neutron.conf¶
DEFAULT¶
- state_path¶
- Type:
string
- Default:
/var/lib/neutron
Where to store Neutron state files. This directory must be writable by the agent.
- bind_host¶
- Type:
host address
- Default:
0.0.0.0
The host IP to bind to.
- bind_port¶
- Type:
port number
- Default:
9696
- Minimum Value:
0
- Maximum Value:
65535
The port to bind to
- api_extensions_path¶
- Type:
string
- Default:
''
The path for API extensions. Note that this can be a colon-separated list of paths. For example: api_extensions_path = extensions:/path/to/more/exts:/even/more/exts. The __path__ of neutron.extensions is appended to this, so if your extensions are in there you do not need to specify them here.
- auth_strategy¶
- Type:
string
- Default:
keystone
The type of authentication to use
- core_plugin¶
- Type:
string
- Default:
<None>
The core plugin Neutron will use
- service_plugins¶
- Type:
list
- Default:
[]
The service plugins Neutron will use
- base_mac¶
- Type:
string
- Default:
fa:16:3e:00:00:00
The base MAC address Neutron will use for VIFs. The first 3 octets will remain unchanged. If the 4th octet is not 00, it will also be used. The others will be randomly generated.
- allow_bulk¶
- Type:
boolean
- Default:
True
Allow the usage of the bulk API
- pagination_max_limit¶
- Type:
string
- Default:
-1
The maximum number of items returned in a single response, value of ‘infinite’ or negative integer means no limit
- default_availability_zones¶
- Type:
list
- Default:
[]
Default value of availability zone hints. The availability zone aware schedulers use this when the resources availability_zone_hints is empty. Multiple availability zones can be specified by a comma separated string. This value can be empty. In this case, even if availability_zone_hints for a resource is empty, availability zone is considered for high availability while scheduling the resource.
- max_dns_nameservers¶
- Type:
integer
- Default:
5
Maximum number of DNS nameservers per subnet
- max_subnet_host_routes¶
- Type:
integer
- Default:
20
Maximum number of host routes per subnet
- ipv6_pd_enabled¶
- Type:
boolean
- Default:
False
Warning: This feature is experimental with low test coverage, and the Dibbler client which is used for this feature is no longer maintained! Enables IPv6 Prefix Delegation for automatic subnet CIDR allocation. Set to True to enable IPv6 Prefix Delegation for subnet allocation in a PD-capable environment. Users making subnet creation requests for IPv6 subnets without providing a CIDR or subnetpool ID will be given a CIDR via the Prefix Delegation mechanism. Note that enabling PD will override the behavior of the default IPv6 subnetpool.
Warning
This option is deprecated for removal since 2023.2. Its value may be silently ignored in the future.
- Reason:
The Dibbler client used for this feature is no longer maintained. See LP#1916428
- dhcp_lease_duration¶
- Type:
integer
- Default:
86400
DHCP lease duration (in seconds). Use -1 to tell dnsmasq to use infinite lease times.
- dns_domain¶
- Type:
string
- Default:
openstacklocal
Domain to use for building the hostnames
- external_dns_driver¶
- Type:
string
- Default:
<None>
Driver for external DNS integration.
- dhcp_agent_notification¶
- Type:
boolean
- Default:
True
Allow sending resource operation notification to DHCP agent
- host¶
- Type:
host address
- Default:
example.domain
This option has a sample default set, which means that its actual default value may vary from the one documented above.
Hostname to be used by the Neutron server, agents and services running on this machine. All the agents and services running on this machine must use the same host value.
- network_link_prefix¶
- Type:
string
- Default:
<None>
This string is prepended to the normal URL that is returned in links to the OpenStack Network API. If it is empty (the default), the URLs are returned unchanged.
- notify_nova_on_port_status_changes¶
- Type:
boolean
- Default:
True
Send notification to Nova when port status changes
- notify_nova_on_port_data_changes¶
- Type:
boolean
- Default:
True
Send notification to Nova when port data (fixed_ips/floatingip) changes so Nova can update its cache.
- send_events_interval¶
- Type:
integer
- Default:
2
Number of seconds between sending events to Nova if there are any events to send.
- setproctitle¶
- Type:
string
- Default:
on
Set process name to match child worker role. Available options are: ‘off’ - retains the previous behavior; ‘on’ - renames processes to ‘neutron-server: role (original string)’; ‘brief’ - renames the same as ‘on’, but without the original string, such as ‘neutron-server: role’.
- ipam_driver¶
- Type:
string
- Default:
internal
Neutron IPAM (IP address management) driver to use. By default, the reference implementation of the Neutron IPAM driver is used.
- vlan_transparent¶
- Type:
boolean
- Default:
False
If True, then allow plugins that support it to create VLAN transparent networks.
- filter_validation¶
- Type:
boolean
- Default:
True
If True, then allow plugins to decide whether to perform validations on filter parameters. Filter validation is enabled if this config is turned on and it is supported by all plugins
- global_physnet_mtu¶
- Type:
integer
- Default:
1500
MTU of the underlying physical network. Neutron uses this value to calculate MTU for all virtual network components. For flat and VLAN networks, neutron uses this value without modification. For overlay networks such as VXLAN, neutron automatically subtracts the overlay protocol overhead from this value. Defaults to 1500, the standard value for Ethernet.
- http_retries¶
- Type:
integer
- Default:
3
- Minimum Value:
0
Number of times client connections (Nova, Ironic) should be retried on a failed HTTP call. 0 (zero) means connection is attempted only once (not retried). Setting to any positive integer means that on failure the connection is retried that many times. For example, setting to 3 means total attempts to connect will be 4.
- enable_traditional_dhcp¶
- Type:
boolean
- Default:
True
If False, neutron-server will disable the following DHCP-agent related functions: 1. DHCP provisioning block 2. DHCP scheduler API extension 3. Network scheduling mechanism 4. DHCP RPC/notification
- my_ip¶
- Type:
string
- Default:
213.32.73.150
IPv4 address of this host. If no address is provided and one cannot be determined, 127.0.0.1 will be used.
- my_ipv6¶
- Type:
string
- Default:
2001:41d0:302:1000::42c
IPv6 address of this host. If no address is provided and one cannot be determined, ::1 will be used.
- enable_signals¶
- Type:
boolean
- Default:
True
If False, neutron-server will not listen for signals like SIGINT or SIGTERM. This is useful when running behind a WSGI server like apache/mod_wsgi.
- backlog¶
- Type:
integer
- Default:
4096
Number of backlog requests to configure the socket with
- retry_until_window¶
- Type:
integer
- Default:
30
Number of seconds to keep retrying to listen
- use_ssl¶
- Type:
boolean
- Default:
False
Enable SSL on the API server
- periodic_interval¶
- Type:
integer
- Default:
40
Seconds between running periodic tasks.
- api_workers¶
- Type:
integer
- Default:
<None>
- Minimum Value:
1
Number of separate API worker processes for service. If not specified, the default is equal to the number of CPUs available for best performance, capped by potential RAM usage.
- rpc_workers¶
- Type:
integer
- Default:
<None>
- Minimum Value:
0
Number of RPC worker processes for service. If not specified, the default is equal to half the number of API workers. If set to 0, no RPC worker is launched.
- rpc_state_report_workers¶
- Type:
integer
- Default:
1
- Minimum Value:
0
Number of RPC worker processes dedicated to the state reports queue. If set to 0, no dedicated RPC worker for state reports queue is launched.
- periodic_fuzzy_delay¶
- Type:
integer
- Default:
5
Range of seconds to randomly delay when starting the periodic task scheduler to reduce stampeding. (Disable by setting to 0)
- rpc_response_max_timeout¶
- Type:
integer
- Default:
600
Maximum seconds to wait for a response from an RPC call.
- interface_driver¶
- Type:
string
- Default:
<None>
The driver used to manage virtual interfaces.
- metadata_proxy_socket¶
- Type:
string
- Default:
$state_path/metadata_proxy
Location for Metadata Proxy UNIX domain socket.
- metadata_proxy_user¶
- Type:
string
- Default:
''
User (uid or name) running metadata proxy after its initialization (if empty: agent effective user).
- metadata_proxy_group¶
- Type:
string
- Default:
''
Group (gid or name) running metadata proxy after its initialization (if empty: agent effective group).
- agent_down_time¶
- Type:
integer
- Default:
75
- Maximum Value:
2147483.0
Seconds to regard the agent as down; should be at least twice report_interval, to be sure the agent is down for good.
- dhcp_load_type¶
- Type:
string
- Default:
networks
- Valid Values:
networks, subnets, ports
Representing the resource type whose load is being reported by the agent. This can be “networks”, “subnets” or “ports”. When specified (Default is networks), the server will extract particular load sent as part of its agent configuration object from the agent report state, which is the number of resources being consumed, at every report_interval. dhcp_load_type can be used in combination with network_scheduler_driver = neutron.scheduler.dhcp_agent_scheduler.WeightScheduler When the network_scheduler_driver is WeightScheduler, dhcp_load_type can be configured to represent the choice for the resource being balanced. Example: dhcp_load_type=networks
- enable_new_agents¶
- Type:
boolean
- Default:
True
Agents start with admin_state_up=False when enable_new_agents=False. In this case, a user’s resources will not be scheduled automatically to an agent until an admin sets admin_state_up to True.
- rpc_resources_processing_step¶
- Type:
integer
- Default:
20
- Minimum Value:
1
Number of resources for neutron to divide a large RPC call into data sets. It can be reduced if RPC timeouts occur. The best value should be determined empirically in your environment.
- max_routes¶
- Type:
integer
- Default:
30
Maximum number of routes per router
- enable_snat_by_default¶
- Type:
boolean
- Default:
True
Define the default value of enable_snat if not provided in external_gateway_info.
- network_scheduler_driver¶
- Type:
string
- Default:
neutron.scheduler.dhcp_agent_scheduler.WeightScheduler
Driver to use for scheduling networks to a DHCP agent
- network_auto_schedule¶
- Type:
boolean
- Default:
True
Allow auto scheduling networks to a DHCP agent.
- allow_automatic_dhcp_failover¶
- Type:
boolean
- Default:
True
Automatically remove networks from offline DHCP agents.
- dhcp_agents_per_network¶
- Type:
integer
- Default:
1
- Minimum Value:
1
Number of DHCP agents scheduled to host a tenant network. If this number is greater than 1, the scheduler automatically assigns multiple DHCP agents for a given tenant network, providing high availability for the DHCP service. However this does not provide high availability for the IPv6 metadata service in isolated networks.
