Configuration Reference

Red Hat OpenStack Platform 13

Configuring Red Hat OpenStack Platform environments

OpenStack Documentation Team

rhos-docs@redhat.com

OpenStack Documentation Team

rhos-docs@redhat.com

Abstract

This document is for system administrators who want to look up configuration options. It contains lists of configuration options available with OpenStack and uses auto-generation to generate options and the descriptions from the code for each project.

Preface

This document describes the options available in the configuration files for each of the major services in Red Hat OpenStack Platform. The content is automatically generated based on the values in the configuration files themselves, and is provided for reference purposes only.

Warning

Manually editing configuration files is not supported. All configuration changes must be made through the Director. Red Hat provides this guide as a technical reference only.

Chapter 1. barbican

The following chapter contains information about the configuration options in the barbican service.

1.1. barbican.conf

This section contains options for the /etc/barbican/barbican.conf file.

1.1.1. DEFAULT

The following table outlines the options available under the [DEFAULT] group in the /etc/barbican/barbican.conf file.

Table 1.1. DEFAULT
Configuration option = Default value	Type	Description
`admin_role = admin`	string value	Role used to identify an authenticated user as administrator.
`allow_anonymous_access = False`	boolean value	Allow unauthenticated users to access the API with read-only privileges. This only applies when using ContextMiddleware.
`api_paste_config = api-paste.ini`	string value	File name for the paste.deploy config for api service
`backdoor_port = None`	string value	Enable eventlet backdoor. Acceptable values are 0, <port>, and <start>:<end>, where 0 results in listening on a random tcp port number; <port> results in listening on the specified port number (and not enabling backdoor if that port is in use); and <start>:<end> results in listening on the smallest unused port number within the specified range of port numbers. The chosen port is displayed in the service’s log file.
`backdoor_socket = None`	string value	Enable eventlet backdoor, using the provided path as a unix socket that can receive connections. This option is mutually exclusive with backdoor_port in that only one should be provided. If both are provided then the existence of this option overrides the usage of that option.
`client_socket_timeout = 900`	integer value	Timeout for client connections' socket operations. If an incoming connection is idle for this number of seconds it will be closed. A value of 0 means wait forever.
`conn_pool_min_size = 2`	integer value	The pool size limit for connections expiration policy
`conn_pool_ttl = 1200`	integer value	The time-to-live in sec of idle connections in the pool
`control_exchange = openstack`	string value	The default exchange under which topics are scoped. May be overridden by an exchange name specified in the transport_url option.
`db_auto_create = True`	boolean value	Create the Barbican database on service startup.
`debug = False`	boolean value	If set to true, the logging level will be set to DEBUG instead of the default INFO level.
`default_limit_paging = 10`	integer value	Default page size for the limit paging URL parameter.
default_log_levels = [u'amqp=WARN', u'amqplib=WARN', u'boto=WARN', u'qpid=WARN', u'sqlalchemy=WARN', u'suds=INFO', u'oslo.messaging=INFO', u'oslo_messaging=INFO', u'iso8601=WARN', u'requests.packages.urllib3.connectionpool=WARN', u'urllib3.connectionpool=WARN', u'websocket=WARN', u'requests.packages.urllib3.util.retry=WARN', u'urllib3.util.retry=WARN', u'keystonemiddleware=WARN', u'routes.middleware=WARN', u'stevedore=WARN', u'taskflow=WARN', u'keystoneauth=WARN', u'oslo.cache=INFO', u'dogpile.core.dogpile=INFO']	list value	List of package logging levels in logger=LEVEL pairs. This option is ignored if log_config_append is set.
`executor_thread_pool_size = 64`	integer value	Size of executor thread pool when executor is threading or eventlet.
`fatal_deprecations = False`	boolean value	Enables or disables fatal status of deprecations.
`host_href = http://localhost:9311`	string value	Host name, for use in HATEOAS-style references Note: Typically this would be the load balanced endpoint that clients would use to communicate back with this service. If a deployment wants to derive host from wsgi request instead then make this blank. Blank is needed to override default config value which is http://localhost:9311
`instance_format = [instance: %(uuid)s] `	string value	The format for an instance that is passed with the log message.
`instance_uuid_format = [instance: %(uuid)s] `	string value	The format for an instance UUID that is passed with the log message.
`log-config-append = None`	string value	The name of a logging configuration file. This file is appended to any existing logging configuration files. For details about logging configuration files, see the Python logging module documentation. Note that when logging configuration files are used then all logging configuration is set in the configuration file and other logging configuration options are ignored (for example, logging_context_format_string).
`log-date-format = %Y-%m-%d %H:%M:%S`	string value	Defines the format string for %%(asctime)s in log records. Default: %(default)s . This option is ignored if log_config_append is set.
`log-dir = None`	string value	(Optional) The base directory used for relative log_file paths. This option is ignored if log_config_append is set.
`log-file = None`	string value	(Optional) Name of log file to send logging output to. If no default is set, logging will go to stderr as defined by use_stderr. This option is ignored if log_config_append is set.
`logging_context_format_string = %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [%(request_id)s %(user_identity)s] %(instance)s%(message)s`	string value	Format string to use for log messages with context.
`logging_debug_format_suffix = %(funcName)s %(pathname)s:%(lineno)d`	string value	Additional data to append to log message when logging level for the message is DEBUG.
`logging_default_format_string = %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [-] %(instance)s%(message)s`	string value	Format string to use for log messages when context is undefined.
`logging_exception_prefix = %(asctime)s.%(msecs)03d %(process)d ERROR %(name)s %(instance)s`	string value	Prefix each line of exception output with this format.
`logging_user_identity_format = %(user)s %(tenant)s %(domain)s %(user_domain)s %(project_domain)s`	string value	Defines the format string for %(user_identity)s that is used in logging_context_format_string.
`max_allowed_request_size_in_bytes = 15000`	integer value	Maximum allowed http request size against the barbican-api.
`max_allowed_secret_in_bytes = 10000`	integer value	Maximum allowed secret size in bytes.
`max_header_line = 16384`	integer value	Maximum line size of message headers to be accepted. max_header_line may need to be increased when using large tokens (typically those generated when keystone is configured to use PKI tokens with big service catalogs).
`max_limit_paging = 100`	integer value	Maximum page size for the limit paging URL parameter.
`publish_errors = False`	boolean value	Enables or disables publication of error events.
`rate_limit_burst = 0`	integer value	Maximum number of logged messages per rate_limit_interval.
`rate_limit_except_level = CRITICAL`	string value	Log level name used by rate limiting: CRITICAL, ERROR, INFO, WARNING, DEBUG or empty string. Logs with level greater or equal to rate_limit_except_level are not filtered. An empty string means that all levels are filtered.
`rate_limit_interval = 0`	integer value	Interval, number of seconds, of log rate limiting.
`rpc_ack_timeout_base = 15`	integer value	Number of seconds to wait for an ack from a cast/call. After each retry attempt this timeout is multiplied by some specified multiplier.
`rpc_ack_timeout_multiplier = 2`	integer value	Number to multiply base ack timeout by after each retry attempt.
`rpc_backend = rabbit`	string value	The messaging driver to use, defaults to rabbit. Other drivers include amqp and zmq.
`rpc_conn_pool_size = 30`	integer value	Size of RPC connection pool.
`rpc_message_ttl = 300`	integer value	Expiration timeout in seconds of a sent/received message after which it is not tracked anymore by a client/server.
`rpc_poll_timeout = 1`	integer value	The default number of seconds that poll should wait. Poll raises timeout exception when timeout expired.
`rpc_response_timeout = 60`	integer value	Seconds to wait for a response from a call.
`rpc_retry_attempts = 3`	integer value	Default number of message sending attempts in case of any problems occurred: positive value N means at most N retries, 0 means no retries, None or -1 (or any other negative values) mean to retry forever. This option is used only if acknowledgments are enabled.
`rpc_thread_pool_size = 100`	integer value	Maximum number of (green) threads to work concurrently.
`rpc_use_acks = False`	boolean value	Wait for message acknowledgements from receivers. This mechanism works only via proxy without PUB/SUB.
`rpc_zmq_bind_address = *`	string value	ZeroMQ bind address. Should be a wildcard (*), an ethernet interface, or IP. The "host" option should point or resolve to this address.
`rpc_zmq_bind_port_retries = 100`	integer value	Number of retries to find free port number before fail with ZMQBindError.
`rpc_zmq_contexts = 1`	integer value	Number of ZeroMQ contexts, defaults to 1.
`rpc_zmq_host = ccsosp-undercloud.usersys.redhat.com`	string value	Name of this node. Must be a valid hostname, FQDN, or IP address. Must match "host" option, if running Nova.
`rpc_zmq_ipc_dir = /var/run/openstack`	string value	Directory for holding IPC sockets.
`rpc_zmq_matchmaker = redis`	string value	MatchMaker driver.
`rpc_zmq_max_port = 65536`	integer value	Maximal port number for random ports range.
`rpc_zmq_min_port = 49153`	port value	Minimal port number for random ports range.
`rpc_zmq_serialization = json`	string value	Default serialization mechanism for serializing/deserializing outgoing/incoming messages
`rpc_zmq_topic_backlog = None`	integer value	Maximum number of ingress messages to locally buffer per topic. Default is unlimited.
`run_external_periodic_tasks = True`	boolean value	Some periodic tasks can be run in a separate process. Should we run them here?
`sql_connection = sqlite:///barbican.sqlite`	string value	SQLAlchemy connection string for the reference implementation registry server. Any valid SQLAlchemy connection string is fine. See: http://www.sqlalchemy.org/docs/05/reference/sqlalchemy/connections.html#sqlalchemy.create_engine. Note: For absolute addresses, use //// slashes after sqlite:.
`sql_idle_timeout = 3600`	integer value	Period in seconds after which SQLAlchemy should reestablish its connection to the database. MySQL uses a default `wait_timeout` of 8 hours, after which it will drop idle connections. This can result in MySQL Gone Away exceptions. If you notice this, you can lower this value to ensure that SQLAlchemy reconnects before MySQL can drop the connection.
`sql_max_retries = 60`	integer value	Maximum number of database connection retries during startup. Set to -1 to specify an infinite retry count.
`sql_pool_class = QueuePool`	string value	Accepts a class imported from the sqlalchemy.pool module, and handles the details of building the pool for you. If commented out, SQLAlchemy will select based on the database dialect. Other options are QueuePool (for SQLAlchemy-managed connections) and NullPool (to disabled SQLAlchemy management of connections). See http://docs.sqlalchemy.org/en/latest/core/pooling.html for more details
`sql_pool_logging = False`	boolean value	Show SQLAlchemy pool-related debugging output in logs (sets DEBUG log level output) if specified.
`sql_pool_max_overflow = 10`	integer value	The maximum overflow size of the pool used by SQLAlchemy. When the number of checked-out connections reaches the size set in sql_pool_size, additional connections will be returned up to this limit. It follows then that the total number of simultaneous connections the pool will allow is sql_pool_size + sql_pool_max_overflow. Can be set to -1 to indicate no overflow limit, so no limit will be placed on the total number of concurrent connections. Comment out to allow SQLAlchemy to select the default.
`sql_pool_size = 5`	integer value	Size of pool used by SQLAlchemy. This is the largest number of connections that will be kept persistently in the pool. Can be set to 0 to indicate no size limit. To disable pooling, use a NullPool with sql_pool_class instead. Comment out to allow SQLAlchemy to select the default.
`sql_retry_interval = 1`	integer value	Interval between retries of opening a SQL connection.
`subscribe_on = []`	list value	List of publisher hosts SubConsumer can subscribe on. This option has higher priority then the default publishers list taken from the matchmaker.
`syslog-log-facility = LOG_USER`	string value	Syslog facility to receive log lines. This option is ignored if log_config_append is set.
`tcp_keepidle = 600`	integer value	Sets the value of TCP_KEEPIDLE in seconds for each server socket. Not supported on OS X.
`transport_url = None`	string value	The network address and optional user credentials for connecting to the messaging backend, in URL format. The expected format is: driver://[user:pass@]host:port[,[userN:passN@]hostN:portN]/virtual_host?query Example: rabbit://rabbitmq:password@127.0.0.1:5672// For full details on the fields in the URL see the documentation of oslo_messaging.TransportURL at https://docs.openstack.org/oslo.messaging/latest/reference/transport.html
`use-journal = False`	boolean value	Enable journald for logging. If running in a systemd environment you may wish to enable journal support. Doing so will use the journal native protocol which includes structured metadata in addition to log messages.This option is ignored if log_config_append is set.
`use-json = False`	boolean value	Use JSON formatting for logging. This option is ignored if log_config_append is set.
`use-syslog = False`	boolean value	Use syslog for logging. Existing syslog format is DEPRECATED and will be changed later to honor RFC5424. This option is ignored if log_config_append is set.
`use_dynamic_connections = False`	boolean value	This option makes direct connections dynamic or static. It makes sense only with use_router_proxy=False which means to use direct connections for direct message types (ignored otherwise).
`use_pub_sub = False`	boolean value	Use PUB/SUB pattern for fanout methods. PUB/SUB always uses proxy.
`use_router_proxy = False`	boolean value	Use ROUTER remote proxy.
`use_stderr = False`	boolean value	Log output to standard error. This option is ignored if log_config_append is set.
`watch-log-file = False`	boolean value	Uses logging handler designed to watch file system. When log file is moved or removed this handler will open a new log file with specified path instantaneously. It makes sense only if log_file option is specified and Linux platform is used. This option is ignored if log_config_append is set.
`wsgi_default_pool_size = 100`	integer value	Size of the pool of greenthreads used by wsgi
`wsgi_keep_alive = True`	boolean value	If False, closes the client socket connection explicitly.
`wsgi_log_format = %(client_ip)s "%(request_line)s" status: %(status_code)s len: %(body_length)s time: %(wall_seconds).7f`	string value	A python format string that is used as the template to generate log lines. The following values can beformatted into it: client_ip, date_time, request_line, status_code, body_length, wall_seconds.
`zmq_failover_connections = 2`	integer value	How many additional connections to a host will be made for failover reasons. This option is actual only in dynamic connections mode.
`zmq_immediate = True`	boolean value	This option configures round-robin mode in zmq socket. True means not keeping a queue when server side disconnects. False means to keep queue and messages even if server is disconnected, when the server appears we send all accumulated messages to it.
`zmq_linger = -1`	integer value	Number of seconds to wait before all pending messages will be sent after closing a socket. The default value of -1 specifies an infinite linger period. The value of 0 specifies no linger period. Pending messages shall be discarded immediately when the socket is closed. Positive values specify an upper bound for the linger period.
`zmq_target_expire = 300`	integer value	Expiration timeout in seconds of a name service record about existing target ( < 0 means no timeout).
`zmq_target_update = 180`	integer value	Update period in seconds of a name service record about existing target.
`zmq_tcp_keepalive = -1`	integer value	Enable/disable TCP keepalive (KA) mechanism. The default value of -1 (or any other negative value) means to skip any overrides and leave it to OS default; 0 and 1 (or any other positive value) mean to disable and enable the option respectively.
`zmq_tcp_keepalive_cnt = -1`	integer value	The number of retransmissions to be carried out before declaring that remote end is not available. The default value of -1 (or any other negative value and 0) means to skip any overrides and leave it to OS default.
`zmq_tcp_keepalive_idle = -1`	integer value	The duration between two keepalive transmissions in idle condition. The unit is platform dependent, for example, seconds in Linux, milliseconds in Windows etc. The default value of -1 (or any other negative value and 0) means to skip any overrides and leave it to OS default.
`zmq_tcp_keepalive_intvl = -1`	integer value	The duration between two successive keepalive retransmissions, if acknowledgement to the previous keepalive transmission is not received. The unit is platform dependent, for example, seconds in Linux, milliseconds in Windows etc. The default value of -1 (or any other negative value and 0) means to skip any overrides and leave it to OS default.

1.1.2. certificate

The following table outlines the options available under the [certificate] group in the /etc/barbican/barbican.conf file.

Table 1.2. certificate
Configuration option = Default value	Type	Description
`enabled_certificate_plugins = [u'simple_certificate']`	multi valued	List of certificate plugins to load.
`namespace = barbican.certificate.plugin`	string value	Extension namespace to search for plugins.

1.1.3. certificate_event

The following table outlines the options available under the [certificate_event] group in the /etc/barbican/barbican.conf file.

Table 1.3. certificate_event
Configuration option = Default value	Type	Description
`enabled_certificate_event_plugins = [u'simple_certificate_event']`	multi valued	List of certificate plugins to load.
`namespace = barbican.certificate.event.plugin`	string value	Extension namespace to search for eventing plugins.

1.1.4. cors

The following table outlines the options available under the [cors] group in the /etc/barbican/barbican.conf file.

Table 1.4. cors
Configuration option = Default value	Type	Description
`allow_credentials = True`	boolean value	Indicate that the actual request can include user credentials
`allow_headers = [u'X-Auth-Token', u'X-Openstack-Request-Id', u'X-Project-Id', u'X-Identity-Status', u'X-User-Id', u'X-Storage-Token', u'X-Domain-Id', u'X-User-Domain-Id', u'X-Project-Domain-Id', u'X-Roles']`	list value	Indicate which header field names may be used during the actual request.
`allow_methods = [u'GET', u'PUT', u'POST', u'DELETE', u'PATCH']`	list value	Indicate which methods can be used during the actual request.
`allowed_origin = None`	list value	Indicate whether this resource may be shared with the domain received in the requests "origin" header. Format: "<protocol>://<host>[:<port>]", no trailing slash. Example: https://horizon.example.com
`expose_headers = [u'X-Auth-Token', u'X-Openstack-Request-Id', u'X-Project-Id', u'X-Identity-Status', u'X-User-Id', u'X-Storage-Token', u'X-Domain-Id', u'X-User-Domain-Id', u'X-Project-Domain-Id', u'X-Roles']`	list value	Indicate which headers are safe to expose to the API. Defaults to HTTP Simple Headers.
`max_age = 3600`	integer value	Maximum cache age of CORS preflight requests.

1.1.5. crypto

The following table outlines the options available under the [crypto] group in the /etc/barbican/barbican.conf file.

Table 1.5. crypto
Configuration option = Default value	Type	Description
`enabled_crypto_plugins = [u'simple_crypto']`	multi valued	List of crypto plugins to load.
`namespace = barbican.crypto.plugin`	string value	Extension namespace to search for plugins.

1.1.6. dogtag_plugin

The following table outlines the options available under the [dogtag_plugin] group in the /etc/barbican/barbican.conf file.

Table 1.6. dogtag_plugin
Configuration option = Default value	Type	Description
`auto_approved_profiles = caServerCert`	string value	List of automatically approved enrollment profiles
`ca_expiration_time = 1`	string value	Time in days for CA entries to expire
`dogtag_host = localhost`	string value	Hostname for the Dogtag instance
`dogtag_port = 8443`	port value	Port for the Dogtag instance
`nss_db_path = /etc/barbican/alias`	string value	Path to the NSS certificate database
`nss_password = None`	string value	Password for the NSS certificate databases
`pem_path = /etc/barbican/kra_admin_cert.pem`	string value	Path to PEM file for authentication
`plugin_name = Dogtag KRA`	string value	User friendly plugin name
`plugin_working_dir = /etc/barbican/dogtag`	string value	Working directory for Dogtag plugin
`retries = 3`	integer value	Retries when storing or generating secrets
`simple_cmc_profile = caOtherCert`	string value	Profile for simple CMC requests

1.1.7. keystone_authtoken

The following table outlines the options available under the [keystone_authtoken] group in the /etc/barbican/barbican.conf file.

Table 1.7. keystone_authtoken
Configuration option = Default value	Type	Description
`auth_section = None`	string value	Config Section from which to load plugin specific options
`auth_type = None`	string value	Authentication type to load
`auth_uri = None`	string value	Complete "public" Identity API endpoint. This endpoint should not be an "admin" endpoint, as it should be accessible by all end users. Unauthenticated clients are redirected to this endpoint to authenticate. Although this endpoint should ideally be unversioned, client support in the wild varies. If you’re using a versioned v2 endpoint here, then this should not be the same endpoint the service user utilizes for validating tokens, because normal end users may not be able to reach that endpoint. This option is deprecated in favor of www_authenticate_uri and will be removed in the S release.
`auth_version = None`	string value	API version of the admin Identity API endpoint.
`cache = None`	string value	Request environment key where the Swift cache object is stored. When auth_token middleware is deployed with a Swift cache, use this option to have the middleware share a caching backend with swift. Otherwise, use the `memcached_servers` option instead.
`cafile = None`	string value	A PEM encoded Certificate Authority to use when verifying HTTPs connections. Defaults to system CAs.
`certfile = None`	string value	Required if identity server requires client certificate
`check_revocations_for_cached = False`	boolean value	If true, the revocation list will be checked for cached tokens. This requires that PKI tokens are configured on the identity server.
`delay_auth_decision = False`	boolean value	Do not handle authorization requests within the middleware, but delegate the authorization decision to downstream WSGI components.
`enforce_token_bind = permissive`	string value	Used to control the use and type of token binding. Can be set to: "disabled" to not check token binding. "permissive" (default) to validate binding information if the bind type is of a form known to the server and ignore it if not. "strict" like "permissive" but if the bind type is unknown the token will be rejected. "required" any form of token binding is needed to be allowed. Finally the name of a binding method that must be present in tokens.
`hash_algorithms = [u'md5']`	list value	Hash algorithms to use for hashing PKI tokens. This may be a single algorithm or multiple. The algorithms are those supported by Python standard hashlib.new(). The hashes will be tried in the order given, so put the preferred one first for performance. The result of the first hash will be stored in the cache. This will typically be set to multiple values only while migrating from a less secure algorithm to a more secure one. Once all the old tokens are expired this option should be set to a single value for better performance.
`http_connect_timeout = None`	integer value	Request timeout value for communicating with Identity API server.
`http_request_max_retries = 3`	integer value	How many times are we trying to reconnect when communicating with Identity API Server.
`include_service_catalog = True`	boolean value	(Optional) Indicate whether to set the X-Service-Catalog header. If False, middleware will not ask for service catalog on token validation and will not set the X-Service-Catalog header.
`insecure = False`	boolean value	Verify HTTPS connections.
`keyfile = None`	string value	Required if identity server requires client certificate
`memcache_pool_conn_get_timeout = 10`	integer value	(Optional) Number of seconds that an operation will wait to get a memcached client connection from the pool.
`memcache_pool_dead_retry = 300`	integer value	(Optional) Number of seconds memcached server is considered dead before it is tried again.
`memcache_pool_maxsize = 10`	integer value	(Optional) Maximum total number of open connections to every memcached server.
`memcache_pool_socket_timeout = 3`	integer value	(Optional) Socket timeout in seconds for communicating with a memcached server.
`memcache_pool_unused_timeout = 60`	integer value	(Optional) Number of seconds a connection to memcached is held unused in the pool before it is closed.
`memcache_secret_key = None`	string value	(Optional, mandatory if memcache_security_strategy is defined) This string is used for key derivation.
`memcache_security_strategy = None`	string value	(Optional) If defined, indicate whether token data should be authenticated or authenticated and encrypted. If MAC, token data is authenticated (with HMAC) in the cache. If ENCRYPT, token data is encrypted and authenticated in the cache. If the value is not one of these options or empty, auth_token will raise an exception on initialization.
`memcache_use_advanced_pool = False`	boolean value	(Optional) Use the advanced (eventlet safe) memcached client pool. The advanced pool will only work under python 2.x.
`memcached_servers = None`	list value	Optionally specify a list of memcached server(s) to use for caching. If left undefined, tokens will instead be cached in-process.
`region_name = None`	string value	The region in which the identity server can be found.
`revocation_cache_time = 10`	integer value	Determines the frequency at which the list of revoked tokens is retrieved from the Identity service (in seconds). A high number of revocation events combined with a low cache duration may significantly reduce performance. Only valid for PKI tokens. This option has been deprecated in the Ocata release and will be removed in the P release.
`service_token_roles = [u'service']`	list value	A choice of roles that must be present in a service token. Service tokens are allowed to request that an expired token can be used and so this check should tightly control that only actual services should be sending this token. Roles here are applied as an ANY check so any role in this list must be present. For backwards compatibility reasons this currently only affects the allow_expired check.
`service_token_roles_required = False`	boolean value	For backwards compatibility reasons we must let valid service tokens pass that don’t pass the service_token_roles check as valid. Setting this true will become the default in a future release and should be enabled if possible.
`signing_dir = None`	string value	Directory used to cache files related to PKI tokens. This option has been deprecated in the Ocata release and will be removed in the P release.
`token_cache_time = 300`	integer value	In order to prevent excessive effort spent validating tokens, the middleware caches previously-seen tokens for a configurable duration (in seconds). Set to -1 to disable caching completely.
`www_authenticate_uri = None`	string value	Complete "public" Identity API endpoint. This endpoint should not be an "admin" endpoint, as it should be accessible by all end users. Unauthenticated clients are redirected to this endpoint to authenticate. Although this endpoint should ideally be unversioned, client support in the wild varies. If you’re using a versioned v2 endpoint here, then this should not be the same endpoint the service user utilizes for validating tokens, because normal end users may not be able to reach that endpoint.

1.1.8. keystone_notifications

The following table outlines the options available under the [keystone_notifications] group in the /etc/barbican/barbican.conf file.

Table 1.8. keystone_notifications
Configuration option = Default value	Type	Description
`allow_requeue = False`	boolean value	True enables requeue feature in case of notification processing error. Enable this only when underlying transport supports this feature.
`control_exchange = openstack`	string value	The default exchange under which topics are scoped. May be overridden by an exchange name specified in the transport_url option.
`enable = False`	boolean value	True enables keystone notification listener functionality.
`thread_pool_size = 10`	integer value	Define the number of max threads to be used for notification server processing functionality.
`topic = notifications`	string value	Keystone notification queue topic name. This name needs to match one of values mentioned in Keystone deployment’s notification_topics configuration e.g. notification_topics=notifications, barbican_notificationsMultiple servers may listen on a topic and messages will be dispatched to one of the servers in a round-robin fashion. That’s why Barbican service should have its own dedicated notification queue so that it receives all of Keystone notifications.
`version = 1.0`	string value	Version of tasks invoked via notifications

1.1.9. kmip_plugin

The following table outlines the options available under the [kmip_plugin] group in the /etc/barbican/barbican.conf file.

Table 1.9. kmip_plugin
Configuration option = Default value	Type	Description
`ca_certs = None`	string value	File path to concatenated "certification authority" certificates
`certfile = None`	string value	File path to local client certificate
`host = localhost`	string value	Address of the KMIP server
`keyfile = None`	string value	File path to local client certificate keyfile
`password = None`	string value	Password for authenticating with KMIP server
`pkcs1_only = False`	boolean value	Only support PKCS#1 encoding of asymmetric keys
`plugin_name = KMIP HSM`	string value	User friendly plugin name
`port = 5696`	port value	Port for the KMIP server
`ssl_version = PROTOCOL_TLSv1_2`	string value	SSL version, maps to the module ssl’s constants
`username = None`	string value	Username for authenticating with KMIP server

1.1.10. matchmaker_redis

The following table outlines the options available under the [matchmaker_redis] group in the /etc/barbican/barbican.conf file.

Table 1.10. matchmaker_redis
Configuration option = Default value	Type	Description
`check_timeout = 20000`	integer value	Time in ms to wait before the transaction is killed.
`host = 127.0.0.1`	string value	Host to locate redis.
`password = `	string value	Password for Redis server (optional).
`port = 6379`	port value	Use this port to connect to redis host.
`sentinel_group_name = oslo-messaging-zeromq`	string value	Redis replica set name.
`sentinel_hosts = []`	list value	List of Redis Sentinel hosts (fault tolerance mode), e.g., [host:port, host1:port … ]
`socket_timeout = 10000`	integer value	Timeout in ms on blocking socket operations.
`wait_timeout = 2000`	integer value	Time in ms to wait between connection attempts.

1.1.11. oslo_messaging_amqp

The following table outlines the options available under the [oslo_messaging_amqp] group in the /etc/barbican/barbican.conf file.

Table 1.11. oslo_messaging_amqp
Configuration option = Default value	Type	Description
`addressing_mode = dynamic`	string value	Indicates the addressing mode used by the driver. Permitted values: legacy - use legacy non-routable addressing routable - use routable addresses dynamic - use legacy addresses if the message bus does not support routing otherwise use routable addressing
`allow_insecure_clients = False`	boolean value	Accept clients using either SSL or plain TCP
`anycast_address = anycast`	string value	Appended to the address prefix when sending to a group of consumers. Used by the message bus to identify messages that should be delivered in a round-robin fashion across consumers.
`broadcast_prefix = broadcast`	string value	address prefix used when broadcasting to all servers
`connection_retry_backoff = 2`	integer value	Increase the connection_retry_interval by this many seconds after each unsuccessful failover attempt.
`connection_retry_interval = 1`	integer value	Seconds to pause before attempting to re-connect.
`connection_retry_interval_max = 30`	integer value	Maximum limit for connection_retry_interval + connection_retry_backoff
`container_name = None`	string value	Name for the AMQP container. must be globally unique. Defaults to a generated UUID
`default_notification_exchange = None`	string value	Exchange name used in notification addresses. Exchange name resolution precedence: Target.exchange if set else default_notification_exchange if set else control_exchange if set else notify
`default_notify_timeout = 30`	integer value	The deadline for a sent notification message delivery. Only used when caller does not provide a timeout expiry.
`default_reply_retry = 0`	integer value	The maximum number of attempts to re-send a reply message which failed due to a recoverable error.
`default_reply_timeout = 30`	integer value	The deadline for an rpc reply message delivery.
`default_rpc_exchange = None`	string value	Exchange name used in RPC addresses. Exchange name resolution precedence: Target.exchange if set else default_rpc_exchange if set else control_exchange if set else rpc
`default_send_timeout = 30`	integer value	The deadline for an rpc cast or call message delivery. Only used when caller does not provide a timeout expiry.
`default_sender_link_timeout = 600`	integer value	The duration to schedule a purge of idle sender links. Detach link after expiry.
`group_request_prefix = unicast`	string value	address prefix when sending to any server in group
`idle_timeout = 0`	integer value	Timeout for inactive connections (in seconds)
`link_retry_delay = 10`	integer value	Time to pause between re-connecting an AMQP 1.0 link that failed due to a recoverable error.
`multicast_address = multicast`	string value	Appended to the address prefix when sending a fanout message. Used by the message bus to identify fanout messages.
`notify_address_prefix = openstack.org/om/notify`	string value	Address prefix for all generated Notification addresses
`notify_server_credit = 100`	integer value	Window size for incoming Notification messages
`password = `	string value	Password for message broker authentication
`pre_settled = [u'rpc-cast', u'rpc-reply']`	multi valued	Send messages of this type pre-settled. Pre-settled messages will not receive acknowledgement from the peer. Note well: pre-settled messages may be silently discarded if the delivery fails. Permitted values: rpc-call - send RPC Calls pre-settled rpc-reply- send RPC Replies pre-settled rpc-cast - Send RPC Casts pre-settled notify - Send Notifications pre-settled
`pseudo_vhost = True`	boolean value	Enable virtual host support for those message buses that do not natively support virtual hosting (such as qpidd). When set to true the virtual host name will be added to all message bus addresses, effectively creating a private subnet per virtual host. Set to False if the message bus supports virtual hosting using the hostname field in the AMQP 1.0 Open performative as the name of the virtual host.
`reply_link_credit = 200`	integer value	Window size for incoming RPC Reply messages.
`rpc_address_prefix = openstack.org/om/rpc`	string value	Address prefix for all generated RPC addresses
`rpc_server_credit = 100`	integer value	Window size for incoming RPC Request messages
`sasl_config_dir = `	string value	Path to directory that contains the SASL configuration
`sasl_config_name = `	string value	Name of configuration file (without .conf suffix)
`sasl_default_realm = `	string value	SASL realm to use if no realm present in username
`sasl_mechanisms = `	string value	Space separated list of acceptable SASL mechanisms
`server_request_prefix = exclusive`	string value	address prefix used when sending to a specific server
`ssl = False`	boolean value	Attempt to connect via SSL. If no other ssl-related parameters are given, it will use the system’s CA-bundle to verify the server’s certificate.
`ssl_ca_file = `	string value	CA certificate PEM file used to verify the server’s certificate
`ssl_cert_file = `	string value	Self-identifying certificate PEM file for client authentication
`ssl_key_file = `	string value	Private key PEM file used to sign ssl_cert_file certificate (optional)
`ssl_key_password = None`	string value	Password for decrypting ssl_key_file (if encrypted)
`ssl_verify_vhost = False`	boolean value	By default SSL checks that the name in the server’s certificate matches the hostname in the transport_url. In some configurations it may be preferable to use the virtual hostname instead, for example if the server uses the Server Name Indication TLS extension (rfc6066) to provide a certificate per virtual host. Set ssl_verify_vhost to True if the server’s SSL certificate uses the virtual host name instead of the DNS name.
`trace = False`	boolean value	Debug: dump AMQP frames to stdout
`unicast_address = unicast`	string value	Appended to the address prefix when sending to a particular RPC/Notification server. Used by the message bus to identify messages sent to a single destination.
`username = `	string value	User name for message broker authentication

1.1.12. oslo_messaging_kafka

The following table outlines the options available under the [oslo_messaging_kafka] group in the /etc/barbican/barbican.conf file.

Table 1.12. oslo_messaging_kafka
Configuration option = Default value	Type	Description
`conn_pool_min_size = 2`	integer value	The pool size limit for connections expiration policy
`conn_pool_ttl = 1200`	integer value	The time-to-live in sec of idle connections in the pool
`consumer_group = oslo_messaging_consumer`	string value	Group id for Kafka consumer. Consumers in one group will coordinate message consumption
`kafka_consumer_timeout = 1.0`	floating point value	Default timeout(s) for Kafka consumers
`kafka_default_host = localhost`	string value	Default Kafka broker Host
`kafka_default_port = 9092`	port value	Default Kafka broker Port
`kafka_max_fetch_bytes = 1048576`	integer value	Max fetch bytes of Kafka consumer
`pool_size = 10`	integer value	Pool Size for Kafka Consumers
`producer_batch_size = 16384`	integer value	Size of batch for the producer async send
`producer_batch_timeout = 0.0`	floating point value	Upper bound on the delay for KafkaProducer batching in seconds

1.1.13. oslo_messaging_notifications

The following table outlines the options available under the [oslo_messaging_notifications] group in the /etc/barbican/barbican.conf file.

Table 1.13. oslo_messaging_notifications
Configuration option = Default value	Type	Description
`driver = []`	multi valued	The Drivers(s) to handle sending notifications. Possible values are messaging, messagingv2, routing, log, test, noop
`retry = -1`	integer value	The maximum number of attempts to re-send a notification message which failed to be delivered due to a recoverable error. 0 - No retry, -1 - indefinite
`topics = [u'notifications']`	list value	AMQP topic used for OpenStack notifications.
`transport_url = None`	string value	A URL representing the messaging driver to use for notifications. If not set, we fall back to the same configuration used for RPC.

1.1.14. oslo_messaging_rabbit

The following table outlines the options available under the [oslo_messaging_rabbit] group in the /etc/barbican/barbican.conf file.

Table 1.14. oslo_messaging_rabbit
Configuration option = Default value	Type	Description
`amqp_auto_delete = False`	boolean value	Auto-delete queues in AMQP.
`amqp_durable_queues = False`	boolean value	Use durable queues in AMQP.
`channel_max = None`	integer value	Maximum number of channels to allow
`connection_factory = single`	string value	Connection factory implementation
`default_notification_exchange = ${control_exchange}_notification`	string value	Exchange name for sending notifications
`default_notification_retry_attempts = -1`	integer value	Reconnecting retry count in case of connectivity problem during sending notification, -1 means infinite retry.
`default_rpc_exchange = ${control_exchange}_rpc`	string value	Exchange name for sending RPC messages
`default_rpc_retry_attempts = -1`	integer value	Reconnecting retry count in case of connectivity problem during sending RPC message, -1 means infinite retry. If actual retry attempts in not 0 the rpc request could be processed more than one time
`default_serializer_type = json`	string value	Default serialization mechanism for serializing/deserializing outgoing/incoming messages
`fake_rabbit = False`	boolean value	Deprecated, use rpc_backend=kombu+memory or rpc_backend=fake
`frame_max = None`	integer value	The maximum byte size for an AMQP frame
`heartbeat_interval = 3`	integer value	How often to send heartbeats for consumer’s connections
`heartbeat_rate = 2`	integer value	How often times during the heartbeat_timeout_threshold we check the heartbeat.
`heartbeat_timeout_threshold = 60`	integer value	Number of seconds after which the Rabbit broker is considered down if heartbeat’s keep-alive fails (0 disable the heartbeat). EXPERIMENTAL
`host_connection_reconnect_delay = 0.25`	floating point value	Set delay for reconnection to some host which has connection error
`kombu_compression = None`	string value	EXPERIMENTAL: Possible values are: gzip, bz2. If not set compression will not be used. This option may not be available in future versions.
`kombu_failover_strategy = round-robin`	string value	Determines how the next RabbitMQ node is chosen in case the one we are currently connected to becomes unavailable. Takes effect only if more than one RabbitMQ node is provided in config.
`kombu_missing_consumer_retry_timeout = 60`	integer value	How long to wait a missing client before abandoning to send it its replies. This value should not be longer than rpc_response_timeout.
`kombu_reconnect_delay = 1.0`	floating point value	How long to wait before reconnecting in response to an AMQP consumer cancel notification.
`notification_listener_prefetch_count = 100`	integer value	Max number of not acknowledged message which RabbitMQ can send to notification listener.
`notification_persistence = False`	boolean value	Persist notification messages.
`notification_retry_delay = 0.25`	floating point value	Reconnecting retry delay in case of connectivity problem during sending notification message
`pool_max_overflow = 0`	integer value	Maximum number of connections to create above `pool_max_size`.
`pool_max_size = 30`	integer value	Maximum number of connections to keep queued.
`pool_recycle = 600`	integer value	Lifetime of a connection (since creation) in seconds or None for no recycling. Expired connections are closed on acquire.
`pool_stale = 60`	integer value	Threshold at which inactive (since release) connections are considered stale in seconds or None for no staleness. Stale connections are closed on acquire.
`pool_timeout = 30`	integer value	Default number of seconds to wait for a connections to available
`rabbit_ha_queues = False`	boolean value	Try to use HA queues in RabbitMQ (x-ha-policy: all). If you change this option, you must wipe the RabbitMQ database. In RabbitMQ 3.0, queue mirroring is no longer controlled by the x-ha-policy argument when declaring a queue. If you just want to make sure that all queues (except those with auto-generated names) are mirrored across all nodes, run: "rabbitmqctl set_policy HA ^(?!amq\.).* {"ha-mode": "all"} "
`rabbit_host = localhost`	string value	The RabbitMQ broker address where a single node is used.
`rabbit_hosts = [u'$rabbit_host:$rabbit_port']`	list value	RabbitMQ HA cluster host:port pairs.
`rabbit_interval_max = 30`	integer value	Maximum interval of RabbitMQ connection retries. Default is 30 seconds.
`rabbit_login_method = AMQPLAIN`	string value	The RabbitMQ login method.
`rabbit_max_retries = 0`	integer value	Maximum number of RabbitMQ connection retries. Default is 0 (infinite retry count).
`rabbit_password = guest`	string value	The RabbitMQ password.
`rabbit_port = 5672`	port value	The RabbitMQ broker port where a single node is used.
`rabbit_qos_prefetch_count = 0`	integer value	Specifies the number of messages to prefetch. Setting to zero allows unlimited messages.
`rabbit_retry_backoff = 2`	integer value	How long to backoff for between retries when connecting to RabbitMQ.
`rabbit_retry_interval = 1`	integer value	How frequently to retry connecting with RabbitMQ.
`rabbit_transient_queues_ttl = 1800`	integer value	Positive integer representing duration in seconds for queue TTL (x-expires). Queues which are unused for the duration of the TTL are automatically deleted. The parameter affects only reply and fanout queues.
`rabbit_userid = guest`	string value	The RabbitMQ userid.
`rabbit_virtual_host = /`	string value	The RabbitMQ virtual host.
`rpc_listener_prefetch_count = 100`	integer value	Max number of not acknowledged message which RabbitMQ can send to rpc listener.
`rpc_queue_expiration = 60`	integer value	Time to live for rpc queues without consumers in seconds.
`rpc_reply_exchange = ${control_exchange}_rpc_reply`	string value	Exchange name for receiving RPC replies
`rpc_reply_listener_prefetch_count = 100`	integer value	Max number of not acknowledged message which RabbitMQ can send to rpc reply listener.
`rpc_reply_retry_attempts = -1`	integer value	Reconnecting retry count in case of connectivity problem during sending reply. -1 means infinite retry during rpc_timeout
`rpc_reply_retry_delay = 0.25`	floating point value	Reconnecting retry delay in case of connectivity problem during sending reply.
`rpc_retry_delay = 0.25`	floating point value	Reconnecting retry delay in case of connectivity problem during sending RPC message
`socket_timeout = 0.25`	floating point value	Set socket timeout in seconds for connection’s socket
`ssl = None`	boolean value	Enable SSL
`ssl_ca_file = `	string value	SSL certification authority file (valid only if SSL enabled).
`ssl_cert_file = `	string value	SSL cert file (valid only if SSL enabled).
`ssl_key_file = `	string value	SSL key file (valid only if SSL enabled).
`ssl_options = None`	dict value	Arguments passed to ssl.wrap_socket
`ssl_version = `	string value	SSL version to use (valid only if SSL enabled). Valid values are TLSv1 and SSLv23. SSLv2, SSLv3, TLSv1_1, and TLSv1_2 may be available on some distributions.
`tcp_user_timeout = 0.25`	floating point value	Set TCP_USER_TIMEOUT in seconds for connection’s socket

1.1.15. oslo_messaging_zmq

The following table outlines the options available under the [oslo_messaging_zmq] group in the /etc/barbican/barbican.conf file.

Table 1.15. oslo_messaging_zmq
Configuration option = Default value	Type	Description
`rpc_ack_timeout_base = 15`	integer value	Number of seconds to wait for an ack from a cast/call. After each retry attempt this timeout is multiplied by some specified multiplier.
`rpc_ack_timeout_multiplier = 2`	integer value	Number to multiply base ack timeout by after each retry attempt.
`rpc_message_ttl = 300`	integer value	Expiration timeout in seconds of a sent/received message after which it is not tracked anymore by a client/server.
`rpc_poll_timeout = 1`	integer value	The default number of seconds that poll should wait. Poll raises timeout exception when timeout expired.
`rpc_retry_attempts = 3`	integer value	Default number of message sending attempts in case of any problems occurred: positive value N means at most N retries, 0 means no retries, None or -1 (or any other negative values) mean to retry forever. This option is used only if acknowledgments are enabled.
`rpc_thread_pool_size = 100`	integer value	Maximum number of (green) threads to work concurrently.
`rpc_use_acks = False`	boolean value	Wait for message acknowledgements from receivers. This mechanism works only via proxy without PUB/SUB.
`rpc_zmq_bind_address = *`	string value	ZeroMQ bind address. Should be a wildcard (*), an ethernet interface, or IP. The "host" option should point or resolve to this address.
`rpc_zmq_bind_port_retries = 100`	integer value	Number of retries to find free port number before fail with ZMQBindError.
`rpc_zmq_contexts = 1`	integer value	Number of ZeroMQ contexts, defaults to 1.
`rpc_zmq_host = ccsosp-undercloud.usersys.redhat.com`	string value	Name of this node. Must be a valid hostname, FQDN, or IP address. Must match "host" option, if running Nova.
`rpc_zmq_ipc_dir = /var/run/openstack`	string value	Directory for holding IPC sockets.
`rpc_zmq_matchmaker = redis`	string value	MatchMaker driver.
`rpc_zmq_max_port = 65536`	integer value	Maximal port number for random ports range.
`rpc_zmq_min_port = 49153`	port value	Minimal port number for random ports range.
`rpc_zmq_serialization = json`	string value	Default serialization mechanism for serializing/deserializing outgoing/incoming messages
`rpc_zmq_topic_backlog = None`	integer value	Maximum number of ingress messages to locally buffer per topic. Default is unlimited.
`subscribe_on = []`	list value	List of publisher hosts SubConsumer can subscribe on. This option has higher priority then the default publishers list taken from the matchmaker.
`use_dynamic_connections = False`	boolean value	This option makes direct connections dynamic or static. It makes sense only with use_router_proxy=False which means to use direct connections for direct message types (ignored otherwise).
`use_pub_sub = False`	boolean value	Use PUB/SUB pattern for fanout methods. PUB/SUB always uses proxy.
`use_router_proxy = False`	boolean value	Use ROUTER remote proxy.
`zmq_failover_connections = 2`	integer value	How many additional connections to a host will be made for failover reasons. This option is actual only in dynamic connections mode.
`zmq_immediate = True`	boolean value	This option configures round-robin mode in zmq socket. True means not keeping a queue when server side disconnects. False means to keep queue and messages even if server is disconnected, when the server appears we send all accumulated messages to it.
`zmq_linger = -1`	integer value	Number of seconds to wait before all pending messages will be sent after closing a socket. The default value of -1 specifies an infinite linger period. The value of 0 specifies no linger period. Pending messages shall be discarded immediately when the socket is closed. Positive values specify an upper bound for the linger period.
`zmq_target_expire = 300`	integer value	Expiration timeout in seconds of a name service record about existing target ( < 0 means no timeout).
`zmq_target_update = 180`	integer value	Update period in seconds of a name service record about existing target.
`zmq_tcp_keepalive = -1`	integer value	Enable/disable TCP keepalive (KA) mechanism. The default value of -1 (or any other negative value) means to skip any overrides and leave it to OS default; 0 and 1 (or any other positive value) mean to disable and enable the option respectively.
`zmq_tcp_keepalive_cnt = -1`	integer value	The number of retransmissions to be carried out before declaring that remote end is not available. The default value of -1 (or any other negative value and 0) means to skip any overrides and leave it to OS default.
`zmq_tcp_keepalive_idle = -1`	integer value	The duration between two keepalive transmissions in idle condition. The unit is platform dependent, for example, seconds in Linux, milliseconds in Windows etc. The default value of -1 (or any other negative value and 0) means to skip any overrides and leave it to OS default.
`zmq_tcp_keepalive_intvl = -1`	integer value	The duration between two successive keepalive retransmissions, if acknowledgement to the previous keepalive transmission is not received. The unit is platform dependent, for example, seconds in Linux, milliseconds in Windows etc. The default value of -1 (or any other negative value and 0) means to skip any overrides and leave it to OS default.

1.1.16. oslo_middleware

The following table outlines the options available under the [oslo_middleware] group in the /etc/barbican/barbican.conf file.

Table 1.16. oslo_middleware
Configuration option = Default value	Type	Description
`enable_proxy_headers_parsing = False`	boolean value	Whether the application is behind a proxy or not. This determines if the middleware should parse the headers or not.

1.1.17. oslo_policy

The following table outlines the options available under the [oslo_policy] group in the /etc/barbican/barbican.conf file.

Table 1.17. oslo_policy
Configuration option = Default value	Type	Description
`enforce_scope = False`	boolean value	This option controls whether or not to enforce scope when evaluating policies. If `True`, the scope of the token used in the request is compared to the `scope_types` of the policy being enforced. If the scopes do not match, an `InvalidScope` exception will be raised. If `False`, a message will be logged informing operators that policies are being invoked with mismatching scope.
`policy_default_rule = default`	string value	Default rule. Enforced when a requested rule is not found.
`policy_dirs = [u'policy.d']`	multi valued	Directories where policy configuration files are stored. They can be relative to any directory in the search path defined by the config_dir option, or absolute paths. The file defined by policy_file must exist for these directories to be searched. Missing or empty directories are ignored.
`policy_file = policy.json`	string value	The file that defines policies.
`remote_content_type = application/x-www-form-urlencoded`	string value	Content Type to send and receive data for REST based policy check
`remote_ssl_ca_crt_file = None`	string value	Absolute path to ca cert file for REST based policy check
`remote_ssl_client_crt_file = None`	string value	Absolute path to client cert for REST based policy check
`remote_ssl_client_key_file = None`	string value	Absolute path client key file REST based policy check
`remote_ssl_verify_server_crt = False`	boolean value	server identity verification for REST based policy check

1.1.18. p11_crypto_plugin

The following table outlines the options available under the [p11_crypto_plugin] group in the /etc/barbican/barbican.conf file.

Table 1.18. p11_crypto_plugin
Configuration option = Default value	Type	Description
`aes_gcm_generate_iv = True`	boolean value	Generate IVs for CKM_AES_GCM mechanism.
`always_set_cka_sensitive = True`	boolean value	Always set CKA_SENSITIVE=CK_TRUE including CKA_EXTRACTABLE=CK_TRUE keys.
`encryption_mechanism = CKM_AES_CBC`	string value	Secret encryption mechanism
`hmac_key_type = CKK_AES`	string value	HMAC Key Type
`hmac_keygen_mechanism = CKM_AES_KEY_GEN`	string value	HMAC Key Generation Algorithm
`hmac_label = None`	string value	Master HMAC Key label (as stored in the HSM)
`library_path = None`	string value	Path to vendor PKCS11 library
`login = None`	string value	Password to login to PKCS11 session
`mkek_label = None`	string value	Master KEK label (as stored in the HSM)
`mkek_length = None`	integer value	Master KEK length in bytes.
`pkek_cache_limit = 100`	integer value	Project KEK Cache Item Limit
`pkek_cache_ttl = 900`	integer value	Project KEK Cache Time To Live, in seconds
`pkek_length = 32`	integer value	Project KEK length in bytes.
`plugin_name = PKCS11 HSM`	string value	User friendly plugin name
`rw_session = True`	boolean value	Flag for Read/Write Sessions
`seed_file = `	string value	File to pull entropy for seeding RNG
`seed_length = 32`	integer value	Amount of data to read from file for seed
`slot_id = 1`	integer value	HSM Slot ID

1.1.19. queue

The following table outlines the options available under the [queue] group in the /etc/barbican/barbican.conf file.

Table 1.19. queue
Configuration option = Default value	Type	Description
`asynchronous_workers = 1`	integer value	Number of asynchronous worker processes
`enable = False`	boolean value	True enables queuing, False invokes workers synchronously
`namespace = barbican`	string value	Queue namespace
`server_name = barbican.queue`	string value	Server name for RPC task processing server
`topic = barbican.workers`	string value	Queue topic name
`version = 1.1`	string value	Version of tasks invoked via queue

1.1.20. quotas

The following table outlines the options available under the [quotas] group in the /etc/barbican/barbican.conf file.

Table 1.20. quotas
Configuration option = Default value	Type	Description
`quota_cas = -1`	integer value	Number of CAs allowed per project
`quota_consumers = -1`	integer value	Number of consumers allowed per project
`quota_containers = -1`	integer value	Number of containers allowed per project
`quota_orders = -1`	integer value	Number of orders allowed per project
`quota_secrets = -1`	integer value	Number of secrets allowed per project

1.1.21. retry_scheduler

The following table outlines the options available under the [retry_scheduler] group in the /etc/barbican/barbican.conf file.

Table 1.21. retry_scheduler
Configuration option = Default value	Type	Description
`initial_delay_seconds = 10.0`	floating point value	Seconds (float) to wait before starting retry scheduler
`periodic_interval_max_seconds = 10.0`	floating point value	Seconds (float) to wait between periodic schedule events

1.1.22. secretstore

The following table outlines the options available under the [secretstore] group in the /etc/barbican/barbican.conf file.

Table 1.22. secretstore
Configuration option = Default value	Type	Description
`enable_multiple_secret_stores = False`	boolean value	Flag to enable multiple secret store plugin backend support. Default is False
`enabled_secretstore_plugins = [u'store_crypto']`	multi valued	List of secret store plugins to load.
`namespace = barbican.secretstore.plugin`	string value	Extension namespace to search for plugins.
`stores_lookup_suffix = None`	list value	List of suffix to use for looking up plugins which are supported with multiple backend support.

1.1.23. simple_crypto_plugin

The following table outlines the options available under the [simple_crypto_plugin] group in the /etc/barbican/barbican.conf file.

Table 1.23. simple_crypto_plugin
Configuration option = Default value	Type	Description
`kek = dGhpcnR5X3R3b19ieXRlX2tleWJsYWhibGFoYmxhaGg=`	string value	Key encryption key to be used by Simple Crypto Plugin
`plugin_name = Software Only Crypto`	string value	User friendly plugin name

1.1.24. snakeoil_ca_plugin

The following table outlines the options available under the [snakeoil_ca_plugin] group in the /etc/barbican/barbican.conf file.

Table 1.24. snakeoil_ca_plugin
Configuration option = Default value	Type	Description
`ca_cert_chain_path = None`	string value	Path to CA certificate chain file
`ca_cert_key_path = None`	string value	Path to CA certificate key file
`ca_cert_path = None`	string value	Path to CA certificate file
`ca_cert_pkcs7_path = None`	string value	Path to CA chain pkcs7 file
`subca_cert_key_directory = /etc/barbican/snakeoil-cas`	string value	Directory in which to store certs/keys for subcas

1.1.25. ssl

The following table outlines the options available under the [ssl] group in the /etc/barbican/barbican.conf file.

Table 1.25. ssl
Configuration option = Default value	Type	Description
`ca_file = None`	string value	CA certificate file to use to verify connecting clients.
`cert_file = None`	string value	Certificate file to use when starting the server securely.
`ciphers = None`	string value	Sets the list of available ciphers. value should be a string in the OpenSSL cipher list format.
`key_file = None`	string value	Private key file to use when starting the server securely.
`version = None`	string value	SSL version to use (valid only if SSL enabled). Valid values are TLSv1 and SSLv23. SSLv2, SSLv3, TLSv1_1, and TLSv1_2 may be available on some distributions.

Chapter 2. ceilometer

The following chapter contains information about the configuration options in the ceilometer service.

2.1. ceilometer.conf

This section contains options for the /etc/ceilometer/ceilometer.conf file.

2.1.1. DEFAULT

The following table outlines the options available under the [DEFAULT] group in the /etc/ceilometer/ceilometer.conf file.

Table 2.1. DEFAULT
Configuration option = Default value	Type	Description
`backdoor_port = None`	string value	Enable eventlet backdoor. Acceptable values are 0, <port>, and <start>:<end>, where 0 results in listening on a random tcp port number; <port> results in listening on the specified port number (and not enabling backdoor if that port is in use); and <start>:<end> results in listening on the smallest unused port number within the specified range of port numbers. The chosen port is displayed in the service’s log file.
`backdoor_socket = None`	string value	Enable eventlet backdoor, using the provided path as a unix socket that can receive connections. This option is mutually exclusive with backdoor_port in that only one should be provided. If both are provided then the existence of this option overrides the usage of that option.
`batch_polled_samples = True`	boolean value	To reduce polling agent load, samples are sent to the notification agent in a batch. To gain higher throughput at the cost of load set this to False.
`conn_pool_min_size = 2`	integer value	The pool size limit for connections expiration policy
`conn_pool_ttl = 1200`	integer value	The time-to-live in sec of idle connections in the pool
`control_exchange = openstack`	string value	The default exchange under which topics are scoped. May be overridden by an exchange name specified in the transport_url option.
`debug = False`	boolean value	If set to true, the logging level will be set to DEBUG instead of the default INFO level.
default_log_levels = [u'amqp=WARN', u'amqplib=WARN', u'boto=WARN', u'qpid=WARN', u'sqlalchemy=WARN', u'suds=INFO', u'oslo.messaging=INFO', u'oslo_messaging=INFO', u'iso8601=WARN', u'requests.packages.urllib3.connectionpool=WARN', u'urllib3.connectionpool=WARN', u'websocket=WARN', u'requests.packages.urllib3.util.retry=WARN', u'urllib3.util.retry=WARN', u'keystonemiddleware=WARN', u'routes.middleware=WARN', u'stevedore=WARN', u'taskflow=WARN', u'keystoneauth=WARN', u'oslo.cache=INFO', u'dogpile.core.dogpile=INFO']	list value	List of package logging levels in logger=LEVEL pairs. This option is ignored if log_config_append is set.
`event_pipeline_cfg_file = event_pipeline.yaml`	string value	Configuration file for event pipeline definition.
`executor_thread_pool_size = 64`	integer value	Size of executor thread pool when executor is threading or eventlet.
`fatal_deprecations = False`	boolean value	Enables or disables fatal status of deprecations.
`graceful_shutdown_timeout = 60`	integer value	Specify a timeout after which a gracefully shutdown server will exit. Zero value means endless wait.
`host = ccsosp-undercloud.usersys.redhat.com`	unknown value	Name of this node, which must be valid in an AMQP key. Can be an opaque identifier. For ZeroMQ only, must be a valid host name, FQDN, or IP address.
`http_timeout = 600`	integer value	Timeout seconds for HTTP requests. Set it to None to disable timeout.
`hypervisor_inspector = libvirt`	string value	Inspector to use for inspecting the hypervisor layer. Known inspectors are libvirt, hyperv, vsphere and xenapi.
`instance_format = [instance: %(uuid)s] `	string value	The format for an instance that is passed with the log message.
`instance_uuid_format = [instance: %(uuid)s] `	string value	The format for an instance UUID that is passed with the log message.
`libvirt_type = kvm`	string value	Libvirt domain type.
`libvirt_uri = `	string value	Override the default libvirt URI (which is dependent on libvirt_type).
`log-config-append = None`	string value	The name of a logging configuration file. This file is appended to any existing logging configuration files. For details about logging configuration files, see the Python logging module documentation. Note that when logging configuration files are used then all logging configuration is set in the configuration file and other logging configuration options are ignored (for example, logging_context_format_string).
`log-date-format = %Y-%m-%d %H:%M:%S`	string value	Defines the format string for %%(asctime)s in log records. Default: %(default)s . This option is ignored if log_config_append is set.
`log-dir = None`	string value	(Optional) The base directory used for relative log_file paths. This option is ignored if log_config_append is set.
`log-file = None`	string value	(Optional) Name of log file to send logging output to. If no default is set, logging will go to stderr as defined by use_stderr. This option is ignored if log_config_append is set.
`log_options = True`	boolean value	Enables or disables logging values of all registered options when starting a service (at DEBUG level).
`logging_context_format_string = %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [%(request_id)s %(user_identity)s] %(instance)s%(message)s`	string value	Format string to use for log messages with context.
`logging_debug_format_suffix = %(funcName)s %(pathname)s:%(lineno)d`	string value	Additional data to append to log message when logging level for the message is DEBUG.
`logging_default_format_string = %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [-] %(instance)s%(message)s`	string value	Format string to use for log messages when context is undefined.
`logging_exception_prefix = %(asctime)s.%(msecs)03d %(process)d ERROR %(name)s %(instance)s`	string value	Prefix each line of exception output with this format.
`logging_user_identity_format = %(user)s %(tenant)s %(domain)s %(user_domain)s %(project_domain)s`	string value	Defines the format string for %(user_identity)s that is used in logging_context_format_string.
`max_parallel_requests = 64`	integer value	Maximum number of parallel requests for services to handle at the same time.
`pipeline_cfg_file = pipeline.yaml`	string value	Configuration file for pipeline definition.
`publish_errors = False`	boolean value	Enables or disables publication of error events.
`rate_limit_burst = 0`	integer value	Maximum number of logged messages per rate_limit_interval.
`rate_limit_except_level = CRITICAL`	string value	Log level name used by rate limiting: CRITICAL, ERROR, INFO, WARNING, DEBUG or empty string. Logs with level greater or equal to rate_limit_except_level are not filtered. An empty string means that all levels are filtered.
`rate_limit_interval = 0`	integer value	Interval, number of seconds, of log rate limiting.
`reseller_prefix = AUTH_`	string value	Swift reseller prefix. Must be on par with reseller_prefix in proxy-server.conf.
`reserved_metadata_keys = []`	list value	List of metadata keys reserved for metering use. And these keys are additional to the ones included in the namespace.
`reserved_metadata_length = 256`	integer value	Limit on length of reserved metadata values.
`reserved_metadata_namespace = [u'metering.']`	list value	List of metadata prefixes reserved for metering use.
`rootwrap_config = /etc/ceilometer/rootwrap.conf`	string value	Path to the rootwrap configuration file to use for running commands as root
`rpc_ack_timeout_base = 15`	integer value	Number of seconds to wait for an ack from a cast/call. After each retry attempt this timeout is multiplied by some specified multiplier.
`rpc_ack_timeout_multiplier = 2`	integer value	Number to multiply base ack timeout by after each retry attempt.
`rpc_backend = rabbit`	string value	The messaging driver to use, defaults to rabbit. Other drivers include amqp and zmq.
`rpc_conn_pool_size = 30`	integer value	Size of RPC connection pool.
`rpc_message_ttl = 300`	integer value	Expiration timeout in seconds of a sent/received message after which it is not tracked anymore by a client/server.
`rpc_poll_timeout = 1`	integer value	The default number of seconds that poll should wait. Poll raises timeout exception when timeout expired.
`rpc_response_timeout = 60`	integer value	Seconds to wait for a response from a call.
`rpc_retry_attempts = 3`	integer value	Default number of message sending attempts in case of any problems occurred: positive value N means at most N retries, 0 means no retries, None or -1 (or any other negative values) mean to retry forever. This option is used only if acknowledgments are enabled.
`rpc_thread_pool_size = 100`	integer value	Maximum number of (green) threads to work concurrently.
`rpc_use_acks = False`	boolean value	Wait for message acknowledgements from receivers. This mechanism works only via proxy without PUB/SUB.
`rpc_zmq_bind_address = *`	string value	ZeroMQ bind address. Should be a wildcard (*), an ethernet interface, or IP. The "host" option should point or resolve to this address.
`rpc_zmq_bind_port_retries = 100`	integer value	Number of retries to find free port number before fail with ZMQBindError.
`rpc_zmq_contexts = 1`	integer value	Number of ZeroMQ contexts, defaults to 1.
`rpc_zmq_host = ccsosp-undercloud.usersys.redhat.com`	string value	Name of this node. Must be a valid hostname, FQDN, or IP address. Must match "host" option, if running Nova.
`rpc_zmq_ipc_dir = /var/run/openstack`	string value	Directory for holding IPC sockets.
`rpc_zmq_matchmaker = redis`	string value	MatchMaker driver.
`rpc_zmq_max_port = 65536`	integer value	Maximal port number for random ports range.
`rpc_zmq_min_port = 49153`	port value	Minimal port number for random ports range.
`rpc_zmq_serialization = json`	string value	Default serialization mechanism for serializing/deserializing outgoing/incoming messages
`rpc_zmq_topic_backlog = None`	integer value	Maximum number of ingress messages to locally buffer per topic. Default is unlimited.
`sample_source = openstack`	string value	Source for samples emitted on this instance.
`subscribe_on = []`	list value	List of publisher hosts SubConsumer can subscribe on. This option has higher priority then the default publishers list taken from the matchmaker.
`syslog-log-facility = LOG_USER`	string value	Syslog facility to receive log lines. This option is ignored if log_config_append is set.
`transport_url = None`	string value	The network address and optional user credentials for connecting to the messaging backend, in URL format. The expected format is: driver://[user:pass@]host:port[,[userN:passN@]hostN:portN]/virtual_host?query Example: rabbit://rabbitmq:password@127.0.0.1:5672// For full details on the fields in the URL see the documentation of oslo_messaging.TransportURL at https://docs.openstack.org/oslo.messaging/latest/reference/transport.html
`use-journal = False`	boolean value	Enable journald for logging. If running in a systemd environment you may wish to enable journal support. Doing so will use the journal native protocol which includes structured metadata in addition to log messages.This option is ignored if log_config_append is set.
`use-json = False`	boolean value	Use JSON formatting for logging. This option is ignored if log_config_append is set.
`use-syslog = False`	boolean value	Use syslog for logging. Existing syslog format is DEPRECATED and will be changed later to honor RFC5424. This option is ignored if log_config_append is set.
`use_dynamic_connections = False`	boolean value	This option makes direct connections dynamic or static. It makes sense only with use_router_proxy=False which means to use direct connections for direct message types (ignored otherwise).
`use_pub_sub = False`	boolean value	Use PUB/SUB pattern for fanout methods. PUB/SUB always uses proxy.
`use_router_proxy = False`	boolean value	Use ROUTER remote proxy.
`use_stderr = False`	boolean value	Log output to standard error. This option is ignored if log_config_append is set.
`watch-log-file = False`	boolean value	Uses logging handler designed to watch file system. When log file is moved or removed this handler will open a new log file with specified path instantaneously. It makes sense only if log_file option is specified and Linux platform is used. This option is ignored if log_config_append is set.
`zmq_failover_connections = 2`	integer value	How many additional connections to a host will be made for failover reasons. This option is actual only in dynamic connections mode.
`zmq_immediate = True`	boolean value	This option configures round-robin mode in zmq socket. True means not keeping a queue when server side disconnects. False means to keep queue and messages even if server is disconnected, when the server appears we send all accumulated messages to it.
`zmq_linger = -1`	integer value	Number of seconds to wait before all pending messages will be sent after closing a socket. The default value of -1 specifies an infinite linger period. The value of 0 specifies no linger period. Pending messages shall be discarded immediately when the socket is closed. Positive values specify an upper bound for the linger period.
`zmq_target_expire = 300`	integer value	Expiration timeout in seconds of a name service record about existing target ( < 0 means no timeout).
`zmq_target_update = 180`	integer value	Update period in seconds of a name service record about existing target.
`zmq_tcp_keepalive = -1`	integer value	Enable/disable TCP keepalive (KA) mechanism. The default value of -1 (or any other negative value) means to skip any overrides and leave it to OS default; 0 and 1 (or any other positive value) mean to disable and enable the option respectively.
`zmq_tcp_keepalive_cnt = -1`	integer value	The number of retransmissions to be carried out before declaring that remote end is not available. The default value of -1 (or any other negative value and 0) means to skip any overrides and leave it to OS default.
`zmq_tcp_keepalive_idle = -1`	integer value	The duration between two keepalive transmissions in idle condition. The unit is platform dependent, for example, seconds in Linux, milliseconds in Windows etc. The default value of -1 (or any other negative value and 0) means to skip any overrides and leave it to OS default.
`zmq_tcp_keepalive_intvl = -1`	integer value	The duration between two successive keepalive retransmissions, if acknowledgement to the previous keepalive transmission is not received. The unit is platform dependent, for example, seconds in Linux, milliseconds in Windows etc. The default value of -1 (or any other negative value and 0) means to skip any overrides and leave it to OS default.

2.1.2. compute

The following table outlines the options available under the [compute] group in the /etc/ceilometer/ceilometer.conf file.

Table 2.2. compute
Configuration option = Default value	Type	Description
`instance_discovery_method = libvirt_metadata`	string value	Ceilometer offers many methods to discover the instance running on a compute node: * naive: poll nova to get all instances * workload_partitioning: poll nova to get instances of the compute * libvirt_metadata: get instances from libvirt metadata but without instance metadata (recommended for Gnocchi backend
`resource_cache_expiry = 3600`	integer value	The expiry to totally refresh the instances resource cache, since the instance may be migrated to another host, we need to clean the legacy instances info in local cache by totally refreshing the local cache. The minimum should be the value of the config option of resource_update_interval. This option is only used for agent polling to Nova API, so it will work only when instance_discovery_method is set to naive.
`resource_update_interval = 0`	integer value	New instances will be discovered periodically based on this option (in seconds). By default, the agent discovers instances according to pipeline polling interval. If option is greater than 0, the instance list to poll will be updated based on this option’s interval. Measurements relating to the instances will match intervals defined in pipeline. This option is only used for agent polling to Nova API, so it will work only when instance_discovery_method is set to naive.

2.1.3. coordination

The following table outlines the options available under the [coordination] group in the /etc/ceilometer/ceilometer.conf file.

Table 2.3. coordination
Configuration option = Default value	Type	Description
`backend_url = None`	string value	The backend URL to use for distributed coordination. If left empty, per-deployment central agent and per-host compute agent won’t do workload partitioning and will only function correctly if a single instance of that service is running.
`check_watchers = 10.0`	floating point value	Number of seconds between checks to see if group membership has changed

2.1.4. dispatcher_gnocchi

The following table outlines the options available under the [dispatcher_gnocchi] group in the /etc/ceilometer/ceilometer.conf file.

Table 2.4. dispatcher_gnocchi
Configuration option = Default value	Type	Description
`archive_policy = None`	string value	The archive policy to use when the dispatcher create a new metric.
`filter_project = gnocchi`	string value	Gnocchi project used to filter out samples generated by Gnocchi service activity
`request_timeout = 6.05`	floating point value	Number of seconds before request to gnocchi times out
`resources_definition_file = gnocchi_resources.yaml`	string value	The Yaml file that defines mapping between samples and gnocchi resources/metrics

2.1.5. event

The following table outlines the options available under the [event] group in the /etc/ceilometer/ceilometer.conf file.

Table 2.5. event
Configuration option = Default value	Type	Description
`definitions_cfg_file = event_definitions.yaml`	string value	Configuration file for event definitions.
`drop_unmatched_notifications = False`	boolean value	Drop notifications if no event definition matches. (Otherwise, we convert them with just the default traits)
`store_raw = []`	multi valued	Store the raw notification for select priority levels (info and/or error). By default, raw details are not captured.

2.1.6. hardware

The following table outlines the options available under the [hardware] group in the /etc/ceilometer/ceilometer.conf file.

Table 2.6. hardware
Configuration option = Default value	Type	Description
`meter_definitions_file = snmp.yaml`	string value	Configuration file for defining hardware snmp meters.
`readonly_user_auth_proto = None`	string value	SNMPd v3 authentication algorithm of all the nodes running in the cloud
`readonly_user_name = ro_snmp_user`	string value	SNMPd user name of all nodes running in the cloud.
`readonly_user_password = password`	string value	SNMPd v3 authentication password of all the nodes running in the cloud.
`readonly_user_priv_password = None`	string value	SNMPd v3 encryption password of all the nodes running in the cloud.
`readonly_user_priv_proto = None`	string value	SNMPd v3 encryption algorithm of all the nodes running in the cloud
`tripleo_network_name = ctlplane`	string value	Name of the control plane Tripleo network
`url_scheme = snmp://`	string value	URL scheme to use for hardware nodes.

2.1.7. ipmi

The following table outlines the options available under the [ipmi] group in the /etc/ceilometer/ceilometer.conf file.

Table 2.7. ipmi
Configuration option = Default value	Type	Description
`node_manager_init_retry = 3`	integer value	Number of retries upon Intel Node Manager initialization failure
`polling_retry = 3`	integer value	Tolerance of IPMI/NM polling failures before disable this pollster. Negative indicates retrying forever.

2.1.8. matchmaker_redis

The following table outlines the options available under the [matchmaker_redis] group in the /etc/ceilometer/ceilometer.conf file.

Table 2.8. matchmaker_redis
Configuration option = Default value	Type	Description
`check_timeout = 20000`	integer value	Time in ms to wait before the transaction is killed.
`host = 127.0.0.1`	string value	Host to locate redis.
`password = `	string value	Password for Redis server (optional).
`port = 6379`	port value	Use this port to connect to redis host.
`sentinel_group_name = oslo-messaging-zeromq`	string value	Redis replica set name.
`sentinel_hosts = []`	list value	List of Redis Sentinel hosts (fault tolerance mode), e.g., [host:port, host1:port … ]
`socket_timeout = 10000`	integer value	Timeout in ms on blocking socket operations.
`wait_timeout = 2000`	integer value	Time in ms to wait between connection attempts.

2.1.9. meter

The following table outlines the options available under the [meter] group in the /etc/ceilometer/ceilometer.conf file.

Table 2.9. meter
Configuration option = Default value	Type	Description
`meter_definitions_cfg_file = None`	string value	Configuration file for defining meter notifications. This option is deprecated and use meter_definitions_dirs to configure meter notification file. Meter definitions configuration file will be sought according to the parameter.
`meter_definitions_dirs = [u'/etc/ceilometer/meters.d', u'/usr/lib/python2.7/site-packages/ceilometer/data/meters.d']`	multi valued	List directory to find files of defining meter notifications.

2.1.10. notification

The following table outlines the options available under the [notification] group in the /etc/ceilometer/ceilometer.conf file.

Table 2.10. notification
Configuration option = Default value	Type	Description
`ack_on_event_error = True`	boolean value	Acknowledge message when event persistence fails.
`batch_size = 100`	integer value	Number of notification messages to wait before publishing them. Batching is advised when transformations are applied in pipeline.
`batch_timeout = 5`	integer value	Number of seconds to wait before publishing samples when batch_size is not reached (None means indefinitely)
`messaging_urls = []`	multi valued	Messaging URLs to listen for notifications. Example: rabbit://user:pass@host1:port1[,user:pass@hostN:portN]/virtual_host (DEFAULT/transport_url is used if empty). This is useful when you have dedicate messaging nodes for each service, for example, all nova notifications go to rabbit-nova:5672, while all cinder notifications go to rabbit-cinder:5672.
`notification_control_exchanges = [u'nova', u'glance', u'neutron', u'cinder', u'heat', u'keystone', u'sahara', u'trove', u'zaqar', u'swift', u'ceilometer', u'magnum', u'dns', u'ironic', u'aodh']`	multi valued	Exchanges name to listen for notifications.
`pipeline_processing_queues = 10`	integer value	Number of queues to parallelize workload across. This value should be larger than the number of active notification agents for optimal results. WARNING: Once set, lowering this value may result in lost data.
`pipelines = [u'meter', u'event']`	multi valued	Select which pipeline managers to enable to generate data
`workers = 1`	integer value	Number of workers for notification service, default value is 1.
`workload_partitioning = False`	boolean value	Enable workload partitioning, allowing multiple notification agents to be run simultaneously.

2.1.11. oslo_concurrency

The following table outlines the options available under the [oslo_concurrency] group in the /etc/ceilometer/ceilometer.conf file.

Table 2.11. oslo_concurrency
Configuration option = Default value	Type	Description
`disable_process_locking = False`	boolean value	Enables or disables inter-process locks.
`lock_path = None`	string value	Directory to use for lock files. For security, the specified directory should only be writable by the user running the processes that need locking. Defaults to environment variable OSLO_LOCK_PATH. If external locks are used, a lock path must be set.

2.1.12. oslo_messaging_amqp

The following table outlines the options available under the [oslo_messaging_amqp] group in the /etc/ceilometer/ceilometer.conf file.

Table 2.12. oslo_messaging_amqp
Configuration option = Default value	Type	Description
`addressing_mode = dynamic`	string value	Indicates the addressing mode used by the driver. Permitted values: legacy - use legacy non-routable addressing routable - use routable addresses dynamic - use legacy addresses if the message bus does not support routing otherwise use routable addressing
`allow_insecure_clients = False`	boolean value	Accept clients using either SSL or plain TCP
`anycast_address = anycast`	string value	Appended to the address prefix when sending to a group of consumers. Used by the message bus to identify messages that should be delivered in a round-robin fashion across consumers.
`broadcast_prefix = broadcast`	string value	address prefix used when broadcasting to all servers
`connection_retry_backoff = 2`	integer value	Increase the connection_retry_interval by this many seconds after each unsuccessful failover attempt.
`connection_retry_interval = 1`	integer value	Seconds to pause before attempting to re-connect.
`connection_retry_interval_max = 30`	integer value	Maximum limit for connection_retry_interval + connection_retry_backoff
`container_name = None`	string value	Name for the AMQP container. must be globally unique. Defaults to a generated UUID
`default_notification_exchange = None`	string value	Exchange name used in notification addresses. Exchange name resolution precedence: Target.exchange if set else default_notification_exchange if set else control_exchange if set else notify
`default_notify_timeout = 30`	integer value	The deadline for a sent notification message delivery. Only used when caller does not provide a timeout expiry.
`default_reply_retry = 0`	integer value	The maximum number of attempts to re-send a reply message which failed due to a recoverable error.
`default_reply_timeout = 30`	integer value	The deadline for an rpc reply message delivery.
`default_rpc_exchange = None`	string value	Exchange name used in RPC addresses. Exchange name resolution precedence: Target.exchange if set else default_rpc_exchange if set else control_exchange if set else rpc
`default_send_timeout = 30`	integer value	The deadline for an rpc cast or call message delivery. Only used when caller does not provide a timeout expiry.
`default_sender_link_timeout = 600`	integer value	The duration to schedule a purge of idle sender links. Detach link after expiry.
`group_request_prefix = unicast`	string value	address prefix when sending to any server in group
`idle_timeout = 0`	integer value	Timeout for inactive connections (in seconds)
`link_retry_delay = 10`	integer value	Time to pause between re-connecting an AMQP 1.0 link that failed due to a recoverable error.
`multicast_address = multicast`	string value	Appended to the address prefix when sending a fanout message. Used by the message bus to identify fanout messages.
`notify_address_prefix = openstack.org/om/notify`	string value	Address prefix for all generated Notification addresses
`notify_server_credit = 100`	integer value	Window size for incoming Notification messages
`password = `	string value	Password for message broker authentication
`pre_settled = [u'rpc-cast', u'rpc-reply']`	multi valued	Send messages of this type pre-settled. Pre-settled messages will not receive acknowledgement from the peer. Note well: pre-settled messages may be silently discarded if the delivery fails. Permitted values: rpc-call - send RPC Calls pre-settled rpc-reply- send RPC Replies pre-settled rpc-cast - Send RPC Casts pre-settled notify - Send Notifications pre-settled
`pseudo_vhost = True`	boolean value	Enable virtual host support for those message buses that do not natively support virtual hosting (such as qpidd). When set to true the virtual host name will be added to all message bus addresses, effectively creating a private subnet per virtual host. Set to False if the message bus supports virtual hosting using the hostname field in the AMQP 1.0 Open performative as the name of the virtual host.
`reply_link_credit = 200`	integer value	Window size for incoming RPC Reply messages.
`rpc_address_prefix = openstack.org/om/rpc`	string value	Address prefix for all generated RPC addresses
`rpc_server_credit = 100`	integer value	Window size for incoming RPC Request messages
`sasl_config_dir = `	string value	Path to directory that contains the SASL configuration
`sasl_config_name = `	string value	Name of configuration file (without .conf suffix)
`sasl_default_realm = `	string value	SASL realm to use if no realm present in username
`sasl_mechanisms = `	string value	Space separated list of acceptable SASL mechanisms
`server_request_prefix = exclusive`	string value	address prefix used when sending to a specific server
`ssl = False`	boolean value	Attempt to connect via SSL. If no other ssl-related parameters are given, it will use the system’s CA-bundle to verify the server’s certificate.
`ssl_ca_file = `	string value	CA certificate PEM file used to verify the server’s certificate
`ssl_cert_file = `	string value	Self-identifying certificate PEM file for client authentication
`ssl_key_file = `	string value	Private key PEM file used to sign ssl_cert_file certificate (optional)
`ssl_key_password = None`	string value	Password for decrypting ssl_key_file (if encrypted)
`ssl_verify_vhost = False`	boolean value	By default SSL checks that the name in the server’s certificate matches the hostname in the transport_url. In some configurations it may be preferable to use the virtual hostname instead, for example if the server uses the Server Name Indication TLS extension (rfc6066) to provide a certificate per virtual host. Set ssl_verify_vhost to True if the server’s SSL certificate uses the virtual host name instead of the DNS name.
`trace = False`	boolean value	Debug: dump AMQP frames to stdout
`unicast_address = unicast`	string value	Appended to the address prefix when sending to a particular RPC/Notification server. Used by the message bus to identify messages sent to a single destination.
`username = `	string value	User name for message broker authentication

2.1.13. oslo_messaging_kafka

The following table outlines the options available under the [oslo_messaging_kafka] group in the /etc/ceilometer/ceilometer.conf file.

Table 2.13. oslo_messaging_kafka
Configuration option = Default value	Type	Description
`conn_pool_min_size = 2`	integer value	The pool size limit for connections expiration policy
`conn_pool_ttl = 1200`	integer value	The time-to-live in sec of idle connections in the pool
`consumer_group = oslo_messaging_consumer`	string value	Group id for Kafka consumer. Consumers in one group will coordinate message consumption
`kafka_consumer_timeout = 1.0`	floating point value	Default timeout(s) for Kafka consumers
`kafka_default_host = localhost`	string value	Default Kafka broker Host
`kafka_default_port = 9092`	port value	Default Kafka broker Port
`kafka_max_fetch_bytes = 1048576`	integer value	Max fetch bytes of Kafka consumer
`pool_size = 10`	integer value	Pool Size for Kafka Consumers
`producer_batch_size = 16384`	integer value	Size of batch for the producer async send
`producer_batch_timeout = 0.0`	floating point value	Upper bound on the delay for KafkaProducer batching in seconds

2.1.14. oslo_messaging_notifications

The following table outlines the options available under the [oslo_messaging_notifications] group in the /etc/ceilometer/ceilometer.conf file.

Table 2.14. oslo_messaging_notifications
Configuration option = Default value	Type	Description
`driver = []`	multi valued	The Drivers(s) to handle sending notifications. Possible values are messaging, messagingv2, routing, log, test, noop
`retry = -1`	integer value	The maximum number of attempts to re-send a notification message which failed to be delivered due to a recoverable error. 0 - No retry, -1 - indefinite
`topics = [u'notifications']`	list value	AMQP topic used for OpenStack notifications.
`transport_url = None`	string value	A URL representing the messaging driver to use for notifications. If not set, we fall back to the same configuration used for RPC.

2.1.15. oslo_messaging_rabbit

The following table outlines the options available under the [oslo_messaging_rabbit] group in the /etc/ceilometer/ceilometer.conf file.

Table 2.15. oslo_messaging_rabbit
Configuration option = Default value	Type	Description
`amqp_auto_delete = False`	boolean value	Auto-delete queues in AMQP.
`amqp_durable_queues = False`	boolean value	Use durable queues in AMQP.
`channel_max = None`	integer value	Maximum number of channels to allow
`connection_factory = single`	string value	Connection factory implementation
`default_notification_exchange = ${control_exchange}_notification`	string value	Exchange name for sending notifications
`default_notification_retry_attempts = -1`	integer value	Reconnecting retry count in case of connectivity problem during sending notification, -1 means infinite retry.
`default_rpc_exchange = ${control_exchange}_rpc`	string value	Exchange name for sending RPC messages
`default_rpc_retry_attempts = -1`	integer value	Reconnecting retry count in case of connectivity problem during sending RPC message, -1 means infinite retry. If actual retry attempts in not 0 the rpc request could be processed more than one time
`default_serializer_type = json`	string value	Default serialization mechanism for serializing/deserializing outgoing/incoming messages
`fake_rabbit = False`	boolean value	Deprecated, use rpc_backend=kombu+memory or rpc_backend=fake
`frame_max = None`	integer value	The maximum byte size for an AMQP frame
`heartbeat_interval = 3`	integer value	How often to send heartbeats for consumer’s connections
`heartbeat_rate = 2`	integer value	How often times during the heartbeat_timeout_threshold we check the heartbeat.
`heartbeat_timeout_threshold = 60`	integer value	Number of seconds after which the Rabbit broker is considered down if heartbeat’s keep-alive fails (0 disable the heartbeat). EXPERIMENTAL
`host_connection_reconnect_delay = 0.25`	floating point value	Set delay for reconnection to some host which has connection error
`kombu_compression = None`	string value	EXPERIMENTAL: Possible values are: gzip, bz2. If not set compression will not be used. This option may not be available in future versions.
`kombu_failover_strategy = round-robin`	string value	Determines how the next RabbitMQ node is chosen in case the one we are currently connected to becomes unavailable. Takes effect only if more than one RabbitMQ node is provided in config.
`kombu_missing_consumer_retry_timeout = 60`	integer value	How long to wait a missing client before abandoning to send it its replies. This value should not be longer than rpc_response_timeout.
`kombu_reconnect_delay = 1.0`	floating point value	How long to wait before reconnecting in response to an AMQP consumer cancel notification.
`notification_listener_prefetch_count = 100`	integer value	Max number of not acknowledged message which RabbitMQ can send to notification listener.
`notification_persistence = False`	boolean value	Persist notification messages.
`notification_retry_delay = 0.25`	floating point value	Reconnecting retry delay in case of connectivity problem during sending notification message
`pool_max_overflow = 0`	integer value	Maximum number of connections to create above `pool_max_size`.
`pool_max_size = 30`	integer value	Maximum number of connections to keep queued.
`pool_recycle = 600`	integer value	Lifetime of a connection (since creation) in seconds or None for no recycling. Expired connections are closed on acquire.
`pool_stale = 60`	integer value	Threshold at which inactive (since release) connections are considered stale in seconds or None for no staleness. Stale connections are closed on acquire.
`pool_timeout = 30`	integer value	Default number of seconds to wait for a connections to available
`rabbit_ha_queues = False`	boolean value	Try to use HA queues in RabbitMQ (x-ha-policy: all). If you change this option, you must wipe the RabbitMQ database. In RabbitMQ 3.0, queue mirroring is no longer controlled by the x-ha-policy argument when declaring a queue. If you just want to make sure that all queues (except those with auto-generated names) are mirrored across all nodes, run: "rabbitmqctl set_policy HA ^(?!amq\.).* {"ha-mode": "all"} "
`rabbit_host = localhost`	string value	The RabbitMQ broker address where a single node is used.
`rabbit_hosts = [u'$rabbit_host:$rabbit_port']`	list value	RabbitMQ HA cluster host:port pairs.
`rabbit_interval_max = 30`	integer value	Maximum interval of RabbitMQ connection retries. Default is 30 seconds.
`rabbit_login_method = AMQPLAIN`	string value	The RabbitMQ login method.
`rabbit_max_retries = 0`	integer value	Maximum number of RabbitMQ connection retries. Default is 0 (infinite retry count).
`rabbit_password = guest`	string value	The RabbitMQ password.
`rabbit_port = 5672`	port value	The RabbitMQ broker port where a single node is used.
`rabbit_qos_prefetch_count = 0`	integer value	Specifies the number of messages to prefetch. Setting to zero allows unlimited messages.
`rabbit_retry_backoff = 2`	integer value	How long to backoff for between retries when connecting to RabbitMQ.
`rabbit_retry_interval = 1`	integer value	How frequently to retry connecting with RabbitMQ.
`rabbit_transient_queues_ttl = 1800`	integer value	Positive integer representing duration in seconds for queue TTL (x-expires). Queues which are unused for the duration of the TTL are automatically deleted. The parameter affects only reply and fanout queues.
`rabbit_userid = guest`	string value	The RabbitMQ userid.
`rabbit_virtual_host = /`	string value	The RabbitMQ virtual host.
`rpc_listener_prefetch_count = 100`	integer value	Max number of not acknowledged message which RabbitMQ can send to rpc listener.
`rpc_queue_expiration = 60`	integer value	Time to live for rpc queues without consumers in seconds.
`rpc_reply_exchange = ${control_exchange}_rpc_reply`	string value	Exchange name for receiving RPC replies
`rpc_reply_listener_prefetch_count = 100`	integer value	Max number of not acknowledged message which RabbitMQ can send to rpc reply listener.
`rpc_reply_retry_attempts = -1`	integer value	Reconnecting retry count in case of connectivity problem during sending reply. -1 means infinite retry during rpc_timeout
`rpc_reply_retry_delay = 0.25`	floating point value	Reconnecting retry delay in case of connectivity problem during sending reply.
`rpc_retry_delay = 0.25`	floating point value	Reconnecting retry delay in case of connectivity problem during sending RPC message
`socket_timeout = 0.25`	floating point value	Set socket timeout in seconds for connection’s socket
`ssl = None`	boolean value	Enable SSL
`ssl_ca_file = `	string value	SSL certification authority file (valid only if SSL enabled).
`ssl_cert_file = `	string value	SSL cert file (valid only if SSL enabled).
`ssl_key_file = `	string value	SSL key file (valid only if SSL enabled).
`ssl_options = None`	dict value	Arguments passed to ssl.wrap_socket
`ssl_version = `	string value	SSL version to use (valid only if SSL enabled). Valid values are TLSv1 and SSLv23. SSLv2, SSLv3, TLSv1_1, and TLSv1_2 may be available on some distributions.
`tcp_user_timeout = 0.25`	floating point value	Set TCP_USER_TIMEOUT in seconds for connection’s socket

2.1.16. oslo_messaging_zmq

The following table outlines the options available under the [oslo_messaging_zmq] group in the /etc/ceilometer/ceilometer.conf file.

Table 2.16. oslo_messaging_zmq
Configuration option = Default value	Type	Description
`rpc_ack_timeout_base = 15`	integer value	Number of seconds to wait for an ack from a cast/call. After each retry attempt this timeout is multiplied by some specified multiplier.
`rpc_ack_timeout_multiplier = 2`	integer value	Number to multiply base ack timeout by after each retry attempt.
`rpc_message_ttl = 300`	integer value	Expiration timeout in seconds of a sent/received message after which it is not tracked anymore by a client/server.
`rpc_poll_timeout = 1`	integer value	The default number of seconds that poll should wait. Poll raises timeout exception when timeout expired.
`rpc_retry_attempts = 3`	integer value	Default number of message sending attempts in case of any problems occurred: positive value N means at most N retries, 0 means no retries, None or -1 (or any other negative values) mean to retry forever. This option is used only if acknowledgments are enabled.
`rpc_thread_pool_size = 100`	integer value	Maximum number of (green) threads to work concurrently.
`rpc_use_acks = False`	boolean value	Wait for message acknowledgements from receivers. This mechanism works only via proxy without PUB/SUB.
`rpc_zmq_bind_address = *`	string value	ZeroMQ bind address. Should be a wildcard (*), an ethernet interface, or IP. The "host" option should point or resolve to this address.
`rpc_zmq_bind_port_retries = 100`	integer value	Number of retries to find free port number before fail with ZMQBindError.
`rpc_zmq_contexts = 1`	integer value	Number of ZeroMQ contexts, defaults to 1.
`rpc_zmq_host = ccsosp-undercloud.usersys.redhat.com`	string value	Name of this node. Must be a valid hostname, FQDN, or IP address. Must match "host" option, if running Nova.
`rpc_zmq_ipc_dir = /var/run/openstack`	string value	Directory for holding IPC sockets.
`rpc_zmq_matchmaker = redis`	string value	MatchMaker driver.
`rpc_zmq_max_port = 65536`	integer value	Maximal port number for random ports range.
`rpc_zmq_min_port = 49153`	port value	Minimal port number for random ports range.
`rpc_zmq_serialization = json`	string value	Default serialization mechanism for serializing/deserializing outgoing/incoming messages
`rpc_zmq_topic_backlog = None`	integer value	Maximum number of ingress messages to locally buffer per topic. Default is unlimited.
`subscribe_on = []`	list value	List of publisher hosts SubConsumer can subscribe on. This option has higher priority then the default publishers list taken from the matchmaker.
`use_dynamic_connections = False`	boolean value	This option makes direct connections dynamic or static. It makes sense only with use_router_proxy=False which means to use direct connections for direct message types (ignored otherwise).
`use_pub_sub = False`	boolean value	Use PUB/SUB pattern for fanout methods. PUB/SUB always uses proxy.
`use_router_proxy = False`	boolean value	Use ROUTER remote proxy.
`zmq_failover_connections = 2`	integer value	How many additional connections to a host will be made for failover reasons. This option is actual only in dynamic connections mode.
`zmq_immediate = True`	boolean value	This option configures round-robin mode in zmq socket. True means not keeping a queue when server side disconnects. False means to keep queue and messages even if server is disconnected, when the server appears we send all accumulated messages to it.
`zmq_linger = -1`	integer value	Number of seconds to wait before all pending messages will be sent after closing a socket. The default value of -1 specifies an infinite linger period. The value of 0 specifies no linger period. Pending messages shall be discarded immediately when the socket is closed. Positive values specify an upper bound for the linger period.
`zmq_target_expire = 300`	integer value	Expiration timeout in seconds of a name service record about existing target ( < 0 means no timeout).
`zmq_target_update = 180`	integer value	Update period in seconds of a name service record about existing target.
`zmq_tcp_keepalive = -1`	integer value	Enable/disable TCP keepalive (KA) mechanism. The default value of -1 (or any other negative value) means to skip any overrides and leave it to OS default; 0 and 1 (or any other positive value) mean to disable and enable the option respectively.
`zmq_tcp_keepalive_cnt = -1`	integer value	The number of retransmissions to be carried out before declaring that remote end is not available. The default value of -1 (or any other negative value and 0) means to skip any overrides and leave it to OS default.
`zmq_tcp_keepalive_idle = -1`	integer value	The duration between two keepalive transmissions in idle condition. The unit is platform dependent, for example, seconds in Linux, milliseconds in Windows etc. The default value of -1 (or any other negative value and 0) means to skip any overrides and leave it to OS default.
`zmq_tcp_keepalive_intvl = -1`	integer value	The duration between two successive keepalive retransmissions, if acknowledgement to the previous keepalive transmission is not received. The unit is platform dependent, for example, seconds in Linux, milliseconds in Windows etc. The default value of -1 (or any other negative value and 0) means to skip any overrides and leave it to OS default.

2.1.17. polling

The following table outlines the options available under the [polling] group in the /etc/ceilometer/ceilometer.conf file.

Table 2.17. polling
Configuration option = Default value	Type	Description
`cfg_file = polling.yaml`	string value	Configuration file for polling definition.
`partitioning_group_prefix = None`	string value	Work-load partitioning group prefix. Use only if you want to run multiple polling agents with different config files. For each sub-group of the agent pool with the same partitioning_group_prefix a disjoint subset of pollsters should be loaded.

2.1.18. publisher

The following table outlines the options available under the [publisher] group in the /etc/ceilometer/ceilometer.conf file.

Table 2.18. publisher
Configuration option = Default value	Type	Description
`telemetry_secret = change this for valid signing`	string value	Secret value for signing messages. Set value empty if signing is not required to avoid computational overhead.

2.1.19. publisher_notifier

The following table outlines the options available under the [publisher_notifier] group in the /etc/ceilometer/ceilometer.conf file.

Table 2.19. publisher_notifier
Configuration option = Default value	Type	Description
`event_topic = event`	string value	The topic that ceilometer uses for event notifications.
`metering_topic = metering`	string value	The topic that ceilometer uses for metering notifications.
`telemetry_driver = messagingv2`	string value	The driver that ceilometer uses for metering notifications.

2.1.20. rgw_admin_credentials

The following table outlines the options available under the [rgw_admin_credentials] group in the /etc/ceilometer/ceilometer.conf file.

Table 2.20. rgw_admin_credentials
Configuration option = Default value	Type	Description
`access_key = None`	string value	Access key for Radosgw Admin.
`secret_key = None`	string value	Secret key for Radosgw Admin.

2.1.21. service_credentials

The following table outlines the options available under the [service_credentials] group in the /etc/ceilometer/ceilometer.conf file.

Table 2.21. service_credentials
Configuration option = Default value	Type	Description
`auth-url = None`	string value	Authentication URL
`auth_section = None`	string value	Config Section from which to load plugin specific options
`auth_type = None`	string value	Authentication type to load
`default-domain-id = None`	string value	Optional domain ID to use with v3 and v2 parameters. It will be used for both the user and project domain in v3 and ignored in v2 authentication.
`default-domain-name = None`	string value	Optional domain name to use with v3 API and v2 parameters. It will be used for both the user and project domain in v3 and ignored in v2 authentication.
`domain-id = None`	string value	Domain ID to scope to
`domain-name = None`	string value	Domain name to scope to
`interface = public`	string value	Type of endpoint in Identity service catalog to use for communication with OpenStack services.
`password = None`	string value	User’s password
`project-domain-id = None`	string value	Domain ID containing project
`project-domain-name = None`	string value	Domain name containing project
`project-id = None`	string value	Project ID to scope to
`project-name = None`	string value	Project name to scope to
`region-name = None`	string value	Region name to use for OpenStack service endpoints.
`system-scope = None`	string value	Scope for system operations
`trust-id = None`	string value	Trust ID
`user-domain-id = None`	string value	User’s domain id
`user-domain-name = None`	string value	User’s domain name
`user-id = None`	string value	User id
`username = None`	string value	Username

2.1.22. service_types

The following table outlines the options available under the [service_types] group in the /etc/ceilometer/ceilometer.conf file.

Table 2.22. service_types
Configuration option = Default value	Type	Description
`cinder = volumev3`	string value	Cinder service type.
`glance = image`	string value	Glance service type.
`neutron = network`	string value	Neutron service type.
`neutron_lbaas_version = v2`	string value	Neutron load balancer version.
`nova = compute`	string value	Nova service type.
`radosgw = None`	string value	Radosgw service type.
`swift = object-store`	string value	Swift service type.

2.1.23. vmware

The following table outlines the options available under the [vmware] group in the /etc/ceilometer/ceilometer.conf file.

Table 2.23. vmware
Configuration option = Default value	Type	Description
`api_retry_count = 10`	integer value	Number of times a VMware vSphere API may be retried.
`ca_file = None`	string value	CA bundle file to use in verifying the vCenter server certificate.
`host_ip = 127.0.0.1`	unknown value	IP address of the VMware vSphere host.
`host_password = `	string value	Password of VMware vSphere.
`host_port = 443`	port value	Port of the VMware vSphere host.
`host_username = `	string value	Username of VMware vSphere.
`insecure = False`	boolean value	If true, the vCenter server certificate is not verified. If false, then the default CA truststore is used for verification. This option is ignored if "ca_file" is set.
`task_poll_interval = 0.5`	floating point value	Sleep time in seconds for polling an ongoing async task.
`wsdl_location = None`	string value	Optional vim service WSDL location e.g http://<server>/vimService.wsdl. Optional over-ride to default location for bug work-arounds.

2.1.24. xenapi

The following table outlines the options available under the [xenapi] group in the /etc/ceilometer/ceilometer.conf file.

Table 2.24. xenapi
Configuration option = Default value	Type	Description
`connection_password = None`	string value	Password for connection to XenServer/Xen Cloud Platform.
`connection_url = None`	string value	URL for connection to XenServer/Xen Cloud Platform.
`connection_username = root`	string value	Username for connection to XenServer/Xen Cloud Platform.

Chapter 3. cinder

The following chapter contains information about the configuration options in the cinder service.

3.1. cinder.conf

This section contains options for the /etc/cinder/cinder.conf file.

3.1.1. DEFAULT

The following table outlines the options available under the [DEFAULT] group in the /etc/cinder/cinder.conf file.

Table 3.1. DEFAULT
Configuration option = Default value	Type	Description
`allocated_capacity_weight_multiplier = -1.0`	floating point value	Multiplier used for weighing allocated capacity. Positive numbers mean to stack vs spread.
`allow_availability_zone_fallback = False`	boolean value	If the requested Cinder availability zone is unavailable, fall back to the value of default_availability_zone, then storage_availability_zone, instead of failing.
`allow_inuse_volume_type_modification = False`	boolean value	DEPRECATED: Allow the ability to modify the extra-spec settings of an in-use volume-type.
`allowed_direct_url_schemes = []`	list value	A list of url schemes that can be downloaded directly via the direct_url. Currently supported schemes: [file, cinder].
`api_paste_config = api-paste.ini`	string value	File name for the paste.deploy config for api service
`api_rate_limit = True`	boolean value	Enables or disables rate limit of the API.
`auth_strategy = keystone`	string value	The strategy to use for auth. Supports noauth or keystone.
`az_cache_duration = 3600`	integer value	Cache volume availability zones in memory for the provided duration in seconds
`backdoor_port = None`	string value	Enable eventlet backdoor. Acceptable values are 0, <port>, and <start>:<end>, where 0 results in listening on a random tcp port number; <port> results in listening on the specified port number (and not enabling backdoor if that port is in use); and <start>:<end> results in listening on the smallest unused port number within the specified range of port numbers. The chosen port is displayed in the service’s log file.
`backdoor_socket = None`	string value	Enable eventlet backdoor, using the provided path as a unix socket that can receive connections. This option is mutually exclusive with backdoor_port in that only one should be provided. If both are provided then the existence of this option overrides the usage of that option.
`backend_availability_zone = None`	string value	Availability zone for this volume backend. If not set, the storage_availability_zone option value is used as the default for all backends.
`backup_api_class = cinder.backup.api.API`	string value	The full class name of the volume backup API class
`backup_ceph_chunk_size = 134217728`	integer value	The chunk size, in bytes, that a backup is broken into before transfer to the Ceph object store.
`backup_ceph_conf = /etc/ceph/ceph.conf`	string value	Ceph configuration file to use.
`backup_ceph_image_journals = False`	boolean value	If True, apply JOURNALING and EXCLUSIVE_LOCK feature bits to the backup RBD objects to allow mirroring
`backup_ceph_pool = backups`	string value	The Ceph pool where volume backups are stored.
`backup_ceph_stripe_count = 0`	integer value	RBD stripe count to use when creating a backup image.
`backup_ceph_stripe_unit = 0`	integer value	RBD stripe unit to use when creating a backup image.
`backup_ceph_user = cinder`	string value	The Ceph user to connect with. Default here is to use the same user as for Cinder volumes. If not using cephx this should be set to None.
`backup_compression_algorithm = zlib`	string value	Compression algorithm (None to disable)
`backup_container = None`	string value	Custom directory to use for backups.
`backup_driver = cinder.backup.drivers.swift.SwiftBackupDriver`	string value	Driver to use for backups.
`backup_enable_progress_timer = True`	boolean value	Enable or Disable the timer to send the periodic progress notifications to Ceilometer when backing up the volume to the backend storage. The default value is True to enable the timer.
`backup_file_size = 1999994880`	integer value	The maximum size in bytes of the files used to hold backups. If the volume being backed up exceeds this size, then it will be backed up into multiple files.backup_file_size must be a multiple of backup_sha_block_size_bytes.
`backup_gcs_block_size = 32768`	integer value	The size in bytes that changes are tracked for incremental backups. backup_gcs_object_size has to be multiple of backup_gcs_block_size.
`backup_gcs_bucket = None`	string value	The GCS bucket to use.
`backup_gcs_bucket_location = US`	string value	Location of GCS bucket.
`backup_gcs_credential_file = None`	string value	Absolute path of GCS service account credential file.
`backup_gcs_enable_progress_timer = True`	boolean value	Enable or Disable the timer to send the periodic progress notifications to Ceilometer when backing up the volume to the GCS backend storage. The default value is True to enable the timer.
`backup_gcs_num_retries = 3`	integer value	Number of times to retry.
`backup_gcs_object_size = 52428800`	integer value	The size in bytes of GCS backup objects.
`backup_gcs_project_id = None`	string value	Owner project id for GCS bucket.
`backup_gcs_proxy_url = None`	uri value	URL for http proxy access.
`backup_gcs_reader_chunk_size = 2097152`	integer value	GCS object will be downloaded in chunks of bytes.
`backup_gcs_retry_error_codes = [u'429']`	list value	List of GCS error codes.
`backup_gcs_storage_class = NEARLINE`	string value	Storage class of GCS bucket.
`backup_gcs_user_agent = gcscinder`	string value	Http user-agent string for gcs api.
`backup_gcs_writer_chunk_size = 2097152`	integer value	GCS object will be uploaded in chunks of bytes. Pass in a value of -1 if the file is to be uploaded as a single chunk.
`backup_manager = cinder.backup.manager.BackupManager`	string value	Full class name for the Manager for volume backup
`backup_metadata_version = 2`	integer value	Backup metadata version to be used when backing up volume metadata. If this number is bumped, make sure the service doing the restore supports the new version.
`backup_mount_options = None`	string value	Mount options passed to the NFS client. See NFS man page for details.
`backup_mount_point_base = $state_path/backup_mount`	string value	Base dir containing mount point for NFS share.
`backup_name_template = backup-%s`	string value	Template string to be used to generate backup names
`backup_native_threads_pool_size = 60`	integer value	Size of the native threads pool for the backups. Most backup drivers rely heavily on this, it can be decreased for specific drivers that don’t.
`backup_object_number_per_notification = 10`	integer value	The number of chunks or objects, for which one Ceilometer notification will be sent
`backup_posix_path = $state_path/backup`	string value	Path specifying where to store backups.
`backup_service_inithost_offload = True`	boolean value	Offload pending backup delete during backup service startup. If false, the backup service will remain down until all pending backups are deleted.
`backup_sha_block_size_bytes = 32768`	integer value	The size in bytes that changes are tracked for incremental backups. backup_file_size has to be multiple of backup_sha_block_size_bytes.
`backup_share = None`	string value	NFS share in hostname:path, ipv4addr:path, or "[ipv6addr]:path" format.
`backup_swift_auth = per_user`	string value	Swift authentication mechanism (per_user or single_user).
`backup_swift_auth_insecure = False`	boolean value	Bypass verification of server certificate when making SSL connection to Swift.
`backup_swift_auth_url = None`	uri value	The URL of the Keystone endpoint
`backup_swift_auth_version = 1`	string value	Swift authentication version. Specify "1" for auth 1.0, or "2" for auth 2.0 or "3" for auth 3.0
`backup_swift_block_size = 32768`	integer value	The size in bytes that changes are tracked for incremental backups. backup_swift_object_size has to be multiple of backup_swift_block_size.
`backup_swift_ca_cert_file = None`	string value	Location of the CA certificate file to use for swift client requests.
`backup_swift_container = volumebackups`	string value	The default Swift container to use
`backup_swift_enable_progress_timer = True`	boolean value	Enable or Disable the timer to send the periodic progress notifications to Ceilometer when backing up the volume to the Swift backend storage. The default value is True to enable the timer.
`backup_swift_key = None`	string value	Swift key for authentication
`backup_swift_object_size = 52428800`	integer value	The size in bytes of Swift backup objects
`backup_swift_project = None`	string value	Swift project/account name. Required when connecting to an auth 3.0 system
`backup_swift_project_domain = None`	string value	Swift project domain name. Required when connecting to an auth 3.0 system
`backup_swift_retry_attempts = 3`	integer value	The number of retries to make for Swift operations
`backup_swift_retry_backoff = 2`	integer value	The backoff time in seconds between Swift retries
`backup_swift_tenant = None`	string value	Swift tenant/account name. Required when connecting to an auth 2.0 system
`backup_swift_url = None`	uri value	The URL of the Swift endpoint
`backup_swift_user = None`	string value	Swift user name
`backup_swift_user_domain = None`	string value	Swift user domain name. Required when connecting to an auth 3.0 system
`backup_timer_interval = 120`	integer value	Interval, in seconds, between two progress notifications reporting the backup status
`backup_tsm_compression = True`	boolean value	Enable or Disable compression for backups
`backup_tsm_password = password`	string value	TSM password for the running username
`backup_tsm_volume_prefix = backup`	string value	Volume prefix for the backup id when backing up to TSM
`backup_use_same_host = False`	boolean value	Backup services use same backend.
`backup_use_temp_snapshot = False`	boolean value	If this is set to True, a temporary snapshot will be created for performing non-disruptive backups. Otherwise a temporary volume will be cloned in order to perform a backup.
`capacity_weight_multiplier = 1.0`	floating point value	Multiplier used for weighing free capacity. Negative numbers mean to stack vs spread.
`chap_password = `	string value	Password for specified CHAP account name.
`chap_username = `	string value	CHAP user name.
`chiscsi_conf = /etc/chelsio-iscsi/chiscsi.conf`	string value	Chiscsi (CXT) global defaults configuration file
`cinder_internal_tenant_project_id = None`	string value	ID of the project which will be used as the Cinder internal tenant.
`cinder_internal_tenant_user_id = None`	string value	ID of the user to be used in volume operations as the Cinder internal tenant.
`client_socket_timeout = 900`	integer value	Timeout for client connections' socket operations. If an incoming connection is idle for this number of seconds it will be closed. A value of 0 means wait forever.
`cloned_volume_same_az = True`	boolean value	Ensure that the new volumes are the same AZ as snapshot or source volume
`cluster = None`	string value	Name of this cluster. Used to group volume hosts that share the same backend configurations to work in HA Active-Active mode. Active-Active is not yet supported.
`compute_api_class = cinder.compute.nova.API`	string value	The full class name of the compute API class to use
`config-dir = [u'~/.project/project.conf.d/', u'~/project.conf.d/', u'/etc/project/project.conf.d/', u'/etc/project.conf.d/']`	list value	Path to a config directory to pull `*.conf` files from. This file set is sorted, so as to provide a predictable parse order if individual options are over-ridden. The set is parsed after the file(s) specified via previous --config-file, arguments hence over-ridden options in the directory take precedence.
`config-file = [u'~/.project/project.conf', u'~/project.conf', u'/etc/project/project.conf', u'/etc/project.conf']`	unknown value	Path to a config file to use. Multiple config files can be specified, with values in later files taking precedence. Defaults to %(default)s.
`conn_pool_min_size = 2`	integer value	The pool size limit for connections expiration policy
`conn_pool_ttl = 1200`	integer value	The time-to-live in sec of idle connections in the pool
`consistencygroup_api_class = cinder.consistencygroup.api.API`	string value	The full class name of the consistencygroup API class
`control_exchange = openstack`	string value	The default exchange under which topics are scoped. May be overridden by an exchange name specified in the transport_url option.
`datacore_api_timeout = 300`	integer value	Seconds to wait for a response from a DataCore API call.
`datacore_disk_failed_delay = 15`	integer value	Seconds to wait for DataCore virtual disk to come out of the "Failed" state.
`datacore_disk_pools = []`	list value	List of DataCore disk pools that can be used by volume driver.
`datacore_disk_type = single`	string value	DataCore virtual disk type (single/mirrored). Mirrored virtual disks require two storage servers in the server group.
`datacore_iscsi_chap_enabled = False`	boolean value	Configure CHAP authentication for iSCSI connections.
`datacore_iscsi_chap_storage = None`	string value	iSCSI CHAP authentication password storage file.
`datacore_iscsi_unallowed_targets = []`	list value	List of iSCSI targets that cannot be used to attach volume. To prevent the DataCore iSCSI volume driver from using some front-end targets in volume attachment, specify this option and list the iqn and target machine for each target as the value, such as <iqn:target name>, <iqn:target name>, <iqn:target name>.
`datacore_storage_profile = None`	string value	DataCore virtual disk storage profile.
`db_driver = cinder.db`	string value	Driver to use for database access
`debug = False`	boolean value	If set to true, the logging level will be set to DEBUG instead of the default INFO level.
`default_availability_zone = None`	string value	Default availability zone for new volumes. If not set, the storage_availability_zone option value is used as the default for new volumes.
`default_group_type = None`	string value	Default group type to use
default_log_levels = [u'amqp=WARN', u'amqplib=WARN', u'boto=WARN', u'qpid=WARN', u'sqlalchemy=WARN', u'suds=INFO', u'oslo.messaging=INFO', u'oslo_messaging=INFO', u'iso8601=WARN', u'requests.packages.urllib3.connectionpool=WARN', u'urllib3.connectionpool=WARN', u'websocket=WARN', u'requests.packages.urllib3.util.retry=WARN', u'urllib3.util.retry=WARN', u'keystonemiddleware=WARN', u'routes.middleware=WARN', u'stevedore=WARN', u'taskflow=WARN', u'keystoneauth=WARN', u'oslo.cache=INFO', u'dogpile.core.dogpile=INFO']	list value	List of package logging levels in logger=LEVEL pairs. This option is ignored if log_config_append is set.
`default_volume_type = None`	string value	Default volume type to use
`driver_client_cert = None`	string value	The path to the client certificate for verification, if the driver supports it.
`driver_client_cert_key = None`	string value	The path to the client certificate key for verification, if the driver supports it.
`driver_data_namespace = None`	string value	Namespace for driver private data values to be saved in.
`driver_ssl_cert_path = None`	string value	Can be used to specify a non default path to a CA_BUNDLE file or directory with certificates of trusted CAs, which will be used to validate the backend
`driver_ssl_cert_verify = False`	boolean value	If set to True the http client will validate the SSL certificate of the backend endpoint.
`driver_use_ssl = False`	boolean value	Tell driver to use SSL for connection to backend storage if the driver supports it.
`enable_force_upload = False`	boolean value	Enables the Force option on upload_to_image. This enables running upload_volume on in-use volumes for backends that support it.
`enable_new_services = True`	boolean value	Services to be added to the available pool on create
`enable_unsupported_driver = False`	boolean value	Set this to True when you want to allow an unsupported driver to start. Drivers that haven’t maintained a working CI system and testing are marked as unsupported until CI is working again. This also marks a driver as deprecated and may be removed in the next release.
`enable_v2_api = True`	boolean value	DEPRECATED: Deploy v2 of the Cinder API.
`enable_v3_api = True`	boolean value	Deploy v3 of the Cinder API.
`enabled_backends = None`	list value	A list of backend names to use. These backend names should be backed by a unique [CONFIG] group with its options
`enforce_multipath_for_image_xfer = False`	boolean value	If this is set to True, attachment of volumes for image transfer will be aborted when multipathd is not running. Otherwise, it will fallback to single path.
`executor_thread_pool_size = 64`	integer value	Size of executor thread pool when executor is threading or eventlet.
`fatal_deprecations = False`	boolean value	Enables or disables fatal status of deprecations.
`fatal_exception_format_errors = False`	boolean value	Make exception message format errors fatal.
`filter_function = None`	string value	String representation for an equation that will be used to filter hosts. Only used when the driver filter is set to be used by the Cinder scheduler.
`glance_api_insecure = False`	boolean value	Allow to perform insecure SSL (https) requests to glance (https will be used but cert validation will not be performed).
`glance_api_servers = None`	list value	A list of the URLs of glance API servers available to cinder ([http[s]://][hostname\|ip]:port). If protocol is not specified it defaults to http.
`glance_api_ssl_compression = False`	boolean value	Enables or disables negotiation of SSL layer compression. In some cases disabling compression can improve data throughput, such as when high network bandwidth is available and you use compressed image formats like qcow2.
`glance_ca_certificates_file = None`	string value	Location of ca certificates file to use for glance client requests.
`glance_catalog_info = image:glance:publicURL`	string value	Info to match when looking for glance in the service catalog. Format is: separated values of the form: <service_type>:<service_name>:<endpoint_type> - Only used if glance_api_servers are not provided.
`glance_core_properties = [u'checksum', u'container_format', u'disk_format', u'image_name', u'image_id', u'min_disk', u'min_ram', u'name', u'size']`	list value	Default core properties of image
`glance_num_retries = 0`	integer value	Number retries when downloading an image from glance
`glance_request_timeout = None`	integer value	http/https timeout value for glance operations. If no value (None) is supplied here, the glanceclient default value is used.
`glusterfs_backup_mount_point = $state_path/backup_mount`	string value	Base dir containing mount point for gluster share.
`glusterfs_backup_share = None`	string value	GlusterFS share in <hostname\|ipv4addr\|ipv6addr>:<gluster_vol_name> format. Eg: 1.2.3.4:backup_vol
`goodness_function = None`	string value	String representation for an equation that will be used to determine the goodness of a host. Only used when using the goodness weigher is set to be used by the Cinder scheduler.
`graceful_shutdown_timeout = 60`	integer value	Specify a timeout after which a gracefully shutdown server will exit. Zero value means endless wait.
`group_api_class = cinder.group.api.API`	string value	The full class name of the group API class
`host = ccsosp-undercloud.usersys.redhat.com`	unknown value	Name of this node. This can be an opaque identifier. It is not necessarily a host name, FQDN, or IP address.
`iet_conf = /etc/iet/ietd.conf`	string value	IET configuration file
`image_conversion_dir = $state_path/conversion`	string value	Directory used for temporary storage during image conversion
`image_upload_use_cinder_backend = False`	boolean value	If set to True, upload-to-image in raw format will create a cloned volume and register its location to the image service, instead of uploading the volume content. The cinder backend and locations support must be enabled in the image service.
`image_upload_use_internal_tenant = False`	boolean value	If set to True, the image volume created by upload-to-image will be placed in the internal tenant. Otherwise, the image volume is created in the current context’s tenant.
`image_volume_cache_enabled = False`	boolean value	Enable the image volume cache for this backend.
`image_volume_cache_max_count = 0`	integer value	Max number of entries allowed in the image volume cache. 0 ⇒ unlimited.
`image_volume_cache_max_size_gb = 0`	integer value	Max size of the image volume cache for this backend in GB. 0 ⇒ unlimited.
`instance_format = [instance: %(uuid)s] `	string value	The format for an instance that is passed with the log message.
`instance_uuid_format = [instance: %(uuid)s] `	string value	The format for an instance UUID that is passed with the log message.
`instorage_mcs_allow_tenant_qos = False`	boolean value	Allow tenants to specify QOS on create
`instorage_mcs_iscsi_chap_enabled = True`	boolean value	Configure CHAP authentication for iSCSI connections (Default: Enabled)
`instorage_mcs_localcopy_rate = 50`	integer value	Specifies the InStorage LocalCopy copy rate to be used when creating a full volume copy. The default is rate is 50, and the valid rates are 1-100.
`instorage_mcs_localcopy_timeout = 120`	integer value	Maximum number of seconds to wait for LocalCopy to be prepared.
`instorage_mcs_vol_autoexpand = True`	boolean value	Storage system autoexpand parameter for volumes (True/False)
`instorage_mcs_vol_compression = False`	boolean value	Storage system compression option for volumes
`instorage_mcs_vol_grainsize = 256`	integer value	Storage system grain size parameter for volumes (32/64/128/256)
`instorage_mcs_vol_intier = True`	boolean value	Enable InTier for volumes
`instorage_mcs_vol_iogrp = 0`	string value	The I/O group in which to allocate volumes. It can be a comma-separated list in which case the driver will select an io_group based on least number of volumes associated with the io_group.
`instorage_mcs_vol_rsize = 2`	integer value	Storage system space-efficiency parameter for volumes (percentage)
`instorage_mcs_vol_warning = 0`	integer value	Storage system threshold for volume capacity warnings (percentage)
`instorage_mcs_volpool_name = [u'volpool']`	list value	Comma separated list of storage system storage pools for volumes.
`instorage_san_secondary_ip = None`	string value	Specifies secondary management IP or hostname to be used if san_ip is invalid or becomes inaccessible.
`iscsi_iotype = fileio`	string value	Sets the behavior of the iSCSI target to either perform blockio or fileio optionally, auto can be set and Cinder will autodetect type of backing device
`iscsi_secondary_ip_addresses = []`	list value	The list of secondary IP addresses of the iSCSI daemon
`iscsi_target_flags = `	string value	Sets the target-specific flags for the iSCSI target. Only used for tgtadm to specify backing device flags using bsoflags option. The specified string is passed as is to the underlying tool.
`iscsi_write_cache = on`	string value	Sets the behavior of the iSCSI target to either perform write-back(on) or write-through(off). This parameter is valid if target_helper is set to tgtadm.
`iser_helper = tgtadm`	string value	The name of the iSER target user-land tool to use
`iser_ip_address = $my_ip`	string value	The IP address that the iSER daemon is listening on
`iser_port = 3260`	port value	The port that the iSER daemon is listening on
`iser_target_prefix = iqn.2010-10.org.openstack:`	string value	Prefix for iSER volumes
`keystone_catalog_info = identity:Identity Service:publicURL`	string value	Info to match when looking for keystone in the service catalog. Format is: separated values of the form: <service_type>:<service_name>:<endpoint_type> - Only used if backup_swift_auth_url is unset
`log-config-append = None`	string value	The name of a logging configuration file. This file is appended to any existing logging configuration files. For details about logging configuration files, see the Python logging module documentation. Note that when logging configuration files are used then all logging configuration is set in the configuration file and other logging configuration options are ignored (for example, logging_context_format_string).
`log-date-format = %Y-%m-%d %H:%M:%S`	string value	Defines the format string for %%(asctime)s in log records. Default: %(default)s . This option is ignored if log_config_append is set.
`log-dir = None`	string value	(Optional) The base directory used for relative log_file paths. This option is ignored if log_config_append is set.
`log-file = None`	string value	(Optional) Name of log file to send logging output to. If no default is set, logging will go to stderr as defined by use_stderr. This option is ignored if log_config_append is set.
`log_options = True`	boolean value	Enables or disables logging values of all registered options when starting a service (at DEBUG level).
`logging_context_format_string = %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [%(request_id)s %(user_identity)s] %(instance)s%(message)s`	string value	Format string to use for log messages with context.
`logging_debug_format_suffix = %(funcName)s %(pathname)s:%(lineno)d`	string value	Additional data to append to log message when logging level for the message is DEBUG.
`logging_default_format_string = %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [-] %(instance)s%(message)s`	string value	Format string to use for log messages when context is undefined.
`logging_exception_prefix = %(asctime)s.%(msecs)03d %(process)d ERROR %(name)s %(instance)s`	string value	Prefix each line of exception output with this format.
`logging_user_identity_format = %(user)s %(tenant)s %(domain)s %(user_domain)s %(project_domain)s`	string value	Defines the format string for %(user_identity)s that is used in logging_context_format_string.
`max_age = 0`	integer value	Number of seconds between subsequent usage refreshes
`max_header_line = 16384`	integer value	Maximum line size of message headers to be accepted. max_header_line may need to be increased when using large tokens (typically those generated when keystone is configured to use PKI tokens with big service catalogs).
`max_over_subscription_ratio = 20.0`	string value	Representation of the over subscription ratio when thin provisioning is enabled. Default ratio is 20.0, meaning provisioned capacity can be 20 times of the total physical capacity. If the ratio is 10.5, it means provisioned capacity can be 10.5 times of the total physical capacity. A ratio of 1.0 means provisioned capacity cannot exceed the total physical capacity. If ratio is auto, Cinder will automatically calculate the ratio based on the provisioned capacity and the used space. If not set to auto, the ratio has to be a minimum of 1.0.
`message_reap_interval = 86400`	integer value	interval between periodic task runs to clean expired messages in seconds.
`message_ttl = 2592000`	integer value	message minimum life in seconds.
`migration_create_volume_timeout_secs = 300`	integer value	Timeout for creating the volume to migrate to when performing volume migration (seconds)
`monkey_patch = False`	boolean value	Enable monkey patching
`monkey_patch_modules = []`	list value	List of modules/decorators to monkey patch
`my_ip = 10.65.176.99`	unknown value	IP address of this host
`no_snapshot_gb_quota = False`	boolean value	Whether snapshots count against gigabyte quota
`num_iser_scan_tries = 3`	integer value	The maximum number of times to rescan iSER targetto find volume
`num_shell_tries = 3`	integer value	Number of times to attempt to run flakey shell commands
`num_volume_device_scan_tries = 3`	integer value	The maximum number of times to rescan targets to find volume
`osapi_max_limit = 1000`	integer value	The maximum number of items that a collection resource returns in a single response
`osapi_volume_ext_list = []`	list value	Specify list of extensions to load when using osapi_volume_extension option with cinder.api.contrib.select_extensions
`osapi_volume_extension = [u'cinder.api.contrib.standard_extensions']`	multi valued	osapi volume extension to load
`osapi_volume_listen = 0.0.0.0`	string value	IP address on which OpenStack Volume API listens
`osapi_volume_listen_port = 8776`	port value	Port on which OpenStack Volume API listens
`osapi_volume_use_ssl = False`	boolean value	Wraps the socket in a SSL context if True is set. A certificate file and key file must be specified.
`osapi_volume_workers = None`	integer value	Number of workers for OpenStack Volume API service. The default is equal to the number of CPUs available.
`per_volume_size_limit = -1`	integer value	Max size allowed per volume, in gigabytes
`periodic_fuzzy_delay = 60`	integer value	Range, in seconds, to randomly delay when starting the periodic task scheduler to reduce stampeding. (Disable by setting to 0)
`periodic_interval = 60`	integer value	Interval, in seconds, between running periodic tasks
`public_endpoint = None`	string value	Public url to use for versions endpoint. The default is None, which will use the request’s host_url attribute to populate the URL base. If Cinder is operating behind a proxy, you will want to change this to represent the proxy’s URL.
`publish_errors = False`	boolean value	Enables or disables publication of error events.
`query_volume_filters = [u'name', u'status', u'metadata', u'availability_zone', u'bootable', u'group_id']`	list value	Volume filter options which non-admin user could use to query volumes. Default values are: [name, status, metadata, availability_zone ,bootable, group_id]
`quota_backup_gigabytes = 1000`	integer value	Total amount of storage, in gigabytes, allowed for backups per project
`quota_backups = 10`	integer value	Number of volume backups allowed per project
`quota_consistencygroups = 10`	integer value	Number of consistencygroups allowed per project
`quota_driver = cinder.quota.DbQuotaDriver`	string value	Default driver to use for quota checks
`quota_gigabytes = 1000`	integer value	Total amount of storage, in gigabytes, allowed for volumes and snapshots per project
`quota_groups = 10`	integer value	Number of groups allowed per project
`quota_snapshots = 10`	integer value	Number of volume snapshots allowed per project
`quota_volumes = 10`	integer value	Number of volumes allowed per project
`rate_limit_burst = 0`	integer value	Maximum number of logged messages per rate_limit_interval.
`rate_limit_except_level = CRITICAL`	string value	Log level name used by rate limiting: CRITICAL, ERROR, INFO, WARNING, DEBUG or empty string. Logs with level greater or equal to rate_limit_except_level are not filtered. An empty string means that all levels are filtered.
`rate_limit_interval = 0`	integer value	Interval, number of seconds, of log rate limiting.
`replication_device = None`	dict value	Multi opt of dictionaries to represent a replication target device. This option may be specified multiple times in a single config section to specify multiple replication target devices. Each entry takes the standard dict config form: replication_device = target_device_id:<required>,key1:value1,key2:value2…
`report_discard_supported = False`	boolean value	Report to clients of Cinder that the backend supports discard (aka. trim/unmap). This will not actually change the behavior of the backend or the client directly, it will only notify that it can be used.
`report_interval = 10`	integer value	Interval, in seconds, between nodes reporting state to datastore
`reservation_clean_interval = $reservation_expire`	integer value	Interval between periodic task runs to clean expired reservations in seconds.
`reservation_expire = 86400`	integer value	Number of seconds until a reservation expires
`reserved_percentage = 0`	integer value	The percentage of backend capacity is reserved
`resource_query_filters_file = /etc/cinder/resource_filters.json`	string value	Json file indicating user visible filter parameters for list queries.
`restore_discard_excess_bytes = True`	boolean value	If True, always discard excess bytes when restoring volumes i.e. pad with zeroes.
`rootwrap_config = /etc/cinder/rootwrap.conf`	string value	Path to the rootwrap configuration file to use for running commands as root
`rpc_ack_timeout_base = 15`	integer value	Number of seconds to wait for an ack from a cast/call. After each retry attempt this timeout is multiplied by some specified multiplier.
`rpc_ack_timeout_multiplier = 2`	integer value	Number to multiply base ack timeout by after each retry attempt.
`rpc_backend = rabbit`	string value	The messaging driver to use, defaults to rabbit. Other drivers include amqp and zmq.
`rpc_conn_pool_size = 30`	integer value	Size of RPC connection pool.
`rpc_message_ttl = 300`	integer value	Expiration timeout in seconds of a sent/received message after which it is not tracked anymore by a client/server.
`rpc_poll_timeout = 1`	integer value	The default number of seconds that poll should wait. Poll raises timeout exception when timeout expired.
`rpc_response_timeout = 60`	integer value	Seconds to wait for a response from a call.
`rpc_retry_attempts = 3`	integer value	Default number of message sending attempts in case of any problems occurred: positive value N means at most N retries, 0 means no retries, None or -1 (or any other negative values) mean to retry forever. This option is used only if acknowledgments are enabled.
`rpc_thread_pool_size = 100`	integer value	Maximum number of (green) threads to work concurrently.
`rpc_use_acks = False`	boolean value	Wait for message acknowledgements from receivers. This mechanism works only via proxy without PUB/SUB.
`rpc_zmq_bind_address = *`	string value	ZeroMQ bind address. Should be a wildcard (*), an ethernet interface, or IP. The "host" option should point or resolve to this address.
`rpc_zmq_bind_port_retries = 100`	integer value	Number of retries to find free port number before fail with ZMQBindError.
`rpc_zmq_contexts = 1`	integer value	Number of ZeroMQ contexts, defaults to 1.
`rpc_zmq_host = ccsosp-undercloud.usersys.redhat.com`	string value	Name of this node. Must be a valid hostname, FQDN, or IP address. Must match "host" option, if running Nova.
`rpc_zmq_ipc_dir = /var/run/openstack`	string value	Directory for holding IPC sockets.
`rpc_zmq_matchmaker = redis`	string value	MatchMaker driver.
`rpc_zmq_max_port = 65536`	integer value	Maximal port number for random ports range.
`rpc_zmq_min_port = 49153`	port value	Minimal port number for random ports range.
`rpc_zmq_serialization = json`	string value	Default serialization mechanism for serializing/deserializing outgoing/incoming messages
`rpc_zmq_topic_backlog = None`	integer value	Maximum number of ingress messages to locally buffer per topic. Default is unlimited.
`run_external_periodic_tasks = True`	boolean value	Some periodic tasks can be run in a separate process. Should we run them here?
`scheduler_default_filters = [u'AvailabilityZoneFilter', u'CapacityFilter', u'CapabilitiesFilter']`	list value	Which filter class names to use for filtering hosts when not specified in the request.
`scheduler_default_weighers = [u'CapacityWeigher']`	list value	Which weigher class names to use for weighing hosts.
`scheduler_driver = cinder.scheduler.filter_scheduler.FilterScheduler`	string value	Default scheduler driver to use
`scheduler_host_manager = cinder.scheduler.host_manager.HostManager`	string value	The scheduler host manager class to use
`scheduler_json_config_location = `	string value	Absolute path to scheduler configuration JSON file.
`scheduler_manager = cinder.scheduler.manager.SchedulerManager`	string value	Full class name for the Manager for scheduler
`scheduler_max_attempts = 3`	integer value	Maximum number of attempts to schedule a volume
`scheduler_weight_handler = cinder.scheduler.weights.OrderedHostWeightHandler`	string value	Which handler to use for selecting the host/pool after weighing
`scst_target_driver = iscsi`	string value	SCST target implementation can choose from multiple SCST target drivers.
`scst_target_iqn_name = None`	string value	Certain ISCSI targets have predefined target names, SCST target driver uses this name.
`service_down_time = 60`	integer value	Maximum time since last check-in for a service to be considered up
`snapshot_name_template = snapshot-%s`	string value	Template string to be used to generate snapshot names
`snapshot_same_host = True`	boolean value	Create volume from snapshot at the host where snapshot resides
`ssh_hosts_key_file = $state_path/ssh_known_hosts`	string value	File containing SSH host keys for the systems with which Cinder needs to communicate. OPTIONAL: Default=$state_path/ssh_known_hosts
`state_path = /var/lib/cinder`	string value	Top-level directory for maintaining cinder’s state
`storage_availability_zone = nova`	string value	Availability zone of this node. Can be overridden per volume backend with the option "backend_availability_zone".
`storage_protocol = iscsi`	string value	Protocol for transferring data between host and storage back-end.
`storpool_replication = 3`	integer value	The default StorPool chain replication value. Used when creating a volume with no specified type if storpool_template is not set. Also used for calculating the apparent free space reported in the stats.
`storpool_template = None`	string value	The StorPool template for volumes with no type.
`strict_ssh_host_key_policy = False`	boolean value	Option to enable strict host key checking. When set to "True" Cinder will only connect to systems with a host key present in the configured "ssh_hosts_key_file". When set to "False" the host key will be saved upon first connection and used for subsequent connections. Default=False
`subscribe_on = []`	list value	List of publisher hosts SubConsumer can subscribe on. This option has higher priority then the default publishers list taken from the matchmaker.
`swift_catalog_info = object-store:swift:publicURL`	string value	Info to match when looking for swift in the service catalog. Format is: separated values of the form: <service_type>:<service_name>:<endpoint_type> - Only used if backup_swift_url is unset
`syslog-log-facility = LOG_USER`	string value	Syslog facility to receive log lines. This option is ignored if log_config_append is set.
`target_helper = tgtadm`	string value	iSCSI target user-land tool to use. tgtadm is default, use lioadm for LIO iSCSI support, scstadmin for SCST target support, ietadm for iSCSI Enterprise Target, iscsictl for Chelsio iSCSI Target or fake for testing.
`target_ip_address = $my_ip`	string value	The IP address that the iSCSI daemon is listening on
`target_port = 3260`	port value	The port that the iSCSI daemon is listening on
`target_prefix = iqn.2010-10.org.openstack:`	string value	Prefix for iSCSI volumes
`target_protocol = iscsi`	string value	Determines the iSCSI protocol for new iSCSI volumes, created with tgtadm or lioadm target helpers. In order to enable RDMA, this parameter should be set with the value "iser". The supported iSCSI protocol values are "iscsi" and "iser".
`tcp_keepalive = True`	boolean value	Sets the value of TCP_KEEPALIVE (True/False) for each server socket.
`tcp_keepalive_count = None`	integer value	Sets the value of TCP_KEEPCNT for each server socket. Not supported on OS X.
`tcp_keepalive_interval = None`	integer value	Sets the value of TCP_KEEPINTVL in seconds for each server socket. Not supported on OS X.
`tcp_keepidle = 600`	integer value	Sets the value of TCP_KEEPIDLE in seconds for each server socket. Not supported on OS X.
`trace_flags = None`	list value	List of options that control which trace info is written to the DEBUG log level to assist developers. Valid values are method and api.
`transfer_api_class = cinder.transfer.api.API`	string value	The full class name of the volume transfer API class
`transport_url = None`	string value	The network address and optional user credentials for connecting to the messaging backend, in URL format. The expected format is: driver://[user:pass@]host:port[,[userN:passN@]hostN:portN]/virtual_host?query Example: rabbit://rabbitmq:password@127.0.0.1:5672// For full details on the fields in the URL see the documentation of oslo_messaging.TransportURL at https://docs.openstack.org/oslo.messaging/latest/reference/transport.html
`until_refresh = 0`	integer value	Count of reservations until usage is refreshed
`use-journal = False`	boolean value	Enable journald for logging. If running in a systemd environment you may wish to enable journal support. Doing so will use the journal native protocol which includes structured metadata in addition to log messages.This option is ignored if log_config_append is set.
`use-json = False`	boolean value	Use JSON formatting for logging. This option is ignored if log_config_append is set.
`use-syslog = False`	boolean value	Use syslog for logging. Existing syslog format is DEPRECATED and will be changed later to honor RFC5424. This option is ignored if log_config_append is set.
`use_chap_auth = False`	boolean value	Option to enable/disable CHAP authentication for targets.
`use_default_quota_class = True`	boolean value	Enables or disables use of default quota class with default quota.
`use_dynamic_connections = False`	boolean value	This option makes direct connections dynamic or static. It makes sense only with use_router_proxy=False which means to use direct connections for direct message types (ignored otherwise).
`use_forwarded_for = False`	boolean value	Treat X-Forwarded-For as the canonical remote address. Only enable this if you have a sanitizing proxy.
`use_multipath_for_image_xfer = False`	boolean value	Do we attach/detach volumes in cinder using multipath for volume to image and image to volume transfers?
`use_pub_sub = False`	boolean value	Use PUB/SUB pattern for fanout methods. PUB/SUB always uses proxy.
`use_router_proxy = False`	boolean value	Use ROUTER remote proxy.
`use_stderr = False`	boolean value	Log output to standard error. This option is ignored if log_config_append is set.
`volume_api_class = cinder.volume.api.API`	string value	The full class name of the volume API class to use
`volume_backend_name = None`	string value	The backend name for a given driver implementation
`volume_clear = zero`	string value	Method used to wipe old volumes
`volume_clear_ionice = None`	string value	The flag to pass to ionice to alter the i/o priority of the process used to zero a volume after deletion, for example "-c3" for idle only priority.
`volume_clear_size = 0`	integer value	Size in MiB to wipe at start of old volumes. 1024 MiBat max. 0 ⇒ all
`volume_copy_blkio_cgroup_name = cinder-volume-copy`	string value	The blkio cgroup name to be used to limit bandwidth of volume copy
`volume_copy_bps_limit = 0`	integer value	The upper limit of bandwidth of volume copy. 0 ⇒ unlimited
`volume_dd_blocksize = 1M`	string value	The default block size used when copying/clearing volumes
`volume_manager = cinder.volume.manager.VolumeManager`	string value	Full class name for the Manager for volume
`volume_name_template = volume-%s`	string value	Template string to be used to generate volume names
`volume_number_multiplier = -1.0`	floating point value	Multiplier used for weighing volume number. Negative numbers mean to spread vs stack.
`volume_service_inithost_offload = False`	boolean value	Offload pending volume delete during volume service startup
`volume_transfer_key_length = 16`	integer value	The number of characters in the autogenerated auth key.
`volume_transfer_salt_length = 8`	integer value	The number of characters in the salt.
`volume_usage_audit_period = month`	string value	Time period for which to generate volume usages. The options are hour, day, month, or year.
`volumes_dir = $state_path/volumes`	string value	Volume configuration file storage directory
`watch-log-file = False`	boolean value	Uses logging handler designed to watch file system. When log file is moved or removed this handler will open a new log file with specified path instantaneously. It makes sense only if log_file option is specified and Linux platform is used. This option is ignored if log_config_append is set.
`wsgi_default_pool_size = 100`	integer value	Size of the pool of greenthreads used by wsgi
`wsgi_keep_alive = True`	boolean value	If False, closes the client socket connection explicitly.
`wsgi_log_format = %(client_ip)s "%(request_line)s" status: %(status_code)s len: %(body_length)s time: %(wall_seconds).7f`	string value	A python format string that is used as the template to generate log lines. The following values can beformatted into it: client_ip, date_time, request_line, status_code, body_length, wall_seconds.
`zmq_failover_connections = 2`	integer value	How many additional connections to a host will be made for failover reasons. This option is actual only in dynamic connections mode.
`zmq_immediate = True`	boolean value	This option configures round-robin mode in zmq socket. True means not keeping a queue when server side disconnects. False means to keep queue and messages even if server is disconnected, when the server appears we send all accumulated messages to it.
`zmq_linger = -1`	integer value	Number of seconds to wait before all pending messages will be sent after closing a socket. The default value of -1 specifies an infinite linger period. The value of 0 specifies no linger period. Pending messages shall be discarded immediately when the socket is closed. Positive values specify an upper bound for the linger period.
`zmq_target_expire = 300`	integer value	Expiration timeout in seconds of a name service record about existing target ( < 0 means no timeout).
`zmq_target_update = 180`	integer value	Update period in seconds of a name service record about existing target.
`zmq_tcp_keepalive = -1`	integer value	Enable/disable TCP keepalive (KA) mechanism. The default value of -1 (or any other negative value) means to skip any overrides and leave it to OS default; 0 and 1 (or any other positive value) mean to disable and enable the option respectively.
`zmq_tcp_keepalive_cnt = -1`	integer value	The number of retransmissions to be carried out before declaring that remote end is not available. The default value of -1 (or any other negative value and 0) means to skip any overrides and leave it to OS default.
`zmq_tcp_keepalive_idle = -1`	integer value	The duration between two keepalive transmissions in idle condition. The unit is platform dependent, for example, seconds in Linux, milliseconds in Windows etc. The default value of -1 (or any other negative value and 0) means to skip any overrides and leave it to OS default.
`zmq_tcp_keepalive_intvl = -1`	integer value	The duration between two successive keepalive retransmissions, if acknowledgement to the previous keepalive transmission is not received. The unit is platform dependent, for example, seconds in Linux, milliseconds in Windows etc. The default value of -1 (or any other negative value and 0) means to skip any overrides and leave it to OS default.
`zoning_mode = None`	string value	FC Zoning mode configured, only fabric is supported now.

3.1.2. backend

The following table outlines the options available under the [backend] group in the /etc/cinder/cinder.conf file.

Table 3.2. backend
Configuration option = Default value	Type	Description
`backend_host = None`	string value	Backend override of host value.

3.1.3. backend_defaults

The following table outlines the options available under the [backend_defaults] group in the /etc/cinder/cinder.conf file.

