Enables Sahara to use Keystone API v3. If
that flag is disabled, per-job clusters will not be
terminated automatically.
use_namespaces = False
(Boolean) Use network namespaces for
communication (only valid to use in conjunction with
use_neutron=True).
use_neutron = False
(Boolean) Use Neutron Networking (False indicates
the use of Nova networking).
use_rootwrap = False
(Boolean) Use rootwrap facility to allow non-root
users to run the sahara-all server instance and
access private network IPs (only valid to use in
conjunction with use_namespaces=True)
[castellan]
barbican_api_endpoint = None
(String) The endpoint to use for connecting to the
barbican api controller. By default, castellan will use
the URL from the service catalog.
barbican_api_version = v1
(String) Version of the barbican API, for example:
"v1"
[certificates]
barbican_auth = barbican_acl_auth
(String) Name of the Barbican authentication
method to use
cert_manager_type = barbican
(String) Certificate Manager plugin. Defaults to
barbican.
[cluster_verifications]
verification_enable = True
(Boolean) Option to enable verifications for all
clusters
verification_periodic_interval = 600
(Integer) Interval between two consecutive periodic
tasks for verifications, in seconds.
[conductor]
use_local = True
(Boolean) Perform sahara-conductor operations
locally.
[keystone_authtoken]
memcached_servers = None
(List) Optionally specify a list of memcached
server(s) to use for caching. If left undefined, tokens
will instead be cached in-process.
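The options in Tables 6.3, 6.4 and 6.5 that disable TLS verification or leave cached token data unprotected can be checked mechanically. The following is an added example, not part of this reference or of the sahara code base: a Python audit that reads sahara.conf-style text with configparser and reports those settings. The sample configuration is constructed, the names audit_sahara_conf and parse_conf and the finding texts are assumptions of this example, and it assumes the file is plain INI without multi-valued options.

```python
import configparser

# Defaults from Table 6.4: manila is the only client section whose
# api_insecure default is True.
CLIENT_INSECURE_DEFAULTS = {
    "cinder": False, "heat": False, "keystone": False, "manila": True,
    "neutron": False, "nova": False, "swift": False,
}

# Constructed sample configuration, not taken from a real deployment.
SAMPLE_CONF = """
[DEFAULT]
debug = False

[keystone_authtoken]
auth_uri = http://192.0.2.10:5000/
identity_uri = https://192.0.2.10:35357/
admin_token = CONSTRUCTED-SAMPLE-TOKEN
memcached_servers = 192.0.2.20:11211

[nova]
api_insecure = true

[swift]
api_insecure = False
ca_file = /etc/pki/tls/certs/ca-bundle.crt
"""


def parse_conf(text):
    """Parse INI-style text; [DEFAULT] is kept as an ordinary section."""
    # configparser would otherwise copy [DEFAULT] keys into every section,
    # which is not how the services read their configuration.
    parser = configparser.ConfigParser(
        interpolation=None, strict=False, default_section="__unused__")
    parser.read_string(text)
    return parser


def audit_sahara_conf(text):
    """Return sorted (section, option, finding) tuples for risky settings."""
    conf = parse_conf(text)
    findings = []

    # Table 6.4: api_insecure turns off TLS verification per client.
    # An absent option falls back to the documented default.
    for section, default in CLIENT_INSECURE_DEFAULTS.items():
        if conf.getboolean(section, "api_insecure", fallback=default):
            origin = "set" if conf.has_option(section, "api_insecure") else "default"
            findings.append((section, "api_insecure",
                             "TLS verification disabled (%s)" % origin))

    # Tables 6.3 and 6.5: [keystone_authtoken] options.
    kat = "keystone_authtoken"

    def value(option):
        return conf.get(kat, option, fallback="").strip()

    if conf.getboolean(kat, "insecure", fallback=False):
        findings.append((kat, "insecure", "HTTPS verification disabled"))
    if value("admin_token"):
        findings.append((kat, "admin_token", "deprecated shared secret is set"))
    for option in ("auth_uri", "identity_uri"):
        if value(option).lower().startswith("http://"):
            findings.append((kat, option, "Identity endpoint is plain HTTP"))

    # Tokens cached in an external memcached need MAC or ENCRYPT, and
    # either strategy needs memcache_secret_key for key derivation.
    strategy = value("memcache_security_strategy").upper()
    if value("memcached_servers") and not strategy:
        findings.append((kat, "memcache_security_strategy",
                         "tokens cached in memcached without MAC or ENCRYPT"))
    if strategy in ("MAC", "ENCRYPT") and not value("memcache_secret_key"):
        findings.append((kat, "memcache_secret_key",
                         "required when a security strategy is defined"))
    return sorted(findings)


if __name__ == "__main__":
    for section, option, finding in audit_sahara_conf(SAMPLE_CONF):
        print("[%s] %s: %s" % (section, option, finding))
```

The manila finding appears even though the sample has no [manila] section, because the documented default for that client is api_insecure = True.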
Table 6.6. Description of CORS configuration options
Configuration option = Default value
Description
[cors]
allow_credentials = True
(Boolean) Indicate that the actual request can
include user credentials
allow_headers = Content-Type, Cache-Control,
Content-Language, Expires, Last-Modified, Pragma
(List) Indicate which header field names may be
used during the actual request.
allow_methods = GET, POST, PUT, DELETE,
OPTIONS
(List) Indicate which methods can be used during the
actual request.
allowed_origin = None
(List) Indicate whether this resource may be shared
with the domain received in the requests "origin"
header.
expose_headers = Content-Type, Cache-Control,
Content-Language, Expires, Last-Modified, Pragma
(List) Indicate which headers are safe to expose to
the API. Defaults to HTTP Simple Headers.
max_age = 3600
(Integer) Maximum cache age of CORS preflight
requests.
[cors.subdomain]
allow_credentials = True
(Boolean) Indicate that the actual request can
include user credentials
allow_headers = Content-Type, Cache-Control,
Content-Language, Expires, Last-Modified, Pragma
(List) Indicate which header field names may be
used during the actual request.
allow_methods = GET, POST, PUT, DELETE,
OPTIONS
(List) Indicate which methods can be used during the
actual request.
allowed_origin = None
(List) Indicate whether this resource may be shared
with the domain received in the requests "origin"
header.
expose_headers = Content-Type, Cache-Control,
Content-Language, Expires, Last-Modified, Pragma
(List) Indicate which headers are safe to expose to
the API. Defaults to HTTP Simple Headers.
max_age = 3600
(Integer) Maximum cache age of CORS preflight
requests.
Table 6.7. Description of database configuration options
Configuration option = Default value
Description
[DEFAULT]
db_driver = sahara.db
(String) Driver to use for database access.
[database]
backend = sqlalchemy
(String) The back end to use for the database.
connection = None
(String) The SQLAlchemy connection string to use
to connect to the database.
connection_debug = 0
(Integer) Verbosity of SQL debugging information:
0=None, 100=Everything.
connection_trace = False
(Boolean) Add Python stack traces to SQL as
comment strings.
db_inc_retry_interval = True
(Boolean) If True, increases the interval between
retries of a database operation up to
db_max_retry_interval.
db_max_retries = 20
(Integer) Maximum retries in case of connection
error or deadlock error before error is raised. Set to
-1 to specify an infinite retry count.
db_max_retry_interval = 10
(Integer) If db_inc_retry_interval is set, the
maximum seconds between retries of a database
operation.
db_retry_interval = 1
(Integer) Seconds between retries of a database
transaction.
idle_timeout = 3600
(Integer) Timeout before idle SQL connections are
reaped.
max_overflow = 50
(Integer) If set, use this value for max_overflow with
SQLAlchemy.
max_pool_size = None
(Integer) Maximum number of SQL connections to
keep open in a pool.
max_retries = 10
(Integer) Maximum number of database connection
retries during startup. Set to -1 to specify an infinite
retry count.
min_pool_size = 1
(Integer) Minimum number of SQL connections to
keep open in a pool.
mysql_sql_mode = TRADITIONAL
(String) The SQL mode to be used for MySQL
sessions. This option, including the default, overrides
any server-set SQL mode. To use whatever SQL
mode is set by the server configuration, set this to
no value. Example: mysql_sql_mode=
pool_timeout = None
(Integer) If set, use this value for pool_timeout with
SQLAlchemy.
retry_interval = 10
(Integer) Interval between retries of opening a SQL
connection.
slave_connection = None
(String) The SQLAlchemy connection string to use
to connect to the slave database.
sqlite_db = oslo.sqlite
(String) The file name to use with SQLite.
sqlite_synchronous = True
(Boolean) If True, SQLite uses synchronous mode.
use_db_reconnect = False
(Boolean) Enable the experimental use of database
reconnect on connection lost.
Table 6.8. Description of domain configuration options
Configuration option = Default value
Description
[DEFAULT]
proxy_user_domain_name = None
(String) The domain Sahara will use to create new
proxy users for Swift object access.
proxy_user_role_names = Member
(List) A list of the role names that the proxy user
should assume through trust for Swift object access.
use_domain_for_proxy_users = False
(Boolean) Enables Sahara to use a domain for
creating temporary proxy users to access Swift. If
this is enabled a domain must be created for Sahara
to use.
Table 6.9. Description of logging configuration options
Configuration option = Default value
Description
[DEFAULT]
debug = False
(Boolean) If set to true, the logging level will be set
to DEBUG instead of the default INFO level.
default_log_levels = amqplib=WARN, qpid.messaging=INFO, stevedore=INFO, eventlet.wsgi.server=WARN, sqlalchemy=WARN, boto=WARN, suds=INFO, keystone=INFO, paramiko=WARN, requests=WARN, iso8601=WARN, oslo_messaging=INFO, neutronclient=INFO
(List) List of package logging levels in logger=LEVEL
pairs. This option is ignored if log_config_append is
set.
fatal_deprecations = False
(Boolean) Enables or disables fatal status of
deprecations.
instance_format = "[instance: %(uuid)s] "
(String) The format for an instance that is passed
with the log message.
instance_uuid_format = "[instance: %(uuid)s] "
(String) The format for an instance UUID that is
passed with the log message.
log_config_append = None
(String) The name of a logging configuration file.
This file is appended to any existing logging
configuration files. For details about logging
configuration files, see the Python logging module
documentation. Note that when logging
configuration files are used then all logging
configuration is set in the configuration file and
other logging configuration options are ignored (for
example, logging_context_format_string).
log_date_format = %Y-%m-%d %H:%M:%S
(String) Defines the format string for %(asctime)s
in log records. Default: %Y-%m-%d %H:%M:%S. This option is
ignored if log_config_append is set.
log_dir = None
(String) (Optional) The base directory used for
relative log_file paths. This option is ignored if
log_config_append is set.
log_file = None
(String) (Optional) Name of log file to send logging
output to. If no default is set, logging will go to
stderr as defined by use_stderr. This option is
ignored if log_config_append is set.
logging_context_format_string = %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [%(request_id)s %(user_identity)s] %(instance)s%(message)s
(String) Format string to use for log messages with
context.
logging_debug_format_suffix = %(funcName)s %(pathname)s:%(lineno)d
(String) Additional data to append to log message
when logging level for the message is DEBUG.
logging_default_format_string = %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [-] %(instance)s%(message)s
(String) Format string to use for log messages when
context is undefined.
logging_exception_prefix = %(asctime)s.%(msecs)03d %(process)d ERROR %(name)s %(instance)s
(String) Prefix each line of exception output with
this format.
logging_user_identity_format = %(user)s %(tenant)s %(domain)s %(user_domain)s %(project_domain)s
(String) Defines the format string for
%(user_identity)s that is used in
logging_context_format_string.
publish_errors = False
(Boolean) Enables or disables publication of error
events.
syslog_log_facility = LOG_USER
(String) Syslog facility to receive log lines. This
option is ignored if log_config_append is set.
use_stderr = True
(Boolean) Log output to standard error. This option
is ignored if log_config_append is set.
use_syslog = False
(Boolean) Use syslog for logging. Existing syslog
format is DEPRECATED and will be changed later to
honor RFC5424. This option is ignored if
log_config_append is set.
verbose = True
(Boolean) DEPRECATED: If set to false, the logging
level will be set to WARNING instead of the default
INFO level.
watch_log_file = False
(Boolean) Uses logging handler designed to watch
file system. When log file is moved or removed this
handler will open a new log file with specified path
instantaneously. It makes sense only if log_file
option is specified and Linux platform is used. This
option is ignored if log_config_append is set.
Table 6.10. Description of Auth options for Swift access for VM configuration options
Configuration option = Default value
Description
[object_store_access]
public_identity_ca_file = None
(String) Location of CA certificate file to use for
identity client requests via public endpoint
public_object_store_ca_file = None
(String) Location of CA certificate file to use for
object-store client requests via public endpoint
Table 6.11. Description of policy configuration options
Configuration option = Default value
Description
[oslo_policy]
policy_default_rule = default
(String) Default rule. Enforced when a requested rule
is not found.
policy_dirs = ['policy.d']
(Multi-valued) Directories where policy
configuration files are stored. They can be relative
to any directory in the search path defined by the
config_dir option, or absolute paths. The file defined
by policy_file must exist for these directories to be
searched. Missing or empty directories are ignored.
policy_file = policy.json
(String) The JSON file that defines policies.
Table 6.12. Description of Qpid configuration options
Configuration option = Default value
Description
[oslo_messaging_qpid]
amqp_auto_delete = False
(BoolOpt) Auto-delete queues in AMQP.
amqp_durable_queues = False
(BoolOpt) Use durable queues in AMQP.
qpid_heartbeat = 60
(IntOpt) Seconds between connection keepalive
heartbeats.
qpid_hostname = localhost
(StrOpt) Qpid broker hostname.
qpid_hosts = $qpid_hostname:$qpid_port
(ListOpt) Qpid HA cluster host:port pairs.
qpid_password =
(StrOpt) Password for Qpid connection.
qpid_port = 5672
(IntOpt) Qpid broker port.
qpid_protocol = tcp
(StrOpt) Transport to use, either 'tcp' or 'ssl'.
qpid_receiver_capacity = 1
(IntOpt) The number of prefetched messages held by
receiver.
qpid_sasl_mechanisms =
(StrOpt) Space separated list of SASL mechanisms
to use for auth.
qpid_tcp_nodelay = True
(BoolOpt) Whether to disable the Nagle algorithm.
qpid_topology_version = 1
(IntOpt) The qpid topology version to use. Version 1
is what was originally used by impl_qpid. Version 2
includes some backwards-incompatible changes
that allow broker federation to work. Users should
update to version 2 when they are able to take
everything down, as it requires a clean break.
qpid_username =
(StrOpt) Username for Qpid connection.
send_single_reply = False
(BoolOpt) Send a single AMQP reply to call message.
The current behavior since oslo-incubator is to send
two AMQP replies: the first one with the payload, and a
second one to ensure the other has finished sending
the payload. We are going to remove it in the N
release, but we must remain backward compatible at
the same time. This option provides such
compatibility: it defaults to False in Liberty and can
be turned on for early adopters with new
installations or for testing. This option will be removed
in the Mitaka release.
Table 6.13. Description of RabbitMQ configuration options
Configuration option = Default value
Description
[oslo_messaging_rabbit]
amqp_auto_delete = False
(Boolean) Auto-delete queues in AMQP.
amqp_durable_queues = False
(Boolean) Use durable queues in AMQP.
channel_max = None
(Integer) Maximum number of channels to allow
default_notification_exchange = ${control_exchange}_notification
(String) Exchange name for sending notifications
default_notification_retry_attempts = -1
(Integer) Reconnecting retry count in case of
connectivity problem during sending notification, -1
means infinite retry.
default_rpc_exchange = ${control_exchange}_rpc
(String) Exchange name for sending RPC messages
default_rpc_retry_attempts = -1
(Integer) Reconnecting retry count in case of
connectivity problem during sending RPC message, -1
means infinite retry. If actual retry attempts is not
0 the rpc request could be processed more than one
time
fake_rabbit = False
(Boolean) Deprecated, use
rpc_backend=kombu+memory or rpc_backend=fake
frame_max = None
(Integer) The maximum byte size for an AMQP frame
heartbeat_interval = 1
(Integer) How often to send heartbeats for
consumer's connections
heartbeat_rate = 2
(Integer) How many times during the
heartbeat_timeout_threshold we check the
heartbeat.
heartbeat_timeout_threshold = 60
(Integer) Number of seconds after which the Rabbit
broker is considered down if heartbeat's keep-alive
fails (0 disables the heartbeat). EXPERIMENTAL
host_connection_reconnect_delay = 0.25
(Floating point) Set delay for reconnection to some
host which has connection error
kombu_compression = None
(String) EXPERIMENTAL: Possible values are: gzip,
bz2. If not set, compression will not be used. This
option may not be available in future versions.
kombu_failover_strategy = round-robin
(String) Determines how the next RabbitMQ node is
chosen in case the one we are currently connected
to becomes unavailable. Takes effect only if more
than one RabbitMQ node is provided in config.
kombu_missing_consumer_retry_timeout = 60
(Integer) How long to wait for a missing client before
abandoning sending it its replies. This value should
not be longer than rpc_response_timeout.
kombu_reconnect_delay = 1.0
(Floating point) How long to wait before
reconnecting in response to an AMQP consumer
cancel notification.
kombu_ssl_ca_certs =
(String) SSL certification authority file (valid only if
SSL enabled).
kombu_ssl_certfile =
(String) SSL cert file (valid only if SSL enabled).
kombu_ssl_keyfile =
(String) SSL key file (valid only if SSL enabled).
kombu_ssl_version =
(String) SSL version to use (valid only if SSL
enabled). Valid values are TLSv1 and SSLv23. SSLv2,
SSLv3, TLSv1_1, and TLSv1_2 may be available on
some distributions.
notification_listener_prefetch_count = 100
(Integer) Max number of unacknowledged messages
which RabbitMQ can send to notification listener.
notification_persistence = False
(Boolean) Persist notification messages.
notification_retry_delay = 0.25
(Floating point) Reconnecting retry delay in case of
connectivity problem during sending notification
message
pool_max_overflow = 0
(Integer) Maximum number of connections to create
above `pool_max_size`.
pool_max_size = 10
(Integer) Maximum number of connections to keep
queued.
pool_recycle = 600
(Integer) Lifetime of a connection (since creation) in
seconds or None for no recycling. Expired
connections are closed on acquire.
pool_stale = 60
(Integer) Threshold at which inactive (since release)
connections are considered stale in seconds or None
for no staleness. Stale connections are closed on
acquire.
pool_timeout = 30
(Integer) Default number of seconds to wait for a
connection to become available
rabbit_ha_queues = False
(Boolean) Try to use HA queues in RabbitMQ (x-ha-policy: all). If you change this option, you must wipe
the RabbitMQ database. In RabbitMQ 3.0, queue
mirroring is no longer controlled by the x-ha-policy
argument when declaring a queue. If you just want to
make sure that all queues (except those with auto-generated names) are mirrored across all nodes, run:
"rabbitmqctl set_policy HA '^(?!amq\.).*' '{"ha-mode": "all"}' "
rabbit_host = localhost
(String) The RabbitMQ broker address where a
single node is used.
rabbit_hosts = $rabbit_host:$rabbit_port
(List) RabbitMQ HA cluster host:port pairs.
rabbit_interval_max = 30
(Integer) Maximum interval of RabbitMQ connection
retries. Default is 30 seconds.
rabbit_login_method = AMQPLAIN
(String) The RabbitMQ login method.
rabbit_max_retries = 0
(Integer) Maximum number of RabbitMQ connection
retries. Default is 0 (infinite retry count).
rabbit_password = guest
(String) The RabbitMQ password.
rabbit_port = 5672
(Port number) The RabbitMQ broker port where a
single node is used.
rabbit_qos_prefetch_count = 0
(Integer) Specifies the number of messages to
prefetch. Setting to zero allows unlimited messages.
rabbit_retry_backoff = 2
(Integer) How long to backoff for between retries
when connecting to RabbitMQ.
rabbit_retry_interval = 1
(Integer) How frequently to retry connecting with
RabbitMQ.
rabbit_transient_queues_ttl = 1800
(Integer) Positive integer representing duration in
seconds for queue TTL (x-expires). Queues which
are unused for the duration of the TTL are
automatically deleted. The parameter affects only
reply and fanout queues.
rabbit_use_ssl = False
(Boolean) Connect over SSL for RabbitMQ.
rabbit_userid = guest
(String) The RabbitMQ userid.
rabbit_virtual_host = /
(String) The RabbitMQ virtual host.
rpc_listener_prefetch_count = 100
(Integer) Max number of unacknowledged messages
which RabbitMQ can send to rpc listener.
rpc_queue_expiration = 60
(Integer) Time to live for rpc queues without
consumers in seconds.
rpc_reply_exchange = ${control_exchange}_rpc_reply
(String) Exchange name for receiving RPC replies
rpc_reply_listener_prefetch_count = 100
(Integer) Max number of unacknowledged messages
which RabbitMQ can send to rpc reply listener.
rpc_reply_retry_attempts = -1
(Integer) Reconnecting retry count in case of
connectivity problem during sending reply. -1 means
infinite retry during rpc_timeout
rpc_reply_retry_delay = 0.25
(Floating point) Reconnecting retry delay in case of
connectivity problem during sending reply.
rpc_retry_delay = 0.25
(Floating point) Reconnecting retry delay in case of
connectivity problem during sending RPC message
socket_timeout = 0.25
(Floating point) Set socket timeout in seconds for
connection's socket
ssl = None
(Boolean) Enable SSL
ssl_options = None
(Dict) Arguments passed to ssl.wrap_socket
tcp_user_timeout = 0.25
(Floating point) Set TCP_USER_TIMEOUT in seconds
for connection's socket
Table 6.14. Description of Redis configuration options
Configuration option = Default value
Description
[matchmaker_redis]
check_timeout = 20000
(Integer) Time in ms to wait before the transaction is
killed.
host = 127.0.0.1
(String) Host to locate redis.
password =
(String) Password for Redis server (optional).
port = 6379
(Port number) Use this port to connect to redis host.
sentinel_group_name = oslo-messaging-zeromq
(String) Redis replica set name.
sentinel_hosts =
(List) List of Redis Sentinel hosts (fault tolerance
mode) e.g. [host:port, host1:port ... ]
socket_timeout = 1000
(Integer) Timeout in ms on blocking socket
operations
wait_timeout = 500
(Integer) Time in ms to wait between connection
attempts.
Table 6.15. Description of RPC configuration options
Configuration option = Default value
Description
[DEFAULT]
rpc_backend = rabbit
(String) The messaging driver to use, defaults to
rabbit. Other drivers include amqp and zmq.
rpc_cast_timeout = -1
(Integer) Seconds to wait before a cast expires
(TTL). The default value of -1 specifies an infinite
linger period. The value of 0 specifies no linger
period. Pending messages shall be discarded
immediately when the socket is closed. Only
supported by impl_zmq.
rpc_conn_pool_size = 30
(Integer) Size of RPC connection pool.
rpc_poll_timeout = 1
(Integer) The default number of seconds that poll
should wait. Poll raises timeout exception when
timeout expired.
rpc_response_timeout = 60
(Integer) Seconds to wait for a response from a call.
[oslo_concurrency]
disable_process_locking = False
(Boolean) Enables or disables inter-process locks.
lock_path = None
(String) Directory to use for lock files. For security,
the specified directory should only be writable by
the user running the processes that need locking.
Defaults to environment variable
OSLO_LOCK_PATH. If external locks are used, a
lock path must be set.
[oslo_messaging]
event_stream_topic = neutron_lbaas_event
(String) topic name for receiving events from a
queue
[oslo_messaging_amqp]
allow_insecure_clients = False
(Boolean) Accept clients using either SSL or plain
TCP
broadcast_prefix = broadcast
(String) address prefix used when broadcasting to
all servers
container_name = None
(String) Name for the AMQP container
group_request_prefix = unicast
(String) address prefix when sending to any server
in group
idle_timeout = 0
(Integer) Timeout for inactive connections (in
seconds)
password =
(String) Password for message broker
authentication
sasl_config_dir =
(String) Path to directory that contains the SASL
configuration
sasl_config_name =
(String) Name of configuration file (without .conf
suffix)
sasl_mechanisms =
(String) Space separated list of acceptable SASL
mechanisms
server_request_prefix = exclusive
(String) address prefix used when sending to a
specific server
ssl_ca_file =
(String) CA certificate PEM file to verify server
certificate
ssl_cert_file =
(String) Identifying certificate PEM file to present to
clients
ssl_key_file =
(String) Private key PEM file used to sign cert_file
certificate
ssl_key_password = None
(String) Password for decrypting ssl_key_file (if
encrypted)
trace = False
(Boolean) Debug: dump AMQP frames to stdout
username =
(String) User name for message broker
authentication
[oslo_messaging_notifications]
driver = []
(Multi-valued) The driver(s) to handle sending
notifications. Possible values are messaging,
messagingv2, routing, log, test, noop
enable = False
(Boolean) Enables sending notifications to
Ceilometer
level = INFO
(String) Notification level for outgoing notifications
publisher_id = None
(String) Notification publisher_id for outgoing
notifications
topics = notifications
(List) AMQP topic used for OpenStack notifications.
transport_url = None
(String) A URL representing the messaging driver to
use for notifications. If not set, we fall back to the
same configuration used for RPC.
Table 6.16. Description of timeouts configuration options
Configuration option = Default value
Description
[timeouts]
delete_instances_timeout = 10800
(Integer) Wait for instances to be deleted, in seconds
detach_volume_timeout = 300
(Integer) Timeout for detaching volumes from
instance, in seconds
ips_assign_timeout = 10800
(Integer) Assign IPs timeout, in seconds
wait_until_accessible = 10800
(Integer) Wait for instance accessibility, in seconds
6.1. NEW, UPDATED, AND DEPRECATED OPTIONS IN MITAKA FOR
DATA PROCESSING SERVICE
Table 6.17. New options
Configuration option = Default value
Description
[DEFAULT] coordinator_heartbeat_interval = 1
(IntOpt) Interval size between heartbeat execution
in seconds. Heartbeats are executed to make sure
that connection to the coordination server is active.
[DEFAULT] hash_ring_replicas_count = 40
(IntOpt) Number of points that belong to each
member on a hash ring. The larger number leads to a
better distribution.
[DEFAULT] periodic_coordinator_backend_url = None
(StrOpt) The backend URL to use for distributed
periodic tasks coordination.
[DEFAULT] periodic_workers_number = 1
(IntOpt) Number of threads to run periodic tasks.
[DEFAULT] use_barbican_key_manager = False
(BoolOpt) Enable the usage of the OpenStack Key
Management service provided by barbican.
[castellan] barbican_api_endpoint = None
(StrOpt) The endpoint to use for connecting to the
barbican api controller. By default, castellan will use
the URL from the service catalog.
[castellan] barbican_api_version = v1
(StrOpt) Version of the barbican API, for example:
"v1"
[cluster_verifications] verification_enable = True
(BoolOpt) Option to enable verifications for all
clusters
[cluster_verifications] verification_periodic_interval = 600
(IntOpt) Interval between two consecutive periodic
tasks for verifications, in seconds.
[oslo_messaging_notifications] enable = False
(BoolOpt) Enables sending notifications to
Ceilometer
[oslo_messaging_notifications] level = INFO
(StrOpt) Notification level for outgoing notifications
[oslo_messaging_notifications] publisher_id = None
(StrOpt) Notification publisher_id for outgoing
notifications
Table 6.18. New default values
Option
Previous default value
New default value
[DEFAULT] api_workers
0
1
[DEFAULT] plugins
hdp, cdh
cdh
Table 6.19. Deprecated options
Configuration option = Default value
Description
[DEFAULT] enable_notifications
[oslo_messaging_notifications] enable
[DEFAULT] notification_level
[oslo_messaging_notifications] level
[DEFAULT] notification_publisher_id
[oslo_messaging_notifications] publisher_id
[DEFAULT] use_syslog
None
CHAPTER 7. IDENTITY SERVICE
This chapter details the OpenStack Identity service configuration options.
7.1. IDENTITY SERVICE CONFIGURATION FILE
The Identity service is configured in the /etc/keystone/keystone.conf file.
The following tables provide a comprehensive list of the Identity service options.
Table 7.1. Description of API configuration options
Configuration option = Default value
Description
[DEFAULT]
admin_endpoint = None
(StrOpt) The base admin endpoint URL for Keystone
that is advertised to clients (NOTE: this does NOT
affect how Keystone listens for connections).
Defaults to the base host URL of the request. E.g. a
request to http://server:35357/v3/users will
default to http://server:35357. You should only
need to set this value if the base URL contains a
path (e.g. /prefix/v3) or the endpoint should be
found on a different server.
admin_token = ADMIN
(StrOpt) A "shared secret" that can be used to
bootstrap Keystone. This "token" does not represent
a user, and carries no explicit authorization. To
disable in production (highly recommended), remove
AdminTokenAuthMiddleware from your paste
application pipelines (for example, in keystone-paste.ini).
domain_id_immutable = True
(BoolOpt) Set this to false if you want to enable the
ability for user, group and project entities to be
moved between domains by updating their
domain_id. Allowing such movement is not
recommended if the scope of a domain admin is
being restricted by use of an appropriate policy file
(see policy.v3cloudsample as an example).
list_limit = None
(IntOpt) The maximum number of entities that will be
returned in a collection, with no limit set by default.
This global limit may be then overridden for a
specific driver, by specifying a list_limit in the
appropriate section (e.g. [assignment]).
max_param_size = 64
(IntOpt) Limit the sizes of user & project ID/names.
max_project_tree_depth = 5
(IntOpt) Maximum depth of the project hierarchy.
WARNING: setting it to a large value may adversely
impact performance.
max_token_size = 8192
(IntOpt) Similar to max_param_size, but provides an
exception for token values.
member_role_id = 9fe2ff9ee4384b1894a90878d3e92bab
(StrOpt) Similar to the member_role_name option,
this represents the default role ID used to associate
users with their default projects in the v2 API. This
will be used as the explicit role where one is not
specified by the v2 API.
member_role_name = _member_
(StrOpt) This is the role name used in combination
with the member_role_id option; see that option for
more detail.
public_endpoint = None
(StrOpt) The base public endpoint URL for Keystone
that is advertised to clients (NOTE: this does NOT
affect how Keystone listens for connections).
Defaults to the base host URL of the request. E.g. a
request to http://server:5000/v3/users will default
to http://server:5000. You should only need to set
this value if the base URL contains a path (e.g.
/prefix/v3) or the endpoint should be found on a
different server.
secure_proxy_ssl_header = None
(StrOpt) The HTTP header used to determine the
scheme for the original request, even if it was
removed by an SSL terminating proxy. Typical value
is "HTTP_X_FORWARDED_PROTO".
strict_password_check = False
(BoolOpt) If set to true, strict password length
checking is performed for password manipulation. If
a password exceeds the maximum length, the
operation will fail with an HTTP 403 Forbidden error.
If set to false, passwords are automatically
truncated to the maximum length.
[endpoint_filter]
driver = sql
(StrOpt) Entrypoint for the endpoint filter backend
driver in the keystone.endpoint_filter namespace.
return_all_endpoints_if_no_filter = True
(BoolOpt) Toggle to return all active endpoints if no
filter exists.
[endpoint_policy]
driver = sql
(StrOpt) Entrypoint for the endpoint policy backend
driver in the keystone.endpoint_policy namespace.
enabled = True
(BoolOpt) Enable endpoint_policy functionality.
[eventlet_server]
admin_bind_host = 0.0.0.0
(StrOpt) The IP address of the network interface for
the admin service to listen on.
admin_port = 35357
(IntOpt) The port number which the admin service
listens on.
admin_workers = None
(IntOpt) The number of worker processes to serve
the admin eventlet application. Defaults to number
of CPUs (minimum of 2).
client_socket_timeout = 900
(IntOpt) Timeout for socket operations on a client
connection. If an incoming connection is idle for this
number of seconds it will be closed. A value of '0'
means wait forever.
public_bind_host = 0.0.0.0
(StrOpt) The IP address of the network interface for
the public service to listen on.
public_port = 5000
(IntOpt) The port number which the public service
listens on.
public_workers = None
(IntOpt) The number of worker processes to serve
the public eventlet application. Defaults to number
of CPUs (minimum of 2).
tcp_keepalive = False
(BoolOpt) Set this to true if you want to enable
TCP_KEEPALIVE on server sockets, i.e. sockets
used by the Keystone wsgi server for client
connections.
tcp_keepidle = 600
(IntOpt) Sets the value of TCP_KEEPIDLE in seconds
for each server socket. Only applies if tcp_keepalive
is true.
wsgi_keep_alive = True
(BoolOpt) If set to false, disables keepalives on the
server; all connections will be closed after serving
one request.
[oslo_middleware]
max_request_body_size = 114688
(IntOpt) The maximum body size for each request, in
bytes.
secure_proxy_ssl_header = X-Forwarded-Proto
(StrOpt) The HTTP Header that will be used to
determine what the original request protocol
scheme was, even if it was hidden by an SSL
termination proxy.
[paste_deploy]
config_file = keystone-paste.ini
(StrOpt) Name of the paste configuration file that
defines the available pipelines.
[resource]
cache_time = None
(IntOpt) TTL (in seconds) to cache resource data.
This has no effect unless global caching is enabled.
caching = True
(BoolOpt) Toggle for resource caching. This has no
effect unless global caching is enabled.
driver = None
(StrOpt) Entrypoint for the resource backend driver
in the keystone.resource namespace. Supplied
drivers are ldap and sql. If a resource driver is not
specified, the assignment driver will choose the
resource driver.
list_limit = None
(IntOpt) Maximum number of entities that will be
returned in a resource collection.
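The admin_token and strict_password_check entries in Table 7.1 can be checked automatically. The following is an added example, not part of this reference or of Keystone itself, that audits a keystone.conf and keystone-paste.ini pair. The sample file contents, the function names, and the egg:keystone#admin_token_auth entry-point form are assumptions.

```python
import configparser

# Defaults as listed in Table 7.1; they apply when keystone.conf omits the option.
TABLE_7_1_DEFAULTS = {"admin_token": "ADMIN", "strict_password_check": "False"}

# Constructed sample files for illustration, not taken from a real deployment.
SAMPLE_KEYSTONE_CONF = """\
[DEFAULT]
# admin_token is not set here, so the documented default applies
max_token_size = 8192
"""

SAMPLE_PASTE_INI = """\
[filter:admin_token_auth]
paste.filter_factory = keystone.middleware:AdminTokenAuthMiddleware.factory

[filter:token_auth]
paste.filter_factory = keystone.middleware:TokenAuthMiddleware.factory

[pipeline:public_api]
pipeline = token_auth admin_token_auth public_service

[pipeline:admin_api]
pipeline = token_auth admin_service
"""


def _parse(text):
    # interpolation=None: OpenStack values such as log format strings contain '%'.
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    return parser


def _is_bootstrap_filter(value):
    # The class name comes from Table 7.1. The egg entry-point spelling is an
    # assumption about how a paste file may reference the same middleware.
    return "AdminTokenAuthMiddleware" in value or value.endswith("#admin_token_auth")


def pipelines_with_admin_token(paste_text):
    """Return the paste pipelines that still load AdminTokenAuthMiddleware."""
    paste = _parse(paste_text)
    bootstrap_filters = set()
    for section in paste.sections():
        kind, _, name = section.partition(":")
        if kind == "filter" and any(
            _is_bootstrap_filter(value) for _, value in paste.items(section)
        ):
            bootstrap_filters.add(name)
    hits = []
    for section in paste.sections():
        kind, _, name = section.partition(":")
        if kind != "pipeline":
            continue
        stages = paste.get(section, "pipeline", fallback="").split()
        if bootstrap_filters.intersection(stages):
            hits.append(name)
    return sorted(hits)


def audit_keystone(conf_text, paste_text):
    """Return (option, finding) tuples for one keystone.conf / paste.ini pair."""
    conf = _parse(conf_text)

    def option(name):
        # A missing key is not "unset": the documented default is in effect.
        return conf.defaults().get(name, TABLE_7_1_DEFAULTS[name])

    findings = []
    exposed = pipelines_with_admin_token(paste_text)
    if exposed:
        findings.append(
            ("admin_token", "bootstrap middleware active in: " + ", ".join(exposed))
        )
        if option("admin_token") == TABLE_7_1_DEFAULTS["admin_token"]:
            findings.append(
                ("admin_token", "shared secret is still the documented default")
            )
    if option("strict_password_check").strip().lower() not in ("true", "1", "yes", "on"):
        findings.append(
            ("strict_password_check",
             "over-length passwords are truncated instead of rejected")
        )
    return findings


if __name__ == "__main__":
    for name, finding in audit_keystone(SAMPLE_KEYSTONE_CONF, SAMPLE_PASTE_INI):
        print(name + ": " + finding)
```

A filter section that is defined but not listed in any pipeline is not reported, since only the pipelines decide whether the middleware runs.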
Table 7.2. Description of assignment configuration options
Configuration option = Default value
Description
[assignment]
driver = None
(StrOpt) Entrypoint for the assignment backend
driver in the keystone.assignment namespace.
Supplied drivers are ldap and sql. If an assignment
driver is not specified, the identity driver will choose
the assignment driver.
Table 7.3. Description of authorization configuration options
Configuration option = Default value
Description
[auth]
external = None
(StrOpt) Entrypoint for the external
(REMOTE_USER) auth plugin module in the
keystone.auth.external namespace. Supplied drivers
are DefaultDomain and Domain. The default driver is
DefaultDomain.
methods = external, password, token, oauth1
(ListOpt) Allowed authentication methods.
oauth1 = None
(StrOpt) Entrypoint for the oAuth1.0 auth plugin
module in the keystone.auth.oauth1 namespace.
password = None
(StrOpt) Entrypoint for the password auth plugin
module in the keystone.auth.password namespace.
token = None
(StrOpt) Entrypoint for the token auth plugin module
in the keystone.auth.token namespace.
Table 7.4. Description of authorization token configuration options
Configuration option = Default value
Description
[keystone_authtoken]
admin_password = None
(StrOpt) Service user password.
admin_tenant_name = admin
(StrOpt) Service tenant name.
admin_token = None
(StrOpt) This option is deprecated and may be
removed in a future release. Single shared secret
with the Keystone configuration used for
bootstrapping a Keystone installation, or otherwise
bypassing the normal authentication process. This
option should not be used, use `admin_user` and
`admin_password` instead.
admin_user = None
(StrOpt) Service username.
auth_admin_prefix =
(StrOpt) Prefix to prepend at the beginning of the
path. Deprecated, use identity_uri.
auth_host = 127.0.0.1
(StrOpt) Host providing the admin Identity API
endpoint. Deprecated, use identity_uri.
auth_plugin = None
(StrOpt) Name of the plugin to load
auth_port = 35357
(IntOpt) Port of the admin Identity API endpoint.
Deprecated, use identity_uri.
auth_protocol = https
(StrOpt) Protocol of the admin Identity API endpoint
(http or https). Deprecated, use identity_uri.
auth_section = None
(StrOpt) Config Section from which to load plugin
specific options
auth_uri = None
(StrOpt) Complete public Identity API endpoint.
auth_version = None
(StrOpt) API version of the admin Identity API
endpoint.
cache = None
(StrOpt) Env key for the swift cache.
cafile = None
(StrOpt) A PEM encoded Certificate Authority to use
when verifying HTTPS connections. Defaults to
system CAs.
certfile = None
(StrOpt) Required if identity server requires client
certificate
check_revocations_for_cached = False
(BoolOpt) If true, the revocation list will be checked
for cached tokens. This requires that PKI tokens are
configured on the identity server.
delay_auth_decision = False
(BoolOpt) Do not handle authorization requests
within the middleware, but delegate the
authorization decision to downstream WSGI
components.
enforce_token_bind = permissive
(StrOpt) Used to control the use and type of token
binding. Can be set to: "disabled" to not check token
binding. "permissive" (default) to validate binding
information if the bind type is of a form known to the
server and ignore it if not. "strict" like "permissive"
but if the bind type is unknown the token will be
rejected. "required" any form of token binding is
needed to be allowed. Finally the name of a binding
method that must be present in tokens.
hash_algorithms = md5
(ListOpt) Hash algorithms to use for hashing PKI
tokens. This may be a single algorithm or multiple.
The algorithms are those supported by Python
standard hashlib.new(). The hashes will be tried in
the order given, so put the preferred one first for
performance. The result of the first hash will be
stored in the cache. This will typically be set to
multiple values only while migrating from a less
secure algorithm to a more secure one. Once all the
old tokens are expired this option should be set to a
single value for better performance.
http_connect_timeout = None
(IntOpt) Request timeout value for communicating
with Identity API server.
http_request_max_retries = 3
(IntOpt) Number of times to try reconnecting
when communicating with the Identity API server.
identity_uri = None
(StrOpt) Complete admin Identity API endpoint. This
should specify the unversioned root endpoint e.g.
https://localhost:35357/
include_service_catalog = True
(BoolOpt) (Optional) Indicate whether to set the X-Service-Catalog header. If False, middleware will not
ask for service catalog on token validation and will
not set the X-Service-Catalog header.
insecure = False
(BoolOpt) Verify HTTPS connections.
keyfile = None
(StrOpt) Required if identity server requires client
certificate
memcache_pool_conn_get_timeout = 10
(IntOpt) (Optional) Number of seconds that an
operation will wait to get a memcached client
connection from the pool.
memcache_pool_dead_retry = 300
(IntOpt) (Optional) Number of seconds memcached
server is considered dead before it is tried again.
memcache_pool_maxsize = 10
(IntOpt) (Optional) Maximum total number of open
connections to every memcached server.
memcache_pool_socket_timeout = 3
(IntOpt) (Optional) Socket timeout in seconds for
communicating with a memcached server.
memcache_pool_unused_timeout = 60
(IntOpt) (Optional) Number of seconds a connection
to memcached is held unused in the pool before it is
closed.
memcache_secret_key = None
(StrOpt) (Optional, mandatory if
memcache_security_strategy is defined) This string
is used for key derivation.
memcache_security_strategy = None
(StrOpt) (Optional) If defined, indicate whether
token data should be authenticated or authenticated
and encrypted. Acceptable values are MAC or
ENCRYPT. If MAC, token data is authenticated (with
HMAC) in the cache. If ENCRYPT, token data is
encrypted and authenticated in the cache. If the
value is not one of these options or empty,
auth_token will raise an exception on initialization.
memcache_use_advanced_pool = False
(BoolOpt) (Optional) Use the advanced (eventlet
safe) memcached client pool. The advanced pool will
only work under python 2.x.
region_name = None
(StrOpt) The region in which the identity server can
be found.
revocation_cache_time = 10
(IntOpt) Determines the frequency at which the list
of revoked tokens is retrieved from the Identity
service (in seconds). A high number of revocation
events combined with a low cache duration may
significantly reduce performance.
signing_dir = None
(StrOpt) Directory used to cache files related to PKI
tokens.
token_cache_time = 300
(IntOpt) In order to prevent excessive effort spent
validating tokens, the middleware caches
previously-seen tokens for a configurable duration
(in seconds). Set to -1 to disable caching completely.
Table 7.5. Description of CA and SSL configuration options
Configuration option = Default value
Description
[eventlet_server_ssl]
ca_certs = /etc/keystone/ssl/certs/ca.pem
(StrOpt) Path of the CA cert file for SSL.
cert_required = False
(BoolOpt) Require client certificate.
certfile = /etc/keystone/ssl/certs/keystone.pem
(StrOpt) Path of the certfile for SSL. For
non-production environments, you may be interested in
using `keystone-manage ssl_setup` to generate
self-signed certificates.
enable = False
(BoolOpt) Toggle for SSL support on the Keystone
eventlet servers.
keyfile = /etc/keystone/ssl/private/keystonekey.pem
(StrOpt) Path of the keyfile for SSL.
[signing]
ca_certs = /etc/keystone/ssl/certs/ca.pem
(StrOpt) Path of the CA for token signing.
ca_key = /etc/keystone/ssl/private/cakey.pem
(StrOpt) Path of the CA key for token signing.
cert_subject = /C=US/ST=Unset/L=Unset/O=Unset/CN=www.example.com
(StrOpt) Certificate subject (auto generated
certificate) for token signing.
certfile = /etc/keystone/ssl/certs/signing_cert.pem
(StrOpt) Path of the certfile for token signing. For
non-production environments, you may be
interested in using `keystone-manage pki_setup` to
generate self-signed certificates.
key_size = 2048
(IntOpt) Key size (in bits) for token signing cert (auto
generated certificate).
keyfile = /etc/keystone/ssl/private/signing_key.pem
(StrOpt) Path of the keyfile for token signing.
valid_days = 3650
(IntOpt) Days the token signing cert is valid for (auto
generated certificate).
[ssl]
ca_key = /etc/keystone/ssl/private/cakey.pem
(StrOpt) Path of the CA key file for SSL.
cert_subject = /C=US/ST=Unset/L=Unset/O=Unset/CN=localhost
(StrOpt) SSL certificate subject (auto generated
certificate).
key_size = 1024
(IntOpt) SSL key length (in bits) (auto generated
certificate).
valid_days = 3650
(IntOpt) Days the certificate is valid for once signed
(auto generated certificate).
Table 7.6. Description of catalog configuration options
Configuration option = Default value
Description
[catalog]
cache_time = None
(IntOpt) Time to cache catalog data (in seconds).
This has no effect unless global and catalog caching
are enabled.
caching = True
(BoolOpt) Toggle for catalog caching. This has no
effect unless global caching is enabled.
driver = sql
(StrOpt) Entrypoint for the catalog backend driver in
the keystone.catalog namespace. Supplied drivers
are kvs, sql, templated, and endpoint_filter.sql
list_limit = None
(IntOpt) Maximum number of entities that will be
returned in a catalog collection.
template_file = default_catalog.templates
(StrOpt) Catalog template file name for use with the
template catalog backend.
Table 7.7. Description of common configuration options
Configuration option = Default value
Description
[DEFAULT]
executor_thread_pool_size = 64
(IntOpt) Size of executor thread pool.
memcached_servers = None
(ListOpt) Memcached servers or None for in process
cache.
[keystone_authtoken]
memcached_servers = None
(ListOpt) Optionally specify a list of memcached
server(s) to use for caching. If left undefined, tokens
will instead be cached in-process.
[oslo_concurrency]
disable_process_locking = False
(BoolOpt) Enables or disables inter-process locks.
lock_path = None
(StrOpt) Directory to use for lock files. For security,
the specified directory should only be writable by
the user running the processes that need locking.
Defaults to environment variable
OSLO_LOCK_PATH. If external locks are used, a
lock path must be set.
Table 7.8. Description of CORS configuration options
Configuration option = Default value
Description
[cors]
allow_credentials = True
(BoolOpt) Indicate that the actual request can
include user credentials
allow_headers = Content-Type, Cache-Control, Content-Language, Expires, Last-Modified, Pragma
(ListOpt) Indicate which header field names may be
used during the actual request.
allow_methods = GET, POST, PUT, DELETE, OPTIONS
(ListOpt) Indicate which methods can be used during
the actual request.
allowed_origin = None
(StrOpt) Indicate whether this resource may be
shared with the domain received in the requests
"origin" header.
expose_headers = Content-Type, Cache-Control, Content-Language, Expires, Last-Modified, Pragma
(ListOpt) Indicate which headers are safe to expose
to the API. Defaults to HTTP Simple Headers.
max_age = 3600
(IntOpt) Maximum cache age of CORS preflight
requests.
[cors.subdomain]
allow_credentials = True
(BoolOpt) Indicate that the actual request can
include user credentials
allow_headers = Content-Type, Cache-Control, Content-Language, Expires, Last-Modified, Pragma
(ListOpt) Indicate which header field names may be
used during the actual request.
allow_methods = GET, POST, PUT, DELETE, OPTIONS
(ListOpt) Indicate which methods can be used during
the actual request.
allowed_origin = None
(StrOpt) Indicate whether this resource may be
shared with the domain received in the requests
"origin" header.
expose_headers = Content-Type, Cache-Control, Content-Language, Expires, Last-Modified, Pragma
(ListOpt) Indicate which headers are safe to expose
to the API. Defaults to HTTP Simple Headers.
max_age = 3600
(IntOpt) Maximum cache age of CORS preflight
requests.
Table 7.9. Description of credential configuration options
Configuration option = Default value
Description
[credential]
driver = sql
(StrOpt) Entrypoint for the credential backend
driver in the keystone.credential namespace.
Table 7.10. Description of database configuration options
Configuration option = Default value
Description
[database]
backend = sqlalchemy
(StrOpt) The back end to use for the database.
connection = None
(StrOpt) The SQLAlchemy connection string to use
to connect to the database.
connection_debug = 0
(IntOpt) Verbosity of SQL debugging information:
0=None, 100=Everything.
connection_trace = False
(BoolOpt) Add Python stack traces to SQL as
comment strings.
db_inc_retry_interval = True
(BoolOpt) If True, increases the interval between
retries of a database operation up to
db_max_retry_interval.
db_max_retries = 20
(IntOpt) Maximum retries in case of connection error
or deadlock error before error is raised. Set to -1 to
specify an infinite retry count.
db_max_retry_interval = 10
(IntOpt) If db_inc_retry_interval is set, the maximum
seconds between retries of a database operation.
db_retry_interval = 1
(IntOpt) Seconds between retries of a database
transaction.
idle_timeout = 3600
(IntOpt) Timeout before idle SQL connections are
reaped.
max_overflow = None
(IntOpt) If set, use this value for max_overflow with
SQLAlchemy.
max_pool_size = None
(IntOpt) Maximum number of SQL connections to
keep open in a pool.
max_retries = 10
(IntOpt) Maximum number of database connection
retries during startup. Set to -1 to specify an infinite
retry count.
min_pool_size = 1
(IntOpt) Minimum number of SQL connections to
keep open in a pool.
mysql_sql_mode = TRADITIONAL
(StrOpt) The SQL mode to be used for MySQL
sessions. This option, including the default, overrides
any server-set SQL mode. To use whatever SQL
mode is set by the server configuration, set this to
no value. Example: mysql_sql_mode=
pool_timeout = None
(IntOpt) If set, use this value for pool_timeout with
SQLAlchemy.
retry_interval = 10
(IntOpt) Interval between retries of opening a SQL
connection.
slave_connection = None
(StrOpt) The SQLAlchemy connection string to use
to connect to the slave database.
sqlite_db = oslo.sqlite
(StrOpt) The file name to use with SQLite.
sqlite_synchronous = True
(BoolOpt) If True, SQLite uses synchronous mode.
use_db_reconnect = False
(BoolOpt) Enable the experimental use of database
reconnect on connection lost.
Table 7.11. Description of logging configuration options
Configuration option = Default value
Description
[DEFAULT]
pydev_debug_host = None
(StrOpt) Host to connect to for remote debugger.
pydev_debug_port = None
(IntOpt) Port to connect to for remote debugger.
standard_threads = False
(BoolOpt) Do not monkey-patch threading system
modules.
[audit]
namespace = openstack
(StrOpt) namespace prefix for generated id
Table 7.12. Description of domain configuration options
Configuration option = Default value
Description
[domain_config]
cache_time = 300
(IntOpt) TTL (in seconds) to cache domain config
data. This has no effect unless domain config
caching is enabled.
caching = True
(BoolOpt) Toggle for domain config caching. This has
no effect unless global caching is enabled.
driver = sql
(StrOpt) Entrypoint for the domain config backend
driver in the keystone.resource.domain_config
namespace.
Table 7.13. Description of federation configuration options
Configuration option = Default value
Description
[federation]
assertion_prefix =
(StrOpt) Value to be used when filtering assertion
parameters from the environment.
driver = sql
(StrOpt) Entrypoint for the federation backend
driver in the keystone.federation namespace.
federated_domain_name = Federated
(StrOpt) A domain name that is reserved to allow
federated ephemeral users to have a domain
concept. Note that an admin will not be able to
create a domain with this name or update an
existing domain to this name. You are not advised to
change this value unless you really have to.
remote_id_attribute = None
(StrOpt) Value to be used to obtain the entity ID of
the Identity Provider from the environment (e.g. if
using the mod_shib plugin this value is `Shib-Identity-Provider`).
sso_callback_template = /etc/keystone/sso_callback_template.html
(StrOpt) Location of Single Sign-On callback
handler, will return a token to a trusted dashboard
host.
trusted_dashboard = []
(MultiStrOpt) A list of trusted dashboard hosts.
Before accepting a Single Sign-On request to return
a token, the origin host must be a member of the
trusted_dashboard list. This configuration option
may be repeated for multiple values. For example:
trusted_dashboard=http://acme.com/auth/websso
trusted_dashboard=http://beta.com/auth/websso
Table 7.14. Description of Fernet tokens configuration options
Configuration option = Default value
Description
[fernet_tokens]
key_repository = /etc/keystone/fernet-keys/
(StrOpt) Directory containing Fernet token keys.
max_active_keys = 3
(IntOpt) This controls how many keys are held in
rotation by keystone-manage fernet_rotate before
they are discarded. The default value of 3 means
that keystone will maintain one staged key, one
primary key, and one secondary key. Increasing this
value means that additional secondary keys will be
kept in the rotation.
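The rotation described for max_active_keys, as an added simulation that is not keystone's own code. It assumes the key repository's numbering, in which file 0 is the staged key and the highest number is the primary; the token lifetime and rotation period passed to min_active_keys are constructed inputs.

```python
import math


def rotate(keys, max_active_keys):
    """Apply one rotation to a set of key indices and return the new set."""
    if max_active_keys < 1:
        raise ValueError("max_active_keys must be at least 1")
    active = set(keys) - {0}
    active.add(max(keys) + 1)                  # staged key 0 is promoted to primary
    active = sorted(active)
    while len(active) > max_active_keys - 1:   # keep one slot for the new staged key
        active.pop(0)                          # discard the oldest secondary key
    return {0, *active}


def roles(keys):
    """Label each index in the repository by the role it currently plays."""
    primary = max(keys)
    return {
        "staged": 0,
        "primary": primary,
        "secondary": sorted(k for k in keys if k not in (0, primary)),
    }


def rotations_survived(max_active_keys, limit=100):
    """Count rotations after which a token encrypted with the
    current primary key can still be decrypted."""
    keys = {0, 1}            # assumed starting state: staged key 0, primary key 1
    token_key = max(keys)
    survived = 0
    for _ in range(limit):
        keys = rotate(keys, max_active_keys)
        if token_key not in keys:
            break
        survived += 1
    return survived


def min_active_keys(token_lifetime_s, rotation_period_s):
    """Smallest max_active_keys that keeps every unexpired token decryptable.

    A token issued just before a rotation sees ceil(lifetime / period)
    rotations before it expires, and a key survives max_active_keys - 2
    rotations after it stops being primary.
    """
    return math.ceil(token_lifetime_s / rotation_period_s) + 2


if __name__ == "__main__":
    keys = {0, 1}
    for n in range(1, 4):
        keys = rotate(keys, 3)
        print("after rotation", n, roles(keys))
    print("rotations survived with 3 keys:", rotations_survived(3))
    print("keys needed for 24 h tokens, 6 h rotation:", min_active_keys(86400, 21600))
```

With the default of 3, a token outlives only one rotation, so rotating more often than the token lifetime requires raising max_active_keys first.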
Table 7.15. Description of identity configuration options
Configuration option = Default value
Description
[identity]
cache_time = 600
(IntOpt) Time to cache identity data (in seconds).
This has no effect unless global and identity caching
are enabled.
caching = True
(BoolOpt) Toggle for identity caching. This has no
effect unless global caching is enabled.
default_domain_id = default
(StrOpt) This references the domain to use for all
Identity API v2 requests (which are not aware of
domains). A domain with this ID will be created for
you by keystone-manage db_sync in migration 008.
The domain referenced by this ID cannot be deleted
on the v3 API, to prevent accidentally breaking the
v2 API. There is nothing special about this domain,
other than the fact that it must exist in order to
maintain support for your v2 clients.
domain_config_dir = /etc/keystone/domains
(StrOpt) Path for Keystone to locate the domain
specific identity configuration files if
domain_specific_drivers_enabled is set to true.
domain_configurations_from_database = False
(BoolOpt) Extract the domain specific configuration
options from the resource backend where they have
been stored with the domain data. This feature is
disabled by default (in which case the domain
specific options will be loaded from files in the
domain configuration directory); set to true to
enable.
domain_specific_drivers_enabled = False
(BoolOpt) A subset (or all) of domains can have their
own identity driver, each with their own partial
configuration options, stored in either the resource
backend or in a file in a domain configuration
directory (depending on the setting of
domain_configurations_from_database). Only values
specific to the domain need to be specified in this
manner. This feature is disabled by default; set to
true to enable.
driver = sql
(StrOpt) Entrypoint for the identity backend driver in
the keystone.identity namespace. Supplied drivers
are ldap and sql.
list_limit = None
(IntOpt) Maximum number of entities that will be
returned in an identity collection.
max_password_length = 4096
(IntOpt) Maximum supported length for user
passwords; decrease to improve performance.
Table 7.16. Description of KVS configuration options
Configuration option = Default value
Description
[kvs]
backends =
(ListOpt) Extra dogpile.cache backend modules to
register with the dogpile.cache library.
config_prefix = keystone.kvs
(StrOpt) Prefix for building the configuration
dictionary for the KVS region. This should not need
to be changed unless there is another dogpile.cache
region with the same configuration name.
default_lock_timeout = 5
(IntOpt) Default lock timeout (in seconds) for
distributed locking.
enable_key_mangler = True
(BoolOpt) Toggle to disable using a key-mangling
function to ensure fixed length keys. This is
toggleable for debugging purposes; it is highly
recommended to always leave this set to true.
Table 7.17. Description of LDAP configuration options
Configuration option = Default value
Description
[ldap]
alias_dereferencing = default
(StrOpt) The LDAP dereferencing option for queries.
The "default" option falls back to using default
dereferencing configured by your ldap.conf.
allow_subtree_delete = False
(BoolOpt) Delete subtrees using the subtree delete
control. Only enable this option if your LDAP server
supports subtree deletion.
auth_pool_connection_lifetime = 60
(IntOpt) End user auth connection lifetime in
seconds.
auth_pool_size = 100
(IntOpt) End user auth connection pool size.
chase_referrals = None
(BoolOpt) Override the system's default referral
chasing behavior for queries.
debug_level = None
(IntOpt) Sets the LDAP debugging level for LDAP
calls. A value of 0 means that debugging is not
enabled. This value is a bitmask, consult your LDAP
documentation for possible values.
dumb_member = cn=dumb,dc=nonexistent
(StrOpt) DN of the "dummy member" to use when
"use_dumb_member" is enabled.
group_additional_attribute_mapping =
(ListOpt) Additional attribute mappings for groups.
Attribute mapping format is <ldap_attr>:
<user_attr>, where ldap_attr is the attribute in the
LDAP entry and user_attr is the Identity API
attribute.
group_allow_create = True
(BoolOpt) Allow group creation in LDAP backend.
group_allow_delete = True
(BoolOpt) Allow group deletion in LDAP backend.
group_allow_update = True
(BoolOpt) Allow group update in LDAP backend.
group_attribute_ignore =
(ListOpt) List of attributes stripped off the group on
update.
group_desc_attribute = description
(StrOpt) LDAP attribute mapped to group
description.
group_filter = None
(StrOpt) LDAP search filter for groups.
group_id_attribute = cn
(StrOpt) LDAP attribute mapped to group id.
group_member_attribute = member
(StrOpt) LDAP attribute mapped to show group
membership.
group_name_attribute = ou
(StrOpt) LDAP attribute mapped to group name.
group_objectclass = groupOfNames
(StrOpt) LDAP objectclass for groups.
group_tree_dn = None
(StrOpt) Search base for groups. Defaults to the
suffix value.
page_size = 0
(IntOpt) Maximum results per page; a value of zero
("0") disables paging.
password = None
(StrOpt) Password for the BindDN to query the
LDAP server.
pool_connection_lifetime = 600
(IntOpt) Connection lifetime in seconds.
pool_connection_timeout = -1
(IntOpt) Connector timeout in seconds. Value -1
indicates indefinite wait for response.
pool_retry_delay = 0.1
(FloatOpt) Time span in seconds to wait between
two reconnect trials.
pool_retry_max = 3
(IntOpt) Maximum count of reconnect trials.
pool_size = 10
(IntOpt) Connection pool size.
project_additional_attribute_mapping =
(ListOpt) Additional attribute mappings for projects.
Attribute mapping format is <ldap_attr>:
<user_attr>, where ldap_attr is the attribute in the
LDAP entry and user_attr is the Identity API
attribute.
project_allow_create = True
(BoolOpt) Allow project creation in LDAP backend.
project_allow_delete = True
(BoolOpt) Allow project deletion in LDAP backend.
project_allow_update = True
(BoolOpt) Allow project update in LDAP backend.
project_attribute_ignore =
(ListOpt) List of attributes stripped off the project
on update.
project_desc_attribute = description
(StrOpt) LDAP attribute mapped to project
description.
project_domain_id_attribute = businessCategory
(StrOpt) LDAP attribute mapped to project
domain_id.
project_enabled_attribute = enabled
(StrOpt) LDAP attribute mapped to project enabled.
project_enabled_emulation = False
(BoolOpt) If true, Keystone uses an alternative
method to determine if a project is enabled or not by
checking if they are a member of the
"project_enabled_emulation_dn" group.
project_enabled_emulation_dn = None
(StrOpt) DN of the group entry to hold enabled
projects when using enabled emulation.
project_filter = None
(StrOpt) LDAP search filter for projects.
project_id_attribute = cn
(StrOpt) LDAP attribute mapped to project id.
project_member_attribute = member
(StrOpt) LDAP attribute mapped to project
membership for user.
project_name_attribute = ou
(StrOpt) LDAP attribute mapped to project name.
project_objectclass = groupOfNames
(StrOpt) LDAP objectclass for projects.
project_tree_dn = None
(StrOpt) Search base for projects. Defaults to the
suffix value.
query_scope = one
(StrOpt) The LDAP scope for queries, "one"
represents oneLevel/singleLevel and "sub"
represents subtree/wholeSubtree options.
role_additional_attribute_mapping =
(ListOpt) Additional attribute mappings for roles.
Attribute mapping format is <ldap_attr>:
<user_attr>, where ldap_attr is the attribute in the
LDAP entry and user_attr is the Identity API
attribute.
role_allow_create = True
(BoolOpt) Allow role creation in LDAP backend.
role_allow_delete = True
(BoolOpt) Allow role deletion in LDAP backend.
role_allow_update = True
(BoolOpt) Allow role update in LDAP backend.
role_attribute_ignore =
(ListOpt) List of attributes stripped off the role on
update.
role_filter = None
(StrOpt) LDAP search filter for roles.
role_id_attribute = cn
(StrOpt) LDAP attribute mapped to role id.
role_member_attribute = roleOccupant
(StrOpt) LDAP attribute mapped to role
membership.
role_name_attribute = ou
(StrOpt) LDAP attribute mapped to role name.
role_objectclass = organizationalRole
(StrOpt) LDAP objectclass for roles.
role_tree_dn = None
(StrOpt) Search base for roles.
suffix = cn=example,cn=com
(StrOpt) LDAP server suffix
tls_cacertdir = None
(StrOpt) CA certificate directory path for
communicating with LDAP servers.
tls_cacertfile = None
(StrOpt) CA certificate file path for communicating
with LDAP servers.
tls_req_cert = demand
(StrOpt) Specifies what checks to perform on client
certificates in an incoming TLS session.
url = ldap://localhost
(StrOpt) URL for connecting to the LDAP server.
use_auth_pool = False
(BoolOpt) Enable LDAP connection pooling for end
user authentication. If use_pool is disabled, then this
setting is meaningless and is not used at all.
use_dumb_member = False
(BoolOpt) If true, will add a dummy member to
groups. This is required if the objectclass for groups
requires the "member" attribute.
use_pool = False
(BoolOpt) Enable LDAP connection pooling.
use_tls = False
(BoolOpt) Enable TLS for communicating with LDAP
servers.
user = None
(StrOpt) User BindDN to query the LDAP server.
user_additional_attribute_mapping =
(ListOpt) List of additional LDAP attributes used for
mapping additional attribute mappings for users.
Attribute mapping format is <ldap_attr>:
<user_attr>, where ldap_attr is the attribute in the
LDAP entry and user_attr is the Identity API
attribute.
user_allow_create = True
(BoolOpt) Allow user creation in LDAP backend.
user_allow_delete = True
(BoolOpt) Allow user deletion in LDAP backend.
user_allow_update = True
(BoolOpt) Allow user updates in LDAP backend.
user_attribute_ignore = default_project_id
(ListOpt) List of attributes stripped off the user on
update.
user_default_project_id_attribute = None
(StrOpt) LDAP attribute mapped to
default_project_id for users.
user_enabled_attribute = enabled
(StrOpt) LDAP attribute mapped to user enabled
flag.
user_enabled_default = True
(StrOpt) Default value to enable users. This should
match an appropriate int value if the LDAP server
uses non-boolean (bitmask) values to indicate if a
user is enabled or disabled. If this is not set to "True"
the typical value is "512". This is typically used when
"user_enabled_attribute = userAccountControl".
user_enabled_emulation = False
(BoolOpt) If true, Keystone uses an alternative
method to determine if a user is enabled or not by
checking if they are a member of the
"user_enabled_emulation_dn" group.
user_enabled_emulation_dn = None
(StrOpt) DN of the group entry to hold enabled users
when using enabled emulation.
user_enabled_invert = False
(BoolOpt) Invert the meaning of the boolean enabled
values. Some LDAP servers use a boolean lock
attribute where "true" means an account is disabled.
Setting "user_enabled_invert = true" will allow these
lock attributes to be used. This setting will have no
effect if "user_enabled_mask" or
"user_enabled_emulation" settings are in use.
user_enabled_mask = 0
(IntOpt) Bitmask integer to indicate the bit that the
enabled value is stored in if the LDAP server
represents "enabled" as a bit on an integer rather
than a boolean. A value of "0" indicates the mask is
not used. If this is not set to "0" the typical value is
"2". This is typically used when
"user_enabled_attribute = userAccountControl".
user_filter = None
(StrOpt) LDAP search filter for users.
user_id_attribute = cn
(StrOpt) LDAP attribute mapped to user id.
WARNING: must not be a multivalued attribute.
user_mail_attribute = mail
(StrOpt) LDAP attribute mapped to user email.
user_name_attribute = sn
(StrOpt) LDAP attribute mapped to user name.
user_objectclass = inetOrgPerson
(StrOpt) LDAP objectclass for users.
user_pass_attribute = userPassword
(StrOpt) LDAP attribute mapped to password.
user_tree_dn = None
(StrOpt) Search base for users. Defaults to the suffix
value.
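A check of a keystone-style configuration file against the [keystone_authtoken], [ssl] and [ldap] options documented above, as an added example that is not part of the product or of this reference. The sample files, host names, the set of hashes treated as weak and the 2048-bit threshold are assumptions; the defaults are the ones listed in the tables.

```python
import configparser

# Defaults copied from the option tables on this page.
DEFAULTS = {
    "keystone_authtoken": {
        "insecure": "False", "hash_algorithms": "md5", "memcached_servers": "",
        "memcache_security_strategy": "", "memcache_secret_key": "",
    },
    "ssl": {"key_size": "1024"},
    "ldap": {"url": "ldap://localhost", "use_tls": "False", "tls_req_cert": "demand"},
}
WEAK_HASHES = {"md5", "sha1"}  # assumption: what this audit treats as weak
MIN_KEY_BITS = 2048            # assumption: threshold, equal to the [signing] default

# Constructed sample files, not taken from a real deployment.
WEAK_CONF = """
[DEFAULT]
debug = False
[keystone_authtoken]
identity_uri = https://keystone.example.test:35357/
insecure = True
memcached_servers = 192.0.2.10:11211
[ssl]
valid_days = 3650
[ldap]
url = ldap://ldap.example.test
"""
HARDENED_CONF = """
[keystone_authtoken]
identity_uri = https://keystone.example.test:35357/
hash_algorithms = sha256
memcached_servers = 192.0.2.10:11211
memcache_security_strategy = ENCRYPT
memcache_secret_key = PLACEHOLDER_SECRET
[ssl]
key_size = 2048
[ldap]
url = ldaps://ldap.example.test
tls_req_cert = demand
"""


def _unset(value):
    return value.strip().lower() in ("", "none")


def _true(value):
    return value.strip().lower() in ("true", "1", "yes", "on")


def audit(conf_text):
    """Return (section, option, message) findings for the sections present."""
    # strict=False tolerates repeated MultiStrOpt keys such as trusted_dashboard,
    # interpolation=None keeps the % in logging format strings literal, and the
    # dummy default_section stops [DEFAULT] values leaking into other sections.
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   default_section="__unused__")
    cp.read_string(conf_text)
    findings = []

    def get(section, option):
        # An option missing from a present section takes its documented default.
        return cp.get(section, option, fallback=DEFAULTS[section][option])

    if cp.has_section("keystone_authtoken"):
        s = "keystone_authtoken"
        if _true(get(s, "insecure")):  # insecure = true skips certificate checks
            findings.append((s, "insecure", "HTTPS certificate verification is off"))
        weak = [h.strip() for h in get(s, "hash_algorithms").split(",")
                if h.strip().lower() in WEAK_HASHES]
        if weak:
            findings.append((s, "hash_algorithms",
                             "weak PKI token hash in use: " + ",".join(weak)))
        strategy = get(s, "memcache_security_strategy")
        if _unset(strategy):
            if not _unset(get(s, "memcached_servers")):
                findings.append((s, "memcache_security_strategy",
                                 "cached token data is neither authenticated nor encrypted"))
        elif strategy.strip().upper() not in ("MAC", "ENCRYPT"):
            findings.append((s, "memcache_security_strategy", "must be MAC or ENCRYPT"))
        elif _unset(get(s, "memcache_secret_key")):
            findings.append((s, "memcache_secret_key",
                             "mandatory when memcache_security_strategy is defined"))

    if cp.has_section("ssl") and int(get("ssl", "key_size")) < MIN_KEY_BITS:
        findings.append(("ssl", "key_size", "auto generated key is shorter than 2048 bits"))

    if cp.has_section("ldap"):
        tls = _true(get("ldap", "use_tls")) or \
            get("ldap", "url").strip().lower().startswith("ldaps://")
        if not tls:
            findings.append(("ldap", "use_tls", "LDAP binds and queries are sent in cleartext"))
        elif get("ldap", "tls_req_cert").strip().lower() != "demand":
            findings.append(("ldap", "tls_req_cert", "certificate checks are relaxed"))
    return findings


if __name__ == "__main__":
    for section, option, message in audit(WEAK_CONF):
        print("[%s] %s: %s" % (section, option, message))
```

Two of the five findings on the weak sample come from options the file never sets: the documented defaults for hash_algorithms (md5) and [ssl] key_size (1024) apply silently.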
Table 7.18. Description of logging configuration options
Configuration option = Default value
Description
[DEFAULT]
debug = False
(BoolOpt) Print debugging output (set logging level
to DEBUG instead of default INFO level).
default_log_levels = amqp=WARN,
amqplib=WARN, boto=WARN, qpid=WARN,
sqlalchemy=WARN, suds=INFO, oslo.messaging=INFO,
iso8601=WARN,
requests.packages.urllib3.connectionpool=WARN,
urllib3.connectionpool=WARN, websocket=WARN,
requests.packages.urllib3.util.retry=WARN,
urllib3.util.retry=WARN, keystonemiddleware=WARN,
routes.middleware=WARN, stevedore=WARN,
taskflow=WARN
(ListOpt) List of logger=LEVEL pairs. This option is
ignored if log_config_append is set.
fatal_deprecations = False
(BoolOpt) Enables or disables fatal status of
deprecations.
instance_format = "[instance: %(uuid)s] "
(StrOpt) The format for an instance that is passed
with the log message.
instance_uuid_format = "[instance: %(uuid)s] "
(StrOpt) The format for an instance UUID that is
passed with the log message.
log_config_append = None
(StrOpt) The name of a logging configuration file.
This file is appended to any existing logging
configuration files. For details about logging
configuration files, see the Python logging module
documentation. Note that when logging
configuration files are used then all logging
configuration is set in the configuration file and
other logging configuration options are ignored (for
example, log_format).
log_date_format = %Y-%m-%d %H:%M:%S
(StrOpt) Format string for %%(asctime)s in log
records. Default: %(default)s . This option is ignored
if log_config_append is set.
log_dir = None
(StrOpt) (Optional) The base directory used for
relative --log-file paths. This option is ignored if
log_config_append is set.
log_file = None
(StrOpt) (Optional) Name of log file to output to. If
no default is set, logging will go to stdout. This
option is ignored if log_config_append is set.
log_format = None
(StrOpt) DEPRECATED. A logging.Formatter log
message format string which may use any of the
available logging.LogRecord attributes. This option
is deprecated; use logging_context_format_string and
logging_default_format_string instead. This option is
ignored if log_config_append is set.
logging_context_format_string = %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [%(request_id)s %(user_identity)s] %(instance)s%(message)s
(StrOpt) Format string to use for log messages with
context.
logging_debug_format_suffix = %(funcName)s %(pathname)s:%(lineno)d
(StrOpt) Data to append to log format when level is
DEBUG.
logging_default_format_string = %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [-] %(instance)s%(message)s
(StrOpt) Format string to use for log messages
without context.
logging_exception_prefix = %(asctime)s.%(msecs)03d %(process)d ERROR %(name)s %(instance)s
(StrOpt) Prefix each line of exception output with
this format.
publish_errors = False
(BoolOpt) Enables or disables publication of error
events.
syslog_log_facility = LOG_USER
(StrOpt) Syslog facility to receive log lines. This
option is ignored if log_config_append is set.
use_stderr = True
(BoolOpt) Log output to standard error. This option
is ignored if log_config_append is set.
use_syslog = False
(BoolOpt) Use syslog for logging. Existing syslog
format is DEPRECATED and will be changed later to
honor RFC5424. This option is ignored if
log_config_append is set.
use_syslog_rfc_format = True
(BoolOpt) (Optional) Enables or disables syslog
rfc5424 format for logging. If enabled, prefixes the
MSG part of the syslog message with APP-NAME
(RFC5424). The format without the APP-NAME is
deprecated in Kilo, and will be removed in Mitaka,
along with this option. This option is ignored if
log_config_append is set.
verbose = True
(BoolOpt) If set to false, will disable INFO logging
level, making WARNING the default.
watch_log_file = False
(BoolOpt) (Optional) Uses logging handler designed
to watch file system. When log file is moved or
removed this handler will open a new log file with
specified path instantaneously. It makes sense only
if log-file option is specified and Linux platform is
used. This option is ignored if log_config_append is
set.
Table 7.19. Description of mapping configuration options
Configuration option = Default value
Description
[identity_mapping]
backward_compatible_ids = True
(BoolOpt) The format of user and group IDs changed
in Juno for backends that do not generate UUIDs
(e.g. LDAP), with keystone providing a hash mapping
to the underlying attribute in LDAP. By default this
mapping is disabled, which ensures that existing IDs
will not change. Even when the mapping is enabled
by using domain specific drivers, any users and
groups from the default domain being handled by
LDAP will still not be mapped to ensure their IDs
remain backward compatible. Setting this value to
False will enable the mapping for even the default
LDAP driver. It is only safe to do this if you do not
already have assignments for users and groups from
the default LDAP domain, and it is acceptable for
Keystone to provide the different IDs to clients than
it did previously. Typically this means that the only
time you can set this value to False is when
configuring a fresh installation.
driver = sql
(StrOpt) Entrypoint for the identity mapping
backend driver in the keystone.identity.id_mapping
namespace.
generator = sha256
(StrOpt) Entrypoint for the public ID generator for
user and group entities in the
keystone.identity.id_generator namespace. The
Keystone identity mapper only supports generators
that produce no more than 64 characters.
Table 7.20. Description of memcache configuration options
Configuration option = Default value
Description
[memcache]
servers = localhost:11211
(ListOpt) Memcache servers in the format of
"host:port".
socket_timeout = 3
(IntOpt) Timeout in seconds for every call to a
server. This is used by the key value store system
(e.g. token pooled memcached persistence
backend).
Table 7.21. Description of OAuth configuration options
Configuration option = Default value
Description
[oauth1]
access_token_duration = 86400
(IntOpt) Duration (in seconds) for the OAuth Access
Token.
driver = sql
(StrOpt) Entrypoint for the OAuth backend driver in
the keystone.oauth1 namespace.
request_token_duration = 28800
(IntOpt) Duration (in seconds) for the OAuth
Request Token.
Table 7.22. Description of os_inherit configuration options
Configuration option = Default value
Description
[os_inherit]
enabled = False
(BoolOpt) Role-assignment inheritance to projects
from the owning domain or from projects higher in the
hierarchy can be optionally enabled.
Table 7.23. Description of policy configuration options
Configuration option = Default value
Description
[oslo_policy]
policy_default_rule = default
(StrOpt) Default rule. Enforced when a requested
rule is not found.
policy_dirs = ['policy.d']
(MultiStrOpt) Directories where policy configuration
files are stored. They can be relative to any
directory in the search path defined by the
config_dir option, or absolute paths. The file defined
by policy_file must exist for these directories to be
searched. Missing or empty directories are ignored.
policy_file = policy.json
(StrOpt) The JSON file that defines policies.
[policy]
driver = sql
(StrOpt) Entrypoint for the policy backend driver in
the keystone.policy namespace. Supplied drivers are
rules and sql.
list_limit = None
(IntOpt) Maximum number of entities that will be
returned in a policy collection.
Table 7.24. Description of revoke configuration options
Configuration option = Default value
Description
[revoke]
cache_time = 3600
(IntOpt) Time to cache the revocation list and the
revocation events (in seconds). This has no effect
unless global and token caching are enabled.
caching = True
(BoolOpt) Toggle for revocation event caching. This
has no effect unless global caching is enabled.
driver = sql
(StrOpt) Entrypoint for an implementation of the
backend for persisting revocation events in the
keystone.revoke namespace. Supplied drivers are
kvs and sql.
expiration_buffer = 1800
(IntOpt) This value (calculated in seconds) is added
to token expiration before a revocation event may
be removed from the backend.
Table 7.25. Description of role configuration options
Configuration option = Default value
Description
[role]
cache_time = None
(IntOpt) TTL (in seconds) to cache role data. This
has no effect unless global caching is enabled.
caching = True
(BoolOpt) Toggle for role caching. This has no effect
unless global caching is enabled.
driver = None
(StrOpt) Entrypoint for the role backend driver in the
keystone.role namespace. Supplied drivers are ldap
and sql.
list_limit = None
(IntOpt) Maximum number of entities that will be
returned in a role collection.
Table 7.26. Description of authorization configuration options
Configuration option = Default value
Description
[auth]
saml2 = keystone.auth.plugins.mapped.Mapped
(StrOpt) The saml2 auth plugin module.
Table 7.27. Description of SAML configuration options
Configuration option = Default value
Description
[saml]
assertion_expiration_time = 3600
(IntOpt) Default TTL, in seconds, for any generated
SAML assertion created by Keystone.
certfile = /etc/keystone/ssl/certs/signing_cert.pem
(StrOpt) Path of the certfile for SAML signing. For
non-production environments, you may be
interested in using `keystone-manage pki_setup` to
generate self-signed certificates. Note, the path
cannot contain a comma.
idp_contact_company = None
(StrOpt) Company of contact person.
idp_contact_email = None
(StrOpt) Email address of contact person.
idp_contact_name = None
(StrOpt) Given name of contact person.
idp_contact_surname = None
(StrOpt) Surname of contact person.
idp_contact_telephone = None
(StrOpt) Telephone number of contact person.
idp_contact_type = other
(StrOpt) The contact type describing the main point
of contact for the identity provider.
idp_entity_id = None
(StrOpt) Entity ID value for unique Identity Provider
identification. Usually FQDN is set with a suffix. A
value is required to generate IDP Metadata. For
example: https://keystone.example.com/v3/OS-FEDERATION/saml2/idp
idp_lang = en
(StrOpt) Language used by the organization.
idp_metadata_path = /etc/keystone/saml2_idp_metadata.xml
(StrOpt) Path to the Identity Provider Metadata file.
This file should be generated with the keystone-manage saml_idp_metadata command.
idp_organization_display_name = None
(StrOpt) Organization name to be displayed.
idp_organization_name = None
(StrOpt) Organization name the installation belongs
to.
idp_organization_url = None
(StrOpt) URL of the organization.
idp_sso_endpoint = None
(StrOpt) Identity Provider Single-Sign-On service
value, required in the Identity Provider's metadata. A
value is required to generate IDP Metadata. For
example: https://keystone.example.com/v3/OS-FEDERATION/saml2/sso
keyfile = /etc/keystone/ssl/private/signing_key.pem
(StrOpt) Path of the keyfile for SAML signing. Note,
the path cannot contain a comma.
relay_state_prefix = ss:mem:
(StrOpt) The prefix to use for the RelayState SAML
attribute, used when generating ECP wrapped
assertions.
xmlsec1_binary = xmlsec1
(StrOpt) Binary to be called for XML signing. Install
the appropriate package, specify absolute path or
adjust your PATH environment variable if the binary
cannot be found.
Table 7.28. Description of security configuration options
Configuration option = Default value
Description
[DEFAULT]
crypt_strength = 10000
(IntOpt) The value passed as the keyword "rounds"
to passlib's encrypt method.
Table 7.29. Description of token configuration options
Configuration option = Default value
Description
[token]
allow_rescope_scoped_token = True
(BoolOpt) Allow rescoping of scoped token. Setting
allow_rescope_scoped_token to false prevents a
user from exchanging a scoped token for any other
token.
bind =
(ListOpt) External auth mechanisms that should add
bind information to token, e.g., kerberos,x509.
cache_time = None
(IntOpt) Time to cache tokens (in seconds). This has
no effect unless global and token caching are
enabled.
caching = True
(BoolOpt) Toggle for token system caching. This has
no effect unless global caching is enabled.
driver = sql
(StrOpt) Entrypoint for the token persistence
backend driver in the keystone.token.persistence
namespace. Supplied drivers are kvs, memcache,
memcache_pool, and sql.
enforce_token_bind = permissive
(StrOpt) Enforcement policy on tokens presented to
Keystone with bind information. One of disabled,
permissive, strict, required or a specifically required
bind mode, e.g., kerberos or x509 to require binding
to that authentication.
expiration = 3600
(IntOpt) Amount of time a token should remain valid
(in seconds).
hash_algorithm = md5
(StrOpt) The hash algorithm to use for PKI tokens.
This can be set to any algorithm that hashlib
supports. WARNING: Before changing this value, the
auth_token middleware must be configured with the
hash_algorithms, otherwise token revocation will not
be processed correctly.
provider = uuid
(StrOpt) Controls the token construction, validation,
and revocation operations. Entrypoint in the
keystone.token.provider namespace. Core providers
are [fernet|pkiz|pki|uuid].
revoke_by_id = True
(BoolOpt) Revoke token by token identifier. Setting
revoke_by_id to true enables various forms of
enumerating tokens, e.g. `list tokens for user`. These
enumerations are processed to determine the list of
tokens to revoke. Only disable if you are switching to
using the Revoke extension with a backend other
than KVS, which stores events in memory.
Table 7.30. Description of Tokenless Authorization configuration options
Configuration option = Default value
Description
[tokenless_auth]
issuer_attribute = SSL_CLIENT_I_DN
(StrOpt) The issuer attribute that is served as an IdP
ID for the X.509 tokenless authorization along with
the protocol to look up its corresponding mapping. It
is the environment variable in the WSGI environment
that references the issuer of the client certificate.
protocol = x509
(StrOpt) The protocol name for the X.509 tokenless
authorization, used along with the issuer_attribute
option to look up the corresponding mapping.
trusted_issuer = []
(MultiStrOpt) The list of trusted issuers to further
filter the certificates that are allowed to participate
in the X.509 tokenless authorization. If the option is
absent then no certificates will be allowed. The
naming format for the attributes of a Distinguished
Name(DN) must be separated by a comma and
contain no spaces. This configuration option may be
repeated for multiple values. For example:
trusted_issuer=CN=john,OU=keystone,O=openstack
trusted_issuer=CN=mary,OU=eng,O=abc
Table 7.31. Description of trust configuration options
Configuration option = Default value
Description
[trust]
allow_redelegation = False
(BoolOpt) Enable redelegation feature.
driver = sql
(StrOpt) Entrypoint for the trust backend driver in
the keystone.trust namespace.
enabled = True
(BoolOpt) Delegation and impersonation features
can be optionally disabled.
max_redelegation_count = 3
(IntOpt) Maximum depth of trust redelegation.
Table 7.32. Description of RPC configuration options
Configuration option = Default value
Description
[DEFAULT]
rpc_backend = rabbit
(StrOpt) The messaging driver to use, defaults to
rabbit. Other drivers include qpid and zmq.
rpc_cast_timeout = 30
(IntOpt) Seconds to wait before a cast expires (TTL).
Only supported by impl_zmq.
rpc_conn_pool_size = 30
(IntOpt) Size of RPC connection pool.
rpc_poll_timeout = 1
(IntOpt) The default number of seconds that poll
should wait. Poll raises a timeout exception when
the timeout expires.
rpc_response_timeout = 60
(IntOpt) Seconds to wait for a response from a call.
[oslo_messaging_amqp]
allow_insecure_clients = False
(BoolOpt) Accept clients using either SSL or plain
TCP
broadcast_prefix = broadcast
(StrOpt) address prefix used when broadcasting to
all servers
container_name = None
(StrOpt) Name for the AMQP container
group_request_prefix = unicast
(StrOpt) address prefix when sending to any server
in group
idle_timeout = 0
(IntOpt) Timeout for inactive connections (in
seconds)
password =
(StrOpt) Password for message broker
authentication
sasl_config_dir =
(StrOpt) Path to directory that contains the SASL
configuration
sasl_config_name =
(StrOpt) Name of configuration file (without .conf
suffix)
sasl_mechanisms =
(StrOpt) Space separated list of acceptable SASL
mechanisms
server_request_prefix = exclusive
(StrOpt) address prefix used when sending to a
specific server
ssl_ca_file =
(StrOpt) CA certificate PEM file to verify server
certificate
ssl_cert_file =
(StrOpt) Identifying certificate PEM file to present
to clients
ssl_key_file =
(StrOpt) Private key PEM file used to sign cert_file
certificate
ssl_key_password = None
(StrOpt) Password for decrypting ssl_key_file (if
encrypted)
trace = False
(BoolOpt) Debug: dump AMQP frames to stdout
username =
(StrOpt) User name for message broker
authentication
Table 7.33. Description of AMQP configuration options
Configuration option = Default value
Description
[DEFAULT]
control_exchange = keystone
(StrOpt) The default exchange under which topics
are scoped. May be overridden by an exchange name
specified in the transport_url option.
default_publisher_id = None
(StrOpt) Default publisher_id for outgoing
notifications
notification_driver = []
(MultiStrOpt) The driver(s) to handle sending
notifications. Possible values are messaging,
messagingv2, routing, log, test, noop.
notification_format = basic
(StrOpt) Define the notification format for Identity
Service events. A "basic" notification has
information about the resource being operated on. A
"cadf" notification has the same information, as well
as information about the initiator of the event.
notification_topics = notifications
(ListOpt) AMQP topic used for OpenStack
notifications.
transport_url = None
(StrOpt) A URL representing the messaging driver to
use and its full configuration. If not set, we fall back
to the rpc_backend option and driver specific
configuration.
Table 7.34. Description of Qpid configuration options
Configuration option = Default value
Description
[oslo_messaging_qpid]
amqp_auto_delete = False
(BoolOpt) Auto-delete queues in AMQP.
amqp_durable_queues = False
(BoolOpt) Use durable queues in AMQP.
qpid_heartbeat = 60
(IntOpt) Seconds between connection keepalive
heartbeats.
qpid_hostname = localhost
(StrOpt) Qpid broker hostname.
qpid_hosts = $qpid_hostname:$qpid_port
(ListOpt) Qpid HA cluster host:port pairs.
qpid_password =
(StrOpt) Password for Qpid connection.
qpid_port = 5672
(IntOpt) Qpid broker port.
qpid_protocol = tcp
(StrOpt) Transport to use, either 'tcp' or 'ssl'.
qpid_receiver_capacity = 1
(IntOpt) The number of prefetched messages held by
receiver.
qpid_sasl_mechanisms =
(StrOpt) Space separated list of SASL mechanisms
to use for auth.
qpid_tcp_nodelay = True
(BoolOpt) Whether to disable the Nagle algorithm.
qpid_topology_version = 1
(IntOpt) The qpid topology version to use. Version 1
is what was originally used by impl_qpid. Version 2
includes some backwards-incompatible changes
that allow broker federation to work. Users should
update to version 2 when they are able to take
everything down, as it requires a clean break.
qpid_username =
(StrOpt) Username for Qpid connection.
send_single_reply = False
(BoolOpt) Send a single AMQP reply to call message.
The current behavior since oslo-incubator is to send
two AMQP replies - first one with the payload, a
second one to ensure the other has finished sending
the payload. We are going to remove it in the N
release, but we must keep backward compatibility at
the same time. This option provides such
compatibility - it defaults to False in Liberty and can
be turned on for early adopters with new
installations or for testing. This option will be removed
in the Mitaka release.
Table 7.35. Description of RabbitMQ configuration options
Configuration option = Default value
Description
[oslo_messaging_rabbit]
amqp_auto_delete = False
(BoolOpt) Auto-delete queues in AMQP.
amqp_durable_queues = False
(BoolOpt) Use durable queues in AMQP.
fake_rabbit = False
(BoolOpt) Deprecated, use
rpc_backend=kombu+memory or rpc_backend=fake
heartbeat_rate = 2
(IntOpt) Number of times during the
heartbeat_timeout_threshold that the heartbeat is
checked.
heartbeat_timeout_threshold = 60
(IntOpt) Number of seconds after which the Rabbit
broker is considered down if heartbeat's keep-alive
fails (0 disables the heartbeat). EXPERIMENTAL
kombu_reconnect_delay = 1.0
(FloatOpt) How long to wait before reconnecting in
response to an AMQP consumer cancel notification.
kombu_reconnect_timeout = 60
(IntOpt) How long to wait before considering a
reconnect attempt to have failed. This value should
not be longer than rpc_response_timeout.
kombu_ssl_ca_certs =
(StrOpt) SSL certification authority file (valid only if
SSL enabled).
kombu_ssl_certfile =
(StrOpt) SSL cert file (valid only if SSL enabled).
kombu_ssl_keyfile =
(StrOpt) SSL key file (valid only if SSL enabled).
kombu_ssl_version =
(StrOpt) SSL version to use (valid only if SSL
enabled). Valid values are TLSv1 and SSLv23. SSLv2,
SSLv3, TLSv1_1, and TLSv1_2 may be available on
some distributions.
rabbit_ha_queues = False
(BoolOpt) Use HA queues in RabbitMQ (x-ha-policy:
all). If you change this option, you must wipe the
RabbitMQ database.
rabbit_host = localhost
(StrOpt) The RabbitMQ broker address where a
single node is used.
rabbit_hosts = $rabbit_host:$rabbit_port
(ListOpt) RabbitMQ HA cluster host:port pairs.
rabbit_login_method = AMQPLAIN
(StrOpt) The RabbitMQ login method.
rabbit_max_retries = 0
(IntOpt) Maximum number of RabbitMQ connection
retries. Default is 0 (infinite retry count).
rabbit_password = guest
(StrOpt) The RabbitMQ password.
rabbit_port = 5672
(IntOpt) The RabbitMQ broker port where a single
node is used.
rabbit_retry_backoff = 2
(IntOpt) How long to back off between retries
when connecting to RabbitMQ.
rabbit_retry_interval = 1
(IntOpt) How frequently to retry connecting with
RabbitMQ.
rabbit_use_ssl = False
(BoolOpt) Connect over SSL for RabbitMQ.
rabbit_userid = guest
(StrOpt) The RabbitMQ userid.
rabbit_virtual_host = /
(StrOpt) The RabbitMQ virtual host.
send_single_reply = False
(BoolOpt) Send a single AMQP reply to call message.
The current behavior since oslo-incubator is to send
two AMQP replies - first one with the payload, a
second one to ensure the other has finished sending
the payload. We are going to remove it in the N
release, but we must keep backward compatibility at
the same time. This option provides such
compatibility - it defaults to False in Liberty and can
be turned on for early adopters with new
installations or for testing. This option will be removed
in the Mitaka release.
Table 7.36. Description of Redis configuration options
Configuration option = Default value
Description
[DEFAULT]
host = 127.0.0.1
(StrOpt) Host to locate redis.
password =
(StrOpt) Password for Redis server (optional).
port = 6379
(IntOpt) Use this port to connect to redis host.
[matchmaker_redis]
host = 127.0.0.1
(StrOpt) Host to locate redis.
password =
(StrOpt) Password for Redis server (optional).
port = 6379
(IntOpt) Use this port to connect to redis host.
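The tables above list several defaults that matter for security review: the md5 hash for PKI tokens, the permissive token-bind policy, the guest RabbitMQ password, plain-TCP messaging, and the comma-only format required for trusted_issuer. The following added example (not part of the Red Hat documentation or of Keystone) checks a keystone.conf against those options, using the defaults from this chapter when an option is unset. The function names, finding messages and the sample file are assumptions made for illustration.

```python
# Added example: audit keystone.conf text against options documented in this
# chapter. Defaults are copied from the tables and sample file on this page.
DEFAULTS = {
    ("DEFAULT", "backdoor_port"): None,
    ("DEFAULT", "strict_password_check"): "false",
    ("DEFAULT", "rpc_backend"): "rabbit",
    ("token", "provider"): "uuid",
    ("token", "hash_algorithm"): "md5",
    ("token", "bind"): "",
    ("token", "enforce_token_bind"): "permissive",
    ("oslo_messaging_rabbit", "rabbit_password"): "guest",
    ("oslo_messaging_rabbit", "rabbit_use_ssl"): "false",
    ("oslo_messaging_rabbit", "kombu_ssl_version"): "",
    ("oslo_messaging_amqp", "allow_insecure_clients"): "false",
}


def parse_oslo_ini(text):
    """Minimal INI reader returning {(section, option): [values, ...]}.

    Repeated options are kept in order because MultiStrOpt options such as
    trusted_issuer may appear several times in one section.
    """
    values, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue  # blank line or comment (commented-out defaults)
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
        elif "=" in line and section is not None:
            key, _, val = line.partition("=")
            values.setdefault((section, key.strip()), []).append(val.strip())
    return values


def audit_keystone_conf(text):
    """Return a list of (section, option, reason) findings."""
    values = parse_oslo_ini(text)
    findings = []

    def eff(section, option):
        # Effective value: last value set in the file, else documented default.
        got = values.get((section, option))
        return got[-1] if got else DEFAULTS.get((section, option))

    def is_true(value):
        return str(value).strip().lower() in ("1", "true", "yes", "on")

    def flag(section, option, why):
        findings.append((section, option, why))

    if ("DEFAULT", "admin_token") in values:
        flag("DEFAULT", "admin_token", "shared bootstrap secret is set; remove "
             "AdminTokenAuthMiddleware from the paste pipelines in production")
    if eff("DEFAULT", "backdoor_port"):
        flag("DEFAULT", "backdoor_port", "eventlet backdoor is enabled")
    if not is_true(eff("DEFAULT", "strict_password_check")):
        flag("DEFAULT", "strict_password_check",
             "over-long passwords are truncated instead of rejected")

    if eff("token", "provider") in ("pki", "pkiz") and \
            (eff("token", "hash_algorithm") or "").lower() == "md5":
        flag("token", "hash_algorithm", "PKI tokens are hashed with md5; "
             "configure auth_token hash_algorithms before changing it")
    bind = [b for b in (eff("token", "bind") or "").split(",") if b.strip()]
    if bind and eff("token", "enforce_token_bind") in ("disabled", "permissive"):
        flag("token", "enforce_token_bind",
             "bind information is added but not strictly enforced")

    if eff("DEFAULT", "rpc_backend") == "rabbit":
        rabbit = "oslo_messaging_rabbit"
        if eff(rabbit, "rabbit_password") == "guest":
            flag(rabbit, "rabbit_password", "default broker password in use")
        if not is_true(eff(rabbit, "rabbit_use_ssl")):
            flag(rabbit, "rabbit_use_ssl", "broker connection is not encrypted")
        elif (eff(rabbit, "kombu_ssl_version") or "").upper() in ("SSLV2", "SSLV3"):
            flag(rabbit, "kombu_ssl_version", "obsolete SSL protocol version")
    if is_true(eff("oslo_messaging_amqp", "allow_insecure_clients")):
        flag("oslo_messaging_amqp", "allow_insecure_clients",
             "plain TCP clients are accepted")

    for dn in values.get(("tokenless_auth", "trusted_issuer"), []):
        if " " in dn:
            flag("tokenless_auth", "trusted_issuer",
                 "DN contains spaces and will not match: %r" % dn)
    return findings


# Constructed sample input, not taken from a real deployment.
SAMPLE_CONF = """
[DEFAULT]
admin_token = ADMIN
#backdoor_port = <None>
[token]
provider = pki
bind = kerberos
[oslo_messaging_rabbit]
rabbit_host = mq.example.test
[tokenless_auth]
trusted_issuer = CN=john,OU=keystone,O=openstack
trusted_issuer = CN=mary, OU=eng, O=abc
"""

if __name__ == "__main__":
    for section, option, why in audit_keystone_conf(SAMPLE_CONF):
        print("[%s] %s: %s" % (section, option, why))
```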
7.2. IDENTITY SERVICE SAMPLE CONFIGURATION FILES
You can find the files described in this section in the /etc/keystone directory.
7.2.1. keystone.conf
Use the keystone.conf file to configure most Identity service options:
[DEFAULT]
#
# From keystone
#
# A "shared secret" that can be used to bootstrap Keystone. This "token" does
# not represent a user, and carries no explicit authorization. To disable in
# production (highly recommended), remove AdminTokenAuthMiddleware from your
# paste application pipelines (for example, in keystone-paste.ini). (string
# value)
#admin_token = ADMIN
# (Deprecated) The port which the OpenStack Compute service listens on. This
# option was only used for string replacement in the templated catalog backend.
# Templated catalogs should replace the "$(compute_port)s" substitution with
# the static port of the compute service. As of Juno, this option is deprecated
# and will be removed in the L release. (integer value)
#compute_port = 8774
# The base public endpoint URL for Keystone that is advertised to clients
# (NOTE: this does NOT affect how Keystone listens for connections). Defaults
# to the base host URL of the request. E.g. a request to
# http://server:5000/v3/users will default to http://server:5000. You should
# only need to set this value if the base URL contains a path (e.g. /prefix/v3)
# or the endpoint should be found on a different server. (string value)
#public_endpoint = <None>
# The base admin endpoint URL for Keystone that is advertised to clients (NOTE:
# this does NOT affect how Keystone listens for connections). Defaults to the
# base host URL of the request. E.g. a request to http://server:35357/v3/users
# will default to http://server:35357. You should only need to set this value
# if the base URL contains a path (e.g. /prefix/v3) or the endpoint should be
# found on a different server. (string value)
#admin_endpoint = <None>
# Maximum depth of the project hierarchy. WARNING: setting it to a large value
# may adversely impact performance. (integer value)
#max_project_tree_depth = 5
# Limit the sizes of user & project ID/names. (integer value)
#max_param_size = 64
# Similar to max_param_size, but provides an exception for token values.
# (integer value)
#max_token_size = 8192
# Similar to the member_role_name option, this represents the default role ID
# used to associate users with their default projects in the v2 API. This will
# be used as the explicit role where one is not specified by the v2 API.
# (string value)
#member_role_id = 9fe2ff9ee4384b1894a90878d3e92bab
# This is the role name used in combination with the member_role_id option; see
# that option for more detail. (string value)
#member_role_name = _member_
# The value passed as the keyword "rounds" to passlib's encrypt method.
# (integer value)
#crypt_strength = 40000
# The maximum number of entities that will be returned in a collection, with no
# limit set by default. This global limit may be then overridden for a specific
# driver, by specifying a list_limit in the appropriate section (e.g.
# [assignment]). (integer value)
#list_limit = <None>
# Set this to false if you want to enable the ability for user, group and
# project entities to be moved between domains by updating their domain_id.
# Allowing such movement is not recommended if the scope of a domain admin is
# being restricted by use of an appropriate policy file (see
# policy.v3cloudsample as an example). (boolean value)
#domain_id_immutable = true
# If set to true, strict password length checking is performed for password
# manipulation. If a password exceeds the maximum length, the operation will
# fail with an HTTP 403 Forbidden error. If set to false, passwords are
# automatically truncated to the maximum length. (boolean value)
#strict_password_check = false
# The HTTP header used to determine the scheme for the original request, even
# if it was removed by an SSL terminating proxy. Typical value is
# "HTTP_X_FORWARDED_PROTO". (string value)
#secure_proxy_ssl_header = <None>
#
# From keystone.notifications
#
# Default publisher_id for outgoing notifications (string value)
#default_publisher_id = <None>
# Define the notification format for Identity Service events. A "basic"
# notification has information about the resource being operated on. A "cadf"
# notification has the same information, as well as information about the
# initiator of the event. Valid options are: basic and cadf (string value)
#notification_format = basic
#
# From keystone.openstack.common.eventlet_backdoor
#
# Enable eventlet backdoor. Acceptable values are 0, <port>, and
# <start>:<end>, where 0 results in listening on a random tcp port number;
# <port> results in listening on the specified port number (and not enabling
# backdoor if that port is in use); and <start>:<end> results in listening on
# the smallest unused port number within the specified range of port numbers.
# The chosen port is displayed in the service's log file. (string value)
#backdoor_port = <None>
#
# From oslo.log
#
# Print debugging output (set logging level to DEBUG instead of default WARNING
# level). (boolean value)
#debug = false
# Print more verbose output (set logging level to INFO instead of default
# WARNING level). (boolean value)
#verbose = false
# The name of a logging configuration file. This file is appended to any
# existing logging configuration files. For details about logging configuration
# files, see the Python logging module documentation. (string value)
# Deprecated group/name - [DEFAULT]/log_config
#log_config_append = <None>
# DEPRECATED. A logging.Formatter log message format string which may use any
# of the available logging.LogRecord attributes. This option is deprecated.
# Please use logging_context_format_string and logging_default_format_string
# instead. (string value)
#log_format = <None>
# Format string for %%(asctime)s in log records. Default: %(default)s . (string
# value)
#log_date_format = %Y-%m-%d %H:%M:%S
# (Optional) Name of log file to output to. If no default is set, logging will
# go to stdout. (string value)
# Deprecated group/name - [DEFAULT]/logfile
#log_file = <None>
# (Optional) The base directory used for relative --log-file paths. (string
# value)
# Deprecated group/name - [DEFAULT]/logdir
#log_dir = <None>
# Use syslog for logging. Existing syslog format is DEPRECATED during I, and
# will change in J to honor RFC5424. (boolean value)
#use_syslog = false
# (Optional) Enables or disables syslog rfc5424 format for logging. If enabled,
# prefixes the MSG part of the syslog message with APP-NAME (RFC5424). The
# format without the APP-NAME is deprecated in I, and will be removed in J.
# (boolean value)
#use_syslog_rfc_format = false
# Syslog facility to receive log lines. (string value)
#syslog_log_facility = LOG_USER
# Log output to standard error. (boolean value)
#use_stderr = true
# Format string to use for log messages with context. (string value)
#logging_context_format_string = %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [%(request_id)s %(user_identity)s] %(instance)s%(message)s
# Format string to use for log messages without context. (string value)
#logging_default_format_string = %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [-] %(instance)s%(message)s
# Data to append to log format when level is DEBUG. (string value)
#logging_debug_format_suffix = %(funcName)s %(pathname)s:%(lineno)d
# Prefix each line of exception output with this format. (string value)
#logging_exception_prefix = %(asctime)s.%(msecs)03d %(process)d TRACE %(name)s %(instance)s
# List of logger=LEVEL pairs. (list value)
#default_log_levels = amqp=WARN,amqplib=WARN,boto=WARN,qpid=WARN,sqlalchemy=WARN,suds=INFO,oslo.messaging=INFO,iso8601=WARN,requests.packages.urllib3.connectionpool=WARN,urllib3.connectionpool=WARN,websocket=WARN,requests.packages.urllib3.util.retry=WARN,urllib3.util.retry=WARN,keystonemiddleware=WARN,routes.middleware=WARN,stevedore=WARN
# Enables or disables publication of error events. (boolean value)
#publish_errors = false
# Enables or disables fatal status of deprecations. (boolean value)
#fatal_deprecations = false
# The format for an instance that is passed with the log message. (string
# value)
#instance_format = "[instance: %(uuid)s] "
# The format for an instance UUID that is passed with the log message. (string
# value)
#instance_uuid_format = "[instance: %(uuid)s] "
#
# From oslo.messaging
#
# ZeroMQ bind address. Should be a wildcard (*), an ethernet interface, or IP.
# The "host" option should point or resolve to this address. (string value)
#rpc_zmq_bind_address = *
# MatchMaker driver. (string value)
#rpc_zmq_matchmaker = oslo_messaging._drivers.matchmaker.MatchMakerLocalhost
# ZeroMQ receiver listening port. (integer value)
#rpc_zmq_port = 9501
# Number of ZeroMQ contexts, defaults to 1. (integer value)
#rpc_zmq_contexts = 1
# Maximum number of ingress messages to locally buffer per topic. Default is
# unlimited. (integer value)
#rpc_zmq_topic_backlog = <None>
# Directory for holding IPC sockets. (string value)
#rpc_zmq_ipc_dir = /var/run/openstack
# Name of this node. Must be a valid hostname, FQDN, or IP address. Must match
# "host" option, if running Nova. (string value)
#rpc_zmq_host = localhost
# Seconds to wait before a cast expires (TTL). Only supported by impl_zmq.
# (integer value)
#rpc_cast_timeout = 30
# Heartbeat frequency. (integer value)
#matchmaker_heartbeat_freq = 300
# Heartbeat time-to-live. (integer value)
#matchmaker_heartbeat_ttl = 600
# Size of RPC thread pool. (integer value)
#rpc_thread_pool_size = 64
# Driver or drivers to handle sending notifications. (multi valued)
#notification_driver =
# AMQP topic used for OpenStack notifications. (list value)
# Deprecated group/name - [rpc_notifier2]/topics
#notification_topics = notifications
# Seconds to wait for a response from a call. (integer value)
#rpc_response_timeout = 60
# A URL representing the messaging driver to use and its full configuration. If
# not set, we fall back to the rpc_backend option and driver specific
# configuration. (string value)
#transport_url = <None>
# The messaging driver to use, defaults to rabbit. Other drivers include qpid
# and zmq. (string value)
#rpc_backend = rabbit
# The default exchange under which topics are scoped. May be overridden by an
# exchange name specified in the transport_url option. (string value)
#control_exchange = keystone
[assignment]
#
# From keystone
#
# Assignment backend driver. (string value)
#driver = <None>
[auth]
#
# From keystone
#
# Default auth methods. (list value)
#methods = external,password,token,oauth1
# The password auth plugin module. (string value)
#password = keystone.auth.plugins.password.Password
# The token auth plugin module. (string value)
#token = keystone.auth.plugins.token.Token
# The external (REMOTE_USER) auth plugin module. (string value)
#external = keystone.auth.plugins.external.DefaultDomain
# The oAuth1.0 auth plugin module. (string value)
#oauth1 = keystone.auth.plugins.oauth1.OAuth
[cache]
#
# From keystone
#
# Prefix for building the configuration dictionary for the cache region. This
# should not need to be changed unless there is another dogpile.cache region
# with the same configuration name. (string value)
#config_prefix = cache.keystone
# Default TTL, in seconds, for any cached item in the dogpile.cache region.
# This applies to any cached method that doesn't have an explicit cache
# expiration time defined for it. (integer value)
#expiration_time = 600
# Dogpile.cache backend module. It is recommended that Memcache with pooling
# (keystone.cache.memcache_pool) or Redis (dogpile.cache.redis) be used in
# production deployments. Small workloads (single process) like devstack can
# use the dogpile.cache.memory backend. (string value)
#backend = keystone.common.cache.noop
# Arguments supplied to the backend module. Specify this option once per
# argument to be passed to the dogpile.cache backend. Example format:
# "<argname>:<value>". (multi valued)
#backend_argument =
# Proxy classes to import that will affect the way the dogpile.cache backend
# functions. See the dogpile.cache documentation on changing-backend-behavior.
# (list value)
#proxies =
# Global toggle for all caching using the should_cache_fn mechanism. (boolean
# value)
#enabled = false
# Extra debugging from the cache backend (cache keys, get/set/delete/etc
# calls). This is only really useful if you need to see the specific cache-
# backend get/set/delete calls with the keys/values. Typically this should be
# left set to false. (boolean value)
#debug_cache_backend = false
# Memcache servers in the format of "host:port". (dogpile.cache.memcache and
# keystone.cache.memcache_pool backends only). (list value)
#memcache_servers = localhost:11211
# Number of seconds memcached server is considered dead before it is tried
# again. (dogpile.cache.memcache and keystone.cache.memcache_pool backends
# only). (integer value)
#memcache_dead_retry = 300
# Timeout in seconds for every call to a server. (dogpile.cache.memcache and
# keystone.cache.memcache_pool backends only). (integer value)
#memcache_socket_timeout = 3
# Max total number of open connections to every memcached server.
# (keystone.cache.memcache_pool backend only). (integer value)
#memcache_pool_maxsize = 10
# Number of seconds a connection to memcached is held unused in the pool before
# it is closed. (keystone.cache.memcache_pool backend only). (integer value)
#memcache_pool_unused_timeout = 60
# Number of seconds that an operation will wait to get a memcache client
# connection. (integer value)
#memcache_pool_connection_get_timeout = 10
[catalog]
#
# From keystone
#
# Catalog template file name for use with the template catalog backend. (string
# value)
#template_file = default_catalog.templates
# Catalog backend driver. (string value)
#driver = keystone.catalog.backends.sql.Catalog
# Toggle for catalog caching. This has no effect unless global caching is
# enabled. (boolean value)
#caching = true
# Time to cache catalog data (in seconds). This has no effect unless global and
# catalog caching are enabled. (integer value)
#cache_time = <None>
# Maximum number of entities that will be returned in a catalog collection.
# (integer value)
#list_limit = <None>
[credential]
#
# From keystone
#
# Credential backend driver. (string value)
#driver = keystone.credential.backends.sql.Credential
[database]
#
# From oslo.db
#
# The file name to use with SQLite. (string value)
# Deprecated group/name - [DEFAULT]/sqlite_db
#sqlite_db = oslo.sqlite
# If True, SQLite uses synchronous mode. (boolean value)
# Deprecated group/name - [DEFAULT]/sqlite_synchronous
#sqlite_synchronous = true
# The back end to use for the database. (string value)
# Deprecated group/name - [DEFAULT]/db_backend
#backend = sqlalchemy
# The SQLAlchemy connection string to use to connect to the database. (string
# value)
# Deprecated group/name - [DEFAULT]/sql_connection
# Deprecated group/name - [DATABASE]/sql_connection
# Deprecated group/name - [sql]/connection
#connection = <None>
# The SQLAlchemy connection string to use to connect to the slave database.
# (string value)
#slave_connection = <None>
# The SQL mode to be used for MySQL sessions. This option, including the
# default, overrides any server-set SQL mode. To use whatever SQL mode is set
# by the server configuration, set this to no value. Example: mysql_sql_mode=
# (string value)
#mysql_sql_mode = TRADITIONAL
# Timeout before idle SQL connections are reaped. (integer value)
# Deprecated group/name - [DEFAULT]/sql_idle_timeout
# Deprecated group/name - [DATABASE]/sql_idle_timeout
# Deprecated group/name - [sql]/idle_timeout
#idle_timeout = 3600
# Minimum number of SQL connections to keep open in a pool. (integer value)
# Deprecated group/name - [DEFAULT]/sql_min_pool_size
# Deprecated group/name - [DATABASE]/sql_min_pool_size
#min_pool_size = 1
# Maximum number of SQL connections to keep open in a pool. (integer value)
# Deprecated group/name - [DEFAULT]/sql_max_pool_size
# Deprecated group/name - [DATABASE]/sql_max_pool_size
#max_pool_size = <None>
# Maximum number of database connection retries during startup. Set to -1 to
# specify an infinite retry count. (integer value)
# Deprecated group/name - [DEFAULT]/sql_max_retries
# Deprecated group/name - [DATABASE]/sql_max_retries
#max_retries = 10
# Interval between retries of opening a SQL connection. (integer value)
# Deprecated group/name - [DEFAULT]/sql_retry_interval
# Deprecated group/name - [DATABASE]/reconnect_interval
#retry_interval = 10
# If set, use this value for max_overflow with SQLAlchemy. (integer value)
# Deprecated group/name - [DEFAULT]/sql_max_overflow
# Deprecated group/name - [DATABASE]/sqlalchemy_max_overflow
#max_overflow = <None>
# Verbosity of SQL debugging information: 0=None, 100=Everything. (integer
# value)
# Deprecated group/name - [DEFAULT]/sql_connection_debug
#connection_debug = 0
# Add Python stack traces to SQL as comment strings. (boolean value)
# Deprecated group/name - [DEFAULT]/sql_connection_trace
#connection_trace = false
# If set, use this value for pool_timeout with SQLAlchemy. (integer value)
# Deprecated group/name - [DATABASE]/sqlalchemy_pool_timeout
#pool_timeout = <None>
# Enable the experimental use of database reconnect on connection lost.
# (boolean value)
#use_db_reconnect = false
# Seconds between retries of a database transaction. (integer value)
#db_retry_interval = 1
# If True, increases the interval between retries of a database operation up to
# db_max_retry_interval. (boolean value)
#db_inc_retry_interval = true
# If db_inc_retry_interval is set, the maximum seconds between retries of a
# database operation. (integer value)
#db_max_retry_interval = 10
# Maximum retries in case of connection error or deadlock error before error is
# raised. Set to -1 to specify an infinite retry count. (integer value)
#db_max_retries = 20
[domain_config]
#
# From keystone
#
# Domain config backend driver. (string value)
#driver = keystone.resource.config_backends.sql.DomainConfig
# Toggle for domain config caching. This has no effect unless global caching is
# enabled. (boolean value)
#caching = true
# TTL (in seconds) to cache domain config data. This has no effect unless
# domain config caching is enabled. (integer value)
#cache_time = 300
[endpoint_filter]
#
# From keystone
#
# Endpoint Filter backend driver (string value)
#driver = keystone.contrib.endpoint_filter.backends.sql.EndpointFilter
# Toggle to return all active endpoints if no filter exists. (boolean value)
#return_all_endpoints_if_no_filter = true
[endpoint_policy]
#
# From keystone
#
# Endpoint policy backend driver (string value)
#driver = keystone.contrib.endpoint_policy.backends.sql.EndpointPolicy
[eventlet_server]
#
# From keystone
#
# The number of worker processes to serve the public eventlet application.
# Defaults to number of CPUs (minimum of 2). (integer value)
# Deprecated group/name - [DEFAULT]/public_workers
#public_workers = <None>
# The number of worker processes to serve the admin eventlet application.
# Defaults to number of CPUs (minimum of 2). (integer value)
# Deprecated group/name - [DEFAULT]/admin_workers
#admin_workers = <None>
# The IP address of the network interface for the public service to listen on.
# (string value)
# Deprecated group/name - [DEFAULT]/bind_host
# Deprecated group/name - [DEFAULT]/public_bind_host
#public_bind_host = 0.0.0.0
# The port number which the public service listens on. (integer value)
# Deprecated group/name - [DEFAULT]/public_port
#public_port = 5000
# The IP address of the network interface for the admin service to listen on.
# (string value)
# Deprecated group/name - [DEFAULT]/bind_host
# Deprecated group/name - [DEFAULT]/admin_bind_host
#admin_bind_host = 0.0.0.0
# The port number which the admin service listens on. (integer value)
# Deprecated group/name - [DEFAULT]/admin_port
#admin_port = 35357
# Set this to true if you want to enable TCP_KEEPALIVE on server sockets, i.e.
# sockets used by the Keystone wsgi server for client connections. (boolean
# value)
# Deprecated group/name - [DEFAULT]/tcp_keepalive
#tcp_keepalive = false
# Sets the value of TCP_KEEPIDLE in seconds for each server socket. Only
# applies if tcp_keepalive is true. (integer value)
# Deprecated group/name - [DEFAULT]/tcp_keepidle
#tcp_keepidle = 600
[eventlet_server_ssl]
#
# From keystone
#
# Toggle for SSL support on the Keystone eventlet servers. (boolean value)
# Deprecated group/name - [ssl]/enable
#enable = false
# Path of the certfile for SSL. For non-production environments, you may be
# interested in using `keystone-manage ssl_setup` to generate self-signed
# certificates. (string value)
# Deprecated group/name - [ssl]/certfile
#certfile = /etc/keystone/ssl/certs/keystone.pem
# Path of the keyfile for SSL. (string value)
# Deprecated group/name - [ssl]/keyfile
#keyfile = /etc/keystone/ssl/private/keystonekey.pem
# Path of the CA cert file for SSL. (string value)
# Deprecated group/name - [ssl]/ca_certs
#ca_certs = /etc/keystone/ssl/certs/ca.pem
# Require client certificate. (boolean value)
# Deprecated group/name - [ssl]/cert_required
#cert_required = false
[federation]
#
# From keystone
#
# Federation backend driver. (string value)
#driver = keystone.contrib.federation.backends.sql.Federation
# Value to be used when filtering assertion parameters from the environment.
# (string value)
#assertion_prefix =
# Value to be used to obtain the entity ID of the Identity Provider from the
# environment (e.g. if using the mod_shib plugin this value is
# `Shib-Identity-Provider`). (string value)
#remote_id_attribute = <None>
# A domain name that is reserved to allow federated ephemeral users to have a
# domain concept. Note that an admin will not be able to create a domain with
# this name or update an existing domain to this name. You are not advised to
# change this value unless you really have to. Changing this option to empty
# string or None will not have any impact and default name will be used.
# (string value)
#federated_domain_name = Federated
# A list of trusted dashboard hosts. Before accepting a Single Sign-On request
# to return a token, the origin host must be a member of the trusted_dashboard
# list. This configuration option may be repeated for multiple values. For
# example: trusted_dashboard=http://acme.com trusted_dashboard=http://beta.com
# (multi valued)
#trusted_dashboard =
# Location of Single Sign-On callback handler, will return a token to a trusted
# dashboard host. (string value)
#sso_callback_template = /etc/keystone/sso_callback_template.html
[fernet_tokens]
#
# From keystone
#
# Directory containing Fernet token keys. (string value)
#key_repository = /etc/keystone/fernet-keys/
# This controls how many keys are held in rotation by keystone-manage
# fernet_rotate before they are discarded. The default value of 3 means that
# keystone will maintain one staged key, one primary key, and one secondary
# key. Increasing this value means that additional secondary keys will be kept
# in the rotation. (integer value)
#max_active_keys = 3
[identity]
#
# From keystone
#
# This references the domain to use for all Identity API v2 requests (which are
# not aware of domains). A domain with this ID will be created for you by
# keystone-manage db_sync in migration 008. The domain referenced by this ID
# cannot be deleted on the v3 API, to prevent accidentally breaking the v2 API.
# There is nothing special about this domain, other than the fact that it must
# exist in order to maintain support for your v2 clients. (string value)
#default_domain_id = default
# A subset (or all) of domains can have their own identity driver, each with
# their own partial configuration options, stored in either the resource
# backend or in a file in a domain configuration directory (depending on the
# setting of domain_configurations_from_database). Only values specific to the
# domain need to be specified in this manner. This feature is disabled by
# default; set to true to enable. (boolean value)
#domain_specific_drivers_enabled = false
# Extract the domain specific configuration options from the resource backend
# where they have been stored with the domain data. This feature is disabled by
# default (in which case the domain specific options will be loaded from files
# in the domain configuration directory); set to true to enable. (boolean
# value)
#domain_configurations_from_database = false
# Path for Keystone to locate the domain specific identity configuration files
# if domain_specific_drivers_enabled is set to true. (string value)
#domain_config_dir = /etc/keystone/domains
# Identity backend driver. (string value)
#driver = keystone.identity.backends.sql.Identity
# Toggle for identity caching. This has no effect unless global caching is
# enabled. (boolean value)
#caching = true
# Time to cache identity data (in seconds). This has no effect unless global
# and identity caching are enabled. (integer value)
#cache_time = 600
# Maximum supported length for user passwords; decrease to improve performance.
# (integer value)
#max_password_length = 4096
# Maximum number of entities that will be returned in an identity collection.
# (integer value)
#list_limit = <None>
[identity_mapping]
#
# From keystone
#
# Keystone Identity Mapping backend driver. (string value)
#driver = keystone.identity.mapping_backends.sql.Mapping
# Public ID generator for user and group entities. The Keystone identity mapper
# only supports generators that produce no more than 64 characters. (string
# value)
#generator = keystone.identity.id_generators.sha256.Generator
# The format of user and group IDs changed in Juno for backends that do not
# generate UUIDs (e.g. LDAP), with keystone providing a hash mapping to the
# underlying attribute in LDAP. By default this mapping is disabled, which
# ensures that existing IDs will not change. Even when the mapping is enabled
# by using domain specific drivers, any users and groups from the default
# domain being handled by LDAP will still not be mapped to ensure their IDs
# remain backward compatible. Setting this value to False will enable the
# mapping for even the default LDAP driver. It is only safe to do this if you
# do not already have assignments for users and groups from the default LDAP
# domain, and it is acceptable for Keystone to provide the different IDs to
# clients than it did previously. Typically this means that the only time you
# can set this value to False is when configuring a fresh installation.
# (boolean value)
#backward_compatible_ids = true
[kvs]
#
# From keystone
#
# Extra dogpile.cache backend modules to register with the dogpile.cache
# library. (list value)
#backends =
# Prefix for building the configuration dictionary for the KVS region. This
# should not need to be changed unless there is another dogpile.cache region
# with the same configuration name. (string value)
#config_prefix = keystone.kvs
# Toggle to disable using a key-mangling function to ensure fixed length keys.
# This is toggle-able for debugging purposes, it is highly recommended to
# always leave this set to true. (boolean value)
#enable_key_mangler = true
# Default lock timeout (in seconds) for distributed locking. (integer value)
#default_lock_timeout = 5
[ldap]
#
# From keystone
#
# URL for connecting to the LDAP server. (string value)
#url = ldap://localhost
# User BindDN to query the LDAP server. (string value)
#user = <None>
# Password for the BindDN to query the LDAP server. (string value)
#password = <None>
# LDAP server suffix (string value)
#suffix = cn=example,cn=com
# If true, will add a dummy member to groups. This is required if the
# objectclass for groups requires the "member" attribute. (boolean value)
#use_dumb_member = false
# DN of the "dummy member" to use when "use_dumb_member" is enabled. (string
# value)
#dumb_member = cn=dumb,dc=nonexistent
# Delete subtrees using the subtree delete control. Only enable this option if
# your LDAP server supports subtree deletion. (boolean value)
#allow_subtree_delete = false
# The LDAP scope for queries, this can be either "one" (onelevel/singleLevel)
# or "sub" (subtree/wholeSubtree). (string value)
#query_scope = one
# Maximum results per page; a value of zero ("0") disables paging. (integer
# value)
#page_size = 0
# The LDAP dereferencing option for queries. This can be either "never",
# "searching", "always", "finding" or "default". The "default" option falls
# back to using default dereferencing configured by your ldap.conf. (string
# value)
#alias_dereferencing = default
# Sets the LDAP debugging level for LDAP calls. A value of 0 means that
# debugging is not enabled. This value is a bitmask, consult your LDAP
# documentation for possible values. (integer value)
#debug_level = <None>
# Override the system's default referral chasing behavior for queries. (boolean
# value)
#chase_referrals = <None>
# Search base for users. (string value)
#user_tree_dn = <None>
# LDAP search filter for users. (string value)
#user_filter = <None>
# LDAP objectclass for users. (string value)
#user_objectclass = inetOrgPerson
# LDAP attribute mapped to user id. WARNING: must not be a multivalued
# attribute. (string value)
#user_id_attribute = cn
# LDAP attribute mapped to user name. (string value)
#user_name_attribute = sn
# LDAP attribute mapped to user email. (string value)
#user_mail_attribute = mail
# LDAP attribute mapped to password. (string value)
#user_pass_attribute = userPassword
# LDAP attribute mapped to user enabled flag. (string value)
#user_enabled_attribute = enabled
# Invert the meaning of the boolean enabled values. Some LDAP servers use a
# boolean lock attribute where "true" means an account is disabled. Setting
# "user_enabled_invert = true" will allow these lock attributes to be used.
# This setting will have no effect if "user_enabled_mask" or
# "user_enabled_emulation" settings are in use. (boolean value)
#user_enabled_invert = false
# Bitmask integer to indicate the bit that the enabled value is stored in if
# the LDAP server represents "enabled" as a bit on an integer rather than a
# boolean. A value of "0" indicates the mask is not used. If this is not set to
# "0" the typical value is "2". This is typically used when
# "user_enabled_attribute = userAccountControl". (integer value)
#user_enabled_mask = 0
# Default value to enable users. This should match an appropriate int value if
# the LDAP server uses non-boolean (bitmask) values to indicate if a user is
# enabled or disabled. If this is not set to "True" the typical value is "512".
# This is typically used when "user_enabled_attribute = userAccountControl".
# (string value)
#user_enabled_default = True
# List of attributes stripped off the user on update. (list value)
#user_attribute_ignore = default_project_id,tenants
# LDAP attribute mapped to default_project_id for users. (string value)
#user_default_project_id_attribute = <None>
# Allow user creation in LDAP backend. (boolean value)
#user_allow_create = true
# Allow user updates in LDAP backend. (boolean value)
#user_allow_update = true
# Allow user deletion in LDAP backend. (boolean value)
#user_allow_delete = true
# If true, Keystone uses an alternative method to determine if a user is
# enabled or not by checking if they are a member of the
# "user_enabled_emulation_dn" group. (boolean value)
#user_enabled_emulation = false
# DN of the group entry to hold enabled users when using enabled emulation.
# (string value)
#user_enabled_emulation_dn = <None>
# List of additional LDAP attributes used for mapping additional attribute
# mappings for users. Attribute mapping format is <ldap_attr>:<user_attr>,
# where ldap_attr is the attribute in the LDAP entry and user_attr is the
# Identity API attribute. (list value)
#user_additional_attribute_mapping =
# Search base for projects (string value)
# Deprecated group/name - [ldap]/tenant_tree_dn
#project_tree_dn = <None>
# LDAP search filter for projects. (string value)
# Deprecated group/name - [ldap]/tenant_filter
#project_filter = <None>
# LDAP objectclass for projects. (string value)
# Deprecated group/name - [ldap]/tenant_objectclass
#project_objectclass = groupOfNames
# LDAP attribute mapped to project id. (string value)
# Deprecated group/name - [ldap]/tenant_id_attribute
#project_id_attribute = cn
# LDAP attribute mapped to project membership for user. (string value)
# Deprecated group/name - [ldap]/tenant_member_attribute
#project_member_attribute = member
# LDAP attribute mapped to project name. (string value)
# Deprecated group/name - [ldap]/tenant_name_attribute
#project_name_attribute = ou
# LDAP attribute mapped to project description. (string value)
# Deprecated group/name - [ldap]/tenant_desc_attribute
#project_desc_attribute = description
# LDAP attribute mapped to project enabled. (string value)
# Deprecated group/name - [ldap]/tenant_enabled_attribute
#project_enabled_attribute = enabled
# LDAP attribute mapped to project domain_id. (string value)
# Deprecated group/name - [ldap]/tenant_domain_id_attribute
#project_domain_id_attribute = businessCategory
# List of attributes stripped off the project on update. (list value)
# Deprecated group/name - [ldap]/tenant_attribute_ignore
#project_attribute_ignore =
# Allow project creation in LDAP backend. (boolean value)
# Deprecated group/name - [ldap]/tenant_allow_create
#project_allow_create = true
# Allow project update in LDAP backend. (boolean value)
# Deprecated group/name - [ldap]/tenant_allow_update
#project_allow_update = true
# Allow project deletion in LDAP backend. (boolean value)
# Deprecated group/name - [ldap]/tenant_allow_delete
#project_allow_delete = true
# If true, Keystone uses an alternative method to determine if a project is
# enabled or not by checking if they are a member of the
# "project_enabled_emulation_dn" group. (boolean value)
# Deprecated group/name - [ldap]/tenant_enabled_emulation
#project_enabled_emulation = false
# DN of the group entry to hold enabled projects when using enabled emulation.
# (string value)
# Deprecated group/name - [ldap]/tenant_enabled_emulation_dn
#project_enabled_emulation_dn = <None>
# Additional attribute mappings for projects. Attribute mapping format is
# <ldap_attr>:<user_attr>, where ldap_attr is the attribute in the LDAP entry
# and user_attr is the Identity API attribute. (list value)
# Deprecated group/name - [ldap]/tenant_additional_attribute_mapping
#project_additional_attribute_mapping =
# Search base for roles. (string value)
#role_tree_dn = <None>
# LDAP search filter for roles. (string value)
#role_filter = <None>
# LDAP objectclass for roles. (string value)
#role_objectclass = organizationalRole
# LDAP attribute mapped to role id. (string value)
#role_id_attribute = cn
# LDAP attribute mapped to role name. (string value)
#role_name_attribute = ou
# LDAP attribute mapped to role membership. (string value)
#role_member_attribute = roleOccupant
# List of attributes stripped off the role on update. (list value)
#role_attribute_ignore =
# Allow role creation in LDAP backend. (boolean value)
#role_allow_create = true
# Allow role update in LDAP backend. (boolean value)
#role_allow_update = true
# Allow role deletion in LDAP backend. (boolean value)
#role_allow_delete = true
# Additional attribute mappings for roles. Attribute mapping format is
# <ldap_attr>:<user_attr>, where ldap_attr is the attribute in the LDAP entry
# and user_attr is the Identity API attribute. (list value)
#role_additional_attribute_mapping =
# Search base for groups. (string value)
#group_tree_dn = <None>
# LDAP search filter for groups. (string value)
#group_filter = <None>
# LDAP objectclass for groups. (string value)
#group_objectclass = groupOfNames
# LDAP attribute mapped to group id. (string value)
#group_id_attribute = cn
# LDAP attribute mapped to group name. (string value)
#group_name_attribute = ou
# LDAP attribute mapped to show group membership. (string value)
#group_member_attribute = member
# LDAP attribute mapped to group description. (string value)
#group_desc_attribute = description
# List of attributes stripped off the group on update. (list value)
#group_attribute_ignore =
# Allow group creation in LDAP backend. (boolean value)
#group_allow_create = true
# Allow group update in LDAP backend. (boolean value)
#group_allow_update = true
# Allow group deletion in LDAP backend. (boolean value)
#group_allow_delete = true
# Additional attribute mappings for groups. Attribute mapping format is
# <ldap_attr>:<user_attr>, where ldap_attr is the attribute in the LDAP entry
# and user_attr is the Identity API attribute. (list value)
#group_additional_attribute_mapping =
# CA certificate file path for communicating with LDAP servers. (string value)
#tls_cacertfile = <None>
# CA certificate directory path for communicating with LDAP servers. (string
# value)
#tls_cacertdir = <None>
# Enable TLS for communicating with LDAP servers. (boolean value)
#use_tls = false
# Valid options for tls_req_cert are demand, never, and allow. (string value)
#tls_req_cert = demand
# Enable LDAP connection pooling. (boolean value)
#use_pool = false
# Connection pool size. (integer value)
#pool_size = 10
# Maximum count of reconnect trials. (integer value)
#pool_retry_max = 3
# Time span in seconds to wait between two reconnect trials. (floating point
# value)
#pool_retry_delay = 0.1
# Connector timeout in seconds. Value -1 indicates indefinite wait for
# response. (integer value)
#pool_connection_timeout = -1
# Connection lifetime in seconds. (integer value)
#pool_connection_lifetime = 600
# Enable LDAP connection pooling for end user authentication. If use_pool is
# disabled, then this setting is meaningless and is not used at all. (boolean
# value)
#use_auth_pool = false
# End user auth connection pool size. (integer value)
#auth_pool_size = 100
# End user auth connection lifetime in seconds. (integer value)
#auth_pool_connection_lifetime = 60
[matchmaker_redis]
#
# From oslo.messaging
#
# Host to locate redis. (string value)
#host = 127.0.0.1
# Use this port to connect to redis host. (integer value)
#port = 6379
# Password for Redis server (optional). (string value)
#password = <None>
[matchmaker_ring]
#
# From oslo.messaging
#
# Matchmaker ring file (JSON). (string value)
# Deprecated group/name - [DEFAULT]/matchmaker_ringfile
#ringfile = /etc/oslo/matchmaker_ring.json
[memcache]
#
# From keystone
#
# Memcache servers in the format of "host:port". (list value)
#servers = localhost:11211
# Number of seconds memcached server is considered dead before it is tried
# again. This is used by the key value store system (e.g. token pooled
# memcached persistence backend). (integer value)
#dead_retry = 300
# Timeout in seconds for every call to a server. This is used by the key value
# store system (e.g. token pooled memcached persistence backend). (integer
# value)
#socket_timeout = 3
# Max total number of open connections to every memcached server. This is used
# by the key value store system (e.g. token pooled memcached persistence
# backend). (integer value)
#pool_maxsize = 10
# Number of seconds a connection to memcached is held unused in the pool before
# it is closed. This is used by the key value store system (e.g. token pooled
# memcached persistence backend). (integer value)
#pool_unused_timeout = 60
# Number of seconds that an operation will wait to get a memcache client
# connection. This is used by the key value store system (e.g. token pooled
# memcached persistence backend). (integer value)
#pool_connection_get_timeout = 10
[oauth1]
#
# From keystone
#
# Credential backend driver. (string value)
#driver = keystone.contrib.oauth1.backends.sql.OAuth1
# Duration (in seconds) for the OAuth Request Token. (integer value)
#request_token_duration = 28800
# Duration (in seconds) for the OAuth Access Token. (integer value)
#access_token_duration = 86400
[os_inherit]
#
# From keystone
#
# role-assignment inheritance to projects from owning domain or from projects
# higher in the hierarchy can be optionally enabled. (boolean value)
#enabled = false
[oslo_messaging_amqp]
#
# From oslo.messaging
#
# address prefix used when sending to a specific server (string value)
# Deprecated group/name - [amqp1]/server_request_prefix
#server_request_prefix = exclusive
# address prefix used when broadcasting to all servers (string value)
# Deprecated group/name - [amqp1]/broadcast_prefix
#broadcast_prefix = broadcast
# address prefix when sending to any server in group (string value)
# Deprecated group/name - [amqp1]/group_request_prefix
#group_request_prefix = unicast
# Name for the AMQP container (string value)
# Deprecated group/name - [amqp1]/container_name
#container_name = <None>
# Timeout for inactive connections (in seconds) (integer value)
# Deprecated group/name - [amqp1]/idle_timeout
#idle_timeout = 0
# Debug: dump AMQP frames to stdout (boolean value)
# Deprecated group/name - [amqp1]/trace
#trace = false
# CA certificate PEM file for verifying server certificate (string value)
# Deprecated group/name - [amqp1]/ssl_ca_file
#ssl_ca_file =
# Identifying certificate PEM file to present to clients (string value)
# Deprecated group/name - [amqp1]/ssl_cert_file
#ssl_cert_file =
# Private key PEM file used to sign cert_file certificate (string value)
# Deprecated group/name - [amqp1]/ssl_key_file
#ssl_key_file =
# Password for decrypting ssl_key_file (if encrypted) (string value)
# Deprecated group/name - [amqp1]/ssl_key_password
#ssl_key_password = <None>
# Accept clients using either SSL or plain TCP (boolean value)
# Deprecated group/name - [amqp1]/allow_insecure_clients
#allow_insecure_clients = false
[oslo_messaging_qpid]
#
# From oslo.messaging
#
# Use durable queues in AMQP. (boolean value)
# Deprecated group/name - [DEFAULT]/rabbit_durable_queues
#amqp_durable_queues = false
# Auto-delete queues in AMQP. (boolean value)
# Deprecated group/name - [DEFAULT]/amqp_auto_delete
#amqp_auto_delete = false
# Size of RPC connection pool. (integer value)
# Deprecated group/name - [DEFAULT]/rpc_conn_pool_size
#rpc_conn_pool_size = 30
# Qpid broker hostname. (string value)
# Deprecated group/name - [DEFAULT]/qpid_hostname
#qpid_hostname = localhost
# Qpid broker port. (integer value)
# Deprecated group/name - [DEFAULT]/qpid_port
#qpid_port = 5672
# Qpid HA cluster host:port pairs. (list value)
# Deprecated group/name - [DEFAULT]/qpid_hosts
#qpid_hosts = $qpid_hostname:$qpid_port
# Username for Qpid connection. (string value)
# Deprecated group/name - [DEFAULT]/qpid_username
#qpid_username =
# Password for Qpid connection. (string value)
# Deprecated group/name - [DEFAULT]/qpid_password
#qpid_password =
# Space separated list of SASL mechanisms to use for auth. (string value)
# Deprecated group/name - [DEFAULT]/qpid_sasl_mechanisms
#qpid_sasl_mechanisms =
# Seconds between connection keepalive heartbeats. (integer value)
# Deprecated group/name - [DEFAULT]/qpid_heartbeat
#qpid_heartbeat = 60
# Transport to use, either 'tcp' or 'ssl'. (string value)
# Deprecated group/name - [DEFAULT]/qpid_protocol
#qpid_protocol = tcp
# Whether to disable the Nagle algorithm. (boolean value)
# Deprecated group/name - [DEFAULT]/qpid_tcp_nodelay
#qpid_tcp_nodelay = true
# The number of prefetched messages held by receiver. (integer value)
# Deprecated group/name - [DEFAULT]/qpid_receiver_capacity
#qpid_receiver_capacity = 1
# The qpid topology version to use. Version 1 is what was originally used by
# impl_qpid. Version 2 includes some backwards-incompatible changes that allow
# broker federation to work. Users should update to version 2 when they are
# able to take everything down, as it requires a clean break. (integer value)
# Deprecated group/name - [DEFAULT]/qpid_topology_version
#qpid_topology_version = 1
[oslo_messaging_rabbit]
#
# From oslo.messaging
#
# Use durable queues in AMQP. (boolean value)
# Deprecated group/name - [DEFAULT]/rabbit_durable_queues
#amqp_durable_queues = false
# Auto-delete queues in AMQP. (boolean value)
# Deprecated group/name - [DEFAULT]/amqp_auto_delete
#amqp_auto_delete = false
# Size of RPC connection pool. (integer value)
# Deprecated group/name - [DEFAULT]/rpc_conn_pool_size
#rpc_conn_pool_size = 30
# SSL version to use (valid only if SSL enabled). Valid values are TLSv1 and
# SSLv23. SSLv2, SSLv3, TLSv1_1, and TLSv1_2 may be available on some
# distributions. (string value)
# Deprecated group/name - [DEFAULT]/kombu_ssl_version
#kombu_ssl_version =
# SSL key file (valid only if SSL enabled). (string value)
# Deprecated group/name - [DEFAULT]/kombu_ssl_keyfile
#kombu_ssl_keyfile =
# SSL cert file (valid only if SSL enabled). (string value)
# Deprecated group/name - [DEFAULT]/kombu_ssl_certfile
#kombu_ssl_certfile =
# SSL certification authority file (valid only if SSL enabled). (string value)
# Deprecated group/name - [DEFAULT]/kombu_ssl_ca_certs
#kombu_ssl_ca_certs =
# How long to wait before reconnecting in response to an AMQP consumer cancel
# notification. (floating point value)
# Deprecated group/name - [DEFAULT]/kombu_reconnect_delay
#kombu_reconnect_delay = 1.0
# The RabbitMQ broker address where a single node is used. (string value)
# Deprecated group/name - [DEFAULT]/rabbit_host
#rabbit_host = localhost
# The RabbitMQ broker port where a single node is used. (integer value)
# Deprecated group/name - [DEFAULT]/rabbit_port
#rabbit_port = 5672
# RabbitMQ HA cluster host:port pairs. (list value)
# Deprecated group/name - [DEFAULT]/rabbit_hosts
#rabbit_hosts = $rabbit_host:$rabbit_port
# Connect over SSL for RabbitMQ. (boolean value)
# Deprecated group/name - [DEFAULT]/rabbit_use_ssl
#rabbit_use_ssl = false
# The RabbitMQ userid. (string value)
# Deprecated group/name - [DEFAULT]/rabbit_userid
#rabbit_userid = guest
# The RabbitMQ password. (string value)
# Deprecated group/name - [DEFAULT]/rabbit_password
#rabbit_password = guest
# The RabbitMQ login method. (string value)
# Deprecated group/name - [DEFAULT]/rabbit_login_method
#rabbit_login_method = AMQPLAIN
# The RabbitMQ virtual host. (string value)
# Deprecated group/name - [DEFAULT]/rabbit_virtual_host
#rabbit_virtual_host = /
# How frequently to retry connecting with RabbitMQ. (integer value)
#rabbit_retry_interval = 1
# How long to backoff for between retries when connecting to RabbitMQ. (integer
# value)
# Deprecated group/name - [DEFAULT]/rabbit_retry_backoff
#rabbit_retry_backoff = 2
# Maximum number of RabbitMQ connection retries. Default is 0 (infinite retry
# count). (integer value)
# Deprecated group/name - [DEFAULT]/rabbit_max_retries
#rabbit_max_retries = 0
# Use HA queues in RabbitMQ (x-ha-policy: all). If you change this option, you
# must wipe the RabbitMQ database. (boolean value)
# Deprecated group/name - [DEFAULT]/rabbit_ha_queues
#rabbit_ha_queues = false
# Number of seconds after which the Rabbit broker is considered down if
# heartbeat's keep-alive fails (0 disables the heartbeat). (integer value)
#heartbeat_timeout_threshold = 60
# How many times during the heartbeat_timeout_threshold we check the
# heartbeat. (integer value)
#heartbeat_rate = 2
# Deprecated, use rpc_backend=kombu+memory or rpc_backend=fake (boolean value)
# Deprecated group/name - [DEFAULT]/fake_rabbit
#fake_rabbit = false
[oslo_middleware]
#
# From oslo.middleware
#
# The maximum body size for each request, in bytes. (integer value)
# Deprecated group/name - [DEFAULT]/osapi_max_request_body_size
# Deprecated group/name - [DEFAULT]/max_request_body_size
#max_request_body_size = 114688
[oslo_policy]
#
# From oslo.policy
#
# The JSON file that defines policies. (string value)
# Deprecated group/name - [DEFAULT]/policy_file
#policy_file = policy.json
# Default rule. Enforced when a requested rule is not found. (string value)
# Deprecated group/name - [DEFAULT]/policy_default_rule
#policy_default_rule = default
# Directories where policy configuration files are stored. They can be relative
# to any directory in the search path defined by the config_dir option, or
# absolute paths. The file defined by policy_file must exist for these
# directories to be searched. Missing or empty directories are ignored. (multi
# valued)
# Deprecated group/name - [DEFAULT]/policy_dirs
#policy_dirs = policy.d
[paste_deploy]
#
# From keystone
#
# Name of the paste configuration file that defines the available pipelines.
# (string value)
#config_file = keystone-paste.ini
[policy]
#
# From keystone
#
# Policy backend driver. (string value)
#driver = keystone.policy.backends.sql.Policy
# Maximum number of entities that will be returned in a policy collection.
# (integer value)
#list_limit = <None>
[resource]
#
# From keystone
#
# Resource backend driver. If a resource driver is not specified, the
# assignment driver will choose the resource driver. (string value)
#driver = <None>
# Toggle for resource caching. This has no effect unless global caching is
# enabled. (boolean value)
# Deprecated group/name - [assignment]/caching
#caching = true
# TTL (in seconds) to cache resource data. This has no effect unless global
# caching is enabled. (integer value)
# Deprecated group/name - [assignment]/cache_time
#cache_time = <None>
# Maximum number of entities that will be returned in a resource collection.
# (integer value)
# Deprecated group/name - [assignment]/list_limit
#list_limit = <None>
[revoke]
#
# From keystone
#
# An implementation of the backend for persisting revocation events. (string
# value)
#driver = keystone.contrib.revoke.backends.sql.Revoke
# This value (calculated in seconds) is added to token expiration before a
# revocation event may be removed from the backend. (integer value)
#expiration_buffer = 1800
# Toggle for revocation event caching. This has no effect unless global caching
# is enabled. (boolean value)
#caching = true
# Time to cache the revocation list and the revocation events (in seconds).
# This has no effect unless global and token caching are enabled. (integer
# value)
# Deprecated group/name - [token]/revocation_cache_time
#cache_time = 3600
[role]
#
# From keystone
#
# Role backend driver. (string value)
#driver = <None>
# Toggle for role caching. This has no effect unless global caching is enabled.
# (boolean value)
#caching = true
# TTL (in seconds) to cache role data. This has no effect unless global caching
# is enabled. (integer value)
#cache_time = <None>
# Maximum number of entities that will be returned in a role collection.
# (integer value)
#list_limit = <None>
[saml]
#
# From keystone
#
# Default TTL, in seconds, for any generated SAML assertion created by
# Keystone. (integer value)
#assertion_expiration_time = 3600
# Binary to be called for XML signing. Install the appropriate package, specify
# absolute path or adjust your PATH environment variable if the binary cannot
# be found. (string value)
#xmlsec1_binary = xmlsec1
# Path of the certfile for SAML signing. For non-production environments, you
# may be interested in using `keystone-manage pki_setup` to generate self-
# signed certificates. Note, the path cannot contain a comma. (string value)
#certfile = /etc/keystone/ssl/certs/signing_cert.pem
# Path of the keyfile for SAML signing. Note, the path cannot contain a comma.
# (string value)
#keyfile = /etc/keystone/ssl/private/signing_key.pem
# Entity ID value for unique Identity Provider identification. Usually FQDN is
# set with a suffix. A value is required to generate IDP Metadata. For example:
# https://keystone.example.com/v3/OS-FEDERATION/saml2/idp (string value)
#idp_entity_id = <None>
# Identity Provider Single-Sign-On service value, required in the Identity
# Provider's metadata. A value is required to generate IDP Metadata. For
# example: https://keystone.example.com/v3/OS-FEDERATION/saml2/sso (string
# value)
#idp_sso_endpoint = <None>
# Language used by the organization. (string value)
#idp_lang = en
# Organization name the installation belongs to. (string value)
#idp_organization_name = <None>
# Organization name to be displayed. (string value)
#idp_organization_display_name = <None>
# URL of the organization. (string value)
#idp_organization_url = <None>
# Company of contact person. (string value)
#idp_contact_company = <None>
# Given name of contact person (string value)
#idp_contact_name = <None>
# Surname of contact person. (string value)
#idp_contact_surname = <None>
# Email address of contact person. (string value)
#idp_contact_email = <None>
# Telephone number of contact person. (string value)
#idp_contact_telephone = <None>
# Contact type. Allowed values are: technical, support, administrative,
# billing, and other (string value)
#idp_contact_type = other
# Path to the Identity Provider Metadata file. This file should be generated
# with the keystone-manage saml_idp_metadata command. (string value)
#idp_metadata_path = /etc/keystone/saml2_idp_metadata.xml
# The prefix to use for the RelayState SAML attribute, used when generating ECP
# wrapped assertions. (string value)
#relay_state_prefix = ss:mem:
[signing]
#
# From keystone
#
# Path of the certfile for token signing. For non-production environments, you
# may be interested in using `keystone-manage pki_setup` to generate self-
# signed certificates. (string value)
#certfile = /etc/keystone/ssl/certs/signing_cert.pem
# Path of the keyfile for token signing. (string value)
#keyfile = /etc/keystone/ssl/private/signing_key.pem
# Path of the CA for token signing. (string value)
#ca_certs = /etc/keystone/ssl/certs/ca.pem
# Path of the CA key for token signing. (string value)
#ca_key = /etc/keystone/ssl/private/cakey.pem
# Key size (in bits) for token signing cert (auto generated certificate).
# (integer value)
#key_size = 2048
# Days the token signing cert is valid for (auto generated certificate).
# (integer value)
#valid_days = 3650
# Certificate subject (auto generated certificate) for token signing. (string
# value)
#cert_subject = /C=US/ST=Unset/L=Unset/O=Unset/CN=www.example.com
[ssl]
#
# From keystone
#
# Path of the CA key file for SSL. (string value)
#ca_key = /etc/keystone/ssl/private/cakey.pem
# SSL key length (in bits) (auto generated certificate). (integer value)
#key_size = 1024
# Days the certificate is valid for once signed (auto generated certificate).
# (integer value)
#valid_days = 3650
# SSL certificate subject (auto generated certificate). (string value)
#cert_subject = /C=US/ST=Unset/L=Unset/O=Unset/CN=localhost
[token]
#
# From keystone
#
# External auth mechanisms that should add bind information to token, e.g.,
# kerberos,x509. (list value)
#bind =
# Enforcement policy on tokens presented to Keystone with bind information. One
# of disabled, permissive, strict, required or a specifically required bind
# mode, e.g., kerberos or x509 to require binding to that authentication.
# (string value)
#enforce_token_bind = permissive
# Amount of time a token should remain valid (in seconds). (integer value)
#expiration = 3600
# Controls the token construction, validation, and revocation operations. Core
# providers are "keystone.token.providers.[fernet|pkiz|pki|uuid].Provider".
# (string value)
#provider = keystone.token.providers.uuid.Provider
# Token persistence backend driver. (string value)
#driver = keystone.token.persistence.backends.sql.Token
# Toggle for token system caching. This has no effect unless global caching is
# enabled. (boolean value)
#caching = true
# Time to cache tokens (in seconds). This has no effect unless global and token
# caching are enabled. (integer value)
#cache_time = <None>
# Revoke token by token identifier. Setting revoke_by_id to true enables
# various forms of enumerating tokens, e.g. `list tokens for user`. These
# enumerations are processed to determine the list of tokens to revoke. Only
# disable if you are switching to using the Revoke extension with a backend
# other than KVS, which stores events in memory. (boolean value)
#revoke_by_id = true
# Allow rescoping of scoped token. Setting allow_rescope_scoped_token to false
# prevents a user from exchanging a scoped token for any other token. (boolean
# value)
#allow_rescope_scoped_token = true
# The hash algorithm to use for PKI tokens. This can be set to any algorithm
# that hashlib supports. WARNING: Before changing this value, the auth_token
# middleware must be configured with the hash_algorithms, otherwise token
# revocation will not be processed correctly. (string value)
#hash_algorithm = md5
[trust]
#
# From keystone
#
# Delegation and impersonation features can be optionally disabled. (boolean
# value)
#enabled = true
# Enable redelegation feature. (boolean value)
#allow_redelegation = false
# Maximum depth of trust redelegation. (integer value)
#max_redelegation_count = 3
# Trust backend driver. (string value)
#driver = keystone.trust.backends.sql.Trust
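One way to review a deployed keystone.conf against the defaults shown in the sample above, as an added example that is not part of this reference or of keystone itself. A commented-out option leaves the listed default in effect, and a value set under the deprecated [DEFAULT] name is honoured as well, so the check resolves both before judging; the review criteria (2048-bit minimum key size, MD5 and SHA-1 treated as weak) and the sample file are assumptions of this example.

```python
import configparser

# (section, option) -> (default listed in the sample above,
#                       deprecated [DEFAULT] option name or None)
OPTIONS = {
    ("ssl", "key_size"): ("1024", None),
    ("signing", "key_size"): ("2048", None),
    ("token", "hash_algorithm"): ("md5", None),
    ("oslo_messaging_rabbit", "rabbit_use_ssl"): ("false", "rabbit_use_ssl"),
    ("oslo_messaging_rabbit", "rabbit_password"): ("guest", "rabbit_password"),
}

# Review criteria: assumptions of this example, not statements from the page.
CHECKS = {
    ("ssl", "key_size"):
        (lambda v: int(v) < 2048, "auto-generated SSL key shorter than 2048 bits"),
    ("signing", "key_size"):
        (lambda v: int(v) < 2048, "token signing key shorter than 2048 bits"),
    ("token", "hash_algorithm"):
        (lambda v: v.lower() in ("md5", "sha1"), "weak hash for PKI tokens"),
    ("oslo_messaging_rabbit", "rabbit_use_ssl"):
        (lambda v: v.lower() in ("false", "0", "no", "off"), "AMQP link not encrypted"),
    ("oslo_messaging_rabbit", "rabbit_password"):
        (lambda v: v == "guest", "broker password left at the listed default"),
}


def load(text):
    # strict=False: keystone.conf may repeat multi-valued options.
    # default_section is renamed so [DEFAULT] is parsed as an ordinary section
    # instead of being merged into every other section.
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   default_section="__unused__")
    cp.read_string(text)
    return cp


def effective(cp, section, option):
    """Return (value, source) the way the service would resolve the option."""
    default, deprecated = OPTIONS[(section, option)]
    if cp.has_option(section, option):
        return cp.get(section, option).strip(), "set"
    if deprecated and cp.has_option("DEFAULT", deprecated):
        return cp.get("DEFAULT", deprecated).strip(), "deprecated [DEFAULT]"
    return default, "default"


def audit(text):
    """Return a list of (section, option, source, message) findings."""
    cp = load(text)
    findings = []
    for (section, option), (is_weak, message) in CHECKS.items():
        value, source = effective(cp, section, option)
        if is_weak(value):
            findings.append((section, option, source, message))
    return findings


# Constructed sample: the operator hardened two options but left the broker
# password under its deprecated [DEFAULT] name and never touched [ssl].
SAMPLE_CONF = """\
[DEFAULT]
rabbit_password = guest

[oslo_messaging_rabbit]
rabbit_use_ssl = true

[token]
hash_algorithm = sha256
"""

if __name__ == "__main__":
    for section, option, source, message in audit(SAMPLE_CONF):
        print("[%s] %s (%s): %s" % (section, option, source, message))
```
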
7.2.2. keystone-paste.ini
Use the keystone-paste.ini file to configure the Web Service Gateway Interface (WSGI)
middleware pipeline for the Identity service.
# Keystone PasteDeploy configuration file.
[filter:debug]
paste.filter_factory = keystone.common.wsgi:Debug.factory
[filter:request_id]
paste.filter_factory = oslo_middleware:RequestId.factory
[filter:build_auth_context]
paste.filter_factory = keystone.middleware:AuthContextMiddleware.factory
[filter:token_auth]
paste.filter_factory = keystone.middleware:TokenAuthMiddleware.factory
[filter:admin_token_auth]
paste.filter_factory = keystone.middleware:AdminTokenAuthMiddleware.factory
[filter:json_body]
paste.filter_factory = keystone.middleware:JsonBodyMiddleware.factory
[filter:user_crud_extension]
paste.filter_factory = keystone.contrib.user_crud:CrudExtension.factory
[filter:crud_extension]
paste.filter_factory = keystone.contrib.admin_crud:CrudExtension.factory
[filter:ec2_extension]
paste.filter_factory = keystone.contrib.ec2:Ec2Extension.factory
[filter:ec2_extension_v3]
paste.filter_factory = keystone.contrib.ec2:Ec2ExtensionV3.factory
[filter:federation_extension]
paste.filter_factory = keystone.contrib.federation.routers:FederationExtension.factory
[filter:oauth1_extension]
paste.filter_factory = keystone.contrib.oauth1.routers:OAuth1Extension.factory
[filter:s3_extension]
paste.filter_factory = keystone.contrib.s3:S3Extension.factory
[filter:endpoint_filter_extension]
paste.filter_factory = keystone.contrib.endpoint_filter.routers:EndpointFilterExtension.factory
[filter:endpoint_policy_extension]
paste.filter_factory = keystone.contrib.endpoint_policy.routers:EndpointPolicyExtension.factory
[filter:simple_cert_extension]
paste.filter_factory = keystone.contrib.simple_cert:SimpleCertExtension.factory
[filter:revoke_extension]
paste.filter_factory = keystone.contrib.revoke.routers:RevokeExtension.factory
[filter:url_normalize]
paste.filter_factory = keystone.middleware:NormalizingFilter.factory
[filter:sizelimit]
paste.filter_factory = oslo_middleware.sizelimit:RequestBodySizeLimiter.factory
[app:public_service]
paste.app_factory = keystone.service:public_app_factory
[app:service_v3]
paste.app_factory = keystone.service:v3_app_factory
[app:admin_service]
paste.app_factory = keystone.service:admin_app_factory
[pipeline:public_api]
# The last item in this pipeline must be public_service or an equivalent
# application. It cannot be a filter.
pipeline = sizelimit url_normalize request_id build_auth_context token_auth admin_token_auth json_body ec2_extension user_crud_extension public_service
[pipeline:admin_api]
# The last item in this pipeline must be admin_service or an equivalent
# application. It cannot be a filter.
pipeline = sizelimit url_normalize request_id build_auth_context token_auth admin_token_auth json_body ec2_extension s3_extension crud_extension admin_service
[pipeline:api_v3]
# The last item in this pipeline must be service_v3 or an equivalent
# application. It cannot be a filter.
pipeline = sizelimit url_normalize request_id build_auth_context token_auth admin_token_auth json_body ec2_extension_v3 s3_extension simple_cert_extension revoke_extension federation_extension oauth1_extension endpoint_filter_extension endpoint_policy_extension service_v3
[app:public_version_service]
paste.app_factory = keystone.service:public_version_app_factory
[app:admin_version_service]
paste.app_factory = keystone.service:admin_version_app_factory
[pipeline:public_version_api]
pipeline = sizelimit url_normalize public_version_service
[pipeline:admin_version_api]
pipeline = sizelimit url_normalize admin_version_service
[composite:main]
use = egg:Paste#urlmap
/v2.0 = public_api
/v3 = api_v3
/ = public_version_api
[composite:admin]
use = egg:Paste#urlmap
/v2.0 = admin_api
/v3 = api_v3
/ = admin_version_api
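A check for the rule stated in the pipeline comments above (the last item must be an application, never a filter), written as an added example that is not part of this reference or of PasteDeploy. It also resolves every other pipeline item to a `[filter:...]` section and every URL-map target to a pipeline or application, and lists the pipelines that include a given filter such as `admin_token_auth` so they can be reviewed; the sample file, the `broken_api` pipeline and the finding labels are constructed for the example.

```python
import configparser

# Constructed sample: a shortened pipeline from the listing above, plus a
# deliberately broken pipeline and a URL-map entry that points nowhere.
SAMPLE_PASTE = """\
[filter:sizelimit]
paste.filter_factory = oslo_middleware.sizelimit:RequestBodySizeLimiter.factory
[filter:url_normalize]
paste.filter_factory = keystone.middleware:NormalizingFilter.factory
[filter:admin_token_auth]
paste.filter_factory = keystone.middleware:AdminTokenAuthMiddleware.factory
[filter:json_body]
paste.filter_factory = keystone.middleware:JsonBodyMiddleware.factory
[app:public_service]
paste.app_factory = keystone.service:public_app_factory
[pipeline:public_api]
pipeline = sizelimit url_normalize admin_token_auth json_body
    public_service
[pipeline:broken_api]
pipeline = sizelimit request_id json_body
[composite:main]
use = egg:Paste#urlmap
/v2.0 = public_api
/v3 = api_v3
"""


def load_paste(text):
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",),
                                   default_section="__unused__")
    cp.optionxform = str  # keep URL-map keys such as /v2.0 unchanged
    cp.read_string(text)
    return cp


def names(cp, prefix):
    """Names of all sections of one kind, e.g. prefix 'filter:'."""
    return {s[len(prefix):] for s in cp.sections() if s.startswith(prefix)}


def pipeline_items(cp, name):
    return cp.get("pipeline:" + name, "pipeline", fallback="").split()


def check_pipelines(text):
    """Return a list of (container, item, finding) tuples."""
    cp = load_paste(text)
    filters, apps = names(cp, "filter:"), names(cp, "app:")
    pipelines = names(cp, "pipeline:")
    problems = []
    for name in sorted(pipelines):
        items = pipeline_items(cp, name)
        if not items:
            problems.append((name, "", "empty"))
            continue
        *head, last = items
        if last in filters:
            problems.append((name, last, "last-is-filter"))
        elif last not in apps:
            problems.append((name, last, "undefined-app"))
        for item in head:
            if item not in filters:
                problems.append((name, item, "undefined-filter"))
    for composite in sorted(names(cp, "composite:")):
        for path, target in cp.items("composite:" + composite):
            if path.startswith("/") and target not in pipelines | apps:
                problems.append((composite, target, "undefined-target"))
    return problems


def pipelines_using(text, filter_name):
    """Pipelines whose filter chain contains filter_name."""
    cp = load_paste(text)
    return sorted(name for name in names(cp, "pipeline:")
                  if filter_name in pipeline_items(cp, name))


if __name__ == "__main__":
    for problem in check_pipelines(SAMPLE_PASTE):
        print(problem)
    print("admin_token_auth in:", pipelines_using(SAMPLE_PASTE, "admin_token_auth"))
```
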
7.2.3. logging.conf
You can specify a special logging configuration file in the keystone.conf configuration file. For
example, /etc/keystone/logging.conf.
For details, see the Python logging module documentation.
[loggers]
keys=root,access
[handlers]
keys=production,file,access_file,devel
[formatters]
keys=minimal,normal,debug
###########
# Loggers #
###########
[logger_root]
level=WARNING
handlers=file
[logger_access]
level=INFO
qualname=access
handlers=access_file
################
# Log Handlers #
################
[handler_production]
class=handlers.SysLogHandler
level=ERROR
formatter=normal
args=(('localhost', handlers.SYSLOG_UDP_PORT), handlers.SysLogHandler.LOG_USER)
[handler_file]
class=handlers.WatchedFileHandler
level=WARNING
formatter=normal
args=('error.log',)
[handler_access_file]
class=handlers.WatchedFileHandler
level=INFO
formatter=minimal
args=('access.log',)
[handler_devel]
class=StreamHandler
level=NOTSET
formatter=debug
args=(sys.stdout,)
##################
# Log Formatters #
##################
[formatter_minimal]
format=%(message)s
[formatter_normal]
format=(%(name)s): %(asctime)s %(levelname)s %(message)s
[formatter_debug]
format=(%(name)s): %(asctime)s %(levelname)s %(module)s %(funcName)s %(message)s
7.2.4. policy.json
Use the policy.json file to define additional access controls that apply to the Identity service.
{
"admin_required": "role:admin or is_admin:1",
"service_role": "role:service",
"service_or_admin": "rule:admin_required or rule:service_role",
"owner" : "user_id:%(user_id)s",
"admin_or_owner": "rule:admin_required or rule:owner",
"token_subject": "user_id:%(target.token.user_id)s",
"admin_or_token_subject": "rule:admin_required or rule:token_subject",
"default": "rule:admin_required",
"identity:get_region": "",
"identity:list_regions": "",
"identity:create_region": "rule:admin_required",
"identity:update_region": "rule:admin_required",
"identity:delete_region": "rule:admin_required",
"identity:get_service": "rule:admin_required",
"identity:list_services": "rule:admin_required",
"identity:create_service": "rule:admin_required",
"identity:update_service": "rule:admin_required",
"identity:delete_service": "rule:admin_required",
"identity:get_endpoint": "rule:admin_required",
"identity:list_endpoints": "rule:admin_required",
"identity:create_endpoint": "rule:admin_required",
"identity:update_endpoint": "rule:admin_required",
"identity:delete_endpoint": "rule:admin_required",
"identity:get_domain": "rule:admin_required",
"identity:list_domains": "rule:admin_required",
"identity:create_domain": "rule:admin_required",
"identity:update_domain": "rule:admin_required",
"identity:delete_domain": "rule:admin_required",
"identity:get_project": "rule:admin_required",
"identity:list_projects": "rule:admin_required",
"identity:list_user_projects": "rule:admin_or_owner",
"identity:create_project": "rule:admin_required",
"identity:update_project": "rule:admin_required",
"identity:delete_project": "rule:admin_required",
"identity:get_user": "rule:admin_required",
"identity:list_users": "rule:admin_required",
"identity:create_user": "rule:admin_required",
"identity:update_user": "rule:admin_required",
"identity:delete_user": "rule:admin_required",
"identity:change_password": "rule:admin_or_owner",
"identity:get_group": "rule:admin_required",
"identity:list_groups": "rule:admin_required",
"identity:list_groups_for_user": "rule:admin_or_owner",
"identity:create_group": "rule:admin_required",
"identity:update_group": "rule:admin_required",
"identity:delete_group": "rule:admin_required",
"identity:list_users_in_group": "rule:admin_required",
"identity:remove_user_from_group": "rule:admin_required",
"identity:check_user_in_group": "rule:admin_required",
"identity:add_user_to_group": "rule:admin_required",
"identity:get_credential": "rule:admin_required",
"identity:list_credentials": "rule:admin_required",
"identity:create_credential": "rule:admin_required",
"identity:update_credential": "rule:admin_required",
"identity:delete_credential": "rule:admin_required",
"identity:ec2_get_credential": "rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)",
"identity:ec2_list_credentials": "rule:admin_or_owner",
"identity:ec2_create_credential": "rule:admin_or_owner",
"identity:ec2_delete_credential": "rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)",
"identity:get_role": "rule:admin_required",
"identity:list_roles": "rule:admin_required",
"identity:create_role": "rule:admin_required",
"identity:update_role": "rule:admin_required",
"identity:delete_role": "rule:admin_required",
"identity:check_grant": "rule:admin_required",
"identity:list_grants": "rule:admin_required",
"identity:create_grant": "rule:admin_required",
"identity:revoke_grant": "rule:admin_required",
"identity:list_role_assignments": "rule:admin_required",
"identity:get_policy": "rule:admin_required",
"identity:list_policies": "rule:admin_required",
"identity:create_policy": "rule:admin_required",
"identity:update_policy": "rule:admin_required",
"identity:delete_policy": "rule:admin_required",
"identity:check_token": "rule:admin_required",
"identity:validate_token": "rule:service_or_admin",
"identity:validate_token_head": "rule:service_or_admin",
"identity:revocation_list": "rule:service_or_admin",
"identity:revoke_token": "rule:admin_or_token_subject",
"identity:create_trust": "user_id:%(trust.trustor_user_id)s",
"identity:get_trust": "rule:admin_or_owner",
"identity:list_trusts": "",
"identity:list_roles_for_trust": "",
"identity:get_role_for_trust": "",
"identity:delete_trust": "",
"identity:create_consumer": "rule:admin_required",
"identity:get_consumer": "rule:admin_required",
"identity:list_consumers": "rule:admin_required",
"identity:delete_consumer": "rule:admin_required",
"identity:update_consumer": "rule:admin_required",
"identity:authorize_request_token": "rule:admin_required",
"identity:list_access_token_roles": "rule:admin_required",
"identity:get_access_token_role": "rule:admin_required",
"identity:list_access_tokens": "rule:admin_required",
"identity:get_access_token": "rule:admin_required",
"identity:delete_access_token": "rule:admin_required",
"identity:list_projects_for_endpoint": "rule:admin_required",
"identity:add_endpoint_to_project": "rule:admin_required",
"identity:check_endpoint_in_project": "rule:admin_required",
"identity:list_endpoints_for_project": "rule:admin_required",
"identity:remove_endpoint_from_project": "rule:admin_required",
"identity:create_endpoint_group": "rule:admin_required",
"identity:list_endpoint_groups": "rule:admin_required",
"identity:get_endpoint_group": "rule:admin_required",
"identity:update_endpoint_group": "rule:admin_required",
"identity:delete_endpoint_group": "rule:admin_required",
"identity:list_projects_associated_with_endpoint_group":
"rule:admin_required",
"identity:list_endpoints_associated_with_endpoint_group":
"rule:admin_required",
"identity:get_endpoint_group_in_project": "rule:admin_required",
"identity:add_endpoint_group_to_project": "rule:admin_required",
"identity:remove_endpoint_group_from_project": "rule:admin_required",
"identity:create_identity_provider": "rule:admin_required",
"identity:list_identity_providers": "rule:admin_required",
"identity:get_identity_providers": "rule:admin_required",
"identity:update_identity_provider": "rule:admin_required",
"identity:delete_identity_provider": "rule:admin_required",
"identity:create_protocol": "rule:admin_required",
"identity:update_protocol": "rule:admin_required",
"identity:get_protocol": "rule:admin_required",
"identity:list_protocols": "rule:admin_required",
"identity:delete_protocol": "rule:admin_required",
"identity:create_mapping": "rule:admin_required",
"identity:get_mapping": "rule:admin_required",
"identity:list_mappings": "rule:admin_required",
"identity:delete_mapping": "rule:admin_required",
"identity:update_mapping": "rule:admin_required",
"identity:create_service_provider": "rule:admin_required",
"identity:list_service_providers": "rule:admin_required",
"identity:get_service_provider": "rule:admin_required",
"identity:update_service_provider": "rule:admin_required",
"identity:delete_service_provider": "rule:admin_required",
"identity:get_auth_catalog": "",
"identity:get_auth_projects": "",
"identity:get_auth_domains": "",
"identity:list_projects_for_groups": "",
"identity:list_domains_for_groups": "",
"identity:list_revoke_events": "",
"identity:create_policy_association_for_endpoint":
"rule:admin_required",
"identity:check_policy_association_for_endpoint":
"rule:admin_required",
"identity:delete_policy_association_for_endpoint":
"rule:admin_required",
"identity:create_policy_association_for_service":
"rule:admin_required",
"identity:check_policy_association_for_service":
"rule:admin_required",
"identity:delete_policy_association_for_service":
"rule:admin_required",
"identity:create_policy_association_for_region_and_service":
"rule:admin_required",
"identity:check_policy_association_for_region_and_service":
"rule:admin_required",
"identity:delete_policy_association_for_region_and_service":
"rule:admin_required",
"identity:get_policy_for_endpoint": "rule:admin_required",
"identity:list_endpoints_for_policy": "rule:admin_required",
"identity:create_domain_config": "rule:admin_required",
"identity:get_domain_config": "rule:admin_required",
"identity:update_domain_config": "rule:admin_required",
"identity:delete_domain_config": "rule:admin_required"
}
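To see what the policy file above grants to a caller who is not an administrator, the following added example (not part of this reference and not the oslo.policy library) evaluates the rule strings for a given credential and target. It is a simplified evaluator that covers only the constructs used in this file (`rule:`, `role:`, `key:value` checks with `%(...)s` substitution, `and`, `or`, `not`, parentheses, and the empty rule); the credentials, target values and the shortened policy are constructed.

```python
import json

# Constructed subset of the policy.json listing above.
SAMPLE_POLICY = json.loads("""{
  "admin_required": "role:admin or is_admin:1",
  "owner": "user_id:%(user_id)s",
  "admin_or_owner": "rule:admin_required or rule:owner",
  "default": "rule:admin_required",
  "identity:list_users": "rule:admin_required",
  "identity:change_password": "rule:admin_or_owner",
  "identity:ec2_get_credential": "rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)",
  "identity:list_trusts": "",
  "identity:delete_trust": "",
  "identity:get_auth_catalog": ""
}""")


def tokenize(rule):
    """Peel parentheses off the ends of each word only, so the parentheses
    inside a '%(user_id)s' substitution stay part of the check."""
    tokens = []
    for word in rule.split():
        body = word.lstrip("(")
        tokens += ["("] * (len(word) - len(body))
        core = body.rstrip(")")
        if core:
            tokens.append(core)
        tokens += [")"] * (len(body) - len(core))
    return tokens


class Policy:
    def __init__(self, rules):
        self.rules = rules

    def allows(self, action, creds, target):
        # An action without its own rule falls back to the "default" rule.
        rule = self.rules.get(action, self.rules.get("default"))
        return rule is not None and self.evaluate(rule, creds, target)

    def evaluate(self, rule, creds, target, depth=0):
        if depth > 20:          # cyclic rule references fail closed
            return False
        tokens = tokenize(rule)
        if not tokens:          # the empty rule always passes
            return True

        def atom():
            if not tokens:
                return False
            tok = tokens.pop(0)
            if tok == "(":
                value = either()
                if tokens:
                    tokens.pop(0)   # closing parenthesis
                return value
            if tok == "not":
                return not atom()
            return self.check(tok, creds, target, depth)

        def both():
            value = atom()
            while tokens and tokens[0] == "and":
                tokens.pop(0)
                rhs = atom()
                value = value and rhs
            return value

        def either():
            value = both()
            while tokens and tokens[0] == "or":
                tokens.pop(0)
                rhs = both()
                value = value or rhs
            return value

        return either()

    def check(self, token, creds, target, depth):
        kind, _, match = token.partition(":")
        if kind == "rule":      # unknown rule names fail closed
            return (match in self.rules and
                    self.evaluate(self.rules[match], creds, target, depth + 1))
        if kind == "role":
            return match.lower() in (r.lower() for r in creds.get("roles", []))
        try:
            wanted = match % target
        except (KeyError, ValueError, TypeError):
            return False
        return kind in creds and str(creds[kind]) == wanted


def allowed_actions(policy, creds, target):
    return sorted(a for a in policy.rules
                  if a.startswith("identity:") and policy.allows(a, creds, target))


if __name__ == "__main__":
    member = {"user_id": "u1", "roles": ["member"]}
    target = {"user_id": "u1", "target.credential.user_id": "u2"}
    print(allowed_actions(Policy(SAMPLE_POLICY), member, target))
```

An empty rule string always passes at the policy layer, so any further restriction on those actions has to come from the service code itself.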
7.2.5. Domain-specific configuration
The Identity service enables you to configure domain-specific authentication drivers. For example, you
can configure a domain to have its own LDAP or SQL server.
By default, the option to configure domain-specific drivers is disabled.
To enable domain-specific drivers, set these options in the [identity] section in the
keystone.conf file:
[identity]
domain_specific_drivers_enabled = True
domain_config_dir = /etc/keystone/domains
When you enable domain-specific drivers, the Identity service looks in the domain_config_dir
directory for configuration files that are named as follows: keystone.DOMAIN_NAME.conf, where
DOMAIN_NAME is the domain name.
Any options that you define in the domain-specific configuration file override options in the primary
configuration file for the specified domain. Any domain without a domain-specific configuration file
uses only the options in the primary configuration file.
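The override behaviour described above, as an added example that is not part of this reference or of keystone: it resolves the options in effect for one domain and reports files in the domain directory whose names do not fit `keystone.DOMAIN_NAME.conf`, since such a file is not picked up for any domain and that domain keeps the primary settings. The domain names, the `driver` values and the `[ldap] url` value are constructed for the example.

```python
import configparser
import os
import re
import tempfile

DOMAIN_FILE = re.compile(r"^keystone\.(.+)\.conf$")
DEFAULT_DOMAIN_DIR = "/etc/keystone/domains"


def read_conf(path):
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   default_section="__unused__")
    cp.read(path)
    return {section: dict(cp.items(section)) for section in cp.sections()}


def scan_domain_dir(domain_dir):
    """Return ({domain name: path}, [file names that do not fit the pattern])."""
    domains, ignored = {}, []
    for name in sorted(os.listdir(domain_dir)):
        match = DOMAIN_FILE.match(name)
        if match:
            domains[match.group(1)] = os.path.join(domain_dir, name)
        else:
            ignored.append(name)
    return domains, ignored


def effective_config(primary_path, domain):
    """Primary options, overridden by the domain's own file when one exists."""
    merged = read_conf(primary_path)
    identity = merged.get("identity", {})
    enabled = identity.get("domain_specific_drivers_enabled", "false")
    if enabled.strip().lower() != "true":
        return merged
    domain_dir = identity.get("domain_config_dir", DEFAULT_DOMAIN_DIR)
    domains, _ = scan_domain_dir(domain_dir)
    if domain in domains:
        for section, options in read_conf(domains[domain]).items():
            merged.setdefault(section, {}).update(options)
    return merged


def build_sample(root):
    """Write a constructed primary file and two domain files under root."""
    domain_dir = os.path.join(root, "domains")
    os.makedirs(domain_dir)
    files = {
        os.path.join(root, "keystone.conf"):
            "[identity]\ndomain_specific_drivers_enabled = True\n"
            "domain_config_dir = %s\ndriver = sql\n" % domain_dir,
        os.path.join(domain_dir, "keystone.corp.conf"):
            "[identity]\ndriver = ldap\n[ldap]\nurl = ldap://ldap.example.com\n",
        # Misnamed on purpose: hyphen instead of the dot after "keystone".
        os.path.join(domain_dir, "keystone-partners.conf"):
            "[identity]\ndriver = ldap\n",
    }
    for path, body in files.items():
        with open(path, "w") as handle:
            handle.write(body)
    return os.path.join(root, "keystone.conf"), domain_dir


def demo():
    with tempfile.TemporaryDirectory() as root:
        primary, domain_dir = build_sample(root)
        corp = effective_config(primary, "corp")
        partners = effective_config(primary, "partners")
        domains, ignored = scan_domain_dir(domain_dir)
        return {
            "corp_driver": corp["identity"]["driver"],
            "corp_ldap_url": corp["ldap"]["url"],
            "corp_flag": corp["identity"]["domain_specific_drivers_enabled"],
            "partners_driver": partners["identity"]["driver"],
            "domains": sorted(domains),
            "ignored": ignored,
        }


if __name__ == "__main__":
    print(demo())
```
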
7.3. NEW, UPDATED AND DEPRECATED OPTIONS IN KILO FOR OPENSTACK IDENTITY
Table 7.37. New options
Option = default value
(Type) Help string
[DEFAULT] executor_thread_pool_size = 64
(IntOpt) Size of executor thread pool.
[DEFAULT] host = 127.0.0.1
(StrOpt) Host to locate redis.
[DEFAULT] password =
(StrOpt) Password for Redis server (optional).
[DEFAULT] port = 6379
(IntOpt) Use this port to connect to redis host.
[DEFAULT] rpc_conn_pool_size = 30
(IntOpt) Size of RPC connection pool.
[DEFAULT] rpc_poll_timeout = 1
(IntOpt) The default number of seconds that poll
should wait. Poll raises timeout exception when
timeout expired.
[DEFAULT] rpc_zmq_all_req_rep = True
(BoolOpt) Use REQ/REP pattern for all methods
CALL/CAST/FANOUT.
[DEFAULT] rpc_zmq_concurrency = eventlet
(StrOpt) Type of concurrency used. Either "native"
or "eventlet"
[DEFAULT] watch_log_file = False
(BoolOpt) (Optional) Uses logging handler designed
to watch file system. When log file is moved or
removed this handler will open a new log file with
specified path instantaneously. It makes sense only
if log-file option is specified and Linux platform is
used. This option is ignored if log_config_append is
set.
[DEFAULT] zmq_use_broker = True
(BoolOpt) Shows whether zmq-messaging uses
broker or not.
[cors] allow_credentials = True
(BoolOpt) Indicate that the actual request can
include user credentials
[cors] allow_headers = Content-Type, Cache-Control, Content-Language, Expires, Last-Modified, Pragma
(ListOpt) Indicate which header field names may be
used during the actual request.
[cors] allow_methods = GET, POST, PUT, DELETE,
OPTIONS
(ListOpt) Indicate which methods can be used during
the actual request.
[cors] allowed_origin = None
(StrOpt) Indicate whether this resource may be
shared with the domain received in the requests
"origin" header.
[cors] expose_headers = Content-Type, Cache-Control, Content-Language, Expires, Last-Modified, Pragma
(ListOpt) Indicate which headers are safe to expose
to the API. Defaults to HTTP Simple Headers.
[cors] max_age = 3600
(IntOpt) Maximum cache age of CORS preflight
requests.
[cors.subdomain] allow_credentials = True
(BoolOpt) Indicate that the actual request can
include user credentials
[cors.subdomain] allow_headers = Content-Type, Cache-Control, Content-Language, Expires, Last-Modified, Pragma
(ListOpt) Indicate which header field names may be
used during the actual request.
[cors.subdomain] allow_methods = GET, POST, PUT,
DELETE, OPTIONS
(ListOpt) Indicate which methods can be used during
the actual request.
[cors.subdomain] allowed_origin = None
(StrOpt) Indicate whether this resource may be
shared with the domain received in the requests
"origin" header.
[cors.subdomain] expose_headers = Content-Type, Cache-Control, Content-Language, Expires, Last-Modified, Pragma
(ListOpt) Indicate which headers are safe to expose
to the API. Defaults to HTTP Simple Headers.
[cors.subdomain] max_age = 3600
(IntOpt) Maximum cache age of CORS preflight
requests.
[endpoint_policy] enabled = True
(BoolOpt) Enable endpoint_policy functionality.
[keystone_authtoken] region_name = None
(StrOpt) The region in which the identity server can
be found.
[oslo_messaging_amqp] password =
(StrOpt) Password for message broker
authentication
[oslo_messaging_amqp] sasl_config_dir =
(StrOpt) Path to directory that contains the SASL
configuration
[oslo_messaging_amqp] sasl_config_name =
(StrOpt) Name of configuration file (without .conf
suffix)
[oslo_messaging_amqp] sasl_mechanisms =
(StrOpt) Space separated list of acceptable SASL
mechanisms
[oslo_messaging_amqp] username =
(StrOpt) User name for message broker
authentication
[oslo_messaging_qpid] send_single_reply = False
(BoolOpt) Send a single AMQP reply to call message.
The current behavior since oslo-incubator is to send
two AMQP replies - first one with the payload, a
second one to ensure the other has finished to send
the payload. We are going to remove it in the N
release, but we must keep backward compatible at
the same time. This option provides such
compatibility - it defaults to False in Liberty and can
be turned on for early adopters with new
installations or for testing. This option will be removed
in the Mitaka release.
[oslo_messaging_rabbit] kombu_reconnect_timeout
= 60
(IntOpt) How long to wait before considering a
reconnect attempt to have failed. This value should
not be longer than rpc_response_timeout.
[oslo_messaging_rabbit] send_single_reply = False
(BoolOpt) Send a single AMQP reply to call message.
The current behavior since oslo-incubator is to send
two AMQP replies - first one with the payload, a
second one to ensure the other has finished to send
the payload. We are going to remove it in the N
release, but we must keep backward compatible at
the same time. This option provides such
compatibility - it defaults to False in Liberty and can
be turned on for early adopters with new
installations or for testing. This option will be removed
in the Mitaka release.
[oslo_middleware] secure_proxy_ssl_header = X-Forwarded-Proto
(StrOpt) The HTTP Header that will be used to
determine what the original request protocol
scheme was, even if it was hidden by an SSL
termination proxy.
[tokenless_auth] issuer_attribute = SSL_CLIENT_I_DN
(StrOpt) The issuer attribute that is served as an IdP
ID for the X.509 tokenless authorization along with
the protocol to look up its corresponding mapping. It
is the environment variable in the WSGI environment
that references to the issuer of the client certificate.
[tokenless_auth] protocol = x509
(StrOpt) The protocol name for the X.509 tokenless
authorization along with the option issuer_attribute
below can look up its corresponding mapping.
[tokenless_auth] trusted_issuer = []
(MultiStrOpt) The list of trusted issuers to further
filter the certificates that are allowed to participate
in the X.509 tokenless authorization. If the option is
absent then no certificates will be allowed. The
naming format for the attributes of a Distinguished
Name(DN) must be separated by a comma and
contain no spaces. This configuration option may be
repeated for multiple values. For example:
trusted_issuer=CN=john,OU=keystone,O=openstack
trusted_issuer=CN=mary,OU=eng,O=abc
Table 7.38. New default values
Option
Previous default value
New default value
[DEFAULT] crypt_strength
40000
10000
[DEFAULT] default_log_levels
amqp=WARN, amqplib=WARN, boto=WARN, qpid=WARN, sqlalchemy=WARN, suds=INFO, oslo.messaging=INFO, iso8601=WARN, requests.packages.urllib3.connectionpool=WARN, urllib3.connectionpool=WARN, websocket=WARN, requests.packages.urllib3.util.retry=WARN, urllib3.util.retry=WARN, keystonemiddleware=WARN, routes.middleware=WARN, stevedore=WARN
amqp=WARN, amqplib=WARN, boto=WARN, qpid=WARN, sqlalchemy=WARN, suds=INFO, oslo.messaging=INFO, iso8601=WARN, requests.packages.urllib3.connectionpool=WARN, urllib3.connectionpool=WARN, websocket=WARN, requests.packages.urllib3.util.retry=WARN, urllib3.util.retry=WARN, keystonemiddleware=WARN, routes.middleware=WARN, stevedore=WARN, taskflow=WARN
[DEFAULT] logging_exception_prefix
%(asctime)s.%(msecs)03d %(process)d TRACE %(name)s %(instance)s
%(asctime)s.%(msecs)03d %(process)d ERROR %(name)s %(instance)s
[DEFAULT] rpc_zmq_matchmaker
local
redis
[DEFAULT] use_syslog_rfc_format
False
True
[DEFAULT] verbose
False
True
[auth] external
keystone.auth.plugins.external.DefaultDomain
None
[auth] oauth1
keystone.auth.plugins.oauth1.OAuth
None
[auth] password
keystone.auth.plugins.password.Password
None
[auth] token
keystone.auth.plugins.token.Token
None
[catalog] driver
keystone.catalog.backends.sql.Catalog
sql
[credential] driver
keystone.credential.backends.sql.Credential
sql
[domain_config] driver
keystone.resource.config_backends.sql.DomainConfig
sql
[endpoint_filter] driver
keystone.contrib.endpoint_filter.backends.sql.EndpointFilter
sql
[endpoint_policy] driver
keystone.contrib.endpoint_policy.backends.sql.EndpointPolicy
sql
[federation] driver
keystone.contrib.federation.backends.sql.Federation
sql
[identity] driver
keystone.identity.backends.sql.Identity
sql
[identity_mapping] driver
keystone.identity.mapping_backends.sql.Mapping
sql
[identity_mapping] generator
keystone.identity.id_generators.sha256.Generator
sha256
[ldap] user_attribute_ignore
default_project_id, tenants
default_project_id
[matchmaker_redis] password
None
[oauth1] driver
keystone.contrib.oauth1.backends.sql.OAuth1
sql
[oslo_messaging_rabbit] heartbeat_timeout_threshold
0
60
[policy] driver
keystone.policy.backends.sql.Policy
sql
[revoke] driver
keystone.contrib.revoke.backends.sql.Revoke
sql
[token] driver
keystone.token.persistence.backends.sql.Token
sql
[token] provider
keystone.token.providers.uuid.Provider
uuid
[trust] driver
keystone.trust.backends.sql.Trust
sql
Table 7.39. Deprecated options
Deprecated option
New Option
[DEFAULT] use_syslog
None
[DEFAULT] log_format
None
[DEFAULT] rpc_thread_pool_size
[DEFAULT] executor_thread_pool_size
CHAPTER 8. IMAGE SERVICE
Compute relies on an external image service to store virtual machine images and maintain a catalog of
available images. By default, Compute is configured to use the OpenStack Image service (glance),
which is currently the only supported image service.
If your installation requires euca2ools to register new images, you must run the nova-objectstore
service. This service provides an Amazon S3 front-end for Image service, which is required by
euca2ools.
To customize the Compute service, use the configuration option settings documented in Table 3.27,
“Description of glance configuration options” and Table 3.47, “Description of S3 configuration options”.
You can modify many options in the OpenStack Image service. The following tables provide a
comprehensive list.
Table 8.1. Description of authorization token configuration options
Configuration option = Default value
Description
[keystone_authtoken]
admin_password = None
(String) Service user password.
admin_tenant_name = admin
(String) Service tenant name.
admin_token = None
(String) This option is deprecated and may be
removed in a future release. Single shared secret
with the Keystone configuration used for
bootstrapping a Keystone installation, or otherwise
bypassing the normal authentication process. This
option should not be used, use `admin_user` and
`admin_password` instead.
admin_user = None
(String) Service username.
auth_admin_prefix =
(String) Prefix to prepend at the beginning of the
path. Deprecated, use identity_uri.
auth_host = 127.0.0.1
(String) Host providing the admin Identity API
endpoint. Deprecated, use identity_uri.
auth_port = 35357
(Integer) Port of the admin Identity API endpoint.
Deprecated, use identity_uri.
auth_protocol = https
(String) Protocol of the admin Identity API endpoint.
Deprecated, use identity_uri.
auth_section = None
(Unknown) Config Section from which to load plugin
specific options
auth_type = None
(Unknown) Authentication type to load
auth_uri = None
(String) Complete public Identity API endpoint.
auth_version = None
(String) API version of the admin Identity API
endpoint.
cache = None
(String) Env key for the swift cache.
cafile = None
(String) A PEM encoded Certificate Authority to use
when verifying HTTPS connections. Defaults to
system CAs.
certfile = None
(String) Required if identity server requires client
certificate
check_revocations_for_cached = False
(Boolean) If true, the revocation list will be checked
for cached tokens. This requires that PKI tokens are
configured on the identity server.
delay_auth_decision = False
(Boolean) Do not handle authorization requests
within the middleware, but delegate the
authorization decision to downstream WSGI
components.
enforce_token_bind = permissive
(String) Used to control the use and type of token
binding. Can be set to: "disabled" to not check token
binding. "permissive" (default) to validate binding
information if the bind type is of a form known to the
server and ignore it if not. "strict" like "permissive"
but if the bind type is unknown the token will be
rejected. "required" any form of token binding is
needed to be allowed. Finally the name of a binding
method that must be present in tokens.
hash_algorithms = md5
(List) Hash algorithms to use for hashing PKI tokens.
This may be a single algorithm or multiple. The
algorithms are those supported by Python standard
hashlib.new(). The hashes will be tried in the order
given, so put the preferred one first for performance.
The result of the first hash will be stored in the
cache. This will typically be set to multiple values
only while migrating from a less secure algorithm to
a more secure one. Once all the old tokens are
expired this option should be set to a single value for
better performance.
http_connect_timeout = None
(Integer) Request timeout value for communicating
with Identity API server.
http_request_max_retries = 3
(Integer) How many times are we trying to reconnect
when communicating with Identity API Server.
identity_uri = None
(String) Complete admin Identity API endpoint. This
should specify the unversioned root endpoint e.g.
https://localhost:35357/
include_service_catalog = True
(Boolean) (Optional) Indicate whether to set the X-Service-Catalog header. If False, middleware will not
ask for service catalog on token validation and will
not set the X-Service-Catalog header.
insecure = False
(Boolean) Verify HTTPS connections.
keyfile = None
(String) Required if identity server requires client
certificate
memcache_pool_conn_get_timeout = 10
(Integer) (Optional) Number of seconds that an
operation will wait to get a memcached client
connection from the pool.
memcache_pool_dead_retry = 300
(Integer) (Optional) Number of seconds memcached
server is considered dead before it is tried again.
memcache_pool_maxsize = 10
(Integer) (Optional) Maximum total number of open
connections to every memcached server.
memcache_pool_socket_timeout = 3
(Integer) (Optional) Socket timeout in seconds for
communicating with a memcached server.
memcache_pool_unused_timeout = 60
(Integer) (Optional) Number of seconds a
connection to memcached is held unused in the pool
before it is closed.
memcache_secret_key = None
(String) (Optional, mandatory if
memcache_security_strategy is defined) This string
is used for key derivation.
memcache_security_strategy = None
(String) (Optional) If defined, indicate whether token
data should be authenticated or authenticated and
encrypted. If MAC, token data is authenticated (with
HMAC) in the cache. If ENCRYPT, token data is
encrypted and authenticated in the cache. If the
value is not one of these options or empty,
auth_token will raise an exception on initialization.
memcache_use_advanced_pool = False
(Boolean) (Optional) Use the advanced (eventlet
safe) memcached client pool. The advanced pool will
only work under python 2.x.
region_name = None
(String) The region in which the identity server can
be found.
revocation_cache_time = 10
(Integer) Determines the frequency at which the list
of revoked tokens is retrieved from the Identity
service (in seconds). A high number of revocation
events combined with a low cache duration may
significantly reduce performance.
signing_dir = None
(String) Directory used to cache files related to PKI
tokens.
token_cache_time = 300
(Integer) In order to prevent excessive effort spent
validating tokens, the middleware caches
previously-seen tokens for a configurable duration
(in seconds). Set to -1 to disable caching completely.
Table 8.2. Description of common configuration options
Configuration option = Default value
Description
[DEFAULT]
allow_additional_image_properties =
True
(Boolean) Whether to allow users to specify image
properties beyond what the image schema provides
api_limit_max = 1000
(Integer) Maximum permissible number of items that
could be returned by a request
backlog = 4096
(Integer) The backlog value that will be used when
creating the TCP listener socket.
bind_host = 0.0.0.0
(String) Address to bind the server. Useful when
selecting a particular network interface.
bind_port = None
(Port number) The port on which the server will
listen.
data_api = glance.db.sqlalchemy.api
(String) Python module path of data access API
digest_algorithm = sha256
(String) Digest algorithm which will be used for
digital signature. Use the command "openssl list-message-digest-algorithms" to get the available
algorithms supported by the version of OpenSSL on
the platform. Examples are "sha1", "sha256",
"sha512", etc.
executor_thread_pool_size = 64
(Integer) Size of executor thread pool.
image_location_quota = 10
(Integer) Maximum number of locations allowed on
an image. Negative values evaluate to unlimited.
image_member_quota = 128
(Integer) Maximum number of image members per
image. Negative values evaluate to unlimited.
image_property_quota = 128
(Integer) Maximum number of properties allowed on
an image. Negative values evaluate to unlimited.
image_tag_quota = 128
(Integer) Maximum number of tags allowed on an
image. Negative values evaluate to unlimited.
limit_param_default = 25
(Integer) Default value for the number of items
returned by a request if not specified explicitly in the
request
memcached_servers = None
(List) Memcached servers or None for in process
cache.
metadata_encryption_key = None
(String) AES key for encrypting store 'location'
metadata. This includes, if used, Swift or S3
credentials. Should be set to a random string of
length 16, 24 or 32 bytes
metadata_source_path = /etc/glance/metadefs/
(String) Path to the directory where json metadata
files are stored
property_protection_file = None
(String) The location of the property protection
file. This file contains the rules for property
protections and the roles/policies associated with it.
If this config value is not specified, by default,
property protections won't be enforced. If a value is
specified and the file is not found, then the glance-api service will not start.
property_protection_rule_format = roles
(String) This config value indicates whether "roles"
or "policies" are used in the property protection file.
show_image_direct_url = False
(Boolean) Whether to include the backend image
storage location in image properties. Revealing
storage location can be a security risk, so use this
setting with caution!
user_storage_quota = 0
(String) Set a system wide quota for every user. This
value is the total capacity that a user can use across
all storage systems. A value of 0 means
unlimited. Optional unit can be specified for the
value. Accepted units are B, KB, MB, GB and TB
representing Bytes, KiloBytes, MegaBytes,
GigaBytes and TeraBytes respectively. If no unit is
specified then Bytes is assumed. Note that there
should not be any space between value and unit and
units are case sensitive.
workers = None
(Integer) The number of child process workers that
will be created to service requests. The default will
be equal to the number of CPUs available.
[glance_store]
rootwrap_config = /etc/glance/rootwrap.conf
(String) Path to the rootwrap configuration file to
use for running commands as root.
[image_format]
container_formats = ami, ari, aki, bare, ovf, ova, docker
(List) Supported values for the 'container_format'
image attribute
disk_formats = ami, ari, aki, vhd, vmdk, raw, qcow2, vdi, iso
(List) Supported values for the 'disk_format' image
attribute
[keystone_authtoken]
memcached_servers = None
(List) Optionally specify a list of memcached
server(s) to use for caching. If left undefined, tokens
will instead be cached in-process.
[task]
task_executor = taskflow
(String) Specifies which task executor to be used to
run the task scripts.
task_time_to_live = 48
(Integer) Time in hours for which a task lives after,
either succeeding or failing
work_dir = None
(String) Work dir for asynchronous task operations.
The directory set here will be used to operate over
images - normally before they are imported in the
destination store. When providing work dir, make
sure enough space is provided for concurrent tasks
to run efficiently without running out of space. A
rough estimation can be done by multiplying the
number of `max_workers` - or the N of workers
running - by an average image size (e.g 500MB). The
image size estimation should be done based on the
average size in your deployment. Note that
depending on the tasks running you may need to
multiply this number by some factor depending on
what the task does. For example, you may want to
double the available size if image conversion is
enabled. All this being said, remember these are just
estimations and you should do them based on the
worst case scenario and be prepared to act in case
they were wrong.
Table 8.3. Description of CORS configuration options
Configuration option = Default value
Description
[cors]
allow_credentials = True
(Boolean) Indicate that the actual request can
include user credentials
allow_headers = Content-Type, Cache-Control, Content-Language, Expires, Last-Modified, Pragma
(List) Indicate which header field names may be
used during the actual request.
allow_methods = GET, POST, PUT, DELETE,
OPTIONS
(List) Indicate which methods can be used during the
actual request.
allowed_origin = None
(List) Indicate whether this resource may be shared
with the domain received in the requests "origin"
header.
expose_headers = Content-Type, Cache-Control, Content-Language, Expires, Last-Modified, Pragma
(List) Indicate which headers are safe to expose to
the API. Defaults to HTTP Simple Headers.
max_age = 3600
(Integer) Maximum cache age of CORS preflight
requests.
[cors.subdomain]
allow_credentials = True
(Boolean) Indicate that the actual request can
include user credentials
allow_headers = Content-Type, Cache-Control, Content-Language, Expires, Last-Modified, Pragma
(List) Indicate which header field names may be
used during the actual request.
allow_methods = GET, POST, PUT, DELETE,
OPTIONS
(List) Indicate which methods can be used during the
actual request.
allowed_origin = None
(List) Indicate whether this resource may be shared
with the domain received in the requests "origin"
header.
expose_headers = Content-Type, Cache-Control, Content-Language, Expires, Last-Modified, Pragma
(List) Indicate which headers are safe to expose to
the API. Defaults to HTTP Simple Headers.
max_age = 3600
(Integer) Maximum cache age of CORS preflight
requests.
Table 8.4. Description of database configuration options
Configuration option = Default value
Description
[database]
backend = sqlalchemy
(String) The back end to use for the database.
connection = None
(String) The SQLAlchemy connection string to use
to connect to the database.
connection_debug = 0
(Integer) Verbosity of SQL debugging information:
0=None, 100=Everything.
connection_trace = False
(Boolean) Add Python stack traces to SQL as
comment strings.
db_inc_retry_interval = True
(Boolean) If True, increases the interval between
retries of a database operation up to
db_max_retry_interval.
db_max_retries = 20
(Integer) Maximum retries in case of connection
error or deadlock error before error is raised. Set to
-1 to specify an infinite retry count.
db_max_retry_interval = 10
(Integer) If db_inc_retry_interval is set, the
maximum seconds between retries of a database
operation.
db_retry_interval = 1
(Integer) Seconds between retries of a database
transaction.
idle_timeout = 3600
(Integer) Timeout before idle SQL connections are
reaped.
max_overflow = 50
(Integer) If set, use this value for max_overflow with
SQLAlchemy.
max_pool_size = None
(Integer) Maximum number of SQL connections to
keep open in a pool.
max_retries = 10
(Integer) Maximum number of database connection
retries during startup. Set to -1 to specify an infinite
retry count.
min_pool_size = 1
(Integer) Minimum number of SQL connections to
keep open in a pool.
mysql_sql_mode = TRADITIONAL
(String) The SQL mode to be used for MySQL
sessions. This option, including the default, overrides
any server-set SQL mode. To use whatever SQL
mode is set by the server configuration, set this to
no value. Example: mysql_sql_mode=
pool_timeout = None
(Integer) If set, use this value for pool_timeout with
SQLAlchemy.
retry_interval = 10
(Integer) Interval between retries of opening a SQL
connection.
slave_connection = None
(String) The SQLAlchemy connection string to use
to connect to the slave database.
sqlite_db = oslo.sqlite
(String) The file name to use with SQLite.
sqlite_synchronous = True
(Boolean) If True, SQLite uses synchronous mode.
use_db_reconnect = False
(Boolean) Enable the experimental use of database
reconnect on connection lost.
Table 8.5. Description of logging configuration options
Configuration option = Default value
Description
[DEFAULT]
backdoor_port = None
(StrOpt) Enable eventlet backdoor. Acceptable
values are 0, <port>, and <start>:<end>, where 0
results in listening on a random tcp port number;
<port> results in listening on the specified port
number (and not enabling backdoor if that port is in
use); and <start>:<end> results in listening on the
smallest unused port number within the specified
range of port numbers. The chosen port is displayed
in the service's log file.
Table 8.6. Description of flagmappings configuration options
Configuration option = Default value
Description
[DEFAULT]
delayed_delete = False
(Boolean) Turn on/off delayed delete.
image_cache_dir = None
(String) Base directory that the image cache uses.
image_cache_driver = sqlite
(String) The driver to use for image cache
management.
image_cache_max_size = 10737418240
(Integer) The upper limit (the maximum size of
accumulated cache in bytes) beyond which the
cache pruner, if running, starts cleaning the image
cache.
image_cache_sqlite_db = cache.db
(String) The path to the sqlite file database that will
be used for image cache management.
image_cache_stall_time = 86400
(Integer) The amount of time to let an incomplete
image remain in the cache, before the cache cleaner,
if running, will remove the incomplete image.
scrub_pool_size = 1
(Integer) The size of thread pool to be used for
scrubbing images. The default is one, which signifies
serial scrubbing. Any value above one indicates the
max number of images that may be scrubbed in
parallel.
scrub_time = 0
(Integer) The amount of time in seconds to delay
before performing a delete.
Table 8.7. Description of logging configuration options
Configuration option = Default value
Description
[DEFAULT]
debug = False
(Boolean) If set to true, the logging level will be set
to DEBUG instead of the default INFO level.
default_log_levels = amqp=WARN, amqplib=WARN, boto=WARN, qpid=WARN, sqlalchemy=WARN, suds=INFO, oslo.messaging=INFO, iso8601=WARN, requests.packages.urllib3.connectionpool=WARN, urllib3.connectionpool=WARN, websocket=WARN, requests.packages.urllib3.util.retry=WARN, urllib3.util.retry=WARN, keystonemiddleware=WARN, routes.middleware=WARN, stevedore=WARN, taskflow=WARN, keystoneauth=WARN, oslo.cache=INFO, dogpile.core.dogpile=INFO
(List) List of package logging levels in logger=LEVEL
pairs. This option is ignored if log_config_append is
set.
fatal_deprecations = False
(Boolean) Enables or disables fatal status of
deprecations.
instance_format = "[instance: %(uuid)s] "
(String) The format for an instance that is passed
with the log message.
instance_uuid_format = "[instance: %(uuid)s] "
(String) The format for an instance UUID that is
passed with the log message.
log_config_append = None
(String) The name of a logging configuration file.
This file is appended to any existing logging
configuration files. For details about logging
configuration files, see the Python logging module
documentation. Note that when logging
configuration files are used then all logging
configuration is set in the configuration file and
other logging configuration options are ignored (for
example, logging_context_format_string).
log_date_format = %Y-%m-%d %H:%M:%S
(String) Defines the format string for %%(asctime)s
in log records. Default: %(default)s . This option is
ignored if log_config_append is set.
log_dir = None
(String) (Optional) The base directory used for
relative log_file paths. This option is ignored if
log_config_append is set.
log_file = None
(String) (Optional) Name of log file to send logging
output to. If no default is set, logging will go to
stderr as defined by use_stderr. This option is
ignored if log_config_append is set.
logging_context_format_string = %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [%(request_id)s %(user_identity)s] %(instance)s%(message)s
(String) Format string to use for log messages with
context.
logging_debug_format_suffix = %(funcName)s %(pathname)s:%(lineno)d
(String) Additional data to append to log message
when logging level for the message is DEBUG.
logging_default_format_string = %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [-] %(instance)s%(message)s
(String) Format string to use for log messages when
context is undefined.
logging_exception_prefix = %(asctime)s.%(msecs)03d %(process)d ERROR %(name)s %(instance)s
(String) Prefix each line of exception output with
this format.
logging_user_identity_format = %(user)s %(tenant)s %(domain)s %(user_domain)s %(project_domain)s
(String) Defines the format string for %(user_identity)s that is used in
logging_context_format_string.
publish_errors = False
(Boolean) Enables or disables publication of error
events.
syslog_log_facility = LOG_USER
(String) Syslog facility to receive log lines. This
option is ignored if log_config_append is set.
use_stderr = True
(Boolean) Log output to standard error. This option
is ignored if log_config_append is set.
use_syslog = False
(Boolean) Use syslog for logging. Existing syslog
format is DEPRECATED and will be changed later to
honor RFC5424. This option is ignored if
log_config_append is set.
verbose = True
(Boolean) DEPRECATED: If set to false, the logging
level will be set to WARNING instead of the default
INFO level.
watch_log_file = False
(Boolean) Uses logging handler designed to watch
file system. When log file is moved or removed this
handler will open a new log file with specified path
instantaneously. It makes sense only if log_file
option is specified and Linux platform is used. This
option is ignored if log_config_append is set.
Table 8.8. Description of policy configuration options
Configuration option = Default value
Description
[oslo_policy]
policy_default_rule = default
(String) Default rule. Enforced when a requested rule
is not found.
policy_dirs = ['policy.d']
(Multi-valued) Directories where policy
configuration files are stored. They can be relative
to any directory in the search path defined by the
config_dir option, or absolute paths. The file defined
by policy_file must exist for these directories to be
searched. Missing or empty directories are ignored.
policy_file = policy.json
(String) The JSON file that defines policies.
Table 8.9. Description of profiler configuration options
Configuration option = Default value
Description
[profiler]
enabled = False
(Boolean) If False fully disable profiling feature.
hmac_keys = SECRET_KEY
(String) Secret key to use to sign Glance API and
Glance Registry services tracing messages.
trace_sqlalchemy = False
(Boolean) If False doesn't trace SQL requests.
Table 8.10. Description of Redis configuration options
Configuration option = Default value
Description
[matchmaker_redis]
check_timeout = 20000
(Integer) Time in ms to wait before the transaction is
killed.
host = 127.0.0.1
(String) Host to locate redis.
password =
(String) Password for Redis server (optional).
port = 6379
(Port number) Use this port to connect to redis host.
sentinel_group_name = oslo-messaging-zeromq
(String) Redis replica set name.
sentinel_hosts =
(List) List of Redis Sentinel hosts (fault tolerance
mode) e.g. [host:port, host1:port ... ]
socket_timeout = 1000
(Integer) Timeout in ms on blocking socket
operations
wait_timeout = 500
(Integer) Time in ms to wait between connection
attempts.
Table 8.11. Description of registry configuration options
Configuration option = Default value
Description
[DEFAULT]
admin_password = None
(String) DEPRECATED: The administrator's
password. If "use_user_token" is not in effect, then
admin credentials can be specified. This option was
considered harmful and has been deprecated in M
release. It will be removed in O release. For more
information read OSSN-0060. Related functionality
with uploading big images has been implemented
with Keystone trusts support.
admin_tenant_name = None
(String) DEPRECATED: The tenant name of the
administrative user. If "use_user_token" is not in
effect, then admin tenant name can be specified.
This option was considered harmful and has been
deprecated in M release. It will be removed in O
release. For more information read OSSN-0060.
Related functionality with uploading big images has
been implemented with Keystone trusts support.
admin_user = None
(String) DEPRECATED: The administrator's user
name. If "use_user_token" is not in effect, then
admin credentials can be specified. This option was
considered harmful and has been deprecated in M
release. It will be removed in O release. For more
information read OSSN-0060. Related functionality
with uploading big images has been implemented
with Keystone trusts support.
auth_region = None
(String) DEPRECATED: The region for the
authentication service. If "use_user_token" is not in
effect and using keystone auth, then region name
can be specified. This option was considered harmful
and has been deprecated in M release. It will be
removed in O release. For more information read
OSSN-0060. Related functionality with uploading
big images has been implemented with Keystone
trusts support.
auth_strategy = noauth
(String) DEPRECATED: The strategy to use for
authentication. If "use_user_token" is not in effect,
then auth strategy can be specified. This option was
considered harmful and has been deprecated in M
release. It will be removed in O release. For more
information read OSSN-0060. Related functionality
with uploading big images has been implemented
with Keystone trusts support.
auth_url = None
(String) DEPRECATED: The URL to the keystone
service. If "use_user_token" is not in effect and using
keystone auth, then URL of keystone can be
specified. This option was considered harmful and
has been deprecated in M release. It will be removed
in O release. For more information read OSSN-0060. Related functionality with uploading big
images has been implemented with Keystone trusts
support.
registry_client_ca_file = None
(String) The path to the certifying authority cert file
to use in SSL connections to the registry server, if
any. Alternately, you may set the
GLANCE_CLIENT_CA_FILE environment variable to
a filepath of the CA cert file.
registry_client_cert_file = None
(String) The path to the cert file to use in SSL
connections to the registry server, if any.
Alternately, you may set the
GLANCE_CLIENT_CERT_FILE environment variable
to a filepath of the CA cert file
registry_client_insecure = False
(Boolean) When using SSL in connections to the
registry server, do not require validation via a
certifying authority. This is the registry's equivalent
of specifying --insecure on the command line using
glanceclient for the API.
registry_client_key_file = None
(String) The path to the key file to use in SSL
connections to the registry server, if any.
Alternately, you may set the
GLANCE_CLIENT_KEY_FILE environment variable
to a filepath of the key file.
registry_client_protocol = http
(String) The protocol to use for communication with
the registry server. Either http or https.
registry_client_timeout = 600
(Integer) The period of time, in seconds, that the API
server will wait for a registry request to complete. A
value of 0 implies no timeout.
registry_host = 0.0.0.0
(String) Address to find the registry server.
registry_port = 9191
(Port number) Port the registry server is listening
on.
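The following audit is an added example, not part of the Red Hat documentation or of Glance itself. It parses a glance-api.conf-style file and reports the settings from the table above that weaken the API-to-registry connection: a deprecated auth_* option that is set, registry_client_protocol left at http, and registry_client_insecure enabled. The function name, the sample files and the assumption that these options are set in [DEFAULT] are illustrative.

```python
import configparser

# Options the table marks DEPRECATED and "considered harmful" (OSSN-0060).
DEPRECATED_AUTH = ("auth_region", "auth_strategy", "auth_url")
TRUE_VALUES = {"1", "true", "yes", "on"}

# Constructed sample files (addresses and paths are placeholders).
WEAK_CONF = """
[DEFAULT]
registry_host = 192.0.2.10
registry_port = 9191
registry_client_protocol = http
registry_client_insecure = True
auth_url = http://192.0.2.5:5000/v2.0
"""

HARDENED_CONF = """
[DEFAULT]
registry_host = 192.0.2.10
registry_port = 9191
registry_client_protocol = https
registry_client_insecure = False
registry_client_ca_file = /etc/glance/ssl/ca.pem
"""


def audit_registry_client(conf_text):
    """Return sorted (option, finding) pairs for risky registry client settings."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(conf_text)
    opts = parser.defaults()  # assumption: the options are set in [DEFAULT]
    findings = []

    for name in DEPRECATED_AUTH:
        value = opts.get(name, "").strip().lower()
        # Unset options and the documented defaults (None, noauth) are not findings.
        if value and value not in ("none", "noauth"):
            findings.append((name, "deprecated option is set, see OSSN-0060"))

    # Missing options fall back to the defaults listed in the table.
    protocol = opts.get("registry_client_protocol", "http").strip().lower()
    insecure = opts.get("registry_client_insecure", "false").strip().lower()

    if protocol != "https":
        findings.append(("registry_client_protocol", "registry traffic is not sent over https"))
    if insecure in TRUE_VALUES:
        findings.append(("registry_client_insecure", "CA validation of the registry certificate is disabled"))
    return sorted(findings)
```

Because registry_client_protocol defaults to http, a file that omits the option is reported as well.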
Table 8.12. Description of replicator configuration options
Configuration option = Default value
Description
[DEFAULT]
args = None
(List) Arguments for the command.
chunksize = 65536
(Integer) Amount of data to transfer per HTTP write.
command = None
(String) Command to be given to replicator.
dontreplicate = created_at date deleted_at location updated_at
(String) List of fields to not replicate.
mastertoken =
(String) Pass in your authentication token if you
have one. This is the token used for the master.
metaonly = False
(Boolean) Only replicate metadata, not images.
slavetoken =
(String) Pass in your authentication token if you
have one. This is the token used for the slave.
token =
(String) Pass in your authentication token if you
have one. If you use this option the same token is
used for both the master and the slave.
Table 8.13. Description of scrubber configuration options
Configuration option = Default value
Description
[DEFAULT]
wakeup_time = 300
(Integer) Loop time between checking for new items
to schedule for delete.
Table 8.14. Description of TaskFlow configuration options
Configuration option = Default value
Description
[taskflow_executor]
conversion_format = None
(String) The format to which images will be
automatically converted. When using the RBD
backend, this should be set to 'raw'.
engine_mode = parallel
(String) The mode in which the engine will run. Can
be 'serial' or 'parallel'.
max_workers = 10
(Integer) The number of parallel activities executed
at the same time by the engine. The value can be
greater than one when the engine mode is 'parallel'.
Table 8.15. Description of testing configuration options
Configuration option = Default value
Description
[DEFAULT]
pydev_worker_debug_host = None
(String) The hostname/IP of the pydev process
listening for debug connections.
pydev_worker_debug_port = 5678
(Port number) The port on which a pydev process is
listening for connections.
8.1. CONFIGURE THE API
The Image service has two APIs: the user-facing API, and the registry API for internal requests that
require access to the database.
Both APIs currently have two major versions: v1 and v2.