- enable_services_on_agents_with_admin_state_down¶
- Type:
boolean
- Default:
False
Enable services on an agent with admin_state_up False. If this option is False, when admin_state_up of an agent is turned False, services on it will be disabled. Agents with admin_state_up False are not selected for automatic scheduling regardless of this option. But manual scheduling to such agents is available if this option is True.
- dvr_base_mac¶
- Type:
string
- Default:
fa:16:3f:00:00:00
The base MAC address used for unique DVR instances by Neutron. The first 3 octets will remain unchanged. If the 4th octet is not 00, it will also be used. The others will be randomly generated. The ‘dvr_base_mac’ must be different from ‘base_mac’ to avoid mixing it up with MAC’s allocated for tenant ports. A 4-octet example would be dvr_base_mac = fa:16:3f:4f:00:00. The default is 3 octets
- router_distributed¶
- Type:
boolean
- Default:
False
System-wide flag to determine the type of router that tenants can create. Only admin can override.
- enable_dvr¶
- Type:
boolean
- Default:
True
Determine if setup is configured for DVR. If False, the DVR API extension will be disabled.
- host_dvr_for_dhcp¶
- Type:
boolean
- Default:
True
Flag to determine if hosting a DVR local router to the DHCP agent is desired. If False, any L3 function supported by the DHCP agent instance will not be possible, for instance: DNS.
- router_scheduler_driver¶
- Type:
string
- Default:
neutron.scheduler.l3_agent_scheduler.LeastRoutersScheduler
Driver to use for scheduling a router to a default L3 agent
- router_auto_schedule¶
- Type:
boolean
- Default:
True
Allow auto scheduling of routers to L3 agents.
- allow_automatic_l3agent_failover¶
- Type:
boolean
- Default:
False
Automatically reschedule routers from offline L3 agents to online L3 agents.
- l3_ha¶
- Type:
boolean
- Default:
False
Enable HA mode for virtual routers.
- max_l3_agents_per_router¶
- Type:
integer
- Default:
3
Maximum number of L3 agents which a HA router will be scheduled on. If it is set to 0 then the router will be scheduled on every agent.
- l3_ha_net_cidr¶
- Type:
string
- Default:
169.254.192.0/18
Subnet used for the L3 HA admin network.
- l3_ha_network_type¶
- Type:
string
- Default:
''
The network type to use when creating the L3 HA network for an HA router. By default, or if empty, the first ‘tenant_network_types’ value is used. This is helpful when the VRRP traffic should use a specific network which is not the default one.
- l3_ha_network_physical_name¶
- Type:
string
- Default:
''
The physical network name with which the L3 HA network should be created.
- enable_default_route_ecmp¶
- Type:
boolean
- Default:
False
Define the default value for enable_default_route_ecmp if not specified on the router.
- enable_default_route_bfd¶
- Type:
boolean
- Default:
False
Define the default value for enable_default_route_bfd if not specified on the router.
- max_allowed_address_pair¶
- Type:
integer
- Default:
10
Maximum number of allowed address pairs
- allowed_conntrack_helpers¶
- Type:
list
- Default:
[{'tftp': 'udp'}, {'ftp': 'tcp'}, {'sip': 'tcp'}, {'sip': 'udp'}]
This option has a sample default set, which means that its actual default value may vary from the one documented above.
Defines the allowed conntrack helpers, and conntrack helper module protocol constraints.
- rpc_conn_pool_size¶
- Type:
integer
- Default:
30
- Minimum Value:
1
Size of RPC connection pool.
¶ Group
Name
DEFAULT
rpc_conn_pool_size
- conn_pool_min_size¶
- Type:
integer
- Default:
2
The pool size limit for connections expiration policy
- conn_pool_ttl¶
- Type:
integer
- Default:
1200
The time-to-live in sec of idle connections in the pool
- executor_thread_pool_size¶
- Type:
integer
- Default:
64
Size of executor thread pool when executor is threading or eventlet.
¶ Group
Name
DEFAULT
rpc_thread_pool_size
- rpc_response_timeout¶
- Type:
integer
- Default:
60
Seconds to wait for a response from a call.
- transport_url¶
- Type:
string
- Default:
rabbit://
The network address and optional user credentials for connecting to the messaging backend, in URL format. The expected format is:
driver://[user:pass@]host:port[,[userN:passN@]hostN:portN]/virtual_host?query
Example: rabbit://rabbitmq:password@127.0.0.1:5672//
For full details on the fields in the URL see the documentation of oslo_messaging.TransportURL at https://docs.openstack.org/oslo.messaging/latest/reference/transport.html
- control_exchange¶
- Type:
string
- Default:
openstack
The default exchange under which topics are scoped. May be overridden by an exchange name specified in the transport_url option.
- rpc_ping_enabled¶
- Type:
boolean
- Default:
False
Add an endpoint to answer to ping calls. Endpoint is named oslo_rpc_server_ping
- run_external_periodic_tasks¶
- Type:
boolean
- Default:
True
Some periodic tasks can be run in a separate process. Should we run them here?
- backdoor_port¶
- Type:
string
- Default:
<None>
Enable eventlet backdoor. Acceptable values are 0, <port>, and <start>:<end>, where 0 results in listening on a random tcp port number; <port> results in listening on the specified port number (and not enabling backdoor if that port is in use); and <start>:<end> results in listening on the smallest unused port number within the specified range of port numbers. The chosen port is displayed in the service’s log file.
- backdoor_socket¶
- Type:
string
- Default:
<None>
Enable eventlet backdoor, using the provided path as a unix socket that can receive connections. This option is mutually exclusive with ‘backdoor_port’ in that only one should be provided. If both are provided then the existence of this option overrides the usage of that option. Inside the path {pid} will be replaced with the PID of the current process.
- log_options¶
- Type:
boolean
- Default:
True
Enables or disables logging values of all registered options when starting a service (at DEBUG level).
- graceful_shutdown_timeout¶
- Type:
integer
- Default:
60
Specify a timeout after which a gracefully shutdown server will exit. Zero value means endless wait.
- api_paste_config¶
- Type:
string
- Default:
api-paste.ini
File name for the paste.deploy config for api service
- wsgi_log_format¶
- Type:
string
- Default:
%(client_ip)s "%(request_line)s" status: %(status_code)s len: %(body_length)s time: %(wall_seconds).7f
A python format string that is used as the template to generate log lines. The following values can beformatted into it: client_ip, date_time, request_line, status_code, body_length, wall_seconds.
- tcp_keepidle¶
- Type:
integer
- Default:
600
Sets the value of TCP_KEEPIDLE in seconds for each server socket. Not supported on OS X.
- wsgi_default_pool_size¶
- Type:
integer
- Default:
100
Size of the pool of greenthreads used by wsgi
- max_header_line¶
- Type:
integer
- Default:
16384
Maximum line size of message headers to be accepted. max_header_line may need to be increased when using large tokens (typically those generated when keystone is configured to use PKI tokens with big service catalogs).
- wsgi_keep_alive¶
- Type:
boolean
- Default:
True
If False, closes the client socket connection explicitly.
- client_socket_timeout¶
- Type:
integer
- Default:
900
Timeout for client connections’ socket operations. If an incoming connection is idle for this number of seconds it will be closed. A value of ‘0’ means wait forever.
- wsgi_server_debug¶
- Type:
boolean
- Default:
False
True if the server should send exception tracebacks to the clients on 500 errors. If False, the server will respond with empty bodies.
- debug¶
- Type:
boolean
- Default:
False
- Mutable:
This option can be changed without restarting.
If set to true, the logging level will be set to DEBUG instead of the default INFO level.
- log_config_append¶
- Type:
string
- Default:
<None>
- Mutable:
This option can be changed without restarting.
The name of a logging configuration file. This file is appended to any existing logging configuration files. For details about logging configuration files, see the Python logging module documentation. Note that when logging configuration files are used then all logging configuration is set in the configuration file and other logging configuration options are ignored (for example, log-date-format).
¶ Group
Name
DEFAULT
log-config
DEFAULT
log_config
- log_date_format¶
- Type:
string
- Default:
%Y-%m-%d %H:%M:%S
Defines the format string for %(asctime)s in log records. Default: the value above . This option is ignored if log_config_append is set.
- log_file¶
- Type:
string
- Default:
<None>
(Optional) Name of log file to send logging output to. If no default is set, logging will go to stderr as defined by use_stderr. This option is ignored if log_config_append is set.
¶ Group
Name
DEFAULT
logfile
- log_dir¶
- Type:
string
- Default:
<None>
(Optional) The base directory used for relative log_file paths. This option is ignored if log_config_append is set.
¶ Group
Name
DEFAULT
logdir
- watch_log_file¶
- Type:
boolean
- Default:
False
Uses logging handler designed to watch file system. When log file is moved or removed this handler will open a new log file with specified path instantaneously. It makes sense only if log_file option is specified and Linux platform is used. This option is ignored if log_config_append is set.
Warning
This option is deprecated for removal. Its value may be silently ignored in the future.
- Reason:
This function is known to have bene broken for long time, and depends on the unmaintained library
- use_syslog¶
- Type:
boolean
- Default:
False
Use syslog for logging. Existing syslog format is DEPRECATED and will be changed later to honor RFC5424. This option is ignored if log_config_append is set.
- use_journal¶
- Type:
boolean
- Default:
False
Enable journald for logging. If running in a systemd environment you may wish to enable journal support. Doing so will use the journal native protocol which includes structured metadata in addition to log messages.This option is ignored if log_config_append is set.
- syslog_log_facility¶
- Type:
string
- Default:
LOG_USER
Syslog facility to receive log lines. This option is ignored if log_config_append is set.
- use_json¶
- Type:
boolean
- Default:
False
Use JSON formatting for logging. This option is ignored if log_config_append is set.
- use_stderr¶
- Type:
boolean
- Default:
False
Log output to standard error. This option is ignored if log_config_append is set.
- use_eventlog¶
- Type:
boolean
- Default:
False
Log output to Windows Event Log.
Warning
This option is deprecated for removal. Its value may be silently ignored in the future.
- Reason:
Windows support is no longer maintained.
- log_color¶
- Type:
boolean
- Default:
False
(Optional) Set the ‘color’ key according to log levels. This option takes effect only when logging to stderr or stdout is used. This option is ignored if log_config_append is set.
- log_rotate_interval¶
- Type:
integer
- Default:
1
The amount of time before the log files are rotated. This option is ignored unless log_rotation_type is set to “interval”.