Table 3.3. backend_defaults
Configuration option = Default value	Type	Description
`auto_calc_max_oversubscription_ratio = False`	boolean value	K2 driver will calculate max_oversubscription_ratio on setting this option as True.
`backend_availability_zone = None`	string value	Availability zone for this volume backend. If not set, the storage_availability_zone option value is used as the default for all backends.
`backend_native_threads_pool_size = 20`	integer value	Size of the native threads pool for the backend. Increase for backends that heavily rely on this, like the RBD driver.
`backup_use_temp_snapshot = False`	boolean value	If this is set to True, a temporary snapshot will be created for performing non-disruptive backups. Otherwise a temporary volume will be cloned in order to perform a backup.
`chap = disabled`	string value	CHAP authentication mode, effective only for iscsi (disabled\|enabled)
`chap_password = `	string value	Password for specified CHAP account name.
`chap_username = `	string value	CHAP user name.
`check_max_pool_luns_threshold = False`	boolean value	Report free_capacity_gb as 0 when the limit to maximum number of pool LUNs is reached. By default, the value is False.
`chiscsi_conf = /etc/chelsio-iscsi/chiscsi.conf`	string value	Chiscsi (CXT) global defaults configuration file
`cinder_dell_emc_config_file = /etc/cinder/cinder_dell_emc_config.xml`	string value	Use this file for cinder emc plugin config data.
`cinder_eternus_config_file = /etc/cinder/cinder_fujitsu_eternus_dx.xml`	string value	config file for cinder eternus_dx volume driver
`cinder_huawei_conf_file = /etc/cinder/cinder_huawei_conf.xml`	string value	The configuration file for the Cinder Huawei driver.
`clone_volume_timeout = 680`	integer value	Create clone volume timeout.
`connection_type = iscsi`	string value	Connection type to the IBM Storage Array
`coprhd_emulate_snapshot = False`	boolean value	True \| False to indicate if the storage array in CoprHD is VMAX or VPLEX
`coprhd_hostname = None`	string value	Hostname for the CoprHD Instance
`coprhd_password = None`	string value	Password for accessing the CoprHD Instance
`coprhd_port = 4443`	port value	Port for the CoprHD Instance
`coprhd_project = None`	string value	Project to utilize within the CoprHD Instance
`coprhd_scaleio_rest_gateway_host = None`	string value	Rest Gateway IP or FQDN for Scaleio
`coprhd_scaleio_rest_gateway_port = 4984`	port value	Rest Gateway Port for Scaleio
`coprhd_scaleio_rest_server_password = None`	string value	Rest Gateway Password
`coprhd_scaleio_rest_server_username = None`	string value	Username for Rest Gateway
`coprhd_tenant = None`	string value	Tenant to utilize within the CoprHD Instance
`coprhd_username = None`	string value	Username for accessing the CoprHD Instance
`coprhd_varray = None`	string value	Virtual Array to utilize within the CoprHD Instance
`cycle_period_seconds = 300`	integer value	This defines an optional cycle period that applies to Global Mirror relationships with a cycling mode of multi. A Global Mirror relationship using the multi cycling_mode performs a complete cycle at most once each period. The default is 300 seconds, and the valid seconds are 60-86400.
`datera_503_interval = 5`	integer value	Interval between 503 retries
`datera_503_timeout = 120`	integer value	Timeout for HTTP 503 retry messages
`datera_api_port = 7717`	string value	Datera API port.
`datera_api_version = 2`	string value	Datera API version.
`datera_debug = False`	boolean value	True to set function arg and return logging
`datera_debug_replica_count_override = False`	boolean value	ONLY FOR DEBUG/TESTING PURPOSES True to set replica_count to 1
`datera_disable_profiler = False`	boolean value	Set to True to disable profiling in the Datera driver
`datera_tenant_id = None`	string value	If set to Map -→ OpenStack project ID will be mapped implicitly to Datera tenant ID If set to None -→ Datera tenant ID will not be used during volume provisioning If set to anything else -→ Datera tenant ID will be the provided value
`default_timeout = 31536000`	integer value	Default timeout for CLI operations in minutes. For example, LUN migration is a typical long running operation, which depends on the LUN size and the load of the array. An upper bound in the specific deployment can be set to avoid unnecessary long wait. By default, it is 365 days long.
`dell_sc_api_port = 3033`	port value	Dell API port
`dell_sc_server_folder = openstack`	string value	Name of the server folder to use on the Storage Center
`dell_sc_ssn = 64702`	integer value	Storage Center System Serial Number
`dell_sc_verify_cert = False`	boolean value	Enable HTTPS SC certificate verification
`dell_sc_volume_folder = openstack`	string value	Name of the volume folder to use on the Storage Center
`dell_server_os = Red Hat Linux 6.x`	string value	Server OS type to use when creating a new server on the Storage Center.
`destroy_empty_storage_group = False`	boolean value	To destroy storage group when the last LUN is removed from it. By default, the value is False.
`disable_discovery = False`	boolean value	Disabling iSCSI discovery (sendtargets) for multipath connections on K2 driver.
`disco_choice_client = None`	string value	Use soap client or rest client for communicating with DISCO. Possible values are "soap" or "rest".
`disco_client = 127.0.0.1`	IP address value	The IP of DMS client socket server
`disco_client_port = 9898`	port value	The port to connect DMS client socket server
`disco_clone_check_timeout = 3600`	integer value	How long we check whether a clone is finished before we give up
`disco_rest_ip = None`	IP address value	The IP address of the REST server
`disco_restore_check_timeout = 3600`	integer value	How long we check whether a restore is finished before we give up
`disco_retry_interval = 1`	integer value	How long we wait before retrying to get an item detail
`disco_snapshot_check_timeout = 3600`	integer value	How long we check whether a snapshot is finished before we give up
`disco_src_api_port = 8080`	port value	The port of DISCO source API
`disco_volume_name_prefix = openstack-`	string value	Prefix before volume name to differentiate DISCO volume created through openstack and the other ones
`disco_wsdl_path = /etc/cinder/DISCOService.wsdl`	string value	Path to the wsdl file to communicate with DISCO request manager
`dpl_pool = `	string value	DPL pool uuid in which DPL volumes are stored.
`dpl_port = 8357`	port value	DPL port number.
`drbdmanage_devs_on_controller = True`	boolean value	If set, the c-vol node will receive a useable /dev/drbdX device, even if the actual data is stored on other nodes only. This is useful for debugging, maintenance, and to be able to do the iSCSI export from the c-vol node.
`drbdmanage_disk_options = {"c-min-rate": "4M"}`	string value	Disk options to set on new resources. See http://www.drbd.org/en/doc/users-guide-90/re-drbdconf for all the details.
`drbdmanage_net_options = {"connect-int": "4", "allow-two-primaries": "yes", "ko-count": "30", "max-buffers": "20000", "ping-timeout": "100"}`	string value	Net options to set on new resources. See http://www.drbd.org/en/doc/users-guide-90/re-drbdconf for all the details.
`drbdmanage_redundancy = 1`	integer value	Number of nodes that should replicate the data.
`drbdmanage_resize_plugin = drbdmanage.plugins.plugins.wait_for.WaitForVolumeSize`	string value	Volume resize completion wait plugin.
`drbdmanage_resize_policy = {"timeout": "60"}`	string value	Volume resize completion wait policy.
`drbdmanage_resource_options = {"auto-promote-timeout": "300"}`	string value	Resource options to set on new resources. See http://www.drbd.org/en/doc/users-guide-90/re-drbdconf for all the details.
`drbdmanage_resource_plugin = drbdmanage.plugins.plugins.wait_for.WaitForResource`	string value	Resource deployment completion wait plugin.
`drbdmanage_resource_policy = {"ratio": "0.51", "timeout": "60"}`	string value	Resource deployment completion wait policy.
`drbdmanage_snapshot_plugin = drbdmanage.plugins.plugins.wait_for.WaitForSnapshot`	string value	Snapshot completion wait plugin.
`drbdmanage_snapshot_policy = {"count": "1", "timeout": "60"}`	string value	Snapshot completion wait policy.
`driver_client_cert = None`	string value	The path to the client certificate for verification, if the driver supports it.
`driver_client_cert_key = None`	string value	The path to the client certificate key for verification, if the driver supports it.
`driver_data_namespace = None`	string value	Namespace for driver private data values to be saved in.
`driver_ssl_cert_path = None`	string value	Can be used to specify a non default path to a CA_BUNDLE file or directory with certificates of trusted CAs, which will be used to validate the backend
`driver_ssl_cert_verify = False`	boolean value	If set to True the http client will validate the SSL certificate of the backend endpoint.
`driver_use_ssl = False`	boolean value	Tell driver to use SSL for connection to backend storage if the driver supports it.
`ds8k_devadd_unitadd_mapping = `	string value	Mapping between IODevice address and unit address.
`ds8k_host_type = auto`	string value	Set to zLinux if your OpenStack version is prior to Liberty and you’re connecting to zLinux systems. Otherwise set to auto. Valid values for this parameter are: auto, AMDLinuxRHEL, AMDLinuxSuse, AppleOSX, Fujitsu, Hp, HpTru64, HpVms, LinuxDT, LinuxRF, LinuxRHEL, LinuxSuse, Novell, SGI, SVC, SanFsAIX, SanFsLinux, Sun, VMWare, Win2000, Win2003, Win2008, Win2012, iLinux, nSeries, pLinux, pSeries, pSeriesPowerswap, zLinux, iSeries.
`ds8k_ssid_prefix = FF`	string value	Set the first two digits of SSID.
`dsware_isthin = False`	boolean value	The flag of thin storage allocation.
`dsware_manager = `	string value	Fusionstorage manager ip addr for cinder-volume.
`enable_unsupported_driver = False`	boolean value	Set this to True when you want to allow an unsupported driver to start. Drivers that haven’t maintained a working CI system and testing are marked as unsupported until CI is working again. This also marks a driver as deprecated and may be removed in the next release.
`enforce_multipath_for_image_xfer = False`	boolean value	If this is set to True, attachment of volumes for image transfer will be aborted when multipathd is not running. Otherwise, it will fallback to single path.
`eqlx_cli_max_retries = 5`	integer value	Maximum retry count for reconnection. Default is 5.
`eqlx_group_name = group-0`	string value	Group name to use for creating volumes. Defaults to "group-0".
`eqlx_pool = default`	string value	Pool in which volumes will be created. Defaults to "default".
`excluded_domain_ip = None`	IP address value	Domain IP to be excluded from iSCSI returns.
`expiry_thres_minutes = 720`	integer value	This option specifies the threshold for last access time for images in the NFS image cache. When a cache cleaning cycle begins, images in the cache that have not been accessed in the last M minutes, where M is the value of this parameter, will be deleted from the cache to create free space on the NFS share.
`extra_capabilities = {}`	string value	User defined capabilities, a JSON formatted string specifying key/value pairs. The key/value pairs can be used by the CapabilitiesFilter to select between backends when requests specify volume types. For example, specifying a service level or the geographical location of a backend, then creating a volume type to allow the user to select by these different properties.
`filter_function = None`	string value	String representation for an equation that will be used to filter hosts. Only used when the driver filter is set to be used by the Cinder scheduler.
`flashsystem_connection_protocol = FC`	string value	Connection protocol should be FC. (Default is FC.)
`flashsystem_iscsi_portid = 0`	integer value	Default iSCSI Port ID of FlashSystem. (Default port is 0.)
`flashsystem_multihostmap_enabled = True`	boolean value	Allows vdisk to multi host mapping. (Default is True)
`flashsystem_multipath_enabled = False`	boolean value	This option no longer has any affect. It is deprecated and will be removed in the next release.
`force_delete_lun_in_storagegroup = False`	boolean value	Delete a LUN even if it is in Storage Groups. By default, the value is False.
`fusionstorageagent = `	string value	Fusionstorage agent ip addr range.
`goodness_function = None`	string value	String representation for an equation that will be used to determine the goodness of a host. Only used when using the goodness weigher is set to be used by the Cinder scheduler.
`gpfs_hosts = []`	list value	Comma-separated list of IP address or hostnames of GPFS nodes.
`gpfs_hosts_key_file = $state_path/ssh_known_hosts`	string value	File containing SSH host keys for the gpfs nodes with which driver needs to communicate. Default=$state_path/ssh_known_hosts
`gpfs_images_dir = None`	string value	Specifies the path of the Image service repository in GPFS. Leave undefined if not storing images in GPFS.
`gpfs_images_share_mode = None`	string value	Specifies the type of image copy to be used. Set this when the Image service repository also uses GPFS so that image files can be transferred efficiently from the Image service to the Block Storage service. There are two valid values: "copy" specifies that a full copy of the image is made; "copy_on_write" specifies that copy-on-write optimization strategy is used and unmodified blocks of the image file are shared efficiently.
`gpfs_max_clone_depth = 0`	integer value	Specifies an upper limit on the number of indirections required to reach a specific block due to snapshots or clones. A lengthy chain of copy-on-write snapshots or clones can have a negative impact on performance, but improves space utilization. 0 indicates unlimited clone depth.
`gpfs_mount_point_base = None`	string value	Specifies the path of the GPFS directory where Block Storage volume and snapshot files are stored.
`gpfs_private_key = `	string value	Filename of private key to use for SSH authentication.
`gpfs_sparse_volumes = True`	boolean value	Specifies that volumes are created as sparse files which initially consume no space. If set to False, the volume is created as a fully allocated file, in which case, creation may take a significantly longer time.
`gpfs_ssh_port = 22`	port value	SSH port to use.
`gpfs_storage_pool = system`	string value	Specifies the storage pool that volumes are assigned to. By default, the system storage pool is used.
`gpfs_strict_host_key_policy = False`	boolean value	Option to enable strict gpfs host key checking while connecting to gpfs nodes. Default=False
`gpfs_user_login = root`	string value	Username for GPFS nodes.
`gpfs_user_password = `	string value	Password for GPFS node user.
`hgst_net = Net 1 (IPv4)`	string value	Space network name to use for data transfer
`hgst_redundancy = 0`	string value	Should spaces be redundantly stored (1/0)
`hgst_space_group = disk`	string value	Group to own created spaces
`hgst_space_mode = 0600`	string value	UNIX mode for created spaces
`hgst_space_user = root`	string value	User to own created spaces
`hgst_storage_servers = os:gbd0`	string value	Comma separated list of Space storage servers:devices. ex: os1_stor:gbd0,os2_stor:gbd0
`hpe3par_api_url = `	string value	3PAR WSAPI Server Url like https://<3par ip>:8080/api/v1
`hpe3par_cpg = [u'OpenStack']`	list value	List of the CPG(s) to use for volume creation
`hpe3par_cpg_snap = `	string value	The CPG to use for Snapshots for volumes. If empty the userCPG will be used.
`hpe3par_debug = False`	boolean value	Enable HTTP debugging to 3PAR
`hpe3par_iscsi_chap_enabled = False`	boolean value	Enable CHAP authentication for iSCSI connections.
`hpe3par_iscsi_ips = []`	list value	List of target iSCSI addresses to use.
`hpe3par_password = `	string value	3PAR password for the user specified in hpe3par_username
`hpe3par_snapshot_expiration = `	string value	The time in hours when a snapshot expires and is deleted. This must be larger than expiration
`hpe3par_snapshot_retention = `	string value	The time in hours to retain a snapshot. You can’t delete it before this expires.
`hpe3par_username = `	string value	3PAR username with the edit role
`hpelefthand_api_url = None`	uri value	HPE LeftHand WSAPI Server Url like https://<LeftHand ip>:8081/lhos
`hpelefthand_clustername = None`	string value	HPE LeftHand cluster name
`hpelefthand_debug = False`	boolean value	Enable HTTP debugging to LeftHand
`hpelefthand_iscsi_chap_enabled = False`	boolean value	Configure CHAP authentication for iSCSI connections (Default: Disabled)
`hpelefthand_password = None`	string value	HPE LeftHand Super user password
`hpelefthand_ssh_port = 16022`	port value	Port number of SSH service.
`hpelefthand_username = None`	string value	HPE LeftHand Super user username
`hpmsa_api_protocol = https`	string value	HPMSA API interface protocol.
`hpmsa_backend_name = A`	string value	Pool or Vdisk name to use for volume creation.
`hpmsa_backend_type = virtual`	string value	linear (for Vdisk) or virtual (for Pool).
`hpmsa_iscsi_ips = []`	list value	List of comma-separated target iSCSI IP addresses.
`hpmsa_verify_certificate = False`	boolean value	Whether to verify HPMSA array SSL certificate.
`hpmsa_verify_certificate_path = None`	string value	HPMSA array SSL certificate path.
`hypermetro_devices = None`	string value	The remote device hypermetro will use.
`iet_conf = /etc/iet/ietd.conf`	string value	IET configuration file
`ignore_pool_full_threshold = False`	boolean value	Force LUN creation even if the full threshold of pool is reached. By default, the value is False.
`image_upload_use_cinder_backend = False`	boolean value	If set to True, upload-to-image in raw format will create a cloned volume and register its location to the image service, instead of uploading the volume content. The cinder backend and locations support must be enabled in the image service.
`image_upload_use_internal_tenant = False`	boolean value	If set to True, the image volume created by upload-to-image will be placed in the internal tenant. Otherwise, the image volume is created in the current context’s tenant.
`image_volume_cache_enabled = False`	boolean value	Enable the image volume cache for this backend.
`image_volume_cache_max_count = 0`	integer value	Max number of entries allowed in the image volume cache. 0 ⇒ unlimited.
`image_volume_cache_max_size_gb = 0`	integer value	Max size of the image volume cache for this backend in GB. 0 ⇒ unlimited.
`infinidat_iscsi_netspaces = []`	list value	List of names of network spaces to use for iSCSI connectivity
`infinidat_pool_name = None`	string value	Name of the pool from which volumes are allocated
`infinidat_storage_protocol = fc`	string value	Protocol for transferring data between host and storage back-end.
`infinidat_use_compression = False`	boolean value	Specifies whether to turn on compression for newly created volumes.
`initiator_auto_deregistration = False`	boolean value	Automatically deregister initiators after the related storage group is destroyed. By default, the value is False.
`initiator_auto_registration = False`	boolean value	Automatically register initiators. By default, the value is False.
`initiator_check = False`	boolean value	Use this value to enable the initiator_check.
`interval = 3`	integer value	Use this value to specify length of the interval in seconds.
`io_port_list = None`	list value	Comma separated iSCSI or FC ports to be used in Nova or Cinder.
`iscsi_initiators = None`	string value	Mapping between hostname and its iSCSI initiator IP addresses.
`iscsi_iotype = fileio`	string value	Sets the behavior of the iSCSI target to either perform blockio or fileio optionally, auto can be set and Cinder will autodetect type of backing device
`iscsi_secondary_ip_addresses = []`	list value	The list of secondary IP addresses of the iSCSI daemon
`iscsi_target_flags = `	string value	Sets the target-specific flags for the iSCSI target. Only used for tgtadm to specify backing device flags using bsoflags option. The specified string is passed as is to the underlying tool.
`iscsi_write_cache = on`	string value	Sets the behavior of the iSCSI target to either perform write-back(on) or write-through(off). This parameter is valid if target_helper is set to tgtadm.
`iser_helper = tgtadm`	string value	The name of the iSER target user-land tool to use
`iser_ip_address = $my_ip`	string value	The IP address that the iSER daemon is listening on
`iser_port = 3260`	port value	The port that the iSER daemon is listening on
`iser_target_prefix = iqn.2010-10.org.openstack:`	string value	Prefix for iSER volumes
`lenovo_api_protocol = https`	string value	Lenovo api interface protocol.
`lenovo_backend_name = A`	string value	Pool or Vdisk name to use for volume creation.
`lenovo_backend_type = virtual`	string value	linear (for VDisk) or virtual (for Pool).
`lenovo_iscsi_ips = []`	list value	List of comma-separated target iSCSI IP addresses.
`lenovo_verify_certificate = False`	boolean value	Whether to verify Lenovo array SSL certificate.
`lenovo_verify_certificate_path = None`	string value	Lenovo array SSL certificate path.
`lss_range_for_cg = `	string value	Reserve LSSs for consistency group.
`lvm_conf_file = /etc/cinder/lvm.conf`	string value	LVM conf file to use for the LVM driver in Cinder; this setting is ignored if the specified file does not exist (You can also specify None to not use a conf file even if one exists).
`lvm_max_over_subscription_ratio = None`	floating point value	max_over_subscription_ratio setting for the LVM driver. If set to None (the default), the general max_over_subscription_ratio is used.
`lvm_mirrors = 0`	integer value	If >0, create LVs with multiple mirrors. Note that this requires lvm_mirrors + 2 PVs with available space
`lvm_suppress_fd_warnings = False`	boolean value	Suppress leaked file descriptor warnings in LVM commands.
`lvm_type = auto`	string value	Type of LVM volumes to deploy; (default, thin, or auto). Auto defaults to thin if thin is supported.
`management_ips = `	string value	List of Management IP addresses (separated by commas)
`max_luns_per_storage_group = 255`	integer value	Default max number of LUNs in a storage group. By default, the value is 255.
`max_over_subscription_ratio = 20.0`	string value	Representation of the over subscription ratio when thin provisioning is enabled. Default ratio is 20.0, meaning provisioned capacity can be 20 times of the total physical capacity. If the ratio is 10.5, it means provisioned capacity can be 10.5 times of the total physical capacity. A ratio of 1.0 means provisioned capacity cannot exceed the total physical capacity. If ratio is auto, Cinder will automatically calculate the ratio based on the provisioned capacity and the used space. If not set to auto, the ratio has to be a minimum of 1.0.
`metro_domain_name = None`	string value	The remote metro device domain name.
`metro_san_address = None`	string value	The remote metro device request url.
`metro_san_password = None`	string value	The remote metro device san password.
`metro_san_user = None`	string value	The remote metro device san user.
`metro_storage_pools = None`	string value	The remote metro device pool names.
`nas_host = `	string value	IP address or Hostname of NAS system.
`nas_login = admin`	string value	User name to connect to NAS system.
`nas_mount_options = None`	string value	Options used to mount the storage backend file system where Cinder volumes are stored.
`nas_password = `	string value	Password to connect to NAS system.
`nas_private_key = `	string value	Filename of private key to use for SSH authentication.
`nas_secure_file_operations = auto`	string value	Allow network-attached storage systems to operate in a secure environment where root level access is not permitted. If set to False, access is as the root user and insecure. If set to True, access is not as root. If set to auto, a check is done to determine if this is a new installation: True is used if so, otherwise False. Default is auto.
`nas_secure_file_permissions = auto`	string value	Set more secure file permissions on network-attached storage volume files to restrict broad other/world access. If set to False, volumes are created with open permissions. If set to True, volumes are created with permissions for the cinder user and group (660). If set to auto, a check is done to determine if this is a new installation: True is used if so, otherwise False. Default is auto.
`nas_share_path = `	string value	Path to the share to use for storing Cinder volumes. For example: "/srv/export1" for an NFS server export available at 10.0.5.10:/srv/export1 .
`nas_ssh_port = 22`	port value	SSH port to use to connect to NAS system.
`nas_volume_prov_type = thin`	string value	Provisioning type that will be used when creating volumes.
`naviseccli_path = None`	string value	Naviseccli Path.
`netapp_api_trace_pattern = (.*)`	string value	A regular expression to limit the API tracing. This option is honored only if enabling `api` tracing with the `trace_flags` option. By default, all APIs will be traced.
`netapp_controller_ips = None`	string value	This option is only utilized when the storage family is configured to eseries. This option is used to restrict provisioning to the specified controllers. Specify the value of this option to be a comma separated list of controller hostnames or IP addresses to be used for provisioning.
`netapp_copyoffload_tool_path = None`	string value	This option specifies the path of the NetApp copy offload tool binary. Ensure that the binary has execute permissions set which allow the effective user of the cinder-volume process to execute the file.
`netapp_enable_multiattach = False`	boolean value	This option specifies whether the driver should allow operations that require multiple attachments to a volume. An example would be live migration of servers that have volumes attached. When enabled, this backend is limited to 256 total volumes in order to guarantee volumes can be accessed by more than one host.
`netapp_host_type = None`	string value	This option defines the type of operating system for all initiators that can access a LUN. This information is used when mapping LUNs to individual hosts or groups of hosts.
`netapp_login = None`	string value	Administrative user account name used to access the storage system or proxy server.
`netapp_lun_ostype = None`	string value	This option defines the type of operating system that will access a LUN exported from Data ONTAP; it is assigned to the LUN at the time it is created.
`netapp_lun_space_reservation = enabled`	string value	This option determines if storage space is reserved for LUN allocation. If enabled, LUNs are thick provisioned. If space reservation is disabled, storage space is allocated on demand.
`netapp_password = None`	string value	Password for the administrative user account specified in the netapp_login option.
`netapp_pool_name_search_pattern = (.+)`	string value	This option is used to restrict provisioning to the specified pools. Specify the value of this option to be a regular expression which will be applied to the names of objects from the storage backend which represent pools in Cinder. This option is only utilized when the storage protocol is configured to use iSCSI or FC.
`netapp_replication_aggregate_map = None`	dict value	Multi opt of dictionaries to represent the aggregate mapping between source and destination back ends when using whole back end replication. For every source aggregate associated with a cinder pool (NetApp FlexVol), you would need to specify the destination aggregate on the replication target device. A replication target device is configured with the configuration option replication_device. Specify this option as many times as you have replication devices. Each entry takes the standard dict config form: netapp_replication_aggregate_map = backend_id:<name_of_replication_device_section>,src_aggr_name1:dest_aggr_name1,src_aggr_name2:dest_aggr_name2,…
`netapp_sa_password = None`	string value	Password for the NetApp E-Series storage array.
`netapp_server_hostname = None`	string value	The hostname (or IP address) for the storage system or proxy server.
`netapp_server_port = None`	integer value	The TCP port to use for communication with the storage system or proxy server. If not specified, Data ONTAP drivers will use 80 for HTTP and 443 for HTTPS; E-Series will use 8080 for HTTP and 8443 for HTTPS.
`netapp_size_multiplier = 1.2`	floating point value	The quantity to be multiplied by the requested volume size to ensure enough space is available on the virtual storage server (Vserver) to fulfill the volume creation request. Note: this option is deprecated and will be removed in favor of "reserved_percentage" in the Mitaka release.
`netapp_snapmirror_quiesce_timeout = 3600`	integer value	The maximum time in seconds to wait for existing SnapMirror transfers to complete before aborting during a failover.
`netapp_storage_family = ontap_cluster`	string value	The storage family type used on the storage system; valid values are ontap_cluster for using clustered Data ONTAP, or eseries for using E-Series.
`netapp_storage_protocol = None`	string value	The storage protocol to be used on the data path with the storage system.
`netapp_transport_type = http`	string value	The transport protocol used when communicating with the storage system or proxy server.
`netapp_vserver = None`	string value	This option specifies the virtual storage server (Vserver) name on the storage cluster on which provisioning of block storage volumes should occur.
`netapp_webservice_path = /devmgr/v2`	string value	This option is used to specify the path to the E-Series proxy application on a proxy server. The value is combined with the value of the netapp_transport_type, netapp_server_hostname, and netapp_server_port options to create the URL used by the driver to connect to the proxy application.
`nexenta_blocksize = 4096`	integer value	Block size for datasets
`nexenta_chunksize = 32768`	integer value	NexentaEdge iSCSI LUN object chunk size
`nexenta_client_address = `	string value	NexentaEdge iSCSI Gateway client address for non-VIP service
`nexenta_dataset_compression = on`	string value	Compression value for new ZFS folders.
`nexenta_dataset_dedup = off`	string value	Deduplication value for new ZFS folders.
`nexenta_dataset_description = `	string value	Human-readable description for the folder.
`nexenta_host = `	string value	IP address of Nexenta SA
`nexenta_iscsi_service = `	string value	NexentaEdge iSCSI service name
`nexenta_iscsi_target_portal_port = 3260`	integer value	Nexenta target portal port
`nexenta_lun_container = `	string value	NexentaEdge logical path of bucket for LUNs
`nexenta_mount_point_base = $state_path/mnt`	string value	Base directory that contains NFS share mount points
`nexenta_nbd_symlinks_dir = /dev/disk/by-path`	string value	NexentaEdge logical path of directory to store symbolic links to NBDs
`nexenta_nms_cache_volroot = True`	boolean value	If set True cache NexentaStor appliance volroot option value.
`nexenta_ns5_blocksize = 32`	integer value	Block size for datasets
`nexenta_password = nexenta`	string value	Password to connect to Nexenta SA
`nexenta_rest_address = `	string value	IP address of NexentaEdge management REST API endpoint
`nexenta_rest_password = nexenta`	string value	Password to connect to NexentaEdge
`nexenta_rest_port = 0`	integer value	HTTP(S) port to connect to Nexenta REST API server. If it is equal zero, 8443 for HTTPS and 8080 for HTTP is used
`nexenta_rest_protocol = auto`	string value	Use http or https for REST connection (default auto)
`nexenta_rest_user = admin`	string value	User name to connect to NexentaEdge
`nexenta_rrmgr_compression = 0`	integer value	Enable stream compression, level 1..9. 1 - gives best speed; 9 - gives best compression.
`nexenta_rrmgr_connections = 2`	integer value	Number of TCP connections.
`nexenta_rrmgr_tcp_buf_size = 4096`	integer value	TCP Buffer size in KiloBytes.
`nexenta_shares_config = /etc/cinder/nfs_shares`	string value	File with the list of available nfs shares
`nexenta_sparse = False`	boolean value	Enables or disables the creation of sparse datasets
`nexenta_sparsed_volumes = True`	boolean value	Enables or disables the creation of volumes as sparsed files that take no space. If disabled (False), volume is created as a regular file, which takes a long time.
`nexenta_target_group_prefix = cinder/`	string value	Prefix for iSCSI target groups on SA
`nexenta_target_prefix = iqn.1986-03.com.sun:02:cinder-`	string value	IQN prefix for iSCSI targets
`nexenta_use_https = True`	boolean value	Use secure HTTP for REST connection (default True)
`nexenta_user = admin`	string value	User name to connect to Nexenta SA
`nexenta_volume = cinder`	string value	SA Pool that holds all volumes
`nexenta_volume_group = iscsi`	string value	Volume group for ns5
`nfs_mount_attempts = 3`	integer value	The number of attempts to mount NFS shares before raising an error. At least one attempt will be made to mount an NFS share, regardless of the value specified.
`nfs_mount_options = None`	string value	Mount options passed to the NFS client. See section of the NFS man page for details.
`nfs_mount_point_base = $state_path/mnt`	string value	Base dir containing mount points for NFS shares.
`nfs_qcow2_volumes = False`	boolean value	Create volumes as QCOW2 files rather than raw files.
`nfs_shares_config = /etc/cinder/nfs_shares`	string value	File with the list of available NFS shares.
`nfs_snapshot_support = False`	boolean value	Enable support for snapshots on the NFS driver. Platforms using libvirt <1.2.7 will encounter issues with this feature.
`nfs_sparsed_volumes = True`	boolean value	Create volumes as sparsed files which take no space. If set to False volume is created as regular file. In such case volume creation takes a lot of time.
`nimble_pool_name = default`	string value	Nimble Controller pool name
`nimble_subnet_label = *`	string value	Nimble Subnet Label
`nimble_verify_cert_path = None`	string value	Path to Nimble Array SSL certificate
`nimble_verify_certificate = False`	boolean value	Whether to verify Nimble SSL Certificate
`num_iser_scan_tries = 3`	integer value	The maximum number of times to rescan iSER targetto find volume
`num_shell_tries = 3`	integer value	Number of times to attempt to run flakey shell commands
`num_volume_device_scan_tries = 3`	integer value	The maximum number of times to rescan targets to find volume
`pool_id_filter = []`	list value	Pool id permit to use.
`pool_type = default`	string value	Pool type, like sata-2copy.
`proxy = cinder.volume.drivers.ibm.ibm_storage.proxy.IBMStorageProxy`	string value	Proxy driver that connects to the IBM Storage Array
`pure_api_token = None`	string value	REST API authorization token.
`pure_automatic_max_oversubscription_ratio = True`	boolean value	Automatically determine an oversubscription ratio based on the current total data reduction values. If used this calculated value will override the max_over_subscription_ratio config option.
`pure_eradicate_on_delete = False`	boolean value	When enabled, all Pure volumes, snapshots, and protection groups will be eradicated at the time of deletion in Cinder. Data will NOT be recoverable after a delete with this set to True! When disabled, volumes and snapshots will go into pending eradication state and can be recovered.
`pure_replica_interval_default = 3600`	integer value	Snapshot replication interval in seconds.
`pure_replica_retention_long_term_default = 7`	integer value	Retain snapshots per day on target for this time (in days.)
`pure_replica_retention_long_term_per_day_default = 3`	integer value	Retain how many snapshots for each day.
`pure_replica_retention_short_term_default = 14400`	integer value	Retain all snapshots on target for this time (in seconds.)
`qnap_management_url = None`	uri value	The URL to management QNAP Storage
`qnap_poolname = None`	string value	The pool name in the QNAP Storage
`qnap_storage_protocol = iscsi`	string value	Communication protocol to access QNAP storage
`quobyte_client_cfg = None`	string value	Path to a Quobyte Client configuration file.
`quobyte_mount_point_base = $state_path/mnt`	string value	Base dir containing the mount point for the Quobyte volume.
`quobyte_qcow2_volumes = True`	boolean value	Create volumes as QCOW2 files rather than raw files.
`quobyte_sparsed_volumes = True`	boolean value	Create volumes as sparse files which take no space. If set to False, volume is created as regular file.
`quobyte_volume_url = None`	string value	Quobyte URL to the Quobyte volume using e.g. a DNS SRV record (preferred) or a host list (alternatively) like quobyte://<DIR host1>, <DIR host2>/<volume name>
`rados_connect_timeout = -1`	integer value	Timeout value (in seconds) used when connecting to ceph cluster. If value < 0, no timeout is set and default librados value is used.
`rados_connection_interval = 5`	integer value	Interval value (in seconds) between connection retries to ceph cluster.
`rados_connection_retries = 3`	integer value	Number of retries if connection to ceph cluster failed.
`rbd_ceph_conf = `	string value	Path to the ceph configuration file
`rbd_cluster_name = ceph`	string value	The name of ceph cluster
`rbd_exclusive_cinder_pool = True`	boolean value	Set to True if the pool is used exclusively by Cinder. On exclusive use driver won’t query images' provisioned size as they will match the value calculated by the Cinder core code for allocated_capacity_gb. This reduces the load on the Ceph cluster as well as on the volume service.
`rbd_flatten_volume_from_snapshot = False`	boolean value	Flatten volumes created from snapshots to remove dependency from volume to snapshot
`rbd_keyring_conf = `	string value	Path to the ceph keyring file
`rbd_max_clone_depth = 5`	integer value	Maximum number of nested volume clones that are taken before a flatten occurs. Set to 0 to disable cloning.
`rbd_pool = rbd`	string value	The RADOS pool where rbd volumes are stored
`rbd_secret_uuid = None`	string value	The libvirt uuid of the secret for the rbd_user volumes
`rbd_store_chunk_size = 4`	integer value	Volumes will be chunked into objects of this size (in megabytes).
`rbd_user = None`	string value	The RADOS client name for accessing rbd volumes - only set when using cephx authentication
`remove_empty_host = False`	boolean value	To remove the host from Unity when the last LUN is detached from it. By default, it is False.
`replication_connect_timeout = 5`	integer value	Timeout value (in seconds) used when connecting to ceph cluster to do a demotion/promotion of volumes. If value < 0, no timeout is set and default librados value is used.
`replication_device = None`	dict value	Multi opt of dictionaries to represent a replication target device. This option may be specified multiple times in a single config section to specify multiple replication target devices. Each entry takes the standard dict config form: replication_device = target_device_id:<required>,key1:value1,key2:value2…
`report_discard_supported = False`	boolean value	Report to clients of Cinder that the backend supports discard (aka. trim/unmap). This will not actually change the behavior of the backend or the client directly, it will only notify that it can be used.
`report_dynamic_total_capacity = True`	boolean value	Set to True for driver to report total capacity as a dynamic value -used + current free- and to False to report a static value -quota max bytes if defined and global size of cluster if not-.
`reserved_percentage = 0`	integer value	The percentage of backend capacity is reserved
`retries = 200`	integer value	Use this value to specify number of retries.
`san_api_port = None`	port value	Port to use to access the SAN API
`san_clustername = `	string value	Cluster name to use for creating volumes
`san_ip = `	string value	IP address of SAN controller
`san_is_local = False`	boolean value	Execute commands locally instead of over SSH; use if the volume service is running on the SAN device
`san_login = admin`	string value	Username for SAN controller
`san_password = `	string value	Password for SAN controller
`san_private_key = `	string value	Filename of private key to use for SSH authentication
`san_rest_port = 8443`	port value	REST server port number.
`san_ssh_port = 22`	port value	SSH port to use with SAN
`san_thin_provision = True`	boolean value	Use thin provisioning for SAN volumes?
`scaleio_server_certificate_path = None`	string value	Server certificate path
`scaleio_verify_server_certificate = False`	boolean value	verify server certificate
`scst_target_driver = iscsi`	string value	SCST target implementation can choose from multiple SCST target drivers.
`scst_target_iqn_name = None`	string value	Certain ISCSI targets have predefined target names, SCST target driver uses this name.
`secondary_san_ip = `	string value	IP address of secondary DSM controller
`secondary_san_login = Admin`	string value	Secondary DSM user name
`secondary_san_password = `	string value	Secondary DSM user password name
`secondary_sc_api_port = 3033`	port value	Secondary Dell API port
`sf_account_prefix = None`	string value	Create SolidFire accounts with this prefix. Any string can be used here, but the string "hostname" is special and will create a prefix using the cinder node hostname (previous default behavior). The default is NO prefix.
`sf_allow_template_caching = False`	boolean value	This option is deprecated and will be removed in the next OpenStack release. Please use the general cinder image-caching feature instead.
`sf_allow_tenant_qos = False`	boolean value	Allow tenants to specify QOS on create
`sf_api_port = 443`	port value	SolidFire API port. Useful if the device api is behind a proxy on a different port.
`sf_emulate_512 = True`	boolean value	Set 512 byte emulation on volume creation;
`sf_enable_vag = False`	boolean value	Utilize volume access groups on a per-tenant basis.
`sf_svip = None`	string value	Overrides default cluster SVIP with the one specified. This is required or deployments that have implemented the use of VLANs for iSCSI networks in their cloud.
`sf_template_account_name = openstack-vtemplate`	string value	Account name on the SolidFire Cluster to use as owner of template/cache volumes (created if does not exist).
`sf_volume_prefix = UUID-`	string value	Create SolidFire volumes with this prefix. Volume names are of the form <sf_volume_prefix><cinder-volume-id>. The default is to use a prefix of UUID-.
`sheepdog_store_address = 127.0.0.1`	string value	IP address of sheep daemon.
`sheepdog_store_port = 7000`	port value	Port of sheep daemon.
`sio_allow_non_padded_volumes = False`	boolean value	Allow volumes to be created in Storage Pools when zero padding is disabled. This option should not be enabled if multiple tenants will utilize volumes from a shared Storage Pool.
`sio_max_over_subscription_ratio = 10.0`	floating point value	max_over_subscription_ratio setting for the ScaleIO driver. This replaces the general max_over_subscription_ratio which has no effect in this driver.Maximum value allowed for ScaleIO is 10.0.
`sio_protection_domain_id = None`	string value	DEPRECATED: Protection Domain ID.
`sio_protection_domain_name = None`	string value	DEPRECATED: Protection Domain name.
`sio_rest_server_port = 443`	string value	REST server port.
`sio_round_volume_capacity = True`	boolean value	Round up volume capacity.
`sio_server_api_version = None`	string value	ScaleIO API version.
`sio_server_certificate_path = None`	string value	Server certificate path.
`sio_storage_pool_id = None`	string value	DEPRECATED: Storage Pool ID.
`sio_storage_pool_name = None`	string value	DEPRECATED: Storage Pool name.
`sio_storage_pools = None`	string value	Storage Pools.
`sio_unmap_volume_before_deletion = False`	boolean value	Unmap volume before deletion.
`sio_verify_server_certificate = False`	boolean value	Verify server certificate.
`smbfs_default_volume_format = vhd`	string value	Default format that will be used when creating volumes if no volume format is specified.
`smbfs_mount_point_base = C:\OpenStack\_mnt`	string value	Base dir containing mount points for smbfs shares.
`smbfs_pool_mappings = {}`	dict value	Mappings between share locations and pool names. If not specified, the share names will be used as pool names. Example: //addr/share:pool_name,//addr/share2:pool_name2
`smbfs_shares_config = C:\OpenStack\smbfs_shares.txt`	string value	File with the list of available smbfs shares.
`ssh_conn_timeout = 30`	integer value	SSH connection timeout in seconds
`ssh_max_pool_conn = 5`	integer value	Maximum ssh connections in the pool
`ssh_min_pool_conn = 1`	integer value	Minimum ssh connections in the pool
`storage_protocol = iscsi`	string value	Protocol for transferring data between host and storage back-end.
`storage_vnx_authentication_type = global`	string value	VNX authentication scope type. By default, the value is global.
`storage_vnx_pool_names = None`	list value	Comma-separated list of storage pool names to be used.
`storage_vnx_security_file_dir = None`	string value	Directory path that contains the VNX security file. Make sure the security file is generated first.
`storwize_peer_pool = None`	string value	Specifies the name of the peer pool for hyperswap volume, the peer pool must exist on the other site.
`storwize_preferred_host_site = {}`	dict value	Specifies the site information for host. One WWPN or multi WWPNs used in the host can be specified. For example: storwize_preferred_host_site=site1:wwpn1,site2:wwpn2&wwpn3 or storwize_preferred_host_site=site1:iqn1,site2:iqn2
`storwize_san_secondary_ip = None`	string value	Specifies secondary management IP or hostname to be used if san_ip is invalid or becomes inaccessible.
`storwize_svc_allow_tenant_qos = False`	boolean value	Allow tenants to specify QOS on create
`storwize_svc_flashcopy_rate = 50`	integer value	Specifies the Storwize FlashCopy copy rate to be used when creating a full volume copy. The default is rate is 50, and the valid rates are 1-100.
`storwize_svc_flashcopy_timeout = 120`	integer value	Maximum number of seconds to wait for FlashCopy to be prepared.
`storwize_svc_iscsi_chap_enabled = True`	boolean value	Configure CHAP authentication for iSCSI connections (Default: Enabled)
`storwize_svc_mirror_pool = None`	string value	Specifies the name of the pool in which mirrored copy is stored. Example: "pool2"
`storwize_svc_multihostmap_enabled = True`	boolean value	This option no longer has any affect. It is deprecated and will be removed in the next release.
`storwize_svc_multipath_enabled = False`	boolean value	Connect with multipath (FC only; iSCSI multipath is controlled by Nova)
`storwize_svc_stretched_cluster_partner = None`	string value	If operating in stretched cluster mode, specify the name of the pool in which mirrored copies are stored.Example: "pool2"
`storwize_svc_vol_autoexpand = True`	boolean value	Storage system autoexpand parameter for volumes (True/False)
`storwize_svc_vol_compression = False`	boolean value	Storage system compression option for volumes
`storwize_svc_vol_easytier = True`	boolean value	Enable Easy Tier for volumes
`storwize_svc_vol_grainsize = 256`	integer value	Storage system grain size parameter for volumes (32/64/128/256)
`storwize_svc_vol_iogrp = 0`	string value	The I/O group in which to allocate volumes. It can be a comma-separated list in which case the driver will select an io_group based on least number of volumes associated with the io_group.
`storwize_svc_vol_nofmtdisk = False`	boolean value	Specifies that the volume not be formatted during creation.
`storwize_svc_vol_rsize = 2`	integer value	Storage system space-efficiency parameter for volumes (percentage)
`storwize_svc_vol_warning = 0`	integer value	Storage system threshold for volume capacity warnings (percentage)
`storwize_svc_volpool_name = [u'volpool']`	list value	Comma separated list of storage system storage pools for volumes.
`suppress_requests_ssl_warnings = False`	boolean value	Suppress requests library SSL certificate warnings.
`synology_admin_port = 5000`	port value	Management port for Synology storage.
`synology_device_id = None`	string value	Device id for skip one time password check for logging in Synology storage if OTP is enabled.
`synology_one_time_pass = None`	string value	One time password of administrator for logging in Synology storage if OTP is enabled.
`synology_password = `	string value	Password of administrator for logging in Synology storage.
`synology_pool_name = `	string value	Volume on Synology storage to be used for creating lun.
`synology_ssl_verify = True`	boolean value	Do certificate validation or not if $driver_use_ssl is True
`synology_username = admin`	string value	Administrator of Synology storage.
`target_helper = tgtadm`	string value	iSCSI target user-land tool to use. tgtadm is default, use lioadm for LIO iSCSI support, scstadmin for SCST target support, ietadm for iSCSI Enterprise Target, iscsictl for Chelsio iSCSI Target or fake for testing.
`target_ip_address = $my_ip`	string value	The IP address that the iSCSI daemon is listening on
`target_port = 3260`	port value	The port that the iSCSI daemon is listening on
`target_prefix = iqn.2010-10.org.openstack:`	string value	Prefix for iSCSI volumes
`target_protocol = iscsi`	string value	Determines the iSCSI protocol for new iSCSI volumes, created with tgtadm or lioadm target helpers. In order to enable RDMA, this parameter should be set with the value "iser". The supported iSCSI protocol values are "iscsi" and "iser".
`thres_avl_size_perc_start = 20`	integer value	If the percentage of available space for an NFS share has dropped below the value specified by this option, the NFS image cache will be cleaned.
`thres_avl_size_perc_stop = 60`	integer value	When the percentage of available space on an NFS share has reached the percentage specified by this option, the driver will stop clearing files from the NFS image cache that have not been accessed in the last M minutes, where M is the value of the expiry_thres_minutes configuration option.
`tintri_api_version = v310`	string value	API version for the storage system
`tintri_image_cache_expiry_days = 30`	integer value	Delete unused image snapshots older than mentioned days
`tintri_image_shares_config = None`	string value	Path to image nfs shares file
`tintri_server_hostname = None`	string value	The hostname (or IP address) for the storage system
`tintri_server_password = None`	string value	Password for the storage system
`tintri_server_username = None`	string value	User name for the storage system
`trace_flags = None`	list value	List of options that control which trace info is written to the DEBUG log level to assist developers. Valid values are method and api.
`unique_fqdn_network = True`	boolean value	Whether or not our private network has unique FQDN on each initiator or not. For example networks with QA systems usually have multiple servers/VMs with the same FQDN. When true this will create host entries on K2 using the FQDN, when false it will use the reversed IQN/WWNN.
`unity_io_ports = []`	list value	A comma-separated list of iSCSI or FC ports to be used. Each port can be Unix-style glob expressions.
`unity_storage_pool_names = []`	list value	A comma-separated list of storage pool names to be used.
`use_chap_auth = False`	boolean value	Option to enable/disable CHAP authentication for targets.
`use_multipath_for_image_xfer = False`	boolean value	Do we attach/detach volumes in cinder using multipath for volume to image and image to volume transfers?
`vmax_array = None`	string value	Serial number of the array to connect to.
`vmax_port_groups = None`	list value	List of port groups containing frontend ports configured prior for server connection.
`vmax_service_level = None`	string value	Service level to use for provisioning storage.
`vmax_srp = None`	string value	Storage resource pool on array to use for provisioning.
`vmax_workload = None`	string value	Workload
`vmware_adapter_type = lsiLogic`	string value	Default adapter type to be used for attaching volumes.
`vmware_api_retry_count = 10`	integer value	Number of times VMware vCenter server API must be retried upon connection related issues.
`vmware_ca_file = None`	string value	CA bundle file to use in verifying the vCenter server certificate.
`vmware_cluster_name = None`	multi valued	Name of a vCenter compute cluster where volumes should be created.
`vmware_connection_pool_size = 10`	integer value	Maximum number of connections in http connection pool.
`vmware_host_ip = None`	string value	IP address for connecting to VMware vCenter server.
`vmware_host_password = None`	string value	Password for authenticating with VMware vCenter server.
`vmware_host_port = 443`	port value	Port number for connecting to VMware vCenter server.
`vmware_host_username = None`	string value	Username for authenticating with VMware vCenter server.
`vmware_host_version = None`	string value	Optional string specifying the VMware vCenter server version. The driver attempts to retrieve the version from VMware vCenter server. Set this configuration only if you want to override the vCenter server version.
`vmware_image_transfer_timeout_secs = 7200`	integer value	Timeout in seconds for VMDK volume transfer between Cinder and Glance.
`vmware_insecure = False`	boolean value	If true, the vCenter server certificate is not verified. If false, then the default CA truststore is used for verification. This option is ignored if "vmware_ca_file" is set.
`vmware_lazy_create = True`	boolean value	If true, the backend volume in vCenter server is created lazily when the volume is created without any source. The backend volume is created when the volume is attached, uploaded to image service or during backup.
`vmware_max_objects_retrieval = 100`	integer value	Max number of objects to be retrieved per batch. Query results will be obtained in batches from the server and not in one shot. Server may still limit the count to something less than the configured value.
`vmware_snapshot_format = template`	string value	Volume snapshot format in vCenter server.
`vmware_task_poll_interval = 2.0`	floating point value	The interval (in seconds) for polling remote tasks invoked on VMware vCenter server.
`vmware_tmp_dir = /tmp`	string value	Directory where virtual disks are stored during volume backup and restore.
`vmware_volume_folder = Volumes`	string value	Name of the vCenter inventory folder that will contain Cinder volumes. This folder will be created under "OpenStack/<project_folder>", where project_folder is of format "Project (<volume_project_id>)".
`vmware_wsdl_location = None`	string value	Optional VIM service WSDL Location e.g http://<server>/vimService.wsdl. Optional over-ride to default location for bug work-arounds.
`volume_backend_name = None`	string value	The backend name for a given driver implementation
`volume_clear = zero`	string value	Method used to wipe old volumes
`volume_clear_ionice = None`	string value	The flag to pass to ionice to alter the i/o priority of the process used to zero a volume after deletion, for example "-c3" for idle only priority.
`volume_clear_size = 0`	integer value	Size in MiB to wipe at start of old volumes. 1024 MiBat max. 0 ⇒ all
`volume_copy_blkio_cgroup_name = cinder-volume-copy`	string value	The blkio cgroup name to be used to limit bandwidth of volume copy
`volume_copy_bps_limit = 0`	integer value	The upper limit of bandwidth of volume copy. 0 ⇒ unlimited
`volume_dd_blocksize = 1M`	string value	The default block size used when copying/clearing volumes
`volume_driver = cinder.volume.drivers.lvm.LVMVolumeDriver`	string value	Driver to use for volume creation
`volume_group = cinder-volumes`	string value	Name for the VG that will contain exported volumes
`volumes_dir = $state_path/volumes`	string value	Volume configuration file storage directory
`vzstorage_default_volume_format = raw`	string value	Default format that will be used when creating volumes if no volume format is specified.
`vzstorage_mount_options = None`	list value	Mount options passed to the vzstorage client. See section of the pstorage-mount man page for details.
`vzstorage_mount_point_base = $state_path/mnt`	string value	Base dir containing mount points for vzstorage shares.
`vzstorage_shares_config = /etc/cinder/vzstorage_shares`	string value	File with the list of available vzstorage shares.
`vzstorage_sparsed_volumes = True`	boolean value	Create volumes as sparsed files which take no space rather than regular files when using raw format, in which case volume creation takes lot of time.
`vzstorage_used_ratio = 0.95`	floating point value	Percent of ACTUAL usage of the underlying volume before no new volumes can be allocated to the volume destination.
`windows_iscsi_lun_path = C:\iSCSIVirtualDisks`	string value	Path to store VHD backed volumes
`xtremio_array_busy_retry_count = 5`	integer value	Number of retries in case array is busy
`xtremio_array_busy_retry_interval = 5`	integer value	Interval between retries in case array is busy
`xtremio_clean_unused_ig = False`	boolean value	Should the driver remove initiator groups with no volumes after the last connection was terminated. Since the behavior till now was to leave the IG be, we default to False (not deleting IGs without connected volumes); setting this parameter to True will remove any IG after terminating its connection to the last volume.
`xtremio_cluster_name = `	string value	XMS cluster id in multi-cluster environment
`xtremio_volumes_per_glance_cache = 100`	integer value	Number of volumes created from each cached glance image
`zadara_default_snap_policy = False`	boolean value	VPSA - Attach snapshot policy for volumes
`zadara_password = None`	string value	VPSA - Password
`zadara_ssl_cert_verify = True`	boolean value	If set to True the http client will validate the SSL certificate of the VPSA endpoint.
`zadara_use_iser = True`	boolean value	VPSA - Use ISER instead of iSCSI
`zadara_user = None`	string value	VPSA - Username
`zadara_vol_encrypt = False`	boolean value	VPSA - Default encryption policy for volumes
`zadara_vol_name_template = OS_%s`	string value	VPSA - Default template for VPSA volume names
`zadara_vpsa_host = None`	string value	VPSA - Management Host name or IP address
`zadara_vpsa_poolname = None`	string value	VPSA - Storage Pool assigned for volumes
`zadara_vpsa_port = None`	port value	VPSA - Port number
`zadara_vpsa_use_ssl = False`	boolean value	VPSA - Use SSL connection
`zfssa_cache_directory = os-cinder-cache`	string value	Name of directory inside zfssa_nfs_share where cache volumes are stored.
`zfssa_cache_project = os-cinder-cache`	string value	Name of ZFSSA project where cache volumes are stored.
`zfssa_data_ip = None`	string value	Data path IP address
`zfssa_enable_local_cache = True`	boolean value	Flag to enable local caching: True, False.
`zfssa_https_port = 443`	string value	HTTPS port number
`zfssa_initiator = `	string value	iSCSI initiator IQNs. (comma separated)
`zfssa_initiator_config = `	string value	iSCSI initiators configuration.
`zfssa_initiator_group = `	string value	iSCSI initiator group.
`zfssa_initiator_password = `	string value	Secret of the iSCSI initiator CHAP user.
`zfssa_initiator_user = `	string value	iSCSI initiator CHAP user (name).
`zfssa_lun_compression = off`	string value	Data compression.
`zfssa_lun_logbias = latency`	string value	Synchronous write bias.
`zfssa_lun_sparse = False`	boolean value	Flag to enable sparse (thin-provisioned): True, False.
`zfssa_lun_volblocksize = 8k`	string value	Block size.
`zfssa_manage_policy = loose`	string value	Driver policy for volume manage.
`zfssa_nfs_mount_options = `	string value	Options to be passed while mounting share over nfs
`zfssa_nfs_pool = `	string value	Storage pool name.
`zfssa_nfs_project = NFSProject`	string value	Project name.
`zfssa_nfs_share = nfs_share`	string value	Share name.
`zfssa_nfs_share_compression = off`	string value	Data compression.
`zfssa_nfs_share_logbias = latency`	string value	Synchronous write bias-latency, throughput.
`zfssa_pool = None`	string value	Storage pool name.
`zfssa_project = None`	string value	Project name.
`zfssa_replication_ip = `	string value	IP address used for replication data. (maybe the same as data ip)
`zfssa_rest_timeout = None`	integer value	REST connection timeout. (seconds)
`zfssa_target_group = tgt-grp`	string value	iSCSI target group name.
`zfssa_target_interfaces = None`	string value	Network interfaces of iSCSI targets. (comma separated)
`zfssa_target_password = `	string value	Secret of the iSCSI target CHAP user.
`zfssa_target_portal = None`	string value	iSCSI target portal (Data-IP:Port, w.x.y.z:3260).
`zfssa_target_user = `	string value	iSCSI target CHAP user (name).

3.1.4. barbican

The following table outlines the options available under the [barbican] group in the /etc/cinder/cinder.conf file.

Table 3.4. barbican
Configuration option = Default value	Type	Description
`auth_endpoint = http://localhost/identity/v3`	string value	Use this endpoint to connect to Keystone
`barbican_api_version = None`	string value	Version of the Barbican API, for example: "v1"
`barbican_endpoint = None`	string value	Use this endpoint to connect to Barbican, for example: "http://localhost:9311/"
`number_of_retries = 60`	integer value	Number of times to retry poll for key creation completion
`retry_delay = 1`	integer value	Number of seconds to wait before retrying poll for key creation completion
`verify_ssl = True`	boolean value	Specifies if insecure TLS (https) requests. If False, the server’s certificate will not be validated

3.1.5. brcd_fabric_example

The following table outlines the options available under the [brcd_fabric_example] group in the /etc/cinder/cinder.conf file.

Table 3.5. brcd_fabric_example
Configuration option = Default value	Type	Description
`fc_fabric_address = `	string value	Management IP of fabric.
`fc_fabric_password = `	string value	Password for user.
`fc_fabric_port = 22`	port value	Connecting port
`fc_fabric_ssh_cert_path = `	string value	Local SSH certificate Path.
`fc_fabric_user = `	string value	Fabric user ID.
`fc_southbound_protocol = HTTP`	string value	South bound connector for the fabric.
`fc_virtual_fabric_id = None`	string value	Virtual Fabric ID.
`zone_activate = True`	boolean value	Overridden zoning activation state.
`zone_name_prefix = openstack`	string value	Overridden zone name prefix.
`zoning_policy = initiator-target`	string value	Overridden zoning policy.

3.1.6. cisco_fabric_example

The following table outlines the options available under the [cisco_fabric_example] group in the /etc/cinder/cinder.conf file.

Table 3.6. cisco_fabric_example
Configuration option = Default value	Type	Description
`cisco_fc_fabric_address = `	string value	Management IP of fabric
`cisco_fc_fabric_password = `	string value	Password for user
`cisco_fc_fabric_port = 22`	port value	Connecting port
`cisco_fc_fabric_user = `	string value	Fabric user ID
`cisco_zone_activate = True`	boolean value	overridden zoning activation state
`cisco_zone_name_prefix = None`	string value	overridden zone name prefix
`cisco_zoning_policy = initiator-target`	string value	overridden zoning policy
`cisco_zoning_vsan = None`	string value	VSAN of the Fabric

3.1.7. coordination

The following table outlines the options available under the [coordination] group in the /etc/cinder/cinder.conf file.

Table 3.7. coordination
Configuration option = Default value	Type	Description
`backend_url = file://$state_path`	string value	The backend URL to use for distributed coordination.

3.1.8. cors

The following table outlines the options available under the [cors] group in the /etc/cinder/cinder.conf file.

Table 3.8. cors
Configuration option = Default value	Type	Description
`allow_credentials = True`	boolean value	Indicate that the actual request can include user credentials
`allow_headers = [u'X-Auth-Token', u'X-Identity-Status', u'X-Roles', u'X-Service-Catalog', u'X-User-Id', u'X-Tenant-Id', u'X-OpenStack-Request-ID', u'X-Trace-Info', u'X-Trace-HMAC', u'OpenStack-API-Version']`	list value	Indicate which header field names may be used during the actual request.
`allow_methods = [u'GET', u'PUT', u'POST', u'DELETE', u'PATCH', u'HEAD']`	list value	Indicate which methods can be used during the actual request.
`allowed_origin = None`	list value	Indicate whether this resource may be shared with the domain received in the requests "origin" header. Format: "<protocol>://<host>[:<port>]", no trailing slash. Example: https://horizon.example.com
`expose_headers = [u'X-Auth-Token', u'X-Subject-Token', u'X-Service-Token', u'X-OpenStack-Request-ID', u'OpenStack-API-Version']`	list value	Indicate which headers are safe to expose to the API. Defaults to HTTP Simple Headers.
`max_age = 3600`	integer value	Maximum cache age of CORS preflight requests.

3.1.9. database

The following table outlines the options available under the [database] group in the /etc/cinder/cinder.conf file.

Table 3.9. database
Configuration option = Default value	Type	Description
`backend = sqlalchemy`	string value	The back end to use for the database.
`connection = None`	string value	The SQLAlchemy connection string to use to connect to the database.
`connection_debug = 0`	integer value	Verbosity of SQL debugging information: 0=None, 100=Everything.
`connection_recycle_time = 3600`	integer value	Connections which have been present in the connection pool longer than this number of seconds will be replaced with a new one the next time they are checked out from the pool.
`connection_trace = False`	boolean value	Add Python stack traces to SQL as comment strings.
`db_inc_retry_interval = True`	boolean value	If True, increases the interval between retries of a database operation up to db_max_retry_interval.
`db_max_retries = 20`	integer value	Maximum retries in case of connection error or deadlock error before error is raised. Set to -1 to specify an infinite retry count.
`db_max_retry_interval = 10`	integer value	If db_inc_retry_interval is set, the maximum seconds between retries of a database operation.
`db_retry_interval = 1`	integer value	Seconds between retries of a database transaction.
`max_overflow = 50`	integer value	If set, use this value for max_overflow with SQLAlchemy.
`max_pool_size = 5`	integer value	Maximum number of SQL connections to keep open in a pool. Setting a value of 0 indicates no limit.
`max_retries = 10`	integer value	Maximum number of database connection retries during startup. Set to -1 to specify an infinite retry count.
`min_pool_size = 1`	integer value	Minimum number of SQL connections to keep open in a pool.
`mysql_enable_ndb = False`	boolean value	If True, transparently enables support for handling MySQL Cluster (NDB).
`mysql_sql_mode = TRADITIONAL`	string value	The SQL mode to be used for MySQL sessions. This option, including the default, overrides any server-set SQL mode. To use whatever SQL mode is set by the server configuration, set this to no value. Example: mysql_sql_mode=
`pool_timeout = None`	integer value	If set, use this value for pool_timeout with SQLAlchemy.
`retry_interval = 10`	integer value	Interval between retries of opening a SQL connection.
`slave_connection = None`	string value	The SQLAlchemy connection string to use to connect to the slave database.
`sqlite_synchronous = True`	boolean value	If True, SQLite uses synchronous mode.
`use_db_reconnect = False`	boolean value	Enable the experimental use of database reconnect on connection lost.

3.1.10. fc-zone-manager

The following table outlines the options available under the [fc-zone-manager] group in the /etc/cinder/cinder.conf file.

Table 3.10. fc-zone-manager
Configuration option = Default value	Type	Description
`brcd_sb_connector = HTTP`	string value	South bound connector for zoning operation
`cisco_sb_connector = cinder.zonemanager.drivers.cisco.cisco_fc_zone_client_cli.CiscoFCZoneClientCLI`	string value	Southbound connector for zoning operation
`enable_unsupported_driver = False`	boolean value	Set this to True when you want to allow an unsupported zone manager driver to start. Drivers that haven’t maintained a working CI system and testing are marked as unsupported until CI is working again. This also marks a driver as deprecated and may be removed in the next release.
`fc_fabric_names = None`	string value	Comma separated list of Fibre Channel fabric names. This list of names is used to retrieve other SAN credentials for connecting to each SAN fabric
`fc_san_lookup_service = cinder.zonemanager.drivers.brocade.brcd_fc_san_lookup_service.BrcdFCSanLookupService`	string value	FC SAN Lookup Service
`zone_driver = cinder.zonemanager.drivers.brocade.brcd_fc_zone_driver.BrcdFCZoneDriver`	string value	FC Zone Driver responsible for zone management
`zoning_policy = initiator-target`	string value	Zoning policy configured by user; valid values include "initiator-target" or "initiator"

3.1.11. healthcheck

The following table outlines the options available under the [healthcheck] group in the /etc/cinder/cinder.conf file.

Table 3.11. healthcheck
Configuration option = Default value	Type	Description
`backends = []`	list value	Additional backends that can perform health checks and report that information back as part of a request.
`detailed = False`	boolean value	Show more detailed information as part of the response
`disable_by_file_path = None`	string value	Check the presence of a file to determine if an application is running on a port. Used by DisableByFileHealthcheck plugin.
`disable_by_file_paths = []`	list value	Check the presence of a file based on a port to determine if an application is running on a port. Expects a "port:path" list of strings. Used by DisableByFilesPortsHealthcheck plugin.
`path = /healthcheck`	string value	The path to respond to healtcheck requests on.

3.1.12. key_manager

The following table outlines the options available under the [key_manager] group in the /etc/cinder/cinder.conf file.

Table 3.12. key_manager
Configuration option = Default value	Type	Description
`auth_type = None`	string value	The type of authentication credential to create. Possible values are token, password, keystone_token, and keystone_password. Required if no context is passed to the credential factory.
`auth_url = None`	string value	Use this endpoint to connect to Keystone.
`backend = barbican`	string value	Specify the key manager implementation. Options are "barbican" and "vault". Default is "barbican". Will support the values earlier set using [key_manager]/api_class for some time.
`domain_id = None`	string value	Domain ID for domain scoping. Optional for keystone_token and keystone_password auth_type.
`domain_name = None`	string value	Domain name for domain scoping. Optional for keystone_token and keystone_password auth_type.
`fixed_key = None`	string value	Fixed key returned by key manager, specified in hex
`password = None`	string value	Password for authentication. Required for password and keystone_password auth_type.
`project_domain_id = None`	string value	Project’s domain ID for project. Optional for keystone_token and keystone_password auth_type.
`project_domain_name = None`	string value	Project’s domain name for project. Optional for keystone_token and keystone_password auth_type.
`project_id = None`	string value	Project ID for project scoping. Optional for keystone_token and keystone_password auth_type.
`project_name = None`	string value	Project name for project scoping. Optional for keystone_token and keystone_password auth_type.
`reauthenticate = True`	boolean value	Allow fetching a new token if the current one is going to expire. Optional for keystone_token and keystone_password auth_type.
`token = None`	string value	Token for authentication. Required for token and keystone_token auth_type if no context is passed to the credential factory.
`trust_id = None`	string value	Trust ID for trust scoping. Optional for keystone_token and keystone_password auth_type.
`user_domain_id = None`	string value	User’s domain ID for authentication. Optional for keystone_token and keystone_password auth_type.
`user_domain_name = None`	string value	User’s domain name for authentication. Optional for keystone_token and keystone_password auth_type.
`user_id = None`	string value	User ID for authentication. Optional for keystone_token and keystone_password auth_type.
`username = None`	string value	Username for authentication. Required for password auth_type. Optional for the keystone_password auth_type.

3.1.13. keystone_authtoken

The following table outlines the options available under the [keystone_authtoken] group in the /etc/cinder/cinder.conf file.

Table 3.13. keystone_authtoken
Configuration option = Default value	Type	Description
`auth_section = None`	string value	Config Section from which to load plugin specific options
`auth_type = None`	string value	Authentication type to load
`auth_uri = None`	string value	Complete "public" Identity API endpoint. This endpoint should not be an "admin" endpoint, as it should be accessible by all end users. Unauthenticated clients are redirected to this endpoint to authenticate. Although this endpoint should ideally be unversioned, client support in the wild varies. If you’re using a versioned v2 endpoint here, then this should not be the same endpoint the service user utilizes for validating tokens, because normal end users may not be able to reach that endpoint. This option is deprecated in favor of www_authenticate_uri and will be removed in the S release.
`auth_version = None`	string value	API version of the admin Identity API endpoint.
`cache = None`	string value	Request environment key where the Swift cache object is stored. When auth_token middleware is deployed with a Swift cache, use this option to have the middleware share a caching backend with swift. Otherwise, use the `memcached_servers` option instead.
`cafile = None`	string value	A PEM encoded Certificate Authority to use when verifying HTTPs connections. Defaults to system CAs.
`certfile = None`	string value	Required if identity server requires client certificate
`check_revocations_for_cached = False`	boolean value	If true, the revocation list will be checked for cached tokens. This requires that PKI tokens are configured on the identity server.
`delay_auth_decision = False`	boolean value	Do not handle authorization requests within the middleware, but delegate the authorization decision to downstream WSGI components.
`enforce_token_bind = permissive`	string value	Used to control the use and type of token binding. Can be set to: "disabled" to not check token binding. "permissive" (default) to validate binding information if the bind type is of a form known to the server and ignore it if not. "strict" like "permissive" but if the bind type is unknown the token will be rejected. "required" any form of token binding is needed to be allowed. Finally the name of a binding method that must be present in tokens.
`hash_algorithms = [u'md5']`	list value	Hash algorithms to use for hashing PKI tokens. This may be a single algorithm or multiple. The algorithms are those supported by Python standard hashlib.new(). The hashes will be tried in the order given, so put the preferred one first for performance. The result of the first hash will be stored in the cache. This will typically be set to multiple values only while migrating from a less secure algorithm to a more secure one. Once all the old tokens are expired this option should be set to a single value for better performance.
`http_connect_timeout = None`	integer value	Request timeout value for communicating with Identity API server.
`http_request_max_retries = 3`	integer value	How many times are we trying to reconnect when communicating with Identity API Server.
`include_service_catalog = True`	boolean value	(Optional) Indicate whether to set the X-Service-Catalog header. If False, middleware will not ask for service catalog on token validation and will not set the X-Service-Catalog header.
`insecure = False`	boolean value	Verify HTTPS connections.
`keyfile = None`	string value	Required if identity server requires client certificate
`memcache_pool_conn_get_timeout = 10`	integer value	(Optional) Number of seconds that an operation will wait to get a memcached client connection from the pool.
`memcache_pool_dead_retry = 300`	integer value	(Optional) Number of seconds memcached server is considered dead before it is tried again.
`memcache_pool_maxsize = 10`	integer value	(Optional) Maximum total number of open connections to every memcached server.
`memcache_pool_socket_timeout = 3`	integer value	(Optional) Socket timeout in seconds for communicating with a memcached server.
`memcache_pool_unused_timeout = 60`	integer value	(Optional) Number of seconds a connection to memcached is held unused in the pool before it is closed.
`memcache_secret_key = None`	string value	(Optional, mandatory if memcache_security_strategy is defined) This string is used for key derivation.
`memcache_security_strategy = None`	string value	(Optional) If defined, indicate whether token data should be authenticated or authenticated and encrypted. If MAC, token data is authenticated (with HMAC) in the cache. If ENCRYPT, token data is encrypted and authenticated in the cache. If the value is not one of these options or empty, auth_token will raise an exception on initialization.
`memcache_use_advanced_pool = False`	boolean value	(Optional) Use the advanced (eventlet safe) memcached client pool. The advanced pool will only work under python 2.x.
`memcached_servers = None`	list value	Optionally specify a list of memcached server(s) to use for caching. If left undefined, tokens will instead be cached in-process.
`region_name = None`	string value	The region in which the identity server can be found.
`revocation_cache_time = 10`	integer value	Determines the frequency at which the list of revoked tokens is retrieved from the Identity service (in seconds). A high number of revocation events combined with a low cache duration may significantly reduce performance. Only valid for PKI tokens. This option has been deprecated in the Ocata release and will be removed in the P release.
`service_token_roles = [u'service']`	list value	A choice of roles that must be present in a service token. Service tokens are allowed to request that an expired token can be used and so this check should tightly control that only actual services should be sending this token. Roles here are applied as an ANY check so any role in this list must be present. For backwards compatibility reasons this currently only affects the allow_expired check.
`service_token_roles_required = False`	boolean value	For backwards compatibility reasons we must let valid service tokens pass that don’t pass the service_token_roles check as valid. Setting this true will become the default in a future release and should be enabled if possible.
`signing_dir = None`	string value	Directory used to cache files related to PKI tokens. This option has been deprecated in the Ocata release and will be removed in the P release.
`token_cache_time = 300`	integer value	In order to prevent excessive effort spent validating tokens, the middleware caches previously-seen tokens for a configurable duration (in seconds). Set to -1 to disable caching completely.
`www_authenticate_uri = None`	string value	Complete "public" Identity API endpoint. This endpoint should not be an "admin" endpoint, as it should be accessible by all end users. Unauthenticated clients are redirected to this endpoint to authenticate. Although this endpoint should ideally be unversioned, client support in the wild varies. If you’re using a versioned v2 endpoint here, then this should not be the same endpoint the service user utilizes for validating tokens, because normal end users may not be able to reach that endpoint.

3.1.14. matchmaker_redis

The following table outlines the options available under the [matchmaker_redis] group in the /etc/cinder/cinder.conf file.

Table 3.14. matchmaker_redis
Configuration option = Default value	Type	Description
`check_timeout = 20000`	integer value	Time in ms to wait before the transaction is killed.
`host = 127.0.0.1`	string value	Host to locate redis.
`password = `	string value	Password for Redis server (optional).
`port = 6379`	port value	Use this port to connect to redis host.
`sentinel_group_name = oslo-messaging-zeromq`	string value	Redis replica set name.
`sentinel_hosts = []`	list value	List of Redis Sentinel hosts (fault tolerance mode), e.g., [host:port, host1:port … ]
`socket_timeout = 10000`	integer value	Timeout in ms on blocking socket operations.
`wait_timeout = 2000`	integer value	Time in ms to wait between connection attempts.

3.1.15. nova

The following table outlines the options available under the [nova] group in the /etc/cinder/cinder.conf file.

Table 3.15. nova
Configuration option = Default value	Type	Description
`auth_section = None`	string value	Config Section from which to load plugin specific options
`auth_type = None`	string value	Authentication type to load
`cafile = None`	string value	PEM encoded Certificate Authority to use when verifying HTTPs connections.
`certfile = None`	string value	PEM encoded client certificate cert file
`insecure = False`	boolean value	Verify HTTPS connections.
`interface = public`	string value	Type of the nova endpoint to use. This endpoint will be looked up in the keystone catalog and should be one of public, internal or admin.
`keyfile = None`	string value	PEM encoded client certificate key file
`region_name = None`	string value	Name of nova region to use. Useful if keystone manages more than one region.
`timeout = None`	integer value	Timeout value for http requests
`token_auth_url = None`	string value	The authentication URL for the nova connection when using the current users token

3.1.16. oslo_concurrency

The following table outlines the options available under the [oslo_concurrency] group in the /etc/cinder/cinder.conf file.

Table 3.16. oslo_concurrency
Configuration option = Default value	Type	Description
`disable_process_locking = False`	boolean value	Enables or disables inter-process locks.
`lock_path = None`	string value	Directory to use for lock files. For security, the specified directory should only be writable by the user running the processes that need locking. Defaults to environment variable OSLO_LOCK_PATH. If external locks are used, a lock path must be set.

3.1.17. oslo_messaging_amqp

The following table outlines the options available under the [oslo_messaging_amqp] group in the /etc/cinder/cinder.conf file.

Table 3.17. oslo_messaging_amqp
Configuration option = Default value	Type	Description
`addressing_mode = dynamic`	string value	Indicates the addressing mode used by the driver. Permitted values: legacy - use legacy non-routable addressing routable - use routable addresses dynamic - use legacy addresses if the message bus does not support routing otherwise use routable addressing
`allow_insecure_clients = False`	boolean value	Accept clients using either SSL or plain TCP
`anycast_address = anycast`	string value	Appended to the address prefix when sending to a group of consumers. Used by the message bus to identify messages that should be delivered in a round-robin fashion across consumers.
`broadcast_prefix = broadcast`	string value	address prefix used when broadcasting to all servers
`connection_retry_backoff = 2`	integer value	Increase the connection_retry_interval by this many seconds after each unsuccessful failover attempt.
`connection_retry_interval = 1`	integer value	Seconds to pause before attempting to re-connect.
`connection_retry_interval_max = 30`	integer value	Maximum limit for connection_retry_interval + connection_retry_backoff
`container_name = None`	string value	Name for the AMQP container. must be globally unique. Defaults to a generated UUID
`default_notification_exchange = None`	string value	Exchange name used in notification addresses. Exchange name resolution precedence: Target.exchange if set else default_notification_exchange if set else control_exchange if set else notify
`default_notify_timeout = 30`	integer value	The deadline for a sent notification message delivery. Only used when caller does not provide a timeout expiry.
`default_reply_retry = 0`	integer value	The maximum number of attempts to re-send a reply message which failed due to a recoverable error.
`default_reply_timeout = 30`	integer value	The deadline for an rpc reply message delivery.
`default_rpc_exchange = None`	string value	Exchange name used in RPC addresses. Exchange name resolution precedence: Target.exchange if set else default_rpc_exchange if set else control_exchange if set else rpc
`default_send_timeout = 30`	integer value	The deadline for an rpc cast or call message delivery. Only used when caller does not provide a timeout expiry.
`default_sender_link_timeout = 600`	integer value	The duration to schedule a purge of idle sender links. Detach link after expiry.
`group_request_prefix = unicast`	string value	address prefix when sending to any server in group
`idle_timeout = 0`	integer value	Timeout for inactive connections (in seconds)
`link_retry_delay = 10`	integer value	Time to pause between re-connecting an AMQP 1.0 link that failed due to a recoverable error.
`multicast_address = multicast`	string value	Appended to the address prefix when sending a fanout message. Used by the message bus to identify fanout messages.
`notify_address_prefix = openstack.org/om/notify`	string value	Address prefix for all generated Notification addresses
`notify_server_credit = 100`	integer value	Window size for incoming Notification messages
`password = `	string value	Password for message broker authentication
`pre_settled = [u'rpc-cast', u'rpc-reply']`	multi valued	Send messages of this type pre-settled. Pre-settled messages will not receive acknowledgement from the peer. Note well: pre-settled messages may be silently discarded if the delivery fails. Permitted values: rpc-call - send RPC Calls pre-settled rpc-reply- send RPC Replies pre-settled rpc-cast - Send RPC Casts pre-settled notify - Send Notifications pre-settled
`pseudo_vhost = True`	boolean value	Enable virtual host support for those message buses that do not natively support virtual hosting (such as qpidd). When set to true the virtual host name will be added to all message bus addresses, effectively creating a private subnet per virtual host. Set to False if the message bus supports virtual hosting using the hostname field in the AMQP 1.0 Open performative as the name of the virtual host.
`reply_link_credit = 200`	integer value	Window size for incoming RPC Reply messages.
`rpc_address_prefix = openstack.org/om/rpc`	string value	Address prefix for all generated RPC addresses
`rpc_server_credit = 100`	integer value	Window size for incoming RPC Request messages
`sasl_config_dir = `	string value	Path to directory that contains the SASL configuration
`sasl_config_name = `	string value	Name of configuration file (without .conf suffix)
`sasl_default_realm = `	string value	SASL realm to use if no realm present in username
`sasl_mechanisms = `	string value	Space separated list of acceptable SASL mechanisms
`server_request_prefix = exclusive`	string value	address prefix used when sending to a specific server
`ssl = False`	boolean value	Attempt to connect via SSL. If no other ssl-related parameters are given, it will use the system’s CA-bundle to verify the server’s certificate.
`ssl_ca_file = `	string value	CA certificate PEM file used to verify the server’s certificate
`ssl_cert_file = `	string value	Self-identifying certificate PEM file for client authentication
`ssl_key_file = `	string value	Private key PEM file used to sign ssl_cert_file certificate (optional)
`ssl_key_password = None`	string value	Password for decrypting ssl_key_file (if encrypted)
`ssl_verify_vhost = False`	boolean value	By default SSL checks that the name in the server’s certificate matches the hostname in the transport_url. In some configurations it may be preferable to use the virtual hostname instead, for example if the server uses the Server Name Indication TLS extension (rfc6066) to provide a certificate per virtual host. Set ssl_verify_vhost to True if the server’s SSL certificate uses the virtual host name instead of the DNS name.
`trace = False`	boolean value	Debug: dump AMQP frames to stdout
`unicast_address = unicast`	string value	Appended to the address prefix when sending to a particular RPC/Notification server. Used by the message bus to identify messages sent to a single destination.
`username = `	string value	User name for message broker authentication

3.1.18. oslo_messaging_kafka

The following table outlines the options available under the [oslo_messaging_kafka] group in the /etc/cinder/cinder.conf file.

Table 3.18. oslo_messaging_kafka
Configuration option = Default value	Type	Description
`conn_pool_min_size = 2`	integer value	The pool size limit for connections expiration policy
`conn_pool_ttl = 1200`	integer value	The time-to-live in sec of idle connections in the pool
`consumer_group = oslo_messaging_consumer`	string value	Group id for Kafka consumer. Consumers in one group will coordinate message consumption
`kafka_consumer_timeout = 1.0`	floating point value	Default timeout(s) for Kafka consumers
`kafka_default_host = localhost`	string value	Default Kafka broker Host
`kafka_default_port = 9092`	port value	Default Kafka broker Port
`kafka_max_fetch_bytes = 1048576`	integer value	Max fetch bytes of Kafka consumer
`pool_size = 10`	integer value	Pool Size for Kafka Consumers
`producer_batch_size = 16384`	integer value	Size of batch for the producer async send
`producer_batch_timeout = 0.0`	floating point value	Upper bound on the delay for KafkaProducer batching in seconds

3.1.19. oslo_messaging_notifications

The following table outlines the options available under the [oslo_messaging_notifications] group in the /etc/cinder/cinder.conf file.

Table 3.19. oslo_messaging_notifications
Configuration option = Default value	Type	Description
`driver = []`	multi valued	The Drivers(s) to handle sending notifications. Possible values are messaging, messagingv2, routing, log, test, noop
`retry = -1`	integer value	The maximum number of attempts to re-send a notification message which failed to be delivered due to a recoverable error. 0 - No retry, -1 - indefinite
`topics = [u'notifications']`	list value	AMQP topic used for OpenStack notifications.
`transport_url = None`	string value	A URL representing the messaging driver to use for notifications. If not set, we fall back to the same configuration used for RPC.

3.1.20. oslo_messaging_rabbit

The following table outlines the options available under the [oslo_messaging_rabbit] group in the /etc/cinder/cinder.conf file.

Table 3.20. oslo_messaging_rabbit
Configuration option = Default value	Type	Description
`amqp_auto_delete = False`	boolean value	Auto-delete queues in AMQP.
`amqp_durable_queues = False`	boolean value	Use durable queues in AMQP.
`channel_max = None`	integer value	Maximum number of channels to allow
`connection_factory = single`	string value	Connection factory implementation
`default_notification_exchange = ${control_exchange}_notification`	string value	Exchange name for sending notifications
`default_notification_retry_attempts = -1`	integer value	Reconnecting retry count in case of connectivity problem during sending notification, -1 means infinite retry.
`default_rpc_exchange = ${control_exchange}_rpc`	string value	Exchange name for sending RPC messages
`default_rpc_retry_attempts = -1`	integer value	Reconnecting retry count in case of connectivity problem during sending RPC message, -1 means infinite retry. If actual retry attempts in not 0 the rpc request could be processed more than one time
`default_serializer_type = json`	string value	Default serialization mechanism for serializing/deserializing outgoing/incoming messages
`fake_rabbit = False`	boolean value	Deprecated, use rpc_backend=kombu+memory or rpc_backend=fake
`frame_max = None`	integer value	The maximum byte size for an AMQP frame
`heartbeat_interval = 3`	integer value	How often to send heartbeats for consumer’s connections
`heartbeat_rate = 2`	integer value	How often times during the heartbeat_timeout_threshold we check the heartbeat.
`heartbeat_timeout_threshold = 60`	integer value	Number of seconds after which the Rabbit broker is considered down if heartbeat’s keep-alive fails (0 disable the heartbeat). EXPERIMENTAL
`host_connection_reconnect_delay = 0.25`	floating point value	Set delay for reconnection to some host which has connection error
`kombu_compression = None`	string value	EXPERIMENTAL: Possible values are: gzip, bz2. If not set compression will not be used. This option may not be available in future versions.
`kombu_failover_strategy = round-robin`	string value	Determines how the next RabbitMQ node is chosen in case the one we are currently connected to becomes unavailable. Takes effect only if more than one RabbitMQ node is provided in config.
`kombu_missing_consumer_retry_timeout = 60`	integer value	How long to wait a missing client before abandoning to send it its replies. This value should not be longer than rpc_response_timeout.
`kombu_reconnect_delay = 1.0`	floating point value	How long to wait before reconnecting in response to an AMQP consumer cancel notification.
`notification_listener_prefetch_count = 100`	integer value	Max number of not acknowledged message which RabbitMQ can send to notification listener.
`notification_persistence = False`	boolean value	Persist notification messages.
`notification_retry_delay = 0.25`	floating point value	Reconnecting retry delay in case of connectivity problem during sending notification message
`pool_max_overflow = 0`	integer value	Maximum number of connections to create above `pool_max_size`.
`pool_max_size = 30`	integer value	Maximum number of connections to keep queued.
`pool_recycle = 600`	integer value	Lifetime of a connection (since creation) in seconds or None for no recycling. Expired connections are closed on acquire.
`pool_stale = 60`	integer value	Threshold at which inactive (since release) connections are considered stale in seconds or None for no staleness. Stale connections are closed on acquire.
`pool_timeout = 30`	integer value	Default number of seconds to wait for a connections to available
`rabbit_ha_queues = False`	boolean value	Try to use HA queues in RabbitMQ (x-ha-policy: all). If you change this option, you must wipe the RabbitMQ database. In RabbitMQ 3.0, queue mirroring is no longer controlled by the x-ha-policy argument when declaring a queue. If you just want to make sure that all queues (except those with auto-generated names) are mirrored across all nodes, run: "rabbitmqctl set_policy HA ^(?!amq\.).* {"ha-mode": "all"} "
`rabbit_host = localhost`	string value	The RabbitMQ broker address where a single node is used.
`rabbit_hosts = [u'$rabbit_host:$rabbit_port']`	list value	RabbitMQ HA cluster host:port pairs.
`rabbit_interval_max = 30`	integer value	Maximum interval of RabbitMQ connection retries. Default is 30 seconds.
`rabbit_login_method = AMQPLAIN`	string value	The RabbitMQ login method.
`rabbit_max_retries = 0`	integer value	Maximum number of RabbitMQ connection retries. Default is 0 (infinite retry count).
`rabbit_password = guest`	string value	The RabbitMQ password.
`rabbit_port = 5672`	port value	The RabbitMQ broker port where a single node is used.
`rabbit_qos_prefetch_count = 0`	integer value	Specifies the number of messages to prefetch. Setting to zero allows unlimited messages.
`rabbit_retry_backoff = 2`	integer value	How long to backoff for between retries when connecting to RabbitMQ.
`rabbit_retry_interval = 1`	integer value	How frequently to retry connecting with RabbitMQ.
`rabbit_transient_queues_ttl = 1800`	integer value	Positive integer representing duration in seconds for queue TTL (x-expires). Queues which are unused for the duration of the TTL are automatically deleted. The parameter affects only reply and fanout queues.
`rabbit_userid = guest`	string value	The RabbitMQ userid.
`rabbit_virtual_host = /`	string value	The RabbitMQ virtual host.
`rpc_listener_prefetch_count = 100`	integer value	Max number of not acknowledged message which RabbitMQ can send to rpc listener.
`rpc_queue_expiration = 60`	integer value	Time to live for rpc queues without consumers in seconds.
`rpc_reply_exchange = ${control_exchange}_rpc_reply`	string value	Exchange name for receiving RPC replies
`rpc_reply_listener_prefetch_count = 100`	integer value	Max number of not acknowledged message which RabbitMQ can send to rpc reply listener.
`rpc_reply_retry_attempts = -1`	integer value	Reconnecting retry count in case of connectivity problem during sending reply. -1 means infinite retry during rpc_timeout
`rpc_reply_retry_delay = 0.25`	floating point value	Reconnecting retry delay in case of connectivity problem during sending reply.
`rpc_retry_delay = 0.25`	floating point value	Reconnecting retry delay in case of connectivity problem during sending RPC message
`socket_timeout = 0.25`	floating point value	Set socket timeout in seconds for connection’s socket
`ssl = None`	boolean value	Enable SSL
`ssl_ca_file = `	string value	SSL certification authority file (valid only if SSL enabled).
`ssl_cert_file = `	string value	SSL cert file (valid only if SSL enabled).
`ssl_key_file = `	string value	SSL key file (valid only if SSL enabled).
`ssl_options = None`	dict value	Arguments passed to ssl.wrap_socket
`ssl_version = `	string value	SSL version to use (valid only if SSL enabled). Valid values are TLSv1 and SSLv23. SSLv2, SSLv3, TLSv1_1, and TLSv1_2 may be available on some distributions.
`tcp_user_timeout = 0.25`	floating point value	Set TCP_USER_TIMEOUT in seconds for connection’s socket

3.1.21. oslo_messaging_zmq

The following table outlines the options available under the [oslo_messaging_zmq] group in the /etc/cinder/cinder.conf file.

Table 3.21. oslo_messaging_zmq
Configuration option = Default value	Type	Description
`rpc_ack_timeout_base = 15`	integer value	Number of seconds to wait for an ack from a cast/call. After each retry attempt this timeout is multiplied by some specified multiplier.
`rpc_ack_timeout_multiplier = 2`	integer value	Number to multiply base ack timeout by after each retry attempt.
`rpc_message_ttl = 300`	integer value	Expiration timeout in seconds of a sent/received message after which it is not tracked anymore by a client/server.
`rpc_poll_timeout = 1`	integer value	The default number of seconds that poll should wait. Poll raises timeout exception when timeout expired.
`rpc_retry_attempts = 3`	integer value	Default number of message sending attempts in case of any problems occurred: positive value N means at most N retries, 0 means no retries, None or -1 (or any other negative values) mean to retry forever. This option is used only if acknowledgments are enabled.
`rpc_thread_pool_size = 100`	integer value	Maximum number of (green) threads to work concurrently.
`rpc_use_acks = False`	boolean value	Wait for message acknowledgements from receivers. This mechanism works only via proxy without PUB/SUB.
`rpc_zmq_bind_address = *`	string value	ZeroMQ bind address. Should be a wildcard (*), an ethernet interface, or IP. The "host" option should point or resolve to this address.
`rpc_zmq_bind_port_retries = 100`	integer value	Number of retries to find free port number before fail with ZMQBindError.
`rpc_zmq_contexts = 1`	integer value	Number of ZeroMQ contexts, defaults to 1.
`rpc_zmq_host = ccsosp-undercloud.usersys.redhat.com`	string value	Name of this node. Must be a valid hostname, FQDN, or IP address. Must match "host" option, if running Nova.
`rpc_zmq_ipc_dir = /var/run/openstack`	string value	Directory for holding IPC sockets.
`rpc_zmq_matchmaker = redis`	string value	MatchMaker driver.
`rpc_zmq_max_port = 65536`	integer value	Maximal port number for random ports range.
`rpc_zmq_min_port = 49153`	port value	Minimal port number for random ports range.
`rpc_zmq_serialization = json`	string value	Default serialization mechanism for serializing/deserializing outgoing/incoming messages
`rpc_zmq_topic_backlog = None`	integer value	Maximum number of ingress messages to locally buffer per topic. Default is unlimited.
`subscribe_on = []`	list value	List of publisher hosts SubConsumer can subscribe on. This option has higher priority then the default publishers list taken from the matchmaker.
`use_dynamic_connections = False`	boolean value	This option makes direct connections dynamic or static. It makes sense only with use_router_proxy=False which means to use direct connections for direct message types (ignored otherwise).
`use_pub_sub = False`	boolean value	Use PUB/SUB pattern for fanout methods. PUB/SUB always uses proxy.
`use_router_proxy = False`	boolean value	Use ROUTER remote proxy.
`zmq_failover_connections = 2`	integer value	How many additional connections to a host will be made for failover reasons. This option is actual only in dynamic connections mode.
`zmq_immediate = True`	boolean value	This option configures round-robin mode in zmq socket. True means not keeping a queue when server side disconnects. False means to keep queue and messages even if server is disconnected, when the server appears we send all accumulated messages to it.
`zmq_linger = -1`	integer value	Number of seconds to wait before all pending messages will be sent after closing a socket. The default value of -1 specifies an infinite linger period. The value of 0 specifies no linger period. Pending messages shall be discarded immediately when the socket is closed. Positive values specify an upper bound for the linger period.
`zmq_target_expire = 300`	integer value	Expiration timeout in seconds of a name service record about existing target ( < 0 means no timeout).
`zmq_target_update = 180`	integer value	Update period in seconds of a name service record about existing target.
`zmq_tcp_keepalive = -1`	integer value	Enable/disable TCP keepalive (KA) mechanism. The default value of -1 (or any other negative value) means to skip any overrides and leave it to OS default; 0 and 1 (or any other positive value) mean to disable and enable the option respectively.
`zmq_tcp_keepalive_cnt = -1`	integer value	The number of retransmissions to be carried out before declaring that remote end is not available. The default value of -1 (or any other negative value and 0) means to skip any overrides and leave it to OS default.
`zmq_tcp_keepalive_idle = -1`	integer value	The duration between two keepalive transmissions in idle condition. The unit is platform dependent, for example, seconds in Linux, milliseconds in Windows etc. The default value of -1 (or any other negative value and 0) means to skip any overrides and leave it to OS default.
`zmq_tcp_keepalive_intvl = -1`	integer value	The duration between two successive keepalive retransmissions, if acknowledgement to the previous keepalive transmission is not received. The unit is platform dependent, for example, seconds in Linux, milliseconds in Windows etc. The default value of -1 (or any other negative value and 0) means to skip any overrides and leave it to OS default.

3.1.22. oslo_middleware

The following table outlines the options available under the [oslo_middleware] group in the /etc/cinder/cinder.conf file.

Table 3.22. oslo_middleware
Configuration option = Default value	Type	Description
`enable_proxy_headers_parsing = False`	boolean value	Whether the application is behind a proxy or not. This determines if the middleware should parse the headers or not.
`max_request_body_size = 114688`	integer value	The maximum body size for each request, in bytes.
`secure_proxy_ssl_header = X-Forwarded-Proto`	string value	The HTTP Header that will be used to determine what the original request protocol scheme was, even if it was hidden by a SSL termination proxy.

3.1.23. oslo_policy

The following table outlines the options available under the [oslo_policy] group in the /etc/cinder/cinder.conf file.

Table 3.23. oslo_policy
Configuration option = Default value	Type	Description
`enforce_scope = False`	boolean value	This option controls whether or not to enforce scope when evaluating policies. If `True`, the scope of the token used in the request is compared to the `scope_types` of the policy being enforced. If the scopes do not match, an `InvalidScope` exception will be raised. If `False`, a message will be logged informing operators that policies are being invoked with mismatching scope.
`policy_default_rule = default`	string value	Default rule. Enforced when a requested rule is not found.
`policy_dirs = [u'policy.d']`	multi valued	Directories where policy configuration files are stored. They can be relative to any directory in the search path defined by the config_dir option, or absolute paths. The file defined by policy_file must exist for these directories to be searched. Missing or empty directories are ignored.
`policy_file = policy.json`	string value	The file that defines policies.
`remote_content_type = application/x-www-form-urlencoded`	string value	Content Type to send and receive data for REST based policy check
`remote_ssl_ca_crt_file = None`	string value	Absolute path to ca cert file for REST based policy check
`remote_ssl_client_crt_file = None`	string value	Absolute path to client cert for REST based policy check
`remote_ssl_client_key_file = None`	string value	Absolute path client key file REST based policy check
`remote_ssl_verify_server_crt = False`	boolean value	server identity verification for REST based policy check

3.1.24. oslo_reports

The following table outlines the options available under the [oslo_reports] group in the /etc/cinder/cinder.conf file.

Table 3.24. oslo_reports
Configuration option = Default value	Type	Description
`file_event_handler = None`	string value	The path to a file to watch for changes to trigger the reports, instead of signals. Setting this option disables the signal trigger for the reports. If application is running as a WSGI application it is recommended to use this instead of signals.
`file_event_handler_interval = 1`	integer value	How many seconds to wait between polls when file_event_handler is set
`log_dir = None`	string value	Path to a log directory where to create a file

3.1.25. oslo_versionedobjects

The following table outlines the options available under the [oslo_versionedobjects] group in the /etc/cinder/cinder.conf file.

Table 3.25. oslo_versionedobjects
Configuration option = Default value	Type	Description
`fatal_exception_format_errors = False`	boolean value	Make exception message format errors fatal

3.1.26. profiler

The following table outlines the options available under the [profiler] group in the /etc/cinder/cinder.conf file.

Table 3.26. profiler
Configuration option = Default value	Type	Description
`connection_string = messaging://`	string value	Connection string for a notifier backend. Default value is messaging:// which sets the notifier to oslo_messaging. Examples of possible values: messaging://: use oslo_messaging driver for sending notifications. mongodb://127.0.0.1:27017 : use mongodb driver for sending notifications. elasticsearch://127.0.0.1:9200 : use elasticsearch driver for sending notifications.
`enabled = False`	boolean value	Enables the profiling for all services on this node. Default value is False (fully disable the profiling feature). Possible values: True: Enables the feature False: Disables the feature. The profiling cannot be started via this project operations. If the profiling is triggered by another project, this project part will be empty.
`es_doc_type = notification`	string value	Document type for notification indexing in elasticsearch.
`es_scroll_size = 10000`	integer value	Elasticsearch splits large requests in batches. This parameter defines maximum size of each batch (for example: es_scroll_size=10000).
`es_scroll_time = 2m`	string value	This parameter is a time value parameter (for example: es_scroll_time=2m), indicating for how long the nodes that participate in the search will maintain relevant resources in order to continue and support it.
`hmac_keys = SECRET_KEY`	string value	Secret key(s) to use for encrypting context data for performance profiling. This string value should have the following format: <key1>[,<key2>,…<keyn>], where each key is some random string. A user who triggers the profiling via the REST API has to set one of these keys in the headers of the REST API call to include profiling results of this node for this particular project. Both "enabled" flag and "hmac_keys" config options should be set to enable profiling. Also, to generate correct profiling information across all services at least one key needs to be consistent between OpenStack projects. This ensures it can be used from client side to generate the trace, containing information from all possible resources.
`sentinel_service_name = mymaster`	string value	Redissentinel uses a service name to identify a master redis service. This parameter defines the name (for example: sentinal_service_name=mymaster).
`socket_timeout = 0.1`	floating point value	Redissentinel provides a timeout option on the connections. This parameter defines that timeout (for example: socket_timeout=0.1).
`trace_sqlalchemy = False`	boolean value	Enables SQL requests profiling in services. Default value is False (SQL requests won’t be traced). Possible values: True: Enables SQL requests profiling. Each SQL query will be part of the trace and can the be analyzed by how much time was spent for that. False: Disables SQL requests profiling. The spent time is only shown on a higher level of operations. Single SQL queries cannot be analyzed this way.

3.1.27. service_user

The following table outlines the options available under the [service_user] group in the /etc/cinder/cinder.conf file.

Table 3.27. service_user
Configuration option = Default value	Type	Description
`send_service_user_token = False`	boolean value	When True, if sending a user token to an REST API, also send a service token.

3.1.28. ssl

The following table outlines the options available under the [ssl] group in the /etc/cinder/cinder.conf file.

Table 3.28. ssl
Configuration option = Default value	Type	Description
`ca_file = None`	string value	CA certificate file to use to verify connecting clients.
`cert_file = None`	string value	Certificate file to use when starting the server securely.
`ciphers = None`	string value	Sets the list of available ciphers. value should be a string in the OpenSSL cipher list format.
`key_file = None`	string value	Private key file to use when starting the server securely.
`version = None`	string value	SSL version to use (valid only if SSL enabled). Valid values are TLSv1 and SSLv23. SSLv2, SSLv3, TLSv1_1, and TLSv1_2 may be available on some distributions.

3.1.29. vault

The following table outlines the options available under the [vault] group in the /etc/cinder/cinder.conf file.

Table 3.29. vault
Configuration option = Default value	Type	Description
`root_token_id = None`	string value	root token for vault
`ssl_ca_crt_file = None`	string value	Absolute path to ca cert file
`use_ssl = False`	boolean value	SSL Enabled/Disabled
`vault_url = http://127.0.0.1:8200`	string value	Use this endpoint to connect to Vault, for example: "http://127.0.0.1:8200"

Chapter 4. designate

The following chapter contains information about the configuration options in the designate service.

4.1. designate.conf

This section contains options for the /etc/designate/designate.conf file.

4.1.1. DEFAULT

The following table outlines the options available under the [DEFAULT] group in the /etc/designate/designate.conf file.

Table 4.1. DEFAULT
Configuration option = Default value	Type	Description
`backdoor_port = None`	string value	Enable eventlet backdoor. Acceptable values are 0, <port>, and <start>:<end>, where 0 results in listening on a random tcp port number; <port> results in listening on the specified port number (and not enabling backdoor if that port is in use); and <start>:<end> results in listening on the smallest unused port number within the specified range of port numbers. The chosen port is displayed in the service’s log file.
`backdoor_socket = None`	string value	Enable eventlet backdoor, using the provided path as a unix socket that can receive connections. This option is mutually exclusive with backdoor_port in that only one should be provided. If both are provided then the existence of this option overrides the usage of that option.
`backlog = 4096`	integer value	Number of backlog requests to configure the socket with
`central-topic = central`	string value	Central Topic
`conn_pool_min_size = 2`	integer value	The pool size limit for connections expiration policy
`conn_pool_ttl = 1200`	integer value	The time-to-live in sec of idle connections in the pool
`control_exchange = designate`	string value	The default exchange under which topics are scoped. May be overridden by an exchange name specified in the transport_url option.
`debug = False`	boolean value	If set to true, the logging level will be set to DEBUG instead of the default INFO level.
`default-soa-expire = 86400`	integer value	SOA expire
`default-soa-minimum = 3600`	integer value	SOA minimum value
`default-soa-refresh-max = 3600`	integer value	SOA max value
`default-soa-refresh-min = 3500`	integer value	SOA refresh-min value
`default-soa-retry = 600`	integer value	SOA retry
`default-ttl = 3600`	integer value	TTL Value
`default_log_levels = [u'amqplib=WARN', u'amqp=WARN', u'boto=WARN', u'eventlet.wsgi.server=WARN', u'iso8601=WARN', u'kazoo.client=WARN', u'keystone=INFO', u'keystonemiddleware.auth_token=INFO', u'oslo_messaging=WARN', u'oslo.messaging=INFO', u'oslo_service.loopingcall=WARN', u'sqlalchemy=WARN', u'stevedore=WARN', u'suds=INFO']`	list value	List of package logging levels in logger=LEVEL pairs. This option is ignored if log_config_append is set.
`executor_thread_pool_size = 64`	integer value	Size of executor thread pool when executor is threading or eventlet.
`fatal_deprecations = False`	boolean value	Enables or disables fatal status of deprecations.
`graceful_shutdown_timeout = 60`	integer value	Specify a timeout after which a gracefully shutdown server will exit. Zero value means endless wait.
`host = ccsosp-undercloud.usersys.redhat.com`	string value	Name of this node
`instance_format = [instance: %(uuid)s] `	string value	The format for an instance that is passed with the log message.
`instance_uuid_format = [instance: %(uuid)s] `	string value	The format for an instance UUID that is passed with the log message.
`log-config-append = None`	string value	The name of a logging configuration file. This file is appended to any existing logging configuration files. For details about logging configuration files, see the Python logging module documentation. Note that when logging configuration files are used then all logging configuration is set in the configuration file and other logging configuration options are ignored (for example, logging_context_format_string).
`log-date-format = %Y-%m-%d %H:%M:%S`	string value	Defines the format string for %%(asctime)s in log records. Default: %(default)s . This option is ignored if log_config_append is set.
`log-dir = None`	string value	(Optional) The base directory used for relative log_file paths. This option is ignored if log_config_append is set.
`log-file = None`	string value	(Optional) Name of log file to send logging output to. If no default is set, logging will go to stderr as defined by use_stderr. This option is ignored if log_config_append is set.
`log_options = True`	boolean value	Enables or disables logging values of all registered options when starting a service (at DEBUG level).
`logging_context_format_string = %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [%(request_id)s %(user_identity)s] %(instance)s%(message)s`	string value	Format string to use for log messages with context.
`logging_debug_format_suffix = %(funcName)s %(pathname)s:%(lineno)d`	string value	Additional data to append to log message when logging level for the message is DEBUG.
`logging_default_format_string = %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [-] %(instance)s%(message)s`	string value	Format string to use for log messages when context is undefined.
`logging_exception_prefix = %(asctime)s.%(msecs)03d %(process)d ERROR %(name)s %(instance)s`	string value	Prefix each line of exception output with this format.
`logging_user_identity_format = %(user)s %(tenant)s %(domain)s %(user_domain)s %(project_domain)s`	string value	Defines the format string for %(user_identity)s that is used in logging_context_format_string.
`mdns-topic = mdns`	string value	mDNS Topic
`network_api = neutron`	string value	Which API to use.
`notification-plugin = default`	string value	The notification plugin to use
`notify_api_faults = False`	boolean value	Send notifications if there’s a failure in the API.
`pool-manager-topic = pool_manager`	string value	Pool Manager Topic
`publish_errors = False`	boolean value	Enables or disables publication of error events.
`pybasedir = /usr/lib/python2.7/site-packages`	string value	Directory where the designate python module is installed
`quota-api-export-size = 1000`	integer value	Number of recordsets allowed in a zone export
`quota-driver = storage`	string value	Quota driver to use
`quota-recordset-records = 20`	integer value	Number of records allowed per recordset
`quota-zone-records = 500`	integer value	Number of records allowed per zone
`quota-zone-recordsets = 500`	integer value	Number of recordsets allowed per zone
`quota-zones = 10`	integer value	Number of zones allowed per tenant
`rate_limit_burst = 0`	integer value	Maximum number of logged messages per rate_limit_interval.
`rate_limit_except_level = CRITICAL`	string value	Log level name used by rate limiting: CRITICAL, ERROR, INFO, WARNING, DEBUG or empty string. Logs with level greater or equal to rate_limit_except_level are not filtered. An empty string means that all levels are filtered.
`rate_limit_interval = 0`	integer value	Interval, number of seconds, of log rate limiting.
`root-helper = sudo designate-rootwrap /etc/designate/rootwrap.conf`	string value	designate-rootwrap configuration
`rpc_ack_timeout_base = 15`	integer value	Number of seconds to wait for an ack from a cast/call. After each retry attempt this timeout is multiplied by some specified multiplier.
`rpc_ack_timeout_multiplier = 2`	integer value	Number to multiply base ack timeout by after each retry attempt.
`rpc_backend = rabbit`	string value	The messaging driver to use, defaults to rabbit. Other drivers include amqp and zmq.
`rpc_conn_pool_size = 30`	integer value	Size of RPC connection pool.
`rpc_message_ttl = 300`	integer value	Expiration timeout in seconds of a sent/received message after which it is not tracked anymore by a client/server.
`rpc_poll_timeout = 1`	integer value	The default number of seconds that poll should wait. Poll raises timeout exception when timeout expired.
`rpc_response_timeout = 60`	integer value	Seconds to wait for a response from a call.
`rpc_retry_attempts = 3`	integer value	Default number of message sending attempts in case of any problems occurred: positive value N means at most N retries, 0 means no retries, None or -1 (or any other negative values) mean to retry forever. This option is used only if acknowledgments are enabled.
`rpc_thread_pool_size = 100`	integer value	Maximum number of (green) threads to work concurrently.
`rpc_use_acks = False`	boolean value	Wait for message acknowledgements from receivers. This mechanism works only via proxy without PUB/SUB.
`rpc_zmq_bind_address = *`	string value	ZeroMQ bind address. Should be a wildcard (*), an ethernet interface, or IP. The "host" option should point or resolve to this address.
`rpc_zmq_bind_port_retries = 100`	integer value	Number of retries to find free port number before fail with ZMQBindError.
`rpc_zmq_contexts = 1`	integer value	Number of ZeroMQ contexts, defaults to 1.
`rpc_zmq_host = ccsosp-undercloud.usersys.redhat.com`	string value	Name of this node. Must be a valid hostname, FQDN, or IP address. Must match "host" option, if running Nova.
`rpc_zmq_ipc_dir = /var/run/openstack`	string value	Directory for holding IPC sockets.
`rpc_zmq_matchmaker = redis`	string value	MatchMaker driver.
`rpc_zmq_max_port = 65536`	integer value	Maximal port number for random ports range.
`rpc_zmq_min_port = 49153`	port value	Minimal port number for random ports range.
`rpc_zmq_serialization = json`	string value	Default serialization mechanism for serializing/deserializing outgoing/incoming messages
`rpc_zmq_topic_backlog = None`	integer value	Maximum number of ingress messages to locally buffer per topic. Default is unlimited.
`run_external_periodic_tasks = True`	boolean value	Some periodic tasks can be run in a separate process. Should we run them here?
`state-path = /var/lib/designate`	string value	Top-level directory for maintaining designate’s state
`subscribe_on = []`	list value	List of publisher hosts SubConsumer can subscribe on. This option has higher priority then the default publishers list taken from the matchmaker.
`supported-record-type = [u'A', u'AAAA', u'CNAME', u'MX', u'SRV', u'TXT', u'SPF', u'NS', u'PTR', u'SSHFP', u'SOA']`	list value	Supported record types
`syslog-log-facility = LOG_USER`	string value	Syslog facility to receive log lines. This option is ignored if log_config_append is set.
`tcp_keepidle = 600`	integer value	Sets the value of TCP_KEEPIDLE in seconds for each server socket. Not supported on OS X.
`transport_url = None`	string value	The network address and optional user credentials for connecting to the messaging backend, in URL format. The expected format is: driver://[user:pass@]host:port[,[userN:passN@]hostN:portN]/virtual_host?query Example: rabbit://rabbitmq:password@127.0.0.1:5672// For full details on the fields in the URL see the documentation of oslo_messaging.TransportURL at https://docs.openstack.org/oslo.messaging/latest/reference/transport.html
`use-journal = False`	boolean value	Enable journald for logging. If running in a systemd environment you may wish to enable journal support. Doing so will use the journal native protocol which includes structured metadata in addition to log messages.This option is ignored if log_config_append is set.
`use-json = False`	boolean value	Use JSON formatting for logging. This option is ignored if log_config_append is set.
`use-syslog = False`	boolean value	Use syslog for logging. Existing syslog format is DEPRECATED and will be changed later to honor RFC5424. This option is ignored if log_config_append is set.
`use_dynamic_connections = False`	boolean value	This option makes direct connections dynamic or static. It makes sense only with use_router_proxy=False which means to use direct connections for direct message types (ignored otherwise).
`use_pub_sub = False`	boolean value	Use PUB/SUB pattern for fanout methods. PUB/SUB always uses proxy.
`use_router_proxy = False`	boolean value	Use ROUTER remote proxy.
`use_stderr = False`	boolean value	Log output to standard error. This option is ignored if log_config_append is set.
`watch-log-file = False`	boolean value	Uses logging handler designed to watch file system. When log file is moved or removed this handler will open a new log file with specified path instantaneously. It makes sense only if log_file option is specified and Linux platform is used. This option is ignored if log_config_append is set.
`worker-topic = worker`	string value	Worker Topic
`xfr_timeout = 10`	integer value	Timeout in seconds for XFR’s.
`zmq_failover_connections = 2`	integer value	How many additional connections to a host will be made for failover reasons. This option is actual only in dynamic connections mode.
`zmq_immediate = True`	boolean value	This option configures round-robin mode in zmq socket. True means not keeping a queue when server side disconnects. False means to keep queue and messages even if server is disconnected, when the server appears we send all accumulated messages to it.
`zmq_linger = -1`	integer value	Number of seconds to wait before all pending messages will be sent after closing a socket. The default value of -1 specifies an infinite linger period. The value of 0 specifies no linger period. Pending messages shall be discarded immediately when the socket is closed. Positive values specify an upper bound for the linger period.
`zmq_target_expire = 300`	integer value	Expiration timeout in seconds of a name service record about existing target ( < 0 means no timeout).
`zmq_target_update = 180`	integer value	Update period in seconds of a name service record about existing target.
`zmq_tcp_keepalive = -1`	integer value	Enable/disable TCP keepalive (KA) mechanism. The default value of -1 (or any other negative value) means to skip any overrides and leave it to OS default; 0 and 1 (or any other positive value) mean to disable and enable the option respectively.
`zmq_tcp_keepalive_cnt = -1`	integer value	The number of retransmissions to be carried out before declaring that remote end is not available. The default value of -1 (or any other negative value and 0) means to skip any overrides and leave it to OS default.
`zmq_tcp_keepalive_idle = -1`	integer value	The duration between two keepalive transmissions in idle condition. The unit is platform dependent, for example, seconds in Linux, milliseconds in Windows etc. The default value of -1 (or any other negative value and 0) means to skip any overrides and leave it to OS default.
`zmq_tcp_keepalive_intvl = -1`	integer value	The duration between two successive keepalive retransmissions, if acknowledgement to the previous keepalive transmission is not received. The unit is platform dependent, for example, seconds in Linux, milliseconds in Windows etc. The default value of -1 (or any other negative value and 0) means to skip any overrides and leave it to OS default.

4.1.2. backend:agent:bind9

The following table outlines the options available under the [backend:agent:bind9] group in the /etc/designate/designate.conf file.

Table 4.2. backend:agent:bind9
Configuration option = Default value	Type	Description
`query-destination = 127.0.0.1`	string value	Host to query when finding zones
`rndc-config-file = None`	string value	RNDC Config File
`rndc-host = 127.0.0.1`	string value	RNDC Host
`rndc-key-file = None`	string value	RNDC Key File
`rndc-port = 953`	integer value	RNDC Port
`zone-file-path = $state_path/zones`	string value	Path where zone files are stored

4.1.3. backend:agent:denominator

The following table outlines the options available under the [backend:agent:denominator] group in the /etc/designate/designate.conf file.

Table 4.3. backend:agent:denominator
Configuration option = Default value	Type	Description
`config_file = /etc/denominator.conf`	string value	Path to Denominator configuration file
`name = fake`	string value	Name of the affected provider

4.1.4. backend:agent:djbdns

The following table outlines the options available under the [backend:agent:djbdns] group in the /etc/designate/designate.conf file.

Table 4.4. backend:agent:djbdns
Configuration option = Default value	Type	Description
`axfr-get-cmd-name = axfr-get`	string value	axfr-get executable path or rootwrap command name
`query-destination = 127.0.0.1`	string value	Host to query when finding zones
`tcpclient-cmd-name = tcpclient`	string value	tcpclient executable path or rootwrap command name
`tinydns-data-cmd-name = tinydns-data`	string value	tinydns-data executable path or rootwrap command name
`tinydns-datadir = /var/lib/djbdns`	string value	TinyDNS data directory

4.1.5. backend:agent:gdnsd

The following table outlines the options available under the [backend:agent:gdnsd] group in the /etc/designate/designate.conf file.

Table 4.5. backend:agent:gdnsd
Configuration option = Default value	Type	Description
`confdir-path = /etc/gdnsd`	string value	gdnsd configuration directory path
`gdnsd-cmd-name = gdnsd`	string value	gdnsd executable path or rootwrap command name
`query-destination = 127.0.0.1`	string value	Host to query when finding zones

4.1.6. backend:agent:knot2

The following table outlines the options available under the [backend:agent:knot2] group in the /etc/designate/designate.conf file.

Table 4.6. backend:agent:knot2
Configuration option = Default value	Type	Description
`knotc-cmd-name = knotc`	string value	knotc executable path or rootwrap command name
`query-destination = 127.0.0.1`	string value	Host to query when finding zones

4.1.7. coordination

The following table outlines the options available under the [coordination] group in the /etc/designate/designate.conf file.

Table 4.7. coordination
Configuration option = Default value	Type	Description
`backend_url = None`	string value	The backend URL to use for distributed coordination. If unset services that need coordination will function as a standalone service. This is a `tooz` url - see https://docs.openstack.org/tooz/latest/user/compatibility.html
`heartbeat_interval = 1.0`	floating point value	Number of seconds between heartbeats for distributed coordination.
`run_watchers_interval = 10.0`	floating point value	Number of seconds between checks to see if group membership has changed

4.1.8. cors

The following table outlines the options available under the [cors] group in the /etc/designate/designate.conf file.

Table 4.8. cors
Configuration option = Default value	Type	Description
`allow_credentials = True`	boolean value	Indicate that the actual request can include user credentials
`allow_headers = [u'X-Auth-Token', u'X-Auth-Sudo-Tenant-ID', u'X-Auth-Sudo-Project-ID', u'X-Auth-All-Projects', u'X-Designate-Edit-Managed-Records', u'OpenStack-DNS-Hide-Counts']`	list value	Indicate which header field names may be used during the actual request.
`allow_methods = [u'GET', u'PUT', u'POST', u'DELETE', u'PATCH', u'HEAD']`	list value	Indicate which methods can be used during the actual request.
`allowed_origin = None`	list value	Indicate whether this resource may be shared with the domain received in the requests "origin" header. Format: "<protocol>://<host>[:<port>]", no trailing slash. Example: https://horizon.example.com
`expose_headers = [u'X-OpenStack-Request-ID', u'Host']`	list value	Indicate which headers are safe to expose to the API. Defaults to HTTP Simple Headers.
`max_age = 3600`	integer value	Maximum cache age of CORS preflight requests.

4.1.9. database

The following table outlines the options available under the [database] group in the /etc/designate/designate.conf file.

Table 4.9. database
Configuration option = Default value	Type	Description
`backend = sqlalchemy`	string value	The back end to use for the database.
`connection = None`	string value	The SQLAlchemy connection string to use to connect to the database.
`connection_debug = 0`	integer value	Verbosity of SQL debugging information: 0=None, 100=Everything.
`connection_recycle_time = 3600`	integer value	Connections which have been present in the connection pool longer than this number of seconds will be replaced with a new one the next time they are checked out from the pool.
`connection_trace = False`	boolean value	Add Python stack traces to SQL as comment strings.
`db_inc_retry_interval = True`	boolean value	If True, increases the interval between retries of a database operation up to db_max_retry_interval.
`db_max_retries = 20`	integer value	Maximum retries in case of connection error or deadlock error before error is raised. Set to -1 to specify an infinite retry count.
`db_max_retry_interval = 10`	integer value	If db_inc_retry_interval is set, the maximum seconds between retries of a database operation.
`db_retry_interval = 1`	integer value	Seconds between retries of a database transaction.
`max_overflow = 50`	integer value	If set, use this value for max_overflow with SQLAlchemy.
`max_pool_size = 5`	integer value	Maximum number of SQL connections to keep open in a pool. Setting a value of 0 indicates no limit.
`max_retries = 10`	integer value	Maximum number of database connection retries during startup. Set to -1 to specify an infinite retry count.
`min_pool_size = 1`	integer value	Minimum number of SQL connections to keep open in a pool.
`mysql_enable_ndb = False`	boolean value	If True, transparently enables support for handling MySQL Cluster (NDB).
`mysql_sql_mode = TRADITIONAL`	string value	The SQL mode to be used for MySQL sessions. This option, including the default, overrides any server-set SQL mode. To use whatever SQL mode is set by the server configuration, set this to no value. Example: mysql_sql_mode=
`pool_timeout = None`	integer value	If set, use this value for pool_timeout with SQLAlchemy.
`retry_interval = 10`	integer value	Interval between retries of opening a SQL connection.
`slave_connection = None`	string value	The SQLAlchemy connection string to use to connect to the slave database.
`sqlite_synchronous = True`	boolean value	If True, SQLite uses synchronous mode.
`use_db_reconnect = False`	boolean value	Enable the experimental use of database reconnect on connection lost.

4.1.10. handler:neutron_floatingip

The following table outlines the options available under the [handler:neutron_floatingip] group in the /etc/designate/designate.conf file.

Table 4.10. handler:neutron_floatingip
Configuration option = Default value	Type	Description
`control-exchange = neutron`	string value	control-exchange for neutron notification
`format = None`	multi valued	format which replaced by formatv4/formatv6
`formatv4 = None`	multi valued	IPv4 format
`formatv6 = None`	multi valued	IPv6 format
`notification-topics = [u'notifications']`	list value	notification any events from neutron
`zone-id = None`	string value	Zone ID with each notification

4.1.11. handler:nova_fixed

The following table outlines the options available under the [handler:nova_fixed] group in the /etc/designate/designate.conf file.

Table 4.11. handler:nova_fixed
Configuration option = Default value	Type	Description
`control-exchange = nova`	string value	control-exchange for nova notification
`format = None`	multi valued	format which replaced by formatv4/formatv6
`formatv4 = None`	multi valued	IPv4 format
`formatv6 = None`	multi valued	IPv6 format
`notification-topics = [u'notifications']`	list value	notification any events from nova
`zone-id = None`	string value	Zone ID with each notification

4.1.12. healthcheck

The following table outlines the options available under the [healthcheck] group in the /etc/designate/designate.conf file.

Table 4.12. healthcheck
Configuration option = Default value	Type	Description
`backends = []`	list value	Additional backends that can perform health checks and report that information back as part of a request.
`detailed = False`	boolean value	Show more detailed information as part of the response
`disable_by_file_path = None`	string value	Check the presence of a file to determine if an application is running on a port. Used by DisableByFileHealthcheck plugin.
`disable_by_file_paths = []`	list value	Check the presence of a file based on a port to determine if an application is running on a port. Expects a "port:path" list of strings. Used by DisableByFilesPortsHealthcheck plugin.
`path = /healthcheck`	string value	The path to respond to healtcheck requests on.

4.1.13. heartbeat_emitter

The following table outlines the options available under the [heartbeat_emitter] group in the /etc/designate/designate.conf file.

Table 4.13. heartbeat_emitter
Configuration option = Default value	Type	Description
`emitter_type = rpc`	string value	Emitter to use
`heartbeat_interval = 5.0`	floating point value	Number of seconds between heartbeats for reporting state

4.1.14. keystone_authtoken

The following table outlines the options available under the [keystone_authtoken] group in the /etc/designate/designate.conf file.

Table 4.14. keystone_authtoken
Configuration option = Default value	Type	Description
`auth_section = None`	string value	Config Section from which to load plugin specific options
`auth_type = None`	string value	Authentication type to load
`auth_uri = None`	string value	Complete "public" Identity API endpoint. This endpoint should not be an "admin" endpoint, as it should be accessible by all end users. Unauthenticated clients are redirected to this endpoint to authenticate. Although this endpoint should ideally be unversioned, client support in the wild varies. If you’re using a versioned v2 endpoint here, then this should not be the same endpoint the service user utilizes for validating tokens, because normal end users may not be able to reach that endpoint. This option is deprecated in favor of www_authenticate_uri and will be removed in the S release.
`auth_version = None`	string value	API version of the admin Identity API endpoint.
`cache = None`	string value	Request environment key where the Swift cache object is stored. When auth_token middleware is deployed with a Swift cache, use this option to have the middleware share a caching backend with swift. Otherwise, use the `memcached_servers` option instead.
`cafile = None`	string value	A PEM encoded Certificate Authority to use when verifying HTTPs connections. Defaults to system CAs.
`certfile = None`	string value	Required if identity server requires client certificate
`check_revocations_for_cached = False`	boolean value	If true, the revocation list will be checked for cached tokens. This requires that PKI tokens are configured on the identity server.
`delay_auth_decision = False`	boolean value	Do not handle authorization requests within the middleware, but delegate the authorization decision to downstream WSGI components.
`enforce_token_bind = permissive`	string value	Used to control the use and type of token binding. Can be set to: "disabled" to not check token binding. "permissive" (default) to validate binding information if the bind type is of a form known to the server and ignore it if not. "strict" like "permissive" but if the bind type is unknown the token will be rejected. "required" any form of token binding is needed to be allowed. Finally the name of a binding method that must be present in tokens.
`hash_algorithms = [u'md5']`	list value	Hash algorithms to use for hashing PKI tokens. This may be a single algorithm or multiple. The algorithms are those supported by Python standard hashlib.new(). The hashes will be tried in the order given, so put the preferred one first for performance. The result of the first hash will be stored in the cache. This will typically be set to multiple values only while migrating from a less secure algorithm to a more secure one. Once all the old tokens are expired this option should be set to a single value for better performance.
`http_connect_timeout = None`	integer value	Request timeout value for communicating with Identity API server.
`http_request_max_retries = 3`	integer value	How many times are we trying to reconnect when communicating with Identity API Server.
`include_service_catalog = True`	boolean value	(Optional) Indicate whether to set the X-Service-Catalog header. If False, middleware will not ask for service catalog on token validation and will not set the X-Service-Catalog header.
`insecure = False`	boolean value	Verify HTTPS connections.
`keyfile = None`	string value	Required if identity server requires client certificate
`memcache_pool_conn_get_timeout = 10`	integer value	(Optional) Number of seconds that an operation will wait to get a memcached client connection from the pool.
`memcache_pool_dead_retry = 300`	integer value	(Optional) Number of seconds memcached server is considered dead before it is tried again.
`memcache_pool_maxsize = 10`	integer value	(Optional) Maximum total number of open connections to every memcached server.
`memcache_pool_socket_timeout = 3`	integer value	(Optional) Socket timeout in seconds for communicating with a memcached server.
`memcache_pool_unused_timeout = 60`	integer value	(Optional) Number of seconds a connection to memcached is held unused in the pool before it is closed.
`memcache_secret_key = None`	string value	(Optional, mandatory if memcache_security_strategy is defined) This string is used for key derivation.
`memcache_security_strategy = None`	string value	(Optional) If defined, indicate whether token data should be authenticated or authenticated and encrypted. If MAC, token data is authenticated (with HMAC) in the cache. If ENCRYPT, token data is encrypted and authenticated in the cache. If the value is not one of these options or empty, auth_token will raise an exception on initialization.
`memcache_use_advanced_pool = False`	boolean value	(Optional) Use the advanced (eventlet safe) memcached client pool. The advanced pool will only work under python 2.x.
`memcached_servers = None`	list value	Optionally specify a list of memcached server(s) to use for caching. If left undefined, tokens will instead be cached in-process.
`region_name = None`	string value	The region in which the identity server can be found.
`revocation_cache_time = 10`	integer value	Determines the frequency at which the list of revoked tokens is retrieved from the Identity service (in seconds). A high number of revocation events combined with a low cache duration may significantly reduce performance. Only valid for PKI tokens. This option has been deprecated in the Ocata release and will be removed in the P release.
`service_token_roles = [u'service']`	list value	A choice of roles that must be present in a service token. Service tokens are allowed to request that an expired token can be used and so this check should tightly control that only actual services should be sending this token. Roles here are applied as an ANY check so any role in this list must be present. For backwards compatibility reasons this currently only affects the allow_expired check.
`service_token_roles_required = False`	boolean value	For backwards compatibility reasons we must let valid service tokens pass that don’t pass the service_token_roles check as valid. Setting this true will become the default in a future release and should be enabled if possible.
`signing_dir = None`	string value	Directory used to cache files related to PKI tokens. This option has been deprecated in the Ocata release and will be removed in the P release.
`token_cache_time = 300`	integer value	In order to prevent excessive effort spent validating tokens, the middleware caches previously-seen tokens for a configurable duration (in seconds). Set to -1 to disable caching completely.
`www_authenticate_uri = None`	string value	Complete "public" Identity API endpoint. This endpoint should not be an "admin" endpoint, as it should be accessible by all end users. Unauthenticated clients are redirected to this endpoint to authenticate. Although this endpoint should ideally be unversioned, client support in the wild varies. If you’re using a versioned v2 endpoint here, then this should not be the same endpoint the service user utilizes for validating tokens, because normal end users may not be able to reach that endpoint.

4.1.15. matchmaker_redis

The following table outlines the options available under the [matchmaker_redis] group in the /etc/designate/designate.conf file.

Table 4.15. matchmaker_redis
Configuration option = Default value	Type	Description
`check_timeout = 20000`	integer value	Time in ms to wait before the transaction is killed.
`host = 127.0.0.1`	string value	Host to locate redis.
`password = `	string value	Password for Redis server (optional).
`port = 6379`	port value	Use this port to connect to redis host.
`sentinel_group_name = oslo-messaging-zeromq`	string value	Redis replica set name.
`sentinel_hosts = []`	list value	List of Redis Sentinel hosts (fault tolerance mode), e.g., [host:port, host1:port … ]
`socket_timeout = 10000`	integer value	Timeout in ms on blocking socket operations.
`wait_timeout = 2000`	integer value	Time in ms to wait between connection attempts.

4.1.16. monasca:statsd

The following table outlines the options available under the [monasca:statsd] group in the /etc/designate/designate.conf file.

Table 4.16. monasca:statsd
Configuration option = Default value	Type	Description
`enabled = False`	boolean value	enable
`hostname = 127.0.0.1`	string value	hostname
`port = 8125`	integer value	UDP port

4.1.17. network_api:neutron

The following table outlines the options available under the [network_api:neutron] group in the /etc/designate/designate.conf file.

Table 4.17. network_api:neutron
Configuration option = Default value	Type	Description
`admin_password = None`	string value	password for connecting to neutron in admin context
`admin_tenant_name = None`	string value	tenant name for connecting to neutron in admin context
`admin_username = None`	string value	username for connecting to neutron in admin context
`auth_strategy = keystone`	string value	auth strategy for connecting to neutron in admin context
`auth_url = None`	string value	auth url for connecting to neutron in admin context
`ca_certificates_file = None`	string value	Location of ca certificates file to use for neutron client requests.
`endpoint_type = publicURL`	string value	Endpoint type to use
`endpoints = None`	list value	URL to use if None in the ServiceCatalog that is passed by the request context. Format: <region>\|<url>
`insecure = False`	boolean value	if set, ignore any SSL validation issues
`timeout = 30`	integer value	timeout value for connecting to neutron in seconds

4.1.18. oslo_concurrency

The following table outlines the options available under the [oslo_concurrency] group in the /etc/designate/designate.conf file.

Table 4.18. oslo_concurrency
Configuration option = Default value	Type	Description
`disable_process_locking = False`	boolean value	Enables or disables inter-process locks.
`lock_path = $state_path`	string value	Directory to use for lock files. For security, the specified directory should only be writable by the user running the processes that need locking. Defaults to environment variable OSLO_LOCK_PATH. If external locks are used, a lock path must be set.

4.1.19. oslo_messaging_amqp

The following table outlines the options available under the [oslo_messaging_amqp] group in the /etc/designate/designate.conf file.

Table 4.19. oslo_messaging_amqp
Configuration option = Default value	Type	Description
`addressing_mode = dynamic`	string value	Indicates the addressing mode used by the driver. Permitted values: legacy - use legacy non-routable addressing routable - use routable addresses dynamic - use legacy addresses if the message bus does not support routing otherwise use routable addressing
`allow_insecure_clients = False`	boolean value	Accept clients using either SSL or plain TCP
`anycast_address = anycast`	string value	Appended to the address prefix when sending to a group of consumers. Used by the message bus to identify messages that should be delivered in a round-robin fashion across consumers.
`broadcast_prefix = broadcast`	string value	address prefix used when broadcasting to all servers
`connection_retry_backoff = 2`	integer value	Increase the connection_retry_interval by this many seconds after each unsuccessful failover attempt.
`connection_retry_interval = 1`	integer value	Seconds to pause before attempting to re-connect.
`connection_retry_interval_max = 30`	integer value	Maximum limit for connection_retry_interval + connection_retry_backoff
`container_name = None`	string value	Name for the AMQP container. must be globally unique. Defaults to a generated UUID
`default_notification_exchange = None`	string value	Exchange name used in notification addresses. Exchange name resolution precedence: Target.exchange if set else default_notification_exchange if set else control_exchange if set else notify
`default_notify_timeout = 30`	integer value	The deadline for a sent notification message delivery. Only used when caller does not provide a timeout expiry.
`default_reply_retry = 0`	integer value	The maximum number of attempts to re-send a reply message which failed due to a recoverable error.
`default_reply_timeout = 30`	integer value	The deadline for an rpc reply message delivery.
`default_rpc_exchange = None`	string value	Exchange name used in RPC addresses. Exchange name resolution precedence: Target.exchange if set else default_rpc_exchange if set else control_exchange if set else rpc
`default_send_timeout = 30`	integer value	The deadline for an rpc cast or call message delivery. Only used when caller does not provide a timeout expiry.
`default_sender_link_timeout = 600`	integer value	The duration to schedule a purge of idle sender links. Detach link after expiry.
`group_request_prefix = unicast`	string value	address prefix when sending to any server in group
`idle_timeout = 0`	integer value	Timeout for inactive connections (in seconds)
`link_retry_delay = 10`	integer value	Time to pause between re-connecting an AMQP 1.0 link that failed due to a recoverable error.
`multicast_address = multicast`	string value	Appended to the address prefix when sending a fanout message. Used by the message bus to identify fanout messages.
`notify_address_prefix = openstack.org/om/notify`	string value	Address prefix for all generated Notification addresses
`notify_server_credit = 100`	integer value	Window size for incoming Notification messages
`password = `	string value	Password for message broker authentication
`pre_settled = [u'rpc-cast', u'rpc-reply']`	multi valued	Send messages of this type pre-settled. Pre-settled messages will not receive acknowledgement from the peer. Note well: pre-settled messages may be silently discarded if the delivery fails. Permitted values: rpc-call - send RPC Calls pre-settled rpc-reply- send RPC Replies pre-settled rpc-cast - Send RPC Casts pre-settled notify - Send Notifications pre-settled
`pseudo_vhost = True`	boolean value	Enable virtual host support for those message buses that do not natively support virtual hosting (such as qpidd). When set to true the virtual host name will be added to all message bus addresses, effectively creating a private subnet per virtual host. Set to False if the message bus supports virtual hosting using the hostname field in the AMQP 1.0 Open performative as the name of the virtual host.
`reply_link_credit = 200`	integer value	Window size for incoming RPC Reply messages.
`rpc_address_prefix = openstack.org/om/rpc`	string value	Address prefix for all generated RPC addresses
`rpc_server_credit = 100`	integer value	Window size for incoming RPC Request messages
`sasl_config_dir = `	string value	Path to directory that contains the SASL configuration
`sasl_config_name = `	string value	Name of configuration file (without .conf suffix)
`sasl_default_realm = `	string value	SASL realm to use if no realm present in username
`sasl_mechanisms = `	string value	Space separated list of acceptable SASL mechanisms
`server_request_prefix = exclusive`	string value	address prefix used when sending to a specific server
`ssl = False`	boolean value	Attempt to connect via SSL. If no other ssl-related parameters are given, it will use the system’s CA-bundle to verify the server’s certificate.
`ssl_ca_file = `	string value	CA certificate PEM file used to verify the server’s certificate
`ssl_cert_file = `	string value	Self-identifying certificate PEM file for client authentication
`ssl_key_file = `	string value	Private key PEM file used to sign ssl_cert_file certificate (optional)
`ssl_key_password = None`	string value	Password for decrypting ssl_key_file (if encrypted)
`ssl_verify_vhost = False`	boolean value	By default SSL checks that the name in the server’s certificate matches the hostname in the transport_url. In some configurations it may be preferable to use the virtual hostname instead, for example if the server uses the Server Name Indication TLS extension (rfc6066) to provide a certificate per virtual host. Set ssl_verify_vhost to True if the server’s SSL certificate uses the virtual host name instead of the DNS name.
`trace = False`	boolean value	Debug: dump AMQP frames to stdout
`unicast_address = unicast`	string value	Appended to the address prefix when sending to a particular RPC/Notification server. Used by the message bus to identify messages sent to a single destination.
`username = `	string value	User name for message broker authentication

4.1.20. oslo_messaging_kafka

The following table outlines the options available under the [oslo_messaging_kafka] group in the /etc/designate/designate.conf file.

Table 4.20. oslo_messaging_kafka
Configuration option = Default value	Type	Description
`conn_pool_min_size = 2`	integer value	The pool size limit for connections expiration policy
`conn_pool_ttl = 1200`	integer value	The time-to-live in sec of idle connections in the pool
`consumer_group = oslo_messaging_consumer`	string value	Group id for Kafka consumer. Consumers in one group will coordinate message consumption
`kafka_consumer_timeout = 1.0`	floating point value	Default timeout(s) for Kafka consumers
`kafka_default_host = localhost`	string value	Default Kafka broker Host
`kafka_default_port = 9092`	port value	Default Kafka broker Port
`kafka_max_fetch_bytes = 1048576`	integer value	Max fetch bytes of Kafka consumer
`pool_size = 10`	integer value	Pool Size for Kafka Consumers
`producer_batch_size = 16384`	integer value	Size of batch for the producer async send
`producer_batch_timeout = 0.0`	floating point value	Upper bound on the delay for KafkaProducer batching in seconds

4.1.21. oslo_messaging_notifications

The following table outlines the options available under the [oslo_messaging_notifications] group in the /etc/designate/designate.conf file.

Table 4.21. oslo_messaging_notifications
Configuration option = Default value	Type	Description
`driver = []`	multi valued	The Drivers(s) to handle sending notifications. Possible values are messaging, messagingv2, routing, log, test, noop
`retry = -1`	integer value	The maximum number of attempts to re-send a notification message which failed to be delivered due to a recoverable error. 0 - No retry, -1 - indefinite
`topics = [u'notifications']`	list value	AMQP topic used for OpenStack notifications.
`transport_url = None`	string value	A URL representing the messaging driver to use for notifications. If not set, we fall back to the same configuration used for RPC.

4.1.22. oslo_messaging_rabbit

The following table outlines the options available under the [oslo_messaging_rabbit] group in the /etc/designate/designate.conf file.

Table 4.22. oslo_messaging_rabbit
Configuration option = Default value	Type	Description
`amqp_auto_delete = False`	boolean value	Auto-delete queues in AMQP.
`amqp_durable_queues = False`	boolean value	Use durable queues in AMQP.
`channel_max = None`	integer value	Maximum number of channels to allow
`connection_factory = single`	string value	Connection factory implementation
`default_notification_exchange = ${control_exchange}_notification`	string value	Exchange name for sending notifications
`default_notification_retry_attempts = -1`	integer value	Reconnecting retry count in case of connectivity problem during sending notification, -1 means infinite retry.
`default_rpc_exchange = ${control_exchange}_rpc`	string value	Exchange name for sending RPC messages
`default_rpc_retry_attempts = -1`	integer value	Reconnecting retry count in case of connectivity problem during sending RPC message, -1 means infinite retry. If actual retry attempts in not 0 the rpc request could be processed more than one time
`default_serializer_type = json`	string value	Default serialization mechanism for serializing/deserializing outgoing/incoming messages
`fake_rabbit = False`	boolean value	Deprecated, use rpc_backend=kombu+memory or rpc_backend=fake
`frame_max = None`	integer value	The maximum byte size for an AMQP frame
`heartbeat_interval = 3`	integer value	How often to send heartbeats for consumer’s connections
`heartbeat_rate = 2`	integer value	How often times during the heartbeat_timeout_threshold we check the heartbeat.
`heartbeat_timeout_threshold = 60`	integer value	Number of seconds after which the Rabbit broker is considered down if heartbeat’s keep-alive fails (0 disable the heartbeat). EXPERIMENTAL
`host_connection_reconnect_delay = 0.25`	floating point value	Set delay for reconnection to some host which has connection error
`kombu_compression = None`	string value	EXPERIMENTAL: Possible values are: gzip, bz2. If not set compression will not be used. This option may not be available in future versions.
`kombu_failover_strategy = round-robin`	string value	Determines how the next RabbitMQ node is chosen in case the one we are currently connected to becomes unavailable. Takes effect only if more than one RabbitMQ node is provided in config.
`kombu_missing_consumer_retry_timeout = 60`	integer value	How long to wait a missing client before abandoning to send it its replies. This value should not be longer than rpc_response_timeout.
`kombu_reconnect_delay = 1.0`	floating point value	How long to wait before reconnecting in response to an AMQP consumer cancel notification.
`notification_listener_prefetch_count = 100`	integer value	Max number of not acknowledged message which RabbitMQ can send to notification listener.
`notification_persistence = False`	boolean value	Persist notification messages.
`notification_retry_delay = 0.25`	floating point value	Reconnecting retry delay in case of connectivity problem during sending notification message
`pool_max_overflow = 0`	integer value	Maximum number of connections to create above `pool_max_size`.
`pool_max_size = 30`	integer value	Maximum number of connections to keep queued.
`pool_recycle = 600`	integer value	Lifetime of a connection (since creation) in seconds or None for no recycling. Expired connections are closed on acquire.
`pool_stale = 60`	integer value	Threshold at which inactive (since release) connections are considered stale in seconds or None for no staleness. Stale connections are closed on acquire.
`pool_timeout = 30`	integer value	Default number of seconds to wait for a connections to available
`rabbit_ha_queues = False`	boolean value	Try to use HA queues in RabbitMQ (x-ha-policy: all). If you change this option, you must wipe the RabbitMQ database. In RabbitMQ 3.0, queue mirroring is no longer controlled by the x-ha-policy argument when declaring a queue. If you just want to make sure that all queues (except those with auto-generated names) are mirrored across all nodes, run: "rabbitmqctl set_policy HA ^(?!amq\.).* {"ha-mode": "all"} "
`rabbit_host = localhost`	string value	The RabbitMQ broker address where a single node is used.
`rabbit_hosts = [u'$rabbit_host:$rabbit_port']`	list value	RabbitMQ HA cluster host:port pairs.
`rabbit_interval_max = 30`	integer value	Maximum interval of RabbitMQ connection retries. Default is 30 seconds.
`rabbit_login_method = AMQPLAIN`	string value	The RabbitMQ login method.
`rabbit_max_retries = 0`	integer value	Maximum number of RabbitMQ connection retries. Default is 0 (infinite retry count).
`rabbit_password = guest`	string value	The RabbitMQ password.
`rabbit_port = 5672`	port value	The RabbitMQ broker port where a single node is used.
`rabbit_qos_prefetch_count = 0`	integer value	Specifies the number of messages to prefetch. Setting to zero allows unlimited messages.
`rabbit_retry_backoff = 2`	integer value	How long to backoff for between retries when connecting to RabbitMQ.
`rabbit_retry_interval = 1`	integer value	How frequently to retry connecting with RabbitMQ.
`rabbit_transient_queues_ttl = 1800`	integer value	Positive integer representing duration in seconds for queue TTL (x-expires). Queues which are unused for the duration of the TTL are automatically deleted. The parameter affects only reply and fanout queues.
`rabbit_userid = guest`	string value	The RabbitMQ userid.
`rabbit_virtual_host = /`	string value	The RabbitMQ virtual host.
`rpc_listener_prefetch_count = 100`	integer value	Max number of not acknowledged message which RabbitMQ can send to rpc listener.
`rpc_queue_expiration = 60`	integer value	Time to live for rpc queues without consumers in seconds.
`rpc_reply_exchange = ${control_exchange}_rpc_reply`	string value	Exchange name for receiving RPC replies
`rpc_reply_listener_prefetch_count = 100`	integer value	Max number of not acknowledged message which RabbitMQ can send to rpc reply listener.
`rpc_reply_retry_attempts = -1`	integer value	Reconnecting retry count in case of connectivity problem during sending reply. -1 means infinite retry during rpc_timeout
`rpc_reply_retry_delay = 0.25`	floating point value	Reconnecting retry delay in case of connectivity problem during sending reply.
`rpc_retry_delay = 0.25`	floating point value	Reconnecting retry delay in case of connectivity problem during sending RPC message
`socket_timeout = 0.25`	floating point value	Set socket timeout in seconds for connection’s socket
`ssl = None`	boolean value	Enable SSL
`ssl_ca_file = `	string value	SSL certification authority file (valid only if SSL enabled).
`ssl_cert_file = `	string value	SSL cert file (valid only if SSL enabled).
`ssl_key_file = `	string value	SSL key file (valid only if SSL enabled).
`ssl_options = None`	dict value	Arguments passed to ssl.wrap_socket
`ssl_version = `	string value	SSL version to use (valid only if SSL enabled). Valid values are TLSv1 and SSLv23. SSLv2, SSLv3, TLSv1_1, and TLSv1_2 may be available on some distributions.
`tcp_user_timeout = 0.25`	floating point value	Set TCP_USER_TIMEOUT in seconds for connection’s socket

4.1.23. oslo_messaging_zmq

The following table outlines the options available under the [oslo_messaging_zmq] group in the /etc/designate/designate.conf file.

Table 4.23. oslo_messaging_zmq
Configuration option = Default value	Type	Description
`rpc_ack_timeout_base = 15`	integer value	Number of seconds to wait for an ack from a cast/call. After each retry attempt this timeout is multiplied by some specified multiplier.
`rpc_ack_timeout_multiplier = 2`	integer value	Number to multiply base ack timeout by after each retry attempt.
`rpc_message_ttl = 300`	integer value	Expiration timeout in seconds of a sent/received message after which it is not tracked anymore by a client/server.
`rpc_poll_timeout = 1`	integer value	The default number of seconds that poll should wait. Poll raises timeout exception when timeout expired.
`rpc_retry_attempts = 3`	integer value	Default number of message sending attempts in case of any problems occurred: positive value N means at most N retries, 0 means no retries, None or -1 (or any other negative values) mean to retry forever. This option is used only if acknowledgments are enabled.
`rpc_thread_pool_size = 100`	integer value	Maximum number of (green) threads to work concurrently.
`rpc_use_acks = False`	boolean value	Wait for message acknowledgements from receivers. This mechanism works only via proxy without PUB/SUB.
`rpc_zmq_bind_address = *`	string value	ZeroMQ bind address. Should be a wildcard (*), an ethernet interface, or IP. The "host" option should point or resolve to this address.
`rpc_zmq_bind_port_retries = 100`	integer value	Number of retries to find free port number before fail with ZMQBindError.
`rpc_zmq_contexts = 1`	integer value	Number of ZeroMQ contexts, defaults to 1.
`rpc_zmq_host = ccsosp-undercloud.usersys.redhat.com`	string value	Name of this node. Must be a valid hostname, FQDN, or IP address. Must match "host" option, if running Nova.
`rpc_zmq_ipc_dir = /var/run/openstack`	string value	Directory for holding IPC sockets.
`rpc_zmq_matchmaker = redis`	string value	MatchMaker driver.
`rpc_zmq_max_port = 65536`	integer value	Maximal port number for random ports range.
`rpc_zmq_min_port = 49153`	port value	Minimal port number for random ports range.
`rpc_zmq_serialization = json`	string value	Default serialization mechanism for serializing/deserializing outgoing/incoming messages
`rpc_zmq_topic_backlog = None`	integer value	Maximum number of ingress messages to locally buffer per topic. Default is unlimited.
`subscribe_on = []`	list value	List of publisher hosts SubConsumer can subscribe on. This option has higher priority then the default publishers list taken from the matchmaker.
`use_dynamic_connections = False`	boolean value	This option makes direct connections dynamic or static. It makes sense only with use_router_proxy=False which means to use direct connections for direct message types (ignored otherwise).
`use_pub_sub = False`	boolean value	Use PUB/SUB pattern for fanout methods. PUB/SUB always uses proxy.
`use_router_proxy = False`	boolean value	Use ROUTER remote proxy.
`zmq_failover_connections = 2`	integer value	How many additional connections to a host will be made for failover reasons. This option is actual only in dynamic connections mode.
`zmq_immediate = True`	boolean value	This option configures round-robin mode in zmq socket. True means not keeping a queue when server side disconnects. False means to keep queue and messages even if server is disconnected, when the server appears we send all accumulated messages to it.
`zmq_linger = -1`	integer value	Number of seconds to wait before all pending messages will be sent after closing a socket. The default value of -1 specifies an infinite linger period. The value of 0 specifies no linger period. Pending messages shall be discarded immediately when the socket is closed. Positive values specify an upper bound for the linger period.
`zmq_target_expire = 300`	integer value	Expiration timeout in seconds of a name service record about existing target ( < 0 means no timeout).
`zmq_target_update = 180`	integer value	Update period in seconds of a name service record about existing target.
`zmq_tcp_keepalive = -1`	integer value	Enable/disable TCP keepalive (KA) mechanism. The default value of -1 (or any other negative value) means to skip any overrides and leave it to OS default; 0 and 1 (or any other positive value) mean to disable and enable the option respectively.
`zmq_tcp_keepalive_cnt = -1`	integer value	The number of retransmissions to be carried out before declaring that remote end is not available. The default value of -1 (or any other negative value and 0) means to skip any overrides and leave it to OS default.
`zmq_tcp_keepalive_idle = -1`	integer value	The duration between two keepalive transmissions in idle condition. The unit is platform dependent, for example, seconds in Linux, milliseconds in Windows etc. The default value of -1 (or any other negative value and 0) means to skip any overrides and leave it to OS default.
`zmq_tcp_keepalive_intvl = -1`	integer value	The duration between two successive keepalive retransmissions, if acknowledgement to the previous keepalive transmission is not received. The unit is platform dependent, for example, seconds in Linux, milliseconds in Windows etc. The default value of -1 (or any other negative value and 0) means to skip any overrides and leave it to OS default.

4.1.24. oslo_middleware

The following table outlines the options available under the [oslo_middleware] group in the /etc/designate/designate.conf file.

Table 4.24. oslo_middleware
Configuration option = Default value	Type	Description
`enable_proxy_headers_parsing = False`	boolean value	Whether the application is behind a proxy or not. This determines if the middleware should parse the headers or not.
`max_request_body_size = 114688`	integer value	The maximum body size for each request, in bytes.
`secure_proxy_ssl_header = X-Forwarded-Proto`	string value	The HTTP Header that will be used to determine what the original request protocol scheme was, even if it was hidden by a SSL termination proxy.

4.1.25. oslo_policy

The following table outlines the options available under the [oslo_policy] group in the /etc/designate/designate.conf file.

Table 4.25. oslo_policy
Configuration option = Default value	Type	Description
`enforce_scope = False`	boolean value	This option controls whether or not to enforce scope when evaluating policies. If `True`, the scope of the token used in the request is compared to the `scope_types` of the policy being enforced. If the scopes do not match, an `InvalidScope` exception will be raised. If `False`, a message will be logged informing operators that policies are being invoked with mismatching scope.
`policy_default_rule = default`	string value	Default rule. Enforced when a requested rule is not found.
`policy_dirs = [u'policy.d']`	multi valued	Directories where policy configuration files are stored. They can be relative to any directory in the search path defined by the config_dir option, or absolute paths. The file defined by policy_file must exist for these directories to be searched. Missing or empty directories are ignored.
`policy_file = policy.json`	string value	The file that defines policies.
`remote_content_type = application/x-www-form-urlencoded`	string value	Content Type to send and receive data for REST based policy check
`remote_ssl_ca_crt_file = None`	string value	Absolute path to ca cert file for REST based policy check
`remote_ssl_client_crt_file = None`	string value	Absolute path to client cert for REST based policy check
`remote_ssl_client_key_file = None`	string value	Absolute path client key file REST based policy check
`remote_ssl_verify_server_crt = False`	boolean value	server identity verification for REST based policy check

4.1.26. pool_manager_cache:memcache

The following table outlines the options available under the [pool_manager_cache:memcache] group in the /etc/designate/designate.conf file.

Table 4.26. pool_manager_cache:memcache
Configuration option = Default value	Type	Description
`expiration = 3600`	integer value	Time in seconds to expire cache.
`memcached_servers = None`	list value	Memcached servers or None for in process cache.

4.1.27. pool_manager_cache:sqlalchemy

The following table outlines the options available under the [pool_manager_cache:sqlalchemy] group in the /etc/designate/designate.conf file.

Table 4.27. pool_manager_cache:sqlalchemy
Configuration option = Default value	Type	Description
`backend = sqlalchemy`	string value	The back end to use for the database.
`connection = None`	string value	The SQLAlchemy connection string to use to connect to the database.
`connection_debug = 0`	integer value	Verbosity of SQL debugging information: 0=None, 100=Everything.
`connection_recycle_time = 3600`	integer value	Connections which have been present in the connection pool longer than this number of seconds will be replaced with a new one the next time they are checked out from the pool.
`connection_trace = False`	boolean value	Add Python stack traces to SQL as comment strings.
`db_inc_retry_interval = True`	boolean value	If True, increases the interval between retries of a database operation up to db_max_retry_interval.
`db_max_retries = 20`	integer value	Maximum retries in case of connection error or deadlock error before error is raised. Set to -1 to specify an infinite retry count.
`db_max_retry_interval = 10`	integer value	If db_inc_retry_interval is set, the maximum seconds between retries of a database operation.
`db_retry_interval = 1`	integer value	Seconds between retries of a database transaction.
`max_overflow = 50`	integer value	If set, use this value for max_overflow with SQLAlchemy.
`max_pool_size = 5`	integer value	Maximum number of SQL connections to keep open in a pool. Setting a value of 0 indicates no limit.
`max_retries = 10`	integer value	Maximum number of database connection retries during startup. Set to -1 to specify an infinite retry count.
`min_pool_size = 1`	integer value	Minimum number of SQL connections to keep open in a pool.
`mysql_enable_ndb = False`	boolean value	If True, transparently enables support for handling MySQL Cluster (NDB).
`mysql_sql_mode = TRADITIONAL`	string value	The SQL mode to be used for MySQL sessions. This option, including the default, overrides any server-set SQL mode. To use whatever SQL mode is set by the server configuration, set this to no value. Example: mysql_sql_mode=
`pool_timeout = None`	integer value	If set, use this value for pool_timeout with SQLAlchemy.
`retry_interval = 10`	integer value	Interval between retries of opening a SQL connection.
`slave_connection = None`	string value	The SQLAlchemy connection string to use to connect to the slave database.
`sqlite_synchronous = True`	boolean value	If True, SQLite uses synchronous mode.
`use_db_reconnect = False`	boolean value	Enable the experimental use of database reconnect on connection lost.

4.1.28. producer_task:delayed_notify

The following table outlines the options available under the [producer_task:delayed_notify] group in the /etc/designate/designate.conf file.

Table 4.28. producer_task:delayed_notify
Configuration option = Default value	Type	Description
`batch_size = 100`	integer value	How many zones to receive NOTIFY on each run
`interval = 5`	integer value	Run interval in seconds
`per_page = 100`	integer value	Default amount of results returned per page

4.1.29. producer_task:periodic_exists

The following table outlines the options available under the [producer_task:periodic_exists] group in the /etc/designate/designate.conf file.

Table 4.29. producer_task:periodic_exists
Configuration option = Default value	Type	Description
`interval = 3600`	integer value	Run interval in seconds
`per_page = 100`	integer value	Default amount of results returned per page

4.1.30. producer_task:periodic_secondary_refresh

The following table outlines the options available under the [producer_task:periodic_secondary_refresh] group in the /etc/designate/designate.conf file.

Table 4.30. producer_task:periodic_secondary_refresh
Configuration option = Default value	Type	Description
`interval = 3600`	integer value	Run interval in seconds
`per_page = 100`	integer value	Default amount of results returned per page

4.1.31. producer_task:worker_periodic_recovery

The following table outlines the options available under the [producer_task:worker_periodic_recovery] group in the /etc/designate/designate.conf file.

Table 4.31. producer_task:worker_periodic_recovery
Configuration option = Default value	Type	Description
`interval = 120`	integer value	Run interval in seconds
`per_page = 100`	integer value	Default amount of results returned per page

4.1.32. producer_task:zone_purge

The following table outlines the options available under the [producer_task:zone_purge] group in the /etc/designate/designate.conf file.

Table 4.32. producer_task:zone_purge
Configuration option = Default value	Type	Description
`batch_size = 100`	integer value	How many zones to be purged on each run
`interval = 3600`	integer value	Run interval in seconds
`per_page = 100`	integer value	Default amount of results returned per page
`time_threshold = 604800`	integer value	How old deleted zones should be (deleted_at) to be purged, in seconds

4.1.33. proxy

The following table outlines the options available under the [proxy] group in the /etc/designate/designate.conf file.

Table 4.33. proxy
Configuration option = Default value	Type	Description
`http_proxy = None`	string value	Proxy HTTP requests via this proxy.
`https_proxy = None`	string value	Proxy HTTPS requests via this proxy
`no_proxy = []`	list value	These addresses should not be proxied

4.1.34. service:agent

The following table outlines the options available under the [service:agent] group in the /etc/designate/designate.conf file.

Table 4.34. service:agent
Configuration option = Default value	Type	Description
`allow-notify = []`	list value	List of IP addresses allowed to NOTIFY The Agent
`backend-driver = bind9`	string value	The backend driver to use, e.g. bind9, djbdns, knot2
`host = None`	IP address value	Agent Bind Host
`listen = [u'0.0.0.0:5358']`	list value	Agent host:port pairs to listen on
`masters = []`	list value	List of masters for the Agent, format ip:port
`notify-delay = 0.0`	floating point value	Delay after a NOTIFY arrives for a zone that the Agent will pause and drop subsequent NOTIFYs for that zone
`port = None`	port value	Agent Port Number
`tcp-backlog = 100`	integer value	The Agent TCP Backlog
`tcp-recv-timeout = 0.5`	floating point value	Agent TCP Receive Timeout
`threads = 1000`	integer value	Number of agent greenthreads to spawn
`transfer-source = None`	string value	An IP address to be used to fetch zones transferred in
`workers = None`	integer value	Number of agent worker processes to spawn

4.1.35. service:api

The following table outlines the options available under the [service:api] group in the /etc/designate/designate.conf file.

Table 4.35. service:api
Configuration option = Default value	Type	Description
`api-base-uri = http://127.0.0.1:9001/`	string value	the url used as the base for all API responses,This should consist of the scheme (http/https),the hostname, port, and any paths that are addedto the base of Designate is URLs,For example http://dns.openstack.example.com/dns
`api_host = None`	IP address value	API Bind Host
`api_paste_config = api-paste.ini`	string value	File name for the paste.deploy config for designate-api
`api_port = None`	port value	API Port Number
`auth_strategy = keystone`	string value	The strategy to use for auth. Supports noauth or keystone
`default-limit-admin = 20`	integer value	Default per-page limit for the Admin API, a value of None means show all results by default
`default-limit-v2 = 20`	integer value	Default per-page limit for the V2 API, a value of None means show all results by default
`enable-api-admin = False`	boolean value	enable-api-admin
`enable-api-v2 = True`	boolean value	enable-api-v2 which enable in a future
`enable-host-header = False`	boolean value	Enable host request headers
`enabled-extensions-admin = []`	list value	Enabled Admin API Extensions
`enabled-extensions-v2 = []`	list value	Enabled API Extensions for the V2 API
`listen = [u'0.0.0.0:9001']`	list value	API host:port pairs to listen on
`maintenance-mode = False`	boolean value	Enable API Maintenance Mode
`maintenance-mode-role = admin`	string value	Role allowed to bypass maintaince mode
`max-limit-admin = 1000`	integer value	Max per-page limit for the Admin API
`max-limit-v2 = 1000`	integer value	Max per-page limit for the V2 API
`max_header_line = 16384`	integer value	Maximum line size of message headers to be accepted. max_header_line may need to be increased when using large tokens (typically those generated by the Keystone v3 API with big service catalogs).
`override-proto = None`	string value	A scheme that will be used to override the request protocol scheme, even if it was set by an SSL terminating proxy.
`secure-proxy-ssl-header = X-Forwarded-Proto`	string value	The HTTP Header that will be used to determine which the original request protocol scheme was, even if it was removed by an SSL terminating proxy.
`threads = 1000`	integer value	Number of api greenthreads to spawn
`workers = None`	integer value	Number of api worker processes to spawn

4.1.36. service:central

The following table outlines the options available under the [service:central] group in the /etc/designate/designate.conf file.

Table 4.36. service:central
Configuration option = Default value	Type	Description
`central_topic = central`	string value	RPC topic name of central service.
`default_pool_id = 794ccc2c-d751-44fe-b57f-8894c9f5c842`	string value	The name of the default pool
`enabled-notification-handlers = []`	list value	Enabled Notification Handlers
`managed_resource_email = hostmaster@example.com`	string value	E-Mail for Managed resources
`managed_resource_tenant_id = 00000000-0000-0000-0000-000000000000`	string value	The Tenant ID that will own any managed resources.
`max_recordset_name_len = 255`	integer value	Maximum recordset name length
`max_zone_name_len = 255`	integer value	Maximum zone name length
`min_ttl = None`	integer value	Minimum TTL allowed
`scheduler_filters = [u'default_pool']`	list value	Enabled Pool Scheduling filters
`storage-driver = sqlalchemy`	string value	The storage driver to use
`threads = 1000`	integer value	Number of central greenthreads to spawn
`workers = None`	integer value	Number of central worker processes to spawn

4.1.37. service:mdns

The following table outlines the options available under the [service:mdns] group in the /etc/designate/designate.conf file.

Table 4.37. service:mdns
Configuration option = Default value	Type	Description
`all-tcp = False`	boolean value	Send all traffic over TCP
`host = None`	IP address value	mDNS Bind Host
`listen = [u'0.0.0.0:5354']`	list value	mDNS host:port pairs to listen on
`max-message-size = 65535`	integer value	Maximum message size to emit
`mdns_topic = mdns`	string value	RPC topic name for mini-DNS
`port = None`	port value	mDNS Port Number
`query-enforce-tsig = False`	boolean value	Enforce all incoming queries (including AXFR) are TSIG signed
`storage-driver = sqlalchemy`	string value	The storage driver to use
`tcp-backlog = 100`	integer value	mDNS TCP Backlog
`tcp-recv-timeout = 0.5`	floating point value	mDNS TCP Receive Timeout
`threads = 1000`	integer value	Number of mdns greenthreads to spawn
`workers = None`	integer value	Number of mdns worker processes to spawn

4.1.38. service:pool_manager

The following table outlines the options available under the [service:pool_manager] group in the /etc/designate/designate.conf file.

Table 4.38. service:pool_manager
Configuration option = Default value	Type	Description
`cache-driver = memcache`	string value	The cache driver to use
`enable-recovery-timer = True`	boolean value	The flag for the recovery timer
`enable-sync-timer = True`	boolean value	The flag for the sync timer
`periodic-recovery-interval = 120`	integer value	The time between recovering from failures
`periodic-sync-interval = 1800`	integer value	The time between synchronizing the servers with storage
`periodic-sync-max-attempts = 3`	integer value	Number of attempts to update a zone during sync
`periodic-sync-retry-interval = 30`	integer value	Interval between zone update attempts during sync
`periodic-sync-seconds = 21600`	integer value	Zones Updated within last N seconds will be syncd.Use an empty value to sync all zones.
`poll-delay = 5`	integer value	The time to wait before sending the first request to a server
`poll-max-retries = 10`	integer value	The maximum number of times to retry sending a request and wait for a response from a server
`poll-retry-interval = 15`	integer value	The time between retrying to send a request and waiting for a response from a server
`poll-timeout = 30`	integer value	The time to wait for a response from a server
`pool-id = 794ccc2c-d751-44fe-b57f-8894c9f5c842`	string value	The ID of the pool managed by this instance of the Pool Manager
`pool_manager_topic = pool_manager`	string value	RPC topic name for pool-manager
`threads = 1000`	integer value	Number of Pool Manager greenthreads to spawn
`threshold-percentage = 100`	integer value	The percentage of servers requiring a successful update for a zone change to be considered active
`workers = None`	integer value	Number of Pool Manager worker processes to spawn

4.1.39. service:producer

The following table outlines the options available under the [service:producer] group in the /etc/designate/designate.conf file.

Table 4.39. service:producer
Configuration option = Default value	Type	Description
`enabled_tasks = None`	list value	Enabled tasks to run
`export-synchronous = True`	boolean value	Whether to allow synchronous zone exports
`storage-driver = sqlalchemy`	string value	The storage driver to use
`threads = 1000`	integer value	Number of Producer greenthreads to spawn
`workers = None`	integer value	Number of Producer worker processes to spawn

4.1.40. service:sink

The following table outlines the options available under the [service:sink] group in the /etc/designate/designate.conf file.

Table 4.40. service:sink
Configuration option = Default value	Type	Description
`enabled-notification-handlers = []`	list value	Enabled Notification Handlers
`threads = 1000`	integer value	Number of sink greenthreads to spawn
`workers = None`	integer value	Number of sink worker processes to spawn

4.1.41. service:worker

The following table outlines the options available under the [service:worker] group in the /etc/designate/designate.conf file.

Table 4.41. service:worker
Configuration option = Default value	Type	Description
`enabled = False`	boolean value	Whether to send events to worker instead of Pool Manager
`export-synchronous = True`	boolean value	Whether to allow synchronous zone exports
`notify = True`	boolean value	Whether to allow worker to send NOTIFYs, this will noop NOTIFYs in mdns if true
`poll-delay = 5`	integer value	The time to wait before sending the first request to a server
`poll-max-retries = 10`	integer value	The maximum number of times to retry sending a request and wait for a response from a server
`poll-retry-interval = 15`	integer value	The time between retrying to send a request and waiting for a response from a server
`poll-timeout = 30`	integer value	The time to wait for a response from a server
`storage-driver = sqlalchemy`	string value	The storage driver to use
`threads = 200`	integer value	Number of Worker threads to spawn per process
`threshold-percentage = 100`	integer value	The percentage of servers requiring a successful update for a domain change to be considered active
`worker_topic = worker`	string value	RPC topic for worker component
`workers = None`	integer value	Number of Worker worker processes to spawn

4.1.42. service:zone_manager

The following table outlines the options available under the [service:zone_manager] group in the /etc/designate/designate.conf file.

Table 4.42. service:zone_manager
Configuration option = Default value	Type	Description
`enabled_tasks = None`	list value	Enabled tasks to run
`export-synchronous = True`	boolean value	Whether to allow synchronous zone exports
`storage-driver = sqlalchemy`	string value	The storage driver to use
`threads = 1000`	integer value	Number of Zone Manager greenthreads to spawn
`workers = None`	integer value	Number of Zone Manager worker processes to spawn

4.1.43. ssl

The following table outlines the options available under the [ssl] group in the /etc/designate/designate.conf file.

Table 4.43. ssl
Configuration option = Default value	Type	Description
`ca_file = None`	string value	CA certificate file to use to verify connecting clients.
`cert_file = None`	string value	Certificate file to use when starting the server securely.
`ciphers = None`	string value	Sets the list of available ciphers. value should be a string in the OpenSSL cipher list format.
`key_file = None`	string value	Private key file to use when starting the server securely.
`version = None`	string value	SSL version to use (valid only if SSL enabled). Valid values are TLSv1 and SSLv23. SSLv2, SSLv3, TLSv1_1, and TLSv1_2 may be available on some distributions.

4.1.44. storage:sqlalchemy

The following table outlines the options available under the [storage:sqlalchemy] group in the /etc/designate/designate.conf file.

Table 4.44. storage:sqlalchemy
Configuration option = Default value	Type	Description
`backend = sqlalchemy`	string value	The back end to use for the database.
`connection = None`	string value	The SQLAlchemy connection string to use to connect to the database.
`connection_debug = 0`	integer value	Verbosity of SQL debugging information: 0=None, 100=Everything.
`connection_recycle_time = 3600`	integer value	Connections which have been present in the connection pool longer than this number of seconds will be replaced with a new one the next time they are checked out from the pool.
`connection_trace = False`	boolean value	Add Python stack traces to SQL as comment strings.
`db_inc_retry_interval = True`	boolean value	If True, increases the interval between retries of a database operation up to db_max_retry_interval.
`db_max_retries = 20`	integer value	Maximum retries in case of connection error or deadlock error before error is raised. Set to -1 to specify an infinite retry count.
`db_max_retry_interval = 10`	integer value	If db_inc_retry_interval is set, the maximum seconds between retries of a database operation.
`db_retry_interval = 1`	integer value	Seconds between retries of a database transaction.
`max_overflow = 50`	integer value	If set, use this value for max_overflow with SQLAlchemy.
`max_pool_size = 5`	integer value	Maximum number of SQL connections to keep open in a pool. Setting a value of 0 indicates no limit.
`max_retries = 10`	integer value	Maximum number of database connection retries during startup. Set to -1 to specify an infinite retry count.
`min_pool_size = 1`	integer value	Minimum number of SQL connections to keep open in a pool.
`mysql_enable_ndb = False`	boolean value	If True, transparently enables support for handling MySQL Cluster (NDB).
`mysql_sql_mode = TRADITIONAL`	string value	The SQL mode to be used for MySQL sessions. This option, including the default, overrides any server-set SQL mode. To use whatever SQL mode is set by the server configuration, set this to no value. Example: mysql_sql_mode=
`pool_timeout = None`	integer value	If set, use this value for pool_timeout with SQLAlchemy.
`retry_interval = 10`	integer value	Interval between retries of opening a SQL connection.
`slave_connection = None`	string value	The SQLAlchemy connection string to use to connect to the slave database.
`sqlite_synchronous = True`	boolean value	If True, SQLite uses synchronous mode.
`use_db_reconnect = False`	boolean value	Enable the experimental use of database reconnect on connection lost.

Chapter 5. glance

The following chapter contains information about the configuration options in the glance service.

5.1. glance-api.conf

This section contains options for the /etc/glance/glance-api.conf file.

5.1.1. DEFAULT

The following table outlines the options available under the [DEFAULT] group in the /etc/glance/glance-api.conf file.

Table 5.1. DEFAULT
Configuration option = Default value	Type	Description
`admin_password = None`	string value	The administrators password. If "use_user_token" is not in effect, then admin credentials can be specified.
`admin_role = admin`	string value	Role used to identify an authenticated user as administrator. Provide a string value representing a Keystone role to identify an administrative user. Users with this role will be granted administrative privileges. The default value for this option is admin. Possible values: A string value which is a valid Keystone role Related options: None
`admin_tenant_name = None`	string value	The tenant name of the administrative user. If "use_user_token" is not in effect, then admin tenant name can be specified.
`admin_user = None`	string value	The administrators user name. If "use_user_token" is not in effect, then admin credentials can be specified.
`allow_additional_image_properties = True`	boolean value	Allow users to add additional/custom properties to images. Glance defines a standard set of properties (in its schema) that appear on every image. These properties are also known as `base properties`. In addition to these properties, Glance allows users to add custom properties to images. These are known as `additional properties`. By default, this configuration option is set to `True` and users are allowed to add additional properties. The number of additional properties that can be added to an image can be controlled via `image_property_quota` configuration option. Possible values: True False Related options: image_property_quota
`allow_anonymous_access = False`	boolean value	Allow limited access to unauthenticated users. Assign a boolean to determine API access for unathenticated users. When set to False, the API cannot be accessed by unauthenticated users. When set to True, unauthenticated users can access the API with read-only privileges. This however only applies when using ContextMiddleware. Possible values: True False Related options: None
`allowed_rpc_exception_modules = [u'glance.common.exception', u'builtins', u'exceptions']`	list value	List of allowed exception modules to handle RPC exceptions. Provide a comma separated list of modules whose exceptions are permitted to be recreated upon receiving exception data via an RPC call made to Glance. The default list includes `glance.common.exception`, `builtins`, and `exceptions`. The RPC protocol permits interaction with Glance via calls across a network or within the same system. Including a list of exception namespaces with this option enables RPC to propagate the exceptions back to the users. Possible values: A comma separated list of valid exception modules Related options: None
`api_limit_max = 1000`	integer value	Maximum number of results that could be returned by a request. As described in the help text of `limit_param_default`, some requests may return multiple results. The number of results to be returned are governed either by the `limit` parameter in the request or the `limit_param_default` configuration option. The value in either case, can’t be greater than the absolute maximum defined by this configuration option. Anything greater than this value is trimmed down to the maximum value defined here. Note Setting this to a very large value may slow down database queries and increase response times. Setting this to a very low value may result in poor user experience. Possible values: Any positive integer Related options: limit_param_default
`auth_region = None`	string value	The region for the authentication service. If "use_user_token" is not in effect and using keystone auth, then region name can be specified.
`auth_strategy = noauth`	string value	The strategy to use for authentication. If "use_user_token" is not in effect, then auth strategy can be specified.
`auth_url = None`	string value	The URL to the keystone service. If "use_user_token" is not in effect and using keystone auth, then URL of keystone can be specified.
`backlog = 4096`	integer value	Set the number of incoming connection requests. Provide a positive integer value to limit the number of requests in the backlog queue. The default queue size is 4096. An incoming connection to a TCP listener socket is queued before a connection can be established with the server. Setting the backlog for a TCP socket ensures a limited queue size for incoming traffic. Possible values: Positive integer Related options: None
`bind_host = 0.0.0.0`	unknown value	IP address to bind the glance servers to. Provide an IP address to bind the glance server to. The default value is `0.0.0.0`. Edit this option to enable the server to listen on one particular IP address on the network card. This facilitates selection of a particular network interface for the server. Possible values: A valid IPv4 address A valid IPv6 address Related options: None
`bind_port = None`	port value	Port number on which the server will listen. Provide a valid port number to bind the server’s socket to. This port is then set to identify processes and forward network messages that arrive at the server. The default bind_port value for the API server is 9292 and for the registry server is 9191. Possible values: A valid port number (0 to 65535) Related options: None
`ca_file = None`	string value	Absolute path to the CA file. Provide a string value representing a valid absolute path to the Certificate Authority file to use for client authentication. A CA file typically contains necessary trusted certificates to use for the client authentication. This is essential to ensure that a secure connection is established to the server via the internet. Possible values: Valid absolute path to the CA file Related options: None
`cert_file = None`	string value	Absolute path to the certificate file. Provide a string value representing a valid absolute path to the certificate file which is required to start the API service securely. A certificate file typically is a public key container and includes the server’s public key, server name, server information and the signature which was a result of the verification process using the CA certificate. This is required for a secure connection establishment. Possible values: Valid absolute path to the certificate file Related options: None
`client_socket_timeout = 900`	integer value	Timeout for client connections' socket operations. Provide a valid integer value representing time in seconds to set the period of wait before an incoming connection can be closed. The default value is 900 seconds. The value zero implies wait forever. Possible values: Zero Positive integer Related options: None
`conn_pool_min_size = 2`	integer value	The pool size limit for connections expiration policy
`conn_pool_ttl = 1200`	integer value	The time-to-live in sec of idle connections in the pool
`control_exchange = openstack`	string value	The default exchange under which topics are scoped. May be overridden by an exchange name specified in the transport_url option.
`data_api = glance.db.sqlalchemy.api`	string value	Python module path of data access API. Specifies the path to the API to use for accessing the data model. This option determines how the image catalog data will be accessed. Possible values: glance.db.sqlalchemy.api glance.db.registry.api glance.db.simple.api If this option is set to `glance.db.sqlalchemy.api` then the image catalog data is stored in and read from the database via the SQLAlchemy Core and ORM APIs. Setting this option to `glance.db.registry.api` will force all database access requests to be routed through the Registry service. This avoids data access from the Glance API nodes for an added layer of security, scalability and manageability. Note In v2 OpenStack Images API, the registry service is optional. In order to use the Registry API in v2, the option `enable_v2_registry` must be set to `True`. Finally, when this configuration option is set to `glance.db.simple.api`, image catalog data is stored in and read from an in-memory data structure. This is primarily used for testing. Related options: enable_v2_api enable_v2_registry
`debug = False`	boolean value	If set to true, the logging level will be set to DEBUG instead of the default INFO level.
default_log_levels = [u'amqp=WARN', u'amqplib=WARN', u'boto=WARN', u'qpid=WARN', u'sqlalchemy=WARN', u'suds=INFO', u'oslo.messaging=INFO', u'oslo_messaging=INFO', u'iso8601=WARN', u'requests.packages.urllib3.connectionpool=WARN', u'urllib3.connectionpool=WARN', u'websocket=WARN', u'requests.packages.urllib3.util.retry=WARN', u'urllib3.util.retry=WARN', u'keystonemiddleware=WARN', u'routes.middleware=WARN', u'stevedore=WARN', u'taskflow=WARN', u'keystoneauth=WARN', u'oslo.cache=INFO', u'dogpile.core.dogpile=INFO']	list value	List of package logging levels in logger=LEVEL pairs. This option is ignored if log_config_append is set.
`default_publisher_id = image.localhost`	string value	Default publisher_id for outgoing Glance notifications. This is the value that the notification driver will use to identify messages for events originating from the Glance service. Typically, this is the hostname of the instance that generated the message. Possible values: Any reasonable instance identifier, for example: image.host1 Related options: None
`delayed_delete = False`	boolean value	Turn on/off delayed delete. Typically when an image is deleted, the `glance-api` service puts the image into `deleted` state and deletes its data at the same time. Delayed delete is a feature in Glance that delays the actual deletion of image data until a later point in time (as determined by the configuration option `scrub_time`). When delayed delete is turned on, the `glance-api` service puts the image into `pending_delete` state upon deletion and leaves the image data in the storage backend for the image scrubber to delete at a later time. The image scrubber will move the image into `deleted` state upon successful deletion of image data. Note When delayed delete is turned on, image scrubber MUST be running as a periodic task to prevent the backend storage from filling up with undesired usage. Possible values: True False Related options: `scrub_time` `wakeup_time` `scrub_pool_size`
`digest_algorithm = sha256`	string value	Digest algorithm to use for digital signature. Provide a string value representing the digest algorithm to use for generating digital signatures. By default, `sha256` is used. To get a list of the available algorithms supported by the version of OpenSSL on your platform, run the command: `openssl list-message-digest-algorithms`. Examples are sha1, sha256, and sha512. Note `digest_algorithm` is not related to Glance’s image signing and verification. It is only used to sign the universally unique identifier (UUID) as a part of the certificate file and key file validation. Possible values: An OpenSSL message digest algorithm identifier Relation options: None
`disabled_notifications = []`	list value	List of notifications to be disabled. Specify a list of notifications that should not be emitted. A notification can be given either as a notification type to disable a single event notification, or as a notification group prefix to disable all event notifications within a group. Possible values: A comma-separated list of individual notification types or notification groups to be disabled. Currently supported groups: image image.member task metadef_namespace metadef_object metadef_property metadef_resource_type metadef_tag For a complete listing and description of each event refer to: http://docs.openstack.org/developer/glance/notifications.html The values must be specified as: <group_name>.<event_name> For example: image.create,task.success,metadef_tag Related options: None
`enable_image_import = True`	boolean value	Enables the Image Import workflow introduced in Pike As [DEFAULT]/node_staging_uri is required for the Image Import, it’s disabled per default in Pike, enabled per default in Queens and removed in Rocky. This allows Glance to operate with previous version configs upon upgrade. Setting this option to False will disable the endpoints related to Image Import Refactoring work. Related options: [DEFAULT]/node_staging_uri
`enable_v1_api = True`	boolean value	Deploy the v1 OpenStack Images API. When this option is set to `True`, Glance service will respond to requests on registered endpoints conforming to the v1 OpenStack Images API. NOTES: If this option is enabled, then `enable_v1_registry` must also be set to `True` to enable mandatory usage of Registry service with v1 API. If this option is disabled, then the `enable_v1_registry` option, which is enabled by default, is also recommended to be disabled. This option is separate from `enable_v2_api`, both v1 and v2 OpenStack Images API can be deployed independent of each other. If deploying only the v2 Images API, this option, which is enabled by default, should be disabled. Possible values: True False Related options: enable_v1_registry enable_v2_api
`enable_v1_registry = True`	boolean value	Deploy the v1 API Registry service. When this option is set to `True`, the Registry service will be enabled in Glance for v1 API requests. NOTES: Use of Registry is mandatory in v1 API, so this option must be set to `True` if the `enable_v1_api` option is enabled. If deploying only the v2 OpenStack Images API, this option, which is enabled by default, should be disabled. Possible values: True False Related options: enable_v1_api
`enable_v2_api = True`	boolean value	Deploy the v2 OpenStack Images API. When this option is set to `True`, Glance service will respond to requests on registered endpoints conforming to the v2 OpenStack Images API. NOTES: If this option is disabled, then the `enable_v2_registry` option, which is enabled by default, is also recommended to be disabled. This option is separate from `enable_v1_api`, both v1 and v2 OpenStack Images API can be deployed independent of each other. If deploying only the v1 Images API, this option, which is enabled by default, should be disabled. Possible values: True False Related options: enable_v2_registry enable_v1_api
`enable_v2_registry = True`	boolean value	Deploy the v2 API Registry service. When this option is set to `True`, the Registry service will be enabled in Glance for v2 API requests. NOTES: Use of Registry is optional in v2 API, so this option must only be enabled if both `enable_v2_api` is set to `True` and the `data_api` option is set to `glance.db.registry.api`. If deploying only the v1 OpenStack Images API, this option, which is enabled by default, should be disabled. Possible values: True False Related options: enable_v2_api data_api
`enabled_import_methods = [u'glance-direct', u'web-download']`	list value	List of enabled Image Import Methods Both glance-direct and web-download are enabled by default. Related options: [DEFAULT]/node_staging_uri [DEFAULT]/enable_image_import
`executor_thread_pool_size = 64`	integer value	Size of executor thread pool when executor is threading or eventlet.
`fatal_deprecations = False`	boolean value	Enables or disables fatal status of deprecations.
`http_keepalive = True`	boolean value	Set keep alive option for HTTP over TCP. Provide a boolean value to determine sending of keep alive packets. If set to `False`, the server returns the header "Connection: close". If set to `True`, the server returns a "Connection: Keep-Alive" in its responses. This enables retention of the same TCP connection for HTTP conversations instead of opening a new one with each new request. This option must be set to `False` if the client socket connection needs to be closed explicitly after the response is received and read successfully by the client. Possible values: True False Related options: None
`image_cache_dir = None`	string value	Base directory for image cache. This is the location where image data is cached and served out of. All cached images are stored directly under this directory. This directory also contains three subdirectories, namely, `incomplete`, `invalid` and `queue`. The `incomplete` subdirectory is the staging area for downloading images. An image is first downloaded to this directory. When the image download is successful it is moved to the base directory. However, if the download fails, the partially downloaded image file is moved to the `invalid` subdirectory. The queue`subdirectory is used for queuing images for download. This is used primarily by the cache-prefetcher, which can be scheduled as a periodic task like cache-pruner and cache-cleaner, to cache images ahead of their usage. Upon receiving the request to cache an image, Glance touches a file in the `queue directory with the image id as the file name. The cache-prefetcher, when running, polls for the files in `queue` directory and starts downloading them in the order they were created. When the download is successful, the zero-sized file is deleted from the `queue` directory. If the download fails, the zero-sized file remains and it’ll be retried the next time cache-prefetcher runs. Possible values: A valid path Related options: `image_cache_sqlite_db`
`image_cache_driver = sqlite`	string value	The driver to use for image cache management. This configuration option provides the flexibility to choose between the different image-cache drivers available. An image-cache driver is responsible for providing the essential functions of image-cache like write images to/read images from cache, track age and usage of cached images, provide a list of cached images, fetch size of the cache, queue images for caching and clean up the cache, etc. The essential functions of a driver are defined in the base class `glance.image_cache.drivers.base.Driver`. All image-cache drivers (existing and prospective) must implement this interface. Currently available drivers are `sqlite` and `xattr`. These drivers primarily differ in the way they store the information about cached images: The `sqlite` driver uses a sqlite database (which sits on every glance node locally) to track the usage of cached images. The `xattr` driver uses the extended attributes of files to store this information. It also requires a filesystem that sets `atime` on the files when accessed. Possible values: sqlite xattr Related options: None
`image_cache_max_size = 10737418240`	integer value	The upper limit on cache size, in bytes, after which the cache-pruner cleans up the image cache. Note This is just a threshold for cache-pruner to act upon. It is NOT a hard limit beyond which the image cache would never grow. In fact, depending on how often the cache-pruner runs and how quickly the cache fills, the image cache can far exceed the size specified here very easily. Hence, care must be taken to appropriately schedule the cache-pruner and in setting this limit. Glance caches an image when it is downloaded. Consequently, the size of the image cache grows over time as the number of downloads increases. To keep the cache size from becoming unmanageable, it is recommended to run the cache-pruner as a periodic task. When the cache pruner is kicked off, it compares the current size of image cache and triggers a cleanup if the image cache grew beyond the size specified here. After the cleanup, the size of cache is less than or equal to size specified here. Possible values: Any non-negative integer Related options: None
`image_cache_sqlite_db = cache.db`	string value	The relative path to sqlite file database that will be used for image cache management. This is a relative path to the sqlite file database that tracks the age and usage statistics of image cache. The path is relative to image cache base directory, specified by the configuration option `image_cache_dir`. This is a lightweight database with just one table. Possible values: A valid relative path to sqlite file database Related options: `image_cache_dir`
`image_cache_stall_time = 86400`	integer value	The amount of time, in seconds, an incomplete image remains in the cache. Incomplete images are images for which download is in progress. Please see the description of configuration option `image_cache_dir` for more detail. Sometimes, due to various reasons, it is possible the download may hang and the incompletely downloaded image remains in the `incomplete` directory. This configuration option sets a time limit on how long the incomplete images should remain in the `incomplete` directory before they are cleaned up. Once an incomplete image spends more time than is specified here, it’ll be removed by cache-cleaner on its next run. It is recommended to run cache-cleaner as a periodic task on the Glance API nodes to keep the incomplete images from occupying disk space. Possible values: Any non-negative integer Related options: None
`image_location_quota = 10`	integer value	Maximum number of locations allowed on an image. Any negative value is interpreted as unlimited. Related options: None
`image_member_quota = 128`	integer value	Maximum number of image members per image. This limits the maximum of users an image can be shared with. Any negative value is interpreted as unlimited. Related options: None
`image_property_quota = 128`	integer value	Maximum number of properties allowed on an image. This enforces an upper limit on the number of additional properties an image can have. Any negative value is interpreted as unlimited. Note This won’t have any impact if additional properties are disabled. Please refer to `allow_additional_image_properties`. Related options: `allow_additional_image_properties`
`image_size_cap = 1099511627776`	integer value	Maximum size of image a user can upload in bytes. An image upload greater than the size mentioned here would result in an image creation failure. This configuration option defaults to 1099511627776 bytes (1 TiB). NOTES: This value should only be increased after careful consideration and must be set less than or equal to 8 EiB (9223372036854775808). This value must be set with careful consideration of the backend storage capacity. Setting this to a very low value may result in a large number of image failures. And, setting this to a very large value may result in faster consumption of storage. Hence, this must be set according to the nature of images created and storage capacity available. Possible values: Any positive number less than or equal to 9223372036854775808
`image_tag_quota = 128`	integer value	Maximum number of tags allowed on an image. Any negative value is interpreted as unlimited. Related options: None
`instance_format = [instance: %(uuid)s] `	string value	The format for an instance that is passed with the log message.
`instance_uuid_format = [instance: %(uuid)s] `	string value	The format for an instance UUID that is passed with the log message.
`key_file = None`	string value	Absolute path to a private key file. Provide a string value representing a valid absolute path to a private key file which is required to establish the client-server connection. Possible values: Absolute path to the private key file Related options: None
`limit_param_default = 25`	integer value	The default number of results to return for a request. Responses to certain API requests, like list images, may return multiple items. The number of results returned can be explicitly controlled by specifying the `limit` parameter in the API request. However, if a `limit` parameter is not specified, this configuration value will be used as the default number of results to be returned for any API request. NOTES: The value of this configuration option may not be greater than the value specified by `api_limit_max`. Setting this to a very large value may slow down database queries and increase response times. Setting this to a very low value may result in poor user experience. Possible values: Any positive integer Related options: api_limit_max
`location_strategy = location_order`	string value	Strategy to determine the preference order of image locations. This configuration option indicates the strategy to determine the order in which an image’s locations must be accessed to serve the image’s data. Glance then retrieves the image data from the first responsive active location it finds in this list. This option takes one of two possible values `location_order` and `store_type`. The default value is `location_order`, which suggests that image data be served by using locations in the order they are stored in Glance. The `store_type` value sets the image location preference based on the order in which the storage backends are listed as a comma separated list for the configuration option `store_type_preference`. Possible values: location_order store_type Related options: store_type_preference
`log-config-append = None`	string value	The name of a logging configuration file. This file is appended to any existing logging configuration files. For details about logging configuration files, see the Python logging module documentation. Note that when logging configuration files are used then all logging configuration is set in the configuration file and other logging configuration options are ignored (for example, logging_context_format_string).
`log-date-format = %Y-%m-%d %H:%M:%S`	string value	Defines the format string for %%(asctime)s in log records. Default: %(default)s . This option is ignored if log_config_append is set.
`log-dir = None`	string value	(Optional) The base directory used for relative log_file paths. This option is ignored if log_config_append is set.
`log-file = None`	string value	(Optional) Name of log file to send logging output to. If no default is set, logging will go to stderr as defined by use_stderr. This option is ignored if log_config_append is set.
`logging_context_format_string = %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [%(request_id)s %(user_identity)s] %(instance)s%(message)s`	string value	Format string to use for log messages with context.
`logging_debug_format_suffix = %(funcName)s %(pathname)s:%(lineno)d`	string value	Additional data to append to log message when logging level for the message is DEBUG.
`logging_default_format_string = %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [-] %(instance)s%(message)s`	string value	Format string to use for log messages when context is undefined.
`logging_exception_prefix = %(asctime)s.%(msecs)03d %(process)d ERROR %(name)s %(instance)s`	string value	Prefix each line of exception output with this format.
`logging_user_identity_format = %(user)s %(tenant)s %(domain)s %(user_domain)s %(project_domain)s`	string value	Defines the format string for %(user_identity)s that is used in logging_context_format_string.
`max_header_line = 16384`	integer value	Maximum line size of message headers. Provide an integer value representing a length to limit the size of message headers. The default value is 16384. Note `max_header_line` may need to be increased when using large tokens (typically those generated by the Keystone v3 API with big service catalogs). However, it is to be kept in mind that larger values for `max_header_line` would flood the logs. Setting `max_header_line` to 0 sets no limit for the line size of message headers. Possible values: 0 Positive integer Related options: None
`max_request_id_length = 64`	integer value	Limit the request ID length. Provide an integer value to limit the length of the request ID to the specified length. The default value is 64. Users can change this to any integer value between 0 and 16384 however keeping in mind that a larger value may flood the logs. Possible values: Integer value between 0 and 16384 Related options: None
`metadata_encryption_key = None`	string value	AES key for encrypting store location metadata. Provide a string value representing the AES cipher to use for encrypting Glance store metadata. Note The AES key to use must be set to a random string of length 16, 24 or 32 bytes. Possible values: String value representing a valid AES key Related options: None
`node_staging_uri = file:///tmp/staging/`	string value	The URL provides location where the temporary data will be stored This option is for Glance internal use only. Glance will save the image data uploaded by the user to staging endpoint during the image import process. This option does not change the staging API endpoint by any means. Note It is discouraged to use same path as [task]/work_dir Note file://<absolute-directory-path> is the only option api_image_import flow will support for now. Note The staging path must be on shared filesystem available to all Glance API nodes. Possible values: String starting with file:// followed by absolute FS path Related options: [task]/work_dir [DEFAULT]/enable_image_import (deprecated)
`owner_is_tenant = True`	boolean value	Set the image owner to tenant or the authenticated user. Assign a boolean value to determine the owner of an image. When set to True, the owner of the image is the tenant. When set to False, the owner of the image will be the authenticated user issuing the request. Setting it to False makes the image private to the associated user and sharing with other users within the same tenant (or "project") requires explicit image sharing via image membership. Possible values: True False Related options: None
`property_protection_file = None`	string value	The location of the property protection file. Provide a valid path to the property protection file which contains the rules for property protections and the roles/policies associated with them. A property protection file, when set, restricts the Glance image properties to be created, read, updated and/or deleted by a specific set of users that are identified by either roles or policies. If this configuration option is not set, by default, property protections won’t be enforced. If a value is specified and the file is not found, the glance-api service will fail to start. More information on property protections can be found at: https://docs.openstack.org/glance/latest/admin/property-protections.html Possible values: Empty string Valid path to the property protection configuration file Related options: property_protection_rule_format
`property_protection_rule_format = roles`	string value	Rule format for property protection. Provide the desired way to set property protection on Glance image properties. The two permissible values are `roles` and `policies`. The default value is `roles`. If the value is `roles`, the property protection file must contain a comma separated list of user roles indicating permissions for each of the CRUD operations on each property being protected. If set to `policies`, a policy defined in policy.json is used to express property protections for each of the CRUD operations. Examples of how property protections are enforced based on `roles` or `policies` can be found at: https://docs.openstack.org/glance/latest/admin/property-protections.html#examples Possible values: roles policies Related options: property_protection_file
`public_endpoint = None`	string value	Public url endpoint to use for Glance versions response. This is the public url endpoint that will appear in the Glance "versions" response. If no value is specified, the endpoint that is displayed in the version’s response is that of the host running the API service. Change the endpoint to represent the proxy URL if the API service is running behind a proxy. If the service is running behind a load balancer, add the load balancer’s URL for this value. Possible values: None Proxy URL Load balancer URL Related options: None
`publish_errors = False`	boolean value	Enables or disables publication of error events.
`pydev_worker_debug_host = None`	unknown value	Host address of the pydev server. Provide a string value representing the hostname or IP of the pydev server to use for debugging. The pydev server listens for debug connections on this address, facilitating remote debugging in Glance. Possible values: Valid hostname Valid IP address Related options: None
`pydev_worker_debug_port = 5678`	port value	Port number that the pydev server will listen on. Provide a port number to bind the pydev server to. The pydev process accepts debug connections on this port and facilitates remote debugging in Glance. Possible values: A valid port number Related options: None
`rate_limit_burst = 0`	integer value	Maximum number of logged messages per rate_limit_interval.
`rate_limit_except_level = CRITICAL`	string value	Log level name used by rate limiting: CRITICAL, ERROR, INFO, WARNING, DEBUG or empty string. Logs with level greater or equal to rate_limit_except_level are not filtered. An empty string means that all levels are filtered.
`rate_limit_interval = 0`	integer value	Interval, number of seconds, of log rate limiting.
`registry_client_ca_file = None`	string value	Absolute path to the Certificate Authority file. Provide a string value representing a valid absolute path to the certificate authority file to use for establishing a secure connection to the registry server. Note This option must be set if `registry_client_protocol` is set to `https`. Alternatively, the GLANCE_CLIENT_CA_FILE environment variable may be set to a filepath of the CA file. This option is ignored if the `registry_client_insecure` option is set to `True`. Possible values: String value representing a valid absolute path to the CA file. Related options: registry_client_protocol registry_client_insecure
`registry_client_cert_file = None`	string value	Absolute path to the certificate file. Provide a string value representing a valid absolute path to the certificate file to use for establishing a secure connection to the registry server. Note This option must be set if `registry_client_protocol` is set to `https`. Alternatively, the GLANCE_CLIENT_CERT_FILE environment variable may be set to a filepath of the certificate file. Possible values: String value representing a valid absolute path to the certificate file. Related options: registry_client_protocol
`registry_client_insecure = False`	boolean value	Set verification of the registry server certificate. Provide a boolean value to determine whether or not to validate SSL connections to the registry server. By default, this option is set to `False` and the SSL connections are validated. If set to `True`, the connection to the registry server is not validated via a certifying authority and the `registry_client_ca_file` option is ignored. This is the registry’s equivalent of specifying --insecure on the command line using glanceclient for the API. Possible values: True False Related options: registry_client_protocol registry_client_ca_file
`registry_client_key_file = None`	string value	Absolute path to the private key file. Provide a string value representing a valid absolute path to the private key file to use for establishing a secure connection to the registry server. Note This option must be set if `registry_client_protocol` is set to `https`. Alternatively, the GLANCE_CLIENT_KEY_FILE environment variable may be set to a filepath of the key file. Possible values: String value representing a valid absolute path to the key file. Related options: registry_client_protocol
`registry_client_protocol = http`	string value	Protocol to use for communication with the registry server. Provide a string value representing the protocol to use for communication with the registry server. By default, this option is set to `http` and the connection is not secure. This option can be set to `https` to establish a secure connection to the registry server. In this case, provide a key to use for the SSL connection using the `registry_client_key_file` option. Also include the CA file and cert file using the options `registry_client_ca_file` and `registry_client_cert_file` respectively. Possible values: http https Related options: registry_client_key_file registry_client_cert_file registry_client_ca_file
`registry_client_timeout = 600`	integer value	Timeout value for registry requests. Provide an integer value representing the period of time in seconds that the API server will wait for a registry request to complete. The default value is 600 seconds. A value of 0 implies that a request will never timeout. Possible values: Zero Positive integer Related options: None
`registry_host = 0.0.0.0`	unknown value	Address the registry server is hosted on. Possible values: A valid IP or hostname Related options: None
`registry_port = 9191`	port value	Port the registry server is listening on. Possible values: A valid port number Related options: None
`rpc_ack_timeout_base = 15`	integer value	Number of seconds to wait for an ack from a cast/call. After each retry attempt this timeout is multiplied by some specified multiplier.
`rpc_ack_timeout_multiplier = 2`	integer value	Number to multiply base ack timeout by after each retry attempt.
`rpc_backend = rabbit`	string value	The messaging driver to use, defaults to rabbit. Other drivers include amqp and zmq.
`rpc_conn_pool_size = 30`	integer value	Size of RPC connection pool.
`rpc_message_ttl = 300`	integer value	Expiration timeout in seconds of a sent/received message after which it is not tracked anymore by a client/server.
`rpc_poll_timeout = 1`	integer value	The default number of seconds that poll should wait. Poll raises timeout exception when timeout expired.
`rpc_response_timeout = 60`	integer value	Seconds to wait for a response from a call.
`rpc_retry_attempts = 3`	integer value	Default number of message sending attempts in case of any problems occurred: positive value N means at most N retries, 0 means no retries, None or -1 (or any other negative values) mean to retry forever. This option is used only if acknowledgments are enabled.
`rpc_thread_pool_size = 100`	integer value	Maximum number of (green) threads to work concurrently.
`rpc_use_acks = False`	boolean value	Wait for message acknowledgements from receivers. This mechanism works only via proxy without PUB/SUB.
`rpc_zmq_bind_address = *`	string value	ZeroMQ bind address. Should be a wildcard (*), an ethernet interface, or IP. The "host" option should point or resolve to this address.
`rpc_zmq_bind_port_retries = 100`	integer value	Number of retries to find free port number before fail with ZMQBindError.
`rpc_zmq_contexts = 1`	integer value	Number of ZeroMQ contexts, defaults to 1.
`rpc_zmq_host = ccsosp-undercloud.usersys.redhat.com`	string value	Name of this node. Must be a valid hostname, FQDN, or IP address. Must match "host" option, if running Nova.
`rpc_zmq_ipc_dir = /var/run/openstack`	string value	Directory for holding IPC sockets.
`rpc_zmq_matchmaker = redis`	string value	MatchMaker driver.
`rpc_zmq_max_port = 65536`	integer value	Maximal port number for random ports range.
`rpc_zmq_min_port = 49153`	port value	Minimal port number for random ports range.
`rpc_zmq_serialization = json`	string value	Default serialization mechanism for serializing/deserializing outgoing/incoming messages
`rpc_zmq_topic_backlog = None`	integer value	Maximum number of ingress messages to locally buffer per topic. Default is unlimited.
`scrub_pool_size = 1`	integer value	The size of thread pool to be used for scrubbing images. When there are a large number of images to scrub, it is beneficial to scrub images in parallel so that the scrub queue stays in control and the backend storage is reclaimed in a timely fashion. This configuration option denotes the maximum number of images to be scrubbed in parallel. The default value is one, which signifies serial scrubbing. Any value above one indicates parallel scrubbing. Possible values: Any non-zero positive integer Related options: `delayed_delete`
`scrub_time = 0`	integer value	The amount of time, in seconds, to delay image scrubbing. When delayed delete is turned on, an image is put into `pending_delete` state upon deletion until the scrubber deletes its image data. Typically, soon after the image is put into `pending_delete` state, it is available for scrubbing. However, scrubbing can be delayed until a later point using this configuration option. This option denotes the time period an image spends in `pending_delete` state before it is available for scrubbing. It is important to realize that this has storage implications. The larger the `scrub_time`, the longer the time to reclaim backend storage from deleted images. Possible values: Any non-negative integer Related options: `delayed_delete`
`secure_proxy_ssl_header = None`	string value	The HTTP header used to determine the scheme for the original request, even if it was removed by an SSL terminating proxy. Typical value is "HTTP_X_FORWARDED_PROTO".
`send_identity_headers = False`	boolean value	Send headers received from identity when making requests to registry. Typically, Glance registry can be deployed in multiple flavors, which may or may not include authentication. For example, `trusted-auth` is a flavor that does not require the registry service to authenticate the requests it receives. However, the registry service may still need a user context to be populated to serve the requests. This can be achieved by the caller (the Glance API usually) passing through the headers it received from authenticating with identity for the same request. The typical headers sent are `X-User-Id`, `X-Tenant-Id`, `X-Roles`, `X-Identity-Status` and `X-Service-Catalog`. Provide a boolean value to determine whether to send the identity headers to provide tenant and user information along with the requests to registry service. By default, this option is set to `False`, which means that user and tenant information is not available readily. It must be obtained by authenticating. Hence, if this is set to `False`, `flavor` must be set to value that either includes authentication or authenticated user context. Possible values: True False Related options: flavor
`show_image_direct_url = False`	boolean value	Show direct image location when returning an image. This configuration option indicates whether to show the direct image location when returning image details to the user. The direct image location is where the image data is stored in backend storage. This image location is shown under the image property `direct_url`. When multiple image locations exist for an image, the best location is displayed based on the location strategy indicated by the configuration option `location_strategy`. NOTES: Revealing image locations can present a GRAVE SECURITY RISK as image locations can sometimes include credentials. Hence, this is set to `False` by default. Set this to `True` with EXTREME CAUTION and ONLY IF you know what you are doing! If an operator wishes to avoid showing any image location(s) to the user, then both this option and `show_multiple_locations` MUST be set to `False`. Possible values: True False Related options: show_multiple_locations location_strategy
`show_multiple_locations = False`	boolean value	Show all image locations when returning an image. This configuration option indicates whether to show all the image locations when returning image details to the user. When multiple image locations exist for an image, the locations are ordered based on the location strategy indicated by the configuration opt `location_strategy`. The image locations are shown under the image property `locations`. NOTES: Revealing image locations can present a GRAVE SECURITY RISK as image locations can sometimes include credentials. Hence, this is set to `False` by default. Set this to `True` with EXTREME CAUTION and ONLY IF you know what you are doing! See https://wiki.openstack.org/wiki/OSSN/OSSN-0065 for more information. If an operator wishes to avoid showing any image location(s) to the user, then both this option and `show_image_direct_url` MUST be set to `False`. Possible values: True False Related options: show_image_direct_url location_strategy
`subscribe_on = []`	list value	List of publisher hosts SubConsumer can subscribe on. This option has higher priority then the default publishers list taken from the matchmaker.
`syslog-log-facility = LOG_USER`	string value	Syslog facility to receive log lines. This option is ignored if log_config_append is set.
`tcp_keepidle = 600`	integer value	Set the wait time before a connection recheck. Provide a positive integer value representing time in seconds which is set as the idle wait time before a TCP keep alive packet can be sent to the host. The default value is 600 seconds. Setting `tcp_keepidle` helps verify at regular intervals that a connection is intact and prevents frequent TCP connection reestablishment. Possible values: Positive integer value representing time in seconds Related options: None
`transport_url = None`	string value	The network address and optional user credentials for connecting to the messaging backend, in URL format. The expected format is: driver://[user:pass@]host:port[,[userN:passN@]hostN:portN]/virtual_host?query Example: rabbit://rabbitmq:password@127.0.0.1:5672// For full details on the fields in the URL see the documentation of oslo_messaging.TransportURL at https://docs.openstack.org/oslo.messaging/latest/reference/transport.html
`use-journal = False`	boolean value	Enable journald for logging. If running in a systemd environment you may wish to enable journal support. Doing so will use the journal native protocol which includes structured metadata in addition to log messages.This option is ignored if log_config_append is set.
`use-json = False`	boolean value	Use JSON formatting for logging. This option is ignored if log_config_append is set.
`use-syslog = False`	boolean value	Use syslog for logging. Existing syslog format is DEPRECATED and will be changed later to honor RFC5424. This option is ignored if log_config_append is set.
`use_dynamic_connections = False`	boolean value	This option makes direct connections dynamic or static. It makes sense only with use_router_proxy=False which means to use direct connections for direct message types (ignored otherwise).
`use_pub_sub = False`	boolean value	Use PUB/SUB pattern for fanout methods. PUB/SUB always uses proxy.
`use_router_proxy = False`	boolean value	Use ROUTER remote proxy.
`use_stderr = False`	boolean value	Log output to standard error. This option is ignored if log_config_append is set.
`use_user_token = True`	boolean value	Whether to pass through the user token when making requests to the registry. To prevent failures with token expiration during big files upload, it is recommended to set this parameter to False.If "use_user_token" is not in effect, then admin credentials can be specified.
`user_storage_quota = 0`	string value	Maximum amount of image storage per tenant. This enforces an upper limit on the cumulative storage consumed by all images of a tenant across all stores. This is a per-tenant limit. The default unit for this configuration option is Bytes. However, storage units can be specified using case-sensitive literals `B`, `KB`, `MB`, `GB` and `TB` representing Bytes, KiloBytes, MegaBytes, GigaBytes and TeraBytes respectively. Note that there should not be any space between the value and unit. Value `0` signifies no quota enforcement. Negative values are invalid and result in errors. Possible values: A string that is a valid concatenation of a non-negative integer representing the storage value and an optional string literal representing storage units as mentioned above. Related options: None
`watch-log-file = False`	boolean value	Uses logging handler designed to watch file system. When log file is moved or removed this handler will open a new log file with specified path instantaneously. It makes sense only if log_file option is specified and Linux platform is used. This option is ignored if log_config_append is set.
`workers = None`	integer value	Number of Glance worker processes to start. Provide a non-negative integer value to set the number of child process workers to service requests. By default, the number of CPUs available is set as the value for `workers` limited to 8. For example if the processor count is 6, 6 workers will be used, if the processor count is 24 only 8 workers will be used. The limit will only apply to the default value, if 24 workers is configured, 24 is used. Each worker process is made to listen on the port set in the configuration file and contains a greenthread pool of size 1000. Note Setting the number of workers to zero, triggers the creation of a single API process with a greenthread pool of size 1000. Possible values: 0 Positive integer value (typically equal to the number of CPUs) Related options: None
`zmq_failover_connections = 2`	integer value	How many additional connections to a host will be made for failover reasons. This option is actual only in dynamic connections mode.
`zmq_immediate = True`	boolean value	This option configures round-robin mode in zmq socket. True means not keeping a queue when server side disconnects. False means to keep queue and messages even if server is disconnected, when the server appears we send all accumulated messages to it.
`zmq_linger = -1`	integer value	Number of seconds to wait before all pending messages will be sent after closing a socket. The default value of -1 specifies an infinite linger period. The value of 0 specifies no linger period. Pending messages shall be discarded immediately when the socket is closed. Positive values specify an upper bound for the linger period.
`zmq_target_expire = 300`	integer value	Expiration timeout in seconds of a name service record about existing target ( < 0 means no timeout).
`zmq_target_update = 180`	integer value	Update period in seconds of a name service record about existing target.
`zmq_tcp_keepalive = -1`	integer value	Enable/disable TCP keepalive (KA) mechanism. The default value of -1 (or any other negative value) means to skip any overrides and leave it to OS default; 0 and 1 (or any other positive value) mean to disable and enable the option respectively.
`zmq_tcp_keepalive_cnt = -1`	integer value	The number of retransmissions to be carried out before declaring that remote end is not available. The default value of -1 (or any other negative value and 0) means to skip any overrides and leave it to OS default.
`zmq_tcp_keepalive_idle = -1`	integer value	The duration between two keepalive transmissions in idle condition. The unit is platform dependent, for example, seconds in Linux, milliseconds in Windows etc. The default value of -1 (or any other negative value and 0) means to skip any overrides and leave it to OS default.
`zmq_tcp_keepalive_intvl = -1`	integer value	The duration between two successive keepalive retransmissions, if acknowledgement to the previous keepalive transmission is not received. The unit is platform dependent, for example, seconds in Linux, milliseconds in Windows etc. The default value of -1 (or any other negative value and 0) means to skip any overrides and leave it to OS default.

