3.17. Compute sample configuration files
3.17.1. nova.conf - configuration options
For a complete list of all available configuration options for each OpenStack Compute service, run nova-<servicename> --help.
Configuration option = Default value | Description |
---|---|
[DEFAULT] | |
api_paste_config = api-paste.ini | (StrOpt) File name for the paste.deploy config for nova-api |
api_rate_limit = False | (BoolOpt) Whether to use per-user rate limiting for the api. This option is only used by v2 api. Rate limiting is removed from v2.1 api. |
client_socket_timeout = 900 | (IntOpt) Timeout for client connections' socket operations. If an incoming connection is idle for this number of seconds it will be closed. A value of '0' means wait forever. |
enable_new_services = True | (BoolOpt) Services to be added to the available pool on create |
enabled_apis = ec2, osapi_compute, metadata | (ListOpt) A list of APIs to enable by default |
enabled_ssl_apis = | (ListOpt) A list of APIs with enabled SSL |
instance_name_template = instance-%08x | (StrOpt) Template string to be used to generate instance names |
max_header_line = 16384 | (IntOpt) Maximum line size of message headers to be accepted. max_header_line may need to be increased when using large tokens (typically those generated by the Keystone v3 API with big service catalogs). |
multi_instance_display_name_template = %(name)s-%(count)d | (StrOpt) When creating multiple instances with a single request using the os-multiple-create API extension, this template will be used to build the display name for each instance. The benefit is that the instances end up with different hostnames. To restore legacy behavior of every instance having the same name, set this option to "%(name)s". Valid keys for the template are: name, uuid, count. |
non_inheritable_image_properties = cache_in_nova, bittorrent | (ListOpt) These are image properties which a snapshot should not inherit from an instance |
null_kernel = nokernel | (StrOpt) Kernel image that indicates not to use a kernel, but to use a raw disk image instead |
osapi_compute_ext_list = | (ListOpt) DEPRECATED: Specify list of extensions to load when using the osapi_compute_extension option with nova.api.openstack.compute.legacy_v2.contrib.select_extensions. This option will be removed in the near future. After that point you have to run all of the API. |
osapi_compute_extension = ['nova.api.openstack.compute.legacy_v2.contrib.standard_extensions'] | (MultiStrOpt) osapi compute extension to load. This option will be removed in the near future. After that point you have to run all of the API. |
osapi_compute_link_prefix = None | (StrOpt) Base URL that will be presented to users in links to the OpenStack Compute API |
osapi_compute_listen = 0.0.0.0 | (StrOpt) The IP address on which the OpenStack API will listen. |
osapi_compute_listen_port = 8774 | (IntOpt) The port on which the OpenStack API will listen. |
osapi_compute_workers = None | (IntOpt) Number of workers for OpenStack API service. The default will be the number of CPUs available. |
osapi_hide_server_address_states = building | (ListOpt) List of instance states that should hide network info |
secure_proxy_ssl_header = None | (StrOpt) The HTTP header used to determine the scheme for the original request, even if it was removed by an SSL terminating proxy. Typical value is HTTP_X_FORWARDED_PROTO. |
servicegroup_driver = db | (StrOpt) The driver for servicegroup service (valid options are: db, zk, mc) |
snapshot_name_template = snapshot-%s | (StrOpt) Template string to be used to generate snapshot names |
tcp_keepidle = 600 | (IntOpt) Sets the value of TCP_KEEPIDLE in seconds for each server socket. Not supported on OS X. |
use_forwarded_for = False | (BoolOpt) Treat X-Forwarded-For as the canonical remote address. Only enable this if you have a sanitizing proxy. |
wsgi_default_pool_size = 1000 | (IntOpt) Size of the pool of greenthreads used by wsgi |
wsgi_keep_alive = True | (BoolOpt) If False, closes the client socket connection explicitly. |
wsgi_log_format = %(client_ip)s "%(request_line)s" status: %(status_code)s len: %(body_length)s time: %(wall_seconds).7f | (StrOpt) A python format string that is used as the template to generate log lines. The following values can be formatted into it: client_ip, date_time, request_line, status_code, body_length, wall_seconds. |
[oslo_middleware] | |
max_request_body_size = 114688 | (IntOpt) The maximum body size for each request, in bytes. |
secure_proxy_ssl_header = X-Forwarded-Proto | (StrOpt) The HTTP Header that will be used to determine what the original request protocol scheme was, even if it was hidden by an SSL termination proxy. |
[oslo_versionedobjects] | |
fatal_exception_format_errors = False | (BoolOpt) Make exception message format errors fatal. |
Configuration option = Default value | Description |
---|---|
[osapi_v21] | |
enabled = True | (BoolOpt) DEPRECATED: Whether the V2.1 API is enabled or not. This option will be removed in the near future. |
extensions_blacklist = | (ListOpt) DEPRECATED: A list of v2.1 API extensions to never load. Specify the extension aliases here. This option will be removed in the near future. After that point you have to run all of the API. |
extensions_whitelist = | (ListOpt) DEPRECATED: If the list is not empty then a v2.1 API extension will only be loaded if it exists in this list. Specify the extension aliases here. This option will be removed in the near future. After that point you have to run all of the API. |
Configuration option = Default value | Description |
---|---|
[osapi_v3] | |
enabled = False | (BoolOpt) Whether the V3 API is enabled or not |
extensions_blacklist = | (ListOpt) A list of v3 API extensions to never load. Specify the extension aliases here. |
extensions_whitelist = | (ListOpt) If the list is not empty then a v3 API extension will only be loaded if it exists in this list. Specify the extension aliases here. |
Configuration option = Default value | Description |
---|---|
[DEFAULT] | |
auth_strategy = keystone | (StrOpt) The strategy to use for auth: keystone or noauth2. noauth2 is designed for testing only, as it does no actual credential checking. noauth2 provides administrative credentials only if 'admin' is specified as the username. |
Configuration option = Default value | Description |
---|---|
[keystone_authtoken] | |
admin_password = None | (StrOpt) Service user password. |
admin_tenant_name = admin | (StrOpt) Service tenant name. |
admin_token = None | (StrOpt) This option is deprecated and may be removed in a future release. Single shared secret with the Keystone configuration used for bootstrapping a Keystone installation, or otherwise bypassing the normal authentication process. This option should not be used, use `admin_user` and `admin_password` instead. |
admin_user = None | (StrOpt) Service username. |
auth_admin_prefix = | (StrOpt) Prefix to prepend at the beginning of the path. Deprecated, use identity_uri. |
auth_host = 127.0.0.1 | (StrOpt) Host providing the admin Identity API endpoint. Deprecated, use identity_uri. |
auth_plugin = None | (StrOpt) Name of the plugin to load |
auth_port = 35357 | (IntOpt) Port of the admin Identity API endpoint. Deprecated, use identity_uri. |
auth_protocol = https | (StrOpt) Protocol of the admin Identity API endpoint (http or https). Deprecated, use identity_uri. |
auth_section = None | (StrOpt) Config Section from which to load plugin specific options |
auth_uri = None | (StrOpt) Complete public Identity API endpoint. |
auth_version = None | (StrOpt) API version of the admin Identity API endpoint. |
cache = None | (StrOpt) Env key for the swift cache. |
cafile = None | (StrOpt) A PEM encoded Certificate Authority to use when verifying HTTPS connections. Defaults to system CAs. |
certfile = None | (StrOpt) Required if identity server requires client certificate |
check_revocations_for_cached = False | (BoolOpt) If true, the revocation list will be checked for cached tokens. This requires that PKI tokens are configured on the identity server. |
delay_auth_decision = False | (BoolOpt) Do not handle authorization requests within the middleware, but delegate the authorization decision to downstream WSGI components. |
enforce_token_bind = permissive | (StrOpt) Used to control the use and type of token binding. Can be set to: "disabled" to not check token binding. "permissive" (default) to validate binding information if the bind type is of a form known to the server and ignore it if not. "strict" like "permissive" but if the bind type is unknown the token will be rejected. "required" any form of token binding is needed to be allowed. Finally the name of a binding method that must be present in tokens. |
hash_algorithms = md5 | (ListOpt) Hash algorithms to use for hashing PKI tokens. This may be a single algorithm or multiple. The algorithms are those supported by Python standard hashlib.new(). The hashes will be tried in the order given, so put the preferred one first for performance. The result of the first hash will be stored in the cache. This will typically be set to multiple values only while migrating from a less secure algorithm to a more secure one. Once all the old tokens are expired this option should be set to a single value for better performance. |
http_connect_timeout = None | (IntOpt) Request timeout value for communicating with Identity API server. |
http_request_max_retries = 3 | (IntOpt) How many times to try to reconnect when communicating with Identity API Server. |
identity_uri = None | (StrOpt) Complete admin Identity API endpoint. This should specify the unversioned root endpoint e.g. https://localhost:35357/ |
include_service_catalog = True | (BoolOpt) (Optional) Indicate whether to set the X-Service-Catalog header. If False, middleware will not ask for service catalog on token validation and will not set the X-Service-Catalog header. |
insecure = False | (BoolOpt) Verify HTTPS connections. |
keyfile = None | (StrOpt) Required if identity server requires client certificate |
memcache_pool_conn_get_timeout = 10 | (IntOpt) (Optional) Number of seconds that an operation will wait to get a memcached client connection from the pool. |
memcache_pool_dead_retry = 300 | (IntOpt) (Optional) Number of seconds memcached server is considered dead before it is tried again. |
memcache_pool_maxsize = 10 | (IntOpt) (Optional) Maximum total number of open connections to every memcached server. |
memcache_pool_socket_timeout = 3 | (IntOpt) (Optional) Socket timeout in seconds for communicating with a memcached server. |
memcache_pool_unused_timeout = 60 | (IntOpt) (Optional) Number of seconds a connection to memcached is held unused in the pool before it is closed. |
memcache_secret_key = None | (StrOpt) (Optional, mandatory if memcache_security_strategy is defined) This string is used for key derivation. |
memcache_security_strategy = None | (StrOpt) (Optional) If defined, indicate whether token data should be authenticated or authenticated and encrypted. Acceptable values are MAC or ENCRYPT. If MAC, token data is authenticated (with HMAC) in the cache. If ENCRYPT, token data is encrypted and authenticated in the cache. If the value is not one of these options or empty, auth_token will raise an exception on initialization. |
memcache_use_advanced_pool = False | (BoolOpt) (Optional) Use the advanced (eventlet safe) memcached client pool. The advanced pool will only work under python 2.x. |
region_name = None | (StrOpt) The region in which the identity server can be found. |
revocation_cache_time = 10 | (IntOpt) Determines the frequency at which the list of revoked tokens is retrieved from the Identity service (in seconds). A high number of revocation events combined with a low cache duration may significantly reduce performance. |
signing_dir = None | (StrOpt) Directory used to cache files related to PKI tokens. |
token_cache_time = 300 | (IntOpt) In order to prevent excessive effort spent validating tokens, the middleware caches previously-seen tokens for a configurable duration (in seconds). Set to -1 to disable caching completely. |
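The authentication options described above can be checked mechanically. The following audit script is an added example, not part of the OpenStack documentation or code base; the sample configurations and placeholder secrets are constructed, the defaults are the ones listed on this page, and it also reads [DEFAULT] use_forwarded_for and [keystone_authtoken] memcached_servers, which are documented in other tables of this page.

```python
import configparser

# Defaults as listed in this page's tables; a default of None is written as "".
PAGE_DEFAULTS = {
    ("DEFAULT", "auth_strategy"): "keystone",
    ("DEFAULT", "use_forwarded_for"): "False",
    ("keystone_authtoken", "admin_token"): "",
    ("keystone_authtoken", "insecure"): "False",
    ("keystone_authtoken", "hash_algorithms"): "md5",
    ("keystone_authtoken", "memcached_servers"): "",
    ("keystone_authtoken", "memcache_security_strategy"): "",
    ("keystone_authtoken", "memcache_secret_key"): "",
}
TRUE_VALUES = {"true", "1", "yes", "on"}
KA = "keystone_authtoken"

# Constructed sample: every audited option is set to (or left at) a weak value.
WEAK_CONF = """
[DEFAULT]
auth_strategy = noauth2
use_forwarded_for = True
instance_name_template = instance-%08x

[keystone_authtoken]
admin_token = CONSTRUCTED-PLACEHOLDER
insecure = True
memcached_servers = 127.0.0.1:11211
"""

# Constructed sample: the same options with the corrected settings.
HARDENED_CONF = """
[DEFAULT]
auth_strategy = keystone

[keystone_authtoken]
identity_uri = https://localhost:35357/
admin_user = nova
admin_password = CONSTRUCTED-PLACEHOLDER
hash_algorithms = sha256
memcached_servers = 127.0.0.1:11211
memcache_security_strategy = ENCRYPT
memcache_secret_key = CONSTRUCTED-PLACEHOLDER
"""


def load(text):
    # default_section is renamed so that [DEFAULT] is read as an ordinary
    # section and its keys are not inherited by the other sections;
    # interpolation is off because values contain literal %(name)s templates.
    cfg = configparser.ConfigParser(interpolation=None, strict=False,
                                    default_section="__unused__")
    cfg.read_string(text)
    return cfg


def audit(text):
    """Return (section, option, reason) findings for the text of a nova.conf."""
    cfg = load(text)

    def get(section, option):
        # Effective value: what the file sets, else the default from this page.
        if cfg.has_option(section, option):
            return cfg.get(section, option).strip()
        return PAGE_DEFAULTS[(section, option)]

    findings = []
    if get("DEFAULT", "auth_strategy").lower() == "noauth2":
        findings.append(("DEFAULT", "auth_strategy",
                         "noauth2 does no actual credential checking"))
    if get("DEFAULT", "use_forwarded_for").lower() in TRUE_VALUES:
        findings.append(("DEFAULT", "use_forwarded_for",
                         "X-Forwarded-For is trusted; needs a sanitizing proxy"))
    if get(KA, "admin_token"):
        findings.append((KA, "admin_token",
                         "deprecated shared secret; use admin_user/admin_password"))
    if get(KA, "insecure").lower() in TRUE_VALUES:
        findings.append((KA, "insecure",
                         "HTTPS certificate verification is disabled"))
    algs = [a.strip().lower()
            for a in get(KA, "hash_algorithms").split(",") if a.strip()]
    if algs and algs[0] == "md5":
        findings.append((KA, "hash_algorithms",
                         "md5 is the preferred PKI token hash; list a stronger one first"))
    strategy = get(KA, "memcache_security_strategy").upper()
    if get(KA, "memcached_servers") and strategy not in ("MAC", "ENCRYPT"):
        findings.append((KA, "memcache_security_strategy",
                         "cached token data is neither authenticated nor encrypted"))
    elif strategy in ("MAC", "ENCRYPT") and not get(KA, "memcache_secret_key"):
        findings.append((KA, "memcache_secret_key",
                         "mandatory when memcache_security_strategy is defined"))
    return findings


if __name__ == "__main__":
    for section, option, reason in audit(WEAK_CONF):
        print("[%s] %s: %s" % (section, option, reason))
```

Because absent options fall back to the defaults in the tables, a file that never mentions hash_algorithms is still reported as using md5.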
Configuration option = Default value | Description |
---|---|
[DEFAULT] | |
default_availability_zone = nova | (StrOpt) Default compute node availability_zone |
default_schedule_zone = None | (StrOpt) Availability zone to use when user does not specify one |
internal_service_availability_zone = internal | (StrOpt) The availability_zone to show internal services under |
Configuration option = Default value | Description |
---|---|
[barbican] | |
cafile = None | (StrOpt) PEM encoded Certificate Authority to use when verifying HTTPS connections. |
catalog_info = key-manager:barbican:public | (StrOpt) Info to match when looking for barbican in the service catalog. Format is: separated values of the form: <service_type>:<service_name>:<endpoint_type> |
certfile = None | (StrOpt) PEM encoded client certificate cert file |
endpoint_template = None | (StrOpt) Override service catalog lookup with template for barbican endpoint e.g. http://localhost:9311/v1/%(project_id)s |
insecure = False | (BoolOpt) Verify HTTPS connections. |
keyfile = None | (StrOpt) PEM encoded client certificate key file |
os_region_name = None | (StrOpt) Region name of this node |
timeout = None | (IntOpt) Timeout value for http requests |
Configuration option = Default value | Description |
---|---|
[DEFAULT] | |
ca_file = cacert.pem | (StrOpt) Filename of root CA |
ca_path = $state_path/CA | (StrOpt) Where to keep the root CA |
cert = self.pem | (StrOpt) SSL certificate file |
cert_manager = nova.cert.manager.CertManager | (StrOpt) Full class name for the Manager for cert |
cert_topic = cert | (StrOpt) The topic cert nodes listen on |
crl_file = crl.pem | (StrOpt) Filename of root Certificate Revocation List |
key_file = private/cakey.pem | (StrOpt) Filename of private key |
keys_path = $state_path/keys | (StrOpt) Where to keep the keys |
project_cert_subject = /C=US/ST=California/O=OpenStack/OU=NovaDev/CN=project-ca-%.16s-%s | (StrOpt) Subject for certificate for projects, %s for project, timestamp |
ssl_ca_file = None | (StrOpt) CA certificate file to use to verify connecting clients |
ssl_cert_file = None | (StrOpt) SSL certificate of API server |
ssl_key_file = None | (StrOpt) SSL private key of API server |
use_project_ca = False | (BoolOpt) Should a CA be used for each project? |
user_cert_subject = /C=US/ST=California/O=OpenStack/OU=NovaDev/CN=%.16s-%.16s-%s | (StrOpt) Subject for certificate for users, %s for project, user, timestamp |
[ssl] | |
ca_file = None | (StrOpt) CA certificate file to use to verify connecting clients. |
cert_file = None | (StrOpt) Certificate file to use when starting the server securely. |
key_file = None | (StrOpt) Private key file to use when starting the server securely. |
Configuration option = Default value | Description |
---|---|
[cells] | |
call_timeout = 60 | (IntOpt) Seconds to wait for response from a call to a cell. |
capabilities = hypervisor=xenserver;kvm, os=linux | (ListOpt) Key/Multi-value list with the capabilities of the cell |
cell_type = compute | (StrOpt) Type of cell |
cells_config = None | (StrOpt) Configuration file from which to read cells configuration. If given, overrides reading cells from the database. |
db_check_interval = 60 | (IntOpt) Interval, in seconds, for getting fresh cell information from the database. |
driver = nova.cells.rpc_driver.CellsRPCDriver | (StrOpt) Cells communication driver to use |
enable = False | (BoolOpt) Enable cell functionality |
instance_update_num_instances = 1 | (IntOpt) Number of instances to update per periodic task run |
instance_updated_at_threshold = 3600 | (IntOpt) Number of seconds after an instance was updated or deleted to continue to update cells |
manager = nova.cells.manager.CellsManager | (StrOpt) Manager for cells |
max_hop_count = 10 | (IntOpt) Maximum number of hops for cells routing. |
mute_child_interval = 300 | (IntOpt) Number of seconds after which a lack of capability and capacity updates signals the child cell is to be treated as a mute. |
mute_weight_multiplier = -10000.0 | (FloatOpt) Multiplier used to weigh mute children. (The value should be negative.) |
name = nova | (StrOpt) Name of this cell |
offset_weight_multiplier = 1.0 | (FloatOpt) Multiplier used to weigh offset weigher. |
reserve_percent = 10.0 | (FloatOpt) Percentage of cell capacity to hold in reserve. Affects both memory and disk utilization |
topic = cells | (StrOpt) The topic cells nodes listen on |
Configuration option = Default value | Description |
---|---|
[DEFAULT] | |
bindir = /usr/local/bin | (StrOpt) Directory where nova binaries are installed |
compute_topic = compute | (StrOpt) The topic compute nodes listen on |
console_topic = console | (StrOpt) The topic console proxy nodes listen on |
consoleauth_topic = consoleauth | (StrOpt) The topic console auth proxy nodes listen on |
executor_thread_pool_size = 64 | (IntOpt) Size of executor thread pool. |
host = localhost | (StrOpt) Name of this node. This can be an opaque identifier. It is not necessarily a hostname, FQDN, or IP address. However, the node name must be valid within an AMQP key. |
memcached_servers = None | (ListOpt) Memcached servers or None for in process cache. |
my_ip = 10.0.0.1 | (StrOpt) IP address of this host |
notify_api_faults = False | (BoolOpt) If set, send api.fault notifications on caught exceptions in the API service. |
notify_on_state_change = None | (StrOpt) If set, send compute.instance.update notifications on instance state changes. Valid values are None for no notifications, "vm_state" for notifications on VM state changes, or "vm_and_task_state" for notifications on VM and task state changes. |
pybasedir = /usr/lib/python/site-packages/nova | (StrOpt) Directory where the nova python module is installed |
report_interval = 10 | (IntOpt) Seconds between nodes reporting state to datastore |
rootwrap_config = /etc/nova/rootwrap.conf | (StrOpt) Path to the rootwrap configuration file to use for running commands as root |
service_down_time = 60 | (IntOpt) Maximum time since last check-in for up service |
state_path = $pybasedir | (StrOpt) Top-level directory for maintaining nova's state |
tempdir = None | (StrOpt) Explicitly specify the temporary working directory |
use_rootwrap_daemon = False | (BoolOpt) Start and use a daemon that can run the commands that need to be run with root privileges. This option is usually enabled on nodes that run nova compute processes. |
[keystone_authtoken] | |
memcached_servers = None | (ListOpt) Optionally specify a list of memcached server(s) to use for caching. If left undefined, tokens will instead be cached in-process. |
[workarounds] | |
destroy_after_evacuate = True | (BoolOpt) DEPRECATED: Whether to destroy instances on startup when it is suspected that they have previously been evacuated. This can result in data loss if undesired. See https://launchpad.net/bugs/1419785. |
disable_libvirt_livesnapshot = True | (BoolOpt) When using libvirt 1.2.2, live snapshots fail intermittently under load. This configuration option provides a mechanism to enable live snapshot while this is resolved. See https://bugs.launchpad.net/nova/+bug/1334398. |
disable_rootwrap = False | (BoolOpt) This option allows a fallback to sudo for performance reasons. For example, see https://bugs.launchpad.net/nova/+bug/1415106. |
handle_virt_lifecycle_events = True | (BoolOpt) Whether or not to handle events raised from the compute driver's emit_event method. These are lifecycle events raised from compute drivers that implement the method. An example of a lifecycle event is an instance starting or stopping. If the instance is going through task state changes due to an API operation, such as resize, the events are ignored. However, this is an advanced feature which allows the hypervisor to signal to the compute service that an unexpected state change has occurred in an instance and the instance can be shut down automatically, which can inherently race in reboot operations or when the compute service or host is rebooted, either intentionally or due to an unexpected outage. Care should be taken when using this and sync_power_state_interval is negative since then if any instances are out of sync between the hypervisor and the Nova database, they will have to be synchronized manually. See https://bugs.launchpad.net/bugs/1444630. |
Configuration option = Default value | Description |
---|---|
[DEFAULT] | |
compute_available_monitors = None | (MultiStrOpt) [DEPRECATED] Monitor classes available to the compute which may be specified more than once. Use setuptools entry points to list available monitor plug-ins. |
compute_driver = None | (StrOpt) Driver to use for controlling virtualization. Options include: libvirt.LibvirtDriver, ironic.IronicDriver, and vmwareapi.VMwareVCDriver. |
compute_manager = nova.compute.manager.ComputeManager | (StrOpt) Full class name for the Manager for compute |
compute_monitors = | (ListOpt) A list of monitors that can be used for getting compute metrics. You can use the alias/name from the setuptools entry points for nova.compute.monitors.* namespaces. If no namespace is supplied, the "cpu." namespace is assumed for backwards-compatibility. An example value that would enable both the CPU and NUMA memory bandwidth monitors that used the virt driver variant: ["cpu.virt_driver", "numa_mem_bw.virt_driver"] |
compute_resources = vcpu | (ListOpt) The names of the extra resources to track. |
compute_stats_class = nova.compute.stats.Stats | (StrOpt) Class that will manage stats for the local compute host |
console_host = localhost | (StrOpt) Console proxy host to use to connect to instances on this host. |
console_manager = nova.console.manager.ConsoleProxyManager | (StrOpt) Full class name for the Manager for console proxy |
default_flavor = m1.small | (StrOpt) Default flavor to use for the EC2 API only. The Nova API does not support a default flavor. |
default_notification_level = INFO | (StrOpt) Default notification level for outgoing notifications |
enable_instance_password = True | (BoolOpt) Enables returning of the instance password by the relevant server API calls such as create, rebuild or rescue. If the hypervisor does not support password injection then the password returned will not be correct. |
heal_instance_info_cache_interval = 60 | (IntOpt) Number of seconds between instance network information cache updates |
image_cache_manager_interval = 2400 | (IntOpt) Number of seconds to wait between runs of the image cache manager. Set to -1 to disable. Setting this to 0 will run at the default rate. |
image_cache_subdirectory_name = _base | (StrOpt) Where cached images are stored under $instances_path. This is NOT the full path - only a folder name. For per-compute-host cached images, set to _base_$my_ip |
instance_build_timeout = 0 | (IntOpt) Amount of time in seconds an instance can be in BUILD before going into ERROR status. Set to 0 to disable. |
instance_delete_interval = 300 | (IntOpt) Interval in seconds for retrying failed instance file deletes. Set to -1 to disable. Setting this to 0 will run at the default rate. |
instance_usage_audit = False | (BoolOpt) Generate periodic compute.instance.exists notifications |
instance_usage_audit_period = month | (StrOpt) Time period to generate instance usages for. Time period must be hour, day, month or year |
instances_path = $state_path/instances | (StrOpt) Where instances are stored on disk |
max_concurrent_builds = 10 | (IntOpt) Maximum number of instance builds to run concurrently |
maximum_instance_delete_attempts = 5 | (IntOpt) The number of times to attempt to reap an instance's files. |
reboot_timeout = 0 | (IntOpt) Automatically hard reboot an instance if it has been stuck in a rebooting state longer than N seconds. Set to 0 to disable. |
reclaim_instance_interval = 0 | (IntOpt) Interval in seconds for reclaiming deleted instances |
rescue_timeout = 0 | (IntOpt) Automatically unrescue an instance after N seconds. Set to 0 to disable. |
resize_confirm_window = 0 | (IntOpt) Automatically confirm resizes after N seconds. Set to 0 to disable. |
resume_guests_state_on_host_boot = False | (BoolOpt) Whether to start guests that were running before the host rebooted |
running_deleted_instance_action = reap | (StrOpt) Action to take if a running deleted instance is detected. Set to 'noop' to take no action. |
running_deleted_instance_poll_interval = 1800 | (IntOpt) Number of seconds to wait between runs of the cleanup task. |
running_deleted_instance_timeout = 0 | (IntOpt) Number of seconds after being deleted when a running instance should be considered eligible for cleanup. |
shelved_offload_time = 0 | (IntOpt) Time in seconds before a shelved instance is eligible for removing from a host. -1: never offload, 0: offload immediately when shelved. |
shelved_poll_interval = 3600 | (IntOpt) Interval in seconds for polling shelved instances to offload. Set to -1 to disable. Setting this to 0 will run at the default rate. |
shutdown_timeout = 60 | (IntOpt) Total amount of time to wait in seconds for an instance to perform a clean shutdown. |
sync_power_state_interval = 600 | (IntOpt) Interval to sync power states between the database and the hypervisor. Set to -1 to disable. Setting this to 0 will run at the default rate. |
update_resources_interval = 0 | (IntOpt) Interval in seconds for updating compute resources. A negative number disables the task completely. Leaving this at the default of 0 will cause this to run at the default periodic interval. Setting it to any positive value will cause it to run at approximately that number of seconds. |
vif_plugging_is_fatal = True | (BoolOpt) Fail instance boot if vif plugging fails |
vif_plugging_timeout = 300 | (IntOpt) Number of seconds to wait for neutron vif plugging events to arrive before continuing or failing (see vif_plugging_is_fatal). If this is set to zero and vif_plugging_is_fatal is False, events should not be expected to arrive at all. |
Configuration option = Default value | Description |
---|---|
[DEFAULT] | |
migrate_max_retries = -1 | (IntOpt) Number of times to retry live-migration before failing. If set to -1, try until out of hosts. If set to 0, only try once, no retries. |
[conductor] | |
manager = nova.conductor.manager.ConductorManager | (StrOpt) Full class name for the Manager for conductor |
topic = conductor | (StrOpt) The topic on which conductor nodes listen |
use_local = False | (BoolOpt) Perform nova-conductor operations locally |
workers = None | (IntOpt) Number of workers for OpenStack Conductor service. The default will be the number of CPUs available. |
Configuration option = Default value | Description |
---|---|
[DEFAULT] | |
config_drive_format = iso9660 | (StrOpt) Config drive format. |
config_drive_skip_versions = 1.0 2007-01-19 2007-03-01 2007-08-29 2007-10-10 2007-12-15 2008-02-01 2008-09-01 | (StrOpt) List of metadata versions to skip placing into the config drive |
force_config_drive = None | (StrOpt) Set to "always" to force injection to take place on a config drive. NOTE: The "always" will be deprecated in the Liberty release cycle. |
mkisofs_cmd = genisoimage | (StrOpt) Name and optionally path of the tool used for ISO image creation |
[hyperv] | |
config_drive_cdrom = False | (BoolOpt) Attaches the Config Drive image as a cdrom drive instead of a disk drive |
config_drive_inject_password = False | (BoolOpt) Sets the admin password in the config drive image |
Configuration option = Default value | Description |
---|---|
[DEFAULT] | |
console_allowed_origins = | (ListOpt) Allowed Origin header hostnames for access to console proxy servers |
console_public_hostname = localhost | (StrOpt) Publicly visible name for this console host |
console_token_ttl = 600 | (IntOpt) How many seconds before deleting tokens |
consoleauth_manager = nova.consoleauth.manager.ConsoleAuthManager | (StrOpt) Manager for console auth |
[mks] | |
enabled = False | (BoolOpt) Enable MKS related features |
mksproxy_base_url = http://127.0.0.1:6090/ | (StrOpt) Location of MKS web console proxy, in the form "http://127.0.0.1:6090/" |
Configuration option = Default value | Description |
---|---|
[cors] | |
allow_credentials = True | (BoolOpt) Indicate that the actual request can include user credentials |
allow_headers = Content-Type, Cache-Control, Content-Language, Expires, Last-Modified, Pragma | (ListOpt) Indicate which header field names may be used during the actual request. |
allow_methods = GET, POST, PUT, DELETE, OPTIONS | (ListOpt) Indicate which methods can be used during the actual request. |
allowed_origin = None | (StrOpt) Indicate whether this resource may be shared with the domain received in the requests "origin" header. |
expose_headers = Content-Type, Cache-Control, Content-Language, Expires, Last-Modified, Pragma | (ListOpt) Indicate which headers are safe to expose to the API. Defaults to HTTP Simple Headers. |
max_age = 3600 | (IntOpt) Maximum cache age of CORS preflight requests. |
[cors.subdomain] | |
allow_credentials = True | (BoolOpt) Indicate that the actual request can include user credentials |
allow_headers = Content-Type, Cache-Control, Content-Language, Expires, Last-Modified, Pragma | (ListOpt) Indicate which header field names may be used during the actual request. |
allow_methods = GET, POST, PUT, DELETE, OPTIONS | (ListOpt) Indicate which methods can be used during the actual request. |
allowed_origin = None | (StrOpt) Indicate whether this resource may be shared with the domain received in the requests "origin" header. |
expose_headers = Content-Type, Cache-Control, Content-Language, Expires, Last-Modified, Pragma | (ListOpt) Indicate which headers are safe to expose to the API. Defaults to HTTP Simple Headers. |
max_age = 3600 | (IntOpt) Maximum cache age of CORS preflight requests. |
Configuration option = Default value | Description |
---|---|
[DEFAULT] | |
db_driver = nova.db | (StrOpt) The driver to use for database access |
[api_database] | |
connection = None | (StrOpt) The SQLAlchemy connection string to use to connect to the Nova API database. |
connection_debug = 0 | (IntOpt) Verbosity of SQL debugging information: 0=None, 100=Everything. |
connection_trace = False | (BoolOpt) Add Python stack traces to SQL as comment strings. |
idle_timeout = 3600 | (IntOpt) Timeout before idle SQL connections are reaped. |
max_overflow = None | (IntOpt) If set, use this value for max_overflow with SQLAlchemy. |
max_pool_size = None | (IntOpt) Maximum number of SQL connections to keep open in a pool. |
max_retries = 10 | (IntOpt) Maximum number of database connection retries during startup. Set to -1 to specify an infinite retry count. |
mysql_sql_mode = TRADITIONAL | (StrOpt) The SQL mode to be used for MySQL sessions. This option, including the default, overrides any server-set SQL mode. To use whatever SQL mode is set by the server configuration, set this to no value. Example: mysql_sql_mode= |
pool_timeout = None | (IntOpt) If set, use this value for pool_timeout with SQLAlchemy. |
retry_interval = 10 | (IntOpt) Interval between retries of opening a SQL connection. |
slave_connection = None | (StrOpt) The SQLAlchemy connection string to use to connect to the slave database. |
sqlite_synchronous = True | (BoolOpt) If True, SQLite uses synchronous mode. |
[database] | |
backend = sqlalchemy | (StrOpt) The back end to use for the database. |
connection = None | (StrOpt) The SQLAlchemy connection string to use to connect to the database. |
connection_debug = 0 | (IntOpt) Verbosity of SQL debugging information: 0=None, 100=Everything. |
connection_trace = False | (BoolOpt) Add Python stack traces to SQL as comment strings. |
db_inc_retry_interval = True | (BoolOpt) If True, increases the interval between retries of a database operation up to db_max_retry_interval. |
db_max_retries = 20 | (IntOpt) Maximum retries in case of connection error or deadlock error before error is raised. Set to -1 to specify an infinite retry count. |
db_max_retry_interval = 10 | (IntOpt) If db_inc_retry_interval is set, the maximum seconds between retries of a database operation. |
db_retry_interval = 1 | (IntOpt) Seconds between retries of a database transaction. |
idle_timeout = 3600 | (IntOpt) Timeout before idle SQL connections are reaped. |
max_overflow = None | (IntOpt) If set, use this value for max_overflow with SQLAlchemy. |
max_pool_size = None | (IntOpt) Maximum number of SQL connections to keep open in a pool. |
max_retries = 10 | (IntOpt) Maximum number of database connection retries during startup. Set to -1 to specify an infinite retry count. |
min_pool_size = 1 | (IntOpt) Minimum number of SQL connections to keep open in a pool. |
mysql_sql_mode = TRADITIONAL | (StrOpt) The SQL mode to be used for MySQL sessions. This option, including the default, overrides any server-set SQL mode. To use whatever SQL mode is set by the server configuration, set this to no value. Example: mysql_sql_mode= |
pool_timeout = None | (IntOpt) If set, use this value for pool_timeout with SQLAlchemy. |
retry_interval = 10 | (IntOpt) Interval between retries of opening a SQL connection. |
slave_connection = None | (StrOpt) The SQLAlchemy connection string to use to connect to the slave database. |
sqlite_db = oslo.sqlite | (StrOpt) The file name to use with SQLite. |
sqlite_synchronous = True | (BoolOpt) If True, SQLite uses synchronous mode. |
use_db_reconnect = False | (BoolOpt) Enable the experimental use of database reconnect on connection lost. |
use_tpool = False | (BoolOpt) Enable the experimental use of thread pooling for all DB API calls |
Configuration option = Default value | Description |
---|---|
[guestfs] | |
debug = False
|
(BoolOpt) Enable guestfs debug |
Configuration option = Default value | Description |
---|---|
[DEFAULT] | |
ec2_dmz_host = $my_ip
|
(StrOpt) The internal IP address of the EC2 API server |
ec2_host = $my_ip
|
(StrOpt) The IP address of the EC2 API server |
ec2_listen = 0.0.0.0
|
(StrOpt) The IP address on which the EC2 API will listen. |
ec2_listen_port = 8773
|
(IntOpt) The port on which the EC2 API will listen. |
ec2_path = /
|
(StrOpt) The path prefix used to call the ec2 API server |
ec2_port = 8773
|
(IntOpt) The port of the EC2 API server |
ec2_private_dns_show_ip = False
|
(BoolOpt) Return the IP address as private dns hostname in describe instances |
ec2_scheme = http
|
(StrOpt) The protocol to use when connecting to the EC2 API server |
ec2_strict_validation = True
|
(BoolOpt) Validate security group names according to EC2 specification |
ec2_timestamp_expiry = 300
|
(IntOpt) Time in seconds before ec2 timestamp expires |
ec2_workers = None
|
(IntOpt) Number of workers for EC2 API service. The default will be equal to the number of CPUs available. |
keystone_ec2_insecure = False
|
(BoolOpt) Disable SSL certificate verification. |
keystone_ec2_url = http://localhost:5000/v2.0/ec2tokens
|
(StrOpt) URL to get token from ec2 request. |
lockout_attempts = 5
|
(IntOpt) Number of failed auths before lockout. |
lockout_minutes = 15
|
(IntOpt) Number of minutes to lockout if triggered. |
lockout_window = 15
|
(IntOpt) Number of minutes for lockout window. |
region_list =
|
(ListOpt) List of region=fqdn pairs separated by commas |
Configuration option = Default value | Description |
---|---|
[ephemeral_storage_encryption] | |
cipher = aes-xts-plain64
|
(StrOpt) The cipher and mode to be used to encrypt ephemeral storage. Which ciphers are available depends on kernel support. See /proc/crypto for the list of available options. |
enabled = False
|
(BoolOpt) Whether to encrypt ephemeral storage |
key_size = 512
|
(IntOpt) The bit length of the encryption key to be used to encrypt ephemeral storage (in XTS mode only half of the bits are used for encryption key) |
Configuration option = Default value | Description |
---|---|
[DEFAULT] | |
fping_path = /usr/sbin/fping
|
(StrOpt) Full path to fping. |
Configuration option = Default value | Description |
---|---|
[DEFAULT] | |
osapi_glance_link_prefix = None
|
(StrOpt) Base URL that will be presented to users in links to glance resources |
[glance] | |
allowed_direct_url_schemes =
|
(ListOpt) A list of URL schemes that can be downloaded directly via the direct_url. Currently supported schemes: [file]. |
api_insecure = False
|
(BoolOpt) Allow insecure SSL (https) requests to glance |
api_servers = None
|
(ListOpt) A list of the glance api servers available to nova. Prefix with https:// for ssl-based glance api servers. ([hostname|ip]:port) |
host = $my_ip
|
(StrOpt) Default glance hostname or IP address |
num_retries = 0
|
(IntOpt) Number of retries when uploading / downloading an image to / from glance. |
port = 9292
|
(IntOpt) Default glance port |
protocol = http
|
(StrOpt) Default protocol to use when connecting to glance. Set to https for SSL. |
[image_file_url] | |
filesystems =
|
(ListOpt) List of file systems that are configured in this file in the image_file_url:<list entry name> sections |
Configuration option = Default value | Description |
---|---|
[DEFAULT] | |
default_ephemeral_format = None
|
(StrOpt) The default format an ephemeral_volume will be formatted with on creation. |
force_raw_images = True
|
(BoolOpt) Force backing images to raw format |
preallocate_images = none
|
(StrOpt) VM image preallocation mode: "none" => no storage provisioning is done up front, "space" => storage is fully allocated at instance start |
timeout_nbd = 10
|
(IntOpt) Amount of time, in seconds, to wait for NBD device start up. |
use_cow_images = True
|
(BoolOpt) Whether to use cow images |
vcpu_pin_set = None
|
(StrOpt) Defines which pcpus instance vcpus can use. For example, "4-12,^8,15" |
virt_mkfs = []
|
(MultiStrOpt) Name of the mkfs commands for ephemeral device. The format is <os_type>=<mkfs command> |
Configuration option = Default value | Description |
---|---|
[ironic] | |
admin_auth_token = None
|
(StrOpt) Ironic keystone auth token. DEPRECATED: use admin_username, admin_password, and admin_tenant_name instead. |
admin_password = None
|
(StrOpt) Ironic keystone admin password. |
admin_tenant_name = None
|
(StrOpt) Ironic keystone tenant name. |
admin_url = None
|
(StrOpt) Keystone public API endpoint. |
admin_username = None
|
(StrOpt) Ironic keystone admin name |
api_endpoint = None
|
(StrOpt) URL for Ironic API endpoint. |
api_max_retries = 60
|
(IntOpt) How many retries when a request does conflict. If a negative number is set, only try once, no retries. |
api_retry_interval = 2
|
(IntOpt) How often to retry in seconds when a request does conflict |
api_version = 1
|
(IntOpt) Version of Ironic API service endpoint. |
client_log_level = None
|
(StrOpt) Log level override for ironicclient. Set this in order to override the global "default_log_levels", "verbose", and "debug" settings. DEPRECATED: use standard logging configuration. |
Configuration option = Default value | Description |
---|---|
[DEFAULT] | |
fixed_range_v6 = fd00::/48
|
(StrOpt) Fixed IPv6 address block |
gateway_v6 = None
|
(StrOpt) Default IPv6 gateway |
ipv6_backend = rfc2462
|
(StrOpt) Backend to use for IPv6 generation |
use_ipv6 = False
|
(BoolOpt) Use IPv6 |
Configuration option = Default value | Description |
---|---|
[keymgr] | |
api_class = nova.keymgr.conf_key_mgr.ConfKeyManager
|
(StrOpt) The full class name of the key manager API class |
fixed_key = None
|
(StrOpt) Fixed key returned by key manager, specified in hex |
Configuration option = Default value | Description |
---|---|
[DEFAULT] | |
ldap_dns_base_dn = ou=hosts,dc=example,dc=org
|
(StrOpt) Base DN for DNS entries in LDAP |
ldap_dns_password = password
|
(StrOpt) Password for LDAP DNS |
ldap_dns_servers = ['dns.example.org']
|
(MultiStrOpt) DNS Servers for LDAP DNS driver |
ldap_dns_soa_expiry = 86400
|
(StrOpt) Expiry interval (in seconds) for LDAP DNS driver Statement of Authority |
ldap_dns_soa_hostmaster = hostmaster@example.org
|
(StrOpt) Hostmaster for LDAP DNS driver Statement of Authority |
ldap_dns_soa_minimum = 7200
|
(StrOpt) Minimum interval (in seconds) for LDAP DNS driver Statement of Authority |
ldap_dns_soa_refresh = 1800
|
(StrOpt) Refresh interval (in seconds) for LDAP DNS driver Statement of Authority |
ldap_dns_soa_retry = 3600
|
(StrOpt) Retry interval (in seconds) for LDAP DNS driver Statement of Authority |
ldap_dns_url = ldap://ldap.example.com:389
|
(StrOpt) URL for LDAP server which will store DNS entries |
ldap_dns_user = uid=admin,ou=people,dc=example,dc=org
|
(StrOpt) User for LDAP DNS |
Configuration option = Default value | Description |
---|---|
[DEFAULT] | |
remove_unused_base_images = True
|
(BoolOpt) Should unused base images be removed? |
remove_unused_original_minimum_age_seconds = 86400
|
(IntOpt) Unused unresized base images younger than this will not be removed |
[libvirt] | |
block_migration_flag = VIR_MIGRATE_UNDEFINE_SOURCE, VIR_MIGRATE_PEER2PEER, VIR_MIGRATE_LIVE, VIR_MIGRATE_TUNNELLED, VIR_MIGRATE_NON_SHARED_INC
|
(StrOpt) Migration flags to be set for block migration |
checksum_base_images = False
|
(BoolOpt) Write a checksum for files in _base to disk |
checksum_interval_seconds = 3600
|
(IntOpt) How frequently to checksum base images |
connection_uri =
|
(StrOpt) Override the default libvirt URI (which is dependent on virt_type) |
cpu_mode = None
|
(StrOpt) Set to "host-model" to clone the host CPU feature flags; to "host-passthrough" to use the host CPU model exactly; to "custom" to use a named CPU model; to "none" to not set any CPU model. If virt_type="kvm|qemu", it will default to "host-model", otherwise it will default to "none" |
cpu_model = None
|
(StrOpt) Set to a named libvirt CPU model (see names listed in /usr/share/libvirt/cpu_map.xml). Only has effect if cpu_mode="custom" and virt_type="kvm|qemu" |
disk_cachemodes =
|
(ListOpt) Specific cachemodes to use for different disk types e.g: file=directsync,block=none |
disk_prefix = None
|
(StrOpt) Override the default disk prefix for the devices attached to a server, which is dependent on virt_type. (valid options are: sd, xvd, uvd, vd) |
gid_maps =
|
(ListOpt) List of gid targets and ranges. Syntax is guest-gid:host-gid:count. Maximum of 5 allowed. |
hw_disk_discard = None
|
(StrOpt) Discard option for nova managed disks. Requires libvirt (1.0.6), QEMU 1.5 (raw format), QEMU 1.6 (qcow2 format) |
hw_machine_type = None
|
(ListOpt) For qemu or KVM guests, set this option to specify a default machine type per host architecture. You can find a list of supported machine types in your environment by checking the output of the "virsh capabilities" command. The format of the value for this config option is host-arch=machine-type. For example: x86_64=machinetype1,armv7l=machinetype2 |
image_info_filename_pattern = $instances_path/$image_cache_subdirectory_name/%(image)s.info
|
(StrOpt) Allows image information files to be stored in non-standard locations |
images_rbd_ceph_conf =
|
(StrOpt) Path to the ceph configuration file to use |
images_rbd_pool = rbd
|
(StrOpt) The RADOS pool in which rbd volumes are stored |
images_type = default
|
(StrOpt) VM Images format. If default is specified, then use_cow_images flag is used instead of this one. |
images_volume_group = None
|
(StrOpt) LVM Volume Group that is used for VM images, when you specify images_type=lvm. |
inject_key = False
|
(BoolOpt) Inject the ssh public key at boot time |
inject_partition = -2
|
(IntOpt) The partition to inject to: -2 => disable, -1 => inspect (libguestfs only), 0 => not partitioned, >0 => partition number |
inject_password = False
|
(BoolOpt) Inject the admin password at boot time, without an agent. |
iscsi_iface = None
|
(StrOpt) The iSCSI transport interface to use to connect to the target if offload support is desired. The default format is of the form transport_name.hwaddress, where transport_name is one of: be2iscsi, bnx2i, cxgb3i, cxgb4i, qla4xxx, ocs, and hwaddress is the MAC address of the interface and can be generated using the iscsiadm -m interface command. Do not confuse the iscsi_iface parameter provided here with the actual transport name. |
iscsi_use_multipath = False
|
(BoolOpt) Use multipath connection of the iSCSI volume |
iser_use_multipath = False
|
(BoolOpt) Use multipath connection of the iSER volume |
mem_stats_period_seconds = 10
|
(IntOpt) Period, in seconds, for collecting memory usage statistics. A zero or negative value disables memory usage statistics. |
remove_unused_kernels = True
|
(BoolOpt) DEPRECATED: Should unused kernel images be removed? This is only safe to enable if all compute nodes have been updated to support this option (running Grizzly or later). This will be the default behavior in the 13.0.0 release. |
remove_unused_resized_minimum_age_seconds = 3600
|
(IntOpt) Unused resized base images younger than this will not be removed |
rescue_image_id = None
|
(StrOpt) Rescue ami image. This will not be used if an image id is provided by the user. |
rescue_kernel_id = None
|
(StrOpt) Rescue aki image |
rescue_ramdisk_id = None
|
(StrOpt) Rescue ari image |
rng_dev_path = None
|
(StrOpt) A path to a device that will be used as source of entropy on the host. Permitted options are: /dev/random or /dev/hwrng |
snapshot_compression = False
|
(BoolOpt) Compress snapshot images when possible. This currently applies exclusively to qcow2 images |
snapshot_image_format = None
|
(StrOpt) Snapshot image format. Defaults to same as source image |
snapshots_directory = $instances_path/snapshots
|
(StrOpt) Location where libvirt driver will store snapshots before uploading them to image service |
sparse_logical_volumes = False
|
(BoolOpt) Create sparse logical volumes (with virtualsize) if this flag is set to True. |
sysinfo_serial = auto
|
(StrOpt) The data source used to populate the host "serial" UUID exposed to the guest in the virtual BIOS. |
uid_maps =
|
(ListOpt) List of uid targets and ranges. Syntax is guest-uid:host-uid:count. Maximum of 5 allowed. |
use_usb_tablet = True
|
(BoolOpt) Sync virtual and real mouse cursors (Not applicable to Red Hat Enterprise Linux VMs) |
use_virtio_for_bridges = True
|
(BoolOpt) Use virtio for bridge interfaces with KVM/QEMU |
virt_type = kvm
|
(StrOpt) Libvirt domain type |
volume_clear = zero
|
(StrOpt) Method used to wipe old volumes. |
volume_clear_size = 0
|
(IntOpt) Size in MiB to wipe at start of old volumes. 0 => all |
wait_soft_reboot_seconds = 120
|
(IntOpt) Number of seconds to wait for instance to shut down after soft reboot request is made. Fall back to hard reboot if instance does not shut down within this window. |
Configuration option = Default value | Description |
---|---|
[DEFAULT] | |
live_migration_retry_count = 30
|
(IntOpt) Number of 1 second retries needed in live_migration |
max_concurrent_live_migrations = 1
|
(IntOpt) Maximum number of live migrations to run concurrently. This limit is enforced to avoid outbound live migrations overwhelming the host or network and causing failures. It is not recommended that you change this unless you are very sure that doing so is safe and stable in your environment. |
[libvirt] | |
live_migration_bandwidth = 0
|
(IntOpt) Maximum bandwidth (in MiB/s) to be used during migration. If set to 0, will choose a suitable default. Some hypervisors do not support this feature and will return an error if bandwidth is not 0. Refer to the libvirt documentation for further details. |
live_migration_completion_timeout = 800
|
(IntOpt) Time to wait, in seconds, for migration to successfully complete transferring data before aborting the operation. Value is per GiB of guest RAM + disk to be transferred, with lower bound of a minimum of 2 GiB. Should usually be larger than downtime delay * downtime steps. Set to 0 to disable timeouts. |
live_migration_downtime = 500
|
(IntOpt) Maximum permitted downtime, in milliseconds, for live migration switchover. Will be rounded up to a minimum of 100ms. Use a large value if guest liveness is unimportant. |
live_migration_downtime_delay = 75
|
(IntOpt) Time to wait, in seconds, between each step increase of the migration downtime. Minimum delay is 10 seconds. Value is per GiB of guest RAM + disk to be transferred, with lower bound of a minimum of 2 GiB per device |
live_migration_downtime_steps = 10
|
(IntOpt) Number of incremental steps to reach max downtime value. Will be rounded up to a minimum of 3 steps. |
live_migration_flag = VIR_MIGRATE_UNDEFINE_SOURCE, VIR_MIGRATE_PEER2PEER, VIR_MIGRATE_LIVE, VIR_MIGRATE_TUNNELLED
|
(StrOpt) Migration flags to be set for live migration |
live_migration_progress_timeout = 150
|
(IntOpt) Time to wait, in seconds, for migration to make forward progress in transferring data before aborting the operation. Set to 0 to disable timeouts. |
live_migration_uri = qemu+tcp://%s/system
|
(StrOpt) Migration target URI (any included "%s" is replaced with the migration target hostname) |
Configuration option = Default value | Description |
---|---|
[DEFAULT] | |
debug = False
|
(BoolOpt) Print debugging output (set logging level to DEBUG instead of default INFO level). |
default_log_levels = amqp=WARN, amqplib=WARN, boto=WARN, qpid=WARN, sqlalchemy=WARN, suds=INFO, oslo.messaging=INFO, iso8601=WARN, requests.packages.urllib3.connectionpool=WARN, urllib3.connectionpool=WARN, websocket=WARN, requests.packages.urllib3.util.retry=WARN, urllib3.util.retry=WARN, keystonemiddleware=WARN, routes.middleware=WARN, stevedore=WARN, taskflow=WARN
|
(ListOpt) List of logger=LEVEL pairs. This option is ignored if log_config_append is set. |
fatal_deprecations = False
|
(BoolOpt) Enables or disables fatal status of deprecations. |
fatal_exception_format_errors = False
|
(BoolOpt) Make exception message format errors fatal |
instance_format = "[instance: %(uuid)s] "
|
(StrOpt) The format for an instance that is passed with the log message. |
instance_uuid_format = "[instance: %(uuid)s] "
|
(StrOpt) The format for an instance UUID that is passed with the log message. |
log_config_append = None
|
(StrOpt) The name of a logging configuration file. This file is appended to any existing logging configuration files. For details about logging configuration files, see the Python logging module documentation. |
log_date_format = %Y-%m-%d %H:%M:%S
|
(StrOpt) Format string for %(asctime)s in log records. This option is ignored if log_config_append is set. |
log_dir = None
|
(StrOpt) (Optional) The base directory used for relative --log-file paths. This option is ignored if log_config_append is set. |
log_file = None
|
(StrOpt) (Optional) Name of log file to output to. If no default is set, logging will go to stdout. This option is ignored if log_config_append is set. |
log_format = None
|
(StrOpt) DEPRECATED: Format string for the log message formatter, which may use any of the available logging.LogRecord attributes. Use logging_context_format_string and logging_default_format_string instead. This option is ignored if log_config_append is set. |
logging_context_format_string = %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [%(request_id)s %(user_identity)s] %(instance)s%(message)s
|
(StrOpt) Format string to use for log messages with context. |
logging_debug_format_suffix = %(funcName)s %(pathname)s:%(lineno)d
|
(StrOpt) Data to append to log format when level is DEBUG. |
logging_default_format_string = %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [-] %(instance)s%(message)s
|
(StrOpt) Format string to use for log messages without context. |
logging_exception_prefix = %(asctime)s.%(msecs)03d %(process)d ERROR %(name)s %(instance)s
|
(StrOpt) Prefix each line of exception output with this format. |
publish_errors = False
|
(BoolOpt) Enables or disables publication of error events. |
syslog_log_facility = LOG_USER
|
(StrOpt) Syslog facility to receive log lines. This option is ignored if log_config_append is set. |
use_stderr = True
|
(BoolOpt) Log output to standard error. This option is ignored if log_config_append is set. |
use_syslog = False
|
(BoolOpt) Use syslog for logging. Existing syslog format is DEPRECATED and will be changed later to honor RFC5424. This option is ignored if log_config_append is set. |
use_syslog_rfc_format = True
|
(BoolOpt) (Optional) Enables or disables syslog rfc5424 format for logging. If enabled, prefixes the MSG part of the syslog message with APP-NAME (RFC5424). The format without the APP-NAME is deprecated in Kilo, and will be removed in Mitaka, along with this option. This option is ignored if log_config_append is set. |
verbose = True
|
(BoolOpt) If set to false, will disable INFO logging level, making WARNING the default. |
watch_log_file = False
|
(BoolOpt) (Optional) Uses logging handler designed to watch the file system. When a log file is moved or removed, this handler will open a new log file with the specified path instantaneously. It only makes sense if the log_file option is specified. This option is ignored if log_config_append is set. |
Configuration option = Default value | Description |
---|---|
[DEFAULT] | |
metadata_cache_expiration = 15
|
(IntOpt) Time in seconds to cache metadata; 0 to disable metadata caching entirely (not recommended). Increasing this should improve response times of the metadata API when under heavy load. Higher values may increase memory usage and result in longer times for host metadata changes to take effect. |
metadata_host = $my_ip
|
(StrOpt) The IP address for the metadata API server |
metadata_listen = 0.0.0.0
|
(StrOpt) The IP address on which the metadata API will listen. |
metadata_listen_port = 8775
|
(IntOpt) The port on which the metadata API will listen. |
metadata_manager = nova.api.manager.MetadataManager
|
(StrOpt) OpenStack metadata service manager |
metadata_port = 8775
|
(IntOpt) The port for the metadata API |
metadata_workers = None
|
(IntOpt) Number of workers for metadata service. The default will be the number of CPUs available. |
vendordata_driver = nova.api.metadata.vendordata_json.JsonFileVendorData
|
(StrOpt) Driver to use for vendor data |
vendordata_jsonfile_path = None
|
(StrOpt) File to load JSON formatted vendor data from |
Configuration option = Default value | Description |
---|---|
[DEFAULT] | |
allow_same_net_traffic = True
|
(BoolOpt) Whether to allow network traffic from same network |
auto_assign_floating_ip = False
|
(BoolOpt) Automatically assign a floating IP to the VM |
cnt_vpn_clients = 0
|
(IntOpt) Number of addresses reserved for vpn clients |
create_unique_mac_address_attempts = 5
|
(IntOpt) Number of attempts to create unique mac address |
default_access_ip_network_name = None
|
(StrOpt) Name of network to use to set access IPs for instances |
default_floating_pool = nova
|
(StrOpt) Default pool for floating IPs |
defer_iptables_apply = False
|
(BoolOpt) Whether to batch up the application of IPTables rules during a host restart and apply all at the end of the init phase |
dhcp_domain = novalocal
|
(StrOpt) Domain to use for building the hostnames |
dhcp_lease_time = 86400
|
(IntOpt) Lifetime of a DHCP lease in seconds |
dhcpbridge = $bindir/nova-dhcpbridge
|
(StrOpt) Location of nova-dhcpbridge |
dhcpbridge_flagfile = ['/etc/nova/nova-dhcpbridge.conf']
|
(MultiStrOpt) Location of flagfiles for dhcpbridge |
dns_server = []
|
(MultiStrOpt) If set, uses specific DNS server for dnsmasq. Can be specified multiple times. |
dns_update_periodic_interval = -1
|
(IntOpt) Number of seconds to wait between runs of updates to DNS entries. |
dnsmasq_config_file =
|
(StrOpt) Override the default dnsmasq settings with this file |
ebtables_exec_attempts = 3
|
(IntOpt) Number of times to retry ebtables commands on failure. |
ebtables_retry_interval = 1.0
|
(FloatOpt) Number of seconds to wait between ebtables retries. |
firewall_driver = None
|
(StrOpt) Firewall driver (defaults to hypervisor specific iptables driver) |
fixed_ip_disassociate_timeout = 600
|
(IntOpt) Seconds after which a deallocated IP is disassociated |
flat_injected = False
|
(BoolOpt) Whether to attempt to inject network setup into guest |
flat_interface = None
|
(StrOpt) FlatDhcp will bridge into this interface if set |
flat_network_bridge = None
|
(StrOpt) Bridge for simple network instances |
flat_network_dns = 8.8.4.4
|
(StrOpt) DNS server for simple network |
floating_ip_dns_manager = nova.network.noop_dns_driver.NoopDNSDriver
|
(StrOpt) Full class name for the DNS Manager for floating IPs |
force_dhcp_release = True
|
(BoolOpt) If True, send a dhcp release on instance termination |
force_snat_range = []
|
(MultiStrOpt) Traffic to this range will always be snatted to the fallback ip, even if it would normally be bridged out of the node. Can be specified multiple times. |
forward_bridge_interface = ['all']
|
(MultiStrOpt) An interface that bridges can forward to. If this is set to all then all traffic will be forwarded. Can be specified multiple times. |
gateway = None
|
(StrOpt) Default IPv4 gateway |
injected_network_template = $pybasedir/nova/virt/interfaces.template
|
(StrOpt) Template file for injected network |
instance_dns_domain =
|
(StrOpt) Full class name for the DNS Zone for instance IPs |
instance_dns_manager = nova.network.noop_dns_driver.NoopDNSDriver
|
(StrOpt) Full class name for the DNS Manager for instance IPs |
iptables_bottom_regex =
|
(StrOpt) Regular expression to match the iptables rule that should always be on the bottom. |
iptables_drop_action = DROP
|
(StrOpt) The table that iptables jumps to when a packet is to be dropped. |
iptables_top_regex =
|
(StrOpt) Regular expression to match the iptables rule that should always be on the top. |
l3_lib = nova.network.l3.LinuxNetL3
|
(StrOpt) Indicates underlying L3 management library |
linuxnet_interface_driver = nova.network.linux_net.LinuxBridgeInterfaceDriver
|
(StrOpt) Driver used to create ethernet devices. |
linuxnet_ovs_integration_bridge = br-int
|
(StrOpt) Name of Open vSwitch bridge used with linuxnet |
multi_host = False
|
(BoolOpt) Default value for multi_host in networks. Also, if set, some rpc network calls will be sent directly to host. |
network_allocate_retries = 0
|
(IntOpt) Number of times to retry network allocation on failures |
network_api_class = nova.network.api.API
|
(StrOpt) The full class name of the network API class to use |
network_device_mtu = None
|
(IntOpt) DEPRECATED: THIS VALUE SHOULD BE SET WHEN CREATING THE NETWORK. MTU setting for network interface. |
network_driver = nova.network.linux_net
|
(StrOpt) Driver to use for network creation |
network_manager = nova.network.manager.VlanManager
|
(StrOpt) Full class name for the Manager for network |
network_size = 256
|
(IntOpt) Number of addresses in each private subnet |
network_topic = network
|
(StrOpt) The topic network nodes listen on |
networks_path = $state_path/networks
|
(StrOpt) Location to keep network config files |
num_networks = 1
|
(IntOpt) Number of networks to support |
ovs_vsctl_timeout = 120
|
(IntOpt) Amount of time, in seconds, that ovs_vsctl should wait for a response from the database. 0 is to wait forever. |
public_interface = eth0
|
(StrOpt) Interface for public IP addresses |
routing_source_ip = $my_ip
|
(StrOpt) Public IP of network host |
security_group_api = nova
|
(StrOpt) The full class name of the security API class |
send_arp_for_ha = False
|
(BoolOpt) Send gratuitous ARPs for HA setup |
send_arp_for_ha_count = 3
|
(IntOpt) Send this many gratuitous ARPs for HA setup |
share_dhcp_address = False
|
(BoolOpt) DEPRECATED: THIS VALUE SHOULD BE SET WHEN CREATING THE NETWORK. If True in multi_host mode, all compute hosts share the same dhcp address. The same IP address used for DHCP will be added on each nova-network node which is only visible to the vms on the same host. |
teardown_unused_network_gateway = False
|
(BoolOpt) If True, unused gateway devices (VLAN and bridge) are deleted in VLAN network mode with multi hosted networks |
update_dns_entries = False
|
(BoolOpt) If True, when a DNS entry must be updated, it sends a fanout cast to all network hosts to update their DNS entries in multi host mode |
use_network_dns_servers = False
|
(BoolOpt) If set, uses the dns1 and dns2 from the network ref. as dns servers. |
use_neutron_default_nets = False
|
(StrOpt) Control for checking for default networks |
use_single_default_gateway = False
|
(BoolOpt) Use single default gateway. Only first nic of vm will get default gateway from dhcp server |
vlan_interface = None
|
(StrOpt) VLANs will bridge into this interface if set |
vlan_start = 100
|
(IntOpt) First VLAN for private networks |
[libvirt] | |
remote_filesystem_transport = ssh
|
(StrOpt) Use ssh or rsync transport for creating, copying, removing files on the remote host. |
[vmware] | |
vlan_interface = vmnic0
|
(StrOpt) Physical ethernet adapter name for vlan networking |
Configuration option = Default value | Description |
---|---|
[DEFAULT] | |
neutron_default_tenant_id = default
|
(StrOpt) Default tenant id when creating neutron networks |
[neutron] | |
admin_auth_url = http://localhost:5000/v2.0
|
(StrOpt) Authorization URL for connecting to neutron in admin context. DEPRECATED: specify an auth_plugin and appropriate credentials instead. |
admin_password = None
|
(StrOpt) Password for connecting to neutron in admin context. DEPRECATED: specify an auth_plugin and appropriate credentials instead. |
admin_tenant_id = None
|
(StrOpt) Tenant id for connecting to neutron in admin context. DEPRECATED: specify an auth_plugin and appropriate credentials instead. |
admin_tenant_name = None
|
(StrOpt) Tenant name for connecting to neutron in admin context. This option will be ignored if neutron_admin_tenant_id is set. Note that with Keystone V3 tenant names are only unique within a domain. DEPRECATED: specify an auth_plugin and appropriate credentials instead. |
admin_user_id = None
|
(StrOpt) User id for connecting to neutron in admin context. DEPRECATED: specify an auth_plugin and appropriate credentials instead. |
admin_username = None
|
(StrOpt) Username for connecting to neutron in admin context. DEPRECATED: specify an auth_plugin and appropriate credentials instead. |
auth_plugin = None
|
(StrOpt) Name of the plugin to load |
auth_section = None
|
(StrOpt) Config Section from which to load plugin specific options |
auth_strategy = keystone
|
(StrOpt) Authorization strategy for connecting to neutron in admin context. DEPRECATED: specify an auth_plugin and appropriate credentials instead. If an auth_plugin is specified strategy will be ignored. |
cafile = None
|
(StrOpt) PEM encoded Certificate Authority to use when verifying HTTPS connections. |
certfile = None
|
(StrOpt) PEM encoded client certificate cert file |
extension_sync_interval = 600
|
(IntOpt) Number of seconds before querying neutron for extensions |
insecure = False
|
(BoolOpt) Verify HTTPS connections. |
keyfile = None
|
(StrOpt) PEM encoded client certificate key file |
metadata_proxy_shared_secret =
|
(StrOpt) Shared secret to validate proxied Neutron metadata requests |
ovs_bridge = br-int
|
(StrOpt) Name of Integration Bridge used by Open vSwitch |
region_name = None
|
(StrOpt) Region name for connecting to neutron in admin context |
service_metadata_proxy = False
|
(BoolOpt) Set flag to indicate Neutron will proxy metadata requests and resolve instance ids. |
timeout = None
|
(IntOpt) Timeout value for http requests |
url = http://127.0.0.1:9696
|
(StrOpt) URL for connecting to neutron |
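
Several options in the tables above decide whether Compute reaches other services over verified TLS. The following Python audit is an added example, not part of the original reference or of Nova itself; it reports effective values (file value, else the default listed on this page) that disable certificate verification or leave a channel in cleartext. The sample file, the finding wording, the boolean spellings, treating scheme-less `api_servers` entries as http, and flagging `qemu+tcp` (libvirt's plain TCP transport) are assumptions of the example.

```python
import configparser
from urllib.parse import urlsplit

LOOPBACK = {"localhost", "127.0.0.1", "::1"}
TRUE_WORDS = {"1", "true", "yes", "on"}  # spellings read as True (assumption)

# Defaults copied from the option tables on this page.
DEFAULTS = {
    ("DEFAULT", "keystone_ec2_insecure"): "False",
    ("DEFAULT", "keystone_ec2_url"): "http://localhost:5000/v2.0/ec2tokens",
    ("DEFAULT", "ldap_dns_password"): "password",
    ("glance", "api_insecure"): "False",
    ("glance", "api_servers"): "",
    ("glance", "protocol"): "http",
    ("glance", "host"): "$my_ip",
    ("neutron", "insecure"): "False",
    ("neutron", "url"): "http://127.0.0.1:9696",
    ("neutron", "admin_auth_url"): "http://localhost:5000/v2.0",
    ("neutron", "service_metadata_proxy"): "False",
    ("neutron", "metadata_proxy_shared_secret"): "",
    ("libvirt", "live_migration_uri"): "qemu+tcp://%s/system",
}

# Constructed sample input, not taken from a real deployment.
SAMPLE = """\
[DEFAULT]
keystone_ec2_insecure = True
keystone_ec2_url = http://keystone.example.org:5000/v2.0/ec2tokens
ldap_dns_url = ldap://ldap.example.org:389

[glance]
api_servers = https://glance.example.org:9292, 192.0.2.10:9292

[neutron]
url = https://neutron.example.org:9696
service_metadata_proxy = True
metadata_proxy_shared_secret =

[libvirt]
live_migration_uri = qemu+tls://%s/system
"""


def audit(text):
    """Return sorted (section, option, reason) findings for nova.conf text."""
    # interpolation=None keeps "%s" literal; [DEFAULT] stays an ordinary section.
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   default_section="__unused__")
    cp.read_string(text)

    def get(section, option):
        if cp.has_option(section, option):
            return cp.get(section, option).strip()
        return DEFAULTS[(section, option)]

    def cleartext(url):
        parts = urlsplit(url)
        return parts.scheme in ("http", "ldap") and parts.hostname not in LOOPBACK

    found = []
    # 1. Flags that switch certificate verification off.
    for sec, opt in (("DEFAULT", "keystone_ec2_insecure"),
                     ("glance", "api_insecure"), ("neutron", "insecure")):
        if get(sec, opt).lower() in TRUE_WORDS:
            found.append((sec, opt, "certificate verification disabled"))
    # 2. Service endpoints reached without TLS (loopback is not reported).
    for sec, opt in (("DEFAULT", "keystone_ec2_url"), ("neutron", "url"),
                     ("neutron", "admin_auth_url")):
        if cleartext(get(sec, opt)):
            found.append((sec, opt, "cleartext endpoint"))
    servers = [s.strip() for s in get("glance", "api_servers").split(",") if s.strip()]
    if servers:
        # Entries without an https:// prefix are treated as http (assumption).
        if any(cleartext(s if "//" in s else "http://" + s) for s in servers):
            found.append(("glance", "api_servers", "cleartext endpoint"))
    elif (get("glance", "protocol").lower() == "http"
          and get("glance", "host") not in LOOPBACK):
        found.append(("glance", "protocol", "cleartext endpoint"))
    # 3. LDAP DNS driver, checked only when ldap_dns_url is set in the file.
    if cp.has_option("DEFAULT", "ldap_dns_url"):
        if cleartext(cp.get("DEFAULT", "ldap_dns_url").strip()):
            found.append(("DEFAULT", "ldap_dns_url", "cleartext endpoint"))
        if get("DEFAULT", "ldap_dns_password") == "password":
            found.append(("DEFAULT", "ldap_dns_password", "documented default password"))
    # 4. Metadata proxying enabled with an empty shared secret.
    if (get("neutron", "service_metadata_proxy").lower() in TRUE_WORDS
            and not get("neutron", "metadata_proxy_shared_secret")):
        found.append(("neutron", "service_metadata_proxy", "no shared secret set"))
    # 5. Live migration over libvirt's plain TCP transport.
    if get("libvirt", "live_migration_uri").startswith("qemu+tcp://"):
        found.append(("libvirt", "live_migration_uri", "plain TCP libvirt transport"))
    return sorted(found)


if __name__ == "__main__":
    for section, option, reason in audit(SAMPLE):
        print(f"[{section}] {option}: {reason}")
```

Running it against an empty file shows what the documented defaults alone leave open: the `[glance]` `protocol` and the `[libvirt]` `live_migration_uri`.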
Configuration option = Default value | Description |
---|---|
[DEFAULT] | |
pci_alias = []
|
(MultiStrOpt) An alias for a PCI passthrough device requirement. This allows users to specify the alias in the extra_spec for a flavor, without needing to repeat all the PCI property requirements. For example: pci_alias = { "name": "QuickAssist", "product_id": "0443", "vendor_id": "8086", "device_type": "ACCEL" } defines an alias for the Intel QuickAssist card. (multi valued) |
pci_passthrough_whitelist = []
|
(MultiStrOpt) White list of PCI devices available to VMs. For example: pci_passthrough_whitelist = [{"vendor_id": "8086", "product_id": "0443"}] |
Configuration option = Default value | Description |
---|---|
[DEFAULT] | |
periodic_enable = True
|
(BoolOpt) Enable periodic tasks |
periodic_fuzzy_delay = 60
|
(IntOpt) Range of seconds to randomly delay when starting the periodic task scheduler to reduce stampeding. (Disable by setting to 0) |
Configuration option = Default value | Description |
---|---|
[DEFAULT] | |
allow_instance_snapshots = True
|
(BoolOpt) Permit instance snapshot operations. |
allow_resize_to_same_host = False
|
(BoolOpt) Allow destination machine to match source for resize. Useful when testing in single-host environments. |
max_age = 0
|
(IntOpt) Number of seconds between subsequent usage refreshes. This defaults to 0 (off) to avoid additional load, but it is useful to turn on to help keep quota usage up to date and reduce the impact of out-of-sync usage issues. Note that quotas are not updated on a periodic task; they will update on a new reservation if max_age has passed since the last reservation. |
max_local_block_devices = 3
|
(IntOpt) Maximum number of devices that will result in a local image being created on the hypervisor node. A negative number means unlimited. Setting max_local_block_devices to 0 means that any request that attempts to create a local disk will fail. This option is meant to limit the number of local disks (that is, the root local disk that results from --image being used, and any other ephemeral and swap disks). 0 does not mean that images will be automatically converted to volumes and boot instances from volumes; it just means that all requests that attempt to create a local disk will fail. |
osapi_compute_unique_server_name_scope =
|
(StrOpt) When set, compute API will consider duplicate hostnames invalid within the specified scope, regardless of case. Should be empty, "project" or "global". |
osapi_max_limit = 1000
|
(IntOpt) The maximum number of items returned in a single response from a collection resource |
password_length = 12
|
(IntOpt) Length of generated instance admin passwords |
policy_default_rule = default
|
(StrOpt) Default rule. Enforced when a requested rule is not found. |
policy_dirs = ['policy.d']
|
(MultiStrOpt) Directories where policy configuration files are stored. They can be relative to any directory in the search path defined by the config_dir option, or absolute paths. The file defined by policy_file must exist for these directories to be searched. Missing or empty directories are ignored. |
policy_file = policy.json
|
(StrOpt) The JSON file that defines policies. |
reservation_expire = 86400
|
(IntOpt) Number of seconds until a reservation expires |
resize_fs_using_block_device = False
|
(BoolOpt) Attempt to resize the filesystem by accessing the image over a block device. This is done by the host and may not be necessary if the image contains a recent version of cloud-init. Possible mechanisms require the nbd driver (for qcow and raw), or loop (for raw). |
until_refresh = 0
|
(IntOpt) Count of reservations until usage is refreshed. This defaults to 0 (off) to avoid additional load, but it is useful to turn on to help keep quota usage up to date and reduce the impact of out-of-sync usage issues. |
Configuration option = Default value | Description |
---|---|
[libvirt] | |
quobyte_client_cfg = None
|
(StrOpt) Path to a Quobyte Client configuration file. |
quobyte_mount_point_base = $state_path/mnt
|
(StrOpt) Directory where the Quobyte volume is mounted on the compute node |
Configuration option = Default value | Description |
---|---|
[DEFAULT] | |
bandwidth_poll_interval = 600
|
(IntOpt) Interval to pull network bandwidth usage info. Not supported on all hypervisors. Set to -1 to disable. Setting this to 0 will run at the default rate. |
enable_network_quota = False
|
(BoolOpt) Enables or disables quota checking for tenant networks |
quota_cores = 20
|
(IntOpt) Number of instance cores allowed per project |
quota_driver = nova.quota.DbQuotaDriver
|
(StrOpt) Default driver to use for quota checks |
quota_fixed_ips = -1
|
(IntOpt) Number of fixed IPs allowed per project (this should be at least the number of instances allowed) |
quota_floating_ips = 10
|
(IntOpt) Number of floating IPs allowed per project |
quota_injected_file_content_bytes = 10240
|
(IntOpt) Number of bytes allowed per injected file |
quota_injected_file_path_length = 255
|
(IntOpt) Length of injected file path |
quota_injected_files = 5
|
(IntOpt) Number of injected files allowed |
quota_instances = 10
|
(IntOpt) Number of instances allowed per project |
quota_key_pairs = 100
|
(IntOpt) Number of key pairs per user |
quota_metadata_items = 128
|
(IntOpt) Number of metadata items allowed per instance |
quota_networks = 3
|
(IntOpt) Number of private networks allowed per project |
quota_ram = 51200
|
(IntOpt) Megabytes of instance RAM allowed per project |
quota_security_group_rules = 20
|
(IntOpt) Number of security rules per security group |
quota_security_groups = 10
|
(IntOpt) Number of security groups per project |
quota_server_group_members = 10
|
(IntOpt) Number of servers per server group |
quota_server_groups = 10
|
(IntOpt) Number of server groups per project |
[cells] | |
bandwidth_update_interval = 600
|
(IntOpt) Seconds between bandwidth updates for cells. |
Configuration option = Default value | Description |
---|---|
[rdp] | |
enabled = False
|
(BoolOpt) Enable RDP related features |
html5_proxy_base_url = http://127.0.0.1:6083/
|
(StrOpt) Location of RDP html5 console proxy, in the form "http://127.0.0.1:6083/" |
Configuration option = Default value | Description |
---|---|
[DEFAULT] | |
password =
|
(StrOpt) Password for Redis server (optional). |
port = 6379
|
(IntOpt) Use this port to connect to redis host. |
[matchmaker_redis] | |
host = 127.0.0.1
|
(StrOpt) Host to locate redis. |
password =
|
(StrOpt) Password for Redis server (optional). |
port = 6379
|
(IntOpt) Use this port to connect to redis host. |
Configuration option = Default value | Description |
---|---|
[DEFAULT] | |
buckets_path = $state_path/buckets
|
(StrOpt) Path to S3 buckets |
image_decryption_dir = /tmp
|
(StrOpt) Parent directory for tempdir used for image decryption |
s3_access_key = notchecked
|
(StrOpt) Access key to use for S3 server for images |
s3_affix_tenant = False
|
(BoolOpt) Whether to affix the tenant id to the access key when downloading from S3 |
s3_host = $my_ip
|
(StrOpt) Hostname or IP for OpenStack to use when accessing the S3 api |
s3_listen = 0.0.0.0
|
(StrOpt) IP address for S3 API to listen |
s3_listen_port = 3333
|
(IntOpt) Port for S3 API to listen |
s3_port = 3333
|
(IntOpt) Port used when accessing the S3 api |
s3_secret_key = notchecked
|
(StrOpt) Secret key to use for S3 server for images |
s3_use_ssl = False
|
(BoolOpt) Whether to use SSL when talking to S3 |
Configuration option = Default value | Description |
---|---|
[DEFAULT] | |
aggregate_image_properties_isolation_namespace = None
|
(StrOpt) Force the filter to consider only keys matching the given namespace. |
aggregate_image_properties_isolation_separator = .
|
(StrOpt) The separator used between the namespace and keys |
baremetal_scheduler_default_filters = RetryFilter, AvailabilityZoneFilter, ComputeFilter, ComputeCapabilitiesFilter, ImagePropertiesFilter, ExactRamFilter, ExactDiskFilter, ExactCoreFilter
|
(ListOpt) Which filter class names to use for filtering baremetal hosts when not specified in the request. |
cpu_allocation_ratio = 0.0
|
(FloatOpt) Virtual CPU to physical CPU allocation ratio which affects all CPU filters. This configuration specifies a global ratio for CoreFilter. For AggregateCoreFilter, it will fall back to this configuration value if no per-aggregate setting found. NOTE: This can be set per-compute, or if set to 0.0, the value set on the scheduler node(s) will be used and defaulted to 1.5. |
disk_allocation_ratio = 1.0
|
(FloatOpt) Virtual disk to physical disk allocation ratio |
io_ops_weight_multiplier = -1.0
|
(FloatOpt) Multiplier used for weighing host io ops. Negative numbers mean a preference to choose light workload compute hosts. |
isolated_hosts =
|
(ListOpt) Host reserved for specific images |
isolated_images =
|
(ListOpt) Images to run on isolated host |
max_instances_per_host = 50
|
(IntOpt) Ignore hosts that have too many instances |
max_io_ops_per_host = 8
|
(IntOpt) Tells filters to ignore hosts that have this many or more instances currently in build, resize, snapshot, migrate, rescue or unshelve task states |
ram_allocation_ratio = 0.0
|
(FloatOpt) Virtual RAM to physical RAM allocation ratio which affects all RAM filters. This configuration specifies a global ratio for RamFilter. For AggregateRamFilter, it will fall back to this configuration value if no per-aggregate setting found. NOTE: This can be set per-compute, or if set to 0.0, the value set on the scheduler node(s) will be used and defaulted to 1.5. |
ram_weight_multiplier = 1.0
|
(FloatOpt) Multiplier used for weighing ram. Negative numbers mean to stack vs spread. |
reserved_host_disk_mb = 0
|
(IntOpt) Amount of disk in MB to reserve for the host |
reserved_host_memory_mb = 512
|
(IntOpt) Amount of memory in MB to reserve for the host |
restrict_isolated_hosts_to_isolated_images = True
|
(BoolOpt) Whether to force isolated hosts to run only isolated images |
scheduler_available_filters = ['nova.scheduler.filters.all_filters']
|
(MultiStrOpt) Filter classes available to the scheduler which may be specified more than once. An entry of "nova.scheduler.filters.all_filters" maps to all filters included with nova. |
scheduler_default_filters = RetryFilter, AvailabilityZoneFilter, RamFilter, DiskFilter, ComputeFilter, ComputeCapabilitiesFilter, ImagePropertiesFilter, ServerGroupAntiAffinityFilter, ServerGroupAffinityFilter
|
(ListOpt) Which filter class names to use for filtering hosts when not specified in the request. |
scheduler_driver = nova.scheduler.filter_scheduler.FilterScheduler
|
(StrOpt) Default driver to use for the scheduler |
scheduler_driver_task_period = 60
|
(IntOpt) How often (in seconds) to run periodic tasks in the scheduler driver of your choice. Note this is likely to interact with the value of service_down_time, but exactly how they interact will depend on your choice of scheduler driver. |
scheduler_host_manager = nova.scheduler.host_manager.HostManager
|
(StrOpt) The scheduler host manager class to use |
scheduler_host_subset_size = 1
|
(IntOpt) New instances will be scheduled on a host chosen randomly from a subset of the N best hosts. This property defines the subset size that a host is chosen from. A value of 1 chooses the first host returned by the weighing functions. This value must be at least 1. Any value less than 1 will be ignored, and 1 will be used instead |
scheduler_instance_sync_interval = 120
|
(IntOpt) Waiting time interval (seconds) between sending the scheduler a list of current instance UUIDs to verify that its view of instances is in sync with nova. If the CONF option `scheduler_tracks_instance_changes` is False, changing this option will have no effect. |
scheduler_json_config_location =
|
(StrOpt) Absolute path to scheduler configuration JSON file. |
scheduler_manager = nova.scheduler.manager.SchedulerManager
|
(StrOpt) Full class name for the Manager for scheduler |
scheduler_max_attempts = 3
|
(IntOpt) Maximum number of attempts to schedule an instance |
scheduler_topic = scheduler
|
(StrOpt) The topic scheduler nodes listen on |
scheduler_tracks_instance_changes = True
|
(BoolOpt) Determines if the Scheduler tracks changes to instances to help with its filtering decisions. |
scheduler_use_baremetal_filters = False
|
(BoolOpt) Flag to decide whether to use baremetal_scheduler_default_filters or not. |
scheduler_weight_classes = nova.scheduler.weights.all_weighers
|
(ListOpt) Which weight class names to use for weighing hosts |
[cells] | |
ram_weight_multiplier = 10.0
|
(FloatOpt) Multiplier used for weighing ram. Negative numbers mean to stack vs spread. |
scheduler_filter_classes = nova.cells.filters.all_filters
|
(ListOpt) Filter classes the cells scheduler should use. An entry of "nova.cells.filters.all_filters" maps to all cells filters included with nova. |
scheduler_retries = 10
|
(IntOpt) How many retries when no cells are available. |
scheduler_retry_delay = 2
|
(IntOpt) How often to retry in seconds when no cells are available. |
scheduler_weight_classes = nova.cells.weights.all_weighers
|
(ListOpt) Weigher classes the cells scheduler should use. An entry of "nova.cells.weights.all_weighers" maps to all cell weighers included with nova. |
[metrics] | |
required = True
|
(BoolOpt) How to treat unavailable metrics. When a metric is not available for a host and this option is True, an exception is raised, so it is recommended to use the scheduler filter MetricFilter to filter out those hosts. When it is False, the unavailable metric is treated as a negative factor in the weighing process, and the returned value is set by the option weight_of_unavailable. |
weight_multiplier = 1.0
|
(FloatOpt) Multiplier used for weighing metrics. |
weight_of_unavailable = -10000.0
|
(FloatOpt) The final weight value to be returned if required is set to False and any one of the metrics set by weight_setting is unavailable. |
weight_setting =
|
(ListOpt) How the metrics are going to be weighed. This should be in the form of "<name1>=<ratio1>, <name2>=<ratio2>, ...", where <nameX> is one of the metrics to be weighed, and <ratioX> is the corresponding ratio. So for "name1=1.0, name2=-1.0" The final weight would be name1.value * 1.0 + name2.value * -1.0. |
Configuration option = Default value | Description |
---|---|
[serial_console] | |
base_url = ws://127.0.0.1:6083/
|
(StrOpt) Location of serial console proxy. |
enabled = False
|
(BoolOpt) Enable serial console related features |
listen = 127.0.0.1
|
(StrOpt) IP address on which instance serial console should listen |
port_range = 10000:20000
|
(StrOpt) Range of TCP ports to use for serial ports on compute hosts |
proxyclient_address = 127.0.0.1
|
(StrOpt) The address to which proxy clients (like nova-serialproxy) should connect |
serialproxy_host = 0.0.0.0
|
(StrOpt) Host on which to listen for incoming requests |
serialproxy_port = 6083
|
(IntOpt) Port on which to listen for incoming requests |
Configuration option = Default value | Description |
---|---|
[spice] | |
agent_enabled = True
|
(BoolOpt) Enable spice guest agent support |
enabled = False
|
(BoolOpt) Enable spice related features |
html5proxy_base_url = http://127.0.0.1:6082/spice_auto.html
|
(StrOpt) Location of spice HTML5 console proxy, in the form "http://127.0.0.1:6082/spice_auto.html" |
html5proxy_host = 0.0.0.0
|
(StrOpt) Host on which to listen for incoming requests |
html5proxy_port = 6082
|
(IntOpt) Port on which to listen for incoming requests |
keymap = en-us
|
(StrOpt) Keymap for spice |
server_listen = 127.0.0.1
|
(StrOpt) IP address on which instance spice server should listen |
server_proxyclient_address = 127.0.0.1
|
(StrOpt) The address to which proxy clients (like nova-spicehtml5proxy) should connect |
Configuration option = Default value | Description |
---|---|
[DEFAULT] | |
fake_call = False
|
(BoolOpt) If True, skip using the queue and make local calls |
fake_network = False
|
(BoolOpt) If passed, use fake network devices and addresses |
monkey_patch = False
|
(BoolOpt) Whether to log monkey patching |
monkey_patch_modules = nova.api.ec2.cloud:nova.notifications.notify_decorator, nova.compute.api:nova.notifications.notify_decorator
|
(ListOpt) List of modules/decorators to monkey patch |
Configuration option = Default value | Description |
---|---|
[trusted_computing] | |
attestation_api_url = /OpenAttestationWebServices/V1.0
|
(StrOpt) Attestation web API URL |
attestation_auth_blob = None
|
(StrOpt) Attestation authorization blob - must change |
attestation_auth_timeout = 60
|
(IntOpt) Attestation status cache valid period length |
attestation_insecure_ssl = False
|
(BoolOpt) Disable SSL cert verification for Attestation service |
attestation_port = 8443
|
(StrOpt) Attestation server port |
attestation_server = None
|
(StrOpt) Attestation server HTTP |
attestation_server_ca_file = None
|
(StrOpt) Attestation server Cert file for Identity verification |
Configuration option = Default value | Description |
---|---|
[cells] | |
scheduler = nova.cells.scheduler.CellsScheduler
|
(StrOpt) Cells scheduler to use |
[upgrade_levels] | |
cells = None
|
(StrOpt) Set a version cap for messages sent to local cells services |
cert = None
|
(StrOpt) Set a version cap for messages sent to cert services |
compute = None
|
(StrOpt) Set a version cap for messages sent to compute services. If you plan to do a live upgrade from an old version to a newer version, you should set this option to the old version before beginning the live upgrade procedure. Only upgrading to the next version is supported, so you cannot skip a release for the live upgrade procedure. |
conductor = None
|
(StrOpt) Set a version cap for messages sent to conductor services |
console = None
|
(StrOpt) Set a version cap for messages sent to console services |
consoleauth = None
|
(StrOpt) Set a version cap for messages sent to consoleauth services |
intercell = None
|
(StrOpt) Set a version cap for messages sent between cells services |
network = None
|
(StrOpt) Set a version cap for messages sent to network services |
scheduler = None
|
(StrOpt) Set a version cap for messages sent to scheduler services |
Configuration option = Default value | Description |
---|---|
[DEFAULT] | |
daemon = False
|
(BoolOpt) Become a daemon (background process) |
key = None
|
(StrOpt) SSL key file (if separate from cert) |
novncproxy_host = 0.0.0.0
|
(StrOpt) Host on which to listen for incoming requests |
novncproxy_port = 6080
|
(IntOpt) Port on which to listen for incoming requests |
record = False
|
(BoolOpt) Record sessions to FILE.[session_number] |
source_is_ipv6 = False
|
(BoolOpt) Source is ipv6 |
ssl_only = False
|
(BoolOpt) Disallow non-encrypted connections |
web = /usr/share/spice-html5
|
(StrOpt) Run webserver on same port. Serve files from DIR. |
[vmware] | |
vnc_port = 5900
|
(IntOpt) VNC starting port |
vnc_port_total = 10000
|
(IntOpt) Total number of VNC ports |
[vnc] | |
enabled = True
|
(BoolOpt) Enable VNC related features |
keymap = en-us
|
(StrOpt) Keymap for VNC |
novncproxy_base_url = http://127.0.0.1:6080/vnc_auto.html
|
(StrOpt) Location of VNC console proxy, in the form "http://127.0.0.1:6080/vnc_auto.html" |
vncserver_listen = 127.0.0.1
|
(StrOpt) IP address on which instance vncservers should listen |
vncserver_proxyclient_address = 127.0.0.1
|
(StrOpt) The address to which proxy clients (such as nova-xvpvncproxy) should connect |
xvpvncproxy_base_url = http://127.0.0.1:6081/console
|
(StrOpt) Location of nova xvp VNC console proxy, in the form "http://127.0.0.1:6081/console" |
Configuration option = Default value | Description |
---|---|
[DEFAULT] | |
block_device_allocate_retries = 60
|
(IntOpt) Number of times to retry block device allocation on failures |
block_device_allocate_retries_interval = 3
|
(IntOpt) Waiting time interval (seconds) between block device allocation retries on failures |
my_block_storage_ip = $my_ip
|
(StrOpt) Block storage IP address of this host |
volume_api_class = nova.volume.cinder.API
|
(StrOpt) The full class name of the volume API class to use |
volume_usage_poll_interval = 0
|
(IntOpt) Interval in seconds for gathering volume usages |
[cinder] | |
cafile = None
|
(StrOpt) PEM encoded Certificate Authority to use when verifying HTTPS connections. |
catalog_info = volumev2:cinderv2:publicURL
|
(StrOpt) Info to match when looking for cinder in the service catalog. Format is colon-separated values of the form: <service_type>:<service_name>:<endpoint_type> |
certfile = None
|
(StrOpt) PEM encoded client certificate cert file |
cross_az_attach = True
|
(BoolOpt) Allow attach between instance and volume in different availability zones. |
endpoint_template = None
|
(StrOpt) Override service catalog lookup with template for cinder endpoint e.g. http://localhost:8776/v1/%(project_id)s |
http_retries = 3
|
(IntOpt) Number of cinderclient retries on failed http calls |
insecure = False
|
(BoolOpt) Verify HTTPS connections. |
keyfile = None
|
(StrOpt) PEM encoded client certificate key file |
os_region_name = None
|
(StrOpt) Region name of this node |
timeout = None
|
(IntOpt) Timeout value for http requests |
[hyperv] | |
force_volumeutils_v1 = False
|
(BoolOpt) Force V1 volume utility class |
volume_attach_retry_count = 10
|
(IntOpt) The number of times to retry to attach a volume |
volume_attach_retry_interval = 5
|
(IntOpt) Interval between volume attachment attempts, in seconds |
[libvirt] | |
glusterfs_mount_point_base = $state_path/mnt
|
(StrOpt) Directory where the glusterfs volume is mounted on the compute node |
nfs_mount_options = None
|
(StrOpt) Mount options passed to the NFS client. See section of the nfs man page for details |
nfs_mount_point_base = $state_path/mnt
|
(StrOpt) Directory where the NFS volume is mounted on the compute node |
num_aoe_discover_tries = 3
|
(IntOpt) Number of times to rediscover AoE target to find volume |
num_iscsi_scan_tries = 5
|
(IntOpt) Number of times to rescan iSCSI target to find volume |
num_iser_scan_tries = 5
|
(IntOpt) Number of times to rescan iSER target to find volume |
qemu_allowed_storage_drivers =
|
(ListOpt) Protocols listed here will be accessed directly from QEMU. Currently supported protocols: [gluster] |
rbd_secret_uuid = None
|
(StrOpt) The libvirt UUID of the secret for the rbd_user volumes |
rbd_user = None
|
(StrOpt) The RADOS client name for accessing rbd volumes |
scality_sofs_config = None
|
(StrOpt) Path or URL to Scality SOFS configuration file |
scality_sofs_mount_point = $state_path/scality
|
(StrOpt) Base dir where Scality SOFS shall be mounted |
smbfs_mount_options =
|
(StrOpt) Mount options passed to the SMBFS client. See mount.cifs man page for details. Note that the libvirt-qemu uid and gid must be specified. |
smbfs_mount_point_base = $state_path/mnt
|
(StrOpt) Directory where the SMBFS shares are mounted on the compute node |
[xenserver] | |
block_device_creation_timeout = 10
|
(IntOpt) Time to wait for a block device to be created |
Configuration option = Default value | Description |
---|---|
[DEFAULT] | |
boot_script_template = $pybasedir/nova/cloudpipe/bootscript.template
|
(StrOpt) Template for cloudpipe instance boot script |
dmz_cidr =
|
(ListOpt) A list of dmz ranges that should be accepted |
dmz_mask = 255.255.255.0
|
(StrOpt) Netmask to push into openvpn config |
dmz_net = 10.0.0.0
|
(StrOpt) Network to push into openvpn config |
vpn_flavor = m1.tiny
|
(StrOpt) Flavor for vpn instances |
vpn_image_id = 0
|
(StrOpt) Image ID used when starting up a cloudpipe vpn server |
vpn_ip = $my_ip
|
(StrOpt) Public IP for the cloudpipe VPN servers |
vpn_key_suffix = -vpn
|
(StrOpt) Suffix to add to project name for vpn key and secgroups |
vpn_start = 1000
|
(IntOpt) First Vpn port for private networks |
Configuration option = Default value | Description |
---|---|
[DEFAULT] | |
console_driver = nova.console.xvp.XVPConsoleProxy
|
(StrOpt) Driver to use for the console proxy |
console_xvp_conf = /etc/xvp.conf
|
(StrOpt) Generated XVP conf file |
console_xvp_conf_template = $pybasedir/nova/console/xvp.conf.template
|
(StrOpt) XVP conf template |
console_xvp_log = /var/log/xvp.log
|
(StrOpt) XVP log file |
console_xvp_multiplex_port = 5900
|
(IntOpt) Port for XVP to multiplex VNC connections on |
console_xvp_pid = /var/run/xvp.pid
|
(StrOpt) XVP master process pid file |
stub_compute = False
|
(BoolOpt) Stub calls to compute worker for tests |
[libvirt] | |
xen_hvmloader_path = /usr/lib/xen/boot/hvmloader
|
(StrOpt) Location where the Xen hvmloader is kept |
[xenserver] | |
agent_path = usr/sbin/xe-update-networking
|
(StrOpt) Specifies the path in which the XenAPI guest agent should be located. If the agent is present, network configuration is not injected into the image. Used if compute_driver=xenapi.XenAPIDriver and flat_injected=True |
agent_resetnetwork_timeout = 60
|
(IntOpt) Number of seconds to wait for agent reply to resetnetwork request |
agent_timeout = 30
|
(IntOpt) Number of seconds to wait for agent reply |
agent_version_timeout = 300
|
(IntOpt) Number of seconds to wait for agent to be fully operational |
cache_images = all
|
(StrOpt) Cache glance images locally. `all` will cache all images, `some` will only cache images that have the image_property `cache_in_nova=True`, and `none` turns off caching entirely |
check_host = True
|
(BoolOpt) Ensure compute service is running on host XenAPI connects to. |
connection_concurrent = 5
|
(IntOpt) Maximum number of concurrent XenAPI connections. Used only if compute_driver=xenapi.XenAPIDriver |
connection_password = None
|
(StrOpt) Password for connection to XenServer/Xen Cloud Platform. Used only if compute_driver=xenapi.XenAPIDriver |
connection_url = None
|
(StrOpt) URL for connection to XenServer/Xen Cloud Platform. A special value of unix://local can be used to connect to the local unix socket. Required if compute_driver=xenapi.XenAPIDriver |
connection_username = root
|
(StrOpt) Username for connection to XenServer/Xen Cloud Platform. Used only if compute_driver=xenapi.XenAPIDriver |
default_os_type = linux
|
(StrOpt) Default OS type |
disable_agent = False
|
(BoolOpt) Disables the use of the XenAPI agent in any image regardless of what image properties are present. |
image_compression_level = None
|
(IntOpt) Compression level for images, e.g., 9 for gzip -9. Range is 1-9, 9 being most compressed but most CPU intensive on dom0. |
image_upload_handler = nova.virt.xenapi.image.glance.GlanceStore
|
(StrOpt) Dom0 plugin driver used to handle image uploads. |
introduce_vdi_retry_wait = 20
|
(IntOpt) Number of seconds to wait for an SR to settle if the VDI does not exist when first introduced |
ipxe_boot_menu_url = None
|
(StrOpt) URL to the iPXE boot menu |
ipxe_mkisofs_cmd = mkisofs
|
(StrOpt) Name and optionally path of the tool used for ISO image creation |
ipxe_network_name = None
|
(StrOpt) Name of network to use for booting iPXE ISOs |
iqn_prefix = iqn.2010-10.org.openstack
|
(StrOpt) IQN Prefix |
login_timeout = 10
|
(IntOpt) Timeout in seconds for XenAPI login. |
max_kernel_ramdisk_size = 16777216
|
(IntOpt) Maximum size in bytes of kernel or ramdisk images |
num_vbd_unplug_retries = 10
|
(IntOpt) Maximum number of retries to unplug VBD. If <=0, try once with no retry. |
ovs_integration_bridge = xapi1
|
(StrOpt) Name of Integration Bridge used by Open vSwitch |
remap_vbd_dev = False
|
(BoolOpt) Used to enable the remapping of VBD dev |
remap_vbd_dev_prefix = sd
|
(StrOpt) Specify prefix to remap VBD dev to (ex. /dev/xvdb -> /dev/sdb) |
running_timeout = 60
|
(IntOpt) Number of seconds to wait for instance to go to running state |
sparse_copy = True
|
(BoolOpt) Whether to use sparse_copy for copying data on a resize down (False will use standard dd). This speeds up resizes down considerably since large runs of zeros will not have to be rsynced |
sr_base_path = /var/run/sr-mount
|
(StrOpt) Base path to the storage repository |
sr_matching_filter = default-sr:true
|
(StrOpt) Filter for finding the SR to be used to install guest instances on. To use the Local Storage in default XenServer/XCP installations set this flag to other-config:i18n-key=local-storage. To select an SR with a different matching criteria, you could set it to other-config:my_favorite_sr=true. On the other hand, to fall back on the Default SR, as displayed by XenCenter, set this flag to: default-sr:true |
target_host = None
|
(StrOpt) The iSCSI Target Host |
target_port = 3260
|
(StrOpt) The iSCSI Target Port, default is port 3260 |
torrent_base_url = None
|
(StrOpt) Base URL for torrent files; must contain a slash character (see RFC 1808, step 6). |
torrent_download_stall_cutoff = 600
|
(IntOpt) Number of seconds a download can remain at the same progress percentage w/o being considered a stall |
torrent_images = none
|
(StrOpt) Whether or not to download images via Bit Torrent. |
torrent_listen_port_end = 6891
|
(IntOpt) End of port range to listen on |
torrent_listen_port_start = 6881
|
(IntOpt) Beginning of port range to listen on |
torrent_max_last_accessed = 86400
|
(IntOpt) Cached torrent files not accessed within this number of seconds can be reaped |
torrent_max_seeder_processes_per_host = 1
|
(IntOpt) Maximum number of seeder processes to run concurrently within a given dom0. (-1 = no limit) |
torrent_seed_chance = 1.0
|
(FloatOpt) Probability that peer will become a seeder. (1.0 = 100%) |
torrent_seed_duration = 3600
|
(IntOpt) Number of seconds after downloading an image via BitTorrent that it should be seeded for other peers. |
use_agent_default = False
|
(BoolOpt) Determines if the XenAPI agent should be used when the image used does not contain a hint to declare if the agent is present or not. The hint is a glance property "xenapi_use_agent" that has the value "True" or "False". Note that waiting for the agent when it is not present will significantly increase server boot times. |
use_join_force = True
|
(BoolOpt) To use for hosts with different CPUs |
vhd_coalesce_max_attempts = 20
|
(IntOpt) Max number of times to poll for VHD to coalesce. Used only if compute_driver=xenapi.XenAPIDriver |
vhd_coalesce_poll_interval = 5.0
|
(FloatOpt) The interval used for polling of coalescing vhds. Used only if compute_driver=xenapi.XenAPIDriver |
vif_driver = nova.virt.xenapi.vif.XenAPIBridgeDriver
|
(StrOpt) The XenAPI VIF driver using XenServer Network APIs. |
Configuration option = Default value | Description |
---|---|
[DEFAULT] | |
xvpvncproxy_host = 0.0.0.0
|
(StrOpt) Address that the XCP VNC proxy should bind to |
xvpvncproxy_port = 6081
|
(IntOpt) Port that the XCP VNC proxy should bind to |
Configuration option = Default value | Description |
---|---|
[zookeeper] | |
address = None
|
(StrOpt) The ZooKeeper addresses for servicegroup service in the format of host1:port,host2:port,host3:port |
recv_timeout = 4000
|
(IntOpt) The recv_timeout parameter for the zk session |
sg_prefix = /servicegroups
|
(StrOpt) The prefix used in ZooKeeper to store ephemeral nodes |
sg_retry_interval = 5
|
(IntOpt) Number of seconds to wait until retrying to join the session |
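The tables above include several options that weaken transport security when changed from their defaults. The following added example (not part of the original reference or of nova) audits a constructed nova.conf fragment for them; `SAMPLE_CONF`, `DOC_DEFAULTS`, `load` and `audit` are names assumed for this illustration, and the reading of `insecure = True` as "certificate verification off" is the editor's statement of the option's behaviour.

```python
import configparser
from urllib.parse import urlsplit

# Constructed nova.conf fragment; option names and sections come from the
# tables above, the values are made up for the demonstration.
SAMPLE_CONF = """\
[DEFAULT]
multi_instance_display_name_template = %(name)s-%(count)d
pci_alias = {"name": "QuickAssist", "product_id": "0443", "vendor_id": "8086", "device_type": "ACCEL"}
pci_alias = {"name": "constructed", "product_id": "0000", "vendor_id": "0000"}

[neutron]
url = http://neutron.example.test:9696
insecure = True
service_metadata_proxy = True
metadata_proxy_shared_secret =

[cinder]
insecure = False

[trusted_computing]
attestation_insecure_ssl = yes
"""

# Defaults as documented in the tables above, used when an option is unset.
DOC_DEFAULTS = {
    ("neutron", "insecure"): "False",
    ("neutron", "url"): "http://127.0.0.1:9696",
    ("neutron", "service_metadata_proxy"): "False",
    ("neutron", "metadata_proxy_shared_secret"): "",
    ("cinder", "insecure"): "False",
    ("trusted_computing", "attestation_insecure_ssl"): "False",
}

# Options whose True value switches off TLS certificate verification.
VERIFY_OFF_WHEN_TRUE = [
    ("neutron", "insecure"),
    ("cinder", "insecure"),
    ("trusted_computing", "attestation_insecure_ssl"),
]
LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def load(text):
    """Parse nova.conf text without configparser's special cases.

    - default_section is renamed so [DEFAULT] keys do not leak into
      every other section;
    - interpolation is off because values such as %(name)s are templates;
    - strict is off because MultiStrOpt options (pci_alias) may repeat.
    """
    cp = configparser.ConfigParser(
        default_section="<none>", interpolation=None, strict=False)
    cp.read_string(text)
    return cp


def effective(cp, section, option):
    """Value from the file, or the documented default when unset."""
    return cp.get(section, option,
                  fallback=DOC_DEFAULTS[(section, option)]).strip()


def is_true(value):
    # Boolean spellings accepted in OpenStack configuration files.
    return value.lower() in {"true", "1", "yes", "on"}


def audit(text):
    """Return a list of (section, option, reason) findings."""
    cp = load(text)
    findings = []
    for section, option in VERIFY_OFF_WHEN_TRUE:
        if is_true(effective(cp, section, option)):
            findings.append((section, option,
                             "TLS certificate verification is disabled"))
    if (is_true(effective(cp, "neutron", "service_metadata_proxy"))
            and not effective(cp, "neutron", "metadata_proxy_shared_secret")):
        findings.append(("neutron", "metadata_proxy_shared_secret",
                         "metadata proxying enabled with an empty secret"))
    url = urlsplit(effective(cp, "neutron", "url"))
    if url.scheme == "http" and url.hostname not in LOOPBACK:
        findings.append(("neutron", "url",
                         "plaintext HTTP to a non-loopback host"))
    return findings


if __name__ == "__main__":
    for section, option, reason in audit(SAMPLE_CONF):
        print("[%s] %s: %s" % (section, option, reason))
```

With no file content at all the audit returns nothing, because the documented defaults keep verification on and point neutron at the loopback address.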
3.17.2. Additional sample configuration files
Files in this section can be found in /etc/nova.
3.17.2.1. api-paste.ini
The Compute service stores its API configuration settings in the api-paste.ini file.
############
# Metadata #
############
[composite:metadata]
use = egg:Paste#urlmap
/: meta

[pipeline:meta]
pipeline = ec2faultwrap logrequest metaapp

[app:metaapp]
paste.app_factory = nova.api.metadata.handler:MetadataRequestHandler.factory

#######
# EC2 #
#######

# NOTE: this is now deprecated in favor of https://github.com/stackforge/ec2-api
[composite:ec2]
use = egg:Paste#urlmap
/: ec2cloud

[composite:ec2cloud]
use = call:nova.api.auth:pipeline_factory
noauth2 = ec2faultwrap logrequest ec2noauth cloudrequest validator ec2executor
keystone = ec2faultwrap logrequest ec2keystoneauth cloudrequest validator ec2executor

[filter:ec2faultwrap]
paste.filter_factory = nova.api.ec2:FaultWrapper.factory

[filter:logrequest]
paste.filter_factory = nova.api.ec2:RequestLogging.factory

[filter:ec2lockout]
paste.filter_factory = nova.api.ec2:Lockout.factory

[filter:ec2keystoneauth]
paste.filter_factory = nova.api.ec2:EC2KeystoneAuth.factory

[filter:ec2noauth]
paste.filter_factory = nova.api.ec2:NoAuth.factory

[filter:cloudrequest]
controller = nova.api.ec2.cloud.CloudController
paste.filter_factory = nova.api.ec2:Requestify.factory

[filter:authorizer]
paste.filter_factory = nova.api.ec2:Authorizer.factory

[filter:validator]
paste.filter_factory = nova.api.ec2:Validator.factory

[app:ec2executor]
paste.app_factory = nova.api.ec2:Executor.factory

#############
# OpenStack #
#############

[composite:osapi_compute]
use = call:nova.api.openstack.urlmap:urlmap_factory
/: oscomputeversions
# starting in Liberty the v21 implementation replaces the v2
# implementation and it is suggested that you use it as the default. If
# this causes issues with your clients you can rollback to the
# *frozen* v2 api by commenting out the above stanza and using the
# following instead::
# /v1.1: openstack_compute_api_legacy_v2
# /v2: openstack_compute_api_legacy_v2
# if rolling back to v2 fixes your issue please file a critical bug
# at - https://bugs.launchpad.net/nova/+bugs
#
# v21 is an exact feature match for v2, except it has more stringent
# input validation on the wsgi surface (prevents fuzzing early on the
# API). It also provides new features via API microversions which are
# opt-in for clients. Unaware clients will receive the same frozen
# v2 API feature set, but with some relaxed validation
/v1.1: openstack_compute_api_v21_legacy_v2_compatible
/v2: openstack_compute_api_v21_legacy_v2_compatible
/v2.1: openstack_compute_api_v21

# NOTE: this is deprecated in favor of openstack_compute_api_v21_legacy_v2_compatible
[composite:openstack_compute_api_legacy_v2]
use = call:nova.api.auth:pipeline_factory
noauth2 = compute_req_id faultwrap sizelimit noauth2 legacy_ratelimit osapi_compute_app_legacy_v2
keystone = compute_req_id faultwrap sizelimit authtoken keystonecontext legacy_ratelimit osapi_compute_app_legacy_v2
keystone_nolimit = compute_req_id faultwrap sizelimit authtoken keystonecontext osapi_compute_app_legacy_v2

[composite:openstack_compute_api_v21]
use = call:nova.api.auth:pipeline_factory_v21
noauth2 = compute_req_id faultwrap sizelimit noauth2 osapi_compute_app_v21
keystone = compute_req_id faultwrap sizelimit authtoken keystonecontext osapi_compute_app_v21

[composite:openstack_compute_api_v21_legacy_v2_compatible]
use = call:nova.api.auth:pipeline_factory_v21
noauth2 = compute_req_id faultwrap sizelimit noauth2 legacy_v2_compatible osapi_compute_app_v21
keystone = compute_req_id faultwrap sizelimit authtoken keystonecontext legacy_v2_compatible osapi_compute_app_v21

[filter:request_id]
paste.filter_factory = oslo_middleware:RequestId.factory

[filter:compute_req_id]
paste.filter_factory = nova.api.compute_req_id:ComputeReqIdMiddleware.factory

[filter:faultwrap]
paste.filter_factory = nova.api.openstack:FaultWrapper.factory

[filter:noauth2]
paste.filter_factory = nova.api.openstack.auth:NoAuthMiddleware.factory

[filter:legacy_ratelimit]
paste.filter_factory = nova.api.openstack.compute.limits:RateLimitingMiddleware.factory

[filter:sizelimit]
paste.filter_factory = oslo_middleware:RequestBodySizeLimiter.factory

[filter:legacy_v2_compatible]
paste.filter_factory = nova.api.openstack:LegacyV2CompatibleWrapper.factory

[app:osapi_compute_app_legacy_v2]
paste.app_factory = nova.api.openstack.compute:APIRouter.factory

[app:osapi_compute_app_v21]
paste.app_factory = nova.api.openstack.compute:APIRouterV21.factory

[pipeline:oscomputeversions]
pipeline = faultwrap oscomputeversionapp

[app:oscomputeversionapp]
paste.app_factory = nova.api.openstack.compute.versions:Versions.factory

##########
# Shared #
##########

[filter:keystonecontext]
paste.filter_factory = nova.api.auth:NovaKeystoneContext.factory

[filter:authtoken]
paste.filter_factory = keystonemiddleware.auth_token:filter_factory
3.17.2.2. policy.json
The policy.json file defines additional access controls that apply to the Compute service.
{ "context_is_admin": "role:admin", "admin_or_owner": "is_admin:True or project_id:%(project_id)s", "default": "rule:admin_or_owner", "cells_scheduler_filter:TargetCellFilter": "is_admin:True", "compute:create": "", "compute:create:attach_network": "", "compute:create:attach_volume": "", "compute:create:forced_host": "is_admin:True", "compute:get": "", "compute:get_all": "", "compute:get_all_tenants": "is_admin:True", "compute:update": "", "compute:get_instance_metadata": "", "compute:get_all_instance_metadata": "", "compute:get_all_instance_system_metadata": "", "compute:update_instance_metadata": "", "compute:delete_instance_metadata": "", "compute:get_instance_faults": "", "compute:get_diagnostics": "", "compute:get_instance_diagnostics": "", "compute:start": "rule:admin_or_owner", "compute:stop": "rule:admin_or_owner", "compute:get_lock": "", "compute:lock": "", "compute:unlock": "", "compute:unlock_override": "rule:admin_api", "compute:get_vnc_console": "", "compute:get_spice_console": "", "compute:get_rdp_console": "", "compute:get_serial_console": "", "compute:get_mks_console": "", "compute:get_console_output": "", "compute:reset_network": "", "compute:inject_network_info": "", "compute:add_fixed_ip": "", "compute:remove_fixed_ip": "", "compute:attach_volume": "", "compute:detach_volume": "", "compute:swap_volume": "", "compute:attach_interface": "", "compute:detach_interface": "", "compute:set_admin_password": "", "compute:rescue": "", "compute:unrescue": "", "compute:suspend": "", "compute:resume": "", "compute:pause": "", "compute:unpause": "", "compute:shelve": "", "compute:shelve_offload": "", "compute:unshelve": "", "compute:snapshot": "", "compute:snapshot_volume_backed": "", "compute:backup": "", "compute:resize": "", "compute:confirm_resize": "", "compute:revert_resize": "", "compute:rebuild": "", "compute:reboot": "", "compute:delete": "rule:admin_or_owner", "compute:soft_delete": "rule:admin_or_owner", "compute:force_delete": 
"rule:admin_or_owner", "compute:security_groups:add_to_instance": "", "compute:security_groups:remove_from_instance": "", "compute:delete": "", "compute:soft_delete": "", "compute:force_delete": "", "compute:restore": "", "compute:volume_snapshot_create": "", "compute:volume_snapshot_delete": "", "admin_api": "is_admin:True", "compute_extension:accounts": "rule:admin_api", "compute_extension:admin_actions": "rule:admin_api", "compute_extension:admin_actions:pause": "rule:admin_or_owner", "compute_extension:admin_actions:unpause": "rule:admin_or_owner", "compute_extension:admin_actions:suspend": "rule:admin_or_owner", "compute_extension:admin_actions:resume": "rule:admin_or_owner", "compute_extension:admin_actions:lock": "rule:admin_or_owner", "compute_extension:admin_actions:unlock": "rule:admin_or_owner", "compute_extension:admin_actions:resetNetwork": "rule:admin_api", "compute_extension:admin_actions:injectNetworkInfo": "rule:admin_api", "compute_extension:admin_actions:createBackup": "rule:admin_or_owner", "compute_extension:admin_actions:migrateLive": "rule:admin_api", "compute_extension:admin_actions:resetState": "rule:admin_api", "compute_extension:admin_actions:migrate": "rule:admin_api", "compute_extension:aggregates": "rule:admin_api", "compute_extension:agents": "rule:admin_api", "compute_extension:attach_interfaces": "", "compute_extension:baremetal_nodes": "rule:admin_api", "compute_extension:cells": "rule:admin_api", "compute_extension:cells:create": "rule:admin_api", "compute_extension:cells:delete": "rule:admin_api", "compute_extension:cells:update": "rule:admin_api", "compute_extension:cells:sync_instances": "rule:admin_api", "compute_extension:certificates": "", "compute_extension:cloudpipe": "rule:admin_api", "compute_extension:cloudpipe_update": "rule:admin_api", "compute_extension:config_drive": "", "compute_extension:console_output": "", "compute_extension:consoles": "", "compute_extension:createserverext": "", 
"compute_extension:deferred_delete": "", "compute_extension:disk_config": "", "compute_extension:evacuate": "rule:admin_api", "compute_extension:extended_server_attributes": "rule:admin_api", "compute_extension:extended_status": "", "compute_extension:extended_availability_zone": "", "compute_extension:extended_ips": "", "compute_extension:extended_ips_mac": "", "compute_extension:extended_vif_net": "", "compute_extension:extended_volumes": "", "compute_extension:fixed_ips": "rule:admin_api", "compute_extension:flavor_access": "", "compute_extension:flavor_access:addTenantAccess": "rule:admin_api", "compute_extension:flavor_access:removeTenantAccess": "rule:admin_api", "compute_extension:flavor_disabled": "", "compute_extension:flavor_rxtx": "", "compute_extension:flavor_swap": "", "compute_extension:flavorextradata": "", "compute_extension:flavorextraspecs:index": "", "compute_extension:flavorextraspecs:show": "", "compute_extension:flavorextraspecs:create": "rule:admin_api", "compute_extension:flavorextraspecs:update": "rule:admin_api", "compute_extension:flavorextraspecs:delete": "rule:admin_api", "compute_extension:flavormanage": "rule:admin_api", "compute_extension:floating_ip_dns": "", "compute_extension:floating_ip_pools": "", "compute_extension:floating_ips": "", "compute_extension:floating_ips_bulk": "rule:admin_api", "compute_extension:fping": "", "compute_extension:fping:all_tenants": "rule:admin_api", "compute_extension:hide_server_addresses": "is_admin:False", "compute_extension:hosts": "rule:admin_api", "compute_extension:hypervisors": "rule:admin_api", "compute_extension:image_size": "", "compute_extension:instance_actions": "", "compute_extension:instance_actions:events": "rule:admin_api", "compute_extension:instance_usage_audit_log": "rule:admin_api", "compute_extension:keypairs": "", "compute_extension:keypairs:index": "", "compute_extension:keypairs:show": "", "compute_extension:keypairs:create": "", "compute_extension:keypairs:delete": "", 
"compute_extension:multinic": "", "compute_extension:networks": "rule:admin_api", "compute_extension:networks:view": "", "compute_extension:networks_associate": "rule:admin_api", "compute_extension:os-tenant-networks": "", "compute_extension:quotas:show": "", "compute_extension:quotas:update": "rule:admin_api", "compute_extension:quotas:delete": "rule:admin_api", "compute_extension:quota_classes": "", "compute_extension:rescue": "", "compute_extension:security_group_default_rules": "rule:admin_api", "compute_extension:security_groups": "", "compute_extension:server_diagnostics": "rule:admin_api", "compute_extension:server_groups": "", "compute_extension:server_password": "", "compute_extension:server_usage": "", "compute_extension:services": "rule:admin_api", "compute_extension:shelve": "", "compute_extension:shelveOffload": "rule:admin_api", "compute_extension:simple_tenant_usage:show": "rule:admin_or_owner", "compute_extension:simple_tenant_usage:list": "rule:admin_api", "compute_extension:unshelve": "", "compute_extension:users": "rule:admin_api", "compute_extension:virtual_interfaces": "", "compute_extension:virtual_storage_arrays": "", "compute_extension:volumes": "", "compute_extension:volume_attachments:index": "", "compute_extension:volume_attachments:show": "", "compute_extension:volume_attachments:create": "", "compute_extension:volume_attachments:update": "", "compute_extension:volume_attachments:delete": "", "compute_extension:volumetypes": "", "compute_extension:availability_zone:list": "", "compute_extension:availability_zone:detail": "rule:admin_api", "compute_extension:used_limits_for_admin": "rule:admin_api", "compute_extension:migrations:index": "rule:admin_api", "compute_extension:os-assisted-volume-snapshots:create": "rule:admin_api", "compute_extension:os-assisted-volume-snapshots:delete": "rule:admin_api", "compute_extension:console_auth_tokens": "rule:admin_api", "compute_extension:os-server-external-events:create": "rule:admin_api", 
"network:get_all": "", "network:get": "", "network:create": "", "network:delete": "", "network:associate": "", "network:disassociate": "", "network:get_vifs_by_instance": "", "network:allocate_for_instance": "", "network:deallocate_for_instance": "", "network:validate_networks": "", "network:get_instance_uuids_by_ip_filter": "", "network:get_instance_id_by_floating_address": "", "network:setup_networks_on_host": "", "network:get_backdoor_port": "", "network:get_floating_ip": "", "network:get_floating_ip_pools": "", "network:get_floating_ip_by_address": "", "network:get_floating_ips_by_project": "", "network:get_floating_ips_by_fixed_address": "", "network:allocate_floating_ip": "", "network:associate_floating_ip": "", "network:disassociate_floating_ip": "", "network:release_floating_ip": "", "network:migrate_instance_start": "", "network:migrate_instance_finish": "", "network:get_fixed_ip": "", "network:get_fixed_ip_by_address": "", "network:add_fixed_ip_to_instance": "", "network:remove_fixed_ip_from_instance": "", "network:add_network_to_project": "", "network:get_instance_nw_info": "", "network:get_dns_domains": "", "network:add_dns_entry": "", "network:modify_dns_entry": "", "network:delete_dns_entry": "", "network:get_dns_entries_by_address": "", "network:get_dns_entries_by_name": "", "network:create_private_dns_domain": "", "network:create_public_dns_domain": "", "network:delete_dns_domain": "", "network:attach_external_network": "rule:admin_api", "network:get_vif_by_mac_address": "", "os_compute_api:servers:detail:get_all_tenants": "is_admin:True", "os_compute_api:servers:index:get_all_tenants": "is_admin:True", "os_compute_api:servers:confirm_resize": "", "os_compute_api:servers:create": "", "os_compute_api:servers:create:attach_network": "", "os_compute_api:servers:create:attach_volume": "", "os_compute_api:servers:create:forced_host": "rule:admin_api", "os_compute_api:servers:delete": "", "os_compute_api:servers:update": "", 
"os_compute_api:servers:detail": "", "os_compute_api:servers:index": "", "os_compute_api:servers:reboot": "", "os_compute_api:servers:rebuild": "", "os_compute_api:servers:resize": "", "os_compute_api:servers:revert_resize": "", "os_compute_api:servers:show": "", "os_compute_api:servers:create_image": "", "os_compute_api:servers:create_image:allow_volume_backed": "", "os_compute_api:servers:start": "rule:admin_or_owner", "os_compute_api:servers:stop": "rule:admin_or_owner", "os_compute_api:os-access-ips:discoverable": "", "os_compute_api:os-access-ips": "", "os_compute_api:os-admin-actions": "rule:admin_api", "os_compute_api:os-admin-actions:discoverable": "", "os_compute_api:os-admin-actions:reset_network": "rule:admin_api", "os_compute_api:os-admin-actions:inject_network_info": "rule:admin_api", "os_compute_api:os-admin-actions:reset_state": "rule:admin_api", "os_compute_api:os-admin-password": "", "os_compute_api:os-admin-password:discoverable": "", "os_compute_api:os-aggregates:discoverable": "", "os_compute_api:os-aggregates:index": "rule:admin_api", "os_compute_api:os-aggregates:create": "rule:admin_api", "os_compute_api:os-aggregates:show": "rule:admin_api", "os_compute_api:os-aggregates:update": "rule:admin_api", "os_compute_api:os-aggregates:delete": "rule:admin_api", "os_compute_api:os-aggregates:add_host": "rule:admin_api", "os_compute_api:os-aggregates:remove_host": "rule:admin_api", "os_compute_api:os-aggregates:set_metadata": "rule:admin_api", "os_compute_api:os-agents": "rule:admin_api", "os_compute_api:os-agents:discoverable": "", "os_compute_api:os-attach-interfaces": "", "os_compute_api:os-attach-interfaces:discoverable": "", "os_compute_api:os-baremetal-nodes": "rule:admin_api", "os_compute_api:os-baremetal-nodes:discoverable": "", "os_compute_api:os-block-device-mapping-v1:discoverable": "", "os_compute_api:os-cells": "rule:admin_api", "os_compute_api:os-cells:create": "rule:admin_api", "os_compute_api:os-cells:delete": "rule:admin_api", 
"os_compute_api:os-cells:update": "rule:admin_api", "os_compute_api:os-cells:sync_instances": "rule:admin_api", "os_compute_api:os-cells:discoverable": "", "os_compute_api:os-certificates:create": "", "os_compute_api:os-certificates:show": "", "os_compute_api:os-certificates:discoverable": "", "os_compute_api:os-cloudpipe": "rule:admin_api", "os_compute_api:os-cloudpipe:discoverable": "", "os_compute_api:os-config-drive": "", "os_compute_api:os-consoles:discoverable": "", "os_compute_api:os-consoles:create": "", "os_compute_api:os-consoles:delete": "", "os_compute_api:os-consoles:index": "", "os_compute_api:os-consoles:show": "", "os_compute_api:os-console-output:discoverable": "", "os_compute_api:os-console-output": "", "os_compute_api:os-remote-consoles": "", "os_compute_api:os-remote-consoles:discoverable": "", "os_compute_api:os-create-backup:discoverable": "", "os_compute_api:os-create-backup": "rule:admin_or_owner", "os_compute_api:os-deferred-delete": "", "os_compute_api:os-deferred-delete:discoverable": "", "os_compute_api:os-disk-config": "", "os_compute_api:os-disk-config:discoverable": "", "os_compute_api:os-evacuate": "rule:admin_api", "os_compute_api:os-evacuate:discoverable": "", "os_compute_api:os-extended-server-attributes": "rule:admin_api", "os_compute_api:os-extended-server-attributes:discoverable": "", "os_compute_api:os-extended-status": "", "os_compute_api:os-extended-status:discoverable": "", "os_compute_api:os-extended-availability-zone": "", "os_compute_api:os-extended-availability-zone:discoverable": "", "os_compute_api:extensions": "", "os_compute_api:extension_info:discoverable": "", "os_compute_api:os-extended-volumes": "", "os_compute_api:os-extended-volumes:discoverable": "", "os_compute_api:os-fixed-ips": "rule:admin_api", "os_compute_api:os-fixed-ips:discoverable": "", "os_compute_api:os-flavor-access": "", "os_compute_api:os-flavor-access:discoverable": "", "os_compute_api:os-flavor-access:remove_tenant_access": "rule:admin_api", 
"os_compute_api:os-flavor-access:add_tenant_access": "rule:admin_api", "os_compute_api:os-flavor-rxtx": "", "os_compute_api:os-flavor-rxtx:discoverable": "", "os_compute_api:flavors:discoverable": "", "os_compute_api:os-flavor-extra-specs:discoverable": "", "os_compute_api:os-flavor-extra-specs:index": "", "os_compute_api:os-flavor-extra-specs:show": "", "os_compute_api:os-flavor-extra-specs:create": "rule:admin_api", "os_compute_api:os-flavor-extra-specs:update": "rule:admin_api", "os_compute_api:os-flavor-extra-specs:delete": "rule:admin_api", "os_compute_api:os-flavor-manage:discoverable": "", "os_compute_api:os-flavor-manage": "rule:admin_api", "os_compute_api:os-floating-ip-dns": "", "os_compute_api:os-floating-ip-dns:discoverable": "", "os_compute_api:os-floating-ip-dns:domain:update": "rule:admin_api", "os_compute_api:os-floating-ip-dns:domain:delete": "rule:admin_api", "os_compute_api:os-floating-ip-pools": "", "os_compute_api:os-floating-ip-pools:discoverable": "", "os_compute_api:os-floating-ips": "", "os_compute_api:os-floating-ips:discoverable": "", "os_compute_api:os-floating-ips-bulk": "rule:admin_api", "os_compute_api:os-floating-ips-bulk:discoverable": "", "os_compute_api:os-fping": "", "os_compute_api:os-fping:discoverable": "", "os_compute_api:os-fping:all_tenants": "rule:admin_api", "os_compute_api:os-hide-server-addresses": "is_admin:False", "os_compute_api:os-hide-server-addresses:discoverable": "", "os_compute_api:os-hosts": "rule:admin_api", "os_compute_api:os-hosts:discoverable": "", "os_compute_api:os-hypervisors": "rule:admin_api", "os_compute_api:os-hypervisors:discoverable": "", "os_compute_api:images:discoverable": "", "os_compute_api:image-size": "", "os_compute_api:image-size:discoverable": "", "os_compute_api:os-instance-actions": "", "os_compute_api:os-instance-actions:discoverable": "", "os_compute_api:os-instance-actions:events": "rule:admin_api", "os_compute_api:os-instance-usage-audit-log": "rule:admin_api", 
"os_compute_api:os-instance-usage-audit-log:discoverable": "", "os_compute_api:ips:discoverable": "", "os_compute_api:ips:index": "rule:admin_or_owner", "os_compute_api:ips:show": "rule:admin_or_owner", "os_compute_api:os-keypairs:discoverable": "", "os_compute_api:os-keypairs": "", "os_compute_api:os-keypairs:index": "rule:admin_api or user_id:%(user_id)s", "os_compute_api:os-keypairs:show": "rule:admin_api or user_id:%(user_id)s", "os_compute_api:os-keypairs:create": "rule:admin_api or user_id:%(user_id)s", "os_compute_api:os-keypairs:delete": "rule:admin_api or user_id:%(user_id)s", "os_compute_api:limits:discoverable": "", "os_compute_api:limits": "", "os_compute_api:os-lock-server:discoverable": "", "os_compute_api:os-lock-server:lock": "rule:admin_or_owner", "os_compute_api:os-lock-server:unlock": "rule:admin_or_owner", "os_compute_api:os-lock-server:unlock:unlock_override": "rule:admin_api", "os_compute_api:os-migrate-server:discoverable": "", "os_compute_api:os-migrate-server:migrate": "rule:admin_api", "os_compute_api:os-migrate-server:migrate_live": "rule:admin_api", "os_compute_api:os-multinic": "", "os_compute_api:os-multinic:discoverable": "", "os_compute_api:os-networks": "rule:admin_api", "os_compute_api:os-networks:view": "", "os_compute_api:os-networks:discoverable": "", "os_compute_api:os-networks-associate": "rule:admin_api", "os_compute_api:os-networks-associate:discoverable": "", "os_compute_api:os-pause-server:discoverable": "", "os_compute_api:os-pause-server:pause": "rule:admin_or_owner", "os_compute_api:os-pause-server:unpause": "rule:admin_or_owner", "os_compute_api:os-pci:pci_servers": "", "os_compute_api:os-pci:discoverable": "", "os_compute_api:os-pci:index": "rule:admin_api", "os_compute_api:os-pci:detail": "rule:admin_api", "os_compute_api:os-pci:show": "rule:admin_api", "os_compute_api:os-personality:discoverable": "", "os_compute_api:os-preserve-ephemeral-rebuild:discoverable": "", "os_compute_api:os-quota-sets:discoverable": "", 
"os_compute_api:os-quota-sets:show": "rule:admin_or_owner", "os_compute_api:os-quota-sets:defaults": "", "os_compute_api:os-quota-sets:update": "rule:admin_api", "os_compute_api:os-quota-sets:delete": "rule:admin_api", "os_compute_api:os-quota-sets:detail": "rule:admin_api", "os_compute_api:os-quota-class-sets:update": "rule:admin_api", "os_compute_api:os-quota-class-sets:show": "is_admin:True or quota_class:%(quota_class)s", "os_compute_api:os-quota-class-sets:discoverable": "", "os_compute_api:os-rescue": "", "os_compute_api:os-rescue:discoverable": "", "os_compute_api:os-scheduler-hints:discoverable": "", "os_compute_api:os-security-group-default-rules:discoverable": "", "os_compute_api:os-security-group-default-rules": "rule:admin_api", "os_compute_api:os-security-groups": "", "os_compute_api:os-security-groups:discoverable": "", "os_compute_api:os-server-diagnostics": "rule:admin_api", "os_compute_api:os-server-diagnostics:discoverable": "", "os_compute_api:os-server-password": "", "os_compute_api:os-server-password:discoverable": "", "os_compute_api:os-server-usage": "", "os_compute_api:os-server-usage:discoverable": "", "os_compute_api:os-server-groups": "", "os_compute_api:os-server-groups:discoverable": "", "os_compute_api:os-services": "rule:admin_api", "os_compute_api:os-services:discoverable": "", "os_compute_api:server-metadata:discoverable": "", "os_compute_api:server-metadata:index": "rule:admin_or_owner", "os_compute_api:server-metadata:show": "rule:admin_or_owner", "os_compute_api:server-metadata:delete": "rule:admin_or_owner", "os_compute_api:server-metadata:create": "rule:admin_or_owner", "os_compute_api:server-metadata:update": "rule:admin_or_owner", "os_compute_api:server-metadata:update_all": "rule:admin_or_owner", "os_compute_api:servers:discoverable": "", "os_compute_api:os-shelve:shelve": "", "os_compute_api:os-shelve:shelve:discoverable": "", "os_compute_api:os-shelve:shelve_offload": "rule:admin_api", 
"os_compute_api:os-simple-tenant-usage:discoverable": "", "os_compute_api:os-simple-tenant-usage:show": "rule:admin_or_owner", "os_compute_api:os-simple-tenant-usage:list": "rule:admin_api", "os_compute_api:os-suspend-server:discoverable": "", "os_compute_api:os-suspend-server:suspend": "rule:admin_or_owner", "os_compute_api:os-suspend-server:resume": "rule:admin_or_owner", "os_compute_api:os-tenant-networks": "rule:admin_or_owner", "os_compute_api:os-tenant-networks:discoverable": "", "os_compute_api:os-shelve:unshelve": "", "os_compute_api:os-user-data:discoverable": "", "os_compute_api:os-virtual-interfaces": "", "os_compute_api:os-virtual-interfaces:discoverable": "", "os_compute_api:os-volumes": "", "os_compute_api:os-volumes:discoverable": "", "os_compute_api:os-volumes-attachments:index": "", "os_compute_api:os-volumes-attachments:show": "", "os_compute_api:os-volumes-attachments:create": "", "os_compute_api:os-volumes-attachments:update": "", "os_compute_api:os-volumes-attachments:delete": "", "os_compute_api:os-volumes-attachments:discoverable": "", "os_compute_api:os-availability-zone:list": "", "os_compute_api:os-availability-zone:discoverable": "", "os_compute_api:os-availability-zone:detail": "rule:admin_api", "os_compute_api:os-used-limits": "rule:admin_api", "os_compute_api:os-used-limits:discoverable": "", "os_compute_api:os-migrations:index": "rule:admin_api", "os_compute_api:os-migrations:discoverable": "", "os_compute_api:os-assisted-volume-snapshots:create": "rule:admin_api", "os_compute_api:os-assisted-volume-snapshots:delete": "rule:admin_api", "os_compute_api:os-assisted-volume-snapshots:discoverable": "", "os_compute_api:os-console-auth-tokens": "rule:admin_api", "os_compute_api:os-server-external-events:create": "rule:admin_api" }
3.17.2.3. rootwrap.conf
The rootwrap.conf file defines configuration values used by the rootwrap script when the Compute service needs to escalate its privileges to those of the root user.
It is also possible to disable the root wrapper and fall back to sudo only. Set the disable_rootwrap option in the [workarounds] section of the nova.conf configuration file.
# Configuration for nova-rootwrap
# This file should be owned by (and only-writeable by) the root user

[DEFAULT]
# List of directories to load filter definitions from (separated by ',').
# These directories MUST all be only writeable by root !
filters_path=/etc/nova/rootwrap.d,/usr/share/nova/rootwrap

# List of directories to search executables in, in case filters do not
# explicitly specify a full path (separated by ',')
# If not specified, defaults to system PATH environment variable.
# These directories MUST all be only writeable by root !
exec_dirs=/sbin,/usr/sbin,/bin,/usr/bin

# Enable logging to syslog
# Default value is False
use_syslog=False

# Which syslog facility to use.
# Valid values include auth, authpriv, syslog, local0, local1...
# Default value is 'syslog'
syslog_log_facility=syslog

# Which messages to log.
# INFO means log all usage
# ERROR means only log unsuccessful attempts
syslog_log_level=ERROR
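The ownership rule stated in the comments of rootwrap.conf, as an added audit script (not part of nova or oslo.rootwrap): it checks that the file, every filters_path and exec_dirs directory, and each file inside the filter directories is owned by the expected user and not writable by group or others. Checking the individual filter files goes one step beyond what the comments require; the owner_uid parameter, demo() and its directory names are constructed for this example so that it runs without root.

```python
import configparser
import os
import stat
import tempfile


def check_path(path, owner_uid=0):
    """Return the problems found for one path; an empty list means it passes."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        # Reported so the operator can confirm nobody else can create it.
        return ["missing"]
    problems = []
    if st.st_uid != owner_uid:
        problems.append("wrong owner")
    if st.st_mode & stat.S_IWGRP:
        problems.append("group-writable")
    if st.st_mode & stat.S_IWOTH:
        problems.append("world-writable")
    return problems


def audit_rootwrap(conf_path, owner_uid=0):
    """Check rootwrap.conf, its filters_path and exec_dirs directories, and
    every filter file against the 'only writeable by root' rule."""
    parser = configparser.RawConfigParser()
    with open(conf_path) as handle:
        parser.read_file(handle)
    targets = [conf_path]
    for option in ("filters_path", "exec_dirs"):
        for entry in parser.defaults().get(option, "").split(","):
            directory = entry.strip()
            if not directory:
                continue
            targets.append(directory)
            if option == "filters_path" and os.path.isdir(directory):
                targets.extend(os.path.join(directory, name)
                               for name in sorted(os.listdir(directory)))
    findings = {}
    for path in targets:
        problems = check_path(path, owner_uid)
        if problems:
            findings[path] = problems
    return findings


def demo():
    """Build a constructed tree and audit it; the current user stands in for root."""
    with tempfile.TemporaryDirectory() as root:
        good = os.path.join(root, "rootwrap.d")
        loose = os.path.join(root, "share-rootwrap")
        absent = os.path.join(root, "not-there")
        for directory, mode in ((good, 0o755), (loose, 0o777)):
            os.mkdir(directory)
            os.chmod(directory, mode)
        filt = os.path.join(good, "compute.filters")
        with open(filt, "w") as handle:
            handle.write("[Filters]\n")
        os.chmod(filt, 0o664)
        conf = os.path.join(root, "rootwrap.conf")
        with open(conf, "w") as handle:
            handle.write("[DEFAULT]\nfilters_path=%s,%s\nexec_dirs=%s\n"
                         % (good, loose, absent))
        os.chmod(conf, 0o644)
        found = audit_rootwrap(conf, owner_uid=os.getuid())
        return {os.path.relpath(p, root): v for p, v in found.items()}


if __name__ == "__main__":
    for path, problems in sorted(demo().items()):
        print("%s: %s" % (path, ", ".join(problems)))
```

On a real host, call audit_rootwrap("/etc/nova/rootwrap.conf") with the default owner_uid of 0; an empty result means every checked path passed.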