- log_rotate_interval_type¶
- Type:
string
- Default:
days
- Valid Values:
Seconds, Minutes, Hours, Days, Weekday, Midnight
Rotation interval type. The time of the last file change (or the time when the service was started) is used when scheduling the next rotation.
- max_logfile_count¶
- Type:
integer
- Default:
30
Maximum number of rotated log files.
- max_logfile_size_mb¶
- Type:
integer
- Default:
200
Log file maximum size in MB. This option is ignored if “log_rotation_type” is not set to “size”.
- log_rotation_type¶
- Type:
string
- Default:
none
- Valid Values:
interval, size, none
Log rotation type.
Possible values
- interval
Rotate logs at predefined time intervals.
- size
Rotate logs once they reach a predefined size.
- none
Do not rotate log files.
- logging_context_format_string¶
- Type:
string
- Default:
%(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [%(global_request_id)s %(request_id)s %(user_identity)s] %(instance)s%(message)s
Format string to use for log messages with context. Used by oslo_log.formatters.ContextFormatter
- logging_default_format_string¶
- Type:
string
- Default:
%(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [-] %(instance)s%(message)s
Format string to use for log messages when context is undefined. Used by oslo_log.formatters.ContextFormatter
- logging_debug_format_suffix¶
- Type:
string
- Default:
%(funcName)s %(pathname)s:%(lineno)d
Additional data to append to log message when logging level for the message is DEBUG. Used by oslo_log.formatters.ContextFormatter
- logging_exception_prefix¶
- Type:
string
- Default:
%(asctime)s.%(msecs)03d %(process)d ERROR %(name)s %(instance)s
Prefix each line of exception output with this format. Used by oslo_log.formatters.ContextFormatter
- logging_user_identity_format¶
- Type:
string
- Default:
%(user)s %(project)s %(domain)s %(system_scope)s %(user_domain)s %(project_domain)s
Defines the format string for %(user_identity)s that is used in logging_context_format_string. Used by oslo_log.formatters.ContextFormatter
- default_log_levels¶
- Type:
list
- Default:
['amqp=WARN', 'amqplib=WARN', 'boto=WARN', 'qpid=WARN', 'sqlalchemy=WARN', 'suds=INFO', 'oslo.messaging=INFO', 'oslo_messaging=INFO', 'iso8601=WARN', 'requests.packages.urllib3.connectionpool=WARN', 'urllib3.connectionpool=WARN', 'websocket=WARN', 'requests.packages.urllib3.util.retry=WARN', 'urllib3.util.retry=WARN', 'keystonemiddleware=WARN', 'routes.middleware=WARN', 'stevedore=WARN', 'taskflow=WARN', 'keystoneauth=WARN', 'oslo.cache=INFO', 'oslo_policy=INFO', 'dogpile.core.dogpile=INFO']
List of package logging levels in logger=LEVEL pairs. This option is ignored if log_config_append is set.
- publish_errors¶
- Type:
boolean
- Default:
False
Enables or disables publication of error events.
- instance_format¶
- Type:
string
- Default:
"[instance: %(uuid)s] "
The format for an instance that is passed with the log message.
- instance_uuid_format¶
- Type:
string
- Default:
"[instance: %(uuid)s] "
The format for an instance UUID that is passed with the log message.
- rate_limit_interval¶
- Type:
integer
- Default:
0
Interval, number of seconds, of log rate limiting.
- rate_limit_burst¶
- Type:
integer
- Default:
0
Maximum number of logged messages per rate_limit_interval.
- rate_limit_except_level¶
- Type:
string
- Default:
CRITICAL
- Valid Values:
CRITICAL, ERROR, INFO, WARNING, DEBUG, ‘’
Log level name used by rate limiting. Logs with level greater or equal to rate_limit_except_level are not filtered. An empty string means that all levels are filtered.
- fatal_deprecations¶
- Type:
boolean
- Default:
False
Enables or disables fatal status of deprecations.
agent¶
- root_helper¶
- Type:
string
- Default:
sudo
Root helper application. Use ‘sudo neutron-rootwrap /etc/neutron/rootwrap.conf’ to use the real root filter facility. Change to ‘sudo’ to skip the filtering and just run the command directly.
- use_helper_for_ns_read¶
- Type:
boolean
- Default:
True
Use the root helper when listing the namespaces on a system. This may not be required depending on the security configuration. If the root helper is not required, set this to False for a performance improvement.
- root_helper_daemon¶
- Type:
string
- Default:
<None>
Root helper daemon application to use when possible.
Use ‘sudo neutron-rootwrap-daemon /etc/neutron/rootwrap.conf’ to run rootwrap in “daemon mode” which has been reported to improve performance at scale. For more information on running rootwrap in “daemon mode”, see:
https://docs.openstack.org/oslo.rootwrap/latest/user/usage.html#daemon-mode
- report_interval¶
- Type:
floating point
- Default:
30
Seconds between nodes reporting state to server; should be less than agent_down_time, best if it is half or less than agent_down_time.
- log_agent_heartbeats¶
- Type:
boolean
- Default:
False
Log agent heartbeats
- comment_iptables_rules¶
- Type:
boolean
- Default:
True
Add comments to iptables rules. Set to false to disallow the addition of comments to generated iptables rules that describe each rule’s purpose. System must support the iptables comments module for addition of comments.
- debug_iptables_rules¶
- Type:
boolean
- Default:
False
Duplicate every iptables difference calculation to ensure the format being generated matches the format of iptables-save. This option should not be turned on for production systems because it imposes a performance penalty.
- use_random_fully¶
- Type:
boolean
- Default:
True
Use random-fully in SNAT masquerade rules.
- check_child_processes_action¶
- Type:
string
- Default:
respawn
- Valid Values:
respawn, exit
Action to be executed when a child process dies
- check_child_processes_interval¶
- Type:
integer
- Default:
60
Interval between checks of child process liveness, in seconds, use 0 to disable
- kill_scripts_path¶
- Type:
string
- Default:
/etc/neutron/kill_scripts/
Location of scripts used to kill external processes. Names of scripts here must follow the pattern: “<process-name>-kill” where <process-name> is name of the process which should be killed using this script. For example, kill script for dnsmasq process should be named “dnsmasq-kill”. If path is set to None, then default “kill” command will be used to stop processes.
- availability_zone¶
- Type:
string
- Default:
nova
Availability zone of this node
cache¶
- config_prefix¶
- Type:
string
- Default:
cache.oslo
Prefix for building the configuration dictionary for the cache region. This should not need to be changed unless there is another dogpile.cache region with the same configuration name.
- expiration_time¶
- Type:
integer
- Default:
600
- Minimum Value:
1
Default TTL, in seconds, for any cached item in the dogpile.cache region. This applies to any cached method that doesn’t have an explicit cache expiration time defined for it.
- backend_expiration_time¶
- Type:
integer
- Default:
<None>
- Minimum Value:
1
Expiration time in cache backend to purge expired records automatically. This should be greater than expiration_time and all cache_time options
- backend¶
- Type:
string
- Default:
dogpile.cache.null
- Valid Values:
oslo_cache.memcache_pool, oslo_cache.dict, oslo_cache.mongo, oslo_cache.etcd3gw, dogpile.cache.pymemcache, dogpile.cache.memcached, dogpile.cache.pylibmc, dogpile.cache.bmemcached, dogpile.cache.dbm, dogpile.cache.redis, dogpile.cache.redis_sentinel, dogpile.cache.memory, dogpile.cache.memory_pickle, dogpile.cache.null
Cache backend module. For eventlet-based or environments with hundreds of threaded servers, Memcache with pooling (oslo_cache.memcache_pool) is recommended. For environments with less than 100 threaded servers, Memcached (dogpile.cache.memcached) or Redis (dogpile.cache.redis) is recommended. Test environments with a single instance of the server can use the dogpile.cache.memory backend.
- backend_argument¶
- Type:
multi-valued
- Default:
''
Arguments supplied to the backend module. Specify this option once per argument to be passed to the dogpile.cache backend. Example format: “<argname>:<value>”.
- proxies¶
- Type:
list
- Default:
[]
Proxy classes to import that will affect the way the dogpile.cache backend functions. See the dogpile.cache documentation on changing-backend-behavior.
- enabled¶
- Type:
boolean
- Default:
False
Global toggle for caching.
- debug_cache_backend¶
- Type:
boolean
- Default:
False
Extra debugging from the cache backend (cache keys, get/set/delete/etc calls). This is only really useful if you need to see the specific cache-backend get/set/delete calls with the keys/values. Typically this should be left set to false.
- memcache_servers¶
- Type:
list
- Default:
['localhost:11211']
Memcache servers in the format of “host:port”. This is used by backends dependent on Memcached.If
dogpile.cache.memcached
oroslo_cache.memcache_pool
is used and a given host refer to an IPv6 or a given domain refer to IPv6 then you should prefix the given address with the address family (inet6
) (e.ginet6[::1]:11211
,inet6:[fd12:3456:789a:1::1]:11211
,inet6:[controller-0.internalapi]:11211
). If the address family is not given then these backends will use the defaultinet
address family which corresponds to IPv4
- memcache_dead_retry¶
- Type:
integer
- Default:
300
Number of seconds memcached server is considered dead before it is tried again. (dogpile.cache.memcache and oslo_cache.memcache_pool backends only).
- memcache_socket_timeout¶
- Type:
floating point
- Default:
1.0
Timeout in seconds for every call to a server. (dogpile.cache.memcache and oslo_cache.memcache_pool backends only).
- memcache_pool_maxsize¶
- Type:
integer
- Default:
10
Max total number of open connections to every memcached server. (oslo_cache.memcache_pool backend only).
- memcache_pool_unused_timeout¶
- Type:
integer
- Default:
60
Number of seconds a connection to memcached is held unused in the pool before it is closed. (oslo_cache.memcache_pool backend only).
- memcache_pool_connection_get_timeout¶
- Type:
integer
- Default:
10
Number of seconds that an operation will wait to get a memcache client connection.
- memcache_pool_flush_on_reconnect¶
- Type:
boolean
- Default:
False
Global toggle if memcache will be flushed on reconnect. (oslo_cache.memcache_pool backend only).
- memcache_sasl_enabled¶
- Type:
boolean
- Default:
False
Enable the SASL(Simple Authentication and SecurityLayer) if the SASL_enable is true, else disable.