5.1.2. cors

The following table outlines the options available under the [cors] group in the /etc/glance/glance-api.conf file.

Table 5.2. cors
Configuration option = Default value	Type	Description
`allow_credentials = True`	boolean value	Indicate that the actual request can include user credentials
`allow_headers = [u'Content-MD5', u'X-Image-Meta-Checksum', u'X-Storage-Token', u'Accept-Encoding', u'X-Auth-Token', u'X-Identity-Status', u'X-Roles', u'X-Service-Catalog', u'X-User-Id', u'X-Tenant-Id', u'X-OpenStack-Request-ID']`	list value	Indicate which header field names may be used during the actual request.
`allow_methods = [u'GET', u'PUT', u'POST', u'DELETE', u'PATCH']`	list value	Indicate which methods can be used during the actual request.
`allowed_origin = None`	list value	Indicate whether this resource may be shared with the domain received in the requests "origin" header. Format: "<protocol>://<host>[:<port>]", no trailing slash. Example: https://horizon.example.com
`expose_headers = [u'X-Image-Meta-Checksum', u'X-Auth-Token', u'X-Subject-Token', u'X-Service-Token', u'X-OpenStack-Request-ID']`	list value	Indicate which headers are safe to expose to the API. Defaults to HTTP Simple Headers.
`max_age = 3600`	integer value	Maximum cache age of CORS preflight requests.

5.1.3. database

The following table outlines the options available under the [database] group in the /etc/glance/glance-api.conf file.

Table 5.3. database
Configuration option = Default value	Type	Description
`backend = sqlalchemy`	string value	The back end to use for the database.
`connection = None`	string value	The SQLAlchemy connection string to use to connect to the database.
`connection_debug = 0`	integer value	Verbosity of SQL debugging information: 0=None, 100=Everything.
`connection_recycle_time = 3600`	integer value	Connections which have been present in the connection pool longer than this number of seconds will be replaced with a new one the next time they are checked out from the pool.
`connection_trace = False`	boolean value	Add Python stack traces to SQL as comment strings.
`db_inc_retry_interval = True`	boolean value	If True, increases the interval between retries of a database operation up to db_max_retry_interval.
`db_max_retries = 20`	integer value	Maximum retries in case of connection error or deadlock error before error is raised. Set to -1 to specify an infinite retry count.
`db_max_retry_interval = 10`	integer value	If db_inc_retry_interval is set, the maximum seconds between retries of a database operation.
`db_retry_interval = 1`	integer value	Seconds between retries of a database transaction.
`max_overflow = 50`	integer value	If set, use this value for max_overflow with SQLAlchemy.
`max_pool_size = 5`	integer value	Maximum number of SQL connections to keep open in a pool. Setting a value of 0 indicates no limit.
`max_retries = 10`	integer value	Maximum number of database connection retries during startup. Set to -1 to specify an infinite retry count.
`min_pool_size = 1`	integer value	Minimum number of SQL connections to keep open in a pool.
`mysql_enable_ndb = False`	boolean value	If True, transparently enables support for handling MySQL Cluster (NDB).
`mysql_sql_mode = TRADITIONAL`	string value	The SQL mode to be used for MySQL sessions. This option, including the default, overrides any server-set SQL mode. To use whatever SQL mode is set by the server configuration, set this to no value. Example: mysql_sql_mode=
`pool_timeout = None`	integer value	If set, use this value for pool_timeout with SQLAlchemy.
`retry_interval = 10`	integer value	Interval between retries of opening a SQL connection.
`slave_connection = None`	string value	The SQLAlchemy connection string to use to connect to the slave database.
`sqlite_synchronous = True`	boolean value	If True, SQLite uses synchronous mode.
`use_db_reconnect = False`	boolean value	Enable the experimental use of database reconnect on connection lost.
`use_tpool = False`	boolean value	Enable the experimental use of thread pooling for all DB API calls

5.1.4. glance_store

The following table outlines the options available under the [glance_store] group in the /etc/glance/glance-api.conf file.

Table 5.4. glance_store
Configuration option = Default value	Type	Description
`cinder_api_insecure = False`	boolean value	Allow to perform insecure SSL requests to cinder. If this option is set to True, HTTPS endpoint connection is verified using the CA certificates file specified by `cinder_ca_certificates_file` option. Possible values: True False Related options: cinder_ca_certificates_file
`cinder_ca_certificates_file = None`	string value	Location of a CA certificates file used for cinder client requests. The specified CA certificates file, if set, is used to verify cinder connections via HTTPS endpoint. If the endpoint is HTTP, this value is ignored. `cinder_api_insecure` must be set to `True` to enable the verification. Possible values: Path to a ca certificates file Related options: cinder_api_insecure
`cinder_catalog_info = volumev2::publicURL`	string value	Information to match when looking for cinder in the service catalog. When the `cinder_endpoint_template` is not set and any of `cinder_store_auth_address`, `cinder_store_user_name`, `cinder_store_project_name`, `cinder_store_password` is not set, cinder store uses this information to lookup cinder endpoint from the service catalog in the current context. `cinder_os_region_name`, if set, is taken into consideration to fetch the appropriate endpoint. The service catalog can be listed by the `openstack catalog list` command. Possible values: A string of of the following form: `<service_type>:<service_name>:<interface>` At least `service_type` and `interface` should be specified. `service_name` can be omitted. Related options: cinder_os_region_name cinder_endpoint_template cinder_store_auth_address cinder_store_user_name cinder_store_project_name cinder_store_password
`cinder_endpoint_template = None`	string value	Override service catalog lookup with template for cinder endpoint. When this option is set, this value is used to generate cinder endpoint, instead of looking up from the service catalog. This value is ignored if `cinder_store_auth_address`, `cinder_store_user_name`, `cinder_store_project_name`, and `cinder_store_password` are specified. If this configuration option is set, `cinder_catalog_info` will be ignored. Possible values: URL template string for cinder endpoint, where `%%(tenant)s` is replaced with the current tenant (project) name. For example: `http://cinder.openstack.example.org/v2/%%(tenant)s` Related options: cinder_store_auth_address cinder_store_user_name cinder_store_project_name cinder_store_password cinder_catalog_info
`cinder_http_retries = 3`	integer value	Number of cinderclient retries on failed http calls. When a call failed by any errors, cinderclient will retry the call up to the specified times after sleeping a few seconds. Possible values: A positive integer Related options: None
`cinder_os_region_name = None`	string value	Region name to lookup cinder service from the service catalog. This is used only when `cinder_catalog_info` is used for determining the endpoint. If set, the lookup for cinder endpoint by this node is filtered to the specified region. It is useful when multiple regions are listed in the catalog. If this is not set, the endpoint is looked up from every region. Possible values: A string that is a valid region name. Related options: cinder_catalog_info
`cinder_state_transition_timeout = 300`	integer value	Time period, in seconds, to wait for a cinder volume transition to complete. When the cinder volume is created, deleted, or attached to the glance node to read/write the volume data, the volume’s state is changed. For example, the newly created volume status changes from `creating` to `available` after the creation process is completed. This specifies the maximum time to wait for the status change. If a timeout occurs while waiting, or the status is changed to an unexpected value (e.g. `error`), the image creation fails. Possible values: A positive integer Related options: None
`cinder_store_auth_address = None`	string value	The address where the cinder authentication service is listening. When all of `cinder_store_auth_address`, `cinder_store_user_name`, `cinder_store_project_name`, and `cinder_store_password` options are specified, the specified values are always used for the authentication. This is useful to hide the image volumes from users by storing them in a project/tenant specific to the image service. It also enables users to share the image volume among other projects under the control of glance’s ACL. If either of these options are not set, the cinder endpoint is looked up from the service catalog, and current context’s user and project are used. Possible values: A valid authentication service address, for example: `http://openstack.example.org/identity/v2.0` Related options: cinder_store_user_name cinder_store_password cinder_store_project_name
`cinder_store_password = None`	string value	Password for the user authenticating against cinder. This must be used with all the following related options. If any of these are not specified, the user of the current context is used. Possible values: A valid password for the user specified by `cinder_store_user_name` Related options: cinder_store_auth_address cinder_store_user_name cinder_store_project_name
`cinder_store_project_name = None`	string value	Project name where the image volume is stored in cinder. If this configuration option is not set, the project in current context is used. This must be used with all the following related options. If any of these are not specified, the project of the current context is used. Possible values: A valid project name Related options: `cinder_store_auth_address` `cinder_store_user_name` `cinder_store_password`
`cinder_store_user_name = None`	string value	User name to authenticate against cinder. This must be used with all the following related options. If any of these are not specified, the user of the current context is used. Possible values: A valid user name Related options: cinder_store_auth_address cinder_store_password cinder_store_project_name
`cinder_volume_type = None`	string value	Volume type that will be used for volume creation in cinder. Some cinder backends can have several volume types to optimize storage usage. Adding this option allows an operator to choose a specific volume type in cinder that can be optimized for images. If this is not set, then the default volume type specified in the cinder configuration will be used for volume creation. Possible values: A valid volume type from cinder Related options: None
`default_store = file`	string value	The default scheme to use for storing images. Provide a string value representing the default scheme to use for storing images. If not set, Glance uses `file` as the default scheme to store images with the `file` store. Note The value given for this configuration option must be a valid scheme for a store registered with the `stores` configuration option. Possible values: file filesystem http https swift swift+http swift+https swift+config rbd sheepdog cinder vsphere Related Options: stores
`default_swift_reference = ref1`	string value	Reference to default Swift account/backing store parameters. Provide a string value representing a reference to the default set of parameters required for using swift account/backing store for image storage. The default reference value for this configuration option is ref1. This configuration option dereferences the parameters and facilitates image storage in Swift storage backend every time a new image is added. Possible values: A valid string value Related options: None
`filesystem_store_datadir = /var/lib/glance/images`	string value	Directory to which the filesystem backend store writes images. Upon start up, Glance creates the directory if it doesn’t already exist and verifies write access to the user under which `glance-api` runs. If the write access isn’t available, a `BadStoreConfiguration` exception is raised and the filesystem store may not be available for adding new images. Note This directory is used only when filesystem store is used as a storage backend. Either `filesystem_store_datadir` or `filesystem_store_datadirs` option must be specified in `glance-api.conf`. If both options are specified, a `BadStoreConfiguration` will be raised and the filesystem store may not be available for adding new images. Possible values: A valid path to a directory Related options: `filesystem_store_datadirs` `filesystem_store_file_perm`
`filesystem_store_datadirs = None`	multi valued	List of directories and their priorities to which the filesystem backend store writes images. The filesystem store can be configured to store images in multiple directories as opposed to using a single directory specified by the `filesystem_store_datadir` configuration option. When using multiple directories, each directory can be given an optional priority to specify the preference order in which they should be used. Priority is an integer that is concatenated to the directory path with a colon where a higher value indicates higher priority. When two directories have the same priority, the directory with most free space is used. When no priority is specified, it defaults to zero. More information on configuring filesystem store with multiple store directories can be found at http://docs.openstack.org/developer/glance/configuring.html Note This directory is used only when filesystem store is used as a storage backend. Either `filesystem_store_datadir` or `filesystem_store_datadirs` option must be specified in `glance-api.conf`. If both options are specified, a `BadStoreConfiguration` will be raised and the filesystem store may not be available for adding new images. Possible values: List of strings of the following form: `<a valid directory path>:<optional integer priority>` Related options: `filesystem_store_datadir` `filesystem_store_file_perm`
`filesystem_store_file_perm = 0`	integer value	File access permissions for the image files. Set the intended file access permissions for image data. This provides a way to enable other services, e.g. Nova, to consume images directly from the filesystem store. The users running the services that are intended to be given access to could be made a member of the group that owns the files created. Assigning a value less then or equal to zero for this configuration option signifies that no changes be made to the default permissions. This value will be decoded as an octal digit. For more information, please refer the documentation at http://docs.openstack.org/developer/glance/configuring.html Possible values: A valid file access permission Zero Any negative integer Related options: None
`filesystem_store_metadata_file = None`	string value	Filesystem store metadata file. The path to a file which contains the metadata to be returned with any location associated with the filesystem store. The file must contain a valid JSON object. The object should contain the keys `id` and `mountpoint`. The value for both keys should be a string. Possible values: A valid path to the store metadata file Related options: None
`http_proxy_information = {}`	dict value	The http/https proxy information to be used to connect to the remote server. This configuration option specifies the http/https proxy information that should be used to connect to the remote server. The proxy information should be a key value pair of the scheme and proxy, for example, http:10.0.0.1:3128. You can also specify proxies for multiple schemes by separating the key value pairs with a comma, for example, http:10.0.0.1:3128, https:10.0.0.1:1080. Possible values: A comma separated list of scheme:proxy pairs as described above Related options: None
`https_ca_certificates_file = None`	string value	Path to the CA bundle file. This configuration option enables the operator to use a custom Certificate Authority file to verify the remote server certificate. If this option is set, the `https_insecure` option will be ignored and the CA file specified will be used to authenticate the server certificate and establish a secure connection to the server. Possible values: A valid path to a CA file Related options: https_insecure
`https_insecure = True`	boolean value	Set verification of the remote server certificate. This configuration option takes in a boolean value to determine whether or not to verify the remote server certificate. If set to True, the remote server certificate is not verified. If the option is set to False, then the default CA truststore is used for verification. This option is ignored if `https_ca_certificates_file` is set. The remote server certificate will then be verified using the file specified using the `https_ca_certificates_file` option. Possible values: True False Related options: https_ca_certificates_file
`rados_connect_timeout = 0`	integer value	Timeout value for connecting to Ceph cluster. This configuration option takes in the timeout value in seconds used when connecting to the Ceph cluster i.e. it sets the time to wait for glance-api before closing the connection. This prevents glance-api hangups during the connection to RBD. If the value for this option is set to less than or equal to 0, no timeout is set and the default librados value is used. Possible Values: Any integer value Related options: None
`rbd_store_ceph_conf = /etc/ceph/ceph.conf`	string value	Ceph configuration file path. This configuration option takes in the path to the Ceph configuration file to be used. If the value for this option is not set by the user or is set to None, librados will locate the default configuration file which is located at /etc/ceph/ceph.conf. If using Cephx authentication, this file should include a reference to the right keyring in a client.<USER> section Possible Values: A valid path to a configuration file Related options: rbd_store_user
`rbd_store_chunk_size = 8`	integer value	Size, in megabytes, to chunk RADOS images into. Provide an integer value representing the size in megabytes to chunk Glance images into. The default chunk size is 8 megabytes. For optimal performance, the value should be a power of two. When Ceph’s RBD object storage system is used as the storage backend for storing Glance images, the images are chunked into objects of the size set using this option. These chunked objects are then stored across the distributed block data store to use for Glance. Possible Values: Any positive integer value Related options: None
`rbd_store_pool = images`	string value	RADOS pool in which images are stored. When RBD is used as the storage backend for storing Glance images, the images are stored by means of logical grouping of the objects (chunks of images) into a `pool`. Each pool is defined with the number of placement groups it can contain. The default pool that is used is images. More information on the RBD storage backend can be found here: http://ceph.com/planet/how-data-is-stored-in-ceph-cluster/ Possible Values: A valid pool name Related options: None
`rbd_store_user = None`	string value	RADOS user to authenticate as. This configuration option takes in the RADOS user to authenticate as. This is only needed when RADOS authentication is enabled and is applicable only if the user is using Cephx authentication. If the value for this option is not set by the user or is set to None, a default value will be chosen, which will be based on the client. section in rbd_store_ceph_conf. Possible Values: A valid RADOS user Related options: rbd_store_ceph_conf
`rootwrap_config = /etc/glance/rootwrap.conf`	string value	Path to the rootwrap configuration file to use for running commands as root. The cinder store requires root privileges to operate the image volumes (for connecting to iSCSI/FC volumes and reading/writing the volume data, etc.). The configuration file should allow the required commands by cinder store and os-brick library. Possible values: Path to the rootwrap config file Related options: None
`sheepdog_store_address = 127.0.0.1`	unknown value	Address to bind the Sheepdog daemon to. Provide a string value representing the address to bind the Sheepdog daemon to. The default address set for the sheep is 127.0.0.1. The Sheepdog daemon, also called sheep, manages the storage in the distributed cluster by writing objects across the storage network. It identifies and acts on the messages directed to the address set using `sheepdog_store_address` option to store chunks of Glance images. Possible values: A valid IPv4 address A valid IPv6 address A valid hostname Related Options: sheepdog_store_port
`sheepdog_store_chunk_size = 64`	integer value	Chunk size for images to be stored in Sheepdog data store. Provide an integer value representing the size in mebibyte (1048576 bytes) to chunk Glance images into. The default chunk size is 64 mebibytes. When using Sheepdog distributed storage system, the images are chunked into objects of this size and then stored across the distributed data store to use for Glance. Chunk sizes, if a power of two, help avoid fragmentation and enable improved performance. Possible values: Positive integer value representing size in mebibytes. Related Options: None
`sheepdog_store_port = 7000`	port value	Port number on which the sheep daemon will listen. Provide an integer value representing a valid port number on which you want the Sheepdog daemon to listen on. The default port is 7000. The Sheepdog daemon, also called sheep, manages the storage in the distributed cluster by writing objects across the storage network. It identifies and acts on the messages it receives on the port number set using `sheepdog_store_port` option to store chunks of Glance images. Possible values: A valid port number (0 to 65535) Related Options: sheepdog_store_address
`store_capabilities_update_min_interval = 0`	integer value	Minimum interval in seconds to execute updating dynamic storage capabilities based on current backend status. Provide an integer value representing time in seconds to set the minimum interval before an update of dynamic storage capabilities for a storage backend can be attempted. Setting `store_capabilities_update_min_interval` does not mean updates occur periodically based on the set interval. Rather, the update is performed at the elapse of this interval set, if an operation of the store is triggered. By default, this option is set to zero and is disabled. Provide an integer value greater than zero to enable this option. Note For more information on store capabilities and their updates, please visit: https://specs.openstack.org/openstack/glance-specs/specs/kilo/store-capabilities.html For more information on setting up a particular store in your deployment and help with the usage of this feature, please contact the storage driver maintainers listed here: http://docs.openstack.org/developer/glance_store/drivers/index.html Possible values: Zero Positive integer Related Options: None
`stores = [u'file', u'http']`	list value	List of enabled Glance stores. Register the storage backends to use for storing disk images as a comma separated list. The default stores enabled for storing disk images with Glance are `file` and `http`. Possible values: A comma separated list that could include: file http swift rbd sheepdog cinder vmware Related Options: default_store
`swift_buffer_on_upload = False`	boolean value	Buffer image segments before upload to Swift. Provide a boolean value to indicate whether or not Glance should buffer image data to disk while uploading to swift. This enables Glance to resume uploads on error. NOTES: When enabling this option, one should take great care as this increases disk usage on the API node. Be aware that depending upon how the file system is configured, the disk space used for buffering may decrease the actual disk space available for the glance image cache. Disk utilization will cap according to the following equation: (`swift_store_large_object_chunk_size` * `workers` * 1000) Possible values: True False Related options: swift_upload_buffer_dir
`swift_store_admin_tenants = []`	list value	List of tenants that will be granted admin access. This is a list of tenants that will be granted read/write access on all Swift containers created by Glance in multi-tenant mode. The default value is an empty list. Possible values: A comma separated list of strings representing UUIDs of Keystone projects/tenants Related options: None
`swift_store_auth_address = None`	string value	The address where the Swift authentication service is listening.
`swift_store_auth_insecure = False`	boolean value	Set verification of the server certificate. This boolean determines whether or not to verify the server certificate. If this option is set to True, swiftclient won’t check for a valid SSL certificate when authenticating. If the option is set to False, then the default CA truststore is used for verification. Possible values: True False Related options: swift_store_cacert
`swift_store_auth_version = 2`	string value	Version of the authentication service to use. Valid versions are 2 and 3 for keystone and 1 (deprecated) for swauth and rackspace.
`swift_store_cacert = None`	string value	Path to the CA bundle file. This configuration option enables the operator to specify the path to a custom Certificate Authority file for SSL verification when connecting to Swift. Possible values: A valid path to a CA file Related options: swift_store_auth_insecure
`swift_store_config_file = None`	string value	Absolute path to the file containing the swift account(s) configurations. Include a string value representing the path to a configuration file that has references for each of the configured Swift account(s)/backing stores. By default, no file path is specified and customized Swift referencing is disabled. Configuring this option is highly recommended while using Swift storage backend for image storage as it avoids storage of credentials in the database. Note Please do not configure this option if you have set `swift_store_multi_tenant` to `True`. Possible values: String value representing an absolute path on the glance-api node Related options: swift_store_multi_tenant
`swift_store_container = glance`	string value	Name of single container to store images/name prefix for multiple containers When a single container is being used to store images, this configuration option indicates the container within the Glance account to be used for storing all images. When multiple containers are used to store images, this will be the name prefix for all containers. Usage of single/multiple containers can be controlled using the configuration option `swift_store_multiple_containers_seed`. When using multiple containers, the containers will be named after the value set for this configuration option with the first N chars of the image UUID as the suffix delimited by an underscore (where N is specified by `swift_store_multiple_containers_seed`). Example: if the seed is set to 3 and swift_store_container = `glance`, then an image with UUID `fdae39a1-bac5-4238-aba4-69bcc726e848` would be placed in the container `glance_fda`. All dashes in the UUID are included when creating the container name but do not count toward the character limit, so when N=10 the container name would be `glance_fdae39a1-ba.` Possible values: If using single container, this configuration option can be any string that is a valid swift container name in Glance’s Swift account If using multiple containers, this configuration option can be any string as long as it satisfies the container naming rules enforced by Swift. The value of `swift_store_multiple_containers_seed` should be taken into account as well. Related options: `swift_store_multiple_containers_seed` `swift_store_multi_tenant` `swift_store_create_container_on_put`
`swift_store_create_container_on_put = False`	boolean value	Create container, if it doesn’t already exist, when uploading image. At the time of uploading an image, if the corresponding container doesn’t exist, it will be created provided this configuration option is set to True. By default, it won’t be created. This behavior is applicable for both single and multiple containers mode. Possible values: True False Related options: None
`swift_store_endpoint = None`	string value	The URL endpoint to use for Swift backend storage. Provide a string value representing the URL endpoint to use for storing Glance images in Swift store. By default, an endpoint is not set and the storage URL returned by `auth` is used. Setting an endpoint with `swift_store_endpoint` overrides the storage URL and is used for Glance image storage. Note The URL should include the path up to, but excluding the container. The location of an object is obtained by appending the container and object to the configured URL. Possible values: String value representing a valid URL path up to a Swift container Related Options: None
`swift_store_endpoint_type = publicURL`	string value	Endpoint Type of Swift service. This string value indicates the endpoint type to use to fetch the Swift endpoint. The endpoint type determines the actions the user will be allowed to perform, for instance, reading and writing to the Store. This setting is only used if swift_store_auth_version is greater than 1. Possible values: publicURL adminURL internalURL Related options: swift_store_endpoint
`swift_store_expire_soon_interval = 60`	integer value	Time in seconds defining the size of the window in which a new token may be requested before the current token is due to expire. Typically, the Swift storage driver fetches a new token upon the expiration of the current token to ensure continued access to Swift. However, some Swift transactions (like uploading image segments) may not recover well if the token expires on the fly. Hence, by fetching a new token before the current token expiration, we make sure that the token does not expire or is close to expiry before a transaction is attempted. By default, the Swift storage driver requests for a new token 60 seconds or less before the current token expiration. Possible values: Zero Positive integer value Related Options: None
`swift_store_key = None`	string value	Auth key for the user authenticating against the Swift authentication service.
`swift_store_large_object_chunk_size = 200`	integer value	The maximum size, in MB, of the segments when image data is segmented. When image data is segmented to upload images that are larger than the limit enforced by the Swift cluster, image data is broken into segments that are no bigger than the size specified by this configuration option. Refer to `swift_store_large_object_size` for more detail. For example: if `swift_store_large_object_size` is 5GB and `swift_store_large_object_chunk_size` is 1GB, an image of size 6.2GB will be segmented into 7 segments where the first six segments will be 1GB in size and the seventh segment will be 0.2GB. Possible values: A positive integer that is less than or equal to the large object limit enforced by Swift cluster in consideration. Related options: `swift_store_large_object_size`
`swift_store_large_object_size = 5120`	integer value	The size threshold, in MB, after which Glance will start segmenting image data. Swift has an upper limit on the size of a single uploaded object. By default, this is 5GB. To upload objects bigger than this limit, objects are segmented into multiple smaller objects that are tied together with a manifest file. For more detail, refer to http://docs.openstack.org/developer/swift/overview_large_objects.html This configuration option specifies the size threshold over which the Swift driver will start segmenting image data into multiple smaller files. Currently, the Swift driver only supports creating Dynamic Large Objects. Note This should be set by taking into account the large object limit enforced by the Swift cluster in consideration. Possible values: A positive integer that is less than or equal to the large object limit enforced by the Swift cluster in consideration. Related options: `swift_store_large_object_chunk_size`
`swift_store_multi_tenant = False`	boolean value	Store images in tenant’s Swift account. This enables multi-tenant storage mode which causes Glance images to be stored in tenant specific Swift accounts. If this is disabled, Glance stores all images in its own account. More details multi-tenant store can be found at https://wiki.openstack.org/wiki/GlanceSwiftTenantSpecificStorage Note If using multi-tenant swift store, please make sure that you do not set a swift configuration file with the swift_store_config_file option. Possible values: True False Related options: swift_store_config_file
`swift_store_multiple_containers_seed = 0`	integer value	Seed indicating the number of containers to use for storing images. When using a single-tenant store, images can be stored in one or more than one containers. When set to 0, all images will be stored in one single container. When set to an integer value between 1 and 32, multiple containers will be used to store images. This configuration option will determine how many containers are created. The total number of containers that will be used is equal to 16^N, so if this config option is set to 2, then 16^2=256 containers will be used to store images. Please refer to `swift_store_container` for more detail on the naming convention. More detail about using multiple containers can be found at https://specs.openstack.org/openstack/glance-specs/specs/kilo/swift-store-multiple-containers.html Note This is used only when swift_store_multi_tenant is disabled. Possible values: A non-negative integer less than or equal to 32 Related options: `swift_store_container` `swift_store_multi_tenant` `swift_store_create_container_on_put`
`swift_store_region = None`	string value	The region of Swift endpoint to use by Glance. Provide a string value representing a Swift region where Glance can connect to for image storage. By default, there is no region set. When Glance uses Swift as the storage backend to store images for a specific tenant that has multiple endpoints, setting of a Swift region with `swift_store_region` allows Glance to connect to Swift in the specified region as opposed to a single region connectivity. This option can be configured for both single-tenant and multi-tenant storage. Note Setting the region with `swift_store_region` is tenant-specific and is necessary `only if` the tenant has multiple endpoints across different regions. Possible values: A string value representing a valid Swift region. Related Options: None
`swift_store_retry_get_count = 0`	integer value	The number of times a Swift download will be retried before the request fails. Provide an integer value representing the number of times an image download must be retried before erroring out. The default value is zero (no retry on a failed image download). When set to a positive integer value, `swift_store_retry_get_count` ensures that the download is attempted this many more times upon a download failure before sending an error message. Possible values: Zero Positive integer value Related Options: None
`swift_store_service_type = object-store`	string value	Type of Swift service to use. Provide a string value representing the service type to use for storing images while using Swift backend storage. The default service type is set to `object-store`. Note If `swift_store_auth_version` is set to 2, the value for this configuration option needs to be `object-store`. If using a higher version of Keystone or a different auth scheme, this option may be modified. Possible values: A string representing a valid service type for Swift storage. Related Options: None
`swift_store_ssl_compression = True`	boolean value	SSL layer compression for HTTPS Swift requests. Provide a boolean value to determine whether or not to compress HTTPS Swift requests for images at the SSL layer. By default, compression is enabled. When using Swift as the backend store for Glance image storage, SSL layer compression of HTTPS Swift requests can be set using this option. If set to False, SSL layer compression of HTTPS Swift requests is disabled. Disabling this option may improve performance for images which are already in a compressed format, for example, qcow2. Possible values: True False Related Options: None
`swift_store_use_trusts = True`	boolean value	Use trusts for multi-tenant Swift store. This option instructs the Swift store to create a trust for each add/get request when the multi-tenant store is in use. Using trusts allows the Swift store to avoid problems that can be caused by an authentication token expiring during the upload or download of data. By default, `swift_store_use_trusts` is set to `True`(use of trusts is enabled). If set to `False`, a user token is used for the Swift connection instead, eliminating the overhead of trust creation. Note This option is considered only when `swift_store_multi_tenant` is set to `True` Possible values: True False Related options: swift_store_multi_tenant
`swift_store_user = None`	string value	The user to authenticate against the Swift authentication service.
`swift_upload_buffer_dir = None`	string value	Directory to buffer image segments before upload to Swift. Provide a string value representing the absolute path to the directory on the glance node where image segments will be buffered briefly before they are uploaded to swift. NOTES: * This is required only when the configuration option `swift_buffer_on_upload` is set to True. * This directory should be provisioned keeping in mind the `swift_store_large_object_chunk_size` and the maximum number of images that could be uploaded simultaneously by a given glance node. Possible values: String value representing an absolute directory path Related options: swift_buffer_on_upload swift_store_large_object_chunk_size
`vmware_api_retry_count = 10`	integer value	The number of VMware API retries. This configuration option specifies the number of times the VMware ESX/VC server API must be retried upon connection related issues or server API call overload. It is not possible to specify retry forever. Possible Values: Any positive integer value Related options: None
`vmware_ca_file = None`	string value	Absolute path to the CA bundle file. This configuration option enables the operator to use a custom Cerificate Authority File to verify the ESX/vCenter certificate. If this option is set, the "vmware_insecure" option will be ignored and the CA file specified will be used to authenticate the ESX/vCenter server certificate and establish a secure connection to the server. Possible Values: Any string that is a valid absolute path to a CA file Related options: vmware_insecure
`vmware_datastores = None`	multi valued	The datastores where the image can be stored. This configuration option specifies the datastores where the image can be stored in the VMWare store backend. This option may be specified multiple times for specifying multiple datastores. The datastore name should be specified after its datacenter path, separated by ":". An optional weight may be given after the datastore name, separated again by ":" to specify the priority. Thus, the required format becomes <datacenter_path>:<datastore_name>:<optional_weight>. When adding an image, the datastore with highest weight will be selected, unless there is not enough free space available in cases where the image size is already known. If no weight is given, it is assumed to be zero and the directory will be considered for selection last. If multiple datastores have the same weight, then the one with the most free space available is selected. Possible Values: Any string of the format: <datacenter_path>:<datastore_name>:<optional_weight> Related options: * None
`vmware_insecure = False`	boolean value	Set verification of the ESX/vCenter server certificate. This configuration option takes a boolean value to determine whether or not to verify the ESX/vCenter server certificate. If this option is set to True, the ESX/vCenter server certificate is not verified. If this option is set to False, then the default CA truststore is used for verification. This option is ignored if the "vmware_ca_file" option is set. In that case, the ESX/vCenter server certificate will then be verified using the file specified using the "vmware_ca_file" option . Possible Values: True False Related options: vmware_ca_file
`vmware_server_host = None`	unknown value	Address of the ESX/ESXi or vCenter Server target system. This configuration option sets the address of the ESX/ESXi or vCenter Server target system. This option is required when using the VMware storage backend. The address can contain an IP address (127.0.0.1) or a DNS name (www.my-domain.com). Possible Values: A valid IPv4 or IPv6 address A valid DNS name Related options: vmware_server_username vmware_server_password
`vmware_server_password = None`	string value	Server password. This configuration option takes the password for authenticating with the VMware ESX/ESXi or vCenter Server. This option is required when using the VMware storage backend. Possible Values: Any string that is a password corresponding to the username specified using the "vmware_server_username" option Related options: vmware_server_host vmware_server_username
`vmware_server_username = None`	string value	Server username. This configuration option takes the username for authenticating with the VMware ESX/ESXi or vCenter Server. This option is required when using the VMware storage backend. Possible Values: Any string that is the username for a user with appropriate privileges Related options: vmware_server_host vmware_server_password
`vmware_store_image_dir = /openstack_glance`	string value	The directory where the glance images will be stored in the datastore. This configuration option specifies the path to the directory where the glance images will be stored in the VMware datastore. If this option is not set, the default directory where the glance images are stored is openstack_glance. Possible Values: Any string that is a valid path to a directory Related options: None
`vmware_task_poll_interval = 5`	integer value	Interval in seconds used for polling remote tasks invoked on VMware ESX/VC server. This configuration option takes in the sleep time in seconds for polling an on-going async task as part of the VMWare ESX/VC server API call. Possible Values: Any positive integer value Related options: None

5.1.5. image_format

The following table outlines the options available under the [image_format] group in the /etc/glance/glance-api.conf file.

Table 5.5. image_format
Configuration option = Default value	Type	Description
`container_formats = [u'ami', u'ari', u'aki', u'bare', u'ovf', u'ova', u'docker']`	list value	Supported values for the container_format image attribute
`disk_formats = [u'ami', u'ari', u'aki', u'vhd', u'vhdx', u'vmdk', u'raw', u'qcow2', u'vdi', u'iso', u'ploop']`	list value	Supported values for the disk_format image attribute

5.1.6. keystone_authtoken

The following table outlines the options available under the [keystone_authtoken] group in the /etc/glance/glance-api.conf file.

Table 5.6. keystone_authtoken
Configuration option = Default value	Type	Description
`auth_section = None`	string value	Config Section from which to load plugin specific options
`auth_type = None`	string value	Authentication type to load
`auth_uri = None`	string value	Complete "public" Identity API endpoint. This endpoint should not be an "admin" endpoint, as it should be accessible by all end users. Unauthenticated clients are redirected to this endpoint to authenticate. Although this endpoint should ideally be unversioned, client support in the wild varies. If you’re using a versioned v2 endpoint here, then this should not be the same endpoint the service user utilizes for validating tokens, because normal end users may not be able to reach that endpoint. This option is deprecated in favor of www_authenticate_uri and will be removed in the S release.
`auth_version = None`	string value	API version of the admin Identity API endpoint.
`cache = None`	string value	Request environment key where the Swift cache object is stored. When auth_token middleware is deployed with a Swift cache, use this option to have the middleware share a caching backend with swift. Otherwise, use the `memcached_servers` option instead.
`cafile = None`	string value	A PEM encoded Certificate Authority to use when verifying HTTPs connections. Defaults to system CAs.
`certfile = None`	string value	Required if identity server requires client certificate
`check_revocations_for_cached = False`	boolean value	If true, the revocation list will be checked for cached tokens. This requires that PKI tokens are configured on the identity server.
`delay_auth_decision = False`	boolean value	Do not handle authorization requests within the middleware, but delegate the authorization decision to downstream WSGI components.
`enforce_token_bind = permissive`	string value	Used to control the use and type of token binding. Can be set to: "disabled" to not check token binding. "permissive" (default) to validate binding information if the bind type is of a form known to the server and ignore it if not. "strict" like "permissive" but if the bind type is unknown the token will be rejected. "required" any form of token binding is needed to be allowed. Finally the name of a binding method that must be present in tokens.
`hash_algorithms = [u'md5']`	list value	Hash algorithms to use for hashing PKI tokens. This may be a single algorithm or multiple. The algorithms are those supported by Python standard hashlib.new(). The hashes will be tried in the order given, so put the preferred one first for performance. The result of the first hash will be stored in the cache. This will typically be set to multiple values only while migrating from a less secure algorithm to a more secure one. Once all the old tokens are expired this option should be set to a single value for better performance.
`http_connect_timeout = None`	integer value	Request timeout value for communicating with Identity API server.
`http_request_max_retries = 3`	integer value	How many times are we trying to reconnect when communicating with Identity API Server.
`include_service_catalog = True`	boolean value	(Optional) Indicate whether to set the X-Service-Catalog header. If False, middleware will not ask for service catalog on token validation and will not set the X-Service-Catalog header.
`insecure = False`	boolean value	Verify HTTPS connections.
`keyfile = None`	string value	Required if identity server requires client certificate
`memcache_pool_conn_get_timeout = 10`	integer value	(Optional) Number of seconds that an operation will wait to get a memcached client connection from the pool.
`memcache_pool_dead_retry = 300`	integer value	(Optional) Number of seconds memcached server is considered dead before it is tried again.
`memcache_pool_maxsize = 10`	integer value	(Optional) Maximum total number of open connections to every memcached server.
`memcache_pool_socket_timeout = 3`	integer value	(Optional) Socket timeout in seconds for communicating with a memcached server.
`memcache_pool_unused_timeout = 60`	integer value	(Optional) Number of seconds a connection to memcached is held unused in the pool before it is closed.
`memcache_secret_key = None`	string value	(Optional, mandatory if memcache_security_strategy is defined) This string is used for key derivation.
`memcache_security_strategy = None`	string value	(Optional) If defined, indicate whether token data should be authenticated or authenticated and encrypted. If MAC, token data is authenticated (with HMAC) in the cache. If ENCRYPT, token data is encrypted and authenticated in the cache. If the value is not one of these options or empty, auth_token will raise an exception on initialization.
`memcache_use_advanced_pool = False`	boolean value	(Optional) Use the advanced (eventlet safe) memcached client pool. The advanced pool will only work under python 2.x.
`memcached_servers = None`	list value	Optionally specify a list of memcached server(s) to use for caching. If left undefined, tokens will instead be cached in-process.
`region_name = None`	string value	The region in which the identity server can be found.
`revocation_cache_time = 10`	integer value	Determines the frequency at which the list of revoked tokens is retrieved from the Identity service (in seconds). A high number of revocation events combined with a low cache duration may significantly reduce performance. Only valid for PKI tokens. This option has been deprecated in the Ocata release and will be removed in the P release.
`service_token_roles = [u'service']`	list value	A choice of roles that must be present in a service token. Service tokens are allowed to request that an expired token can be used and so this check should tightly control that only actual services should be sending this token. Roles here are applied as an ANY check so any role in this list must be present. For backwards compatibility reasons this currently only affects the allow_expired check.
`service_token_roles_required = False`	boolean value	For backwards compatibility reasons we must let valid service tokens pass that don’t pass the service_token_roles check as valid. Setting this true will become the default in a future release and should be enabled if possible.
`signing_dir = None`	string value	Directory used to cache files related to PKI tokens. This option has been deprecated in the Ocata release and will be removed in the P release.
`token_cache_time = 300`	integer value	In order to prevent excessive effort spent validating tokens, the middleware caches previously-seen tokens for a configurable duration (in seconds). Set to -1 to disable caching completely.
`www_authenticate_uri = None`	string value	Complete "public" Identity API endpoint. This endpoint should not be an "admin" endpoint, as it should be accessible by all end users. Unauthenticated clients are redirected to this endpoint to authenticate. Although this endpoint should ideally be unversioned, client support in the wild varies. If you’re using a versioned v2 endpoint here, then this should not be the same endpoint the service user utilizes for validating tokens, because normal end users may not be able to reach that endpoint.

5.1.7. matchmaker_redis

The following table outlines the options available under the [matchmaker_redis] group in the /etc/glance/glance-api.conf file.

Table 5.7. matchmaker_redis
Configuration option = Default value	Type	Description
`check_timeout = 20000`	integer value	Time in ms to wait before the transaction is killed.
`host = 127.0.0.1`	string value	Host to locate redis.
`password = `	string value	Password for Redis server (optional).
`port = 6379`	port value	Use this port to connect to redis host.
`sentinel_group_name = oslo-messaging-zeromq`	string value	Redis replica set name.
`sentinel_hosts = []`	list value	List of Redis Sentinel hosts (fault tolerance mode), e.g., [host:port, host1:port … ]
`socket_timeout = 10000`	integer value	Timeout in ms on blocking socket operations.
`wait_timeout = 2000`	integer value	Time in ms to wait between connection attempts.

5.1.8. oslo_concurrency

The following table outlines the options available under the [oslo_concurrency] group in the /etc/glance/glance-api.conf file.

Table 5.8. oslo_concurrency
Configuration option = Default value	Type	Description
`disable_process_locking = False`	boolean value	Enables or disables inter-process locks.
`lock_path = None`	string value	Directory to use for lock files. For security, the specified directory should only be writable by the user running the processes that need locking. Defaults to environment variable OSLO_LOCK_PATH. If external locks are used, a lock path must be set.

5.1.9. oslo_messaging_amqp

The following table outlines the options available under the [oslo_messaging_amqp] group in the /etc/glance/glance-api.conf file.

Table 5.9. oslo_messaging_amqp
Configuration option = Default value	Type	Description
`addressing_mode = dynamic`	string value	Indicates the addressing mode used by the driver. Permitted values: legacy - use legacy non-routable addressing routable - use routable addresses dynamic - use legacy addresses if the message bus does not support routing otherwise use routable addressing
`allow_insecure_clients = False`	boolean value	Accept clients using either SSL or plain TCP
`anycast_address = anycast`	string value	Appended to the address prefix when sending to a group of consumers. Used by the message bus to identify messages that should be delivered in a round-robin fashion across consumers.
`broadcast_prefix = broadcast`	string value	address prefix used when broadcasting to all servers
`connection_retry_backoff = 2`	integer value	Increase the connection_retry_interval by this many seconds after each unsuccessful failover attempt.
`connection_retry_interval = 1`	integer value	Seconds to pause before attempting to re-connect.
`connection_retry_interval_max = 30`	integer value	Maximum limit for connection_retry_interval + connection_retry_backoff
`container_name = None`	string value	Name for the AMQP container. must be globally unique. Defaults to a generated UUID
`default_notification_exchange = None`	string value	Exchange name used in notification addresses. Exchange name resolution precedence: Target.exchange if set else default_notification_exchange if set else control_exchange if set else notify
`default_notify_timeout = 30`	integer value	The deadline for a sent notification message delivery. Only used when caller does not provide a timeout expiry.
`default_reply_retry = 0`	integer value	The maximum number of attempts to re-send a reply message which failed due to a recoverable error.
`default_reply_timeout = 30`	integer value	The deadline for an rpc reply message delivery.
`default_rpc_exchange = None`	string value	Exchange name used in RPC addresses. Exchange name resolution precedence: Target.exchange if set else default_rpc_exchange if set else control_exchange if set else rpc
`default_send_timeout = 30`	integer value	The deadline for an rpc cast or call message delivery. Only used when caller does not provide a timeout expiry.
`default_sender_link_timeout = 600`	integer value	The duration to schedule a purge of idle sender links. Detach link after expiry.
`group_request_prefix = unicast`	string value	address prefix when sending to any server in group
`idle_timeout = 0`	integer value	Timeout for inactive connections (in seconds)
`link_retry_delay = 10`	integer value	Time to pause between re-connecting an AMQP 1.0 link that failed due to a recoverable error.
`multicast_address = multicast`	string value	Appended to the address prefix when sending a fanout message. Used by the message bus to identify fanout messages.
`notify_address_prefix = openstack.org/om/notify`	string value	Address prefix for all generated Notification addresses
`notify_server_credit = 100`	integer value	Window size for incoming Notification messages
`password = `	string value	Password for message broker authentication
`pre_settled = [u'rpc-cast', u'rpc-reply']`	multi valued	Send messages of this type pre-settled. Pre-settled messages will not receive acknowledgement from the peer. Note well: pre-settled messages may be silently discarded if the delivery fails. Permitted values: rpc-call - send RPC Calls pre-settled rpc-reply- send RPC Replies pre-settled rpc-cast - Send RPC Casts pre-settled notify - Send Notifications pre-settled
`pseudo_vhost = True`	boolean value	Enable virtual host support for those message buses that do not natively support virtual hosting (such as qpidd). When set to true the virtual host name will be added to all message bus addresses, effectively creating a private subnet per virtual host. Set to False if the message bus supports virtual hosting using the hostname field in the AMQP 1.0 Open performative as the name of the virtual host.
`reply_link_credit = 200`	integer value	Window size for incoming RPC Reply messages.
`rpc_address_prefix = openstack.org/om/rpc`	string value	Address prefix for all generated RPC addresses
`rpc_server_credit = 100`	integer value	Window size for incoming RPC Request messages
`sasl_config_dir = `	string value	Path to directory that contains the SASL configuration
`sasl_config_name = `	string value	Name of configuration file (without .conf suffix)
`sasl_default_realm = `	string value	SASL realm to use if no realm present in username
`sasl_mechanisms = `	string value	Space separated list of acceptable SASL mechanisms
`server_request_prefix = exclusive`	string value	address prefix used when sending to a specific server
`ssl = False`	boolean value	Attempt to connect via SSL. If no other ssl-related parameters are given, it will use the system’s CA-bundle to verify the server’s certificate.
`ssl_ca_file = `	string value	CA certificate PEM file used to verify the server’s certificate
`ssl_cert_file = `	string value	Self-identifying certificate PEM file for client authentication
`ssl_key_file = `	string value	Private key PEM file used to sign ssl_cert_file certificate (optional)
`ssl_key_password = None`	string value	Password for decrypting ssl_key_file (if encrypted)
`ssl_verify_vhost = False`	boolean value	By default SSL checks that the name in the server’s certificate matches the hostname in the transport_url. In some configurations it may be preferable to use the virtual hostname instead, for example if the server uses the Server Name Indication TLS extension (rfc6066) to provide a certificate per virtual host. Set ssl_verify_vhost to True if the server’s SSL certificate uses the virtual host name instead of the DNS name.
`trace = False`	boolean value	Debug: dump AMQP frames to stdout
`unicast_address = unicast`	string value	Appended to the address prefix when sending to a particular RPC/Notification server. Used by the message bus to identify messages sent to a single destination.
`username = `	string value	User name for message broker authentication

5.1.10. oslo_messaging_kafka

The following table outlines the options available under the [oslo_messaging_kafka] group in the /etc/glance/glance-api.conf file.

Table 5.10. oslo_messaging_kafka
Configuration option = Default value	Type	Description
`conn_pool_min_size = 2`	integer value	The pool size limit for connections expiration policy
`conn_pool_ttl = 1200`	integer value	The time-to-live in sec of idle connections in the pool
`consumer_group = oslo_messaging_consumer`	string value	Group id for Kafka consumer. Consumers in one group will coordinate message consumption
`kafka_consumer_timeout = 1.0`	floating point value	Default timeout(s) for Kafka consumers
`kafka_default_host = localhost`	string value	Default Kafka broker Host
`kafka_default_port = 9092`	port value	Default Kafka broker Port
`kafka_max_fetch_bytes = 1048576`	integer value	Max fetch bytes of Kafka consumer
`pool_size = 10`	integer value	Pool Size for Kafka Consumers
`producer_batch_size = 16384`	integer value	Size of batch for the producer async send
`producer_batch_timeout = 0.0`	floating point value	Upper bound on the delay for KafkaProducer batching in seconds

5.1.11. oslo_messaging_notifications

The following table outlines the options available under the [oslo_messaging_notifications] group in the /etc/glance/glance-api.conf file.

Table 5.11. oslo_messaging_notifications
Configuration option = Default value	Type	Description
`driver = []`	multi valued	The Drivers(s) to handle sending notifications. Possible values are messaging, messagingv2, routing, log, test, noop
`retry = -1`	integer value	The maximum number of attempts to re-send a notification message which failed to be delivered due to a recoverable error. 0 - No retry, -1 - indefinite
`topics = [u'notifications']`	list value	AMQP topic used for OpenStack notifications.
`transport_url = None`	string value	A URL representing the messaging driver to use for notifications. If not set, we fall back to the same configuration used for RPC.

5.1.12. oslo_messaging_rabbit

The following table outlines the options available under the [oslo_messaging_rabbit] group in the /etc/glance/glance-api.conf file.

Table 5.12. oslo_messaging_rabbit
Configuration option = Default value	Type	Description
`amqp_auto_delete = False`	boolean value	Auto-delete queues in AMQP.
`amqp_durable_queues = False`	boolean value	Use durable queues in AMQP.
`channel_max = None`	integer value	Maximum number of channels to allow
`connection_factory = single`	string value	Connection factory implementation
`default_notification_exchange = ${control_exchange}_notification`	string value	Exchange name for sending notifications
`default_notification_retry_attempts = -1`	integer value	Reconnecting retry count in case of connectivity problem during sending notification, -1 means infinite retry.
`default_rpc_exchange = ${control_exchange}_rpc`	string value	Exchange name for sending RPC messages
`default_rpc_retry_attempts = -1`	integer value	Reconnecting retry count in case of connectivity problem during sending RPC message, -1 means infinite retry. If actual retry attempts in not 0 the rpc request could be processed more than one time
`default_serializer_type = json`	string value	Default serialization mechanism for serializing/deserializing outgoing/incoming messages
`fake_rabbit = False`	boolean value	Deprecated, use rpc_backend=kombu+memory or rpc_backend=fake
`frame_max = None`	integer value	The maximum byte size for an AMQP frame
`heartbeat_interval = 3`	integer value	How often to send heartbeats for consumer’s connections
`heartbeat_rate = 2`	integer value	How often times during the heartbeat_timeout_threshold we check the heartbeat.
`heartbeat_timeout_threshold = 60`	integer value	Number of seconds after which the Rabbit broker is considered down if heartbeat’s keep-alive fails (0 disable the heartbeat). EXPERIMENTAL
`host_connection_reconnect_delay = 0.25`	floating point value	Set delay for reconnection to some host which has connection error
`kombu_compression = None`	string value	EXPERIMENTAL: Possible values are: gzip, bz2. If not set compression will not be used. This option may not be available in future versions.
`kombu_failover_strategy = round-robin`	string value	Determines how the next RabbitMQ node is chosen in case the one we are currently connected to becomes unavailable. Takes effect only if more than one RabbitMQ node is provided in config.
`kombu_missing_consumer_retry_timeout = 60`	integer value	How long to wait a missing client before abandoning to send it its replies. This value should not be longer than rpc_response_timeout.
`kombu_reconnect_delay = 1.0`	floating point value	How long to wait before reconnecting in response to an AMQP consumer cancel notification.
`notification_listener_prefetch_count = 100`	integer value	Max number of not acknowledged message which RabbitMQ can send to notification listener.
`notification_persistence = False`	boolean value	Persist notification messages.
`notification_retry_delay = 0.25`	floating point value	Reconnecting retry delay in case of connectivity problem during sending notification message
`pool_max_overflow = 0`	integer value	Maximum number of connections to create above `pool_max_size`.
`pool_max_size = 30`	integer value	Maximum number of connections to keep queued.
`pool_recycle = 600`	integer value	Lifetime of a connection (since creation) in seconds or None for no recycling. Expired connections are closed on acquire.
`pool_stale = 60`	integer value	Threshold at which inactive (since release) connections are considered stale in seconds or None for no staleness. Stale connections are closed on acquire.
`pool_timeout = 30`	integer value	Default number of seconds to wait for a connections to available
`rabbit_ha_queues = False`	boolean value	Try to use HA queues in RabbitMQ (x-ha-policy: all). If you change this option, you must wipe the RabbitMQ database. In RabbitMQ 3.0, queue mirroring is no longer controlled by the x-ha-policy argument when declaring a queue. If you just want to make sure that all queues (except those with auto-generated names) are mirrored across all nodes, run: "rabbitmqctl set_policy HA ^(?!amq\.).* {"ha-mode": "all"} "
`rabbit_host = localhost`	string value	The RabbitMQ broker address where a single node is used.
`rabbit_hosts = [u'$rabbit_host:$rabbit_port']`	list value	RabbitMQ HA cluster host:port pairs.
`rabbit_interval_max = 30`	integer value	Maximum interval of RabbitMQ connection retries. Default is 30 seconds.
`rabbit_login_method = AMQPLAIN`	string value	The RabbitMQ login method.
`rabbit_max_retries = 0`	integer value	Maximum number of RabbitMQ connection retries. Default is 0 (infinite retry count).
`rabbit_password = guest`	string value	The RabbitMQ password.
`rabbit_port = 5672`	port value	The RabbitMQ broker port where a single node is used.
`rabbit_qos_prefetch_count = 0`	integer value	Specifies the number of messages to prefetch. Setting to zero allows unlimited messages.
`rabbit_retry_backoff = 2`	integer value	How long to backoff for between retries when connecting to RabbitMQ.
`rabbit_retry_interval = 1`	integer value	How frequently to retry connecting with RabbitMQ.
`rabbit_transient_queues_ttl = 1800`	integer value	Positive integer representing duration in seconds for queue TTL (x-expires). Queues which are unused for the duration of the TTL are automatically deleted. The parameter affects only reply and fanout queues.
`rabbit_userid = guest`	string value	The RabbitMQ userid.
`rabbit_virtual_host = /`	string value	The RabbitMQ virtual host.
`rpc_listener_prefetch_count = 100`	integer value	Max number of not acknowledged message which RabbitMQ can send to rpc listener.
`rpc_queue_expiration = 60`	integer value	Time to live for rpc queues without consumers in seconds.
`rpc_reply_exchange = ${control_exchange}_rpc_reply`	string value	Exchange name for receiving RPC replies
`rpc_reply_listener_prefetch_count = 100`	integer value	Max number of not acknowledged message which RabbitMQ can send to rpc reply listener.
`rpc_reply_retry_attempts = -1`	integer value	Reconnecting retry count in case of connectivity problem during sending reply. -1 means infinite retry during rpc_timeout
`rpc_reply_retry_delay = 0.25`	floating point value	Reconnecting retry delay in case of connectivity problem during sending reply.
`rpc_retry_delay = 0.25`	floating point value	Reconnecting retry delay in case of connectivity problem during sending RPC message
`socket_timeout = 0.25`	floating point value	Set socket timeout in seconds for connection’s socket
`ssl = None`	boolean value	Enable SSL
`ssl_ca_file = `	string value	SSL certification authority file (valid only if SSL enabled).
`ssl_cert_file = `	string value	SSL cert file (valid only if SSL enabled).
`ssl_key_file = `	string value	SSL key file (valid only if SSL enabled).
`ssl_options = None`	dict value	Arguments passed to ssl.wrap_socket
`ssl_version = `	string value	SSL version to use (valid only if SSL enabled). Valid values are TLSv1 and SSLv23. SSLv2, SSLv3, TLSv1_1, and TLSv1_2 may be available on some distributions.
`tcp_user_timeout = 0.25`	floating point value	Set TCP_USER_TIMEOUT in seconds for connection’s socket

5.1.13. oslo_messaging_zmq

The following table outlines the options available under the [oslo_messaging_zmq] group in the /etc/glance/glance-api.conf file.

Table 5.13. oslo_messaging_zmq
Configuration option = Default value	Type	Description
`rpc_ack_timeout_base = 15`	integer value	Number of seconds to wait for an ack from a cast/call. After each retry attempt this timeout is multiplied by some specified multiplier.
`rpc_ack_timeout_multiplier = 2`	integer value	Number to multiply base ack timeout by after each retry attempt.
`rpc_message_ttl = 300`	integer value	Expiration timeout in seconds of a sent/received message after which it is not tracked anymore by a client/server.
`rpc_poll_timeout = 1`	integer value	The default number of seconds that poll should wait. Poll raises timeout exception when timeout expired.
`rpc_retry_attempts = 3`	integer value	Default number of message sending attempts in case of any problems occurred: positive value N means at most N retries, 0 means no retries, None or -1 (or any other negative values) mean to retry forever. This option is used only if acknowledgments are enabled.
`rpc_thread_pool_size = 100`	integer value	Maximum number of (green) threads to work concurrently.
`rpc_use_acks = False`	boolean value	Wait for message acknowledgements from receivers. This mechanism works only via proxy without PUB/SUB.
`rpc_zmq_bind_address = *`	string value	ZeroMQ bind address. Should be a wildcard (*), an ethernet interface, or IP. The "host" option should point or resolve to this address.
`rpc_zmq_bind_port_retries = 100`	integer value	Number of retries to find free port number before fail with ZMQBindError.
`rpc_zmq_contexts = 1`	integer value	Number of ZeroMQ contexts, defaults to 1.
`rpc_zmq_host = ccsosp-undercloud.usersys.redhat.com`	string value	Name of this node. Must be a valid hostname, FQDN, or IP address. Must match "host" option, if running Nova.
`rpc_zmq_ipc_dir = /var/run/openstack`	string value	Directory for holding IPC sockets.
`rpc_zmq_matchmaker = redis`	string value	MatchMaker driver.
`rpc_zmq_max_port = 65536`	integer value	Maximal port number for random ports range.
`rpc_zmq_min_port = 49153`	port value	Minimal port number for random ports range.
`rpc_zmq_serialization = json`	string value	Default serialization mechanism for serializing/deserializing outgoing/incoming messages
`rpc_zmq_topic_backlog = None`	integer value	Maximum number of ingress messages to locally buffer per topic. Default is unlimited.
`subscribe_on = []`	list value	List of publisher hosts SubConsumer can subscribe on. This option has higher priority then the default publishers list taken from the matchmaker.
`use_dynamic_connections = False`	boolean value	This option makes direct connections dynamic or static. It makes sense only with use_router_proxy=False which means to use direct connections for direct message types (ignored otherwise).
`use_pub_sub = False`	boolean value	Use PUB/SUB pattern for fanout methods. PUB/SUB always uses proxy.
`use_router_proxy = False`	boolean value	Use ROUTER remote proxy.
`zmq_failover_connections = 2`	integer value	How many additional connections to a host will be made for failover reasons. This option is actual only in dynamic connections mode.
`zmq_immediate = True`	boolean value	This option configures round-robin mode in zmq socket. True means not keeping a queue when server side disconnects. False means to keep queue and messages even if server is disconnected, when the server appears we send all accumulated messages to it.
`zmq_linger = -1`	integer value	Number of seconds to wait before all pending messages will be sent after closing a socket. The default value of -1 specifies an infinite linger period. The value of 0 specifies no linger period. Pending messages shall be discarded immediately when the socket is closed. Positive values specify an upper bound for the linger period.
`zmq_target_expire = 300`	integer value	Expiration timeout in seconds of a name service record about existing target ( < 0 means no timeout).
`zmq_target_update = 180`	integer value	Update period in seconds of a name service record about existing target.
`zmq_tcp_keepalive = -1`	integer value	Enable/disable TCP keepalive (KA) mechanism. The default value of -1 (or any other negative value) means to skip any overrides and leave it to OS default; 0 and 1 (or any other positive value) mean to disable and enable the option respectively.
`zmq_tcp_keepalive_cnt = -1`	integer value	The number of retransmissions to be carried out before declaring that remote end is not available. The default value of -1 (or any other negative value and 0) means to skip any overrides and leave it to OS default.
`zmq_tcp_keepalive_idle = -1`	integer value	The duration between two keepalive transmissions in idle condition. The unit is platform dependent, for example, seconds in Linux, milliseconds in Windows etc. The default value of -1 (or any other negative value and 0) means to skip any overrides and leave it to OS default.
`zmq_tcp_keepalive_intvl = -1`	integer value	The duration between two successive keepalive retransmissions, if acknowledgement to the previous keepalive transmission is not received. The unit is platform dependent, for example, seconds in Linux, milliseconds in Windows etc. The default value of -1 (or any other negative value and 0) means to skip any overrides and leave it to OS default.

5.1.14. oslo_middleware

The following table outlines the options available under the [oslo_middleware] group in the /etc/glance/glance-api.conf file.

Table 5.14. oslo_middleware
Configuration option = Default value	Type	Description
`enable_proxy_headers_parsing = False`	boolean value	Whether the application is behind a proxy or not. This determines if the middleware should parse the headers or not.

5.1.15. oslo_policy

The following table outlines the options available under the [oslo_policy] group in the /etc/glance/glance-api.conf file.

Table 5.15. oslo_policy
Configuration option = Default value	Type	Description
`enforce_scope = False`	boolean value	This option controls whether or not to enforce scope when evaluating policies. If `True`, the scope of the token used in the request is compared to the `scope_types` of the policy being enforced. If the scopes do not match, an `InvalidScope` exception will be raised. If `False`, a message will be logged informing operators that policies are being invoked with mismatching scope.
`policy_default_rule = default`	string value	Default rule. Enforced when a requested rule is not found.
`policy_dirs = [u'policy.d']`	multi valued	Directories where policy configuration files are stored. They can be relative to any directory in the search path defined by the config_dir option, or absolute paths. The file defined by policy_file must exist for these directories to be searched. Missing or empty directories are ignored.
`policy_file = policy.json`	string value	The file that defines policies.
`remote_content_type = application/x-www-form-urlencoded`	string value	Content Type to send and receive data for REST based policy check
`remote_ssl_ca_crt_file = None`	string value	Absolute path to ca cert file for REST based policy check
`remote_ssl_client_crt_file = None`	string value	Absolute path to client cert for REST based policy check
`remote_ssl_client_key_file = None`	string value	Absolute path client key file REST based policy check
`remote_ssl_verify_server_crt = False`	boolean value	server identity verification for REST based policy check

5.1.16. paste_deploy

The following table outlines the options available under the [paste_deploy] group in the /etc/glance/glance-api.conf file.

Table 5.16. paste_deploy
Configuration option = Default value	Type	Description
`config_file = None`	string value	Name of the paste configuration file. Provide a string value representing the name of the paste configuration file to use for configuring piplelines for server application deployments. NOTES: Provide the name or the path relative to the glance directory for the paste configuration file and not the absolute path. The sample paste configuration file shipped with Glance need not be edited in most cases as it comes with ready-made pipelines for all common deployment flavors. If no value is specified for this option, the `paste.ini` file with the prefix of the corresponding Glance service’s configuration file name will be searched for in the known configuration directories. (For example, if this option is missing from or has no value set in `glance-api.conf`, the service will look for a file named `glance-api-paste.ini`.) If the paste configuration file is not found, the service will not start. Possible values: A string value representing the name of the paste configuration file. Related Options: flavor
`flavor = None`	string value	Deployment flavor to use in the server application pipeline. Provide a string value representing the appropriate deployment flavor used in the server application pipleline. This is typically the partial name of a pipeline in the paste configuration file with the service name removed. For example, if your paste section name in the paste configuration file is [pipeline:glance-api-keystone], set `flavor` to `keystone`. Possible values: String value representing a partial pipeline name. Related Options: config_file

5.1.17. profiler

The following table outlines the options available under the [profiler] group in the /etc/glance/glance-api.conf file.

Table 5.17. profiler
Configuration option = Default value	Type	Description
`connection_string = messaging://`	string value	Connection string for a notifier backend. Default value is messaging:// which sets the notifier to oslo_messaging. Examples of possible values: messaging://: use oslo_messaging driver for sending notifications. mongodb://127.0.0.1:27017 : use mongodb driver for sending notifications. elasticsearch://127.0.0.1:9200 : use elasticsearch driver for sending notifications.
`enabled = False`	boolean value	Enables the profiling for all services on this node. Default value is False (fully disable the profiling feature). Possible values: True: Enables the feature False: Disables the feature. The profiling cannot be started via this project operations. If the profiling is triggered by another project, this project part will be empty.
`es_doc_type = notification`	string value	Document type for notification indexing in elasticsearch.
`es_scroll_size = 10000`	integer value	Elasticsearch splits large requests in batches. This parameter defines maximum size of each batch (for example: es_scroll_size=10000).
`es_scroll_time = 2m`	string value	This parameter is a time value parameter (for example: es_scroll_time=2m), indicating for how long the nodes that participate in the search will maintain relevant resources in order to continue and support it.
`hmac_keys = SECRET_KEY`	string value	Secret key(s) to use for encrypting context data for performance profiling. This string value should have the following format: <key1>[,<key2>,…<keyn>], where each key is some random string. A user who triggers the profiling via the REST API has to set one of these keys in the headers of the REST API call to include profiling results of this node for this particular project. Both "enabled" flag and "hmac_keys" config options should be set to enable profiling. Also, to generate correct profiling information across all services at least one key needs to be consistent between OpenStack projects. This ensures it can be used from client side to generate the trace, containing information from all possible resources.
`sentinel_service_name = mymaster`	string value	Redissentinel uses a service name to identify a master redis service. This parameter defines the name (for example: sentinal_service_name=mymaster).
`socket_timeout = 0.1`	floating point value	Redissentinel provides a timeout option on the connections. This parameter defines that timeout (for example: socket_timeout=0.1).
`trace_sqlalchemy = False`	boolean value	Enables SQL requests profiling in services. Default value is False (SQL requests won’t be traced). Possible values: True: Enables SQL requests profiling. Each SQL query will be part of the trace and can the be analyzed by how much time was spent for that. False: Disables SQL requests profiling. The spent time is only shown on a higher level of operations. Single SQL queries cannot be analyzed this way.

5.1.18. store_type_location_strategy

The following table outlines the options available under the [store_type_location_strategy] group in the /etc/glance/glance-api.conf file.

Table 5.18. store_type_location_strategy
Configuration option = Default value	Type	Description
`store_type_preference = []`	list value	Preference order of storage backends. Provide a comma separated list of store names in the order in which images should be retrieved from storage backends. These store names must be registered with the `stores` configuration option. Note The `store_type_preference` configuration option is applied only if `store_type` is chosen as a value for the `location_strategy` configuration option. An empty list will not change the location order. Possible values: Empty list Comma separated list of registered store names. Legal values are: file http rbd swift sheepdog cinder vmware Related options: location_strategy stores

5.1.19. task

The following table outlines the options available under the [task] group in the /etc/glance/glance-api.conf file.

Table 5.19. task
Configuration option = Default value	Type	Description
`task_executor = taskflow`	string value	Task executor to be used to run task scripts. Provide a string value representing the executor to use for task executions. By default, `TaskFlow` executor is used. `TaskFlow` helps make task executions easy, consistent, scalable and reliable. It also enables creation of lightweight task objects and/or functions that are combined together into flows in a declarative manner. Possible values: taskflow Related Options: None
`task_time_to_live = 48`	integer value	Time in hours for which a task lives after, either succeeding or failing
`work_dir = None`	string value	Absolute path to the work directory to use for asynchronous task operations. The directory set here will be used to operate over images - normally before they are imported in the destination store. Note When providing a value for `work_dir`, please make sure that enough space is provided for concurrent tasks to run efficiently without running out of space. A rough estimation can be done by multiplying the number of `max_workers` with an average image size (e.g 500MB). The image size estimation should be done based on the average size in your deployment. Note that depending on the tasks running you may need to multiply this number by some factor depending on what the task does. For example, you may want to double the available size if image conversion is enabled. All this being said, remember these are just estimations and you should do them based on the worst case scenario and be prepared to act in case they were wrong. Possible values: String value representing the absolute path to the working directory Related Options: None

5.1.20. taskflow_executor

The following table outlines the options available under the [taskflow_executor] group in the /etc/glance/glance-api.conf file.

Table 5.20. taskflow_executor
Configuration option = Default value	Type	Description
`conversion_format = None`	string value	Set the desired image conversion format. Provide a valid image format to which you want images to be converted before they are stored for consumption by Glance. Appropriate image format conversions are desirable for specific storage backends in order to facilitate efficient handling of bandwidth and usage of the storage infrastructure. By default, `conversion_format` is not set and must be set explicitly in the configuration file. The allowed values for this option are `raw`, `qcow2` and `vmdk`. The `raw` format is the unstructured disk format and should be chosen when RBD or Ceph storage backends are used for image storage. `qcow2` is supported by the QEMU emulator that expands dynamically and supports Copy on Write. The `vmdk` is another common disk format supported by many common virtual machine monitors like VMWare Workstation. Possible values: qcow2 raw vmdk Related options: disk_formats
`engine_mode = parallel`	string value	Set the taskflow engine mode. Provide a string type value to set the mode in which the taskflow engine would schedule tasks to the workers on the hosts. Based on this mode, the engine executes tasks either in single or multiple threads. The possible values for this configuration option are: `serial` and `parallel`. When set to `serial`, the engine runs all the tasks in a single thread which results in serial execution of tasks. Setting this to `parallel` makes the engine run tasks in multiple threads. This results in parallel execution of tasks. Possible values: serial parallel Related options: max_workers
`max_workers = 10`	integer value	Set the number of engine executable tasks. Provide an integer value to limit the number of workers that can be instantiated on the hosts. In other words, this number defines the number of parallel tasks that can be executed at the same time by the taskflow engine. This value can be greater than one when the engine mode is set to parallel. Possible values: Integer value greater than or equal to 1 Related options: engine_mode

5.2. glance-registry.conf

This section contains options for the /etc/glance/glance-registry.conf file.

5.2.1. DEFAULT

The following table outlines the options available under the [DEFAULT] group in the /etc/glance/glance-registry.conf file.

Table 5.21. DEFAULT
Configuration option = Default value	Type	Description
`admin_role = admin`	string value	Role used to identify an authenticated user as administrator. Provide a string value representing a Keystone role to identify an administrative user. Users with this role will be granted administrative privileges. The default value for this option is admin. Possible values: A string value which is a valid Keystone role Related options: None
`allow_additional_image_properties = True`	boolean value	Allow users to add additional/custom properties to images. Glance defines a standard set of properties (in its schema) that appear on every image. These properties are also known as `base properties`. In addition to these properties, Glance allows users to add custom properties to images. These are known as `additional properties`. By default, this configuration option is set to `True` and users are allowed to add additional properties. The number of additional properties that can be added to an image can be controlled via `image_property_quota` configuration option. Possible values: True False Related options: image_property_quota
`allow_anonymous_access = False`	boolean value	Allow limited access to unauthenticated users. Assign a boolean to determine API access for unathenticated users. When set to False, the API cannot be accessed by unauthenticated users. When set to True, unauthenticated users can access the API with read-only privileges. This however only applies when using ContextMiddleware. Possible values: True False Related options: None
`api_limit_max = 1000`	integer value	Maximum number of results that could be returned by a request. As described in the help text of `limit_param_default`, some requests may return multiple results. The number of results to be returned are governed either by the `limit` parameter in the request or the `limit_param_default` configuration option. The value in either case, can’t be greater than the absolute maximum defined by this configuration option. Anything greater than this value is trimmed down to the maximum value defined here. Note Setting this to a very large value may slow down database queries and increase response times. Setting this to a very low value may result in poor user experience. Possible values: Any positive integer Related options: limit_param_default
`backlog = 4096`	integer value	Set the number of incoming connection requests. Provide a positive integer value to limit the number of requests in the backlog queue. The default queue size is 4096. An incoming connection to a TCP listener socket is queued before a connection can be established with the server. Setting the backlog for a TCP socket ensures a limited queue size for incoming traffic. Possible values: Positive integer Related options: None
`bind_host = 0.0.0.0`	unknown value	IP address to bind the glance servers to. Provide an IP address to bind the glance server to. The default value is `0.0.0.0`. Edit this option to enable the server to listen on one particular IP address on the network card. This facilitates selection of a particular network interface for the server. Possible values: A valid IPv4 address A valid IPv6 address Related options: None
`bind_port = None`	port value	Port number on which the server will listen. Provide a valid port number to bind the server’s socket to. This port is then set to identify processes and forward network messages that arrive at the server. The default bind_port value for the API server is 9292 and for the registry server is 9191. Possible values: A valid port number (0 to 65535) Related options: None
`ca_file = None`	string value	Absolute path to the CA file. Provide a string value representing a valid absolute path to the Certificate Authority file to use for client authentication. A CA file typically contains necessary trusted certificates to use for the client authentication. This is essential to ensure that a secure connection is established to the server via the internet. Possible values: Valid absolute path to the CA file Related options: None
`cert_file = None`	string value	Absolute path to the certificate file. Provide a string value representing a valid absolute path to the certificate file which is required to start the API service securely. A certificate file typically is a public key container and includes the server’s public key, server name, server information and the signature which was a result of the verification process using the CA certificate. This is required for a secure connection establishment. Possible values: Valid absolute path to the certificate file Related options: None
`client_socket_timeout = 900`	integer value	Timeout for client connections' socket operations. Provide a valid integer value representing time in seconds to set the period of wait before an incoming connection can be closed. The default value is 900 seconds. The value zero implies wait forever. Possible values: Zero Positive integer Related options: None
`conn_pool_min_size = 2`	integer value	The pool size limit for connections expiration policy
`conn_pool_ttl = 1200`	integer value	The time-to-live in sec of idle connections in the pool
`control_exchange = openstack`	string value	The default exchange under which topics are scoped. May be overridden by an exchange name specified in the transport_url option.
`data_api = glance.db.sqlalchemy.api`	string value	Python module path of data access API. Specifies the path to the API to use for accessing the data model. This option determines how the image catalog data will be accessed. Possible values: glance.db.sqlalchemy.api glance.db.registry.api glance.db.simple.api If this option is set to `glance.db.sqlalchemy.api` then the image catalog data is stored in and read from the database via the SQLAlchemy Core and ORM APIs. Setting this option to `glance.db.registry.api` will force all database access requests to be routed through the Registry service. This avoids data access from the Glance API nodes for an added layer of security, scalability and manageability. Note In v2 OpenStack Images API, the registry service is optional. In order to use the Registry API in v2, the option `enable_v2_registry` must be set to `True`. Finally, when this configuration option is set to `glance.db.simple.api`, image catalog data is stored in and read from an in-memory data structure. This is primarily used for testing. Related options: enable_v2_api enable_v2_registry
`debug = False`	boolean value	If set to true, the logging level will be set to DEBUG instead of the default INFO level.
default_log_levels = [u'amqp=WARN', u'amqplib=WARN', u'boto=WARN', u'qpid=WARN', u'sqlalchemy=WARN', u'suds=INFO', u'oslo.messaging=INFO', u'oslo_messaging=INFO', u'iso8601=WARN', u'requests.packages.urllib3.connectionpool=WARN', u'urllib3.connectionpool=WARN', u'websocket=WARN', u'requests.packages.urllib3.util.retry=WARN', u'urllib3.util.retry=WARN', u'keystonemiddleware=WARN', u'routes.middleware=WARN', u'stevedore=WARN', u'taskflow=WARN', u'keystoneauth=WARN', u'oslo.cache=INFO', u'dogpile.core.dogpile=INFO']	list value	List of package logging levels in logger=LEVEL pairs. This option is ignored if log_config_append is set.
`digest_algorithm = sha256`	string value	Digest algorithm to use for digital signature. Provide a string value representing the digest algorithm to use for generating digital signatures. By default, `sha256` is used. To get a list of the available algorithms supported by the version of OpenSSL on your platform, run the command: `openssl list-message-digest-algorithms`. Examples are sha1, sha256, and sha512. Note `digest_algorithm` is not related to Glance’s image signing and verification. It is only used to sign the universally unique identifier (UUID) as a part of the certificate file and key file validation. Possible values: An OpenSSL message digest algorithm identifier Relation options: None
`enable_image_import = True`	boolean value	Enables the Image Import workflow introduced in Pike As [DEFAULT]/node_staging_uri is required for the Image Import, it’s disabled per default in Pike, enabled per default in Queens and removed in Rocky. This allows Glance to operate with previous version configs upon upgrade. Setting this option to False will disable the endpoints related to Image Import Refactoring work. Related options: [DEFAULT]/node_staging_uri
`enable_v1_api = True`	boolean value	Deploy the v1 OpenStack Images API. When this option is set to `True`, Glance service will respond to requests on registered endpoints conforming to the v1 OpenStack Images API. NOTES: If this option is enabled, then `enable_v1_registry` must also be set to `True` to enable mandatory usage of Registry service with v1 API. If this option is disabled, then the `enable_v1_registry` option, which is enabled by default, is also recommended to be disabled. This option is separate from `enable_v2_api`, both v1 and v2 OpenStack Images API can be deployed independent of each other. If deploying only the v2 Images API, this option, which is enabled by default, should be disabled. Possible values: True False Related options: enable_v1_registry enable_v2_api
`enable_v1_registry = True`	boolean value	Deploy the v1 API Registry service. When this option is set to `True`, the Registry service will be enabled in Glance for v1 API requests. NOTES: Use of Registry is mandatory in v1 API, so this option must be set to `True` if the `enable_v1_api` option is enabled. If deploying only the v2 OpenStack Images API, this option, which is enabled by default, should be disabled. Possible values: True False Related options: enable_v1_api
`enable_v2_api = True`	boolean value	Deploy the v2 OpenStack Images API. When this option is set to `True`, Glance service will respond to requests on registered endpoints conforming to the v2 OpenStack Images API. NOTES: If this option is disabled, then the `enable_v2_registry` option, which is enabled by default, is also recommended to be disabled. This option is separate from `enable_v1_api`, both v1 and v2 OpenStack Images API can be deployed independent of each other. If deploying only the v1 Images API, this option, which is enabled by default, should be disabled. Possible values: True False Related options: enable_v2_registry enable_v1_api
`enable_v2_registry = True`	boolean value	Deploy the v2 API Registry service. When this option is set to `True`, the Registry service will be enabled in Glance for v2 API requests. NOTES: Use of Registry is optional in v2 API, so this option must only be enabled if both `enable_v2_api` is set to `True` and the `data_api` option is set to `glance.db.registry.api`. If deploying only the v1 OpenStack Images API, this option, which is enabled by default, should be disabled. Possible values: True False Related options: enable_v2_api data_api
`enabled_import_methods = [u'glance-direct', u'web-download']`	list value	List of enabled Image Import Methods Both glance-direct and web-download are enabled by default. Related options: [DEFAULT]/node_staging_uri [DEFAULT]/enable_image_import
`executor_thread_pool_size = 64`	integer value	Size of executor thread pool when executor is threading or eventlet.
`fatal_deprecations = False`	boolean value	Enables or disables fatal status of deprecations.
`http_keepalive = True`	boolean value	Set keep alive option for HTTP over TCP. Provide a boolean value to determine sending of keep alive packets. If set to `False`, the server returns the header "Connection: close". If set to `True`, the server returns a "Connection: Keep-Alive" in its responses. This enables retention of the same TCP connection for HTTP conversations instead of opening a new one with each new request. This option must be set to `False` if the client socket connection needs to be closed explicitly after the response is received and read successfully by the client. Possible values: True False Related options: None
`image_location_quota = 10`	integer value	Maximum number of locations allowed on an image. Any negative value is interpreted as unlimited. Related options: None
`image_member_quota = 128`	integer value	Maximum number of image members per image. This limits the maximum of users an image can be shared with. Any negative value is interpreted as unlimited. Related options: None
`image_property_quota = 128`	integer value	Maximum number of properties allowed on an image. This enforces an upper limit on the number of additional properties an image can have. Any negative value is interpreted as unlimited. Note This won’t have any impact if additional properties are disabled. Please refer to `allow_additional_image_properties`. Related options: `allow_additional_image_properties`
`image_size_cap = 1099511627776`	integer value	Maximum size of image a user can upload in bytes. An image upload greater than the size mentioned here would result in an image creation failure. This configuration option defaults to 1099511627776 bytes (1 TiB). NOTES: This value should only be increased after careful consideration and must be set less than or equal to 8 EiB (9223372036854775808). This value must be set with careful consideration of the backend storage capacity. Setting this to a very low value may result in a large number of image failures. And, setting this to a very large value may result in faster consumption of storage. Hence, this must be set according to the nature of images created and storage capacity available. Possible values: Any positive number less than or equal to 9223372036854775808
`image_tag_quota = 128`	integer value	Maximum number of tags allowed on an image. Any negative value is interpreted as unlimited. Related options: None
`instance_format = [instance: %(uuid)s] `	string value	The format for an instance that is passed with the log message.
`instance_uuid_format = [instance: %(uuid)s] `	string value	The format for an instance UUID that is passed with the log message.
`key_file = None`	string value	Absolute path to a private key file. Provide a string value representing a valid absolute path to a private key file which is required to establish the client-server connection. Possible values: Absolute path to the private key file Related options: None
`limit_param_default = 25`	integer value	The default number of results to return for a request. Responses to certain API requests, like list images, may return multiple items. The number of results returned can be explicitly controlled by specifying the `limit` parameter in the API request. However, if a `limit` parameter is not specified, this configuration value will be used as the default number of results to be returned for any API request. NOTES: The value of this configuration option may not be greater than the value specified by `api_limit_max`. Setting this to a very large value may slow down database queries and increase response times. Setting this to a very low value may result in poor user experience. Possible values: Any positive integer Related options: api_limit_max
`log-config-append = None`	string value	The name of a logging configuration file. This file is appended to any existing logging configuration files. For details about logging configuration files, see the Python logging module documentation. Note that when logging configuration files are used then all logging configuration is set in the configuration file and other logging configuration options are ignored (for example, logging_context_format_string).
`log-date-format = %Y-%m-%d %H:%M:%S`	string value	Defines the format string for %%(asctime)s in log records. Default: %(default)s . This option is ignored if log_config_append is set.
`log-dir = None`	string value	(Optional) The base directory used for relative log_file paths. This option is ignored if log_config_append is set.
`log-file = None`	string value	(Optional) Name of log file to send logging output to. If no default is set, logging will go to stderr as defined by use_stderr. This option is ignored if log_config_append is set.
`logging_context_format_string = %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [%(request_id)s %(user_identity)s] %(instance)s%(message)s`	string value	Format string to use for log messages with context.
`logging_debug_format_suffix = %(funcName)s %(pathname)s:%(lineno)d`	string value	Additional data to append to log message when logging level for the message is DEBUG.
`logging_default_format_string = %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [-] %(instance)s%(message)s`	string value	Format string to use for log messages when context is undefined.
`logging_exception_prefix = %(asctime)s.%(msecs)03d %(process)d ERROR %(name)s %(instance)s`	string value	Prefix each line of exception output with this format.
`logging_user_identity_format = %(user)s %(tenant)s %(domain)s %(user_domain)s %(project_domain)s`	string value	Defines the format string for %(user_identity)s that is used in logging_context_format_string.
`max_header_line = 16384`	integer value	Maximum line size of message headers. Provide an integer value representing a length to limit the size of message headers. The default value is 16384. Note `max_header_line` may need to be increased when using large tokens (typically those generated by the Keystone v3 API with big service catalogs). However, it is to be kept in mind that larger values for `max_header_line` would flood the logs. Setting `max_header_line` to 0 sets no limit for the line size of message headers. Possible values: 0 Positive integer Related options: None
`max_request_id_length = 64`	integer value	Limit the request ID length. Provide an integer value to limit the length of the request ID to the specified length. The default value is 64. Users can change this to any ineteger value between 0 and 16384 however keeping in mind that a larger value may flood the logs. Possible values: Integer value between 0 and 16384 Related options: None
`metadata_encryption_key = None`	string value	AES key for encrypting store location metadata. Provide a string value representing the AES cipher to use for encrypting Glance store metadata. Note The AES key to use must be set to a random string of length 16, 24 or 32 bytes. Possible values: String value representing a valid AES key Related options: None
`node_staging_uri = file:///tmp/staging/`	string value	The URL provides location where the temporary data will be stored This option is for Glance internal use only. Glance will save the image data uploaded by the user to staging endpoint during the image import process. This option does not change the staging API endpoint by any means. Note It is discouraged to use same path as [task]/work_dir Note file://<absolute-directory-path> is the only option api_image_import flow will support for now. Note The staging path must be on shared filesystem available to all Glance API nodes. Possible values: String starting with file:// followed by absolute FS path Related options: [task]/work_dir [DEFAULT]/enable_image_import (deprecated)
`owner_is_tenant = True`	boolean value	Set the image owner to tenant or the authenticated user. Assign a boolean value to determine the owner of an image. When set to True, the owner of the image is the tenant. When set to False, the owner of the image will be the authenticated user issuing the request. Setting it to False makes the image private to the associated user and sharing with other users within the same tenant (or "project") requires explicit image sharing via image membership. Possible values: True False Related options: None
`publish_errors = False`	boolean value	Enables or disables publication of error events.
`pydev_worker_debug_host = None`	unknown value	Host address of the pydev server. Provide a string value representing the hostname or IP of the pydev server to use for debugging. The pydev server listens for debug connections on this address, facilitating remote debugging in Glance. Possible values: Valid hostname Valid IP address Related options: None
`pydev_worker_debug_port = 5678`	port value	Port number that the pydev server will listen on. Provide a port number to bind the pydev server to. The pydev process accepts debug connections on this port and facilitates remote debugging in Glance. Possible values: A valid port number Related options: None
`rate_limit_burst = 0`	integer value	Maximum number of logged messages per rate_limit_interval.
`rate_limit_except_level = CRITICAL`	string value	Log level name used by rate limiting: CRITICAL, ERROR, INFO, WARNING, DEBUG or empty string. Logs with level greater or equal to rate_limit_except_level are not filtered. An empty string means that all levels are filtered.
`rate_limit_interval = 0`	integer value	Interval, number of seconds, of log rate limiting.
`rpc_ack_timeout_base = 15`	integer value	Number of seconds to wait for an ack from a cast/call. After each retry attempt this timeout is multiplied by some specified multiplier.
`rpc_ack_timeout_multiplier = 2`	integer value	Number to multiply base ack timeout by after each retry attempt.
`rpc_backend = rabbit`	string value	The messaging driver to use, defaults to rabbit. Other drivers include amqp and zmq.
`rpc_conn_pool_size = 30`	integer value	Size of RPC connection pool.
`rpc_message_ttl = 300`	integer value	Expiration timeout in seconds of a sent/received message after which it is not tracked anymore by a client/server.
`rpc_poll_timeout = 1`	integer value	The default number of seconds that poll should wait. Poll raises timeout exception when timeout expired.
`rpc_response_timeout = 60`	integer value	Seconds to wait for a response from a call.
`rpc_retry_attempts = 3`	integer value	Default number of message sending attempts in case of any problems occurred: positive value N means at most N retries, 0 means no retries, None or -1 (or any other negative values) mean to retry forever. This option is used only if acknowledgments are enabled.
`rpc_thread_pool_size = 100`	integer value	Maximum number of (green) threads to work concurrently.
`rpc_use_acks = False`	boolean value	Wait for message acknowledgements from receivers. This mechanism works only via proxy without PUB/SUB.
`rpc_zmq_bind_address = *`	string value	ZeroMQ bind address. Should be a wildcard (*), an ethernet interface, or IP. The "host" option should point or resolve to this address.
`rpc_zmq_bind_port_retries = 100`	integer value	Number of retries to find free port number before fail with ZMQBindError.
`rpc_zmq_contexts = 1`	integer value	Number of ZeroMQ contexts, defaults to 1.
`rpc_zmq_host = ccsosp-undercloud.usersys.redhat.com`	string value	Name of this node. Must be a valid hostname, FQDN, or IP address. Must match "host" option, if running Nova.
`rpc_zmq_ipc_dir = /var/run/openstack`	string value	Directory for holding IPC sockets.
`rpc_zmq_matchmaker = redis`	string value	MatchMaker driver.
`rpc_zmq_max_port = 65536`	integer value	Maximal port number for random ports range.
`rpc_zmq_min_port = 49153`	port value	Minimal port number for random ports range.
`rpc_zmq_serialization = json`	string value	Default serialization mechanism for serializing/deserializing outgoing/incoming messages
`rpc_zmq_topic_backlog = None`	integer value	Maximum number of ingress messages to locally buffer per topic. Default is unlimited.
`secure_proxy_ssl_header = None`	string value	The HTTP header used to determine the scheme for the original request, even if it was removed by an SSL terminating proxy. Typical value is "HTTP_X_FORWARDED_PROTO".
`show_image_direct_url = False`	boolean value	Show direct image location when returning an image. This configuration option indicates whether to show the direct image location when returning image details to the user. The direct image location is where the image data is stored in backend storage. This image location is shown under the image property `direct_url`. When multiple image locations exist for an image, the best location is displayed based on the location strategy indicated by the configuration option `location_strategy`. NOTES: Revealing image locations can present a GRAVE SECURITY RISK as image locations can sometimes include credentials. Hence, this is set to `False` by default. Set this to `True` with EXTREME CAUTION and ONLY IF you know what you are doing! If an operator wishes to avoid showing any image location(s) to the user, then both this option and `show_multiple_locations` MUST be set to `False`. Possible values: True False Related options: show_multiple_locations location_strategy
`show_multiple_locations = False`	boolean value	Show all image locations when returning an image. This configuration option indicates whether to show all the image locations when returning image details to the user. When multiple image locations exist for an image, the locations are ordered based on the location strategy indicated by the configuration opt `location_strategy`. The image locations are shown under the image property `locations`. NOTES: Revealing image locations can present a GRAVE SECURITY RISK as image locations can sometimes include credentials. Hence, this is set to `False` by default. Set this to `True` with EXTREME CAUTION and ONLY IF you know what you are doing! See https://wiki.openstack.org/wiki/OSSN/OSSN-0065 for more information. If an operator wishes to avoid showing any image location(s) to the user, then both this option and `show_image_direct_url` MUST be set to `False`. Possible values: True False Related options: show_image_direct_url location_strategy
`subscribe_on = []`	list value	List of publisher hosts SubConsumer can subscribe on. This option has higher priority then the default publishers list taken from the matchmaker.
`syslog-log-facility = LOG_USER`	string value	Syslog facility to receive log lines. This option is ignored if log_config_append is set.
`tcp_keepidle = 600`	integer value	Set the wait time before a connection recheck. Provide a positive integer value representing time in seconds which is set as the idle wait time before a TCP keep alive packet can be sent to the host. The default value is 600 seconds. Setting `tcp_keepidle` helps verify at regular intervals that a connection is intact and prevents frequent TCP connection reestablishment. Possible values: Positive integer value representing time in seconds Related options: None
`transport_url = None`	string value	The network address and optional user credentials for connecting to the messaging backend, in URL format. The expected format is: driver://[user:pass@]host:port[,[userN:passN@]hostN:portN]/virtual_host?query Example: rabbit://rabbitmq:password@127.0.0.1:5672// For full details on the fields in the URL see the documentation of oslo_messaging.TransportURL at https://docs.openstack.org/oslo.messaging/latest/reference/transport.html
`use-journal = False`	boolean value	Enable journald for logging. If running in a systemd environment you may wish to enable journal support. Doing so will use the journal native protocol which includes structured metadata in addition to log messages.This option is ignored if log_config_append is set.
`use-json = False`	boolean value	Use JSON formatting for logging. This option is ignored if log_config_append is set.
`use-syslog = False`	boolean value	Use syslog for logging. Existing syslog format is DEPRECATED and will be changed later to honor RFC5424. This option is ignored if log_config_append is set.
`use_dynamic_connections = False`	boolean value	This option makes direct connections dynamic or static. It makes sense only with use_router_proxy=False which means to use direct connections for direct message types (ignored otherwise).
`use_pub_sub = False`	boolean value	Use PUB/SUB pattern for fanout methods. PUB/SUB always uses proxy.
`use_router_proxy = False`	boolean value	Use ROUTER remote proxy.
`use_stderr = False`	boolean value	Log output to standard error. This option is ignored if log_config_append is set.
`user_storage_quota = 0`	string value	Maximum amount of image storage per tenant. This enforces an upper limit on the cumulative storage consumed by all images of a tenant across all stores. This is a per-tenant limit. The default unit for this configuration option is Bytes. However, storage units can be specified using case-sensitive literals `B`, `KB`, `MB`, `GB` and `TB` representing Bytes, KiloBytes, MegaBytes, GigaBytes and TeraBytes respectively. Note that there should not be any space between the value and unit. Value `0` signifies no quota enforcement. Negative values are invalid and result in errors. Possible values: A string that is a valid concatenation of a non-negative integer representing the storage value and an optional string literal representing storage units as mentioned above. Related options: None
`watch-log-file = False`	boolean value	Uses logging handler designed to watch file system. When log file is moved or removed this handler will open a new log file with specified path instantaneously. It makes sense only if log_file option is specified and Linux platform is used. This option is ignored if log_config_append is set.
`workers = None`	integer value	Number of Glance worker processes to start. Provide a non-negative integer value to set the number of child process workers to service requests. By default, the number of CPUs available is set as the value for `workers` limited to 8. For example if the processor count is 6, 6 workers will be used, if the processor count is 24 only 8 workers will be used. The limit will only apply to the default value, if 24 workers is configured, 24 is used. Each worker process is made to listen on the port set in the configuration file and contains a greenthread pool of size 1000. Note Setting the number of workers to zero, triggers the creation of a single API process with a greenthread pool of size 1000. Possible values: 0 Positive integer value (typically equal to the number of CPUs) Related options: None
`zmq_failover_connections = 2`	integer value	How many additional connections to a host will be made for failover reasons. This option is actual only in dynamic connections mode.
`zmq_immediate = True`	boolean value	This option configures round-robin mode in zmq socket. True means not keeping a queue when server side disconnects. False means to keep queue and messages even if server is disconnected, when the server appears we send all accumulated messages to it.
`zmq_linger = -1`	integer value	Number of seconds to wait before all pending messages will be sent after closing a socket. The default value of -1 specifies an infinite linger period. The value of 0 specifies no linger period. Pending messages shall be discarded immediately when the socket is closed. Positive values specify an upper bound for the linger period.
`zmq_target_expire = 300`	integer value	Expiration timeout in seconds of a name service record about existing target ( < 0 means no timeout).
`zmq_target_update = 180`	integer value	Update period in seconds of a name service record about existing target.
`zmq_tcp_keepalive = -1`	integer value	Enable/disable TCP keepalive (KA) mechanism. The default value of -1 (or any other negative value) means to skip any overrides and leave it to OS default; 0 and 1 (or any other positive value) mean to disable and enable the option respectively.
`zmq_tcp_keepalive_cnt = -1`	integer value	The number of retransmissions to be carried out before declaring that remote end is not available. The default value of -1 (or any other negative value and 0) means to skip any overrides and leave it to OS default.
`zmq_tcp_keepalive_idle = -1`	integer value	The duration between two keepalive transmissions in idle condition. The unit is platform dependent, for example, seconds in Linux, milliseconds in Windows etc. The default value of -1 (or any other negative value and 0) means to skip any overrides and leave it to OS default.
`zmq_tcp_keepalive_intvl = -1`	integer value	The duration between two successive keepalive retransmissions, if acknowledgement to the previous keepalive transmission is not received. The unit is platform dependent, for example, seconds in Linux, milliseconds in Windows etc. The default value of -1 (or any other negative value and 0) means to skip any overrides and leave it to OS default.

5.2.2. database

The following table outlines the options available under the [database] group in the /etc/glance/glance-registry.conf file.

Table 5.22. database
Configuration option = Default value	Type	Description
`backend = sqlalchemy`	string value	The back end to use for the database.
`connection = None`	string value	The SQLAlchemy connection string to use to connect to the database.
`connection_debug = 0`	integer value	Verbosity of SQL debugging information: 0=None, 100=Everything.
`connection_recycle_time = 3600`	integer value	Connections which have been present in the connection pool longer than this number of seconds will be replaced with a new one the next time they are checked out from the pool.
`connection_trace = False`	boolean value	Add Python stack traces to SQL as comment strings.
`db_inc_retry_interval = True`	boolean value	If True, increases the interval between retries of a database operation up to db_max_retry_interval.
`db_max_retries = 20`	integer value	Maximum retries in case of connection error or deadlock error before error is raised. Set to -1 to specify an infinite retry count.
`db_max_retry_interval = 10`	integer value	If db_inc_retry_interval is set, the maximum seconds between retries of a database operation.
`db_retry_interval = 1`	integer value	Seconds between retries of a database transaction.
`max_overflow = 50`	integer value	If set, use this value for max_overflow with SQLAlchemy.
`max_pool_size = 5`	integer value	Maximum number of SQL connections to keep open in a pool. Setting a value of 0 indicates no limit.
`max_retries = 10`	integer value	Maximum number of database connection retries during startup. Set to -1 to specify an infinite retry count.
`min_pool_size = 1`	integer value	Minimum number of SQL connections to keep open in a pool.
`mysql_enable_ndb = False`	boolean value	If True, transparently enables support for handling MySQL Cluster (NDB).
`mysql_sql_mode = TRADITIONAL`	string value	The SQL mode to be used for MySQL sessions. This option, including the default, overrides any server-set SQL mode. To use whatever SQL mode is set by the server configuration, set this to no value. Example: mysql_sql_mode=
`pool_timeout = None`	integer value	If set, use this value for pool_timeout with SQLAlchemy.
`retry_interval = 10`	integer value	Interval between retries of opening a SQL connection.
`slave_connection = None`	string value	The SQLAlchemy connection string to use to connect to the slave database.
`sqlite_synchronous = True`	boolean value	If True, SQLite uses synchronous mode.
`use_db_reconnect = False`	boolean value	Enable the experimental use of database reconnect on connection lost.
`use_tpool = False`	boolean value	Enable the experimental use of thread pooling for all DB API calls

5.2.3. keystone_authtoken

The following table outlines the options available under the [keystone_authtoken] group in the /etc/glance/glance-registry.conf file.

Table 5.23. keystone_authtoken
Configuration option = Default value	Type	Description
`auth_section = None`	string value	Config Section from which to load plugin specific options
`auth_type = None`	string value	Authentication type to load
`auth_uri = None`	string value	Complete "public" Identity API endpoint. This endpoint should not be an "admin" endpoint, as it should be accessible by all end users. Unauthenticated clients are redirected to this endpoint to authenticate. Although this endpoint should ideally be unversioned, client support in the wild varies. If you’re using a versioned v2 endpoint here, then this should not be the same endpoint the service user utilizes for validating tokens, because normal end users may not be able to reach that endpoint. This option is deprecated in favor of www_authenticate_uri and will be removed in the S release.
`auth_version = None`	string value	API version of the admin Identity API endpoint.
`cache = None`	string value	Request environment key where the Swift cache object is stored. When auth_token middleware is deployed with a Swift cache, use this option to have the middleware share a caching backend with swift. Otherwise, use the `memcached_servers` option instead.
`cafile = None`	string value	A PEM encoded Certificate Authority to use when verifying HTTPs connections. Defaults to system CAs.
`certfile = None`	string value	Required if identity server requires client certificate
`check_revocations_for_cached = False`	boolean value	If true, the revocation list will be checked for cached tokens. This requires that PKI tokens are configured on the identity server.
`delay_auth_decision = False`	boolean value	Do not handle authorization requests within the middleware, but delegate the authorization decision to downstream WSGI components.
`enforce_token_bind = permissive`	string value	Used to control the use and type of token binding. Can be set to: "disabled" to not check token binding. "permissive" (default) to validate binding information if the bind type is of a form known to the server and ignore it if not. "strict" like "permissive" but if the bind type is unknown the token will be rejected. "required" any form of token binding is needed to be allowed. Finally the name of a binding method that must be present in tokens.
`hash_algorithms = [u'md5']`	list value	Hash algorithms to use for hashing PKI tokens. This may be a single algorithm or multiple. The algorithms are those supported by Python standard hashlib.new(). The hashes will be tried in the order given, so put the preferred one first for performance. The result of the first hash will be stored in the cache. This will typically be set to multiple values only while migrating from a less secure algorithm to a more secure one. Once all the old tokens are expired this option should be set to a single value for better performance.
`http_connect_timeout = None`	integer value	Request timeout value for communicating with Identity API server.
`http_request_max_retries = 3`	integer value	How many times are we trying to reconnect when communicating with Identity API Server.
`include_service_catalog = True`	boolean value	(Optional) Indicate whether to set the X-Service-Catalog header. If False, middleware will not ask for service catalog on token validation and will not set the X-Service-Catalog header.
`insecure = False`	boolean value	Verify HTTPS connections.
`keyfile = None`	string value	Required if identity server requires client certificate
`memcache_pool_conn_get_timeout = 10`	integer value	(Optional) Number of seconds that an operation will wait to get a memcached client connection from the pool.
`memcache_pool_dead_retry = 300`	integer value	(Optional) Number of seconds memcached server is considered dead before it is tried again.
`memcache_pool_maxsize = 10`	integer value	(Optional) Maximum total number of open connections to every memcached server.
`memcache_pool_socket_timeout = 3`	integer value	(Optional) Socket timeout in seconds for communicating with a memcached server.
`memcache_pool_unused_timeout = 60`	integer value	(Optional) Number of seconds a connection to memcached is held unused in the pool before it is closed.
`memcache_secret_key = None`	string value	(Optional, mandatory if memcache_security_strategy is defined) This string is used for key derivation.
`memcache_security_strategy = None`	string value	(Optional) If defined, indicate whether token data should be authenticated or authenticated and encrypted. If MAC, token data is authenticated (with HMAC) in the cache. If ENCRYPT, token data is encrypted and authenticated in the cache. If the value is not one of these options or empty, auth_token will raise an exception on initialization.
`memcache_use_advanced_pool = False`	boolean value	(Optional) Use the advanced (eventlet safe) memcached client pool. The advanced pool will only work under python 2.x.
`memcached_servers = None`	list value	Optionally specify a list of memcached server(s) to use for caching. If left undefined, tokens will instead be cached in-process.
`region_name = None`	string value	The region in which the identity server can be found.
`revocation_cache_time = 10`	integer value	Determines the frequency at which the list of revoked tokens is retrieved from the Identity service (in seconds). A high number of revocation events combined with a low cache duration may significantly reduce performance. Only valid for PKI tokens. This option has been deprecated in the Ocata release and will be removed in the P release.
`service_token_roles = [u'service']`	list value	A choice of roles that must be present in a service token. Service tokens are allowed to request that an expired token can be used and so this check should tightly control that only actual services should be sending this token. Roles here are applied as an ANY check so any role in this list must be present. For backwards compatibility reasons this currently only affects the allow_expired check.
`service_token_roles_required = False`	boolean value	For backwards compatibility reasons we must let valid service tokens pass that don’t pass the service_token_roles check as valid. Setting this true will become the default in a future release and should be enabled if possible.
`signing_dir = None`	string value	Directory used to cache files related to PKI tokens. This option has been deprecated in the Ocata release and will be removed in the P release.
`token_cache_time = 300`	integer value	In order to prevent excessive effort spent validating tokens, the middleware caches previously-seen tokens for a configurable duration (in seconds). Set to -1 to disable caching completely.
`www_authenticate_uri = None`	string value	Complete "public" Identity API endpoint. This endpoint should not be an "admin" endpoint, as it should be accessible by all end users. Unauthenticated clients are redirected to this endpoint to authenticate. Although this endpoint should ideally be unversioned, client support in the wild varies. If you’re using a versioned v2 endpoint here, then this should not be the same endpoint the service user utilizes for validating tokens, because normal end users may not be able to reach that endpoint.

5.2.4. matchmaker_redis

The following table outlines the options available under the [matchmaker_redis] group in the /etc/glance/glance-registry.conf file.

Table 5.24. matchmaker_redis
Configuration option = Default value	Type	Description
`check_timeout = 20000`	integer value	Time in ms to wait before the transaction is killed.
`host = 127.0.0.1`	string value	Host to locate redis.
`password = `	string value	Password for Redis server (optional).
`port = 6379`	port value	Use this port to connect to redis host.
`sentinel_group_name = oslo-messaging-zeromq`	string value	Redis replica set name.
`sentinel_hosts = []`	list value	List of Redis Sentinel hosts (fault tolerance mode), e.g., [host:port, host1:port … ]
`socket_timeout = 10000`	integer value	Timeout in ms on blocking socket operations.
`wait_timeout = 2000`	integer value	Time in ms to wait between connection attempts.

5.2.5. oslo_messaging_amqp

The following table outlines the options available under the [oslo_messaging_amqp] group in the /etc/glance/glance-registry.conf file.

Table 5.25. oslo_messaging_amqp
Configuration option = Default value	Type	Description
`addressing_mode = dynamic`	string value	Indicates the addressing mode used by the driver. Permitted values: legacy - use legacy non-routable addressing routable - use routable addresses dynamic - use legacy addresses if the message bus does not support routing otherwise use routable addressing
`allow_insecure_clients = False`	boolean value	Accept clients using either SSL or plain TCP
`anycast_address = anycast`	string value	Appended to the address prefix when sending to a group of consumers. Used by the message bus to identify messages that should be delivered in a round-robin fashion across consumers.
`broadcast_prefix = broadcast`	string value	address prefix used when broadcasting to all servers
`connection_retry_backoff = 2`	integer value	Increase the connection_retry_interval by this many seconds after each unsuccessful failover attempt.
`connection_retry_interval = 1`	integer value	Seconds to pause before attempting to re-connect.
`connection_retry_interval_max = 30`	integer value	Maximum limit for connection_retry_interval + connection_retry_backoff
`container_name = None`	string value	Name for the AMQP container. must be globally unique. Defaults to a generated UUID
`default_notification_exchange = None`	string value	Exchange name used in notification addresses. Exchange name resolution precedence: Target.exchange if set else default_notification_exchange if set else control_exchange if set else notify
`default_notify_timeout = 30`	integer value	The deadline for a sent notification message delivery. Only used when caller does not provide a timeout expiry.
`default_reply_retry = 0`	integer value	The maximum number of attempts to re-send a reply message which failed due to a recoverable error.
`default_reply_timeout = 30`	integer value	The deadline for an rpc reply message delivery.
`default_rpc_exchange = None`	string value	Exchange name used in RPC addresses. Exchange name resolution precedence: Target.exchange if set else default_rpc_exchange if set else control_exchange if set else rpc
`default_send_timeout = 30`	integer value	The deadline for an rpc cast or call message delivery. Only used when caller does not provide a timeout expiry.
`default_sender_link_timeout = 600`	integer value	The duration to schedule a purge of idle sender links. Detach link after expiry.
`group_request_prefix = unicast`	string value	address prefix when sending to any server in group
`idle_timeout = 0`	integer value	Timeout for inactive connections (in seconds)
`link_retry_delay = 10`	integer value	Time to pause between re-connecting an AMQP 1.0 link that failed due to a recoverable error.
`multicast_address = multicast`	string value	Appended to the address prefix when sending a fanout message. Used by the message bus to identify fanout messages.
`notify_address_prefix = openstack.org/om/notify`	string value	Address prefix for all generated Notification addresses
`notify_server_credit = 100`	integer value	Window size for incoming Notification messages
`password = `	string value	Password for message broker authentication
`pre_settled = [u'rpc-cast', u'rpc-reply']`	multi valued	Send messages of this type pre-settled. Pre-settled messages will not receive acknowledgement from the peer. Note well: pre-settled messages may be silently discarded if the delivery fails. Permitted values: rpc-call - send RPC Calls pre-settled rpc-reply- send RPC Replies pre-settled rpc-cast - Send RPC Casts pre-settled notify - Send Notifications pre-settled
`pseudo_vhost = True`	boolean value	Enable virtual host support for those message buses that do not natively support virtual hosting (such as qpidd). When set to true the virtual host name will be added to all message bus addresses, effectively creating a private subnet per virtual host. Set to False if the message bus supports virtual hosting using the hostname field in the AMQP 1.0 Open performative as the name of the virtual host.
`reply_link_credit = 200`	integer value	Window size for incoming RPC Reply messages.
`rpc_address_prefix = openstack.org/om/rpc`	string value	Address prefix for all generated RPC addresses
`rpc_server_credit = 100`	integer value	Window size for incoming RPC Request messages
`sasl_config_dir = `	string value	Path to directory that contains the SASL configuration
`sasl_config_name = `	string value	Name of configuration file (without .conf suffix)
`sasl_default_realm = `	string value	SASL realm to use if no realm present in username
`sasl_mechanisms = `	string value	Space separated list of acceptable SASL mechanisms
`server_request_prefix = exclusive`	string value	address prefix used when sending to a specific server
`ssl = False`	boolean value	Attempt to connect via SSL. If no other ssl-related parameters are given, it will use the system’s CA-bundle to verify the server’s certificate.
`ssl_ca_file = `	string value	CA certificate PEM file used to verify the server’s certificate
`ssl_cert_file = `	string value	Self-identifying certificate PEM file for client authentication
`ssl_key_file = `	string value	Private key PEM file used to sign ssl_cert_file certificate (optional)
`ssl_key_password = None`	string value	Password for decrypting ssl_key_file (if encrypted)
`ssl_verify_vhost = False`	boolean value	By default SSL checks that the name in the server’s certificate matches the hostname in the transport_url. In some configurations it may be preferable to use the virtual hostname instead, for example if the server uses the Server Name Indication TLS extension (rfc6066) to provide a certificate per virtual host. Set ssl_verify_vhost to True if the server’s SSL certificate uses the virtual host name instead of the DNS name.
`trace = False`	boolean value	Debug: dump AMQP frames to stdout
`unicast_address = unicast`	string value	Appended to the address prefix when sending to a particular RPC/Notification server. Used by the message bus to identify messages sent to a single destination.
`username = `	string value	User name for message broker authentication

5.2.6. oslo_messaging_kafka

The following table outlines the options available under the [oslo_messaging_kafka] group in the /etc/glance/glance-registry.conf file.

Table 5.26. oslo_messaging_kafka
Configuration option = Default value	Type	Description
`conn_pool_min_size = 2`	integer value	The pool size limit for connections expiration policy
`conn_pool_ttl = 1200`	integer value	The time-to-live in sec of idle connections in the pool
`consumer_group = oslo_messaging_consumer`	string value	Group id for Kafka consumer. Consumers in one group will coordinate message consumption
`kafka_consumer_timeout = 1.0`	floating point value	Default timeout(s) for Kafka consumers
`kafka_default_host = localhost`	string value	Default Kafka broker Host
`kafka_default_port = 9092`	port value	Default Kafka broker Port
`kafka_max_fetch_bytes = 1048576`	integer value	Max fetch bytes of Kafka consumer
`pool_size = 10`	integer value	Pool Size for Kafka Consumers
`producer_batch_size = 16384`	integer value	Size of batch for the producer async send
`producer_batch_timeout = 0.0`	floating point value	Upper bound on the delay for KafkaProducer batching in seconds

5.2.7. oslo_messaging_notifications

The following table outlines the options available under the [oslo_messaging_notifications] group in the /etc/glance/glance-registry.conf file.

Table 5.27. oslo_messaging_notifications
Configuration option = Default value	Type	Description
`driver = []`	multi valued	The Drivers(s) to handle sending notifications. Possible values are messaging, messagingv2, routing, log, test, noop
`retry = -1`	integer value	The maximum number of attempts to re-send a notification message which failed to be delivered due to a recoverable error. 0 - No retry, -1 - indefinite
`topics = [u'notifications']`	list value	AMQP topic used for OpenStack notifications.
`transport_url = None`	string value	A URL representing the messaging driver to use for notifications. If not set, we fall back to the same configuration used for RPC.

5.2.8. oslo_messaging_rabbit

The following table outlines the options available under the [oslo_messaging_rabbit] group in the /etc/glance/glance-registry.conf file.

Table 5.28. oslo_messaging_rabbit
Configuration option = Default value	Type	Description
`amqp_auto_delete = False`	boolean value	Auto-delete queues in AMQP.
`amqp_durable_queues = False`	boolean value	Use durable queues in AMQP.
`channel_max = None`	integer value	Maximum number of channels to allow
`connection_factory = single`	string value	Connection factory implementation
`default_notification_exchange = ${control_exchange}_notification`	string value	Exchange name for sending notifications
`default_notification_retry_attempts = -1`	integer value	Reconnecting retry count in case of connectivity problem during sending notification, -1 means infinite retry.
`default_rpc_exchange = ${control_exchange}_rpc`	string value	Exchange name for sending RPC messages
`default_rpc_retry_attempts = -1`	integer value	Reconnecting retry count in case of connectivity problem during sending RPC message, -1 means infinite retry. If actual retry attempts in not 0 the rpc request could be processed more than one time
`default_serializer_type = json`	string value	Default serialization mechanism for serializing/deserializing outgoing/incoming messages
`fake_rabbit = False`	boolean value	Deprecated, use rpc_backend=kombu+memory or rpc_backend=fake
`frame_max = None`	integer value	The maximum byte size for an AMQP frame
`heartbeat_interval = 3`	integer value	How often to send heartbeats for consumer’s connections
`heartbeat_rate = 2`	integer value	How often times during the heartbeat_timeout_threshold we check the heartbeat.
`heartbeat_timeout_threshold = 60`	integer value	Number of seconds after which the Rabbit broker is considered down if heartbeat’s keep-alive fails (0 disable the heartbeat). EXPERIMENTAL
`host_connection_reconnect_delay = 0.25`	floating point value	Set delay for reconnection to some host which has connection error
`kombu_compression = None`	string value	EXPERIMENTAL: Possible values are: gzip, bz2. If not set compression will not be used. This option may not be available in future versions.
`kombu_failover_strategy = round-robin`	string value	Determines how the next RabbitMQ node is chosen in case the one we are currently connected to becomes unavailable. Takes effect only if more than one RabbitMQ node is provided in config.
`kombu_missing_consumer_retry_timeout = 60`	integer value	How long to wait a missing client before abandoning to send it its replies. This value should not be longer than rpc_response_timeout.
`kombu_reconnect_delay = 1.0`	floating point value	How long to wait before reconnecting in response to an AMQP consumer cancel notification.
`notification_listener_prefetch_count = 100`	integer value	Max number of not acknowledged message which RabbitMQ can send to notification listener.
`notification_persistence = False`	boolean value	Persist notification messages.
`notification_retry_delay = 0.25`	floating point value	Reconnecting retry delay in case of connectivity problem during sending notification message
`pool_max_overflow = 0`	integer value	Maximum number of connections to create above `pool_max_size`.
`pool_max_size = 30`	integer value	Maximum number of connections to keep queued.
`pool_recycle = 600`	integer value	Lifetime of a connection (since creation) in seconds or None for no recycling. Expired connections are closed on acquire.
`pool_stale = 60`	integer value	Threshold at which inactive (since release) connections are considered stale in seconds or None for no staleness. Stale connections are closed on acquire.
`pool_timeout = 30`	integer value	Default number of seconds to wait for a connections to available
`rabbit_ha_queues = False`	boolean value	Try to use HA queues in RabbitMQ (x-ha-policy: all). If you change this option, you must wipe the RabbitMQ database. In RabbitMQ 3.0, queue mirroring is no longer controlled by the x-ha-policy argument when declaring a queue. If you just want to make sure that all queues (except those with auto-generated names) are mirrored across all nodes, run: "rabbitmqctl set_policy HA ^(?!amq\.).* {"ha-mode": "all"} "
`rabbit_host = localhost`	string value	The RabbitMQ broker address where a single node is used.
`rabbit_hosts = [u'$rabbit_host:$rabbit_port']`	list value	RabbitMQ HA cluster host:port pairs.
`rabbit_interval_max = 30`	integer value	Maximum interval of RabbitMQ connection retries. Default is 30 seconds.
`rabbit_login_method = AMQPLAIN`	string value	The RabbitMQ login method.
`rabbit_max_retries = 0`	integer value	Maximum number of RabbitMQ connection retries. Default is 0 (infinite retry count).
`rabbit_password = guest`	string value	The RabbitMQ password.
`rabbit_port = 5672`	port value	The RabbitMQ broker port where a single node is used.
`rabbit_qos_prefetch_count = 0`	integer value	Specifies the number of messages to prefetch. Setting to zero allows unlimited messages.
`rabbit_retry_backoff = 2`	integer value	How long to backoff for between retries when connecting to RabbitMQ.
`rabbit_retry_interval = 1`	integer value	How frequently to retry connecting with RabbitMQ.
`rabbit_transient_queues_ttl = 1800`	integer value	Positive integer representing duration in seconds for queue TTL (x-expires). Queues which are unused for the duration of the TTL are automatically deleted. The parameter affects only reply and fanout queues.
`rabbit_userid = guest`	string value	The RabbitMQ userid.
`rabbit_virtual_host = /`	string value	The RabbitMQ virtual host.
`rpc_listener_prefetch_count = 100`	integer value	Max number of not acknowledged message which RabbitMQ can send to rpc listener.
`rpc_queue_expiration = 60`	integer value	Time to live for rpc queues without consumers in seconds.
`rpc_reply_exchange = ${control_exchange}_rpc_reply`	string value	Exchange name for receiving RPC replies
`rpc_reply_listener_prefetch_count = 100`	integer value	Max number of not acknowledged message which RabbitMQ can send to rpc reply listener.
`rpc_reply_retry_attempts = -1`	integer value	Reconnecting retry count in case of connectivity problem during sending reply. -1 means infinite retry during rpc_timeout
`rpc_reply_retry_delay = 0.25`	floating point value	Reconnecting retry delay in case of connectivity problem during sending reply.
`rpc_retry_delay = 0.25`	floating point value	Reconnecting retry delay in case of connectivity problem during sending RPC message
`socket_timeout = 0.25`	floating point value	Set socket timeout in seconds for connection’s socket
`ssl = None`	boolean value	Enable SSL
`ssl_ca_file = `	string value	SSL certification authority file (valid only if SSL enabled).
`ssl_cert_file = `	string value	SSL cert file (valid only if SSL enabled).
`ssl_key_file = `	string value	SSL key file (valid only if SSL enabled).
`ssl_options = None`	dict value	Arguments passed to ssl.wrap_socket
`ssl_version = `	string value	SSL version to use (valid only if SSL enabled). Valid values are TLSv1 and SSLv23. SSLv2, SSLv3, TLSv1_1, and TLSv1_2 may be available on some distributions.
`tcp_user_timeout = 0.25`	floating point value	Set TCP_USER_TIMEOUT in seconds for connection’s socket

5.2.9. oslo_messaging_zmq

The following table outlines the options available under the [oslo_messaging_zmq] group in the /etc/glance/glance-registry.conf file.

Table 5.29. oslo_messaging_zmq
Configuration option = Default value	Type	Description
`rpc_ack_timeout_base = 15`	integer value	Number of seconds to wait for an ack from a cast/call. After each retry attempt this timeout is multiplied by some specified multiplier.
`rpc_ack_timeout_multiplier = 2`	integer value	Number to multiply base ack timeout by after each retry attempt.
`rpc_message_ttl = 300`	integer value	Expiration timeout in seconds of a sent/received message after which it is not tracked anymore by a client/server.
`rpc_poll_timeout = 1`	integer value	The default number of seconds that poll should wait. Poll raises timeout exception when timeout expired.
`rpc_retry_attempts = 3`	integer value	Default number of message sending attempts in case of any problems occurred: positive value N means at most N retries, 0 means no retries, None or -1 (or any other negative values) mean to retry forever. This option is used only if acknowledgments are enabled.
`rpc_thread_pool_size = 100`	integer value	Maximum number of (green) threads to work concurrently.
`rpc_use_acks = False`	boolean value	Wait for message acknowledgements from receivers. This mechanism works only via proxy without PUB/SUB.
`rpc_zmq_bind_address = *`	string value	ZeroMQ bind address. Should be a wildcard (*), an ethernet interface, or IP. The "host" option should point or resolve to this address.
`rpc_zmq_bind_port_retries = 100`	integer value	Number of retries to find free port number before fail with ZMQBindError.
`rpc_zmq_contexts = 1`	integer value	Number of ZeroMQ contexts, defaults to 1.
`rpc_zmq_host = ccsosp-undercloud.usersys.redhat.com`	string value	Name of this node. Must be a valid hostname, FQDN, or IP address. Must match "host" option, if running Nova.
`rpc_zmq_ipc_dir = /var/run/openstack`	string value	Directory for holding IPC sockets.
`rpc_zmq_matchmaker = redis`	string value	MatchMaker driver.
`rpc_zmq_max_port = 65536`	integer value	Maximal port number for random ports range.
`rpc_zmq_min_port = 49153`	port value	Minimal port number for random ports range.
`rpc_zmq_serialization = json`	string value	Default serialization mechanism for serializing/deserializing outgoing/incoming messages
`rpc_zmq_topic_backlog = None`	integer value	Maximum number of ingress messages to locally buffer per topic. Default is unlimited.
`subscribe_on = []`	list value	List of publisher hosts SubConsumer can subscribe on. This option has higher priority then the default publishers list taken from the matchmaker.
`use_dynamic_connections = False`	boolean value	This option makes direct connections dynamic or static. It makes sense only with use_router_proxy=False which means to use direct connections for direct message types (ignored otherwise).
`use_pub_sub = False`	boolean value	Use PUB/SUB pattern for fanout methods. PUB/SUB always uses proxy.
`use_router_proxy = False`	boolean value	Use ROUTER remote proxy.
`zmq_failover_connections = 2`	integer value	How many additional connections to a host will be made for failover reasons. This option is actual only in dynamic connections mode.
`zmq_immediate = True`	boolean value	This option configures round-robin mode in zmq socket. True means not keeping a queue when server side disconnects. False means to keep queue and messages even if server is disconnected, when the server appears we send all accumulated messages to it.
`zmq_linger = -1`	integer value	Number of seconds to wait before all pending messages will be sent after closing a socket. The default value of -1 specifies an infinite linger period. The value of 0 specifies no linger period. Pending messages shall be discarded immediately when the socket is closed. Positive values specify an upper bound for the linger period.
`zmq_target_expire = 300`	integer value	Expiration timeout in seconds of a name service record about existing target ( < 0 means no timeout).
`zmq_target_update = 180`	integer value	Update period in seconds of a name service record about existing target.
`zmq_tcp_keepalive = -1`	integer value	Enable/disable TCP keepalive (KA) mechanism. The default value of -1 (or any other negative value) means to skip any overrides and leave it to OS default; 0 and 1 (or any other positive value) mean to disable and enable the option respectively.
`zmq_tcp_keepalive_cnt = -1`	integer value	The number of retransmissions to be carried out before declaring that remote end is not available. The default value of -1 (or any other negative value and 0) means to skip any overrides and leave it to OS default.
`zmq_tcp_keepalive_idle = -1`	integer value	The duration between two keepalive transmissions in idle condition. The unit is platform dependent, for example, seconds in Linux, milliseconds in Windows etc. The default value of -1 (or any other negative value and 0) means to skip any overrides and leave it to OS default.
`zmq_tcp_keepalive_intvl = -1`	integer value	The duration between two successive keepalive retransmissions, if acknowledgement to the previous keepalive transmission is not received. The unit is platform dependent, for example, seconds in Linux, milliseconds in Windows etc. The default value of -1 (or any other negative value and 0) means to skip any overrides and leave it to OS default.

5.2.10. oslo_policy

The following table outlines the options available under the [oslo_policy] group in the /etc/glance/glance-registry.conf file.

Table 5.30. oslo_policy
Configuration option = Default value	Type	Description
`enforce_scope = False`	boolean value	This option controls whether or not to enforce scope when evaluating policies. If `True`, the scope of the token used in the request is compared to the `scope_types` of the policy being enforced. If the scopes do not match, an `InvalidScope` exception will be raised. If `False`, a message will be logged informing operators that policies are being invoked with mismatching scope.
`policy_default_rule = default`	string value	Default rule. Enforced when a requested rule is not found.
`policy_dirs = [u'policy.d']`	multi valued	Directories where policy configuration files are stored. They can be relative to any directory in the search path defined by the config_dir option, or absolute paths. The file defined by policy_file must exist for these directories to be searched. Missing or empty directories are ignored.
`policy_file = policy.json`	string value	The file that defines policies.
`remote_content_type = application/x-www-form-urlencoded`	string value	Content Type to send and receive data for REST based policy check
`remote_ssl_ca_crt_file = None`	string value	Absolute path to ca cert file for REST based policy check
`remote_ssl_client_crt_file = None`	string value	Absolute path to client cert for REST based policy check
`remote_ssl_client_key_file = None`	string value	Absolute path client key file REST based policy check
`remote_ssl_verify_server_crt = False`	boolean value	server identity verification for REST based policy check

5.2.11. paste_deploy

The following table outlines the options available under the [paste_deploy] group in the /etc/glance/glance-registry.conf file.

Table 5.31. paste_deploy
Configuration option = Default value	Type	Description
`config_file = None`	string value	Name of the paste configuration file. Provide a string value representing the name of the paste configuration file to use for configuring piplelines for server application deployments. NOTES: Provide the name or the path relative to the glance directory for the paste configuration file and not the absolute path. The sample paste configuration file shipped with Glance need not be edited in most cases as it comes with ready-made pipelines for all common deployment flavors. If no value is specified for this option, the `paste.ini` file with the prefix of the corresponding Glance service’s configuration file name will be searched for in the known configuration directories. (For example, if this option is missing from or has no value set in `glance-api.conf`, the service will look for a file named `glance-api-paste.ini`.) If the paste configuration file is not found, the service will not start. Possible values: A string value representing the name of the paste configuration file. Related Options: flavor
`flavor = None`	string value	Deployment flavor to use in the server application pipeline. Provide a string value representing the appropriate deployment flavor used in the server application pipleline. This is typically the partial name of a pipeline in the paste configuration file with the service name removed. For example, if your paste section name in the paste configuration file is [pipeline:glance-api-keystone], set `flavor` to `keystone`. Possible values: String value representing a partial pipeline name. Related Options: config_file

5.2.12. profiler

The following table outlines the options available under the [profiler] group in the /etc/glance/glance-registry.conf file.

Table 5.32. profiler
Configuration option = Default value	Type	Description
`connection_string = messaging://`	string value	Connection string for a notifier backend. Default value is messaging:// which sets the notifier to oslo_messaging. Examples of possible values: messaging://: use oslo_messaging driver for sending notifications. mongodb://127.0.0.1:27017 : use mongodb driver for sending notifications. elasticsearch://127.0.0.1:9200 : use elasticsearch driver for sending notifications.
`enabled = False`	boolean value	Enables the profiling for all services on this node. Default value is False (fully disable the profiling feature). Possible values: True: Enables the feature False: Disables the feature. The profiling cannot be started via this project operations. If the profiling is triggered by another project, this project part will be empty.
`es_doc_type = notification`	string value	Document type for notification indexing in elasticsearch.
`es_scroll_size = 10000`	integer value	Elasticsearch splits large requests in batches. This parameter defines maximum size of each batch (for example: es_scroll_size=10000).
`es_scroll_time = 2m`	string value	This parameter is a time value parameter (for example: es_scroll_time=2m), indicating for how long the nodes that participate in the search will maintain relevant resources in order to continue and support it.
`hmac_keys = SECRET_KEY`	string value	Secret key(s) to use for encrypting context data for performance profiling. This string value should have the following format: <key1>[,<key2>,…<keyn>], where each key is some random string. A user who triggers the profiling via the REST API has to set one of these keys in the headers of the REST API call to include profiling results of this node for this particular project. Both "enabled" flag and "hmac_keys" config options should be set to enable profiling. Also, to generate correct profiling information across all services at least one key needs to be consistent between OpenStack projects. This ensures it can be used from client side to generate the trace, containing information from all possible resources.
`sentinel_service_name = mymaster`	string value	Redissentinel uses a service name to identify a master redis service. This parameter defines the name (for example: sentinal_service_name=mymaster).
`socket_timeout = 0.1`	floating point value	Redissentinel provides a timeout option on the connections. This parameter defines that timeout (for example: socket_timeout=0.1).
`trace_sqlalchemy = False`	boolean value	Enables SQL requests profiling in services. Default value is False (SQL requests won’t be traced). Possible values: True: Enables SQL requests profiling. Each SQL query will be part of the trace and can the be analyzed by how much time was spent for that. False: Disables SQL requests profiling. The spent time is only shown on a higher level of operations. Single SQL queries cannot be analyzed this way.

5.3. glance-scrubber.conf

This section contains options for the /etc/glance/glance-scrubber.conf file.

5.3.1. DEFAULT

The following table outlines the options available under the [DEFAULT] group in the /etc/glance/glance-scrubber.conf file.

Table 5.33. DEFAULT
Configuration option = Default value	Type	Description
`allow_additional_image_properties = True`	boolean value	Allow users to add additional/custom properties to images. Glance defines a standard set of properties (in its schema) that appear on every image. These properties are also known as `base properties`. In addition to these properties, Glance allows users to add custom properties to images. These are known as `additional properties`. By default, this configuration option is set to `True` and users are allowed to add additional properties. The number of additional properties that can be added to an image can be controlled via `image_property_quota` configuration option. Possible values: True False Related options: image_property_quota
`api_limit_max = 1000`	integer value	Maximum number of results that could be returned by a request. As described in the help text of `limit_param_default`, some requests may return multiple results. The number of results to be returned are governed either by the `limit` parameter in the request or the `limit_param_default` configuration option. The value in either case, can’t be greater than the absolute maximum defined by this configuration option. Anything greater than this value is trimmed down to the maximum value defined here. Note Setting this to a very large value may slow down database queries and increase response times. Setting this to a very low value may result in poor user experience. Possible values: Any positive integer Related options: limit_param_default
`daemon = False`	boolean value	Run scrubber as a daemon. This boolean configuration option indicates whether scrubber should run as a long-running process that wakes up at regular intervals to scrub images. The wake up interval can be specified using the configuration option `wakeup_time`. If this configuration option is set to `False`, which is the default value, scrubber runs once to scrub images and exits. In this case, if the operator wishes to implement continuous scrubbing of images, scrubber needs to be scheduled as a cron job. Possible values: True False Related options: `wakeup_time`
`data_api = glance.db.sqlalchemy.api`	string value	Python module path of data access API. Specifies the path to the API to use for accessing the data model. This option determines how the image catalog data will be accessed. Possible values: glance.db.sqlalchemy.api glance.db.registry.api glance.db.simple.api If this option is set to `glance.db.sqlalchemy.api` then the image catalog data is stored in and read from the database via the SQLAlchemy Core and ORM APIs. Setting this option to `glance.db.registry.api` will force all database access requests to be routed through the Registry service. This avoids data access from the Glance API nodes for an added layer of security, scalability and manageability. Note In v2 OpenStack Images API, the registry service is optional. In order to use the Registry API in v2, the option `enable_v2_registry` must be set to `True`. Finally, when this configuration option is set to `glance.db.simple.api`, image catalog data is stored in and read from an in-memory data structure. This is primarily used for testing. Related options: enable_v2_api enable_v2_registry
`debug = False`	boolean value	If set to true, the logging level will be set to DEBUG instead of the default INFO level.
default_log_levels = [u'amqp=WARN', u'amqplib=WARN', u'boto=WARN', u'qpid=WARN', u'sqlalchemy=WARN', u'suds=INFO', u'oslo.messaging=INFO', u'oslo_messaging=INFO', u'iso8601=WARN', u'requests.packages.urllib3.connectionpool=WARN', u'urllib3.connectionpool=WARN', u'websocket=WARN', u'requests.packages.urllib3.util.retry=WARN', u'urllib3.util.retry=WARN', u'keystonemiddleware=WARN', u'routes.middleware=WARN', u'stevedore=WARN', u'taskflow=WARN', u'keystoneauth=WARN', u'oslo.cache=INFO', u'dogpile.core.dogpile=INFO']	list value	List of package logging levels in logger=LEVEL pairs. This option is ignored if log_config_append is set.
`delayed_delete = False`	boolean value	Turn on/off delayed delete. Typically when an image is deleted, the `glance-api` service puts the image into `deleted` state and deletes its data at the same time. Delayed delete is a feature in Glance that delays the actual deletion of image data until a later point in time (as determined by the configuration option `scrub_time`). When delayed delete is turned on, the `glance-api` service puts the image into `pending_delete` state upon deletion and leaves the image data in the storage backend for the image scrubber to delete at a later time. The image scrubber will move the image into `deleted` state upon successful deletion of image data. Note When delayed delete is turned on, image scrubber MUST be running as a periodic task to prevent the backend storage from filling up with undesired usage. Possible values: True False Related options: `scrub_time` `wakeup_time` `scrub_pool_size`
`digest_algorithm = sha256`	string value	Digest algorithm to use for digital signature. Provide a string value representing the digest algorithm to use for generating digital signatures. By default, `sha256` is used. To get a list of the available algorithms supported by the version of OpenSSL on your platform, run the command: `openssl list-message-digest-algorithms`. Examples are sha1, sha256, and sha512. Note `digest_algorithm` is not related to Glance’s image signing and verification. It is only used to sign the universally unique identifier (UUID) as a part of the certificate file and key file validation. Possible values: An OpenSSL message digest algorithm identifier Relation options: None
`enable_image_import = True`	boolean value	Enables the Image Import workflow introduced in Pike As [DEFAULT]/node_staging_uri is required for the Image Import, it’s disabled per default in Pike, enabled per default in Queens and removed in Rocky. This allows Glance to operate with previous version configs upon upgrade. Setting this option to False will disable the endpoints related to Image Import Refactoring work. Related options: [DEFAULT]/node_staging_uri
`enable_v1_api = True`	boolean value	Deploy the v1 OpenStack Images API. When this option is set to `True`, Glance service will respond to requests on registered endpoints conforming to the v1 OpenStack Images API. NOTES: If this option is enabled, then `enable_v1_registry` must also be set to `True` to enable mandatory usage of Registry service with v1 API. If this option is disabled, then the `enable_v1_registry` option, which is enabled by default, is also recommended to be disabled. This option is separate from `enable_v2_api`, both v1 and v2 OpenStack Images API can be deployed independent of each other. If deploying only the v2 Images API, this option, which is enabled by default, should be disabled. Possible values: True False Related options: enable_v1_registry enable_v2_api
`enable_v1_registry = True`	boolean value	Deploy the v1 API Registry service. When this option is set to `True`, the Registry service will be enabled in Glance for v1 API requests. NOTES: Use of Registry is mandatory in v1 API, so this option must be set to `True` if the `enable_v1_api` option is enabled. If deploying only the v2 OpenStack Images API, this option, which is enabled by default, should be disabled. Possible values: True False Related options: enable_v1_api
`enable_v2_api = True`	boolean value	Deploy the v2 OpenStack Images API. When this option is set to `True`, Glance service will respond to requests on registered endpoints conforming to the v2 OpenStack Images API. NOTES: If this option is disabled, then the `enable_v2_registry` option, which is enabled by default, is also recommended to be disabled. This option is separate from `enable_v1_api`, both v1 and v2 OpenStack Images API can be deployed independent of each other. If deploying only the v1 Images API, this option, which is enabled by default, should be disabled. Possible values: True False Related options: enable_v2_registry enable_v1_api
`enable_v2_registry = True`	boolean value	Deploy the v2 API Registry service. When this option is set to `True`, the Registry service will be enabled in Glance for v2 API requests. NOTES: Use of Registry is optional in v2 API, so this option must only be enabled if both `enable_v2_api` is set to `True` and the `data_api` option is set to `glance.db.registry.api`. If deploying only the v1 OpenStack Images API, this option, which is enabled by default, should be disabled. Possible values: True False Related options: enable_v2_api data_api
`enabled_import_methods = [u'glance-direct', u'web-download']`	list value	List of enabled Image Import Methods Both glance-direct and web-download are enabled by default. Related options: [DEFAULT]/node_staging_uri [DEFAULT]/enable_image_import
`fatal_deprecations = False`	boolean value	Enables or disables fatal status of deprecations.
`image_location_quota = 10`	integer value	Maximum number of locations allowed on an image. Any negative value is interpreted as unlimited. Related options: None
`image_member_quota = 128`	integer value	Maximum number of image members per image. This limits the maximum of users an image can be shared with. Any negative value is interpreted as unlimited. Related options: None
`image_property_quota = 128`	integer value	Maximum number of properties allowed on an image. This enforces an upper limit on the number of additional properties an image can have. Any negative value is interpreted as unlimited. Note This won’t have any impact if additional properties are disabled. Please refer to `allow_additional_image_properties`. Related options: `allow_additional_image_properties`
`image_size_cap = 1099511627776`	integer value	Maximum size of image a user can upload in bytes. An image upload greater than the size mentioned here would result in an image creation failure. This configuration option defaults to 1099511627776 bytes (1 TiB). NOTES: This value should only be increased after careful consideration and must be set less than or equal to 8 EiB (9223372036854775808). This value must be set with careful consideration of the backend storage capacity. Setting this to a very low value may result in a large number of image failures. And, setting this to a very large value may result in faster consumption of storage. Hence, this must be set according to the nature of images created and storage capacity available. Possible values: Any positive number less than or equal to 9223372036854775808
`image_tag_quota = 128`	integer value	Maximum number of tags allowed on an image. Any negative value is interpreted as unlimited. Related options: None
`instance_format = [instance: %(uuid)s] `	string value	The format for an instance that is passed with the log message.
`instance_uuid_format = [instance: %(uuid)s] `	string value	The format for an instance UUID that is passed with the log message.
`limit_param_default = 25`	integer value	The default number of results to return for a request. Responses to certain API requests, like list images, may return multiple items. The number of results returned can be explicitly controlled by specifying the `limit` parameter in the API request. However, if a `limit` parameter is not specified, this configuration value will be used as the default number of results to be returned for any API request. NOTES: The value of this configuration option may not be greater than the value specified by `api_limit_max`. Setting this to a very large value may slow down database queries and increase response times. Setting this to a very low value may result in poor user experience. Possible values: Any positive integer Related options: api_limit_max
`log-config-append = None`	string value	The name of a logging configuration file. This file is appended to any existing logging configuration files. For details about logging configuration files, see the Python logging module documentation. Note that when logging configuration files are used then all logging configuration is set in the configuration file and other logging configuration options are ignored (for example, logging_context_format_string).
`log-date-format = %Y-%m-%d %H:%M:%S`	string value	Defines the format string for %%(asctime)s in log records. Default: %(default)s . This option is ignored if log_config_append is set.
`log-dir = None`	string value	(Optional) The base directory used for relative log_file paths. This option is ignored if log_config_append is set.
`log-file = None`	string value	(Optional) Name of log file to send logging output to. If no default is set, logging will go to stderr as defined by use_stderr. This option is ignored if log_config_append is set.
`logging_context_format_string = %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [%(request_id)s %(user_identity)s] %(instance)s%(message)s`	string value	Format string to use for log messages with context.
`logging_debug_format_suffix = %(funcName)s %(pathname)s:%(lineno)d`	string value	Additional data to append to log message when logging level for the message is DEBUG.
`logging_default_format_string = %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [-] %(instance)s%(message)s`	string value	Format string to use for log messages when context is undefined.
`logging_exception_prefix = %(asctime)s.%(msecs)03d %(process)d ERROR %(name)s %(instance)s`	string value	Prefix each line of exception output with this format.
`logging_user_identity_format = %(user)s %(tenant)s %(domain)s %(user_domain)s %(project_domain)s`	string value	Defines the format string for %(user_identity)s that is used in logging_context_format_string.
`metadata_encryption_key = None`	string value	AES key for encrypting store location metadata. Provide a string value representing the AES cipher to use for encrypting Glance store metadata. Note The AES key to use must be set to a random string of length 16, 24 or 32 bytes. Possible values: String value representing a valid AES key Related options: None
`node_staging_uri = file:///tmp/staging/`	string value	The URL provides location where the temporary data will be stored This option is for Glance internal use only. Glance will save the image data uploaded by the user to staging endpoint during the image import process. This option does not change the staging API endpoint by any means. Note It is discouraged to use same path as [task]/work_dir Note file://<absolute-directory-path> is the only option api_image_import flow will support for now. Note The staging path must be on shared filesystem available to all Glance API nodes. Possible values: String starting with file:// followed by absolute FS path Related options: [task]/work_dir [DEFAULT]/enable_image_import (deprecated)
`publish_errors = False`	boolean value	Enables or disables publication of error events.
`pydev_worker_debug_host = None`	unknown value	Host address of the pydev server. Provide a string value representing the hostname or IP of the pydev server to use for debugging. The pydev server listens for debug connections on this address, facilitating remote debugging in Glance. Possible values: Valid hostname Valid IP address Related options: None
`pydev_worker_debug_port = 5678`	port value	Port number that the pydev server will listen on. Provide a port number to bind the pydev server to. The pydev process accepts debug connections on this port and facilitates remote debugging in Glance. Possible values: A valid port number Related options: None
`rate_limit_burst = 0`	integer value	Maximum number of logged messages per rate_limit_interval.
`rate_limit_except_level = CRITICAL`	string value	Log level name used by rate limiting: CRITICAL, ERROR, INFO, WARNING, DEBUG or empty string. Logs with level greater or equal to rate_limit_except_level are not filtered. An empty string means that all levels are filtered.
`rate_limit_interval = 0`	integer value	Interval, number of seconds, of log rate limiting.
`scrub_pool_size = 1`	integer value	The size of thread pool to be used for scrubbing images. When there are a large number of images to scrub, it is beneficial to scrub images in parallel so that the scrub queue stays in control and the backend storage is reclaimed in a timely fashion. This configuration option denotes the maximum number of images to be scrubbed in parallel. The default value is one, which signifies serial scrubbing. Any value above one indicates parallel scrubbing. Possible values: Any non-zero positive integer Related options: `delayed_delete`
`scrub_time = 0`	integer value	The amount of time, in seconds, to delay image scrubbing. When delayed delete is turned on, an image is put into `pending_delete` state upon deletion until the scrubber deletes its image data. Typically, soon after the image is put into `pending_delete` state, it is available for scrubbing. However, scrubbing can be delayed until a later point using this configuration option. This option denotes the time period an image spends in `pending_delete` state before it is available for scrubbing. It is important to realize that this has storage implications. The larger the `scrub_time`, the longer the time to reclaim backend storage from deleted images. Possible values: Any non-negative integer Related options: `delayed_delete`
`show_image_direct_url = False`	boolean value	Show direct image location when returning an image. This configuration option indicates whether to show the direct image location when returning image details to the user. The direct image location is where the image data is stored in backend storage. This image location is shown under the image property `direct_url`. When multiple image locations exist for an image, the best location is displayed based on the location strategy indicated by the configuration option `location_strategy`. NOTES: Revealing image locations can present a GRAVE SECURITY RISK as image locations can sometimes include credentials. Hence, this is set to `False` by default. Set this to `True` with EXTREME CAUTION and ONLY IF you know what you are doing! If an operator wishes to avoid showing any image location(s) to the user, then both this option and `show_multiple_locations` MUST be set to `False`. Possible values: True False Related options: show_multiple_locations location_strategy
`show_multiple_locations = False`	boolean value	Show all image locations when returning an image. This configuration option indicates whether to show all the image locations when returning image details to the user. When multiple image locations exist for an image, the locations are ordered based on the location strategy indicated by the configuration opt `location_strategy`. The image locations are shown under the image property `locations`. NOTES: Revealing image locations can present a GRAVE SECURITY RISK as image locations can sometimes include credentials. Hence, this is set to `False` by default. Set this to `True` with EXTREME CAUTION and ONLY IF you know what you are doing! See https://wiki.openstack.org/wiki/OSSN/OSSN-0065 for more information. If an operator wishes to avoid showing any image location(s) to the user, then both this option and `show_image_direct_url` MUST be set to `False`. Possible values: True False Related options: show_image_direct_url location_strategy
`syslog-log-facility = LOG_USER`	string value	Syslog facility to receive log lines. This option is ignored if log_config_append is set.
`use-journal = False`	boolean value	Enable journald for logging. If running in a systemd environment you may wish to enable journal support. Doing so will use the journal native protocol which includes structured metadata in addition to log messages.This option is ignored if log_config_append is set.
`use-json = False`	boolean value	Use JSON formatting for logging. This option is ignored if log_config_append is set.
`use-syslog = False`	boolean value	Use syslog for logging. Existing syslog format is DEPRECATED and will be changed later to honor RFC5424. This option is ignored if log_config_append is set.
`use_stderr = False`	boolean value	Log output to standard error. This option is ignored if log_config_append is set.
`user_storage_quota = 0`	string value	Maximum amount of image storage per tenant. This enforces an upper limit on the cumulative storage consumed by all images of a tenant across all stores. This is a per-tenant limit. The default unit for this configuration option is Bytes. However, storage units can be specified using case-sensitive literals `B`, `KB`, `MB`, `GB` and `TB` representing Bytes, KiloBytes, MegaBytes, GigaBytes and TeraBytes respectively. Note that there should not be any space between the value and unit. Value `0` signifies no quota enforcement. Negative values are invalid and result in errors. Possible values: A string that is a valid concatenation of a non-negative integer representing the storage value and an optional string literal representing storage units as mentioned above. Related options: None
`wakeup_time = 300`	integer value	Time interval, in seconds, between scrubber runs in daemon mode. Scrubber can be run either as a cron job or daemon. When run as a daemon, this configuration time specifies the time period between two runs. When the scrubber wakes up, it fetches and scrubs all `pending_delete` images that are available for scrubbing after taking `scrub_time` into consideration. If the wakeup time is set to a large number, there may be a large number of images to be scrubbed for each run. Also, this impacts how quickly the backend storage is reclaimed. Possible values: Any non-negative integer Related options: `daemon` `delayed_delete`
`watch-log-file = False`	boolean value	Uses logging handler designed to watch file system. When log file is moved or removed this handler will open a new log file with specified path instantaneously. It makes sense only if log_file option is specified and Linux platform is used. This option is ignored if log_config_append is set.

5.3.2. database

The following table outlines the options available under the [database] group in the /etc/glance/glance-scrubber.conf file.

Table 5.34. database
Configuration option = Default value	Type	Description
`backend = sqlalchemy`	string value	The back end to use for the database.
`connection = None`	string value	The SQLAlchemy connection string to use to connect to the database.
`connection_debug = 0`	integer value	Verbosity of SQL debugging information: 0=None, 100=Everything.
`connection_recycle_time = 3600`	integer value	Connections which have been present in the connection pool longer than this number of seconds will be replaced with a new one the next time they are checked out from the pool.
`connection_trace = False`	boolean value	Add Python stack traces to SQL as comment strings.
`db_inc_retry_interval = True`	boolean value	If True, increases the interval between retries of a database operation up to db_max_retry_interval.
`db_max_retries = 20`	integer value	Maximum retries in case of connection error or deadlock error before error is raised. Set to -1 to specify an infinite retry count.
`db_max_retry_interval = 10`	integer value	If db_inc_retry_interval is set, the maximum seconds between retries of a database operation.
`db_retry_interval = 1`	integer value	Seconds between retries of a database transaction.
`max_overflow = 50`	integer value	If set, use this value for max_overflow with SQLAlchemy.
`max_pool_size = 5`	integer value	Maximum number of SQL connections to keep open in a pool. Setting a value of 0 indicates no limit.
`max_retries = 10`	integer value	Maximum number of database connection retries during startup. Set to -1 to specify an infinite retry count.
`min_pool_size = 1`	integer value	Minimum number of SQL connections to keep open in a pool.
`mysql_enable_ndb = False`	boolean value	If True, transparently enables support for handling MySQL Cluster (NDB).
`mysql_sql_mode = TRADITIONAL`	string value	The SQL mode to be used for MySQL sessions. This option, including the default, overrides any server-set SQL mode. To use whatever SQL mode is set by the server configuration, set this to no value. Example: mysql_sql_mode=
`pool_timeout = None`	integer value	If set, use this value for pool_timeout with SQLAlchemy.
`retry_interval = 10`	integer value	Interval between retries of opening a SQL connection.
`slave_connection = None`	string value	The SQLAlchemy connection string to use to connect to the slave database.
`sqlite_synchronous = True`	boolean value	If True, SQLite uses synchronous mode.
`use_db_reconnect = False`	boolean value	Enable the experimental use of database reconnect on connection lost.
`use_tpool = False`	boolean value	Enable the experimental use of thread pooling for all DB API calls

5.3.3. glance_store

The following table outlines the options available under the [glance_store] group in the /etc/glance/glance-scrubber.conf file.