- memcache_username¶
- Type:
string
- Default:
<None>
the user name for the memcached which SASL enabled
- memcache_password¶
- Type:
string
- Default:
<None>
the password for the memcached which SASL enabled
- redis_server¶
- Type:
string
- Default:
localhost:6379
Redis server in the format of “host:port”
- redis_db¶
- Type:
integer
- Default:
0
- Minimum Value:
0
Database id in Redis server
- redis_username¶
- Type:
string
- Default:
<None>
the user name for redis
- redis_password¶
- Type:
string
- Default:
<None>
the password for redis
- redis_sentinels¶
- Type:
list
- Default:
['localhost:26379']
Redis sentinel servers in the format of “host:port”
- redis_socket_timeout¶
- Type:
floating point
- Default:
1.0
Timeout in seconds for every call to a server. (dogpile.cache.redis and dogpile.cache.redis_sentinel backends only).
- redis_sentinel_service_name¶
- Type:
string
- Default:
mymaster
Service name of the redis sentinel cluster.
- tls_enabled¶
- Type:
boolean
- Default:
False
Global toggle for TLS usage when communicating with the caching servers. Currently supported by
dogpile.cache.bmemcache
,dogpile.cache.pymemcache
,oslo_cache.memcache_pool
,dogpile.cache.redis
anddogpile.cache.redis_sentinel
.
- tls_cafile¶
- Type:
string
- Default:
<None>
Path to a file of concatenated CA certificates in PEM format necessary to establish the caching servers’ authenticity. If tls_enabled is False, this option is ignored.
- tls_certfile¶
- Type:
string
- Default:
<None>
Path to a single file in PEM format containing the client’s certificate as well as any number of CA certificates needed to establish the certificate’s authenticity. This file is only required when client side authentication is necessary. If tls_enabled is False, this option is ignored.
- tls_keyfile¶
- Type:
string
- Default:
<None>
Path to a single file containing the client’s private key in. Otherwise the private key will be taken from the file specified in tls_certfile. If tls_enabled is False, this option is ignored.
- tls_allowed_ciphers¶
- Type:
string
- Default:
<None>
Set the available ciphers for sockets created with the TLS context. It should be a string in the OpenSSL cipher list format. If not specified, all OpenSSL enabled ciphers will be available. Currently supported by
dogpile.cache.bmemcache
,dogpile.cache.pymemcache
andoslo_cache.memcache_pool
.
- enable_socket_keepalive¶
- Type:
boolean
- Default:
False
Global toggle for the socket keepalive of dogpile’s pymemcache backend
- socket_keepalive_idle¶
- Type:
integer
- Default:
1
- Minimum Value:
0
The time (in seconds) the connection needs to remain idle before TCP starts sending keepalive probes. Should be a positive integer most greater than zero.
- socket_keepalive_interval¶
- Type:
integer
- Default:
1
- Minimum Value:
0
The time (in seconds) between individual keepalive probes. Should be a positive integer greater than zero.
- socket_keepalive_count¶
- Type:
integer
- Default:
1
- Minimum Value:
0
The maximum number of keepalive probes TCP should send before dropping the connection. Should be a positive integer greater than zero.
- enable_retry_client¶
- Type:
boolean
- Default:
False
Enable retry client mechanisms to handle failure. Those mechanisms can be used to wrap all kind of pymemcache clients. The wrapper allows you to define how many attempts to make and how long to wait between attemots.
- retry_attempts¶
- Type:
integer
- Default:
2
- Minimum Value:
1
Number of times to attempt an action before failing.
- retry_delay¶
- Type:
floating point
- Default:
0
Number of seconds to sleep between each attempt.
- hashclient_retry_attempts¶
- Type:
integer
- Default:
2
- Minimum Value:
1
Amount of times a client should be tried before it is marked dead and removed from the pool in the HashClient’s internal mechanisms.
- hashclient_retry_delay¶
- Type:
floating point
- Default:
1
Time in seconds that should pass between retry attempts in the HashClient’s internal mechanisms.
- dead_timeout¶
- Type:
floating point
- Default:
60
Time in seconds before attempting to add a node back in the pool in the HashClient’s internal mechanisms.
- enforce_fips_mode¶
- Type:
boolean
- Default:
False
Global toggle for enforcing the OpenSSL FIPS mode. This feature requires Python support. This is available in Python 3.9 in all environments and may have been backported to older Python versions on select environments. If the Python executable used does not support OpenSSL FIPS mode, an exception will be raised. Currently supported by
dogpile.cache.bmemcache
,dogpile.cache.pymemcache
andoslo_cache.memcache_pool
.
cors¶
- allowed_origin¶
- Type:
list
- Default:
<None>
Indicate whether this resource may be shared with the domain received in the requests “origin” header. Format: “<protocol>://<host>[:<port>]”, no trailing slash. Example: https://horizon.example.com
- allow_credentials¶
- Type:
boolean
- Default:
True
Indicate that the actual request can include user credentials
- expose_headers¶
- Type:
list
- Default:
['X-Auth-Token', 'X-Subject-Token', 'X-Service-Token', 'X-OpenStack-Request-ID', 'OpenStack-Volume-microversion']
Indicate which headers are safe to expose to the API. Defaults to HTTP Simple Headers.
- max_age¶
- Type:
integer
- Default:
3600
Maximum cache age of CORS preflight requests.
- allow_methods¶
- Type:
list
- Default:
['GET', 'PUT', 'POST', 'DELETE', 'PATCH']
Indicate which methods can be used during the actual request.
- allow_headers¶
- Type:
list
- Default:
['X-Auth-Token', 'X-Identity-Status', 'X-Roles', 'X-Service-Catalog', 'X-User-Id', 'X-Tenant-Id', 'X-OpenStack-Request-ID']
Indicate which header field names may be used during the actual request.
database¶
- engine¶
- Type:
string
- Default:
''
Database engine for which script will be generated when using offline migration.
- sqlite_synchronous¶
- Type:
boolean
- Default:
True
If True, SQLite uses synchronous mode.
- backend¶
- Type:
string
- Default:
sqlalchemy
The back end to use for the database.
- connection¶
- Type:
string
- Default:
<None>
The SQLAlchemy connection string to use to connect to the database.
- slave_connection¶
- Type:
string
- Default:
<None>
The SQLAlchemy connection string to use to connect to the slave database.
- mysql_sql_mode¶
- Type:
string
- Default:
TRADITIONAL
The SQL mode to be used for MySQL sessions. This option, including the default, overrides any server-set SQL mode. To use whatever SQL mode is set by the server configuration, set this to no value. Example: mysql_sql_mode=
- mysql_wsrep_sync_wait¶
- Type:
integer
- Default:
<None>
For Galera only, configure wsrep_sync_wait causality checks on new connections. Default is None, meaning don’t configure any setting.
- connection_recycle_time¶
- Type:
integer
- Default:
3600
Connections which have been present in the connection pool longer than this number of seconds will be replaced with a new one the next time they are checked out from the pool.
- max_pool_size¶
- Type:
integer
- Default:
5
Maximum number of SQL connections to keep open in a pool. Setting a value of 0 indicates no limit.
- max_retries¶
- Type:
integer
- Default:
10
Maximum number of database connection retries during startup. Set to -1 to specify an infinite retry count.
- retry_interval¶
- Type:
integer
- Default:
10
Interval between retries of opening a SQL connection.
- max_overflow¶
- Type:
integer
- Default:
50
If set, use this value for max_overflow with SQLAlchemy.
- connection_debug¶
- Type:
integer
- Default:
0
- Minimum Value:
0
- Maximum Value:
100
Verbosity of SQL debugging information: 0=None, 100=Everything.
- connection_trace¶
- Type:
boolean
- Default:
False
Add Python stack traces to SQL as comment strings.
- pool_timeout¶
- Type:
integer
- Default:
<None>
If set, use this value for pool_timeout with SQLAlchemy.
- use_db_reconnect¶
- Type:
boolean
- Default:
False
Enable the experimental use of database reconnect on connection lost.
- db_retry_interval¶
- Type:
integer
- Default:
1
Seconds between retries of a database transaction.
- db_inc_retry_interval¶
- Type:
boolean
- Default:
True
If True, increases the interval between retries of a database operation up to db_max_retry_interval.
- db_max_retry_interval¶
- Type:
integer
- Default:
10
If db_inc_retry_interval is set, the maximum seconds between retries of a database operation.
- db_max_retries¶
- Type:
integer
- Default:
20
Maximum retries in case of connection error or deadlock error before error is raised. Set to -1 to specify an infinite retry count.
- connection_parameters¶
- Type:
string
- Default:
''
Optional URL parameters to append onto the connection URL at connect time; specify as param1=value1¶m2=value2&…
designate¶
- auth_url¶
- Type:
unknown type
- Default:
<None>
Authentication URL
- auth_type¶
- Type:
unknown type
- Default:
<None>
Authentication type to load
¶ Group
Name
designate
auth_plugin
- cafile¶
- Type:
string
- Default:
<None>
PEM encoded Certificate Authority to use when verifying HTTPs connections.
- certfile¶
- Type:
string
- Default:
<None>
PEM encoded client certificate cert file
- collect_timing¶
- Type:
boolean
- Default:
False
Collect per-API call timing information.
- default_domain_id¶
- Type:
unknown type
- Default:
<None>
Optional domain ID to use with v3 and v2 parameters. It will be used for both the user and project domain in v3 and ignored in v2 authentication.
- default_domain_name¶
- Type:
unknown type
- Default:
<None>
Optional domain name to use with v3 API and v2 parameters. It will be used for both the user and project domain in v3 and ignored in v2 authentication.
- domain_id¶
- Type:
unknown type
- Default:
<None>
Domain ID to scope to
- domain_name¶
- Type:
unknown type
- Default:
<None>
Domain name to scope to
- insecure¶
- Type:
boolean
- Default:
False
Verify HTTPS connections.
- keyfile¶
- Type:
string
- Default:
<None>
PEM encoded client certificate key file
- password¶
- Type:
unknown type
- Default:
<None>
User’s password
- project_domain_id¶
- Type:
unknown type
- Default:
<None>
Domain ID containing project
- project_domain_name¶
- Type:
unknown type
- Default:
<None>
Domain name containing project
- project_id¶
- Type:
unknown type
- Default:
<None>
Project ID to scope to
¶ Group
Name
designate
tenant-id
designate
tenant_id
- project_name¶
- Type:
unknown type
- Default:
<None>
Project name to scope to
¶ Group
Name
designate
tenant-name
designate
tenant_name
- split_loggers¶
- Type:
boolean
- Default:
False
Log requests to multiple loggers.