Table 5.35. glance_store
Configuration option = Default value	Type	Description
`cinder_api_insecure = False`	boolean value	Allow to perform insecure SSL requests to cinder. If this option is set to True, HTTPS endpoint connection is verified using the CA certificates file specified by `cinder_ca_certificates_file` option. Possible values: True False Related options: cinder_ca_certificates_file
`cinder_ca_certificates_file = None`	string value	Location of a CA certificates file used for cinder client requests. The specified CA certificates file, if set, is used to verify cinder connections via HTTPS endpoint. If the endpoint is HTTP, this value is ignored. `cinder_api_insecure` must be set to `True` to enable the verification. Possible values: Path to a ca certificates file Related options: cinder_api_insecure
`cinder_catalog_info = volumev2::publicURL`	string value	Information to match when looking for cinder in the service catalog. When the `cinder_endpoint_template` is not set and any of `cinder_store_auth_address`, `cinder_store_user_name`, `cinder_store_project_name`, `cinder_store_password` is not set, cinder store uses this information to lookup cinder endpoint from the service catalog in the current context. `cinder_os_region_name`, if set, is taken into consideration to fetch the appropriate endpoint. The service catalog can be listed by the `openstack catalog list` command. Possible values: A string of of the following form: `<service_type>:<service_name>:<interface>` At least `service_type` and `interface` should be specified. `service_name` can be omitted. Related options: cinder_os_region_name cinder_endpoint_template cinder_store_auth_address cinder_store_user_name cinder_store_project_name cinder_store_password
`cinder_endpoint_template = None`	string value	Override service catalog lookup with template for cinder endpoint. When this option is set, this value is used to generate cinder endpoint, instead of looking up from the service catalog. This value is ignored if `cinder_store_auth_address`, `cinder_store_user_name`, `cinder_store_project_name`, and `cinder_store_password` are specified. If this configuration option is set, `cinder_catalog_info` will be ignored. Possible values: URL template string for cinder endpoint, where `%%(tenant)s` is replaced with the current tenant (project) name. For example: `http://cinder.openstack.example.org/v2/%%(tenant)s` Related options: cinder_store_auth_address cinder_store_user_name cinder_store_project_name cinder_store_password cinder_catalog_info
`cinder_http_retries = 3`	integer value	Number of cinderclient retries on failed http calls. When a call failed by any errors, cinderclient will retry the call up to the specified times after sleeping a few seconds. Possible values: A positive integer Related options: None
`cinder_os_region_name = None`	string value	Region name to lookup cinder service from the service catalog. This is used only when `cinder_catalog_info` is used for determining the endpoint. If set, the lookup for cinder endpoint by this node is filtered to the specified region. It is useful when multiple regions are listed in the catalog. If this is not set, the endpoint is looked up from every region. Possible values: A string that is a valid region name. Related options: cinder_catalog_info
`cinder_state_transition_timeout = 300`	integer value	Time period, in seconds, to wait for a cinder volume transition to complete. When the cinder volume is created, deleted, or attached to the glance node to read/write the volume data, the volume’s state is changed. For example, the newly created volume status changes from `creating` to `available` after the creation process is completed. This specifies the maximum time to wait for the status change. If a timeout occurs while waiting, or the status is changed to an unexpected value (e.g. `error`), the image creation fails. Possible values: A positive integer Related options: None
`cinder_store_auth_address = None`	string value	The address where the cinder authentication service is listening. When all of `cinder_store_auth_address`, `cinder_store_user_name`, `cinder_store_project_name`, and `cinder_store_password` options are specified, the specified values are always used for the authentication. This is useful to hide the image volumes from users by storing them in a project/tenant specific to the image service. It also enables users to share the image volume among other projects under the control of glance’s ACL. If either of these options are not set, the cinder endpoint is looked up from the service catalog, and current context’s user and project are used. Possible values: A valid authentication service address, for example: `http://openstack.example.org/identity/v2.0` Related options: cinder_store_user_name cinder_store_password cinder_store_project_name
`cinder_store_password = None`	string value	Password for the user authenticating against cinder. This must be used with all the following related options. If any of these are not specified, the user of the current context is used. Possible values: A valid password for the user specified by `cinder_store_user_name` Related options: cinder_store_auth_address cinder_store_user_name cinder_store_project_name
`cinder_store_project_name = None`	string value	Project name where the image volume is stored in cinder. If this configuration option is not set, the project in current context is used. This must be used with all the following related options. If any of these are not specified, the project of the current context is used. Possible values: A valid project name Related options: `cinder_store_auth_address` `cinder_store_user_name` `cinder_store_password`
`cinder_store_user_name = None`	string value	User name to authenticate against cinder. This must be used with all the following related options. If any of these are not specified, the user of the current context is used. Possible values: A valid user name Related options: cinder_store_auth_address cinder_store_password cinder_store_project_name
`cinder_volume_type = None`	string value	Volume type that will be used for volume creation in cinder. Some cinder backends can have several volume types to optimize storage usage. Adding this option allows an operator to choose a specific volume type in cinder that can be optimized for images. If this is not set, then the default volume type specified in the cinder configuration will be used for volume creation. Possible values: A valid volume type from cinder Related options: None
`default_store = file`	string value	The default scheme to use for storing images. Provide a string value representing the default scheme to use for storing images. If not set, Glance uses `file` as the default scheme to store images with the `file` store. Note The value given for this configuration option must be a valid scheme for a store registered with the `stores` configuration option. Possible values: file filesystem http https swift swift+http swift+https swift+config rbd sheepdog cinder vsphere Related Options: stores
`default_swift_reference = ref1`	string value	Reference to default Swift account/backing store parameters. Provide a string value representing a reference to the default set of parameters required for using swift account/backing store for image storage. The default reference value for this configuration option is ref1. This configuration option dereferences the parameters and facilitates image storage in Swift storage backend every time a new image is added. Possible values: A valid string value Related options: None
`filesystem_store_datadir = /var/lib/glance/images`	string value	Directory to which the filesystem backend store writes images. Upon start up, Glance creates the directory if it doesn’t already exist and verifies write access to the user under which `glance-api` runs. If the write access isn’t available, a `BadStoreConfiguration` exception is raised and the filesystem store may not be available for adding new images. Note This directory is used only when filesystem store is used as a storage backend. Either `filesystem_store_datadir` or `filesystem_store_datadirs` option must be specified in `glance-api.conf`. If both options are specified, a `BadStoreConfiguration` will be raised and the filesystem store may not be available for adding new images. Possible values: A valid path to a directory Related options: `filesystem_store_datadirs` `filesystem_store_file_perm`
`filesystem_store_datadirs = None`	multi valued	List of directories and their priorities to which the filesystem backend store writes images. The filesystem store can be configured to store images in multiple directories as opposed to using a single directory specified by the `filesystem_store_datadir` configuration option. When using multiple directories, each directory can be given an optional priority to specify the preference order in which they should be used. Priority is an integer that is concatenated to the directory path with a colon where a higher value indicates higher priority. When two directories have the same priority, the directory with most free space is used. When no priority is specified, it defaults to zero. More information on configuring filesystem store with multiple store directories can be found at http://docs.openstack.org/developer/glance/configuring.html Note This directory is used only when filesystem store is used as a storage backend. Either `filesystem_store_datadir` or `filesystem_store_datadirs` option must be specified in `glance-api.conf`. If both options are specified, a `BadStoreConfiguration` will be raised and the filesystem store may not be available for adding new images. Possible values: List of strings of the following form: `<a valid directory path>:<optional integer priority>` Related options: `filesystem_store_datadir` `filesystem_store_file_perm`
`filesystem_store_file_perm = 0`	integer value	File access permissions for the image files. Set the intended file access permissions for image data. This provides a way to enable other services, e.g. Nova, to consume images directly from the filesystem store. The users running the services that are intended to be given access to could be made a member of the group that owns the files created. Assigning a value less then or equal to zero for this configuration option signifies that no changes be made to the default permissions. This value will be decoded as an octal digit. For more information, please refer the documentation at http://docs.openstack.org/developer/glance/configuring.html Possible values: A valid file access permission Zero Any negative integer Related options: None
`filesystem_store_metadata_file = None`	string value	Filesystem store metadata file. The path to a file which contains the metadata to be returned with any location associated with the filesystem store. The file must contain a valid JSON object. The object should contain the keys `id` and `mountpoint`. The value for both keys should be a string. Possible values: A valid path to the store metadata file Related options: None
`http_proxy_information = {}`	dict value	The http/https proxy information to be used to connect to the remote server. This configuration option specifies the http/https proxy information that should be used to connect to the remote server. The proxy information should be a key value pair of the scheme and proxy, for example, http:10.0.0.1:3128. You can also specify proxies for multiple schemes by separating the key value pairs with a comma, for example, http:10.0.0.1:3128, https:10.0.0.1:1080. Possible values: A comma separated list of scheme:proxy pairs as described above Related options: None
`https_ca_certificates_file = None`	string value	Path to the CA bundle file. This configuration option enables the operator to use a custom Certificate Authority file to verify the remote server certificate. If this option is set, the `https_insecure` option will be ignored and the CA file specified will be used to authenticate the server certificate and establish a secure connection to the server. Possible values: A valid path to a CA file Related options: https_insecure
`https_insecure = True`	boolean value	Set verification of the remote server certificate. This configuration option takes in a boolean value to determine whether or not to verify the remote server certificate. If set to True, the remote server certificate is not verified. If the option is set to False, then the default CA truststore is used for verification. This option is ignored if `https_ca_certificates_file` is set. The remote server certificate will then be verified using the file specified using the `https_ca_certificates_file` option. Possible values: True False Related options: https_ca_certificates_file
`rados_connect_timeout = 0`	integer value	Timeout value for connecting to Ceph cluster. This configuration option takes in the timeout value in seconds used when connecting to the Ceph cluster i.e. it sets the time to wait for glance-api before closing the connection. This prevents glance-api hangups during the connection to RBD. If the value for this option is set to less than or equal to 0, no timeout is set and the default librados value is used. Possible Values: Any integer value Related options: None
`rbd_store_ceph_conf = /etc/ceph/ceph.conf`	string value	Ceph configuration file path. This configuration option takes in the path to the Ceph configuration file to be used. If the value for this option is not set by the user or is set to None, librados will locate the default configuration file which is located at /etc/ceph/ceph.conf. If using Cephx authentication, this file should include a reference to the right keyring in a client.<USER> section Possible Values: A valid path to a configuration file Related options: rbd_store_user
`rbd_store_chunk_size = 8`	integer value	Size, in megabytes, to chunk RADOS images into. Provide an integer value representing the size in megabytes to chunk Glance images into. The default chunk size is 8 megabytes. For optimal performance, the value should be a power of two. When Ceph’s RBD object storage system is used as the storage backend for storing Glance images, the images are chunked into objects of the size set using this option. These chunked objects are then stored across the distributed block data store to use for Glance. Possible Values: Any positive integer value Related options: None
`rbd_store_pool = images`	string value	RADOS pool in which images are stored. When RBD is used as the storage backend for storing Glance images, the images are stored by means of logical grouping of the objects (chunks of images) into a `pool`. Each pool is defined with the number of placement groups it can contain. The default pool that is used is images. More information on the RBD storage backend can be found here: http://ceph.com/planet/how-data-is-stored-in-ceph-cluster/ Possible Values: A valid pool name Related options: None
`rbd_store_user = None`	string value	RADOS user to authenticate as. This configuration option takes in the RADOS user to authenticate as. This is only needed when RADOS authentication is enabled and is applicable only if the user is using Cephx authentication. If the value for this option is not set by the user or is set to None, a default value will be chosen, which will be based on the client. section in rbd_store_ceph_conf. Possible Values: A valid RADOS user Related options: rbd_store_ceph_conf
`rootwrap_config = /etc/glance/rootwrap.conf`	string value	Path to the rootwrap configuration file to use for running commands as root. The cinder store requires root privileges to operate the image volumes (for connecting to iSCSI/FC volumes and reading/writing the volume data, etc.). The configuration file should allow the required commands by cinder store and os-brick library. Possible values: Path to the rootwrap config file Related options: None
`sheepdog_store_address = 127.0.0.1`	unknown value	Address to bind the Sheepdog daemon to. Provide a string value representing the address to bind the Sheepdog daemon to. The default address set for the sheep is 127.0.0.1. The Sheepdog daemon, also called sheep, manages the storage in the distributed cluster by writing objects across the storage network. It identifies and acts on the messages directed to the address set using `sheepdog_store_address` option to store chunks of Glance images. Possible values: A valid IPv4 address A valid IPv6 address A valid hostname Related Options: sheepdog_store_port
`sheepdog_store_chunk_size = 64`	integer value	Chunk size for images to be stored in Sheepdog data store. Provide an integer value representing the size in mebibyte (1048576 bytes) to chunk Glance images into. The default chunk size is 64 mebibytes. When using Sheepdog distributed storage system, the images are chunked into objects of this size and then stored across the distributed data store to use for Glance. Chunk sizes, if a power of two, help avoid fragmentation and enable improved performance. Possible values: Positive integer value representing size in mebibytes. Related Options: None
`sheepdog_store_port = 7000`	port value	Port number on which the sheep daemon will listen. Provide an integer value representing a valid port number on which you want the Sheepdog daemon to listen on. The default port is 7000. The Sheepdog daemon, also called sheep, manages the storage in the distributed cluster by writing objects across the storage network. It identifies and acts on the messages it receives on the port number set using `sheepdog_store_port` option to store chunks of Glance images. Possible values: A valid port number (0 to 65535) Related Options: sheepdog_store_address
`store_capabilities_update_min_interval = 0`	integer value	Minimum interval in seconds to execute updating dynamic storage capabilities based on current backend status. Provide an integer value representing time in seconds to set the minimum interval before an update of dynamic storage capabilities for a storage backend can be attempted. Setting `store_capabilities_update_min_interval` does not mean updates occur periodically based on the set interval. Rather, the update is performed at the elapse of this interval set, if an operation of the store is triggered. By default, this option is set to zero and is disabled. Provide an integer value greater than zero to enable this option. Note For more information on store capabilities and their updates, please visit: https://specs.openstack.org/openstack/glance-specs/specs/kilo/store-capabilities.html For more information on setting up a particular store in your deployment and help with the usage of this feature, please contact the storage driver maintainers listed here: http://docs.openstack.org/developer/glance_store/drivers/index.html Possible values: Zero Positive integer Related Options: None
`stores = [u'file', u'http']`	list value	List of enabled Glance stores. Register the storage backends to use for storing disk images as a comma separated list. The default stores enabled for storing disk images with Glance are `file` and `http`. Possible values: A comma separated list that could include: file http swift rbd sheepdog cinder vmware Related Options: default_store
`swift_buffer_on_upload = False`	boolean value	Buffer image segments before upload to Swift. Provide a boolean value to indicate whether or not Glance should buffer image data to disk while uploading to swift. This enables Glance to resume uploads on error. NOTES: When enabling this option, one should take great care as this increases disk usage on the API node. Be aware that depending upon how the file system is configured, the disk space used for buffering may decrease the actual disk space available for the glance image cache. Disk utilization will cap according to the following equation: (`swift_store_large_object_chunk_size` * `workers` * 1000) Possible values: True False Related options: swift_upload_buffer_dir
`swift_store_admin_tenants = []`	list value	List of tenants that will be granted admin access. This is a list of tenants that will be granted read/write access on all Swift containers created by Glance in multi-tenant mode. The default value is an empty list. Possible values: A comma separated list of strings representing UUIDs of Keystone projects/tenants Related options: None
`swift_store_auth_address = None`	string value	The address where the Swift authentication service is listening.
`swift_store_auth_insecure = False`	boolean value	Set verification of the server certificate. This boolean determines whether or not to verify the server certificate. If this option is set to True, swiftclient won’t check for a valid SSL certificate when authenticating. If the option is set to False, then the default CA truststore is used for verification. Possible values: True False Related options: swift_store_cacert
`swift_store_auth_version = 2`	string value	Version of the authentication service to use. Valid versions are 2 and 3 for keystone and 1 (deprecated) for swauth and rackspace.
`swift_store_cacert = None`	string value	Path to the CA bundle file. This configuration option enables the operator to specify the path to a custom Certificate Authority file for SSL verification when connecting to Swift. Possible values: A valid path to a CA file Related options: swift_store_auth_insecure
`swift_store_config_file = None`	string value	Absolute path to the file containing the swift account(s) configurations. Include a string value representing the path to a configuration file that has references for each of the configured Swift account(s)/backing stores. By default, no file path is specified and customized Swift referencing is disabled. Configuring this option is highly recommended while using Swift storage backend for image storage as it avoids storage of credentials in the database. Note Please do not configure this option if you have set `swift_store_multi_tenant` to `True`. Possible values: String value representing an absolute path on the glance-api node Related options: swift_store_multi_tenant
`swift_store_container = glance`	string value	Name of single container to store images/name prefix for multiple containers When a single container is being used to store images, this configuration option indicates the container within the Glance account to be used for storing all images. When multiple containers are used to store images, this will be the name prefix for all containers. Usage of single/multiple containers can be controlled using the configuration option `swift_store_multiple_containers_seed`. When using multiple containers, the containers will be named after the value set for this configuration option with the first N chars of the image UUID as the suffix delimited by an underscore (where N is specified by `swift_store_multiple_containers_seed`). Example: if the seed is set to 3 and swift_store_container = `glance`, then an image with UUID `fdae39a1-bac5-4238-aba4-69bcc726e848` would be placed in the container `glance_fda`. All dashes in the UUID are included when creating the container name but do not count toward the character limit, so when N=10 the container name would be `glance_fdae39a1-ba.` Possible values: If using single container, this configuration option can be any string that is a valid swift container name in Glance’s Swift account If using multiple containers, this configuration option can be any string as long as it satisfies the container naming rules enforced by Swift. The value of `swift_store_multiple_containers_seed` should be taken into account as well. Related options: `swift_store_multiple_containers_seed` `swift_store_multi_tenant` `swift_store_create_container_on_put`
`swift_store_create_container_on_put = False`	boolean value	Create container, if it doesn’t already exist, when uploading image. At the time of uploading an image, if the corresponding container doesn’t exist, it will be created provided this configuration option is set to True. By default, it won’t be created. This behavior is applicable for both single and multiple containers mode. Possible values: True False Related options: None
`swift_store_endpoint = None`	string value	The URL endpoint to use for Swift backend storage. Provide a string value representing the URL endpoint to use for storing Glance images in Swift store. By default, an endpoint is not set and the storage URL returned by `auth` is used. Setting an endpoint with `swift_store_endpoint` overrides the storage URL and is used for Glance image storage. Note The URL should include the path up to, but excluding the container. The location of an object is obtained by appending the container and object to the configured URL. Possible values: String value representing a valid URL path up to a Swift container Related Options: None
`swift_store_endpoint_type = publicURL`	string value	Endpoint Type of Swift service. This string value indicates the endpoint type to use to fetch the Swift endpoint. The endpoint type determines the actions the user will be allowed to perform, for instance, reading and writing to the Store. This setting is only used if swift_store_auth_version is greater than 1. Possible values: publicURL adminURL internalURL Related options: swift_store_endpoint
`swift_store_expire_soon_interval = 60`	integer value	Time in seconds defining the size of the window in which a new token may be requested before the current token is due to expire. Typically, the Swift storage driver fetches a new token upon the expiration of the current token to ensure continued access to Swift. However, some Swift transactions (like uploading image segments) may not recover well if the token expires on the fly. Hence, by fetching a new token before the current token expiration, we make sure that the token does not expire or is close to expiry before a transaction is attempted. By default, the Swift storage driver requests for a new token 60 seconds or less before the current token expiration. Possible values: Zero Positive integer value Related Options: None
`swift_store_key = None`	string value	Auth key for the user authenticating against the Swift authentication service.
`swift_store_large_object_chunk_size = 200`	integer value	The maximum size, in MB, of the segments when image data is segmented. When image data is segmented to upload images that are larger than the limit enforced by the Swift cluster, image data is broken into segments that are no bigger than the size specified by this configuration option. Refer to `swift_store_large_object_size` for more detail. For example: if `swift_store_large_object_size` is 5GB and `swift_store_large_object_chunk_size` is 1GB, an image of size 6.2GB will be segmented into 7 segments where the first six segments will be 1GB in size and the seventh segment will be 0.2GB. Possible values: A positive integer that is less than or equal to the large object limit enforced by Swift cluster in consideration. Related options: `swift_store_large_object_size`
`swift_store_large_object_size = 5120`	integer value	The size threshold, in MB, after which Glance will start segmenting image data. Swift has an upper limit on the size of a single uploaded object. By default, this is 5GB. To upload objects bigger than this limit, objects are segmented into multiple smaller objects that are tied together with a manifest file. For more detail, refer to http://docs.openstack.org/developer/swift/overview_large_objects.html This configuration option specifies the size threshold over which the Swift driver will start segmenting image data into multiple smaller files. Currently, the Swift driver only supports creating Dynamic Large Objects. Note This should be set by taking into account the large object limit enforced by the Swift cluster in consideration. Possible values: A positive integer that is less than or equal to the large object limit enforced by the Swift cluster in consideration. Related options: `swift_store_large_object_chunk_size`
`swift_store_multi_tenant = False`	boolean value	Store images in tenant’s Swift account. This enables multi-tenant storage mode which causes Glance images to be stored in tenant specific Swift accounts. If this is disabled, Glance stores all images in its own account. More details multi-tenant store can be found at https://wiki.openstack.org/wiki/GlanceSwiftTenantSpecificStorage Note If using multi-tenant swift store, please make sure that you do not set a swift configuration file with the swift_store_config_file option. Possible values: True False Related options: swift_store_config_file
`swift_store_multiple_containers_seed = 0`	integer value	Seed indicating the number of containers to use for storing images. When using a single-tenant store, images can be stored in one or more than one containers. When set to 0, all images will be stored in one single container. When set to an integer value between 1 and 32, multiple containers will be used to store images. This configuration option will determine how many containers are created. The total number of containers that will be used is equal to 16^N, so if this config option is set to 2, then 16^2=256 containers will be used to store images. Please refer to `swift_store_container` for more detail on the naming convention. More detail about using multiple containers can be found at https://specs.openstack.org/openstack/glance-specs/specs/kilo/swift-store-multiple-containers.html Note This is used only when swift_store_multi_tenant is disabled. Possible values: A non-negative integer less than or equal to 32 Related options: `swift_store_container` `swift_store_multi_tenant` `swift_store_create_container_on_put`
`swift_store_region = None`	string value	The region of Swift endpoint to use by Glance. Provide a string value representing a Swift region where Glance can connect to for image storage. By default, there is no region set. When Glance uses Swift as the storage backend to store images for a specific tenant that has multiple endpoints, setting of a Swift region with `swift_store_region` allows Glance to connect to Swift in the specified region as opposed to a single region connectivity. This option can be configured for both single-tenant and multi-tenant storage. Note Setting the region with `swift_store_region` is tenant-specific and is necessary `only if` the tenant has multiple endpoints across different regions. Possible values: A string value representing a valid Swift region. Related Options: None
`swift_store_retry_get_count = 0`	integer value	The number of times a Swift download will be retried before the request fails. Provide an integer value representing the number of times an image download must be retried before erroring out. The default value is zero (no retry on a failed image download). When set to a positive integer value, `swift_store_retry_get_count` ensures that the download is attempted this many more times upon a download failure before sending an error message. Possible values: Zero Positive integer value Related Options: None
`swift_store_service_type = object-store`	string value	Type of Swift service to use. Provide a string value representing the service type to use for storing images while using Swift backend storage. The default service type is set to `object-store`. Note If `swift_store_auth_version` is set to 2, the value for this configuration option needs to be `object-store`. If using a higher version of Keystone or a different auth scheme, this option may be modified. Possible values: A string representing a valid service type for Swift storage. Related Options: None
`swift_store_ssl_compression = True`	boolean value	SSL layer compression for HTTPS Swift requests. Provide a boolean value to determine whether or not to compress HTTPS Swift requests for images at the SSL layer. By default, compression is enabled. When using Swift as the backend store for Glance image storage, SSL layer compression of HTTPS Swift requests can be set using this option. If set to False, SSL layer compression of HTTPS Swift requests is disabled. Disabling this option may improve performance for images which are already in a compressed format, for example, qcow2. Possible values: True False Related Options: None
`swift_store_use_trusts = True`	boolean value	Use trusts for multi-tenant Swift store. This option instructs the Swift store to create a trust for each add/get request when the multi-tenant store is in use. Using trusts allows the Swift store to avoid problems that can be caused by an authentication token expiring during the upload or download of data. By default, `swift_store_use_trusts` is set to `True`(use of trusts is enabled). If set to `False`, a user token is used for the Swift connection instead, eliminating the overhead of trust creation. Note This option is considered only when `swift_store_multi_tenant` is set to `True` Possible values: True False Related options: swift_store_multi_tenant
`swift_store_user = None`	string value	The user to authenticate against the Swift authentication service.
`swift_upload_buffer_dir = None`	string value	Directory to buffer image segments before upload to Swift. Provide a string value representing the absolute path to the directory on the glance node where image segments will be buffered briefly before they are uploaded to swift. NOTES: * This is required only when the configuration option `swift_buffer_on_upload` is set to True. * This directory should be provisioned keeping in mind the `swift_store_large_object_chunk_size` and the maximum number of images that could be uploaded simultaneously by a given glance node. Possible values: String value representing an absolute directory path Related options: swift_buffer_on_upload swift_store_large_object_chunk_size
`vmware_api_retry_count = 10`	integer value	The number of VMware API retries. This configuration option specifies the number of times the VMware ESX/VC server API must be retried upon connection related issues or server API call overload. It is not possible to specify retry forever. Possible Values: Any positive integer value Related options: None
`vmware_ca_file = None`	string value	Absolute path to the CA bundle file. This configuration option enables the operator to use a custom Cerificate Authority File to verify the ESX/vCenter certificate. If this option is set, the "vmware_insecure" option will be ignored and the CA file specified will be used to authenticate the ESX/vCenter server certificate and establish a secure connection to the server. Possible Values: Any string that is a valid absolute path to a CA file Related options: vmware_insecure
`vmware_datastores = None`	multi valued	The datastores where the image can be stored. This configuration option specifies the datastores where the image can be stored in the VMWare store backend. This option may be specified multiple times for specifying multiple datastores. The datastore name should be specified after its datacenter path, separated by ":". An optional weight may be given after the datastore name, separated again by ":" to specify the priority. Thus, the required format becomes <datacenter_path>:<datastore_name>:<optional_weight>. When adding an image, the datastore with highest weight will be selected, unless there is not enough free space available in cases where the image size is already known. If no weight is given, it is assumed to be zero and the directory will be considered for selection last. If multiple datastores have the same weight, then the one with the most free space available is selected. Possible Values: Any string of the format: <datacenter_path>:<datastore_name>:<optional_weight> Related options: * None
`vmware_insecure = False`	boolean value	Set verification of the ESX/vCenter server certificate. This configuration option takes a boolean value to determine whether or not to verify the ESX/vCenter server certificate. If this option is set to True, the ESX/vCenter server certificate is not verified. If this option is set to False, then the default CA truststore is used for verification. This option is ignored if the "vmware_ca_file" option is set. In that case, the ESX/vCenter server certificate will then be verified using the file specified using the "vmware_ca_file" option . Possible Values: True False Related options: vmware_ca_file
`vmware_server_host = None`	unknown value	Address of the ESX/ESXi or vCenter Server target system. This configuration option sets the address of the ESX/ESXi or vCenter Server target system. This option is required when using the VMware storage backend. The address can contain an IP address (127.0.0.1) or a DNS name (www.my-domain.com). Possible Values: A valid IPv4 or IPv6 address A valid DNS name Related options: vmware_server_username vmware_server_password
`vmware_server_password = None`	string value	Server password. This configuration option takes the password for authenticating with the VMware ESX/ESXi or vCenter Server. This option is required when using the VMware storage backend. Possible Values: Any string that is a password corresponding to the username specified using the "vmware_server_username" option Related options: vmware_server_host vmware_server_username
`vmware_server_username = None`	string value	Server username. This configuration option takes the username for authenticating with the VMware ESX/ESXi or vCenter Server. This option is required when using the VMware storage backend. Possible Values: Any string that is the username for a user with appropriate privileges Related options: vmware_server_host vmware_server_password
`vmware_store_image_dir = /openstack_glance`	string value	The directory where the glance images will be stored in the datastore. This configuration option specifies the path to the directory where the glance images will be stored in the VMware datastore. If this option is not set, the default directory where the glance images are stored is openstack_glance. Possible Values: Any string that is a valid path to a directory Related options: None
`vmware_task_poll_interval = 5`	integer value	Interval in seconds used for polling remote tasks invoked on VMware ESX/VC server. This configuration option takes in the sleep time in seconds for polling an on-going async task as part of the VMWare ESX/VC server API call. Possible Values: Any positive integer value Related options: None

5.3.4. oslo_concurrency

The following table outlines the options available under the [oslo_concurrency] group in the /etc/glance/glance-scrubber.conf file.

Table 5.36. oslo_concurrency
Configuration option = Default value	Type	Description
`disable_process_locking = False`	boolean value	Enables or disables inter-process locks.
`lock_path = None`	string value	Directory to use for lock files. For security, the specified directory should only be writable by the user running the processes that need locking. Defaults to environment variable OSLO_LOCK_PATH. If external locks are used, a lock path must be set.

5.3.5. oslo_policy

The following table outlines the options available under the [oslo_policy] group in the /etc/glance/glance-scrubber.conf file.

Table 5.37. oslo_policy
Configuration option = Default value	Type	Description
`enforce_scope = False`	boolean value	This option controls whether or not to enforce scope when evaluating policies. If `True`, the scope of the token used in the request is compared to the `scope_types` of the policy being enforced. If the scopes do not match, an `InvalidScope` exception will be raised. If `False`, a message will be logged informing operators that policies are being invoked with mismatching scope.
`policy_default_rule = default`	string value	Default rule. Enforced when a requested rule is not found.
`policy_dirs = [u'policy.d']`	multi valued	Directories where policy configuration files are stored. They can be relative to any directory in the search path defined by the config_dir option, or absolute paths. The file defined by policy_file must exist for these directories to be searched. Missing or empty directories are ignored.
`policy_file = policy.json`	string value	The file that defines policies.
`remote_content_type = application/x-www-form-urlencoded`	string value	Content Type to send and receive data for REST based policy check
`remote_ssl_ca_crt_file = None`	string value	Absolute path to ca cert file for REST based policy check
`remote_ssl_client_crt_file = None`	string value	Absolute path to client cert for REST based policy check
`remote_ssl_client_key_file = None`	string value	Absolute path client key file REST based policy check
`remote_ssl_verify_server_crt = False`	boolean value	server identity verification for REST based policy check

5.4. glance-cache.conf

This section contains options for the /etc/glance/glance-cache.conf file.

5.4.1. DEFAULT

The following table outlines the options available under the [DEFAULT] group in the /etc/glance/glance-cache.conf file.

Table 5.38. DEFAULT
Configuration option = Default value	Type	Description
`admin_password = None`	string value	The administrators password. If "use_user_token" is not in effect, then admin credentials can be specified.
`admin_tenant_name = None`	string value	The tenant name of the administrative user. If "use_user_token" is not in effect, then admin tenant name can be specified.
`admin_user = None`	string value	The administrators user name. If "use_user_token" is not in effect, then admin credentials can be specified.
`allow_additional_image_properties = True`	boolean value	Allow users to add additional/custom properties to images. Glance defines a standard set of properties (in its schema) that appear on every image. These properties are also known as `base properties`. In addition to these properties, Glance allows users to add custom properties to images. These are known as `additional properties`. By default, this configuration option is set to `True` and users are allowed to add additional properties. The number of additional properties that can be added to an image can be controlled via `image_property_quota` configuration option. Possible values: True False Related options: image_property_quota
`api_limit_max = 1000`	integer value	Maximum number of results that could be returned by a request. As described in the help text of `limit_param_default`, some requests may return multiple results. The number of results to be returned are governed either by the `limit` parameter in the request or the `limit_param_default` configuration option. The value in either case, can’t be greater than the absolute maximum defined by this configuration option. Anything greater than this value is trimmed down to the maximum value defined here. Note Setting this to a very large value may slow down database queries and increase response times. Setting this to a very low value may result in poor user experience. Possible values: Any positive integer Related options: limit_param_default
`auth_region = None`	string value	The region for the authentication service. If "use_user_token" is not in effect and using keystone auth, then region name can be specified.
`auth_strategy = noauth`	string value	The strategy to use for authentication. If "use_user_token" is not in effect, then auth strategy can be specified.
`auth_url = None`	string value	The URL to the keystone service. If "use_user_token" is not in effect and using keystone auth, then URL of keystone can be specified.
`data_api = glance.db.sqlalchemy.api`	string value	Python module path of data access API. Specifies the path to the API to use for accessing the data model. This option determines how the image catalog data will be accessed. Possible values: glance.db.sqlalchemy.api glance.db.registry.api glance.db.simple.api If this option is set to `glance.db.sqlalchemy.api` then the image catalog data is stored in and read from the database via the SQLAlchemy Core and ORM APIs. Setting this option to `glance.db.registry.api` will force all database access requests to be routed through the Registry service. This avoids data access from the Glance API nodes for an added layer of security, scalability and manageability. Note In v2 OpenStack Images API, the registry service is optional. In order to use the Registry API in v2, the option `enable_v2_registry` must be set to `True`. Finally, when this configuration option is set to `glance.db.simple.api`, image catalog data is stored in and read from an in-memory data structure. This is primarily used for testing. Related options: enable_v2_api enable_v2_registry
`debug = False`	boolean value	If set to true, the logging level will be set to DEBUG instead of the default INFO level.
default_log_levels = [u'amqp=WARN', u'amqplib=WARN', u'boto=WARN', u'qpid=WARN', u'sqlalchemy=WARN', u'suds=INFO', u'oslo.messaging=INFO', u'oslo_messaging=INFO', u'iso8601=WARN', u'requests.packages.urllib3.connectionpool=WARN', u'urllib3.connectionpool=WARN', u'websocket=WARN', u'requests.packages.urllib3.util.retry=WARN', u'urllib3.util.retry=WARN', u'keystonemiddleware=WARN', u'routes.middleware=WARN', u'stevedore=WARN', u'taskflow=WARN', u'keystoneauth=WARN', u'oslo.cache=INFO', u'dogpile.core.dogpile=INFO']	list value	List of package logging levels in logger=LEVEL pairs. This option is ignored if log_config_append is set.
`digest_algorithm = sha256`	string value	Digest algorithm to use for digital signature. Provide a string value representing the digest algorithm to use for generating digital signatures. By default, `sha256` is used. To get a list of the available algorithms supported by the version of OpenSSL on your platform, run the command: `openssl list-message-digest-algorithms`. Examples are sha1, sha256, and sha512. Note `digest_algorithm` is not related to Glance’s image signing and verification. It is only used to sign the universally unique identifier (UUID) as a part of the certificate file and key file validation. Possible values: An OpenSSL message digest algorithm identifier Relation options: None
`enable_image_import = True`	boolean value	Enables the Image Import workflow introduced in Pike As [DEFAULT]/node_staging_uri is required for the Image Import, it’s disabled per default in Pike, enabled per default in Queens and removed in Rocky. This allows Glance to operate with previous version configs upon upgrade. Setting this option to False will disable the endpoints related to Image Import Refactoring work. Related options: [DEFAULT]/node_staging_uri
`enable_v1_api = True`	boolean value	Deploy the v1 OpenStack Images API. When this option is set to `True`, Glance service will respond to requests on registered endpoints conforming to the v1 OpenStack Images API. NOTES: If this option is enabled, then `enable_v1_registry` must also be set to `True` to enable mandatory usage of Registry service with v1 API. If this option is disabled, then the `enable_v1_registry` option, which is enabled by default, is also recommended to be disabled. This option is separate from `enable_v2_api`, both v1 and v2 OpenStack Images API can be deployed independent of each other. If deploying only the v2 Images API, this option, which is enabled by default, should be disabled. Possible values: True False Related options: enable_v1_registry enable_v2_api
`enable_v1_registry = True`	boolean value	Deploy the v1 API Registry service. When this option is set to `True`, the Registry service will be enabled in Glance for v1 API requests. NOTES: Use of Registry is mandatory in v1 API, so this option must be set to `True` if the `enable_v1_api` option is enabled. If deploying only the v2 OpenStack Images API, this option, which is enabled by default, should be disabled. Possible values: True False Related options: enable_v1_api
`enable_v2_api = True`	boolean value	Deploy the v2 OpenStack Images API. When this option is set to `True`, Glance service will respond to requests on registered endpoints conforming to the v2 OpenStack Images API. NOTES: If this option is disabled, then the `enable_v2_registry` option, which is enabled by default, is also recommended to be disabled. This option is separate from `enable_v1_api`, both v1 and v2 OpenStack Images API can be deployed independent of each other. If deploying only the v1 Images API, this option, which is enabled by default, should be disabled. Possible values: True False Related options: enable_v2_registry enable_v1_api
`enable_v2_registry = True`	boolean value	Deploy the v2 API Registry service. When this option is set to `True`, the Registry service will be enabled in Glance for v2 API requests. NOTES: Use of Registry is optional in v2 API, so this option must only be enabled if both `enable_v2_api` is set to `True` and the `data_api` option is set to `glance.db.registry.api`. If deploying only the v1 OpenStack Images API, this option, which is enabled by default, should be disabled. Possible values: True False Related options: enable_v2_api data_api
`enabled_import_methods = [u'glance-direct', u'web-download']`	list value	List of enabled Image Import Methods Both glance-direct and web-download are enabled by default. Related options: [DEFAULT]/node_staging_uri [DEFAULT]/enable_image_import
`fatal_deprecations = False`	boolean value	Enables or disables fatal status of deprecations.
`image_cache_dir = None`	string value	Base directory for image cache. This is the location where image data is cached and served out of. All cached images are stored directly under this directory. This directory also contains three subdirectories, namely, `incomplete`, `invalid` and `queue`. The `incomplete` subdirectory is the staging area for downloading images. An image is first downloaded to this directory. When the image download is successful it is moved to the base directory. However, if the download fails, the partially downloaded image file is moved to the `invalid` subdirectory. The queue`subdirectory is used for queuing images for download. This is used primarily by the cache-prefetcher, which can be scheduled as a periodic task like cache-pruner and cache-cleaner, to cache images ahead of their usage. Upon receiving the request to cache an image, Glance touches a file in the `queue directory with the image id as the file name. The cache-prefetcher, when running, polls for the files in `queue` directory and starts downloading them in the order they were created. When the download is successful, the zero-sized file is deleted from the `queue` directory. If the download fails, the zero-sized file remains and it’ll be retried the next time cache-prefetcher runs. Possible values: A valid path Related options: `image_cache_sqlite_db`
`image_cache_driver = sqlite`	string value	The driver to use for image cache management. This configuration option provides the flexibility to choose between the different image-cache drivers available. An image-cache driver is responsible for providing the essential functions of image-cache like write images to/read images from cache, track age and usage of cached images, provide a list of cached images, fetch size of the cache, queue images for caching and clean up the cache, etc. The essential functions of a driver are defined in the base class `glance.image_cache.drivers.base.Driver`. All image-cache drivers (existing and prospective) must implement this interface. Currently available drivers are `sqlite` and `xattr`. These drivers primarily differ in the way they store the information about cached images: The `sqlite` driver uses a sqlite database (which sits on every glance node locally) to track the usage of cached images. The `xattr` driver uses the extended attributes of files to store this information. It also requires a filesystem that sets `atime` on the files when accessed. Possible values: sqlite xattr Related options: None
`image_cache_max_size = 10737418240`	integer value	The upper limit on cache size, in bytes, after which the cache-pruner cleans up the image cache. Note This is just a threshold for cache-pruner to act upon. It is NOT a hard limit beyond which the image cache would never grow. In fact, depending on how often the cache-pruner runs and how quickly the cache fills, the image cache can far exceed the size specified here very easily. Hence, care must be taken to appropriately schedule the cache-pruner and in setting this limit. Glance caches an image when it is downloaded. Consequently, the size of the image cache grows over time as the number of downloads increases. To keep the cache size from becoming unmanageable, it is recommended to run the cache-pruner as a periodic task. When the cache pruner is kicked off, it compares the current size of image cache and triggers a cleanup if the image cache grew beyond the size specified here. After the cleanup, the size of cache is less than or equal to size specified here. Possible values: Any non-negative integer Related options: None
`image_cache_sqlite_db = cache.db`	string value	The relative path to sqlite file database that will be used for image cache management. This is a relative path to the sqlite file database that tracks the age and usage statistics of image cache. The path is relative to image cache base directory, specified by the configuration option `image_cache_dir`. This is a lightweight database with just one table. Possible values: A valid relative path to sqlite file database Related options: `image_cache_dir`
`image_cache_stall_time = 86400`	integer value	The amount of time, in seconds, an incomplete image remains in the cache. Incomplete images are images for which download is in progress. Please see the description of configuration option `image_cache_dir` for more detail. Sometimes, due to various reasons, it is possible the download may hang and the incompletely downloaded image remains in the `incomplete` directory. This configuration option sets a time limit on how long the incomplete images should remain in the `incomplete` directory before they are cleaned up. Once an incomplete image spends more time than is specified here, it’ll be removed by cache-cleaner on its next run. It is recommended to run cache-cleaner as a periodic task on the Glance API nodes to keep the incomplete images from occupying disk space. Possible values: Any non-negative integer Related options: None
`image_location_quota = 10`	integer value	Maximum number of locations allowed on an image. Any negative value is interpreted as unlimited. Related options: None
`image_member_quota = 128`	integer value	Maximum number of image members per image. This limits the maximum of users an image can be shared with. Any negative value is interpreted as unlimited. Related options: None
`image_property_quota = 128`	integer value	Maximum number of properties allowed on an image. This enforces an upper limit on the number of additional properties an image can have. Any negative value is interpreted as unlimited. Note This won’t have any impact if additional properties are disabled. Please refer to `allow_additional_image_properties`. Related options: `allow_additional_image_properties`
`image_size_cap = 1099511627776`	integer value	Maximum size of image a user can upload in bytes. An image upload greater than the size mentioned here would result in an image creation failure. This configuration option defaults to 1099511627776 bytes (1 TiB). NOTES: This value should only be increased after careful consideration and must be set less than or equal to 8 EiB (9223372036854775808). This value must be set with careful consideration of the backend storage capacity. Setting this to a very low value may result in a large number of image failures. And, setting this to a very large value may result in faster consumption of storage. Hence, this must be set according to the nature of images created and storage capacity available. Possible values: Any positive number less than or equal to 9223372036854775808
`image_tag_quota = 128`	integer value	Maximum number of tags allowed on an image. Any negative value is interpreted as unlimited. Related options: None
`instance_format = [instance: %(uuid)s] `	string value	The format for an instance that is passed with the log message.
`instance_uuid_format = [instance: %(uuid)s] `	string value	The format for an instance UUID that is passed with the log message.
`limit_param_default = 25`	integer value	The default number of results to return for a request. Responses to certain API requests, like list images, may return multiple items. The number of results returned can be explicitly controlled by specifying the `limit` parameter in the API request. However, if a `limit` parameter is not specified, this configuration value will be used as the default number of results to be returned for any API request. NOTES: The value of this configuration option may not be greater than the value specified by `api_limit_max`. Setting this to a very large value may slow down database queries and increase response times. Setting this to a very low value may result in poor user experience. Possible values: Any positive integer Related options: api_limit_max
`log-config-append = None`	string value	The name of a logging configuration file. This file is appended to any existing logging configuration files. For details about logging configuration files, see the Python logging module documentation. Note that when logging configuration files are used then all logging configuration is set in the configuration file and other logging configuration options are ignored (for example, logging_context_format_string).
`log-date-format = %Y-%m-%d %H:%M:%S`	string value	Defines the format string for %%(asctime)s in log records. Default: %(default)s . This option is ignored if log_config_append is set.
`log-dir = None`	string value	(Optional) The base directory used for relative log_file paths. This option is ignored if log_config_append is set.
`log-file = None`	string value	(Optional) Name of log file to send logging output to. If no default is set, logging will go to stderr as defined by use_stderr. This option is ignored if log_config_append is set.
`logging_context_format_string = %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [%(request_id)s %(user_identity)s] %(instance)s%(message)s`	string value	Format string to use for log messages with context.
`logging_debug_format_suffix = %(funcName)s %(pathname)s:%(lineno)d`	string value	Additional data to append to log message when logging level for the message is DEBUG.
`logging_default_format_string = %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [-] %(instance)s%(message)s`	string value	Format string to use for log messages when context is undefined.
`logging_exception_prefix = %(asctime)s.%(msecs)03d %(process)d ERROR %(name)s %(instance)s`	string value	Prefix each line of exception output with this format.
`logging_user_identity_format = %(user)s %(tenant)s %(domain)s %(user_domain)s %(project_domain)s`	string value	Defines the format string for %(user_identity)s that is used in logging_context_format_string.
`metadata_encryption_key = None`	string value	AES key for encrypting store location metadata. Provide a string value representing the AES cipher to use for encrypting Glance store metadata. Note The AES key to use must be set to a random string of length 16, 24 or 32 bytes. Possible values: String value representing a valid AES key Related options: None
`node_staging_uri = file:///tmp/staging/`	string value	The URL provides location where the temporary data will be stored This option is for Glance internal use only. Glance will save the image data uploaded by the user to staging endpoint during the image import process. This option does not change the staging API endpoint by any means. Note It is discouraged to use same path as [task]/work_dir Note file://<absolute-directory-path> is the only option api_image_import flow will support for now. Note The staging path must be on shared filesystem available to all Glance API nodes. Possible values: String starting with file:// followed by absolute FS path Related options: [task]/work_dir [DEFAULT]/enable_image_import (deprecated)
`publish_errors = False`	boolean value	Enables or disables publication of error events.
`pydev_worker_debug_host = None`	unknown value	Host address of the pydev server. Provide a string value representing the hostname or IP of the pydev server to use for debugging. The pydev server listens for debug connections on this address, facilitating remote debugging in Glance. Possible values: Valid hostname Valid IP address Related options: None
`pydev_worker_debug_port = 5678`	port value	Port number that the pydev server will listen on. Provide a port number to bind the pydev server to. The pydev process accepts debug connections on this port and facilitates remote debugging in Glance. Possible values: A valid port number Related options: None
`rate_limit_burst = 0`	integer value	Maximum number of logged messages per rate_limit_interval.
`rate_limit_except_level = CRITICAL`	string value	Log level name used by rate limiting: CRITICAL, ERROR, INFO, WARNING, DEBUG or empty string. Logs with level greater or equal to rate_limit_except_level are not filtered. An empty string means that all levels are filtered.
`rate_limit_interval = 0`	integer value	Interval, number of seconds, of log rate limiting.
`registry_client_ca_file = None`	string value	Absolute path to the Certificate Authority file. Provide a string value representing a valid absolute path to the certificate authority file to use for establishing a secure connection to the registry server. Note This option must be set if `registry_client_protocol` is set to `https`. Alternatively, the GLANCE_CLIENT_CA_FILE environment variable may be set to a filepath of the CA file. This option is ignored if the `registry_client_insecure` option is set to `True`. Possible values: String value representing a valid absolute path to the CA file. Related options: registry_client_protocol registry_client_insecure
`registry_client_cert_file = None`	string value	Absolute path to the certificate file. Provide a string value representing a valid absolute path to the certificate file to use for establishing a secure connection to the registry server. Note This option must be set if `registry_client_protocol` is set to `https`. Alternatively, the GLANCE_CLIENT_CERT_FILE environment variable may be set to a filepath of the certificate file. Possible values: String value representing a valid absolute path to the certificate file. Related options: registry_client_protocol
`registry_client_insecure = False`	boolean value	Set verification of the registry server certificate. Provide a boolean value to determine whether or not to validate SSL connections to the registry server. By default, this option is set to `False` and the SSL connections are validated. If set to `True`, the connection to the registry server is not validated via a certifying authority and the `registry_client_ca_file` option is ignored. This is the registry’s equivalent of specifying --insecure on the command line using glanceclient for the API. Possible values: True False Related options: registry_client_protocol registry_client_ca_file
`registry_client_key_file = None`	string value	Absolute path to the private key file. Provide a string value representing a valid absolute path to the private key file to use for establishing a secure connection to the registry server. Note This option must be set if `registry_client_protocol` is set to `https`. Alternatively, the GLANCE_CLIENT_KEY_FILE environment variable may be set to a filepath of the key file. Possible values: String value representing a valid absolute path to the key file. Related options: registry_client_protocol
`registry_client_protocol = http`	string value	Protocol to use for communication with the registry server. Provide a string value representing the protocol to use for communication with the registry server. By default, this option is set to `http` and the connection is not secure. This option can be set to `https` to establish a secure connection to the registry server. In this case, provide a key to use for the SSL connection using the `registry_client_key_file` option. Also include the CA file and cert file using the options `registry_client_ca_file` and `registry_client_cert_file` respectively. Possible values: http https Related options: registry_client_key_file registry_client_cert_file registry_client_ca_file
`registry_client_timeout = 600`	integer value	Timeout value for registry requests. Provide an integer value representing the period of time in seconds that the API server will wait for a registry request to complete. The default value is 600 seconds. A value of 0 implies that a request will never timeout. Possible values: Zero Positive integer Related options: None
`registry_host = 0.0.0.0`	unknown value	Address the registry server is hosted on. Possible values: A valid IP or hostname Related options: None
`registry_port = 9191`	port value	Port the registry server is listening on. Possible values: A valid port number Related options: None
`show_image_direct_url = False`	boolean value	Show direct image location when returning an image. This configuration option indicates whether to show the direct image location when returning image details to the user. The direct image location is where the image data is stored in backend storage. This image location is shown under the image property `direct_url`. When multiple image locations exist for an image, the best location is displayed based on the location strategy indicated by the configuration option `location_strategy`. NOTES: Revealing image locations can present a GRAVE SECURITY RISK as image locations can sometimes include credentials. Hence, this is set to `False` by default. Set this to `True` with EXTREME CAUTION and ONLY IF you know what you are doing! If an operator wishes to avoid showing any image location(s) to the user, then both this option and `show_multiple_locations` MUST be set to `False`. Possible values: True False Related options: show_multiple_locations location_strategy
`show_multiple_locations = False`	boolean value	Show all image locations when returning an image. This configuration option indicates whether to show all the image locations when returning image details to the user. When multiple image locations exist for an image, the locations are ordered based on the location strategy indicated by the configuration opt `location_strategy`. The image locations are shown under the image property `locations`. NOTES: Revealing image locations can present a GRAVE SECURITY RISK as image locations can sometimes include credentials. Hence, this is set to `False` by default. Set this to `True` with EXTREME CAUTION and ONLY IF you know what you are doing! See https://wiki.openstack.org/wiki/OSSN/OSSN-0065 for more information. If an operator wishes to avoid showing any image location(s) to the user, then both this option and `show_image_direct_url` MUST be set to `False`. Possible values: True False Related options: show_image_direct_url location_strategy
`syslog-log-facility = LOG_USER`	string value	Syslog facility to receive log lines. This option is ignored if log_config_append is set.
`use-journal = False`	boolean value	Enable journald for logging. If running in a systemd environment you may wish to enable journal support. Doing so will use the journal native protocol which includes structured metadata in addition to log messages.This option is ignored if log_config_append is set.
`use-json = False`	boolean value	Use JSON formatting for logging. This option is ignored if log_config_append is set.
`use-syslog = False`	boolean value	Use syslog for logging. Existing syslog format is DEPRECATED and will be changed later to honor RFC5424. This option is ignored if log_config_append is set.
`use_stderr = False`	boolean value	Log output to standard error. This option is ignored if log_config_append is set.
`use_user_token = True`	boolean value	Whether to pass through the user token when making requests to the registry. To prevent failures with token expiration during big files upload, it is recommended to set this parameter to False.If "use_user_token" is not in effect, then admin credentials can be specified.
`user_storage_quota = 0`	string value	Maximum amount of image storage per tenant. This enforces an upper limit on the cumulative storage consumed by all images of a tenant across all stores. This is a per-tenant limit. The default unit for this configuration option is Bytes. However, storage units can be specified using case-sensitive literals `B`, `KB`, `MB`, `GB` and `TB` representing Bytes, KiloBytes, MegaBytes, GigaBytes and TeraBytes respectively. Note that there should not be any space between the value and unit. Value `0` signifies no quota enforcement. Negative values are invalid and result in errors. Possible values: A string that is a valid concatenation of a non-negative integer representing the storage value and an optional string literal representing storage units as mentioned above. Related options: None
`watch-log-file = False`	boolean value	Uses logging handler designed to watch file system. When log file is moved or removed this handler will open a new log file with specified path instantaneously. It makes sense only if log_file option is specified and Linux platform is used. This option is ignored if log_config_append is set.

5.4.2. glance_store

The following table outlines the options available under the [glance_store] group in the /etc/glance/glance-cache.conf file.

Table 5.39. glance_store
Configuration option = Default value	Type	Description
`cinder_api_insecure = False`	boolean value	Allow to perform insecure SSL requests to cinder. If this option is set to True, HTTPS endpoint connection is verified using the CA certificates file specified by `cinder_ca_certificates_file` option. Possible values: True False Related options: cinder_ca_certificates_file
`cinder_ca_certificates_file = None`	string value	Location of a CA certificates file used for cinder client requests. The specified CA certificates file, if set, is used to verify cinder connections via HTTPS endpoint. If the endpoint is HTTP, this value is ignored. `cinder_api_insecure` must be set to `True` to enable the verification. Possible values: Path to a ca certificates file Related options: cinder_api_insecure
`cinder_catalog_info = volumev2::publicURL`	string value	Information to match when looking for cinder in the service catalog. When the `cinder_endpoint_template` is not set and any of `cinder_store_auth_address`, `cinder_store_user_name`, `cinder_store_project_name`, `cinder_store_password` is not set, cinder store uses this information to lookup cinder endpoint from the service catalog in the current context. `cinder_os_region_name`, if set, is taken into consideration to fetch the appropriate endpoint. The service catalog can be listed by the `openstack catalog list` command. Possible values: A string of of the following form: `<service_type>:<service_name>:<interface>` At least `service_type` and `interface` should be specified. `service_name` can be omitted. Related options: cinder_os_region_name cinder_endpoint_template cinder_store_auth_address cinder_store_user_name cinder_store_project_name cinder_store_password
`cinder_endpoint_template = None`	string value	Override service catalog lookup with template for cinder endpoint. When this option is set, this value is used to generate cinder endpoint, instead of looking up from the service catalog. This value is ignored if `cinder_store_auth_address`, `cinder_store_user_name`, `cinder_store_project_name`, and `cinder_store_password` are specified. If this configuration option is set, `cinder_catalog_info` will be ignored. Possible values: URL template string for cinder endpoint, where `%%(tenant)s` is replaced with the current tenant (project) name. For example: `http://cinder.openstack.example.org/v2/%%(tenant)s` Related options: cinder_store_auth_address cinder_store_user_name cinder_store_project_name cinder_store_password cinder_catalog_info
`cinder_http_retries = 3`	integer value	Number of cinderclient retries on failed http calls. When a call failed by any errors, cinderclient will retry the call up to the specified times after sleeping a few seconds. Possible values: A positive integer Related options: None
`cinder_os_region_name = None`	string value	Region name to lookup cinder service from the service catalog. This is used only when `cinder_catalog_info` is used for determining the endpoint. If set, the lookup for cinder endpoint by this node is filtered to the specified region. It is useful when multiple regions are listed in the catalog. If this is not set, the endpoint is looked up from every region. Possible values: A string that is a valid region name. Related options: cinder_catalog_info
`cinder_state_transition_timeout = 300`	integer value	Time period, in seconds, to wait for a cinder volume transition to complete. When the cinder volume is created, deleted, or attached to the glance node to read/write the volume data, the volume’s state is changed. For example, the newly created volume status changes from `creating` to `available` after the creation process is completed. This specifies the maximum time to wait for the status change. If a timeout occurs while waiting, or the status is changed to an unexpected value (e.g. `error`), the image creation fails. Possible values: A positive integer Related options: None
`cinder_store_auth_address = None`	string value	The address where the cinder authentication service is listening. When all of `cinder_store_auth_address`, `cinder_store_user_name`, `cinder_store_project_name`, and `cinder_store_password` options are specified, the specified values are always used for the authentication. This is useful to hide the image volumes from users by storing them in a project/tenant specific to the image service. It also enables users to share the image volume among other projects under the control of glance’s ACL. If either of these options are not set, the cinder endpoint is looked up from the service catalog, and current context’s user and project are used. Possible values: A valid authentication service address, for example: `http://openstack.example.org/identity/v2.0` Related options: cinder_store_user_name cinder_store_password cinder_store_project_name
`cinder_store_password = None`	string value	Password for the user authenticating against cinder. This must be used with all the following related options. If any of these are not specified, the user of the current context is used. Possible values: A valid password for the user specified by `cinder_store_user_name` Related options: cinder_store_auth_address cinder_store_user_name cinder_store_project_name
`cinder_store_project_name = None`	string value	Project name where the image volume is stored in cinder. If this configuration option is not set, the project in current context is used. This must be used with all the following related options. If any of these are not specified, the project of the current context is used. Possible values: A valid project name Related options: `cinder_store_auth_address` `cinder_store_user_name` `cinder_store_password`
`cinder_store_user_name = None`	string value	User name to authenticate against cinder. This must be used with all the following related options. If any of these are not specified, the user of the current context is used. Possible values: A valid user name Related options: cinder_store_auth_address cinder_store_password cinder_store_project_name
`cinder_volume_type = None`	string value	Volume type that will be used for volume creation in cinder. Some cinder backends can have several volume types to optimize storage usage. Adding this option allows an operator to choose a specific volume type in cinder that can be optimized for images. If this is not set, then the default volume type specified in the cinder configuration will be used for volume creation. Possible values: A valid volume type from cinder Related options: None
`default_store = file`	string value	The default scheme to use for storing images. Provide a string value representing the default scheme to use for storing images. If not set, Glance uses `file` as the default scheme to store images with the `file` store. Note The value given for this configuration option must be a valid scheme for a store registered with the `stores` configuration option. Possible values: file filesystem http https swift swift+http swift+https swift+config rbd sheepdog cinder vsphere Related Options: stores
`default_swift_reference = ref1`	string value	Reference to default Swift account/backing store parameters. Provide a string value representing a reference to the default set of parameters required for using swift account/backing store for image storage. The default reference value for this configuration option is ref1. This configuration option dereferences the parameters and facilitates image storage in Swift storage backend every time a new image is added. Possible values: A valid string value Related options: None
`filesystem_store_datadir = /var/lib/glance/images`	string value	Directory to which the filesystem backend store writes images. Upon start up, Glance creates the directory if it doesn’t already exist and verifies write access to the user under which `glance-api` runs. If the write access isn’t available, a `BadStoreConfiguration` exception is raised and the filesystem store may not be available for adding new images. Note This directory is used only when filesystem store is used as a storage backend. Either `filesystem_store_datadir` or `filesystem_store_datadirs` option must be specified in `glance-api.conf`. If both options are specified, a `BadStoreConfiguration` will be raised and the filesystem store may not be available for adding new images. Possible values: A valid path to a directory Related options: `filesystem_store_datadirs` `filesystem_store_file_perm`
`filesystem_store_datadirs = None`	multi valued	List of directories and their priorities to which the filesystem backend store writes images. The filesystem store can be configured to store images in multiple directories as opposed to using a single directory specified by the `filesystem_store_datadir` configuration option. When using multiple directories, each directory can be given an optional priority to specify the preference order in which they should be used. Priority is an integer that is concatenated to the directory path with a colon where a higher value indicates higher priority. When two directories have the same priority, the directory with most free space is used. When no priority is specified, it defaults to zero. More information on configuring filesystem store with multiple store directories can be found at http://docs.openstack.org/developer/glance/configuring.html Note This directory is used only when filesystem store is used as a storage backend. Either `filesystem_store_datadir` or `filesystem_store_datadirs` option must be specified in `glance-api.conf`. If both options are specified, a `BadStoreConfiguration` will be raised and the filesystem store may not be available for adding new images. Possible values: List of strings of the following form: `<a valid directory path>:<optional integer priority>` Related options: `filesystem_store_datadir` `filesystem_store_file_perm`
`filesystem_store_file_perm = 0`	integer value	File access permissions for the image files. Set the intended file access permissions for image data. This provides a way to enable other services, e.g. Nova, to consume images directly from the filesystem store. The users running the services that are intended to be given access to could be made a member of the group that owns the files created. Assigning a value less then or equal to zero for this configuration option signifies that no changes be made to the default permissions. This value will be decoded as an octal digit. For more information, please refer the documentation at http://docs.openstack.org/developer/glance/configuring.html Possible values: A valid file access permission Zero Any negative integer Related options: None
`filesystem_store_metadata_file = None`	string value	Filesystem store metadata file. The path to a file which contains the metadata to be returned with any location associated with the filesystem store. The file must contain a valid JSON object. The object should contain the keys `id` and `mountpoint`. The value for both keys should be a string. Possible values: A valid path to the store metadata file Related options: None
`http_proxy_information = {}`	dict value	The http/https proxy information to be used to connect to the remote server. This configuration option specifies the http/https proxy information that should be used to connect to the remote server. The proxy information should be a key value pair of the scheme and proxy, for example, http:10.0.0.1:3128. You can also specify proxies for multiple schemes by separating the key value pairs with a comma, for example, http:10.0.0.1:3128, https:10.0.0.1:1080. Possible values: A comma separated list of scheme:proxy pairs as described above Related options: None
`https_ca_certificates_file = None`	string value	Path to the CA bundle file. This configuration option enables the operator to use a custom Certificate Authority file to verify the remote server certificate. If this option is set, the `https_insecure` option will be ignored and the CA file specified will be used to authenticate the server certificate and establish a secure connection to the server. Possible values: A valid path to a CA file Related options: https_insecure
`https_insecure = True`	boolean value	Set verification of the remote server certificate. This configuration option takes in a boolean value to determine whether or not to verify the remote server certificate. If set to True, the remote server certificate is not verified. If the option is set to False, then the default CA truststore is used for verification. This option is ignored if `https_ca_certificates_file` is set. The remote server certificate will then be verified using the file specified using the `https_ca_certificates_file` option. Possible values: True False Related options: https_ca_certificates_file
`rados_connect_timeout = 0`	integer value	Timeout value for connecting to Ceph cluster. This configuration option takes in the timeout value in seconds used when connecting to the Ceph cluster i.e. it sets the time to wait for glance-api before closing the connection. This prevents glance-api hangups during the connection to RBD. If the value for this option is set to less than or equal to 0, no timeout is set and the default librados value is used. Possible Values: Any integer value Related options: None
`rbd_store_ceph_conf = /etc/ceph/ceph.conf`	string value	Ceph configuration file path. This configuration option takes in the path to the Ceph configuration file to be used. If the value for this option is not set by the user or is set to None, librados will locate the default configuration file which is located at /etc/ceph/ceph.conf. If using Cephx authentication, this file should include a reference to the right keyring in a client.<USER> section Possible Values: A valid path to a configuration file Related options: rbd_store_user
`rbd_store_chunk_size = 8`	integer value	Size, in megabytes, to chunk RADOS images into. Provide an integer value representing the size in megabytes to chunk Glance images into. The default chunk size is 8 megabytes. For optimal performance, the value should be a power of two. When Ceph’s RBD object storage system is used as the storage backend for storing Glance images, the images are chunked into objects of the size set using this option. These chunked objects are then stored across the distributed block data store to use for Glance. Possible Values: Any positive integer value Related options: None
`rbd_store_pool = images`	string value	RADOS pool in which images are stored. When RBD is used as the storage backend for storing Glance images, the images are stored by means of logical grouping of the objects (chunks of images) into a `pool`. Each pool is defined with the number of placement groups it can contain. The default pool that is used is images. More information on the RBD storage backend can be found here: http://ceph.com/planet/how-data-is-stored-in-ceph-cluster/ Possible Values: A valid pool name Related options: None
`rbd_store_user = None`	string value	RADOS user to authenticate as. This configuration option takes in the RADOS user to authenticate as. This is only needed when RADOS authentication is enabled and is applicable only if the user is using Cephx authentication. If the value for this option is not set by the user or is set to None, a default value will be chosen, which will be based on the client. section in rbd_store_ceph_conf. Possible Values: A valid RADOS user Related options: rbd_store_ceph_conf
`rootwrap_config = /etc/glance/rootwrap.conf`	string value	Path to the rootwrap configuration file to use for running commands as root. The cinder store requires root privileges to operate the image volumes (for connecting to iSCSI/FC volumes and reading/writing the volume data, etc.). The configuration file should allow the required commands by cinder store and os-brick library. Possible values: Path to the rootwrap config file Related options: None
`sheepdog_store_address = 127.0.0.1`	unknown value	Address to bind the Sheepdog daemon to. Provide a string value representing the address to bind the Sheepdog daemon to. The default address set for the sheep is 127.0.0.1. The Sheepdog daemon, also called sheep, manages the storage in the distributed cluster by writing objects across the storage network. It identifies and acts on the messages directed to the address set using `sheepdog_store_address` option to store chunks of Glance images. Possible values: A valid IPv4 address A valid IPv6 address A valid hostname Related Options: sheepdog_store_port
`sheepdog_store_chunk_size = 64`	integer value	Chunk size for images to be stored in Sheepdog data store. Provide an integer value representing the size in mebibyte (1048576 bytes) to chunk Glance images into. The default chunk size is 64 mebibytes. When using Sheepdog distributed storage system, the images are chunked into objects of this size and then stored across the distributed data store to use for Glance. Chunk sizes, if a power of two, help avoid fragmentation and enable improved performance. Possible values: Positive integer value representing size in mebibytes. Related Options: None
`sheepdog_store_port = 7000`	port value	Port number on which the sheep daemon will listen. Provide an integer value representing a valid port number on which you want the Sheepdog daemon to listen on. The default port is 7000. The Sheepdog daemon, also called sheep, manages the storage in the distributed cluster by writing objects across the storage network. It identifies and acts on the messages it receives on the port number set using `sheepdog_store_port` option to store chunks of Glance images. Possible values: A valid port number (0 to 65535) Related Options: sheepdog_store_address
`store_capabilities_update_min_interval = 0`	integer value	Minimum interval in seconds to execute updating dynamic storage capabilities based on current backend status. Provide an integer value representing time in seconds to set the minimum interval before an update of dynamic storage capabilities for a storage backend can be attempted. Setting `store_capabilities_update_min_interval` does not mean updates occur periodically based on the set interval. Rather, the update is performed at the elapse of this interval set, if an operation of the store is triggered. By default, this option is set to zero and is disabled. Provide an integer value greater than zero to enable this option. Note For more information on store capabilities and their updates, please visit: https://specs.openstack.org/openstack/glance-specs/specs/kilo/store-capabilities.html For more information on setting up a particular store in your deployment and help with the usage of this feature, please contact the storage driver maintainers listed here: http://docs.openstack.org/developer/glance_store/drivers/index.html Possible values: Zero Positive integer Related Options: None
`stores = [u'file', u'http']`	list value	List of enabled Glance stores. Register the storage backends to use for storing disk images as a comma separated list. The default stores enabled for storing disk images with Glance are `file` and `http`. Possible values: A comma separated list that could include: file http swift rbd sheepdog cinder vmware Related Options: default_store
`swift_buffer_on_upload = False`	boolean value	Buffer image segments before upload to Swift. Provide a boolean value to indicate whether or not Glance should buffer image data to disk while uploading to swift. This enables Glance to resume uploads on error. NOTES: When enabling this option, one should take great care as this increases disk usage on the API node. Be aware that depending upon how the file system is configured, the disk space used for buffering may decrease the actual disk space available for the glance image cache. Disk utilization will cap according to the following equation: (`swift_store_large_object_chunk_size` * `workers` * 1000) Possible values: True False Related options: swift_upload_buffer_dir
`swift_store_admin_tenants = []`	list value	List of tenants that will be granted admin access. This is a list of tenants that will be granted read/write access on all Swift containers created by Glance in multi-tenant mode. The default value is an empty list. Possible values: A comma separated list of strings representing UUIDs of Keystone projects/tenants Related options: None
`swift_store_auth_address = None`	string value	The address where the Swift authentication service is listening.
`swift_store_auth_insecure = False`	boolean value	Set verification of the server certificate. This boolean determines whether or not to verify the server certificate. If this option is set to True, swiftclient won’t check for a valid SSL certificate when authenticating. If the option is set to False, then the default CA truststore is used for verification. Possible values: True False Related options: swift_store_cacert
`swift_store_auth_version = 2`	string value	Version of the authentication service to use. Valid versions are 2 and 3 for keystone and 1 (deprecated) for swauth and rackspace.
`swift_store_cacert = None`	string value	Path to the CA bundle file. This configuration option enables the operator to specify the path to a custom Certificate Authority file for SSL verification when connecting to Swift. Possible values: A valid path to a CA file Related options: swift_store_auth_insecure
`swift_store_config_file = None`	string value	Absolute path to the file containing the swift account(s) configurations. Include a string value representing the path to a configuration file that has references for each of the configured Swift account(s)/backing stores. By default, no file path is specified and customized Swift referencing is disabled. Configuring this option is highly recommended while using Swift storage backend for image storage as it avoids storage of credentials in the database. Note Please do not configure this option if you have set `swift_store_multi_tenant` to `True`. Possible values: String value representing an absolute path on the glance-api node Related options: swift_store_multi_tenant
`swift_store_container = glance`	string value	Name of single container to store images/name prefix for multiple containers When a single container is being used to store images, this configuration option indicates the container within the Glance account to be used for storing all images. When multiple containers are used to store images, this will be the name prefix for all containers. Usage of single/multiple containers can be controlled using the configuration option `swift_store_multiple_containers_seed`. When using multiple containers, the containers will be named after the value set for this configuration option with the first N chars of the image UUID as the suffix delimited by an underscore (where N is specified by `swift_store_multiple_containers_seed`). Example: if the seed is set to 3 and swift_store_container = `glance`, then an image with UUID `fdae39a1-bac5-4238-aba4-69bcc726e848` would be placed in the container `glance_fda`. All dashes in the UUID are included when creating the container name but do not count toward the character limit, so when N=10 the container name would be `glance_fdae39a1-ba.` Possible values: If using single container, this configuration option can be any string that is a valid swift container name in Glance’s Swift account If using multiple containers, this configuration option can be any string as long as it satisfies the container naming rules enforced by Swift. The value of `swift_store_multiple_containers_seed` should be taken into account as well. Related options: `swift_store_multiple_containers_seed` `swift_store_multi_tenant` `swift_store_create_container_on_put`
`swift_store_create_container_on_put = False`	boolean value	Create container, if it doesn’t already exist, when uploading image. At the time of uploading an image, if the corresponding container doesn’t exist, it will be created provided this configuration option is set to True. By default, it won’t be created. This behavior is applicable for both single and multiple containers mode. Possible values: True False Related options: None
`swift_store_endpoint = None`	string value	The URL endpoint to use for Swift backend storage. Provide a string value representing the URL endpoint to use for storing Glance images in Swift store. By default, an endpoint is not set and the storage URL returned by `auth` is used. Setting an endpoint with `swift_store_endpoint` overrides the storage URL and is used for Glance image storage. Note The URL should include the path up to, but excluding the container. The location of an object is obtained by appending the container and object to the configured URL. Possible values: String value representing a valid URL path up to a Swift container Related Options: None
`swift_store_endpoint_type = publicURL`	string value	Endpoint Type of Swift service. This string value indicates the endpoint type to use to fetch the Swift endpoint. The endpoint type determines the actions the user will be allowed to perform, for instance, reading and writing to the Store. This setting is only used if swift_store_auth_version is greater than 1. Possible values: publicURL adminURL internalURL Related options: swift_store_endpoint
`swift_store_expire_soon_interval = 60`	integer value	Time in seconds defining the size of the window in which a new token may be requested before the current token is due to expire. Typically, the Swift storage driver fetches a new token upon the expiration of the current token to ensure continued access to Swift. However, some Swift transactions (like uploading image segments) may not recover well if the token expires on the fly. Hence, by fetching a new token before the current token expiration, we make sure that the token does not expire or is close to expiry before a transaction is attempted. By default, the Swift storage driver requests for a new token 60 seconds or less before the current token expiration. Possible values: Zero Positive integer value Related Options: None
`swift_store_key = None`	string value	Auth key for the user authenticating against the Swift authentication service.
`swift_store_large_object_chunk_size = 200`	integer value	The maximum size, in MB, of the segments when image data is segmented. When image data is segmented to upload images that are larger than the limit enforced by the Swift cluster, image data is broken into segments that are no bigger than the size specified by this configuration option. Refer to `swift_store_large_object_size` for more detail. For example: if `swift_store_large_object_size` is 5GB and `swift_store_large_object_chunk_size` is 1GB, an image of size 6.2GB will be segmented into 7 segments where the first six segments will be 1GB in size and the seventh segment will be 0.2GB. Possible values: A positive integer that is less than or equal to the large object limit enforced by Swift cluster in consideration. Related options: `swift_store_large_object_size`
`swift_store_large_object_size = 5120`	integer value	The size threshold, in MB, after which Glance will start segmenting image data. Swift has an upper limit on the size of a single uploaded object. By default, this is 5GB. To upload objects bigger than this limit, objects are segmented into multiple smaller objects that are tied together with a manifest file. For more detail, refer to http://docs.openstack.org/developer/swift/overview_large_objects.html This configuration option specifies the size threshold over which the Swift driver will start segmenting image data into multiple smaller files. Currently, the Swift driver only supports creating Dynamic Large Objects. Note This should be set by taking into account the large object limit enforced by the Swift cluster in consideration. Possible values: A positive integer that is less than or equal to the large object limit enforced by the Swift cluster in consideration. Related options: `swift_store_large_object_chunk_size`
`swift_store_multi_tenant = False`	boolean value	Store images in tenant’s Swift account. This enables multi-tenant storage mode which causes Glance images to be stored in tenant specific Swift accounts. If this is disabled, Glance stores all images in its own account. More details multi-tenant store can be found at https://wiki.openstack.org/wiki/GlanceSwiftTenantSpecificStorage Note If using multi-tenant swift store, please make sure that you do not set a swift configuration file with the swift_store_config_file option. Possible values: True False Related options: swift_store_config_file
`swift_store_multiple_containers_seed = 0`	integer value	Seed indicating the number of containers to use for storing images. When using a single-tenant store, images can be stored in one or more than one containers. When set to 0, all images will be stored in one single container. When set to an integer value between 1 and 32, multiple containers will be used to store images. This configuration option will determine how many containers are created. The total number of containers that will be used is equal to 16^N, so if this config option is set to 2, then 16^2=256 containers will be used to store images. Please refer to `swift_store_container` for more detail on the naming convention. More detail about using multiple containers can be found at https://specs.openstack.org/openstack/glance-specs/specs/kilo/swift-store-multiple-containers.html Note This is used only when swift_store_multi_tenant is disabled. Possible values: A non-negative integer less than or equal to 32 Related options: `swift_store_container` `swift_store_multi_tenant` `swift_store_create_container_on_put`
`swift_store_region = None`	string value	The region of Swift endpoint to use by Glance. Provide a string value representing a Swift region where Glance can connect to for image storage. By default, there is no region set. When Glance uses Swift as the storage backend to store images for a specific tenant that has multiple endpoints, setting of a Swift region with `swift_store_region` allows Glance to connect to Swift in the specified region as opposed to a single region connectivity. This option can be configured for both single-tenant and multi-tenant storage. Note Setting the region with `swift_store_region` is tenant-specific and is necessary `only if` the tenant has multiple endpoints across different regions. Possible values: A string value representing a valid Swift region. Related Options: None
`swift_store_retry_get_count = 0`	integer value	The number of times a Swift download will be retried before the request fails. Provide an integer value representing the number of times an image download must be retried before erroring out. The default value is zero (no retry on a failed image download). When set to a positive integer value, `swift_store_retry_get_count` ensures that the download is attempted this many more times upon a download failure before sending an error message. Possible values: Zero Positive integer value Related Options: None
`swift_store_service_type = object-store`	string value	Type of Swift service to use. Provide a string value representing the service type to use for storing images while using Swift backend storage. The default service type is set to `object-store`. Note If `swift_store_auth_version` is set to 2, the value for this configuration option needs to be `object-store`. If using a higher version of Keystone or a different auth scheme, this option may be modified. Possible values: A string representing a valid service type for Swift storage. Related Options: None
`swift_store_ssl_compression = True`	boolean value	SSL layer compression for HTTPS Swift requests. Provide a boolean value to determine whether or not to compress HTTPS Swift requests for images at the SSL layer. By default, compression is enabled. When using Swift as the backend store for Glance image storage, SSL layer compression of HTTPS Swift requests can be set using this option. If set to False, SSL layer compression of HTTPS Swift requests is disabled. Disabling this option may improve performance for images which are already in a compressed format, for example, qcow2. Possible values: True False Related Options: None
`swift_store_use_trusts = True`	boolean value	Use trusts for multi-tenant Swift store. This option instructs the Swift store to create a trust for each add/get request when the multi-tenant store is in use. Using trusts allows the Swift store to avoid problems that can be caused by an authentication token expiring during the upload or download of data. By default, `swift_store_use_trusts` is set to `True`(use of trusts is enabled). If set to `False`, a user token is used for the Swift connection instead, eliminating the overhead of trust creation. Note This option is considered only when `swift_store_multi_tenant` is set to `True` Possible values: True False Related options: swift_store_multi_tenant
`swift_store_user = None`	string value	The user to authenticate against the Swift authentication service.
`swift_upload_buffer_dir = None`	string value	Directory to buffer image segments before upload to Swift. Provide a string value representing the absolute path to the directory on the glance node where image segments will be buffered briefly before they are uploaded to swift. NOTES: * This is required only when the configuration option `swift_buffer_on_upload` is set to True. * This directory should be provisioned keeping in mind the `swift_store_large_object_chunk_size` and the maximum number of images that could be uploaded simultaneously by a given glance node. Possible values: String value representing an absolute directory path Related options: swift_buffer_on_upload swift_store_large_object_chunk_size
`vmware_api_retry_count = 10`	integer value	The number of VMware API retries. This configuration option specifies the number of times the VMware ESX/VC server API must be retried upon connection related issues or server API call overload. It is not possible to specify retry forever. Possible Values: Any positive integer value Related options: None
`vmware_ca_file = None`	string value	Absolute path to the CA bundle file. This configuration option enables the operator to use a custom Cerificate Authority File to verify the ESX/vCenter certificate. If this option is set, the "vmware_insecure" option will be ignored and the CA file specified will be used to authenticate the ESX/vCenter server certificate and establish a secure connection to the server. Possible Values: Any string that is a valid absolute path to a CA file Related options: vmware_insecure
`vmware_datastores = None`	multi valued	The datastores where the image can be stored. This configuration option specifies the datastores where the image can be stored in the VMWare store backend. This option may be specified multiple times for specifying multiple datastores. The datastore name should be specified after its datacenter path, separated by ":". An optional weight may be given after the datastore name, separated again by ":" to specify the priority. Thus, the required format becomes <datacenter_path>:<datastore_name>:<optional_weight>. When adding an image, the datastore with highest weight will be selected, unless there is not enough free space available in cases where the image size is already known. If no weight is given, it is assumed to be zero and the directory will be considered for selection last. If multiple datastores have the same weight, then the one with the most free space available is selected. Possible Values: Any string of the format: <datacenter_path>:<datastore_name>:<optional_weight> Related options: * None
`vmware_insecure = False`	boolean value	Set verification of the ESX/vCenter server certificate. This configuration option takes a boolean value to determine whether or not to verify the ESX/vCenter server certificate. If this option is set to True, the ESX/vCenter server certificate is not verified. If this option is set to False, then the default CA truststore is used for verification. This option is ignored if the "vmware_ca_file" option is set. In that case, the ESX/vCenter server certificate will then be verified using the file specified using the "vmware_ca_file" option . Possible Values: True False Related options: vmware_ca_file
`vmware_server_host = None`	unknown value	Address of the ESX/ESXi or vCenter Server target system. This configuration option sets the address of the ESX/ESXi or vCenter Server target system. This option is required when using the VMware storage backend. The address can contain an IP address (127.0.0.1) or a DNS name (www.my-domain.com). Possible Values: A valid IPv4 or IPv6 address A valid DNS name Related options: vmware_server_username vmware_server_password
`vmware_server_password = None`	string value	Server password. This configuration option takes the password for authenticating with the VMware ESX/ESXi or vCenter Server. This option is required when using the VMware storage backend. Possible Values: Any string that is a password corresponding to the username specified using the "vmware_server_username" option Related options: vmware_server_host vmware_server_username
`vmware_server_username = None`	string value	Server username. This configuration option takes the username for authenticating with the VMware ESX/ESXi or vCenter Server. This option is required when using the VMware storage backend. Possible Values: Any string that is the username for a user with appropriate privileges Related options: vmware_server_host vmware_server_password
`vmware_store_image_dir = /openstack_glance`	string value	The directory where the glance images will be stored in the datastore. This configuration option specifies the path to the directory where the glance images will be stored in the VMware datastore. If this option is not set, the default directory where the glance images are stored is openstack_glance. Possible Values: Any string that is a valid path to a directory Related options: None
`vmware_task_poll_interval = 5`	integer value	Interval in seconds used for polling remote tasks invoked on VMware ESX/VC server. This configuration option takes in the sleep time in seconds for polling an on-going async task as part of the VMWare ESX/VC server API call. Possible Values: Any positive integer value Related options: None

5.4.3. oslo_policy

The following table outlines the options available under the [oslo_policy] group in the /etc/glance/glance-cache.conf file.

Table 5.40. oslo_policy
Configuration option = Default value	Type	Description
`enforce_scope = False`	boolean value	This option controls whether or not to enforce scope when evaluating policies. If `True`, the scope of the token used in the request is compared to the `scope_types` of the policy being enforced. If the scopes do not match, an `InvalidScope` exception will be raised. If `False`, a message will be logged informing operators that policies are being invoked with mismatching scope.
`policy_default_rule = default`	string value	Default rule. Enforced when a requested rule is not found.
`policy_dirs = [u'policy.d']`	multi valued	Directories where policy configuration files are stored. They can be relative to any directory in the search path defined by the config_dir option, or absolute paths. The file defined by policy_file must exist for these directories to be searched. Missing or empty directories are ignored.
`policy_file = policy.json`	string value	The file that defines policies.
`remote_content_type = application/x-www-form-urlencoded`	string value	Content Type to send and receive data for REST based policy check
`remote_ssl_ca_crt_file = None`	string value	Absolute path to ca cert file for REST based policy check
`remote_ssl_client_crt_file = None`	string value	Absolute path to client cert for REST based policy check
`remote_ssl_client_key_file = None`	string value	Absolute path client key file REST based policy check
`remote_ssl_verify_server_crt = False`	boolean value	server identity verification for REST based policy check

Chapter 6. heat

The following chapter contains information about the configuration options in the heat service.

6.1. heat.conf

This section contains options for the /etc/heat/heat.conf file.

6.1.1. DEFAULT

The following table outlines the options available under the [DEFAULT] group in the /etc/heat/heat.conf file.

Table 6.1. DEFAULT
Configuration option = Default value	Type	Description
`action_retry_limit = 5`	integer value	Number of times to retry to bring a resource to a non-error state. Set to 0 to disable retries.
`auth_encryption_key = notgood but just long enough i t`	string value	Key used to encrypt authentication info in the database. Length of this key must be 32 characters.
`backdoor_port = None`	string value	Enable eventlet backdoor. Acceptable values are 0, <port>, and <start>:<end>, where 0 results in listening on a random tcp port number; <port> results in listening on the specified port number (and not enabling backdoor if that port is in use); and <start>:<end> results in listening on the smallest unused port number within the specified range of port numbers. The chosen port is displayed in the service’s log file.
`backdoor_socket = None`	string value	Enable eventlet backdoor, using the provided path as a unix socket that can receive connections. This option is mutually exclusive with backdoor_port in that only one should be provided. If both are provided then the existence of this option overrides the usage of that option.
`client_retry_limit = 2`	integer value	Number of times to retry when a client encounters an expected intermittent error. Set to 0 to disable retries.
`cloud_backend = heat.engine.clients.OpenStackClients`	string value	Fully qualified class name to use as a client backend.
`conn_pool_min_size = 2`	integer value	The pool size limit for connections expiration policy
`conn_pool_ttl = 1200`	integer value	The time-to-live in sec of idle connections in the pool
`control_exchange = openstack`	string value	The default exchange under which topics are scoped. May be overridden by an exchange name specified in the transport_url option.
`convergence_engine = True`	boolean value	Enables engine with convergence architecture. All stacks with this option will be created using convergence engine.
`debug = False`	boolean value	If set to true, the logging level will be set to DEBUG instead of the default INFO level.
`default_deployment_signal_transport = CFN_SIGNAL`	string value	Template default for how the server should signal to heat with the deployment output values. CFN_SIGNAL will allow an HTTP POST to a CFN keypair signed URL (requires enabled heat-api-cfn). TEMP_URL_SIGNAL will create a Swift TempURL to be signaled via HTTP PUT (requires object-store endpoint which supports TempURL). HEAT_SIGNAL will allow calls to the Heat API resource-signal using the provided keystone credentials. ZAQAR_SIGNAL will create a dedicated zaqar queue to be signaled using the provided keystone credentials.
default_log_levels = [u'amqp=WARN', u'amqplib=WARN', u'boto=WARN', u'qpid=WARN', u'sqlalchemy=WARN', u'suds=INFO', u'oslo.messaging=INFO', u'oslo_messaging=INFO', u'iso8601=WARN', u'requests.packages.urllib3.connectionpool=WARN', u'urllib3.connectionpool=WARN', u'websocket=WARN', u'requests.packages.urllib3.util.retry=WARN', u'urllib3.util.retry=WARN', u'keystonemiddleware=WARN', u'routes.middleware=WARN', u'stevedore=WARN', u'taskflow=WARN', u'keystoneauth=WARN', u'oslo.cache=INFO', u'dogpile.core.dogpile=INFO']	list value	List of package logging levels in logger=LEVEL pairs. This option is ignored if log_config_append is set.
`default_notification_level = INFO`	string value	Default notification level for outgoingnotifications.
`default_publisher_id = None`	string value	Default publisher_id for outgoing notifications.
`default_software_config_transport = POLL_SERVER_CFN`	string value	Template default for how the server should receive the metadata required for software configuration. POLL_SERVER_CFN will allow calls to the cfn API action DescribeStackResource authenticated with the provided keypair (requires enabled heat-api-cfn). POLL_SERVER_HEAT will allow calls to the Heat API resource-show using the provided keystone credentials (requires keystone v3 API, and configured stack_user_* config options). POLL_TEMP_URL will create and populate a Swift TempURL with metadata for polling (requires object-store endpoint which supports TempURL).ZAQAR_MESSAGE will create a dedicated zaqar queue and post the metadata for polling.
`default_user_data_format = HEAT_CFNTOOLS`	string value	Template default for how the user_data should be formatted for the server. For HEAT_CFNTOOLS, the user_data is bundled as part of the heat-cfntools cloud-init boot configuration data. For RAW the user_data is passed to Nova unmodified. For SOFTWARE_CONFIG user_data is bundled as part of the software config data, and metadata is derived from any associated SoftwareDeployment resources.
`deferred_auth_method = trusts`	string value	Select deferred auth method, stored password or trusts.
`enable_cloud_watch_lite = False`	boolean value	Enable the legacy OS::Heat::CWLiteAlarm resource.
`enable_stack_abandon = False`	boolean value	Enable the preview Stack Abandon feature.
`enable_stack_adopt = False`	boolean value	Enable the preview Stack Adopt feature.
`encrypt_parameters_and_properties = False`	boolean value	Encrypt template parameters that were marked as hidden and also all the resource properties before storing them in database.
`engine_life_check_timeout = 2`	integer value	RPC timeout for the engine liveness check that is used for stack locking.
`environment_dir = /etc/heat/environment.d`	string value	The directory to search for environment files.
`error_wait_time = 240`	integer value	The amount of time in seconds after an error has occurred that tasks may continue to run before being cancelled.
`event_purge_batch_size = 200`	integer value	Controls how many events will be pruned whenever a stack’s events are purged. Set this lower to keep more events at the expense of more frequent purges.
`executor_thread_pool_size = 64`	integer value	Size of executor thread pool when executor is threading or eventlet.
`fatal_deprecations = False`	boolean value	Enables or disables fatal status of deprecations.
`graceful_shutdown_timeout = 60`	integer value	Specify a timeout after which a gracefully shutdown server will exit. Zero value means endless wait.
`heat_metadata_server_url = None`	string value	URL of the Heat metadata server. NOTE: Setting this is only needed if you require instances to use a different endpoint than in the keystone catalog
`heat_stack_user_role = heat_stack_user`	string value	Keystone role for heat template-defined users.
`heat_waitcondition_server_url = None`	string value	URL of the Heat waitcondition server.
`heat_watch_server_url = `	string value	URL of the Heat CloudWatch server.
`hidden_stack_tags = [u'data-processing-cluster']`	list value	Stacks containing these tag names will be hidden. Multiple tags should be given in a comma-delimited list (eg. hidden_stack_tags=hide_me,me_too).
`host = ccsosp-undercloud.usersys.redhat.com`	string value	Name of the engine node. This can be an opaque identifier. It is not necessarily a hostname, FQDN, or IP address.
`instance_connection_https_validate_certificates = 1`	string value	Instance connection to CFN/CW API validate certs if SSL is used.
`instance_connection_is_secure = 0`	string value	Instance connection to CFN/CW API via https.
`instance_format = [instance: %(uuid)s] `	string value	The format for an instance that is passed with the log message.
`instance_uuid_format = [instance: %(uuid)s] `	string value	The format for an instance UUID that is passed with the log message.
`keystone_backend = heat.engine.clients.os.keystone.heat_keystoneclient.KsClientWrapper`	string value	Fully qualified class name to use as a keystone backend.
`loadbalancer_template = None`	string value	Custom template for the built-in loadbalancer nested stack.
`log-config-append = None`	string value	The name of a logging configuration file. This file is appended to any existing logging configuration files. For details about logging configuration files, see the Python logging module documentation. Note that when logging configuration files are used then all logging configuration is set in the configuration file and other logging configuration options are ignored (for example, logging_context_format_string).
`log-date-format = %Y-%m-%d %H:%M:%S`	string value	Defines the format string for %%(asctime)s in log records. Default: %(default)s . This option is ignored if log_config_append is set.
`log-dir = None`	string value	(Optional) The base directory used for relative log_file paths. This option is ignored if log_config_append is set.
`log-file = None`	string value	(Optional) Name of log file to send logging output to. If no default is set, logging will go to stderr as defined by use_stderr. This option is ignored if log_config_append is set.
`log_options = True`	boolean value	Enables or disables logging values of all registered options when starting a service (at DEBUG level).
`logging_context_format_string = %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [%(request_id)s %(user_identity)s] %(instance)s%(message)s`	string value	Format string to use for log messages with context.
`logging_debug_format_suffix = %(funcName)s %(pathname)s:%(lineno)d`	string value	Additional data to append to log message when logging level for the message is DEBUG.
`logging_default_format_string = %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [-] %(instance)s%(message)s`	string value	Format string to use for log messages when context is undefined.
`logging_exception_prefix = %(asctime)s.%(msecs)03d %(process)d ERROR %(name)s %(instance)s`	string value	Prefix each line of exception output with this format.
`logging_user_identity_format = %(user)s %(tenant)s %(domain)s %(user_domain)s %(project_domain)s`	string value	Defines the format string for %(user_identity)s that is used in logging_context_format_string.
`max_events_per_stack = 1000`	integer value	Rough number of maximum events that will be available per stack. Actual number of events can be a bit higher since purge checks take place randomly 200/event_purge_batch_size percent of the time. Older events are deleted when events are purged. Set to 0 for unlimited events per stack.
`max_interface_check_attempts = 10`	integer value	Number of times to check whether an interface has been attached or detached.
`max_json_body_size = 1048576`	integer value	Maximum raw byte size of JSON request body. Should be larger than max_template_size.
`max_nested_stack_depth = 5`	integer value	Maximum depth allowed when using nested stacks.
`max_resources_per_stack = 1000`	integer value	Maximum resources allowed per top-level stack. -1 stands for unlimited.
`max_server_name_length = 53`	integer value	Maximum length of a server name to be used in nova.
`max_stacks_per_tenant = 100`	integer value	Maximum number of stacks any one tenant may have active at one time.
`max_template_size = 524288`	integer value	Maximum raw byte size of any template.
`num_engine_workers = None`	integer value	Number of heat-engine processes to fork and run. Will default to either to 4 or number of CPUs on the host, whichever is greater.
`observe_on_update = False`	boolean value	On update, enables heat to collect existing resource properties from reality and converge to updated template.
`onready = None`	string value	Deprecated.
`periodic_interval = 60`	integer value	Seconds between running periodic tasks.
`plugin_dirs = [u'/usr/lib64/heat', u'/usr/lib/heat', u'/usr/local/lib/heat', u'/usr/local/lib64/heat']`	list value	List of directories to search for plug-ins.
`publish_errors = False`	boolean value	Enables or disables publication of error events.
`rate_limit_burst = 0`	integer value	Maximum number of logged messages per rate_limit_interval.
`rate_limit_except_level = CRITICAL`	string value	Log level name used by rate limiting: CRITICAL, ERROR, INFO, WARNING, DEBUG or empty string. Logs with level greater or equal to rate_limit_except_level are not filtered. An empty string means that all levels are filtered.
`rate_limit_interval = 0`	integer value	Interval, number of seconds, of log rate limiting.
`reauthentication_auth_method = `	string value	Allow reauthentication on token expiry, such that long-running tasks may complete. Note this defeats the expiry of any provided user tokens.
`region_name_for_services = None`	string value	Default region name used to get services endpoints.
`rpc_ack_timeout_base = 15`	integer value	Number of seconds to wait for an ack from a cast/call. After each retry attempt this timeout is multiplied by some specified multiplier.
`rpc_ack_timeout_multiplier = 2`	integer value	Number to multiply base ack timeout by after each retry attempt.
`rpc_backend = rabbit`	string value	The messaging driver to use, defaults to rabbit. Other drivers include amqp and zmq.
`rpc_conn_pool_size = 30`	integer value	Size of RPC connection pool.
`rpc_message_ttl = 300`	integer value	Expiration timeout in seconds of a sent/received message after which it is not tracked anymore by a client/server.
`rpc_poll_timeout = 1`	integer value	The default number of seconds that poll should wait. Poll raises timeout exception when timeout expired.
`rpc_response_timeout = 60`	integer value	Seconds to wait for a response from a call.
`rpc_retry_attempts = 3`	integer value	Default number of message sending attempts in case of any problems occurred: positive value N means at most N retries, 0 means no retries, None or -1 (or any other negative values) mean to retry forever. This option is used only if acknowledgments are enabled.
`rpc_thread_pool_size = 100`	integer value	Maximum number of (green) threads to work concurrently.
`rpc_use_acks = False`	boolean value	Wait for message acknowledgements from receivers. This mechanism works only via proxy without PUB/SUB.
`rpc_zmq_bind_address = *`	string value	ZeroMQ bind address. Should be a wildcard (*), an ethernet interface, or IP. The "host" option should point or resolve to this address.
`rpc_zmq_bind_port_retries = 100`	integer value	Number of retries to find free port number before fail with ZMQBindError.
`rpc_zmq_contexts = 1`	integer value	Number of ZeroMQ contexts, defaults to 1.
`rpc_zmq_host = ccsosp-undercloud.usersys.redhat.com`	string value	Name of this node. Must be a valid hostname, FQDN, or IP address. Must match "host" option, if running Nova.
`rpc_zmq_ipc_dir = /var/run/openstack`	string value	Directory for holding IPC sockets.
`rpc_zmq_matchmaker = redis`	string value	MatchMaker driver.
`rpc_zmq_max_port = 65536`	integer value	Maximal port number for random ports range.
`rpc_zmq_min_port = 49153`	port value	Minimal port number for random ports range.
`rpc_zmq_serialization = json`	string value	Default serialization mechanism for serializing/deserializing outgoing/incoming messages
`rpc_zmq_topic_backlog = None`	integer value	Maximum number of ingress messages to locally buffer per topic. Default is unlimited.
`run_external_periodic_tasks = True`	boolean value	Some periodic tasks can be run in a separate process. Should we run them here?
`stack_action_timeout = 3600`	integer value	Timeout in seconds for stack action (ie. create or update).
`stack_domain_admin = None`	string value	Keystone username, a user with roles sufficient to manage users and projects in the stack_user_domain.
`stack_domain_admin_password = None`	string value	Keystone password for stack_domain_admin user.
`stack_scheduler_hints = False`	boolean value	When this feature is enabled, scheduler hints identifying the heat stack context of a server or volume resource are passed to the configured schedulers in nova and cinder, for creates done using heat resource types OS::Cinder::Volume, OS::Nova::Server, and AWS::EC2::Instance. heat_root_stack_id will be set to the id of the root stack of the resource, heat_stack_id will be set to the id of the resource’s parent stack, heat_stack_name will be set to the name of the resource’s parent stack, heat_path_in_stack will be set to a list of comma delimited strings of stackresourcename and stackname with list[0] being rootstackname, heat_resource_name will be set to the resource’s name, and heat_resource_uuid will be set to the resource’s orchestration id.
`stack_user_domain_id = None`	string value	Keystone domain ID which contains heat template-defined users. If this option is set, stack_user_domain_name option will be ignored.
`stack_user_domain_name = None`	string value	Keystone domain name which contains heat template-defined users. If `stack_user_domain_id` option is set, this option is ignored.
`subscribe_on = []`	list value	List of publisher hosts SubConsumer can subscribe on. This option has higher priority then the default publishers list taken from the matchmaker.
`syslog-log-facility = LOG_USER`	string value	Syslog facility to receive log lines. This option is ignored if log_config_append is set.
`template_dir = /etc/heat/templates`	string value	The directory to search for template files.
`transport_url = None`	string value	The network address and optional user credentials for connecting to the messaging backend, in URL format. The expected format is: driver://[user:pass@]host:port[,[userN:passN@]hostN:portN]/virtual_host?query Example: rabbit://rabbitmq:password@127.0.0.1:5672// For full details on the fields in the URL see the documentation of oslo_messaging.TransportURL at https://docs.openstack.org/oslo.messaging/latest/reference/transport.html
`trusts_delegated_roles = []`	list value	Subset of trustor roles to be delegated to heat. If left unset, all roles of a user will be delegated to heat when creating a stack.
`use-journal = False`	boolean value	Enable journald for logging. If running in a systemd environment you may wish to enable journal support. Doing so will use the journal native protocol which includes structured metadata in addition to log messages.This option is ignored if log_config_append is set.
`use-json = False`	boolean value	Use JSON formatting for logging. This option is ignored if log_config_append is set.
`use-syslog = False`	boolean value	Use syslog for logging. Existing syslog format is DEPRECATED and will be changed later to honor RFC5424. This option is ignored if log_config_append is set.
`use_dynamic_connections = False`	boolean value	This option makes direct connections dynamic or static. It makes sense only with use_router_proxy=False which means to use direct connections for direct message types (ignored otherwise).
`use_pub_sub = False`	boolean value	Use PUB/SUB pattern for fanout methods. PUB/SUB always uses proxy.
`use_router_proxy = False`	boolean value	Use ROUTER remote proxy.
`use_stderr = False`	boolean value	Log output to standard error. This option is ignored if log_config_append is set.
`watch-log-file = False`	boolean value	Uses logging handler designed to watch file system. When log file is moved or removed this handler will open a new log file with specified path instantaneously. It makes sense only if log_file option is specified and Linux platform is used. This option is ignored if log_config_append is set.
`zmq_failover_connections = 2`	integer value	How many additional connections to a host will be made for failover reasons. This option is actual only in dynamic connections mode.
`zmq_immediate = True`	boolean value	This option configures round-robin mode in zmq socket. True means not keeping a queue when server side disconnects. False means to keep queue and messages even if server is disconnected, when the server appears we send all accumulated messages to it.
`zmq_linger = -1`	integer value	Number of seconds to wait before all pending messages will be sent after closing a socket. The default value of -1 specifies an infinite linger period. The value of 0 specifies no linger period. Pending messages shall be discarded immediately when the socket is closed. Positive values specify an upper bound for the linger period.
`zmq_target_expire = 300`	integer value	Expiration timeout in seconds of a name service record about existing target ( < 0 means no timeout).
`zmq_target_update = 180`	integer value	Update period in seconds of a name service record about existing target.
`zmq_tcp_keepalive = -1`	integer value	Enable/disable TCP keepalive (KA) mechanism. The default value of -1 (or any other negative value) means to skip any overrides and leave it to OS default; 0 and 1 (or any other positive value) mean to disable and enable the option respectively.
`zmq_tcp_keepalive_cnt = -1`	integer value	The number of retransmissions to be carried out before declaring that remote end is not available. The default value of -1 (or any other negative value and 0) means to skip any overrides and leave it to OS default.
`zmq_tcp_keepalive_idle = -1`	integer value	The duration between two keepalive transmissions in idle condition. The unit is platform dependent, for example, seconds in Linux, milliseconds in Windows etc. The default value of -1 (or any other negative value and 0) means to skip any overrides and leave it to OS default.
`zmq_tcp_keepalive_intvl = -1`	integer value	The duration between two successive keepalive retransmissions, if acknowledgement to the previous keepalive transmission is not received. The unit is platform dependent, for example, seconds in Linux, milliseconds in Windows etc. The default value of -1 (or any other negative value and 0) means to skip any overrides and leave it to OS default.

6.1.2. auth_password

The following table outlines the options available under the [auth_password] group in the /etc/heat/heat.conf file.

Table 6.2. auth_password
Configuration option = Default value	Type	Description
`allowed_auth_uris = []`	list value	Allowed keystone endpoints for auth_uri when multi_cloud is enabled. At least one endpoint needs to be specified.
`multi_cloud = False`	boolean value	Allow orchestration of multiple clouds.

6.1.3. clients

The following table outlines the options available under the [clients] group in the /etc/heat/heat.conf file.

Table 6.3. clients
Configuration option = Default value	Type	Description
`ca_file = None`	string value	Optional CA cert file to use in SSL connections.
`cert_file = None`	string value	Optional PEM-formatted certificate chain file.
`endpoint_type = publicURL`	string value	Type of endpoint in Identity service catalog to use for communication with the OpenStack service.
`insecure = False`	boolean value	If set, then the server’s certificate will not be verified.
`key_file = None`	string value	Optional PEM-formatted file that contains the private key.

6.1.4. clients_aodh

The following table outlines the options available under the [clients_aodh] group in the /etc/heat/heat.conf file.

Table 6.4. clients_aodh
Configuration option = Default value	Type	Description
`ca_file = None`	string value	Optional CA cert file to use in SSL connections.
`cert_file = None`	string value	Optional PEM-formatted certificate chain file.
`endpoint_type = None`	string value	Type of endpoint in Identity service catalog to use for communication with the OpenStack service.
`insecure = None`	boolean value	If set, then the server’s certificate will not be verified.
`key_file = None`	string value	Optional PEM-formatted file that contains the private key.

6.1.5. clients_barbican

The following table outlines the options available under the [clients_barbican] group in the /etc/heat/heat.conf file.

Table 6.5. clients_barbican
Configuration option = Default value	Type	Description
`ca_file = None`	string value	Optional CA cert file to use in SSL connections.
`cert_file = None`	string value	Optional PEM-formatted certificate chain file.
`endpoint_type = None`	string value	Type of endpoint in Identity service catalog to use for communication with the OpenStack service.
`insecure = None`	boolean value	If set, then the server’s certificate will not be verified.
`key_file = None`	string value	Optional PEM-formatted file that contains the private key.

6.1.6. clients_ceilometer

The following table outlines the options available under the [clients_ceilometer] group in the /etc/heat/heat.conf file.

Table 6.6. clients_ceilometer
Configuration option = Default value	Type	Description
`ca_file = None`	string value	Optional CA cert file to use in SSL connections.
`cert_file = None`	string value	Optional PEM-formatted certificate chain file.
`endpoint_type = None`	string value	Type of endpoint in Identity service catalog to use for communication with the OpenStack service.
`insecure = None`	boolean value	If set, then the server’s certificate will not be verified.
`key_file = None`	string value	Optional PEM-formatted file that contains the private key.

6.1.7. clients_cinder

The following table outlines the options available under the [clients_cinder] group in the /etc/heat/heat.conf file.

Table 6.7. clients_cinder
Configuration option = Default value	Type	Description
`ca_file = None`	string value	Optional CA cert file to use in SSL connections.
`cert_file = None`	string value	Optional PEM-formatted certificate chain file.
`endpoint_type = None`	string value	Type of endpoint in Identity service catalog to use for communication with the OpenStack service.
`http_log_debug = False`	boolean value	Allow client’s debug log output.
`insecure = None`	boolean value	If set, then the server’s certificate will not be verified.
`key_file = None`	string value	Optional PEM-formatted file that contains the private key.

6.1.8. clients_designate

The following table outlines the options available under the [clients_designate] group in the /etc/heat/heat.conf file.

Table 6.8. clients_designate
Configuration option = Default value	Type	Description
`ca_file = None`	string value	Optional CA cert file to use in SSL connections.
`cert_file = None`	string value	Optional PEM-formatted certificate chain file.
`endpoint_type = None`	string value	Type of endpoint in Identity service catalog to use for communication with the OpenStack service.
`insecure = None`	boolean value	If set, then the server’s certificate will not be verified.
`key_file = None`	string value	Optional PEM-formatted file that contains the private key.

6.1.9. clients_glance

The following table outlines the options available under the [clients_glance] group in the /etc/heat/heat.conf file.

Table 6.9. clients_glance
Configuration option = Default value	Type	Description
`ca_file = None`	string value	Optional CA cert file to use in SSL connections.
`cert_file = None`	string value	Optional PEM-formatted certificate chain file.
`endpoint_type = None`	string value	Type of endpoint in Identity service catalog to use for communication with the OpenStack service.
`insecure = None`	boolean value	If set, then the server’s certificate will not be verified.
`key_file = None`	string value	Optional PEM-formatted file that contains the private key.

6.1.10. clients_heat

The following table outlines the options available under the [clients_heat] group in the /etc/heat/heat.conf file.

Table 6.10. clients_heat
Configuration option = Default value	Type	Description
`ca_file = None`	string value	Optional CA cert file to use in SSL connections.
`cert_file = None`	string value	Optional PEM-formatted certificate chain file.
`endpoint_type = None`	string value	Type of endpoint in Identity service catalog to use for communication with the OpenStack service.
`insecure = None`	boolean value	If set, then the server’s certificate will not be verified.
`key_file = None`	string value	Optional PEM-formatted file that contains the private key.
`url = `	string value	Optional heat url in format like http://0.0.0.0:8004/v1/%(tenant_id)s.

6.1.11. clients_keystone

The following table outlines the options available under the [clients_keystone] group in the /etc/heat/heat.conf file.

Table 6.11. clients_keystone
Configuration option = Default value	Type	Description
`auth_uri = `	string value	Unversioned keystone url in format like http://0.0.0.0:5000.
`ca_file = None`	string value	Optional CA cert file to use in SSL connections.
`cert_file = None`	string value	Optional PEM-formatted certificate chain file.
`endpoint_type = None`	string value	Type of endpoint in Identity service catalog to use for communication with the OpenStack service.
`insecure = None`	boolean value	If set, then the server’s certificate will not be verified.
`key_file = None`	string value	Optional PEM-formatted file that contains the private key.

6.1.12. clients_magnum

The following table outlines the options available under the [clients_magnum] group in the /etc/heat/heat.conf file.

Table 6.12. clients_magnum
Configuration option = Default value	Type	Description
`ca_file = None`	string value	Optional CA cert file to use in SSL connections.
`cert_file = None`	string value	Optional PEM-formatted certificate chain file.
`endpoint_type = None`	string value	Type of endpoint in Identity service catalog to use for communication with the OpenStack service.
`insecure = None`	boolean value	If set, then the server’s certificate will not be verified.
`key_file = None`	string value	Optional PEM-formatted file that contains the private key.

6.1.13. clients_manila

The following table outlines the options available under the [clients_manila] group in the /etc/heat/heat.conf file.

Table 6.13. clients_manila
Configuration option = Default value	Type	Description
`ca_file = None`	string value	Optional CA cert file to use in SSL connections.
`cert_file = None`	string value	Optional PEM-formatted certificate chain file.
`endpoint_type = None`	string value	Type of endpoint in Identity service catalog to use for communication with the OpenStack service.
`insecure = None`	boolean value	If set, then the server’s certificate will not be verified.
`key_file = None`	string value	Optional PEM-formatted file that contains the private key.

6.1.14. clients_mistral

The following table outlines the options available under the [clients_mistral] group in the /etc/heat/heat.conf file.

Table 6.14. clients_mistral
Configuration option = Default value	Type	Description
`ca_file = None`	string value	Optional CA cert file to use in SSL connections.
`cert_file = None`	string value	Optional PEM-formatted certificate chain file.
`endpoint_type = None`	string value	Type of endpoint in Identity service catalog to use for communication with the OpenStack service.
`insecure = None`	boolean value	If set, then the server’s certificate will not be verified.
`key_file = None`	string value	Optional PEM-formatted file that contains the private key.

6.1.15. clients_monasca

The following table outlines the options available under the [clients_monasca] group in the /etc/heat/heat.conf file.

Table 6.15. clients_monasca
Configuration option = Default value	Type	Description
`ca_file = None`	string value	Optional CA cert file to use in SSL connections.
`cert_file = None`	string value	Optional PEM-formatted certificate chain file.
`endpoint_type = None`	string value	Type of endpoint in Identity service catalog to use for communication with the OpenStack service.
`insecure = None`	boolean value	If set, then the server’s certificate will not be verified.
`key_file = None`	string value	Optional PEM-formatted file that contains the private key.

6.1.16. clients_neutron

The following table outlines the options available under the [clients_neutron] group in the /etc/heat/heat.conf file.

Table 6.16. clients_neutron
Configuration option = Default value	Type	Description
`ca_file = None`	string value	Optional CA cert file to use in SSL connections.
`cert_file = None`	string value	Optional PEM-formatted certificate chain file.
`endpoint_type = None`	string value	Type of endpoint in Identity service catalog to use for communication with the OpenStack service.
`insecure = None`	boolean value	If set, then the server’s certificate will not be verified.
`key_file = None`	string value	Optional PEM-formatted file that contains the private key.

6.1.17. clients_nova

The following table outlines the options available under the [clients_nova] group in the /etc/heat/heat.conf file.

Table 6.17. clients_nova
Configuration option = Default value	Type	Description
`ca_file = None`	string value	Optional CA cert file to use in SSL connections.
`cert_file = None`	string value	Optional PEM-formatted certificate chain file.
`endpoint_type = None`	string value	Type of endpoint in Identity service catalog to use for communication with the OpenStack service.
`http_log_debug = False`	boolean value	Allow client’s debug log output.
`insecure = None`	boolean value	If set, then the server’s certificate will not be verified.
`key_file = None`	string value	Optional PEM-formatted file that contains the private key.

6.1.18. clients_octavia

The following table outlines the options available under the [clients_octavia] group in the /etc/heat/heat.conf file.

Table 6.18. clients_octavia
Configuration option = Default value	Type	Description
`ca_file = None`	string value	Optional CA cert file to use in SSL connections.
`cert_file = None`	string value	Optional PEM-formatted certificate chain file.
`endpoint_type = None`	string value	Type of endpoint in Identity service catalog to use for communication with the OpenStack service.
`insecure = None`	boolean value	If set, then the server’s certificate will not be verified.
`key_file = None`	string value	Optional PEM-formatted file that contains the private key.

6.1.19. clients_sahara

The following table outlines the options available under the [clients_sahara] group in the /etc/heat/heat.conf file.

Table 6.19. clients_sahara
Configuration option = Default value	Type	Description
`ca_file = None`	string value	Optional CA cert file to use in SSL connections.
`cert_file = None`	string value	Optional PEM-formatted certificate chain file.
`endpoint_type = None`	string value	Type of endpoint in Identity service catalog to use for communication with the OpenStack service.
`insecure = None`	boolean value	If set, then the server’s certificate will not be verified.
`key_file = None`	string value	Optional PEM-formatted file that contains the private key.

6.1.20. clients_senlin

The following table outlines the options available under the [clients_senlin] group in the /etc/heat/heat.conf file.

Table 6.20. clients_senlin
Configuration option = Default value	Type	Description
`ca_file = None`	string value	Optional CA cert file to use in SSL connections.
`cert_file = None`	string value	Optional PEM-formatted certificate chain file.
`endpoint_type = None`	string value	Type of endpoint in Identity service catalog to use for communication with the OpenStack service.
`insecure = None`	boolean value	If set, then the server’s certificate will not be verified.
`key_file = None`	string value	Optional PEM-formatted file that contains the private key.

6.1.21. clients_swift

The following table outlines the options available under the [clients_swift] group in the /etc/heat/heat.conf file.

Table 6.21. clients_swift
Configuration option = Default value	Type	Description
`ca_file = None`	string value	Optional CA cert file to use in SSL connections.
`cert_file = None`	string value	Optional PEM-formatted certificate chain file.
`endpoint_type = None`	string value	Type of endpoint in Identity service catalog to use for communication with the OpenStack service.
`insecure = None`	boolean value	If set, then the server’s certificate will not be verified.
`key_file = None`	string value	Optional PEM-formatted file that contains the private key.

6.1.22. clients_trove

The following table outlines the options available under the [clients_trove] group in the /etc/heat/heat.conf file.

Table 6.22. clients_trove
Configuration option = Default value	Type	Description
`ca_file = None`	string value	Optional CA cert file to use in SSL connections.
`cert_file = None`	string value	Optional PEM-formatted certificate chain file.
`endpoint_type = None`	string value	Type of endpoint in Identity service catalog to use for communication with the OpenStack service.
`insecure = None`	boolean value	If set, then the server’s certificate will not be verified.
`key_file = None`	string value	Optional PEM-formatted file that contains the private key.

6.1.23. clients_zaqar

The following table outlines the options available under the [clients_zaqar] group in the /etc/heat/heat.conf file.

Table 6.23. clients_zaqar
Configuration option = Default value	Type	Description
`ca_file = None`	string value	Optional CA cert file to use in SSL connections.
`cert_file = None`	string value	Optional PEM-formatted certificate chain file.
`endpoint_type = None`	string value	Type of endpoint in Identity service catalog to use for communication with the OpenStack service.
`insecure = None`	boolean value	If set, then the server’s certificate will not be verified.
`key_file = None`	string value	Optional PEM-formatted file that contains the private key.

6.1.24. cors

The following table outlines the options available under the [cors] group in the /etc/heat/heat.conf file.

Table 6.24. cors
Configuration option = Default value	Type	Description
`allow_credentials = True`	boolean value	Indicate that the actual request can include user credentials
`allow_headers = [u'X-Auth-Token', u'X-Identity-Status', u'X-Roles', u'X-Service-Catalog', u'X-User-Id', u'X-Tenant-Id', u'X-OpenStack-Request-ID']`	list value	Indicate which header field names may be used during the actual request.
`allow_methods = [u'GET', u'PUT', u'POST', u'DELETE', u'PATCH']`	list value	Indicate which methods can be used during the actual request.
`allowed_origin = None`	list value	Indicate whether this resource may be shared with the domain received in the requests "origin" header. Format: "<protocol>://<host>[:<port>]", no trailing slash. Example: https://horizon.example.com
`expose_headers = [u'X-Auth-Token', u'X-Subject-Token', u'X-Service-Token', u'X-OpenStack-Request-ID']`	list value	Indicate which headers are safe to expose to the API. Defaults to HTTP Simple Headers.
`max_age = 3600`	integer value	Maximum cache age of CORS preflight requests.

6.1.25. database

The following table outlines the options available under the [database] group in the /etc/heat/heat.conf file.

Table 6.25. database
Configuration option = Default value	Type	Description
`backend = sqlalchemy`	string value	The back end to use for the database.
`connection = None`	string value	The SQLAlchemy connection string to use to connect to the database.
`connection_debug = 0`	integer value	Verbosity of SQL debugging information: 0=None, 100=Everything.
`connection_recycle_time = 3600`	integer value	Connections which have been present in the connection pool longer than this number of seconds will be replaced with a new one the next time they are checked out from the pool.
`connection_trace = False`	boolean value	Add Python stack traces to SQL as comment strings.
`db_inc_retry_interval = True`	boolean value	If True, increases the interval between retries of a database operation up to db_max_retry_interval.
`db_max_retries = 20`	integer value	Maximum retries in case of connection error or deadlock error before error is raised. Set to -1 to specify an infinite retry count.
`db_max_retry_interval = 10`	integer value	If db_inc_retry_interval is set, the maximum seconds between retries of a database operation.
`db_retry_interval = 1`	integer value	Seconds between retries of a database transaction.
`max_overflow = 50`	integer value	If set, use this value for max_overflow with SQLAlchemy.
`max_pool_size = 5`	integer value	Maximum number of SQL connections to keep open in a pool. Setting a value of 0 indicates no limit.
`max_retries = 10`	integer value	Maximum number of database connection retries during startup. Set to -1 to specify an infinite retry count.
`min_pool_size = 1`	integer value	Minimum number of SQL connections to keep open in a pool.
`mysql_enable_ndb = False`	boolean value	If True, transparently enables support for handling MySQL Cluster (NDB).
`mysql_sql_mode = TRADITIONAL`	string value	The SQL mode to be used for MySQL sessions. This option, including the default, overrides any server-set SQL mode. To use whatever SQL mode is set by the server configuration, set this to no value. Example: mysql_sql_mode=
`pool_timeout = None`	integer value	If set, use this value for pool_timeout with SQLAlchemy.
`retry_interval = 10`	integer value	Interval between retries of opening a SQL connection.
`slave_connection = None`	string value	The SQLAlchemy connection string to use to connect to the slave database.
`sqlite_synchronous = True`	boolean value	If True, SQLite uses synchronous mode.
`use_db_reconnect = False`	boolean value	Enable the experimental use of database reconnect on connection lost.

6.1.26. ec2authtoken

The following table outlines the options available under the [ec2authtoken] group in the /etc/heat/heat.conf file.

Table 6.26. ec2authtoken
Configuration option = Default value	Type	Description
`allowed_auth_uris = []`	list value	Allowed keystone endpoints for auth_uri when multi_cloud is enabled. At least one endpoint needs to be specified.
`auth_uri = None`	string value	Authentication Endpoint URI.
`ca_file = None`	string value	Optional CA cert file to use in SSL connections.
`cert_file = None`	string value	Optional PEM-formatted certificate chain file.
`insecure = False`	boolean value	If set, then the server’s certificate will not be verified.
`key_file = None`	string value	Optional PEM-formatted file that contains the private key.
`multi_cloud = False`	boolean value	Allow orchestration of multiple clouds.

6.1.27. eventlet_opts

The following table outlines the options available under the [eventlet_opts] group in the /etc/heat/heat.conf file.

Table 6.27. eventlet_opts
Configuration option = Default value	Type	Description
`client_socket_timeout = 900`	integer value	Timeout for client connections' socket operations. If an incoming connection is idle for this number of seconds it will be closed. A value of 0 means wait forever.
`wsgi_keep_alive = True`	boolean value	If False, closes the client socket connection explicitly.

6.1.28. healthcheck

The following table outlines the options available under the [healthcheck] group in the /etc/heat/heat.conf file.

Table 6.28. healthcheck
Configuration option = Default value	Type	Description
`backends = []`	list value	Additional backends that can perform health checks and report that information back as part of a request.
`detailed = False`	boolean value	Show more detailed information as part of the response
`disable_by_file_path = None`	string value	Check the presence of a file to determine if an application is running on a port. Used by DisableByFileHealthcheck plugin.
`disable_by_file_paths = []`	list value	Check the presence of a file based on a port to determine if an application is running on a port. Expects a "port:path" list of strings. Used by DisableByFilesPortsHealthcheck plugin.
`path = /healthcheck`	string value	The path to respond to healtcheck requests on.

6.1.29. heat_api

The following table outlines the options available under the [heat_api] group in the /etc/heat/heat.conf file.

Table 6.29. heat_api
Configuration option = Default value	Type	Description
`backlog = 4096`	integer value	Number of backlog requests to configure the socket with.
`bind_host = 0.0.0.0`	IP address value	Address to bind the server. Useful when selecting a particular network interface.
`bind_port = 8004`	port value	The port on which the server will listen.
`cert_file = None`	string value	Location of the SSL certificate file to use for SSL mode.
`key_file = None`	string value	Location of the SSL key file to use for enabling SSL mode.
`max_header_line = 16384`	integer value	Maximum line size of message headers to be accepted. max_header_line may need to be increased when using large tokens (typically those generated by the Keystone v3 API with big service catalogs).
`tcp_keepidle = 600`	integer value	The value for the socket option TCP_KEEPIDLE. This is the time in seconds that the connection must be idle before TCP starts sending keepalive probes.
`workers = 0`	integer value	Number of workers for Heat service. Default value 0 means, that service will start number of workers equal number of cores on server.

6.1.30. heat_api_cfn

The following table outlines the options available under the [heat_api_cfn] group in the /etc/heat/heat.conf file.

Table 6.30. heat_api_cfn
Configuration option = Default value	Type	Description
`backlog = 4096`	integer value	Number of backlog requests to configure the socket with.
`bind_host = 0.0.0.0`	IP address value	Address to bind the server. Useful when selecting a particular network interface.
`bind_port = 8000`	port value	The port on which the server will listen.
`cert_file = None`	string value	Location of the SSL certificate file to use for SSL mode.
`key_file = None`	string value	Location of the SSL key file to use for enabling SSL mode.
`max_header_line = 16384`	integer value	Maximum line size of message headers to be accepted. max_header_line may need to be increased when using large tokens (typically those generated by the Keystone v3 API with big service catalogs).
`tcp_keepidle = 600`	integer value	The value for the socket option TCP_KEEPIDLE. This is the time in seconds that the connection must be idle before TCP starts sending keepalive probes.
`workers = 1`	integer value	Number of workers for Heat service.

6.1.31. heat_api_cloudwatch

The following table outlines the options available under the [heat_api_cloudwatch] group in the /etc/heat/heat.conf file.

Table 6.31. heat_api_cloudwatch
Configuration option = Default value	Type	Description
`backlog = 4096`	integer value	Number of backlog requests to configure the socket with.
`bind_host = 0.0.0.0`	IP address value	Address to bind the server. Useful when selecting a particular network interface.
`bind_port = 8003`	port value	The port on which the server will listen.
`cert_file = None`	string value	Location of the SSL certificate file to use for SSL mode.
`key_file = None`	string value	Location of the SSL key file to use for enabling SSL mode.
`max_header_line = 16384`	integer value	Maximum line size of message headers to be accepted. max_header_line may need to be increased when using large tokens (typically those generated by the Keystone v3 API with big service catalogs.)
`tcp_keepidle = 600`	integer value	The value for the socket option TCP_KEEPIDLE. This is the time in seconds that the connection must be idle before TCP starts sending keepalive probes.
`workers = 1`	integer value	Number of workers for Heat service.

6.1.32. keystone_authtoken

The following table outlines the options available under the [keystone_authtoken] group in the /etc/heat/heat.conf file.

Table 6.32. keystone_authtoken
Configuration option = Default value	Type	Description
`auth_section = None`	string value	Config Section from which to load plugin specific options
`auth_type = None`	string value	Authentication type to load
`auth_uri = None`	string value	Complete "public" Identity API endpoint. This endpoint should not be an "admin" endpoint, as it should be accessible by all end users. Unauthenticated clients are redirected to this endpoint to authenticate. Although this endpoint should ideally be unversioned, client support in the wild varies. If you’re using a versioned v2 endpoint here, then this should not be the same endpoint the service user utilizes for validating tokens, because normal end users may not be able to reach that endpoint. This option is deprecated in favor of www_authenticate_uri and will be removed in the S release.
`auth_version = None`	string value	API version of the admin Identity API endpoint.
`cache = None`	string value	Request environment key where the Swift cache object is stored. When auth_token middleware is deployed with a Swift cache, use this option to have the middleware share a caching backend with swift. Otherwise, use the `memcached_servers` option instead.
`cafile = None`	string value	A PEM encoded Certificate Authority to use when verifying HTTPs connections. Defaults to system CAs.
`certfile = None`	string value	Required if identity server requires client certificate
`check_revocations_for_cached = False`	boolean value	If true, the revocation list will be checked for cached tokens. This requires that PKI tokens are configured on the identity server.
`delay_auth_decision = False`	boolean value	Do not handle authorization requests within the middleware, but delegate the authorization decision to downstream WSGI components.
`enforce_token_bind = permissive`	string value	Used to control the use and type of token binding. Can be set to: "disabled" to not check token binding. "permissive" (default) to validate binding information if the bind type is of a form known to the server and ignore it if not. "strict" like "permissive" but if the bind type is unknown the token will be rejected. "required" any form of token binding is needed to be allowed. Finally the name of a binding method that must be present in tokens.
`hash_algorithms = [u'md5']`	list value	Hash algorithms to use for hashing PKI tokens. This may be a single algorithm or multiple. The algorithms are those supported by Python standard hashlib.new(). The hashes will be tried in the order given, so put the preferred one first for performance. The result of the first hash will be stored in the cache. This will typically be set to multiple values only while migrating from a less secure algorithm to a more secure one. Once all the old tokens are expired this option should be set to a single value for better performance.
`http_connect_timeout = None`	integer value	Request timeout value for communicating with Identity API server.
`http_request_max_retries = 3`	integer value	How many times are we trying to reconnect when communicating with Identity API Server.
`include_service_catalog = True`	boolean value	(Optional) Indicate whether to set the X-Service-Catalog header. If False, middleware will not ask for service catalog on token validation and will not set the X-Service-Catalog header.
`insecure = False`	boolean value	Verify HTTPS connections.
`keyfile = None`	string value	Required if identity server requires client certificate
`memcache_pool_conn_get_timeout = 10`	integer value	(Optional) Number of seconds that an operation will wait to get a memcached client connection from the pool.
`memcache_pool_dead_retry = 300`	integer value	(Optional) Number of seconds memcached server is considered dead before it is tried again.
`memcache_pool_maxsize = 10`	integer value	(Optional) Maximum total number of open connections to every memcached server.
`memcache_pool_socket_timeout = 3`	integer value	(Optional) Socket timeout in seconds for communicating with a memcached server.
`memcache_pool_unused_timeout = 60`	integer value	(Optional) Number of seconds a connection to memcached is held unused in the pool before it is closed.
`memcache_secret_key = None`	string value	(Optional, mandatory if memcache_security_strategy is defined) This string is used for key derivation.
`memcache_security_strategy = None`	string value	(Optional) If defined, indicate whether token data should be authenticated or authenticated and encrypted. If MAC, token data is authenticated (with HMAC) in the cache. If ENCRYPT, token data is encrypted and authenticated in the cache. If the value is not one of these options or empty, auth_token will raise an exception on initialization.
`memcache_use_advanced_pool = False`	boolean value	(Optional) Use the advanced (eventlet safe) memcached client pool. The advanced pool will only work under python 2.x.
`memcached_servers = None`	list value	Optionally specify a list of memcached server(s) to use for caching. If left undefined, tokens will instead be cached in-process.
`region_name = None`	string value	The region in which the identity server can be found.
`revocation_cache_time = 10`	integer value	Determines the frequency at which the list of revoked tokens is retrieved from the Identity service (in seconds). A high number of revocation events combined with a low cache duration may significantly reduce performance. Only valid for PKI tokens. This option has been deprecated in the Ocata release and will be removed in the P release.
`service_token_roles = [u'service']`	list value	A choice of roles that must be present in a service token. Service tokens are allowed to request that an expired token can be used and so this check should tightly control that only actual services should be sending this token. Roles here are applied as an ANY check so any role in this list must be present. For backwards compatibility reasons this currently only affects the allow_expired check.
`service_token_roles_required = False`	boolean value	For backwards compatibility reasons we must let valid service tokens pass that don’t pass the service_token_roles check as valid. Setting this true will become the default in a future release and should be enabled if possible.
`signing_dir = None`	string value	Directory used to cache files related to PKI tokens. This option has been deprecated in the Ocata release and will be removed in the P release.
`token_cache_time = 300`	integer value	In order to prevent excessive effort spent validating tokens, the middleware caches previously-seen tokens for a configurable duration (in seconds). Set to -1 to disable caching completely.
`www_authenticate_uri = None`	string value	Complete "public" Identity API endpoint. This endpoint should not be an "admin" endpoint, as it should be accessible by all end users. Unauthenticated clients are redirected to this endpoint to authenticate. Although this endpoint should ideally be unversioned, client support in the wild varies. If you’re using a versioned v2 endpoint here, then this should not be the same endpoint the service user utilizes for validating tokens, because normal end users may not be able to reach that endpoint.

6.1.33. matchmaker_redis

The following table outlines the options available under the [matchmaker_redis] group in the /etc/heat/heat.conf file.

Table 6.33. matchmaker_redis
Configuration option = Default value	Type	Description
`check_timeout = 20000`	integer value	Time in ms to wait before the transaction is killed.
`host = 127.0.0.1`	string value	Host to locate redis.
`password = `	string value	Password for Redis server (optional).
`port = 6379`	port value	Use this port to connect to redis host.
`sentinel_group_name = oslo-messaging-zeromq`	string value	Redis replica set name.
`sentinel_hosts = []`	list value	List of Redis Sentinel hosts (fault tolerance mode), e.g., [host:port, host1:port … ]
`socket_timeout = 10000`	integer value	Timeout in ms on blocking socket operations.
`wait_timeout = 2000`	integer value	Time in ms to wait between connection attempts.

6.1.34. noauth

The following table outlines the options available under the [noauth] group in the /etc/heat/heat.conf file.

Table 6.34. noauth
Configuration option = Default value	Type	Description
`token_response = `	string value	JSON file containing the content returned by the noauth middleware.

6.1.35. oslo_messaging_amqp

The following table outlines the options available under the [oslo_messaging_amqp] group in the /etc/heat/heat.conf file.

Table 6.35. oslo_messaging_amqp
Configuration option = Default value	Type	Description
`addressing_mode = dynamic`	string value	Indicates the addressing mode used by the driver. Permitted values: legacy - use legacy non-routable addressing routable - use routable addresses dynamic - use legacy addresses if the message bus does not support routing otherwise use routable addressing
`allow_insecure_clients = False`	boolean value	Accept clients using either SSL or plain TCP
`anycast_address = anycast`	string value	Appended to the address prefix when sending to a group of consumers. Used by the message bus to identify messages that should be delivered in a round-robin fashion across consumers.
`broadcast_prefix = broadcast`	string value	address prefix used when broadcasting to all servers
`connection_retry_backoff = 2`	integer value	Increase the connection_retry_interval by this many seconds after each unsuccessful failover attempt.
`connection_retry_interval = 1`	integer value	Seconds to pause before attempting to re-connect.
`connection_retry_interval_max = 30`	integer value	Maximum limit for connection_retry_interval + connection_retry_backoff
`container_name = None`	string value	Name for the AMQP container. must be globally unique. Defaults to a generated UUID
`default_notification_exchange = None`	string value	Exchange name used in notification addresses. Exchange name resolution precedence: Target.exchange if set else default_notification_exchange if set else control_exchange if set else notify
`default_notify_timeout = 30`	integer value	The deadline for a sent notification message delivery. Only used when caller does not provide a timeout expiry.
`default_reply_retry = 0`	integer value	The maximum number of attempts to re-send a reply message which failed due to a recoverable error.
`default_reply_timeout = 30`	integer value	The deadline for an rpc reply message delivery.
`default_rpc_exchange = None`	string value	Exchange name used in RPC addresses. Exchange name resolution precedence: Target.exchange if set else default_rpc_exchange if set else control_exchange if set else rpc
`default_send_timeout = 30`	integer value	The deadline for an rpc cast or call message delivery. Only used when caller does not provide a timeout expiry.
`default_sender_link_timeout = 600`	integer value	The duration to schedule a purge of idle sender links. Detach link after expiry.
`group_request_prefix = unicast`	string value	address prefix when sending to any server in group
`idle_timeout = 0`	integer value	Timeout for inactive connections (in seconds)
`link_retry_delay = 10`	integer value	Time to pause between re-connecting an AMQP 1.0 link that failed due to a recoverable error.
`multicast_address = multicast`	string value	Appended to the address prefix when sending a fanout message. Used by the message bus to identify fanout messages.
`notify_address_prefix = openstack.org/om/notify`	string value	Address prefix for all generated Notification addresses
`notify_server_credit = 100`	integer value	Window size for incoming Notification messages
`password = `	string value	Password for message broker authentication
`pre_settled = [u'rpc-cast', u'rpc-reply']`	multi valued	Send messages of this type pre-settled. Pre-settled messages will not receive acknowledgement from the peer. Note well: pre-settled messages may be silently discarded if the delivery fails. Permitted values: rpc-call - send RPC Calls pre-settled rpc-reply- send RPC Replies pre-settled rpc-cast - Send RPC Casts pre-settled notify - Send Notifications pre-settled
`pseudo_vhost = True`	boolean value	Enable virtual host support for those message buses that do not natively support virtual hosting (such as qpidd). When set to true the virtual host name will be added to all message bus addresses, effectively creating a private subnet per virtual host. Set to False if the message bus supports virtual hosting using the hostname field in the AMQP 1.0 Open performative as the name of the virtual host.
`reply_link_credit = 200`	integer value	Window size for incoming RPC Reply messages.
`rpc_address_prefix = openstack.org/om/rpc`	string value	Address prefix for all generated RPC addresses
`rpc_server_credit = 100`	integer value	Window size for incoming RPC Request messages
`sasl_config_dir = `	string value	Path to directory that contains the SASL configuration
`sasl_config_name = `	string value	Name of configuration file (without .conf suffix)
`sasl_default_realm = `	string value	SASL realm to use if no realm present in username
`sasl_mechanisms = `	string value	Space separated list of acceptable SASL mechanisms
`server_request_prefix = exclusive`	string value	address prefix used when sending to a specific server
`ssl = False`	boolean value	Attempt to connect via SSL. If no other ssl-related parameters are given, it will use the system’s CA-bundle to verify the server’s certificate.
`ssl_ca_file = `	string value	CA certificate PEM file used to verify the server’s certificate
`ssl_cert_file = `	string value	Self-identifying certificate PEM file for client authentication
`ssl_key_file = `	string value	Private key PEM file used to sign ssl_cert_file certificate (optional)
`ssl_key_password = None`	string value	Password for decrypting ssl_key_file (if encrypted)
`ssl_verify_vhost = False`	boolean value	By default SSL checks that the name in the server’s certificate matches the hostname in the transport_url. In some configurations it may be preferable to use the virtual hostname instead, for example if the server uses the Server Name Indication TLS extension (rfc6066) to provide a certificate per virtual host. Set ssl_verify_vhost to True if the server’s SSL certificate uses the virtual host name instead of the DNS name.
`trace = False`	boolean value	Debug: dump AMQP frames to stdout
`unicast_address = unicast`	string value	Appended to the address prefix when sending to a particular RPC/Notification server. Used by the message bus to identify messages sent to a single destination.
`username = `	string value	User name for message broker authentication

6.1.36. oslo_messaging_kafka

The following table outlines the options available under the [oslo_messaging_kafka] group in the /etc/heat/heat.conf file.

Table 6.36. oslo_messaging_kafka
Configuration option = Default value	Type	Description
`conn_pool_min_size = 2`	integer value	The pool size limit for connections expiration policy
`conn_pool_ttl = 1200`	integer value	The time-to-live in sec of idle connections in the pool
`consumer_group = oslo_messaging_consumer`	string value	Group id for Kafka consumer. Consumers in one group will coordinate message consumption
`kafka_consumer_timeout = 1.0`	floating point value	Default timeout(s) for Kafka consumers
`kafka_default_host = localhost`	string value	Default Kafka broker Host
`kafka_default_port = 9092`	port value	Default Kafka broker Port
`kafka_max_fetch_bytes = 1048576`	integer value	Max fetch bytes of Kafka consumer
`pool_size = 10`	integer value	Pool Size for Kafka Consumers
`producer_batch_size = 16384`	integer value	Size of batch for the producer async send
`producer_batch_timeout = 0.0`	floating point value	Upper bound on the delay for KafkaProducer batching in seconds

6.1.37. oslo_messaging_notifications

The following table outlines the options available under the [oslo_messaging_notifications] group in the /etc/heat/heat.conf file.

Table 6.37. oslo_messaging_notifications
Configuration option = Default value	Type	Description
`driver = []`	multi valued	The Drivers(s) to handle sending notifications. Possible values are messaging, messagingv2, routing, log, test, noop
`retry = -1`	integer value	The maximum number of attempts to re-send a notification message which failed to be delivered due to a recoverable error. 0 - No retry, -1 - indefinite
`topics = [u'notifications']`	list value	AMQP topic used for OpenStack notifications.
`transport_url = None`	string value	A URL representing the messaging driver to use for notifications. If not set, we fall back to the same configuration used for RPC.

6.1.38. oslo_messaging_rabbit

The following table outlines the options available under the [oslo_messaging_rabbit] group in the /etc/heat/heat.conf file.

Table 6.38. oslo_messaging_rabbit
Configuration option = Default value	Type	Description
`amqp_auto_delete = False`	boolean value	Auto-delete queues in AMQP.
`amqp_durable_queues = False`	boolean value	Use durable queues in AMQP.
`channel_max = None`	integer value	Maximum number of channels to allow
`connection_factory = single`	string value	Connection factory implementation
`default_notification_exchange = ${control_exchange}_notification`	string value	Exchange name for sending notifications
`default_notification_retry_attempts = -1`	integer value	Reconnecting retry count in case of connectivity problem during sending notification, -1 means infinite retry.
`default_rpc_exchange = ${control_exchange}_rpc`	string value	Exchange name for sending RPC messages
`default_rpc_retry_attempts = -1`	integer value	Reconnecting retry count in case of connectivity problem during sending RPC message, -1 means infinite retry. If actual retry attempts in not 0 the rpc request could be processed more than one time
`default_serializer_type = json`	string value	Default serialization mechanism for serializing/deserializing outgoing/incoming messages
`fake_rabbit = False`	boolean value	Deprecated, use rpc_backend=kombu+memory or rpc_backend=fake
`frame_max = None`	integer value	The maximum byte size for an AMQP frame
`heartbeat_interval = 3`	integer value	How often to send heartbeats for consumer’s connections
`heartbeat_rate = 2`	integer value	How often times during the heartbeat_timeout_threshold we check the heartbeat.
`heartbeat_timeout_threshold = 60`	integer value	Number of seconds after which the Rabbit broker is considered down if heartbeat’s keep-alive fails (0 disable the heartbeat). EXPERIMENTAL
`host_connection_reconnect_delay = 0.25`	floating point value	Set delay for reconnection to some host which has connection error
`kombu_compression = None`	string value	EXPERIMENTAL: Possible values are: gzip, bz2. If not set compression will not be used. This option may not be available in future versions.
`kombu_failover_strategy = round-robin`	string value	Determines how the next RabbitMQ node is chosen in case the one we are currently connected to becomes unavailable. Takes effect only if more than one RabbitMQ node is provided in config.
`kombu_missing_consumer_retry_timeout = 60`	integer value	How long to wait a missing client before abandoning to send it its replies. This value should not be longer than rpc_response_timeout.
`kombu_reconnect_delay = 1.0`	floating point value	How long to wait before reconnecting in response to an AMQP consumer cancel notification.
`notification_listener_prefetch_count = 100`	integer value	Max number of not acknowledged message which RabbitMQ can send to notification listener.
`notification_persistence = False`	boolean value	Persist notification messages.
`notification_retry_delay = 0.25`	floating point value	Reconnecting retry delay in case of connectivity problem during sending notification message
`pool_max_overflow = 0`	integer value	Maximum number of connections to create above `pool_max_size`.
`pool_max_size = 30`	integer value	Maximum number of connections to keep queued.
`pool_recycle = 600`	integer value	Lifetime of a connection (since creation) in seconds or None for no recycling. Expired connections are closed on acquire.
`pool_stale = 60`	integer value	Threshold at which inactive (since release) connections are considered stale in seconds or None for no staleness. Stale connections are closed on acquire.
`pool_timeout = 30`	integer value	Default number of seconds to wait for a connections to available
`rabbit_ha_queues = False`	boolean value	Try to use HA queues in RabbitMQ (x-ha-policy: all). If you change this option, you must wipe the RabbitMQ database. In RabbitMQ 3.0, queue mirroring is no longer controlled by the x-ha-policy argument when declaring a queue. If you just want to make sure that all queues (except those with auto-generated names) are mirrored across all nodes, run: "rabbitmqctl set_policy HA ^(?!amq\.).* {"ha-mode": "all"} "
`rabbit_host = localhost`	string value	The RabbitMQ broker address where a single node is used.
`rabbit_hosts = [u'$rabbit_host:$rabbit_port']`	list value	RabbitMQ HA cluster host:port pairs.
`rabbit_interval_max = 30`	integer value	Maximum interval of RabbitMQ connection retries. Default is 30 seconds.
`rabbit_login_method = AMQPLAIN`	string value	The RabbitMQ login method.
`rabbit_max_retries = 0`	integer value	Maximum number of RabbitMQ connection retries. Default is 0 (infinite retry count).
`rabbit_password = guest`	string value	The RabbitMQ password.
`rabbit_port = 5672`	port value	The RabbitMQ broker port where a single node is used.
`rabbit_qos_prefetch_count = 0`	integer value	Specifies the number of messages to prefetch. Setting to zero allows unlimited messages.
`rabbit_retry_backoff = 2`	integer value	How long to backoff for between retries when connecting to RabbitMQ.
`rabbit_retry_interval = 1`	integer value	How frequently to retry connecting with RabbitMQ.
`rabbit_transient_queues_ttl = 1800`	integer value	Positive integer representing duration in seconds for queue TTL (x-expires). Queues which are unused for the duration of the TTL are automatically deleted. The parameter affects only reply and fanout queues.
`rabbit_userid = guest`	string value	The RabbitMQ userid.
`rabbit_virtual_host = /`	string value	The RabbitMQ virtual host.
`rpc_listener_prefetch_count = 100`	integer value	Max number of not acknowledged message which RabbitMQ can send to rpc listener.
`rpc_queue_expiration = 60`	integer value	Time to live for rpc queues without consumers in seconds.
`rpc_reply_exchange = ${control_exchange}_rpc_reply`	string value	Exchange name for receiving RPC replies
`rpc_reply_listener_prefetch_count = 100`	integer value	Max number of not acknowledged message which RabbitMQ can send to rpc reply listener.
`rpc_reply_retry_attempts = -1`	integer value	Reconnecting retry count in case of connectivity problem during sending reply. -1 means infinite retry during rpc_timeout
`rpc_reply_retry_delay = 0.25`	floating point value	Reconnecting retry delay in case of connectivity problem during sending reply.
`rpc_retry_delay = 0.25`	floating point value	Reconnecting retry delay in case of connectivity problem during sending RPC message
`socket_timeout = 0.25`	floating point value	Set socket timeout in seconds for connection’s socket
`ssl = None`	boolean value	Enable SSL
`ssl_ca_file = `	string value	SSL certification authority file (valid only if SSL enabled).
`ssl_cert_file = `	string value	SSL cert file (valid only if SSL enabled).
`ssl_key_file = `	string value	SSL key file (valid only if SSL enabled).
`ssl_options = None`	dict value	Arguments passed to ssl.wrap_socket
`ssl_version = `	string value	SSL version to use (valid only if SSL enabled). Valid values are TLSv1 and SSLv23. SSLv2, SSLv3, TLSv1_1, and TLSv1_2 may be available on some distributions.
`tcp_user_timeout = 0.25`	floating point value	Set TCP_USER_TIMEOUT in seconds for connection’s socket

6.1.39. oslo_messaging_zmq

The following table outlines the options available under the [oslo_messaging_zmq] group in the /etc/heat/heat.conf file.

Table 6.39. oslo_messaging_zmq
Configuration option = Default value	Type	Description
`rpc_ack_timeout_base = 15`	integer value	Number of seconds to wait for an ack from a cast/call. After each retry attempt this timeout is multiplied by some specified multiplier.
`rpc_ack_timeout_multiplier = 2`	integer value	Number to multiply base ack timeout by after each retry attempt.
`rpc_message_ttl = 300`	integer value	Expiration timeout in seconds of a sent/received message after which it is not tracked anymore by a client/server.
`rpc_poll_timeout = 1`	integer value	The default number of seconds that poll should wait. Poll raises timeout exception when timeout expired.
`rpc_retry_attempts = 3`	integer value	Default number of message sending attempts in case of any problems occurred: positive value N means at most N retries, 0 means no retries, None or -1 (or any other negative values) mean to retry forever. This option is used only if acknowledgments are enabled.
`rpc_thread_pool_size = 100`	integer value	Maximum number of (green) threads to work concurrently.
`rpc_use_acks = False`	boolean value	Wait for message acknowledgements from receivers. This mechanism works only via proxy without PUB/SUB.
`rpc_zmq_bind_address = *`	string value	ZeroMQ bind address. Should be a wildcard (*), an ethernet interface, or IP. The "host" option should point or resolve to this address.
`rpc_zmq_bind_port_retries = 100`	integer value	Number of retries to find free port number before fail with ZMQBindError.
`rpc_zmq_contexts = 1`	integer value	Number of ZeroMQ contexts, defaults to 1.
`rpc_zmq_host = ccsosp-undercloud.usersys.redhat.com`	string value	Name of this node. Must be a valid hostname, FQDN, or IP address. Must match "host" option, if running Nova.
`rpc_zmq_ipc_dir = /var/run/openstack`	string value	Directory for holding IPC sockets.
`rpc_zmq_matchmaker = redis`	string value	MatchMaker driver.
`rpc_zmq_max_port = 65536`	integer value	Maximal port number for random ports range.
`rpc_zmq_min_port = 49153`	port value	Minimal port number for random ports range.
`rpc_zmq_serialization = json`	string value	Default serialization mechanism for serializing/deserializing outgoing/incoming messages
`rpc_zmq_topic_backlog = None`	integer value	Maximum number of ingress messages to locally buffer per topic. Default is unlimited.
`subscribe_on = []`	list value	List of publisher hosts SubConsumer can subscribe on. This option has higher priority then the default publishers list taken from the matchmaker.
`use_dynamic_connections = False`	boolean value	This option makes direct connections dynamic or static. It makes sense only with use_router_proxy=False which means to use direct connections for direct message types (ignored otherwise).
`use_pub_sub = False`	boolean value	Use PUB/SUB pattern for fanout methods. PUB/SUB always uses proxy.
`use_router_proxy = False`	boolean value	Use ROUTER remote proxy.
`zmq_failover_connections = 2`	integer value	How many additional connections to a host will be made for failover reasons. This option is actual only in dynamic connections mode.
`zmq_immediate = True`	boolean value	This option configures round-robin mode in zmq socket. True means not keeping a queue when server side disconnects. False means to keep queue and messages even if server is disconnected, when the server appears we send all accumulated messages to it.
`zmq_linger = -1`	integer value	Number of seconds to wait before all pending messages will be sent after closing a socket. The default value of -1 specifies an infinite linger period. The value of 0 specifies no linger period. Pending messages shall be discarded immediately when the socket is closed. Positive values specify an upper bound for the linger period.
`zmq_target_expire = 300`	integer value	Expiration timeout in seconds of a name service record about existing target ( < 0 means no timeout).
`zmq_target_update = 180`	integer value	Update period in seconds of a name service record about existing target.
`zmq_tcp_keepalive = -1`	integer value	Enable/disable TCP keepalive (KA) mechanism. The default value of -1 (or any other negative value) means to skip any overrides and leave it to OS default; 0 and 1 (or any other positive value) mean to disable and enable the option respectively.
`zmq_tcp_keepalive_cnt = -1`	integer value	The number of retransmissions to be carried out before declaring that remote end is not available. The default value of -1 (or any other negative value and 0) means to skip any overrides and leave it to OS default.
`zmq_tcp_keepalive_idle = -1`	integer value	The duration between two keepalive transmissions in idle condition. The unit is platform dependent, for example, seconds in Linux, milliseconds in Windows etc. The default value of -1 (or any other negative value and 0) means to skip any overrides and leave it to OS default.
`zmq_tcp_keepalive_intvl = -1`	integer value	The duration between two successive keepalive retransmissions, if acknowledgement to the previous keepalive transmission is not received. The unit is platform dependent, for example, seconds in Linux, milliseconds in Windows etc. The default value of -1 (or any other negative value and 0) means to skip any overrides and leave it to OS default.

6.1.40. oslo_middleware

The following table outlines the options available under the [oslo_middleware] group in the /etc/heat/heat.conf file.

Table 6.40. oslo_middleware
Configuration option = Default value	Type	Description
`enable_proxy_headers_parsing = False`	boolean value	Whether the application is behind a proxy or not. This determines if the middleware should parse the headers or not.
`max_request_body_size = 114688`	integer value	The maximum body size for each request, in bytes.
`secure_proxy_ssl_header = X-Forwarded-Proto`	string value	The HTTP Header that will be used to determine what the original request protocol scheme was, even if it was hidden by a SSL termination proxy.

6.1.41. oslo_policy

The following table outlines the options available under the [oslo_policy] group in the /etc/heat/heat.conf file.

Table 6.41. oslo_policy
Configuration option = Default value	Type	Description
`enforce_scope = False`	boolean value	This option controls whether or not to enforce scope when evaluating policies. If `True`, the scope of the token used in the request is compared to the `scope_types` of the policy being enforced. If the scopes do not match, an `InvalidScope` exception will be raised. If `False`, a message will be logged informing operators that policies are being invoked with mismatching scope.
`policy_default_rule = default`	string value	Default rule. Enforced when a requested rule is not found.
`policy_dirs = [u'policy.d']`	multi valued	Directories where policy configuration files are stored. They can be relative to any directory in the search path defined by the config_dir option, or absolute paths. The file defined by policy_file must exist for these directories to be searched. Missing or empty directories are ignored.
`policy_file = policy.json`	string value	The file that defines policies.
`remote_content_type = application/x-www-form-urlencoded`	string value	Content Type to send and receive data for REST based policy check
`remote_ssl_ca_crt_file = None`	string value	Absolute path to ca cert file for REST based policy check
`remote_ssl_client_crt_file = None`	string value	Absolute path to client cert for REST based policy check
`remote_ssl_client_key_file = None`	string value	Absolute path client key file REST based policy check
`remote_ssl_verify_server_crt = False`	boolean value	server identity verification for REST based policy check

6.1.42. paste_deploy

The following table outlines the options available under the [paste_deploy] group in the /etc/heat/heat.conf file.

Table 6.42. paste_deploy
Configuration option = Default value	Type	Description
`api_paste_config = api-paste.ini`	string value	The API paste config file to use.
`flavor = None`	string value	The flavor to use.

6.1.43. profiler

The following table outlines the options available under the [profiler] group in the /etc/heat/heat.conf file.

Table 6.43. profiler
Configuration option = Default value	Type	Description
`connection_string = messaging://`	string value	Connection string for a notifier backend. Default value is messaging:// which sets the notifier to oslo_messaging. Examples of possible values: messaging://: use oslo_messaging driver for sending notifications. mongodb://127.0.0.1:27017 : use mongodb driver for sending notifications. elasticsearch://127.0.0.1:9200 : use elasticsearch driver for sending notifications.
`enabled = False`	boolean value	Enables the profiling for all services on this node. Default value is False (fully disable the profiling feature). Possible values: True: Enables the feature False: Disables the feature. The profiling cannot be started via this project operations. If the profiling is triggered by another project, this project part will be empty.
`es_doc_type = notification`	string value	Document type for notification indexing in elasticsearch.
`es_scroll_size = 10000`	integer value	Elasticsearch splits large requests in batches. This parameter defines maximum size of each batch (for example: es_scroll_size=10000).
`es_scroll_time = 2m`	string value	This parameter is a time value parameter (for example: es_scroll_time=2m), indicating for how long the nodes that participate in the search will maintain relevant resources in order to continue and support it.
`hmac_keys = SECRET_KEY`	string value	Secret key(s) to use for encrypting context data for performance profiling. This string value should have the following format: <key1>[,<key2>,…<keyn>], where each key is some random string. A user who triggers the profiling via the REST API has to set one of these keys in the headers of the REST API call to include profiling results of this node for this particular project. Both "enabled" flag and "hmac_keys" config options should be set to enable profiling. Also, to generate correct profiling information across all services at least one key needs to be consistent between OpenStack projects. This ensures it can be used from client side to generate the trace, containing information from all possible resources.
`sentinel_service_name = mymaster`	string value	Redissentinel uses a service name to identify a master redis service. This parameter defines the name (for example: sentinal_service_name=mymaster).
`socket_timeout = 0.1`	floating point value	Redissentinel provides a timeout option on the connections. This parameter defines that timeout (for example: socket_timeout=0.1).
`trace_sqlalchemy = False`	boolean value	Enables SQL requests profiling in services. Default value is False (SQL requests won’t be traced). Possible values: True: Enables SQL requests profiling. Each SQL query will be part of the trace and can the be analyzed by how much time was spent for that. False: Disables SQL requests profiling. The spent time is only shown on a higher level of operations. Single SQL queries cannot be analyzed this way.

6.1.44. revision

The following table outlines the options available under the [revision] group in the /etc/heat/heat.conf file.

Table 6.44. revision
Configuration option = Default value	Type	Description
`heat_revision = unknown`	string value	Heat build revision. If you would prefer to manage your build revision separately, you can move this section to a different file and add it as another config option.

6.1.45. ssl

The following table outlines the options available under the [ssl] group in the /etc/heat/heat.conf file.

Table 6.45. ssl
Configuration option = Default value	Type	Description
`ca_file = None`	string value	CA certificate file to use to verify connecting clients.
`cert_file = None`	string value	Certificate file to use when starting the server securely.
`ciphers = None`	string value	Sets the list of available ciphers. value should be a string in the OpenSSL cipher list format.
`key_file = None`	string value	Private key file to use when starting the server securely.
`version = None`	string value	SSL version to use (valid only if SSL enabled). Valid values are TLSv1 and SSLv23. SSLv2, SSLv3, TLSv1_1, and TLSv1_2 may be available on some distributions.

6.1.46. trustee

The following table outlines the options available under the [trustee] group in the /etc/heat/heat.conf file.

Table 6.46. trustee
Configuration option = Default value	Type	Description
`auth-url = None`	string value	Authentication URL
`auth_section = None`	string value	Config Section from which to load plugin specific options
`auth_type = None`	string value	Authentication type to load
`default-domain-id = None`	string value	Optional domain ID to use with v3 and v2 parameters. It will be used for both the user and project domain in v3 and ignored in v2 authentication.
`default-domain-name = None`	string value	Optional domain name to use with v3 API and v2 parameters. It will be used for both the user and project domain in v3 and ignored in v2 authentication.
`domain-id = None`	string value	Domain ID to scope to
`domain-name = None`	string value	Domain name to scope to
`password = None`	string value	User’s password
`project-domain-id = None`	string value	Domain ID containing project
`project-domain-name = None`	string value	Domain name containing project
`project-id = None`	string value	Project ID to scope to
`project-name = None`	string value	Project name to scope to
`system-scope = None`	string value	Scope for system operations
`trust-id = None`	string value	Trust ID
`user-domain-id = None`	string value	User’s domain id
`user-domain-name = None`	string value	User’s domain name
`user-id = None`	string value	User id
`username = None`	string value	Username

6.1.47. volumes

The following table outlines the options available under the [volumes] group in the /etc/heat/heat.conf file.

Table 6.47. volumes
Configuration option = Default value	Type	Description
`backups_enabled = True`	boolean value	Indicate if cinder-backup service is enabled. This is a temporary workaround until cinder-backup service becomes discoverable, see LP#1334856.

Chapter 7. ironic

The following chapter contains information about the configuration options in the ironic service.

7.1. ironic.conf

This section contains options for the /etc/ironic/ironic.conf file.

7.1.1. DEFAULT

The following table outlines the options available under the [DEFAULT] group in the /etc/ironic/ironic.conf file.