- system_scope¶
- Type:
unknown type
- Default:
<None>
Scope for system operations
- tenant_id¶
- Type:
unknown type
- Default:
<None>
Tenant ID
- tenant_name¶
- Type:
unknown type
- Default:
<None>
Tenant Name
- timeout¶
- Type:
integer
- Default:
<None>
Timeout value for http requests
- trust_id¶
- Type:
unknown type
- Default:
<None>
ID of the trust to use as a trustee use
- user_domain_id¶
- Type:
unknown type
- Default:
<None>
User’s domain id
- user_domain_name¶
- Type:
unknown type
- Default:
<None>
User’s domain name
- user_id¶
- Type:
unknown type
- Default:
<None>
User id
- username¶
- Type:
unknown type
- Default:
<None>
Username
¶ Group
Name
designate
user-name
designate
user_name
- url¶
- Type:
URI
- Default:
<None>
URL for connecting to designate
- allow_reverse_dns_lookup¶
- Type:
boolean
- Default:
True
Allow the creation of PTR records
- ipv4_ptr_zone_prefix_size¶
- Type:
unknown type
- Default:
24
- Minimum Value:
8
- Maximum Value:
24
Number of bits in an IPv4 PTR zone that will be considered network prefix. It has to align to byte boundary. Minimum value is 8. Maximum value is 24. As a consequence, range of values is 8, 16 and 24
- ipv6_ptr_zone_prefix_size¶
- Type:
unknown type
- Default:
120
- Minimum Value:
4
- Maximum Value:
124
Number of bits in an IPv6 PTR zone that will be considered network prefix. It has to align to nyble boundary. Minimum value is 4. Maximum value is 124. As a consequence, range of values is 4, 8, 12, 16,…, 124
- ptr_zone_email¶
- Type:
string
- Default:
''
The email address to be used when creating PTR zones. If not specified, the email address will be admin@<dns_domain>
experimental¶
- linuxbridge¶
- Type:
boolean
- Default:
False
Enable execution of the experimental Linuxbridge agent.
- ipv6_pd_enabled¶
- Type:
boolean
- Default:
False
Enable execution of the experimental IPv6 Prefix Delegation functionality in the L3 agent.
healthcheck¶
- path¶
- Type:
string
- Default:
/healthcheck
The path to respond to healtcheck requests on.
Warning
This option is deprecated for removal. Its value may be silently ignored in the future.
- detailed¶
- Type:
boolean
- Default:
False
Show more detailed information as part of the response. Security note: Enabling this option may expose sensitive details about the service being monitored. Be sure to verify that it will not violate your security policies.
- backends¶
- Type:
list
- Default:
[]
Additional backends that can perform health checks and report that information back as part of a request.
- allowed_source_ranges¶
- Type:
list
- Default:
[]
A list of network addresses to limit source ip allowed to access healthcheck information. Any request from ip outside of these network addresses are ignored.
- ignore_proxied_requests¶
- Type:
boolean
- Default:
False
Ignore requests with proxy headers.
- disable_by_file_path¶
- Type:
string
- Default:
<None>
Check the presence of a file to determine if an application is running on a port. Used by DisableByFileHealthcheck plugin.
- disable_by_file_paths¶
- Type:
list
- Default:
[]
Check the presence of a file based on a port to determine if an application is running on a port. Expects a “port:path” list of strings. Used by DisableByFilesPortsHealthcheck plugin.
- enable_by_file_paths¶
- Type:
list
- Default:
[]
Check the presence of files. Used by EnableByFilesHealthcheck plugin.
ironic¶
- auth_url¶
- Type:
unknown type
- Default:
<None>
Authentication URL
- auth_type¶
- Type:
unknown type
- Default:
<None>
Authentication type to load
¶ Group
Name
ironic
auth_plugin
- cafile¶
- Type:
string
- Default:
<None>
PEM encoded Certificate Authority to use when verifying HTTPs connections.
- certfile¶
- Type:
string
- Default:
<None>
PEM encoded client certificate cert file
- collect_timing¶
- Type:
boolean
- Default:
False
Collect per-API call timing information.
- default_domain_id¶
- Type:
unknown type
- Default:
<None>
Optional domain ID to use with v3 and v2 parameters. It will be used for both the user and project domain in v3 and ignored in v2 authentication.
- default_domain_name¶
- Type:
unknown type
- Default:
<None>
Optional domain name to use with v3 API and v2 parameters. It will be used for both the user and project domain in v3 and ignored in v2 authentication.
- domain_id¶
- Type:
unknown type
- Default:
<None>
Domain ID to scope to
- domain_name¶
- Type:
unknown type
- Default:
<None>
Domain name to scope to
- insecure¶
- Type:
boolean
- Default:
False
Verify HTTPS connections.
- keyfile¶
- Type:
string
- Default:
<None>
PEM encoded client certificate key file
- password¶
- Type:
unknown type
- Default:
<None>
User’s password
- project_domain_id¶
- Type:
unknown type
- Default:
<None>
Domain ID containing project
- project_domain_name¶
- Type:
unknown type
- Default:
<None>
Domain name containing project
- project_id¶
- Type:
unknown type
- Default:
<None>
Project ID to scope to
¶ Group
Name
ironic
tenant-id
ironic
tenant_id
- project_name¶
- Type:
unknown type
- Default:
<None>
Project name to scope to
¶ Group
Name
ironic
tenant-name
ironic
tenant_name
- split_loggers¶
- Type:
boolean
- Default:
False
Log requests to multiple loggers.
- system_scope¶
- Type:
unknown type
- Default:
<None>
Scope for system operations
- tenant_id¶
- Type:
unknown type
- Default:
<None>
Tenant ID
- tenant_name¶
- Type:
unknown type
- Default:
<None>
Tenant Name
- timeout¶
- Type:
integer
- Default:
<None>
Timeout value for http requests
- trust_id¶
- Type:
unknown type
- Default:
<None>
ID of the trust to use as a trustee use
- user_domain_id¶
- Type:
unknown type
- Default:
<None>
User’s domain id
- user_domain_name¶
- Type:
unknown type
- Default:
<None>
User’s domain name
- user_id¶
- Type:
unknown type
- Default:
<None>
User id
- username¶
- Type:
unknown type
- Default:
<None>
Username
¶ Group
Name
ironic
user-name
ironic
user_name
- enable_notifications¶
- Type:
boolean
- Default:
False
Send notification events to Ironic. (For example on relevant port status changes.)
keystone_authtoken¶
- www_authenticate_uri¶
- Type:
string
- Default:
<None>
Complete “public” Identity API endpoint. This endpoint should not be an “admin” endpoint, as it should be accessible by all end users. Unauthenticated clients are redirected to this endpoint to authenticate. Although this endpoint should ideally be unversioned, client support in the wild varies. If you’re using a versioned v2 endpoint here, then this should not be the same endpoint the service user utilizes for validating tokens, because normal end users may not be able to reach that endpoint.
¶ Group
Name
keystone_authtoken
auth_uri
- auth_uri¶
- Type:
string
- Default:
<None>
Complete “public” Identity API endpoint. This endpoint should not be an “admin” endpoint, as it should be accessible by all end users. Unauthenticated clients are redirected to this endpoint to authenticate. Although this endpoint should ideally be unversioned, client support in the wild varies. If you’re using a versioned v2 endpoint here, then this should not be the same endpoint the service user utilizes for validating tokens, because normal end users may not be able to reach that endpoint. This option is deprecated in favor of www_authenticate_uri and will be removed in the S release.
Warning
This option is deprecated for removal since Queens. Its value may be silently ignored in the future.
- Reason:
The auth_uri option is deprecated in favor of www_authenticate_uri and will be removed in the S release.
- auth_version¶
- Type:
string
- Default:
<None>
API version of the Identity API endpoint.
- interface¶
- Type:
string
- Default:
internal
Interface to use for the Identity API endpoint. Valid values are “public”, “internal” (default) or “admin”.
- delay_auth_decision¶
- Type:
boolean
- Default:
False
Do not handle authorization requests within the middleware, but delegate the authorization decision to downstream WSGI components.
- http_connect_timeout¶
- Type:
integer
- Default:
<None>
Request timeout value for communicating with Identity API server.
- http_request_max_retries¶
- Type:
integer
- Default:
3
How many times are we trying to reconnect when communicating with Identity API Server.
- cache¶
- Type:
string
- Default:
<None>
Request environment key where the Swift cache object is stored. When auth_token middleware is deployed with a Swift cache, use this option to have the middleware share a caching backend with swift. Otherwise, use the
memcached_servers
option instead.
- certfile¶
- Type:
string
- Default:
<None>
Required if identity server requires client certificate
- keyfile¶
- Type:
string
- Default:
<None>
Required if identity server requires client certificate
- cafile¶
- Type:
string
- Default:
<None>
A PEM encoded Certificate Authority to use when verifying HTTPs connections. Defaults to system CAs.
- insecure¶
- Type:
boolean
- Default:
False
Verify HTTPS connections.
- region_name¶
- Type:
string
- Default:
<None>
The region in which the identity server can be found.
- memcached_servers¶
- Type:
list
- Default:
<None>
Optionally specify a list of memcached server(s) to use for caching. If left undefined, tokens will instead be cached in-process.
¶ Group
Name
keystone_authtoken
memcache_servers
- token_cache_time¶
- Type:
integer
- Default:
300
In order to prevent excessive effort spent validating tokens, the middleware caches previously-seen tokens for a configurable duration (in seconds). Set to -1 to disable caching completely.
- memcache_security_strategy¶
- Type:
string
- Default:
None
- Valid Values:
None, MAC, ENCRYPT
(Optional) If defined, indicate whether token data should be authenticated or authenticated and encrypted. If MAC, token data is authenticated (with HMAC) in the cache. If ENCRYPT, token data is encrypted and authenticated in the cache. If the value is not one of these options or empty, auth_token will raise an exception on initialization.
- memcache_secret_key¶
- Type:
string
- Default:
<None>
(Optional, mandatory if memcache_security_strategy is defined) This string is used for key derivation.
- memcache_pool_dead_retry¶
- Type:
integer
- Default:
300
(Optional) Number of seconds memcached server is considered dead before it is tried again.
- memcache_pool_maxsize¶
- Type:
integer
- Default:
10
(Optional) Maximum total number of open connections to every memcached server.
- memcache_pool_socket_timeout¶
- Type:
integer
- Default:
3
(Optional) Socket timeout in seconds for communicating with a memcached server.
- memcache_pool_unused_timeout¶
- Type:
integer
- Default:
60
(Optional) Number of seconds a connection to memcached is held unused in the pool before it is closed.