Table 7.1. DEFAULT
Configuration option = Default value	Type	Description
`auth_strategy = keystone`	string value	Authentication strategy used by ironic-api. "noauth" should not be used in a production environment because all authentication will be disabled.
`backdoor_port = None`	string value	Enable eventlet backdoor. Acceptable values are 0, <port>, and <start>:<end>, where 0 results in listening on a random tcp port number; <port> results in listening on the specified port number (and not enabling backdoor if that port is in use); and <start>:<end> results in listening on the smallest unused port number within the specified range of port numbers. The chosen port is displayed in the service’s log file.
`backdoor_socket = None`	string value	Enable eventlet backdoor, using the provided path as a unix socket that can receive connections. This option is mutually exclusive with backdoor_port in that only one should be provided. If both are provided then the existence of this option overrides the usage of that option.
`bindir = $pybasedir/bin`	string value	Directory where ironic binaries are installed.
`conn_pool_min_size = 2`	integer value	The pool size limit for connections expiration policy
`conn_pool_ttl = 1200`	integer value	The time-to-live in sec of idle connections in the pool
`control_exchange = openstack`	string value	The default exchange under which topics are scoped. May be overridden by an exchange name specified in the transport_url option.
`debug = False`	boolean value	If set to true, the logging level will be set to DEBUG instead of the default INFO level.
`debug_tracebacks_in_api = False`	boolean value	Return server tracebacks in the API response for any error responses. WARNING: this is insecure and should not be used in a production environment.
`default_boot_interface = None`	string value	Default boot interface to be used for nodes that do not have boot_interface field set. A complete list of boot interfaces present on your system may be found by enumerating the "ironic.hardware.interfaces.boot" entrypoint.
`default_console_interface = None`	string value	Default console interface to be used for nodes that do not have console_interface field set. A complete list of console interfaces present on your system may be found by enumerating the "ironic.hardware.interfaces.console" entrypoint.
`default_deploy_interface = None`	string value	Default deploy interface to be used for nodes that do not have deploy_interface field set. A complete list of deploy interfaces present on your system may be found by enumerating the "ironic.hardware.interfaces.deploy" entrypoint.
`default_inspect_interface = None`	string value	Default inspect interface to be used for nodes that do not have inspect_interface field set. A complete list of inspect interfaces present on your system may be found by enumerating the "ironic.hardware.interfaces.inspect" entrypoint.
`default_log_levels = [u'amqp=WARNING', u'amqplib=WARNING', u'qpid.messaging=INFO', u'oslo_messaging=INFO', u'oslo.messaging=INFO', u'sqlalchemy=WARNING', u'stevedore=INFO', u'eventlet.wsgi.server=INFO', u'iso8601=WARNING', u'requests=WARNING', u'neutronclient=WARNING', u'glanceclient=WARNING', u'urllib3.connectionpool=WARNING', u'keystonemiddleware.auth_token=INFO', u'keystoneauth.session=INFO']`	list value	List of package logging levels in logger=LEVEL pairs. This option is ignored if log_config_append is set.
`default_management_interface = None`	string value	Default management interface to be used for nodes that do not have management_interface field set. A complete list of management interfaces present on your system may be found by enumerating the "ironic.hardware.interfaces.management" entrypoint.
`default_network_interface = None`	string value	Default network interface to be used for nodes that do not have network_interface field set. A complete list of network interfaces present on your system may be found by enumerating the "ironic.hardware.interfaces.network" entrypoint.
`default_portgroup_mode = active-backup`	string value	Default mode for portgroups. Allowed values can be found in the linux kernel documentation on bonding: https://www.kernel.org/doc/Documentation/networking/bonding.txt.
`default_power_interface = None`	string value	Default power interface to be used for nodes that do not have power_interface field set. A complete list of power interfaces present on your system may be found by enumerating the "ironic.hardware.interfaces.power" entrypoint.
`default_raid_interface = None`	string value	Default raid interface to be used for nodes that do not have raid_interface field set. A complete list of raid interfaces present on your system may be found by enumerating the "ironic.hardware.interfaces.raid" entrypoint.
`default_rescue_interface = None`	string value	Default rescue interface to be used for nodes that do not have rescue_interface field set. A complete list of rescue interfaces present on your system may be found by enumerating the "ironic.hardware.interfaces.rescue" entrypoint.
`default_resource_class = None`	string value	Resource class to use for new nodes when no resource class is provided in the creation request.
`default_storage_interface = None`	string value	Default storage interface to be used for nodes that do not have storage_interface field set. A complete list of storage interfaces present on your system may be found by enumerating the "ironic.hardware.interfaces.storage" entrypoint.
`default_vendor_interface = None`	string value	Default vendor interface to be used for nodes that do not have vendor_interface field set. A complete list of vendor interfaces present on your system may be found by enumerating the "ironic.hardware.interfaces.vendor" entrypoint.
`enabled_boot_interfaces = [u'pxe']`	list value	Specify the list of boot interfaces to load during service initialization. Missing boot interfaces, or boot interfaces which fail to initialize, will prevent the ironic-conductor service from starting. At least one boot interface that is supported by each enabled hardware type must be enabled here, or the ironic-conductor service will not start. Must not be an empty list. The default value is a recommended set of production-oriented boot interfaces. A complete list of boot interfaces present on your system may be found by enumerating the "ironic.hardware.interfaces.boot" entrypoint. When setting this value, please make sure that every enabled hardware type will have the same set of enabled boot interfaces on every ironic-conductor service.
`enabled_console_interfaces = [u'no-console']`	list value	Specify the list of console interfaces to load during service initialization. Missing console interfaces, or console interfaces which fail to initialize, will prevent the ironic-conductor service from starting. At least one console interface that is supported by each enabled hardware type must be enabled here, or the ironic-conductor service will not start. Must not be an empty list. The default value is a recommended set of production-oriented console interfaces. A complete list of console interfaces present on your system may be found by enumerating the "ironic.hardware.interfaces.console" entrypoint. When setting this value, please make sure that every enabled hardware type will have the same set of enabled console interfaces on every ironic-conductor service.
`enabled_deploy_interfaces = [u'iscsi', u'direct']`	list value	Specify the list of deploy interfaces to load during service initialization. Missing deploy interfaces, or deploy interfaces which fail to initialize, will prevent the ironic-conductor service from starting. At least one deploy interface that is supported by each enabled hardware type must be enabled here, or the ironic-conductor service will not start. Must not be an empty list. The default value is a recommended set of production-oriented deploy interfaces. A complete list of deploy interfaces present on your system may be found by enumerating the "ironic.hardware.interfaces.deploy" entrypoint. When setting this value, please make sure that every enabled hardware type will have the same set of enabled deploy interfaces on every ironic-conductor service.
`enabled_drivers = [u'pxe_ipmitool']`	list value	Specify the list of drivers to load during service initialization. Missing drivers, or drivers which fail to initialize, will prevent the conductor service from starting. The option default is a recommended set of production-oriented drivers. A complete list of drivers present on your system may be found by enumerating the "ironic.drivers" entrypoint. An example may be found in the developer documentation online.
`enabled_hardware_types = [u'ipmi']`	list value	Specify the list of hardware types to load during service initialization. Missing hardware types, or hardware types which fail to initialize, will prevent the conductor service from starting. This option defaults to a recommended set of production-oriented hardware types. A complete list of hardware types present on your system may be found by enumerating the "ironic.hardware.types" entrypoint.
`enabled_inspect_interfaces = [u'no-inspect']`	list value	Specify the list of inspect interfaces to load during service initialization. Missing inspect interfaces, or inspect interfaces which fail to initialize, will prevent the ironic-conductor service from starting. At least one inspect interface that is supported by each enabled hardware type must be enabled here, or the ironic-conductor service will not start. Must not be an empty list. The default value is a recommended set of production-oriented inspect interfaces. A complete list of inspect interfaces present on your system may be found by enumerating the "ironic.hardware.interfaces.inspect" entrypoint. When setting this value, please make sure that every enabled hardware type will have the same set of enabled inspect interfaces on every ironic-conductor service.
`enabled_management_interfaces = [u'ipmitool']`	list value	Specify the list of management interfaces to load during service initialization. Missing management interfaces, or management interfaces which fail to initialize, will prevent the ironic-conductor service from starting. At least one management interface that is supported by each enabled hardware type must be enabled here, or the ironic-conductor service will not start. Must not be an empty list. The default value is a recommended set of production-oriented management interfaces. A complete list of management interfaces present on your system may be found by enumerating the "ironic.hardware.interfaces.management" entrypoint. When setting this value, please make sure that every enabled hardware type will have the same set of enabled management interfaces on every ironic-conductor service.
`enabled_network_interfaces = [u'flat', u'noop']`	list value	Specify the list of network interfaces to load during service initialization. Missing network interfaces, or network interfaces which fail to initialize, will prevent the ironic-conductor service from starting. At least one network interface that is supported by each enabled hardware type must be enabled here, or the ironic-conductor service will not start. Must not be an empty list. The default value is a recommended set of production-oriented network interfaces. A complete list of network interfaces present on your system may be found by enumerating the "ironic.hardware.interfaces.network" entrypoint. When setting this value, please make sure that every enabled hardware type will have the same set of enabled network interfaces on every ironic-conductor service.
`enabled_power_interfaces = [u'ipmitool']`	list value	Specify the list of power interfaces to load during service initialization. Missing power interfaces, or power interfaces which fail to initialize, will prevent the ironic-conductor service from starting. At least one power interface that is supported by each enabled hardware type must be enabled here, or the ironic-conductor service will not start. Must not be an empty list. The default value is a recommended set of production-oriented power interfaces. A complete list of power interfaces present on your system may be found by enumerating the "ironic.hardware.interfaces.power" entrypoint. When setting this value, please make sure that every enabled hardware type will have the same set of enabled power interfaces on every ironic-conductor service.
`enabled_raid_interfaces = [u'agent', u'no-raid']`	list value	Specify the list of raid interfaces to load during service initialization. Missing raid interfaces, or raid interfaces which fail to initialize, will prevent the ironic-conductor service from starting. At least one raid interface that is supported by each enabled hardware type must be enabled here, or the ironic-conductor service will not start. Must not be an empty list. The default value is a recommended set of production-oriented raid interfaces. A complete list of raid interfaces present on your system may be found by enumerating the "ironic.hardware.interfaces.raid" entrypoint. When setting this value, please make sure that every enabled hardware type will have the same set of enabled raid interfaces on every ironic-conductor service.
`enabled_rescue_interfaces = [u'no-rescue']`	list value	Specify the list of rescue interfaces to load during service initialization. Missing rescue interfaces, or rescue interfaces which fail to initialize, will prevent the ironic-conductor service from starting. At least one rescue interface that is supported by each enabled hardware type must be enabled here, or the ironic-conductor service will not start. Must not be an empty list. The default value is a recommended set of production-oriented rescue interfaces. A complete list of rescue interfaces present on your system may be found by enumerating the "ironic.hardware.interfaces.rescue" entrypoint. When setting this value, please make sure that every enabled hardware type will have the same set of enabled rescue interfaces on every ironic-conductor service.
`enabled_storage_interfaces = [u'cinder', u'noop']`	list value	Specify the list of storage interfaces to load during service initialization. Missing storage interfaces, or storage interfaces which fail to initialize, will prevent the ironic-conductor service from starting. At least one storage interface that is supported by each enabled hardware type must be enabled here, or the ironic-conductor service will not start. Must not be an empty list. The default value is a recommended set of production-oriented storage interfaces. A complete list of storage interfaces present on your system may be found by enumerating the "ironic.hardware.interfaces.storage" entrypoint. When setting this value, please make sure that every enabled hardware type will have the same set of enabled storage interfaces on every ironic-conductor service.
`enabled_vendor_interfaces = [u'ipmitool', u'no-vendor']`	list value	Specify the list of vendor interfaces to load during service initialization. Missing vendor interfaces, or vendor interfaces which fail to initialize, will prevent the ironic-conductor service from starting. At least one vendor interface that is supported by each enabled hardware type must be enabled here, or the ironic-conductor service will not start. Must not be an empty list. The default value is a recommended set of production-oriented vendor interfaces. A complete list of vendor interfaces present on your system may be found by enumerating the "ironic.hardware.interfaces.vendor" entrypoint. When setting this value, please make sure that every enabled hardware type will have the same set of enabled vendor interfaces on every ironic-conductor service.
`executor_thread_pool_size = 64`	integer value	Size of executor thread pool when executor is threading or eventlet.
`fatal_deprecations = False`	boolean value	Enables or disables fatal status of deprecations.
`fatal_exception_format_errors = False`	boolean value	Used if there is a formatting error when generating an exception message (a programming error). If True, raise an exception; if False, use the unformatted message.
`force_raw_images = True`	boolean value	If True, convert backing images to "raw" disk image format.
`graceful_shutdown_timeout = 60`	integer value	Specify a timeout after which a gracefully shutdown server will exit. Zero value means endless wait.
`grub_config_template = $pybasedir/common/grub_conf.template`	string value	Template file for grub configuration file.
`hash_distribution_replicas = 1`	integer value	[Experimental Feature] Number of hosts to map onto each hash partition. Setting this to more than one will cause additional conductor services to prepare deployment environments and potentially allow the Ironic cluster to recover more quickly if a conductor instance is terminated.
`hash_partition_exponent = 5`	integer value	Exponent to determine number of hash partitions to use when distributing load across conductors. Larger values will result in more even distribution of load and less load when rebalancing the ring, but more memory usage. Number of partitions per conductor is (2^hash_partition_exponent). This determines the granularity of rebalancing: given 10 hosts, and an exponent of the 2, there are 40 partitions in the ring.A few thousand partitions should make rebalancing smooth in most cases. The default is suitable for up to a few hundred conductors. Configuring for too many partitions has a negative impact on CPU usage.
`hash_ring_reset_interval = 15`	integer value	Time (in seconds) after which the hash ring is considered outdated and is refreshed on the next access.
`host = ccsosp-undercloud.usersys.redhat.com`	string value	Name of this node. This can be an opaque identifier. It is not necessarily a hostname, FQDN, or IP address. However, the node name must be valid within an AMQP key, and if using ZeroMQ, a valid hostname, FQDN, or IP address.
`instance_format = [instance: %(uuid)s] `	string value	The format for an instance that is passed with the log message.
`instance_uuid_format = [instance: %(uuid)s] `	string value	The format for an instance UUID that is passed with the log message.
`isolinux_bin = /usr/lib/syslinux/isolinux.bin`	string value	Path to isolinux binary file.
`isolinux_config_template = $pybasedir/common/isolinux_config.template`	string value	Template file for isolinux configuration file.
`ldlinux_c32 = None`	string value	Path to ldlinux.c32 file. This file is required for syslinux 5.0 or later. If not specified, the file is looked for in "/usr/lib/syslinux/modules/bios/ldlinux.c32" and "/usr/share/syslinux/ldlinux.c32".
`log-config-append = None`	string value	The name of a logging configuration file. This file is appended to any existing logging configuration files. For details about logging configuration files, see the Python logging module documentation. Note that when logging configuration files are used then all logging configuration is set in the configuration file and other logging configuration options are ignored (for example, logging_context_format_string).
`log-date-format = %Y-%m-%d %H:%M:%S`	string value	Defines the format string for %%(asctime)s in log records. Default: %(default)s . This option is ignored if log_config_append is set.
`log-dir = None`	string value	(Optional) The base directory used for relative log_file paths. This option is ignored if log_config_append is set.
`log-file = None`	string value	(Optional) Name of log file to send logging output to. If no default is set, logging will go to stderr as defined by use_stderr. This option is ignored if log_config_append is set.
`log_options = True`	boolean value	Enables or disables logging values of all registered options when starting a service (at DEBUG level).
`logging_context_format_string = %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [%(request_id)s %(user_identity)s] %(instance)s%(message)s`	string value	Format string to use for log messages with context.
`logging_debug_format_suffix = %(funcName)s %(pathname)s:%(lineno)d`	string value	Additional data to append to log message when logging level for the message is DEBUG.
`logging_default_format_string = %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [-] %(instance)s%(message)s`	string value	Format string to use for log messages when context is undefined.
`logging_exception_prefix = %(asctime)s.%(msecs)03d %(process)d ERROR %(name)s %(instance)s`	string value	Prefix each line of exception output with this format.
`logging_user_identity_format = %(user)s %(tenant)s %(domain)s %(user_domain)s %(project_domain)s`	string value	Defines the format string for %(user_identity)s that is used in logging_context_format_string.
`my_ip = 10.65.176.99`	string value	IP address of this host. If unset, will determine the IP programmatically. If unable to do so, will use "127.0.0.1".
`notification_level = None`	string value	Specifies the minimum level for which to send notifications. If not set, no notifications will be sent. The default is for this option to be unset.
`parallel_image_downloads = False`	boolean value	Run image downloads and raw format conversions in parallel.
`pecan_debug = False`	boolean value	Enable pecan debug mode. WARNING: this is insecure and should not be used in a production environment.
`pin_release_version = None`	string value	Used for rolling upgrades. Setting this option downgrades (or pins) the Bare Metal API, the internal ironic RPC communication, and the database objects to their respective versions, so they are compatible with older services. When doing a rolling upgrade from version N to version N+1, set (to pin) this to N. To unpin (default), leave it unset and the latest versions will be used.
`publish_errors = False`	boolean value	Enables or disables publication of error events.
`pybasedir = /usr/lib/python2.7/site-packages/ironic`	string value	Directory where the ironic python module is installed.
`rate_limit_burst = 0`	integer value	Maximum number of logged messages per rate_limit_interval.
`rate_limit_except_level = CRITICAL`	string value	Log level name used by rate limiting: CRITICAL, ERROR, INFO, WARNING, DEBUG or empty string. Logs with level greater or equal to rate_limit_except_level are not filtered. An empty string means that all levels are filtered.
`rate_limit_interval = 0`	integer value	Interval, number of seconds, of log rate limiting.
`rootwrap_config = /etc/ironic/rootwrap.conf`	string value	Path to the rootwrap configuration file to use for running commands as root.
`rpc_ack_timeout_base = 15`	integer value	Number of seconds to wait for an ack from a cast/call. After each retry attempt this timeout is multiplied by some specified multiplier.
`rpc_ack_timeout_multiplier = 2`	integer value	Number to multiply base ack timeout by after each retry attempt.
`rpc_backend = rabbit`	string value	The messaging driver to use, defaults to rabbit. Other drivers include amqp and zmq.
`rpc_conn_pool_size = 30`	integer value	Size of RPC connection pool.
`rpc_message_ttl = 300`	integer value	Expiration timeout in seconds of a sent/received message after which it is not tracked anymore by a client/server.
`rpc_poll_timeout = 1`	integer value	The default number of seconds that poll should wait. Poll raises timeout exception when timeout expired.
`rpc_response_timeout = 60`	integer value	Seconds to wait for a response from a call.
`rpc_retry_attempts = 3`	integer value	Default number of message sending attempts in case of any problems occurred: positive value N means at most N retries, 0 means no retries, None or -1 (or any other negative values) mean to retry forever. This option is used only if acknowledgments are enabled.
`rpc_thread_pool_size = 100`	integer value	Maximum number of (green) threads to work concurrently.
`rpc_use_acks = False`	boolean value	Wait for message acknowledgements from receivers. This mechanism works only via proxy without PUB/SUB.
`rpc_zmq_bind_address = *`	string value	ZeroMQ bind address. Should be a wildcard (*), an ethernet interface, or IP. The "host" option should point or resolve to this address.
`rpc_zmq_bind_port_retries = 100`	integer value	Number of retries to find free port number before fail with ZMQBindError.
`rpc_zmq_contexts = 1`	integer value	Number of ZeroMQ contexts, defaults to 1.
`rpc_zmq_host = ccsosp-undercloud.usersys.redhat.com`	string value	Name of this node. Must be a valid hostname, FQDN, or IP address. Must match "host" option, if running Nova.
`rpc_zmq_ipc_dir = /var/run/openstack`	string value	Directory for holding IPC sockets.
`rpc_zmq_matchmaker = redis`	string value	MatchMaker driver.
`rpc_zmq_max_port = 65536`	integer value	Maximal port number for random ports range.
`rpc_zmq_min_port = 49153`	port value	Minimal port number for random ports range.
`rpc_zmq_serialization = json`	string value	Default serialization mechanism for serializing/deserializing outgoing/incoming messages
`rpc_zmq_topic_backlog = None`	integer value	Maximum number of ingress messages to locally buffer per topic. Default is unlimited.
`run_external_periodic_tasks = True`	boolean value	Some periodic tasks can be run in a separate process. Should we run them here?
`state_path = $pybasedir`	string value	Top-level directory for maintaining ironic’s state.
`subscribe_on = []`	list value	List of publisher hosts SubConsumer can subscribe on. This option has higher priority then the default publishers list taken from the matchmaker.
`syslog-log-facility = LOG_USER`	string value	Syslog facility to receive log lines. This option is ignored if log_config_append is set.
`tempdir = /tmp`	string value	Temporary working directory, default is Python temp dir.
`transport_url = None`	string value	The network address and optional user credentials for connecting to the messaging backend, in URL format. The expected format is: driver://[user:pass@]host:port[,[userN:passN@]hostN:portN]/virtual_host?query Example: rabbit://rabbitmq:password@127.0.0.1:5672// For full details on the fields in the URL see the documentation of oslo_messaging.TransportURL at https://docs.openstack.org/oslo.messaging/latest/reference/transport.html
`use-journal = False`	boolean value	Enable journald for logging. If running in a systemd environment you may wish to enable journal support. Doing so will use the journal native protocol which includes structured metadata in addition to log messages.This option is ignored if log_config_append is set.
`use-json = False`	boolean value	Use JSON formatting for logging. This option is ignored if log_config_append is set.
`use-syslog = False`	boolean value	Use syslog for logging. Existing syslog format is DEPRECATED and will be changed later to honor RFC5424. This option is ignored if log_config_append is set.
`use_dynamic_connections = False`	boolean value	This option makes direct connections dynamic or static. It makes sense only with use_router_proxy=False which means to use direct connections for direct message types (ignored otherwise).
`use_pub_sub = False`	boolean value	Use PUB/SUB pattern for fanout methods. PUB/SUB always uses proxy.
`use_router_proxy = False`	boolean value	Use ROUTER remote proxy.
`use_stderr = False`	boolean value	Log output to standard error. This option is ignored if log_config_append is set.
`watch-log-file = False`	boolean value	Uses logging handler designed to watch file system. When log file is moved or removed this handler will open a new log file with specified path instantaneously. It makes sense only if log_file option is specified and Linux platform is used. This option is ignored if log_config_append is set.
`zmq_failover_connections = 2`	integer value	How many additional connections to a host will be made for failover reasons. This option is actual only in dynamic connections mode.
`zmq_immediate = True`	boolean value	This option configures round-robin mode in zmq socket. True means not keeping a queue when server side disconnects. False means to keep queue and messages even if server is disconnected, when the server appears we send all accumulated messages to it.
`zmq_linger = -1`	integer value	Number of seconds to wait before all pending messages will be sent after closing a socket. The default value of -1 specifies an infinite linger period. The value of 0 specifies no linger period. Pending messages shall be discarded immediately when the socket is closed. Positive values specify an upper bound for the linger period.
`zmq_target_expire = 300`	integer value	Expiration timeout in seconds of a name service record about existing target ( < 0 means no timeout).
`zmq_target_update = 180`	integer value	Update period in seconds of a name service record about existing target.
`zmq_tcp_keepalive = -1`	integer value	Enable/disable TCP keepalive (KA) mechanism. The default value of -1 (or any other negative value) means to skip any overrides and leave it to OS default; 0 and 1 (or any other positive value) mean to disable and enable the option respectively.
`zmq_tcp_keepalive_cnt = -1`	integer value	The number of retransmissions to be carried out before declaring that remote end is not available. The default value of -1 (or any other negative value and 0) means to skip any overrides and leave it to OS default.
`zmq_tcp_keepalive_idle = -1`	integer value	The duration between two keepalive transmissions in idle condition. The unit is platform dependent, for example, seconds in Linux, milliseconds in Windows etc. The default value of -1 (or any other negative value and 0) means to skip any overrides and leave it to OS default.
`zmq_tcp_keepalive_intvl = -1`	integer value	The duration between two successive keepalive retransmissions, if acknowledgement to the previous keepalive transmission is not received. The unit is platform dependent, for example, seconds in Linux, milliseconds in Windows etc. The default value of -1 (or any other negative value and 0) means to skip any overrides and leave it to OS default.

7.1.2. agent

The following table outlines the options available under the [agent] group in the /etc/ironic/ironic.conf file.

Table 7.2. agent
Configuration option = Default value	Type	Description
`agent_api_version = v1`	string value	API version to use for communicating with the ramdisk agent.
`deploy_logs_collect = on_failure`	string value	Whether Ironic should collect the deployment logs on deployment failure (on_failure), always or never.
`deploy_logs_local_path = /var/log/ironic/deploy`	string value	The path to the directory where the logs should be stored, used when the deploy_logs_storage_backend is configured to "local".
`deploy_logs_storage_backend = local`	string value	The name of the storage backend where the logs will be stored.
`deploy_logs_swift_container = ironic_deploy_logs_container`	string value	The name of the Swift container to store the logs, used when the deploy_logs_storage_backend is configured to "swift".
`deploy_logs_swift_days_to_expire = 30`	integer value	Number of days before a log object is marked as expired in Swift. If None, the logs will be kept forever or until manually deleted. Used when the deploy_logs_storage_backend is configured to "swift".
`manage_agent_boot = True`	boolean value	Whether Ironic will manage booting of the agent ramdisk. If set to False, you will need to configure your mechanism to allow booting the agent ramdisk.
`memory_consumed_by_agent = 0`	integer value	The memory size in MiB consumed by agent when it is booted on a bare metal node. This is used for checking if the image can be downloaded and deployed on the bare metal node after booting agent ramdisk. This may be set according to the memory consumed by the agent ramdisk image.
`post_deploy_get_power_state_retries = 6`	integer value	Number of times to retry getting power state to check if bare metal node has been powered off after a soft power off.
`post_deploy_get_power_state_retry_interval = 5`	integer value	Amount of time (in seconds) to wait between polling power state after trigger soft poweroff.
`stream_raw_images = True`	boolean value	Whether the agent ramdisk should stream raw images directly onto the disk or not. By streaming raw images directly onto the disk the agent ramdisk will not spend time copying the image to a tmpfs partition (therefore consuming less memory) prior to writing it to the disk. Unless the disk where the image will be copied to is really slow, this option should be set to True. Defaults to True.

7.1.3. ansible

The following table outlines the options available under the [ansible] group in the /etc/ironic/ironic.conf file.

Table 7.3. ansible
Configuration option = Default value	Type	Description
`ansible_extra_args = None`	string value	Extra arguments to pass on every invocation of Ansible.
`ansible_playbook_script = ansible-playbook`	string value	Path to "ansible-playbook" script. Default will search the $PATH configured for user running ironic-conductor process. Provide the full path when ansible-playbook is not in $PATH or installed in not default location.
`config_file_path = $pybasedir/drivers/modules/ansible/playbooks/ansible.cfg`	string value	Path to ansible configuration file. If set to empty, system default will be used.
`default_clean_playbook = clean.yaml`	string value	Path (relative to $playbooks_path or absolute) to the default playbook used for node cleaning. It may be overriden by per-node ansible_clean_playbook option in node’s driver_info field.
`default_clean_steps_config = clean_steps.yaml`	string value	Path (relative to $playbooks_path or absolute) to the default auxiliary cleaning steps file used during the node cleaning. It may be overriden by per-node ansible_clean_steps_config option in node’s driver_info field.
`default_deploy_playbook = deploy.yaml`	string value	Path (relative to $playbooks_path or absolute) to the default playbook used for deployment. It may be overriden by per-node ansible_deploy_playbook option in node’s driver_info field.
`default_key_file = None`	string value	Absolute path to the private SSH key file to use by Ansible by default when connecting to the ramdisk over SSH. Default is to use default SSH keys configured for the user running the ironic-conductor service. Private keys with password must be pre-loaded into ssh-agent. It may be overriden by per-node ansible_key_file option in node’s driver_info field.
`default_shutdown_playbook = shutdown.yaml`	string value	Path (relative to $playbooks_path or absolute) to the default playbook used for graceful in-band shutdown of the node. It may be overriden by per-node ansible_shutdown_playbook option in node’s driver_info field.
`default_username = ansible`	string value	Name of the user to use for Ansible when connecting to the ramdisk over SSH. It may be overriden by per-node ansible_username option in node’s driver_info field.
`extra_memory = 10`	integer value	Extra amount of memory in MiB expected to be consumed by Ansible-related processes on the node. Affects decision whether image will fit into RAM.
`image_store_cafile = None`	string value	Specific CA bundle to use for validating SSL connections to the image store. If not specified, CA available in the ramdisk will be used. Is not used by default playbooks included with the driver. Suitable for environments that use self-signed certificates.
`image_store_certfile = None`	string value	Client cert to use for SSL connections to image store. Is not used by default playbooks included with the driver.
`image_store_insecure = False`	boolean value	Skip verifying SSL connections to the image store when downloading the image. Setting it to "True" is only recommended for testing environments that use self-signed certificates.
`image_store_keyfile = None`	string value	Client key to use for SSL connections to image store. Is not used by default playbooks included with the driver.
`playbooks_path = $pybasedir/drivers/modules/ansible/playbooks`	string value	Path to directory with playbooks, roles and local inventory.
`post_deploy_get_power_state_retries = 6`	integer value	Number of times to retry getting power state to check if bare metal node has been powered off after a soft power off. Value of 0 means do not retry on failure.
`post_deploy_get_power_state_retry_interval = 5`	integer value	Amount of time (in seconds) to wait between polling power state after trigger soft poweroff.
`verbosity = None`	integer value	Set ansible verbosity level requested when invoking "ansible-playbook" command. 4 includes detailed SSH session logging. Default is 4 when global debug is enabled and 0 otherwise.

7.1.4. api

The following table outlines the options available under the [api] group in the /etc/ironic/ironic.conf file.

Table 7.4. api
Configuration option = Default value	Type	Description
`api_workers = None`	integer value	Number of workers for OpenStack Ironic API service. The default is equal to the number of CPUs available if that can be determined, else a default worker count of 1 is returned.
`enable_ssl_api = False`	boolean value	Enable the integrated stand-alone API to service requests via HTTPS instead of HTTP. If there is a front-end service performing HTTPS offloading from the service, this option should be False; note, you will want to change public API endpoint to represent SSL termination URL with public_endpoint option.
`host_ip = 0.0.0.0`	string value	The IP address on which ironic-api listens.
`max_limit = 1000`	integer value	The maximum number of items returned in a single response from a collection resource.
`port = 6385`	port value	The TCP port on which ironic-api listens.
`public_endpoint = None`	string value	Public URL to use when building the links to the API resources (for example, "https://ironic.rocks:6384"). If None the links will be built using the request’s host URL. If the API is operating behind a proxy, you will want to change this to represent the proxy’s URL. Defaults to None.
`ramdisk_heartbeat_timeout = 300`	integer value	Maximum interval (in seconds) for agent heartbeats.
`restrict_lookup = True`	boolean value	Whether to restrict the lookup API to only nodes in certain states.

7.1.5. audit

The following table outlines the options available under the [audit] group in the /etc/ironic/ironic.conf file.

Table 7.5. audit
Configuration option = Default value	Type	Description
`audit_map_file = /etc/ironic/api_audit_map.conf`	string value	Path to audit map file for ironic-api service. Used only when API audit is enabled.
`enabled = False`	boolean value	Enable auditing of API requests (for ironic-api service).
`ignore_req_list = `	string value	Comma separated list of Ironic REST API HTTP methods to be ignored during audit logging. For example: auditing will not be done on any GET or POST requests if this is set to "GET,POST". It is used only when API audit is enabled.

7.1.6. cimc

The following table outlines the options available under the [cimc] group in the /etc/ironic/ironic.conf file.

Table 7.6. cimc
Configuration option = Default value	Type	Description
`action_interval = 10`	integer value	Amount of time in seconds to wait in between power operations
`max_retry = 6`	integer value	Number of times a power operation needs to be retried

7.1.7. cinder

The following table outlines the options available under the [cinder] group in the /etc/ironic/ironic.conf file.

Table 7.7. cinder
Configuration option = Default value	Type	Description
`action_retries = 3`	integer value	Number of retries in the case of a failed action (currently only used when detaching volumes).
`action_retry_interval = 5`	integer value	Retry interval in seconds in the case of a failed action (only specific actions are retried).
`auth-url = None`	string value	Authentication URL
`auth_type = None`	string value	Authentication type to load
`cafile = None`	string value	PEM encoded Certificate Authority to use when verifying HTTPs connections.
`certfile = None`	string value	PEM encoded client certificate cert file
`default-domain-id = None`	string value	Optional domain ID to use with v3 and v2 parameters. It will be used for both the user and project domain in v3 and ignored in v2 authentication.
`default-domain-name = None`	string value	Optional domain name to use with v3 API and v2 parameters. It will be used for both the user and project domain in v3 and ignored in v2 authentication.
`domain-id = None`	string value	Domain ID to scope to
`domain-name = None`	string value	Domain name to scope to
`endpoint-override = None`	string value	Always use this endpoint URL for requests for this client. NOTE: The unversioned endpoint should be specified here; to request a particular API version, use the `version`, `min-version`, and/or `max-version` options.
`insecure = False`	boolean value	Verify HTTPS connections.
`keyfile = None`	string value	PEM encoded client certificate key file
`max-version = None`	string value	The maximum major version of a given API, intended to be used as the upper bound of a range with min_version. Mutually exclusive with version.
`min-version = None`	string value	The minimum major version of a given API, intended to be used as the lower bound of a range with max_version. Mutually exclusive with version. If min_version is given with no max_version it is as if max version is "latest".
`password = None`	string value	User’s password
`project-domain-id = None`	string value	Domain ID containing project
`project-domain-name = None`	string value	Domain name containing project
`project-id = None`	string value	Project ID to scope to
`project-name = None`	string value	Project name to scope to
`region-name = None`	string value	The default region_name for endpoint URL discovery.
`retries = 3`	integer value	Client retries in the case of a failed request connection.
`service-name = None`	string value	The default service_name for endpoint URL discovery.
`service-type = volumev3`	string value	The default service_type for endpoint URL discovery.
`system-scope = None`	string value	Scope for system operations
`tenant-id = None`	string value	Tenant ID
`tenant-name = None`	string value	Tenant Name
`timeout = None`	integer value	Timeout value for http requests
`trust-id = None`	string value	Trust ID
`url = None`	uri value	URL for connecting to cinder. If set, the value must start with either http:// or https://.
`user-domain-id = None`	string value	User’s domain id
`user-domain-name = None`	string value	User’s domain name
`user-id = None`	string value	User id
`username = None`	string value	Username
`valid-interfaces = [u'internal', u'public']`	list value	List of interfaces, in order of preference, for endpoint URL.
`version = None`	string value	Minimum Major API version within a given Major API version for endpoint URL discovery. Mutually exclusive with min_version and max_version

7.1.8. cisco_ucs

The following table outlines the options available under the [cisco_ucs] group in the /etc/ironic/ironic.conf file.

Table 7.8. cisco_ucs
Configuration option = Default value	Type	Description
`action_interval = 5`	integer value	Amount of time in seconds to wait in between power operations
`max_retry = 6`	integer value	Number of times a power operation needs to be retried

7.1.9. conductor

The following table outlines the options available under the [conductor] group in the /etc/ironic/ironic.conf file.

Table 7.9. conductor
Configuration option = Default value	Type	Description
`api_url = None`	uri value	URL of Ironic API service. If not set ironic can get the current value from the keystone service catalog. If set, the value must start with either http:// or https://.
`automated_clean = True`	boolean value	Enables or disables automated cleaning. Automated cleaning is a configurable set of steps, such as erasing disk drives, that are performed on the node to ensure it is in a baseline state and ready to be deployed to. This is done after instance deletion as well as during the transition from a "manageable" to "available" state. When enabled, the particular steps performed to clean a node depend on which driver that node is managed by; see the individual driver’s documentation for details. NOTE: The introduction of the cleaning operation causes instance deletion to take significantly longer. In an environment where all tenants are trusted (eg, because there is only one tenant), this option could be safely disabled.
`check_provision_state_interval = 60`	integer value	Interval between checks of provision timeouts, in seconds.
`check_rescue_state_interval = 60`	integer value	Interval (seconds) between checks of rescue timeouts.
`clean_callback_timeout = 1800`	integer value	Timeout (seconds) to wait for a callback from the ramdisk doing the cleaning. If the timeout is reached the node will be put in the "clean failed" provision state. Set to 0 to disable timeout.
`configdrive_swift_container = ironic_configdrive_container`	string value	Name of the Swift container to store config drive data. Used when configdrive_use_object_store is True.
`deploy_callback_timeout = 1800`	integer value	Timeout (seconds) to wait for a callback from a deploy ramdisk. Set to 0 to disable timeout.
`force_power_state_during_sync = True`	boolean value	During sync_power_state, should the hardware power state be set to the state recorded in the database (True) or should the database be updated based on the hardware state (False).
`heartbeat_interval = 10`	integer value	Seconds between conductor heart beats.
`heartbeat_timeout = 60`	integer value	Maximum time (in seconds) since the last check-in of a conductor. A conductor is considered inactive when this time has been exceeded.
`inspect_timeout = 1800`	integer value	Timeout (seconds) for waiting for node inspection. 0 - unlimited.
`node_locked_retry_attempts = 3`	integer value	Number of attempts to grab a node lock.
`node_locked_retry_interval = 1`	integer value	Seconds to sleep between node lock attempts.
`periodic_max_workers = 8`	integer value	Maximum number of worker threads that can be started simultaneously by a periodic task. Should be less than RPC thread pool size.
`power_state_change_timeout = 30`	integer value	Number of seconds to wait for power operations to complete, i.e., so that a baremetal node is in the desired power state. If timed out, the power operation is considered a failure.
`power_state_sync_max_retries = 3`	integer value	During sync_power_state failures, limit the number of times Ironic should try syncing the hardware node power state with the node power state in DB
`rescue_callback_timeout = 1800`	integer value	Timeout (seconds) to wait for a callback from the rescue ramdisk. If the timeout is reached the node will be put in the "rescue failed" provision state. Set to 0 to disable timeout.
`send_sensor_data = False`	boolean value	Enable sending sensor data message via the notification bus
`send_sensor_data_interval = 600`	integer value	Seconds between conductor sending sensor data message to ceilometer via the notification bus.
`send_sensor_data_types = [u'ALL']`	list value	List of comma separated meter types which need to be sent to Ceilometer. The default value, "ALL", is a special value meaning send all the sensor data.
`send_sensor_data_wait_timeout = 300`	integer value	The time in seconds to wait for send sensors data periodic task to be finished before allowing periodic call to happen again. Should be less than send_sensor_data_interval value.
`send_sensor_data_workers = 4`	integer value	The maximum number of workers that can be started simultaneously for send data from sensors periodic task.
`soft_power_off_timeout = 600`	integer value	Timeout (in seconds) of soft reboot and soft power off operation. This value always has to be positive.
`sync_local_state_interval = 180`	integer value	When conductors join or leave the cluster, existing conductors may need to update any persistent local state as nodes are moved around the cluster. This option controls how often, in seconds, each conductor will check for nodes that it should "take over". Set it to a negative value to disable the check entirely.
`sync_power_state_interval = 60`	integer value	Interval between syncing the node power state to the database, in seconds.
`workers_pool_size = 100`	integer value	The size of the workers greenthread pool. Note that 2 threads will be reserved by the conductor itself for handling heart beats and periodic tasks.

7.1.10. console

The following table outlines the options available under the [console] group in the /etc/ironic/ironic.conf file.

Table 7.10. console
Configuration option = Default value	Type	Description
`socat_address = $my_ip`	IP address value	IP address of Socat service running on the host of ironic conductor. Used only by Socat console.
`subprocess_checking_interval = 1`	integer value	Time interval (in seconds) for checking the status of console subprocess.
`subprocess_timeout = 10`	integer value	Time (in seconds) to wait for the console subprocess to start.
`terminal = shellinaboxd`	string value	Path to serial console terminal program. Used only by Shell In A Box console.
`terminal_cert_dir = None`	string value	Directory containing the terminal SSL cert (PEM) for serial console access. Used only by Shell In A Box console.
`terminal_pid_dir = None`	string value	Directory for holding terminal pid files. If not specified, the temporary directory will be used.
`terminal_timeout = 600`	integer value	Timeout (in seconds) for the terminal session to be closed on inactivity. Set to 0 to disable timeout. Used only by Socat console.

7.1.11. cors

The following table outlines the options available under the [cors] group in the /etc/ironic/ironic.conf file.

Table 7.11. cors
Configuration option = Default value	Type	Description
`allow_credentials = True`	boolean value	Indicate that the actual request can include user credentials
`allow_headers = []`	list value	Indicate which header field names may be used during the actual request.
`allow_methods = [u'OPTIONS', u'GET', u'HEAD', u'POST', u'PUT', u'DELETE', u'TRACE', u'PATCH']`	list value	Indicate which methods can be used during the actual request.
`allowed_origin = None`	list value	Indicate whether this resource may be shared with the domain received in the requests "origin" header. Format: "<protocol>://<host>[:<port>]", no trailing slash. Example: https://horizon.example.com
`expose_headers = []`	list value	Indicate which headers are safe to expose to the API. Defaults to HTTP Simple Headers.
`max_age = 3600`	integer value	Maximum cache age of CORS preflight requests.

7.1.12. database

The following table outlines the options available under the [database] group in the /etc/ironic/ironic.conf file.

Table 7.12. database
Configuration option = Default value	Type	Description
`backend = sqlalchemy`	string value	The back end to use for the database.
`connection = None`	string value	The SQLAlchemy connection string to use to connect to the database.
`connection_debug = 0`	integer value	Verbosity of SQL debugging information: 0=None, 100=Everything.
`connection_recycle_time = 3600`	integer value	Connections which have been present in the connection pool longer than this number of seconds will be replaced with a new one the next time they are checked out from the pool.
`connection_trace = False`	boolean value	Add Python stack traces to SQL as comment strings.
`db_inc_retry_interval = True`	boolean value	If True, increases the interval between retries of a database operation up to db_max_retry_interval.
`db_max_retries = 20`	integer value	Maximum retries in case of connection error or deadlock error before error is raised. Set to -1 to specify an infinite retry count.
`db_max_retry_interval = 10`	integer value	If db_inc_retry_interval is set, the maximum seconds between retries of a database operation.
`db_retry_interval = 1`	integer value	Seconds between retries of a database transaction.
`max_overflow = 50`	integer value	If set, use this value for max_overflow with SQLAlchemy.
`max_pool_size = 5`	integer value	Maximum number of SQL connections to keep open in a pool. Setting a value of 0 indicates no limit.
`max_retries = 10`	integer value	Maximum number of database connection retries during startup. Set to -1 to specify an infinite retry count.
`min_pool_size = 1`	integer value	Minimum number of SQL connections to keep open in a pool.
`mysql_enable_ndb = False`	boolean value	If True, transparently enables support for handling MySQL Cluster (NDB).
`mysql_engine = InnoDB`	string value	MySQL engine to use.
`mysql_sql_mode = TRADITIONAL`	string value	The SQL mode to be used for MySQL sessions. This option, including the default, overrides any server-set SQL mode. To use whatever SQL mode is set by the server configuration, set this to no value. Example: mysql_sql_mode=
`pool_timeout = None`	integer value	If set, use this value for pool_timeout with SQLAlchemy.
`retry_interval = 10`	integer value	Interval between retries of opening a SQL connection.
`slave_connection = None`	string value	The SQLAlchemy connection string to use to connect to the slave database.
`sqlite_synchronous = True`	boolean value	If True, SQLite uses synchronous mode.
`use_db_reconnect = False`	boolean value	Enable the experimental use of database reconnect on connection lost.

7.1.13. deploy

The following table outlines the options available under the [deploy] group in the /etc/ironic/ironic.conf file.

Table 7.13. deploy
Configuration option = Default value	Type	Description
`configdrive_use_object_store = False`	boolean value	Whether to upload the config drive to object store. Set this option to True to store config drive in swift or radosgw.
`continue_if_disk_secure_erase_fails = False`	boolean value	Defines what to do if an ATA secure erase operation fails during cleaning in the Ironic Python Agent. If False, the cleaning operation will fail and the node will be put in `clean failed` state. If True, shred will be invoked and cleaning will continue.
`default_boot_option = None`	string value	Default boot option to use when no boot option is requested in node’s driver_info. Currently the default is "netboot", but it will be changed to "local" in the future. It is recommended to set an explicit value for this option.
`erase_devices_metadata_priority = None`	integer value	Priority to run in-band clean step that erases metadata from devices, via the Ironic Python Agent ramdisk. If unset, will use the priority set in the ramdisk (defaults to 99 for the GenericHardwareManager). If set to 0, will not run during cleaning.
`erase_devices_priority = None`	integer value	Priority to run in-band erase devices via the Ironic Python Agent ramdisk. If unset, will use the priority set in the ramdisk (defaults to 10 for the GenericHardwareManager). If set to 0, will not run during cleaning.
`http_root = /httpboot`	string value	ironic-conductor node’s HTTP root path.
`http_url = None`	string value	ironic-conductor node’s HTTP server URL. Example: http://192.1.2.3:8080
`object_store_endpoint_type = swift`	string value	Type of object store endpoint type to be used as a backend
`power_off_after_deploy_failure = True`	boolean value	Whether to power off a node after deploy failure. Defaults to True.
`shred_final_overwrite_with_zeros = True`	boolean value	Whether to write zeros to a node’s block devices after writing random data. This will write zeros to the device even when deploy.shred_random_overwrite_iterations is 0. This option is only used if a device could not be ATA Secure Erased. Defaults to True.
`shred_random_overwrite_iterations = 1`	integer value	During shred, overwrite all block devices N times with random data. This is only used if a device could not be ATA Secure Erased. Defaults to 1.

7.1.14. dhcp

The following table outlines the options available under the [dhcp] group in the /etc/ironic/ironic.conf file.

Table 7.14. dhcp
Configuration option = Default value	Type	Description
`dhcp_provider = neutron`	string value	DHCP provider to use. "neutron" uses Neutron, and "none" uses a no-op provider.

7.1.15. disk_partitioner

The following table outlines the options available under the [disk_partitioner] group in the /etc/ironic/ironic.conf file.

Table 7.15. disk_partitioner
Configuration option = Default value	Type	Description
`check_device_interval = 1`	integer value	After Ironic has completed creating the partition table, it continues to check for activity on the attached iSCSI device status at this interval prior to copying the image to the node, in seconds
`check_device_max_retries = 20`	integer value	The maximum number of times to check that the device is not accessed by another process. If the device is still busy after that, the disk partitioning will be treated as having failed.

7.1.16. disk_utils

The following table outlines the options available under the [disk_utils] group in the /etc/ironic/ironic.conf file.

Table 7.16. disk_utils
Configuration option = Default value	Type	Description
`bios_boot_partition_size = 1`	integer value	Size of BIOS Boot partition in MiB when configuring GPT partitioned systems for local boot in BIOS.
`dd_block_size = 1M`	string value	Block size to use when writing to the nodes disk.
`efi_system_partition_size = 200`	integer value	Size of EFI system partition in MiB when configuring UEFI systems for local boot.
`iscsi_verify_attempts = 3`	integer value	Maximum attempts to verify an iSCSI connection is active, sleeping 1 second between attempts.
`partprobe_attempts = 10`	integer value	Maximum number of attempts to try to read the partition.

7.1.17. drac

The following table outlines the options available under the [drac] group in the /etc/ironic/ironic.conf file.

Table 7.17. drac
Configuration option = Default value	Type	Description
`query_raid_config_job_status_interval = 120`	integer value	Interval (in seconds) between periodic RAID job status checks to determine whether the asynchronous RAID configuration was successfully finished or not.

7.1.18. glance

The following table outlines the options available under the [glance] group in the /etc/ironic/ironic.conf file.

Table 7.18. glance
Configuration option = Default value	Type	Description
`allowed_direct_url_schemes = []`	list value	A list of URL schemes that can be downloaded directly via the direct_url. Currently supported schemes: [file].
`auth-url = None`	string value	Authentication URL
`auth_strategy = keystone`	string value	Authentication strategy to use when connecting to glance.
`auth_type = None`	string value	Authentication type to load
`cafile = None`	string value	PEM encoded Certificate Authority to use when verifying HTTPs connections.
`certfile = None`	string value	PEM encoded client certificate cert file
`default-domain-id = None`	string value	Optional domain ID to use with v3 and v2 parameters. It will be used for both the user and project domain in v3 and ignored in v2 authentication.
`default-domain-name = None`	string value	Optional domain name to use with v3 API and v2 parameters. It will be used for both the user and project domain in v3 and ignored in v2 authentication.
`domain-id = None`	string value	Domain ID to scope to
`domain-name = None`	string value	Domain name to scope to
`endpoint-override = None`	string value	Always use this endpoint URL for requests for this client. NOTE: The unversioned endpoint should be specified here; to request a particular API version, use the `version`, `min-version`, and/or `max-version` options.
`glance_api_insecure = False`	boolean value	Allow to perform insecure SSL (https) requests to glance.
`glance_api_servers = None`	list value	A list of the glance api servers available to ironic. Prefix with https:// for SSL-based glance API servers. Format is [hostname\|IP]:port.
`glance_api_version = 2`	integer value	Glance API version (1 or 2) to use.
`glance_cafile = None`	string value	Optional path to a CA certificate bundle to be used to validate the SSL certificate served by glance. It is used when glance_api_insecure is set to False.
`glance_num_retries = 0`	integer value	Number of retries when downloading an image from glance.
`insecure = False`	boolean value	Verify HTTPS connections.
`keyfile = None`	string value	PEM encoded client certificate key file
`max-version = None`	string value	The maximum major version of a given API, intended to be used as the upper bound of a range with min_version. Mutually exclusive with version.
`min-version = None`	string value	The minimum major version of a given API, intended to be used as the lower bound of a range with max_version. Mutually exclusive with version. If min_version is given with no max_version it is as if max version is "latest".
`password = None`	string value	User’s password
`project-domain-id = None`	string value	Domain ID containing project
`project-domain-name = None`	string value	Domain name containing project
`project-id = None`	string value	Project ID to scope to
`project-name = None`	string value	Project name to scope to
`region-name = None`	string value	The default region_name for endpoint URL discovery.
`service-name = None`	string value	The default service_name for endpoint URL discovery.
`service-type = image`	string value	The default service_type for endpoint URL discovery.
`swift_account = None`	string value	The account that Glance uses to communicate with Swift. The format is "AUTH_uuid". "uuid" is the UUID for the account configured in the glance-api.conf. For example: "AUTH_a422b2-91f3-2f46-74b7-d7c9e8958f5d30". If not set, the default value is calculated based on the ID of the project used to access Swift (as set in the [swift] section). Swift temporary URL format: "endpoint_url/api_version/[account/]container/object_id"
`swift_api_version = v1`	string value	The Swift API version to create a temporary URL for. Defaults to "v1". Swift temporary URL format: "endpoint_url/api_version/[account/]container/object_id"
`swift_container = glance`	string value	The Swift container Glance is configured to store its images in. Defaults to "glance", which is the default in glance-api.conf. Swift temporary URL format: "endpoint_url/api_version/[account/]container/object_id"
`swift_endpoint_url = None`	string value	The "endpoint" (scheme, hostname, optional port) for the Swift URL of the form "endpoint_url/api_version/[account/]container/object_id". Do not include trailing "/". For example, use "https://swift.example.com". If using RADOS Gateway, endpoint may also contain /swift path; if it does not, it will be appended. Used for temporary URLs, will be fetched from the service catalog, if not provided.
`swift_store_multiple_containers_seed = 0`	integer value	This should match a config by the same name in the Glance configuration file. When set to 0, a single-tenant store will only use one container to store all images. When set to an integer value between 1 and 32, a single-tenant store will use multiple containers to store images, and this value will determine how many containers are created.
`swift_temp_url_cache_enabled = False`	boolean value	Whether to cache generated Swift temporary URLs. Setting it to true is only useful when an image caching proxy is used. Defaults to False.
`swift_temp_url_duration = 1200`	integer value	The length of time in seconds that the temporary URL will be valid for. Defaults to 20 minutes. If some deploys get a 401 response code when trying to download from the temporary URL, try raising this duration. This value must be greater than or equal to the value for swift_temp_url_expected_download_start_delay
`swift_temp_url_expected_download_start_delay = 0`	integer value	This is the delay (in seconds) from the time of the deploy request (when the Swift temporary URL is generated) to when the IPA ramdisk starts up and URL is used for the image download. This value is used to check if the Swift temporary URL duration is large enough to let the image download begin. Also if temporary URL caching is enabled this will determine if a cached entry will still be valid when the download starts. swift_temp_url_duration value must be greater than or equal to this option’s value. Defaults to 0.
`swift_temp_url_key = None`	string value	The secret token given to Swift to allow temporary URL downloads. Required for temporary URLs. For the Swift backend, the key on the service project (as set in the [swift] section) is used by default.
`system-scope = None`	string value	Scope for system operations
`tenant-id = None`	string value	Tenant ID
`tenant-name = None`	string value	Tenant Name
`timeout = None`	integer value	Timeout value for http requests
`trust-id = None`	string value	Trust ID
`user-domain-id = None`	string value	User’s domain id
`user-domain-name = None`	string value	User’s domain name
`user-id = None`	string value	User id
`username = None`	string value	Username
`valid-interfaces = [u'internal', u'public']`	list value	List of interfaces, in order of preference, for endpoint URL.
`version = None`	string value	Minimum Major API version within a given Major API version for endpoint URL discovery. Mutually exclusive with min_version and max_version

7.1.19. ilo

The following table outlines the options available under the [ilo] group in the /etc/ironic/ironic.conf file.

Table 7.19. ilo
Configuration option = Default value	Type	Description
`ca_file = None`	string value	CA certificate file to validate iLO.
`clean_priority_clear_secure_boot_keys = 0`	integer value	Priority for clear_secure_boot_keys clean step. This step is not enabled by default. It can be enabled to clear all secure boot keys enrolled with iLO.
`clean_priority_reset_bios_to_default = 10`	integer value	Priority for reset_bios_to_default clean step.
`clean_priority_reset_ilo = 0`	integer value	Priority for reset_ilo clean step.
`clean_priority_reset_ilo_credential = 30`	integer value	Priority for reset_ilo_credential clean step. This step requires "ilo_change_password" parameter to be updated in nodes’s driver_info with the new password.
`clean_priority_reset_secure_boot_keys_to_default = 20`	integer value	Priority for reset_secure_boot_keys clean step. This step will reset the secure boot keys to manufacturing defaults.
`client_port = 443`	port value	Port to be used for iLO operations
`client_timeout = 60`	integer value	Timeout (in seconds) for iLO operations
`default_boot_mode = auto`	string value	Default boot mode to be used in provisioning when "boot_mode" capability is not provided in the "properties/capabilities" of the node. The default is "auto" for backward compatibility. When "auto" is specified, default boot mode will be selected based on boot mode settings on the system.
`power_retry = 6`	integer value	Number of times a power operation needs to be retried
`power_wait = 2`	integer value	Amount of time in seconds to wait in between power operations
`swift_ilo_container = ironic_ilo_container`	string value	The Swift iLO container to store data.
`swift_object_expiry_timeout = 900`	integer value	Amount of time in seconds for Swift objects to auto-expire.
`use_web_server_for_images = False`	boolean value	Set this to True to use http web server to host floppy images and generated boot ISO. This requires http_root and http_url to be configured in the [deploy] section of the config file. If this is set to False, then Ironic will use Swift to host the floppy images and generated boot_iso.

7.1.20. inspector

The following table outlines the options available under the [inspector] group in the /etc/ironic/ironic.conf file.

Table 7.20. inspector
Configuration option = Default value	Type	Description
`auth-url = None`	string value	Authentication URL
`auth_type = None`	string value	Authentication type to load
`cafile = None`	string value	PEM encoded Certificate Authority to use when verifying HTTPs connections.
`certfile = None`	string value	PEM encoded client certificate cert file
`default-domain-id = None`	string value	Optional domain ID to use with v3 and v2 parameters. It will be used for both the user and project domain in v3 and ignored in v2 authentication.
`default-domain-name = None`	string value	Optional domain name to use with v3 API and v2 parameters. It will be used for both the user and project domain in v3 and ignored in v2 authentication.
`domain-id = None`	string value	Domain ID to scope to
`domain-name = None`	string value	Domain name to scope to
`enabled = False`	boolean value	whether to enable inspection using ironic-inspector. This option does not affect new-style dynamic drivers and the fake_inspector driver.
`endpoint-override = None`	string value	Always use this endpoint URL for requests for this client. NOTE: The unversioned endpoint should be specified here; to request a particular API version, use the `version`, `min-version`, and/or `max-version` options.
`insecure = False`	boolean value	Verify HTTPS connections.
`keyfile = None`	string value	PEM encoded client certificate key file
`max-version = None`	string value	The maximum major version of a given API, intended to be used as the upper bound of a range with min_version. Mutually exclusive with version.
`min-version = None`	string value	The minimum major version of a given API, intended to be used as the lower bound of a range with max_version. Mutually exclusive with version. If min_version is given with no max_version it is as if max version is "latest".
`password = None`	string value	User’s password
`project-domain-id = None`	string value	Domain ID containing project
`project-domain-name = None`	string value	Domain name containing project
`project-id = None`	string value	Project ID to scope to
`project-name = None`	string value	Project name to scope to
`region-name = None`	string value	The default region_name for endpoint URL discovery.
`service-name = None`	string value	The default service_name for endpoint URL discovery.
`service-type = baremetal-introspection`	string value	The default service_type for endpoint URL discovery.
`service_url = None`	string value	ironic-inspector HTTP endpoint. If this is not set, the service catalog will be used.
`status_check_period = 60`	integer value	period (in seconds) to check status of nodes on inspection
`system-scope = None`	string value	Scope for system operations
`tenant-id = None`	string value	Tenant ID
`tenant-name = None`	string value	Tenant Name
`timeout = None`	integer value	Timeout value for http requests
`trust-id = None`	string value	Trust ID
`user-domain-id = None`	string value	User’s domain id
`user-domain-name = None`	string value	User’s domain name
`user-id = None`	string value	User id
`username = None`	string value	Username
`valid-interfaces = [u'internal', u'public']`	list value	List of interfaces, in order of preference, for endpoint URL.
`version = None`	string value	Minimum Major API version within a given Major API version for endpoint URL discovery. Mutually exclusive with min_version and max_version

7.1.21. ipmi

The following table outlines the options available under the [ipmi] group in the /etc/ironic/ironic.conf file.

Table 7.21. ipmi
Configuration option = Default value	Type	Description
`command_retry_timeout = 60`	integer value	Maximum time in seconds to retry retryable IPMI operations. (An operation is retryable, for example, if the requested operation fails because the BMC is busy.) Setting this too high can cause the sync power state periodic task to hang when there are slow or unresponsive BMCs.
`min_command_interval = 5`	integer value	Minimum time, in seconds, between IPMI operations sent to a server. There is a risk with some hardware that setting this too low may cause the BMC to crash. Recommended setting is 5 seconds.
`retry_timeout = None`	integer value	Maximum time in seconds to retry IPMI operations. Setting this too high can cause the sync power state periodic task to hang when there are slow or unresponsive BMCs.

7.1.22. irmc

The following table outlines the options available under the [irmc] group in the /etc/ironic/ironic.conf file.

Table 7.22. irmc
Configuration option = Default value	Type	Description
`auth_method = basic`	string value	Authentication method to be used for iRMC operations
`clean_priority_restore_irmc_bios_config = 0`	integer value	Priority for restore_irmc_bios_config clean step.
`client_timeout = 60`	integer value	Timeout (in seconds) for iRMC operations
`gpu_ids = []`	list value	List of vendor IDs and device IDs for GPU device to inspect. List items are in format vendorID/deviceID and separated by commas. GPU inspection will use this value to count the number of GPU device in a node. If this option is not defined, then leave out pci_gpu_devices in capabilities property. Sample gpu_ids value: 0x1000/0x0079,0x2100/0x0080
`port = 443`	port value	Port to be used for iRMC operations
`remote_image_server = None`	string value	IP of remote image server
`remote_image_share_name = share`	string value	share name of remote_image_server
`remote_image_share_root = /remote_image_share_root`	string value	Ironic conductor node’s "NFS" or "CIFS" root path
`remote_image_share_type = CIFS`	string value	Share type of virtual media
`remote_image_user_domain = `	string value	Domain name of remote_image_user_name
`remote_image_user_name = None`	string value	User name of remote_image_server
`remote_image_user_password = None`	string value	Password of remote_image_user_name
`sensor_method = ipmitool`	string value	Sensor data retrieval method.
`snmp_community = public`	string value	SNMP community. Required for versions "v1" and "v2c"
`snmp_polling_interval = 10`	integer value	SNMP polling interval in seconds
`snmp_port = 161`	port value	SNMP port
`snmp_security = None`	string value	SNMP security name. Required for version "v3"
`snmp_version = v2c`	string value	SNMP protocol version

7.1.23. ironic_lib

The following table outlines the options available under the [ironic_lib] group in the /etc/ironic/ironic.conf file.

Table 7.23. ironic_lib
Configuration option = Default value	Type	Description
`root_helper = sudo ironic-rootwrap /etc/ironic/rootwrap.conf`	string value	Command that is prefixed to commands that are run as root. If not specified, no commands are run as root.

7.1.24. iscsi

The following table outlines the options available under the [iscsi] group in the /etc/ironic/ironic.conf file.

Table 7.24. iscsi
Configuration option = Default value	Type	Description
`portal_port = 3260`	port value	The port number on which the iSCSI portal listens for incoming connections.

7.1.25. keystone

The following table outlines the options available under the [keystone] group in the /etc/ironic/ironic.conf file.

Table 7.25. keystone
Configuration option = Default value	Type	Description
`region_name = None`	string value	The region used for getting endpoints of OpenStack services.

7.1.26. keystone_authtoken

The following table outlines the options available under the [keystone_authtoken] group in the /etc/ironic/ironic.conf file.

Table 7.26. keystone_authtoken
Configuration option = Default value	Type	Description
`auth_section = None`	string value	Config Section from which to load plugin specific options
`auth_type = None`	string value	Authentication type to load
`auth_uri = None`	string value	Complete "public" Identity API endpoint. This endpoint should not be an "admin" endpoint, as it should be accessible by all end users. Unauthenticated clients are redirected to this endpoint to authenticate. Although this endpoint should ideally be unversioned, client support in the wild varies. If you’re using a versioned v2 endpoint here, then this should not be the same endpoint the service user utilizes for validating tokens, because normal end users may not be able to reach that endpoint. This option is deprecated in favor of www_authenticate_uri and will be removed in the S release.
`auth_version = None`	string value	API version of the admin Identity API endpoint.
`cache = None`	string value	Request environment key where the Swift cache object is stored. When auth_token middleware is deployed with a Swift cache, use this option to have the middleware share a caching backend with swift. Otherwise, use the `memcached_servers` option instead.
`cafile = None`	string value	A PEM encoded Certificate Authority to use when verifying HTTPs connections. Defaults to system CAs.
`certfile = None`	string value	Required if identity server requires client certificate
`check_revocations_for_cached = False`	boolean value	If true, the revocation list will be checked for cached tokens. This requires that PKI tokens are configured on the identity server.
`delay_auth_decision = False`	boolean value	Do not handle authorization requests within the middleware, but delegate the authorization decision to downstream WSGI components.
`enforce_token_bind = permissive`	string value	Used to control the use and type of token binding. Can be set to: "disabled" to not check token binding. "permissive" (default) to validate binding information if the bind type is of a form known to the server and ignore it if not. "strict" like "permissive" but if the bind type is unknown the token will be rejected. "required" any form of token binding is needed to be allowed. Finally the name of a binding method that must be present in tokens.
`hash_algorithms = [u'md5']`	list value	Hash algorithms to use for hashing PKI tokens. This may be a single algorithm or multiple. The algorithms are those supported by Python standard hashlib.new(). The hashes will be tried in the order given, so put the preferred one first for performance. The result of the first hash will be stored in the cache. This will typically be set to multiple values only while migrating from a less secure algorithm to a more secure one. Once all the old tokens are expired this option should be set to a single value for better performance.
`http_connect_timeout = None`	integer value	Request timeout value for communicating with Identity API server.
`http_request_max_retries = 3`	integer value	How many times are we trying to reconnect when communicating with Identity API Server.
`include_service_catalog = True`	boolean value	(Optional) Indicate whether to set the X-Service-Catalog header. If False, middleware will not ask for service catalog on token validation and will not set the X-Service-Catalog header.
`insecure = False`	boolean value	Verify HTTPS connections.
`keyfile = None`	string value	Required if identity server requires client certificate
`memcache_pool_conn_get_timeout = 10`	integer value	(Optional) Number of seconds that an operation will wait to get a memcached client connection from the pool.
`memcache_pool_dead_retry = 300`	integer value	(Optional) Number of seconds memcached server is considered dead before it is tried again.
`memcache_pool_maxsize = 10`	integer value	(Optional) Maximum total number of open connections to every memcached server.
`memcache_pool_socket_timeout = 3`	integer value	(Optional) Socket timeout in seconds for communicating with a memcached server.
`memcache_pool_unused_timeout = 60`	integer value	(Optional) Number of seconds a connection to memcached is held unused in the pool before it is closed.
`memcache_secret_key = None`	string value	(Optional, mandatory if memcache_security_strategy is defined) This string is used for key derivation.
`memcache_security_strategy = None`	string value	(Optional) If defined, indicate whether token data should be authenticated or authenticated and encrypted. If MAC, token data is authenticated (with HMAC) in the cache. If ENCRYPT, token data is encrypted and authenticated in the cache. If the value is not one of these options or empty, auth_token will raise an exception on initialization.
`memcache_use_advanced_pool = False`	boolean value	(Optional) Use the advanced (eventlet safe) memcached client pool. The advanced pool will only work under python 2.x.
`memcached_servers = None`	list value	Optionally specify a list of memcached server(s) to use for caching. If left undefined, tokens will instead be cached in-process.
`region_name = None`	string value	The region in which the identity server can be found.
`revocation_cache_time = 10`	integer value	Determines the frequency at which the list of revoked tokens is retrieved from the Identity service (in seconds). A high number of revocation events combined with a low cache duration may significantly reduce performance. Only valid for PKI tokens. This option has been deprecated in the Ocata release and will be removed in the P release.
`service_token_roles = [u'service']`	list value	A choice of roles that must be present in a service token. Service tokens are allowed to request that an expired token can be used and so this check should tightly control that only actual services should be sending this token. Roles here are applied as an ANY check so any role in this list must be present. For backwards compatibility reasons this currently only affects the allow_expired check.
`service_token_roles_required = False`	boolean value	For backwards compatibility reasons we must let valid service tokens pass that don’t pass the service_token_roles check as valid. Setting this true will become the default in a future release and should be enabled if possible.
`signing_dir = None`	string value	Directory used to cache files related to PKI tokens. This option has been deprecated in the Ocata release and will be removed in the P release.
`token_cache_time = 300`	integer value	In order to prevent excessive effort spent validating tokens, the middleware caches previously-seen tokens for a configurable duration (in seconds). Set to -1 to disable caching completely.
`www_authenticate_uri = None`	string value	Complete "public" Identity API endpoint. This endpoint should not be an "admin" endpoint, as it should be accessible by all end users. Unauthenticated clients are redirected to this endpoint to authenticate. Although this endpoint should ideally be unversioned, client support in the wild varies. If you’re using a versioned v2 endpoint here, then this should not be the same endpoint the service user utilizes for validating tokens, because normal end users may not be able to reach that endpoint.

7.1.27. matchmaker_redis

The following table outlines the options available under the [matchmaker_redis] group in the /etc/ironic/ironic.conf file.

Table 7.27. matchmaker_redis
Configuration option = Default value	Type	Description
`check_timeout = 20000`	integer value	Time in ms to wait before the transaction is killed.
`host = 127.0.0.1`	string value	Host to locate redis.
`password = `	string value	Password for Redis server (optional).
`port = 6379`	port value	Use this port to connect to redis host.
`sentinel_group_name = oslo-messaging-zeromq`	string value	Redis replica set name.
`sentinel_hosts = []`	list value	List of Redis Sentinel hosts (fault tolerance mode), e.g., [host:port, host1:port … ]
`socket_timeout = 10000`	integer value	Timeout in ms on blocking socket operations.
`wait_timeout = 2000`	integer value	Time in ms to wait between connection attempts.

7.1.28. metrics

The following table outlines the options available under the [metrics] group in the /etc/ironic/ironic.conf file.

Table 7.28. metrics
Configuration option = Default value	Type	Description
`agent_backend = noop`	string value	Backend for the agent ramdisk to use for metrics. Default possible backends are "noop" and "statsd".
`agent_global_prefix = None`	string value	Prefix all metric names sent by the agent ramdisk with this value. The format of metric names is [global_prefix.][uuid.][host_name.]prefix.metric_name.
`agent_prepend_host = False`	boolean value	Prepend the hostname to all metric names sent by the agent ramdisk. The format of metric names is [global_prefix.][uuid.][host_name.]prefix.metric_name.
`agent_prepend_host_reverse = True`	boolean value	Split the prepended host value by "." and reverse it for metrics sent by the agent ramdisk (to better match the reverse hierarchical form of domain names).
`agent_prepend_uuid = False`	boolean value	Prepend the node’s Ironic uuid to all metric names sent by the agent ramdisk. The format of metric names is [global_prefix.][uuid.][host_name.]prefix.metric_name.
`backend = noop`	string value	Backend to use for the metrics system.
`global_prefix = None`	string value	Prefix all metric names with this value. By default, there is no global prefix. The format of metric names is [global_prefix.][host_name.]prefix.metric_name.
`prepend_host = False`	boolean value	Prepend the hostname to all metric names. The format of metric names is [global_prefix.][host_name.]prefix.metric_name.
`prepend_host_reverse = True`	boolean value	Split the prepended host value by "." and reverse it (to better match the reverse hierarchical form of domain names).

7.1.29. metrics_statsd

The following table outlines the options available under the [metrics_statsd] group in the /etc/ironic/ironic.conf file.

Table 7.29. metrics_statsd
Configuration option = Default value	Type	Description
`agent_statsd_host = localhost`	string value	Host for the agent ramdisk to use with the statsd backend. This must be accessible from networks the agent is booted on.
`agent_statsd_port = 8125`	port value	Port for the agent ramdisk to use with the statsd backend.
`statsd_host = localhost`	string value	Host for use with the statsd backend.
`statsd_port = 8125`	port value	Port to use with the statsd backend.

7.1.30. neutron

The following table outlines the options available under the [neutron] group in the /etc/ironic/ironic.conf file.

Table 7.30. neutron
Configuration option = Default value	Type	Description
`auth-url = None`	string value	Authentication URL
`auth_strategy = keystone`	string value	Authentication strategy to use when connecting to neutron. Running neutron in noauth mode (related to but not affected by this setting) is insecure and should only be used for testing.
`auth_type = None`	string value	Authentication type to load
`cafile = None`	string value	PEM encoded Certificate Authority to use when verifying HTTPs connections.
`certfile = None`	string value	PEM encoded client certificate cert file
`cleaning_network = None`	string value	Neutron network UUID or name for the ramdisk to be booted into for cleaning nodes. Required for "neutron" network interface. It is also required if cleaning nodes when using "flat" network interface or "neutron" DHCP provider. If a name is provided, it must be unique among all networks or cleaning will fail.
`cleaning_network_security_groups = []`	list value	List of Neutron Security Group UUIDs to be applied during cleaning of the nodes. Optional for the "neutron" network interface and not used for the "flat" or "noop" network interfaces. If not specified, default security group is used.
`default-domain-id = None`	string value	Optional domain ID to use with v3 and v2 parameters. It will be used for both the user and project domain in v3 and ignored in v2 authentication.
`default-domain-name = None`	string value	Optional domain name to use with v3 API and v2 parameters. It will be used for both the user and project domain in v3 and ignored in v2 authentication.
`domain-id = None`	string value	Domain ID to scope to
`domain-name = None`	string value	Domain name to scope to
`endpoint-override = None`	string value	Always use this endpoint URL for requests for this client. NOTE: The unversioned endpoint should be specified here; to request a particular API version, use the `version`, `min-version`, and/or `max-version` options.
`insecure = False`	boolean value	Verify HTTPS connections.
`keyfile = None`	string value	PEM encoded client certificate key file
`max-version = None`	string value	The maximum major version of a given API, intended to be used as the upper bound of a range with min_version. Mutually exclusive with version.
`min-version = None`	string value	The minimum major version of a given API, intended to be used as the lower bound of a range with max_version. Mutually exclusive with version. If min_version is given with no max_version it is as if max version is "latest".
`password = None`	string value	User’s password
`port_setup_delay = 0`	integer value	Delay value to wait for Neutron agents to setup sufficient DHCP configuration for port.
`project-domain-id = None`	string value	Domain ID containing project
`project-domain-name = None`	string value	Domain name containing project
`project-id = None`	string value	Project ID to scope to
`project-name = None`	string value	Project name to scope to
`provisioning_network = None`	string value	Neutron network UUID or name for the ramdisk to be booted into for provisioning nodes. Required for "neutron" network interface. If a name is provided, it must be unique among all networks or deploy will fail.
`provisioning_network_security_groups = []`	list value	List of Neutron Security Group UUIDs to be applied during provisioning of the nodes. Optional for the "neutron" network interface and not used for the "flat" or "noop" network interfaces. If not specified, default security group is used.
`region-name = None`	string value	The default region_name for endpoint URL discovery.
`rescuing_network = None`	string value	Neutron network UUID or name for booting the ramdisk for rescue mode. This is not the network that the rescue ramdisk will use post-boot — the tenant network is used for that. Required for "neutron" network interface, if rescue mode will be used. It is not used for the "flat" or "noop" network interfaces. If a name is provided, it must be unique among all networks or rescue will fail.
`rescuing_network_security_groups = []`	list value	List of Neutron Security Group UUIDs to be applied during the node rescue process. Optional for the "neutron" network interface and not used for the "flat" or "noop" network interfaces. If not specified, the default security group is used.
`retries = 3`	integer value	Client retries in the case of a failed request.
`service-name = None`	string value	The default service_name for endpoint URL discovery.
`service-type = network`	string value	The default service_type for endpoint URL discovery.
`system-scope = None`	string value	Scope for system operations
`tenant-id = None`	string value	Tenant ID
`tenant-name = None`	string value	Tenant Name
`timeout = None`	integer value	Timeout value for http requests
`trust-id = None`	string value	Trust ID
`url = None`	string value	URL for connecting to neutron. Default value translates to http://$my_ip:9696 when auth_strategy is noauth, and to discovery from Keystone catalog when auth_strategy is keystone.
`url_timeout = 30`	integer value	Timeout value for connecting to neutron in seconds.
`user-domain-id = None`	string value	User’s domain id
`user-domain-name = None`	string value	User’s domain name
`user-id = None`	string value	User id
`username = None`	string value	Username
`valid-interfaces = [u'internal', u'public']`	list value	List of interfaces, in order of preference, for endpoint URL.
`version = None`	string value	Minimum Major API version within a given Major API version for endpoint URL discovery. Mutually exclusive with min_version and max_version

7.1.31. oneview

The following table outlines the options available under the [oneview] group in the /etc/ironic/ironic.conf file.

Table 7.31. oneview
Configuration option = Default value	Type	Description
`allow_insecure_connections = False`	boolean value	Option to allow insecure connection with OneView.
`enable_periodic_tasks = True`	boolean value	Whether to enable the periodic tasks for OneView driver be aware when OneView hardware resources are taken and released by Ironic or OneView users and proactively manage nodes in clean fail state according to Dynamic Allocation model of hardware resources allocation in OneView.
`manager_url = None`	string value	URL where OneView is available.
`password = None`	string value	OneView password to be used.
`periodic_check_interval = 300`	integer value	Period (in seconds) for periodic tasks to be executed when enable_periodic_tasks=True.
`tls_cacert_file = None`	string value	Path to CA certificate.
`username = None`	string value	OneView username to be used.

7.1.32. oslo_concurrency

The following table outlines the options available under the [oslo_concurrency] group in the /etc/ironic/ironic.conf file.

Table 7.32. oslo_concurrency
Configuration option = Default value	Type	Description
`disable_process_locking = False`	boolean value	Enables or disables inter-process locks.
`lock_path = None`	string value	Directory to use for lock files. For security, the specified directory should only be writable by the user running the processes that need locking. Defaults to environment variable OSLO_LOCK_PATH. If external locks are used, a lock path must be set.

7.1.33. oslo_messaging_amqp

The following table outlines the options available under the [oslo_messaging_amqp] group in the /etc/ironic/ironic.conf file.

Table 7.33. oslo_messaging_amqp
Configuration option = Default value	Type	Description
`addressing_mode = dynamic`	string value	Indicates the addressing mode used by the driver. Permitted values: legacy - use legacy non-routable addressing routable - use routable addresses dynamic - use legacy addresses if the message bus does not support routing otherwise use routable addressing
`allow_insecure_clients = False`	boolean value	Accept clients using either SSL or plain TCP
`anycast_address = anycast`	string value	Appended to the address prefix when sending to a group of consumers. Used by the message bus to identify messages that should be delivered in a round-robin fashion across consumers.
`broadcast_prefix = broadcast`	string value	address prefix used when broadcasting to all servers
`connection_retry_backoff = 2`	integer value	Increase the connection_retry_interval by this many seconds after each unsuccessful failover attempt.
`connection_retry_interval = 1`	integer value	Seconds to pause before attempting to re-connect.
`connection_retry_interval_max = 30`	integer value	Maximum limit for connection_retry_interval + connection_retry_backoff
`container_name = None`	string value	Name for the AMQP container. must be globally unique. Defaults to a generated UUID
`default_notification_exchange = None`	string value	Exchange name used in notification addresses. Exchange name resolution precedence: Target.exchange if set else default_notification_exchange if set else control_exchange if set else notify
`default_notify_timeout = 30`	integer value	The deadline for a sent notification message delivery. Only used when caller does not provide a timeout expiry.
`default_reply_retry = 0`	integer value	The maximum number of attempts to re-send a reply message which failed due to a recoverable error.
`default_reply_timeout = 30`	integer value	The deadline for an rpc reply message delivery.
`default_rpc_exchange = None`	string value	Exchange name used in RPC addresses. Exchange name resolution precedence: Target.exchange if set else default_rpc_exchange if set else control_exchange if set else rpc
`default_send_timeout = 30`	integer value	The deadline for an rpc cast or call message delivery. Only used when caller does not provide a timeout expiry.
`default_sender_link_timeout = 600`	integer value	The duration to schedule a purge of idle sender links. Detach link after expiry.
`group_request_prefix = unicast`	string value	address prefix when sending to any server in group
`idle_timeout = 0`	integer value	Timeout for inactive connections (in seconds)
`link_retry_delay = 10`	integer value	Time to pause between re-connecting an AMQP 1.0 link that failed due to a recoverable error.
`multicast_address = multicast`	string value	Appended to the address prefix when sending a fanout message. Used by the message bus to identify fanout messages.
`notify_address_prefix = openstack.org/om/notify`	string value	Address prefix for all generated Notification addresses
`notify_server_credit = 100`	integer value	Window size for incoming Notification messages
`password = `	string value	Password for message broker authentication
`pre_settled = [u'rpc-cast', u'rpc-reply']`	multi valued	Send messages of this type pre-settled. Pre-settled messages will not receive acknowledgement from the peer. Note well: pre-settled messages may be silently discarded if the delivery fails. Permitted values: rpc-call - send RPC Calls pre-settled rpc-reply- send RPC Replies pre-settled rpc-cast - Send RPC Casts pre-settled notify - Send Notifications pre-settled
`pseudo_vhost = True`	boolean value	Enable virtual host support for those message buses that do not natively support virtual hosting (such as qpidd). When set to true the virtual host name will be added to all message bus addresses, effectively creating a private subnet per virtual host. Set to False if the message bus supports virtual hosting using the hostname field in the AMQP 1.0 Open performative as the name of the virtual host.
`reply_link_credit = 200`	integer value	Window size for incoming RPC Reply messages.
`rpc_address_prefix = openstack.org/om/rpc`	string value	Address prefix for all generated RPC addresses
`rpc_server_credit = 100`	integer value	Window size for incoming RPC Request messages
`sasl_config_dir = `	string value	Path to directory that contains the SASL configuration
`sasl_config_name = `	string value	Name of configuration file (without .conf suffix)
`sasl_default_realm = `	string value	SASL realm to use if no realm present in username
`sasl_mechanisms = `	string value	Space separated list of acceptable SASL mechanisms
`server_request_prefix = exclusive`	string value	address prefix used when sending to a specific server
`ssl = False`	boolean value	Attempt to connect via SSL. If no other ssl-related parameters are given, it will use the system’s CA-bundle to verify the server’s certificate.
`ssl_ca_file = `	string value	CA certificate PEM file used to verify the server’s certificate
`ssl_cert_file = `	string value	Self-identifying certificate PEM file for client authentication
`ssl_key_file = `	string value	Private key PEM file used to sign ssl_cert_file certificate (optional)
`ssl_key_password = None`	string value	Password for decrypting ssl_key_file (if encrypted)
`ssl_verify_vhost = False`	boolean value	By default SSL checks that the name in the server’s certificate matches the hostname in the transport_url. In some configurations it may be preferable to use the virtual hostname instead, for example if the server uses the Server Name Indication TLS extension (rfc6066) to provide a certificate per virtual host. Set ssl_verify_vhost to True if the server’s SSL certificate uses the virtual host name instead of the DNS name.
`trace = False`	boolean value	Debug: dump AMQP frames to stdout
`unicast_address = unicast`	string value	Appended to the address prefix when sending to a particular RPC/Notification server. Used by the message bus to identify messages sent to a single destination.
`username = `	string value	User name for message broker authentication

7.1.34. oslo_messaging_kafka

The following table outlines the options available under the [oslo_messaging_kafka] group in the /etc/ironic/ironic.conf file.

Table 7.34. oslo_messaging_kafka
Configuration option = Default value	Type	Description
`conn_pool_min_size = 2`	integer value	The pool size limit for connections expiration policy
`conn_pool_ttl = 1200`	integer value	The time-to-live in sec of idle connections in the pool
`consumer_group = oslo_messaging_consumer`	string value	Group id for Kafka consumer. Consumers in one group will coordinate message consumption
`kafka_consumer_timeout = 1.0`	floating point value	Default timeout(s) for Kafka consumers
`kafka_default_host = localhost`	string value	Default Kafka broker Host
`kafka_default_port = 9092`	port value	Default Kafka broker Port
`kafka_max_fetch_bytes = 1048576`	integer value	Max fetch bytes of Kafka consumer
`pool_size = 10`	integer value	Pool Size for Kafka Consumers
`producer_batch_size = 16384`	integer value	Size of batch for the producer async send
`producer_batch_timeout = 0.0`	floating point value	Upper bound on the delay for KafkaProducer batching in seconds

7.1.35. oslo_messaging_notifications

The following table outlines the options available under the [oslo_messaging_notifications] group in the /etc/ironic/ironic.conf file.

Table 7.35. oslo_messaging_notifications
Configuration option = Default value	Type	Description
`driver = []`	multi valued	The Drivers(s) to handle sending notifications. Possible values are messaging, messagingv2, routing, log, test, noop
`retry = -1`	integer value	The maximum number of attempts to re-send a notification message which failed to be delivered due to a recoverable error. 0 - No retry, -1 - indefinite
`topics = [u'notifications']`	list value	AMQP topic used for OpenStack notifications.
`transport_url = None`	string value	A URL representing the messaging driver to use for notifications. If not set, we fall back to the same configuration used for RPC.

7.1.36. oslo_messaging_rabbit

The following table outlines the options available under the [oslo_messaging_rabbit] group in the /etc/ironic/ironic.conf file.

Table 7.36. oslo_messaging_rabbit
Configuration option = Default value	Type	Description
`amqp_auto_delete = False`	boolean value	Auto-delete queues in AMQP.
`amqp_durable_queues = False`	boolean value	Use durable queues in AMQP.
`channel_max = None`	integer value	Maximum number of channels to allow
`connection_factory = single`	string value	Connection factory implementation
`default_notification_exchange = ${control_exchange}_notification`	string value	Exchange name for sending notifications
`default_notification_retry_attempts = -1`	integer value	Reconnecting retry count in case of connectivity problem during sending notification, -1 means infinite retry.
`default_rpc_exchange = ${control_exchange}_rpc`	string value	Exchange name for sending RPC messages
`default_rpc_retry_attempts = -1`	integer value	Reconnecting retry count in case of connectivity problem during sending RPC message, -1 means infinite retry. If actual retry attempts in not 0 the rpc request could be processed more than one time
`default_serializer_type = json`	string value	Default serialization mechanism for serializing/deserializing outgoing/incoming messages
`fake_rabbit = False`	boolean value	Deprecated, use rpc_backend=kombu+memory or rpc_backend=fake
`frame_max = None`	integer value	The maximum byte size for an AMQP frame
`heartbeat_interval = 3`	integer value	How often to send heartbeats for consumer’s connections
`heartbeat_rate = 2`	integer value	How often times during the heartbeat_timeout_threshold we check the heartbeat.
`heartbeat_timeout_threshold = 60`	integer value	Number of seconds after which the Rabbit broker is considered down if heartbeat’s keep-alive fails (0 disable the heartbeat). EXPERIMENTAL
`host_connection_reconnect_delay = 0.25`	floating point value	Set delay for reconnection to some host which has connection error
`kombu_compression = None`	string value	EXPERIMENTAL: Possible values are: gzip, bz2. If not set compression will not be used. This option may not be available in future versions.
`kombu_failover_strategy = round-robin`	string value	Determines how the next RabbitMQ node is chosen in case the one we are currently connected to becomes unavailable. Takes effect only if more than one RabbitMQ node is provided in config.
`kombu_missing_consumer_retry_timeout = 60`	integer value	How long to wait a missing client before abandoning to send it its replies. This value should not be longer than rpc_response_timeout.
`kombu_reconnect_delay = 1.0`	floating point value	How long to wait before reconnecting in response to an AMQP consumer cancel notification.
`notification_listener_prefetch_count = 100`	integer value	Max number of not acknowledged message which RabbitMQ can send to notification listener.
`notification_persistence = False`	boolean value	Persist notification messages.
`notification_retry_delay = 0.25`	floating point value	Reconnecting retry delay in case of connectivity problem during sending notification message
`pool_max_overflow = 0`	integer value	Maximum number of connections to create above `pool_max_size`.
`pool_max_size = 30`	integer value	Maximum number of connections to keep queued.
`pool_recycle = 600`	integer value	Lifetime of a connection (since creation) in seconds or None for no recycling. Expired connections are closed on acquire.
`pool_stale = 60`	integer value	Threshold at which inactive (since release) connections are considered stale in seconds or None for no staleness. Stale connections are closed on acquire.
`pool_timeout = 30`	integer value	Default number of seconds to wait for a connections to available
`rabbit_ha_queues = False`	boolean value	Try to use HA queues in RabbitMQ (x-ha-policy: all). If you change this option, you must wipe the RabbitMQ database. In RabbitMQ 3.0, queue mirroring is no longer controlled by the x-ha-policy argument when declaring a queue. If you just want to make sure that all queues (except those with auto-generated names) are mirrored across all nodes, run: "rabbitmqctl set_policy HA ^(?!amq\.).* {"ha-mode": "all"} "
`rabbit_host = localhost`	string value	The RabbitMQ broker address where a single node is used.
`rabbit_hosts = [u'$rabbit_host:$rabbit_port']`	list value	RabbitMQ HA cluster host:port pairs.
`rabbit_interval_max = 30`	integer value	Maximum interval of RabbitMQ connection retries. Default is 30 seconds.
`rabbit_login_method = AMQPLAIN`	string value	The RabbitMQ login method.
`rabbit_max_retries = 0`	integer value	Maximum number of RabbitMQ connection retries. Default is 0 (infinite retry count).
`rabbit_password = guest`	string value	The RabbitMQ password.
`rabbit_port = 5672`	port value	The RabbitMQ broker port where a single node is used.
`rabbit_qos_prefetch_count = 0`	integer value	Specifies the number of messages to prefetch. Setting to zero allows unlimited messages.
`rabbit_retry_backoff = 2`	integer value	How long to backoff for between retries when connecting to RabbitMQ.
`rabbit_retry_interval = 1`	integer value	How frequently to retry connecting with RabbitMQ.
`rabbit_transient_queues_ttl = 1800`	integer value	Positive integer representing duration in seconds for queue TTL (x-expires). Queues which are unused for the duration of the TTL are automatically deleted. The parameter affects only reply and fanout queues.
`rabbit_userid = guest`	string value	The RabbitMQ userid.
`rabbit_virtual_host = /`	string value	The RabbitMQ virtual host.
`rpc_listener_prefetch_count = 100`	integer value	Max number of not acknowledged message which RabbitMQ can send to rpc listener.
`rpc_queue_expiration = 60`	integer value	Time to live for rpc queues without consumers in seconds.
`rpc_reply_exchange = ${control_exchange}_rpc_reply`	string value	Exchange name for receiving RPC replies
`rpc_reply_listener_prefetch_count = 100`	integer value	Max number of not acknowledged message which RabbitMQ can send to rpc reply listener.
`rpc_reply_retry_attempts = -1`	integer value	Reconnecting retry count in case of connectivity problem during sending reply. -1 means infinite retry during rpc_timeout
`rpc_reply_retry_delay = 0.25`	floating point value	Reconnecting retry delay in case of connectivity problem during sending reply.
`rpc_retry_delay = 0.25`	floating point value	Reconnecting retry delay in case of connectivity problem during sending RPC message
`socket_timeout = 0.25`	floating point value	Set socket timeout in seconds for connection’s socket
`ssl = None`	boolean value	Enable SSL
`ssl_ca_file = `	string value	SSL certification authority file (valid only if SSL enabled).
`ssl_cert_file = `	string value	SSL cert file (valid only if SSL enabled).
`ssl_key_file = `	string value	SSL key file (valid only if SSL enabled).
`ssl_options = None`	dict value	Arguments passed to ssl.wrap_socket
`ssl_version = `	string value	SSL version to use (valid only if SSL enabled). Valid values are TLSv1 and SSLv23. SSLv2, SSLv3, TLSv1_1, and TLSv1_2 may be available on some distributions.
`tcp_user_timeout = 0.25`	floating point value	Set TCP_USER_TIMEOUT in seconds for connection’s socket

7.1.37. oslo_messaging_zmq

The following table outlines the options available under the [oslo_messaging_zmq] group in the /etc/ironic/ironic.conf file.

Table 7.37. oslo_messaging_zmq
Configuration option = Default value	Type	Description
`rpc_ack_timeout_base = 15`	integer value	Number of seconds to wait for an ack from a cast/call. After each retry attempt this timeout is multiplied by some specified multiplier.
`rpc_ack_timeout_multiplier = 2`	integer value	Number to multiply base ack timeout by after each retry attempt.
`rpc_message_ttl = 300`	integer value	Expiration timeout in seconds of a sent/received message after which it is not tracked anymore by a client/server.
`rpc_poll_timeout = 1`	integer value	The default number of seconds that poll should wait. Poll raises timeout exception when timeout expired.
`rpc_retry_attempts = 3`	integer value	Default number of message sending attempts in case of any problems occurred: positive value N means at most N retries, 0 means no retries, None or -1 (or any other negative values) mean to retry forever. This option is used only if acknowledgments are enabled.
`rpc_thread_pool_size = 100`	integer value	Maximum number of (green) threads to work concurrently.
`rpc_use_acks = False`	boolean value	Wait for message acknowledgements from receivers. This mechanism works only via proxy without PUB/SUB.
`rpc_zmq_bind_address = *`	string value	ZeroMQ bind address. Should be a wildcard (*), an ethernet interface, or IP. The "host" option should point or resolve to this address.
`rpc_zmq_bind_port_retries = 100`	integer value	Number of retries to find free port number before fail with ZMQBindError.
`rpc_zmq_contexts = 1`	integer value	Number of ZeroMQ contexts, defaults to 1.
`rpc_zmq_host = ccsosp-undercloud.usersys.redhat.com`	string value	Name of this node. Must be a valid hostname, FQDN, or IP address. Must match "host" option, if running Nova.
`rpc_zmq_ipc_dir = /var/run/openstack`	string value	Directory for holding IPC sockets.
`rpc_zmq_matchmaker = redis`	string value	MatchMaker driver.
`rpc_zmq_max_port = 65536`	integer value	Maximal port number for random ports range.
`rpc_zmq_min_port = 49153`	port value	Minimal port number for random ports range.
`rpc_zmq_serialization = json`	string value	Default serialization mechanism for serializing/deserializing outgoing/incoming messages
`rpc_zmq_topic_backlog = None`	integer value	Maximum number of ingress messages to locally buffer per topic. Default is unlimited.
`subscribe_on = []`	list value	List of publisher hosts SubConsumer can subscribe on. This option has higher priority then the default publishers list taken from the matchmaker.
`use_dynamic_connections = False`	boolean value	This option makes direct connections dynamic or static. It makes sense only with use_router_proxy=False which means to use direct connections for direct message types (ignored otherwise).
`use_pub_sub = False`	boolean value	Use PUB/SUB pattern for fanout methods. PUB/SUB always uses proxy.
`use_router_proxy = False`	boolean value	Use ROUTER remote proxy.
`zmq_failover_connections = 2`	integer value	How many additional connections to a host will be made for failover reasons. This option is actual only in dynamic connections mode.
`zmq_immediate = True`	boolean value	This option configures round-robin mode in zmq socket. True means not keeping a queue when server side disconnects. False means to keep queue and messages even if server is disconnected, when the server appears we send all accumulated messages to it.
`zmq_linger = -1`	integer value	Number of seconds to wait before all pending messages will be sent after closing a socket. The default value of -1 specifies an infinite linger period. The value of 0 specifies no linger period. Pending messages shall be discarded immediately when the socket is closed. Positive values specify an upper bound for the linger period.
`zmq_target_expire = 300`	integer value	Expiration timeout in seconds of a name service record about existing target ( < 0 means no timeout).
`zmq_target_update = 180`	integer value	Update period in seconds of a name service record about existing target.
`zmq_tcp_keepalive = -1`	integer value	Enable/disable TCP keepalive (KA) mechanism. The default value of -1 (or any other negative value) means to skip any overrides and leave it to OS default; 0 and 1 (or any other positive value) mean to disable and enable the option respectively.
`zmq_tcp_keepalive_cnt = -1`	integer value	The number of retransmissions to be carried out before declaring that remote end is not available. The default value of -1 (or any other negative value and 0) means to skip any overrides and leave it to OS default.
`zmq_tcp_keepalive_idle = -1`	integer value	The duration between two keepalive transmissions in idle condition. The unit is platform dependent, for example, seconds in Linux, milliseconds in Windows etc. The default value of -1 (or any other negative value and 0) means to skip any overrides and leave it to OS default.
`zmq_tcp_keepalive_intvl = -1`	integer value	The duration between two successive keepalive retransmissions, if acknowledgement to the previous keepalive transmission is not received. The unit is platform dependent, for example, seconds in Linux, milliseconds in Windows etc. The default value of -1 (or any other negative value and 0) means to skip any overrides and leave it to OS default.

7.1.38. oslo_policy

The following table outlines the options available under the [oslo_policy] group in the /etc/ironic/ironic.conf file.

Table 7.38. oslo_policy
Configuration option = Default value	Type	Description
`enforce_scope = False`	boolean value	This option controls whether or not to enforce scope when evaluating policies. If `True`, the scope of the token used in the request is compared to the `scope_types` of the policy being enforced. If the scopes do not match, an `InvalidScope` exception will be raised. If `False`, a message will be logged informing operators that policies are being invoked with mismatching scope.
`policy_default_rule = default`	string value	Default rule. Enforced when a requested rule is not found.
`policy_dirs = [u'policy.d']`	multi valued	Directories where policy configuration files are stored. They can be relative to any directory in the search path defined by the config_dir option, or absolute paths. The file defined by policy_file must exist for these directories to be searched. Missing or empty directories are ignored.
`policy_file = policy.json`	string value	The file that defines policies.
`remote_content_type = application/x-www-form-urlencoded`	string value	Content Type to send and receive data for REST based policy check
`remote_ssl_ca_crt_file = None`	string value	Absolute path to ca cert file for REST based policy check
`remote_ssl_client_crt_file = None`	string value	Absolute path to client cert for REST based policy check
`remote_ssl_client_key_file = None`	string value	Absolute path client key file REST based policy check
`remote_ssl_verify_server_crt = False`	boolean value	server identity verification for REST based policy check

7.1.39. profiler

The following table outlines the options available under the [profiler] group in the /etc/ironic/ironic.conf file.

Table 7.39. profiler
Configuration option = Default value	Type	Description
`connection_string = messaging://`	string value	Connection string for a notifier backend. Default value is messaging:// which sets the notifier to oslo_messaging. Examples of possible values: messaging://: use oslo_messaging driver for sending notifications. mongodb://127.0.0.1:27017 : use mongodb driver for sending notifications. elasticsearch://127.0.0.1:9200 : use elasticsearch driver for sending notifications.
`enabled = False`	boolean value	Enables the profiling for all services on this node. Default value is False (fully disable the profiling feature). Possible values: True: Enables the feature False: Disables the feature. The profiling cannot be started via this project operations. If the profiling is triggered by another project, this project part will be empty.
`es_doc_type = notification`	string value	Document type for notification indexing in elasticsearch.
`es_scroll_size = 10000`	integer value	Elasticsearch splits large requests in batches. This parameter defines maximum size of each batch (for example: es_scroll_size=10000).
`es_scroll_time = 2m`	string value	This parameter is a time value parameter (for example: es_scroll_time=2m), indicating for how long the nodes that participate in the search will maintain relevant resources in order to continue and support it.
`hmac_keys = SECRET_KEY`	string value	Secret key(s) to use for encrypting context data for performance profiling. This string value should have the following format: <key1>[,<key2>,…<keyn>], where each key is some random string. A user who triggers the profiling via the REST API has to set one of these keys in the headers of the REST API call to include profiling results of this node for this particular project. Both "enabled" flag and "hmac_keys" config options should be set to enable profiling. Also, to generate correct profiling information across all services at least one key needs to be consistent between OpenStack projects. This ensures it can be used from client side to generate the trace, containing information from all possible resources.
`sentinel_service_name = mymaster`	string value	Redissentinel uses a service name to identify a master redis service. This parameter defines the name (for example: sentinal_service_name=mymaster).
`socket_timeout = 0.1`	floating point value	Redissentinel provides a timeout option on the connections. This parameter defines that timeout (for example: socket_timeout=0.1).
`trace_sqlalchemy = False`	boolean value	Enables SQL requests profiling in services. Default value is False (SQL requests won’t be traced). Possible values: True: Enables SQL requests profiling. Each SQL query will be part of the trace and can the be analyzed by how much time was spent for that. False: Disables SQL requests profiling. The spent time is only shown on a higher level of operations. Single SQL queries cannot be analyzed this way.

7.1.40. pxe

The following table outlines the options available under the [pxe] group in the /etc/ironic/ironic.conf file.

Table 7.40. pxe
Configuration option = Default value	Type	Description
`default_ephemeral_format = ext4`	string value	Default file system format for ephemeral partition, if one is created.
`dir_permission = None`	integer value	The permission that will be applied to the TFTP folders upon creation. This should be set to the permission such that the tftpserver has access to read the contents of the configured TFTP folder. This setting is only required when the operating system’s umask is restrictive such that ironic-conductor is creating files that cannot be read by the TFTP server. Setting to <None> will result in the operating system’s umask to be utilized for the creation of new tftp folders. It is recommended that an octal representation is specified. For example: 0o755
`image_cache_size = 20480`	integer value	Maximum size (in MiB) of cache for master images, including those in use.
`image_cache_ttl = 10080`	integer value	Maximum TTL (in minutes) for old master images in cache.
`images_path = /var/lib/ironic/images/`	string value	On the ironic-conductor node, directory where images are stored on disk.
`instance_master_path = /var/lib/ironic/master_images`	string value	On the ironic-conductor node, directory where master instance images are stored on disk. Setting to the empty string disables image caching.
`ip_version = 4`	string value	The IP version that will be used for PXE booting. Defaults to 4. EXPERIMENTAL
`ipxe_boot_script = $pybasedir/drivers/modules/boot.ipxe`	string value	On ironic-conductor node, the path to the main iPXE script file.
`ipxe_enabled = False`	boolean value	Enable iPXE boot.
`ipxe_timeout = 0`	integer value	Timeout value (in seconds) for downloading an image via iPXE. Defaults to 0 (no timeout)
`ipxe_use_swift = False`	boolean value	Download deploy and rescue images directly from swift using temporary URLs. If set to false (default), images are downloaded to the ironic-conductor node and served over its local HTTP server. Applicable only when ipxe_enabled option is set to true.
`pxe_append_params = nofb nomodeset vga=normal`	string value	Additional append parameters for baremetal PXE boot.
`pxe_bootfile_name = pxelinux.0`	string value	Bootfile DHCP parameter.
`pxe_bootfile_name_by_arch = {}`	dict value	Bootfile DHCP parameter per node architecture. For example: aarch64:grubaa64.efi
`pxe_config_template = $pybasedir/drivers/modules/pxe_config.template`	string value	On ironic-conductor node, template file for PXE configuration.
`pxe_config_template_by_arch = {}`	dict value	On ironic-conductor node, template file for PXE configuration per node architecture. For example: aarch64:/opt/share/grubaa64_pxe_config.template
`tftp_master_path = /tftpboot/master_images`	string value	On ironic-conductor node, directory where master TFTP images are stored on disk. Setting to <None> disables image caching.
`tftp_root = /tftpboot`	string value	ironic-conductor node’s TFTP root path. The ironic-conductor must have read/write access to this path.
`tftp_server = $my_ip`	string value	IP address of ironic-conductor node’s TFTP server.
`uefi_pxe_bootfile_name = bootx64.efi`	string value	Bootfile DHCP parameter for UEFI boot mode.
`uefi_pxe_config_template = $pybasedir/drivers/modules/pxe_grub_config.template`	string value	On ironic-conductor node, template file for PXE configuration for UEFI boot loader.

7.1.41. service_catalog

The following table outlines the options available under the [service_catalog] group in the /etc/ironic/ironic.conf file.

Table 7.41. service_catalog
Configuration option = Default value	Type	Description
`auth-url = None`	string value	Authentication URL
`auth_type = None`	string value	Authentication type to load
`cafile = None`	string value	PEM encoded Certificate Authority to use when verifying HTTPs connections.
`certfile = None`	string value	PEM encoded client certificate cert file
`default-domain-id = None`	string value	Optional domain ID to use with v3 and v2 parameters. It will be used for both the user and project domain in v3 and ignored in v2 authentication.
`default-domain-name = None`	string value	Optional domain name to use with v3 API and v2 parameters. It will be used for both the user and project domain in v3 and ignored in v2 authentication.
`domain-id = None`	string value	Domain ID to scope to
`domain-name = None`	string value	Domain name to scope to
`endpoint-override = None`	string value	Always use this endpoint URL for requests for this client. NOTE: The unversioned endpoint should be specified here; to request a particular API version, use the `version`, `min-version`, and/or `max-version` options.
`insecure = False`	boolean value	Verify HTTPS connections.
`keyfile = None`	string value	PEM encoded client certificate key file
`max-version = None`	string value	The maximum major version of a given API, intended to be used as the upper bound of a range with min_version. Mutually exclusive with version.
`min-version = None`	string value	The minimum major version of a given API, intended to be used as the lower bound of a range with max_version. Mutually exclusive with version. If min_version is given with no max_version it is as if max version is "latest".
`password = None`	string value	User’s password
`project-domain-id = None`	string value	Domain ID containing project
`project-domain-name = None`	string value	Domain name containing project
`project-id = None`	string value	Project ID to scope to
`project-name = None`	string value	Project name to scope to
`region-name = None`	string value	The default region_name for endpoint URL discovery.
`service-name = None`	string value	The default service_name for endpoint URL discovery.
`service-type = baremetal`	string value	The default service_type for endpoint URL discovery.
`system-scope = None`	string value	Scope for system operations
`tenant-id = None`	string value	Tenant ID
`tenant-name = None`	string value	Tenant Name
`timeout = None`	integer value	Timeout value for http requests
`trust-id = None`	string value	Trust ID
`user-domain-id = None`	string value	User’s domain id
`user-domain-name = None`	string value	User’s domain name
`user-id = None`	string value	User id
`username = None`	string value	Username
`valid-interfaces = [u'internal', u'public']`	list value	List of interfaces, in order of preference, for endpoint URL.
`version = None`	string value	Minimum Major API version within a given Major API version for endpoint URL discovery. Mutually exclusive with min_version and max_version

7.1.42. snmp

The following table outlines the options available under the [snmp] group in the /etc/ironic/ironic.conf file.

Table 7.42. snmp
Configuration option = Default value	Type	Description
`power_timeout = 10`	integer value	Seconds to wait for power action to be completed
`reboot_delay = 0`	integer value	Time (in seconds) to sleep between when rebooting (powering off and on again)
`udp_transport_retries = 5`	integer value	Maximum number of UDP request retries, 0 means no retries.
`udp_transport_timeout = 1.0`	floating point value	Response timeout in seconds used for UDP transport. Timeout should be a multiple of 0.5 seconds and is applicable to each retry.

7.1.43. ssl

The following table outlines the options available under the [ssl] group in the /etc/ironic/ironic.conf file.

Table 7.43. ssl
Configuration option = Default value	Type	Description
`ca_file = None`	string value	CA certificate file to use to verify connecting clients.
`cert_file = None`	string value	Certificate file to use when starting the server securely.
`ciphers = None`	string value	Sets the list of available ciphers. value should be a string in the OpenSSL cipher list format.
`key_file = None`	string value	Private key file to use when starting the server securely.
`version = None`	string value	SSL version to use (valid only if SSL enabled). Valid values are TLSv1 and SSLv23. SSLv2, SSLv3, TLSv1_1, and TLSv1_2 may be available on some distributions.

7.1.44. swift

The following table outlines the options available under the [swift] group in the /etc/ironic/ironic.conf file.

Table 7.44. swift
Configuration option = Default value	Type	Description
`auth-url = None`	string value	Authentication URL
`auth_type = None`	string value	Authentication type to load
`cafile = None`	string value	PEM encoded Certificate Authority to use when verifying HTTPs connections.
`certfile = None`	string value	PEM encoded client certificate cert file
`default-domain-id = None`	string value	Optional domain ID to use with v3 and v2 parameters. It will be used for both the user and project domain in v3 and ignored in v2 authentication.
`default-domain-name = None`	string value	Optional domain name to use with v3 API and v2 parameters. It will be used for both the user and project domain in v3 and ignored in v2 authentication.
`domain-id = None`	string value	Domain ID to scope to
`domain-name = None`	string value	Domain name to scope to
`endpoint-override = None`	string value	Always use this endpoint URL for requests for this client. NOTE: The unversioned endpoint should be specified here; to request a particular API version, use the `version`, `min-version`, and/or `max-version` options.
`insecure = False`	boolean value	Verify HTTPS connections.
`keyfile = None`	string value	PEM encoded client certificate key file
`max-version = None`	string value	The maximum major version of a given API, intended to be used as the upper bound of a range with min_version. Mutually exclusive with version.
`min-version = None`	string value	The minimum major version of a given API, intended to be used as the lower bound of a range with max_version. Mutually exclusive with version. If min_version is given with no max_version it is as if max version is "latest".
`password = None`	string value	User’s password
`project-domain-id = None`	string value	Domain ID containing project
`project-domain-name = None`	string value	Domain name containing project
`project-id = None`	string value	Project ID to scope to
`project-name = None`	string value	Project name to scope to
`region-name = None`	string value	The default region_name for endpoint URL discovery.
`service-name = None`	string value	The default service_name for endpoint URL discovery.
`service-type = object-store`	string value	The default service_type for endpoint URL discovery.
`swift_max_retries = 2`	integer value	Maximum number of times to retry a Swift request, before failing.
`system-scope = None`	string value	Scope for system operations
`tenant-id = None`	string value	Tenant ID
`tenant-name = None`	string value	Tenant Name
`timeout = None`	integer value	Timeout value for http requests
`trust-id = None`	string value	Trust ID
`user-domain-id = None`	string value	User’s domain id
`user-domain-name = None`	string value	User’s domain name
`user-id = None`	string value	User id
`username = None`	string value	Username
`valid-interfaces = [u'internal', u'public']`	list value	List of interfaces, in order of preference, for endpoint URL.
`version = None`	string value	Minimum Major API version within a given Major API version for endpoint URL discovery. Mutually exclusive with min_version and max_version

7.1.45. xclarity

The following table outlines the options available under the [xclarity] group in the /etc/ironic/ironic.conf file.

Table 7.45. xclarity
Configuration option = Default value	Type	Description
`manager_ip = None`	string value	IP address of XClarity controller.
`password = None`	string value	Password for XClarity controller username.
`port = 443`	port value	Port to be used for XClarity operations.
`username = None`	string value	Username to access the XClarity controller.

Chapter 8. ironic-inspector

The following chapter contains information about the configuration options in the ironic-inspector service.

8.1. inspector.conf

This section contains options for the /etc/ironic-inspector/inspector.conf file.

8.1.1. DEFAULT

The following table outlines the options available under the [DEFAULT] group in the /etc/ironic-inspector/inspector.conf file.

Table 8.1. DEFAULT
Configuration option = Default value	Type	Description
`api_max_limit = 1000`	integer value	Limit the number of elements an API list-call returns
`auth_strategy = keystone`	string value	Authentication method used on the ironic-inspector API. Either "noauth" or "keystone" are currently valid options. "noauth" will disable all authentication.
`clean_up_period = 60`	integer value	Amount of time in seconds, after which repeat clean up of timed out nodes and old nodes status information.
`debug = False`	boolean value	If set to true, the logging level will be set to DEBUG instead of the default INFO level.
`default_log_levels = [u'sqlalchemy=WARNING', u'iso8601=WARNING', u'requests=WARNING', u'urllib3.connectionpool=WARNING', u'keystonemiddleware=WARNING', u'swiftclient=WARNING', u'keystoneauth=WARNING', u'ironicclient=WARNING']`	list value	List of package logging levels in logger=LEVEL pairs. This option is ignored if log_config_append is set.
`fatal_deprecations = False`	boolean value	Enables or disables fatal status of deprecations.
`instance_format = [instance: %(uuid)s] `	string value	The format for an instance that is passed with the log message.
`instance_uuid_format = [instance: %(uuid)s] `	string value	The format for an instance UUID that is passed with the log message.
`introspection_delay = 5`	integer value	Delay (in seconds) between two introspections.
`ipmi_address_fields = [u'ilo_address', u'drac_host', u'drac_address', u'cimc_address']`	list value	Ironic driver_info fields that are equivalent to ipmi_address.
`listen_address = 0.0.0.0`	string value	IP to listen on.
`listen_port = 5050`	port value	Port to listen on.
`log-config-append = None`	string value	The name of a logging configuration file. This file is appended to any existing logging configuration files. For details about logging configuration files, see the Python logging module documentation. Note that when logging configuration files are used then all logging configuration is set in the configuration file and other logging configuration options are ignored (for example, logging_context_format_string).
`log-date-format = %Y-%m-%d %H:%M:%S`	string value	Defines the format string for %%(asctime)s in log records. Default: %(default)s . This option is ignored if log_config_append is set.
`log-dir = None`	string value	(Optional) The base directory used for relative log_file paths. This option is ignored if log_config_append is set.
`log-file = None`	string value	(Optional) Name of log file to send logging output to. If no default is set, logging will go to stderr as defined by use_stderr. This option is ignored if log_config_append is set.
`logging_context_format_string = %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [%(request_id)s %(user_identity)s] %(instance)s%(message)s`	string value	Format string to use for log messages with context.
`logging_debug_format_suffix = %(funcName)s %(pathname)s:%(lineno)d`	string value	Additional data to append to log message when logging level for the message is DEBUG.
`logging_default_format_string = %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [-] %(instance)s%(message)s`	string value	Format string to use for log messages when context is undefined.
`logging_exception_prefix = %(asctime)s.%(msecs)03d %(process)d ERROR %(name)s %(instance)s`	string value	Prefix each line of exception output with this format.
`logging_user_identity_format = %(user)s %(tenant)s %(domain)s %(user_domain)s %(project_domain)s`	string value	Defines the format string for %(user_identity)s that is used in logging_context_format_string.
`max_concurrency = 1000`	integer value	The green thread pool size.
`node_status_keep_time = 0`	integer value	For how much time (in seconds) to keep status information about nodes after introspection was finished for them. Set to 0 (the default) to disable the timeout.
`publish_errors = False`	boolean value	Enables or disables publication of error events.
`rate_limit_burst = 0`	integer value	Maximum number of logged messages per rate_limit_interval.
`rate_limit_except_level = CRITICAL`	string value	Log level name used by rate limiting: CRITICAL, ERROR, INFO, WARNING, DEBUG or empty string. Logs with level greater or equal to rate_limit_except_level are not filtered. An empty string means that all levels are filtered.
`rate_limit_interval = 0`	integer value	Interval, number of seconds, of log rate limiting.
`rootwrap_config = /etc/ironic-inspector/rootwrap.conf`	string value	Path to the rootwrap configuration file to use for running commands as root
`ssl_cert_path = `	string value	Path to SSL certificate
`ssl_key_path = `	string value	Path to SSL key
`syslog-log-facility = LOG_USER`	string value	Syslog facility to receive log lines. This option is ignored if log_config_append is set.
`timeout = 3600`	integer value	Timeout after which introspection is considered failed, set to 0 to disable.
`use-journal = False`	boolean value	Enable journald for logging. If running in a systemd environment you may wish to enable journal support. Doing so will use the journal native protocol which includes structured metadata in addition to log messages.This option is ignored if log_config_append is set.
`use-json = False`	boolean value	Use JSON formatting for logging. This option is ignored if log_config_append is set.
`use-syslog = False`	boolean value	Use syslog for logging. Existing syslog format is DEPRECATED and will be changed later to honor RFC5424. This option is ignored if log_config_append is set.
`use_ssl = False`	boolean value	SSL Enabled/Disabled
`use_stderr = False`	boolean value	Log output to standard error. This option is ignored if log_config_append is set.
`watch-log-file = False`	boolean value	Uses logging handler designed to watch file system. When log file is moved or removed this handler will open a new log file with specified path instantaneously. It makes sense only if log_file option is specified and Linux platform is used. This option is ignored if log_config_append is set.

8.1.2. capabilities

The following table outlines the options available under the [capabilities] group in the /etc/ironic-inspector/inspector.conf file.

Table 8.2. capabilities
Configuration option = Default value	Type	Description
`boot_mode = False`	boolean value	Whether to store the boot mode (BIOS or UEFI).
`cpu_flags = {u'aes': u'cpu_aes', u'svm': u'cpu_vt', u'pdpe1gb': u'cpu_hugepages_1g', u'smx': u'cpu_txt', u'pse': u'cpu_hugepages', u'vmx': u'cpu_vt'}`	dict value	Mapping between a CPU flag and a capability to set if this flag is present.

8.1.3. cors

The following table outlines the options available under the [cors] group in the /etc/ironic-inspector/inspector.conf file.

Table 8.3. cors
Configuration option = Default value	Type	Description
`allow_credentials = True`	boolean value	Indicate that the actual request can include user credentials
`allow_headers = [u'X-Auth-Token', u'X-OpenStack-Ironic-Inspector-API-Minimum-Version', u'X-OpenStack-Ironic-Inspector-API-Maximum-Version', u'X-OpenStack-Ironic-Inspector-API-Version']`	list value	Indicate which header field names may be used during the actual request.
`allow_methods = [u'GET', u'POST', u'PUT', u'HEAD', u'PATCH', u'DELETE', u'OPTIONS']`	list value	Indicate which methods can be used during the actual request.
`allowed_origin = None`	list value	Indicate whether this resource may be shared with the domain received in the requests "origin" header. Format: "<protocol>://<host>[:<port>]", no trailing slash. Example: https://horizon.example.com
`expose_headers = []`	list value	Indicate which headers are safe to expose to the API. Defaults to HTTP Simple Headers.
`max_age = 3600`	integer value	Maximum cache age of CORS preflight requests.

8.1.4. database

The following table outlines the options available under the [database] group in the /etc/ironic-inspector/inspector.conf file.

Table 8.4. database
Configuration option = Default value	Type	Description
`backend = sqlalchemy`	string value	The back end to use for the database.
`connection = None`	string value	The SQLAlchemy connection string to use to connect to the database.
`connection_debug = 0`	integer value	Verbosity of SQL debugging information: 0=None, 100=Everything.
`connection_recycle_time = 3600`	integer value	Connections which have been present in the connection pool longer than this number of seconds will be replaced with a new one the next time they are checked out from the pool.
`connection_trace = False`	boolean value	Add Python stack traces to SQL as comment strings.
`db_inc_retry_interval = True`	boolean value	If True, increases the interval between retries of a database operation up to db_max_retry_interval.
`db_max_retries = 20`	integer value	Maximum retries in case of connection error or deadlock error before error is raised. Set to -1 to specify an infinite retry count.
`db_max_retry_interval = 10`	integer value	If db_inc_retry_interval is set, the maximum seconds between retries of a database operation.
`db_retry_interval = 1`	integer value	Seconds between retries of a database transaction.
`max_overflow = 50`	integer value	If set, use this value for max_overflow with SQLAlchemy.
`max_pool_size = 5`	integer value	Maximum number of SQL connections to keep open in a pool. Setting a value of 0 indicates no limit.
`max_retries = 10`	integer value	Maximum number of database connection retries during startup. Set to -1 to specify an infinite retry count.
`min_pool_size = 1`	integer value	Minimum number of SQL connections to keep open in a pool.
`mysql_enable_ndb = False`	boolean value	If True, transparently enables support for handling MySQL Cluster (NDB).
`mysql_sql_mode = TRADITIONAL`	string value	The SQL mode to be used for MySQL sessions. This option, including the default, overrides any server-set SQL mode. To use whatever SQL mode is set by the server configuration, set this to no value. Example: mysql_sql_mode=
`pool_timeout = None`	integer value	If set, use this value for pool_timeout with SQLAlchemy.
`retry_interval = 10`	integer value	Interval between retries of opening a SQL connection.
`slave_connection = None`	string value	The SQLAlchemy connection string to use to connect to the slave database.
`sqlite_synchronous = True`	boolean value	If True, SQLite uses synchronous mode.
`use_db_reconnect = False`	boolean value	Enable the experimental use of database reconnect on connection lost.

8.1.5. discovery

The following table outlines the options available under the [discovery] group in the /etc/ironic-inspector/inspector.conf file.

Table 8.5. discovery
Configuration option = Default value	Type	Description
`enroll_node_driver = fake`	string value	The name of the Ironic driver used by the enroll hook when creating a new node in Ironic.

8.1.6. dnsmasq_pxe_filter

The following table outlines the options available under the [dnsmasq_pxe_filter] group in the /etc/ironic-inspector/inspector.conf file.

Table 8.6. dnsmasq_pxe_filter
Configuration option = Default value	Type	Description
`dhcp_hostsdir = /var/lib/ironic-inspector/dhcp-hostsdir`	string value	The MAC address cache directory, exposed to dnsmasq.This directory is expected to be in exclusive control of the driver.
`dnsmasq_start_command = `	string value	A (shell) command line to start the dnsmasq service upon filter initialization. Default: don’t start.
`dnsmasq_stop_command = `	string value	A (shell) command line to stop the dnsmasq service upon inspector (error) exit. Default: don’t stop.
`purge_dhcp_hostsdir = True`	boolean value	Purge the hostsdir upon driver initialization. Setting to false should only be performed when the deployment of inspector is such that there are multiple processes executing inside of the same host and namespace. In this case, the Operator is responsible for setting up a custom cleaning facility.

8.1.7. iptables

The following table outlines the options available under the [iptables] group in the /etc/ironic-inspector/inspector.conf file.

Table 8.7. iptables
Configuration option = Default value	Type	Description
`dnsmasq_interface = br-ctlplane`	string value	Interface on which dnsmasq listens, the default is for VM’s.
`ethoib_interfaces = []`	list value	List of Etherent Over InfiniBand interfaces on the Inspector host which are used for physical access to the DHCP network. Multiple interfaces would be attached to a bond or bridge specified in dnsmasq_interface. The MACs of the InfiniBand nodes which are not in desired state are going to be blacklisted based on the list of neighbor MACs on these interfaces.
`firewall_chain = ironic-inspector`	string value	iptables chain name to use.
`manage_firewall = True`	boolean value	Whether to manage firewall rules for PXE port. This configuration option was deprecated in favor of the `driver` option in the `pxe_filter` section. Please, use the `noop` filter driver to disable the firewall filtering or the `iptables` filter driver to enable it.

8.1.8. ironic

The following table outlines the options available under the [ironic] group in the /etc/ironic-inspector/inspector.conf file.

Table 8.8. ironic
Configuration option = Default value	Type	Description
`auth-url = None`	string value	Authentication URL
`auth_strategy = keystone`	string value	Method to use for authentication: noauth or keystone.
`auth_type = None`	string value	Authentication type to load
`cafile = None`	string value	PEM encoded Certificate Authority to use when verifying HTTPs connections.
`certfile = None`	string value	PEM encoded client certificate cert file
`default-domain-id = None`	string value	Optional domain ID to use with v3 and v2 parameters. It will be used for both the user and project domain in v3 and ignored in v2 authentication.
`default-domain-name = None`	string value	Optional domain name to use with v3 API and v2 parameters. It will be used for both the user and project domain in v3 and ignored in v2 authentication.
`domain-id = None`	string value	Domain ID to scope to
`domain-name = None`	string value	Domain name to scope to
`endpoint-override = None`	string value	Always use this endpoint URL for requests for this client. NOTE: The unversioned endpoint should be specified here; to request a particular API version, use the `version`, `min-version`, and/or `max-version` options.
`insecure = False`	boolean value	Verify HTTPS connections.
`ironic_url = http://localhost:6385/`	string value	Ironic API URL, used to set Ironic API URL when auth_strategy option is noauth or auth_type is "none" to work with standalone Ironic without keystone.
`keyfile = None`	string value	PEM encoded client certificate key file
`max-version = None`	string value	The maximum major version of a given API, intended to be used as the upper bound of a range with min_version. Mutually exclusive with version.
`max_retries = 30`	integer value	Maximum number of retries in case of conflict error (HTTP 409).
`min-version = None`	string value	The minimum major version of a given API, intended to be used as the lower bound of a range with max_version. Mutually exclusive with version. If min_version is given with no max_version it is as if max version is "latest".
`os_endpoint_type = internalURL`	string value	Ironic endpoint type.
`os_region = None`	string value	Keystone region used to get Ironic endpoints.
`os_service_type = baremetal`	string value	Ironic service type.
`password = None`	string value	User’s password
`project-domain-id = None`	string value	Domain ID containing project
`project-domain-name = None`	string value	Domain name containing project
`project-id = None`	string value	Project ID to scope to
`project-name = None`	string value	Project name to scope to
`region-name = None`	string value	The default region_name for endpoint URL discovery.
`retry_interval = 2`	integer value	Interval between retries in case of conflict error (HTTP 409).
`service-name = None`	string value	The default service_name for endpoint URL discovery.
`service-type = baremetal`	string value	The default service_type for endpoint URL discovery.
`system-scope = None`	string value	Scope for system operations
`tenant-id = None`	string value	Tenant ID
`tenant-name = None`	string value	Tenant Name
`timeout = None`	integer value	Timeout value for http requests
`trust-id = None`	string value	Trust ID
`user-domain-id = None`	string value	User’s domain id
`user-domain-name = None`	string value	User’s domain name
`user-id = None`	string value	User id
`username = None`	string value	Username
`valid-interfaces = [u'internal', u'public']`	list value	List of interfaces, in order of preference, for endpoint URL.
`version = None`	string value	Minimum Major API version within a given Major API version for endpoint URL discovery. Mutually exclusive with min_version and max_version

8.1.9. keystone_authtoken

The following table outlines the options available under the [keystone_authtoken] group in the /etc/ironic-inspector/inspector.conf file.

Table 8.9. keystone_authtoken
Configuration option = Default value	Type	Description
`auth_section = None`	string value	Config Section from which to load plugin specific options
`auth_type = None`	string value	Authentication type to load
`auth_uri = None`	string value	Complete "public" Identity API endpoint. This endpoint should not be an "admin" endpoint, as it should be accessible by all end users. Unauthenticated clients are redirected to this endpoint to authenticate. Although this endpoint should ideally be unversioned, client support in the wild varies. If you’re using a versioned v2 endpoint here, then this should not be the same endpoint the service user utilizes for validating tokens, because normal end users may not be able to reach that endpoint. This option is deprecated in favor of www_authenticate_uri and will be removed in the S release.
`auth_version = None`	string value	API version of the admin Identity API endpoint.
`cache = None`	string value	Request environment key where the Swift cache object is stored. When auth_token middleware is deployed with a Swift cache, use this option to have the middleware share a caching backend with swift. Otherwise, use the `memcached_servers` option instead.
`cafile = None`	string value	A PEM encoded Certificate Authority to use when verifying HTTPs connections. Defaults to system CAs.
`certfile = None`	string value	Required if identity server requires client certificate
`check_revocations_for_cached = False`	boolean value	If true, the revocation list will be checked for cached tokens. This requires that PKI tokens are configured on the identity server.
`delay_auth_decision = False`	boolean value	Do not handle authorization requests within the middleware, but delegate the authorization decision to downstream WSGI components.
`enforce_token_bind = permissive`	string value	Used to control the use and type of token binding. Can be set to: "disabled" to not check token binding. "permissive" (default) to validate binding information if the bind type is of a form known to the server and ignore it if not. "strict" like "permissive" but if the bind type is unknown the token will be rejected. "required" any form of token binding is needed to be allowed. Finally the name of a binding method that must be present in tokens.
`hash_algorithms = [u'md5']`	list value	Hash algorithms to use for hashing PKI tokens. This may be a single algorithm or multiple. The algorithms are those supported by Python standard hashlib.new(). The hashes will be tried in the order given, so put the preferred one first for performance. The result of the first hash will be stored in the cache. This will typically be set to multiple values only while migrating from a less secure algorithm to a more secure one. Once all the old tokens are expired this option should be set to a single value for better performance.
`http_connect_timeout = None`	integer value	Request timeout value for communicating with Identity API server.
`http_request_max_retries = 3`	integer value	How many times are we trying to reconnect when communicating with Identity API Server.
`include_service_catalog = True`	boolean value	(Optional) Indicate whether to set the X-Service-Catalog header. If False, middleware will not ask for service catalog on token validation and will not set the X-Service-Catalog header.
`insecure = False`	boolean value	Verify HTTPS connections.
`keyfile = None`	string value	Required if identity server requires client certificate
`memcache_pool_conn_get_timeout = 10`	integer value	(Optional) Number of seconds that an operation will wait to get a memcached client connection from the pool.
`memcache_pool_dead_retry = 300`	integer value	(Optional) Number of seconds memcached server is considered dead before it is tried again.
`memcache_pool_maxsize = 10`	integer value	(Optional) Maximum total number of open connections to every memcached server.
`memcache_pool_socket_timeout = 3`	integer value	(Optional) Socket timeout in seconds for communicating with a memcached server.
`memcache_pool_unused_timeout = 60`	integer value	(Optional) Number of seconds a connection to memcached is held unused in the pool before it is closed.
`memcache_secret_key = None`	string value	(Optional, mandatory if memcache_security_strategy is defined) This string is used for key derivation.
`memcache_security_strategy = None`	string value	(Optional) If defined, indicate whether token data should be authenticated or authenticated and encrypted. If MAC, token data is authenticated (with HMAC) in the cache. If ENCRYPT, token data is encrypted and authenticated in the cache. If the value is not one of these options or empty, auth_token will raise an exception on initialization.
`memcache_use_advanced_pool = False`	boolean value	(Optional) Use the advanced (eventlet safe) memcached client pool. The advanced pool will only work under python 2.x.
`memcached_servers = None`	list value	Optionally specify a list of memcached server(s) to use for caching. If left undefined, tokens will instead be cached in-process.
`region_name = None`	string value	The region in which the identity server can be found.
`revocation_cache_time = 10`	integer value	Determines the frequency at which the list of revoked tokens is retrieved from the Identity service (in seconds). A high number of revocation events combined with a low cache duration may significantly reduce performance. Only valid for PKI tokens. This option has been deprecated in the Ocata release and will be removed in the P release.
`service_token_roles = [u'service']`	list value	A choice of roles that must be present in a service token. Service tokens are allowed to request that an expired token can be used and so this check should tightly control that only actual services should be sending this token. Roles here are applied as an ANY check so any role in this list must be present. For backwards compatibility reasons this currently only affects the allow_expired check.
`service_token_roles_required = False`	boolean value	For backwards compatibility reasons we must let valid service tokens pass that don’t pass the service_token_roles check as valid. Setting this true will become the default in a future release and should be enabled if possible.
`signing_dir = None`	string value	Directory used to cache files related to PKI tokens. This option has been deprecated in the Ocata release and will be removed in the P release.
`token_cache_time = 300`	integer value	In order to prevent excessive effort spent validating tokens, the middleware caches previously-seen tokens for a configurable duration (in seconds). Set to -1 to disable caching completely.
`www_authenticate_uri = None`	string value	Complete "public" Identity API endpoint. This endpoint should not be an "admin" endpoint, as it should be accessible by all end users. Unauthenticated clients are redirected to this endpoint to authenticate. Although this endpoint should ideally be unversioned, client support in the wild varies. If you’re using a versioned v2 endpoint here, then this should not be the same endpoint the service user utilizes for validating tokens, because normal end users may not be able to reach that endpoint.

8.1.10. oslo_policy

The following table outlines the options available under the [oslo_policy] group in the /etc/ironic-inspector/inspector.conf file.

Table 8.10. oslo_policy
Configuration option = Default value	Type	Description
`enforce_scope = False`	boolean value	This option controls whether or not to enforce scope when evaluating policies. If `True`, the scope of the token used in the request is compared to the `scope_types` of the policy being enforced. If the scopes do not match, an `InvalidScope` exception will be raised. If `False`, a message will be logged informing operators that policies are being invoked with mismatching scope.
`policy_default_rule = default`	string value	Default rule. Enforced when a requested rule is not found.
`policy_dirs = [u'policy.d']`	multi valued	Directories where policy configuration files are stored. They can be relative to any directory in the search path defined by the config_dir option, or absolute paths. The file defined by policy_file must exist for these directories to be searched. Missing or empty directories are ignored.
`policy_file = policy.json`	string value	The file that defines policies.
`remote_content_type = application/x-www-form-urlencoded`	string value	Content Type to send and receive data for REST based policy check
`remote_ssl_ca_crt_file = None`	string value	Absolute path to ca cert file for REST based policy check
`remote_ssl_client_crt_file = None`	string value	Absolute path to client cert for REST based policy check
`remote_ssl_client_key_file = None`	string value	Absolute path client key file REST based policy check
`remote_ssl_verify_server_crt = False`	boolean value	server identity verification for REST based policy check

8.1.11. pci_devices

The following table outlines the options available under the [pci_devices] group in the /etc/ironic-inspector/inspector.conf file.

Table 8.11. pci_devices
Configuration option = Default value	Type	Description
`alias = []`	multi valued	An alias for PCI device identified by vendor_id and product_id fields. Format: {"vendor_id": "1234", "product_id": "5678", "name": "pci_dev1"}

8.1.12. processing

The following table outlines the options available under the [processing] group in the /etc/ironic-inspector/inspector.conf file.

Table 8.12. processing
Configuration option = Default value	Type	Description
`add_ports = pxe`	string value	Which MAC addresses to add as ports during introspection. Possible values: all (all MAC addresses), active (MAC addresses of NIC with IP addresses), pxe (only MAC address of NIC node PXE booted from, falls back to "active" if PXE MAC is not supplied by the ramdisk).
`always_store_ramdisk_logs = False`	boolean value	Whether to store ramdisk logs even if it did not return an error message (dependent upon "ramdisk_logs_dir" option being set).
`default_processing_hooks = ramdisk_error,root_disk_selection,scheduler,validate_interfaces,capabilities,pci_devices`	string value	Comma-separated list of default hooks for processing pipeline. Hook scheduler updates the node with the minimum properties required by the Nova scheduler. Hook validate_interfaces ensures that valid NIC data was provided by the ramdisk. Do not exclude these two unless you really know what you’re doing.
`disk_partitioning_spacing = True`	boolean value	Whether to leave 1 GiB of disk size untouched for partitioning. Only has effect when used with the IPA as a ramdisk, for older ramdisk local_gb is calculated on the ramdisk side.
`keep_ports = all`	string value	Which ports (already present on a node) to keep after introspection. Possible values: all (do not delete anything), present (keep ports which MACs were present in introspection data), added (keep only MACs that we added during introspection).
`node_not_found_hook = None`	string value	The name of the hook to run when inspector receives inspection information from a node it isn’t already aware of. This hook is ignored by default.
`overwrite_existing = True`	boolean value	Whether to overwrite existing values in node database. Disable this option to make introspection a non-destructive operation.
`power_off = True`	boolean value	Whether to power off a node after introspection.
`processing_hooks = $default_processing_hooks`	string value	Comma-separated list of enabled hooks for processing pipeline. The default for this is $default_processing_hooks, hooks can be added before or after the defaults like this: "prehook,$default_processing_hooks,posthook".
`ramdisk_logs_dir = None`	string value	If set, logs from ramdisk will be stored in this directory.
`ramdisk_logs_filename_format = {uuid}_{dt:%Y%m%d-%H%M%S.%f}.tar.gz`	string value	File name template for storing ramdisk logs. The following replacements can be used: {uuid} - node UUID or "unknown", {bmc} - node BMC address or "unknown", {dt} - current UTC date and time, {mac} - PXE booting MAC or "unknown".
`store_data = none`	string value	Method for storing introspection data. If set to none, introspection data will not be stored.
`store_data_location = None`	string value	Name of the key to store the location of stored data in the extra column of the Ironic database.

8.1.13. pxe_filter

The following table outlines the options available under the [pxe_filter] group in the /etc/ironic-inspector/inspector.conf file.

Table 8.13. pxe_filter
Configuration option = Default value	Type	Description
`driver = iptables`	string value	PXE boot filter driver to use, such as iptables
`sync_period = 15`	integer value	Amount of time in seconds, after which repeat periodic update of the filter.

8.1.14. swift

The following table outlines the options available under the [swift] group in the /etc/ironic-inspector/inspector.conf file.

Table 8.14. swift
Configuration option = Default value	Type	Description
`auth-url = None`	string value	Authentication URL
`auth_type = None`	string value	Authentication type to load
`cafile = None`	string value	PEM encoded Certificate Authority to use when verifying HTTPs connections.
`certfile = None`	string value	PEM encoded client certificate cert file
`container = ironic-inspector`	string value	Default Swift container to use when creating objects.
`default-domain-id = None`	string value	Optional domain ID to use with v3 and v2 parameters. It will be used for both the user and project domain in v3 and ignored in v2 authentication.
`default-domain-name = None`	string value	Optional domain name to use with v3 API and v2 parameters. It will be used for both the user and project domain in v3 and ignored in v2 authentication.
`delete_after = 0`	integer value	Number of seconds that the Swift object will last before being deleted. (set to 0 to never delete the object).
`domain-id = None`	string value	Domain ID to scope to
`domain-name = None`	string value	Domain name to scope to
`endpoint-override = None`	string value	Always use this endpoint URL for requests for this client. NOTE: The unversioned endpoint should be specified here; to request a particular API version, use the `version`, `min-version`, and/or `max-version` options.
`insecure = False`	boolean value	Verify HTTPS connections.
`keyfile = None`	string value	PEM encoded client certificate key file
`max-version = None`	string value	The maximum major version of a given API, intended to be used as the upper bound of a range with min_version. Mutually exclusive with version.
`max_retries = 2`	integer value	Maximum number of times to retry a Swift request, before failing.
`min-version = None`	string value	The minimum major version of a given API, intended to be used as the lower bound of a range with max_version. Mutually exclusive with version. If min_version is given with no max_version it is as if max version is "latest".
`os_endpoint_type = internalURL`	string value	Swift endpoint type.
`os_region = None`	string value	Keystone region to get endpoint for.
`os_service_type = object-store`	string value	Swift service type.
`password = None`	string value	User’s password
`project-domain-id = None`	string value	Domain ID containing project
`project-domain-name = None`	string value	Domain name containing project
`project-id = None`	string value	Project ID to scope to
`project-name = None`	string value	Project name to scope to
`region-name = None`	string value	The default region_name for endpoint URL discovery.
`service-name = None`	string value	The default service_name for endpoint URL discovery.
`service-type = object-store`	string value	The default service_type for endpoint URL discovery.
`system-scope = None`	string value	Scope for system operations
`tenant-id = None`	string value	Tenant ID
`tenant-name = None`	string value	Tenant Name
`timeout = None`	integer value	Timeout value for http requests
`trust-id = None`	string value	Trust ID
`user-domain-id = None`	string value	User’s domain id
`user-domain-name = None`	string value	User’s domain name
`user-id = None`	string value	User id
`username = None`	string value	Username
`valid-interfaces = [u'internal', u'public']`	list value	List of interfaces, in order of preference, for endpoint URL.
`version = None`	string value	Minimum Major API version within a given Major API version for endpoint URL discovery. Mutually exclusive with min_version and max_version

Chapter 9. keystone

The following chapter contains information about the configuration options in the keystone service.

9.1. keystone.conf

This section contains options for the /etc/keystone/keystone.conf file.

9.1.1. DEFAULT

The following table outlines the options available under the [DEFAULT] group in the /etc/keystone/keystone.conf file.

Table 9.1. DEFAULT
Configuration option = Default value	Type	Description
`admin_endpoint = None`	uri value	The base admin endpoint URL for Keystone that is advertised to clients (NOTE: this does NOT affect how Keystone listens for connections). Defaults to the base host URL of the request. For example, if keystone receives a request to `http://server:35357/v3/users`, then this will option will be automatically treated as `http://server:35357`. You should only need to set option if either the value of the base URL contains a path that keystone does not automatically infer (`/prefix/v3`), or if the endpoint should be found on a different host.
`admin_token = None`	string value	Using this feature is NOT recommended. Instead, use the `keystone-manage bootstrap` command. The value of this option is treated as a "shared secret" that can be used to bootstrap Keystone through the API. This "token" does not represent a user (it has no identity), and carries no explicit authorization (it effectively bypasses most authorization checks). If set to `None`, the value is ignored and the `admin_token` middleware is effectively disabled.
`conn_pool_min_size = 2`	integer value	The pool size limit for connections expiration policy
`conn_pool_ttl = 1200`	integer value	The time-to-live in sec of idle connections in the pool
`control_exchange = keystone`	string value	The default exchange under which topics are scoped. May be overridden by an exchange name specified in the transport_url option.
`crypt_strength = 10000`	integer value	The value passed as the keyword "rounds" to passlib’s encrypt method. This option represents a trade off between security and performance. Higher values lead to slower performance, but higher security. Changing this option will only affect newly created passwords as existing password hashes already have a fixed number of rounds applied, so it is safe to tune this option in a running cluster. For more information, see https://pythonhosted.org/passlib/password_hash_api.html#choosing-the-right-rounds-value
`debug = False`	boolean value	If set to true, the logging level will be set to DEBUG instead of the default INFO level.
default_log_levels = [u'amqp=WARN', u'amqplib=WARN', u'boto=WARN', u'qpid=WARN', u'sqlalchemy=WARN', u'suds=INFO', u'oslo.messaging=INFO', u'oslo_messaging=INFO', u'iso8601=WARN', u'requests.packages.urllib3.connectionpool=WARN', u'urllib3.connectionpool=WARN', u'websocket=WARN', u'requests.packages.urllib3.util.retry=WARN', u'urllib3.util.retry=WARN', u'keystonemiddleware=WARN', u'routes.middleware=WARN', u'stevedore=WARN', u'taskflow=WARN', u'keystoneauth=WARN', u'oslo.cache=INFO', u'dogpile.core.dogpile=INFO']	list value	List of package logging levels in logger=LEVEL pairs. This option is ignored if log_config_append is set.
`default_publisher_id = None`	string value	Default `publisher_id` for outgoing notifications. If left undefined, Keystone will default to using the server’s host name.
`executor_thread_pool_size = 64`	integer value	Size of executor thread pool when executor is threading or eventlet.
`fatal_deprecations = False`	boolean value	Enables or disables fatal status of deprecations.
`insecure_debug = False`	boolean value	If set to true, then the server will return information in HTTP responses that may allow an unauthenticated or authenticated user to get more information than normal, such as additional details about why authentication failed. This may be useful for debugging but is insecure.
`instance_format = [instance: %(uuid)s] `	string value	The format for an instance that is passed with the log message.
`instance_uuid_format = [instance: %(uuid)s] `	string value	The format for an instance UUID that is passed with the log message.
`list_limit = None`	integer value	The maximum number of entities that will be returned in a collection. This global limit may be then overridden for a specific driver, by specifying a list_limit in the appropriate section (for example, `[assignment]`). No limit is set by default. In larger deployments, it is recommended that you set this to a reasonable number to prevent operations like listing all users and projects from placing an unnecessary load on the system.
`log-config-append = None`	string value	The name of a logging configuration file. This file is appended to any existing logging configuration files. For details about logging configuration files, see the Python logging module documentation. Note that when logging configuration files are used then all logging configuration is set in the configuration file and other logging configuration options are ignored (for example, logging_context_format_string).
`log-date-format = %Y-%m-%d %H:%M:%S`	string value	Defines the format string for %%(asctime)s in log records. Default: %(default)s . This option is ignored if log_config_append is set.
`log-dir = None`	string value	(Optional) The base directory used for relative log_file paths. This option is ignored if log_config_append is set.
`log-file = None`	string value	(Optional) Name of log file to send logging output to. If no default is set, logging will go to stderr as defined by use_stderr. This option is ignored if log_config_append is set.
`logging_context_format_string = %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [%(request_id)s %(user_identity)s] %(instance)s%(message)s`	string value	Format string to use for log messages with context.
`logging_debug_format_suffix = %(funcName)s %(pathname)s:%(lineno)d`	string value	Additional data to append to log message when logging level for the message is DEBUG.
`logging_default_format_string = %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [-] %(instance)s%(message)s`	string value	Format string to use for log messages when context is undefined.
`logging_exception_prefix = %(asctime)s.%(msecs)03d %(process)d ERROR %(name)s %(instance)s`	string value	Prefix each line of exception output with this format.
`logging_user_identity_format = %(user)s %(tenant)s %(domain)s %(user_domain)s %(project_domain)s`	string value	Defines the format string for %(user_identity)s that is used in logging_context_format_string.
`max_param_size = 64`	integer value	Limit the sizes of user & project ID/names.
`max_project_tree_depth = 5`	integer value	Maximum depth of the project hierarchy, excluding the project acting as a domain at the top of the hierarchy. WARNING: Setting it to a large value may adversely impact performance.
`max_token_size = 255`	integer value	Similar to `[DEFAULT] max_param_size`, but provides an exception for token values. With Fernet tokens, this can be set as low as 255. With UUID tokens, this should be set to 32).
`member_role_id = 9fe2ff9ee4384b1894a90878d3e92bab`	string value	Similar to the `[DEFAULT] member_role_name` option, this represents the default role ID used to associate users with their default projects in the v2 API. This will be used as the explicit role where one is not specified by the v2 API. You do not need to set this value unless you want keystone to use an existing role with a different ID, other than the arbitrarily defined `_member_` role (in which case, you should set `[DEFAULT] member_role_name` as well).
`member_role_name = _member_`	string value	This is the role name used in combination with the `[DEFAULT] member_role_id` option; see that option for more detail. You do not need to set this option unless you want keystone to use an existing role (in which case, you should set `[DEFAULT] member_role_id` as well).
`notification_format = cadf`	string value	Define the notification format for identity service events. A `basic` notification only has information about the resource being operated on. A `cadf` notification has the same information, as well as information about the initiator of the event. The `cadf` option is entirely backwards compatible with the `basic` option, but is fully CADF-compliant, and is recommended for auditing use cases.
`notification_opt_out = [u'identity.authenticate.success', u'identity.authenticate.pending', u'identity.authenticate.failed']`	multi valued	You can reduce the number of notifications keystone emits by explicitly opting out. Keystone will not emit notifications that match the patterns expressed in this list. Values are expected to be in the form of `identity.<resource_type>.<operation>`. By default, all notifications related to authentication are automatically suppressed. This field can be set multiple times in order to opt-out of multiple notification topics. For example, the following suppresses notifications describing user creation or successful authentication events: notification_opt_out=identity.user.create notification_opt_out=identity.authenticate.success
`public_endpoint = None`	uri value	The base public endpoint URL for Keystone that is advertised to clients (NOTE: this does NOT affect how Keystone listens for connections). Defaults to the base host URL of the request. For example, if keystone receives a request to `http://server:5000/v3/users`, then this will option will be automatically treated as `http://server:5000`. You should only need to set option if either the value of the base URL contains a path that keystone does not automatically infer (`/prefix/v3`), or if the endpoint should be found on a different host.
`publish_errors = False`	boolean value	Enables or disables publication of error events.
`rate_limit_burst = 0`	integer value	Maximum number of logged messages per rate_limit_interval.
`rate_limit_except_level = CRITICAL`	string value	Log level name used by rate limiting: CRITICAL, ERROR, INFO, WARNING, DEBUG or empty string. Logs with level greater or equal to rate_limit_except_level are not filtered. An empty string means that all levels are filtered.
`rate_limit_interval = 0`	integer value	Interval, number of seconds, of log rate limiting.
`rpc_ack_timeout_base = 15`	integer value	Number of seconds to wait for an ack from a cast/call. After each retry attempt this timeout is multiplied by some specified multiplier.
`rpc_ack_timeout_multiplier = 2`	integer value	Number to multiply base ack timeout by after each retry attempt.
`rpc_backend = rabbit`	string value	The messaging driver to use, defaults to rabbit. Other drivers include amqp and zmq.
`rpc_conn_pool_size = 30`	integer value	Size of RPC connection pool.
`rpc_message_ttl = 300`	integer value	Expiration timeout in seconds of a sent/received message after which it is not tracked anymore by a client/server.
`rpc_poll_timeout = 1`	integer value	The default number of seconds that poll should wait. Poll raises timeout exception when timeout expired.
`rpc_response_timeout = 60`	integer value	Seconds to wait for a response from a call.
`rpc_retry_attempts = 3`	integer value	Default number of message sending attempts in case of any problems occurred: positive value N means at most N retries, 0 means no retries, None or -1 (or any other negative values) mean to retry forever. This option is used only if acknowledgments are enabled.
`rpc_thread_pool_size = 100`	integer value	Maximum number of (green) threads to work concurrently.
`rpc_use_acks = False`	boolean value	Wait for message acknowledgements from receivers. This mechanism works only via proxy without PUB/SUB.
`rpc_zmq_bind_address = *`	string value	ZeroMQ bind address. Should be a wildcard (*), an ethernet interface, or IP. The "host" option should point or resolve to this address.
`rpc_zmq_bind_port_retries = 100`	integer value	Number of retries to find free port number before fail with ZMQBindError.
`rpc_zmq_contexts = 1`	integer value	Number of ZeroMQ contexts, defaults to 1.
`rpc_zmq_host = ccsosp-undercloud.usersys.redhat.com`	string value	Name of this node. Must be a valid hostname, FQDN, or IP address. Must match "host" option, if running Nova.
`rpc_zmq_ipc_dir = /var/run/openstack`	string value	Directory for holding IPC sockets.
`rpc_zmq_matchmaker = redis`	string value	MatchMaker driver.
`rpc_zmq_max_port = 65536`	integer value	Maximal port number for random ports range.
`rpc_zmq_min_port = 49153`	port value	Minimal port number for random ports range.
`rpc_zmq_serialization = json`	string value	Default serialization mechanism for serializing/deserializing outgoing/incoming messages
`rpc_zmq_topic_backlog = None`	integer value	Maximum number of ingress messages to locally buffer per topic. Default is unlimited.
`secure_proxy_ssl_header = HTTP_X_FORWARDED_PROTO`	string value	The HTTP header used to determine the scheme for the original request, even if it was removed by an SSL terminating proxy.
`strict_password_check = False`	boolean value	If set to true, strict password length checking is performed for password manipulation. If a password exceeds the maximum length, the operation will fail with an HTTP 403 Forbidden error. If set to false, passwords are automatically truncated to the maximum length.
`subscribe_on = []`	list value	List of publisher hosts SubConsumer can subscribe on. This option has higher priority then the default publishers list taken from the matchmaker.
`syslog-log-facility = LOG_USER`	string value	Syslog facility to receive log lines. This option is ignored if log_config_append is set.
`transport_url = None`	string value	The network address and optional user credentials for connecting to the messaging backend, in URL format. The expected format is: driver://[user:pass@]host:port[,[userN:passN@]hostN:portN]/virtual_host?query Example: rabbit://rabbitmq:password@127.0.0.1:5672// For full details on the fields in the URL see the documentation of oslo_messaging.TransportURL at https://docs.openstack.org/oslo.messaging/latest/reference/transport.html
`use-journal = False`	boolean value	Enable journald for logging. If running in a systemd environment you may wish to enable journal support. Doing so will use the journal native protocol which includes structured metadata in addition to log messages.This option is ignored if log_config_append is set.
`use-json = False`	boolean value	Use JSON formatting for logging. This option is ignored if log_config_append is set.
`use-syslog = False`	boolean value	Use syslog for logging. Existing syslog format is DEPRECATED and will be changed later to honor RFC5424. This option is ignored if log_config_append is set.
`use_dynamic_connections = False`	boolean value	This option makes direct connections dynamic or static. It makes sense only with use_router_proxy=False which means to use direct connections for direct message types (ignored otherwise).
`use_pub_sub = False`	boolean value	Use PUB/SUB pattern for fanout methods. PUB/SUB always uses proxy.
`use_router_proxy = False`	boolean value	Use ROUTER remote proxy.
`use_stderr = False`	boolean value	Log output to standard error. This option is ignored if log_config_append is set.
`watch-log-file = False`	boolean value	Uses logging handler designed to watch file system. When log file is moved or removed this handler will open a new log file with specified path instantaneously. It makes sense only if log_file option is specified and Linux platform is used. This option is ignored if log_config_append is set.
`zmq_failover_connections = 2`	integer value	How many additional connections to a host will be made for failover reasons. This option is actual only in dynamic connections mode.
`zmq_immediate = True`	boolean value	This option configures round-robin mode in zmq socket. True means not keeping a queue when server side disconnects. False means to keep queue and messages even if server is disconnected, when the server appears we send all accumulated messages to it.
`zmq_linger = -1`	integer value	Number of seconds to wait before all pending messages will be sent after closing a socket. The default value of -1 specifies an infinite linger period. The value of 0 specifies no linger period. Pending messages shall be discarded immediately when the socket is closed. Positive values specify an upper bound for the linger period.
`zmq_target_expire = 300`	integer value	Expiration timeout in seconds of a name service record about existing target ( < 0 means no timeout).
`zmq_target_update = 180`	integer value	Update period in seconds of a name service record about existing target.
`zmq_tcp_keepalive = -1`	integer value	Enable/disable TCP keepalive (KA) mechanism. The default value of -1 (or any other negative value) means to skip any overrides and leave it to OS default; 0 and 1 (or any other positive value) mean to disable and enable the option respectively.
`zmq_tcp_keepalive_cnt = -1`	integer value	The number of retransmissions to be carried out before declaring that remote end is not available. The default value of -1 (or any other negative value and 0) means to skip any overrides and leave it to OS default.
`zmq_tcp_keepalive_idle = -1`	integer value	The duration between two keepalive transmissions in idle condition. The unit is platform dependent, for example, seconds in Linux, milliseconds in Windows etc. The default value of -1 (or any other negative value and 0) means to skip any overrides and leave it to OS default.
`zmq_tcp_keepalive_intvl = -1`	integer value	The duration between two successive keepalive retransmissions, if acknowledgement to the previous keepalive transmission is not received. The unit is platform dependent, for example, seconds in Linux, milliseconds in Windows etc. The default value of -1 (or any other negative value and 0) means to skip any overrides and leave it to OS default.

9.1.2. application_credential

The following table outlines the options available under the [application_credential] group in the /etc/keystone/keystone.conf file.

Table 9.2. application_credential
Configuration option = Default value	Type	Description
`cache_time = None`	integer value	Time to cache application credential data in seconds. This has no effect unless global caching is enabled.
`caching = True`	boolean value	Toggle for application credential caching. This has no effect unless global caching is enabled.
`driver = sql`	string value	Entry point for the application credential backend driver in the `keystone.application_credential` namespace. Keystone only provides a `sql` driver, so there is no reason to change this unless you are providing a custom entry point.
`user_limit = -1`	integer value	Maximum number of application credentials a user is permitted to create. A value of -1 means unlimited. If a limit is not set, users are permitted to create application credentials at will, which could lead to bloat in the keystone database or open keystone to a DoS attack.

9.1.3. assignment

The following table outlines the options available under the [assignment] group in the /etc/keystone/keystone.conf file.

Table 9.3. assignment
Configuration option = Default value	Type	Description
`driver = sql`	string value	Entry point for the assignment backend driver (where role assignments are stored) in the `keystone.assignment` namespace. Only a SQL driver is supplied by keystone itself. Unless you are writing proprietary drivers for keystone, you do not need to set this option.
`prohibited_implied_role = [u'admin']`	list value	A list of role names which are prohibited from being an implied role.

9.1.4. auth

The following table outlines the options available under the [auth] group in the /etc/keystone/keystone.conf file.

Table 9.4. auth
Configuration option = Default value	Type	Description
`application_credential = None`	string value	Entry point for the application_credential auth plugin module in the `keystone.auth.application_credential` namespace. You do not need to set this unless you are overriding keystone’s own `application_credential` authentication plugin.
`external = None`	string value	Entry point for the external (`REMOTE_USER`) auth plugin module in the `keystone.auth.external` namespace. Supplied drivers are `DefaultDomain` and `Domain`. The default driver is `DefaultDomain`, which assumes that all users identified by the username specified to keystone in the `REMOTE_USER` variable exist within the context of the default domain. The `Domain` option expects an additional environment variable be presented to keystone, `REMOTE_DOMAIN`, containing the domain name of the `REMOTE_USER` (if `REMOTE_DOMAIN` is not set, then the default domain will be used instead). You do not need to set this unless you are taking advantage of "external authentication", where the application server (such as Apache) is handling authentication instead of keystone.
`mapped = None`	string value	Entry point for the mapped auth plugin module in the `keystone.auth.mapped` namespace. You do not need to set this unless you are overriding keystone’s own `mapped` authentication plugin.
`methods = [u'external', u'password', u'token', u'oauth1', u'mapped', u'application_credential']`	list value	Allowed authentication methods. Note: You should disable the `external` auth method if you are currently using federation. External auth and federation both use the REMOTE_USER variable. Since both the mapped and external plugin are being invoked to validate attributes in the request environment, it can cause conflicts.
`oauth1 = None`	string value	Entry point for the OAuth 1.0a auth plugin module in the `keystone.auth.oauth1` namespace. You do not need to set this unless you are overriding keystone’s own `oauth1` authentication plugin.
`password = None`	string value	Entry point for the password auth plugin module in the `keystone.auth.password` namespace. You do not need to set this unless you are overriding keystone’s own password authentication plugin.
`token = None`	string value	Entry point for the token auth plugin module in the `keystone.auth.token` namespace. You do not need to set this unless you are overriding keystone’s own token authentication plugin.

9.1.5. cache

The following table outlines the options available under the [cache] group in the /etc/keystone/keystone.conf file.

Table 9.5. cache
Configuration option = Default value	Type	Description
`backend = dogpile.cache.null`	string value	Cache backend module. For eventlet-based or environments with hundreds of threaded servers, Memcache with pooling (oslo_cache.memcache_pool) is recommended. For environments with less than 100 threaded servers, Memcached (dogpile.cache.memcached) or Redis (dogpile.cache.redis) is recommended. Test environments with a single instance of the server can use the dogpile.cache.memory backend.
`backend_argument = []`	multi valued	Arguments supplied to the backend module. Specify this option once per argument to be passed to the dogpile.cache backend. Example format: "<argname>:<value>".
`config_prefix = cache.oslo`	string value	Prefix for building the configuration dictionary for the cache region. This should not need to be changed unless there is another dogpile.cache region with the same configuration name.
`debug_cache_backend = False`	boolean value	Extra debugging from the cache backend (cache keys, get/set/delete/etc calls). This is only really useful if you need to see the specific cache-backend get/set/delete calls with the keys/values. Typically this should be left set to false.
`enabled = True`	boolean value	Global toggle for caching.
`expiration_time = 600`	integer value	Default TTL, in seconds, for any cached item in the dogpile.cache region. This applies to any cached method that doesn’t have an explicit cache expiration time defined for it.
`memcache_dead_retry = 300`	integer value	Number of seconds memcached server is considered dead before it is tried again. (dogpile.cache.memcache and oslo_cache.memcache_pool backends only).
`memcache_pool_connection_get_timeout = 10`	integer value	Number of seconds that an operation will wait to get a memcache client connection.
`memcache_pool_maxsize = 10`	integer value	Max total number of open connections to every memcached server. (oslo_cache.memcache_pool backend only).
`memcache_pool_unused_timeout = 60`	integer value	Number of seconds a connection to memcached is held unused in the pool before it is closed. (oslo_cache.memcache_pool backend only).
`memcache_servers = [u'localhost:11211']`	list value	Memcache servers in the format of "host:port". (dogpile.cache.memcache and oslo_cache.memcache_pool backends only).
`memcache_socket_timeout = 3`	integer value	Timeout in seconds for every call to a server. (dogpile.cache.memcache and oslo_cache.memcache_pool backends only).
`proxies = []`	list value	Proxy classes to import that will affect the way the dogpile.cache backend functions. See the dogpile.cache documentation on changing-backend-behavior.

9.1.6. catalog

The following table outlines the options available under the [catalog] group in the /etc/keystone/keystone.conf file.

Table 9.6. catalog
Configuration option = Default value	Type	Description
`cache_time = None`	integer value	Time to cache catalog data (in seconds). This has no effect unless global and catalog caching are both enabled. Catalog data (services, endpoints, etc.) typically does not change frequently, and so a longer duration than the global default may be desirable.
`caching = True`	boolean value	Toggle for catalog caching. This has no effect unless global caching is enabled. In a typical deployment, there is no reason to disable this.
`driver = sql`	string value	Entry point for the catalog driver in the `keystone.catalog` namespace. Keystone provides a `sql` option (which supports basic CRUD operations through SQL), a `templated` option (which loads the catalog from a templated catalog file on disk), and a `endpoint_filter.sql` option (which supports arbitrary service catalogs per project).
`list_limit = None`	integer value	Maximum number of entities that will be returned in a catalog collection. There is typically no reason to set this, as it would be unusual for a deployment to have enough services or endpoints to exceed a reasonable limit.
`template_file = default_catalog.templates`	string value	Absolute path to the file used for the templated catalog backend. This option is only used if the `[catalog] driver` is set to `templated`.

9.1.7. cors

The following table outlines the options available under the [cors] group in the /etc/keystone/keystone.conf file.

Table 9.7. cors
Configuration option = Default value	Type	Description
`allow_credentials = True`	boolean value	Indicate that the actual request can include user credentials
`allow_headers = [u'X-Auth-Token', u'X-Openstack-Request-Id', u'X-Subject-Token', u'X-Project-Id', u'X-Project-Name', u'X-Project-Domain-Id', u'X-Project-Domain-Name', u'X-Domain-Id', u'X-Domain-Name']`	list value	Indicate which header field names may be used during the actual request.
`allow_methods = [u'GET', u'PUT', u'POST', u'DELETE', u'PATCH']`	list value	Indicate which methods can be used during the actual request.
`allowed_origin = None`	list value	Indicate whether this resource may be shared with the domain received in the requests "origin" header. Format: "<protocol>://<host>[:<port>]", no trailing slash. Example: https://horizon.example.com
`expose_headers = [u'X-Auth-Token', u'X-Openstack-Request-Id', u'X-Subject-Token']`	list value	Indicate which headers are safe to expose to the API. Defaults to HTTP Simple Headers.
`max_age = 3600`	integer value	Maximum cache age of CORS preflight requests.

9.1.8. credential

The following table outlines the options available under the [credential] group in the /etc/keystone/keystone.conf file.

Table 9.8. credential
Configuration option = Default value	Type	Description
`driver = sql`	string value	Entry point for the credential backend driver in the `keystone.credential` namespace. Keystone only provides a `sql` driver, so there’s no reason to change this unless you are providing a custom entry point.
`key_repository = /etc/keystone/credential-keys/`	string value	Directory containing Fernet keys used to encrypt and decrypt credentials stored in the credential backend. Fernet keys used to encrypt credentials have no relationship to Fernet keys used to encrypt Fernet tokens. Both sets of keys should be managed separately and require different rotation policies. Do not share this repository with the repository used to manage keys for Fernet tokens.
`provider = fernet`	string value	Entry point for credential encryption and decryption operations in the `keystone.credential.provider` namespace. Keystone only provides a `fernet` driver, so there’s no reason to change this unless you are providing a custom entry point to encrypt and decrypt credentials.

9.1.9. database

The following table outlines the options available under the [database] group in the /etc/keystone/keystone.conf file.

Table 9.9. database
Configuration option = Default value	Type	Description
`backend = sqlalchemy`	string value	The back end to use for the database.
`connection = None`	string value	The SQLAlchemy connection string to use to connect to the database.
`connection_debug = 0`	integer value	Verbosity of SQL debugging information: 0=None, 100=Everything.
`connection_recycle_time = 3600`	integer value	Connections which have been present in the connection pool longer than this number of seconds will be replaced with a new one the next time they are checked out from the pool.
`connection_trace = False`	boolean value	Add Python stack traces to SQL as comment strings.
`db_inc_retry_interval = True`	boolean value	If True, increases the interval between retries of a database operation up to db_max_retry_interval.
`db_max_retries = 20`	integer value	Maximum retries in case of connection error or deadlock error before error is raised. Set to -1 to specify an infinite retry count.
`db_max_retry_interval = 10`	integer value	If db_inc_retry_interval is set, the maximum seconds between retries of a database operation.
`db_retry_interval = 1`	integer value	Seconds between retries of a database transaction.
`max_overflow = 50`	integer value	If set, use this value for max_overflow with SQLAlchemy.
`max_pool_size = 5`	integer value	Maximum number of SQL connections to keep open in a pool. Setting a value of 0 indicates no limit.
`max_retries = 10`	integer value	Maximum number of database connection retries during startup. Set to -1 to specify an infinite retry count.
`min_pool_size = 1`	integer value	Minimum number of SQL connections to keep open in a pool.
`mysql_enable_ndb = False`	boolean value	If True, transparently enables support for handling MySQL Cluster (NDB).
`mysql_sql_mode = TRADITIONAL`	string value	The SQL mode to be used for MySQL sessions. This option, including the default, overrides any server-set SQL mode. To use whatever SQL mode is set by the server configuration, set this to no value. Example: mysql_sql_mode=
`pool_timeout = None`	integer value	If set, use this value for pool_timeout with SQLAlchemy.
`retry_interval = 10`	integer value	Interval between retries of opening a SQL connection.
`slave_connection = None`	string value	The SQLAlchemy connection string to use to connect to the slave database.
`sqlite_synchronous = True`	boolean value	If True, SQLite uses synchronous mode.
`use_db_reconnect = False`	boolean value	Enable the experimental use of database reconnect on connection lost.

9.1.10. domain_config

The following table outlines the options available under the [domain_config] group in the /etc/keystone/keystone.conf file.

Table 9.10. domain_config
Configuration option = Default value	Type	Description
`cache_time = 300`	integer value	Time-to-live (TTL, in seconds) to cache domain-specific configuration data. This has no effect unless `[domain_config] caching` is enabled.
`caching = True`	boolean value	Toggle for caching of the domain-specific configuration backend. This has no effect unless global caching is enabled. There is normally no reason to disable this.
`driver = sql`	string value	Entry point for the domain-specific configuration driver in the `keystone.resource.domain_config` namespace. Only a `sql` option is provided by keystone, so there is no reason to set this unless you are providing a custom entry point.

9.1.11. endpoint_filter

The following table outlines the options available under the [endpoint_filter] group in the /etc/keystone/keystone.conf file.

Table 9.11. endpoint_filter
Configuration option = Default value	Type	Description
`driver = sql`	string value	Entry point for the endpoint filter driver in the `keystone.endpoint_filter` namespace. Only a `sql` option is provided by keystone, so there is no reason to set this unless you are providing a custom entry point.
`return_all_endpoints_if_no_filter = True`	boolean value	This controls keystone’s behavior if the configured endpoint filters do not result in any endpoints for a user + project pair (and therefore a potentially empty service catalog). If set to true, keystone will return the entire service catalog. If set to false, keystone will return an empty service catalog.

9.1.12. endpoint_policy

The following table outlines the options available under the [endpoint_policy] group in the /etc/keystone/keystone.conf file.

Table 9.12. endpoint_policy
Configuration option = Default value	Type	Description
`driver = sql`	string value	Entry point for the endpoint policy driver in the `keystone.endpoint_policy` namespace. Only a `sql` driver is provided by keystone, so there is no reason to set this unless you are providing a custom entry point.

9.1.13. eventlet_server

The following table outlines the options available under the [eventlet_server] group in the /etc/keystone/keystone.conf file.

Table 9.13. eventlet_server
Configuration option = Default value	Type	Description
`admin_bind_host = 0.0.0.0`	unknown value	The IP address of the network interface for the admin service to listen on.
`admin_port = 35357`	port value	The port number for the admin service to listen on.
`public_bind_host = 0.0.0.0`	unknown value	The IP address of the network interface for the public service to listen on.
`public_port = 5000`	port value	The port number for the public service to listen on.

9.1.14. federation

The following table outlines the options available under the [federation] group in the /etc/keystone/keystone.conf file.

Table 9.14. federation
Configuration option = Default value	Type	Description
`assertion_prefix = `	string value	Prefix to use when filtering environment variable names for federated assertions. Matched variables are passed into the federated mapping engine.
`caching = True`	boolean value	Toggle for federation caching. This has no effect unless global caching is enabled. There is typically no reason to disable this.
`driver = sql`	string value	Entry point for the federation backend driver in the `keystone.federation` namespace. Keystone only provides a `sql` driver, so there is no reason to set this option unless you are providing a custom entry point.
`federated_domain_name = Federated`	string value	An arbitrary domain name that is reserved to allow federated ephemeral users to have a domain concept. Note that an admin will not be able to create a domain with this name or update an existing domain to this name. You are not advised to change this value unless you really have to.
`remote_id_attribute = None`	string value	Value to be used to obtain the entity ID of the Identity Provider from the environment. For `mod_shib`, this would be `Shib-Identity-Provider`. For `mod_auth_openidc`, this could be `HTTP_OIDC_ISS`. For `mod_auth_mellon`, this could be `MELLON_IDP`.
`sso_callback_template = /etc/keystone/sso_callback_template.html`	string value	Absolute path to an HTML file used as a Single Sign-On callback handler. This page is expected to redirect the user from keystone back to a trusted dashboard host, by form encoding a token in a POST request. Keystone’s default value should be sufficient for most deployments.
`trusted_dashboard = []`	multi valued	A list of trusted dashboard hosts. Before accepting a Single Sign-On request to return a token, the origin host must be a member of this list. This configuration option may be repeated for multiple values. You must set this in order to use web-based SSO flows. For example: trusted_dashboard=https://acme.example.com/auth/websso trusted_dashboard=https://beta.example.com/auth/websso

9.1.15. fernet_tokens

The following table outlines the options available under the [fernet_tokens] group in the /etc/keystone/keystone.conf file.

Table 9.15. fernet_tokens
Configuration option = Default value	Type	Description
`key_repository = /etc/keystone/fernet-keys/`	string value	Directory containing Fernet token keys. This directory must exist before using `keystone-manage fernet_setup` for the first time, must be writable by the user running `keystone-manage fernet_setup` or `keystone-manage fernet_rotate`, and of course must be readable by keystone’s server process. The repository may contain keys in one of three states: a single staged key (always index 0) used for token validation, a single primary key (always the highest index) used for token creation and validation, and any number of secondary keys (all other index values) used for token validation. With multiple keystone nodes, each node must share the same key repository contents, with the exception of the staged key (index 0). It is safe to run `keystone-manage fernet_rotate` once on any one node to promote a staged key (index 0) to be the new primary (incremented from the previous highest index), and produce a new staged key (a new key with index 0); the resulting repository can then be atomically replicated to other nodes without any risk of race conditions (for example, it is safe to run `keystone-manage fernet_rotate` on host A, wait any amount of time, create a tarball of the directory on host A, unpack it on host B to a temporary location, and atomically move (`mv`) the directory into place on host B). Running `keystone-manage fernet_rotate` twice on a key repository without syncing other nodes will result in tokens that can not be validated by all nodes.
`max_active_keys = 3`	integer value	This controls how many keys are held in rotation by `keystone-manage fernet_rotate` before they are discarded. The default value of 3 means that keystone will maintain one staged key (always index 0), one primary key (the highest numerical index), and one secondary key (every other index). Increasing this value means that additional secondary keys will be kept in the rotation.

9.1.16. healthcheck

The following table outlines the options available under the [healthcheck] group in the /etc/keystone/keystone.conf file.

Table 9.16. healthcheck
Configuration option = Default value	Type	Description
`backends = []`	list value	Additional backends that can perform health checks and report that information back as part of a request.
`detailed = False`	boolean value	Show more detailed information as part of the response
`disable_by_file_path = None`	string value	Check the presence of a file to determine if an application is running on a port. Used by DisableByFileHealthcheck plugin.
`disable_by_file_paths = []`	list value	Check the presence of a file based on a port to determine if an application is running on a port. Expects a "port:path" list of strings. Used by DisableByFilesPortsHealthcheck plugin.
`path = /healthcheck`	string value	The path to respond to healtcheck requests on.

9.1.17. identity

The following table outlines the options available under the [identity] group in the /etc/keystone/keystone.conf file.

Table 9.17. identity
Configuration option = Default value	Type	Description
`cache_time = 600`	integer value	Time to cache identity data (in seconds). This has no effect unless global and identity caching are enabled.
`caching = True`	boolean value	Toggle for identity caching. This has no effect unless global caching is enabled. There is typically no reason to disable this.
`default_domain_id = default`	string value	This references the domain to use for all Identity API v2 requests (which are not aware of domains). A domain with this ID can optionally be created for you by `keystone-manage bootstrap`. The domain referenced by this ID cannot be deleted on the v3 API, to prevent accidentally breaking the v2 API. There is nothing special about this domain, other than the fact that it must exist to order to maintain support for your v2 clients. There is typically no reason to change this value.
`domain_config_dir = /etc/keystone/domains`	string value	Absolute path where keystone should locate domain-specific `[identity]` configuration files. This option has no effect unless `[identity] domain_specific_drivers_enabled` is set to true. There is typically no reason to change this value.
`domain_configurations_from_database = False`	boolean value	By default, domain-specific configuration data is read from files in the directory identified by `[identity] domain_config_dir`. Enabling this configuration option allows you to instead manage domain-specific configurations through the API, which are then persisted in the backend (typically, a SQL database), rather than using configuration files on disk.
`domain_specific_drivers_enabled = False`	boolean value	A subset (or all) of domains can have their own identity driver, each with their own partial configuration options, stored in either the resource backend or in a file in a domain configuration directory (depending on the setting of `[identity] domain_configurations_from_database`). Only values specific to the domain need to be specified in this manner. This feature is disabled by default, but may be enabled by default in a future release; set to true to enable.
`driver = sql`	string value	Entry point for the identity backend driver in the `keystone.identity` namespace. Keystone provides a `sql` and `ldap` driver. This option is also used as the default driver selection (along with the other configuration variables in this section) in the event that `[identity] domain_specific_drivers_enabled` is enabled, but no applicable domain-specific configuration is defined for the domain in question. Unless your deployment primarily relies on `ldap` AND is not using domain-specific configuration, you should typically leave this set to `sql`.
`list_limit = None`	integer value	Maximum number of entities that will be returned in an identity collection.
`max_password_length = 4096`	integer value	Maximum allowed length for user passwords. Decrease this value to improve performance. Changing this value does not effect existing passwords.
`password_hash_algorithm = bcrypt`	string value	The password hashing algorithm to use for passwords stored within keystone.
`password_hash_rounds = None`	integer value	This option represents a trade off between security and performance. Higher values lead to slower performance, but higher security. Changing this option will only affect newly created passwords as existing password hashes already have a fixed number of rounds applied, so it is safe to tune this option in a running cluster. The default for bcrypt is 12, must be between 4 and 31, inclusive. The default for scrypt is 16, must be within `range(1,32)`. The default for pbkdf_sha512 is 60000, must be within `range(1,1<<32)` WARNING: If using scrypt, increasing this value increases BOTH time AND memory requirements to hash a password.
`salt_bytesize = None`	integer value	Number of bytes to use in scrypt and pbkfd2_sha512 hashing salt. Default for scrypt is 16 bytes. Default for pbkfd2_sha512 is 16 bytes. Limited to a maximum of 96 bytes due to the size of the column used to store password hashes.
`scrypt_block_size = None`	integer value	Optional block size to pass to scrypt hash function (the `r` parameter). Useful for tuning scrypt to optimal performance for your CPU architecture. This option is only used when the `password_hash_algorithm` option is set to `scrypt`. Defaults to 8.
`scrypt_parallelism = None`	integer value	Optional parallelism to pass to scrypt hash function (the `p` parameter). This option is only used when the `password_hash_algorithm` option is set to `scrypt`. Defaults to 1.