- memcache_pool_conn_get_timeout¶
- Type:
integer
- Default:
10
(Optional) Number of seconds that an operation will wait to get a memcached client connection from the pool.
- memcache_use_advanced_pool¶
- Type:
boolean
- Default:
True
(Optional) Use the advanced (eventlet safe) memcached client pool.
- include_service_catalog¶
- Type:
boolean
- Default:
True
(Optional) Indicate whether to set the X-Service-Catalog header. If False, middleware will not ask for service catalog on token validation and will not set the X-Service-Catalog header.
- enforce_token_bind¶
- Type:
string
- Default:
permissive
Used to control the use and type of token binding. Can be set to: “disabled” to not check token binding. “permissive” (default) to validate binding information if the bind type is of a form known to the server and ignore it if not. “strict” like “permissive” but if the bind type is unknown the token will be rejected. “required” any form of token binding is needed to be allowed. Finally the name of a binding method that must be present in tokens.
- service_token_roles¶
- Type:
list
- Default:
['service']
A choice of roles that must be present in a service token. Service tokens are allowed to request that an expired token can be used and so this check should tightly control that only actual services should be sending this token. Roles here are applied as an ANY check so any role in this list must be present. For backwards compatibility reasons this currently only affects the allow_expired check.
- service_token_roles_required¶
- Type:
boolean
- Default:
False
For backwards compatibility reasons we must let valid service tokens pass that don’t pass the service_token_roles check as valid. Setting this true will become the default in a future release and should be enabled if possible.
- service_type¶
- Type:
string
- Default:
<None>
The name or type of the service as it appears in the service catalog. This is used to validate tokens that have restricted access rules.
- auth_type¶
- Type:
unknown type
- Default:
<None>
Authentication type to load
¶ Group
Name
keystone_authtoken
auth_plugin
- auth_section¶
- Type:
unknown type
- Default:
<None>
Config Section from which to load plugin specific options
nova¶
- region_name¶
- Type:
string
- Default:
<None>
Name of Nova region to use. Useful if Keystone manages more than one region.
- endpoint_type¶
- Type:
string
- Default:
public
- Valid Values:
public, admin, internal
Type of the Nova endpoint to use. This endpoint will be looked up in the Keystone catalog and should be one of public, internal or admin.
- auth_url¶
- Type:
unknown type
- Default:
<None>
Authentication URL
- auth_type¶
- Type:
unknown type
- Default:
<None>
Authentication type to load
¶ Group
Name
nova
auth_plugin
- cafile¶
- Type:
string
- Default:
<None>
PEM encoded Certificate Authority to use when verifying HTTPs connections.
- certfile¶
- Type:
string
- Default:
<None>
PEM encoded client certificate cert file
- collect_timing¶
- Type:
boolean
- Default:
False
Collect per-API call timing information.
- default_domain_id¶
- Type:
unknown type
- Default:
<None>
Optional domain ID to use with v3 and v2 parameters. It will be used for both the user and project domain in v3 and ignored in v2 authentication.
- default_domain_name¶
- Type:
unknown type
- Default:
<None>
Optional domain name to use with v3 API and v2 parameters. It will be used for both the user and project domain in v3 and ignored in v2 authentication.
- domain_id¶
- Type:
unknown type
- Default:
<None>
Domain ID to scope to
- domain_name¶
- Type:
unknown type
- Default:
<None>
Domain name to scope to
- insecure¶
- Type:
boolean
- Default:
False
Verify HTTPS connections.
- keyfile¶
- Type:
string
- Default:
<None>
PEM encoded client certificate key file
- password¶
- Type:
unknown type
- Default:
<None>
User’s password
- project_domain_id¶
- Type:
unknown type
- Default:
<None>
Domain ID containing project
- project_domain_name¶
- Type:
unknown type
- Default:
<None>
Domain name containing project
- project_id¶
- Type:
unknown type
- Default:
<None>
Project ID to scope to
¶ Group
Name
nova
tenant-id
nova
tenant_id
- project_name¶
- Type:
unknown type
- Default:
<None>
Project name to scope to
¶ Group
Name
nova
tenant-name
nova
tenant_name
- split_loggers¶
- Type:
boolean
- Default:
False
Log requests to multiple loggers.
- system_scope¶
- Type:
unknown type
- Default:
<None>
Scope for system operations
- tenant_id¶
- Type:
unknown type
- Default:
<None>
Tenant ID
- tenant_name¶
- Type:
unknown type
- Default:
<None>
Tenant Name
- timeout¶
- Type:
integer
- Default:
<None>
Timeout value for http requests
- trust_id¶
- Type:
unknown type
- Default:
<None>
ID of the trust to use as a trustee use
- user_domain_id¶
- Type:
unknown type
- Default:
<None>
User’s domain id
- user_domain_name¶
- Type:
unknown type
- Default:
<None>
User’s domain name
- user_id¶
- Type:
unknown type
- Default:
<None>
User id
oslo_concurrency¶
- disable_process_locking¶
- Type:
boolean
- Default:
False
Enables or disables inter-process locks.
- lock_path¶
- Type:
string
- Default:
<None>
Directory to use for lock files. For security, the specified directory should only be writable by the user running the processes that need locking. Defaults to environment variable OSLO_LOCK_PATH. If external locks are used, a lock path must be set.
oslo_messaging_kafka¶
- kafka_max_fetch_bytes¶
- Type:
integer
- Default:
1048576
Max fetch bytes of Kafka consumer
- kafka_consumer_timeout¶
- Type:
floating point
- Default:
1.0
Default timeout(s) for Kafka consumers
- pool_size¶
- Type:
integer
- Default:
10
Pool Size for Kafka Consumers
Warning
This option is deprecated for removal. Its value may be silently ignored in the future.
- Reason:
Driver no longer uses connection pool.
- conn_pool_min_size¶
- Type:
integer
- Default:
2
The pool size limit for connections expiration policy
Warning
This option is deprecated for removal. Its value may be silently ignored in the future.
- Reason:
Driver no longer uses connection pool.
- conn_pool_ttl¶
- Type:
integer
- Default:
1200
The time-to-live in sec of idle connections in the pool
Warning
This option is deprecated for removal. Its value may be silently ignored in the future.
- Reason:
Driver no longer uses connection pool.
- consumer_group¶
- Type:
string
- Default:
oslo_messaging_consumer
Group id for Kafka consumer. Consumers in one group will coordinate message consumption
- producer_batch_timeout¶
- Type:
floating point
- Default:
0.0
Upper bound on the delay for KafkaProducer batching in seconds
- producer_batch_size¶
- Type:
integer
- Default:
16384
Size of batch for the producer async send
- compression_codec¶
- Type:
string
- Default:
none
- Valid Values:
none, gzip, snappy, lz4, zstd
The compression codec for all data generated by the producer. If not set, compression will not be used. Note that the allowed values of this depend on the kafka version
- enable_auto_commit¶
- Type:
boolean
- Default:
False
Enable asynchronous consumer commits
- max_poll_records¶
- Type:
integer
- Default:
500
The maximum number of records returned in a poll call
- security_protocol¶
- Type:
string
- Default:
PLAINTEXT
- Valid Values:
PLAINTEXT, SASL_PLAINTEXT, SSL, SASL_SSL
Protocol used to communicate with brokers
- sasl_mechanism¶
- Type:
string
- Default:
PLAIN
Mechanism when security protocol is SASL
- ssl_cafile¶
- Type:
string
- Default:
''
CA certificate PEM file used to verify the server certificate
- ssl_client_cert_file¶
- Type:
string
- Default:
''
Client certificate PEM file used for authentication.
- ssl_client_key_file¶
- Type:
string
- Default:
''
Client key PEM file used for authentication.
- ssl_client_key_password¶
- Type:
string
- Default:
''
Client key password file used for authentication.
oslo_messaging_notifications¶
- driver¶
- Type:
multi-valued
- Default:
''
The Drivers(s) to handle sending notifications. Possible values are messaging, messagingv2, routing, log, test, noop
¶ Group
Name
DEFAULT
notification_driver
- transport_url¶
- Type:
string
- Default:
<None>
A URL representing the messaging driver to use for notifications. If not set, we fall back to the same configuration used for RPC.
¶ Group
Name
DEFAULT
notification_transport_url
- topics¶
- Type:
list
- Default:
['notifications']
AMQP topic used for OpenStack notifications.
¶ Group
Name
rpc_notifier2
topics
DEFAULT
notification_topics
- retry¶
- Type:
integer
- Default:
-1
The maximum number of attempts to re-send a notification message which failed to be delivered due to a recoverable error. 0 - No retry, -1 - indefinite
oslo_messaging_rabbit¶
- amqp_durable_queues¶
- Type:
boolean
- Default:
False
Use durable queues in AMQP. If rabbit_quorum_queue is enabled, queues will be durable and this value will be ignored.
- amqp_auto_delete¶
- Type:
boolean
- Default:
False
Auto-delete queues in AMQP.
¶ Group
Name
DEFAULT
amqp_auto_delete
- ssl¶
- Type:
boolean
- Default:
False
Connect over SSL.
¶ Group
Name
oslo_messaging_rabbit
rabbit_use_ssl
- ssl_version¶
- Type:
string
- Default:
''
SSL version to use (valid only if SSL enabled). Valid values are TLSv1 and SSLv23. SSLv2, SSLv3, TLSv1_1, and TLSv1_2 may be available on some distributions.
¶ Group
Name
oslo_messaging_rabbit
kombu_ssl_version
- ssl_key_file¶
- Type:
string
- Default:
''
SSL key file (valid only if SSL enabled).
¶ Group
Name
oslo_messaging_rabbit
kombu_ssl_keyfile
- ssl_cert_file¶
- Type:
string
- Default:
''
SSL cert file (valid only if SSL enabled).
¶ Group
Name
oslo_messaging_rabbit
kombu_ssl_certfile
- ssl_ca_file¶
- Type:
string
- Default:
''
SSL certification authority file (valid only if SSL enabled).
¶ Group
Name
oslo_messaging_rabbit
kombu_ssl_ca_certs
- ssl_enforce_fips_mode¶
- Type:
boolean
- Default:
False
Global toggle for enforcing the OpenSSL FIPS mode. This feature requires Python support. This is available in Python 3.9 in all environments and may have been backported to older Python versions on select environments. If the Python executable used does not support OpenSSL FIPS mode, an exception will be raised.