9.1.18. identity_mapping

The following table outlines the options available under the [identity_mapping] group in the /etc/keystone/keystone.conf file.

Table 9.18. identity_mapping
Configuration option = Default value	Type	Description
`backward_compatible_ids = True`	boolean value	The format of user and group IDs changed in Juno for backends that do not generate UUIDs (for example, LDAP), with keystone providing a hash mapping to the underlying attribute in LDAP. By default this mapping is disabled, which ensures that existing IDs will not change. Even when the mapping is enabled by using domain-specific drivers (`[identity] domain_specific_drivers_enabled`), any users and groups from the default domain being handled by LDAP will still not be mapped to ensure their IDs remain backward compatible. Setting this value to false will enable the new mapping for all backends, including the default LDAP driver. It is only guaranteed to be safe to enable this option if you do not already have assignments for users and groups from the default LDAP domain, and you consider it to be acceptable for Keystone to provide the different IDs to clients than it did previously (existing IDs in the API will suddenly change). Typically this means that the only time you can set this value to false is when configuring a fresh installation, although that is the recommended value.
`driver = sql`	string value	Entry point for the identity mapping backend driver in the `keystone.identity.id_mapping` namespace. Keystone only provides a `sql` driver, so there is no reason to change this unless you are providing a custom entry point.
`generator = sha256`	string value	Entry point for the public ID generator for user and group entities in the `keystone.identity.id_generator` namespace. The Keystone identity mapper only supports generators that produce 64 bytes or less. Keystone only provides a `sha256` entry point, so there is no reason to change this value unless you’re providing a custom entry point.

9.1.19. ldap

The following table outlines the options available under the [ldap] group in the /etc/keystone/keystone.conf file.

Table 9.19. ldap
Configuration option = Default value	Type	Description
`alias_dereferencing = default`	string value	The LDAP dereferencing option to use for queries involving aliases. A value of `default` falls back to using default dereferencing behavior configured by your `ldap.conf`. A value of `never` prevents aliases from being dereferenced at all. A value of `searching` dereferences aliases only after name resolution. A value of `finding` dereferences aliases only during name resolution. A value of `always` dereferences aliases in all cases.
`auth_pool_connection_lifetime = 60`	integer value	The maximum end user authentication connection lifetime to the LDAP server in seconds. When this lifetime is exceeded, the connection will be unbound and removed from the connection pool. This option has no effect unless `[ldap] use_auth_pool` is also enabled.
`auth_pool_size = 100`	integer value	The size of the connection pool to use for end user authentication. This option has no effect unless `[ldap] use_auth_pool` is also enabled.
`chase_referrals = None`	boolean value	Sets keystone’s referral chasing behavior across directory partitions. If left unset, the system’s default behavior will be used.
`connection_timeout = -1`	integer value	The connection timeout to use with the LDAP server. A value of `-1` means that connections will never timeout.
`debug_level = None`	integer value	Sets the LDAP debugging level for LDAP calls. A value of 0 means that debugging is not enabled. This value is a bitmask, consult your LDAP documentation for possible values.
`group_ad_nesting = False`	boolean value	If enabled, group queries will use Active Directory specific filters for nested groups.
`group_additional_attribute_mapping = []`	list value	A list of LDAP attribute to keystone group attribute pairs used for mapping additional attributes to groups in keystone. The expected format is `<ldap_attr>:<group_attr>`, where `ldap_attr` is the attribute in the LDAP object and `group_attr` is the attribute which should appear in the identity API.
`group_attribute_ignore = []`	list value	List of group attributes to ignore on create and update. or whether a specific group attribute should be filtered for list or show group.
`group_desc_attribute = description`	string value	The LDAP attribute mapped to group descriptions in keystone.
`group_filter = None`	string value	The LDAP search filter to use for groups.
`group_id_attribute = cn`	string value	The LDAP attribute mapped to group IDs in keystone. This must NOT be a multivalued attribute. Group IDs are expected to be globally unique across keystone domains and URL-safe.
`group_member_attribute = member`	string value	The LDAP attribute used to indicate that a user is a member of the group.
`group_members_are_ids = False`	boolean value	Enable this option if the members of the group object class are keystone user IDs rather than LDAP DNs. This is the case when using `posixGroup` as the group object class in Open Directory.
`group_name_attribute = ou`	string value	The LDAP attribute mapped to group names in keystone. Group names are expected to be unique only within a keystone domain and are not expected to be URL-safe.
`group_objectclass = groupOfNames`	string value	The LDAP object class to use for groups. If setting this option to `posixGroup`, you may also be interested in enabling the `[ldap] group_members_are_ids` option.
`group_tree_dn = None`	string value	The search base to use for groups. Defaults to the `[ldap] suffix` value.
`page_size = 0`	integer value	Defines the maximum number of results per page that keystone should request from the LDAP server when listing objects. A value of zero (`0`) disables paging.
`password = None`	string value	The password of the administrator bind DN to use when querying the LDAP server, if your LDAP server requires it.
`pool_connection_lifetime = 600`	integer value	The maximum connection lifetime to the LDAP server in seconds. When this lifetime is exceeded, the connection will be unbound and removed from the connection pool. This option has no effect unless `[ldap] use_pool` is also enabled.
`pool_connection_timeout = -1`	integer value	The connection timeout to use when pooling LDAP connections. A value of `-1` means that connections will never timeout. This option has no effect unless `[ldap] use_pool` is also enabled.
`pool_retry_delay = 0.1`	floating point value	The number of seconds to wait before attempting to reconnect to the LDAP server. This option has no effect unless `[ldap] use_pool` is also enabled.
`pool_retry_max = 3`	integer value	The maximum number of times to attempt reconnecting to the LDAP server before aborting. A value of zero prevents retries. This option has no effect unless `[ldap] use_pool` is also enabled.
`pool_size = 10`	integer value	The size of the LDAP connection pool. This option has no effect unless `[ldap] use_pool` is also enabled.
`query_scope = one`	string value	The search scope which defines how deep to search within the search base. A value of `one` (representing `oneLevel` or `singleLevel`) indicates a search of objects immediately below to the base object, but does not include the base object itself. A value of `sub` (representing `subtree` or `wholeSubtree`) indicates a search of both the base object itself and the entire subtree below it.
`suffix = cn=example,cn=com`	string value	The default LDAP server suffix to use, if a DN is not defined via either `[ldap] user_tree_dn` or `[ldap] group_tree_dn`.
`tls_cacertdir = None`	string value	An absolute path to a CA certificate directory to use when communicating with LDAP servers. There is no reason to set this option if you’ve also set `[ldap] tls_cacertfile`.
`tls_cacertfile = None`	string value	An absolute path to a CA certificate file to use when communicating with LDAP servers. This option will take precedence over `[ldap] tls_cacertdir`, so there is no reason to set both.
`tls_req_cert = demand`	string value	Specifies which checks to perform against client certificates on incoming TLS sessions. If set to `demand`, then a certificate will always be requested and required from the LDAP server. If set to `allow`, then a certificate will always be requested but not required from the LDAP server. If set to `never`, then a certificate will never be requested.
`url = ldap://localhost`	string value	URL(s) for connecting to the LDAP server. Multiple LDAP URLs may be specified as a comma separated string. The first URL to successfully bind is used for the connection.
`use_auth_pool = True`	boolean value	Enable LDAP connection pooling for end user authentication. There is typically no reason to disable this.
`use_pool = True`	boolean value	Enable LDAP connection pooling for queries to the LDAP server. There is typically no reason to disable this.
`use_tls = False`	boolean value	Enable TLS when communicating with LDAP servers. You should also set the `[ldap] tls_cacertfile` and `[ldap] tls_cacertdir` options when using this option. Do not set this option if you are using LDAP over SSL (LDAPS) instead of TLS.
`user = None`	string value	The user name of the administrator bind DN to use when querying the LDAP server, if your LDAP server requires it.
`user_additional_attribute_mapping = []`	list value	A list of LDAP attribute to keystone user attribute pairs used for mapping additional attributes to users in keystone. The expected format is `<ldap_attr>:<user_attr>`, where `ldap_attr` is the attribute in the LDAP object and `user_attr` is the attribute which should appear in the identity API.
`user_attribute_ignore = [u'default_project_id']`	list value	List of user attributes to ignore on create and update, or whether a specific user attribute should be filtered for list or show user.
`user_default_project_id_attribute = None`	string value	The LDAP attribute mapped to a user’s default_project_id in keystone. This is most commonly used when keystone has write access to LDAP.
`user_description_attribute = description`	string value	The LDAP attribute mapped to user descriptions in keystone.
`user_enabled_attribute = enabled`	string value	The LDAP attribute mapped to the user enabled attribute in keystone. If setting this option to `userAccountControl`, then you may be interested in setting `[ldap] user_enabled_mask` and `[ldap] user_enabled_default` as well.
`user_enabled_default = True`	string value	The default value to enable users. This should match an appropriate integer value if the LDAP server uses non-boolean (bitmask) values to indicate if a user is enabled or disabled. If this is not set to `True`, then the typical value is `512`. This is typically used when `[ldap] user_enabled_attribute = userAccountControl`.
`user_enabled_emulation = False`	boolean value	If enabled, keystone uses an alternative method to determine if a user is enabled or not by checking if they are a member of the group defined by the `[ldap] user_enabled_emulation_dn` option. Enabling this option causes keystone to ignore the value of `[ldap] user_enabled_invert`.
`user_enabled_emulation_dn = None`	string value	DN of the group entry to hold enabled users when using enabled emulation. Setting this option has no effect unless `[ldap] user_enabled_emulation` is also enabled.
`user_enabled_emulation_use_group_config = False`	boolean value	Use the `[ldap] group_member_attribute` and `[ldap] group_objectclass` settings to determine membership in the emulated enabled group. Enabling this option has no effect unless `[ldap] user_enabled_emulation` is also enabled.
`user_enabled_invert = False`	boolean value	Logically negate the boolean value of the enabled attribute obtained from the LDAP server. Some LDAP servers use a boolean lock attribute where "true" means an account is disabled. Setting `[ldap] user_enabled_invert = true` will allow these lock attributes to be used. This option will have no effect if either the `[ldap] user_enabled_mask` or `[ldap] user_enabled_emulation` options are in use.
`user_enabled_mask = 0`	integer value	Bitmask integer to select which bit indicates the enabled value if the LDAP server represents "enabled" as a bit on an integer rather than as a discrete boolean. A value of `0` indicates that the mask is not used. If this is not set to `0` the typical value is `2`. This is typically used when `[ldap] user_enabled_attribute = userAccountControl`. Setting this option causes keystone to ignore the value of `[ldap] user_enabled_invert`.
`user_filter = None`	string value	The LDAP search filter to use for users.
`user_id_attribute = cn`	string value	The LDAP attribute mapped to user IDs in keystone. This must NOT be a multivalued attribute. User IDs are expected to be globally unique across keystone domains and URL-safe.
`user_mail_attribute = mail`	string value	The LDAP attribute mapped to user emails in keystone.
`user_name_attribute = sn`	string value	The LDAP attribute mapped to user names in keystone. User names are expected to be unique only within a keystone domain and are not expected to be URL-safe.
`user_objectclass = inetOrgPerson`	string value	The LDAP object class to use for users.
`user_pass_attribute = userPassword`	string value	The LDAP attribute mapped to user passwords in keystone.
`user_tree_dn = None`	string value	The search base to use for users. Defaults to the `[ldap] suffix` value.

9.1.20. matchmaker_redis

The following table outlines the options available under the [matchmaker_redis] group in the /etc/keystone/keystone.conf file.

Table 9.20. matchmaker_redis
Configuration option = Default value	Type	Description
`check_timeout = 20000`	integer value	Time in ms to wait before the transaction is killed.
`host = 127.0.0.1`	string value	Host to locate redis.
`password = `	string value	Password for Redis server (optional).
`port = 6379`	port value	Use this port to connect to redis host.
`sentinel_group_name = oslo-messaging-zeromq`	string value	Redis replica set name.
`sentinel_hosts = []`	list value	List of Redis Sentinel hosts (fault tolerance mode), e.g., [host:port, host1:port … ]
`socket_timeout = 10000`	integer value	Timeout in ms on blocking socket operations.
`wait_timeout = 2000`	integer value	Time in ms to wait between connection attempts.

9.1.21. memcache

The following table outlines the options available under the [memcache] group in the /etc/keystone/keystone.conf file.

Table 9.21. memcache
Configuration option = Default value	Type	Description
`dead_retry = 300`	integer value	Number of seconds memcached server is considered dead before it is tried again. This is used by the key value store system.
`pool_connection_get_timeout = 10`	integer value	Number of seconds that an operation will wait to get a memcache client connection. This is used by the key value store system.
`pool_maxsize = 10`	integer value	Max total number of open connections to every memcached server. This is used by the key value store system.
`pool_unused_timeout = 60`	integer value	Number of seconds a connection to memcached is held unused in the pool before it is closed. This is used by the key value store system.
`socket_timeout = 3`	integer value	Timeout in seconds for every call to a server. This is used by the key value store system.

9.1.22. oauth1

The following table outlines the options available under the [oauth1] group in the /etc/keystone/keystone.conf file.

Table 9.22. oauth1
Configuration option = Default value	Type	Description
`access_token_duration = 86400`	integer value	Number of seconds for the OAuth Access Token to remain valid after being created. This is the amount of time the consumer has to interact with the service provider (which is typically keystone). Setting this option to zero means that access tokens will last forever.
`driver = sql`	string value	Entry point for the OAuth backend driver in the `keystone.oauth1` namespace. Typically, there is no reason to set this option unless you are providing a custom entry point.
`request_token_duration = 28800`	integer value	Number of seconds for the OAuth Request Token to remain valid after being created. This is the amount of time the user has to authorize the token. Setting this option to zero means that request tokens will last forever.

9.1.23. oslo_messaging_amqp

The following table outlines the options available under the [oslo_messaging_amqp] group in the /etc/keystone/keystone.conf file.

Table 9.23. oslo_messaging_amqp
Configuration option = Default value	Type	Description
`addressing_mode = dynamic`	string value	Indicates the addressing mode used by the driver. Permitted values: legacy - use legacy non-routable addressing routable - use routable addresses dynamic - use legacy addresses if the message bus does not support routing otherwise use routable addressing
`allow_insecure_clients = False`	boolean value	Accept clients using either SSL or plain TCP
`anycast_address = anycast`	string value	Appended to the address prefix when sending to a group of consumers. Used by the message bus to identify messages that should be delivered in a round-robin fashion across consumers.
`broadcast_prefix = broadcast`	string value	address prefix used when broadcasting to all servers
`connection_retry_backoff = 2`	integer value	Increase the connection_retry_interval by this many seconds after each unsuccessful failover attempt.
`connection_retry_interval = 1`	integer value	Seconds to pause before attempting to re-connect.
`connection_retry_interval_max = 30`	integer value	Maximum limit for connection_retry_interval + connection_retry_backoff
`container_name = None`	string value	Name for the AMQP container. must be globally unique. Defaults to a generated UUID
`default_notification_exchange = None`	string value	Exchange name used in notification addresses. Exchange name resolution precedence: Target.exchange if set else default_notification_exchange if set else control_exchange if set else notify
`default_notify_timeout = 30`	integer value	The deadline for a sent notification message delivery. Only used when caller does not provide a timeout expiry.
`default_reply_retry = 0`	integer value	The maximum number of attempts to re-send a reply message which failed due to a recoverable error.
`default_reply_timeout = 30`	integer value	The deadline for an rpc reply message delivery.
`default_rpc_exchange = None`	string value	Exchange name used in RPC addresses. Exchange name resolution precedence: Target.exchange if set else default_rpc_exchange if set else control_exchange if set else rpc
`default_send_timeout = 30`	integer value	The deadline for an rpc cast or call message delivery. Only used when caller does not provide a timeout expiry.
`default_sender_link_timeout = 600`	integer value	The duration to schedule a purge of idle sender links. Detach link after expiry.
`group_request_prefix = unicast`	string value	address prefix when sending to any server in group
`idle_timeout = 0`	integer value	Timeout for inactive connections (in seconds)
`link_retry_delay = 10`	integer value	Time to pause between re-connecting an AMQP 1.0 link that failed due to a recoverable error.
`multicast_address = multicast`	string value	Appended to the address prefix when sending a fanout message. Used by the message bus to identify fanout messages.
`notify_address_prefix = openstack.org/om/notify`	string value	Address prefix for all generated Notification addresses
`notify_server_credit = 100`	integer value	Window size for incoming Notification messages
`password = `	string value	Password for message broker authentication
`pre_settled = [u'rpc-cast', u'rpc-reply']`	multi valued	Send messages of this type pre-settled. Pre-settled messages will not receive acknowledgement from the peer. Note well: pre-settled messages may be silently discarded if the delivery fails. Permitted values: rpc-call - send RPC Calls pre-settled rpc-reply- send RPC Replies pre-settled rpc-cast - Send RPC Casts pre-settled notify - Send Notifications pre-settled
`pseudo_vhost = True`	boolean value	Enable virtual host support for those message buses that do not natively support virtual hosting (such as qpidd). When set to true the virtual host name will be added to all message bus addresses, effectively creating a private subnet per virtual host. Set to False if the message bus supports virtual hosting using the hostname field in the AMQP 1.0 Open performative as the name of the virtual host.
`reply_link_credit = 200`	integer value	Window size for incoming RPC Reply messages.
`rpc_address_prefix = openstack.org/om/rpc`	string value	Address prefix for all generated RPC addresses
`rpc_server_credit = 100`	integer value	Window size for incoming RPC Request messages
`sasl_config_dir = `	string value	Path to directory that contains the SASL configuration
`sasl_config_name = `	string value	Name of configuration file (without .conf suffix)
`sasl_default_realm = `	string value	SASL realm to use if no realm present in username
`sasl_mechanisms = `	string value	Space separated list of acceptable SASL mechanisms
`server_request_prefix = exclusive`	string value	address prefix used when sending to a specific server
`ssl = False`	boolean value	Attempt to connect via SSL. If no other ssl-related parameters are given, it will use the system’s CA-bundle to verify the server’s certificate.
`ssl_ca_file = `	string value	CA certificate PEM file used to verify the server’s certificate
`ssl_cert_file = `	string value	Self-identifying certificate PEM file for client authentication
`ssl_key_file = `	string value	Private key PEM file used to sign ssl_cert_file certificate (optional)
`ssl_key_password = None`	string value	Password for decrypting ssl_key_file (if encrypted)
`ssl_verify_vhost = False`	boolean value	By default SSL checks that the name in the server’s certificate matches the hostname in the transport_url. In some configurations it may be preferable to use the virtual hostname instead, for example if the server uses the Server Name Indication TLS extension (rfc6066) to provide a certificate per virtual host. Set ssl_verify_vhost to True if the server’s SSL certificate uses the virtual host name instead of the DNS name.
`trace = False`	boolean value	Debug: dump AMQP frames to stdout
`unicast_address = unicast`	string value	Appended to the address prefix when sending to a particular RPC/Notification server. Used by the message bus to identify messages sent to a single destination.
`username = `	string value	User name for message broker authentication

9.1.24. oslo_messaging_kafka

The following table outlines the options available under the [oslo_messaging_kafka] group in the /etc/keystone/keystone.conf file.

Table 9.24. oslo_messaging_kafka
Configuration option = Default value	Type	Description
`conn_pool_min_size = 2`	integer value	The pool size limit for connections expiration policy
`conn_pool_ttl = 1200`	integer value	The time-to-live in sec of idle connections in the pool
`consumer_group = oslo_messaging_consumer`	string value	Group id for Kafka consumer. Consumers in one group will coordinate message consumption
`kafka_consumer_timeout = 1.0`	floating point value	Default timeout(s) for Kafka consumers
`kafka_default_host = localhost`	string value	Default Kafka broker Host
`kafka_default_port = 9092`	port value	Default Kafka broker Port
`kafka_max_fetch_bytes = 1048576`	integer value	Max fetch bytes of Kafka consumer
`pool_size = 10`	integer value	Pool Size for Kafka Consumers
`producer_batch_size = 16384`	integer value	Size of batch for the producer async send
`producer_batch_timeout = 0.0`	floating point value	Upper bound on the delay for KafkaProducer batching in seconds

9.1.25. oslo_messaging_notifications

The following table outlines the options available under the [oslo_messaging_notifications] group in the /etc/keystone/keystone.conf file.

Table 9.25. oslo_messaging_notifications
Configuration option = Default value	Type	Description
`driver = []`	multi valued	The Drivers(s) to handle sending notifications. Possible values are messaging, messagingv2, routing, log, test, noop
`retry = -1`	integer value	The maximum number of attempts to re-send a notification message which failed to be delivered due to a recoverable error. 0 - No retry, -1 - indefinite
`topics = [u'notifications']`	list value	AMQP topic used for OpenStack notifications.
`transport_url = None`	string value	A URL representing the messaging driver to use for notifications. If not set, we fall back to the same configuration used for RPC.

9.1.26. oslo_messaging_rabbit

The following table outlines the options available under the [oslo_messaging_rabbit] group in the /etc/keystone/keystone.conf file.

Table 9.26. oslo_messaging_rabbit
Configuration option = Default value	Type	Description
`amqp_auto_delete = False`	boolean value	Auto-delete queues in AMQP.
`amqp_durable_queues = False`	boolean value	Use durable queues in AMQP.
`channel_max = None`	integer value	Maximum number of channels to allow
`connection_factory = single`	string value	Connection factory implementation
`default_notification_exchange = ${control_exchange}_notification`	string value	Exchange name for sending notifications
`default_notification_retry_attempts = -1`	integer value	Reconnecting retry count in case of connectivity problem during sending notification, -1 means infinite retry.
`default_rpc_exchange = ${control_exchange}_rpc`	string value	Exchange name for sending RPC messages
`default_rpc_retry_attempts = -1`	integer value	Reconnecting retry count in case of connectivity problem during sending RPC message, -1 means infinite retry. If actual retry attempts in not 0 the rpc request could be processed more than one time
`default_serializer_type = json`	string value	Default serialization mechanism for serializing/deserializing outgoing/incoming messages
`fake_rabbit = False`	boolean value	Deprecated, use rpc_backend=kombu+memory or rpc_backend=fake
`frame_max = None`	integer value	The maximum byte size for an AMQP frame
`heartbeat_interval = 3`	integer value	How often to send heartbeats for consumer’s connections
`heartbeat_rate = 2`	integer value	How often times during the heartbeat_timeout_threshold we check the heartbeat.
`heartbeat_timeout_threshold = 60`	integer value	Number of seconds after which the Rabbit broker is considered down if heartbeat’s keep-alive fails (0 disable the heartbeat). EXPERIMENTAL
`host_connection_reconnect_delay = 0.25`	floating point value	Set delay for reconnection to some host which has connection error
`kombu_compression = None`	string value	EXPERIMENTAL: Possible values are: gzip, bz2. If not set compression will not be used. This option may not be available in future versions.
`kombu_failover_strategy = round-robin`	string value	Determines how the next RabbitMQ node is chosen in case the one we are currently connected to becomes unavailable. Takes effect only if more than one RabbitMQ node is provided in config.
`kombu_missing_consumer_retry_timeout = 60`	integer value	How long to wait a missing client before abandoning to send it its replies. This value should not be longer than rpc_response_timeout.
`kombu_reconnect_delay = 1.0`	floating point value	How long to wait before reconnecting in response to an AMQP consumer cancel notification.
`notification_listener_prefetch_count = 100`	integer value	Max number of not acknowledged message which RabbitMQ can send to notification listener.
`notification_persistence = False`	boolean value	Persist notification messages.
`notification_retry_delay = 0.25`	floating point value	Reconnecting retry delay in case of connectivity problem during sending notification message
`pool_max_overflow = 0`	integer value	Maximum number of connections to create above `pool_max_size`.
`pool_max_size = 30`	integer value	Maximum number of connections to keep queued.
`pool_recycle = 600`	integer value	Lifetime of a connection (since creation) in seconds or None for no recycling. Expired connections are closed on acquire.
`pool_stale = 60`	integer value	Threshold at which inactive (since release) connections are considered stale in seconds or None for no staleness. Stale connections are closed on acquire.
`pool_timeout = 30`	integer value	Default number of seconds to wait for a connections to available
`rabbit_ha_queues = False`	boolean value	Try to use HA queues in RabbitMQ (x-ha-policy: all). If you change this option, you must wipe the RabbitMQ database. In RabbitMQ 3.0, queue mirroring is no longer controlled by the x-ha-policy argument when declaring a queue. If you just want to make sure that all queues (except those with auto-generated names) are mirrored across all nodes, run: "rabbitmqctl set_policy HA ^(?!amq\.).* {"ha-mode": "all"} "
`rabbit_host = localhost`	string value	The RabbitMQ broker address where a single node is used.
`rabbit_hosts = [u'$rabbit_host:$rabbit_port']`	list value	RabbitMQ HA cluster host:port pairs.
`rabbit_interval_max = 30`	integer value	Maximum interval of RabbitMQ connection retries. Default is 30 seconds.
`rabbit_login_method = AMQPLAIN`	string value	The RabbitMQ login method.
`rabbit_max_retries = 0`	integer value	Maximum number of RabbitMQ connection retries. Default is 0 (infinite retry count).
`rabbit_password = guest`	string value	The RabbitMQ password.
`rabbit_port = 5672`	port value	The RabbitMQ broker port where a single node is used.
`rabbit_qos_prefetch_count = 0`	integer value	Specifies the number of messages to prefetch. Setting to zero allows unlimited messages.
`rabbit_retry_backoff = 2`	integer value	How long to backoff for between retries when connecting to RabbitMQ.
`rabbit_retry_interval = 1`	integer value	How frequently to retry connecting with RabbitMQ.
`rabbit_transient_queues_ttl = 1800`	integer value	Positive integer representing duration in seconds for queue TTL (x-expires). Queues which are unused for the duration of the TTL are automatically deleted. The parameter affects only reply and fanout queues.
`rabbit_userid = guest`	string value	The RabbitMQ userid.
`rabbit_virtual_host = /`	string value	The RabbitMQ virtual host.
`rpc_listener_prefetch_count = 100`	integer value	Max number of not acknowledged message which RabbitMQ can send to rpc listener.
`rpc_queue_expiration = 60`	integer value	Time to live for rpc queues without consumers in seconds.
`rpc_reply_exchange = ${control_exchange}_rpc_reply`	string value	Exchange name for receiving RPC replies
`rpc_reply_listener_prefetch_count = 100`	integer value	Max number of not acknowledged message which RabbitMQ can send to rpc reply listener.
`rpc_reply_retry_attempts = -1`	integer value	Reconnecting retry count in case of connectivity problem during sending reply. -1 means infinite retry during rpc_timeout
`rpc_reply_retry_delay = 0.25`	floating point value	Reconnecting retry delay in case of connectivity problem during sending reply.
`rpc_retry_delay = 0.25`	floating point value	Reconnecting retry delay in case of connectivity problem during sending RPC message
`socket_timeout = 0.25`	floating point value	Set socket timeout in seconds for connection’s socket
`ssl = None`	boolean value	Enable SSL
`ssl_ca_file = `	string value	SSL certification authority file (valid only if SSL enabled).
`ssl_cert_file = `	string value	SSL cert file (valid only if SSL enabled).
`ssl_key_file = `	string value	SSL key file (valid only if SSL enabled).
`ssl_options = None`	dict value	Arguments passed to ssl.wrap_socket
`ssl_version = `	string value	SSL version to use (valid only if SSL enabled). Valid values are TLSv1 and SSLv23. SSLv2, SSLv3, TLSv1_1, and TLSv1_2 may be available on some distributions.
`tcp_user_timeout = 0.25`	floating point value	Set TCP_USER_TIMEOUT in seconds for connection’s socket

9.1.27. oslo_messaging_zmq

The following table outlines the options available under the [oslo_messaging_zmq] group in the /etc/keystone/keystone.conf file.

Table 9.27. oslo_messaging_zmq
Configuration option = Default value	Type	Description
`rpc_ack_timeout_base = 15`	integer value	Number of seconds to wait for an ack from a cast/call. After each retry attempt this timeout is multiplied by some specified multiplier.
`rpc_ack_timeout_multiplier = 2`	integer value	Number to multiply base ack timeout by after each retry attempt.
`rpc_message_ttl = 300`	integer value	Expiration timeout in seconds of a sent/received message after which it is not tracked anymore by a client/server.
`rpc_poll_timeout = 1`	integer value	The default number of seconds that poll should wait. Poll raises timeout exception when timeout expired.
`rpc_retry_attempts = 3`	integer value	Default number of message sending attempts in case of any problems occurred: positive value N means at most N retries, 0 means no retries, None or -1 (or any other negative values) mean to retry forever. This option is used only if acknowledgments are enabled.
`rpc_thread_pool_size = 100`	integer value	Maximum number of (green) threads to work concurrently.
`rpc_use_acks = False`	boolean value	Wait for message acknowledgements from receivers. This mechanism works only via proxy without PUB/SUB.
`rpc_zmq_bind_address = *`	string value	ZeroMQ bind address. Should be a wildcard (*), an ethernet interface, or IP. The "host" option should point or resolve to this address.
`rpc_zmq_bind_port_retries = 100`	integer value	Number of retries to find free port number before fail with ZMQBindError.
`rpc_zmq_contexts = 1`	integer value	Number of ZeroMQ contexts, defaults to 1.
`rpc_zmq_host = ccsosp-undercloud.usersys.redhat.com`	string value	Name of this node. Must be a valid hostname, FQDN, or IP address. Must match "host" option, if running Nova.
`rpc_zmq_ipc_dir = /var/run/openstack`	string value	Directory for holding IPC sockets.
`rpc_zmq_matchmaker = redis`	string value	MatchMaker driver.
`rpc_zmq_max_port = 65536`	integer value	Maximal port number for random ports range.
`rpc_zmq_min_port = 49153`	port value	Minimal port number for random ports range.
`rpc_zmq_serialization = json`	string value	Default serialization mechanism for serializing/deserializing outgoing/incoming messages
`rpc_zmq_topic_backlog = None`	integer value	Maximum number of ingress messages to locally buffer per topic. Default is unlimited.
`subscribe_on = []`	list value	List of publisher hosts SubConsumer can subscribe on. This option has higher priority then the default publishers list taken from the matchmaker.
`use_dynamic_connections = False`	boolean value	This option makes direct connections dynamic or static. It makes sense only with use_router_proxy=False which means to use direct connections for direct message types (ignored otherwise).
`use_pub_sub = False`	boolean value	Use PUB/SUB pattern for fanout methods. PUB/SUB always uses proxy.
`use_router_proxy = False`	boolean value	Use ROUTER remote proxy.
`zmq_failover_connections = 2`	integer value	How many additional connections to a host will be made for failover reasons. This option is actual only in dynamic connections mode.
`zmq_immediate = True`	boolean value	This option configures round-robin mode in zmq socket. True means not keeping a queue when server side disconnects. False means to keep queue and messages even if server is disconnected, when the server appears we send all accumulated messages to it.
`zmq_linger = -1`	integer value	Number of seconds to wait before all pending messages will be sent after closing a socket. The default value of -1 specifies an infinite linger period. The value of 0 specifies no linger period. Pending messages shall be discarded immediately when the socket is closed. Positive values specify an upper bound for the linger period.
`zmq_target_expire = 300`	integer value	Expiration timeout in seconds of a name service record about existing target ( < 0 means no timeout).
`zmq_target_update = 180`	integer value	Update period in seconds of a name service record about existing target.
`zmq_tcp_keepalive = -1`	integer value	Enable/disable TCP keepalive (KA) mechanism. The default value of -1 (or any other negative value) means to skip any overrides and leave it to OS default; 0 and 1 (or any other positive value) mean to disable and enable the option respectively.
`zmq_tcp_keepalive_cnt = -1`	integer value	The number of retransmissions to be carried out before declaring that remote end is not available. The default value of -1 (or any other negative value and 0) means to skip any overrides and leave it to OS default.
`zmq_tcp_keepalive_idle = -1`	integer value	The duration between two keepalive transmissions in idle condition. The unit is platform dependent, for example, seconds in Linux, milliseconds in Windows etc. The default value of -1 (or any other negative value and 0) means to skip any overrides and leave it to OS default.
`zmq_tcp_keepalive_intvl = -1`	integer value	The duration between two successive keepalive retransmissions, if acknowledgement to the previous keepalive transmission is not received. The unit is platform dependent, for example, seconds in Linux, milliseconds in Windows etc. The default value of -1 (or any other negative value and 0) means to skip any overrides and leave it to OS default.

9.1.28. oslo_middleware

The following table outlines the options available under the [oslo_middleware] group in the /etc/keystone/keystone.conf file.

Table 9.28. oslo_middleware
Configuration option = Default value	Type	Description
`enable_proxy_headers_parsing = False`	boolean value	Whether the application is behind a proxy or not. This determines if the middleware should parse the headers or not.
`max_request_body_size = 114688`	integer value	The maximum body size for each request, in bytes.
`secure_proxy_ssl_header = X-Forwarded-Proto`	string value	The HTTP Header that will be used to determine what the original request protocol scheme was, even if it was hidden by a SSL termination proxy.

9.1.29. oslo_policy

The following table outlines the options available under the [oslo_policy] group in the /etc/keystone/keystone.conf file.

Table 9.29. oslo_policy
Configuration option = Default value	Type	Description
`enforce_scope = False`	boolean value	This option controls whether or not to enforce scope when evaluating policies. If `True`, the scope of the token used in the request is compared to the `scope_types` of the policy being enforced. If the scopes do not match, an `InvalidScope` exception will be raised. If `False`, a message will be logged informing operators that policies are being invoked with mismatching scope.
`policy_default_rule = default`	string value	Default rule. Enforced when a requested rule is not found.
`policy_dirs = [u'policy.d']`	multi valued	Directories where policy configuration files are stored. They can be relative to any directory in the search path defined by the config_dir option, or absolute paths. The file defined by policy_file must exist for these directories to be searched. Missing or empty directories are ignored.
`policy_file = policy.json`	string value	The file that defines policies.
`remote_content_type = application/x-www-form-urlencoded`	string value	Content Type to send and receive data for REST based policy check
`remote_ssl_ca_crt_file = None`	string value	Absolute path to ca cert file for REST based policy check
`remote_ssl_client_crt_file = None`	string value	Absolute path to client cert for REST based policy check
`remote_ssl_client_key_file = None`	string value	Absolute path client key file REST based policy check
`remote_ssl_verify_server_crt = False`	boolean value	server identity verification for REST based policy check

9.1.30. paste_deploy

The following table outlines the options available under the [paste_deploy] group in the /etc/keystone/keystone.conf file.

Table 9.30. paste_deploy
Configuration option = Default value	Type	Description
`config_file = keystone-paste.ini`	string value	Name of (or absolute path to) the Paste Deploy configuration file that composes middleware and the keystone application itself into actual WSGI entry points. See http://pythonpaste.org/deploy/ for additional documentation on the file’s format.

9.1.31. policy

The following table outlines the options available under the [policy] group in the /etc/keystone/keystone.conf file.

Table 9.31. policy
Configuration option = Default value	Type	Description
`driver = sql`	string value	Entry point for the policy backend driver in the `keystone.policy` namespace. Supplied drivers are `rules` (which does not support any CRUD operations for the v3 policy API) and `sql`. Typically, there is no reason to set this option unless you are providing a custom entry point.
`list_limit = None`	integer value	Maximum number of entities that will be returned in a policy collection.

9.1.32. profiler

The following table outlines the options available under the [profiler] group in the /etc/keystone/keystone.conf file.

Table 9.32. profiler
Configuration option = Default value	Type	Description
`connection_string = messaging://`	string value	Connection string for a notifier backend. Default value is messaging:// which sets the notifier to oslo_messaging. Examples of possible values: messaging://: use oslo_messaging driver for sending notifications. mongodb://127.0.0.1:27017 : use mongodb driver for sending notifications. elasticsearch://127.0.0.1:9200 : use elasticsearch driver for sending notifications.
`enabled = False`	boolean value	Enables the profiling for all services on this node. Default value is False (fully disable the profiling feature). Possible values: True: Enables the feature False: Disables the feature. The profiling cannot be started via this project operations. If the profiling is triggered by another project, this project part will be empty.
`es_doc_type = notification`	string value	Document type for notification indexing in elasticsearch.
`es_scroll_size = 10000`	integer value	Elasticsearch splits large requests in batches. This parameter defines maximum size of each batch (for example: es_scroll_size=10000).
`es_scroll_time = 2m`	string value	This parameter is a time value parameter (for example: es_scroll_time=2m), indicating for how long the nodes that participate in the search will maintain relevant resources in order to continue and support it.
`hmac_keys = SECRET_KEY`	string value	Secret key(s) to use for encrypting context data for performance profiling. This string value should have the following format: <key1>[,<key2>,…<keyn>], where each key is some random string. A user who triggers the profiling via the REST API has to set one of these keys in the headers of the REST API call to include profiling results of this node for this particular project. Both "enabled" flag and "hmac_keys" config options should be set to enable profiling. Also, to generate correct profiling information across all services at least one key needs to be consistent between OpenStack projects. This ensures it can be used from client side to generate the trace, containing information from all possible resources.
`sentinel_service_name = mymaster`	string value	Redissentinel uses a service name to identify a master redis service. This parameter defines the name (for example: sentinal_service_name=mymaster).
`socket_timeout = 0.1`	floating point value	Redissentinel provides a timeout option on the connections. This parameter defines that timeout (for example: socket_timeout=0.1).
`trace_sqlalchemy = False`	boolean value	Enables SQL requests profiling in services. Default value is False (SQL requests won’t be traced). Possible values: True: Enables SQL requests profiling. Each SQL query will be part of the trace and can the be analyzed by how much time was spent for that. False: Disables SQL requests profiling. The spent time is only shown on a higher level of operations. Single SQL queries cannot be analyzed this way.

9.1.33. resource

The following table outlines the options available under the [resource] group in the /etc/keystone/keystone.conf file.

Table 9.33. resource
Configuration option = Default value	Type	Description
`admin_project_domain_name = None`	string value	Name of the domain that owns the `admin_project_name`. If left unset, then there is no admin project. `[resource] admin_project_name` must also be set to use this option.
`admin_project_name = None`	string value	This is a special project which represents cloud-level administrator privileges across services. Tokens scoped to this project will contain a true `is_admin_project` attribute to indicate to policy systems that the role assignments on that specific project should apply equally across every project. If left unset, then there is no admin project, and thus no explicit means of cross-project role assignments. `[resource] admin_project_domain_name` must also be set to use this option.
`cache_time = None`	integer value	Time to cache resource data in seconds. This has no effect unless global caching is enabled.
`caching = True`	boolean value	Toggle for resource caching. This has no effect unless global caching is enabled.
`domain_name_url_safe = off`	string value	This controls whether the names of domains are restricted from containing URL-reserved characters. If set to `new`, attempts to create or update a domain with a URL-unsafe name will fail. If set to `strict`, attempts to scope a token with a URL-unsafe domain name will fail, thereby forcing all domain names to be updated to be URL-safe.
`driver = sql`	string value	Entry point for the resource driver in the `keystone.resource` namespace. Only a `sql` driver is supplied by keystone. Unless you are writing proprietary drivers for keystone, you do not need to set this option.
`list_limit = None`	integer value	Maximum number of entities that will be returned in a resource collection.
`project_name_url_safe = off`	string value	This controls whether the names of projects are restricted from containing URL-reserved characters. If set to `new`, attempts to create or update a project with a URL-unsafe name will fail. If set to `strict`, attempts to scope a token with a URL-unsafe project name will fail, thereby forcing all project names to be updated to be URL-safe.

9.1.34. revoke

The following table outlines the options available under the [revoke] group in the /etc/keystone/keystone.conf file.

Table 9.34. revoke
Configuration option = Default value	Type	Description
`cache_time = 3600`	integer value	Time to cache the revocation list and the revocation events (in seconds). This has no effect unless global and `[revoke] caching` are both enabled.
`caching = True`	boolean value	Toggle for revocation event caching. This has no effect unless global caching is enabled.
`driver = sql`	string value	Entry point for the token revocation backend driver in the `keystone.revoke` namespace. Keystone only provides a `sql` driver, so there is no reason to set this option unless you are providing a custom entry point.
`expiration_buffer = 1800`	integer value	The number of seconds after a token has expired before a corresponding revocation event may be purged from the backend.

9.1.35. role

The following table outlines the options available under the [role] group in the /etc/keystone/keystone.conf file.

Table 9.35. role
Configuration option = Default value	Type	Description
`cache_time = None`	integer value	Time to cache role data, in seconds. This has no effect unless both global caching and `[role] caching` are enabled.
`caching = True`	boolean value	Toggle for role caching. This has no effect unless global caching is enabled. In a typical deployment, there is no reason to disable this.
`driver = None`	string value	Entry point for the role backend driver in the `keystone.role` namespace. Keystone only provides a `sql` driver, so there’s no reason to change this unless you are providing a custom entry point.
`list_limit = None`	integer value	Maximum number of entities that will be returned in a role collection. This may be useful to tune if you have a large number of discrete roles in your deployment.

9.1.36. saml

The following table outlines the options available under the [saml] group in the /etc/keystone/keystone.conf file.

Table 9.36. saml
Configuration option = Default value	Type	Description
`assertion_expiration_time = 3600`	integer value	Determines the lifetime for any SAML assertions generated by keystone, using `NotOnOrAfter` attributes.
`certfile = /etc/keystone/ssl/certs/signing_cert.pem`	string value	Absolute path to the public certificate file to use for SAML signing. The value cannot contain a comma (`,`).
`idp_contact_company = Example, Inc.`	string value	This is the company name of the identity provider’s contact person.
`idp_contact_email = support@example.com`	string value	This is the email address of the identity provider’s contact person.
`idp_contact_name = SAML Identity Provider Support`	string value	This is the given name of the identity provider’s contact person.
`idp_contact_surname = Support`	string value	This is the surname of the identity provider’s contact person.
`idp_contact_telephone = +1 800 555 0100`	string value	This is the telephone number of the identity provider’s contact person.
`idp_contact_type = other`	string value	This is the type of contact that best describes the identity provider’s contact person.
`idp_entity_id = None`	uri value	This is the unique entity identifier of the identity provider (keystone) to use when generating SAML assertions. This value is required to generate identity provider metadata and must be a URI (a URL is recommended). For example: `https://keystone.example.com/v3/OS-FEDERATION/saml2/idp`.
`idp_lang = en`	string value	This is the language used by the identity provider’s organization.
`idp_metadata_path = /etc/keystone/saml2_idp_metadata.xml`	string value	Absolute path to the identity provider metadata file. This file should be generated with the `keystone-manage saml_idp_metadata` command. There is typically no reason to change this value.
`idp_organization_display_name = OpenStack SAML Identity Provider`	string value	This is the name of the identity provider’s organization to be displayed.
`idp_organization_name = SAML Identity Provider`	string value	This is the name of the identity provider’s organization.
`idp_organization_url = https://example.com/`	uri value	This is the URL of the identity provider’s organization. The URL referenced here should be useful to humans.
`idp_sso_endpoint = None`	uri value	This is the single sign-on (SSO) service location of the identity provider which accepts HTTP POST requests. A value is required to generate identity provider metadata. For example: `https://keystone.example.com/v3/OS-FEDERATION/saml2/sso`.
`keyfile = /etc/keystone/ssl/private/signing_key.pem`	string value	Absolute path to the private key file to use for SAML signing. The value cannot contain a comma (`,`).
`relay_state_prefix = ss:mem:`	string value	The prefix of the RelayState SAML attribute to use when generating enhanced client and proxy (ECP) assertions. In a typical deployment, there is no reason to change this value.
`xmlsec1_binary = xmlsec1`	string value	Name of, or absolute path to, the binary to be used for XML signing. Although only the XML Security Library (`xmlsec1`) is supported, it may have a non-standard name or path on your system. If keystone cannot find the binary itself, you may need to install the appropriate package, use this option to specify an absolute path, or adjust keystone’s PATH environment variable.

9.1.37. security_compliance

The following table outlines the options available under the [security_compliance] group in the /etc/keystone/keystone.conf file.

Table 9.37. security_compliance
Configuration option = Default value	Type	Description
`change_password_upon_first_use = False`	boolean value	Enabling this option requires users to change their password when the user is created, or upon administrative reset. Before accessing any services, affected users will have to change their password. To ignore this requirement for specific users, such as service users, set the `options` attribute `ignore_change_password_upon_first_use` to `True` for the desired user via the update user API. This feature is disabled by default. This feature is only applicable with the `sql` backend for the `[identity] driver`.
`disable_user_account_days_inactive = None`	integer value	The maximum number of days a user can go without authenticating before being considered "inactive" and automatically disabled (locked). This feature is disabled by default; set any value to enable it. This feature depends on the `sql` backend for the `[identity] driver`. When a user exceeds this threshold and is considered "inactive", the user’s `enabled` attribute in the HTTP API may not match the value of the user’s `enabled` column in the user table.
`lockout_duration = 1800`	integer value	The number of seconds a user account will be locked when the maximum number of failed authentication attempts (as specified by `[security_compliance] lockout_failure_attempts`) is exceeded. Setting this option will have no effect unless you also set `[security_compliance] lockout_failure_attempts` to a non-zero value. This feature depends on the `sql` backend for the `[identity] driver`.
`lockout_failure_attempts = None`	integer value	The maximum number of times that a user can fail to authenticate before the user account is locked for the number of seconds specified by `[security_compliance] lockout_duration`. This feature is disabled by default. If this feature is enabled and `[security_compliance] lockout_duration` is not set, then users may be locked out indefinitely until the user is explicitly enabled via the API. This feature depends on the `sql` backend for the `[identity] driver`.
`minimum_password_age = 0`	integer value	The number of days that a password must be used before the user can change it. This prevents users from changing their passwords immediately in order to wipe out their password history and reuse an old password. This feature does not prevent administrators from manually resetting passwords. It is disabled by default and allows for immediate password changes. This feature depends on the `sql` backend for the `[identity] driver`. Note: If `[security_compliance] password_expires_days` is set, then the value for this option should be less than the `password_expires_days`.
`password_expires_days = None`	integer value	The number of days for which a password will be considered valid before requiring it to be changed. This feature is disabled by default. If enabled, new password changes will have an expiration date, however existing passwords would not be impacted. This feature depends on the `sql` backend for the `[identity] driver`.
`password_regex = None`	string value	The regular expression used to validate password strength requirements. By default, the regular expression will match any password. The following is an example of a pattern which requires at least 1 letter, 1 digit, and have a minimum length of 7 characters: ^(?=.\d)(?=.[a-zA-Z]).{7,}$ This feature depends on the `sql` backend for the `[identity] driver`.
`password_regex_description = None`	string value	Describe your password regular expression here in language for humans. If a password fails to match the regular expression, the contents of this configuration variable will be returned to users to explain why their requested password was insufficient.
`unique_last_password_count = 1`	integer value	This controls the number of previous user password iterations to keep in history, in order to enforce that newly created passwords are unique. The total number which includes the new password should not be greater or equal to this value. Setting the value to one (the default) disables this feature. Thus, to enable this feature, values must be greater than 1. This feature depends on the `sql` backend for the `[identity] driver`.

9.1.38. shadow_users

The following table outlines the options available under the [shadow_users] group in the /etc/keystone/keystone.conf file.

Table 9.38. shadow_users
Configuration option = Default value	Type	Description
`driver = sql`	string value	Entry point for the shadow users backend driver in the `keystone.identity.shadow_users` namespace. This driver is used for persisting local user references to externally-managed identities (via federation, LDAP, etc). Keystone only provides a `sql` driver, so there is no reason to change this option unless you are providing a custom entry point.

9.1.39. signing

The following table outlines the options available under the [signing] group in the /etc/keystone/keystone.conf file.

Table 9.39. signing
Configuration option = Default value	Type	Description
`ca_certs = /etc/keystone/ssl/certs/ca.pem`	string value	Absolute path to the public certificate authority (CA) file to use when creating self-signed certificates with `keystone-manage pki_setup`. Set this together with `[signing] ca_key`. There is no reason to set this option unless you are requesting revocation lists in a non-production environment. Use a `[signing] certfile` issued from a trusted certificate authority instead.
`ca_key = /etc/keystone/ssl/private/cakey.pem`	string value	Absolute path to the private certificate authority (CA) key file to use when creating self-signed certificates with `keystone-manage pki_setup`. Set this together with `[signing] ca_certs`. There is no reason to set this option unless you are requesting revocation lists in a non-production environment. Use a `[signing] certfile` issued from a trusted certificate authority instead.
`cert_subject = /C=US/ST=Unset/L=Unset/O=Unset/CN=www.example.com`	string value	The certificate subject to use when generating a self-signed token signing certificate. There is no reason to set this option unless you are requesting revocation lists in a non-production environment. Use a `[signing] certfile` issued from a trusted certificate authority instead.
`certfile = /etc/keystone/ssl/certs/signing_cert.pem`	string value	Absolute path to the public certificate file to use for signing responses to revocation lists requests. Set this together with `[signing] keyfile`. For non-production environments, you may be interested in using `keystone-manage pki_setup` to generate self-signed certificates.
`key_size = 2048`	integer value	Key size (in bits) to use when generating a self-signed token signing certificate. There is no reason to set this option unless you are requesting revocation lists in a non-production environment. Use a `[signing] certfile` issued from a trusted certificate authority instead.
`keyfile = /etc/keystone/ssl/private/signing_key.pem`	string value	Absolute path to the private key file to use for signing responses to revocation lists requests. Set this together with `[signing] certfile`.
`valid_days = 3650`	integer value	The validity period (in days) to use when generating a self-signed token signing certificate. There is no reason to set this option unless you are requesting revocation lists in a non-production environment. Use a `[signing] certfile` issued from a trusted certificate authority instead.

9.1.40. token

The following table outlines the options available under the [token] group in the /etc/keystone/keystone.conf file.

Table 9.40. token
Configuration option = Default value	Type	Description
`allow_expired_window = 172800`	integer value	This controls the number of seconds that a token can be retrieved for beyond the built-in expiry time. This allows long running operations to succeed. Defaults to two days.
`allow_rescope_scoped_token = True`	boolean value	This toggles whether scoped tokens may be re-scoped to a new project or domain, thereby preventing users from exchanging a scoped token (including those with a default project scope) for any other token. This forces users to either authenticate for unscoped tokens (and later exchange that unscoped token for tokens with a more specific scope) or to provide their credentials in every request for a scoped token to avoid re-scoping altogether.
`bind = []`	list value	This is a list of external authentication mechanisms which should add token binding metadata to tokens, such as `kerberos` or `x509`. Binding metadata is enforced according to the `[token] enforce_token_bind` option.
`cache_on_issue = True`	boolean value	Enable storing issued token data to token validation cache so that first token validation doesn’t actually cause full validation cycle. This option has no effect unless global caching and token caching are enabled.
`cache_time = None`	integer value	The number of seconds to cache token creation and validation data. This has no effect unless both global and `[token] caching` are enabled.
`caching = True`	boolean value	Toggle for caching token creation and validation data. This has no effect unless global caching is enabled.
`driver = sql`	string value	Entry point for the token persistence backend driver in the `keystone.token.persistence` namespace. Keystone provides the `sql` driver. The `sql` option (default) depends on the options in your `[database]` section. If you’re using the `fernet` `[token] provider`, this backend will not be utilized to persist tokens at all.
`enforce_token_bind = permissive`	string value	This controls the token binding enforcement policy on tokens presented to keystone with token binding metadata (as specified by the `[token] bind` option). `disabled` completely bypasses token binding validation. `permissive` and `strict` do not require tokens to have binding metadata (but will validate it if present), whereas `required` will always demand tokens to having binding metadata. `permissive` will allow unsupported binding metadata to pass through without validation (usually to be validated at another time by another component), whereas `strict` and `required` will demand that the included binding metadata be supported by keystone.
`expiration = 3600`	integer value	The amount of time that a token should remain valid (in seconds). Drastically reducing this value may break "long-running" operations that involve multiple services to coordinate together, and will force users to authenticate with keystone more frequently. Drastically increasing this value will increase load on the `[token] driver`, as more tokens will be simultaneously valid. Keystone tokens are also bearer tokens, so a shorter duration will also reduce the potential security impact of a compromised token.
`infer_roles = True`	boolean value	This controls whether roles should be included with tokens that are not directly assigned to the token’s scope, but are instead linked implicitly to other role assignments.
`provider = fernet`	string value	Entry point for the token provider in the `keystone.token.provider` namespace. The token provider controls the token construction, validation, and revocation operations. Keystone includes `fernet` and `uuid` token providers. `uuid` tokens must be persisted (using the backend specified in the `[token] driver` option), but do not require any extra configuration or setup. `fernet` tokens do not need to be persisted at all, but require that you run `keystone-manage fernet_setup` (also see the `keystone-manage fernet_rotate` command).
`revoke_by_id = True`	boolean value	This toggles support for revoking individual tokens by the token identifier and thus various token enumeration operations (such as listing all tokens issued to a specific user). These operations are used to determine the list of tokens to consider revoked. Do not disable this option if you’re using the `kvs` `[revoke] driver`.

9.1.41. tokenless_auth

The following table outlines the options available under the [tokenless_auth] group in the /etc/keystone/keystone.conf file.

Table 9.41. tokenless_auth
Configuration option = Default value	Type	Description
`issuer_attribute = SSL_CLIENT_I_DN`	string value	The name of the WSGI environment variable used to pass the issuer of the client certificate to keystone. This attribute is used as an identity provider ID for the X.509 tokenless authorization along with the protocol to look up its corresponding mapping. In a typical deployment, there is no reason to change this value.
`protocol = x509`	string value	The federated protocol ID used to represent X.509 tokenless authorization. This is used in combination with the value of `[tokenless_auth] issuer_attribute` to find a corresponding federated mapping. In a typical deployment, there is no reason to change this value.
`trusted_issuer = []`	multi valued	The list of distinguished names which identify trusted issuers of client certificates allowed to use X.509 tokenless authorization. If the option is absent then no certificates will be allowed. The format for the values of a distinguished name (DN) must be separated by a comma and contain no spaces. Furthermore, because an individual DN may contain commas, this configuration option may be repeated multiple times to represent multiple values. For example, keystone.conf would include two consecutive lines in order to trust two different DNs, such as `trusted_issuer = CN=john,OU=keystone,O=openstack` and `trusted_issuer = CN=mary,OU=eng,O=abc`.

9.1.42. trust

The following table outlines the options available under the [trust] group in the /etc/keystone/keystone.conf file.

Table 9.42. trust
Configuration option = Default value	Type	Description
`allow_redelegation = False`	boolean value	Allows authorization to be redelegated from one user to another, effectively chaining trusts together. When disabled, the `remaining_uses` attribute of a trust is constrained to be zero.
`driver = sql`	string value	Entry point for the trust backend driver in the `keystone.trust` namespace. Keystone only provides a `sql` driver, so there is no reason to change this unless you are providing a custom entry point.
`enabled = True`	boolean value	Delegation and impersonation features using trusts can be optionally disabled.
`max_redelegation_count = 3`	integer value	Maximum number of times that authorization can be redelegated from one user to another in a chain of trusts. This number may be reduced further for a specific trust.

9.1.43. unified_limit

The following table outlines the options available under the [unified_limit] group in the /etc/keystone/keystone.conf file.

Table 9.43. unified_limit
Configuration option = Default value	Type	Description
`cache_time = None`	integer value	Time to cache unified limit data, in seconds. This has no effect unless both global caching and `[unified_limit] caching` are enabled.
`caching = True`	boolean value	Toggle for unified limit caching. This has no effect unless global caching is enabled. In a typical deployment, there is no reason to disable this.
`driver = sql`	string value	Entry point for the unified limit backend driver in the `keystone.unified_limit` namespace. Keystone only provides a `sql` driver, so there’s no reason to change this unless you are providing a custom entry point.
`list_limit = None`	integer value	Maximum number of entities that will be returned in a role collection. This may be useful to tune if you have a large number of unified limits in your deployment.

Chapter 10. neutron

The following chapter contains information about the configuration options in the neutron service.

10.1. dhcp_agent.ini

This section contains options for the /etc/neutron/dhcp_agent.ini file.

10.1.1. DEFAULT

The following table outlines the options available under the [DEFAULT] group in the /etc/neutron/dhcp_agent.ini file.

Table 10.1. DEFAULT
Configuration option = Default value	Type	Description
`debug = False`	boolean value	If set to true, the logging level will be set to DEBUG instead of the default INFO level.
default_log_levels = [u'amqp=WARN', u'amqplib=WARN', u'boto=WARN', u'qpid=WARN', u'sqlalchemy=WARN', u'suds=INFO', u'oslo.messaging=INFO', u'oslo_messaging=INFO', u'iso8601=WARN', u'requests.packages.urllib3.connectionpool=WARN', u'urllib3.connectionpool=WARN', u'websocket=WARN', u'requests.packages.urllib3.util.retry=WARN', u'urllib3.util.retry=WARN', u'keystonemiddleware=WARN', u'routes.middleware=WARN', u'stevedore=WARN', u'taskflow=WARN', u'keystoneauth=WARN', u'oslo.cache=INFO', u'dogpile.core.dogpile=INFO']	list value	List of package logging levels in logger=LEVEL pairs. This option is ignored if log_config_append is set.
`dhcp_broadcast_reply = False`	boolean value	Use broadcast in DHCP replies.
`dhcp_confs = $state_path/dhcp`	string value	Location to store DHCP server config files.
`dhcp_driver = neutron.agent.linux.dhcp.Dnsmasq`	string value	The driver used to manage the DHCP server.
`dhcp_rebinding_time = 0`	integer value	DHCP rebinding time T2 (in seconds). If set to 0, it will default to 7/8 of the lease time.
`dhcp_renewal_time = 0`	integer value	DHCP renewal time T1 (in seconds). If set to 0, it will default to half of the lease time.
`dnsmasq_base_log_dir = None`	string value	Base log dir for dnsmasq logging. The log contains DHCP and DNS log information and is useful for debugging issues with either DHCP or DNS. If this section is null, disable dnsmasq log.
`dnsmasq_config_file = `	string value	Override the default dnsmasq settings with this file.
`dnsmasq_dns_servers = []`	list value	Comma-separated list of the DNS servers which will be used as forwarders.
`dnsmasq_lease_max = 16777216`	integer value	Limit number of leases to prevent a denial-of-service.
`dnsmasq_local_resolv = False`	boolean value	Enables the dnsmasq service to provide name resolution for instances via DNS resolvers on the host running the DHCP agent. Effectively removes the --no-resolv option from the dnsmasq process arguments. Adding custom DNS resolvers to the dnsmasq_dns_servers option disables this feature.
`enable_isolated_metadata = False`	boolean value	The DHCP server can assist with providing metadata support on isolated networks. Setting this value to True will cause the DHCP server to append specific host routes to the DHCP request. The metadata service will only be activated when the subnet does not contain any router port. The guest instance must be configured to request host routes via DHCP (Option 121). This option doesn’t have any effect when force_metadata is set to True.
`enable_metadata_network = False`	boolean value	Allows for serving metadata requests coming from a dedicated metadata access network whose CIDR is 169.254.169.254/16 (or larger prefix), and is connected to a Neutron router from which the VMs send metadata:1 request. In this case DHCP Option 121 will not be injected in VMs, as they will be able to reach 169.254.169.254 through a router. This option requires enable_isolated_metadata = True.
`fatal_deprecations = False`	boolean value	Enables or disables fatal status of deprecations.
`force_metadata = False`	boolean value	In some cases the Neutron router is not present to provide the metadata IP but the DHCP server can be used to provide this info. Setting this value will force the DHCP server to append specific host routes to the DHCP request. If this option is set, then the metadata service will be activated for all the networks.
`instance_format = [instance: %(uuid)s] `	string value	The format for an instance that is passed with the log message.
`instance_uuid_format = [instance: %(uuid)s] `	string value	The format for an instance UUID that is passed with the log message.
`interface_driver = None`	string value	The driver used to manage the virtual interface.
`log-config-append = None`	string value	The name of a logging configuration file. This file is appended to any existing logging configuration files. For details about logging configuration files, see the Python logging module documentation. Note that when logging configuration files are used then all logging configuration is set in the configuration file and other logging configuration options are ignored (for example, logging_context_format_string).
`log-date-format = %Y-%m-%d %H:%M:%S`	string value	Defines the format string for %%(asctime)s in log records. Default: %(default)s . This option is ignored if log_config_append is set.
`log-dir = None`	string value	(Optional) The base directory used for relative log_file paths. This option is ignored if log_config_append is set.
`log-file = None`	string value	(Optional) Name of log file to send logging output to. If no default is set, logging will go to stderr as defined by use_stderr. This option is ignored if log_config_append is set.
`logging_context_format_string = %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [%(request_id)s %(user_identity)s] %(instance)s%(message)s`	string value	Format string to use for log messages with context.
`logging_debug_format_suffix = %(funcName)s %(pathname)s:%(lineno)d`	string value	Additional data to append to log message when logging level for the message is DEBUG.
`logging_default_format_string = %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [-] %(instance)s%(message)s`	string value	Format string to use for log messages when context is undefined.
`logging_exception_prefix = %(asctime)s.%(msecs)03d %(process)d ERROR %(name)s %(instance)s`	string value	Prefix each line of exception output with this format.
`logging_user_identity_format = %(user)s %(tenant)s %(domain)s %(user_domain)s %(project_domain)s`	string value	Defines the format string for %(user_identity)s that is used in logging_context_format_string.
`num_sync_threads = 4`	integer value	Number of threads to use during sync process. Should not exceed connection pool size configured on server.
`ovs_integration_bridge = br-int`	string value	Name of Open vSwitch bridge to use
`ovs_use_veth = False`	boolean value	Uses veth for an OVS interface or not. Support kernels with limited namespace support (e.g. RHEL 6.5) and rate limiting on router’s gateway port so long as ovs_use_veth is set to True.
`publish_errors = False`	boolean value	Enables or disables publication of error events.
`rate_limit_burst = 0`	integer value	Maximum number of logged messages per rate_limit_interval.
`rate_limit_except_level = CRITICAL`	string value	Log level name used by rate limiting: CRITICAL, ERROR, INFO, WARNING, DEBUG or empty string. Logs with level greater or equal to rate_limit_except_level are not filtered. An empty string means that all levels are filtered.
`rate_limit_interval = 0`	integer value	Interval, number of seconds, of log rate limiting.
`resync_interval = 5`	integer value	The DHCP agent will resync its state with Neutron to recover from any transient notification or RPC errors. The interval is number of seconds between attempts.
`syslog-log-facility = LOG_USER`	string value	Syslog facility to receive log lines. This option is ignored if log_config_append is set.
`use-journal = False`	boolean value	Enable journald for logging. If running in a systemd environment you may wish to enable journal support. Doing so will use the journal native protocol which includes structured metadata in addition to log messages.This option is ignored if log_config_append is set.
`use-json = False`	boolean value	Use JSON formatting for logging. This option is ignored if log_config_append is set.
`use-syslog = False`	boolean value	Use syslog for logging. Existing syslog format is DEPRECATED and will be changed later to honor RFC5424. This option is ignored if log_config_append is set.
`use_stderr = False`	boolean value	Log output to standard error. This option is ignored if log_config_append is set.
`watch-log-file = False`	boolean value	Uses logging handler designed to watch file system. When log file is moved or removed this handler will open a new log file with specified path instantaneously. It makes sense only if log_file option is specified and Linux platform is used. This option is ignored if log_config_append is set.

10.1.2. agent

The following table outlines the options available under the [agent] group in the /etc/neutron/dhcp_agent.ini file.

Table 10.2. agent
Configuration option = Default value	Type	Description
`availability_zone = nova`	string value	Availability zone of this node
`log_agent_heartbeats = False`	boolean value	Log agent heartbeats
`report_interval = 30`	floating point value	Seconds between nodes reporting state to server; should be less than agent_down_time, best if it is half or less than agent_down_time.

10.1.3. ovs

The following table outlines the options available under the [ovs] group in the /etc/neutron/dhcp_agent.ini file.

Table 10.3. ovs
Configuration option = Default value	Type	Description
`bridge_mac_table_size = 50000`	integer value	The maximum number of MAC addresses to learn on a bridge managed by the Neutron OVS agent. Values outside a reasonable range (10 to 1,000,000) might be overridden by Open vSwitch according to the documentation.
`ovsdb_connection = tcp:127.0.0.1:6640`	string value	The connection string for the OVSDB backend. Will be used by ovsdb-client when monitoring and used for the all ovsdb commands when native ovsdb_interface is enabled
`ovsdb_interface = native`	string value	The interface for interacting with the OVSDB
`ovsdb_timeout = 10`	integer value	Timeout in seconds for ovsdb commands. If the timeout expires, ovsdb commands will fail with ALARMCLOCK error.
`ssl_ca_cert_file = None`	string value	The Certificate Authority (CA) certificate to use when interacting with OVSDB. Required when using an "ssl:" prefixed ovsdb_connection
`ssl_cert_file = None`	string value	The SSL certificate file to use when interacting with OVSDB. Required when using an "ssl:" prefixed ovsdb_connection
`ssl_key_file = None`	string value	The SSL private key file to use when interacting with OVSDB. Required when using an "ssl:" prefixed ovsdb_connection

10.2. l3_agent.ini

This section contains options for the /etc/neutron/l3_agent.ini file.

10.2.1. DEFAULT

The following table outlines the options available under the [DEFAULT] group in the /etc/neutron/l3_agent.ini file.

Table 10.4. DEFAULT
Configuration option = Default value	Type	Description
`agent_mode = legacy`	string value	The working mode for the agent. Allowed modes are: legacy - this preserves the existing behavior where the L3 agent is deployed on a centralized networking node to provide L3 services like DNAT, and SNAT. Use this mode if you do not want to adopt DVR. dvr - this mode enables DVR functionality and must be used for an L3 agent that runs on a compute host. dvr_snat - this enables centralized SNAT support in conjunction with DVR. This mode must be used for an L3 agent running on a centralized node (or in single-host deployments, e.g. devstack). dvr_no_external - this mode enables only East/West DVR routing functionality for a L3 agent that runs on a compute host, the North/South functionality such as DNAT and SNAT will be provided by the centralized network node that is running in dvr_snat mode. This mode should be used when there is no external network connectivity on the compute host.
`api_workers = None`	integer value	Number of separate API worker processes for service. If not specified, the default is equal to the number of CPUs available for best performance.
`debug = False`	boolean value	If set to true, the logging level will be set to DEBUG instead of the default INFO level.
default_log_levels = [u'amqp=WARN', u'amqplib=WARN', u'boto=WARN', u'qpid=WARN', u'sqlalchemy=WARN', u'suds=INFO', u'oslo.messaging=INFO', u'oslo_messaging=INFO', u'iso8601=WARN', u'requests.packages.urllib3.connectionpool=WARN', u'urllib3.connectionpool=WARN', u'websocket=WARN', u'requests.packages.urllib3.util.retry=WARN', u'urllib3.util.retry=WARN', u'keystonemiddleware=WARN', u'routes.middleware=WARN', u'stevedore=WARN', u'taskflow=WARN', u'keystoneauth=WARN', u'oslo.cache=INFO', u'dogpile.core.dogpile=INFO']	list value	List of package logging levels in logger=LEVEL pairs. This option is ignored if log_config_append is set.
`enable_metadata_proxy = True`	boolean value	Allow running metadata proxy.
`external_ingress_mark = 0x2`	string value	Iptables mangle mark used to mark ingress from external network. This mark will be masked with 0xffff so that only the lower 16 bits will be used.
`external_network_bridge = `	string value	Name of bridge used for external network traffic. When this parameter is set, the L3 agent will plug an interface directly into an external bridge which will not allow any wiring by the L2 agent. Using this will result in incorrect port statuses. This option is deprecated and will be removed in Ocata.
`fatal_deprecations = False`	boolean value	Enables or disables fatal status of deprecations.
`gateway_external_network_id = `	string value	When external_network_bridge is set, each L3 agent can be associated with no more than one external network. This value should be set to the UUID of that external network. To allow L3 agent support multiple external networks, both the external_network_bridge and gateway_external_network_id must be left empty.
`ha_confs_path = $state_path/ha_confs`	string value	Location to store keepalived/conntrackd config files
`ha_keepalived_state_change_server_threads = 4`	integer value	Number of concurrent threads for keepalived server connection requests. More threads create a higher CPU load on the agent node.
`ha_vrrp_advert_int = 2`	integer value	The advertisement interval in seconds
`ha_vrrp_auth_password = None`	string value	VRRP authentication password
`ha_vrrp_auth_type = PASS`	string value	VRRP authentication type
`ha_vrrp_health_check_interval = 0`	integer value	The VRRP health check interval in seconds. Values > 0 enable VRRP health checks. Setting it to 0 disables VRRP health checks. Recommended value is 5. This will cause pings to be sent to the gateway IP address(es) - requires ICMP_ECHO_REQUEST to be enabled on the gateway. If gateway fails, all routers will be reported as master, and master election will be repeated in round-robin fashion, until one of the router restore the gateway connection.
`handle_internal_only_routers = True`	boolean value	Indicates that this L3 agent should also handle routers that do not have an external network gateway configured. This option should be True only for a single agent in a Neutron deployment, and may be False for all agents if all routers must have an external network gateway.
`instance_format = [instance: %(uuid)s] `	string value	The format for an instance that is passed with the log message.
`instance_uuid_format = [instance: %(uuid)s] `	string value	The format for an instance UUID that is passed with the log message.
`interface_driver = None`	string value	The driver used to manage the virtual interface.
`ipv6_gateway = `	string value	With IPv6, the network used for the external gateway does not need to have an associated subnet, since the automatically assigned link-local address (LLA) can be used. However, an IPv6 gateway address is needed for use as the next-hop for the default route. If no IPv6 gateway address is configured here, (and only then) the neutron router will be configured to get its default route from router advertisements (RAs) from the upstream router; in which case the upstream router must also be configured to send these RAs. The ipv6_gateway, when configured, should be the LLA of the interface on the upstream router. If a next-hop using a global unique address (GUA) is desired, it needs to be done via a subnet allocated to the network and not through this parameter.
`log-config-append = None`	string value	The name of a logging configuration file. This file is appended to any existing logging configuration files. For details about logging configuration files, see the Python logging module documentation. Note that when logging configuration files are used then all logging configuration is set in the configuration file and other logging configuration options are ignored (for example, logging_context_format_string).
`log-date-format = %Y-%m-%d %H:%M:%S`	string value	Defines the format string for %%(asctime)s in log records. Default: %(default)s . This option is ignored if log_config_append is set.
`log-dir = None`	string value	(Optional) The base directory used for relative log_file paths. This option is ignored if log_config_append is set.
`log-file = None`	string value	(Optional) Name of log file to send logging output to. If no default is set, logging will go to stderr as defined by use_stderr. This option is ignored if log_config_append is set.
`logging_context_format_string = %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [%(request_id)s %(user_identity)s] %(instance)s%(message)s`	string value	Format string to use for log messages with context.
`logging_debug_format_suffix = %(funcName)s %(pathname)s:%(lineno)d`	string value	Additional data to append to log message when logging level for the message is DEBUG.
`logging_default_format_string = %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [-] %(instance)s%(message)s`	string value	Format string to use for log messages when context is undefined.
`logging_exception_prefix = %(asctime)s.%(msecs)03d %(process)d ERROR %(name)s %(instance)s`	string value	Prefix each line of exception output with this format.
`logging_user_identity_format = %(user)s %(tenant)s %(domain)s %(user_domain)s %(project_domain)s`	string value	Defines the format string for %(user_identity)s that is used in logging_context_format_string.
`max_rtr_adv_interval = 100`	integer value	MaxRtrAdvInterval setting for radvd.conf
`metadata_access_mark = 0x1`	string value	Iptables mangle mark used to mark metadata valid requests. This mark will be masked with 0xffff so that only the lower 16 bits will be used.
`metadata_port = 9697`	port value	TCP Port used by Neutron metadata namespace proxy.
`min_rtr_adv_interval = 30`	integer value	MinRtrAdvInterval setting for radvd.conf
`ovs_integration_bridge = br-int`	string value	Name of Open vSwitch bridge to use
`ovs_use_veth = False`	boolean value	Uses veth for an OVS interface or not. Support kernels with limited namespace support (e.g. RHEL 6.5) and rate limiting on router’s gateway port so long as ovs_use_veth is set to True.
`pd_confs = $state_path/pd`	string value	Location to store IPv6 PD files.
`periodic_fuzzy_delay = 5`	integer value	Range of seconds to randomly delay when starting the periodic task scheduler to reduce stampeding. (Disable by setting to 0)
`periodic_interval = 40`	integer value	Seconds between running periodic tasks.
`prefix_delegation_driver = dibbler`	string value	Driver used for ipv6 prefix delegation. This needs to be an entry point defined in the neutron.agent.linux.pd_drivers namespace. See setup.cfg for entry points included with the neutron source.
`publish_errors = False`	boolean value	Enables or disables publication of error events.
`ra_confs = $state_path/ra`	string value	Location to store IPv6 RA config files
`rate_limit_burst = 0`	integer value	Maximum number of logged messages per rate_limit_interval.
`rate_limit_except_level = CRITICAL`	string value	Log level name used by rate limiting: CRITICAL, ERROR, INFO, WARNING, DEBUG or empty string. Logs with level greater or equal to rate_limit_except_level are not filtered. An empty string means that all levels are filtered.
`rate_limit_interval = 0`	integer value	Interval, number of seconds, of log rate limiting.
`rpc_state_report_workers = 1`	integer value	Number of RPC worker processes dedicated to state reports queue.
`rpc_workers = 1`	integer value	Number of RPC worker processes for service.
`syslog-log-facility = LOG_USER`	string value	Syslog facility to receive log lines. This option is ignored if log_config_append is set.
`use-journal = False`	boolean value	Enable journald for logging. If running in a systemd environment you may wish to enable journal support. Doing so will use the journal native protocol which includes structured metadata in addition to log messages.This option is ignored if log_config_append is set.
`use-json = False`	boolean value	Use JSON formatting for logging. This option is ignored if log_config_append is set.
`use-syslog = False`	boolean value	Use syslog for logging. Existing syslog format is DEPRECATED and will be changed later to honor RFC5424. This option is ignored if log_config_append is set.
`use_stderr = False`	boolean value	Log output to standard error. This option is ignored if log_config_append is set.
`vendor_pen = 8888`	string value	A decimal value as Vendor’s Registered Private Enterprise Number as required by RFC3315 DUID-EN.
`watch-log-file = False`	boolean value	Uses logging handler designed to watch file system. When log file is moved or removed this handler will open a new log file with specified path instantaneously. It makes sense only if log_file option is specified and Linux platform is used. This option is ignored if log_config_append is set.

10.2.2. agent

The following table outlines the options available under the [agent] group in the /etc/neutron/l3_agent.ini file.

Table 10.5. agent
Configuration option = Default value	Type	Description
`availability_zone = nova`	string value	Availability zone of this node
`extensions = []`	list value	Extensions list to use
`log_agent_heartbeats = False`	boolean value	Log agent heartbeats
`report_interval = 30`	floating point value	Seconds between nodes reporting state to server; should be less than agent_down_time, best if it is half or less than agent_down_time.

10.2.3. ovs

The following table outlines the options available under the [ovs] group in the /etc/neutron/l3_agent.ini file.

Table 10.6. ovs
Configuration option = Default value	Type	Description
`bridge_mac_table_size = 50000`	integer value	The maximum number of MAC addresses to learn on a bridge managed by the Neutron OVS agent. Values outside a reasonable range (10 to 1,000,000) might be overridden by Open vSwitch according to the documentation.
`ovsdb_connection = tcp:127.0.0.1:6640`	string value	The connection string for the OVSDB backend. Will be used by ovsdb-client when monitoring and used for the all ovsdb commands when native ovsdb_interface is enabled
`ovsdb_interface = native`	string value	The interface for interacting with the OVSDB
`ovsdb_timeout = 10`	integer value	Timeout in seconds for ovsdb commands. If the timeout expires, ovsdb commands will fail with ALARMCLOCK error.
`ssl_ca_cert_file = None`	string value	The Certificate Authority (CA) certificate to use when interacting with OVSDB. Required when using an "ssl:" prefixed ovsdb_connection
`ssl_cert_file = None`	string value	The SSL certificate file to use when interacting with OVSDB. Required when using an "ssl:" prefixed ovsdb_connection
`ssl_key_file = None`	string value	The SSL private key file to use when interacting with OVSDB. Required when using an "ssl:" prefixed ovsdb_connection

10.3. linuxbridge_agent.ini

This section contains options for the /etc/neutron/plugins/ml2/linuxbridge_agent.ini file.

10.3.1. DEFAULT

The following table outlines the options available under the [DEFAULT] group in the /etc/neutron/plugins/ml2/linuxbridge_agent.ini file.

Table 10.7. DEFAULT
Configuration option = Default value	Type	Description
`debug = False`	boolean value	If set to true, the logging level will be set to DEBUG instead of the default INFO level.
default_log_levels = [u'amqp=WARN', u'amqplib=WARN', u'boto=WARN', u'qpid=WARN', u'sqlalchemy=WARN', u'suds=INFO', u'oslo.messaging=INFO', u'oslo_messaging=INFO', u'iso8601=WARN', u'requests.packages.urllib3.connectionpool=WARN', u'urllib3.connectionpool=WARN', u'websocket=WARN', u'requests.packages.urllib3.util.retry=WARN', u'urllib3.util.retry=WARN', u'keystonemiddleware=WARN', u'routes.middleware=WARN', u'stevedore=WARN', u'taskflow=WARN', u'keystoneauth=WARN', u'oslo.cache=INFO', u'dogpile.core.dogpile=INFO']	list value	List of package logging levels in logger=LEVEL pairs. This option is ignored if log_config_append is set.
`fatal_deprecations = False`	boolean value	Enables or disables fatal status of deprecations.
`instance_format = [instance: %(uuid)s] `	string value	The format for an instance that is passed with the log message.
`instance_uuid_format = [instance: %(uuid)s] `	string value	The format for an instance UUID that is passed with the log message.
`log-config-append = None`	string value	The name of a logging configuration file. This file is appended to any existing logging configuration files. For details about logging configuration files, see the Python logging module documentation. Note that when logging configuration files are used then all logging configuration is set in the configuration file and other logging configuration options are ignored (for example, logging_context_format_string).
`log-date-format = %Y-%m-%d %H:%M:%S`	string value	Defines the format string for %%(asctime)s in log records. Default: %(default)s . This option is ignored if log_config_append is set.
`log-dir = None`	string value	(Optional) The base directory used for relative log_file paths. This option is ignored if log_config_append is set.
`log-file = None`	string value	(Optional) Name of log file to send logging output to. If no default is set, logging will go to stderr as defined by use_stderr. This option is ignored if log_config_append is set.
`logging_context_format_string = %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [%(request_id)s %(user_identity)s] %(instance)s%(message)s`	string value	Format string to use for log messages with context.
`logging_debug_format_suffix = %(funcName)s %(pathname)s:%(lineno)d`	string value	Additional data to append to log message when logging level for the message is DEBUG.
`logging_default_format_string = %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [-] %(instance)s%(message)s`	string value	Format string to use for log messages when context is undefined.
`logging_exception_prefix = %(asctime)s.%(msecs)03d %(process)d ERROR %(name)s %(instance)s`	string value	Prefix each line of exception output with this format.
`logging_user_identity_format = %(user)s %(tenant)s %(domain)s %(user_domain)s %(project_domain)s`	string value	Defines the format string for %(user_identity)s that is used in logging_context_format_string.
`publish_errors = False`	boolean value	Enables or disables publication of error events.
`rate_limit_burst = 0`	integer value	Maximum number of logged messages per rate_limit_interval.
`rate_limit_except_level = CRITICAL`	string value	Log level name used by rate limiting: CRITICAL, ERROR, INFO, WARNING, DEBUG or empty string. Logs with level greater or equal to rate_limit_except_level are not filtered. An empty string means that all levels are filtered.
`rate_limit_interval = 0`	integer value	Interval, number of seconds, of log rate limiting.
`syslog-log-facility = LOG_USER`	string value	Syslog facility to receive log lines. This option is ignored if log_config_append is set.
`use-journal = False`	boolean value	Enable journald for logging. If running in a systemd environment you may wish to enable journal support. Doing so will use the journal native protocol which includes structured metadata in addition to log messages.This option is ignored if log_config_append is set.
`use-json = False`	boolean value	Use JSON formatting for logging. This option is ignored if log_config_append is set.
`use-syslog = False`	boolean value	Use syslog for logging. Existing syslog format is DEPRECATED and will be changed later to honor RFC5424. This option is ignored if log_config_append is set.
`use_stderr = False`	boolean value	Log output to standard error. This option is ignored if log_config_append is set.
`watch-log-file = False`	boolean value	Uses logging handler designed to watch file system. When log file is moved or removed this handler will open a new log file with specified path instantaneously. It makes sense only if log_file option is specified and Linux platform is used. This option is ignored if log_config_append is set.

10.3.2. agent

The following table outlines the options available under the [agent] group in the /etc/neutron/plugins/ml2/linuxbridge_agent.ini file.

Table 10.8. agent
Configuration option = Default value	Type	Description
`dscp = None`	integer value	The DSCP value to use for outer headers during tunnel encapsulation.
`dscp_inherit = False`	boolean value	If set to True, the DSCP value of tunnel interfaces is overwritten and set to inherit. The DSCP value of the inner header is then copied to the outer header.
`extensions = []`	list value	Extensions list to use
`polling_interval = 2`	integer value	The number of seconds the agent will wait between polling for local device changes.
`quitting_rpc_timeout = 10`	integer value	Set new timeout in seconds for new rpc calls after agent receives SIGTERM. If value is set to 0, rpc timeout won’t be changed

10.3.3. linux_bridge

The following table outlines the options available under the [linux_bridge] group in the /etc/neutron/plugins/ml2/linuxbridge_agent.ini file.

Table 10.9. linux_bridge
Configuration option = Default value	Type	Description
`bridge_mappings = []`	list value	List of <physical_network>:<physical_bridge>
`physical_interface_mappings = []`	list value	Comma-separated list of <physical_network>:<physical_interface> tuples mapping physical network names to the agent’s node-specific physical network interfaces to be used for flat and VLAN networks. All physical networks listed in network_vlan_ranges on the server should have mappings to appropriate interfaces on each agent.

10.3.4. network_log

The following table outlines the options available under the [network_log] group in the /etc/neutron/plugins/ml2/linuxbridge_agent.ini file.

Table 10.10. network_log
Configuration option = Default value	Type	Description
`burst_limit = 25`	integer value	Maximum number of packets per rate_limit.
`local_output_log_base = None`	string value	Output logfile path on agent side, default syslog file.
`rate_limit = 100`	integer value	Maximum packets logging per second.

10.3.5. securitygroup

The following table outlines the options available under the [securitygroup] group in the /etc/neutron/plugins/ml2/linuxbridge_agent.ini file.

Table 10.11. securitygroup
Configuration option = Default value	Type	Description
`enable_ipset = True`	boolean value	Use ipset to speed-up the iptables based security groups. Enabling ipset support requires that ipset is installed on L2 agent node.
`enable_security_group = True`	boolean value	Controls whether the neutron security group API is enabled in the server. It should be false when using no security groups or using the nova security group API.
`firewall_driver = None`	string value	Driver for security groups firewall in the L2 agent

10.3.6. vxlan

The following table outlines the options available under the [vxlan] group in the /etc/neutron/plugins/ml2/linuxbridge_agent.ini file.

Table 10.12. vxlan
Configuration option = Default value	Type	Description
`arp_responder = False`	boolean value	Enable local ARP responder which provides local responses instead of performing ARP broadcast into the overlay. Enabling local ARP responder is not fully compatible with the allowed-address-pairs extension.
`enable_vxlan = True`	boolean value	Enable VXLAN on the agent. Can be enabled when agent is managed by ml2 plugin using linuxbridge mechanism driver
`l2_population = False`	boolean value	Extension to use alongside ml2 plugin’s l2population mechanism driver. It enables the plugin to populate VXLAN forwarding table.
`local_ip = None`	IP address value	IP address of local overlay (tunnel) network endpoint. Use either an IPv4 or IPv6 address that resides on one of the host network interfaces. The IP version of this value must match the value of the overlay_ip_version option in the ML2 plug-in configuration file on the neutron server node(s).
`multicast_ranges = []`	list value	Optional comma-separated list of <multicast address>:<vni_min>:<vni_max> triples describing how to assign a multicast address to VXLAN according to its VNI ID.
`tos = None`	integer value	TOS for vxlan interface protocol packets. This option is deprecated in favor of the dscp option in the AGENT section and will be removed in a future release. To convert the TOS value to DSCP, divide by 4.
`ttl = None`	integer value	TTL for vxlan interface protocol packets.
`udp_dstport = None`	port value	The UDP port used for VXLAN communication. By default, the Linux kernel doesn’t use the IANA assigned standard value, so if you want to use it, this option must be set to 4789. It is not set by default because of backward compatibiltiy.
`udp_srcport_max = 0`	port value	The maximum of the UDP source port range used for VXLAN communication.
`udp_srcport_min = 0`	port value	The minimum of the UDP source port range used for VXLAN communication.
`vxlan_group = 224.0.0.1`	string value	Multicast group(s) for vxlan interface. A range of group addresses may be specified by using CIDR notation. Specifying a range allows different VNIs to use different group addresses, reducing or eliminating spurious broadcast traffic to the tunnel endpoints. To reserve a unique group for each possible (24-bit) VNI, use a /8 such as 239.0.0.0/8. This setting must be the same on all the agents.

10.4. metadata_agent.ini

This section contains options for the /etc/neutron/metadata_agent.ini file.

10.4.1. DEFAULT

The following table outlines the options available under the [DEFAULT] group in the /etc/neutron/metadata_agent.ini file.

Table 10.13. DEFAULT
Configuration option = Default value	Type	Description
`auth_ca_cert = None`	string value	Certificate Authority public key (CA cert) file for ssl
`debug = False`	boolean value	If set to true, the logging level will be set to DEBUG instead of the default INFO level.
default_log_levels = [u'amqp=WARN', u'amqplib=WARN', u'boto=WARN', u'qpid=WARN', u'sqlalchemy=WARN', u'suds=INFO', u'oslo.messaging=INFO', u'oslo_messaging=INFO', u'iso8601=WARN', u'requests.packages.urllib3.connectionpool=WARN', u'urllib3.connectionpool=WARN', u'websocket=WARN', u'requests.packages.urllib3.util.retry=WARN', u'urllib3.util.retry=WARN', u'keystonemiddleware=WARN', u'routes.middleware=WARN', u'stevedore=WARN', u'taskflow=WARN', u'keystoneauth=WARN', u'oslo.cache=INFO', u'dogpile.core.dogpile=INFO']	list value	List of package logging levels in logger=LEVEL pairs. This option is ignored if log_config_append is set.
`fatal_deprecations = False`	boolean value	Enables or disables fatal status of deprecations.
`instance_format = [instance: %(uuid)s] `	string value	The format for an instance that is passed with the log message.
`instance_uuid_format = [instance: %(uuid)s] `	string value	The format for an instance UUID that is passed with the log message.
`log-config-append = None`	string value	The name of a logging configuration file. This file is appended to any existing logging configuration files. For details about logging configuration files, see the Python logging module documentation. Note that when logging configuration files are used then all logging configuration is set in the configuration file and other logging configuration options are ignored (for example, logging_context_format_string).
`log-date-format = %Y-%m-%d %H:%M:%S`	string value	Defines the format string for %%(asctime)s in log records. Default: %(default)s . This option is ignored if log_config_append is set.
`log-dir = None`	string value	(Optional) The base directory used for relative log_file paths. This option is ignored if log_config_append is set.
`log-file = None`	string value	(Optional) Name of log file to send logging output to. If no default is set, logging will go to stderr as defined by use_stderr. This option is ignored if log_config_append is set.
`logging_context_format_string = %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [%(request_id)s %(user_identity)s] %(instance)s%(message)s`	string value	Format string to use for log messages with context.
`logging_debug_format_suffix = %(funcName)s %(pathname)s:%(lineno)d`	string value	Additional data to append to log message when logging level for the message is DEBUG.
`logging_default_format_string = %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [-] %(instance)s%(message)s`	string value	Format string to use for log messages when context is undefined.
`logging_exception_prefix = %(asctime)s.%(msecs)03d %(process)d ERROR %(name)s %(instance)s`	string value	Prefix each line of exception output with this format.
`logging_user_identity_format = %(user)s %(tenant)s %(domain)s %(user_domain)s %(project_domain)s`	string value	Defines the format string for %(user_identity)s that is used in logging_context_format_string.
`metadata_backlog = 4096`	integer value	Number of backlog requests to configure the metadata server socket with
`metadata_proxy_group = `	string value	Group (gid or name) running metadata proxy after its initialization (if empty: agent effective group).
`metadata_proxy_shared_secret = `	string value	When proxying metadata requests, Neutron signs the Instance-ID header with a shared secret to prevent spoofing. You may select any string for a secret, but it must match here and in the configuration used by the Nova Metadata Server. NOTE: Nova uses the same config key, but in [neutron] section.
`metadata_proxy_socket = $state_path/metadata_proxy`	string value	Location for Metadata Proxy UNIX domain socket.
`metadata_proxy_socket_mode = deduce`	string value	Metadata Proxy UNIX domain socket mode, 4 values allowed: deduce: deduce mode from metadata_proxy_user/group values, user: set metadata proxy socket mode to 0o644, to use when metadata_proxy_user is agent effective user or root, group: set metadata proxy socket mode to 0o664, to use when metadata_proxy_group is agent effective group or root, all: set metadata proxy socket mode to 0o666, to use otherwise.
`metadata_proxy_user = `	string value	User (uid or name) running metadata proxy after its initialization (if empty: agent effective user).
`metadata_workers = 4`	integer value	Number of separate worker processes for metadata server (defaults to half of the number of CPUs)
`nova_client_cert = `	string value	Client certificate for nova metadata api server.
`nova_client_priv_key = `	string value	Private key of client certificate.
`nova_metadata_host = 127.0.0.1`	unknown value	IP address or DNS name of Nova metadata server.
`nova_metadata_insecure = False`	boolean value	Allow to perform insecure SSL (https) requests to nova metadata
`nova_metadata_port = 8775`	port value	TCP Port used by Nova metadata server.
`nova_metadata_protocol = http`	string value	Protocol to access nova metadata, http or https
`publish_errors = False`	boolean value	Enables or disables publication of error events.
`rate_limit_burst = 0`	integer value	Maximum number of logged messages per rate_limit_interval.
`rate_limit_except_level = CRITICAL`	string value	Log level name used by rate limiting: CRITICAL, ERROR, INFO, WARNING, DEBUG or empty string. Logs with level greater or equal to rate_limit_except_level are not filtered. An empty string means that all levels are filtered.
`rate_limit_interval = 0`	integer value	Interval, number of seconds, of log rate limiting.
`syslog-log-facility = LOG_USER`	string value	Syslog facility to receive log lines. This option is ignored if log_config_append is set.
`use-journal = False`	boolean value	Enable journald for logging. If running in a systemd environment you may wish to enable journal support. Doing so will use the journal native protocol which includes structured metadata in addition to log messages.This option is ignored if log_config_append is set.
`use-json = False`	boolean value	Use JSON formatting for logging. This option is ignored if log_config_append is set.
`use-syslog = False`	boolean value	Use syslog for logging. Existing syslog format is DEPRECATED and will be changed later to honor RFC5424. This option is ignored if log_config_append is set.
`use_stderr = False`	boolean value	Log output to standard error. This option is ignored if log_config_append is set.
`watch-log-file = False`	boolean value	Uses logging handler designed to watch file system. When log file is moved or removed this handler will open a new log file with specified path instantaneously. It makes sense only if log_file option is specified and Linux platform is used. This option is ignored if log_config_append is set.

10.4.2. agent

The following table outlines the options available under the [agent] group in the /etc/neutron/metadata_agent.ini file.

Table 10.14. agent
Configuration option = Default value	Type	Description
`log_agent_heartbeats = False`	boolean value	Log agent heartbeats
`report_interval = 30`	floating point value	Seconds between nodes reporting state to server; should be less than agent_down_time, best if it is half or less than agent_down_time.

10.4.3. cache

The following table outlines the options available under the [cache] group in the /etc/neutron/metadata_agent.ini file.

Table 10.15. cache
Configuration option = Default value	Type	Description
`backend = dogpile.cache.null`	string value	Cache backend module. For eventlet-based or environments with hundreds of threaded servers, Memcache with pooling (oslo_cache.memcache_pool) is recommended. For environments with less than 100 threaded servers, Memcached (dogpile.cache.memcached) or Redis (dogpile.cache.redis) is recommended. Test environments with a single instance of the server can use the dogpile.cache.memory backend.
`backend_argument = []`	multi valued	Arguments supplied to the backend module. Specify this option once per argument to be passed to the dogpile.cache backend. Example format: "<argname>:<value>".
`config_prefix = cache.oslo`	string value	Prefix for building the configuration dictionary for the cache region. This should not need to be changed unless there is another dogpile.cache region with the same configuration name.
`debug_cache_backend = False`	boolean value	Extra debugging from the cache backend (cache keys, get/set/delete/etc calls). This is only really useful if you need to see the specific cache-backend get/set/delete calls with the keys/values. Typically this should be left set to false.
`enabled = False`	boolean value	Global toggle for caching.
`expiration_time = 600`	integer value	Default TTL, in seconds, for any cached item in the dogpile.cache region. This applies to any cached method that doesn’t have an explicit cache expiration time defined for it.
`memcache_dead_retry = 300`	integer value	Number of seconds memcached server is considered dead before it is tried again. (dogpile.cache.memcache and oslo_cache.memcache_pool backends only).
`memcache_pool_connection_get_timeout = 10`	integer value	Number of seconds that an operation will wait to get a memcache client connection.
`memcache_pool_maxsize = 10`	integer value	Max total number of open connections to every memcached server. (oslo_cache.memcache_pool backend only).
`memcache_pool_unused_timeout = 60`	integer value	Number of seconds a connection to memcached is held unused in the pool before it is closed. (oslo_cache.memcache_pool backend only).
`memcache_servers = [u'localhost:11211']`	list value	Memcache servers in the format of "host:port". (dogpile.cache.memcache and oslo_cache.memcache_pool backends only).
`memcache_socket_timeout = 3`	integer value	Timeout in seconds for every call to a server. (dogpile.cache.memcache and oslo_cache.memcache_pool backends only).
`proxies = []`	list value	Proxy classes to import that will affect the way the dogpile.cache backend functions. See the dogpile.cache documentation on changing-backend-behavior.

10.5. metering_agent.ini

This section contains options for the /etc/neutron/metering_agent.ini file.

10.5.1. DEFAULT

The following table outlines the options available under the [DEFAULT] group in the /etc/neutron/metering_agent.ini file.

Table 10.16. DEFAULT
Configuration option = Default value	Type	Description
`debug = False`	boolean value	If set to true, the logging level will be set to DEBUG instead of the default INFO level.
default_log_levels = [u'amqp=WARN', u'amqplib=WARN', u'boto=WARN', u'qpid=WARN', u'sqlalchemy=WARN', u'suds=INFO', u'oslo.messaging=INFO', u'oslo_messaging=INFO', u'iso8601=WARN', u'requests.packages.urllib3.connectionpool=WARN', u'urllib3.connectionpool=WARN', u'websocket=WARN', u'requests.packages.urllib3.util.retry=WARN', u'urllib3.util.retry=WARN', u'keystonemiddleware=WARN', u'routes.middleware=WARN', u'stevedore=WARN', u'taskflow=WARN', u'keystoneauth=WARN', u'oslo.cache=INFO', u'dogpile.core.dogpile=INFO']	list value	List of package logging levels in logger=LEVEL pairs. This option is ignored if log_config_append is set.
`driver = neutron.services.metering.drivers.noop.noop_driver.NoopMeteringDriver`	string value	Metering driver
`fatal_deprecations = False`	boolean value	Enables or disables fatal status of deprecations.
`instance_format = [instance: %(uuid)s] `	string value	The format for an instance that is passed with the log message.
`instance_uuid_format = [instance: %(uuid)s] `	string value	The format for an instance UUID that is passed with the log message.
`interface_driver = None`	string value	The driver used to manage the virtual interface.
`log-config-append = None`	string value	The name of a logging configuration file. This file is appended to any existing logging configuration files. For details about logging configuration files, see the Python logging module documentation. Note that when logging configuration files are used then all logging configuration is set in the configuration file and other logging configuration options are ignored (for example, logging_context_format_string).
`log-date-format = %Y-%m-%d %H:%M:%S`	string value	Defines the format string for %%(asctime)s in log records. Default: %(default)s . This option is ignored if log_config_append is set.
`log-dir = None`	string value	(Optional) The base directory used for relative log_file paths. This option is ignored if log_config_append is set.
`log-file = None`	string value	(Optional) Name of log file to send logging output to. If no default is set, logging will go to stderr as defined by use_stderr. This option is ignored if log_config_append is set.
`logging_context_format_string = %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [%(request_id)s %(user_identity)s] %(instance)s%(message)s`	string value	Format string to use for log messages with context.
`logging_debug_format_suffix = %(funcName)s %(pathname)s:%(lineno)d`	string value	Additional data to append to log message when logging level for the message is DEBUG.
`logging_default_format_string = %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [-] %(instance)s%(message)s`	string value	Format string to use for log messages when context is undefined.
`logging_exception_prefix = %(asctime)s.%(msecs)03d %(process)d ERROR %(name)s %(instance)s`	string value	Prefix each line of exception output with this format.
`logging_user_identity_format = %(user)s %(tenant)s %(domain)s %(user_domain)s %(project_domain)s`	string value	Defines the format string for %(user_identity)s that is used in logging_context_format_string.
`measure_interval = 30`	integer value	Interval between two metering measures
`ovs_integration_bridge = br-int`	string value	Name of Open vSwitch bridge to use
`ovs_use_veth = False`	boolean value	Uses veth for an OVS interface or not. Support kernels with limited namespace support (e.g. RHEL 6.5) and rate limiting on router’s gateway port so long as ovs_use_veth is set to True.
`publish_errors = False`	boolean value	Enables or disables publication of error events.
`rate_limit_burst = 0`	integer value	Maximum number of logged messages per rate_limit_interval.
`rate_limit_except_level = CRITICAL`	string value	Log level name used by rate limiting: CRITICAL, ERROR, INFO, WARNING, DEBUG or empty string. Logs with level greater or equal to rate_limit_except_level are not filtered. An empty string means that all levels are filtered.
`rate_limit_interval = 0`	integer value	Interval, number of seconds, of log rate limiting.
`report_interval = 300`	integer value	Interval between two metering reports
`syslog-log-facility = LOG_USER`	string value	Syslog facility to receive log lines. This option is ignored if log_config_append is set.
`use-journal = False`	boolean value	Enable journald for logging. If running in a systemd environment you may wish to enable journal support. Doing so will use the journal native protocol which includes structured metadata in addition to log messages.This option is ignored if log_config_append is set.
`use-json = False`	boolean value	Use JSON formatting for logging. This option is ignored if log_config_append is set.
`use-syslog = False`	boolean value	Use syslog for logging. Existing syslog format is DEPRECATED and will be changed later to honor RFC5424. This option is ignored if log_config_append is set.
`use_stderr = False`	boolean value	Log output to standard error. This option is ignored if log_config_append is set.
`watch-log-file = False`	boolean value	Uses logging handler designed to watch file system. When log file is moved or removed this handler will open a new log file with specified path instantaneously. It makes sense only if log_file option is specified and Linux platform is used. This option is ignored if log_config_append is set.

10.5.2. agent

The following table outlines the options available under the [agent] group in the /etc/neutron/metering_agent.ini file.

Table 10.17. agent
Configuration option = Default value	Type	Description
`log_agent_heartbeats = False`	boolean value	Log agent heartbeats
`report_interval = 30`	floating point value	Seconds between nodes reporting state to server; should be less than agent_down_time, best if it is half or less than agent_down_time.

10.5.3. ovs

The following table outlines the options available under the [ovs] group in the /etc/neutron/metering_agent.ini file.

Table 10.18. ovs
Configuration option = Default value	Type	Description
`bridge_mac_table_size = 50000`	integer value	The maximum number of MAC addresses to learn on a bridge managed by the Neutron OVS agent. Values outside a reasonable range (10 to 1,000,000) might be overridden by Open vSwitch according to the documentation.
`ovsdb_connection = tcp:127.0.0.1:6640`	string value	The connection string for the OVSDB backend. Will be used by ovsdb-client when monitoring and used for the all ovsdb commands when native ovsdb_interface is enabled
`ovsdb_interface = native`	string value	The interface for interacting with the OVSDB
`ovsdb_timeout = 10`	integer value	Timeout in seconds for ovsdb commands. If the timeout expires, ovsdb commands will fail with ALARMCLOCK error.
`ssl_ca_cert_file = None`	string value	The Certificate Authority (CA) certificate to use when interacting with OVSDB. Required when using an "ssl:" prefixed ovsdb_connection
`ssl_cert_file = None`	string value	The SSL certificate file to use when interacting with OVSDB. Required when using an "ssl:" prefixed ovsdb_connection
`ssl_key_file = None`	string value	The SSL private key file to use when interacting with OVSDB. Required when using an "ssl:" prefixed ovsdb_connection

10.6. ml2_conf.ini

This section contains options for the /etc/neutron/plugins/ml2/ml2_conf.ini file.

10.6.1. DEFAULT

The following table outlines the options available under the [DEFAULT] group in the /etc/neutron/plugins/ml2/ml2_conf.ini file.

Table 10.19. DEFAULT
Configuration option = Default value	Type	Description
`debug = False`	boolean value	If set to true, the logging level will be set to DEBUG instead of the default INFO level.
default_log_levels = [u'amqp=WARN', u'amqplib=WARN', u'boto=WARN', u'qpid=WARN', u'sqlalchemy=WARN', u'suds=INFO', u'oslo.messaging=INFO', u'oslo_messaging=INFO', u'iso8601=WARN', u'requests.packages.urllib3.connectionpool=WARN', u'urllib3.connectionpool=WARN', u'websocket=WARN', u'requests.packages.urllib3.util.retry=WARN', u'urllib3.util.retry=WARN', u'keystonemiddleware=WARN', u'routes.middleware=WARN', u'stevedore=WARN', u'taskflow=WARN', u'keystoneauth=WARN', u'oslo.cache=INFO', u'dogpile.core.dogpile=INFO']	list value	List of package logging levels in logger=LEVEL pairs. This option is ignored if log_config_append is set.
`fatal_deprecations = False`	boolean value	Enables or disables fatal status of deprecations.
`instance_format = [instance: %(uuid)s] `	string value	The format for an instance that is passed with the log message.
`instance_uuid_format = [instance: %(uuid)s] `	string value	The format for an instance UUID that is passed with the log message.
`log-config-append = None`	string value	The name of a logging configuration file. This file is appended to any existing logging configuration files. For details about logging configuration files, see the Python logging module documentation. Note that when logging configuration files are used then all logging configuration is set in the configuration file and other logging configuration options are ignored (for example, logging_context_format_string).
`log-date-format = %Y-%m-%d %H:%M:%S`	string value	Defines the format string for %%(asctime)s in log records. Default: %(default)s . This option is ignored if log_config_append is set.
`log-dir = None`	string value	(Optional) The base directory used for relative log_file paths. This option is ignored if log_config_append is set.
`log-file = None`	string value	(Optional) Name of log file to send logging output to. If no default is set, logging will go to stderr as defined by use_stderr. This option is ignored if log_config_append is set.
`logging_context_format_string = %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [%(request_id)s %(user_identity)s] %(instance)s%(message)s`	string value	Format string to use for log messages with context.
`logging_debug_format_suffix = %(funcName)s %(pathname)s:%(lineno)d`	string value	Additional data to append to log message when logging level for the message is DEBUG.
`logging_default_format_string = %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [-] %(instance)s%(message)s`	string value	Format string to use for log messages when context is undefined.
`logging_exception_prefix = %(asctime)s.%(msecs)03d %(process)d ERROR %(name)s %(instance)s`	string value	Prefix each line of exception output with this format.
`logging_user_identity_format = %(user)s %(tenant)s %(domain)s %(user_domain)s %(project_domain)s`	string value	Defines the format string for %(user_identity)s that is used in logging_context_format_string.
`publish_errors = False`	boolean value	Enables or disables publication of error events.
`rate_limit_burst = 0`	integer value	Maximum number of logged messages per rate_limit_interval.
`rate_limit_except_level = CRITICAL`	string value	Log level name used by rate limiting: CRITICAL, ERROR, INFO, WARNING, DEBUG or empty string. Logs with level greater or equal to rate_limit_except_level are not filtered. An empty string means that all levels are filtered.
`rate_limit_interval = 0`	integer value	Interval, number of seconds, of log rate limiting.
`syslog-log-facility = LOG_USER`	string value	Syslog facility to receive log lines. This option is ignored if log_config_append is set.
`use-journal = False`	boolean value	Enable journald for logging. If running in a systemd environment you may wish to enable journal support. Doing so will use the journal native protocol which includes structured metadata in addition to log messages.This option is ignored if log_config_append is set.
`use-json = False`	boolean value	Use JSON formatting for logging. This option is ignored if log_config_append is set.
`use-syslog = False`	boolean value	Use syslog for logging. Existing syslog format is DEPRECATED and will be changed later to honor RFC5424. This option is ignored if log_config_append is set.
`use_stderr = False`	boolean value	Log output to standard error. This option is ignored if log_config_append is set.
`watch-log-file = False`	boolean value	Uses logging handler designed to watch file system. When log file is moved or removed this handler will open a new log file with specified path instantaneously. It makes sense only if log_file option is specified and Linux platform is used. This option is ignored if log_config_append is set.

10.6.2. l2pop

The following table outlines the options available under the [l2pop] group in the /etc/neutron/plugins/ml2/ml2_conf.ini file.

Table 10.20. l2pop
Configuration option = Default value	Type	Description
`agent_boot_time = 180`	integer value	Delay within which agent is expected to update existing ports when it restarts

10.6.3. ml2

The following table outlines the options available under the [ml2] group in the /etc/neutron/plugins/ml2/ml2_conf.ini file.

Table 10.21. ml2
Configuration option = Default value	Type	Description
`extension_drivers = []`	list value	An ordered list of extension driver entrypoints to be loaded from the neutron.ml2.extension_drivers namespace. For example: extension_drivers = port_security,qos
`external_network_type = None`	string value	Default network type for external networks when no provider attributes are specified. By default it is None, which means that if provider attributes are not specified while creating external networks then they will have the same type as tenant networks. Allowed values for external_network_type config option depend on the network type values configured in type_drivers config option.
`mechanism_drivers = []`	list value	An ordered list of networking mechanism driver entrypoints to be loaded from the neutron.ml2.mechanism_drivers namespace.
`overlay_ip_version = 4`	integer value	IP version of all overlay (tunnel) network endpoints. Use a value of 4 for IPv4 or 6 for IPv6.
`path_mtu = 0`	integer value	Maximum size of an IP packet (MTU) that can traverse the underlying physical network infrastructure without fragmentation when using an overlay/tunnel protocol. This option allows specifying a physical network MTU value that differs from the default global_physnet_mtu value.
`physical_network_mtus = []`	list value	A list of mappings of physical networks to MTU values. The format of the mapping is <physnet>:<mtu val>. This mapping allows specifying a physical network MTU value that differs from the default global_physnet_mtu value.
`tenant_network_types = [u'local']`	list value	Ordered list of network_types to allocate as tenant networks. The default value local is useful for single-box testing but provides no connectivity between hosts.
`type_drivers = [u'local', u'flat', u'vlan', u'gre', u'vxlan', u'geneve']`	list value	List of network type driver entrypoints to be loaded from the neutron.ml2.type_drivers namespace.

10.6.4. ml2_type_flat

The following table outlines the options available under the [ml2_type_flat] group in the /etc/neutron/plugins/ml2/ml2_conf.ini file.

Table 10.22. ml2_type_flat
Configuration option = Default value	Type	Description
`flat_networks = *`	list value	List of physical_network names with which flat networks can be created. Use default * to allow flat networks with arbitrary physical_network names. Use an empty list to disable flat networks.

10.6.5. ml2_type_geneve

The following table outlines the options available under the [ml2_type_geneve] group in the /etc/neutron/plugins/ml2/ml2_conf.ini file.

Table 10.23. ml2_type_geneve
Configuration option = Default value	Type	Description
`max_header_size = 30`	integer value	Geneve encapsulation header size is dynamic, this value is used to calculate the maximum MTU for the driver. This is the sum of the sizes of the outer ETH + IP + UDP + GENEVE header sizes. The default size for this field is 50, which is the size of the Geneve header without any additional option headers.
`vni_ranges = []`	list value	Comma-separated list of <vni_min>:<vni_max> tuples enumerating ranges of Geneve VNI IDs that are available for tenant network allocation

10.6.6. ml2_type_gre

The following table outlines the options available under the [ml2_type_gre] group in the /etc/neutron/plugins/ml2/ml2_conf.ini file.

Table 10.24. ml2_type_gre
Configuration option = Default value	Type	Description
`tunnel_id_ranges = []`	list value	Comma-separated list of <tun_min>:<tun_max> tuples enumerating ranges of GRE tunnel IDs that are available for tenant network allocation

10.6.7. ml2_type_vlan

The following table outlines the options available under the [ml2_type_vlan] group in the /etc/neutron/plugins/ml2/ml2_conf.ini file.

Table 10.25. ml2_type_vlan
Configuration option = Default value	Type	Description
`network_vlan_ranges = []`	list value	List of <physical_network>:<vlan_min>:<vlan_max> or <physical_network> specifying physical_network names usable for VLAN provider and tenant networks, as well as ranges of VLAN tags on each available for allocation to tenant networks.

10.6.8. ml2_type_vxlan

The following table outlines the options available under the [ml2_type_vxlan] group in the /etc/neutron/plugins/ml2/ml2_conf.ini file.

Table 10.26. ml2_type_vxlan
Configuration option = Default value	Type	Description
`vni_ranges = []`	list value	Comma-separated list of <vni_min>:<vni_max> tuples enumerating ranges of VXLAN VNI IDs that are available for tenant network allocation
`vxlan_group = None`	string value	Multicast group for VXLAN. When configured, will enable sending all broadcast traffic to this multicast group. When left unconfigured, will disable multicast VXLAN mode.

10.6.9. securitygroup

The following table outlines the options available under the [securitygroup] group in the /etc/neutron/plugins/ml2/ml2_conf.ini file.

Table 10.27. securitygroup
Configuration option = Default value	Type	Description
`enable_ipset = True`	boolean value	Use ipset to speed-up the iptables based security groups. Enabling ipset support requires that ipset is installed on L2 agent node.
`enable_security_group = True`	boolean value	Controls whether the neutron security group API is enabled in the server. It should be false when using no security groups or using the nova security group API.
`firewall_driver = None`	string value	Driver for security groups firewall in the L2 agent

10.7. neutron.conf

This section contains options for the /etc/neutron/neutron.conf file.

10.7.1. DEFAULT

The following table outlines the options available under the [DEFAULT] group in the /etc/neutron/neutron.conf file.

Table 10.28. DEFAULT
Configuration option = Default value	Type	Description
`agent_down_time = 75`	integer value	Seconds to regard the agent is down; should be at least twice report_interval, to be sure the agent is down for good.
`allow_automatic_dhcp_failover = True`	boolean value	Automatically remove networks from offline DHCP agents.
`allow_automatic_l3agent_failover = False`	boolean value	Automatically reschedule routers from offline L3 agents to online L3 agents.
`allow_bulk = True`	boolean value	Allow the usage of the bulk API
`allow_overlapping_ips = False`	boolean value	Allow overlapping IP support in Neutron. Attention: the following parameter MUST be set to False if Neutron is being used in conjunction with Nova security groups.
`api_extensions_path = `	string value	The path for API extensions. Note that this can be a colon-separated list of paths. For example: api_extensions_path = extensions:/path/to/more/exts:/even/more/exts. The path of neutron.extensions is appended to this, so if your extensions are in there you don’t need to specify them here.
`api_paste_config = api-paste.ini`	string value	File name for the paste.deploy config for api service
`api_workers = None`	integer value	Number of separate API worker processes for service. If not specified, the default is equal to the number of CPUs available for best performance.
`auth_strategy = keystone`	string value	The type of authentication to use
`backlog = 4096`	integer value	Number of backlog requests to configure the socket with
`base_mac = fa:16:3e:00:00:00`	string value	The base MAC address Neutron will use for VIFs. The first 3 octets will remain unchanged. If the 4th octet is not 00, it will also be used. The others will be randomly generated.
`bind_host = 0.0.0.0`	unknown value	The host IP to bind to.
`bind_port = 9696`	port value	The port to bind to
`client_socket_timeout = 900`	integer value	Timeout for client connections' socket operations. If an incoming connection is idle for this number of seconds it will be closed. A value of 0 means wait forever.
`conn_pool_min_size = 2`	integer value	The pool size limit for connections expiration policy
`conn_pool_ttl = 1200`	integer value	The time-to-live in sec of idle connections in the pool
`control_exchange = neutron`	string value	The default exchange under which topics are scoped. May be overridden by an exchange name specified in the transport_url option.
`core_plugin = None`	string value	The core plugin Neutron will use
`debug = False`	boolean value	If set to true, the logging level will be set to DEBUG instead of the default INFO level.
`default_availability_zones = []`	list value	Default value of availability zone hints. The availability zone aware schedulers use this when the resources availability_zone_hints is empty. Multiple availability zones can be specified by a comma separated string. This value can be empty. In this case, even if availability_zone_hints for a resource is empty, availability zone is considered for high availability while scheduling the resource.
default_log_levels = [u'amqp=WARN', u'amqplib=WARN', u'boto=WARN', u'qpid=WARN', u'sqlalchemy=WARN', u'suds=INFO', u'oslo.messaging=INFO', u'oslo_messaging=INFO', u'iso8601=WARN', u'requests.packages.urllib3.connectionpool=WARN', u'urllib3.connectionpool=WARN', u'websocket=WARN', u'requests.packages.urllib3.util.retry=WARN', u'urllib3.util.retry=WARN', u'keystonemiddleware=WARN', u'routes.middleware=WARN', u'stevedore=WARN', u'taskflow=WARN', u'keystoneauth=WARN', u'oslo.cache=INFO', u'dogpile.core.dogpile=INFO']	list value	List of package logging levels in logger=LEVEL pairs. This option is ignored if log_config_append is set.
`dhcp_agent_notification = True`	boolean value	Allow sending resource operation notification to DHCP agent
`dhcp_agents_per_network = 1`	integer value	Number of DHCP agents scheduled to host a tenant network. If this number is greater than 1, the scheduler automatically assigns multiple DHCP agents for a given tenant network, providing high availability for DHCP service.
`dhcp_lease_duration = 86400`	integer value	DHCP lease duration (in seconds). Use -1 to tell dnsmasq to use infinite lease times.
`dhcp_load_type = networks`	string value	Representing the resource type whose load is being reported by the agent. This can be "networks", "subnets" or "ports". When specified (Default is networks), the server will extract particular load sent as part of its agent configuration object from the agent report state, which is the number of resources being consumed, at every report_interval.dhcp_load_type can be used in combination with network_scheduler_driver = neutron.scheduler.dhcp_agent_scheduler.WeightScheduler When the network_scheduler_driver is WeightScheduler, dhcp_load_type can be configured to represent the choice for the resource being balanced. Example: dhcp_load_type=networks
`dns_domain = openstacklocal`	string value	Domain to use for building the hostnames
`dvr_base_mac = fa:16:3f:00:00:00`	string value	The base mac address used for unique DVR instances by Neutron. The first 3 octets will remain unchanged. If the 4th octet is not 00, it will also be used. The others will be randomly generated. The dvr_base_mac must be different from base_mac to avoid mixing them up with MAC’s allocated for tenant ports. A 4 octet example would be dvr_base_mac = fa:16:3f:4f:00:00. The default is 3 octet
`enable_dvr = True`	boolean value	Determine if setup is configured for DVR. If False, DVR API extension will be disabled.
`enable_new_agents = True`	boolean value	Agent starts with admin_state_up=False when enable_new_agents=False. In the case, user’s resources will not be scheduled automatically to the agent until admin changes admin_state_up to True.
`enable_services_on_agents_with_admin_state_down = False`	boolean value	Enable services on an agent with admin_state_up False. If this option is False, when admin_state_up of an agent is turned False, services on it will be disabled. Agents with admin_state_up False are not selected for automatic scheduling regardless of this option. But manual scheduling to such agents is available if this option is True.
`enable_snat_by_default = True`	boolean value	Define the default value of enable_snat if not provided in external_gateway_info.
`executor_thread_pool_size = 64`	integer value	Size of executor thread pool when executor is threading or eventlet.
`external_dns_driver = None`	string value	Driver for external DNS integration.
`fatal_deprecations = False`	boolean value	Enables or disables fatal status of deprecations.
`global_physnet_mtu = 1500`	integer value	MTU of the underlying physical network. Neutron uses this value to calculate MTU for all virtual network components. For flat and VLAN networks, neutron uses this value without modification. For overlay networks such as VXLAN, neutron automatically subtracts the overlay protocol overhead from this value. Defaults to 1500, the standard value for Ethernet.
`host = ccsosp-undercloud.usersys.redhat.com`	unknown value	Hostname to be used by the Neutron server, agents and services running on this machine. All the agents and services running on this machine must use the same host value.
`instance_format = [instance: %(uuid)s] `	string value	The format for an instance that is passed with the log message.
`instance_uuid_format = [instance: %(uuid)s] `	string value	The format for an instance UUID that is passed with the log message.
`interface_driver = None`	string value	The driver used to manage the virtual interface.
`ipam_driver = internal`	string value	Neutron IPAM (IP address management) driver to use. By default, the reference implementation of the Neutron IPAM driver is used.
`ipv6_pd_enabled = False`	boolean value	Enables IPv6 Prefix Delegation for automatic subnet CIDR allocation. Set to True to enable IPv6 Prefix Delegation for subnet allocation in a PD-capable environment. Users making subnet creation requests for IPv6 subnets without providing a CIDR or subnetpool ID will be given a CIDR via the Prefix Delegation mechanism. Note that enabling PD will override the behavior of the default IPv6 subnetpool.
`l3_ha = False`	boolean value	Enable HA mode for virtual routers.
`l3_ha_net_cidr = 169.254.192.0/18`	string value	Subnet used for the l3 HA admin network.
`l3_ha_network_physical_name = `	string value	The physical network name with which the HA network can be created.
`l3_ha_network_type = `	string value	The network type to use when creating the HA network for an HA router. By default or if empty, the first tenant_network_types is used. This is helpful when the VRRP traffic should use a specific network which is not the default one.
`log-config-append = None`	string value	The name of a logging configuration file. This file is appended to any existing logging configuration files. For details about logging configuration files, see the Python logging module documentation. Note that when logging configuration files are used then all logging configuration is set in the configuration file and other logging configuration options are ignored (for example, logging_context_format_string).
`log-date-format = %Y-%m-%d %H:%M:%S`	string value	Defines the format string for %%(asctime)s in log records. Default: %(default)s . This option is ignored if log_config_append is set.
`log-dir = None`	string value	(Optional) The base directory used for relative log_file paths. This option is ignored if log_config_append is set.
`log-file = None`	string value	(Optional) Name of log file to send logging output to. If no default is set, logging will go to stderr as defined by use_stderr. This option is ignored if log_config_append is set.
`logging_context_format_string = %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [%(request_id)s %(user_identity)s] %(instance)s%(message)s`	string value	Format string to use for log messages with context.
`logging_debug_format_suffix = %(funcName)s %(pathname)s:%(lineno)d`	string value	Additional data to append to log message when logging level for the message is DEBUG.
`logging_default_format_string = %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [-] %(instance)s%(message)s`	string value	Format string to use for log messages when context is undefined.
`logging_exception_prefix = %(asctime)s.%(msecs)03d %(process)d ERROR %(name)s %(instance)s`	string value	Prefix each line of exception output with this format.
`logging_user_identity_format = %(user)s %(tenant)s %(domain)s %(user_domain)s %(project_domain)s`	string value	Defines the format string for %(user_identity)s that is used in logging_context_format_string.
`max_allowed_address_pair = 10`	integer value	Maximum number of allowed address pairs
`max_dns_nameservers = 5`	integer value	Maximum number of DNS nameservers per subnet
`max_header_line = 16384`	integer value	Maximum line size of message headers to be accepted. max_header_line may need to be increased when using large tokens (typically those generated when keystone is configured to use PKI tokens with big service catalogs).
`max_l3_agents_per_router = 3`	integer value	Maximum number of L3 agents which a HA router will be scheduled on. If it is set to 0 then the router will be scheduled on every agent.
`max_routes = 30`	integer value	Maximum number of routes per router
`max_subnet_host_routes = 20`	integer value	Maximum number of host routes per subnet
`metadata_proxy_group = `	string value	Group (gid or name) running metadata proxy after its initialization (if empty: agent effective group).
`metadata_proxy_socket = $state_path/metadata_proxy`	string value	Location for Metadata Proxy UNIX domain socket.
`metadata_proxy_user = `	string value	User (uid or name) running metadata proxy after its initialization (if empty: agent effective user).
`network_auto_schedule = True`	boolean value	Allow auto scheduling networks to DHCP agent.
`network_link_prefix = None`	string value	This string is prepended to the normal URL that is returned in links to the OpenStack Network API. If it is empty (the default), the URLs are returned unchanged.
`network_scheduler_driver = neutron.scheduler.dhcp_agent_scheduler.WeightScheduler`	string value	Driver to use for scheduling network to DHCP agent
`notify_nova_on_port_data_changes = True`	boolean value	Send notification to nova when port data (fixed_ips/floatingip) changes so nova can update its cache.
`notify_nova_on_port_status_changes = True`	boolean value	Send notification to nova when port status changes
`pagination_max_limit = -1`	string value	The maximum number of items returned in a single response, value was infinite or negative integer means no limit
`periodic_fuzzy_delay = 5`	integer value	Range of seconds to randomly delay when starting the periodic task scheduler to reduce stampeding. (Disable by setting to 0)
`periodic_interval = 40`	integer value	Seconds between running periodic tasks.
`publish_errors = False`	boolean value	Enables or disables publication of error events.
`rate_limit_burst = 0`	integer value	Maximum number of logged messages per rate_limit_interval.
`rate_limit_except_level = CRITICAL`	string value	Log level name used by rate limiting: CRITICAL, ERROR, INFO, WARNING, DEBUG or empty string. Logs with level greater or equal to rate_limit_except_level are not filtered. An empty string means that all levels are filtered.
`rate_limit_interval = 0`	integer value	Interval, number of seconds, of log rate limiting.
`retry_until_window = 30`	integer value	Number of seconds to keep retrying to listen
`router_auto_schedule = True`	boolean value	Allow auto scheduling of routers to L3 agent.
`router_distributed = False`	boolean value	System-wide flag to determine the type of router that tenants can create. Only admin can override.
`router_scheduler_driver = neutron.scheduler.l3_agent_scheduler.LeastRoutersScheduler`	string value	Driver to use for scheduling router to a default L3 agent
`rpc_ack_timeout_base = 15`	integer value	Number of seconds to wait for an ack from a cast/call. After each retry attempt this timeout is multiplied by some specified multiplier.
`rpc_ack_timeout_multiplier = 2`	integer value	Number to multiply base ack timeout by after each retry attempt.
`rpc_backend = rabbit`	string value	The messaging driver to use, defaults to rabbit. Other drivers include amqp and zmq.
`rpc_conn_pool_size = 30`	integer value	Size of RPC connection pool.
`rpc_message_ttl = 300`	integer value	Expiration timeout in seconds of a sent/received message after which it is not tracked anymore by a client/server.
`rpc_poll_timeout = 1`	integer value	The default number of seconds that poll should wait. Poll raises timeout exception when timeout expired.
`rpc_response_timeout = 60`	integer value	Seconds to wait for a response from a call.
`rpc_retry_attempts = 3`	integer value	Default number of message sending attempts in case of any problems occurred: positive value N means at most N retries, 0 means no retries, None or -1 (or any other negative values) mean to retry forever. This option is used only if acknowledgments are enabled.
`rpc_state_report_workers = 1`	integer value	Number of RPC worker processes dedicated to state reports queue.
`rpc_thread_pool_size = 100`	integer value	Maximum number of (green) threads to work concurrently.
`rpc_use_acks = False`	boolean value	Wait for message acknowledgements from receivers. This mechanism works only via proxy without PUB/SUB.
`rpc_workers = 1`	integer value	Number of RPC worker processes for service.
`rpc_zmq_bind_address = *`	string value	ZeroMQ bind address. Should be a wildcard (*), an ethernet interface, or IP. The "host" option should point or resolve to this address.
`rpc_zmq_bind_port_retries = 100`	integer value	Number of retries to find free port number before fail with ZMQBindError.
`rpc_zmq_contexts = 1`	integer value	Number of ZeroMQ contexts, defaults to 1.
`rpc_zmq_host = ccsosp-undercloud.usersys.redhat.com`	string value	Name of this node. Must be a valid hostname, FQDN, or IP address. Must match "host" option, if running Nova.
`rpc_zmq_ipc_dir = /var/run/openstack`	string value	Directory for holding IPC sockets.
`rpc_zmq_matchmaker = redis`	string value	MatchMaker driver.
`rpc_zmq_max_port = 65536`	integer value	Maximal port number for random ports range.
`rpc_zmq_min_port = 49153`	port value	Minimal port number for random ports range.
`rpc_zmq_serialization = json`	string value	Default serialization mechanism for serializing/deserializing outgoing/incoming messages
`rpc_zmq_topic_backlog = None`	integer value	Maximum number of ingress messages to locally buffer per topic. Default is unlimited.
`send_events_interval = 2`	integer value	Number of seconds between sending events to nova if there are any events to send.
`service_plugins = []`	list value	The service plugins Neutron will use
`state_path = /var/lib/neutron`	string value	Where to store Neutron state files. This directory must be writable by the agent.
`subscribe_on = []`	list value	List of publisher hosts SubConsumer can subscribe on. This option has higher priority then the default publishers list taken from the matchmaker.
`syslog-log-facility = LOG_USER`	string value	Syslog facility to receive log lines. This option is ignored if log_config_append is set.
`tcp_keepidle = 600`	integer value	Sets the value of TCP_KEEPIDLE in seconds for each server socket. Not supported on OS X.
`transport_url = None`	string value	The network address and optional user credentials for connecting to the messaging backend, in URL format. The expected format is: driver://[user:pass@]host:port[,[userN:passN@]hostN:portN]/virtual_host?query Example: rabbit://rabbitmq:password@127.0.0.1:5672// For full details on the fields in the URL see the documentation of oslo_messaging.TransportURL at https://docs.openstack.org/oslo.messaging/latest/reference/transport.html
`use-journal = False`	boolean value	Enable journald for logging. If running in a systemd environment you may wish to enable journal support. Doing so will use the journal native protocol which includes structured metadata in addition to log messages.This option is ignored if log_config_append is set.
`use-json = False`	boolean value	Use JSON formatting for logging. This option is ignored if log_config_append is set.
`use-syslog = False`	boolean value	Use syslog for logging. Existing syslog format is DEPRECATED and will be changed later to honor RFC5424. This option is ignored if log_config_append is set.
`use_dynamic_connections = False`	boolean value	This option makes direct connections dynamic or static. It makes sense only with use_router_proxy=False which means to use direct connections for direct message types (ignored otherwise).
`use_pub_sub = False`	boolean value	Use PUB/SUB pattern for fanout methods. PUB/SUB always uses proxy.
`use_router_proxy = False`	boolean value	Use ROUTER remote proxy.
`use_ssl = False`	boolean value	Enable SSL on the API server
`use_stderr = False`	boolean value	Log output to standard error. This option is ignored if log_config_append is set.
`vlan_transparent = False`	boolean value	If True, then allow plugins that support it to create VLAN transparent networks.
`watch-log-file = False`	boolean value	Uses logging handler designed to watch file system. When log file is moved or removed this handler will open a new log file with specified path instantaneously. It makes sense only if log_file option is specified and Linux platform is used. This option is ignored if log_config_append is set.
`wsgi_default_pool_size = 100`	integer value	Size of the pool of greenthreads used by wsgi
`wsgi_keep_alive = True`	boolean value	If False, closes the client socket connection explicitly.
`wsgi_log_format = %(client_ip)s "%(request_line)s" status: %(status_code)s len: %(body_length)s time: %(wall_seconds).7f`	string value	A python format string that is used as the template to generate log lines. The following values can beformatted into it: client_ip, date_time, request_line, status_code, body_length, wall_seconds.
`zmq_failover_connections = 2`	integer value	How many additional connections to a host will be made for failover reasons. This option is actual only in dynamic connections mode.
`zmq_immediate = True`	boolean value	This option configures round-robin mode in zmq socket. True means not keeping a queue when server side disconnects. False means to keep queue and messages even if server is disconnected, when the server appears we send all accumulated messages to it.
`zmq_linger = -1`	integer value	Number of seconds to wait before all pending messages will be sent after closing a socket. The default value of -1 specifies an infinite linger period. The value of 0 specifies no linger period. Pending messages shall be discarded immediately when the socket is closed. Positive values specify an upper bound for the linger period.
`zmq_target_expire = 300`	integer value	Expiration timeout in seconds of a name service record about existing target ( < 0 means no timeout).
`zmq_target_update = 180`	integer value	Update period in seconds of a name service record about existing target.
`zmq_tcp_keepalive = -1`	integer value	Enable/disable TCP keepalive (KA) mechanism. The default value of -1 (or any other negative value) means to skip any overrides and leave it to OS default; 0 and 1 (or any other positive value) mean to disable and enable the option respectively.
`zmq_tcp_keepalive_cnt = -1`	integer value	The number of retransmissions to be carried out before declaring that remote end is not available. The default value of -1 (or any other negative value and 0) means to skip any overrides and leave it to OS default.
`zmq_tcp_keepalive_idle = -1`	integer value	The duration between two keepalive transmissions in idle condition. The unit is platform dependent, for example, seconds in Linux, milliseconds in Windows etc. The default value of -1 (or any other negative value and 0) means to skip any overrides and leave it to OS default.
`zmq_tcp_keepalive_intvl = -1`	integer value	The duration between two successive keepalive retransmissions, if acknowledgement to the previous keepalive transmission is not received. The unit is platform dependent, for example, seconds in Linux, milliseconds in Windows etc. The default value of -1 (or any other negative value and 0) means to skip any overrides and leave it to OS default.

10.7.2. agent

The following table outlines the options available under the [agent] group in the /etc/neutron/neutron.conf file.

Table 10.29. agent
Configuration option = Default value	Type	Description
`availability_zone = nova`	string value	Availability zone of this node
`check_child_processes_action = respawn`	string value	Action to be executed when a child process dies
`check_child_processes_interval = 60`	integer value	Interval between checks of child process liveness (seconds), use 0 to disable
`comment_iptables_rules = True`	boolean value	Add comments to iptables rules. Set to false to disallow the addition of comments to generated iptables rules that describe each rule’s purpose. System must support the iptables comments module for addition of comments.
`debug_iptables_rules = False`	boolean value	Duplicate every iptables difference calculation to ensure the format being generated matches the format of iptables-save. This option should not be turned on for production systems because it imposes a performance penalty.
`log_agent_heartbeats = False`	boolean value	Log agent heartbeats
`report_interval = 30`	floating point value	Seconds between nodes reporting state to server; should be less than agent_down_time, best if it is half or less than agent_down_time.
`root_helper = sudo`	string value	Root helper application. Use sudo neutron-rootwrap /etc/neutron/rootwrap.conf to use the real root filter facility. Change to sudo to skip the filtering and just run the command directly.
`root_helper_daemon = None`	string value	Root helper daemon application to use when possible. For the agent which needs to execute commands in Dom0 in the hypervisor of XenServer, this item should be set to xenapi_root_helper, so that it will keep a XenAPI session to pass commands to Dom0.
`use_helper_for_ns_read = True`	boolean value	Use the root helper when listing the namespaces on a system. This may not be required depending on the security configuration. If the root helper is not required, set this to False for a performance improvement.

10.7.3. cors

The following table outlines the options available under the [cors] group in the /etc/neutron/neutron.conf file.

Table 10.30. cors
Configuration option = Default value	Type	Description
`allow_credentials = True`	boolean value	Indicate that the actual request can include user credentials
`allow_headers = [u'X-Auth-Token', u'X-Identity-Status', u'X-Roles', u'X-Service-Catalog', u'X-User-Id', u'X-Tenant-Id', u'X-OpenStack-Request-ID']`	list value	Indicate which header field names may be used during the actual request.
`allow_methods = [u'GET', u'PUT', u'POST', u'DELETE', u'PATCH']`	list value	Indicate which methods can be used during the actual request.
`allowed_origin = None`	list value	Indicate whether this resource may be shared with the domain received in the requests "origin" header. Format: "<protocol>://<host>[:<port>]", no trailing slash. Example: https://horizon.example.com
`expose_headers = [u'X-Auth-Token', u'X-Subject-Token', u'X-Service-Token', u'X-OpenStack-Request-ID', u'OpenStack-Volume-microversion']`	list value	Indicate which headers are safe to expose to the API. Defaults to HTTP Simple Headers.
`max_age = 3600`	integer value	Maximum cache age of CORS preflight requests.

10.7.4. database

The following table outlines the options available under the [database] group in the /etc/neutron/neutron.conf file.

Table 10.31. database
Configuration option = Default value	Type	Description
`backend = sqlalchemy`	string value	The back end to use for the database.
`connection = None`	string value	The SQLAlchemy connection string to use to connect to the database.
`connection_debug = 0`	integer value	Verbosity of SQL debugging information: 0=None, 100=Everything.
`connection_recycle_time = 3600`	integer value	Connections which have been present in the connection pool longer than this number of seconds will be replaced with a new one the next time they are checked out from the pool.
`connection_trace = False`	boolean value	Add Python stack traces to SQL as comment strings.
`db_inc_retry_interval = True`	boolean value	If True, increases the interval between retries of a database operation up to db_max_retry_interval.
`db_max_retries = 20`	integer value	Maximum retries in case of connection error or deadlock error before error is raised. Set to -1 to specify an infinite retry count.
`db_max_retry_interval = 10`	integer value	If db_inc_retry_interval is set, the maximum seconds between retries of a database operation.
`db_retry_interval = 1`	integer value	Seconds between retries of a database transaction.
`engine = `	string value	Database engine for which script will be generated when using offline migration.
`max_overflow = 50`	integer value	If set, use this value for max_overflow with SQLAlchemy.
`max_pool_size = 5`	integer value	Maximum number of SQL connections to keep open in a pool. Setting a value of 0 indicates no limit.
`max_retries = 10`	integer value	Maximum number of database connection retries during startup. Set to -1 to specify an infinite retry count.
`min_pool_size = 1`	integer value	Minimum number of SQL connections to keep open in a pool.
`mysql_enable_ndb = False`	boolean value	If True, transparently enables support for handling MySQL Cluster (NDB).
`mysql_sql_mode = TRADITIONAL`	string value	The SQL mode to be used for MySQL sessions. This option, including the default, overrides any server-set SQL mode. To use whatever SQL mode is set by the server configuration, set this to no value. Example: mysql_sql_mode=
`pool_timeout = None`	integer value	If set, use this value for pool_timeout with SQLAlchemy.
`retry_interval = 10`	integer value	Interval between retries of opening a SQL connection.
`slave_connection = None`	string value	The SQLAlchemy connection string to use to connect to the slave database.
`sqlite_synchronous = True`	boolean value	If True, SQLite uses synchronous mode.
`use_db_reconnect = False`	boolean value	Enable the experimental use of database reconnect on connection lost.

10.7.5. keystone_authtoken

The following table outlines the options available under the [keystone_authtoken] group in the /etc/neutron/neutron.conf file.

Table 10.32. keystone_authtoken
Configuration option = Default value	Type	Description
`auth_section = None`	string value	Config Section from which to load plugin specific options
`auth_type = None`	string value	Authentication type to load
`auth_uri = None`	string value	Complete "public" Identity API endpoint. This endpoint should not be an "admin" endpoint, as it should be accessible by all end users. Unauthenticated clients are redirected to this endpoint to authenticate. Although this endpoint should ideally be unversioned, client support in the wild varies. If you’re using a versioned v2 endpoint here, then this should not be the same endpoint the service user utilizes for validating tokens, because normal end users may not be able to reach that endpoint. This option is deprecated in favor of www_authenticate_uri and will be removed in the S release.
`auth_version = None`	string value	API version of the admin Identity API endpoint.
`cache = None`	string value	Request environment key where the Swift cache object is stored. When auth_token middleware is deployed with a Swift cache, use this option to have the middleware share a caching backend with swift. Otherwise, use the `memcached_servers` option instead.
`cafile = None`	string value	A PEM encoded Certificate Authority to use when verifying HTTPs connections. Defaults to system CAs.
`certfile = None`	string value	Required if identity server requires client certificate
`check_revocations_for_cached = False`	boolean value	If true, the revocation list will be checked for cached tokens. This requires that PKI tokens are configured on the identity server.
`delay_auth_decision = False`	boolean value	Do not handle authorization requests within the middleware, but delegate the authorization decision to downstream WSGI components.
`enforce_token_bind = permissive`	string value	Used to control the use and type of token binding. Can be set to: "disabled" to not check token binding. "permissive" (default) to validate binding information if the bind type is of a form known to the server and ignore it if not. "strict" like "permissive" but if the bind type is unknown the token will be rejected. "required" any form of token binding is needed to be allowed. Finally the name of a binding method that must be present in tokens.
`hash_algorithms = [u'md5']`	list value	Hash algorithms to use for hashing PKI tokens. This may be a single algorithm or multiple. The algorithms are those supported by Python standard hashlib.new(). The hashes will be tried in the order given, so put the preferred one first for performance. The result of the first hash will be stored in the cache. This will typically be set to multiple values only while migrating from a less secure algorithm to a more secure one. Once all the old tokens are expired this option should be set to a single value for better performance.
`http_connect_timeout = None`	integer value	Request timeout value for communicating with Identity API server.
`http_request_max_retries = 3`	integer value	How many times are we trying to reconnect when communicating with Identity API Server.
`include_service_catalog = True`	boolean value	(Optional) Indicate whether to set the X-Service-Catalog header. If False, middleware will not ask for service catalog on token validation and will not set the X-Service-Catalog header.
`insecure = False`	boolean value	Verify HTTPS connections.
`keyfile = None`	string value	Required if identity server requires client certificate
`memcache_pool_conn_get_timeout = 10`	integer value	(Optional) Number of seconds that an operation will wait to get a memcached client connection from the pool.
`memcache_pool_dead_retry = 300`	integer value	(Optional) Number of seconds memcached server is considered dead before it is tried again.
`memcache_pool_maxsize = 10`	integer value	(Optional) Maximum total number of open connections to every memcached server.
`memcache_pool_socket_timeout = 3`	integer value	(Optional) Socket timeout in seconds for communicating with a memcached server.
`memcache_pool_unused_timeout = 60`	integer value	(Optional) Number of seconds a connection to memcached is held unused in the pool before it is closed.
`memcache_secret_key = None`	string value	(Optional, mandatory if memcache_security_strategy is defined) This string is used for key derivation.
`memcache_security_strategy = None`	string value	(Optional) If defined, indicate whether token data should be authenticated or authenticated and encrypted. If MAC, token data is authenticated (with HMAC) in the cache. If ENCRYPT, token data is encrypted and authenticated in the cache. If the value is not one of these options or empty, auth_token will raise an exception on initialization.
`memcache_use_advanced_pool = False`	boolean value	(Optional) Use the advanced (eventlet safe) memcached client pool. The advanced pool will only work under python 2.x.
`memcached_servers = None`	list value	Optionally specify a list of memcached server(s) to use for caching. If left undefined, tokens will instead be cached in-process.
`region_name = None`	string value	The region in which the identity server can be found.
`revocation_cache_time = 10`	integer value	Determines the frequency at which the list of revoked tokens is retrieved from the Identity service (in seconds). A high number of revocation events combined with a low cache duration may significantly reduce performance. Only valid for PKI tokens. This option has been deprecated in the Ocata release and will be removed in the P release.
`service_token_roles = [u'service']`	list value	A choice of roles that must be present in a service token. Service tokens are allowed to request that an expired token can be used and so this check should tightly control that only actual services should be sending this token. Roles here are applied as an ANY check so any role in this list must be present. For backwards compatibility reasons this currently only affects the allow_expired check.
`service_token_roles_required = False`	boolean value	For backwards compatibility reasons we must let valid service tokens pass that don’t pass the service_token_roles check as valid. Setting this true will become the default in a future release and should be enabled if possible.
`signing_dir = None`	string value	Directory used to cache files related to PKI tokens. This option has been deprecated in the Ocata release and will be removed in the P release.
`token_cache_time = 300`	integer value	In order to prevent excessive effort spent validating tokens, the middleware caches previously-seen tokens for a configurable duration (in seconds). Set to -1 to disable caching completely.
`www_authenticate_uri = None`	string value	Complete "public" Identity API endpoint. This endpoint should not be an "admin" endpoint, as it should be accessible by all end users. Unauthenticated clients are redirected to this endpoint to authenticate. Although this endpoint should ideally be unversioned, client support in the wild varies. If you’re using a versioned v2 endpoint here, then this should not be the same endpoint the service user utilizes for validating tokens, because normal end users may not be able to reach that endpoint.

10.7.6. matchmaker_redis

The following table outlines the options available under the [matchmaker_redis] group in the /etc/neutron/neutron.conf file.

Table 10.33. matchmaker_redis
Configuration option = Default value	Type	Description
`check_timeout = 20000`	integer value	Time in ms to wait before the transaction is killed.
`host = 127.0.0.1`	string value	Host to locate redis.
`password = `	string value	Password for Redis server (optional).
`port = 6379`	port value	Use this port to connect to redis host.
`sentinel_group_name = oslo-messaging-zeromq`	string value	Redis replica set name.
`sentinel_hosts = []`	list value	List of Redis Sentinel hosts (fault tolerance mode), e.g., [host:port, host1:port … ]
`socket_timeout = 10000`	integer value	Timeout in ms on blocking socket operations.
`wait_timeout = 2000`	integer value	Time in ms to wait between connection attempts.

10.7.7. nova

The following table outlines the options available under the [nova] group in the /etc/neutron/neutron.conf file.

Table 10.34. nova
Configuration option = Default value	Type	Description
`auth-url = None`	string value	Authentication URL
`auth_type = None`	string value	Authentication type to load
`cafile = None`	string value	PEM encoded Certificate Authority to use when verifying HTTPs connections.
`certfile = None`	string value	PEM encoded client certificate cert file
`default-domain-id = None`	string value	Optional domain ID to use with v3 and v2 parameters. It will be used for both the user and project domain in v3 and ignored in v2 authentication.
`default-domain-name = None`	string value	Optional domain name to use with v3 API and v2 parameters. It will be used for both the user and project domain in v3 and ignored in v2 authentication.
`domain-id = None`	string value	Domain ID to scope to
`domain-name = None`	string value	Domain name to scope to
`endpoint_type = public`	string value	Type of the nova endpoint to use. This endpoint will be looked up in the keystone catalog and should be one of public, internal or admin.
`insecure = False`	boolean value	Verify HTTPS connections.
`keyfile = None`	string value	PEM encoded client certificate key file
`password = None`	string value	User’s password
`project-domain-id = None`	string value	Domain ID containing project
`project-domain-name = None`	string value	Domain name containing project
`project-id = None`	string value	Project ID to scope to
`project-name = None`	string value	Project name to scope to
`region_name = None`	string value	Name of nova region to use. Useful if keystone manages more than one region.
`system-scope = None`	string value	Scope for system operations
`tenant-id = None`	string value	Tenant ID
`tenant-name = None`	string value	Tenant Name
`timeout = None`	integer value	Timeout value for http requests
`trust-id = None`	string value	Trust ID
`user-domain-id = None`	string value	User’s domain id
`user-domain-name = None`	string value	User’s domain name
`user-id = None`	string value	User id
`username = None`	string value	Username

10.7.8. oslo_concurrency

The following table outlines the options available under the [oslo_concurrency] group in the /etc/neutron/neutron.conf file.

Table 10.35. oslo_concurrency
Configuration option = Default value	Type	Description
`disable_process_locking = False`	boolean value	Enables or disables inter-process locks.
`lock_path = None`	string value	Directory to use for lock files. For security, the specified directory should only be writable by the user running the processes that need locking. Defaults to environment variable OSLO_LOCK_PATH. If external locks are used, a lock path must be set.

10.7.9. oslo_messaging_amqp

The following table outlines the options available under the [oslo_messaging_amqp] group in the /etc/neutron/neutron.conf file.

Table 10.36. oslo_messaging_amqp
Configuration option = Default value	Type	Description
`addressing_mode = dynamic`	string value	Indicates the addressing mode used by the driver. Permitted values: legacy - use legacy non-routable addressing routable - use routable addresses dynamic - use legacy addresses if the message bus does not support routing otherwise use routable addressing
`allow_insecure_clients = False`	boolean value	Accept clients using either SSL or plain TCP
`anycast_address = anycast`	string value	Appended to the address prefix when sending to a group of consumers. Used by the message bus to identify messages that should be delivered in a round-robin fashion across consumers.
`broadcast_prefix = broadcast`	string value	address prefix used when broadcasting to all servers
`connection_retry_backoff = 2`	integer value	Increase the connection_retry_interval by this many seconds after each unsuccessful failover attempt.
`connection_retry_interval = 1`	integer value	Seconds to pause before attempting to re-connect.
`connection_retry_interval_max = 30`	integer value	Maximum limit for connection_retry_interval + connection_retry_backoff
`container_name = None`	string value	Name for the AMQP container. must be globally unique. Defaults to a generated UUID
`default_notification_exchange = None`	string value	Exchange name used in notification addresses. Exchange name resolution precedence: Target.exchange if set else default_notification_exchange if set else control_exchange if set else notify
`default_notify_timeout = 30`	integer value	The deadline for a sent notification message delivery. Only used when caller does not provide a timeout expiry.
`default_reply_retry = 0`	integer value	The maximum number of attempts to re-send a reply message which failed due to a recoverable error.
`default_reply_timeout = 30`	integer value	The deadline for an rpc reply message delivery.
`default_rpc_exchange = None`	string value	Exchange name used in RPC addresses. Exchange name resolution precedence: Target.exchange if set else default_rpc_exchange if set else control_exchange if set else rpc
`default_send_timeout = 30`	integer value	The deadline for an rpc cast or call message delivery. Only used when caller does not provide a timeout expiry.
`default_sender_link_timeout = 600`	integer value	The duration to schedule a purge of idle sender links. Detach link after expiry.
`group_request_prefix = unicast`	string value	address prefix when sending to any server in group
`idle_timeout = 0`	integer value	Timeout for inactive connections (in seconds)
`link_retry_delay = 10`	integer value	Time to pause between re-connecting an AMQP 1.0 link that failed due to a recoverable error.
`multicast_address = multicast`	string value	Appended to the address prefix when sending a fanout message. Used by the message bus to identify fanout messages.
`notify_address_prefix = openstack.org/om/notify`	string value	Address prefix for all generated Notification addresses
`notify_server_credit = 100`	integer value	Window size for incoming Notification messages
`password = `	string value	Password for message broker authentication
`pre_settled = [u'rpc-cast', u'rpc-reply']`	multi valued	Send messages of this type pre-settled. Pre-settled messages will not receive acknowledgement from the peer. Note well: pre-settled messages may be silently discarded if the delivery fails. Permitted values: rpc-call - send RPC Calls pre-settled rpc-reply- send RPC Replies pre-settled rpc-cast - Send RPC Casts pre-settled notify - Send Notifications pre-settled
`pseudo_vhost = True`	boolean value	Enable virtual host support for those message buses that do not natively support virtual hosting (such as qpidd). When set to true the virtual host name will be added to all message bus addresses, effectively creating a private subnet per virtual host. Set to False if the message bus supports virtual hosting using the hostname field in the AMQP 1.0 Open performative as the name of the virtual host.
`reply_link_credit = 200`	integer value	Window size for incoming RPC Reply messages.
`rpc_address_prefix = openstack.org/om/rpc`	string value	Address prefix for all generated RPC addresses
`rpc_server_credit = 100`	integer value	Window size for incoming RPC Request messages
`sasl_config_dir = `	string value	Path to directory that contains the SASL configuration
`sasl_config_name = `	string value	Name of configuration file (without .conf suffix)
`sasl_default_realm = `	string value	SASL realm to use if no realm present in username
`sasl_mechanisms = `	string value	Space separated list of acceptable SASL mechanisms
`server_request_prefix = exclusive`	string value	address prefix used when sending to a specific server
`ssl = False`	boolean value	Attempt to connect via SSL. If no other ssl-related parameters are given, it will use the system’s CA-bundle to verify the server’s certificate.
`ssl_ca_file = `	string value	CA certificate PEM file used to verify the server’s certificate
`ssl_cert_file = `	string value	Self-identifying certificate PEM file for client authentication
`ssl_key_file = `	string value	Private key PEM file used to sign ssl_cert_file certificate (optional)
`ssl_key_password = None`	string value	Password for decrypting ssl_key_file (if encrypted)
`ssl_verify_vhost = False`	boolean value	By default SSL checks that the name in the server’s certificate matches the hostname in the transport_url. In some configurations it may be preferable to use the virtual hostname instead, for example if the server uses the Server Name Indication TLS extension (rfc6066) to provide a certificate per virtual host. Set ssl_verify_vhost to True if the server’s SSL certificate uses the virtual host name instead of the DNS name.
`trace = False`	boolean value	Debug: dump AMQP frames to stdout
`unicast_address = unicast`	string value	Appended to the address prefix when sending to a particular RPC/Notification server. Used by the message bus to identify messages sent to a single destination.
`username = `	string value	User name for message broker authentication

10.7.10. oslo_messaging_kafka

The following table outlines the options available under the [oslo_messaging_kafka] group in the /etc/neutron/neutron.conf file.

Table 10.37. oslo_messaging_kafka
Configuration option = Default value	Type	Description
`conn_pool_min_size = 2`	integer value	The pool size limit for connections expiration policy
`conn_pool_ttl = 1200`	integer value	The time-to-live in sec of idle connections in the pool
`consumer_group = oslo_messaging_consumer`	string value	Group id for Kafka consumer. Consumers in one group will coordinate message consumption
`kafka_consumer_timeout = 1.0`	floating point value	Default timeout(s) for Kafka consumers
`kafka_default_host = localhost`	string value	Default Kafka broker Host
`kafka_default_port = 9092`	port value	Default Kafka broker Port
`kafka_max_fetch_bytes = 1048576`	integer value	Max fetch bytes of Kafka consumer
`pool_size = 10`	integer value	Pool Size for Kafka Consumers
`producer_batch_size = 16384`	integer value	Size of batch for the producer async send
`producer_batch_timeout = 0.0`	floating point value	Upper bound on the delay for KafkaProducer batching in seconds

10.7.11. oslo_messaging_notifications

The following table outlines the options available under the [oslo_messaging_notifications] group in the /etc/neutron/neutron.conf file.

Table 10.38. oslo_messaging_notifications
Configuration option = Default value	Type	Description
`driver = []`	multi valued	The Drivers(s) to handle sending notifications. Possible values are messaging, messagingv2, routing, log, test, noop
`retry = -1`	integer value	The maximum number of attempts to re-send a notification message which failed to be delivered due to a recoverable error. 0 - No retry, -1 - indefinite
`topics = [u'notifications']`	list value	AMQP topic used for OpenStack notifications.
`transport_url = None`	string value	A URL representing the messaging driver to use for notifications. If not set, we fall back to the same configuration used for RPC.

10.7.12. oslo_messaging_rabbit

The following table outlines the options available under the [oslo_messaging_rabbit] group in the /etc/neutron/neutron.conf file.

Table 10.39. oslo_messaging_rabbit
Configuration option = Default value	Type	Description
`amqp_auto_delete = False`	boolean value	Auto-delete queues in AMQP.
`amqp_durable_queues = False`	boolean value	Use durable queues in AMQP.
`channel_max = None`	integer value	Maximum number of channels to allow
`connection_factory = single`	string value	Connection factory implementation
`default_notification_exchange = ${control_exchange}_notification`	string value	Exchange name for sending notifications
`default_notification_retry_attempts = -1`	integer value	Reconnecting retry count in case of connectivity problem during sending notification, -1 means infinite retry.
`default_rpc_exchange = ${control_exchange}_rpc`	string value	Exchange name for sending RPC messages
`default_rpc_retry_attempts = -1`	integer value	Reconnecting retry count in case of connectivity problem during sending RPC message, -1 means infinite retry. If actual retry attempts in not 0 the rpc request could be processed more than one time
`default_serializer_type = json`	string value	Default serialization mechanism for serializing/deserializing outgoing/incoming messages
`fake_rabbit = False`	boolean value	Deprecated, use rpc_backend=kombu+memory or rpc_backend=fake
`frame_max = None`	integer value	The maximum byte size for an AMQP frame
`heartbeat_interval = 3`	integer value	How often to send heartbeats for consumer’s connections
`heartbeat_rate = 2`	integer value	How often times during the heartbeat_timeout_threshold we check the heartbeat.
`heartbeat_timeout_threshold = 60`	integer value	Number of seconds after which the Rabbit broker is considered down if heartbeat’s keep-alive fails (0 disable the heartbeat). EXPERIMENTAL
`host_connection_reconnect_delay = 0.25`	floating point value	Set delay for reconnection to some host which has connection error
`kombu_compression = None`	string value	EXPERIMENTAL: Possible values are: gzip, bz2. If not set compression will not be used. This option may not be available in future versions.
`kombu_failover_strategy = round-robin`	string value	Determines how the next RabbitMQ node is chosen in case the one we are currently connected to becomes unavailable. Takes effect only if more than one RabbitMQ node is provided in config.
`kombu_missing_consumer_retry_timeout = 60`	integer value	How long to wait a missing client before abandoning to send it its replies. This value should not be longer than rpc_response_timeout.
`kombu_reconnect_delay = 1.0`	floating point value	How long to wait before reconnecting in response to an AMQP consumer cancel notification.
`notification_listener_prefetch_count = 100`	integer value	Max number of not acknowledged message which RabbitMQ can send to notification listener.
`notification_persistence = False`	boolean value	Persist notification messages.
`notification_retry_delay = 0.25`	floating point value	Reconnecting retry delay in case of connectivity problem during sending notification message
`pool_max_overflow = 0`	integer value	Maximum number of connections to create above `pool_max_size`.
`pool_max_size = 30`	integer value	Maximum number of connections to keep queued.
`pool_recycle = 600`	integer value	Lifetime of a connection (since creation) in seconds or None for no recycling. Expired connections are closed on acquire.
`pool_stale = 60`	integer value	Threshold at which inactive (since release) connections are considered stale in seconds or None for no staleness. Stale connections are closed on acquire.
`pool_timeout = 30`	integer value	Default number of seconds to wait for a connections to available
`rabbit_ha_queues = False`	boolean value	Try to use HA queues in RabbitMQ (x-ha-policy: all). If you change this option, you must wipe the RabbitMQ database. In RabbitMQ 3.0, queue mirroring is no longer controlled by the x-ha-policy argument when declaring a queue. If you just want to make sure that all queues (except those with auto-generated names) are mirrored across all nodes, run: "rabbitmqctl set_policy HA ^(?!amq\.).* {"ha-mode": "all"} "
`rabbit_host = localhost`	string value	The RabbitMQ broker address where a single node is used.
`rabbit_hosts = [u'$rabbit_host:$rabbit_port']`	list value	RabbitMQ HA cluster host:port pairs.
`rabbit_interval_max = 30`	integer value	Maximum interval of RabbitMQ connection retries. Default is 30 seconds.
`rabbit_login_method = AMQPLAIN`	string value	The RabbitMQ login method.
`rabbit_max_retries = 0`	integer value	Maximum number of RabbitMQ connection retries. Default is 0 (infinite retry count).
`rabbit_password = guest`	string value	The RabbitMQ password.
`rabbit_port = 5672`	port value	The RabbitMQ broker port where a single node is used.
`rabbit_qos_prefetch_count = 0`	integer value	Specifies the number of messages to prefetch. Setting to zero allows unlimited messages.
`rabbit_retry_backoff = 2`	integer value	How long to backoff for between retries when connecting to RabbitMQ.
`rabbit_retry_interval = 1`	integer value	How frequently to retry connecting with RabbitMQ.
`rabbit_transient_queues_ttl = 1800`	integer value	Positive integer representing duration in seconds for queue TTL (x-expires). Queues which are unused for the duration of the TTL are automatically deleted. The parameter affects only reply and fanout queues.
`rabbit_userid = guest`	string value	The RabbitMQ userid.
`rabbit_virtual_host = /`	string value	The RabbitMQ virtual host.
`rpc_listener_prefetch_count = 100`	integer value	Max number of not acknowledged message which RabbitMQ can send to rpc listener.
`rpc_queue_expiration = 60`	integer value	Time to live for rpc queues without consumers in seconds.
`rpc_reply_exchange = ${control_exchange}_rpc_reply`	string value	Exchange name for receiving RPC replies
`rpc_reply_listener_prefetch_count = 100`	integer value	Max number of not acknowledged message which RabbitMQ can send to rpc reply listener.
`rpc_reply_retry_attempts = -1`	integer value	Reconnecting retry count in case of connectivity problem during sending reply. -1 means infinite retry during rpc_timeout
`rpc_reply_retry_delay = 0.25`	floating point value	Reconnecting retry delay in case of connectivity problem during sending reply.
`rpc_retry_delay = 0.25`	floating point value	Reconnecting retry delay in case of connectivity problem during sending RPC message
`socket_timeout = 0.25`	floating point value	Set socket timeout in seconds for connection’s socket
`ssl = None`	boolean value	Enable SSL
`ssl_ca_file = `	string value	SSL certification authority file (valid only if SSL enabled).
`ssl_cert_file = `	string value	SSL cert file (valid only if SSL enabled).
`ssl_key_file = `	string value	SSL key file (valid only if SSL enabled).
`ssl_options = None`	dict value	Arguments passed to ssl.wrap_socket
`ssl_version = `	string value	SSL version to use (valid only if SSL enabled). Valid values are TLSv1 and SSLv23. SSLv2, SSLv3, TLSv1_1, and TLSv1_2 may be available on some distributions.
`tcp_user_timeout = 0.25`	floating point value	Set TCP_USER_TIMEOUT in seconds for connection’s socket

10.7.13. oslo_messaging_zmq

The following table outlines the options available under the [oslo_messaging_zmq] group in the /etc/neutron/neutron.conf file.

Table 10.40. oslo_messaging_zmq
Configuration option = Default value	Type	Description
`rpc_ack_timeout_base = 15`	integer value	Number of seconds to wait for an ack from a cast/call. After each retry attempt this timeout is multiplied by some specified multiplier.
`rpc_ack_timeout_multiplier = 2`	integer value	Number to multiply base ack timeout by after each retry attempt.
`rpc_message_ttl = 300`	integer value	Expiration timeout in seconds of a sent/received message after which it is not tracked anymore by a client/server.
`rpc_poll_timeout = 1`	integer value	The default number of seconds that poll should wait. Poll raises timeout exception when timeout expired.
`rpc_retry_attempts = 3`	integer value	Default number of message sending attempts in case of any problems occurred: positive value N means at most N retries, 0 means no retries, None or -1 (or any other negative values) mean to retry forever. This option is used only if acknowledgments are enabled.
`rpc_thread_pool_size = 100`	integer value	Maximum number of (green) threads to work concurrently.
`rpc_use_acks = False`	boolean value	Wait for message acknowledgements from receivers. This mechanism works only via proxy without PUB/SUB.
`rpc_zmq_bind_address = *`	string value	ZeroMQ bind address. Should be a wildcard (*), an ethernet interface, or IP. The "host" option should point or resolve to this address.
`rpc_zmq_bind_port_retries = 100`	integer value	Number of retries to find free port number before fail with ZMQBindError.
`rpc_zmq_contexts = 1`	integer value	Number of ZeroMQ contexts, defaults to 1.
`rpc_zmq_host = ccsosp-undercloud.usersys.redhat.com`	string value	Name of this node. Must be a valid hostname, FQDN, or IP address. Must match "host" option, if running Nova.
`rpc_zmq_ipc_dir = /var/run/openstack`	string value	Directory for holding IPC sockets.
`rpc_zmq_matchmaker = redis`	string value	MatchMaker driver.
`rpc_zmq_max_port = 65536`	integer value	Maximal port number for random ports range.
`rpc_zmq_min_port = 49153`	port value	Minimal port number for random ports range.
`rpc_zmq_serialization = json`	string value	Default serialization mechanism for serializing/deserializing outgoing/incoming messages
`rpc_zmq_topic_backlog = None`	integer value	Maximum number of ingress messages to locally buffer per topic. Default is unlimited.
`subscribe_on = []`	list value	List of publisher hosts SubConsumer can subscribe on. This option has higher priority then the default publishers list taken from the matchmaker.
`use_dynamic_connections = False`	boolean value	This option makes direct connections dynamic or static. It makes sense only with use_router_proxy=False which means to use direct connections for direct message types (ignored otherwise).
`use_pub_sub = False`	boolean value	Use PUB/SUB pattern for fanout methods. PUB/SUB always uses proxy.
`use_router_proxy = False`	boolean value	Use ROUTER remote proxy.
`zmq_failover_connections = 2`	integer value	How many additional connections to a host will be made for failover reasons. This option is actual only in dynamic connections mode.
`zmq_immediate = True`	boolean value	This option configures round-robin mode in zmq socket. True means not keeping a queue when server side disconnects. False means to keep queue and messages even if server is disconnected, when the server appears we send all accumulated messages to it.
`zmq_linger = -1`	integer value	Number of seconds to wait before all pending messages will be sent after closing a socket. The default value of -1 specifies an infinite linger period. The value of 0 specifies no linger period. Pending messages shall be discarded immediately when the socket is closed. Positive values specify an upper bound for the linger period.
`zmq_target_expire = 300`	integer value	Expiration timeout in seconds of a name service record about existing target ( < 0 means no timeout).
`zmq_target_update = 180`	integer value	Update period in seconds of a name service record about existing target.
`zmq_tcp_keepalive = -1`	integer value	Enable/disable TCP keepalive (KA) mechanism. The default value of -1 (or any other negative value) means to skip any overrides and leave it to OS default; 0 and 1 (or any other positive value) mean to disable and enable the option respectively.
`zmq_tcp_keepalive_cnt = -1`	integer value	The number of retransmissions to be carried out before declaring that remote end is not available. The default value of -1 (or any other negative value and 0) means to skip any overrides and leave it to OS default.
`zmq_tcp_keepalive_idle = -1`	integer value	The duration between two keepalive transmissions in idle condition. The unit is platform dependent, for example, seconds in Linux, milliseconds in Windows etc. The default value of -1 (or any other negative value and 0) means to skip any overrides and leave it to OS default.
`zmq_tcp_keepalive_intvl = -1`	integer value	The duration between two successive keepalive retransmissions, if acknowledgement to the previous keepalive transmission is not received. The unit is platform dependent, for example, seconds in Linux, milliseconds in Windows etc. The default value of -1 (or any other negative value and 0) means to skip any overrides and leave it to OS default.