- heartbeat_in_pthread¶
- Type:
boolean
- Default:
False
(DEPRECATED) It is recommend not to use this option anymore. Run the health check heartbeat thread through a native python thread by default. If this option is equal to False then the health check heartbeat will inherit the execution model from the parent process. For example if the parent process has monkey patched the stdlib by using eventlet/greenlet then the heartbeat will be run through a green thread. This option should be set to True only for the wsgi services.
Warning
This option is deprecated for removal. Its value may be silently ignored in the future.
- Reason:
The option is related to Eventlet which will be removed. In addition this has never worked as expected with services using eventlet for core service framework.
- kombu_reconnect_delay¶
- Type:
floating point
- Default:
1.0
- Minimum Value:
0.0
- Maximum Value:
4.5
How long to wait (in seconds) before reconnecting in response to an AMQP consumer cancel notification.
¶ Group
Name
DEFAULT
kombu_reconnect_delay
- kombu_compression¶
- Type:
string
- Default:
<None>
EXPERIMENTAL: Possible values are: gzip, bz2. If not set compression will not be used. This option may not be available in future versions.
- kombu_missing_consumer_retry_timeout¶
- Type:
integer
- Default:
60
How long to wait a missing client before abandoning to send it its replies. This value should not be longer than rpc_response_timeout.
¶ Group
Name
oslo_messaging_rabbit
kombu_reconnect_timeout
- kombu_failover_strategy¶
- Type:
string
- Default:
round-robin
- Valid Values:
round-robin, shuffle
Determines how the next RabbitMQ node is chosen in case the one we are currently connected to becomes unavailable. Takes effect only if more than one RabbitMQ node is provided in config.
- rabbit_login_method¶
- Type:
string
- Default:
AMQPLAIN
- Valid Values:
PLAIN, AMQPLAIN, EXTERNAL, RABBIT-CR-DEMO
The RabbitMQ login method.
¶ Group
Name
DEFAULT
rabbit_login_method
- rabbit_retry_interval¶
- Type:
integer
- Default:
1
How frequently to retry connecting with RabbitMQ.
- rabbit_retry_backoff¶
- Type:
integer
- Default:
2
How long to backoff for between retries when connecting to RabbitMQ.
¶ Group
Name
DEFAULT
rabbit_retry_backoff
- rabbit_interval_max¶
- Type:
integer
- Default:
30
Maximum interval of RabbitMQ connection retries. Default is 30 seconds.
- rabbit_ha_queues¶
- Type:
boolean
- Default:
False
Try to use HA queues in RabbitMQ (x-ha-policy: all). If you change this option, you must wipe the RabbitMQ database. In RabbitMQ 3.0, queue mirroring is no longer controlled by the x-ha-policy argument when declaring a queue. If you just want to make sure that all queues (except those with auto-generated names) are mirrored across all nodes, run: “rabbitmqctl set_policy HA ‘^(?!amq.).*’ ‘{“ha-mode”: “all”}’ “
¶ Group
Name
DEFAULT
rabbit_ha_queues
- rabbit_quorum_queue¶
- Type:
boolean
- Default:
False
Use quorum queues in RabbitMQ (x-queue-type: quorum). The quorum queue is a modern queue type for RabbitMQ implementing a durable, replicated FIFO queue based on the Raft consensus algorithm. It is available as of RabbitMQ 3.8.0. If set this option will conflict with the HA queues (
rabbit_ha_queues
) aka mirrored queues, in other words the HA queues should be disabled. Quorum queues are also durable by default so the amqp_durable_queues option is ignored when this option is enabled.
- rabbit_transient_quorum_queue¶
- Type:
boolean
- Default:
False
Use quorum queues for transients queues in RabbitMQ. Enabling this option will then make sure those queues are also using quorum kind of rabbit queues, which are HA by default.
- rabbit_quorum_delivery_limit¶
- Type:
integer
- Default:
0
Each time a message is redelivered to a consumer, a counter is incremented. Once the redelivery count exceeds the delivery limit the message gets dropped or dead-lettered (if a DLX exchange has been configured) Used only when rabbit_quorum_queue is enabled, Default 0 which means dont set a limit.
- rabbit_quorum_max_memory_length¶
- Type:
integer
- Default:
0
By default all messages are maintained in memory if a quorum queue grows in length it can put memory pressure on a cluster. This option can limit the number of messages in the quorum queue. Used only when rabbit_quorum_queue is enabled, Default 0 which means dont set a limit.
¶ Group
Name
oslo_messaging_rabbit
rabbit_quroum_max_memory_length
- rabbit_quorum_max_memory_bytes¶
- Type:
integer
- Default:
0
By default all messages are maintained in memory if a quorum queue grows in length it can put memory pressure on a cluster. This option can limit the number of memory bytes used by the quorum queue. Used only when rabbit_quorum_queue is enabled, Default 0 which means dont set a limit.
¶ Group
Name
oslo_messaging_rabbit
rabbit_quroum_max_memory_bytes
- rabbit_transient_queues_ttl¶
- Type:
integer
- Default:
1800
- Minimum Value:
0
Positive integer representing duration in seconds for queue TTL (x-expires). Queues which are unused for the duration of the TTL are automatically deleted. The parameter affects only reply and fanout queues. Setting 0 as value will disable the x-expires. If doing so, make sure you have a rabbitmq policy to delete the queues or you deployment will create an infinite number of queue over time.In case rabbit_stream_fanout is set to True, this option will control data retention policy (x-max-age) for messages in the fanout queue rather then the queue duration itself. So the oldest data in the stream queue will be discarded from it once reaching TTL Setting to 0 will disable x-max-age for stream which make stream grow indefinitely filling up the diskspace
- rabbit_qos_prefetch_count¶
- Type:
integer
- Default:
0
Specifies the number of messages to prefetch. Setting to zero allows unlimited messages.
- heartbeat_timeout_threshold¶
- Type:
integer
- Default:
60
Number of seconds after which the Rabbit broker is considered down if heartbeat’s keep-alive fails (0 disables heartbeat).
- heartbeat_rate¶
- Type:
integer
- Default:
3
How often times during the heartbeat_timeout_threshold we check the heartbeat.
- direct_mandatory_flag¶
- Type:
boolean
- Default:
True
(DEPRECATED) Enable/Disable the RabbitMQ mandatory flag for direct send. The direct send is used as reply, so the MessageUndeliverable exception is raised in case the client queue does not exist.MessageUndeliverable exception will be used to loop for a timeout to lets a chance to sender to recover.This flag is deprecated and it will not be possible to deactivate this functionality anymore
Warning
This option is deprecated for removal. Its value may be silently ignored in the future.
- Reason:
Mandatory flag no longer deactivable.
- enable_cancel_on_failover¶
- Type:
boolean
- Default:
False
Enable x-cancel-on-ha-failover flag so that rabbitmq server will cancel and notify consumerswhen queue is down
- use_queue_manager¶
- Type:
boolean
- Default:
False
Should we use consistant queue names or random ones
- hostname¶
- Type:
string
- Default:
node1.example.com
This option has a sample default set, which means that its actual default value may vary from the one documented above.
Hostname used by queue manager. Defaults to the value returned by socket.gethostname().
- processname¶
- Type:
string
- Default:
nova-api
This option has a sample default set, which means that its actual default value may vary from the one documented above.
Process name used by queue manager
- rabbit_stream_fanout¶
- Type:
boolean
- Default:
False
Use stream queues in RabbitMQ (x-queue-type: stream). Streams are a new persistent and replicated data structure (“queue type”) in RabbitMQ which models an append-only log with non-destructive consumer semantics. It is available as of RabbitMQ 3.9.0. If set this option will replace all fanout queues with only one stream queue.
oslo_middleware¶
- enable_proxy_headers_parsing¶
- Type:
boolean
- Default:
False
Whether the application is behind a proxy or not. This determines if the middleware should parse the headers or not.
oslo_policy¶
- enforce_scope¶
- Type:
boolean
- Default:
True
This option controls whether or not to enforce scope when evaluating policies. If
True
, the scope of the token used in the request is compared to thescope_types
of the policy being enforced. If the scopes do not match, anInvalidScope
exception will be raised. IfFalse
, a message will be logged informing operators that policies are being invoked with mismatching scope.Warning
This option is deprecated for removal. Its value may be silently ignored in the future.
- Reason:
This configuration was added temporarily to facilitate a smooth transition to the new RBAC. OpenStack will always enforce scope checks. This configuration option is deprecated and will be removed in the 2025.2 cycle.
- enforce_new_defaults¶
- Type:
boolean
- Default:
True
This option controls whether or not to use old deprecated defaults when evaluating policies. If
True
, the old deprecated defaults are not going to be evaluated. This means if any existing token is allowed for old defaults but is disallowed for new defaults, it will be disallowed. It is encouraged to enable this flag along with theenforce_scope
flag so that you can get the benefits of new defaults andscope_type
together. IfFalse
, the deprecated policy check string is logically OR’d with the new policy check string, allowing for a graceful upgrade experience between releases with new policies, which is the default behavior.
- policy_file¶
- Type:
string
- Default:
policy.yaml
The relative or absolute path of a file that maps roles to permissions for a given service. Relative paths must be specified in relation to the configuration file setting this option.
- policy_default_rule¶
- Type:
string
- Default:
default
Default rule. Enforced when a requested rule is not found.
- policy_dirs¶
- Type:
multi-valued
- Default:
policy.d
Directories where policy configuration files are stored. They can be relative to any directory in the search path defined by the config_dir option, or absolute paths. The file defined by policy_file must exist for these directories to be searched. Missing or empty directories are ignored.
- remote_content_type¶
- Type:
string
- Default:
application/x-www-form-urlencoded
- Valid Values:
application/x-www-form-urlencoded, application/json
Content Type to send and receive data for REST based policy check
- remote_ssl_verify_server_crt¶
- Type:
boolean
- Default:
False
server identity verification for REST based policy check
- remote_ssl_ca_crt_file¶
- Type:
string
- Default:
<None>
Absolute path to ca cert file for REST based policy check
- remote_ssl_client_crt_file¶
- Type:
string
- Default:
<None>
Absolute path to client cert for REST based policy check
- remote_ssl_client_key_file¶
- Type:
string
- Default:
<None>
Absolute path client key file REST based policy check
- remote_timeout¶
- Type:
floating point
- Default:
60
- Minimum Value:
0
Timeout in seconds for REST based policy check
oslo_reports¶
- log_dir¶
- Type:
string
- Default:
<None>
Path to a log directory where to create a file
- file_event_handler¶
- Type:
string
- Default:
<None>
The path to a file to watch for changes to trigger the reports, instead of signals. Setting this option disables the signal trigger for the reports. If application is running as a WSGI application it is recommended to use this instead of signals.