10.7.14. oslo_middleware

The following table outlines the options available under the [oslo_middleware] group in the /etc/neutron/neutron.conf file.

Table 10.41. oslo_middleware
Configuration option = Default value	Type	Description
`enable_proxy_headers_parsing = False`	boolean value	Whether the application is behind a proxy or not. This determines if the middleware should parse the headers or not.

10.7.15. oslo_policy

The following table outlines the options available under the [oslo_policy] group in the /etc/neutron/neutron.conf file.

Table 10.42. oslo_policy
Configuration option = Default value	Type	Description
`enforce_scope = False`	boolean value	This option controls whether or not to enforce scope when evaluating policies. If `True`, the scope of the token used in the request is compared to the `scope_types` of the policy being enforced. If the scopes do not match, an `InvalidScope` exception will be raised. If `False`, a message will be logged informing operators that policies are being invoked with mismatching scope.
`policy_default_rule = default`	string value	Default rule. Enforced when a requested rule is not found.
`policy_dirs = [u'policy.d']`	multi valued	Directories where policy configuration files are stored. They can be relative to any directory in the search path defined by the config_dir option, or absolute paths. The file defined by policy_file must exist for these directories to be searched. Missing or empty directories are ignored.
`policy_file = policy.json`	string value	The file that defines policies.
`remote_content_type = application/x-www-form-urlencoded`	string value	Content Type to send and receive data for REST based policy check
`remote_ssl_ca_crt_file = None`	string value	Absolute path to ca cert file for REST based policy check
`remote_ssl_client_crt_file = None`	string value	Absolute path to client cert for REST based policy check
`remote_ssl_client_key_file = None`	string value	Absolute path client key file REST based policy check
`remote_ssl_verify_server_crt = False`	boolean value	server identity verification for REST based policy check

10.7.16. quotas

The following table outlines the options available under the [quotas] group in the /etc/neutron/neutron.conf file.

Table 10.43. quotas
Configuration option = Default value	Type	Description
`default_quota = -1`	integer value	Default number of resource allowed per tenant. A negative value means unlimited.
`quota_driver = neutron.db.quota.driver.DbQuotaDriver`	string value	Default driver to use for quota checks.
`quota_floatingip = 50`	integer value	Number of floating IPs allowed per tenant. A negative value means unlimited.
`quota_network = 100`	integer value	Number of networks allowed per tenant. A negative value means unlimited.
`quota_port = 500`	integer value	Number of ports allowed per tenant. A negative value means unlimited.
`quota_router = 10`	integer value	Number of routers allowed per tenant. A negative value means unlimited.
`quota_security_group = 10`	integer value	Number of security groups allowed per tenant. A negative value means unlimited.
`quota_security_group_rule = 100`	integer value	Number of security rules allowed per tenant. A negative value means unlimited.
`quota_subnet = 100`	integer value	Number of subnets allowed per tenant, A negative value means unlimited.
`track_quota_usage = True`	boolean value	Keep in track in the database of current resource quota usage. Plugins which do not leverage the neutron database should set this flag to False.

10.7.17. ssl

The following table outlines the options available under the [ssl] group in the /etc/neutron/neutron.conf file.

Table 10.44. ssl
Configuration option = Default value	Type	Description
`ca_file = None`	string value	CA certificate file to use to verify connecting clients.
`cert_file = None`	string value	Certificate file to use when starting the server securely.
`ciphers = None`	string value	Sets the list of available ciphers. value should be a string in the OpenSSL cipher list format.
`key_file = None`	string value	Private key file to use when starting the server securely.
`version = None`	string value	SSL version to use (valid only if SSL enabled). Valid values are TLSv1 and SSLv23. SSLv2, SSLv3, TLSv1_1, and TLSv1_2 may be available on some distributions.

10.8. openvswitch_agent.ini

This section contains options for the /etc/neutron/plugins/ml2/openvswitch_agent.ini file.

10.8.1. DEFAULT

The following table outlines the options available under the [DEFAULT] group in the /etc/neutron/plugins/ml2/openvswitch_agent.ini file.

Table 10.45. DEFAULT
Configuration option = Default value	Type	Description
`debug = False`	boolean value	If set to true, the logging level will be set to DEBUG instead of the default INFO level.
default_log_levels = [u'amqp=WARN', u'amqplib=WARN', u'boto=WARN', u'qpid=WARN', u'sqlalchemy=WARN', u'suds=INFO', u'oslo.messaging=INFO', u'oslo_messaging=INFO', u'iso8601=WARN', u'requests.packages.urllib3.connectionpool=WARN', u'urllib3.connectionpool=WARN', u'websocket=WARN', u'requests.packages.urllib3.util.retry=WARN', u'urllib3.util.retry=WARN', u'keystonemiddleware=WARN', u'routes.middleware=WARN', u'stevedore=WARN', u'taskflow=WARN', u'keystoneauth=WARN', u'oslo.cache=INFO', u'dogpile.core.dogpile=INFO']	list value	List of package logging levels in logger=LEVEL pairs. This option is ignored if log_config_append is set.
`fatal_deprecations = False`	boolean value	Enables or disables fatal status of deprecations.
`instance_format = [instance: %(uuid)s] `	string value	The format for an instance that is passed with the log message.
`instance_uuid_format = [instance: %(uuid)s] `	string value	The format for an instance UUID that is passed with the log message.
`log-config-append = None`	string value	The name of a logging configuration file. This file is appended to any existing logging configuration files. For details about logging configuration files, see the Python logging module documentation. Note that when logging configuration files are used then all logging configuration is set in the configuration file and other logging configuration options are ignored (for example, logging_context_format_string).
`log-date-format = %Y-%m-%d %H:%M:%S`	string value	Defines the format string for %%(asctime)s in log records. Default: %(default)s . This option is ignored if log_config_append is set.
`log-dir = None`	string value	(Optional) The base directory used for relative log_file paths. This option is ignored if log_config_append is set.
`log-file = None`	string value	(Optional) Name of log file to send logging output to. If no default is set, logging will go to stderr as defined by use_stderr. This option is ignored if log_config_append is set.
`logging_context_format_string = %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [%(request_id)s %(user_identity)s] %(instance)s%(message)s`	string value	Format string to use for log messages with context.
`logging_debug_format_suffix = %(funcName)s %(pathname)s:%(lineno)d`	string value	Additional data to append to log message when logging level for the message is DEBUG.
`logging_default_format_string = %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [-] %(instance)s%(message)s`	string value	Format string to use for log messages when context is undefined.
`logging_exception_prefix = %(asctime)s.%(msecs)03d %(process)d ERROR %(name)s %(instance)s`	string value	Prefix each line of exception output with this format.
`logging_user_identity_format = %(user)s %(tenant)s %(domain)s %(user_domain)s %(project_domain)s`	string value	Defines the format string for %(user_identity)s that is used in logging_context_format_string.
`publish_errors = False`	boolean value	Enables or disables publication of error events.
`rate_limit_burst = 0`	integer value	Maximum number of logged messages per rate_limit_interval.
`rate_limit_except_level = CRITICAL`	string value	Log level name used by rate limiting: CRITICAL, ERROR, INFO, WARNING, DEBUG or empty string. Logs with level greater or equal to rate_limit_except_level are not filtered. An empty string means that all levels are filtered.
`rate_limit_interval = 0`	integer value	Interval, number of seconds, of log rate limiting.
`syslog-log-facility = LOG_USER`	string value	Syslog facility to receive log lines. This option is ignored if log_config_append is set.
`use-journal = False`	boolean value	Enable journald for logging. If running in a systemd environment you may wish to enable journal support. Doing so will use the journal native protocol which includes structured metadata in addition to log messages.This option is ignored if log_config_append is set.
`use-json = False`	boolean value	Use JSON formatting for logging. This option is ignored if log_config_append is set.
`use-syslog = False`	boolean value	Use syslog for logging. Existing syslog format is DEPRECATED and will be changed later to honor RFC5424. This option is ignored if log_config_append is set.
`use_stderr = False`	boolean value	Log output to standard error. This option is ignored if log_config_append is set.
`watch-log-file = False`	boolean value	Uses logging handler designed to watch file system. When log file is moved or removed this handler will open a new log file with specified path instantaneously. It makes sense only if log_file option is specified and Linux platform is used. This option is ignored if log_config_append is set.

10.8.2. agent

The following table outlines the options available under the [agent] group in the /etc/neutron/plugins/ml2/openvswitch_agent.ini file.

Table 10.46. agent
Configuration option = Default value	Type	Description
`agent_type = Open vSwitch agent`	string value	Selects the Agent Type reported
`arp_responder = False`	boolean value	Enable local ARP responder if it is supported. Requires OVS 2.1 and ML2 l2population driver. Allows the switch (when supporting an overlay) to respond to an ARP request locally without performing a costly ARP broadcast into the overlay.
`dont_fragment = True`	boolean value	Set or un-set the don’t fragment (DF) bit on outgoing IP packet carrying GRE/VXLAN tunnel.
`drop_flows_on_start = False`	boolean value	Reset flow table on start. Setting this to True will cause brief traffic interruption.
`enable_distributed_routing = False`	boolean value	Make the l2 agent run in DVR mode.
`extensions = []`	list value	Extensions list to use
`l2_population = False`	boolean value	Use ML2 l2population mechanism driver to learn remote MAC and IPs and improve tunnel scalability.
`minimize_polling = True`	boolean value	Minimize polling by monitoring ovsdb for interface changes.
`ovsdb_monitor_respawn_interval = 30`	integer value	The number of seconds to wait before respawning the ovsdb monitor after losing communication with it.
`tunnel_csum = False`	boolean value	Set or un-set the tunnel header checksum on outgoing IP packet carrying GRE/VXLAN tunnel.
`tunnel_types = []`	list value	Network types supported by the agent (gre and/or vxlan).
`veth_mtu = 9000`	integer value	MTU size of veth interfaces
`vxlan_udp_port = 4789`	port value	The UDP port to use for VXLAN tunnels.

10.8.3. network_log

The following table outlines the options available under the [network_log] group in the /etc/neutron/plugins/ml2/openvswitch_agent.ini file.

Table 10.47. network_log
Configuration option = Default value	Type	Description
`burst_limit = 25`	integer value	Maximum number of packets per rate_limit.
`local_output_log_base = None`	string value	Output logfile path on agent side, default syslog file.
`rate_limit = 100`	integer value	Maximum packets logging per second.

10.8.4. ovs

The following table outlines the options available under the [ovs] group in the /etc/neutron/plugins/ml2/openvswitch_agent.ini file.

Table 10.48. ovs
Configuration option = Default value	Type	Description
`bridge_mappings = []`	list value	Comma-separated list of <physical_network>:<bridge> tuples mapping physical network names to the agent’s node-specific Open vSwitch bridge names to be used for flat and VLAN networks. The length of bridge names should be no more than 11. Each bridge must exist, and should have a physical network interface configured as a port. All physical networks configured on the server should have mappings to appropriate bridges on each agent. Note: If you remove a bridge from this mapping, make sure to disconnect it from the integration bridge as it won’t be managed by the agent anymore.
`datapath_type = system`	string value	OVS datapath to use. system is the default value and corresponds to the kernel datapath. To enable the userspace datapath set this value to netdev.
`int_peer_patch_port = patch-tun`	string value	Peer patch port in integration bridge for tunnel bridge.
`integration_bridge = br-int`	string value	Integration bridge to use. Do not change this parameter unless you have a good reason to. This is the name of the OVS integration bridge. There is one per hypervisor. The integration bridge acts as a virtual patch bay. All VM VIFs are attached to this bridge and then patched according to their network connectivity.
`local_ip = None`	IP address value	IP address of local overlay (tunnel) network endpoint. Use either an IPv4 or IPv6 address that resides on one of the host network interfaces. The IP version of this value must match the value of the overlay_ip_version option in the ML2 plug-in configuration file on the neutron server node(s).
`of_connect_timeout = 300`	integer value	Timeout in seconds to wait for the local switch connecting the controller. Used only for native driver.
`of_interface = native`	string value	OpenFlow interface to use.
`of_listen_address = 127.0.0.1`	IP address value	Address to listen on for OpenFlow connections. Used only for native driver.
`of_listen_port = 6633`	port value	Port to listen on for OpenFlow connections. Used only for native driver.
`of_request_timeout = 300`	integer value	Timeout in seconds to wait for a single OpenFlow request. Used only for native driver.
`ovsdb_connection = tcp:127.0.0.1:6640`	string value	The connection string for the OVSDB backend. Will be used by ovsdb-client when monitoring and used for the all ovsdb commands when native ovsdb_interface is enabled
`ovsdb_interface = native`	string value	The interface for interacting with the OVSDB
`ssl_ca_cert_file = None`	string value	The Certificate Authority (CA) certificate to use when interacting with OVSDB. Required when using an "ssl:" prefixed ovsdb_connection
`ssl_cert_file = None`	string value	The SSL certificate file to use when interacting with OVSDB. Required when using an "ssl:" prefixed ovsdb_connection
`ssl_key_file = None`	string value	The SSL private key file to use when interacting with OVSDB. Required when using an "ssl:" prefixed ovsdb_connection
`tun_peer_patch_port = patch-int`	string value	Peer patch port in tunnel bridge for integration bridge.
`tunnel_bridge = br-tun`	string value	Tunnel bridge to use.
`use_veth_interconnection = False`	boolean value	Use veths instead of patch ports to interconnect the integration bridge to physical networks. Support kernel without Open vSwitch patch port support so long as it is set to True.
`vhostuser_socket_dir = /var/run/openvswitch`	string value	OVS vhost-user socket directory.

10.8.5. securitygroup

The following table outlines the options available under the [securitygroup] group in the /etc/neutron/plugins/ml2/openvswitch_agent.ini file.

Table 10.49. securitygroup
Configuration option = Default value	Type	Description
`enable_ipset = True`	boolean value	Use ipset to speed-up the iptables based security groups. Enabling ipset support requires that ipset is installed on L2 agent node.
`enable_security_group = True`	boolean value	Controls whether the neutron security group API is enabled in the server. It should be false when using no security groups or using the nova security group API.
`firewall_driver = None`	string value	Driver for security groups firewall in the L2 agent

10.8.6. xenapi

The following table outlines the options available under the [xenapi] group in the /etc/neutron/plugins/ml2/openvswitch_agent.ini file.

Table 10.50. xenapi
Configuration option = Default value	Type	Description
`connection_password = None`	string value	Password for connection to XenServer/Xen Cloud Platform.
`connection_url = None`	string value	URL for connection to XenServer/Xen Cloud Platform.
`connection_username = None`	string value	Username for connection to XenServer/Xen Cloud Platform.

10.9. sriov_agent.ini

This section contains options for the /etc/neutron/plugins/ml2/sriov_agent.ini file.

10.9.1. DEFAULT

The following table outlines the options available under the [DEFAULT] group in the /etc/neutron/plugins/ml2/sriov_agent.ini file.

Table 10.51. DEFAULT
Configuration option = Default value	Type	Description
`debug = False`	boolean value	If set to true, the logging level will be set to DEBUG instead of the default INFO level.
default_log_levels = [u'amqp=WARN', u'amqplib=WARN', u'boto=WARN', u'qpid=WARN', u'sqlalchemy=WARN', u'suds=INFO', u'oslo.messaging=INFO', u'oslo_messaging=INFO', u'iso8601=WARN', u'requests.packages.urllib3.connectionpool=WARN', u'urllib3.connectionpool=WARN', u'websocket=WARN', u'requests.packages.urllib3.util.retry=WARN', u'urllib3.util.retry=WARN', u'keystonemiddleware=WARN', u'routes.middleware=WARN', u'stevedore=WARN', u'taskflow=WARN', u'keystoneauth=WARN', u'oslo.cache=INFO', u'dogpile.core.dogpile=INFO']	list value	List of package logging levels in logger=LEVEL pairs. This option is ignored if log_config_append is set.
`fatal_deprecations = False`	boolean value	Enables or disables fatal status of deprecations.
`instance_format = [instance: %(uuid)s] `	string value	The format for an instance that is passed with the log message.
`instance_uuid_format = [instance: %(uuid)s] `	string value	The format for an instance UUID that is passed with the log message.
`log-config-append = None`	string value	The name of a logging configuration file. This file is appended to any existing logging configuration files. For details about logging configuration files, see the Python logging module documentation. Note that when logging configuration files are used then all logging configuration is set in the configuration file and other logging configuration options are ignored (for example, logging_context_format_string).
`log-date-format = %Y-%m-%d %H:%M:%S`	string value	Defines the format string for %%(asctime)s in log records. Default: %(default)s . This option is ignored if log_config_append is set.
`log-dir = None`	string value	(Optional) The base directory used for relative log_file paths. This option is ignored if log_config_append is set.
`log-file = None`	string value	(Optional) Name of log file to send logging output to. If no default is set, logging will go to stderr as defined by use_stderr. This option is ignored if log_config_append is set.
`logging_context_format_string = %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [%(request_id)s %(user_identity)s] %(instance)s%(message)s`	string value	Format string to use for log messages with context.
`logging_debug_format_suffix = %(funcName)s %(pathname)s:%(lineno)d`	string value	Additional data to append to log message when logging level for the message is DEBUG.
`logging_default_format_string = %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [-] %(instance)s%(message)s`	string value	Format string to use for log messages when context is undefined.
`logging_exception_prefix = %(asctime)s.%(msecs)03d %(process)d ERROR %(name)s %(instance)s`	string value	Prefix each line of exception output with this format.
`logging_user_identity_format = %(user)s %(tenant)s %(domain)s %(user_domain)s %(project_domain)s`	string value	Defines the format string for %(user_identity)s that is used in logging_context_format_string.
`publish_errors = False`	boolean value	Enables or disables publication of error events.
`rate_limit_burst = 0`	integer value	Maximum number of logged messages per rate_limit_interval.
`rate_limit_except_level = CRITICAL`	string value	Log level name used by rate limiting: CRITICAL, ERROR, INFO, WARNING, DEBUG or empty string. Logs with level greater or equal to rate_limit_except_level are not filtered. An empty string means that all levels are filtered.
`rate_limit_interval = 0`	integer value	Interval, number of seconds, of log rate limiting.
`syslog-log-facility = LOG_USER`	string value	Syslog facility to receive log lines. This option is ignored if log_config_append is set.
`use-journal = False`	boolean value	Enable journald for logging. If running in a systemd environment you may wish to enable journal support. Doing so will use the journal native protocol which includes structured metadata in addition to log messages.This option is ignored if log_config_append is set.
`use-json = False`	boolean value	Use JSON formatting for logging. This option is ignored if log_config_append is set.
`use-syslog = False`	boolean value	Use syslog for logging. Existing syslog format is DEPRECATED and will be changed later to honor RFC5424. This option is ignored if log_config_append is set.
`use_stderr = False`	boolean value	Log output to standard error. This option is ignored if log_config_append is set.
`watch-log-file = False`	boolean value	Uses logging handler designed to watch file system. When log file is moved or removed this handler will open a new log file with specified path instantaneously. It makes sense only if log_file option is specified and Linux platform is used. This option is ignored if log_config_append is set.

10.9.2. agent

The following table outlines the options available under the [agent] group in the /etc/neutron/plugins/ml2/sriov_agent.ini file.

Table 10.52. agent
Configuration option = Default value	Type	Description
`extensions = []`	list value	Extensions list to use

10.9.3. sriov_nic

The following table outlines the options available under the [sriov_nic] group in the /etc/neutron/plugins/ml2/sriov_agent.ini file.

Table 10.53. sriov_nic
Configuration option = Default value	Type	Description
`exclude_devices = []`	list value	Comma-separated list of <network_device>:<vfs_to_exclude> tuples, mapping network_device to the agent’s node-specific list of virtual functions that should not be used for virtual networking. vfs_to_exclude is a semicolon-separated list of virtual functions to exclude from network_device. The network_device in the mapping should appear in the physical_device_mappings list.
`physical_device_mappings = []`	list value	Comma-separated list of <physical_network>:<network_device> tuples mapping physical network names to the agent’s node-specific physical network device interfaces of SR-IOV physical function to be used for VLAN networks. All physical networks listed in network_vlan_ranges on the server should have mappings to appropriate interfaces on each agent.

Chapter 11. nova

The following chapter contains information about the configuration options in the nova service.

11.1. nova.conf

This section contains options for the /etc/nova/nova.conf file.

11.1.1. DEFAULT

The following table outlines the options available under the [DEFAULT] group in the /etc/nova/nova.conf file.

Table 11.1. DEFAULT
Configuration option = Default value	Type	Description
`allow_resize_to_same_host = False`	boolean value	Allow destination machine to match source for resize. Useful when testing in single-host environments. By default it is not allowed to resize to the same host. Setting this option to true will add the same host to the destination options. Also set to true if you allow the ServerGroupAffinityFilter and need to resize.
`allow_same_net_traffic = True`	boolean value	Determine whether to allow network traffic from same network. When set to true, hosts on the same subnet are not filtered and are allowed to pass all types of traffic between them. On a flat network, this allows all instances from all projects unfiltered communication. With VLAN networking, this allows access between instances within the same project. This option only applies when using the `nova-network` service. When using another networking services, such as Neutron, security groups or other approaches should be used. Possible values: True: Network traffic should be allowed pass between all instances on the same network, regardless of their tenant and security policies False: Network traffic should not be allowed pass between instances unless it is unblocked in a security group Related options: `use_neutron`: This must be set to `False` to enable `nova-network` networking `firewall_driver`: This must be set to `nova.virt.libvirt.firewall.IptablesFirewallDriver` to ensure the libvirt firewall driver is enabled.
`auto_assign_floating_ip = False`	boolean value	Autoassigning floating IP to VM When set to True, floating IP is auto allocated and associated to the VM upon creation. Related options: use_neutron: this options only works with nova-network.
`backdoor_port = None`	string value	Enable eventlet backdoor. Acceptable values are 0, <port>, and <start>:<end>, where 0 results in listening on a random tcp port number; <port> results in listening on the specified port number (and not enabling backdoor if that port is in use); and <start>:<end> results in listening on the smallest unused port number within the specified range of port numbers. The chosen port is displayed in the service’s log file.
`backdoor_socket = None`	string value	Enable eventlet backdoor, using the provided path as a unix socket that can receive connections. This option is mutually exclusive with backdoor_port in that only one should be provided. If both are provided then the existence of this option overrides the usage of that option.
`bandwidth_poll_interval = 600`	integer value	Interval to pull network bandwidth usage info. Not supported on all hypervisors. If a hypervisor doesn’t support bandwidth usage, it will not get the info in the usage events. Possible values: 0: Will run at the default periodic interval. Any value < 0: Disables the option. Any positive integer in seconds.
`bindir = /usr/local/bin`	string value	The directory where the Nova binaries are installed. This option is only relevant if the networking capabilities from Nova are used (see services below). Nova’s networking capabilities are targeted to be fully replaced by Neutron in the future. It is very unlikely that you need to change this option from its default value. Possible values: The full path to a directory.
`block_device_allocate_retries = 60`	integer value	Number of times to retry block device allocation on failures. Starting with Liberty, Cinder can use image volume cache. This may help with block device allocation performance. Look at the cinder image_volume_cache_enabled configuration option. Possible values: 60 (default) If value is 0, then one attempt is made. Any negative value is treated as 0. For any value > 0, total attempts are (value + 1)
`block_device_allocate_retries_interval = 3`	integer value	Interval (in seconds) between block device allocation retries on failures. This option allows the user to specify the time interval between consecutive retries. block_device_allocate_retries option specifies the maximum number of retries. Possible values: 0: Disables the option. Any positive integer in seconds enables the option. Related options: `block_device_allocate_retries` in compute_manager_opts group.
`cert = self.pem`	string value	Path to SSL certificate file.
`cnt_vpn_clients = 0`	integer value	This option represents the number of IP addresses to reserve at the top of the address range for VPN clients. It also will be ignored if the configuration option for `network_manager` is not set to the default of nova.network.manager.VlanManager. Possible values: Any integer, 0 or greater. Related options: `use_neutron` `network_manager`
`compute_driver = None`	string value	Defines which driver to use for controlling virtualization. Possible values: `libvirt.LibvirtDriver` `xenapi.XenAPIDriver` `fake.FakeDriver` `ironic.IronicDriver` `vmwareapi.VMwareVCDriver` `hyperv.HyperVDriver` `powervm.PowerVMDriver`
`compute_monitors = []`	list value	A comma-separated list of monitors that can be used for getting compute metrics. You can use the alias/name from the setuptools entry points for nova.compute.monitors.* namespaces. If no namespace is supplied, the "cpu." namespace is assumed for backwards-compatibility. Note Only one monitor per namespace (For example: cpu) can be loaded at a time. Possible values: An empty list will disable the feature (Default). An example value that would enable both the CPU and NUMA memory bandwidth monitors that use the virt driver variant: compute_monitors = cpu.virt_driver, numa_mem_bw.virt_driver
`config_drive_format = iso9660`	string value	Configuration drive format Configuration drive format that will contain metadata attached to the instance when it boots. Possible values: iso9660: A file system image standard that is widely supported across operating systems. NOTE: Mind the libvirt bug (https://bugs.launchpad.net/nova/+bug/1246201) - If your hypervisor driver is libvirt, and you want live migrate to work without shared storage, then use VFAT. vfat: For legacy reasons, you can configure the configuration drive to use VFAT format instead of ISO 9660. Related options: This option is meaningful when one of the following alternatives occur: force_config_drive option set to true the REST API call to create the instance contains an enable flag for config drive option the image used to create the instance requires a config drive, this is defined by img_config_drive property for that image. A compute node running Hyper-V hypervisor can be configured to attach configuration drive as a CD drive. To attach the configuration drive as a CD drive, set config_drive_cdrom option at hyperv section, to true.
`conn_pool_min_size = 2`	integer value	The pool size limit for connections expiration policy
`conn_pool_ttl = 1200`	integer value	The time-to-live in sec of idle connections in the pool
`console_host = ccsosp-undercloud.usersys.redhat.com`	string value	Console proxy host to be used to connect to instances on this host. It is the publicly visible name for the console host. Possible values: Current hostname (default) or any string representing hostname.
`control_exchange = openstack`	string value	The default exchange under which topics are scoped. May be overridden by an exchange name specified in the transport_url option.
`cpu_allocation_ratio = 0.0`	floating point value	This option helps you specify virtual CPU to physical CPU allocation ratio. From Ocata (15.0.0) this is used to influence the hosts selected by the Placement API. Note that when Placement is used, the CoreFilter is redundant, because the Placement API will have already filtered out hosts that would have failed the CoreFilter. This configuration specifies ratio for CoreFilter which can be set per compute node. For AggregateCoreFilter, it will fall back to this configuration value if no per-aggregate setting is found. Note This can be set per-compute, or if set to 0.0, the value set on the scheduler node(s) or compute node(s) will be used and defaulted to 16.0. Once set to a non-default value, it is not possible to "unset" the config to get back to the default behavior. If you want to reset back to the default, explicitly specify 16.0. Note As of the 16.0.0 Pike release, this configuration option is ignored for the ironic.IronicDriver compute driver and is hardcoded to 1.0. Possible values: Any valid positive integer or float value
`create_unique_mac_address_attempts = 5`	integer value	This option determines how many times nova-network will attempt to create a unique MAC address before giving up and raising a `VirtualInterfaceMacAddressException` error. Possible values: Any positive integer. The default is 5. Related options: `use_neutron`
`daemon = False`	boolean value	Run as a background process.
`db_driver = nova.db`	string value	The driver to use for database access
`debug = False`	boolean value	If set to true, the logging level will be set to DEBUG instead of the default INFO level.
`default_access_ip_network_name = None`	string value	Name of the network to be used to set access IPs for instances. If there are multiple IPs to choose from, an arbitrary one will be chosen. Possible values: None (default) Any string representing network name.
`default_availability_zone = nova`	string value	Default availability zone for compute services. This option determines the default availability zone for nova-compute services, which will be used if the service(s) do not belong to aggregates with availability zone metadata. Possible values: Any string representing an existing availability zone name.
`default_ephemeral_format = None`	string value	The default format an ephemeral_volume will be formatted with on creation. Possible values: `ext2` `ext3` `ext4` `xfs` `ntfs` (only for Windows guests)
`default_flavor = m1.small`	string value	Default flavor to use for the EC2 API only. The Nova API does not support a default flavor.
`default_floating_pool = nova`	string value	Default pool for floating IPs. This option specifies the default floating IP pool for allocating floating IPs. While allocating a floating ip, users can optionally pass in the name of the pool they want to allocate from, otherwise it will be pulled from the default pool. If this option is not set, then nova is used as default floating pool. Possible values: Any string representing a floating IP pool name
default_log_levels = [u'amqp=WARN', u'amqplib=WARN', u'boto=WARN', u'qpid=WARN', u'sqlalchemy=WARN', u'suds=INFO', u'oslo.messaging=INFO', u'oslo_messaging=INFO', u'iso8601=WARN', u'requests.packages.urllib3.connectionpool=WARN', u'urllib3.connectionpool=WARN', u'websocket=WARN', u'requests.packages.urllib3.util.retry=WARN', u'urllib3.util.retry=WARN', u'keystonemiddleware=WARN', u'routes.middleware=WARN', u'stevedore=WARN', u'taskflow=WARN', u'keystoneauth=WARN', u'oslo.cache=INFO', u'dogpile.core.dogpile=INFO']	list value	List of package logging levels in logger=LEVEL pairs. This option is ignored if log_config_append is set.
`default_schedule_zone = None`	string value	Default availability zone for instances. This option determines the default availability zone for instances, which will be used when a user does not specify one when creating an instance. The instance(s) will be bound to this availability zone for their lifetime. Possible values: Any string representing an existing availability zone name. None, which means that the instance can move from one availability zone to another during its lifetime if it is moved from one compute node to another.
`defer_iptables_apply = False`	boolean value	Whether to batch up the application of IPTables rules during a host restart and apply all at the end of the init phase.
`dhcp_domain = novalocal`	string value	This option allows you to specify the domain for the DHCP server. Possible values: Any string that is a valid domain name. Related options: `use_neutron`
`dhcp_lease_time = 86400`	integer value	The lifetime of a DHCP lease, in seconds. The default is 86400 (one day). Possible values: Any positive integer value.
`dhcpbridge = $bindir/nova-dhcpbridge`	string value	The location of the binary nova-dhcpbridge. By default it is the binary named nova-dhcpbridge that is installed with all the other nova binaries. Possible values: Any string representing the full path to the binary for dhcpbridge
`dhcpbridge_flagfile = [u'/etc/nova/nova-dhcpbridge.conf']`	multi valued	This option is a list of full paths to one or more configuration files for dhcpbridge. In most cases the default path of /etc/nova/nova-dhcpbridge.conf should be sufficient, but if you have special needs for configuring dhcpbridge, you can change or add to this list. Possible values A list of strings, where each string is the full path to a dhcpbridge configuration file.
`disk_allocation_ratio = 0.0`	floating point value	This option helps you specify virtual disk to physical disk allocation ratio. From Ocata (15.0.0) this is used to influence the hosts selected by the Placement API. Note that when Placement is used, the DiskFilter is redundant, because the Placement API will have already filtered out hosts that would have failed the DiskFilter. A ratio greater than 1.0 will result in over-subscription of the available physical disk, which can be useful for more efficiently packing instances created with images that do not use the entire virtual disk, such as sparse or compressed images. It can be set to a value between 0.0 and 1.0 in order to preserve a percentage of the disk for uses other than instances. Note This can be set per-compute, or if set to 0.0, the value set on the scheduler node(s) or compute node(s) will be used and defaulted to 1.0. Once set to a non-default value, it is not possible to "unset" the config to get back to the default behavior. If you want to reset back to the default, explicitly specify 1.0. Note As of the 16.0.0 Pike release, this configuration option is ignored for the ironic.IronicDriver compute driver and is hardcoded to 1.0. Possible values: Any valid positive integer or float value
`dmz_cidr = []`	list value	This option is a list of zero or more IP address ranges in your network’s DMZ that should be accepted. Possible values: A list of strings, each of which should be a valid CIDR.
`dns_server = []`	multi valued	Despite the singular form of the name of this option, it is actually a list of zero or more server addresses that dnsmasq will use for DNS nameservers. If this is not empty, dnsmasq will not read /etc/resolv.conf, but will only use the servers specified in this option. If the option use_network_dns_servers is True, the dns1 and dns2 servers from the network will be appended to this list, and will be used as DNS servers, too. Possible values: A list of strings, where each string is either an IP address or a FQDN. Related options: `use_network_dns_servers`
`dns_update_periodic_interval = -1`	integer value	This option determines the time, in seconds, to wait between refreshing DNS entries for the network. Possible values: A positive integer -1 to disable updates Related options: `use_neutron`
`dnsmasq_config_file = `	string value	The path to the custom dnsmasq configuration file, if any. Possible values: The full path to the configuration file, or an empty string if there is no custom dnsmasq configuration file.
`ebtables_exec_attempts = 3`	integer value	This option determines the number of times to retry ebtables commands before giving up. The minimum number of retries is 1. Possible values: Any positive integer Related options: `ebtables_retry_interval`
`ebtables_retry_interval = 1.0`	floating point value	This option determines the time, in seconds, that the system will sleep in between ebtables retries. Note that each successive retry waits a multiple of this value, so for example, if this is set to the default of 1.0 seconds, and ebtables_exec_attempts is 4, after the first failure, the system will sleep for 1 * 1.0 seconds, after the second failure it will sleep 2 * 1.0 seconds, and after the third failure it will sleep 3 * 1.0 seconds. Possible values: Any non-negative float or integer. Setting this to zero will result in no waiting between attempts. Related options: ebtables_exec_attempts
`enable_network_quota = False`	boolean value	This option is used to enable or disable quota checking for tenant networks. Related options: quota_networks
`enable_new_services = True`	boolean value	Enable new nova-compute services on this host automatically. When a new nova-compute service starts up, it gets registered in the database as an enabled service. Sometimes it can be useful to register new compute services in disabled state and then enabled them at a later point in time. This option only sets this behavior for nova-compute services, it does not auto-disable other services like nova-conductor, nova-scheduler, nova-consoleauth, or nova-osapi_compute. Possible values: `True`: Each new compute service is enabled as soon as it registers itself. `False`: Compute services must be enabled via an os-services REST API call or with the CLI with `nova service-enable <hostname> <binary>`, otherwise they are not ready to use.
`enabled_apis = [u'osapi_compute', u'metadata']`	list value	List of APIs to be enabled by default.
`enabled_ssl_apis = []`	list value	List of APIs with enabled SSL. Nova provides SSL support for the API servers. enabled_ssl_apis option allows configuring the SSL support.
`executor_thread_pool_size = 64`	integer value	Size of executor thread pool when executor is threading or eventlet.
`fake_network = False`	boolean value	This option is used mainly in testing to avoid calls to the underlying network utilities.
`fatal_deprecations = False`	boolean value	Enables or disables fatal status of deprecations.
`firewall_driver = nova.virt.firewall.NoopFirewallDriver`	string value	Firewall driver to use with `nova-network` service. This option only applies when using the `nova-network` service. When using another networking services, such as Neutron, this should be to set to the `nova.virt.firewall.NoopFirewallDriver`. Possible values: `nova.virt.firewall.IptablesFirewallDriver` `nova.virt.firewall.NoopFirewallDriver` `nova.virt.libvirt.firewall.IptablesFirewallDriver` […] Related options: `use_neutron`: This must be set to `False` to enable `nova-network` networking
`fixed_ip_disassociate_timeout = 600`	integer value	This is the number of seconds to wait before disassociating a deallocated fixed IP address. This is only used with the nova-network service, and has no effect when using neutron for networking. Possible values: Any integer, zero or greater. Related options: `use_neutron`
`fixed_range_v6 = fd00::/48`	string value	This option determines the fixed IPv6 address block when creating a network. Please note that this option is only used when using nova-network instead of Neutron in your deployment. Possible values: Any valid IPv6 CIDR Related options: `use_neutron`
`flat_injected = False`	boolean value	This option determines whether the network setup information is injected into the VM before it is booted. While it was originally designed to be used only by nova-network, it is also used by the vmware and xenapi virt drivers to control whether network information is injected into a VM. The libvirt virt driver also uses it when we use config_drive to configure network to control whether network information is injected into a VM.
`flat_interface = None`	string value	This option is the name of the virtual interface of the VM on which the bridge will be built. While it was originally designed to be used only by nova-network, it is also used by libvirt for the bridge interface name. Possible values: Any valid virtual interface name, such as eth0
`flat_network_bridge = None`	string value	This option determines the bridge used for simple network interfaces when no bridge is specified in the VM creation request. Please note that this option is only used when using nova-network instead of Neutron in your deployment. Possible values: Any string representing a valid network bridge, such as br100 Related options: `use_neutron`
`flat_network_dns = 8.8.4.4`	string value	This is the address of the DNS server for a simple network. If this option is not specified, the default of 8.8.4.4 is used. Please note that this option is only used when using nova-network instead of Neutron in your deployment. Possible values: Any valid IP address. Related options: `use_neutron`
`floating_ip_dns_manager = nova.network.noop_dns_driver.NoopDNSDriver`	string value	Full class name for the DNS Manager for floating IPs. This option specifies the class of the driver that provides functionality to manage DNS entries associated with floating IPs. When a user adds a DNS entry for a specified domain to a floating IP, nova will add a DNS entry using the specified floating DNS driver. When a floating IP is deallocated, its DNS entry will automatically be deleted. Possible values: Full Python path to the class to be used Related options: use_neutron: this options only works with nova-network.
`force_config_drive = False`	boolean value	Force injection to take place on a config drive When this option is set to true configuration drive functionality will be forced enabled by default, otherwise user can still enable configuration drives via the REST API or image metadata properties. Possible values: True: Force to use of configuration drive regardless the user’s input in the REST API call. False: Do not force use of configuration drive. Config drives can still be enabled via the REST API or image metadata properties. Related options: Use the mkisofs_cmd flag to set the path where you install the genisoimage program. If genisoimage is in same path as the nova-compute service, you do not need to set this flag. To use configuration drive with Hyper-V, you must set the mkisofs_cmd value to the full path to an mkisofs.exe installation. Additionally, you must set the qemu_img_cmd value in the hyperv configuration section to the full path to an qemu-img command installation.
`force_dhcp_release = True`	boolean value	When this option is True, a call is made to release the DHCP for the instance when that instance is terminated. Related options: `use_neutron`
`force_raw_images = True`	boolean value	Force conversion of backing images to raw format. Possible values: True: Backing image files will be converted to raw image format False: Backing image files will not be converted Related options: `compute_driver`: Only the libvirt driver uses this option.
`force_snat_range = []`	multi valued	This is a list of zero or more IP ranges that traffic from the `routing_source_ip` will be SNATted to. If the list is empty, then no SNAT rules are created. Possible values: A list of strings, each of which should be a valid CIDR. Related options: `routing_source_ip`
`forward_bridge_interface = [u'all']`	multi valued	One or more interfaces that bridges can forward traffic to. If any of the items in this list is the special keyword all, then all traffic will be forwarded. Possible values: A list of zero or more interface names, or the word all.
`gateway = None`	string value	This is the default IPv4 gateway. It is used only in the testing suite. Please note that this option is only used when using nova-network instead of Neutron in your deployment. Possible values: Any valid IP address. Related options: `use_neutron` `gateway_v6`
`gateway_v6 = None`	string value	This is the default IPv6 gateway. It is used only in the testing suite. Please note that this option is only used when using nova-network instead of Neutron in your deployment. Possible values: Any valid IP address. Related options: `use_neutron` `gateway`
`graceful_shutdown_timeout = 60`	integer value	Specify a timeout after which a gracefully shutdown server will exit. Zero value means endless wait.
`heal_instance_info_cache_interval = 60`	integer value	Interval between instance network information cache updates. Number of seconds after which each compute node runs the task of querying Neutron for all of its instances networking information, then updates the Nova db with that information. Nova will never update it’s cache if this option is set to 0. If we don’t update the cache, the metadata service and nova-api endpoints will be proxying incorrect network data about the instance. So, it is not recommended to set this option to 0. Possible values: Any positive integer in seconds. Any value ⇐0 will disable the sync. This is not recommended.
`host = ccsosp-undercloud.usersys.redhat.com`	string value	Hostname, FQDN or IP address of this host. Used as: the oslo.messaging queue name for nova-compute worker we use this value for the binding_host sent to neutron. This means if you use a neutron agent, it should have the same value for host. cinder host attachment information Must be valid within AMQP key. Possible values: String with hostname, FQDN or IP address. Default is hostname of this host.
`image_cache_manager_interval = 2400`	integer value	Number of seconds to wait between runs of the image cache manager. Possible values: * 0: run at the default rate. * -1: disable * Any other value
`image_cache_subdirectory_name = _base`	string value	Location of cached images. This is NOT the full path - just a folder name relative to $instances_path. For per-compute-host cached images, set to base$my_ip
`injected_network_template = $pybasedir/nova/virt/interfaces.template`	string value	Path to /etc/network/interfaces template. The path to a template file for the /etc/network/interfaces-style file, which will be populated by nova and subsequently used by cloudinit. This provides a method to configure network connectivity in environments without a DHCP server. The template will be rendered using Jinja2 template engine, and receive a top-level key called `interfaces`. This key will contain a list of dictionaries, one for each interface. Refer to the cloudinit documentaion for more information: https://cloudinit.readthedocs.io/en/latest/topics/datasources.html Possible values: A path to a Jinja2-formatted template for a Debian /etc/network/interfaces file. This applies even if using a non Debian-derived guest. Related options: `flat_inject`: This must be set to `True` to ensure nova embeds network configuration information in the metadata provided through the config drive.
`instance_build_timeout = 0`	integer value	Maximum time in seconds that an instance can take to build. If this timer expires, instance status will be changed to ERROR. Enabling this option will make sure an instance will not be stuck in BUILD state for a longer period. Possible values: 0: Disables the option (default) Any positive integer in seconds: Enables the option.
`instance_delete_interval = 300`	integer value	Interval for retrying failed instance file deletes. This option depends on maximum_instance_delete_attempts. This option specifies how often to retry deletes whereas maximum_instance_delete_attempts specifies the maximum number of retry attempts that can be made. Possible values: 0: Will run at the default periodic interval. Any value < 0: Disables the option. Any positive integer in seconds. Related options: `maximum_instance_delete_attempts` from instance_cleaning_opts group.
`instance_dns_domain = `	string value	If specified, Nova checks if the availability_zone of every instance matches what the database says the availability_zone should be for the specified dns_domain. Related options: use_neutron: this options only works with nova-network.
`instance_dns_manager = nova.network.noop_dns_driver.NoopDNSDriver`	string value	Full class name for the DNS Manager for instance IPs. This option specifies the class of the driver that provides functionality to manage DNS entries for instances. On instance creation, nova will add DNS entries for the instance name and id, using the specified instance DNS driver and domain. On instance deletion, nova will remove the DNS entries. Possible values: Full Python path to the class to be used Related options: use_neutron: this options only works with nova-network.
`instance_format = [instance: %(uuid)s] `	string value	The format for an instance that is passed with the log message.
`instance_name_template = instance-%08x`	string value	Template string to be used to generate instance names. This template controls the creation of the database name of an instance. This is not the display name you enter when creating an instance (via Horizon or CLI). For a new deployment it is advisable to change the default value (which uses the database autoincrement) to another value which makes use of the attributes of an instance, like `instance-%(uuid)s`. If you already have instances in your deployment when you change this, your deployment will break. Possible values: A string which either uses the instance database ID (like the default) A string with a list of named database columns, for example `%(id)d` or `%(uuid)s` or `%(hostname)s`. Related options: not to be confused with: `multi_instance_display_name_template`
`instance_usage_audit = False`	boolean value	This option enables periodic compute.instance.exists notifications. Each compute node must be configured to generate system usage data. These notifications are consumed by OpenStack Telemetry service.
`instance_usage_audit_period = month`	string value	Time period to generate instance usages for. It is possible to define optional offset to given period by appending @ character followed by a number defining offset. Possible values: period, example: `hour`, `day`, `month` or `year` period with offset, example: `month@15` will result in monthly audits starting on 15th day of month.
`instance_uuid_format = [instance: %(uuid)s] `	string value	The format for an instance UUID that is passed with the log message.
`instances_path = $state_path/instances`	string value	Specifies where instances are stored on the hypervisor’s disk. It can point to locally attached storage or a directory on NFS. Possible values: $state_path/instances where state_path is a config option that specifies the top-level directory for maintaining nova’s state. (default) or Any string representing directory path. Related options: `[workarounds]/ensure_libvirt_rbd_instance_dir_cleanup`
`internal_service_availability_zone = internal`	string value	Availability zone for internal services. This option determines the availability zone for the various internal nova services, such as nova-scheduler, nova-conductor, etc. Possible values: Any string representing an existing availability zone name.
`iptables_bottom_regex = `	string value	This expression, if defined, will select any matching iptables rules and place them at the bottom when applying metadata changes to the rules. Possible values: Any string representing a valid regular expression, or an empty string Related options: iptables_top_regex
`iptables_drop_action = DROP`	string value	By default, packets that do not pass the firewall are DROPped. In many cases, though, an operator may find it more useful to change this from DROP to REJECT, so that the user issuing those packets may have a better idea as to what’s going on, or LOGDROP in order to record the blocked traffic before DROPping. Possible values: A string representing an iptables chain. The default is DROP.
`iptables_top_regex = `	string value	This expression, if defined, will select any matching iptables rules and place them at the top when applying metadata changes to the rules. Possible values: Any string representing a valid regular expression, or an empty string Related options: `iptables_bottom_regex`
`ipv6_backend = rfc2462`	string value	Abstracts out IPv6 address generation to pluggable backends. nova-network can be put into dual-stack mode, so that it uses both IPv4 and IPv6 addresses. In dual-stack mode, by default, instances acquire IPv6 global unicast addresses with the help of stateless address auto-configuration mechanism. Related options: use_neutron: this option only works with nova-network. use_ipv6: this option only works if ipv6 is enabled for nova-network.
`key = None`	string value	SSL key file (if separate from cert).
`l3_lib = nova.network.l3.LinuxNetL3`	string value	This option allows you to specify the L3 management library to be used. Possible values: Any dot-separated string that represents the import path to an L3 networking library. Related options: `use_neutron`
`ldap_dns_base_dn = ou=hosts,dc=example,dc=org`	string value	Base distinguished name for the LDAP search query This option helps to decide where to look up the host in LDAP.
`ldap_dns_password = password`	string value	Bind user’s password for LDAP server
`ldap_dns_servers = [u'dns.example.org']`	multi valued	DNS Servers for LDAP DNS driver Possible values: A valid URL representing a DNS server
`ldap_dns_soa_expiry = 86400`	integer value	Expiry interval (in seconds) for LDAP DNS driver Start of Authority Time interval, a secondary/slave DNS server holds the information before it is no longer considered authoritative.
`ldap_dns_soa_hostmaster = hostmaster@example.org`	string value	Hostmaster for LDAP DNS driver Statement of Authority Possible values: Any valid string representing LDAP DNS hostmaster.
`ldap_dns_soa_minimum = 7200`	integer value	Minimum interval (in seconds) for LDAP DNS driver Start of Authority It is Minimum time-to-live applies for all resource records in the zone file. This value is supplied to other servers how long they should keep the data in cache.
`ldap_dns_soa_refresh = 1800`	integer value	Refresh interval (in seconds) for LDAP DNS driver Start of Authority Time interval, a secondary/slave DNS server waits before requesting for primary DNS server’s current SOA record. If the records are different, secondary DNS server will request a zone transfer from primary. Note Lower values would cause more traffic.
`ldap_dns_soa_retry = 3600`	integer value	Retry interval (in seconds) for LDAP DNS driver Start of Authority Time interval, a secondary/slave DNS server should wait, if an attempt to transfer zone failed during the previous refresh interval.
`ldap_dns_url = ldap://ldap.example.com:389`	uri value	URL for LDAP server which will store DNS entries Possible values: A valid LDAP URL representing the server
`ldap_dns_user = uid=admin,ou=people,dc=example,dc=org`	string value	Bind user for LDAP server
`linuxnet_interface_driver = nova.network.linux_net.LinuxBridgeInterfaceDriver`	string value	This is the class used as the ethernet device driver for linuxnet bridge operations. The default value should be all you need for most cases, but if you wish to use a customized class, set this option to the full dot-separated import path for that class. Possible values: Any string representing a dot-separated class path that Nova can import.
`linuxnet_ovs_integration_bridge = br-int`	string value	The name of the Open vSwitch bridge that is used with linuxnet when connecting with Open vSwitch." Possible values: Any string representing a valid bridge name.
`live_migration_retry_count = 30`	integer value	Maximum number of 1 second retries in live_migration. It specifies number of retries to iptables when it complains. It happens when an user continuously sends live-migration request to same host leading to concurrent request to iptables. Possible values: Any positive integer representing retry count.
`log-config-append = None`	string value	The name of a logging configuration file. This file is appended to any existing logging configuration files. For details about logging configuration files, see the Python logging module documentation. Note that when logging configuration files are used then all logging configuration is set in the configuration file and other logging configuration options are ignored (for example, logging_context_format_string).
`log-date-format = %Y-%m-%d %H:%M:%S`	string value	Defines the format string for %%(asctime)s in log records. Default: %(default)s . This option is ignored if log_config_append is set.
`log-dir = None`	string value	(Optional) The base directory used for relative log_file paths. This option is ignored if log_config_append is set.
`log-file = None`	string value	(Optional) Name of log file to send logging output to. If no default is set, logging will go to stderr as defined by use_stderr. This option is ignored if log_config_append is set.
`log_options = True`	boolean value	Enables or disables logging values of all registered options when starting a service (at DEBUG level).
`logging_context_format_string = %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [%(request_id)s %(user_identity)s] %(instance)s%(message)s`	string value	Format string to use for log messages with context.
`logging_debug_format_suffix = %(funcName)s %(pathname)s:%(lineno)d`	string value	Additional data to append to log message when logging level for the message is DEBUG.
`logging_default_format_string = %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [-] %(instance)s%(message)s`	string value	Format string to use for log messages when context is undefined.
`logging_exception_prefix = %(asctime)s.%(msecs)03d %(process)d ERROR %(name)s %(instance)s`	string value	Prefix each line of exception output with this format.
`logging_user_identity_format = %(user)s %(tenant)s %(domain)s %(user_domain)s %(project_domain)s`	string value	Defines the format string for %(user_identity)s that is used in logging_context_format_string.
`max_concurrent_builds = 10`	integer value	Limits the maximum number of instance builds to run concurrently by nova-compute. Compute service can attempt to build an infinite number of instances, if asked to do so. This limit is enforced to avoid building unlimited instance concurrently on a compute node. This value can be set per compute node. Possible Values: 0 : treated as unlimited. Any positive integer representing maximum concurrent builds.
`max_concurrent_live_migrations = 1`	integer value	Maximum number of live migrations to run concurrently. This limit is enforced to avoid outbound live migrations overwhelming the host/network and causing failures. It is not recommended that you change this unless you are very sure that doing so is safe and stable in your environment. Possible values: 0 : treated as unlimited. Negative value defaults to 0. Any positive integer representing maximum number of live migrations to run concurrently.
`max_local_block_devices = 3`	integer value	Maximum number of devices that will result in a local image being created on the hypervisor node. A negative number means unlimited. Setting max_local_block_devices to 0 means that any request that attempts to create a local disk will fail. This option is meant to limit the number of local discs (so root local disc that is the result of --image being used, and any other ephemeral and swap disks). 0 does not mean that images will be automatically converted to volumes and boot instances from volumes - it just means that all requests that attempt to create a local disk will fail. Possible values: 0: Creating a local disk is not allowed. Negative number: Allows unlimited number of local discs. Positive number: Allows only these many number of local discs. (Default value is 3).
`maximum_instance_delete_attempts = 5`	integer value	The number of times to attempt to reap an instance’s files. This option specifies the maximum number of retry attempts that can be made. Possible values: Any positive integer defines how many attempts are made. Any value ⇐0 means no delete attempts occur, but you should use `instance_delete_interval` to disable the delete attempts. Related options: * `instance_delete_interval` in interval_opts group can be used to disable this option.
`metadata_host = $my_ip`	string value	This option determines the IP address for the network metadata API server. This is really the client side of the metadata host equation that allows nova-network to find the metadata server when doing a default multi host networking. Possible values: Any valid IP address. The default is the address of the Nova API server. Related options: `metadata_port`
`metadata_listen = 0.0.0.0`	string value	IP address on which the metadata API will listen. The metadata API service listens on this IP address for incoming requests.
`metadata_listen_port = 8775`	port value	Port on which the metadata API will listen. The metadata API service listens on this port number for incoming requests.
`metadata_port = 8775`	port value	This option determines the port used for the metadata API server. Related options: `metadata_host`
`metadata_workers = None`	integer value	Number of workers for metadata service. If not specified the number of available CPUs will be used. The metadata service can be configured to run as multi-process (workers). This overcomes the problem of reduction in throughput when API request concurrency increases. The metadata service will run in the specified number of processes. Possible Values: Any positive integer None (default value)
`migrate_max_retries = -1`	integer value	Number of times to retry live-migration before failing. Possible values: If == -1, try until out of hosts (default) If == 0, only try once, no retries Integer greater than 0
`mkisofs_cmd = genisoimage`	string value	Name or path of the tool used for ISO image creation Use the mkisofs_cmd flag to set the path where you install the genisoimage program. If genisoimage is on the system path, you do not need to change the default value. To use configuration drive with Hyper-V, you must set the mkisofs_cmd value to the full path to an mkisofs.exe installation. Additionally, you must set the qemu_img_cmd value in the hyperv configuration section to the full path to an qemu-img command installation. Possible values: Name of the ISO image creator program, in case it is in the same directory as the nova-compute service Path to ISO image creator program Related options: This option is meaningful when config drives are enabled. To use configuration drive with Hyper-V, you must set the qemu_img_cmd value in the hyperv configuration section to the full path to an qemu-img command installation.
`monkey_patch = False`	boolean value	Determine if monkey patching should be applied. Related options: `monkey_patch_modules`: This must have values set for this option to have any effect
`monkey_patch_modules = [u'nova.compute.api:nova.notifications.notify_decorator']`	list value	List of modules/decorators to monkey patch. This option allows you to patch a decorator for all functions in specified modules. Possible values: nova.compute.api:nova.notifications.notify_decorator […] Related options: `monkey_patch`: This must be set to `True` for this option to have any effect
`multi_host = False`	boolean value	Default value for multi_host in networks. nova-network service can operate in a multi-host or single-host mode. In multi-host mode each compute node runs a copy of nova-network and the instances on that compute node use the compute node as a gateway to the Internet. Where as in single-host mode, a central server runs the nova-network service. All compute nodes forward traffic from the instances to the cloud controller which then forwards traffic to the Internet. If this options is set to true, some rpc network calls will be sent directly to host. Note that this option is only used when using nova-network instead of Neutron in your deployment. Related options: `use_neutron`
`multi_instance_display_name_template = %(name)s-%(count)d`	string value	When creating multiple instances with a single request using the os-multiple-create API extension, this template will be used to build the display name for each instance. The benefit is that the instances end up with different hostnames. Example display names when creating two VM’s: name-1, name-2. Possible values: Valid keys for the template are: name, uuid, count.
`my_block_storage_ip = $my_ip`	string value	The IP address which is used to connect to the block storage network. Possible values: String with valid IP address. Default is IP address of this host. Related options: my_ip - if my_block_storage_ip is not set, then my_ip value is used.
`my_ip = 10.65.176.99`	string value	The IP address which the host is using to connect to the management network. Possible values: String with valid IP address. Default is IPv4 address of this host. Related options: metadata_host my_block_storage_ip routing_source_ip vpn_ip
`network_allocate_retries = 0`	integer value	Number of times to retry network allocation. It is required to attempt network allocation retries if the virtual interface plug fails. Possible values: Any positive integer representing retry count.
`network_driver = nova.network.linux_net`	string value	Driver to use for network creation. Network driver initializes (creates bridges and so on) only when the first VM lands on a host node. All network managers configure the network using network drivers. The driver is not tied to any particular network manager. The default Linux driver implements vlans, bridges, and iptables rules using linux utilities. Note that this option is only used when using nova-network instead of Neutron in your deployment. Related options: `use_neutron`
`network_manager = nova.network.manager.VlanManager`	string value	Full class name for the Manager for network
`network_size = 256`	integer value	This option determines the number of addresses in each private subnet. Please note that this option is only used when using nova-network instead of Neutron in your deployment. Possible values: Any positive integer that is less than or equal to the available network size. Note that if you are creating multiple networks, they must all fit in the available IP address space. The default is 256. Related options: `use_neutron` `num_networks`
`networks_path = $state_path/networks`	string value	The location where the network configuration files will be kept. The default is the networks directory off of the location where nova’s Python module is installed. Possible values A string containing the full path to the desired configuration directory
`non_inheritable_image_properties = [u'cache_in_nova', u'bittorrent', u'img_signature_hash_method', u'img_signature', u'img_signature_key_type', u'img_signature_certificate_uuid']`	list value	Image properties that should not be inherited from the instance when taking a snapshot. This option gives an opportunity to select which image-properties should not be inherited by newly created snapshots. Possible values: A comma-separated list whose item is an image property. Usually only the image properties that are only needed by base images can be included here, since the snapshots that are created from the base images don’t need them. Default list: cache_in_nova, bittorrent, img_signature_hash_method, img_signature, img_signature_key_type, img_signature_certificate_uuid
`num_networks = 1`	integer value	This option represents the number of networks to create if not explicitly specified when the network is created. The only time this is used is if a CIDR is specified, but an explicit network_size is not. In that case, the subnets are created by diving the IP address space of the CIDR by num_networks. The resulting subnet sizes cannot be larger than the configuration option `network_size`; in that event, they are reduced to `network_size`, and a warning is logged. Please note that this option is only used when using nova-network instead of Neutron in your deployment. Possible values: Any positive integer is technically valid, although there are practical limits based upon available IP address space and virtual interfaces. Related options: `use_neutron` `network_size`
`osapi_compute_listen = 0.0.0.0`	string value	IP address on which the OpenStack API will listen. The OpenStack API service listens on this IP address for incoming requests.
`osapi_compute_listen_port = 8774`	port value	Port on which the OpenStack API will listen. The OpenStack API service listens on this port number for incoming requests.
`osapi_compute_unique_server_name_scope = `	string value	Sets the scope of the check for unique instance names. The default doesn’t check for unique names. If a scope for the name check is set, a launch of a new instance or an update of an existing instance with a duplicate name will result in an 'InstanceExists' error. The uniqueness is case-insensitive. Setting this option can increase the usability for end users as they don’t have to distinguish among instances with the same name by their IDs. Possible values: '': An empty value means that no uniqueness check is done and duplicate names are possible. "project": The instance name check is done only for instances within the same project. "global": The instance name check is done for all instances regardless of the project.
`osapi_compute_workers = None`	integer value	Number of workers for OpenStack API service. The default will be the number of CPUs available. OpenStack API services can be configured to run as multi-process (workers). This overcomes the problem of reduction in throughput when API request concurrency increases. OpenStack API service will run in the specified number of processes. Possible Values: Any positive integer None (default value)
`ovs_vsctl_timeout = 120`	integer value	This option represents the period of time, in seconds, that the ovs_vsctl calls will wait for a response from the database before timing out. A setting of 0 means that the utility should wait forever for a response. Possible values: Any positive integer if a limited timeout is desired, or zero if the calls should wait forever for a response.
`password_length = 12`	integer value	Length of generated instance admin passwords.
`periodic_enable = True`	boolean value	Enable periodic tasks. If set to true, this option allows services to periodically run tasks on the manager. In case of running multiple schedulers or conductors you may want to run periodic tasks on only one host - in this case disable this option for all hosts but one.
`periodic_fuzzy_delay = 60`	integer value	Number of seconds to randomly delay when starting the periodic task scheduler to reduce stampeding. When compute workers are restarted in unison across a cluster, they all end up running the periodic tasks at the same time causing problems for the external services. To mitigate this behavior, periodic_fuzzy_delay option allows you to introduce a random initial delay when starting the periodic task scheduler. Possible Values: Any positive integer (in seconds) 0 : disable the random delay
`pointer_model = usbtablet`	string value	Generic property to specify the pointer type. Input devices allow interaction with a graphical framebuffer. For example to provide a graphic tablet for absolute cursor movement. If set, the hw_pointer_model image property takes precedence over this configuration option. Possible values: None: Uses default behavior provided by drivers (mouse on PS2 for libvirt x86) ps2mouse: Uses relative movement. Mouse connected by PS2 usbtablet: Uses absolute movement. Tablet connect by USB Related options: usbtablet must be configured with VNC enabled or SPICE enabled and SPICE agent disabled. When used with libvirt the instance mode should be configured as HVM.
`preallocate_images = none`	string value	The image preallocation mode to use. Image preallocation allows storage for instance images to be allocated up front when the instance is initially provisioned. This ensures immediate feedback is given if enough space isn’t available. In addition, it should significantly improve performance on writes to new blocks and may even improve I/O performance to prewritten blocks due to reduced fragmentation. Possible values: "none" ⇒ no storage provisioning is done up front "space" ⇒ storage is fully allocated at instance start
`public_interface = eth0`	string value	This is the name of the network interface for public IP addresses. The default is eth0. Possible values: Any string representing a network interface name
`publish_errors = False`	boolean value	Enables or disables publication of error events.
`pybasedir = /usr/lib/python2.7/site-packages`	string value	The directory where the Nova python modules are installed. This directory is used to store template files for networking and remote console access. It is also the default path for other config options which need to persist Nova internal data. It is very unlikely that you need to change this option from its default value. Possible values: The full path to a directory. Related options: `state_path`
`quota_networks = 3`	integer value	This option controls the number of private networks that can be created per project (or per tenant). Related options: enable_network_quota
`ram_allocation_ratio = 0.0`	floating point value	This option helps you specify virtual RAM to physical RAM allocation ratio. From Ocata (15.0.0) this is used to influence the hosts selected by the Placement API. Note that when Placement is used, the RamFilter is redundant, because the Placement API will have already filtered out hosts that would have failed the RamFilter. This configuration specifies ratio for RamFilter which can be set per compute node. For AggregateRamFilter, it will fall back to this configuration value if no per-aggregate setting found. Note This can be set per-compute, or if set to 0.0, the value set on the scheduler node(s) or compute node(s) will be used and defaulted to 1.5. Once set to a non-default value, it is not possible to "unset" the config to get back to the default behavior. If you want to reset back to the default, explicitly specify 1.5. Note As of the 16.0.0 Pike release, this configuration option is ignored for the ironic.IronicDriver compute driver and is hardcoded to 1.0. Possible values: Any valid positive integer or float value
`rate_limit_burst = 0`	integer value	Maximum number of logged messages per rate_limit_interval.
`rate_limit_except_level = CRITICAL`	string value	Log level name used by rate limiting: CRITICAL, ERROR, INFO, WARNING, DEBUG or empty string. Logs with level greater or equal to rate_limit_except_level are not filtered. An empty string means that all levels are filtered.
`rate_limit_interval = 0`	integer value	Interval, number of seconds, of log rate limiting.
`reboot_timeout = 0`	integer value	Time interval after which an instance is hard rebooted automatically. When doing a soft reboot, it is possible that a guest kernel is completely hung in a way that causes the soft reboot task to not ever finish. Setting this option to a time period in seconds will automatically hard reboot an instance if it has been stuck in a rebooting state longer than N seconds. Possible values: 0: Disables the option (default). Any positive integer in seconds: Enables the option.
`reclaim_instance_interval = 0`	integer value	Interval for reclaiming deleted instances. A value greater than 0 will enable SOFT_DELETE of instances. This option decides whether the server to be deleted will be put into the SOFT_DELETED state. If this value is greater than 0, the deleted server will not be deleted immediately, instead it will be put into a queue until it’s too old (deleted time greater than the value of reclaim_instance_interval). The server can be recovered from the delete queue by using the restore action. If the deleted server remains longer than the value of reclaim_instance_interval, it will be deleted by a periodic task in the compute service automatically. Note that this option is read from both the API and compute nodes, and must be set globally otherwise servers could be put into a soft deleted state in the API and never actually reclaimed (deleted) on the compute node. Possible values: Any positive integer(in seconds) greater than 0 will enable this option. Any value ⇐0 will disable the option.
`record = None`	string value	Filename that will be used for storing websocket frames received and sent by a proxy service (like VNC, spice, serial) running on this host. If this is not set, no recording will be done.
`remove_unused_base_images = True`	boolean value	Should unused base images be removed?
`remove_unused_original_minimum_age_seconds = 86400`	integer value	Unused unresized base images younger than this will not be removed.
`report_interval = 10`	integer value	Number of seconds indicating how frequently the state of services on a given hypervisor is reported. Nova needs to know this to determine the overall health of the deployment. Related Options: service_down_time report_interval should be less than service_down_time. If service_down_time is less than report_interval, services will routinely be considered down, because they report in too rarely.
`rescue_timeout = 0`	integer value	Interval to wait before un-rescuing an instance stuck in RESCUE. Possible values: 0: Disables the option (default) Any positive integer in seconds: Enables the option.
`reserved_host_cpus = 0`	integer value	Number of physical CPUs to reserve for the host. The host resources usage is reported back to the scheduler continuously from nova-compute running on the compute node. To prevent the host CPU from being considered as available, this option is used to reserve random pCPU(s) for the host. Possible values: Any positive integer representing number of physical CPUs to reserve for the host.
`reserved_host_disk_mb = 0`	integer value	Amount of disk resources in MB to make them always available to host. The disk usage gets reported back to the scheduler from nova-compute running on the compute nodes. To prevent the disk resources from being considered as available, this option can be used to reserve disk space for that host. Possible values: Any positive integer representing amount of disk in MB to reserve for the host.
`reserved_host_memory_mb = 512`	integer value	Amount of memory in MB to reserve for the host so that it is always available to host processes. The host resources usage is reported back to the scheduler continuously from nova-compute running on the compute node. To prevent the host memory from being considered as available, this option is used to reserve memory for the host. Possible values: Any positive integer representing amount of memory in MB to reserve for the host.
`reserved_huge_pages = None`	dict value	Number of huge/large memory pages to reserved per NUMA host cell. Possible values: A list of valid key=value which reflect NUMA node ID, page size (Default unit is KiB) and number of pages to be reserved. reserved_huge_pages = node:0,size:2048,count:64 reserved_huge_pages = node:1,size:1GB,count:1 In this example we are reserving on NUMA node 0 64 pages of 2MiB and on NUMA node 1 1 page of 1GiB.
`resize_confirm_window = 0`	integer value	Automatically confirm resizes after N seconds. Resize functionality will save the existing server before resizing. After the resize completes, user is requested to confirm the resize. The user has the opportunity to either confirm or revert all changes. Confirm resize removes the original server and changes server status from resized to active. Setting this option to a time period (in seconds) will automatically confirm the resize if the server is in resized state longer than that time. Possible values: 0: Disables the option (default) Any positive integer in seconds: Enables the option.
`resize_fs_using_block_device = False`	boolean value	Enable resizing of filesystems via a block device. If enabled, attempt to resize the filesystem by accessing the image over a block device. This is done by the host and may not be necessary if the image contains a recent version of cloud-init. Possible mechanisms require the nbd driver (for qcow and raw), or loop (for raw).
`resume_guests_state_on_host_boot = False`	boolean value	This option specifies whether to start guests that were running before the host rebooted. It ensures that all of the instances on a Nova compute node resume their state each time the compute node boots or restarts.
`rootwrap_config = /etc/nova/rootwrap.conf`	string value	Path to the rootwrap configuration file. Goal of the root wrapper is to allow a service-specific unprivileged user to run a number of actions as the root user in the safest manner possible. The configuration file used here must match the one defined in the sudoers entry.
`routing_source_ip = $my_ip`	string value	The public IP address of the network host. This is used when creating an SNAT rule. Possible values: Any valid IP address Related options: `force_snat_range`
`rpc_ack_timeout_base = 15`	integer value	Number of seconds to wait for an ack from a cast/call. After each retry attempt this timeout is multiplied by some specified multiplier.
`rpc_ack_timeout_multiplier = 2`	integer value	Number to multiply base ack timeout by after each retry attempt.
`rpc_backend = rabbit`	string value	The messaging driver to use, defaults to rabbit. Other drivers include amqp and zmq.
`rpc_conn_pool_size = 30`	integer value	Size of RPC connection pool.
`rpc_message_ttl = 300`	integer value	Expiration timeout in seconds of a sent/received message after which it is not tracked anymore by a client/server.
`rpc_poll_timeout = 1`	integer value	The default number of seconds that poll should wait. Poll raises timeout exception when timeout expired.
`rpc_response_timeout = 60`	integer value	Seconds to wait for a response from a call.
`rpc_retry_attempts = 3`	integer value	Default number of message sending attempts in case of any problems occurred: positive value N means at most N retries, 0 means no retries, None or -1 (or any other negative values) mean to retry forever. This option is used only if acknowledgments are enabled.
`rpc_thread_pool_size = 100`	integer value	Maximum number of (green) threads to work concurrently.
`rpc_use_acks = False`	boolean value	Wait for message acknowledgements from receivers. This mechanism works only via proxy without PUB/SUB.
`rpc_zmq_bind_address = *`	string value	ZeroMQ bind address. Should be a wildcard (*), an ethernet interface, or IP. The "host" option should point or resolve to this address.
`rpc_zmq_bind_port_retries = 100`	integer value	Number of retries to find free port number before fail with ZMQBindError.
`rpc_zmq_contexts = 1`	integer value	Number of ZeroMQ contexts, defaults to 1.
`rpc_zmq_host = ccsosp-undercloud.usersys.redhat.com`	string value	Name of this node. Must be a valid hostname, FQDN, or IP address. Must match "host" option, if running Nova.
`rpc_zmq_ipc_dir = /var/run/openstack`	string value	Directory for holding IPC sockets.
`rpc_zmq_matchmaker = redis`	string value	MatchMaker driver.
`rpc_zmq_max_port = 65536`	integer value	Maximal port number for random ports range.
`rpc_zmq_min_port = 49153`	port value	Minimal port number for random ports range.
`rpc_zmq_serialization = json`	string value	Default serialization mechanism for serializing/deserializing outgoing/incoming messages
`rpc_zmq_topic_backlog = None`	integer value	Maximum number of ingress messages to locally buffer per topic. Default is unlimited.
`run_external_periodic_tasks = True`	boolean value	Some periodic tasks can be run in a separate process. Should we run them here?
`running_deleted_instance_action = reap`	string value	The compute service periodically checks for instances that have been deleted in the database but remain running on the compute node. The above option enables action to be taken when such instances are identified. Possible values: reap: Powers down the instances and deletes them(default) log: Logs warning message about deletion of the resource shutdown: Powers down instances and marks them as non- bootable which can be later used for debugging/analysis noop: Takes no action Related options: running_deleted_instance_poll_interval running_deleted_instance_timeout
`running_deleted_instance_poll_interval = 1800`	integer value	Time interval in seconds to wait between runs for the clean up action. If set to 0, above check will be disabled. If "running_deleted_instance _action" is set to "log" or "reap", a value greater than 0 must be set. Possible values: Any positive integer in seconds enables the option. 0: Disables the option. 1800: Default value. Related options: running_deleted_instance_action
`running_deleted_instance_timeout = 0`	integer value	Time interval in seconds to wait for the instances that have been marked as deleted in database to be eligible for cleanup. Possible values: Any positive integer in seconds(default is 0). Related options: "running_deleted_instance_action"
`scheduler_instance_sync_interval = 120`	integer value	Interval between sending the scheduler a list of current instance UUIDs to verify that its view of instances is in sync with nova. If the CONF option scheduler_tracks_instance_changes is False, the sync calls will not be made. So, changing this option will have no effect. If the out of sync situations are not very common, this interval can be increased to lower the number of RPC messages being sent. Likewise, if sync issues turn out to be a problem, the interval can be lowered to check more frequently. Possible values: 0: Will run at the default periodic interval. Any value < 0: Disables the option. Any positive integer in seconds. Related options: This option has no impact if `scheduler_tracks_instance_changes` is set to False.
`send_arp_for_ha = False`	boolean value	When True, when a device starts up, and upon binding floating IP addresses, arp messages will be sent to ensure that the arp caches on the compute hosts are up-to-date. Related options: `send_arp_for_ha_count`
`send_arp_for_ha_count = 3`	integer value	When arp messages are configured to be sent, they will be sent with the count set to the value of this option. Of course, if this is set to zero, no arp messages will be sent. Possible values: Any integer greater than or equal to 0 Related options: `send_arp_for_ha`
`service_down_time = 60`	integer value	Maximum time in seconds since last check-in for up service Each compute node periodically updates their database status based on the specified report interval. If the compute node hasn’t updated the status for more than service_down_time, then the compute node is considered down. Related Options: report_interval (service_down_time should not be less than report_interval)
`servicegroup_driver = db`	string value	This option specifies the driver to be used for the servicegroup service. ServiceGroup API in nova enables checking status of a compute node. When a compute worker running the nova-compute daemon starts, it calls the join API to join the compute group. Services like nova scheduler can query the ServiceGroup API to check if a node is alive. Internally, the ServiceGroup client driver automatically updates the compute worker status. There are multiple backend implementations for this service: Database ServiceGroup driver and Memcache ServiceGroup driver. Possible Values: db : Database ServiceGroup driver mc : Memcache ServiceGroup driver Related Options: service_down_time (maximum time since last check-in for up service)
`share_dhcp_address = False`	boolean value	THIS VALUE SHOULD BE SET WHEN CREATING THE NETWORK. If True in multi_host mode, all compute hosts share the same dhcp address. The same IP address used for DHCP will be added on each nova-network node which is only visible to the VMs on the same host. The use of this configuration has been deprecated and may be removed in any release after Mitaka. It is recommended that instead of relying on this option, an explicit value should be passed to create_networks() as a keyword argument with the name share_address.
`shelved_offload_time = 0`	integer value	Time before a shelved instance is eligible for removal from a host. By default this option is set to 0 and the shelved instance will be removed from the hypervisor immediately after shelve operation. Otherwise, the instance will be kept for the value of shelved_offload_time(in seconds) so that during the time period the unshelve action will be faster, then the periodic task will remove the instance from hypervisor after shelved_offload_time passes. Possible values: 0: Instance will be immediately offloaded after being shelved. Any value < 0: An instance will never offload. Any positive integer in seconds: The instance will exist for the specified number of seconds before being offloaded.
`shelved_poll_interval = 3600`	integer value	Interval for polling shelved instances to offload. The periodic task runs for every shelved_poll_interval number of seconds and checks if there are any shelved instances. If it finds a shelved instance, based on the shelved_offload_time config value it offloads the shelved instances. Check shelved_offload_time config option description for details. Possible values: Any value ⇐ 0: Disables the option. Any positive integer in seconds. Related options: `shelved_offload_time`
`shutdown_timeout = 60`	integer value	Total time to wait in seconds for an instance toperform a clean shutdown. It determines the overall period (in seconds) a VM is allowed to perform a clean shutdown. While performing stop, rescue and shelve, rebuild operations, configuring this option gives the VM a chance to perform a controlled shutdown before the instance is powered off. The default timeout is 60 seconds. The timeout value can be overridden on a per image basis by means of os_shutdown_timeout that is an image metadata setting allowing different types of operating systems to specify how much time they need to shut down cleanly. Possible values: Any positive integer in seconds (default value is 60).
`source_is_ipv6 = False`	boolean value	Set to True if source host is addressed with IPv6.
`ssl_only = False`	boolean value	Disallow non-encrypted connections.
`state_path = $pybasedir`	string value	The top-level directory for maintaining Nova’s state. This directory is used to store Nova’s internal state. It is used by a variety of other config options which derive from this. In some scenarios (for example migrations) it makes sense to use a storage location which is shared between multiple compute hosts (for example via NFS). Unless the option `instances_path` gets overwritten, this directory can grow very large. Possible values: The full path to a directory. Defaults to value provided in `pybasedir`.
`subscribe_on = []`	list value	List of publisher hosts SubConsumer can subscribe on. This option has higher priority then the default publishers list taken from the matchmaker.
`sync_power_state_interval = 600`	integer value	Interval to sync power states between the database and the hypervisor. The interval that Nova checks the actual virtual machine power state and the power state that Nova has in its database. If a user powers down their VM, Nova updates the API to report the VM has been powered down. Should something turn on the VM unexpectedly, Nova will turn the VM back off to keep the system in the expected state. Possible values: 0: Will run at the default periodic interval. Any value < 0: Disables the option. Any positive integer in seconds. Related options: If `handle_virt_lifecycle_events` in workarounds_group is false and this option is negative, then instances that get out of sync between the hypervisor and the Nova database will have to be synchronized manually.
`sync_power_state_pool_size = 1000`	integer value	Number of greenthreads available for use to sync power states. This option can be used to reduce the number of concurrent requests made to the hypervisor or system with real instance power states for performance reasons, for example, with Ironic. Possible values: Any positive integer representing greenthreads count.
`syslog-log-facility = LOG_USER`	string value	Syslog facility to receive log lines. This option is ignored if log_config_append is set.
`teardown_unused_network_gateway = False`	boolean value	Determines whether unused gateway devices, both VLAN and bridge, are deleted if the network is in nova-network VLAN mode and is multi-hosted. Related options: `use_neutron` `vpn_ip` `fake_network`
`tempdir = None`	string value	Explicitly specify the temporary working directory.
`timeout_nbd = 10`	integer value	Amount of time, in seconds, to wait for NBD device start up.
`transport_url = None`	string value	The network address and optional user credentials for connecting to the messaging backend, in URL format. The expected format is: driver://[user:pass@]host:port[,[userN:passN@]hostN:portN]/virtual_host?query Example: rabbit://rabbitmq:password@127.0.0.1:5672// For full details on the fields in the URL see the documentation of oslo_messaging.TransportURL at https://docs.openstack.org/oslo.messaging/latest/reference/transport.html
`update_dns_entries = False`	boolean value	When this option is True, whenever a DNS entry must be updated, a fanout cast message is sent to all network hosts to update their DNS entries in multi-host mode. Related options: `use_neutron`
`update_resources_interval = 0`	integer value	Interval for updating compute resources. This option specifies how often the update_available_resources periodic task should run. A number less than 0 means to disable the task completely. Leaving this at the default of 0 will cause this to run at the default periodic interval. Setting it to any positive value will cause it to run at approximately that number of seconds. Possible values: 0: Will run at the default periodic interval. Any value < 0: Disables the option. Any positive integer in seconds.
`use-journal = False`	boolean value	Enable journald for logging. If running in a systemd environment you may wish to enable journal support. Doing so will use the journal native protocol which includes structured metadata in addition to log messages.This option is ignored if log_config_append is set.
`use-json = False`	boolean value	Use JSON formatting for logging. This option is ignored if log_config_append is set.
`use-syslog = False`	boolean value	Use syslog for logging. Existing syslog format is DEPRECATED and will be changed later to honor RFC5424. This option is ignored if log_config_append is set.
`use_cow_images = True`	boolean value	Enable use of copy-on-write (cow) images. QEMU/KVM allow the use of qcow2 as backing files. By disabling this, backing files will not be used.
`use_dynamic_connections = False`	boolean value	This option makes direct connections dynamic or static. It makes sense only with use_router_proxy=False which means to use direct connections for direct message types (ignored otherwise).
`use_ipv6 = False`	boolean value	Assign IPv6 and IPv4 addresses when creating instances. Related options: use_neutron: this only works with nova-network.
`use_network_dns_servers = False`	boolean value	When this option is set to True, the dns1 and dns2 servers for the network specified by the user on boot will be used for DNS, as well as any specified in the `dns_server` option. Related options: `dns_server`
`use_neutron = True`	boolean value	Enable neutron as the backend for networking. Determine whether to use Neutron or Nova Network as the back end. Set to true to use neutron.
`use_pub_sub = False`	boolean value	Use PUB/SUB pattern for fanout methods. PUB/SUB always uses proxy.
`use_rootwrap_daemon = False`	boolean value	Start and use a daemon that can run the commands that need to be run with root privileges. This option is usually enabled on nodes that run nova compute processes.
`use_router_proxy = False`	boolean value	Use ROUTER remote proxy.
`use_single_default_gateway = False`	boolean value	When set to True, only the firt nic of a VM will get its default gateway from the DHCP server.
`use_stderr = False`	boolean value	Log output to standard error. This option is ignored if log_config_append is set.
`vcpu_pin_set = None`	string value	Defines which physical CPUs (pCPUs) can be used by instance virtual CPUs (vCPUs). Possible values: A comma-separated list of physical CPU numbers that virtual CPUs can be allocated to by default. Each element should be either a single CPU number, a range of CPU numbers, or a caret followed by a CPU number to be excluded from a previous range. For example: vcpu_pin_set = "4-12,^8,15"
`vif_plugging_is_fatal = True`	boolean value	Determine if instance should boot or fail on VIF plugging timeout. Nova sends a port update to Neutron after an instance has been scheduled, providing Neutron with the necessary information to finish setup of the port. Once completed, Neutron notifies Nova that it has finished setting up the port, at which point Nova resumes the boot of the instance since network connectivity is now supposed to be present. A timeout will occur if the reply is not received after a given interval. This option determines what Nova does when the VIF plugging timeout event happens. When enabled, the instance will error out. When disabled, the instance will continue to boot on the assumption that the port is ready. Possible values: True: Instances should fail after VIF plugging timeout False: Instances should continue booting after VIF plugging timeout
`vif_plugging_timeout = 300`	integer value	Timeout for Neutron VIF plugging event message arrival. Number of seconds to wait for Neutron vif plugging events to arrive before continuing or failing (see vif_plugging_is_fatal). Related options: vif_plugging_is_fatal - If `vif_plugging_timeout` is set to zero and `vif_plugging_is_fatal` is False, events should not be expected to arrive at all.
`virt_mkfs = []`	multi valued	Name of the mkfs commands for ephemeral device. The format is <os_type>=<mkfs command>
`vlan_interface = None`	string value	This option is the name of the virtual interface of the VM on which the VLAN bridge will be built. While it was originally designed to be used only by nova-network, it is also used by libvirt and xenapi for the bridge interface name. Please note that this setting will be ignored in nova-network if the configuration option for `network_manager` is not set to the default of nova.network.manager.VlanManager. Possible values: Any valid virtual interface name, such as eth0
`vlan_start = 100`	integer value	This is the VLAN number used for private networks. Note that the when creating the networks, if the specified number has already been assigned, nova-network will increment this number until it finds an available VLAN. Please note that this option is only used when using nova-network instead of Neutron in your deployment. It also will be ignored if the configuration option for `network_manager` is not set to the default of nova.network.manager.VlanManager. Possible values: Any integer between 1 and 4094. Values outside of that range will raise a ValueError exception. Related options: `network_manager` `use_neutron`
`volume_usage_poll_interval = 0`	integer value	Interval for gathering volume usages. This option updates the volume usage cache for every volume_usage_poll_interval number of seconds. Possible values: Any positive integer(in seconds) greater than 0 will enable this option. Any value ⇐0 will disable the option.
`vpn_ip = $my_ip`	string value	This option is no longer used since the /os-cloudpipe API was removed in the 16.0.0 Pike release. This is the public IP address for the cloudpipe VPN servers. It defaults to the IP address of the host. Please note that this option is only used when using nova-network instead of Neutron in your deployment. It also will be ignored if the configuration option for `network_manager` is not set to the default of nova.network.manager.VlanManager. Possible values: Any valid IP address. The default is `$my_ip`, the IP address of the VM. Related options: `network_manager` `use_neutron` `vpn_start`
`vpn_start = 1000`	port value	This is the port number to use as the first VPN port for private networks. Please note that this option is only used when using nova-network instead of Neutron in your deployment. It also will be ignored if the configuration option for `network_manager` is not set to the default of nova.network.manager.VlanManager, or if you specify a value the vpn_start parameter when creating a network. Possible values: Any integer representing a valid port number. The default is 1000. Related options: `use_neutron` `vpn_ip` `network_manager`
`watch-log-file = False`	boolean value	Uses logging handler designed to watch file system. When log file is moved or removed this handler will open a new log file with specified path instantaneously. It makes sense only if log_file option is specified and Linux platform is used. This option is ignored if log_config_append is set.
`web = /usr/share/spice-html5`	string value	Path to directory with content which will be served by a web server.
`zmq_failover_connections = 2`	integer value	How many additional connections to a host will be made for failover reasons. This option is actual only in dynamic connections mode.
`zmq_immediate = True`	boolean value	This option configures round-robin mode in zmq socket. True means not keeping a queue when server side disconnects. False means to keep queue and messages even if server is disconnected, when the server appears we send all accumulated messages to it.
`zmq_linger = -1`	integer value	Number of seconds to wait before all pending messages will be sent after closing a socket. The default value of -1 specifies an infinite linger period. The value of 0 specifies no linger period. Pending messages shall be discarded immediately when the socket is closed. Positive values specify an upper bound for the linger period.
`zmq_target_expire = 300`	integer value	Expiration timeout in seconds of a name service record about existing target ( < 0 means no timeout).
`zmq_target_update = 180`	integer value	Update period in seconds of a name service record about existing target.
`zmq_tcp_keepalive = -1`	integer value	Enable/disable TCP keepalive (KA) mechanism. The default value of -1 (or any other negative value) means to skip any overrides and leave it to OS default; 0 and 1 (or any other positive value) mean to disable and enable the option respectively.
`zmq_tcp_keepalive_cnt = -1`	integer value	The number of retransmissions to be carried out before declaring that remote end is not available. The default value of -1 (or any other negative value and 0) means to skip any overrides and leave it to OS default.
`zmq_tcp_keepalive_idle = -1`	integer value	The duration between two keepalive transmissions in idle condition. The unit is platform dependent, for example, seconds in Linux, milliseconds in Windows etc. The default value of -1 (or any other negative value and 0) means to skip any overrides and leave it to OS default.
`zmq_tcp_keepalive_intvl = -1`	integer value	The duration between two successive keepalive retransmissions, if acknowledgement to the previous keepalive transmission is not received. The unit is platform dependent, for example, seconds in Linux, milliseconds in Windows etc. The default value of -1 (or any other negative value and 0) means to skip any overrides and leave it to OS default.

11.1.2. api

The following table outlines the options available under the [api] group in the /etc/nova/nova.conf file.

Table 11.2. api
Configuration option = Default value	Type	Description
`allow_instance_snapshots = True`	boolean value	Operators can turn off the ability for a user to take snapshots of their instances by setting this option to False. When disabled, any attempt to take a snapshot will result in a HTTP 400 response ("Bad Request").
`auth_strategy = keystone`	string value	This determines the strategy to use for authentication: keystone or noauth2. noauth2 is designed for testing only, as it does no actual credential checking. noauth2 provides administrative credentials only if admin is specified as the username.
`compute_link_prefix = None`	string value	This string is prepended to the normal URL that is returned in links to the OpenStack Compute API. If it is empty (the default), the URLs are returned unchanged. Possible values: Any string, including an empty string (the default).
`config_drive_skip_versions = 1.0 2007-01-19 2007-03-01 2007-08-29 2007-10-10 2007-12-15 2008-02-01 2008-09-01`	string value	When gathering the existing metadata for a config drive, the EC2-style metadata is returned for all versions that don’t appear in this option. As of the Liberty release, the available versions are: 1.0 2007-01-19 2007-03-01 2007-08-29 2007-10-10 2007-12-15 2008-02-01 2008-09-01 2009-04-04 The option is in the format of a single string, with each version separated by a space. Possible values: Any string that represents zero or more versions, separated by spaces.
`enable_instance_password = True`	boolean value	Enables returning of the instance password by the relevant server API calls such as create, rebuild, evacuate, or rescue. If the hypervisor does not support password injection, then the password returned will not be correct, so if your hypervisor does not support password injection, set this to False.
`fping_path = /usr/sbin/fping`	string value	The full path to the fping binary.
`glance_link_prefix = None`	string value	This string is prepended to the normal URL that is returned in links to Glance resources. If it is empty (the default), the URLs are returned unchanged. Possible values: Any string, including an empty string (the default).
`hide_server_address_states = [u'building']`	list value	This option is a list of all instance states for which network address information should not be returned from the API. Possible values: A list of strings, where each string is a valid VM state, as defined in nova/compute/vm_states.py. As of the Newton release, they are: "active" "building" "paused" "suspended" "stopped" "rescued" "resized" "soft-delete" "deleted" "error" "shelved" "shelved_offloaded"
`max_limit = 1000`	integer value	As a query can potentially return many thousands of items, you can limit the maximum number of items in a single response by setting this option.
`metadata_cache_expiration = 15`	integer value	This option is the time (in seconds) to cache metadata. When set to 0, metadata caching is disabled entirely; this is generally not recommended for performance reasons. Increasing this setting should improve response times of the metadata API when under heavy load. Higher values may increase memory usage, and result in longer times for host metadata changes to take effect.
`neutron_default_tenant_id = default`	string value	Tenant ID for getting the default network from Neutron API (also referred in some places as the project ID) to use. Related options: use_neutron_default_nets
`use_forwarded_for = False`	boolean value	When True, the X-Forwarded-For header is treated as the canonical remote address. When False (the default), the remote_address header is used. You should only enable this if you have an HTML sanitizing proxy.
`use_neutron_default_nets = False`	boolean value	When True, the TenantNetworkController will query the Neutron API to get the default networks to use. Related options: neutron_default_tenant_id
`vendordata_dynamic_connect_timeout = 5`	integer value	Maximum wait time for an external REST service to connect. Possible values: Any integer with a value greater than three (the TCP packet retransmission timeout). Note that instance start may be blocked during this wait time, so this value should be kept small. Related options: vendordata_providers vendordata_dynamic_targets vendordata_dynamic_ssl_certfile vendordata_dynamic_read_timeout vendordata_dynamic_failure_fatal
`vendordata_dynamic_failure_fatal = False`	boolean value	Should failures to fetch dynamic vendordata be fatal to instance boot? Related options: vendordata_providers vendordata_dynamic_targets vendordata_dynamic_ssl_certfile vendordata_dynamic_connect_timeout vendordata_dynamic_read_timeout
`vendordata_dynamic_read_timeout = 5`	integer value	Maximum wait time for an external REST service to return data once connected. Possible values: Any integer. Note that instance start is blocked during this wait time, so this value should be kept small. Related options: vendordata_providers vendordata_dynamic_targets vendordata_dynamic_ssl_certfile vendordata_dynamic_connect_timeout vendordata_dynamic_failure_fatal
`vendordata_dynamic_ssl_certfile = `	string value	Path to an optional certificate file or CA bundle to verify dynamic vendordata REST services ssl certificates against. Possible values: An empty string, or a path to a valid certificate file Related options: vendordata_providers vendordata_dynamic_targets vendordata_dynamic_connect_timeout vendordata_dynamic_read_timeout vendordata_dynamic_failure_fatal
`vendordata_dynamic_targets = []`	list value	A list of targets for the dynamic vendordata provider. These targets are of the form <name>@<url>. The dynamic vendordata provider collects metadata by contacting external REST services and querying them for information about the instance. This behaviour is documented in the vendordata.rst file in the nova developer reference.
`vendordata_jsonfile_path = None`	string value	Cloud providers may store custom data in vendor data file that will then be available to the instances via the metadata service, and to the rendering of config-drive. The default class for this, JsonFileVendorData, loads this information from a JSON file, whose path is configured by this option. If there is no path set by this option, the class returns an empty dictionary. Possible values: Any string representing the path to the data file, or an empty string (default).
`vendordata_providers = [u'StaticJSON']`	list value	A list of vendordata providers. vendordata providers are how deployers can provide metadata via configdrive and metadata that is specific to their deployment. There are currently two supported providers: StaticJSON and DynamicJSON. StaticJSON reads a JSON file configured by the flag vendordata_jsonfile_path and places the JSON from that file into vendor_data.json and vendor_data2.json. DynamicJSON is configured via the vendordata_dynamic_targets flag, which is documented separately. For each of the endpoints specified in that flag, a section is added to the vendor_data2.json. For more information on the requirements for implementing a vendordata dynamic endpoint, please see the vendordata.rst file in the nova developer reference. Possible values: A list of vendordata providers, with StaticJSON and DynamicJSON being current options. Related options: vendordata_dynamic_targets vendordata_dynamic_ssl_certfile vendordata_dynamic_connect_timeout vendordata_dynamic_read_timeout vendordata_dynamic_failure_fatal

11.1.3. api_database

The following table outlines the options available under the [api_database] group in the /etc/nova/nova.conf file.

Table 11.3. api_database
Configuration option = Default value	Type	Description
`connection = None`	string value	The SQLAlchemy connection string to use to connect to the database.
`connection_debug = 0`	integer value	Verbosity of SQL debugging information: 0=None, 100=Everything.
`connection_recycle_time = 3600`	integer value	Connections which have been present in the connection pool longer than this number of seconds will be replaced with a new one the next time they are checked out from the pool.
`connection_trace = False`	boolean value	Add Python stack traces to SQL as comment strings.
`max_overflow = None`	integer value	If set, use this value for max_overflow with SQLAlchemy.
`max_pool_size = None`	integer value	Maximum number of SQL connections to keep open in a pool. Setting a value of 0 indicates no limit.
`max_retries = 10`	integer value	Maximum number of database connection retries during startup. Set to -1 to specify an infinite retry count.
`mysql_sql_mode = TRADITIONAL`	string value	The SQL mode to be used for MySQL sessions. This option, including the default, overrides any server-set SQL mode. To use whatever SQL mode is set by the server configuration, set this to no value. Example: mysql_sql_mode=
`pool_timeout = None`	integer value	If set, use this value for pool_timeout with SQLAlchemy.
`retry_interval = 10`	integer value	Interval between retries of opening a SQL connection.
`slave_connection = None`	string value	The SQLAlchemy connection string to use to connect to the slave database.
`sqlite_synchronous = True`	boolean value	If True, SQLite uses synchronous mode.

11.1.4. barbican

The following table outlines the options available under the [barbican] group in the /etc/nova/nova.conf file.

Table 11.4. barbican
Configuration option = Default value	Type	Description
`auth_endpoint = http://localhost/identity/v3`	string value	Use this endpoint to connect to Keystone
`barbican_api_version = None`	string value	Version of the Barbican API, for example: "v1"
`barbican_endpoint = None`	string value	Use this endpoint to connect to Barbican, for example: "http://localhost:9311/"
`number_of_retries = 60`	integer value	Number of times to retry poll for key creation completion
`retry_delay = 1`	integer value	Number of seconds to wait before retrying poll for key creation completion
`verify_ssl = True`	boolean value	Specifies if insecure TLS (https) requests. If False, the server’s certificate will not be validated

11.1.5. cache

The following table outlines the options available under the [cache] group in the /etc/nova/nova.conf file.

Table 11.5. cache
Configuration option = Default value	Type	Description
`backend = dogpile.cache.null`	string value	Cache backend module. For eventlet-based or environments with hundreds of threaded servers, Memcache with pooling (oslo_cache.memcache_pool) is recommended. For environments with less than 100 threaded servers, Memcached (dogpile.cache.memcached) or Redis (dogpile.cache.redis) is recommended. Test environments with a single instance of the server can use the dogpile.cache.memory backend.
`backend_argument = []`	multi valued	Arguments supplied to the backend module. Specify this option once per argument to be passed to the dogpile.cache backend. Example format: "<argname>:<value>".
`config_prefix = cache.oslo`	string value	Prefix for building the configuration dictionary for the cache region. This should not need to be changed unless there is another dogpile.cache region with the same configuration name.
`debug_cache_backend = False`	boolean value	Extra debugging from the cache backend (cache keys, get/set/delete/etc calls). This is only really useful if you need to see the specific cache-backend get/set/delete calls with the keys/values. Typically this should be left set to false.
`enabled = False`	boolean value	Global toggle for caching.
`expiration_time = 600`	integer value	Default TTL, in seconds, for any cached item in the dogpile.cache region. This applies to any cached method that doesn’t have an explicit cache expiration time defined for it.
`memcache_dead_retry = 300`	integer value	Number of seconds memcached server is considered dead before it is tried again. (dogpile.cache.memcache and oslo_cache.memcache_pool backends only).
`memcache_pool_connection_get_timeout = 10`	integer value	Number of seconds that an operation will wait to get a memcache client connection.
`memcache_pool_maxsize = 10`	integer value	Max total number of open connections to every memcached server. (oslo_cache.memcache_pool backend only).
`memcache_pool_unused_timeout = 60`	integer value	Number of seconds a connection to memcached is held unused in the pool before it is closed. (oslo_cache.memcache_pool backend only).
`memcache_servers = [u'localhost:11211']`	list value	Memcache servers in the format of "host:port". (dogpile.cache.memcache and oslo_cache.memcache_pool backends only).
`memcache_socket_timeout = 3`	integer value	Timeout in seconds for every call to a server. (dogpile.cache.memcache and oslo_cache.memcache_pool backends only).
`proxies = []`	list value	Proxy classes to import that will affect the way the dogpile.cache backend functions. See the dogpile.cache documentation on changing-backend-behavior.

11.1.6. cells

The following table outlines the options available under the [cells] group in the /etc/nova/nova.conf file.

Table 11.6. cells
Configuration option = Default value	Type	Description
`bandwidth_update_interval = 600`	integer value	Bandwidth update interval. Seconds between bandwidth usage cache updates for cells. Possible values: An integer, corresponding to the interval time in seconds.
`call_timeout = 60`	integer value	Call timeout. Cell messaging module waits for response(s) to be put into the eventlet queue. This option defines the seconds waited for response from a call to a cell. Possible values: An integer, corresponding to the interval time in seconds.
`capabilities = [u'hypervisor=xenserver;kvm', u'os=linux;windows']`	list value	Cell capabilities. List of arbitrary key=value pairs defining capabilities of the current cell to be sent to the parent cells. These capabilities are intended to be used in cells scheduler filters/weighers. Possible values: key=value pairs list for example; `hypervisor=xenserver;kvm,os=linux;windows`
`cell_type = compute`	string value	Type of cell. When cells feature is enabled the hosts in the OpenStack Compute cloud are partitioned into groups. Cells are configured as a tree. The top-level cell’s cell_type must be set to `api`. All other cells are defined as a `compute cell` by default. Related option: quota_driver: Disable quota checking for the child cells. (nova.quota.NoopQuotaDriver)
`cells_config = None`	string value	Optional cells configuration. Configuration file from which to read cells configuration. If given, overrides reading cells from the database. Cells store all inter-cell communication data, including user names and passwords, in the database. Because the cells data is not updated very frequently, use this option to specify a JSON file to store cells data. With this configuration, the database is no longer consulted when reloading the cells data. The file must have columns present in the Cell model (excluding common database fields and the id column). You must specify the queue connection information through a transport_url field, instead of username, password, and so on. The transport_url has the following form: rabbit://USERNAME:PASSWORD@HOSTNAME:PORT/VIRTUAL_HOST Possible values: The scheme can be either qpid or rabbit, the following sample shows this optional configuration: { "parent": { "name": "parent", "api_url": "http://api.example.com:8774", "transport_url": "rabbit://rabbit.example.com", "weight_offset": 0.0, "weight_scale": 1.0, "is_parent": true }, "cell1": { "name": "cell1", "api_url": "http://api.example.com:8774", "transport_url": "rabbit://rabbit1.example.com", "weight_offset": 0.0, "weight_scale": 1.0, "is_parent": false }, "cell2": { "name": "cell2", "api_url": "http://api.example.com:8774", "transport_url": "rabbit://rabbit2.example.com", "weight_offset": 0.0, "weight_scale": 1.0, "is_parent": false } }
`db_check_interval = 60`	integer value	DB check interval. Cell state manager updates cell status for all cells from the DB only after this particular interval time is passed. Otherwise cached status are used. If this value is 0 or negative all cell status are updated from the DB whenever a state is needed. Possible values: Interval time, in seconds.
`enable = False`	boolean value	Enable cell v1 functionality. Note that cells v1 is considered experimental and not recommended for new Nova deployments. Cells v1 is being replaced by cells v2 which starting in the 15.0.0 Ocata release, all Nova deployments are at least a cells v2 cell of one. Setting this option, or any other options in the [cells] group, is not required for cells v2. When this functionality is enabled, it lets you to scale an OpenStack Compute cloud in a more distributed fashion without having to use complicated technologies like database and message queue clustering. Cells are configured as a tree. The top-level cell should have a host that runs a nova-api service, but no nova-compute services. Each child cell should run all of the typical nova-* services in a regular Compute cloud except for nova-api. You can think of cells as a normal Compute deployment in that each cell has its own database server and message queue broker. Related options: name: A unique cell name must be given when this functionality is enabled. cell_type: Cell type should be defined for all cells.
`instance_update_num_instances = 1`	integer value	Instance update num instances On every run of the periodic task, nova cells manager will attempt to sync instance_updated_at_threshold number of instances. When the manager gets the list of instances, it shuffles them so that multiple nova-cells services do not attempt to sync the same instances in lockstep. Possible values: Positive integer number Related options: This value is used with the `instance_updated_at_threshold` value in a periodic task run.
`instance_update_sync_database_limit = 100`	integer value	Instance update sync database limit. Number of instances to pull from the database at one time for a sync. If there are more instances to update the results will be paged through. Possible values: An integer, corresponding to a number of instances.
`instance_updated_at_threshold = 3600`	integer value	Instance updated at threshold Number of seconds after an instance was updated or deleted to continue to update cells. This option lets cells manager to only attempt to sync instances that have been updated recently. i.e., a threshold of 3600 means to only update instances that have modified in the last hour. Possible values: Threshold in seconds Related options: This value is used with the `instance_update_num_instances` value in a periodic task run.
`max_hop_count = 10`	integer value	Maximum hop count When processing a targeted message, if the local cell is not the target, a route is defined between neighbouring cells. And the message is processed across the whole routing path. This option defines the maximum hop counts until reaching the target. Possible values: Positive integer value
`mute_child_interval = 300`	integer value	Mute child interval. Number of seconds after which a lack of capability and capacity update the child cell is to be treated as a mute cell. Then the child cell will be weighed as recommend highly that it be skipped. Possible values: An integer, corresponding to the interval time in seconds.
`mute_weight_multiplier = -10000.0`	floating point value	Mute weight multiplier. Multiplier used to weigh mute children. Mute children cells are recommended to be skipped so their weight is multiplied by this negative value. Possible values: Negative numeric number
`name = nova`	string value	Name of the current cell. This value must be unique for each cell. Name of a cell is used as its id, leaving this option unset or setting the same name for two or more cells may cause unexpected behaviour. Related options: enabled: This option is meaningful only when cells service is enabled
`offset_weight_multiplier = 1.0`	floating point value	Offset weight multiplier Multiplier used to weigh offset weigher. Cells with higher weight_offsets in the DB will be preferred. The weight_offset is a property of a cell stored in the database. It can be used by a deployer to have scheduling decisions favor or disfavor cells based on the setting. Possible values: Numeric multiplier
`ram_weight_multiplier = 10.0`	floating point value	Ram weight multiplier. Multiplier used for weighing ram. Negative numbers indicate that Compute should stack VMs on one host instead of spreading out new VMs to more hosts in the cell. Possible values: Numeric multiplier
`reserve_percent = 10.0`	floating point value	Reserve percentage Percentage of cell capacity to hold in reserve, so the minimum amount of free resource is considered to be; min_free = total * (reserve_percent / 100.0) This option affects both memory and disk utilization. The primary purpose of this reserve is to ensure some space is available for users who want to resize their instance to be larger. Note that currently once the capacity expands into this reserve space this option is ignored. Possible values: An integer or float, corresponding to the percentage of cell capacity to be held in reserve.
`rpc_driver_queue_base = cells.intercell`	string value	RPC driver queue base. When sending a message to another cell by JSON-ifying the message and making an RPC cast to process_message, a base queue is used. This option defines the base queue name to be used when communicating between cells. Various topics by message type will be appended to this. Possible values: The base queue name to be used when communicating between cells.
`scheduler = nova.cells.scheduler.CellsScheduler`	string value	Cells scheduler. The class of the driver used by the cells scheduler. This should be the full Python path to the class to be used. If nothing is specified in this option, the CellsScheduler is used.
`scheduler_filter_classes = [u'nova.cells.filters.all_filters']`	list value	Scheduler filter classes. Filter classes the cells scheduler should use. An entry of "nova.cells.filters.all_filters" maps to all cells filters included with nova. As of the Mitaka release the following filter classes are available: Different cell filter: A scheduler hint of different_cell with a value of a full cell name may be specified to route a build away from a particular cell. Image properties filter: Image metadata named hypervisor_version_requires with a version specification may be specified to ensure the build goes to a cell which has hypervisors of the required version. If either the version requirement on the image or the hypervisor capability of the cell is not present, this filter returns without filtering out the cells. Target cell filter: A scheduler hint of target_cell with a value of a full cell name may be specified to route a build to a particular cell. No error handling is done as there’s no way to know whether the full path is a valid. As an admin user, you can also add a filter that directs builds to a particular cell.
`scheduler_retries = 10`	integer value	Scheduler retries. How many retries when no cells are available. Specifies how many times the scheduler tries to launch a new instance when no cells are available. Possible values: Positive integer value Related options: This value is used with the `scheduler_retry_delay` value while retrying to find a suitable cell.
`scheduler_retry_delay = 2`	integer value	Scheduler retry delay. Specifies the delay (in seconds) between scheduling retries when no cell can be found to place the new instance on. When the instance could not be scheduled to a cell after `scheduler_retries` in combination with `scheduler_retry_delay`, then the scheduling of the instance failed. Possible values: Time in seconds. Related options: This value is used with the `scheduler_retries` value while retrying to find a suitable cell.
`scheduler_weight_classes = [u'nova.cells.weights.all_weighers']`	list value	Scheduler weight classes. Weigher classes the cells scheduler should use. An entry of "nova.cells.weights.all_weighers" maps to all cell weighers included with nova. As of the Mitaka release the following weight classes are available: mute_child: Downgrades the likelihood of child cells being chosen for scheduling requests, which haven’t sent capacity or capability updates in a while. Options include mute_weight_multiplier (multiplier for mute children; value should be negative). ram_by_instance_type: Select cells with the most RAM capacity for the instance type being requested. Because higher weights win, Compute returns the number of available units for the instance type requested. The ram_weight_multiplier option defaults to 10.0 that adds to the weight by a factor of 10. Use a negative number to stack VMs on one host instead of spreading out new VMs to more hosts in the cell. weight_offset: Allows modifying the database to weight a particular cell. The highest weight will be the first cell to be scheduled for launching an instance. When the weight_offset of a cell is set to 0, it is unlikely to be picked but it could be picked if other cells have a lower weight, like if they’re full. And when the weight_offset is set to a very high value (for example, 999999999999999), it is likely to be picked if another cell do not have a higher weight.

11.1.7. cinder

The following table outlines the options available under the [cinder] group in the /etc/nova/nova.conf file.

Table 11.7. cinder
Configuration option = Default value	Type	Description
`auth-url = None`	string value	Authentication URL
`auth_section = None`	string value	Config Section from which to load plugin specific options
`auth_type = None`	string value	Authentication type to load
`cafile = None`	string value	PEM encoded Certificate Authority to use when verifying HTTPs connections.
`catalog_info = volumev3:cinderv3:publicURL`	string value	Info to match when looking for cinder in the service catalog. Possible values: Format is separated values of the form: <service_type>:<service_name>:<endpoint_type> Note: Nova does not support the Cinder v2 API since the Nova 17.0.0 Queens release. Related options: endpoint_template - Setting this option will override catalog_info
`certfile = None`	string value	PEM encoded client certificate cert file
`cross_az_attach = True`	boolean value	Allow attach between instance and volume in different availability zones. If False, volumes attached to an instance must be in the same availability zone in Cinder as the instance availability zone in Nova. This also means care should be taken when booting an instance from a volume where source is not "volume" because Nova will attempt to create a volume using the same availability zone as what is assigned to the instance. If that AZ is not in Cinder (or allow_availability_zone_fallback=False in cinder.conf), the volume create request will fail and the instance will fail the build request. By default there is no availability zone restriction on volume attach.
`default-domain-id = None`	string value	Optional domain ID to use with v3 and v2 parameters. It will be used for both the user and project domain in v3 and ignored in v2 authentication.
`default-domain-name = None`	string value	Optional domain name to use with v3 API and v2 parameters. It will be used for both the user and project domain in v3 and ignored in v2 authentication.
`domain-id = None`	string value	Domain ID to scope to
`domain-name = None`	string value	Domain name to scope to
`endpoint_template = None`	string value	If this option is set then it will override service catalog lookup with this template for cinder endpoint Possible values: URL for cinder endpoint API e.g. http://localhost:8776/v3/%(project_id)s Note: Nova does not support the Cinder v2 API since the Nova 17.0.0 Queens release. Related options: catalog_info - If endpoint_template is not set, catalog_info will be used.
`http_retries = 3`	integer value	Number of times cinderclient should retry on any failed http call. 0 means connection is attempted only once. Setting it to any positive integer means that on failure connection is retried that many times e.g. setting it to 3 means total attempts to connect will be 4. Possible values: Any integer value. 0 means connection is attempted only once
`insecure = False`	boolean value	Verify HTTPS connections.
`keyfile = None`	string value	PEM encoded client certificate key file
`os_region_name = None`	string value	Region name of this node. This is used when picking the URL in the service catalog. Possible values: Any string representing region name
`password = None`	string value	User’s password
`project-domain-id = None`	string value	Domain ID containing project
`project-domain-name = None`	string value	Domain name containing project
`project-id = None`	string value	Project ID to scope to
`project-name = None`	string value	Project name to scope to
`system-scope = None`	string value	Scope for system operations
`tenant-id = None`	string value	Tenant ID
`tenant-name = None`	string value	Tenant Name
`timeout = None`	integer value	Timeout value for http requests
`trust-id = None`	string value	Trust ID
`user-domain-id = None`	string value	User’s domain id
`user-domain-name = None`	string value	User’s domain name
`user-id = None`	string value	User ID
`username = None`	string value	Username

11.1.8. compute

The following table outlines the options available under the [compute] group in the /etc/nova/nova.conf file.

Table 11.8. compute
Configuration option = Default value	Type	Description
`consecutive_build_service_disable_threshold = 10`	integer value	Enables reporting of build failures to the scheduler. Any nonzero value will enable sending build failure statistics to the scheduler for use by the BuildFailureWeigher. Possible values: Any positive integer enables reporting build failures. Zero to disable reporting build failures. Related options: [filter_scheduler]/build_failure_weight_multiplier
`cpu_shared_set = None`	string value	Defines which physical CPUs (pCPUs) will be used for best-effort guest vCPU resources. Currently only used by libvirt driver to place guest emulator threads when hw:emulator_threads_policy:share. cpu_shared_set = "4-12,^8,15"
`live_migration_wait_for_vif_plug = False`	boolean value	Determine if the source compute host should wait for a `network-vif-plugged` event from the (neutron) networking service before starting the actual transfer of the guest to the destination compute host. If you set this option the same on all of your compute hosts, which you should do if you use the same networking backend universally, you do not have to worry about this. Before starting the transfer of the guest, some setup occurs on the destination compute host, including plugging virtual interfaces. Depending on the networking backend on the destination host, a `network-vif-plugged` event may be triggered and then received on the source compute host and the source compute can wait for that event to ensure networking is set up on the destination host before starting the guest transfer in the hypervisor. By default, this is False for two reasons: Backward compatibility: deployments should test this out and ensure it works for them before enabling it. The compute service cannot reliably determine which types of virtual interfaces (`port.binding:vif_type`) will send `network-vif-plugged` events without an accompanying port `binding:host_id` change. Open vSwitch and linuxbridge should be OK, but OpenDaylight is at least one known backend that will not currently work in this case, see bug https://launchpad.net/bugs/1755890 for more details. Possible values: True: wait for `network-vif-plugged` events before starting guest transfer False: do not wait for `network-vif-plugged` events before starting guest transfer (this is how things have always worked before this option was introduced) Related options: [DEFAULT]/vif_plugging_is_fatal: if `live_migration_wait_for_vif_plug` is True and `vif_plugging_timeout` is greater than 0, and a timeout is reached, the live migration process will fail with an error but the guest transfer will not have started to the destination host [DEFAULT]/vif_plugging_timeout: if `live_migration_wait_for_vif_plug` is True, this controls the amount of time to wait before timing out and either failing if `vif_plugging_is_fatal` is True, or simply continuing with the live migration
`resource_provider_association_refresh = 300`	integer value	Interval for updating nova-compute-side cache of the compute node resource provider’s aggregates and traits info. This option specifies the number of seconds between attempts to update a provider’s aggregates and traits information in the local cache of the compute node. Possible values: Any positive integer in seconds.

11.1.9. conductor

The following table outlines the options available under the [conductor] group in the /etc/nova/nova.conf file.

Table 11.9. conductor
Configuration option = Default value	Type	Description
`topic = conductor`	string value	Topic exchange name on which conductor nodes listen.
`workers = None`	integer value	Number of workers for OpenStack Conductor service. The default will be the number of CPUs available.

11.1.10. console

The following table outlines the options available under the [console] group in the /etc/nova/nova.conf file.

Table 11.10. console
Configuration option = Default value	Type	Description
`allowed_origins = []`	list value	Adds list of allowed origins to the console websocket proxy to allow connections from other origin hostnames. Websocket proxy matches the host header with the origin header to prevent cross-site requests. This list specifies if any there are values other than host are allowed in the origin header. Possible values: A list where each element is an allowed origin hostnames, else an empty list

11.1.11. consoleauth

The following table outlines the options available under the [consoleauth] group in the /etc/nova/nova.conf file.

Table 11.11. consoleauth
Configuration option = Default value	Type	Description
`token_ttl = 600`	integer value	The lifetime of a console auth token (in seconds). A console auth token is used in authorizing console access for a user. Once the auth token time to live count has elapsed, the token is considered expired. Expired tokens are then deleted.

11.1.12. cors

The following table outlines the options available under the [cors] group in the /etc/nova/nova.conf file.

Table 11.12. cors
Configuration option = Default value	Type	Description
`allow_credentials = True`	boolean value	Indicate that the actual request can include user credentials
`allow_headers = [u'X-Auth-Token', u'X-Openstack-Request-Id', u'X-Identity-Status', u'X-Roles', u'X-Service-Catalog', u'X-User-Id', u'X-Tenant-Id']`	list value	Indicate which header field names may be used during the actual request.
`allow_methods = [u'GET', u'PUT', u'POST', u'DELETE', u'PATCH']`	list value	Indicate which methods can be used during the actual request.
`allowed_origin = None`	list value	Indicate whether this resource may be shared with the domain received in the requests "origin" header. Format: "<protocol>://<host>[:<port>]", no trailing slash. Example: https://horizon.example.com
`expose_headers = [u'X-Auth-Token', u'X-Openstack-Request-Id', u'X-Subject-Token', u'X-Service-Token']`	list value	Indicate which headers are safe to expose to the API. Defaults to HTTP Simple Headers.
`max_age = 3600`	integer value	Maximum cache age of CORS preflight requests.

11.1.13. crypto

The following table outlines the options available under the [crypto] group in the /etc/nova/nova.conf file.

Table 11.13. crypto
Configuration option = Default value	Type	Description
`ca_file = cacert.pem`	string value	Filename of root CA (Certificate Authority). This is a container format and includes root certificates. Possible values: Any file name containing root CA, cacert.pem is default Related options: ca_path
`ca_path = $state_path/CA`	string value	Directory path where root CA is located. Related options: ca_file
`crl_file = crl.pem`	string value	Filename of root Certificate Revocation List (CRL). This is a list of certificates that have been revoked, and therefore, entities presenting those (revoked) certificates should no longer be trusted. Related options: ca_path
`key_file = private/cakey.pem`	string value	Filename of a private key. Related options: keys_path
`keys_path = $state_path/keys`	string value	Directory path where keys are located. Related options: key_file
`project_cert_subject = /C=US/ST=California/O=OpenStack/OU=NovaDev/CN=project-ca-%.16s-%s`	string value	Subject for certificate for projects, %s for project, timestamp
`use_project_ca = False`	boolean value	Option to enable/disable use of CA for each project.
`user_cert_subject = /C=US/ST=California/O=OpenStack/OU=NovaDev/CN=%.16s-%.16s-%s`	string value	Subject for certificate for users, %s for project, user, timestamp

11.1.14. database

The following table outlines the options available under the [database] group in the /etc/nova/nova.conf file.

Table 11.14. database
Configuration option = Default value	Type	Description
`backend = sqlalchemy`	string value	The back end to use for the database.
`connection = None`	string value	The SQLAlchemy connection string to use to connect to the database.
`connection_debug = 0`	integer value	Verbosity of SQL debugging information: 0=None, 100=Everything.
`connection_recycle_time = 3600`	integer value	Connections which have been present in the connection pool longer than this number of seconds will be replaced with a new one the next time they are checked out from the pool.
`connection_trace = False`	boolean value	Add Python stack traces to SQL as comment strings.
`db_inc_retry_interval = True`	boolean value	If True, increases the interval between retries of a database operation up to db_max_retry_interval.
`db_max_retries = 20`	integer value	Maximum retries in case of connection error or deadlock error before error is raised. Set to -1 to specify an infinite retry count.
`db_max_retry_interval = 10`	integer value	If db_inc_retry_interval is set, the maximum seconds between retries of a database operation.
`db_retry_interval = 1`	integer value	Seconds between retries of a database transaction.
`max_overflow = 50`	integer value	If set, use this value for max_overflow with SQLAlchemy.
`max_pool_size = 5`	integer value	Maximum number of SQL connections to keep open in a pool. Setting a value of 0 indicates no limit.
`max_retries = 10`	integer value	Maximum number of database connection retries during startup. Set to -1 to specify an infinite retry count.
`min_pool_size = 1`	integer value	Minimum number of SQL connections to keep open in a pool.
`mysql_enable_ndb = False`	boolean value	If True, transparently enables support for handling MySQL Cluster (NDB).
`mysql_sql_mode = TRADITIONAL`	string value	The SQL mode to be used for MySQL sessions. This option, including the default, overrides any server-set SQL mode. To use whatever SQL mode is set by the server configuration, set this to no value. Example: mysql_sql_mode=
`pool_timeout = None`	integer value	If set, use this value for pool_timeout with SQLAlchemy.
`retry_interval = 10`	integer value	Interval between retries of opening a SQL connection.
`slave_connection = None`	string value	The SQLAlchemy connection string to use to connect to the slave database.
`sqlite_synchronous = True`	boolean value	If True, SQLite uses synchronous mode.
`use_db_reconnect = False`	boolean value	Enable the experimental use of database reconnect on connection lost.
`use_tpool = False`	boolean value	Enable the experimental use of thread pooling for all DB API calls

11.1.15. devices

The following table outlines the options available under the [devices] group in the /etc/nova/nova.conf file.

Table 11.15. devices
Configuration option = Default value	Type	Description
`enabled_vgpu_types = []`	list value	A list of the vGPU types enabled in the compute node. Some pGPUs (e.g. NVIDIA GRID K1) support different vGPU types. User can use this option to specify a list of enabled vGPU types that may be assigned to a guest instance. But please note that Nova only supports a single type in the Queens release. If more than one vGPU type is specified (as a comma-separated list), only the first one will be used. An example is as the following: [devices] enabled_vgpu_types = GRID K100,Intel GVT-g,MxGPU.2,nvidia-11

11.1.16. ephemeral_storage_encryption

The following table outlines the options available under the [ephemeral_storage_encryption] group in the /etc/nova/nova.conf file.

Table 11.16. ephemeral_storage_encryption
Configuration option = Default value	Type	Description
`cipher = aes-xts-plain64`	string value	Cipher-mode string to be used. The cipher and mode to be used to encrypt ephemeral storage. The set of cipher-mode combinations available depends on kernel support. According to the dm-crypt documentation, the cipher is expected to be in the format: "<cipher>-<chainmode>-<ivmode>". Possible values: Any crypto option listed in `/proc/crypto`.
`enabled = False`	boolean value	Enables/disables LVM ephemeral storage encryption.
`key_size = 512`	integer value	Encryption key length in bits. The bit length of the encryption key to be used to encrypt ephemeral storage. In XTS mode only half of the bits are used for encryption key.

11.1.17. filter_scheduler

The following table outlines the options available under the [filter_scheduler] group in the /etc/nova/nova.conf file.

Table 11.17. filter_scheduler
Configuration option = Default value	Type	Description
`aggregate_image_properties_isolation_namespace = None`	string value	Image property namespace for use in the host aggregate. Images and hosts can be configured so that certain images can only be scheduled to hosts in a particular aggregate. This is done with metadata values set on the host aggregate that are identified by beginning with the value of this option. If the host is part of an aggregate with such a metadata key, the image in the request spec must have the value of that metadata in its properties in order for the scheduler to consider the host as acceptable. This option is only used by the FilterScheduler and its subclasses; if you use a different scheduler, this option has no effect. Also note that this setting only affects scheduling if the aggregate_image_properties_isolation filter is enabled. Possible values: A string, where the string corresponds to an image property namespace Related options: aggregate_image_properties_isolation_separator
`aggregate_image_properties_isolation_separator = .`	string value	Separator character(s) for image property namespace and name. When using the aggregate_image_properties_isolation filter, the relevant metadata keys are prefixed with the namespace defined in the aggregate_image_properties_isolation_namespace configuration option plus a separator. This option defines the separator to be used. This option is only used by the FilterScheduler and its subclasses; if you use a different scheduler, this option has no effect. Also note that this setting only affects scheduling if the aggregate_image_properties_isolation filter is enabled. Possible values: A string, where the string corresponds to an image property namespace separator character Related options: aggregate_image_properties_isolation_namespace
`available_filters = [u'nova.scheduler.filters.all_filters']`	multi valued	Filters that the scheduler can use. An unordered list of the filter classes the nova scheduler may apply. Only the filters specified in the enabled_filters option will be used, but any filter appearing in that option must also be included in this list. By default, this is set to all filters that are included with nova. This option is only used by the FilterScheduler and its subclasses; if you use a different scheduler, this option has no effect. Possible values: A list of zero or more strings, where each string corresponds to the name of a filter that may be used for selecting a host Related options: enabled_filters
`baremetal_enabled_filters = [u'RetryFilter', u'AvailabilityZoneFilter', u'ComputeFilter', u'ComputeCapabilitiesFilter', u'ImagePropertiesFilter', u'ExactRamFilter', u'ExactDiskFilter', u'ExactCoreFilter']`	list value	Filters used for filtering baremetal hosts. Filters are applied in order, so place your most restrictive filters first to make the filtering process more efficient. This option is only used by the FilterScheduler and its subclasses; if you use a different scheduler, this option has no effect. Possible values: A list of zero or more strings, where each string corresponds to the name of a filter to be used for selecting a baremetal host Related options: If the scheduler_use_baremetal_filters option is False, this option has no effect.
`build_failure_weight_multiplier = 1000000.0`	floating point value	Multiplier used for weighing hosts that have had recent build failures. This option determines how much weight is placed on a compute node with recent build failures. Build failures may indicate a failing, misconfigured, or otherwise ailing compute node, and avoiding it during scheduling may be beneficial. The weight is inversely proportional to the number of recent build failures the compute node has experienced. This value should be set to some high value to offset weight given by other enabled weighers due to available resources. To disable weighing compute hosts by the number of recent failures, set this to zero. This option is only used by the FilterScheduler and its subclasses; if you use a different scheduler, this option has no effect. Possible values: An integer or float value, where the value corresponds to the multiplier ratio for this weigher. Related options: [compute]/consecutive_build_service_disable_threshold - Must be nonzero for a compute to report data considered by this weigher.
`cpu_weight_multiplier = 1.0`	floating point value	CPU weight multiplier ratio. Multiplier used for weighting free vCPUs. Negative numbers indicate stacking rather than spreading. This option is only used by the FilterScheduler and its subclasses; if you use a different scheduler, this option has no effect. Also note that this setting only affects scheduling if the cpu weigher is enabled. Possible values: An integer or float value, where the value corresponds to the multipler ratio for this weigher. Related options: `filter_scheduler.weight_classes`: This weigher must be added to list of enabled weight classes if the `weight_classes` setting is set to a non-default value.
`disk_weight_multiplier = 1.0`	floating point value	Disk weight multipler ratio. Multiplier used for weighing free disk space. Negative numbers mean to stack vs spread. This option is only used by the FilterScheduler and its subclasses; if you use a different scheduler, this option has no effect. Also note that this setting only affects scheduling if the disk weigher is enabled. Possible values: An integer or float value, where the value corresponds to the multipler ratio for this weigher.
`enabled_filters = [u'RetryFilter', u'AvailabilityZoneFilter', u'ComputeFilter', u'ComputeCapabilitiesFilter', u'ImagePropertiesFilter', u'ServerGroupAntiAffinityFilter', u'ServerGroupAffinityFilter']`	list value	Filters that the scheduler will use. An ordered list of filter class names that will be used for filtering hosts. These filters will be applied in the order they are listed so place your most restrictive filters first to make the filtering process more efficient. This option is only used by the FilterScheduler and its subclasses; if you use a different scheduler, this option has no effect. Possible values: A list of zero or more strings, where each string corresponds to the name of a filter to be used for selecting a host Related options: All of the filters in this option must be present in the scheduler_available_filters option, or a SchedulerHostFilterNotFound exception will be raised.
`host_subset_size = 1`	integer value	Size of subset of best hosts selected by scheduler. New instances will be scheduled on a host chosen randomly from a subset of the N best hosts, where N is the value set by this option. Setting this to a value greater than 1 will reduce the chance that multiple scheduler processes handling similar requests will select the same host, creating a potential race condition. By selecting a host randomly from the N hosts that best fit the request, the chance of a conflict is reduced. However, the higher you set this value, the less optimal the chosen host may be for a given request. This option is only used by the FilterScheduler and its subclasses; if you use a different scheduler, this option has no effect. Possible values: An integer, where the integer corresponds to the size of a host subset. Any integer is valid, although any value less than 1 will be treated as 1
`image_properties_default_architecture = None`	string value	The default architecture to be used when using the image properties filter. When using the ImagePropertiesFilter, it is possible that you want to define a default architecture to make the user experience easier and avoid having something like x86_64 images landing on aarch64 compute nodes because the user did not specify the hw_architecture property in Glance. Possible values: CPU Architectures such as x86_64, aarch64, s390x.
`io_ops_weight_multiplier = -1.0`	floating point value	IO operations weight multipler ratio. This option determines how hosts with differing workloads are weighed. Negative values, such as the default, will result in the scheduler preferring hosts with lighter workloads whereas positive values will prefer hosts with heavier workloads. Another way to look at it is that positive values for this option will tend to schedule instances onto hosts that are already busy, while negative values will tend to distribute the workload across more hosts. The absolute value, whether positive or negative, controls how strong the io_ops weigher is relative to other weighers. This option is only used by the FilterScheduler and its subclasses; if you use a different scheduler, this option has no effect. Also note that this setting only affects scheduling if the io_ops weigher is enabled. Possible values: An integer or float value, where the value corresponds to the multipler ratio for this weigher.
`isolated_hosts = []`	list value	List of hosts that can only run certain images. If there is a need to restrict some images to only run on certain designated hosts, list those host names here. This option is only used by the FilterScheduler and its subclasses; if you use a different scheduler, this option has no effect. Also note that this setting only affects scheduling if the IsolatedHostsFilter filter is enabled. Possible values: A list of strings, where each string corresponds to the name of a host Related options: scheduler/isolated_images scheduler/restrict_isolated_hosts_to_isolated_images
`isolated_images = []`	list value	List of UUIDs for images that can only be run on certain hosts. If there is a need to restrict some images to only run on certain designated hosts, list those image UUIDs here. This option is only used by the FilterScheduler and its subclasses; if you use a different scheduler, this option has no effect. Also note that this setting only affects scheduling if the IsolatedHostsFilter filter is enabled. Possible values: A list of UUID strings, where each string corresponds to the UUID of an image Related options: scheduler/isolated_hosts scheduler/restrict_isolated_hosts_to_isolated_images
`max_instances_per_host = 50`	integer value	Maximum number of instances that be active on a host. If you need to limit the number of instances on any given host, set this option to the maximum number of instances you want to allow. The num_instances_filter will reject any host that has at least as many instances as this option’s value. This option is only used by the FilterScheduler and its subclasses; if you use a different scheduler, this option has no effect. Also note that this setting only affects scheduling if the num_instances_filter filter is enabled. Possible values: An integer, where the integer corresponds to the max instances that can be scheduled on a host.
`max_io_ops_per_host = 8`	integer value	The number of instances that can be actively performing IO on a host. Instances performing IO includes those in the following states: build, resize, snapshot, migrate, rescue, unshelve. This option is only used by the FilterScheduler and its subclasses; if you use a different scheduler, this option has no effect. Also note that this setting only affects scheduling if the io_ops_filter filter is enabled. Possible values: An integer, where the integer corresponds to the max number of instances that can be actively performing IO on any given host.
`pci_weight_multiplier = 1.0`	floating point value	PCI device affinity weight multiplier. The PCI device affinity weighter computes a weighting based on the number of PCI devices on the host and the number of PCI devices requested by the instance. The `NUMATopologyFilter` filter must be enabled for this to have any significance. For more information, refer to the filter documentation: https://docs.openstack.org/nova/latest/user/filter-scheduler.html Possible values: A positive integer or float value, where the value corresponds to the multiplier ratio for this weigher.
`ram_weight_multiplier = 1.0`	floating point value	RAM weight multipler ratio. This option determines how hosts with more or less available RAM are weighed. A positive value will result in the scheduler preferring hosts with more available RAM, and a negative number will result in the scheduler preferring hosts with less available RAM. Another way to look at it is that positive values for this option will tend to spread instances across many hosts, while negative values will tend to fill up (stack) hosts as much as possible before scheduling to a less-used host. The absolute value, whether positive or negative, controls how strong the RAM weigher is relative to other weighers. This option is only used by the FilterScheduler and its subclasses; if you use a different scheduler, this option has no effect. Also note that this setting only affects scheduling if the ram weigher is enabled. Possible values: An integer or float value, where the value corresponds to the multipler ratio for this weigher.
`restrict_isolated_hosts_to_isolated_images = True`	boolean value	Prevent non-isolated images from being built on isolated hosts. This option is only used by the FilterScheduler and its subclasses; if you use a different scheduler, this option has no effect. Also note that this setting only affects scheduling if the IsolatedHostsFilter filter is enabled. Even then, this option doesn’t affect the behavior of requests for isolated images, which will always be restricted to isolated hosts. Related options: scheduler/isolated_images scheduler/isolated_hosts
`shuffle_best_same_weighed_hosts = False`	boolean value	Enable spreading the instances between hosts with the same best weight. Enabling it is beneficial for cases when host_subset_size is 1 (default), but there is a large number of hosts with same maximal weight. This scenario is common in Ironic deployments where there are typically many baremetal nodes with identical weights returned to the scheduler. In such case enabling this option will reduce contention and chances for rescheduling events. At the same time it will make the instance packing (even in unweighed case) less dense.
`soft_affinity_weight_multiplier = 1.0`	floating point value	Multiplier used for weighing hosts for group soft-affinity. Possible values: An integer or float value, where the value corresponds to weight multiplier for hosts with group soft affinity. Only a positive value are meaningful, as negative values would make this behave as a soft anti-affinity weigher.
`soft_anti_affinity_weight_multiplier = 1.0`	floating point value	Multiplier used for weighing hosts for group soft-anti-affinity. Possible values: An integer or float value, where the value corresponds to weight multiplier for hosts with group soft anti-affinity. Only a positive value are meaningful, as negative values would make this behave as a soft affinity weigher.
`track_instance_changes = True`	boolean value	Enable querying of individual hosts for instance information. The scheduler may need information about the instances on a host in order to evaluate its filters and weighers. The most common need for this information is for the (anti-)affinity filters, which need to choose a host based on the instances already running on a host. If the configured filters and weighers do not need this information, disabling this option will improve performance. It may also be disabled when the tracking overhead proves too heavy, although this will cause classes requiring host usage data to query the database on each request instead. This option is only used by the FilterScheduler and its subclasses; if you use a different scheduler, this option has no effect. Note In a multi-cell (v2) setup where the cell MQ is separated from the top-level, computes cannot directly communicate with the scheduler. Thus, this option cannot be enabled in that scenario. See also the [workarounds]/disable_group_policy_check_upcall option.
`use_baremetal_filters = False`	boolean value	Enable baremetal filters. Set this to True to tell the nova scheduler that it should use the filters specified in the baremetal_enabled_filters option. If you are not scheduling baremetal nodes, leave this at the default setting of False. This option is only used by the FilterScheduler and its subclasses; if you use a different scheduler, this option has no effect. Related options: If this option is set to True, then the filters specified in the baremetal_enabled_filters are used instead of the filters specified in enabled_filters.
`weight_classes = [u'nova.scheduler.weights.all_weighers']`	list value	Weighers that the scheduler will use. Only hosts which pass the filters are weighed. The weight for any host starts at 0, and the weighers order these hosts by adding to or subtracting from the weight assigned by the previous weigher. Weights may become negative. An instance will be scheduled to one of the N most-weighted hosts, where N is scheduler_host_subset_size. By default, this is set to all weighers that are included with Nova. This option is only used by the FilterScheduler and its subclasses; if you use a different scheduler, this option has no effect. Possible values: A list of zero or more strings, where each string corresponds to the name of a weigher that will be used for selecting a host

11.1.18. glance

The following table outlines the options available under the [glance] group in the /etc/nova/nova.conf file.

Table 11.18. glance
Configuration option = Default value	Type	Description
`allowed_direct_url_schemes = []`	list value	List of url schemes that can be directly accessed. This option specifies a list of url schemes that can be downloaded directly via the direct_url. This direct_URL can be fetched from Image metadata which can be used by nova to get the image more efficiently. nova-compute could benefit from this by invoking a copy when it has access to the same file system as glance. Possible values: [file], Empty list (default)
`api_servers = None`	list value	List of glance api servers endpoints available to nova. https is used for ssl-based glance api servers. Note The preferred mechanism for endpoint discovery is via keystoneauth1 loading options. Only use api_servers if you need multiple endpoints and are unable to use a load balancer for some reason. Possible values: A list of any fully qualified url of the form "scheme://hostname:port[/path]" (i.e. "http://10.0.1.0:9292" or "https://my.glance.server/image").
`cafile = None`	string value	PEM encoded Certificate Authority to use when verifying HTTPs connections.
`certfile = None`	string value	PEM encoded client certificate cert file
`debug = False`	boolean value	Enable or disable debug logging with glanceclient.
`default_trusted_certificate_ids = []`	list value	List of certificate IDs for certificates that should be trusted. May be used as a default list of trusted certificate IDs for certificate validation. The value of this option will be ignored if the user provides a list of trusted certificate IDs with an instance API request. The value of this option will be persisted with the instance data if signature verification and certificate validation are enabled and if the user did not provide an alternative list. If left empty when certificate validation is enabled the user must provide a list of trusted certificate IDs otherwise certificate validation will fail. Related options: The value of this option may be used if both verify_glance_signatures and enable_certificate_validation are enabled.
`enable_certificate_validation = False`	boolean value	Enable certificate validation for image signature verification. During image signature verification nova will first verify the validity of the image’s signing certificate using the set of trusted certificates associated with the instance. If certificate validation fails, signature verification will not be performed and the image will be placed into an error state. This provides end users with stronger assurances that the image data is unmodified and trustworthy. If left disabled, image signature verification can still occur but the end user will not have any assurance that the signing certificate used to generate the image signature is still trustworthy. Related options: This option only takes effect if verify_glance_signatures is enabled. The value of default_trusted_certificate_ids may be used when this option is enabled.
`endpoint-override = None`	string value	Always use this endpoint URL for requests for this client. NOTE: The unversioned endpoint should be specified here; to request a particular API version, use the `version`, `min-version`, and/or `max-version` options.
`insecure = False`	boolean value	Verify HTTPS connections.
`keyfile = None`	string value	PEM encoded client certificate key file
`num_retries = 0`	integer value	Enable glance operation retries. Specifies the number of retries when uploading / downloading an image to / from glance. 0 means no retries.
`region-name = None`	string value	The default region_name for endpoint URL discovery.
`service-name = None`	string value	The default service_name for endpoint URL discovery.
`service-type = image`	string value	The default service_type for endpoint URL discovery.
`timeout = None`	integer value	Timeout value for http requests
`valid-interfaces = [u'internal', u'public']`	list value	List of interfaces, in order of preference, for endpoint URL.
`verify_glance_signatures = False`	boolean value	Enable image signature verification. nova uses the image signature metadata from glance and verifies the signature of a signed image while downloading that image. If the image signature cannot be verified or if the image signature metadata is either incomplete or unavailable, then nova will not boot the image and instead will place the instance into an error state. This provides end users with stronger assurances of the integrity of the image data they are using to create servers. Related options: The options in the `key_manager` group, as the key_manager is used for the signature validation. Both enable_certificate_validation and default_trusted_certificate_ids below depend on this option being enabled.

11.1.19. guestfs

The following table outlines the options available under the [guestfs] group in the /etc/nova/nova.conf file.

Table 11.19. guestfs
Configuration option = Default value	Type	Description
`debug = False`	boolean value	Enable/disables guestfs logging. This configures guestfs to debug messages and push them to OpenStack logging system. When set to True, it traces libguestfs API calls and enable verbose debug messages. In order to use the above feature, "libguestfs" package must be installed. Related options: Since libguestfs access and modifies VM’s managed by libvirt, below options should be set to give access to those VM’s. libvirt.inject_key libvirt.inject_partition libvirt.inject_password

11.1.20. healthcheck

The following table outlines the options available under the [healthcheck] group in the /etc/nova/nova.conf file.

Table 11.20. healthcheck
Configuration option = Default value	Type	Description
`backends = []`	list value	Additional backends that can perform health checks and report that information back as part of a request.
`detailed = False`	boolean value	Show more detailed information as part of the response
`disable_by_file_path = None`	string value	Check the presence of a file to determine if an application is running on a port. Used by DisableByFileHealthcheck plugin.
`disable_by_file_paths = []`	list value	Check the presence of a file based on a port to determine if an application is running on a port. Expects a "port:path" list of strings. Used by DisableByFilesPortsHealthcheck plugin.
`path = /healthcheck`	string value	The path to respond to healtcheck requests on.

11.1.21. hyperv

The following table outlines the options available under the [hyperv] group in the /etc/nova/nova.conf file.

Table 11.21. hyperv
Configuration option = Default value	Type	Description
`config_drive_cdrom = False`	boolean value	Configuration drive cdrom OpenStack can be configured to write instance metadata to a configuration drive, which is then attached to the instance before it boots. The configuration drive can be attached as a disk drive (default) or as a CD drive. Possible values: True: Attach the configuration drive image as a CD drive. False: Attach the configuration drive image as a disk drive (Default). Related options: This option is meaningful with force_config_drive option set to True or when the REST API call to create an instance will have --config-drive=True flag. config_drive_format option must be set to iso9660 in order to use CD drive as the configuration drive image. To use configuration drive with Hyper-V, you must set the mkisofs_cmd value to the full path to an mkisofs.exe installation. Additionally, you must set the qemu_img_cmd value to the full path to an qemu-img command installation. You can configure the Compute service to always create a configuration drive by setting the force_config_drive option to True.
`config_drive_inject_password = False`	boolean value	Configuration drive inject password Enables setting the admin password in the configuration drive image. Related options: This option is meaningful when used with other options that enable configuration drive usage with Hyper-V, such as force_config_drive. Currently, the only accepted config_drive_format is iso9660.
`dynamic_memory_ratio = 1.0`	floating point value	Dynamic memory ratio Enables dynamic memory allocation (ballooning) when set to a value greater than 1. The value expresses the ratio between the total RAM assigned to an instance and its startup RAM amount. For example a ratio of 2.0 for an instance with 1024MB of RAM implies 512MB of RAM allocated at startup. Possible values: 1.0: Disables dynamic memory allocation (Default). Float values greater than 1.0: Enables allocation of total implied RAM divided by this value for startup.
`enable_instance_metrics_collection = False`	boolean value	Enable instance metrics collection Enables metrics collections for an instance by using Hyper-V’s metric APIs. Collected data can be retrieved by other apps and services, e.g.: Ceilometer.
`enable_remotefx = False`	boolean value	Enable RemoteFX feature This requires at least one DirectX 11 capable graphics adapter for Windows / Hyper-V Server 2012 R2 or newer and RDS-Virtualization feature has to be enabled. Instances with RemoteFX can be requested with the following flavor extra specs: os:resolution. Guest VM screen resolution size. Acceptable values 1024x768, 1280x1024, 1600x1200, 1920x1200, 2560x1600, 3840x2160 `3840x2160` is only available on Windows / Hyper-V Server 2016. os:monitors. Guest VM number of monitors. Acceptable values [1, 4] - Windows / Hyper-V Server 2012 R2 [1, 8] - Windows / Hyper-V Server 2016 os:vram. Guest VM VRAM amount. Only available on Windows / Hyper-V Server 2016. Acceptable values:: 64, 128, 256, 512, 1024
`instances_path_share = `	string value	Instances path share The name of a Windows share mapped to the "instances_path" dir and used by the resize feature to copy files to the target host. If left blank, an administrative share (hidden network share) will be used, looking for the same "instances_path" used locally. Possible values: "": An administrative share will be used (Default). Name of a Windows share. Related options: "instances_path": The directory which will be used if this option here is left blank.
`iscsi_initiator_list = []`	list value	List of iSCSI initiators that will be used for estabilishing iSCSI sessions. If none are specified, the Microsoft iSCSI initiator service will choose the initiator.
`limit_cpu_features = False`	boolean value	Limit CPU features This flag is needed to support live migration to hosts with different CPU features and checked during instance creation in order to limit the CPU features used by the instance.
`mounted_disk_query_retry_count = 10`	integer value	Mounted disk query retry count The number of times to retry checking for a mounted disk. The query runs until the device can be found or the retry count is reached. Possible values: Positive integer values. Values greater than 1 is recommended (Default: 10). Related options: Time interval between disk mount retries is declared with "mounted_disk_query_retry_interval" option.
`mounted_disk_query_retry_interval = 5`	integer value	Mounted disk query retry interval Interval between checks for a mounted disk, in seconds. Possible values: Time in seconds (Default: 5). Related options: This option is meaningful when the mounted_disk_query_retry_count is greater than 1. The retry loop runs with mounted_disk_query_retry_count and mounted_disk_query_retry_interval configuration options.
`power_state_check_timeframe = 60`	integer value	Power state check timeframe The timeframe to be checked for instance power state changes. This option is used to fetch the state of the instance from Hyper-V through the WMI interface, within the specified timeframe. Possible values: Timeframe in seconds (Default: 60).
`power_state_event_polling_interval = 2`	integer value	Power state event polling interval Instance power state change event polling frequency. Sets the listener interval for power state events to the given value. This option enhances the internal lifecycle notifications of instances that reboot themselves. It is unlikely that an operator has to change this value. Possible values: Time in seconds (Default: 2).
`qemu_img_cmd = qemu-img.exe`	string value	qemu-img command qemu-img is required for some of the image related operations like converting between different image types. You can get it from here: (http://qemu.weilnetz.de/) or you can install the Cloudbase OpenStack Hyper-V Compute Driver (https://cloudbase.it/openstack-hyperv-driver/) which automatically sets the proper path for this config option. You can either give the full path of qemu-img.exe or set its path in the PATH environment variable and leave this option to the default value. Possible values: Name of the qemu-img executable, in case it is in the same directory as the nova-compute service or its path is in the PATH environment variable (Default). Path of qemu-img command (DRIVELETTER:\PATH\TO\QEMU-IMG\COMMAND). Related options: If the config_drive_cdrom option is False, qemu-img will be used to convert the ISO to a VHD, otherwise the configuration drive will remain an ISO. To use configuration drive with Hyper-V, you must set the mkisofs_cmd value to the full path to an mkisofs.exe installation.
`use_multipath_io = False`	boolean value	Use multipath connections when attaching iSCSI or FC disks. This requires the Multipath IO Windows feature to be enabled. MPIO must be configured to claim such devices.
`volume_attach_retry_count = 10`	integer value	Volume attach retry count The number of times to retry attaching a volume. Volume attachment is retried until success or the given retry count is reached. Possible values: Positive integer values (Default: 10). Related options: Time interval between attachment attempts is declared with volume_attach_retry_interval option.
`volume_attach_retry_interval = 5`	integer value	Volume attach retry interval Interval between volume attachment attempts, in seconds. Possible values: Time in seconds (Default: 5). Related options: This options is meaningful when volume_attach_retry_count is greater than 1. The retry loop runs with volume_attach_retry_count and volume_attach_retry_interval configuration options.
`vswitch_name = None`	string value	External virtual switch name The Hyper-V Virtual Switch is a software-based layer-2 Ethernet network switch that is available with the installation of the Hyper-V server role. The switch includes programmatically managed and extensible capabilities to connect virtual machines to both virtual networks and the physical network. In addition, Hyper-V Virtual Switch provides policy enforcement for security, isolation, and service levels. The vSwitch represented by this config option must be an external one (not internal or private). Possible values: If not provided, the first of a list of available vswitches is used. This list is queried using WQL. Virtual switch name.
`wait_soft_reboot_seconds = 60`	integer value	Wait soft reboot seconds Number of seconds to wait for instance to shut down after soft reboot request is made. We fall back to hard reboot if instance does not shutdown within this window. Possible values: Time in seconds (Default: 60).

11.1.22. ironic

The following table outlines the options available under the [ironic] group in the /etc/nova/nova.conf file.

Table 11.22. ironic
Configuration option = Default value	Type	Description
`api_endpoint = None`	uri value	URL override for the Ironic API endpoint.
`api_max_retries = 60`	integer value	The number of times to retry when a request conflicts. If set to 0, only try once, no retries. Related options: api_retry_interval
`api_retry_interval = 2`	integer value	The number of seconds to wait before retrying the request. Related options: api_max_retries
`auth-url = None`	string value	Authentication URL
`auth_section = None`	string value	Config Section from which to load plugin specific options
`auth_type = None`	string value	Authentication type to load
`cafile = None`	string value	PEM encoded Certificate Authority to use when verifying HTTPs connections.
`certfile = None`	string value	PEM encoded client certificate cert file
`domain-id = None`	string value	Domain ID to scope to
`domain-name = None`	string value	Domain name to scope to
`endpoint-override = None`	string value	Always use this endpoint URL for requests for this client. NOTE: The unversioned endpoint should be specified here; to request a particular API version, use the `version`, `min-version`, and/or `max-version` options.
`insecure = False`	boolean value	Verify HTTPS connections.
`keyfile = None`	string value	PEM encoded client certificate key file
`password = None`	string value	User’s password
`project-domain-id = None`	string value	Domain ID containing project
`project-domain-name = None`	string value	Domain name containing project
`project-id = None`	string value	Project ID to scope to
`project-name = None`	string value	Project name to scope to
`region-name = None`	string value	The default region_name for endpoint URL discovery.
`serial_console_state_timeout = 10`	integer value	Timeout (seconds) to wait for node serial console state changed. Set to 0 to disable timeout.
`service-name = None`	string value	The default service_name for endpoint URL discovery.
`service-type = baremetal`	string value	The default service_type for endpoint URL discovery.
`system-scope = None`	string value	Scope for system operations
`timeout = None`	integer value	Timeout value for http requests
`trust-id = None`	string value	Trust ID
`user-domain-id = None`	string value	User’s domain id
`user-domain-name = None`	string value	User’s domain name
`user-id = None`	string value	User ID
`username = None`	string value	Username
`valid-interfaces = [u'internal', u'public']`	list value	List of interfaces, in order of preference, for endpoint URL.

11.1.23. key_manager

The following table outlines the options available under the [key_manager] group in the /etc/nova/nova.conf file.

Table 11.23. key_manager
Configuration option = Default value	Type	Description
`auth_type = None`	string value	The type of authentication credential to create. Possible values are token, password, keystone_token, and keystone_password. Required if no context is passed to the credential factory.
`auth_url = None`	string value	Use this endpoint to connect to Keystone.
`backend = barbican`	string value	Specify the key manager implementation. Options are "barbican" and "vault". Default is "barbican". Will support the values earlier set using [key_manager]/api_class for some time.
`domain_id = None`	string value	Domain ID for domain scoping. Optional for keystone_token and keystone_password auth_type.
`domain_name = None`	string value	Domain name for domain scoping. Optional for keystone_token and keystone_password auth_type.
`fixed_key = None`	string value	Fixed key returned by key manager, specified in hex. Possible values: Empty string or a key in hex value
`password = None`	string value	Password for authentication. Required for password and keystone_password auth_type.
`project_domain_id = None`	string value	Project’s domain ID for project. Optional for keystone_token and keystone_password auth_type.
`project_domain_name = None`	string value	Project’s domain name for project. Optional for keystone_token and keystone_password auth_type.
`project_id = None`	string value	Project ID for project scoping. Optional for keystone_token and keystone_password auth_type.
`project_name = None`	string value	Project name for project scoping. Optional for keystone_token and keystone_password auth_type.
`reauthenticate = True`	boolean value	Allow fetching a new token if the current one is going to expire. Optional for keystone_token and keystone_password auth_type.
`token = None`	string value	Token for authentication. Required for token and keystone_token auth_type if no context is passed to the credential factory.
`trust_id = None`	string value	Trust ID for trust scoping. Optional for keystone_token and keystone_password auth_type.
`user_domain_id = None`	string value	User’s domain ID for authentication. Optional for keystone_token and keystone_password auth_type.
`user_domain_name = None`	string value	User’s domain name for authentication. Optional for keystone_token and keystone_password auth_type.
`user_id = None`	string value	User ID for authentication. Optional for keystone_token and keystone_password auth_type.
`username = None`	string value	Username for authentication. Required for password auth_type. Optional for the keystone_password auth_type.

11.1.24. keystone

The following table outlines the options available under the [keystone] group in the /etc/nova/nova.conf file.

Table 11.24. keystone
Configuration option = Default value	Type	Description
`cafile = None`	string value	PEM encoded Certificate Authority to use when verifying HTTPs connections.
`certfile = None`	string value	PEM encoded client certificate cert file
`endpoint-override = None`	string value	Always use this endpoint URL for requests for this client. NOTE: The unversioned endpoint should be specified here; to request a particular API version, use the `version`, `min-version`, and/or `max-version` options.
`insecure = False`	boolean value	Verify HTTPS connections.
`keyfile = None`	string value	PEM encoded client certificate key file
`region-name = None`	string value	The default region_name for endpoint URL discovery.
`service-name = None`	string value	The default service_name for endpoint URL discovery.
`service-type = identity`	string value	The default service_type for endpoint URL discovery.
`timeout = None`	integer value	Timeout value for http requests
`valid-interfaces = [u'internal', u'public']`	list value	List of interfaces, in order of preference, for endpoint URL.

11.1.25. keystone_authtoken

The following table outlines the options available under the [keystone_authtoken] group in the /etc/nova/nova.conf file.

Table 11.25. keystone_authtoken
Configuration option = Default value	Type	Description
`auth_section = None`	string value	Config Section from which to load plugin specific options
`auth_type = None`	string value	Authentication type to load
`auth_uri = None`	string value	Complete "public" Identity API endpoint. This endpoint should not be an "admin" endpoint, as it should be accessible by all end users. Unauthenticated clients are redirected to this endpoint to authenticate. Although this endpoint should ideally be unversioned, client support in the wild varies. If you’re using a versioned v2 endpoint here, then this should not be the same endpoint the service user utilizes for validating tokens, because normal end users may not be able to reach that endpoint. This option is deprecated in favor of www_authenticate_uri and will be removed in the S release.
`auth_version = None`	string value	API version of the admin Identity API endpoint.
`cache = None`	string value	Request environment key where the Swift cache object is stored. When auth_token middleware is deployed with a Swift cache, use this option to have the middleware share a caching backend with swift. Otherwise, use the `memcached_servers` option instead.
`cafile = None`	string value	A PEM encoded Certificate Authority to use when verifying HTTPs connections. Defaults to system CAs.
`certfile = None`	string value	Required if identity server requires client certificate
`check_revocations_for_cached = False`	boolean value	If true, the revocation list will be checked for cached tokens. This requires that PKI tokens are configured on the identity server.
`delay_auth_decision = False`	boolean value	Do not handle authorization requests within the middleware, but delegate the authorization decision to downstream WSGI components.
`enforce_token_bind = permissive`	string value	Used to control the use and type of token binding. Can be set to: "disabled" to not check token binding. "permissive" (default) to validate binding information if the bind type is of a form known to the server and ignore it if not. "strict" like "permissive" but if the bind type is unknown the token will be rejected. "required" any form of token binding is needed to be allowed. Finally the name of a binding method that must be present in tokens.
`hash_algorithms = [u'md5']`	list value	Hash algorithms to use for hashing PKI tokens. This may be a single algorithm or multiple. The algorithms are those supported by Python standard hashlib.new(). The hashes will be tried in the order given, so put the preferred one first for performance. The result of the first hash will be stored in the cache. This will typically be set to multiple values only while migrating from a less secure algorithm to a more secure one. Once all the old tokens are expired this option should be set to a single value for better performance.
`http_connect_timeout = None`	integer value	Request timeout value for communicating with Identity API server.
`http_request_max_retries = 3`	integer value	How many times are we trying to reconnect when communicating with Identity API Server.
`include_service_catalog = True`	boolean value	(Optional) Indicate whether to set the X-Service-Catalog header. If False, middleware will not ask for service catalog on token validation and will not set the X-Service-Catalog header.
`insecure = False`	boolean value	Verify HTTPS connections.
`keyfile = None`	string value	Required if identity server requires client certificate
`memcache_pool_conn_get_timeout = 10`	integer value	(Optional) Number of seconds that an operation will wait to get a memcached client connection from the pool.
`memcache_pool_dead_retry = 300`	integer value	(Optional) Number of seconds memcached server is considered dead before it is tried again.
`memcache_pool_maxsize = 10`	integer value	(Optional) Maximum total number of open connections to every memcached server.
`memcache_pool_socket_timeout = 3`	integer value	(Optional) Socket timeout in seconds for communicating with a memcached server.
`memcache_pool_unused_timeout = 60`	integer value	(Optional) Number of seconds a connection to memcached is held unused in the pool before it is closed.
`memcache_secret_key = None`	string value	(Optional, mandatory if memcache_security_strategy is defined) This string is used for key derivation.
`memcache_security_strategy = None`	string value	(Optional) If defined, indicate whether token data should be authenticated or authenticated and encrypted. If MAC, token data is authenticated (with HMAC) in the cache. If ENCRYPT, token data is encrypted and authenticated in the cache. If the value is not one of these options or empty, auth_token will raise an exception on initialization.
`memcache_use_advanced_pool = False`	boolean value	(Optional) Use the advanced (eventlet safe) memcached client pool. The advanced pool will only work under python 2.x.
`memcached_servers = None`	list value	Optionally specify a list of memcached server(s) to use for caching. If left undefined, tokens will instead be cached in-process.
`region_name = None`	string value	The region in which the identity server can be found.
`revocation_cache_time = 10`	integer value	Determines the frequency at which the list of revoked tokens is retrieved from the Identity service (in seconds). A high number of revocation events combined with a low cache duration may significantly reduce performance. Only valid for PKI tokens. This option has been deprecated in the Ocata release and will be removed in the P release.
`service_token_roles = [u'service']`	list value	A choice of roles that must be present in a service token. Service tokens are allowed to request that an expired token can be used and so this check should tightly control that only actual services should be sending this token. Roles here are applied as an ANY check so any role in this list must be present. For backwards compatibility reasons this currently only affects the allow_expired check.
`service_token_roles_required = False`	boolean value	For backwards compatibility reasons we must let valid service tokens pass that don’t pass the service_token_roles check as valid. Setting this true will become the default in a future release and should be enabled if possible.
`signing_dir = None`	string value	Directory used to cache files related to PKI tokens. This option has been deprecated in the Ocata release and will be removed in the P release.
`token_cache_time = 300`	integer value	In order to prevent excessive effort spent validating tokens, the middleware caches previously-seen tokens for a configurable duration (in seconds). Set to -1 to disable caching completely.
`www_authenticate_uri = None`	string value	Complete "public" Identity API endpoint. This endpoint should not be an "admin" endpoint, as it should be accessible by all end users. Unauthenticated clients are redirected to this endpoint to authenticate. Although this endpoint should ideally be unversioned, client support in the wild varies. If you’re using a versioned v2 endpoint here, then this should not be the same endpoint the service user utilizes for validating tokens, because normal end users may not be able to reach that endpoint.

11.1.26. libvirt

The following table outlines the options available under the [libvirt] group in the /etc/nova/nova.conf file.