- file_event_handler_interval¶
- Type:
integer
- Default:
1
How many seconds to wait between polls when file_event_handler is set
oslo_versionedobjects¶
- fatal_exception_format_errors¶
- Type:
boolean
- Default:
False
Make exception message format errors fatal
placement¶
- region_name¶
- Type:
string
- Default:
<None>
Name of placement region to use. Useful if Keystone manages more than one region.
- endpoint_type¶
- Type:
string
- Default:
public
- Valid Values:
public, admin, internal
Type of the placement endpoint to use. This endpoint will be looked up in the Keystone catalog and should be one of public, internal or admin.
- auth_url¶
- Type:
unknown type
- Default:
<None>
Authentication URL
- auth_type¶
- Type:
unknown type
- Default:
<None>
Authentication type to load
¶ Group
Name
placement
auth_plugin
- cafile¶
- Type:
string
- Default:
<None>
PEM encoded Certificate Authority to use when verifying HTTPs connections.
- certfile¶
- Type:
string
- Default:
<None>
PEM encoded client certificate cert file
- collect_timing¶
- Type:
boolean
- Default:
False
Collect per-API call timing information.
- default_domain_id¶
- Type:
unknown type
- Default:
<None>
Optional domain ID to use with v3 and v2 parameters. It will be used for both the user and project domain in v3 and ignored in v2 authentication.
- default_domain_name¶
- Type:
unknown type
- Default:
<None>
Optional domain name to use with v3 API and v2 parameters. It will be used for both the user and project domain in v3 and ignored in v2 authentication.
- domain_id¶
- Type:
unknown type
- Default:
<None>
Domain ID to scope to
- domain_name¶
- Type:
unknown type
- Default:
<None>
Domain name to scope to
- insecure¶
- Type:
boolean
- Default:
False
Verify HTTPS connections.
- keyfile¶
- Type:
string
- Default:
<None>
PEM encoded client certificate key file
- password¶
- Type:
unknown type
- Default:
<None>
User’s password
- project_domain_id¶
- Type:
unknown type
- Default:
<None>
Domain ID containing project
- project_domain_name¶
- Type:
unknown type
- Default:
<None>
Domain name containing project
- project_id¶
- Type:
unknown type
- Default:
<None>
Project ID to scope to
¶ Group
Name
placement
tenant-id
placement
tenant_id
- project_name¶
- Type:
unknown type
- Default:
<None>
Project name to scope to
¶ Group
Name
placement
tenant-name
placement
tenant_name
- split_loggers¶
- Type:
boolean
- Default:
False
Log requests to multiple loggers.
- system_scope¶
- Type:
unknown type
- Default:
<None>
Scope for system operations
- tenant_id¶
- Type:
unknown type
- Default:
<None>
Tenant ID
- tenant_name¶
- Type:
unknown type
- Default:
<None>
Tenant Name
- timeout¶
- Type:
integer
- Default:
<None>
Timeout value for http requests
- trust_id¶
- Type:
unknown type
- Default:
<None>
ID of the trust to use as a trustee use
- user_domain_id¶
- Type:
unknown type
- Default:
<None>
User’s domain id
- user_domain_name¶
- Type:
unknown type
- Default:
<None>
User’s domain name
- user_id¶
- Type:
unknown type
- Default:
<None>
User id
- username¶
- Type:
unknown type
- Default:
<None>
Username
¶ Group
Name
placement
user-name
placement
user_name
privsep¶
Configuration options for the oslo.privsep daemon. Note that this group name can be changed by the consuming service. Check the service’s docs to see if this is the case.
- user¶
- Type:
string
- Default:
<None>
User that the privsep daemon should run as.
- group¶
- Type:
string
- Default:
<None>
Group that the privsep daemon should run as.
- capabilities¶
- Type:
unknown type
- Default:
[]
List of Linux capabilities retained by the privsep daemon.
- thread_pool_size¶
- Type:
integer
- Default:
multiprocessing.cpu_count()
- Minimum Value:
1
This option has a sample default set, which means that its actual default value may vary from the one documented above.
The number of threads available for privsep to concurrently run processes. Defaults to the number of CPU cores in the system.
- helper_command¶
- Type:
string
- Default:
<None>
Command to invoke to start the privsep daemon if not using the “fork” method. If not specified, a default is generated using “sudo privsep-helper” and arguments designed to recreate the current configuration. This command must accept suitable –privsep_context and –privsep_sock_path arguments.
- logger_name¶
- Type:
string
- Default:
oslo_privsep.daemon
Logger name to use for this privsep context. By default all contexts log with oslo_privsep.daemon.
profiler¶
- enabled¶
- Type:
boolean
- Default:
False
Enable the profiling for all services on this node.
Default value is False (fully disable the profiling feature).
Possible values:
True: Enables the feature
False: Disables the feature. The profiling cannot be started via this project operations. If the profiling is triggered by another project, this project part will be empty.
¶ Group
Name
profiler
profiler_enabled
- trace_sqlalchemy¶
- Type:
boolean
- Default:
False
Enable SQL requests profiling in services.
Default value is False (SQL requests won’t be traced).
Possible values:
True: Enables SQL requests profiling. Each SQL query will be part of the trace and can the be analyzed by how much time was spent for that.
False: Disables SQL requests profiling. The spent time is only shown on a higher level of operations. Single SQL queries cannot be analyzed this way.
- trace_requests¶
- Type:
boolean
- Default:
False
Enable python requests package profiling.
Supported drivers: jaeger+otlp
Default value is False.
Possible values:
True: Enables requests profiling.
False: Disables requests profiling.
- hmac_keys¶
- Type:
string
- Default:
SECRET_KEY
Secret key(s) to use for encrypting context data for performance profiling.
This string value should have the following format: <key1>[,<key2>,…<keyn>], where each key is some random string. A user who triggers the profiling via the REST API has to set one of these keys in the headers of the REST API call to include profiling results of this node for this particular project.
Both “enabled” flag and “hmac_keys” config options should be set to enable profiling. Also, to generate correct profiling information across all services at least one key needs to be consistent between OpenStack projects. This ensures it can be used from client side to generate the trace, containing information from all possible resources.
- connection_string¶
- Type:
string
- Default:
messaging://
Connection string for a notifier backend.
Default value is
messaging://
which sets the notifier to oslo_messaging.Examples of possible values:
messaging://
- use oslo_messaging driver for sending spans.redis://127.0.0.1:6379
- use redis driver for sending spans.mongodb://127.0.0.1:27017
- use mongodb driver for sending spans.elasticsearch://127.0.0.1:9200
- use elasticsearch driver for sending spans.jaeger://127.0.0.1:6831
- use jaeger tracing as driver for sending spans.
- es_doc_type¶
- Type:
string
- Default:
notification
Document type for notification indexing in elasticsearch.
- es_scroll_time¶
- Type:
string
- Default:
2m
This parameter is a time value parameter (for example: es_scroll_time=2m), indicating for how long the nodes that participate in the search will maintain relevant resources in order to continue and support it.
- es_scroll_size¶
- Type:
integer
- Default:
10000
Elasticsearch splits large requests in batches. This parameter defines maximum size of each batch (for example: es_scroll_size=10000).
- socket_timeout¶
- Type:
floating point
- Default:
0.1
Redissentinel provides a timeout option on the connections. This parameter defines that timeout (for example: socket_timeout=0.1).
- sentinel_service_name¶
- Type:
string
- Default:
mymaster
Redissentinel uses a service name to identify a master redis service. This parameter defines the name (for example:
sentinal_service_name=mymaster
).
- filter_error_trace¶
- Type:
boolean
- Default:
False
Enable filter traces that contain error/exception to a separated place.
Default value is set to False.
Possible values:
True: Enable filter traces that contain error/exception.
False: Disable the filter.
profiler_jaeger¶
- service_name_prefix¶
- Type:
string
- Default:
<None>
Set service name prefix to Jaeger service name.
- process_tags¶
- Type:
dict
- Default:
{}
Set process tracer tags.
profiler_otlp¶
- service_name_prefix¶
- Type:
string
- Default:
<None>
Set service name prefix to OTLP exporters.
quotas¶
- default_quota¶
- Type:
integer
- Default:
-1
Default number of resources allowed per tenant. A negative value means unlimited.
- quota_network¶
- Type:
integer
- Default:
100
Number of networks allowed per tenant. A negative value means unlimited.
- quota_subnet¶
- Type:
integer
- Default:
100
Number of subnets allowed per tenant, A negative value means unlimited.
- quota_port¶
- Type:
integer
- Default:
500
Number of ports allowed per tenant. A negative value means unlimited.
- quota_driver¶
- Type:
string
- Default:
neutron.db.quota.driver_nolock.DbQuotaNoLockDriver
Default driver to use for quota checks.
- track_quota_usage¶
- Type:
boolean
- Default:
True
When set to True, quota usage will be tracked in the Neutron database for each resource, by directly mapping to a data model class, for example, networks, subnets, ports, etc. When set to False, quota usage will be tracked by the quota engine as a count of the object type directly. For more information, see the Quota Management and Enforcement guide.
- quota_router¶
- Type:
integer
- Default:
10
Number of routers allowed per tenant. A negative value means unlimited.
- quota_floatingip¶
- Type:
integer
- Default:
50
Number of floating IPs allowed per tenant. A negative value means unlimited.
- quota_security_group¶
- Type:
integer
- Default:
10
Number of security groups allowed per tenant. A negative value means unlimited.
- quota_security_group_rule¶
- Type:
integer
- Default:
100
Number of security group rules allowed per tenant. A negative value means unlimited.
ssl¶
- ca_file¶
- Type:
string
- Default:
<None>
CA certificate file to use to verify connecting clients.
¶ Group
Name
DEFAULT
ssl_ca_file
- cert_file¶
- Type:
string
- Default:
<None>
Certificate file to use when starting the server securely.
¶ Group
Name
DEFAULT
ssl_cert_file
- key_file¶
- Type:
string
- Default:
<None>
Private key file to use when starting the server securely.
¶ Group
Name
DEFAULT
ssl_key_file
- version¶
- Type:
string
- Default:
<None>
SSL version to use (valid only if SSL enabled). Valid values are TLSv1 and SSLv23. SSLv2, SSLv3, TLSv1_1, and TLSv1_2 may be available on some distributions.
- ciphers¶
- Type:
string
- Default:
<None>
Sets the list of available ciphers. value should be a string in the OpenSSL cipher list format.