Table 11.26. libvirt
Configuration option = Default value	Type	Description
`checksum_base_images = False`	boolean value	Write a checksum for files in _base to disk
`checksum_interval_seconds = 3600`	integer value	How frequently to checksum base images
`connection_uri = `	string value	Overrides the default libvirt URI of the chosen virtualization type. If set, Nova will use this URI to connect to libvirt. Possible values: An URI like `qemu:///system` or `xen+ssh://oirase/` for example. This is only necessary if the URI differs to the commonly known URIs for the chosen virtualization type. Related options: `virt_type`: Influences what is used as default value here.
`cpu_mode = None`	string value	Is used to set the CPU mode an instance should have. If virt_type="kvm\|qemu", it will default to "host-model", otherwise it will default to "none". Possible values: `host-model`: Clones the host CPU feature flags `host-passthrough`: Use the host CPU model exactly `custom`: Use a named CPU model `none`: Don’t set a specific CPU model. For instances with `virt_type` as KVM/QEMU, the default CPU model from QEMU will be used, which provides a basic set of CPU features that are compatible with most hosts. Related options: `cpu_model`: This should be set ONLY when `cpu_mode` is set to `custom`. Otherwise, it would result in an error and the instance launch will fail.
`cpu_model = None`	string value	Set the name of the libvirt CPU model the instance should use. Possible values: The named CPU models listed in `/usr/share/libvirt/cpu_map.xml` Related options: `cpu_mode`: This should be set to `custom` ONLY when you want to configure (via `cpu_model`) a specific named CPU model. Otherwise, it would result in an error and the instance launch will fail. `virt_type`: Only the virtualization types `kvm` and `qemu` use this.
`cpu_model_extra_flags = []`	list value	This allows specifying granular CPU feature flags when configuring CPU models. For example, to explicitly specify the `pcid` (Process-Context ID, an Intel processor feature — which is now required to address the guest performance degradation as a result of applying the "Meltdown" CVE fixes to certain Intel CPU models) flag to the "IvyBridge" virtual CPU model:: [libvirt] cpu_mode = custom cpu_model = IvyBridge cpu_model_extra_flags = pcid To specify multiple CPU flags (e.g. the Intel `VMX` to expose the virtualization extensions to the guest, or `pdpe1gb` to configure 1GB huge pages for CPU models that do not provide it): [libvirt] cpu_mode = custom cpu_model = Haswell-noTSX-IBRS cpu_model_extra_flags = PCID, VMX, pdpe1gb As it can be noticed from above, the `cpu_model_extra_flags` config attribute is case insensitive. And specifying extra flags is valid in combination with all the three possible values for `cpu_mode`: `custom` (this also requires an explicit `cpu_model` to be specified), `host-model`, or `host-passthrough`. A valid example for allowing extra CPU flags even for `host-passthrough` mode is that sometimes QEMU may disable certain CPU features — e.g. Intel’s "invtsc", Invariable Time Stamp Counter, CPU flag. And if you need to expose that CPU flag to the Nova instance, the you need to explicitly ask for it. The possible values for `cpu_model_extra_flags` depends on the CPU model in use. Refer to `/usr/share/libvirt/cpu_map.xml` possible CPU feature flags for a given CPU model. Note that when using this config attribute to set the PCID CPU flag with the `custom` CPU mode, not all virtual (i.e. libvirt / QEMU) CPU models need it: The only virtual CPU models that include the PCID capability are Intel "Haswell", "Broadwell", and "Skylake" variants. The libvirt / QEMU CPU models "Nehalem", "Westmere", "SandyBridge", and "IvyBridge" will not expose the PCID capability by default, even if the host CPUs by the same name include it. I.e. PCID needs to be explicitly specified when using the said virtual CPU models. For more information about `ssbd` and related options, please refer to the following security updates: https://www.us-cert.gov/ncas/alerts/TA18-141A https://www.redhat.com/archives/libvir-list/2018-May/msg01562.html https://www.redhat.com/archives/libvir-list/2018-June/msg01111.html Besides `custom`, the libvirt driver has two other CPU modes: The default, `host-model`, tells it to do the right thing with respect to handling PCID CPU flag for the guest — assuming you are running updated processor microcode, host and guest kernel, libvirt, and QEMU. The other mode, `host-passthrough`, checks if PCID is available in the hardware, and if so directly passes it through to the Nova guests. Thus, in context of PCID, with either of these CPU modes (`host-model` or `host-passthrough`), there is no need to use the `cpu_model_extra_flags`. Related options: cpu_mode cpu_model
`disk_cachemodes = []`	list value	Specific cache modes to use for different disk types. For example: file=directsync,block=none,network=writeback For local or direct-attached storage, it is recommended that you use writethrough (default) mode, as it ensures data integrity and has acceptable I/O performance for applications running in the guest, especially for read operations. However, caching mode none is recommended for remote NFS storage, because direct I/O operations (O_DIRECT) perform better than synchronous I/O operations (with O_SYNC). Caching mode none effectively turns all guest I/O operations into direct I/O operations on the host, which is the NFS client in this environment. Possible cache modes: default: Same as writethrough. none: With caching mode set to none, the host page cache is disabled, but the disk write cache is enabled for the guest. In this mode, the write performance in the guest is optimal because write operations bypass the host page cache and go directly to the disk write cache. If the disk write cache is battery-backed, or if the applications or storage stack in the guest transfer data properly (either through fsync operations or file system barriers), then data integrity can be ensured. However, because the host page cache is disabled, the read performance in the guest would not be as good as in the modes where the host page cache is enabled, such as writethrough mode. Shareable disk devices, like for a multi-attachable block storage volume, will have their cache mode set to none regardless of configuration. writethrough: writethrough mode is the default caching mode. With caching set to writethrough mode, the host page cache is enabled, but the disk write cache is disabled for the guest. Consequently, this caching mode ensures data integrity even if the applications and storage stack in the guest do not transfer data to permanent storage properly (either through fsync operations or file system barriers). Because the host page cache is enabled in this mode, the read performance for applications running in the guest is generally better. However, the write performance might be reduced because the disk write cache is disabled. writeback: With caching set to writeback mode, both the host page cache and the disk write cache are enabled for the guest. Because of this, the I/O performance for applications running in the guest is good, but the data is not protected in a power failure. As a result, this caching mode is recommended only for temporary data where potential data loss is not a concern. directsync: Like "writethrough", but it bypasses the host page cache. unsafe: Caching mode of unsafe ignores cache transfer operations completely. As its name implies, this caching mode should be used only for temporary data where data loss is not a concern. This mode can be useful for speeding up guest installations, but you should switch to another caching mode in production environments.
`disk_prefix = None`	string value	Override the default disk prefix for the devices attached to an instance. If set, this is used to identify a free disk device name for a bus. Possible values: Any prefix which will result in a valid disk device name like sda or hda for example. This is only necessary if the device names differ to the commonly known device name prefixes for a virtualization type such as: sd, xvd, uvd, vd. Related options: `virt_type`: Influences which device type is used, which determines the default disk prefix.
`enabled_perf_events = []`	list value	This is a performance event list which could be used as monitor. These events will be passed to libvirt domain xml while creating a new instances. Then event statistics data can be collected from libvirt. The minimum libvirt version is 2.0.0. For more information about `Performance monitoring events`, refer https://libvirt.org/formatdomain.html#elementsPerf . Possible values: * A string list. For example: `enabled_perf_events = cmt, mbml, mbmt` The supported events list can be found in https://libvirt.org/html/libvirt-libvirt-domain.html , which you may need to search key words `VIR_PERF_PARAM_*`
`gid_maps = []`	list value	List of guid targets and ranges.Syntax is guest-gid:host-gid:countMaximum of 5 allowed.
`hw_disk_discard = None`	string value	Discard option for nova managed disks. Requires: Libvirt >= 1.0.6 Qemu >= 1.5 (raw format) Qemu >= 1.6 (qcow2 format)
`hw_machine_type = None`	list value	For qemu or KVM guests, set this option to specify a default machine type per host architecture. You can find a list of supported machine types in your environment by checking the output of the "virsh capabilities"command. The format of the value for this config option is host-arch=machine-type. For example: x86_64=machinetype1,armv7l=machinetype2
`image_info_filename_pattern = $instances_path/$image_cache_subdirectory_name/%(image)s.info`	string value	Allows image information files to be stored in non-standard locations
`images_rbd_ceph_conf = `	string value	Path to the ceph configuration file to use
`images_rbd_pool = rbd`	string value	The RADOS pool in which rbd volumes are stored
`images_type = default`	string value	VM Images format. If default is specified, then use_cow_images flag is used instead of this one. Related options: virt.use_cow_images images_volume_group [workarounds]/ensure_libvirt_rbd_instance_dir_cleanup
`images_volume_group = None`	string value	LVM Volume Group that is used for VM images, when you specify images_type=lvm Related options: images_type
`inject_key = False`	boolean value	Allow the injection of an SSH key at boot time. There is no agent needed within the image to do this. If libguestfs is available on the host, it will be used. Otherwise nbd is used. The file system of the image will be mounted and the SSH key, which is provided in the REST API call will be injected as SSH key for the root user and appended to the `authorized_keys` of that user. The SELinux context will be set if necessary. Be aware that the injection is not possible when the instance gets launched from a volume. This config option will enable directly modifying the instance disk and does not affect what cloud-init may do using data from config_drive option or the metadata service. Related options: `inject_partition`: That option will decide about the discovery and usage of the file system. It also can disable the injection at all.
`inject_partition = -2`	integer value	Determines the way how the file system is chosen to inject data into it. libguestfs will be used a first solution to inject data. If that’s not available on the host, the image will be locally mounted on the host as a fallback solution. If libguestfs is not able to determine the root partition (because there are more or less than one root partition) or cannot mount the file system it will result in an error and the instance won’t be boot. Possible values: -2 ⇒ disable the injection of data. -1 ⇒ find the root partition with the file system to mount with libguestfs 0 ⇒ The image is not partitioned >0 ⇒ The number of the partition to use for the injection Related options: `inject_key`: If this option allows the injection of a SSH key it depends on value greater or equal to -1 for `inject_partition`. `inject_password`: If this option allows the injection of an admin password it depends on value greater or equal to -1 for `inject_partition`. `guestfs` You can enable the debug log level of libguestfs with this config option. A more verbose output will help in debugging issues. `virt_type`: If you use `lxc` as virt_type it will be treated as a single partition image
`inject_password = False`	boolean value	Allow the injection of an admin password for instance only at `create` and `rebuild` process. There is no agent needed within the image to do this. If libguestfs is available on the host, it will be used. Otherwise nbd is used. The file system of the image will be mounted and the admin password, which is provided in the REST API call will be injected as password for the root user. If no root user is available, the instance won’t be launched and an error is thrown. Be aware that the injection is not possible when the instance gets launched from a volume. Possible values: True: Allows the injection. False (default): Disallows the injection. Any via the REST API provided admin password will be silently ignored. Related options: `inject_partition`: That option will decide about the discovery and usage of the file system. It also can disable the injection at all.
`iscsi_iface = None`	string value	The iSCSI transport iface to use to connect to target in case offload support is desired. Default format is of the form <transport_name>.<hwaddress> where <transport_name> is one of (be2iscsi, bnx2i, cxgb3i, cxgb4i, qla4xxx, ocs) and <hwaddress> is the MAC address of the interface and can be generated via the iscsiadm -m iface command. Do not confuse the iscsi_iface parameter to be provided here with the actual transport name.
`iser_use_multipath = False`	boolean value	Use multipath connection of the iSER volume. iSER volumes can be connected as multipath devices. This will provide high availability and fault tolerance.
`live_migration_bandwidth = 0`	integer value	Maximum bandwidth(in MiB/s) to be used during migration. If set to 0, the hypervisor will choose a suitable default. Some hypervisors do not support this feature and will return an error if bandwidth is not 0. Please refer to the libvirt documentation for further details.
`live_migration_completion_timeout = 800`	integer value	Time to wait, in seconds, for migration to successfully complete transferring data before aborting the operation. Value is per GiB of guest RAM + disk to be transferred, with lower bound of a minimum of 2 GiB. Should usually be larger than downtime delay * downtime steps. Set to 0 to disable timeouts. Related options: live_migration_downtime live_migration_downtime_steps live_migration_downtime_delay
`live_migration_downtime = 500`	integer value	Maximum permitted downtime, in milliseconds, for live migration switchover. Will be rounded up to a minimum of 100ms. You can increase this value if you want to allow live-migrations to complete faster, or avoid live-migration timeout errors by allowing the guest to be paused for longer during the live-migration switch over. Related options: live_migration_completion_timeout
`live_migration_downtime_delay = 75`	integer value	Time to wait, in seconds, between each step increase of the migration downtime. Minimum delay is 3 seconds. Value is per GiB of guest RAM + disk to be transferred, with lower bound of a minimum of 2 GiB per device.
`live_migration_downtime_steps = 10`	integer value	Number of incremental steps to reach max downtime value. Will be rounded up to a minimum of 3 steps.
`live_migration_inbound_addr = None`	string value	The IP address or hostname to be used as the target for live migration traffic. If this option is set to None, the hostname of the migration target compute node will be used. This option is useful in environments where the live-migration traffic can impact the network plane significantly. A separate network for live-migration traffic can then use this config option and avoids the impact on the management network. Possible values: A valid IP address or hostname, else None. Related options: `live_migration_tunnelled`: The live_migration_inbound_addr value is ignored if tunneling is enabled.
`live_migration_permit_auto_converge = False`	boolean value	This option allows nova to start live migration with auto converge on. Auto converge throttles down CPU if a progress of on-going live migration is slow. Auto converge will only be used if this flag is set to True and post copy is not permitted or post copy is unavailable due to the version of libvirt and QEMU in use. Related options: live_migration_permit_post_copy
`live_migration_permit_post_copy = False`	boolean value	This option allows nova to switch an on-going live migration to post-copy mode, i.e., switch the active VM to the one on the destination node before the migration is complete, therefore ensuring an upper bound on the memory that needs to be transferred. Post-copy requires libvirt>=1.3.3 and QEMU>=2.5.0. When permitted, post-copy mode will be automatically activated if a live-migration memory copy iteration does not make percentage increase of at least 10% over the last iteration. The live-migration force complete API also uses post-copy when permitted. If post-copy mode is not available, force complete falls back to pausing the VM to ensure the live-migration operation will complete. When using post-copy mode, if the source and destination hosts loose network connectivity, the VM being live-migrated will need to be rebooted. For more details, please see the Administration guide. Related options: live_migration_permit_auto_converge
`live_migration_progress_timeout = 0`	integer value	Time to wait, in seconds, for migration to make forward progress in transferring data before aborting the operation. Set to 0 to disable timeouts. This is deprecated, and now disabled by default because we have found serious bugs in this feature that caused false live-migration timeout failures. This feature will be removed or replaced in a future release.
`live_migration_scheme = None`	string value	URI scheme used for live migration. Override the default libvirt live migration scheme (which is dependent on virt_type). If this option is set to None, nova will automatically choose a sensible default based on the hypervisor. It is not recommended that you change this unless you are very sure that hypervisor supports a particular scheme. Related options: `virt_type`: This option is meaningful only when `virt_type` is set to `kvm` or `qemu`. `live_migration_uri`: If `live_migration_uri` value is not None, the scheme used for live migration is taken from `live_migration_uri` instead.
`live_migration_tunnelled = False`	boolean value	Enable tunnelled migration. This option enables the tunnelled migration feature, where migration data is transported over the libvirtd connection. If enabled, we use the VIR_MIGRATE_TUNNELLED migration flag, avoiding the need to configure the network to allow direct hypervisor to hypervisor communication. If False, use the native transport. If not set, Nova will choose a sensible default based on, for example the availability of native encryption support in the hypervisor. Enabling this option will definitely impact performance massively. Note that this option is NOT compatible with use of block migration. Related options: `live_migration_inbound_addr`: The live_migration_inbound_addr value is ignored if tunneling is enabled.
`live_migration_uri = None`	string value	Live migration target URI to use. Override the default libvirt live migration target URI (which is dependent on virt_type). Any included "%s" is replaced with the migration target hostname. If this option is set to None (which is the default), Nova will automatically generate the `live_migration_uri` value based on only 4 supported `virt_type` in following list: kvm: qemu+tcp://%s/system qemu: qemu+tcp://%s/system xen: xenmigr://%s/system parallels: parallels+tcp://%s/system Related options: `live_migration_inbound_addr`: If `live_migration_inbound_addr` value is not None and `live_migration_tunnelled` is False, the ip/hostname address of target compute node is used instead of `live_migration_uri` as the uri for live migration. `live_migration_scheme`: If `live_migration_uri` is not set, the scheme used for live migration is taken from `live_migration_scheme` instead.
`mem_stats_period_seconds = 10`	integer value	A number of seconds to memory usage statistics period. Zero or negative value mean to disable memory usage statistics.
`nfs_mount_options = None`	string value	Mount options passed to the NFS client. See section of the nfs man page for details. Mount options controls the way the filesystem is mounted and how the NFS client behaves when accessing files on this mount point. Possible values: Any string representing mount options separated by commas. Example string: vers=3,lookupcache=pos
`nfs_mount_point_base = $state_path/mnt`	string value	Directory where the NFS volume is mounted on the compute node. The default is mnt directory of the location where nova’s Python module is installed. NFS provides shared storage for the OpenStack Block Storage service. Possible values: A string representing absolute path of mount point.
`num_aoe_discover_tries = 3`	integer value	Number of times to rediscover AoE target to find volume. Nova provides support for block storage attaching to hosts via AOE (ATA over Ethernet). This option allows the user to specify the maximum number of retry attempts that can be made to discover the AoE device.
`num_iser_scan_tries = 5`	integer value	Number of times to scan iSER target to find volume. iSER is a server network protocol that extends iSCSI protocol to use Remote Direct Memory Access (RDMA). This option allows the user to specify the maximum number of scan attempts that can be made to find iSER volume.
`num_volume_scan_tries = 5`	integer value	Number of times to scan given storage protocol to find volume.
`quobyte_client_cfg = None`	string value	Path to a Quobyte Client configuration file.
`quobyte_mount_point_base = $state_path/mnt`	string value	Directory where the Quobyte volume is mounted on the compute node. Nova supports Quobyte volume driver that enables storing Block Storage service volumes on a Quobyte storage back end. This Option specifies the path of the directory where Quobyte volume is mounted. Possible values: A string representing absolute path of mount point.
`rbd_secret_uuid = None`	string value	The libvirt UUID of the secret for the rbd_user volumes.
`rbd_user = None`	string value	The RADOS client name for accessing rbd(RADOS Block Devices) volumes. Libvirt will refer to this user when connecting and authenticating with the Ceph RBD server.
`realtime_scheduler_priority = 1`	integer value	In a realtime host context vCPUs for guest will run in that scheduling priority. Priority depends on the host kernel (usually 1-99)
`remote_filesystem_transport = ssh`	string value	libvirt’s transport method for remote file operations. Because libvirt cannot use RPC to copy files over network to/from other compute nodes, other method must be used for: creating directory on remote host creating file on remote host removing file from remote host copying file to remote host
`remove_unused_resized_minimum_age_seconds = 3600`	integer value	Unused resized base images younger than this will not be removed
`rescue_image_id = None`	string value	The ID of the image to boot from to rescue data from a corrupted instance. If the rescue REST API operation doesn’t provide an ID of an image to use, the image which is referenced by this ID is used. If this option is not set, the image from the instance is used. Possible values: An ID of an image or nothing. If it points to an Amazon Machine Image (AMI), consider to set the config options `rescue_kernel_id` and `rescue_ramdisk_id` too. If nothing is set, the image of the instance is used. Related options: `rescue_kernel_id`: If the chosen rescue image allows the separate definition of its kernel disk, the value of this option is used, if specified. This is the case when Amazon's AMI/AKI/ARI image format is used for the rescue image. `rescue_ramdisk_id`: If the chosen rescue image allows the separate definition of its RAM disk, the value of this option is used if, specified. This is the case when Amazon's AMI/AKI/ARI image format is used for the rescue image.
`rescue_kernel_id = None`	string value	The ID of the kernel (AKI) image to use with the rescue image. If the chosen rescue image allows the separate definition of its kernel disk, the value of this option is used, if specified. This is the case when Amazon's AMI/AKI/ARI image format is used for the rescue image. Possible values: An ID of an kernel image or nothing. If nothing is specified, the kernel disk from the instance is used if it was launched with one. Related options: `rescue_image_id`: If that option points to an image in Amazon's AMI/AKI/ARI image format, it’s useful to use `rescue_kernel_id` too.
`rescue_ramdisk_id = None`	string value	The ID of the RAM disk (ARI) image to use with the rescue image. If the chosen rescue image allows the separate definition of its RAM disk, the value of this option is used, if specified. This is the case when Amazon's AMI/AKI/ARI image format is used for the rescue image. Possible values: An ID of a RAM disk image or nothing. If nothing is specified, the RAM disk from the instance is used if it was launched with one. Related options: `rescue_image_id`: If that option points to an image in Amazon's AMI/AKI/ARI image format, it’s useful to use `rescue_ramdisk_id` too.
`rng_dev_path = /dev/urandom`	string value	The path to an RNG (Random Number Generator) device that will be used as the source of entropy on the host. Since libvirt 1.3.4, any path (that returns random numbers when read) is accepted. The recommended source of entropy is `/dev/urandom` — it is non-blocking, therefore relatively fast; and avoids the limitations of `/dev/random`, which is a legacy interface. For more details (and comparision between different RNG sources), refer to the "Usage" section in the Linux kernel API documentation for `[u]random`: http://man7.org/linux/man-pages/man4/urandom.4.html and http://man7.org/linux/man-pages/man7/random.7.html.
`rx_queue_size = None`	integer value	Configure virtio rx queue size. This option is only usable for virtio-net device with vhost and vhost-user backend. Available only with QEMU/KVM. Requires libvirt v2.3 QEMU v2.7.
`smbfs_mount_options = `	string value	Mount options passed to the SMBFS client. Provide SMBFS options as a single string containing all parameters. See mount.cifs man page for details. Note that the libvirt-qemu `uid` and `gid` must be specified.
`smbfs_mount_point_base = $state_path/mnt`	string value	Directory where the SMBFS shares are mounted on the compute node.
`snapshot_compression = False`	boolean value	Enable snapshot compression for `qcow2` images. Note: you can set `snapshot_image_format` to `qcow2` to force all snapshots to be in `qcow2` format, independently from their original image type. Related options: snapshot_image_format
`snapshot_image_format = None`	string value	Determine the snapshot image format when sending to the image service. If set, this decides what format is used when sending the snapshot to the image service. If not set, defaults to same type as source image. Possible values: `raw`: RAW disk format `qcow2`: KVM default disk format `vmdk`: VMWare default disk format `vdi`: VirtualBox default disk format If not set, defaults to same type as source image.
`snapshots_directory = $instances_path/snapshots`	string value	Location where libvirt driver will store snapshots before uploading them to image service
`sparse_logical_volumes = False`	boolean value	Create sparse logical volumes (with virtualsize) if this flag is set to True.
`sysinfo_serial = auto`	string value	The data source used to the populate the host "serial" UUID exposed to guest in the virtual BIOS.
`tx_queue_size = None`	integer value	Configure virtio tx queue size. This option is only usable for virtio-net device with vhost-user backend. Available only with QEMU/KVM. Requires libvirt v3.7 QEMU v2.10.
`uid_maps = []`	list value	List of uid targets and ranges.Syntax is guest-uid:host-uid:countMaximum of 5 allowed.
`use_usb_tablet = True`	boolean value	Enable a mouse cursor within a graphical VNC or SPICE sessions. This will only be taken into account if the VM is fully virtualized and VNC and/or SPICE is enabled. If the node doesn’t support a graphical framebuffer, then it is valid to set this to False. Related options: * `[vnc]enabled`: If VNC is enabled, `use_usb_tablet` will have an effect. * `[spice]enabled` + `[spice].agent_enabled`: If SPICE is enabled and the spice agent is disabled, the config value of `use_usb_tablet` will have an effect.
`use_virtio_for_bridges = True`	boolean value	Use virtio for bridge interfaces with KVM/QEMU
`virt_type = kvm`	string value	Describes the virtualization type (or so called domain type) libvirt should use. The choice of this type must match the underlying virtualization strategy you have chosen for this host. Possible values: See the predefined set of case-sensitive values. Related options: `connection_uri`: depends on this `disk_prefix`: depends on this `cpu_mode`: depends on this `cpu_model`: depends on this
`volume_clear = zero`	string value	Method used to wipe ephemeral disks when they are deleted. Only takes effect if LVM is set as backing storage. Possible values: none - do not wipe deleted volumes zero - overwrite volumes with zeroes shred - overwrite volume repeatedly Related options: images_type - must be set to `lvm` volume_clear_size
`volume_clear_size = 0`	integer value	Size of area in MiB, counting from the beginning of the allocated volume, that will be cleared using method set in `volume_clear` option. Possible values: 0 - clear whole volume >0 - clear specified amount of MiB Related options: images_type - must be set to `lvm` volume_clear - must be set and the value must be different than `none` for this option to have any impact
`volume_use_multipath = False`	boolean value	Use multipath connection of the iSCSI or FC volume Volumes can be connected in the LibVirt as multipath devices. This will provide high availability and fault tolerance.
`vzstorage_cache_path = None`	string value	Path to the SSD cache file. You can attach an SSD drive to a client and configure the drive to store a local cache of frequently accessed data. By having a local cache on a client’s SSD drive, you can increase the overall cluster performance by up to 10 and more times. WARNING! There is a lot of SSD models which are not server grade and may loose arbitrary set of data changes on power loss. Such SSDs should not be used in Vstorage and are dangerous as may lead to data corruptions and inconsistencies. Please consult with the manual on which SSD models are known to be safe or verify it using vstorage-hwflush-check(1) utility. This option defines the path which should include "%(cluster_name)s" template to separate caches from multiple shares. Related options: vzstorage_mount_opts may include more detailed cache options.
`vzstorage_log_path = /var/log/vstorage/%(cluster_name)s/nova.log.gz`	string value	Path to vzstorage client log. This option defines the log of cluster operations, it should include "%(cluster_name)s" template to separate logs from multiple shares. Related options: vzstorage_mount_opts may include more detailed logging options.
`vzstorage_mount_group = qemu`	string value	Mount owner group name. This option defines the owner group of Vzstorage cluster mountpoint. Related options: vzstorage_mount_* group of parameters
`vzstorage_mount_opts = []`	list value	Extra mount options for pstorage-mount For full description of them, see https://static.openvz.org/vz-man/man1/pstorage-mount.1.gz.html Format is a python string representation of arguments list, like: "[-v, -R, 500]" Shouldn’t include -c, -l, -C, -u, -g and -m as those have explicit vzstorage_* options. Related options: All other vzstorage_* options
`vzstorage_mount_perms = 0770`	string value	Mount access mode. This option defines the access bits of Vzstorage cluster mountpoint, in the format similar to one of chmod(1) utility, like this: 0770. It consists of one to four digits ranging from 0 to 7, with missing lead digits assumed to be 0’s. Related options: vzstorage_mount_* group of parameters
`vzstorage_mount_point_base = $state_path/mnt`	string value	Directory where the Virtuozzo Storage clusters are mounted on the compute node. This option defines non-standard mountpoint for Vzstorage cluster. Related options: vzstorage_mount_* group of parameters
`vzstorage_mount_user = stack`	string value	Mount owner user name. This option defines the owner user of Vzstorage cluster mountpoint. Related options: vzstorage_mount_* group of parameters
`wait_soft_reboot_seconds = 120`	integer value	Number of seconds to wait for instance to shut down after soft reboot request is made. We fall back to hard reboot if instance does not shutdown within this window.
`xen_hvmloader_path = /usr/lib/xen/boot/hvmloader`	string value	Location where the Xen hvmloader is kept

11.1.27. matchmaker_redis

The following table outlines the options available under the [matchmaker_redis] group in the /etc/nova/nova.conf file.

Table 11.27. matchmaker_redis
Configuration option = Default value	Type	Description
`check_timeout = 20000`	integer value	Time in ms to wait before the transaction is killed.
`host = 127.0.0.1`	string value	Host to locate redis.
`password = `	string value	Password for Redis server (optional).
`port = 6379`	port value	Use this port to connect to redis host.
`sentinel_group_name = oslo-messaging-zeromq`	string value	Redis replica set name.
`sentinel_hosts = []`	list value	List of Redis Sentinel hosts (fault tolerance mode), e.g., [host:port, host1:port … ]
`socket_timeout = 10000`	integer value	Timeout in ms on blocking socket operations.
`wait_timeout = 2000`	integer value	Time in ms to wait between connection attempts.

11.1.28. metrics

The following table outlines the options available under the [metrics] group in the /etc/nova/nova.conf file.

Table 11.28. metrics
Configuration option = Default value	Type	Description
`required = True`	boolean value	This setting determines how any unavailable metrics are treated. If this option is set to True, any hosts for which a metric is unavailable will raise an exception, so it is recommended to also use the MetricFilter to filter out those hosts before weighing. This option is only used by the FilterScheduler and its subclasses; if you use a different scheduler, this option has no effect. Possible values: True or False, where False ensures any metric being unavailable for a host will set the host weight to weight_of_unavailable. Related options: weight_of_unavailable
`weight_multiplier = 1.0`	floating point value	When using metrics to weight the suitability of a host, you can use this option to change how the calculated weight influences the weight assigned to a host as follows: >1.0: increases the effect of the metric on overall weight 1.0: no change to the calculated weight >0.0,<1.0: reduces the effect of the metric on overall weight 0.0: the metric value is ignored, and the value of the weight_of_unavailable option is returned instead >-1.0,<0.0: the effect is reduced and reversed -1.0: the effect is reversed ←1.0: the effect is increased proportionally and reversed This option is only used by the FilterScheduler and its subclasses; if you use a different scheduler, this option has no effect. Possible values: An integer or float value, where the value corresponds to the multipler ratio for this weigher. Related options: weight_of_unavailable
`weight_of_unavailable = -10000.0`	floating point value	When any of the following conditions are met, this value will be used in place of any actual metric value: One of the metrics named in weight_setting is not available for a host, and the value of required is False The ratio specified for a metric in weight_setting is 0 The weight_multiplier option is set to 0 This option is only used by the FilterScheduler and its subclasses; if you use a different scheduler, this option has no effect. Possible values: An integer or float value, where the value corresponds to the multipler ratio for this weigher. Related options: weight_setting required weight_multiplier
`weight_setting = []`	list value	This setting specifies the metrics to be weighed and the relative ratios for each metric. This should be a single string value, consisting of a series of one or more name=ratio pairs, separated by commas, where name is the name of the metric to be weighed, and ratio is the relative weight for that metric. Note that if the ratio is set to 0, the metric value is ignored, and instead the weight will be set to the value of the weight_of_unavailable option. As an example, let’s consider the case where this option is set to: `name1=1.0, name2=-1.3` The final weight will be: `(name1.value * 1.0) + (name2.value * -1.3)` This option is only used by the FilterScheduler and its subclasses; if you use a different scheduler, this option has no effect. Possible values: A list of zero or more key/value pairs separated by commas, where the key is a string representing the name of a metric and the value is a numeric weight for that metric. If any value is set to 0, the value is ignored and the weight will be set to the value of the weight_of_unavailable option. Related options: weight_of_unavailable

11.1.29. mks

The following table outlines the options available under the [mks] group in the /etc/nova/nova.conf file.

Table 11.29. mks
Configuration option = Default value	Type	Description
`enabled = False`	boolean value	Enables graphical console access for virtual machines.
`mksproxy_base_url = http://127.0.0.1:6090/`	uri value	Location of MKS web console proxy The URL in the response points to a WebMKS proxy which starts proxying between client and corresponding vCenter server where instance runs. In order to use the web based console access, WebMKS proxy should be installed and configured Possible values: Must be a valid URL of the form:`http://host:port/` or `https://host:port/`

11.1.30. neutron

The following table outlines the options available under the [neutron] group in the /etc/nova/nova.conf file.

Table 11.30. neutron
Configuration option = Default value	Type	Description
`auth-url = None`	string value	Authentication URL
`auth_section = None`	string value	Config Section from which to load plugin specific options
`auth_type = None`	string value	Authentication type to load
`cafile = None`	string value	PEM encoded Certificate Authority to use when verifying HTTPs connections.
`certfile = None`	string value	PEM encoded client certificate cert file
`default-domain-id = None`	string value	Optional domain ID to use with v3 and v2 parameters. It will be used for both the user and project domain in v3 and ignored in v2 authentication.
`default-domain-name = None`	string value	Optional domain name to use with v3 API and v2 parameters. It will be used for both the user and project domain in v3 and ignored in v2 authentication.
`default_floating_pool = nova`	string value	Default name for the floating IP pool. Specifies the name of floating IP pool used for allocating floating IPs. This option is only used if Neutron does not specify the floating IP pool name in port binding reponses.
`domain-id = None`	string value	Domain ID to scope to
`domain-name = None`	string value	Domain name to scope to
`endpoint-override = None`	string value	Always use this endpoint URL for requests for this client. NOTE: The unversioned endpoint should be specified here; to request a particular API version, use the `version`, `min-version`, and/or `max-version` options.
`extension_sync_interval = 600`	integer value	Integer value representing the number of seconds to wait before querying Neutron for extensions. After this number of seconds the next time Nova needs to create a resource in Neutron it will requery Neutron for the extensions that it has loaded. Setting value to 0 will refresh the extensions with no wait.
`insecure = False`	boolean value	Verify HTTPS connections.
`keyfile = None`	string value	PEM encoded client certificate key file
`metadata_proxy_shared_secret = `	string value	This option holds the shared secret string used to validate proxy requests to Neutron metadata requests. In order to be used, the X-Metadata-Provider-Signature header must be supplied in the request. Related options: service_metadata_proxy
`ovs_bridge = br-int`	string value	Default name for the Open vSwitch integration bridge. Specifies the name of an integration bridge interface used by OpenvSwitch. This option is only used if Neutron does not specify the OVS bridge name in port binding responses.
`password = None`	string value	User’s password
`physnets = []`	list value	List of physnets present on this host. For each physnet listed, an additional section, `[neutron_physnet_$PHYSNET]`, will be added to the configuration file. Each section must be configured with a single configuration option, `numa_nodes`, which should be a list of node IDs for all NUMA nodes this physnet is associated with. For example:: [neutron] physnets = foo, bar [neutron_physnet_foo] numa_nodes = 0 [neutron_physnet_bar] numa_nodes = 0,1 Any physnet that is not listed using this option will be treated as having no particular NUMA node affinity. Tunnelled networks (VXLAN, GRE, …) cannot be accounted for in this way and are instead configured using the `[neutron_tunnel]` group. For example:: [neutron_tunnel] numa_nodes = 1 Related options: `[neutron_tunnel] numa_nodes` can be used to configure NUMA affinity for all tunneled networks `[neutron_physnet_$PHYSNET] numa_nodes` must be configured for each value of `$PHYSNET` specified by this option
`project-domain-id = None`	string value	Domain ID containing project
`project-domain-name = None`	string value	Domain name containing project
`project-id = None`	string value	Project ID to scope to
`project-name = None`	string value	Project name to scope to
`region-name = None`	string value	The default region_name for endpoint URL discovery.
`service-name = None`	string value	The default service_name for endpoint URL discovery.
`service-type = network`	string value	The default service_type for endpoint URL discovery.
`service_metadata_proxy = False`	boolean value	When set to True, this option indicates that Neutron will be used to proxy metadata requests and resolve instance ids. Otherwise, the instance ID must be passed to the metadata request in the X-Instance-ID header. Related options: metadata_proxy_shared_secret
`system-scope = None`	string value	Scope for system operations
`tenant-id = None`	string value	Tenant ID
`tenant-name = None`	string value	Tenant Name
`timeout = None`	integer value	Timeout value for http requests
`trust-id = None`	string value	Trust ID
`url = None`	uri value	This option specifies the URL for connecting to Neutron. Possible values: Any valid URL that points to the Neutron API service is appropriate here. This typically matches the URL returned for the network service type from the Keystone service catalog.
`user-domain-id = None`	string value	User’s domain id
`user-domain-name = None`	string value	User’s domain name
`user-id = None`	string value	User ID
`username = None`	string value	Username
`valid-interfaces = [u'internal', u'public']`	list value	List of interfaces, in order of preference, for endpoint URL.

11.1.31. notifications

The following table outlines the options available under the [notifications] group in the /etc/nova/nova.conf file.

Table 11.31. notifications
Configuration option = Default value	Type	Description
`bdms_in_notifications = False`	boolean value	If enabled, include block device information in the versioned notification payload. Sending block device information is disabled by default as providing that information can incur some overhead on the system since the information may need to be loaded from the database.
`default_level = INFO`	string value	Default notification level for outgoing notifications.
`default_publisher_id = $host`	string value	Default publisher_id for outgoing notifications. If you consider routing notifications using different publisher, change this value accordingly. Possible values: Defaults to the current hostname of this host, but it can be any valid oslo.messaging publisher_id Related options: host - Hostname, FQDN or IP address of this host.
`notification_format = both`	string value	Specifies which notification format shall be used by nova. The default value is fine for most deployments and rarely needs to be changed. This value can be set to versioned once the infrastructure moves closer to consuming the newer format of notifications. After this occurs, this option will be removed. Note that notifications can be completely disabled by setting `driver=noop` in the `[oslo_messaging_notifications]` group. Possible values: * unversioned: Only the legacy unversioned notifications are emitted. * versioned: Only the new versioned notifications are emitted. * both: Both the legacy unversioned and the new versioned notifications are emitted. (Default) The list of versioned notifications is visible in https://docs.openstack.org/nova/latest/reference/notifications.html
`notify_on_state_change = None`	string value	If set, send compute.instance.update notifications on instance state changes. Please refer to https://docs.openstack.org/nova/latest/reference/notifications.html for additional information on notifications. Possible values: None - no notifications "vm_state" - notifications are sent with VM state transition information in the `old_state` and `state` fields. The `old_task_state` and `new_task_state` fields will be set to the current task_state of the instance. "vm_and_task_state" - notifications are sent with VM and task state transition information.
`versioned_notifications_topics = [u'versioned_notifications']`	list value	Specifies the topics for the versioned notifications issued by nova. The default value is fine for most deployments and rarely needs to be changed. However, if you have a third-party service that consumes versioned notifications, it might be worth getting a topic for that service. Nova will send a message containing a versioned notification payload to each topic queue in this list. The list of versioned notifications is visible in https://docs.openstack.org/nova/latest/reference/notifications.html

11.1.32. osapi_v21

The following table outlines the options available under the [osapi_v21] group in the /etc/nova/nova.conf file.

Table 11.32. osapi_v21
Configuration option = Default value	Type	Description
`project_id_regex = None`	string value	This option is a string representing a regular expression (regex) that matches the project_id as contained in URLs. If not set, it will match normal UUIDs created by keystone. Possible values: A string representing any legal regular expression

11.1.33. oslo_concurrency

The following table outlines the options available under the [oslo_concurrency] group in the /etc/nova/nova.conf file.

Table 11.33. oslo_concurrency
Configuration option = Default value	Type	Description
`disable_process_locking = False`	boolean value	Enables or disables inter-process locks.
`lock_path = None`	string value	Directory to use for lock files. For security, the specified directory should only be writable by the user running the processes that need locking. Defaults to environment variable OSLO_LOCK_PATH. If external locks are used, a lock path must be set.

11.1.34. oslo_messaging_amqp

The following table outlines the options available under the [oslo_messaging_amqp] group in the /etc/nova/nova.conf file.

Table 11.34. oslo_messaging_amqp
Configuration option = Default value	Type	Description
`addressing_mode = dynamic`	string value	Indicates the addressing mode used by the driver. Permitted values: legacy - use legacy non-routable addressing routable - use routable addresses dynamic - use legacy addresses if the message bus does not support routing otherwise use routable addressing
`allow_insecure_clients = False`	boolean value	Accept clients using either SSL or plain TCP
`anycast_address = anycast`	string value	Appended to the address prefix when sending to a group of consumers. Used by the message bus to identify messages that should be delivered in a round-robin fashion across consumers.
`broadcast_prefix = broadcast`	string value	address prefix used when broadcasting to all servers
`connection_retry_backoff = 2`	integer value	Increase the connection_retry_interval by this many seconds after each unsuccessful failover attempt.
`connection_retry_interval = 1`	integer value	Seconds to pause before attempting to re-connect.
`connection_retry_interval_max = 30`	integer value	Maximum limit for connection_retry_interval + connection_retry_backoff
`container_name = None`	string value	Name for the AMQP container. must be globally unique. Defaults to a generated UUID
`default_notification_exchange = None`	string value	Exchange name used in notification addresses. Exchange name resolution precedence: Target.exchange if set else default_notification_exchange if set else control_exchange if set else notify
`default_notify_timeout = 30`	integer value	The deadline for a sent notification message delivery. Only used when caller does not provide a timeout expiry.
`default_reply_retry = 0`	integer value	The maximum number of attempts to re-send a reply message which failed due to a recoverable error.
`default_reply_timeout = 30`	integer value	The deadline for an rpc reply message delivery.
`default_rpc_exchange = None`	string value	Exchange name used in RPC addresses. Exchange name resolution precedence: Target.exchange if set else default_rpc_exchange if set else control_exchange if set else rpc
`default_send_timeout = 30`	integer value	The deadline for an rpc cast or call message delivery. Only used when caller does not provide a timeout expiry.
`default_sender_link_timeout = 600`	integer value	The duration to schedule a purge of idle sender links. Detach link after expiry.
`group_request_prefix = unicast`	string value	address prefix when sending to any server in group
`idle_timeout = 0`	integer value	Timeout for inactive connections (in seconds)
`link_retry_delay = 10`	integer value	Time to pause between re-connecting an AMQP 1.0 link that failed due to a recoverable error.
`multicast_address = multicast`	string value	Appended to the address prefix when sending a fanout message. Used by the message bus to identify fanout messages.
`notify_address_prefix = openstack.org/om/notify`	string value	Address prefix for all generated Notification addresses
`notify_server_credit = 100`	integer value	Window size for incoming Notification messages
`password = `	string value	Password for message broker authentication
`pre_settled = [u'rpc-cast', u'rpc-reply']`	multi valued	Send messages of this type pre-settled. Pre-settled messages will not receive acknowledgement from the peer. Note well: pre-settled messages may be silently discarded if the delivery fails. Permitted values: rpc-call - send RPC Calls pre-settled rpc-reply- send RPC Replies pre-settled rpc-cast - Send RPC Casts pre-settled notify - Send Notifications pre-settled
`pseudo_vhost = True`	boolean value	Enable virtual host support for those message buses that do not natively support virtual hosting (such as qpidd). When set to true the virtual host name will be added to all message bus addresses, effectively creating a private subnet per virtual host. Set to False if the message bus supports virtual hosting using the hostname field in the AMQP 1.0 Open performative as the name of the virtual host.
`reply_link_credit = 200`	integer value	Window size for incoming RPC Reply messages.
`rpc_address_prefix = openstack.org/om/rpc`	string value	Address prefix for all generated RPC addresses
`rpc_server_credit = 100`	integer value	Window size for incoming RPC Request messages
`sasl_config_dir = `	string value	Path to directory that contains the SASL configuration
`sasl_config_name = `	string value	Name of configuration file (without .conf suffix)
`sasl_default_realm = `	string value	SASL realm to use if no realm present in username
`sasl_mechanisms = `	string value	Space separated list of acceptable SASL mechanisms
`server_request_prefix = exclusive`	string value	address prefix used when sending to a specific server
`ssl = False`	boolean value	Attempt to connect via SSL. If no other ssl-related parameters are given, it will use the system’s CA-bundle to verify the server’s certificate.
`ssl_ca_file = `	string value	CA certificate PEM file used to verify the server’s certificate
`ssl_cert_file = `	string value	Self-identifying certificate PEM file for client authentication
`ssl_key_file = `	string value	Private key PEM file used to sign ssl_cert_file certificate (optional)
`ssl_key_password = None`	string value	Password for decrypting ssl_key_file (if encrypted)
`ssl_verify_vhost = False`	boolean value	By default SSL checks that the name in the server’s certificate matches the hostname in the transport_url. In some configurations it may be preferable to use the virtual hostname instead, for example if the server uses the Server Name Indication TLS extension (rfc6066) to provide a certificate per virtual host. Set ssl_verify_vhost to True if the server’s SSL certificate uses the virtual host name instead of the DNS name.
`trace = False`	boolean value	Debug: dump AMQP frames to stdout
`unicast_address = unicast`	string value	Appended to the address prefix when sending to a particular RPC/Notification server. Used by the message bus to identify messages sent to a single destination.
`username = `	string value	User name for message broker authentication

11.1.35. oslo_messaging_kafka

The following table outlines the options available under the [oslo_messaging_kafka] group in the /etc/nova/nova.conf file.

Table 11.35. oslo_messaging_kafka
Configuration option = Default value	Type	Description
`conn_pool_min_size = 2`	integer value	The pool size limit for connections expiration policy
`conn_pool_ttl = 1200`	integer value	The time-to-live in sec of idle connections in the pool
`consumer_group = oslo_messaging_consumer`	string value	Group id for Kafka consumer. Consumers in one group will coordinate message consumption
`kafka_consumer_timeout = 1.0`	floating point value	Default timeout(s) for Kafka consumers
`kafka_default_host = localhost`	string value	Default Kafka broker Host
`kafka_default_port = 9092`	port value	Default Kafka broker Port
`kafka_max_fetch_bytes = 1048576`	integer value	Max fetch bytes of Kafka consumer
`pool_size = 10`	integer value	Pool Size for Kafka Consumers
`producer_batch_size = 16384`	integer value	Size of batch for the producer async send
`producer_batch_timeout = 0.0`	floating point value	Upper bound on the delay for KafkaProducer batching in seconds

11.1.36. oslo_messaging_notifications

The following table outlines the options available under the [oslo_messaging_notifications] group in the /etc/nova/nova.conf file.

Table 11.36. oslo_messaging_notifications
Configuration option = Default value	Type	Description
`driver = []`	multi valued	The Drivers(s) to handle sending notifications. Possible values are messaging, messagingv2, routing, log, test, noop
`retry = -1`	integer value	The maximum number of attempts to re-send a notification message which failed to be delivered due to a recoverable error. 0 - No retry, -1 - indefinite
`topics = [u'notifications']`	list value	AMQP topic used for OpenStack notifications.
`transport_url = None`	string value	A URL representing the messaging driver to use for notifications. If not set, we fall back to the same configuration used for RPC.

11.1.37. oslo_messaging_rabbit

The following table outlines the options available under the [oslo_messaging_rabbit] group in the /etc/nova/nova.conf file.

Table 11.37. oslo_messaging_rabbit
Configuration option = Default value	Type	Description
`amqp_auto_delete = False`	boolean value	Auto-delete queues in AMQP.
`amqp_durable_queues = False`	boolean value	Use durable queues in AMQP.
`channel_max = None`	integer value	Maximum number of channels to allow
`connection_factory = single`	string value	Connection factory implementation
`default_notification_exchange = ${control_exchange}_notification`	string value	Exchange name for sending notifications
`default_notification_retry_attempts = -1`	integer value	Reconnecting retry count in case of connectivity problem during sending notification, -1 means infinite retry.
`default_rpc_exchange = ${control_exchange}_rpc`	string value	Exchange name for sending RPC messages
`default_rpc_retry_attempts = -1`	integer value	Reconnecting retry count in case of connectivity problem during sending RPC message, -1 means infinite retry. If actual retry attempts in not 0 the rpc request could be processed more than one time
`default_serializer_type = json`	string value	Default serialization mechanism for serializing/deserializing outgoing/incoming messages
`fake_rabbit = False`	boolean value	Deprecated, use rpc_backend=kombu+memory or rpc_backend=fake
`frame_max = None`	integer value	The maximum byte size for an AMQP frame
`heartbeat_interval = 3`	integer value	How often to send heartbeats for consumer’s connections
`heartbeat_rate = 2`	integer value	How often times during the heartbeat_timeout_threshold we check the heartbeat.
`heartbeat_timeout_threshold = 60`	integer value	Number of seconds after which the Rabbit broker is considered down if heartbeat’s keep-alive fails (0 disable the heartbeat). EXPERIMENTAL
`host_connection_reconnect_delay = 0.25`	floating point value	Set delay for reconnection to some host which has connection error
`kombu_compression = None`	string value	EXPERIMENTAL: Possible values are: gzip, bz2. If not set compression will not be used. This option may not be available in future versions.
`kombu_failover_strategy = round-robin`	string value	Determines how the next RabbitMQ node is chosen in case the one we are currently connected to becomes unavailable. Takes effect only if more than one RabbitMQ node is provided in config.
`kombu_missing_consumer_retry_timeout = 60`	integer value	How long to wait a missing client before abandoning to send it its replies. This value should not be longer than rpc_response_timeout.
`kombu_reconnect_delay = 1.0`	floating point value	How long to wait before reconnecting in response to an AMQP consumer cancel notification.
`notification_listener_prefetch_count = 100`	integer value	Max number of not acknowledged message which RabbitMQ can send to notification listener.
`notification_persistence = False`	boolean value	Persist notification messages.
`notification_retry_delay = 0.25`	floating point value	Reconnecting retry delay in case of connectivity problem during sending notification message
`pool_max_overflow = 0`	integer value	Maximum number of connections to create above `pool_max_size`.
`pool_max_size = 30`	integer value	Maximum number of connections to keep queued.
`pool_recycle = 600`	integer value	Lifetime of a connection (since creation) in seconds or None for no recycling. Expired connections are closed on acquire.
`pool_stale = 60`	integer value	Threshold at which inactive (since release) connections are considered stale in seconds or None for no staleness. Stale connections are closed on acquire.
`pool_timeout = 30`	integer value	Default number of seconds to wait for a connections to available
`rabbit_ha_queues = False`	boolean value	Try to use HA queues in RabbitMQ (x-ha-policy: all). If you change this option, you must wipe the RabbitMQ database. In RabbitMQ 3.0, queue mirroring is no longer controlled by the x-ha-policy argument when declaring a queue. If you just want to make sure that all queues (except those with auto-generated names) are mirrored across all nodes, run: "rabbitmqctl set_policy HA ^(?!amq\.).* {"ha-mode": "all"} "
`rabbit_host = localhost`	string value	The RabbitMQ broker address where a single node is used.
`rabbit_hosts = [u'$rabbit_host:$rabbit_port']`	list value	RabbitMQ HA cluster host:port pairs.
`rabbit_interval_max = 30`	integer value	Maximum interval of RabbitMQ connection retries. Default is 30 seconds.
`rabbit_login_method = AMQPLAIN`	string value	The RabbitMQ login method.
`rabbit_max_retries = 0`	integer value	Maximum number of RabbitMQ connection retries. Default is 0 (infinite retry count).
`rabbit_password = guest`	string value	The RabbitMQ password.
`rabbit_port = 5672`	port value	The RabbitMQ broker port where a single node is used.
`rabbit_qos_prefetch_count = 0`	integer value	Specifies the number of messages to prefetch. Setting to zero allows unlimited messages.
`rabbit_retry_backoff = 2`	integer value	How long to backoff for between retries when connecting to RabbitMQ.
`rabbit_retry_interval = 1`	integer value	How frequently to retry connecting with RabbitMQ.
`rabbit_transient_queues_ttl = 1800`	integer value	Positive integer representing duration in seconds for queue TTL (x-expires). Queues which are unused for the duration of the TTL are automatically deleted. The parameter affects only reply and fanout queues.
`rabbit_userid = guest`	string value	The RabbitMQ userid.
`rabbit_virtual_host = /`	string value	The RabbitMQ virtual host.
`rpc_listener_prefetch_count = 100`	integer value	Max number of not acknowledged message which RabbitMQ can send to rpc listener.
`rpc_queue_expiration = 60`	integer value	Time to live for rpc queues without consumers in seconds.
`rpc_reply_exchange = ${control_exchange}_rpc_reply`	string value	Exchange name for receiving RPC replies
`rpc_reply_listener_prefetch_count = 100`	integer value	Max number of not acknowledged message which RabbitMQ can send to rpc reply listener.
`rpc_reply_retry_attempts = -1`	integer value	Reconnecting retry count in case of connectivity problem during sending reply. -1 means infinite retry during rpc_timeout
`rpc_reply_retry_delay = 0.25`	floating point value	Reconnecting retry delay in case of connectivity problem during sending reply.
`rpc_retry_delay = 0.25`	floating point value	Reconnecting retry delay in case of connectivity problem during sending RPC message
`socket_timeout = 0.25`	floating point value	Set socket timeout in seconds for connection’s socket
`ssl = None`	boolean value	Enable SSL
`ssl_ca_file = `	string value	SSL certification authority file (valid only if SSL enabled).
`ssl_cert_file = `	string value	SSL cert file (valid only if SSL enabled).
`ssl_key_file = `	string value	SSL key file (valid only if SSL enabled).
`ssl_options = None`	dict value	Arguments passed to ssl.wrap_socket
`ssl_version = `	string value	SSL version to use (valid only if SSL enabled). Valid values are TLSv1 and SSLv23. SSLv2, SSLv3, TLSv1_1, and TLSv1_2 may be available on some distributions.
`tcp_user_timeout = 0.25`	floating point value	Set TCP_USER_TIMEOUT in seconds for connection’s socket

11.1.38. oslo_messaging_zmq

The following table outlines the options available under the [oslo_messaging_zmq] group in the /etc/nova/nova.conf file.

Table 11.38. oslo_messaging_zmq
Configuration option = Default value	Type	Description
`rpc_ack_timeout_base = 15`	integer value	Number of seconds to wait for an ack from a cast/call. After each retry attempt this timeout is multiplied by some specified multiplier.
`rpc_ack_timeout_multiplier = 2`	integer value	Number to multiply base ack timeout by after each retry attempt.
`rpc_message_ttl = 300`	integer value	Expiration timeout in seconds of a sent/received message after which it is not tracked anymore by a client/server.
`rpc_poll_timeout = 1`	integer value	The default number of seconds that poll should wait. Poll raises timeout exception when timeout expired.
`rpc_retry_attempts = 3`	integer value	Default number of message sending attempts in case of any problems occurred: positive value N means at most N retries, 0 means no retries, None or -1 (or any other negative values) mean to retry forever. This option is used only if acknowledgments are enabled.
`rpc_thread_pool_size = 100`	integer value	Maximum number of (green) threads to work concurrently.
`rpc_use_acks = False`	boolean value	Wait for message acknowledgements from receivers. This mechanism works only via proxy without PUB/SUB.
`rpc_zmq_bind_address = *`	string value	ZeroMQ bind address. Should be a wildcard (*), an ethernet interface, or IP. The "host" option should point or resolve to this address.
`rpc_zmq_bind_port_retries = 100`	integer value	Number of retries to find free port number before fail with ZMQBindError.
`rpc_zmq_contexts = 1`	integer value	Number of ZeroMQ contexts, defaults to 1.
`rpc_zmq_host = ccsosp-undercloud.usersys.redhat.com`	string value	Name of this node. Must be a valid hostname, FQDN, or IP address. Must match "host" option, if running Nova.
`rpc_zmq_ipc_dir = /var/run/openstack`	string value	Directory for holding IPC sockets.
`rpc_zmq_matchmaker = redis`	string value	MatchMaker driver.
`rpc_zmq_max_port = 65536`	integer value	Maximal port number for random ports range.
`rpc_zmq_min_port = 49153`	port value	Minimal port number for random ports range.
`rpc_zmq_serialization = json`	string value	Default serialization mechanism for serializing/deserializing outgoing/incoming messages
`rpc_zmq_topic_backlog = None`	integer value	Maximum number of ingress messages to locally buffer per topic. Default is unlimited.
`subscribe_on = []`	list value	List of publisher hosts SubConsumer can subscribe on. This option has higher priority then the default publishers list taken from the matchmaker.
`use_dynamic_connections = False`	boolean value	This option makes direct connections dynamic or static. It makes sense only with use_router_proxy=False which means to use direct connections for direct message types (ignored otherwise).
`use_pub_sub = False`	boolean value	Use PUB/SUB pattern for fanout methods. PUB/SUB always uses proxy.
`use_router_proxy = False`	boolean value	Use ROUTER remote proxy.
`zmq_failover_connections = 2`	integer value	How many additional connections to a host will be made for failover reasons. This option is actual only in dynamic connections mode.
`zmq_immediate = True`	boolean value	This option configures round-robin mode in zmq socket. True means not keeping a queue when server side disconnects. False means to keep queue and messages even if server is disconnected, when the server appears we send all accumulated messages to it.
`zmq_linger = -1`	integer value	Number of seconds to wait before all pending messages will be sent after closing a socket. The default value of -1 specifies an infinite linger period. The value of 0 specifies no linger period. Pending messages shall be discarded immediately when the socket is closed. Positive values specify an upper bound for the linger period.
`zmq_target_expire = 300`	integer value	Expiration timeout in seconds of a name service record about existing target ( < 0 means no timeout).
`zmq_target_update = 180`	integer value	Update period in seconds of a name service record about existing target.
`zmq_tcp_keepalive = -1`	integer value	Enable/disable TCP keepalive (KA) mechanism. The default value of -1 (or any other negative value) means to skip any overrides and leave it to OS default; 0 and 1 (or any other positive value) mean to disable and enable the option respectively.
`zmq_tcp_keepalive_cnt = -1`	integer value	The number of retransmissions to be carried out before declaring that remote end is not available. The default value of -1 (or any other negative value and 0) means to skip any overrides and leave it to OS default.
`zmq_tcp_keepalive_idle = -1`	integer value	The duration between two keepalive transmissions in idle condition. The unit is platform dependent, for example, seconds in Linux, milliseconds in Windows etc. The default value of -1 (or any other negative value and 0) means to skip any overrides and leave it to OS default.
`zmq_tcp_keepalive_intvl = -1`	integer value	The duration between two successive keepalive retransmissions, if acknowledgement to the previous keepalive transmission is not received. The unit is platform dependent, for example, seconds in Linux, milliseconds in Windows etc. The default value of -1 (or any other negative value and 0) means to skip any overrides and leave it to OS default.

11.1.39. oslo_middleware

The following table outlines the options available under the [oslo_middleware] group in the /etc/nova/nova.conf file.

Table 11.39. oslo_middleware
Configuration option = Default value	Type	Description
`enable_proxy_headers_parsing = False`	boolean value	Whether the application is behind a proxy or not. This determines if the middleware should parse the headers or not.
`max_request_body_size = 114688`	integer value	The maximum body size for each request, in bytes.
`secure_proxy_ssl_header = X-Forwarded-Proto`	string value	The HTTP Header that will be used to determine what the original request protocol scheme was, even if it was hidden by a SSL termination proxy.

11.1.40. oslo_policy

The following table outlines the options available under the [oslo_policy] group in the /etc/nova/nova.conf file.

Table 11.40. oslo_policy
Configuration option = Default value	Type	Description
`enforce_scope = False`	boolean value	This option controls whether or not to enforce scope when evaluating policies. If `True`, the scope of the token used in the request is compared to the `scope_types` of the policy being enforced. If the scopes do not match, an `InvalidScope` exception will be raised. If `False`, a message will be logged informing operators that policies are being invoked with mismatching scope.
`policy_default_rule = default`	string value	Default rule. Enforced when a requested rule is not found.
`policy_dirs = [u'policy.d']`	multi valued	Directories where policy configuration files are stored. They can be relative to any directory in the search path defined by the config_dir option, or absolute paths. The file defined by policy_file must exist for these directories to be searched. Missing or empty directories are ignored.
`policy_file = policy.json`	string value	The file that defines policies.
`remote_content_type = application/x-www-form-urlencoded`	string value	Content Type to send and receive data for REST based policy check
`remote_ssl_ca_crt_file = None`	string value	Absolute path to ca cert file for REST based policy check
`remote_ssl_client_crt_file = None`	string value	Absolute path to client cert for REST based policy check
`remote_ssl_client_key_file = None`	string value	Absolute path client key file REST based policy check
`remote_ssl_verify_server_crt = False`	boolean value	server identity verification for REST based policy check

11.1.41. pci

The following table outlines the options available under the [pci] group in the /etc/nova/nova.conf file.

Configuration option = Default value Type Description

alias = []

multi valued

An alias for a PCI passthrough device requirement.

This allows users to specify the alias in the extra specs for a flavor, without needing to repeat all the PCI property requirements.

Possible Values:

A list of JSON values which describe the aliases. For example::

alias = {
  "name": "QuickAssist",
  "product_id": "0443",
  "vendor_id": "8086",
  "device_type": "type-PCI",
  "numa_policy": "required"
}

This defines an alias for the Intel QuickAssist card. (multi valued). Valid
key values are :

`name`
  Name of the PCI alias.

`product_id`
  Product ID of the device in hexadecimal.

`vendor_id`
  Vendor ID of the device in hexadecimal.

`device_type`
  Type of PCI device. Valid values are: `type-PCI`, `type-PF` and
  `type-VF`.

`numa_policy`
  Required NUMA affinity of device. Valid values are: `legacy`,
  `preferred` and `required`.

passthrough_whitelist = []

multi valued

White list of PCI devices available to VMs.

Possible values:

A JSON dictionary which describe a whitelisted PCI device. It should take the following format:

["vendor_id": "<id>",] ["product_id": "<id>",]
["address": "[[[[<domain>]:]<bus>]:][<slot>][.[<function>]]" &verbar;
 "devname": "<name>",]
{"<tag>": "<tag_value>",}

Where '[' indicates zero or one occurrences, '{' indicates zero or multiple
occurrences, and '&verbar;' mutually exclusive options. Note that any missing
fields are automatically wildcarded.

Valid key values are :

"vendor_id": Vendor ID of the device in hexadecimal.
"product_id": Product ID of the device in hexadecimal.
"address": PCI address of the device.
"devname": Device name of the device (for e.g. interface name). Not all PCI devices have a name.

"<tag>": Additional <tag> and <tag_value> used for matching PCI devices. Supported <tag>: "physical_network", "trusted".

The address key supports traditional glob style and regular expression
syntax. Valid examples are:

passthrough_whitelist = {"devname":"eth0",
                         "physical_network":"physnet"}
passthrough_whitelist = {"address":"*:0a:00.*"}
passthrough_whitelist = {"address":":0a:00.",
                         "physical_network":"physnet1"}
passthrough_whitelist = {"vendor_id":"1137",
                         "product_id":"0071"}
passthrough_whitelist = {"vendor_id":"1137",
                         "product_id":"0071",
                         "address": "0000:0a:00.1",
                         "physical_network":"physnet1"}
passthrough_whitelist = {"address":{"domain": ".*",
                                    "bus": "02", "slot": "01",
                                    "function": "[2-7]"},
                         "physical_network":"physnet1"}
passthrough_whitelist = {"address":{"domain": ".*",
                                    "bus": "02", "slot": "0[1-2]",
                                    "function": ".*"},
                         "physical_network":"physnet1"}
passthrough_whitelist = {"devname": "eth0", "physical_network":"physnet1",
                         "trusted": "true"}

The following are invalid, as they specify mutually exclusive options:

passthrough_whitelist = {"devname":"eth0",
                         "physical_network":"physnet",
                         "address":"*:0a:00.*"}

A JSON list of JSON dictionaries corresponding to the above format. For example:

passthrough_whitelist = [{"product_id":"0001", "vendor_id":"8086"},
                         {"product_id":"0002", "vendor_id":"8086"}]

11.1.42. placement

The following table outlines the options available under the [placement] group in the /etc/nova/nova.conf file.

Table 11.42. placement
Configuration option = Default value	Type	Description
`auth-url = None`	string value	Authentication URL
`auth_section = None`	string value	Config Section from which to load plugin specific options
`auth_type = None`	string value	Authentication type to load
`cafile = None`	string value	PEM encoded Certificate Authority to use when verifying HTTPs connections.
`certfile = None`	string value	PEM encoded client certificate cert file
`default-domain-id = None`	string value	Optional domain ID to use with v3 and v2 parameters. It will be used for both the user and project domain in v3 and ignored in v2 authentication.
`default-domain-name = None`	string value	Optional domain name to use with v3 API and v2 parameters. It will be used for both the user and project domain in v3 and ignored in v2 authentication.
`domain-id = None`	string value	Domain ID to scope to
`domain-name = None`	string value	Domain name to scope to
`endpoint-override = None`	string value	Always use this endpoint URL for requests for this client. NOTE: The unversioned endpoint should be specified here; to request a particular API version, use the `version`, `min-version`, and/or `max-version` options.
`insecure = False`	boolean value	Verify HTTPS connections.
`keyfile = None`	string value	PEM encoded client certificate key file
`os_interface = None`	string value	Endpoint interface for this node. This is used when picking the URL in the service catalog.
`os_region_name = None`	string value	Region name of this node. This is used when picking the URL in the service catalog. Possible values: Any string representing region name
`password = None`	string value	User’s password
`project-domain-id = None`	string value	Domain ID containing project
`project-domain-name = None`	string value	Domain name containing project
`project-id = None`	string value	Project ID to scope to
`project-name = None`	string value	Project name to scope to
`randomize_allocation_candidates = False`	boolean value	If True, when limiting allocation candidate results, the results will be a random sampling of the full result set. If False, allocation candidates are returned in a deterministic but undefined order. That is, all things being equal, two requests for allocation candidates will return the same results in the same order; but no guarantees are made as to how that order is determined.
`region-name = None`	string value	The default region_name for endpoint URL discovery.
`service-name = None`	string value	The default service_name for endpoint URL discovery.
`service-type = placement`	string value	The default service_type for endpoint URL discovery.
`system-scope = None`	string value	Scope for system operations
`tenant-id = None`	string value	Tenant ID
`tenant-name = None`	string value	Tenant Name
`timeout = None`	integer value	Timeout value for http requests
`trust-id = None`	string value	Trust ID
`user-domain-id = None`	string value	User’s domain id
`user-domain-name = None`	string value	User’s domain name
`user-id = None`	string value	User ID
`username = None`	string value	Username
`valid-interfaces = [u'internal', u'public']`	list value	List of interfaces, in order of preference, for endpoint URL.

11.1.43. quota

The following table outlines the options available under the [quota] group in the /etc/nova/nova.conf file.

Table 11.43. quota
Configuration option = Default value	Type	Description
`cores = 20`	integer value	The number of instance cores or vCPUs allowed per project. Possible values: A positive integer or 0. -1 to disable the quota.
`driver = nova.quota.DbQuotaDriver`	string value	The quota enforcer driver. Provides abstraction for quota checks. Users can configure a specific driver to use for quota checks. Possible values: nova.quota.DbQuotaDriver (default) or any string representing fully qualified class name.
`fixed_ips = -1`	integer value	The number of fixed IPs allowed per project. Unlike floating IPs, fixed IPs are allocated dynamically by the network component when instances boot up. This quota value should be at least the number of instances allowed Possible values: A positive integer or 0. -1 to disable the quota.
`floating_ips = 10`	integer value	The number of floating IPs allowed per project. Floating IPs are not allocated to instances by default. Users need to select them from the pool configured by the OpenStack administrator to attach to their instances. Possible values: A positive integer or 0. -1 to disable the quota.
`injected_file_content_bytes = 10240`	integer value	The number of bytes allowed per injected file. Possible values: A positive integer or 0. -1 to disable the quota.
`injected_file_path_length = 255`	integer value	The maximum allowed injected file path length. Possible values: A positive integer or 0. -1 to disable the quota.
`injected_files = 5`	integer value	The number of injected files allowed. File injection allows users to customize the personality of an instance by injecting data into it upon boot. Only text file injection is permitted: binary or ZIP files are not accepted. During file injection, any existing files that match specified files are renamed to include `.bak` extension appended with a timestamp. Possible values: A positive integer or 0. -1 to disable the quota.
`instances = 10`	integer value	The number of instances allowed per project. Possible Values A positive integer or 0. -1 to disable the quota.
`key_pairs = 100`	integer value	The maximum number of key pairs allowed per user. Users can create at least one key pair for each project and use the key pair for multiple instances that belong to that project. Possible values: A positive integer or 0. -1 to disable the quota.
`max_age = 0`	integer value	The number of seconds between subsequent usage refreshes. This defaults to 0 (off) to avoid additional load but it is useful to turn on to help keep quota usage up-to-date and reduce the impact of out of sync usage issues. Note that quotas are not updated on a periodic task, they will update on a new reservation if max_age has passed since the last reservation.
`metadata_items = 128`	integer value	The number of metadata items allowed per instance. Users can associate metadata with an instance during instance creation. This metadata takes the form of key-value pairs. Possible values: A positive integer or 0. -1 to disable the quota.
`ram = 51200`	integer value	The number of megabytes of instance RAM allowed per project. Possible values: A positive integer or 0. -1 to disable the quota.
`recheck_quota = True`	boolean value	Recheck quota after resource creation to prevent allowing quota to be exceeded. This defaults to True (recheck quota after resource creation) but can be set to False to avoid additional load if allowing quota to be exceeded because of racing requests is considered acceptable. For example, when set to False, if a user makes highly parallel REST API requests to create servers, it will be possible for them to create more servers than their allowed quota during the race. If their quota is 10 servers, they might be able to create 50 during the burst. After the burst, they will not be able to create any more servers but they will be able to keep their 50 servers until they delete them. The initial quota check is done before resources are created, so if multiple parallel requests arrive at the same time, all could pass the quota check and create resources, potentially exceeding quota. When recheck_quota is True, quota will be checked a second time after resources have been created and if the resource is over quota, it will be deleted and OverQuota will be raised, usually resulting in a 403 response to the REST API user. This makes it impossible for a user to exceed their quota with the caveat that it will, however, be possible for a REST API user to be rejected with a 403 response in the event of a collision close to reaching their quota limit, even if the user has enough quota available when they made the request.
`reservation_expire = 86400`	integer value	The number of seconds until a reservation expires. This quota represents the time period for invalidating quota reservations.
`security_group_rules = 20`	integer value	The number of security rules per security group. The associated rules in each security group control the traffic to instances in the group. Possible values: A positive integer or 0. -1 to disable the quota.
`security_groups = 10`	integer value	The number of security groups per project. Possible values: A positive integer or 0. -1 to disable the quota.
`server_group_members = 10`	integer value	The maximum number of servers per server group. Possible values: A positive integer or 0. -1 to disable the quota.
`server_groups = 10`	integer value	The maxiumum number of server groups per project. Server groups are used to control the affinity and anti-affinity scheduling policy for a group of servers or instances. Reducing the quota will not affect any existing group, but new servers will not be allowed into groups that have become over quota. Possible values: A positive integer or 0. -1 to disable the quota.
`until_refresh = 0`	integer value	The count of reservations until usage is refreshed. This defaults to 0 (off) to avoid additional load but it is useful to turn on to help keep quota usage up-to-date and reduce the impact of out of sync usage issues.

11.1.44. rdp

The following table outlines the options available under the [rdp] group in the /etc/nova/nova.conf file.

Table 11.44. rdp
Configuration option = Default value	Type	Description
`enabled = False`	boolean value	Enable Remote Desktop Protocol (RDP) related features. Hyper-V, unlike the majority of the hypervisors employed on Nova compute nodes, uses RDP instead of VNC and SPICE as a desktop sharing protocol to provide instance console access. This option enables RDP for graphical console access for virtual machines created by Hyper-V. Note: RDP should only be enabled on compute nodes that support the Hyper-V virtualization platform. Related options: `compute_driver`: Must be hyperv.
`html5_proxy_base_url = http://127.0.0.1:6083/`	uri value	The URL an end user would use to connect to the RDP HTML5 console proxy. The console proxy service is called with this token-embedded URL and establishes the connection to the proper instance. An RDP HTML5 console proxy service will need to be configured to listen on the address configured here. Typically the console proxy service would be run on a controller node. The localhost address used as default would only work in a single node environment i.e. devstack. An RDP HTML5 proxy allows a user to access via the web the text or graphical console of any Windows server or workstation using RDP. RDP HTML5 console proxy services include FreeRDP, wsgate. See https://github.com/FreeRDP/FreeRDP-WebConnect Possible values: <scheme>://<ip-address>:<port-number>/ The scheme must be identical to the scheme configured for the RDP HTML5 console proxy service. It is `http` or `https`. The IP address must be identical to the address on which the RDP HTML5 console proxy service is listening. The port must be identical to the port on which the RDP HTML5 console proxy service is listening. Related options: `rdp.enabled`: Must be set to `True` for `html5_proxy_base_url` to be effective.

11.1.45. remote_debug

The following table outlines the options available under the [remote_debug] group in the /etc/nova/nova.conf file.

Table 11.45. remote_debug
Configuration option = Default value	Type	Description
`host = None`	unknown value	Debug host (IP or name) to connect to. This command line parameter is used when you want to connect to a nova service via a debugger running on a different host. Note that using the remote debug option changes how Nova uses the eventlet library to support async IO. This could result in failures that do not occur under normal operation. Use at your own risk. Possible Values: IP address of a remote host as a command line parameter to a nova service. For Example: /usr/local/bin/nova-compute --config-file /etc/nova/nova.conf --remote_debug-host <IP address where the debugger is running>
`port = None`	port value	Debug port to connect to. This command line parameter allows you to specify the port you want to use to connect to a nova service via a debugger running on different host. Note that using the remote debug option changes how Nova uses the eventlet library to support async IO. This could result in failures that do not occur under normal operation. Use at your own risk. Possible Values: Port number you want to use as a command line parameter to a nova service. For Example: /usr/local/bin/nova-compute --config-file /etc/nova/nova.conf --remote_debug-host <IP address where the debugger is running> --remote_debug-port <port> it's listening on>.

11.1.46. scheduler

The following table outlines the options available under the [scheduler] group in the /etc/nova/nova.conf file.

Table 11.46. scheduler
Configuration option = Default value	Type	Description
`discover_hosts_in_cells_interval = -1`	integer value	Periodic task interval. This value controls how often (in seconds) the scheduler should attempt to discover new hosts that have been added to cells. If negative (the default), no automatic discovery will occur. Deployments where compute nodes come and go frequently may want this enabled, where others may prefer to manually discover hosts when one is added to avoid any overhead from constantly checking. If enabled, every time this runs, we will select any unmapped hosts out of each cell database on every run.
`driver = filter_scheduler`	string value	The class of the driver used by the scheduler. This should be chosen from one of the entrypoints under the namespace nova.scheduler.driver of file setup.cfg. If nothing is specified in this option, the filter_scheduler is used. Other options are: caching_scheduler which aggressively caches the system state for better individual scheduler performance at the risk of more retries when running multiple schedulers. [DEPRECATED] chance_scheduler which simply picks a host at random. [DEPRECATED] fake_scheduler which is used for testing. Possible values: Any of the drivers included in Nova: filter_scheduler caching_scheduler chance_scheduler fake_scheduler You may also set this to the entry point name of a custom scheduler driver, but you will be responsible for creating and maintaining it in your setup.cfg file. Related options: workers
`host_manager = host_manager`	string value	The scheduler host manager to use. The host manager manages the in-memory picture of the hosts that the scheduler uses. The options values are chosen from the entry points under the namespace nova.scheduler.host_manager in setup.cfg. Note The "ironic_host_manager" option is deprecated as of the 17.0.0 Queens release.
`max_attempts = 3`	integer value	This is the maximum number of attempts that will be made for a given instance build/move operation. It limits the number of alternate hosts returned by the scheduler. When that list of hosts is exhausted, a MaxRetriesExceeded exception is raised and the instance is set to an error state. Possible values: A positive integer, where the integer corresponds to the max number of attempts that can be made when building or moving an instance.
`max_placement_results = 1000`	integer value	This setting determines the maximum limit on results received from the placement service during a scheduling operation. It effectively limits the number of hosts that may be considered for scheduling requests that match a large number of candidates. A value of 1 (the minimum) will effectively defer scheduling to the placement service strictly on "will it fit" grounds. A higher value will put an upper cap on the number of results the scheduler will consider during the filtering and weighing process. Large deployments may need to set this lower than the total number of hosts available to limit memory consumption, network traffic, etc. of the scheduler. This option is only used by the FilterScheduler; if you use a different scheduler, this option has no effect.
`periodic_task_interval = 60`	integer value	Periodic task interval. This value controls how often (in seconds) to run periodic tasks in the scheduler. The specific tasks that are run for each period are determined by the particular scheduler being used. If this is larger than the nova-service service_down_time setting, Nova may report the scheduler service as down. This is because the scheduler driver is responsible for sending a heartbeat and it will only do that as often as this option allows. As each scheduler can work a little differently than the others, be sure to test this with your selected scheduler. Possible values: An integer, where the integer corresponds to periodic task interval in seconds. 0 uses the default interval (60 seconds). A negative value disables periodic tasks. Related options: `nova-service service_down_time`
`workers = None`	integer value	Number of workers for the nova-scheduler service. The default will be the number of CPUs available if using the "filter_scheduler" scheduler driver, otherwise the default will be 1.

11.1.47. serial_console

The following table outlines the options available under the [serial_console] group in the /etc/nova/nova.conf file.

Table 11.47. serial_console
Configuration option = Default value	Type	Description
`base_url = ws://127.0.0.1:6083/`	uri value	The URL an end user would use to connect to the `nova-serialproxy` service. The `nova-serialproxy` service is called with this token enriched URL and establishes the connection to the proper instance. Related options: The IP address must be identical to the address to which the `nova-serialproxy` service is listening (see option `serialproxy_host` in this section). The port must be the same as in the option `serialproxy_port` of this section. If you choose to use a secured websocket connection, then start this option with `wss://` instead of the unsecured `ws://`. The options `cert` and `key` in the `[DEFAULT]` section have to be set for that.
`enabled = False`	boolean value	Enable the serial console feature. In order to use this feature, the service `nova-serialproxy` needs to run. This service is typically executed on the controller node.
`port_range = 10000:20000`	string value	A range of TCP ports a guest can use for its backend. Each instance which gets created will use one port out of this range. If the range is not big enough to provide another port for an new instance, this instance won’t get launched. Possible values: Each string which passes the regex `\d+:\d+` For example `10000:20000`. Be sure that the first port number is lower than the second port number and that both are in range from 0 to 65535.
`proxyclient_address = 127.0.0.1`	string value	The IP address to which proxy clients (like `nova-serialproxy`) should connect to get the serial console of an instance. This is typically the IP address of the host of a `nova-compute` service.
`serialproxy_host = 0.0.0.0`	string value	The IP address which is used by the `nova-serialproxy` service to listen for incoming requests. The `nova-serialproxy` service listens on this IP address for incoming connection requests to instances which expose serial console. Related options: Ensure that this is the same IP address which is defined in the option `base_url` of this section or use `0.0.0.0` to listen on all addresses.
`serialproxy_port = 6083`	port value	The port number which is used by the `nova-serialproxy` service to listen for incoming requests. The `nova-serialproxy` service listens on this port number for incoming connection requests to instances which expose serial console. Related options: Ensure that this is the same port number which is defined in the option `base_url` of this section.

11.1.48. service_user

The following table outlines the options available under the [service_user] group in the /etc/nova/nova.conf file.

Table 11.48. service_user
Configuration option = Default value	Type	Description
`auth-url = None`	string value	Authentication URL
`auth_section = None`	string value	Config Section from which to load plugin specific options
`auth_type = None`	string value	Authentication type to load
`cafile = None`	string value	PEM encoded Certificate Authority to use when verifying HTTPs connections.
`certfile = None`	string value	PEM encoded client certificate cert file
`default-domain-id = None`	string value	Optional domain ID to use with v3 and v2 parameters. It will be used for both the user and project domain in v3 and ignored in v2 authentication.
`default-domain-name = None`	string value	Optional domain name to use with v3 API and v2 parameters. It will be used for both the user and project domain in v3 and ignored in v2 authentication.
`domain-id = None`	string value	Domain ID to scope to
`domain-name = None`	string value	Domain name to scope to
`insecure = False`	boolean value	Verify HTTPS connections.
`keyfile = None`	string value	PEM encoded client certificate key file
`password = None`	string value	User’s password
`project-domain-id = None`	string value	Domain ID containing project
`project-domain-name = None`	string value	Domain name containing project
`project-id = None`	string value	Project ID to scope to
`project-name = None`	string value	Project name to scope to
`send_service_user_token = False`	boolean value	When True, if sending a user token to a REST API, also send a service token. Nova often reuses the user token provided to the nova-api to talk to other REST APIs, such as Cinder, Glance and Neutron. It is possible that while the user token was valid when the request was made to Nova, the token may expire before it reaches the other service. To avoid any failures, and to make it clear it is Nova calling the service on the user’s behalf, we include a service token along with the user token. Should the user’s token have expired, a valid service token ensures the REST API request will still be accepted by the keystone middleware.
`system-scope = None`	string value	Scope for system operations
`tenant-id = None`	string value	Tenant ID
`tenant-name = None`	string value	Tenant Name
`timeout = None`	integer value	Timeout value for http requests
`trust-id = None`	string value	Trust ID
`user-domain-id = None`	string value	User’s domain id
`user-domain-name = None`	string value	User’s domain name
`user-id = None`	string value	User ID
`username = None`	string value	Username

11.1.49. spice

The following table outlines the options available under the [spice] group in the /etc/nova/nova.conf file.

Table 11.49. spice
Configuration option = Default value	Type	Description
`agent_enabled = True`	boolean value	Enable the SPICE guest agent support on the instances. The Spice agent works with the Spice protocol to offer a better guest console experience. However, the Spice console can still be used without the Spice Agent. With the Spice agent installed the following features are enabled: Copy & Paste of text and images between the guest and client machine Automatic adjustment of resolution when the client screen changes - e.g. if you make the Spice console full screen the guest resolution will adjust to match it rather than letterboxing. Better mouse integration - The mouse can be captured and released without needing to click inside the console or press keys to release it. The performance of mouse movement is also improved.
`enabled = False`	boolean value	Enable SPICE related features. Related options: VNC must be explicitly disabled to get access to the SPICE console. Set the enabled option to False in the [vnc] section to disable the VNC console.
`html5proxy_base_url = http://127.0.0.1:6082/spice_auto.html`	uri value	Location of the SPICE HTML5 console proxy. End user would use this URL to connect to the `nova-spicehtml5proxy` service. This service will forward request to the console of an instance. In order to use SPICE console, the service `nova-spicehtml5proxy` should be running. This service is typically launched on the controller node. Possible values: Must be a valid URL of the form: `http://host:port/spice_auto.html` where host is the node running `nova-spicehtml5proxy` and the port is typically 6082. Consider not using default value as it is not well defined for any real deployment. Related options: This option depends on `html5proxy_host` and `html5proxy_port` options. The access URL returned by the compute node must have the host and port where the `nova-spicehtml5proxy` service is listening.
`html5proxy_host = 0.0.0.0`	unknown value	IP address or a hostname on which the `nova-spicehtml5proxy` service listens for incoming requests. Related options: This option depends on the `html5proxy_base_url` option. The `nova-spicehtml5proxy` service must be listening on a host that is accessible from the HTML5 client.
`html5proxy_port = 6082`	port value	Port on which the `nova-spicehtml5proxy` service listens for incoming requests. Related options: This option depends on the `html5proxy_base_url` option. The `nova-spicehtml5proxy` service must be listening on a port that is accessible from the HTML5 client.
`keymap = en-us`	string value	A keyboard layout which is supported by the underlying hypervisor on this node. Possible values: * This is usually an IETF language tag (default is en-us). If you use QEMU as hypervisor, you should find the list of supported keyboard layouts at /usr/share/qemu/keymaps.
`server_listen = 127.0.0.1`	string value	The address where the SPICE server running on the instances should listen. Typically, the `nova-spicehtml5proxy` proxy client runs on the controller node and connects over the private network to this address on the compute node(s). Possible values: IP address to listen on.
`server_proxyclient_address = 127.0.0.1`	string value	The address used by `nova-spicehtml5proxy` client to connect to instance console. Typically, the `nova-spicehtml5proxy` proxy client runs on the controller node and connects over the private network to this address on the compute node(s). Possible values: Any valid IP address on the compute node. Related options: This option depends on the `server_listen` option. The proxy client must be able to access the address specified in `server_listen` using the value of this option.

11.1.50. upgrade_levels

The following table outlines the options available under the [upgrade_levels] group in the /etc/nova/nova.conf file.

Table 11.50. upgrade_levels
Configuration option = Default value	Type	Description
`baseapi = None`	string value	Base API RPC API version cap
`cells = None`	string value	Cells RPC API version cap
`cert = None`	string value	Cert RPC API version cap
`compute = None`	string value	Compute RPC API version cap. By default, we always send messages using the most recent version the client knows about. Where you have old and new compute services running, you should set this to the lowest deployed version. This is to guarantee that all services never send messages that one of the compute nodes can’t understand. Note that we only support upgrading from release N to release N+1. Set this option to "auto" if you want to let the compute RPC module automatically determine what version to use based on the service versions in the deployment. Possible values: By default send the latest version the client knows about auto: Automatically determines what version to use based on the service versions in the deployment. A string representing a version number in the format N.N; for example, possible values might be 1.12 or 2.0. An OpenStack release name, in lower case, such as mitaka or liberty.
`conductor = None`	string value	Conductor RPC API version cap
`console = None`	string value	Console RPC API version cap
`consoleauth = None`	string value	Consoleauth RPC API version cap
`intercell = None`	string value	Intercell RPC API version cap
`network = None`	string value	Network RPC API version cap
`scheduler = None`	string value	Scheduler RPC API version cap

11.1.51. vault

The following table outlines the options available under the [vault] group in the /etc/nova/nova.conf file.

Table 11.51. vault
Configuration option = Default value	Type	Description
`root_token_id = None`	string value	root token for vault
`ssl_ca_crt_file = None`	string value	Absolute path to ca cert file
`use_ssl = False`	boolean value	SSL Enabled/Disabled
`vault_url = http://127.0.0.1:8200`	string value	Use this endpoint to connect to Vault, for example: "http://127.0.0.1:8200"

11.1.52. vendordata_dynamic_auth

The following table outlines the options available under the [vendordata_dynamic_auth] group in the /etc/nova/nova.conf file.

Table 11.52. vendordata_dynamic_auth
Configuration option = Default value	Type	Description
`auth-url = None`	string value	Authentication URL
`auth_section = None`	string value	Config Section from which to load plugin specific options
`auth_type = None`	string value	Authentication type to load
`cafile = None`	string value	PEM encoded Certificate Authority to use when verifying HTTPs connections.
`certfile = None`	string value	PEM encoded client certificate cert file
`default-domain-id = None`	string value	Optional domain ID to use with v3 and v2 parameters. It will be used for both the user and project domain in v3 and ignored in v2 authentication.
`default-domain-name = None`	string value	Optional domain name to use with v3 API and v2 parameters. It will be used for both the user and project domain in v3 and ignored in v2 authentication.
`domain-id = None`	string value	Domain ID to scope to
`domain-name = None`	string value	Domain name to scope to
`insecure = False`	boolean value	Verify HTTPS connections.
`keyfile = None`	string value	PEM encoded client certificate key file
`password = None`	string value	User’s password
`project-domain-id = None`	string value	Domain ID containing project
`project-domain-name = None`	string value	Domain name containing project
`project-id = None`	string value	Project ID to scope to
`project-name = None`	string value	Project name to scope to
`system-scope = None`	string value	Scope for system operations
`tenant-id = None`	string value	Tenant ID
`tenant-name = None`	string value	Tenant Name
`timeout = None`	integer value	Timeout value for http requests
`trust-id = None`	string value	Trust ID
`user-domain-id = None`	string value	User’s domain id
`user-domain-name = None`	string value	User’s domain name
`user-id = None`	string value	User ID
`username = None`	string value	Username

11.1.53. vmware

The following table outlines the options available under the [vmware] group in the /etc/nova/nova.conf file.

Table 11.53. vmware
Configuration option = Default value	Type	Description
`api_retry_count = 10`	integer value	Number of times VMware vCenter server API must be retried on connection failures, e.g. socket error, etc.
`ca_file = None`	string value	Specifies the CA bundle file to be used in verifying the vCenter server certificate.
`cache_prefix = None`	string value	This option adds a prefix to the folder where cached images are stored This is not the full path - just a folder prefix. This should only be used when a datastore cache is shared between compute nodes. Note: This should only be used when the compute nodes are running on same host or they have a shared file system. Possible values: Any string representing the cache prefix to the folder
`cluster_name = None`	string value	Name of a VMware Cluster ComputeResource.
`connection_pool_size = 10`	integer value	This option sets the http connection pool size The connection pool size is the maximum number of connections from nova to vSphere. It should only be increased if there are warnings indicating that the connection pool is full, otherwise, the default should suffice.
`console_delay_seconds = None`	integer value	Set this value if affected by an increased network latency causing repeated characters when typing in a remote console.
`datastore_regex = None`	string value	Regular expression pattern to match the name of datastore. The datastore_regex setting specifies the datastores to use with Compute. For example, datastore_regex="nas.*" selects all the data stores that have a name starting with "nas". Note If no regex is given, it just picks the datastore with the most freespace. Possible values: Any matching regular expression to a datastore must be given
`host_ip = None`	unknown value	Hostname or IP address for connection to VMware vCenter host.
`host_password = None`	string value	Password for connection to VMware vCenter host.
`host_port = 443`	port value	Port for connection to VMware vCenter host.
`host_username = None`	string value	Username for connection to VMware vCenter host.
`insecure = False`	boolean value	If true, the vCenter server certificate is not verified. If false, then the default CA truststore is used for verification. Related options: * ca_file: This option is ignored if "ca_file" is set.
`integration_bridge = None`	string value	This option should be configured only when using the NSX-MH Neutron plugin. This is the name of the integration bridge on the ESXi server or host. This should not be set for any other Neutron plugin. Hence the default value is not set. Possible values: Any valid string representing the name of the integration bridge
`maximum_objects = 100`	integer value	This option specifies the limit on the maximum number of objects to return in a single result. A positive value will cause the operation to suspend the retrieval when the count of objects reaches the specified limit. The server may still limit the count to something less than the configured value. Any remaining objects may be retrieved with additional requests.
`pbm_default_policy = None`	string value	This option specifies the default policy to be used. If pbm_enabled is set and there is no defined storage policy for the specific request, then this policy will be used. Possible values: Any valid storage policy such as VSAN default storage policy Related options: pbm_enabled
`pbm_enabled = False`	boolean value	This option enables or disables storage policy based placement of instances. Related options: pbm_default_policy
`pbm_wsdl_location = None`	string value	This option specifies the PBM service WSDL file location URL. Setting this will disable storage policy based placement of instances. Possible values: Any valid file path e.g file:///opt/SDK/spbm/wsdl/pbmService.wsdl
`serial_log_dir = /opt/vmware/vspc`	string value	Specifies the directory where the Virtual Serial Port Concentrator is storing console log files. It should match the serial_log_dir config value of VSPC.
`serial_port_proxy_uri = None`	uri value	Identifies a proxy service that provides network access to the serial_port_service_uri. Possible values: Any valid URI (The scheme is telnet or telnets.) Related options: This option is ignored if serial_port_service_uri is not specified. * serial_port_service_uri
`serial_port_service_uri = None`	string value	Identifies the remote system where the serial port traffic will be sent. This option adds a virtual serial port which sends console output to a configurable service URI. At the service URI address there will be virtual serial port concentrator that will collect console logs. If this is not set, no serial ports will be added to the created VMs. Possible values: Any valid URI
`task_poll_interval = 0.5`	floating point value	Time interval in seconds to poll remote tasks invoked on VMware VC server.
`use_linked_clone = True`	boolean value	This option enables/disables the use of linked clone. The ESX hypervisor requires a copy of the VMDK file in order to boot up a virtual machine. The compute driver must download the VMDK via HTTP from the OpenStack Image service to a datastore that is visible to the hypervisor and cache it. Subsequent virtual machines that need the VMDK use the cached version and don’t have to copy the file again from the OpenStack Image service. If set to false, even with a cached VMDK, there is still a copy operation from the cache location to the hypervisor file directory in the shared datastore. If set to true, the above copy operation is avoided as it creates copy of the virtual machine that shares virtual disks with its parent VM.
`vlan_interface = vmnic0`	string value	This option specifies the physical ethernet adapter name for VLAN networking. Set the vlan_interface configuration option to match the ESX host interface that handles VLAN-tagged VM traffic. Possible values: Any valid string representing VLAN interface name
`vnc_port = 5900`	port value	This option specifies VNC starting port. Every VM created by ESX host has an option of enabling VNC client for remote connection. Above option vnc_port helps you to set default starting port for the VNC client. Possible values: Any valid port number within 5900 -(5900 + vnc_port_total) Related options: Below options should be set to enable VNC client. * vnc.enabled = True * vnc_port_total
`vnc_port_total = 10000`	integer value	Total number of VNC ports.

11.1.54. vnc

The following table outlines the options available under the [vnc] group in the /etc/nova/nova.conf file.

Table 11.54. vnc
Configuration option = Default value	Type	Description
`auth_schemes = [u'none']`	list value	The authentication schemes to use with the compute node. Control what RFB authentication schemes are permitted for connections between the proxy and the compute host. If multiple schemes are enabled, the first matching scheme will be used, thus the strongest schemes should be listed first. Possible values: `none`: allow connection without authentication `vencrypt`: use VeNCrypt authentication scheme Related options: `[vnc]vencrypt_client_key`, `[vnc]vencrypt_client_cert`: must also be set
`enabled = True`	boolean value	Enable VNC related features. Guests will get created with graphical devices to support this. Clients (for example Horizon) can then establish a VNC connection to the guest.
`keymap = en-us`	string value	Keymap for VNC. The keyboard mapping (keymap) determines which keyboard layout a VNC session should use by default. Possible values: A keyboard layout which is supported by the underlying hypervisor on this node. This is usually an IETF language tag (for example en-us). If you use QEMU as hypervisor, you should find the list of supported keyboard layouts at `/usr/share/qemu/keymaps`.
`novncproxy_base_url = http://127.0.0.1:6080/vnc_auto.html`	uri value	Public address of noVNC VNC console proxy. The VNC proxy is an OpenStack component that enables compute service users to access their instances through VNC clients. noVNC provides VNC support through a websocket-based client. This option sets the public base URL to which client systems will connect. noVNC clients can use this address to connect to the noVNC instance and, by extension, the VNC sessions. Related options: novncproxy_host novncproxy_port
`novncproxy_host = 0.0.0.0`	string value	IP address that the noVNC console proxy should bind to. The VNC proxy is an OpenStack component that enables compute service users to access their instances through VNC clients. noVNC provides VNC support through a websocket-based client. This option sets the private address to which the noVNC console proxy service should bind to. Related options: novncproxy_port novncproxy_base_url
`novncproxy_port = 6080`	port value	Port that the noVNC console proxy should bind to. The VNC proxy is an OpenStack component that enables compute service users to access their instances through VNC clients. noVNC provides VNC support through a websocket-based client. This option sets the private port to which the noVNC console proxy service should bind to. Related options: novncproxy_host novncproxy_base_url
`server_listen = 127.0.0.1`	unknown value	The IP address or hostname on which an instance should listen to for incoming VNC connection requests on this node.
`server_proxyclient_address = 127.0.0.1`	unknown value	Private, internal IP address or hostname of VNC console proxy. The VNC proxy is an OpenStack component that enables compute service users to access their instances through VNC clients. This option sets the private address to which proxy clients, such as `nova-xvpvncproxy`, should connect to.
`vencrypt_ca_certs = None`	string value	The path to the CA certificate PEM file The fully qualified path to a PEM file containing one or more x509 certificates for the certificate authorities used by the compute node VNC server. Related options: `vnc.auth_schemes`: must include `vencrypt`
`vencrypt_client_cert = None`	string value	The path to the client key file (for x509) The fully qualified path to a PEM file containing the x509 certificate which the VNC proxy server presents to the compute node during VNC authentication. Realted options: `vnc.auth_schemes`: must include `vencrypt` `vnc.vencrypt_client_key`: must also be set
`vencrypt_client_key = None`	string value	The path to the client certificate PEM file (for x509) The fully qualified path to a PEM file containing the private key which the VNC proxy server presents to the compute node during VNC authentication. Related options: `vnc.auth_schemes`: must include `vencrypt` `vnc.vencrypt_client_cert`: must also be set
`xvpvncproxy_base_url = http://127.0.0.1:6081/console`	uri value	Public URL address of XVP VNC console proxy. The VNC proxy is an OpenStack component that enables compute service users to access their instances through VNC clients. Xen provides the Xenserver VNC Proxy, or XVP, as an alternative to the websocket-based noVNC proxy used by Libvirt. In contrast to noVNC, XVP clients are Java-based. This option sets the public base URL to which client systems will connect. XVP clients can use this address to connect to the XVP instance and, by extension, the VNC sessions. Related options: xvpvncproxy_host xvpvncproxy_port
`xvpvncproxy_host = 0.0.0.0`	unknown value	IP address or hostname that the XVP VNC console proxy should bind to. The VNC proxy is an OpenStack component that enables compute service users to access their instances through VNC clients. Xen provides the Xenserver VNC Proxy, or XVP, as an alternative to the websocket-based noVNC proxy used by Libvirt. In contrast to noVNC, XVP clients are Java-based. This option sets the private address to which the XVP VNC console proxy service should bind to. Related options: xvpvncproxy_port xvpvncproxy_base_url
`xvpvncproxy_port = 6081`	port value	Port that the XVP VNC console proxy should bind to. The VNC proxy is an OpenStack component that enables compute service users to access their instances through VNC clients. Xen provides the Xenserver VNC Proxy, or XVP, as an alternative to the websocket-based noVNC proxy used by Libvirt. In contrast to noVNC, XVP clients are Java-based. This option sets the private port to which the XVP VNC console proxy service should bind to. Related options: xvpvncproxy_host xvpvncproxy_base_url

11.1.55. workarounds

The following table outlines the options available under the [workarounds] group in the /etc/nova/nova.conf file.

Table 11.55. workarounds
Configuration option = Default value	Type	Description
`disable_group_policy_check_upcall = False`	boolean value	Disable the server group policy check upcall in compute. In order to detect races with server group affinity policy, the compute service attempts to validate that the policy was not violated by the scheduler. It does this by making an upcall to the API database to list the instances in the server group for one that it is booting, which violates our api/cell isolation goals. Eventually this will be solved by proper affinity guarantees in the scheduler and placement service, but until then, this late check is needed to ensure proper affinity policy. Operators that desire api/cell isolation over this check should enable this flag, which will avoid making that upcall from compute. Related options: [filter_scheduler]/track_instance_changes also relies on upcalls from the compute service to the scheduler service.
`disable_libvirt_livesnapshot = False`	boolean value	Disable live snapshots when using the libvirt driver. Live snapshots allow the snapshot of the disk to happen without an interruption to the guest, using coordination with a guest agent to quiesce the filesystem. When using libvirt 1.2.2 live snapshots fail intermittently under load (likely related to concurrent libvirt/qemu operations). This config option provides a mechanism to disable live snapshot, in favor of cold snapshot, while this is resolved. Cold snapshot causes an instance outage while the guest is going through the snapshotting process. For more information, refer to the bug report: https://bugs.launchpad.net/nova/+bug/1334398 Possible values: True: Live snapshot is disabled when using libvirt False: Live snapshots are always used when snapshotting (as long as there is a new enough libvirt and the backend storage supports it)
`disable_rootwrap = False`	boolean value	Use sudo instead of rootwrap. Allow fallback to sudo for performance reasons. For more information, refer to the bug report: https://bugs.launchpad.net/nova/+bug/1415106 Possible values: True: Use sudo instead of rootwrap False: Use rootwrap as usual Interdependencies to other options: Any options that affect rootwrap will be ignored.
`ensure_libvirt_rbd_instance_dir_cleanup = False`	boolean value	Ensure the instance directory is removed during clean up when using rbd. When enabled this workaround will ensure that the instance directory is always removed during cleanup on hosts using `[libvirt]/images_type=rbd`. This avoids the following bugs with evacuation and revert resize clean up that lead to the instance directory remaining on the host: https://bugs.launchpad.net/nova/+bug/1414895 https://bugs.launchpad.net/nova/+bug/1761062 Both of these bugs can then result in `DestinationDiskExists` errors being raised if the instances ever attempt to return to the host. warning:: Operators will need to ensure that the instance directory itself, specified by `[DEFAULT]/instances_path`, is not shared between computes before enabling this workaround otherwise the console.log, kernels, ramdisks and any additional files being used by the running instance will be lost. Related options: `compute_driver` (libvirt) `[libvirt]/images_type` (rbd) `instances_path`
`handle_virt_lifecycle_events = True`	boolean value	Enable handling of events emitted from compute drivers. Many compute drivers emit lifecycle events, which are events that occur when, for example, an instance is starting or stopping. If the instance is going through task state changes due to an API operation, like resize, the events are ignored. This is an advanced feature which allows the hypervisor to signal to the compute service that an unexpected state change has occurred in an instance and that the instance can be shutdown automatically. Unfortunately, this can race in some conditions, for example in reboot operations or when the compute service or when host is rebooted (planned or due to an outage). If such races are common, then it is advisable to disable this feature. Care should be taken when this feature is disabled and sync_power_state_interval is set to a negative value. In this case, any instances that get out of sync between the hypervisor and the Nova database will have to be synchronized manually. For more information, refer to the bug report: https://bugs.launchpad.net/bugs/1444630 Interdependencies to other options: If `sync_power_state_interval` is negative and this feature is disabled, then instances that get out of sync between the hypervisor and the Nova database will have to be synchronized manually.

11.1.56. wsgi

The following table outlines the options available under the [wsgi] group in the /etc/nova/nova.conf file.

Table 11.56. wsgi
Configuration option = Default value	Type	Description
`api_paste_config = api-paste.ini`	string value	This option represents a file name for the paste.deploy config for nova-api. Possible values: A string representing file name for the paste.deploy config.
`client_socket_timeout = 900`	integer value	This option specifies the timeout for client connections' socket operations. If an incoming connection is idle for this number of seconds it will be closed. It indicates timeout on individual read/writes on the socket connection. To wait forever set to 0.
`default_pool_size = 1000`	integer value	This option specifies the size of the pool of greenthreads used by wsgi. It is possible to limit the number of concurrent connections using this option.
`keep_alive = True`	boolean value	This option allows using the same TCP connection to send and receive multiple HTTP requests/responses, as opposed to opening a new one for every single request/response pair. HTTP keep-alive indicates HTTP connection reuse. Possible values: True : reuse HTTP connection. False : closes the client socket connection explicitly. Related options: tcp_keepidle
`max_header_line = 16384`	integer value	This option specifies the maximum line size of message headers to be accepted. max_header_line may need to be increased when using large tokens (typically those generated by the Keystone v3 API with big service catalogs). Since TCP is a stream based protocol, in order to reuse a connection, the HTTP has to have a way to indicate the end of the previous response and beginning of the next. Hence, in a keep_alive case, all messages must have a self-defined message length.
`secure_proxy_ssl_header = None`	string value	This option specifies the HTTP header used to determine the protocol scheme for the original request, even if it was removed by a SSL terminating proxy. Possible values: None (default) - the request scheme is not influenced by any HTTP headers Valid HTTP header, like HTTP_X_FORWARDED_PROTO Warning Do not set this unless you know what you are doing. Make sure ALL of the following are true before setting this (assuming the values from the example above): * Your API is behind a proxy. * Your proxy strips the X-Forwarded-Proto header from all incoming requests. In other words, if end users include that header in their requests, the proxy will discard it. * Your proxy sets the X-Forwarded-Proto header and sends it to API, but only for requests that originally come in via HTTPS. If any of those are not true, you should keep this setting set to None.
`ssl_ca_file = None`	string value	This option allows setting path to the CA certificate file that should be used to verify connecting clients. Possible values: String representing path to the CA certificate file. Related options: enabled_ssl_apis
`ssl_cert_file = None`	string value	This option allows setting path to the SSL certificate of API server. Possible values: String representing path to the SSL certificate. Related options: enabled_ssl_apis
`ssl_key_file = None`	string value	This option specifies the path to the file where SSL private key of API server is stored when SSL is in effect. Possible values: String representing path to the SSL private key. Related options: enabled_ssl_apis
`tcp_keepidle = 600`	integer value	This option sets the value of TCP_KEEPIDLE in seconds for each server socket. It specifies the duration of time to keep connection active. TCP generates a KEEPALIVE transmission for an application that requests to keep connection active. Not supported on OS X. Related options: keep_alive
`wsgi_log_format = %(client_ip)s "%(request_line)s" status: %(status_code)s len: %(body_length)s time: %(wall_seconds).7f`	string value	It represents a python format string that is used as the template to generate log lines. The following values can be formatted into it: client_ip, date_time, request_line, status_code, body_length, wall_seconds. This option is used for building custom request loglines when running nova-api under eventlet. If used under uwsgi or apache, this option has no effect. Possible values: %(client_ip)s "%(request_line)s" status: %(status_code)slen: %(body_length)s time: %(wall_seconds).7f (default) Any formatted string formed by specific values.

11.1.57. xenserver

The following table outlines the options available under the [xenserver] group in the /etc/nova/nova.conf file.

Table 11.57. xenserver
Configuration option = Default value	Type	Description
`agent_path = usr/sbin/xe-update-networking`	string value	Path to locate guest agent on the server. Specifies the path in which the XenAPI guest agent should be located. If the agent is present, network configuration is not injected into the image. Related options: For this option to have an effect: * `flat_injected` should be set to `True` * `compute_driver` should be set to `xenapi.XenAPIDriver`
`agent_resetnetwork_timeout = 60`	integer value	Number of seconds to wait for agent’s reply to resetnetwork request. This indicates the amount of time xapi agent plugin waits for the agent to respond to the resetnetwork request specifically. The generic timeout for agent communication `agent_timeout` is ignored in this case.
`agent_timeout = 30`	integer value	Number of seconds to wait for agent’s reply to a request. Nova configures/performs certain administrative actions on a server with the help of an agent that’s installed on the server. The communication between Nova and the agent is achieved via sharing messages, called records, over xenstore, a shared storage across all the domains on a Xenserver host. Operations performed by the agent on behalf of nova are: version,' key_init', password,resetnetwork,inject_file, and agentupdate. To perform one of the above operations, the xapi agent plugin writes the command and its associated parameters to a certain location known to the domain and awaits response. On being notified of the message, the agent performs appropriate actions on the server and writes the result back to xenstore. This result is then read by the xapi agent plugin to determine the success/failure of the operation. This config option determines how long the xapi agent plugin shall wait to read the response off of xenstore for a given request/command. If the agent on the instance fails to write the result in this time period, the operation is considered to have timed out. Related options: `agent_version_timeout` `agent_resetnetwork_timeout`
`agent_version_timeout = 300`	integer value	Number of seconds to wait for agent’t reply to version request. This indicates the amount of time xapi agent plugin waits for the agent to respond to the version request specifically. The generic timeout for agent communication `agent_timeout` is ignored in this case. During the build process the version request is used to determine if the agent is available/operational to perform other requests such as resetnetwork, password, key_init and inject_file. If the version call fails, the other configuration is skipped. So, this configuration option can also be interpreted as time in which agent is expected to be fully operational.
`block_device_creation_timeout = 10`	integer value	Time in secs to wait for a block device to be created
`cache_images = all`	string value	Cache glance images locally. The value for this option must be chosen from the choices listed here. Configuring a value other than these will default to all. Note: There is nothing that deletes these images. Possible values: `all`: will cache all images. `some`: will only cache images that have the image_property `cache_in_nova=True`. `none`: turns off caching entirely.
`check_host = True`	boolean value	Ensure compute service is running on host XenAPI connects to. This option must be set to false if the independent_compute option is set to true. Possible values: Setting this option to true will make sure that compute service is running on the same host that is specified by connection_url. Setting this option to false, doesn’t perform the check. Related options: `independent_compute`
`connection_concurrent = 5`	integer value	Maximum number of concurrent XenAPI connections. In nova, multiple XenAPI requests can happen at a time. Configuring this option will parallelize access to the XenAPI session, which allows you to make concurrent XenAPI connections.
`connection_password = None`	string value	Password for connection to XenServer/Xen Cloud Platform
`connection_url = None`	string value	URL for connection to XenServer/Xen Cloud Platform. A special value of unix://local can be used to connect to the local unix socket. Possible values: Any string that represents a URL. The connection_url is generally the management network IP address of the XenServer. This option must be set if you chose the XenServer driver.
`connection_username = root`	string value	Username for connection to XenServer/Xen Cloud Platform
`console_public_hostname = ccsosp-undercloud.usersys.redhat.com`	string value	Publicly visible name for this console host. Possible values: Current hostname (default) or any string representing hostname.
`default_os_type = linux`	string value	Default OS type used when uploading an image to glance
`disable_agent = False`	boolean value	Disables the use of XenAPI agent. This configuration option suggests whether the use of agent should be enabled or not regardless of what image properties are present. Image properties have an effect only when this is set to `True`. Read description of config option `use_agent_default` for more information. Related options: `use_agent_default`
`image_compression_level = None`	integer value	Compression level for images. By setting this option we can configure the gzip compression level. This option sets GZIP environment variable before spawning tar -cz to force the compression level. It defaults to none, which means the GZIP environment variable is not set and the default (usually -6) is used. Possible values: Range is 1-9, e.g., 9 for gzip -9, 9 being most compressed but most CPU intensive on dom0. Any values out of this range will default to None.
`image_upload_handler = nova.virt.xenapi.image.glance.GlanceStore`	string value	Dom0 plugin driver used to handle image uploads. Provide a string value representing a plugin driver required to handle the image uploading to GlanceStore. Images, and snapshots from XenServer need to be uploaded to the data store for use. image_upload_handler takes in a value for the Dom0 plugin driver. This driver is then called to uplaod images to the GlanceStore.
`independent_compute = False`	boolean value	Used to prevent attempts to attach VBDs locally, so Nova can be run in a VM on a different host. Related options: `CONF.flat_injected` (Must be False) `CONF.xenserver.check_host` (Must be False) `CONF.default_ephemeral_format` (Must be unset or ext3) Joining host aggregates (will error if attempted) Swap disks for Windows VMs (will error if attempted) Nova-based auto_configure_disk (will error if attempted)
`introduce_vdi_retry_wait = 20`	integer value	Number of seconds to wait for SR to settle if the VDI does not exist when first introduced. Some SRs, particularly iSCSI connections are slow to see the VDIs right after they got introduced. Setting this option to a time interval will make the SR to wait for that time period before raising VDI not found exception.
`ipxe_boot_menu_url = None`	string value	URL to the iPXE boot menu. An iPXE ISO is a specially crafted ISO which supports iPXE booting. This feature gives a means to roll your own image. By default this option is not set. Enable this option to boot an iPXE ISO. Related Options: `ipxe_network_name` `ipxe_mkisofs_cmd`
`ipxe_mkisofs_cmd = mkisofs`	string value	Name and optionally path of the tool used for ISO image creation. An iPXE ISO is a specially crafted ISO which supports iPXE booting. This feature gives a means to roll your own image. Note: By default `mkisofs` is not present in the Dom0, so the package can either be manually added to Dom0 or include the `mkisofs` binary in the image itself. Related Options: `ipxe_network_name` `ipxe_boot_menu_url`
`ipxe_network_name = None`	string value	Name of network to use for booting iPXE ISOs. An iPXE ISO is a specially crafted ISO which supports iPXE booting. This feature gives a means to roll your own image. By default this option is not set. Enable this option to boot an iPXE ISO. Related Options: `ipxe_boot_menu_url` `ipxe_mkisofs_cmd`
`login_timeout = 10`	integer value	Timeout in seconds for XenAPI login.
`max_kernel_ramdisk_size = 16777216`	integer value	Maximum size in bytes of kernel or ramdisk images. Specifying the maximum size of kernel or ramdisk will avoid copying large files to dom0 and fill up /boot/guest.
`num_vbd_unplug_retries = 10`	integer value	Maximum number of retries to unplug VBD. If set to 0, should try once, no retries.
`ovs_integration_bridge = None`	string value	The name of the integration Bridge that is used with xenapi when connecting with Open vSwitch. Note: The value of this config option is dependent on the environment, therefore this configuration value must be set accordingly if you are using XenAPI. Possible values: Any string that represents a bridge name.
`running_timeout = 60`	integer value	Wait time for instances to go to running state. Provide an integer value representing time in seconds to set the wait time for an instance to go to running state. When a request to create an instance is received by nova-api and communicated to nova-compute, the creation of the instance occurs through interaction with Xen via XenAPI in the compute node. Once the node on which the instance(s) are to be launched is decided by nova-schedule and the launch is triggered, a certain amount of wait time is involved until the instance(s) can become available and running. This wait time is defined by running_timeout. If the instances do not go to running state within this specified wait time, the launch expires and the instance(s) are set to error state.
`sparse_copy = True`	boolean value	Whether to use sparse_copy for copying data on a resize down. (False will use standard dd). This speeds up resizes down considerably since large runs of zeros won’t have to be rsynced.
`sr_base_path = /var/run/sr-mount`	string value	Base path to the storage repository on the XenServer host.
`sr_matching_filter = default-sr:true`	string value	Filter for finding the SR to be used to install guest instances on. Possible values: To use the Local Storage in default XenServer/XCP installations set this flag to other-config:i18n-key=local-storage. To select an SR with a different matching criteria, you could set it to other-config:my_favorite_sr=true. To fall back on the Default SR, as displayed by XenCenter, set this flag to: default-sr:true.
`target_host = None`	unknown value	The iSCSI Target Host. This option represents the hostname or ip of the iSCSI Target. If the target host is not present in the connection information from the volume provider then the value from this option is taken. Possible values: Any string that represents hostname/ip of Target.
`target_port = 3260`	port value	The iSCSI Target Port. This option represents the port of the iSCSI Target. If the target port is not present in the connection information from the volume provider then the value from this option is taken.
`use_agent_default = False`	boolean value	Whether or not to use the agent by default when its usage is enabled but not indicated by the image. The use of XenAPI agent can be disabled altogether using the configuration option `disable_agent`. However, if it is not disabled, the use of an agent can still be controlled by the image in use through one of its properties, `xenapi_use_agent`. If this property is either not present or specified incorrectly on the image, the use of agent is determined by this configuration option. Note that if this configuration is set to `True` when the agent is not present, the boot times will increase significantly. Related options: `disable_agent`
`use_join_force = True`	boolean value	When adding new host to a pool, this will append a --force flag to the command, forcing hosts to join a pool, even if they have different CPUs. Since XenServer version 5.6 it is possible to create a pool of hosts that have different CPU capabilities. To accommodate CPU differences, XenServer limited features it uses to determine CPU compatibility to only the ones that are exposed by CPU and support for CPU masking was added. Despite this effort to level differences between CPUs, it is still possible that adding new host will fail, thus option to force join was introduced.
`vhd_coalesce_max_attempts = 20`	integer value	Max number of times to poll for VHD to coalesce. This option determines the maximum number of attempts that can be made for coalescing the VHD before giving up. Related opitons: `vhd_coalesce_poll_interval`
`vhd_coalesce_poll_interval = 5.0`	floating point value	The interval used for polling of coalescing vhds. This is the interval after which the task of coalesce VHD is performed, until it reaches the max attempts that is set by vhd_coalesce_max_attempts. Related options: `vhd_coalesce_max_attempts`
`vif_driver = nova.virt.xenapi.vif.XenAPIOpenVswitchDriver`	string value	The XenAPI VIF driver using XenServer Network APIs. Provide a string value representing the VIF XenAPI vif driver to use for plugging virtual network interfaces. Xen configuration uses bridging within the backend domain to allow all VMs to appear on the network as individual hosts. Bridge interfaces are used to create a XenServer VLAN network in which the VIFs for the VM instances are plugged. If no VIF bridge driver is plugged, the bridge is not made available. This configuration option takes in a value for the VIF driver. Possible values: nova.virt.xenapi.vif.XenAPIOpenVswitchDriver (default) nova.virt.xenapi.vif.XenAPIBridgeDriver (deprecated) Related options: `vlan_interface` `ovs_integration_bridge`

11.1.58. xvp

The following table outlines the options available under the [xvp] group in the /etc/nova/nova.conf file.

Table 11.58. xvp
Configuration option = Default value	Type	Description
`console_xvp_conf = /etc/xvp.conf`	string value	Generated XVP conf file
`console_xvp_conf_template = $pybasedir/nova/console/xvp.conf.template`	string value	XVP conf template
`console_xvp_log = /var/log/xvp.log`	string value	XVP log file
`console_xvp_multiplex_port = 5900`	port value	Port for XVP to multiplex VNC connections on
`console_xvp_pid = /var/run/xvp.pid`	string value	XVP master process pid file

Chapter 12. sahara

The following chapter contains information about the configuration options in the sahara service.

12.1. sahara.conf

This section contains options for the /etc/sahara/sahara.conf file.

12.1.1. DEFAULT

The following table outlines the options available under the [DEFAULT] group in the /etc/sahara/sahara.conf file.

Table 12.1. DEFAULT
Configuration option = Default value	Type	Description
`api_paste_config = api-paste.ini`	string value	File name for the paste.deploy config for api service
`api_workers = 1`	integer value	Number of workers for Sahara API service (0 means all-in-one-thread configuration).
`cleanup_time_for_incomplete_clusters = 0`	integer value	Maximal time (in hours) for clusters allowed to be in states other than "Active", "Deleting" or "Error". If a cluster is not in "Active", "Deleting" or "Error" state and last update of it was longer than "cleanup_time_for_incomplete_clusters" hours ago then it will be deleted automatically. (0 value means that automatic clean up is disabled).
`client_socket_timeout = 900`	integer value	Timeout for client connections' socket operations. If an incoming connection is idle for this number of seconds it will be closed. A value of 0 means wait forever.
`cluster_remote_threshold = 70`	integer value	The same as global_remote_threshold, but for a single cluster.
`compute_topology_file = etc/sahara/compute.topology`	string value	File with nova compute topology. It should contain mapping between nova computes and racks.
`conn_pool_min_size = 2`	integer value	The pool size limit for connections expiration policy
`conn_pool_ttl = 1200`	integer value	The time-to-live in sec of idle connections in the pool
`control_exchange = openstack`	string value	The default exchange under which topics are scoped. May be overridden by an exchange name specified in the transport_url option.
`coordinator_heartbeat_interval = 1`	integer value	Interval size between heartbeat execution in seconds. Heartbeats are executed to make sure that connection to the coordination server is active.
`data_source_types = [u'swift', u'hdfs', u'maprfs', u'manila']`	list value	List of data sources types to be loaded. Sahara preserves the order of the list when returning it.
`db_driver = sahara.db`	string value	Driver to use for database access.
`debug = False`	boolean value	If set to true, the logging level will be set to DEBUG instead of the default INFO level.
default_log_levels = [u'amqp=WARN', u'amqplib=WARN', u'boto=WARN', u'qpid=WARN', u'sqlalchemy=WARN', u'suds=INFO', u'oslo.messaging=INFO', u'oslo_messaging=INFO', u'iso8601=WARN', u'requests.packages.urllib3.connectionpool=WARN', u'urllib3.connectionpool=WARN', u'websocket=WARN', u'requests.packages.urllib3.util.retry=WARN', u'urllib3.util.retry=WARN', u'keystonemiddleware=WARN', u'routes.middleware=WARN', u'stevedore=WARN', u'taskflow=WARN', u'keystoneauth=WARN', u'oslo.cache=INFO', u'dogpile.core.dogpile=INFO', u'stevedore=INFO', u'eventlet.wsgi.server=WARN', u'paramiko=WARN', u'requests=WARN', u'neutronclient=INFO']	list value	List of package logging levels in logger=LEVEL pairs. This option is ignored if log_config_append is set.
`disable_event_log = False`	boolean value	Disables event log feature.
`edp_internal_db_enabled = True`	boolean value	Use Sahara internal db to store job binaries.
`enable_data_locality = False`	boolean value	Enables data locality for hadoop cluster. Also enables data locality for Swift used by hadoop. If enabled, compute_topology and swift_topology configuration parameters should point to OpenStack and Swift topology correspondingly.
`enable_hypervisor_awareness = True`	boolean value	Enables four-level topology for data locality. Works only if corresponding plugin supports such mode.
`executor_thread_pool_size = 64`	integer value	Size of executor thread pool when executor is threading or eventlet.
`fatal_deprecations = False`	boolean value	Enables or disables fatal status of deprecations.
`global_remote_threshold = 100`	integer value	Maximum number of remote operations that will be running at the same time. Note that each remote operation requires its own process to run.
`hash_ring_replicas_count = 40`	integer value	Number of points that belongs to each member on a hash ring. The larger number leads to a better distribution.
`heat_enable_wait_condition = True`	boolean value	Enable wait condition feature to reduce polling during cluster creation
`heat_stack_tags = [u'data-processing-cluster']`	list value	List of tags to be used during operating with stack.
`host = 0.0.0.0`	unknown value	Hostname or IP address that will be used to listen on.
`instance_format = [instance: %(uuid)s] `	string value	The format for an instance that is passed with the log message.
`instance_uuid_format = [instance: %(uuid)s] `	string value	The format for an instance UUID that is passed with the log message.
`job_binary_max_KB = 5120`	integer value	Maximum length of job binary data in kilobytes that may be stored or retrieved in a single operation.
`job_binary_types = [u'swift', u'manila', u'internal-db', u's3']`	list value	List of job binary types to be loaded. Sahara preserves the order of the list when returning it.
`job_canceling_timeout = 300`	integer value	Timeout for canceling job execution (in seconds). Sahara will try to cancel job execution during this time.
`job_workflow_postfix = `	string value	Postfix for storing jobs in hdfs. Will be added to /user/<hdfs user>/ path.
`log-config-append = None`	string value	The name of a logging configuration file. This file is appended to any existing logging configuration files. For details about logging configuration files, see the Python logging module documentation. Note that when logging configuration files are used then all logging configuration is set in the configuration file and other logging configuration options are ignored (for example, logging_context_format_string).
`log-date-format = %Y-%m-%d %H:%M:%S`	string value	Defines the format string for %%(asctime)s in log records. Default: %(default)s . This option is ignored if log_config_append is set.
`log-dir = None`	string value	(Optional) The base directory used for relative log_file paths. This option is ignored if log_config_append is set.
`log-exchange = False`	boolean value	Log request/response exchange details: environ, headers and bodies.
`log-file = None`	string value	(Optional) Name of log file to send logging output to. If no default is set, logging will go to stderr as defined by use_stderr. This option is ignored if log_config_append is set.
`logging_context_format_string = %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [%(request_id)s %(user_identity)s] %(instance)s%(message)s`	string value	Format string to use for log messages with context.
`logging_debug_format_suffix = %(funcName)s %(pathname)s:%(lineno)d`	string value	Additional data to append to log message when logging level for the message is DEBUG.
`logging_default_format_string = %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [-] %(instance)s%(message)s`	string value	Format string to use for log messages when context is undefined.
`logging_exception_prefix = %(asctime)s.%(msecs)03d %(process)d ERROR %(name)s %(instance)s`	string value	Prefix each line of exception output with this format.
`logging_user_identity_format = %(user)s %(tenant)s %(domain)s %(user_domain)s %(project_domain)s`	string value	Defines the format string for %(user_identity)s that is used in logging_context_format_string.
`max_header_line = 16384`	integer value	Maximum line size of message headers to be accepted. max_header_line may need to be increased when using large tokens (typically those generated when keystone is configured to use PKI tokens with big service catalogs).
`min_transient_cluster_active_time = 30`	integer value	Minimal "lifetime" in seconds for a transient cluster. Cluster is guaranteed to be "alive" within this time period.
`nameservers = []`	list value	IP addresses of Designate nameservers. This is required if use_designate is True
`node_domain = novalocal`	string value	The suffix of the node’s FQDN.
`os_region_name = None`	string value	Region name used to get services endpoints.
`periodic_coordinator_backend_url = None`	string value	The backend URL to use for distributed periodic tasks coordination.
`periodic_enable = True`	boolean value	Enable periodic tasks.
`periodic_fuzzy_delay = 60`	integer value	Range in seconds to randomly delay when starting the periodic task scheduler to reduce stampeding. (Disable by setting to 0).
`periodic_interval_max = 60`	integer value	Max interval size between periodic tasks execution in seconds.
`periodic_workers_number = 1`	integer value	Number of threads to run periodic tasks.
`plugins = [u'vanilla', u'spark', u'cdh', u'ambari', u'storm', u'mapr']`	list value	List of plugins to be loaded. Sahara preserves the order of the list when returning it.
`port = 8386`	port value	Port that will be used to listen on.
`proxy_command = `	string value	Proxy command used to connect to instances. If set, this command should open a netcat socket, that Sahara will use for SSH and HTTP connections. Use {host} and {port} to describe the destination. Other available keywords: {tenant_id}, {network_id}, {router_id}.
`proxy_command_use_internal_ip = False`	boolean value	Force proxy_command usage to be consuming internal IP always, instead of management IP. Ignored if proxy_command is not set.
`proxy_user_domain_name = None`	string value	The domain Sahara will use to create new proxy users for Swift object access.
`proxy_user_role_names = [u'Member']`	list value	A list of the role names that the proxy user should assume through trust for Swift object access.
`publish_errors = False`	boolean value	Enables or disables publication of error events.
`rate_limit_burst = 0`	integer value	Maximum number of logged messages per rate_limit_interval.
`rate_limit_except_level = CRITICAL`	string value	Log level name used by rate limiting: CRITICAL, ERROR, INFO, WARNING, DEBUG or empty string. Logs with level greater or equal to rate_limit_except_level are not filtered. An empty string means that all levels are filtered.
`rate_limit_interval = 0`	integer value	Interval, number of seconds, of log rate limiting.
`remote = ssh`	string value	A method for Sahara to execute commands on VMs.
`retries_number = 5`	integer value	Number of times to retry the request to client before failing
`retry_after = 10`	integer value	Time between the retries to client (in seconds).
`rootwrap_command = sudo sahara-rootwrap /etc/sahara/rootwrap.conf`	string value	Rootwrap command to leverage. Use in conjunction with use_rootwrap=True
`rpc_ack_timeout_base = 15`	integer value	Number of seconds to wait for an ack from a cast/call. After each retry attempt this timeout is multiplied by some specified multiplier.
`rpc_ack_timeout_multiplier = 2`	integer value	Number to multiply base ack timeout by after each retry attempt.
`rpc_backend = rabbit`	string value	The messaging driver to use, defaults to rabbit. Other drivers include amqp and zmq.
`rpc_conn_pool_size = 30`	integer value	Size of RPC connection pool.
`rpc_message_ttl = 300`	integer value	Expiration timeout in seconds of a sent/received message after which it is not tracked anymore by a client/server.
`rpc_poll_timeout = 1`	integer value	The default number of seconds that poll should wait. Poll raises timeout exception when timeout expired.
`rpc_response_timeout = 60`	integer value	Seconds to wait for a response from a call.
`rpc_retry_attempts = 3`	integer value	Default number of message sending attempts in case of any problems occurred: positive value N means at most N retries, 0 means no retries, None or -1 (or any other negative values) mean to retry forever. This option is used only if acknowledgments are enabled.
`rpc_thread_pool_size = 100`	integer value	Maximum number of (green) threads to work concurrently.
`rpc_use_acks = False`	boolean value	Wait for message acknowledgements from receivers. This mechanism works only via proxy without PUB/SUB.
`rpc_zmq_bind_address = *`	string value	ZeroMQ bind address. Should be a wildcard (*), an ethernet interface, or IP. The "host" option should point or resolve to this address.
`rpc_zmq_bind_port_retries = 100`	integer value	Number of retries to find free port number before fail with ZMQBindError.
`rpc_zmq_contexts = 1`	integer value	Number of ZeroMQ contexts, defaults to 1.
`rpc_zmq_host = ccsosp-undercloud.usersys.redhat.com`	string value	Name of this node. Must be a valid hostname, FQDN, or IP address. Must match "host" option, if running Nova.
`rpc_zmq_ipc_dir = /var/run/openstack`	string value	Directory for holding IPC sockets.
`rpc_zmq_matchmaker = redis`	string value	MatchMaker driver.
`rpc_zmq_max_port = 65536`	integer value	Maximal port number for random ports range.
`rpc_zmq_min_port = 49153`	port value	Minimal port number for random ports range.
`rpc_zmq_serialization = json`	string value	Default serialization mechanism for serializing/deserializing outgoing/incoming messages
`rpc_zmq_topic_backlog = None`	integer value	Maximum number of ingress messages to locally buffer per topic. Default is unlimited.
`run_external_periodic_tasks = True`	boolean value	Some periodic tasks can be run in a separate process. Should we run them here?
`ssh_timeout_common = 300`	integer value	Overrides timeout for common ssh operations, in seconds
`ssh_timeout_files = 120`	integer value	Overrides timeout for ssh operations with files, in seconds
`ssh_timeout_interactive = 1800`	integer value	Overrides timeout for interactive ssh operations, in seconds
`subscribe_on = []`	list value	List of publisher hosts SubConsumer can subscribe on. This option has higher priority then the default publishers list taken from the matchmaker.
`swift_topology_file = etc/sahara/swift.topology`	string value	File with Swift topology.It should contain mapping between Swift nodes and racks.
`syslog-log-facility = LOG_USER`	string value	Syslog facility to receive log lines. This option is ignored if log_config_append is set.
`tcp_keepidle = 600`	integer value	Sets the value of TCP_KEEPIDLE in seconds for each server socket. Not supported on OS X.
`transport_url = None`	string value	The network address and optional user credentials for connecting to the messaging backend, in URL format. The expected format is: driver://[user:pass@]host:port[,[userN:passN@]hostN:portN]/virtual_host?query Example: rabbit://rabbitmq:password@127.0.0.1:5672// For full details on the fields in the URL see the documentation of oslo_messaging.TransportURL at https://docs.openstack.org/oslo.messaging/latest/reference/transport.html
`use-journal = False`	boolean value	Enable journald for logging. If running in a systemd environment you may wish to enable journal support. Doing so will use the journal native protocol which includes structured metadata in addition to log messages.This option is ignored if log_config_append is set.
`use-json = False`	boolean value	Use JSON formatting for logging. This option is ignored if log_config_append is set.
`use-syslog = False`	boolean value	Use syslog for logging. Existing syslog format is DEPRECATED and will be changed later to honor RFC5424. This option is ignored if log_config_append is set.
`use_barbican_key_manager = False`	boolean value	Enable the usage of the OpenStack Key Management service provided by barbican.
`use_designate = False`	boolean value	Use Designate for internal and external hostnames resolution
`use_domain_for_proxy_users = False`	boolean value	Enables Sahara to use a domain for creating temporary proxy users to access Swift. If this is enabled a domain must be created for Sahara to use.
`use_dynamic_connections = False`	boolean value	This option makes direct connections dynamic or static. It makes sense only with use_router_proxy=False which means to use direct connections for direct message types (ignored otherwise).
`use_floating_ips = True`	boolean value	If set to True, Sahara will use floating IPs to communicate with instances. To make sure that all instances have floating IPs assigned, make sure that all Node Groups have "floating_ip_pool" parameter defined.
`use_identity_api_v3 = True`	boolean value	Enables Sahara to use Keystone API v3. If that flag is disabled, per-job clusters will not be terminated automatically.
`use_namespaces = False`	boolean value	Use network namespaces for communication.
`use_pub_sub = False`	boolean value	Use PUB/SUB pattern for fanout methods. PUB/SUB always uses proxy.
`use_rootwrap = False`	boolean value	Use rootwrap facility to allow non-root users to run the sahara services and access private network IPs (only valid to use in conjunction with use_namespaces=True)
`use_router_proxy = False`	boolean value	Use ROUTER remote proxy.
`use_stderr = False`	boolean value	Log output to standard error. This option is ignored if log_config_append is set.
`watch-log-file = False`	boolean value	Uses logging handler designed to watch file system. When log file is moved or removed this handler will open a new log file with specified path instantaneously. It makes sense only if log_file option is specified and Linux platform is used. This option is ignored if log_config_append is set.
`wsgi_default_pool_size = 100`	integer value	Size of the pool of greenthreads used by wsgi
`wsgi_keep_alive = True`	boolean value	If False, closes the client socket connection explicitly.
`wsgi_log_format = %(client_ip)s "%(request_line)s" status: %(status_code)s len: %(body_length)s time: %(wall_seconds).7f`	string value	A python format string that is used as the template to generate log lines. The following values can beformatted into it: client_ip, date_time, request_line, status_code, body_length, wall_seconds.
`zmq_failover_connections = 2`	integer value	How many additional connections to a host will be made for failover reasons. This option is actual only in dynamic connections mode.
`zmq_immediate = True`	boolean value	This option configures round-robin mode in zmq socket. True means not keeping a queue when server side disconnects. False means to keep queue and messages even if server is disconnected, when the server appears we send all accumulated messages to it.
`zmq_linger = -1`	integer value	Number of seconds to wait before all pending messages will be sent after closing a socket. The default value of -1 specifies an infinite linger period. The value of 0 specifies no linger period. Pending messages shall be discarded immediately when the socket is closed. Positive values specify an upper bound for the linger period.
`zmq_target_expire = 300`	integer value	Expiration timeout in seconds of a name service record about existing target ( < 0 means no timeout).
`zmq_target_update = 180`	integer value	Update period in seconds of a name service record about existing target.
`zmq_tcp_keepalive = -1`	integer value	Enable/disable TCP keepalive (KA) mechanism. The default value of -1 (or any other negative value) means to skip any overrides and leave it to OS default; 0 and 1 (or any other positive value) mean to disable and enable the option respectively.
`zmq_tcp_keepalive_cnt = -1`	integer value	The number of retransmissions to be carried out before declaring that remote end is not available. The default value of -1 (or any other negative value and 0) means to skip any overrides and leave it to OS default.
`zmq_tcp_keepalive_idle = -1`	integer value	The duration between two keepalive transmissions in idle condition. The unit is platform dependent, for example, seconds in Linux, milliseconds in Windows etc. The default value of -1 (or any other negative value and 0) means to skip any overrides and leave it to OS default.
`zmq_tcp_keepalive_intvl = -1`	integer value	The duration between two successive keepalive retransmissions, if acknowledgement to the previous keepalive transmission is not received. The unit is platform dependent, for example, seconds in Linux, milliseconds in Windows etc. The default value of -1 (or any other negative value and 0) means to skip any overrides and leave it to OS default.

12.1.2. castellan

The following table outlines the options available under the [castellan] group in the /etc/sahara/sahara.conf file.

Table 12.2. castellan
Configuration option = Default value	Type	Description
`barbican_api_endpoint = None`	string value	The endpoint to use for connecting to the barbican api controller. By default, castellan will use the URL from the service catalog.
`barbican_api_version = v1`	string value	Version of the barbican API, for example: "v1"

12.1.3. cinder

The following table outlines the options available under the [cinder] group in the /etc/sahara/sahara.conf file.

Table 12.3. cinder
Configuration option = Default value	Type	Description
`api_insecure = False`	boolean value	Allow to perform insecure SSL requests to cinder.
`api_version = 3`	integer value	Version of the Cinder API to use.
`ca_file = None`	string value	Location of ca certificates file to use for cinder client requests.
`endpoint_type = internalURL`	string value	Endpoint type for cinder client requests

12.1.4. conductor

The following table outlines the options available under the [conductor] group in the /etc/sahara/sahara.conf file.

Table 12.4. conductor
Configuration option = Default value	Type	Description
`use_local = True`	boolean value	Perform sahara-conductor operations locally.

12.1.5. cors

The following table outlines the options available under the [cors] group in the /etc/sahara/sahara.conf file.

Table 12.5. cors
Configuration option = Default value	Type	Description
`allow_credentials = True`	boolean value	Indicate that the actual request can include user credentials
`allow_headers = [u'X-Auth-Token', u'X-Identity-Status', u'X-Roles', u'X-Service-Catalog', u'X-User-Id', u'X-Tenant-Id', u'X-OpenStack-Request-ID']`	list value	Indicate which header field names may be used during the actual request.
`allow_methods = [u'GET', u'PUT', u'POST', u'DELETE', u'PATCH']`	list value	Indicate which methods can be used during the actual request.
`allowed_origin = None`	list value	Indicate whether this resource may be shared with the domain received in the requests "origin" header. Format: "<protocol>://<host>[:<port>]", no trailing slash. Example: https://horizon.example.com
`expose_headers = [u'X-Auth-Token', u'X-Subject-Token', u'X-Service-Token', u'X-OpenStack-Request-ID']`	list value	Indicate which headers are safe to expose to the API. Defaults to HTTP Simple Headers.
`max_age = 3600`	integer value	Maximum cache age of CORS preflight requests.

12.1.6. database

The following table outlines the options available under the [database] group in the /etc/sahara/sahara.conf file.

Table 12.6. database
Configuration option = Default value	Type	Description
`backend = sqlalchemy`	string value	The back end to use for the database.
`connection = None`	string value	The SQLAlchemy connection string to use to connect to the database.
`connection_debug = 0`	integer value	Verbosity of SQL debugging information: 0=None, 100=Everything.
`connection_recycle_time = 3600`	integer value	Connections which have been present in the connection pool longer than this number of seconds will be replaced with a new one the next time they are checked out from the pool.
`connection_trace = False`	boolean value	Add Python stack traces to SQL as comment strings.
`db_inc_retry_interval = True`	boolean value	If True, increases the interval between retries of a database operation up to db_max_retry_interval.
`db_max_retries = 20`	integer value	Maximum retries in case of connection error or deadlock error before error is raised. Set to -1 to specify an infinite retry count.
`db_max_retry_interval = 10`	integer value	If db_inc_retry_interval is set, the maximum seconds between retries of a database operation.
`db_retry_interval = 1`	integer value	Seconds between retries of a database transaction.
`max_overflow = 50`	integer value	If set, use this value for max_overflow with SQLAlchemy.
`max_pool_size = 5`	integer value	Maximum number of SQL connections to keep open in a pool. Setting a value of 0 indicates no limit.
`max_retries = 10`	integer value	Maximum number of database connection retries during startup. Set to -1 to specify an infinite retry count.
`min_pool_size = 1`	integer value	Minimum number of SQL connections to keep open in a pool.
`mysql_enable_ndb = False`	boolean value	If True, transparently enables support for handling MySQL Cluster (NDB).
`mysql_sql_mode = TRADITIONAL`	string value	The SQL mode to be used for MySQL sessions. This option, including the default, overrides any server-set SQL mode. To use whatever SQL mode is set by the server configuration, set this to no value. Example: mysql_sql_mode=
`pool_timeout = None`	integer value	If set, use this value for pool_timeout with SQLAlchemy.
`retry_interval = 10`	integer value	Interval between retries of opening a SQL connection.
`slave_connection = None`	string value	The SQLAlchemy connection string to use to connect to the slave database.
`sqlite_synchronous = True`	boolean value	If True, SQLite uses synchronous mode.
`use_db_reconnect = False`	boolean value	Enable the experimental use of database reconnect on connection lost.

12.1.7. glance

The following table outlines the options available under the [glance] group in the /etc/sahara/sahara.conf file.

Table 12.7. glance
Configuration option = Default value	Type	Description
`api_insecure = False`	boolean value	Allow to perform insecure SSL requests to glance.
`ca_file = None`	string value	Location of ca certificates file to use for glance client requests.
`endpoint_type = internalURL`	string value	Endpoint type for glance client requests

12.1.8. heat

The following table outlines the options available under the [heat] group in the /etc/sahara/sahara.conf file.

Table 12.8. heat
Configuration option = Default value	Type	Description
`api_insecure = False`	boolean value	Allow to perform insecure SSL requests to heat.
`ca_file = None`	string value	Location of ca certificates file to use for heat client requests.
`endpoint_type = internalURL`	string value	Endpoint type for heat client requests

12.1.9. keystone

The following table outlines the options available under the [keystone] group in the /etc/sahara/sahara.conf file.

Table 12.9. keystone
Configuration option = Default value	Type	Description
`api_insecure = False`	boolean value	Allow to perform insecure SSL requests to keystone.
`ca_file = None`	string value	Location of ca certificates file to use for keystone client requests.
`endpoint_type = internalURL`	string value	Endpoint type for keystone client requests

12.1.10. keystone_authtoken

The following table outlines the options available under the [keystone_authtoken] group in the /etc/sahara/sahara.conf file.

Table 12.10. keystone_authtoken
Configuration option = Default value	Type	Description
`auth_section = None`	string value	Config Section from which to load plugin specific options
`auth_type = None`	string value	Authentication type to load
`auth_uri = None`	string value	Complete "public" Identity API endpoint. This endpoint should not be an "admin" endpoint, as it should be accessible by all end users. Unauthenticated clients are redirected to this endpoint to authenticate. Although this endpoint should ideally be unversioned, client support in the wild varies. If you’re using a versioned v2 endpoint here, then this should not be the same endpoint the service user utilizes for validating tokens, because normal end users may not be able to reach that endpoint. This option is deprecated in favor of www_authenticate_uri and will be removed in the S release.
`auth_version = None`	string value	API version of the admin Identity API endpoint.
`cache = None`	string value	Request environment key where the Swift cache object is stored. When auth_token middleware is deployed with a Swift cache, use this option to have the middleware share a caching backend with swift. Otherwise, use the `memcached_servers` option instead.
`cafile = None`	string value	A PEM encoded Certificate Authority to use when verifying HTTPs connections. Defaults to system CAs.
`certfile = None`	string value	Required if identity server requires client certificate
`check_revocations_for_cached = False`	boolean value	If true, the revocation list will be checked for cached tokens. This requires that PKI tokens are configured on the identity server.
`delay_auth_decision = False`	boolean value	Do not handle authorization requests within the middleware, but delegate the authorization decision to downstream WSGI components.
`enforce_token_bind = permissive`	string value	Used to control the use and type of token binding. Can be set to: "disabled" to not check token binding. "permissive" (default) to validate binding information if the bind type is of a form known to the server and ignore it if not. "strict" like "permissive" but if the bind type is unknown the token will be rejected. "required" any form of token binding is needed to be allowed. Finally the name of a binding method that must be present in tokens.
`hash_algorithms = [u'md5']`	list value	Hash algorithms to use for hashing PKI tokens. This may be a single algorithm or multiple. The algorithms are those supported by Python standard hashlib.new(). The hashes will be tried in the order given, so put the preferred one first for performance. The result of the first hash will be stored in the cache. This will typically be set to multiple values only while migrating from a less secure algorithm to a more secure one. Once all the old tokens are expired this option should be set to a single value for better performance.
`http_connect_timeout = None`	integer value	Request timeout value for communicating with Identity API server.
`http_request_max_retries = 3`	integer value	How many times are we trying to reconnect when communicating with Identity API Server.
`include_service_catalog = True`	boolean value	(Optional) Indicate whether to set the X-Service-Catalog header. If False, middleware will not ask for service catalog on token validation and will not set the X-Service-Catalog header.
`insecure = False`	boolean value	Verify HTTPS connections.
`keyfile = None`	string value	Required if identity server requires client certificate
`memcache_pool_conn_get_timeout = 10`	integer value	(Optional) Number of seconds that an operation will wait to get a memcached client connection from the pool.
`memcache_pool_dead_retry = 300`	integer value	(Optional) Number of seconds memcached server is considered dead before it is tried again.
`memcache_pool_maxsize = 10`	integer value	(Optional) Maximum total number of open connections to every memcached server.
`memcache_pool_socket_timeout = 3`	integer value	(Optional) Socket timeout in seconds for communicating with a memcached server.
`memcache_pool_unused_timeout = 60`	integer value	(Optional) Number of seconds a connection to memcached is held unused in the pool before it is closed.
`memcache_secret_key = None`	string value	(Optional, mandatory if memcache_security_strategy is defined) This string is used for key derivation.
`memcache_security_strategy = None`	string value	(Optional) If defined, indicate whether token data should be authenticated or authenticated and encrypted. If MAC, token data is authenticated (with HMAC) in the cache. If ENCRYPT, token data is encrypted and authenticated in the cache. If the value is not one of these options or empty, auth_token will raise an exception on initialization.
`memcache_use_advanced_pool = False`	boolean value	(Optional) Use the advanced (eventlet safe) memcached client pool. The advanced pool will only work under python 2.x.
`memcached_servers = None`	list value	Optionally specify a list of memcached server(s) to use for caching. If left undefined, tokens will instead be cached in-process.
`region_name = None`	string value	The region in which the identity server can be found.
`revocation_cache_time = 10`	integer value	Determines the frequency at which the list of revoked tokens is retrieved from the Identity service (in seconds). A high number of revocation events combined with a low cache duration may significantly reduce performance. Only valid for PKI tokens. This option has been deprecated in the Ocata release and will be removed in the P release.
`service_token_roles = [u'service']`	list value	A choice of roles that must be present in a service token. Service tokens are allowed to request that an expired token can be used and so this check should tightly control that only actual services should be sending this token. Roles here are applied as an ANY check so any role in this list must be present. For backwards compatibility reasons this currently only affects the allow_expired check.
`service_token_roles_required = False`	boolean value	For backwards compatibility reasons we must let valid service tokens pass that don’t pass the service_token_roles check as valid. Setting this true will become the default in a future release and should be enabled if possible.
`signing_dir = None`	string value	Directory used to cache files related to PKI tokens. This option has been deprecated in the Ocata release and will be removed in the P release.
`token_cache_time = 300`	integer value	In order to prevent excessive effort spent validating tokens, the middleware caches previously-seen tokens for a configurable duration (in seconds). Set to -1 to disable caching completely.
`www_authenticate_uri = None`	string value	Complete "public" Identity API endpoint. This endpoint should not be an "admin" endpoint, as it should be accessible by all end users. Unauthenticated clients are redirected to this endpoint to authenticate. Although this endpoint should ideally be unversioned, client support in the wild varies. If you’re using a versioned v2 endpoint here, then this should not be the same endpoint the service user utilizes for validating tokens, because normal end users may not be able to reach that endpoint.

12.1.11. manila

The following table outlines the options available under the [manila] group in the /etc/sahara/sahara.conf file.

Table 12.11. manila
Configuration option = Default value	Type	Description
`api_insecure = True`	boolean value	Allow to perform insecure SSL requests to manila.
`api_version = 1`	string value	Version of the manila API to use.
`ca_file = None`	string value	Location of ca certificates file to use for manila client requests.

12.1.12. matchmaker_redis

The following table outlines the options available under the [matchmaker_redis] group in the /etc/sahara/sahara.conf file.

Table 12.12. matchmaker_redis
Configuration option = Default value	Type	Description
`check_timeout = 20000`	integer value	Time in ms to wait before the transaction is killed.
`host = 127.0.0.1`	string value	Host to locate redis.
`password = `	string value	Password for Redis server (optional).
`port = 6379`	port value	Use this port to connect to redis host.
`sentinel_group_name = oslo-messaging-zeromq`	string value	Redis replica set name.
`sentinel_hosts = []`	list value	List of Redis Sentinel hosts (fault tolerance mode), e.g., [host:port, host1:port … ]
`socket_timeout = 10000`	integer value	Timeout in ms on blocking socket operations.
`wait_timeout = 2000`	integer value	Time in ms to wait between connection attempts.

12.1.13. neutron

The following table outlines the options available under the [neutron] group in the /etc/sahara/sahara.conf file.

Table 12.13. neutron
Configuration option = Default value	Type	Description
`api_insecure = False`	boolean value	Allow to perform insecure SSL requests to neutron.
`ca_file = None`	string value	Location of ca certificates file to use for neutron client requests.
`endpoint_type = internalURL`	string value	Endpoint type for neutron client requests

12.1.14. nova

The following table outlines the options available under the [nova] group in the /etc/sahara/sahara.conf file.

Table 12.14. nova
Configuration option = Default value	Type	Description
`api_insecure = False`	boolean value	Allow to perform insecure SSL requests to nova.
`ca_file = None`	string value	Location of ca certificates file to use for nova client requests.
`endpoint_type = internalURL`	string value	Endpoint type for nova client requests

12.1.15. object_store_access

The following table outlines the options available under the [object_store_access] group in the /etc/sahara/sahara.conf file.

Table 12.15. object_store_access
Configuration option = Default value	Type	Description
`public_identity_ca_file = None`	string value	Location of ca certificate file to use for identity client requests via public endpoint
`public_object_store_ca_file = None`	string value	Location of ca certificate file to use for object-store client requests via public endpoint

12.1.16. oslo_concurrency

The following table outlines the options available under the [oslo_concurrency] group in the /etc/sahara/sahara.conf file.

Table 12.16. oslo_concurrency
Configuration option = Default value	Type	Description
`disable_process_locking = False`	boolean value	Enables or disables inter-process locks.
`lock_path = None`	string value	Directory to use for lock files. For security, the specified directory should only be writable by the user running the processes that need locking. Defaults to environment variable OSLO_LOCK_PATH. If external locks are used, a lock path must be set.

12.1.17. oslo_messaging_amqp

The following table outlines the options available under the [oslo_messaging_amqp] group in the /etc/sahara/sahara.conf file.

Table 12.17. oslo_messaging_amqp
Configuration option = Default value	Type	Description
`addressing_mode = dynamic`	string value	Indicates the addressing mode used by the driver. Permitted values: legacy - use legacy non-routable addressing routable - use routable addresses dynamic - use legacy addresses if the message bus does not support routing otherwise use routable addressing
`allow_insecure_clients = False`	boolean value	Accept clients using either SSL or plain TCP
`anycast_address = anycast`	string value	Appended to the address prefix when sending to a group of consumers. Used by the message bus to identify messages that should be delivered in a round-robin fashion across consumers.
`broadcast_prefix = broadcast`	string value	address prefix used when broadcasting to all servers
`connection_retry_backoff = 2`	integer value	Increase the connection_retry_interval by this many seconds after each unsuccessful failover attempt.
`connection_retry_interval = 1`	integer value	Seconds to pause before attempting to re-connect.
`connection_retry_interval_max = 30`	integer value	Maximum limit for connection_retry_interval + connection_retry_backoff
`container_name = None`	string value	Name for the AMQP container. must be globally unique. Defaults to a generated UUID
`default_notification_exchange = None`	string value	Exchange name used in notification addresses. Exchange name resolution precedence: Target.exchange if set else default_notification_exchange if set else control_exchange if set else notify
`default_notify_timeout = 30`	integer value	The deadline for a sent notification message delivery. Only used when caller does not provide a timeout expiry.
`default_reply_retry = 0`	integer value	The maximum number of attempts to re-send a reply message which failed due to a recoverable error.
`default_reply_timeout = 30`	integer value	The deadline for an rpc reply message delivery.
`default_rpc_exchange = None`	string value	Exchange name used in RPC addresses. Exchange name resolution precedence: Target.exchange if set else default_rpc_exchange if set else control_exchange if set else rpc
`default_send_timeout = 30`	integer value	The deadline for an rpc cast or call message delivery. Only used when caller does not provide a timeout expiry.
`default_sender_link_timeout = 600`	integer value	The duration to schedule a purge of idle sender links. Detach link after expiry.
`group_request_prefix = unicast`	string value	address prefix when sending to any server in group
`idle_timeout = 0`	integer value	Timeout for inactive connections (in seconds)
`link_retry_delay = 10`	integer value	Time to pause between re-connecting an AMQP 1.0 link that failed due to a recoverable error.
`multicast_address = multicast`	string value	Appended to the address prefix when sending a fanout message. Used by the message bus to identify fanout messages.
`notify_address_prefix = openstack.org/om/notify`	string value	Address prefix for all generated Notification addresses
`notify_server_credit = 100`	integer value	Window size for incoming Notification messages
`password = `	string value	Password for message broker authentication
`pre_settled = [u'rpc-cast', u'rpc-reply']`	multi valued	Send messages of this type pre-settled. Pre-settled messages will not receive acknowledgement from the peer. Note well: pre-settled messages may be silently discarded if the delivery fails. Permitted values: rpc-call - send RPC Calls pre-settled rpc-reply- send RPC Replies pre-settled rpc-cast - Send RPC Casts pre-settled notify - Send Notifications pre-settled
`pseudo_vhost = True`	boolean value	Enable virtual host support for those message buses that do not natively support virtual hosting (such as qpidd). When set to true the virtual host name will be added to all message bus addresses, effectively creating a private subnet per virtual host. Set to False if the message bus supports virtual hosting using the hostname field in the AMQP 1.0 Open performative as the name of the virtual host.
`reply_link_credit = 200`	integer value	Window size for incoming RPC Reply messages.
`rpc_address_prefix = openstack.org/om/rpc`	string value	Address prefix for all generated RPC addresses
`rpc_server_credit = 100`	integer value	Window size for incoming RPC Request messages
`sasl_config_dir = `	string value	Path to directory that contains the SASL configuration
`sasl_config_name = `	string value	Name of configuration file (without .conf suffix)
`sasl_default_realm = `	string value	SASL realm to use if no realm present in username
`sasl_mechanisms = `	string value	Space separated list of acceptable SASL mechanisms
`server_request_prefix = exclusive`	string value	address prefix used when sending to a specific server
`ssl = False`	boolean value	Attempt to connect via SSL. If no other ssl-related parameters are given, it will use the system’s CA-bundle to verify the server’s certificate.
`ssl_ca_file = `	string value	CA certificate PEM file used to verify the server’s certificate
`ssl_cert_file = `	string value	Self-identifying certificate PEM file for client authentication
`ssl_key_file = `	string value	Private key PEM file used to sign ssl_cert_file certificate (optional)
`ssl_key_password = None`	string value	Password for decrypting ssl_key_file (if encrypted)
`ssl_verify_vhost = False`	boolean value	By default SSL checks that the name in the server’s certificate matches the hostname in the transport_url. In some configurations it may be preferable to use the virtual hostname instead, for example if the server uses the Server Name Indication TLS extension (rfc6066) to provide a certificate per virtual host. Set ssl_verify_vhost to True if the server’s SSL certificate uses the virtual host name instead of the DNS name.
`trace = False`	boolean value	Debug: dump AMQP frames to stdout
`unicast_address = unicast`	string value	Appended to the address prefix when sending to a particular RPC/Notification server. Used by the message bus to identify messages sent to a single destination.
`username = `	string value	User name for message broker authentication

12.1.18. oslo_messaging_kafka

The following table outlines the options available under the [oslo_messaging_kafka] group in the /etc/sahara/sahara.conf file.

Table 12.18. oslo_messaging_kafka
Configuration option = Default value	Type	Description
`conn_pool_min_size = 2`	integer value	The pool size limit for connections expiration policy
`conn_pool_ttl = 1200`	integer value	The time-to-live in sec of idle connections in the pool
`consumer_group = oslo_messaging_consumer`	string value	Group id for Kafka consumer. Consumers in one group will coordinate message consumption
`kafka_consumer_timeout = 1.0`	floating point value	Default timeout(s) for Kafka consumers
`kafka_default_host = localhost`	string value	Default Kafka broker Host
`kafka_default_port = 9092`	port value	Default Kafka broker Port
`kafka_max_fetch_bytes = 1048576`	integer value	Max fetch bytes of Kafka consumer
`pool_size = 10`	integer value	Pool Size for Kafka Consumers
`producer_batch_size = 16384`	integer value	Size of batch for the producer async send
`producer_batch_timeout = 0.0`	floating point value	Upper bound on the delay for KafkaProducer batching in seconds

12.1.19. oslo_messaging_notifications

The following table outlines the options available under the [oslo_messaging_notifications] group in the /etc/sahara/sahara.conf file.

Table 12.19. oslo_messaging_notifications
Configuration option = Default value	Type	Description
`driver = []`	multi valued	The Drivers(s) to handle sending notifications. Possible values are messaging, messagingv2, routing, log, test, noop
`level = INFO`	string value	Notification level for outgoing notifications
`publisher_id = None`	string value	Identifier of the publisher
`retry = -1`	integer value	The maximum number of attempts to re-send a notification message which failed to be delivered due to a recoverable error. 0 - No retry, -1 - indefinite
`topics = [u'notifications']`	list value	AMQP topic used for OpenStack notifications.
`transport_url = None`	string value	A URL representing the messaging driver to use for notifications. If not set, we fall back to the same configuration used for RPC.

12.1.20. oslo_messaging_rabbit

The following table outlines the options available under the [oslo_messaging_rabbit] group in the /etc/sahara/sahara.conf file.

Table 12.20. oslo_messaging_rabbit
Configuration option = Default value	Type	Description
`amqp_auto_delete = False`	boolean value	Auto-delete queues in AMQP.
`amqp_durable_queues = False`	boolean value	Use durable queues in AMQP.
`channel_max = None`	integer value	Maximum number of channels to allow
`connection_factory = single`	string value	Connection factory implementation
`default_notification_exchange = ${control_exchange}_notification`	string value	Exchange name for sending notifications
`default_notification_retry_attempts = -1`	integer value	Reconnecting retry count in case of connectivity problem during sending notification, -1 means infinite retry.
`default_rpc_exchange = ${control_exchange}_rpc`	string value	Exchange name for sending RPC messages
`default_rpc_retry_attempts = -1`	integer value	Reconnecting retry count in case of connectivity problem during sending RPC message, -1 means infinite retry. If actual retry attempts in not 0 the rpc request could be processed more than one time
`default_serializer_type = json`	string value	Default serialization mechanism for serializing/deserializing outgoing/incoming messages
`fake_rabbit = False`	boolean value	Deprecated, use rpc_backend=kombu+memory or rpc_backend=fake
`frame_max = None`	integer value	The maximum byte size for an AMQP frame
`heartbeat_interval = 3`	integer value	How often to send heartbeats for consumer’s connections
`heartbeat_rate = 2`	integer value	How often times during the heartbeat_timeout_threshold we check the heartbeat.
`heartbeat_timeout_threshold = 60`	integer value	Number of seconds after which the Rabbit broker is considered down if heartbeat’s keep-alive fails (0 disable the heartbeat). EXPERIMENTAL
`host_connection_reconnect_delay = 0.25`	floating point value	Set delay for reconnection to some host which has connection error
`kombu_compression = None`	string value	EXPERIMENTAL: Possible values are: gzip, bz2. If not set compression will not be used. This option may not be available in future versions.
`kombu_failover_strategy = round-robin`	string value	Determines how the next RabbitMQ node is chosen in case the one we are currently connected to becomes unavailable. Takes effect only if more than one RabbitMQ node is provided in config.
`kombu_missing_consumer_retry_timeout = 60`	integer value	How long to wait a missing client before abandoning to send it its replies. This value should not be longer than rpc_response_timeout.
`kombu_reconnect_delay = 1.0`	floating point value	How long to wait before reconnecting in response to an AMQP consumer cancel notification.
`notification_listener_prefetch_count = 100`	integer value	Max number of not acknowledged message which RabbitMQ can send to notification listener.
`notification_persistence = False`	boolean value	Persist notification messages.
`notification_retry_delay = 0.25`	floating point value	Reconnecting retry delay in case of connectivity problem during sending notification message
`pool_max_overflow = 0`	integer value	Maximum number of connections to create above `pool_max_size`.
`pool_max_size = 30`	integer value	Maximum number of connections to keep queued.
`pool_recycle = 600`	integer value	Lifetime of a connection (since creation) in seconds or None for no recycling. Expired connections are closed on acquire.
`pool_stale = 60`	integer value	Threshold at which inactive (since release) connections are considered stale in seconds or None for no staleness. Stale connections are closed on acquire.
`pool_timeout = 30`	integer value	Default number of seconds to wait for a connections to available
`rabbit_ha_queues = False`	boolean value	Try to use HA queues in RabbitMQ (x-ha-policy: all). If you change this option, you must wipe the RabbitMQ database. In RabbitMQ 3.0, queue mirroring is no longer controlled by the x-ha-policy argument when declaring a queue. If you just want to make sure that all queues (except those with auto-generated names) are mirrored across all nodes, run: "rabbitmqctl set_policy HA ^(?!amq\.).* {"ha-mode": "all"} "
`rabbit_host = localhost`	string value	The RabbitMQ broker address where a single node is used.
`rabbit_hosts = [u'$rabbit_host:$rabbit_port']`	list value	RabbitMQ HA cluster host:port pairs.
`rabbit_interval_max = 30`	integer value	Maximum interval of RabbitMQ connection retries. Default is 30 seconds.
`rabbit_login_method = AMQPLAIN`	string value	The RabbitMQ login method.
`rabbit_max_retries = 0`	integer value	Maximum number of RabbitMQ connection retries. Default is 0 (infinite retry count).
`rabbit_password = guest`	string value	The RabbitMQ password.
`rabbit_port = 5672`	port value	The RabbitMQ broker port where a single node is used.
`rabbit_qos_prefetch_count = 0`	integer value	Specifies the number of messages to prefetch. Setting to zero allows unlimited messages.
`rabbit_retry_backoff = 2`	integer value	How long to backoff for between retries when connecting to RabbitMQ.
`rabbit_retry_interval = 1`	integer value	How frequently to retry connecting with RabbitMQ.
`rabbit_transient_queues_ttl = 1800`	integer value	Positive integer representing duration in seconds for queue TTL (x-expires). Queues which are unused for the duration of the TTL are automatically deleted. The parameter affects only reply and fanout queues.
`rabbit_userid = guest`	string value	The RabbitMQ userid.
`rabbit_virtual_host = /`	string value	The RabbitMQ virtual host.
`rpc_listener_prefetch_count = 100`	integer value	Max number of not acknowledged message which RabbitMQ can send to rpc listener.
`rpc_queue_expiration = 60`	integer value	Time to live for rpc queues without consumers in seconds.
`rpc_reply_exchange = ${control_exchange}_rpc_reply`	string value	Exchange name for receiving RPC replies
`rpc_reply_listener_prefetch_count = 100`	integer value	Max number of not acknowledged message which RabbitMQ can send to rpc reply listener.
`rpc_reply_retry_attempts = -1`	integer value	Reconnecting retry count in case of connectivity problem during sending reply. -1 means infinite retry during rpc_timeout
`rpc_reply_retry_delay = 0.25`	floating point value	Reconnecting retry delay in case of connectivity problem during sending reply.
`rpc_retry_delay = 0.25`	floating point value	Reconnecting retry delay in case of connectivity problem during sending RPC message
`socket_timeout = 0.25`	floating point value	Set socket timeout in seconds for connection’s socket
`ssl = None`	boolean value	Enable SSL
`ssl_ca_file = `	string value	SSL certification authority file (valid only if SSL enabled).
`ssl_cert_file = `	string value	SSL cert file (valid only if SSL enabled).
`ssl_key_file = `	string value	SSL key file (valid only if SSL enabled).
`ssl_options = None`	dict value	Arguments passed to ssl.wrap_socket
`ssl_version = `	string value	SSL version to use (valid only if SSL enabled). Valid values are TLSv1 and SSLv23. SSLv2, SSLv3, TLSv1_1, and TLSv1_2 may be available on some distributions.
`tcp_user_timeout = 0.25`	floating point value	Set TCP_USER_TIMEOUT in seconds for connection’s socket

12.1.21. oslo_messaging_zmq

The following table outlines the options available under the [oslo_messaging_zmq] group in the /etc/sahara/sahara.conf file.

Table 12.21. oslo_messaging_zmq
Configuration option = Default value	Type	Description
`rpc_ack_timeout_base = 15`	integer value	Number of seconds to wait for an ack from a cast/call. After each retry attempt this timeout is multiplied by some specified multiplier.
`rpc_ack_timeout_multiplier = 2`	integer value	Number to multiply base ack timeout by after each retry attempt.
`rpc_message_ttl = 300`	integer value	Expiration timeout in seconds of a sent/received message after which it is not tracked anymore by a client/server.
`rpc_poll_timeout = 1`	integer value	The default number of seconds that poll should wait. Poll raises timeout exception when timeout expired.
`rpc_retry_attempts = 3`	integer value	Default number of message sending attempts in case of any problems occurred: positive value N means at most N retries, 0 means no retries, None or -1 (or any other negative values) mean to retry forever. This option is used only if acknowledgments are enabled.
`rpc_thread_pool_size = 100`	integer value	Maximum number of (green) threads to work concurrently.
`rpc_use_acks = False`	boolean value	Wait for message acknowledgements from receivers. This mechanism works only via proxy without PUB/SUB.
`rpc_zmq_bind_address = *`	string value	ZeroMQ bind address. Should be a wildcard (*), an ethernet interface, or IP. The "host" option should point or resolve to this address.
`rpc_zmq_bind_port_retries = 100`	integer value	Number of retries to find free port number before fail with ZMQBindError.
`rpc_zmq_contexts = 1`	integer value	Number of ZeroMQ contexts, defaults to 1.
`rpc_zmq_host = ccsosp-undercloud.usersys.redhat.com`	string value	Name of this node. Must be a valid hostname, FQDN, or IP address. Must match "host" option, if running Nova.
`rpc_zmq_ipc_dir = /var/run/openstack`	string value	Directory for holding IPC sockets.
`rpc_zmq_matchmaker = redis`	string value	MatchMaker driver.
`rpc_zmq_max_port = 65536`	integer value	Maximal port number for random ports range.
`rpc_zmq_min_port = 49153`	port value	Minimal port number for random ports range.
`rpc_zmq_serialization = json`	string value	Default serialization mechanism for serializing/deserializing outgoing/incoming messages
`rpc_zmq_topic_backlog = None`	integer value	Maximum number of ingress messages to locally buffer per topic. Default is unlimited.
`subscribe_on = []`	list value	List of publisher hosts SubConsumer can subscribe on. This option has higher priority then the default publishers list taken from the matchmaker.
`use_dynamic_connections = False`	boolean value	This option makes direct connections dynamic or static. It makes sense only with use_router_proxy=False which means to use direct connections for direct message types (ignored otherwise).
`use_pub_sub = False`	boolean value	Use PUB/SUB pattern for fanout methods. PUB/SUB always uses proxy.
`use_router_proxy = False`	boolean value	Use ROUTER remote proxy.
`zmq_failover_connections = 2`	integer value	How many additional connections to a host will be made for failover reasons. This option is actual only in dynamic connections mode.
`zmq_immediate = True`	boolean value	This option configures round-robin mode in zmq socket. True means not keeping a queue when server side disconnects. False means to keep queue and messages even if server is disconnected, when the server appears we send all accumulated messages to it.
`zmq_linger = -1`	integer value	Number of seconds to wait before all pending messages will be sent after closing a socket. The default value of -1 specifies an infinite linger period. The value of 0 specifies no linger period. Pending messages shall be discarded immediately when the socket is closed. Positive values specify an upper bound for the linger period.
`zmq_target_expire = 300`	integer value	Expiration timeout in seconds of a name service record about existing target ( < 0 means no timeout).
`zmq_target_update = 180`	integer value	Update period in seconds of a name service record about existing target.
`zmq_tcp_keepalive = -1`	integer value	Enable/disable TCP keepalive (KA) mechanism. The default value of -1 (or any other negative value) means to skip any overrides and leave it to OS default; 0 and 1 (or any other positive value) mean to disable and enable the option respectively.
`zmq_tcp_keepalive_cnt = -1`	integer value	The number of retransmissions to be carried out before declaring that remote end is not available. The default value of -1 (or any other negative value and 0) means to skip any overrides and leave it to OS default.
`zmq_tcp_keepalive_idle = -1`	integer value	The duration between two keepalive transmissions in idle condition. The unit is platform dependent, for example, seconds in Linux, milliseconds in Windows etc. The default value of -1 (or any other negative value and 0) means to skip any overrides and leave it to OS default.
`zmq_tcp_keepalive_intvl = -1`	integer value	The duration between two successive keepalive retransmissions, if acknowledgement to the previous keepalive transmission is not received. The unit is platform dependent, for example, seconds in Linux, milliseconds in Windows etc. The default value of -1 (or any other negative value and 0) means to skip any overrides and leave it to OS default.

12.1.22. oslo_middleware

The following table outlines the options available under the [oslo_middleware] group in the /etc/sahara/sahara.conf file.

Table 12.22. oslo_middleware
Configuration option = Default value	Type	Description
`enable_proxy_headers_parsing = False`	boolean value	Whether the application is behind a proxy or not. This determines if the middleware should parse the headers or not.

12.1.23. oslo_policy

The following table outlines the options available under the [oslo_policy] group in the /etc/sahara/sahara.conf file.

Table 12.23. oslo_policy
Configuration option = Default value	Type	Description
`enforce_scope = False`	boolean value	This option controls whether or not to enforce scope when evaluating policies. If `True`, the scope of the token used in the request is compared to the `scope_types` of the policy being enforced. If the scopes do not match, an `InvalidScope` exception will be raised. If `False`, a message will be logged informing operators that policies are being invoked with mismatching scope.
`policy_default_rule = default`	string value	Default rule. Enforced when a requested rule is not found.
`policy_dirs = [u'policy.d']`	multi valued	Directories where policy configuration files are stored. They can be relative to any directory in the search path defined by the config_dir option, or absolute paths. The file defined by policy_file must exist for these directories to be searched. Missing or empty directories are ignored.
`policy_file = policy.json`	string value	The file that defines policies.
`remote_content_type = application/x-www-form-urlencoded`	string value	Content Type to send and receive data for REST based policy check
`remote_ssl_ca_crt_file = None`	string value	Absolute path to ca cert file for REST based policy check
`remote_ssl_client_crt_file = None`	string value	Absolute path to client cert for REST based policy check
`remote_ssl_client_key_file = None`	string value	Absolute path client key file REST based policy check
`remote_ssl_verify_server_crt = False`	boolean value	server identity verification for REST based policy check

12.1.24. retries

The following table outlines the options available under the [retries] group in the /etc/sahara/sahara.conf file.

Table 12.24. retries
Configuration option = Default value	Type	Description
`retries_number = 5`	integer value	Number of times to retry the request to client before failing
`retry_after = 10`	integer value	Time between the retries to client (in seconds).

12.1.25. ssl

The following table outlines the options available under the [ssl] group in the /etc/sahara/sahara.conf file.

Table 12.25. ssl
Configuration option = Default value	Type	Description
`ca_file = None`	string value	CA certificate file to use to verify connecting clients.
`cert_file = None`	string value	Certificate file to use when starting the server securely.
`ciphers = None`	string value	Sets the list of available ciphers. value should be a string in the OpenSSL cipher list format.
`key_file = None`	string value	Private key file to use when starting the server securely.
`version = None`	string value	SSL version to use (valid only if SSL enabled). Valid values are TLSv1 and SSLv23. SSLv2, SSLv3, TLSv1_1, and TLSv1_2 may be available on some distributions.

12.1.26. swift

The following table outlines the options available under the [swift] group in the /etc/sahara/sahara.conf file.

Table 12.26. swift
Configuration option = Default value	Type	Description
`api_insecure = False`	boolean value	Allow to perform insecure SSL requests to swift.
`ca_file = None`	string value	Location of ca certificates file to use for swift client requests.
`endpoint_type = internalURL`	string value	Endpoint type for swift client requests

12.1.27. timeouts

The following table outlines the options available under the [timeouts] group in the /etc/sahara/sahara.conf file.

Table 12.27. timeouts
Configuration option = Default value	Type	Description
`delete_instances_timeout = 10800`	integer value	Wait for instances to be deleted, in seconds
`detach_volume_timeout = 300`	integer value	Timeout for detaching volumes from instance, in seconds
`ips_assign_timeout = 10800`	integer value	Assign IPs timeout, in seconds
`wait_until_accessible = 10800`	integer value	Wait for instance accessibility, in seconds

12.1.28. trustee

The following table outlines the options available under the [trustee] group in the /etc/sahara/sahara.conf file.

Table 12.28. trustee
Configuration option = Default value	Type	Description
`auth_url = None`	string value	Auth url for trusts creation
`password = None`	string value	Password for trusts creation
`project_domain_name = Default`	string value	Project domain name for trusts creation
`project_name = None`	string value	Project name for trusts creation
`user_domain_name = Default`	string value	User domain name for trusts creation
`username = None`	string value	Username for trusts creation