
All Config Reference Files in Openstack


Uploaded by

ravi

docs.openstack.org


OpenStack Configuration Reference

October 7, 2014

juno

OpenStack Configuration Reference


juno (2014-10-07)

Copyright 2013, 2014 OpenStack Foundation All rights reserved.


This document is for system administrators who want to look up configuration options. It contains lists of
configuration options available with OpenStack and uses auto-generation to generate options and the descriptions from the code for each project. It includes sample configuration files.
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You
may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing
permissions and limitations under the License.


Table of Contents
OpenStack configuration overview ................................................................................ xix
Conventions .......................................................................................................... xix
Document change history ...................................................................................... xx
Configuration file format ....................................................................................... xx
1. Block Storage .............................................................................................................. 1
Introduction to the Block Storage service ................................................................ 1
cinder.conf configuration file ............................................................................. 2
Volume drivers ........................................................................................................ 3
Backup drivers ....................................................................................................... 91
Block Storage sample configuration files ................................................................ 93
Log files used by Block Storage ........................................................................... 133
Fibre Channel Zone Manager .............................................................................. 133
Volume encryption with static key ....................................................................... 135
Additional options ............................................................................................... 139
New, updated and deprecated options in Juno for OpenStack Block Storage ........ 157
2. Compute ................................................................................................................. 163
Overview of nova.conf ........................................................................................ 163
Configure logging ................................................................................................ 165
Configure authentication and authorization ........................................................ 165
Configure resize .................................................................................................. 165
Database configuration ....................................................................................... 166
Configure the Oslo RPC messaging system ........................................................... 166
Configure the Compute API ................................................................................ 169
Configure the EC2 API ......................................................................................... 172
Fibre Channel support in Compute ...................................................................... 172
Hypervisors .......................................................................................................... 172
Scheduling ........................................................................................................... 206
Cells ..................................................................................................................... 222
Conductor ........................................................................................................... 226
Example nova.conf configuration files .............................................................. 227
Compute log files ................................................................................................ 231
Compute sample configuration files ..................................................................... 232
New, updated and deprecated options in Juno for OpenStack Compute ............... 271
3. Dashboard ............................................................................................................... 276
Configure the dashboard ..................................................................................... 276
Customize the dashboard .................................................................................... 280
Additional sample configuration files ................................................................... 281
Dashboard log files ............................................................................................. 292
4. Database Service ..................................................................................................... 294
Configure the database ....................................................................................... 303
Configure the RPC messaging system ................................................................... 307
5. Data processing service ............................................................................................ 311
6. Identity service ........................................................................................................ 319
Caching layer ....................................................................................................... 319
Identity service configuration file ......................................................................... 321
Identity service sample configuration files ............................................................ 338
New, updated and deprecated options in Juno for OpenStack Identity ................. 367
7. Image Service .......................................................................................................... 372


Configure the API ................................................................................................ 379


Configure the RPC messaging system ................................................................... 380
Support for ISO images ....................................................................................... 383
Configure back ends ............................................................................................ 383
Image Service sample configuration files .............................................................. 389
New, updated and deprecated options in Juno for OpenStack Image Service ........ 408
8. Networking ............................................................................................................. 410
Networking configuration options ....................................................................... 410
Log files used by Networking .............................................................................. 449
Networking sample configuration files ................................................................. 449
New, updated and deprecated options in Juno for OpenStack Networking ........... 466
9. Object Storage ........................................................................................................ 475
Introduction to Object Storage ............................................................................ 475
Object Storage general service configuration ....................................................... 475
Object server configuration ................................................................................. 477
Object expirer configuration ................................................................................ 486
Container server configuration ............................................................................ 489
Container sync realms configuration .................................................................... 496
Container reconciler configuration ....................................................................... 497
Account server configuration ............................................................................... 500
Proxy server configuration ................................................................................... 506
Proxy server memcache configuration .................................................................. 522
Rsyncd configuration ........................................................................................... 522
Configure Object Storage features ....................................................................... 523
New, updated and deprecated options in Juno for OpenStack Object Storage...... 539
10. Orchestration ......................................................................................................... 543
Configure APIs .................................................................................................... 548
Configure Clients ................................................................................................. 551
Configure the RPC messaging system ................................................................... 554
New, updated and deprecated options in Juno for Orchestration ......................... 557
11. Telemetry .............................................................................................................. 560
Telemetry sample configuration files .................................................................... 572
New, updated and deprecated options in Juno for Telemetry .............................. 592
A. Firewalls and default ports ...................................................................................... 596
B. Community support ................................................................................................. 598
Documentation ................................................................................................... 598
ask.openstack.org ................................................................................................ 599
OpenStack mailing lists ........................................................................................ 599
The OpenStack wiki ............................................................................................. 600
The Launchpad Bugs area ................................................................................... 600
The OpenStack IRC channel ................................................................................. 601
Documentation feedback .................................................................................... 601
OpenStack distribution packages ......................................................................... 601


List of Figures
1.1. Ceph architecture ..................................................................................................... 3
1.2. Repository Creation Plan screen ................................................................................ 9
1.3. Local configuration ................................................................................................. 86
1.4. Remote configuration ............................................................................................. 87
2.1. VMware driver architecture .................................................................................. 189
2.2. Filtering ................................................................................................................ 207
2.3. Weighting hosts ................................................................................................... 217
2.4. KVM, Flat, MySQL, and Glance, OpenStack or EC2 API .......................................... 230
2.5. KVM, Flat, MySQL, and Glance, OpenStack or EC2 API .......................................... 231


List of Tables
1.1. Description of Ceph storage configuration options ................................................... 5
1.2. Description of Coraid AoE driver configuration options ............................................. 9
1.3. Description of Dell EqualLogic volume driver configuration options ......................... 11
1.4. Description of GlusterFS storage configuration options ........................................... 20
1.5. Description of HDS HNAS iSCSI and NFS driver configuration options ....................... 21
1.6. Configuration options ............................................................................................. 25
1.7. Description of HDS HUS iSCSI driver configuration options ....................................... 27
1.8. Configuration options ............................................................................................. 29
1.9. Huawei storage driver configuration options .......................................................... 43
1.10. Description of GPFS storage configuration options ................................................ 45
1.11. Volume Create Options for GPFS Volume Drive ..................................................... 46
1.12. List of configuration flags for Storwize storage and SVC driver .............................. 50
1.13. Description of IBM Storwize driver configuration options ....................................... 51
1.14. Description of IBM XIV and DS8000 volume driver configuration options ............... 54
1.15. Description of LVM configuration options ............................................................. 55
1.16. Description of NetApp cDOT iSCSI driver configuration options ............................. 56
1.17. Description of NetApp cDOT NFS driver configuration options ............................... 57
1.18. Description of extra specs options for NetApp Unified Driver with Clustered Data ONTAP ............ 60
1.19. Description of NetApp 7-Mode iSCSI driver configuration options .......................... 62
1.20. Description of NetApp 7-Mode NFS driver configuration options ........................... 63
1.21. Description of NetApp E-Series driver configuration options .................................. 65
1.22. Description of Nexenta iSCSI driver configuration options ...................................... 68
1.23. Description of Nexenta NFS driver configuration options ....................................... 69
1.24. Description of NFS storage configuration options .................................................. 70
1.25. Description of ProphetStor Fibre Channel and iSCSI drivers configuration options ............ 73
1.26. Description of SolidFire driver configuration options .............................................. 77
1.27. Description of VMware configuration options ....................................................... 78
1.28. Extra spec entry to VMDK disk file type mapping .................................................. 79
1.29. Extra spec entry to clone type mapping ................................................................ 79
1.30. Description of Windows configuration options ...................................................... 83
1.31. Description of Xen storage configuration options .................................................. 87
1.32. Description of Zadara Storage driver configuration options ................................... 88
1.33. Description of ZFS Storage Appliance iSCSI driver configuration options ................. 90
1.34. Description of Ceph backup driver configuration options ....................................... 91
1.35. Description of IBM Tivoli Storage Manager backup driver configuration options ............ 92
1.36. Description of Swift backup driver configuration options ....................................... 93
1.37. Log files used by Block Storage services ............................................................... 133
1.38. Description of zoning configuration options ........................................................ 133
1.39. Description of zoning manager configuration options ......................................... 134
1.40. Description of zoning fabrics configuration options ............................................. 134
1.41. Description of authorization token configuration options .................................... 139
1.42. Description of Huawei storage driver configuration options ................................. 140
1.43. Description of NAS configuration options ............................................................ 141
1.44. Description of HP MSA Fiber Channel driver configuration options ....................... 141
1.45. Description of Nimble driver configuration options .............................................. 141


1.46. Description of Pure Storage driver configuration options ..................................... 141


1.47. Description of database configuration options .................................................... 141
1.48. Description of key manager configuration options .............................................. 142
1.49. Description of storage configuration options ....................................................... 142
1.50. Description of RPC configuration options ............................................................ 144
1.51. Description of AMQP configuration options ........................................................ 144
1.52. Description of Qpid configuration options ........................................................... 144
1.53. Description of RabbitMQ configuration options ................................................... 145
1.54. Description of Redis configuration options .......................................................... 145
1.55. Description of ZeroMQ configuration options ...................................................... 145
1.56. Description of Solaris SAN configuration options ................................................. 146
1.57. Description of rootwrap configuration options .................................................... 146
1.58. Description of CA and SSL configuration options ................................................. 146
1.59. Description of images configuration options ....................................................... 147
1.60. Description of swift configuration options ........................................................... 147
1.61. Description of EMC configuration options ........................................................... 147
1.62. Description of backups configuration options ...................................................... 148
1.63. Description of HP 3PAR Fibre Channel and iSCSI drivers configuration options ....... 148
1.64. Description of API configuration options ............................................................. 149
1.65. Description of HP LeftHand/StoreVirtual driver configuration options .................. 150
1.66. Description of Scality SOFS volume driver configuration options ........................... 150
1.67. Description of block device configuration options ................................................ 150
1.68. Description of Compute configuration options .................................................... 150
1.69. Description of SAN configuration options ............................................................ 151
1.70. Description of zones configuration options ......................................................... 151
1.71. Description of authorization configuration options .............................................. 151
1.72. Description of scheduler configuration options .................................................... 151
1.73. Description of quota configuration options ......................................................... 152
1.74. Description of common configuration options ..................................................... 152
1.75. Description of logging configuration options ....................................................... 153
1.76. Description of logging configuration options ....................................................... 154
1.77. Description of testing configuration options ........................................................ 155
1.78. Description of profiler configuration options ....................................................... 155
1.79. Description of Fusion-io driver configuration options ........................................... 155
1.80. Description of Hitachi volume driver configuration options .................................. 155
1.81. Description of IBM NAS volume driver configuration options ............................... 156
1.82. Description of Datera volume driver configuration options .................................. 156
1.83. Description of Fujitsu ETERNUS DX volume driver configuration options ............... 156
1.84. Description of Samba volume driver configuration options .................................. 156
1.85. New options ....................................................................................................... 157
1.86. New default values ............................................................................................. 161
1.87. Deprecated options ............................................................................................ 162
2.1. Description of RabbitMQ configuration options .................................................... 166
2.2. Description of Qpid configuration options ............................................................. 168
2.3. Description of ZeroMQ configuration options ....................................................... 168
2.4. Description of AMQP configuration options .......................................................... 169
2.5. Description of RPC configuration options .............................................................. 169
2.6. Default API rate limits .......................................................................................... 170
2.7. vCenter permissions tree ....................................................................................... 191
2.8. OpenStack Image Service disk type settings .......................................................... 194
2.9. Host weighting options ........................................................................................ 217


2.10. Cell weighting options ........................................................................ 218
2.11. Log files used by Compute services ..................................................... 231
2.12. Description of API configuration options ............................................. 232
2.13. Description of API v3 configuration options ........................................ 233
2.14. Description of authentication configuration options ............................ 233
2.15. Description of authorization token configuration options .................... 233
2.16. Description of availability zones configuration options ......................... 235
2.17. Description of baremetal configuration options ................................... 235
2.18. Description of CA configuration options .............................................. 236
2.19. Description of cell configuration options ............................................. 236
2.20. Description of common configuration options ..................................... 237
2.21. Description of Compute configuration options .................................... 238
2.22. Description of conductor configuration options ................................... 239
2.23. Description of config drive configuration options ................................ 240
2.24. Description of console configuration options ....................................... 240
2.25. Description of database configuration options .................................... 240
2.26. Description of logging configuration options ....................................... 241
2.27. Description of EC2 configuration options ............................................ 241
2.28. Description of ephemeral storage encryption configuration options ..... 242
2.29. Description of fping configuration options .......................................... 242
2.30. Description of glance configuration options ........................................ 242
2.31. Description of HyperV configuration options ....................................... 243
2.32. Description of hypervisor configuration options ................................... 243
2.33. Description of bare metal configuration options .................................. 244
2.34. Description of IPv6 configuration options ............................................ 244
2.35. Description of key manager configuration options .............................. 244
2.36. Description of LDAP configuration options .......................................... 244
2.37. Description of Libvirt configuration options ......................................... 245
2.38. Description of live migration configuration options ............................. 247
2.39. Description of logging configuration options ....................................... 247
2.40. Description of metadata configuration options ................................... 248
2.41. Description of network configuration options ..................................... 249
2.42. Description of neutron configuration options ...................................... 251
2.43. Description of PCI configuration options ............................................. 252
2.44. Description of periodic configuration options ...................................... 252
2.45. Description of policy configuration options ......................................... 252
2.46. Description of quota configuration options ......................................... 253
2.47. Description of RDP configuration options ............................................ 253
2.48. Description of Redis configuration options .......................................... 253
2.49. Description of rootwrap configuration options .................................... 254
2.50. Description of S3 configuration options ............................................... 254
2.51. Description of scheduler configuration options .................................... 254
2.52. Description of serial console configuration options .............................. 256
2.53. Description of SPICE configuration options .......................................... 256
2.54. Description of testing configuration options ........................................ 257
2.55. Description of Tilera configuration options .......................................... 257
2.56. Description of trusted computing configuration options ...................... 257
2.57. Description of upgrade levels configuration options ............................ 257
2.58. Description of VMware configuration options ..................................... 258
2.59. Description of VNC configuration options ........................................... 258
2.60. Description of volumes configuration options ...................................... 259


2.61. Description of VPN configuration options
2.62. Description of Xen configuration options
2.63. Description of XCP VNC proxy configuration options
2.64. Description of Zookeeper configuration options
2.65. New options
2.66. New default values
2.67. Deprecated options
3.1. Dashboard/httpd log files
4.1. Description of API configuration options
4.2. Description of authorization token configuration options
4.3. Description of backup configuration options
4.4. Description of CA and SSL configuration options
4.5. Description of clients configuration options
4.6. Description of cluster configuration options
4.7. Description of common configuration options
4.8. Description of Compute configuration options
4.9. Description of logging configuration options
4.10. Description of DNS configuration options
4.11. Description of guest agent configuration options
4.12. Description of Orchestration module configuration options
4.13. Description of logging configuration options
4.14. Description of network configuration options
4.15. Description of nova configuration options
4.16. Description of quota configuration options
4.17. Description of Redis configuration options
4.18. Description of testing configuration options
4.19. Description of swift configuration options
4.20. Description of taskmanager configuration options
4.21. Description of volume configuration options
4.22. Description of database configuration options
4.23. Description of Cassandra database configuration options
4.24. Description of Couchbase database configuration options
4.25. Description of MongoDB database configuration options
4.26. Description of MySQL database configuration options
4.27. Description of Percona database configuration options
4.28. Description of PostgreSQL database configuration options
4.29. Description of Redis database configuration options
4.30. Description of RabbitMQ configuration options
4.31. Description of Qpid configuration options
4.32. Description of ZeroMQ configuration options
4.33. Description of AMQP configuration options
4.34. Description of RPC configuration options
5.1. Description of AMQP configuration options
5.2. Description of authorization token configuration options
5.3. Description of common configuration options
5.4. Description of database configuration options
5.5. Description of domain configuration options
5.6. Description of logging configuration options
5.7. Description of logging configuration options
5.8. Description of Qpid configuration options
5.9. Description of RabbitMQ configuration options

5.10. Description of Redis configuration options
5.11. Description of RPC configuration options
5.12. Description of testing configuration options
5.13. Description of ZeroMQ configuration options
6.1. Description of cache configuration options
6.2. Description of API configuration options
6.3. Description of assignment configuration options
6.4. Description of authorization configuration options
6.5. Description of authorization token configuration options
6.6. Description of CA and SSL configuration options
6.7. Description of catalog configuration options
6.8. Description of common configuration options
6.9. Description of credential configuration options
6.10. Description of database configuration options
6.11. Description of logging configuration options
6.12. Description of EC2 configuration options
6.13. Description of federation configuration options
6.14. Description of identity configuration options
6.15. Description of KVS configuration options
6.16. Description of LDAP configuration options
6.17. Description of logging configuration options
6.18. Description of mapping configuration options
6.19. Description of memcache configuration options
6.20. Description of OAuth configuration options
6.21. Description of os_inherit configuration options
6.22. Description of policy configuration options
6.23. Description of revoke configuration options
6.24. Description of SAML configuration options
6.25. Description of security configuration options
6.26. Description of stats configuration options
6.27. Description of testing configuration options
6.28. Description of token configuration options
6.29. Description of trust configuration options
6.30. Description of RPC configuration options
6.31. Description of AMQP configuration options
6.32. Description of Qpid configuration options
6.33. Description of RabbitMQ configuration options
6.34. Description of ZeroMQ configuration options
6.35. Description of Redis configuration options
6.36. New options
6.37. New default values
6.38. Deprecated options
7.1. Description of authorization token configuration options
7.2. Description of common configuration options
7.3. Description of database configuration options
7.4. Description of flagmappings configuration options
7.5. Description of logging configuration options
7.6. Description of policy configuration options
7.7. Description of profiler configuration options
7.8. Description of Redis configuration options
7.9. Description of registry configuration options

7.10. Description of testing configuration options
7.11. Description of API configuration options
7.12. Description of CA and SSL configuration options
7.13. Description of RabbitMQ configuration options
7.14. Description of Qpid configuration options
7.15. Description of ZeroMQ configuration options
7.16. Description of AMQP configuration options
7.17. Description of RPC configuration options
7.18. Description of cinder configuration options
7.19. Description of filesystem configuration options
7.20. Description of GridFS configuration options
7.21. Description of RBD configuration options
7.22. Description of S3 configuration options
7.23. Description of Sheepdog configuration options
7.24. Description of swift configuration options
7.25. Description of VMware configuration options
7.26. New options
7.27. New default values
7.28. Deprecated options
8.1. Description of common configuration options
8.2. Description of BigSwitch configuration options
8.3. Description of Brocade configuration options
8.4. Description of Cisco configuration options
8.5. Description of cfg agent configuration options
8.6. Description of HyperV agent configuration options
8.7. Description of Embrane configuration options
8.8. Description of SDN-VE configuration options
8.9. Description of Linux Bridge agent configuration options
8.10. Description of Mellanox configuration options
8.11. Description of meta configuration options
8.12. Description of ML2 configuration options
8.13. Description of ML2 Flat mechanism driver configuration options
8.14. Description of ML2 GRE configuration options
8.15. Description of ML2 VLAN configuration options
8.16. Description of ML2 VXLAN configuration options
8.17. Description of ML2 Arista mechanism driver configuration options
8.18. Description of Arista layer-3 service plug-in configuration options
8.19. Description of ML2 BigSwitch mechanism driver configuration options
8.20. Description of ML2 Brocade mechanism driver configuration options
8.21. Description of ML2 Cisco mechanism driver configuration options
8.22. Description of ML2 Freescale SDN mechanism driver configuration options
8.23. Description of Mellanox ML2 mechanism driver configuration options
8.24. Description of ML2 OpenDaylight mechanism driver configuration options
8.25. Description of ML2 ofagent mechanism driver configuration options
8.26. Description of ML2 L2 population configuration options
8.27. Description of ML2 NCS mechanism driver configuration options
8.28. Description of ML2 ML2 SR-IOV driver configuration options
8.29. Description of Midonet configuration options
8.30. Description of Nec configuration options
8.31. Description of Nuage configuration options
8.32. Description of NVSD driver configuration options

8.33. Description of OpenContrail configuration options
8.34. Description of Open vSwitch agent configuration options
8.35. Description of PLUMgrid configuration options
8.36. Description of RYU configuration options
8.37. Description of SR-IOV configuration options
8.38. Description of VMware configuration options
8.39. Description of RabbitMQ configuration options
8.40. Description of Qpid configuration options
8.41. Description of ZeroMQ configuration options
8.42. Description of RPC configuration options
8.43. Description of Redis configuration options
8.44. Description of AMQP configuration options
8.45. Description of agent configuration options
8.46. Description of API configuration options
8.47. Description of authorization token configuration options
8.48. Description of Compute configuration options
8.49. Description of database configuration options
8.50. Description of logging configuration options
8.51. Description of DHCP agent configuration options
8.52. Description of DVR configuration options
8.53. Description of Embrane LBaaS driver configuration options
8.54. Description of FwaaS configuration options
8.55. Description of IPv6 router advertisement configuration options
8.56. Description of L3 agent configuration options
8.57. Description of LBaaS configuration options
8.58. Description of LBaaS haproxy configuration options
8.59. Description of LBaaS Netscaler configuration options
8.60. Description of LBaaS Radware configuration options
8.61. Description of logging configuration options
8.62. Description of metadata configuration options
8.63. Description of metering agent configuration options
8.64. Description of policy configuration options
8.65. Description of quotas configuration options
8.66. Description of rootwrap configuration options
8.67. Description of scheduler configuration options
8.68. Description of security groups configuration options
8.69. Description of CA and SSL configuration options
8.70. Description of testing configuration options
8.71. Description of vArmour configuration options
8.72. Description of VPN configuration options
8.73. Log files used by Networking services
8.74. New options
8.75. New default values
8.76. Deprecated options
9.1. Description of configuration options for [swift-hash] in swift.conf
9.2. Description of configuration options for [DEFAULT] in object-server.conf
9.3. Description of configuration options for [app-object-server] in object-server.conf
9.4. Description of configuration options for [pipeline-main] in object-server.conf

9.5. Description of configuration options for [object-replicator] in object-server.conf
9.6. Description of configuration options for [object-updater] in object-server.conf
9.7. Description of configuration options for [object-auditor] in object-server.conf
9.8. Description of configuration options for [filter-healthcheck] in object-server.conf
9.9. Description of configuration options for [filter-recon] in object-server.conf
9.10. Description of configuration options for [filter-xprofile] in object-server.conf
9.11. Description of configuration options for [DEFAULT] in object-expirer.conf
9.12. Description of configuration options for [app-proxy-server] in object-expirer.conf
9.13. Description of configuration options for [filter-cache] in object-expirer.conf
9.14. Description of configuration options for [filter-catch_errors] in object-expirer.conf
9.15. Description of configuration options for [filter-proxy-logging] in object-expirer.conf
9.16. Description of configuration options for [object-expirer] in object-expirer.conf
9.17. Description of configuration options for [pipeline-main] in object-expirer.conf
9.18. Description of configuration options for [DEFAULT] in container-server.conf
9.19. Description of configuration options for [app-container-server] in container-server.conf
9.20. Description of configuration options for [pipeline-main] in container-server.conf
9.21. Description of configuration options for [container-replicator] in container-server.conf
9.22. Description of configuration options for [container-updater] in container-server.conf
9.23. Description of configuration options for [container-auditor] in container-server.conf
9.24. Description of configuration options for [container-sync] in container-server.conf
9.25. Description of configuration options for [filter-healthcheck] in container-server.conf
9.26. Description of configuration options for [filter-recon] in container-server.conf
9.27. Description of configuration options for [filter-xprofile] in container-server.conf
9.28. Description of configuration options for [DEFAULT] in container-sync-realms.conf
9.29. Description of configuration options for [realm1] in container-sync-realms.conf

9.30. Description of configuration options for [realm2] in container-sync-realms.conf
9.31. Description of configuration options for [DEFAULT] in container-reconciler.conf
9.32. Description of configuration options for [app-proxy-server] in container-reconciler.conf
9.33. Description of configuration options for [container-reconciler] in container-reconciler.conf
9.34. Description of configuration options for [filter-cache] in container-reconciler.conf
9.35. Description of configuration options for [filter-catch_errors] in container-reconciler.conf
9.36. Description of configuration options for [filter-proxy-logging] in container-reconciler.conf
9.37. Description of configuration options for [pipeline-main] in container-reconciler.conf
9.38. Description of configuration options for [DEFAULT] in account-server.conf
9.39. Description of configuration options for [app-account-server] in account-server.conf
9.40. Description of configuration options for [pipeline-main] in account-server.conf
9.41. Description of configuration options for [account-replicator] in account-server.conf
9.42. Description of configuration options for [account-auditor] in account-server.conf
9.43. Description of configuration options for [account-reaper] in account-server.conf
9.44. Description of configuration options for [filter-healthcheck] in account-server.conf
9.45. Description of configuration options for [filter-recon] in account-server.conf
9.46. Description of configuration options for [filter-xprofile] in account-server.conf
9.47. Description of configuration options for [DEFAULT] in proxy-server.conf
9.48. Description of configuration options for [app-proxy-server] in proxy-server.conf
9.49. Description of configuration options for [pipeline-main] in proxy-server.conf
9.50. Description of configuration options for [filter-account-quotas] in proxy-server.conf
9.51. Description of configuration options for [filter-authtoken] in proxy-server.conf
9.52. Description of configuration options for [filter-cache] in proxy-server.conf
9.53. Description of configuration options for [filter-catch_errors] in proxy-server.conf
9.54. Description of configuration options for [filter-container_sync] in proxy-server.conf

9.55. Description of configuration options for [filter-dlo] in proxy-server.conf
9.56. Description of configuration options for [filter-gatekeeper] in proxy-server.conf
9.57. Description of configuration options for [filter-healthcheck] in proxy-server.conf
9.58. Description of configuration options for [filter-keystoneauth] in proxy-server.conf
9.59. Description of configuration options for [filter-list-endpoints] in proxy-server.conf
9.60. Description of configuration options for [filter-proxy-logging] in proxy-server.conf
9.61. Description of configuration options for [filter-tempauth] in proxy-server.conf
9.62. Description of configuration options for [filter-xprofile] in proxy-server.conf
9.63. Description of configuration options for [memcache] in memcache.conf
9.64. Description of configuration options for [account] in rsyncd.conf
9.65. Description of configuration options for [container] in rsyncd.conf
9.66. Description of configuration options for [object] in rsyncd.conf
9.67. Description of configuration options for [filter-ratelimit] in proxy-server.conf
9.68. Values for Rate Limiting with Sample Configuration Settings
9.69. Description of configuration options for [filter-healthcheck] in account-server.conf
9.70. Description of configuration options for [filter-domain_remap] in proxy-server.conf
9.71. Description of configuration options for [filter-cname_lookup] in proxy-server.conf
9.72. Description of configuration options for [filter-tempurl] in proxy-server.conf
9.73. Description of configuration options for [filter-name_check] in proxy-server.conf
9.74. Description of configuration options for [swift-constraints] in swift.conf
9.75. Description of configuration options for [dispersion] in dispersion.conf
9.76. Description of configuration options for [filter-slo] in proxy-server.conf
9.77. Description of configuration options for [filter-container-quotas] in proxy-server.conf
9.78. Description of configuration options for [filter-bulk] in proxy-server.conf
9.79. Description of configuration options for [drive-audit] in drive-audit.conf
9.80. Description of configuration options for [filter-formpost] in proxy-server.conf
9.81. Description of configuration options for [filter-staticweb] in proxy-server.conf
9.82. New options
9.83. New default values

10.1. Description of authorization token configuration options
10.2. Description of common configuration options
10.3. Description of crypt configuration options
10.4. Description of database configuration options
10.5. Description of logging configuration options
10.6. Description of load balancer configuration options
10.7. Description of logging configuration options
10.8. Description of quota configuration options
10.9. Description of Redis configuration options
10.10. Description of testing configuration options
10.11. Description of API configuration options
10.12. Description of Cloudformation-compatible API configuration options
10.13. Description of CloudWatch API configuration options
10.14. Description of metadata API configuration options
10.15. Description of waitcondition API configuration options
10.16. Description of clients configuration options
10.17. Description of client backends configuration options
10.18. Description of ceilometer clients configuration options
10.19. Description of cinder clients configuration options
10.20. Description of glance clients configuration options
10.21. Description of heat clients configuration options
10.22. Description of keystone clients configuration options
10.23. Description of neutron clients configuration options
10.24. Description of nova clients configuration options
10.25. Description of swift clients configuration options
10.26. Description of trove clients configuration options
10.27. Description of RabbitMQ configuration options
10.28. Description of Qpid configuration options
10.29. Description of ZeroMQ configuration options
10.30. Description of AMQP configuration options
10.31. Description of RPC configuration options
10.32. Description of notification configuration options
10.33. New options
10.34. New default values
10.35. Deprecated options
11.1. Description of alarm configuration options
11.2. Description of AMQP configuration options
11.3. Description of API configuration options
11.4. Description of authorization configuration options
11.5. Description of authorization token configuration options
11.6. Description of collector configuration options
11.7. Description of common configuration options
11.8. Description of database configuration options
11.9. Description of logging configuration options
11.10. Description of events configuration options
11.11. Description of exchange configuration options
11.12. Description of glance configuration options
11.13. Description of inspector configuration options
11.14. Description of IPMI configuration options
11.15. Description of logging configuration options
11.16. Description of nova configuration options

11.17. Description of nova cells configuration options
11.18. Description of Qpid configuration options
11.19. Description of RabbitMQ configuration options
11.20. Description of Redis configuration options
11.21. Description of rootwrap configuration options
11.22. Description of RPC configuration options
11.23. Description of service types configuration options
11.24. Description of swift configuration options
11.25. Description of testing configuration options
11.26. Description of TripleO configuration options
11.27. Description of VMware configuration options
11.28. Description of XenAPI configuration options
11.29. Description of ZeroMQ configuration options
11.30. New options
11.31. New default values
11.32. Deprecated options
A.1. Default ports that OpenStack components use
A.2. Default ports that secondary services related to OpenStack components use

List of Examples
1.1. Default (single-instance) configuration
3.1. Before
3.2. After

OpenStack configuration overview


OpenStack is a collection of open source project components that enable setting up cloud
services. Each component uses similar configuration techniques and a common framework
for INI file options.
This guide pulls together multiple references and configuration options for the following
OpenStack components:
OpenStack Block Storage
OpenStack Compute
OpenStack Dashboard
Database Service
OpenStack Identity
OpenStack Image Service
OpenStack Networking
OpenStack Object Storage
Telemetry
Orchestration

Conventions
The OpenStack documentation uses several typesetting conventions.

Notices
Notices take these forms:

Note
A handy tip or reminder.

Important
Something you must be aware of before proceeding.

Warning
Critical information about the risk of data loss or security issues.

Command prompts
$ prompt

Any user, including the root user, can run commands that are prefixed with
the $ prompt.

# prompt

The root user must run commands that are prefixed with the # prompt. You
can also prefix these commands with the sudo command, if available, to run
them.

Document change history


This version of the guide replaces and obsoletes all earlier versions.
The following table describes the most recent changes:
Revision Date

Summary of Changes

April 16, 2014

Update for Icehouse: Updated all configuration tables, include sample configuration files,
add chapters for Database Service, Orchestration, and Telemetry.

March 11, 2014

Sorted component listing. Moved procedures to the Cloud Administrator Guide

January 9, 2014

Removes content addressed in installation, merges duplicated content, and revises legacy
references.

October 17, 2013

Havana release.

August 16, 2013

Moves Block Storage driver configuration information from the Block Storage Administration Guide to this reference.

June 10, 2013

Initial creation of Configuration Reference.

Configuration file format


OpenStack uses the INI file format for configuration files. An INI file is a simple text file that
specifies options as key=value pairs, grouped into sections. The DEFAULT section contains most of the configuration options. Lines starting with a hash sign (#) are comment
lines. For example:
[DEFAULT]
# Print debugging output (set logging level to DEBUG instead
# of default WARNING level). (boolean value)
debug = true
# Print more verbose output (set logging level to INFO instead
# of default WARNING level). (boolean value)
verbose = true
[database]
# The SQLAlchemy connection string used to connect to the
# database (string value)
connection = mysql://keystone:KEYSTONE_DBPASS@controller/keystone

Options can have different types for values. The comments in the sample config files always
mention these. The following types are used by OpenStack:
boolean value

Enables or disables an option. The allowed values are true and false.
# Enable the experimental use of database reconnect on
# connection lost (boolean value)
use_db_reconnect = false

floating point value

A floating point number like 0.25 or 1000.
# Sleep time in seconds for polling an ongoing async task
# (floating point value)
task_poll_interval = 0.5

integer value

An integer number is a number without fractional components, like 0 or 42.
# The port which the OpenStack Compute service listens on.
# (integer value)
compute_port = 8774

list value

Represents values of other types, separated by commas. As an example, the following sets
allowed_rpc_exception_modules to a list containing the four elements oslo.messaging.exceptions,
nova.exception, cinder.exception, and exceptions:
# Modules of exceptions that are permitted to be recreated
# upon receiving exception data from an rpc call. (list value)
allowed_rpc_exception_modules = oslo.messaging.exceptions,nova.exception,cinder.exception,exceptions

multi valued

A multi-valued option is a string value and can be given more than once; all values will be used.
# Driver or drivers to handle sending notifications. (multi
# valued)
notification_driver = nova.openstack.common.notifier.rpc_notifier
notification_driver = ceilometer.compute.nova_notifier

string value

Strings can be optionally enclosed with single or double quotes.
# onready allows you to send a notification when the process
# is ready to serve. For example, to have it notify using
# systemd, one could set shell command: "onready =
# systemd-notify --ready" or a module with notify() method:
# "onready = keystone.common.systemd". (string value)
onready = systemd-notify --ready
# If an instance is passed with the log message, format it
# like this (string value)
instance_format = "[instance: %(uuid)s] "

Sections
Configuration options are grouped by section. Most configuration files support at least the
following sections:
[DEFAULT]

Contains most configuration options. If the documentation for a configuration option does not specify its section, assume that it appears in this section.

[database]

Configuration options for the database that stores the state of the OpenStack service.

Substitution
The configuration file supports variable substitution. After you set a configuration option,
it can be referenced in later configuration values when you precede it with a $, like $OPTION.
The following example uses the values of rabbit_host and rabbit_port to define the
value of the rabbit_hosts option, in this case as controller:5672.
# The RabbitMQ broker address where a single node is used.
# (string value)
rabbit_host = controller
# The RabbitMQ broker port where a single node is used.
# (integer value)
rabbit_port = 5672
# RabbitMQ HA cluster host:port pairs. (list value)
rabbit_hosts = $rabbit_host:$rabbit_port

To avoid substitution, use $$; it is replaced by a single $. For example, if your LDAP DNS
password is $xkj432, specify it as follows:
ldap_dns_password = $$xkj432

The code uses the Python string.Template.safe_substitute() method to implement variable substitution. For more details on how variable substitution is resolved, see
http://docs.python.org/2/library/string.html#template-strings and PEP 292.
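
The following added example (not part of the original guide or of OpenStack's own code) models the substitution rule described above with a single pass of string.Template.safe_substitute() and flags secret-like options that contain an unescaped $. The sample file, the rabbit_password and admin_password entries, and the SECRET_HINTS name list are constructed assumptions for illustration.

```python
import configparser
from string import Template

# Constructed sample configuration, modelled on the options shown above.
# rabbit_password and admin_password are hypothetical entries added to
# show what happens when a secret contains an unescaped "$".
SAMPLE = """\
[DEFAULT]
rabbit_host = controller
rabbit_port = 5672
rabbit_hosts = $rabbit_host:$rabbit_port
ldap_dns_password = $$xkj432
rabbit_password = pa$rabbit_port
admin_password = $ecret9
"""

# Assumption: option names containing these words hold secrets.
SECRET_HINTS = ("password", "secret", "token", "key")


def load_options(text):
    """Return the raw [DEFAULT] options, in file order, without any
    interpolation performed by configparser itself."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep option names exactly as written
    parser.read_string(text)
    return dict(parser.defaults())


def resolve(options):
    """Apply one pass of string.Template.safe_substitute() to every value.

    Simplified model: unknown $names are left in place instead of raising,
    and "$$" collapses to a literal "$".
    """
    return {name: Template(raw).safe_substitute(options)
            for name, raw in options.items()}


def audit_secrets(options):
    """Report unescaped "$" references inside secret-like options.

    Returns (option, reference, status) tuples where status is:
      "rewritten"  - the reference names an existing option, so the
                     stored secret differs from what was typed
      "unresolved" - no such option exists today; the text survives, but
                     only until an option with that name is defined
      "invalid"    - a "$" that does not start a valid reference
    """
    findings = []
    for name, raw in options.items():
        if not any(hint in name.lower() for hint in SECRET_HINTS):
            continue
        for match in Template.pattern.finditer(raw):
            if match.group("escaped") is not None:
                continue  # "$$" is the documented, safe form
            ref = match.group("named") or match.group("braced")
            if ref is None:
                findings.append((name, match.group(0), "invalid"))
            elif ref in options:
                findings.append((name, ref, "rewritten"))
            else:
                findings.append((name, ref, "unresolved"))
    return findings


if __name__ == "__main__":
    opts = load_options(SAMPLE)
    for option, value in resolve(opts).items():
        print(f"{option} = {value}")
    for option, ref, status in audit_secrets(opts):
        print(f"WARNING {option}: reference '{ref}' is {status}; escape $ as $$")
```

Running the audit before a service restart catches passwords that would otherwise be altered silently, which typically surfaces later as an authentication failure against the broker or directory.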

Whitespace
To include whitespace in a configuration value, use a quoted string. For example:
ldap_dns_password='a password with spaces'

Define an alternate location for a config file


Most services and the *-manage command-line clients load the configuration
file. To define an alternate location for the configuration file, pass the --config-file
CONFIG_FILE parameter when you start a service or call a *-manage command.

1. Block Storage
Table of Contents
Introduction to the Block Storage service
cinder.conf configuration file
Volume drivers
Backup drivers
Block Storage sample configuration files
Log files used by Block Storage
Fibre Channel Zone Manager
Volume encryption with static key
Additional options
New, updated and deprecated options in Juno for OpenStack Block Storage
The OpenStack Block Storage service works with many different storage drivers that you
can configure by using these instructions.

Introduction to the Block Storage service


The OpenStack Block Storage service provides persistent block storage resources that OpenStack Compute instances can consume. This includes secondary attached storage similar
to the Amazon Elastic Block Storage (EBS) offering. In addition, you can write images to a
Block Storage device for Compute to use as a bootable persistent instance.
The Block Storage service differs slightly from the Amazon EBS offering. The Block Storage
service does not provide a shared storage solution like NFS. With the Block Storage service,
you can attach a device to only one instance.
The Block Storage service provides:
cinder-api. A WSGI app that authenticates and routes requests throughout the Block
Storage service. It supports the OpenStack APIs only, although there is a translation that
can be done through Compute's EC2 interface, which calls in to the Block Storage client.
cinder-scheduler. Schedules and routes requests to the appropriate volume service.
Depending upon your configuration, this may be simple round-robin scheduling to the
running volume services, or it can be more sophisticated through the use of the Filter
Scheduler. The Filter Scheduler is the default and enables filters on things like Capacity,
Availability Zone, Volume Types, and Capabilities as well as custom filters.
cinder-volume. Manages Block Storage devices, specifically the back-end devices
themselves.
cinder-backup. Provides a means to back up a Block Storage volume to OpenStack
Object Storage (swift).
The Block Storage service contains the following components:
Back-end Storage Devices. The Block Storage service requires some form of back-end
storage that the service is built on. The default implementation is to use LVM on a local
volume group named "cinder-volumes." In addition to the base driver implementation,
the Block Storage service also provides the means to add support for other storage devices
to be utilized such as external Raid Arrays or other storage appliances. These back-end
storage devices may have custom block sizes when using KVM or QEMU as the hypervisor.
Users and Tenants (Projects). The Block Storage service can be used by many different
cloud computing consumers or customers (tenants on a shared system), using role-based
access assignments. Roles control the actions that a user is allowed to perform. In the
default configuration, most actions do not require a particular role, but this can be configured by the system administrator in the appropriate policy.json file that maintains the rules. A user's access to particular volumes is limited by tenant, but the user
name and password are assigned per user. Key pairs granting access to a volume are enabled per user, but quotas to control resource consumption across available hardware resources are per tenant.
For tenants, quota controls are available to limit:
The number of volumes that can be created.
The number of snapshots that can be created.
The total number of GBs allowed per tenant (shared between snapshots and volumes).
You can revise the default quota values with the Block Storage CLI, so the limits placed
by quotas are editable by admin users.
Volumes, Snapshots, and Backups. The basic resources offered by the Block Storage service are volumes and snapshots which are derived from volumes and volume backups:
Volumes. Allocated block storage resources that can be attached to instances as secondary storage or they can be used as the root store to boot instances. Volumes are
persistent R/W block storage devices most commonly attached to the compute node
through iSCSI.
Snapshots. A read-only point in time copy of a volume. The snapshot can be created
from a volume that is currently in use (through the use of --force True) or in an
available state. The snapshot can then be used to create a new volume through create
from snapshot.
Backups. An archived copy of a volume currently stored in OpenStack Object Storage
(swift).

cinder.conf configuration file


The cinder.conf file is installed in /etc/cinder by default. When you manually install
the Block Storage service, the options in the cinder.conf file are set to default values.
This example shows a typical cinder.conf file:
[DEFAULT]
rootwrap_config=/etc/cinder/rootwrap.conf
sql_connection = mysql://cinder:[email protected]/cinder

api_paste_config = /etc/cinder/api-paste.ini
iscsi_helper=tgtadm
volume_name_template = volume-%s
volume_group = cinder-volumes
verbose = True
auth_strategy = keystone
#osapi_volume_listen_port=5900
# Add these when not using the defaults.
rabbit_host = 10.10.10.10
rabbit_port = 5672
rabbit_userid = rabbit
rabbit_password = secure_password
rabbit_virtual_host = /nova

Volume drivers
To use different volume drivers for the cinder-volume service, use the parameters described in these sections.
The volume drivers are included in the Block Storage repository (https://github.com/openstack/cinder). To set a volume driver, use the volume_driver flag. The default is:
volume_driver = cinder.volume.drivers.lvm.LVMISCSIDriver

Ceph RADOS Block Device (RBD)


If you use KVM or QEMU as your hypervisor, you can configure the Compute service to use
Ceph RADOS block devices (RBD) for volumes.
Ceph is a massively scalable, open source, distributed storage system. It is comprised of an
object store, block store, and a POSIX-compliant distributed file system. The platform can
auto-scale to the exabyte level and beyond. It runs on commodity hardware, is self-healing
and self-managing, and has no single point of failure. Ceph is in the Linux kernel and is integrated with the OpenStack cloud operating system. Due to its open-source nature, you can
install and use this portable storage platform in public or private clouds.

Figure 1.1. Ceph architecture

RADOS
Ceph is based on RADOS: Reliable Autonomic Distributed Object Store. RADOS distributes
objects across the storage cluster and replicates objects for fault tolerance. RADOS contains
the following major components:
Object Storage Device (OSD) Daemon. The storage daemon for the RADOS service, which
interacts with the OSD (physical or logical storage unit for your data).
You must run this daemon on each server in your cluster. For each OSD, you can have an
associated hard drive disk. For performance purposes, pool your hard drive disk with raid
arrays, logical volume management (LVM), or B-tree file system (Btrfs) pooling. By default, the following pools are created: data, metadata, and RBD.
Meta-Data Server (MDS). Stores metadata. MDSs build a POSIX file system on top of objects for Ceph clients. However, if you do not use the Ceph file system, you do not need a
metadata server.
Monitor (MON). A lightweight daemon that handles all communications with external
applications and clients. It also provides a consensus for distributed decision making in a
Ceph/RADOS cluster. For instance, when you mount a Ceph share on a client, you point
to the address of a MON server. It checks the state and the consistency of the data. In an
ideal setup, you must run at least three ceph-mon daemons on separate servers.
Ceph developers recommend that you use Btrfs as a file system for storage. XFS might
be a better alternative for production environments; XFS is an excellent alternative to Btrfs.
The ext4 file system is also compatible but does not exploit the power of Ceph.

Note
If using Btrfs, ensure that you use the correct version (see Ceph Dependencies).
For more information about usable file systems, see ceph.com/ceph-storage/file-system/.

Ways to store, use, and expose data


To store and access your data, you can use the following storage systems:
RADOS. Use as an object, default storage mechanism.
RBD. Use as a block device. The Linux kernel RBD (RADOS block device) driver allows
striping a Linux block device over multiple distributed object store data objects. It is compatible with the KVM RBD image.
CephFS. Use as a file, POSIX-compliant file system.
Ceph exposes RADOS; you can access it through the following interfaces:
RADOS Gateway. OpenStack Object Storage and Amazon-S3 compatible RESTful interface (see RADOS_Gateway).
librados, and its related C/C++ bindings.
RBD and QEMU-RBD. Linux kernel and QEMU block devices that stripe data across multiple objects.

Driver options
The following table contains the configuration options supported by the Ceph RADOS
Block Device driver.

Table 1.1. Description of Ceph storage configuration options

Configuration option = Default value
Description

[DEFAULT]

rados_connect_timeout = -1
(IntOpt) Timeout value (in seconds) used when connecting to ceph cluster. If value < 0, no
timeout is set and default librados value is used.

rbd_ceph_conf =
(StrOpt) Path to the ceph configuration file

rbd_flatten_volume_from_snapshot = False
(BoolOpt) Flatten volumes created from snapshots to remove dependency from volume to snapshot

rbd_max_clone_depth = 5
(IntOpt) Maximum number of nested volume clones that are taken before a flatten occurs. Set
to 0 to disable cloning.

rbd_pool = rbd
(StrOpt) The RADOS pool where rbd volumes are stored

rbd_secret_uuid = None
(StrOpt) The libvirt uuid of the secret for the rbd_user volumes

rbd_store_chunk_size = 4
(IntOpt) Volumes will be chunked into objects of this size (in megabytes).

rbd_user = None
(StrOpt) The RADOS client name for accessing rbd volumes - only set when using cephx
authentication

volume_tmp_dir = None
(StrOpt) Directory where temporary image files are stored when the volume driver does not
write them directly to the volume.

Coraid AoE driver configuration


Coraid storage appliances can provide block-level storage to OpenStack instances. Coraid
storage appliances use the low-latency ATA-over-Ethernet (AoE) protocol to provide high-bandwidth data transfer between hosts and data on the network.

Supported operations
Create, delete, attach, and detach volumes.
Create, list, and delete volume snapshots.
Create a volume from a snapshot.
Copy an image to a volume.
Copy a volume to an image.
Clone a volume.
Get volume statistics.

This document describes how to configure the OpenStack Block Storage service for use with
Coraid storage appliances.

Terminology
These terms are used in this section:
Term | Definition
AoE | ATA-over-Ethernet protocol
EtherCloud Storage Manager (ESM) | ESM provides live monitoring and management of EtherDrive appliances that use the AoE protocol, such as the SRX and VSX.
Fully-Qualified Repository Name (FQRN) | The FQRN is the full identifier of a storage profile. FQRN syntax is: performance_class-availability_class:profile_name:repository_name
SAN | Storage Area Network
SRX | Coraid EtherDrive SRX block storage appliance
VSX | Coraid EtherDrive VSX storage virtualization appliance

Requirements
To support the OpenStack Block Storage service, your SAN must include an SRX for physical
storage, a VSX running at least CorOS v2.0.6 for snapshot support, and an ESM running at
least v2.1.1 for storage repository orchestration. Ensure that all storage appliances are installed and connected to your network before you configure OpenStack volumes.
In order for the node to communicate with the SAN, you must install the Coraid AoE Linux
driver on each Compute node on the network that runs an OpenStack instance.

Overview
To configure the OpenStack Block Storage for use with Coraid storage appliances, perform
the following procedures:
1. Download and install the Coraid Linux AoE driver.
2. Create a storage profile by using the Coraid ESM GUI.
3. Create a storage repository by using the ESM GUI and record the FQRN.
4. Configure the cinder.conf file.
5. Create and associate a block storage volume type.

Install the Coraid AoE driver


Install the Coraid AoE driver on every compute node that will require access to block storage.
The latest AoE drivers will always be located at http://support.coraid.com/support/linux/.
To download and install the AoE driver, follow the instructions below, replacing aoeXXX
with the AoE driver file name:
1. Download the latest Coraid AoE driver.

$ wget http://support.coraid.com/support/linux/aoeXXX.tar.gz

2. Unpack the AoE driver.

3. Install the AoE driver.

$ cd aoeXXX
$ make
# make install

4. Initialize the AoE driver.

# modprobe aoe

5. Optionally, specify the Ethernet interfaces that the node can use to communicate with the SAN.

The AoE driver may use every Ethernet interface available to the node unless limited with the aoe_iflist parameter. For more information about the aoe_iflist parameter, see the aoe readme file included with the AoE driver.

# modprobe aoe aoe_iflist="eth1 eth2 ..."

Create a storage profile


To create a storage profile using the ESM GUI:
1. Log in to the ESM.

2. Click Storage Profiles in the SAN Domain pane.

3. Choose Menu > Create Storage Profile. If the option is unavailable, you might not have appropriate permissions. Make sure you are logged in to the ESM as the SAN administrator.

4. Use the storage class selector to select a storage class.

Each storage class includes performance and availability criteria (see the Storage Classes topic in the ESM Online Help for information on the different options).

5. Select a RAID type (if more than one is available) for the selected profile type.

6. Type a Storage Profile name.

The name is restricted to alphanumeric characters, underscore (_), and hyphen (-), and cannot exceed 32 characters.

7. Select the drive size from the drop-down menu.

8. Select the number of drives to be initialized for each RAID (LUN) from the drop-down menu (if the selected RAID type requires multiple drives).

9. Type the number of RAID sets (LUNs) you want to create in the repository by using this profile.

10. Click Next.

Create a storage repository and get the FQRN


Create a storage repository and get its fully qualified repository name (FQRN):
1. Access the Create Storage Repository dialog box.

2. Type a Storage Repository name.

The name is restricted to alphanumeric characters, underscore (_), and hyphen (-), and cannot exceed 32 characters.

3. Click Limited or Unlimited to indicate the maximum repository size.

Limited sets the amount of space that can be allocated to the repository. Specify the size in TB, GB, or MB.
When the difference between the reserved space and the space already allocated to LUNs is less than is required by a LUN allocation request, the reserved space is increased until the repository limit is reached.

Note
The reserved space does not include space used for parity or space used for mirrors. If parity and/or mirrors are required, the actual space allocated to the repository from the SAN is greater than that specified in reserved space.

Unlimited means that the amount of space allocated to the repository is unlimited and additional space is allocated to the repository automatically when space is required and available.

Note
Drives specified in the associated Storage Profile must be available on the SAN in order to allocate additional resources.

4. Check the Resizeable LUN box.

This is required for OpenStack volumes.

Note
If the Storage Profile associated with the repository has platinum availability, the Resizeable LUN box is automatically checked.

5. Check the Show Allocation Plan API calls box. Click Next.

6. Record the FQRN and click Finish.

The FQRN is located in the first line of output following the Plan keyword in the Repository Creation Plan window. The FQRN syntax is performance_class-availability_class:profile_name:repository_name.
In this example, the FQRN is Bronze-Platinum:BP1000:OSTest, and is highlighted.

Figure 1.2. Repository Creation Plan screen

Record the FQRN; it is a required parameter later in the configuration procedure.

Configure options in the cinder.conf file


Edit or add the following lines to the file /etc/cinder/cinder.conf:
volume_driver = cinder.volume.drivers.coraid.CoraidDriver
coraid_esm_address = ESM_IP_address
coraid_user = username
coraid_group = Access_Control_Group_name
coraid_password = password
coraid_repository_key = coraid_repository_key

Table 1.2. Description of Coraid AoE driver configuration options

Configuration option = Default value | Description
[DEFAULT]
coraid_esm_address = | (StrOpt) IP address of Coraid ESM
coraid_group = admin | (StrOpt) Name of group on Coraid ESM to which coraid_user belongs (must have admin privilege)
coraid_password = password | (StrOpt) Password to connect to Coraid ESM
coraid_repository_key = coraid_repository | (StrOpt) Volume Type key name to store ESM Repository Name
coraid_user = admin | (StrOpt) User name to connect to Coraid ESM

Access to storage devices and storage repositories can be controlled using Access Control Groups configured in ESM. Configuring cinder.conf to log on to ESM as the SAN administrator (user name admin) grants full access to the devices and repositories configured in ESM.
Optionally, you can configure an ESM Access Control Group and user. Then use the cinder.conf file to configure access to the ESM through that group and user; this limits access from the OpenStack instance to the devices and storage repositories that are defined in the group.
To manage access to the SAN by using Access Control Groups, you must enable the Use Access Control setting in the ESM System Setup > Security screen.
For more information, see the ESM Online Help.

Create and associate a volume type


Create a volume type and associate it with the ESM storage repository.

1. Restart Cinder.

# service openstack-cinder-api restart
# service openstack-cinder-scheduler restart
# service openstack-cinder-volume restart

2. Create a volume type.

$ cinder type-create volume_type_name

where volume_type_name is the name you assign the volume type. You will see output similar to the following:

+--------------------------------------+-------------+
|                  ID                  |     Name    |
+--------------------------------------+-------------+
| 7fa6b5ab-3e20-40f0-b773-dd9e16778722 | JBOD-SAS600 |
+--------------------------------------+-------------+

Record the value in the ID field; you use this value in the next step.

3. Associate the volume type with the Storage Repository.

# cinder type-key UUID set coraid_repository_key=FQRN

Variable | Description
UUID | The ID returned from the cinder type-create command. You can use the cinder type-list command to recover the ID.
coraid_repository_key | The key name used to associate the Cinder volume type with the ESM in the cinder.conf file. If no key name was defined, this is the default value, coraid_repository.
FQRN | The FQRN recorded during the Create Storage Repository process.
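
A check for the two values that go into the cinder type-key command above, added here as an example that is not part of the original guide: it parses an FQRN according to the syntax given in this section and applies the ESM name rule (alphanumeric, underscore, hyphen, at most 32 characters). The function names, and the assumption that the two storage-class names are plain letters as in Bronze-Platinum, belong to this example.

```python
import re
import uuid

# Rule given above for Storage Profile and Storage Repository names.
NAME_RE = re.compile(r"[A-Za-z0-9_-]{1,32}")
# Assumption of this example: class names are plain letters ("Bronze").
CLASS_RE = re.compile(r"[A-Za-z]+")


def parse_fqrn(fqrn):
    """Split an FQRN into its four parts, or raise ValueError."""
    fields = fqrn.split(":")
    if len(fields) != 3:
        raise ValueError("expected class:profile_name:repository_name")
    storage_class, profile, repository = fields
    performance, dash, availability = storage_class.partition("-")
    if (not dash or not CLASS_RE.fullmatch(performance)
            or not CLASS_RE.fullmatch(availability)):
        raise ValueError(
            "storage class must be performance_class-availability_class")
    for label, name in (("profile", profile), ("repository", repository)):
        # fullmatch, not match: a trailing newline or any extra character
        # pasted along with the value must fail the check.
        if not NAME_RE.fullmatch(name):
            raise ValueError("%s name breaks the ESM name rule: %r"
                             % (label, name))
    return {
        "performance_class": performance,
        "availability_class": availability,
        "profile_name": profile,
        "repository_name": repository,
    }


def type_key_argv(type_id, fqrn, key="coraid_repository"):
    """Build the cinder type-key call as an argument list (no shell)."""
    # uuid.UUID also accepts braces and urn: prefixes, so compare against
    # the canonical form that cinder type-create prints.
    if str(uuid.UUID(type_id)) != type_id.lower():
        raise ValueError("type ID is not a canonical UUID: %r" % type_id)
    parse_fqrn(fqrn)
    return ["cinder", "type-key", type_id, "set", "%s=%s" % (key, fqrn)]


if __name__ == "__main__":
    print(type_key_argv("7fa6b5ab-3e20-40f0-b773-dd9e16778722",
                        "Bronze-Platinum:BP1000:OSTest"))
```

The returned list can be passed to subprocess.run() as is, so the FQRN never passes through a shell.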

Dell EqualLogic volume driver


The Dell EqualLogic volume driver interacts with configured EqualLogic arrays and supports
various operations.

Supported operations
Create, delete, attach, and detach volumes.
Create, list, and delete volume snapshots.
Clone a volume.
The OpenStack Block Storage service supports:
Multiple instances of Dell EqualLogic Groups or Dell EqualLogic Group Storage Pools and
multiple pools on a single array.
Multiple instances of Dell EqualLogic Groups or Dell EqualLogic Group Storage Pools or
multiple pools on a single array.
The Dell EqualLogic volume driver's ability to access the EqualLogic Group is dependent upon the generic block storage driver's SSH settings in the /etc/cinder/cinder.conf file (see the section called "Block Storage sample configuration files" for reference).

Table 1.3. Description of Dell EqualLogic volume driver configuration options

Configuration option = Default value | Description
[DEFAULT]
eqlx_chap_login = admin | (StrOpt) Existing CHAP account name
eqlx_chap_password = password | (StrOpt) Password for specified CHAP account name
eqlx_cli_max_retries = 5 | (IntOpt) Maximum retry count for reconnection
eqlx_cli_timeout = 30 | (IntOpt) Timeout for the Group Manager cli command execution
eqlx_group_name = group-0 | (StrOpt) Group name to use for creating volumes
eqlx_pool = default | (StrOpt) Pool in which volumes will be created
eqlx_use_chap = False | (BoolOpt) Use CHAP authentication for targets?

The following sample /etc/cinder/cinder.conf configuration lists the relevant settings for a typical Block Storage service using a single Dell EqualLogic Group:

Example 1.1. Default (single-instance) configuration

[DEFAULT]
#Required settings
volume_driver = cinder.volume.drivers.eqlx.DellEQLSanISCSIDriver
san_ip = IP_EQLX
san_login = SAN_UNAME
san_password = SAN_PW
eqlx_group_name = EQLX_GROUP
eqlx_pool = EQLX_POOL
#Optional settings
san_thin_provision = true|false
eqlx_use_chap = true|false
eqlx_chap_login = EQLX_UNAME
eqlx_chap_password = EQLX_PW
eqlx_cli_timeout = 30
eqlx_cli_max_retries = 5
san_ssh_port = 22
ssh_conn_timeout = 30
san_private_key = SAN_KEY_PATH
ssh_min_pool_conn = 1
ssh_max_pool_conn = 5

In this example, replace the following variables accordingly:

IP_EQLX
    The IP address used to reach the Dell EqualLogic Group through SSH. This field has no default value.

SAN_UNAME
    The user name to login to the Group manager via SSH at the san_ip. Default user name is grpadmin.

SAN_PW
    The corresponding password of SAN_UNAME. Not used when san_private_key is set. Default password is password.

EQLX_GROUP
    The group to be used for a pool where the Block Storage service will create volumes and snapshots. Default group is group-0.

EQLX_POOL
    The pool where the Block Storage service will create volumes and snapshots. Default pool is default. This option cannot be used for multiple pools utilized by the Block Storage service on a single Dell EqualLogic Group.

EQLX_UNAME
    The CHAP login account for each volume in a pool, if eqlx_use_chap is set to true. Default account name is chapadmin.

EQLX_PW
    The corresponding password of EQLX_UNAME. The default password is randomly generated in hexadecimal, so you must set this password manually.

SAN_KEY_PATH (optional)
    The filename of the private key used for SSH authentication. This provides password-less login to the EqualLogic Group. Not used when san_password is set. There is no default value.
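
The Coraid and EqualLogic sections above document default account names and passwords (admin, password), a CHAP switch that is off by default, and the full access that comes with logging on to ESM as admin. The following added example, which is not part of the original guide, audits a cinder.conf for exactly those documented values; the function names, the finding texts and the constructed sample file are assumptions of this example.

```python
import configparser

# Defaults documented in the tables and variable list above. The page gives
# two different defaults for eqlx_chap_login (admin and chapadmin).
DOCUMENTED_DEFAULTS = {
    "coraid_password": {"password"},
    "san_password": {"password"},
    "eqlx_chap_login": {"admin", "chapadmin"},
    "eqlx_chap_password": {"password"},
}

# Constructed sample, not taken from a real deployment.
SAMPLE_CONF = """\
[DEFAULT]
enabled_backends = coraid-1, eqlx-1, eqlx-2

[coraid-1]
volume_driver = cinder.volume.drivers.coraid.CoraidDriver
coraid_esm_address = 192.0.2.10
coraid_user = admin
coraid_group = admin
coraid_password = password

[eqlx-1]
volume_driver = cinder.volume.drivers.eqlx.DellEQLSanISCSIDriver
san_ip = 192.0.2.20
san_login = grpadmin
san_password = password

[eqlx-2]
volume_driver = cinder.volume.drivers.eqlx.DellEQLSanISCSIDriver
san_ip = 192.0.2.21
san_login = cinder-svc
san_private_key = /etc/cinder/eqlx_id_rsa
eqlx_use_chap = true
eqlx_chap_login = cinder-chap
eqlx_chap_password = constructed-Chap-Secret-1
"""


def _is_default(section, option, unset_counts=True):
    """True if the option holds a documented default, or is unset and the
    documented default would therefore apply."""
    value = section.get(option)
    if value is None:
        return unset_counts
    return value.strip() in DOCUMENTED_DEFAULTS[option]


def _is_true(value):
    return value.strip().lower() in ("1", "true", "yes", "on")


def audit_cinder_conf(text):
    """Return sorted (section, option, message) findings."""
    # default_section is renamed so that [DEFAULT] is read as an ordinary
    # section; interpolation is off because passwords may contain '%'.
    parser = configparser.ConfigParser(interpolation=None, strict=False,
                                       default_section="__unused__")
    parser.read_string(text)
    findings = []
    for name in parser.sections():
        sec = parser[name]
        driver = sec.get("volume_driver", "")
        if driver.endswith("coraid.CoraidDriver"):
            if sec.get("coraid_user", "admin").strip() == "admin":
                findings.append((name, "coraid_user",
                                 "logs on to ESM as SAN administrator: full "
                                 "access to all devices and repositories"))
            if _is_default(sec, "coraid_password"):
                findings.append((name, "coraid_password",
                                 "documented default password in use"))
        elif driver.endswith("eqlx.DellEQLSanISCSIDriver"):
            # san_password is not used when san_private_key is set.
            if "san_private_key" not in sec and _is_default(
                    sec, "san_password", unset_counts=False):
                findings.append((name, "san_password",
                                 "documented default password in use"))
            if not _is_true(sec.get("eqlx_use_chap", "false")):
                findings.append((name, "eqlx_use_chap",
                                 "CHAP authentication for targets is off"))
            else:
                for opt in ("eqlx_chap_login", "eqlx_chap_password"):
                    if _is_default(sec, opt):
                        findings.append((name, opt,
                                         "documented default value in use"))
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit_cinder_conf(SAMPLE_CONF):
        print("[%s] %s: %s" % finding)
```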

EMC VMAX iSCSI and FC drivers


The EMC VMAX drivers, EMCVMAXISCSIDriver and EMCVMAXFCDriver, support the use
of EMC VMAX storage arrays under OpenStack Block Storage. They both provide equivalent functions and differ only in support for their respective host attachment methods.
The drivers perform volume operations by communicating with the backend VMAX storage. They use a CIM client in Python called PyWBEM to perform CIM operations over HTTP.
The EMC CIM Object Manager (ECOM) is packaged with the EMC SMI-S provider. It is a CIM
server that enables CIM clients to perform CIM operations over HTTP by using SMI-S in the
back-end for VMAX storage operations.
The EMC SMI-S Provider supports the SNIA Storage Management Initiative (SMI), an ANSI
standard for storage management. It supports the VMAX storage system.

System requirements
EMC SMI-S Provider V4.6.2.8 and higher is required. You can download SMI-S from EMC's support web site (login is required). See the EMC SMI-S Provider release notes for installation instructions.
EMC storage VMAX Family is supported.

Supported operations
VMAX drivers support these operations:
Create, delete, attach, and detach volumes.
Create, list, and delete volume snapshots.
Copy an image to a volume.
Copy a volume to an image.
Clone a volume.
Extend a volume.
Retype a volume.
Create a volume from a snapshot.
VMAX drivers also support the following features:
FAST automated storage tiering policy.
Dynamic masking view creation.
Striped volume creation.

Install the python-pywbem package


Install the python-pywbem package for your distribution, as follows:
On Ubuntu:
# apt-get install python-pywbem

On openSUSE:
# zypper install python-pywbem

On Fedora:
# yum install pywbem

Set up SMI-S
You can install SMI-S on a non-OpenStack host. Supported platforms include different flavors of Windows, Red Hat, and SUSE Linux. SMI-S can be installed on a physical server or a VM hosted by an ESX server. Note that the supported hypervisor for a VM running SMI-S is ESX only. See the EMC SMI-S Provider release notes for more information on supported platforms and installation instructions.

Note
You must discover storage arrays on the SMI-S server before you can use the
VMAX drivers. Follow instructions in the SMI-S release notes.
SMI-S is usually installed at /opt/emc/ECIM/ECOM/bin on Linux and C:\Program
Files\EMC\ECIM\ECOM\bin on Windows. After you install and configure SMI-S, go to
that directory and type TestSmiProvider.exe.
Use addsys in TestSmiProvider.exe to add an array. Use dv and examine the output after
the array is added. Make sure that the arrays are recognized by the SMI-S server before using the EMC VMAX drivers.

cinder.conf configuration file


Make the following changes in /etc/cinder/cinder.conf.
Add the following entries, where 10.10.61.45 is the IP address of the VMAX iSCSI target:
enabled_backends = CONF_GROUP_ISCSI, CONF_GROUP_FC
[CONF_GROUP_ISCSI]
iscsi_ip_address = 10.10.61.45
volume_driver = cinder.volume.drivers.emc.emc_vmax_iscsi.EMCVMAXISCSIDriver
cinder_emc_config_file = /etc/cinder/cinder_emc_config_CONF_GROUP_ISCSI.xml
volume_backend_name=ISCSI_backend
[CONF_GROUP_FC]
volume_driver = cinder.volume.drivers.emc.emc_vmax_fc.EMCVMAXFCDriver
cinder_emc_config_file = /etc/cinder/cinder_emc_config_CONF_GROUP_FC.xml
volume_backend_name=FC_backend

In this example, two backend configuration groups are enabled: CONF_GROUP_ISCSI and CONF_GROUP_FC. Each configuration group has a section describing unique parameters for connections, drivers, the volume_backend_name, and the name of the EMC-specific configuration file containing additional settings. Note that the file name is in the format /etc/cinder/cinder_emc_config_[confGroup].xml.
Once the cinder.conf and EMC-specific configuration files have been created, cinder commands need to be issued in order to create and associate OpenStack volume types with the declared volume_backend_names:

$ cinder type-create VMAX_ISCSI
$ cinder type-key VMAX_ISCSI set volume_backend_name=ISCSI_backend
$ cinder type-create VMAX_FC
$ cinder type-key VMAX_FC set volume_backend_name=FC_backend

By issuing these commands, the Block Storage volume type VMAX_ISCSI is associated with the ISCSI_backend, and the type VMAX_FC is associated with the FC_backend.
Restart the cinder-volume service.

cinder_emc_config_CONF_GROUP_ISCSI.xml configuration file


Create the /etc/cinder/cinder_emc_config_CONF_GROUP_ISCSI.xml file. You
do not need to restart the service for this change.
Add the following lines to the XML file:


<?xml version="1.0" encoding="UTF-8" ?>
<EMC>
  <EcomServerIp>1.1.1.1</EcomServerIp>
  <EcomServerPort>00</EcomServerPort>
  <EcomUserName>user1</EcomUserName>
  <EcomPassword>password1</EcomPassword>
  <PortGroups>
    <PortGroup>OS-PORTGROUP1-PG</PortGroup>
    <PortGroup>OS-PORTGROUP2-PG</PortGroup>
  </PortGroups>
  <Array>111111111111</Array>
  <Pool>FC_GOLD1</Pool>
  <FastPolicy>GOLD1</FastPolicy>
</EMC>

Where:

EcomServerIp and EcomServerPort are the IP address and port number of the ECOM server which is packaged with SMI-S.

EcomUserName and EcomPassword are credentials for the ECOM server.

PortGroups supplies the names of VMAX port groups that have been pre-configured to expose volumes managed by this backend. Each supplied port group should have a sufficient number and distribution of ports (across directors and switches) to ensure adequate bandwidth and failure protection for the volume connections. PortGroups can contain one or more port groups of either iSCSI or FC ports. When a dynamic masking view is created by the VMAX driver, the port group is chosen randomly from the PortGroup list, to evenly distribute load across the set of groups provided. Make sure that the PortGroups set contains either all FC or all iSCSI port groups (for a given backend), as appropriate for the configured driver (iSCSI or FC).

The Array tag holds the unique VMAX array serial number.

The Pool tag holds the unique pool name within a given array. For backends not using FAST automated tiering, the pool is a single pool that has been created by the administrator. For backends exposing FAST policy automated tiering, the pool is the bind pool to be used with the FAST policy.

The FastPolicy tag conveys the name of the FAST Policy to be used. By including this tag, volumes managed by this backend are treated as under FAST control. Omitting the FastPolicy tag means FAST is not enabled on the provided storage pool.
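
The cinder.conf groups and the per-group XML files described above have to agree with each other: every name in enabled_backends needs its own section, a file named cinder_emc_config_[confGroup].xml, and an XML document carrying the listed tags. The following added example, which is not part of the original guide, checks that consistency. The function names are this example's own, the XML documents are passed in as strings keyed by path so that it runs without touching /etc/cinder, and treating every tag except FastPolicy as required is an assumption drawn from the description above.

```python
import configparser
import xml.etree.ElementTree as ET

# Assumption: every tag shown above except FastPolicy must be non-empty.
REQUIRED_TAGS = ("EcomServerIp", "EcomServerPort", "EcomUserName",
                 "EcomPassword", "Array", "Pool")
VMAX_DRIVERS = ("emc_vmax_iscsi.EMCVMAXISCSIDriver",
                "emc_vmax_fc.EMCVMAXFCDriver")

# Constructed inputs modelled on the samples above; the FC group
# deliberately points at a file that does not follow the naming format.
SAMPLE_CONF = """\
[DEFAULT]
enabled_backends = CONF_GROUP_ISCSI, CONF_GROUP_FC

[CONF_GROUP_ISCSI]
iscsi_ip_address = 10.10.61.45
volume_driver = cinder.volume.drivers.emc.emc_vmax_iscsi.EMCVMAXISCSIDriver
cinder_emc_config_file = /etc/cinder/cinder_emc_config_CONF_GROUP_ISCSI.xml
volume_backend_name = ISCSI_backend

[CONF_GROUP_FC]
volume_driver = cinder.volume.drivers.emc.emc_vmax_fc.EMCVMAXFCDriver
cinder_emc_config_file = /etc/cinder/cinder_emc_config_FC.xml
volume_backend_name = FC_backend
"""
SAMPLE_XML = """\
<?xml version="1.0" encoding="UTF-8" ?>
<EMC>
  <EcomServerIp>1.1.1.1</EcomServerIp>
  <EcomServerPort>00</EcomServerPort>
  <EcomUserName>user1</EcomUserName>
  <EcomPassword>password1</EcomPassword>
  <PortGroups>
    <PortGroup>OS-PORTGROUP1-PG</PortGroup>
    <PortGroup>OS-PORTGROUP2-PG</PortGroup>
  </PortGroups>
  <Array>111111111111</Array>
  <Pool>FC_GOLD1</Pool>
</EMC>
"""


def check_emc_xml(xml_text):
    """Return a list of problems found in one EMC-specific XML file."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return ["not well-formed XML: %s" % exc]
    problems = []
    if root.tag != "EMC":
        problems.append("root element is <%s>, not <EMC>" % root.tag)
    for tag in REQUIRED_TAGS:
        if not (root.findtext(tag) or "").strip():
            problems.append("<%s> is missing or empty" % tag)
    port = (root.findtext("EcomServerPort") or "").strip()
    if port and not (port.isdigit() and 1 <= int(port) <= 65535):
        problems.append("<EcomServerPort> %r is not a usable TCP port" % port)
    groups = [(g.text or "").strip()
              for g in root.findall("PortGroups/PortGroup")]
    if not any(groups):
        problems.append("<PortGroups> lists no port group")
    return problems


def check_vmax_backends(conf_text, xml_files):
    """Cross-check enabled_backends, the group sections and the XML files.

    xml_files maps a config file path to its XML text.
    """
    parser = configparser.ConfigParser(interpolation=None, strict=False,
                                       default_section="__unused__")
    parser.read_string(conf_text)
    enabled = parser.get("DEFAULT", "enabled_backends", fallback="")
    problems = []
    for group in (g.strip() for g in enabled.split(",") if g.strip()):
        if not parser.has_section(group):
            problems.append(
                (group, "listed in enabled_backends but has no section"))
            continue
        sec = parser[group]
        driver = sec.get("volume_driver", "")
        if not driver.endswith(VMAX_DRIVERS):
            continue  # not a VMAX back end
        if driver.endswith(VMAX_DRIVERS[0]) and "iscsi_ip_address" not in sec:
            problems.append((group, "iscsi_ip_address is not set"))
        if not sec.get("volume_backend_name"):
            problems.append((group, "volume_backend_name is not set"))
        expected = "/etc/cinder/cinder_emc_config_%s.xml" % group
        path = sec.get("cinder_emc_config_file")
        if path != expected:
            problems.append((group, "cinder_emc_config_file is %r, "
                             "expected %r" % (path, expected)))
        if path not in xml_files:
            problems.append((group, "%r was not supplied" % path))
        else:
            problems.extend((group, p) for p in check_emc_xml(xml_files[path]))
    return problems
```

Run against the constructed inputs, the check reports the placeholder port 00 in the iSCSI file and the misnamed, missing file for the FC group.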

FC Zoning with VMAX


Zone Manager is recommended when using the VMAX FC driver, especially for larger configurations where pre-zoning would be too complex and open-zoning would raise security
concerns.

iSCSI with VMAX


Make sure the iscsi-initiator-utils package is installed on the host (use apt-get, zypper, or yum, depending on Linux flavor).
Verify that the host is able to ping the VMAX iSCSI target ports.

Set up the VMAX drivers


Procedure 1.1. To set up the EMC VMAX drivers

1. Install the python-pywbem package for your distribution. See the section called "Install the python-pywbem package".

2. Download SMI-S from PowerLink and install it. Add your VMAX arrays to SMI-S. For information, see the section called "Set up SMI-S" and the SMI-S release notes.

3. Change configuration files. See the section called "cinder.conf configuration file" and the section called "cinder_emc_config_CONF_GROUP_ISCSI.xml configuration file".

4. Configure connectivity. For FC driver, see the section called "FC Zoning with VMAX". For iSCSI driver, see the section called "iSCSI with VMAX".

VMAX masking view and group naming info


Masking view names
Masking views are dynamically created by the VMAX FC and iSCSI drivers using the following naming conventions:
OS-[shortHostName][poolName]-I-MV (for Masking Views using iSCSI)
OS-[shortHostName][poolName]-F-MV (for Masking Views using FC)

Initiator group names


For each host that is attached to VMAX volumes using the drivers, an initiator group is created or re-used (per attachment type). All initiators of the appropriate type known for that
host are included in the group. At each new attach volume operation, the VMAX driver
retrieves the initiators (either WWNNs or IQNs) from OpenStack and adds or updates the
contents of the Initiator Group as required. Names are of the following format:
OS-[shortHostName]-I-IG (for iSCSI initiators)
OS-[shortHostName]-F-IG (for Fibre Channel initiators)

Note
Hosts attaching to VMAX storage managed by the OpenStack environment
cannot also be attached to storage on the same VMAX not being managed by
OpenStack. This is due to limitations on VMAX Initiator Group membership.

FA port groups
VMAX array FA ports to be used in a new masking view are chosen from the list provided in
the EMC configuration file.

Storage group names


As volumes are attached to a host, they are either added to an existing storage group (if
it exists) or a new storage group is created and the volume is then added. Storage groups
contain volumes created from a pool (either single-pool or FAST-controlled), attached to a
single host, over a single connection type (iSCSI or FC). Names are formed:
OS-[shortHostName][poolName]-I-SG (attached over iSCSI)
OS-[shortHostName][poolName]-F-SG (attached over Fibre Channel)

Concatenated or striped volumes


In order to support later expansion of created volumes, the VMAX Block Storage drivers
create concatenated volumes as the default layout. If later expansion is not required, users
can opt to create striped volumes in order to optimize I/O performance.
Below is an example of how to create striped volumes. First, create a volume type. Then define the extra spec for the volume type storagetype:stripecount representing the
number of meta members in the striped volume. The example below means that each volume created under the GoldStriped volume type will be striped and made up of 4 meta
members.
$ cinder type-create GoldStriped
$ cinder type-key GoldStriped set volume_backend_name=GOLD_BACKEND
$ cinder type-key GoldStriped set storagetype:stripecount=4

EMC VNX direct driver


Use the EMC VNX direct driver to create, attach, detach, and delete volumes, create and
delete snapshots, and so on. This driver is based on the Cinder-defined ISCSIDriver driver.
To complete volume operations, the driver uses the NaviSec command-line interface (CLI)
to communicate with back-end EMC VNX storage.

System requirements
Flare version 5.32 or later.
You must activate VNX Snapshot and Thin Provisioning license for the array. Ensure that
all the iSCSI ports from the VNX are accessible through OpenStack hosts.
Navisphere CLI v7.32 or later.
EMC storage VNX Series are supported.

Supported operations
Create, delete, attach, and detach volumes.
Create, list, and delete volume snapshots.
Create a volume from a snapshot.
Copy an image to a volume.


Copy a volume to an image.
Clone a volume.
Extend a volume.

Set up the VNX direct driver


Complete these high-level tasks to set up the VNX direct driver:
1. Install NaviSecCLI. You must install the NaviSecCLI tool on the controller node and all the Cinder nodes in an OpenStack deployment. See the section called "Install NaviSecCLI".
2. Register with VNX. See the section called "Register with VNX".

Install NaviSecCLI
On Ubuntu x64, download the NaviSecCLI deb package from EMC's OpenStack GitHub web
site.
For all the other variants of Linux, download the NaviSecCLI rpm package from EMC's support web site for VNX2 series or VNX1 series. Login is required.

Register with VNX


To export a VNX volume to a compute node or a volume node, you must register the node
with VNX.

Procedure 1.2. To register the node

1. On the compute node or volume node 1.1.1.1, do the following (assume 10.10.61.35 is the iSCSI target):

# /etc/init.d/open-iscsi start
# iscsiadm -m discovery -t st -p 10.10.61.35
# cd /etc/iscsi
# more initiatorname.iscsi
# iscsiadm -m node

2. Log in to VNX from the node using the target corresponding to the SPA port:

# iscsiadm -m node -T iqn.1992-04.com.emc:cx.apm01234567890.a0 -p 10.10.61.35 -l

Where iqn.1992-04.com.emc:cx.apm01234567890.a0 is the initiator name of the node. Log in to Unisphere, go to VNX00000->Hosts->Initiators, Refresh and wait until initiator iqn.1992-04.com.emc:cx.apm01234567890.a0 with SP Port A-8v0 appears.

3. Click Register, select CLARiiON/VNX, and enter the host name myhost1 and IP address myhost1. Click Register. Now host 1.1.1.1 also appears under Hosts->Host List.

4. Log out of VNX on the node:

# iscsiadm -m node -u

5. Log in to VNX from the node using the target corresponding to the SPB port:

# iscsiadm -m node -T iqn.1992-04.com.emc:cx.apm01234567890.b8 -p 10.10.10.11 -l

6. In Unisphere register the initiator with the SPB port.

7. Log out:

# iscsiadm -m node -u

cinder.conf configuration file


Make the following changes in /etc/cinder/cinder.conf.
For the VNX iSCSI driver, add the following entries, where 10.10.61.35 is the IP address of the VNX iSCSI target, 10.10.72.41 is the IP address of the VNX array (SPA
or SPB), default_timeout is the default time out for CLI operations in minutes, and
max_luns_per_storage_group is the default max number of LUNs in a storage group:
iscsi_ip_address = 10.10.61.35
san_ip = 10.10.72.41
san_login = global_username
san_password = password
naviseccli_path = /opt/Navisphere/bin/naviseccli
storage_vnx_pool_name = poolname
default_timeout = 10
max_luns_per_storage_group=256
volume_driver=cinder.volume.drivers.emc.emc_cli_iscsi.EMCCLIISCSIDriver

Note
To find out max_luns_per_storage_group for each VNX model, refer to
EMC's support web site (login is required).
Restart the cinder-volume service.

Volume type support


Volume type support allows the user to choose thick or thin provisioning capabilities.
Here is an example of how to set up volume types. First create the volume types. Then define extra specs for each volume type.

Procedure 1.3. To set up volume types

1. Set up volume types:

$ cinder type-create "TypeA"
$ cinder type-create "TypeB"

2. Set up volume type extra specs:

$ cinder type-key "TypeA" set storagetype:provisioning=thick
$ cinder type-key "TypeB" set storagetype:provisioning=thin

The previous example creates two volume types: TypeA and TypeB. For TypeA, storagetype:provisioning is set to thick. Similarly for TypeB, storagetype:provisioning is set to thin. If storagetype:provisioning is not specified, it defaults to thick.

GlusterFS driver
GlusterFS is an open-source scalable distributed file system that is able to grow to petabytes
and beyond in size. More information can be found on Gluster's homepage.
This driver enables the use of GlusterFS in a similar fashion as NFS. It supports basic volume
operations, including snapshot/clone.

Note
You must use a Linux kernel of version 3.4 or greater (or version 2.6.32 or
greater in Red Hat Enterprise Linux/CentOS 6.3+) when working with Gluster-based volumes. See Bug 1177103 for more information.
To use Block Storage with GlusterFS, first set the volume_driver in cinder.conf:
volume_driver=cinder.volume.drivers.glusterfs.GlusterfsDriver

The following table contains the configuration options supported by the GlusterFS driver.

Table 1.4. Description of GlusterFS storage configuration options

Configuration option = Default value | Description
[DEFAULT]
glusterfs_mount_point_base = $state_path/mnt | (StrOpt) Base dir containing mount points for gluster shares.
glusterfs_qcow2_volumes = False | (BoolOpt) Create volumes as QCOW2 files rather than raw files.
glusterfs_shares_config = /etc/cinder/glusterfs_shares | (StrOpt) File with the list of available gluster shares
glusterfs_sparsed_volumes = True | (BoolOpt) Create volumes as sparsed files which take no space. If set to False volume is created as regular file. In such case volume creation takes a lot of time.

HDS HNAS iSCSI and NFS driver


This Block Storage volume driver provides iSCSI and NFS support for HNAS (Hitachi Network-attached Storage) arrays such as the HNAS 3000 and 4000 family.

System requirements
Use the HDS ssc command to communicate with an HNAS array. This utility package is available in the physical media distributed with the hardware or it can be copied from the SMU
(/usr/local/bin/ssc).
Platform: Ubuntu 12.04 LTS or newer.

Supported operations
The base NFS driver combined with the HNAS driver extensions support these operations:
Create, delete, attach, and detach volumes.
Create, list, and delete volume snapshots.
Create a volume from a snapshot.
Copy an image to a volume.
Copy a volume to an image.
Clone a volume.
Extend a volume.
Get volume statistics.

Configuration
The HDS driver supports the concept of differentiated services (also referred to as quality of
service) by mapping volume types to services provided through HNAS. HNAS supports a variety of storage options and file system capabilities which are selected through volume typing and the use of multiple back-ends. The HDS driver maps up to 4 volume types into separate exports/filesystems, and can support any number using multiple back-ends.
Configuration is read from an XML-formatted file (one per backend). Examples are shown
for single and multi back-end cases.

Note
Configuration is read from an XML file. This example shows the configuration
for single back-end and for multi-back-end cases.
The default volume type needs to be set in the configuration file. If there is no
default volume type, only matching volume types will work.

Table 1.5. Description of HDS HNAS iSCSI and NFS driver configuration options

Configuration option = Default value | Description
[DEFAULT]
hds_hnas_iscsi_config_file = /opt/hds/hnas/cinder_iscsi_conf.xml | (StrOpt) Configuration file for HDS iSCSI cinder plugin
hds_hnas_nfs_config_file = /opt/hds/hnas/cinder_nfs_conf.xml | (StrOpt) Configuration file for HDS NFS cinder plugin

HNAS setup
Before using iSCSI and NFS services, use the HNAS Web Interface to create storage pool(s),
filesystem(s), and assign an EVS. For NFS, NFS exports should be created. For iSCSI, a SCSI
Domain needs to be set.

Single back-end
In a single back-end deployment, only one OpenStack Block Storage instance runs on the
OpenStack Block Storage server and controls one HNAS array: this deployment requires
these configuration files:
1. Set the hds_hnas_iscsi_config_file option in the /etc/cinder/cinder.conf file to use the HNAS iSCSI volume driver, or the hds_hnas_nfs_config_file option to use the HNAS NFS driver. This option points to a configuration file (see footnote 1).
For HNAS iSCSI driver:
volume_driver = cinder.volume.drivers.hds.iscsi.HDSISCSIDriver
hds_hnas_iscsi_config_file = /opt/hds/hnas/cinder_iscsi_conf.xml

For HNAS NFS driver:


volume_driver = cinder.volume.drivers.hds.nfs.HDSNFSDriver
hds_hnas_nfs_config_file = /opt/hds/hnas/cinder_nfs_conf.xml

2. For HNAS iSCSI, configure hds_hnas_iscsi_config_file at the location specified previously. For example, /opt/hds/hnas/cinder_iscsi_conf.xml:
<?xml version="1.0" encoding="UTF-8" ?>
<config>
<mgmt_ip0>172.17.44.16</mgmt_ip0>
<hnas_cmd>ssc</hnas_cmd>
<chap_enabled>True</chap_enabled>
<username>supervisor</username>
<password>supervisor</password>
<svc_0>
<volume_type>default</volume_type>
<iscsi_ip>172.17.39.132</iscsi_ip>
<hdp>fs-01</hdp>
</svc_0>
</config>

For HNAS NFS, configure hds_hnas_nfs_config_file at the location specified previously. For example, /opt/hds/hnas/cinder_nfs_conf.xml:
<?xml version="1.0" encoding="UTF-8" ?>
<config>
<mgmt_ip0>172.17.44.16</mgmt_ip0>
<hnas_cmd>ssc</hnas_cmd>
<username>supervisor</username>
<password>supervisor</password>
<chap_enabled>False</chap_enabled>
<svc_0>
<volume_type>default</volume_type>
<hdp>172.17.44.100:/virtual-01</hdp>
</svc_0>
</config>

Up to 4 service stanzas can be included in the XML file; named svc_0, svc_1, svc_2 and
svc_3. Additional services can be enabled using multi-backend as described below.
Footnote 1: The configuration file location may differ.


Multi back-end
In a multi back-end deployment, more than one OpenStack Block Storage instance runs on
the same server. In this example, two HNAS arrays are used, possibly providing different
storage performance:
1. For HNAS iSCSI, configure /etc/cinder/cinder.conf: the hnas1 and hnas2 configuration blocks are created. Set the hds_hnas_iscsi_config_file option to point to a unique configuration file for each block. Set the volume_driver option for each back-end to cinder.volume.drivers.hds.iscsi.HDSISCSIDriver.
enabled_backends=hnas1,hnas2
[hnas1]
volume_driver = cinder.volume.drivers.hds.iscsi.HDSISCSIDriver
hds_hnas_iscsi_config_file = /opt/hds/hnas/cinder_iscsi1_conf.xml
volume_backend_name=hnas-1
[hnas2]
volume_driver = cinder.volume.drivers.hds.iscsi.HDSISCSIDriver
hds_hnas_iscsi_config_file = /opt/hds/hnas/cinder_iscsi2_conf.xml
volume_backend_name=hnas-2

2. Configure the /opt/hds/hnas/cinder_iscsi1_conf.xml file:


<?xml version="1.0" encoding="UTF-8" ?>
<config>
<mgmt_ip0>172.17.44.16</mgmt_ip0>
<hnas_cmd>ssc</hnas_cmd>
<chap_enabled>True</chap_enabled>
<username>supervisor</username>
<password>supervisor</password>
<svc_0>
<volume_type>regular</volume_type>
<iscsi_ip>172.17.39.132</iscsi_ip>
<hdp>fs-01</hdp>
</svc_0>
</config>

3. Configure the /opt/hds/hnas/cinder_iscsi2_conf.xml file:


<?xml version="1.0" encoding="UTF-8" ?>
<config>
<mgmt_ip0>172.17.44.20</mgmt_ip0>
<hnas_cmd>ssc</hnas_cmd>
<chap_enabled>True</chap_enabled>
<username>supervisor</username>
<password>supervisor</password>
<svc_0>
<volume_type>platinum</volume_type>
<iscsi_ip>172.17.30.130</iscsi_ip>
<hdp>fs-02</hdp>
</svc_0>
</config>

1. For NFS, configure /etc/cinder/cinder.conf: the hnas1 and hnas2 configuration blocks are created. Set the hds_hnas_nfs_config_file option to point to a unique configuration file for each block. Set the volume_driver option for each back-end to cinder.volume.drivers.hds.nfs.HDSNFSDriver.


enabled_backends=hnas1,hnas2
[hnas1]
volume_driver = cinder.volume.drivers.hds.nfs.HDSNFSDriver
hds_hnas_nfs_config_file = /opt/hds/hnas/cinder_nfs1_conf.xml
volume_backend_name=hnas-1
[hnas2]
volume_driver = cinder.volume.drivers.hds.nfs.HDSNFSDriver
hds_hnas_nfs_config_file = /opt/hds/hnas/cinder_nfs2_conf.xml
volume_backend_name=hnas-2

2. Configure the /opt/hds/hnas/cinder_nfs1_conf.xml file:


<?xml version="1.0" encoding="UTF-8" ?>
<config>
<mgmt_ip0>172.17.44.16</mgmt_ip0>
<hnas_cmd>ssc</hnas_cmd>
<username>supervisor</username>
<password>supervisor</password>
<chap_enabled>False</chap_enabled>
<svc_0>
<volume_type>regular</volume_type>
<hdp>172.17.44.100:/virtual-01</hdp>
</svc_0>
</config>

3. Configure the /opt/hds/hnas/cinder_nfs2_conf.xml file:


<?xml version="1.0" encoding="UTF-8" ?>
<config>
<mgmt_ip0>172.17.44.20</mgmt_ip0>
<hnas_cmd>ssc</hnas_cmd>
<username>supervisor</username>
<password>supervisor</password>
<chap_enabled>False</chap_enabled>
<svc_0>
<volume_type>platinum</volume_type>
<hdp>172.17.44.100:/virtual-02</hdp>
</svc_0>
</config>

Type extra specs: volume_backend and volume type


If you use volume types, you must configure them in the configuration file and set the
volume_backend_name option to the appropriate back-end. In the previous multi backend example, the platinum volume type is served by hnas-2, and the regular volume
type is served by hnas-1.
cinder type-key regular set volume_backend_name=hnas-1
cinder type-key platinum set volume_backend_name=hnas-2

Non-differentiated deployment of HNAS arrays


You can deploy multiple OpenStack HNAS driver instances that each control a separate
HNAS array. Each instance does not need to have a volume type associated with it. The
OpenStack Block Storage filtering algorithm selects the HNAS array with the largest available free space. In each configuration file, you must define the default volume type in
the service labels.

HDS HNAS volume driver configuration options


These details apply to the XML format configuration file that is read by HDS volume driver. These differentiated service labels are predefined: svc_0, svc_1, svc_2 and svc_3 (see footnote 2).
Each respective service label associates with these parameters and tags:
volume_type
A create_volume call with a certain volume type shall be matched up with this tag. The value default is special in that any service associated with this type is used to create volume when no other labels match. Other labels are case sensitive and should exactly match. If no configured volume types match the incoming requested type, an error occurs in volume creation.

hdp
(iSCSI only) Virtual filesystem label associated with the service.
(NFS only) Path to the volume <ip_address>:/<path> associated with the service. Additionally, this entry must be added in the file used to list available NFS shares. This file is located, by default, in /etc/cinder/nfs_shares or you can specify the location in the nfs_shares_config option in the cinder configuration file.

iscsi_ip
(iSCSI only) An iSCSI IP address dedicated to the service.

Typically an OpenStack Block Storage volume instance has only one such service label. For example, any svc_0, svc_1, svc_2 or svc_3 can be associated with it. But any mix of these
service labels can be used in the same instance (see footnote 3).

Table 1.6. Configuration options

Option | Type | Default | Description
mgmt_ip0 | Required | | Management Port 0 IP address. Should be the IP address of the 'Admin' EVS.
hnas_cmd | Optional | ssc | hnas_cmd is a command to communicate to HNAS array.
chap_enabled | Optional | True | (iSCSI only) chap_enabled is a boolean tag used to enable CHAP authentication protocol.
username | Required | supervisor | Username is always required on HNAS.
password | Required | supervisor | Password is always required on HNAS.
svc_0, svc_1, svc_2, svc_3 | Optional | (at least one label has to be defined) | Service labels: these four predefined names help four different sets of configuration options. Each can specify HDP and a unique volume type.
volume_type | Required | default | volume_type tag is used to match volume type. default meets any type of volume type, or if it is not specified. Any other volume type is selected if exactly matched during volume creation.
iscsi_ip | Required | | (iSCSI only) iSCSI IP address where volume attaches for this volume type.
hdp | Required | | HDP, for HNAS iSCSI is the virtual filesystem label or the path (for HNAS NFS) where volume, or snapshot should be created.

Footnote 2: There is no relative precedence or weight among these four labels.
Footnote 3: The get_volume_stats() function always provides the available capacity based on the combined sum of all the HDPs that are used in these service labels.
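The following added example (not part of the original guide or of the HDS driver) checks one HNAS back-end XML file against the tags in Table 1.6 and applies the volume-type matching rule described above. The function names, the finding texts, the file-permission check, and the sample file with its deliberately weak settings are constructed for illustration.

```python
import os
import stat
import xml.etree.ElementTree as ET

SVC_LABELS = ("svc_0", "svc_1", "svc_2", "svc_3")
DOCUMENTED_DEFAULT = "supervisor"  # default username/password in Table 1.6

# Constructed sample: an iSCSI back-end file with CHAP switched off, the
# documented default password, and a second label that lacks <iscsi_ip>.
SAMPLE_ISCSI = """<?xml version="1.0" encoding="UTF-8" ?>
<config>
  <mgmt_ip0>172.17.44.16</mgmt_ip0>
  <hnas_cmd>ssc</hnas_cmd>
  <chap_enabled>False</chap_enabled>
  <username>supervisor</username>
  <password>supervisor</password>
  <svc_0>
    <volume_type>default</volume_type>
    <iscsi_ip>172.17.39.132</iscsi_ip>
    <hdp>fs-01</hdp>
  </svc_0>
  <svc_1>
    <volume_type>platinum</volume_type>
    <hdp>fs-02</hdp>
  </svc_1>
</config>
"""


def _text(node, tag, default=""):
    """Return the stripped text of a child tag, or default if absent/empty."""
    value = node.findtext(tag)
    return value.strip() if value and value.strip() else default


def audit_hnas_config(xml_text, protocol):
    """Parse one back-end file (str); return (services, findings).

    protocol is "iscsi" or "nfs"; services maps volume_type -> settings.
    """
    root = ET.fromstring(xml_text.encode("utf-8"))
    findings = []
    for tag in ("mgmt_ip0", "username", "password"):
        if not _text(root, tag):
            findings.append("missing required tag <%s>" % tag)
    if _text(root, "password") == DOCUMENTED_DEFAULT:
        findings.append("password is the documented default value")
    # chap_enabled applies to iSCSI only and defaults to True when omitted.
    chap = _text(root, "chap_enabled", "True").lower() == "true"
    if protocol == "iscsi" and not chap:
        findings.append("CHAP authentication is disabled for iSCSI")

    services = {}
    for label in SVC_LABELS:
        svc = root.find(label)
        if svc is None:
            continue
        vtype = _text(svc, "volume_type", "default")
        entry = {"label": label, "hdp": _text(svc, "hdp"),
                 "iscsi_ip": _text(svc, "iscsi_ip")}
        if not entry["hdp"]:
            findings.append("%s: missing required tag <hdp>" % label)
        elif protocol == "nfs" and ":/" not in entry["hdp"]:
            findings.append("%s: hdp is not <ip_address>:/<path>" % label)
        if protocol == "iscsi" and not entry["iscsi_ip"]:
            findings.append("%s: missing required tag <iscsi_ip>" % label)
        if vtype in services:
            findings.append("%s: volume_type %r is not unique" % (label, vtype))
            continue
        services[vtype] = entry
    if not services:
        findings.append("no service label defined (need one of svc_0..svc_3)")
    elif "default" not in services:
        findings.append("no default volume type: only exact matches will work")
    return services, findings


def match_service(services, requested_type):
    """Pick the service for a create_volume request: exact, case-sensitive
    match first, then the special 'default' type, otherwise an error."""
    if requested_type in services:
        return services[requested_type]
    if "default" in services:
        return services["default"]
    raise LookupError("no service matches volume type %r" % requested_type)


def readable_by_others(path):
    """True if group or other has any permission bit on the file, which
    would expose the plaintext <password> to other local accounts."""
    return bool(stat.S_IMODE(os.stat(path).st_mode) & 0o077)


if __name__ == "__main__":
    services, findings = audit_hnas_config(SAMPLE_ISCSI, "iscsi")
    for line in findings:
        print("finding:", line)
    # Matching is case sensitive, so "Platinum" falls back to the default.
    print("'Platinum' ->", match_service(services, "Platinum")["label"])
```

Because matching is case sensitive, a request for "Platinum" is served by the default label rather than by the platinum one.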

HDS HUS iSCSI driver


This Block Storage volume driver provides iSCSI support for HUS (Hitachi Unified Storage)
arrays such as HUS-110, HUS-130, and HUS-150.

System requirements
Use the HDS hus-cmd command to communicate with an HUS array. You can download
this utility package from the HDS support site (https://hdssupport.hds.com/).
Platform: Ubuntu 12.04 LTS or newer.

Supported operations
Create, delete, attach, and detach volumes.
Create, list, and delete volume snapshots.
Create a volume from a snapshot.
Copy an image to a volume.
Copy a volume to an image.
Clone a volume.
Extend a volume.
Get volume statistics.

Configuration
The HDS driver supports the concept of differentiated services, where a volume type can be
associated with the fine-tuned performance characteristics of an HDP, the dynamic pool
where volumes are created (see footnote 4). For instance, an HDP can consist of fast SSDs to provide speed.
An HDP can provide a certain reliability based on things like its RAID level characteristics. The HDS
driver maps volume type to the volume_type option in its configuration file.
Configuration is read from an XML-format file. Examples are shown for single and multi
back-end cases.

Note
Configuration is read from an XML file. This example shows the configuration
for single back-end and for multi-back-end cases.
It is not recommended to manage an HUS array simultaneously from multiple
OpenStack Block Storage instances or servers (see footnote 5).

Footnote 4: Do not confuse differentiated services with the OpenStack Block Storage volume services.
Footnote 5: It is okay to manage multiple HUS arrays by using multiple OpenStack Block Storage instances (or servers).


Table 1.7. Description of HDS HUS iSCSI driver configuration options

Configuration option = Default value | Description
[DEFAULT]
hds_cinder_config_file = /opt/hds/hus/cinder_hus_conf.xml | (StrOpt) The configuration file for the Cinder HDS driver for HUS

HUS setup
Before using iSCSI services, use the HUS UI to create an iSCSI domain for each EVS providing
iSCSI services.

Single back-end
In a single back-end deployment, only one OpenStack Block Storage instance runs on the
OpenStack Block Storage server and controls one HUS array: this deployment requires these
configuration files:
1. Set the hds_cinder_config_file option in the /etc/cinder/cinder.conf file
to use the HDS volume driver. This option points to a configuration file (see footnote 6).
volume_driver = cinder.volume.drivers.hds.hds.HUSDriver
hds_cinder_config_file = /opt/hds/hus/cinder_hds_conf.xml

2. Configure hds_cinder_config_file at the location specified previously. For example, /opt/hds/hus/cinder_hds_conf.xml:


<?xml version="1.0" encoding="UTF-8" ?>
<config>
<mgmt_ip0>172.17.44.16</mgmt_ip0>
<mgmt_ip1>172.17.44.17</mgmt_ip1>
<hus_cmd>hus-cmd</hus_cmd>
<username>system</username>
<password>manager</password>
<svc_0>
<volume_type>default</volume_type>
<iscsi_ip>172.17.39.132</iscsi_ip>
<hdp>9</hdp>
</svc_0>
<snapshot>
<hdp>13</hdp>
</snapshot>
<lun_start>
3000
</lun_start>
<lun_end>
4000
</lun_end>
</config>

Footnote 6: The configuration file location may differ.

Multi back-end
In a multi back-end deployment, more than one OpenStack Block Storage instance runs on
the same server. In this example, two HUS arrays are used, possibly providing different storage performance:
1. Configure /etc/cinder/cinder.conf: the hus1 and hus2 configuration blocks are created. Set the hds_cinder_config_file option to point to a unique configuration file for each block. Set the volume_driver option for each back-end to cinder.volume.drivers.hds.hds.HUSDriver.
enabled_backends=hus1,hus2
[hus1]
volume_driver = cinder.volume.drivers.hds.hds.HUSDriver
hds_cinder_config_file = /opt/hds/hus/cinder_hus1_conf.xml
volume_backend_name=hus-1
[hus2]
volume_driver = cinder.volume.drivers.hds.hds.HUSDriver
hds_cinder_config_file = /opt/hds/hus/cinder_hus2_conf.xml
volume_backend_name=hus-2

2. Configure /opt/hds/hus/cinder_hus1_conf.xml:
<?xml version="1.0" encoding="UTF-8" ?>
<config>
<mgmt_ip0>172.17.44.16</mgmt_ip0>
<mgmt_ip1>172.17.44.17</mgmt_ip1>
<hus_cmd>hus-cmd</hus_cmd>
<username>system</username>
<password>manager</password>
<svc_0>
<volume_type>regular</volume_type>
<iscsi_ip>172.17.39.132</iscsi_ip>
<hdp>9</hdp>
</svc_0>
<snapshot>
<hdp>13</hdp>
</snapshot>
<lun_start>
3000
</lun_start>
<lun_end>
4000
</lun_end>
</config>

3. Configure the /opt/hds/hus/cinder_hus2_conf.xml file:


<?xml version="1.0" encoding="UTF-8" ?>
<config>
<mgmt_ip0>172.17.44.20</mgmt_ip0>
<mgmt_ip1>172.17.44.21</mgmt_ip1>
<hus_cmd>hus-cmd</hus_cmd>
<username>system</username>
<password>manager</password>
<svc_0>
<volume_type>platinum</volume_type>
<iscsi_ip>172.17.30.130</iscsi_ip>
<hdp>2</hdp>
</svc_0>
<snapshot>
<hdp>3</hdp>
</snapshot>
<lun_start>
2000
</lun_start>
<lun_end>
3000
</lun_end>
</config>

Type extra specs: volume_backend and volume type


If you use volume types, you must configure them in the configuration file and set the
volume_backend_name option to the appropriate back-end. In the previous multi backend example, the platinum volume type is served by hus-2, and the regular volume
type is served by hus-1.
cinder type-key regular set volume_backend_name=hus-1
cinder type-key platinum set volume_backend_name=hus-2

Non differentiated deployment of HUS arrays


You can deploy multiple OpenStack Block Storage instances that each control a separate
HUS array. Each instance has no volume type associated with it. The OpenStack Block Storage filtering algorithm selects the HUS array with the largest available free space. In each
configuration file, you must define the default volume_type in the service labels.

HDS iSCSI volume driver configuration options


These details apply to the XML format configuration file that is read by HDS volume driver. These differentiated service labels are predefined: svc_0, svc_1, svc_2, and svc_3 (see footnote 7).
Each respective service label associates with these parameters and tags:
1. volume-types: A create_volume call with a certain volume type shall be matched up
with this tag. default is special in that any service associated with this type is used to
create volume when no other labels match. Other labels are case sensitive and should exactly match. If no configured volume_types match the incoming requested type, an error
occurs in volume creation.
2. HDP, the pool ID associated with the service.
3. An iSCSI port dedicated to the service.
Typically an OpenStack Block Storage volume instance has only one such service label. For
example, any svc_0, svc_1, svc_2, or svc_3 can be associated with it. But any mix of
these service labels can be used in the same instance (see footnote 8).

Table 1.8. Configuration options

Option | Type | Default | Description
mgmt_ip0 | Required | | Management Port 0 IP address
mgmt_ip1 | Required | | Management Port 1 IP address
hus_cmd | Optional | | hus_cmd is the command used to communicate with the HUS array. If it is not set, the default value is hus-cmd.
username | Optional | | Username is required only if secure mode is used
password | Optional | | Password is required only if secure mode is used
svc_0, svc_1, svc_2, svc_3 | Optional | (at least one label has to be defined) | Service labels: these four predefined names help four different sets of configuration options -- each can specify iSCSI port address, HDP and a unique volume type.
snapshot | Required | | A service label which helps specify configuration for snapshots, such as, HDP.
volume_type | Required | | volume_type tag is used to match volume type. Default meets any type of volume_type, or if it is not specified. Any other volume_type is selected if exactly matched during create_volume.
iscsi_ip | Required | | iSCSI port IP address where volume attaches for this volume type.
hdp | Required | | HDP, the pool number where volume, or snapshot should be created.
lun_start | Optional | | LUN allocation starts at this number.
lun_end | Optional | 4096 | LUN allocation is up to, but not including, this number.

Footnote 7: Each of these four labels has no relative precedence or weight.
Footnote 8: The get_volume_stats() always provides the available capacity based on the combined sum of all the HDPs that are used in these service labels.

HP 3PAR Fibre Channel and iSCSI drivers


The HP3PARFCDriver and HP3PARISCSIDriver drivers, which are based on the Block
Storage service (Cinder) plug-in architecture, run volume operations by communicating
with the HP 3PAR storage system over HTTP, HTTPS, and SSH connections. The HTTP and
HTTPS communications use hp3parclient, which is part of the Python standard library.
For information about how to manage HP 3PAR storage systems, see the HP 3PAR user documentation.

System requirements
To use the HP 3PAR drivers, install the following software and components on the HP 3PAR
storage system:
HP 3PAR Operating System software version 3.1.3 MU1 or higher
HP 3PAR Web Services API Server must be enabled and running
One Common Provisioning Group (CPG)
Additionally, you must install the hp3parclient version 3.1.0 or newer from the Python
standard library on the system with the enabled Block Storage service volume drivers.

Supported operations
Create, delete, attach, and detach volumes.
Create, list, and delete volume snapshots.
Create a volume from a snapshot.
Copy an image to a volume.
Copy a volume to an image.

Clone a volume.
Extend a volume.
Migrate a volume with back-end assistance.
Volume type support for both HP 3PAR drivers includes the ability
to set the following capabilities in the OpenStack Block Storage API
cinder.api.contrib.types_extra_specs volume type extra specs extension module:
hp3par:cpg
hp3par:snap_cpg
hp3par:provisioning
hp3par:persona
hp3par:vvs
To work with the default filter scheduler, the key values are case sensitive and scoped with
hp3par:. For information about how to set the key-value pairs and associate them with a
volume type, run the following command:
$ cinder help type-key

Note
Volumes that are cloned only support extra specs keys cpg, snap_cpg, provisioning and vvs. The others are ignored. In addition the comments section of the
cloned volume in the HP 3PAR StoreServ storage array is not populated.
If volume types are not used or a particular key is not set for a volume type, the following
defaults are used:
hp3par:cpg - Defaults to the hp3par_cpg setting in the cinder.conf file.
hp3par:snap_cpg - Defaults to the hp3par_snap setting in the cinder.conf file. If
hp3par_snap is not set, it defaults to the hp3par_cpg setting.
hp3par:provisioning - Defaults to thin provisioning, the valid values are thin and
full.
hp3par:persona - Defaults to the 2 - Generic-ALUA persona. The valid values are,
1 - Generic, 2 - Generic-ALUA, 6 - Generic-legacy, 7 - HPUX-legacy, 8
- AIX-legacy, 9 - EGENERA, 10 - ONTAP-legacy, 11 - VMware, 12 - OpenVMS, 13 - HPUX, and 15 - WindowsServer.
QoS support for both HP 3PAR drivers includes the ability to set the following capabilities in
the OpenStack Block Storage API cinder.api.contrib.qos_specs_manage qos specs
extension module:
minBWS
maxBWS

minIOPS
maxIOPS
latency
priority
The qos keys above no longer need to be scoped but must be created and associated with a
volume type. For information about how to set the key-value pairs and associate them with
a volume type, run the following commands:
$ cinder help qos-create
$ cinder help qos-key
$ cinder help qos-associate

The following keys require that the HP 3PAR StoreServ storage array has a Priority Optimization license installed.
hp3par:vvs - The virtual volume set name that has been predefined by the Administrator with Quality of Service (QoS) rules associated to it. If you specify extra_specs
hp3par:vvs, the qos_specs minIOPS, maxIOPS, minBWS, and maxBWS settings are ignored.
minBWS - The QoS I/O issue bandwidth minimum goal in MBs. If not set, the I/O issue
bandwidth rate has no minimum goal.
maxBWS - The QoS I/O issue bandwidth rate limit in MBs. If not set, the I/O issue bandwidth rate has no limit.
minIOPS - The QoS I/O issue count minimum goal. If not set, the I/O issue count has no
minimum goal.
maxIOPS - The QoS I/O issue count rate limit. If not set, the I/O issue count rate has no
limit.
latency - The latency goal in milliseconds.
priority - The priority of the QoS rule over other rules. If not set, the priority is normal,
valid values are low, normal and high.

Note
Since the Icehouse release, minIOPS and maxIOPS must be used together to set
I/O limits. Similarly, minBWS and maxBWS must be used together. If only one is
set the other will be set to the same value.

Enable the HP 3PAR Fibre Channel and iSCSI drivers


The HP3PARFCDriver and HP3PARISCSIDriver are installed with the OpenStack software.
1. Install the hp3parclient Python package on the OpenStack Block Storage system.

# pip install 'hp3parclient>=3.0,<4.0'

2. Verify that the HP 3PAR Web Services API server is enabled and running on the HP 3PAR storage system.
a. Log onto the HP 3PAR storage system with administrator access.
$ ssh 3paradm@<HP 3PAR IP Address>

b. View the current state of the Web Services API Server.
# showwsapi
-Service- -State- -HTTP_State- HTTP_Port -HTTPS_State- HTTPS_Port -Version-
Enabled   Active  Enabled      8008      Enabled       8080       1.1

c. If the Web Services API Server is disabled, start it.
# startwsapi

3. If the HTTP or HTTPS state is disabled, enable one of them.


# setwsapi -http enable

or
# setwsapi -https enable

Note
To stop the Web Services API Server, use the stopwsapi command. For other options run the setwsapi -h command.
4. If you are not using an existing CPG, create a CPG on the HP 3PAR storage system to be used as the default location for creating volumes.
5. Make the following changes in the /etc/cinder/cinder.conf file.


## REQUIRED SETTINGS
# 3PAR WS API Server URL
hp3par_api_url=https://10.10.0.141:8080/api/v1
# 3PAR Super user username
hp3par_username=3paradm
# 3PAR Super user password
hp3par_password=3parpass
# 3PAR CPG to use for volume creation
hp3par_cpg=OpenStackCPG_RAID5_NL
# IP address of SAN controller for SSH access to the array
san_ip=10.10.22.241
# Username for SAN controller for SSH access to the array
san_login=3paradm
# Password for SAN controller for SSH access to the array
san_password=3parpass
# FIBRE CHANNEL (uncomment the next line to enable the FC driver)
# volume_driver=cinder.volume.drivers.san.hp.hp_3par_fc.HP3PARFCDriver
# iSCSI (uncomment the next line to enable the iSCSI driver and
# hp3par_iscsi_ips or iscsi_ip_address)
#volume_driver=cinder.volume.drivers.san.hp.hp_3par_iscsi.HP3PARISCSIDriver
# iSCSI multiple port configuration
# hp3par_iscsi_ips=10.10.220.253:3261,10.10.222.234
# Still available for single port iSCSI configuration
#iscsi_ip_address=10.10.220.253
## OPTIONAL SETTINGS
# Enable HTTP debugging to 3PAR
hp3par_debug=False
# Enable CHAP authentication for iSCSI connections.
hp3par_iscsi_chap_enabled=false
# The CPG to use for Snapshots for volumes. If empty hp3par_cpg will be used.
hp3par_snap_cpg=OpenStackSNAP_CPG
# Time in hours to retain a snapshot. You can't delete it before this expires.
hp3par_snapshot_retention=48
# Time in hours when a snapshot expires and is deleted. This must be larger than retention.
hp3par_snapshot_expiration=72

Note
You can enable only one driver on each cinder instance unless you enable
multiple back-end support. See the Cinder multiple back-end support instructions to enable this feature.

Note
You can configure one or more iSCSI addresses by using the
hp3par_iscsi_ips option. When you configure multiple addresses, the driver selects the iSCSI port with the fewest active volumes at attach time. The IP address might include an IP port by using a colon (:)
to separate the address from port. If you do not define an IP port, the
default port 3260 is used. Separate IP addresses with a comma (,). The
iscsi_ip_address/iscsi_port options might be used as an alternative to hp3par_iscsi_ips for single port iSCSI configuration.
6. Save the changes to the cinder.conf file and restart the cinder-volume service.

The HP 3PAR Fibre Channel and iSCSI drivers are now enabled on your OpenStack system. If
you experience problems, review the Block Storage service log files for errors.
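The following added example (not part of the original guide or of the HP 3PAR drivers) checks a cinder.conf fragment against the rules stated in this procedure: hp3par_iscsi_ips entries default to port 3260, the port with the fewest active volumes is chosen, and the snapshot expiration must be larger than the retention. The function names, the active-volume counts passed in, the HTTPS and CHAP findings, the IPv4-only parsing, and the sample file with its deliberately weak values are constructed for illustration.

```python
import configparser
import ipaddress

DEFAULT_ISCSI_PORT = 3260  # used when an address carries no port
REQUIRED = ("hp3par_api_url", "hp3par_username", "hp3par_password",
            "hp3par_cpg", "san_ip", "san_login", "san_password")

# Constructed sample based on the settings listed above. The [DEFAULT]
# header is added so configparser can read it; the HTTP URL, disabled CHAP
# and swapped retention/expiration values are deliberate mistakes.
SAMPLE_CONF = """
[DEFAULT]
hp3par_api_url=http://10.10.0.141:8008/api/v1
hp3par_username=3paradm
hp3par_password=3parpass
hp3par_cpg=OpenStackCPG_RAID5_NL
san_ip=10.10.22.241
san_login=3paradm
san_password=3parpass
volume_driver=cinder.volume.drivers.san.hp.hp_3par_iscsi.HP3PARISCSIDriver
hp3par_iscsi_ips=10.10.220.253:3261,10.10.222.234
hp3par_iscsi_chap_enabled=false
hp3par_snapshot_retention=72
hp3par_snapshot_expiration=48
"""


def parse_iscsi_ips(value):
    """Split a comma-separated hp3par_iscsi_ips value into (ip, port) pairs.

    Assumes IPv4 addresses, as in the guide. Raises ValueError on a bad
    address or port.
    """
    targets = []
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        ip, sep, port = item.partition(":")
        ipaddress.ip_address(ip)  # validates the address
        port_no = int(port) if sep else DEFAULT_ISCSI_PORT
        if not 0 < port_no < 65536:
            raise ValueError("port out of range in %r" % item)
        targets.append((ip, port_no))
    return targets


def pick_iscsi_target(targets, active_volumes):
    """Return the target with the fewest active volumes (ties: first listed).

    active_volumes maps ip -> count; a hypothetical stand-in for what the
    driver learns from the array at attach time.
    """
    return min(targets, key=lambda target: active_volumes.get(target[0], 0))


def audit_3par_conf(conf_text):
    """Return a list of findings for the [DEFAULT] section of conf_text."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    cfg = parser["DEFAULT"]
    findings = []
    for key in REQUIRED:
        if not cfg.get(key):
            findings.append("missing required setting %s" % key)
    url = cfg.get("hp3par_api_url", "")
    if url and not url.lower().startswith("https://"):
        findings.append("hp3par_api_url does not use HTTPS")
    if cfg.get("volume_driver", "").endswith("HP3PARISCSIDriver"):
        if not cfg.getboolean("hp3par_iscsi_chap_enabled", fallback=False):
            findings.append("CHAP authentication is disabled for iSCSI")
        ips = cfg.get("hp3par_iscsi_ips") or cfg.get("iscsi_ip_address", "")
        try:
            if not parse_iscsi_ips(ips):
                findings.append("iSCSI driver enabled without an iSCSI address")
        except ValueError as exc:
            findings.append("invalid iSCSI address: %s" % exc)
    retention = cfg.getint("hp3par_snapshot_retention", fallback=None)
    expiration = cfg.getint("hp3par_snapshot_expiration", fallback=None)
    if None not in (retention, expiration) and expiration <= retention:
        findings.append("hp3par_snapshot_expiration must be larger than "
                        "hp3par_snapshot_retention")
    return findings


if __name__ == "__main__":
    for line in audit_3par_conf(SAMPLE_CONF):
        print("finding:", line)
    targets = parse_iscsi_ips("10.10.220.253:3261,10.10.222.234")
    print(pick_iscsi_target(targets, {"10.10.220.253": 4, "10.10.222.234": 1}))
```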

HP LeftHand/StoreVirtual driver
The HPLeftHandISCSIDriver is based on the Block Storage service (Cinder) plug-in architecture. Volume operations are run by communicating with the HP LeftHand/StoreVirtual system over HTTPS, or SSH connections. HTTPS communications use the hplefthandclient,
which is part of the Python standard library.
The HPLeftHandISCSIDriver can be configured to run in one of two possible modes,
legacy mode which uses SSH/CLIQ to communicate with the HP LeftHand/StoreVirtual array, or standard mode which uses a new REST client to communicate with the array. No
new functionality has been, or will be, supported in legacy mode. For performance improvements and new functionality, the driver must be configured for standard mode,
the hplefthandclient must be downloaded, and HP LeftHand/StoreVirtual Operating System software version 11.5 or higher is required on the array. To configure the driver in
standard mode, see the section called "HP LeftHand/StoreVirtual REST driver standard mode". To configure the driver in legacy mode, see the section called "HP LeftHand/StoreVirtual CLIQ driver legacy mode".
For information about how to manage HP LeftHand/StoreVirtual storage systems, see the
HP LeftHand/StoreVirtual user documentation.

HP LeftHand/StoreVirtual REST driver standard mode


This section describes how to configure the HP LeftHand/StoreVirtual Cinder driver in standard mode.

System requirements
To use the HP LeftHand/StoreVirtual driver in standard mode, do the following:
Install LeftHand/StoreVirtual Operating System software version 11.5 or higher on the
HP LeftHand/StoreVirtual storage system.
Create a cluster group.
Install the hplefthandclient version 1.0.2 from the Python Package Index on the system
with the enabled Block Storage service volume drivers.

Supported operations
Create, delete, attach, and detach volumes.
Create, list, and delete volume snapshots.
Create a volume from a snapshot.
Copy an image to a volume.
Copy a volume to an image.
Clone a volume.
Extend a volume.

Get volume statistics.


Migrate a volume with back-end assistance.
Retype a volume.
When you use back-end assisted volume migration, both source and destination clusters must be in the same HP LeftHand/StoreVirtual management group. The HP LeftHand/StoreVirtual array will use native LeftHand APIs to migrate the volume. The volume
cannot be attached or have snapshots to migrate.
Volume type support for the driver includes the ability to set the following capabilities in
the OpenStack Cinder API cinder.api.contrib.types_extra_specs volume type
extra specs extension module.
hplh:provisioning
hplh:ao
hplh:data_pl
To work with the default filter scheduler, the key-value pairs are case-sensitive and scoped
with 'hplh:'. For information about how to set the key-value pairs and associate them
with a volume type, run the following command:
$ cinder help type-key

The following keys require specific configuration of the HP LeftHand/StoreVirtual storage array:
hplh:ao
    The HP LeftHand/StoreVirtual storage array must be configured for Adaptive Optimization.
hplh:data_pl
    The HP LeftHand/StoreVirtual storage array must be able to support the Data Protection level specified by the extra spec.

If volume types are not used or a particular key is not set for a volume type, the following defaults are used:
hplh:provisioning
    Defaults to thin provisioning. The valid values are thin and full.
hplh:ao
    Defaults to true. The valid values are true and false.
hplh:data_pl
    Defaults to r-0, Network RAID-0 (None). The valid values are:
    r-0, Network RAID-0 (None)
    r-5, Network RAID-5 (Single Parity)
    r-10-2, Network RAID-10 (2-Way Mirror)
    r-10-3, Network RAID-10 (3-Way Mirror)
    r-10-4, Network RAID-10 (4-Way Mirror)
    r-6, Network RAID-6 (Dual Parity)

Enable the HP LeftHand/StoreVirtual iSCSI driver in standard mode


The HPLeftHandISCSIDriver is installed with the OpenStack software.
1. Install the hplefthandclient Python package on the OpenStack Block Storage system.

# pip install 'hplefthandclient>=1.0.2,<2.0'

2. If you are not using an existing cluster, create a cluster on the HP LeftHand storage system to be used as the cluster for creating volumes.

3. Make the following changes in the /etc/cinder/cinder.conf file:

## REQUIRED SETTINGS
# LeftHand WS API Server URL
hplefthand_api_url=https://10.10.0.141:8081/lhos
# LeftHand Super user username
hplefthand_username=lhuser
# LeftHand Super user password
hplefthand_password=lhpass
# LeftHand cluster to use for volume creation
hplefthand_clustername=ClusterLefthand
# LeftHand iSCSI driver
volume_driver=cinder.volume.drivers.san.hp.hp_lefthand_iscsi.HPLeftHandISCSIDriver
## OPTIONAL SETTINGS
# Should CHAP authentication be used (default=false)
hplefthand_iscsi_chap_enabled=false
# Enable HTTP debugging to LeftHand (default=false)
hplefthand_debug=false

You can enable only one driver on each cinder instance unless you enable multiple
back-end support. See the Cinder multiple back-end support instructions to enable this
feature.
If the hplefthand_iscsi_chap_enabled is set to true, the driver will associate
randomly-generated CHAP secrets with all hosts on the HP LeftHand/StoreVirtual system. OpenStack Compute nodes use these secrets when creating iSCSI connections.

Important
CHAP secrets are passed from OpenStack Block Storage to Compute in
clear text. This communication should be secured to ensure that CHAP secrets are not discovered.


Note
CHAP secrets are added to existing hosts as well as newly-created ones. If
the CHAP option is enabled, hosts will not be able to access the storage
without the generated secrets.
4. Save the changes to the cinder.conf file and restart the cinder-volume service.

The HP LeftHand/StoreVirtual driver is now enabled in standard mode on your OpenStack system. If you experience problems, review the Block Storage service log files for errors.

HP LeftHand/StoreVirtual CLIQ driver legacy mode


This section describes how to configure the HP LeftHand/StoreVirtual Cinder driver in legacy mode.
The HPLeftHandISCSIDriver allows you to use an HP LeftHand/StoreVirtual SAN that
supports the CLIQ interface. Every supported volume operation translates into a CLIQ call in
the back-end.

Supported operations
Create, delete, attach, and detach volumes.
Create, list, and delete volume snapshots.
Create a volume from a snapshot.
Copy an image to a volume.
Copy a volume to an image.

Enable the HP LeftHand/StoreVirtual iSCSI driver in legacy mode


The HPLeftHandISCSIDriver is installed with the OpenStack software.
1. If you are not using an existing cluster, create a cluster on the HP LeftHand storage system to be used as the cluster for creating volumes.

2. Make the following changes in the /etc/cinder/cinder.conf file.

## REQUIRED SETTINGS
# VIP of your Virtual Storage Appliance (VSA).
san_ip=10.10.0.141
# LeftHand Super user username
san_login=lhuser
# LeftHand Super user password
san_password=lhpass
# LeftHand ssh port, the default for the VSA is usually 16022.
san_ssh_port=16022
# LeftHand cluster to use for volume creation
san_clustername=ClusterLefthand
# LeftHand iSCSI driver
volume_driver=cinder.volume.drivers.san.hp.hp_lefthand_iscsi.HPLeftHandISCSIDriver
## OPTIONAL SETTINGS
# LeftHand provisioning. To disable thin provisioning, set to False.
san_thin_provision=True
# Typically, this parameter is set to False for this driver.
# To configure the CLIQ commands to run locally instead of over ssh,
# set this parameter to True
san_is_local=False

3. Save the changes to the cinder.conf file and restart the cinder-volume service.

The HP LeftHand/StoreVirtual driver is now enabled in legacy mode on your OpenStack system. If you experience problems, review the Block Storage service log files for errors.
To configure the VSA
1. Configure CHAP on each of the nova-compute nodes.

2. Add server associations on the VSA with the associated CHAP and initiator information. The name should correspond to the hostname of the nova-compute node. For Xen, this is the hypervisor host name. To do this, use either CLIQ or the Centralized Management Console.

HP MSA Fibre Channel driver


The HP MSA Fibre Channel driver runs volume operations on the storage array over HTTP.
A VDisk must be created on the HP MSA array first. This can be done using the web interface or the command-line interface of the array.
The following options must be defined in the cinder-volume configuration file (/etc/cinder/cinder.conf):
Set the volume_driver option to cinder.volume.drivers.san.hp.hp_msa_fc.HPMSAFCDriver
Set the san_ip option to the hostname or IP address of your HP MSA array.
Set the san_login option to the login of an existing user of the HP MSA array.
Set the san_password option to the password for this user.

Huawei storage driver


The Huawei driver supports the iSCSI and Fibre Channel connections and enables OceanStor
T series unified storage, OceanStor Dorado high-performance storage, and OceanStor HVS
high-end storage to provide block storage services for OpenStack.

Supported operations
OceanStor T series unified storage supports these operations:
Create, delete, attach, and detach volumes.
Create, list, and delete volume snapshots.
Create a volume from a snapshot.
Copy an image to a volume.
Copy a volume to an image.
Clone a volume.
OceanStor Dorado5100 supports these operations:
Create, delete, attach, and detach volumes.
Create, list, and delete volume snapshots.
Copy an image to a volume.
Copy a volume to an image.
OceanStor Dorado2100 G2 supports these operations:
Create, delete, attach, and detach volumes.
Copy an image to a volume.
Copy a volume to an image.
OceanStor HVS supports these operations:
Create, delete, attach, and detach volumes.
Create, list, and delete volume snapshots.
Copy an image to a volume.
Copy a volume to an image.
Create a volume from a snapshot.
Clone a volume.

Configure Cinder nodes


In /etc/cinder, create the driver configuration file named
cinder_huawei_conf.xml.
You must configure Product and Protocol to specify a storage system and link type.
The following uses the iSCSI driver as an example. The driver configuration file of OceanStor
T series unified storage is shown as follows:
<?xml version='1.0' encoding='UTF-8'?>
<config>
  <Storage>
    <Product>T</Product>
    <Protocol>iSCSI</Protocol>
    <ControllerIP0>x.x.x.x</ControllerIP0>
    <ControllerIP1>x.x.x.x</ControllerIP1>
    <UserName>xxxxxxxx</UserName>
    <UserPassword>xxxxxxxx</UserPassword>
  </Storage>
  <LUN>
    <LUNType>Thick</LUNType>
    <StripUnitSize>64</StripUnitSize>
    <WriteType>1</WriteType>
    <MirrorSwitch>1</MirrorSwitch>
    <Prefetch Type="3" value="0"/>
    <StoragePool Name="xxxxxxxx"/>
    <StoragePool Name="xxxxxxxx"/>
  </LUN>
  <iSCSI>
    <DefaultTargetIP>x.x.x.x</DefaultTargetIP>
    <Initiator Name="xxxxxxxx" TargetIP="x.x.x.x"/>
    <Initiator Name="xxxxxxxx" TargetIP="x.x.x.x"/>
  </iSCSI>
  <Host OSType="Linux" HostIP="x.x.x.x, x.x.x.x"/>
</config>

The driver configuration file of OceanStor Dorado5100 is shown as follows:


<?xml version='1.0' encoding='UTF-8'?>
<config>
  <Storage>
    <Product>Dorado</Product>
    <Protocol>iSCSI</Protocol>
    <ControllerIP0>x.x.x.x</ControllerIP0>
    <ControllerIP1>x.x.x.x</ControllerIP1>
    <UserName>xxxxxxxx</UserName>
    <UserPassword>xxxxxxxx</UserPassword>
  </Storage>
  <LUN>
    <StripUnitSize>64</StripUnitSize>
    <WriteType>1</WriteType>
    <MirrorSwitch>1</MirrorSwitch>
    <StoragePool Name="xxxxxxxx"/>
    <StoragePool Name="xxxxxxxx"/>
  </LUN>
  <iSCSI>
    <DefaultTargetIP>x.x.x.x</DefaultTargetIP>
    <Initiator Name="xxxxxxxx" TargetIP="x.x.x.x"/>
    <Initiator Name="xxxxxxxx" TargetIP="x.x.x.x"/>
  </iSCSI>
  <Host OSType="Linux" HostIP="x.x.x.x, x.x.x.x"/>
</config>

The driver configuration file of OceanStor Dorado2100 G2 is shown as follows:


<?xml version='1.0' encoding='UTF-8'?>
<config>
  <Storage>
    <Product>Dorado</Product>
    <Protocol>iSCSI</Protocol>
    <ControllerIP0>x.x.x.x</ControllerIP0>
    <ControllerIP1>x.x.x.x</ControllerIP1>
    <UserName>xxxxxxxx</UserName>
    <UserPassword>xxxxxxxx</UserPassword>
  </Storage>
  <LUN>
    <LUNType>Thick</LUNType>
    <WriteType>1</WriteType>
    <MirrorSwitch>1</MirrorSwitch>
  </LUN>
  <iSCSI>
    <DefaultTargetIP>x.x.x.x</DefaultTargetIP>
    <Initiator Name="xxxxxxxx" TargetIP="x.x.x.x"/>
    <Initiator Name="xxxxxxxx" TargetIP="x.x.x.x"/>
  </iSCSI>
  <Host OSType="Linux" HostIP="x.x.x.x, x.x.x.x"/>
</config>

The driver configuration file of OceanStor HVS is shown as follows:


<?xml version='1.0' encoding='UTF-8'?>
<config>
  <Storage>
    <Product>HVS</Product>
    <Protocol>iSCSI</Protocol>
    <HVSURL>https://x.x.x.x:8088/deviceManager/rest/</HVSURL>
    <UserName>xxxxxxxx</UserName>
    <UserPassword>xxxxxxxx</UserPassword>
  </Storage>
  <LUN>
    <LUNType>Thick</LUNType>
    <WriteType>1</WriteType>
    <MirrorSwitch>1</MirrorSwitch>
    <StoragePool>xxxxxxxx</StoragePool>
  </LUN>
  <iSCSI>
    <DefaultTargetIP>x.x.x.x</DefaultTargetIP>
    <Initiator Name="xxxxxxxx" TargetIP="x.x.x.x"/>
    <Initiator Name="xxxxxxxx" TargetIP="x.x.x.x"/>
  </iSCSI>
  <Host OSType="Linux" HostIP="x.x.x.x, x.x.x.x"/>
</config>

Note
You do not need to configure the iSCSI target IP address for the Fibre Channel
driver. In the prior example, delete the iSCSI configuration:
<iSCSI>
<DefaultTargetIP>x.x.x.x</DefaultTargetIP>
<Initiator Name="xxxxxxxx" TargetIP="x.x.x.x"/>
<Initiator Name="xxxxxxxx" TargetIP="x.x.x.x"/>
</iSCSI>

To add volume_driver and cinder_huawei_conf_file items, you can modify the cinder.conf configuration file as follows:
volume_driver = cinder.volume.drivers.huawei.HuaweiVolumeDriver
cinder_huawei_conf_file = /etc/cinder/cinder_huawei_conf.xml

You can configure multiple Huawei back-end storages as follows:



enabled_backends = t_iscsi, dorado5100_iscsi


[t_iscsi]
volume_driver = cinder.volume.drivers.huawei.HuaweiVolumeDriver
cinder_huawei_conf_file = /etc/cinder/cinder_huawei_conf_t_iscsi.xml
volume_backend_name = HuaweiTISCSIDriver
[dorado5100_iscsi]
volume_driver = cinder.volume.drivers.huawei.HuaweiVolumeDriver
cinder_huawei_conf_file = /etc/cinder/cinder_huawei_conf_dorado5100_iscsi.xml
volume_backend_name = HuaweiDorado5100ISCSIDriver

OceanStor HVS storage system supports the QoS function. You must create a QoS policy for
the HVS storage system and create the volume type to enable QoS as follows:
Create volume type: QoS_high
cinder type-create QoS_high
Configure extra_specs for QoS_high:
cinder type-key QoS_high set capabilities:QoS_support="<is> True" drivers:flow_strategy=OpenStack_QoS_high drivers:io_priority=high

Note
OpenStack_QoS_high is a QoS policy created by a user for the HVS storage
system. QoS_high is the self-defined volume type. Set the io_priority option to high, normal, or low.
OceanStor HVS storage system supports the SmartTier function. SmartTier has three tiers.
You can create the volume type to enable SmartTier as follows:
Create volume type: Tier_high
cinder type-create Tier_high
Configure extra_specs for Tier_high:
cinder type-key Tier_high set capabilities:Tier_support="<is> True" drivers:distribute_policy=high drivers:transfer_strategy=high

Note
distribute_policy and transfer_strategy can only be set to high,
normal, or low.

Configuration file details


This table describes the Huawei storage driver configuration options:

Table 1.9. Huawei storage driver configuration options

| Flag name | Type | Default | Description |
|---|---|---|---|
| Product | Required | | Type of a storage product. Valid values are T, Dorado, or HVS. |
| Protocol | Required | | Type of a protocol. Valid values are iSCSI or FC. |
| ControllerIP0 | Required | | IP address of the primary controller (not required for the HVS) |
| ControllerIP1 | Required | | IP address of the secondary controller (not required for the HVS) |
| HVSURL | Required | | Access address of the Rest port (required only for the HVS) |
| UserName | Required | | User name of an administrator |
| UserPassword | Required | | Password of an administrator |
| LUNType | Optional | Thin | Type of a created LUN. Valid values are Thick or Thin. |
| StripUnitSize | Optional | 64 | Stripe depth of a created LUN. The value is expressed in KB. This flag is not valid for a thin LUN. |
| WriteType | Optional | | Cache write method. The method can be write back, write through, or Required write back. The default value is 1, indicating write back. |
| MirrorSwitch | Optional | | Cache mirroring policy. The default value is 1, indicating that a mirroring policy is used. |
| Prefetch Type | Optional | | Cache prefetch strategy. The strategy can be constant prefetch, variable prefetch, or intelligent prefetch. Default value is 3, which indicates intelligent prefetch and is not required for the HVS. |
| Prefetch Value | Optional | | Cache prefetch value. |
| StoragePool | Required | | Name of a storage pool that you want to use. Not required for the Dorado2100 G2. |
| DefaultTargetIP | Optional | | Default IP address of the iSCSI port provided for compute nodes. |
| Initiator Name | Optional | | Name of a compute node initiator. |
| Initiator TargetIP | Optional | | IP address of the iSCSI port provided for compute nodes. |
| OSType | Optional | Linux | The OS type for a compute node. |
| HostIP | Optional | | The IPs for compute nodes. |

Note
1. You can configure one iSCSI target port for each or all compute nodes. The
driver checks whether a target port IP address is configured for the current
compute node. If not, select DefaultTargetIP.
2. You can configure multiple storage pools in one configuration file, which
supports the use of multiple storage pools in a storage system. (HVS allows
configuration of only one storage pool.)
3. For details about LUN configuration information, see the createlun command in the command-line interface (CLI) documentation or run the help -c
createlun on the storage system CLI.
4. After the driver is loaded, the storage system obtains any modification of the
driver configuration file in real time and you do not need to restart the cinder-volume service.
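
The rules in Table 1.9 and the notes above can be checked before the driver reads a file. The validator below is an added example, not code from the Huawei driver or from this guide; the function name, the finding wording, the HTTPS check on HVSURL, the placeholder scan and the constructed sample (192.0.2.x documentation addresses) are assumptions of the example.

```python
import xml.etree.ElementTree as ET

PRODUCTS = ("T", "Dorado", "HVS")
PROTOCOLS = ("iSCSI", "FC")
PLACEHOLDERS = ("x.x.x.x", "xxxxxxxx")   # template values in the reference files

# Constructed sample for an HVS back end (not taken from a real system).
SAMPLE_HVS = """<?xml version='1.0' encoding='UTF-8'?>
<config>
  <Storage>
    <Product>HVS</Product>
    <Protocol>iSCSI</Protocol>
    <HVSURL>https://192.0.2.50:8088/deviceManager/rest/</HVSURL>
    <UserName>cinder-svc</UserName>
    <UserPassword>example-only</UserPassword>
  </Storage>
  <LUN>
    <LUNType>Thick</LUNType>
    <WriteType>1</WriteType>
    <MirrorSwitch>1</MirrorSwitch>
    <StoragePool>pool0</StoragePool>
  </LUN>
  <iSCSI>
    <DefaultTargetIP>192.0.2.60</DefaultTargetIP>
    <Initiator Name="iqn.2014-10.example:compute1" TargetIP="192.0.2.61"/>
  </iSCSI>
  <Host OSType="Linux" HostIP="192.0.2.70, 192.0.2.71"/>
</config>
"""


def _text(root, path):
    """Stripped text of the first element at path, or '' when absent or empty."""
    node = root.find(path)
    return (node.text or "").strip() if node is not None else ""


def validate_huawei_conf(xml_text):
    """Return sorted (field, problem) tuples; an empty list means no finding."""
    data = xml_text.encode("utf-8") if isinstance(xml_text, str) else xml_text
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:          # e.g. unquoted attribute values
        return [("xml", "not well-formed: %s" % exc)]

    problems = []
    product = _text(root, "Storage/Product")
    protocol = _text(root, "Storage/Protocol")
    if product not in PRODUCTS:
        problems.append(("Product", "must be T, Dorado, or HVS"))
    if protocol not in PROTOCOLS:
        problems.append(("Protocol", "must be iSCSI or FC"))

    # HVS is reached through a REST URL, T and Dorado through two controllers.
    required = ["UserName", "UserPassword"]
    if product == "HVS":
        required.append("HVSURL")
    elif product in ("T", "Dorado"):
        required += ["ControllerIP0", "ControllerIP1"]
    for field in required:
        if not _text(root, "Storage/" + field):
            problems.append((field, "required but missing or empty"))

    # Added check (assumption, not from the table): the administrator
    # credentials are sent to HVSURL, so flag a URL that is not HTTPS.
    url = _text(root, "Storage/HVSURL")
    if product == "HVS" and url and not url.lower().startswith("https://"):
        problems.append(("HVSURL", "credentials would be sent without TLS"))

    lun_type = _text(root, "LUN/LUNType")
    if lun_type and lun_type not in ("Thick", "Thin"):
        problems.append(("LUNType", "must be Thick or Thin"))

    # T/Dorado name pools in a Name attribute and may list several; HVS puts
    # the name in the element text and allows one pool. Dorado is not enforced
    # because Product does not distinguish the Dorado2100 G2, which needs none.
    pools = root.findall("LUN/StoragePool")
    if product == "HVS":
        if len(pools) != 1 or not (pools[0].text or "").strip():
            problems.append(("StoragePool", "HVS needs exactly one named pool"))
    elif product == "T" and not any(p.get("Name") for p in pools):
        problems.append(("StoragePool", "at least one pool Name is required"))

    # Without a per-initiator TargetIP the driver falls back to DefaultTargetIP.
    if protocol == "iSCSI" and not _text(root, "iSCSI/DefaultTargetIP") \
            and not root.findall("iSCSI/Initiator"):
        problems.append(("iSCSI", "no DefaultTargetIP and no Initiator entry"))

    # Values copied from the reference files and never filled in.
    for elem in root.iter():
        values = [elem.text or ""] + list(elem.attrib.values())
        if any(p in v for v in values for p in PLACEHOLDERS):
            problems.append((elem.tag, "still holds a template placeholder"))
    return sorted(set(problems))


if __name__ == "__main__":
    print(validate_huawei_conf(SAMPLE_HVS) or "no findings")
```

Because the file stores UserPassword in clear text, run the validator as the service account that owns the file rather than widening its permissions.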

IBM GPFS volume driver


IBM General Parallel File System (GPFS) is a cluster file system that provides concurrent access to file systems from multiple nodes. The storage provided by these nodes can be direct attached, network attached, SAN attached, or a combination of these methods. GPFS provides many features beyond common data access, including data replication, policy based storage management, and space efficient file snapshot and clone operations.

How the GPFS driver works


The GPFS driver enables the use of GPFS in a fashion similar to that of the NFS driver. With
the GPFS driver, instances do not actually access a storage device at the block level. Instead,
volume backing files are created in a GPFS file system and mapped to instances, which emulate a block device.

Note
GPFS software must be installed and running on nodes where Block Storage
and Compute services run in the OpenStack environment. A GPFS file system
must also be created and mounted on these nodes before starting the cinder-volume service. The details of these GPFS specific steps are covered in
GPFS: Concepts, Planning, and Installation Guide and GPFS: Administration and
Programming Reference.
Optionally, the Image Service can be configured to store images on a GPFS file system.
When a Block Storage volume is created from an image, if both image data and volume data reside in the same GPFS file system, the data from image file is moved efficiently to the
volume file using copy-on-write optimization strategy.

Enable the GPFS driver


To use the Block Storage service with the GPFS driver, first set the volume_driver in
cinder.conf:
volume_driver = cinder.volume.drivers.ibm.gpfs.GPFSDriver

The following table contains the configuration options supported by the GPFS driver.

Table 1.10. Description of GPFS storage configuration options

| Configuration option = Default value | Description |
|---|---|
| [DEFAULT] | |
| gpfs_images_dir = None | (StrOpt) Specifies the path of the Image service repository in GPFS. Leave undefined if not storing images in GPFS. |
| gpfs_images_share_mode = None | (StrOpt) Specifies the type of image copy to be used. Set this when the Image service repository also uses GPFS so that image files can be transferred efficiently from the Image service to the Block Storage service. There are two valid values: "copy" specifies that a full copy of the image is made; "copy_on_write" specifies that copy-on-write optimization strategy is used and unmodified blocks of the image file are shared efficiently. |
| gpfs_max_clone_depth = 0 | (IntOpt) Specifies an upper limit on the number of indirections required to reach a specific block due to snapshots or clones. A lengthy chain of copy-on-write snapshots or clones can have a negative impact on performance, but improves space utilization. 0 indicates unlimited clone depth. |
| gpfs_mount_point_base = None | (StrOpt) Specifies the path of the GPFS directory where Block Storage volume and snapshot files are stored. |
| gpfs_sparse_volumes = True | (BoolOpt) Specifies that volumes are created as sparse files which initially consume no space. If set to False, the volume is created as a fully allocated file, in which case, creation may take a significantly longer time. |
| gpfs_storage_pool = system | (StrOpt) Specifies the storage pool that volumes are assigned to. By default, the system storage pool is used. |

Note
The gpfs_images_share_mode flag is only valid if the Image Service is configured to use GPFS with the gpfs_images_dir flag. When
the value of this flag is copy_on_write, the paths specified by the
gpfs_mount_point_base and gpfs_images_dir flags must both reside in
the same GPFS file system and in the same GPFS file set.

Volume creation options


It is possible to specify additional volume configuration options on a per-volume basis by
specifying volume metadata. The volume is created using the specified options. Changing
the metadata after the volume is created has no effect. The following table lists the volume
creation options supported by the GPFS volume driver.

Table 1.11. Volume Create Options for GPFS Volume Driver

| Metadata Item Name | Description |
|---|---|
| fstype | Specifies whether to create a file system or a swap area on the new volume. If fstype=swap is specified, the mkswap command is used to create a swap area. Otherwise the mkfs command is passed the specified file system type, for example ext3, ext4 or ntfs. |
| fslabel | Sets the file system label for the file system specified by fstype option. This value is only used if fstype is specified. |
| data_pool_name | Specifies the GPFS storage pool to which the volume is to be assigned. Note: The GPFS storage pool must already have been created. |
| replicas | Specifies how many copies of the volume file to create. Valid values are 1, 2, and, for GPFS V3.5.0.7 and later, 3. This value cannot be greater than the value of the MaxDataReplicas attribute of the file system. |
| dio | Enables or disables the Direct I/O caching policy for the volume file. Valid values are yes and no. |
| write_affinity_depth | Specifies the allocation policy to be used for the volume file. Note: This option only works if allow-write-affinity is set for the GPFS data pool. |
| block_group_factor | Specifies how many blocks are laid out sequentially in the volume file to behave as a single large block. Note: This option only works if allow-write-affinity is set for the GPFS data pool. |
| write_affinity_failure_group | Specifies the range of nodes (in GPFS shared nothing architecture) where replicas of blocks in the volume file are to be written. See GPFS: Administration and Programming Reference for more details on this option. |


Example: Volume creation options


This example shows the creation of a 50GB volume with an ext4 file system labeled newfs
and direct IO enabled:
$ cinder create --metadata fstype=ext4 fslabel=newfs dio=yes --display-name volume_1 50

Operational notes for GPFS driver


Snapshots and clones
Volume snapshots are implemented using the GPFS file clone feature. Whenever a new
snapshot is created, the snapshot file is efficiently created as a read-only clone parent of
the volume, and the volume file uses copy-on-write optimization strategy to minimize data
movement.
Similarly when a new volume is created from a snapshot or from an existing volume,
the same approach is taken. The same approach is also used when a new volume
is created from an Image Service image, if the source image is in raw format, and
gpfs_images_share_mode is set to copy_on_write.

IBM Storwize family and SVC volume driver


The volume management driver for Storwize family and SAN Volume Controller (SVC) provides OpenStack Compute instances with access to IBM Storwize family or SVC storage systems.

Configure the Storwize family and SVC system


Network configuration
The Storwize family or SVC system must be configured for iSCSI, Fibre Channel, or both.
If using iSCSI, each Storwize family or SVC node should have at least one iSCSI IP address.
The IBM Storwize/SVC driver uses an iSCSI IP address associated with the volume's preferred node (if available) to attach the volume to the instance, otherwise it uses the first
available iSCSI IP address of the system. The driver obtains the iSCSI IP address directly from
the storage system; you do not need to provide these iSCSI IP addresses directly to the driver.

Note
If using iSCSI, ensure that the compute nodes have iSCSI network access to the
Storwize family or SVC system.

Note
OpenStack Nova's Grizzly version supports iSCSI multipath. Once this is configured on the Nova host (outside the scope of this documentation), multipath is
enabled.
If using Fibre Channel (FC), each Storwize family or SVC node should have at least one WWPN port configured. If the storwize_svc_multipath_enabled flag is set to True in the Cinder configuration file, the driver uses all available WWPNs to attach the volume to the instance (details about the configuration flags appear in the next section). If the flag is not set, the driver uses the WWPN associated with the volume's preferred node (if available), otherwise it uses the first available WWPN of the system. The driver obtains the WWPNs directly from the storage system; you do not need to provide these WWPNs directly to the driver.

Note
If using FC, ensure that the compute nodes have FC connectivity to the Storwize
family or SVC system.

iSCSI CHAP authentication


If using iSCSI for data access and the storwize_svc_iscsi_chap_enabled is set to
True, the driver will associate randomly-generated CHAP secrets with all hosts on the Storwize family system. OpenStack compute nodes use these secrets when creating iSCSI connections.

Note
CHAP secrets are added to existing hosts as well as newly-created ones. If the
CHAP option is enabled, hosts will not be able to access the storage without the
generated secrets.

Note
Not all OpenStack Compute drivers support CHAP authentication. Please check
compatibility before using.

Note
CHAP secrets are passed from OpenStack Block Storage to Compute in clear
text. This communication should be secured to ensure that CHAP secrets are
not discovered.

Configure storage pools


Each instance of the IBM Storwize/SVC driver allocates all volumes in a single pool.
The pool should be created in advance and be provided to the driver using the
storwize_svc_volpool_name configuration flag. Details about the configuration flags
and how to provide the flags to the driver appear in the next section.

Configure user authentication for the driver


The driver requires access to the Storwize family or SVC system management interface. The
driver communicates with the management using SSH. The driver should be provided with
the Storwize family or SVC management IP using the san_ip flag, and the management
port should be provided by the san_ssh_port flag. By default, the port value is configured to be port 22 (SSH).

Note
Make sure the compute node running the cinder-volume management driver has SSH network access to the storage system.
To allow the driver to communicate with the Storwize family or SVC system, you must provide the driver with a user on the storage system. The driver has two authentication methods: password-based authentication and SSH key pair authentication. The user should have
an Administrator role. It is suggested to create a new user for the management driver.
Please consult with your storage and security administrator regarding the preferred authentication method and how passwords or SSH keys should be stored in a secure manner.

Note
When creating a new user on the Storwize or SVC system, make sure the user
belongs to the Administrator group or to another group that has an Administrator role.
If using password authentication, assign a password to the user on the Storwize or SVC
system. The driver configuration flags for the user and password are san_login and
san_password, respectively.
If you are using the SSH key pair authentication, create SSH private and public keys using
the instructions below or by any other method. Associate the public key with the user by
uploading the public key: select the "choose file" option in the Storwize family or SVC management GUI under "SSH public key". Alternatively, you may associate the SSH public key using the command line interface; details can be found in the Storwize and SVC documentation. The private key should be provided to the driver using the san_private_key configuration flag.

Create an SSH key pair with OpenSSH


You can create an SSH key pair using OpenSSH, by running:
$ ssh-keygen -t rsa

The command prompts for a file to save the key pair. For example, if you select 'key' as the
filename, two files are created: key and key.pub. The key file holds the private SSH key
and key.pub holds the public SSH key.
The command also prompts for a pass phrase, which should be empty.
The private key file should be provided to the driver using the san_private_key configuration flag. The public key should be uploaded to the Storwize family or SVC system using
the storage management GUI or command line interface.

Note
Ensure that Cinder has read permissions on the private key file.
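
The credential and CHAP options described for the HP LeftHand/StoreVirtual REST driver and for the Storwize family and SVC driver can be audited from the text of cinder.conf. The script below is an added example, not part of this guide or of Cinder; the finding names, the owner-only policy for the private key file and the constructed sample configuration (192.0.2.x documentation addresses) are assumptions of the example.

```python
import configparser
import os
import stat

# Constructed sample, not a real deployment: two back ends that use option
# names from this chapter.
SAMPLE_CONF = """\
[DEFAULT]
enabled_backends = lefthand, svc

[lefthand]
volume_driver = cinder.volume.drivers.san.hp.hp_lefthand_iscsi.HPLeftHandISCSIDriver
hplefthand_api_url = http://192.0.2.10:8081/lhos
hplefthand_username = lhuser
hplefthand_password = example%only
hplefthand_clustername = ClusterLefthand

[svc]
volume_driver = cinder.volume.drivers.ibm.storwize_svc.StorwizeSVCDriver
san_ip = 192.0.2.20
san_login = openstack
san_password = example-only
san_private_key = /nonexistent/example/key
storwize_svc_volpool_name = pool0
storwize_svc_iscsi_chap_enabled = False
"""


def file_mode(path):
    """Permission bits of path, or None if it cannot be examined."""
    try:
        return stat.S_IMODE(os.stat(path).st_mode)
    except OSError:
        return None


def is_true(value):
    return value.strip().lower() in ("1", "true", "yes", "on")


def audit_backend(name, opts, mode_of=file_mode):
    """Return sorted (backend, finding) tuples for one back end's options."""
    found = []
    driver = opts.get("volume_driver", "")

    if driver.endswith("HPLeftHandISCSIDriver") and "hplefthand_api_url" in opts:
        # Standard (REST) mode: the super user password is sent to this URL.
        if not opts["hplefthand_api_url"].lower().startswith("https://"):
            found.append((name, "LEFTHAND_API_NOT_HTTPS"))
        # hplefthand_iscsi_chap_enabled defaults to false.
        if not is_true(opts.get("hplefthand_iscsi_chap_enabled", "false")):
            found.append((name, "LEFTHAND_CHAP_DISABLED"))

    if driver.endswith("StorwizeSVCDriver"):
        password = opts.get("san_password", "")
        key = opts.get("san_private_key", "")
        if not password and not key:
            found.append((name, "SVC_NO_CREDENTIAL"))
        if password and key:
            # The driver uses only the key, so the stored password is unused.
            found.append((name, "SVC_PASSWORD_UNUSED"))
        if key:
            mode = mode_of(key)
            if mode is None:
                found.append((name, "SVC_KEY_UNREADABLE"))
            elif mode & 0o077:
                # Example policy (assumption): no group or other access.
                found.append((name, "SVC_KEY_TOO_OPEN"))
        protocol = opts.get("storwize_svc_connection_protocol", "iSCSI")
        chap = opts.get("storwize_svc_iscsi_chap_enabled", "True")
        if protocol.lower() == "iscsi" and not is_true(chap):
            found.append((name, "SVC_CHAP_DISABLED"))
    return sorted(found)


def audit_conf(text, mode_of=file_mode):
    """Audit every configured back end in the text of a cinder.conf."""
    # interpolation=None: a '%' inside a password is data, not a reference.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    listed = cp.defaults().get("enabled_backends", "").split(",")
    names = [n.strip() for n in listed if cp.has_section(n.strip())]
    if not names:                      # single back end set in [DEFAULT]
        return audit_backend("DEFAULT", dict(cp.defaults()), mode_of)
    found = []
    for name in names:
        found += audit_backend(name, dict(cp[name]), mode_of)
    return found


if __name__ == "__main__":
    for backend, finding in audit_conf(SAMPLE_CONF):
        print(backend, finding)
```

Run it as the account that runs cinder-volume so that the private key check reflects what the service can actually read.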


Configure the Storwize family and SVC driver


Enable the Storwize family and SVC driver
Set the volume driver to the Storwize family and SVC driver by setting the
volume_driver option in cinder.conf as follows:
volume_driver = cinder.volume.drivers.ibm.storwize_svc.StorwizeSVCDriver

Storwize family and SVC driver options in cinder.conf


The following options specify default values for all volumes. Some can be overridden using
volume types, which are described below.

Table1.12.List of configuration flags for Storwize storage and SVC driver


Flag name

Type

Default

san_ip

Required

san_ssh_port

Optional

san_login

Required

san_password

Required a

Description
Management IP or host name

22

Management port
Management login username
Management login password

san_private_key

Required

storwize_svc_volpool_name

Required

storwize_svc_vol_rsize

Optional

Initial physical allocation (percentage) b

storwize_svc_vol_warning

Optional

0 (disabled)

Space allocation warning threshold (percentage) b

storwize_svc_vol_autoexpand

Optional

True

Enable or disable volume auto expand c

storwize_svc_vol_grainsize

Optional

256

Volume grain size b in KB

storwize_svc_vol_compression

Optional

False

Enable or disable Real-time Compression d

storwize_svc_vol_easytier

Optional

True

Enable or disable Easy Tier e

storwize_svc_vol_iogrp

Optional

The I/O group in which to allocate vdisks

storwize_svc_flashcopy_timeout

Optional

120

FlashCopy timeout threshold f (seconds)

storwize_svc_connection_protocol

Optional

iSCSI

Connection protocol to use (currently supports 'iSCSI' or 'FC')

storwize_svc_iscsi_chap_enabled

Optional

True

Configure CHAP authentication for iSCSI


connections

storwize_svc_multipath_enabled

Optional

False

Enable multipath for FC connections g

storwize_svc_multihost_enabled

Optional

True

Enable mapping vdisks to multiple hosts h

Management login SSH private key


Default pool name for volumes

a. The authentication requires either a password (san_password) or SSH private key (san_private_key). One must be specified. If both are specified, the driver uses only the SSH private key.
b. The driver creates thin-provisioned volumes by default. The storwize_svc_vol_rsize flag defines the initial physical allocation percentage for thin-provisioned volumes, or if set to -1, the driver creates fully allocated volumes. More details about the available options can be found in the Storwize family and SVC documentation.
c. Defines whether thin-provisioned volumes can be auto expanded by the storage system. A value of True means that auto expansion is enabled; a value of False disables auto expansion. Details about this option can be found in the autoexpand flag of the Storwize family and SVC command line interface mkvdisk command.
d. Defines whether Real-time Compression is used for the volumes created with OpenStack. Details on Real-time Compression can be found in the Storwize family and SVC documentation. The Storwize or SVC system must have compression enabled for this feature to work.
e. Defines whether Easy Tier is used for the volumes created with OpenStack. Details on Easy Tier can be found in the Storwize family and SVC documentation. The Storwize or SVC system must have Easy Tier enabled for this feature to work.
f. The driver wait timeout threshold when creating an OpenStack snapshot. This is the maximum amount of time that the driver waits for the Storwize family or SVC system to prepare a new FlashCopy mapping. The driver accepts a maximum wait time of 600 seconds (10 minutes).


g. Multipath for iSCSI connections requires no storage-side configuration and is enabled if the compute host has multipath configured.
h. This option allows the driver to map a vdisk to more than one host at a time. This scenario occurs during migration of a virtual machine with an attached volume; the volume is simultaneously mapped to both the source and destination compute hosts. If your deployment does not require attaching vdisks to multiple hosts, setting this flag to False will provide added safety.

Table 1.13. Description of IBM Storwize driver configuration options

Configuration option = Default value | Description
[DEFAULT]
storwize_svc_allow_tenant_qos = False | (BoolOpt) Allow tenants to specify QOS on create
storwize_svc_connection_protocol = iSCSI | (StrOpt) Connection protocol (iSCSI/FC)
storwize_svc_flashcopy_timeout = 120 | (IntOpt) Maximum number of seconds to wait for FlashCopy to be prepared. Maximum value is 600 seconds (10 minutes)
storwize_svc_iscsi_chap_enabled = True | (BoolOpt) Configure CHAP authentication for iSCSI connections (Default: Enabled)
storwize_svc_multihostmap_enabled = True | (BoolOpt) Allows vdisk to multi host mapping
storwize_svc_multipath_enabled = False | (BoolOpt) Connect with multipath (FC only; iSCSI multipath is controlled by Nova)
storwize_svc_npiv_compatibility_mode = False | (BoolOpt) Indicate whether svc driver is compatible for NPIV setup. If it is compatible, it will allow no wwpns being returned on get_conn_fc_wwpns during initialize_connection
storwize_svc_stretched_cluster_partner = None | (StrOpt) If operating in stretched cluster mode, specify the name of the pool in which mirrored copies are stored. Example: "pool2"
storwize_svc_vol_autoexpand = True | (BoolOpt) Storage system autoexpand parameter for volumes (True/False)
storwize_svc_vol_compression = False | (BoolOpt) Storage system compression option for volumes
storwize_svc_vol_easytier = True | (BoolOpt) Enable Easy Tier for volumes
storwize_svc_vol_grainsize = 256 | (IntOpt) Storage system grain size parameter for volumes (32/64/128/256)
storwize_svc_vol_iogrp = 0 | (IntOpt) The I/O group in which to allocate volumes
storwize_svc_vol_rsize = 2 | (IntOpt) Storage system space-efficiency parameter for volumes (percentage)
storwize_svc_vol_warning = 0 | (IntOpt) Storage system threshold for volume capacity warnings (percentage)
storwize_svc_volpool_name = volpool | (StrOpt) Storage system storage pool for volumes
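
The constraints stated in the two tables and their footnotes can be checked before the volume service is started. The following check is an added example, not part of the OpenStack or IBM code; it reads the file with Python's configparser as a stand-in for the service's own option loading, and the sample file and the finding messages are constructed.

```python
import configparser

# Constructed sample of a Storwize/SVC back end in cinder.conf (illustrative values).
SAMPLE_CONF = """\
[DEFAULT]
san_ip = 192.0.2.10
san_login = openstack
san_password = example-password
san_private_key = /etc/cinder/storwize_id_rsa
storwize_svc_connection_protocol = iSCSI
storwize_svc_iscsi_chap_enabled = False
storwize_svc_flashcopy_timeout = 900
storwize_svc_vol_grainsize = 512
storwize_svc_vol_rsize = -1
"""

# Defaults from Table 1.13, applied when the file omits an option.
DEFAULTS = {
    "storwize_svc_connection_protocol": "iSCSI",
    "storwize_svc_iscsi_chap_enabled": "True",
    "storwize_svc_flashcopy_timeout": "120",
    "storwize_svc_vol_grainsize": "256",
    "storwize_svc_vol_rsize": "2",
    "storwize_svc_multihostmap_enabled": "True",
}


def load_options(text):
    """Parse [DEFAULT] with configparser (an assumption: a stand-in for oslo.config)."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    options = dict(DEFAULTS)
    options.update({k: v.strip() for k, v in parser.defaults().items()})
    return options


def as_bool(value):
    return value.strip().lower() in ("true", "1", "yes", "on")


def as_int(options, name, findings):
    """Return the option as an int, or record a finding and return None."""
    try:
        return int(options[name])
    except ValueError:
        findings.append(("error", name, "not an integer: %r" % options[name]))
        return None


def audit_storwize(options):
    """Return (severity, option, message) tuples for rules stated in the tables."""
    findings = []
    for name in ("san_ip", "san_login"):
        if not options.get(name):
            findings.append(("error", name, "required option is not set"))

    # Footnote a: a password or a key is required; the key wins if both are set.
    has_password = bool(options.get("san_password"))
    has_key = bool(options.get("san_private_key"))
    if not has_password and not has_key:
        findings.append(("error", "san_password",
                         "set san_password or san_private_key"))
    elif has_password and has_key:
        findings.append(("warning", "san_password",
                         "unused: the driver authenticates with san_private_key"))

    protocol = options["storwize_svc_connection_protocol"]
    if protocol not in ("iSCSI", "FC"):
        findings.append(("error", "storwize_svc_connection_protocol",
                         "must be iSCSI or FC, got %r" % protocol))
    elif protocol == "iSCSI" and not as_bool(
            options["storwize_svc_iscsi_chap_enabled"]):
        findings.append(("warning", "storwize_svc_iscsi_chap_enabled",
                         "CHAP authentication for iSCSI connections is off"))

    # Footnote f: the driver accepts at most 600 seconds.
    timeout = as_int(options, "storwize_svc_flashcopy_timeout", findings)
    if timeout is not None and timeout > 600:
        findings.append(("error", "storwize_svc_flashcopy_timeout",
                         "exceeds the 600 second maximum"))

    grain = as_int(options, "storwize_svc_vol_grainsize", findings)
    if grain is not None and grain not in (32, 64, 128, 256):
        findings.append(("error", "storwize_svc_vol_grainsize",
                         "must be 32, 64, 128 or 256 (KB)"))

    # Footnote b: -1 requests fully allocated volumes, otherwise a percentage.
    rsize = as_int(options, "storwize_svc_vol_rsize", findings)
    if rsize is not None and rsize != -1 and not 0 <= rsize <= 100:
        findings.append(("error", "storwize_svc_vol_rsize",
                         "must be -1 or a percentage"))

    # Footnote h: False gives added safety when multi-host mapping is not needed.
    if as_bool(options["storwize_svc_multihostmap_enabled"]):
        findings.append(("info", "storwize_svc_multihostmap_enabled",
                         "vdisks may be mapped to more than one host"))
    return findings


if __name__ == "__main__":
    for severity, option, message in audit_storwize(load_options(SAMPLE_CONF)):
        print("%-7s %s: %s" % (severity, option, message))
```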

Placement with volume types


The IBM Storwize/SVC driver exposes capabilities that can be added to the extra specs
of volume types, and used by the filter scheduler to determine placement of new volumes.
Make sure to prefix these keys with capabilities: to indicate that the scheduler should
use them. The following extra specs are supported:
- capabilities:volume_backend_name - Specify a specific back-end where the volume
  should be created. The back-end name is a concatenation of the name of the IBM
  Storwize/SVC storage system as shown in lssystem, an underscore, and the name of the
  pool (mdisk group). For example:
  capabilities:volume_backend_name=myV7000_openstackpool


- capabilities:compression_support - Specify a back-end according to compression support.
  A value of True should be used to request a back-end that supports compression, and a
  value of False will request a back-end that does not support compression. If you do not
  have constraints on compression support, do not set this key. Note that specifying True
  does not enable compression; it only requests that the volume be placed on a back-end
  that supports compression. Example syntax:
  capabilities:compression_support='<is> True'
- capabilities:easytier_support - Similar semantics as the compression_support key, but
  for specifying according to support of the Easy Tier feature. Example syntax:
  capabilities:easytier_support='<is> True'
- capabilities:storage_protocol - Specifies the connection protocol used to attach volumes
  of this type to instances. Legal values are iSCSI and FC. This extra specs value is
  used for both placement and setting the protocol used for this volume. In the example
  syntax, note <in> is used as opposed to <is> used in the previous examples.
  capabilities:storage_protocol='<in> FC'

Configure per-volume creation options


Volume types can also be used to pass options to the IBM Storwize/SVC driver, which override the default values set in the configuration file. Contrary to the previous examples
where the "capabilities" scope was used to pass parameters to the Cinder scheduler, options
can be passed to the IBM Storwize/SVC driver with the "drivers" scope.
The following extra specs keys are supported by the IBM Storwize/SVC driver:
rsize
warning
autoexpand
grainsize
compression
easytier
multipath
iogrp
These keys have the same semantics as their counterparts in the configuration file. They are
set similarly; for example, rsize=2 or compression=False.

Example: Volume types


In the following example, we create a volume type to specify a controller that supports iSCSI and compression, to use iSCSI when attaching the volume, and to enable compression:
$ cinder type-create compressed
$ cinder type-key compressed set capabilities:storage_protocol='<in> iSCSI' \
    capabilities:compression_support='<is> True' drivers:compression=True


We can then create a 50GB volume using this type:


$ cinder create --display-name "compressed volume" --volume-type compressed 50

Volume types can be used, for example, to provide users with different:
- performance levels (such as allocating entirely on an HDD tier, using Easy Tier for an
  HDD-SSD mix, or allocating entirely on an SSD tier)
- resiliency levels (such as allocating volumes in pools with different RAID levels)
- features (such as enabling/disabling Real-time Compression)
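
The two scopes described under "Placement with volume types" and "Configure per-volume creation options" can be modelled together, which also shows what happens to a key whose scope is mistyped. This is an added example and a simplified model, not the Cinder scheduler or the driver: it assumes that <is> compares booleans and <in> tests for a substring, and every back end except myV7000_openstackpool, along with its reported capabilities, is constructed.

```python
# Config-file defaults from Table 1.13, keyed by the short "drivers:" name.
DRIVER_DEFAULTS = {
    "rsize": 2, "warning": 0, "autoexpand": True, "grainsize": 256,
    "compression": False, "easytier": True, "multipath": False, "iogrp": 0,
}

# Constructed back ends with the capabilities each one reports.
BACKENDS = {
    "myV7000_openstackpool": {"storage_protocol": "iSCSI",
                              "compression_support": True,
                              "easytier_support": True},
    "myV7000_fcpool": {"storage_protocol": "FC",
                       "compression_support": True,
                       "easytier_support": True},
    "oldSVC_pool1": {"storage_protocol": "iSCSI",
                     "compression_support": False,
                     "easytier_support": False},
}

# The "compressed" volume type from the example above.
COMPRESSED_TYPE = {
    "capabilities:storage_protocol": "<in> iSCSI",
    "capabilities:compression_support": "<is> True",
    "drivers:compression": "True",
}


def to_bool(value):
    return str(value).strip().lower() in ("true", "1", "yes", "on")


def split_scopes(extra_specs):
    """Separate scheduler requirements, driver overrides and everything else."""
    scheduler, driver, other = {}, {}, {}
    for key, value in extra_specs.items():
        scope, _, name = key.partition(":")
        if scope == "capabilities" and name:
            scheduler[name] = value
        elif scope == "drivers" and name:
            driver[name] = value
        else:
            # Unknown or mistyped scope: reported so a reviewer can catch it.
            other[key] = value
    return scheduler, driver, other


def satisfies(requirement, capability):
    """Evaluate one requirement string against a reported capability."""
    operator, _, operand = requirement.partition(" ")
    if operator == "<is>":
        return to_bool(capability) == to_bool(operand)
    if operator == "<in>":
        return operand.strip() in str(capability)
    return str(capability) == requirement


def candidate_backends(extra_specs, backends):
    """Names of back ends whose capabilities meet every scheduler requirement."""
    scheduler, _, _ = split_scopes(extra_specs)
    return sorted(
        name for name, caps in backends.items()
        if all(key in caps and satisfies(req, caps[key])
               for key, req in scheduler.items()))


def effective_options(extra_specs, defaults=DRIVER_DEFAULTS):
    """Configuration defaults with the type's "drivers:" overrides applied."""
    _, driver, _ = split_scopes(extra_specs)
    options = dict(defaults)
    for name, value in driver.items():
        if name not in defaults:
            raise ValueError("unsupported drivers: key %r" % name)
        if isinstance(defaults[name], bool):
            options[name] = to_bool(value)
        else:
            options[name] = int(value)
    return options


if __name__ == "__main__":
    print(candidate_backends(COMPRESSED_TYPE, BACKENDS))
    print(effective_options(COMPRESSED_TYPE))
```

In this model a key written as driver:compression lands in the third bucket, so the volume is placed as requested but created with the configuration-file default for compression.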

Operational notes for the Storwize family and SVC driver


Migrate volumes
In the context of OpenStack Block Storage's volume migration feature, the IBM Storwize/SVC driver enables the storage's virtualization technology. When migrating a volume
from one pool to another, the volume will appear in the destination pool almost immediately, while the storage moves the data in the background.

Note
To enable this feature, both pools involved in a given volume migration must
have the same values for extent_size. If the pools have different values for
extent_size, the data will still be moved directly between the pools (not
host-side copy), but the operation will be synchronous.

Extend volumes
The IBM Storwize/SVC driver allows for extending a volume's size, but only for volumes
without snapshots.

Snapshots and clones


Snapshots are implemented using FlashCopy with no background copy (space-efficient).
Volume clones (volumes created from existing volumes) are implemented with FlashCopy,
but with background copy enabled. This means that volume clones are independent, full
copies. While this background copy is taking place, attempting to delete or extend the
source volume will result in that operation waiting for the copy to complete.

Volume retype
The IBM Storwize/SVC driver enables you to modify volume types. When you modify volume types, you can also change these extra specs properties:
rsize
warning
autoexpand
grainsize
compression
easytier
iogrp

Note
When you change the rsize, grainsize or compression properties, volume copies are asynchronously synchronized on the array.

Note
To change the iogrp property, IBM Storwize/SVC firmware version 6.4.0 or later is required.

IBM XIV and DS8000 volume driver


The IBM Storage Driver for OpenStack is a Block Storage driver that supports IBM XIV and
IBM DS8000 storage systems over Fibre Channel and iSCSI.
Set the following in your cinder.conf, and use the following options to configure it.
volume_driver = cinder.volume.drivers.xiv_ds8k.XIVDS8KDriver

Table 1.14. Description of IBM XIV and DS8000 volume driver configuration options

Configuration option = Default value | Description
[DEFAULT]
san_clustername = | (StrOpt) Cluster name to use for creating volumes
san_ip = | (StrOpt) IP address of SAN controller
san_login = admin | (StrOpt) Username for SAN controller
san_password = | (StrOpt) Password for SAN controller
xiv_chap = disabled | (StrOpt) CHAP authentication mode, effective only for iscsi (disabled|enabled)
xiv_ds8k_connection_type = iscsi | (StrOpt) Connection type to the IBM Storage Array (fibre_channel|iscsi)
xiv_ds8k_proxy = xiv_ds8k_openstack.nova_proxy.XIVDS8KNovaProxy | (StrOpt) Proxy driver that connects to the IBM Storage Array

Note
To use the IBM Storage Driver for OpenStack you must download and install the package available at: http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=Enterprise%2BStorage%2BServers&product=ibm/Storage_Disk/XIV+Storage+System+%282810,+2812%29&release=All&platform=All&function=all
For full documentation refer to IBM's online documentation available at http://pic.dhe.ibm.com/infocenter/strhosts/ic/topic/com.ibm.help.strghosts.doc/nova-homepage.html.

LVM
The default volume back-end uses local volumes managed by LVM.
This driver supports different transport protocols to attach volumes, currently iSCSI and iSER.
Set the following in your cinder.conf, and use the following options to configure for
iSCSI transport:
volume_driver = cinder.volume.drivers.lvm.LVMISCSIDriver

and for the iSER transport:


volume_driver = cinder.volume.drivers.lvm.LVMISERDriver

Table 1.15. Description of LVM configuration options

Configuration option = Default value | Description
[DEFAULT]
lvm_mirrors = 0 | (IntOpt) If >0, create LVs with multiple mirrors. Note that this requires lvm_mirrors + 2 PVs with available space
lvm_type = default | (StrOpt) Type of LVM volumes to deploy; (default or thin)
volume_group = cinder-volumes | (StrOpt) Name for the VG that will contain exported volumes

NetApp unified driver


The NetApp unified driver is a block storage driver that supports multiple storage families
and protocols. A storage family corresponds to storage systems built on different NetApp
technologies such as clustered Data ONTAP, Data ONTAP operating in 7-Mode, and E-Series. The storage protocol refers to the protocol used to initiate data storage and access
operations on those storage systems like iSCSI and NFS. The NetApp unified driver can be
configured to provision and manage OpenStack volumes on a given storage family using a
specified storage protocol. The OpenStack volumes can then be used for accessing and storing data using the storage protocol on the storage family system. The NetApp unified driver is an extensible interface that can support new storage families and protocols.

NetApp clustered Data ONTAP storage family


The NetApp clustered Data ONTAP storage family represents a configuration group which
provides OpenStack compute instances access to clustered Data ONTAP storage systems. At
present it can be configured in OpenStack Block Storage to work with iSCSI and NFS storage protocols.

NetApp iSCSI configuration for clustered Data ONTAP


The NetApp iSCSI configuration for clustered Data ONTAP is an interface from OpenStack
to clustered Data ONTAP storage systems for provisioning and managing the SAN block
storage entity; that is, a NetApp LUN which can be accessed using the iSCSI protocol.
The iSCSI configuration for clustered Data ONTAP is a direct interface from OpenStack
Block Storage to the clustered Data ONTAP instance and as such does not require additional
management software to achieve the desired functionality. It uses NetApp APIs to interact
with the clustered Data ONTAP instance.

Configuration options for clustered Data ONTAP family with iSCSI protocol

Configure the volume driver, storage family and storage protocol to the NetApp unified
driver, clustered Data ONTAP, and iSCSI respectively by setting the volume_driver,
netapp_storage_family and netapp_storage_protocol options in
cinder.conf as follows:
volume_driver = cinder.volume.drivers.netapp.common.NetAppDriver
netapp_storage_family = ontap_cluster
netapp_storage_protocol = iscsi
netapp_vserver = openstack-vserver
netapp_server_hostname = myhostname
netapp_server_port = port
netapp_login = username
netapp_password = password

Note
To use the iSCSI protocol, you must override the default value of
netapp_storage_protocol with iscsi.

Table 1.16. Description of NetApp cDOT iSCSI driver configuration options

Configuration option = Default value | Description
[DEFAULT]
netapp_login = None | (StrOpt) Administrative user account name used to access the storage system or proxy server.
netapp_password = None | (StrOpt) Password for the administrative user account specified in the netapp_login option.
netapp_server_hostname = None | (StrOpt) The hostname (or IP address) for the storage system or proxy server.
netapp_server_port = 80 | (IntOpt) The TCP port to use for communication with the storage system or proxy server. Traditionally, port 80 is used for HTTP and port 443 is used for HTTPS; however, this value should be changed if an alternate port has been configured on the storage system or proxy server.
netapp_size_multiplier = 1.2 | (FloatOpt) The quantity to be multiplied by the requested volume size to ensure enough space is available on the virtual storage server (Vserver) to fulfill the volume creation request.
netapp_storage_family = ontap_cluster | (StrOpt) The storage family type used on the storage system; valid values are ontap_7mode for using Data ONTAP operating in 7-Mode, ontap_cluster for using clustered Data ONTAP, or eseries for using E-Series.
netapp_storage_protocol = None | (StrOpt) The storage protocol to be used on the data path with the storage system; valid values are iscsi or nfs.
netapp_transport_type = http | (StrOpt) The transport protocol used when communicating with the storage system or proxy server. Valid values are http or https.
netapp_vserver = None | (StrOpt) This option specifies the virtual storage server (Vserver) name on the storage cluster on which provisioning of block storage volumes should occur. If using the NFS storage protocol, this parameter is mandatory for storage service catalog support (utilized by Cinder volume type extra_specs support). If this option is specified, the exports belonging to the Vserver will only be used for provisioning in the future. Block storage volumes on exports not belonging to the Vserver specified by this option will continue to function normally.

Note
If you specify an account in the netapp_login that only has virtual storage
server (Vserver) administration privileges (rather than cluster-wide administration privileges), some advanced features of the NetApp unified driver will not
work and you may see warnings in the OpenStack Block Storage logs.

Tip
For more information on these options and other deployment and operational
scenarios, visit the OpenStack NetApp community.
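
The netapp_transport_type default of http means that the management connection authenticated with netapp_login and netapp_password is not encrypted unless the option is changed. The following check over the options in Table 1.16 is an added example, not part of the OpenStack or NetApp code; it reads the file with Python's configparser as a stand-in for the service's own option loading, and the sample file and the finding messages are constructed.

```python
import configparser

# Constructed cinder.conf fragment modelled on the sample above (illustrative values).
SAMPLE_CONF = """\
[DEFAULT]
volume_driver = cinder.volume.drivers.netapp.common.NetAppDriver
netapp_storage_family = ontap_cluster
netapp_storage_protocol = nfs
netapp_server_hostname = myhostname
netapp_server_port = 80
netapp_login = username
netapp_password = password
"""

# Defaults from Table 1.16 for options the file may omit.
DEFAULTS = {
    "netapp_storage_family": "ontap_cluster",
    "netapp_transport_type": "http",
    "netapp_server_port": "80",
}
# "Traditionally, port 80 is used for HTTP and port 443 is used for HTTPS".
TRADITIONAL_PORT = {"http": 80, "https": 443}


def load_netapp_options(text):
    """Parse [DEFAULT] with configparser (an assumption: a stand-in for oslo.config)."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    options = dict(DEFAULTS)
    options.update({k: v.strip() for k, v in parser.defaults().items()})
    return options


def audit_netapp(options):
    """Return (severity, option, message) tuples for the NetApp unified driver."""
    findings = []
    for name in ("netapp_server_hostname", "netapp_login", "netapp_password"):
        if not options.get(name):
            findings.append(("error", name, "option is not set"))

    family = options["netapp_storage_family"]
    if family not in ("ontap_7mode", "ontap_cluster", "eseries"):
        findings.append(("error", "netapp_storage_family",
                         "unknown value %r" % family))

    protocol = options.get("netapp_storage_protocol")
    if protocol not in ("iscsi", "nfs"):
        findings.append(("error", "netapp_storage_protocol",
                         "default is None; set it to iscsi or nfs"))

    transport = options["netapp_transport_type"]
    port = options["netapp_server_port"]
    if transport not in TRADITIONAL_PORT:
        findings.append(("error", "netapp_transport_type",
                         "must be http or https, got %r" % transport))
    elif transport == "http":
        findings.append(("warning", "netapp_transport_type",
                         "management calls and credentials are not encrypted"))
    if not port.isdigit():
        findings.append(("error", "netapp_server_port",
                         "not a port number: %r" % port))
    elif transport in TRADITIONAL_PORT:
        other = "https" if transport == "http" else "http"
        if int(port) == TRADITIONAL_PORT[other]:
            findings.append(("warning", "netapp_server_port",
                             "port %s is the traditional %s port but the "
                             "transport is %s" % (port, other, transport)))

    if (family == "ontap_cluster" and protocol == "nfs"
            and not options.get("netapp_vserver")):
        findings.append(("warning", "netapp_vserver",
                         "mandatory for storage service catalog support with NFS"))
    return findings


if __name__ == "__main__":
    for severity, option, message in audit_netapp(load_netapp_options(SAMPLE_CONF)):
        print("%-7s %s: %s" % (severity, option, message))
```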

NetApp NFS configuration for clustered Data ONTAP


The NetApp NFS configuration for clustered Data ONTAP is an interface from OpenStack to
a clustered Data ONTAP system for provisioning and managing OpenStack volumes on NFS
exports provided by the clustered Data ONTAP system that are accessed using the NFS protocol.
The NFS configuration for clustered Data ONTAP is a direct interface from OpenStack Block
Storage to the clustered Data ONTAP instance and as such does not require any additional
management software to achieve the desired functionality. It uses NetApp APIs to interact
with the clustered Data ONTAP instance.

Configuration options for the clustered Data ONTAP family with NFS protocol

Configure the volume driver, storage family, and storage protocol to NetApp unified
driver, clustered Data ONTAP, and NFS respectively by setting the volume_driver,
netapp_storage_family and netapp_storage_protocol options in
cinder.conf as follows:
volume_driver = cinder.volume.drivers.netapp.common.NetAppDriver
netapp_storage_family = ontap_cluster
netapp_storage_protocol = nfs
netapp_vserver = openstack-vserver
netapp_server_hostname = myhostname
netapp_server_port = port
netapp_login = username
netapp_password = password
nfs_shares_config = /etc/cinder/nfs_shares

Table 1.17. Description of NetApp cDOT NFS driver configuration options

Configuration option = Default value | Description
[DEFAULT]
expiry_thres_minutes = 720 | (IntOpt) This option specifies the threshold for last access time for images in the NFS image cache. When a cache cleaning cycle begins, images in the cache that have not been accessed in the last M minutes, where M is the value of this parameter, will be deleted from the cache to create free space on the NFS share.
netapp_copyoffload_tool_path = None | (StrOpt) This option specifies the path of the NetApp copy offload tool binary. Ensure that the binary has execute permissions set which allow the effective user of the cinder-volume process to execute the file.
netapp_login = None | (StrOpt) Administrative user account name used to access the storage system or proxy server.
netapp_password = None | (StrOpt) Password for the administrative user account specified in the netapp_login option.
netapp_server_hostname = None | (StrOpt) The hostname (or IP address) for the storage system or proxy server.
netapp_server_port = 80 | (IntOpt) The TCP port to use for communication with the storage system or proxy server. Traditionally, port 80 is used for HTTP and port 443 is used for HTTPS; however, this value should be changed if an alternate port has been configured on the storage system or proxy server.
netapp_storage_family = ontap_cluster | (StrOpt) The storage family type used on the storage system; valid values are ontap_7mode for using Data ONTAP operating in 7-Mode, ontap_cluster for using clustered Data ONTAP, or eseries for using E-Series.
netapp_storage_protocol = None | (StrOpt) The storage protocol to be used on the data path with the storage system; valid values are iscsi or nfs.
netapp_transport_type = http | (StrOpt) The transport protocol used when communicating with the storage system or proxy server. Valid values are http or https.
netapp_vserver = None | (StrOpt) This option specifies the virtual storage server (Vserver) name on the storage cluster on which provisioning of block storage volumes should occur. If using the NFS storage protocol, this parameter is mandatory for storage service catalog support (utilized by Cinder volume type extra_specs support). If this option is specified, the exports belonging to the Vserver will only be used for provisioning in the future. Block storage volumes on exports not belonging to the Vserver specified by this option will continue to function normally.
thres_avl_size_perc_start = 20 | (IntOpt) If the percentage of available space for an NFS share has dropped below the value specified by this option, the NFS image cache will be cleaned.
thres_avl_size_perc_stop = 60 | (IntOpt) When the percentage of available space on an NFS share has reached the percentage specified by this option, the driver will stop clearing files from the NFS image cache that have not been accessed in the last M minutes, where M is the value of the expiry_thres_minutes configuration option.

Note
Additional NetApp NFS configuration options are shared with the generic NFS
driver. These options can be found here: Table 1.24, Description of NFS storage configuration options.

Note
If you specify an account in the netapp_login that only has virtual storage
server (Vserver) administration privileges (rather than cluster-wide administration
privileges), some advanced features of the NetApp unified driver will not
work and you may see warnings in the OpenStack Block Storage logs.

NetApp NFS Copy Offload client

A feature was added in the Icehouse release of the NetApp unified driver that enables Image Service images to be efficiently copied to a destination Block Storage volume. When
the Block Storage and Image Service are configured to use the NetApp NFS Copy Offload
client, a controller-side copy will be attempted before reverting to downloading the image
from the Image Service. This improves image provisioning times while reducing the consumption of bandwidth and CPU cycles on the host(s) running the Image and Block Storage
services. This is due to the copy operation being performed completely within the storage
cluster.
The NetApp NFS Copy Offload client can be used in either of the following scenarios:
- The Image Service is configured to store images in an NFS share that is exported from a
  NetApp FlexVol volume and the destination for the new Block Storage volume will be on
  an NFS share exported from a different FlexVol volume than the one used by the Image
  Service. Both FlexVols must be located within the same cluster.
- The source image from the Image Service has already been cached in an NFS image cache
  within a Block Storage backend. The cached image resides on a different FlexVol volume
  than the destination for the new Block Storage volume. Both FlexVols must be located
  within the same cluster.

To use this feature, you must configure the Image Service, as follows:
- Set the default_store configuration option to file.
- Set the filesystem_store_datadir configuration option to the path to the Image
  Service NFS export.
- Set the show_image_direct_url configuration option to True.
- Set the show_multiple_locations configuration option to True.
- Set the filesystem_store_metadata_file configuration option to a metadata
  file. The metadata file should contain a JSON object that contains the correct information
  about the NFS export used by the Image Service, similar to:
{
"share_location": "nfs://192.168.0.1/myGlanceExport",
"mount_point": "/var/lib/glance/images",
"type": "nfs"
}

To use this feature, you must configure the Block Storage service, as follows:
- Set the netapp_copyoffload_tool_path configuration option to the path to the
  NetApp Copy Offload binary.
- Set the glance_api_version configuration option to 2.

Important
This feature requires that:
- The storage system must have Data ONTAP v8.2 or greater installed.
- The vStorage feature must be enabled on each storage virtual machine (SVM,
  also known as a Vserver) that is permitted to interact with the copy offload
  client.
- To configure the copy offload workflow, enable NFS v4.0 or greater and export it from the SVM.

Tip
To download the NetApp copy offload binary to be utilized in conjunction with
the netapp_copyoffload_tool_path configuration option, please visit the
Utility Toolchest page at the NetApp Support portal (login is required).

Tip
For more information on these options and other deployment and operational
scenarios, visit the OpenStack NetApp community.

NetApp-supported extra specs for clustered Data ONTAP


Extra specs enable vendors to specify extra filter criteria that the Block Storage scheduler
uses when it determines which volume node should fulfill a volume provisioning request.
When you use the NetApp unified driver with a clustered Data ONTAP storage system, you
can leverage extra specs with OpenStack Block Storage volume types to ensure that OpenStack
Block Storage volumes are created on storage back ends that have certain properties,
for example, back ends on which you have configured QoS, mirroring, or compression.
Extra specs are associated with OpenStack Block Storage volume types, so that when users
request volumes of a particular volume type, the volumes are created on storage back ends
that meet the list of requirements, for example, back ends that have the available space or
extra specs. You can use the specs in the following table when you define OpenStack Block
Storage volume types by using the cinder type-key command.

Table 1.18. Description of extra specs options for NetApp Unified Driver with Clustered Data ONTAP

Extra spec | Type | Description
netapp_raid_type | String | Limit the candidate volume list based on one of the following raid types: raid4, raid_dp.
netapp_disk_type | String | Limit the candidate volume list based on one of the following disk types: ATA, BSAS, EATA, FCAL, FSAS, LUN, MSATA, SAS, SATA, SCSI, XATA, XSAS, or SSD.
netapp:qos_policy_group [a] | String | Specify the name of a QoS policy group, which defines measurable Service Level Objectives, that should be applied to the OpenStack Block Storage volume at the time of volume creation. Ensure that the QoS policy group object within Data ONTAP is defined before an OpenStack Block Storage volume is created, and that the QoS policy group is not associated with the destination FlexVol volume.
netapp_mirrored | Boolean | Limit the candidate volume list to only the ones that are mirrored on the storage controller.
netapp_unmirrored [b] | Boolean | Limit the candidate volume list to only the ones that are not mirrored on the storage controller.
netapp_dedup | Boolean | Limit the candidate volume list to only the ones that have deduplication enabled on the storage controller.
netapp_nodedup [b] | Boolean | Limit the candidate volume list to only the ones that have deduplication disabled on the storage controller.
netapp_compression | Boolean | Limit the candidate volume list to only the ones that have compression enabled on the storage controller.
netapp_nocompression [b] | Boolean | Limit the candidate volume list to only the ones that have compression disabled on the storage controller.
netapp_thin_provisioned | Boolean | Limit the candidate volume list to only the ones that support thin provisioning on the storage controller.
netapp_thick_provisioned [b] | Boolean | Limit the candidate volume list to only the ones that support thick provisioning on the storage controller.

a. Please note that this extra spec has a colon (:) in its name because it is used by the driver to assign the QoS policy group to the OpenStack Block Storage volume after it has been provisioned.
b. In the Juno release, these negative-assertion extra specs are formally deprecated by the NetApp unified driver. Instead of using the deprecated negative-assertion extra specs (for example, netapp_unmirrored) with a value of true, use the corresponding positive-assertion extra spec (for example, netapp_mirrored) with a value of false.

NetApp Data ONTAP operating in 7-Mode storage family


The NetApp Data ONTAP operating in 7-Mode storage family represents a configuration
group which provides OpenStack compute instances access to 7-Mode storage systems. At
present it can be configured in OpenStack Block Storage to work with iSCSI and NFS storage protocols.

NetApp iSCSI configuration for Data ONTAP operating in 7-Mode


The NetApp iSCSI configuration for Data ONTAP operating in 7-Mode is an interface from
OpenStack to Data ONTAP operating in 7-Mode storage systems for provisioning and managing the SAN block storage entity, that is, a LUN which can be accessed using iSCSI protocol.
The iSCSI configuration for Data ONTAP operating in 7-Mode is a direct interface from
OpenStack to Data ONTAP operating in 7-Mode storage system and it does not require additional management software to achieve the desired functionality. It uses NetApp ONTAPI
to interact with the Data ONTAP operating in 7-Mode storage system.

Configuration options for the Data ONTAP operating in 7-Mode storage family with iSCSI protocol

Configure the volume driver, storage family and storage protocol to the NetApp unified driver, Data ONTAP operating in 7-Mode, and iSCSI respectively by setting the
volume_driver, netapp_storage_family and netapp_storage_protocol options in cinder.conf as follows:
volume_driver = cinder.volume.drivers.netapp.common.NetAppDriver
netapp_storage_family = ontap_7mode
netapp_storage_protocol = iscsi
netapp_server_hostname = myhostname
netapp_server_port = 80
netapp_login = username
netapp_password = password


Note
To use the iSCSI protocol, you must override the default value of
netapp_storage_protocol with iscsi.

Table 1.19. Description of NetApp 7-Mode iSCSI driver configuration options

Configuration option = Default value | Description
[DEFAULT]
netapp_login = None | (StrOpt) Administrative user account name used to access the storage system or proxy server.
netapp_password = None | (StrOpt) Password for the administrative user account specified in the netapp_login option.
netapp_server_hostname = None | (StrOpt) The hostname (or IP address) for the storage system or proxy server.
netapp_server_port = 80 | (IntOpt) The TCP port to use for communication with the storage system or proxy server. Traditionally, port 80 is used for HTTP and port 443 is used for HTTPS; however, this value should be changed if an alternate port has been configured on the storage system or proxy server.
netapp_size_multiplier = 1.2 | (FloatOpt) The quantity to be multiplied by the requested volume size to ensure enough space is available on the virtual storage server (Vserver) to fulfill the volume creation request.
netapp_storage_family = ontap_cluster | (StrOpt) The storage family type used on the storage system; valid values are ontap_7mode for using Data ONTAP operating in 7-Mode, ontap_cluster for using clustered Data ONTAP, or eseries for using E-Series.
netapp_storage_protocol = None | (StrOpt) The storage protocol to be used on the data path with the storage system; valid values are iscsi or nfs.
netapp_transport_type = http | (StrOpt) The transport protocol used when communicating with the storage system or proxy server. Valid values are http or https.
netapp_vfiler = None | (StrOpt) The vFiler unit on which provisioning of block storage volumes will be done. This option is only used by the driver when connecting to an instance with a storage family of Data ONTAP operating in 7-Mode and the storage protocol selected is iSCSI. Only use this option when utilizing the MultiStore feature on the NetApp storage system.
netapp_volume_list = None | (StrOpt) This option is only utilized when the storage protocol is configured to use iSCSI. This option is used to restrict provisioning to the specified controller volumes. Specify the value of this option to be a comma separated list of NetApp controller volume names to be used for provisioning.

Tip
For more information on these options and other deployment and operational
scenarios, visit the OpenStack NetApp community.

NetApp NFS configuration for Data ONTAP operating in 7-Mode


The NetApp NFS configuration for Data ONTAP operating in 7-Mode is an interface from
OpenStack to Data ONTAP operating in 7-Mode storage system for provisioning and managing OpenStack volumes on NFS exports provided by the Data ONTAP operating in 7-Mode storage system which can then be accessed using NFS protocol.
The NFS configuration for Data ONTAP operating in 7-Mode is a direct interface from
OpenStack Block Storage to the Data ONTAP operating in 7-Mode instance and as such
does not require any additional management software to achieve the desired functionality.
It uses NetApp ONTAPI to interact with the Data ONTAP operating in 7-Mode storage system.
Configuration options for the Data ONTAP operating in 7-Mode family with NFS protocol

Configure the volume driver, storage family, and storage protocol to the NetApp unified driver, Data ONTAP operating in 7-Mode, and NFS respectively by setting the
volume_driver, netapp_storage_family and netapp_storage_protocol options in cinder.conf as follows:
volume_driver = cinder.volume.drivers.netapp.common.NetAppDriver
netapp_storage_family = ontap_7mode
netapp_storage_protocol = nfs
netapp_server_hostname = myhostname
netapp_server_port = 80
netapp_login = username
netapp_password = password
nfs_shares_config = /etc/cinder/nfs_shares

Table 1.20. Description of NetApp 7-Mode NFS driver configuration options

Configuration option = Default value
Description

[DEFAULT]

expiry_thres_minutes = 720
(IntOpt) This option specifies the threshold for last access time for images in the NFS image cache. When a cache cleaning cycle begins, images in the cache that have not been accessed in the last M minutes, where M is the value of this parameter, will be deleted from the cache to create free space on the NFS share.

netapp_login = None
(StrOpt) Administrative user account name used to access the storage system or proxy server.

netapp_password = None
(StrOpt) Password for the administrative user account specified in the netapp_login option.

netapp_server_hostname = None
(StrOpt) The hostname (or IP address) for the storage system or proxy server.

netapp_server_port = 80
(IntOpt) The TCP port to use for communication with the storage system or proxy server. Traditionally, port 80 is used for HTTP and port 443 is used for HTTPS; however, this value should be changed if an alternate port has been configured on the storage system or proxy server.

netapp_storage_family = ontap_cluster
(StrOpt) The storage family type used on the storage system; valid values are ontap_7mode for using Data ONTAP operating in 7-Mode, ontap_cluster for using clustered Data ONTAP, or eseries for using E-Series.

netapp_storage_protocol = None
(StrOpt) The storage protocol to be used on the data path with the storage system; valid values are iscsi or nfs.

netapp_transport_type = http
(StrOpt) The transport protocol used when communicating with the storage system or proxy server. Valid values are http or https.

thres_avl_size_perc_start = 20
(IntOpt) If the percentage of available space for an NFS share has dropped below the value specified by this option, the NFS image cache will be cleaned.

thres_avl_size_perc_stop = 60
(IntOpt) When the percentage of available space on an NFS share has reached the percentage specified by this option, the driver will stop clearing files from the NFS image cache that have not been accessed in the last M minutes, where M is the value of the expiry_thres_minutes configuration option.

Note
Additional NetApp NFS configuration options are shared with the generic NFS
driver. For a description of these, see Table 1.24, Description of NFS storage
configuration options.

Tip
For more information on these options and other deployment and operational
scenarios, visit the OpenStack NetApp community.

NetApp E-Series storage family


The NetApp E-Series storage family represents a configuration group which provides OpenStack compute instances access to E-Series storage systems. At present it can be configured
in OpenStack Block Storage to work with the iSCSI storage protocol.

NetApp iSCSI configuration for E-Series


The NetApp iSCSI configuration for E-Series is an interface from OpenStack to E-Series storage systems for provisioning and managing the SAN block storage entity; that is, a NetApp
LUN which can be accessed using the iSCSI protocol.
The iSCSI configuration for E-Series is an interface from OpenStack Block Storage to the E-Series proxy instance and as such requires the deployment of the proxy instance in order
to achieve the desired functionality. The driver uses REST APIs to interact with the E-Series
proxy instance, which in turn interacts directly with the E-Series controllers.
The use of multipath and DM-MP is required when using the OpenStack Block Storage
driver for E-Series. In order for OpenStack Block Storage and OpenStack Compute to take
advantage of multiple paths, the following configuration options must be correctly configured:
The use_multipath_for_image_xfer option should be set to True in the
cinder.conf file within the driver-specific stanza (for example, [myDriver]).
The iscsi_use_multipath option should be set to True in the nova.conf file within the [libvirt] stanza.
Configuration options for E-Series storage family with iSCSI protocol

Configure the volume driver, storage family, and storage protocol to the NetApp
unified driver, E-Series, and iSCSI respectively by setting the volume_driver,
netapp_storage_family and netapp_storage_protocol options in
cinder.conf as follows:
volume_driver = cinder.volume.drivers.netapp.common.NetAppDriver
netapp_storage_family = eseries
netapp_storage_protocol = iscsi
netapp_server_hostname = myhostname
netapp_server_port = 80
netapp_login = username
netapp_password = password
netapp_controller_ips = 1.2.3.4,5.6.7.8
netapp_sa_password = arrayPassword
netapp_storage_pools = pool1,pool2
use_multipath_for_image_xfer = True

Note
To use the E-Series driver, you must override the default value of
netapp_storage_family with eseries.

Note
To use the iSCSI protocol, you must override the default value of
netapp_storage_protocol with iscsi.

Table 1.21. Description of NetApp E-Series driver configuration options

Configuration option = Default value
Description

[DEFAULT]

netapp_controller_ips = None
(StrOpt) This option is only utilized when the storage family is configured to eseries. This option is used to restrict provisioning to the specified controllers. Specify the value of this option to be a comma separated list of controller hostnames or IP addresses to be used for provisioning.

netapp_login = None
(StrOpt) Administrative user account name used to access the storage system or proxy server.

netapp_password = None
(StrOpt) Password for the administrative user account specified in the netapp_login option.

netapp_sa_password = None
(StrOpt) Password for the NetApp E-Series storage array.

netapp_server_hostname = None
(StrOpt) The hostname (or IP address) for the storage system or proxy server.

netapp_server_port = 80
(IntOpt) The TCP port to use for communication with the storage system or proxy server. Traditionally, port 80 is used for HTTP and port 443 is used for HTTPS; however, this value should be changed if an alternate port has been configured on the storage system or proxy server.

netapp_storage_family = ontap_cluster
(StrOpt) The storage family type used on the storage system; valid values are ontap_7mode for using Data ONTAP operating in 7-Mode, ontap_cluster for using clustered Data ONTAP, or eseries for using E-Series.

netapp_storage_pools = None
(StrOpt) This option is used to restrict provisioning to the specified storage pools. Only dynamic disk pools are currently supported. Specify the value of this option to be a comma separated list of disk pool names to be used for provisioning.

netapp_transport_type = http
(StrOpt) The transport protocol used when communicating with the storage system or proxy server. Valid values are http or https.

netapp_webservice_path = /devmgr/v2
(StrOpt) This option is used to specify the path to the E-Series proxy application on a proxy server. The value is combined with the value of the netapp_transport_type, netapp_server_hostname, and netapp_server_port options to create the URL used by the driver to connect to the proxy application.

Tip
For more information on these options and other deployment and operational
scenarios, visit the OpenStack NetApp community.
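
The NetApp option tables above leave netapp_transport_type at http and netapp_server_port at 80 unless overridden, and the E-Series text requires use_multipath_for_image_xfer in the back-end stanza. The following Python is an added example, not part of the original reference or of the cinder code base; it checks each NetApp stanza of a cinder.conf for those settings and rebuilds the management URL the way the netapp_webservice_path description states. The stanza names, host names and the function names endpoint and audit are constructed for illustration.

```python
import configparser

NETAPP_DRIVER = "cinder.volume.drivers.netapp.common.NetAppDriver"
# Defaults as listed in the NetApp option tables of this reference.
DEFAULTS = {
    "netapp_transport_type": "http",
    "netapp_server_port": "80",
    "netapp_storage_family": "ontap_cluster",
    "netapp_webservice_path": "/devmgr/v2",
}

# Constructed sample input: stanza names and host names are placeholders.
SAMPLE_CONF = """
[DEFAULT]
enabled_backends = eseries-1,sevenmode-1

[eseries-1]
volume_driver = cinder.volume.drivers.netapp.common.NetAppDriver
netapp_storage_family = eseries
netapp_storage_protocol = iscsi
netapp_server_hostname = proxy.example.test
netapp_login = username
netapp_password = password

[sevenmode-1]
volume_driver = cinder.volume.drivers.netapp.common.NetAppDriver
netapp_storage_family = ontap_7mode
netapp_storage_protocol = iscsi
netapp_server_hostname = filer.example.test
netapp_server_port = 443
netapp_transport_type = https
netapp_login = username
netapp_password = password
"""


def endpoint(opts):
    """Build the management URL from transport type, hostname and port."""
    url = "%s://%s:%s" % (
        opts["netapp_transport_type"].lower(),
        opts.get("netapp_server_hostname", "UNSET"),
        opts["netapp_server_port"],
    )
    if opts["netapp_storage_family"] == "eseries":
        url += opts["netapp_webservice_path"]  # path to the E-Series proxy application
    return url


def audit(conf_text):
    """Return {stanza: {"url": ..., "findings": [...]}} for NetApp back ends."""
    # Rename the default section so [DEFAULT] is not merged into every stanza.
    parser = configparser.ConfigParser(interpolation=None,
                                       default_section="__unused__")
    parser.read_string(conf_text)
    report = {}
    for name in parser.sections():
        if parser[name].get("volume_driver") != NETAPP_DRIVER:
            continue
        opts = dict(DEFAULTS, **dict(parser[name]))
        scheme = opts["netapp_transport_type"].lower()
        port = int(opts["netapp_server_port"])
        findings = []
        if "netapp_server_hostname" not in opts:
            findings.append("netapp_server_hostname is not set")
        if scheme == "http":
            findings.append("netapp_transport_type is http: the management "
                            "session, including the login, is unencrypted")
        if (scheme, port) in (("https", 80), ("http", 443)):
            findings.append("port %d is unusual for %s" % (port, scheme))
        multipath = opts.get("use_multipath_for_image_xfer", "False")
        if opts["netapp_storage_family"] == "eseries" and multipath.lower() != "true":
            findings.append("use_multipath_for_image_xfer is not True")
        report[name] = {"url": endpoint(opts), "findings": findings}
    return report


if __name__ == "__main__":
    for stanza, result in audit(SAMPLE_CONF).items():
        print(stanza, result["url"])
        for finding in result["findings"]:
            print("  -", finding)
```
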

Upgrading prior NetApp drivers to the NetApp unified driver


NetApp introduced a new unified block storage driver in Havana for configuring different
storage families and storage protocols. This requires defining an upgrade path for NetApp
drivers which existed in releases prior to Havana. This section covers the upgrade configuration for NetApp drivers to the new unified configuration and a list of deprecated NetApp
drivers.

Upgraded NetApp drivers


This section describes how to update OpenStack Block Storage configuration from a pre-Havana release to the unified driver format.
Driver upgrade configuration

1. NetApp iSCSI direct driver for Clustered Data ONTAP in Grizzly (or earlier).
volume_driver = cinder.volume.drivers.netapp.iscsi.NetAppDirectCmodeISCSIDriver

NetApp unified driver configuration.


volume_driver = cinder.volume.drivers.netapp.common.NetAppDriver
netapp_storage_family = ontap_cluster
netapp_storage_protocol = iscsi

2. NetApp NFS direct driver for Clustered Data ONTAP in Grizzly (or earlier).
volume_driver = cinder.volume.drivers.netapp.nfs.NetAppDirectCmodeNfsDriver

NetApp unified driver configuration.


volume_driver = cinder.volume.drivers.netapp.common.NetAppDriver
netapp_storage_family = ontap_cluster
netapp_storage_protocol = nfs

3. NetApp iSCSI direct driver for Data ONTAP operating in 7-Mode storage controller in
Grizzly (or earlier)
volume_driver = cinder.volume.drivers.netapp.iscsi.NetAppDirect7modeISCSIDriver

NetApp unified driver configuration


volume_driver = cinder.volume.drivers.netapp.common.NetAppDriver
netapp_storage_family = ontap_7mode
netapp_storage_protocol = iscsi

4. NetApp NFS direct driver for Data ONTAP operating in 7-Mode storage controller in Grizzly (or earlier)
volume_driver = cinder.volume.drivers.netapp.nfs.NetAppDirect7modeNfsDriver

NetApp unified driver configuration


volume_driver = cinder.volume.drivers.netapp.common.NetAppDriver
netapp_storage_family = ontap_7mode
netapp_storage_protocol = nfs

Deprecated NetApp drivers


This section lists the NetApp drivers in earlier releases that are deprecated in Havana.
1. NetApp iSCSI driver for clustered Data ONTAP.
volume_driver = cinder.volume.drivers.netapp.iscsi.NetAppCmodeISCSIDriver

2. NetApp NFS driver for clustered Data ONTAP.


volume_driver = cinder.volume.drivers.netapp.nfs.NetAppCmodeNfsDriver

3. NetApp iSCSI driver for Data ONTAP operating in 7-Mode storage controller.
volume_driver = cinder.volume.drivers.netapp.iscsi.NetAppISCSIDriver

4. NetApp NFS driver for Data ONTAP operating in 7-Mode storage controller.
volume_driver = cinder.volume.drivers.netapp.nfs.NetAppNFSDriver

Note
See the OpenStack NetApp community for support information on deprecated
NetApp drivers in the Havana release.

Nexenta drivers
NexentaStor Appliance is a NAS/SAN software platform designed for building reliable and
fast network storage arrays. The Nexenta Storage Appliance uses ZFS as a disk management system. NexentaStor can serve as a storage node for OpenStack and its virtual
servers through iSCSI and NFS protocols.
With the NFS option, every Compute volume is represented by a directory designated to be
its own file system in the ZFS file system. These file systems are exported using NFS.
With either option some minimal setup is required to tell OpenStack which NexentaStor
servers are being used, whether they are supporting iSCSI and/or NFS and how to access
each of the servers.
Typically the only operation required on the NexentaStor servers is to create the containing directory for the iSCSI or NFS exports. For NFS this containing directory must be explicitly exported via NFS. There is no software that must be installed on the NexentaStor servers;
they are controlled using existing management plane interfaces.

Nexenta iSCSI driver


The Nexenta iSCSI driver allows you to use a NexentaStor appliance to store Compute
volumes. Every Compute volume is represented by a single zvol in a predefined Nexenta
namespace. For every new volume the driver creates an iSCSI target and iSCSI target group
that are used to access it from compute hosts.
The Nexenta iSCSI volume driver should work with all versions of NexentaStor. The NexentaStor appliance must be installed and configured according to the relevant Nexenta documentation. A pool and an enclosing namespace must be created for all iSCSI volumes to be
accessed through the volume driver. This should be done as specified in the release specific
NexentaStor documentation.
The NexentaStor Appliance iSCSI driver is selected using the normal procedures for one or
multiple back-end volume drivers. You must configure these items for each NexentaStor appliance that the iSCSI volume driver controls:

Enable the Nexenta iSCSI driver and related options


This table contains the options supported by the Nexenta iSCSI driver.

Table 1.22. Description of Nexenta iSCSI driver configuration options

Configuration option = Default value
Description

[DEFAULT]

nexenta_blocksize =
(StrOpt) Block size for volumes (default=blank means 8KB)

nexenta_host =
(StrOpt) IP address of Nexenta SA

nexenta_iscsi_target_portal_port = 3260
(IntOpt) Nexenta target portal port

nexenta_password = nexenta
(StrOpt) Password to connect to Nexenta SA

nexenta_rest_port = 2000
(IntOpt) HTTP port to connect to Nexenta REST API server

nexenta_rest_protocol = auto
(StrOpt) Use http or https for REST connection (default auto)

nexenta_rrmgr_compression = 0
(IntOpt) Enable stream compression, level 1..9. 1 - gives best speed; 9 - gives best compression.

nexenta_rrmgr_connections = 2
(IntOpt) Number of TCP connections.

nexenta_rrmgr_tcp_buf_size = 4096
(IntOpt) TCP Buffer size in KiloBytes.

nexenta_sparse = False
(BoolOpt) Enables or disables the creation of sparse volumes

nexenta_sparsed_volumes = True
(BoolOpt) Enables or disables the creation of volumes as sparsed files that take no space. If disabled (False), volume is created as a regular file, which takes a long time.

nexenta_target_group_prefix = cinder/
(StrOpt) Prefix for iSCSI target groups on SA

nexenta_target_prefix = iqn.1986-03.com.sun:02:cinder-
(StrOpt) IQN prefix for iSCSI targets

nexenta_user = admin
(StrOpt) User name to connect to Nexenta SA

nexenta_volume = cinder
(StrOpt) SA Pool that holds all volumes

To use Compute with the Nexenta iSCSI driver, first set the volume_driver:
volume_driver=cinder.volume.drivers.nexenta.iscsi.NexentaISCSIDriver

Then, set the nexenta_host parameter and other parameters from the table, if needed.

Nexenta NFS driver


The Nexenta NFS driver allows you to use a NexentaStor appliance to store Compute volumes
via NFS. Every Compute volume is represented by a single NFS file within a shared directory.
While the NFS protocols standardize file access for users, they do not standardize administrative actions such as taking snapshots or replicating file systems. The OpenStack Volume
Drivers bring a common interface to these operations. The Nexenta NFS driver implements
these standard actions using the ZFS management plane that already is deployed on NexentaStor appliances.
The Nexenta NFS volume driver should work with all versions of NexentaStor. The NexentaStor appliance must be installed and configured according to the relevant Nexenta documentation. A single-parent file system must be created for all virtual disk directories supported for OpenStack. This directory must be created and exported on each NexentaStor
appliance. This should be done as specified in the release specific NexentaStor documentation.

Enable the Nexenta NFS driver and related options


To use Compute with the Nexenta NFS driver, first set the volume_driver:
volume_driver = cinder.volume.drivers.nexenta.nfs.NexentaNfsDriver

The following table contains the options supported by the Nexenta NFS driver.

Table 1.23. Description of Nexenta NFS driver configuration options

Configuration option = Default value
Description

[DEFAULT]

nexenta_mount_point_base = $state_path/mnt
(StrOpt) Base directory that contains NFS share mount points

nexenta_nms_cache_volroot = True
(BoolOpt) If set True cache NexentaStor appliance volroot option value.

nexenta_shares_config = /etc/cinder/nfs_shares
(StrOpt) File with the list of available nfs shares

nexenta_volume_compression = on
(StrOpt) Default compression value for new ZFS folders.

Add your list of Nexenta NFS servers to the file you specified with the
nexenta_shares_config option. For example, if the value of this option was set to
/etc/cinder/nfs_shares, then:
# cat /etc/cinder/nfs_shares
192.168.1.200:/storage http://admin:[email protected]:2000
192.168.1.201:/storage http://admin:[email protected]:2000
192.168.1.202:/storage http://admin:[email protected]:2000

Comments are allowed in this file. They begin with a #.


Each line in this file represents a NFS share. The first part of the line is the NFS share URL,
the second is the connection URL to the NexentaStor Appliance.
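
Because each line of this file carries the appliance's user name and password inside the connection URL, the file deserves the same handling as any other credential store. The following Python is an added example, not part of the original reference or of the Nexenta driver; it parses the two-column format described above, skips # comments, and reports connection URLs that are not https and passwords that group or other users can read. The addresses and password in the sample are constructed placeholders, and the function names are hypothetical.

```python
import os
import stat
from urllib.parse import urlsplit

# Constructed sample input; addresses and password are placeholders.
SAMPLE_SHARES = """\
# NFS share          NexentaStor connection URL
192.0.2.10:/storage http://admin:EXAMPLE-PASSWORD@192.0.2.10:2000
192.0.2.11:/storage https://admin:EXAMPLE-PASSWORD@192.0.2.11:2000

192.0.2.12:/storage
"""


def parse_shares(text):
    """Parse '<share> <connection URL>' lines; the password is never kept."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        parts = line.split()
        if len(parts) != 2:
            entries.append({"line": lineno,
                            "error": "expected '<share> <connection URL>'"})
            continue
        share, url = parts
        u = urlsplit(url)
        entries.append({
            "line": lineno,
            "share": share,
            "scheme": u.scheme,
            "host": u.hostname,
            "port": u.port,
            "user": u.username,
            "has_password": u.password is not None,
        })
    return entries


def check(entries, file_mode):
    """Return (line, message) findings for the parsed entries."""
    exposed = bool(file_mode & (stat.S_IRGRP | stat.S_IROTH))
    findings = []
    for entry in entries:
        if "error" in entry:
            findings.append((entry["line"], entry["error"]))
            continue
        if entry["scheme"] != "https":
            findings.append((entry["line"], "connection URL is not https"))
        if entry["has_password"] and exposed:
            findings.append((entry["line"],
                             "embedded password is readable by group or other"))
    return findings


def audit_file(path):
    """Audit a shares file on disk using its current permission bits."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    with open(path, encoding="utf-8") as handle:
        return check(parse_shares(handle.read()), mode)


if __name__ == "__main__":
    for line, message in check(parse_shares(SAMPLE_SHARES), 0o644):
        print("line %d: %s" % (line, message))
```
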

NFS driver
The Network File System (NFS) is a distributed file system protocol originally developed by
Sun Microsystems in 1984. An NFS server exports one or more of its file systems, known as
shares. An NFS client can mount these exported shares on its own file system. You can perform file actions on this mounted remote file system as if the file system were local.

How the NFS driver works


The NFS driver, and other drivers based on it, work quite differently than a traditional block
storage driver.
The NFS driver does not actually allow an instance to access a storage device at the block
level. Instead, files are created on an NFS share and mapped to instances, which emulates
a block device. This works in a similar way to QEMU, which stores instances in the
/var/lib/nova/instances directory.

Enable the NFS driver and related options


To use Cinder with the NFS driver, first set the volume_driver in cinder.conf:
volume_driver=cinder.volume.drivers.nfs.NfsDriver

The following table contains the options supported by the NFS driver.

Table 1.24. Description of NFS storage configuration options

Configuration option = Default value
Description

[DEFAULT]

nfs_mount_options = None
(StrOpt) Mount options passed to the nfs client. See section of the nfs man page for details.

nfs_mount_point_base = $state_path/mnt
(StrOpt) Base dir containing mount points for nfs shares.

nfs_oversub_ratio = 1.0
(FloatOpt) This will compare the allocated to available space on the volume destination. If the ratio exceeds this number, the destination will no longer be valid.

nfs_shares_config = /etc/cinder/nfs_shares
(StrOpt) File with the list of available nfs shares

nfs_sparsed_volumes = True
(BoolOpt) Create volumes as sparsed files which take no space. If set to False volume is created as regular file. In such case volume creation takes a lot of time.

nfs_used_ratio = 0.95
(FloatOpt) Percent of ACTUAL usage of the underlying volume before no new volumes can be allocated to the volume destination.

Note
As of the Icehouse release, the NFS driver (and other drivers based off it) will
attempt to mount shares using version 4.1 of the NFS protocol (including pNFS). If the mount attempt is unsuccessful due to a lack of client or server support, a subsequent mount attempt that requests the default behavior of the
mount.nfs command will be performed. On most distributions, the default behavior is to attempt mounting first with NFS v4.0, then silently fall back to NFS
v3.0 if necessary. If the nfs_mount_options configuration option contains a
request for a specific version of NFS to be used, or if specific options are specified in the shares configuration file specified by the nfs_shares_config configuration option, the mount will be attempted as requested with no subsequent attempts.

How to use the NFS driver


1. Access to one or more NFS servers. Creating an NFS server is outside the scope of
this document. This example assumes access to the following NFS servers and mount
points:
192.168.1.200:/storage
192.168.1.201:/storage
192.168.1.202:/storage
This example demonstrates the use of this driver with multiple NFS servers. Multiple servers are not required. One is usually enough.

2. Add your list of NFS servers to the file you specified with the nfs_shares_config
option. For example, if the value of this option was set to /etc/cinder/shares.txt, then:
# cat /etc/cinder/shares.txt
192.168.1.200:/storage
192.168.1.201:/storage
192.168.1.202:/storage

Comments are allowed in this file. They begin with a #.

3. Configure the nfs_mount_point_base option. This is a directory where cinder-volume mounts all NFS shares stored in shares.txt. For this example,
/var/lib/cinder/nfs is used. You can, of course, use the default value of
$state_path/mnt.

4. Start the cinder-volume service. /var/lib/cinder/nfs should now contain a directory for each NFS share specified in shares.txt. The name of each directory is a
hashed name:
# ls /var/lib/cinder/nfs/
...
46c5db75dc3a3a50a10bfd1a456a9f3f
...

5. You can now create volumes as you normally would:
$ nova volume-create --display-name myvol 5
# ls /var/lib/cinder/nfs/46c5db75dc3a3a50a10bfd1a456a9f3f
volume-a8862558-e6d6-4648-b5df-bb84f31c8935

This volume can also be attached and deleted just like other volumes. However, snapshotting is not supported.
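
The mount sequence described in the Note under Table 1.24 and the hashed directory names from step 4 can be modelled for one share at a time, which helps when deciding whether a deployment can silently end up on NFS v3 and when mapping a mount directory back to its share. The following Python is an added example, not part of the original reference or of the cinder code base. It assumes that per-share options are written after the share as mount flags (for example -o nfsvers=3), that a version request is one of the mount.nfs options vers, nfsvers or minorversion, and that the hashed name is the MD5 hex digest of the share string; the function names are hypothetical.

```python
import hashlib
import posixpath

VERSION_KEYS = ("vers", "nfsvers", "minorversion")
NFS41 = "vers=4,minorversion=1"


def requests_version(options):
    """True if a comma-separated mount option string pins an NFS version."""
    keys = (opt.strip().split("=", 1)[0] for opt in options.split(","))
    return any(key in VERSION_KEYS for key in keys)


def mount_point(share, base="/var/lib/cinder/nfs"):
    """Directory for a share under nfs_mount_point_base."""
    # Assumption: the "hashed name" is the MD5 hex digest of the share string.
    digest = hashlib.md5(share.encode("utf-8")).hexdigest()
    return posixpath.join(base, digest)


def resolve(dirname, shares):
    """Map a hashed directory name back to the share it belongs to."""
    for share in shares:
        if posixpath.basename(mount_point(share)) == dirname:
            return share
    return None


def plan_mounts(share_line, nfs_mount_options=None):
    """Return the ordered mount command lines for one shares-file line."""
    share, _, share_flags = share_line.strip().partition(" ")
    target = mount_point(share)
    base = ["mount", "-t", "nfs"]
    global_opts = ["-o", nfs_mount_options] if nfs_mount_options else []
    pinned = nfs_mount_options and requests_version(nfs_mount_options)
    if share_flags.strip() or pinned:
        # Explicit request: a single attempt as configured, no retry.
        return [base + global_opts + share_flags.split() + [share, target]]
    first = ",".join(filter(None, [nfs_mount_options, NFS41]))
    return [
        base + ["-o", first, share, target],   # NFS 4.1 is tried first
        base + global_opts + [share, target],  # then the mount.nfs defaults
    ]


def allows_silent_downgrade(attempts):
    """True if any attempt leaves version negotiation to mount.nfs defaults."""
    for argv in attempts:
        opts = [argv[i + 1] for i, arg in enumerate(argv[:-1]) if arg == "-o"]
        if not any(requests_version(opt) for opt in opts):
            return True
    return False


if __name__ == "__main__":
    for line, opts in [("192.168.1.200:/storage", None),
                       ("192.168.1.200:/storage", "nfsvers=4"),
                       ("192.168.1.200:/storage -o nfsvers=3", None)]:
        plan = plan_mounts(line, opts)
        print(line, opts, "downgrade possible:", allows_silent_downgrade(plan))
        for argv in plan:
            print("   ", " ".join(argv))
```
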

NFS driver notes


cinder-volume manages the mounting of the NFS shares as well as volume creation
on the shares. Keep this in mind when planning your OpenStack architecture. If you have
one master NFS server, it might make sense to only have one cinder-volume service
to handle all requests to that NFS server. However, if that single server is unable to handle all requests, more than one cinder-volume service is needed as well as potentially
more than one NFS server.
Because data is stored in a file and not actually on a block storage device, you might not
see the same IO performance as you would with a traditional block storage driver. Please
test accordingly.
Despite possible IO performance loss, having volume data stored in a file might be beneficial. For example, backing up volumes can be as easy as copying the volume files.

Note
Regular IO flushing and syncing still stands.

ProphetStor Fibre Channel and iSCSI drivers


ProphetStor Fibre Channel and iSCSI drivers add support for ProphetStor Flexvisor through
OpenStack Block Storage. ProphetStor Flexvisor enables commodity x86 hardware as software-defined storage leveraging well-proven ZFS for disk management to provide enterprise grade storage services such as snapshots, data protection with different RAID levels,
replication, and deduplication.
The DPLFCDriver and DPLISCSIDriver drivers run volume operations by communicating with the ProphetStor storage system over HTTPS.

Supported operations
Create, delete, attach, and detach volumes.
Create, list, and delete volume snapshots.
Create a volume from a snapshot.
Copy an image to a volume.
Copy a volume to an image.
Clone a volume.
Extend a volume.

Enable the Fibre Channel or iSCSI drivers


The DPLFCDriver and DPLISCSIDriver are installed with the OpenStack software.
1. Query the storage pool ID to use for the dpl_pool option in cinder.conf.

a. Log on to the storage system with administrator access.

$ ssh root@STORAGE IP ADDRESS

b. View the current usable pool ID.

$ flvcli show pool list
- d5bd40b58ea84e9da09dcf25a01fdc07 : default_pool_dc07

c. Use d5bd40b58ea84e9da09dcf25a01fdc07 to configure the dpl_pool option in /etc/cinder/cinder.conf.

Note
Other management commands are listed in the command help, flvcli -h.

2. Make the following changes on the volume node /etc/cinder/cinder.conf file.


# IP address of SAN controller (string value)
san_ip=STORAGE IP ADDRESS
# Username for SAN controller (string value)
san_login=USERNAME
# Password for SAN controller (string value)
san_password=PASSWORD
# Use thin provisioning for SAN volumes? (boolean value)
san_thin_provision=true
# The port that the iSCSI daemon is listening on. (integer value)
iscsi_port=3260
# DPL pool uuid in which DPL volumes are stored. (string value)
dpl_pool=d5bd40b58ea84e9da09dcf25a01fdc07
# DPL port number. (integer value)
dpl_port=8357
# Uncomment one of the next two options to enable Fibre Channel or iSCSI
# FIBRE CHANNEL(uncomment the next line to enable the FC driver)
#volume_driver=cinder.volume.drivers.prophetstor.dpl_fc.DPLFCDriver
# iSCSI (uncomment the next line to enable the iSCSI driver)
#volume_driver=cinder.volume.drivers.prophetstor.dpl_iscsi.DPLISCSIDriver

3. Save the changes to the /etc/cinder/cinder.conf file and restart the cinder-volume service.

The ProphetStor Fibre Channel or iSCSI drivers are now enabled on your OpenStack system.
If you experience problems, review the Block Storage service log files for errors.
The following table contains the options supported by the ProphetStor storage driver.

Table 1.25. Description of ProphetStor Fibre Channel and iSCSI drivers configuration options

Configuration option = Default value
Description

[DEFAULT]

dpl_pool =
(StrOpt) DPL pool uuid in which DPL volumes are stored.

dpl_port = 8357
(IntOpt) DPL port number.

iscsi_port = 3260
(IntOpt) The port that the iSCSI daemon is listening on

san_ip =
(StrOpt) IP address of SAN controller

san_login = admin
(StrOpt) Username for SAN controller

san_password =
(StrOpt) Password for SAN controller

san_thin_provision = True
(BoolOpt) Use thin provisioning for SAN volumes?

Pure Storage volume driver


The Pure Storage FlashArray volume driver for OpenStack Block Storage interacts with configured Pure Storage arrays and supports various operations.
This driver can be configured in OpenStack Block Storage to work with the iSCSI storage
protocol.
This driver is compatible with Purity FlashArrays that support the REST API (Purity 3.4.0 and
newer) and that are capable of iSCSI connectivity. This release supports installation with
OpenStack clusters running the Juno version that use the KVM or QEMU hypervisors together with OpenStack Compute service's libvirt driver.

Limitations and known issues


If you do not set up the nodes hosting instances to use multipathing, all iSCSI connectivity
will use a single physical 10-gigabit Ethernet port on the array. In addition to significantly
limiting the available bandwidth, this means you do not have the high-availability and nondisruptive upgrade benefits provided by FlashArray.
Workaround: You must set up multipathing on your hosts.
In the default configuration, OpenStack Block Storage does not provision volumes on a
backend whose available raw space is less than the logical size of the new volume. Due to
Purity's data reduction technology, such a volume could actually fit in the backend, and
thus OpenStack Block Storage default configuration does not take advantage of all available space.
Workaround: Turn off the CapacityFilter.

Supported operations
Create, delete, attach, detach, clone and extend volumes.
Create a volume from snapshot.
Create and delete volume snapshots.

Configure OpenStack and Purity


You need to configure both your Purity array and your OpenStack cluster.

Note
These instructions assume that the cinder-api and cinder-scheduler services are installed and configured in your OpenStack cluster.
1.

Configure the OpenStack Block Storage service


In these steps, you will edit the cinder.conf file to configure OpenStack Block Storage service to enable multipathing and to use the Pure Storage FlashArray as back-end
storage.

a. Retrieve an API token from Purity


The OpenStack Block Storage service configuration requires an API token from
Purity. Actions performed by the volume driver use this token for authorization.
Also, Purity logs the volume driver's actions as being performed by the user who
owns this API token.
If you created a Purity user account that is dedicated to managing your OpenStack
Block Storage volumes, copy the API token from that user account.
Use the appropriate create or list command below to display and copy the Purity
API token:

To create a new API token:


$ pureadmin create --api-token USER

The following is an example output:


$ pureadmin create --api-token pureuser
Name      API Token                             Created
pureuser  902fdca3-7e3f-d2e4-d6a6-24c2285fe1d9  2014-08-04 14:50:30

To list an existing API token:


$ pureadmin list --api-token --expose USER

The following is an example output:


$ pureadmin list --api-token --expose pureuser
Name      API Token                             Created
pureuser  902fdca3-7e3f-d2e4-d6a6-24c2285fe1d9  2014-08-04 14:50:30

b. Copy the API token retrieved (902fdca3-7e3f-d2e4-d6a6-24c2285fe1d9 from the examples above) to use in the next step.

c. Edit the OpenStack Block Storage service configuration file


The following sample /etc/cinder/cinder.conf configuration lists the relevant settings for a typical Block Storage service using a single Pure Storage array:
[DEFAULT]
....
enabled_backends = puredriver-1
default_volume_type = puredriver-1
....
[puredriver-1]
volume_backend_name = puredriver-1
volume_driver = cinder.volume.drivers.pure.PureISCSIDriver
san_ip = IP_PURE_MGMT
pure_api_token = PURE_API_TOKEN
use_multipath_for_image_xfer = True

Replace the following variables accordingly:

IP_PURE_MGMT    The IP address of the Pure Storage array's management interface or a domain name that resolves to that IP address.

PURE_API_TOKEN  The Purity Authorization token that the volume driver uses to perform volume management on the Pure Storage array.

2. Create Purity host objects


Before using the volume driver, follow these steps to create a host in Purity for each
OpenStack iSCSI initiator IQN that will connect to the FlashArray.
For every node that the driver runs on and every compute node that will connect to
the FlashArray:

Check the file /etc/iscsi/initiatorname.iscsi.

For each IQN in that file, copy the IQN string and run the following command to create a Purity host for an IQN:
$ purehost create --iqnlist IQN HOST

Replace the following variables accordingly:

IQN   The IQN retrieved from the /etc/iscsi/initiatorname.iscsi file.

HOST  A unique friendly name for this entry.

Note
Do not specify multiple IQNs with the --iqnlist option. Each
FlashArray host must be configured to a single OpenStack IQN.
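
The per-IQN host creation described above, as an added Python example that is not part of the original guide: it parses the contents of /etc/iscsi/initiatorname.iscsi collected from each node and builds one purehost create command per IQN. The node names, the HOST naming scheme (node name, with a numeric suffix when a node has several IQNs) and the rejection of an IQN that appears on two nodes are assumptions of this example.

```python
import re
import shlex

# iqn.<yyyy-mm>.<reversed domain>[:<unique part>]
IQN_RE = re.compile(r"^iqn\.\d{4}-\d{2}\.[a-z0-9][a-z0-9.-]*(:[^\s,]+)?$",
                    re.IGNORECASE)

# Constructed sample contents of /etc/iscsi/initiatorname.iscsi, keyed by a
# hypothetical node name.
SAMPLE_NODES = {
    "cinder-vol-1": "## DO NOT EDIT OR REMOVE THIS FILE!\n"
                    "InitiatorName=iqn.1994-05.com.redhat:aaa111\n",
    "compute-1": "InitiatorName=iqn.1994-05.com.redhat:bbb222\n"
                 "InitiatorName=iqn.1994-05.com.redhat:ccc333\n",
}


def parse_initiator_file(text):
    """Return every IQN declared in an initiatorname.iscsi file."""
    iqns = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        key, sep, value = line.partition("=")
        if key.strip() != "InitiatorName":
            continue  # other keys, such as InitiatorAlias
        value = value.strip()
        if not sep or not IQN_RE.match(value):
            raise ValueError("line %d: not a valid IQN: %r" % (lineno, value))
        iqns.append(value)
    return iqns


def purehost_commands(nodes):
    """Build one 'purehost create' command per IQN, never several per host."""
    seen = {}
    commands = []
    for node in sorted(nodes):
        iqns = parse_initiator_file(nodes[node])
        for index, iqn in enumerate(iqns, 1):
            key = iqn.lower()
            if key in seen:
                # Typical cause: nodes cloned from one image share an IQN.
                raise ValueError("IQN %s appears on both %s and %s"
                                 % (iqn, seen[key], node))
            seen[key] = node
            # Assumed naming scheme: node name, suffixed when it has >1 IQN.
            host = node if len(iqns) == 1 else "%s-%d" % (node, index)
            commands.append(
                shlex.join(["purehost", "create", "--iqnlist", iqn, host]))
    return commands


if __name__ == "__main__":
    for command in purehost_commands(SAMPLE_NODES):
        print(command)
```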

Sheepdog driver
Sheepdog is an open-source distributed storage system that provides a virtual storage pool
utilizing internal disk of commodity servers.
Sheepdog scales to several hundred nodes, and has powerful virtual disk management features like snapshot, cloning, rollback, thin provisioning.
More information can be found on Sheepdog Project.
This driver enables use of Sheepdog through Qemu/KVM.
Set the following volume_driver in cinder.conf:
volume_driver=cinder.volume.drivers.sheepdog.SheepdogDriver


SolidFire
The SolidFire Cluster is a high performance all SSD iSCSI storage device that provides massive scale out capability and extreme fault tolerance. A key feature of the SolidFire cluster
is the ability to set and modify, during operation, specific QoS levels on a volume-by-volume
basis. The SolidFire cluster offers this along with de-duplication, compression, and an architecture that takes full advantage of SSDs.
To configure the use of a SolidFire cluster with Block Storage, modify your cinder.conf
file as follows:
volume_driver = cinder.volume.drivers.solidfire.SolidFireDriver
# the address of your MVIP
san_ip = 172.17.1.182
# your cluster admin login
san_login = sfadmin
# your cluster admin password
san_password = sfpassword
# prefix for tenant account creation on solidfire cluster (see warning below)
sf_account_prefix = ''

Warning
The SolidFire driver creates a unique account prefixed with $cinder-volume-service-hostname-$tenant-id on the SolidFire cluster for each tenant that accesses the cluster through the Volume API. Unfortunately, this account formation results in issues for High Availability (HA) installations and installations where the cinder-volume service can move to a new node. HA installations can return an Account Not Found error because the call to the SolidFire cluster is not always going to be sent from the same node. In installations
where the cinder-volume service moves to a new node, the same issue can
occur when you perform operations on existing volumes, such as clone, extend,
delete, and so on.

Note
Set the sf_account_prefix option to an empty string ('') in the
cinder.conf file. This setting results in unique accounts being created on
the SolidFire cluster, but the accounts are prefixed with the tenant-id or any
unique identifier that you choose and are independent of the host where the
cinder-volume service resides.

Table 1.26. Description of SolidFire driver configuration options

| Configuration option = Default value | Description |
|---|---|
| [DEFAULT] | |
| sf_account_prefix = None | (StrOpt) Create SolidFire accounts with this prefix. Any string can be used here, but the string "hostname" is special and will create a prefix using the cinder node hostname (previous default behavior). The default is NO prefix. |
| sf_allow_tenant_qos = False | (BoolOpt) Allow tenants to specify QOS on create |
| sf_api_port = 443 | (IntOpt) SolidFire API port. Useful if the device api is behind a proxy on a different port. |
| sf_emulate_512 = True | (BoolOpt) Set 512 byte emulation on volume creation; |


VMware VMDK driver


Use the VMware VMDK driver to enable management of the OpenStack Block Storage volumes on vCenter-managed data stores. Volumes are backed by VMDK files on data stores
that use any VMware-compatible storage technology such as NFS, iSCSI, Fibre Channel, and
vSAN.

Warning
The VMware ESX VMDK driver is deprecated as of the Icehouse release and
might be removed in Juno or a subsequent release. The VMware vCenter
VMDK driver continues to be fully supported.

Functional context
The VMware VMDK driver connects to vCenter, through which it can dynamically access all
the data stores visible from the ESX hosts in the managed cluster.
When you create a volume, the VMDK driver creates a VMDK file on demand. The VMDK
file creation completes only when the volume is subsequently attached to an instance, because the set of data stores visible to the instance determines where to place the volume.
The running vSphere VM is automatically reconfigured to attach the VMDK file as an extra
disk. Once attached, you can log in to the running vSphere VM to rescan and discover this
extra disk.

Configuration
The recommended volume driver for OpenStack Block Storage is the VMware vCenter
VMDK driver. When you configure the driver, you must match it with the appropriate
OpenStack Compute driver from VMware and both drivers must point to the same server.
In the nova.conf file, use this option to define the Compute driver:
compute_driver=vmwareapi.VMwareVCDriver

In the cinder.conf file, use this option to define the volume driver:
volume_driver=cinder.volume.drivers.vmware.vmdk.VMwareVcVmdkDriver

The following table lists various options that the drivers support for the OpenStack Block
Storage configuration (cinder.conf):

Table 1.27. Description of VMware configuration options

| Configuration option = Default value | Description |
|---|---|
| [DEFAULT] | |
| vmware_api_retry_count = 10 | (IntOpt) Number of times VMware ESX/VC server API must be retried upon connection related issues. |
| vmware_host_ip = None | (StrOpt) IP address for connecting to VMware ESX/VC server. |
| vmware_host_password = None | (StrOpt) Password for authenticating with VMware ESX/VC server. |
| vmware_host_username = None | (StrOpt) Username for authenticating with VMware ESX/VC server. |
| vmware_host_version = None | (StrOpt) Optional string specifying the VMware VC server version. The driver attempts to retrieve the version from VMware VC server. Set this configuration only if you want to override the VC server version. |
| vmware_image_transfer_timeout_secs = 7200 | (IntOpt) Timeout in seconds for VMDK volume transfer between Cinder and Glance. |
| vmware_max_objects_retrieval = 100 | (IntOpt) Max number of objects to be retrieved per batch. Query results will be obtained in batches from the server and not in one shot. Server may still limit the count to something less than the configured value. |
| vmware_task_poll_interval = 0.5 | (FloatOpt) The interval (in seconds) for polling remote tasks invoked on VMware ESX/VC server. |
| vmware_tmp_dir = /tmp | (StrOpt) Directory where virtual disks are stored during volume backup and restore. |
| vmware_volume_folder = cinder-volumes | (StrOpt) Name for the folder in the VC datacenter that will contain cinder volumes. |
| vmware_wsdl_location = None | (StrOpt) Optional VIM service WSDL Location e.g http://<server>/vimService.wsdl. Optional over-ride to default location for bug work-arounds. |

VMDK disk type


The VMware VMDK drivers support the creation of VMDK disk files of type thin,
lazyZeroedThick, or eagerZeroedThick. Use the vmware:vmdk_type extra spec
key with the appropriate value to specify the VMDK disk file type. The following table captures the mapping between the extra spec entry and the VMDK disk file type:

Table 1.28. Extra spec entry to VMDK disk file type mapping

| Disk file type | Extra spec key | Extra spec value |
|---|---|---|
| thin | vmware:vmdk_type | thin |
| lazyZeroedThick | vmware:vmdk_type | thick |
| eagerZeroedThick | vmware:vmdk_type | eagerZeroedThick |

If you do not specify a vmdk_type extra spec entry, the default disk file type is thin.
The following example shows how to create a lazyZeroedThick VMDK volume by using
the appropriate vmdk_type:
$ cinder type-create thick_volume
$ cinder type-key thick_volume set vmware:vmdk_type=thick
$ cinder create --volume-type thick_volume --display-name volume1 1

Clone type
With the VMware VMDK drivers, you can create a volume from another source volume or a
snapshot point. The VMware vCenter VMDK driver supports the full and linked/fast
clone types. Use the vmware:clone_type extra spec key to specify the clone type. The
following table captures the mapping for clone types:

Table 1.29. Extra spec entry to clone type mapping

| Clone type | Extra spec key | Extra spec value |
|---|---|---|
| full | vmware:clone_type | full |
| linked/fast | vmware:clone_type | linked |

If you do not specify the clone type, the default is full.


The following example shows linked cloning from another source volume:
$ cinder type-create fast_clone
$ cinder type-key fast_clone set vmware:clone_type=linked
$ cinder create --volume-type fast_clone --source-volid 25743b9d-3605-462b-b9eb-71459fe2bb35 --display-name volume1 1

Note
The VMware ESX VMDK driver ignores the extra spec entry and always creates
a full clone.

Use vCenter storage policies to specify back-end data stores


This section describes how to configure back-end data stores using storage policies. In vCenter, you can create one or more storage policies and expose them as a Block Storage volume-type to a vmdk volume. The storage policies are exposed to the vmdk driver through
the extra spec property with the vmware:storage_profile key.
For example, assume a storage policy in vCenter named gold_policy and a Block Storage volume type named vol1 with the extra spec key vmware:storage_profile set to
the value gold_policy. Any Block Storage volume creation that uses the vol1 volume
type places the volume only in data stores that match the gold_policy storage policy.
The Block Storage back-end configuration for vSphere data stores is automatically determined based on the vCenter configuration. If you configure a connection to connect to
vCenter version 5.5 or later in the cinder.conf file, the use of storage policies to configure back-end data stores is automatically supported.

Note
Any data stores that you configure for the Block Storage service must also be
configured for the Compute service.

Procedure 1.4. To configure back-end data stores by using storage policies

1. In vCenter, tag the data stores to be used for the back end.
   OpenStack also supports policies that are created by using vendor-specific capabilities;
   for example vSAN-specific storage policies.

   Note
   The tag value serves as the policy. For details, see the section called Storage policy-based configuration in vCenter.

2. Set the extra spec key vmware:storage_profile in the desired Block Storage volume types to the policy name that you created in the previous step.

3. Optionally, for the vmware_host_version parameter, enter the version number of your vSphere platform. For example, 5.5.
   This setting overrides the default location for the corresponding WSDL file. Among
   other scenarios, you can use this setting to prevent WSDL error messages during the
   development phase or to work with a newer version of vCenter.

4. Complete the other vCenter configuration parameters as appropriate.

Note
The following considerations apply to configuring SPBM for the Block Storage
service:
For any volume that is created without an associated policy (that is to say, without an associated volume type that specifies the vmware:storage_profile
extra spec), there is no policy-based placement.

Supported operations
The VMware vCenter and ESX VMDK drivers support these operations:
Create, delete, attach, and detach volumes.

Note
When a volume is attached to an instance, a reconfigure operation is performed on the instance to add the volume's VMDK to it. The user must manually rescan and mount the device from within the guest operating system.
Create, list, and delete volume snapshots.

Note
Allowed only if volume is not attached to an instance.
Create a volume from a snapshot.
Copy an image to a volume.

Note
Only images in vmdk disk format with bare container format are supported. The vmware_disktype property of the image can be preallocated,
sparse, streamOptimized or thin.
Copy a volume to an image.

Note
Allowed only if the volume is not attached to an instance.
Clone a volume.

Note
Supported only if the source volume is not attached to an instance.
Back up a volume.
Restore backup to new or existing volume.

Note
Supported only if the existing volume doesn't contain snapshots.
Change the type of a volume.

Note
This operation is supported only if the volume state is available.

Note
Although the VMware ESX VMDK driver supports these operations, it has not
been extensively tested.

Storage policy-based configuration in vCenter


You can configure Storage Policy-Based Management (SPBM) profiles for vCenter data
stores supporting the Compute, Image Service, and Block Storage components of an OpenStack implementation.
In a vSphere OpenStack deployment, SPBM enables you to delegate several data stores for
storage, which reduces the risk of running out of storage space. The policy logic selects the
data store based on accessibility and available storage space.

Prerequisites
Determine the data stores to be used by the SPBM policy.
Determine the tag that identifies the data stores in the OpenStack component configuration.
Create separate policies or sets of data stores for separate OpenStack components.

Create storage policies in vCenter


Procedure 1.5. To create storage policies in vCenter

1. In vCenter, create the tag that identifies the data stores:
   a. From the Home screen, click Tags.
   b. Specify a name for the tag.
   c. Specify a tag category. For example, spbm-cinder.

2. Apply the tag to the data stores to be used by the SPBM policy.

   Note
   For details about creating tags in vSphere, see the vSphere documentation.

3. In vCenter, create a tag-based storage policy that uses one or more tags to identify a
   set of data stores.

   Note
   You use this tag name and category when you configure the *.conf file
   for the OpenStack component. For details about creating tags in vSphere,
   see the vSphere documentation.

Data store selection


If storage policy is enabled, the driver initially selects all the data stores that match the associated storage policy.
If two or more data stores match the storage policy, the driver chooses a data store that is
connected to the maximum number of hosts.
In case of ties, the driver chooses the data store with lowest space utilization, where space
utilization is defined by the (1-freespace/totalspace) metric.
These actions reduce the number of volume migrations while attaching the volume to instances.
The volume must be migrated if the ESX host for the instance cannot access the data store
that contains the volume.
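
The selection order described above, as an added Python example that is not the driver's own code: it filters data stores by storage policy, prefers the one connected to the most hosts, breaks ties on the (1-freespace/totalspace) metric, and reports when an attach would force a migration. The inventory is constructed, and the final tie-break on name and the handling of a zero-sized data store are assumptions of this example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Datastore:
    name: str
    profiles: frozenset   # storage policies the data store matches
    hosts: frozenset      # ESX hosts that can access the data store
    free_gb: float
    total_gb: float

    @property
    def utilization(self):
        # The metric from the text: 1 - freespace/totalspace.
        if self.total_gb <= 0:
            return 1.0  # assumption: treat an unsized data store as full
        return 1 - self.free_gb / self.total_gb


# Constructed inventory; names, hosts and sizes are illustrative only.
INVENTORY = [
    Datastore("ds-a", frozenset({"gold_policy"}),
              frozenset({"esx1", "esx2"}), 400, 1000),
    Datastore("ds-b", frozenset({"gold_policy"}),
              frozenset({"esx1", "esx2"}), 700, 1000),
    Datastore("ds-c", frozenset({"gold_policy"}),
              frozenset({"esx1"}), 900, 1000),
    Datastore("ds-d", frozenset({"silver_policy"}),
              frozenset({"esx1", "esx2", "esx3"}), 990, 1000),
]


def candidates(datastores, storage_profile=None):
    """Eligible data stores; no profile means no policy-based placement."""
    return [d for d in datastores
            if storage_profile is None or storage_profile in d.profiles]


def select_datastore(datastores, storage_profile=None):
    """Pick the data store: most connected hosts, then lowest utilization."""
    eligible = candidates(datastores, storage_profile)
    if not eligible:
        return None  # no data store matches the policy
    # The name is used only as a last, deterministic tie-break (assumption).
    return min(eligible,
               key=lambda d: (-len(d.hosts), d.utilization, d.name))


def needs_migration(datastore, instance_host):
    """True if the instance's ESX host cannot access the chosen data store."""
    return instance_host not in datastore.hosts


if __name__ == "__main__":
    chosen = select_datastore(INVENTORY, "gold_policy")
    print(chosen.name, round(chosen.utilization, 2))
    print("migrate for esx3:", needs_migration(chosen, "esx3"))
```

In the constructed inventory ds-c has the lowest utilization among the gold_policy data stores, but it is reachable from only one host, so it loses to ds-b; that is the trade the driver makes to reduce migrations at attach time.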

Windows
There is a volume back-end for Windows. Set the following in your cinder.conf, and use
the options below to configure it.
volume_driver=cinder.volume.drivers.windows.WindowsDriver

Table 1.30. Description of Windows configuration options

| Configuration option = Default value | Description |
|---|---|
| [DEFAULT] | |
| windows_iscsi_lun_path = C:\iSCSIVirtualDisks | (StrOpt) Path to store VHD backed volumes |

XenAPI Storage Manager volume driver


The Xen Storage Manager volume driver (xensm) is a XenAPI hypervisor specific volume
driver, and can be used to provide basic storage functionality, including volume creation
and destruction, on a number of different storage back-ends. It also enables the capability
of using more sophisticated storage back-ends for operations like cloning/snapshots, and
so on. Some of the storage plug-ins that are already supported in Citrix XenServer and Xen
Cloud Platform (XCP) are:
1. NFS VHD: Storage repository (SR) plug-in that stores disks as Virtual Hard Disk (VHD) files
on a remote Network File System (NFS).
2. Local VHD on LVM: SR plug-in that represents disks as VHD disks on Logical Volumes
(LVM) within a locally-attached Volume Group.
3. HBA LUN-per-VDI driver: SR plug-in that represents Logical Units (LUs) as Virtual Disk Images (VDIs) sourced by host bus adapters (HBAs). For example, hardware-based iSCSI or
FC support.
4. NetApp: SR driver for mapping of LUNs to VDIs on a NETAPP server, providing use of
fast snapshot and clone features on the filer.
5. LVHD over FC: SR plug-in that represents disks as VHDs on Logical Volumes within a Volume Group created on an HBA LUN. For example, hardware-based iSCSI or FC support.
6. iSCSI: Base ISCSI SR driver, provides a LUN-per-VDI. Does not support creation of VDIs but
accesses existing LUNs on a target.
7. LVHD over iSCSI: SR plug-in that represents disks as Logical Volumes within a Volume
Group created on an iSCSI LUN.
8. EqualLogic: SR driver for mapping of LUNs to VDIs on an EQUALLOGIC array group, providing use of fast snapshot and clone features on the array.

Design and operation


Definitions
Back-end: A term for a particular storage back-end. This could be iSCSI, NFS, NetApp, and
so on.
Back-end-config: All the parameters required to connect to a specific back-end. For example, for NFS, this would be the server, path, and so on.
Flavor: This term is equivalent to volume "types". A user friendly term to specify some notion of quality of service. For example, "gold" might mean that the volumes use a backend where backups are possible. A flavor can be associated with multiple back-ends. The
volume scheduler, with the help of the driver, decides which back-end is used to create
a volume of a particular flavor. Currently, the driver uses a simple "first-fit" policy, where
the first back-end that can successfully create this volume is the one that is used.

Operation
The admin uses the nova-manage command detailed below to add flavors and back-ends.
One or more cinder-volume service instances are deployed for each availability zone.
When an instance is started, it creates storage repositories (SRs) to connect to the backends available within that zone. All cinder-volume instances within a zone can see all
the available back-ends. These instances are completely symmetric and hence should be
able to service any create_volume request within the zone.

On XenServer, PV guests required


Note that when using XenServer you can only attach a volume to a PV guest.

Configure XenAPI Storage Manager


Prerequisites
1. xensm requires that you use either Citrix XenServer or XCP as the hypervisor. The NetApp and EqualLogic back-ends are not supported on XCP.
2. Ensure all hosts running volume and Compute services have connectivity to the storage
system.

Configuration
Set the following configuration options for the nova volume service: (nova-compute
also requires the volume_driver configuration option.)
--volume_driver "nova.volume.xensm.XenSMDriver"
--use_local_volumes False

You must create the back-end configurations that the volume driver uses before you
start the volume service.
$ nova-manage sm flavor_create <label> <description>
$ nova-manage sm flavor_delete <label>
$ nova-manage sm backend_add <flavor label> <SR type> [config connection parameters]

Note
SR type and configuration connection parameters are in keeping with the XenAPI Command Line Interface.
$ nova-manage sm backend_delete <back-end-id>

Example: For the NFS storage manager plug-in, run these commands:
$ nova-manage sm flavor_create gold "Not all that glitters"
$ nova-manage sm flavor_delete gold
$ nova-manage sm backend_add gold nfs name_label=myback-end server=myserver serverpath=/local/scratch/myname
$ nova-manage sm backend_remove 1

Start cinder-volume and nova-compute with the new configuration options.

Create and access the volumes from VMs


Currently, the flavors have not been tied to the volume types API. As a result, we simply
end up creating volumes in a "first fit" order on the given back-ends.
Use the standard euca-* or OpenStack API commands (such as volume extensions) to create, destroy, attach, or detach volumes.

XenAPINFS
XenAPINFS is a Block Storage (Cinder) driver that uses an NFS share through the XenAPI
Storage Manager to store virtual disk images and expose those virtual disks as volumes.
This driver does not access the NFS share directly. It accesses the share only through XenAPI
Storage Manager. Consider this driver as a reference implementation for use of the XenAPI
Storage Manager in OpenStack (present in XenServer and XCP).

Requirements
A XenServer/XCP installation that acts as Storage Controller. This hypervisor is known as
the storage controller.
Use XenServer/XCP as your hypervisor for Compute nodes.
An NFS share that is configured for XenServer/XCP. For specific requirements and export
options, see the administration guide for your specific XenServer version. The NFS share
must be accessible by all XenServers components within your cloud.
To create volumes from XenServer type images (vhd tgz files), XenServer Nova plug-ins
are also required on the storage controller.

Note
You can use a XenServer as a storage controller and compute node at the same
time. This minimal configuration consists of a XenServer/XCP box and an NFS
share.

Configuration patterns
Local configuration (Recommended): The driver runs in a virtual machine on top of the
storage controller. With this configuration, you can create volumes from qemu-img-supported formats.

Figure 1.3. Local configuration

Remote configuration: The driver is not a guest VM of the storage controller. With this
configuration, you can only use XenServer vhd-type images to create volumes.

Figure 1.4. Remote configuration

Configuration options
Assuming the following setup:
XenServer box at 10.2.2.1
XenServer password is r00tme
NFS server is nfs.example.com
NFS export is at /volumes
To use XenAPINFS as your cinder driver, set these configuration options in the
cinder.conf file:
volume_driver = cinder.volume.drivers.xenapi.sm.XenAPINFSDriver
xenapi_connection_url = http://10.2.2.1
xenapi_connection_username = root
xenapi_connection_password = r00tme
xenapi_nfs_server = nfs.example.com
xenapi_nfs_serverpath = /volumes
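
A check that can be run against a cinder.conf like the sample above, as an added Python example that is not part of the original guide: it reports credential options stored in a world-readable file and a XenAPI connection URL that does not use https, and it also covers the credential, SSL and multipath options of the other drivers documented in this section. The finding strings, the function names and the policy of flagging any non-https xenapi_connection_url are assumptions of this example.

```python
import configparser
import os
import stat
from urllib.parse import urlsplit

# Credential-bearing options that appear in this section's driver settings.
SECRET_OPTIONS = frozenset({
    "pure_api_token", "san_password", "vmware_host_password",
    "xenapi_connection_password", "zadara_password",
    "zfssa_initiator_password", "zfssa_target_password",
})

# Constructed copy of the XenAPINFS sample settings, with a section header.
XENAPINFS_SAMPLE = """\
[DEFAULT]
volume_driver = cinder.volume.drivers.xenapi.sm.XenAPINFSDriver
xenapi_connection_url = http://10.2.2.1
xenapi_connection_username = root
xenapi_connection_password = r00tme
xenapi_nfs_server = nfs.example.com
xenapi_nfs_serverpath = /volumes
"""


def _enabled(value):
    return str(value).strip().lower() in ("true", "1", "yes", "on")


def audit_cinder_conf(text, file_mode=None):
    """Return (section, option, finding) tuples for one cinder.conf text."""
    # Treat [DEFAULT] as an ordinary section so its options are reported once
    # instead of being inherited by every back-end section.
    parser = configparser.RawConfigParser(default_section="__unused__",
                                          strict=False)
    parser.read_string(text)
    world_readable = file_mode is not None and bool(file_mode & stat.S_IROTH)
    findings = []
    for section in parser.sections():
        opts = dict(parser.items(section))
        driver = opts.get("volume_driver", "")
        for name in sorted(SECRET_OPTIONS.intersection(opts)):
            if opts[name].strip() and world_readable:
                findings.append((section, name,
                                 "secret in world-readable file"))
        url = opts.get("xenapi_connection_url", "")
        if url and urlsplit(url).scheme.lower() != "https":
            findings.append((section, "xenapi_connection_url",
                             "credentials sent without TLS"))
        # zadara_vpsa_use_ssl defaults to False, so absent means disabled.
        if driver.endswith(".ZadaraVPSAISCSIDriver") and not _enabled(
                opts.get("zadara_vpsa_use_ssl", "False")):
            findings.append((section, "zadara_vpsa_use_ssl",
                             "management connection without SSL"))
        # Without multipathing all iSCSI traffic uses one array port.
        if driver.endswith(".PureISCSIDriver") and not _enabled(
                opts.get("use_multipath_for_image_xfer", "False")):
            findings.append((section, "use_multipath_for_image_xfer",
                             "multipath not enabled"))
    return findings


def audit_file(path="/etc/cinder/cinder.conf"):
    """Audit a file on disk, taking its permission bits into account."""
    with open(path) as handle:
        text = handle.read()
    return audit_cinder_conf(text, stat.S_IMODE(os.stat(path).st_mode))


if __name__ == "__main__":
    for finding in audit_cinder_conf(XENAPINFS_SAMPLE, 0o644):
        print(finding)
```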

The following table shows the configuration options that the XenAPINFS driver supports:

Table 1.31. Description of Xen storage configuration options

| Configuration option = Default value | Description |
|---|---|
| [DEFAULT] | |
| xenapi_connection_password = None | (StrOpt) Password for XenAPI connection |
| xenapi_connection_url = None | (StrOpt) URL for XenAPI connection |
| xenapi_connection_username = root | (StrOpt) Username for XenAPI connection |
| xenapi_nfs_server = None | (StrOpt) NFS server to be used by XenAPINFSDriver |
| xenapi_nfs_serverpath = None | (StrOpt) Path of exported NFS, used by XenAPINFSDriver |
| xenapi_sr_base_path = /var/run/sr-mount | (StrOpt) Base path to the storage repository |

Zadara
There is a volume back-end for Zadara. Set the following in your cinder.conf, and use
the following options to configure it.
volume_driver=cinder.volume.drivers.zadara.ZadaraVPSAISCSIDriver

Table 1.32. Description of Zadara Storage driver configuration options

| Configuration option = Default value | Description |
|---|---|
| [DEFAULT] | |
| zadara_password = None | (StrOpt) Password for the VPSA |
| zadara_user = None | (StrOpt) User name for the VPSA |
| zadara_vol_encrypt = False | (BoolOpt) Default encryption policy for volumes |
| zadara_vol_name_template = OS_%s | (StrOpt) Default template for VPSA volume names |
| zadara_vol_thin = True | (BoolOpt) Default thin provisioning policy for volumes |
| zadara_vpsa_allow_nonexistent_delete = True | (BoolOpt) Don't halt on deletion of non-existing volumes |
| zadara_vpsa_auto_detach_on_delete = True | (BoolOpt) Automatically detach from servers on volume delete |
| zadara_vpsa_ip = None | (StrOpt) Management IP of Zadara VPSA |
| zadara_vpsa_poolname = None | (StrOpt) Name of VPSA storage pool for volumes |
| zadara_vpsa_port = None | (StrOpt) Zadara VPSA port number |
| zadara_vpsa_use_ssl = False | (BoolOpt) Use SSL connection |

Oracle ZFSSA iSCSI Driver


Oracle ZFS Storage Appliances (ZFSSAs) provide advanced software to protect data, speed
tuning and troubleshooting, and deliver high performance and high availability. Through
the Oracle ZFSSA iSCSI Driver, OpenStack Block Storage can use an Oracle ZFSSA as a block
storage resource. The driver enables you to create iSCSI volumes that an OpenStack Block
Storage server can allocate to any virtual machine running on a compute host. The Oracle
ZFSSA iSCSI Driver, version 1.0.0, supports ZFSSA software release 2013.1.2.0 and later.

Configuration
1. Enable RESTful service on the ZFSSA Storage Appliance.

2. Create a new user on the appliance with the following authorizations:


scope=stmf - allow_configure=true
scope=nas - allow_clone=true, allow_createProject=true,
allow_createShare=true, allow_changeSpaceProps=true,
allow_changeGeneralProps=true, allow_destroy=true,
allow_rollback=true, allow_takeSnap=true

You can create a role with authorizations as follows:


zfssa:> configuration roles
zfssa:configuration roles> role OpenStackRole
zfssa:configuration roles OpenStackRole (uncommitted)> set description="OpenStack Cinder Driver"
zfssa:configuration roles OpenStackRole (uncommitted)> commit
zfssa:configuration roles> select OpenStackRole
zfssa:configuration roles OpenStackRole> authorizations create
zfssa:configuration roles OpenStackRole auth (uncommitted)> set scope=stmf
zfssa:configuration roles OpenStackRole auth (uncommitted)> set allow_configure=true
zfssa:configuration roles OpenStackRole auth (uncommitted)> commit

You can create a user with a specific role as follows:


zfssa:> configuration users
zfssa:configuration users> user cinder
zfssa:configuration users cinder (uncommitted)> set fullname="OpenStack Cinder Driver"
zfssa:configuration users cinder (uncommitted)> set initial_password=12345
zfssa:configuration users cinder (uncommitted)> commit
zfssa:configuration users> select cinder set roles=OpenStackRole

Note
You can also run this workflow to automate the above tasks.
3. Ensure that the ZFSSA iSCSI service is online. If the ZFSSA iSCSI service is not online, enable the service by using the BUI, CLI or REST API in the appliance.
zfssa:> configuration services iscsi
zfssa:configuration services iscsi> enable
zfssa:configuration services iscsi> show
Properties:
<status>= online
...

Define the following required properties in the cinder.conf file:


volume_driver = cinder.volume.drivers.zfssa.zfssaiscsi.ZFSSAISCSIDriver
san_ip = myhost
san_login = username
san_password = password
zfssa_pool = mypool
zfssa_project = myproject
zfssa_initiator_group = default
zfssa_target_portal = w.x.y.z:3260
zfssa_target_interfaces = e1000g0

Optionally, you can define additional properties.


Target interfaces can be seen as follows in the CLI:
zfssa:> configuration net interfaces
zfssa:configuration net interfaces> show
Interfaces:
INTERFACE STATE CLASS LINKS   ADDRS          LABEL
e1000g0   up    ip    e1000g0 1.10.20.30/24  Untitled Interface
...

Note
Do not use management interfaces for zfssa_target_interfaces.

Supported operations
Create and delete volumes
Extend volume
Create and delete snapshots
Create volume from snapshot
Delete volume snapshots
Attach and detach volumes
Get volume stats
Clone volumes

Driver options
The Oracle ZFSSA iSCSI Driver supports these options:

Table 1.33. Description of ZFS Storage Appliance iSCSI driver configuration options

Configuration option = Default value    Description
[DEFAULT]
zfssa_initiator =                       (StrOpt) iSCSI initiator IQNs. (comma separated)
zfssa_initiator_group =                 (StrOpt) iSCSI initiator group.
zfssa_initiator_password =              (StrOpt) iSCSI initiator CHAP password.
zfssa_initiator_user =                  (StrOpt) iSCSI initiator CHAP user.
zfssa_lun_compression =                 (StrOpt) Data compression: off, lzjb, gzip-2, gzip, gzip-9.
zfssa_lun_logbias =                     (StrOpt) Synchronous write bias: latency, throughput.
zfssa_lun_sparse = False                (BoolOpt) Flag to enable sparse (thin-provisioned): True, False.
zfssa_lun_volblocksize = 8k             (StrOpt) Block size: 512, 1k, 2k, 4k, 8k, 16k, 32k, 64k, 128k.
zfssa_pool = None                       (StrOpt) Storage pool name.
zfssa_project = None                    (StrOpt) Project name.
zfssa_rest_timeout = None               (IntOpt) REST connection timeout. (seconds)
zfssa_target_group = tgt-grp            (StrOpt) iSCSI target group name.
zfssa_target_interfaces = None          (StrOpt) Network interfaces of iSCSI targets. (comma separated)
zfssa_target_password =                 (StrOpt) iSCSI target CHAP password.
zfssa_target_portal = None              (StrOpt) iSCSI target portal (Data-IP:Port, w.x.y.z:3260).
zfssa_target_user =                     (StrOpt) iSCSI target CHAP user.
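One way to check a ZFSSA back-end stanza against the required properties and the value lists in the table above before restarting cinder-volume, as an added example that is not part of the OpenStack guide or the driver. The function names, the mgmt_interfaces parameter, the CHAP pairing rule, the sample-value check and the constructed SAMPLE stanza (192.0.2.x addresses, igb0) are assumptions of this example.

```python
import configparser
import ipaddress

# Required properties and allowed values come from the page; the rest is assumed.
REQUIRED = (
    "volume_driver", "san_ip", "san_login", "san_password", "zfssa_pool",
    "zfssa_project", "zfssa_initiator_group", "zfssa_target_portal",
    "zfssa_target_interfaces",
)
ALLOWED = {
    "zfssa_lun_compression": {"off", "lzjb", "gzip-2", "gzip", "gzip-9"},
    "zfssa_lun_logbias": {"latency", "throughput"},
    "zfssa_lun_sparse": {"true", "false"},
    "zfssa_lun_volblocksize": {"512", "1k", "2k", "4k", "8k", "16k", "32k",
                               "64k", "128k"},
}
# Values the page's sample stanza uses as stand-ins.
PLACEHOLDERS = {"san_ip": "myhost", "san_login": "username",
                "san_password": "password"}
# Assumption: a CHAP user without its password (or the reverse) is a mistake.
CHAP_PAIRS = (
    ("zfssa_initiator_user", "zfssa_initiator_password"),
    ("zfssa_target_user", "zfssa_target_password"),
)

# Constructed stanza with deliberate mistakes, for demonstration only.
SAMPLE = """\
[DEFAULT]
volume_driver = cinder.volume.drivers.zfssa.zfssaiscsi.ZFSSAISCSIDriver
san_ip = 192.0.2.10
san_login = cinder
san_password = password
zfssa_pool = mypool
zfssa_project = myproject
zfssa_initiator_group = default
zfssa_target_portal = 192.0.2.20:32600x
zfssa_target_interfaces = e1000g0, igb0
zfssa_lun_volblocksize = 256k
zfssa_target_user = chapuser
"""


def check_portal(value):
    """Return an error string unless value has the Data-IP:Port form."""
    host, sep, port = value.rpartition(":")
    if not sep:
        return "zfssa_target_portal: expected Data-IP:Port, got %r" % value
    try:
        ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        return "zfssa_target_portal: %r is not an IP address" % host
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        return "zfssa_target_portal: invalid port %r" % port
    return None


def validate_zfssa(conf_text, section="DEFAULT", mgmt_interfaces=()):
    """Return a list of findings for one ZFSSA back-end stanza."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    if section != "DEFAULT" and not parser.has_section(section):
        return ["[%s]: section not found" % section]
    opts = parser.defaults() if section == "DEFAULT" else parser[section]

    def get(key):
        return (opts.get(key) or "").strip()

    findings = []
    for key in REQUIRED:
        if not get(key):
            findings.append("%s: required property is missing" % key)
    for key, allowed in ALLOWED.items():
        value = get(key)
        if value and value.lower() not in allowed:
            findings.append("%s: %r is not one of %s"
                            % (key, value, sorted(allowed)))
    portal = get("zfssa_target_portal")
    if portal:
        error = check_portal(portal)
        if error:
            findings.append(error)
    # The page's note: management interfaces must not carry iSCSI targets.
    for nic in get("zfssa_target_interfaces").split(","):
        if nic.strip() in mgmt_interfaces:
            findings.append("zfssa_target_interfaces: %s is a management "
                            "interface" % nic.strip())
    for user_key, password_key in CHAP_PAIRS:
        if bool(get(user_key)) != bool(get(password_key)):
            findings.append("%s/%s: set both or neither"
                            % (user_key, password_key))
    for key, sample in PLACEHOLDERS.items():
        if get(key) == sample:
            findings.append("%s: still set to the page's sample value" % key)
    return findings


if __name__ == "__main__":
    for finding in validate_zfssa(SAMPLE, mgmt_interfaces=("igb0",)):
        print(finding)
```

For a multi-back-end deployment, pass the back-end's group name as section; the list of management interfaces has to come from the appliance's own network configuration.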


Backup drivers
This section describes how to configure the cinder-backup service and its drivers.
The volume drivers are included with the Block Storage repository (https://github.com/openstack/cinder).
To set a backup driver, use the backup_driver flag. By default there
is no backup driver enabled.

Ceph backup driver


The Ceph backup driver backs up volumes of any type to a Ceph back-end store. The driver can also detect whether the volume to be backed up is a Ceph RBD volume, and if so, it
tries to perform incremental and differential backups.
For source Ceph RBD volumes, you can perform backups within the same Ceph pool (not
recommended). You can also perform backups between different Ceph pools and between
different Ceph clusters.
At the time of writing, differential backup support in Ceph/librbd was quite new. This driver attempts a differential backup in the first instance. If the differential backup fails, the
driver falls back to full backup/copy.
If incremental backups are used, multiple backups of the same volume are stored as snapshots so that minimal space is consumed in the backup store. It takes far less time to restore
a volume than to take a full copy.

Note
Block Storage enables you to:
Restore to a new volume, which is the default and recommended action.
Restore to the original volume from which the backup was taken. The restore
action takes a full copy because this is the safest action.
To enable the Ceph backup driver, include the following option in the cinder.conf file:
backup_driver = cinder.backup.drivers.ceph

The following configuration options are available for the Ceph backup driver.

Table 1.34. Description of Ceph backup driver configuration options

Configuration option = Default value    Description
[DEFAULT]
backup_ceph_chunk_size = 134217728      (IntOpt) The chunk size, in bytes, that a backup is broken into before transfer to the Ceph object store.
backup_ceph_conf = /etc/ceph/ceph.conf  (StrOpt) Ceph configuration file to use.
backup_ceph_pool = backups              (StrOpt) The Ceph pool where volume backups are stored.
backup_ceph_stripe_count = 0            (IntOpt) RBD stripe count to use when creating a backup image.
backup_ceph_stripe_unit = 0             (IntOpt) RBD stripe unit to use when creating a backup image.
backup_ceph_user = cinder               (StrOpt) The Ceph user to connect with. Default here is to use the same user as for Cinder volumes. If not using cephx this should be set to None.
restore_discard_excess_bytes = True     (BoolOpt) If True, always discard excess bytes when restoring volumes i.e. pad with zeroes.

This example shows the default options for the Ceph backup driver.
backup_ceph_conf=/etc/ceph/ceph.conf
backup_ceph_user = cinder
backup_ceph_chunk_size = 134217728
backup_ceph_pool = backups
backup_ceph_stripe_unit = 0
backup_ceph_stripe_count = 0

IBM Tivoli Storage Manager backup driver


The IBM Tivoli Storage Manager (TSM) backup driver enables performing volume backups
to a TSM server.
The TSM client should be installed and configured on the machine running the cinder-backup service. See the IBM Tivoli Storage Manager Backup-Archive Client Installation and User's Guide for details on installing the TSM client.
To enable the IBM TSM backup driver, include the following option in cinder.conf:
backup_driver = cinder.backup.drivers.tsm

The following configuration options are available for the TSM backup driver.

Table 1.35. Description of IBM Tivoli Storage Manager backup driver configuration options

Configuration option = Default value    Description
[DEFAULT]
backup_tsm_compression = True           (BoolOpt) Enable or Disable compression for backups
backup_tsm_password = password          (StrOpt) TSM password for the running username
backup_tsm_volume_prefix = backup       (StrOpt) Volume prefix for the backup id when backing up to TSM

This example shows the default options for the TSM backup driver.
backup_tsm_volume_prefix = backup
backup_tsm_password = password
backup_tsm_compression = True

Swift backup driver


The backup driver for Swift back-end performs a volume backup to a Swift object storage
system.
To enable the Swift backup driver, include the following option in the cinder.conf file:
backup_driver = cinder.backup.drivers.swift

The following configuration options are available for the Swift back-end backup driver.

Table 1.36. Description of Swift backup driver configuration options

Configuration option = Default value                Description
[DEFAULT]
backup_swift_auth = per_user                        (StrOpt) Swift authentication mechanism
backup_swift_container = volumebackups              (StrOpt) The default Swift container to use
backup_swift_key = None                             (StrOpt) Swift key for authentication
backup_swift_object_size = 52428800                 (IntOpt) The size in bytes of Swift backup objects
backup_swift_retry_attempts = 3                     (IntOpt) The number of retries to make for Swift operations
backup_swift_retry_backoff = 2                      (IntOpt) The backoff time in seconds between Swift retries
backup_swift_url = None                             (StrOpt) The URL of the Swift endpoint
backup_swift_user = None                            (StrOpt) Swift user name
swift_catalog_info = object-store:swift:publicURL   (StrOpt) Info to match when looking for swift in the service catalog. Format is : separated values of the form: <service_type>:<service_name>:<endpoint_type> - Only used if backup_swift_url is unset

This example shows the default options for the Swift back-end backup driver.
backup_swift_url = http://localhost:8080/v1/AUTH
backup_swift_auth = per_user
backup_swift_user = <None>
backup_swift_key = <None>
backup_swift_container = volumebackups
backup_swift_object_size = 52428800
backup_swift_retry_attempts = 3
backup_swift_retry_backoff = 2
backup_compression_algorithm = zlib

Block Storage sample configuration files


All the files in this section can be found in /etc/cinder.

cinder.conf
Use the cinder.conf file to configure the majority of the Block Storage service options.
[DEFAULT]
#
# Options defined in oslo.messaging
#
# Use durable queues in amqp. (boolean value)
# Deprecated group/name - [DEFAULT]/rabbit_durable_queues
#amqp_durable_queues=false
# Auto-delete queues in amqp. (boolean value)
#amqp_auto_delete=false
# Size of RPC connection pool. (integer value)
#rpc_conn_pool_size=30
# Qpid broker hostname. (string value)
#qpid_hostname=localhost
# Qpid broker port. (integer value)
#qpid_port=5672
# Qpid HA cluster host:port pairs. (list value)
#qpid_hosts=$qpid_hostname:$qpid_port
# Username for Qpid connection. (string value)
#qpid_username=
# Password for Qpid connection. (string value)
#qpid_password=
# Space separated list of SASL mechanisms to use for auth.
# (string value)
#qpid_sasl_mechanisms=
# Seconds between connection keepalive heartbeats. (integer
# value)
#qpid_heartbeat=60
# Transport to use, either 'tcp' or 'ssl'. (string value)
#qpid_protocol=tcp
# Whether to disable the Nagle algorithm. (boolean value)
#qpid_tcp_nodelay=true
# The number of prefetched messages held by receiver. (integer
# value)
#qpid_receiver_capacity=1
# The qpid topology version to use. Version 1 is what was
# originally used by impl_qpid. Version 2 includes some
# backwards-incompatible changes that allow broker federation
# to work. Users should update to version 2 when they are
# able to take everything down, as it requires a clean break.
# (integer value)
#qpid_topology_version=1
# SSL version to use (valid only if SSL enabled). valid values
# are TLSv1, SSLv23 and SSLv3. SSLv2 may be available on some
# distributions. (string value)
#kombu_ssl_version=
# SSL key file (valid only if SSL enabled). (string value)
#kombu_ssl_keyfile=
# SSL cert file (valid only if SSL enabled). (string value)
#kombu_ssl_certfile=
# SSL certification authority file (valid only if SSL
# enabled). (string value)
#kombu_ssl_ca_certs=
# How long to wait before reconnecting in response to an AMQP
# consumer cancel notification. (floating point value)
#kombu_reconnect_delay=1.0
# The RabbitMQ broker address where a single node is used.
# (string value)
#rabbit_host=localhost
# The RabbitMQ broker port where a single node is used.
# (integer value)
#rabbit_port=5672
# RabbitMQ HA cluster host:port pairs. (list value)
#rabbit_hosts=$rabbit_host:$rabbit_port
# Connect over SSL for RabbitMQ. (boolean value)
#rabbit_use_ssl=false
# The RabbitMQ userid. (string value)
#rabbit_userid=guest
# The RabbitMQ password. (string value)
#rabbit_password=guest
# the RabbitMQ login method (string value)
#rabbit_login_method=AMQPLAIN
# The RabbitMQ virtual host. (string value)
#rabbit_virtual_host=/
# How frequently to retry connecting with RabbitMQ. (integer
# value)
#rabbit_retry_interval=1
# How long to backoff for between retries when connecting to
# RabbitMQ. (integer value)
#rabbit_retry_backoff=2
# Maximum number of RabbitMQ connection retries. Default is 0
# (infinite retry count). (integer value)
#rabbit_max_retries=0
# Use HA queues in RabbitMQ (x-ha-policy: all). If you change
# this option, you must wipe the RabbitMQ database. (boolean
# value)
#rabbit_ha_queues=false
# If passed, use a fake RabbitMQ provider. (boolean value)
#fake_rabbit=false
# ZeroMQ bind address. Should be a wildcard (*), an ethernet
# interface, or IP. The "host" option should point or resolve
# to this address. (string value)
#rpc_zmq_bind_address=*
# MatchMaker driver. (string value)
#rpc_zmq_matchmaker=oslo.messaging._drivers.matchmaker.MatchMakerLocalhost
# ZeroMQ receiver listening port. (integer value)
#rpc_zmq_port=9501
# Number of ZeroMQ contexts, defaults to 1. (integer value)
#rpc_zmq_contexts=1
# Maximum number of ingress messages to locally buffer per
# topic. Default is unlimited. (integer value)
#rpc_zmq_topic_backlog=<None>
# Directory for holding IPC sockets. (string value)
#rpc_zmq_ipc_dir=/var/run/openstack
# Name of this node. Must be a valid hostname, FQDN, or IP
# address. Must match "host" option, if running Nova. (string
# value)
#rpc_zmq_host=cinder
# Seconds to wait before a cast expires (TTL). Only supported
# by impl_zmq. (integer value)
#rpc_cast_timeout=30
# Heartbeat frequency. (integer value)
#matchmaker_heartbeat_freq=300
# Heartbeat time-to-live. (integer value)
#matchmaker_heartbeat_ttl=600
# Size of RPC greenthread pool. (integer value)
#rpc_thread_pool_size=64
# Driver or drivers to handle sending notifications. (multi
# valued)
#notification_driver=
# AMQP topic used for OpenStack notifications. (list value)
# Deprecated group/name - [rpc_notifier2]/topics
#notification_topics=notifications
# Seconds to wait for a response from a call. (integer value)
#rpc_response_timeout=60
# A URL representing the messaging driver to use and its full
# configuration. If not set, we fall back to the rpc_backend
# option and driver specific configuration. (string value)
#transport_url=<None>
# The messaging driver to use, defaults to rabbit. Other
# drivers include qpid and zmq. (string value)
#rpc_backend=rabbit
# The default exchange under which topics are scoped. May be
# overridden by an exchange name specified in the
# transport_url option. (string value)
#control_exchange=openstack

#
# Options defined in cinder.exception
#
# make exception message format errors fatal (boolean value)
#fatal_exception_format_errors=false

#
# Options defined in cinder.policy
#
# JSON file representing policy (string value)
#policy_file=policy.json
# Rule checked when requested rule is not found (string value)
#policy_default_rule=default

#
# Options defined in cinder.quota
#
# number of volumes allowed per project (integer value)
#quota_volumes=10
# number of volume snapshots allowed per project (integer
# value)
#quota_snapshots=10
# number of volume gigabytes (snapshots are also included)
# allowed per project (integer value)
#quota_gigabytes=1000
# number of seconds until a reservation expires (integer
# value)
#reservation_expire=86400
# count of reservations until usage is refreshed (integer
# value)
#until_refresh=0
# number of seconds between subsequent usage refreshes
# (integer value)
#max_age=0
# default driver to use for quota checks (string value)
#quota_driver=cinder.quota.DbQuotaDriver
# whether to use default quota class for default quota
# (boolean value)
#use_default_quota_class=true

#
# Options defined in cinder.service
#
# seconds between nodes reporting state to datastore (integer
# value)
#report_interval=10
# seconds between running periodic tasks (integer value)
#periodic_interval=60
# range of seconds to randomly delay when starting the
# periodic task scheduler to reduce stampeding. (Disable by
# setting to 0) (integer value)
#periodic_fuzzy_delay=60
# IP address for OpenStack Volume API to listen (string value)
#osapi_volume_listen=0.0.0.0
# port for os volume api to listen (integer value)
#osapi_volume_listen_port=8776
# Number of workers for OpenStack Volume API service (integer
# value)
#osapi_volume_workers=<None>

#
# Options defined in cinder.test
#
# File name of clean sqlite db (string value)
#sqlite_clean_db=clean.sqlite

#
# Options defined in cinder.wsgi
#
# Maximum line size of message headers to be accepted.
# max_header_line may need to be increased when using large
# tokens (typically those generated by the Keystone v3 API
# with big service catalogs). (integer value)
#max_header_line=16384
# Sets the value of TCP_KEEPIDLE in seconds for each server
# socket. Not supported on OS X. (integer value)
#tcp_keepidle=600
# CA certificate file to use to verify connecting clients
# (string value)
#ssl_ca_file=<None>
# Certificate file to use when starting the server securely
# (string value)
#ssl_cert_file=<None>
# Private key file to use when starting the server securely
# (string value)
#ssl_key_file=<None>

#
# Options defined in cinder.api.common
#
# the maximum number of items returned in a single response
# from a collection resource (integer value)
#osapi_max_limit=1000
# Base URL that will be presented to users in links to the
# OpenStack Volume API (string value)
# Deprecated group/name - [DEFAULT]/osapi_compute_link_prefix
#osapi_volume_base_URL=<None>

#
# Options defined in cinder.api.middleware.auth
#
# Treat X-Forwarded-For as the canonical remote address. Only
# enable this if you have a sanitizing proxy. (boolean value)
#use_forwarded_for=false

#
# Options defined in cinder.api.middleware.sizelimit
#
# Max size for body of a request (integer value)
#osapi_max_request_body_size=114688

#
# Options defined in cinder.backup.driver
#
# Backup metadata version to be used when backing up volume
# metadata. If this number is bumped, make sure the service
# doing the restore supports the new version. (integer value)
#backup_metadata_version=1

#
# Options defined in cinder.backup.drivers.ceph
#
# Ceph configuration file to use. (string value)
#backup_ceph_conf=/etc/ceph/ceph.conf
# The Ceph user to connect with. Default here is to use the
# same user as for Cinder volumes. If not using cephx this
# should be set to None. (string value)
#backup_ceph_user=cinder
# The chunk size, in bytes, that a backup is broken into
# before transfer to the Ceph object store. (integer value)
#backup_ceph_chunk_size=134217728
# The Ceph pool where volume backups are stored. (string
# value)
#backup_ceph_pool=backups
# RBD stripe unit to use when creating a backup image.
# (integer value)
#backup_ceph_stripe_unit=0
# RBD stripe count to use when creating a backup image.
# (integer value)
#backup_ceph_stripe_count=0
# If True, always discard excess bytes when restoring volumes
# i.e. pad with zeroes. (boolean value)
#restore_discard_excess_bytes=true

#
# Options defined in cinder.backup.drivers.swift
#
# The URL of the Swift endpoint (string value)
#backup_swift_url=http://localhost:8080/v1/AUTH_
# Swift authentication mechanism (string value)
#backup_swift_auth=per_user
# Swift user name (string value)
#backup_swift_user=<None>
# Swift key for authentication (string value)
#backup_swift_key=<None>
# The default Swift container to use (string value)
#backup_swift_container=volumebackups
# The size in bytes of Swift backup objects (integer value)
#backup_swift_object_size=52428800
# The number of retries to make for Swift operations (integer
# value)
#backup_swift_retry_attempts=3
# The backoff time in seconds between Swift retries (integer
# value)
#backup_swift_retry_backoff=2
# Compression algorithm (None to disable) (string value)
#backup_compression_algorithm=zlib

#
# Options defined in cinder.backup.drivers.tsm
#
# Volume prefix for the backup id when backing up to TSM
# (string value)
#backup_tsm_volume_prefix=backup
# TSM password for the running username (string value)
#backup_tsm_password=password
# Enable or Disable compression for backups (boolean value)
#backup_tsm_compression=true

#
# Options defined in cinder.backup.manager
#
# Driver to use for backups. (string value)
# Deprecated group/name - [DEFAULT]/backup_service
#backup_driver=cinder.backup.drivers.swift

#
# Options defined in cinder.common.config
#
# File name for the paste.deploy config for cinder-api (string
# value)
#api_paste_config=api-paste.ini
# Top-level directory for maintaining cinder's state (string
# value)
# Deprecated group/name - [DEFAULT]/pybasedir
#state_path=/var/lib/cinder
# ip address of this host (string value)
#my_ip=10.0.0.1
# default glance hostname or ip (string value)
#glance_host=$my_ip
# default glance port (integer value)
#glance_port=9292
# A list of the glance api servers available to cinder
# ([hostname|ip]:port) (list value)
#glance_api_servers=$glance_host:$glance_port
# Version of the glance api to use (integer value)
#glance_api_version=1
# Number of retries when downloading an image from glance
# (integer value)
#glance_num_retries=0
# Allow to perform insecure SSL (https) requests to glance
# (boolean value)
#glance_api_insecure=false
# Whether to attempt to negotiate SSL layer compression when
# using SSL (https) requests. Set to False to disable SSL
# layer compression. In some cases disabling this may improve
# data throughput, eg when high network bandwidth is available
# and you are using already compressed image formats such as
# qcow2 . (boolean value)
#glance_api_ssl_compression=false
# http/https timeout value for glance operations. If no value
# (None) is supplied here, the glanceclient default value is
# used. (integer value)
#glance_request_timeout=<None>
# the topic scheduler nodes listen on (string value)
#scheduler_topic=cinder-scheduler
# the topic volume nodes listen on (string value)
#volume_topic=cinder-volume
# the topic volume backup nodes listen on (string value)
#backup_topic=cinder-backup
# Deploy v1 of the Cinder API. (boolean value)
#enable_v1_api=true
# Deploy v2 of the Cinder API. (boolean value)
#enable_v2_api=true
# whether to rate limit the api (boolean value)
#api_rate_limit=true
# Specify list of extensions to load when using
# osapi_volume_extension option with
# cinder.api.contrib.select_extensions (list value)
#osapi_volume_ext_list=
# osapi volume extension to load (multi valued)
#osapi_volume_extension=cinder.api.contrib.standard_extensions
# full class name for the Manager for volume (string value)
#volume_manager=cinder.volume.manager.VolumeManager
# full class name for the Manager for volume backup (string
# value)
#backup_manager=cinder.backup.manager.BackupManager
# full class name for the Manager for scheduler (string value)
#scheduler_manager=cinder.scheduler.manager.SchedulerManager
# Name of this node. This can be an opaque identifier. It is
# not necessarily a hostname, FQDN, or IP address. (string
# value)
#host=cinder
# availability zone of this node (string value)
#storage_availability_zone=nova
# default availability zone to use when creating a new volume.
# If this is not set then we use the value from the
# storage_availability_zone option as the default
# availability_zone for new volumes. (string value)
#default_availability_zone=<None>
# default volume type to use (string value)
#default_volume_type=<None>
# time period to generate volume usages for. Time period must
# be hour, day, month or year (string value)
#volume_usage_audit_period=month
# Path to the rootwrap configuration file to use for running
# commands as root (string value)
#rootwrap_config=/etc/cinder/rootwrap.conf
# Enable monkey patching (boolean value)
#monkey_patch=false
# List of modules/decorators to monkey patch (list value)
#monkey_patch_modules=
# maximum time since last check-in for up service (integer
# value)
#service_down_time=60
# The full class name of the volume API class to use (string
# value)
#volume_api_class=cinder.volume.api.API
# The full class name of the volume backup API class (string
# value)
#backup_api_class=cinder.backup.api.API
# The strategy to use for auth. Supports noauth, keystone, and
# deprecated. (string value)
#auth_strategy=noauth
# A list of backend names to use. These backend names should
# be backed by a unique [CONFIG] group with its options (list
# value)
#enabled_backends=<None>
# Whether snapshots count against GigaByte quota (boolean
# value)
#no_snapshot_gb_quota=false
# The full class name of the volume transfer API class (string
# value)
#transfer_api_class=cinder.transfer.api.API

#
# Options defined in cinder.compute
#
# The full class name of the compute API class to use (string
# value)
#compute_api_class=cinder.compute.nova.API

#
# Options defined in cinder.compute.nova
#
# Info to match when looking for nova in the service catalog.
# Format is : separated values of the form:
# <service_type>:<service_name>:<endpoint_type> (string value)
#nova_catalog_info=compute:nova:publicURL
# Same as nova_catalog_info, but for admin endpoint. (string
# value)
#nova_catalog_admin_info=compute:nova:adminURL
# Override service catalog lookup with template for nova
# endpoint e.g. http://localhost:8774/v2/%(project_id)s
# (string value)
#nova_endpoint_template=<None>
# Same as nova_endpoint_template, but for admin endpoint.
# (string value)
#nova_endpoint_admin_template=<None>
# region name of this node (string value)
#os_region_name=<None>
# Location of ca certificates file to use for nova client
# requests. (string value)
#nova_ca_certificates_file=<None>
# Allow to perform insecure SSL requests to nova (boolean
# value)
#nova_api_insecure=false

#
# Options defined in cinder.db.api
#
# The backend to use for db (string value)
#db_backend=sqlalchemy
# Services to be added to the available pool on create
# (boolean value)
#enable_new_services=true
# Template string to be used to generate volume names (string
# value)
#volume_name_template=volume-%s
# Template string to be used to generate snapshot names
# (string value)
#snapshot_name_template=snapshot-%s
# Template string to be used to generate backup names (string
# value)
#backup_name_template=backup-%s

#
# Options defined in cinder.db.base
#
# driver to use for database access (string value)
#db_driver=cinder.db

#
# Options defined in cinder.image.glance
#
# A list of url schemes that can be downloaded directly via
# the direct_url. Currently supported schemes: [file]. (list
# value)
#allowed_direct_url_schemes=

#
# Options defined in cinder.image.image_utils
#
# Directory used for temporary storage during image conversion
# (string value)
#image_conversion_dir=$state_path/conversion

#
# Options defined in cinder.openstack.common.db.sqlalchemy.session
#
# the filename to use with sqlite (string value)
#sqlite_db=cinder.sqlite
# If true, use synchronous mode for sqlite (boolean value)
#sqlite_synchronous=true

#
# Options defined in cinder.openstack.common.eventlet_backdoor
#
# Enable eventlet backdoor. Acceptable values are 0, <port>,
# and <start>:<end>, where 0 results in listening on a random
# tcp port number; <port> results in listening on the
# specified port number (and not enabling backdoor if that
# port is in use); and <start>:<end> results in listening on
# the smallest unused port number within the specified range
# of port numbers. The chosen port is displayed in the
# service's log file. (string value)
#backdoor_port=<None>

#
# Options defined in cinder.openstack.common.lockutils
#
# Whether to disable inter-process locks (boolean value)
#disable_process_locking=false
# Directory to use for lock files. Default to a temp directory
# (string value)
#lock_path=<None>

#
# Options defined in cinder.openstack.common.log
#
# Print debugging output (set logging level to DEBUG instead
# of default WARNING level). (boolean value)
#debug=false
# Print more verbose output (set logging level to INFO instead
# of default WARNING level). (boolean value)
#verbose=false
# Log output to standard error (boolean value)
#use_stderr=true
# Format string to use for log messages with context (string
# value)
#logging_context_format_string=%(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [%(request_id)s %(user_identity)s] %(instance)s%(message)s
# Format string to use for log messages without context
# (string value)
#logging_default_format_string=%(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [-] %(instance)s%(message)s
# Data to append to log format when level is DEBUG (string
# value)
#logging_debug_format_suffix=%(funcName)s %(pathname)s:%(lineno)d
# Prefix each line of exception output with this format
# (string value)
#logging_exception_prefix=%(asctime)s.%(msecs)03d %(process)d TRACE %(name)s %(instance)s
# List of logger=LEVEL pairs (list value)
#default_log_levels=amqp=WARN,amqplib=WARN,boto=WARN,qpid=WARN,sqlalchemy=WARN,suds=INFO,oslo.messaging=INFO,iso8601=WARN,requests.packages.urllib3.connectionpool=WARN
# Publish error events (boolean value)
#publish_errors=false
# Make deprecations fatal (boolean value)
#fatal_deprecations=false
# If an instance is passed with the log message, format it
# like this (string value)
#instance_format="[instance: %(uuid)s] "
# If an instance UUID is passed with the log message, format
# it like this (string value)
#instance_uuid_format="[instance: %(uuid)s] "
# The name of logging configuration file. It does not disable
# existing loggers, but just appends specified logging
# configuration to any other existing logging options. Please
# see the Python logging module documentation for details on
# logging configuration files. (string value)
# Deprecated group/name - [DEFAULT]/log_config
#log_config_append=<None>
# DEPRECATED. A logging.Formatter log message format string
# which may use any of the available logging.LogRecord
# attributes. This option is deprecated. Please use
# logging_context_format_string and
# logging_default_format_string instead. (string value)
#log_format=<None>
# Format string for %%(asctime)s in log records. Default:
# %(default)s (string value)
#log_date_format=%Y-%m-%d %H:%M:%S
# (Optional) Name of log file to output to. If no default is
# set, logging will go to stdout. (string value)
# Deprecated group/name - [DEFAULT]/logfile
#log_file=<None>
# (Optional) The base directory used for relative --log-file
# paths (string value)
# Deprecated group/name - [DEFAULT]/logdir
#log_dir=<None>
# Use syslog for logging. Existing syslog format is DEPRECATED
# during I, and then will be changed in J to honor RFC5424
# (boolean value)
#use_syslog=false
# (Optional) Use syslog rfc5424 format for logging. If
# enabled, will add APP-NAME (RFC5424) before the MSG part of
# the syslog message. The old format without APP-NAME is
# deprecated in I, and will be removed in J. (boolean value)
#use_syslog_rfc_format=false
# Syslog facility to receive log lines (string value)
#syslog_log_facility=LOG_USER

#
# Options defined in cinder.openstack.common.periodic_task
#
# Some periodic tasks can be run in a separate process. Should
# we run them here? (boolean value)
#run_external_periodic_tasks=true

#
# Options defined in cinder.scheduler.driver
#
# The scheduler host manager class to use (string value)
#scheduler_host_manager=cinder.scheduler.host_manager.HostManager
# Maximum number of attempts to schedule a volume (integer
# value)
#scheduler_max_attempts=3

#
# Options defined in cinder.scheduler.host_manager
#
# Which filter class names to use for filtering hosts when not
# specified in the request. (list value)
#scheduler_default_filters=AvailabilityZoneFilter,CapacityFilter,CapabilitiesFilter
# Which weigher class names to use for weighing hosts. (list
# value)
#scheduler_default_weighers=CapacityWeigher

#
# Options defined in cinder.scheduler.manager
#
# Default scheduler driver to use (string value)
#scheduler_driver=cinder.scheduler.filter_scheduler.FilterScheduler

#
# Options defined in cinder.scheduler.scheduler_options
#
# Absolute path to scheduler configuration JSON file. (string
# value)
#scheduler_json_config_location=

#
# Options defined in cinder.scheduler.simple
#
# This configure option has been deprecated along with the
# SimpleScheduler. New scheduler is able to gather capacity
# information for each host, thus setting the maximum number
# of volume gigabytes for host is no longer needed. It's safe
# to remove this configure from cinder.conf. (integer value)
#max_gigabytes=10000

#
# Options defined in cinder.scheduler.weights.capacity
#
# Multiplier used for weighing volume capacity. Negative
# numbers mean to stack vs spread. (floating point value)
#capacity_weight_multiplier=1.0
# Multiplier used for weighing volume capacity. Negative
# numbers mean to stack vs spread. (floating point value)
#allocated_capacity_weight_multiplier=-1.0

#
# Options defined in cinder.transfer.api
#
# The number of characters in the salt. (integer value)
#volume_transfer_salt_length=8
# The number of characters in the autogenerated auth key.
# (integer value)
#volume_transfer_key_length=16

#
# Options defined in cinder.volume.api
#
# Create volume from snapshot at the host where snapshot
# resides (boolean value)
#snapshot_same_host=true
# Ensure that the new volumes are the same AZ as snapshot or
# source volume (boolean value)
#cloned_volume_same_az=true

#
# Options defined in cinder.volume.driver
#

# The maximum number of times to rescan iSER target to find
# volume (integer value)
#num_iser_scan_tries=3
# The maximum number of iser target ids per host (integer
# value)
#iser_num_targets=100
# prefix for iser volumes (string value)
#iser_target_prefix=iqn.2010-10.org.iser.openstack:
# The IP address that the iSER daemon is listening on (string
# value)
#iser_ip_address=$my_ip
# The port that the iSER daemon is listening on (integer
# value)
#iser_port=3260
# iser target user-land tool to use (string value)
#iser_helper=tgtadm
# number of times to attempt to run flakey shell commands
# (integer value)
#num_shell_tries=3
# The percentage of backend capacity that is reserved (integer
# value)
#reserved_percentage=0
# The maximum number of iscsi target ids per host (integer
# value)
#iscsi_num_targets=100
# prefix for iscsi volumes (string value)
#iscsi_target_prefix=iqn.2010-10.org.openstack:
# The IP address that the iSCSI daemon is listening on (string
# value)
#iscsi_ip_address=$my_ip
# The port that the iSCSI daemon is listening on (integer
# value)
#iscsi_port=3260
# The maximum number of times to rescan targets to find volume
# (integer value)
# Deprecated group/name - [DEFAULT]/num_iscsi_scan_tries
#num_volume_device_scan_tries=3
# The backend name for a given driver implementation (string
# value)
#volume_backend_name=<None>
# Do we attach/detach volumes in cinder using multipath for
# volume to image and image to volume transfers? (boolean
# value)
#use_multipath_for_image_xfer=false

# Method used to wipe old volumes (valid options are: none,
# zero, shred) (string value)
#volume_clear=zero
# Size in MiB to wipe at start of old volumes. 0 => all
# (integer value)
#volume_clear_size=0
# The flag to pass to ionice to alter the i/o priority of the
# process used to zero a volume after deletion, for example
# "-c3" for idle only priority. (string value)
#volume_clear_ionice=<None>
# iscsi target user-land tool to use (string value)
#iscsi_helper=tgtadm
# Volume configuration file storage directory (string value)
#volumes_dir=$state_path/volumes
# IET configuration file (string value)
#iet_conf=/etc/iet/ietd.conf
# Comma-separated list of initiator IQNs allowed to connect to
# the iSCSI target. (From Nova compute nodes.) (string value)
#lio_initiator_iqns=
# Sets the behavior of the iSCSI target to either perform
# blockio or fileio optionally, auto can be set and Cinder
# will autodetect type of backing device (string value)
#iscsi_iotype=fileio
# The default block size used when copying/clearing volumes
# (string value)
#volume_dd_blocksize=1M

#
# Options defined in cinder.volume.drivers.block_device
#
# List of all available devices (list value)
#available_devices=

#
# Options defined in cinder.volume.drivers.coraid
#
# IP address of Coraid ESM (string value)
#coraid_esm_address=
# User name to connect to Coraid ESM (string value)
#coraid_user=admin
# Name of group on Coraid ESM to which coraid_user belongs
# (must have admin privilege) (string value)
#coraid_group=admin
# Password to connect to Coraid ESM (string value)
#coraid_password=password

# Volume Type key name to store ESM Repository Name (string
# value)
#coraid_repository_key=coraid_repository

#
# Options defined in cinder.volume.drivers.emc.emc_smis_common
#
# use this file for cinder emc plugin config data (string
# value)
#cinder_emc_config_file=/etc/cinder/cinder_emc_config.xml

#
# Options defined in cinder.volume.drivers.emc.emc_vnx_cli
#
# Naviseccli Path (string value)
#naviseccli_path=
# ISCSI pool name (string value)
#storage_vnx_pool_name=<None>
# Default Time Out For CLI operations in minutes (integer
# value)
#default_timeout=20
# Default max number of LUNs in a storage group (integer
# value)
#max_luns_per_storage_group=256

#
# Options defined in cinder.volume.drivers.eqlx
#
# Group name to use for creating volumes (string value)
#eqlx_group_name=group-0
# Timeout for the Group Manager cli command execution (integer
# value)
#eqlx_cli_timeout=30
# Maximum retry count for reconnection (integer value)
#eqlx_cli_max_retries=5
# Use CHAP authentication for targets? (boolean value)
#eqlx_use_chap=false
# Existing CHAP account name (string value)
#eqlx_chap_login=admin
# Password for specified CHAP account name (string value)
#eqlx_chap_password=password
# Pool in which volumes will be created (string value)
#eqlx_pool=default

#
# Options defined in cinder.volume.drivers.glusterfs
#
# File with the list of available gluster shares (string
# value)
#glusterfs_shares_config=/etc/cinder/glusterfs_shares
# Create volumes as sparse files which take no space. If set
# to False, the volume is created as a regular file. In that
# case volume creation takes a lot of time. (boolean value)
#glusterfs_sparsed_volumes=true
# Create volumes as QCOW2 files rather than raw files.
# (boolean value)
#glusterfs_qcow2_volumes=false
# Base dir containing mount points for gluster shares. (string
# value)
#glusterfs_mount_point_base=$state_path/mnt

#
# Options defined in cinder.volume.drivers.hds.hds
#
# configuration file for HDS cinder plugin for HUS (string
# value)
#hds_cinder_config_file=/opt/hds/hus/cinder_hus_conf.xml

#
# Options defined in cinder.volume.drivers.huawei
#
# config data for cinder huawei plugin (string value)
#cinder_huawei_conf_file=/etc/cinder/cinder_huawei_conf.xml

#
# Options defined in cinder.volume.drivers.ibm.gpfs
#
# Specifies the path of the GPFS directory where Block Storage
# volume and snapshot files are stored. (string value)
#gpfs_mount_point_base=<None>
# Specifies the path of the Image service repository in GPFS.
# Leave undefined if not storing images in GPFS. (string
# value)
#gpfs_images_dir=<None>
# Specifies the type of image copy to be used. Set this when
# the Image service repository also uses GPFS so that image
# files can be transferred efficiently from the Image service
# to the Block Storage service. There are two valid values:
# "copy" specifies that a full copy of the image is made;
# "copy_on_write" specifies that copy-on-write optimization
# strategy is used and unmodified blocks of the image file are
# shared efficiently. (string value)
#gpfs_images_share_mode=<None>
# Specifies an upper limit on the number of indirections
# required to reach a specific block due to snapshots or
# clones. A lengthy chain of copy-on-write snapshots or
# clones can have a negative impact on performance, but
# improves space utilization. 0 indicates unlimited clone
# depth. (integer value)
#gpfs_max_clone_depth=0
# Specifies that volumes are created as sparse files which
# initially consume no space. If set to False, the volume is
# created as a fully allocated file, in which case, creation
# may take a significantly longer time. (boolean value)
#gpfs_sparse_volumes=true
# Specifies the storage pool that volumes are assigned to. By
# default, the system storage pool is used. (string value)
#gpfs_storage_pool=<None>

#
# Options defined in cinder.volume.drivers.ibm.storwize_svc
#
# Storage system storage pool for volumes (string value)
#storwize_svc_volpool_name=volpool
# Storage system space-efficiency parameter for volumes
# (percentage) (integer value)
#storwize_svc_vol_rsize=2
# Storage system threshold for volume capacity warnings
# (percentage) (integer value)
#storwize_svc_vol_warning=0
# Storage system autoexpand parameter for volumes (True/False)
# (boolean value)
#storwize_svc_vol_autoexpand=true
# Storage system grain size parameter for volumes
# (32/64/128/256) (integer value)
#storwize_svc_vol_grainsize=256
# Storage system compression option for volumes (boolean
# value)
#storwize_svc_vol_compression=false
# Enable Easy Tier for volumes (boolean value)
#storwize_svc_vol_easytier=true
# The I/O group in which to allocate volumes (integer value)
#storwize_svc_vol_iogrp=0
# Maximum number of seconds to wait for FlashCopy to be
# prepared. Maximum value is 600 seconds (10 minutes) (integer
# value)
#storwize_svc_flashcopy_timeout=120

# Connection protocol (iSCSI/FC) (string value)
#storwize_svc_connection_protocol=iSCSI
# Configure CHAP authentication for iSCSI connections
# (Default: Enabled) (boolean value)
#storwize_svc_iscsi_chap_enabled=true
# Connect with multipath (FC only; iSCSI multipath is
# controlled by Nova) (boolean value)
#storwize_svc_multipath_enabled=false
# Allows vdisk to multi host mapping (boolean value)
#storwize_svc_multihostmap_enabled=true

#
# Options defined in cinder.volume.drivers.ibm.xiv_ds8k
#
# Proxy driver that connects to the IBM Storage Array (string
# value)
#xiv_ds8k_proxy=xiv_ds8k_openstack.nova_proxy.XIVDS8KNovaProxy
# Connection type to the IBM Storage Array
# (fibre_channel|iscsi) (string value)
#xiv_ds8k_connection_type=iscsi
# CHAP authentication mode, effective only for iscsi
# (disabled|enabled) (string value)
#xiv_chap=disabled

#
# Options defined in cinder.volume.drivers.lvm
#
# Name for the VG that will contain exported volumes (string
# value)
#volume_group=cinder-volumes
# If set, create lvms with multiple mirrors. Note that this
# requires lvm_mirrors + 2 pvs with available space (integer
# value)
#lvm_mirrors=0
# Type of LVM volumes to deploy; (default or thin) (string
# value)
#lvm_type=default

#
# Options defined in cinder.volume.drivers.netapp.options
#
# The vFiler unit on which provisioning of block storage
# volumes will be done. This option is only used by the driver
# when connecting to an instance with a storage family of Data
# ONTAP operating in 7-Mode and the storage protocol selected
# is iSCSI. Only use this option when utilizing the MultiStore
# feature on the NetApp storage system. (string value)
#netapp_vfiler=<None>
# Administrative user account name used to access the storage
# system or proxy server. (string value)
#netapp_login=<None>
# Password for the administrative user account specified in
# the netapp_login option. (string value)
#netapp_password=<None>
# This option specifies the virtual storage server (Vserver)
# name on the storage cluster on which provisioning of block
# storage volumes should occur. If using the NFS storage
# protocol, this parameter is mandatory for storage service
# catalog support (utilized by Cinder volume type extra_specs
# support). If this option is specified, the exports belonging
# to the Vserver will only be used for provisioning in the
# future. Block storage volumes on exports not belonging to
# the Vserver specified by this option will continue to
# function normally. (string value)
#netapp_vserver=<None>
# The hostname (or IP address) for the storage system or proxy
# server. (string value)
#netapp_server_hostname=<None>
# The TCP port to use for communication with the storage
# system or proxy server. Traditionally, port 80 is used for
# HTTP and port 443 is used for HTTPS; however, this value
# should be changed if an alternate port has been configured
# on the storage system or proxy server. (integer value)
#netapp_server_port=80
# This option is used to specify the path to the E-Series
# proxy application on a proxy server. The value is combined
# with the value of the netapp_transport_type,
# netapp_server_hostname, and netapp_server_port options to
# create the URL used by the driver to connect to the proxy
# application. (string value)
#netapp_webservice_path=/devmgr/v2
# This option is only utilized when the storage family is
# configured to eseries. This option is used to restrict
# provisioning to the specified controllers. Specify the value
# of this option to be a comma separated list of controller
# hostnames or IP addresses to be used for provisioning.
# (string value)
#netapp_controller_ips=<None>
# Password for the NetApp E-Series storage array. (string
# value)
#netapp_sa_password=<None>
# This option is used to restrict provisioning to the
# specified storage pools. Only dynamic disk pools are
# currently supported. Specify the value of this option to be
# a comma separated list of disk pool names to be used for
# provisioning. (string value)
#netapp_storage_pools=<None>

# If the percentage of available space for an NFS share has
# dropped below the value specified by this option, the NFS
# image cache will be cleaned. (integer value)
#thres_avl_size_perc_start=20
# When the percentage of available space on an NFS share has
# reached the percentage specified by this option, the driver
# will stop clearing files from the NFS image cache that have
# not been accessed in the last M minutes, where M is the
# value of the expiry_thres_minutes configuration option.
# (integer value)
#thres_avl_size_perc_stop=60
# This option specifies the threshold for last access time for
# images in the NFS image cache. When a cache cleaning cycle
# begins, images in the cache that have not been accessed in
# the last M minutes, where M is the value of this parameter,
# will be deleted from the cache to create free space on the
# NFS share. (integer value)
#expiry_thres_minutes=720
# This option specifies the path of the NetApp copy offload
# tool binary. Ensure that the binary has execute permissions
# set which allow the effective user of the cinder-volume
# process to execute the file. (string value)
#netapp_copyoffload_tool_path=<None>
# The quantity to be multiplied by the requested volume size
# to ensure enough space is available on the virtual storage
# server (Vserver) to fulfill the volume creation request.
# (floating point value)
#netapp_size_multiplier=1.2
# This option is only utilized when the storage protocol is
# configured to use iSCSI. This option is used to restrict
# provisioning to the specified controller volumes. Specify
# the value of this option to be a comma separated list of
# NetApp controller volume names to be used for provisioning.
# (string value)
#netapp_volume_list=<None>
# The storage family type used on the storage system; valid
# values are ontap_7mode for using Data ONTAP operating in
# 7-Mode, ontap_cluster for using clustered Data ONTAP, or
# eseries for using E-Series. (string value)
#netapp_storage_family=ontap_cluster
# The storage protocol to be used on the data path with the
# storage system; valid values are iscsi or nfs. (string
# value)
#netapp_storage_protocol=<None>
# The transport protocol used when communicating with the
# storage system or proxy server. Valid values are http or
# https. (string value)
#netapp_transport_type=http

#
# Options defined in cinder.volume.drivers.nexenta.options
#
# IP address of Nexenta SA (string value)
#nexenta_host=
# HTTP port to connect to Nexenta REST API server (integer
# value)
#nexenta_rest_port=2000
# Use http or https for REST connection (default auto) (string
# value)
#nexenta_rest_protocol=auto
# User name to connect to Nexenta SA (string value)
#nexenta_user=admin
# Password to connect to Nexenta SA (string value)
#nexenta_password=nexenta
# Nexenta target portal port (integer value)
#nexenta_iscsi_target_portal_port=3260
# pool on SA that will hold all volumes (string value)
#nexenta_volume=cinder
# IQN prefix for iSCSI targets (string value)
#nexenta_target_prefix=iqn.1986-03.com.sun:02:cinder-
# prefix for iSCSI target groups on SA (string value)
#nexenta_target_group_prefix=cinder/
# File with the list of available nfs shares (string value)
#nexenta_shares_config=/etc/cinder/nfs_shares
# Base dir containing mount points for nfs shares (string
# value)
#nexenta_mount_point_base=$state_path/mnt
# Create volumes as sparse files which take no space. If set
# to False, the volume is created as a regular file. In that
# case volume creation takes a lot of time. (boolean value)
#nexenta_sparsed_volumes=true
# Default compression value for new ZFS folders. (string
# value)
#nexenta_volume_compression=on
# If set True cache NexentaStor appliance volroot option
# value. (boolean value)
#nexenta_nms_cache_volroot=true
# Enable stream compression, level 1..9. 1 - gives best speed;
# 9 - gives best compression. (integer value)
#nexenta_rrmgr_compression=0
# TCP Buffer size in KiloBytes. (integer value)
#nexenta_rrmgr_tcp_buf_size=4096
# Number of TCP connections. (integer value)
#nexenta_rrmgr_connections=2

# block size for volumes (blank=default,8KB) (string value)
#nexenta_blocksize=
# flag to create sparse volumes (boolean value)
#nexenta_sparse=false

#
# Options defined in cinder.volume.drivers.nfs
#
# IP address or Hostname of NAS system. (string value)
#nas_ip=
# User name to connect to NAS system. (string value)
#nas_login=admin
# Password to connect to NAS system. (string value)
#nas_password=
# SSH port to use to connect to NAS system. (integer value)
#nas_ssh_port=22
# Filename of private key to use for SSH authentication.
# (string value)
#nas_private_key=
# File with the list of available nfs shares (string value)
#nfs_shares_config=/etc/cinder/nfs_shares
# Create volumes as sparse files which take no space. If set
# to False, the volume is created as a regular file. In that
# case volume creation takes a lot of time. (boolean value)
#nfs_sparsed_volumes=true
# Percent of ACTUAL usage of the underlying volume before no
# new volumes can be allocated to the volume destination.
# (floating point value)
#nfs_used_ratio=0.95
# This will compare the allocated to available space on the
# volume destination. If the ratio exceeds this number, the
# destination will no longer be valid. (floating point value)
#nfs_oversub_ratio=1.0
# Base dir containing mount points for nfs shares. (string
# value)
#nfs_mount_point_base=$state_path/mnt
# Mount options passed to the nfs client. See section of the
# nfs man page for details. (string value)
#nfs_mount_options=<None>

#
# Options defined in cinder.volume.drivers.rbd
#
# the RADOS pool in which rbd volumes are stored (string
# value)
#rbd_pool=rbd
# the RADOS client name for accessing rbd volumes - only set
# when using cephx authentication (string value)
#rbd_user=<None>
# path to the ceph configuration file to use (string value)
#rbd_ceph_conf=
# flatten volumes created from snapshots to remove dependency
# (boolean value)
#rbd_flatten_volume_from_snapshot=false
# the libvirt uuid of the secret for the rbd_user volumes
# (string value)
#rbd_secret_uuid=<None>
# where to store temporary image files if the volume driver
# does not write them directly to the volume (string value)
#volume_tmp_dir=<None>
# maximum number of nested clones that can be taken of a
# volume before enforcing a flatten prior to next clone. A
# value of zero disables cloning (integer value)
#rbd_max_clone_depth=5

#
# Options defined in cinder.volume.drivers.san.hp.hp_3par_common
#
# 3PAR WSAPI Server Url like https://<3par ip>:8080/api/v1
# (string value)
#hp3par_api_url=
# 3PAR Super user username (string value)
#hp3par_username=
# 3PAR Super user password (string value)
#hp3par_password=
# The CPG to use for volume creation (string value)
#hp3par_cpg=OpenStack
# The CPG to use for Snapshots for volumes. If empty
# hp3par_cpg will be used (string value)
#hp3par_cpg_snap=
# The time in hours to retain a snapshot. You can't delete it
# before this expires. (string value)
#hp3par_snapshot_retention=
# The time in hours when a snapshot expires and is deleted.
# This must be larger than expiration (string value)
#hp3par_snapshot_expiration=
# Enable HTTP debugging to 3PAR (boolean value)
#hp3par_debug=false

# List of target iSCSI addresses to use. (list value)
#hp3par_iscsi_ips=

#
# Options defined in cinder.volume.drivers.san.hp.hp_lefthand_rest_proxy
#
# HP LeftHand WSAPI Server Url like https://<LeftHand
# ip>:8081/lhos (string value)
#hplefthand_api_url=<None>
# HP LeftHand Super user username (string value)
#hplefthand_username=<None>
# HP LeftHand Super user password (string value)
#hplefthand_password=<None>
# HP LeftHand cluster name (string value)
#hplefthand_clustername=<None>
# Configure CHAP authentication for iSCSI connections
# (Default: Disabled) (boolean value)
#hplefthand_iscsi_chap_enabled=false
# Enable HTTP debugging to LeftHand (boolean value)
#hplefthand_debug=false

#
# Options defined in cinder.volume.drivers.san.hp.hp_msa_common
#
# The VDisk to use for volume creation. (string value)
#msa_vdisk=OpenStack

#
# Options defined in cinder.volume.drivers.san.san
#
# Use thin provisioning for SAN volumes? (boolean value)
#san_thin_provision=true
# IP address of SAN controller (string value)
#san_ip=
# Username for SAN controller (string value)
#san_login=admin
# Password for SAN controller (string value)
#san_password=
# Filename of private key to use for SSH authentication
# (string value)
#san_private_key=
# Cluster name to use for creating volumes (string value)
#san_clustername=

# SSH port to use with SAN (integer value)
#san_ssh_port=22
# Execute commands locally instead of over SSH; use if the
# volume service is running on the SAN device (boolean value)
#san_is_local=false
# SSH connection timeout in seconds (integer value)
#ssh_conn_timeout=30
# Minimum ssh connections in the pool (integer value)
#ssh_min_pool_conn=1
# Maximum ssh connections in the pool (integer value)
#ssh_max_pool_conn=5

#
# Options defined in cinder.volume.drivers.san.solaris
#
# The ZFS path under which to create zvols for volumes.
# (string value)
#san_zfs_volume_base=rpool/

#
# Options defined in cinder.volume.drivers.scality
#
# Path or URL to Scality SOFS configuration file (string
# value)
#scality_sofs_config=<None>
# Base dir where Scality SOFS shall be mounted (string value)
#scality_sofs_mount_point=$state_path/scality
# Path from Scality SOFS root to volume dir (string value)
#scality_sofs_volume_dir=cinder/volumes

#
# Options defined in cinder.volume.drivers.solidfire
#
# Set 512 byte emulation on volume creation; (boolean value)
#sf_emulate_512=true
# Allow tenants to specify QOS on create (boolean value)
#sf_allow_tenant_qos=false
# Create SolidFire accounts with this prefix. Any string can
# be used here, but the string "hostname" is special and will
# create a prefix using the cinder node hostname (previous
# default behavior). The default is NO prefix. (string value)
#sf_account_prefix=<None>
# SolidFire API port. Useful if the device api is behind a
# proxy on a different port. (integer value)
#sf_api_port=443

#
# Options defined in cinder.volume.drivers.vmware.vmdk
#
# IP address for connecting to VMware ESX/VC server. (string
# value)
#vmware_host_ip=<None>
# Username for authenticating with VMware ESX/VC server.
# (string value)
#vmware_host_username=<None>
# Password for authenticating with VMware ESX/VC server.
# (string value)
#vmware_host_password=<None>
# Optional VIM service WSDL Location e.g
# http://<server>/vimService.wsdl. Optional over-ride to
# default location for bug work-arounds. (string value)
#vmware_wsdl_location=<None>
# Number of times VMware ESX/VC server API must be retried
# upon connection related issues. (integer value)
#vmware_api_retry_count=10
# The interval (in seconds) for polling remote tasks invoked
# on VMware ESX/VC server. (integer value)
#vmware_task_poll_interval=5
# Name for the folder in the VC datacenter that will contain
# cinder volumes. (string value)
#vmware_volume_folder=cinder-volumes
# Timeout in seconds for VMDK volume transfer between Cinder
# and Glance. (integer value)
#vmware_image_transfer_timeout_secs=7200
# Max number of objects to be retrieved per batch. Query
# results will be obtained in batches from the server and not
# in one shot. Server may still limit the count to something
# less than the configured value. (integer value)
#vmware_max_objects_retrieval=100
# Optional string specifying the VMware VC server version. The
# driver attempts to retrieve the version from VMware VC
# server. Set this configuration only if you want to override
# the VC server version. (string value)
#vmware_host_version=<None>

#
# Options defined in cinder.volume.drivers.windows.windows
#
# Path to store VHD backed volumes (string value)
#windows_iscsi_lun_path=C:\iSCSIVirtualDisks

#
# Options defined in cinder.volume.drivers.xenapi.sm
#
# NFS server to be used by XenAPINFSDriver (string value)
#xenapi_nfs_server=<None>
# Path of exported NFS, used by XenAPINFSDriver (string value)
#xenapi_nfs_serverpath=<None>
# URL for XenAPI connection (string value)
#xenapi_connection_url=<None>
# Username for XenAPI connection (string value)
#xenapi_connection_username=root
# Password for XenAPI connection (string value)
#xenapi_connection_password=<None>
# Base path to the storage repository (string value)
#xenapi_sr_base_path=/var/run/sr-mount

#
# Options defined in cinder.volume.drivers.zadara
#
# Management IP of Zadara VPSA (string value)
#zadara_vpsa_ip=<None>
# Zadara VPSA port number (string value)
#zadara_vpsa_port=<None>
# Use SSL connection (boolean value)
#zadara_vpsa_use_ssl=false
# User name for the VPSA (string value)
#zadara_user=<None>
# Password for the VPSA (string value)
#zadara_password=<None>
# Name of VPSA storage pool for volumes (string value)
#zadara_vpsa_poolname=<None>
# Default thin provisioning policy for volumes (boolean value)
#zadara_vol_thin=true
# Default encryption policy for volumes (boolean value)
#zadara_vol_encrypt=false
# Default template for VPSA volume names (string value)
#zadara_vol_name_template=OS_%s
# Automatically detach from servers on volume delete (boolean
# value)
#zadara_vpsa_auto_detach_on_delete=true
# Don't halt on deletion of non-existing volumes (boolean
# value)
#zadara_vpsa_allow_nonexistent_delete=true

#
# Options defined in cinder.volume.manager
#
# Driver to use for volume creation (string value)
#volume_driver=cinder.volume.drivers.lvm.LVMISCSIDriver
# Timeout for creating the volume to migrate to when
# performing volume migration (seconds) (integer value)
#migration_create_volume_timeout_secs=300
# Offload pending volume delete during volume service startup
# (boolean value)
#volume_service_inithost_offload=false
# FC Zoning mode configured (string value)
#zoning_mode=none
# User defined capabilities, a JSON formatted string
# specifying key/value pairs. (string value)
#extra_capabilities={}

[BRCD_FABRIC_EXAMPLE]
#
# Options defined in cinder.zonemanager.drivers.brocade.brcd_fabric_opts
#
# Management IP of fabric (string value)
#fc_fabric_address=
# Fabric user ID (string value)
#fc_fabric_user=
# Password for user (string value)
#fc_fabric_password=
# Connecting port (integer value)
#fc_fabric_port=22
# overridden zoning policy (string value)
#zoning_policy=initiator-target
# overridden zoning activation state (boolean value)
#zone_activate=true
# overridden zone name prefix (string value)
#zone_name_prefix=<None>
# Principal switch WWN of the fabric (string value)
#principal_switch_wwn=<None>

[database]
#
# Options defined in cinder.openstack.common.db.api
#
# The backend to use for db (string value)
# Deprecated group/name - [DEFAULT]/db_backend
#backend=sqlalchemy
# Enable the experimental use of thread pooling for all DB API
# calls (boolean value)
# Deprecated group/name - [DEFAULT]/dbapi_use_tpool
#use_tpool=false

#
# Options defined in cinder.openstack.common.db.sqlalchemy.session
#
# The SQLAlchemy connection string used to connect to the
# database (string value)
# Deprecated group/name - [DEFAULT]/sql_connection
#connection=sqlite:///$state_path/$sqlite_db
# timeout before idle sql connections are reaped (integer
# value)
# Deprecated group/name - [DEFAULT]/sql_idle_timeout
#idle_timeout=3600
# Minimum number of SQL connections to keep open in a pool
# (integer value)
# Deprecated group/name - [DEFAULT]/sql_min_pool_size
#min_pool_size=1
# Maximum number of SQL connections to keep open in a pool
# (integer value)
# Deprecated group/name - [DEFAULT]/sql_max_pool_size
#max_pool_size=5
# maximum db connection retries during startup. (setting -1
# implies an infinite retry count) (integer value)
# Deprecated group/name - [DEFAULT]/sql_max_retries
#max_retries=10
# interval between retries of opening a sql connection
# (integer value)
# Deprecated group/name - [DEFAULT]/sql_retry_interval
#retry_interval=10
# If set, use this value for max_overflow with sqlalchemy
# (integer value)
# Deprecated group/name - [DEFAULT]/sql_max_overflow
#max_overflow=<None>
# Verbosity of SQL debugging information. 0=None,
# 100=Everything (integer value)
# Deprecated group/name - [DEFAULT]/sql_connection_debug
#connection_debug=0
# Add python stack traces to SQL as comment strings (boolean
# value)
# Deprecated group/name - [DEFAULT]/sql_connection_trace


#connection_trace=false

[fc-zone-manager]
#
# Options defined in cinder.zonemanager.drivers.brocade.brcd_fc_zone_driver
#
# Southbound connector for zoning operation (string value)
#brcd_sb_connector=cinder.zonemanager.drivers.brocade.brcd_fc_zone_client_cli.BrcdFCZoneClientCLI

#
# Options defined in cinder.zonemanager.fc_zone_manager
#
# FC Zone Driver responsible for zone management (string
# value)
#zone_driver=cinder.zonemanager.drivers.brocade.brcd_fc_zone_driver.BrcdFCZoneDriver
# Zoning policy configured by user (string value)
#zoning_policy=initiator-target
# Comma separated list of fibre channel fabric names. This
# list of names is used to retrieve other SAN credentials for
# connecting to each SAN fabric (string value)
#fc_fabric_names=<None>
# FC San Lookup Service (string value)
#fc_san_lookup_service=cinder.zonemanager.drivers.brocade.brcd_fc_san_lookup_service.BrcdFCSanLookupService

[keymgr]
#
# Options defined in cinder.keymgr
#
# The full class name of the key manager API class (string
# value)
#api_class=cinder.keymgr.conf_key_mgr.ConfKeyManager

#
# Options defined in cinder.keymgr.conf_key_mgr
#
# Fixed key returned by key manager, specified in hex (string
# value)
#fixed_key=<None>

[keystone_authtoken]
#
# Options defined in keystoneclient.middleware.auth_token


#
# Prefix to prepend at the beginning of the path. Deprecated,
# use identity_uri. (string value)
#auth_admin_prefix=
# Host providing the admin Identity API endpoint. Deprecated,
# use identity_uri. (string value)
#auth_host=127.0.0.1
# Port of the admin Identity API endpoint. Deprecated, use
# identity_uri. (integer value)
#auth_port=35357
# Protocol of the admin Identity API endpoint (http or https).
# Deprecated, use identity_uri. (string value)
#auth_protocol=https
# Complete public Identity API endpoint (string value)
#auth_uri=<None>
# Complete admin Identity API endpoint. This should specify
# the unversioned root endpoint e.g. https://localhost:35357/
# (string value)
#identity_uri=<None>
# API version of the admin Identity API endpoint (string
# value)
#auth_version=<None>
# Do not handle authorization requests within the middleware,
# but delegate the authorization decision to downstream WSGI
# components (boolean value)
#delay_auth_decision=false
# Request timeout value for communicating with Identity API
# server. (boolean value)
#http_connect_timeout=<None>
# How many times are we trying to reconnect when communicating
# with Identity API Server. (integer value)
#http_request_max_retries=3
# This option is deprecated and may be removed in a future
# release. Single shared secret with the Keystone
# configuration used for bootstrapping a Keystone
# installation, or otherwise bypassing the normal
# authentication process. This option should not be used, use
# `admin_user` and `admin_password` instead. (string value)
#admin_token=<None>
# Keystone account username (string value)
#admin_user=<None>
# Keystone account password (string value)
#admin_password=<None>
# Keystone service account tenant name to validate user tokens
# (string value)
#admin_tenant_name=admin


# Env key for the swift cache (string value)
#cache=<None>
# Required if Keystone server requires client certificate
# (string value)
#certfile=<None>
# Required if Keystone server requires client certificate
# (string value)
#keyfile=<None>
# A PEM encoded Certificate Authority to use when verifying
# HTTPs connections. Defaults to system CAs. (string value)
#cafile=<None>
# Verify HTTPS connections. (boolean value)
#insecure=false
# Directory used to cache files related to PKI tokens (string
# value)
#signing_dir=<None>
# Optionally specify a list of memcached server(s) to use for
# caching. If left undefined, tokens will instead be cached
# in-process. (list value)
# Deprecated group/name - [DEFAULT]/memcache_servers
#memcached_servers=<None>
# In order to prevent excessive effort spent validating
# tokens, the middleware caches previously-seen tokens for a
# configurable duration (in seconds). Set to -1 to disable
# caching completely. (integer value)
#token_cache_time=300
# Determines the frequency at which the list of revoked tokens
# is retrieved from the Identity service (in seconds). A high
# number of revocation events combined with a low cache
# duration may significantly reduce performance. (integer
# value)
#revocation_cache_time=10
# (optional) if defined, indicate whether token data should be
# authenticated or authenticated and encrypted. Acceptable
# values are MAC or ENCRYPT. If MAC, token data is
# authenticated (with HMAC) in the cache. If ENCRYPT, token
# data is encrypted and authenticated in the cache. If the
# value is not one of these options or empty, auth_token will
# raise an exception on initialization. (string value)
#memcache_security_strategy=<None>
# (optional, mandatory if memcache_security_strategy is
# defined) this string is used for key derivation. (string
# value)
#memcache_secret_key=<None>
# (optional) indicate whether to set the X-Service-Catalog
# header. If False, middleware will not ask for service
# catalog on token validation and will not set the
# X-Service-Catalog header. (boolean value)


#include_service_catalog=true
# Used to control the use and type of token binding. Can be
# set to: "disabled" to not check token binding. "permissive"
# (default) to validate binding information if the bind type
# is of a form known to the server and ignore it if not.
# "strict" like "permissive" but if the bind type is unknown
# the token will be rejected. "required" any form of token
# binding is needed to be allowed. Finally the name of a
# binding method that must be present in tokens. (string
# value)
#enforce_token_bind=permissive
# If true, the revocation list will be checked for cached
# tokens. This requires that PKI tokens are configured on the
# Keystone server. (boolean value)
#check_revocations_for_cached=false
# Hash algorithms to use for hashing PKI tokens. This may be a
# single algorithm or multiple. The algorithms are those
# supported by Python standard hashlib.new(). The hashes will
# be tried in the order given, so put the preferred one first
# for performance. The result of the first hash will be stored
# in the cache. This will typically be set to multiple values
# only while migrating from a less secure algorithm to a more
# secure one. Once all the old tokens are expired this option
# should be set to a single value for better performance.
# (list value)
#hash_algorithms=md5

[matchmaker_redis]
#
# Options defined in oslo.messaging
#
# Host to locate redis. (string value)
#host=127.0.0.1
# Use this port to connect to redis host. (integer value)
#port=6379
# Password for Redis server (optional). (string value)
#password=<None>

[matchmaker_ring]
#
# Options defined in oslo.messaging
#
# Matchmaker ring file (JSON). (string value)
# Deprecated group/name - [DEFAULT]/matchmaker_ringfile
#ringfile=/etc/oslo/matchmaker_ring.json

[ssl]


#
# Options defined in cinder.openstack.common.sslutils
#
# CA certificate file to use to verify connecting clients
# (string value)
#ca_file=<None>
# Certificate file to use when starting the server securely
# (string value)
#cert_file=<None>
# Private key file to use when starting the server securely
# (string value)
#key_file=<None>
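
The following check is an added example, not part of the OpenStack sample file or of the auth_token middleware. It reads the [keystone_authtoken] section described above and reports settings that the option descriptions mark as deprecated or weaker, plus disabled HTTPS verification and plain-HTTP endpoints; both configuration fragments and every value in them are constructed.

```python
import configparser

# Constructed fragments for illustration; every host name and secret is made up.
WEAK_CONF = """
[keystone_authtoken]
auth_uri = http://controller:5000/
identity_uri = http://controller:35357/
admin_token = CONSTRUCTED_SHARED_SECRET
insecure = true
memcached_servers = 127.0.0.1:11211
hash_algorithms = md5
enforce_token_bind = disabled
"""

HARDENED_CONF = """
[keystone_authtoken]
auth_uri = https://controller:5000/
identity_uri = https://controller:35357/
admin_user = cinder
admin_password = CONSTRUCTED_PASSWORD
admin_tenant_name = service
insecure = false
memcached_servers = 127.0.0.1:11211
memcache_security_strategy = ENCRYPT
memcache_secret_key = CONSTRUCTED_MEMCACHE_SECRET
hash_algorithms = sha256
enforce_token_bind = permissive
"""

UNSET = ("", "<None>", "None")
TRUE_VALUES = ("true", "1", "yes", "on")


def read_section(conf_text, section="keystone_authtoken"):
    """Return the section as a dict, dropping options that are left unset."""
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    cfg.read_string(conf_text)
    if not cfg.has_section(section):
        return {}
    return {k: v.strip() for k, v in cfg.items(section) if v.strip() not in UNSET}


def audit_authtoken(conf_text):
    """Return (option, finding) pairs for the [keystone_authtoken] section."""
    opts = read_section(conf_text)
    findings = []

    if "admin_token" in opts:
        findings.append(("admin_token", "deprecated shared secret that bypasses "
                         "normal authentication; use admin_user and admin_password"))
    if opts.get("insecure", "false").lower() in TRUE_VALUES:
        findings.append(("insecure", "HTTPS certificate verification is switched off"))
    for name in ("auth_uri", "identity_uri"):
        if opts.get(name, "").lower().startswith("http://"):
            findings.append((name, "Identity endpoint is reached over plain HTTP"))
    if opts.get("auth_protocol", "https").lower() == "http":
        findings.append(("auth_protocol", "Identity endpoint is reached over plain HTTP"))

    strategy = opts.get("memcache_security_strategy")
    if strategy is None:
        if "memcached_servers" in opts:
            findings.append(("memcache_security_strategy", "token data in memcached "
                             "is neither authenticated nor encrypted"))
    elif strategy.upper() not in ("MAC", "ENCRYPT"):
        findings.append(("memcache_security_strategy", "must be MAC or ENCRYPT; "
                         "auth_token raises an exception on initialization"))
    elif "memcache_secret_key" not in opts:
        findings.append(("memcache_secret_key", "mandatory when "
                         "memcache_security_strategy is defined"))

    # The first algorithm in the list is the one whose hash is stored in the cache.
    algorithms = [a.strip().lower() for a in opts.get("hash_algorithms", "md5").split(",")]
    if algorithms[0] == "md5":
        findings.append(("hash_algorithms", "md5 is the preferred (first) hash "
                         "for PKI tokens"))
    if opts.get("enforce_token_bind", "permissive") == "disabled":
        findings.append(("enforce_token_bind", "token binding is not checked"))
    return findings


if __name__ == "__main__":
    for option, finding in audit_authtoken(WEAK_CONF):
        print("%-28s %s" % (option, finding))
```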

api-paste.ini
Use the api-paste.ini file to configure the Block Storage API service.
#############
# OpenStack #
#############
[composite:osapi_volume]
use = call:cinder.api:root_app_factory
/: apiversions
/v1: openstack_volume_api_v1
/v2: openstack_volume_api_v2
[composite:openstack_volume_api_v1]
use = call:cinder.api.middleware.auth:pipeline_factory
noauth = request_id faultwrap sizelimit noauth apiv1
keystone = request_id faultwrap sizelimit authtoken keystonecontext apiv1
keystone_nolimit = request_id faultwrap sizelimit authtoken keystonecontext apiv1
[composite:openstack_volume_api_v2]
use = call:cinder.api.middleware.auth:pipeline_factory
noauth = request_id faultwrap sizelimit noauth apiv2
keystone = request_id faultwrap sizelimit authtoken keystonecontext apiv2
keystone_nolimit = request_id faultwrap sizelimit authtoken keystonecontext apiv2
[filter:request_id]
paste.filter_factory = cinder.openstack.common.middleware.request_id:RequestIdMiddleware.factory
[filter:faultwrap]
paste.filter_factory = cinder.api.middleware.fault:FaultWrapper.factory
[filter:noauth]
paste.filter_factory = cinder.api.middleware.auth:NoAuthMiddleware.factory
[filter:sizelimit]


paste.filter_factory = cinder.api.middleware.sizelimit:RequestBodySizeLimiter.factory
[app:apiv1]
paste.app_factory = cinder.api.v1.router:APIRouter.factory
[app:apiv2]
paste.app_factory = cinder.api.v2.router:APIRouter.factory
[pipeline:apiversions]
pipeline = faultwrap osvolumeversionapp
[app:osvolumeversionapp]
paste.app_factory = cinder.api.versions:Versions.factory
##########
# Shared #
##########
[filter:keystonecontext]
paste.filter_factory = cinder.api.middleware.auth:CinderKeystoneContext.factory
[filter:authtoken]
paste.filter_factory = keystoneclient.middleware.auth_token:filter_factory

policy.json
The policy.json file defines additional access controls that apply to the Block Storage
service.
{
"context_is_admin": [["role:admin"]],
"admin_or_owner": [["is_admin:True"], ["project_id:%(project_id)s"]],
"default": [["rule:admin_or_owner"]],
"admin_api": [["is_admin:True"]],
"volume:create": [],
"volume:get_all": [],
"volume:get_volume_metadata": [],
"volume:get_volume_admin_metadata": [["rule:admin_api"]],
"volume:delete_volume_admin_metadata": [["rule:admin_api"]],
"volume:update_volume_admin_metadata": [["rule:admin_api"]],
"volume:get_snapshot": [],
"volume:get_all_snapshots": [],
"volume:extend": [],
"volume:update_readonly_flag": [],
"volume:retype": [],
"volume_extension:types_manage": [["rule:admin_api"]],
"volume_extension:types_extra_specs": [["rule:admin_api"]],
"volume_extension:volume_type_encryption": [["rule:admin_api"]],
"volume_extension:volume_encryption_metadata": [["rule:admin_or_owner"]],
"volume_extension:extended_snapshot_attributes": [],
"volume_extension:volume_image_metadata": [],


"volume_extension:quotas:show": [],
"volume_extension:quotas:update": [["rule:admin_api"]],
"volume_extension:quota_classes": [],
"volume_extension:volume_admin_actions:reset_status":
[["rule:admin_api"]],
"volume_extension:snapshot_admin_actions:reset_status":
[["rule:admin_api"]],
"volume_extension:volume_admin_actions:force_delete":
[["rule:admin_api"]],
"volume_extension:snapshot_admin_actions:force_delete":
[["rule:admin_api"]],
"volume_extension:volume_admin_actions:migrate_volume":
[["rule:admin_api"]],
"volume_extension:volume_admin_actions:migrate_volume_completion":
[["rule:admin_api"]],
"volume_extension:volume_host_attribute": [["rule:admin_api"]],
"volume_extension:volume_tenant_attribute": [["rule:admin_or_owner"]],
"volume_extension:volume_mig_status_attribute": [["rule:admin_api"]],
"volume_extension:hosts": [["rule:admin_api"]],
"volume_extension:services": [["rule:admin_api"]],
"volume:services": [["rule:admin_api"]],
"volume:create_transfer": [],
"volume:accept_transfer": [],
"volume:delete_transfer": [],
"volume:get_all_transfers": [],
"backup:create" : [],
"backup:delete": [],
"backup:get": [],
"backup:get_all": [],
"backup:restore": [],
"backup:backup-import": [["rule:admin_api"]],
"backup:backup-export": [["rule:admin_api"]],
"snapshot_extension:snapshot_actions:update_snapshot_status": []
}
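
An added example, not part of the original reference or of the Block Storage code: a small evaluator for the list-based rule syntax used in the policy.json above, for reviewing which actions every caller passes and which need admin rights. It assumes the outer list is an OR of inner AND-lists, an empty list always passes, and actions missing from the file fall back to the "default" rule; the credential and target dictionaries are constructed.

```python
import json

# Constructed excerpt: rules copied from the policy.json above, fewer actions.
SAMPLE_POLICY = json.loads("""
{
    "context_is_admin": [["role:admin"]],
    "admin_or_owner": [["is_admin:True"], ["project_id:%(project_id)s"]],
    "default": [["rule:admin_or_owner"]],
    "admin_api": [["is_admin:True"]],
    "volume:create": [],
    "volume:extend": [],
    "volume_extension:volume_encryption_metadata": [["rule:admin_or_owner"]],
    "volume_extension:volume_admin_actions:force_delete": [["rule:admin_api"]],
    "backup:backup-export": [["rule:admin_api"]]
}
""")


def _check(check, rules, creds, target, seen):
    """Evaluate one 'kind:match' string such as 'rule:admin_api'."""
    kind, _, match = check.partition(":")
    if kind == "rule":
        # Undefined or self-referencing rules are treated as a denial.
        if match in seen or match not in rules:
            return False
        return _evaluate(rules[match], rules, creds, target, seen | {match})
    if kind == "role":
        return match.lower() in [r.lower() for r in creds.get("roles", [])]
    # Generic check: the credential named by `kind` must equal the match
    # string after %(name)s placeholders are filled in from the target.
    try:
        wanted = match % target
    except (KeyError, TypeError, ValueError):
        return False
    return kind in creds and str(creds[kind]) == wanted


def _evaluate(rule, rules, creds, target, seen):
    """Outer list is OR, each inner list is AND, [] always passes."""
    if not rule:
        return True
    for and_list in rule:
        checks = [and_list] if isinstance(and_list, str) else and_list
        if all(_check(c, rules, creds, target, seen) for c in checks):
            return True
    return False


def enforce(rules, action, creds, target=None):
    """Return True if `creds` may perform `action` on `target`."""
    if action in rules:
        rule = rules[action]
    elif "default" in rules:          # assumption: fall back to "default"
        rule = rules["default"]
    else:
        return False
    return _evaluate(rule, rules, creds, target or {}, frozenset())


def open_to_any_user(rules):
    """Actions whose rule is []: the policy check passes for every caller."""
    return sorted(action for action, rule in rules.items() if rule == [])


def denied_actions(rules, creds, target=None):
    """Actions in the file that `creds` may not perform on `target`."""
    return sorted(a for a in rules if not enforce(rules, a, creds, target))


if __name__ == "__main__":
    member = {"roles": ["member"], "is_admin": False, "project_id": "p1"}
    print("open to every caller:", open_to_any_user(SAMPLE_POLICY))
    print("denied to a member on another project's volume:",
          denied_actions(SAMPLE_POLICY, member, {"project_id": "p2"}))
```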

rootwrap.conf
The rootwrap.conf file defines configuration values used by the rootwrap script when
the Block Storage service must escalate its privileges to those of the root user.
# Configuration for cinder-rootwrap
# This file should be owned by (and only-writeable by) the root user
[DEFAULT]
# List of directories to load filter definitions from (separated by ',').
# These directories MUST all be only writeable by root !
filters_path=/etc/cinder/rootwrap.d,/usr/share/cinder/rootwrap
# List of directories to search executables in, in case filters do not
# explicitly specify a full path (separated by ',')
# If not specified, defaults to system PATH environment variable.
# These directories MUST all be only writeable by root !
exec_dirs=/sbin,/usr/sbin,/bin,/usr/bin


# Enable logging to syslog
# Default value is False
use_syslog=False
# Which syslog facility to use.
# Valid values include auth, authpriv, syslog, local0, local1...
# Default value is 'syslog'
syslog_log_facility=syslog
# Which messages to log.
# INFO means log all usage
# ERROR means only log unsuccessful attempts
syslog_log_level=ERROR
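
The comments in rootwrap.conf require that the filter and executable directories be writable only by root. The following added example (not part of the original reference or of cinder-rootwrap) reads the two path options and reports every listed directory, and every file inside a filter directory, that another user could modify; the function names and the owner_uid parameter are hypothetical.

```python
import configparser
import os
import stat

# The rootwrap.conf shown above, reduced to its two path options.
SAMPLE_CONF = """
[DEFAULT]
filters_path=/etc/cinder/rootwrap.d,/usr/share/cinder/rootwrap
exec_dirs=/sbin,/usr/sbin,/bin,/usr/bin
"""


def rootwrap_dirs(conf_text):
    """Return the directory lists of filters_path and exec_dirs."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(conf_text)
    result = {}
    for option in ("filters_path", "exec_dirs"):
        value = cfg.defaults().get(option, "")
        result[option] = [d.strip() for d in value.split(",") if d.strip()]
    return result


def path_problems(path, owner_uid=0):
    """Return reasons why a user other than `owner_uid` could modify `path`."""
    try:
        st = os.stat(path)      # follows symlinks such as /bin -> usr/bin
    except OSError as exc:
        return ["cannot stat: %s" % exc.strerror]
    mode = stat.S_IMODE(st.st_mode)
    problems = []
    if st.st_uid != owner_uid:
        problems.append("owned by uid %d, expected %d" % (st.st_uid, owner_uid))
    # Group write access only matters when the group is not root's own group.
    if st.st_mode & stat.S_IWGRP and st.st_gid != 0:
        problems.append("group-writable by gid %d (mode %o)" % (st.st_gid, mode))
    if st.st_mode & stat.S_IWOTH:
        problems.append("world-writable (mode %o)" % mode)
    return problems


def audit_rootwrap(conf_text, owner_uid=0):
    """Map each offending path to its problems; an empty dict means clean."""
    dirs = rootwrap_dirs(conf_text)
    to_check = dirs["filters_path"] + dirs["exec_dirs"]
    # Filter definition files decide which commands run as root, so the
    # files inside each filter directory are checked as well.
    for directory in dirs["filters_path"]:
        if os.path.isdir(directory):
            to_check += [os.path.join(directory, name)
                         for name in sorted(os.listdir(directory))]
    report = {}
    for path in to_check:
        problems = path_problems(path, owner_uid)
        if problems:
            report[path] = problems
    return report


if __name__ == "__main__":
    for path, problems in audit_rootwrap(SAMPLE_CONF).items():
        print(path, "->", "; ".join(problems))
```

Run it as root on the host that carries the file so that every listed directory can be read.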

Log files used by Block Storage


The corresponding log file of each Block Storage service is stored in the /var/log/cinder/ directory of the host on which each service runs.

Table 1.37. Log files used by Block Storage services

Log file | Service/interface (for CentOS, Fedora, openSUSE, Red Hat Enterprise Linux, and SUSE Linux Enterprise) | Service/interface (for Ubuntu and Debian)
api.log | openstack-cinder-api | cinder-api
cinder-manage.log | cinder-manage | cinder-manage
scheduler.log | openstack-cinder-scheduler | cinder-scheduler
volume.log | openstack-cinder-volume | cinder-volume

Fibre Channel Zone Manager


The Fibre Channel Zone Manager allows FC SAN Zone/Access control management in conjunction with Fibre Channel block storage. The configuration of Fibre Channel Zone Manager and various zone drivers is described in this section.

Configure Block Storage to use Fibre Channel Zone Manager


If Block Storage is configured to use a Fibre Channel volume driver that supports Zone Manager, update cinder.conf to add the following configuration options to enable Fibre
Channel Zone Manager.
Make the following changes in the /etc/cinder/cinder.conf file.

Table 1.38. Description of zoning configuration options

Configuration option = Default value | Description
[DEFAULT]
zoning_mode = none | (StrOpt) FC Zoning mode configured
[fc-zone-manager]
fc_fabric_names = None | (StrOpt) Comma separated list of fibre channel fabric names. This list of names is used to retrieve other SAN credentials for connecting to each SAN fabric
zoning_policy = initiator-target | (StrOpt) Zoning policy configured by user


To use different Fibre Channel Zone Drivers, use the parameters described in this section.

Note
When multi backend configuration is used, provide the zoning_mode
configuration option as part of the volume driver configuration where
volume_driver option is specified.

Note
Default value of zoning_mode is None and this needs to be changed to fabric to allow fabric zoning.

Note
zoning_policy can be configured as initiator-target or initiator

Brocade Fibre Channel Zone Driver


Brocade Fibre Channel Zone Driver performs zoning operations via SSH. Configure Brocade
Zone Driver and lookup service by specifying the following parameters:

Table 1.39. Description of zoning manager configuration options

Configuration option = Default value | Description
[fc-zone-manager]
brcd_sb_connector = cinder.zonemanager.drivers.brocade.brcd_fc_zone_client_cli.BrcdFCZoneClientCLI | (StrOpt) Southbound connector for zoning operation
cisco_sb_connector = cinder.zonemanager.drivers.cisco.cisco_fc_zone_client_cli.CiscoFCZoneClientCLI | (StrOpt) Southbound connector for zoning operation
fc_san_lookup_service = cinder.zonemanager.drivers.brocade.brcd_fc_san_lookup_service.BrcdFCSanLookupService | (StrOpt) FC San Lookup Service
zone_driver = cinder.zonemanager.drivers.brocade.brcd_fc_zone_driver.BrcdFCZoneDriver | (StrOpt) FC Zone Driver responsible for zone management

Configure SAN fabric parameters in the form of fabric groups as described in the example
below:

Table 1.40. Description of zoning fabrics configuration options

Configuration option = Default value | Description
[BRCD_FABRIC_EXAMPLE]
fc_fabric_address = | (StrOpt) Management IP of fabric
fc_fabric_password = | (StrOpt) Password for user
fc_fabric_port = 22 | (IntOpt) Connecting port
fc_fabric_user = | (StrOpt) Fabric user ID
principal_switch_wwn = None | (StrOpt) Principal switch WWN of the fabric
zone_activate = True | (BoolOpt) overridden zoning activation state
zone_name_prefix = None | (StrOpt) overridden zone name prefix
zoning_policy = initiator-target | (StrOpt) overridden zoning policy
[CISCO_FABRIC_EXAMPLE]
cisco_fc_fabric_address = | (StrOpt) Management IP of fabric
cisco_fc_fabric_password = | (StrOpt) Password for user
cisco_fc_fabric_port = 22 | (IntOpt) Connecting port
cisco_fc_fabric_user = | (StrOpt) Fabric user ID
cisco_zone_activate = True | (BoolOpt) overridden zoning activation state
cisco_zone_name_prefix = None | (StrOpt) overridden zone name prefix
cisco_zoning_policy = initiator-target | (StrOpt) overridden zoning policy
cisco_zoning_vsan = None | (StrOpt) VSAN of the Fabric

Note
Define a fabric group for each fabric using the fabric names used in
fc_fabric_names configuration option as group name.
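
An added example, not part of the original reference or of the Block Storage code: a consistency check for the zoning options in the tables and notes above, covering the Brocade option names only. The fabric names, address and credentials in the sample are constructed.

```python
import configparser

# Constructed cinder.conf fragment; names, address and password are made up.
SAMPLE_CONF = """
[DEFAULT]
zoning_mode = fabric

[fc-zone-manager]
fc_fabric_names = FABRIC_A,FABRIC_B
zoning_policy = initiator-target

[FABRIC_A]
fc_fabric_address = 192.0.2.10
fc_fabric_user = zoneuser
fc_fabric_password = CONSTRUCTED_PASSWORD
fc_fabric_port = 22
"""

REQUIRED = ("fc_fabric_address", "fc_fabric_user", "fc_fabric_password")
POLICIES = ("initiator-target", "initiator")


def zoning_problems(conf_text):
    """Return a list of inconsistencies in the FC zoning configuration."""
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    cfg.read_string(conf_text)
    problems = []

    # zoning_mode is set in [DEFAULT] or, with multiple back ends, in the
    # section that also carries volume_driver.
    modes = [cfg.defaults().get("zoning_mode", "none")]
    modes += [cfg.get(s, "zoning_mode") for s in cfg.sections()
              if cfg.has_option(s, "zoning_mode")]
    if "fabric" not in modes:
        problems.append("zoning_mode is not set to fabric: fabric zoning is off")

    names = cfg.get("fc-zone-manager", "fc_fabric_names", fallback="")
    fabrics = [n.strip() for n in names.split(",")
               if n.strip() and n.strip() != "<None>"]
    if not fabrics:
        problems.append("[fc-zone-manager] fc_fabric_names is empty")

    policy = cfg.get("fc-zone-manager", "zoning_policy", fallback="initiator-target")
    if policy not in POLICIES:
        problems.append("[fc-zone-manager] zoning_policy %r is not one of %s"
                        % (policy, ", ".join(POLICIES)))

    # Every name in fc_fabric_names needs a group of the same name.
    for name in fabrics:
        if not cfg.has_section(name):
            problems.append("no [%s] group for a fabric listed in fc_fabric_names" % name)
            continue
        for option in REQUIRED:
            if not cfg.get(name, option, fallback="").strip():
                problems.append("[%s] %s is not set" % (name, option))
        override = cfg.get(name, "zoning_policy", fallback=policy)
        if override not in POLICIES:
            problems.append("[%s] zoning_policy %r is not one of %s"
                            % (name, override, ", ".join(POLICIES)))
    return problems


if __name__ == "__main__":
    for problem in zoning_problems(SAMPLE_CONF):
        print(problem)
```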

System requirements
Brocade Fibre Channel Zone Driver requires firmware version FOS v6.4 or higher.
As a best practice for zone management, use a user account with zoneadmin role. Users
with admin role (including the default admin user account) are limited to a maximum of
two concurrent SSH sessions.
For information about how to manage Brocade Fibre Channel switches, see the Brocade
Fabric OS user documentation.

Volume encryption with static key


This is an implementation of a key manager that reads its key from the project's configuration options.
This key manager implementation provides limited security, assuming that the key remains
secret. Volume encryption provides protection against a lost or stolen disk, assuming that
the configuration file that contains the key is not stored on the disk. Encryption also protects the confidentiality of data as it is transmitted via iSCSI from the compute host to the
storage host as long as an attacker who intercepts the data does not know the secret key.
Because this implementation uses a single, fixed key, it does not provide protection if that
key is compromised. In particular, different volumes encrypted with a key provided by this
key manager actually share the same encryption key so any volume can be decrypted once
the fixed key is known.
Updates are in the pipeline which will provide true key manager support via the key management service. This will provide much better security once complete.

Initial configuration
Configuration changes need to be made to any nodes running the cinder-volume or
nova-compute services.

Update cinder-volume servers:

1. Edit the /etc/cinder/cinder.conf file and add or update the value of the option fixed_key in the [keymgr] section:

[keymgr]
# Fixed key returned by key manager, specified in hex (string
# value)
fixed_key = 0000000000000000000000000000000000000000000000000000000000000000

2. Restart cinder-volume.

Update nova-compute servers:

1. Edit the /etc/nova/nova.conf file and add or update the value of the option fixed_key in the [keymgr] section (add a keymgr section as shown if needed):

[keymgr]
# Fixed key returned by key manager, specified in hex (string
# value)
fixed_key = 0000000000000000000000000000000000000000000000000000000000000000

2. Restart nova-compute.
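
The all-zero fixed_key in the steps above only illustrates the format. The following added example (not from the original reference or from the cinder or nova code) generates a random key of the same length and checks the [keymgr] section of both files. It assumes that both services must hold the same key and treats anything shorter than the 64 hex digits shown here as too short; the function names are hypothetical.

```python
import configparser
import secrets

# The all-zero value used as the illustration in the steps above.
PLACEHOLDER_KEY = "0" * 64


def new_fixed_key():
    """Return 256 random bits as 64 hex digits, the format shown above."""
    return secrets.token_hex(32)


def read_fixed_key(conf_text):
    """Return [keymgr]/fixed_key from the configuration text, or None."""
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    cfg.read_string(conf_text)
    value = cfg.get("keymgr", "fixed_key", fallback="")
    return value.strip() or None


def key_problems(key):
    """Return the reasons why `key` should not be used as fixed_key."""
    if not key:
        return ["fixed_key is not set"]
    try:
        raw = bytes.fromhex(key)
    except ValueError:
        return ["fixed_key is not a hex string"]
    problems = []
    if len(raw) < 32:       # assumption: match the 256-bit example above
        problems.append("only %d bits; the example on this page uses 256"
                        % (len(raw) * 8))
    # Random data has many distinct byte values; a placeholder or a
    # repeated pattern (00..00, 0101.., abab..) has very few.
    if len(set(raw)) < max(2, len(raw) // 4):
        problems.append("few distinct bytes: looks like a placeholder or a "
                        "pattern, not random data")
    return problems


def audit_fixed_keys(cinder_conf, nova_conf):
    """Check the key on a cinder-volume node and on a nova-compute node."""
    cinder_key = read_fixed_key(cinder_conf)
    nova_key = read_fixed_key(nova_conf)
    report = {
        "cinder.conf": key_problems(cinder_key),
        "nova.conf": key_problems(nova_key),
    }
    # Assumption: both services need the same key to use the same volume.
    if cinder_key and nova_key and cinder_key.lower() != nova_key.lower():
        report["both"] = ["fixed_key differs between cinder.conf and nova.conf"]
    return {name: found for name, found in report.items() if found}


if __name__ == "__main__":
    placeholder = "[keymgr]\nfixed_key = %s\n" % PLACEHOLDER_KEY
    print(audit_fixed_keys(placeholder, placeholder))
    print("replacement key:", new_fixed_key())
```

Every volume encrypted under the old value stays readable only with that value, so replace the key before encrypted volumes are created.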

Create encrypted volume type


Block Storage volume types provide a mechanism for scheduling volumes to a specific back-end, and can also carry information for a back-end storage device to act upon.
In this case we are creating a volume type called LUKS and providing configuration information that will tell the storage system to encrypt or decrypt the volume.

1. Source your admin credentials:

$ source admin-openrc.sh

2. Create the volume type:

$ cinder type-create LUKS
+--------------------------------------+-------+
| ID                                   | Name  |
+--------------------------------------+-------+
| e64b35a4-a849-4c53-9cc7-2345d3c8fbde | LUKS  |
+--------------------------------------+-------+

3. Mark the volume type as encrypted and provide the necessary details:

$ cinder encryption-type-create --cipher aes-xts-plain64 --key_size 512 \
  --control_location front-end LUKS nova.volume.encryptors.luks.LuksEncryptor
+--------------------------------------+-------------------------------------------+-----------------+----------+------------------+
| Volume Type ID                       | Provider                                  | Cipher          | Key Size | Control Location |
+--------------------------------------+-------------------------------------------+-----------------+----------+------------------+
| e64b35a4-a849-4c53-9cc7-2345d3c8fbde | nova.volume.encryptors.luks.LuksEncryptor | aes-xts-plain64 | 512      | front-end        |
+--------------------------------------+-------------------------------------------+-----------------+----------+------------------+

Support for creating the volume type in the OpenStack dashboard (horizon) exists today,
however support for tagging the type as encrypted and providing the additional information needed is still in review.

Create an encrypted volume


Use the OpenStack dashboard (horizon), or the cinder command to create volumes just as
you normally would. For an encrypted volume use the LUKS tag, for unencrypted leave the
LUKS tag off.
1. Source your admin credentials:

$ source admin-openrc.sh

2. Create an unencrypted 1GB test volume:

$ cinder create --display-name 'unencrypted volume' 1
+--------------------------------+--------------------------------------+
| Property                       | Value                                |
+--------------------------------+--------------------------------------+
| attachments                    | []                                   |
| availability_zone              | nova                                 |
| bootable                       | false                                |
| created_at                     | 2014-08-10T01:24:03.000000           |
| description                    | None                                 |
| encrypted                      | False                                |
| id                             | 081700fd-2357-44ff-860d-2cd78ad9c568 |
| metadata                       | {}                                   |
| name                           | unencrypted volume                   |
| os-vol-host-attr:host          | controller                           |
| os-vol-mig-status-attr:migstat | None                                 |
| os-vol-mig-status-attr:name_id | None                                 |
| os-vol-tenant-attr:tenant_id   | 08fdea76c760475f82087a45dbe94918     |
| size                           | 1                                    |
| snapshot_id                    | None                                 |
| source_volid                   | None                                 |
| status                         | creating                             |
| user_id                        | 7cbc6b58b372439e8f70e2a9103f1332     |
| volume_type                    | None                                 |
+--------------------------------+--------------------------------------+

3. Create an encrypted 1GB test volume:

$ cinder create --display-name 'encrypted volume' --volume-type LUKS 1
+--------------------------------+--------------------------------------+
| Property                       | Value                                |
+--------------------------------+--------------------------------------+
| attachments                    | []                                   |
| availability_zone              | nova                                 |
| bootable                       | false                                |
| created_at                     | 2014-08-10T01:24:24.000000           |
| description                    | None                                 |
| encrypted                      | True                                 |
| id                             | 86060306-6f43-4c92-9ab8-ddcd83acd973 |
| metadata                       | {}                                   |
| name                           | encrypted volume                     |
| os-vol-host-attr:host          | controller                           |
| os-vol-mig-status-attr:migstat | None                                 |
| os-vol-mig-status-attr:name_id | None                                 |
| os-vol-tenant-attr:tenant_id   | 08fdea76c760475f82087a45dbe94918     |
| size                           | 1                                    |
| snapshot_id                    | None                                 |
| source_volid                   | None                                 |
| status                         | creating                             |
| user_id                        | 7cbc6b58b372439e8f70e2a9103f1332     |
| volume_type                    | LUKS                                 |
+--------------------------------+--------------------------------------+

Notice the encrypted parameter; it will show True/False. The option volume_type is also
shown for easy review.

Testing volume encryption


This is a simple test scenario to help validate your encryption. It assumes an LVM based
Block Storage server.
Perform these steps after completing the volume encryption setup and creating the volume-type for LUKS as described in the preceding sections.
1. Create a VM:

$ nova boot --flavor m1.tiny --image cirros-0.3.1-x86_64-disk vm-test

2. Create two volumes, one encrypted and one not encrypted then attach them to your VM:

$ cinder create --display-name 'unencrypted volume' 1
$ cinder create --display-name 'encrypted volume' --volume-type LUKS 1
$ cinder list
+--------------------------------------+-----------+--------------------+------+-------------+----------+-------------+
| ID                                   | Status    | Name               | Size | Volume Type | Bootable | Attached to |
+--------------------------------------+-----------+--------------------+------+-------------+----------+-------------+
| 64b48a79-5686-4542-9b52-d649b51c10a2 | available | unencrypted volume | 1    | None        | false    |             |
| db50b71c-bf97-47cb-a5cf-b4b43a0edab6 | available | encrypted volume   | 1    | LUKS        | false    |             |
+--------------------------------------+-----------+--------------------+------+-------------+----------+-------------+
$ nova volume-attach vm-test 64b48a79-5686-4542-9b52-d649b51c10a2 /dev/vdb
$ nova volume-attach vm-test db50b71c-bf97-47cb-a5cf-b4b43a0edab6 /dev/vdc

3. On the VM, send some text to the newly attached volumes and synchronize them:

# echo "Hello, world (unencrypted /dev/vdb)" >> /dev/vdb
# echo "Hello, world (encrypted /dev/vdc)" >> /dev/vdc
# sync && sleep 2
# sync && sleep 2

4. On the system hosting cinder volume services, synchronize to flush the I/O cache then test to see if your strings can be found:

# sync && sleep 2
# sync && sleep 2
# strings /dev/stack-volumes/volume-* | grep "Hello"
Hello, world (unencrypted /dev/vdb)

In the above example you see that the search returns the string written to the unencrypted
volume, but not the encrypted one.

Additional options
These options can also be set in the cinder.conf file.

Table1.41.Description of authorization token configuration options


Configuration option = Default value

Description

[keystone_authtoken]
admin_password = None

(StrOpt) Keystone account password

admin_tenant_name = admin

(StrOpt) Keystone service account tenant name to validate


user tokens

admin_token = None

(StrOpt) This option is deprecated and may be removed


in a future release. Single shared secret with the Keystone
configuration used for bootstrapping a Keystone installation, or otherwise bypassing the normal authentication
process. This option should not be used, use `admin_user`
and `admin_password` instead.

admin_user = None

(StrOpt) Keystone account username

auth_admin_prefix =

(StrOpt) Prefix to prepend at the beginning of the path.


Deprecated, use identity_uri.

auth_host = 127.0.0.1

(StrOpt) Host providing the admin Identity API endpoint.


Deprecated, use identity_uri.

auth_port = 35357

(IntOpt) Port of the admin Identity API endpoint. Deprecated, use identity_uri.

auth_protocol = https

(StrOpt) Protocol of the admin Identity API endpoint (http


or https). Deprecated, use identity_uri.

auth_uri = None

(StrOpt) Complete public Identity API endpoint

auth_version = None

(StrOpt) API version of the admin Identity API endpoint

cache = None

(StrOpt) Env key for the swift cache

cafile = None

(StrOpt) A PEM encoded Certificate Authority to use when


verifying HTTPs connections. Defaults to system CAs.

certfile = None

(StrOpt) Required if Keystone server requires client certificate

check_revocations_for_cached = False

(BoolOpt) If true, the revocation list will be checked for


cached tokens. This requires that PKI tokens are configured on the Keystone server.

delay_auth_decision = False

(BoolOpt) Do not handle authorization requests within


the middleware, but delegate the authorization decision
to downstream WSGI components

enforce_token_bind = permissive

(StrOpt) Used to control the use and type of token binding. Can be set to: "disabled" to not check token binding. "permissive" (default) to validate binding information if the bind type is of a form known to the server and ignore it if not. "strict" like "permissive" but if the bind type is unknown the token will be rejected. "required" any form of token binding is needed to be allowed. Finally the name of a binding method that must be present in tokens.

hash_algorithms = md5

(ListOpt) Hash algorithms to use for hashing PKI tokens. This may be a single algorithm or multiple. The algorithms are those supported by Python standard hashlib.new(). The hashes will be tried in the order given, so put the preferred one first for performance. The result of the first hash will be stored in the cache. This will typically be set to multiple values only while migrating from a less secure algorithm to a more secure one. Once all the old tokens are expired this option should be set to a single value for better performance.

http_connect_timeout = None

(BoolOpt) Request timeout value for communicating with Identity API server.

http_request_max_retries = 3

(IntOpt) How many times are we trying to reconnect when communicating with Identity API Server.

identity_uri = None

(StrOpt) Complete admin Identity API endpoint. This should specify the unversioned root endpoint e.g. https://localhost:35357/

include_service_catalog = True

(BoolOpt) (optional) indicate whether to set the X-Service-Catalog header. If False, middleware will not ask for service catalog on token validation and will not set the X-Service-Catalog header.

insecure = False

(BoolOpt) Verify HTTPS connections.

keyfile = None

(StrOpt) Required if Keystone server requires client certificate

memcache_secret_key = None

(StrOpt) (optional, mandatory if memcache_security_strategy is defined) this string is used for key derivation.

memcache_security_strategy = None

(StrOpt) (optional) if defined, indicate whether token data should be authenticated or authenticated and encrypted. Acceptable values are MAC or ENCRYPT. If MAC, token data is authenticated (with HMAC) in the cache. If ENCRYPT, token data is encrypted and authenticated in the
cache. If the value is not one of these options or empty,
auth_token will raise an exception on initialization.

revocation_cache_time = 10

(IntOpt) Determines the frequency at which the list of revoked tokens is retrieved from the Identity service (in seconds). A high number of revocation events combined with a low cache duration may significantly reduce performance.

signing_dir = None

(StrOpt) Directory used to cache files related to PKI tokens

token_cache_time = 300

(IntOpt) In order to prevent excessive effort spent validating tokens, the middleware caches previously-seen tokens
for a configurable duration (in seconds). Set to -1 to disable caching completely.

Table 1.42. Description of Huawei storage driver configuration options


Configuration option = Default value

Description

[DEFAULT]
cinder_huawei_conf_file = /etc/cinder/cinder_huawei_conf.xml

(StrOpt) The configuration file for the Cinder Huawei driver


Table 1.43. Description of NAS configuration options


Configuration option = Default value

Description

[DEFAULT]
nas_ip =

(StrOpt) IP address or Hostname of NAS system.

nas_login = admin

(StrOpt) User name to connect to NAS system.

nas_password =

(StrOpt) Password to connect to NAS system.

nas_private_key =

(StrOpt) Filename of private key to use for SSH authentication.

nas_ssh_port = 22

(IntOpt) SSH port to use to connect to NAS system.

Table 1.44. Description of HP MSA Fiber Channel driver configuration options


Configuration option = Default value

Description

[DEFAULT]
msa_vdisk = OpenStack

(StrOpt) The VDisk to use for volume creation.

Table 1.45. Description of Nimble driver configuration options


Configuration option = Default value

Description

[DEFAULT]
nimble_pool_name = default

(StrOpt) Nimble Controller pool name

nimble_subnet_label = *

(StrOpt) Nimble Subnet Label

Table 1.46. Description of Pure Storage driver configuration options


Configuration option = Default value

Description

[DEFAULT]
pure_api_token = None

(StrOpt) REST API authorization token.

Table 1.47. Description of database configuration options


Configuration option = Default value

Description

[DEFAULT]
db_backend = sqlalchemy

(StrOpt) The backend to use for db

db_driver = cinder.db

(StrOpt) Driver to use for database access

[database]
backend = sqlalchemy

(StrOpt) The back end to use for the database.

connection = None

(StrOpt) The SQLAlchemy connection string to use to connect to the database.

connection_debug = 0

(IntOpt) Verbosity of SQL debugging information: 0=None, 100=Everything.

connection_trace = False

(BoolOpt) Add Python stack traces to SQL as comment strings.

db_inc_retry_interval = True

(BoolOpt) If True, increases the interval between database connection retries up to db_max_retry_interval.

db_max_retries = 20

(IntOpt) Maximum database connection retries before error is raised. Set to -1 to specify an infinite retry count.

db_max_retry_interval = 10

(IntOpt) If db_inc_retry_interval is set, the maximum seconds between database connection retries.

db_retry_interval = 1

(IntOpt) Seconds between database connection retries.

idle_timeout = 3600

(IntOpt) Timeout before idle SQL connections are reaped.


max_overflow = None

(IntOpt) If set, use this value for max_overflow with SQLAlchemy.

max_pool_size = None

(IntOpt) Maximum number of SQL connections to keep open in a pool.

max_retries = 10

(IntOpt) Maximum db connection retries during startup. Set to -1 to specify an infinite retry count.

min_pool_size = 1

(IntOpt) Minimum number of SQL connections to keep open in a pool.

mysql_sql_mode = TRADITIONAL

(StrOpt) The SQL mode to be used for MySQL sessions. This option, including the default, overrides any server-set SQL mode. To use whatever SQL mode is set by the server configuration, set this to no value. Example: mysql_sql_mode=

pool_timeout = None

(IntOpt) If set, use this value for pool_timeout with SQLAlchemy.

retry_interval = 10

(IntOpt) Interval between retries of opening a SQL connection.

slave_connection = None

(StrOpt) The SQLAlchemy connection string to use to connect to the slave database.

sqlite_db = oslo.sqlite

(StrOpt) The file name to use with SQLite.

sqlite_synchronous = True

(BoolOpt) If True, SQLite uses synchronous mode.

use_db_reconnect = False

(BoolOpt) Enable the experimental use of database reconnect on connection lost.

use_tpool = False

(BoolOpt) Enable the experimental use of thread pooling for all DB API calls

Table 1.48. Description of key manager configuration options


Configuration option = Default value

Description

[keymgr]
api_class = cinder.keymgr.conf_key_mgr.ConfKeyManager

(StrOpt) The full class name of the key manager API class

encryption_api_url = http://localhost:9311/v1

(StrOpt) Url for encryption service.

encryption_auth_url = http://localhost:5000/v2.0

(StrOpt) Authentication url for encryption service.

fixed_key = None

(StrOpt) Fixed key returned by key manager, specified in hex

Table 1.49. Description of storage configuration options


Configuration option = Default value

Description

[DEFAULT]
allocated_capacity_weight_multiplier = -1.0

(FloatOpt) Multiplier used for weighing volume capacity. Negative numbers mean to stack vs spread.

capacity_weight_multiplier = 1.0

(FloatOpt) Multiplier used for weighing volume capacity. Negative numbers mean to stack vs spread.

enabled_backends = None

(ListOpt) A list of backend names to use. These backend names should be backed by a unique [CONFIG] group with its options

iscsi_helper = tgtadm

(StrOpt) iSCSI target user-land tool to use. tgtadm is default, use lioadm for LIO iSCSI support, iseradm for the ISER protocol, or fake for testing.

iscsi_iotype = fileio

(StrOpt) Sets the behavior of the iSCSI target to either perform blockio or fileio; optionally, auto can be set and Cinder will autodetect the type of backing device


iscsi_ip_address = $my_ip

(StrOpt) The IP address that the iSCSI daemon is listening on

iscsi_num_targets = 100

(IntOpt) The maximum number of iSCSI target IDs per host

iscsi_port = 3260

(IntOpt) The port that the iSCSI daemon is listening on

iscsi_target_prefix = iqn.2010-10.org.openstack:

(StrOpt) Prefix for iSCSI volumes

iscsi_write_cache = on

(StrOpt) Sets the behavior of the iSCSI target to either perform write-back(on) or write-through(off). This parameter
is valid if iscsi_helper is set to tgtadm or iseradm.

iser_helper = tgtadm

(StrOpt) The name of the iSER target user-land tool to use

iser_ip_address = $my_ip

(StrOpt) The IP address that the iSER daemon is listening on

iser_num_targets = 100

(IntOpt) The maximum number of iSER target IDs per host

iser_port = 3260

(IntOpt) The port that the iSER daemon is listening on

iser_target_prefix = iqn.2010-10.org.iser.openstack:

(StrOpt) Prefix for iSER volumes

max_gigabytes = 10000

(IntOpt) This configure option has been deprecated along with the SimpleScheduler. New scheduler is able to gather capacity information for each host, thus setting the maximum number of volume gigabytes for host is no longer needed. It's safe to remove this configure from cinder.conf.

migration_create_volume_timeout_secs = 300

(IntOpt) Timeout for creating the volume to migrate to when performing volume migration (seconds)

num_iser_scan_tries = 3

(IntOpt) The maximum number of times to rescan iSER target to find volume

num_volume_device_scan_tries = 3

(IntOpt) The maximum number of times to rescan targets to find volume

volume_backend_name = None

(StrOpt) The backend name for a given driver implementation

volume_clear = zero

(StrOpt) Method used to wipe old volumes (valid options are: none, zero, shred)

volume_clear_ionice = None

(StrOpt) The flag to pass to ionice to alter the i/o priority of the process used to zero a volume after deletion, for example "-c3" for idle only priority.

volume_clear_size = 0

(IntOpt) Size in MiB to wipe at start of old volumes. 0 => all

volume_copy_blkio_cgroup_name = cinder-volume-copy

(StrOpt) The blkio cgroup name to be used to limit bandwidth of volume copy

volume_copy_bps_limit = 0

(IntOpt) The upper limit of bandwidth of volume copy. 0 => unlimited

volume_dd_blocksize = 1M

(StrOpt) The default block size used when copying/clearing volumes

volume_driver = cinder.volume.drivers.lvm.LVMISCSIDriver

(StrOpt) Driver to use for volume creation

volume_manager = cinder.volume.manager.VolumeManager

(StrOpt) Full class name for the Manager for volume

volume_service_inithost_offload = False

(BoolOpt) Offload pending volume delete during volume service startup

volume_usage_audit_period = month

(StrOpt) Time period for which to generate volume usages. The options are hour, day, month, or year.

volumes_dir = $state_path/volumes

(StrOpt) Volume configuration file storage directory


Table 1.50. Description of RPC configuration options


Configuration option = Default value

Description

[DEFAULT]
matchmaker_heartbeat_freq = 300

(IntOpt) Heartbeat frequency.

matchmaker_heartbeat_ttl = 600

(IntOpt) Heartbeat time-to-live.

rpc_backend = rabbit

(StrOpt) The messaging driver to use, defaults to rabbit. Other drivers include qpid and zmq.

rpc_cast_timeout = 30

(IntOpt) Seconds to wait before a cast expires (TTL). Only supported by impl_zmq.

rpc_conn_pool_size = 30

(IntOpt) Size of RPC connection pool.

rpc_response_timeout = 60

(IntOpt) Seconds to wait for a response from a call.

rpc_thread_pool_size = 64

(IntOpt) Size of RPC greenthread pool.

volume_topic = cinder-volume

(StrOpt) The topic that volume nodes listen on

Table 1.51. Description of AMQP configuration options


Configuration option = Default value

Description

[DEFAULT]
amqp_auto_delete = False

(BoolOpt) Auto-delete queues in amqp.

amqp_durable_queues = False

(BoolOpt) Use durable queues in amqp.

control_exchange = openstack

(StrOpt) The default exchange under which topics are scoped. May be overridden by an exchange name specified in the transport_url option.

notification_driver = []

(MultiStrOpt) Driver or drivers to handle sending notifications.

notification_topics = notifications

(ListOpt) AMQP topic used for OpenStack notifications.

transport_url = None

(StrOpt) A URL representing the messaging driver to use and its full configuration. If not set, we fall back to the rpc_backend option and driver specific configuration.

Table 1.52. Description of Qpid configuration options


Configuration option = Default value

Description

[DEFAULT]
qpid_heartbeat = 60

(IntOpt) Seconds between connection keepalive heartbeats.

qpid_hostname = localhost

(StrOpt) Qpid broker hostname.

qpid_hosts = $qpid_hostname:$qpid_port

(ListOpt) Qpid HA cluster host:port pairs.

qpid_password =

(StrOpt) Password for Qpid connection.

qpid_port = 5672

(IntOpt) Qpid broker port.

qpid_protocol = tcp

(StrOpt) Transport to use, either 'tcp' or 'ssl'.

qpid_receiver_capacity = 1

(IntOpt) The number of prefetched messages held by receiver.

qpid_sasl_mechanisms =

(StrOpt) Space separated list of SASL mechanisms to use for auth.

qpid_tcp_nodelay = True

(BoolOpt) Whether to disable the Nagle algorithm.

qpid_topology_version = 1

(IntOpt) The qpid topology version to use. Version 1 is what was originally used by impl_qpid. Version 2 includes some backwards-incompatible changes that allow broker federation to work. Users should update to version 2 when they are able to take everything down, as it requires a clean break.


qpid_username =

(StrOpt) Username for Qpid connection.


Table 1.53. Description of RabbitMQ configuration options


Configuration option = Default value

Description

[DEFAULT]
kombu_reconnect_delay = 1.0

(FloatOpt) How long to wait before reconnecting in response to an AMQP consumer cancel notification.

kombu_ssl_ca_certs =

(StrOpt) SSL certification authority file (valid only if SSL enabled).

kombu_ssl_certfile =

(StrOpt) SSL cert file (valid only if SSL enabled).

kombu_ssl_keyfile =

(StrOpt) SSL key file (valid only if SSL enabled).

kombu_ssl_version =

(StrOpt) SSL version to use (valid only if SSL enabled). Valid values are TLSv1, SSLv23 and SSLv3. SSLv2 may be available on some distributions.

rabbit_ha_queues = False

(BoolOpt) Use HA queues in RabbitMQ (x-ha-policy: all). If you change this option, you must wipe the RabbitMQ database.

rabbit_host = localhost

(StrOpt) The RabbitMQ broker address where a single node is used.

rabbit_hosts = $rabbit_host:$rabbit_port

(ListOpt) RabbitMQ HA cluster host:port pairs.

rabbit_login_method = AMQPLAIN

(StrOpt) the RabbitMQ login method

rabbit_max_retries = 0

(IntOpt) Maximum number of RabbitMQ connection retries. Default is 0 (infinite retry count).

rabbit_password = guest

(StrOpt) The RabbitMQ password.

rabbit_port = 5672

(IntOpt) The RabbitMQ broker port where a single node is used.

rabbit_retry_backoff = 2

(IntOpt) How long to backoff for between retries when connecting to RabbitMQ.

rabbit_retry_interval = 1

(IntOpt) How frequently to retry connecting with RabbitMQ.

rabbit_use_ssl = False

(BoolOpt) Connect over SSL for RabbitMQ.

rabbit_userid = guest

(StrOpt) The RabbitMQ userid.

rabbit_virtual_host = /

(StrOpt) The RabbitMQ virtual host.

Table 1.54. Description of Redis configuration options


Configuration option = Default value

Description

[matchmaker_redis]
host = 127.0.0.1

(StrOpt) Host to locate redis.

password = None

(StrOpt) Password for Redis server (optional).

port = 6379

(IntOpt) Use this port to connect to redis host.

[matchmaker_ring]
ringfile = /etc/oslo/matchmaker_ring.json

(StrOpt) Matchmaker ring file (JSON).

Table 1.55. Description of ZeroMQ configuration options


Configuration option = Default value

Description

[DEFAULT]


rpc_zmq_bind_address = *

(StrOpt) ZeroMQ bind address. Should be a wildcard (*), an ethernet interface, or IP. The "host" option should point or resolve to this address.

rpc_zmq_contexts = 1

(IntOpt) Number of ZeroMQ contexts, defaults to 1.

rpc_zmq_host = localhost

(StrOpt) Name of this node. Must be a valid hostname, FQDN, or IP address. Must match "host" option, if running Nova.

rpc_zmq_ipc_dir = /var/run/openstack

(StrOpt) Directory for holding IPC sockets.

rpc_zmq_matchmaker = oslo.messaging._drivers.matchmaker.MatchMakerLocalhost

(StrOpt) MatchMaker driver.

rpc_zmq_port = 9501

(IntOpt) ZeroMQ receiver listening port.

rpc_zmq_topic_backlog = None

(IntOpt) Maximum number of ingress messages to locally buffer per topic. Default is unlimited.

Table 1.56. Description of Solaris SAN configuration options


Configuration option = Default value

Description

[DEFAULT]
san_zfs_volume_base = rpool/

(StrOpt) The ZFS path under which to create zvols for volumes.

Table 1.57. Description of rootwrap configuration options


Configuration option = Default value

Description

[DEFAULT]
filters_path = /etc/cinder/rootwrap.d,/usr/share/cinder/rootwrap

List of directories to load filter definitions from (separated by ','). These directories MUST all be only writeable by root!

exec_dirs = /sbin,/usr/sbin,/bin,/usr/bin

List of directories to search executables in, in case filters do not explicitly specify a full path (separated by ','). If not specified, defaults to system PATH environment variable. These directories MUST all be only writeable by root!

use_syslog = False

Enable logging to syslog. Default value is False.

syslog_log_facility = syslog

Which syslog facility to use. Valid values include auth, authpriv, syslog, local0, local1... Default value is 'syslog'.

syslog_log_level = ERROR

Which messages to log. INFO means log all usage; ERROR means only log unsuccessful attempts.

Table 1.58. Description of CA and SSL configuration options


Configuration option = Default value

Description

[DEFAULT]
ssl_ca_file = None

(StrOpt) CA certificate file to use to verify connecting clients

ssl_cert_file = None

(StrOpt) Certificate file to use when starting the server securely

ssl_key_file = None

(StrOpt) Private key file to use when starting the server securely

[ssl]
ca_file = None

(StrOpt) CA certificate file to use to verify connecting clients

cert_file = None

(StrOpt) Certificate file to use when starting the server securely


key_file = None

(StrOpt) Private key file to use when starting the server securely

Table 1.59. Description of images configuration options


Configuration option = Default value

Description

[DEFAULT]
allowed_direct_url_schemes =

(ListOpt) A list of url schemes that can be downloaded directly via the direct_url. Currently supported schemes: [file].

glance_api_insecure = False

(BoolOpt) Allow to perform insecure SSL (https) requests to glance

glance_api_servers = $glance_host:$glance_port

(ListOpt) A list of the glance API servers available to cinder ([hostname|ip]:port)

glance_api_ssl_compression = False

(BoolOpt) Enables or disables negotiation of SSL layer compression. In some cases disabling compression can improve data throughput, such as when high network bandwidth is available and you use compressed image formats like qcow2.

glance_api_version = 1

(IntOpt) Version of the glance API to use

glance_ca_certificates_file = None

(StrOpt) Location of ca certificates file to use for glance client requests.

glance_core_properties = checksum, container_format, disk_format, image_name, image_id, min_disk, min_ram, name, size

(ListOpt) Default core properties of image

glance_host = $my_ip

(StrOpt) Default glance host name or IP

glance_num_retries = 0

(IntOpt) Number of retries when downloading an image from glance

glance_port = 9292

(IntOpt) Default glance port

glance_request_timeout = None

(IntOpt) http/https timeout value for glance operations. If no value (None) is supplied here, the glanceclient default value is used.

image_conversion_dir = $state_path/conversion

(StrOpt) Directory used for temporary storage during image conversion

use_multipath_for_image_xfer = False

(BoolOpt) Do we attach/detach volumes in cinder using multipath for volume to image and image to volume transfers?

Table 1.60. Description of swift configuration options


Configuration option = Default value

Description

[DEFAULT]
backup_swift_auth_version = 1

(StrOpt) Swift authentication version. Specify "1" for auth 1.0, or "2" for auth 2.0

backup_swift_tenant = None

(StrOpt) Swift tenant/account name. Required when connecting to an auth 2.0 system

Table 1.61. Description of EMC configuration options


Configuration option = Default value

Description

[DEFAULT]
cinder_emc_config_file = /etc/cinder/cinder_emc_config.xml

(StrOpt) use this file for cinder emc plugin config data


destroy_empty_storage_group = False

(BoolOpt) To destroy storage group when the last LUN is removed from it. By default, the value is False.

initiator_auto_registration = False

(BoolOpt) Automatically register initiators. By default, the value is False.

iscsi_initiators =

(StrOpt) Mapping between hostname and its iSCSI initiator IP addresses.

max_luns_per_storage_group = 255

(IntOpt) Default max number of LUNs in a storage group. By default, the value is 255.

naviseccli_path =

(StrOpt) Naviseccli Path.

storage_vnx_authentication_type = global

(StrOpt) VNX authentication scope type.

storage_vnx_pool_name = None

(StrOpt) Storage pool name.

storage_vnx_security_file_dir = None

(StrOpt) Directory path that contains the VNX security file. Make sure the security file is generated first.

Table 1.62. Description of backups configuration options


Configuration option = Default value

Description

[DEFAULT]
backup_api_class = cinder.backup.api.API

(StrOpt) The full class name of the volume backup API class

backup_compression_algorithm = zlib

(StrOpt) Compression algorithm (None to disable)

backup_driver = cinder.backup.drivers.swift

(StrOpt) Driver to use for backups.

backup_manager = cinder.backup.manager.BackupManager

(StrOpt) Full class name for the Manager for volume backup

backup_metadata_version = 1

(IntOpt) Backup metadata version to be used when backing up volume metadata. If this number is bumped, make
sure the service doing the restore supports the new version.

backup_name_template = backup-%s

(StrOpt) Template string to be used to generate backup names

backup_topic = cinder-backup

(StrOpt) The topic that volume backup nodes listen on

snapshot_name_template = snapshot-%s

(StrOpt) Template string to be used to generate snapshot names

snapshot_same_host = True

(BoolOpt) Create volume from snapshot at the host where snapshot resides

Table 1.63. Description of HP 3PAR Fibre Channel and iSCSI drivers configuration options

Configuration option = Default value

Description

[DEFAULT]
hp3par_api_url =

(StrOpt) 3PAR WSAPI Server Url like https://<3par ip>:8080/api/v1

hp3par_cpg = OpenStack

(StrOpt) The CPG to use for volume creation

hp3par_cpg_snap =

(StrOpt) The CPG to use for Snapshots for volumes. If empty hp3par_cpg will be used

hp3par_debug = False

(BoolOpt) Enable HTTP debugging to 3PAR

hp3par_iscsi_chap_enabled = False

(BoolOpt) Enable CHAP authentication for iSCSI connections.

hp3par_iscsi_ips =

(ListOpt) List of target iSCSI addresses to use.

hp3par_password =

(StrOpt) 3PAR Super user password


hp3par_snapshot_expiration =

(StrOpt) The time in hours when a snapshot expires and is deleted. This must be larger than expiration

hp3par_snapshot_retention =

(StrOpt) The time in hours to retain a snapshot. You can't delete it before this expires.

hp3par_username =

(StrOpt) 3PAR Super user username

Table 1.64. Description of API configuration options


Configuration option = Default value

Description

[DEFAULT]
api_paste_config = api-paste.ini

(StrOpt) File name for the paste.deploy config for cinder-api

api_rate_limit = True

(BoolOpt) Enables or disables rate limit of the API.

az_cache_duration = 3600

(IntOpt) Cache volume availability zones in memory for the provided duration in seconds

default_timeout = 525600

(IntOpt) Default timeout for CLI operations in minutes. For example, LUN migration is a typical long running operation, which depends on the LUN size and the load of the array. An upper bound in the specific deployment can be set to avoid unnecessary long wait. By default, it is 365 days long.

enable_v1_api = True

(BoolOpt) DEPRECATED: Deploy v1 of the Cinder API.

enable_v2_api = True

(BoolOpt) Deploy v2 of the Cinder API.

extra_capabilities = {}

(StrOpt) User defined capabilities, a JSON formatted string specifying key/value pairs.

max_header_line = 16384

(IntOpt) Maximum line size of message headers to be accepted. max_header_line may need to be increased when
using large tokens (typically those generated by the Keystone v3 API with big service catalogs).

osapi_max_limit = 1000

(IntOpt) The maximum number of items that a collection resource returns in a single response

osapi_max_request_body_size = 114688

(IntOpt) Max size for body of a request

osapi_volume_base_URL = None

(StrOpt) Base URL that will be presented to users in links to the OpenStack Volume API

osapi_volume_ext_list =

(ListOpt) Specify list of extensions to load when using osapi_volume_extension option with cinder.api.contrib.select_extensions

osapi_volume_extension = ['cinder.api.contrib.standard_extensions']

(MultiStrOpt) osapi volume extension to load

osapi_volume_listen = 0.0.0.0

(StrOpt) IP address on which OpenStack Volume API listens

osapi_volume_listen_port = 8776

(IntOpt) Port on which OpenStack Volume API listens

osapi_volume_workers = None

(IntOpt) Number of workers for OpenStack Volume API service. The default is equal to the number of CPUs available.

transfer_api_class = cinder.transfer.api.API

(StrOpt) The full class name of the volume transfer API class

volume_api_class = cinder.volume.api.API

(StrOpt) The full class name of the volume API class to use

volume_name_template = volume-%s

(StrOpt) Template string to be used to generate volume names

volume_number_multiplier = -1.0

(FloatOpt) Multiplier used for weighing volume number. Negative numbers mean to spread vs stack.


volume_transfer_key_length = 16

(IntOpt) The number of characters in the autogenerated auth key.

volume_transfer_salt_length = 8

(IntOpt) The number of characters in the salt.

Table 1.65. Description of HP LeftHand/StoreVirtual driver configuration options

Configuration option = Default value

Description

[DEFAULT]
hplefthand_api_url = None

(StrOpt) HP LeftHand WSAPI Server Url like https://<LeftHand ip>:8081/lhos

hplefthand_clustername = None

(StrOpt) HP LeftHand cluster name

hplefthand_debug = False

(BoolOpt) Enable HTTP debugging to LeftHand

hplefthand_iscsi_chap_enabled = False

(BoolOpt) Configure CHAP authentication for iSCSI connections (Default: Disabled)

hplefthand_password = None

(StrOpt) HP LeftHand Super user password

hplefthand_username = None

(StrOpt) HP LeftHand Super user username

Table 1.66. Description of Scality SOFS volume driver configuration options


Configuration option = Default value

Description

[DEFAULT]
scality_sofs_config = None

(StrOpt) Path or URL to Scality SOFS configuration file

scality_sofs_mount_point = $state_path/scality

(StrOpt) Base dir where Scality SOFS shall be mounted

scality_sofs_volume_dir = cinder/volumes

(StrOpt) Path from Scality SOFS root to volume dir

Table 1.67. Description of block device configuration options


Configuration option = Default value

Description

[DEFAULT]
available_devices =

(ListOpt) List of all available devices

Table 1.68. Description of Compute configuration options


Configuration option = Default value

Description

[DEFAULT]
nova_api_insecure = False

(BoolOpt) Allow to perform insecure SSL requests to nova

nova_ca_certificates_file = None

(StrOpt) Location of ca certificates file to use for nova client requests.

nova_catalog_admin_info = compute:nova:adminURL

(StrOpt) Same as nova_catalog_info, but for admin endpoint.

nova_catalog_info = compute:nova:publicURL

(StrOpt) Match this value when searching for nova in the service catalog. Format is: separated values of the form: <service_type>:<service_name>:<endpoint_type>

nova_endpoint_admin_template = None

(StrOpt) Same as nova_endpoint_template, but for admin endpoint.

nova_endpoint_template = None

(StrOpt) Override service catalog lookup with template for nova endpoint e.g. http://localhost:8774/v2/%(project_id)s

os_region_name = None

(StrOpt) Region name of this node


Table 1.69. Description of SAN configuration options


Configuration option = Default value

Description

[DEFAULT]
san_clustername =

(StrOpt) Cluster name to use for creating volumes

san_ip =

(StrOpt) IP address of SAN controller

san_is_local = False

(BoolOpt) Execute commands locally instead of over SSH; use if the volume service is running on the SAN device

san_login = admin

(StrOpt) Username for SAN controller

san_password =

(StrOpt) Password for SAN controller

san_private_key =

(StrOpt) Filename of private key to use for SSH authentication

san_secondary_ip = None

(StrOpt) VNX secondary SP IP Address.

san_ssh_port = 22

(IntOpt) SSH port to use with SAN

san_thin_provision = True

(BoolOpt) Use thin provisioning for SAN volumes?

ssh_conn_timeout = 30

(IntOpt) SSH connection timeout in seconds

ssh_max_pool_conn = 5

(IntOpt) Maximum ssh connections in the pool

ssh_min_pool_conn = 1

(IntOpt) Minimum ssh connections in the pool

Table 1.70. Description of zones configuration options


Configuration option = Default value

Description

[DEFAULT]
cloned_volume_same_az = True

(BoolOpt) Ensure that the new volumes are the same AZ as snapshot or source volume

Table 1.71. Description of authorization configuration options


Configuration option = Default value

Description

[DEFAULT]
auth_strategy = noauth

(StrOpt) The strategy to use for auth. Supports noauth, keystone, and deprecated.

Table 1.72. Description of scheduler configuration options


Configuration option = Default value

Description

[DEFAULT]
scheduler_default_filters = AvailabilityZoneFilter, CapacityFilter, CapabilitiesFilter

(ListOpt) Which filter class names to use for filtering hosts when not specified in the request.

scheduler_default_weighers = CapacityWeigher

(ListOpt) Which weigher class names to use for weighing hosts.

scheduler_driver = cinder.scheduler.filter_scheduler.FilterScheduler

(StrOpt) Default scheduler driver to use

scheduler_host_manager = cinder.scheduler.host_manager.HostManager

(StrOpt) The scheduler host manager class to use

scheduler_json_config_location =

(StrOpt) Absolute path to scheduler configuration JSON file.

scheduler_manager = cinder.scheduler.manager.SchedulerManager

(StrOpt) Full class name for the Manager for scheduler

scheduler_max_attempts = 3

(IntOpt) Maximum number of attempts to schedule a volume


scheduler_topic = cinder-scheduler

(StrOpt) The topic that scheduler nodes listen on


Table 1.73. Description of quota configuration options


Configuration option = Default value

Description

[DEFAULT]
max_age = 0

(IntOpt) Number of seconds between subsequent usage refreshes

quota_backup_gigabytes = 1000

(IntOpt) Total amount of storage, in gigabytes, allowed for backups per project

quota_backups = 10

(IntOpt) Number of volume backups allowed per project

quota_consistencygroups = 10

(IntOpt) Number of consistencygroups allowed per project

quota_driver = cinder.quota.DbQuotaDriver

(StrOpt) Default driver to use for quota checks

quota_gigabytes = 1000

(IntOpt) Total amount of storage, in gigabytes, allowed for volumes and snapshots per project

quota_snapshots = 10

(IntOpt) Number of volume snapshots allowed per project

quota_volumes = 10

(IntOpt) Number of volumes allowed per project

reservation_expire = 86400

(IntOpt) Number of seconds until a reservation expires

use_default_quota_class = True

(BoolOpt) Enables or disables use of default quota class with default quota.

Table 1.74. Description of common configuration options


Configuration option = Default value

Description

[DEFAULT]
compute_api_class = cinder.compute.nova.API

(StrOpt) The full class name of the compute API class to use

consistencygroup_api_class = cinder.consistencygroup.api.API

(StrOpt) The full class name of the consistencygroup API class

default_availability_zone = None

(StrOpt) Default availability zone for new volumes. If not set, the storage_availability_zone option value is used as the default for new volumes.

default_volume_type = None

(StrOpt) Default volume type to use

enable_new_services = True

(BoolOpt) Services to be added to the available pool on create

host = localhost

(StrOpt) Name of this node. This can be an opaque identifier. It is not necessarily a host name, FQDN, or IP address.

iet_conf = /etc/iet/ietd.conf

(StrOpt) IET configuration file

lio_initiator_iqns =

(StrOpt) Comma-separated list of initiator IQNs allowed to connect to the iSCSI target. (From Nova compute nodes.)

lock_path = None

(StrOpt) Directory to use for lock files. Default to a temp directory

memcached_servers = None

(ListOpt) Memcached servers or None for in process cache.

monkey_patch = False

(BoolOpt) Enable monkey patching

monkey_patch_modules =

(ListOpt) List of modules/decorators to monkey patch

my_ip = 10.0.0.1

(StrOpt) IP address of this host

no_snapshot_gb_quota = False

(BoolOpt) Whether snapshots count against GigaByte quota

num_shell_tries = 3

(IntOpt) Number of times to attempt to run flakey shell commands


periodic_fuzzy_delay = 60

(IntOpt) Range, in seconds, to randomly delay when starting the periodic task scheduler to reduce stampeding. (Disable by setting to 0)

periodic_interval = 60

(IntOpt) Interval, in seconds, between running periodic tasks

policy_default_rule = default

(StrOpt) Default rule. Enforced when a requested rule is not found.

policy_file = policy.json

(StrOpt) The JSON file that defines policies.

replication_api_class = cinder.replication.api.API

(StrOpt) The full class name of the volume replication API class

report_interval = 10

(IntOpt) Interval, in seconds, between nodes reporting state to datastore

reserved_percentage = 0

(IntOpt) The percentage of backend capacity that is reserved

rootwrap_config = /etc/cinder/rootwrap.conf

(StrOpt) Path to the rootwrap configuration file to use for running commands as root

run_external_periodic_tasks = True

(BoolOpt) Some periodic tasks can be run in a separate process. Should we run them here?

service_down_time = 60

(IntOpt) Maximum time since last check-in for a service to be considered up

ssh_hosts_key_file = $state_path/ssh_known_hosts

(StrOpt) File containing SSH host keys for the systems with which Cinder needs to communicate. OPTIONAL: Default=$state_path/ssh_known_hosts

state_path = /var/lib/cinder

(StrOpt) Top-level directory for maintaining cinder's state

storage_availability_zone = nova

(StrOpt) Availability zone of this node

strict_ssh_host_key_policy = False

(BoolOpt) Option to enable strict host key checking. When set to "True" Cinder will only connect to systems with a host key present in the configured "ssh_hosts_key_file". When set to "False" the host key will be saved upon first connection and used for subsequent connections. Default=False

tcp_keepalive = True

(BoolOpt) Sets the value of TCP_KEEPALIVE (True/False) for each server socket.

tcp_keepalive_count = None

(IntOpt) Sets the value of TCP_KEEPCNT for each server socket. Not supported on OS X.

tcp_keepalive_interval = None

(IntOpt) Sets the value of TCP_KEEPINTVL in seconds for each server socket. Not supported on OS X.

tcp_keepidle = 600

(IntOpt) Sets the value of TCP_KEEPIDLE in seconds for each server socket. Not supported on OS X.

until_refresh = 0

(IntOpt) Count of reservations until usage is refreshed

use_forwarded_for = False

(BoolOpt) Treat X-Forwarded-For as the canonical remote address. Only enable this if you have a sanitizing proxy.

[keystone_authtoken]
memcached_servers = None

(ListOpt) Optionally specify a list of memcached server(s) to use for caching. If left undefined, tokens will instead be cached in-process.

Table 1.75. Description of logging configuration options


Configuration option = Default value

Description

[DEFAULT]
debug = False

(BoolOpt) Print debugging output (set logging level to DEBUG instead of default WARNING level).

default_log_levels = amqp=WARN, amqplib=WARN, boto=WARN, qpid=WARN, sqlalchemy=WARN, suds=INFO, oslo.messaging=INFO, iso8601=WARN, requests.packages.urllib3.connectionpool=WARN, urllib3.connectionpool=WARN, websocket=WARN, keystonemiddleware=WARN, routes.middleware=WARN, stevedore=WARN

(ListOpt) List of logger=LEVEL pairs.

fatal_deprecations = False

(BoolOpt) Enables or disables fatal status of deprecations.

fatal_exception_format_errors = False

(BoolOpt) Make exception message format errors fatal.

instance_format = "[instance: %(uuid)s] "

(StrOpt) The format for an instance that is passed with the log message.

instance_uuid_format = "[instance: %(uuid)s] "

(StrOpt) The format for an instance UUID that is passed with the log message.

log_config_append = None

(StrOpt) The name of a logging configuration file. This file is appended to any existing logging configuration files. For details about logging configuration files, see the Python logging module documentation.

log_date_format = %Y-%m-%d %H:%M:%S

(StrOpt) Format string for %%(asctime)s in log records. Default: %(default)s .

log_dir = None

(StrOpt) (Optional) The base directory used for relative --log-file paths.

log_file = None

(StrOpt) (Optional) Name of log file to output to. If no default is set, logging will go to stdout.

log_format = None

(StrOpt) DEPRECATED. A logging.Formatter log message format string which may use any of the available logging.LogRecord attributes. This option is deprecated. Please use logging_context_format_string and logging_default_format_string instead.

logging_context_format_string = %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [%(request_id)s %(user_identity)s] %(instance)s%(message)s

(StrOpt) Format string to use for log messages with context.

logging_debug_format_suffix = %(funcName)s %(pathname)s:%(lineno)d

(StrOpt) Data to append to log format when level is DEBUG.

logging_default_format_string = %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [-] %(instance)s%(message)s

(StrOpt) Format string to use for log messages without context.

logging_exception_prefix = %(asctime)s.%(msecs)03d %(process)d TRACE %(name)s %(instance)s

(StrOpt) Prefix each line of exception output with this format.

publish_errors = False

(BoolOpt) Enables or disables publication of error events.

syslog_log_facility = LOG_USER

(StrOpt) Syslog facility to receive log lines.

use_stderr = True

(BoolOpt) Log output to standard error.

use_syslog = False

(BoolOpt) Use syslog for logging. Existing syslog format is DEPRECATED during I, and will change in J to honor RFC5424.

use_syslog_rfc_format = False

(BoolOpt) (Optional) Enables or disables syslog rfc5424 format for logging. If enabled, prefixes the MSG part of the syslog message with APP-NAME (RFC5424). The format without the APP-NAME is deprecated in I, and will be removed in J.

verbose = False

(BoolOpt) Print more verbose output (set logging level to INFO instead of default WARNING level).

Table 1.76. Description of logging configuration options


Configuration option = Default value

Description

[DEFAULT]


backdoor_port = None

(StrOpt) Enable eventlet backdoor. Acceptable values are 0, <port>, and <start>:<end>, where 0 results in listening on a random tcp port number; <port> results in listening on the specified port number (and not enabling backdoor if that port is in use); and <start>:<end> results in listening on the smallest unused port number within the specified range of port numbers. The chosen port is displayed in the service's log file.

disable_process_locking = False

(BoolOpt) Whether to disable inter-process locks
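
Several options in this reference decide whether Cinder authenticates callers or verifies its peers: auth_strategy, strict_ssh_host_key_policy, use_forwarded_for, backdoor_port, nova_api_insecure, fusionio_iocontrol_verify_cert and [keystone_authtoken] hash_algorithms. The following Python audit is an added example, not part of the OpenStack documentation or of Cinder; it falls back to the defaults listed in this reference when an option is unset, and the check list, finding texts and sample cinder.conf are constructed for illustration.

```python
import configparser


def _is_true(value):
    # Spellings oslo.config accepts for a true BoolOpt.
    return value.strip().lower() in ("true", "1", "on", "yes")


def _first_hash(value):
    # Accepts "sha256,md5" as well as the "['md5']" rendering used in the reference.
    names = [part.strip(" []'\"").lower() for part in value.split(",")]
    return next((name for name in names if name), "")


# (section, option, default listed in this reference, is_risky(value), finding)
CHECKS = [
    ("DEFAULT", "auth_strategy", "noauth",
     lambda v: v.strip().lower() == "noauth",
     "API requests are not authenticated; use keystone"),
    ("DEFAULT", "strict_ssh_host_key_policy", "False",
     lambda v: not _is_true(v),
     "unknown SSH host keys are saved on first connection, not rejected"),
    ("DEFAULT", "nova_api_insecure", "False", _is_true,
     "insecure SSL requests to nova are allowed"),
    ("DEFAULT", "fusionio_iocontrol_verify_cert", "True",
     lambda v: not _is_true(v),
     "the array certificate is not verified"),
    ("DEFAULT", "backdoor_port", "None",
     lambda v: v.strip().lower() not in ("", "none"),
     "the eventlet backdoor listener is enabled"),
    ("DEFAULT", "use_forwarded_for", "False", _is_true,
     "X-Forwarded-For is trusted; requires a sanitizing proxy"),
    ("keystone_authtoken", "hash_algorithms", "['md5']",
     lambda v: _first_hash(v) == "md5",
     "md5 is the first (cached) hash for PKI tokens"),
]


def audit(conf_text):
    """Return one finding per risky effective value in a cinder.conf text."""
    parser = configparser.ConfigParser(
        interpolation=None,             # values such as %(asctime)s are literal
        strict=False,                   # tolerate repeated options
        default_section="__unused__",   # keep [DEFAULT] out of other sections
    )
    parser.read_string(conf_text)
    findings = []
    for section, option, default, is_risky, message in CHECKS:
        explicit = parser.has_option(section, option)
        value = parser.get(section, option, fallback=default)
        if is_risky(value):
            findings.append({
                "section": section,
                "option": option,
                "value": value,
                "source": "set" if explicit else "default",
                "message": message,
            })
    return findings


# Constructed sample configuration, not taken from a real deployment.
SAMPLE_CONF = """\
[DEFAULT]
auth_strategy = keystone
nova_api_insecure = True
backdoor_port = 4000:4100
use_forwarded_for = false
logging_context_format_string = %(asctime)s %(message)s

[keystone_authtoken]
hash_algorithms = sha256, md5
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_CONF):
        print("[%(section)s] %(option)s = %(value)s (%(source)s): %(message)s" % f)
```

Findings with source "default" are the ones an operator never sees in cinder.conf, which is why the audit evaluates the effective value rather than only the lines present in the file.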

Table 1.77. Description of testing configuration options


Configuration option = Default value

Description

[DEFAULT]
fake_rabbit = False

(BoolOpt) If passed, use a fake RabbitMQ provider.

Table 1.78. Description of profiler configuration options


Configuration option = Default value

Description

[profiler]
profiler_enabled = False

(BoolOpt) If False fully disable profiling feature.

trace_sqlalchemy = False

(BoolOpt) If False doesn't trace SQL requests.

Table 1.79. Description of Fusion-io driver configuration options


Configuration option = Default value

Description

[DEFAULT]
fusionio_iocontrol_retry = 3

(IntOpt) number of retries for GET operations

fusionio_iocontrol_targetdelay = 5

(IntOpt) amount of time wait for iSCSI target to come online

fusionio_iocontrol_verify_cert = True

(BoolOpt) verify the array certificate on each transaction

Table 1.80. Description of Hitachi volume driver configuration options


Configuration option = Default value

Description

[DEFAULT]
hitachi_add_chap_user = False

(BoolOpt) Add CHAP user

hitachi_async_copy_check_interval = 10

(IntOpt) Interval to check copy asynchronously

hitachi_auth_method = None

(StrOpt) iSCSI authentication method

hitachi_auth_password = HBSD-CHAP-password

(StrOpt) iSCSI authentication password

hitachi_auth_user = HBSD-CHAP-user

(StrOpt) iSCSI authentication username

hitachi_copy_check_interval = 3

(IntOpt) Interval to check copy

hitachi_copy_speed = 3

(IntOpt) Copy speed of storage system

hitachi_default_copy_method = FULL

(StrOpt) Default copy method of storage system

hitachi_group_range = None

(StrOpt) Range of group number

hitachi_group_request = False

(BoolOpt) Request for creating HostGroup or iSCSI Target

hitachi_horcm_add_conf = True

(BoolOpt) Add to HORCM configuration

hitachi_horcm_numbers = 200,201

(StrOpt) Instance numbers for HORCM

hitachi_horcm_password = None

(StrOpt) Password of storage system for HORCM

hitachi_horcm_user = None

(StrOpt) Username of storage system for HORCM

hitachi_ldev_range = None

(StrOpt) Range of logical device of storage system


hitachi_pool_id = None

(IntOpt) Pool ID of storage system

hitachi_serial_number = None

(StrOpt) Serial number of storage system

hitachi_target_ports = None

(StrOpt) Control port names for HostGroup or iSCSI Target

hitachi_thin_pool_id = None

(IntOpt) Thin pool ID of storage system

hitachi_unit_name = None

(StrOpt) Name of an array unit

hitachi_zoning_request = False

(BoolOpt) Request for FC Zone creating HostGroup

Table 1.81. Description of IBM NAS volume driver configuration options


Configuration option = Default value

Description

[DEFAULT]
ibmnas_platform_type = v7ku

(StrOpt) IBMNAS platform type to be used as backend storage; valid values are - v7ku : for using IBM Storwize V7000 Unified, sonas : for using IBM Scale Out NAS, gpfsnas : for using NFS based IBM GPFS deployments.

Table 1.82. Description of Datera volume driver configuration options


Configuration option = Default value

Description

[DEFAULT]
datera_api_port = 7717

(StrOpt) Datera API port.

datera_api_token = None

(StrOpt) Datera API token.

datera_api_version = 1

(StrOpt) Datera API version.

datera_num_replicas = 3

(StrOpt) Number of replicas to create of an inode.

driver_client_cert = None

(StrOpt) The path to the client certificate for verification, if the driver supports it.

driver_client_cert_key = None

(StrOpt) The path to the client certificate key for verification, if the driver supports it.

Table 1.83. Description of Fujitsu ETERNUS DX volume driver configuration options


Configuration option = Default value

Description

[DEFAULT]
cinder_smis_config_file = /etc/cinder/cinder_fujitsu_eternus_dx.xml

(StrOpt) The configuration file for the Cinder SMI-S driver

Table 1.84. Description of Samba volume driver configuration options


Configuration option = Default value

Description

[DEFAULT]
smbfs_default_volume_format = qcow2

(StrOpt) Default format that will be used when creating volumes if no volume format is specified. Can be set to: raw, qcow2, vhd or vhdx.

smbfs_mount_options = noperm,file_mode=0775,dir_mode=0775

(StrOpt) Mount options passed to the smbfs client. See mount.cifs man page for details.

smbfs_mount_point_base = $state_path/mnt

(StrOpt) Base dir containing mount points for smbfs shares.

smbfs_oversub_ratio = 1.0

(FloatOpt) This will compare the allocated to available space on the volume destination. If the ratio exceeds this number, the destination will no longer be valid.

smbfs_shares_config = /etc/cinder/smbfs_shares

(StrOpt) File with the list of available smbfs shares.


smbfs_sparsed_volumes = True

(BoolOpt) Create volumes as sparsed files which take no space rather than regular files when using raw format, in which case volume creation takes a lot of time.

smbfs_used_ratio = 0.95

(FloatOpt) Percent of ACTUAL usage of the underlying volume before no new volumes can be allocated to the volume destination.

New, updated and deprecated options in Juno for OpenStack Block Storage

Table 1.85. New options


Option = default value

(Type) Help string

[DEFAULT] az_cache_duration = 3600

(IntOpt) Cache volume availability zones in memory for the provided duration in seconds

[DEFAULT] backup_swift_auth_version = 1

(StrOpt) Swift authentication version. Specify "1" for auth 1.0, or "2" for auth 2.0

[DEFAULT] backup_swift_tenant = None

(StrOpt) Swift tenant/account name. Required when connecting to an auth 2.0 system

[DEFAULT] cinder_smis_config_file = /etc/cinder/cinder_fujitsu_eternus_dx.xml

(StrOpt) The configuration file for the Cinder SMI-S driver

[DEFAULT] consistencygroup_api_class = cinder.consistencygroup.api.API

(StrOpt) The full class name of the consistencygroup API class

[DEFAULT] datera_api_port = 7717

(StrOpt) Datera API port.

[DEFAULT] datera_api_token = None

(StrOpt) Datera API token.

[DEFAULT] datera_api_version = 1

(StrOpt) Datera API version.

[DEFAULT] datera_num_replicas = 3

(StrOpt) Number of replicas to create of an inode.

[DEFAULT] destroy_empty_storage_group = False

(BoolOpt) To destroy storage group when the last LUN is removed from it. By default, the value is False.

[DEFAULT] dpl_pool =

(StrOpt) DPL pool uuid in which DPL volumes are stored.

[DEFAULT] dpl_port = 8357

(IntOpt) DPL port number.

[DEFAULT] driver_client_cert = None

(StrOpt) The path to the client certificate for verification, if the driver supports it.

[DEFAULT] driver_client_cert_key = None

(StrOpt) The path to the client certificate key for verification, if the driver supports it.

[DEFAULT] fusionio_iocontrol_retry = 3

(IntOpt) number of retries for GET operations

[DEFAULT] fusionio_iocontrol_targetdelay = 5

(IntOpt) amount of time wait for iSCSI target to come online

[DEFAULT] fusionio_iocontrol_verify_cert = True

(BoolOpt) verify the array certificate on each transaction

[DEFAULT] glance_ca_certificates_file = None

(StrOpt) Location of ca certificates file to use for glance client requests.

[DEFAULT] glance_core_properties = ['checksum', 'container_format', 'disk_format', 'image_name', 'image_id', 'min_disk', 'min_ram', 'name', 'size']

(ListOpt) Default core properties of image

[DEFAULT] hds_hnas_iscsi_config_file = /opt/hds/hnas/cinder_iscsi_conf.xml

(StrOpt) Configuration file for HDS iSCSI cinder plugin

[DEFAULT] hds_hnas_nfs_config_file = /opt/hds/hnas/cinder_nfs_conf.xml

(StrOpt) Configuration file for HDS NFS cinder plugin

[DEFAULT] hitachi_add_chap_user = False

(BoolOpt) Add CHAP user

[DEFAULT] hitachi_async_copy_check_interval = 10

(IntOpt) Interval to check copy asynchronously


[DEFAULT] hitachi_auth_method = None

(StrOpt) iSCSI authentication method

[DEFAULT] hitachi_auth_password = HBSD-CHAP-password

(StrOpt) iSCSI authentication password

[DEFAULT] hitachi_auth_user = HBSD-CHAP-user

(StrOpt) iSCSI authentication username

[DEFAULT] hitachi_copy_check_interval = 3

(IntOpt) Interval to check copy

[DEFAULT] hitachi_copy_speed = 3

(IntOpt) Copy speed of storage system

[DEFAULT] hitachi_default_copy_method = FULL

(StrOpt) Default copy method of storage system

[DEFAULT] hitachi_group_range = None

(StrOpt) Range of group number

[DEFAULT] hitachi_group_request = False

(BoolOpt) Request for creating HostGroup or iSCSI Target

[DEFAULT] hitachi_horcm_add_conf = True

(BoolOpt) Add to HORCM configuration

[DEFAULT] hitachi_horcm_numbers = 200,201

(StrOpt) Instance numbers for HORCM

[DEFAULT] hitachi_horcm_password = None

(StrOpt) Password of storage system for HORCM

[DEFAULT] hitachi_horcm_user = None

(StrOpt) Username of storage system for HORCM

[DEFAULT] hitachi_ldev_range = None

(StrOpt) Range of logical device of storage system

[DEFAULT] hitachi_pool_id = None

(IntOpt) Pool ID of storage system

[DEFAULT] hitachi_serial_number = None

(StrOpt) Serial number of storage system

[DEFAULT] hitachi_target_ports = None

(StrOpt) Control port names for HostGroup or iSCSI Target

[DEFAULT] hitachi_thin_pool_id = None

(IntOpt) Thin pool ID of storage system

[DEFAULT] hitachi_unit_name = None

(StrOpt) Name of an array unit

[DEFAULT] hitachi_zoning_request = False

(BoolOpt) Request for FC Zone creating HostGroup

[DEFAULT] hp3par_iscsi_chap_enabled = False

(BoolOpt) Enable CHAP authentication for iSCSI connections.

[DEFAULT] ibmnas_platform_type = v7ku

(StrOpt) IBMNAS platform type to be used as backend storage; valid values are - v7ku : for using IBM Storwize V7000 Unified, sonas : for using IBM Scale Out NAS, gpfsnas : for using NFS based IBM GPFS deployments.

[DEFAULT] initiator_auto_registration = False

(BoolOpt) Automatically register initiators. By default, the value is False.

[DEFAULT] iscsi_initiators =

(StrOpt) Mapping between hostname and its iSCSI initiator IP addresses.

[DEFAULT] iscsi_write_cache = on

(StrOpt) Sets the behavior of the iSCSI target to either perform write-back(on) or write-through(off). This parameter is valid if iscsi_helper is set to tgtadm or iseradm.

[DEFAULT] nimble_pool_name = default

(StrOpt) Nimble Controller pool name

[DEFAULT] nimble_subnet_label = *

(StrOpt) Nimble Subnet Label

[DEFAULT] nova_api_insecure = False

(BoolOpt) Allow to perform insecure SSL requests to nova

[DEFAULT] nova_ca_certificates_file = None

(StrOpt) Location of ca certificates file to use for nova client requests.

[DEFAULT] nova_catalog_admin_info = compute:nova:adminURL

(StrOpt) Same as nova_catalog_info, but for admin endpoint.

[DEFAULT] nova_catalog_info = compute:nova:publicURL

(StrOpt) Match this value when searching for nova in the service catalog. Format is: separated values of the form: <service_type>:<service_name>:<endpoint_type>

[DEFAULT] nova_endpoint_admin_template = None

(StrOpt) Same as nova_endpoint_template, but for admin endpoint.

[DEFAULT] nova_endpoint_template = None

(StrOpt) Override service catalog lookup with template for nova endpoint e.g. http://localhost:8774/v2/%(project_id)s

[DEFAULT] os_region_name = None

(StrOpt) Region name of this node

[DEFAULT] pure_api_token = None

(StrOpt) REST API authorization token.


[DEFAULT] quota_backup_gigabytes = 1000

(IntOpt) Total amount of storage, in gigabytes, allowed for backups per project

[DEFAULT] quota_backups = 10

(IntOpt) Number of volume backups allowed per project

[DEFAULT] quota_consistencygroups = 10

(IntOpt) Number of consistencygroups allowed per project

[DEFAULT] rados_connect_timeout = -1

(IntOpt) Timeout value (in seconds) used when connecting to ceph cluster. If value < 0, no timeout is set and default librados value is used.

[DEFAULT] rbd_store_chunk_size = 4

(IntOpt) Volumes will be chunked into objects of this size (in megabytes).

[DEFAULT] replication_api_class = cinder.replication.api.API

(StrOpt) The full class name of the volume replication API class

[DEFAULT] san_secondary_ip = None

(StrOpt) VNX secondary SP IP Address.

[DEFAULT] smbfs_default_volume_format = qcow2

(StrOpt) Default format that will be used when creating volumes if no volume format is specified. Can be set to: raw, qcow2, vhd or vhdx.

[DEFAULT] smbfs_mount_options = noperm,file_mode=0775,dir_mode=0775

(StrOpt) Mount options passed to the smbfs client. See mount.cifs man page for details.

[DEFAULT] smbfs_mount_point_base = $state_path/mnt

(StrOpt) Base dir containing mount points for smbfs shares.

[DEFAULT] smbfs_oversub_ratio = 1.0

(FloatOpt) This will compare the allocated to available space on the volume destination. If the ratio exceeds this number, the destination will no longer be valid.

[DEFAULT] smbfs_shares_config = /etc/cinder/smbfs_shares

(StrOpt) File with the list of available smbfs shares.

[DEFAULT] smbfs_sparsed_volumes = True

(BoolOpt) Create volumes as sparsed files which take no space rather than regular files when using raw format, in which case volume creation takes a lot of time.

[DEFAULT] smbfs_used_ratio = 0.95

(FloatOpt) Percent of ACTUAL usage of the underlying volume before no new volumes can be allocated to the volume destination.

[DEFAULT] ssh_hosts_key_file = $state_path/ssh_known_hosts

(StrOpt) File containing SSH host keys for the systems with which Cinder needs to communicate. OPTIONAL: Default=$state_path/ssh_known_hosts

[DEFAULT] storage_vnx_authentication_type = global

(StrOpt) VNX authentication scope type.

[DEFAULT] storage_vnx_security_file_dir = None

(StrOpt) Directory path that contains the VNX security file. Make sure the security file is generated first.

[DEFAULT] storwize_svc_allow_tenant_qos = False

(BoolOpt) Allow tenants to specify QOS on create

[DEFAULT] storwize_svc_npiv_compatibility_mode = False

(BoolOpt) Indicate whether svc driver is compatible for NPIV setup. If it is compatible, it will allow no wwpns being returned on get_conn_fc_wwpns during initialize_connection

[DEFAULT] storwize_svc_stretched_cluster_partner = None

(StrOpt) If operating in stretched cluster mode, specify the name of the pool in which mirrored copies are stored. Example: "pool2"

[DEFAULT] strict_ssh_host_key_policy = False

(BoolOpt) Option to enable strict host key checking. When set to "True" Cinder will only connect to systems with a host key present in the configured "ssh_hosts_key_file". When set to "False" the host key will be saved upon first connection and used for subsequent connections. Default=False

[DEFAULT] swift_catalog_info = object-store:swift:publicURL

(StrOpt) Info to match when looking for swift in the service catalog. Format is: separated values of the form: <service_type>:<service_name>:<endpoint_type> - Only used if backup_swift_url is unset


[DEFAULT] tcp_keepalive = True

(BoolOpt) Sets the value of TCP_KEEPALIVE (True/False) for each server socket.

[DEFAULT] tcp_keepalive_count = None

(IntOpt) Sets the value of TCP_KEEPCNT for each server socket. Not supported on OS X.

[DEFAULT] tcp_keepalive_interval = None

(IntOpt) Sets the value of TCP_KEEPINTVL in seconds for each server socket. Not supported on OS X.

[DEFAULT] vmware_tmp_dir = /tmp

(StrOpt) Directory where virtual disks are stored during volume backup and restore.

[DEFAULT] volume_copy_blkio_cgroup_name = cinder-volume-copy

(StrOpt) The blkio cgroup name to be used to limit bandwidth of volume copy

[DEFAULT] volume_copy_bps_limit = 0

(IntOpt) The upper limit of bandwidth of volume copy. 0 => unlimited

[DEFAULT] volume_number_multiplier = -1.0

(FloatOpt) Multiplier used for weighing volume number. Negative numbers mean to spread vs stack.

[DEFAULT] zfssa_initiator =

(StrOpt) iSCSI initiator IQNs. (comma separated)

[DEFAULT] zfssa_initiator_group =

(StrOpt) iSCSI initiator group.

[DEFAULT] zfssa_initiator_password =

(StrOpt) iSCSI initiator CHAP password.

[DEFAULT] zfssa_initiator_user =

(StrOpt) iSCSI initiator CHAP user.

[DEFAULT] zfssa_lun_compression =

(StrOpt) Data compression-off, lzjb, gzip-2, gzip, gzip-9.

[DEFAULT] zfssa_lun_logbias =

(StrOpt) Synchronous write bias-latency, throughput.

[DEFAULT] zfssa_lun_sparse = False

(BoolOpt) Flag to enable sparse (thin-provisioned): True, False.

[DEFAULT] zfssa_lun_volblocksize = 8k

(StrOpt) Block size: 512, 1k, 2k, 4k, 8k, 16k, 32k, 64k, 128k.

[DEFAULT] zfssa_pool = None

(StrOpt) Storage pool name.

[DEFAULT] zfssa_project = None

(StrOpt) Project name.

[DEFAULT] zfssa_rest_timeout = None

(IntOpt) REST connection timeout. (seconds)

[DEFAULT] zfssa_target_group = tgt-grp

(StrOpt) iSCSI target group name.

[DEFAULT] zfssa_target_interfaces = None

(StrOpt) Network interfaces of iSCSI targets. (comma separated)

[DEFAULT] zfssa_target_password =

(StrOpt) iSCSI target CHAP password.

[DEFAULT] zfssa_target_portal = None

(StrOpt) iSCSI target portal (Data-IP:Port, w.x.y.z:3260).

[DEFAULT] zfssa_target_user =

(StrOpt) iSCSI target CHAP user.

[CISCO_FABRIC_EXAMPLE] cisco_fc_fabric_address =

(StrOpt) Management IP of fabric

[CISCO_FABRIC_EXAMPLE] cisco_fc_fabric_password =

(StrOpt) Password for user

[CISCO_FABRIC_EXAMPLE] cisco_fc_fabric_port = 22

(IntOpt) Connecting port

[CISCO_FABRIC_EXAMPLE] cisco_fc_fabric_user =

(StrOpt) Fabric user ID

[CISCO_FABRIC_EXAMPLE] cisco_zone_activate = True

(BoolOpt) overridden zoning activation state

[CISCO_FABRIC_EXAMPLE] cisco_zone_name_prefix = None

(StrOpt) overridden zone name prefix

[CISCO_FABRIC_EXAMPLE] cisco_zoning_policy = initiator-target

(StrOpt) overridden zoning policy

[CISCO_FABRIC_EXAMPLE] cisco_zoning_vsan = None

(StrOpt) VSAN of the Fabric

[database] db_inc_retry_interval = True

(BoolOpt) If True, increases the interval between database connection retries up to db_max_retry_interval.

[database] db_max_retries = 20

(IntOpt) Maximum database connection retries before error is raised. Set to -1 to specify an infinite retry count.

[database] db_max_retry_interval = 10

(IntOpt) If db_inc_retry_interval is set, the maximum seconds between database connection retries.


[database] db_retry_interval = 1

(IntOpt) Seconds between database connection retries.

[database] mysql_sql_mode = TRADITIONAL

(StrOpt) The SQL mode to be used for MySQL sessions. This option, including the default, overrides any server-set SQL mode. To use whatever SQL mode is set by the server configuration, set this to no value. Example: mysql_sql_mode=

[database] pool_timeout = None

(IntOpt) If set, use this value for pool_timeout with SQLAlchemy.

[database] slave_connection = None

(StrOpt) The SQLAlchemy connection string to use to connect to the slave database.

[database] sqlite_db = oslo.sqlite

(StrOpt) The file name to use with SQLite.

[database] sqlite_synchronous = True

(BoolOpt) If True, SQLite uses synchronous mode.

[database] use_db_reconnect = False

(BoolOpt) Enable the experimental use of database reconnect on connection lost.

[fc-zone-manager] cisco_sb_connector = cinder.zonemanager.drivers.cisco.cisco_fc_zone_client_cli.CiscoFCZoneClientCLI

(StrOpt) Southbound connector for zoning operation

[keymgr] encryption_api_url = http://localhost:9311/v1

(StrOpt) Url for encryption service.

[keymgr] encryption_auth_url = http://localhost:5000/v2.0

(StrOpt) Authentication url for encryption service.

[keystone_authtoken] check_revocations_for_cached = False

(BoolOpt) If true, the revocation list will be checked for cached tokens. This requires that PKI tokens are configured on the Keystone server.

[keystone_authtoken] hash_algorithms = ['md5']

(ListOpt) Hash algorithms to use for hashing PKI tokens. This may be a single algorithm or multiple. The algorithms are those supported by Python standard hashlib.new(). The hashes will be tried in the order given, so put the preferred one first for performance. The result of the first hash will be stored in the cache. This will typically be set to multiple values only while migrating from a less secure algorithm to a more secure one. Once all the old tokens are expired this option should be set to a single value for better performance.

[keystone_authtoken] identity_uri = None

(StrOpt) Complete admin Identity API endpoint. This should specify the unversioned root endpoint e.g. https://localhost:35357/

[profiler] profiler_enabled = False

(BoolOpt) If False fully disable profiling feature.

[profiler] trace_sqlalchemy = False

(BoolOpt) If False doesn't trace SQL requests.

Table 1.86. New default values


Option

Previous default value

New default value

[DEFAULT] backup_swift_url

http://localhost:8080/v1/AUTH_

None

[DEFAULT] default_log_levels

amqp=WARN, amqplib=WARN, boto=WARN, qpid=WARN, sqlalchemy=WARN, suds=INFO, oslo.messaging=INFO, iso8601=WARN, requests.packages.urllib3.connectionpool=WARN

amqp=WARN, amqplib=WARN, boto=WARN, qpid=WARN, sqlalchemy=WARN, suds=INFO, oslo.messaging=INFO, iso8601=WARN, requests.packages.urllib3.connectionpool=WARN, urllib3.connectionpool=WARN, websocket=WARN, keystonemiddleware=WARN, routes.middleware=WARN, stevedore=WARN

[DEFAULT] default_timeout

20

525600

[DEFAULT] gpfs_storage_pool

None

system


[DEFAULT] max_luns_per_storage_group

256

255

[DEFAULT] vmware_task_poll_interval

5

0.5

[database] connection

sqlite:///$state_path/$sqlite_db

None

[database] max_pool_size

None

[keystone_authtoken] revocation_cache_time

300

10

Table 1.87. Deprecated options

Deprecated option

New Option

[DEFAULT] db_backend

[database] backend


2. Compute
Table of Contents
Overview of nova.conf
Configure logging
Configure authentication and authorization
Configure resize
Database configuration
Configure the Oslo RPC messaging system
Configure the Compute API
Configure the EC2 API
Fibre Channel support in Compute
Hypervisors
Scheduling
Cells
Conductor
Example nova.conf configuration files
Compute log files
Compute sample configuration files
New, updated and deprecated options in Juno for OpenStack Compute

The OpenStack Compute service is a cloud computing fabric controller, which is the main part of an IaaS system. You can use OpenStack Compute to host and manage cloud computing systems. This section describes the OpenStack Compute configuration options.
To configure your Compute installation, you must define configuration options in these files:
• nova.conf. Contains most of the Compute configuration options. Resides in the /etc/nova directory.
• api-paste.ini. Defines Compute limits. Resides in the /etc/nova directory.
• Related Image Service and Identity service management configuration files.

Overview of nova.conf
The nova.conf configuration file uses the INI file format, as explained in the section called Configuration file format [xx].
You can use a particular configuration option file by using the option (nova.conf) parameter when you run one of the nova-* services. This parameter inserts configuration option definitions from the specified configuration file name, which might be useful for debugging or performance tuning.
For a list of configuration options, see the tables in this guide.

To learn more about the nova.conf configuration file, review the general purpose configuration options documented in Table 2.20, Description of common configuration options [237].

Important
Do not specify quotes around Nova options.

Sections
Configuration options are grouped by section. The Compute configuration file supports the
following sections:
[DEFAULT]
Contains most configuration options. If the documentation for a configuration option does not specify its section, assume that it appears in this section.

[baremetal]
Configures the baremetal hypervisor driver.

[cells]
Configures cells functionality. For details, see the section called Cells [222].

[conductor]
Configures the nova-conductor service.

[database]
Configures the database that Compute uses.

[glance]
Configures how to access the Image Service.

[hyperv]
Configures the Hyper-V hypervisor driver.

[image_file_url]
Configures additional filesystems to access the Image Service.

[keymgr]
Configures the key manager.

[keystone_authtoken]
Configures authorization via Identity service.

[libvirt]
Configures the hypervisor drivers using the Libvirt library: KVM, LXC, Qemu, UML, Xen.

[matchmaker_redis]
Configures a Redis server.

[matchmaker_ring]
Configures a matchmaker ring.

[metrics]
Configures weights for the metrics weighter.

[neutron]
Configures Networking specific options.

[osapi_v3]
Configures the OpenStack Compute API v3.

[rdp]
Configures RDP proxying.

[serial_console]
Configures serial console.

[spice]
Configures virtual consoles using SPICE.

[ssl]
Configures certificate authority using SSL.

[trusted_computing]
Configures the trusted computing pools functionality and how to connect to a remote attestation service.

[upgrade_levels]
Configures version locking on the RPC (message queue) communications between the various Compute services to allow live upgrading an OpenStack installation.

[vmware]
Configures the VMware hypervisor driver.

[xenserver]
Configures the XenServer hypervisor driver.

[zookeeper]
Configures the ZooKeeper ServiceGroup driver.

Configure logging
You can use the nova.conf file to configure where Compute logs events, the level of logging, and log formats.
To customize log formats for OpenStack Compute, use the configuration option settings documented in Table 2.39, Description of logging configuration options [247].

Configure authentication and authorization


There are different methods of authentication for the OpenStack Compute project, including no authentication. The preferred system is the OpenStack Identity service, code-named Keystone.
To customize authorization settings for Compute, use the configuration options documented in Table 2.14, Description of authentication configuration options [233].
To customize certificate authority settings for Compute, use the configuration options documented in Table 2.18, Description of CA configuration options [236].
To customize Compute and the Identity service to use LDAP as a backend, refer to the configuration options documented in Table 2.36, Description of LDAP configuration options [244].

Configure resize
Resize (or Server resize) is the ability to change the flavor of a server, thus allowing it to upscale or downscale according to user needs. For this feature to work properly, you might
need to configure some underlying virt layers.

KVM
Resize on KVM is implemented currently by transferring the images between compute
nodes over ssh. For KVM you need hostnames to resolve properly and passwordless ssh access between your compute hosts. Direct access from one compute host to another is needed to copy the VM file across.
Cloud end users can find out how to resize a server by reading the OpenStack End User
Guide.

XenServer
To get resize to work with XenServer (and XCP), you need to establish a root trust between all hypervisor nodes and provide an /image mount point to your hypervisor's dom0.

Database configuration
You can configure OpenStack Compute to use any SQLAlchemy-compatible database. The
database name is nova. The nova-conductor service is the only service that writes to the
database. The other Compute services access the database through the nova-conductor
service.
To ensure that the database schema is current, run the following command:
# nova-manage db sync

If nova-conductor is not used, entries to the database are mostly written by the nova-scheduler service, although all services must be able to update entries in the database.
In either case, use the configuration option settings documented in Table 2.25, Description of database configuration options [240] to configure the connection string for the nova database.

Configure the Oslo RPC messaging system


OpenStack projects use AMQP, an open standard for messaging middleware. AMQP enables the OpenStack services that run on multiple servers to talk to each other. OpenStack Oslo RPC supports three implementations of AMQP: RabbitMQ, Qpid, and ZeroMQ.

Configure RabbitMQ
OpenStack Oslo RPC uses RabbitMQ by default. Use these options to configure the RabbitMQ message system. The rpc_backend option is not required as long as RabbitMQ is the default messaging system. However, if it is included in the configuration, you must set it to nova.openstack.common.rpc.impl_kombu.
rpc_backend=nova.openstack.common.rpc.impl_kombu

You can use these additional options to configure the RabbitMQ messaging system.
You can configure messaging communication for different installation scenarios, tune
retries for RabbitMQ, and define the size of the RPC thread pool. To monitor notifications through RabbitMQ, you must set the notification_driver option to
nova.openstack.common.notifier.rpc_notifier in the nova.conf file. The default for sending usage data is sixty seconds plus a random number of seconds from zero to
sixty.

Table 2.1. Description of RabbitMQ configuration options


Configuration option = Default value

Description

[DEFAULT]


kombu_reconnect_delay = 1.0

(FloatOpt) How long to wait before reconnecting in response to an AMQP consumer cancel notification.

kombu_ssl_ca_certs =

(StrOpt) SSL certification authority file (valid only if SSL enabled).

kombu_ssl_certfile =

(StrOpt) SSL cert file (valid only if SSL enabled).

kombu_ssl_keyfile =

(StrOpt) SSL key file (valid only if SSL enabled).

kombu_ssl_version =

(StrOpt) SSL version to use (valid only if SSL enabled). Valid values are TLSv1, SSLv23 and SSLv3. SSLv2 may be available on some distributions.

rabbit_ha_queues = False

(BoolOpt) Use HA queues in RabbitMQ (x-ha-policy: all). If you change this option, you must wipe the RabbitMQ database.

rabbit_host = localhost

(StrOpt) The RabbitMQ broker address where a single node is used.

rabbit_hosts = $rabbit_host:$rabbit_port

(ListOpt) RabbitMQ HA cluster host:port pairs.

rabbit_login_method = AMQPLAIN

(StrOpt) the RabbitMQ login method

rabbit_max_retries = 0

(IntOpt) Maximum number of RabbitMQ connection retries. Default is 0 (infinite retry count).

rabbit_password = guest

(StrOpt) The RabbitMQ password.

rabbit_port = 5672

(IntOpt) The RabbitMQ broker port where a single node is used.

rabbit_retry_backoff = 2

(IntOpt) How long to backoff for between retries when connecting to RabbitMQ.

rabbit_retry_interval = 1

(IntOpt) How frequently to retry connecting with RabbitMQ.

rabbit_use_ssl = False

(BoolOpt) Connect over SSL for RabbitMQ.

rabbit_userid = guest

(StrOpt) The RabbitMQ userid.

rabbit_virtual_host = /

(StrOpt) The RabbitMQ virtual host.

Configure Qpid
Use these options to configure the Qpid messaging system for OpenStack Oslo RPC. Qpid is
not the default messaging system, so you must enable it by setting the rpc_backend option in the nova.conf file.
rpc_backend=nova.openstack.common.rpc.impl_qpid

This critical option points the compute nodes to the Qpid broker (server). Set
qpid_hostname to the host name where the broker runs in the nova.conf file.

Note
The --qpid_hostname option accepts a host name or IP address value.
qpid_hostname=hostname.example.com

If the Qpid broker listens on a port other than the AMQP default of 5672, you must set the
qpid_port option to that value:
qpid_port=12345

If you configure the Qpid broker to require authentication, you must add a user name and
password to the configuration:

qpid_username=username
qpid_password=password

By default, TCP is used as the transport. To enable SSL, set the qpid_protocol option:
qpid_protocol=ssl

This table lists additional options that you use to configure the Qpid messaging driver for
OpenStack Oslo RPC. These options are used infrequently.

Table 2.2. Description of Qpid configuration options


Configuration option = Default value

Description

[DEFAULT]
qpid_heartbeat = 60

(IntOpt) Seconds between connection keepalive heartbeats.

qpid_hostname = localhost

(StrOpt) Qpid broker hostname.

qpid_hosts = $qpid_hostname:$qpid_port

(ListOpt) Qpid HA cluster host:port pairs.

qpid_password =

(StrOpt) Password for Qpid connection.

qpid_port = 5672

(IntOpt) Qpid broker port.

qpid_protocol = tcp

(StrOpt) Transport to use, either 'tcp' or 'ssl'.

qpid_receiver_capacity = 1

(IntOpt) The number of prefetched messages held by receiver.

qpid_sasl_mechanisms =

(StrOpt) Space separated list of SASL mechanisms to use for auth.

qpid_tcp_nodelay = True

(BoolOpt) Whether to disable the Nagle algorithm.

qpid_topology_version = 1

(IntOpt) The qpid topology version to use. Version 1 is what was originally used by impl_qpid. Version 2 includes some backwards-incompatible changes that allow broker federation to work. Users should update to version 2 when they are able to take everything down, as it requires a clean break.

qpid_username =

(StrOpt) Username for Qpid connection.

Configure ZeroMQ
Use these options to configure the ZeroMQ messaging system for OpenStack Oslo
RPC. ZeroMQ is not the default messaging system, so you must enable it by setting the
rpc_backend option in the nova.conf file.

Table 2.3. Description of ZeroMQ configuration options


Configuration option = Default value

Description

[DEFAULT]
rpc_zmq_bind_address = *

(StrOpt) ZeroMQ bind address. Should be a wildcard (*), an ethernet interface, or IP. The "host" option should point or resolve to this address.

rpc_zmq_contexts = 1

(IntOpt) Number of ZeroMQ contexts, defaults to 1.

rpc_zmq_host = localhost

(StrOpt) Name of this node. Must be a valid hostname, FQDN, or IP address. Must match "host" option, if running Nova.

rpc_zmq_ipc_dir = /var/run/openstack

(StrOpt) Directory for holding IPC sockets.

rpc_zmq_matchmaker = oslo.messaging._drivers.matchmaker.MatchMakerLocalhost

(StrOpt) MatchMaker driver.


rpc_zmq_port = 9501

(IntOpt) ZeroMQ receiver listening port.

rpc_zmq_topic_backlog = None

(IntOpt) Maximum number of ingress messages to locally buffer per topic. Default is unlimited.

Configure messaging
Use these options to configure the RabbitMQ and Qpid messaging drivers.

Table 2.4. Description of AMQP configuration options


Configuration option = Default value

Description

[DEFAULT]
amqp_auto_delete = False

(BoolOpt) Auto-delete queues in amqp.

amqp_durable_queues = False

(BoolOpt) Use durable queues in amqp.

control_exchange = openstack

(StrOpt) The default exchange under which topics are scoped. May be overridden by an exchange name specified in the transport_url option.

default_publisher_id = None

(StrOpt) Default publisher_id for outgoing notifications

notification_driver = []

(MultiStrOpt) Driver or drivers to handle sending notifications.

notification_topics = notifications

(ListOpt) AMQP topic used for OpenStack notifications.

transport_url = None

(StrOpt) A URL representing the messaging driver to use and its full configuration. If not set, we fall back to the rpc_backend option and driver specific configuration.

Table 2.5. Description of RPC configuration options


Configuration option = Default value

Description

[DEFAULT]
matchmaker_heartbeat_freq = 300

(IntOpt) Heartbeat frequency.

matchmaker_heartbeat_ttl = 600

(IntOpt) Heartbeat time-to-live.

rpc_backend = rabbit

(StrOpt) The messaging driver to use, defaults to rabbit. Other drivers include qpid and zmq.

rpc_cast_timeout = 30

(IntOpt) Seconds to wait before a cast expires (TTL). Only supported by impl_zmq.

rpc_conn_pool_size = 30

(IntOpt) Size of RPC connection pool.

rpc_response_timeout = 60

(IntOpt) Seconds to wait for a response from a call.

rpc_thread_pool_size = 64

(IntOpt) Size of RPC greenthread pool.

[cells]
rpc_driver_queue_base = cells.intercell

(StrOpt) Base queue name to use when communicating between cells. Various topics by message type will be appended to this.

[upgrade_levels]
baseapi = None

(StrOpt) Set a version cap for messages sent to the base api in any service
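One way to check a nova.conf against the RabbitMQ, Qpid and RPC options in the tables above, as an added example rather than OpenStack code. The audit_messaging function, the finding names and the sample files are constructed for illustration; options that are not set fall back to the defaults the tables list.

```python
import configparser

# Defaults copied from the RabbitMQ, Qpid and RPC option tables above.
TABLE_DEFAULTS = {
    "rpc_backend": "rabbit",
    "rabbit_userid": "guest",
    "rabbit_password": "guest",
    "rabbit_use_ssl": "False",
    "kombu_ssl_version": "",
    "kombu_ssl_ca_certs": "",
    "qpid_protocol": "tcp",
    "qpid_username": "",
    "qpid_password": "",
}


def _is_true(value):
    """Interpret a boolean option value written in an INI file."""
    return value.strip().lower() in ("1", "true", "yes", "on")


def audit_messaging(conf_text):
    """Return sorted finding codes for the [DEFAULT] messaging options."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(conf_text)
    explicit = parser.defaults()  # options actually set in [DEFAULT]
    opts = dict(TABLE_DEFAULTS)
    opts.update(explicit)
    findings = set()

    # "Do not specify quotes around Nova options": the quotes stay in the value.
    for key, value in explicit.items():
        if len(value) >= 2 and value[0] in "'\"" and value[-1] == value[0]:
            findings.add("quoted-value:" + key)

    backend = opts["rpc_backend"]
    if backend == "rabbit" or backend.endswith("impl_kombu"):
        if opts["rabbit_userid"] == "guest" and opts["rabbit_password"] == "guest":
            findings.add("rabbit-default-credentials")
        if not _is_true(opts["rabbit_use_ssl"]):
            findings.add("rabbit-plaintext")
        else:
            # SSLv2 and SSLv3 are obsolete protocol versions.
            if opts["kombu_ssl_version"] in ("SSLv2", "SSLv3"):
                findings.add("rabbit-obsolete-ssl-version")
            # Without a CA file there is nothing to verify the broker against.
            if not opts["kombu_ssl_ca_certs"]:
                findings.add("rabbit-no-ca-file")
    elif backend == "qpid" or backend.endswith("impl_qpid"):
        if opts["qpid_protocol"].lower() != "ssl":
            findings.add("qpid-plaintext")
        if not opts["qpid_username"] or not opts["qpid_password"]:
            findings.add("qpid-no-credentials")
    return sorted(findings)


# Constructed sample files, not taken from a real deployment.
WEAK_RABBIT = """[DEFAULT]
rabbit_host = "broker.example.com"
rabbit_use_ssl = True
kombu_ssl_version = SSLv3
"""

HARDENED_RABBIT = """[DEFAULT]
rabbit_host = broker.example.com
rabbit_userid = nova
rabbit_password = constructed-secret
rabbit_use_ssl = True
kombu_ssl_version = TLSv1
kombu_ssl_ca_certs = /etc/nova/ssl/ca.pem
"""

QPID_DEFAULTS = """[DEFAULT]
rpc_backend = nova.openstack.common.rpc.impl_qpid
qpid_hostname = hostname.example.com
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_RABBIT), ("hardened", HARDENED_RABBIT),
                       ("qpid", QPID_DEFAULTS)):
        print(name, audit_messaging(text))
```

A file that sets none of these options reports rabbit-default-credentials and rabbit-plaintext, because the documented defaults are guest/guest and rabbit_use_ssl = False.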

Configure the Compute API


The Compute API, run by the nova-api daemon, is the component of OpenStack Compute that receives and responds to user requests, whether they be direct API calls, or via
the CLI tools or dashboard.

Configure Compute API password handling


The OpenStack Compute API enables users to specify an administrative password when
they create or rebuild a server instance. If the user does not specify a password, a random
password is generated and returned in the API response.
In practice, how the admin password is handled depends on the hypervisor in use and
might require additional configuration of the instance. For example, you might have to install an agent to handle the password setting. If the hypervisor and instance configuration
do not support setting a password at server create time, the password that is returned by
the create API call is misleading because it was ignored.
To prevent this confusion, use the enable_instance_password configuration option
to disable the return of the admin password for installations that do not support setting instance passwords.

Configure Compute API rate limiting


OpenStack Compute supports API rate limiting for the OpenStack API. The rate limiting allows an administrator to configure limits on the type and number of API calls that can be
made in a specific time interval.
When API rate limits are exceeded, HTTP requests return an error with a status code of 403
Forbidden.
Rate limiting is not available for the EC2 API.

Define limits
To define limits, set these values:
• The HTTP method used in the API call, typically one of GET, PUT, POST, or DELETE.
• A human readable URI that is used as a friendly description of where the limit is applied.
• A regular expression. The limit is applied to all URIs that match the regular expression and HTTP method.
• A limit value that specifies the maximum count of units before the limit takes effect.
• An interval that specifies the time frame to which the limit is applied. The interval can be SECOND, MINUTE, HOUR, or DAY.
Rate limits are applied in relative order to the HTTP method, going from least to most specific.

Default limits
Normally, you install OpenStack Compute with the following limits enabled:

Table 2.6. Default API rate limits

HTTP method | API URI | API regular expression | Limit
POST | any URI (*) | .* | 120 per minute
POST | /servers | ^/servers | 120 per minute
PUT | any URI (*) | .* | 120 per minute
GET | *changes-since* | .*changes-since.* | 120 per minute
DELETE | any URI (*) | .* | 120 per minute
GET | */os-fping | ^/os-fping | 12 per minute

Configure and change limits


As part of the WSGI pipeline, the etc/nova/api-paste.ini file defines the actual limits.
To enable limits, include the ratelimit filter in the API pipeline specification. If the ratelimit filter is removed from the pipeline, limiting is disabled. You must also define the rate limit filter. The lines appear as follows:
[pipeline:openstack_compute_api_v2]
pipeline = faultwrap authtoken keystonecontext ratelimit osapi_compute_app_v2
[pipeline:openstack_volume_api_v1]
pipeline = faultwrap authtoken keystonecontext ratelimit osapi_volume_app_v1
[filter:ratelimit]
paste.filter_factory = nova.api.openstack.compute.limits:RateLimitingMiddleware.factory

To modify the limits, add a limits specification to the [filter:ratelimit] section of the file. Specify the limits in this order:
1. HTTP method
2. friendly URI
3. regex
4. limit
5. interval
The following example shows the default rate-limiting values:
[filter:ratelimit]
paste.filter_factory = nova.api.openstack.compute.limits:RateLimitingMiddleware.factory
limits =(POST, "*", .*, 120, MINUTE);(POST, "*/servers", ^/servers, 120, MINUTE);(PUT, "*", .*, 120, MINUTE);(GET, "*changes-since*", .*changes-since.*, 120, MINUTE);(DELETE, "*", .*, 120, MINUTE);(GET, "*/os-fping", ^/os-fping, 12, MINUTE)
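The limits format described above, parsed and applied to sample requests, as an added example (not Nova's own parser). It assumes each regular expression is matched from the start of the URI string it is given; parse_limits, matching_limits, uncovered and the sample requests are names and data constructed for this illustration.

```python
import re

# Seconds per interval keyword, as listed under "Define limits".
INTERVALS = {"SECOND": 1, "MINUTE": 60, "HOUR": 3600, "DAY": 86400}

# The default limits value from the [filter:ratelimit] example on this page.
DEFAULT_LIMITS = (
    '(POST, "*", .*, 120, MINUTE);'
    '(POST, "*/servers", ^/servers, 120, MINUTE);'
    '(PUT, "*", .*, 120, MINUTE);'
    '(GET, "*changes-since*", .*changes-since.*, 120, MINUTE);'
    '(DELETE, "*", .*, 120, MINUTE);'
    '(GET, "*/os-fping", ^/os-fping, 12, MINUTE)'
)


def parse_limits(spec):
    """Parse a limits value into a list of dicts, one per (...) group."""
    limits = []
    for group in spec.split(";"):
        group = group.strip()
        if not group:
            continue  # tolerate a trailing semicolon
        if not (group.startswith("(") and group.endswith(")")):
            raise ValueError("limit must be wrapped in parentheses: %r" % group)
        # Fields are comma separated, so this sketch cannot handle a regex
        # that itself contains a comma (for example a{1,3}).
        fields = [field.strip() for field in group[1:-1].split(",")]
        if len(fields) != 5:
            raise ValueError("expected 5 fields, got %d: %r" % (len(fields), group))
        verb, uri, regex, value, unit = fields
        unit = unit.upper()
        if unit not in INTERVALS:
            raise ValueError("unknown interval: %r" % unit)
        try:
            pattern = re.compile(regex)
        except re.error as exc:
            raise ValueError("bad regular expression %r: %s" % (regex, exc))
        limits.append({
            "verb": verb.upper(),
            "uri": uri.strip('"'),
            "regex": pattern,
            "value": int(value),  # raises ValueError on a non-numeric limit
            "seconds": INTERVALS[unit],
        })
    return limits


def matching_limits(limits, verb, uri):
    """Return (friendly URI, count, seconds) for every limit that applies."""
    return [
        (limit["uri"], limit["value"], limit["seconds"])
        for limit in limits
        if limit["verb"] == verb.upper() and limit["regex"].match(uri)
    ]


def uncovered(limits, requests):
    """Return the (verb, uri) pairs from requests that no limit applies to."""
    return [(verb, uri) for verb, uri in requests
            if not matching_limits(limits, verb, uri)]


# Constructed sample requests, not taken from a real deployment.
SAMPLE_REQUESTS = [
    ("POST", "/servers"),
    ("GET", "/servers/detail"),
    ("GET", "/servers?changes-since=2014-10-07T00:00:00Z"),
    ("GET", "/os-fping/1"),
    ("DELETE", "/servers/1"),
]

if __name__ == "__main__":
    table = parse_limits(DEFAULT_LIMITS)
    for verb, uri in SAMPLE_REQUESTS:
        print(verb, uri, matching_limits(table, verb, uri))
    print("not rate limited:", uncovered(table, SAMPLE_REQUESTS))
```

With the default value, POST /servers is counted against two limits at once, and GET /servers/detail is the only sample request that no limit covers: the defaults limit GET only for changes-since and os-fping URIs.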

Configuration reference
The Compute API configuration options are documented in Table 2.12, Description of API configuration options [232].

Configure the EC2 API


You can set options in the nova.conf configuration file to control which network address
and port the EC2 API listens on, the formatting of some API responses, and authentication
related options.
To customize these options for OpenStack EC2 API, use the configuration option settings documented in Table 2.27, Description of EC2 configuration options [241].

Fibre Channel support in Compute


Fibre Channel support in OpenStack Compute is remote block storage attached to compute
nodes for VMs.
In the Grizzly release, Fibre Channel supported only the KVM hypervisor.
Compute and Block Storage for Fibre Channel do not support automatic zoning. Fibre
Channel arrays must be pre-zoned or directly attached to the KVM hosts.

KVM host requirements


You must install these packages on the KVM host:
• sysfsutils - Nova uses the systool application in this package.
• sg3-utils - Nova uses the sg_scan and sginfo applications.
Installing the multipath-tools package is optional.

Install required packages


Use these commands to install the system packages:
For systems running openSUSE or SUSE Linux Enterprise Server:
# zypper install sysfsutils sg3_utils multipath-tools

For systems running Red Hat:


# yum install sysfsutils sg3_utils multipath-tools

For systems running Ubuntu:


# apt-get install sysfsutils sg3-utils multipath-tools

Hypervisors
OpenStack Compute supports many hypervisors, which might make it difficult for you to choose one. Most installations use only one hypervisor. However, you can use the section called ComputeFilter [210] and the section called ImagePropertiesFilter [212] to schedule different hypervisors within the same installation. The following links help you choose a hypervisor. See http://wiki.openstack.org/HypervisorSupportMatrix for a detailed list of features and support across the hypervisors.


The following hypervisors are supported:
• KVM - Kernel-based Virtual Machine. The virtual disk formats that it supports are inherited from QEMU since it uses a modified QEMU program to launch the virtual machine. The supported formats include raw images, the qcow2, and VMware formats.
• LXC - Linux Containers (through libvirt), used to run Linux-based virtual machines.
• QEMU - Quick EMUlator, generally only used for development purposes.
• UML - User Mode Linux, generally only used for development purposes.
• VMware vSphere 4.1 update 1 and newer, runs VMware-based Linux and Windows images through a connection with a vCenter server or directly with an ESXi host.
• Xen - XenServer, Xen Cloud Platform (XCP), used to run Linux or Windows virtual machines. You must install the nova-compute service in a para-virtualized VM.
• Hyper-V - Server virtualization with Microsoft's Hyper-V, used to run Windows, Linux, and FreeBSD virtual machines. Runs nova-compute natively on the Windows virtualization platform.
• Bare Metal - Not a hypervisor in the traditional sense, this driver provisions physical hardware through pluggable sub-drivers (for example, PXE for image deployment, and IPMI for power management).

Hypervisor configuration basics


The nova-compute service is installed and operates on the same node that runs all of the virtual machines. This is referred to as the compute node in this guide.
By default, the selected hypervisor is KVM. To change to another hypervisor, change the virt_type option in the [libvirt] section of nova.conf and restart the nova-compute service.
Here are the general nova.conf options that are used to configure the compute node's hypervisor: Table 2.32, Description of hypervisor configuration options [243].
Specific options for particular hypervisors can be found in the following sections.

KVM
KVM is configured as the default hypervisor for Compute.

Note
This document contains several sections about hypervisor selection. If you are
reading this document linearly, you do not want to load the KVM module before you install nova-compute. The nova-compute service depends on qemu-kvm, which installs /lib/udev/rules.d/45-qemu-kvm.rules, which
sets the correct permissions on the /dev/kvm device node.
To enable KVM explicitly, add the following configuration options to the /etc/nova/nova.conf file:

compute_driver = libvirt.LibvirtDriver
[libvirt]
virt_type = kvm

The KVM hypervisor supports the following virtual machine image formats:
• Raw
• QEMU Copy-on-write (qcow2)
• QED (QEMU Enhanced Disk)
• VMware virtual machine disk format (vmdk)
This section describes how to enable KVM on your system. For more information, see the following distribution-specific documentation:
• Fedora: Getting started with virtualization from the Fedora project wiki.
• Ubuntu: KVM/Installation from the Community Ubuntu documentation.
• Debian: Virtualization with KVM from the Debian handbook.
• Red Hat Enterprise Linux: Installing virtualization packages on an existing Red Hat Enterprise Linux system from the Red Hat Enterprise Linux Virtualization Host Configuration and Guest Installation Guide.
• openSUSE: Installing KVM from the openSUSE Virtualization with KVM manual.
• SLES: Installing KVM from the SUSE Linux Enterprise Server Virtualization with KVM manual.

Enable KVM
The following sections outline how to enable KVM based hardware virtualisation on different architectures and platforms. To perform these steps, you must be logged in as the
root user.

For x86 based systems


1. To determine whether the svm or vmx CPU extensions are present, run this command:
# grep -E 'svm|vmx' /proc/cpuinfo

This command generates output if the CPU is capable of hardware-virtualization. Even if output is shown, you might still need to enable virtualization in the system BIOS for full support.
If no output appears, consult your system documentation to ensure that your CPU and
motherboard support hardware virtualization. Verify that any relevant hardware virtualization options are enabled in the system BIOS.
The BIOS for each manufacturer is different. If you must enable virtualization in the
BIOS, look for an option containing the words virtualization, VT, VMX, or SVM.
2. To list the loaded kernel modules and verify that the kvm modules are loaded, run this command:
# lsmod | grep kvm

If the output includes kvm_intel or kvm_amd, the kvm hardware virtualization modules are loaded and your kernel meets the module requirements for OpenStack Compute.
If the output does not show that the kvm module is loaded, run this command to load
it:
# modprobe -a kvm

Run the command for your CPU. For Intel, run this command:
# modprobe -a kvm-intel

For AMD, run this command:


# modprobe -a kvm-amd

Because a KVM installation can change user group membership, you might need to log
in again for changes to take effect.
If the kernel modules do not load automatically, use the procedures listed in these subsections.
If the checks indicate that required hardware virtualization support or kernel modules are
disabled or unavailable, you must either enable this support on the system or find a system
with this support.

Note
Some systems require that you enable VT support in the system BIOS. If you believe your processor supports hardware acceleration but the previous command
did not produce output, reboot your machine, enter the system BIOS, and enable the VT option.
If KVM acceleration is not supported, configure Compute to use a different hypervisor, such
as QEMU or Xen.
These procedures help you load the kernel modules for Intel-based and AMD-based processors if they do not load automatically during KVM installation.
Intel-based processors

If your compute host is Intel-based, run these commands as root to load the kernel modules:
# modprobe kvm
# modprobe kvm-intel

Add these lines to the /etc/modules file so that these modules load on reboot:
kvm
kvm-intel

AMD-based processors

If your compute host is AMD-based, run these commands as root to load the kernel modules:
# modprobe kvm
# modprobe kvm-amd

Add these lines to the /etc/modules file so that these modules load on reboot:
kvm
kvm-amd

For POWER based systems


KVM as a hypervisor is supported on POWER system's PowerNV platform.
1. To determine if your POWER platform supports KVM based virtualization, run the following command:
# cat /proc/cpuinfo | grep PowerNV

If the previous command generates the following output, then the CPU supports KVM
based virtualization:
platform: PowerNV

If no output is displayed, then your POWER platform does not support KVM based
hardware virtualization.
2. To list the loaded kernel modules and verify that the kvm modules are loaded, run the
following command:
# lsmod | grep kvm

If the output includes kvm_hv, the kvm hardware virtualization modules are loaded
and your kernel meets the module requirements for OpenStack Compute.
If the output does not show that the kvm module is loaded, run the following command to load it:
# modprobe -a kvm

For PowerNV platform, run the following command:


# modprobe -a kvm-hv

Because a KVM installation can change user group membership, you might need to log
in again for changes to take effect.
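
The x86 and POWER checks above, combined into one script as an added example (not part of the OpenStack documentation). The function names are hypothetical and the sample cpuinfo and lsmod text is constructed; unlike the plain grep, it matches vmx and svm as whole flags, so a flag such as svm_lock alone does not count.

```shell
#!/bin/sh
# Added example, not from the OpenStack documentation. Function names are
# hypothetical. File arguments default to the live system, so the same code
# can be run against captured copies of /proc/cpuinfo and lsmod output.

# Print the KVM module the CPU described in file $1 calls for:
#   vmx flag -> kvm_intel, svm flag -> kvm_amd, "platform: PowerNV" -> kvm_hv.
# Returns 1 and prints nothing when no hardware virtualization is advertised.
kvm_expected_module() {
    cpuinfo=${1:-/proc/cpuinfo}
    if grep -Eq '^flags[[:space:]]*:.*[[:space:]]vmx([[:space:]]|$)' "$cpuinfo"; then
        echo kvm_intel
    elif grep -Eq '^flags[[:space:]]*:.*[[:space:]]svm([[:space:]]|$)' "$cpuinfo"; then
        echo kvm_amd
    elif grep -Eq '^platform[[:space:]]*:[[:space:]]*PowerNV' "$cpuinfo"; then
        echo kvm_hv
    else
        return 1
    fi
}

# Succeed if module $1 is in the first column of lsmod-style output in file $2
# (default /proc/modules, which has the module name in the same column).
kvm_module_loaded() {
    awk -v m="$1" '$1 == m { found = 1 } END { exit !found }' "${2:-/proc/modules}"
}

# Print one of: no-hw-virt | module-missing:<name> | ready:<name>
# Exit status: 0 ready, 1 no hardware support, 2 module not loaded.
kvm_readiness() {
    cpuinfo=${1:-/proc/cpuinfo}
    modules=${2:-/proc/modules}
    mod=$(kvm_expected_module "$cpuinfo") || { echo no-hw-virt; return 1; }
    if kvm_module_loaded kvm "$modules" && kvm_module_loaded "$mod" "$modules"; then
        echo "ready:$mod"
    else
        echo "module-missing:$mod"
        return 2
    fi
}

# --- Demo on constructed samples (not captured from a real host) ---
demo=$(mktemp -d)
cat > "$demo/cpuinfo" <<'EOF'
vendor_id   : GenuineIntel
flags       : fpu vme de pse msr vmx ssse3 sse4_1
EOF
cat > "$demo/lsmod" <<'EOF'
Module                  Size  Used by
kvm_intel             143187  0
kvm                   455843  1 kvm_intel
EOF
echo "sample Intel host:  $(kvm_readiness "$demo/cpuinfo" "$demo/lsmod")"
grep -v '^kvm_intel' "$demo/lsmod" > "$demo/lsmod.partial"
echo "kvm_intel unloaded: $(kvm_readiness "$demo/cpuinfo" "$demo/lsmod.partial")"
rm -rf "$demo"
```

Run kvm_readiness with no arguments on a compute host to evaluate the live /proc/cpuinfo and /proc/modules.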

Specify the CPU model of KVM guests


The Compute service enables you to control the guest CPU model that is exposed to KVM
virtual machines. Use cases include:
To maximize performance of virtual machines by exposing new host CPU features to the guest
To ensure a consistent default CPU across all machines, removing reliance on variable QEMU defaults
In libvirt, the CPU is specified by providing a base CPU model name (which is a shorthand for a set of feature flags), a set of additional feature flags, and the topology (sockets/cores/threads). The libvirt KVM driver provides a number of standard CPU model
names. These models are defined in the /usr/share/libvirt/cpu_map.xml file.
Check this file to determine which models are supported by your local installation.
Two Compute configuration options in the [libvirt] group of nova.conf define
which type of CPU model is exposed to the hypervisor when using KVM: cpu_mode and
cpu_model.
The cpu_mode option can take one of the following values: none, host-passthrough,
host-model, and custom.

Host model (default for KVM & QEMU)


If your nova.conf file contains cpu_mode=host-model, libvirt identifies the CPU model in the /usr/share/libvirt/cpu_map.xml file that most closely matches the host, and
requests additional CPU flags to complete the match. This configuration provides the maximum functionality and performance and maintains good reliability and compatibility if the
guest is migrated to another host with slightly different host CPUs.

Host pass through


If your nova.conf file contains cpu_mode=host-passthrough, libvirt tells KVM to pass
through the host CPU with no modifications. The difference from host-model is that, instead of just
matching feature flags, every last detail of the host CPU is matched. This gives the best performance, and can be important to some apps which check low level CPU details, but it
comes at a cost with respect to migration. The guest can only be migrated to a matching
host CPU.

Custom
If your nova.conf file contains cpu_mode=custom, you can explicitly specify one of the
supported named models using the cpu_model configuration option. For example, to configure the KVM guests to expose Nehalem CPUs, your nova.conf file should contain:
[libvirt]
cpu_mode = custom
cpu_model = Nehalem

None (default for all libvirt-driven hypervisors other than KVM & QEMU)
If your nova.conf file contains cpu_mode=none, libvirt does not specify a CPU model. Instead, the hypervisor chooses the default model.
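
One way to check these settings before restarting nova-compute, as an added example that is not part of the OpenStack documentation. The function names are hypothetical, the sample nova.conf and CPU map are constructed, and the fallback to virt_type kvm when that option is unset is an assumption.

```shell
#!/bin/sh
# Added example, not from the OpenStack documentation: audit the guest CPU
# settings in the [libvirt] group of nova.conf. Function names are hypothetical.

# Print the value of key $2 in section [$1] of ini file $3 (last match wins).
ini_get() {
    awk -v want="[$1]" -v key="$2" '
        /^[ \t]*[#;]/ { next }                      # skip comment lines
        /^[ \t]*\[/   { gsub(/[ \t]/, ""); section = $0; next }
        section == want {
            eq = index($0, "=")
            if (eq == 0) next
            k = substr($0, 1, eq - 1)
            v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v
        }
        END { print val }
    ' "$3"
}

# Classify the cpu_mode/cpu_model settings of nova.conf file $1.
# $2 is the libvirt CPU map used to validate cpu_model (path from the text).
# Prints "ok: ...", "warn: ..." or "error: ..."; returns 1 on errors.
audit_cpu_mode() {
    conf=$1
    cpu_map=${2:-/usr/share/libvirt/cpu_map.xml}
    virt_type=$(ini_get libvirt virt_type "$conf")
    mode=$(ini_get libvirt cpu_mode "$conf")
    model=$(ini_get libvirt cpu_model "$conf")
    if [ -z "$mode" ]; then
        # Defaults stated in the text: host-model for KVM and QEMU, none
        # for other libvirt hypervisors. Unset virt_type is assumed to be kvm.
        case ${virt_type:-kvm} in
            kvm|qemu) mode=host-model ;;
            *)        mode=none ;;
        esac
    fi
    case $mode in
        custom)
            [ -n "$model" ] || { echo "error: cpu_mode=custom requires cpu_model"; return 1; }
            # Validation is skipped when the CPU map is not readable here.
            if [ -r "$cpu_map" ] && ! grep -Eq "<model name=['\"]$model['\"]" "$cpu_map"; then
                echo "error: cpu_model=$model not found in $cpu_map"
                return 1
            fi
            echo "ok: custom model $model" ;;
        host-passthrough)
            echo "warn: host-passthrough, guests migrate only to a matching host CPU" ;;
        host-model|none)
            [ -z "$model" ] || { echo "warn: cpu_model=$model set but cpu_mode is $mode"; return 0; }
            echo "ok: $mode" ;;
        *)
            echo "error: unknown cpu_mode=$mode"
            return 1 ;;
    esac
}

# --- Demo on constructed files (not taken from a real deployment) ---
demo=$(mktemp -d)
cat > "$demo/cpu_map.xml" <<'EOF'
<cpus>
  <arch name='x86'>
    <model name='Nehalem'>
    </model>
  </arch>
</cpus>
EOF
cat > "$demo/nova.conf" <<'EOF'
[libvirt]
cpu_mode = custom
cpu_model = Nehalem
EOF
echo "custom/Nehalem: $(audit_cpu_mode "$demo/nova.conf" "$demo/cpu_map.xml")"
printf '[libvirt]\ncpu_mode = custom\ncpu_model = Nehalen\n' > "$demo/typo.conf"
echo "misspelled:     $(audit_cpu_mode "$demo/typo.conf" "$demo/cpu_map.xml")"
rm -rf "$demo"
```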

Guest agent support


Use guest agents to enable optional access between compute nodes and guests through a
socket, using the QMP protocol.
To enable this feature, you must set hw_qemu_guest_agent=yes as a metadata parameter on the image you wish to use to create the guest-agent-capable instances from. You can
explicitly disable the feature by setting hw_qemu_guest_agent=no in the image metadata.

KVM performance tweaks


The VHostNet kernel module improves network performance. To load the kernel module,
run the following command as root:
# modprobe vhost_net

Troubleshoot KVM
Trying to launch a new virtual machine instance fails with the ERROR state, and the following error appears in the /var/log/nova/nova-compute.log file:
libvirtError: internal error no supported architecture for os type 'hvm'

This message indicates that the KVM kernel modules were not loaded.
If you cannot start VMs after installation without rebooting, the permissions might not be
set correctly. This can happen if you load the KVM module before you install nova-compute. To check whether the group is set to kvm, run:
# ls -l /dev/kvm

If it is not set to kvm, run:


# udevadm trigger

QEMU
From the perspective of the Compute service, the QEMU hypervisor is very similar to the
KVM hypervisor. Both are controlled through libvirt, both support the same feature set,
and all virtual machine images that are compatible with KVM are also compatible with QEMU. The main difference is that QEMU does not support native virtualization. Consequently, QEMU has worse performance than KVM and is a poor choice for a production deployment.
The typical use cases for QEMU are:
Running on older hardware that lacks virtualization support.
Running the Compute service inside of a virtual machine for development or testing purposes, where the hypervisor does not support native virtualization for guests.
To enable QEMU, add these settings to nova.conf:
compute_driver = libvirt.LibvirtDriver
[libvirt]
virt_type = qemu

For some operations you may also have to install the guestmount utility:
On Ubuntu:
# apt-get install guestmount

On Red Hat Enterprise Linux, Fedora, or CentOS:


# yum install libguestfs-tools

On openSUSE:
# zypper install guestfs-tools

The QEMU hypervisor supports the following virtual machine image formats:
Raw
QEMU Copy-on-write (qcow2)
VMware virtual machine disk format (vmdk)

Tips and fixes for QEMU on RHEL


If you are testing OpenStack in a virtual machine, you must configure Compute to use qemu without KVM and hardware virtualization. The second command relaxes SELinux rules
to allow this mode of operation (https://bugzilla.redhat.com/show_bug.cgi?id=753589).
The last two commands here work around a libvirt issue fixed in Red Hat Enterprise Linux
6.4. Nested virtualization will be the much slower TCG variety, and you should provide lots
of memory to the top-level guest, because the OpenStack-created guests default to 2GB
RAM with no overcommit.

Note
The second command, setsebool, may take a while.
# openstack-config --set /etc/nova/nova.conf libvirt virt_type qemu
# setsebool -P virt_use_execmem on
# ln -s /usr/libexec/qemu-kvm /usr/bin/qemu-system-x86_64
# service libvirtd restart

Xen, XenAPI, XenServer, and XCP


This section needs help
This section is low quality, and contains out of date information. The Documentation Team is currently looking for individuals with experience with the hypervisor to re-document Xen integration with OpenStack.
This section describes Xen, XenAPI, XenServer, and XCP, their differences, and how to use
them with OpenStack. After you understand how the Xen and KVM architectures differ,
you can determine when to use each architecture in your OpenStack cloud.

Xen terminology
Xen. A hypervisor that provides the fundamental isolation between virtual machines. Xen is
open source (GPLv2) and is managed by Xen.org, a cross-industry organization.
Xen is a component of many different products and projects. The hypervisor itself is very
similar across all these projects, but the way that it is managed can be different, which can
cause confusion if you're not clear which tool stack you are using. Make sure you know
what tool stack you want before you get started.
Xen Cloud Platform (XCP). An open source (GPLv2) tool stack for Xen. It is designed specifically as a platform for enterprise and cloud computing, and is well integrated with OpenStack. XCP is available both as a binary distribution, installed from an iso, and from Linux
distributions, such as xcp-xapi in Ubuntu. The current versions of XCP available in Linux distributions do not yet include all the features available in the binary distribution of XCP.
Citrix XenServer. A commercial product. It is based on XCP, and exposes the same tool
stack and management API. As an analogy, think of XenServer being based on XCP in the
way that Red Hat Enterprise Linux is based on Fedora. XenServer has a free version (which
is very similar to XCP) and paid-for versions with additional features enabled. Citrix provides
support for XenServer, but as of July 2012, they do not provide any support for XCP. For a
comparison between these products see the XCP Feature Matrix.
Both XenServer and XCP include Xen, Linux, and the primary control daemon known as
xapi.
The API shared between XCP and XenServer is called XenAPI. OpenStack usually refers to
XenAPI, to indicate that the integration works equally well on XCP and XenServer. Sometimes, a careless person will refer to XenServer specifically, but you can be reasonably confident that anything that works on XenServer will also work on the latest version of XCP.
Read the XenAPI Object Model Overview for definitions of XenAPI specific terms such as
SR, VDI, VIF and PIF.

Privileged and unprivileged domains


A Xen host runs a number of virtual machines, VMs, or domains (the terms are synonymous
on Xen). One of these is in charge of running the rest of the system, and is known as "domain 0," or "dom0." It is the first domain to boot after Xen, and owns the storage and networking hardware, the device drivers, and the primary control software. Any other VM is
unprivileged, and is known as a "domU" or "guest". All customer VMs are unprivileged of
course, but you should note that on Xen the OpenStack control software (nova-compute)
also runs in a domU. This gives a level of security isolation between the privileged system
software and the OpenStack software (much of which is customer-facing). This architecture
is described in more detail later.
There is an ongoing project to split domain 0 into multiple privileged domains known as
driver domains and stub domains. This would give even better separation between critical
components. This technology is what powers Citrix XenClient RT, and is likely to be added
into XCP in the next few years. However, the current architecture just has three levels of
separation: dom0, the OpenStack domU, and the completely unprivileged customer VMs.

Paravirtualized versus hardware virtualized domains


A Xen virtual machine can be paravirtualized (PV) or hardware virtualized (HVM). This
refers to the interaction between Xen, domain 0, and the guest VM's kernel. PV guests are
aware of the fact that they are virtualized and will co-operate with Xen and domain 0; this
gives them better performance characteristics. HVM guests are not aware of their environment, and the hardware has to pretend that they are running on an unvirtualized machine.
HVM guests do not need to modify the guest operating system, which is essential when
running Windows.
In OpenStack, customer VMs may run in either PV or HVM mode. However, the OpenStack
domU (that's the one running nova-compute) must be running in PV mode.

XenAPI Deployment Architecture


When you deploy OpenStack on XCP or XenServer, you get something similar to this:

Key things to note:


The hypervisor: Xen
Domain 0: runs xapi and some small pieces from OpenStack (some xapi plug-ins and network isolation rules). The majority of this is provided by XenServer or XCP (or yourself using Kronos).
OpenStack VM: The nova-compute code runs in a paravirtualized virtual machine, running on the host under management. Each host runs a local instance of nova-compute.
It will often also be running nova-network (depending on your network mode). In this
case, nova-network is managing the addresses given to the tenant VMs through DHCP.
Nova uses the XenAPI Python library to talk to xapi, and it uses the Management Network to reach from the domU to dom0 without leaving the host.
Some notes on the networking:
The above diagram assumes FlatDHCP networking (the DevStack default).
There are three main OpenStack Networks:
Management network - RabbitMQ, MySQL, and other services. Please note that the
VM images are downloaded by the XenAPI plug-ins, so make sure that the images can
be downloaded through the management network. It usually means binding those services to the management interface.
Tenant network - controlled by nova-network. The parameters of this network depend
on the networking model selected (Flat, Flat DHCP, VLAN).
Public network - floating IPs, public API endpoints.
The networks shown here must be connected to the corresponding physical networks
within the data center. In the simplest case, three individual physical network cards could
be used. It is also possible to use VLANs to separate these networks. Please note that
the selected configuration must be in line with the networking model selected for the
cloud. (In case of VLAN networking, the physical channels have to be able to forward the
tagged traffic.)

XenAPI pools
The host-aggregates feature enables you to create pools of XenServer hosts to enable live
migration when using shared storage. However, you cannot configure shared storage.

Further reading
Here are some of the resources available to learn more about Xen:
Citrix XenServer official documentation: http://docs.vmd.citrix.com/XenServer.
What is Xen? by Xen.org: http://xen.org/files/Marketing/WhatisXen.pdf.
Xen Hypervisor project: http://xen.org/products/xenhyp.html.
XCP project: http://xen.org/products/cloudxen.html.
Further XenServer and OpenStack information: http://wiki.openstack.org/XenServer.

Install XenServer and XCP


Before you can run OpenStack with XCP or XenServer, you must install the software on an
appropriate server.

Note
Xen is a type 1 hypervisor: When your server starts, Xen is the first software
that runs. Consequently, you must install XenServer or XCP before you install
the operating system where you want to run OpenStack code. The OpenStack
services then run in a virtual machine that you install on top of XenServer.
Before you can install your system, decide whether to install a free or paid edition of Citrix
XenServer or Xen Cloud Platform from Xen.org. Download the software from these locations:

http://www.citrix.com/XenServer/download
http://www.xen.org/download/xcp/index.html
When you install many servers, you might find it easier to perform PXE boot installations
of XenServer or XCP. You can also package any post-installation changes that you want to
make to your XenServer by creating your own XenServer supplemental pack.
You can also install the xcp-xenapi package on Debian-based distributions to get XCP. However, this is not as mature or feature complete as the above distributions. This modifies your
boot loader to first boot Xen and boot your existing OS on top of Xen as Dom0. The xapi
daemon runs in Dom0. Find more details at http://wiki.xen.org/wiki/Project_Kronos.

Important
Make sure you use the EXT type of storage repository (SR). Features that require access to VHD files (such as copy on write, snapshot and migration) do
not work when you use the LVM SR. Storage repository (SR) is a XenAPI-specific
term relating to the physical storage where virtual disks are stored.
On the XenServer/XCP installation screen, choose the XenDesktop Optimized
option. If you use an answer file, make sure you use srtype="ext" in the installation tag of the answer file.

Post-installation steps
Complete these steps to install OpenStack in your XenServer system:
1. For resize and migrate functionality, complete the changes described in the Configure
resize section in the OpenStack Configuration Reference.

2. Install the VIF isolation rules to help prevent MAC and IP address spoofing.

3. Install the XenAPI plug-ins. See the following section.

4. To support AMI type images, you must set up /boot/guest symlink/directory in
Dom0. For detailed instructions, see next section.

5. To support resize/migration, set up an ssh trust relation between your XenServer
hosts, and ensure /images is properly set up. See next section for more details.

6. Create a Paravirtualized virtual machine that can run the OpenStack compute code.

7. Install and configure the nova-compute in the above virtual machine.

For more information, see how DevStack performs the last three steps for developer deployments. For more information about DevStack, see Getting Started With XenServer and Devstack (https://github.com/openstack-dev/devstack/blob/master/tools/xen/README.md). For more information about the first step, see Multi Tenancy Networking Protections in XenServer (https://github.com/openstack/nova/blob/master/plugins/xenserver/doc/networking.rst). For information about how to install the XenAPI
plug-ins, see XenAPI README (https://github.com/openstack/nova/blob/master/plugins/xenserver/xenapi/README).
Install the XenAPI plug-ins

When you use Xen as the hypervisor for OpenStack Compute, you can install a Python
script (or any executable) on the host side, and call that through the XenAPI. These scripts
are called plug-ins. The XenAPI plug-ins live in the nova code repository. These plug-ins have
to be copied to the Dom0 for the hypervisor, to the appropriate directory, where xapi can
find them. There are several options for the installation. The important thing is to ensure
that the version of the plug-ins is in line with the nova installation by only installing plug-ins from a matching nova repository.
Manually install the plug-in

1. Create temporary files/directories:
$ NOVA_ZIPBALL=$(mktemp)
$ NOVA_SOURCES=$(mktemp -d)

2. Get the source from GitHub. The example assumes the master branch is used. Amend
the URL to match the version being used:
$ wget -qO "$NOVA_ZIPBALL" https://github.com/openstack/nova/archive/master.zip
$ unzip "$NOVA_ZIPBALL" -d "$NOVA_SOURCES"

(Alternatively) To use the official Ubuntu packages, use the following commands to
get the nova code base:
$ ( cd "$NOVA_SOURCES" && apt-get source python-nova --download-only )
$ ( cd "$NOVA_SOURCES" && for ARCHIVE in *.tar.gz; do tar -xzf "$ARCHIVE"; done )

3. Copy the plug-ins to the hypervisor:
$ PLUGINPATH=$(find "$NOVA_SOURCES" -path '*/xapi.d/plugins' -type d -print)
$ tar -czf - -C "$PLUGINPATH" ./ | ssh root@xenserver tar -xozf - -C /etc/xapi.d/plugins/

4. Remove the temporary files/directories:
$ rm "$NOVA_ZIPBALL"
$ rm -rf "$NOVA_SOURCES"
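
One way to confirm that the plug-ins in Dom0 match the nova sources they were copied from, as an added example (not code from the nova repository). The function names are hypothetical and the demo trees and file names are constructed; it assumes sha256sum is available on both machines.

```shell
#!/bin/sh
# Added example, not from the nova repository. Function names are hypothetical.
#
# Real use, with the names from the steps above (run before step 4 removes
# the sources):
#   plugin_manifest "$PLUGINPATH" > src.manifest
#   ssh root@xenserver 'cd /etc/xapi.d/plugins && find . -type f -exec sha256sum {} +' > dom0.manifest
#   plugin_diff src.manifest dom0.manifest

# Print "<sha256>  ./relative/path" for every regular file under directory $1.
plugin_manifest() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k 2 )
}

# Compare the manifest of the nova source tree ($1) with the manifest of the
# copy installed in Dom0 ($2). Prints "missing", "modified" or "extra" plus the
# path for each discrepancy; returns 0 only when the two trees are identical.
plugin_diff() {
    awk '
        { h = substr($0, 1, 64); p = substr($0, 67) }   # hash is 64 hex chars
        FILENAME == ARGV[1] { src[p] = h; next }
        { seen[p] = 1
          if (!(p in src))      print "extra", p
          else if (src[p] != h) print "modified", p }
        END { for (p in src) if (!(p in seen)) print "missing", p }
    ' "$1" "$2" | LC_ALL=C sort | awk '{ print } END { exit (NR > 0) }'
}

# --- Demo on constructed trees (file names and contents are made up) ---
src=$(mktemp -d); dom0=$(mktemp -d); work=$(mktemp -d)
printf 'plugin a, version 2\n' > "$src/plugin_a"
printf 'plugin b, version 2\n' > "$src/plugin_b"
printf 'plugin a, version 2\n' > "$dom0/plugin_a"
printf 'plugin b, version 1\n' > "$dom0/plugin_b"   # left over from an older nova
printf 'unknown file\n'        > "$dom0/plugin_old" # not in the source tree
plugin_manifest "$src"  > "$work/src.manifest"
plugin_manifest "$dom0" > "$work/dom0.manifest"
if plugin_diff "$work/src.manifest" "$work/dom0.manifest"; then
    echo "plug-ins match the nova sources"
else
    echo "plug-ins differ from the nova sources (see lines above)"
fi
rm -rf "$src" "$dom0" "$work"
```

An "extra" or "modified" line means Dom0 holds plug-in code that does not come from the nova version in use, which is the mismatch the text above warns about.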

Package a XenServer supplemental pack

Follow these steps to produce a supplemental pack from the nova sources, and package it
as a XenServer supplemental pack.
1. Create RPM packages. This step requires the nova sources; to get them, use one of the methods in the
section called Manually install the plug-in:
$ cd nova/plugins/xenserver/xenapi/contrib
$ ./build-rpm.sh

These commands leave an .rpm file in the rpmbuild/RPMS/noarch/ directory.


2. Pack the RPM packages to a Supplemental Pack, using the XenServer DDK (the following command should be issued on the XenServer DDK virtual appliance, after the produced rpm file has been copied over):
$ /usr/bin/build-supplemental-pack.sh \
> --output=output_directory \
> --vendor-code=novaplugin \
> --vendor-name=openstack \
> --label=novaplugins \
> --text="nova plugins" \
> --version=0 \
> full_path_to_rpmfile

This command produces an .iso file in the output directory specified. Copy that file to
the hypervisor.
3. Install the Supplemental Pack. Log in to the hypervisor, and issue:
# xe-install-supplemental-pack path_to_isofile

Prepare for AMI type images

To support AMI type images in your OpenStack installation, you must create a /boot/guest
directory inside Dom0. The OpenStack VM extracts the kernel and ramdisk from the
AKI and ARI images and puts them in this location.
OpenStack maintains the contents of this directory and its size should not increase during
normal operation. However, in case of power failures or accidental shutdowns, some files
might be left over. To prevent these files from filling the Dom0 disk, set up this directory as
a symlink that points to a subdirectory of the local SR.
Run these commands in Dom0 to achieve this setup:
# LOCAL_SR=$(xe sr-list name-label="Local storage" --minimal)
# LOCALPATH="/var/run/sr-mount/$LOCAL_SR/os-guest-kernels"
# mkdir -p "$LOCALPATH"
# ln -s "$LOCALPATH" /boot/guest

Modify Dom0 for resize/migration support

To resize servers with XenServer and XCP, you must:


Establish a root trust between all hypervisor nodes of your deployment:
To do so, generate an ssh key-pair with the ssh-keygen command. Ensure that each of
your dom0's authorized_keys file (located in /root/.ssh/authorized_keys)
contains the public key (located in /root/.ssh/id_rsa.pub).
Provide an /images mount point to the dom0 for your hypervisor:
Dom0 space is at a premium so creating a directory in dom0 is potentially dangerous and
likely to fail especially when you resize large servers. The least you can do is to symlink
/images to your local storage SR. The following instructions work for an English-based installation of XenServer (and XCP) and in the case of ext3-based SR (with which the resize
functionality is known to work correctly).
# LOCAL_SR=$(xe sr-list name-label="Local storage" --minimal)
# IMG_DIR="/var/run/sr-mount/$LOCAL_SR/images"
# mkdir -p "$IMG_DIR"
# ln -s "$IMG_DIR" /images

Xen boot from ISO


XenServer, through the XenAPI integration with OpenStack, provides a feature to boot instances from an ISO file. To activate the Boot From ISO feature, you must configure the SR
elements on XenServer host, as follows:
1. Create an ISO-typed SR, such as an NFS ISO library, for instance. For this, using XenCenter is a simple method. You must export an NFS volume from a remote NFS server.
Make sure it is exported in read-write mode.

2. On the compute host, find and record the UUID of this ISO SR:
# xe host-list

3. Locate the UUID of the NFS ISO library:
# xe sr-list content-type=iso

4. Set the UUID and configuration. Even if an NFS mount point is not local, you must
specify local-storage-iso.
# xe sr-param-set uuid=[iso sr uuid] other-config:i18n-key=local-storage-iso

5. Make sure the host-UUID from xe pbd-list equals the UUID of the host you found
previously:
# xe pbd-list sr-uuid=[iso sr uuid]

6. You can now add images through the OpenStack Image Service with disk-format=iso, and boot them in OpenStack Compute:
$ glance image-create --name fedora_iso --disk-format iso --container-format bare < Fedora-16-x86_64-netinst.iso

Xen configuration reference


The following section discusses some commonly changed options in XenServer. The table
below provides a complete reference of all configuration options available for configuring
Xen with OpenStack.
The recommended way to use Xen with OpenStack is through the XenAPI driver. To enable
the XenAPI driver, add the following configuration options to /etc/nova/nova.conf and
restart the nova-compute service:
compute_driver = xenapi.XenAPIDriver
xenapi_connection_url = http://your_xenapi_management_ip_address
xenapi_connection_username = root
xenapi_connection_password = your_password

These connection details are used by the OpenStack Compute service to contact your hypervisor and are the same details you use to connect XenCenter, the XenServer management console, to your XenServer or XCP box.
Note
The xenapi_connection_url is generally the management network IP address of the XenServer. Though it is possible to use the internal network IP address (169.254.0.1) to contact XenAPI, this does not allow live migration between hosts. Other functionality, such as host aggregates, does not work either.
It is possible to manage Xen using libvirt, though this is not well-tested or supported. To
experiment using Xen through libvirt, add the following configuration options to /etc/nova/nova.conf:
compute_driver = libvirt.LibvirtDriver
[libvirt]
virt_type = xen

Agent
If you don't have the guest agent on your VMs, it takes a long time for nova to decide the
VM has successfully started. Generally a large timeout is required for Windows instances,
but you may want to tweak agent_version_timeout.

Firewall
If using nova-network, iptables is supported:
firewall_driver = nova.virt.firewall.IptablesFirewallDriver

Alternately, doing the isolation in Dom0:


firewall_driver = nova.virt.xenapi.firewall.Dom0IptablesFirewallDriver

VNC proxy address


Assuming you are talking to XenAPI through the host local management network, and XenServer is on the address: 169.254.0.1, you can use the following:
vncserver_proxyclient_address=169.254.0.1

Storage
You can specify which Storage Repository to use with nova by setting the following flag.
The default is to use the local-storage setup by the default installer:
sr_matching_filter = "other-config:i18n-key=local-storage"

Another good alternative is to use the "default" storage (for example if you have attached
NFS or any other shared storage):
sr_matching_filter = "default-sr:true"

Note
To use a XenServer pool, you must create the pool by using the Host Aggregates feature.
Xen configuration reference


To customize the Xen driver, use the configuration option settings documented in Table 2.62, Description of Xen configuration options.

LXC (Linux containers)


LXC (also known as Linux containers) is a virtualization technology that works at the operating system level. This is different from hardware virtualization, the approach used by other hypervisors such as KVM, Xen, and VMware. LXC (as currently implemented using libvirt
in the Compute service) is not a secure virtualization technology for multi-tenant environments (specifically, containers may affect resource quotas for other containers hosted on
the same machine). Additional containment technologies, such as AppArmor, may be used
to provide better isolation between containers, although this is not the case by default. For
all these reasons, the choice of this virtualization technology is not recommended in production.
If your compute hosts do not have hardware support for virtualization, LXC will likely provide better performance than QEMU. In addition, if your guests must access specialized
hardware, such as GPUs, this might be easier to achieve with LXC than other hypervisors.

Note
Some OpenStack Compute features might be missing when running with LXC as
the hypervisor. See the hypervisor support matrix for details.
To enable LXC, ensure the following options are set in /etc/nova/nova.conf on all
hosts running the nova-compute service.
compute_driver = libvirt.LibvirtDriver
[libvirt]
virt_type = lxc

On Ubuntu, enable LXC support in OpenStack by installing the nova-compute-lxc package.

VMware vSphere
Introduction
OpenStack Compute supports the VMware vSphere product family and enables access to
advanced features such as vMotion, High Availability, and Dynamic Resource Scheduling
(DRS).
This section describes how to configure VMware-based virtual machine images for launch.
vSphere versions 4.1 and later are supported.
The VMware vCenter driver enables the nova-compute service to communicate with a
VMware vCenter server that manages one or more ESX host clusters. The driver aggregates
the ESX hosts in each cluster to present one large hypervisor entity for each cluster to the
Compute scheduler. Because individual ESX hosts are not exposed to the scheduler, Compute schedules to the granularity of clusters and vCenter uses DRS to select the actual ESX
host within the cluster. When a virtual machine makes its way into a vCenter cluster, it can
use all vSphere features.
The following sections describe how to configure the VMware vCenter driver.

High-level architecture
The following diagram shows a high-level view of the VMware driver architecture:

Figure 2.1. VMware driver architecture

As the figure shows, the OpenStack Compute Scheduler sees three hypervisors that each
correspond to a cluster in vCenter. Nova-compute contains the VMware driver. You can
run with multiple nova-compute services. While Compute schedules at the granularity of
a cluster, the VMware driver inside nova-compute interacts with the vCenter APIs to select an appropriate ESX host within the cluster. Internally, vCenter uses DRS for placement.
The VMware vCenter driver also interacts with the OpenStack Image Service to copy VMDK
images from the Image Service back end store. The dotted line in the figure represents
VMDK images being copied from the OpenStack Image Service to the vSphere data store.
VMDK images are cached in the data store so the copy operation is only required the first
time that the VMDK image is used.
After OpenStack boots a VM into a vSphere cluster, the VM becomes visible in vCenter and
can access vSphere advanced features. At the same time, the VM is visible in the OpenStack
dashboard and you can manage it as you would any other OpenStack VM. You can perform advanced vSphere operations in vCenter while you configure OpenStack resources
such as VMs through the OpenStack dashboard.
The figure does not show how networking fits into the architecture. Both nova-network
and the OpenStack Networking Service are supported. For details, see the section called
Networking with VMware vSphere [197].

Configuration overview
To get started with the VMware vCenter driver, complete the following high-level steps:
1. Configure vCenter. See the section called Prerequisites and limitations [190].
2. Configure the VMware vCenter driver in the nova.conf file. See the section called
VMware vCenter driver [192].
3. Load desired VMDK images into the OpenStack Image Service. See the section called
Images with VMware vSphere [194].
4. Configure networking with either nova-network or the OpenStack Networking Service. See the section called Networking with VMware vSphere [197].

Prerequisites and limitations


Use the following list to prepare a vSphere environment that runs with the VMware vCenter driver:
1. Copying VMDK files (vSphere 5.1 only). In vSphere 5.1, copying large image files (for example, 12GB and greater) from Glance can take a long time. To improve performance,
VMware recommends that you upgrade to VMware vCenter Server 5.1 Update 1 or later. For more information, see the Release Notes.
2. DRS. For any cluster that contains multiple ESX hosts, enable DRS and enable fully automated placement.
3. Shared storage. Only shared storage is supported and data stores must be shared
among all hosts in a cluster. It is recommended to remove data stores not intended for
OpenStack from clusters being configured for OpenStack.
4. Clusters and data stores. Do not use OpenStack clusters and data stores for other purposes. If you do, OpenStack displays incorrect usage information.
5. Networking. The networking configuration depends on the desired networking model.
See the section called Networking with VMware vSphere [197].
6. Security groups. If you use the VMware driver with OpenStack Networking and the NSX
plug-in, security groups are supported. If you use nova-network, security groups are
not supported.

Note
The NSX plug-in is the only plug-in that is validated for vSphere.
7. VNC. The port range 5900 - 6105 (inclusive) is automatically enabled for VNC connections on every ESX host in all clusters under OpenStack control. For more information about using a VNC client to connect to a virtual machine, see http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1246.

Note
In addition to the default VNC port numbers (5900 to 6000) specified in the
above document, the following ports are also used: 6101, 6102, and 6105.
You must modify the ESXi firewall configuration to allow the VNC ports. Additionally, for
the firewall modifications to persist after a reboot, you must create a custom vSphere Installation Bundle (VIB) which is then installed onto the running ESXi host or added to a
custom image profile used to install ESXi hosts. For details about how to create a VIB for
persisting the firewall configuration modifications, see http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2007381.
8. Ephemeral Disks. Ephemeral disks are not supported. A future major release will address
this limitation.
9. Injection of SSH keys into compute instances hosted by vCenter is not currently supported.
10. To use multiple vCenter installations with OpenStack, each vCenter must be assigned to
a separate availability zone. This is required as the OpenStack Block Storage VMDK driver does not currently work across multiple vCenter installations.

VMware vCenter service account


OpenStack integration requires a vCenter service account with the following minimum permissions. Apply the permissions to the Datacenter root object, and select the Propagate
to Child Objects option.

Table 2.7. vCenter permissions tree


All Privileges
Datastore
Allocate space
Browse datastore
Low level file operation
Remove file
Folder
Create folder
Host
Configuration

S
Network
Assign network
Resource
Assign virtual machine to resource pool

Migrate powered off virtual machine
Migrate powered on virtual machine

Virtual Machine
Configuration

S
Interaction

S
Inventory

U
Provisioning

C
Sessions

V
Snapshot management

R
vApp
Export
Import

VMware vCenter driver


Use the VMware vCenter driver (VMwareVCDriver) to connect OpenStack Compute with
vCenter. This recommended configuration enables access through vCenter to advanced
vSphere features like vMotion, High Availability, and Dynamic Resource Scheduling (DRS).


VMwareVCDriver configuration options


When you use the VMwareVCDriver (vCenter versions 5.1 and later) with OpenStack Compute, add the following VMware-specific configuration options to the nova.conf file:
[DEFAULT]
compute_driver=vmwareapi.VMwareVCDriver
[vmware]
host_ip=<vCenter host IP>
host_username=<vCenter username>
host_password=<vCenter password>
cluster_name=<vCenter cluster name>
datastore_regex=<optional datastore regex>

Note
vSphere vCenter versions 5.0 and earlier: You must specify the location of the
WSDL files by adding the wsdl_location=http://127.0.0.1:8080/vmware/SDK/wsdl/vim25/vimService.wsdl
setting to the above configuration. For more information, see vSphere 5.0 and earlier additional set up.
Clusters: The vCenter driver can support multiple clusters. To use more than
one cluster, simply add multiple cluster_name lines in nova.conf with
the appropriate cluster name. Clusters and data stores used by the vCenter
driver should not contain any VMs other than those created by the driver.
Data stores: The datastore_regex setting specifies the data stores to use
with Compute. For example, datastore_regex="nas.*" selects all the
data stores that have a name starting with "nas". If this line is omitted, Compute uses the first data store returned by the vSphere API. It is recommended
not to use this field and instead remove data stores that are not intended for
OpenStack.
Reserved host memory: The reserved_host_memory_mb option value is
512MB by default. However, VMware recommends that you set this option
to 0MB because the vCenter driver reports the effective memory available to
the virtual machines.
A nova-compute service can control one or more clusters containing multiple ESX hosts,
making nova-compute a critical service from a high availability perspective. Because the
host that runs nova-compute can fail while the vCenter and ESX still run, you must protect the nova-compute service against host failures.

Note
Many nova.conf options are relevant to libvirt but do not apply to this driver.
You must complete additional configuration for environments that use vSphere 5.0 and
earlier. See the section called vSphere 5.0 and earlier additional set up [198].
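
The following added example (not part of the original guide or of nova) audits a nova.conf for the VMwareVCDriver settings described above: it keeps every cluster_name line, shows which data store names a datastore_regex selects, and flags a file mode that lets other users read the clear-text host_password. The sample file contents, data store names and function names are constructed for illustration.

```python
import os
import re
import stat

# Constructed sample: the page's [vmware] block with two cluster_name lines.
SAMPLE_NOVA_CONF = """\
[DEFAULT]
compute_driver=vmwareapi.VMwareVCDriver
[vmware]
host_ip=192.0.2.10
host_username=svc-openstack
host_password=constructed-secret
cluster_name=cluster-a
cluster_name=cluster-b
datastore_regex=nas.*
"""

REQUIRED = ("host_ip", "host_username", "host_password", "cluster_name")


def parse_multi_ini(text):
    """Parse INI text, keeping every value of a repeated key."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current.setdefault(key.strip(), []).append(value.strip().strip('"'))
    return sections


def select_datastores(regex, names):
    """Return the names the regex selects, matching from the start of each."""
    pattern = re.compile(regex)
    return [name for name in names if pattern.match(name)]


def audit_vmware_conf(path, datastore_names=()):
    """Audit one nova.conf; returns clusters, selected datastores, findings."""
    with open(path, encoding="utf-8") as handle:
        conf = parse_multi_ini(handle.read())
    default, vmware = conf.get("DEFAULT", {}), conf.get("vmware", {})
    findings = []

    if default.get("compute_driver", [""])[-1] != "vmwareapi.VMwareVCDriver":
        findings.append("compute_driver is not vmwareapi.VMwareVCDriver")
    for key in REQUIRED:
        if not vmware.get(key):
            findings.append("missing [vmware] option: " + key)

    # host_password is stored in clear text, so the file must not grant any
    # permission bits to "other" users.
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if vmware.get("host_password") and mode & stat.S_IRWXO:
        findings.append("mode %o exposes host_password to other users" % mode)

    # The page gives 512 as the default and 0 as the recommended value.
    if default.get("reserved_host_memory_mb", ["512"])[-1] != "0":
        findings.append("reserved_host_memory_mb is not 0")

    selected = []
    regex = vmware.get("datastore_regex")
    if not regex:
        findings.append("datastore_regex unset: first data store returned is used")
    else:
        try:
            selected = select_datastores(regex[-1], datastore_names)
        except re.error as exc:
            findings.append("datastore_regex does not compile: %s" % exc)

    return {"clusters": vmware.get("cluster_name", []),
            "datastores": selected, "findings": findings}


if __name__ == "__main__":
    import tempfile
    with tempfile.NamedTemporaryFile("w", suffix=".conf", delete=False) as tmp:
        tmp.write(SAMPLE_NOVA_CONF)
    os.chmod(tmp.name, 0o644)
    print(audit_vmware_conf(tmp.name, ["nas01", "local-nas", "nas-backup"]))
    os.unlink(tmp.name)
```

Pass the data store names from your own vCenter inventory as the second argument to see which of them the configured regex would hand to Compute.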


Images with VMware vSphere


The vCenter driver supports images in the VMDK format. Disks in this format can be obtained from VMware Fusion or from an ESX environment. It is also possible to convert other formats, such as qcow2, to the VMDK format using the qemu-img utility. After a VMDK
disk is available, load it into the OpenStack Image Service. Then, you can use it with the
VMware vCenter driver. The following sections provide additional details on the supported
disks and the commands used for conversion and upload.

Supported image types


Upload images to the OpenStack Image Service in VMDK format. The following VMDK disk
types are supported:
VMFS Flat Disks (includes thin, thick, zeroedthick, and eagerzeroedthick). Note that once
a VMFS thin disk is exported from VMFS to a non-VMFS location, like the OpenStack Image Service, it becomes a preallocated flat disk. This impacts the transfer time from the
OpenStack Image Service to the data store when the full preallocated flat disk, rather
than the thin disk, must be transferred.
Monolithic Sparse disks. Sparse disks get imported from the OpenStack Image Service into ESX as thin provisioned disks. Monolithic Sparse disks can be obtained from VMware
Fusion or can be created by converting from other virtual disk formats using the qemu-img utility.
The following table shows the vmware_disktype property that applies to each of the
supported VMDK disk types:

Table 2.8. OpenStack Image Service disk type settings

vmware_disktype property    VMDK disk type
sparse                      Monolithic Sparse
thin                        VMFS flat, thin provisioned
preallocated (default)      VMFS flat, thick/zeroedthick/eagerzeroedthick

The vmware_disktype property is set when an image is loaded into the OpenStack Image Service. For example, the following command creates a Monolithic Sparse image by setting vmware_disktype to sparse:
$ glance image-create --name "ubuntu-sparse" --disk-format vmdk \
--container-format bare \
--property vmware_disktype="sparse" \
--property vmware_ostype="ubuntu64Guest" < ubuntuLTS-sparse.vmdk

Note
Specifying thin does not provide any advantage over preallocated with
the current version of the driver. Future versions might restore the thin properties of the disk after it is downloaded to a vSphere data store.

Convert and load images


Using the qemu-img utility, disk images in several formats (such as, qcow2) can be converted to the VMDK format.

For example, the following command can be used to convert a qcow2 Ubuntu Trusty cloud
image:
$ qemu-img convert -f qcow2 ~/Downloads/trusty-server-cloudimg-amd64-disk1.img \
-O vmdk trusty-server-cloudimg-amd64-disk1.vmdk

VMDK disks converted through qemu-img are always monolithic sparse VMDK disks with
an IDE adapter type. Using the previous example of the Ubuntu Trusty image after the qemu-img conversion, the command to upload the VMDK disk should be something like:
$ glance image-create --name trusty-cloud --is-public False \
--container-format bare --disk-format vmdk \
--property vmware_disktype="sparse" \
--property vmware_adaptertype="ide" < \
trusty-server-cloudimg-amd64-disk1.vmdk

Note that the vmware_disktype is set to sparse and the vmware_adaptertype is set
to ide in the previous command.
If the image did not come from the qemu-img utility, the vmware_disktype and
vmware_adaptertype might be different. To determine the image adapter type from an
image file, use the following command and look for the ddb.adapterType= line:
$ head -20 <vmdk file name>

Assuming a preallocated disk type and an iSCSI lsiLogic adapter type, the following command uploads the VMDK disk:
$ glance image-create --name "ubuntu-thick-scsi" --disk-format vmdk \
--container-format bare \
--property vmware_adaptertype="lsiLogic" \
--property vmware_disktype="preallocated" \
--property vmware_ostype="ubuntu64Guest" < ubuntuLTS-flat.vmdk

Currently, OS boot VMDK disks with an IDE adapter type cannot be attached to a virtual
SCSI controller and likewise disks with one of the SCSI adapter types (such as, busLogic, lsiLogic) cannot be attached to the IDE controller. Therefore, as the previous examples show,
it is important to set the vmware_adaptertype property correctly. The default adapter
type is lsiLogic, which is SCSI, so you can omit the vmware_adaptertype property if you
are certain that the image adapter type is lsiLogic.
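
An added example, not from the original guide: instead of reading the head -20 output by eye, this script extracts createType and ddb.adapterType from a VMDK descriptor and builds the matching glance image-create command, refusing to guess when the adapter type is absent. The sample descriptors and function names are constructed, and the createType to vmware_disktype mapping is an assumption based on the disk type table above.

```python
import re
import shlex

# Constructed sample data (not real images): a monolithic sparse file starts
# with a binary header followed by the embedded text descriptor, while a flat
# disk has a separate text descriptor next to its -flat.vmdk data file.
SAMPLE_SPARSE = b"KDMV" + b"\x00" * 508 + b"""# Disk DescriptorFile
version=1
createType="monolithicSparse"

# Extent description
RW 4194304 SPARSE "trusty-server-cloudimg-amd64-disk1.vmdk"

# The Disk Data Base
#DDB
ddb.adapterType = "ide"
""" + b"\x00" * 64

SAMPLE_FLAT_DESCRIPTOR = b"""# Disk DescriptorFile
version=1
createType="vmfs"

# Extent description
RW 41943040 VMFS "ubuntuLTS-flat.vmdk"

#DDB
ddb.adapterType = "lsilogic"
"""

# One key = "value" pair per line; comment and extent lines do not match.
KEY_VALUE = re.compile(
    rb'^[ \t]*([A-Za-z][\w.]*)[ \t]*=[ \t]*"?([^"\r\n]*)"?[ \t\r]*$',
    re.MULTILINE)

# Assumed mapping from descriptor createType to the page's vmware_disktype
# values; thin is left out because the page says it gives no advantage.
DISK_TYPES = {"monolithicsparse": "sparse", "vmfs": "preallocated",
              "monolithicflat": "preallocated"}
# Adapter spellings as the page writes them in vmware_adaptertype.
ADAPTER_TYPES = {"ide": "ide", "lsilogic": "lsiLogic", "buslogic": "busLogic"}


def read_descriptor(data, scan_bytes=65536):
    """Return the key=value pairs found in the first scan_bytes of a VMDK."""
    pairs = {}
    for match in KEY_VALUE.finditer(data[:scan_bytes]):
        key = match.group(1).decode("ascii")
        pairs[key] = match.group(2).decode("latin-1").strip()
    return pairs


def glance_properties(data):
    """Map a descriptor to vmware_disktype and vmware_adaptertype."""
    pairs = read_descriptor(data)
    create_type = pairs.get("createType", "").lower()
    adapter = pairs.get("ddb.adapterType", "").lower()
    if create_type not in DISK_TYPES:
        raise ValueError("unsupported or missing createType: %r" % create_type)
    # Do not fall back to the lsiLogic default: an IDE disk tagged as SCSI
    # cannot be attached to the controller, so an unknown type is an error.
    if adapter not in ADAPTER_TYPES:
        raise ValueError("unsupported or missing ddb.adapterType: %r" % adapter)
    return {"vmware_disktype": DISK_TYPES[create_type],
            "vmware_adaptertype": ADAPTER_TYPES[adapter]}


def glance_command(name, upload_path, properties):
    """Build the glance image-create command line used on this page."""
    parts = ["glance", "image-create", "--name", shlex.quote(name),
             "--disk-format", "vmdk", "--container-format", "bare"]
    for key in sorted(properties):
        parts += ["--property", '%s="%s"' % (key, properties[key])]
    return " ".join(parts) + " < " + shlex.quote(upload_path)


if __name__ == "__main__":
    props = glance_properties(SAMPLE_SPARSE)
    print(glance_command("trusty-cloud", "trusty.vmdk", props))
```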

Tag VMware images


In a mixed hypervisor environment, OpenStack Compute uses the hypervisor_type tag
to match images to the correct hypervisor type. For VMware images, set the hypervisor
type to vmware. Other valid hypervisor types include: xen, qemu, lxc, uml, and hyperv.
Note that qemu is used for both QEMU and KVM hypervisor types.
$ glance image-create --name "ubuntu-thick-scsi" --disk-format vmdk \
--container-format bare \
--property vmware_adaptertype="lsiLogic" \
--property vmware_disktype="preallocated" \
--property hypervisor_type="vmware" \
--property vmware_ostype="ubuntu64Guest" < ubuntuLTS-flat.vmdk


Optimize images
Monolithic Sparse disks are considerably faster to download but have the overhead of
an additional conversion step. When imported into ESX, sparse disks get converted to
VMFS flat thin provisioned disks. The download and conversion steps only affect the first
launched instance that uses the sparse disk image. The converted disk image is cached, so
subsequent instances that use this disk image can simply use the cached version.
To avoid the conversion step (at the cost of longer download times) consider converting
sparse disks to thin provisioned or preallocated disks before loading them into the OpenStack Image Service.
Use one of the following tools to pre-convert sparse disks.
vSphere CLI tools

Sometimes called the remote CLI or rCLI.
Assuming that the sparse disk is made available on a data store accessible by an ESX host, the following command converts it to preallocated format:
vmkfstools --server=ip_of_some_ESX_host -i /vmfs/volumes/datastore1/sparse.vmdk /vmfs/volumes/datastore1/converted.vmdk

Note that the vifs tool from the same CLI package can be used to upload the disk to be converted. The vifs tool can also be used to download the converted disk if necessary.

vmkfstools directly on the ESX host

If the SSH service is enabled on an ESX host, the sparse disk can be uploaded to the ESX data store through scp and the vmkfstools local to the ESX host can be used to perform the conversion. After you log in to the host through ssh, run this command:
vmkfstools -i /vmfs/volumes/datastore1/sparse.vmdk /vmfs/volumes/datastore1/converted.vmdk

vmware-vdiskmanager

vmware-vdiskmanager is a utility that comes bundled with VMware Fusion and VMware Workstation.
The following example converts a sparse disk to preallocated format:
'/Applications/VMware Fusion.app/Contents/Library/vmware-vdiskmanager' -r sparse.vmdk -t 4 converted.vmdk

In the previous cases, the converted vmdk is actually a pair of files:


The descriptor file converted.vmdk.
The actual virtual disk data file converted-flat.vmdk.
The file to be uploaded to the OpenStack Image Service is converted-flat.vmdk.

Image handling
The ESX hypervisor requires a copy of the VMDK file in order to boot up a virtual machine.
As a result, the vCenter OpenStack Compute driver must download the VMDK via HTTP
from the OpenStack Image Service to a data store that is visible to the hypervisor. To optimize this process, the first time a VMDK file is used, it gets cached in the data store. Subsequent virtual machines that need the VMDK use the cached version and don't have to copy
the file again from the OpenStack Image Service.
Even with a cached VMDK, there is still a copy operation from the cache location to the
hypervisor file directory in the shared data store. To avoid this copy, boot the image in
linked_clone mode. To learn how to enable this mode, see the section called Configuration reference [199].

Note
You can also use the vmware_linked_clone property in the OpenStack Image Service to override the linked_clone mode on a per-image basis.
You can automatically purge unused images after a specified period of time. To configure
this action, set these options in the DEFAULT section in the nova.conf file:
remove_unused_base_images
Set this parameter to True to specify that unused images should be removed after the duration specified in the remove_unused_original_minimum_age_seconds parameter. The default is True.
remove_unused_original_minimum_age_seconds
Specifies the duration in seconds after which an unused image is purged from the cache. The default is 86400 (24 hours).

Networking with VMware vSphere


The VMware driver supports networking with the nova-network service or the OpenStack Networking Service. Depending on your installation, complete these configuration
steps before you provision VMs:
The nova-network service with the FlatManager or FlatDHCPManager. Create a port
group with the same name as the flat_network_bridge value in the nova.conf
file. The default value is br100. If you specify another value, the new value must be a
valid Linux bridge identifier that adheres to Linux bridge naming conventions.
All VM NICs are attached to this port group.
Ensure that the flat interface of the node that runs the nova-network service has a
path to this network.

Note
When configuring the port binding for this port group in vCenter, specify
ephemeral for the port binding type. For more information, see Choosing a
port binding type in ESX/ESXi in the VMware Knowledge Base.


The nova-network service with the VlanManager. Set the vlan_interface configuration option to match the ESX host interface that handles VLAN-tagged VM traffic.
OpenStack Compute automatically creates the corresponding port groups.
If you are using the OpenStack Networking Service: Before provisioning VMs, create
a port group with the same name as the vmware.integration_bridge value in
nova.conf (default is br-int). All VM NICs are attached to this port group for management by the OpenStack Networking plug-in.

Volumes with VMware vSphere


The VMware driver supports attaching volumes from the OpenStack Block Storage service.
The VMware VMDK driver for OpenStack Block Storage is recommended and should be
used for managing volumes based on vSphere data stores. For more information about the
VMware VMDK driver, see VMware VMDK Driver. Also an iSCSI volume driver provides limited support and can be used only for attachments.

vSphere 5.0 and earlier additional set up


Users of vSphere 5.0 or earlier must host their WSDL files locally. These steps are applicable for vCenter 5.0 or ESXi 5.0 and you can either mirror the WSDL from the vCenter or ESXi server that you intend to use or you can download the SDK directly from VMware. These
workaround steps fix a known issue with the WSDL that was resolved in later versions.
When setting the VMwareVCDriver configuration options, you must include the
wsdl_location option. For more information, see VMwareVCDriver configuration options above.

Procedure 2.1. To mirror WSDL from vCenter (or ESXi)


1.

Set the VMWAREAPI_IP shell variable to the IP address for your vCenter or ESXi host
from where you plan to mirror files. For example:
$ export VMWAREAPI_IP=<your_vsphere_host_ip>

2.

Create a local file system directory to hold the WSDL files:


$ mkdir -p /opt/stack/vmware/wsdl/5.0

3.

Change into the new directory.


$ cd /opt/stack/vmware/wsdl/5.0

4.

Use your OS-specific tools to install a command-line tool that can download files like
wget.

5.

Download the files to the local file cache:


wget --no-check-certificate https://$VMWAREAPI_IP/sdk/vimService.wsdl
wget --no-check-certificate https://$VMWAREAPI_IP/sdk/vim.wsdl
wget --no-check-certificate https://$VMWAREAPI_IP/sdk/core-types.xsd
wget --no-check-certificate https://$VMWAREAPI_IP/sdk/query-messagetypes.xsd
wget --no-check-certificate https://$VMWAREAPI_IP/sdk/query-types.xsd
wget --no-check-certificate https://$VMWAREAPI_IP/sdk/vim-messagetypes.xsd
wget --no-check-certificate https://$VMWAREAPI_IP/sdk/vim-types.xsd
wget --no-check-certificate https://$VMWAREAPI_IP/sdk/reflect-messagetypes.xsd
wget --no-check-certificate https://$VMWAREAPI_IP/sdk/reflect-types.xsd

Because the reflect-types.xsd and reflect-messagetypes.xsd files do not
fetch properly, you must stub out these files. Use the following XML listing to replace
the missing file content. The XML parser underneath Python can be very particular and
if you put a space in the wrong place, it can break the parser. Copy the following contents and formatting carefully.
<?xml version="1.0" encoding="UTF-8"?>
<schema
targetNamespace="urn:reflect"
xmlns="http://www.w3.org/2001/XMLSchema"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
elementFormDefault="qualified">
</schema>

6.

Now that the files are locally present, tell the driver to look for the SOAP service WSDLs
in the local file system and not on the remote vSphere server. Add the following setting to the nova.conf file for your nova-compute node:
[vmware]
wsdl_location=file:///opt/stack/vmware/wsdl/5.0/vimService.wsdl

Alternatively, download the version-appropriate SDK from http://www.vmware.com/support/developer/vc-sdk/
and copy it to the /opt/stack/vmware directory. Make sure
that the WSDL is available, for example in /opt/stack/vmware/SDK/wsdl/vim25/vimService.wsdl.
You must point nova.conf to fetch this WSDL file from the local file
system by using a URL.
When using the VMwareVCDriver (vCenter) with OpenStack Compute with vSphere version
5.0 or earlier, nova.conf must include the following extra config option:
[vmware]
wsdl_location=file:///opt/stack/vmware/SDK/wsdl/vim25/vimService.wsdl
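
An added example, not from the original guide: because the files in step 5 are fetched with --no-check-certificate, this check treats the mirror as untrusted input and confirms that all nine files are present and well-formed, contain no DTD, and import only files inside the mirror directory. The stand-in WSDL contents and the function names are constructed for illustration.

```python
import os
import tempfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# File names from the wget list in step 5; the last two are the stubbed ones.
EXPECTED = ("vimService.wsdl", "vim.wsdl", "core-types.xsd",
            "query-messagetypes.xsd", "query-types.xsd",
            "vim-messagetypes.xsd", "vim-types.xsd",
            "reflect-messagetypes.xsd", "reflect-types.xsd")
STUBBED = EXPECTED[-2:]

# The stub schema from step 5. Nothing may precede the XML declaration.
STUB = (b'<?xml version="1.0" encoding="UTF-8"?>\n'
        b'<schema\n'
        b'targetNamespace="urn:reflect"\n'
        b'xmlns="http://www.w3.org/2001/XMLSchema"\n'
        b'xmlns:xsd="http://www.w3.org/2001/XMLSchema"\n'
        b'elementFormDefault="qualified">\n'
        b'</schema>\n')

# Constructed stand-ins for the fetched files (not VMware's real WSDL).
XSD = b'<schema xmlns="http://www.w3.org/2001/XMLSchema"/>\n'
SAMPLE_FILES = {
    "vimService.wsdl": b'<definitions xmlns="http://schemas.xmlsoap.org/wsdl/">'
                       b'<import namespace="urn:vim25" location="vim.wsdl"/>'
                       b'</definitions>\n',
    "vim.wsdl": b'<definitions xmlns="http://schemas.xmlsoap.org/wsdl/"><types>'
                b'<schema xmlns="http://www.w3.org/2001/XMLSchema">'
                b'<include schemaLocation="vim-messagetypes.xsd"/>'
                b'</schema></types></definitions>\n',
}


def write_files(directory, files):
    for name, data in files.items():
        with open(os.path.join(directory, name), "wb") as handle:
            handle.write(data)


def build_sample_mirror(directory):
    """Write constructed copies of the seven files that fetch properly."""
    files = {name: XSD for name in EXPECTED if name not in STUBBED}
    files.update(SAMPLE_FILES)
    write_files(directory, files)


def write_stubs(directory):
    """Create the two reflect-*.xsd stub files."""
    write_files(directory, {name: STUB for name in STUBBED})


def check_mirror(directory):
    """Return a list of problems found in a local WSDL mirror."""
    problems = []
    for name in EXPECTED:
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            problems.append("%s: missing" % name)
            continue
        with open(path, "rb") as handle:
            data = handle.read()
        # Refuse DTDs and entity declarations before parsing untrusted XML.
        if b"<!DOCTYPE" in data or b"<!ENTITY" in data:
            problems.append("%s: contains a DTD" % name)
            continue
        try:
            root = ET.fromstring(data)
        except ET.ParseError as exc:
            problems.append("%s: not well-formed (%s)" % (name, exc))
            continue
        # Only import/include elements pull in other documents.
        for element in root.iter():
            if element.tag.rsplit("}", 1)[-1] not in ("import", "include"):
                continue
            target = element.get("location") or element.get("schemaLocation")
            if not target:
                continue
            if urlparse(target).scheme:
                problems.append("%s: imports remote %s" % (name, target))
            elif not os.path.isfile(os.path.join(directory, target)):
                problems.append("%s: imports missing %s" % (name, target))
    return problems


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as mirror:
        build_sample_mirror(mirror)
        print(check_mirror(mirror))  # the two stub files are still missing
        write_stubs(mirror)
        print(check_mirror(mirror))
```

Run check_mirror against the real mirror directory before setting wsdl_location; an empty list means the driver will load only the local copies.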

Configuration reference
To customize the VMware driver, use the configuration option settings documented in Table 2.58, Description of VMware configuration options [258].

Hyper-V virtualization platform


It is possible to use Hyper-V as a compute node within an OpenStack Deployment. The nova-compute service runs as "openstack-compute," a 32-bit service directly upon the Windows platform with the Hyper-V role enabled. The necessary Python components as well
as the nova-compute service are installed directly onto the Windows platform. Windows
Clustering Services are not needed for functionality within the OpenStack infrastructure.
The use of the Windows Server 2012 platform is recommended for the best experience and is
the platform for active development. The following Windows platforms have been tested
as compute nodes:
Windows Server 2008r2
Both Server and Server Core with the Hyper-V role enabled (Shared Nothing Live migration is not supported using 2008r2)
Windows Server 2012
Server and Core (with the Hyper-V role enabled), and Hyper-V Server

Hyper-V configuration
The following sections discuss how to prepare the Windows Hyper-V node for operation
as an OpenStack compute node. Unless stated otherwise, any configuration information
should work for both the Windows 2008r2 and 2012 platforms.
Local Storage Considerations
The Hyper-V compute node needs to have ample storage for storing the virtual machine images running on the compute nodes. You may use a single volume for all, or partition it into an OS volume and VM volume. It is up to the individual deploying to decide.

Configure NTP
Network time services must be configured to ensure proper operation of the Hyper-V compute node. To set network time on your Hyper-V host you must run the following commands:
C:\>net stop w32time
C:\>w32tm /config /manualpeerlist:pool.ntp.org,0x8 /syncfromflags:MANUAL
C:\>net start w32time

Configure Hyper-V virtual switching


Information regarding the Hyper-V virtual Switch can be located here: http://technet.microsoft.com/en-us/library/hh831823.aspx
To quickly enable an interface to be used as a Virtual Interface the following PowerShell
may be used:
PS C:\>$if = Get-NetIPAddress -IPAddress 192* | Get-NetIPInterface
PS C:\>New-VMSwitch -NetAdapterName $if.ifAlias -Name yourbridgename -AllowManagementOS $false

Enable iSCSI initiator service


To prepare the Hyper-V node to be able to attach to volumes provided by cinder you must
first make sure the Windows iSCSI initiator service is running and started automatically.

C:\>sc start MSiSCSI


C:\>sc config MSiSCSI start="auto"

Configure shared nothing live migration


Detailed information on the configuration of live migration can be found here: http://technet.microsoft.com/en-us/library/jj134199.aspx
The following outlines the steps of shared nothing live migration.
1. The target host ensures that live migration is enabled and properly configured in Hyper-V.
2. The target host checks if the image to be migrated requires a base VHD and pulls it
from the Image Service if not already available on the target host.
3. The source host ensures that live migration is enabled and properly configured in Hyper-V.
4. The source host initiates a Hyper-V live migration.
5. The source host communicates to the manager the outcome of the operation.
The following two configuration options/flags are needed in order to support Hyper-V live
migration and must be added to your nova.conf on the Hyper-V compute node:
instances_shared_storage=False
This is needed to support "shared nothing" Hyper-V live migrations. It is used in nova/compute/manager.py
limit_cpu_features=True
This flag is needed to support live migration to hosts with different CPU features. This
flag is checked during instance creation in order to limit the CPU features used by the
VM.
instances_path=DRIVELETTER:\PATH\TO\YOUR\INSTANCES
Additional Requirements:
Hyper-V 2012 RC or Windows Server 2012 RC with Hyper-V role enabled
A Windows domain controller with the Hyper-V compute nodes as domain members
The instances_path command-line option/flag needs to be the same on all hosts.
The openstack-compute service deployed with the setup must run with domain credentials. You can set the service credentials with:
C:\>sc config openstack-compute obj="DOMAIN\username" password="password"

How to setup live migration on Hyper-V


To enable 'shared nothing live' migration, run the 3 PowerShell instructions below on each
Hyper-V host:

PS C:\>Enable-VMMigration
PS C:\>Set-VMMigrationNetwork IP_ADDRESS
PS C:\>Set-VMHost -VirtualMachineMigrationAuthenticationType Kerberos

Note
Please replace the IP_ADDRESS with the address of the interface which will provide the virtual switching for nova-network.
Additional Reading
Here's an article that clarifies the various live migration options in Hyper-V:
http://ariessysadmin.blogspot.ro/2012/04/hyper-v-live-migration-of-windows.html

Python Requirements
Python
Python 2.7.3 must be installed prior to installing the OpenStack Compute Driver on the Hyper-V server. Download and then install the MSI for Windows here:
http://www.python.org/ftp/python/2.7.3/python-2.7.3.msi
Install the MSI accepting the default options.
The installation will put python in C:/python27.
Setuptools
You will require pip to install the necessary python module dependencies. The installer will
install under the C:\python27 directory structure. Setuptools for Python 2.7 for Windows
can be downloaded from here:
http://pypi.python.org/packages/2.7/s/setuptools/setuptools-0.6c11.win32-py2.7.exe
Python Dependencies
You must download and manually install the following packages on the Compute node:
MySQL-python
http://codegood.com/download/10/
pywin32
Download and run the installer from the following location
http://sourceforge.net/projects/pywin32/files/pywin32/Build%20217/pywin32-217.win32-py2.7.exe
greenlet
Select the link below:
http://www.lfd.uci.edu/~gohlke/pythonlibs/


You must scroll to the greenlet section for the following file: greenlet-0.4.0.win32-py2.7.exe
Click on the file to initiate the download. Once the download is complete, run the installer.
You must install the following Python packages through easy_install or pip. Run the following command, replacing PACKAGE_NAME with each of the following packages:
C:\>c:\Python27\Scripts\pip.exe install PACKAGE_NAME

amqplib
anyjson
distribute
eventlet
httplib2
iso8601
jsonschema
kombu
netaddr
paste
paste-deploy
prettytable
python-cinderclient
python-glanceclient
python-keystoneclient
repoze.lru
routes
sqlalchemy
simplejson
warlock
webob
wmi


Install Nova-compute
Using git on Windows to retrieve source
Git can be used to download the necessary source code. The installer to run Git on Windows
can be downloaded here:
http://code.google.com/p/msysgit/downloads/list?q=full+installer+official+git
Download the latest installer. Once the download is complete, double-click the installer and
follow the prompts in the installation wizard. The default should be acceptable for the
needs of the document.
Once installed you may run the following to clone the Nova code.
C:\>git.exe clone https://github.com/openstack/nova.git

Configure Nova.conf
The nova.conf file must be placed in C:\etc\nova for running OpenStack on Hyper-V.
Below is a sample nova.conf for Windows:
[DEFAULT]
verbose=true
force_raw_images=false
auth_strategy=keystone
fake_network=true
vswitch_name=openstack-br
logdir=c:\openstack\
state_path=c:\openstack\
lock_path=c:\openstack\
instances_path=e:\Hyper-V\instances
policy_file=C:\Program Files (x86)\OpenStack\nova\etc\nova\policy.json
api_paste_config=c:\openstack\nova\etc\nova\api-paste.ini
rabbit_host=IP_ADDRESS
image_service=nova.image.glance.GlanceImageService
instances_shared_storage=false
limit_cpu_features=true
compute_driver=nova.virt.hyperv.driver.HyperVDriver
volume_api_class=nova.volume.cinder.API
[glance]
api_servers=IP_ADDRESS:9292
[database]
connection=mysql://nova:passwd@IP_ADDRESS/nova

Table 2.31, Description of HyperV configuration options [243] contains a reference of
all options for hyper-v.

Prepare images for use with Hyper-V


Hyper-V currently supports only the VHD file format for virtual machine instances. Detailed
instructions for installing virtual machines on Hyper-V can be found here:
http://technet.microsoft.com/en-us/library/cc772480.aspx
Once you have successfully created a virtual machine, you can then upload the image to
glance using the native glance-client:
C:\>glance image-create --name "VM_IMAGE_NAME" --is-public False --container-format bare --disk-format vhd

Run Compute with Hyper-V


To start the nova-compute service, run this command from a console in the Windows
server:
C:\>C:\python27\python.exe c:\nova\bin\nova-compute.py

Troubleshoot Hyper-V configuration


I ran the nova-manage service list command from my controller; however, I'm
not seeing smiley faces for Hyper-V compute nodes, what do I do?
Verify that you are synchronized with a network time source. For instructions about
how to configure NTP on your Hyper-V compute node, see the section called Configure
NTP [200].

Baremetal driver
The baremetal driver is a hypervisor driver for OpenStack Nova Compute. Within the OpenStack framework, it has the same role as the drivers for other hypervisors (libvirt, xen, etc),
and yet it is presently unique in that the hardware is not virtualized - there is no hypervisor
between the tenants and the physical hardware. It exposes hardware through the OpenStack APIs, using pluggable sub-drivers to deliver machine imaging (PXE) and power control
(IPMI). With this, provisioning and management of physical hardware is accomplished by
using common cloud APIs and tools, such as the Orchestration module (heat) or salt-cloud.
However, due to this unique situation, using the baremetal driver requires some additional
preparation of its environment, the details of which are beyond the scope of this guide.

Note
Some OpenStack Compute features are not implemented by the baremetal hypervisor driver. See the hypervisor support matrix for details.
For the Baremetal driver to be loaded and function properly, ensure that the following options are set in /etc/nova/nova.conf on your nova-compute hosts.
[DEFAULT]
compute_driver=nova.virt.baremetal.driver.BareMetalDriver
firewall_driver = nova.virt.firewall.NoopFirewallDriver
scheduler_host_manager=nova.scheduler.baremetal_host_manager.BaremetalHostManager
ram_allocation_ratio=1.0
reserved_host_memory_mb=0

Many configuration options are specific to the Baremetal driver. Also, some additional
steps are required, such as building the baremetal deploy ramdisk. See the main wiki page
for details and implementation suggestions.
To customize the Baremetal driver, use the configuration option settings documented in
Table 2.17, Description of baremetal configuration options [235].
Scheduling
Compute uses the nova-scheduler service to determine how to dispatch compute and
volume requests. For example, the nova-scheduler service determines on which host a
VM should launch. In the context of filters, the term host means a physical node that has a
nova-compute service running on it. You can configure the scheduler through a variety of
options.
Compute is configured with the following default scheduler options in the /etc/nova/nova.conf file:
scheduler_driver=nova.scheduler.multi.MultiScheduler
scheduler_driver_task_period = 60
scheduler_driver = nova.scheduler.filter_scheduler.FilterScheduler
scheduler_available_filters = nova.scheduler.filters.all_filters
scheduler_default_filters = RetryFilter, AvailabilityZoneFilter, RamFilter,
ComputeFilter, ComputeCapabilitiesFilter, ImagePropertiesFilter,
ServerGroupAntiAffinityFilter, ServerGroupAffinityFilter

By default, the scheduler_driver is configured as a filter scheduler, as described in the
next section. In the default configuration, this scheduler considers hosts that meet all the
following criteria:
Have not been attempted for scheduling purposes (RetryFilter).
Are in the requested availability zone (AvailabilityZoneFilter).
Have sufficient RAM available (RamFilter).
Can service the request (ComputeFilter).
Satisfy the extra specs associated with the instance type (ComputeCapabilitiesFilter).
Satisfy any architecture, hypervisor type, or virtual machine mode properties specified on
the instance's image properties (ImagePropertiesFilter).
Are on a different host than other instances of a group (if requested) (ServerGroupAntiAffinityFilter).
Are in a set of group hosts (if requested) (ServerGroupAffinityFilter).
The scheduler caches its list of available hosts; use the
scheduler_driver_task_period option to specify how often the list is updated.

Note
Do not configure service_down_time to be much smaller than
scheduler_driver_task_period; otherwise, hosts appear to be dead
while the host list is being cached.
For information about the volume scheduler, see the Block Storage section of OpenStack
Cloud Administrator Guide.
The scheduler chooses a new host when an instance is migrated.


When evacuating instances from a host, the scheduler service does not pick the next host.
Instances are evacuated to the host explicitly defined by the administrator. For information
about instance evacuation, see Evacuate instances section of the OpenStack Cloud Administrator Guide.

Filter scheduler
The filter scheduler (nova.scheduler.filter_scheduler.FilterScheduler) is
the default scheduler for scheduling virtual machine instances. It supports filtering and
weighting to make informed decisions on where a new instance should be created.

Filters
When the filter scheduler receives a request for a resource, it first applies filters to determine which hosts are eligible for consideration when dispatching a resource. Filters are binary: either a host is accepted by the filter, or it is rejected. Hosts that are accepted by the
filter are then processed by a different algorithm to decide which hosts to use for that request, described in the Weights section.

Figure 2.2. Filtering

The scheduler_available_filters configuration option in nova.conf provides the Compute service with the list of the filters that are used by the scheduler. The default setting specifies all of the filters that are included with the Compute service:
scheduler_available_filters = nova.scheduler.filters.all_filters

This configuration option can be specified multiple times. For example, if you implemented your own custom filter in Python called myfilter.MyFilter and you wanted to use
both the built-in filters and your custom filter, your nova.conf file would contain:
scheduler_available_filters = nova.scheduler.filters.all_filters
scheduler_available_filters = myfilter.MyFilter

The scheduler_default_filters configuration option in nova.conf defines the list
of filters that are applied by the nova-scheduler service. The default filters are:
scheduler_default_filters = RetryFilter, AvailabilityZoneFilter, RamFilter,
ComputeFilter, ComputeCapabilitiesFilter, ImagePropertiesFilter,
ServerGroupAntiAffinityFilter, ServerGroupAffinityFilter

The following sections describe the available filters.

AggregateCoreFilter
Filters host by CPU core numbers with a per-aggregate cpu_allocation_ratio value. If
the per-aggregate value is not found, the value falls back to the global setting. If the host
is in more than one aggregate and more than one value is found, the minimum value will
be used. For information about how to use this filter, see the section called Host aggregates [219]. See also the section called CoreFilter [210].

AggregateDiskFilter
Filters host by disk allocation with a per-aggregate disk_allocation_ratio value. If
the per-aggregate value is not found, the value falls back to the global setting. If the host
is in more than one aggregate and more than one value is found, the minimum value will
be used. For information about how to use this filter, see the section called Host aggregates [219]. See also the section called DiskFilter [211].

AggregateImagePropertiesIsolation
Matches properties defined in an image's metadata against those of aggregates to determine host matches:
If a host belongs to an aggregate and the aggregate defines one or more metadata that
matches an image's properties, that host is a candidate to boot the image's instance.
If a host does not belong to any aggregate, it can boot instances from all images.
For example, the following aggregate MyWinAgg has the Windows operating system as
metadata (named 'windows'):
$ nova aggregate-details MyWinAgg
+----+----------+-------------------+------------+---------------+
| Id | Name     | Availability Zone | Hosts      | Metadata      |
+----+----------+-------------------+------------+---------------+
| 1  | MyWinAgg | None              | 'sf-devel' | 'os=windows'  |
+----+----------+-------------------+------------+---------------+

In this example, because the following Win-2012 image has the windows property, it boots
on the sf-devel host (all other filters being equal):
$ glance image-show Win-2012
+------------------+--------------------------------------+
| Property         | Value                                |
+------------------+--------------------------------------+
| Property 'os'    | windows                              |
| checksum         | f8a2eeee2dc65b3d9b6e63678955bd83     |
| container_format | ami                                  |
| created_at       | 2013-11-14T13:24:25                  |
| ...

You can configure the AggregateImagePropertiesIsolation filter by using the following options in the nova.conf file:
# Considers only keys matching the given namespace (string).
aggregate_image_properties_isolation_namespace = <None>
# Separator used between the namespace and keys (string).
aggregate_image_properties_isolation_separator = .

AggregateInstanceExtraSpecsFilter
Matches properties defined in extra specs for an instance type against admin-defined properties on a host aggregate. Works with specifications that are scoped with
aggregate_instance_extra_specs. For backward compatibility, also works with non-scoped specifications; this action is highly discouraged because it conflicts with the ComputeCapabilitiesFilter filter when you enable both filters. For information about how to use this filter, see the host aggregates section.

AggregateIoOpsFilter
Filters host by disk allocation with a per-aggregate max_io_ops_per_host value. If the
per-aggregate value is not found, the value falls back to the global setting. If the host is
in more than one aggregate and more than one value is found, the minimum value will
be used. For information about how to use this filter, see the section called Host aggregates [219]. See also the section called IoOpsFilter [213].

AggregateMultiTenancyIsolation
Isolates tenants to specific host aggregates. If a host is in an aggregate that has the
filter_tenant_id metadata key, the host creates instances from only that tenant or
list of tenants. A host can be in different aggregates. If a host does not belong to an aggregate with the metadata key, the host can create instances from all tenants.

AggregateNumInstancesFilter
Filters host by number of instances with a per-aggregate max_instances_per_host value. If the per-aggregate value is not found, the value falls back to the global setting. If the
host is in more than one aggregate and thus more than one value is found, the minimum
value will be used. For information about how to use this filter, see the section called Host
aggregates [219]. See also the section called NumInstancesFilter [214].

AggregateRamFilter
Filters host by RAM allocation of instances with a per-aggregate
ram_allocation_ratio value. If the per-aggregate value is not found, the value falls
back to the global setting. If the host is in more than one aggregate and thus more than
one value is found, the minimum value will be used. For information about how to use this
filter, see the section called Host aggregates [219]. See also the section called RamFilter [214].

AggregateTypeAffinityFilter
Filters host by per-aggregate instance_type value. For information about how to use
this filter, see the section called Host aggregates [219]. See also the section called TypeAffinityFilter [216].

AllHostsFilter
This is a no-op filter. It does not eliminate any of the available hosts.

AvailabilityZoneFilter
Filters hosts by availability zone. You must enable this filter for the scheduler to respect
availability zones in requests.

ComputeCapabilitiesFilter
Matches properties defined in extra specs for an instance type against compute capabilities.
If an extra specs key contains a colon (:), anything before the colon is treated as a namespace and anything after the colon is treated as the key to be matched. If a namespace
is present and is not capabilities, the filter ignores the namespace. For backward
compatibility, also treats the extra specs key as the key to be matched if no namespace is
present; this action is highly discouraged because it conflicts with AggregateInstanceExtraSpecsFilter filter when you enable both filters.

ComputeFilter
Passes all hosts that are operational and enabled.
In general, you should always enable this filter.

CoreFilter
Only schedules instances on hosts if sufficient CPU cores are available. If this filter is not set,
the scheduler might over-provision a host based on cores. For example, the virtual cores
running on an instance may exceed the physical cores.
You can configure this filter to enable a fixed amount of vCPU overcommitment by using
the cpu_allocation_ratio configuration option in nova.conf. The default setting is:
cpu_allocation_ratio = 16.0

With this setting, if 8 vCPUs are on a node, the scheduler allows instances up to 128 vCPU
to be run on that node.
To disallow vCPU overcommitment set:
cpu_allocation_ratio = 1.0

Note
The Compute API always returns the actual number of CPU cores available on
a compute node regardless of the value of the cpu_allocation_ratio configuration key. As a result, changes to the cpu_allocation_ratio are not
reflected via the command line clients or the dashboard. Changes to this configuration key are only taken into account internally in the scheduler.

DifferentHostFilter
Schedules the instance on a different host from a set of instances. To take advantage of
this filter, the requester must pass a scheduler hint, using different_host as the key and
a list of instance UUIDs as the value. This filter is the opposite of the SameHostFilter. Using the nova command-line tool, use the --hint flag. For example:
$ nova boot --image cedef40a-ed67-4d10-800e-17455edce175 --flavor 1 \
--hint different_host=a0cf03a5-d921-4877-bb5c-86d26cf818e1 \
--hint different_host=8c19174f-4220-44f0-824a-cd1eeef10287 server-1

With the API, use the os:scheduler_hints key. For example:


{
    "server": {
        "name": "server-1",
        "imageRef": "cedef40a-ed67-4d10-800e-17455edce175",
        "flavorRef": "1"
    },
    "os:scheduler_hints": {
        "different_host": [
            "a0cf03a5-d921-4877-bb5c-86d26cf818e1",
            "8c19174f-4220-44f0-824a-cd1eeef10287"
        ]
    }
}

DiskFilter
Only schedules instances on hosts if there is sufficient disk space available for root and
ephemeral storage.
You can configure this filter to enable a fixed amount of disk overcommitment by using the
disk_allocation_ratio configuration option in nova.conf. The default setting is:
disk_allocation_ratio = 1.0

Adjusting this value to greater than 1.0 enables scheduling instances while over committing disk resources on the node. This might be desirable if you use an image format that is
sparse or copy on write so that each virtual instance does not require a 1:1 allocation of virtual disk to physical storage.

GroupAffinityFilter
Note
This filter is deprecated in favor of ServerGroupAffinityFilter.
The GroupAffinityFilter ensures that an instance is scheduled on to a host from a set of
group hosts. To take advantage of this filter, the requester must pass a scheduler hint, using group as the key and an arbitrary name as the value. Using the nova command-line
tool, use the --hint flag. For example:
$ nova boot --image IMAGE_ID --flavor 1 --hint group=foo server-1

This filter should not be enabled at the same time as GroupAntiAffinityFilter or neither filter will work properly.

GroupAntiAffinityFilter
Note
This filter is deprecated in favor of ServerGroupAntiAffinityFilter.
The GroupAntiAffinityFilter ensures that each instance in a group is on a different host.
To take advantage of this filter, the requester must pass a scheduler hint, using group as
the key and an arbitrary name as the value. Using the nova command-line tool, use the --hint flag. For example:
$ nova boot --image IMAGE_ID --flavor 1 --hint group=foo server-1

This filter should not be enabled at the same time as GroupAffinityFilter or neither filter will
work properly.

ImagePropertiesFilter
Filters hosts based on properties defined on the instance's image. It passes hosts that can
support the specified image properties contained in the instance. Properties include the architecture, hypervisor type, and virtual machine mode. For example, an instance might require a host that runs an ARM-based processor and QEMU as the hypervisor. An image can
be decorated with these properties by using:
$ glance image-update img-uuid --property architecture=arm --property hypervisor_type=qemu

The image properties that the filter checks for are:


architecture: Architecture describes the machine architecture required by the image.
Examples are i686, x86_64, arm, and ppc64.
hypervisor_type: Hypervisor type describes the hypervisor required by the image. Examples are xen, qemu, and xenapi. Note that qemu is used for both QEMU and KVM hypervisor types.
vm_mode: Virtual machine mode describes the hypervisor application binary interface
(ABI) required by the image. Examples are 'xen' for Xen 3.0 paravirtual ABI, 'hvm' for native ABI, 'uml' for User Mode Linux paravirtual ABI, and 'exe' for container virt executable ABI.

IsolatedHostsFilter
Allows the admin to define a special (isolated) set of images and a special
(isolated) set of hosts, such that the isolated images can only run on the isolated hosts, and the isolated hosts can only run isolated images. The flag
restrict_isolated_hosts_to_isolated_images can be used to force isolated
hosts to only run isolated images.
The admin must specify the isolated set of images and hosts in the nova.conf file using
the isolated_hosts and isolated_images configuration options. For example:
isolated_hosts = server1, server2
isolated_images = 342b492c-128f-4a42-8d3a-c5088cf27d13, ebd267a6-ca86-4d6c-9a0e-bd132d6b7d09

IoOpsFilter
The IoOpsFilter filters hosts by concurrent I/O operations on it. Hosts with too many concurrent I/O operations will be filtered out. The max_io_ops_per_host option specifies
the maximum number of I/O intensive instances allowed to run on a host. A host will be
ignored by the scheduler if more than max_io_ops_per_host instances in build, resize,
snapshot, migrate, rescue or unshelve task states are running on it.

JsonFilter
The JsonFilter allows a user to construct a custom filter by passing a scheduler hint in JSON
format. The following operators are supported:
=
<
>
in
<=
>=
not
or
and
The filter supports the following variables:
$free_ram_mb
$free_disk_mb
$total_usable_ram_mb
$vcpus_total
$vcpus_used
Using the nova command-line tool, use the --hint flag:


$ nova boot --image 827d564a-e636-4fc4-a376-d36f7ebe1747 \
--flavor 1 --hint query='[">=","$free_ram_mb",1024]' server1

With the API, use the os:scheduler_hints key:


{
    "server": {
        "name": "server-1",
        "imageRef": "cedef40a-ed67-4d10-800e-17455edce175",
        "flavorRef": "1"
    },
    "os:scheduler_hints": {
        "query": "[\">=\",\"$free_ram_mb\",1024]"
    }
}
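
A scheduler hint is caller-supplied input, so a query evaluator should dispatch through a fixed operator table and an allowlist of variables rather than evaluate arbitrary expressions. The following is an added example, not Compute's own JsonFilter code: the function names, the depth limit, the single-operand rule for not and the sample host states are assumptions made for illustration.

```python
import json
import operator

# Variables listed in the JsonFilter section; anything else is rejected.
ALLOWED_VARIABLES = frozenset([
    "$free_ram_mb", "$free_disk_mb", "$total_usable_ram_mb",
    "$vcpus_total", "$vcpus_used",
])
MAX_DEPTH = 16  # assumed bound on nesting, not a Compute setting


class QueryError(ValueError):
    """The hint is not a well-formed query."""


def _compare(op):
    # True when the first argument compares successfully with all the others.
    def run(args):
        return len(args) >= 2 and all(op(args[0], other) for other in args[1:])
    return run


def _membership(args):
    return len(args) >= 2 and args[0] in args[1:]


def _negate(args):
    # Simplification (assumption): exactly one operand, one boolean result.
    if len(args) != 1:
        raise QueryError("'not' takes exactly one argument")
    return not args[0]


# Fixed dispatch table for the nine operators listed above.
OPERATORS = {
    "=": _compare(operator.eq), "<": _compare(operator.lt),
    ">": _compare(operator.gt), "<=": _compare(operator.le),
    ">=": _compare(operator.ge), "in": _membership,
    "not": _negate, "or": any, "and": all,
}


def _evaluate(node, host_state, depth=0):
    if depth > MAX_DEPTH:
        raise QueryError("query nested too deeply")
    if isinstance(node, str) and node.startswith("$"):
        if node not in ALLOWED_VARIABLES:
            raise QueryError("unknown variable: %s" % node)
        return host_state[node[1:]]
    if not isinstance(node, list):
        return node  # literal number, string, boolean or null
    if not node or not isinstance(node[0], str) or node[0] not in OPERATORS:
        raise QueryError("unsupported operator in %r" % (node[:1],))
    args = [_evaluate(arg, host_state, depth + 1) for arg in node[1:]]
    try:
        return bool(OPERATORS[node[0]](args))
    except TypeError as exc:  # for example, ordering a string against a number
        raise QueryError("operands cannot be compared: %s" % exc)


def host_passes(hint, host_state):
    """Evaluate one scheduler hint (JSON text) against one host's state."""
    try:
        query = json.loads(hint)
    except ValueError as exc:
        raise QueryError("hint is not valid JSON: %s" % exc)
    if not isinstance(query, list):
        raise QueryError("top-level query must be a list")
    return _evaluate(query, host_state)


def filter_hosts(hint, hosts):
    """Names of the hosts that pass the hint, in sorted order."""
    return sorted(name for name, state in hosts.items()
                  if host_passes(hint, state))


# Constructed host states for illustration.
HOSTS = {
    "node-a": {"free_ram_mb": 512, "free_disk_mb": 204800,
               "total_usable_ram_mb": 16384, "vcpus_total": 8, "vcpus_used": 8},
    "node-b": {"free_ram_mb": 4096, "free_disk_mb": 51200,
               "total_usable_ram_mb": 32768, "vcpus_total": 16, "vcpus_used": 4},
}

if __name__ == "__main__":
    print(filter_hosts('[">=","$free_ram_mb",1024]', HOSTS))
```

The hint value must itself be JSON text: the operator and the variable are quoted strings inside the list, and a hint that is not valid JSON is rejected before any host is examined.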

MetricsFilter
Filters hosts based on metrics weight_setting. Only hosts with the available metrics are
passed so that the metrics weigher will not fail due to these hosts.

NumInstancesFilter
Hosts that have more instances running than specified by the
max_instances_per_host option are filtered out when this filter is in place.

PciPassthroughFilter
The filter schedules instances on a host if the host has devices that meet the device requests
in the extra_specs attribute for the flavor.

RamFilter
Only schedules instances on hosts that have sufficient RAM available. If this filter is not set,
the scheduler may over provision a host based on RAM (for example, the RAM allocated by
virtual machine instances may exceed the physical RAM).
You can configure this filter to enable a fixed amount of RAM overcommitment by using
the ram_allocation_ratio configuration option in nova.conf. The default setting is:
ram_allocation_ratio = 1.5

This setting enables 1.5GB instances to run on any compute node with 1GB of free RAM.

RetryFilter
Filters out hosts that have already been attempted for scheduling purposes. If the scheduler
selects a host to respond to a service request, and the host fails to respond to the request,
this filter prevents the scheduler from retrying that host for the service request.
This filter is only useful if the scheduler_max_attempts configuration option is set to a
value greater than zero.
SameHostFilter
Schedules the instance on the same host as another instance in a set of instances. To take
advantage of this filter, the requester must pass a scheduler hint, using same_host as the
key and a list of instance UUIDs as the value. This filter is the opposite of the DifferentHostFilter. Using the nova command-line tool, use the --hint flag:
$ nova boot --image cedef40a-ed67-4d10-800e-17455edce175 --flavor 1 \
--hint same_host=a0cf03a5-d921-4877-bb5c-86d26cf818e1 \
--hint same_host=8c19174f-4220-44f0-824a-cd1eeef10287 server-1

With the API, use the os:scheduler_hints key:


{
    "server": {
        "name": "server-1",
        "imageRef": "cedef40a-ed67-4d10-800e-17455edce175",
        "flavorRef": "1"
    },
    "os:scheduler_hints": {
        "same_host": [
            "a0cf03a5-d921-4877-bb5c-86d26cf818e1",
            "8c19174f-4220-44f0-824a-cd1eeef10287"
        ]
    }
}

ServerGroupAffinityFilter
The ServerGroupAffinityFilter ensures that an instance is scheduled on to a host from a set
of group hosts. To take advantage of this filter, the requester must create a server group
with an affinity policy, and pass a scheduler hint, using group as the key and the server
group UUID as the value. Using the nova command-line tool, use the --hint flag. For example:
$ nova server-group-create --policy affinity group-1
$ nova boot --image IMAGE_ID --flavor 1 --hint group=SERVER_GROUP_UUID server-1

ServerGroupAntiAffinityFilter
The ServerGroupAntiAffinityFilter ensures that each instance in a group is on a different
host. To take advantage of this filter, the requester must create a server group with an anti-affinity policy, and pass a scheduler hint, using group as the key and the server
group UUID as the value. Using the nova command-line tool, use the --hint flag. For example:
$ nova server-group-create --policy anti-affinity group-1
$ nova boot --image IMAGE_ID --flavor 1 --hint group=SERVER_GROUP_UUID server-1

SimpleCIDRAffinityFilter
Schedules the instance based on host IP subnet range. To take advantage of this filter, the
requester must specify a range of valid IP address in CIDR format, by passing two scheduler
hints:
build_near_host_ip    The first IP address in the subnet (for example, 192.168.1.1)
cidr                  The CIDR that corresponds to the subnet (for example, /24)

Using the nova command-line tool, use the --hint flag. For example, to specify the IP subnet 192.168.1.1/24:
$ nova boot --image cedef40a-ed67-4d10-800e-17455edce175 --flavor 1 \
--hint build_near_host_ip=192.168.1.1 --hint cidr=/24 server-1

With the API, use the os:scheduler_hints key:


{
    "server": {
        "name": "server-1",
        "imageRef": "cedef40a-ed67-4d10-800e-17455edce175",
        "flavorRef": "1"
    },
    "os:scheduler_hints": {
        "build_near_host_ip": "192.168.1.1",
        "cidr": "/24"
    }
}

TrustedFilter
Filters hosts based on their trust. Only passes hosts that meet the trust requirements specified in the instance properties.

TypeAffinityFilter
Dynamically limits hosts to one instance type. An instance can only be launched on a host
if no instances of a different instance type are running on it, or if the host has no running
instances at all.
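
Several of the filter descriptions above carry interaction notes: GroupAffinityFilter and GroupAntiAffinityFilter must not be enabled together, non-scoped extra specs conflict when both AggregateInstanceExtraSpecsFilter and ComputeCapabilitiesFilter are enabled, AvailabilityZoneFilter and ComputeFilter are expected to be on, and service_down_time should not be much smaller than scheduler_driver_task_period. The following added example (not part of OpenStack) checks a nova.conf for them; the finding codes, the two constructed sample files, the 60-second fallbacks and the "below the period" threshold are assumptions.

```python
import configparser

# Default list shown under "Scheduling" above; used when the option is unset.
DEFAULT_FILTERS = (
    "RetryFilter, AvailabilityZoneFilter, RamFilter, ComputeFilter, "
    "ComputeCapabilitiesFilter, ImagePropertiesFilter, "
    "ServerGroupAntiAffinityFilter, ServerGroupAffinityFilter"
)

# (filter, filter, finding code, reason taken from the filter descriptions)
CONFLICTS = [
    ("GroupAffinityFilter", "GroupAntiAffinityFilter", "group-filters-conflict",
     "enabled together, neither filter works properly"),
    ("AggregateInstanceExtraSpecsFilter", "ComputeCapabilitiesFilter",
     "unscoped-extra-specs-conflict",
     "non-scoped extra specs are matched by both filters; scope every key"),
]
DEPRECATED = {
    "GroupAffinityFilter": "ServerGroupAffinityFilter",
    "GroupAntiAffinityFilter": "ServerGroupAntiAffinityFilter",
}
EXPECTED = {
    "AvailabilityZoneFilter": "availability zones in requests are not respected",
    "ComputeFilter": "hosts that are down or disabled are not excluded",
}

# Constructed sample files for illustration.
WEAK_CONF = """\
[DEFAULT]
scheduler_driver_task_period = 60
service_down_time = 20
scheduler_default_filters = RetryFilter, RamFilter, GroupAffinityFilter,
    GroupAntiAffinityFilter, ComputeCapabilitiesFilter,
    AggregateInstanceExtraSpecsFilter
"""

FIXED_CONF = """\
[DEFAULT]
scheduler_driver_task_period = 60
service_down_time = 60
scheduler_default_filters = RetryFilter, AvailabilityZoneFilter, RamFilter,
    ComputeFilter, ComputeCapabilitiesFilter, ImagePropertiesFilter,
    ServerGroupAntiAffinityFilter, ServerGroupAffinityFilter
"""


def audit(text):
    """Return [(code, message)] for a nova.conf given as text."""
    conf = configparser.ConfigParser(strict=False, interpolation=None)
    conf.read_string(text)
    raw = conf.get("DEFAULT", "scheduler_default_filters",
                   fallback=DEFAULT_FILTERS)
    # Continuation lines arrive joined with newlines; treat them like commas.
    enabled = {name.strip() for name in raw.replace("\n", ",").split(",")
               if name.strip()}
    findings = []
    for first, second, code, reason in CONFLICTS:
        if first in enabled and second in enabled:
            findings.append((code, "%s + %s: %s" % (first, second, reason)))
    for name in sorted(DEPRECATED):
        if name in enabled:
            findings.append(("deprecated:" + name,
                             "deprecated in favor of " + DEPRECATED[name]))
    for name in sorted(EXPECTED):
        if name not in enabled:
            findings.append(("missing:" + name, EXPECTED[name]))
    # Assumed fallback of 60 seconds for both options when unset. The note
    # says "much smaller"; this check flags any value below the period.
    period = conf.getint("DEFAULT", "scheduler_driver_task_period", fallback=60)
    down = conf.getint("DEFAULT", "service_down_time", fallback=60)
    if down < period:
        findings.append(("service-down-time",
                         "service_down_time=%d is below "
                         "scheduler_driver_task_period=%d; hosts can appear "
                         "dead while the host list is cached" % (down, period)))
    return findings


if __name__ == "__main__":
    for code, message in audit(WEAK_CONF):
        print("%-32s %s" % (code, message))
```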

Weights
When resourcing instances, the filter scheduler filters and weights each host in the list of
acceptable hosts. Each time the scheduler selects a host, it virtually consumes resources on
it, and subsequent selections are adjusted accordingly. This process is useful when the customer asks for a large number of identical instances, because the weight is computed for each
requested instance.
All weights are normalized before being summed up; the host with the largest weight is
given the highest priority.

Figure 2.3. Weighting hosts

If cells are used, cells are weighted by the scheduler in the same manner as hosts.
Hosts and cells are weighted based on the following options in the /etc/nova/nova.conf file:

Table 2.9. Host weighting options

| Section | Option | Description |
|---|---|---|
| [DEFAULT] | ram_weight_multiplier | By default, the scheduler spreads instances across all hosts evenly. Set the ram_weight_multiplier option to a negative number if you prefer stacking instead of spreading. Use a floating-point value. |
| [DEFAULT] | scheduler_host_subset_size | New instances are scheduled on a host that is chosen randomly from a subset of the N best hosts. This property defines the subset size from which a host is chosen. A value of 1 chooses the first host returned by the weighting functions. This value must be at least 1. A value less than 1 is ignored, and 1 is used instead. Use an integer value. |
| [DEFAULT] | scheduler_weight_classes | Defaults to nova.scheduler.weights.all_weighers, which selects the RamWeigher. Hosts are then weighted and sorted with the largest weight winning. |
| [metrics] | weight_multiplier | Multiplier for weighting metrics. Use a floating-point value. |
| [metrics] | weight_setting | Determines how metrics are weighted. Use a comma-separated list of metricName=ratio. For example: "name1=1.0, name2=-1.0" results in: name1.value * 1.0 + name2.value * -1.0 |
| [metrics] | required | Specifies how to treat unavailable metrics. True: Raises an exception. To avoid the raised exception, you should use the scheduler filter MetricsFilter to filter out hosts with unavailable metrics. False: Treated as a negative factor in the weighting process (uses the weight_of_unavailable option). |
| [metrics] | weight_of_unavailable | If required is set to False, and any one of the metrics set by weight_setting is unavailable, the weight_of_unavailable value is returned to the scheduler. |

For example:
[DEFAULT]
scheduler_host_subset_size = 1
scheduler_weight_classes = nova.scheduler.weights.all_weighers
ram_weight_multiplier = 1.0
[metrics]
weight_multiplier = 1.0
weight_setting = name1=1.0, name2=-1.0
required = false
weight_of_unavailable = -10000.0
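
The following added example (not Compute's own code) works through the sample settings above: each weigher's raw values are normalized across the candidate hosts, multiplied and summed, and the chosen host's RAM is consumed before the next instance is placed. Min-max scaling as the normalization scheme, the function names and the sample hosts are assumptions made for illustration.

```python
import copy
import random

# Values from the sample [DEFAULT] and [metrics] settings above.
CONF = {
    "scheduler_host_subset_size": 1,
    "ram_weight_multiplier": 1.0,
    "weight_multiplier": 1.0,
    "weight_setting": "name1=1.0, name2=-1.0",
    "required": False,
    "weight_of_unavailable": -10000.0,
}

# Constructed sample hosts; host3 does not report metric name2.
HOSTS = {
    "host1": {"free_ram_mb": 8192, "metrics": {"name1": 2.0, "name2": 1.0}},
    "host2": {"free_ram_mb": 4096, "metrics": {"name1": 5.0, "name2": 1.0}},
    "host3": {"free_ram_mb": 16384, "metrics": {"name1": 3.0}},
}


def parse_weight_setting(text):
    """'name1=1.0, name2=-1.0' -> {'name1': 1.0, 'name2': -1.0}."""
    ratios = {}
    for item in text.split(","):
        name, sep, ratio = item.strip().partition("=")
        if not sep or not name:
            raise ValueError("expected metricName=ratio, got %r" % item)
        ratios[name.strip()] = float(ratio)
    return ratios


def normalize(values):
    """Assumed scheme: min-max scaling to [0, 1]; equal inputs all map to 0."""
    if not values:
        return []
    low, high = min(values), max(values)
    if low == high:
        return [0.0] * len(values)
    return [(value - low) / (high - low) for value in values]


def metrics_weight(metrics, conf):
    """Weighted sum from weight_setting, or the unavailable-metric fallback."""
    total = 0.0
    for name, ratio in parse_weight_setting(conf["weight_setting"]).items():
        if name not in metrics:
            if conf["required"]:
                raise LookupError("metric %s is unavailable" % name)
            return conf["weight_of_unavailable"]
        total += metrics[name] * ratio
    return total


def weigh_hosts(hosts, conf):
    """Return [(host, weight)] with the largest weight first."""
    names = sorted(hosts)
    ram = normalize([hosts[n]["free_ram_mb"] for n in names])
    met = normalize([metrics_weight(hosts[n]["metrics"], conf) for n in names])
    totals = [conf["ram_weight_multiplier"] * r + conf["weight_multiplier"] * m
              for r, m in zip(ram, met)]
    return sorted(zip(names, totals), key=lambda pair: (-pair[1], pair[0]))


def place(count, ram_mb, hosts, conf, rng=None):
    """Place `count` instances, consuming RAM on the chosen host each time."""
    rng = rng or random.Random(0)
    state = copy.deepcopy(hosts)
    chosen = []
    for _ in range(count):
        fits = {n: h for n, h in state.items() if h["free_ram_mb"] >= ram_mb}
        if not fits:
            break
        # A subset size below 1 is ignored and 1 is used instead.
        size = max(1, conf["scheduler_host_subset_size"])
        best = [name for name, _weight in weigh_hosts(fits, conf)[:size]]
        host = rng.choice(best)
        state[host]["free_ram_mb"] -= ram_mb
        chosen.append(host)
    return chosen


if __name__ == "__main__":
    print(weigh_hosts(HOSTS, CONF))
```

Under this model the -10000.0 fallback for host3 is scaled into the same 0 to 1 range as every other metric weight, so it costs that host at most one weight_multiplier and can be offset by its RAM weight.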

Table 2.10. Cell weighting options

| Section | Option | Description |
|---|---|---|
| [cells] | mute_weight_multiplier | Multiplier to weight mute children (hosts which have not sent capacity or capacity updates for some time). Use a negative, floating-point value. |
| [cells] | mute_weight_value | Weight value assigned to mute children. Use a positive, floating-point value with a maximum of '1.0'. |
| [cells] | offset_weight_multiplier | Multiplier to weight cells, so you can specify a preferred cell. Use a floating-point value. |
| [cells] | ram_weight_multiplier | By default, the scheduler spreads instances across all cells evenly. Set the ram_weight_multiplier option to a negative number if you prefer stacking instead of spreading. Use a floating-point value. |
| [cells] | scheduler_weight_classes | Defaults to nova.cells.weights.all_weighers, which maps to all cell weighers included with Compute. Cells are then weighted and sorted with the largest weight winning. |

For example:
[cells]
scheduler_weight_classes = nova.cells.weights.all_weighers
mute_weight_multiplier = -10.0
mute_weight_value = 1000.0
ram_weight_multiplier = 1.0
offset_weight_multiplier = 1.0

Chance scheduler
As an administrator, you work with the filter scheduler. However, the Compute service also
uses the Chance Scheduler, nova.scheduler.chance.ChanceScheduler, which randomly selects from lists of filtered hosts.
Host aggregates
Host aggregates are a mechanism to further partition an availability zone; while availability zones are visible to users, host aggregates are only visible to administrators. Host Aggregates provide a mechanism to allow administrators to assign key-value pairs to groups of
machines. Each node can have multiple aggregates, each aggregate can have multiple key-value pairs, and the same key-value pair can be assigned to multiple aggregates. This information can be used in the scheduler to enable advanced scheduling, to set up hypervisor resource pools or to define logical groups for migration.

Command-line interface
The nova command-line tool supports the following aggregate-related commands.
nova aggregate-list
    Print a list of all aggregates.

nova aggregate-create <name> <availability-zone>
    Create a new aggregate named <name> in availability zone <availability-zone>. Returns the ID of the newly created aggregate. Hosts can be made available to multiple availability zones, but administrators should be careful when adding the host to a different host aggregate within the same availability zone and pay attention when using the aggregate-set-metadata and aggregate-update commands to avoid user confusion when they boot instances in different availability zones. An error occurs if you cannot add a particular host to an aggregate zone for which it is not intended.

nova aggregate-delete <id>
    Delete an aggregate with id <id>.

nova aggregate-details <id>
    Show details of the aggregate with id <id>.

nova aggregate-add-host <id> <host>
    Add host with name <host> to aggregate with id <id>.

nova aggregate-remove-host <id> <host>
    Remove the host with name <host> from the aggregate with id <id>.

nova aggregate-set-metadata <id> <key=value> [<key=value> ...]
    Add or update metadata (key-value pairs) associated with the aggregate with id <id>.

nova aggregate-update <id> <name> [<availability_zone>]
    Update the name and availability zone (optional) for the aggregate.

nova host-list
    List all hosts by service.

nova host-update --maintenance [enable | disable]
    Put/resume host into/from maintenance.


Note
Only administrators can access these commands. If you try to use these commands and the user name and tenant that you use to access the Compute service do not have the admin role or the appropriate privileges, these errors occur:
ERROR: Policy doesn't allow compute_extension:aggregates to be performed. (HTTP 403) (Request-ID: req-299fbff6-6729-4cef-93b2-e7e1f96b4864)
ERROR: Policy doesn't allow compute_extension:hosts to be performed. (HTTP 403) (Request-ID: req-ef2400f6-6776-4ea3-b6f1-7704085c27d1)

Configure scheduler to support host aggregates


One common use case for host aggregates is when you want to support scheduling instances to a subset of compute hosts because they have a specific capability. For example,
you may want to allow users to request compute hosts that have SSD drives if they need access to faster disk I/O, or access to compute hosts that have GPU cards to take advantage
of GPU-accelerated code.
To configure the scheduler to support host aggregates, the
scheduler_default_filters configuration option must contain the AggregateInstanceExtraSpecsFilter in addition to the other filters used by the scheduler. Add
the following line to /etc/nova/nova.conf on the host that runs the nova-scheduler service to enable host aggregates filtering, as well as the other filters that are typically enabled:
scheduler_default_filters=AggregateInstanceExtraSpecsFilter,RetryFilter,AvailabilityZoneFilter,RamFilter,ComputeFilter,ComputeCapabilitiesFilter,ImagePropertiesFilter,ServerGroupAntiAffinityFilter,ServerGroupAffinityFilter

Example: Specify compute hosts with SSDs


This example configures the Compute service to enable users to request nodes that have
solid-state drives (SSDs). You create a fast-io host aggregate in the nova availability zone and you add the ssd=true key-value pair to the aggregate. Then, you add the
node1 and node2 compute nodes to it.
$ nova aggregate-create fast-io nova
+----+---------+-------------------+-------+----------+
| Id | Name    | Availability Zone | Hosts | Metadata |
+----+---------+-------------------+-------+----------+
| 1  | fast-io | nova              |       |          |
+----+---------+-------------------+-------+----------+
$ nova aggregate-set-metadata 1 ssd=true
+----+---------+-------------------+-------+-------------------+
| Id | Name    | Availability Zone | Hosts | Metadata          |
+----+---------+-------------------+-------+-------------------+
| 1  | fast-io | nova              | []    | {u'ssd': u'true'} |
+----+---------+-------------------+-------+-------------------+
$ nova aggregate-add-host 1 node1
+----+---------+-------------------+------------+-------------------+
| Id | Name    | Availability Zone | Hosts      | Metadata          |
+----+---------+-------------------+------------+-------------------+
| 1  | fast-io | nova              | [u'node1'] | {u'ssd': u'true'} |
+----+---------+-------------------+------------+-------------------+
$ nova aggregate-add-host 1 node2
+----+---------+-------------------+----------------------+-------------------+
| Id | Name    | Availability Zone | Hosts                | Metadata          |
+----+---------+-------------------+----------------------+-------------------+
| 1  | fast-io | nova              | [u'node1', u'node2'] | {u'ssd': u'true'} |
+----+---------+-------------------+----------------------+-------------------+

Use the nova flavor-create command to create a flavor called ssd.large with an ID of
6, 8GB of RAM, 80GB root disk, and four vCPUs.
$ nova flavor-create ssd.large 6 8192 80 4
+----+-----------+-----------+------+-----------+------+-------+-------------+-----------+-------------+
| ID | Name      | Memory_MB | Disk | Ephemeral | Swap | VCPUs | RXTX_Factor | Is_Public | extra_specs |
+----+-----------+-----------+------+-----------+------+-------+-------------+-----------+-------------+
| 6  | ssd.large | 8192      | 80   | 0         |      | 4     | 1           | True      | {}          |
+----+-----------+-----------+------+-----------+------+-------+-------------+-----------+-------------+

Once the flavor is created, specify one or more key-value pairs that match the key-value
pairs on the host aggregates. In this case, that is the ssd=true key-value pair. Setting a
key-value pair on a flavor is done using the nova flavor-key command.
$ nova flavor-key ssd.large set ssd=true

Once it is set, you should see the extra_specs property of the ssd.large flavor populated with a key of ssd and a corresponding value of true.
$ nova flavor-show ssd.large
+----------------------------+-------------------+
| Property                   | Value             |
+----------------------------+-------------------+
| OS-FLV-DISABLED:disabled   | False             |
| OS-FLV-EXT-DATA:ephemeral  | 0                 |
| disk                       | 80                |
| extra_specs                | {u'ssd': u'true'} |
| id                         | 6                 |
| name                       | ssd.large         |
| os-flavor-access:is_public | True              |
| ram                        | 8192              |
| rxtx_factor                | 1.0               |
| swap                       |                   |
| vcpus                      | 4                 |
+----------------------------+-------------------+

Now, when a user requests an instance with the ssd.large flavor, the scheduler only
considers hosts with the ssd=true key-value pair. In this example, these are node1 and
node2.

XenServer hypervisor pools to support live migration


When using the XenAPI-based hypervisor, the Compute service uses host aggregates to
manage XenServer Resource pools, which are used in supporting live migration.

Configuration reference
To customize the Compute scheduler, use the configuration option settings documented in
Table 2.51, Description of scheduler configuration options [254].

Cells
Cells functionality enables you to scale an OpenStack Compute cloud in a more distributed
fashion without having to use complicated technologies like database and message queue
clustering. It supports very large deployments.
When this functionality is enabled, the hosts in an OpenStack Compute cloud are partitioned into groups called cells. Cells are configured as a tree. The top-level cell should
have a host that runs a nova-api service, but no nova-compute services. Each child cell
should run all of the typical nova-* services in a regular Compute cloud except for nova-api. You can think of cells as a normal Compute deployment in that each cell has its
own database server and message queue broker.
The nova-cells service handles communication between cells and selects cells for new
instances. This service is required for every cell. Communication between cells is pluggable,
and currently the only option is communication through RPC.
Cells scheduling is separate from host scheduling. nova-cells first picks a cell. Once a cell
is selected and the new build request reaches its nova-cells service, it is sent over to the
host scheduler in that cell and the build proceeds as it would have without cells.

Warning
Cell functionality is currently considered experimental.

Cell configuration options


Cells are disabled by default. All cell-related configuration options appear in the [cells]
section in nova.conf. The following cell-related options are currently supported:
enable
    Set to True to turn on cell functionality. Default is false.

name
    Name of the current cell. Must be unique for each cell.

capabilities
    List of arbitrary key=value pairs defining capabilities of the current cell. Values include hypervisor=xenserver;kvm,os=linux;windows.

call_timeout
    How long in seconds to wait for replies from calls between cells.

scheduler_filter_classes
    Filter classes that the cells scheduler should use. By default, uses "nova.cells.filters.all_filters" to map to all cells filters included with Compute.

scheduler_weight_classes
    Weight classes that the scheduler for cells uses. By default, uses nova.cells.weights.all_weighers to map to all cells weight algorithms included with Compute.

ram_weight_multiplier
    Multiplier used to weight RAM. Negative numbers indicate that Compute should stack VMs on one host instead of spreading out new VMs to more hosts in the cell. The default value is 10.0.

Configure the API (top-level) cell


The compute API class must be changed in the API cell so that requests can be proxied
through nova-cells down to the correct cell properly. Add the following line to nova.conf
in the API cell:
[DEFAULT]
compute_api_class=nova.compute.cells_api.ComputeCellsAPI
...
[cells]
enable=True
name=api

Configure the child cells


Add the following lines to nova.conf in the child cells, replacing cell1 with the name of
each cell:
[DEFAULT]
# Disable quota checking in child cells. Let API cell do it exclusively.
quota_driver=nova.quota.NoopQuotaDriver
[cells]
enable=True
name=cell1

Configure the database in each cell


Before bringing the services online, the database in each cell needs to be configured with
information about related cells. In particular, the API cell needs to know about its immediate children, and the child cells must know about their immediate agents. The information
needed is the RabbitMQ server credentials for the particular cell.
Use the nova-manage cell create command to add this information to the database in each
cell:
# nova-manage cell create -h
Options:
  -h, --help            show this help message and exit
  --name=<name>         Name for the new cell
  --cell_type=<parent|child>
                        Whether the cell is a parent or child
  --username=<username>
                        Username for the message broker in this cell
  --password=<password>
                        Password for the message broker in this cell
  --hostname=<hostname>
                        Address of the message broker in this cell
  --port=<number>       Port number of the message broker in this cell
  --virtual_host=<virtual_host>
                        The virtual host of the message broker in this cell
  --woffset=<float>     (weight offset) It might be used by some cell
                        scheduling code in the future
  --wscale=<float>      (weight scale) It might be used by some cell
                        scheduling code in the future

As an example, assume an API cell named api and a child cell named cell1.
Within the api cell, specify the following RabbitMQ server information:
rabbit_host=10.0.0.10
rabbit_port=5672
rabbit_username=api_user
rabbit_password=api_passwd
rabbit_virtual_host=api_vhost

Within the cell1 child cell, specify the following RabbitMQ server information:
rabbit_host=10.0.1.10
rabbit_port=5673
rabbit_username=cell1_user
rabbit_password=cell1_passwd
rabbit_virtual_host=cell1_vhost

You can run this in the API cell as root:


# nova-manage cell create --name cell1 --cell_type child \
--username cell1_user --password cell1_passwd --hostname 10.0.1.10 \
--port 5673 --virtual_host cell1_vhost --woffset 1.0 --wscale 1.0

Repeat the previous steps for all child cells.


In the child cell, run the following, as root:
# nova-manage cell create --name api --cell_type parent \
--username api_user --password api_passwd --hostname 10.0.0.10 \
--port 5672 --virtual_host api_vhost --woffset 1.0 --wscale 1.0

To customize the Compute cells, use the configuration option settings documented in Table 2.19, Description of cell configuration options [236].

Cell scheduling configuration


To determine the best cell to use to launch a new instance, Compute uses a set of filters
and weights defined in the /etc/nova/nova.conf file. The following options are available to prioritize cells for scheduling:
scheduler_filter_classes
    List of filter classes. By default nova.cells.filters.all_filters is specified, which maps to all cells filters included with Compute (see the section called Filters [207]).

scheduler_weight_classes
    List of weight classes. By default nova.cells.weights.all_weighers is specified, which maps to all cell weight algorithms included with Compute. The following modules are available:

    mute_child. Downgrades the likelihood that child cells which haven't sent capacity or capability updates in a while are chosen for scheduling requests. Options include mute_weight_multiplier (multiplier for mute children; value should be negative) and mute_weight_value (assigned to mute children; should be a positive value).

    ram_by_instance_type. Select cells with the most RAM capacity for the instance type being requested. Because higher weights win, Compute returns the number of available units for the instance type requested. The ram_weight_multiplier option defaults to 10.0, which adds to the weight by a factor of 10. Use a negative number to stack VMs on one host instead of spreading out new VMs to more hosts in the cell.

    weight_offset. Allows modifying the database to weight a particular cell. You can use this when you want to disable a cell (for example, '0'), or to set a default cell by making its weight_offset very high (for example, '999999999999999'). The cell with the highest weight is the first to be scheduled for launching an instance.

Additionally, the following options are available for the cell scheduler:

scheduler_retries
    Specifies how many times the scheduler tries to launch a new instance when no cells are available (default=10).

scheduler_retry_delay
    Specifies the delay (in seconds) between retries (default=2).

As an admin user, you can also add a filter that directs builds to
a particular cell. The policy.json file must have a line with
"cells_scheduler_filter:TargetCellFilter" : "is_admin:True" to let an
admin user specify a scheduler hint to direct a build to a particular cell.

Optional cell configuration


Cells store all inter-cell communication data, including user names and passwords,
in the database. Because the cells data is not updated very frequently, use the
[cells]cells_config option to specify a JSON file to store cells data. With this configuration, the database is no longer consulted when reloading the cells data. The file must
have columns present in the Cell model (excluding common database fields and the id column).
You must specify the queue connection information through a transport_url
field, instead of username, password, and so on. The transport_url has the following
form:
rabbit://USERNAME:PASSWORD@HOSTNAME:PORT/VIRTUAL_HOST

The scheme can be either qpid or rabbit, as shown previously. The following sample
shows this optional configuration:
{
    "parent": {
        "name": "parent",
        "api_url": "http://api.example.com:8774",
        "transport_url": "rabbit://rabbit.example.com",
        "weight_offset": 0.0,
        "weight_scale": 1.0,
        "is_parent": true
    },
    "cell1": {
        "name": "cell1",
        "api_url": "http://api.example.com:8774",
        "transport_url": "rabbit://rabbit1.example.com",
        "weight_offset": 0.0,
        "weight_scale": 1.0,
        "is_parent": false
    },
    "cell2": {
        "name": "cell2",
        "api_url": "http://api.example.com:8774",
        "transport_url": "rabbit://rabbit2.example.com",
        "weight_offset": 0.0,
        "weight_scale": 1.0,
        "is_parent": false
    }
}
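
An added example (not from the original reference or from nova) that checks a cells_config file against the rules just described: the fields shown in the sample, a rabbit or qpid transport_url instead of separate credential fields, and a file mode that keeps broker passwords away from group and other users. The function names, the legacy-field list (taken from the nova-manage cell create arguments) and the sample entries are assumptions made for this example.

```python
import json
import os
import stat
from urllib.parse import urlsplit

# Fields present in every entry of the sample cells_config file on this page.
REQUIRED_FIELDS = ("name", "api_url", "transport_url",
                   "weight_offset", "weight_scale", "is_parent")
# Connection arguments of "nova-manage cell create"; in the JSON file they
# must be folded into transport_url instead of appearing as separate fields.
LEGACY_FIELDS = ("username", "password", "hostname", "port", "virtual_host")
ALLOWED_SCHEMES = ("rabbit", "qpid")


def redact(transport_url):
    """Return transport_url with any password masked, safe to log."""
    parts = urlsplit(transport_url)
    if parts.password is None:
        return transport_url
    masked = "%s:***@%s" % (parts.username or "",
                            parts.netloc.rpartition("@")[2])
    return parts._replace(netloc=masked).geturl()


def check_cell(key, cell):
    """Return (findings, has_password) for one entry of the file."""
    findings = []
    for field in REQUIRED_FIELDS:
        if field not in cell:
            findings.append((key, "missing field: " + field))
    for field in LEGACY_FIELDS:
        if field in cell:
            findings.append((key, "use transport_url instead of: " + field))
    url = cell.get("transport_url")
    if not isinstance(url, str):
        return findings, False
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        findings.append((key, "unsupported scheme: %r" % parts.scheme))
    if not parts.hostname:
        findings.append((key, "transport_url has no host"))
    try:
        parts.port  # raises ValueError for a non-numeric or out-of-range port
    except ValueError:
        findings.append((key, "transport_url port is not a valid number"))
    return findings, parts.password is not None


def check_cells_config(cells, file_mode=None):
    """Check a parsed cells_config mapping; file_mode is st_mode or None."""
    findings, any_password = [], False
    for key in sorted(cells):
        cell_findings, has_password = check_cell(key, cells[key])
        findings.extend(cell_findings)
        any_password = any_password or has_password
    exposed = stat.S_IRWXG | stat.S_IRWXO
    if any_password and file_mode is not None and file_mode & exposed:
        findings.append(("<file>", "contains broker passwords but mode is %s"
                         % oct(stat.S_IMODE(file_mode))))
    return findings


def check_cells_config_file(path):
    """Load the JSON file named by [cells]cells_config and check it."""
    with open(path) as handle:
        cells = json.load(handle)
    return check_cells_config(cells, os.stat(path).st_mode)


# Constructed sample: cell1 carries this page's example cell1 broker
# credentials in transport_url form; cell2 shows mistakes the checks catch.
SAMPLE = {
    "cell1": {"name": "cell1", "api_url": "http://api.example.com:8774",
              "transport_url":
                  "rabbit://cell1_user:cell1_passwd@10.0.1.10:5673/cell1_vhost",
              "weight_offset": 0.0, "weight_scale": 1.0, "is_parent": False},
    "cell2": {"name": "cell2", "api_url": "http://api.example.com:8774",
              "transport_url": "amqp://rabbit2.example.com",
              "username": "cell2_user",
              "weight_offset": 0.0, "weight_scale": 1.0},
}

if __name__ == "__main__":
    for where, problem in check_cells_config(SAMPLE, file_mode=0o100644):
        print("%s: %s" % (where, problem))
    print(redact(SAMPLE["cell1"]["transport_url"]))
```

Because the file replaces the database as the store for broker credentials, run check_cells_config_file against the deployed path after every change and log only the redact() form of a transport_url.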

Conductor
The nova-conductor service enables OpenStack to function without compute nodes
accessing the database. Conceptually, it implements a new layer on top of nova-compute. It should not be deployed on compute nodes, or else the security benefits of removing database access from nova-compute are negated. Just like other nova services such as
nova-api or nova-scheduler, it can be scaled horizontally. You can run multiple instances
of nova-conductor on different machines as needed for scaling purposes.
The methods exposed by nova-conductor are relatively simple methods used by nova-compute to offload its database operations. Places where nova-compute previously
performed database access are now talking to nova-conductor. However, we have plans
in the medium to long term to move more and more of what is currently in nova-compute up to the nova-conductor layer. The Compute service will start to look like a less
intelligent slave service to nova-conductor. The conductor service will implement long
running complex operations, ensuring forward progress and graceful error handling. This
will be especially beneficial for operations that cross multiple compute nodes, such as migrations or resizes.
To customize the Conductor, use the configuration option settings documented in Table 2.22, Description of conductor configuration options [239].

Example nova.conf configuration files


The following sections describe the configuration options in the nova.conf file. You must
copy the nova.conf file to each compute node. The sample nova.conf files show examples of specific configurations.

Small, private cloud


This example nova.conf file configures a small private cloud with cloud controller services,
database server, and messaging server on the same server. In this case, CONTROLLER_IP
represents the IP address of a central server, BRIDGE_INTERFACE represents the bridge
such as br100, the NETWORK_INTERFACE represents an interface to your VLAN setup,
and passwords are represented as DB_PASSWORD_COMPUTE for your Compute (nova)
database password, and RABBIT PASSWORD represents the password to your message
queue installation.
[DEFAULT]
# LOGS/STATE
verbose=True
logdir=/var/log/nova
state_path=/var/lib/nova
lock_path=/var/lock/nova
rootwrap_config=/etc/nova/rootwrap.conf
# SCHEDULER
compute_scheduler_driver=nova.scheduler.filter_scheduler.FilterScheduler
# VOLUMES
# configured in cinder.conf
# COMPUTE
compute_driver=libvirt.LibvirtDriver
instance_name_template=instance-%08x
api_paste_config=/etc/nova/api-paste.ini
# COMPUTE/APIS: if you have separate configs for separate services
# this flag is required for both nova-api and nova-compute
allow_resize_to_same_host=True
# APIS
osapi_compute_extension=nova.api.openstack.compute.contrib.standard_extensions
ec2_dmz_host=192.168.206.130
s3_host=192.168.206.130
# RABBITMQ
rabbit_host=192.168.206.130
# GLANCE
image_service=nova.image.glance.GlanceImageService
# NETWORK
network_manager=nova.network.manager.FlatDHCPManager
force_dhcp_release=True
dhcpbridge_flagfile=/etc/nova/nova.conf
firewall_driver=nova.virt.libvirt.firewall.IptablesFirewallDriver
# Change my_ip to match each host
my_ip=192.168.206.130
public_interface=eth0
vlan_interface=eth0
flat_network_bridge=br100
flat_interface=eth0
# NOVNC CONSOLE
novncproxy_base_url=http://192.168.206.130:6080/vnc_auto.html
# Change vncserver_proxyclient_address and vncserver_listen to match each compute host
vncserver_proxyclient_address=192.168.206.130
vncserver_listen=192.168.206.130
# AUTHENTICATION
auth_strategy=keystone
[keystone_authtoken]
auth_host = 127.0.0.1
auth_port = 35357
auth_protocol = http
admin_tenant_name = service
admin_user = nova
admin_password = nova
signing_dirname = /tmp/keystone-signing-nova
# GLANCE
[glance]
api_servers=192.168.206.130:9292
# DATABASE
[database]
connection=mysql://nova:[email protected]/nova
# LIBVIRT
[libvirt]
virt_type=qemu

KVM, Flat, MySQL, and Glance, OpenStack or EC2 API


This example nova.conf file, from an internal Rackspace test system, is used for demonstrations.
[DEFAULT]
# LOGS/STATE
verbose=True
logdir=/var/log/nova
state_path=/var/lib/nova
lock_path=/var/lock/nova
rootwrap_config=/etc/nova/rootwrap.conf
# SCHEDULER
compute_scheduler_driver=nova.scheduler.filter_scheduler.FilterScheduler
# VOLUMES
# configured in cinder.conf
# COMPUTE
compute_driver=libvirt.LibvirtDriver
instance_name_template=instance-%08x
api_paste_config=/etc/nova/api-paste.ini
# COMPUTE/APIS: if you have separate configs for separate services
# this flag is required for both nova-api and nova-compute
allow_resize_to_same_host=True
# APIS
osapi_compute_extension=nova.api.openstack.compute.contrib.standard_extensions
ec2_dmz_host=192.168.206.130
s3_host=192.168.206.130
# RABBITMQ
rabbit_host=192.168.206.130
# GLANCE
image_service=nova.image.glance.GlanceImageService
# NETWORK
network_manager=nova.network.manager.FlatDHCPManager
force_dhcp_release=True
dhcpbridge_flagfile=/etc/nova/nova.conf
firewall_driver=nova.virt.libvirt.firewall.IptablesFirewallDriver
# Change my_ip to match each host
my_ip=192.168.206.130
public_interface=eth0
vlan_interface=eth0
flat_network_bridge=br100
flat_interface=eth0
# NOVNC CONSOLE
novncproxy_base_url=http://192.168.206.130:6080/vnc_auto.html
# Change vncserver_proxyclient_address and vncserver_listen to match each compute host
vncserver_proxyclient_address=192.168.206.130
vncserver_listen=192.168.206.130
# AUTHENTICATION
auth_strategy=keystone
[keystone_authtoken]
auth_host = 127.0.0.1
auth_port = 35357
auth_protocol = http
admin_tenant_name = service
admin_user = nova
admin_password = nova
signing_dirname = /tmp/keystone-signing-nova
# GLANCE
[glance]
api_servers=192.168.206.130:9292
# DATABASE
[database]
connection=mysql://nova:[email protected]/nova
# LIBVIRT
[libvirt]
virt_type=qemu


Figure 2.4. KVM, Flat, MySQL, and Glance, OpenStack or EC2 API
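
An added example, not part of the original reference or of nova: a small Python audit of the security-relevant [keystone_authtoken] and use_forwarded_for settings that appear in this reference, run on a constructed file that copies the sample values above and on a constructed hardened counterpart. The function names, the finding texts and the hardened values (host name, password placeholder, signing directory path) are assumptions made for this example.

```python
import configparser

# Constructed sample. The [keystone_authtoken] values are the ones used in
# the sample nova.conf files on this page; use_forwarded_for=True is added
# here (it is not in those files) so that check has something to report.
WEAK_NOVA_CONF = """\
[DEFAULT]
instance_name_template=instance-%08x
auth_strategy=keystone
use_forwarded_for=True

[keystone_authtoken]
auth_host = 127.0.0.1
auth_port = 35357
auth_protocol = http
admin_tenant_name = service
admin_user = nova
admin_password = nova
signing_dirname = /tmp/keystone-signing-nova
"""

# Constructed counterpart. The host name, the password placeholder and the
# signing directory path are assumptions, not values from this page.
HARDENED_NOVA_CONF = """\
[DEFAULT]
instance_name_template=instance-%08x
auth_strategy=keystone

[keystone_authtoken]
identity_uri = https://controller.example.com:35357/
admin_tenant_name = service
admin_user = nova
admin_password = REPLACE_WITH_GENERATED_SECRET
signing_dirname = /var/cache/nova/keystone-signing
"""

AUTH = "keystone_authtoken"
TRUE_VALUES = ("true", "1", "yes", "on")


def load_conf(text):
    """Parse nova.conf text without interpolation or [DEFAULT] inheritance.

    RawConfigParser leaves the literal '%' in instance-%08x alone, and
    renaming default_section makes [DEFAULT] an ordinary section, so its
    keys are not silently visible in [keystone_authtoken] lookups.
    """
    parser = configparser.RawConfigParser(default_section="__unused__",
                                          strict=False)
    parser.read_string(text)
    return parser


def value(parser, section, option):
    """Return the stripped option value, or '' when it is not set."""
    if parser.has_option(section, option):
        return parser.get(section, option).strip()
    return ""


def audit(parser):
    """Return a list of (section, option, finding) tuples."""
    findings = []
    if value(parser, AUTH, "auth_protocol").lower() == "http":
        findings.append((AUTH, "auth_protocol",
                         "admin Identity endpoint is reached over plain HTTP"))
    if value(parser, AUTH, "identity_uri").lower().startswith("http://"):
        findings.append((AUTH, "identity_uri",
                         "admin Identity endpoint is reached over plain HTTP"))
    if value(parser, AUTH, "insecure").lower() in TRUE_VALUES:
        findings.append((AUTH, "insecure",
                         "HTTPS certificate verification is turned off"))
    if value(parser, AUTH, "admin_token"):
        findings.append((AUTH, "admin_token",
                         "deprecated shared secret; use admin_user and "
                         "admin_password"))
    password = value(parser, AUTH, "admin_password")
    if password and password == value(parser, AUTH, "admin_user"):
        findings.append((AUTH, "admin_password",
                         "service password equals the user name"))
    signing = value(parser, AUTH, "signing_dirname")
    if signing == "/tmp" or signing.startswith("/tmp/"):
        findings.append((AUTH, "signing_dirname",
                         "signing directory is under world-writable /tmp"))
    if value(parser, "DEFAULT", "use_forwarded_for").lower() in TRUE_VALUES:
        findings.append(("DEFAULT", "use_forwarded_for",
                         "X-Forwarded-For is trusted; needs a sanitizing proxy"))
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_NOVA_CONF), ("hardened", HARDENED_NOVA_CONF)):
        for section, option, finding in audit(load_conf(text)):
            print("%s: [%s] %s: %s" % (name, section, option, finding))
```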

XenServer, Flat networking, MySQL, and Glance, OpenStack API
This example nova.conf file is from an internal Rackspace test system.
verbose
nodaemon
network_manager=nova.network.manager.FlatManager
image_service=nova.image.glance.GlanceImageService
flat_network_bridge=xenbr0
compute_driver=xenapi.XenAPIDriver
xenapi_connection_url=https://<XenServer IP>
xenapi_connection_username=root
xenapi_connection_password=supersecret
xenapi_image_upload_handler=nova.virt.xenapi.image.glance.GlanceStore
rescue_timeout=86400
use_ipv6=true
# To enable flat_injected, currently only works on Debian-based systems
flat_injected=true
ipv6_backend=account_identifier
ca_path=./nova/CA
# Add the following to your conf file if you're running on Ubuntu Maverick
xenapi_remap_vbd_dev=true
[database]
connection=mysql://root:<password>@127.0.0.1/nova


Figure 2.5. KVM, Flat, MySQL, and Glance, OpenStack or EC2 API

Compute log files


The corresponding log file of each Compute service is stored in the /var/log/nova/ directory of the host on which each service runs.

Table 2.11. Log files used by Compute services

Log file        | Service name (CentOS/Fedora/openSUSE/Red Hat Enterprise Linux/SUSE Linux Enterprise) | Service name (Ubuntu/Debian)
api.log         | openstack-nova-api         | nova-api
cert.log        | openstack-nova-cert        | nova-cert
compute.log     | openstack-nova-compute     | nova-compute
conductor.log   | openstack-nova-conductor   | nova-conductor
consoleauth.log | openstack-nova-consoleauth | nova-consoleauth
network.log     | openstack-nova-network     | nova-network
nova-manage.log | nova-manage                | nova-manage
scheduler.log   | openstack-nova-scheduler   | nova-scheduler

The X509 certificate service (openstack-nova-cert/nova-cert) is only required by the EC2 API to the Compute service.


The nova network service (openstack-nova-network/nova-network) only runs in deployments that are not configured to use the Networking service (neutron).

Compute sample configuration files


nova.conf - configuration options
For a complete list of all available configuration options for each OpenStack Compute service, run bin/nova-<servicename> --help.

Table 2.12. Description of API configuration options

Configuration option = Default value
    Description

[DEFAULT]

api_paste_config = api-paste.ini
    (StrOpt) File name for the paste.deploy config for nova-api

api_rate_limit = False
    (BoolOpt) Whether to use per-user rate limiting for the api. This option is only used by v2 api. Rate limiting is removed from v3 api.

enable_new_services = True
    (BoolOpt) Services to be added to the available pool on create

enabled_apis = ec2, osapi_compute, metadata
    (ListOpt) A list of APIs to enable by default

enabled_ssl_apis =
    (ListOpt) A list of APIs with enabled SSL

instance_name_template = instance-%08x
    (StrOpt) Template string to be used to generate instance names

max_header_line = 16384
    (IntOpt) Maximum line size of message headers to be accepted. max_header_line may need to be increased when using large tokens (typically those generated by the Keystone v3 API with big service catalogs).

multi_instance_display_name_template = %(name)s-%(uuid)s
    (StrOpt) When creating multiple instances with a single request using the os-multiple-create API extension, this template will be used to build the display name for each instance. The benefit is that the instances end up with different hostnames. To restore legacy behavior of every instance having the same name, set this option to "%(name)s". Valid keys for the template are: name, uuid, count.

non_inheritable_image_properties = cache_in_nova, bittorrent
    (ListOpt) These are image properties which a snapshot should not inherit from an instance

null_kernel = nokernel
    (StrOpt) Kernel image that indicates not to use a kernel, but to use a raw disk image instead

osapi_compute_ext_list =
    (ListOpt) Specify list of extensions to load when using osapi_compute_extension option with nova.api.openstack.compute.contrib.select_extensions

osapi_compute_extension = ['nova.api.openstack.compute.contrib.standard_extensions']
    (MultiStrOpt) osapi compute extension to load

osapi_compute_link_prefix = None
    (StrOpt) Base URL that will be presented to users in links to the OpenStack Compute API

osapi_compute_listen = 0.0.0.0
    (StrOpt) The IP address on which the OpenStack API will listen.

osapi_compute_listen_port = 8774
    (IntOpt) The port on which the OpenStack API will listen.

osapi_compute_workers = None
    (IntOpt) Number of workers for OpenStack API service. The default will be the number of CPUs available.

osapi_hide_server_address_states = building
    (ListOpt) List of instance states that should hide network info

servicegroup_driver = db
    (StrOpt) The driver for servicegroup service (valid options are: db, zk, mc)

snapshot_name_template = snapshot-%s
    (StrOpt) Template string to be used to generate snapshot names

tcp_keepidle = 600
    (IntOpt) Sets the value of TCP_KEEPIDLE in seconds for each server socket. Not supported on OS X.

use_forwarded_for = False
    (BoolOpt) Treat X-Forwarded-For as the canonical remote address. Only enable this if you have a sanitizing proxy.

wsgi_default_pool_size = 1000
    (IntOpt) Size of the pool of greenthreads used by wsgi

wsgi_log_format = %(client_ip)s "%(request_line)s" status: %(status_code)s len: %(body_length)s time: %(wall_seconds).7f
    (StrOpt) A python format string that is used as the template to generate log lines. The following values can be formatted into it: client_ip, date_time, request_line, status_code, body_length, wall_seconds.

Table 2.13. Description of API v3 configuration options

Configuration option = Default value
    Description

[osapi_v3]

enabled = False
    (BoolOpt) Whether the V3 API is enabled or not

extensions_blacklist =
    (ListOpt) A list of v3 API extensions to never load. Specify the extension aliases here.

extensions_whitelist =
    (ListOpt) If the list is not empty then a v3 API extension will only be loaded if it exists in this list. Specify the extension aliases here.

Table 2.14. Description of authentication configuration options

Configuration option = Default value
    Description

[DEFAULT]

auth_strategy = keystone
    (StrOpt) The strategy to use for auth: noauth or keystone.

Table2.15.Description of authorization token configuration options


Configuration option = Default value

Description

[keystone_authtoken]
admin_password = None

(StrOpt) Keystone account password

admin_tenant_name = admin

(StrOpt) Keystone service account tenant name to validate


user tokens

admin_token = None

(StrOpt) This option is deprecated and may be removed


in a future release. Single shared secret with the Keystone
configuration used for bootstrapping a Keystone installation, or otherwise bypassing the normal authentication
process. This option should not be used, use `admin_user`
and `admin_password` instead.

admin_user = None

(StrOpt) Keystone account username

auth_admin_prefix =

(StrOpt) Prefix to prepend at the beginning of the path.


Deprecated, use identity_uri.

auth_host = 127.0.0.1

(StrOpt) Host providing the admin Identity API endpoint.


Deprecated, use identity_uri.

auth_port = 35357

(IntOpt) Port of the admin Identity API endpoint. Deprecated, use identity_uri.

auth_protocol = https

(StrOpt) Protocol of the admin Identity API endpoint (http


or https). Deprecated, use identity_uri.

auth_uri = None

(StrOpt) Complete public Identity API endpoint

233

A F T - Ju no -D R A F T - Ju no -D R A F T - Ju no -D RA F T - Ju no -D RA F T - Ju no -D RA F T - Ju no -

OpenStack Configuration Reference

October 7, 2014

juno

Configuration option = Default value

Description

auth_version = None

(StrOpt) API version of the admin Identity API endpoint

cache = None

(StrOpt) Env key for the swift cache

cafile = None

(StrOpt) A PEM encoded Certificate Authority to use when


verifying HTTPs connections. Defaults to system CAs.

certfile = None

(StrOpt) Required if Keystone server requires client certificate

check_revocations_for_cached = False

(BoolOpt) If true, the revocation list will be checked for


cached tokens. This requires that PKI tokens are configured on the Keystone server.

delay_auth_decision = False

(BoolOpt) Do not handle authorization requests within the middleware, but delegate the authorization decision to downstream WSGI components

enforce_token_bind = permissive

(StrOpt) Used to control the use and type of token binding. Can be set to: "disabled" to not check token binding.
"permissive" (default) to validate binding information if
the bind type is of a form known to the server and ignore
it if not. "strict" like "permissive" but if the bind type is unknown the token will be rejected. "required" any form of
token binding is needed to be allowed. Finally the name of
a binding method that must be present in tokens.

hash_algorithms = md5

(ListOpt) Hash algorithms to use for hashing PKI tokens. This may be a single algorithm or multiple. The algorithms are those supported by Python standard hashlib.new(). The hashes will be tried in the order given, so put the preferred one first for performance. The result of the first hash will be stored in the cache. This will typically be set to multiple values only while migrating from a less secure algorithm to a more secure one. Once all the old tokens are expired this option should be set to a single value for better performance.

http_connect_timeout = None

(BoolOpt) Request timeout value for communicating with Identity API server.

http_request_max_retries = 3

(IntOpt) How many times are we trying to reconnect when communicating with Identity API Server.

identity_uri = None

(StrOpt) Complete admin Identity API endpoint. This should specify the unversioned root endpoint e.g. https://localhost:35357/

include_service_catalog = True

(BoolOpt) (optional) indicate whether to set the X-Service-Catalog header. If False, middleware will not ask for service catalog on token validation and will not set the X-Service-Catalog header.

insecure = False

(BoolOpt) Verify HTTPS connections.

keyfile = None

(StrOpt) Required if Keystone server requires client certificate

memcache_secret_key = None

(StrOpt) (optional, mandatory if memcache_security_strategy is defined) this string is used for key derivation.

memcache_security_strategy = None

(StrOpt) (optional) if defined, indicate whether token data should be authenticated or authenticated and encrypted. Acceptable values are MAC or ENCRYPT. If MAC, token data is authenticated (with HMAC) in the cache. If ENCRYPT, token data is encrypted and authenticated in the
cache. If the value is not one of these options or empty,
auth_token will raise an exception on initialization.

revocation_cache_time = 10

(IntOpt) Determines the frequency at which the list of revoked tokens is retrieved from the Identity service (in seconds). A high number of revocation events combined with a low cache duration may significantly reduce performance.

signing_dir = None

(StrOpt) Directory used to cache files related to PKI tokens

token_cache_time = 300

(IntOpt) In order to prevent excessive effort spent validating tokens, the middleware caches previously-seen tokens
for a configurable duration (in seconds). Set to -1 to disable caching completely.
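
An added example, not part of the OpenStack reference: a small auditor for the [keystone_authtoken] options listed in the table above, flagging the settings the descriptions mark as deprecated and the ones that weaken token validation or cache protection. The two sample configurations are constructed; treating `insecure = True` as disabling certificate verification, the `WEAK_HASHES` set and the case-insensitive value matching are assumptions of this example.

```python
import configparser
import hashlib

# Constructed sample inputs; option names come from the [keystone_authtoken] table.
WEAK_CONF = """\
[keystone_authtoken]
auth_host = 127.0.0.1
auth_port = 35357
auth_protocol = http
admin_user = nova
admin_password = constructed-password
admin_token = constructed-shared-secret
insecure = True
hash_algorithms = md5
memcached_servers = 127.0.0.1:11211
"""

HARDENED_CONF = """\
[keystone_authtoken]
identity_uri = https://localhost:35357/
admin_user = nova
admin_password = constructed-password
hash_algorithms = sha256
memcached_servers = 127.0.0.1:11211
memcache_security_strategy = ENCRYPT
memcache_secret_key = constructed-key-material
"""

DEPRECATED_ENDPOINT_OPTS = ("auth_host", "auth_port", "auth_protocol",
                            "auth_admin_prefix")
WEAK_HASHES = {"md5", "sha1"}          # this example's choice, not from the page
TRUE_VALUES = {"1", "true", "yes", "on"}


def audit_authtoken(conf_text):
    """Return sorted (option, finding) pairs for [keystone_authtoken]."""
    # interpolation=None keeps values such as %.16s literal. Renaming the
    # default section stops [DEFAULT] values leaking into other sections.
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   default_section="__unused__")
    cp.read_string(conf_text)
    if not cp.has_section("keystone_authtoken"):
        return []
    sec = cp["keystone_authtoken"]
    findings = []

    def get(name):
        return sec.get(name, "").strip()

    if get("admin_token"):
        findings.append(("admin_token", "deprecated shared secret; use "
                         "admin_user and admin_password instead"))
    # Assumption: insecure = True turns certificate verification off.
    if get("insecure").lower() in TRUE_VALUES:
        findings.append(("insecure", "HTTPS certificates are not verified"))

    identity_uri = get("identity_uri")
    deprecated = [o for o in DEPRECATED_ENDPOINT_OPTS if o in sec]
    if deprecated and not identity_uri:
        findings.append(("identity_uri", "unset; deprecated options in use: "
                         + ", ".join(deprecated)))
    if identity_uri.lower().startswith("http://"):
        findings.append(("identity_uri", "admin endpoint uses plain http"))
    elif not identity_uri and get("auth_protocol").lower() == "http":
        findings.append(("auth_protocol", "admin endpoint uses plain http"))

    # The table gives md5 as the default; the first entry is the cached hash.
    raw = get("hash_algorithms") or "md5"
    algos = [a.strip().lower() for a in raw.split(",") if a.strip()] or ["md5"]
    for algo in algos:
        if algo not in hashlib.algorithms_available:
            findings.append(("hash_algorithms", "unsupported: " + algo))
    if algos[0] in WEAK_HASHES:
        findings.append(("hash_algorithms", "preferred hash is " + algos[0]))
    elif len(algos) > 1:
        findings.append(("hash_algorithms", "several values; keep one once "
                         "old tokens have expired"))

    strategy = get("memcache_security_strategy").upper()
    if strategy and strategy not in ("MAC", "ENCRYPT"):
        findings.append(("memcache_security_strategy",
                         "must be MAC or ENCRYPT"))
    elif strategy and not get("memcache_secret_key"):
        findings.append(("memcache_secret_key", "mandatory when "
                         "memcache_security_strategy is defined"))
    elif not strategy and get("memcached_servers"):
        findings.append(("memcache_security_strategy", "unset; cached token "
                         "data is neither authenticated nor encrypted"))

    if get("enforce_token_bind").lower() == "disabled":
        findings.append(("enforce_token_bind", "token binding not checked"))
    return sorted(findings)


if __name__ == "__main__":
    for option, finding in audit_authtoken(WEAK_CONF):
        print(f"{option}: {finding}")
```
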

Table 2.16. Description of availability zones configuration options


Configuration option = Default value

Description

[DEFAULT]
default_availability_zone = nova

(StrOpt) Default compute node availability_zone

default_schedule_zone = None

(StrOpt) Availability zone to use when user doesn't specify one

internal_service_availability_zone = internal

(StrOpt) The availability_zone to show internal services under

Table 2.17. Description of baremetal configuration options


Configuration option = Default value

Description

[baremetal]
db_backend = sqlalchemy

(StrOpt) The backend to use for bare-metal database

deploy_kernel = None

(StrOpt) Default kernel image ID used in deployment phase

deploy_ramdisk = None

(StrOpt) Default ramdisk image ID used in deployment phase

driver = nova.virt.baremetal.pxe.PXE

(StrOpt) Baremetal driver back-end (pxe or tilera)

flavor_extra_specs =

(ListOpt) A list of additional capabilities corresponding to flavor_extra_specs for this compute host to advertise. Valid entries are name=value pairs. For example, "key1:val1, key2:val2"

ipmi_power_retry = 10

(IntOpt) Maximal number of retries for IPMI operations

net_config_template = $pybasedir/nova/virt/baremetal/net-dhcp.ubuntu.template

(StrOpt) Template file for injected network config

power_manager = nova.virt.baremetal.ipmi.IPMI

(StrOpt) Baremetal power management method

pxe_append_params = nofb nomodeset vga=normal

(StrOpt) Additional append parameters for baremetal PXE boot

pxe_bootfile_name = pxelinux.0

(StrOpt) This gets passed to Neutron as the bootfile dhcp parameter.

pxe_config_template = $pybasedir/nova/virt/baremetal/pxe_config.template

(StrOpt) Template file for PXE configuration

pxe_deploy_timeout = 0

(IntOpt) Timeout for PXE deployments. Default: 0 (unlimited)

pxe_network_config = False

(BoolOpt) If set, pass the network configuration details to the initramfs via cmdline.

sql_connection = sqlite:///$state_path/baremetal_nova.sqlite

(StrOpt) The SQLAlchemy connection string used to connect to the bare-metal database

terminal = shellinaboxd

(StrOpt) Path to baremetal terminal program

terminal_cert_dir = None

(StrOpt) Path to baremetal terminal SSL cert (PEM)

terminal_pid_dir = $state_path/baremetal/console

(StrOpt) Path to the directory that stores pidfiles of baremetal_terminal

tftp_root = /tftpboot

(StrOpt) Baremetal compute node's tftp root path

use_file_injection = False

(BoolOpt) If True, enable file injection for network info, files and admin password

use_unsafe_iscsi = False

(BoolOpt) Do not set this out of dev/test environments. If a node does not have a fixed PXE IP address, volumes are exported with globally opened ACL

vif_driver = nova.virt.baremetal.vif_driver.BareMetalVIFDriver

(StrOpt) Baremetal VIF driver.

virtual_power_host_key = None

(StrOpt) The ssh key for virtual power host_user

virtual_power_host_pass =

(StrOpt) Password for virtual power host_user

virtual_power_host_user =

(StrOpt) User to execute virtual power commands as

virtual_power_ssh_host =

(StrOpt) IP or name to virtual power host

virtual_power_ssh_port = 22

(IntOpt) Port to use for ssh to virtual power host

virtual_power_type = virsh

(StrOpt) Base command to use for virtual power (vbox, virsh)

Table 2.18. Description of CA configuration options


Configuration option = Default value

Description

[DEFAULT]
ca_file = cacert.pem

(StrOpt) Filename of root CA

ca_path = $state_path/CA

(StrOpt) Where we keep our root CA

cert_manager = nova.cert.manager.CertManager

(StrOpt) Full class name for the Manager for cert

cert_topic = cert

(StrOpt) The topic cert nodes listen on

crl_file = crl.pem

(StrOpt) Filename of root Certificate Revocation List

key_file = private/cakey.pem

(StrOpt) Filename of private key

keys_path = $state_path/keys

(StrOpt) Where we keep our keys

project_cert_subject = /C=US/ST=California/O=OpenStack/OU=NovaDev/CN=project-ca-%.16s-%s

(StrOpt) Subject for certificate for projects, %s for project, timestamp

ssl_ca_file = None

(StrOpt) CA certificate file to use to verify connecting clients

ssl_cert_file = None

(StrOpt) SSL certificate of API server

ssl_key_file = None

(StrOpt) SSL private key of API server

use_project_ca = False

(BoolOpt) Should we use a CA for each project?

user_cert_subject = /C=US/ST=California/O=OpenStack/OU=NovaDev/CN=%.16s-%.16s-%s

(StrOpt) Subject for certificate for users, %s for project, user, timestamp

[ssl]
ca_file = None

(StrOpt) CA certificate file to use to verify connecting clients.

cert_file = None

(StrOpt) Certificate file to use when starting the server securely.

key_file = None

(StrOpt) Private key file to use when starting the server securely.

Table 2.19. Description of cell configuration options


Configuration option = Default value

Description

[cells]
call_timeout = 60

(IntOpt) Seconds to wait for response from a call to a cell.

capabilities = hypervisor=xenserver;kvm, os=linux;windows

(ListOpt) Key/Multi-value list with the capabilities of the cell

cell_type = compute

(StrOpt) Type of cell: api or compute

cells_config = None

(StrOpt) Configuration file from which to read cells configuration. If given, overrides reading cells from the
database.

db_check_interval = 60

(IntOpt) Interval, in seconds, for getting fresh cell information from the database.

driver = nova.cells.rpc_driver.CellsRPCDriver

(StrOpt) Cells communication driver to use

enable = False

(BoolOpt) Enable cell functionality

instance_update_num_instances = 1

(IntOpt) Number of instances to update per periodic task run

instance_updated_at_threshold = 3600

(IntOpt) Number of seconds after an instance was updated or deleted to continue to update cells

manager = nova.cells.manager.CellsManager

(StrOpt) Manager for cells

max_hop_count = 10

(IntOpt) Maximum number of hops for cells routing.

mute_child_interval = 300

(IntOpt) Number of seconds after which a lack of capability and capacity updates signals the child cell is to be treated as a mute.

mute_weight_multiplier = -10.0

(FloatOpt) Multiplier used to weigh mute children. (The value should be negative.)

mute_weight_value = 1000.0

(FloatOpt) Weight value assigned to mute children. (The value should be positive.)

name = nova

(StrOpt) Name of this cell

offset_weight_multiplier = 1.0

(FloatOpt) Multiplier used to weigh offset weigher.

reserve_percent = 10.0

(FloatOpt) Percentage of cell capacity to hold in reserve. Affects both memory and disk utilization

topic = cells

(StrOpt) The topic cells nodes listen on

Table 2.20. Description of common configuration options


Configuration option = Default value

Description

[DEFAULT]
bindir = /usr/local/bin

(StrOpt) Directory where nova binaries are installed

compute_topic = compute

(StrOpt) The topic compute nodes listen on

console_topic = console

(StrOpt) The topic console proxy nodes listen on

consoleauth_topic = consoleauth

(StrOpt) The topic console auth proxy nodes listen on

host = localhost

(StrOpt) Name of this node. This can be an opaque identifier. It is not necessarily a hostname, FQDN, or IP address.
However, the node name must be valid within an AMQP
key, and if using ZeroMQ, a valid hostname, FQDN, or IP
address

lock_path = None

(StrOpt) Directory to use for lock files.

memcached_servers = None

(ListOpt) Memcached servers or None for in process cache.

my_ip = 10.0.0.1

(StrOpt) IP address of this host

notify_api_faults = False

(BoolOpt) If set, send api.fault notifications on caught exceptions in the API service.

notify_on_state_change = None

(StrOpt) If set, send compute.instance.update notifications on instance state changes. Valid values are None for
no notifications, "vm_state" for notifications on VM state
changes, or "vm_and_task_state" for notifications on VM
and task state changes.

pybasedir = /usr/lib/python/site-packages/nova

(StrOpt) Directory where the nova python module is installed

report_interval = 10

(IntOpt) Seconds between nodes reporting state to datastore

rootwrap_config = /etc/nova/rootwrap.conf

(StrOpt) Path to the rootwrap configuration file to use for running commands as root

service_down_time = 60

(IntOpt) Maximum time since last check-in for up service

state_path = $pybasedir

(StrOpt) Top-level directory for maintaining nova's state

tempdir = None

(StrOpt) Explicitly specify the temporary working directory

[keystone_authtoken]
memcached_servers = None

(ListOpt) Optionally specify a list of memcached server(s) to use for caching. If left undefined, tokens will instead be cached in-process.

Table 2.21. Description of Compute configuration options


Configuration option = Default value

Description

[DEFAULT]
compute_available_monitors = ['nova.compute.monitors.all_monitors']

(MultiStrOpt) Monitor classes available to the compute which may be specified more than once.

compute_driver = None

(StrOpt) Driver to use for controlling virtualization. Options include: libvirt.LibvirtDriver, xenapi.XenAPIDriver,
fake.FakeDriver, baremetal.BareMetalDriver,
vmwareapi.VMwareVCDriver, hyperv.HyperVDriver

compute_manager = nova.compute.manager.ComputeManager

(StrOpt) Full class name for the Manager for compute

compute_monitors =

(ListOpt) A list of monitors that can be used for getting compute metrics.

compute_resources = vcpu

(ListOpt) The names of the extra resources to track.

compute_stats_class = nova.compute.stats.Stats

(StrOpt) Class that will manage stats for the local compute
host

console_host = localhost

(StrOpt) Console proxy host to use to connect to instances on this host.

console_manager = nova.console.manager.ConsoleProxyManager

(StrOpt) Full class name for the Manager for console proxy

default_flavor = m1.small

(StrOpt) Default flavor to use for the EC2 API only. The
Nova API does not support a default flavor.

default_notification_level = INFO

(StrOpt) Default notification level for outgoing notifications

enable_instance_password = True

(BoolOpt) Enables returning of the instance password by the relevant server API calls such as create, rebuild or rescue. If the hypervisor does not support password injection then the password returned will not be correct

heal_instance_info_cache_interval = 60

(IntOpt) Number of seconds between instance info_cache self healing updates

image_cache_manager_interval = 2400

(IntOpt) Number of seconds to wait between runs of the image cache manager. Set to -1 to disable. Setting this to 0 will disable, but this will change in the K release to mean "run at the default rate".

image_cache_subdirectory_name = _base

(StrOpt) Where cached images are stored under $instances_path. This is NOT the full path - just a folder name. For per-compute-host cached images, set to _base_$my_ip

instance_build_timeout = 0

(IntOpt) Amount of time in seconds an instance can be in BUILD before going into ERROR status. Set to 0 to disable.

instance_delete_interval = 300

(IntOpt) Interval in seconds for retrying failed instance file deletes

instance_usage_audit = False

(BoolOpt) Generate periodic compute.instance.exists notifications

instance_usage_audit_period = month

(StrOpt) Time period to generate instance usages for. Time period must be hour, day, month or year

instances_path = $state_path/instances

(StrOpt) Where instances are stored on disk

maximum_instance_delete_attempts = 5

(IntOpt) The number of times to attempt to reap an instance's files.

reboot_timeout = 0

(IntOpt) Automatically hard reboot an instance if it has been stuck in a rebooting state longer than N seconds. Set to 0 to disable.

reclaim_instance_interval = 0

(IntOpt) Interval in seconds for reclaiming deleted instances

rescue_timeout = 0

(IntOpt) Automatically unrescue an instance after N seconds. Set to 0 to disable.

resize_confirm_window = 0

(IntOpt) Automatically confirm resizes after N seconds. Set to 0 to disable.

resume_guests_state_on_host_boot = False

(BoolOpt) Whether to start guests that were running before the host rebooted

running_deleted_instance_action = reap

(StrOpt) Action to take if a running deleted instance is detected. Valid options are 'noop', 'log', 'shutdown', or 'reap'. Set to 'noop' to take no action.

running_deleted_instance_poll_interval = 1800

(IntOpt) Number of seconds to wait between runs of the cleanup task.

running_deleted_instance_timeout = 0

(IntOpt) Number of seconds after being deleted when a running instance should be considered eligible for cleanup.

shelved_offload_time = 0

(IntOpt) Time in seconds before a shelved instance is eligible for removing from a host. -1 never offload, 0 offload
when shelved

shelved_poll_interval = 3600

(IntOpt) Interval in seconds for polling shelved instances to offload. Set to -1 to disable. Setting this to 0 will disable, but this will change in Juno to mean "run at the default rate".

shutdown_timeout = 60

(IntOpt) Total amount of time to wait in seconds for an instance to perform a clean shutdown.

sync_power_state_interval = 600

(IntOpt) Interval to sync power states between the database and the hypervisor. Set to -1 to disable. Setting this to 0 will disable, but this will change in Juno to mean "run at the default rate".

vif_plugging_is_fatal = True

(BoolOpt) Fail instance boot if vif plugging fails

vif_plugging_timeout = 300

(IntOpt) Number of seconds to wait for neutron vif plugging events to arrive before continuing or failing (see vif_plugging_is_fatal). If this is set to zero and vif_plugging_is_fatal is False, events should not be expected to arrive at all.

Table 2.22. Description of conductor configuration options


Configuration option = Default value

Description

[DEFAULT]
migrate_max_retries = -1

(IntOpt) Number of times to retry live-migration before failing. If == -1, try until out of hosts. If == 0, only try once, no retries.

[conductor]

manager = nova.conductor.manager.ConductorManager

(StrOpt) Full class name for the Manager for conductor

topic = conductor

(StrOpt) The topic on which conductor nodes listen

use_local = False

(BoolOpt) Perform nova-conductor operations locally

workers = None

(IntOpt) Number of workers for OpenStack Conductor service. The default will be the number of CPUs available.

Table 2.23. Description of config drive configuration options


Configuration option = Default value

Description

[DEFAULT]
config_drive_format = iso9660

(StrOpt) Config drive format. One of iso9660 (default) or vfat

config_drive_skip_versions = 1.0 2007-01-19 2007-03-01 2007-08-29 2007-10-10 2007-12-15 2008-02-01 2008-09-01

(StrOpt) List of metadata versions to skip placing into the config drive

config_drive_tempdir = None

(StrOpt) DEPRECATED (not needed any more): Where to put temporary files associated with config drive creation

force_config_drive = None

(StrOpt) Set to force injection to take place on a config drive (if set, valid options are: always)

mkisofs_cmd = genisoimage

(StrOpt) Name and optionally path of the tool used for ISO image creation

[hyperv]
config_drive_cdrom = False

(BoolOpt) Attaches the Config Drive image as a cdrom drive instead of a disk drive

config_drive_inject_password = False

(BoolOpt) Sets the admin password in the config drive image

Table 2.24. Description of console configuration options


Configuration option = Default value

Description

[DEFAULT]
console_public_hostname = localhost

(StrOpt) Publicly visible name for this console host

console_token_ttl = 600

(IntOpt) How many seconds before deleting tokens

consoleauth_manager = nova.consoleauth.manager.ConsoleAuthManager

(StrOpt) Manager for console auth

Table 2.25. Description of database configuration options


Configuration option = Default value

Description

[DEFAULT]
db_driver = nova.db

(StrOpt) The driver to use for database access

[database]
backend = sqlalchemy

(StrOpt) The back end to use for the database.

connection = None

(StrOpt) The SQLAlchemy connection string to use to connect to the database.

connection_debug = 0

(IntOpt) Verbosity of SQL debugging information: 0=None, 100=Everything.

connection_trace = False

(BoolOpt) Add Python stack traces to SQL as comment strings.

db_inc_retry_interval = True

(BoolOpt) If True, increases the interval between database connection retries up to db_max_retry_interval.

db_max_retries = 20

(IntOpt) Maximum database connection retries before error is raised. Set to -1 to specify an infinite retry count.

db_max_retry_interval = 10

(IntOpt) If db_inc_retry_interval is set, the maximum seconds between database connection retries.

db_retry_interval = 1

(IntOpt) Seconds between database connection retries.

idle_timeout = 3600

(IntOpt) Timeout before idle SQL connections are reaped.

max_overflow = None

(IntOpt) If set, use this value for max_overflow with SQLAlchemy.

max_pool_size = None

(IntOpt) Maximum number of SQL connections to keep open in a pool.

max_retries = 10

(IntOpt) Maximum db connection retries during startup. Set to -1 to specify an infinite retry count.

min_pool_size = 1

(IntOpt) Minimum number of SQL connections to keep open in a pool.

mysql_sql_mode = TRADITIONAL

(StrOpt) The SQL mode to be used for MySQL sessions. This option, including the default, overrides any server-set SQL mode. To use whatever SQL mode is set by the server configuration, set this to no value. Example: mysql_sql_mode=

pool_timeout = None

(IntOpt) If set, use this value for pool_timeout with SQLAlchemy.

retry_interval = 10

(IntOpt) Interval between retries of opening a SQL connection.

slave_connection = None

(StrOpt) The SQLAlchemy connection string to use to connect to the slave database.

sqlite_db = oslo.sqlite

(StrOpt) The file name to use with SQLite.

sqlite_synchronous = True

(BoolOpt) If True, SQLite uses synchronous mode.

use_db_reconnect = False

(BoolOpt) Enable the experimental use of database reconnect on connection lost.

use_tpool = False

(BoolOpt) Enable the experimental use of thread pooling for all DB API calls

Table 2.26. Description of logging configuration options


Configuration option = Default value

Description

[DEFAULT]
backdoor_port = None

(StrOpt) Enable eventlet backdoor. Acceptable values are 0, <port>, and <start>:<end>, where 0 results in listening on a random tcp port number; <port> results in listening on the specified port number (and not enabling backdoor if that port is in use); and <start>:<end> results in listening on the smallest unused port number within the specified range of port numbers. The chosen port is displayed in the service's log file.

disable_process_locking = False

(BoolOpt) Enables or disables inter-process locks.

Table 2.27. Description of EC2 configuration options


Configuration option = Default value

Description

[DEFAULT]
ec2_dmz_host = $my_ip

(StrOpt) The internal IP address of the EC2 API server

ec2_host = $my_ip

(StrOpt) The IP address of the EC2 API server

ec2_listen = 0.0.0.0

(StrOpt) The IP address on which the EC2 API will listen.

ec2_listen_port = 8773

(IntOpt) The port on which the EC2 API will listen.

ec2_path = /services/Cloud

(StrOpt) The path prefix used to call the ec2 API server

ec2_port = 8773

(IntOpt) The port of the EC2 API server

ec2_private_dns_show_ip = False

(BoolOpt) Return the IP address as private dns hostname in describe instances

ec2_scheme = http

(StrOpt) The protocol to use when connecting to the EC2 API server (http, https)

ec2_strict_validation = True

(BoolOpt) Validate security group names according to EC2 specification

ec2_timestamp_expiry = 300

(IntOpt) Time in seconds before ec2 timestamp expires

ec2_workers = None

(IntOpt) Number of workers for EC2 API service. The default will be equal to the number of CPUs available.

keystone_ec2_url = http://localhost:5000/v2.0/ec2tokens

(StrOpt) URL to get token from ec2 request.

lockout_attempts = 5

(IntOpt) Number of failed auths before lockout.

lockout_minutes = 15

(IntOpt) Number of minutes to lockout if triggered.

lockout_window = 15

(IntOpt) Number of minutes for lockout window.

region_list =

(ListOpt) List of region=fqdn pairs separated by commas

Table 2.28. Description of ephemeral storage encryption configuration options


Configuration option = Default value

Description

[ephemeral_storage_encryption]
cipher = aes-xts-plain64

(StrOpt) The cipher and mode to be used to encrypt ephemeral storage. Which ciphers are available depends on kernel support. See /proc/crypto for the list of available options.

enabled = False

(BoolOpt) Whether to encrypt ephemeral storage

key_size = 512

(IntOpt) The bit length of the encryption key to be used to encrypt ephemeral storage (in XTS mode only half of the bits are used for encryption key)

Table 2.29. Description of fping configuration options


Configuration option = Default value

Description

[DEFAULT]
fping_path = /usr/sbin/fping

(StrOpt) Full path to fping.

Table 2.30. Description of glance configuration options


Configuration option = Default value

Description

[DEFAULT]
osapi_glance_link_prefix = None

(StrOpt) Base URL that will be presented to users in links to glance resources

[glance]
allowed_direct_url_schemes =

(ListOpt) A list of URL schemes that can be downloaded directly via the direct_url. Currently supported schemes: [file].

api_insecure = False

(BoolOpt) Allow to perform insecure SSL (https) requests to glance

api_servers = None

(ListOpt) A list of the glance api servers available to nova. Prefix with https:// for ssl-based glance api servers. ([hostname|ip]:port)

host = $my_ip

(StrOpt) Default glance hostname or IP address

num_retries = 0

(IntOpt) Number of retries when downloading an image from glance

port = 9292

(IntOpt) Default glance port

protocol = http

(StrOpt) Default protocol to use when connecting to glance. Set to https for SSL.

[image_file_url]
filesystems =

(ListOpt) List of file systems that are configured in this file in the image_file_url:<list entry name> sections

Table 2.31. Description of HyperV configuration options


Configuration option = Default value

Description

[hyperv]
dynamic_memory_ratio = 1.0

(FloatOpt) Enables dynamic memory allocation (ballooning) when set to a value greater than 1. The value expresses the ratio between the total RAM assigned to an instance and its startup RAM amount. For example a ratio of
2.0 for an instance with 1024MB of RAM implies 512MB of
RAM allocated at startup

enable_instance_metrics_collection = False

(BoolOpt) Enables metrics collections for an instance by using Hyper-V's metric APIs. Collected data can be retrieved by other apps and services, e.g.: Ceilometer. Requires Hyper-V / Windows Server 2012 and above

force_hyperv_utils_v1 = False

(BoolOpt) Force V1 WMI utility classes

instances_path_share =

(StrOpt) The name of a Windows share name mapped to the "instances_path" dir and used by the resize feature to copy files to the target host. If left blank, an administrative share will be used, looking for the same "instances_path" used locally

limit_cpu_features = False

(BoolOpt) Required for live migration among hosts with different CPU features

mounted_disk_query_retry_count = 10

(IntOpt) The number of times to retry checking for a disk mounted via iSCSI.

mounted_disk_query_retry_interval = 5

(IntOpt) Interval between checks for a mounted iSCSI disk, in seconds.

qemu_img_cmd = qemu-img.exe

(StrOpt) Path of qemu-img command which is used to convert between different image types

vswitch_name = None

(StrOpt) External virtual switch Name, if not provided, the first external virtual switch is used

wait_soft_reboot_seconds = 60

(IntOpt) Number of seconds to wait for instance to shut down after soft reboot request is made. We fall back to hard reboot if instance does not shutdown within this window.

Table 2.32. Description of hypervisor configuration options


Configuration option = Default value

Description

[DEFAULT]
default_ephemeral_format = None

(StrOpt) The default format an ephemeral_volume will be formatted with on creation.

force_raw_images = True

(BoolOpt) Force backing images to raw format

preallocate_images = none

(StrOpt) VM image preallocation mode: "none" => no storage provisioning is done up front, "space" => storage is fully allocated at instance start

timeout_nbd = 10

(IntOpt) Amount of time, in seconds, to wait for NBD device start up.

use_cow_images = True

(BoolOpt) Whether to use cow images

vcpu_pin_set = None

(StrOpt) Defines which pcpus that instance vcpus can use. For example, "4-12,^8,15"

virt_mkfs = []

(MultiStrOpt) Name of the mkfs commands for ephemeral device. The format is <os_type>=<mkfs command>

Table 2.33. Description of bare metal configuration options


Configuration option = Default value

Description

[ironic]
admin_auth_token = None

(StrOpt) Ironic keystone auth token.

admin_password = None

(StrOpt) Ironic keystone admin password.

admin_tenant_name = None

(StrOpt) Ironic keystone tenant name.

admin_url = None

(StrOpt) Keystone public API endpoint.

admin_username = None

(StrOpt) Ironic keystone admin name

api_endpoint = None

(StrOpt) URL for Ironic API endpoint.

api_max_retries = 60

(IntOpt) How many retries when a request does conflict.

api_retry_interval = 2

(IntOpt) How often to retry in seconds when a request does conflict

api_version = 1

(IntOpt) Version of Ironic API service endpoint.

client_log_level = None

(StrOpt) Log level override for ironicclient. Set this in order to override the global "default_log_levels", "verbose", and "debug" settings.

Table 2.34. Description of IPv6 configuration options


Configuration option = Default value

Description

[DEFAULT]
fixed_range_v6 = fd00::/48

(StrOpt) Fixed IPv6 address block

gateway_v6 = None

(StrOpt) Default IPv6 gateway

ipv6_backend = rfc2462

(StrOpt) Backend to use for IPv6 generation

use_ipv6 = False

(BoolOpt) Use IPv6

Table 2.35. Description of key manager configuration options


Configuration option = Default value

Description

[keymgr]
api_class = nova.keymgr.conf_key_mgr.ConfKeyManager

(StrOpt) The full class name of the key manager API class

fixed_key = None

(StrOpt) Fixed key returned by key manager, specified in hex

Table 2.36. Description of LDAP configuration options


Configuration option = Default value

Description

[DEFAULT]
ldap_dns_base_dn = ou=hosts,dc=example,dc=org

(StrOpt) Base DN for DNS entries in LDAP

ldap_dns_password = password

(StrOpt) Password for LDAP DNS

ldap_dns_servers = ['dns.example.org']

(MultiStrOpt) DNS Servers for LDAP DNS driver

ldap_dns_soa_expiry = 86400

(StrOpt) Expiry interval (in seconds) for LDAP DNS driver Statement of Authority

ldap_dns_soa_hostmaster = [email protected]

(StrOpt) Hostmaster for LDAP DNS driver Statement of Authority

ldap_dns_soa_minimum = 7200

(StrOpt) Minimum interval (in seconds) for LDAP DNS driver Statement of Authority

ldap_dns_soa_refresh = 1800

(StrOpt) Refresh interval (in seconds) for LDAP DNS driver Statement of Authority

ldap_dns_soa_retry = 3600

(StrOpt) Retry interval (in seconds) for LDAP DNS driver Statement of Authority

ldap_dns_url = ldap://ldap.example.com:389

(StrOpt) URL for LDAP server which will store DNS entries

ldap_dns_user = uid=admin,ou=people,dc=example,dc=org

(StrOpt) User for LDAP DNS

Table 2.37. Description of Libvirt configuration options


Configuration option = Default value

Description

[DEFAULT]
remove_unused_base_images = True

(BoolOpt) Should unused base images be removed?

remove_unused_original_minimum_age_seconds = 86400

(IntOpt) Unused unresized base images younger than this will not be removed

[libvirt]
block_migration_flag = VIR_MIGRATE_UNDEFINE_SOURCE, VIR_MIGRATE_PEER2PEER, VIR_MIGRATE_LIVE, VIR_MIGRATE_TUNNELLED, VIR_MIGRATE_NON_SHARED_INC

(StrOpt) Migration flags to be set for block migration

checksum_base_images = False

(BoolOpt) Write a checksum for files in _base to disk

checksum_interval_seconds = 3600

(IntOpt) How frequently to checksum base images

connection_uri =

(StrOpt) Override the default libvirt URI (which is dependent on virt_type)

cpu_mode = None

(StrOpt) Set to "host-model" to clone the host CPU feature flags; to "host-passthrough" to use the host CPU model exactly; to "custom" to use a named CPU model; to "none" to not set any CPU model. If virt_type="kvm|qemu", it will default to "host-model", otherwise it will default to "none"

cpu_model = None

(StrOpt) Set to a named libvirt CPU model (see names listed in /usr/share/libvirt/cpu_map.xml). Only has effect if cpu_mode="custom" and virt_type="kvm|qemu"

disk_cachemodes =

(ListOpt) Specific cachemodes to use for different disk types e.g: file=directsync,block=none

disk_prefix = None

(StrOpt) Override the default disk prefix for the devices attached to a server, which is dependent on virt_type. (valid options are: sd, xvd, uvd, vd)

gid_maps =

(ListOpt) List of guid targets and ranges. Syntax is guest-gid:host-gid:count. Maximum of 5 allowed.

hw_disk_discard = None

(StrOpt) Discard option for nova managed disks (valid options are: ignore, unmap). Need Libvirt(1.0.6) Qemu1.5 (raw format) Qemu1.6(qcow2 format)

hw_machine_type = None

(ListOpt) For qemu or KVM guests, set this option to specify a default machine type per host architecture. You can find a list of supported machine types in your environment by checking the output of the "virsh capabilities" command. The format of the value for this config option is host-arch=machine-type. For example: x86_64=machinetype1,armv7l=machinetype2

image_info_filename_pattern = $instances_path/$image_cache_subdirectory_name/%(image)s.info

(StrOpt) Allows image information files to be stored in non-standard locations

images_rbd_ceph_conf =

(StrOpt) Path to the ceph configuration file to use

images_rbd_pool = rbd

(StrOpt) The RADOS pool in which rbd volumes are stored

images_type = default

(StrOpt) VM Images format. Acceptable values are: raw, qcow2, lvm, rbd, default. If default is specified, then use_cow_images flag is used instead of this one.

images_volume_group = None

(StrOpt) LVM Volume Group that is used for VM images, when you specify images_type=lvm.

inject_key = False

(BoolOpt) Inject the ssh public key at boot time

inject_partition = -2

(IntOpt) The partition to inject to : -2 => disable, -1 => inspect (libguestfs only), 0 => not partitioned, >0 => partition number

inject_password = False

(BoolOpt) Inject the admin password at boot time, without an agent.

iscsi_use_multipath = False

(BoolOpt) Use multipath connection of the iSCSI volume

iser_use_multipath = False

(BoolOpt) Use multipath connection of the iSER volume

mem_stats_period_seconds = 10

(IntOpt) Period, in seconds, for collecting memory usage statistics. A zero or negative value disables memory usage statistics.

remove_unused_kernels = False

(BoolOpt) Should unused kernel images be removed? This is only safe to enable if all compute nodes have been updated to support this option. This will be enabled by default in future.

remove_unused_resized_minimum_age_seconds = 3600

(IntOpt) Unused resized base images younger than this will not be removed

rescue_image_id = None

(StrOpt) Rescue ami image. This will not be used if an image id is provided by the user.

rescue_kernel_id = None

(StrOpt) Rescue aki image

rescue_ramdisk_id = None

(StrOpt) Rescue ari image

rng_dev_path = None

(StrOpt) A path to a device that will be used as source of entropy on the host. Permitted options are: /dev/random or /dev/hwrng

snapshot_compression = False

(BoolOpt) Compress snapshot images when possible. This currently applies exclusively to qcow2 images

snapshot_image_format = None

(StrOpt) Snapshot image format (valid options are: raw, qcow2, vmdk, vdi). Defaults to same as source image

snapshots_directory = $instances_path/snapshots

(StrOpt) Location where libvirt driver will store snapshots before uploading them to image service

sparse_logical_volumes = False

(BoolOpt) Create sparse logical volumes (with virtualsize) if this flag is set to True.

sysinfo_serial = auto

(StrOpt) The data source used to populate the host "serial" UUID exposed to guest in the virtual BIOS. Permitted options are "hardware", "os", "none" or "auto" (default).

uid_maps =

(ListOpt) List of uid targets and ranges. Syntax is guest-uid:host-uid:count. Maximum of 5 allowed.

use_usb_tablet = True

(BoolOpt) Sync virtual and real mouse cursors in Windows VMs

use_virtio_for_bridges = True

(BoolOpt) Use virtio for bridge interfaces with KVM/QEMU

virt_type = kvm

(StrOpt) Libvirt domain type (valid options are: kvm, lxc, qemu, uml, xen)

volume_clear = zero

(StrOpt) Method used to wipe old volumes (valid options are: none, zero, shred)

volume_clear_size = 0

(IntOpt) Size in MiB to wipe at start of old volumes. 0 => all

volume_drivers =
iscsi=nova.virt.libvirt.volume.LibvirtISCSIVolumeDriver,
iser=nova.virt.libvirt.volume.LibvirtISERVolumeDriver,
local=nova.virt.libvirt.volume.LibvirtVolumeDriver,
fake=nova.virt.libvirt.volume.LibvirtFakeVolumeDriver,
rbd=nova.virt.libvirt.volume.LibvirtNetVolumeDriver,
sheepdog=nova.virt.libvirt.volume.LibvirtNetVolumeDriver,
nfs=nova.virt.libvirt.volume.LibvirtNFSVolumeDriver,
aoe=nova.virt.libvirt.volume.LibvirtAOEVolumeDriver,
glusterfs=nova.virt.libvirt.volume.LibvirtGlusterfsVolumeDriver,
fibre_channel=nova.virt.libvirt.volume.LibvirtFibreChannelVolumeDriver,
scality=nova.virt.libvirt.volume.LibvirtScalityVolumeDriver

(ListOpt) DEPRECATED. Libvirt handlers for remote volumes. This option is deprecated and will be removed in the Kilo release.

wait_soft_reboot_seconds = 120

(IntOpt) Number of seconds to wait for instance to shut down after soft reboot request is made. We fall back to hard reboot if instance does not shut down within this window.

Table 2.38. Description of live migration configuration options


Configuration option = Default value

Description

[DEFAULT]
live_migration_retry_count = 30

(IntOpt) Number of 1 second retries needed in live_migration

[libvirt]
live_migration_bandwidth = 0

(IntOpt) Maximum bandwidth to be used during migration, in Mbps

live_migration_flag = VIR_MIGRATE_UNDEFINE_SOURCE, VIR_MIGRATE_PEER2PEER, VIR_MIGRATE_LIVE, VIR_MIGRATE_TUNNELLED

(StrOpt) Migration flags to be set for live migration

live_migration_uri = qemu+tcp://%s/system

(StrOpt) Migration target URI (any included "%s" is replaced with the migration target hostname)

Table 2.39. Description of logging configuration options


Configuration option = Default value

Description

[DEFAULT]
debug = False

(BoolOpt) Print debugging output (set logging level to DEBUG instead of default WARNING level).

default_log_levels = amqp=WARN, amqplib=WARN,
boto=WARN, qpid=WARN, sqlalchemy=WARN,
suds=INFO, oslo.messaging=INFO, iso8601=WARN,
requests.packages.urllib3.connectionpool=WARN,
urllib3.connectionpool=WARN, websocket=WARN,
keystonemiddleware=WARN, routes.middleware=WARN,
stevedore=WARN

(ListOpt) List of logger=LEVEL pairs.

fatal_deprecations = False

(BoolOpt) Enables or disables fatal status of deprecations.

fatal_exception_format_errors = False

(BoolOpt) Make exception message format errors fatal

instance_format = "[instance: %(uuid)s] "

(StrOpt) The format for an instance that is passed with the log message.

instance_uuid_format = "[instance: %(uuid)s] "

(StrOpt) The format for an instance UUID that is passed with the log message.

log_config_append = None

(StrOpt) The name of a logging configuration file. This file is appended to any existing logging configuration files. For details about logging configuration files, see the Python logging module documentation.

log_date_format = %Y-%m-%d %H:%M:%S

(StrOpt) Format string for %%(asctime)s in log records. Default: %(default)s .

log_dir = None

(StrOpt) (Optional) The base directory used for relative --log-file paths.

log_file = None

(StrOpt) (Optional) Name of log file to output to. If no default is set, logging will go to stdout.

log_format = None

(StrOpt) DEPRECATED. A logging.Formatter log message format string which may use any of the available logging.LogRecord attributes. This option is deprecated. Please use logging_context_format_string and logging_default_format_string instead.

logging_context_format_string = %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [%(request_id)s %(user_identity)s] %(instance)s %(message)s

(StrOpt) Format string to use for log messages with context.

logging_debug_format_suffix = %(funcName)s %(pathname)s:%(lineno)d

(StrOpt) Data to append to log format when level is DEBUG.

logging_default_format_string = %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [-] %(instance)s %(message)s

(StrOpt) Format string to use for log messages without context.

logging_exception_prefix = %(asctime)s.%(msecs)03d %(process)d TRACE %(name)s %(instance)s

(StrOpt) Prefix each line of exception output with this format.

publish_errors = False

(BoolOpt) Enables or disables publication of error events.

syslog_log_facility = LOG_USER

(StrOpt) Syslog facility to receive log lines.

use_stderr = True

(BoolOpt) Log output to standard error.

use_syslog = False

(BoolOpt) Use syslog for logging. Existing syslog format is DEPRECATED during I, and will change in J to honor RFC5424.

use_syslog_rfc_format = False

(BoolOpt) (Optional) Enables or disables syslog rfc5424 format for logging. If enabled, prefixes the MSG part of the syslog message with APP-NAME (RFC5424). The format without the APP-NAME is deprecated in I, and will be removed in J.

verbose = False

(BoolOpt) Print more verbose output (set logging level to INFO instead of default WARNING level).

Table 2.40. Description of metadata configuration options


Configuration option = Default value

Description

[DEFAULT]
metadata_host = $my_ip

(StrOpt) The IP address for the metadata API server

metadata_listen = 0.0.0.0

(StrOpt) The IP address on which the metadata API will listen.

metadata_listen_port = 8775

(IntOpt) The port on which the metadata API will listen.

metadata_manager = nova.api.manager.MetadataManager

(StrOpt) OpenStack metadata service manager

metadata_port = 8775

(IntOpt) The port for the metadata API port

metadata_workers = None

(IntOpt) Number of workers for metadata service. The default will be the number of CPUs available.

vendordata_driver = nova.api.metadata.vendordata_json.JsonFileVendorData

(StrOpt) Driver to use for vendor data

vendordata_jsonfile_path = None

(StrOpt) File to load JSON formatted vendor data from

Table 2.41. Description of network configuration options


Configuration option = Default value

Description

[DEFAULT]
allow_same_net_traffic = True

(BoolOpt) Whether to allow network traffic from same network

auto_assign_floating_ip = False

(BoolOpt) Autoassigning floating IP to VM

cnt_vpn_clients = 0

(IntOpt) Number of addresses reserved for vpn clients

create_unique_mac_address_attempts = 5

(IntOpt) Number of attempts to create unique mac address

default_access_ip_network_name = None

(StrOpt) Name of network to use to set access IPs for instances

default_floating_pool = nova

(StrOpt) Default pool for floating IPs

defer_iptables_apply = False

(BoolOpt) Whether to batch up the application of IPTables rules during a host restart and apply all at the end of the init phase

dhcp_domain = novalocal

(StrOpt) Domain to use for building the hostnames

dhcp_lease_time = 86400

(IntOpt) Lifetime of a DHCP lease in seconds

dhcpbridge = $bindir/nova-dhcpbridge

(StrOpt) Location of nova-dhcpbridge

dhcpbridge_flagfile = ['/etc/nova/nova-dhcpbridge.conf']

(MultiStrOpt) Location of flagfiles for dhcpbridge

dns_server = []

(MultiStrOpt) If set, uses specific DNS server for dnsmasq. Can be specified multiple times.

dns_update_periodic_interval = -1

(IntOpt) Number of seconds to wait between runs of updates to DNS entries.

dnsmasq_config_file =

(StrOpt) Override the default dnsmasq settings with this file

firewall_driver = None

(StrOpt) Firewall driver (defaults to hypervisor specific iptables driver)

fixed_ip_disassociate_timeout = 600

(IntOpt) Seconds after which a deallocated IP is disassociated

flat_injected = False

(BoolOpt) Whether to attempt to inject network setup into guest

flat_interface = None

(StrOpt) FlatDhcp will bridge into this interface if set

flat_network_bridge = None

(StrOpt) Bridge for simple network instances

flat_network_dns = 8.8.4.4

(StrOpt) DNS server for simple network

floating_ip_dns_manager = nova.network.noop_dns_driver.NoopDNSDriver

(StrOpt) Full class name for the DNS Manager for floating IPs

force_dhcp_release = True

(BoolOpt) If True, send a dhcp release on instance termination

force_snat_range = []

(MultiStrOpt) Traffic to this range will always be snatted to the fallback ip, even if it would normally be bridged out of the node. Can be specified multiple times.

forward_bridge_interface = ['all']

(MultiStrOpt) An interface that bridges can forward to. If this is set to all then all traffic will be forwarded. Can be specified multiple times.

gateway = None

(StrOpt) Default IPv4 gateway

injected_network_template = $pybasedir/nova/virt/interfaces.template

(StrOpt) Template file for injected network

instance_dns_domain =

(StrOpt) Full class name for the DNS Zone for instance IPs

instance_dns_manager = nova.network.noop_dns_driver.NoopDNSDriver

(StrOpt) Full class name for the DNS Manager for instance IPs

iptables_bottom_regex =

(StrOpt) Regular expression to match iptables rule that should always be on the bottom.

iptables_drop_action = DROP

(StrOpt) The table that iptables jumps to when a packet is to be dropped.

iptables_top_regex =

(StrOpt) Regular expression to match iptables rule that should always be on the top.

l3_lib = nova.network.l3.LinuxNetL3

(StrOpt) Indicates underlying L3 management library

linuxnet_interface_driver = nova.network.linux_net.LinuxBridgeInterfaceDriver

(StrOpt) Driver used to create ethernet devices.

linuxnet_ovs_integration_bridge = br-int

(StrOpt) Name of Open vSwitch bridge used with linuxnet

multi_host = False

(BoolOpt) Default value for multi_host in networks. Also, if set, some rpc network calls will be sent directly to host.

network_allocate_retries = 0

(IntOpt) Number of times to retry network allocation on failures

network_api_class = nova.network.api.API

(StrOpt) The full class name of the network API class to use

network_device_mtu = None

(IntOpt) DEPRECATED: THIS VALUE SHOULD BE SET WHEN CREATING THE NETWORK. MTU setting for network interface.

network_driver = nova.network.linux_net

(StrOpt) Driver to use for network creation

network_manager = nova.network.manager.VlanManager

(StrOpt) Full class name for the Manager for network

network_size = 256

(IntOpt) Number of addresses in each private subnet

network_topic = network

(StrOpt) The topic network nodes listen on

networks_path = $state_path/networks

(StrOpt) Location to keep network config files

num_networks = 1

(IntOpt) Number of networks to support

ovs_vsctl_timeout = 120

(IntOpt) Amount of time, in seconds, that ovs_vsctl should wait for a response from the database. 0 is to wait forever.

public_interface = eth0

(StrOpt) Interface for public IP addresses

routing_source_ip = $my_ip

(StrOpt) Public IP of network host

security_group_api = nova

(StrOpt) The full class name of the security API class

send_arp_for_ha = False

(BoolOpt) Send gratuitous ARPs for HA setup

send_arp_for_ha_count = 3

(IntOpt) Send this many gratuitous ARPs for HA setup

share_dhcp_address = False

(BoolOpt) DEPRECATED: THIS VALUE SHOULD BE SET WHEN CREATING THE NETWORK. If True in multi_host mode, all compute hosts share the same dhcp address. The same IP address used for DHCP will be added on each nova-network node which is only visible to the vms on the same host.

teardown_unused_network_gateway = False

(BoolOpt) If True, unused gateway devices (VLAN and bridge) are deleted in VLAN network mode with multi hosted networks

update_dns_entries = False

(BoolOpt) If True, when a DNS entry must be updated, it sends a fanout cast to all network hosts to update their DNS entries in multi host mode

use_network_dns_servers = False

(BoolOpt) If set, uses the dns1 and dns2 from the network ref. as dns servers.

use_neutron_default_nets = False

(StrOpt) Control for checking for default networks

use_single_default_gateway = False

(BoolOpt) Use single default gateway. Only first nic of vm will get default gateway from dhcp server

vlan_interface = None

(StrOpt) VLANs will bridge into this interface if set

vlan_start = 100

(IntOpt) First VLAN for private networks

[vmware]
vlan_interface = vmnic0

(StrOpt) Physical ethernet adapter name for vlan networking

Table 2.42. Description of neutron configuration options


Configuration option = Default value

Description

[DEFAULT]
neutron_default_tenant_id = default

(StrOpt) Default tenant id when creating neutron networks

[neutron]
admin_auth_url = http://localhost:5000/v2.0

(StrOpt) Authorization URL for connecting to neutron in admin context

admin_password = None

(StrOpt) Password for connecting to neutron in admin context

admin_tenant_id = None

(StrOpt) Tenant id for connecting to neutron in admin context

admin_tenant_name = None

(StrOpt) Tenant name for connecting to neutron in admin context. This option will be ignored if neutron_admin_tenant_id is set. Note that with Keystone V3 tenant names are only unique within a domain.

admin_user_id = None

(StrOpt) User id for connecting to neutron in admin context

admin_username = None

(StrOpt) Username for connecting to neutron in admin context

allow_duplicate_networks = False

(BoolOpt) Allow an instance to have multiple vNICs attached to the same Neutron network.

api_insecure = False

(BoolOpt) If set, ignore any SSL validation issues

auth_strategy = keystone

(StrOpt) Authorization strategy for connecting to neutron in admin context

ca_certificates_file = None

(StrOpt) Location of CA certificates file to use for neutron client requests.

extension_sync_interval = 600

(IntOpt) Number of seconds before querying neutron for extensions

metadata_proxy_shared_secret =

(StrOpt) Shared secret to validate proxies Neutron metadata requests

ovs_bridge = br-int

(StrOpt) Name of Integration Bridge used by Open vSwitch

region_name = None

(StrOpt) Region name for connecting to neutron in admin context

service_metadata_proxy = False

(BoolOpt) Set flag to indicate Neutron will proxy metadata requests and resolve instance ids.

url = http://127.0.0.1:9696

(StrOpt) URL for connecting to neutron

url_timeout = 30

(IntOpt) Timeout value for connecting to neutron in seconds

Table 2.43. Description of PCI configuration options


Configuration option = Default value

Description

[DEFAULT]
pci_alias = []

(MultiStrOpt) An alias for a PCI passthrough device requirement. This allows users to specify the alias in the extra_spec for a flavor, without needing to repeat all the PCI property requirements. For example: pci_alias = { "name": "QuicAssist", "product_id": "0443", "vendor_id": "8086", "device_type": "ACCEL" } defines an alias for the Intel QuickAssist card. (multi valued)

pci_passthrough_whitelist = []

(MultiStrOpt) White list of PCI devices available to VMs. For example: pci_passthrough_whitelist = [{"vendor_id": "8086", "product_id": "0443"}]

Table 2.44. Description of periodic configuration options


Configuration option = Default value

Description

[DEFAULT]
periodic_enable = True

(BoolOpt) Enable periodic tasks

periodic_fuzzy_delay = 60

(IntOpt) Range of seconds to randomly delay when starting the periodic task scheduler to reduce stampeding. (Disable by setting to 0)

run_external_periodic_tasks = True

(BoolOpt) Some periodic tasks can be run in a separate process. Should we run them here?

Table 2.45. Description of policy configuration options


Configuration option = Default value

Description

[DEFAULT]
allow_instance_snapshots = True

(BoolOpt) Permit instance snapshot operations.

allow_migrate_to_same_host = False

(BoolOpt) Allow migrate machine to the same host. Useful when testing in single-host environments.

allow_resize_to_same_host = False

(BoolOpt) Allow destination machine to match source for resize. Useful when testing in single-host environments.

max_age = 0

(IntOpt) Number of seconds between subsequent usage refreshes

max_local_block_devices = 3

(IntOpt) Maximum number of devices that will result in a local image being created on the hypervisor node. Setting this to 0 means nova will allow only boot from volume. A negative number means unlimited.

osapi_compute_unique_server_name_scope =

(StrOpt) When set, compute API will consider duplicate hostnames invalid within the specified scope, regardless of case. Should be empty, "project" or "global".

osapi_max_limit = 1000

(IntOpt) The maximum number of items returned in a single response from a collection resource

osapi_max_request_body_size = 114688

(IntOpt) The maximum body size per each osapi request (bytes)

password_length = 12

(IntOpt) Length of generated instance admin passwords

policy_default_rule = default

(StrOpt) Default rule. Enforced when a requested rule is not found.

policy_file = policy.json

(StrOpt) The JSON file that defines policies.

reservation_expire = 86400

(IntOpt) Number of seconds until a reservation expires

resize_fs_using_block_device = False

(BoolOpt) Attempt to resize the filesystem by accessing the image over a block device. This is done by the host and may not be necessary if the image contains a recent version of cloud-init. Possible mechanisms require the nbd driver (for qcow and raw), or loop (for raw).

until_refresh = 0

(IntOpt) Count of reservations until usage is refreshed

Table 2.46. Description of quota configuration options


Configuration option = Default value

Description

[DEFAULT]
bandwidth_poll_interval = 600

(IntOpt) Interval to pull network bandwidth usage info. Not supported on all hypervisors. Set to -1 to disable. Setting this to 0 will disable, but this will change in the K release to mean "run at the default rate".

enable_network_quota = False

(BoolOpt) Enables or disables quota checking for tenant networks

quota_cores = 20

(IntOpt) Number of instance cores allowed per project

quota_driver = nova.quota.DbQuotaDriver

(StrOpt) Default driver to use for quota checks

quota_fixed_ips = -1

(IntOpt) Number of fixed IPs allowed per project (this should be at least the number of instances allowed)

quota_floating_ips = 10

(IntOpt) Number of floating IPs allowed per project

quota_injected_file_content_bytes = 10240

(IntOpt) Number of bytes allowed per injected file

quota_injected_file_path_length = 255

(IntOpt) Length of injected file path

quota_injected_files = 5

(IntOpt) Number of injected files allowed

quota_instances = 10

(IntOpt) Number of instances allowed per project

quota_key_pairs = 100

(IntOpt) Number of key pairs per user

quota_metadata_items = 128

(IntOpt) Number of metadata items allowed per instance

quota_ram = 51200

(IntOpt) Megabytes of instance RAM allowed per project

quota_security_group_rules = 20

(IntOpt) Number of security rules per security group

quota_security_groups = 10

(IntOpt) Number of security groups per project

quota_server_group_members = 10

(IntOpt) Number of servers per server group

quota_server_groups = 10

(IntOpt) Number of server groups per project

[cells]
bandwidth_update_interval = 600

(IntOpt) Seconds between bandwidth updates for cells.

Table 2.47. Description of RDP configuration options


Configuration option = Default value

Description

[rdp]
enabled = False

(BoolOpt) Enable RDP related features

html5_proxy_base_url = http://127.0.0.1:6083/

(StrOpt) Location of RDP html5 console proxy, in the form "http://127.0.0.1:6083/"

Table 2.48. Description of Redis configuration options


Configuration option = Default value

Description

[matchmaker_redis]
host = 127.0.0.1

(StrOpt) Host to locate redis.

password = None

(StrOpt) Password for Redis server (optional).

port = 6379

(IntOpt) Use this port to connect to redis host.

[matchmaker_ring]
ringfile = /etc/oslo/matchmaker_ring.json

(StrOpt) Matchmaker ring file (JSON).

Table 2.49. Description of rootwrap configuration options


Configuration option = Default value

Description

[DEFAULT]
filters_path = /etc/nova/rootwrap.d,/usr/share/nova/rootwrap

List of directories to load filter definitions from (separated by ','). These directories MUST all be only writeable by root!

exec_dirs = /sbin,/usr/sbin,/bin,/usr/bin

List of directories to search executables in, in case filters do not explicitly specify a full path (separated by ','). If not specified, defaults to system PATH environment variable. These directories MUST all be only writeable by root!

use_syslog = False

Enable logging to syslog Default value is False

syslog_log_facility = syslog

Which syslog facility to use. Valid values include auth, authpriv, syslog, local0, local1... Default value is 'syslog'

syslog_log_level = ERROR

Which messages to log. INFO means log all usage; ERROR means only log unsuccessful attempts.
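
The rootwrap table above requires every directory named in filters_path and exec_dirs to be writable only by root, and says exec_dirs falls back to the PATH environment variable when unset. The following Python check is an added example, not part of the OpenStack documentation or code; the function names, the `trusted_uid` parameter and the constructed sample paths are assumptions made for illustration.

```python
import configparser
import os
import stat
import tempfile

# Options from the rootwrap table whose directories must be writable only by root.
ROOT_ONLY_OPTIONS = ("filters_path", "exec_dirs")


def check_dir(path, trusted_uid=0):
    """Return the reasons a user other than trusted_uid could alter `path`."""
    real = os.path.realpath(path)  # judge the symlink target, not the link
    try:
        st = os.stat(real)
    except OSError:
        return ["missing or inaccessible"]
    if not stat.S_ISDIR(st.st_mode):
        return ["not a directory"]
    problems = []
    if st.st_uid != trusted_uid:
        problems.append("owned by uid %d" % st.st_uid)
    if st.st_mode & stat.S_IWGRP:
        problems.append("group-writable")
    if st.st_mode & stat.S_IWOTH:
        problems.append("world-writable")
    return problems


def audit_rootwrap_conf(conf_path, trusted_uid=0):
    """Map 'option:directory' to its problems for every directory that fails."""
    parser = configparser.RawConfigParser()  # raw: no '%' interpolation
    with open(conf_path) as handle:
        parser.read_file(handle)
    defaults = parser.defaults()
    findings = {}
    for option in ROOT_ONLY_OPTIONS:
        value, sep = defaults.get(option), ","
        if value is None and option == "exec_dirs":
            # Documented fallback: an unset exec_dirs means the system PATH.
            value, sep = os.environ.get("PATH", ""), os.pathsep
        for entry in (value or "").split(sep):
            entry = entry.strip()
            if not entry:
                continue
            problems = check_dir(entry, trusted_uid)
            if problems:
                findings["%s:%s" % (option, entry)] = problems
    return findings


def demo():
    """Audit a constructed rootwrap.conf; the current user stands in for root."""
    with tempfile.TemporaryDirectory() as tmp:
        good = os.path.join(tmp, "rootwrap.d")
        bad = os.path.join(tmp, "shared-filters")
        for path, mode in ((good, 0o755), (bad, 0o777)):
            os.mkdir(path)
            os.chmod(path, mode)  # chmod so the umask cannot mask the bits
        conf = os.path.join(tmp, "rootwrap.conf")
        with open(conf, "w") as handle:
            handle.write("[DEFAULT]\nfilters_path = %s,%s\nexec_dirs = %s\n"
                         % (good, bad, good))
        findings = audit_rootwrap_conf(conf, trusted_uid=os.getuid())
        return {key.replace(tmp, "<tmp>"): val for key, val in findings.items()}


if __name__ == "__main__":
    for target, problems in demo().items():
        print(target, "->", ", ".join(problems))
```

On a real host, run `audit_rootwrap_conf` against the deployed rootwrap configuration file with the default `trusted_uid=0`; an empty result means every listed directory met the requirement.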

Table 2.50. Description of S3 configuration options


Configuration option = Default value

Description

[DEFAULT]
buckets_path = $state_path/buckets

(StrOpt) Path to S3 buckets

image_decryption_dir = /tmp

(StrOpt) Parent directory for tempdir used for image decryption

s3_access_key = notchecked

(StrOpt) Access key to use for S3 server for images

s3_affix_tenant = False

(BoolOpt) Whether to affix the tenant id to the access key when downloading from S3

s3_host = $my_ip

(StrOpt) Hostname or IP for OpenStack to use when accessing the S3 api

s3_listen = 0.0.0.0

(StrOpt) IP address for S3 API to listen

s3_listen_port = 3333

(IntOpt) Port for S3 API to listen

s3_port = 3333

(IntOpt) Port used when accessing the S3 api

s3_secret_key = notchecked

(StrOpt) Secret key to use for S3 server for images

s3_use_ssl = False

(BoolOpt) Whether to use SSL when talking to S3

Table 2.51. Description of scheduler configuration options


Configuration option = Default value

Description

[DEFAULT]
aggregate_image_properties_isolation_namespace = None

(StrOpt) Force the filter to consider only keys matching the given namespace.

aggregate_image_properties_isolation_separator = .

(StrOpt) The separator used between the namespace and keys

baremetal_scheduler_default_filters = RetryFilter, AvailabilityZoneFilter, ComputeFilter, ComputeCapabilitiesFilter, ImagePropertiesFilter, ExactRamFilter, ExactDiskFilter, ExactCoreFilter

(ListOpt) Which filter class names to use for filtering baremetal hosts when not specified in the request.

cpu_allocation_ratio = 16.0

(FloatOpt) Virtual CPU to physical CPU allocation ratio which affects all CPU filters. This configuration specifies a global ratio for CoreFilter. For AggregateCoreFilter, it will fall back to this configuration value if no per-aggregate setting found.

disk_allocation_ratio = 1.0

(FloatOpt) Virtual disk to physical disk allocation ratio

isolated_hosts =

(ListOpt) Host reserved for specific images

isolated_images =

(ListOpt) Images to run on isolated host

max_instances_per_host = 50

(IntOpt) Ignore hosts that have too many instances

max_io_ops_per_host = 8

(IntOpt) Tells filters to ignore hosts that have this many or more instances currently in build, resize, snapshot, migrate, rescue or unshelve task states

ram_allocation_ratio = 1.5

(FloatOpt) Virtual ram to physical ram allocation ratio which affects all ram filters. This configuration specifies a global ratio for RamFilter. For AggregateRamFilter, it will fall back to this configuration value if no per-aggregate setting found.

ram_weight_multiplier = 1.0

(FloatOpt) Multiplier used for weighing ram. Negative numbers mean to stack vs spread.

reserved_host_disk_mb = 0

(IntOpt) Amount of disk in MB to reserve for the host

reserved_host_memory_mb = 512

(IntOpt) Amount of memory in MB to reserve for the host

restrict_isolated_hosts_to_isolated_images = True

(BoolOpt) Whether to force isolated hosts to run only isolated images

scheduler_available_filters = ['nova.scheduler.filters.all_filters']

(MultiStrOpt) Filter classes available to the scheduler which may be specified more than once. An entry of "nova.scheduler.filters.standard_filters" maps to all filters included with nova.

scheduler_default_filters = RetryFilter, AvailabilityZoneFilter, RamFilter, ComputeFilter, ComputeCapabilitiesFilter, ImagePropertiesFilter, ServerGroupAntiAffinityFilter, ServerGroupAffinityFilter

(ListOpt) Which filter class names to use for filtering hosts when not specified in the request.

scheduler_driver = nova.scheduler.filter_scheduler.FilterScheduler

(StrOpt) Default driver to use for the scheduler

scheduler_driver_task_period = 60

(IntOpt) How often (in seconds) to run periodic tasks in the scheduler driver of your choice. Please note this is likely to interact with the value of service_down_time, but exactly how they interact will depend on your choice of scheduler driver.

scheduler_host_manager = nova.scheduler.host_manager.HostManager

(StrOpt) The scheduler host manager class to use

scheduler_host_subset_size = 1

(IntOpt) New instances will be scheduled on a host chosen randomly from a subset of the N best hosts. This property defines the subset size that a host is chosen from. A value of 1 chooses the first host returned by the weighing functions. This value must be at least 1. Any value less than 1 will be ignored, and 1 will be used instead

scheduler_json_config_location =

(StrOpt) Absolute path to scheduler configuration JSON file.

scheduler_manager = nova.scheduler.manager.SchedulerManager

(StrOpt) Full class name for the Manager for scheduler

scheduler_max_attempts = 3

(IntOpt) Maximum number of attempts to schedule an instance

scheduler_topic = scheduler

(StrOpt) The topic scheduler nodes listen on

scheduler_use_baremetal_filters = False

(BoolOpt) Flag to decide whether to use baremetal_scheduler_default_filters or not.

scheduler_weight_classes = nova.scheduler.weights.all_weighers

(ListOpt) Which weight class names to use for weighing hosts

[cells]
ram_weight_multiplier = 10.0

(FloatOpt) Multiplier used for weighing ram. Negative numbers mean to stack vs spread.

scheduler_filter_classes = nova.cells.filters.all_filters

(ListOpt) Filter classes the cells scheduler should use. An entry of "nova.cells.filters.all_filters" maps to all cells filters included with nova.

scheduler_retries = 10

(IntOpt) How many retries when no cells are available.

scheduler_retry_delay = 2

(IntOpt) How often to retry in seconds when no cells are available.

scheduler_weight_classes = nova.cells.weights.all_weighers

(ListOpt) Weigher classes the cells scheduler should use. An entry of "nova.cells.weights.all_weighers" maps to all cell weighers included with nova.

[metrics]
required = True

(BoolOpt) How to treat the unavailable metrics. When a metric is NOT available for a host, if it is set to be True, it would raise an exception, so it is recommended to use the scheduler filter MetricFilter to filter out those hosts. If it is set to be False, the unavailable metric would be treated as a negative factor in weighing process, the returned value would be set by the option weight_of_unavailable.

weight_multiplier = 1.0

(FloatOpt) Multiplier used for weighing metrics.

weight_of_unavailable = -10000.0

(FloatOpt) The final weight value to be returned if required is set to False and any one of the metrics set by weight_setting is unavailable.

weight_setting =

(ListOpt) How the metrics are going to be weighed. This should be in the form of "<name1>=<ratio1>, <name2>=<ratio2>, ...", where <nameX> is one of the metrics to be weighed, and <ratioX> is the corresponding ratio. So for "name1=1.0, name2=-1.0" The final weight would be name1.value * 1.0 + name2.value * -1.0.

Table 2.52. Description of serial console configuration options


Configuration option = Default value

Description

[serial_console]
base_url = http://127.0.0.1:6083/

(StrOpt) Location of serial console proxy.

enabled = False

(BoolOpt) Enable serial console related features

listen = 127.0.0.1

(StrOpt) IP address on which instance serial console should listen

port_range = 10000:20000

(StrOpt) Range of TCP ports to use for serial ports on compute hosts

proxyclient_address = 127.0.0.1

(StrOpt) The address to which proxy clients (like nova-serialproxy) should connect

Table 2.53. Description of SPICE configuration options


Configuration option = Default value

Description

[spice]
agent_enabled = True

(BoolOpt) Enable spice guest agent support

enabled = False

(BoolOpt) Enable spice related features

html5proxy_base_url = http://127.0.0.1:6082/spice_auto.html

(StrOpt) Location of spice HTML5 console proxy, in the form "http://127.0.0.1:6082/spice_auto.html"

keymap = en-us

(StrOpt) Keymap for spice

server_listen = 127.0.0.1

(StrOpt) IP address on which instance spice server should listen

server_proxyclient_address = 127.0.0.1

(StrOpt) The address to which proxy clients (like nova-spicehtml5proxy) should connect

Table 2.54. Description of testing configuration options


Configuration option = Default value

Description

[DEFAULT]
fake_call = False

(BoolOpt) If True, skip using the queue and make local calls

fake_network = False

(BoolOpt) If passed, use fake network devices and addresses

fake_rabbit = False

(BoolOpt) If passed, use a fake RabbitMQ provider.

monkey_patch = False

(BoolOpt) Whether to log monkey patching

monkey_patch_modules = nova.api.ec2.cloud:nova.notifications.notify_decorator, nova.compute.api:nova.notifications.notify_decorator

(ListOpt) List of modules/decorators to monkey patch

Table 2.55. Description of Tilera configuration options


Configuration option = Default value

Description

[baremetal]
tile_pdu_ip = 10.0.100.1

(StrOpt) IP address of tilera pdu

tile_pdu_mgr = /tftpboot/pdu_mgr

(StrOpt) Management script for tilera pdu

tile_pdu_off = 2

(IntOpt) Power status of tilera PDU is OFF

tile_pdu_on = 1

(IntOpt) Power status of tilera PDU is ON

tile_pdu_status = 9

(IntOpt) Power status of tilera PDU

tile_power_wait = 9

(IntOpt) Wait time in seconds until check the result after tilera power operations

Table 2.56. Description of trusted computing configuration options


Configuration option = Default value

Description

[trusted_computing]
attestation_api_url = /OpenAttestationWebServices/V1.0

(StrOpt) Attestation web API URL

attestation_auth_blob = None

(StrOpt) Attestation authorization blob - must change

attestation_auth_timeout = 60

(IntOpt) Attestation status cache valid period length

attestation_port = 8443

(StrOpt) Attestation server port

attestation_server = None

(StrOpt) Attestation server HTTP

attestation_server_ca_file = None

(StrOpt) Attestation server Cert file for Identity verification

Table 2.57. Description of upgrade levels configuration options


Configuration option = Default value

Description

[cells]
scheduler = nova.cells.scheduler.CellsScheduler

(StrOpt) Cells scheduler to use

[upgrade_levels]
cells = None

(StrOpt) Set a version cap for messages sent to local cells services

cert = None

(StrOpt) Set a version cap for messages sent to cert services

compute = None

(StrOpt) Set a version cap for messages sent to compute services. If you plan to do a live upgrade from havana to icehouse, you should set this option to "icehouse-compat" before beginning the live upgrade procedure.

conductor = None

(StrOpt) Set a version cap for messages sent to conductor services

console = None

(StrOpt) Set a version cap for messages sent to console services

consoleauth = None

(StrOpt) Set a version cap for messages sent to consoleauth services

intercell = None

(StrOpt) Set a version cap for messages sent between cells services

network = None

(StrOpt) Set a version cap for messages sent to network services

scheduler = None

(StrOpt) Set a version cap for messages sent to scheduler services

Table 2.58. Description of VMware configuration options


Configuration option = Default value

Description

[vmware]
api_retry_count = 10

(IntOpt) The number of times we retry on failures, e.g., socket error, etc.

cluster_name = None

(MultiStrOpt) Name of a VMware Cluster ComputeResource.

datastore_regex = None

(StrOpt) Regex to match the name of a datastore.

host_ip = None

(StrOpt) Hostname or IP address for connection to VMware VC host.

host_password = None

(StrOpt) Password for connection to VMware VC host.

host_port = 443

(IntOpt) Port for connection to VMware VC host.

host_username = None

(StrOpt) Username for connection to VMware VC host.

integration_bridge = br-int

(StrOpt) Name of Integration Bridge

maximum_objects = 100

(IntOpt) The maximum number of ObjectContent data objects that should be returned in a single result. A positive value will cause the operation to suspend the retrieval when the count of objects reaches the specified maximum. The server may still limit the count to something less than the configured value. Any remaining objects may be retrieved with additional requests.

task_poll_interval = 0.5

(FloatOpt) The interval used for polling of remote tasks.

use_linked_clone = True

(BoolOpt) Whether to use linked clone

wsdl_location = None

(StrOpt) Optional VIM Service WSDL Location e.g http://<server>/vimService.wsdl. Optional over-ride to default location for bug work-arounds

Table 2.59. Description of VNC configuration options


Configuration option = Default value

Description

[DEFAULT]
novncproxy_base_url = http://127.0.0.1:6080/vnc_auto.html

(StrOpt) Location of VNC console proxy, in the form "http://127.0.0.1:6080/vnc_auto.html"

vnc_enabled = True

(BoolOpt) Enable VNC related features

vnc_keymap = en-us

(StrOpt) Keymap for VNC

vncserver_listen = 127.0.0.1

(StrOpt) IP address on which instance vncservers should listen

vncserver_proxyclient_address = 127.0.0.1

(StrOpt) The address to which proxy clients (like nova-xvpvncproxy) should connect

[vmware]
vnc_port = 5900

(IntOpt) VNC starting port

vnc_port_total = 10000

(IntOpt) Total number of VNC ports

Table 2.60. Description of volumes configuration options


Configuration option = Default value

Description

[DEFAULT]
block_device_allocate_retries = 60

(IntOpt) Number of times to retry block device allocation on failures

block_device_allocate_retries_interval = 3

(IntOpt) Waiting time interval (seconds) between block device allocation retries on failures

volume_api_class = nova.volume.cinder.API

(StrOpt) The full class name of the volume API class to use

volume_usage_poll_interval = 0

(IntOpt) Interval in seconds for gathering volume usages

[baremetal]
iscsi_iqn_prefix = iqn.2010-10.org.openstack.baremetal

(StrOpt) The iSCSI IQN prefix used in baremetal volume connections.

volume_driver = nova.virt.baremetal.volume_driver.LibvirtVolumeDriver

(StrOpt) Baremetal volume driver.

[cinder]
api_insecure = False

(BoolOpt) Allow to perform insecure SSL requests to cinder

ca_certificates_file = None

(StrOpt) Location of ca certificates file to use for cinder client requests.

catalog_info = volume:cinder:publicURL

(StrOpt) Info to match when looking for cinder in the service catalog. Format is: separated values of the form: <service_type>:<service_name>:<endpoint_type>

cross_az_attach = True

(BoolOpt) Allow attach between instance and volume in different availability zones.

endpoint_template = None

(StrOpt) Override service catalog lookup with template for cinder endpoint e.g. http://localhost:8776/v1/%(project_id)s

http_retries = 3

(IntOpt) Number of cinderclient retries on failed http calls

http_timeout = None

(IntOpt) HTTP inactivity timeout (in seconds)

os_region_name = None

(StrOpt) Region name of this node

[hyperv]
force_volumeutils_v1 = False

(BoolOpt) Force V1 volume utility class

volume_attach_retry_count = 10

(IntOpt) The number of times to retry to attach a volume

volume_attach_retry_interval = 5

(IntOpt) Interval between volume attachment attempts, in seconds

[libvirt]
glusterfs_mount_point_base = $state_path/mnt

(StrOpt) Directory where the glusterfs volume is mounted on the compute node

nfs_mount_options = None

(StrOpt) Mount options passed to the NFS client. See section of the nfs man page for details

nfs_mount_point_base = $state_path/mnt

(StrOpt) Directory where the NFS volume is mounted on the compute node

num_aoe_discover_tries = 3

(IntOpt) Number of times to rediscover AoE target to find volume

num_iscsi_scan_tries = 5

(IntOpt) Number of times to rescan iSCSI target to find volume

num_iser_scan_tries = 5

(IntOpt) Number of times to rescan iSER target to find volume

qemu_allowed_storage_drivers =

(ListOpt) Protocols listed here will be accessed directly from QEMU. Currently supported protocols: [gluster]

rbd_secret_uuid = None

(StrOpt) The libvirt UUID of the secret for the rbd_user volumes

rbd_user = None

(StrOpt) The RADOS client name for accessing rbd volumes

scality_sofs_config = None

(StrOpt) Path or URL to Scality SOFS configuration file

scality_sofs_mount_point = $state_path/scality

(StrOpt) Base dir where Scality SOFS shall be mounted

[xenserver]
block_device_creation_timeout = 10

(IntOpt) Time to wait for a block device to be created

Table 2.61. Description of VPN configuration options


Configuration option = Default value

Description

[DEFAULT]
boot_script_template = $pybasedir/nova/cloudpipe/bootscript.template

(StrOpt) Template for cloudpipe instance boot script

dmz_cidr =

(ListOpt) A list of dmz range that should be accepted

dmz_mask = 255.255.255.0

(StrOpt) Netmask to push into openvpn config

dmz_net = 10.0.0.0

(StrOpt) Network to push into openvpn config

vpn_flavor = m1.tiny

(StrOpt) Flavor for vpn instances

vpn_image_id = 0

(StrOpt) Image ID used when starting up a cloudpipe vpn server

vpn_ip = $my_ip

(StrOpt) Public IP for the cloudpipe VPN servers

vpn_key_suffix = -vpn

(StrOpt) Suffix to add to project name for vpn key and secgroups

vpn_start = 1000

(IntOpt) First Vpn port for private networks

Table 2.62. Description of Xen configuration options


Configuration option = Default value

Description

[DEFAULT]
console_driver = nova.console.xvp.XVPConsoleProxy

(StrOpt) Driver to use for the console proxy

console_vmrc_error_retries = 10

(IntOpt) DEPRECATED. Number of retries for retrieving VMRC information

console_vmrc_port = 443

(IntOpt) DEPRECATED. Port for VMware VMRC connections

console_xvp_conf = /etc/xvp.conf

(StrOpt) Generated XVP conf file

console_xvp_conf_template = $pybasedir/nova/console/xvp.conf.template

(StrOpt) XVP conf template

console_xvp_log = /var/log/xvp.log

(StrOpt) XVP log file

console_xvp_multiplex_port = 5900

(IntOpt) Port for XVP to multiplex VNC connections on

console_xvp_pid = /var/run/xvp.pid

(StrOpt) XVP master process pid file

stub_compute = False

(BoolOpt) Stub calls to compute worker for tests

[libvirt]
xen_hvmloader_path = /usr/lib/xen/boot/hvmloader

(StrOpt) Location where the Xen hvmloader is kept

[xenserver]
agent_path = usr/sbin/xe-update-networking

(StrOpt) Specifies the path in which the XenAPI guest agent should be located. If the agent is present, network configuration is not injected into the image. Used if compute_driver=xenapi.XenAPIDriver and flat_injected=True

agent_resetnetwork_timeout = 60

(IntOpt) Number of seconds to wait for agent reply to resetnetwork request

agent_timeout = 30

(IntOpt) Number of seconds to wait for agent reply

agent_version_timeout = 300

(IntOpt) Number of seconds to wait for agent to be fully operational

cache_images = all

(StrOpt) Cache glance images locally. `all` will cache all images, `some` will only cache images that have the image_property `cache_in_nova=True`, and `none` turns off caching entirely

check_host = True

(BoolOpt) Ensure compute service is running on host XenAPI connects to.

connection_concurrent = 5

(IntOpt) Maximum number of concurrent XenAPI connections. Used only if compute_driver=xenapi.XenAPIDriver

connection_password = None

(StrOpt) Password for connection to XenServer/Xen Cloud Platform. Used only if compute_driver=xenapi.XenAPIDriver

connection_url = None

(StrOpt) URL for connection to XenServer/Xen Cloud Platform. A special value of unix://local can be used to connect to the local unix socket. Required if compute_driver=xenapi.XenAPIDriver

connection_username = root

(StrOpt) Username for connection to XenServer/Xen Cloud Platform. Used only if compute_driver=xenapi.XenAPIDriver

default_os_type = linux

(StrOpt) Default OS type

disable_agent = False

(BoolOpt) Disables the use of the XenAPI agent in any image regardless of what image properties are present.

image_compression_level = None

(IntOpt) Compression level for images, e.g., 9 for gzip -9. Range is 1-9, 9 being most compressed but most CPU intensive on dom0.

image_upload_handler = nova.virt.xenapi.image.glance.GlanceStore

(StrOpt) Dom0 plugin driver used to handle image uploads.

introduce_vdi_retry_wait = 20

(IntOpt) Number of seconds to wait for an SR to settle if the VDI does not exist when first introduced

ipxe_boot_menu_url = None

(StrOpt) URL to the iPXE boot menu

ipxe_mkisofs_cmd = mkisofs

(StrOpt) Name and optionally path of the tool used for ISO image creation

ipxe_network_name = None

(StrOpt) Name of network to use for booting iPXE ISOs

iqn_prefix = iqn.2010-10.org.openstack

(StrOpt) IQN Prefix

login_timeout = 10

(IntOpt) Timeout in seconds for XenAPI login.

max_kernel_ramdisk_size = 16777216

(IntOpt) Maximum size in bytes of kernel or ramdisk images

num_vbd_unplug_retries = 10

(IntOpt) Maximum number of retries to unplug VBD

ovs_integration_bridge = xapi1

(StrOpt) Name of Integration Bridge used by Open vSwitch

remap_vbd_dev = False

(BoolOpt) Used to enable the remapping of VBD dev (Works around an issue in Ubuntu Maverick)

remap_vbd_dev_prefix = sd

(StrOpt) Specify prefix to remap VBD dev to (ex. /dev/xvdb -> /dev/sdb)

running_timeout = 60

(IntOpt) Number of seconds to wait for instance to go to running state

sparse_copy = True

(BoolOpt) Whether to use sparse_copy for copying data on a resize down (False will use standard dd). This speeds up resizes down considerably since large runs of zeros won't have to be rsynced

sr_base_path = /var/run/sr-mount

(StrOpt) Base path to the storage repository

sr_matching_filter = default-sr:true

(StrOpt) Filter for finding the SR to be used to install guest instances on. To use the Local Storage in default XenServer/XCP installations set this flag to other-config:i18n-key=local-storage. To select an SR with a different matching criteria, you could set it to other-config:my_favorite_sr=true. On the other hand, to fall back on the Default SR, as displayed by XenCenter, set this flag to: default-sr:true

target_host = None

(StrOpt) The iSCSI Target Host

target_port = 3260

(StrOpt) The iSCSI Target Port, default is port 3260

torrent_base_url = None

(StrOpt) Base URL for torrent files.

torrent_download_stall_cutoff = 600

(IntOpt) Number of seconds a download can remain at the same progress percentage w/o being considered a stall

torrent_images = none

(StrOpt) Whether or not to download images via Bit Torrent (all|some|none).

torrent_listen_port_end = 6891

(IntOpt) End of port range to listen on

torrent_listen_port_start = 6881

(IntOpt) Beginning of port range to listen on

torrent_max_last_accessed = 86400

(IntOpt) Cached torrent files not accessed within this number of seconds can be reaped

torrent_max_seeder_processes_per_host = 1

(IntOpt) Maximum number of seeder processes to run concurrently within a given dom0. (-1 = no limit)

torrent_seed_chance = 1.0

(FloatOpt) Probability that peer will become a seeder. (1.0 = 100%)

torrent_seed_duration = 3600

(IntOpt) Number of seconds after downloading an image via BitTorrent that it should be seeded for other peers.

use_agent_default = False

(BoolOpt) Determines if the XenAPI agent should be used when the image used does not contain a hint to declare if the agent is present or not. The hint is a glance property "xenapi_use_agent" that has the value "True" or "False". Note that waiting for the agent when it is not present will significantly increase server boot times.

use_join_force = True

(BoolOpt) To use for hosts with different CPUs

vhd_coalesce_max_attempts = 20

(IntOpt) Max number of times to poll for VHD to coalesce. Used only if compute_driver=xenapi.XenAPIDriver

vhd_coalesce_poll_interval = 5.0

(FloatOpt) The interval used for polling of coalescing vhds. Used only if compute_driver=xenapi.XenAPIDriver

vif_driver = nova.virt.xenapi.vif.XenAPIBridgeDriver

(StrOpt) The XenAPI VIF driver using XenServer Network APIs.

Table 2.63. Description of XCP VNC proxy configuration options


Configuration option = Default value

Description

[DEFAULT]
xvpvncproxy_base_url = http://127.0.0.1:6081/console

(StrOpt) Location of nova xvp VNC console proxy, in the form "http://127.0.0.1:6081/console"

xvpvncproxy_host = 0.0.0.0

(StrOpt) Address that the XCP VNC proxy should bind to

xvpvncproxy_port = 6081

(IntOpt) Port that the XCP VNC proxy should bind to

Table 2.64. Description of Zookeeper configuration options


Configuration option = Default value

Description

[zookeeper]
address = None

(StrOpt) The ZooKeeper addresses for servicegroup service in the format of host1:port,host2:port,host3:port

recv_timeout = 4000

(IntOpt) The recv_timeout parameter for the zk session

sg_prefix = /servicegroups

(StrOpt) The prefix used in ZooKeeper to store ephemeral nodes

sg_retry_interval = 5

(IntOpt) Number of seconds to wait until retrying to join the session

Additional sample configuration files


Files in this section can be found in /etc/nova.

api-paste.ini
The Compute service stores its API configuration settings in the api-paste.ini file.
############
# Metadata #
############
[composite:metadata]
use = egg:Paste#urlmap
/: meta
[pipeline:meta]
pipeline = ec2faultwrap logrequest metaapp
[app:metaapp]
paste.app_factory = nova.api.metadata.handler:MetadataRequestHandler.factory
#######
# EC2 #
#######
[composite:ec2]
use = egg:Paste#urlmap
/services/Cloud: ec2cloud
[composite:ec2cloud]
use = call:nova.api.auth:pipeline_factory
noauth = ec2faultwrap logrequest ec2noauth cloudrequest validator ec2executor
keystone = ec2faultwrap logrequest ec2keystoneauth cloudrequest validator ec2executor
[filter:ec2faultwrap]
paste.filter_factory = nova.api.ec2:FaultWrapper.factory
[filter:logrequest]
paste.filter_factory = nova.api.ec2:RequestLogging.factory
[filter:ec2lockout]
paste.filter_factory = nova.api.ec2:Lockout.factory
[filter:ec2keystoneauth]
paste.filter_factory = nova.api.ec2:EC2KeystoneAuth.factory
[filter:ec2noauth]
paste.filter_factory = nova.api.ec2:NoAuth.factory
[filter:cloudrequest]
controller = nova.api.ec2.cloud.CloudController
paste.filter_factory = nova.api.ec2:Requestify.factory
[filter:authorizer]
paste.filter_factory = nova.api.ec2:Authorizer.factory
[filter:validator]
paste.filter_factory = nova.api.ec2:Validator.factory
[app:ec2executor]
paste.app_factory = nova.api.ec2:Executor.factory
#############
# OpenStack #
#############
[composite:osapi_compute]
use = call:nova.api.openstack.urlmap:urlmap_factory
/: oscomputeversions
/v1.1: openstack_compute_api_v2
/v2: openstack_compute_api_v2
/v3: openstack_compute_api_v3
[composite:openstack_compute_api_v2]
use = call:nova.api.auth:pipeline_factory
noauth = faultwrap sizelimit noauth ratelimit osapi_compute_app_v2
keystone = faultwrap sizelimit authtoken keystonecontext ratelimit osapi_compute_app_v2
keystone_nolimit = faultwrap sizelimit authtoken keystonecontext osapi_compute_app_v2
[composite:openstack_compute_api_v3]
use = call:nova.api.auth:pipeline_factory_v3
noauth = faultwrap sizelimit noauth_v3 osapi_compute_app_v3
keystone = faultwrap sizelimit authtoken keystonecontext osapi_compute_app_v3
[filter:faultwrap]
paste.filter_factory = nova.api.openstack:FaultWrapper.factory
[filter:noauth]
paste.filter_factory = nova.api.openstack.auth:NoAuthMiddleware.factory
[filter:noauth_v3]
paste.filter_factory = nova.api.openstack.auth:NoAuthMiddlewareV3.factory
[filter:ratelimit]
paste.filter_factory = nova.api.openstack.compute.limits:RateLimitingMiddleware.factory
[filter:sizelimit]
paste.filter_factory = nova.api.sizelimit:RequestBodySizeLimiter.factory
[app:osapi_compute_app_v2]
paste.app_factory = nova.api.openstack.compute:APIRouter.factory
[app:osapi_compute_app_v3]
paste.app_factory = nova.api.openstack.compute:APIRouterV3.factory
[pipeline:oscomputeversions]
pipeline = faultwrap oscomputeversionapp
[app:oscomputeversionapp]
paste.app_factory = nova.api.openstack.compute.versions:Versions.factory
##########
# Shared #
##########
[filter:keystonecontext]
paste.filter_factory = nova.api.auth:NovaKeystoneContext.factory
[filter:authtoken]
paste.filter_factory = keystoneclient.middleware.auth_token:filter_factory
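
An audit of the pipelines in the file above, as an added example that is not part of the OpenStack guide or nova's own code: it resolves every filter name to its factory and reports which pipelines contain an authenticating filter, which run a NoAuth filter, and which filters are defined but appear in no pipeline. SAMPLE_INI is a constructed excerpt of the file above; the function names and verdict labels are assumptions made for this example.

```python
import configparser

# Constructed excerpt of the api-paste.ini shown above (continuation lines indented).
SAMPLE_INI = """\
[composite:ec2cloud]
use = call:nova.api.auth:pipeline_factory
noauth = ec2faultwrap logrequest ec2noauth cloudrequest validator ec2executor
keystone = ec2faultwrap logrequest ec2keystoneauth cloudrequest validator
    ec2executor
[composite:openstack_compute_api_v2]
use = call:nova.api.auth:pipeline_factory
noauth = faultwrap sizelimit noauth ratelimit osapi_compute_app_v2
keystone = faultwrap sizelimit authtoken keystonecontext ratelimit
    osapi_compute_app_v2
[pipeline:meta]
pipeline = ec2faultwrap logrequest metaapp
[filter:ec2faultwrap]
paste.filter_factory = nova.api.ec2:FaultWrapper.factory
[filter:logrequest]
paste.filter_factory = nova.api.ec2:RequestLogging.factory
[filter:ec2lockout]
paste.filter_factory = nova.api.ec2:Lockout.factory
[filter:ec2keystoneauth]
paste.filter_factory = nova.api.ec2:EC2KeystoneAuth.factory
[filter:ec2noauth]
paste.filter_factory = nova.api.ec2:NoAuth.factory
[filter:cloudrequest]
paste.filter_factory = nova.api.ec2:Requestify.factory
[filter:authorizer]
paste.filter_factory = nova.api.ec2:Authorizer.factory
[filter:validator]
paste.filter_factory = nova.api.ec2:Validator.factory
[filter:faultwrap]
paste.filter_factory = nova.api.openstack:FaultWrapper.factory
[filter:noauth]
paste.filter_factory = nova.api.openstack.auth:NoAuthMiddleware.factory
[filter:ratelimit]
paste.filter_factory = nova.api.openstack.compute.limits:RateLimitingMiddleware.factory
[filter:sizelimit]
paste.filter_factory = nova.api.sizelimit:RequestBodySizeLimiter.factory
[filter:keystonecontext]
paste.filter_factory = nova.api.auth:NovaKeystoneContext.factory
[filter:authtoken]
paste.filter_factory = keystoneclient.middleware.auth_token:filter_factory
"""

# Factories in the file above that authenticate the caller. Matching on the
# factory rather than the filter name survives a renamed [filter:...] section.
AUTH_FACTORIES = {
    "keystoneclient.middleware.auth_token:filter_factory",
    "nova.api.ec2:EC2KeystoneAuth.factory",
}


def load(text):
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.optionxform = str  # keep option names exactly as written
    cfg.read_string(text)
    return cfg


def pipelines(cfg):
    """Map (section, key) to the ordered names in each pipeline: filters, then app."""
    found = {}
    for section in cfg.sections():
        kind = section.split(":", 1)[0]
        if kind == "pipeline":
            found[(section, "pipeline")] = cfg[section]["pipeline"].split()
        elif kind == "composite" and "pipeline_factory" in cfg[section].get("use", ""):
            # Every key except "use" names one alternative pipeline.
            for key, value in cfg[section].items():
                if key != "use":
                    found[(section, key)] = value.split()
    return found


def classify(cfg, names):
    """Return 'authenticated', 'noauth' or 'no-auth-filter' for one pipeline."""
    factories = [cfg.get("filter:" + n, "paste.filter_factory", fallback="")
                 for n in names[:-1]]  # the last name is the app, not a filter
    if any(f in AUTH_FACTORIES for f in factories):
        return "authenticated"
    if any("NoAuth" in f for f in factories):
        return "noauth"
    return "no-auth-filter"


def unused_filters(cfg):
    """Filters that have a [filter:...] section but appear in no pipeline."""
    used = {n for names in pipelines(cfg).values() for n in names[:-1]}
    defined = {s.split(":", 1)[1] for s in cfg.sections() if s.startswith("filter:")}
    return sorted(defined - used)


def audit(text):
    cfg = load(text)
    return {where: classify(cfg, names) for where, names in pipelines(cfg).items()}


if __name__ == "__main__":
    for (section, key), verdict in audit(SAMPLE_INI).items():
        print(f"{section:40} {key:10} {verdict}")
    print("defined but unused:", unused_filters(load(SAMPLE_INI)))
```

A "no-auth-filter" verdict means the pipeline relies entirely on the application at its end for any caller checks, and a filter reported as unused (here the lockout and authorizer filters) provides no protection until it is named in a pipeline.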

policy.json
The policy.json file defines additional access controls that apply to the Compute service.
{
"context_is_admin": "role:admin",
"admin_or_owner": "is_admin:True or project_id:%(project_id)s",
"default": "rule:admin_or_owner",
"cells_scheduler_filter:TargetCellFilter": "is_admin:True",
"compute:create": "",
"compute:create:attach_network": "",
"compute:create:attach_volume": "",
"compute:create:forced_host": "is_admin:True",
"compute:get_all": "",
"compute:get_all_tenants": "",
"compute:start": "rule:admin_or_owner",
"compute:stop": "rule:admin_or_owner",
"compute:unlock_override": "rule:admin_api",
"compute:shelve": "",
"compute:shelve_offload": "",
"compute:unshelve": "",
"compute:volume_snapshot_create": "",
"compute:volume_snapshot_delete": "",
"admin_api": "is_admin:True",
"compute:v3:servers:start": "rule:admin_or_owner",
"compute:v3:servers:stop": "rule:admin_or_owner",
"compute_extension:v3:os-access-ips:discoverable": "",
"compute_extension:v3:os-access-ips": "",
"compute_extension:accounts": "rule:admin_api",
"compute_extension:admin_actions": "rule:admin_api",
"compute_extension:admin_actions:pause": "rule:admin_or_owner",
"compute_extension:admin_actions:unpause": "rule:admin_or_owner",
"compute_extension:admin_actions:suspend": "rule:admin_or_owner",
"compute_extension:admin_actions:resume": "rule:admin_or_owner",
"compute_extension:admin_actions:lock": "rule:admin_or_owner",
"compute_extension:admin_actions:unlock": "rule:admin_or_owner",
"compute_extension:admin_actions:resetNetwork": "rule:admin_api",
"compute_extension:admin_actions:injectNetworkInfo": "rule:admin_api",
"compute_extension:admin_actions:createBackup": "rule:admin_or_owner",
"compute_extension:admin_actions:migrateLive": "rule:admin_api",
"compute_extension:admin_actions:resetState": "rule:admin_api",
"compute_extension:admin_actions:migrate": "rule:admin_api",
"compute_extension:v3:os-admin-actions": "rule:admin_api",
"compute_extension:v3:os-admin-actions:discoverable": "",
"compute_extension:v3:os-admin-actions:reset_network": "rule:admin_api",
"compute_extension:v3:os-admin-actions:inject_network_info":
"rule:admin_api",
"compute_extension:v3:os-admin-actions:reset_state": "rule:admin_api",
"compute_extension:v3:os-admin-password": "",
"compute_extension:v3:os-admin-password:discoverable": "",
"compute_extension:aggregates": "rule:admin_api",
"compute_extension:v3:os-aggregates:discoverable": "",
"compute_extension:v3:os-aggregates:index": "rule:admin_api",
"compute_extension:v3:os-aggregates:create": "rule:admin_api",
"compute_extension:v3:os-aggregates:show": "rule:admin_api",
"compute_extension:v3:os-aggregates:update": "rule:admin_api",
"compute_extension:v3:os-aggregates:delete": "rule:admin_api",
"compute_extension:v3:os-aggregates:add_host": "rule:admin_api",
"compute_extension:v3:os-aggregates:remove_host": "rule:admin_api",
"compute_extension:v3:os-aggregates:set_metadata": "rule:admin_api",
"compute_extension:agents": "rule:admin_api",
"compute_extension:v3:os-agents": "rule:admin_api",
"compute_extension:v3:os-agents:discoverable": "",
"compute_extension:attach_interfaces": "",
"compute_extension:v3:os-attach-interfaces": "",
"compute_extension:v3:os-attach-interfaces:discoverable": "",
"compute_extension:baremetal_nodes": "rule:admin_api",
"compute_extension:cells": "rule:admin_api",
"compute_extension:v3:os-cells": "rule:admin_api",
"compute_extension:v3:os-cells:discoverable": "",
"compute_extension:certificates": "",
"compute_extension:v3:os-certificates:create": "",
"compute_extension:v3:os-certificates:show": "",
"compute_extension:v3:os-certificates:discoverable": "",
"compute_extension:cloudpipe": "rule:admin_api",
"compute_extension:cloudpipe_update": "rule:admin_api",
"compute_extension:console_output": "",
"compute_extension:v3:consoles:discoverable": "",
"compute_extension:v3:os-console-output:discoverable": "",
"compute_extension:v3:os-console-output": "",
"compute_extension:consoles": "",
"compute_extension:v3:os-remote-consoles": "",
"compute_extension:v3:os-remote-consoles:discoverable": "",
"compute_extension:createserverext": "",
"compute_extension:v3:os-create-backup:discoverable": "",
"compute_extension:v3:os-create-backup": "rule:admin_or_owner",
"compute_extension:deferred_delete": "",
"compute_extension:v3:os-deferred-delete": "",
"compute_extension:v3:os-deferred-delete:discoverable": "",
"compute_extension:disk_config": "",
"compute_extension:evacuate": "rule:admin_api",


"compute_extension:v3:os-evacuate": "rule:admin_api",
"compute_extension:v3:os-evacuate:discoverable": "",
"compute_extension:extended_server_attributes": "rule:admin_api",
"compute_extension:v3:os-extended-server-attributes": "rule:admin_api",
"compute_extension:v3:os-extended-server-attributes:discoverable": "",
"compute_extension:extended_status": "",
"compute_extension:v3:os-extended-status": "",
"compute_extension:v3:os-extended-status:discoverable": "",
"compute_extension:extended_availability_zone": "",
"compute_extension:v3:os-extended-availability-zone": "",
"compute_extension:v3:os-extended-availability-zone:discoverable": "",
"compute_extension:extended_ips": "",
"compute_extension:extended_ips_mac": "",
"compute_extension:extended_vif_net": "",
"compute_extension:v3:extension_info:discoverable": "",
"compute_extension:extended_volumes": "",
"compute_extension:v3:os-extended-volumes": "",
"compute_extension:v3:os-extended-volumes:swap": "",
"compute_extension:v3:os-extended-volumes:discoverable": "",
"compute_extension:v3:os-extended-volumes:attach": "",
"compute_extension:v3:os-extended-volumes:detach": "",
"compute_extension:fixed_ips": "rule:admin_api",
"compute_extension:flavor_access": "",
"compute_extension:flavor_access:addTenantAccess": "rule:admin_api",
"compute_extension:flavor_access:removeTenantAccess": "rule:admin_api",
"compute_extension:v3:flavor-access": "",
"compute_extension:v3:flavor-access:discoverable": "",
"compute_extension:v3:flavor-access:remove_tenant_access":
"rule:admin_api",
"compute_extension:v3:flavor-access:add_tenant_access": "rule:admin_api",
"compute_extension:flavor_disabled": "",
"compute_extension:flavor_rxtx": "",
"compute_extension:v3:os-flavor-rxtx": "",
"compute_extension:v3:os-flavor-rxtx:discoverable": "",
"compute_extension:flavor_swap": "",
"compute_extension:flavorextradata": "",
"compute_extension:flavorextraspecs:index": "",
"compute_extension:flavorextraspecs:show": "",
"compute_extension:flavorextraspecs:create": "rule:admin_api",
"compute_extension:flavorextraspecs:update": "rule:admin_api",
"compute_extension:flavorextraspecs:delete": "rule:admin_api",
"compute_extension:v3:flavors:discoverable": "",
"compute_extension:v3:flavor-extra-specs:discoverable": "",
"compute_extension:v3:flavor-extra-specs:index": "",
"compute_extension:v3:flavor-extra-specs:show": "",
"compute_extension:v3:flavor-extra-specs:create": "rule:admin_api",
"compute_extension:v3:flavor-extra-specs:update": "rule:admin_api",
"compute_extension:v3:flavor-extra-specs:delete": "rule:admin_api",
"compute_extension:flavormanage": "rule:admin_api",
"compute_extension:v3:flavor-manage": "rule:admin_api",
"compute_extension:floating_ip_dns": "",
"compute_extension:floating_ip_pools": "",
"compute_extension:floating_ips": "",
"compute_extension:floating_ips_bulk": "rule:admin_api",
"compute_extension:fping": "",
"compute_extension:fping:all_tenants": "rule:admin_api",
"compute_extension:hide_server_addresses": "is_admin:False",
"compute_extension:v3:os-hide-server-addresses": "is_admin:False",
"compute_extension:v3:os-hide-server-addresses:discoverable": "",
"compute_extension:hosts": "rule:admin_api",


"compute_extension:v3:os-hosts": "rule:admin_api",
"compute_extension:v3:os-hosts:discoverable": "",
"compute_extension:hypervisors": "rule:admin_api",
"compute_extension:v3:os-hypervisors": "rule:admin_api",
"compute_extension:v3:os-hypervisors:discoverable": "",
"compute_extension:image_size": "",
"compute_extension:instance_actions": "",
"compute_extension:v3:os-instance-actions": "",
"compute_extension:v3:os-instance-actions:discoverable": "",
"compute_extension:instance_actions:events": "rule:admin_api",
"compute_extension:v3:os-instance-actions:events": "rule:admin_api",
"compute_extension:instance_usage_audit_log": "rule:admin_api",
"compute_extension:v3:ips:discoverable": "",
"compute_extension:keypairs": "",
"compute_extension:keypairs:index": "",
"compute_extension:keypairs:show": "",
"compute_extension:keypairs:create": "",
"compute_extension:keypairs:delete": "",
"compute_extension:v3:keypairs:discoverable": "",
"compute_extension:v3:keypairs": "",
"compute_extension:v3:keypairs:index": "",
"compute_extension:v3:keypairs:show": "",
"compute_extension:v3:keypairs:create": "",
"compute_extension:v3:keypairs:delete": "",
"compute_extension:v3:os-lock-server:discoverable": "",
"compute_extension:v3:os-lock-server:lock": "rule:admin_or_owner",
"compute_extension:v3:os-lock-server:unlock": "rule:admin_or_owner",
"compute_extension:v3:os-migrate-server:discoverable": "",
"compute_extension:v3:os-migrate-server:migrate": "rule:admin_api",
"compute_extension:v3:os-migrate-server:migrate_live": "rule:admin_api",
"compute_extension:multinic": "",
"compute_extension:v3:os-multinic": "",
"compute_extension:v3:os-multinic:discoverable": "",
"compute_extension:networks": "rule:admin_api",
"compute_extension:networks:view": "",
"compute_extension:networks_associate": "rule:admin_api",
"compute_extension:v3:os-pause-server:discoverable": "",
"compute_extension:v3:os-pause-server:pause": "rule:admin_or_owner",
"compute_extension:v3:os-pause-server:unpause": "rule:admin_or_owner",
"compute_extension:v3:os-pci:pci_servers": "",
"compute_extension:v3:os-pci:discoverable": "",
"compute_extension:v3:os-pci:index": "rule:admin_api",
"compute_extension:v3:os-pci:detail": "rule:admin_api",
"compute_extension:v3:os-pci:show": "rule:admin_api",
"compute_extension:quotas:show": "",
"compute_extension:quotas:update": "rule:admin_api",
"compute_extension:quotas:delete": "rule:admin_api",
"compute_extension:v3:os-quota-sets:discoverable": "",
"compute_extension:v3:os-quota-sets:show": "",
"compute_extension:v3:os-quota-sets:update": "rule:admin_api",
"compute_extension:v3:os-quota-sets:delete": "rule:admin_api",
"compute_extension:v3:os-quota-sets:detail": "rule:admin_api",
"compute_extension:quota_classes": "",
"compute_extension:rescue": "",
"compute_extension:v3:os-rescue": "",
"compute_extension:v3:os-rescue:discoverable": "",
"compute_extension:v3:os-scheduler-hints:discoverable": "",
"compute_extension:security_group_default_rules": "rule:admin_api",
"compute_extension:security_groups": "",
"compute_extension:v3:os-security-groups": "",


"compute_extension:v3:os-security-groups:discoverable": "",
"compute_extension:server_diagnostics": "rule:admin_api",
"compute_extension:v3:os-server-diagnostics": "rule:admin_api",
"compute_extension:v3:os-server-diagnostics:discoverable": "",
"compute_extension:server_groups": "",
"compute_extension:server_password": "",
"compute_extension:v3:os-server-password": "",
"compute_extension:v3:os-server-password:discoverable": "",
"compute_extension:server_usage": "",
"compute_extension:v3:os-server-usage": "",
"compute_extension:v3:os-server-usage:discoverable": "",
"compute_extension:services": "rule:admin_api",
"compute_extension:v3:os-services": "rule:admin_api",
"compute_extension:v3:os-services:discoverable": "",
"compute_extension:v3:server-metadata:discoverable": "",
"compute_extension:v3:servers:discoverable": "",
"compute_extension:shelve": "",
"compute_extension:shelveOffload": "rule:admin_api",
"compute_extension:v3:os-shelve:shelve": "",
"compute_extension:v3:os-shelve:shelve:discoverable": "",
"compute_extension:v3:os-shelve:shelve_offload": "rule:admin_api",
"compute_extension:simple_tenant_usage:show": "rule:admin_or_owner",
"compute_extension:v3:os-suspend-server:discoverable": "",
"compute_extension:v3:os-suspend-server:suspend": "rule:admin_or_owner",
"compute_extension:v3:os-suspend-server:resume": "rule:admin_or_owner",
"compute_extension:simple_tenant_usage:list": "rule:admin_api",
"compute_extension:unshelve": "",
"compute_extension:v3:os-shelve:unshelve": "",
"compute_extension:users": "rule:admin_api",
"compute_extension:v3:os-user-data:discoverable": "",
"compute_extension:virtual_interfaces": "",
"compute_extension:virtual_storage_arrays": "",
"compute_extension:volumes": "",
"compute_extension:volume_attachments:index": "",
"compute_extension:volume_attachments:show": "",
"compute_extension:volume_attachments:create": "",
"compute_extension:volume_attachments:update": "",
"compute_extension:volume_attachments:delete": "",
"compute_extension:volumetypes": "",
"compute_extension:availability_zone:list": "",
"compute_extension:v3:os-availability-zone:list": "",
"compute_extension:v3:os-availability-zone:discoverable": "",
"compute_extension:availability_zone:detail": "rule:admin_api",
"compute_extension:v3:os-availability-zone:detail": "rule:admin_api",
"compute_extension:used_limits_for_admin": "rule:admin_api",
"compute_extension:migrations:index": "rule:admin_api",
"compute_extension:v3:os-migrations:index": "rule:admin_api",
"compute_extension:v3:os-migrations:discoverable": "",
"compute_extension:os-assisted-volume-snapshots:create": "rule:admin_api",
"compute_extension:os-assisted-volume-snapshots:delete": "rule:admin_api",
"compute_extension:console_auth_tokens": "rule:admin_api",
"compute_extension:v3:os-console-auth-tokens": "rule:admin_api",
"compute_extension:os-server-external-events:create": "rule:admin_api",
"compute_extension:v3:os-server-external-events:create": "rule:admin_api",
"volume:create": "",
"volume:get_all": "",
"volume:get_volume_metadata": "",
"volume:get_snapshot": "",
"volume:get_all_snapshots": "",


"volume_extension:types_manage": "rule:admin_api",
"volume_extension:types_extra_specs": "rule:admin_api",
"volume_extension:volume_admin_actions:reset_status": "rule:admin_api",
"volume_extension:snapshot_admin_actions:reset_status": "rule:admin_api",
"volume_extension:volume_admin_actions:force_delete": "rule:admin_api",

"network:get_all": "",
"network:get": "",
"network:create": "",
"network:delete": "",
"network:associate": "",
"network:disassociate": "",
"network:get_vifs_by_instance": "",
"network:allocate_for_instance": "",
"network:deallocate_for_instance": "",
"network:validate_networks": "",
"network:get_instance_uuids_by_ip_filter": "",
"network:get_instance_id_by_floating_address": "",
"network:setup_networks_on_host": "",
"network:get_backdoor_port": "",
"network:get_floating_ip": "",
"network:get_floating_ip_pools": "",
"network:get_floating_ip_by_address": "",
"network:get_floating_ips_by_project": "",
"network:get_floating_ips_by_fixed_address": "",
"network:allocate_floating_ip": "",
"network:deallocate_floating_ip": "",
"network:associate_floating_ip": "",
"network:disassociate_floating_ip": "",
"network:release_floating_ip": "",
"network:migrate_instance_start": "",
"network:migrate_instance_finish": "",
"network:get_fixed_ip": "",
"network:get_fixed_ip_by_address": "",
"network:add_fixed_ip_to_instance": "",
"network:remove_fixed_ip_from_instance": "",
"network:add_network_to_project": "",
"network:get_instance_nw_info": "",
"network:get_dns_domains": "",
"network:add_dns_entry": "",
"network:modify_dns_entry": "",
"network:delete_dns_entry": "",
"network:get_dns_entries_by_address": "",
"network:get_dns_entries_by_name": "",
"network:create_private_dns_domain": "",
"network:create_public_dns_domain": "",
"network:delete_dns_domain": ""
}


rootwrap.conf
The rootwrap.conf file defines configuration values used by the rootwrap script when
the Compute service needs to escalate its privileges to those of the root user.
# Configuration for nova-rootwrap
# This file should be owned by (and only-writeable by) the root user
[DEFAULT]
# List of directories to load filter definitions from (separated by ',').
# These directories MUST all be only writeable by root !
filters_path=/etc/nova/rootwrap.d,/usr/share/nova/rootwrap
# List of directories to search executables in, in case filters do not
# explicitly specify a full path (separated by ',')
# If not specified, defaults to system PATH environment variable.
# These directories MUST all be only writeable by root !
exec_dirs=/sbin,/usr/sbin,/bin,/usr/bin
# Enable logging to syslog
# Default value is False
use_syslog=False
# Which syslog facility to use.
# Valid values include auth, authpriv, syslog, user0, user1...
# Default value is 'syslog'
syslog_log_facility=syslog
# Which messages to log.
# INFO means log all usage
# ERROR means only log unsuccessful attempts
syslog_log_level=ERROR
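
The comments in rootwrap.conf require that the file itself and every directory named in filters_path and exec_dirs be writable only by root. The following check is an added example, not part of the original reference or of nova: it parses the file and reports any path that breaks that rule. The function names and the trusted_uid parameter are assumptions made for this example, and /etc/nova/rootwrap.conf is assumed as the default location.

```python
import configparser
import os
import stat
import sys

# Options in rootwrap.conf whose values are comma-separated directory lists.
DIR_OPTIONS = ("filters_path", "exec_dirs")


def check_path(path, trusted_uid=0):
    """Return a list of problems for one path; an empty list means it is fine."""
    try:
        st = os.stat(path)  # follows symlinks: the target is what gets used
    except FileNotFoundError:
        return ["does not exist"]
    problems = []
    if st.st_uid != trusted_uid:
        problems.append("owned by uid %d, expected %d" % (st.st_uid, trusted_uid))
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("writable by group or others (mode %o)"
                        % stat.S_IMODE(st.st_mode))
    return problems


def audit_rootwrap(conf_path, trusted_uid=0):
    """Check rootwrap.conf and every directory it trusts.

    Returns {path: [problems]} for the paths that have problems.
    trusted_uid is a hypothetical knob for this example (0 means root).
    """
    parser = configparser.RawConfigParser()
    with open(conf_path) as handle:
        parser.read_file(handle)
    options = parser.defaults()  # rootwrap.conf keeps everything in [DEFAULT]

    targets = [conf_path]
    for option in DIR_OPTIONS:
        value = options.get(option)
        if value is None and option == "exec_dirs":
            # Per the file's comments, exec_dirs falls back to the PATH
            # environment variable when it is not specified.
            value = os.environ.get("PATH", "").replace(os.pathsep, ",")
        targets += [d.strip() for d in (value or "").split(",") if d.strip()]

    report = {}
    for path in targets:
        problems = check_path(path, trusted_uid)
        if problems:
            report[path] = problems
    return report


if __name__ == "__main__":
    # Assumed default location; pass another path as the first argument.
    conf = sys.argv[1] if len(sys.argv) > 1 else "/etc/nova/rootwrap.conf"
    try:
        findings = audit_rootwrap(conf)
    except FileNotFoundError:
        sys.exit("%s: does not exist" % conf)
    for path, problems in sorted(findings.items()):
        print("%s: %s" % (path, "; ".join(problems)))
    sys.exit(1 if findings else 0)
```

A directory reported as missing is worth reviewing too, because whoever can create it later controls what rootwrap loads from it.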

New, updated and deprecated options in Juno for OpenStack Compute

Table 2.65. New options
Option = default value
(Type) Help string

[DEFAULT] baremetal_scheduler_default_filters = ['RetryFilter', 'AvailabilityZoneFilter', 'ComputeFilter', 'ComputeCapabilitiesFilter', 'ImagePropertiesFilter', 'ExactRamFilter', 'ExactDiskFilter', 'ExactCoreFilter']
(ListOpt) Which filter class names to use for filtering baremetal hosts when not specified in the request.

[DEFAULT] block_device_allocate_retries = 60
(IntOpt) Number of times to retry block device allocation on failures

[DEFAULT] block_device_allocate_retries_interval = 3
(IntOpt) Waiting time interval (seconds) between block device allocation retries on failures

[DEFAULT] compute_resources = ['vcpu']
(ListOpt) The names of the extra resources to track.

[DEFAULT] quota_injected_file_path_length = 255
(IntOpt) Length of injected file path

[DEFAULT] quota_server_group_members = 10
(IntOpt) Number of servers per server group

[DEFAULT] quota_server_groups = 10
(IntOpt) Number of server groups per project


[DEFAULT] scheduler_use_baremetal_filters = False
(BoolOpt) Flag to decide whether to use baremetal_scheduler_default_filters or not.

[DEFAULT] shutdown_timeout = 60
(IntOpt) Total amount of time to wait in seconds for an instance to perform a clean shutdown.

[cinder] api_insecure = False
(BoolOpt) Allow to perform insecure SSL requests to cinder

[cinder] ca_certificates_file = None
(StrOpt) Location of ca certificates file to use for cinder client requests.

[cinder] catalog_info = volume:cinder:publicURL
(StrOpt) Info to match when looking for cinder in the service catalog. Format is: separated values of the form: <service_type>:<service_name>:<endpoint_type>

[cinder] cross_az_attach = True
(BoolOpt) Allow attach between instance and volume in different availability zones.

[cinder] endpoint_template = None
(StrOpt) Override service catalog lookup with template for cinder endpoint e.g. http://localhost:8776/v1/%(project_id)s

[cinder] http_retries = 3
(IntOpt) Number of cinderclient retries on failed http calls

[cinder] http_timeout = None
(IntOpt) HTTP inactivity timeout (in seconds)

[cinder] os_region_name = None
(StrOpt) Region name of this node

[database] use_tpool = False
(BoolOpt) Enable the experimental use of thread pooling for all DB API calls

[ephemeral_storage_encryption] cipher = aes-xts-plain64
(StrOpt) The cipher and mode to be used to encrypt ephemeral storage. Which ciphers are available depends on kernel support. See /proc/crypto for the list of available options.

[ephemeral_storage_encryption] enabled = False
(BoolOpt) Whether to encrypt ephemeral storage

[ephemeral_storage_encryption] key_size = 512
(IntOpt) The bit length of the encryption key to be used to encrypt ephemeral storage (in XTS mode only half of the bits are used for encryption key)

[glance] allowed_direct_url_schemes = []
(ListOpt) A list of URL schemes that can be downloaded directly via the direct_url. Currently supported schemes: [file].

[glance] api_insecure = False
(BoolOpt) Allow to perform insecure SSL (https) requests to glance

[glance] api_servers = None
(ListOpt) A list of the glance api servers available to nova. Prefix with https:// for ssl-based glance api servers. ([hostname|ip]:port)

[glance] host = $my_ip
(StrOpt) Default glance hostname or IP address

[glance] num_retries = 0
(IntOpt) Number of retries when downloading an image from glance

[glance] port = 9292
(IntOpt) Default glance port

[glance] protocol = http
(StrOpt) Default protocol to use when connecting to glance. Set to https for SSL.

[hyperv] wait_soft_reboot_seconds = 60
(IntOpt) Number of seconds to wait for instance to shut down after soft reboot request is made. We fall back to hard reboot if instance does not shut down within this window.

[ironic] admin_auth_token = None
(StrOpt) Ironic keystone auth token.

[ironic] admin_password = None
(StrOpt) Ironic keystone admin password.

[ironic] admin_tenant_name = None
(StrOpt) Ironic keystone tenant name.

[ironic] admin_url = None
(StrOpt) Keystone public API endpoint.

[ironic] admin_username = None
(StrOpt) Ironic keystone admin name


[ironic] api_endpoint = None
(StrOpt) URL for Ironic API endpoint.

[ironic] api_max_retries = 60
(IntOpt) How many retries when a request does conflict.

[ironic] api_retry_interval = 2
(IntOpt) How often to retry in seconds when a request does conflict

[ironic] api_version = 1
(IntOpt) Version of Ironic API service endpoint.

[ironic] client_log_level = None
(StrOpt) Log level override for ironicclient. Set this in order to override the global "default_log_levels", "verbose", and "debug" settings.

[keystone_authtoken] check_revocations_for_cached = False
(BoolOpt) If true, the revocation list will be checked for cached tokens. This requires that PKI tokens are configured on the Keystone server.

[keystone_authtoken] hash_algorithms = ['md5']
(ListOpt) Hash algorithms to use for hashing PKI tokens. This may be a single algorithm or multiple. The algorithms are those supported by Python standard hashlib.new(). The hashes will be tried in the order given, so put the preferred one first for performance. The result of the first hash will be stored in the cache. This will typically be set to multiple values only while migrating from a less secure algorithm to a more secure one. Once all the old tokens are expired this option should be set to a single value for better performance.

[keystone_authtoken] identity_uri = None
(StrOpt) Complete admin Identity API endpoint. This should specify the unversioned root endpoint e.g. https://localhost:35357/

[libvirt] gid_maps = []
(ListOpt) List of guid targets and ranges. Syntax is guest-gid:host-gid:count. Maximum of 5 allowed.

[libvirt] hw_disk_discard = None
(StrOpt) Discard option for nova managed disks (valid options are: ignore, unmap). Need Libvirt(1.0.6) Qemu1.5 (raw format) Qemu1.6(qcow2 format)

[libvirt] hw_machine_type = None
(ListOpt) For qemu or KVM guests, set this option to specify a default machine type per host architecture. You can find a list of supported machine types in your environment by checking the output of the "virsh capabilities" command. The format of the value for this config option is host-arch=machine-type. For example: x86_64=machinetype1,armv7l=machinetype2

[libvirt] mem_stats_period_seconds = 10
(IntOpt) Period, in seconds, for collecting memory usage statistics. A zero or negative value disables memory usage statistics.

[libvirt] sysinfo_serial = auto
(StrOpt) The data source used to populate the host "serial" UUID exposed to guest in the virtual BIOS. Permitted options are "hardware", "os", "none" or "auto" (default).

[libvirt] uid_maps = []
(ListOpt) List of uid targets and ranges. Syntax is guest-uid:host-uid:count. Maximum of 5 allowed.

[neutron] admin_auth_url = http://localhost:5000/v2.0
(StrOpt) Authorization URL for connecting to neutron in admin context

[neutron] admin_password = None
(StrOpt) Password for connecting to neutron in admin context

[neutron] admin_tenant_id = None
(StrOpt) Tenant id for connecting to neutron in admin context

[neutron] admin_tenant_name = None
(StrOpt) Tenant name for connecting to neutron in admin context. This option will be ignored if neutron_admin_tenant_id is set. Note that with Keystone V3 tenant names are only unique within a domain.

[neutron] admin_user_id = None
(StrOpt) User id for connecting to neutron in admin context


[neutron] admin_username = None
(StrOpt) Username for connecting to neutron in admin context

[neutron] allow_duplicate_networks = False
(BoolOpt) Allow an instance to have multiple vNICs attached to the same Neutron network.

[neutron] api_insecure = False
(BoolOpt) If set, ignore any SSL validation issues

[neutron] auth_strategy = keystone
(StrOpt) Authorization strategy for connecting to neutron in admin context

[neutron] ca_certificates_file = None
(StrOpt) Location of CA certificates file to use for neutron client requests.

[neutron] extension_sync_interval = 600
(IntOpt) Number of seconds before querying neutron for extensions

[neutron] metadata_proxy_shared_secret =
(StrOpt) Shared secret to validate proxied Neutron metadata requests

[neutron] ovs_bridge = br-int
(StrOpt) Name of Integration Bridge used by Open vSwitch

[neutron] region_name = None
(StrOpt) Region name for connecting to neutron in admin context

[neutron] service_metadata_proxy = False
(BoolOpt) Set flag to indicate Neutron will proxy metadata requests and resolve instance ids.

[neutron] url = http://127.0.0.1:9696
(StrOpt) URL for connecting to neutron

[neutron] url_timeout = 30
(IntOpt) Timeout value for connecting to neutron in seconds

[serial_console] base_url = http://127.0.0.1:6083/
(StrOpt) Location of serial console proxy.

[serial_console] enabled = False
(BoolOpt) Enable serial console related features

[serial_console] listen = 127.0.0.1
(StrOpt) IP address on which instance serial console should listen

[serial_console] port_range = 10000:20000
(StrOpt) Range of TCP ports to use for serial ports on compute hosts

[serial_console] proxyclient_address = 127.0.0.1
(StrOpt) The address to which proxy clients (like nova-serialproxy) should connect

[vmware] host_port = 443
(IntOpt) Port for connection to VMware VC host.

Table 2.66. New default values

[DEFAULT] auth_strategy
Previous default value: noauth
New default value: keystone

[DEFAULT] default_log_levels
Previous default value: amqp=WARN, amqplib=WARN, boto=WARN, qpid=WARN, sqlalchemy=WARN, suds=INFO, oslo.messaging=INFO, iso8601=WARN
New default value: amqp=WARN, amqplib=WARN, boto=WARN, qpid=WARN, sqlalchemy=WARN, suds=INFO, oslo.messaging=INFO, iso8601=WARN, requests.packages.urllib3.connectionpool=WARN, urllib3.connectionpool=WARN, websocket=WARN, keystonemiddleware=WARN, routes.middleware=WARN, stevedore=WARN

[DEFAULT] dhcp_lease_time
Previous default value: 120
New default value: 86400

[DEFAULT] logging_context_format_string
Previous default value: %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [%(request_id)s %(user)s %(tenant)s] %(instance)s%(message)s
New default value: %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [%(request_id)s %(user_identity)s] %(instance)s%(message)s

[database] mysql_sql_mode
Previous default value: None
New default value: TRADITIONAL

[database] sqlite_db
Previous default value: nova.sqlite
New default value: oslo.sqlite


[keystone_authtoken] revocation_cache_time
Previous default value: 300
New default value: 10

[libvirt] block_migration_flag
Previous default value: VIR_MIGRATE_UNDEFINE_SOURCE, VIR_MIGRATE_PEER2PEER, VIR_MIGRATE_NON_SHARED_INC
New default value: VIR_MIGRATE_UNDEFINE_SOURCE, VIR_MIGRATE_PEER2PEER, VIR_MIGRATE_LIVE, VIR_MIGRATE_TUNNELLED, VIR_MIGRATE_NON_SHARED_INC

[libvirt] live_migration_flag
Previous default value: VIR_MIGRATE_UNDEFINE_SOURCE, VIR_MIGRATE_PEER2PEER
New default value: VIR_MIGRATE_UNDEFINE_SOURCE, VIR_MIGRATE_PEER2PEER, VIR_MIGRATE_LIVE, VIR_MIGRATE_TUNNELLED

Table 2.67. Deprecated options
Deprecated option -> New option

[DEFAULT] quota_injected_file_path_bytes -> [DEFAULT] quota_injected_file_path_length
[DEFAULT] neutron_url -> [neutron] url
[DEFAULT] neutron_ca_certificates_file -> [neutron] ca_certificates_file
[DEFAULT] neutron_api_insecure -> [neutron] api_insecure
[DEFAULT] neutron_admin_username -> [neutron] admin_username
[DEFAULT] neutron_auth_strategy -> [neutron] auth_strategy
[DEFAULT] glance_api_servers -> [glance] api_servers
[DEFAULT] neutron_admin_tenant_id -> [neutron] admin_tenant_id
[DEFAULT] neutron_admin_tenant_name -> [neutron] admin_tenant_name
[DEFAULT] neutron_metadata_proxy_shared_secret -> [neutron] metadata_proxy_shared_secret
[DEFAULT] glance_port -> [glance] port
[DEFAULT] neutron_region_name -> [neutron] region_name
[DEFAULT] neutron_admin_password -> [neutron] admin_password
[DEFAULT] glance_num_retries -> [glance] num_retries
[DEFAULT] service_neutron_metadata_proxy -> [neutron] service_metadata_proxy
[DEFAULT] glance_protocol -> [glance] protocol
[DEFAULT] neutron_ovs_bridge -> [neutron] ovs_bridge
[DEFAULT] glance_api_insecure -> [glance] api_insecure
[DEFAULT] glance_host -> [glance] host
[DEFAULT] neutron_admin_auth_url -> [neutron] admin_auth_url
[DEFAULT] neutron_extension_sync_interval -> [neutron] extension_sync_interval
[DEFAULT] neutron_url_timeout -> [neutron] url_timeout
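
When upgrading a nova.conf to Juno, the deprecated names above are easy to miss, and so is an api_insecure flag that moved sections with them. The following linter is an added example, not part of the original reference or of nova: it reports deprecated [DEFAULT] options with their replacement from Table 2.67, values that disagree between the old and new name, and any api_insecure option set to true. The function name, finding labels and sample file are constructed for this example.

```python
import configparser

# Deprecated [DEFAULT] option -> (new section, new option), from Table 2.67.
DEPRECATED = {
    "quota_injected_file_path_bytes": ("DEFAULT", "quota_injected_file_path_length"),
    "service_neutron_metadata_proxy": ("neutron", "service_metadata_proxy"),
}
for _name in ("url", "ca_certificates_file", "api_insecure", "admin_username",
              "auth_strategy", "admin_tenant_id", "admin_tenant_name",
              "metadata_proxy_shared_secret", "region_name", "admin_password",
              "ovs_bridge", "admin_auth_url", "extension_sync_interval",
              "url_timeout"):
    DEPRECATED["neutron_" + _name] = ("neutron", _name)
for _name in ("api_servers", "port", "num_retries", "protocol", "api_insecure",
              "host"):
    DEPRECATED["glance_" + _name] = ("glance", _name)

# Sections that Table 2.65 lists with an api_insecure option.
TLS_SECTIONS = ("cinder", "glance", "neutron")

# Constructed sample input, not taken from a real deployment.
SAMPLE_NOVA_CONF = """\
[DEFAULT]
neutron_url = http://192.0.2.10:9696
neutron_api_insecure = True
glance_host = 192.0.2.20
quota_injected_file_path_bytes = 255

[neutron]
url = http://192.0.2.11:9696
admin_tenant_name = service

[glance]
api_insecure = false

[cinder]
api_insecure = true
"""


def _is_true(value):
    return value.strip().lower() in ("1", "true", "yes", "on")


def lint_nova_conf(text):
    """Return a sorted list of (kind, option, detail) findings."""
    # An unused default_section makes [DEFAULT] an ordinary section, so its
    # values are not silently inherited by [neutron], [glance] and the rest.
    # strict=False tolerates options that are repeated in one section.
    conf = configparser.RawConfigParser(default_section="__unused__",
                                        strict=False)
    conf.read_string(text)
    defaults = dict(conf.items("DEFAULT")) if conf.has_section("DEFAULT") else {}

    findings = []
    for old, (section, new) in DEPRECATED.items():
        if old not in defaults:
            continue
        target = "[%s] %s" % (section, new)
        findings.append(("deprecated", "[DEFAULT] " + old, "use " + target))
        # Both names set with different values: which one wins is not obvious
        # to a reader of the file, so surface it.
        if conf.has_option(section, new) and conf.get(section, new) != defaults[old]:
            findings.append(("conflict", "[DEFAULT] " + old,
                             "differs from " + target))
        if new == "api_insecure" and _is_true(defaults[old]):
            findings.append(("tls-validation-off", "[DEFAULT] " + old,
                             "set to true"))

    for section in TLS_SECTIONS:
        if (conf.has_option(section, "api_insecure")
                and _is_true(conf.get(section, "api_insecure"))):
            findings.append(("tls-validation-off",
                             "[%s] api_insecure" % section, "set to true"))
    return sorted(findings)


if __name__ == "__main__":
    for kind, option, detail in lint_nova_conf(SAMPLE_NOVA_CONF):
        print("%-18s %-45s %s" % (kind, option, detail))
```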


3. Dashboard
Table of Contents
Configure the dashboard
Customize the dashboard
Additional sample configuration files
Dashboard log files

This chapter describes how to configure the OpenStack dashboard with Apache web server.

Configure the dashboard


You can configure the dashboard for a simple HTTP deployment.
You can configure the dashboard for a secured HTTPS deployment. While the standard installation uses a non-encrypted HTTP channel, you can enable SSL support for the dashboard.
Also, you can configure the size of the VNC window in the dashboard.

Configure the dashboard for HTTP


You can configure the dashboard for a simple HTTP deployment. The standard installation
uses a non-encrypted HTTP channel.
1. Specify the host for your OpenStack Identity Service endpoint in the /etc/openstack-dashboard/local_settings.py file with the OPENSTACK_HOST setting.
The following example shows this setting:
import os
from django.utils.translation import ugettext_lazy as _
DEBUG = False
TEMPLATE_DEBUG = DEBUG
PROD = True
USE_SSL = False
SITE_BRANDING = 'OpenStack Dashboard'
# Ubuntu-specific: Enables an extra panel in the 'Settings' section
# that easily generates a Juju environments.yaml for download,
# preconfigured with endpoints and credentials required for bootstrap
# and service deployment.
ENABLE_JUJU_PANEL = True
# Note: You should change this value
SECRET_KEY = 'elj1IWiLoWHgryYxFT6j7cM5fGOOxWY0'
# Specify a regular expression to validate user passwords.
# HORIZON_CONFIG = {
#     "password_validator": {
#         "regex": '.*',
#         "help_text": _("Your password does not meet the requirements.")
#     }
# }
LOCAL_PATH = os.path.dirname(os.path.abspath(__file__))


CACHES = {
    'default': {
        'BACKEND': 'django.core.cache.backends.memcached.MemcachedCache',
        'LOCATION': '127.0.0.1:11211'
    }
}
# Send email to the console by default
EMAIL_BACKEND = 'django.core.mail.backends.console.EmailBackend'
# Or send them to /dev/null
#EMAIL_BACKEND = 'django.core.mail.backends.dummy.EmailBackend'
# Configure these for your outgoing email host
# EMAIL_HOST = 'smtp.my-company.com'
# EMAIL_PORT = 25
# EMAIL_HOST_USER = 'djangomail'
# EMAIL_HOST_PASSWORD = 'top-secret!'
# For multiple regions uncomment this configuration, and add (endpoint, title).
# AVAILABLE_REGIONS = [
#     ('http://cluster1.example.com:5000/v2.0', 'cluster1'),
#     ('http://cluster2.example.com:5000/v2.0', 'cluster2'),
# ]
OPENSTACK_HOST = "127.0.0.1"
OPENSTACK_KEYSTONE_URL = "http://%s:5000/v2.0" % OPENSTACK_HOST
OPENSTACK_KEYSTONE_DEFAULT_ROLE = "Member"
# The OPENSTACK_KEYSTONE_BACKEND settings can be used to identify the
# capabilities of the auth backend for Keystone.
# If Keystone has been configured to use LDAP as the auth backend then set
# can_edit_user to False and name to 'ldap'.
#
# TODO(tres): Remove these once Keystone has an API to identify auth backend.
OPENSTACK_KEYSTONE_BACKEND = {
    'name': 'native',
    'can_edit_user': True
}
# OPENSTACK_ENDPOINT_TYPE specifies the endpoint type to use for the endpoints
# in the Keystone service catalog. Use this setting when Horizon is running
# external to the OpenStack environment. The default is 'internalURL'.
#OPENSTACK_ENDPOINT_TYPE = "publicURL"
# The number of Swift containers and objects to display on a single page before
# providing a paging element (a "more" link) to paginate results.
API_RESULT_LIMIT = 1000
# If you have external monitoring links, eg:
# EXTERNAL_MONITORING = [
#     ['Nagios','http://foo.com'],
#     ['Ganglia','http://bar.com'],
# ]
LOGGING = {
    'version': 1,
    # When set to True this will disable all logging except
    # for loggers specified in this configuration dictionary. Note that
    # if nothing is specified here and disable_existing_loggers is True,
    # django.db.backends will still log unless it is disabled explicitly.
    'disable_existing_loggers': False,
    'handlers': {
        'null': {
            'level': 'DEBUG',
            'class': 'django.utils.log.NullHandler',
        },
        'console': {
            # Set the level to "DEBUG" for verbose output logging.
            'level': 'INFO',
            'class': 'logging.StreamHandler',
        },
    },
    'loggers': {
        # Logging from django.db.backends is VERY verbose, send to null
        # by default.
        'django.db.backends': {
            'handlers': ['null'],
            'propagate': False,


        },
        'horizon': {
            'handlers': ['console'],
            'propagate': False,
        },
        'novaclient': {
            'handlers': ['console'],
            'propagate': False,
        },
        'keystoneclient': {
            'handlers': ['console'],
            'propagate': False,
        },
        'nose.plugins.manager': {
            'handlers': ['console'],
            'propagate': False,
        }
    }
}

The service catalog configuration in the Identity Service determines whether a service
appears in the dashboard. For the full listing, see Horizon Settings and Configuration.
2. Restart Apache http server. For Ubuntu/Debian/SUSE:

   # service apache2 restart

   or for Fedora/RHEL/CentOS:

   # service httpd restart

   Next, restart memcached:

   # service memcached restart

Configure the dashboard for HTTPS


You can configure the dashboard for a secured HTTPS deployment. While the standard installation uses a non-encrypted HTTP channel, you can enable SSL support for the dashboard.
This example uses the http://openstack.example.com domain. Use a domain that
fits your current setup.
1. In the /etc/openstack-dashboard/local_settings.py file, update the following options:

   USE_SSL = True
   CSRF_COOKIE_SECURE = True
   SESSION_COOKIE_SECURE = True
   SESSION_COOKIE_HTTPONLY = True

   To enable HTTPS, the USE_SSL = True option is required.

   The other options require that HTTPS is enabled; these options defend against cross-site scripting.

2. Edit the /etc/apache2/ports.conf file and add the following line:

   NameVirtualHost *:443

3. Edit the /etc/apache2/conf.d/openstack-dashboard.conf file as shown in Example 3.2, "After":

Example 3.1. Before
WSGIScriptAlias / /usr/share/openstack-dashboard/openstack_dashboard/wsgi/django.wsgi
WSGIDaemonProcess horizon user=www-data group=www-data processes=3 threads=10
Alias /static /usr/share/openstack-dashboard/openstack_dashboard/static/
<Directory /usr/share/openstack-dashboard/openstack_dashboard/wsgi>
    # For Apache http server 2.2 and earlier:
    Order allow,deny
    Allow from all
    # For Apache http server 2.4 and later:
    # Require all granted
</Directory>

Example 3.2. After
<VirtualHost *:80>
    ServerName openstack.example.com
    <IfModule mod_rewrite.c>
        RewriteEngine On
        RewriteCond %{HTTPS} off
        RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
    </IfModule>
    <IfModule !mod_rewrite.c>
        RedirectPermanent / https://openstack.example.com
    </IfModule>
</VirtualHost>
<VirtualHost *:443>
    ServerName openstack.example.com
    SSLEngine On
    # Remember to replace certificates and keys with valid paths in your environment
    SSLCertificateFile /etc/apache2/SSL/openstack.example.com.crt
    SSLCACertificateFile /etc/apache2/SSL/openstack.example.com.crt
    SSLCertificateKeyFile /etc/apache2/SSL/openstack.example.com.key
    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
    # HTTP Strict Transport Security (HSTS) enforces that all communications
    # with a server go over SSL. This mitigates the threat from attacks such
    # as SSL-Strip which replaces links on the wire, stripping away https prefixes
    # and potentially allowing an attacker to view confidential information on the
    # wire
    Header add Strict-Transport-Security "max-age=15768000"
    WSGIScriptAlias / /usr/share/openstack-dashboard/openstack_dashboard/wsgi/django.wsgi
    WSGIDaemonProcess horizon user=www-data group=www-data processes=3 threads=10
    Alias /static /usr/share/openstack-dashboard/openstack_dashboard/static/
    <Directory /usr/share/openstack-dashboard/openstack_dashboard/wsgi>
        # For Apache http server 2.2 and earlier:
        Order allow,deny
        Allow from all
        # For Apache http server 2.4 and later:
        # Require all granted
    </Directory>
</VirtualHost>

In this configuration, the Apache HTTP server listens on port 443 and redirects all non-secure requests to the HTTPS protocol. The secured section defines the private key,
public key, and certificate to use.
4. Restart the Apache HTTP server.

   For Debian, Ubuntu, or SUSE distributions:

   # service apache2 restart

   For Fedora, RHEL, or CentOS distributions:

   # service httpd restart

5. Restart memcached:

   # service memcached restart

If you try to access the dashboard through HTTP, the browser redirects you to the
HTTPS page.
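
To check the result of the procedure above, the following added example (not part of the original reference or of Horizon) audits the text of local_settings.py for the four options from step 1 and inspects response headers for the redirect, the HSTS header, and the cookie flags. The function names, the sample inputs, and the use of Django's default session cookie name sessionid are assumptions.

```python
import ast

# The four options step 1 sets in /etc/openstack-dashboard/local_settings.py.
REQUIRED_TRUE = ("USE_SSL", "CSRF_COOKIE_SECURE",
                 "SESSION_COOKIE_SECURE", "SESSION_COOKIE_HTTPONLY")
# Assumption: Django's default session cookie name, not renamed by the deployment.
SESSION_COOKIE_NAME = "sessionid"


def audit_local_settings(source):
    """Return findings for the HTTPS options in the text of local_settings.py.

    Only module-level assignments are read, so a commented-out line counts as
    unset. The last assignment wins, as it does when Python runs the file.
    """
    values = {}
    for node in ast.parse(source).body:
        if not isinstance(node, ast.Assign):
            continue
        for target in node.targets:
            if isinstance(target, ast.Name) and target.id in REQUIRED_TRUE:
                try:
                    values[target.id] = ast.literal_eval(node.value)
                except (ValueError, TypeError):
                    values[target.id] = "<computed at run time>"
    findings = []
    for name in REQUIRED_TRUE:
        if name not in values:
            findings.append("%s is not set" % name)
        elif values[name] is not True:
            findings.append("%s = %r, expected True" % (name, values[name]))
    return findings


def audit_http_redirect(status, location):
    """Check the reply to a plain-HTTP request: it must redirect to https://."""
    if status in (301, 302, 307, 308) and (location or "").lower().startswith("https://"):
        return []
    return ["HTTP request got %s %r, not a redirect to HTTPS" % (status, location)]


def audit_https_response(headers):
    """Return findings for one HTTPS response, given as (name, value) pairs."""
    findings = []
    max_age = 0
    for name, value in headers:
        if name.lower() != "strict-transport-security":
            continue
        for directive in value.split(";"):
            key, _, val = directive.strip().partition("=")
            if key.lower() == "max-age" and val.strip('"').isdigit():
                max_age = int(val.strip('"'))
    if max_age <= 0:
        findings.append("no Strict-Transport-Security header with a positive max-age")
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        cookie = parts[0].split("=", 1)[0]
        flags = {p.split("=", 1)[0].lower() for p in parts[1:] if p}
        if "secure" not in flags:
            findings.append("cookie %s lacks Secure" % cookie)
        if cookie == SESSION_COOKIE_NAME and "httponly" not in flags:
            findings.append("cookie %s lacks HttpOnly" % cookie)
    return findings


# Constructed sample inputs (not captured from a real deployment).
WEAK_SETTINGS = """
USE_SSL = True
CSRF_COOKIE_SECURE = False
#SESSION_COOKIE_SECURE = True
SESSION_COOKIE_HTTPONLY = True
"""
WEAK_HEADERS = [
    ("Set-Cookie", "csrftoken=abc123; Path=/"),
    ("Set-Cookie", "sessionid=def456; Path=/; Secure"),
]
GOOD_HEADERS = [
    ("Strict-Transport-Security", "max-age=15768000"),
    ("Set-Cookie", "csrftoken=abc123; Path=/; Secure"),
    ("Set-Cookie", "sessionid=def456; HttpOnly; Path=/; Secure"),
]

if __name__ == "__main__":
    for finding in (audit_local_settings(WEAK_SETTINGS)
                    + audit_http_redirect(200, None)
                    + audit_https_response(WEAK_HEADERS)):
        print("FINDING:", finding)
```

The settings audit reads only literal module-level assignments; a value computed at run time is reported rather than trusted.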

Change the size of the dashboard VNC window


The _detail_vnc.html file defines the size of the VNC window. To change the window
size, edit this file.
1. Edit /usr/share/pyshared/horizon/dashboards/nova/instances/templates/instances/_detail_vnc.html.

2. Modify the width and height parameters, as follows:

   <iframe src="{{ vnc_url }}" width="720" height="430"></iframe>

Customize the dashboard


Adapted from How To Custom Brand The OpenStack Horizon Dashboard.
You install the OpenStack dashboard through the openstack-dashboard package. You
can customize the dashboard with your own colors, logo, and site title through a CSS file.
Canonical also provides an openstack-dashboard-ubuntu-theme package that
brands the Python-based Django interface.
1. Create a graphical logo with a transparent background. The text TGen Cloud in this
   example is rendered through .png files of multiple sizes created with a graphics program.
   Use a 200×27 for the logged-in banner graphic, and 365×50 for the login screen graphic.

2. Set the HTML title, which appears at the top of the browser window, by adding the
   following line to /etc/openstack-dashboard/local_settings.py:

   SITE_BRANDING = "Example, Inc. Cloud"

3. Upload your new graphic files to the following location: /usr/share/openstack-dashboard/openstack_dashboard/static/dashboard/img/

4. Create a CSS style sheet in the following directory: /usr/share/openstack-dashboard/openstack_dashboard/static/dashboard/css/

5. Edit your CSS file to override the Ubuntu customizations in the ubuntu.css file.
   Change the colors and image file names as appropriate, though the relative directory paths should be the same. The following example file shows you how to customize
   your CSS file:

/*
 * New theme colors for dashboard that override the defaults:
 * dark blue: #355796 / rgb(53, 87, 150)
 * light blue: #BAD3E1 / rgb(186, 211, 225)
 *
 * By Preston Lee <[email protected]>
 */
h1.brand {
    background: #355796 repeat-x top left;
    border-bottom: 2px solid #BAD3E1;
}
h1.brand a {
    background: url(../img/my_cloud_logo_small.png) top left no-repeat;
}
#splash .login {
    background: #355796 url(../img/my_cloud_logo_medium.png) no-repeat center 35px;
}
#splash .login .modal-header {
    border-top: 1px solid #BAD3E1;
}
.btn-primary {
    background-image: none !important;
    background-color: #355796 !important;
    border: none !important;
    box-shadow: none;
}
.btn-primary:hover,
.btn-primary:active {
    border: none;
    box-shadow: none;
    background-color: #BAD3E1 !important;
    text-decoration: none;
}

6. Open the following HTML template in an editor: /usr/share/openstack-dashboard/openstack_dashboard/templates/_stylesheets.html

7. Add a line to include your custom.css file:

   ...
   <link href='{{ STATIC_URL }}bootstrap/css/bootstrap.min.css' media='screen' rel='stylesheet' />
   <link href='{{ STATIC_URL }}dashboard/css/{% choose_css %}' media='screen' rel='stylesheet' />
   <link href='{{ STATIC_URL }}dashboard/css/custom.css' media='screen' rel='stylesheet' />
   ...

8. Restart Apache:

   On Ubuntu:

   # service apache2 restart

   On Fedora, RHEL, CentOS:

   # service httpd restart

   On openSUSE:

   # service apache2 restart

9. Reload the dashboard in your browser to view your changes.

   Modify your CSS file as appropriate.

Additional sample configuration files


Find the following files in /etc/openstack-dashboard.

keystone_policy.json
The keystone_policy.json file defines additional access controls for the dashboard
that apply to the Identity service.

Note
The keystone_policy.json file must match the Identity service /etc/keystone/policy.json policy file.
{
"admin_required": [
[
"role:admin"
],
[
"is_admin:1"
]
],
"service_role": [
[
"role:service"
]
],
"service_or_admin": [
[
"rule:admin_required"
],
[
"rule:service_role"
]
],
"owner": [
[
"user_id:%(user_id)s"
]
],
"admin_or_owner": [
[
"rule:admin_required"
],
[
"rule:owner"
]
],
"default": [
[
"rule:admin_required"
]
],
"identity:get_service": [
[
"rule:admin_required"
]
],
"identity:list_services": [
[
"rule:admin_required"


]
],
"identity:create_service": [
[
"rule:admin_required"
]
],
"identity:update_service": [
[
"rule:admin_required"
]
],
"identity:delete_service": [
[
"rule:admin_required"
]
],
"identity:get_endpoint": [
[
"rule:admin_required"
]
],
"identity:list_endpoints": [
[
"rule:admin_required"
]
],
"identity:create_endpoint": [
[
"rule:admin_required"
]
],
"identity:update_endpoint": [
[
"rule:admin_required"
]
],
"identity:delete_endpoint": [
[
"rule:admin_required"
]
],
"identity:get_domain": [
[
"rule:admin_required"
]
],
"identity:list_domains": [
[
"rule:admin_required"
]
],
"identity:create_domain": [
[
"rule:admin_required"
]
],
"identity:update_domain": [
[
"rule:admin_required"


]
],
"identity:delete_domain": [
[
"rule:admin_required"
]
],
"identity:get_project": [
[
"rule:admin_required"
]
],
"identity:list_projects": [
[
"rule:admin_required"
]
],
"identity:list_user_projects": [
[
"rule:admin_or_owner"
]
],
"identity:create_project": [
[
"rule:admin_required"
]
],
"identity:update_project": [
[
"rule:admin_required"
]
],
"identity:delete_project": [
[
"rule:admin_required"
]
],
"identity:get_user": [
[
"rule:admin_required"
]
],
"identity:list_users": [
[
"rule:admin_required"
]
],
"identity:create_user": [
[
"rule:admin_required"
]
],
"identity:update_user": [
[
"rule:admin_or_owner"
]
],
"identity:delete_user": [
[
"rule:admin_required"


]
],
"identity:get_group": [
[
"rule:admin_required"
]
],
"identity:list_groups": [
[
"rule:admin_required"
]
],
"identity:list_groups_for_user": [
[
"rule:admin_or_owner"
]
],
"identity:create_group": [
[
"rule:admin_required"
]
],
"identity:update_group": [
[
"rule:admin_required"
]
],
"identity:delete_group": [
[
"rule:admin_required"
]
],
"identity:list_users_in_group": [
[
"rule:admin_required"
]
],
"identity:remove_user_from_group": [
[
"rule:admin_required"
]
],
"identity:check_user_in_group": [
[
"rule:admin_required"
]
],
"identity:add_user_to_group": [
[
"rule:admin_required"
]
],
"identity:get_credential": [
[
"rule:admin_required"
]
],
"identity:list_credentials": [
[
"rule:admin_required"


]
],
"identity:create_credential": [
[
"rule:admin_required"
]
],
"identity:update_credential": [
[
"rule:admin_required"
]
],
"identity:delete_credential": [
[
"rule:admin_required"
]
],
"identity:get_role": [
[
"rule:admin_required"
]
],
"identity:list_roles": [
[
"rule:admin_required"
]
],
"identity:create_role": [
[
"rule:admin_required"
]
],
"identity:update_role": [
[
"rule:admin_required"
]
],
"identity:delete_role": [
[
"rule:admin_required"
]
],
"identity:check_grant": [
[
"rule:admin_required"
]
],
"identity:list_grants": [
[
"rule:admin_required"
]
],
"identity:create_grant": [
[
"rule:admin_required"
]
],
"identity:revoke_grant": [
[
"rule:admin_required"


]
],
"identity:list_role_assignments": [
[
"rule:admin_required"
]
],
"identity:get_policy": [
[
"rule:admin_required"
]
],
"identity:list_policies": [
[
"rule:admin_required"
]
],
"identity:create_policy": [
[
"rule:admin_required"
]
],
"identity:update_policy": [
[
"rule:admin_required"
]
],
"identity:delete_policy": [
[
"rule:admin_required"
]
],
"identity:check_token": [
[
"rule:admin_required"
]
],
"identity:validate_token": [
[
"rule:service_or_admin"
]
],
"identity:validate_token_head": [
[
"rule:service_or_admin"
]
],
"identity:revocation_list": [
[
"rule:service_or_admin"
]
],
"identity:revoke_token": [
[
"rule:admin_or_owner"
]
],
"identity:create_trust": [
[
"user_id:%(trust.trustor_user_id)s"


]
],
"identity:get_trust": [
[
"rule:admin_or_owner"
]
],
"identity:list_trusts": [
[
"@"
]
],
"identity:list_roles_for_trust": [
[
"@"
]
],
"identity:check_role_for_trust": [
[
"@"
]
],
"identity:get_role_for_trust": [
[
"@"
]
],
"identity:delete_trust": [
[
"@"
]
]
}

nova_policy.json
The nova_policy.json file defines additional access controls for the dashboard that apply to the Compute service.

Note
The nova_policy.json file must match the Compute /etc/nova/policy.json policy file.
{
"context_is_admin": "role:admin",
"admin_or_owner": "is_admin:True or project_id:%(project_id)s",
"default": "rule:admin_or_owner",
"cells_scheduler_filter:TargetCellFilter": "is_admin:True",
"compute:create": "",
"compute:create:attach_network": "",
"compute:create:attach_volume": "",
"compute:create:forced_host": "is_admin:True",
"compute:get_all": "",
"compute:get_all_tenants": "",
"compute:unlock_override": "rule:admin_api",
"compute:shelve": "",
"compute:shelve_offload": "",
"compute:unshelve": "",


"admin_api": "is_admin:True",
"compute_extension:accounts": "rule:admin_api",
"compute_extension:admin_actions": "rule:admin_api",
"compute_extension:admin_actions:pause": "rule:admin_or_owner",
"compute_extension:admin_actions:unpause": "rule:admin_or_owner",
"compute_extension:admin_actions:suspend": "rule:admin_or_owner",
"compute_extension:admin_actions:resume": "rule:admin_or_owner",
"compute_extension:admin_actions:lock": "rule:admin_or_owner",
"compute_extension:admin_actions:unlock": "rule:admin_or_owner",
"compute_extension:admin_actions:resetNetwork": "rule:admin_api",
"compute_extension:admin_actions:injectNetworkInfo": "rule:admin_api",
"compute_extension:admin_actions:createBackup": "rule:admin_or_owner",
"compute_extension:admin_actions:migrateLive": "rule:admin_api",
"compute_extension:admin_actions:resetState": "rule:admin_api",
"compute_extension:admin_actions:migrate": "rule:admin_api",
"compute_extension:v3:os-admin-actions": "rule:admin_api",
"compute_extension:v3:os-admin-actions:pause": "rule:admin_or_owner",
"compute_extension:v3:os-admin-actions:unpause": "rule:admin_or_owner",
"compute_extension:v3:os-admin-actions:suspend": "rule:admin_or_owner",
"compute_extension:v3:os-admin-actions:resume": "rule:admin_or_owner",
"compute_extension:v3:os-admin-actions:lock": "rule:admin_or_owner",
"compute_extension:v3:os-admin-actions:unlock": "rule:admin_or_owner",
"compute_extension:v3:os-admin-actions:reset_network": "rule:admin_api",
"compute_extension:v3:os-admin-actions:inject_network_info": "rule:admin_api",
"compute_extension:v3:os-admin-actions:create_backup": "rule:admin_or_owner",
"compute_extension:v3:os-admin-actions:migrate_live": "rule:admin_api",
"compute_extension:v3:os-admin-actions:reset_state": "rule:admin_api",
"compute_extension:v3:os-admin-actions:migrate": "rule:admin_api",
"compute_extension:v3:os-admin-password": "",
"compute_extension:aggregates": "rule:admin_api",
"compute_extension:v3:os-aggregates": "rule:admin_api",
"compute_extension:agents": "rule:admin_api",
"compute_extension:v3:os-agents": "rule:admin_api",
"compute_extension:attach_interfaces": "",
"compute_extension:v3:os-attach-interfaces": "",
"compute_extension:baremetal_nodes": "rule:admin_api",
"compute_extension:v3:os-baremetal-nodes": "rule:admin_api",
"compute_extension:cells": "rule:admin_api",
"compute_extension:v3:os-cells": "rule:admin_api",
"compute_extension:certificates": "",
"compute_extension:v3:os-certificates": "",
"compute_extension:cloudpipe": "rule:admin_api",
"compute_extension:cloudpipe_update": "rule:admin_api",
"compute_extension:console_output": "",
"compute_extension:v3:consoles:discoverable": "",
"compute_extension:v3:os-console-output": "",
"compute_extension:consoles": "",
"compute_extension:v3:os-remote-consoles": "",
"compute_extension:coverage_ext": "rule:admin_api",
"compute_extension:v3:os-coverage": "rule:admin_api",
"compute_extension:createserverext": "",
"compute_extension:deferred_delete": "",
"compute_extension:v3:os-deferred-delete": "",
"compute_extension:disk_config": "",
"compute_extension:evacuate": "rule:admin_api",
"compute_extension:v3:os-evacuate": "rule:admin_api",
"compute_extension:extended_server_attributes": "rule:admin_api",
"compute_extension:v3:os-extended-server-attributes": "rule:admin_api",


"compute_extension:extended_status": "",
"compute_extension:v3:os-extended-status": "",
"compute_extension:extended_availability_zone": "",
"compute_extension:v3:os-extended-availability-zone": "",
"compute_extension:extended_ips": "",
"compute_extension:extended_ips_mac": "",
"compute_extension:extended_vif_net": "",
"compute_extension:v3:extension_info:discoverable": "",
"compute_extension:extended_volumes": "",
"compute_extension:v3:os-extended-volumes": "",
"compute_extension:v3:os-extended-volumes:attach": "",
"compute_extension:v3:os-extended-volumes:detach": "",
"compute_extension:fixed_ips": "rule:admin_api",
"compute_extension:v3:os-fixed-ips:discoverable": "",
"compute_extension:v3:os-fixed-ips": "rule:admin_api",
"compute_extension:flavor_access": "",
"compute_extension:v3:os-flavor-access": "",
"compute_extension:flavor_disabled": "",
"compute_extension:v3:os-flavor-disabled": "",
"compute_extension:flavor_rxtx": "",
"compute_extension:v3:os-flavor-rxtx": "",
"compute_extension:flavor_swap": "",
"compute_extension:flavorextradata": "",
"compute_extension:flavorextraspecs:index": "",
"compute_extension:flavorextraspecs:show": "",
"compute_extension:flavorextraspecs:create": "rule:admin_api",
"compute_extension:flavorextraspecs:update": "rule:admin_api",
"compute_extension:flavorextraspecs:delete": "rule:admin_api",
"compute_extension:v3:flavor-extra-specs:index": "",
"compute_extension:v3:flavor-extra-specs:show": "",
"compute_extension:v3:flavor-extra-specs:create": "rule:admin_api",
"compute_extension:v3:flavor-extra-specs:update": "rule:admin_api",
"compute_extension:v3:flavor-extra-specs:delete": "rule:admin_api",
"compute_extension:flavormanage": "rule:admin_api",
"compute_extension:floating_ip_dns": "",
"compute_extension:floating_ip_pools": "",
"compute_extension:floating_ips": "",
"compute_extension:floating_ips_bulk": "rule:admin_api",
"compute_extension:fping": "",
"compute_extension:fping:all_tenants": "rule:admin_api",
"compute_extension:hide_server_addresses": "is_admin:False",
"compute_extension:v3:os-hide-server-addresses": "is_admin:False",
"compute_extension:hosts": "rule:admin_api",
"compute_extension:v3:os-hosts": "rule:admin_api",
"compute_extension:hypervisors": "rule:admin_api",
"compute_extension:v3:os-hypervisors": "rule:admin_api",
"compute_extension:image_size": "",
"compute_extension:v3:os-image-metadata": "",
"compute_extension:v3:os-images": "",
"compute_extension:instance_actions": "",
"compute_extension:v3:os-instance-actions": "",
"compute_extension:instance_actions:events": "rule:admin_api",
"compute_extension:v3:os-instance-actions:events": "rule:admin_api",
"compute_extension:instance_usage_audit_log": "rule:admin_api",
"compute_extension:v3:os-instance-usage-audit-log": "rule:admin_api",
"compute_extension:v3:ips:discoverable": "",
"compute_extension:keypairs": "",
"compute_extension:keypairs:index": "",
"compute_extension:keypairs:show": "",
"compute_extension:keypairs:create": "",


"compute_extension:keypairs:delete": "",
"compute_extension:v3:os-keypairs:discoverable": "",
"compute_extension:v3:os-keypairs": "",
"compute_extension:v3:os-keypairs:index": "",
"compute_extension:v3:os-keypairs:show": "",
"compute_extension:v3:os-keypairs:create": "",
"compute_extension:v3:os-keypairs:delete": "",
"compute_extension:multinic": "",
"compute_extension:v3:os-multinic": "",
"compute_extension:networks": "rule:admin_api",
"compute_extension:networks:view": "",
"compute_extension:networks_associate": "rule:admin_api",
"compute_extension:quotas:show": "",
"compute_extension:quotas:update": "rule:admin_api",
"compute_extension:quotas:delete": "rule:admin_api",
"compute_extension:v3:os-quota-sets:show": "",
"compute_extension:v3:os-quota-sets:update": "rule:admin_api",
"compute_extension:v3:os-quota-sets:delete": "rule:admin_api",
"compute_extension:quota_classes": "",
"compute_extension:v3:os-quota-class-sets": "",
"compute_extension:rescue": "",
"compute_extension:v3:os-rescue": "",
"compute_extension:security_group_default_rules": "rule:admin_api",
"compute_extension:security_groups": "",
"compute_extension:v3:os-security-groups": "",
"compute_extension:server_diagnostics": "rule:admin_api",
"compute_extension:v3:os-server-diagnostics": "rule:admin_api",
"compute_extension:server_password": "",
"compute_extension:v3:os-server-password": "",
"compute_extension:server_usage": "",
"compute_extension:v3:os-server-usage": "",
"compute_extension:services": "rule:admin_api",
"compute_extension:v3:os-services": "rule:admin_api",
"compute_extension:v3:servers:discoverable": "",
"compute_extension:shelve": "",
"compute_extension:shelveOffload": "rule:admin_api",
"compute_extension:v3:os-shelve:shelve": "",
"compute_extension:v3:os-shelve:shelve_offload": "rule:admin_api",
"compute_extension:simple_tenant_usage:show": "rule:admin_or_owner",
"compute_extension:v3:os-simple-tenant-usage:show": "rule:admin_or_owner",
"compute_extension:simple_tenant_usage:list": "rule:admin_api",
"compute_extension:v3:os-simple-tenant-usage:list": "rule:admin_api",
"compute_extension:unshelve": "",
"compute_extension:v3:os-shelve:unshelve": "",
"compute_extension:users": "rule:admin_api",
"compute_extension:virtual_interfaces": "",
"compute_extension:virtual_storage_arrays": "",
"compute_extension:volumes": "",
"compute_extension:volume_attachments:index": "",
"compute_extension:volume_attachments:show": "",
"compute_extension:volume_attachments:create": "",
"compute_extension:volume_attachments:update": "",
"compute_extension:volume_attachments:delete": "",
"compute_extension:volumetypes": "",
"compute_extension:availability_zone:list": "",
"compute_extension:v3:os-availability-zone:list": "",
"compute_extension:availability_zone:detail": "rule:admin_api",
"compute_extension:v3:os-availability-zone:detail": "rule:admin_api",
"compute_extension:used_limits_for_admin": "rule:admin_api",
"compute_extension:v3:os-used-limits": "",


"compute_extension:v3:os-used-limits:tenant": "rule:admin_api",
"compute_extension:migrations:index": "rule:admin_api",
"compute_extension:v3:os-migrations:index": "rule:admin_api",
"volume:create": "",
"volume:get_all": "",
"volume:get_volume_metadata": "",
"volume:get_snapshot": "",
"volume:get_all_snapshots": "",
"volume_extension:types_manage": "rule:admin_api",
"volume_extension:types_extra_specs": "rule:admin_api",
"volume_extension:volume_admin_actions:reset_status": "rule:admin_api",
"volume_extension:snapshot_admin_actions:reset_status": "rule:admin_api",
"volume_extension:volume_admin_actions:force_delete": "rule:admin_api",
"network:get_all": "",
"network:get": "",
"network:create": "",
"network:delete": "",
"network:associate": "",
"network:disassociate": "",
"network:get_vifs_by_instance": "",
"network:allocate_for_instance": "",
"network:deallocate_for_instance": "",
"network:validate_networks": "",
"network:get_instance_uuids_by_ip_filter": "",
"network:get_instance_id_by_floating_address": "",
"network:setup_networks_on_host": "",
"network:get_backdoor_port": "",
"network:get_floating_ip": "",
"network:get_floating_ip_pools": "",
"network:get_floating_ip_by_address": "",
"network:get_floating_ips_by_project": "",
"network:get_floating_ips_by_fixed_address": "",
"network:allocate_floating_ip": "",
"network:deallocate_floating_ip": "",
"network:associate_floating_ip": "",
"network:disassociate_floating_ip": "",
"network:release_floating_ip": "",
"network:migrate_instance_start": "",
"network:migrate_instance_finish": "",
"network:get_fixed_ip": "",
"network:get_fixed_ip_by_address": "",
"network:add_fixed_ip_to_instance": "",
"network:remove_fixed_ip_from_instance": "",
"network:add_network_to_project": "",
"network:get_instance_nw_info": "",
"network:get_dns_domains": "",
"network:add_dns_entry": "",
"network:modify_dns_entry": "",
"network:delete_dns_entry": "",
"network:get_dns_entries_by_address": "",
"network:get_dns_entries_by_name": "",
"network:create_private_dns_domain": "",
"network:create_public_dns_domain": "",
"network:delete_dns_domain": ""
}
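
Both notes above, for keystone_policy.json and for nova_policy.json, require the dashboard's copy to match the service's own policy file. The following drift check is an added example, not part of the original reference or of Horizon; the function names are hypothetical and the two sample policies are constructed from rule names shown above. It treats the list form as an OR of inner AND lists, so reordering alone is not reported.

```python
import json
import re

# rule:NAME references inside a rule, in either the list or the string form.
RULE_REF = re.compile(r'rule:([^\s()\[\],"]+)')


def load_policy(text):
    """Parse a policy file, refusing duplicate rule names.

    json.loads() silently keeps the last duplicate, which would hide a rule
    that was redefined further down the file.
    """
    def no_duplicates(pairs):
        names = [name for name, _ in pairs]
        dupes = sorted({n for n in names if names.count(n) > 1})
        if dupes:
            raise ValueError("duplicate rule names: %s" % ", ".join(dupes))
        return dict(pairs)
    return json.loads(text, object_pairs_hook=no_duplicates)


def normalize(rule):
    """Make a rule comparable: list order and extra whitespace carry no meaning."""
    if isinstance(rule, list):
        return frozenset(
            frozenset(alt) if isinstance(alt, list) else frozenset([alt])
            for alt in rule
        )
    return " ".join(str(rule).split())


def references(rule):
    """Names of the rules that this rule points to with rule:NAME."""
    return set(RULE_REF.findall(json.dumps(rule)))


def policy_drift(dashboard_text, service_text):
    """Compare the dashboard's copy of a policy file with the service's own."""
    dash, svc = load_policy(dashboard_text), load_policy(service_text)
    common = set(dash) & set(svc)
    different = {n for n in common if normalize(dash[n]) != normalize(svc[n])}
    missing = set(svc) - set(dash)
    # A rule whose own text matches can still behave differently when it
    # refers, directly or through other rules, to one that drifted.
    affected = set()
    changed = True
    while changed:
        changed = False
        for name in common - different - affected:
            if references(dash[name]) & (different | missing | affected):
                affected.add(name)
                changed = True
    return {
        "missing_in_dashboard": sorted(missing),
        "unknown_to_service": sorted(set(dash) - set(svc)),
        "different": sorted(different),
        "affected_by_reference": sorted(affected),
    }


# Constructed samples: the dashboard copy still allows is_admin:1, lacks one
# rule the service defines, and carries one rule the service does not know.
DASHBOARD_COPY = """{
  "admin_required": [["role:admin"], ["is_admin:1"]],
  "owner": [["user_id:%(user_id)s"]],
  "admin_or_owner": [["rule:owner"], ["rule:admin_required"]],
  "identity:list_users": [["rule:admin_required"]],
  "identity:update_user": [["rule:admin_or_owner"]],
  "identity:list_trusts": [["@"]]
}"""
SERVICE_COPY = """{
  "admin_required": [["role:admin"]],
  "owner": [["user_id:%(user_id)s"]],
  "admin_or_owner": [["rule:admin_required"], ["rule:owner"]],
  "identity:list_users": [["rule:admin_required"]],
  "identity:update_user": [["rule:admin_or_owner"]],
  "identity:get_user": [["rule:admin_required"]]
}"""

if __name__ == "__main__":
    for kind, names in policy_drift(DASHBOARD_COPY, SERVICE_COPY).items():
        print("%-22s %s" % (kind, ", ".join(names) or "-"))
```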

Dashboard log files


The dashboard is served to users through the Apache web server (httpd).
As a result, dashboard-related logs appear in files in the /var/log/httpd or /var/log/apache2 directory on the system where the dashboard is hosted. The following table describes these files:

Table 3.1. Dashboard/httpd log files

Log file      Description
access_log    Logs all attempts to access the web server.
error_log     Logs all unsuccessful attempts to access the web server, along with the reason that each attempt failed.


4. Database Service
Table of Contents
Configure the database
Configure the RPC messaging system
The Database Service provides scalable and reliable Cloud Database-as-a-Service functionality for both relational and non-relational database engines.
The following tables provide a comprehensive list of the Database Service configuration options.

Table 4.1. Description of API configuration options

Configuration option = Default value
    Description

[DEFAULT]

admin_roles = admin
    (ListOpt) Roles to add to an admin user.

api_paste_config = api-paste.ini
    (StrOpt) File name for the paste.deploy config for troveapi.

bind_host = 0.0.0.0
    (StrOpt) IP address the API server will listen on.

bind_port = 8779
    (IntOpt) Port the API server will listen on.

black_list_regex = None
    (StrOpt) Exclude IP addresses that match this regular expression.

db_api_implementation = trove.db.sqlalchemy.api
    (StrOpt) API Implementation for Trove database access.

hostname_require_valid_ip = True
    (BoolOpt) Require user hostnames to be valid IP addresses.

http_delete_rate = 200
    (IntOpt) Maximum number of HTTP 'DELETE' requests (per minute).

http_get_rate = 200
    (IntOpt) Maximum number of HTTP 'GET' requests (per minute).

http_mgmt_post_rate = 200
    (IntOpt) Maximum number of management HTTP 'POST' requests (per minute).

http_post_rate = 200
    (IntOpt) Maximum number of HTTP 'POST' requests (per minute).

http_put_rate = 200
    (IntOpt) Maximum number of HTTP 'PUT' requests (per minute).

instances_page_size = 20
    (IntOpt) Page size for listing instances.

max_header_line = 16384
    (IntOpt) Maximum line size of message headers to be accepted. max_header_line may need to be increased when using large tokens (typically those generated by the Keystone v3 API with big service catalogs).

os_region_name = None
    (StrOpt) Region name of this node. Used when searching catalog.

region = LOCAL_DEV
    (StrOpt) The region this service is located.

tcp_keepidle = 600
    (IntOpt) Sets the value of TCP_KEEPIDLE in seconds for each server socket. Not supported on OS X.

trove_api_workers = None
    (IntOpt) Number of workers for the API service. The default will be the number of CPUs available.

trove_auth_url = http://0.0.0.0:5000/v2.0
    (StrOpt) Trove authentication URL.

trove_conductor_workers = None
    (IntOpt) Number of workers for the Conductor service. The default will be the number of CPUs available.

trove_security_group_name_prefix = SecGroup
    (StrOpt) Prefix to use when creating Security Groups.

trove_security_group_rule_cidr = 0.0.0.0/0
    (StrOpt) CIDR to use when creating Security Group Rules.

trove_security_groups_support = True
    (BoolOpt) Whether Trove should add Security Groups on create.

users_page_size = 20
    (IntOpt) Page size for listing users.

Table4.2.Description of authorization token configuration options


Configuration option = Default value

Description

[keystone_authtoken]
admin_password = None

(StrOpt) Keystone account password

admin_tenant_name = admin

(StrOpt) Keystone service account tenant name to validate


user tokens

admin_token = None

(StrOpt) This option is deprecated and may be removed


in a future release. Single shared secret with the Keystone
configuration used for bootstrapping a Keystone installation, or otherwise bypassing the normal authentication
process. This option should not be used, use `admin_user`
and `admin_password` instead.

admin_user = None

(StrOpt) Keystone account username

auth_admin_prefix =

(StrOpt) Prefix to prepend at the beginning of the path.


Deprecated, use identity_uri.

auth_host = 127.0.0.1

(StrOpt) Host providing the admin Identity API endpoint.


Deprecated, use identity_uri.

auth_port = 35357

(IntOpt) Port of the admin Identity API endpoint. Deprecated, use identity_uri.

auth_protocol = https

(StrOpt) Protocol of the admin Identity API endpoint (http


or https). Deprecated, use identity_uri.

auth_uri = None

(StrOpt) Complete public Identity API endpoint

auth_version = None

(StrOpt) API version of the admin Identity API endpoint

cache = None

(StrOpt) Env key for the swift cache

cafile = None

(StrOpt) A PEM encoded Certificate Authority to use when


verifying HTTPs connections. Defaults to system CAs.

certfile = None

(StrOpt) Required if Keystone server requires client certificate

check_revocations_for_cached = False

(BoolOpt) If true, the revocation list will be checked for


cached tokens. This requires that PKI tokens are configured on the Keystone server.

delay_auth_decision = False

(BoolOpt) Do not handle authorization requests within


the middleware, but delegate the authorization decision
to downstream WSGI components

enforce_token_bind = permissive

(StrOpt) Used to control the use and type of token binding. Can be set to: "disabled" to not check token binding.
"permissive" (default) to validate binding information if
the bind type is of a form known to the server and ignore
it if not. "strict" like "permissive" but if the bind type is unknown the token will be rejected. "required" any form of
token binding is needed to be allowed. Finally the name of
a binding method that must be present in tokens.

hash_algorithms = md5

(ListOpt) Hash algorithms to use for hashing PKI tokens. This may be a single algorithm or multiple. The algorithms are those supported by Python standard hashlib.new(). The hashes will be tried in the order given, so put the preferred one first for performance. The result of the first hash will be stored in the cache. This will typically be set to multiple values only while migrating from a less secure algorithm to a more secure one. Once all the old tokens are expired this option should be set to a single value for better performance.

http_connect_timeout = None

(BoolOpt) Request timeout value for communicating with Identity API server.

http_request_max_retries = 3

(IntOpt) How many times are we trying to reconnect when communicating with Identity API Server.

identity_uri = None

(StrOpt) Complete admin Identity API endpoint. This should specify the unversioned root endpoint e.g. https://localhost:35357/

include_service_catalog = True

(BoolOpt) (optional) indicate whether to set the X-Service-Catalog header. If False, middleware will not ask for service catalog on token validation and will not set the X-Service-Catalog header.

insecure = False

(BoolOpt) Verify HTTPS connections.

keyfile = None

(StrOpt) Required if Keystone server requires client certificate

memcache_secret_key = None

(StrOpt) (optional, mandatory if memcache_security_strategy is defined) this string is used for key derivation.

memcache_security_strategy = None

(StrOpt) (optional) if defined, indicate whether token data should be authenticated or authenticated and encrypted. Acceptable values are MAC or ENCRYPT. If MAC, token data is authenticated (with HMAC) in the cache. If ENCRYPT, token data is encrypted and authenticated in the
cache. If the value is not one of these options or empty,
auth_token will raise an exception on initialization.

revocation_cache_time = 10

(IntOpt) Determines the frequency at which the list of revoked tokens is retrieved from the Identity service (in seconds). A high number of revocation events combined with a low cache duration may significantly reduce performance.

signing_dir = None

(StrOpt) Directory used to cache files related to PKI tokens

token_cache_time = 300

(IntOpt) In order to prevent excessive effort spent validating tokens, the middleware caches previously-seen tokens
for a configurable duration (in seconds). Set to -1 to disable caching completely.

Table 4.3. Description of backup configuration options


Configuration option = Default value

Description

[DEFAULT]
backup_aes_cbc_key = default_aes_cbc_key

(StrOpt) Default OpenSSL aes_cbc key.

backup_chunk_size = 65536

(IntOpt) Chunk size (in bytes) to stream to the Swift container. This should be in multiples of 128 bytes, since this is the size of an md5 digest block allowing the process to update the file checksum during streaming. See: http://stackoverflow.com/questions/1131220/

backup_runner = trove.guestagent.backup.backup_types.InnoBackupEx

(StrOpt) Runner to use for backups.

backup_runner_options = {}

(DictOpt) Additional options to be passed to the backup runner.

backup_segment_max_size = 2147483648

(IntOpt) Maximum size (in bytes) of each segment of the backup file.

backup_swift_container = database_backups

(StrOpt) Swift container to put backups in.

backup_use_gzip_compression = True

(BoolOpt) Compress backups using gzip.

backup_use_openssl_encryption = True

(BoolOpt) Encrypt backups using OpenSSL.

backup_use_snet = False

(BoolOpt) Send backup files over snet.

backups_page_size = 20

(IntOpt) Page size for listing backups.

Table 4.4. Description of CA and SSL configuration options


Configuration option = Default value

Description

[ssl]
ca_file = None

(StrOpt) CA certificate file to use to verify connecting clients

cert_file = None

(StrOpt) Certificate file to use when starting the server securely

key_file = None

(StrOpt) Private key file to use when starting the server securely

Table 4.5. Description of clients configuration options


Configuration option = Default value

Description

[DEFAULT]
remote_cinder_client = trove.common.remote.cinder_client

(StrOpt) Client to send Cinder calls to.

remote_dns_client = trove.common.remote.dns_client

(StrOpt) Client to send DNS calls to.

remote_guest_client = trove.common.remote.guest_client

(StrOpt) Client to send Guest Agent calls to.


remote_heat_client = trove.common.remote.heat_client

(StrOpt) Client to send Heat calls to.

remote_neutron_client = trove.common.remote.neutron_client

(StrOpt) Client to send Neutron calls to.

remote_nova_client = trove.common.remote.nova_client

(StrOpt) Client to send Nova calls to.

remote_swift_client = trove.common.remote.swift_client

(StrOpt) Client to send Swift calls to.

Table 4.6. Description of cluster configuration options


Configuration option = Default value

Description

[DEFAULT]
cluster_delete_time_out = 180

(IntOpt) Maximum time (in seconds) to wait for a cluster delete.

cluster_usage_timeout = 675

(IntOpt) Maximum time (in seconds) to wait for a cluster to become active.

clusters_page_size = 20

(IntOpt) Page size for listing clusters.

Table 4.7. Description of common configuration options


Configuration option = Default value

Description

[DEFAULT]
configurations_page_size = 20

(IntOpt) Page size for listing configurations.

databases_page_size = 20

(IntOpt) Page size for listing databases.

default_datastore = None

(StrOpt) The default datastore id or name to use if one is not provided by the user. If the default value is None, the field becomes required in the instance create request.

default_neutron_networks =

(ListOpt) List of IDs for management networks which should be attached to the instance regardless of what NICs are specified in the create API call.

default_notification_level = INFO

(StrOpt) Default notification level for outgoing notifications

default_password_length = 36

(IntOpt) Character length of generated passwords.

expected_filetype_suffixes = json

(ListOpt) Filetype endings not to be reattached to an ID by the utils method correct_id_with_req.

host = 0.0.0.0

(StrOpt) Host to listen for RPC messages.

lock_path = None

(StrOpt) Directory to use for lock files.

memcached_servers = None

(ListOpt) Memcached servers or None for in process cache.

pybasedir = /usr/lib/python/site-packages/trove/trove

(StrOpt) Directory where the Trove python module is installed.

pydev_path = None

(StrOpt) Set path to pydevd library, used if pydevd is not found in python sys.path.

taskmanager_queue = taskmanager

(StrOpt) Message queue name the Taskmanager will listen to.

template_path = /etc/trove/templates/

(StrOpt) Path which leads to datastore templates.

usage_timeout = 600

(IntOpt) Maximum time (in seconds) to wait for a Guest to become active.

[keystone_authtoken]
memcached_servers = None

(ListOpt) Optionally specify a list of memcached server(s) to use for caching. If left undefined, tokens will instead be cached in-process.

Table 4.8. Description of Compute configuration options


Configuration option = Default value

Description

[DEFAULT]
ip_regex = None

(StrOpt) List IP addresses that match this regular expression.

nova_compute_service_type = compute

(StrOpt) Service type to use when searching catalog.

nova_compute_url = None

(StrOpt) URL without the tenant segment.

root_grant = ALL

(ListOpt) Permissions to grant to the 'root' user.

root_grant_option = True

(BoolOpt) Assign the 'root' user GRANT permissions.

Table 4.9. Description of logging configuration options


Configuration option = Default value

Description

[DEFAULT]
backdoor_port = None

(StrOpt) Enable eventlet backdoor. Acceptable values are 0, <port>, and <start>:<end>, where 0 results in listening on a random tcp port number; <port> results in listening on the specified port number (and not enabling backdoor if that port is in use); and <start>:<end> results in listening on the smallest unused port number within the specified range of port numbers. The chosen port is displayed in the service's log file.

backlog = 4096

(IntOpt) Number of backlog requests to configure the socket with

disable_process_locking = False

(BoolOpt) Whether to disable inter-process locks

pydev_debug = disabled

(StrOpt) Enable or disable pydev remote debugging. If value is 'auto' tries to connect to remote debugger server, but in case of error continues running with debugging disabled.

pydev_debug_host = None

(StrOpt) Pydev debug server host (localhost by default).

pydev_debug_port = None

(IntOpt) Pydev debug server port (5678 by default).

Table 4.10. Description of DNS configuration options


Configuration option = Default value

Description

[DEFAULT]
dns_account_id =

(StrOpt) Tenant ID for DNSaaS.

dns_auth_url =

(StrOpt) Authentication URL for DNSaaS.

dns_domain_id =

(StrOpt) Domain ID used for adding DNS entries.

dns_domain_name =

(StrOpt) Domain name used for adding DNS entries.

dns_driver = trove.dns.driver.DnsDriver

(StrOpt) Driver for DNSaaS.

dns_endpoint_url = 0.0.0.0

(StrOpt) Endpoint URL for DNSaaS.

dns_hostname =

(StrOpt) Hostname used for adding DNS entries.

dns_instance_entry_factory = trove.dns.driver.DnsInstanceEntryFactory

(StrOpt) Factory for adding DNS entries.

dns_management_base_url =

(StrOpt) Management URL for DNSaaS.

dns_passkey =

(StrOpt) Passkey for DNSaaS.

dns_region =

(StrOpt) Region name for DNSaaS.

dns_service_type =

(StrOpt) Service Type for DNSaaS.

dns_time_out = 120

(IntOpt) Maximum time (in seconds) to wait for a DNS entry add.

dns_ttl = 300

(IntOpt) Time (in seconds) before a refresh of DNS information occurs.

dns_username =

(StrOpt) Username for DNSaaS.

trove_dns_support = False

(BoolOpt) Whether Trove should add DNS entries on create (using Designate DNSaaS).

Table 4.11. Description of guest agent configuration options


Configuration option = Default value

Description

[DEFAULT]
agent_call_high_timeout = 60

(IntOpt) Maximum time (in seconds) to wait for Guest Agent 'slow' requests (such as restarting the database).

agent_call_low_timeout = 5

(IntOpt) Maximum time (in seconds) to wait for Guest Agent 'quick' requests (such as retrieving a list of users or databases).

agent_heartbeat_time = 10

(IntOpt) Maximum time (in seconds) for the Guest Agent to reply to a heartbeat request.

guest_config = $pybasedir/etc/trove/troveguestagent.conf.sample

(StrOpt) Path to the Guest Agent config file.

guest_id = None

(StrOpt) ID of the Guest Instance.

ignore_dbs = lost+found, mysql, information_schema

(ListOpt) Databases to exclude when listing databases.

ignore_users = os_admin, root

(ListOpt) Users to exclude when listing users.

mount_options = defaults,noatime

(StrOpt) Options to use when mounting a volume.

storage_namespace = trove.guestagent.strategies.storage.swift

(StrOpt) Namespace to load the default storage strategy from.

storage_strategy = SwiftStorage

(StrOpt) Default strategy to store backups.

usage_sleep_time = 5

(IntOpt) Time to sleep during the check for an active Guest.

Table 4.12. Description of Orchestration module configuration options


Configuration option = Default value

Description

[DEFAULT]
heat_service_type = orchestration

(StrOpt) Service type to use when searching catalog.

heat_time_out = 60

(IntOpt) Maximum time (in seconds) to wait for a Heat request to complete.

heat_url = None

(StrOpt) URL without the tenant segment.

Table 4.13. Description of logging configuration options


Configuration option = Default value

Description

[DEFAULT]
debug = False

(BoolOpt) Print debugging output (set logging level to DEBUG instead of default WARNING level).

default_log_levels = amqp=WARN, amqplib=WARN, boto=WARN, qpid=WARN, sqlalchemy=WARN, suds=INFO, oslo.messaging=INFO, iso8601=WARN, requests.packages.urllib3.connectionpool=WARN, urllib3.connectionpool=WARN, websocket=WARN

(ListOpt) List of logger=LEVEL pairs.

fatal_deprecations = False

(BoolOpt) Enables or disables fatal status of deprecations.

format_options = -m 5

(StrOpt) Options to use when formatting a volume.

instance_format = "[instance: %(uuid)s] "

(StrOpt) The format for an instance that is passed with the log message.

instance_uuid_format = "[instance: %(uuid)s] "

(StrOpt) The format for an instance UUID that is passed with the log message.

log_config_append = None

(StrOpt) The name of a logging configuration file. This file is appended to any existing logging configuration files. For details about logging configuration files, see the Python logging module documentation.

log_date_format = %Y-%m-%d %H:%M:%S

(StrOpt) Format string for %%(asctime)s in log records. Default: %(default)s .

log_dir = None

(StrOpt) (Optional) The base directory used for relative --log-file paths.

log_file = None

(StrOpt) (Optional) Name of log file to output to. If no default is set, logging will go to stdout.

log_format = None

(StrOpt) DEPRECATED. A logging.Formatter log message format string which may use any of the available
logging.LogRecord attributes. This option is deprecated. Please use logging_context_format_string and
logging_default_format_string instead.

logging_context_format_string = %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [%(request_id)s %(user_identity)s] %(instance)s%(message)s

(StrOpt) Format string to use for log messages with context.

logging_debug_format_suffix = %(funcName)s %(pathname)s:%(lineno)d

(StrOpt) Data to append to log format when level is DEBUG.

logging_default_format_string = %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [-] %(instance)s%(message)s

(StrOpt) Format string to use for log messages without context.

logging_exception_prefix = %(asctime)s.%(msecs)03d %(process)d TRACE %(name)s %(instance)s

(StrOpt) Prefix each line of exception output with this format.

network_label_regex = ^private$

(StrOpt) Regular expression to match Trove network labels.

publish_errors = False

(BoolOpt) Enables or disables publication of error events.

syslog_log_facility = LOG_USER

(StrOpt) Syslog facility to receive log lines.

use_stderr = True

(BoolOpt) Log output to standard error.

use_syslog = False

(BoolOpt) Use syslog for logging. Existing syslog format is DEPRECATED during I, and will change in J to honor RFC5424.

use_syslog_rfc_format = False

(BoolOpt) (Optional) Enables or disables syslog rfc5424 format for logging. If enabled, prefixes the MSG part of the syslog message with APP-NAME (RFC5424). The format without the APP-NAME is deprecated in I, and will be removed in J.

verbose = False

(BoolOpt) Print more verbose output (set logging level to INFO instead of default WARNING level).

Table 4.14. Description of network configuration options


Configuration option = Default value

Description

[DEFAULT]
network_driver = trove.network.nova.NovaNetwork

(StrOpt) Describes the actual network manager used for the management of network attributes (security groups, floating IPs, etc.).

neutron_service_type = network

(StrOpt) Service type to use when searching catalog.

neutron_url = None

(StrOpt) URL without the tenant segment.

Table 4.15. Description of nova configuration options


Configuration option = Default value

Description

[DEFAULT]
nova_proxy_admin_pass =

(StrOpt) Admin password used to connect to Nova.

nova_proxy_admin_tenant_name =

(StrOpt) Admin tenant used to connect to Nova.

nova_proxy_admin_user =

(StrOpt) Admin username used to connect to Nova.

Table 4.16. Description of quota configuration options


Configuration option = Default value

Description

[DEFAULT]
max_accepted_volume_size = 5

(IntOpt) Default maximum volume size (in GB) for an instance.

max_backups_per_user = 50

(IntOpt) Default maximum number of backups created by a tenant.

max_instances_per_user = 5

(IntOpt) Default maximum number of instances per tenant.

max_volumes_per_user = 20

(IntOpt) Default maximum volume capacity (in GB) spanning across all Trove volumes per tenant.

quota_driver = trove.quota.quota.DbQuotaDriver

(StrOpt) Default driver to use for quota checks.

Table 4.17. Description of Redis configuration options


Configuration option = Default value

Description

[matchmaker_redis]

host = 127.0.0.1

(StrOpt) Host to locate redis

password = None

(StrOpt) Password for Redis server. (optional)

port = 6379

(IntOpt) Use this port to connect to redis host.

[matchmaker_ring]
ringfile = /etc/oslo/matchmaker_ring.json

(StrOpt) Matchmaker ring file (JSON)

Table 4.18. Description of testing configuration options


Configuration option = Default value

Description

[DEFAULT]
fake_rabbit = False

(BoolOpt) If passed, use a fake RabbitMQ provider

Table 4.19. Description of swift configuration options


Configuration option = Default value

Description

[DEFAULT]
swift_service_type = object-store

(StrOpt) Service type to use when searching catalog.

swift_url = None

(StrOpt) URL ending in AUTH_.

Table 4.20. Description of taskmanager configuration options


Configuration option = Default value

Description

[DEFAULT]
cloudinit_location = /etc/trove/cloudinit

(StrOpt) Path to folder with cloudinit scripts.

datastore_manager = None

(StrOpt) Manager class in the Guest Agent, set up by the Taskmanager on instance provision.

datastore_registry_ext = {}

(DictOpt) Extension for default datastore managers. Allows the use of custom managers for each of the datastores supported by Trove.

exists_notification_ticks = 360

(IntOpt) Number of report_intervals to wait between pushing events (see report_interval).

exists_notification_transformer = None

(StrOpt) Transformer for exists notifications.

reboot_time_out = 120

(IntOpt) Maximum time (in seconds) to wait for a server reboot.

resize_time_out = 600

(IntOpt) Maximum time (in seconds) to wait for a server resize.

revert_time_out = 600

(IntOpt) Maximum time (in seconds) to wait for a server resize revert.

server_delete_time_out = 60

(IntOpt) Maximum time (in seconds) to wait for a server delete.

state_change_wait_time = 180

(IntOpt) Maximum time (in seconds) to wait for a state change.

update_status_on_fail = True

(BoolOpt) Set the service and instance task statuses to ERROR when an instance fails to become active within the
configured usage_timeout.

usage_sleep_time = 5

(IntOpt) Time to sleep during the check for an active Guest.

use_heat = False

(BoolOpt) Use Heat for provisioning.

use_nova_server_config_drive = False

(BoolOpt) Use config drive for file injection when booting instance.

use_nova_server_volume = False

(BoolOpt) Whether to provision a Cinder volume for the Nova instance.

verify_swift_checksum_on_restore = True

(BoolOpt) Enable verification of Swift checksum before starting restore. Makes sure the checksum of original backup matches the checksum of the Swift backup file.

Table 4.21. Description of volume configuration options


Configuration option = Default value

Description

[DEFAULT]
block_device_mapping = vdb

(StrOpt) Block device to map onto the created instance.

cinder_service_type = volumev2

(StrOpt) Service type to use when searching catalog.

cinder_url = None

(StrOpt) URL without the tenant segment.

cinder_volume_type = None

(StrOpt) Volume type to use when provisioning a Cinder volume.

device_path = /dev/vdb

(StrOpt) Device path for volume if volume support is enabled.

trove_volume_support = True

(BoolOpt) Whether to provision a Cinder volume for datadir.

volume_format_timeout = 120

(IntOpt) Maximum time (in seconds) to wait for a volume format.

volume_fstype = ext3

(StrOpt) File system type used to format a volume.

volume_time_out = 60

(IntOpt) Maximum time (in seconds) to wait for a volume attach.

Configure the database


Use the following options to configure the databases in use:

Table 4.22. Description of database configuration options


Configuration option = Default value

Description

[DEFAULT]
sql_connection = sqlite:///trove_test.sqlite

(StrOpt) SQL Connection.

sql_idle_timeout = 3600

(IntOpt) Idle time (in seconds) after which the connection to the database is reestablished. Some databases will drop connections after a specific amount of idle time. Setting sql_idle_timeout to a lower value than this will ensure that a reconnect occurs before the database can drop the connection.

sql_query_log = False

(BoolOpt) Write all SQL queries to a log.

sql_query_logging = False

(BoolOpt) Allow insecure logging while executing queries through SQLAlchemy.

Table 4.23. Description of Cassandra database configuration options


Configuration option = Default value

Description

[cassandra]
backup_incremental_strategy = {}

(DictOpt) Incremental Backup Runner based on the default strategy. For strategies that do not implement an incremental, the runner will use the default full backup.

backup_namespace = None

(StrOpt) Namespace to load backup strategies from.

backup_strategy = None

(StrOpt) Default strategy to perform backups.

device_path = /dev/vdb

(StrOpt) Device path for volume if volume support is enabled.

mount_point = /var/lib/cassandra

(StrOpt) Filesystem path for mounting volumes if volume support is enabled.

replication_strategy = None

(StrOpt) Default strategy for replication.

restore_namespace = None

(StrOpt) Namespace to load restore strategies from.

tcp_ports = 7000, 7001, 9042, 9160

(ListOpt) List of TCP ports and/or port ranges to open in the security group (only applicable if trove_security_groups_support is True).

udp_ports =

(ListOpt) List of UDP ports and/or port ranges to open in the security group (only applicable if trove_security_groups_support is True).

volume_support = True

(BoolOpt) Whether to provision a Cinder volume for datadir.

Table 4.24. Description of Couchbase database configuration options


Configuration option = Default value

Description

[couchbase]
backup_incremental_strategy = {}

(DictOpt) Incremental Backup Runner based on the default strategy. For strategies that do not implement an incremental, the runner will use the default full backup.

backup_namespace = trove.guestagent.strategies.backup.couchbase_impl

(StrOpt) Namespace to load backup strategies from.

backup_strategy = CbBackup

(StrOpt) Default strategy to perform backups.

device_path = /dev/vdb

(StrOpt) Device path for volume if volume support is enabled.

mount_point = /var/lib/couchbase

(StrOpt) Filesystem path for mounting volumes if volume support is enabled.

replication_strategy = None

(StrOpt) Default strategy for replication.

restore_namespace = trove.guestagent.strategies.restore.couchbase_impl

(StrOpt) Namespace to load restore strategies from.

root_on_create = True

(BoolOpt) Enable the automatic creation of the root user for the service during instance-create. The generated password for the root user is immediately returned in the response of instance-create as the 'password' field.

tcp_ports = 8091, 8092, 4369, 11209-11211, 21100-21199

(ListOpt) List of TCP ports and/or port ranges to open in the security group (only applicable if trove_security_groups_support is True).

udp_ports =

(ListOpt) List of UDP ports and/or port ranges to open in the security group (only applicable if trove_security_groups_support is True).

volume_support = True

(BoolOpt) Whether to provision a Cinder volume for datadir.

Table 4.25. Description of MongoDB database configuration options


Configuration option = Default value

Description

[mongodb]
api_strategy = trove.common.strategies.mongodb.api.MongoDbAPIStrategy

(StrOpt) Class that implements datastore-specific API logic.

backup_incremental_strategy = {}

(DictOpt) Incremental Backup Runner based on the default strategy. For strategies that do not implement an incremental, the runner will use the default full backup.

backup_namespace = None

(StrOpt) Namespace to load backup strategies from.

backup_strategy = None

(StrOpt) Default strategy to perform backups.

cluster_support = True

(BoolOpt) Enable clusters to be created and managed.

device_path = /dev/vdb

(StrOpt) Device path for volume if volume support is enabled.

guestagent_strategy = trove.common.strategies.mongodb.guestagent.MongoDbGuestAgentStrategy

(StrOpt) Class that implements datastore-specific Guest Agent API logic.

mount_point = /var/lib/mongodb

(StrOpt) Filesystem path for mounting volumes if volume support is enabled.

num_config_servers_per_cluster = 3

(IntOpt) The number of config servers to create per cluster.

num_query_routers_per_cluster = 1

(IntOpt) The number of query routers (mongos) to create per cluster.

replication_strategy = None

(StrOpt) Default strategy for replication.

restore_namespace = None

(StrOpt) Namespace to load restore strategies from.

taskmanager_strategy = trove.common.strategies.mongodb.taskmanager.MongoDbTaskManagerStrategy

(StrOpt) Class that implements datastore-specific task manager logic.

tcp_ports = 2500, 27017

(ListOpt) List of TCP ports and/or port ranges to open in the security group (only applicable if trove_security_groups_support is True).

udp_ports =

(ListOpt) List of UDP ports and/or port ranges to open in the security group (only applicable if trove_security_groups_support is True).

volume_support = True

(BoolOpt) Whether to provision a Cinder volume for datadir.

Table 4.26. Description of MySQL database configuration options


Configuration option = Default value

Description

[mysql]
backup_incremental_strategy = {'InnoBackupEx': 'InnoBackupExIncremental'}

(DictOpt) Incremental Backup Runner based on the default strategy. For strategies that do not implement an
incremental backup, the runner will use the default full
backup.

backup_namespace = trove.guestagent.strategies.backup.mysql_impl

(StrOpt) Namespace to load backup strategies from.

backup_strategy = InnoBackupEx

(StrOpt) Default strategy to perform backups.

device_path = /dev/vdb

(StrOpt) Device path for volume if volume support is enabled.

mount_point = /var/lib/mysql

(StrOpt) Filesystem path for mounting volumes if volume support is enabled.

replication_namespace = trove.guestagent.strategies.replication.mysql_binlog

(StrOpt) Namespace to load replication strategies from.

replication_password = NETOU7897NNLOU

(StrOpt) Password for replication slave user.

replication_strategy = MysqlBinlogReplication

(StrOpt) Default strategy for replication.

replication_user = slave_user

(StrOpt) Userid for replication slave.

restore_namespace = trove.guestagent.strategies.restore.mysql_impl

(StrOpt) Namespace to load restore strategies from.

root_on_create = False

(BoolOpt) Enable the automatic creation of the root user for the service during instance-create. The generated password for the root user is immediately returned in the response of instance-create as the 'password' field.

tcp_ports = 3306

(ListOpt) List of TCP ports and/or port ranges to open in the security group (only applicable if trove_security_groups_support is True).

udp_ports =

(ListOpt) List of UDP ports and/or port ranges to open in the security group (only applicable if trove_security_groups_support is True).

usage_timeout = 400

(IntOpt) Maximum time (in seconds) to wait for a Guest to become active.

volume_support = True

(BoolOpt) Whether to provision a Cinder volume for datadir.

Table 4.27. Description of Percona database configuration options


Configuration option = Default value

Description

[percona]
backup_incremental_strategy = {'InnoBackupEx': 'InnoBackupExIncremental'}

(DictOpt) Incremental Backup Runner based on the default strategy. For strategies that do not implement an
incremental backup, the runner will use the default full
backup.

backup_namespace = trove.guestagent.strategies.backup.mysql_impl

(StrOpt) Namespace to load backup strategies from.

backup_strategy = InnoBackupEx

(StrOpt) Default strategy to perform backups.

device_path = /dev/vdb

(StrOpt) Device path for volume if volume support is enabled.

mount_point = /var/lib/mysql

(StrOpt) Filesystem path for mounting volumes if volume support is enabled.

replication_namespace = trove.guestagent.strategies.replication.mysql_binlog

(StrOpt) Namespace to load replication strategies from.

replication_password = NETOU7897NNLOU

(StrOpt) Password for replication slave user.

replication_strategy = MysqlBinlogReplication

(StrOpt) Default strategy for replication.

replication_user = slave_user

(StrOpt) Userid for replication slave.

restore_namespace = trove.guestagent.strategies.restore.mysql_impl

(StrOpt) Namespace to load restore strategies from.

root_on_create = False

(BoolOpt) Enable the automatic creation of the root user for the service during instance-create. The generated password for the root user is immediately returned in the response of instance-create as the 'password' field.

tcp_ports = 3306

(ListOpt) List of TCP ports and/or port ranges to open in the security group (only applicable if trove_security_groups_support is True).

udp_ports =

(ListOpt) List of UDP ports and/or port ranges


to open in the security group (only applicable if
trove_security_groups_support is True).

usage_timeout = 450

(IntOpt) Maximum time (in seconds) to wait for a Guest to


become active.

volume_support = True

(BoolOpt) Whether to provision a Cinder volume for


datadir.

Table 4.28. Description of PostgreSQL database configuration options


Configuration option = Default value

Description

[postgresql]
backup_incremental_strategy = {}

(DictOpt) Incremental Backup Runner based on the default strategy. For strategies that do not implement an incremental backup, the runner will use the default full backup.

backup_namespace = trove.guestagent.strategies.backup.postgresql_impl

(StrOpt) Namespace to load backup strategies from.

backup_strategy = PgDump

(StrOpt) Default strategy to perform backups.

device_path = /dev/vdb

(StrOpt) No help text available for this option.

ignore_dbs = postgres

(ListOpt) No help text available for this option.

ignore_users = os_admin, postgres, root

(ListOpt) No help text available for this option.

mount_point = /var/lib/postgresql

(StrOpt) Filesystem path for mounting volumes if volume support is enabled.

restore_namespace = trove.guestagent.strategies.restore.postgresql_impl

(StrOpt) Namespace to load restore strategies from.

root_on_create = False

(BoolOpt) Enable the automatic creation of the root user for the service during instance-create. The generated password for the root user is immediately returned in the response of instance-create as the 'password' field.

tcp_ports = 5432

(ListOpt) List of TCP ports and/or port ranges to open in the security group (only applicable if trove_security_groups_support is True).

udp_ports =

(ListOpt) List of UDP ports and/or port ranges to open in the security group (only applicable if trove_security_groups_support is True).

volume_support = True

(BoolOpt) Whether to provision a Cinder volume for datadir.

Table 4.29. Description of Redis database configuration options


Configuration option = Default value

Description

[redis]
backup_incremental_strategy = {}

(DictOpt) Incremental Backup Runner based on the default strategy. For strategies that do not implement an incremental backup, the runner will use the default full backup.

backup_namespace = None

(StrOpt) Namespace to load backup strategies from.

backup_strategy = None

(StrOpt) Default strategy to perform backups.

device_path = None

(StrOpt) Device path for volume if volume support is enabled.

mount_point = /var/lib/redis

(StrOpt) Filesystem path for mounting volumes if volume support is enabled.

replication_strategy = None

(StrOpt) Default strategy for replication.

restore_namespace = None

(StrOpt) Namespace to load restore strategies from.

tcp_ports = 6379

(ListOpt) List of TCP ports and/or port ranges to open in the security group (only applicable if trove_security_groups_support is True).

udp_ports =

(ListOpt) List of UDP ports and/or port ranges to open in the security group (only applicable if trove_security_groups_support is True).

volume_support = False

(BoolOpt) Whether to provision a Cinder volume for datadir.

Configure the RPC messaging system


OpenStack projects use an open standard for messaging middleware known as AMQP. This
messaging middleware enables the OpenStack services that run on multiple servers to talk
to each other. OpenStack Trove RPC supports three implementations of AMQP: RabbitMQ,
Qpid, and ZeroMQ.

Configure RabbitMQ
Use these options to configure the RabbitMQ messaging system:

Table 4.30. Description of RabbitMQ configuration options


Configuration option = Default value

Description

[DEFAULT]
kombu_ssl_ca_certs =

(StrOpt) SSL certification authority file (valid only if SSL enabled)

kombu_ssl_certfile =

(StrOpt) SSL cert file (valid only if SSL enabled)

kombu_ssl_keyfile =

(StrOpt) SSL key file (valid only if SSL enabled)

kombu_ssl_version =

(StrOpt) SSL version to use (valid only if SSL enabled). Valid values are TLSv1, SSLv23 and SSLv3. SSLv2 may be available on some distributions

rabbit_ha_queues = False

(BoolOpt) use H/A queues in RabbitMQ (x-ha-policy: all). You need to wipe the RabbitMQ database when changing this option.

rabbit_host = localhost

(StrOpt) The RabbitMQ broker address where a single node is used

rabbit_hosts = $rabbit_host:$rabbit_port

(ListOpt) RabbitMQ HA cluster host:port pairs

rabbit_max_retries = 0

(IntOpt) maximum retries with trying to connect to RabbitMQ (the default of 0 implies an infinite retry count)

rabbit_password = guest

(StrOpt) the RabbitMQ password

rabbit_port = 5672

(IntOpt) The RabbitMQ broker port where a single node is used

rabbit_retry_backoff = 2

(IntOpt) how long to backoff for between retries when connecting to RabbitMQ

rabbit_retry_interval = 1

(IntOpt) how frequently to retry connecting with RabbitMQ

rabbit_use_ssl = False

(BoolOpt) connect over SSL for RabbitMQ

rabbit_userid = guest

(StrOpt) the RabbitMQ userid

rabbit_virtual_host = /

(StrOpt) the RabbitMQ virtual host
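
The SSL rows above interact: the kombu_ssl_* options are valid only if SSL is enabled, while rabbit_use_ssl, rabbit_userid and rabbit_password default to False, guest and guest. The Python check below is an added example, not part of the OpenStack documentation or of Trove; the sample files, the host names, the function names and the rule that loopback brokers are exempt from the cleartext finding are assumptions of this example.

```python
import configparser

# Constructed sample files; host names, paths and the password are placeholders.
WEAK_CONF = """
[DEFAULT]
rabbit_hosts = mq1.example.net:5672, mq2.example.net:5672
kombu_ssl_ca_certs = /etc/trove/ssl/ca.pem
"""
HARDENED_CONF = """
[DEFAULT]
rabbit_hosts = mq1.example.net:5671
rabbit_use_ssl = True
kombu_ssl_version = TLSv1
kombu_ssl_ca_certs = /etc/trove/ssl/ca.pem
rabbit_userid = trove
rabbit_password = CONSTRUCTED-PLACEHOLDER
"""

# Defaults exactly as listed in the RabbitMQ options table.
DEFAULTS = {
    "rabbit_use_ssl": "False",
    "rabbit_host": "localhost",
    "rabbit_port": "5672",
    "rabbit_hosts": "$rabbit_host:$rabbit_port",
    "rabbit_userid": "guest",
    "rabbit_password": "guest",
    "kombu_ssl_version": "",
    "kombu_ssl_ca_certs": "",
    "kombu_ssl_certfile": "",
    "kombu_ssl_keyfile": "",
}
SSL_ONLY = ("kombu_ssl_version", "kombu_ssl_ca_certs",
            "kombu_ssl_certfile", "kombu_ssl_keyfile")
LOOPBACK = {"localhost", "127.0.0.1", "::1"}   # assumption: local brokers are exempt
OBSOLETE = {"SSLV2", "SSLV3"}
TRUE_VALUES = {"true", "1", "yes", "on"}


def load_default_section(conf_text):
    """Return the [DEFAULT] options of the file with the table defaults filled in."""
    parser = configparser.ConfigParser(interpolation=None)  # '%' and '$' stay literal
    parser.read_string(conf_text)
    opts = dict(DEFAULTS)
    opts.update(parser.defaults())
    return opts


def broker_hosts(opts):
    """Expand $rabbit_host/$rabbit_port and return the host part of each host:port pair."""
    raw = opts["rabbit_hosts"]
    raw = raw.replace("$rabbit_host", opts["rabbit_host"])
    raw = raw.replace("$rabbit_port", opts["rabbit_port"])
    hosts = []
    for pair in raw.split(","):
        pair = pair.strip()
        if pair:
            hosts.append(pair.rsplit(":", 1)[0].strip("[]"))
    return hosts


def audit_rabbit(conf_text):
    """Return (option, finding) tuples for the RabbitMQ transport settings."""
    opts = load_default_section(conf_text)
    findings = []
    use_ssl = opts["rabbit_use_ssl"].strip().lower() in TRUE_VALUES
    remote = [h for h in broker_hosts(opts) if h.lower() not in LOOPBACK]

    if not use_ssl:
        if remote:
            findings.append(("rabbit_use_ssl",
                             "RPC traffic and broker credentials travel in cleartext to "
                             + ", ".join(remote)))
        # The table marks these as "valid only if SSL enabled".
        for name in SSL_ONLY:
            if opts[name].strip():
                findings.append((name, "set, but has no effect while rabbit_use_ssl is False"))
    else:
        if opts["kombu_ssl_version"].strip().upper() in OBSOLETE:
            findings.append(("kombu_ssl_version",
                             "SSLv2 and SSLv3 are obsolete; TLSv1 is the strongest value the table lists"))
        if not opts["kombu_ssl_ca_certs"].strip():
            findings.append(("kombu_ssl_ca_certs",
                             "SSL is on but no CA file is set to verify the broker certificate against"))

    if opts["rabbit_password"] == "guest":
        findings.append(("rabbit_password", "default broker password is still in use"))
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label)
        for option, finding in audit_rabbit(text):
            print("  %s: %s" % (option, finding))
```
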

Configure Qpid
Use these options to configure the Qpid messaging system:

Table 4.31. Description of Qpid configuration options


Configuration option = Default value

Description

[DEFAULT]
qpid_heartbeat = 60

(IntOpt) Seconds between connection keepalive heartbeats

qpid_hostname = localhost

(StrOpt) Qpid broker hostname

qpid_hosts = $qpid_hostname:$qpid_port

(ListOpt) Qpid HA cluster host:port pairs

qpid_password =

(StrOpt) Password for qpid connection

qpid_port = 5672

(IntOpt) Qpid broker port

qpid_protocol = tcp

(StrOpt) Transport to use, either 'tcp' or 'ssl'

qpid_sasl_mechanisms =

(StrOpt) Space separated list of SASL mechanisms to use for auth

qpid_tcp_nodelay = True

(BoolOpt) Disable Nagle algorithm

qpid_username =

(StrOpt) Username for qpid connection

Configure ZeroMQ
Use these options to configure the ZeroMQ messaging system:

Table 4.32. Description of ZeroMQ configuration options


Configuration option = Default value

Description

[DEFAULT]
rpc_zmq_bind_address = *

(StrOpt) ZeroMQ bind address. Should be a wildcard (*), an ethernet interface, or IP. The "host" option should point or resolve to this address.

rpc_zmq_contexts = 1

(IntOpt) Number of ZeroMQ contexts, defaults to 1

rpc_zmq_host = localhost

(StrOpt) Name of this node. Must be a valid hostname, FQDN, or IP address. Must match "host" option, if running Nova.

rpc_zmq_ipc_dir = /var/run/openstack

(StrOpt) Directory for holding IPC sockets

rpc_zmq_matchmaker = trove.openstack.common.rpc.matchmaker.MatchMakerLocalhost

(StrOpt) MatchMaker driver

rpc_zmq_port = 9501

(IntOpt) ZeroMQ receiver listening port

rpc_zmq_topic_backlog = None

(IntOpt) Maximum number of ingress messages to locally buffer per topic. Default is unlimited.

Configure messaging
Use these common options to configure the RabbitMQ, Qpid, and ZeroMQ messaging drivers:

Table 4.33. Description of AMQP configuration options


Configuration option = Default value

Description

[DEFAULT]
amqp_auto_delete = False

(BoolOpt) Auto-delete queues in amqp.

amqp_durable_queues = False

(BoolOpt) Use durable queues in amqp.

conductor_manager = trove.conductor.manager.Manager

(StrOpt) Qualified class name to use for conductor manager.

conductor_queue = trove-conductor

(StrOpt) Message queue name the Conductor will listen on.

control_exchange = openstack

(StrOpt) AMQP exchange to connect to if using RabbitMQ or Qpid

default_publisher_id = $host

(StrOpt) Default publisher_id for outgoing notifications

notification_driver = []

(MultiStrOpt) Driver or drivers to handle sending notifications

notification_service_id = {'postgresql': 'ac277e0d-4f21-40aa-b347-1ea31e571720', 'couchbase': 'fa62fe68-74d9-4779-a24e-36f19602c415', 'mongodb': 'c8c907af-7375-456f-b929-b637ff9209ee', 'redis': 'b216ffc5-1947-456c-a4cf-70f94c05f7d0', 'mysql': '2f3ff068-2bfb-4f70-9a9d-a6bb65bc084b', 'cassandra': '459a230d-4e97-4344-9067-2a54a310b0ed'}

(DictOpt) Unique ID to tag notification events.

notification_topics = notifications

(ListOpt) AMQP topic used for openstack notifications

Table 4.34. Description of RPC configuration options


Configuration option = Default value

Description

[DEFAULT]
allowed_rpc_exception_modules = nova.exception, cinder.exception, exceptions

(ListOpt) Modules of exceptions that are permitted to be recreated upon receiving exception data from an rpc call.

matchmaker_heartbeat_freq = 300

(IntOpt) Heartbeat frequency

matchmaker_heartbeat_ttl = 600

(IntOpt) Heartbeat time-to-live.

num_tries = 3

(IntOpt) Number of times to check if a volume exists.

report_interval = 10

(IntOpt) The interval (in seconds) at which periodic tasks are run.

rpc_backend = trove.openstack.common.rpc.impl_kombu

(StrOpt) The messaging module to use, defaults to kombu.

rpc_cast_timeout = 30

(IntOpt) Seconds to wait before a cast expires (TTL). Only supported by impl_zmq.

rpc_conn_pool_size = 30

(IntOpt) Size of RPC connection pool

rpc_response_timeout = 60

(IntOpt) Seconds to wait for a response from call or multicall

rpc_thread_pool_size = 64

(IntOpt) Size of RPC thread pool

[rpc_notifier2]
topics = notifications

(ListOpt) AMQP topic(s) used for openstack notifications

[secure_messages]
enabled = True

(BoolOpt) Whether Secure Messaging (Signing) is enabled, defaults to enabled

encrypt = False

(BoolOpt) Whether Secure Messaging (Encryption) is enabled, defaults to not enabled

enforced = False

(BoolOpt) Whether Secure Messaging (Signing) is enforced, defaults to not enforced

kds_endpoint = None

(StrOpt) KDS endpoint (ex: http://kds.example.com:35357/v3)

secret_key = None

(MultiStrOpt) A list of keys: (ex: name:<base64 encoded key>), ignored if secret_keys_file is set

secret_keys_file = None

(StrOpt) Path to the file containing the keys, takes precedence over secret_key

5. Data processing service


The Data processing service (sahara) provides a scalable data-processing stack and associated management interfaces.
The following tables provide a comprehensive list of the Data processing service configuration options.

Table 5.1. Description of AMQP configuration options


Configuration option = Default value

Description

[DEFAULT]
amqp_auto_delete = False

(BoolOpt) Auto-delete queues in amqp.

amqp_durable_queues = False

(BoolOpt) Use durable queues in amqp.

control_exchange = openstack

(StrOpt) The default exchange under which topics are scoped. May be overridden by an exchange name specified in the transport_url option.

notification_driver = []

(MultiStrOpt) Driver or drivers to handle sending notifications.

notification_level = INFO

(StrOpt) Notification level for outgoing notifications

notification_publisher_id = None

(StrOpt) Notification publisher_id for outgoing notifications

notification_topics = notifications

(ListOpt) AMQP topic used for OpenStack notifications.

transport_url = None

(StrOpt) A URL representing the messaging driver to use and its full configuration. If not set, we fall back to the rpc_backend option and driver specific configuration.

Table 5.2. Description of authorization token configuration options


Configuration option = Default value

Description

[keystone_authtoken]
admin_password = None

(StrOpt) Keystone account password

admin_tenant_name = admin

(StrOpt) Keystone service account tenant name to validate user tokens

admin_token = None

(StrOpt) This option is deprecated and may be removed in a future release. Single shared secret with the Keystone configuration used for bootstrapping a Keystone installation, or otherwise bypassing the normal authentication process. This option should not be used, use `admin_user` and `admin_password` instead.

admin_user = None

(StrOpt) Keystone account username

auth_admin_prefix =

(StrOpt) Prefix to prepend at the beginning of the path. Deprecated, use identity_uri.

auth_host = 127.0.0.1

(StrOpt) Host providing the admin Identity API endpoint. Deprecated, use identity_uri.

auth_port = 35357

(IntOpt) Port of the admin Identity API endpoint. Deprecated, use identity_uri.

auth_protocol = https

(StrOpt) Protocol of the admin Identity API endpoint (http or https). Deprecated, use identity_uri.

auth_uri = None

(StrOpt) Complete public Identity API endpoint

auth_version = None

(StrOpt) API version of the admin Identity API endpoint

cache = None

(StrOpt) Env key for the swift cache

cafile = None

(StrOpt) A PEM encoded Certificate Authority to use when verifying HTTPS connections. Defaults to system CAs.

certfile = None

(StrOpt) Required if Keystone server requires client certificate

check_revocations_for_cached = False

(BoolOpt) If true, the revocation list will be checked for cached tokens. This requires that PKI tokens are configured on the Keystone server.

delay_auth_decision = False

(BoolOpt) Do not handle authorization requests within the middleware, but delegate the authorization decision to downstream WSGI components

enforce_token_bind = permissive

(StrOpt) Used to control the use and type of token binding. Can be set to: "disabled" to not check token binding. "permissive" (default) to validate binding information if the bind type is of a form known to the server and ignore it if not. "strict" like "permissive" but if the bind type is unknown the token will be rejected. "required" any form of token binding is needed to be allowed. Finally the name of a binding method that must be present in tokens.

hash_algorithms = md5

(ListOpt) Hash algorithms to use for hashing PKI tokens. This may be a single algorithm or multiple. The algorithms are those supported by Python standard hashlib.new(). The hashes will be tried in the order given, so put the preferred one first for performance. The result of the first hash will be stored in the cache. This will typically be set to multiple values only while migrating from a less secure algorithm to a more secure one. Once all the old tokens are expired this option should be set to a single value for better performance.

http_connect_timeout = None

(BoolOpt) Request timeout value for communicating with Identity API server.

http_request_max_retries = 3

(IntOpt) How many times are we trying to reconnect when communicating with Identity API Server.

identity_uri = None

(StrOpt) Complete admin Identity API endpoint. This should specify the unversioned root endpoint e.g. https://localhost:35357/

include_service_catalog = True

(BoolOpt) (optional) indicate whether to set the X-Service-Catalog header. If False, middleware will not ask for service catalog on token validation and will not set the X-Service-Catalog header.

insecure = False

(BoolOpt) Verify HTTPS connections.

keyfile = None

(StrOpt) Required if Keystone server requires client certificate

memcache_secret_key = None

(StrOpt) (optional, mandatory if memcache_security_strategy is defined) this string is used for key derivation.

memcache_security_strategy = None

(StrOpt) (optional) if defined, indicate whether token data should be authenticated or authenticated and encrypted. Acceptable values are MAC or ENCRYPT. If MAC, token data is authenticated (with HMAC) in the cache. If ENCRYPT, token data is encrypted and authenticated in the cache. If the value is not one of these options or empty, auth_token will raise an exception on initialization.

revocation_cache_time = 10

(IntOpt) Determines the frequency at which the list of revoked tokens is retrieved from the Identity service (in seconds). A high number of revocation events combined with a low cache duration may significantly reduce performance.

signing_dir = None

(StrOpt) Directory used to cache files related to PKI tokens

token_cache_time = 300

(IntOpt) In order to prevent excessive effort spent validating tokens, the middleware caches previously-seen tokens for a configurable duration (in seconds). Set to -1 to disable caching completely.
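
Several [keystone_authtoken] rows carry cross-option rules: memcache_secret_key is mandatory once memcache_security_strategy is defined, only MAC or ENCRYPT are accepted, hash_algorithms must name hashlib.new() algorithms with the preferred one first, and a number of options are deprecated. The Python validator below is an added example, not keystone middleware code; the sample files, the function name, the case-insensitive comparison of the strategy value and the choice of md5 and sha1 as the "less secure" algorithms are assumptions of this example.

```python
import configparser
import hashlib

# Constructed sample files; addresses and the secret are placeholders.
WEAK_CONF = """
[keystone_authtoken]
auth_host = 127.0.0.1
hash_algorithms = md5
memcached_servers = 127.0.0.1:11211
memcache_security_strategy = ENCRYPT
"""
HARDENED_CONF = """
[keystone_authtoken]
identity_uri = https://localhost:35357/
hash_algorithms = sha256
memcached_servers = 127.0.0.1:11211
memcache_security_strategy = ENCRYPT
memcache_secret_key = CONSTRUCTED-PLACEHOLDER
"""

# Deprecated option -> replacement named in the table.
DEPRECATED = {
    "admin_token": "admin_user and admin_password",
    "auth_admin_prefix": "identity_uri",
    "auth_host": "identity_uri",
    "auth_port": "identity_uri",
    "auth_protocol": "identity_uri",
}
WEAK_HASHES = {"md5", "sha1"}   # assumption of this example
TRUE_VALUES = {"true", "1", "yes", "on"}


def check_authtoken(conf_text):
    """Return (severity, option, message) tuples for one [keystone_authtoken] section."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    section = "keystone_authtoken"
    opts = dict(parser[section]) if parser.has_section(section) else {}

    def get(name, default=""):
        return opts.get(name, default).strip()

    found = []

    # Cache protection: a bad strategy value or a missing key stops auth_token at start-up.
    strategy = get("memcache_security_strategy")
    if strategy:
        if strategy.upper() not in ("MAC", "ENCRYPT"):
            found.append(("error", "memcache_security_strategy",
                          "must be MAC or ENCRYPT, got %r" % strategy))
        elif not get("memcache_secret_key"):
            found.append(("error", "memcache_secret_key",
                          "mandatory when memcache_security_strategy is defined"))
    elif get("memcached_servers"):
        found.append(("warning", "memcache_security_strategy",
                      "tokens cached in memcached are neither authenticated nor encrypted"))

    # Token hashing: every name must be usable with hashlib.new(); the first one is preferred.
    available = {name.lower() for name in hashlib.algorithms_available}
    algos = [a.strip() for a in get("hash_algorithms", "md5").split(",") if a.strip()]
    for algo in algos:
        if algo.lower() not in available:
            found.append(("error", "hash_algorithms",
                          "%r is not supported by hashlib.new()" % algo))
    if algos and algos[0].lower() in WEAK_HASHES:
        found.append(("warning", "hash_algorithms",
                      "preferred (first) algorithm is %s" % algos[0]))
    elif len(algos) > 1:
        found.append(("warning", "hash_algorithms",
                      "multiple values are meant for migration only; keep one once old tokens expire"))

    if get("insecure", "false").lower() in TRUE_VALUES:
        found.append(("warning", "insecure",
                      "HTTPS certificate verification for the Identity API is turned off"))

    for name, replacement in DEPRECATED.items():
        if get(name):
            found.append(("warning", name, "deprecated, use " + replacement))
    return found


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label)
        for severity, option, message in check_authtoken(text):
            print("  %-7s %s: %s" % (severity, option, message))
```
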

Table 5.3. Description of common configuration options


Configuration option = Default value

Description

[DEFAULT]
cluster_remote_threshold = 70

(IntOpt) The same as global_remote_threshold, but for a single cluster.

compute_topology_file = etc/sahara/compute.topology

(StrOpt) File with nova compute topology. It should contain mapping between nova computes and racks. File format: compute1 /rack1 compute2 /rack2 compute3 /rack2

detach_volume_timeout = 300

(IntOpt) Timeout for detaching volumes from instance (in seconds).

enable_data_locality = False

(BoolOpt) Enables data locality for hadoop cluster. Also enables data locality for Swift used by hadoop. If enabled, 'compute_topology' and 'swift_topology' configuration parameters should point to OpenStack and Swift topology correspondingly.

enable_hypervisor_awareness = True

(BoolOpt) Enables four-level topology for data locality. Works only if corresponding plugin supports such mode.

enable_notifications = False

(BoolOpt) Enables sending notifications to Ceilometer

global_remote_threshold = 100

(IntOpt) Maximum number of remote operations that will be running at the same time. Note that each remote operation requires its own process to run.

host =

(StrOpt) Hostname or IP address that will be used to listen on.

infrastructure_engine = direct

(StrOpt) An engine which will be used to provision infrastructure for Hadoop cluster.

job_binary_max_KB = 5120

(IntOpt) Maximum length of job binary data in kilobytes that may be stored or retrieved in a single operation.

job_workflow_postfix =

(StrOpt) Postfix for storing jobs in hdfs. Will be added to '/user/<hdfs user>/' path.

lock_path = None

(StrOpt) Directory to use for lock files.

memcached_servers = None

(ListOpt) Memcached servers or None for in process cache.

min_transient_cluster_active_time = 30

(IntOpt) Minimal "lifetime" in seconds for a transient cluster. Cluster is guaranteed to be "alive" within this time period.

node_domain = novalocal

(StrOpt) The suffix of the node's FQDN. In nova-network that is the dhcp_domain config parameter.

os_region_name = None

(StrOpt) Region name used to get services endpoints.

periodic_enable = True

(BoolOpt) Enable periodic tasks.

periodic_fuzzy_delay = 60

(IntOpt) Range in seconds to randomly delay when starting the periodic task scheduler to reduce stampeding. (Disable by setting to 0).

periodic_interval_max = 60

(IntOpt) Max interval size between periodic tasks execution in seconds.

plugins = vanilla, hdp

(ListOpt) List of plugins to be loaded. Sahara preserves the order of the list when returning it.

port = 8386

(IntOpt) Port that will be used to listen on.

remote = ssh

(StrOpt) A method for Sahara to execute commands on VMs.

run_external_periodic_tasks = True

(BoolOpt) Some periodic tasks can be run in a separate process. Should we run them here?

swift_topology_file = etc/sahara/swift.topology

(StrOpt) File with Swift topology. It should contain mapping between Swift nodes and racks. File format: node1 /rack1 node2 /rack2 node3 /rack2

use_floating_ips = True

(BoolOpt) If set to True, Sahara will use floating IPs to communicate with instances. To make sure that all instances have floating IPs assigned in Nova Network set "auto_assign_floating_ip=True" in nova.conf. If Neutron is used for networking, make sure that all Node Groups have "floating_ip_pool" parameter defined.

use_identity_api_v3 = True

(BoolOpt) Enables Sahara to use Keystone API v3. If that flag is disabled, per-job clusters will not be terminated automatically.

use_namespaces = False

(BoolOpt) Use network namespaces for communication (only valid to use in conjunction with use_neutron=True).

use_neutron = False

(BoolOpt) Use Neutron Networking (False indicates the use of Nova networking).

[conductor]
use_local = True

(BoolOpt) Perform sahara-conductor operations locally.

[keystone_authtoken]
memcached_servers = None

(ListOpt) Optionally specify a list of memcached server(s) to use for caching. If left undefined, tokens will instead be cached in-process.

Table 5.4. Description of database configuration options


Configuration option = Default value

Description

[DEFAULT]
db_driver = sahara.db

(StrOpt) Driver to use for database access.

[database]
backend = sqlalchemy

(StrOpt) The back end to use for the database.

connection = None

(StrOpt) The SQLAlchemy connection string to use to connect to the database.

connection_debug = 0

(IntOpt) Verbosity of SQL debugging information: 0=None, 100=Everything.

connection_trace = False

(BoolOpt) Add Python stack traces to SQL as comment strings.

db_inc_retry_interval = True

(BoolOpt) If True, increases the interval between database connection retries up to db_max_retry_interval.

db_max_retries = 20

(IntOpt) Maximum database connection retries before error is raised. Set to -1 to specify an infinite retry count.

db_max_retry_interval = 10

(IntOpt) If db_inc_retry_interval is set, the maximum seconds between database connection retries.

db_retry_interval = 1

(IntOpt) Seconds between database connection retries.

idle_timeout = 3600

(IntOpt) Timeout before idle SQL connections are reaped.

max_overflow = None

(IntOpt) If set, use this value for max_overflow with SQLAlchemy.

max_pool_size = None

(IntOpt) Maximum number of SQL connections to keep open in a pool.

max_retries = 10

(IntOpt) Maximum db connection retries during startup. Set to -1 to specify an infinite retry count.

min_pool_size = 1

(IntOpt) Minimum number of SQL connections to keep open in a pool.

mysql_sql_mode = TRADITIONAL

(StrOpt) The SQL mode to be used for MySQL sessions. This option, including the default, overrides any server-set SQL mode. To use whatever SQL mode is set by the server configuration, set this to no value. Example: mysql_sql_mode=

pool_timeout = None

(IntOpt) If set, use this value for pool_timeout with SQLAlchemy.

retry_interval = 10

(IntOpt) Interval between retries of opening a SQL connection.

slave_connection = None

(StrOpt) The SQLAlchemy connection string to use to connect to the slave database.

sqlite_db = oslo.sqlite

(StrOpt) The file name to use with SQLite.

sqlite_synchronous = True

(BoolOpt) If True, SQLite uses synchronous mode.

use_db_reconnect = False

(BoolOpt) Enable the experimental use of database reconnect on connection lost.

Table 5.5. Description of domain configuration options


Configuration option = Default value

Description

[DEFAULT]
proxy_user_domain_name = None

(StrOpt) The domain Sahara will use to create new proxy users for Swift object access.

proxy_user_role_names = Member

(ListOpt) A list of the role names that the proxy user should assume through trust for Swift object access.

use_domain_for_proxy_users = False

(BoolOpt) Enables Sahara to use a domain for creating temporary proxy users to access Swift. If this is enabled a domain must be created for Sahara to use.

Table 5.6. Description of logging configuration options


Configuration option = Default value

Description

[DEFAULT]
disable_process_locking = False

(BoolOpt) Enables or disables inter-process locks.

Table 5.7. Description of logging configuration options


Configuration option = Default value

Description

[DEFAULT]
debug = False

(BoolOpt) Print debugging output (set logging level to DEBUG instead of default WARNING level).

default_log_levels = amqplib=WARN, qpid.messaging=INFO, stevedore=INFO, eventlet.wsgi.server=WARN, sqlalchemy=WARN, boto=WARN, suds=INFO, keystone=INFO, paramiko=WARN, requests=WARN, iso8601=WARN

(ListOpt) List of logger=LEVEL pairs.

fatal_deprecations = False

(BoolOpt) Enables or disables fatal status of deprecations.

instance_format = "[instance: %(uuid)s] "

(StrOpt) The format for an instance that is passed with the log message.

instance_uuid_format = "[instance: %(uuid)s] "

(StrOpt) The format for an instance UUID that is passed with the log message.

log_config_append = None

(StrOpt) The name of a logging configuration file. This file is appended to any existing logging configuration files. For details about logging configuration files, see the Python logging module documentation.

log_date_format = %Y-%m-%d %H:%M:%S

(StrOpt) Format string for %%(asctime)s in log records. Default: %(default)s .

log_dir = None

(StrOpt) (Optional) The base directory used for relative --log-file paths.

log_exchange = False

(BoolOpt) Log request/response exchange details: environ, headers and bodies.

log_file = None

(StrOpt) (Optional) Name of log file to output to. If no default is set, logging will go to stdout.

log_format = None

(StrOpt) DEPRECATED. A logging.Formatter log message format string which may use any of the available logging.LogRecord attributes. This option is deprecated. Please use logging_context_format_string and logging_default_format_string instead.

logging_context_format_string = %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [%(request_id)s %(user_identity)s] %(instance)s%(message)s

(StrOpt) Format string to use for log messages with context.

logging_debug_format_suffix = %(funcName)s %(pathname)s:%(lineno)d

(StrOpt) Data to append to log format when level is DEBUG.

logging_default_format_string = %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [-] %(instance)s%(message)s

(StrOpt) Format string to use for log messages without context.

logging_exception_prefix = %(asctime)s.%(msecs)03d %(process)d TRACE %(name)s %(instance)s

(StrOpt) Prefix each line of exception output with this format.

publish_errors = False

(BoolOpt) Enables or disables publication of error events.

syslog_log_facility = LOG_USER

(StrOpt) Syslog facility to receive log lines.

use_stderr = True

(BoolOpt) Log output to standard error.

use_syslog = False

(BoolOpt) Use syslog for logging. Existing syslog format is DEPRECATED during I, and will change in J to honor RFC5424.

use_syslog_rfc_format = False

(BoolOpt) (Optional) Enables or disables syslog rfc5424 format for logging. If enabled, prefixes the MSG part of the syslog message with APP-NAME (RFC5424). The format without the APP-NAME is deprecated in I, and will be removed in J.

verbose = False

(BoolOpt) Print more verbose output (set logging level to INFO instead of default WARNING level).

Table 5.8. Description of Qpid configuration options


Configuration option = Default value

Description

[DEFAULT]
qpid_heartbeat = 60

(IntOpt) Seconds between connection keepalive heartbeats.

qpid_hostname = localhost

(StrOpt) Qpid broker hostname.

qpid_hosts = $qpid_hostname:$qpid_port

(ListOpt) Qpid HA cluster host:port pairs.

qpid_password =

(StrOpt) Password for Qpid connection.

qpid_port = 5672

(IntOpt) Qpid broker port.

qpid_protocol = tcp

(StrOpt) Transport to use, either 'tcp' or 'ssl'.

qpid_receiver_capacity = 1

(IntOpt) The number of prefetched messages held by receiver.

qpid_sasl_mechanisms =

(StrOpt) Space separated list of SASL mechanisms to use for auth.

qpid_tcp_nodelay = True

(BoolOpt) Whether to disable the Nagle algorithm.

qpid_topology_version = 1

(IntOpt) The qpid topology version to use. Version 1 is what was originally used by impl_qpid. Version 2 includes some backwards-incompatible changes that allow broker federation to work. Users should update to version 2 when they are able to take everything down, as it requires a clean break.

qpid_username =

(StrOpt) Username for Qpid connection.

Table 5.9. Description of RabbitMQ configuration options


Configuration option = Default value

Description

[DEFAULT]
kombu_reconnect_delay = 1.0

(FloatOpt) How long to wait before reconnecting in response to an AMQP consumer cancel notification.

kombu_ssl_ca_certs =

(StrOpt) SSL certification authority file (valid only if SSL enabled).

kombu_ssl_certfile =

(StrOpt) SSL cert file (valid only if SSL enabled).

kombu_ssl_keyfile =

(StrOpt) SSL key file (valid only if SSL enabled).

kombu_ssl_version =

(StrOpt) SSL version to use (valid only if SSL enabled). Valid values are TLSv1, SSLv23 and SSLv3. SSLv2 may be available on some distributions.

rabbit_ha_queues = False

(BoolOpt) Use HA queues in RabbitMQ (x-ha-policy: all). If you change this option, you must wipe the RabbitMQ database.

rabbit_host = localhost

(StrOpt) The RabbitMQ broker address where a single node is used.

rabbit_hosts = $rabbit_host:$rabbit_port

(ListOpt) RabbitMQ HA cluster host:port pairs.

rabbit_login_method = AMQPLAIN

(StrOpt) the RabbitMQ login method

rabbit_max_retries = 0

(IntOpt) Maximum number of RabbitMQ connection retries. Default is 0 (infinite retry count).

rabbit_password = guest

(StrOpt) The RabbitMQ password.

rabbit_port = 5672

(IntOpt) The RabbitMQ broker port where a single node is used.

rabbit_retry_backoff = 2

(IntOpt) How long to backoff for between retries when connecting to RabbitMQ.

rabbit_retry_interval = 1

(IntOpt) How frequently to retry connecting with RabbitMQ.

rabbit_use_ssl = False

(BoolOpt) Connect over SSL for RabbitMQ.

rabbit_userid = guest

(StrOpt) The RabbitMQ userid.

rabbit_virtual_host = /

(StrOpt) The RabbitMQ virtual host.

Table 5.10. Description of Redis configuration options


Configuration option = Default value

Description

[matchmaker_redis]
host = 127.0.0.1

(StrOpt) Host to locate redis.

password = None

(StrOpt) Password for Redis server (optional).

port = 6379

(IntOpt) Use this port to connect to redis host.

[matchmaker_ring]

ringfile = /etc/oslo/matchmaker_ring.json

(StrOpt) Matchmaker ring file (JSON).


Table 5.11. Description of RPC configuration options


Configuration option = Default value

Description

[DEFAULT]
matchmaker_heartbeat_freq = 300

(IntOpt) Heartbeat frequency.

matchmaker_heartbeat_ttl = 600

(IntOpt) Heartbeat time-to-live.

rpc_backend = rabbit

(StrOpt) The messaging driver to use, defaults to rabbit. Other drivers include qpid and zmq.

rpc_cast_timeout = 30

(IntOpt) Seconds to wait before a cast expires (TTL). Only supported by impl_zmq.

rpc_conn_pool_size = 30

(IntOpt) Size of RPC connection pool.

rpc_response_timeout = 60

(IntOpt) Seconds to wait for a response from a call.

rpc_thread_pool_size = 64

(IntOpt) Size of RPC greenthread pool.

Table 5.12. Description of testing configuration options


Configuration option = Default value

Description

[DEFAULT]
fake_rabbit = False

(BoolOpt) If passed, use a fake RabbitMQ provider.

Table 5.13. Description of ZeroMQ configuration options


Configuration option = Default value

Description

[DEFAULT]
rpc_zmq_bind_address = *

(StrOpt) ZeroMQ bind address. Should be a wildcard (*), an ethernet interface, or IP. The "host" option should point or resolve to this address.

rpc_zmq_contexts = 1

(IntOpt) Number of ZeroMQ contexts, defaults to 1.

rpc_zmq_host = localhost

(StrOpt) Name of this node. Must be a valid hostname, FQDN, or IP address. Must match "host" option, if running Nova.

rpc_zmq_ipc_dir = /var/run/openstack

(StrOpt) Directory for holding IPC sockets.

rpc_zmq_matchmaker = oslo.messaging._drivers.matchmaker.MatchMakerLocalhost

(StrOpt) MatchMaker driver.

rpc_zmq_port = 9501

(IntOpt) ZeroMQ receiver listening port.

rpc_zmq_topic_backlog = None

(IntOpt) Maximum number of ingress messages to locally buffer per topic. Default is unlimited.


6. Identity service
Table of Contents
Caching layer
Identity service configuration file
Identity service sample configuration files
New, updated and deprecated options in Juno for OpenStack Identity

This chapter details the OpenStack Identity service configuration options. For installation
prerequisites and step-by-step walkthroughs, see the OpenStack Installation Guide for your
distribution (docs.openstack.org) and Cloud Administrator Guide.

Caching layer
Identity supports a caching layer that is above the configurable subsystems, such as token
or assignment. The majority of the caching configuration options are set in the [cache]
section. However, each section that has the capability to be cached usually has a caching
option that will toggle caching for that specific section. By default, caching is globally disabled. Options are as follows:

Table 6.1. Description of cache configuration options


Configuration option = Default value

Description

[cache]
backend = keystone.common.cache.noop

(StrOpt) Dogpile.cache backend module. It is recommended that Memcache with pooling (keystone.cache.memcache_pool) or Redis (dogpile.cache.redis) be used in production deployments. Small workloads (single process) like devstack can use the dogpile.cache.memory backend.

backend_argument = []

(MultiStrOpt) Arguments supplied to the backend module. Specify this option once per argument to be passed to the dogpile.cache backend. Example format: "<argname>:<value>".

config_prefix = cache.keystone

(StrOpt) Prefix for building the configuration dictionary for the cache region. This should not need to be changed unless there is another dogpile.cache region with the same configuration name.

debug_cache_backend = False

(BoolOpt) Extra debugging from the cache backend (cache keys, get/set/delete/etc calls). This is only really useful if you need to see the specific cache-backend get/set/delete calls with the keys/values. Typically this should be left set to false.

enabled = False

(BoolOpt) Global toggle for all caching using the should_cache_fn mechanism.

expiration_time = 600

(IntOpt) Default TTL, in seconds, for any cached item in the dogpile.cache region. This applies to any cached method that doesn't have an explicit cache expiration time defined for it.


memcache_dead_retry = 300

(IntOpt) Number of seconds memcached server is considered dead before it is tried again. (dogpile.cache.memcache and keystone.cache.memcache_pool backends only)

memcache_pool_connection_get_timeout = 10

(IntOpt) Number of seconds that an operation will wait to get a memcache client connection.

memcache_pool_maxsize = 10

(IntOpt) Max total number of open connections to every memcached server. (keystone.cache.memcache_pool backend only)

memcache_pool_unused_timeout = 60

(IntOpt) Number of seconds a connection to memcached is held unused in the pool before it is closed.
(keystone.cache.memcache_pool backend only)

memcache_servers = localhost:11211

(ListOpt) Memcache servers in the format of "host:port". (dogpile.cache.memcache and keystone.cache.memcache_pool backends only)

memcache_socket_timeout = 3

(IntOpt) Timeout in seconds for every call to a server. (dogpile.cache.memcache and keystone.cache.memcache_pool backends only)

proxies =

(ListOpt) Proxy classes to import that will affect the way the dogpile.cache backend functions. See the dogpile.cache documentation on changing-backend-behavior.

[memcache]
dead_retry = 300

(IntOpt) Number of seconds memcached server is considered dead before it is tried again. This is used by the key
value store system (e.g. token pooled memcached persistence backend).

pool_connection_get_timeout = 10

(IntOpt) Number of seconds that an operation will wait to get a memcache client connection. This is used by the key value store system (e.g. token pooled memcached persistence backend).

pool_maxsize = 10

(IntOpt) Max total number of open connections to every memcached server. This is used by the key value store system (e.g. token pooled memcached persistence backend).

pool_unused_timeout = 60

(IntOpt) Number of seconds a connection to memcached is held unused in the pool before it is closed. This is used by the key value store system (e.g. token pooled memcached persistence backend).

Current functional backends are:

dogpile.cache.memcached - Memcached backend using the standard python-memcached library
dogpile.cache.pylibmc - Memcached backend using the pylibmc library
dogpile.cache.bmemcached - Memcached using python-binary-memcached library.
dogpile.cache.redis - Redis backend
dogpile.cache.dbm - Local DBM file backend
dogpile.cache.memory - In-memory cache, not suitable for use outside of testing as it does not clean up its internal cache on cache expiration and does not share cache between processes. This means that caching and cache invalidation will not be consistent or reliable.
dogpile.cache.mongo - MongoDB as caching backend.

Identity service configuration file


The Identity service is configured in the /etc/keystone/keystone.conf file.
The following tables provide a comprehensive list of the Identity service options.

Table 6.2. Description of API configuration options


Configuration option = Default value

Description

[DEFAULT]
admin_bind_host = 0.0.0.0

(StrOpt) The IP address of the network interface for the admin service to listen on.

admin_endpoint = None

(StrOpt) The base admin endpoint URL for Keystone that is advertised to clients (NOTE: this does NOT affect how Keystone listens for connections). Defaults to the base host URL of the request. E.g. a request to http://server:35357/v2.0/users will default to http://server:35357. You should only need to set this value if the base URL contains a path (e.g. /prefix/v2.0) or the endpoint should be found on a different server.

admin_port = 35357

(IntOpt) The port number which the admin service listens on.

admin_token = ADMIN

(StrOpt) A "shared secret" that can be used to bootstrap Keystone. This "token" does not represent a user, and carries no explicit authorization. To disable in production (highly recommended), remove AdminTokenAuthMiddleware from your paste application pipelines (for example, in keystone-paste.ini).

admin_workers = None

(IntOpt) The number of worker processes to serve the admin WSGI application. Defaults to number of CPUs (minimum of 2).

compute_port = 8774

(IntOpt) (Deprecated) The port which the OpenStack Compute service listens on. This option was only used for string replacement in the templated catalog backend. Templated catalogs should replace the "$(compute_port)s" substitution with the static port of the compute service. As of Juno, this option is deprecated and will be removed in the L release.

domain_id_immutable = True

(BoolOpt) Set this to false if you want to enable the ability for user, group and project entities to be moved between domains by updating their domain_id. Allowing
such movement is not recommended if the scope of a domain admin is being restricted by use of an appropriate
policy file (see policy.v3cloudsample as an example).

list_limit = None

(IntOpt) The maximum number of entities that will be returned in a collection, with no limit set by default. This
global limit may be then overridden for a specific driver, by
specifying a list_limit in the appropriate section (e.g. [assignment]).

max_param_size = 64

(IntOpt) Limit the sizes of user & project ID/names.

max_request_body_size = 114688

(IntOpt) Enforced by optional sizelimit middleware (keystone.middleware:RequestBodySizeLimiter).

max_token_size = 8192

(IntOpt) Similar to max_param_size, but provides an exception for token values.

member_role_id = 9fe2ff9ee4384b1894a90878d3e92bab

(StrOpt) During a SQL upgrade member_role_id will be used to create a new role that will replace records in the assignment table with explicit role grants. After migration, the member_role_id will be used in the API add_user_to_project.

member_role_name = _member_

(StrOpt) During a SQL upgrade member_role_name will be used to create a new role that will replace records in the assignment table with explicit role grants. After migration, member_role_name will be ignored.

public_bind_host = 0.0.0.0

(StrOpt) The IP address of the network interface for the public service to listen on.

public_endpoint = None

(StrOpt) The base public endpoint URL for Keystone that is advertised to clients (NOTE: this does NOT affect how Keystone listens for connections). Defaults to the base host URL of the request. E.g. a request to http://server:5000/v2.0/users will default to http://server:5000. You should only need to set this value if the base URL contains a path (e.g. /prefix/v2.0) or the endpoint should be found on a different server.

public_port = 5000

(IntOpt) The port number which the public service listens on.

public_workers = None

(IntOpt) The number of worker processes to serve the public WSGI application. Defaults to number of CPUs (minimum of 2).

strict_password_check = False

(BoolOpt) If set to true, strict password length checking is performed for password manipulation. If a password exceeds the maximum length, the operation will fail with an HTTP 403 Forbidden error. If set to false, passwords are automatically truncated to the maximum length.

tcp_keepalive = False

(BoolOpt) Set this to true if you want to enable TCP_KEEPALIVE on server sockets, i.e. sockets used by the Keystone wsgi server for client connections.

tcp_keepidle = 600

(IntOpt) Sets the value of TCP_KEEPIDLE in seconds for each server socket. Only applies if tcp_keepalive is true. Not supported on OS X.

[endpoint_filter]
driver = keystone.contrib.endpoint_filter.backends.sql.EndpointFilter

(StrOpt) Endpoint Filter backend driver

return_all_endpoints_if_no_filter = True

(BoolOpt) Toggle to return all active endpoints if no filter exists.

[endpoint_policy]
driver = keystone.contrib.endpoint_policy.backends.sql.EndpointPolicy

(StrOpt) Endpoint policy backend driver

[paste_deploy]
config_file = keystone-paste.ini

(StrOpt) Name of the paste configuration file that defines the available pipelines.

Table 6.3. Description of assignment configuration options


Configuration option = Default value

Description

[assignment]
cache_time = None

(IntOpt) TTL (in seconds) to cache assignment data. This has no effect unless global caching is enabled.

caching = True

(BoolOpt) Toggle for assignment caching. This has no effect unless global caching is enabled.

driver = None

(StrOpt) Assignment backend driver.

list_limit = None

(IntOpt) Maximum number of entities that will be returned in an assignment collection.


Table 6.4. Description of authorization configuration options


Configuration option = Default value

Description

[auth]
external = keystone.auth.plugins.external.DefaultDomain

(StrOpt) The external (REMOTE_USER) auth plugin module.

methods = external, password, token

(ListOpt) Default auth methods.

password = keystone.auth.plugins.password.Password

(StrOpt) The password auth plugin module.

token = keystone.auth.plugins.token.Token

(StrOpt) The token auth plugin module.

Table 6.5. Description of authorization token configuration options


Configuration option = Default value

Description

[keystone_authtoken]
admin_password = None

(StrOpt) Keystone account password

admin_tenant_name = admin

(StrOpt) Keystone service account tenant name to validate user tokens

admin_token = None

(StrOpt) This option is deprecated and may be removed in a future release. Single shared secret with the Keystone configuration used for bootstrapping a Keystone installation, or otherwise bypassing the normal authentication process. This option should not be used, use `admin_user` and `admin_password` instead.

admin_user = None

(StrOpt) Keystone account username

auth_admin_prefix =

(StrOpt) Prefix to prepend at the beginning of the path. Deprecated, use identity_uri.

auth_host = 127.0.0.1

(StrOpt) Host providing the admin Identity API endpoint. Deprecated, use identity_uri.

auth_port = 35357

(IntOpt) Port of the admin Identity API endpoint. Deprecated, use identity_uri.

auth_protocol = https

(StrOpt) Protocol of the admin Identity API endpoint (http or https). Deprecated, use identity_uri.

auth_uri = None

(StrOpt) Complete public Identity API endpoint

auth_version = None

(StrOpt) API version of the admin Identity API endpoint

cache = None

(StrOpt) Env key for the swift cache

cafile = None

(StrOpt) A PEM encoded Certificate Authority to use when verifying HTTPS connections. Defaults to system CAs.

certfile = None

(StrOpt) Required if Keystone server requires client certificate

check_revocations_for_cached = False

(BoolOpt) If true, the revocation list will be checked for cached tokens. This requires that PKI tokens are configured on the Keystone server.

delay_auth_decision = False

(BoolOpt) Do not handle authorization requests within the middleware, but delegate the authorization decision to downstream WSGI components

enforce_token_bind = permissive

(StrOpt) Used to control the use and type of token binding. Can be set to: "disabled" to not check token binding.
"permissive" (default) to validate binding information if
the bind type is of a form known to the server and ignore
it if not. "strict" like "permissive" but if the bind type is unknown the token will be rejected. "required" any form of
token binding is needed to be allowed. Finally the name of
a binding method that must be present in tokens.

hash_algorithms = md5

(ListOpt) Hash algorithms to use for hashing PKI tokens. This may be a single algorithm or multiple. The algorithms are those supported by Python standard hashlib.new(). The hashes will be tried in the order given, so put the preferred one first for performance. The result of the first hash will be stored in the cache. This will typically be set to multiple values only while migrating from a less secure algorithm to a more secure one. Once all the old tokens are expired this option should be set to a single value for better performance.

http_connect_timeout = None

(BoolOpt) Request timeout value for communicating with Identity API server.

http_request_max_retries = 3

(IntOpt) How many times are we trying to reconnect when communicating with Identity API Server.

identity_uri = None

(StrOpt) Complete admin Identity API endpoint. This should specify the unversioned root endpoint e.g. https://localhost:35357/

include_service_catalog = True

(BoolOpt) (optional) indicate whether to set the X-Service-Catalog header. If False, middleware will not ask for service catalog on token validation and will not set the X-Service-Catalog header.

insecure = False

(BoolOpt) Verify HTTPS connections.

keyfile = None

(StrOpt) Required if Keystone server requires client certificate

memcache_secret_key = None

(StrOpt) (optional, mandatory if memcache_security_strategy is defined) this string is used for key derivation.

memcache_security_strategy = None

(StrOpt) (optional) if defined, indicate whether token data should be authenticated or authenticated and encrypted. Acceptable values are MAC or ENCRYPT. If MAC, token data is authenticated (with HMAC) in the cache. If ENCRYPT, token data is encrypted and authenticated in the
cache. If the value is not one of these options or empty,
auth_token will raise an exception on initialization.

revocation_cache_time = 10

(IntOpt) Determines the frequency at which the list of revoked tokens is retrieved from the Identity service (in seconds). A high number of revocation events combined with a low cache duration may significantly reduce performance.

signing_dir = None

(StrOpt) Directory used to cache files related to PKI tokens

token_cache_time = 300

(IntOpt) In order to prevent excessive effort spent validating tokens, the middleware caches previously-seen tokens
for a configurable duration (in seconds). Set to -1 to disable caching completely.
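
The enforce_token_bind modes described in the table above, written out as a decision function. This is an added illustration, not keystonemiddleware's code: bind_allows, decision_table and the sample identities are hypothetical names, and treating kerberos as the only bind type the server can verify is an assumption.

```python
# Bind types this sketch can verify against the request (assumption).
KNOWN_BIND_TYPES = {"kerberos"}
PREDEFINED_MODES = {"disabled", "permissive", "strict", "required"}


def bind_allows(mode, token_bind, request_identities):
    """Return True if a token passes the enforce_token_bind policy.

    mode               -- the enforce_token_bind value
    token_bind         -- {bind type: identifier} carried in the token, or {}
    request_identities -- {bind type: identifier} proven by the current request
    """
    if mode == "disabled":
        return True  # binding is never checked

    # permissive and strict accept tokens that carry no binding at all;
    # required and a named method do not.
    if not token_bind:
        return mode in ("permissive", "strict")

    # Any value other than the predefined modes names a bind method that
    # must be present in the token.
    if mode not in PREDEFINED_MODES and mode not in token_bind:
        return False

    for bind_type, identifier in token_bind.items():
        if bind_type in KNOWN_BIND_TYPES:
            # A known bind type is always validated against the request.
            if request_identities.get(bind_type) != identifier:
                return False
        elif mode != "permissive":
            # Unknown bind type: only permissive ignores it.
            return False
    return True


def decision_table(token_bind, request_identities):
    """Evaluate one token under every mode, for side-by-side comparison."""
    modes = ("disabled", "permissive", "strict", "required", "kerberos")
    return {m: bind_allows(m, token_bind, request_identities) for m in modes}


if __name__ == "__main__":
    # Constructed samples: (label, token bind data, identities proven by request)
    samples = [
        ("unbound token", {}, {}),
        ("kerberos bind, same principal",
         {"kerberos": "alice@EXAMPLE"}, {"kerberos": "alice@EXAMPLE"}),
        ("kerberos bind, different principal",
         {"kerberos": "alice@EXAMPLE"}, {"kerberos": "bob@EXAMPLE"}),
        ("bind type unknown to the server",
         {"x509": "constructed-fingerprint"}, {}),
    ]
    for label, bind, proven in samples:
        print(label, decision_table(bind, proven))
```

The default, permissive, is the only mode besides disabled that accepts a token whose bind type the server cannot check.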

Table 6.6. Description of CA and SSL configuration options


Configuration option = Default value

Description

[signing]
ca_certs = /etc/keystone/ssl/certs/ca.pem

(StrOpt) Path of the CA for token signing.

ca_key = /etc/keystone/ssl/private/cakey.pem

(StrOpt) Path of the CA key for token signing.

cert_subject = /C=US/ST=Unset/L=Unset/O=Unset/CN=www.example.com

(StrOpt) Certificate subject (auto generated certificate) for token signing.

certfile = /etc/keystone/ssl/certs/signing_cert.pem

(StrOpt) Path of the certfile for token signing. For non-production environments, you may be interested in using `keystone-manage pki_setup` to generate self-signed certificates.

key_size = 2048

(IntOpt) Key size (in bits) for token signing cert (auto generated certificate).


keyfile = /etc/keystone/ssl/private/signing_key.pem

(StrOpt) Path of the keyfile for token signing.

token_format = None

(StrOpt) Deprecated in favor of provider in the [token] section.

valid_days = 3650

(IntOpt) Days the token signing cert is valid for (auto generated certificate).

[ssl]
ca_certs = /etc/keystone/ssl/certs/ca.pem

(StrOpt) Path of the ca cert file for SSL.

ca_key = /etc/keystone/ssl/private/cakey.pem

(StrOpt) Path of the CA key file for SSL.

cert_required = False

(BoolOpt) Require client certificate.

cert_subject = /C=US/ST=Unset/L=Unset/O=Unset/CN=localhost

(StrOpt) SSL certificate subject (auto generated certificate).

certfile = /etc/keystone/ssl/certs/keystone.pem

(StrOpt) Path of the certfile for SSL. For non-production environments, you may be interested in using `keystone-manage ssl_setup` to generate self-signed certificates.

enable = False

(BoolOpt) Toggle for SSL support on the Keystone eventlet servers.

key_size = 1024

(IntOpt) SSL key length (in bits) (auto generated certificate).

keyfile = /etc/keystone/ssl/private/keystonekey.pem

(StrOpt) Path of the keyfile for SSL.

valid_days = 3650

(IntOpt) Days the certificate is valid for once signed (auto generated certificate).

Table 6.7. Description of catalog configuration options


Configuration option = Default value

Description

[catalog]
cache_time = None

(IntOpt) Time to cache catalog data (in seconds). This has no effect unless global and catalog caching are enabled.

caching = True

(BoolOpt) Toggle for catalog caching. This has no effect unless global caching is enabled.

driver = keystone.catalog.backends.sql.Catalog

(StrOpt) Catalog backend driver.

endpoint_substitution_whitelist = tenant_id, user_id, public_bind_host, admin_bind_host, compute_host, compute_port, admin_port, public_port, public_endpoint, admin_endpoint

(ListOpt) (Deprecated) List of possible substitutions for use in formatting endpoints. Use caution when modifying this list. It will give users with permission to create endpoints the ability to see those values in your configuration file. This option will be removed in Juno.

list_limit = None

(IntOpt) Maximum number of entities that will be returned in a catalog collection.

template_file = default_catalog.templates

(StrOpt) Catalog template file name for use with the template catalog backend.

Table 6.8. Description of common configuration options


Configuration option = Default value

Description

[DEFAULT]
memcached_servers = None

(ListOpt) Memcached servers or None for in process cache.

[keystone_authtoken]
memcached_servers = None

(ListOpt) Optionally specify a list of memcached server(s) to use for caching. If left undefined, tokens will instead be cached in-process.


Table 6.9. Description of credential configuration options


Configuration option = Default value

Description

[credential]
driver = keystone.credential.backends.sql.Credential

(StrOpt) Credential backend driver.

Table 6.10. Description of database configuration options


Configuration option = Default value

Description

[database]
backend = sqlalchemy

(StrOpt) The back end to use for the database.

connection = None

(StrOpt) The SQLAlchemy connection string to use to connect to the database.

connection_debug = 0

(IntOpt) Verbosity of SQL debugging information: 0=None, 100=Everything.

connection_trace = False

(BoolOpt) Add Python stack traces to SQL as comment strings.

db_inc_retry_interval = True

(BoolOpt) If True, increases the interval between database connection retries up to db_max_retry_interval.

db_max_retries = 20

(IntOpt) Maximum database connection retries before error is raised. Set to -1 to specify an infinite retry count.

db_max_retry_interval = 10

(IntOpt) If db_inc_retry_interval is set, the maximum seconds between database connection retries.

db_retry_interval = 1

(IntOpt) Seconds between database connection retries.

idle_timeout = 3600

(IntOpt) Timeout before idle SQL connections are reaped.

max_overflow = None

(IntOpt) If set, use this value for max_overflow with SQLAlchemy.

max_pool_size = None

(IntOpt) Maximum number of SQL connections to keep open in a pool.

max_retries = 10

(IntOpt) Maximum db connection retries during startup. Set to -1 to specify an infinite retry count.

min_pool_size = 1

(IntOpt) Minimum number of SQL connections to keep open in a pool.

mysql_sql_mode = TRADITIONAL

(StrOpt) The SQL mode to be used for MySQL sessions. This option, including the default, overrides any server-set SQL mode. To use whatever SQL mode is set by the server configuration, set this to no value. Example: mysql_sql_mode=

pool_timeout = None

(IntOpt) If set, use this value for pool_timeout with SQLAlchemy.

retry_interval = 10

(IntOpt) Interval between retries of opening a SQL connection.

slave_connection = None

(StrOpt) The SQLAlchemy connection string to use to connect to the slave database.

sqlite_db = oslo.sqlite

(StrOpt) The file name to use with SQLite.

sqlite_synchronous = True

(BoolOpt) If True, SQLite uses synchronous mode.

use_db_reconnect = False

(BoolOpt) Enable the experimental use of database reconnect on connection lost.

Table 6.11. Description of logging configuration options


Configuration option = Default value

Description

[DEFAULT]


backdoor_port = None

(StrOpt) Enable eventlet backdoor. Acceptable values are 0, <port>, and <start>:<end>, where 0 results in listening on a random tcp port number; <port> results in listening on the specified port number (and not enabling backdoor if that port is in use); and <start>:<end> results in listening on the smallest unused port number within the specified range of port numbers. The chosen port is displayed in the service's log file.

pydev_debug_host = None

(StrOpt) Host to connect to for remote debugger.

pydev_debug_port = None

(IntOpt) Port to connect to for remote debugger.

standard_threads = False

(BoolOpt) Do not monkey-patch threading system modules.

[audit]
namespace = openstack

(StrOpt) namespace prefix for generated id
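
Several options in the tables above default to values that need review before production use, for example admin_token = ADMIN, hash_algorithms = md5 and [ssl] key_size = 1024. The following check is an added example, not part of the OpenStack documentation or code: it parses an oslo-style INI file with Python's configparser and reports those options. The two sample files, the WEAK_HASHES set and the 2048-bit threshold are assumptions of the example.

```python
import configparser

# Defaults copied from the tables above ("" stands for None); used when unset.
PAGE_DEFAULTS = {
    ("DEFAULT", "admin_token"): "ADMIN",
    ("DEFAULT", "backdoor_port"): "",
    ("keystone_authtoken", "admin_token"): "",
    ("keystone_authtoken", "hash_algorithms"): "md5",
    ("keystone_authtoken", "insecure"): "False",
    ("keystone_authtoken", "memcached_servers"): "",
    ("keystone_authtoken", "memcache_security_strategy"): "",
    ("keystone_authtoken", "memcache_secret_key"): "",
    ("signing", "key_size"): "2048",
    ("ssl", "enable"): "False",
    ("ssl", "key_size"): "1024",
}
WEAK_HASHES = {"md5", "sha1"}  # threshold chosen for this example
MIN_KEY_BITS = 2048            # threshold chosen for this example

# Constructed sample: mostly defaults plus a few risky overrides.
WEAK_CONF = """
[DEFAULT]
admin_token = ADMIN
backdoor_port = 4444
[keystone_authtoken]
identity_uri = https://localhost:35357/
insecure = True
memcached_servers = 127.0.0.1:11211
[ssl]
enable = True
"""

# Constructed sample: the same deployment with each finding addressed.
HARDENED_CONF = """
[DEFAULT]
admin_token = CONSTRUCTED-RANDOM-BOOTSTRAP-VALUE
[keystone_authtoken]
identity_uri = https://localhost:35357/
hash_algorithms = sha256, md5
memcached_servers = 127.0.0.1:11211
memcache_security_strategy = ENCRYPT
memcache_secret_key = CONSTRUCTED-PLACEHOLDER-KEY
[ssl]
enable = True
key_size = 2048
"""


def audit(conf_text):
    """Return a sorted list of 'section.option' names that need review."""
    # Rename the default section so [DEFAULT] is parsed as an ordinary
    # section. Otherwise configparser would expose [DEFAULT] admin_token as
    # [keystone_authtoken] admin_token, and both options exist on this page.
    cp = configparser.ConfigParser(interpolation=None,
                                   default_section="__unused__")
    cp.read_string(conf_text)

    def opt(section, name):
        default = PAGE_DEFAULTS[(section, name)]
        return cp.get(section, name, fallback=default).strip()

    flagged = set()
    if opt("DEFAULT", "admin_token") == "ADMIN":
        flagged.add("DEFAULT.admin_token")          # documented default secret
    if opt("DEFAULT", "backdoor_port"):
        flagged.add("DEFAULT.backdoor_port")        # eventlet backdoor enabled
    if opt("keystone_authtoken", "admin_token"):
        flagged.add("keystone_authtoken.admin_token")  # deprecated secret
    # The first algorithm is the one whose hash is stored in the cache.
    first = opt("keystone_authtoken", "hash_algorithms").split(",")[0]
    if first.strip().lower() in WEAK_HASHES:
        flagged.add("keystone_authtoken.hash_algorithms")
    if opt("keystone_authtoken", "insecure").lower() == "true":
        flagged.add("keystone_authtoken.insecure")
    strategy = opt("keystone_authtoken", "memcache_security_strategy").upper()
    if (opt("keystone_authtoken", "memcached_servers")
            and strategy not in ("MAC", "ENCRYPT")):
        flagged.add("keystone_authtoken.memcache_security_strategy")
    if strategy and not opt("keystone_authtoken", "memcache_secret_key"):
        flagged.add("keystone_authtoken.memcache_secret_key")
    # Key sizes apply to certificates generated by keystone-manage.
    if int(opt("signing", "key_size")) < MIN_KEY_BITS:
        flagged.add("signing.key_size")
    if (opt("ssl", "enable").lower() == "true"
            and int(opt("ssl", "key_size")) < MIN_KEY_BITS):
        flagged.add("ssl.key_size")
    return sorted(flagged)


if __name__ == "__main__":
    print("weak:", audit(WEAK_CONF))
    print("hardened:", audit(HARDENED_CONF))
```

The check only sees option values; whether AdminTokenAuthMiddleware is still present in keystone-paste.ini has to be verified separately.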

Table 6.12. Description of EC2 configuration options


Configuration option = Default value

Description

[ec2]
driver = keystone.contrib.ec2.backends.kvs.Ec2

(StrOpt) EC2Credential backend driver.

[keystone_ec2_token]
cafile = None

(StrOpt) A PEM encoded certificate authority to use when verifying HTTPS connections. Defaults to the system CAs.

certfile = None

(StrOpt) Client certificate key filename. Required if EC2 server requires client certificate.

insecure = False

(BoolOpt) Disable SSL certificate verification.

keyfile = None

(StrOpt) Required if EC2 server requires client certificate.

url = http://localhost:5000/v2.0/ec2tokens

(StrOpt) URL to get token from ec2 request.

Table 6.13. Description of federation configuration options


Configuration option = Default value

Description

[federation]
assertion_prefix =

(StrOpt) Value to be used when filtering assertion parameters from the environment.

driver = keystone.contrib.federation.backends.sql.Federation

(StrOpt) Federation backend driver.

Table 6.14. Description of identity configuration options


Configuration option = Default value

Description

[identity]
default_domain_id = default

(StrOpt) This references the domain to use for all Identity API v2 requests (which are not aware of domains). A domain with this ID will be created for you by keystone-manage db_sync in migration 008. The domain referenced by this ID cannot be deleted on the v3 API, to prevent accidentally breaking the v2 API. There is nothing special about this domain, other than the fact that it must exist in order to maintain support for your v2 clients.

domain_config_dir = /etc/keystone/domains

(StrOpt) Path for Keystone to locate the domain specific identity configuration files if
domain_specific_drivers_enabled is set to true.

domain_specific_drivers_enabled = False

(BoolOpt) A subset (or all) of domains can have their own identity driver, each with their own partial configuration file in a domain configuration directory. Only values specific to the domain need to be placed in the domain specific configuration file. This feature is disabled by default; set to true to enable.

driver = keystone.identity.backends.sql.Identity

(StrOpt) Identity backend driver.

list_limit = None

(IntOpt) Maximum number of entities that will be returned in an identity collection.

max_password_length = 4096

(IntOpt) Maximum supported length for user passwords; decrease to improve performance.

Table 6.15. Description of KVS configuration options


Configuration option = Default value

Description

[kvs]
backends =

(ListOpt) Extra dogpile.cache backend modules to register with the dogpile.cache library.

config_prefix = keystone.kvs

(StrOpt) Prefix for building the configuration dictionary for the KVS region. This should not need to be changed unless there is another dogpile.cache region with the same configuration name.

default_lock_timeout = 5

(IntOpt) Default lock timeout for distributed locking.

enable_key_mangler = True

(BoolOpt) Toggle to disable using a key-mangling function to ensure fixed length keys. This is toggle-able for debugging purposes, it is highly recommended to always leave this set to true.

Table 6.16. Description of LDAP configuration options


Configuration option = Default value

Description

[ldap]
alias_dereferencing = default

(StrOpt) The LDAP dereferencing option for queries. This can be either "never", "searching", "always", "finding" or "default". The "default" option falls back to using default dereferencing configured by your ldap.conf.

allow_subtree_delete = False

(BoolOpt) Delete subtrees using the subtree delete control. Only enable this option if your LDAP server supports
subtree deletion.

auth_pool_connection_lifetime = 60

(IntOpt) End user auth connection lifetime in seconds.

auth_pool_size = 100

(IntOpt) End user auth connection pool size.

chase_referrals = None

(BoolOpt) Override the system's default referral chasing behavior for queries.

debug_level = None

(IntOpt) Sets the LDAP debugging level for LDAP calls. A value of 0 means that debugging is not enabled. This value is a bitmask, consult your LDAP documentation for possible values.

dumb_member = cn=dumb,dc=nonexistent

(StrOpt) DN of the "dummy member" to use when "use_dumb_member" is enabled.

group_additional_attribute_mapping =

(ListOpt) Additional attribute mappings for groups. Attribute mapping format is <ldap_attr>:<user_attr>, where
ldap_attr is the attribute in the LDAP entry and user_attr is
the Identity API attribute.

group_allow_create = True

(BoolOpt) Allow group creation in LDAP backend.

group_allow_delete = True

(BoolOpt) Allow group deletion in LDAP backend.

group_allow_update = True

(BoolOpt) Allow group update in LDAP backend.

group_attribute_ignore =

(ListOpt) List of attributes stripped off the group on update.

group_desc_attribute = description

(StrOpt) LDAP attribute mapped to group description.

group_filter = None

(StrOpt) LDAP search filter for groups.

group_id_attribute = cn

(StrOpt) LDAP attribute mapped to group id.

group_member_attribute = member

(StrOpt) LDAP attribute mapped to show group membership.

group_name_attribute = ou

(StrOpt) LDAP attribute mapped to group name.

group_objectclass = groupOfNames

(StrOpt) LDAP objectclass for groups.

group_tree_dn = None

(StrOpt) Search base for groups.

page_size = 0

(IntOpt) Maximum results per page; a value of zero ("0")
disables paging.

password = None

(StrOpt) Password for the BindDN to query the LDAP server.

pool_connection_lifetime = 600

(IntOpt) Connection lifetime in seconds.

pool_connection_timeout = -1

(IntOpt) Connector timeout in seconds. Value -1 indicates
indefinite wait for response.

pool_retry_delay = 0.1

(FloatOpt) Time span in seconds to wait between two reconnect trials.

pool_retry_max = 3

(IntOpt) Maximum count of reconnect trials.

pool_size = 10

(IntOpt) Connection pool size.

project_additional_attribute_mapping =

(ListOpt) Additional attribute mappings for projects. Attribute mapping format is <ldap_attr>:<user_attr>, where
ldap_attr is the attribute in the LDAP entry and user_attr is
the Identity API attribute.

project_allow_create = True

(BoolOpt) Allow project creation in LDAP backend.

project_allow_delete = True

(BoolOpt) Allow project deletion in LDAP backend.

project_allow_update = True

(BoolOpt) Allow project update in LDAP backend.

project_attribute_ignore =

(ListOpt) List of attributes stripped off the project on update.

project_desc_attribute = description

(StrOpt) LDAP attribute mapped to project description.

project_domain_id_attribute = businessCategory

(StrOpt) LDAP attribute mapped to project domain_id.

project_enabled_attribute = enabled

(StrOpt) LDAP attribute mapped to project enabled.

project_enabled_emulation = False

(BoolOpt) If true, Keystone uses an alternative method to
determine if a project is enabled or not by checking if they
are a member of the "project_enabled_emulation_dn"
group.

project_enabled_emulation_dn = None

(StrOpt) DN of the group entry to hold enabled projects
when using enabled emulation.

project_filter = None

(StrOpt) LDAP search filter for projects.

project_id_attribute = cn

(StrOpt) LDAP attribute mapped to project id.

project_member_attribute = member

(StrOpt) LDAP attribute mapped to project membership
for user.

project_name_attribute = ou

(StrOpt) LDAP attribute mapped to project name.

project_objectclass = groupOfNames

(StrOpt) LDAP objectclass for projects.

project_tree_dn = None

(StrOpt) Search base for projects

query_scope = one

(StrOpt) The LDAP scope for queries, this can be either
"one" (onelevel/singleLevel) or "sub" (subtree/wholeSubtree).

role_additional_attribute_mapping =

(ListOpt) Additional attribute mappings for roles. Attribute mapping format is <ldap_attr>:<user_attr>, where
ldap_attr is the attribute in the LDAP entry and user_attr is
the Identity API attribute.

role_allow_create = True

(BoolOpt) Allow role creation in LDAP backend.

role_allow_delete = True

(BoolOpt) Allow role deletion in LDAP backend.

role_allow_update = True

(BoolOpt) Allow role update in LDAP backend.

role_attribute_ignore =

(ListOpt) List of attributes stripped off the role on update.

role_filter = None

(StrOpt) LDAP search filter for roles.

role_id_attribute = cn

(StrOpt) LDAP attribute mapped to role id.

role_member_attribute = roleOccupant

(StrOpt) LDAP attribute mapped to role membership.

role_name_attribute = ou

(StrOpt) LDAP attribute mapped to role name.

role_objectclass = organizationalRole

(StrOpt) LDAP objectclass for roles.

role_tree_dn = None

(StrOpt) Search base for roles.

suffix = cn=example,cn=com

(StrOpt) LDAP server suffix

tls_cacertdir = None

(StrOpt) CA certificate directory path for communicating
with LDAP servers.

tls_cacertfile = None

(StrOpt) CA certificate file path for communicating with
LDAP servers.

tls_req_cert = demand

(StrOpt) Valid options for tls_req_cert are demand, never,
and allow.

url = ldap://localhost

(StrOpt) URL for connecting to the LDAP server.

use_auth_pool = False

(BoolOpt) Enable LDAP connection pooling for end user
authentication. If use_pool is disabled, then this setting is
meaningless and is not used at all.

use_dumb_member = False

(BoolOpt) If true, will add a dummy member to groups.
This is required if the objectclass for groups requires the
"member" attribute.

use_pool = False

(BoolOpt) Enable LDAP connection pooling.

use_tls = False

(BoolOpt) Enable TLS for communicating with LDAP


servers.

user = None

(StrOpt) User BindDN to query the LDAP server.

user_additional_attribute_mapping =

(ListOpt) List of additional LDAP attributes used for
mapping additional attribute mappings for users. Attribute mapping format is <ldap_attr>:<user_attr>, where
ldap_attr is the attribute in the LDAP entry and user_attr is
the Identity API attribute.

user_allow_create = True

(BoolOpt) Allow user creation in LDAP backend.

user_allow_delete = True

(BoolOpt) Allow user deletion in LDAP backend.

user_allow_update = True

(BoolOpt) Allow user updates in LDAP backend.

user_attribute_ignore = default_project_id, tenants

(ListOpt) List of attributes stripped off the user on update.

user_default_project_id_attribute = None

(StrOpt) LDAP attribute mapped to default_project_id for
users.

user_enabled_attribute = enabled

(StrOpt) LDAP attribute mapped to user enabled flag.

user_enabled_default = True

(StrOpt) Default value to enable users. This should match
an appropriate int value if the LDAP server uses non-boolean (bitmask) values to indicate if a user is enabled
or disabled. If this is not set to "True" the typical value is
"512". This is typically used when "user_enabled_attribute
= userAccountControl".

user_enabled_emulation = False

(BoolOpt) If true, Keystone uses an alternative method to
determine if a user is enabled or not by checking if they
are a member of the "user_enabled_emulation_dn" group.

user_enabled_emulation_dn = None

(StrOpt) DN of the group entry to hold enabled users
when using enabled emulation.

user_enabled_invert = False

(BoolOpt) Invert the meaning of the boolean enabled
values. Some LDAP servers use a boolean lock attribute
where "true" means an account is disabled. Setting
"user_enabled_invert = true" will allow these lock attributes to be used. This setting will have no effect if
"user_enabled_mask" or "user_enabled_emulation" settings are in use.

user_enabled_mask = 0

(IntOpt) Bitmask integer to indicate the bit that the enabled value is stored in if the LDAP server represents "enabled" as a bit on an integer rather than a boolean. A value of "0" indicates the mask is not used. If this is not set
to "0" the typical value is "2". This is typically used when
"user_enabled_attribute = userAccountControl".

user_filter = None

(StrOpt) LDAP search filter for users.

user_id_attribute = cn

(StrOpt) LDAP attribute mapped to user id. WARNING:
must not be a multivalued attribute.

user_mail_attribute = mail

(StrOpt) LDAP attribute mapped to user email.

user_name_attribute = sn

(StrOpt) LDAP attribute mapped to user name.

user_objectclass = inetOrgPerson

(StrOpt) LDAP objectclass for users.

user_pass_attribute = userPassword

(StrOpt) LDAP attribute mapped to password.

user_tree_dn = None

(StrOpt) Search base for users.

Table 6.17. Description of logging configuration options


Configuration option = Default value

Description

[DEFAULT]
debug = False

(BoolOpt) Print debugging output (set logging level to DEBUG instead of default WARNING level).

default_log_levels = amqp=WARN, amqplib=WARN,
boto=WARN, qpid=WARN, sqlalchemy=WARN,
suds=INFO, oslo.messaging=INFO, iso8601=WARN,
requests.packages.urllib3.connectionpool=WARN,
urllib3.connectionpool=WARN, websocket=WARN,
keystonemiddleware=WARN, routes.middleware=WARN,
stevedore=WARN

(ListOpt) List of logger=LEVEL pairs.

fatal_deprecations = False

(BoolOpt) Enables or disables fatal status of deprecations.

instance_format = "[instance: %(uuid)s] "

(StrOpt) The format for an instance that is passed with the
log message.

instance_uuid_format = "[instance: %(uuid)s] "

(StrOpt) The format for an instance UUID that is passed
with the log message.

log_config_append = None

(StrOpt) The name of a logging configuration file. This file
is appended to any existing logging configuration files. For
details about logging configuration files, see the Python
logging module documentation.

log_date_format = %Y-%m-%d %H:%M:%S

(StrOpt) Format string for %%(asctime)s in log records. Default: %(default)s .

log_dir = None

(StrOpt) (Optional) The base directory used for relative --log-file paths.

log_file = None

(StrOpt) (Optional) Name of log file to output to. If no default is set, logging will go to stdout.

log_format = None

(StrOpt) DEPRECATED. A logging.Formatter log message format string which may use any of the available
logging.LogRecord attributes. This option is deprecated. Please use logging_context_format_string and
logging_default_format_string instead.

logging_context_format_string = %(asctime)s.
%(msecs)03d %(process)d %(levelname)s %(name)s
[%(request_id)s %(user_identity)s] %(instance)s
%(message)s

(StrOpt) Format string to use for log messages with context.

logging_debug_format_suffix = %(funcName)s
%(pathname)s:%(lineno)d

(StrOpt) Data to append to log format when level is DEBUG.

logging_default_format_string = %(asctime)s.%(msecs)03d
%(process)d %(levelname)s %(name)s [-] %(instance)s
%(message)s

(StrOpt) Format string to use for log messages without context.

logging_exception_prefix = %(asctime)s.%(msecs)03d
%(process)d TRACE %(name)s %(instance)s

(StrOpt) Prefix each line of exception output with this format.

publish_errors = False

(BoolOpt) Enables or disables publication of error events.

syslog_log_facility = LOG_USER

(StrOpt) Syslog facility to receive log lines.

use_stderr = True

(BoolOpt) Log output to standard error.

use_syslog = False

(BoolOpt) Use syslog for logging. Existing syslog format
is DEPRECATED during I, and will change in J to honor
RFC5424.

use_syslog_rfc_format = False

(BoolOpt) (Optional) Enables or disables syslog rfc5424
format for logging. If enabled, prefixes the MSG part of
the syslog message with APP-NAME (RFC5424). The format without the APP-NAME is deprecated in I, and will be
removed in J.

verbose = False

(BoolOpt) Print more verbose output (set logging level to
INFO instead of default WARNING level).

Table 6.18. Description of mapping configuration options


Configuration option = Default value

Description

[identity_mapping]
backward_compatible_ids = True

(BoolOpt) The format of user and group IDs changed
in Juno for backends that do not generate UUIDs (e.g.
LDAP), with keystone providing a hash mapping to the
underlying attribute in LDAP. By default this mapping is
disabled, which ensures that existing IDs will not change.
Even when the mapping is enabled by using domain specific drivers, any users and groups from the default domain
being handled by LDAP will still not be mapped to ensure
their IDs remain backward compatible. Setting this value to False will enable the mapping for even the default
LDAP driver. It is only safe to do this if you do not already
have assignments for users and groups from the default
LDAP domain, and it is acceptable for Keystone to provide
the different IDs to clients than it did previously. Typically this means that the only time you can set this value to
False is when configuring a fresh installation.

driver = keystone.identity.mapping_backends.sql.Mapping

(StrOpt) Keystone Identity Mapping backend driver.

generator = keystone.identity.id_generators.sha256.Generator

(StrOpt) Public ID generator for user and group entities.
The Keystone identity mapper only supports generators
that produce no more than 64 characters.

Table 6.19. Description of memcache configuration options


Configuration option = Default value

Description

[memcache]
servers = localhost:11211

(ListOpt) Memcache servers in the format of "host:port".

socket_timeout = 3

(IntOpt) Timeout in seconds for every call to a server. This
is used by the key value store system (e.g. token pooled
memcached persistence backend).

Table 6.20. Description of OAuth configuration options


Configuration option = Default value

Description

[oauth1]
access_token_duration = 86400

(IntOpt) Duration (in seconds) for the OAuth Access Token.

driver = keystone.contrib.oauth1.backends.sql.OAuth1

(StrOpt) Credential backend driver.

request_token_duration = 28800

(IntOpt) Duration (in seconds) for the OAuth Request Token.

Table 6.21. Description of os_inherit configuration options


Configuration option = Default value

Description

[os_inherit]
enabled = False

(BoolOpt) Role-assignment inheritance to projects from
owning domain can be optionally enabled.

Table 6.22. Description of policy configuration options


Configuration option = Default value

Description

[DEFAULT]
policy_default_rule = default

(StrOpt) Default rule. Enforced when a requested rule is
not found.

policy_file = policy.json

(StrOpt) The JSON file that defines policies.

[policy]
driver = keystone.policy.backends.sql.Policy

(StrOpt) Policy backend driver.

list_limit = None

(IntOpt) Maximum number of entities that will be returned in a policy collection.

Table 6.23. Description of revoke configuration options


Configuration option = Default value

Description

[revoke]
caching = True

(BoolOpt) Toggle for revocation event caching. This has no
effect unless global caching is enabled.

driver = keystone.contrib.revoke.backends.kvs.Revoke

(StrOpt) An implementation of the backend for persisting
revocation events.

expiration_buffer = 1800

(IntOpt) This value (calculated in seconds) is added to token expiration before a revocation event may be removed
from the backend.

Table 6.24. Description of SAML configuration options


Configuration option = Default value

Description

[saml]

assertion_expiration_time = 3600

(IntOpt) Default TTL, in seconds, for any generated SAML
assertion created by Keystone.

certfile = /etc/keystone/ssl/certs/signing_cert.pem

(StrOpt) Path of the certfile for SAML signing. For non-production environments, you may be interested in using
`keystone-manage pki_setup` to generate self-signed certificates. Note, the path cannot contain a comma.

idp_contact_company = None

(StrOpt) Company of contact person.

idp_contact_email = None

(StrOpt) Email address of contact person.

idp_contact_name = None

(StrOpt) Given name of contact person

idp_contact_surname = None

(StrOpt) Surname of contact person.

idp_contact_telephone = None

(StrOpt) Telephone number of contact person.

idp_contact_type = other

(StrOpt) Contact type. Allowed values are: technical, support, administrative, billing, and other.

idp_entity_id = None

(StrOpt) Entity ID value for unique Identity Provider identification. Usually FQDN is set with a suffix. A value is required to generate IDP Metadata. For example: https://keystone.example.com/v3/OS-FEDERATION/saml2/idp

idp_lang = en

(StrOpt) Language used by the organization.

idp_metadata_path = /etc/keystone/saml2_idp_metadata.xml

(StrOpt) Path to the Identity Provider Metadata file.
This file should be generated with the keystone-manage
saml_idp_metadata command.

idp_organization_display_name = None

(StrOpt) Organization name to be displayed.

idp_organization_name = None

(StrOpt) Organization name the installation belongs to.

idp_organization_url = None

(StrOpt) URL of the organization.

idp_sso_endpoint = None

(StrOpt) Identity Provider Single-Sign-On service value, required in the Identity Provider's metadata. A value is required to generate IDP Metadata. For example: https://keystone.example.com/v3/OS-FEDERATION/saml2/sso

keyfile = /etc/keystone/ssl/private/signing_key.pem

(StrOpt) Path of the keyfile for SAML signing. Note, the
path cannot contain a comma.

xmlsec1_binary = xmlsec1

(StrOpt) Binary to be called for XML signing. Install the appropriate package, specify absolute path or adjust your
PATH environment variable if the binary cannot be found.

Table 6.25. Description of security configuration options


Configuration option = Default value

Description

[DEFAULT]
crypt_strength = 40000

(IntOpt) The value passed as the keyword "rounds" to
passlib's encrypt method.

Table 6.26. Description of stats configuration options


Configuration option = Default value

Description

[stats]
driver = keystone.contrib.stats.backends.kvs.Stats

(StrOpt) Stats backend driver.

Table 6.27. Description of testing configuration options


Configuration option = Default value

Description

[DEFAULT]
fake_rabbit = False

(BoolOpt) If passed, use a fake RabbitMQ provider.

Table 6.28. Description of token configuration options


Configuration option = Default value

Description

[token]
bind =

(ListOpt) External auth mechanisms that should add bind
information to token, e.g., kerberos,x509.

cache_time = None

(IntOpt) Time to cache tokens (in seconds). This has no effect unless global and token caching are enabled.

caching = True

(BoolOpt) Toggle for token system caching. This has no effect unless global caching is enabled.

driver = keystone.token.persistence.backends.sql.Token

(StrOpt) Token persistence backend driver.

enforce_token_bind = permissive

(StrOpt) Enforcement policy on tokens presented to Keystone with bind information. One of disabled, permissive,
strict, required or a specifically required bind mode, e.g.,
kerberos or x509 to require binding to that authentication.

expiration = 3600

(IntOpt) Amount of time a token should remain valid (in
seconds).

hash_algorithm = md5

(StrOpt) The hash algorithm to use for PKI tokens. This can
be set to any algorithm that hashlib supports. WARNING:
Before changing this value, the auth_token middleware
must be configured with the hash_algorithms, otherwise
token revocation will not be processed correctly.

provider = None

(StrOpt) Controls the token construction, validation, and revocation operations. Core providers are
"keystone.token.providers.[pkiz|pki|uuid].Provider". The
default provider is uuid.

revocation_cache_time = 3600

(IntOpt) Time to cache the revocation list and the revocation events if revoke extension is enabled (in seconds). This
has no effect unless global and token caching are enabled.

revoke_by_id = True

(BoolOpt) Revoke token by token identifier. Setting
revoke_by_id to true enables various forms of enumerating tokens, e.g. `list tokens for user`. These enumerations are processed to determine the list of tokens to revoke. Only disable if you are switching to using the Revoke
extension with a backend other than KVS, which stores
events in memory.

Table 6.29. Description of trust configuration options


Configuration option = Default value

Description

[trust]
driver = keystone.trust.backends.sql.Trust

(StrOpt) Trust backend driver.

enabled = True

(BoolOpt) Delegation and impersonation features can be
optionally disabled.

Table 6.30. Description of RPC configuration options


Configuration option = Default value

Description

[DEFAULT]
matchmaker_heartbeat_freq = 300

(IntOpt) Heartbeat frequency.

matchmaker_heartbeat_ttl = 600

(IntOpt) Heartbeat time-to-live.

rpc_backend = rabbit

(StrOpt) The messaging driver to use, defaults to rabbit.
Other drivers include qpid and zmq.

rpc_cast_timeout = 30

(IntOpt) Seconds to wait before a cast expires (TTL). Only
supported by impl_zmq.

rpc_conn_pool_size = 30

(IntOpt) Size of RPC connection pool.

rpc_response_timeout = 60

(IntOpt) Seconds to wait for a response from a call.

rpc_thread_pool_size = 64

(IntOpt) Size of RPC greenthread pool.

Table 6.31. Description of AMQP configuration options


Configuration option = Default value

Description

[DEFAULT]
amqp_auto_delete = False

(BoolOpt) Auto-delete queues in amqp.

amqp_durable_queues = False

(BoolOpt) Use durable queues in amqp.

control_exchange = keystone

(StrOpt) The default exchange under which topics are
scoped. May be overridden by an exchange name specified in the transport_url option.

default_publisher_id = None

(StrOpt) Default publisher_id for outgoing notifications

notification_driver = []

(MultiStrOpt) Driver or drivers to handle sending notifications.

notification_topics = notifications

(ListOpt) AMQP topic used for OpenStack notifications.

transport_url = None

(StrOpt) A URL representing the messaging driver to use
and its full configuration. If not set, we fall back to the
rpc_backend option and driver specific configuration.

Table 6.32. Description of Qpid configuration options


Configuration option = Default value

Description

[DEFAULT]
qpid_heartbeat = 60

(IntOpt) Seconds between connection keepalive heartbeats.

qpid_hostname = localhost

(StrOpt) Qpid broker hostname.

qpid_hosts = $qpid_hostname:$qpid_port

(ListOpt) Qpid HA cluster host:port pairs.

qpid_password =

(StrOpt) Password for Qpid connection.

qpid_port = 5672

(IntOpt) Qpid broker port.

qpid_protocol = tcp

(StrOpt) Transport to use, either 'tcp' or 'ssl'.

qpid_receiver_capacity = 1

(IntOpt) The number of prefetched messages held by receiver.

qpid_sasl_mechanisms =

(StrOpt) Space separated list of SASL mechanisms to use
for auth.

qpid_tcp_nodelay = True

(BoolOpt) Whether to disable the Nagle algorithm.

qpid_topology_version = 1

(IntOpt) The qpid topology version to use. Version 1 is
what was originally used by impl_qpid. Version 2 includes
some backwards-incompatible changes that allow broker federation to work. Users should update to version 2
when they are able to take everything down, as it requires
a clean break.

qpid_username =

(StrOpt) Username for Qpid connection.

Table 6.33. Description of RabbitMQ configuration options


Configuration option = Default value

Description

[DEFAULT]
kombu_reconnect_delay = 1.0

(FloatOpt) How long to wait before reconnecting in response to an AMQP consumer cancel notification.

kombu_ssl_ca_certs =

(StrOpt) SSL certification authority file (valid only if SSL enabled).

kombu_ssl_certfile =

(StrOpt) SSL cert file (valid only if SSL enabled).

kombu_ssl_keyfile =

(StrOpt) SSL key file (valid only if SSL enabled).

kombu_ssl_version =

(StrOpt) SSL version to use (valid only if SSL enabled). Valid
values are TLSv1, SSLv23 and SSLv3. SSLv2 may be available on some distributions.

rabbit_ha_queues = False

(BoolOpt) Use HA queues in RabbitMQ (x-ha-policy: all).
If you change this option, you must wipe the RabbitMQ
database.

rabbit_host = localhost

(StrOpt) The RabbitMQ broker address where a single
node is used.

rabbit_hosts = $rabbit_host:$rabbit_port

(ListOpt) RabbitMQ HA cluster host:port pairs.

rabbit_login_method = AMQPLAIN

(StrOpt) The RabbitMQ login method.

rabbit_max_retries = 0

(IntOpt) Maximum number of RabbitMQ connection retries. Default is 0 (infinite retry count).

rabbit_password = guest

(StrOpt) The RabbitMQ password.

rabbit_port = 5672

(IntOpt) The RabbitMQ broker port where a single node is
used.

rabbit_retry_backoff = 2

(IntOpt) How long to backoff for between retries when
connecting to RabbitMQ.

rabbit_retry_interval = 1

(IntOpt) How frequently to retry connecting with RabbitMQ.

rabbit_use_ssl = False

(BoolOpt) Connect over SSL for RabbitMQ.

rabbit_userid = guest

(StrOpt) The RabbitMQ userid.

rabbit_virtual_host = /

(StrOpt) The RabbitMQ virtual host.

Table 6.34. Description of ZeroMQ configuration options


Configuration option = Default value

Description

[DEFAULT]
rpc_zmq_bind_address = *

(StrOpt) ZeroMQ bind address. Should be a wildcard (*),
an ethernet interface, or IP. The "host" option should point
or resolve to this address.

rpc_zmq_contexts = 1

(IntOpt) Number of ZeroMQ contexts, defaults to 1.

rpc_zmq_host = localhost

(StrOpt) Name of this node. Must be a valid hostname,
FQDN, or IP address. Must match "host" option, if running
Nova.

rpc_zmq_ipc_dir = /var/run/openstack

(StrOpt) Directory for holding IPC sockets.

rpc_zmq_matchmaker = oslo.messaging._drivers.matchmaker.MatchMakerLocalhost

(StrOpt) MatchMaker driver.

rpc_zmq_port = 9501

(IntOpt) ZeroMQ receiver listening port.

rpc_zmq_topic_backlog = None

(IntOpt) Maximum number of ingress messages to locally
buffer per topic. Default is unlimited.

Table 6.35. Description of Redis configuration options


Configuration option = Default value

Description

[matchmaker_redis]
host = 127.0.0.1

(StrOpt) Host to locate redis.

password = None

(StrOpt) Password for Redis server (optional).

port = 6379

(IntOpt) Use this port to connect to redis host.

[matchmaker_ring]
ringfile = /etc/oslo/matchmaker_ring.json

(StrOpt) Matchmaker ring file (JSON).
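
An added example, not part of the OpenStack reference: a Python check that reads a keystone.conf, falls back to the documented defaults from the LDAP, token and RabbitMQ tables above when an option is unset, and reports settings that leave LDAP or AMQP traffic unencrypted or keep default credentials. The finding names, both sample files and the rule that LDAP checks run only when an [ldap] section is present are assumptions of this example.

```python
import configparser

# Defaults as documented in the tables above. A missing or commented-out
# option means the service runs with the documented default.
DOCUMENTED_DEFAULTS = {
    ("ldap", "url"): "ldap://localhost",
    ("ldap", "use_tls"): "False",
    ("ldap", "tls_req_cert"): "demand",
    ("token", "provider"): "",  # "None" in the table: the uuid provider is used
    ("token", "hash_algorithm"): "md5",
    ("DEFAULT", "rpc_backend"): "rabbit",
    ("DEFAULT", "rabbit_userid"): "guest",
    ("DEFAULT", "rabbit_password"): "guest",
    ("DEFAULT", "rabbit_use_ssl"): "False",
    ("DEFAULT", "kombu_ssl_version"): "",
}

# Constructed sample: several risky values come from untouched defaults.
SAMPLE_WEAK = """\
[DEFAULT]
#rabbit_password=guest
rabbit_use_ssl=false

[ldap]
url = ldap://ldap.example.org
user = cn=keystone,dc=example,dc=org
#use_tls=false
tls_req_cert = never

[token]
provider = keystone.token.providers.pki.Provider
#hash_algorithm=md5
"""

# Constructed sample: the same deployment with the options set explicitly.
SAMPLE_HARDENED = """\
[DEFAULT]
rabbit_userid = keystone
rabbit_password = constructed-not-a-real-secret
rabbit_use_ssl = true
kombu_ssl_version = TLSv1

[ldap]
url = ldap://ldap.example.org
use_tls = true
tls_req_cert = demand
tls_cacertfile = /etc/ssl/certs/example-ca.pem

[token]
provider = keystone.token.providers.pki.Provider
hash_algorithm = sha256
"""


def load(conf_text):
    # default_section is renamed so [DEFAULT] is an ordinary section whose
    # keys do not leak into [ldap] or [token]; interpolation is off so
    # values containing %(...)s are read literally.
    parser = configparser.ConfigParser(
        default_section="__unused__", interpolation=None, strict=False)
    parser.read_string(conf_text)
    return parser


def effective(parser, section, option):
    """Value set in the file, otherwise the documented default."""
    if parser.has_option(section, option):
        return parser.get(section, option).strip()
    return DOCUMENTED_DEFAULTS[(section, option)]


def as_bool(value):
    return value.strip().lower() in ("true", "1", "yes", "on")


def audit(conf_text):
    """Return (finding_id, message) pairs for the effective settings."""
    p = load(conf_text)
    findings = []
    # Assumption of this example: LDAP is in use only if [ldap] is present.
    if p.has_section("ldap"):
        url = effective(p, "ldap", "url").lower()
        tls = url.startswith("ldaps://") or as_bool(effective(p, "ldap", "use_tls"))
        if not tls:
            findings.append(("ldap-cleartext",
                             "LDAP binds, including passwords, are sent without TLS"))
        elif effective(p, "ldap", "tls_req_cert").lower() != "demand":
            findings.append(("ldap-cert-not-enforced",
                             "tls_req_cert is not demand; server certificate is not strictly verified"))
    # hash_algorithm only applies to PKI tokens (pki and pkiz providers).
    if ".pki" in effective(p, "token", "provider").lower():
        if effective(p, "token", "hash_algorithm").lower() == "md5":
            findings.append(("token-md5",
                             "PKI token hashes use md5; set hash_algorithms in auth_token before changing"))
    if effective(p, "DEFAULT", "rpc_backend").lower() == "rabbit":
        creds = (effective(p, "DEFAULT", "rabbit_userid"),
                 effective(p, "DEFAULT", "rabbit_password"))
        if creds == ("guest", "guest"):
            findings.append(("rabbit-default-credentials",
                             "RabbitMQ login still uses the documented guest/guest default"))
        if not as_bool(effective(p, "DEFAULT", "rabbit_use_ssl")):
            findings.append(("rabbit-cleartext", "AMQP traffic is not protected by SSL/TLS"))
        elif effective(p, "DEFAULT", "kombu_ssl_version").lower() in ("sslv2", "sslv3"):
            findings.append(("rabbit-legacy-ssl", "kombu_ssl_version selects an obsolete SSL protocol"))
    return findings


if __name__ == "__main__":
    for name, text in (("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED)):
        print(name)
        for finding_id, message in audit(text):
            print("  %-28s %s" % (finding_id, message))
```

The check treats a commented-out line exactly like a missing one, which is why the weak sample is reported for md5 and guest/guest even though it never sets them.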

Identity service sample configuration files


You can find the files described in this section in the /etc/keystone directory.

keystone.conf
Use the keystone.conf file to configure most Identity service options:
[DEFAULT]
#
# Options defined in keystone
#
# A "shared secret" that can be used to bootstrap Keystone.
# This "token" does not represent a user, and carries no
# explicit authorization. To disable in production (highly
# recommended), remove AdminTokenAuthMiddleware from your
# paste application pipelines (for example, in keystone-
# paste.ini). (string value)
#admin_token=ADMIN
# The IP address of the network interface for the public
# service to listen on. (string value)
# Deprecated group/name - [DEFAULT]/bind_host
#public_bind_host=0.0.0.0
# The IP address of the network interface for the admin
# service to listen on. (string value)
# Deprecated group/name - [DEFAULT]/bind_host
#admin_bind_host=0.0.0.0
# The port which the OpenStack Compute service listens on.
# (integer value)
#compute_port=8774
# The port number which the admin service listens on. (integer
# value)
#admin_port=35357
# The port number which the public service listens on.
# (integer value)
#public_port=5000
# The base public endpoint URL for keystone that are
# advertised to clients (NOTE: this does NOT affect how
# keystone listens for connections) (string value).
# Defaults to the base host URL of the request. Eg a
# request to http://server:5000/v2.0/users will
# default to http://server:5000. You should only need
# to set this value if the base URL contains a path
# (eg /prefix/v2.0) or the endpoint should be found on
# a different server.
#public_endpoint=http://localhost:%(public_port)s/
# The base admin endpoint URL for keystone that are advertised
# to clients (NOTE: this does NOT affect how keystone listens
# for connections) (string value).
# Defaults to the base host URL of the request. Eg a
# request to http://server:35357/v2.0/users will
# default to http://server:35357. You should only need
# to set this value if the base URL contains a path
# (eg /prefix/v2.0) or the endpoint should be found on
# a different server.
#admin_endpoint=http://localhost:%(admin_port)s/
# onready allows you to send a notification when the process
# is ready to serve. For example, to have it notify using
# systemd, one could set shell command: "onready = systemd-
# notify --ready" or a module with notify() method: "onready =
# keystone.common.systemd". (string value)
#onready=<None>
# enforced by optional sizelimit middleware
# (keystone.middleware:RequestBodySizeLimiter). (integer
# value)
#max_request_body_size=114688
# limit the sizes of user & tenant ID/names. (integer value)
#max_param_size=64
# similar to max_param_size, but provides an exception for
# token values. (integer value)
#max_token_size=8192
# During a SQL upgrade member_role_id will be used to create a
# new role that will replace records in the
# user_tenant_membership table with explicit role grants.
# After migration, the member_role_id will be used in the API
# add_user_to_project. (string value)
#member_role_id=9fe2ff9ee4384b1894a90878d3e92bab
# During a SQL upgrade member_role_id will be used to create a
# new role that will replace records in the
# user_tenant_membership table with explicit role grants.
# After migration, member_role_name will be ignored. (string
# value)
#member_role_name=_member_
# The value passed as the keyword "rounds" to passlib encrypt
# method. (integer value)
#crypt_strength=40000
# Set this to True if you want to enable TCP_KEEPALIVE on
# server sockets i.e. sockets used by the keystone wsgi server
# for client connections. (boolean value)
#tcp_keepalive=false
# Sets the value of TCP_KEEPIDLE in seconds for each server
# socket. Only applies if tcp_keepalive is True. Not supported
# on OS X. (integer value)
#tcp_keepidle=600

# The maximum number of entities that will be returned in a
# collection can be set with list_limit, with no limit set by
# default. This global limit may be then overridden for a
# specific driver, by specifying a list_limit in the
# appropriate section (e.g. [assignment]). (integer value)
#list_limit=<None>
# Set this to false if you want to enable the ability for
# user, group and project entities to be moved between domains
# by updating their domain_id. Allowing such movement is not
# recommended if the scope of a domain admin is being
# restricted by use of an appropriate policy file (see
# policy.v3cloudsample as an example). (boolean value)
#domain_id_immutable=true

#
# Options defined in oslo.messaging
#
# Use durable queues in amqp. (boolean value)
# Deprecated group/name - [DEFAULT]/rabbit_durable_queues
#amqp_durable_queues=false
# Auto-delete queues in amqp. (boolean value)
#amqp_auto_delete=false
# Size of RPC connection pool. (integer value)
#rpc_conn_pool_size=30
# Modules of exceptions that are permitted to be recreated
# upon receiving exception data from an rpc call. (list value)
#allowed_rpc_exception_modules=oslo.messaging.exceptions,nova.exception,cinder.exception,exceptions
# Qpid broker hostname. (string value)
#qpid_hostname=localhost
# Qpid broker port. (integer value)
#qpid_port=5672
# Qpid HA cluster host:port pairs. (list value)
#qpid_hosts=$qpid_hostname:$qpid_port
# Username for Qpid connection. (string value)
#qpid_username=
# Password for Qpid connection. (string value)
#qpid_password=
# Space separated list of SASL mechanisms to use for auth.
# (string value)
#qpid_sasl_mechanisms=
# Seconds between connection keepalive heartbeats. (integer
# value)
#qpid_heartbeat=60
# Transport to use, either 'tcp' or 'ssl'. (string value)
#qpid_protocol=tcp
# Whether to disable the Nagle algorithm. (boolean value)
#qpid_tcp_nodelay=true
# The qpid topology version to use. Version 1 is what was
# originally used by impl_qpid. Version 2 includes some
# backwards-incompatible changes that allow broker federation
# to work. Users should update to version 2 when they are
# able to take everything down, as it requires a clean break.
# (integer value)
#qpid_topology_version=1
# SSL version to use (valid only if SSL enabled). valid values
# are TLSv1, SSLv23 and SSLv3. SSLv2 may be available on some
# distributions. (string value)
#kombu_ssl_version=
# SSL key file (valid only if SSL enabled). (string value)
#kombu_ssl_keyfile=
# SSL cert file (valid only if SSL enabled). (string value)
#kombu_ssl_certfile=
# SSL certification authority file (valid only if SSL
# enabled). (string value)
#kombu_ssl_ca_certs=
# How long to wait before reconnecting in response to an AMQP
# consumer cancel notification. (floating point value)
#kombu_reconnect_delay=1.0
# The RabbitMQ broker address where a single node is used.
# (string value)
#rabbit_host=localhost
# The RabbitMQ broker port where a single node is used.
# (integer value)
#rabbit_port=5672
# RabbitMQ HA cluster host:port pairs. (list value)
#rabbit_hosts=$rabbit_host:$rabbit_port
# Connect over SSL for RabbitMQ. (boolean value)
#rabbit_use_ssl=false
# The RabbitMQ userid. (string value)
#rabbit_userid=guest
# The RabbitMQ password. (string value)
#rabbit_password=guest
# the RabbitMQ login method (string value)
#rabbit_login_method=AMQPLAIN
# The RabbitMQ virtual host. (string value)
#rabbit_virtual_host=/
# How frequently to retry connecting with RabbitMQ. (integer
# value)
#rabbit_retry_interval=1
# How long to backoff for between retries when connecting to
# RabbitMQ. (integer value)
#rabbit_retry_backoff=2
# Maximum number of RabbitMQ connection retries. Default is 0
# (infinite retry count). (integer value)
#rabbit_max_retries=0
# Use HA queues in RabbitMQ (x-ha-policy: all). If you change
# this option, you must wipe the RabbitMQ database. (boolean
# value)
#rabbit_ha_queues=false
# If passed, use a fake RabbitMQ provider. (boolean value)
#fake_rabbit=false
# ZeroMQ bind address. Should be a wildcard (*), an ethernet
# interface, or IP. The "host" option should point or resolve
# to this address. (string value)
#rpc_zmq_bind_address=*
# MatchMaker driver. (string value)
#rpc_zmq_matchmaker=oslo.messaging._drivers.matchmaker.MatchMakerLocalhost
# ZeroMQ receiver listening port. (integer value)
#rpc_zmq_port=9501
# Number of ZeroMQ contexts, defaults to 1. (integer value)
#rpc_zmq_contexts=1
# Maximum number of ingress messages to locally buffer per
# topic. Default is unlimited. (integer value)
#rpc_zmq_topic_backlog=<None>
# Directory for holding IPC sockets. (string value)
#rpc_zmq_ipc_dir=/var/run/openstack
# Name of this node. Must be a valid hostname, FQDN, or IP
# address. Must match "host" option, if running Nova. (string
# value)
#rpc_zmq_host=keystone
# Seconds to wait before a cast expires (TTL). Only supported
# by impl_zmq. (integer value)
#rpc_cast_timeout=30
# Heartbeat frequency. (integer value)
#matchmaker_heartbeat_freq=300
# Heartbeat time-to-live. (integer value)
#matchmaker_heartbeat_ttl=600
# Host to locate redis. (string value)
#host=127.0.0.1
# Use this port to connect to redis host. (integer value)
#port=6379
# Password for Redis server (optional). (string value)
#password=<None>
# Size of RPC greenthread pool. (integer value)
#rpc_thread_pool_size=64
# Driver or drivers to handle sending notifications. (multi
# valued)
#notification_driver=
# AMQP topic used for OpenStack notifications. (list value)
# Deprecated group/name - [rpc_notifier2]/topics
#notification_topics=notifications
# Seconds to wait for a response from a call. (integer value)
#rpc_response_timeout=60
# A URL representing the messaging driver to use and its full
# configuration. If not set, we fall back to the rpc_backend
# option and driver specific configuration. (string value)
#transport_url=<None>
# The messaging driver to use, defaults to rabbit. Other
# drivers include qpid and zmq. (string value)
#rpc_backend=rabbit
# The default exchange under which topics are scoped. May be
# overridden by an exchange name specified in the
# transport_url option. (string value)
#control_exchange=openstack

#
# Options defined in keystone.notifications
#
# Default publisher_id for outgoing notifications (string
# value)
#default_publisher_id=<None>

#
# Options defined in keystone.middleware.ec2_token
#
# URL to get token from ec2 request. (string value)
#keystone_ec2_url=http://localhost:5000/v2.0/ec2tokens
# Required if EC2 server requires client certificate. (string
# value)
#keystone_ec2_keyfile=<None>
# Client certificate key filename. Required if EC2 server
# requires client certificate. (string value)
#keystone_ec2_certfile=<None>
# A PEM encoded certificate authority to use when verifying
# HTTPS connections. Defaults to the system CAs. (string
# value)
#keystone_ec2_cafile=<None>
# Disable SSL certificate verification. (boolean value)
#keystone_ec2_insecure=false

#
# Options defined in keystone.openstack.common.eventlet_backdoor
#
# Enable eventlet backdoor. Acceptable values are 0, <port>,
# and <start>:<end>, where 0 results in listening on a random
# tcp port number; <port> results in listening on the
# specified port number (and not enabling backdoor if that
# port is in use); and <start>:<end> results in listening on
# the smallest unused port number within the specified range
# of port numbers. The chosen port is displayed in the
# service's log file. (string value)
#backdoor_port=<None>

#
# Options defined in keystone.openstack.common.lockutils
#
# Whether to disable inter-process locks (boolean value)
#disable_process_locking=false
# Directory to use for lock files. (string value)
#lock_path=<None>

#
# Options defined in keystone.openstack.common.log
#
# Print debugging output (set logging level to DEBUG instead
# of default WARNING level). (boolean value)
#debug=false
# Print more verbose output (set logging level to INFO instead
# of default WARNING level). (boolean value)
#verbose=false
# Log output to standard error (boolean value)
#use_stderr=true
# Format string to use for log messages with context (string
# value)
#logging_context_format_string=%(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [%(request_id)s %(user_identity)s] %(instance)s%(message)s
# Format string to use for log messages without context
# (string value)
#logging_default_format_string=%(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [-] %(instance)s%(message)s
# Data to append to log format when level is DEBUG (string
# value)
#logging_debug_format_suffix=%(funcName)s %(pathname)s:%(lineno)d
# Prefix each line of exception output with this format
# (string value)
#logging_exception_prefix=%(asctime)s.%(msecs)03d %(process)d TRACE %(name)s %(instance)s
# List of logger=LEVEL pairs (list value)
#default_log_levels=amqp=WARN,amqplib=WARN,boto=WARN,qpid=WARN,sqlalchemy=WARN,suds=INFO,iso8601=WARN,requests.packages.urllib3.connectionpool=WARN
# Publish error events (boolean value)
#publish_errors=false
# Make deprecations fatal (boolean value)
#fatal_deprecations=false
# If an instance is passed with the log message, format it
# like this (string value)
#instance_format="[instance: %(uuid)s] "
# If an instance UUID is passed with the log message, format
# it like this (string value)
#instance_uuid_format="[instance: %(uuid)s] "
# The name of logging configuration file. It does not disable
# existing loggers, but just appends specified logging
# configuration to any other existing logging options. Please
# see the Python logging module documentation for details on
# logging configuration files. (string value)
# Deprecated group/name - [DEFAULT]/log_config
#log_config_append=<None>
# DEPRECATED. A logging.Formatter log message format string
# which may use any of the available logging.LogRecord
# attributes. This option is deprecated. Please use
# logging_context_format_string and
# logging_default_format_string instead. (string value)
#log_format=<None>
# Format string for %%(asctime)s in log records. Default:
# %(default)s (string value)
#log_date_format=%Y-%m-%d %H:%M:%S
# (Optional) Name of log file to output to. If no default is
# set, logging will go to stdout. (string value)
# Deprecated group/name - [DEFAULT]/logfile
#log_file=<None>
# (Optional) The base directory used for relative --log-file
# paths (string value)
# Deprecated group/name - [DEFAULT]/logdir
#log_dir=<None>
# Use syslog for logging. Existing syslog format is DEPRECATED
# during I, and then will be changed in J to honor RFC5424
# (boolean value)
#use_syslog=false
# (Optional) Use syslog rfc5424 format for logging. If
# enabled, will add APP-NAME (RFC5424) before the MSG part of
# the syslog message. The old format without APP-NAME is
# deprecated in I, and will be removed in J. (boolean value)
#use_syslog_rfc_format=false
# Syslog facility to receive log lines (string value)
#syslog_log_facility=LOG_USER

#
# Options defined in keystone.openstack.common.policy
#
# JSON file containing policy (string value)
#policy_file=policy.json
# Rule enforced when requested rule is not found (string
# value)
#policy_default_rule=default

[assignment]
#
# Options defined in keystone
#
# Keystone Assignment backend driver. (string value)
#driver=<None>
# Toggle for assignment caching. This has no effect unless
# global caching is enabled. (boolean value)
#caching=true
# TTL (in seconds) to cache assignment data. This has no
# effect unless global caching is enabled. (integer value)
#cache_time=<None>
# Maximum number of entities that will be returned in an
# assignment collection. (integer value)
#list_limit=<None>

[auth]
#
# Options defined in keystone
#
# Default auth methods. (list value)
#methods=external,password,token
# The password auth plugin module. (string value)
#password=keystone.auth.plugins.password.Password
# The token auth plugin module. (string value)
#token=keystone.auth.plugins.token.Token
# The external (REMOTE_USER) auth plugin module. (string
# value)
#external=keystone.auth.plugins.external.DefaultDomain

[cache]
#
# Options defined in keystone
#
# Prefix for building the configuration dictionary for the
# cache region. This should not need to be changed unless
# there is another dogpile.cache region with the same
# configuration name. (string value)
#config_prefix=cache.keystone
# Default TTL, in seconds, for any cached item in the
# dogpile.cache region. This applies to any cached method that
# doesn't have an explicit cache expiration time defined for
# it. (integer value)
#expiration_time=600
# Dogpile.cache backend module. It is recommended that
# Memcache (dogpile.cache.memcached) or Redis
# (dogpile.cache.redis) be used in production deployments.
# Small workloads (single process) like devstack can use the
# dogpile.cache.memory backend. (string value)
#backend=keystone.common.cache.noop
# Use a key-mangling function (sha1) to ensure fixed length
# cache-keys. This is toggle-able for debugging purposes, it
# is highly recommended to always leave this set to True.
# (boolean value)
#use_key_mangler=true
# Arguments supplied to the backend module. Specify this
# option once per argument to be passed to the dogpile.cache
# backend. Example format: "<argname>:<value>". (multi valued)
#backend_argument=
# Proxy Classes to import that will affect the way the
# dogpile.cache backend functions. See the dogpile.cache
# documentation on changing-backend-behavior. Comma delimited
# list e.g. my.dogpile.proxy.Class, my.dogpile.proxyClass2.
# (list value)
#proxies=
# Global toggle for all caching using the should_cache_fn
# mechanism. (boolean value)
#enabled=false
# Extra debugging from the cache backend (cache keys,
# get/set/delete/etc calls) This is only really useful if you
# need to see the specific cache-backend get/set/delete calls
# with the keys/values. Typically this should be left set to
# False. (boolean value)
#debug_cache_backend=false

[catalog]
#
# Options defined in keystone
#
# Catalog template file name for use with the template catalog
# backend. (string value)
#template_file=default_catalog.templates
# Keystone catalog backend driver. (string value)
#driver=keystone.catalog.backends.sql.Catalog
# Maximum number of entities that will be returned in a
# catalog collection. (integer value)
#list_limit=<None>

[credential]
#
# Options defined in keystone
#
# Keystone Credential backend driver. (string value)
#driver=keystone.credential.backends.sql.Credential

[database]
#
# Options defined in keystone.openstack.common.db.options
#
# The file name to use with SQLite (string value)
#sqlite_db=keystone.sqlite
# If True, SQLite uses synchronous mode (boolean value)
#sqlite_synchronous=true
# The backend to use for db (string value)
# Deprecated group/name - [DEFAULT]/db_backend
#backend=sqlalchemy
# The SQLAlchemy connection string used to connect to the
# database (string value)
# Deprecated group/name - [DEFAULT]/sql_connection
# Deprecated group/name - [DATABASE]/sql_connection
# Deprecated group/name - [sql]/connection
#connection=<None>
# The SQL mode to be used for MySQL sessions. This option,
# including the default, overrides any server-set SQL mode. To
# use whatever SQL mode is set by the server configuration,
# set this to no value. Example: mysql_sql_mode= (string
# value)
#mysql_sql_mode=TRADITIONAL
# Timeout before idle sql connections are reaped (integer
# value)
# Deprecated group/name - [DEFAULT]/sql_idle_timeout
# Deprecated group/name - [DATABASE]/sql_idle_timeout
# Deprecated group/name - [sql]/idle_timeout
#idle_timeout=3600
# Minimum number of SQL connections to keep open in a pool
# (integer value)
# Deprecated group/name - [DEFAULT]/sql_min_pool_size
# Deprecated group/name - [DATABASE]/sql_min_pool_size
#min_pool_size=1
# Maximum number of SQL connections to keep open in a pool
# (integer value)
# Deprecated group/name - [DEFAULT]/sql_max_pool_size
# Deprecated group/name - [DATABASE]/sql_max_pool_size
#max_pool_size=<None>
# Maximum db connection retries during startup. (setting -1
# implies an infinite retry count) (integer value)
# Deprecated group/name - [DEFAULT]/sql_max_retries
# Deprecated group/name - [DATABASE]/sql_max_retries
#max_retries=10
# Interval between retries of opening a sql connection
# (integer value)
# Deprecated group/name - [DEFAULT]/sql_retry_interval
# Deprecated group/name - [DATABASE]/reconnect_interval
#retry_interval=10
# If set, use this value for max_overflow with sqlalchemy
# (integer value)
# Deprecated group/name - [DEFAULT]/sql_max_overflow
# Deprecated group/name - [DATABASE]/sqlalchemy_max_overflow
#max_overflow=<None>
# Verbosity of SQL debugging information. 0=None,
# 100=Everything (integer value)
# Deprecated group/name - [DEFAULT]/sql_connection_debug
#connection_debug=0
# Add python stack traces to SQL as comment strings (boolean
# value)
# Deprecated group/name - [DEFAULT]/sql_connection_trace
#connection_trace=false
# If set, use this value for pool_timeout with sqlalchemy
# (integer value)
# Deprecated group/name - [DATABASE]/sqlalchemy_pool_timeout
#pool_timeout=<None>
# Enable the experimental use of database reconnect on
# connection lost (boolean value)
#use_db_reconnect=false
# seconds between db connection retries (integer value)
#db_retry_interval=1
# Whether to increase interval between db connection retries,
# up to db_max_retry_interval (boolean value)
#db_inc_retry_interval=true
# max seconds between db connection retries, if
# db_inc_retry_interval is enabled (integer value)
#db_max_retry_interval=10
# maximum db connection retries before error is raised.
# (setting -1 implies an infinite retry count) (integer value)
#db_max_retries=20

[ec2]
#
# Options defined in keystone
#
# Keystone EC2Credential backend driver. (string value)
#driver=keystone.contrib.ec2.backends.kvs.Ec2

[endpoint_filter]
#
# Options defined in keystone
#
# Keystone Endpoint Filter backend driver (string value)
#driver=keystone.contrib.endpoint_filter.backends.sql.EndpointFilter
# Toggle to return all active endpoints if no filter exists.
# (boolean value)
#return_all_endpoints_if_no_filter=true

[federation]
#
# Options defined in keystone
#
# Keystone Federation backend driver. (string value)
#driver=keystone.contrib.federation.backends.sql.Federation
# Value to be used when filtering assertion parameters from
# the environment. (string value)
#assertion_prefix=

[identity]
#
# Options defined in keystone
#
# This references the domain to use for all Identity API v2
# requests (which are not aware of domains). A domain with
# this ID will be created for you by keystone-manage db_sync
# in migration 008. The domain referenced by this ID cannot
# be deleted on the v3 API, to prevent accidentally breaking
# the v2 API. There is nothing special about this domain,
# other than the fact that it must exist in order to maintain
# support for your v2 clients. (string value)
#default_domain_id=default
# A subset (or all) of domains can have their own identity
# driver, each with their own partial configuration file in a
# domain configuration directory. Only values specific to the
# domain need to be placed in the domain specific
# configuration file. This feature is disabled by default; set
# to True to enable. (boolean value)
#domain_specific_drivers_enabled=false
# Path for Keystone to locate the domain specific identity
# configuration files if domain_specific_drivers_enabled is
# set to true. (string value)
#domain_config_dir=/etc/keystone/domains
# Keystone Identity backend driver. (string value)
#driver=keystone.identity.backends.sql.Identity
# Maximum supported length for user passwords; decrease to
# improve performance. (integer value)
#max_password_length=4096
# Maximum number of entities that will be returned in an
# identity collection. (integer value)
#list_limit=<None>

[kvs]
#
# Options defined in keystone
#
# Extra dogpile.cache backend modules to register with the
# dogpile.cache library. (list value)
#backends=
# Prefix for building the configuration dictionary for the KVS
# region. This should not need to be changed unless there is
# another dogpile.cache region with the same configuration
# name. (string value)
#config_prefix=keystone.kvs
# Toggle to disable using a key-mangling function to ensure
# fixed length keys. This is toggle-able for debugging
# purposes, it is highly recommended to always leave this set
# to True. (boolean value)
#enable_key_mangler=true
# Default lock timeout for distributed locking. (integer
# value)
#default_lock_timeout=5

[ldap]
#
# Options defined in keystone
#
# URL for connecting to the LDAP server. (string value)
#url=ldap://localhost
# User BindDN to query the LDAP server. (string value)
#user=<None>
# Password for the BindDN to query the LDAP server. (string
# value)
#password=<None>
# LDAP server suffix (string value)
#suffix=cn=example,cn=com
# If true, will add a dummy member to groups. This is required
# if the objectclass for groups requires the "member"
# attribute. (boolean value)
#use_dumb_member=false
# DN of the "dummy member" to use when "use_dumb_member" is
# enabled. (string value)
#dumb_member=cn=dumb,dc=nonexistent
# allow deleting subtrees. (boolean value)
#allow_subtree_delete=false
# The LDAP scope for queries, this can be either "one"
# (onelevel/singleLevel) or "sub" (subtree/wholeSubtree).
# (string value)
#query_scope=one
# Maximum results per page; a value of zero ("0") disables
# paging. (integer value)
#page_size=0
# The LDAP dereferencing option for queries. This can be
# either "never", "searching", "always", "finding" or
# "default". The "default" option falls back to using default
# dereferencing configured by your ldap.conf. (string value)
#alias_dereferencing=default
# Override the system's default referral chasing behavior for
# queries. (boolean value)
#chase_referrals=<None>
# Search base for users. (string value)
#user_tree_dn=<None>
# LDAP search filter for users. (string value)
#user_filter=<None>
# LDAP objectClass for users. (string value)
#user_objectclass=inetOrgPerson
# LDAP attribute mapped to user id. (string value)
#user_id_attribute=cn
# LDAP attribute mapped to user name. (string value)
#user_name_attribute=sn
# LDAP attribute mapped to user email. (string value)
#user_mail_attribute=email
# LDAP attribute mapped to password. (string value)
#user_pass_attribute=userPassword
# LDAP attribute mapped to user enabled flag. (string value)
#user_enabled_attribute=enabled
# Bitmask integer to indicate the bit that the enabled value
# is stored in if the LDAP server represents "enabled" as a
# bit on an integer rather than a boolean. A value of "0"
# indicates the mask is not used. If this is not set to "0"
# the typical value is "2". This is typically used when
# "user_enabled_attribute = userAccountControl". (integer
# value)
#user_enabled_mask=0
# Default value to enable users. This should match an
# appropriate int value if the LDAP server uses non-boolean
# (bitmask) values to indicate if a user is enabled or
# disabled. If this is not set to "True" the typical value is
# "512". This is typically used when "user_enabled_attribute =
# userAccountControl". (string value)
#user_enabled_default=True
# List of attributes stripped off the user on update. (list
# value)
#user_attribute_ignore=default_project_id,tenants
# LDAP attribute mapped to default_project_id for users.
# (string value)
#user_default_project_id_attribute=<None>
# Allow user creation in LDAP backend. (boolean value)
#user_allow_create=true
# Allow user updates in LDAP backend. (boolean value)
#user_allow_update=true
# Allow user deletion in LDAP backend. (boolean value)
#user_allow_delete=true
# If True, Keystone uses an alternative method to determine if
# a user is enabled or not by checking if they are a member of
# the "user_enabled_emulation_dn" group. (boolean value)
#user_enabled_emulation=false
# DN of the group entry to hold enabled users when using
# enabled emulation. (string value)
#user_enabled_emulation_dn=<None>
# List of additional LDAP attributes used for mapping
# Additional attribute mappings for users. Attribute mapping
# format is <ldap_attr>:<user_attr>, where ldap_attr is the
# attribute in the LDAP entry and user_attr is the Identity
# API attribute. (list value)
#user_additional_attribute_mapping=
# Search base for projects (string value)
#tenant_tree_dn=<None>
# LDAP search filter for projects. (string value)
#tenant_filter=<None>
# LDAP objectClass for projects. (string value)
#tenant_objectclass=groupOfNames
# LDAP attribute mapped to project id. (string value)
#tenant_id_attribute=cn
# LDAP attribute mapped to project membership for user.
# (string value)
#tenant_member_attribute=member
# LDAP attribute mapped to project name. (string value)
#tenant_name_attribute=ou
# LDAP attribute mapped to project description. (string value)
#tenant_desc_attribute=description
# LDAP attribute mapped to project enabled. (string value)
#tenant_enabled_attribute=enabled
# LDAP attribute mapped to project domain_id. (string value)
#tenant_domain_id_attribute=businessCategory
# List of attributes stripped off the project on update. (list
# value)
#tenant_attribute_ignore=
# Allow tenant creation in LDAP backend. (boolean value)
#tenant_allow_create=true
# Allow tenant update in LDAP backend. (boolean value)
#tenant_allow_update=true
# Allow tenant deletion in LDAP backend. (boolean value)
#tenant_allow_delete=true
# If True, Keystone uses an alternative method to determine if
# a project is enabled or not by checking if they are a member
# of the "tenant_enabled_emulation_dn" group. (boolean value)
#tenant_enabled_emulation=false
# DN of the group entry to hold enabled projects when using
# enabled emulation. (string value)
#tenant_enabled_emulation_dn=<None>
# Additional attribute mappings for projects. Attribute
# mapping format is <ldap_attr>:<user_attr>, where ldap_attr
# is the attribute in the LDAP entry and user_attr is the
# Identity API attribute. (list value)
#tenant_additional_attribute_mapping=
# Search base for roles. (string value)
#role_tree_dn=<None>
# LDAP search filter for roles. (string value)
#role_filter=<None>
# LDAP objectClass for roles. (string value)
#role_objectclass=organizationalRole
# LDAP attribute mapped to role id. (string value)
#role_id_attribute=cn
# LDAP attribute mapped to role name. (string value)
#role_name_attribute=ou
# LDAP attribute mapped to role membership. (string value)
#role_member_attribute=roleOccupant
# List of attributes stripped off the role on update. (list
# value)
#role_attribute_ignore=
# Allow role creation in LDAP backend. (boolean value)
#role_allow_create=true
# Allow role update in LDAP backend. (boolean value)
#role_allow_update=true
# Allow role deletion in LDAP backend. (boolean value)
#role_allow_delete=true
# Additional attribute mappings for roles. Attribute mapping
# format is <ldap_attr>:<user_attr>, where ldap_attr is the
# attribute in the LDAP entry and user_attr is the Identity
# API attribute. (list value)
#role_additional_attribute_mapping=
# Search base for groups. (string value)
#group_tree_dn=<None>
# LDAP search filter for groups. (string value)
#group_filter=<None>
# LDAP objectClass for groups. (string value)
#group_objectclass=groupOfNames
# LDAP attribute mapped to group id. (string value)
#group_id_attribute=cn
# LDAP attribute mapped to group name. (string value)
#group_name_attribute=ou
# LDAP attribute mapped to show group membership. (string
# value)
#group_member_attribute=member
# LDAP attribute mapped to group description. (string value)
#group_desc_attribute=description
# List of attributes stripped off the group on update. (list
# value)
#group_attribute_ignore=
# Allow group creation in LDAP backend. (boolean value)
#group_allow_create=true
# Allow group update in LDAP backend. (boolean value)
#group_allow_update=true
# Allow group deletion in LDAP backend. (boolean value)
#group_allow_delete=true
# Additional attribute mappings for groups. Attribute mapping
# format is <ldap_attr>:<user_attr>, where ldap_attr is the
# attribute in the LDAP entry and user_attr is the Identity
# API attribute. (list value)
#group_additional_attribute_mapping=
# CA certificate file path for communicating with LDAP
# servers. (string value)
#tls_cacertfile=<None>
# CA certificate directory path for communicating with LDAP
# servers. (string value)
#tls_cacertdir=<None>
# Enable TLS for communicating with LDAP servers. (boolean
# value)
#use_tls=false
# valid options for tls_req_cert are demand, never, and allow.
# (string value)
#tls_req_cert=demand

[matchmaker_ring]
#
# Options defined in oslo.messaging
#
# Matchmaker ring file (JSON). (string value)
# Deprecated group/name - [DEFAULT]/matchmaker_ringfile
#ringfile=/etc/oslo/matchmaker_ring.json

[memcache]
#
# Options defined in keystone
#
# Memcache servers in the format of "host:port" (list value)
#servers=localhost:11211
# Number of compare-and-set attempts to make when using
# compare-and-set in the token memcache back end. (integer
# value)
#max_compare_and_set_retry=16

[oauth1]
#
# Options defined in keystone
#
# Keystone Credential backend driver. (string value)
#driver=keystone.contrib.oauth1.backends.sql.OAuth1
# Duration (in seconds) for the OAuth Request Token. (integer
# value)
#request_token_duration=28800
# Duration (in seconds) for the OAuth Access Token. (integer
# value)
#access_token_duration=86400

[os_inherit]
#
# Options defined in keystone
#
# role-assignment inheritance to projects from owning domain
# can be optionally enabled. (boolean value)
#enabled=false

[paste_deploy]
#
# Options defined in keystone
#
# Name of the paste configuration file that defines the
# available pipelines. (string value)
#config_file=keystone-paste.ini

[policy]
#
# Options defined in keystone
#
# Keystone Policy backend driver. (string value)
#driver=keystone.policy.backends.sql.Policy
# Maximum number of entities that will be returned in a policy
# collection. (integer value)
#list_limit=<None>

[revoke]
#
# Options defined in keystone
#
# An implementation of the backend for persisting revocation
# events. (string value)
#driver=keystone.contrib.revoke.backends.kvs.Revoke
# This value (calculated in seconds) is added to token
# expiration before a revocation event may be removed from the
# backend. (integer value)
#expiration_buffer=1800
# Toggle for revocation event caching. This has no effect
# unless global caching is enabled. (boolean value)
#caching=true

[signing]
#
# Options defined in keystone
#
# Deprecated in favor of provider in the [token] section.
# (string value)
#token_format=<None>
# Path of the certfile for token signing. (string value)
#certfile=/etc/keystone/ssl/certs/signing_cert.pem
# Path of the keyfile for token signing. (string value)
#keyfile=/etc/keystone/ssl/private/signing_key.pem
# Path of the CA for token signing. (string value)
#ca_certs=/etc/keystone/ssl/certs/ca.pem
# Path of the CA Key for token signing. (string value)
#ca_key=/etc/keystone/ssl/private/cakey.pem
# Key Size (in bits) for token signing cert (auto generated
# certificate). (integer value)
#key_size=2048
# Days the token signing cert is valid for (auto generated
# certificate). (integer value)
#valid_days=3650
# Certificate Subject (auto generated certificate) for token
# signing. (string value)
#cert_subject=/C=US/ST=Unset/L=Unset/O=Unset/CN=www.example.com

[ssl]
#
# Options defined in keystone
#
# Toggle for SSL support on the keystone eventlet servers.
# (boolean value)
#enable=false
# Path of the certfile for SSL. (string value)
#certfile=/etc/keystone/ssl/certs/keystone.pem
# Path of the keyfile for SSL. (string value)
#keyfile=/etc/keystone/ssl/private/keystonekey.pem
# Path of the ca cert file for SSL. (string value)
#ca_certs=/etc/keystone/ssl/certs/ca.pem
# Path of the CA key file for SSL. (string value)
#ca_key=/etc/keystone/ssl/private/cakey.pem
# Require client certificate. (boolean value)
#cert_required=false
# SSL Key Length (in bits) (auto generated certificate).
# (integer value)
#key_size=1024
# Days the certificate is valid for once signed (auto
# generated certificate). (integer value)
#valid_days=3650
# SSL Certificate Subject (auto generated certificate).
# (string value)
#cert_subject=/C=US/ST=Unset/L=Unset/O=Unset/CN=localhost

[stats]
#
# Options defined in keystone
#
# Keystone stats backend driver. (string value)
#driver=keystone.contrib.stats.backends.kvs.Stats

[token]
#
# Options defined in keystone
#
# External auth mechanisms that should add bind information to
# token e.g. kerberos, x509. (list value)
#bind=
# Enforcement policy on tokens presented to keystone with bind
# information. One of disabled, permissive, strict, required
# or a specifically required bind mode e.g. kerberos or x509
# to require binding to that authentication. (string value)
#enforce_token_bind=permissive
# Amount of time a token should remain valid (in seconds).
# (integer value)
#expiration=3600
# Controls the token construction, validation, and revocation
# operations. Core providers are
# "keystone.token.providers.[pki|uuid].Provider". (string
# value)
#provider=<None>
# Keystone Token persistence backend driver. (string value)
#driver=keystone.token.backends.sql.Token
# Toggle for token system caching. This has no effect unless
# global caching is enabled. (boolean value)
#caching=true
# Time to cache the revocation list and the revocation events
# if revoke extension is enabled (in seconds). This has no
# effect unless global and token caching are enabled. (integer
# value)
#revocation_cache_time=3600
# Time to cache tokens (in seconds). This has no effect unless
# global and token caching are enabled. (integer value)
#cache_time=<None>
# Revoke token by token identifier. Setting revoke_by_id to
# True enables various forms of enumerating tokens, e.g. `list
# tokens for user`. These enumerations are processed to
# determine the list of tokens to revoke. Only disable if
# you are switching to using the Revoke extension with a
# backend other than KVS, which stores events in memory.
# (boolean value)
#revoke_by_id=true

[trust]
#
# Options defined in keystone
#
# delegation and impersonation features can be optionally
# disabled. (boolean value)
#enabled=true
# Keystone Trust backend driver. (string value)
#driver=keystone.trust.backends.sql.Trust

keystone-paste.ini
Use the keystone-paste.ini file to configure the Web Service Gateway Interface (WSGI) middleware pipeline for the Identity service.
# Keystone PasteDeploy configuration file.
[filter:debug]
paste.filter_factory = keystone.common.wsgi:Debug.factory
[filter:build_auth_context]
paste.filter_factory = keystone.middleware:AuthContextMiddleware.factory
[filter:token_auth]
paste.filter_factory = keystone.middleware:TokenAuthMiddleware.factory
[filter:admin_token_auth]
paste.filter_factory = keystone.middleware:AdminTokenAuthMiddleware.factory

[filter:xml_body]
paste.filter_factory = keystone.middleware:XmlBodyMiddleware.factory
[filter:xml_body_v2]
paste.filter_factory = keystone.middleware:XmlBodyMiddlewareV2.factory
[filter:xml_body_v3]
paste.filter_factory = keystone.middleware:XmlBodyMiddlewareV3.factory
[filter:json_body]
paste.filter_factory = keystone.middleware:JsonBodyMiddleware.factory
[filter:user_crud_extension]
paste.filter_factory = keystone.contrib.user_crud:CrudExtension.factory
[filter:crud_extension]
paste.filter_factory = keystone.contrib.admin_crud:CrudExtension.factory
[filter:ec2_extension]
paste.filter_factory = keystone.contrib.ec2:Ec2Extension.factory
[filter:ec2_extension_v3]
paste.filter_factory = keystone.contrib.ec2:Ec2ExtensionV3.factory
[filter:federation_extension]
paste.filter_factory = keystone.contrib.federation.routers:FederationExtension.factory
[filter:oauth1_extension]
paste.filter_factory = keystone.contrib.oauth1.routers:OAuth1Extension.factory
[filter:s3_extension]
paste.filter_factory = keystone.contrib.s3:S3Extension.factory
[filter:endpoint_filter_extension]
paste.filter_factory = keystone.contrib.endpoint_filter.routers:EndpointFilterExtension.factory
[filter:simple_cert_extension]
paste.filter_factory = keystone.contrib.simple_cert:SimpleCertExtension.factory
[filter:revoke_extension]
paste.filter_factory = keystone.contrib.revoke.routers:RevokeExtension.factory
[filter:url_normalize]
paste.filter_factory = keystone.middleware:NormalizingFilter.factory
[filter:sizelimit]
paste.filter_factory = keystone.middleware:RequestBodySizeLimiter.factory
[filter:stats_monitoring]
paste.filter_factory = keystone.contrib.stats:StatsMiddleware.factory
[filter:stats_reporting]
paste.filter_factory = keystone.contrib.stats:StatsExtension.factory
[filter:access_log]
paste.filter_factory = keystone.contrib.access:AccessLogMiddleware.factory

[app:public_service]
paste.app_factory = keystone.service:public_app_factory
[app:service_v3]
paste.app_factory = keystone.service:v3_app_factory
[app:admin_service]
paste.app_factory = keystone.service:admin_app_factory
[pipeline:public_api]
pipeline = sizelimit url_normalize build_auth_context token_auth admin_token_auth xml_body_v2 json_body ec2_extension user_crud_extension public_service
[pipeline:admin_api]
pipeline = sizelimit url_normalize build_auth_context token_auth admin_token_auth xml_body_v2 json_body ec2_extension s3_extension crud_extension admin_service
[pipeline:api_v3]
pipeline = sizelimit url_normalize build_auth_context token_auth admin_token_auth xml_body_v3 json_body ec2_extension_v3 s3_extension simple_cert_extension service_v3
[app:public_version_service]
paste.app_factory = keystone.service:public_version_app_factory
[app:admin_version_service]
paste.app_factory = keystone.service:admin_version_app_factory
[pipeline:public_version_api]
pipeline = sizelimit url_normalize xml_body public_version_service
[pipeline:admin_version_api]
pipeline = sizelimit url_normalize xml_body admin_version_service
[composite:main]
use = egg:Paste#urlmap
/v2.0 = public_api
/v3 = api_v3
/ = public_version_api
[composite:admin]
use = egg:Paste#urlmap
/v2.0 = admin_api
/v3 = api_v3
/ = admin_version_api

logging.conf
You can specify a special logging configuration file in the keystone.conf configuration
file. For example, /etc/keystone/logging.conf.
For details, see the Python logging module documentation.
[loggers]
keys=root,access

[handlers]
keys=production,file,access_file,devel
[formatters]
keys=minimal,normal,debug

###########
# Loggers #
###########
[logger_root]
level=WARNING
handlers=file
[logger_access]
level=INFO
qualname=access
handlers=access_file

################
# Log Handlers #
################
[handler_production]
class=handlers.SysLogHandler
level=ERROR
formatter=normal
args=(('localhost', handlers.SYSLOG_UDP_PORT), handlers.SysLogHandler.LOG_USER)
[handler_file]
class=handlers.WatchedFileHandler
level=WARNING
formatter=normal
args=('error.log',)
[handler_access_file]
class=handlers.WatchedFileHandler
level=INFO
formatter=minimal
args=('access.log',)
[handler_devel]
class=StreamHandler
level=NOTSET
formatter=debug
args=(sys.stdout,)

##################
# Log Formatters #
##################
[formatter_minimal]
format=%(message)s
[formatter_normal]
format=(%(name)s): %(asctime)s %(levelname)s %(message)s


[formatter_debug]
format=(%(name)s): %(asctime)s %(levelname)s %(module)s %(funcName)s %(message)s

policy.json
Use the policy.json file to define additional access controls that apply to the Identity
service.
{
"admin_required": "role:admin or is_admin:1",
"service_role": "role:service",
"service_or_admin": "rule:admin_required or rule:service_role",
"owner" : "user_id:%(user_id)s",
"admin_or_owner": "rule:admin_required or rule:owner",
"default": "rule:admin_required",
"identity:get_region": "",
"identity:list_regions": "",
"identity:create_region": "rule:admin_required",
"identity:update_region": "rule:admin_required",
"identity:delete_region": "rule:admin_required",
"identity:get_service": "rule:admin_required",
"identity:list_services": "rule:admin_required",
"identity:create_service": "rule:admin_required",
"identity:update_service": "rule:admin_required",
"identity:delete_service": "rule:admin_required",
"identity:get_endpoint": "rule:admin_required",
"identity:list_endpoints": "rule:admin_required",
"identity:create_endpoint": "rule:admin_required",
"identity:update_endpoint": "rule:admin_required",
"identity:delete_endpoint": "rule:admin_required",
"identity:get_domain": "rule:admin_required",
"identity:list_domains": "rule:admin_required",
"identity:create_domain": "rule:admin_required",
"identity:update_domain": "rule:admin_required",
"identity:delete_domain": "rule:admin_required",
"identity:get_project": "rule:admin_required",
"identity:list_projects": "rule:admin_required",
"identity:list_user_projects": "rule:admin_or_owner",
"identity:create_project": "rule:admin_required",
"identity:update_project": "rule:admin_required",
"identity:delete_project": "rule:admin_required",
"identity:get_user": "rule:admin_required",
"identity:list_users": "rule:admin_required",
"identity:create_user": "rule:admin_required",
"identity:update_user": "rule:admin_required",
"identity:delete_user": "rule:admin_required",
"identity:change_password": "rule:admin_or_owner",
"identity:get_group": "rule:admin_required",
"identity:list_groups": "rule:admin_required",
"identity:list_groups_for_user": "rule:admin_or_owner",
"identity:create_group": "rule:admin_required",
"identity:update_group": "rule:admin_required",
"identity:delete_group": "rule:admin_required",
"identity:list_users_in_group": "rule:admin_required",
"identity:remove_user_from_group": "rule:admin_required",
"identity:check_user_in_group": "rule:admin_required",
"identity:add_user_to_group": "rule:admin_required",
"identity:get_credential": "rule:admin_required",
"identity:list_credentials": "rule:admin_required",
"identity:create_credential": "rule:admin_required",
"identity:update_credential": "rule:admin_required",
"identity:delete_credential": "rule:admin_required",
"identity:ec2_get_credential": "rule:admin_or_owner",
"identity:ec2_list_credentials": "rule:admin_or_owner",
"identity:ec2_create_credential": "rule:admin_or_owner",
"identity:ec2_delete_credential": "rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)",
"identity:get_role": "rule:admin_required",
"identity:list_roles": "rule:admin_required",
"identity:create_role": "rule:admin_required",
"identity:update_role": "rule:admin_required",
"identity:delete_role": "rule:admin_required",
"identity:check_grant": "rule:admin_required",
"identity:list_grants": "rule:admin_required",
"identity:create_grant": "rule:admin_required",
"identity:revoke_grant": "rule:admin_required",
"identity:list_role_assignments": "rule:admin_required",
"identity:get_policy": "rule:admin_required",
"identity:list_policies": "rule:admin_required",
"identity:create_policy": "rule:admin_required",
"identity:update_policy": "rule:admin_required",
"identity:delete_policy": "rule:admin_required",
"identity:check_token": "rule:admin_required",
"identity:validate_token": "rule:service_or_admin",
"identity:validate_token_head": "rule:service_or_admin",
"identity:revocation_list": "rule:service_or_admin",
"identity:revoke_token": "rule:admin_or_owner",
"identity:create_trust": "user_id:%(trust.trustor_user_id)s",
"identity:get_trust": "rule:admin_or_owner",
"identity:list_trusts": "",
"identity:list_roles_for_trust": "",
"identity:check_role_for_trust": "",
"identity:get_role_for_trust": "",
"identity:delete_trust": "",
"identity:create_consumer": "rule:admin_required",
"identity:get_consumer": "rule:admin_required",
"identity:list_consumers": "rule:admin_required",
"identity:delete_consumer": "rule:admin_required",
"identity:update_consumer": "rule:admin_required",
"identity:authorize_request_token": "rule:admin_required",
"identity:list_access_token_roles": "rule:admin_required",
"identity:get_access_token_role": "rule:admin_required",
"identity:list_access_tokens": "rule:admin_required",
"identity:get_access_token": "rule:admin_required",
"identity:delete_access_token": "rule:admin_required",
"identity:list_projects_for_endpoint": "rule:admin_required",
"identity:add_endpoint_to_project": "rule:admin_required",
"identity:check_endpoint_in_project": "rule:admin_required",
"identity:list_endpoints_for_project": "rule:admin_required",
"identity:remove_endpoint_from_project": "rule:admin_required",
"identity:create_identity_provider": "rule:admin_required",
"identity:list_identity_providers": "rule:admin_required",
"identity:get_identity_providers": "rule:admin_required",
"identity:update_identity_provider": "rule:admin_required",
"identity:delete_identity_provider": "rule:admin_required",
"identity:create_protocol": "rule:admin_required",
"identity:update_protocol": "rule:admin_required",
"identity:get_protocol": "rule:admin_required",
"identity:list_protocols": "rule:admin_required",
"identity:delete_protocol": "rule:admin_required",
"identity:create_mapping": "rule:admin_required",
"identity:get_mapping": "rule:admin_required",
"identity:list_mappings": "rule:admin_required",
"identity:delete_mapping": "rule:admin_required",
"identity:update_mapping": "rule:admin_required",
"identity:list_projects_for_groups": "",
"identity:list_domains_for_groups": "",
"identity:list_revoke_events": ""
}
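
An added example (not part of the OpenStack reference and not Keystone's own code): a small Python audit that evaluates each identity:* rule of a policy.json like the one above against four probe identities and reports who is admitted. It assumes the policy language's convention that an empty rule string places no restriction on the caller; the probe identities, the function names and the embedded excerpt of the file above are constructed for this example.

```python
import json
import re

# Constructed excerpt of the policy.json above; rule strings are copied unchanged.
SAMPLE_POLICY = json.loads("""{
  "admin_required": "role:admin or is_admin:1",
  "service_role": "role:service",
  "service_or_admin": "rule:admin_required or rule:service_role",
  "owner": "user_id:%(user_id)s",
  "admin_or_owner": "rule:admin_required or rule:owner",
  "default": "rule:admin_required",
  "identity:list_regions": "",
  "identity:create_region": "rule:admin_required",
  "identity:change_password": "rule:admin_or_owner",
  "identity:validate_token": "rule:service_or_admin",
  "identity:create_trust": "user_id:%(trust.trustor_user_id)s",
  "identity:delete_trust": "",
  "identity:ec2_delete_credential": "rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)"
}""")

# Probe identities and the target they act on (all constructed).
PROBES = {
    "admin": {"user_id": "u-admin", "roles": ["admin"]},
    "service": {"user_id": "u-svc", "roles": ["service"]},
    "owner": {"user_id": "u-owner", "roles": ["member"]},
    "outsider": {"user_id": "u-other", "roles": ["member"]},
}
TARGET = {"user_id": "u-owner", "trust.trustor_user_id": "u-owner",
          "target.credential.user_id": "u-owner"}

# Tokens: "(", ")", or a word such as role:admin / user_id:%(user_id)s / or / and.
TOKEN = re.compile(r"\(|\)|(?:%\([^)]*\)s|[^\s()])+")


def check(atom, policy, creds, target, depth):
    """Evaluate a single kind:match check."""
    if atom == "@":
        return True
    if atom == "!" or ":" not in atom:
        return False
    kind, match = atom.split(":", 1)
    if kind == "rule":
        # A reference to an undefined rule fails closed.
        return match in policy and allowed(policy[match], policy, creds, target, depth + 1)
    if kind == "role":
        return match.lower() in (r.lower() for r in creds.get("roles", []))
    try:
        wanted = match % target  # fills %(user_id)s style placeholders
    except (KeyError, TypeError, ValueError):
        return False
    return kind in creds and wanted == str(creds[kind])


def allowed(rule, policy, creds, target, depth=0):
    """Evaluate a rule string with or / and / not / parentheses."""
    if depth > 20:
        raise ValueError("rule references form a cycle")
    tokens = TOKEN.findall(rule)
    if not tokens:
        return True  # empty rule: no restriction on the caller
    pos = 0

    def parse_or():
        nonlocal pos
        result = parse_and()
        while pos < len(tokens) and tokens[pos] == "or":
            pos += 1
            rhs = parse_and()
            result = result or rhs
        return result

    def parse_and():
        nonlocal pos
        result = parse_atom()
        while pos < len(tokens) and tokens[pos] == "and":
            pos += 1
            rhs = parse_atom()
            result = result and rhs
        return result

    def parse_atom():
        nonlocal pos
        tok = tokens[pos]
        pos += 1
        if tok == "not":
            return not parse_atom()
        if tok == "(":
            value = parse_or()
            pos += 1  # consume ")"
            return value
        return check(tok, policy, creds, target, depth)

    value = parse_or()
    if pos != len(tokens):
        raise ValueError("malformed rule: %r" % rule)
    return value


def audit(policy):
    """Map each identity:* target to the probe identities its rule admits."""
    return {name: tuple(sorted(p for p, creds in PROBES.items()
                               if allowed(rule, policy, creds, TARGET)))
            for name, rule in policy.items() if name.startswith("identity:")}


def open_targets(policy):
    """Targets that admit a caller with no special role and no ownership."""
    return sorted(n for n, who in audit(policy).items() if "outsider" in who)


if __name__ == "__main__":
    for name, who in sorted(audit(SAMPLE_POLICY).items()):
        print("%-34s %s" % (name, ", ".join(who)))
```

Run against the full file, open_targets() lists every target whose rule is the empty string, which is the set to review first when tightening access.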

Domain-specific configuration
Identity enables you to configure domain-specific authentication drivers. For example, you
can configure a domain to have its own LDAP or SQL server.
By default, the option to configure domain-specific drivers is disabled.
To enable domain-specific drivers, set these options in the [identity] section of the
keystone.conf file:
[identity]
domain_specific_drivers_enabled = True
domain_config_dir = /etc/keystone/domains

When you enable domain-specific drivers, Identity looks in the domain_config_dir directory
for configuration files that are named as follows: keystone.DOMAIN_NAME.conf, where
DOMAIN_NAME is the domain name.

Any options that you define in the domain-specific configuration file override options in the
primary configuration file for the specified domain. Any domain without a domain-specific
configuration file uses only the options in the primary configuration file.

New, updated and deprecated options in Juno for OpenStack Identity
Table 6.36. New options

| Option = default value | (Type) Help string |
| --- | --- |
| [DEFAULT] admin_workers = None | (IntOpt) The number of worker processes to serve the admin WSGI application. Defaults to number of CPUs (minimum of 2). |
| [DEFAULT] public_workers = None | (IntOpt) The number of worker processes to serve the public WSGI application. Defaults to number of CPUs (minimum of 2). |
| [DEFAULT] strict_password_check = False | (BoolOpt) If set to true, strict password length checking is performed for password manipulation. If a password exceeds the maximum length, the operation will fail with an HTTP 403 Forbidden error. If set to false, passwords are automatically truncated to the maximum length. |
| [cache] memcache_dead_retry = 300 | (IntOpt) Number of seconds memcached server is considered dead before it is tried again. (dogpile.cache.memcache and keystone.cache.memcache_pool backends only) |
| [cache] memcache_pool_connection_get_timeout = 10 | (IntOpt) Number of seconds that an operation will wait to get a memcache client connection. |
| [cache] memcache_pool_maxsize = 10 | (IntOpt) Max total number of open connections to every memcached server. (keystone.cache.memcache_pool backend only) |
| [cache] memcache_pool_unused_timeout = 60 | (IntOpt) Number of seconds a connection to memcached is held unused in the pool before it is closed. (keystone.cache.memcache_pool backend only) |
| [cache] memcache_servers = ['localhost:11211'] | (ListOpt) Memcache servers in the format of "host:port". (dogpile.cache.memcache and keystone.cache.memcache_pool backends only) |
| [cache] memcache_socket_timeout = 3 | (IntOpt) Timeout in seconds for every call to a server. (dogpile.cache.memcache and keystone.cache.memcache_pool backends only) |
| [catalog] cache_time = None | (IntOpt) Time to cache catalog data (in seconds). This has no effect unless global and catalog caching are enabled. |
| [catalog] caching = True | (BoolOpt) Toggle for catalog caching. This has no effect unless global caching is enabled. |
| [database] slave_connection = None | (StrOpt) The SQLAlchemy connection string to use to connect to the slave database. |
| [endpoint_policy] driver = keystone.contrib.endpoint_policy.backends.sql.EndpointPolicy | (StrOpt) Endpoint policy backend driver |
| [identity_mapping] backward_compatible_ids = True | (BoolOpt) The format of user and group IDs changed in Juno for backends that do not generate UUIDs (e.g. LDAP), with keystone providing a hash mapping to the underlying attribute in LDAP. By default this mapping is disabled, which ensures that existing IDs will not change. Even when the mapping is enabled by using domain specific drivers, any users and groups from the default domain being handled by LDAP will still not be mapped to ensure their IDs remain backward compatible. Setting this value to False will enable the mapping for even the default LDAP driver. It is only safe to do this if you do not already have assignments for users and groups from the default LDAP domain, and it is acceptable for Keystone to provide the different IDs to clients than it did previously. Typically this means that the only time you can set this value to False is when configuring a fresh installation. |
| [identity_mapping] driver = keystone.identity.mapping_backends.sql.Mapping | (StrOpt) Keystone Identity Mapping backend driver. |
| [identity_mapping] generator = keystone.identity.id_generators.sha256.Generator | (StrOpt) Public ID generator for user and group entities. The Keystone identity mapper only supports generators that produce no more than 64 characters. |
| [keystone_authtoken] check_revocations_for_cached = False | (BoolOpt) If true, the revocation list will be checked for cached tokens. This requires that PKI tokens are configured on the Keystone server. |
| [keystone_authtoken] hash_algorithms = ['md5'] | (ListOpt) Hash algorithms to use for hashing PKI tokens. This may be a single algorithm or multiple. The algorithms are those supported by Python standard hashlib.new(). The hashes will be tried in the order given, so put the preferred one first for performance. The result of the first hash will be stored in the cache. This will typically be set to multiple values only while migrating from a less secure algorithm to a more secure one. Once all the old tokens are expired this option should be set to a single value for better performance. |
| [keystone_authtoken] identity_uri = None | (StrOpt) Complete admin Identity API endpoint. This should specify the unversioned root endpoint e.g. https://localhost:35357/ |
| [keystone_ec2_token] cafile = None | (StrOpt) A PEM encoded certificate authority to use when verifying HTTPS connections. Defaults to the system CAs. |
| [keystone_ec2_token] certfile = None | (StrOpt) Client certificate key filename. Required if EC2 server requires client certificate. |
| [keystone_ec2_token] insecure = False | (BoolOpt) Disable SSL certificate verification. |
| [keystone_ec2_token] keyfile = None | (StrOpt) Required if EC2 server requires client certificate. |
| [keystone_ec2_token] url = http://localhost:5000/v2.0/ec2tokens | (StrOpt) URL to get token from ec2 request. |
| [ldap] auth_pool_connection_lifetime = 60 | (IntOpt) End user auth connection lifetime in seconds. |
| [ldap] auth_pool_size = 100 | (IntOpt) End user auth connection pool size. |
| [ldap] debug_level = None | (IntOpt) Sets the LDAP debugging level for LDAP calls. A value of 0 means that debugging is not enabled. This value is a bitmask, consult your LDAP documentation for possible values. |
| [ldap] pool_connection_lifetime = 600 | (IntOpt) Connection lifetime in seconds. |
| [ldap] pool_connection_timeout = -1 | (IntOpt) Connector timeout in seconds. Value -1 indicates indefinite wait for response. |
| [ldap] pool_retry_delay = 0.1 | (FloatOpt) Time span in seconds to wait between two reconnect trials. |
| [ldap] pool_retry_max = 3 | (IntOpt) Maximum count of reconnect trials. |
| [ldap] pool_size = 10 | (IntOpt) Connection pool size. |
| [ldap] project_additional_attribute_mapping = [] | (ListOpt) Additional attribute mappings for projects. Attribute mapping format is <ldap_attr>:<user_attr>, where ldap_attr is the attribute in the LDAP entry and user_attr is the Identity API attribute. |
| [ldap] project_allow_create = True | (BoolOpt) Allow project creation in LDAP backend. |
| [ldap] project_allow_delete = True | (BoolOpt) Allow project deletion in LDAP backend. |
| [ldap] project_allow_update = True | (BoolOpt) Allow project update in LDAP backend. |
| [ldap] project_attribute_ignore = [] | (ListOpt) List of attributes stripped off the project on update. |
| [ldap] project_desc_attribute = description | (StrOpt) LDAP attribute mapped to project description. |
| [ldap] project_domain_id_attribute = businessCategory | (StrOpt) LDAP attribute mapped to project domain_id. |
| [ldap] project_enabled_attribute = enabled | (StrOpt) LDAP attribute mapped to project enabled. |
| [ldap] project_enabled_emulation = False | (BoolOpt) If true, Keystone uses an alternative method to determine if a project is enabled or not by checking if they are a member of the "project_enabled_emulation_dn" group. |
| [ldap] project_enabled_emulation_dn = None | (StrOpt) DN of the group entry to hold enabled projects when using enabled emulation. |
| [ldap] project_filter = None | (StrOpt) LDAP search filter for projects. |
| [ldap] project_id_attribute = cn | (StrOpt) LDAP attribute mapped to project id. |
| [ldap] project_member_attribute = member | (StrOpt) LDAP attribute mapped to project membership for user. |
| [ldap] project_name_attribute = ou | (StrOpt) LDAP attribute mapped to project name. |
| [ldap] project_objectclass = groupOfNames | (StrOpt) LDAP objectclass for projects. |
| [ldap] project_tree_dn = None | (StrOpt) Search base for projects |
| [ldap] use_auth_pool = False | (BoolOpt) Enable LDAP connection pooling for end user authentication. If use_pool is disabled, then this setting is meaningless and is not used at all. |
| [ldap] use_pool = False | (BoolOpt) Enable LDAP connection pooling. |
| [ldap] user_enabled_invert = False | (BoolOpt) Invert the meaning of the boolean enabled values. Some LDAP servers use a boolean lock attribute where "true" means an account is disabled. Setting "user_enabled_invert = true" will allow these lock attributes to be used. This setting will have no effect if "user_enabled_mask" or "user_enabled_emulation" settings are in use. |
| [memcache] dead_retry = 300 | (IntOpt) Number of seconds memcached server is considered dead before it is tried again. This is used by the key value store system (e.g. token pooled memcached persistence backend). |
| [memcache] pool_connection_get_timeout = 10 | (IntOpt) Number of seconds that an operation will wait to get a memcache client connection. This is used by the key value store system (e.g. token pooled memcached persistence backend). |
| [memcache] pool_maxsize = 10 | (IntOpt) Max total number of open connections to every memcached server. This is used by the key value store system (e.g. token pooled memcached persistence backend). |
| [memcache] pool_unused_timeout = 60 | (IntOpt) Number of seconds a connection to memcached is held unused in the pool before it is closed. This is used by the key value store system (e.g. token pooled memcached persistence backend). |
| [memcache] socket_timeout = 3 | (IntOpt) Timeout in seconds for every call to a server. This is used by the key value store system (e.g. token pooled memcached persistence backend). |
| [saml] assertion_expiration_time = 3600 | (IntOpt) Default TTL, in seconds, for any generated SAML assertion created by Keystone. |
| [saml] certfile = /etc/keystone/ssl/certs/signing_cert.pem | (StrOpt) Path of the certfile for SAML signing. For non-production environments, you may be interested in using `keystone-manage pki_setup` to generate self-signed certificates. Note, the path cannot contain a comma. |
| [saml] idp_contact_company = None | (StrOpt) Company of contact person. |
| [saml] idp_contact_email = None | (StrOpt) Email address of contact person. |
| [saml] idp_contact_name = None | (StrOpt) Given name of contact person |
| [saml] idp_contact_surname = None | (StrOpt) Surname of contact person. |
| [saml] idp_contact_telephone = None | (StrOpt) Telephone number of contact person. |
| [saml] idp_contact_type = other | (StrOpt) Contact type. Allowed values are: technical, support, administrative, billing, and other |
| [saml] idp_entity_id = None | (StrOpt) Entity ID value for unique Identity Provider identification. Usually FQDN is set with a suffix. A value is required to generate IDP Metadata. For example: https://keystone.example.com/v3/OS-FEDERATION/saml2/idp |
| [saml] idp_lang = en | (StrOpt) Language used by the organization. |
| [saml] idp_metadata_path = /etc/keystone/saml2_idp_metadata.xml | (StrOpt) Path to the Identity Provider Metadata file. This file should be generated with the keystone-manage saml_idp_metadata command. |
| [saml] idp_organization_display_name = None | (StrOpt) Organization name to be displayed. |
| [saml] idp_organization_name = None | (StrOpt) Organization name the installation belongs to. |
| [saml] idp_organization_url = None | (StrOpt) URL of the organization. |
| [saml] idp_sso_endpoint = None | (StrOpt) Identity Provider Single-Sign-On service value, required in the Identity Provider's metadata. A value is required to generate IDP Metadata. For example: https://keystone.example.com/v3/OS-FEDERATION/saml2/sso |
| [saml] keyfile = /etc/keystone/ssl/private/signing_key.pem | (StrOpt) Path of the keyfile for SAML signing. Note, the path cannot contain a comma. |
| [saml] xmlsec1_binary = xmlsec1 | (StrOpt) Binary to be called for XML signing. Install the appropriate package, specify absolute path or adjust your PATH environment variable if the binary cannot be found. |
| [token] hash_algorithm = md5 | (StrOpt) The hash algorithm to use for PKI tokens. This can be set to any algorithm that hashlib supports. WARNING: Before changing this value, the auth_token middleware must be configured with the hash_algorithms, otherwise token revocation will not be processed correctly. |
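
The warning on [token] hash_algorithm and the migration advice on [keystone_authtoken] hash_algorithms above, as an added Python model (not Keystone or auth_token middleware code). It assumes a simplified picture in which the revocation list is a set of token hashes computed with whatever algorithm the server used at revocation time; the token strings and function names are constructed for this example.

```python
import hashlib

# Constructed stand-ins for two PKI token bodies.
OLD_TOKEN = "constructed-token-issued-before-the-switch"
NEW_TOKEN = "constructed-token-issued-after-the-switch"


def token_hash(token, algorithm):
    """Hash a token with any algorithm name hashlib.new() accepts."""
    return hashlib.new(algorithm, token.encode("utf-8")).hexdigest()


def published_revocations():
    """Modelled server side during a migration.

    OLD_TOKEN was revoked while [token] hash_algorithm was md5, NEW_TOKEN
    after it was changed to sha256, so the list holds hashes of both kinds.
    """
    return {token_hash(OLD_TOKEN, "md5"), token_hash(NEW_TOKEN, "sha256")}


def is_revoked(token, revoked_hashes, hash_algorithms):
    """Modelled middleware side: try each configured algorithm in order."""
    for algorithm in hash_algorithms:
        if token_hash(token, algorithm) in revoked_hashes:
            return True
    return False


def cache_key(token, hash_algorithms):
    """Only the first algorithm's hash is used as the cache key."""
    return token_hash(token, hash_algorithms[0])


def detection_matrix():
    """For each middleware setting, which revoked tokens are recognised."""
    revoked = published_revocations()
    settings = (["md5"], ["sha256"], ["sha256", "md5"])
    return {
        tuple(algs): {
            "old": is_revoked(OLD_TOKEN, revoked, algs),
            "new": is_revoked(NEW_TOKEN, revoked, algs),
        }
        for algs in settings
    }


if __name__ == "__main__":
    for algs, seen in detection_matrix().items():
        print("hash_algorithms=%s -> old revoked seen: %s, new revoked seen: %s"
              % (list(algs), seen["old"], seen["new"]))
```

A middleware left on md5 alone keeps accepting the token revoked after the switch, which is the failure the warning describes; listing both algorithms with the new one first covers the overlap until the old tokens expire.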

Table6.37.New default values


Option

Previous default value

New default value

[DEFAULT] control_exchange

openstack

keystone

[DEFAULT] default_log_levels

amqp=WARN, amqplib=WARN, boto=WARN, qpid=WARN, sqlalchemy=WARN, suds=INFO, iso8601=WARN, requests.packages.urllib3.connectionpool=WARN

amqp=WARN, amqplib=WARN, boto=WARN, qpid=WARN, sqlalchemy=WARN, suds=INFO, oslo.messaging=INFO, iso8601=WARN, requests.packages.urllib3.connectionpool=WARN, urllib3.connectionpool=WARN, websocket=WARN, keystonemiddleware=WARN, routes.middleware=WARN, stevedore=WARN

[database] sqlite_db

keystone.sqlite

oslo.sqlite

[keystone_authtoken] revocation_cache_time

300

10

[ldap] user_mail_attribute

email

mail

[token] driver

keystone.token.backends.sql.Token

keystone.token.persistence.backends.sql.Token


Table 6.38. Deprecated options

Deprecated option

New Option

[ldap] tenant_allow_delete

[ldap] project_allow_delete

[ldap] tenant_allow_create

[ldap] project_allow_create

[ldap] tenant_objectclass

[ldap] project_objectclass

[ldap] tenant_filter

[ldap] project_filter

[ldap] tenant_member_attribute

[ldap] project_member_attribute

[ldap] tenant_additional_attribute_mapping

[ldap] project_additional_attribute_mapping

[ldap] tenant_allow_update

[ldap] project_allow_update

[ldap] tenant_desc_attribute

[ldap] project_desc_attribute

[ldap] tenant_enabled_emulation

[ldap] project_enabled_emulation

[ldap] tenant_name_attribute

[ldap] project_name_attribute

[ldap] tenant_attribute_ignore

[ldap] project_attribute_ignore

[ldap] tenant_enabled_attribute

[ldap] project_enabled_attribute

[ldap] tenant_id_attribute

[ldap] project_id_attribute

[ldap] tenant_domain_id_attribute

[ldap] project_domain_id_attribute

[ldap] tenant_tree_dn

[ldap] project_tree_dn

[ldap] tenant_enabled_emulation_dn

[ldap] project_enabled_emulation_dn


7. Image Service
Table of Contents
Configure the API
Configure the RPC messaging system
Support for ISO images
Configure back ends
Image Service sample configuration files
New, updated and deprecated options in Juno for OpenStack Image Service

Compute relies on an external image service to store virtual machine images and maintain a catalog of available images. By default, Compute is configured to use the OpenStack Image Service (Glance), which is currently the only supported image service.

If your installation requires euca2ools to register new images, you must run the nova-objectstore service. This service provides an Amazon S3 front-end for Glance, which is required by euca2ools.

To customize the Compute Service, use the configuration option settings documented in Table 2.30, Description of glance configuration options [242] and Table 2.50, Description of S3 configuration options [254].

You can modify many options in the OpenStack Image Service. The following tables provide a comprehensive list.

Table 7.1. Description of authorization token configuration options


Configuration option = Default value

Description

[keystone_authtoken]
admin_password = None

(StrOpt) Keystone account password

admin_tenant_name = admin

(StrOpt) Keystone service account tenant name to validate user tokens

admin_token = None

(StrOpt) This option is deprecated and may be removed in a future release. Single shared secret with the Keystone configuration used for bootstrapping a Keystone installation, or otherwise bypassing the normal authentication process. This option should not be used, use `admin_user` and `admin_password` instead.

admin_user = None

(StrOpt) Keystone account username

auth_admin_prefix =

(StrOpt) Prefix to prepend at the beginning of the path. Deprecated, use identity_uri.

auth_host = 127.0.0.1

(StrOpt) Host providing the admin Identity API endpoint. Deprecated, use identity_uri.

auth_port = 35357

(IntOpt) Port of the admin Identity API endpoint. Deprecated, use identity_uri.

auth_protocol = https

(StrOpt) Protocol of the admin Identity API endpoint (http or https). Deprecated, use identity_uri.

auth_uri = None

(StrOpt) Complete public Identity API endpoint

auth_version = None

(StrOpt) API version of the admin Identity API endpoint

cache = None

(StrOpt) Env key for the swift cache


cafile = None

(StrOpt) A PEM encoded Certificate Authority to use when verifying HTTPS connections. Defaults to system CAs.

certfile = None

(StrOpt) Required if Keystone server requires client certificate

check_revocations_for_cached = False

(BoolOpt) If true, the revocation list will be checked for cached tokens. This requires that PKI tokens are configured on the Keystone server.

delay_auth_decision = False

(BoolOpt) Do not handle authorization requests within the middleware, but delegate the authorization decision to downstream WSGI components

enforce_token_bind = permissive

(StrOpt) Used to control the use and type of token binding. Can be set to: "disabled" to not check token binding.
"permissive" (default) to validate binding information if
the bind type is of a form known to the server and ignore
it if not. "strict" like "permissive" but if the bind type is unknown the token will be rejected. "required" any form of
token binding is needed to be allowed. Finally the name of
a binding method that must be present in tokens.

hash_algorithms = md5

(ListOpt) Hash algorithms to use for hashing PKI tokens. This may be a single algorithm or multiple. The algorithms are those supported by Python standard hashlib.new(). The hashes will be tried in the order given, so put the preferred one first for performance. The result of the first hash will be stored in the cache. This will typically be set to multiple values only while migrating from a less secure algorithm to a more secure one. Once all the old tokens are expired this option should be set to a single value for better performance.

http_connect_timeout = None

(BoolOpt) Request timeout value for communicating with Identity API server.

http_request_max_retries = 3

(IntOpt) How many times are we trying to reconnect when communicating with Identity API Server.

identity_uri = None

(StrOpt) Complete admin Identity API endpoint. This should specify the unversioned root endpoint e.g. https://localhost:35357/

include_service_catalog = True

(BoolOpt) (optional) indicate whether to set the X-Service-Catalog header. If False, middleware will not ask for service catalog on token validation and will not set the X-Service-Catalog header.

insecure = False

(BoolOpt) Verify HTTPS connections.

keyfile = None

(StrOpt) Required if Keystone server requires client certificate

memcache_secret_key = None

(StrOpt) (optional, mandatory if memcache_security_strategy is defined) this string is used for key derivation.

memcache_security_strategy = None

(StrOpt) (optional) if defined, indicate whether token data should be authenticated or authenticated and encrypted. Acceptable values are MAC or ENCRYPT. If MAC, token data is authenticated (with HMAC) in the cache. If ENCRYPT, token data is encrypted and authenticated in the
cache. If the value is not one of these options or empty,
auth_token will raise an exception on initialization.

revocation_cache_time = 10

(IntOpt) Determines the frequency at which the list of revoked tokens is retrieved from the Identity service (in seconds). A high number of revocation events combined with a low cache duration may significantly reduce performance.

signing_dir = None

(StrOpt) Directory used to cache files related to PKI tokens


token_cache_time = 300

(IntOpt) In order to prevent excessive effort spent validating tokens, the middleware caches previously-seen tokens
for a configurable duration (in seconds). Set to -1 to disable caching completely.

Table 7.2. Description of common configuration options


Configuration option = Default value

Description

[DEFAULT]
allow_additional_image_properties = True

(BoolOpt) Whether to allow users to specify image properties beyond what the image schema provides

api_limit_max = 1000

(IntOpt) Maximum permissible number of items that could be returned by a request

backlog = 4096

(IntOpt) The backlog value that will be used when creating the TCP listener socket.

bind_host = 0.0.0.0

(StrOpt) Address to bind the server. Useful when selecting a particular network interface.

bind_port = None

(IntOpt) The port on which the server will listen.

data_api = glance.db.sqlalchemy.api

(StrOpt) Python module path of data access API

image_location_quota = 10

(IntOpt) Maximum number of locations allowed on an image. Negative values evaluate to unlimited.

image_member_quota = 128

(IntOpt) Maximum number of image members per image. Negative values evaluate to unlimited.

image_property_quota = 128

(IntOpt) Maximum number of properties allowed on an image. Negative values evaluate to unlimited.

image_tag_quota = 128

(IntOpt) Maximum number of tags allowed on an image. Negative values evaluate to unlimited.

limit_param_default = 25

(IntOpt) Default value for the number of items returned by a request if not specified explicitly in the request

lock_path = None

(StrOpt) Directory to use for lock files.

memcached_servers = None

(ListOpt) Memcached servers or None for in process cache.

metadata_encryption_key = None

(StrOpt) Key used for encrypting sensitive metadata while talking to the registry or database.

metadata_source_path = /etc/glance/metadefs/

(StrOpt) Path to the directory where json metadata files are stored

property_protection_file = None

(StrOpt) The location of the property protection file.

property_protection_rule_format = roles

(StrOpt) This config value indicates whether "roles" or "policies" are used in the property protection file.

show_image_direct_url = False

(BoolOpt) Whether to include the backend image storage location in image properties. Revealing storage location can be a security risk, so use this setting with caution!

user_storage_quota = 0

(StrOpt) Set a system wide quota for every user. This value is the total capacity that a user can use across all storage systems. A value of 0 means unlimited. Optional unit can be specified for the value. Accepted units are B, KB, MB, GB and TB representing Bytes, KiloBytes, MegaBytes, GigaBytes and TeraBytes respectively. If no unit is specified then Bytes is assumed. Note that there should not be any space between value and unit and units are case sensitive.

workers = 4

(IntOpt) The number of child process workers that will be created to service requests. The default will be equal to the number of CPUs available.

[glance_store]
os_region_name = None

(StrOpt) Region name of this node


[image_format]
container_formats = ami, ari, aki, bare, ovf, ova

(ListOpt) Supported values for the 'container_format' image attribute

disk_formats = ami, ari, aki, vhd, vmdk, raw, qcow2, vdi, iso

(ListOpt) Supported values for the 'disk_format' image attribute

[keystone_authtoken]
memcached_servers = None

(ListOpt) Optionally specify a list of memcached server(s) to use for caching. If left undefined, tokens will instead be cached in-process.

[task]
eventlet_executor_pool_size = 1000

(IntOpt) Specifies the maximum number of eventlet threads which can be spun up by the eventlet based task executor to perform execution of Glance tasks.

task_executor = eventlet

(StrOpt) Specifies which task executor to be used to run the task scripts.

task_time_to_live = 48

(IntOpt) Time in hours for which a task lives after either succeeding or failing

Table 7.3. Description of database configuration options


Configuration option = Default value

Description

[DEFAULT]
db_enforce_mysql_charset = True

(BoolOpt) DEPRECATED. TO BE REMOVED IN THE JUNO RELEASE. Whether or not to enforce that all DB tables have charset utf8. If your database tables do not have charset utf8 you will need to convert before this option is removed. This option is only relevant if your database engine is MySQL.

[database]
backend = sqlalchemy

(StrOpt) The back end to use for the database.

connection = None

(StrOpt) The SQLAlchemy connection string to use to connect to the database.

connection_debug = 0

(IntOpt) Verbosity of SQL debugging information: 0=None, 100=Everything.

connection_trace = False

(BoolOpt) Add Python stack traces to SQL as comment strings.

db_inc_retry_interval = True

(BoolOpt) If True, increases the interval between database connection retries up to db_max_retry_interval.

db_max_retries = 20

(IntOpt) Maximum database connection retries before error is raised. Set to -1 to specify an infinite retry count.

db_max_retry_interval = 10

(IntOpt) If db_inc_retry_interval is set, the maximum seconds between database connection retries.

db_retry_interval = 1

(IntOpt) Seconds between database connection retries.

idle_timeout = 3600

(IntOpt) Timeout before idle SQL connections are reaped.

max_overflow = None

(IntOpt) If set, use this value for max_overflow with SQLAlchemy.

max_pool_size = None

(IntOpt) Maximum number of SQL connections to keep open in a pool.

max_retries = 10

(IntOpt) Maximum db connection retries during startup. Set to -1 to specify an infinite retry count.

min_pool_size = 1

(IntOpt) Minimum number of SQL connections to keep open in a pool.


mysql_sql_mode = TRADITIONAL

(StrOpt) The SQL mode to be used for MySQL sessions. This option, including the default, overrides any server-set SQL mode. To use whatever SQL mode is set by the server configuration, set this to no value. Example: mysql_sql_mode=

pool_timeout = None

(IntOpt) If set, use this value for pool_timeout with SQLAlchemy.

retry_interval = 10

(IntOpt) Interval between retries of opening a SQL connection.

slave_connection = None

(StrOpt) The SQLAlchemy connection string to use to connect to the slave database.

sqlite_db = oslo.sqlite

(StrOpt) The file name to use with SQLite.

sqlite_synchronous = True

(BoolOpt) If True, SQLite uses synchronous mode.

use_db_reconnect = False

(BoolOpt) Enable the experimental use of database reconnect on connection lost.

Table 7.4. Description of flagmappings configuration options


Configuration option = Default value

Description

[DEFAULT]
cleanup_scrubber = False

(BoolOpt) A boolean that determines if the scrubber should clean up the files it uses for taking data. Only one server in your deployment should be designated the cleanup host.

cleanup_scrubber_time = 86400

(IntOpt) Items must have a modified time that is older than this value in order to be candidates for cleanup.

delayed_delete = False

(BoolOpt) Turn on/off delayed delete.

image_cache_dir = None

(StrOpt) Base directory that the Image Cache uses.

image_cache_driver = sqlite

(StrOpt) The driver to use for image cache management.

image_cache_max_size = 10737418240

(IntOpt) The maximum size in bytes that the cache can use.

image_cache_sqlite_db = cache.db

(StrOpt) The path to the sqlite file database that will be used for image cache management.

image_cache_stall_time = 86400

(IntOpt) The amount of time to let an image remain in the cache without being accessed.

scrub_time = 0

(IntOpt) The amount of time in seconds to delay before performing a delete.

scrubber_datadir = /var/lib/glance/scrubber

(StrOpt) Directory that the scrubber will use to track information about what to delete. Make sure this is set in
glance-api.conf and glance-scrubber.conf.

Table 7.5. Description of logging configuration options


Configuration option = Default value

Description

[DEFAULT]
debug = False

(BoolOpt) Print debugging output (set logging level to DEBUG instead of default WARNING level).

default_log_levels = amqp=WARN, amqplib=WARN, boto=WARN, qpid=WARN, sqlalchemy=WARN, suds=INFO, oslo.messaging=INFO, iso8601=WARN, requests.packages.urllib3.connectionpool=WARN

(ListOpt) List of logger=LEVEL pairs.

fatal_deprecations = False

(BoolOpt) Enables or disables fatal status of deprecations.

instance_format = "[instance: %(uuid)s] "

(StrOpt) The format for an instance that is passed with the log message.


instance_uuid_format = "[instance: %(uuid)s] "

(StrOpt) The format for an instance UUID that is passed with the log message.

log_config_append = None

(StrOpt) The name of a logging configuration file. This file is appended to any existing logging configuration files. For details about logging configuration files, see the Python logging module documentation.

log_date_format = %Y-%m-%d %H:%M:%S

(StrOpt) Format string for %%(asctime)s in log records. Default: %(default)s .

log_dir = None

(StrOpt) (Optional) The base directory used for relative --log-file paths.

log_file = None

(StrOpt) (Optional) Name of log file to output to. If no default is set, logging will go to stdout.

log_format = None

(StrOpt) DEPRECATED. A logging.Formatter log message format string which may use any of the available
logging.LogRecord attributes. This option is deprecated. Please use logging_context_format_string and
logging_default_format_string instead.

logging_context_format_string = %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [%(request_id)s %(user_identity)s] %(instance)s%(message)s

(StrOpt) Format string to use for log messages with context.

logging_debug_format_suffix = %(funcName)s %(pathname)s:%(lineno)d

(StrOpt) Data to append to log format when level is DEBUG.

logging_default_format_string = %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [-] %(instance)s%(message)s

(StrOpt) Format string to use for log messages without context.

logging_exception_prefix = %(asctime)s.%(msecs)03d %(process)d TRACE %(name)s %(instance)s

(StrOpt) Prefix each line of exception output with this format.

publish_errors = False

(BoolOpt) Enables or disables publication of error events.

syslog_log_facility = LOG_USER

(StrOpt) Syslog facility to receive log lines.

use_stderr = True

(BoolOpt) Log output to standard error.

use_syslog = False

(BoolOpt) Use syslog for logging. Existing syslog format is DEPRECATED during I, and will change in J to honor RFC5424.

use_syslog_rfc_format = False

(BoolOpt) (Optional) Enables or disables syslog rfc5424 format for logging. If enabled, prefixes the MSG part of the syslog message with APP-NAME (RFC5424). The format without the APP-NAME is deprecated in I, and will be removed in J.

verbose = False

(BoolOpt) Print more verbose output (set logging level to INFO instead of default WARNING level).

Table 7.6. Description of policy configuration options


Configuration option = Default value

Description

[DEFAULT]
policy_default_rule = default

(StrOpt) The default policy to use.

policy_file = policy.json

(StrOpt) The location of the policy file.

Table 7.7. Description of profiler configuration options


Configuration option = Default value

Description

[profiler]
enabled = True

(BoolOpt) If False fully disable profiling feature.


trace_sqlalchemy = True

(BoolOpt) If False doesn't trace SQL requests.


Table 7.8. Description of Redis configuration options


Configuration option = Default value

Description

[matchmaker_redis]
host = 127.0.0.1

(StrOpt) Host to locate redis.

password = None

(StrOpt) Password for Redis server (optional).

port = 6379

(IntOpt) Use this port to connect to redis host.

[matchmaker_ring]
ringfile = /etc/oslo/matchmaker_ring.json

(StrOpt) Matchmaker ring file (JSON).

Table 7.9. Description of registry configuration options


Configuration option = Default value

Description

[DEFAULT]
admin_password = None

(StrOpt) The administrator's password. If "use_user_token" is not in effect, then admin credentials can be specified.

admin_tenant_name = None

(StrOpt) The tenant name of the administrative user. If "use_user_token" is not in effect, then admin tenant name can be specified.

admin_user = None

(StrOpt) The administrator's user name. If "use_user_token" is not in effect, then admin credentials can be specified.

auth_region = None

(StrOpt) The region for the authentication service. If "use_user_token" is not in effect and using keystone auth, then region name can be specified.

auth_strategy = noauth

(StrOpt) The strategy to use for authentication. If "use_user_token" is not in effect, then auth strategy can be specified.

auth_url = None

(StrOpt) The URL to the keystone service. If "use_user_token" is not in effect and using keystone auth, then URL of keystone can be specified.

registry_client_ca_file = None

(StrOpt) The path to the certifying authority cert file to use in SSL connections to the registry server.

registry_client_cert_file = None

(StrOpt) The path to the cert file to use in SSL connections to the registry server.

registry_client_insecure = False

(BoolOpt) When using SSL in connections to the registry server, do not require validation via a certifying authority.

registry_client_key_file = None

(StrOpt) The path to the key file to use in SSL connections to the registry server.

registry_client_protocol = http

(StrOpt) The protocol to use for communication with the registry server. Either http or https.

registry_client_timeout = 600

(IntOpt) The period of time, in seconds, that the API server will wait for a registry request to complete. A value of 0
implies no timeout.

registry_host = 0.0.0.0

(StrOpt) Address to find the registry server.

registry_port = 9191

(IntOpt) Port the registry server is listening on.

Table 7.10. Description of testing configuration options


Configuration option = Default value

Description

[DEFAULT]


fake_rabbit = False

(BoolOpt) If passed, use a fake RabbitMQ provider.

pydev_worker_debug_host = None

(StrOpt) The hostname/IP of the pydev process listening for debug connections

pydev_worker_debug_port = 5678

(IntOpt) The port on which a pydev process is listening for connections.

Configure the API


The Image Service has two APIs: the user-facing API, and the registry API, which is for internal requests that require access to the database.

Both of the APIs currently have two major versions, v1 and v2. It is possible to run either or both versions, by setting appropriate values of enable_v1_api, enable_v2_api, enable_v1_registry and enable_v2_registry. If the v2 API is used, running glance-registry is optional, as v2 of glance-api can connect directly to the database.

Tables of all the options used to configure the APIs, including enabling SSL and modifying WSGI settings, are found below.

Table 7.11. Description of API configuration options


Configuration option = Default value

Description

[DEFAULT]
admin_role = admin

(StrOpt) Role used to identify an authenticated user as administrator.

allow_anonymous_access = False

(BoolOpt) Allow unauthenticated users to access the API with read-only privileges. This only applies when using ContextMiddleware.

enable_v1_api = True

(BoolOpt) Deploy the v1 OpenStack Images API.

enable_v1_registry = True

(BoolOpt) Deploy the v1 OpenStack Registry API.

enable_v2_api = True

(BoolOpt) Deploy the v2 OpenStack Images API.

enable_v2_registry = True

(BoolOpt) Deploy the v2 OpenStack Registry API.

eventlet_hub = poll

(StrOpt) Name of eventlet hub to use. Traditionally, we have only supported 'poll', however 'selects' may be appropriate for some platforms. See http://eventlet.net/doc/hubs.html for more details.

image_size_cap = 1099511627776

(IntOpt) Maximum size of image a user can upload in bytes. Defaults to 1099511627776 bytes (1 TB).

location_strategy = location_order

(StrOpt) This value sets what strategy will be used to determine the image location order. Currently two strategies are packaged with Glance: 'location_order' and 'store_type'.

max_header_line = 16384

(IntOpt) Maximum line size of message headers to be accepted. max_header_line may need to be increased when using large tokens (typically those generated by the Keystone v3 API with big service catalogs).

owner_is_tenant = True

(BoolOpt) When true, this option sets the owner of an image to be the tenant. Otherwise, the owner of the image
will be the authenticated user issuing the request.

send_identity_headers = False

(BoolOpt) Whether to pass through headers containing user and tenant information when making requests to the registry. This allows the registry to use the context middleware without keystonemiddleware's auth_token middleware, removing calls to the keystone auth service. It is recommended that when using this option, secure communication between glance api and glance registry is ensured by means other than auth_token middleware.

show_multiple_locations = False

(BoolOpt) Whether to include the backend image locations in image properties. Revealing storage location can be a security risk, so use this setting with caution! This option overrides show_image_direct_url.

tcp_keepidle = 600

(IntOpt) The value for the socket option TCP_KEEPIDLE. This is the time in seconds that the connection must be idle before TCP starts sending keepalive probes.

use_user_token = True

(BoolOpt) Whether to pass through the user token when making requests to the registry.

[glance_store]
default_store = file

(StrOpt) Default scheme to use to store image data. The scheme must be registered by one of the stores defined by the 'stores' config option.

stores = file, http

(ListOpt) List of stores enabled

[paste_deploy]
config_file = None

(StrOpt) Name of the paste configuration file.

flavor = None

(StrOpt) Partial name of a pipeline in your paste configuration file with the service name removed. For example, if
your paste section name is [pipeline:glance-api-keystone]
use the value "keystone"

[store_type_location_strategy]
store_type_preference =

(ListOpt) The store names to use to get store preference order. The name must be registered by one of the stores defined by the 'known_stores' config option. This option will be applied when you use the 'store_type' option as the image location strategy defined by the 'location_strategy' config option.

Table 7.12. Description of CA and SSL configuration options


Configuration option = Default value

Description

[DEFAULT]
ca_file = None

(StrOpt) CA certificate file to use to verify connecting clients.

cert_file = None

(StrOpt) Certificate file to use when starting API server securely.

key_file = None

(StrOpt) Private key file to use when starting API server securely.
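
An added example, not part of the OpenStack reference: a small Python audit of a glance-api.conf against the security-relevant options described in Tables 7.1, 7.2, 7.9 and 7.11, falling back to the defaults listed there when an option is unset. The sample file, function names and finding texts are constructed for illustration; that `insecure = True` switches certificate verification off is the behaviour of keystonemiddleware's auth_token and is stated here as background, not taken from the table.

```python
import configparser

# Defaults as listed in the option tables on this page (Juno).
PAGE_DEFAULTS = {
    ("keystone_authtoken", "hash_algorithms"): "md5",
    ("keystone_authtoken", "insecure"): "False",
    ("DEFAULT", "show_image_direct_url"): "False",
    ("DEFAULT", "show_multiple_locations"): "False",
    ("DEFAULT", "allow_anonymous_access"): "False",
    ("DEFAULT", "send_identity_headers"): "False",
    ("DEFAULT", "registry_client_insecure"): "False",
    ("DEFAULT", "registry_client_protocol"): "http",
}
TRUE_WORDS = {"1", "true", "yes", "on"}
KA = "keystone_authtoken"

# Constructed sample input, not taken from a real deployment.
SAMPLE = """\
[DEFAULT]
show_image_direct_url = True
send_identity_headers = True
registry_client_protocol = http
logging_exception_prefix = %(asctime)s TRACE %(name)s

[keystone_authtoken]
identity_uri = https://keystone.example.com:35357/
hash_algorithms = sha256, md5
insecure = true
memcached_servers = 10.0.0.5:11211
memcache_security_strategy = ENCRYPT
"""


def audit(text):
    """Return a list of (section, option, reason) findings for one config file."""
    # [DEFAULT] is read as an ordinary section: configparser would otherwise
    # copy its values into every other section. Interpolation is off because
    # the logging options contain literal % characters.
    cfg = configparser.ConfigParser(default_section="__unused__",
                                    interpolation=None, strict=False)
    cfg.read_string(text)

    def get(section, option):
        if cfg.has_option(section, option):
            return cfg.get(section, option).strip() or None
        return PAGE_DEFAULTS.get((section, option))

    def is_true(section, option):
        return (get(section, option) or "").lower() in TRUE_WORDS

    findings = []

    def flag(section, option, reason):
        findings.append((section, option, reason))

    # PKI token hashing: the first algorithm is the one stored in the cache.
    algos = [a.strip().lower()
             for a in (get(KA, "hash_algorithms") or "").split(",") if a.strip()]
    if algos and algos[0] == "md5":
        flag(KA, "hash_algorithms", "md5 is the preferred PKI token hash")
    elif "md5" in algos:
        flag(KA, "hash_algorithms", "md5 still accepted; drop it once old tokens expire")

    if is_true(KA, "insecure"):
        flag(KA, "insecure", "HTTPS certificate verification to Identity is off")
    if get(KA, "admin_token"):
        flag(KA, "admin_token", "deprecated shared secret; use admin_user/admin_password")

    # Token data kept in memcached should be MAC'd or encrypted.
    strategy = get(KA, "memcache_security_strategy")
    if strategy is None:
        if get(KA, "memcached_servers"):
            flag(KA, "memcache_security_strategy", "cached token data is unprotected")
    elif strategy.upper() not in ("MAC", "ENCRYPT"):
        flag(KA, "memcache_security_strategy", "must be MAC or ENCRYPT")
    elif not get(KA, "memcache_secret_key"):
        flag(KA, "memcache_secret_key", "mandatory when a strategy is defined")

    for opt in ("show_image_direct_url", "show_multiple_locations"):
        if is_true("DEFAULT", opt):
            flag("DEFAULT", opt, "back-end storage locations exposed to API users")
    if is_true("DEFAULT", "allow_anonymous_access"):
        flag("DEFAULT", "allow_anonymous_access", "unauthenticated read-only access")
    if is_true("DEFAULT", "registry_client_insecure"):
        flag("DEFAULT", "registry_client_insecure", "registry certificate not validated")
    proto = (get("DEFAULT", "registry_client_protocol") or "").lower()
    if is_true("DEFAULT", "send_identity_headers") and proto != "https":
        flag("DEFAULT", "send_identity_headers", "identity headers sent over plain http")
    return findings


if __name__ == "__main__":
    for section, option, reason in audit(SAMPLE):
        print("[%s] %s: %s" % (section, option, reason))
```

An empty file still yields one finding, because the table's default for `hash_algorithms` is md5.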

Configure the RPC messaging system


OpenStack projects use an open standard for messaging middleware known as AMQP. This messaging middleware enables the OpenStack services that run on multiple servers to talk to each other. The OpenStack common library project, oslo, supports three implementations of AMQP: RabbitMQ, Qpid, and ZeroMQ.

The following tables contain settings to configure the messaging middleware for the Image Service:

Table 7.13. Description of RabbitMQ configuration options


Configuration option = Default value

Description

[DEFAULT]
kombu_reconnect_delay = 1.0

(FloatOpt) How long to wait before reconnecting in response to an AMQP consumer cancel notification.

kombu_ssl_ca_certs =

(StrOpt) SSL certification authority file (valid only if SSL enabled).

kombu_ssl_certfile =

(StrOpt) SSL cert file (valid only if SSL enabled).

kombu_ssl_keyfile =

(StrOpt) SSL key file (valid only if SSL enabled).

kombu_ssl_version =

(StrOpt) SSL version to use (valid only if SSL enabled). Valid values are TLSv1, SSLv23 and SSLv3. SSLv2 may be available on some distributions.

rabbit_ha_queues = False

(BoolOpt) Use HA queues in RabbitMQ (x-ha-policy: all). If you change this option, you must wipe the RabbitMQ database.

rabbit_host = localhost

(StrOpt) The RabbitMQ broker address where a single node is used.

rabbit_hosts = $rabbit_host:$rabbit_port

(ListOpt) RabbitMQ HA cluster host:port pairs.

rabbit_login_method = AMQPLAIN

(StrOpt) The RabbitMQ login method.

rabbit_max_retries = 0

(IntOpt) Maximum number of RabbitMQ connection retries. Default is 0 (infinite retry count).

rabbit_password = guest

(StrOpt) The RabbitMQ password.

rabbit_port = 5672

(IntOpt) The RabbitMQ broker port where a single node is used.

rabbit_retry_backoff = 2

(IntOpt) How long to backoff for between retries when connecting to RabbitMQ.

rabbit_retry_interval = 1

(IntOpt) How frequently to retry connecting with RabbitMQ.

rabbit_use_ssl = False

(BoolOpt) Connect over SSL for RabbitMQ.

rabbit_userid = guest

(StrOpt) The RabbitMQ userid.

rabbit_virtual_host = /

(StrOpt) The RabbitMQ virtual host.

Table 7.14. Description of Qpid configuration options


Configuration option = Default value

Description

[DEFAULT]
qpid_heartbeat = 60

(IntOpt) Seconds between connection keepalive heartbeats.

qpid_hostname = localhost

(StrOpt) Qpid broker hostname.

qpid_hosts = $qpid_hostname:$qpid_port

(ListOpt) Qpid HA cluster host:port pairs.

qpid_password =

(StrOpt) Password for Qpid connection.

qpid_port = 5672

(IntOpt) Qpid broker port.

qpid_protocol = tcp

(StrOpt) Transport to use, either 'tcp' or 'ssl'.

qpid_receiver_capacity = 1

(IntOpt) The number of prefetched messages held by receiver.

qpid_sasl_mechanisms =

(StrOpt) Space separated list of SASL mechanisms to use for auth.

qpid_tcp_nodelay = True

(BoolOpt) Whether to disable the Nagle algorithm.

qpid_topology_version = 1

(IntOpt) The qpid topology version to use. Version 1 is what was originally used by impl_qpid. Version 2 includes some backwards-incompatible changes that allow broker federation to work. Users should update to version 2 when they are able to take everything down, as it requires a clean break.

qpid_username =

(StrOpt) Username for Qpid connection.

Table 7.15. Description of ZeroMQ configuration options

Configuration option = Default value

Description

[DEFAULT]
rpc_zmq_bind_address = *

(StrOpt) ZeroMQ bind address. Should be a wildcard (*), an ethernet interface, or IP. The "host" option should point or resolve to this address.

rpc_zmq_contexts = 1

(IntOpt) Number of ZeroMQ contexts, defaults to 1.

rpc_zmq_host = localhost

(StrOpt) Name of this node. Must be a valid hostname, FQDN, or IP address. Must match "host" option, if running Nova.

rpc_zmq_ipc_dir = /var/run/openstack

(StrOpt) Directory for holding IPC sockets.

rpc_zmq_matchmaker = oslo.messaging._drivers.matchmaker.MatchMakerLocalhost

(StrOpt) MatchMaker driver.

rpc_zmq_port = 9501

(IntOpt) ZeroMQ receiver listening port.

rpc_zmq_topic_backlog = None

(IntOpt) Maximum number of ingress messages to locally buffer per topic. Default is unlimited.

Table 7.16. Description of AMQP configuration options


Configuration option = Default value

Description

[DEFAULT]
amqp_auto_delete = False

(BoolOpt) Auto-delete queues in amqp.

amqp_durable_queues = False

(BoolOpt) Use durable queues in amqp.

control_exchange = openstack

(StrOpt) The default exchange under which topics are scoped. May be overridden by an exchange name specified in the transport_url option.

default_publisher_id = image.localhost

(StrOpt) Default publisher_id for outgoing notifications.

notification_driver = []

(MultiStrOpt) Driver or drivers to handle sending notifications.

notification_topics = notifications

(ListOpt) AMQP topic used for OpenStack notifications.

transport_url = None

(StrOpt) A URL representing the messaging driver to use and its full configuration. If not set, we fall back to the rpc_backend option and driver specific configuration.

Table 7.17. Description of RPC configuration options

Configuration option = Default value

Description

[DEFAULT]
allowed_rpc_exception_modules = openstack.common.exception, glance.common.exception, exceptions

(ListOpt) Modules of exceptions that are permitted to be recreated upon receiving exception data from an rpc call.

matchmaker_heartbeat_freq = 300

(IntOpt) Heartbeat frequency.

matchmaker_heartbeat_ttl = 600

(IntOpt) Heartbeat time-to-live.

rpc_backend = rabbit

(StrOpt) The messaging driver to use, defaults to rabbit. Other drivers include qpid and zmq.

rpc_cast_timeout = 30

(IntOpt) Seconds to wait before a cast expires (TTL). Only supported by impl_zmq.

rpc_conn_pool_size = 30

(IntOpt) Size of RPC connection pool.

rpc_response_timeout = 60

(IntOpt) Seconds to wait for a response from a call.

rpc_thread_pool_size = 64

(IntOpt) Size of RPC greenthread pool.

Support for ISO images


You can load ISO images into the Image Service. You can subsequently boot an ISO image
using Compute.

Procedure 7.1. To load an ISO image to an Image Service data store

1. Obtain the ISO image. For example, ubuntu-13.04-server-amd64.iso.

2. In the Image Service, run the following command:

$ glance image-create --name ubuntu.iso \
--is-public True --container-format bare \
--disk-format iso < ubuntu-13.04-server-amd64.iso

In this command, ubuntu.iso is the name for the ISO image after it is loaded to the Image Service, and ubuntu-13.04-server-amd64.iso is the name of the source ISO image.

3. Optionally, confirm the upload in Compute. Run this command:

$ nova image-list

Procedure 7.2. To boot an instance from an ISO image

Run this command:

$ nova boot --image ubuntu.iso \
--flavor 1 instance_name

In this command, ubuntu.iso is the ISO image, and instance_name is the name of the new instance.

Configure back ends


The Image Service supports several back ends for storing virtual machine images:
OpenStack Block Storage (cinder)
A directory on a local file system
GridFS
Ceph RBD
Amazon S3
Sheepdog
OpenStack Object Storage (swift)
VMware ESX
The following tables detail the options available for each.

Table 7.18. Description of cinder configuration options

Configuration option = Default value

Description

[glance_store]
cinder_api_insecure = False

(BoolOpt) Allow insecure SSL requests to cinder.

cinder_ca_certificates_file = None

(StrOpt) Location of the CA certificates file to use for cinder client requests.

cinder_catalog_info = volume:cinder:publicURL

(StrOpt) Info to match when looking for cinder in the service catalog. Format is colon-separated values of the form: <service_type>:<service_name>:<endpoint_type>

cinder_endpoint_template = None

(StrOpt) Override service catalog lookup with template for cinder endpoint, e.g. http://localhost:8776/v1/%(project_id)s

cinder_http_retries = 3

(IntOpt) Number of cinderclient retries on failed http calls.

Table 7.19. Description of filesystem configuration options

Configuration option = Default value

Description

[glance_store]
filesystem_store_datadir = None

(StrOpt) Directory to which the Filesystem backend store writes images.

filesystem_store_datadirs = None

(MultiStrOpt) List of directories and their priorities to which the Filesystem backend store writes images.

filesystem_store_file_perm = 0

(IntOpt) The required permission for the created image file. This allows the user of another service that consumes the image, e.g. Nova, to be the exclusive member of the group that owns the files created. Assigning a value less than or equal to zero means the default permission of the file is not changed. This value will be decoded as an octal digit.

filesystem_store_metadata_file = None

(StrOpt) The path to a file which contains the metadata to be returned with any location associated with this store. The file must contain a valid JSON dict.

Table 7.20. Description of GridFS configuration options


Configuration option = Default value

Description

[glance_store]
mongodb_store_db = None

(StrOpt) Database to use

mongodb_store_uri = None

(StrOpt) Hostname or IP address of the instance to connect to, or a mongodb URI, or a list of hostnames / mongodb URIs. If host is an IPv6 literal it must be enclosed in '[' and ']' characters following the RFC2732 URL syntax (e.g. '[::1]' for localhost)

Table 7.21. Description of RBD configuration options

Configuration option = Default value

Description

[glance_store]
rbd_store_ceph_conf = /etc/ceph/ceph.conf

(StrOpt) Ceph configuration file path. If <None>, librados will locate the default config. If using cephx authentication, this file should include a reference to the right keyring in a client.<USER> section

rbd_store_chunk_size = 8

(IntOpt) RADOS images will be chunked into objects of this size (in megabytes). For best performance, this should be a power of two.

rbd_store_pool = images

(StrOpt) RADOS pool in which images are stored.

rbd_store_user = None

(StrOpt) RADOS user to authenticate as (only applicable if using Cephx. If <None>, a default will be chosen based on the client. section in rbd_store_ceph_conf)

Table 7.22. Description of S3 configuration options


Configuration option = Default value

Description

[glance_store]
s3_store_access_key = None

(StrOpt) The S3 query token access key.

s3_store_bucket = None

(StrOpt) The S3 bucket to be used to store the Glance data.

s3_store_bucket_url_format = subdomain

(StrOpt) The S3 calling format used to determine the bucket. Either subdomain or path can be used.

s3_store_create_bucket_on_put = False

(BoolOpt) A boolean to determine if the S3 bucket should be created on upload if it does not exist or if an error should be returned to the user.

s3_store_host = None

(StrOpt) The host where the S3 server is listening.

s3_store_object_buffer_dir = None

(StrOpt) The local directory where uploads will be staged before they are transferred into S3.

s3_store_secret_key = None

(StrOpt) The S3 query token secret key.

Table 7.23. Description of Sheepdog configuration options


Configuration option = Default value

Description

[glance_store]
sheepdog_store_address = localhost

(StrOpt) IP address of sheep daemon.

sheepdog_store_chunk_size = 64

(IntOpt) Images will be chunked into objects of this size (in megabytes). For best performance, this should be a power of two.

sheepdog_store_port = 7000

(IntOpt) Port of sheep daemon.

Table 7.24. Description of swift configuration options

Configuration option = Default value

Description

[DEFAULT]
default_swift_reference = ref1

(StrOpt) The reference to the default swift account/backing store parameters to use for adding new images.

swift_store_auth_address = None

(StrOpt) The address where the Swift authentication service is listening. (deprecated)

swift_store_config_file = None

(StrOpt) The config file that has the swift account(s) configs.

swift_store_key = None

(StrOpt) Auth key for the user authenticating against the Swift authentication service. (deprecated)

swift_store_user = None

(StrOpt) The user to authenticate against the Swift authentication service. (deprecated)

[glance_store]
default_swift_reference = ref1

(StrOpt) The reference to the default swift account/backing store parameters to use for adding new images.

swift_enable_snet = False

(BoolOpt) Whether to use ServiceNET to communicate with the Swift storage servers.

swift_store_admin_tenants =

(ListOpt) A list of tenants that will be granted read/write access on all Swift containers created by Glance in multi-tenant mode.

swift_store_auth_address = None

(StrOpt) The address where the Swift authentication service is listening. (deprecated)

swift_store_auth_insecure = False

(BoolOpt) If True, swiftclient won't check for a valid SSL certificate when authenticating.

swift_store_auth_version = 2

(StrOpt) Version of the authentication service to use. Valid versions are 2 for keystone and 1 for swauth and rackspace. (deprecated)

swift_store_config_file = None

(StrOpt) The config file that has the swift account(s) configs.

swift_store_container = glance

(StrOpt) Container within the account that the account should use for storing images in Swift.

swift_store_create_container_on_put = False

(BoolOpt) A boolean value that determines if we create the container if it does not exist.

swift_store_endpoint_type = publicURL

(StrOpt) A string giving the endpoint type of the swift service to use (publicURL, adminURL or internalURL). This setting is only used if swift_store_auth_version is 2.

swift_store_key = None

(StrOpt) Auth key for the user authenticating against the Swift authentication service. (deprecated)

swift_store_large_object_chunk_size = 200

(IntOpt) The amount of data written to a temporary disk buffer during the process of chunking the image file.

swift_store_large_object_size = 5120

(IntOpt) The size, in MB, at which Glance will start chunking image files and do a large object manifest in Swift.

swift_store_multi_tenant = False

(BoolOpt) If set to True, enables multi-tenant storage mode which causes Glance images to be stored in tenant specific Swift accounts.

swift_store_region = None

(StrOpt) The region of the swift endpoint to be used for single tenant. This setting is only necessary if the tenant has multiple swift endpoints.

swift_store_retry_get_count = 0

(IntOpt) The number of times a Swift download will be retried before the request fails.

swift_store_service_type = object-store

(StrOpt) A string giving the service type of the swift service to use. This setting is only used if swift_store_auth_version is 2.

swift_store_ssl_compression = True

(BoolOpt) If set to False, disables SSL layer compression of https swift requests. Setting to False may improve performance for images which are already in a compressed format, e.g. qcow2.

swift_store_user = None

(StrOpt) The user to authenticate against the Swift authentication service. (deprecated)

Configure vCenter data stores for the Image Service back end

To use vCenter data stores for the Image Service back end, you must update the glance-api.conf file, as follows:
Add data store parameters to the VMware Datastore Store Options section.
Specify vSphere as the back end.

Note
You must configure any configured Image Service data stores for the Compute service.

You can specify vCenter data stores directly by using the data store name or Storage Policy Based Management (SPBM), which requires vCenter Server 5.5 or later. For details, see the section called "Configure vCenter data stores for the back end".

Note
If you intend to use multiple data stores for the back end, use the SPBM feature.

In the DEFAULT section, set the default_store parameter to vsphere, as shown in this code sample:
[DEFAULT]
# Which back end scheme should Glance use by default is not specified
# in a request to add a new image to Glance? Known schemes are determined
# by the known_stores option below.
# Default: 'file'
default_store = vsphere

The following table describes the parameters in the VMware Datastore Store Options section:

Table 7.25. Description of VMware configuration options

Configuration option = Default value

Description

[glance_store]
vmware_api_insecure = False

(BoolOpt) Allow insecure SSL requests to ESX/VC.

vmware_api_retry_count = 10

(IntOpt) Number of times VMware ESX/VC server API must be retried upon connection related issues.

vmware_datacenter_path = ha-datacenter

(StrOpt) Inventory path to a datacenter. If the vmware_server_host specified is an ESX/ESXi, the vmware_datacenter_path is optional. If specified, it should be "ha-datacenter".

vmware_datastore_name = None

(StrOpt) Datastore associated with the datacenter.

vmware_server_host = None

(StrOpt) ESX/ESXi or vCenter Server target system. The server value can be an IP address or a DNS name.

vmware_server_password = None

(StrOpt) Password for authenticating with VMware ESX/VC server.

vmware_server_username = None

(StrOpt) Username for authenticating with VMware ESX/VC server.

vmware_store_image_dir = /openstack_glance

(StrOpt) The name of the directory where the glance images will be stored in the VMware datastore.

vmware_task_poll_interval = 5

(IntOpt) The interval used for polling remote tasks invoked on VMware ESX/VC server.

The following block of text shows a sample configuration:


# ============ VMware Datastore Store Options =====================
# ESX/ESXi or vCenter Server target system.
# The server value can be an IP address or a DNS name
# e.g. 127.0.0.1, 127.0.0.1:443, www.vmware-infra.com
vmware_server_host = 192.168.0.10
# Server username (string value)
vmware_server_username = ADMINISTRATOR
# Server password (string value)
vmware_server_password = password
# Inventory path to a datacenter (string value)
# Value optional when vmware_server_host is an ESX/ESXi host: if specified
# should be `ha-datacenter`.
vmware_datacenter_path = DATACENTER
# Datastore associated with the datacenter (string value)
vmware_datastore_name = datastore1
# PBM service WSDL file location URL. e.g.
# file:///opt/SDK/spbm/wsdl/pbmService.wsdl Not setting this
# will disable storage policy based placement of images.
# (string value)
#vmware_pbm_wsdl_location =
# The PBM policy. If `vmware_pbm_wsdl_location` is set, a PBM policy needs
# to be specified. This policy will be used to select the datastore
# in which the images will be stored.
#vmware_pbm_policy =
# The interval used for polling remote tasks
# invoked on VMware ESX/VC server in seconds (integer value)
vmware_task_poll_interval = 5
# Absolute path of the folder containing the images in the datastore
# (string value)
vmware_store_image_dir = /openstack_glance
# Allow to perform insecure SSL requests to the target system (boolean value)
vmware_api_insecure = False
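
A check for the transport-security and file-permission options documented in the tables above, as an added example that is not part of the original reference or of OpenStack's own code. The finding messages, the fallback from [glance_store] to [DEFAULT], and the sample values are assumptions of this example; metadata_encryption_key and registry_client_insecure are taken from the glance-api.conf sample shown later on this page.

```python
import configparser

# Defaults as listed in this page's option tables (Juno).
DEFAULTS = {
    "rpc_backend": "rabbit",
    "rabbit_use_ssl": "False",
    "rabbit_password": "guest",
    "qpid_protocol": "tcp",
    "filesystem_store_file_perm": "0",
}
# Options that disable TLS certificate validation when set to True.
INSECURE_FLAGS = (
    "cinder_api_insecure",
    "swift_store_auth_insecure",
    "vmware_api_insecure",
    "registry_client_insecure",
)
# Credentials that are embedded in store 'location' metadata.
LOCATION_SECRETS = ("swift_store_key", "s3_store_secret_key")

# Constructed sample input, not a real deployment.
SAMPLE = """\
[DEFAULT]
rabbit_use_ssl = false
rabbit_password = guest
swift_store_key = CONSTRUCTED-KEY
cinder_endpoint_template = http://localhost:8776/v1/%(project_id)s

[glance_store]
vmware_api_insecure = True
swift_store_auth_insecure = False
filesystem_store_file_perm = 666
"""


def load(text):
    # interpolation=None keeps values such as %(project_id)s literal;
    # strict=False tolerates options repeated within one file.
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(text)
    return parser


def lookup(parser, option):
    """Effective value: [glance_store], else [DEFAULT], else the table default."""
    section = "glance_store" if parser.has_section("glance_store") else "DEFAULT"
    value = parser.get(section, option, fallback=None)
    return DEFAULTS.get(option) if value is None else value.strip()


def is_true(value):
    return value is not None and value.lower() in ("true", "1", "yes", "on")


def audit(text):
    """Return a sorted list of (option, problem) findings for a config body."""
    parser = load(text)
    findings = []

    backend = lookup(parser, "rpc_backend")
    if backend == "rabbit":
        if not is_true(lookup(parser, "rabbit_use_ssl")):
            findings.append(("rabbit_use_ssl", "AMQP traffic is not encrypted"))
        if lookup(parser, "rabbit_password") == "guest":
            findings.append(("rabbit_password", "default broker password"))
    elif backend == "qpid" and lookup(parser, "qpid_protocol") != "ssl":
        findings.append(("qpid_protocol", "AMQP traffic is not encrypted"))

    for flag in INSECURE_FLAGS:
        if is_true(lookup(parser, flag)):
            findings.append((flag, "TLS certificate validation disabled"))

    try:
        # The option is decoded as octal; values <= 0 leave the mode unchanged.
        mode = int(lookup(parser, "filesystem_store_file_perm"), 8)
    except ValueError:
        findings.append(("filesystem_store_file_perm", "not an octal value"))
    else:
        if mode > 0 and mode & 0o002:
            findings.append(("filesystem_store_file_perm", "image files world-writable"))

    key = lookup(parser, "metadata_encryption_key")
    if key:
        if len(key) not in (16, 24, 32):
            findings.append(("metadata_encryption_key", "length must be 16, 24 or 32"))
    elif any(lookup(parser, name) for name in LOCATION_SECRETS):
        findings.append(("metadata_encryption_key", "location metadata with store credentials is not encrypted"))
    return sorted(findings)


if __name__ == "__main__":
    for option, problem in audit(SAMPLE):
        print(f"{option}: {problem}")
```

An option missing from the file is judged by its table default, so a file that never mentions rabbit_use_ssl or rabbit_password is still reported when rpc_backend is rabbit.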

Configure vCenter data stores for the back end


You can specify a vCenter data store for the back end by setting the
vmware_datastore_name parameter value to the vCenter name of the data store. This
configuration limits the back end to a single data store.
Alternatively, you can specify a SPBM policy, which can comprise multiple vCenter data
stores. Both approaches are described.

Note
SPBM requires vCenter Server 5.5 or later.

Procedure 7.3. To configure a single data store

1. If present, comment or delete the vmware_pbm_wsdl_location and vmware_pbm_policy parameters.

2. Uncomment and define the vmware_datastore_name parameter with the name of the vCenter data store.

3. Complete the other vCenter configuration parameters as appropriate.

Procedure 7.4. To configure multiple data stores using SPBM

1. In vCenter, use tagging to identify the data stores and define a storage policy:

   a. Create the tag.

   b. Apply the tag to the data stores to be used by the SPBM policy.

   c. Create a tag-based storage policy that uses one or more tags to identify a set of data stores.

   Note
   For details about creating tags in vSphere, see the vSphere documentation.
   For details about storage policies in vSphere, see the vSphere documentation.

2. Return to the glance-api.conf file.

3. Comment or delete the vmware_datastore_name parameter.

4. Uncomment and define the vmware_pbm_policy parameter by entering the same value as the tag you defined and applied to the data stores in vCenter.

5. Uncomment and define the vmware_pbm_wsdl_location parameter by entering the location of the PBM service WSDL file. For example, file:///opt/SDK/spbm/wsdl/pbmService.wsdl.

   Note
   If you do not set this parameter, the storage policy cannot be used to place images in the data store.

6. Complete the other vCenter configuration parameters as appropriate.

Image Service sample configuration files


You can find the files that are described in this section in the /etc/glance/ directory.

glance-api.conf
The configuration file for the Image Service API is found in the glance-api.conf file.
This file must be modified after installation.
[DEFAULT]
# Show more verbose log output (sets INFO log level output)
#verbose = False

# Show debugging output in logs (sets DEBUG log level output)
#debug = False
# Which backend scheme should Glance use by default is not specified
# in a request to add a new image to Glance? Known schemes are determined
# by the known_stores option below.
# Default: 'file'
default_store = file
# List of which store classes and store class locations are
# currently known to glance at startup.
# Existing but disabled stores:
#      glance.store.rbd.Store,
#      glance.store.s3.Store,
#      glance.store.swift.Store,
#      glance.store.sheepdog.Store,
#      glance.store.cinder.Store,
#      glance.store.gridfs.Store,
#      glance.store.vmware_datastore.Store,
#known_stores = glance.store.filesystem.Store,
#               glance.store.http.Store

# Maximum image size (in bytes) that may be uploaded through the
# Glance API server. Defaults to 1 TB.
# WARNING: this value should only be increased after careful consideration
# and must be set to a value under 8 EB (9223372036854775808).
#image_size_cap = 1099511627776
# Address to bind the API server
bind_host = 0.0.0.0
# Port to bind the API server to
bind_port = 9292
# Log to this file. Make sure you do not set the same log file for both the API
# and registry servers!
#
# If `log_file` is omitted and `use_syslog` is false, then log messages are
# sent to stdout as a fallback.
log_file = /var/log/glance/api.log
# Backlog requests when creating socket
backlog = 4096
# TCP_KEEPIDLE value in seconds when creating socket.
# Not supported on OS X.
#tcp_keepidle = 600
# API to use for accessing data. Default value points to sqlalchemy
# package, it is also possible to use: glance.db.registry.api
# data_api = glance.db.sqlalchemy.api
# Number of Glance API worker processes to start.
# On machines with more than one CPU increasing this value
# may improve performance (especially if using SSL with
# compression turned on). It is typically recommended to set
# this value to the number of CPUs present on your machine.
workers = 1

# Maximum line size of message headers to be accepted.
# max_header_line may need to be increased when using large tokens
# (typically those generated by the Keystone v3 API with big service
# catalogs)
# max_header_line = 16384
# Role used to identify an authenticated user as administrator
#admin_role = admin
# Allow unauthenticated users to access the API with read-only
# privileges. This only applies when using ContextMiddleware.
#allow_anonymous_access = False
# Allow access to version 1 of glance api
#enable_v1_api = True
# Allow access to version 2 of glance api
#enable_v2_api = True
# Return the URL that references where the data is stored on
# the backend storage system. For example, if using the
# file system store a URL of 'file:///path/to/image' will
# be returned to the user in the 'direct_url' meta-data field.
# The default value is false.
#show_image_direct_url = False
# Send headers containing user and tenant information when making requests to
# the v1 glance registry. This allows the registry to function as if a user is
# authenticated without the need to authenticate a user itself using the
# auth_token middleware.
# The default value is false.
#send_identity_headers = False
# Supported values for the 'container_format' image attribute
#container_formats=ami,ari,aki,bare,ovf,ova
# Supported values for the 'disk_format' image attribute
#disk_formats=ami,ari,aki,vhd,vmdk,raw,qcow2,vdi,iso
# Directory to use for lock files. Default to a temp directory
# (string value). This setting needs to be the same for both
# glance-scrubber and glance-api.
#lock_path=<None>
# Property Protections config file
# This file contains the rules for property protections and the roles/policies
# associated with it.
# If this config value is not specified, by default, property protections
# won't be enforced.
# If a value is specified and the file is not found, then the glance-api
# service will not start.
#property_protection_file =
# Specify whether 'roles' or 'policies' are used in the
# property_protection_file.
# The default value for property_protection_rule_format is 'roles'.
#property_protection_rule_format = roles
# Specifies how long (in hours) a task is supposed to live in the tasks DB
# after succeeding or failing before getting soft-deleted.
# The default value for task_time_to_live is 48 hours.
# task_time_to_live = 48
# This value sets what strategy will be used to determine the image location
# order. Currently two strategies are packaged with Glance 'location_order'
# and 'store_type'.
#location_strategy = location_order
# ================= Syslog Options ============================
# Send logs to syslog (/dev/log) instead of to file specified
# by `log_file`
#use_syslog = False
# Facility to use. If unset defaults to LOG_USER.
#syslog_log_facility = LOG_LOCAL0
# ================= SSL Options ===============================
# Certificate file to use when starting API server securely
#cert_file = /path/to/certfile
# Private key file to use when starting API server securely
#key_file = /path/to/keyfile
# CA certificate file to use to verify connecting clients
#ca_file = /path/to/cafile
# ================= Security Options ==========================
# AES key for encrypting store 'location' metadata, including
# -- if used -- Swift or S3 credentials
# Should be set to a random string of length 16, 24 or 32 bytes
#metadata_encryption_key = <16, 24 or 32 char registry metadata key>
# ============ Registry Options ===============================
# Address to find the registry server
registry_host = 0.0.0.0
# Port the registry server is listening on
registry_port = 9191
# What protocol to use when connecting to the registry server?
# Set to https for secure HTTP communication
registry_client_protocol = http
# The path to the key file to use in SSL connections to the
# registry server, if any. Alternately, you may set the
# GLANCE_CLIENT_KEY_FILE environ variable to a filepath of the key file
#registry_client_key_file = /path/to/key/file
# The path to the cert file to use in SSL connections to the
# registry server, if any. Alternately, you may set the
# GLANCE_CLIENT_CERT_FILE environ variable to a filepath of the cert file
#registry_client_cert_file = /path/to/cert/file
# The path to the certifying authority cert file to use in SSL connections
# to the registry server, if any. Alternately, you may set the
# GLANCE_CLIENT_CA_FILE environ variable to a filepath of the CA cert file
#registry_client_ca_file = /path/to/ca/file
# When using SSL in connections to the registry server, do not require
# validation via a certifying authority. This is the registry's equivalent of
# specifying --insecure on the command line using glanceclient for the API
# Default: False
#registry_client_insecure = False
# The period of time, in seconds, that the API server will wait for a registry
# request to complete. A value of '0' implies no timeout.
# Default: 600
#registry_client_timeout = 600
# Whether to automatically create the database tables.
# Default: False
#db_auto_create = False
# Enable DEBUG log messages from sqlalchemy which prints every database
# query and response.
# Default: False
#sqlalchemy_debug = True
# Pass the user's token through for API requests to the registry.
# Default: True
#use_user_token = True
# If 'use_user_token' is not in effect then admin credentials
# can be specified. Requests to the registry on behalf of
# the API will use these credentials.
# Admin user name
#admin_user = None
# Admin password
#admin_password = None
# Admin tenant name
#admin_tenant_name = None
# Keystone endpoint
#auth_url = None
# Keystone region
#auth_region = None
# Auth strategy
#auth_strategy = keystone
# ============ Notification System Options =====================
# Notifications can be sent when images are created, updated or deleted.
# There are three methods of sending notifications, logging (via the
# log_file directive), rabbit (via a rabbitmq queue), qpid (via a Qpid
# message queue), or noop (no notifications sent, the default)
# NOTE: THIS CONFIGURATION OPTION HAS BEEN DEPRECATED IN FAVOR OF
# `notification_driver`
# notifier_strategy = default
# Driver or drivers to handle sending notifications
# notification_driver = noop
# Default publisher_id for outgoing notifications.
# default_publisher_id = image.localhost
# Configuration options if sending notifications via rabbitmq (these are
# the defaults)
rabbit_host = localhost
rabbit_port = 5672
rabbit_use_ssl = false
rabbit_userid = guest
rabbit_password = guest
rabbit_virtual_host = /
rabbit_notification_exchange = glance
rabbit_notification_topic = notifications
rabbit_durable_queues = False
# Configuration options if sending notifications via Qpid (these are
# the defaults)
qpid_notification_exchange = glance
qpid_notification_topic = notifications
qpid_hostname = localhost
qpid_port = 5672
qpid_username =
qpid_password =
qpid_sasl_mechanisms =
qpid_reconnect_timeout = 0
qpid_reconnect_limit = 0
qpid_reconnect_interval_min = 0
qpid_reconnect_interval_max = 0
qpid_reconnect_interval = 0
qpid_heartbeat = 5
# Set to 'ssl' to enable SSL
qpid_protocol = tcp
qpid_tcp_nodelay = True
# ============ Filesystem Store Options ========================
# Directory that the Filesystem backend store
# writes image data to
filesystem_store_datadir = /var/lib/glance/images/
# A list of directories where image data can be stored.
# This option may be specified multiple times for specifying multiple store
# directories. Either one of filesystem_store_datadirs or
# filesystem_store_datadir option is required. A priority number may be given
# after each directory entry, separated by a ":".
# When adding an image, the highest priority directory will be selected, unless
# there is not enough space available in cases where the image size is already
# known. If no priority is given, it is assumed to be zero and the directory
# will be considered for selection last. If multiple directories have the same
# priority, then the one with the most free space available is selected.
# If same store is specified multiple times then BadStoreConfiguration
# exception will be raised.
#filesystem_store_datadirs = /var/lib/glance/images/:1
# A path to a JSON file that contains metadata describing the storage
# system. When show_multiple_locations is True the information in this
# file will be returned with any location that is contained in this
# store.
#filesystem_store_metadata_file = None
# ============ Swift Store Options =============================
# Version of the authentication service to use
# Valid versions are '2' for keystone and '1' for swauth and rackspace
swift_store_auth_version = 2
# Address where the Swift authentication service lives
# Valid schemes are 'http://' and 'https://'
# If no scheme specified, default to 'https://'
# For swauth, use something like '127.0.0.1:8080/v1.0/'
swift_store_auth_address = 127.0.0.1:5000/v2.0/
# User to authenticate against the Swift authentication service
# If you use Swift authentication service, set it to 'account':'user'
# where 'account' is a Swift storage account and 'user'
# is a user in that account
swift_store_user = jdoe:jdoe
# Auth key for the user authenticating against the
# Swift authentication service
swift_store_key = a86850deb2742ec3cb41518e26aa2d89
# Container within the account that the account should use
# for storing images in Swift
swift_store_container = glance
# Do we create the container if it does not exist?
swift_store_create_container_on_put = False
# What size, in MB, should Glance start chunking image files
# and do a large object manifest in Swift? By default, this is
# the maximum object size in Swift, which is 5GB
swift_store_large_object_size = 5120
# When doing a large object manifest, what size, in MB, should
# Glance write chunks to Swift? This amount of data is written
# to a temporary disk buffer during the process of chunking
# the image file, and the default is 200MB
swift_store_large_object_chunk_size = 200
# Whether to use ServiceNET to communicate with the Swift storage servers.
# (If you aren't RACKSPACE, leave this False!)
#
# To use ServiceNET for authentication, prefix hostname of
# `swift_store_auth_address` with 'snet-'.
# Ex. https://example.com/v1.0/ -> https://snet-example.com/v1.0/
swift_enable_snet = False
# If set to True enables multi-tenant storage mode which causes Glance images
# to be stored in tenant specific Swift accounts.
#swift_store_multi_tenant = False
# A list of swift ACL strings that will be applied as both read and
# write ACLs to the containers created by Glance in multi-tenant
# mode. This grants the specified tenants/users read and write access
# to all newly created image objects. The standard swift ACL string
# formats are allowed, including:
# <tenant_id>:<username>
# <tenant_name>:<username>
# *:<username>
# Multiple ACLs can be combined using a comma separated list, for
# example: swift_store_admin_tenants = service:glance,*:admin
#swift_store_admin_tenants =


# The region of the swift endpoint to be used for single tenant. This setting
# is only necessary if the tenant has multiple swift endpoints.
#swift_store_region =
# If set to False, disables SSL layer compression of https swift requests.
# Setting to 'False' may improve performance for images which are already
# in a compressed format, eg qcow2. If set to True, enables SSL layer
# compression (provided it is supported by the target swift proxy).
#swift_store_ssl_compression = True
# The number of times a Swift download will be retried before the
# request fails
#swift_store_retry_get_count = 0
# ============ S3 Store Options =============================
# Address where the S3 authentication service lives
# Valid schemes are 'http://' and 'https://'
# If no scheme specified, default to 'http://'
s3_store_host = 127.0.0.1:8080/v1.0/
# User to authenticate against the S3 authentication service
s3_store_access_key = <20-char AWS access key>
# Auth key for the user authenticating against the
# S3 authentication service
s3_store_secret_key = <40-char AWS secret key>
# Container within the account that the account should use
# for storing images in S3. Note that S3 has a flat namespace,
# so you need a unique bucket name for your glance images. An
# easy way to do this is append your AWS access key to "glance".
# S3 buckets in AWS *must* be lowercased, so remember to lowercase
# your AWS access key if you use it in your bucket name below!
s3_store_bucket = <lowercased 20-char aws access key>glance
# Do we create the bucket if it does not exist?
s3_store_create_bucket_on_put = False
# When sending images to S3, the data will first be written to a
# temporary buffer on disk. By default the platform's temporary directory
# will be used. If required, an alternative directory can be specified here.
#s3_store_object_buffer_dir = /path/to/dir
# When forming a bucket url, boto will either set the bucket name as the
# subdomain or as the first token of the path. Amazon's S3 service will
# accept it as the subdomain, but Swift's S3 middleware requires it be
# in the path. Set this to 'path' or 'subdomain' - defaults to 'subdomain'.
#s3_store_bucket_url_format = subdomain
# ============ RBD Store Options =============================
# Ceph configuration file path
# If using cephx authentication, this file should
# include a reference to the right keyring
# in a client.<USER> section
#rbd_store_ceph_conf = /etc/ceph/ceph.conf
# RADOS user to authenticate as (only applicable if using cephx)


# If <None>, a default will be chosen based on the client. section
# in rbd_store_ceph_conf
#rbd_store_user = <None>
# RADOS pool in which images are stored
#rbd_store_pool = images
# RADOS images will be chunked into objects of this size (in megabytes).
# For best performance, this should be a power of two
#rbd_store_chunk_size = 8
# ============ Sheepdog Store Options =============================
sheepdog_store_address = localhost
sheepdog_store_port = 7000
# Images will be chunked into objects of this size (in megabytes).
# For best performance, this should be a power of two
sheepdog_store_chunk_size = 64
# ============ Cinder Store Options ===============================
# Info to match when looking for cinder in the service catalog
# Format is : separated values of the form:
# <service_type>:<service_name>:<endpoint_type> (string value)
#cinder_catalog_info = volume:cinder:publicURL
# Override service catalog lookup with template for cinder endpoint
# e.g. http://localhost:8776/v1/%(project_id)s (string value)
#cinder_endpoint_template = <None>
# Region name of this node (string value)
#os_region_name = <None>
# Location of ca certificates file to use for cinder client requests
# (string value)
#cinder_ca_certificates_file = <None>
# Number of cinderclient retries on failed http calls (integer value)
#cinder_http_retries = 3
# Allow to perform insecure SSL requests to cinder (boolean value)
#cinder_api_insecure = False
# ============ VMware Datastore Store Options =====================
# ESX/ESXi or vCenter Server target system.
# The server value can be an IP address or a DNS name
# e.g. 127.0.0.1, 127.0.0.1:443, www.vmware-infra.com
#vmware_server_host = <None>
# Server username (string value)
#vmware_server_username = <None>
# Server password (string value)
#vmware_server_password = <None>
# Inventory path to a datacenter (string value)
# Value optional when vmware_server_ip is an ESX/ESXi host: if specified


# should be `ha-datacenter`.
#vmware_datacenter_path = <None>
# Datastore associated with the datacenter (string value)
#vmware_datastore_name = <None>
# The number of times we retry on failures
# e.g., socket error, etc (integer value)
#vmware_api_retry_count = 10
# The interval used for polling remote tasks
# invoked on VMware ESX/VC server in seconds (integer value)
#vmware_task_poll_interval = 5
# Absolute path of the folder containing the images in the datastore
# (string value)
#vmware_store_image_dir = /openstack_glance
# Allow to perform insecure SSL requests to the target system (boolean value)
#vmware_api_insecure = False
# ============ Delayed Delete Options =============================
# Turn on/off delayed delete
delayed_delete = False
# Delayed delete time in seconds
scrub_time = 43200
# Directory that the scrubber will use to remind itself of what to delete
# Make sure this is also set in glance-scrubber.conf
scrubber_datadir = /var/lib/glance/scrubber
# =============== Quota Options ==================================
# The maximum number of image members allowed per image
#image_member_quota = 128
# The maximum number of image properties allowed per image
#image_property_quota = 128
# The maximum number of tags allowed per image
#image_tag_quota = 128
# The maximum number of locations allowed per image
#image_location_quota = 10
# Set a system wide quota for every user. This value is the total number
# of bytes that a user can use across all storage systems. A value of
# 0 means unlimited.
#user_storage_quota = 0
# =============== Image Cache Options =============================
# Base directory that the Image Cache uses
image_cache_dir = /var/lib/glance/image-cache/
# =============== Manager Options =================================
# DEPRECATED. TO BE REMOVED IN THE JUNO RELEASE.


# Whether or not to enforce that all DB tables have charset utf8.
# If your database tables do not have charset utf8 you will
# need to convert before this option is removed. This option is
# only relevant if your database engine is MySQL.
#db_enforce_mysql_charset = True
# =============== Database Options =================================
[database]
# The file name to use with SQLite (string value)
#sqlite_db = glance.sqlite
# If True, SQLite uses synchronous mode (boolean value)
#sqlite_synchronous = True
# The backend to use for db (string value)
# Deprecated group/name - [DEFAULT]/db_backend
#backend = sqlalchemy
# The SQLAlchemy connection string used to connect to the
# database (string value)
# Deprecated group/name - [DEFAULT]/sql_connection
# Deprecated group/name - [DATABASE]/sql_connection
# Deprecated group/name - [sql]/connection
#connection = <None>
# The SQL mode to be used for MySQL sessions. This option,
# including the default, overrides any server-set SQL mode. To
# use whatever SQL mode is set by the server configuration,
# set this to no value. Example: mysql_sql_mode= (string
# value)
#mysql_sql_mode = TRADITIONAL
# Timeout before idle sql connections are reaped (integer
# value)
# Deprecated group/name - [DEFAULT]/sql_idle_timeout
# Deprecated group/name - [DATABASE]/sql_idle_timeout
# Deprecated group/name - [sql]/idle_timeout
#idle_timeout = 3600

# Minimum number of SQL connections to keep open in a pool
# (integer value)
# Deprecated group/name - [DEFAULT]/sql_min_pool_size
# Deprecated group/name - [DATABASE]/sql_min_pool_size
#min_pool_size = 1
# Maximum number of SQL connections to keep open in a pool
# (integer value)
# Deprecated group/name - [DEFAULT]/sql_max_pool_size
# Deprecated group/name - [DATABASE]/sql_max_pool_size
#max_pool_size = <None>
# Maximum db connection retries during startup. (setting -1
# implies an infinite retry count) (integer value)
# Deprecated group/name - [DEFAULT]/sql_max_retries
# Deprecated group/name - [DATABASE]/sql_max_retries
#max_retries = 10

# Interval between retries of opening a sql connection
# (integer value)


# Deprecated group/name - [DEFAULT]/sql_retry_interval
# Deprecated group/name - [DATABASE]/reconnect_interval
#retry_interval = 10
# If set, use this value for max_overflow with sqlalchemy
# (integer value)
# Deprecated group/name - [DEFAULT]/sql_max_overflow
# Deprecated group/name - [DATABASE]/sqlalchemy_max_overflow
#max_overflow = <None>
# Verbosity of SQL debugging information. 0=None,
# 100=Everything (integer value)
# Deprecated group/name - [DEFAULT]/sql_connection_debug
#connection_debug = 0
# Add python stack traces to SQL as comment strings (boolean
# value)
# Deprecated group/name - [DEFAULT]/sql_connection_trace
#connection_trace = False
# If set, use this value for pool_timeout with sqlalchemy
# (integer value)
# Deprecated group/name - [DATABASE]/sqlalchemy_pool_timeout
#pool_timeout = <None>
# Enable the experimental use of database reconnect on
# connection lost (boolean value)
#use_db_reconnect = False
# seconds between db connection retries (integer value)
#db_retry_interval = 1
# Whether to increase interval between db connection retries,
# up to db_max_retry_interval (boolean value)
#db_inc_retry_interval = True
# max seconds between db connection retries, if
# db_inc_retry_interval is enabled (integer value)
#db_max_retry_interval = 10
# maximum db connection retries before error is raised.
# (setting -1 implies an infinite retry count) (integer value)
#db_max_retries = 20
[keystone_authtoken]
auth_host = 127.0.0.1
auth_port = 35357
auth_protocol = http
admin_tenant_name = %SERVICE_TENANT_NAME%
admin_user = %SERVICE_USER%
admin_password = %SERVICE_PASSWORD%
[paste_deploy]
# Name of the paste configuration file that defines the available pipelines
#config_file = glance-api-paste.ini
# Partial name of a pipeline in your paste configuration file with the
# service name removed. For example, if your paste section name is
# [pipeline:glance-api-keystone], you would configure the flavor below
# as 'keystone'.


#flavor=
[store_type_location_strategy]
# The scheme list to use to get store preference order. The scheme must be
# registered by one of the stores defined by the 'known_stores' config option.
# This option is applied when you use the 'store_type' option as the image
# location strategy defined by the 'location_strategy' config option.
#store_type_preference =

glance-registry.conf
Configuration for the Image Service's registry, which stores the metadata about images, is
found in the glance-registry.conf file.
This file must be modified after installation.
[DEFAULT]
# Show more verbose log output (sets INFO log level output)
#verbose = False
# Show debugging output in logs (sets DEBUG log level output)
#debug = False
# Address to bind the registry server
bind_host = 0.0.0.0
# Port to bind the registry server to
bind_port = 9191
# Log to this file. Make sure you do not set the same log file for both the API
# and registry servers!
#
# If `log_file` is omitted and `use_syslog` is false, then log messages are
# sent to stdout as a fallback.
log_file = /var/log/glance/registry.log
# Backlog requests when creating socket
backlog = 4096
# TCP_KEEPIDLE value in seconds when creating socket.
# Not supported on OS X.
#tcp_keepidle = 600
# API to use for accessing data. Default value points to sqlalchemy
# package.
#data_api = glance.db.sqlalchemy.api
# Enable Registry API versions individually or simultaneously
#enable_v1_registry = True
#enable_v2_registry = True
# Limit the api to return `param_limit_max` items in a call to a container. If
# a larger `limit` query param is provided, it will be reduced to this value.
api_limit_max = 1000
# If a `limit` query param is not provided in an api request, it will
# default to `limit_param_default`
limit_param_default = 25


# Role used to identify an authenticated user as administrator
#admin_role = admin
# Whether to automatically create the database tables.
# Default: False
#db_auto_create = False
# Enable DEBUG log messages from sqlalchemy which prints every database
# query and response.
# Default: False
#sqlalchemy_debug = True
# ================= Syslog Options ============================
# Send logs to syslog (/dev/log) instead of to file specified
# by `log_file`
#use_syslog = False
# Facility to use. If unset defaults to LOG_USER.
#syslog_log_facility = LOG_LOCAL1
# ================= SSL Options ===============================
# Certificate file to use when starting registry server securely
#cert_file = /path/to/certfile
# Private key file to use when starting registry server securely
#key_file = /path/to/keyfile
# CA certificate file to use to verify connecting clients
#ca_file = /path/to/cafile
# ================= Database Options ==========================
[database]
# The file name to use with SQLite (string value)
#sqlite_db = glance.sqlite
# If True, SQLite uses synchronous mode (boolean value)
#sqlite_synchronous = True
# The backend to use for db (string value)
# Deprecated group/name - [DEFAULT]/db_backend
#backend = sqlalchemy
# The SQLAlchemy connection string used to connect to the
# database (string value)
# Deprecated group/name - [DEFAULT]/sql_connection
# Deprecated group/name - [DATABASE]/sql_connection
# Deprecated group/name - [sql]/connection
#connection = <None>
# The SQL mode to be used for MySQL sessions. This option,
# including the default, overrides any server-set SQL mode. To
# use whatever SQL mode is set by the server configuration,
# set this to no value. Example: mysql_sql_mode= (string
# value)
#mysql_sql_mode = TRADITIONAL
# Timeout before idle sql connections are reaped (integer


# value)
# Deprecated group/name - [DEFAULT]/sql_idle_timeout
# Deprecated group/name - [DATABASE]/sql_idle_timeout
# Deprecated group/name - [sql]/idle_timeout
#idle_timeout = 3600
# Minimum number of SQL connections to keep open in a pool
# (integer value)
# Deprecated group/name - [DEFAULT]/sql_min_pool_size
# Deprecated group/name - [DATABASE]/sql_min_pool_size
#min_pool_size = 1
# Maximum number of SQL connections to keep open in a pool
# (integer value)
# Deprecated group/name - [DEFAULT]/sql_max_pool_size
# Deprecated group/name - [DATABASE]/sql_max_pool_size
#max_pool_size = <None>
# Maximum db connection retries during startup. (setting -1
# implies an infinite retry count) (integer value)
# Deprecated group/name - [DEFAULT]/sql_max_retries
# Deprecated group/name - [DATABASE]/sql_max_retries
#max_retries = 10

# Interval between retries of opening a sql connection
# (integer value)
# Deprecated group/name - [DEFAULT]/sql_retry_interval
# Deprecated group/name - [DATABASE]/reconnect_interval
#retry_interval = 10
# If set, use this value for max_overflow with sqlalchemy
# (integer value)
# Deprecated group/name - [DEFAULT]/sql_max_overflow
# Deprecated group/name - [DATABASE]/sqlalchemy_max_overflow
#max_overflow = <None>
# Verbosity of SQL debugging information. 0=None,
# 100=Everything (integer value)
# Deprecated group/name - [DEFAULT]/sql_connection_debug
#connection_debug = 0
# Add python stack traces to SQL as comment strings (boolean
# value)
# Deprecated group/name - [DEFAULT]/sql_connection_trace
#connection_trace = False
# If set, use this value for pool_timeout with sqlalchemy
# (integer value)
# Deprecated group/name - [DATABASE]/sqlalchemy_pool_timeout
#pool_timeout = <None>
# Enable the experimental use of database reconnect on
# connection lost (boolean value)
#use_db_reconnect = False
# seconds between db connection retries (integer value)
#db_retry_interval = 1
# Whether to increase interval between db connection retries,
# up to db_max_retry_interval (boolean value)


#db_inc_retry_interval = True
# max seconds between db connection retries, if
# db_inc_retry_interval is enabled (integer value)
#db_max_retry_interval = 10
# maximum db connection retries before error is raised.
# (setting -1 implies an infinite retry count) (integer value)
#db_max_retries = 20
[keystone_authtoken]
auth_host = 127.0.0.1
auth_port = 35357
auth_protocol = http
admin_tenant_name = %SERVICE_TENANT_NAME%
admin_user = %SERVICE_USER%
admin_password = %SERVICE_PASSWORD%
[paste_deploy]
# Name of the paste configuration file that defines the available pipelines
#config_file = glance-registry-paste.ini
# Partial name of a pipeline in your paste configuration file with the
# service name removed. For example, if your paste section name is
# [pipeline:glance-registry-keystone], you would configure the flavor below
# as 'keystone'.
#flavor=

glance-api-paste.ini
Configuration for the Image Service's API middleware pipeline is found in the glance-api-paste.ini file.
You should not need to modify this file.
# Use this pipeline for no auth or image caching - DEFAULT
[pipeline:glance-api]
pipeline = versionnegotiation unauthenticated-context rootapp
# Use this pipeline for image caching and no auth
[pipeline:glance-api-caching]
pipeline = versionnegotiation unauthenticated-context cache rootapp
# Use this pipeline for caching w/ management interface but no auth
[pipeline:glance-api-cachemanagement]
pipeline = versionnegotiation unauthenticated-context cache cachemanage rootapp
# Use this pipeline for keystone auth
[pipeline:glance-api-keystone]
pipeline = versionnegotiation authtoken context rootapp
# Use this pipeline for keystone auth with image caching
[pipeline:glance-api-keystone+caching]
pipeline = versionnegotiation authtoken context cache rootapp
# Use this pipeline for keystone auth with caching and cache management
[pipeline:glance-api-keystone+cachemanagement]
pipeline = versionnegotiation authtoken context cache cachemanage rootapp


# Use this pipeline for authZ only. This means that the registry will treat a
# user as authenticated without making requests to keystone to reauthenticate
# the user.
[pipeline:glance-api-trusted-auth]
pipeline = versionnegotiation context rootapp
# Use this pipeline for authZ only. This means that the registry will treat a
# user as authenticated without making requests to keystone to reauthenticate
# the user and uses cache management
[pipeline:glance-api-trusted-auth+cachemanagement]
pipeline = versionnegotiation context cache cachemanage rootapp
[composite:rootapp]
paste.composite_factory = glance.api:root_app_factory
/: apiversions
/v1: apiv1app
/v2: apiv2app
[app:apiversions]
paste.app_factory = glance.api.versions:create_resource
[app:apiv1app]
paste.app_factory = glance.api.v1.router:API.factory
[app:apiv2app]
paste.app_factory = glance.api.v2.router:API.factory
[filter:versionnegotiation]
paste.filter_factory = glance.api.middleware.version_negotiation:VersionNegotiationFilter.factory
[filter:cache]
paste.filter_factory = glance.api.middleware.cache:CacheFilter.factory
[filter:cachemanage]
paste.filter_factory = glance.api.middleware.cache_manage:CacheManageFilter.factory
[filter:context]
paste.filter_factory = glance.api.middleware.context:ContextMiddleware.factory
[filter:unauthenticated-context]
paste.filter_factory = glance.api.middleware.context:UnauthenticatedContextMiddleware.factory
[filter:authtoken]
paste.filter_factory = keystoneclient.middleware.auth_token:filter_factory
delay_auth_decision = true
[filter:gzip]
paste.filter_factory = glance.api.middleware.gzip:GzipMiddleware.factory
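
The `flavor` setting in `[paste_deploy]` decides which of the pipelines above serves requests, and with `flavor` left empty that is the no-auth default. The following check is an added example, not part of the OpenStack sample files: it resolves the flavor to its pipeline section and reports how that pipeline identifies callers. The embedded INI text is a constructed subset of the files above, and the function names and result labels are this example's own.

```python
import configparser

# Constructed sample: pipeline sections taken from the glance-api-paste.ini above.
PASTE_INI = """
[pipeline:glance-api]
pipeline = versionnegotiation unauthenticated-context rootapp

[pipeline:glance-api-cachemanagement]
pipeline = versionnegotiation unauthenticated-context cache cachemanage
    rootapp

[pipeline:glance-api-keystone]
pipeline = versionnegotiation authtoken context rootapp

[pipeline:glance-api-keystone+cachemanagement]
pipeline = versionnegotiation authtoken context cache cachemanage rootapp

[pipeline:glance-api-trusted-auth]
pipeline = versionnegotiation context rootapp
"""

# Constructed sample: a glance-api.conf with the flavor line left commented out.
API_CONF = """
[DEFAULT]
bind_host = 0.0.0.0

[paste_deploy]
#flavor=
"""


def load_ini(text):
    """Parse INI text; interpolation is off so '%' placeholders stay literal."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    return parser


def pipeline_section(service, flavor):
    """Section name for a flavor: the service name plus '-<flavor>' when set."""
    flavor = (flavor or "").strip()
    name = service if not flavor else "%s-%s" % (service, flavor)
    return "pipeline:" + name


def classify(filters):
    """Label how a pipeline establishes the caller's identity."""
    if "authtoken" in filters and "context" in filters:
        return "keystone"            # token validated by the authtoken filter
    if "unauthenticated-context" in filters:
        return "unauthenticated"     # no identity check at all
    if "context" in filters:
        return "trusted-headers"     # authZ only: identity taken on trust
    return "unknown"


def audit(conf_text, paste_text, service="glance-api"):
    """Resolve the configured flavor and describe the pipeline it selects."""
    conf = load_ini(conf_text)
    paste = load_ini(paste_text)
    flavor = conf.get("paste_deploy", "flavor", fallback="")
    section = pipeline_section(service, flavor)
    result = {
        "bind_host": conf.get("DEFAULT", "bind_host", fallback=None),
        "section": section,
        "filters": [],
        "auth": "missing",           # flavor names a pipeline that is not defined
    }
    if paste.has_section(section):
        # split() also copes with a pipeline value wrapped over several lines
        result["filters"] = paste.get(section, "pipeline").split()
        result["auth"] = classify(result["filters"])
    return result


if __name__ == "__main__":
    for flavor_line in ("#flavor=", "flavor = keystone", "flavor = trusted-auth"):
        report = audit(API_CONF.replace("#flavor=", flavor_line), PASTE_INI)
        print("%-24s %-36s %s (bind_host %s)" % (
            flavor_line, report["section"], report["auth"], report["bind_host"]))
```

A result of `unauthenticated` or `trusted-headers` together with a `bind_host` of `0.0.0.0` is the combination to review first.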

glance-registry-paste.ini
The Image Service's middleware pipeline for its registry is found in the glance-registry-paste.ini file.
# Use this pipeline for no auth - DEFAULT


[pipeline:glance-registry]
pipeline = unauthenticated-context registryapp
# Use this pipeline for keystone auth
[pipeline:glance-registry-keystone]
pipeline = authtoken context registryapp
# Use this pipeline for authZ only. This means that the registry will treat a
# user as authenticated without making requests to keystone to reauthenticate
# the user.
[pipeline:glance-registry-trusted-auth]
pipeline = context registryapp
[app:registryapp]
paste.app_factory = glance.registry.api:API.factory
[filter:context]
paste.filter_factory = glance.api.middleware.context:ContextMiddleware.factory
[filter:unauthenticated-context]
paste.filter_factory = glance.api.middleware.context:UnauthenticatedContextMiddleware.factory
[filter:authtoken]
paste.filter_factory = keystoneclient.middleware.auth_token:filter_factory

glance-scrubber.conf
glance-scrubber is a utility for the Image Service that cleans up images that have been
deleted; its configuration is stored in the glance-scrubber.conf file.
Multiple instances of glance-scrubber can be run in a single deployment, but only one
of them can be designated as the cleanup_scrubber in the glance-scrubber.conf
file. The cleanup_scrubber coordinates other glance-scrubber instances by maintaining the master queue of images that need to be removed.
[DEFAULT]
# Show more verbose log output (sets INFO log level output)
#verbose = False
# Show debugging output in logs (sets DEBUG log level output)
#debug = False
# Log to this file. Make sure you do not set the same log file for both the API
# and registry servers!
#
# If `log_file` is omitted and `use_syslog` is false, then log messages are
# sent to stdout as a fallback.
log_file = /var/log/glance/scrubber.log
# Send logs to syslog (/dev/log) instead of to file specified by `log_file`
#use_syslog = False
# Should we run our own loop or rely on cron/scheduler to run us
daemon = False
# Loop time between checking for new items to schedule for delete
wakeup_time = 300


# Directory that the scrubber will use to remind itself of what to delete
# Make sure this is also set in glance-api.conf
scrubber_datadir = /var/lib/glance/scrubber
# Only one server in your deployment should be designated the cleanup host
cleanup_scrubber = False
# pending_delete items older than this time are candidates for cleanup
cleanup_scrubber_time = 86400
# Address to find the registry server for cleanups
registry_host = 0.0.0.0
# Port the registry server is listening on
registry_port = 9191
# Auth settings if using Keystone
# auth_url = http://127.0.0.1:5000/v2.0/
# admin_tenant_name = %SERVICE_TENANT_NAME%
# admin_user = %SERVICE_USER%
# admin_password = %SERVICE_PASSWORD%

# Directory to use for lock files. Default to a temp directory
# (string value). This setting needs to be the same for both
# glance-scrubber and glance-api.
#lock_path=<None>
# ================= Security Options ==========================
# AES key for encrypting store 'location' metadata, including
# -- if used -- Swift or S3 credentials
# Should be set to a random string of length 16, 24 or 32 bytes
#metadata_encryption_key = <16, 24 or 32 char registry metadata key>

policy.json
The /etc/glance/policy.json file defines additional access controls that apply to the
Image Service.
{
"context_is_admin": "role:admin",
"default": "",

"add_image": "",
"delete_image": "",
"get_image": "",
"get_images": "",
"modify_image": "",
"publicize_image": "",
"copy_from": "",
"download_image": "",
"upload_image": "",
"delete_image_location": "",
"get_image_location": "",
"set_image_location": "",


"add_member": "",
"delete_member": "",
"get_member": "",
"get_members": "",
"modify_member": "",
"manage_image_cache": "role:admin",
"get_task": "",
"get_tasks": "",
"add_task": "",
"modify_task": ""
}
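
In this file every rule except `context_is_admin` and `manage_image_cache` is the empty string, which the policy engine treats as always allowed, and an action without its own entry is decided by `default`. The following check is an added example, not part of the OpenStack sample files: it reports which watched actions are effectively open. It assumes string rules as used in this file and a default-rule name of `default`; the sample text is a constructed subset of the file, and the watch list and function names are this example's own.

```python
import json

# Constructed sample: a subset of the policy.json above. "copy_from" is left
# out on purpose so that the fallback to "default" is exercised.
POLICY_JSON = """
{
    "context_is_admin": "role:admin",
    "default": "",
    "add_image": "",
    "publicize_image": "",
    "get_image_location": "",
    "set_image_location": "",
    "delete_image_location": "",
    "manage_image_cache": "role:admin"
}
"""

# Assumption of this example: actions an operator wants gated by a role.
WATCHED = ("publicize_image", "copy_from", "get_image_location",
           "set_image_location", "delete_image_location", "manage_image_cache")


def load_policy(text):
    """Parse policy text and insist on the JSON object the file must hold."""
    policy = json.loads(text)
    if not isinstance(policy, dict):
        raise ValueError("policy file must contain a JSON object")
    return policy


def effective_rule(policy, action):
    """Return the rule text that decides `action`, or None when nothing matches.

    An action with no entry falls back to "default"; a rule that is only a
    "rule:<name>" alias is followed to the rule it names.
    """
    name, seen = action, set()
    while True:
        if name in seen:
            raise ValueError("rule alias loop at %r" % name)
        seen.add(name)
        if name in policy:
            rule = policy[name]
        elif "default" in policy:
            rule = policy["default"]
        else:
            return None              # modelled here as a denied request
        if not isinstance(rule, str):
            raise ValueError("only string rules are handled in this example")
        rule = rule.strip()
        if rule.startswith("rule:") and " " not in rule:
            name = rule[len("rule:"):]
            continue
        return rule


def audit(policy_text, watched=WATCHED):
    """Map each watched action to 'open', 'denied' or 'restricted: <rule>'."""
    policy = load_policy(policy_text)
    report = {}
    for action in watched:
        rule = effective_rule(policy, action)
        if rule is None:
            report[action] = "denied"
        elif rule == "":
            # empty rule: allowed for any caller that reaches the policy check
            report[action] = "open"
        else:
            report[action] = "restricted: " + rule
    return report


def open_actions(policy_text, watched=WATCHED):
    """Sorted list of watched actions that no rule restricts."""
    return sorted(a for a, v in audit(policy_text, watched).items() if v == "open")


if __name__ == "__main__":
    for action, verdict in sorted(audit(POLICY_JSON).items()):
        print("%-24s %s" % (action, verdict))
```

The location actions are on the watch list because, as the `metadata_encryption_key` comment above notes, store location metadata can carry Swift or S3 credentials.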

New, updated and deprecated options in Juno for OpenStack Image Service
Table 7.26. New options

| Option = default value | (Type) Help string |
| --- | --- |
| [DEFAULT] db_enforce_mysql_charset = True | (BoolOpt) DEPRECATED. TO BE REMOVED IN THE JUNO RELEASE. Whether or not to enforce that all DB tables have charset utf8. If your database tables do not have charset utf8 you will need to convert before this option is removed. This option is only relevant if your database engine is MySQL. |
| [DEFAULT] default_swift_reference = ref1 | (StrOpt) The reference to the default swift account/backing store parameters to use for adding new images. |
| [DEFAULT] metadata_source_path = /etc/glance/metadefs/ | (StrOpt) Path to the directory where json metadata files are stored |
| [DEFAULT] swift_store_config_file = None | (StrOpt) The config file that has the swift account(s)configs. |
| [database] slave_connection = None | (StrOpt) The SQLAlchemy connection string to use to connect to the slave database. |
| [glance_store] default_store = file | (StrOpt) Default scheme to use to store image data. The scheme must be registered by one of the stores defined by the 'stores' config option. |
| [glance_store] default_swift_reference = ref1 | (StrOpt) The reference to the default swift account/backing store parameters to use for adding new images. |
| [glance_store] filesystem_store_datadir = None | (StrOpt) Directory to which the Filesystem backend store writes images. |
| [glance_store] filesystem_store_datadirs = None | (MultiStrOpt) List of directories and its priorities to which the Filesystem backend store writes images. |
| [glance_store] filesystem_store_metadata_file = None | (StrOpt) The path to a file which contains the metadata to be returned with any location associated with this store. The file must contain a valid JSON dict. |
| [glance_store] stores = ['file', 'http'] | (ListOpt) List of stores enabled |
| [glance_store] swift_store_auth_address = None | (StrOpt) The address where the Swift authentication service is listening.(deprecated) |
| [glance_store] swift_store_config_file = None | (StrOpt) The config file that has the swift account(s)configs. |
| [glance_store] swift_store_key = None | (StrOpt) Auth key for the user authenticating against the Swift authentication service. (deprecated) |
| [glance_store] swift_store_user = None | (StrOpt) The user to authenticate against the Swift authentication service (deprecated) |
| [keystone_authtoken] check_revocations_for_cached = False | (BoolOpt) If true, the revocation list will be checked for cached tokens. This requires that PKI tokens are configured on the Keystone server. |
| [keystone_authtoken] hash_algorithms = ['md5'] | (ListOpt) Hash algorithms to use for hashing PKI tokens. This may be a single algorithm or multiple. The algorithms are those supported by Python standard hashlib.new(). The hashes will be tried in the order given, so put the preferred one first for performance. The result of the first hash will be stored in the cache. This will typically be set to multiple values only while migrating from a less secure algorithm to a more secure one. Once all the old tokens are expired this option should be set to a single value for better performance. |
| [keystone_authtoken] identity_uri = None | (StrOpt) Complete admin Identity API endpoint. This should specify the unversioned root endpoint e.g. https://localhost:35357/ |
| [profiler] enabled = True | (BoolOpt) If False fully disable profiling feature. |
| [profiler] trace_sqlalchemy = True | (BoolOpt) If False doesn't trace SQL requests. |
| [task] eventlet_executor_pool_size = 1000 | (IntOpt) Specifies the maximum number of eventlet threads which can be spun up by the eventlet based task executor to perform execution of Glance tasks. |
| [task] task_executor = eventlet | (StrOpt) Specifies which task executor to be used to run the task scripts. |

Table 7.27. New default values

| Option | Previous default value | New default value |
| --- | --- | --- |
| [DEFAULT] default_log_levels | amqp=WARN, amqplib=WARN, boto=WARN, qpid=WARN, sqlalchemy=WARN, suds=INFO, iso8601=WARN, requests.packages.urllib3.connectionpool=WARN | amqp=WARN, amqplib=WARN, boto=WARN, qpid=WARN, sqlalchemy=WARN, suds=INFO, oslo.messaging=INFO, iso8601=WARN, requests.packages.urllib3.connectionpool=WARN |
| [DEFAULT] user_storage_quota | | |
| [DEFAULT] workers | | |
| [database] sqlite_db | glance.sqlite | oslo.sqlite |
| [keystone_authtoken] revocation_cache_time | 300 | 10 |

Table 7.28. Deprecated options

| Deprecated option | New Option |
|---|---|
| [DEFAULT] swift_store_auth_address | [glance_store] swift_store_auth_address |
| [DEFAULT] filesystem_store_metadata_file | [glance_store] filesystem_store_metadata_file |
| [DEFAULT] swift_store_key | [glance_store] swift_store_key |
| [DEFAULT] filesystem_store_datadir | [glance_store] filesystem_store_datadir |
| [DEFAULT] known_stores | [glance_store] stores |
| [DEFAULT] default_store | [glance_store] default_store |
| [DEFAULT] swift_store_user | [glance_store] swift_store_user |
| [DEFAULT] filesystem_store_datadirs | [glance_store] filesystem_store_datadirs |


8. Networking
Table of Contents
Networking configuration options
Log files used by Networking
Networking sample configuration files
New, updated and deprecated options in Juno for OpenStack Networking

This chapter explains the OpenStack Networking configuration options. For installation prerequisites, steps, and use cases, see the OpenStack Installation Guide for your distribution
(docs.openstack.org) and Cloud Administrator Guide.

Networking configuration options


The options and descriptions listed in this introduction are auto generated from the code in
the Networking service project, which provides software-defined networking between VMs
run in Compute. The list contains common options, while the subsections list the options for
the various networking plug-ins.

Table 8.1. Description of common configuration options


Configuration option = Default value

Description

[DEFAULT]
admin_password = None

(StrOpt) Admin password

admin_tenant_name = None

(StrOpt) Admin tenant name

admin_user = None

(StrOpt) Admin username

agent_down_time = 75

(IntOpt) Seconds to regard the agent is down; should be at least twice report_interval, to be sure the agent is down for good.

api_workers = 0

(IntOpt) Number of separate worker processes for service

auth_ca_cert = None

(StrOpt) Certificate Authority public key (CA cert) file for ssl

auth_insecure = False

(BoolOpt) Turn off verification of the certificate for ssl

auth_region = None

(StrOpt) Authentication region

auth_strategy = keystone

(StrOpt) The type of authentication to use

auth_url = None

(StrOpt) Authentication URL

base_mac = fa:16:3e:00:00:00

(StrOpt) The base MAC address Neutron will use for VIFs

bind_host = 0.0.0.0

(StrOpt) The host IP to bind to

bind_port = 9696

(IntOpt) The port to bind to

ca_certs = None

(StrOpt) CA certificates

check_child_processes = False

(BoolOpt) Periodically check child processes

check_child_processes_action = respawn

(StrOpt) Action to be executed when a child process dies

check_child_processes_interval = 60

(IntOpt) Interval between checks of child process liveness (seconds)

core_plugin = None

(StrOpt) The core plugin Neutron will use

ctl_cert = None

(StrOpt) controller certificate


ctl_privkey = None

(StrOpt) controller private key

dhcp_agent_notification = True

(BoolOpt) Allow sending resource operation notification to DHCP agent

dhcp_agents_per_network = 1

(IntOpt) Number of DHCP agents scheduled to host a network.

dhcp_confs = $state_path/dhcp

(StrOpt) Location to store DHCP server config files

dhcp_delete_namespaces = False

(BoolOpt) Delete namespace after removing a dhcp server.

dhcp_domain = openstacklocal

(StrOpt) Domain to use for building the hostnames

dhcp_driver = neutron.agent.linux.dhcp.Dnsmasq

(StrOpt) The driver used to manage the DHCP server.

dhcp_lease_duration = 86400

(IntOpt) DHCP lease duration (in seconds). Use -1 to tell dnsmasq to use infinite lease times.

endpoint_type = publicURL

(StrOpt) Network service endpoint type to pull from the keystone catalog

force_gateway_on_subnet = True

(BoolOpt) Ensure that configured gateway is on subnet. For IPv6, validate only if gateway is not a link local address. Deprecated, to be removed during the K release, at which point the check will be mandatory.

host = localhost

(StrOpt) The hostname Neutron is running on

interface_driver = None

(StrOpt) The driver used to manage the virtual interface.

ip_lib_force_root = False

(BoolOpt) Force ip_lib calls to use the root helper

lock_path = None

(StrOpt) Directory to use for lock files.

mac_generation_retries = 16

(IntOpt) How many times Neutron will retry MAC generation

max_allowed_address_pair = 10

(IntOpt) Maximum number of allowed address pairs

max_dns_nameservers = 5

(IntOpt) Maximum number of DNS nameservers

max_fixed_ips_per_port = 5

(IntOpt) Maximum number of fixed ips per port

max_subnet_host_routes = 20

(IntOpt) Maximum number of host routes per subnet

memcached_servers = None

(ListOpt) Memcached servers or None for in process cache.

periodic_fuzzy_delay = 5

(IntOpt) Range of seconds to randomly delay when starting the periodic task scheduler to reduce stampeding. (Disable by setting to 0)

periodic_interval = 40

(IntOpt) Seconds between running periodic tasks

report_interval = 300

(IntOpt) Interval between two metering reports

root_helper = sudo

(StrOpt) Root helper application.

state_path = /var/lib/neutron

(StrOpt) Where to store Neutron state files. This directory must be writable by the agent.

[AGENT]
root_helper = sudo

(StrOpt) Root helper application.

[PROXY]
admin_password = None

(StrOpt) Admin password

admin_tenant_name = None

(StrOpt) Admin tenant name

admin_user = None

(StrOpt) Admin user

auth_region = None

(StrOpt) Authentication region

auth_strategy = keystone

(StrOpt) The type of authentication to use

auth_url = None

(StrOpt) Authentication URL

[heleos]
admin_password = None

(StrOpt) ESM admin password.


[keystone_authtoken]
memcached_servers = None

(ListOpt) Optionally specify a list of memcached server(s) to use for caching. If left undefined, tokens will instead be cached in-process.

Networking plug-ins
OpenStack Networking introduces the concept of a plug-in, which is a back-end implementation of the OpenStack Networking API. A plug-in can use a variety of technologies to implement the logical API requests. Some OpenStack Networking plug-ins might use basic Linux VLANs and IP tables, while others might use more advanced technologies, such as L2-in-L3 tunneling or OpenFlow. These sections detail the configuration options for the various plug-ins.

BigSwitch configuration options


Table 8.2. Description of BigSwitch configuration options
Configuration option = Default value

Description

[NOVA]
node_override_vif_802.1qbg =

(ListOpt) Nova compute nodes to manually set VIF type to 802.1qbg

node_override_vif_802.1qbh =

(ListOpt) Nova compute nodes to manually set VIF type to 802.1qbh

node_override_vif_binding_failed =

(ListOpt) Nova compute nodes to manually set VIF type to binding_failed

node_override_vif_bridge =

(ListOpt) Nova compute nodes to manually set VIF type to bridge

node_override_vif_distributed =

(ListOpt) Nova compute nodes to manually set VIF type to distributed

node_override_vif_dvs =

(ListOpt) Nova compute nodes to manually set VIF type to dvs

node_override_vif_hostdev =

(ListOpt) Nova compute nodes to manually set VIF type to hostdev

node_override_vif_hw_veb =

(ListOpt) Nova compute nodes to manually set VIF type to hw_veb

node_override_vif_hyperv =

(ListOpt) Nova compute nodes to manually set VIF type to hyperv

node_override_vif_ivs =

(ListOpt) Nova compute nodes to manually set VIF type to ivs

node_override_vif_midonet =

(ListOpt) Nova compute nodes to manually set VIF type to midonet

node_override_vif_mlnx_direct =

(ListOpt) Nova compute nodes to manually set VIF type to mlnx_direct

node_override_vif_other =

(ListOpt) Nova compute nodes to manually set VIF type to other

node_override_vif_ovs =

(ListOpt) Nova compute nodes to manually set VIF type to ovs

node_override_vif_unbound =

(ListOpt) Nova compute nodes to manually set VIF type to unbound

node_override_vif_vrouter =

(ListOpt) Nova compute nodes to manually set VIF type to vrouter


vif_type = ovs

(StrOpt) Virtual interface type to configure on Nova compute nodes

vif_types = unbound, binding_failed, ovs, ivs, bridge, 802.1qbg, 802.1qbh, hyperv, midonet, mlnx_direct, hostdev, hw_veb, dvs, other, distributed, vrouter

(ListOpt) List of allowed vif_type values.

[RESTPROXY]
add_meta_server_route = True

(BoolOpt) Flag to decide if a route to the metadata server should be injected into the VM

auto_sync_on_failure = True

(BoolOpt) If neutron fails to create a resource because the backend controller doesn't know of a dependency, the plugin automatically triggers a full data synchronization to the controller.

cache_connections = True

(BoolOpt) Re-use HTTP/HTTPS connections to the controller.

consistency_interval = 60

(IntOpt) Time between verifications that the backend controller database is consistent with Neutron. (0 to disable)

neutron_id = neutron-shock

(StrOpt) User defined identifier for this Neutron deployment

no_ssl_validation = False

(BoolOpt) Disables SSL certificate validation for controllers

server_auth = None

(StrOpt) The username and password for authenticating against the Big Switch or Floodlight controller.

server_ssl = True

(BoolOpt) If True, Use SSL when connecting to the Big Switch or Floodlight controller.

server_timeout = 10

(IntOpt) Maximum number of seconds to wait for proxy request to connect and complete.

servers = localhost:8800

(ListOpt) A comma separated list of Big Switch or Floodlight servers and port numbers. The plugin proxies the requests to the Big Switch/Floodlight server, which performs the networking configuration. Only one server is needed per deployment, but you may wish to deploy multiple servers to support failover.

ssl_cert_directory = /etc/neutron/plugins/bigswitch/ssl

(StrOpt) Directory containing ca_certs and host_certs certificate directories.

ssl_sticky = True

(BoolOpt) Trust and store the first certificate received for each controller address and use it to validate future connections to that address.

sync_data = False

(BoolOpt) Sync data on connect

thread_pool_size = 4

(IntOpt) Maximum number of threads to spawn to handle large volumes of port creations.

[RESTPROXYAGENT]
integration_bridge = br-int

(StrOpt) Name of integration bridge on compute nodes used for security group insertion.

polling_interval = 5

(IntOpt) Seconds between agent checks for port changes

virtual_switch_type = ovs

(StrOpt) Virtual switch type.

[ROUTER]
max_router_rules = 200

(IntOpt) Maximum number of router rules

tenant_default_router_rule = ['*:any:any:permit']

(MultiStrOpt) The default router rules installed in new tenant routers. Repeat the config option for each rule. Format is <tenant>:<source>:<destination>:<action>. Use an * to specify default for all tenants.


Brocade configuration options


Table 8.3. Description of Brocade configuration options
Configuration option = Default value

Description

[PHYSICAL_INTERFACE]
physical_interface = eth0

(StrOpt) The network interface to use when creating a port

[SWITCH]
address =

(StrOpt) The address of the host to SSH to

ostype = NOS

(StrOpt) Currently unused

password =

(StrOpt) The SSH password to use

username =

(StrOpt) The SSH username to use

CISCO configuration options


Table 8.4. Description of Cisco configuration options
Configuration option = Default value

Description

[CISCO]
model_class = neutron.plugins.cisco.models.virt_phy_sw_v2.VirtualPhysicalSwitchModelV2

(StrOpt) Model Class

nexus_l3_enable = False

(BoolOpt) Enable L3 support on the Nexus switches

provider_vlan_auto_create = True

(BoolOpt) Provider VLANs are automatically created as needed on the Nexus switch

provider_vlan_auto_trunk = True

(BoolOpt) Provider VLANs are automatically trunked as needed on the ports of the Nexus switch

provider_vlan_name_prefix = p-

(StrOpt) VLAN Name prefix for provider vlans

svi_round_robin = False

(BoolOpt) Distribute SVI interfaces over all switches

vlan_name_prefix = q-

(StrOpt) VLAN Name prefix

[CISCO_N1K]
bridge_mappings =

(StrOpt) N1K Bridge Mappings

default_network_profile = default_network_profile

(StrOpt) N1K default network profile

default_policy_profile = service_profile

(StrOpt) N1K default policy profile

enable_tunneling = True

(BoolOpt) N1K Enable Tunneling

http_pool_size = 4

(IntOpt) Number of threads to use to make HTTP requests

http_timeout = 15

(IntOpt) N1K http timeout duration in seconds

integration_bridge = br-int

(StrOpt) N1K Integration Bridge

network_node_policy_profile = dhcp_pp

(StrOpt) N1K policy profile for network node

network_vlan_ranges = vlan:1:4095

(StrOpt) N1K Network VLAN Ranges

poll_duration = 60

(IntOpt) N1K Policy profile polling duration in seconds

restrict_policy_profiles = False

(BoolOpt) Restrict the visibility of policy profiles to the tenants

tenant_network_type = local

(StrOpt) N1K Tenant Network Type

tunnel_bridge = br-tun

(StrOpt) N1K Tunnel Bridge

vxlan_id_ranges = 5000:10000

(StrOpt) N1K VXLAN ID Ranges

[cisco_csr_ipsec]
status_check_interval = 60

(IntOpt) Status check interval for Cisco CSR IPSec connections


[general]
backlog_processing_interval = 10

(IntOpt) Time in seconds between renewed scheduling attempts of non-scheduled routers.

cfg_agent_down_time = 60

(IntOpt) Seconds of no status update until a cfg agent is considered down.

default_security_group = mgmt_sec_grp

(StrOpt) Default security group applied on management port. Default value is mgmt_sec_grp.

ensure_nova_running = True

(BoolOpt) Ensure that Nova is running before attempting to create any VM.

l3_admin_tenant = L3AdminTenant

(StrOpt) Name of the L3 admin tenant.

management_network = osn_mgmt_nw

(StrOpt) Name of management network for device configuration. Default value is osn_mgmt_nw

service_vm_config_path = /opt/stack/data/neutron/cisco/config_drive

(StrOpt) Path to config drive files for service VM instances.

templates_path = /opt/stack/data/neutron/cisco/templates

(StrOpt) Path to templates for hosting devices.

[hosting_devices]
csr1kv_booting_time = 420

(IntOpt) Booting time in seconds before a CSR1kv becomes operational.

csr1kv_cfgagent_router_driver = neutron.plugins.cisco.cfg_agent.device_drivers.csr1kv.csr1kv_routing_driver.CSR1kvRoutingDriver

(StrOpt) Config agent driver for CSR1kv.

csr1kv_configdrive_template = csr1kv_cfg_template

(StrOpt) CSR1kv configdrive template file.

csr1kv_device_driver = neutron.plugins.cisco.l3.hosting_device_drivers.csr1kv_hd_driver.CSR1kvHostingDeviceDriver

(StrOpt) Hosting device driver for CSR1kv.

csr1kv_flavor = 621

(StrOpt) UUID of Nova flavor for CSR1kv.

csr1kv_image = csr1kv_openstack_img

(StrOpt) Name of Glance image for CSR1kv.

csr1kv_password = cisco

(StrOpt) Password to use for CSR1kv configurations.

csr1kv_plugging_driver = neutron.plugins.cisco.l3.plugging_drivers.n1kv_trunking_driver.N1kvTrunkingPlugDriver

(StrOpt) Plugging driver for CSR1kv.

csr1kv_username = stack

(StrOpt) Username to use for CSR1kv configurations.

[ml2_cisco]
svi_round_robin = False

(BoolOpt) Distribute SVI interfaces over all switches

vlan_name_prefix = q-

(StrOpt) VLAN Name prefix

[n1kv]
management_port_profile = osn_mgmt_pp

(StrOpt) Name of N1kv port profile for management ports.

t1_network_profile = osn_t1_np

(StrOpt) Name of N1kv network profile for T1 networks (i.e., trunk networks for VXLAN segmented traffic).

t1_port_profile = osn_t1_pp

(StrOpt) Name of N1kv port profile for T1 ports (i.e., ports carrying traffic from VXLAN segmented networks).

t2_network_profile = osn_t2_np

(StrOpt) Name of N1kv network profile for T2 networks (i.e., trunk networks for VLAN segmented traffic).

t2_port_profile = osn_t2_pp

(StrOpt) Name of N1kv port profile for T2 ports (i.e., ports carrying traffic from VLAN segmented networks).

Table 8.5. Description of cfg agent configuration options


Configuration option = Default value

Description

[cfg_agent]
device_connection_timeout = 30

(IntOpt) Time in seconds for connecting to a hosting device


hosting_device_dead_timeout = 300

(IntOpt) The time in seconds until a backlogged hosting device is presumed dead. This value should be set up high enough to recover from a period of connectivity loss or high load when the device may not be responding.

routing_svc_helper_class = neutron.plugins.cisco.cfg_agent.service_helpers.routing_svc_helper.RoutingServiceHelper

(StrOpt) Path of the routing service helper class.

rpc_loop_interval = 10

(IntOpt) Interval when the process_services() loop executes in seconds. This is when the config agent lets each service helper process its neutron resources.

CloudBase Hyper-V Agent configuration options


Table 8.6. Description of HyperV agent configuration options
Configuration option = Default value

Description

[AGENT]
enable_metrics_collection = False

(BoolOpt) Enables metrics collections for switch ports by using Hyper-V's metric APIs. Collected data can be retrieved by other apps and services, e.g.: Ceilometer. Requires Hyper-V / Windows Server 2012 and above

local_network_vswitch = private

(StrOpt) Private vswitch name used for local networks

metrics_max_retries = 100

(IntOpt) Specifies the maximum number of retries to enable Hyper-V's port metrics collection. The agent will try to enable the feature once every polling_interval period for at most metrics_max_retries or until it succeeds.

physical_network_vswitch_mappings =

(ListOpt) List of <physical_network>:<vswitch> where the physical networks can be expressed with wildcards, e.g.: ."*:external"

polling_interval = 2

(IntOpt) The number of seconds the agent will wait between polling for local device changes.

[HYPERV]
network_vlan_ranges =

(ListOpt) List of <physical_network>:<vlan_min>:<vlan_max> or <physical_network>

tenant_network_type = local

(StrOpt) Network type for tenant networks (local, flat, vlan or none)

[hyperv]
force_hyperv_utils_v1 = False

(BoolOpt) Force V1 WMI utility classes

Embrane configuration options


Table 8.7. Description of Embrane configuration options
Configuration option = Default value

Description

[heleos]
admin_username = admin

(StrOpt) ESM admin username.

async_requests = True

(BoolOpt) Define if the requests have run asynchronously or not

dummy_utif_id = None

(StrOpt) Dummy user traffic Security Zone id

esm_mgmt = None

(StrOpt) ESM management root address

inband_id = None

(StrOpt) In band Security Zone id

mgmt_id = None

(StrOpt) Management Security Zone id

oob_id = None

(StrOpt) Out of band Security Zone id


resource_pool_id = default

(StrOpt) Shared resource pool id

router_image = None

(StrOpt) Router image id (Embrane FW/VPN)


IBM SDN-VE configuration options


Table 8.8. Description of SDN-VE configuration options
Configuration option = Default value

Description

[SDNVE]
base_url = /one/nb/v2/

(StrOpt) Base URL for SDN-VE controller REST API.

controller_ips = 127.0.0.1

(ListOpt) List of IP addresses of SDN-VE controller(s).

default_tenant_type = OVERLAY

(StrOpt) Tenant type: OVERLAY (default) or OF.

format = json

(StrOpt) SDN-VE request/response format.

info = sdnve_info_string

(StrOpt) SDN-VE RPC subject.

integration_bridge = None

(StrOpt) Integration bridge to use.

interface_mappings =

(ListOpt) List of <physical_network_name>:<interface_name> mappings.

of_signature = SDNVE-OF

(StrOpt) The string in tenant description that indicates the tenant is a OF tenant.

out_of_band = True

(BoolOpt) Indicating if controller is out of band or not.

overlay_signature = SDNVE-OVERLAY

(StrOpt) The string in tenant description that indicates the tenant is a OVERLAY tenant.

password = admin

(StrOpt) SDN-VE administrator password.

port = 8443

(StrOpt) SDN-VE controller port number.

reset_bridge = True

(BoolOpt) Whether to reset the integration bridge before use.

use_fake_controller = False

(BoolOpt) Whether to use a fake controller.

userid = admin

(StrOpt) SDN-VE administrator user ID.

[SDNVE_AGENT]
polling_interval = 2

(IntOpt) Agent polling interval if necessary.

root_helper = sudo

(StrOpt) Using root helper.

rpc = True

(BoolOpt) Whether to use rpc.
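
Several options in the tables above control certificate validation or have a password printed as their default value ([DEFAULT] auth_insecure, [RESTPROXY] no_ssl_validation and server_ssl, [hosting_devices] csr1kv_password = cisco, [SDNVE] password = admin). The following check for those settings is an added example, not code from the OpenStack projects. The function names, the sample file and the accepted boolean spellings are assumptions, as is the rule that a default-password finding is raised only when the plug-in's section is present in the file.

```python
import configparser

# Accepted boolean spellings are an assumption made for this example.
TRUE_WORDS = {"1", "true", "yes", "on"}
FALSE_WORDS = {"0", "false", "no", "off"}

# (section, option, risky value, reason), taken from the option descriptions above.
BOOL_CHECKS = [
    ("DEFAULT", "auth_insecure", True,
     "verification of the certificate for ssl is turned off"),
    ("RESTPROXY", "no_ssl_validation", True,
     "SSL certificate validation for controllers is disabled"),
    ("RESTPROXY", "server_ssl", False,
     "connection to the Big Switch or Floodlight controller does not use SSL"),
]

# (section, option, documented default): passwords whose default is printed in the tables.
DEFAULT_PASSWORDS = [
    ("hosting_devices", "csr1kv_password", "cisco"),
    ("SDNVE", "password", "admin"),
]


def load_config(text):
    """Parse INI text; [DEFAULT] is treated as an ordinary section so that
    its values are not inherited by every other section."""
    parser = configparser.RawConfigParser(
        default_section="__no_inherit__", strict=False)
    parser.read_string(text)
    return parser


def audit(text):
    """Return a list of (section, option, reason) findings for the config text."""
    cfg = load_config(text)
    findings = []
    for section, option, risky, reason in BOOL_CHECKS:
        if not cfg.has_option(section, option):
            continue  # unset: the documented default is the safe value
        value = cfg.get(section, option).strip().lower()
        if value in (TRUE_WORDS if risky else FALSE_WORDS):
            findings.append((section, option, reason))
    for section, option, default in DEFAULT_PASSWORDS:
        if not cfg.has_section(section):
            continue  # plug-in section absent, option treated as not in play
        if not cfg.has_option(section, option):
            findings.append((section, option,
                             "unset, so the documented default password applies"))
            continue
        value = cfg.get(section, option).strip()
        if value == default:
            findings.append((section, option,
                             "set to the documented default password"))
        elif value == "":
            findings.append((section, option, "set to an empty password"))
    return findings


# Constructed sample input, not taken from a real deployment.
SAMPLE = """\
[DEFAULT]
auth_insecure = True
bind_port = 9696
state_path = /var/lib/neutron
dhcp_confs = $state_path/dhcp

[RESTPROXY]
servers = controller.example.test:8800
server_ssl = false
no_ssl_validation = False

[hosting_devices]
csr1kv_username = stack

[SDNVE]
password = constructed-not-default
"""

if __name__ == "__main__":
    for section, option, reason in audit(SAMPLE):
        print("[%s] %s: %s" % (section, option, reason))
```
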

Linux bridge Agent configuration options


Table 8.9. Description of Linux Bridge agent configuration options
Configuration option = Default value

Description

[LINUX_BRIDGE]
physical_interface_mappings =

(ListOpt) List of <physical_network>:<physical_interface>

[VLANS]
network_vlan_ranges =

(ListOpt) List of <physical_network>:<vlan_min>:<vlan_max> or <physical_network>

tenant_network_type = local

(StrOpt) Network type for tenant networks (local, vlan, or none)

[VXLAN]
enable_vxlan = False

(BoolOpt) Enable VXLAN on the agent. Can be enabled when agent is managed by ml2 plugin using linuxbridge mechanism driver


l2_population = False

(BoolOpt) Extension to use alongside ml2 plugin's l2population mechanism driver. It enables the plugin to populate VXLAN forwarding table.

local_ip =

(StrOpt) Local IP address of the VXLAN endpoints.

tos = None

(IntOpt) TOS for vxlan interface protocol packets.

ttl = None

(IntOpt) TTL for vxlan interface protocol packets.

vxlan_group = 224.0.0.1

(StrOpt) Multicast group for vxlan interface.

Mellanox configuration options


Table 8.10. Description of Mellanox configuration options
Configuration option = Default value

Description

[ESWITCH]
backoff_rate = 2

(IntOpt) backoff rate multiplier for waiting period between retries for request to daemon, i.e. value of 2 will double the request timeout each retry

daemon_endpoint = tcp://127.0.0.1:60001

(StrOpt) eswitch daemon end point

physical_interface_mappings =

(ListOpt) List of <physical_network>:<physical_interface>

request_timeout = 3000

(IntOpt) The number of milliseconds the agent will wait for response on request to daemon.

[MLNX]
network_vlan_ranges = default:1:1000

(ListOpt) List of <physical_network>:<vlan_min>:<vlan_max> or <physical_network>

physical_network_type = eth

(StrOpt) Physical network type for provider network (eth or ib)

physical_network_type_mappings =

(ListOpt) List of <physical_network>:<physical_network_type> with physical_network_type is either eth or ib

tenant_network_type = vlan

(StrOpt) Network type for tenant networks (local, vlan, or none)

Meta Plug-in configuration options


The Meta Plug-in allows you to use multiple plug-ins at the same time.

Table 8.11. Description of meta configuration options


Configuration option = Default value

Description

[META]
default_flavor =

(StrOpt) Default flavor to use, when flavor:network is not specified at network creation.

default_l3_flavor =

(StrOpt) Default L3 flavor to use, when flavor:router is not specified at router creation. Ignored if 'l3_plugin_list' is blank.

extension_map =

(StrOpt) Comma separated list of method:flavor to select specific plugin for a method. This has priority over method search order based on 'plugin_list'.

l3_plugin_list =

(StrOpt) Comma separated list of flavor:neutron_plugin for L3 service plugins to load. This is intended for specifying L2 plugins which support L3 functions. If you use a router service plugin, set this blank.


plugin_list =

(StrOpt) Comma separated list of flavor:neutron_plugin for plugins to load. Extension method is searched in the list order and the first one is used.

rpc_flavor =

(StrOpt) Specifies flavor for plugin to handle 'q-plugin' RPC requests.

supported_extension_aliases =

(StrOpt) Comma separated list of supported extension aliases.

Modular Layer 2 (ml2) configuration options


The Modular Layer 2 (ml2) plug-in has two components: network types and mechanisms.
You can configure these components separately. This section describes these configuration
options.

MTU bug with VXLAN tunnelling


Due to a bug in Linux Bridge software maximum transmission unit (MTU) handling, using VXLAN tunnels does not work by default.
A simple workaround is to increase the MTU value of the physical interface
and physical switch fabric by at least 50 bytes. For example, increase the MTU
value to 1550. This value enables an automatic 50-byte MTU difference between the physical interface (1500) and the VXLAN interface (automatically
1500-50 = 1450). An MTU value of 1450 causes issues when virtual machine
taps are configured at an MTU value of 1500.
Another workaround is to decrease the virtual Ethernet devices' MTU. Set the
network_device_mtu option to 1450 in the neutron.conf file, and set
all guest virtual machines' MTU to the same value by using a DHCP option.
For information about how to use this option, see Configure OVS plug-in.

Table 8.12. Description of ML2 configuration options


Configuration option = Default value

Description

[ml2]
extension_drivers =

(ListOpt) An ordered list of extension driver entrypoints to be loaded from the neutron.ml2.extension_drivers namespace.

mechanism_drivers =

(ListOpt) An ordered list of networking mechanism driver entrypoints to be loaded from the neutron.ml2.mechanism_drivers namespace.

tenant_network_types = local

(ListOpt) Ordered list of network_types to allocate as tenant networks.

type_drivers = local, flat, vlan, gre, vxlan

(ListOpt) List of network type driver entrypoints to be loaded from the neutron.ml2.type_drivers namespace.

Modular Layer 2 (ml2) Flat Type configuration options


Table 8.13. Description of ML2 Flat mechanism driver configuration options
Configuration option = Default value

Description

[ml2_type_flat]


flat_networks =

(ListOpt) List of physical_network names with which flat networks can be created. Use * to allow flat networks with arbitrary physical_network names.

Modular Layer 2 (ml2) GRE Type configuration options


Table 8.14. Description of ML2 GRE configuration options
Configuration option = Default value

Description

[ml2_type_gre]
tunnel_id_ranges =

(ListOpt) Comma-separated list of <tun_min>:<tun_max> tuples enumerating ranges of GRE tunnel IDs that are available for tenant network allocation

Modular Layer 2 (ml2) VLAN Type configuration options


Table 8.15. Description of ML2 VLAN configuration options
Configuration option = Default value

Description

[ml2_type_vlan]
network_vlan_ranges =

(ListOpt) List of <physical_network>:<vlan_min>:<vlan_max> or <physical_network> specifying physical_network names usable for VLAN provider and tenant networks, as well as ranges of VLAN tags on each available for allocation to tenant networks.

Modular Layer 2 (ml2) VXLAN Type configuration options


Table 8.16. Description of ML2 VXLAN configuration options
Configuration option = Default value

Description

[ml2_type_vxlan]
vni_ranges =

(ListOpt) Comma-separated list of <vni_min>:<vni_max> tuples enumerating ranges of VXLAN VNI IDs that are available for tenant network allocation

vxlan_group = None

(StrOpt) Multicast group for VXLAN. If unset, disables VXLAN multicast mode.

Modular Layer 2 (ml2) Arista Mechanism configuration options


Table 8.17. Description of ML2 Arista mechanism driver configuration options
Configuration option = Default value

Description

[ml2_arista]
eapi_host =

(StrOpt) Arista EOS IP address. This is a required field. If not set, all communications to Arista EOS will fail.

eapi_password =

(StrOpt) Password for Arista EOS. This is a required field. If not set, all communications to Arista EOS will fail.

eapi_username =

(StrOpt) Username for Arista EOS. This is a required field. If not set, all communications to Arista EOS will fail.

region_name = RegionOne

(StrOpt) Defines Region Name that is assigned to this OpenStack Controller. This is useful when multiple OpenStack/Neutron controllers are managing the same Arista HW clusters. Note that this name must match with the region name registered (or known) to keystone service. Authentication with Keystone is performed by EOS. This is optional. If not set, a value of "RegionOne" is assumed.

sync_interval = 180

(IntOpt) Sync interval in seconds between Neutron plugin and EOS. This interval defines how often the synchronization is performed. This is an optional field. If not set, a value of 180 seconds is assumed.

use_fqdn = True

(BoolOpt) Defines if hostnames are sent to Arista EOS as FQDNs ("node1.domain.com") or as short names ("node1"). This is optional. If not set, a value of "True" is assumed.

Table 8.18. Description of Arista layer-3 service plug-in configuration options


Configuration option = Default value

Description

[l3_arista]
l3_sync_interval = 180

(IntOpt) Sync interval in seconds between L3 Service plugin and EOS. This interval defines how often the synchronization is performed. This is an optional field. If not set, a value of 180 seconds is assumed

mlag_config = False

(BoolOpt) This flag is used to indicate if Arista Switches are configured in MLAG mode. If yes, all L3 config is pushed to both the switches automatically. If this flag is set to True, ensure to specify IP addresses of both switches. This is optional. If not set, a value of "False" is assumed.

primary_l3_host =

(StrOpt) Arista EOS IP address. This is a required field. If not set, all communications to Arista EOS will fail

primary_l3_host_password =

(StrOpt) Password for Arista EOS. This is a required field. If not set, all communications to Arista EOS will fail

primary_l3_host_username =

(StrOpt) Username for Arista EOS. This is a required field. If not set, all communications to Arista EOS will fail

secondary_l3_host =

(StrOpt) Arista EOS IP address for second Switch MLAGed with the first one. This is an optional field, however, if mlag_config flag is set, then this is required. If not set, all communications to Arista EOS will fail

use_vrf = False

(BoolOpt) A "True" value for this flag indicates to create a router in VRF. If not set, all routers are created in default VRF. This is optional. If not set, a value of "False" is assumed.

Modular Layer 2 (ml2) BigSwitch Mechanism configuration options


Table 8.19. Description of ML2 BigSwitch mechanism driver configuration options
Configuration option = Default value

Description

[NOVA]
node_override_vif_802.1qbg =

(ListOpt) Nova compute nodes to manually set VIF type to 802.1qbg

node_override_vif_802.1qbh =

(ListOpt) Nova compute nodes to manually set VIF type to 802.1qbh

node_override_vif_binding_failed =

(ListOpt) Nova compute nodes to manually set VIF type to binding_failed

node_override_vif_bridge =

(ListOpt) Nova compute nodes to manually set VIF type to bridge

node_override_vif_distributed =

(ListOpt) Nova compute nodes to manually set VIF type to distributed


node_override_vif_dvs =

(ListOpt) Nova compute nodes to manually set VIF type to dvs

node_override_vif_hostdev =

(ListOpt) Nova compute nodes to manually set VIF type to hostdev

node_override_vif_hw_veb =

(ListOpt) Nova compute nodes to manually set VIF type to hw_veb

node_override_vif_hyperv =

(ListOpt) Nova compute nodes to manually set VIF type to hyperv

node_override_vif_ivs =

(ListOpt) Nova compute nodes to manually set VIF type to ivs

node_override_vif_midonet =

(ListOpt) Nova compute nodes to manually set VIF type to midonet

node_override_vif_mlnx_direct =

(ListOpt) Nova compute nodes to manually set VIF type to mlnx_direct

node_override_vif_other =

(ListOpt) Nova compute nodes to manually set VIF type to other

node_override_vif_ovs =

(ListOpt) Nova compute nodes to manually set VIF type to ovs

node_override_vif_unbound =

(ListOpt) Nova compute nodes to manually set VIF type to unbound

node_override_vif_vrouter =

(ListOpt) Nova compute nodes to manually set VIF type to vrouter

vif_type = ovs

(StrOpt) Virtual interface type to configure on Nova compute nodes

vif_types = unbound, binding_failed, ovs, ivs, bridge, 802.1qbg, 802.1qbh, hyperv, midonet, mlnx_direct, hostdev, hw_veb, dvs, other, distributed, vrouter

(ListOpt) List of allowed vif_type values.

[RESTPROXY]
add_meta_server_route = True

(BoolOpt) Flag to decide if a route to the metadata server should be injected into the VM

auto_sync_on_failure = True

(BoolOpt) If neutron fails to create a resource because the backend controller doesn't know of a dependency, the plugin automatically triggers a full data synchronization to the controller.

cache_connections = True

(BoolOpt) Re-use HTTP/HTTPS connections to the controller.

consistency_interval = 60

(IntOpt) Time between verifications that the backend controller database is consistent with Neutron. (0 to disable)

neutron_id = neutron-shock

(StrOpt) User defined identifier for this Neutron deployment

no_ssl_validation = False

(BoolOpt) Disables SSL certificate validation for controllers

server_auth = None

(StrOpt) The username and password for authenticating against the Big Switch or Floodlight controller.

server_ssl = True

(BoolOpt) If True, Use SSL when connecting to the Big Switch or Floodlight controller.

server_timeout = 10

(IntOpt) Maximum number of seconds to wait for proxy request to connect and complete.

servers = localhost:8800

(ListOpt) A comma separated list of Big Switch or Floodlight servers and port numbers. The plugin proxies the requests to the Big Switch/Floodlight server, which performs the networking configuration. Only one server is needed per deployment, but you may wish to deploy multiple servers to support failover.


ssl_cert_directory = /etc/neutron/plugins/bigswitch/ssl

(StrOpt) Directory containing ca_certs and host_certs certificate directories.

ssl_sticky = True

(BoolOpt) Trust and store the first certificate received for each controller address and use it to validate future connections to that address.

sync_data = False

(BoolOpt) Sync data on connect

thread_pool_size = 4

(IntOpt) Maximum number of threads to spawn to handle large volumes of port creations.

[RESTPROXYAGENT]
integration_bridge = br-int

(StrOpt) Name of integration bridge on compute nodes used for security group insertion.

polling_interval = 5

(IntOpt) Seconds between agent checks for port changes

virtual_switch_type = ovs

(StrOpt) Virtual switch type.

[ROUTER]
max_router_rules = 200

(IntOpt) Maximum number of router rules

tenant_default_router_rule = ['*:any:any:permit']

(MultiStrOpt) The default router rules installed in new tenant routers. Repeat the config option for each rule. Format is <tenant>:<source>:<destination>:<action>. Use an * to specify default for all tenants.

Modular Layer 2 (ml2) Brocade Mechanism configuration options


Table 8.20. Description of ML2 Brocade mechanism driver configuration options
Configuration option = Default value

Description

[ml2_brocade]
address =

(StrOpt) The address of the host to SSH to

ostype = NOS

(StrOpt) OS Type of the switch

osversion = 4.0.0

(StrOpt) OS Version number

password = password

(StrOpt) The SSH password to use

physical_networks =

(StrOpt) Allowed physical networks

rbridge_id = 1

(StrOpt) Rbridge id of provider edge router(s)

username = admin

(StrOpt) The SSH username to use

Modular Layer 2 (ml2) Cisco Mechanism configuration options


Table 8.21. Description of ML2 Cisco mechanism driver configuration options
Configuration option = Default value

Description

[DEFAULT]
apic_system_id = openstack

(StrOpt) Prefix for APIC domain/names/profiles created

[ml2_cisco]
managed_physical_network = None

(StrOpt) The physical network managed by the switches.

[ml2_cisco_apic]
apic_agent_poll_interval = 2

(FloatOpt) Interval between agent poll for topology (in sec)

apic_agent_report_interval = 30

(FloatOpt) Interval between agent status updates (in sec)

apic_app_profile_name = ${apic_system_id}_app

(StrOpt) Name for the app profile used for Openstack

apic_domain_name = ${apic_system_id}

(StrOpt) Name for the domain created on APIC


apic_entity_profile = ${apic_system_id}_entity_profile

(StrOpt) Name of the entity profile to be created

apic_function_profile = ${apic_system_id}_function_profile

(StrOpt) Name of the function profile to be created

apic_host_uplink_ports =

(ListOpt) The uplink ports to check for ACI connectivity

apic_hosts =

(ListOpt) An ordered list of host names or IP addresses of the APIC controller(s).

apic_lacp_profile = ${apic_system_id}_lacp_profile

(StrOpt) Name of the LACP profile to be created

apic_name_mapping = use_name

(StrOpt) Name mapping strategy to use: use_uuid | use_name

apic_node_profile = ${apic_system_id}_node_profile

(StrOpt) Name of the node profile to be created

apic_password = None

(StrOpt) Password for the APIC controller

apic_sync_interval = 0

(IntOpt) Synchronization interval in seconds

apic_use_ssl = True

(BoolOpt) Use SSL to connect to the APIC controller

apic_username = None

(StrOpt) Username for the APIC controller

apic_vlan_ns_name = ${apic_system_id}_vlan_ns

(StrOpt) Name for the vlan namespace to be used for Openstack

apic_vlan_range = 2:4093

(StrOpt) Range of VLANs to be used for Openstack

apic_vpc_pairs =

(ListOpt) The switch pairs for VPC connectivity

root_helper = sudo /usr/local/bin/neutron-rootwrap /etc/neutron/rootwrap.conf

(StrOpt) Setup root helper as rootwrap or sudo

Modular Layer 2 (ml2) Freescale SDN Mechanism configuration options


Table 8.22. Description of ML2 Freescale SDN mechanism driver configuration options
Configuration option = Default value

Description

[ml2_fslsdn]
crd_api_insecure = False

(BoolOpt) If set, ignore any SSL validation issues.

crd_auth_strategy = keystone

(StrOpt) Auth strategy for connecting to neutron in admin context.

crd_auth_url = http://127.0.0.1:5000/v2.0/

(StrOpt) CRD Auth URL.

crd_ca_certificates_file = None

(StrOpt) Location of ca certificates file to use for CRD client requests.

crd_password = password

(StrOpt) CRD Service Password.

crd_region_name = RegionOne

(StrOpt) Region name for connecting to CRD Service in admin context.

crd_tenant_name = service

(StrOpt) CRD Tenant Name.

crd_url = http://127.0.0.1:9797

(StrOpt) URL for connecting to CRD service.

crd_url_timeout = 30

(IntOpt) Timeout value for connecting to CRD service in seconds.

crd_user_name = crd

(StrOpt) CRD service Username.

Modular Layer 2 (ml2) Mellanox Mechanism configuration options


Table 8.23. Description of Mellanox ML2 mechanism driver configuration options
Configuration option = Default value

Description

[ESWITCH]


vnic_type = mlnx_direct

(StrOpt) Type of VM network interface: mlnx_direct or hostdev

Modular Layer 2 (ml2) OpenDaylight Mechanism configuration options


Table 8.24. Description of ML2 OpenDaylight mechanism driver configuration options
Configuration option = Default value

Description

[ml2_odl]
password = None

(StrOpt) HTTP password for authentication

session_timeout = 30

(IntOpt) Tomcat session timeout in minutes.

timeout = 10

(IntOpt) HTTP timeout in seconds.

url = None

(StrOpt) HTTP URL of OpenDaylight REST interface.

username = None

(StrOpt) HTTP username for authentication

Modular Layer 2 (ml2) OpenFlow Mechanism configuration options


Table 8.25. Description of ML2 ofagent mechanism driver configuration options
Configuration option = Default value

Description

[DEFAULT]
ofp_listen_host =

(StrOpt) openflow listen host

ofp_ssl_listen_port = 6633

(IntOpt) openflow ssl listen port

ofp_tcp_listen_port = 6633

(IntOpt) openflow tcp listen port

[AGENT]
dont_fragment = True

(BoolOpt) Set or un-set the don't fragment (DF) bit on outgoing IP packet carrying GRE/VXLAN tunnel.

get_datapath_retry_times = 60

(IntOpt) Number of seconds to retry acquiring an Open vSwitch datapath

physical_interface_mappings =

(ListOpt) List of <physical_network>:<physical_interface>

Modular Layer 2 (ml2) L2 Population Mechanism configuration options


Table 8.26. Description of ML2 L2 population configuration options
Configuration option = Default value

Description

[l2pop]
agent_boot_time = 180

(IntOpt) Delay within which agent is expected to update existing ports when it restarts

Modular Layer 2 (ml2) Tail-f NCS Mechanism configuration options


Table 8.27. Description of ML2 NCS mechanism driver configuration options
Configuration option = Default value

Description

[ml2_ncs]
password = None

(StrOpt) HTTP password for authentication


timeout = 10

(IntOpt) HTTP timeout in seconds.

url = None

(StrOpt) HTTP URL of Tail-f NCS REST interface.

username = None

(StrOpt) HTTP username for authentication

Modular Layer 2 (ml2) SR-IOV Mechanism configuration options


Table 8.28. Description of ML2 SR-IOV driver configuration options
Configuration option = Default value

Description

[ml2_sriov]
agent_required = False

(BoolOpt) SRIOV neutron agent is required for port binding

supported_pci_vendor_devs = 15b3:1004, 8086:10c9

(ListOpt) Supported PCI vendor devices, defined by vendor_id:product_id according to the PCI ID Repository. Default enables support for Intel and Mellanox SR-IOV capable NICs

MidoNet configuration options


Table 8.29. Description of Midonet configuration options
Configuration option = Default value

Description

[MIDONET]
midonet_host_uuid_path = /etc/midolman/host_uuid.properties

(StrOpt) Path to midonet host uuid file

midonet_uri = http://localhost:8080/midonet-api

(StrOpt) MidoNet API server URI.

mode = dev

(StrOpt) Operational mode. Internal dev use only.

password = passw0rd

(StrOpt) MidoNet admin password.

project_id = 77777777-7777-7777-7777-777777777777

(StrOpt) ID of the project that MidoNet admin user belongs to.

provider_router_id = None

(StrOpt) Virtual provider router ID.

username = admin

(StrOpt) MidoNet admin username.

NEC configuration options


Table 8.30. Description of Nec configuration options
Configuration option = Default value

Description

[OFC]
api_max_attempts = 3

(IntOpt) Maximum attempts per OFC API request. NEC plugin retries API request to OFC when OFC returns ServiceUnavailable (503). The value must be greater than 0.

cert_file = None

(StrOpt) Location of certificate file.

driver = trema

(StrOpt) Driver to use.

enable_packet_filter = True

(BoolOpt) Enable packet filter.

host = 127.0.0.1

(StrOpt) Host to connect to.

insecure_ssl = False

(BoolOpt) Disable SSL certificate verification.

key_file = None

(StrOpt) Location of key file.

path_prefix =

(StrOpt) Base URL of OFC REST API. It is prepended to each API request.


port = 8888

(StrOpt) Port to connect to.

use_ssl = False

(BoolOpt) Use SSL to connect.

[PROVIDER]
default_router_provider = l3-agent

(StrOpt) Default router provider to use.

router_providers = l3-agent, openflow

(ListOpt) List of enabled router providers.

[fwaas]
driver =

(StrOpt) Name of the FWaaS Driver

Nuage configuration options


Table 8.31. Description of Nuage configuration options
Configuration option = Default value

Description

[RESTPROXY]
auth_resource =

(StrOpt) Nuage provided uri for initial authorization to access VSD

base_uri = /

(StrOpt) Nuage provided base uri to reach out to VSD

default_floatingip_quota = 254

(IntOpt) Per Net Partition quota of floating ips

default_net_partition_name = OpenStackDefaultNetPartition

(StrOpt) Default Network partition in which VSD will orchestrate network resources using openstack

organization = system

(StrOpt) Organization name in which VSD will orchestrate network resources using openstack

server = localhost:8800

(StrOpt) IP Address and Port of Nuage's VSD server

serverauth = username:password

(StrOpt) Username and password for authentication

serverssl = False

(BoolOpt) Boolean for SSL connection with VSD server

[SYNCMANAGER]
enable_sync = False

(BoolOpt) Nuage plugin will sync resources between openstack and VSD

sync_interval = 0

(IntOpt) Sync interval in seconds between openstack and VSD. It defines how often the synchronization is done. If not set, value of 0 is assumed and sync will be performed only once, at the Neutron startup time.

One Convergence NVSD configuration options


Table 8.32. Description of NVSD driver configuration options
Configuration option = Default value

Description

[AGENT]
integration_bridge = br-int

(StrOpt) integration bridge

[nvsd]
nvsd_ip = 127.0.0.1

(StrOpt) NVSD Controller IP address

nvsd_passwd = oc123

(StrOpt) NVSD Controller password

nvsd_port = 8082

(IntOpt) NVSD Controller Port number

nvsd_retries = 0

(IntOpt) Number of login retries to NVSD controller

nvsd_user = ocplugin

(StrOpt) NVSD Controller username

request_timeout = 30

(IntOpt) NVSD controller REST API request timeout in seconds


OpenContrail configuration options


Table 8.33. Description of OpenContrail configuration options
Configuration option = Default value

Description

[CONTRAIL]
api_server_ip = 127.0.0.1

(StrOpt) IP address to connect to opencontrail controller

api_server_port = 8082

(IntOpt) Port to connect to opencontrail controller

Open vSwitch Agent configuration options


Table 8.34. Description of Open vSwitch agent configuration options
Configuration option = Default value

Description

[DEFAULT]
ovs_integration_bridge = br-int

(StrOpt) Name of Open vSwitch bridge to use

ovs_use_veth = False

(BoolOpt) Uses veth for an interface or not

ovs_vsctl_timeout = 10

(IntOpt) Timeout in seconds for ovs-vsctl commands

[AGENT]
arp_responder = False

(BoolOpt) Enable local ARP responder if it is supported. Requires OVS 2.1 and ML2 l2population driver. Allows the switch (when supporting an overlay) to respond to an ARP request locally without performing a costly ARP broadcast into the overlay.

dont_fragment = True

(BoolOpt) Set or un-set the don't fragment (DF) bit on outgoing IP packet carrying GRE/VXLAN tunnel.

enable_distributed_routing = False

(BoolOpt) Make the l2 agent run in DVR mode.

l2_population = False

(BoolOpt) Use ML2 l2population mechanism driver to learn remote MAC and IPs and improve tunnel scalability.

minimize_polling = True

(BoolOpt) Minimize polling by monitoring ovsdb for interface changes.

ovsdb_monitor_respawn_interval = 30

(IntOpt) The number of seconds to wait before respawning the ovsdb monitor after losing communication with it.

tunnel_types =

(ListOpt) Network types supported by the agent (gre and/or vxlan).

veth_mtu = None

(IntOpt) MTU size of veth interfaces

vxlan_udp_port = 4789

(IntOpt) The UDP port to use for VXLAN tunnels.

[CISCO_N1K]
local_ip = 10.0.0.3

(StrOpt) N1K Local IP

[OVS]
bridge_mappings =

(ListOpt) List of <physical_network>:<bridge>. Deprecated for ofagent.

enable_tunneling = False

(BoolOpt) Enable tunneling support.

int_peer_patch_port = patch-tun

(StrOpt) Peer patch port in integration bridge for tunnel bridge.

integration_bridge = br-int

(StrOpt) Integration bridge to use.

local_ip =

(StrOpt) Local IP address of GRE tunnel endpoints.

network_vlan_ranges =

(ListOpt) List of <physical_network>:<vlan_min>:<vlan_max> or <physical_network>.

tenant_network_type = local

(StrOpt) Network type for tenant networks (local, vlan, gre, vxlan, or none).


tun_peer_patch_port = patch-int

(StrOpt) Peer patch port in tunnel bridge for integration bridge.

tunnel_bridge = br-tun

(StrOpt) Tunnel bridge to use.

tunnel_id_ranges =

(ListOpt) List of <tun_min>:<tun_max>.

tunnel_type =

(StrOpt) The type of tunnels to use when utilizing tunnels, either 'gre' or 'vxlan'.

use_veth_interconnection = False

(BoolOpt) Use veths instead of patch ports to interconnect the integration bridge to physical bridges.

PLUMgrid configuration options


Table 8.35. Description of PLUMgrid configuration options
Configuration option = Default value

Description

[plumgriddirector]
director_server = localhost

(StrOpt) PLUMgrid Director server to connect to

director_server_port = 8080

(StrOpt) PLUMgrid Director server port to connect to

driver = neutron.plugins.plumgrid.drivers.plumlib.Plumlib

(StrOpt) PLUMgrid Driver

password = password

(StrOpt) PLUMgrid Director admin password

servertimeout = 5

(IntOpt) PLUMgrid Director server timeout

username = username

(StrOpt) PLUMgrid Director admin username

Ryu configuration options


Table 8.36. Description of RYU configuration options
Configuration option = Default value

Description

[DEFAULT]
wsapi_host =

(StrOpt) webapp listen host

wsapi_port = 8080

(IntOpt) webapp listen port

[OVS]
openflow_rest_api = 127.0.0.1:8080

(StrOpt) OpenFlow REST API location.

ovsdb_interface = None

(StrOpt) OVSDB interface to connect to.

ovsdb_ip = None

(StrOpt) OVSDB IP to connect to.

ovsdb_port = 6634

(IntOpt) OVSDB port to connect to.

tunnel_interface = None

(StrOpt) Tunnel interface to use.

tunnel_ip = None

(StrOpt) Tunnel IP to use.

tunnel_key_max = 16777215

(IntOpt) Maximum tunnel ID to use.

tunnel_key_min = 1

(IntOpt) Minimum tunnel ID to use.

SR-IOV configuration options


Table 8.37. Description of SR-IOV configuration options
Configuration option = Default value

Description

[SRIOV_NIC]
exclude_devices =

(ListOpt) List of <network_device>:<excluded_devices> mapping network_device to the agent's node-specific list of virtual functions that should not be used for virtual networking. excluded_devices is a semicolon separated list of virtual functions (BDF format) to exclude from network_device. The network_device in the mapping should appear in the physical_device_mappings list.

physical_device_mappings =

(ListOpt) List of <physical_network>:<network_device> mapping physical network names to the agent's node-specific physical network device of SR-IOV physical function to be used for VLAN networks. All physical networks listed in network_vlan_ranges on the server should have mappings to appropriate interfaces on each agent

VMware NSX configuration options


Table 8.38. Description of VMware configuration options
Configuration option = Default value

Description

[DEFAULT]
default_interface_name = breth0

(StrOpt) Name of the interface on a L2 Gateway transport node which should be used by default when setting up a network connection

default_l2_gw_service_uuid = None

(StrOpt) Unique identifier of the NSX L2 Gateway service which will be used by default for network gateways

default_l3_gw_service_uuid = None

(StrOpt) Unique identifier of the NSX L3 Gateway service which will be used for implementing routers and floating IPs

default_service_cluster_uuid = None

(StrOpt) Unique identifier of the Service Cluster which will be used by logical services like dhcp and metadata

default_tz_uuid = None

(StrOpt) This is uuid of the default NSX Transport zone that will be used for creating tunneled isolated "Neutron" networks. It needs to be created in NSX before starting Neutron with the nsx plugin.

http_timeout = 75

(IntOpt) Time before aborting a request

nsx_controllers = None

(ListOpt) Lists the NSX controllers in this cluster

nsx_password = admin

(StrOpt) Password for NSX controllers in this cluster

nsx_user = admin

(StrOpt) User name for NSX controllers in this cluster

redirects = 2

(IntOpt) Number of times a redirect should be followed

retries = 2

(IntOpt) Number of times a request should be retried

[ESWITCH]
retries = 3

(IntOpt) The number of retries the agent will send request to daemon before giving up

[NSX]
agent_mode = agent

(StrOpt) The mode used to implement DHCP/metadata services.

concurrent_connections = 10

(IntOpt) Maximum concurrent connections to each NSX controller.

default_transport_type = stt

(StrOpt) The default network transport type to use (stt, gre, bridge, ipsec_gre, or ipsec_stt)

max_lp_per_bridged_ls = 5000

(IntOpt) Maximum number of ports of a logical switch on a bridged transport zone (default 5000)

max_lp_per_overlay_ls = 256

(IntOpt) Maximum number of ports of a logical switch on an overlay transport zone (default 256)

metadata_mode = access_network

(StrOpt) If set to access_network this enables a dedicated connection to the metadata proxy for metadata server access via Neutron router. If set to dhcp_host_route this enables host route injection via the dhcp agent. This option is only useful if running on a host that does not support namespaces otherwise access_network should be used.

nsx_gen_timeout = -1

(IntOpt) Number of seconds a generation id should be valid for (default -1 meaning do not time out)

replication_mode = service

(StrOpt) The default option leverages service nodes to perform packet replication though one could set this to 'source' to perform replication locally. This is useful if one does not want to deploy a service node(s). It must be set to 'service' for leveraging distributed routers.

[NSX_DHCP]
default_lease_time = 43200

(IntOpt) Default DHCP lease time

domain_name = openstacklocal

(StrOpt) Domain to use for building the hostnames

extra_domain_name_servers =

(ListOpt) Comma separated list of additional domain name servers

[NSX_LSN]
sync_on_missing_data = False

(BoolOpt) Pull LSN information from NSX in case it is missing from the local data store. This is useful to rebuild the local store in case of server recovery.

[NSX_METADATA]
metadata_server_address = 127.0.0.1

(StrOpt) IP address used by Metadata server.

metadata_server_port = 8775

(IntOpt) TCP Port used by Metadata server.

metadata_shared_secret =

(StrOpt) Shared secret to sign instance-id request

[NSX_SYNC]
always_read_status = False

(BoolOpt) Always read operational status from backend on show operations. Enabling this option might slow down the system.

max_random_sync_delay = 0

(IntOpt) Maximum value for the additional random delay in seconds between runs of the state synchronization task

min_chunk_size = 500

(IntOpt) Minimum number of resources to be retrieved from NSX during state synchronization

min_sync_req_delay = 1

(IntOpt) Minimum delay, in seconds, between two state synchronization queries to NSX. It must not exceed state_sync_interval

state_sync_interval = 10

(IntOpt) Interval in seconds between runs of the state synchronization task. Set it to 0 to disable it

[vcns]
datacenter_moid = None

(StrOpt) Optional parameter identifying the ID of datacenter to deploy NSX Edges

datastore_id = None

(StrOpt) Optional parameter identifying the ID of datastore to deploy NSX Edges

deployment_container_id = None

(StrOpt) Optional parameter identifying the ID of datastore to deploy NSX Edges

external_network = None

(StrOpt) Network ID for physical network connectivity

manager_uri = None

(StrOpt) uri for vsm

password = default

(StrOpt) Password for vsm

resource_pool_id = None

(StrOpt) Optional parameter identifying the ID of resource to deploy NSX Edges

task_status_check_interval = 2000

(IntOpt) Task status check interval

user = admin

(StrOpt) User name for vsm


Configure the Oslo RPC messaging system


OpenStack projects use an open standard for messaging middleware known as AMQP. This
messaging middleware enables the OpenStack services that run on multiple servers to talk
to each other. OpenStack Oslo RPC supports three implementations of AMQP: RabbitMQ,
Qpid, and ZeroMQ.

Configure RabbitMQ

OpenStack Oslo RPC uses RabbitMQ by default. Use these options to configure the RabbitMQ message system. The rpc_backend option is optional as long as RabbitMQ is the default messaging system. However, if it is included in the configuration, you must set it to neutron.openstack.common.rpc.impl_kombu.

rpc_backend=neutron.openstack.common.rpc.impl_kombu

Use these options to configure the RabbitMQ messaging system. You can configure messaging communication for different installation scenarios, tune retries
for RabbitMQ, and define the size of the RPC thread pool. To monitor notifications through RabbitMQ, you must set the notification_driver option to
neutron.openstack.common.notifier.rpc_notifier in the neutron.conf file:

Table 8.39. Description of RabbitMQ configuration options


Configuration option = Default value

Description

[DEFAULT]
kombu_reconnect_delay = 1.0

(FloatOpt) How long to wait before reconnecting in response to an AMQP consumer cancel notification.

kombu_ssl_ca_certs =

(StrOpt) SSL certification authority file (valid only if SSL enabled).

kombu_ssl_certfile =

(StrOpt) SSL cert file (valid only if SSL enabled).

kombu_ssl_keyfile =

(StrOpt) SSL key file (valid only if SSL enabled).

kombu_ssl_version =

(StrOpt) SSL version to use (valid only if SSL enabled). Valid values are TLSv1, SSLv23 and SSLv3. SSLv2 may be available on some distributions.

rabbit_ha_queues = False

(BoolOpt) Use HA queues in RabbitMQ (x-ha-policy: all). If you change this option, you must wipe the RabbitMQ database.

rabbit_host = localhost

(StrOpt) The RabbitMQ broker address where a single node is used.

rabbit_hosts = $rabbit_host:$rabbit_port

(ListOpt) RabbitMQ HA cluster host:port pairs.

rabbit_login_method = AMQPLAIN

(StrOpt) the RabbitMQ login method

rabbit_max_retries = 0

(IntOpt) Maximum number of RabbitMQ connection retries. Default is 0 (infinite retry count).

rabbit_password = guest

(StrOpt) The RabbitMQ password.

rabbit_port = 5672

(IntOpt) The RabbitMQ broker port where a single node is used.

rabbit_retry_backoff = 2

(IntOpt) How long to backoff for between retries when connecting to RabbitMQ.

rabbit_retry_interval = 1

(IntOpt) How frequently to retry connecting with RabbitMQ.


rabbit_use_ssl = False

(BoolOpt) Connect over SSL for RabbitMQ.

rabbit_userid = guest

(StrOpt) The RabbitMQ userid.

rabbit_virtual_host = /

(StrOpt) The RabbitMQ virtual host.

Configure Qpid

Use these options to configure the Qpid messaging system for OpenStack Oslo RPC. Qpid is not the default messaging system, so you must enable it by setting the rpc_backend option in the neutron.conf file:

rpc_backend=neutron.openstack.common.rpc.impl_qpid

This critical option points the compute nodes to the Qpid broker (server). Set the
qpid_hostname option to the host name where the broker runs in the neutron.conf
file.

Note
The --qpid_hostname option accepts a host name or IP address value.
qpid_hostname=hostname.example.com

If the Qpid broker listens on a port other than the AMQP default of 5672, you must set the
qpid_port option to that value:
qpid_port=12345

If you configure the Qpid broker to require authentication, you must add a user name and
password to the configuration:
qpid_username=username
qpid_password=password

By default, TCP is used as the transport. To enable SSL, set the qpid_protocol option:
qpid_protocol=ssl

Use these additional options to configure the Qpid messaging driver for OpenStack Oslo
RPC. These options are used infrequently.

Table 8.40. Description of Qpid configuration options


Configuration option = Default value

Description

[DEFAULT]
qpid_heartbeat = 60

(IntOpt) Seconds between connection keepalive heartbeats.


qpid_hostname = localhost

(StrOpt) Qpid broker hostname.

qpid_hosts = $qpid_hostname:$qpid_port

(ListOpt) Qpid HA cluster host:port pairs.

qpid_password =

(StrOpt) Password for Qpid connection.

qpid_port = 5672

(IntOpt) Qpid broker port.

qpid_protocol = tcp

(StrOpt) Transport to use, either 'tcp' or 'ssl'.

qpid_receiver_capacity = 1

(IntOpt) The number of prefetched messages held by receiver.

qpid_sasl_mechanisms =

(StrOpt) Space separated list of SASL mechanisms to use for auth.

qpid_tcp_nodelay = True

(BoolOpt) Whether to disable the Nagle algorithm.

qpid_topology_version = 1

(IntOpt) The qpid topology version to use. Version 1 is what was originally used by impl_qpid. Version 2 includes some backwards-incompatible changes that allow broker federation to work. Users should update to version 2 when they are able to take everything down, as it requires a clean break.

qpid_username =

(StrOpt) Username for Qpid connection.

Configure ZeroMQ
Use these options to configure the ZeroMQ messaging system for OpenStack Oslo
RPC. ZeroMQ is not the default messaging system, so you must enable it by setting the
rpc_backend option in the neutron.conf file:

Table 8.41. Description of ZeroMQ configuration options


Configuration option = Default value

Description

[DEFAULT]
rpc_zmq_bind_address = *

(StrOpt) ZeroMQ bind address. Should be a wildcard (*), an ethernet interface, or IP. The "host" option should point or resolve to this address.

rpc_zmq_contexts = 1

(IntOpt) Number of ZeroMQ contexts, defaults to 1.

rpc_zmq_host = localhost

(StrOpt) Name of this node. Must be a valid hostname, FQDN, or IP address. Must match "host" option, if running Nova.

rpc_zmq_ipc_dir = /var/run/openstack

(StrOpt) Directory for holding IPC sockets.

rpc_zmq_matchmaker = oslo.messaging._drivers.matchmaker.MatchMakerLocalhost

(StrOpt) MatchMaker driver.

rpc_zmq_port = 9501

(IntOpt) ZeroMQ receiver listening port.

rpc_zmq_topic_backlog = None

(IntOpt) Maximum number of ingress messages to locally buffer per topic. Default is unlimited.

Configure messaging
Use these common options to configure the RabbitMQ, Qpid, and ZeroMq messaging
drivers:

Table 8.42. Description of RPC configuration options


Configuration option = Default value

Description

[DEFAULT]

matchmaker_heartbeat_freq = 300

(IntOpt) Heartbeat frequency.

matchmaker_heartbeat_ttl = 600

(IntOpt) Heartbeat time-to-live.

rpc_backend = neutron.openstack.common.rpc.impl_kombu

(StrOpt) The messaging module to use, defaults to kombu.

rpc_cast_timeout = 30

(IntOpt) Seconds to wait before a cast expires (TTL). Only supported by impl_zmq.

rpc_conn_pool_size = 30

(IntOpt) Size of RPC connection pool

rpc_response_timeout = 60

(IntOpt) Seconds to wait for a response from call or multicall

rpc_thread_pool_size = 64

(IntOpt) Size of RPC thread pool

rpc_workers = 0

(IntOpt) Number of RPC worker processes for service

[AGENT]
rpc_support_old_agents = False

(BoolOpt) Enable server RPC compatibility with old agents

Table 8.43. Description of Redis configuration options


Configuration option = Default value

Description

[matchmaker_redis]
host = 127.0.0.1

(StrOpt) Host to locate redis.

password = None

(StrOpt) Password for Redis server (optional).

port = 6379

(IntOpt) Use this port to connect to redis host.

[matchmaker_ring]
ringfile = /etc/oslo/matchmaker_ring.json

(StrOpt) Matchmaker ring file (JSON).

Table 8.44. Description of AMQP configuration options


Configuration option = Default value

Description

[DEFAULT]
amqp_auto_delete = False

(BoolOpt) Auto-delete queues in amqp.

amqp_durable_queues = False

(BoolOpt) Use durable queues in amqp.

control_exchange = openstack

(StrOpt) AMQP exchange to connect to if using RabbitMQ or Qpid

notification_driver = []

(MultiStrOpt) Driver or drivers to handle sending notifications.

notification_topics = notifications

(ListOpt) AMQP topic used for OpenStack notifications.

transport_url = None

(StrOpt) A URL representing the messaging driver to use and its full configuration. If not set, we fall back to the rpc_backend option and driver specific configuration.

Agent
Use the following options to alter agent-related settings.

Table 8.45. Description of agent configuration options


Configuration option = Default value

Description

[DEFAULT]
external_pids = $state_path/external/pids

(StrOpt) Location to store child pid files

network_device_mtu = None

(IntOpt) MTU setting for device.


API
Use the following options to alter API-related settings.

Table 8.46. Description of API configuration options


Configuration option = Default value

Description

[DEFAULT]
allow_bulk = True

(BoolOpt) Allow the usage of the bulk API

allow_pagination = False

(BoolOpt) Allow the usage of the pagination

allow_sorting = False

(BoolOpt) Allow the usage of the sorting

api_extensions_path =

(StrOpt) The path for API extensions

api_paste_config = api-paste.ini

(StrOpt) The API paste config file to use

backlog = 4096

(IntOpt) Number of backlog requests to configure the socket with

max_header_line = 16384

(IntOpt) Max header line to accommodate large tokens

max_request_body_size = 114688

(IntOpt) The maximum body size of each request, in bytes.

pagination_max_limit = -1

(StrOpt) The maximum number of items returned in a single response. A value of 'infinite' or a negative integer means no limit.

retry_until_window = 30

(IntOpt) Number of seconds to keep retrying to listen

run_external_periodic_tasks = True

(BoolOpt) Some periodic tasks can be run in a separate process. Should we run them here?

service_plugins =

(ListOpt) The service plugins Neutron will use

tcp_keepidle = 600

(IntOpt) Sets the value of TCP_KEEPIDLE in seconds for each server socket. Not supported on OS X.

[service_providers]
service_provider = []

(MultiStrOpt) Defines providers for advanced services using the format: <service_type>:<name>:<driver>[:default]

Token authentication
Use the following options to alter token authentication settings.

Table 8.47. Description of authorization token configuration options


Configuration option = Default value

Description

[keystone_authtoken]
admin_password = None

(StrOpt) Keystone account password

admin_tenant_name = admin

(StrOpt) Keystone service account tenant name to validate user tokens

admin_token = None

(StrOpt) This option is deprecated and may be removed in a future release. Single shared secret with the Keystone configuration used for bootstrapping a Keystone installation, or otherwise bypassing the normal authentication process. This option should not be used, use `admin_user` and `admin_password` instead.

admin_user = None

(StrOpt) Keystone account username

auth_admin_prefix =

(StrOpt) Prefix to prepend at the beginning of the path. Deprecated, use identity_uri.

auth_host = 127.0.0.1

(StrOpt) Host providing the admin Identity API endpoint. Deprecated, use identity_uri.


auth_port = 35357

(IntOpt) Port of the admin Identity API endpoint. Deprecated, use identity_uri.

auth_protocol = https

(StrOpt) Protocol of the admin Identity API endpoint (http or https). Deprecated, use identity_uri.

auth_uri = None

(StrOpt) Complete public Identity API endpoint

auth_version = None

(StrOpt) API version of the admin Identity API endpoint

cache = None

(StrOpt) Env key for the swift cache

cafile = None

(StrOpt) A PEM encoded Certificate Authority to use when verifying HTTPS connections. Defaults to system CAs.

certfile = None

(StrOpt) Required if Keystone server requires client certificate

check_revocations_for_cached = False

(BoolOpt) If true, the revocation list will be checked for cached tokens. This requires that PKI tokens are configured on the Keystone server.

delay_auth_decision = False

(BoolOpt) Do not handle authorization requests within the middleware, but delegate the authorization decision to downstream WSGI components

enforce_token_bind = permissive

(StrOpt) Used to control the use and type of token binding. Can be set to: "disabled" to not check token binding.
"permissive" (default) to validate binding information if
the bind type is of a form known to the server and ignore
it if not. "strict" like "permissive" but if the bind type is unknown the token will be rejected. "required" any form of
token binding is needed to be allowed. Finally the name of
a binding method that must be present in tokens.

hash_algorithms = md5

(ListOpt) Hash algorithms to use for hashing PKI tokens. This may be a single algorithm or multiple. The algorithms are those supported by Python standard hashlib.new(). The hashes will be tried in the order given, so put the preferred one first for performance. The result of the first hash will be stored in the cache. This will typically be set to multiple values only while migrating from a less secure algorithm to a more secure one. Once all the old tokens are expired this option should be set to a single value for better performance.

http_connect_timeout = None

(BoolOpt) Request timeout value for communicating with Identity API server.

http_request_max_retries = 3

(IntOpt) How many times are we trying to reconnect when communicating with Identity API Server.

identity_uri = None

(StrOpt) Complete admin Identity API endpoint. This should specify the unversioned root endpoint e.g. https://localhost:35357/

include_service_catalog = True

(BoolOpt) (optional) indicate whether to set the X-Service-Catalog header. If False, middleware will not ask for service catalog on token validation and will not set the X-Service-Catalog header.

insecure = False

(BoolOpt) Verify HTTPS connections.

keyfile = None

(StrOpt) Required if Keystone server requires client certificate

memcache_secret_key = None

(StrOpt) (optional, mandatory if memcache_security_strategy is defined) this string is used for key derivation.

memcache_security_strategy = None

(StrOpt) (optional) if defined, indicate whether token data should be authenticated or authenticated and encrypted. Acceptable values are MAC or ENCRYPT. If MAC, token data is authenticated (with HMAC) in the cache. If ENCRYPT, token data is encrypted and authenticated in the cache. If the value is not one of these options or empty, auth_token will raise an exception on initialization.

revocation_cache_time = 10

(IntOpt) Determines the frequency at which the list of revoked tokens is retrieved from the Identity service (in seconds). A high number of revocation events combined with a low cache duration may significantly reduce performance.

signing_dir = None

(StrOpt) Directory used to cache files related to PKI tokens

token_cache_time = 300

(IntOpt) In order to prevent excessive effort spent validating tokens, the middleware caches previously-seen tokens
for a configurable duration (in seconds). Set to -1 to disable caching completely.
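
How the lookup order described for hash_algorithms plays out during a migration from md5 to sha256, as an added illustration (not keystonemiddleware's own code). The dict-based cache, the function names and the token strings are assumptions made for the example.

```python
import hashlib


def token_hashes(token, hash_algorithms):
    """Yield (algorithm, hex digest) for the token, in the configured order."""
    for name in hash_algorithms:
        if name not in hashlib.algorithms_available:
            raise ValueError("hashlib does not support %r" % name)
        yield name, hashlib.new(name, token.encode("utf-8")).hexdigest()


def cache_store(cache, token, hash_algorithms, value):
    """Store a validated token under the FIRST configured hash only."""
    _, key = next(token_hashes(token, hash_algorithms))
    cache[key] = value
    return key


def cache_lookup(cache, token, hash_algorithms):
    """Try each hash in order; return (value, algorithm, hashes_computed)."""
    computed = 0
    for name, key in token_hashes(token, hash_algorithms):
        computed += 1
        if key in cache:
            return cache[key], name, computed
    return None, None, computed


def migration_demo():
    """Walk one cache through the three phases of an md5 -> sha256 migration."""
    cache = {}
    # Phase 1: the default setting; tokens are cached under their md5 hash.
    cache_store(cache, "constructed-token-A", ["md5"], "A-validated")

    # Phase 2: migrating. The preferred algorithm comes first, the old one is
    # kept so that entries written in phase 1 are still found.
    migrating = ["sha256", "md5"]
    old_hit = cache_lookup(cache, "constructed-token-A", migrating)
    cache_store(cache, "constructed-token-B", migrating, "B-validated")
    new_hit = cache_lookup(cache, "constructed-token-B", migrating)

    # Phase 3: single value again. Entries keyed by md5 are no longer
    # reachable, which is why this waits until the old tokens have expired.
    after = cache_lookup(cache, "constructed-token-A", ["sha256"])
    return old_hit, new_hit, after


if __name__ == "__main__":
    for result in migration_demo():
        print(result)
```
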

Compute
Use the following options to alter Compute-related settings.

Table 8.48. Description of Compute configuration options


Configuration option = Default value

Description

[DEFAULT]
notify_nova_on_port_data_changes = True

(BoolOpt) Send notification to nova when port data (fixed_ips/floatingip) changes so nova can update its cache.

notify_nova_on_port_status_changes = True

(BoolOpt) Send notification to nova when port status changes

nova_admin_auth_url = http://localhost:5000/v2.0

(StrOpt) Authorization URL for connecting to nova in admin context

nova_admin_password = None

(StrOpt) Password for connection to nova in admin context

nova_admin_tenant_id = None

(StrOpt) The uuid of the admin nova tenant

nova_admin_username = None

(StrOpt) Username for connecting to nova in admin context

nova_api_insecure = False

(BoolOpt) If True, ignore any SSL validation issues

nova_ca_certificates_file = None

(StrOpt) CA file for novaclient to verify server certificates

nova_client_cert =

(StrOpt) Client certificate for nova metadata api server.

nova_client_priv_key =

(StrOpt) Private key of client certificate.

nova_region_name = None

(StrOpt) Name of nova region to use. Useful if keystone manages more than one region.

nova_url = http://127.0.0.1:8774/v2

(StrOpt) URL for connection to nova

send_events_interval = 2

(IntOpt) Number of seconds between sending events to nova if there are any events to send.

Database
Use the following options to alter Database-related settings.

Table 8.49. Description of database configuration options


Configuration option = Default value

Description

[database]
backend = sqlalchemy

(StrOpt) The back end to use for the database.


connection = None

(StrOpt) The SQLAlchemy connection string to use to connect to the database.

connection_debug = 0

(IntOpt) Verbosity of SQL debugging information: 0=None, 100=Everything.

connection_trace = False

(BoolOpt) Add Python stack traces to SQL as comment strings.

db_inc_retry_interval = True

(BoolOpt) If True, increases the interval between database connection retries up to db_max_retry_interval.

db_max_retries = 20

(IntOpt) Maximum database connection retries before error is raised. Set to -1 to specify an infinite retry count.

db_max_retry_interval = 10

(IntOpt) If db_inc_retry_interval is set, the maximum seconds between database connection retries.

db_retry_interval = 1

(IntOpt) Seconds between database connection retries.

idle_timeout = 3600

(IntOpt) Timeout before idle SQL connections are reaped.

max_overflow = None

(IntOpt) If set, use this value for max_overflow with SQLAlchemy.

max_pool_size = None

(IntOpt) Maximum number of SQL connections to keep open in a pool.

max_retries = 10

(IntOpt) Maximum db connection retries during startup. Set to -1 to specify an infinite retry count.

min_pool_size = 1

(IntOpt) Minimum number of SQL connections to keep open in a pool.

mysql_sql_mode = TRADITIONAL

(StrOpt) The SQL mode to be used for MySQL sessions. This option, including the default, overrides any server-set SQL mode. To use whatever SQL mode is set by the server configuration, set this to no value. Example: mysql_sql_mode=

pool_timeout = None

(IntOpt) If set, use this value for pool_timeout with SQLAlchemy.

retry_interval = 10

(IntOpt) Interval between retries of opening a SQL connection.

slave_connection = None

(StrOpt) The SQLAlchemy connection string to use to connect to the slave database.

sqlite_db = oslo.sqlite

(StrOpt) The file name to use with SQLite.

sqlite_synchronous = True

(BoolOpt) If True, SQLite uses synchronous mode.

use_db_reconnect = False

(BoolOpt) Enable the experimental use of database reconnect on connection lost.

Logging
Use the following options to alter debug settings.

Table 8.50. Description of logging configuration options


Configuration option = Default value

Description

[DEFAULT]
backdoor_port = None

(StrOpt) Enable eventlet backdoor. Acceptable values are 0, <port>, and <start>:<end>, where 0 results in listening on a random tcp port number; <port> results in listening on the specified port number (and not enabling backdoor if that port is in use); and <start>:<end> results in listening on the smallest unused port number within the specified range of port numbers. The chosen port is displayed in the service's log file.


disable_process_locking = False

(BoolOpt) Whether to disable inter-process locks
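
A small audit of the transport, token and backdoor options documented in the tables above, run against a neutron.conf text; this is an added example, not part of the OpenStack documentation or code. The sample files and placeholder values are constructed, and which settings count as a finding is this example's assumption.

```python
import configparser

# Defaults as documented in the tables above; an option missing from the file
# takes its default, so the default value is what gets audited.
DEFAULTS = {
    ("DEFAULT", "rpc_backend"): "neutron.openstack.common.rpc.impl_kombu",
    ("DEFAULT", "rabbit_use_ssl"): "False",
    ("DEFAULT", "rabbit_userid"): "guest",
    ("DEFAULT", "rabbit_password"): "guest",
    ("DEFAULT", "qpid_protocol"): "tcp",
    ("DEFAULT", "nova_api_insecure"): "False",
    ("DEFAULT", "backdoor_port"): "",
    ("keystone_authtoken", "insecure"): "False",
    ("keystone_authtoken", "admin_token"): "",
    ("keystone_authtoken", "hash_algorithms"): "md5",
    ("keystone_authtoken", "memcache_security_strategy"): "",
    ("keystone_authtoken", "memcache_secret_key"): "",
}


def _is_true(value):
    return value.lower() in ("true", "1", "yes", "on")


def audit(conf_text):
    """Return [(section, option, reason), ...] for one neutron.conf text."""
    # [DEFAULT] is read as an ordinary section so it does not leak values into
    # [keystone_authtoken]; interpolation is off because log formats contain '%'.
    parser = configparser.ConfigParser(
        default_section="__unused__", interpolation=None, strict=False)
    parser.read_string(conf_text)

    def get(section, option):
        return parser.get(section, option, fallback=DEFAULTS[section, option]).strip()

    found = []
    backend = get("DEFAULT", "rpc_backend")
    if backend.endswith("impl_kombu"):
        if not _is_true(get("DEFAULT", "rabbit_use_ssl")):
            found.append(("DEFAULT", "rabbit_use_ssl", "RabbitMQ link is not SSL"))
        if (get("DEFAULT", "rabbit_userid") == "guest"
                and get("DEFAULT", "rabbit_password") == "guest"):
            found.append(("DEFAULT", "rabbit_password", "default guest/guest login"))
    elif backend.endswith("impl_qpid"):
        if get("DEFAULT", "qpid_protocol").lower() != "ssl":
            found.append(("DEFAULT", "qpid_protocol", "Qpid transport is plain tcp"))
    if _is_true(get("DEFAULT", "nova_api_insecure")):
        found.append(("DEFAULT", "nova_api_insecure", "SSL validation issues ignored"))
    if get("DEFAULT", "backdoor_port"):
        found.append(("DEFAULT", "backdoor_port", "eventlet backdoor is enabled"))

    sec = "keystone_authtoken"
    # Assumption: as in keystonemiddleware, insecure=true turns verification off.
    if _is_true(get(sec, "insecure")):
        found.append((sec, "insecure", "HTTPS verification is disabled"))
    if get(sec, "admin_token"):
        found.append((sec, "admin_token", "deprecated shared secret in use"))
    algorithms = [a.strip().lower() for a in get(sec, "hash_algorithms").split(",")]
    if algorithms[0] == "md5":
        found.append((sec, "hash_algorithms", "md5 is the preferred token hash"))
    strategy = get(sec, "memcache_security_strategy")
    if not strategy:
        found.append((sec, "memcache_security_strategy",
                      "cached token data is neither authenticated nor encrypted"))
    elif strategy not in ("MAC", "ENCRYPT"):
        found.append((sec, "memcache_security_strategy",
                      "invalid value, auth_token raises on initialization"))
    elif not get(sec, "memcache_secret_key"):
        found.append((sec, "memcache_secret_key", "required with a strategy set"))
    return found


# Constructed sample files; secrets are placeholders.
WEAK_CONF = """
[DEFAULT]
nova_api_insecure = True
backdoor_port = 4444
log_date_format = %Y-%m-%d %H:%M:%S

[keystone_authtoken]
admin_token = ADMIN_TOKEN_PLACEHOLDER
insecure = true
"""

HARDENED_CONF = """
[DEFAULT]
rpc_backend = neutron.openstack.common.rpc.impl_qpid
qpid_protocol = ssl

[keystone_authtoken]
hash_algorithms = sha256
memcache_security_strategy = ENCRYPT
memcache_secret_key = SECRET_KEY_PLACEHOLDER
"""

if __name__ == "__main__":
    for section, option, reason in audit(WEAK_CONF):
        print("[%s] %s: %s" % (section, option, reason))
```
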


DHCP agent
Use the following options to alter DHCP agent-related settings.

Table 8.51. Description of DHCP agent configuration options


Configuration option = Default value

Description

[DEFAULT]
dnsmasq_config_file =

(StrOpt) Override the default dnsmasq settings with this file

dnsmasq_dns_servers = None

(ListOpt) Comma-separated list of the DNS servers which will be used as forwarders.

dnsmasq_lease_max = 16777216

(IntOpt) Limit number of leases to prevent a denial-of-service.

enable_isolated_metadata = False

(BoolOpt) Support Metadata requests on isolated networks.

enable_metadata_network = False

(BoolOpt) Allows for serving metadata requests from a dedicated network. Requires enable_isolated_metadata = True

num_sync_threads = 4

(IntOpt) Number of threads to use during sync process.

resync_interval = 5

(IntOpt) Interval to resync.

use_namespaces = True

(BoolOpt) Allow overlapping IP.

Distributed virtual router


Use the following options to alter DVR-related settings.

Table 8.52. Description of DVR configuration options


Configuration option = Default value

Description

[DEFAULT]
dvr_base_mac = fa:16:3f:00:00:00

(StrOpt) The base mac address used for unique DVR instances by Neutron

router_distributed = False

(BoolOpt) System-wide flag to determine the type of router that tenants can create. Only admin can override.

Embrane LBaaS driver


Use the following options to alter Embrane Load-Balancer-as-a-Service related settings.

Table 8.53. Description of Embrane LBaaS driver configuration options


Configuration option = Default value

Description

[heleoslb]
admin_password = None

(StrOpt) ESM admin password.

admin_username = None

(StrOpt) ESM admin username.

async_requests = None

(BoolOpt) Define if the requests have run asynchronously or not

dummy_utif_id = None

(StrOpt) Dummy user traffic Security Zone id for LBs


esm_mgmt = None

(StrOpt) ESM management root address

inband_id = None

(StrOpt) In band Security Zone id for LBs

lb_flavor = small

(StrOpt) choose LB image flavor to use, accepted values: small, medium

lb_image = None

(StrOpt) Load Balancer image id (Embrane LB)

mgmt_id = None

(StrOpt) Management Security Zone id for LBs

oob_id = None

(StrOpt) Out of band Security Zone id for LBs

resource_pool_id = None

(StrOpt) Shared resource pool id

sync_interval = 60

(IntOpt) resource synchronization interval in seconds

Firewall-as-a-Service driver
Use the following options in the fwaas_driver.ini file for the FWaaS driver.

Table 8.54. Description of FwaaS configuration options


Configuration option = Default value

Description

[fwaas]
enabled = False

(BoolOpt) Enable FWaaS

IPv6 router advertisement


Use the following options to alter IPv6 RA settings.

Table 8.55. Description of IPv6 router advertisement configuration options


Configuration option = Default value

Description

[DEFAULT]
ra_confs = $state_path/ra

(StrOpt) Location to store IPv6 RA config files

L3 agent
Use the following options in the l3_agent.ini file for the L3 agent.

Table 8.56. Description of L3 agent configuration options


Configuration option = Default value

Description

[DEFAULT]
agent_mode = legacy

(StrOpt) The working mode for the agent. Allowed modes are: 'legacy' - this preserves the existing behavior where the L3 agent is deployed on a centralized networking node to provide L3 services like DNAT, and SNAT. Use this mode if you do not want to adopt DVR. 'dvr' - this mode enables DVR functionality and must be used for an L3 agent that runs on a compute host. 'dvr_snat' - this enables centralized SNAT support in conjunction with DVR. This mode must be used for an L3 agent running on a centralized node (or in single-host deployments, e.g. devstack)

allow_automatic_l3agent_failover = False

(BoolOpt) Automatically reschedule routers from offline L3 agents to online L3 agents.

enable_metadata_proxy = True

(BoolOpt) Allow running metadata proxy.


external_network_bridge = br-ex

(StrOpt) Name of bridge used for external network traffic.

gateway_external_network_id =

(StrOpt) UUID of external network for routers implemented by the agents.

ha_confs_path = $state_path/ha_confs

(StrOpt) Location to store keepalived/conntrackd config files

ha_vrrp_advert_int = 2

(IntOpt) The advertisement interval in seconds

ha_vrrp_auth_password = None

(StrOpt) VRRP authentication password

ha_vrrp_auth_type = PASS

(StrOpt) VRRP authentication type AH/PASS

handle_internal_only_routers = True

(BoolOpt) Agent should implement routers with no gateway

l3_ha = False

(BoolOpt) Enable HA mode for virtual routers.

l3_ha_net_cidr = 169.254.192.0/18

(StrOpt) Subnet used for the l3 HA admin network.

max_l3_agents_per_router = 3

(IntOpt) Maximum number of agents on which a router will be scheduled.

min_l3_agents_per_router = 2

(IntOpt) Minimum number of agents on which a router will be scheduled.

router_id =

(StrOpt) If namespaces is disabled, the l3 agent can only configure a router that has the matching router ID.

send_arp_for_ha = 3

(IntOpt) Send this many gratuitous ARPs for HA setup, if less than or equal to 0, the feature is disabled

Load-Balancer-as-a-Service agent
Use the following options in the lbaas_agent.ini file for the LBaaS agent.

Table 8.57. Description of LBaaS configuration options


Configuration option = Default value

Description

[DEFAULT]
device_driver = ['neutron.services.loadbalancer.drivers.haproxy.namespace_driver.HaproxyNSDriver']

(MultiStrOpt) Drivers used to manage loadbalancing devices

loadbalancer_pool_scheduler_driver = neutron.services.loadbalancer.agent_scheduler.ChanceScheduler

(StrOpt) Driver to use for scheduling pool to a default loadbalancer agent

Table 8.58. Description of LBaaS haproxy configuration options


Configuration option = Default value

Description

[haproxy]
loadbalancer_state_path = $state_path/lbaas

(StrOpt) Location to store config and state files

send_gratuitous_arp = 3

(IntOpt) When deleting and re-adding the same VIP, send this many gratuitous ARPs to flush the ARP cache in the router. Set it to 0 or below to disable this feature.

user_group = nogroup

(StrOpt) The user group

Table 8.59. Description of LBaaS Netscaler configuration options


Configuration option = Default value

Description

[netscaler_driver]
netscaler_ncc_password = None

(StrOpt) Password to login to the NetScaler Control Center Server.

netscaler_ncc_uri = None

(StrOpt) The URL to reach the NetScaler Control Center Server.


netscaler_ncc_username = None

(StrOpt) Username to login to the NetScaler Control Center Server.

Table 8.60. Description of LBaaS Radware configuration options


Configuration option = Default value

Description

[radware]
actions_to_skip = setup_l2_l3

(ListOpt) List of actions that are not pushed to the completion queue.

ha_secondary_address = None

(StrOpt) IP address of secondary vDirect server.

l2_l3_ctor_params = {'ha_network_name': 'HA-Network', 'service': '_REPLACE_', 'ha_ip_pool_name': 'default', 'twoleg_enabled': '_REPLACE_', 'allocate_ha_ips': True, 'allocate_ha_vrrp': True}

(DictOpt) Parameter for l2_l3 workflow constructor.

l2_l3_setup_params = {'data_ip_address': '192.168.200.99', 'data_port': 1, 'gateway': '192.168.200.1', 'ha_port': 2, 'data_ip_mask': '255.255.255.0'}

(DictOpt) Parameter for l2_l3 workflow setup.

l2_l3_workflow_name = openstack_l2_l3

(StrOpt) Name of l2_l3 workflow. Default: openstack_l2_l3.

l4_action_name = BaseCreate

(StrOpt) Name of the l4 workflow action. Default: BaseCreate.

l4_workflow_name = openstack_l4

(StrOpt) Name of l4 workflow. Default: openstack_l4.

service_adc_type = VA

(StrOpt) Service ADC type. Default: VA.

service_adc_version =

(StrOpt) Service ADC version.

service_cache = 20

(IntOpt) Size of service cache. Default: 20.

service_compression_throughput = 100

(IntOpt) Service compression throughput. Default: 100.

service_ha_pair = False

(BoolOpt) Enables or disables the Service HA pair. Default: False.

service_isl_vlan = -1

(IntOpt) A required VLAN for the interswitch link to use.

service_resource_pool_ids =

(ListOpt) Resource pool IDs.

service_session_mirroring_enabled = False

(BoolOpt) Enable or disable Alteon interswitch link for stateful session failover. Default: False.

service_ssl_throughput = 100

(IntOpt) Service SSL throughput. Default: 100.

service_throughput = 1000

(IntOpt) Service throughput. Default: 1000.

vdirect_address = None

(StrOpt) IP address of vDirect server.

vdirect_password = radware

(StrOpt) vDirect user password.

vdirect_user = vDirect

(StrOpt) vDirect user name.

Logging
Use the following options to alter logging settings.

Table 8.61. Description of logging configuration options


Configuration option = Default value

Description

[DEFAULT]
debug = False

(BoolOpt) Print debugging output (set logging level to DEBUG instead of default WARNING level).

default_log_levels = amqp=WARN, amqplib=WARN, boto=WARN, qpid=WARN, sqlalchemy=WARN, suds=INFO, oslo.messaging=INFO, iso8601=WARN, requests.packages.urllib3.connectionpool=WARN

(ListOpt) List of logger=LEVEL pairs.


fatal_deprecations = False

(BoolOpt) Enables or disables fatal status of deprecations.

instance_format = "[instance: %(uuid)s] "

(StrOpt) The format for an instance that is passed with the log message.

instance_uuid_format = "[instance: %(uuid)s] "

(StrOpt) The format for an instance UUID that is passed with the log message.

log_config_append = None

(StrOpt) The name of a logging configuration file. This file is appended to any existing logging configuration files. For details about logging configuration files, see the Python logging module documentation.

log_date_format = %Y-%m-%d %H:%M:%S

(StrOpt) Format string for %%(asctime)s in log records. Default: %(default)s .

log_dir = None

(StrOpt) (Optional) The base directory used for relative --log-file paths.

log_file = None

(StrOpt) (Optional) Name of log file to output to. If no default is set, logging will go to stdout.

log_format = None

(StrOpt) DEPRECATED. A logging.Formatter log message format string which may use any of the available
logging.LogRecord attributes. This option is deprecated. Please use logging_context_format_string and
logging_default_format_string instead.

logging_context_format_string = %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [%(request_id)s %(user_identity)s] %(instance)s%(message)s

(StrOpt) Format string to use for log messages with context.

logging_debug_format_suffix = %(funcName)s %(pathname)s:%(lineno)d

(StrOpt) Data to append to log format when level is DEBUG.

logging_default_format_string = %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [-] %(instance)s%(message)s

(StrOpt) Format string to use for log messages without context.

logging_exception_prefix = %(asctime)s.%(msecs)03d %(process)d TRACE %(name)s %(instance)s

(StrOpt) Prefix each line of exception output with this format.

publish_errors = False

(BoolOpt) Enables or disables publication of error events.

syslog_log_facility = LOG_USER

(StrOpt) Syslog facility to receive log lines.

use_ssl = False

(BoolOpt) Enable SSL on the API server

use_stderr = True

(BoolOpt) Log output to standard error.

use_syslog = False

(BoolOpt) Use syslog for logging. Existing syslog format is DEPRECATED during I, and will change in J to honor RFC5424.

use_syslog_rfc_format = False

(BoolOpt) (Optional) Enables or disables syslog rfc5424 format for logging. If enabled, prefixes the MSG part of the syslog message with APP-NAME (RFC5424). The format without the APP-NAME is deprecated in I, and will be removed in J.

verbose = False

(BoolOpt) Print more verbose output (set logging level to INFO instead of default WARNING level).

Metadata Agent
Use the following options in the metadata_agent.ini file for the Metadata agent.

Table 8.62. Description of metadata configuration options


Configuration option = Default value

Description

[DEFAULT]

meta_flavor_driver_mappings = None

(StrOpt) Mapping between flavor and LinuxInterfaceDriver. It is specific to MetaInterfaceDriver used with
admin_user, admin_password, admin_tenant_name,
admin_url, auth_strategy, auth_region and
endpoint_type.

metadata_backlog = 4096

(IntOpt) Number of backlog requests to configure the metadata server socket with

metadata_port = 9697

(IntOpt) TCP Port used by Neutron metadata namespace proxy.

metadata_proxy_shared_secret =

(StrOpt) Shared secret to sign instance-id request

metadata_proxy_socket = $state_path/metadata_proxy

(StrOpt) Location of Metadata Proxy UNIX domain socket

metadata_workers = 2

(IntOpt) Number of separate worker processes for metadata server

nova_metadata_insecure = False

(BoolOpt) Allow to perform insecure SSL (https) requests to nova metadata

nova_metadata_ip = 127.0.0.1

(StrOpt) IP address used by Nova metadata server.

nova_metadata_port = 8775

(IntOpt) TCP Port used by Nova metadata server.

nova_metadata_protocol = http

(StrOpt) Protocol to access nova metadata, http or https

Metering Agent
Use the following options in the metering_agent.ini file for the Metering agent.

Table 8.63. Description of metering agent configuration options


Configuration option = Default value

Description

[DEFAULT]
driver = neutron.services.metering.drivers.noop.noop_driver.NoopMeteringDriver

(StrOpt) Metering driver

measure_interval = 30

(IntOpt) Interval between two metering measures

[AGENT]
report_interval = 30

(FloatOpt) Seconds between nodes reporting state to server; should be less than agent_down_time, best if it is half
or less than agent_down_time.

Policy
Use the following options in the neutron.conf file to change policy settings.

Table 8.64. Description of policy configuration options


Configuration option = Default value

Description

[DEFAULT]
allow_overlapping_ips = False

(BoolOpt) Allow overlapping IP support in Neutron

policy_file = policy.json

(StrOpt) The policy file to use

Quotas
Use the following options in the neutron.conf file for the quota system.

Table 8.65. Description of quotas configuration options


Configuration option = Default value

Description

[DEFAULT]
max_routes = 30

(IntOpt) Maximum number of routes

[QUOTAS]
default_quota = -1

(IntOpt) Default number of resource allowed per tenant. A negative value means unlimited.

quota_driver = neutron.db.quota_db.DbQuotaDriver

(StrOpt) Default driver to use for quota checks

quota_firewall = 1

(IntOpt) Number of firewalls allowed per tenant. A negative value means unlimited.

quota_firewall_policy = 1

(IntOpt) Number of firewall policies allowed per tenant. A negative value means unlimited.

quota_firewall_rule = 100

(IntOpt) Number of firewall rules allowed per tenant. A negative value means unlimited.

quota_floatingip = 50

(IntOpt) Number of floating IPs allowed per tenant. A negative value means unlimited.

quota_health_monitor = -1

(IntOpt) Number of health monitors allowed per tenant. A negative value means unlimited.

quota_items = network, subnet, port

(ListOpt) Resource name(s) that are supported in quota features

quota_member = -1

(IntOpt) Number of pool members allowed per tenant. A negative value means unlimited.

quota_network = 10

(IntOpt) Number of networks allowed per tenant. A negative value means unlimited.

quota_network_gateway = 5

(IntOpt) Number of network gateways allowed per tenant, -1 for unlimited

quota_packet_filter = 100

(IntOpt) Number of packet_filters allowed per tenant, -1 for unlimited

quota_pool = 10

(IntOpt) Number of pools allowed per tenant. A negative value means unlimited.

quota_port = 50

(IntOpt) Number of ports allowed per tenant. A negative value means unlimited.

quota_router = 10

(IntOpt) Number of routers allowed per tenant. A negative value means unlimited.

quota_security_group = 10

(IntOpt) Number of security groups allowed per tenant. A negative value means unlimited.

quota_security_group_rule = 100

(IntOpt) Number of security rules allowed per tenant. A negative value means unlimited.

quota_subnet = 10

(IntOpt) Number of subnets allowed per tenant. A negative value means unlimited.

quota_vip = 10

(IntOpt) Number of vips allowed per tenant. A negative value means unlimited.

Rootwrap
Use the following options in the neutron.conf file for the rootwrap settings.

Table 8.66. Description of rootwrap configuration options


Configuration option = Default value

Description

[DEFAULT]

filters_path = /etc/neutron/rootwrap.d,/usr/share/neutron/rootwrap

List of directories to load filter definitions from (separated by ','). These directories MUST all be only writeable by root!

exec_dirs = /sbin,/usr/sbin,/bin,/usr/bin

List of directories to search executables in, in case filters do not explicitly specify a full path (separated by ','). If not specified, defaults to system PATH environment variable. These directories MUST all be only writeable by root!

use_syslog = False

Enable logging to syslog. Default value is False.

syslog_log_facility = syslog

Which syslog facility to use. Valid values include auth, authpriv, syslog, local0, local1... Default value is 'syslog'.

syslog_log_level = ERROR

Which messages to log. INFO means log all usage. ERROR means only log unsuccessful attempts.

[xenapi]
xenapi_connection_url = <None>

XenAPI configuration is only required by the L2 agent if it is to target a XenServer/XCP compute host's dom0.

xenapi_connection_username = root

No help text available for this option.

xenapi_connection_password = <None>

No help text available for this option.
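
The table above requires every directory named in filters_path and exec_dirs to be writable by root only, and says an unset exec_dirs falls back to PATH. The following check is an added example, not part of the OpenStack reference or of neutron-rootwrap; the function names, the trusted_uid parameter and the embedded sample configuration are assumptions made for illustration.

```python
import configparser
import os
import stat


def split_dirs(value):
    """Split a comma-separated option value into directory paths."""
    return [d.strip() for d in value.split(",") if d.strip()]


def check_dir(path, trusted_uid=0):
    """Return the reasons `path` is not writable by `trusted_uid` alone."""
    real = os.path.realpath(path)  # e.g. /bin is a symlink to /usr/bin on many hosts
    try:
        st = os.stat(real)
    except FileNotFoundError:
        return ["does not exist"]
    except OSError as exc:
        return ["cannot stat: %s" % exc.strerror]
    if not stat.S_ISDIR(st.st_mode):
        return ["is not a directory"]
    problems = []
    if st.st_uid != trusted_uid:
        problems.append("owned by uid %d, expected %d" % (st.st_uid, trusted_uid))
    if st.st_mode & stat.S_IWGRP:
        problems.append("group-writable (mode %o)" % stat.S_IMODE(st.st_mode))
    if st.st_mode & stat.S_IWOTH:
        problems.append("world-writable (mode %o)" % stat.S_IMODE(st.st_mode))
    return problems


def audit_rootwrap(conf_text, trusted_uid=0, environ=None):
    """Map option -> {directory: [problems]} for filters_path and exec_dirs."""
    environ = os.environ if environ is None else environ
    cfg = configparser.RawConfigParser()
    cfg.read_string(conf_text)
    opts = cfg.defaults()  # both options live in [DEFAULT]
    dirs = {"filters_path": split_dirs(opts.get("filters_path", ""))}
    if opts.get("exec_dirs"):
        dirs["exec_dirs"] = split_dirs(opts["exec_dirs"])
    else:
        # The table states that an unset exec_dirs falls back to PATH.
        dirs["exec_dirs"] = [d for d in environ.get("PATH", "").split(os.pathsep) if d]
    report = {}
    for option, paths in dirs.items():
        for path in paths:
            problems = check_dir(path, trusted_uid)
            if problems:
                report.setdefault(option, {})[path] = problems
    return report


# Constructed sample that uses the default values listed in the table.
SAMPLE_CONF = """\
[DEFAULT]
filters_path = /etc/neutron/rootwrap.d,/usr/share/neutron/rootwrap
exec_dirs = /sbin,/usr/sbin,/bin,/usr/bin
"""

if __name__ == "__main__":
    for option, found in audit_rootwrap(SAMPLE_CONF).items():
        for path, problems in found.items():
            print("%s: %s: %s" % (option, path, "; ".join(problems)))
```

An empty report means every listed directory exists, is owned by root and has no group or world write bit.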

Scheduler
Use the following options in the neutron.conf file to change scheduler settings.

Table 8.67. Description of scheduler configuration options


Configuration option = Default value

Description

[DEFAULT]
network_auto_schedule = True

(BoolOpt) Allow auto scheduling networks to DHCP agent.

network_scheduler_driver = neutron.scheduler.dhcp_agent_scheduler.ChanceScheduler

(StrOpt) Driver to use for scheduling network to DHCP agent

router_auto_schedule = True

(BoolOpt) Allow auto scheduling of routers to L3 agent.

router_delete_namespaces = False

(BoolOpt) Delete namespace after removing a router.

router_scheduler_driver = neutron.scheduler.l3_agent_scheduler.ChanceScheduler

(StrOpt) Driver to use for scheduling router to a default L3 agent

Security Groups
Use the following options in the configuration file for your driver to change security group
settings.

Table 8.68. Description of security groups configuration options


Configuration option = Default value

Description

[SECURITYGROUP]
enable_ipset = True

(BoolOpt) Use ipset to speed-up the iptables based security groups.

enable_security_group = True

(BoolOpt) Controls whether the neutron security group API is enabled in the server. It should be false when using no security groups or using the nova security group API.

firewall_driver = None

(StrOpt) Driver for security groups firewall in the L2 agent

SSL and Certification Authority


Use the following options in the neutron.conf file to enable SSL.

Table 8.69. Description of CA and SSL configuration options


Configuration option = Default value

Description

[DEFAULT]
ssl_ca_file = None

(StrOpt) CA certificate file to use to verify connecting clients

ssl_cert_file = None

(StrOpt) Certificate file to use when starting the server securely

ssl_key_file = None

(StrOpt) Private key file to use when starting the server securely

[ssl]
ca_file = None

(StrOpt) CA certificate file to use to verify connecting clients

cert_file = None

(StrOpt) Certificate file to use when starting the server securely

key_file = None

(StrOpt) Private key file to use when starting the server securely

Testing
Use the following options to alter testing-related features.

Table 8.70. Description of testing configuration options


Configuration option = Default value

Description

[DEFAULT]
fake_rabbit = False

(BoolOpt) If passed, use a fake RabbitMQ provider

vArmour Firewall-as-a-Service driver


Use the following options in the l3_agent.ini file for the vArmour FWaaS driver.

Table 8.71. Description of vArmour configuration options


Configuration option = Default value

Description

[vArmour]
director = localhost

(StrOpt) vArmour director ip

director_port = 443

(StrOpt) vArmour director port

password = varmour

(StrOpt) vArmour director password

username = varmour

(StrOpt) vArmour director username

VPN
Use the following options in the vpn_agent.ini file for the VPN agent.

Table 8.72. Description of VPN configuration options


Configuration option = Default value

Description

[ipsec]

config_base_dir = $state_path/ipsec

(StrOpt) Location to store ipsec server config files

ipsec_status_check_interval = 60

(IntOpt) Interval for checking ipsec status

[openswan]
ipsec_config_template = /usr/lib/python/site-packages/neutron/services/vpn/device_drivers/template/openswan/ipsec.conf.template

(StrOpt) Template file for ipsec configuration

ipsec_secret_template = /usr/lib/python/site-packages/neutron/services/vpn/device_drivers/template/openswan/ipsec.secret.template

(StrOpt) Template file for ipsec secret configuration

[vpnagent]
vpn_device_driver = ['neutron.services.vpn.device_drivers.ipsec.OpenSwanDriver']

(MultiStrOpt) The vpn device drivers Neutron will use

Log files used by Networking


The corresponding log file of each Networking service is stored in the /var/log/neutron/ directory of the host on which each service runs.

Table 8.73. Log files used by Networking services


Log file

Service/interface

dhcp-agent.log

neutron-dhcp-agent

l3-agent.log

neutron-l3-agent

lbaas-agent.log

neutron-lbaas-agent [a]

linuxbridge-agent.log

neutron-linuxbridge-agent

metadata-agent.log

neutron-metadata-agent

metering-agent.log

neutron-metering-agent

openvswitch-agent.log

neutron-openvswitch-agent

server.log

neutron-server

[a] The neutron-lbaas-agent service only runs when Load-Balancer-as-a-Service is enabled.

Networking sample configuration files


All the files in this section can be found in /etc/neutron/.

neutron.conf
Use the neutron.conf file to configure the majority of the OpenStack Networking options.
[DEFAULT]
# Print more verbose output (set logging level to INFO instead of default WARNING level).
# verbose = False
# Print debugging output (set logging level to DEBUG instead of default WARNING level).
# debug = False
# Where to store Neutron state files.  This directory must be writable by the
# user executing the agent.
# state_path = /var/lib/neutron
# Where to store lock files
lock_path = $state_path/lock
# log_format = %(asctime)s %(levelname)8s [%(name)s] %(message)s
# log_date_format = %Y-%m-%d %H:%M:%S
# use_syslog                           -> syslog
# log_file and log_dir                 -> log_dir/log_file
# (not log_file) and log_dir           -> log_dir/{binary_name}.log
# use_stderr                           -> stderr
# (not user_stderr) and (not log_file) -> stdout
# publish_errors                       -> notification system

# use_syslog = False
# syslog_log_facility = LOG_USER
# use_stderr = True
# log_file =
# log_dir =
# publish_errors = False
# Address to bind the API server to
# bind_host = 0.0.0.0
# Port to bind the API server to
# bind_port = 9696
# Path to the extensions. Note that this can be a colon-separated list of
# paths. For example:
# api_extensions_path = extensions:/path/to/more/extensions:/even/more/extensions
# The __path__ of neutron.extensions is appended to this, so if your
# extensions are in there you don't need to specify them here
# api_extensions_path =
# (StrOpt) Neutron core plugin entrypoint to be loaded from the
# neutron.core_plugins namespace. See setup.cfg for the entrypoint names of the
# plugins included in the neutron source distribution. For compatibility with
# previous versions, the class name of a plugin can be specified instead of its
# entrypoint name.
#
# core_plugin =
# Example: core_plugin = ml2
# (ListOpt) List of service plugin entrypoints to be loaded from the
# neutron.service_plugins namespace. See setup.cfg for the entrypoint names of
# the plugins included in the neutron source distribution. For compatibility
# with previous versions, the class name of a plugin can be specified instead
# of its entrypoint name.
#
# service_plugins =
# Example: service_plugins = router,firewall,lbaas,vpnaas,metering

# Paste configuration file
# api_paste_config = api-paste.ini
# The strategy to be used for auth.
# Supported values are 'keystone'(default), 'noauth'.
# auth_strategy = keystone
# Base MAC address. The first 3 octets will remain unchanged. If the
# 4th octet is not 00, it will also be used. The others will be
# randomly generated.
# 3 octet
# base_mac = fa:16:3e:00:00:00
# 4 octet
# base_mac = fa:16:3e:4f:00:00

# Maximum amount of retries to generate a unique MAC address
# mac_generation_retries = 16
# DHCP Lease duration (in seconds)
# dhcp_lease_duration = 86400
# Allow sending resource operation notification to DHCP agent
# dhcp_agent_notification = True
# Enable or disable bulk create/update/delete operations
# allow_bulk = True
# Enable or disable pagination
# allow_pagination = False
# Enable or disable sorting
# allow_sorting = False
# Enable or disable overlapping IPs for subnets
# Attention: the following parameter MUST be set to False if Neutron is
# being used in conjunction with nova security groups
# allow_overlapping_ips = False
# Ensure that configured gateway is on subnet
# force_gateway_on_subnet = False

# RPC configuration options. Defined in rpc __init__
# The messaging module to use, defaults to kombu.
# rpc_backend = neutron.openstack.common.rpc.impl_kombu
# Size of RPC thread pool
# rpc_thread_pool_size = 64
# Size of RPC connection pool
# rpc_conn_pool_size = 30
# Seconds to wait for a response from call or multicall
# rpc_response_timeout = 60
# Seconds to wait before a cast expires (TTL). Only supported by impl_zmq.
# rpc_cast_timeout = 30
# Modules of exceptions that are permitted to be recreated
# upon receiving exception data from an rpc call.
# allowed_rpc_exception_modules = neutron.openstack.common.exception, nova.exception
# AMQP exchange to connect to if using RabbitMQ or QPID
# control_exchange = neutron
# If passed, use a fake RabbitMQ provider
# fake_rabbit = False
# Configuration options if sending notifications via kombu rpc (these are
# the defaults)
# SSL version to use (valid only if SSL enabled)
# kombu_ssl_version =
# SSL key file (valid only if SSL enabled)
# kombu_ssl_keyfile =
# SSL cert file (valid only if SSL enabled)
# kombu_ssl_certfile =
# SSL certification authority file (valid only if SSL enabled)
# kombu_ssl_ca_certs =
# IP address of the RabbitMQ installation
# rabbit_host = localhost
# Password of the RabbitMQ server
# rabbit_password = guest
# Port where RabbitMQ server is running/listening
# rabbit_port = 5672
# RabbitMQ single or HA cluster (host:port pairs i.e: host1:5672, host2:5672)
# rabbit_hosts is defaulted to '$rabbit_host:$rabbit_port'
# rabbit_hosts = localhost:5672
# User ID used for RabbitMQ connections
# rabbit_userid = guest
# Location of a virtual RabbitMQ installation.
# rabbit_virtual_host = /
# Maximum retries with trying to connect to RabbitMQ
# (the default of 0 implies an infinite retry count)
# rabbit_max_retries = 0
# RabbitMQ connection retry interval
# rabbit_retry_interval = 1
# Use HA queues in RabbitMQ (x-ha-policy: all). You need to
# wipe RabbitMQ database when changing this option. (boolean value)
# rabbit_ha_queues = false

# QPID
# rpc_backend=neutron.openstack.common.rpc.impl_qpid
# Qpid broker hostname
# qpid_hostname = localhost
# Qpid broker port
# qpid_port = 5672
# Qpid single or HA cluster (host:port pairs i.e: host1:5672, host2:5672)
# qpid_hosts is defaulted to '$qpid_hostname:$qpid_port'
# qpid_hosts = localhost:5672
# Username for qpid connection
# qpid_username = ''
# Password for qpid connection
# qpid_password = ''
# Space separated list of SASL mechanisms to use for auth
# qpid_sasl_mechanisms = ''
# Seconds between connection keepalive heartbeats
# qpid_heartbeat = 60
# Transport to use, either 'tcp' or 'ssl'
# qpid_protocol = tcp
# Disable Nagle algorithm
# qpid_tcp_nodelay = True

# ZMQ
# rpc_backend=neutron.openstack.common.rpc.impl_zmq
# ZeroMQ bind address. Should be a wildcard (*), an ethernet interface, or IP.
# The "host" option should point or resolve to this address.
# rpc_zmq_bind_address = *

# ============ Notification System Options =====================

# Notifications can be sent when network/subnet/port are created, updated or deleted.
# There are three methods of sending notifications: logging (via the
# log_file directive), rpc (via a message queue) and
# noop (no notifications sent, the default)
# Notification_driver can be defined multiple times
# Do nothing driver
# notification_driver = neutron.openstack.common.notifier.no_op_notifier
# Logging driver
# notification_driver = neutron.openstack.common.notifier.log_notifier
# RPC driver.
notification_driver = neutron.openstack.common.notifier.rpc_notifier
# default_notification_level is used to form actual topic name(s) or to set logging level
# default_notification_level = INFO
# default_publisher_id is a part of the notification payload
# host = myhost.com
# default_publisher_id = $host
# Defined in rpc_notifier, can be comma separated values.
# The actual topic names will be %s.%(default_notification_level)s
# notification_topics = notifications
# Default maximum number of items returned in a single response,
# value == infinite and value < 0 means no max limit, and value must
# be greater than 0. If the number of items requested is greater than
# pagination_max_limit, server will just return pagination_max_limit
# of number of items.
# pagination_max_limit = -1
# Maximum number of DNS nameservers per subnet
# max_dns_nameservers = 5
# Maximum number of host routes per subnet
# max_subnet_host_routes = 20
# Maximum number of fixed ips per port
# max_fixed_ips_per_port = 5

# =========== items for agent management extension =============
# Seconds to regard the agent as down; should be at least twice
# report_interval, to be sure the agent is down for good
# agent_down_time = 75
# =========== end of items for agent management extension =====

# =========== items for agent scheduler extension =============
# Driver to use for scheduling network to DHCP agent
# network_scheduler_driver = neutron.scheduler.dhcp_agent_scheduler.ChanceScheduler
# Driver to use for scheduling router to a default L3 agent
# router_scheduler_driver = neutron.scheduler.l3_agent_scheduler.ChanceScheduler
# Driver to use for scheduling a loadbalancer pool to an lbaas agent
# loadbalancer_pool_scheduler_driver = neutron.services.loadbalancer.agent_scheduler.ChanceScheduler
# Allow auto scheduling networks to DHCP agent. It will schedule non-hosted
# networks to first DHCP agent which sends get_active_networks message to
# neutron server
# network_auto_schedule = True
# Allow auto scheduling routers to L3 agent. It will schedule non-hosted
# routers to first L3 agent which sends sync_routers message to neutron server
# router_auto_schedule = True
# Number of DHCP agents scheduled to host a network. This enables redundant
# DHCP agents for configured networks.
# dhcp_agents_per_network = 1
# =========== end of items for agent scheduler extension =====

# =========== WSGI parameters related to the API server ==============
# Number of separate worker processes to spawn. The default, 0, runs the
# worker thread in the current process. Greater than 0 launches that number of
# child processes as workers. The parent process manages them.
# api_workers = 0
# Number of separate RPC worker processes to spawn. The default, 0, runs the
# worker thread in the current process. Greater than 0 launches that number of
# child processes as RPC workers. The parent process manages them.
# This feature is experimental until issues are addressed and testing has been
# enabled for various plugins for compatibility.
# rpc_workers = 0
# Sets the value of TCP_KEEPIDLE in seconds to use for each server socket when
# starting API server. Not supported on OS X.
# tcp_keepidle = 600
# Number of seconds to keep retrying to listen
# retry_until_window = 30
# Number of backlog requests to configure the socket with.
# backlog = 4096
# Max header line to accommodate large tokens
# max_header_line = 16384
# Enable SSL on the API server
# use_ssl = False
# Certificate file to use when starting API server securely
# ssl_cert_file = /path/to/certfile
# Private key file to use when starting API server securely
# ssl_key_file = /path/to/keyfile
# CA certificate file to use when starting API server securely to
# verify connecting clients. This is an optional parameter only required if
# API clients need to authenticate to the API server using SSL certificates
# signed by a trusted CA
# ssl_ca_file = /path/to/cafile
# ======== end of WSGI parameters related to the API server ==========

# ======== neutron nova interactions ==========

# Send notification to nova when port status is active.
# notify_nova_on_port_status_changes = True
# Send notifications to nova when port data (fixed_ips/floatingips) change
# so nova can update its cache.
# notify_nova_on_port_data_changes = True
# URL for connection to nova (Only supports one nova region currently).
# nova_url = http://127.0.0.1:8774/v2
# Name of nova region to use. Useful if keystone manages more than one region
# nova_region_name =
# Username for connection to nova in admin context
# nova_admin_username =
# The uuid of the admin nova tenant
# nova_admin_tenant_id =
# Password for connection to nova in admin context.
# nova_admin_password =
# Authorization URL for connection to nova in admin context.
# nova_admin_auth_url =
# Number of seconds between sending events to nova if there are any events to send
# send_events_interval = 2
# ======== end of neutron nova interactions ==========
[quotas]
# Default driver to use for quota checks
# quota_driver = neutron.db.quota_db.DbQuotaDriver
# Resource name(s) that are supported in quota features
# quota_items = network,subnet,port
# Default number of resource allowed per tenant. A negative value means
# unlimited.
# default_quota = -1
# Number of networks allowed per tenant. A negative value means unlimited.
# quota_network = 10
# Number of subnets allowed per tenant. A negative value means unlimited.
# quota_subnet = 10
# Number of ports allowed per tenant. A negative value means unlimited.
# quota_port = 50
# Number of security groups allowed per tenant. A negative value means
# unlimited.
# quota_security_group = 10
# Number of security group rules allowed per tenant. A negative value means
# unlimited.
# quota_security_group_rule = 100
# Number of vips allowed per tenant. A negative value means unlimited.

# quota_vip = 10
# Number of pools allowed per tenant. A negative value means unlimited.
# quota_pool = 10
# Number of pool members allowed per tenant. A negative value means unlimited.
# The default is unlimited because a member is not a real resource consumer
# on Openstack. However, on back-end, a member is a resource consumer
# and that is the reason why quota is possible.
# quota_member = -1
# Number of health monitors allowed per tenant. A negative value means
# unlimited.
# The default is unlimited because a health monitor is not a real resource
# consumer on Openstack. However, on back-end, a member is a resource consumer
# and that is the reason why quota is possible.
# quota_health_monitors = -1
# Number of routers allowed per tenant. A negative value means unlimited.
# quota_router = 10
# Number of floating IPs allowed per tenant. A negative value means unlimited.
# quota_floatingip = 50
[agent]
# Use "sudo neutron-rootwrap /etc/neutron/rootwrap.conf" to use the real
# root filter facility.
# Change to "sudo" to skip the filtering and just run the command directly
# root_helper = sudo
# =========== items for agent management extension =============
# seconds between nodes reporting state to server; should be less than
# agent_down_time, best if it is half or less than agent_down_time
# report_interval = 30
# =========== end of items for agent management extension =====

[keystone_authtoken]
auth_host = 127.0.0.1
auth_port = 35357
auth_protocol = http
admin_tenant_name = %SERVICE_TENANT_NAME%
admin_user = %SERVICE_USER%
admin_password = %SERVICE_PASSWORD%
signing_dir = $state_path/keystone-signing
[database]
# This line MUST be changed to actually run the plugin.
# Example:
# connection = mysql://root:<password>@127.0.0.1:3306/neutron
# Replace 127.0.0.1 above with the IP address of the database used by the
# main neutron server. (Leave it as is if the database runs on this host.)
# connection = sqlite://
# The SQLAlchemy connection string used to connect to the slave database
# slave_connection =
# Database reconnection retry times - in event connectivity is lost
# set to -1 implies an infinite retry count
# max_retries = 10

# Database reconnection interval in seconds - if the initial connection to the
# database fails
# retry_interval = 10
# Minimum number of SQL connections to keep open in a pool
# min_pool_size = 1
# Maximum number of SQL connections to keep open in a pool
# max_pool_size = 10
# Timeout in seconds before idle sql connections are reaped
# idle_timeout = 3600
# If set, use this value for max_overflow with sqlalchemy
# max_overflow = 20
# Verbosity of SQL debugging information. 0=None, 100=Everything
# connection_debug = 0
# Add python stack traces to SQL as comment strings
# connection_trace = False
# If set, use this value for pool_timeout with sqlalchemy
# pool_timeout = 10
[service_providers]
# Specify service providers (drivers) for advanced services like loadbalancer, VPN, Firewall.
# Must be in form:
# service_provider=<service_type>:<name>:<driver>[:default]
# List of allowed service types includes LOADBALANCER, FIREWALL, VPN
# Combination of <service type> and <name> must be unique; <driver> must also be unique
# This is multiline option, example for default provider:
# service_provider=LOADBALANCER:name:lbaas_plugin_driver_path:default
# example of non-default provider:
# service_provider=FIREWALL:name2:firewall_driver_path
# --- Reference implementations ---
service_provider=LOADBALANCER:Haproxy:neutron.services.loadbalancer.drivers.haproxy.plugin_driver.HaproxyOnHostPluginDriver:default
service_provider=VPN:openswan:neutron.services.vpn.service_drivers.ipsec.IPsecVPNDriver:default
# In order to activate Radware's lbaas driver you need to uncomment the next line.
# If you want to keep the HA Proxy as the default lbaas driver, remove the attribute default from the line below.
# Otherwise comment the HA Proxy line
# service_provider = LOADBALANCER:Radware:neutron.services.loadbalancer.drivers.radware.driver.LoadBalancerDriver:default
# uncomment the following line to make the 'netscaler' LBaaS provider available.
# service_provider=LOADBALANCER:NetScaler:neutron.services.loadbalancer.drivers.netscaler.netscaler_driver.NetScalerPluginDriver
# Uncomment the following line (and comment out the OpenSwan VPN line) to enable Cisco's VPN driver.
# service_provider=VPN:cisco:neutron.services.vpn.service_drivers.cisco_ipsec.CiscoCsrIPsecVPNDriver:default
# Uncomment the line below to use Embrane heleos as Load Balancer service provider.
# service_provider=LOADBALANCER:Embrane:neutron.services.loadbalancer.drivers.embrane.driver.EmbraneLbaas:default
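
Several defaults in the sample neutron.conf above are ones its own comments qualify: auth_strategy accepts 'noauth', rabbit_password ships as 'guest', root_helper = sudo skips rootwrap filtering, and agent_down_time should be at least twice report_interval. The following audit is an added example, not part of the OpenStack reference or of Neutron; the function names and both embedded configurations are constructed for illustration, and options missing from a file are assumed to take the defaults shown in the sample.

```python
import configparser

# Defaults as they appear (commented out) in the sample neutron.conf above.
PAGE_DEFAULTS = {
    ("default", "auth_strategy"): "keystone",
    ("default", "use_ssl"): "False",
    ("default", "rabbit_password"): "guest",
    ("default", "agent_down_time"): "75",
    ("agent", "report_interval"): "30",
    ("agent", "root_helper"): "sudo",
}


def load(text):
    """Parse neutron.conf text without interpolation or DEFAULT inheritance."""
    # default_section is set to an unused name so [DEFAULT] is read as an
    # ordinary section; strict=False accepts repeated keys (service_provider).
    cfg = configparser.RawConfigParser(strict=False, default_section="__unused__")
    cfg.read_string(text)
    return cfg


def effective(cfg, section, option):
    """Value set in the file, else the default shown in the sample file."""
    for name in cfg.sections():  # the page writes both [agent] and [AGENT]
        if name.lower() == section and cfg.has_option(name, option):
            return cfg.get(name, option).strip()
    return PAGE_DEFAULTS[(section, option)]


def audit(text):
    """Return (option, reason) pairs for settings the page's comments qualify."""
    cfg = load(text)
    findings = []
    if effective(cfg, "default", "auth_strategy").lower() == "noauth":
        findings.append(("auth_strategy",
                         "the noauth pipeline in api-paste.ini has no authtoken filter"))
    if effective(cfg, "default", "use_ssl").lower() != "true":
        findings.append(("use_ssl", "API server is not started with SSL"))
    if effective(cfg, "default", "rabbit_password") == "guest":
        findings.append(("rabbit_password", "still the sample default 'guest'"))
    if "neutron-rootwrap" not in effective(cfg, "agent", "root_helper"):
        findings.append(("root_helper",
                         "commands run through sudo without rootwrap filtering"))
    down = float(effective(cfg, "default", "agent_down_time"))
    report = float(effective(cfg, "agent", "report_interval"))
    if down < 2 * report:
        findings.append(("agent_down_time",
                         "%g is less than twice report_interval (%g)" % (down, report)))
    return findings


# Constructed input: weak settings, plus '%' and '$' values that must parse literally.
WEAK_CONF = """\
[DEFAULT]
log_format = %(asctime)s %(levelname)8s [%(name)s] %(message)s
lock_path = $state_path/lock
auth_strategy = noauth
agent_down_time = 40
[agent]
root_helper = sudo
report_interval = 30
"""

# Constructed input: the same options set the way the sample's comments recommend.
HARDENED_CONF = """\
[DEFAULT]
auth_strategy = keystone
use_ssl = True
rabbit_password = constructed-example-value
agent_down_time = 75
[AGENT]
root_helper = sudo neutron-rootwrap /etc/neutron/rootwrap.conf
report_interval = 30
"""

if __name__ == "__main__":
    for option, reason in audit(WEAK_CONF):
        print("%s: %s" % (option, reason))
```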

api-paste.ini
Use the api-paste.ini file to configure the OpenStack Networking API.
[composite:neutron]
use = egg:Paste#urlmap
/: neutronversions
/v2.0: neutronapi_v2_0
[composite:neutronapi_v2_0]
use = call:neutron.auth:pipeline_factory
noauth = request_id catch_errors extensions neutronapiapp_v2_0
keystone = request_id catch_errors authtoken keystonecontext extensions neutronapiapp_v2_0
[filter:request_id]
paste.filter_factory = neutron.openstack.common.middleware.request_id:RequestIdMiddleware.factory
[filter:catch_errors]
paste.filter_factory = neutron.openstack.common.middleware.catch_errors:CatchErrorsMiddleware.factory
[filter:keystonecontext]
paste.filter_factory = neutron.auth:NeutronKeystoneContext.factory
[filter:authtoken]
paste.filter_factory = keystoneclient.middleware.auth_token:filter_factory
[filter:extensions]
paste.filter_factory = neutron.api.extensions:plugin_aware_extension_middleware_factory
[app:neutronversions]
paste.app_factory = neutron.api.versions:Versions.factory
[app:neutronapiapp_v2_0]
paste.app_factory = neutron.api.v2.router:APIRouter.factory

policy.json
Use the policy.json file to define additional access controls that apply to the OpenStack
Networking service.
{
"context_is_admin": "role:admin",
"admin_or_owner": "rule:context_is_admin or tenant_id:%(tenant_id)s",
"admin_or_network_owner": "rule:context_is_admin or tenant_id:%(network:tenant_id)s",
"admin_only": "rule:context_is_admin",
"regular_user": "",
"shared": "field:networks:shared=True",
"shared_firewalls": "field:firewalls:shared=True",
"external": "field:networks:router:external=True",
"default": "rule:admin_or_owner",
"subnets:private:read": "rule:admin_or_owner",
"subnets:private:write": "rule:admin_or_owner",
"subnets:shared:read": "rule:regular_user",
"subnets:shared:write": "rule:admin_only",
"create_subnet": "rule:admin_or_network_owner",
"get_subnet": "rule:admin_or_owner or rule:shared",
"update_subnet": "rule:admin_or_network_owner",
"delete_subnet": "rule:admin_or_network_owner",
"create_network": "",
"get_network": "rule:admin_or_owner or rule:shared or rule:external",
"get_network:router:external": "rule:regular_user",
"get_network:segments": "rule:admin_only",
"get_network:provider:network_type": "rule:admin_only",
"get_network:provider:physical_network": "rule:admin_only",
"get_network:provider:segmentation_id": "rule:admin_only",
"get_network:queue_id": "rule:admin_only",
"create_network:shared": "rule:admin_only",
"create_network:router:external": "rule:admin_only",
"create_network:segments": "rule:admin_only",
"create_network:provider:network_type": "rule:admin_only",
"create_network:provider:physical_network": "rule:admin_only",
"create_network:provider:segmentation_id": "rule:admin_only",
"update_network": "rule:admin_or_owner",
"update_network:segments": "rule:admin_only",
"update_network:shared": "rule:admin_only",
"update_network:provider:network_type": "rule:admin_only",
"update_network:provider:physical_network": "rule:admin_only",
"update_network:provider:segmentation_id": "rule:admin_only",
"delete_network": "rule:admin_or_owner",
"create_port": "",
"create_port:mac_address": "rule:admin_or_network_owner",
"create_port:fixed_ips": "rule:admin_or_network_owner",
"create_port:port_security_enabled": "rule:admin_or_network_owner",
"create_port:binding:host_id": "rule:admin_only",
"create_port:binding:profile": "rule:admin_only",
"create_port:mac_learning_enabled": "rule:admin_or_network_owner",
"get_port": "rule:admin_or_owner",
"get_port:queue_id": "rule:admin_only",
"get_port:binding:vif_type": "rule:admin_only",
"get_port:binding:vif_details": "rule:admin_only",
"get_port:binding:host_id": "rule:admin_only",
"get_port:binding:profile": "rule:admin_only",
"update_port": "rule:admin_or_owner",
"update_port:fixed_ips": "rule:admin_or_network_owner",
"update_port:port_security_enabled": "rule:admin_or_network_owner",
"update_port:binding:host_id": "rule:admin_only",
"update_port:binding:profile": "rule:admin_only",
"update_port:mac_learning_enabled": "rule:admin_or_network_owner",
"delete_port": "rule:admin_or_owner",
"create_router:external_gateway_info:enable_snat": "rule:admin_only",
"update_router:external_gateway_info:enable_snat": "rule:admin_only",
"create_firewall": "",
"get_firewall": "rule:admin_or_owner",
"create_firewall:shared": "rule:admin_only",
"get_firewall:shared": "rule:admin_only",
"update_firewall": "rule:admin_or_owner",
"delete_firewall": "rule:admin_or_owner",
"create_firewall_policy": "",
"get_firewall_policy": "rule:admin_or_owner or rule:shared_firewalls",
"create_firewall_policy:shared": "rule:admin_or_owner",
"update_firewall_policy": "rule:admin_or_owner",
"delete_firewall_policy": "rule:admin_or_owner",
"create_firewall_rule": "",
"get_firewall_rule": "rule:admin_or_owner or rule:shared_firewalls",
"update_firewall_rule": "rule:admin_or_owner",
"delete_firewall_rule": "rule:admin_or_owner",
"create_qos_queue": "rule:admin_only",
"get_qos_queue": "rule:admin_only",
"update_agent": "rule:admin_only",
"delete_agent": "rule:admin_only",
"get_agent": "rule:admin_only",
"create_dhcp-network": "rule:admin_only",
"delete_dhcp-network": "rule:admin_only",
"get_dhcp-networks": "rule:admin_only",
"create_l3-router": "rule:admin_only",
"delete_l3-router": "rule:admin_only",
"get_l3-routers": "rule:admin_only",
"get_dhcp-agents": "rule:admin_only",
"get_l3-agents": "rule:admin_only",
"get_loadbalancer-agent": "rule:admin_only",
"get_loadbalancer-pools": "rule:admin_only",
"create_router": "rule:regular_user",
"get_router": "rule:admin_or_owner",
"update_router:add_router_interface": "rule:admin_or_owner",
"update_router:remove_router_interface": "rule:admin_or_owner",
"delete_router": "rule:admin_or_owner",
"create_floatingip": "rule:regular_user",
"update_floatingip": "rule:admin_or_owner",
"delete_floatingip": "rule:admin_or_owner",
"get_floatingip": "rule:admin_or_owner",
"create_network_profile": "rule:admin_only",
"update_network_profile": "rule:admin_only",
"delete_network_profile": "rule:admin_only",
"get_network_profiles": "",
"get_network_profile": "",
"update_policy_profiles": "rule:admin_only",
"get_policy_profiles": "",
"get_policy_profile": "",
"create_metering_label": "rule:admin_only",
"delete_metering_label": "rule:admin_only",
"get_metering_label": "rule:admin_only",
"create_metering_label_rule": "rule:admin_only",
"delete_metering_label_rule": "rule:admin_only",
"get_metering_label_rule": "rule:admin_only",
"get_service_provider": "rule:regular_user",
"get_lsn": "rule:admin_only",
"create_lsn": "rule:admin_only"
}

rootwrap.conf
Use the rootwrap.conf file to define configuration values used by the rootwrap script
when the OpenStack Networking service must escalate its privileges to those of the root user.
# Configuration for neutron-rootwrap
# This file should be owned by (and only-writeable by) the root user
[DEFAULT]
# List of directories to load filter definitions from (separated by ',').
# These directories MUST all be only writeable by root !
filters_path=/etc/neutron/rootwrap.d,/usr/share/neutron/rootwrap,/etc/quantum/rootwrap.d,/usr/share/quantum/rootwrap
# List of directories to search executables in, in case filters do not
# explicitly specify a full path (separated by ',')
# If not specified, defaults to system PATH environment variable.
# These directories MUST all be only writeable by root !
exec_dirs=/sbin,/usr/sbin,/bin,/usr/bin
# Enable logging to syslog
# Default value is False
use_syslog=False
# Which syslog facility to use.
# Valid values include auth, authpriv, syslog, local0, local1...
# Default value is 'syslog'
syslog_log_facility=syslog
# Which messages to log.
# INFO means log all usage
# ERROR means only log unsuccessful attempts
syslog_log_level=ERROR
[xenapi]
# XenAPI configuration is only required by the L2 agent if it is to
# target a XenServer/XCP compute host's dom0.
xenapi_connection_url=<None>
xenapi_connection_username=root
xenapi_connection_password=<None>
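
The comments in rootwrap.conf require the file, every filters_path directory and every exec_dirs directory to be writable only by root. The following is an added example (not part of the OpenStack documentation or the rootwrap code) of a check that audits those paths and the filter files inside them; the function names and the constructed demo tree are assumptions made for the illustration.

```python
import configparser
import os
import stat
import tempfile


def audit_path(path, trusted_uid=0):
    """Return a list of problems for one file or directory (empty if it is OK)."""
    try:
        st = os.stat(path)  # follows symlinks: audit what would really be used
    except FileNotFoundError:
        return []  # missing paths are skipped here; check their parents separately
    problems = []
    if st.st_uid != trusted_uid:
        problems.append("owned by uid %d, expected %d" % (st.st_uid, trusted_uid))
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("writable by group or other (mode %o)"
                        % stat.S_IMODE(st.st_mode))
    return problems


def audit_rootwrap_conf(conf_path, trusted_uid=0):
    """Audit rootwrap.conf, its filters_path and exec_dirs, and each filter file."""
    parser = configparser.RawConfigParser()  # raw: no '%' interpolation
    with open(conf_path) as handle:
        parser.read_file(handle)

    targets = [conf_path]
    for key in ("filters_path", "exec_dirs"):
        value = parser.get("DEFAULT", key, fallback="")
        for directory in (d.strip() for d in value.split(",")):
            if not directory:
                continue
            targets.append(directory)
            # A writable filter file is as dangerous as a writable directory.
            if key == "filters_path" and os.path.isdir(directory):
                targets += [os.path.join(directory, name)
                            for name in sorted(os.listdir(directory))]

    findings = {}
    for target in targets:
        problems = audit_path(target, trusted_uid)
        if problems:
            findings[target] = problems
    return findings


def demo():
    """Constructed tree: one safe directory, one world-writable directory,
    and one group-writable filter file. Uses the current uid as 'trusted'
    so that it runs without root."""
    uid = os.getuid()
    base = tempfile.mkdtemp()
    good_dir = os.path.join(base, "rootwrap.d")
    bad_dir = os.path.join(base, "shared-rootwrap")
    for directory, mode in ((good_dir, 0o755), (bad_dir, 0o777)):
        os.mkdir(directory)
        os.chmod(directory, mode)
    loose_filter = os.path.join(good_dir, "dhcp.filters")
    with open(loose_filter, "w") as handle:
        handle.write("[Filters]\n")
    os.chmod(loose_filter, 0o664)
    conf = os.path.join(base, "rootwrap.conf")
    with open(conf, "w") as handle:
        handle.write("[DEFAULT]\nfilters_path=%s,%s,%s\nexec_dirs=%s\n"
                     % (good_dir, bad_dir, os.path.join(base, "missing"), good_dir))
    os.chmod(conf, 0o644)
    return {"findings": audit_rootwrap_conf(conf, trusted_uid=uid), "uid": uid,
            "good_dir": good_dir, "bad_dir": bad_dir, "loose_filter": loose_filter}


if __name__ == "__main__":
    for path, problems in demo()["findings"].items():
        print(path, "->", "; ".join(problems))
```

On a real node, call audit_rootwrap_conf("/etc/neutron/rootwrap.conf") with the default trusted_uid of 0.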

Configuration files for plug-in agents


Each plug-in agent that runs on an OpenStack Networking node, to perform local networking configuration for the node's VMs and networking services, has its own configuration file.

dhcp_agent.ini
[DEFAULT]
# Show debugging output in log (sets DEBUG log level output)
# debug = False
# The DHCP agent will resync its state with Neutron to recover from any
# transient notification or rpc errors. The interval is number of
# seconds between attempts.
# resync_interval = 5

# The DHCP agent requires an interface driver be set. Choose the one that best
# matches your plugin.
# interface_driver =
# Example of interface_driver option for OVS based plugins(OVS, Ryu, NEC, NVP,
# BigSwitch/Floodlight)
# interface_driver = neutron.agent.linux.interface.OVSInterfaceDriver
# Name of Open vSwitch bridge to use
# ovs_integration_bridge = br-int
# Use veth for an OVS interface or not.
# Support kernels with limited namespace support
# (e.g. RHEL 6.5) so long as ovs_use_veth is set to True.
# ovs_use_veth = False
# Example of interface_driver option for LinuxBridge
# interface_driver = neutron.agent.linux.interface.BridgeInterfaceDriver
# The agent can use other DHCP drivers. Dnsmasq is the simplest and requires
# no additional setup of the DHCP server.
# dhcp_driver = neutron.agent.linux.dhcp.Dnsmasq
# Allow overlapping IP (Must have kernel build with CONFIG_NET_NS=y and
# iproute2 package that supports namespaces).
# use_namespaces = True
# The DHCP server can assist with providing metadata support on isolated
# networks. Setting this value to True will cause the DHCP server to append
# specific host routes to the DHCP request. The metadata service will only
# be activated when the subnet does not contain any router port. The guest
# instance must be configured to request host routes via DHCP (Option 121).
# enable_isolated_metadata = False
# Allows for serving metadata requests coming from a dedicated metadata
# access network whose cidr is 169.254.169.254/16 (or larger prefix), and
# is connected to a Neutron router from which the VMs send metadata
# request. In this case DHCP Option 121 will not be injected in VMs, as
# they will be able to reach 169.254.169.254 through a router.
# This option requires enable_isolated_metadata = True
# enable_metadata_network = False

# Number of threads to use during sync process. Should not exceed connection
# pool size configured on server.
# num_sync_threads = 4
# Location to store DHCP server config files
# dhcp_confs = $state_path/dhcp
# Domain to use for building the hostnames
# dhcp_domain = openstacklocal
# Override the default dnsmasq settings with this file
# dnsmasq_config_file =
# Comma-separated list of DNS servers which will be used by dnsmasq
# as forwarders.
# dnsmasq_dns_servers =
# Limit number of leases to prevent a denial-of-service.
# dnsmasq_lease_max = 16777216
# Location to DHCP lease relay UNIX domain socket
# dhcp_lease_relay_socket = $state_path/dhcp/lease_relay
# Location of Metadata Proxy UNIX domain socket
# metadata_proxy_socket = $state_path/metadata_proxy
# dhcp_delete_namespaces, which is false by default, can be set to True if
# namespaces can be deleted cleanly on the host running the dhcp agent.
# Do not enable this until you understand the problem with the Linux iproute
# utility mentioned in https://bugs.launchpad.net/neutron/+bug/1052535 and
# you are sure that your version of iproute does not suffer from the problem.
# If True, namespaces will be deleted when a dhcp server is disabled.
# dhcp_delete_namespaces = False
# Timeout for ovs-vsctl commands.
# If the timeout expires, ovs commands will fail with ALARMCLOCK error.
# ovs_vsctl_timeout = 10

l3_agent.ini
[DEFAULT]
# Show debugging output in log (sets DEBUG log level output)
# debug = False
# L3 requires that an interface driver be set. Choose the one that best
# matches your plugin.
# interface_driver =
# Example of interface_driver option for OVS based plugins (OVS, Ryu, NEC)
# that supports L3 agent
# interface_driver = neutron.agent.linux.interface.OVSInterfaceDriver
# Use veth for an OVS interface or not.
# Support kernels with limited namespace support
# (e.g. RHEL 6.5) so long as ovs_use_veth is set to True.
# ovs_use_veth = False

# Example of interface_driver option for LinuxBridge
# interface_driver = neutron.agent.linux.interface.BridgeInterfaceDriver
# Allow overlapping IP (Must have kernel build with CONFIG_NET_NS=y and
# iproute2 package that supports namespaces).
# use_namespaces = True
# If use_namespaces is set as False then the agent can only configure one router.
# This is done by setting the specific router_id.
# router_id =
# When external_network_bridge is set, each L3 agent can be associated
# with no more than one external network. This value should be set to the UUID
# of that external network. To allow L3 agent support multiple external
# networks, both the external_network_bridge and gateway_external_network_id
# must be left empty.
# gateway_external_network_id =
# Indicates that this L3 agent should also handle routers that do not have
# an external network gateway configured. This option should be True only
# for a single agent in a Neutron deployment, and may be False for all agents
# if all routers must have an external network gateway
# handle_internal_only_routers = True
# Name of bridge used for external network traffic. This should be set to
# empty value for the linux bridge. When this parameter is set, each L3 agent
# can be associated with no more than one external network.
# external_network_bridge = br-ex
# TCP Port used by Neutron metadata server
# metadata_port = 9697
# Send this many gratuitous ARPs for HA setup. Set it below or equal to 0
# to disable this feature.
# send_arp_for_ha = 0
# seconds between re-sync routers' data if needed
# periodic_interval = 40
# seconds to start to sync routers' data after
# starting agent
# periodic_fuzzy_delay = 5
# enable_metadata_proxy, which is true by default, can be set to False
# if the Nova metadata server is not available
# enable_metadata_proxy = True
# Location of Metadata Proxy UNIX domain socket
# metadata_proxy_socket = $state_path/metadata_proxy
# router_delete_namespaces, which is false by default, can be set to True if
# namespaces can be deleted cleanly on the host running the L3 agent.
# Do not enable this until you understand the problem with the Linux iproute
# utility mentioned in https://bugs.launchpad.net/neutron/+bug/1052535 and
# you are sure that your version of iproute does not suffer from the problem.
# If True, namespaces will be deleted when a router is destroyed.
# router_delete_namespaces = False

# Timeout for ovs-vsctl commands.
# If the timeout expires, ovs commands will fail with ALARMCLOCK error.
# ovs_vsctl_timeout = 10

lbaas_agent.ini
[DEFAULT]
# Show debugging output in log (sets DEBUG log level output).
# debug = False
# The LBaaS agent will resync its state with Neutron to recover from any
# transient notification or rpc errors. The interval is number of
# seconds between attempts.
# periodic_interval = 10

# LBaas requires an interface driver be set. Choose the one that best
# matches your plugin.
# interface_driver =
# Example of interface_driver option for OVS based plugins (OVS, Ryu, NEC, NVP,
# BigSwitch/Floodlight)
# interface_driver = neutron.agent.linux.interface.OVSInterfaceDriver
# Use veth for an OVS interface or not.
# Support kernels with limited namespace support
# (e.g. RHEL 6.5) so long as ovs_use_veth is set to True.
# ovs_use_veth = False
# Example of interface_driver option for LinuxBridge
# interface_driver = neutron.agent.linux.interface.BridgeInterfaceDriver
# The agent requires drivers to manage the loadbalancer. HAProxy is the opensource version.
# Multiple device drivers reflecting different service providers could be specified:
# device_driver = path.to.provider1.driver.Driver
# device_driver = path.to.provider2.driver.Driver
# Default is:
# device_driver = neutron.services.loadbalancer.drivers.haproxy.namespace_driver.HaproxyNSDriver
[haproxy]
# Location to store config and state files
# loadbalancer_state_path = $state_path/lbaas
# The user group
# user_group = nogroup

metadata_agent.ini
[DEFAULT]
# Show debugging output in log (sets DEBUG log level output)
# debug = True
# The Neutron user information for accessing the Neutron API.
auth_url = http://localhost:5000/v2.0
auth_region = RegionOne
# Turn off verification of the certificate for ssl
# auth_insecure = False
# Certificate Authority public key (CA cert) file for ssl
# auth_ca_cert =
admin_tenant_name = %SERVICE_TENANT_NAME%
admin_user = %SERVICE_USER%
admin_password = %SERVICE_PASSWORD%
# Network service endpoint type to pull from the keystone catalog
# endpoint_type = adminURL
# IP address used by Nova metadata server
# nova_metadata_ip = 127.0.0.1
# TCP Port used by Nova metadata server
# nova_metadata_port = 8775
# When proxying metadata requests, Neutron signs the Instance-ID header with a
# shared secret to prevent spoofing. You may select any string for a secret,
# but it must match here and in the configuration used by the Nova Metadata
# Server. NOTE: Nova uses a different key: neutron_metadata_proxy_shared_secret
# metadata_proxy_shared_secret =
# Location of Metadata Proxy UNIX domain socket
# metadata_proxy_socket = $state_path/metadata_proxy
# Number of separate worker processes for metadata server
# metadata_workers = 0
# Number of backlog requests to configure the metadata server socket with
# metadata_backlog = 128
# URL to connect to the cache backend.
# Example of URL using memory caching backend
# with ttl set to 5 seconds: cache_url = memory://?default_ttl=5
# default_ttl=0 parameter will cause cache entries to never expire.
# Otherwise default_ttl specifies time in seconds a cache entry is valid for.
# No cache is used in case no value is passed.
# cache_url =
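
The metadata_proxy_shared_secret comment in metadata_agent.ini says the Instance-ID header is signed with a shared secret that must match on the Nova side. The following added example (not code from Neutron, Nova or the original document) shows both sides of that exchange, assuming an HMAC-SHA256 hex digest over the instance ID and the X-Instance-ID / X-Instance-ID-Signature header names; the secret and IDs are constructed sample values.

```python
import hashlib
import hmac

SIG_HEADER = "X-Instance-ID-Signature"  # assumed header name


def sign_instance_id(shared_secret, instance_id):
    """HMAC-SHA256 over the instance ID, keyed with the shared secret."""
    return hmac.new(shared_secret.encode(), instance_id.encode(),
                    hashlib.sha256).hexdigest()


def proxy_headers(shared_secret, instance_id, tenant_id):
    """Headers the proxy side attaches before forwarding a metadata request."""
    return {
        "X-Instance-ID": instance_id,
        "X-Tenant-ID": tenant_id,
        SIG_HEADER: sign_instance_id(shared_secret, instance_id),
    }


def verify_request(shared_secret, headers):
    """Metadata-server side: accept only if the signature matches the ID."""
    if not shared_secret:
        return False  # an unset secret must never validate anything
    instance_id = headers.get("X-Instance-ID")
    signature = headers.get(SIG_HEADER)
    if not instance_id or not signature:
        return False
    expected = sign_instance_id(shared_secret, instance_id)
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(expected.encode(), signature.encode())


def demo():
    """Constructed values: matching secrets, a spoofed ID, mismatched config."""
    secret = "constructed-secret-not-for-production"
    vm_a = "11111111-aaaa-4aaa-8aaa-111111111111"
    vm_b = "22222222-bbbb-4bbb-8bbb-222222222222"
    headers = proxy_headers(secret, vm_a, "constructed-tenant")

    spoofed = dict(headers)
    spoofed["X-Instance-ID"] = vm_b  # claim another instance, keep old signature

    unsigned = {"X-Instance-ID": vm_a}

    return {
        "valid": verify_request(secret, headers),
        "spoofed_id": verify_request(secret, spoofed),
        "secret_mismatch": verify_request("nova-has-a-different-secret", headers),
        "unsigned": verify_request(secret, unsigned),
        "empty_secret": verify_request("", headers),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print("%-16s accepted=%s" % (case, accepted))
```

The secret_mismatch case is what a deployment sees when the agent's value and Nova's neutron_metadata_proxy_shared_secret differ: every proxied request is rejected.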

New, updated and deprecated options in Juno for OpenStack Networking

Table 8.74. New options
Option = default value

(Type) Help string

[DEFAULT] agent_down_time = 75

(IntOpt) Seconds to regard the agent is down; should be at least twice report_interval, to be sure the agent is down for good.

[DEFAULT] agent_mode = legacy

(StrOpt) The working mode for the agent. Allowed modes are: 'legacy' - this preserves the existing behavior where the L3 agent is deployed on a centralized networking node to provide L3 services like DNAT, and SNAT. Use this mode if you do not want to adopt DVR. 'dvr' - this mode enables DVR functionality and must be used for an L3 agent that runs on a compute host. 'dvr_snat' - this enables centralized SNAT support in conjunction with DVR. This mode must be used for an L3 agent running on a centralized node (or in single-host deployments, e.g. devstack)

[DEFAULT] allow_automatic_l3agent_failover = False

(BoolOpt) Automatically reschedule routers from offline L3 agents to online L3 agents.

[DEFAULT] apic_system_id = openstack

(StrOpt) Prefix for APIC domain/names/profiles created

[DEFAULT] check_child_processes = False

(BoolOpt) Periodically check child processes

[DEFAULT] check_child_processes_action = respawn

(StrOpt) Action to be executed when a child process dies

[DEFAULT] check_child_processes_interval = 60

(IntOpt) Interval between checks of child process liveness (seconds)

[DEFAULT] dhcp_agents_per_network = 1

(IntOpt) Number of DHCP agents scheduled to host a network.

[DEFAULT] dvr_base_mac = fa:16:3f:00:00:00

(StrOpt) The base mac address used for unique DVR instances by Neutron

[DEFAULT] enable_metadata_proxy = True

(BoolOpt) Allow running metadata proxy.

[DEFAULT] gateway_external_network_id =

(StrOpt) UUID of external network for routers implemented by the agents.

[DEFAULT] ha_confs_path = $state_path/ha_confs

(StrOpt) Location to store keepalived/conntrackd config files

[DEFAULT] ha_vrrp_advert_int = 2

(IntOpt) The advertisement interval in seconds

[DEFAULT] ha_vrrp_auth_password = None

(StrOpt) VRRP authentication password

[DEFAULT] ha_vrrp_auth_type = PASS

(StrOpt) VRRP authentication type AH/PASS

[DEFAULT] handle_internal_only_routers = True

(BoolOpt) Agent should implement routers with no gateway

[DEFAULT] kombu_reconnect_delay = 1.0

(FloatOpt) How long to wait before reconnecting in response to an AMQP consumer cancel notification.

[DEFAULT] l3_ha = False

(BoolOpt) Enable HA mode for virtual routers.

[DEFAULT] l3_ha_net_cidr = 169.254.192.0/18

(StrOpt) Subnet used for the l3 HA admin network.

[DEFAULT] loadbalancer_pool_scheduler_driver = neutron.services.loadbalancer.agent_scheduler.ChanceScheduler

(StrOpt) Driver to use for scheduling pool to a default loadbalancer agent

[DEFAULT] max_l3_agents_per_router = 3

(IntOpt) Maximum number of agents on which a router will be scheduled.

[DEFAULT] max_routes = 30

(IntOpt) Maximum number of routes

[DEFAULT] metadata_port = 9697

(IntOpt) TCP Port used by Neutron metadata namespace proxy.

[DEFAULT] min_l3_agents_per_router = 2

(IntOpt) Minimum number of agents on which a router will be scheduled.

[DEFAULT] network_auto_schedule = True

(BoolOpt) Allow auto scheduling networks to DHCP agent.

[DEFAULT] network_scheduler_driver = neutron.scheduler.dhcp_agent_scheduler.ChanceScheduler

(StrOpt) Driver to use for scheduling network to DHCP agent

[DEFAULT] nova_api_insecure = False

(BoolOpt) If True, ignore any SSL validation issues

[DEFAULT] nova_ca_certificates_file = None

(StrOpt) CA file for novaclient to verify server certificates

[DEFAULT] nova_client_cert =

(StrOpt) Client certificate for nova metadata api server.

[DEFAULT] nova_client_priv_key =

(StrOpt) Private key of client certificate.

[DEFAULT] nova_metadata_insecure = False

(BoolOpt) Allow to perform insecure SSL (https) requests to nova metadata

[DEFAULT] nova_metadata_protocol = http

(StrOpt) Protocol to access nova metadata, http or https

[DEFAULT] qpid_receiver_capacity = 1

(IntOpt) The number of prefetched messages held by receiver.

[DEFAULT] ra_confs = $state_path/ra

(StrOpt) Location to store IPv6 RA config files

[DEFAULT] rabbit_login_method = AMQPLAIN

(StrOpt) the RabbitMQ login method

[DEFAULT] router_auto_schedule = True

(BoolOpt) Allow auto scheduling of routers to L3 agent.

[DEFAULT] router_delete_namespaces = False

(BoolOpt) Delete namespace after removing a router.

[DEFAULT] router_distributed = False

(BoolOpt) System-wide flag to determine the type of router that tenants can create. Only admin can override.

[DEFAULT] router_id =

(StrOpt) If namespaces is disabled, the l3 agent can only configure a router that has the matching router ID.

[DEFAULT] router_scheduler_driver = neutron.scheduler.l3_agent_scheduler.ChanceScheduler

(StrOpt) Driver to use for scheduling router to a default L3 agent

[DEFAULT] send_arp_for_ha = 3

(IntOpt) Send this many gratuitous ARPs for HA setup, if less than or equal to 0, the feature is disabled

[DEFAULT] transport_url = None

(StrOpt) A URL representing the messaging driver to use and its full configuration. If not set, we fall back to the rpc_backend option and driver specific configuration.

[DEFAULT] use_syslog_rfc_format = False

(BoolOpt) (Optional) Enables or disables syslog rfc5424 format for logging. If enabled, prefixes the MSG part of the syslog message with APP-NAME (RFC5424). The format without the APP-NAME is deprecated in I, and will be removed in J.

[AGENT] arp_responder = False

(BoolOpt) Enable local ARP responder if it is supported. Requires OVS 2.1 and ML2 l2population driver. Allows the switch (when supporting an overlay) to respond to an ARP request locally without performing a costly ARP broadcast into the overlay.

[AGENT] dont_fragment = True

(BoolOpt) Set or un-set the don't fragment (DF) bit on outgoing IP packet carrying GRE/VXLAN tunnel.

[AGENT] enable_distributed_routing = False

(BoolOpt) Make the l2 agent run in DVR mode.

[AGENT] physical_interface_mappings = []

(ListOpt) List of <physical_network>:<physical_interface>

[CISCO_N1K] http_pool_size = 4

(IntOpt) Number of threads to use to make HTTP requests

[CISCO_N1K] restrict_policy_profiles = False

(BoolOpt) Restrict the visibility of policy profiles to the tenants

[CONTRAIL] api_server_ip = 127.0.0.1

(StrOpt) IP address to connect to opencontrail controller

[CONTRAIL] api_server_port = 8082

(IntOpt) Port to connect to opencontrail controller

[HYPERV] network_vlan_ranges = []

(ListOpt) List of <physical_network>:<vlan_min>:<vlan_max> or <physical_network>

[HYPERV] tenant_network_type = local

(StrOpt) Network type for tenant networks (local, flat, vlan or none)

[NOVA] node_override_vif_distributed = []

(ListOpt) Nova compute nodes to manually set VIF type to distributed

[NOVA] node_override_vif_dvs = []

(ListOpt) Nova compute nodes to manually set VIF type to dvs

[NOVA] node_override_vif_hw_veb = []

(ListOpt) Nova compute nodes to manually set VIF type to hw_veb

[NOVA] node_override_vif_vrouter = []

(ListOpt) Nova compute nodes to manually set VIF type to vrouter

[NSX_DHCP] default_lease_time = 43200

(IntOpt) Default DHCP lease time

[NSX_DHCP] domain_name = openstacklocal

(StrOpt) Domain to use for building the hostnames

[NSX_DHCP] extra_domain_name_servers = []

(ListOpt) Comma separated list of additional domain name servers

[NSX_LSN] sync_on_missing_data = False

(BoolOpt) Pull LSN information from NSX in case it is missing from the local data store. This is useful to rebuild the local store in case of server recovery.

[NSX_METADATA] metadata_server_address = 127.0.0.1

(StrOpt) IP address used by Metadata server.

[NSX_METADATA] metadata_server_port = 8775

(IntOpt) TCP Port used by Metadata server.

[NSX_METADATA] metadata_shared_secret =

(StrOpt) Shared secret to sign instance-id request

[OVS] use_veth_interconnection = False

(BoolOpt) Use veths instead of patch ports to interconnect the integration bridge to physical bridges.

[PHYSICAL_INTERFACE] physical_interface = eth0

(StrOpt) The network interface to use when creating a port

[QUOTAS] quota_firewall = 1

(IntOpt) Number of firewalls allowed per tenant. A negative value means unlimited.

[QUOTAS] quota_firewall_policy = 1

(IntOpt) Number of firewall policies allowed per tenant. A negative value means unlimited.

[QUOTAS] quota_firewall_rule = 100

(IntOpt) Number of firewall rules allowed per tenant. A negative value means unlimited.

[QUOTAS] quota_floatingip = 50

(IntOpt) Number of floating IPs allowed per tenant. A negative value means unlimited.

[QUOTAS] quota_health_monitor = -1

(IntOpt) Number of health monitors allowed per tenant. A negative value means unlimited.

[QUOTAS] quota_member = -1

(IntOpt) Number of pool members allowed per tenant. A negative value means unlimited.

[QUOTAS] quota_network_gateway = 5

(IntOpt) Number of network gateways allowed per tenant, -1 for unlimited

[QUOTAS] quota_packet_filter = 100

(IntOpt) Number of packet_filters allowed per tenant, -1 for unlimited

[QUOTAS] quota_pool = 10

(IntOpt) Number of pools allowed per tenant. A negative value means unlimited.

[QUOTAS] quota_router = 10

(IntOpt) Number of routers allowed per tenant. A negative value means unlimited.

[QUOTAS] quota_security_group = 10

(IntOpt) Number of security groups allowed per tenant. A negative value means unlimited.

[QUOTAS] quota_security_group_rule = 100

(IntOpt) Number of security rules allowed per tenant. A negative value means unlimited.

[QUOTAS] quota_vip = 10

(IntOpt) Number of vips allowed per tenant. A negative value means unlimited.

[SECURITYGROUP] enable_ipset = True

(BoolOpt) Use ipset to speed-up the iptables based security groups.

[SRIOV_NIC] exclude_devices = []

(ListOpt) List of <network_device>:<excluded_devices> mapping network_device to the agent's node-specific list of virtual functions that should not be used for virtual networking. excluded_devices is a semicolon separated list of virtual functions (BDF format) to exclude from network_device. The network_device in the mapping should appear in the physical_device_mappings list.

[SRIOV_NIC] physical_device_mappings = []

(ListOpt) List of <physical_network>:<network_device> mapping physical network names to the agent's node-specific physical network device of SR-IOV physical function to be used for VLAN networks. All physical networks listed in network_vlan_ranges on the server should have mappings to appropriate interfaces on each agent

[SWITCH] address =

(StrOpt) The address of the host to SSH to

[SWITCH] ostype = NOS

(StrOpt) Currently unused

[SWITCH] password =

(StrOpt) The SSH password to use

[SWITCH] username =

(StrOpt) The SSH username to use

[SYNCMANAGER] enable_sync = False

(BoolOpt) Nuage plugin will sync resources between openstack and VSD

[SYNCMANAGER] sync_interval = 0

(IntOpt) Sync interval in seconds between openstack and VSD. It defines how often the synchronization is done. If not set, value of 0 is assumed and sync will be performed only once, at the Neutron startup time.

[cfg_agent] device_connection_timeout = 30

(IntOpt) Time in seconds for connecting to a hosting device

[cfg_agent] hosting_device_dead_timeout = 300

(IntOpt) The time in seconds until a backlogged hosting device is presumed dead. This value should be set up high enough to recover from a period of connectivity loss or high load when the device may not be responding.

[cfg_agent] routing_svc_helper_class = neutron.plugins.cisco.cfg_agent.service_helpers.routing_svc_helper.RoutingServiceHelper

(StrOpt) Path of the routing service helper class.

[cfg_agent] rpc_loop_interval = 10

(IntOpt) Interval when the process_services() loop executes in seconds. This is when the config agent lets each service helper to process its neutron resources.

[database] mysql_sql_mode = TRADITIONAL

(StrOpt) The SQL mode to be used for MySQL sessions. This option, including the default, overrides any server-set SQL mode. To use whatever SQL mode is set by the server configuration, set this to no value. Example: mysql_sql_mode=

[database] sqlite_db = oslo.sqlite

(StrOpt) The file name to use with SQLite.

[database] sqlite_synchronous = True

(BoolOpt) If True, SQLite uses synchronous mode.

[general] backlog_processing_interval = 10

(IntOpt) Time in seconds between renewed scheduling attempts of non-scheduled routers.

[general] cfg_agent_down_time = 60

(IntOpt) Seconds of no status update until a cfg agent is considered down.

[general] default_security_group = mgmt_sec_grp

(StrOpt) Default security group applied on management port. Default value is mgmt_sec_grp.

[general] ensure_nova_running = True

(BoolOpt) Ensure that Nova is running before attempting to create any VM.

[general] l3_admin_tenant = L3AdminTenant

(StrOpt) Name of the L3 admin tenant.

[general] management_network = osn_mgmt_nw

(StrOpt) Name of management network for device configuration. Default value is osn_mgmt_nw

[general] service_vm_config_path = /opt/stack/data/neutron/cisco/config_drive

(StrOpt) Path to config drive files for service VM instances.

[general] templates_path = /opt/stack/data/neutron/cisco/templates

(StrOpt) Path to templates for hosting devices.

[haproxy] send_gratuitous_arp = 3

(IntOpt) When delete and re-add the same vip, send this many gratuitous ARPs to flush the ARP cache in the Router. Set it below or equal to 0 to disable this feature.

[hosting_devices] csr1kv_booting_time = 420

(IntOpt) Booting time in seconds before a CSR1kv becomes operational.

[hosting_devices] csr1kv_cfgagent_router_driver = neutron.plugins.cisco.cfg_agent.device_drivers.csr1kv.csr1kv_routing_driver.CSR1kvRoutingDriver

(StrOpt) Config agent driver for CSR1kv.

[hosting_devices] csr1kv_configdrive_template = csr1kv_cfg_template

(StrOpt) CSR1kv configdrive template file.

[hosting_devices] csr1kv_device_driver = neutron.plugins.cisco.l3.hosting_device_drivers.csr1kv_hd_driver.CSR1kvHostingDeviceDriver

(StrOpt) Hosting device driver for CSR1kv.

[hosting_devices] csr1kv_flavor = 621

(StrOpt) UUID of Nova flavor for CSR1kv.

[hosting_devices] csr1kv_image = csr1kv_openstack_img

(StrOpt) Name of Glance image for CSR1kv.

[hosting_devices] csr1kv_password = cisco

(StrOpt) Password to use for CSR1kv configurations.

[hosting_devices] csr1kv_plugging_driver = neutron.plugins.cisco.l3.plugging_drivers.n1kv_trunking_driver.N1kvTrunkingPlugDriver

(StrOpt) Plugging driver for CSR1kv.

[hosting_devices] csr1kv_username = stack

(StrOpt) Username to use for CSR1kv configurations.

[keystone_authtoken] check_revocations_for_cached = False

(BoolOpt) If true, the revocation list will be checked for cached tokens. This requires that PKI tokens are configured on the Keystone server.

[keystone_authtoken] hash_algorithms = ['md5']

(ListOpt) Hash algorithms to use for hashing PKI tokens. This may be a single algorithm or multiple. The algorithms are those supported by Python standard hashlib.new(). The hashes will be tried in the order given, so put the preferred one first for performance. The result of the first hash will be stored in the cache. This will typically be set to multiple values only while migrating from a less secure algorithm to a more secure one. Once all the old tokens are expired this option should be set to a single value for better performance.

[keystone_authtoken] identity_uri = None

(StrOpt) Complete admin Identity API endpoint. This


should specify the unversioned root endpoint e.g. https://
localhost:35357/

[l3_arista] l3_sync_interval = 180

(IntOpt) Sync interval in seconds between L3 Service plugin and EOS. This interval defines how often the synchronization is performed. This is an optional field. If not set, a
value of 180 seconds is assumed

[l3_arista] mlag_config = False

(BoolOpt) This flag is used indicate if Arista Switches are


configured in MLAG mode. If yes, all L3 config is pushed to
both the switches automatically. If this flag is set to True,
ensure to specify IP addresses of both switches. This is optional. If not set, a value of "False" is assumed.

[l3_arista] primary_l3_host =

(StrOpt) Arista EOS IP address. This is required field. If not


set, all communications to Arista EOS will fail

[l3_arista] primary_l3_host_password =

(StrOpt) Password for Arista EOS. This is required field. If


not set, all communications to Arista EOS will fail

[l3_arista] primary_l3_host_username =

(StrOpt) Username for Arista EOS. This is required field. If


not set, all communications to Arista EOS will fail

[l3_arista] secondary_l3_host =

(StrOpt) Arista EOS IP address for second Switch MLAGed


with the first one. This an optional field, however, if
mlag_config flag is set, then this is required. If not set, all
communications to Arista EOS will fail

[l3_arista] use_vrf = False

(BoolOpt) A "True" value for this flag indicates to create


a router in VRF. If not set, all routers are created in default VRF.This is optional. If not set, a value of "False" is assumed.

[ml2] extension_drivers = []

(ListOpt) An ordered list of extension driver entrypoints to


be loaded from the neutron.ml2.extension_drivers namespace.

[ml2_brocade] rbridge_id = 1

(StrOpt) Rbridge id of provider edge router(s)

[ml2_cisco_apic] apic_agent_poll_interval = 2

(FloatOpt) Interval between agent poll for topology (in


sec)

[ml2_cisco_apic] apic_agent_report_interval = 30

(FloatOpt) Interval between agent status updates (in sec)

[ml2_cisco_apic] apic_app_profile_name =
${apic_system_id}_app

(StrOpt) Name for the app profile used for Openstack

[ml2_cisco_apic] apic_domain_name = ${apic_system_id}

(StrOpt) Name for the domain created on APIC

[ml2_cisco_apic] apic_entity_profile = ${apic_system_id}_entity_profile

(StrOpt) Name of the entity profile to be created

[ml2_cisco_apic] apic_function_profile = ${apic_system_id}_function_profile

(StrOpt) Name of the function profile to be created

[ml2_cisco_apic] apic_host_uplink_ports = []

(ListOpt) The uplink ports to check for ACI connectivity

[ml2_cisco_apic] apic_hosts = []

(ListOpt) An ordered list of host names or IP addresses of the APIC controller(s).

[ml2_cisco_apic] apic_lacp_profile = ${apic_system_id}_lacp_profile

(StrOpt) Name of the LACP profile to be created

[ml2_cisco_apic] apic_name_mapping = use_name

(StrOpt) Name mapping strategy to use: use_uuid | use_name

[ml2_cisco_apic] apic_node_profile = ${apic_system_id}_node_profile

(StrOpt) Name of the node profile to be created

[ml2_cisco_apic] apic_password = None

(StrOpt) Password for the APIC controller

[ml2_cisco_apic] apic_sync_interval = 0

(IntOpt) Synchronization interval in seconds

[ml2_cisco_apic] apic_use_ssl = True

(BoolOpt) Use SSL to connect to the APIC controller

[ml2_cisco_apic] apic_username = None

(StrOpt) Username for the APIC controller

[ml2_cisco_apic] apic_vlan_ns_name = ${apic_system_id}_vlan_ns

(StrOpt) Name for the vlan namespace to be used for Openstack

[ml2_cisco_apic] apic_vlan_range = 2:4093

(StrOpt) Range of VLANs to be used for Openstack

[ml2_cisco_apic] apic_vpc_pairs = []

(ListOpt) The switch pairs for VPC connectivity

[ml2_cisco_apic] root_helper = sudo /usr/local/bin/neutron-rootwrap /etc/neutron/rootwrap.conf

(StrOpt) Setup root helper as rootwrap or sudo

[ml2_fslsdn] crd_api_insecure = False

(BoolOpt) If set, ignore any SSL validation issues.

[ml2_fslsdn] crd_auth_strategy = keystone

(StrOpt) Auth strategy for connecting to neutron in admin context.

[ml2_fslsdn] crd_auth_url = http://127.0.0.1:5000/v2.0/

(StrOpt) CRD Auth URL.

[ml2_fslsdn] crd_ca_certificates_file = None

(StrOpt) Location of ca certificates file to use for CRD client requests.

[ml2_fslsdn] crd_password = password

(StrOpt) CRD Service Password.

[ml2_fslsdn] crd_region_name = RegionOne

(StrOpt) Region name for connecting to CRD Service in admin context.

[ml2_fslsdn] crd_tenant_name = service

(StrOpt) CRD Tenant Name.

[ml2_fslsdn] crd_url = http://127.0.0.1:9797

(StrOpt) URL for connecting to CRD service.

[ml2_fslsdn] crd_url_timeout = 30

(IntOpt) Timeout value for connecting to CRD service in seconds.

[ml2_fslsdn] crd_user_name = crd

(StrOpt) CRD service Username.

[ml2_sriov] agent_required = False

(BoolOpt) SRIOV neutron agent is required for port binding

[ml2_sriov] supported_pci_vendor_devs = ['15b3:1004', '8086:10c9']

(ListOpt) Supported PCI vendor devices, defined by vendor_id:product_id according to the PCI ID Repository. Default enables support for Intel and Mellanox SR-IOV capable NICs

[n1kv] management_port_profile = osn_mgmt_pp

(StrOpt) Name of N1kv port profile for management ports.

[n1kv] t1_network_profile = osn_t1_np

(StrOpt) Name of N1kv network profile for T1 networks (i.e., trunk networks for VXLAN segmented traffic).

[n1kv] t1_port_profile = osn_t1_pp

(StrOpt) Name of N1kv port profile for T1 ports (i.e., ports carrying traffic from VXLAN segmented networks).

[n1kv] t2_network_profile = osn_t2_np

(StrOpt) Name of N1kv network profile for T2 networks (i.e., trunk networks for VLAN segmented traffic).

[n1kv] t2_port_profile = osn_t2_pp

(StrOpt) Name of N1kv port profile for T2 ports (i.e., ports carrying traffic from VLAN segmented networks).

[netscaler_driver] netscaler_ncc_password = None

(StrOpt) Password to login to the NetScaler Control Center Server.

[netscaler_driver] netscaler_ncc_uri = None

(StrOpt) The URL to reach the NetScaler Control Center Server.

[netscaler_driver] netscaler_ncc_username = None

(StrOpt) Username to login to the NetScaler Control Center Server.

[plumgriddirector] director_server = localhost

(StrOpt) PLUMgrid Director server to connect to

[plumgriddirector] director_server_port = 8080

(StrOpt) PLUMgrid Director server port to connect to

[plumgriddirector] driver = neutron.plugins.plumgrid.drivers.plumlib.Plumlib

(StrOpt) PLUMgrid Driver

[plumgriddirector] password = password

(StrOpt) PLUMgrid Director admin password

[plumgriddirector] servertimeout = 5

(IntOpt) PLUMgrid Director server timeout

[plumgriddirector] username = username

(StrOpt) PLUMgrid Director admin username

[radware] actions_to_skip = ['setup_l2_l3']

(ListOpt) List of actions that are not pushed to the completion queue.

[radware] ha_secondary_address = None

(StrOpt) IP address of secondary vDirect server.

[radware] l2_l3_ctor_params = {'ha_network_name': 'HANetwork', 'service': '_REPLACE_', 'ha_ip_pool_name': 'default', 'twoleg_enabled': '_REPLACE_', 'allocate_ha_ips': True, 'allocate_ha_vrrp': True}

(DictOpt) Parameter for l2_l3 workflow constructor.

[radware] l2_l3_setup_params = {'data_ip_address': '192.168.200.99', 'data_port': 1, 'gateway': '192.168.200.1', 'ha_port': 2, 'data_ip_mask': '255.255.255.0'}

(DictOpt) Parameter for l2_l3 workflow setup.

[radware] l2_l3_workflow_name = openstack_l2_l3

(StrOpt) Name of l2_l3 workflow. Default: openstack_l2_l3.

[radware] l4_action_name = BaseCreate

(StrOpt) Name of the l4 workflow action. Default: BaseCreate.

[radware] l4_workflow_name = openstack_l4

(StrOpt) Name of l4 workflow. Default: openstack_l4.

[radware] service_adc_type = VA

(StrOpt) Service ADC type. Default: VA.

[radware] service_adc_version =

(StrOpt) Service ADC version.

[radware] service_cache = 20

(IntOpt) Size of service cache. Default: 20.

[radware] service_compression_throughput = 100

(IntOpt) Service compression throughput. Default: 100.

[radware] service_ha_pair = False

(BoolOpt) Enables or disables the Service HA pair. Default: False.

[radware] service_isl_vlan = -1

(IntOpt) A required VLAN for the interswitch link to use.

[radware] service_resource_pool_ids = []

(ListOpt) Resource pool IDs.

[radware] service_session_mirroring_enabled = False

(BoolOpt) Enable or disable Alteon interswitch link for stateful session failover. Default: False.

[radware] service_ssl_throughput = 100

(IntOpt) Service SSL throughput. Default: 100.

[radware] service_throughput = 1000

(IntOpt) Service throughput. Default: 1000.

[radware] vdirect_address = None

(StrOpt) IP address of vDirect server.

[radware] vdirect_password = radware

(StrOpt) vDirect user password.

[radware] vdirect_user = vDirect

(StrOpt) vDirect user name.

[vpnagent] vpn_device_driver = ['neutron.services.vpn.device_drivers.ipsec.OpenSwanDriver']

(MultiStrOpt) The vpn device drivers Neutron will use

Table 8.75. New default values

Option | Previous default value | New default value
[DEFAULT] control_exchange | neutron | openstack
[DEFAULT] default_log_levels | amqp=WARN, amqplib=WARN, boto=WARN, qpid=WARN, sqlalchemy=WARN, suds=INFO, iso8601=WARN | amqp=WARN, amqplib=WARN, boto=WARN, qpid=WARN, sqlalchemy=WARN, suds=INFO, oslo.messaging=INFO, iso8601=WARN, requests.packages.urllib3.connectionpool=WARN
[DEFAULT] endpoint_type | adminURL | publicURL
[DEFAULT] force_gateway_on_subnet | False | True
[DEFAULT] http_timeout | 10 | 75
[DEFAULT] metadata_backlog | 128 | 4096
[DEFAULT] metadata_workers | |
[DEFAULT] rpc_zmq_matchmaker | neutron.openstack.common.rpc.matchmaker.MatchMakerLocalhost | oslo.messaging._drivers.matchmaker.MatchMakerLocalhost
[CISCO_N1K] poll_duration | 10 | 60
[NOVA] vif_types | unbound, binding_failed, ovs, ivs, bridge, 802.1qbg, 802.1qbh, hyperv, midonet, mlnx_direct, hostdev, other | unbound, binding_failed, ovs, ivs, bridge, 802.1qbg, 802.1qbh, hyperv, midonet, mlnx_direct, hostdev, hw_veb, dvs, other, distributed, vrouter
[SDNVE] default_tenant_type | OF | OVERLAY
[database] connection | sqlite:// | None
[database] max_overflow | 20 | None
[database] max_pool_size | 10 | None
[database] pool_timeout | 10 | None
[database] slave_connection | | None
[keystone_authtoken] revocation_cache_time | 300 | 10

Table 8.76. Deprecated options

Deprecated option | New Option
[rpc_notifier2] topics | [DEFAULT] notification_topics

9. Object Storage

Table of Contents

Introduction to Object Storage
Object Storage general service configuration
Object server configuration
Object expirer configuration
Container server configuration
Container sync realms configuration
Container reconciler configuration
Account server configuration
Proxy server configuration
Proxy server memcache configuration
Rsyncd configuration
Configure Object Storage features
New, updated and deprecated options in Juno for OpenStack Object Storage

OpenStack Object Storage uses multiple configuration files for multiple services and background daemons, and paste.deploy to manage server configurations. Default configuration options appear in the [DEFAULT] section. You can override the default values by setting values in the other sections.

Introduction to Object Storage

Object Storage is a robust, highly scalable and fault tolerant storage platform for unstructured data such as objects. Objects are stored bits, accessed through a RESTful, HTTP-based interface. You cannot access data at the block or file level. Object Storage is commonly used to archive and back up data, with use cases in virtual machine image, photo, video and music storage.

Object Storage provides a high degree of availability, throughput, and performance with its scale out architecture. Each object is replicated across multiple servers, residing within the same data center or across data centers, which mitigates the risk of network and hardware failure. In the event of hardware failure, Object Storage will automatically copy objects to a new location to ensure that there are always three copies available. Object Storage is an eventually consistent distributed storage platform; it sacrifices consistency for maximum availability and partition tolerance. Object Storage enables you to create a reliable platform by using commodity hardware and inexpensive storage.

For more information, review the key concepts in the developer documentation at docs.openstack.org/developer/swift/.

Object Storage general service configuration

Most Object Storage services fall into two categories, Object Storage's WSGI servers and background daemons.

Object Storage uses paste.deploy to manage server configurations. Read more at http://pythonpaste.org/deploy/.

Default configuration options are set in the `[DEFAULT]` section, and any options specified there can be overridden in any of the other sections when the syntax set option_name = value is in place.

Configuration for servers and daemons can be expressed together in the same file for each type of server, or separately. If a required section for the service trying to start is missing, there will be an error. Sections not used by the service are ignored.

Consider the example of an Object Storage node. By convention configuration for the object-server, object-updater, object-replicator, and object-auditor exist in a single file /etc/swift/object-server.conf:

[DEFAULT]
[pipeline:main]
pipeline = object-server
[app:object-server]
use = egg:swift#object
[object-replicator]
reclaim_age = 259200
[object-updater]
[object-auditor]

Object Storage services expect a configuration path as the first argument:


$ swift-object-auditor
Usage: swift-object-auditor CONFIG [options]
Error: missing config path argument

If you omit the object-auditor section, this file cannot be used as the configuration path when starting the swift-object-auditor daemon:

$ swift-object-auditor /etc/swift/object-server.conf
Unable to find object-auditor config section in /etc/swift/object-server.conf

If the configuration path is a directory instead of a file, all of the files in the directory with the file extension ".conf" will be combined to generate the configuration object which is delivered to the Object Storage service. This is referred to generally as "directory-based configuration".

Directory-based configuration leverages ConfigParser's native multi-file support. Files ending in ".conf" in the given directory are parsed in lexicographical order. File names starting with '.' are ignored. A mixture of file and directory configuration paths is not supported - if the configuration path is a file, only that file will be parsed.

The Object Storage service management tool swift-init has adopted the convention of looking for /etc/swift/{type}-server.conf.d/ if the file /etc/swift/{type}-server.conf does not exist.

When using directory-based configuration, if the same option under the same section appears more than once in different files, the last value parsed is said to override previous occurrences. You can ensure proper override precedence by prefixing the files in the configuration directory with numerical values, as in the following example file layout:
/etc/swift/
    default.base
    object-server.conf.d/
        000_default.conf -> ../default.base
        001_default-override.conf
        010_server.conf
        020_replicator.conf
        030_updater.conf
        040_auditor.conf

You can inspect the resulting combined configuration object using the swift-config command-line tool.
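
The override rules described above for directory-based configuration, as an added Python example (not part of the original reference and not Swift's own loader). The file names follow the example layout; the file contents and the helper names merge_conf_dir, effective, missing_sections and build_demo_dir are constructed for illustration.

```python
import configparser
import os
import tempfile


def merge_conf_dir(conf_dir):
    """Merge *.conf files as the text describes directory-based configuration:
    lexicographic order, names starting with '.' ignored, and the last value
    parsed for a given section/option wins."""
    names = sorted(
        n for n in os.listdir(conf_dir)
        if n.endswith(".conf") and not n.startswith(".")
    )
    merged = {}     # section -> option -> (value, file that set it)
    overrides = []  # (section, option, earlier file, later file)
    for name in names:
        # An unused default_section makes [DEFAULT] an ordinary section, so
        # its options are not silently copied into every other section and
        # the origin of each value can be tracked.
        one = configparser.RawConfigParser(default_section="__unused__")
        with open(os.path.join(conf_dir, name)) as fh:
            one.read_file(fh)
        for section in one.sections():
            target = merged.setdefault(section, {})
            for option, value in one.items(section):
                if option in target:
                    overrides.append((section, option, target[option][1], name))
                target[option] = (value, name)
    return merged, overrides


def effective(merged, section, option):
    """Value a service reading `section` would see: the section's own
    setting, falling back to [DEFAULT]; None if neither sets it."""
    for sec in (section, "DEFAULT"):
        if option in merged.get(sec, {}):
            return merged[sec][option][0]
    return None


def missing_sections(merged, required):
    """Sections a daemon needs that no parsed file provides (the condition
    behind 'Unable to find ... config section')."""
    return [s for s in required if s not in merged]


def build_demo_dir():
    """Constructed sample directory modelled on the example file layout."""
    files = {
        "000_default.conf": "[DEFAULT]\nlog_level = INFO\nuser = swift\n",
        "001_default-override.conf": "[DEFAULT]\nlog_level = DEBUG\n",
        "010_server.conf": "[pipeline:main]\npipeline = object-server\n"
                           "[app:object-server]\nuse = egg:swift#object\n",
        "020_replicator.conf": "[object-replicator]\nreclaim_age = 259200\n",
        # Ignored: name starts with '.', so this section never loads.
        ".040_auditor.conf": "[object-auditor]\nfiles_per_second = 20\n",
        # Ignored: does not end in ".conf".
        "040_auditor.conf.bak": "[object-auditor]\nfiles_per_second = 20\n",
    }
    conf_dir = tempfile.mkdtemp(suffix=".conf.d")
    for name, body in files.items():
        with open(os.path.join(conf_dir, name), "w") as fh:
            fh.write(body)
    return conf_dir


if __name__ == "__main__":
    merged, overrides = merge_conf_dir(build_demo_dir())
    for section, option, old, new in overrides:
        print(f"[{section}] {option}: value from {old} overridden by {new}")
    print("object-replicator log_level:",
          effective(merged, "object-replicator", "log_level"))
    print("missing sections:",
          missing_sections(merged, ["object-replicator", "object-auditor"]))
```

Reviewing the reported overrides before deployment shows which numbered file supplies each effective value, and which backup or hidden files in the directory are not being read at all.
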
All the services of an Object Store deployment share a common configuration
in the [swift-hash] section of the /etc/swift/swift.conf file. The
swift_hash_path_suffix and swift_hash_path_prefix values must be identical
on all the nodes.

Table 9.1. Description of configuration options for [swift-hash] in swift.conf

Configuration option = Default value

Description

swift_hash_path_prefix = changeme

A prefix used by hash_path to offer a bit more security when generating hashes for paths. It simply appends this value to all paths; if someone knows this suffix, it's easier for them to guess the hash a path will end up with. New installations are advised to set this parameter to a random secret, which would not be disclosed outside the organization. The same secret needs to be used by all swift servers of the same cluster. Existing installations should set this parameter to an empty string.

swift_hash_path_suffix = changeme

A suffix used by hash_path to offer a bit more security when generating hashes for paths. It simply appends this value to all paths; if someone knows this suffix, it's easier for them to guess the hash a path will end up with. New installations are advised to set this parameter to a random secret, which would not be disclosed outside the organization. The same secret needs to be used by all swift servers of the same cluster. Existing installations should set this parameter to an empty string.

Object server configuration


Find an example object server configuration at etc/object-server.conf-sample in
the source code repository.
The available configuration options are:

Table 9.2. Description of configuration options for [DEFAULT] in object-server.conf


Configuration option = Default value

Description

backlog = 4096

Maximum number of allowed pending TCP connections

bind_ip = 0.0.0.0

IP Address for server to bind to

bind_port = 6000

Port for server to bind to

bind_timeout = 30

Seconds to attempt bind before giving up

client_timeout = 60

Timeout to read one chunk from a client external services

conn_timeout = 0.5

Connection timeout to external services

devices = /srv/node

Parent directory of where devices are mounted

disable_fallocate = false

Disable "fast fail" fallocate checks if the underlying filesystem does not support it.

disk_chunk_size = 65536

Size of chunks to read/write to disk

eventlet_debug = false

If true, turn on debug logging for eventlet

expiring_objects_account_name = expiring_objects

No help text available for this option.

expiring_objects_container_divisor = 86400

No help text available for this option.

fallocate_reserve = 0

You can set fallocate_reserve to the number of bytes you'd like fallocate to reserve, whether there is space for the given file size or not. This is useful for systems that behave badly when they completely run out of space; you can make the services pretend they're out of space early. server. For most cases, this should be `egg:swift#object`.

log_address = /dev/log

Location where syslog sends the logs to

log_custom_handlers =

Comma-separated list of functions to call to setup custom log handlers.

log_facility = LOG_LOCAL0

Syslog log facility

log_level = INFO

Logging level

log_max_line_length = 0

Caps the length of log lines to the value given; no limit if set to 0, the default.

log_name = swift

Label used when logging

log_statsd_default_sample_rate = 1.0

Defines the probability of sending a sample for any given event or timing measurement.

log_statsd_host = localhost

If not set, the StatsD feature is disabled.

log_statsd_metric_prefix =

Value will be prepended to every metric sent to the StatsD server.

log_statsd_port = 8125

Port value for the StatsD server.

log_statsd_sample_rate_factor = 1.0

Not recommended to set this to a value less than 1.0, if frequency of logging is too high, tune the log_statsd_default_sample_rate instead.

log_udp_host =

If not set, the UDP receiver for syslog is disabled.

log_udp_port = 514

Port value for UDP receiver, if enabled.

max_clients = 1024

Maximum number of clients one worker can process simultaneously. Lowering the number of clients handled per worker, and raising the number of workers can lessen the impact that a CPU intensive, or blocking, request can have on other requests served by the same worker. If the maximum number of clients is set to one, then a given worker will not perform another call while processing, allowing other workers a chance to process it.

mount_check = true

Whether or not to check if the devices are mounted to prevent accidentally writing to the root device

network_chunk_size = 65536

Size of chunks to read/write over the network

node_timeout = 3

Request timeout to external services

swift_dir = /etc/swift

Swift configuration directory

user = swift

User to run as

workers = auto

a much higher value, one can reduce the impact of slow file system operations in one request from negatively impacting other requests.

Table 9.3. Description of configuration options for [app-object-server] in object-server.conf
Configuration option = Default value

Description

allowed_headers = Content-Disposition, Content-Encoding, X-Delete-At, X-Object-Manifest, X-Static-Large-Object

Comma-separated list of headers that can be set in metadata of an object

auto_create_account_prefix = .

Prefix to use when automatically creating accounts

keep_cache_private = false

Allow non-public objects to stay in kernel's buffer cache

keep_cache_size = 5424880

Largest object size to keep in buffer cache

max_upload_time = 86400

Maximum time allowed to upload an object

mb_per_sync = 512

On PUT requests, sync file every n MB

replication_concurrency = 4

Set to restrict the number of concurrent incoming REPLICATION requests; set to 0 for unlimited

replication_failure_ratio = 1.0

If the value of failures / successes of REPLICATION subrequests exceeds this ratio, the overall REPLICATION request will be aborted

replication_failure_threshold = 100

The number of subrequest failures before the replication_failure_ratio is checked

replication_lock_timeout = 15

Number of seconds to wait for an existing replication device lock before giving up.

replication_one_per_device = True

Restricts incoming REPLICATION requests to one per device, replication_concurrency above allowing. This can help control I/O to each device, but you may wish to set this to False to allow multiple REPLICATION requests (up to the above replication_concurrency setting) per device.

replication_server = false

If defined, tells server how to handle replication verbs in requests. When set to True (or 1), only replication verbs will be accepted. When set to False, replication verbs will be rejected. When undefined, server will accept any verb in the request.

set log_address = /dev/log

Location where syslog sends the logs to

set log_facility = LOG_LOCAL0

Syslog log facility

set log_level = INFO

Log level

set log_name = object-server

Label to use when logging

set log_requests = true

Whether or not to log requests

slow = 0

If > 0, Minimum time in seconds for a PUT or DELETE request to complete

splice = no

No help text available for this option.

threads_per_disk = 0

Size of the per-disk thread pool used for performing disk I/O. The default of 0 means to not use a per-disk thread pool. It is recommended to keep this value small, as large values can result in high read latencies due to large queue depths. A good starting point is 4 threads per disk.

use = egg:swift#object

Entry point of paste.deploy in the server

Table 9.4. Description of configuration options for [pipeline-main] in object-server.conf
Configuration option = Default value

Description

pipeline = healthcheck recon object-server

No help text available for this option.

Table 9.5. Description of configuration options for [object-replicator] in object-server.conf
Configuration option = Default value

Description

concurrency = 1

Number of replication workers to spawn

daemonize = on

Whether or not to run replication as a daemon

handoff_delete = auto

By default handoff partitions will be removed when it has successfully replicated to all the canonical nodes. If set to an integer n, it will remove the partition if it is successfully replicated to n nodes. The default setting should not be changed, except for extreme situations. This uses what's set here, or what's set in the DEFAULT section, or 10 (though other sections use 3 as the final default).

handoffs_first = False

If set to True, partitions that are not supposed to be on the node will be replicated first. The default setting should not be changed, except for extreme situations.

http_timeout = 60

Maximum duration for an HTTP request

lockup_timeout = 1800

Attempts to kill all workers if nothing replicates for lockup_timeout seconds

log_address = /dev/log

Location where syslog sends the logs to

log_facility = LOG_LOCAL0

Syslog log facility

log_level = INFO

Logging level

log_name = object-replicator

Label used when logging

node_timeout = <whatever's in the DEFAULT section or 10>

Request timeout to external services

reclaim_age = 604800

Time elapsed in seconds before an object can be reclaimed

recon_cache_path = /var/cache/swift

Directory where stats for a few items will be stored

ring_check_interval = 15

How often (in seconds) to check the ring

rsync_bwlimit = 0

No help text available for this option.

rsync_error_log_line_length = 0

No help text available for this option.

rsync_io_timeout = 30

Passed to rsync for a max duration (seconds) of an I/O op

rsync_timeout = 900

Max duration (seconds) of a partition rsync

run_pause = 30

Time in seconds to wait between replication passes

stats_interval = 300

Interval in seconds between logging replication statistics

sync_method = rsync

No help text available for this option.

vm_test_mode = no

Indicates that you are using a VM environment

Table 9.6. Description of configuration options for [object-updater] in object-server.conf
Configuration option = Default value

Description

concurrency = 1

Number of replication workers to spawn

interval = 300

Minimum time for a pass to take

log_address = /dev/log

Location where syslog sends the logs to

log_facility = LOG_LOCAL0

Syslog log facility

log_level = INFO

Logging level

log_name = object-updater

Label used when logging

node_timeout = <whatever's in the DEFAULT section or 10>

Request timeout to external services

recon_cache_path = /var/cache/swift

Directory where stats for a few items will be stored

slowdown = 0.01

Time in seconds to wait between objects

Table 9.7. Description of configuration options for [object-auditor] in object-server.conf
Configuration option = Default value

Description

bytes_per_second = 10000000

Maximum bytes audited per second. Should be tuned according to individual system specs. 0 is unlimited. mounted to prevent accidentally writing to the root device process simultaneously (it will actually accept(2) N + 1). Setting this to one (1) will only handle one request at a time,
without accepting another request concurrently. By increasing the number of workers to a much higher value,
one can reduce the impact of slow file system operations
in one request from negatively impacting other requests.
underlying filesystem does not support it. to setup custom
log handlers. bytes you'd like fallocate to reserve, whether
there is space for the given file size or not. This is useful for
systems that behave badly when they completely run out
of space; you can make the services pretend they're out of
space early. container server. For most cases, this should
be `egg:swift#container`.

concurrency = 1

Number of replication workers to spawn

disk_chunk_size = 65536

Size of chunks to read/write to disk

files_per_second = 20

Maximum files audited per second. Should be tuned according to individual system specs. 0 is unlimited.

log_address = /dev/log

Location where syslog sends the logs to

log_facility = LOG_LOCAL0

Syslog log facility

log_level = INFO

Logging level

log_name = object-auditor

Label used when logging

log_time = 3600

Frequency of status logs in seconds.

object_size_stats =

No help text available for this option.

recon_cache_path = /var/cache/swift

Directory where stats for a few items will be stored

zero_byte_files_per_second = 50

Maximum zero byte files audited per second.

Table 9.8. Description of configuration options for [filter-healthcheck] in object-server.conf
Configuration option = Default value

Description

disable_path =

No help text available for this option.

use = egg:swift#healthcheck

Entry point of paste.deploy in the server

Table 9.9. Description of configuration options for [filter-recon] in object-server.conf
Configuration option = Default value

Description

recon_cache_path = /var/cache/swift

Directory where stats for a few items will be stored

recon_lock_path = /var/lock

No help text available for this option.

use = egg:swift#recon

Entry point of paste.deploy in the server

Table 9.10. Description of configuration options for [filter-xprofile] in object-server.conf
Configuration option = Default value

Description

dump_interval = 5.0

No help text available for this option.

dump_timestamp = false

No help text available for this option.

flush_at_shutdown = false

No help text available for this option.

log_filename_prefix = /tmp/log/swift/profile/default.profile

No help text available for this option.

path = /__profile__

No help text available for this option.

profile_module = eventlet.green.profile

No help text available for this option.

unwind = false

No help text available for this option.

use = egg:swift#xprofile

Entry point of paste.deploy in the server

Sample object server configuration file


[DEFAULT]
# bind_ip = 0.0.0.0
# bind_port = 6000
# bind_timeout = 30
# backlog = 4096
# user = swift
# swift_dir = /etc/swift
# devices = /srv/node
# mount_check = true
# disable_fallocate = false
# expiring_objects_container_divisor = 86400
# expiring_objects_account_name = expiring_objects
#
# Use an integer to override the number of pre-forked processes that will
# accept connections.
# workers = auto
#
# Maximum concurrent requests per worker
# max_clients = 1024
#
# You can specify default log routing here if you want:
# log_name = swift
# log_facility = LOG_LOCAL0
# log_level = INFO
# log_address = /dev/log
#
# comma separated list of functions to call to setup custom log handlers.
# functions get passed: conf, name, log_to_console, log_route, fmt, logger,
# adapted_logger
# log_custom_handlers =
#
# If set, log_udp_host will override log_address
# log_udp_host =
# log_udp_port = 514
#
# You can enable StatsD logging here:
# log_statsd_host = localhost
# log_statsd_port = 8125
# log_statsd_default_sample_rate = 1.0
# log_statsd_sample_rate_factor = 1.0
# log_statsd_metric_prefix =
#
# eventlet_debug = false
#
# You can set fallocate_reserve to the number of bytes you'd like fallocate to
# reserve, whether there is space for the given file size or not.
# fallocate_reserve = 0
#
# Time to wait while attempting to connect to another backend node.
# conn_timeout = 0.5
# Time to wait while sending each chunk of data to another backend node.
# node_timeout = 3
# Time to wait while receiving each chunk of data from a client or another
# backend node.
# client_timeout = 60
#
# network_chunk_size = 65536
# disk_chunk_size = 65536

[pipeline:main]
pipeline = healthcheck recon object-server
[app:object-server]
use = egg:swift#object
# You can override the default log routing for this app here:
# set log_name = object-server
# set log_facility = LOG_LOCAL0
# set log_level = INFO
# set log_requests = true
# set log_address = /dev/log
#
# max_upload_time = 86400
# slow = 0
#
# Objects smaller than this are not evicted from the buffercache once read
# keep_cache_size = 5424880
#
# If true, objects for authenticated GET requests may be kept in buffer cache
# if small enough
# keep_cache_private = false
#
# on PUTs, sync data every n MB
# mb_per_sync = 512
#
# Comma separated list of headers that can be set in metadata on an object.
# This list is in addition to X-Object-Meta-* headers and cannot include
# Content-Type, etag, Content-Length, or deleted
# allowed_headers = Content-Disposition, Content-Encoding, X-Delete-At, X-Object-Manifest, X-Static-Large-Object
#
# auto_create_account_prefix = .
#
# A value of 0 means "don't use thread pools". A reasonable starting point is
# 4.
# threads_per_disk = 0
#
# Configure parameter for creating specific server
# To handle all verbs, including replication verbs, do not specify
# "replication_server" (this is the default). To only handle replication,
# set to a True value (e.g. "True" or "1"). To handle only non-replication
# verbs, set to "False". Unless you have a separate replication network, you
# should not specify any value for "replication_server".
# replication_server = false
#
# Set to restrict the number of concurrent incoming REPLICATION requests
# Set to 0 for unlimited
# Note that REPLICATION is currently an ssync only item
# replication_concurrency = 4
#
# Restricts incoming REPLICATION requests to one per device,
# replication_concurrency above allowing. This can help control I/O to each
# device, but you may wish to set this to False to allow multiple REPLICATION
# requests (up to the above replication_concurrency setting) per device.
# replication_one_per_device = True
#
# Number of seconds to wait for an existing replication device lock before
# giving up.
# replication_lock_timeout = 15
#
# These next two settings control when the REPLICATION subrequest handler will
# abort an incoming REPLICATION attempt. An abort will occur if there are at
# least threshold number of failures and the value of failures / successes
# exceeds the ratio. The defaults of 100 and 1.0 means that at least 100
# failures have to occur and there have to be more failures than successes for
# an abort to occur.
# replication_failure_threshold = 100
# replication_failure_ratio = 1.0

[filter:healthcheck]
use = egg:swift#healthcheck
# An optional filesystem path, which if present, will cause the healthcheck
# URL to return "503 Service Unavailable" with a body of "DISABLED BY FILE"
# disable_path =
[filter:recon]
use = egg:swift#recon
#recon_cache_path = /var/cache/swift
#recon_lock_path = /var/lock
[object-replicator]
# You can override the default log routing for this app here (don't use set!):
# log_name = object-replicator
# log_facility = LOG_LOCAL0
# log_level = INFO
# log_address = /dev/log
#
# vm_test_mode = no
# daemonize = on
# run_pause = 30
# concurrency = 1
# stats_interval = 300
#
# The sync method to use; default is rsync but you can use ssync to try the
# EXPERIMENTAL all-swift-code-no-rsync-callouts method. Once ssync is verified
# as having performance comparable to, or better than, rsync, we plan to
# deprecate rsync so we can move on with more features for replication.
# sync_method = rsync
#
# max duration of a partition rsync
# rsync_timeout = 900
#
# bandwidth limit for rsync in kB/s. 0 means unlimited
# rsync_bwlimit = 0
#
# passed to rsync for io op timeout
# rsync_io_timeout = 30
#
# node_timeout = <whatever's in the DEFAULT section or 10>
# max duration of an http request; this is for REPLICATE finalization calls and
# so should be longer than node_timeout
# http_timeout = 60
#
# attempts to kill all workers if nothing replicates for lockup_timeout seconds
# lockup_timeout = 1800
#
# The replicator also performs reclamation
# reclaim_age = 604800
#
# ring_check_interval = 15
# recon_cache_path = /var/cache/swift
#
# limits how long rsync error log lines are
# 0 means to log the entire line
# rsync_error_log_line_length = 0
#
# handoffs_first and handoff_delete are options for a special case
# such as disk full in the cluster. These two options SHOULD NOT BE
# CHANGED, except for such extreme situations (e.g. disks filled up
# or are about to fill up. Anyway, DO NOT let your drives fill up).
# handoffs_first is the flag to replicate handoffs prior to canonical
# partitions. It allows forcing syncing and deleting handoffs quickly.
# If set to a True value (e.g. "True" or "1"), partitions
# that are not supposed to be on the node will be replicated first.
# handoffs_first = False
#
# handoff_delete is the number of replicas which are ensured in swift.
# If a number less than the number of replicas is set, object-replicator
# could delete local handoffs even if all replicas are not ensured in the
# cluster. Object-replicator would remove local handoff partition directories
# after syncing partition when the number of successful responses is greater
# than or equal to this number. By default (auto), handoff partitions will be
# removed when they have successfully replicated to all the canonical nodes.
# handoff_delete = auto
[object-updater]
# You can override the default log routing for this app here (don't use set!):
# log_name = object-updater
# log_facility = LOG_LOCAL0
# log_level = INFO
# log_address = /dev/log
#
# interval = 300
# concurrency = 1
# node_timeout = <whatever's in the DEFAULT section or 10>
# slowdown will sleep that amount between objects
# slowdown = 0.01
#
# recon_cache_path = /var/cache/swift
[object-auditor]
# You can override the default log routing for this app here (don't use set!):
# log_name = object-auditor
# log_facility = LOG_LOCAL0
# log_level = INFO
# log_address = /dev/log
#
# files_per_second = 20
# bytes_per_second = 10000000
# log_time = 3600
# zero_byte_files_per_second = 50
# recon_cache_path = /var/cache/swift
#
# Takes a comma separated list of ints. If set, the object auditor will
# increment a counter for every object whose size is <= to the given break
# points and report the result after a full scan.
# object_size_stats =
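
The abort rule described in the replication_failure_threshold and replication_failure_ratio comments of the sample above, worked through as an added Python example (not code from Swift). The class and function names are hypothetical, and treating zero successes as exceeding the ratio is an assumption, since the page does not say how that case is handled.

```python
"""Model of the REPLICATION abort rule from the object-server sample config.

Added illustration only: names are hypothetical and this is not Swift's code.
"""


class ReplicationAbortRule:
    """Tracks sub-request outcomes of one incoming REPLICATION attempt."""

    def __init__(self, failure_threshold=100, failure_ratio=1.0):
        # Defaults mirror replication_failure_threshold / replication_failure_ratio.
        self.failure_threshold = int(failure_threshold)
        self.failure_ratio = float(failure_ratio)
        self.failures = 0
        self.successes = 0

    def record(self, succeeded):
        """Count one outcome and return True if the attempt should now abort."""
        if succeeded:
            self.successes += 1
        else:
            self.failures += 1
        return self.should_abort()

    def should_abort(self):
        # Condition 1: at least `threshold` failures have occurred.
        if self.failures < self.failure_threshold:
            return False
        # Assumption: with no successes at all, failures / successes is
        # undefined, so the ratio is treated as exceeded.
        if self.successes == 0:
            return True
        # Condition 2: failures / successes must strictly exceed the ratio,
        # so with ratio 1.0 an equal number of each does not abort.
        return self.failures / self.successes > self.failure_ratio


def first_abort_index(outcomes, failure_threshold=100, failure_ratio=1.0):
    """Return the 1-based position of the outcome that triggers the abort.

    `outcomes` is an iterable of booleans (True = success). Returns None if
    the whole sequence is processed without aborting.
    """
    rule = ReplicationAbortRule(failure_threshold, failure_ratio)
    for index, succeeded in enumerate(outcomes, start=1):
        if rule.record(succeeded):
            return index
    return None


if __name__ == "__main__":
    # Constructed outcome sequences, evaluated with the documented defaults.
    cases = {
        "99 failures": [False] * 99,
        "100 failures": [False] * 100,
        "150 ok then 100 failures": [True] * 150 + [False] * 100,
        "100 ok then 101 failures": [True] * 100 + [False] * 101,
    }
    for label, outcomes in cases.items():
        print(label, "->", first_abort_index(outcomes))
```
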

Object expirer configuration


Find an example object expirer configuration at etc/object-expirer.conf-sample
in the source code repository.
The available configuration options are:

Table 9.11. Description of configuration options for [DEFAULT] in object-expirer.conf


Configuration option = Default value

Description

log_address = /dev/log

Location where syslog sends the logs to

log_custom_handlers =

Comma-separated list of functions to call to setup custom log handlers.

log_facility = LOG_LOCAL0

Syslog log facility

log_level = INFO

Logging level

log_max_line_length = 0

Caps the length of log lines to the value given; no limit if set to 0, the default.

log_name = swift

Label used when logging

log_statsd_default_sample_rate = 1.0

Defines the probability of sending a sample for any given event or timing measurement.

log_statsd_host = localhost

If not set, the StatsD feature is disabled.

log_statsd_metric_prefix =

Value will be prepended to every metric sent to the StatsD server.

log_statsd_port = 8125

Port value for the StatsD server.

log_statsd_sample_rate_factor = 1.0

Not recommended to set this to a value less than 1.0, if frequency of logging is too high, tune the
log_statsd_default_sample_rate instead.

log_udp_host =

If not set, the UDP receiver for syslog is disabled.

log_udp_port = 514

Port value for UDP receiver, if enabled.

swift_dir = /etc/swift

Swift configuration directory

user = swift

User to run as

Table 9.12. Description of configuration options for [app-proxy-server] in object-expirer.conf
Configuration option = Default value

Description

use = egg:swift#proxy

Entry point of paste.deploy in the server

Table 9.13. Description of configuration options for [filter-cache] in object-expirer.conf
Configuration option = Default value

Description

use = egg:swift#memcache

Entry point of paste.deploy in the server

Table 9.14. Description of configuration options for [filter-catch_errors] in object-expirer.conf


Configuration option = Default value

Description

use = egg:swift#catch_errors

Entry point of paste.deploy in the server

Table 9.15. Description of configuration options for [filter-proxy-logging] in object-expirer.conf


Configuration option = Default value

Description

access_log_address = /dev/log

No help text available for this option.

access_log_facility = LOG_LOCAL0

No help text available for this option.

access_log_headers = false

No help text available for this option.

access_log_headers_only =

If access_log_headers is True and access_log_headers_only is set only these headers are logged.
Multiple headers can be defined as comma separated list like this:
access_log_headers_only = Host, X-Object-Meta-Mtime

access_log_level = INFO

No help text available for this option.

access_log_name = swift

No help text available for this option.

access_log_statsd_default_sample_rate = 1.0

No help text available for this option.

access_log_statsd_host = localhost

No help text available for this option.

access_log_statsd_metric_prefix =

No help text available for this option.

access_log_statsd_port = 8125

No help text available for this option.

access_log_statsd_sample_rate_factor = 1.0

No help text available for this option.

access_log_udp_host =

No help text available for this option.

access_log_udp_port = 514

No help text available for this option.

log_statsd_valid_http_methods = GET,HEAD,POST,PUT,DELETE,COPY,OPTIONS

No help text available for this option.

logged with access_log_headers = True.

No help text available for this option.

reveal_sensitive_prefix = 16

The X-Auth-Token is sensitive data. If revealed to an unauthorised person, they can now make requests against an
account until the token expires. Set reveal_sensitive_prefix
to the number of characters of the token that are logged.
For example reveal_sensitive_prefix = 12 so only first 12
characters of the token are logged. Or, set to 0 to completely remove the token.

use = egg:swift#proxy_logging

Entry point of paste.deploy in the server
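
How access_log_headers, access_log_headers_only and reveal_sensitive_prefix from the table above combine, modelled as an added Python example (not Swift's proxy_logging code). The record layout, the `...` truncation marker and the choice to treat logged header values as verbatim are assumptions of this model; the token and request headers are constructed sample data.

```python
"""Model of what an access-log record carries under [filter-proxy-logging].

Added illustration only: function names and the record layout are
hypothetical and this is not Swift's middleware.
"""

TRUE_VALUES = {"true", "1", "yes", "on", "t", "y"}

# Constructed sample data (not a real token or host).
SAMPLE_TOKEN = "AUTH_tk" + "0123456789abcdef" * 2
SAMPLE_HEADERS = {
    "Host": "swift.example.test",
    "X-Auth-Token": SAMPLE_TOKEN,
    "X-Object-Meta-Mtime": "1412640000.0",
}


def parse_header_list(value):
    """Turn 'Host, X-Object-Meta-Mtime' into a set of lower-cased names."""
    return {name.strip().lower() for name in value.split(",") if name.strip()}


def obscure_token(token, reveal_sensitive_prefix):
    """Keep the first N characters of the token; 0 removes it completely.

    A token no longer than the prefix is returned whole, which is why a
    large reveal_sensitive_prefix defeats the protection.
    """
    if not token:
        return token
    if reveal_sensitive_prefix <= 0:
        return "..."  # assumption: marker used when nothing is revealed
    if len(token) <= reveal_sensitive_prefix:
        return token
    return token[:reveal_sensitive_prefix] + "..."


def access_record(headers, conf):
    """Build the logged view of a request for the given option values.

    `conf` maps option names to strings, as read from a config file.
    Defaults follow the table: access_log_headers = false,
    access_log_headers_only empty, reveal_sensitive_prefix = 16.
    """
    prefix = int(conf.get("reveal_sensitive_prefix", "16"))
    record = {
        "token": obscure_token(headers.get("X-Auth-Token", ""), prefix),
        "headers": {},
    }
    if conf.get("access_log_headers", "false").strip().lower() in TRUE_VALUES:
        only = parse_header_list(conf.get("access_log_headers_only", ""))
        # Assumption of this model: header values are logged verbatim.
        record["headers"] = {
            name: value
            for name, value in headers.items()
            if not only or name.lower() in only
        }
    return record


def leaks_full_token(record, token):
    """Defender's check: does the complete token appear anywhere in the record?"""
    if not token:
        return False
    return token in record["token"] or any(
        token in value for value in record["headers"].values()
    )


if __name__ == "__main__":
    for conf in (
        {},
        {"reveal_sensitive_prefix": "0"},
        {"access_log_headers": "true"},
        {"access_log_headers": "true",
         "access_log_headers_only": "Host, X-Object-Meta-Mtime"},
    ):
        rec = access_record(SAMPLE_HEADERS, conf)
        print(conf, "->", rec, "full token logged:",
              leaks_full_token(rec, SAMPLE_TOKEN))
```
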

Table 9.16. Description of configuration options for [object-expirer] in object-expirer.conf
Configuration option = Default value

Description

auto_create_account_prefix = .

Prefix to use when automatically creating accounts

concurrency = 1

Number of replication workers to spawn

expiring_objects_account_name = expiring_objects

No help text available for this option.

interval = 300

Minimum time for a pass to take

process = 0

(it will actually accept(2) N + 1). Setting this to one (1) will
only handle one request at a time, without accepting another request concurrently.

processes = 0

No help text available for this option.

reclaim_age = 604800

Time elapsed in seconds before an object can be reclaimed

recon_cache_path = /var/cache/swift

Directory where stats for a few items will be stored

report_interval = 300

No help text available for this option.

Table 9.17. Description of configuration options for [pipeline-main] in object-expirer.conf
Configuration option = Default value

Description

pipeline = catch_errors proxy-logging cache proxy-server

No help text available for this option.

Sample object expirer configuration file


[DEFAULT]
# swift_dir = /etc/swift
# user = swift
# You can specify default log routing here if you want:
# log_name = swift
# log_facility = LOG_LOCAL0
# log_level = INFO
# log_address = /dev/log
#
# comma separated list of functions to call to setup custom log handlers.
# functions get passed: conf, name, log_to_console, log_route, fmt, logger,
# adapted_logger
# log_custom_handlers =
#
# If set, log_udp_host will override log_address
# log_udp_host =
# log_udp_port = 514
#
# You can enable StatsD logging here:
# log_statsd_host = localhost
# log_statsd_port = 8125
# log_statsd_default_sample_rate = 1.0
# log_statsd_sample_rate_factor = 1.0
# log_statsd_metric_prefix =
[object-expirer]
# interval = 300
# auto_create_account_prefix = .
# expiring_objects_account_name = expiring_objects
# report_interval = 300
# concurrency is the level of concurrency to use to do the work, this value
# must be set to at least 1
# concurrency = 1
# processes is how many parts to divide the work into, one part per process
# that will be doing the work
# processes set 0 means that a single process will be doing all the work
# processes can also be specified on the command line and will override the
# config value
# processes = 0
# process is which of the parts a particular process will work on
# process can also be specified on the command line and will override the
# config value
# process is "zero based", if you want to use 3 processes, you should run
# processes with process set to 0, 1, and 2
# process = 0
[pipeline:main]
pipeline = catch_errors cache proxy-server
[app:proxy-server]
use = egg:swift#proxy
# See proxy-server.conf-sample for options
[filter:cache]
use = egg:swift#memcache
# See proxy-server.conf-sample for options
[filter:catch_errors]
use = egg:swift#catch_errors
# See proxy-server.conf-sample for options

Container server configuration


Find an example container server configuration at etc/container-server.conf-sample in the source code repository.
The available configuration options are:

Table 9.18. Description of configuration options for [DEFAULT] in container-server.conf
Configuration option = Default value

Description

allowed_sync_hosts = 127.0.0.1

No help text available for this option.

backlog = 4096

Maximum number of allowed pending TCP connections

bind_ip = 0.0.0.0

IP Address for server to bind to

bind_port = 6001

Port for server to bind to

bind_timeout = 30

Seconds to attempt bind before giving up

db_preallocation = off

If you don't mind the extra disk space usage in overhead, you can turn this on to preallocate disk space with SQLite
databases to decrease fragmentation. underlying filesystem does not support it. to setup custom log handlers.
bytes you'd like fallocate to reserve, whether there is space
for the given file size or not. This is useful for systems that
behave badly when they completely run out of space; you
can make the services pretend they're out of space early.
server. For most cases, this should be `egg:swift#account`.
replication passes account can be reclaimed

devices = /srv/node

Parent directory of where devices are mounted

disable_fallocate = false

Disable "fast fail" fallocate checks if the underlying filesystem does not support it.

eventlet_debug = false

If true, turn on debug logging for eventlet

fallocate_reserve = 0

You can set fallocate_reserve to the number of bytes you'd like fallocate to reserve, whether there is space for
the given file size or not. This is useful for systems that behave
badly when they completely run out of space; you can
make the services pretend they're out of space early. server. For most cases, this should be `egg:swift#object`.

log_address = /dev/log

Location where syslog sends the logs to

log_custom_handlers =

Comma-separated list of functions to call to setup custom log handlers.

log_facility = LOG_LOCAL0

Syslog log facility

log_level = INFO

Logging level

log_max_line_length = 0

Caps the length of log lines to the value given; no limit if set to 0, the default.

log_name = swift

Label used when logging

log_statsd_default_sample_rate = 1.0

Defines the probability of sending a sample for any given event or timing measurement.

log_statsd_host = localhost

If not set, the StatsD feature is disabled.

log_statsd_metric_prefix =

Value will be prepended to every metric sent to the StatsD server.

log_statsd_port = 8125

Port value for the StatsD server.

log_statsd_sample_rate_factor = 1.0

Not recommended to set this to a value less than 1.0, if frequency of logging is too high, tune the
log_statsd_default_sample_rate instead.

log_udp_host =

If not set, the UDP receiver for syslog is disabled.

log_udp_port = 514

Port value for UDP receiver, if enabled.

max_clients = 1024

Maximum number of clients one worker can process simultaneously. Lowering the number of clients handled per
worker, and raising the number of workers, can lessen the
impact that a CPU intensive, or blocking, request can have
on other requests served by the same worker. If the maximum number of clients is set to one, then a given worker
will not perform another call while processing, allowing
other workers a chance to process it.

mount_check = true

Whether or not to check if the devices are mounted, to prevent accidentally writing to the root device

swift_dir = /etc/swift

Swift configuration directory

user = swift

User to run as

workers = auto

a much higher value, one can reduce the impact of slow file system operations in one request from negatively
impacting other requests.

Table 9.19. Description of configuration options for [app-container-server] in container-server.conf


Configuration option = Default value

Description

allow_versions = false

Enable/Disable object versioning feature

auto_create_account_prefix = .

Prefix to use when automatically creating accounts

conn_timeout = 0.5

Connection timeout to external services

node_timeout = 3

Request timeout to external services

replication_server = false

If defined, tells server how to handle replication verbs in requests. When set to True (or 1), only replication verbs
will be accepted. When set to False, replication verbs will
be rejected. When undefined, server will accept any verb
in the request.

set log_address = /dev/log

Location where syslog sends the logs to

set log_facility = LOG_LOCAL0

Syslog log facility

set log_level = INFO

Log level

set log_name = container-server

Label to use when logging

set log_requests = true

Whether or not to log requests

use = egg:swift#container

Entry point of paste.deploy in the server

Table 9.20. Description of configuration options for [pipeline-main] in container-server.conf
Configuration option = Default value

Description

pipeline = healthcheck recon container-server

No help text available for this option.

Table 9.21. Description of configuration options for [container-replicator] in container-server.conf


Configuration option = Default value

Description

concurrency = 8

Number of replication workers to spawn

conn_timeout = 0.5

Connection timeout to external services

interval = 30

Minimum time for a pass to take

log_address = /dev/log

Location where syslog sends the logs to

log_facility = LOG_LOCAL0

Syslog log facility

log_level = INFO

Logging level

log_name = container-replicator

Label used when logging

max_diffs = 100

Caps how long the replicator spends trying to sync a database per pass

node_timeout = 10

Request timeout to external services

per_diff = 1000

Limit number of items to get per diff

reclaim_age = 604800

Time elapsed in seconds before an object can be reclaimed

recon_cache_path = /var/cache/swift

Directory where stats for a few items will be stored

run_pause = 30

Time in seconds to wait between replication passes

vm_test_mode = no

Indicates that you are using a VM environment

Table 9.22. Description of configuration options for [container-updater] in container-server.conf
Configuration option = Default value

Description

account_suppression_time = 60

Seconds to suppress updating an account that has generated an error (timeout, not yet found, etc.)

concurrency = 4

Number of replication workers to spawn

conn_timeout = 0.5

Connection timeout to external services

interval = 300

Minimum time for a pass to take

log_address = /dev/log

Location where syslog sends the logs to

log_facility = LOG_LOCAL0

Syslog log facility

log_level = INFO

Logging level

log_name = container-updater

Label used when logging

node_timeout = 3

Request timeout to external services

recon_cache_path = /var/cache/swift

Directory where stats for a few items will be stored

slowdown = 0.01

Time in seconds to wait between objects

Table 9.23. Description of configuration options for [container-auditor] in container-server.conf
Configuration option = Default value

Description

containers_per_second = 200

Maximum containers audited per second. Should be tuned according to individual system specs. 0 is unlimited.
mounted to prevent accidentally writing to the root device process simultaneously (it will actually accept(2) N + 1).
Setting this to one (1) will only handle one request at a time,
without accepting another request concurrently. By increasing the number of workers to a much higher value,
one can reduce the impact of slow file system operations
in one request from negatively impacting other requests.

interval = 1800

Minimum time for a pass to take

log_address = /dev/log

Location where syslog sends the logs to

log_facility = LOG_LOCAL0

Syslog log facility

log_level = INFO

Logging level

log_name = container-auditor

Label used when logging

recon_cache_path = /var/cache/swift

Directory where stats for a few items will be stored

Table 9.24. Description of configuration options for [container-sync] in container-server.conf
Configuration option = Default value

Description

container_time = 60

Maximum amount of time to spend syncing each container

interval = 300

Minimum time for a pass to take

log_address = /dev/log

Location where syslog sends the logs to

log_facility = LOG_LOCAL0

Syslog log facility

log_level = INFO

Logging level

log_name = container-sync

Label used when logging

sync_proxy = http://10.1.1.1:8888,http://10.1.1.2:8888

If you need to use an HTTP proxy, set it here. Defaults to no proxy.

Table 9.25. Description of configuration options for [filter-healthcheck] in container-server.conf


Configuration option = Default value

Description

disable_path =

No help text available for this option.

use = egg:swift#healthcheck

Entry point of paste.deploy in the server

Table 9.26. Description of configuration options for [filter-recon] in container-server.conf
Configuration option = Default value

Description

recon_cache_path = /var/cache/swift

Directory where stats for a few items will be stored

use = egg:swift#recon

Entry point of paste.deploy in the server

Table 9.27. Description of configuration options for [filter-xprofile] in container-server.conf
Configuration option = Default value

Description

dump_interval = 5.0

No help text available for this option.

dump_timestamp = false

No help text available for this option.

flush_at_shutdown = false

No help text available for this option.

log_filename_prefix = /tmp/log/swift/profile/default.profile

No help text available for this option.

path = /__profile__

No help text available for this option.

profile_module = eventlet.green.profile

No help text available for this option.

unwind = false

No help text available for this option.

use = egg:swift#xprofile

Entry point of paste.deploy in the server

Sample container server configuration file


[DEFAULT]
# bind_ip = 0.0.0.0
# bind_port = 6001
# bind_timeout = 30
# backlog = 4096
# user = swift
# swift_dir = /etc/swift
# devices = /srv/node
# mount_check = true
# disable_fallocate = false
#
# Use an integer to override the number of pre-forked processes that will
# accept connections.
# workers = auto
#
# Maximum concurrent requests per worker
# max_clients = 1024
#
# This is a comma separated list of hosts allowed in the X-Container-Sync-To
# field for containers. This is the old-style of using container sync. It is
# strongly recommended to use the new style of a separate
# container-sync-realms.conf -- see container-sync-realms.conf-sample
# allowed_sync_hosts = 127.0.0.1
#
# You can specify default log routing here if you want:
# log_name = swift
# log_facility = LOG_LOCAL0
# log_level = INFO
# log_address = /dev/log
#
# comma separated list of functions to call to setup custom log handlers.
# functions get passed: conf, name, log_to_console, log_route, fmt, logger,
# adapted_logger
# log_custom_handlers =
#
# If set, log_udp_host will override log_address
# log_udp_host =
# log_udp_port = 514
#
# You can enable StatsD logging here:
# log_statsd_host = localhost
# log_statsd_port = 8125
# log_statsd_default_sample_rate = 1.0
# log_statsd_sample_rate_factor = 1.0
# log_statsd_metric_prefix =
#
# If you don't mind the extra disk space usage in overhead, you can turn this
# on to preallocate disk space with SQLite databases to decrease fragmentation.
# db_preallocation = off
#
# eventlet_debug = false
#
# You can set fallocate_reserve to the number of bytes you'd like fallocate to
# reserve, whether there is space for the given file size or not.
# fallocate_reserve = 0
[pipeline:main]
pipeline = healthcheck recon container-server
[app:container-server]
use = egg:swift#container
# You can override the default log routing for this app here:
# set log_name = container-server
# set log_facility = LOG_LOCAL0
# set log_level = INFO
# set log_requests = true
# set log_address = /dev/log
#
# node_timeout = 3
# conn_timeout = 0.5
# allow_versions = false
# auto_create_account_prefix = .
#
# Configure parameter for creating specific server
# To handle all verbs, including replication verbs, do not specify
# "replication_server" (this is the default). To only handle replication,
# set to a True value (e.g. "True" or "1"). To handle only non-replication
# verbs, set to "False". Unless you have a separate replication network, you
# should not specify any value for "replication_server".
# replication_server = false
[filter:healthcheck]
use = egg:swift#healthcheck
# An optional filesystem path, which if present, will cause the healthcheck
# URL to return "503 Service Unavailable" with a body of "DISABLED BY FILE"
# disable_path =
[filter:recon]
use = egg:swift#recon
#recon_cache_path = /var/cache/swift
[container-replicator]
# You can override the default log routing for this app here (don't use set!):
# log_name = container-replicator
# log_facility = LOG_LOCAL0
# log_level = INFO
# log_address = /dev/log
#
# vm_test_mode = no
# per_diff = 1000
# max_diffs = 100
# concurrency = 8
# interval = 30
# node_timeout = 10
# conn_timeout = 0.5
#
# The replicator also performs reclamation
# reclaim_age = 604800
#
# Time in seconds to wait between replication passes
# run_pause = 30
#
# recon_cache_path = /var/cache/swift

[container-updater]
# You can override the default log routing for this app here (don't use set!):
# log_name = container-updater
# log_facility = LOG_LOCAL0
# log_level = INFO
# log_address = /dev/log
#
# interval = 300
# concurrency = 4
# node_timeout = 3
# conn_timeout = 0.5
#
# slowdown will sleep that amount between containers
# slowdown = 0.01
#
# Seconds to suppress updating an account that has generated an error
# account_suppression_time = 60
#
# recon_cache_path = /var/cache/swift
[container-auditor]
# You can override the default log routing for this app here (don't use set!):
# log_name = container-auditor
# log_facility = LOG_LOCAL0
# log_level = INFO
# log_address = /dev/log
#
# Will audit each container at most once per interval
# interval = 1800
#
# containers_per_second = 200
# recon_cache_path = /var/cache/swift
[container-sync]
# You can override the default log routing for this app here (don't use set!):
# log_name = container-sync
# log_facility = LOG_LOCAL0
# log_level = INFO
# log_address = /dev/log
#
# If you need to use an HTTP Proxy, set it here; defaults to no proxy.
# You can also set this to a comma separated list of HTTP Proxies and they will
# be randomly used (simple load balancing).
# sync_proxy = http://10.1.1.1:8888,http://10.1.1.2:8888
#
# Will sync each container at most once per interval
# interval = 300
#
# Maximum amount of time to spend syncing each container per pass
# container_time = 60

Container sync realms configuration


Find an example container sync realms configuration at etc/container-sync-realms.conf-sample in the source code repository.
The available configuration options are:

Table 9.28. Description of configuration options for [DEFAULT] in container-sync-realms.conf

| Configuration option = Default value | Description |
|---|---|
| mtime_check_interval = 300 | No help text available for this option. |

Table 9.29. Description of configuration options for [realm1] in container-sync-realms.conf

| Configuration option = Default value | Description |
|---|---|
| cluster_name1 = https://host1/v1/ | No help text available for this option. |
| cluster_name2 = https://host2/v1/ | No help text available for this option. |
| key = realm1key | No help text available for this option. |
| key2 = realm1key2 | No help text available for this option. |

Table 9.30. Description of configuration options for [realm2] in container-sync-realms.conf

| Configuration option = Default value | Description |
|---|---|
| cluster_name3 = https://host3/v1/ | No help text available for this option. |
| cluster_name4 = https://host4/v1/ | No help text available for this option. |
| key = realm2key | No help text available for this option. |
| key2 = realm2key2 | No help text available for this option. |

Sample container sync realms configuration file


# [DEFAULT]
# The number of seconds between checking the modified time of this config file
# for changes and therefore reloading it.
# mtime_check_interval = 300

# [realm1]
# key = realm1key
# key2 = realm1key2
# cluster_name1 = https://host1/v1/
# cluster_name2 = https://host2/v1/
#
# [realm2]
# key = realm2key
# key2 = realm2key2
# cluster_name3 = https://host3/v1/
# cluster_name4 = https://host4/v1/

# Each section name is the name of a sync realm. A sync realm is a set of
# clusters that have agreed to allow container syncing with each other. Realm
# names will be considered case insensitive.
#
# The key is the overall cluster-to-cluster key used in combination with the
# external users' key that they set on their containers' X-Container-Sync-Key
# metadata header values. These keys will be used to sign each request the
# container sync daemon makes and used to validate each incoming container sync
# request.
#
# The key2 is optional and is an additional key incoming requests will be
# checked against. This is so you can rotate keys if you wish; you move the
# existing key to key2 and make a new key value.
#
# Any values in the realm section whose names begin with cluster_ will indicate
# the name and endpoint of a cluster and will be used by external users in
# their containers' X-Container-Sync-To metadata header values with the format
# "realm_name/cluster_name/container_name". Realm and cluster names are
# considered case insensitive.
#
# The endpoint is what the container sync daemon will use when sending out
# requests to that cluster. Keep in mind this endpoint must be reachable by all
# container servers, since that is where the container sync daemon runs. Note
# that the endpoint ends with /v1/ and that the container sync daemon will then
# add the account/container/obj name after that.
#
# Distribute this container-sync-realms.conf file to all your proxy servers
# and container servers.
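
The following is an added example, not part of the OpenStack documentation or of Swift's code: it lints a container-sync-realms.conf against the properties the sample file's comments describe and performs the key-to-key2 rotation. The helper names, the finding labels, the MIN_KEY_LEN floor, the HTTPS requirement and the realm2 values are assumptions made for this example.

```python
import configparser
import secrets
from urllib.parse import urlparse

# Constructed input: realm1 carries the sample file's values uncommented;
# realm2 is invented here to exercise the remaining checks.
SAMPLE_CONF = """\
[DEFAULT]
mtime_check_interval = 300

[realm1]
key = realm1key
key2 = realm1key2
cluster_name1 = https://host1/v1/
cluster_name2 = https://host2/v1/

[realm2]
key = 3f9c1e7a5b2d48c6a0e4d7f19b6c2a85d1e0f4a7c3b9628e5d0a1f7c4b8e2d96
key2 = 3f9c1e7a5b2d48c6a0e4d7f19b6c2a85d1e0f4a7c3b9628e5d0a1f7c4b8e2d96
cluster_east = http://east.example.test/v1
"""

# Keys published in the sample file; anyone can read them there.
SAMPLE_KEYS = {"realm1key", "realm1key2", "realm2key", "realm2key2"}
MIN_KEY_LEN = 32  # assumption: a local policy floor, not a Swift requirement


def load(text):
    # interpolation=None so a "%" inside a key is taken literally
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    return parser


def realm_options(parser, realm):
    """Options set in the realm itself, without inherited [DEFAULT] entries."""
    return {k: v for k, v in parser.items(realm) if k not in parser.defaults()}


def audit(parser):
    """Return a sorted list of (realm, finding) tuples."""
    findings = []
    folded_names = {}
    for realm in parser.sections():
        # Realm names are case insensitive, so "Realm1" and "realm1" collide.
        first = folded_names.setdefault(realm.lower(), realm)
        if first != realm:
            findings.append((realm, "name-collides-with-" + first))
        opts = realm_options(parser, realm)
        key, key2 = opts.get("key", ""), opts.get("key2", "")
        for name, value in (("key", key), ("key2", key2)):
            if name == "key" and not value:
                findings.append((realm, "key-missing"))
            elif value in SAMPLE_KEYS:
                findings.append((realm, name + "-is-sample-value"))
            elif value and len(value) < MIN_KEY_LEN:
                findings.append((realm, name + "-too-short"))
        if key and key == key2:
            # key2 exists to hold the previous key during a rotation
            findings.append((realm, "key2-equals-key"))
        for name, endpoint in opts.items():
            if not name.startswith("cluster_"):
                continue
            url = urlparse(endpoint)
            if url.scheme != "https":
                findings.append((realm, name + "-not-https"))
            if not url.path.endswith("/v1/"):
                findings.append((realm, name + "-missing-v1-suffix"))
    return sorted(findings)


def rotate_key(parser, realm):
    """Rotate as the sample file describes: key moves to key2, key is new."""
    parser.set(realm, "key2", parser.get(realm, "key"))
    parser.set(realm, "key", secrets.token_hex(32))
    return parser.get(realm, "key")


if __name__ == "__main__":
    conf = load(SAMPLE_CONF)
    for realm, finding in audit(conf):
        print(realm, finding)
    rotate_key(conf, "realm1")
    print("after one rotation:", [f for r, f in audit(conf) if r == "realm1"])
```

After a single rotation the previous key is still accepted for incoming requests as key2, so a sample or exposed key stays valid until a second rotation or until key2 is removed.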

Container reconciler configuration


Find an example container reconciler configuration at etc/container-reconciler.conf-sample in the source code repository.
The available configuration options are:

Table 9.31. Description of configuration options for [DEFAULT] in container-reconciler.conf

| Configuration option = Default value | Description |
|---|---|
| log_address = /dev/log | Location where syslog sends the logs to |
| log_custom_handlers = | Comma-separated list of functions to call to setup custom log handlers. |
| log_facility = LOG_LOCAL0 | Syslog log facility |
| log_level = INFO | Logging level |
| log_name = swift | Label used when logging |
| log_statsd_default_sample_rate = 1.0 | Defines the probability of sending a sample for any given event or timing measurement. |
| log_statsd_host = localhost | If not set, the StatsD feature is disabled. |
| log_statsd_metric_prefix = | Value will be prepended to every metric sent to the StatsD server. |
| log_statsd_port = 8125 | Port value for the StatsD server. |
| log_statsd_sample_rate_factor = 1.0 | Not recommended to set this to a value less than 1.0, if frequency of logging is too high, tune the log_statsd_default_sample_rate instead. |
| log_udp_host = | If not set, the UDP receiver for syslog is disabled. |
| log_udp_port = 514 | Port value for UDP receiver, if enabled. |
| swift_dir = /etc/swift | Swift configuration directory |
| user = swift | User to run as |

Table 9.32. Description of configuration options for [app-proxy-server] in container-reconciler.conf

| Configuration option = Default value | Description |
|---|---|
| use = egg:swift#proxy | Entry point of paste.deploy in the server |

Table 9.33. Description of configuration options for [container-reconciler] in container-reconciler.conf

| Configuration option = Default value | Description |
|---|---|
| interval = 30 | Minimum time for a pass to take |
| reclaim_age = 604800 | Time elapsed in seconds before an object can be reclaimed |
| request_tries = 3 | No help text available for this option. |

Table 9.34. Description of configuration options for [filter-cache] in container-reconciler.conf

| Configuration option = Default value | Description |
|---|---|
| use = egg:swift#memcache | Entry point of paste.deploy in the server |

Table 9.35. Description of configuration options for [filter-catch_errors] in container-reconciler.conf

| Configuration option = Default value | Description |
|---|---|
| use = egg:swift#catch_errors | Entry point of paste.deploy in the server |

Table 9.36. Description of configuration options for [filter-proxy-logging] in container-reconciler.conf

| Configuration option = Default value | Description |
|---|---|
| use = egg:swift#proxy_logging | Entry point of paste.deploy in the server |

Table 9.37. Description of configuration options for [pipeline-main] in container-reconciler.conf

| Configuration option = Default value | Description |
|---|---|
| pipeline = catch_errors proxy-logging cache proxy-server | No help text available for this option. |

Sample container sync reconciler configuration file


[DEFAULT]
# swift_dir = /etc/swift
# user = swift
# You can specify default log routing here if you want:
# log_name = swift
# log_facility = LOG_LOCAL0
# log_level = INFO
# log_address = /dev/log
#
# comma separated list of functions to call to setup custom log handlers.
# functions get passed: conf, name, log_to_console, log_route, fmt, logger,
# adapted_logger
# log_custom_handlers =
#
# If set, log_udp_host will override log_address
# log_udp_host =
# log_udp_port = 514
#
# You can enable StatsD logging here:
# log_statsd_host = localhost
# log_statsd_port = 8125
# log_statsd_default_sample_rate = 1.0
# log_statsd_sample_rate_factor = 1.0
# log_statsd_metric_prefix =
[container-reconciler]
# The reconciler will re-attempt reconciliation if the source object is not
# available up to reclaim_age seconds before it gives up and deletes the entry
# in the queue.
# reclaim_age = 604800
# The cycle time of the daemon
# interval = 30
# Server errors from requests will be retried by default
# request_tries = 3
[pipeline:main]
pipeline = catch_errors proxy-logging cache proxy-server
[app:proxy-server]
use = egg:swift#proxy
# See proxy-server.conf-sample for options
[filter:cache]
use = egg:swift#memcache
# See proxy-server.conf-sample for options
[filter:proxy-logging]
use = egg:swift#proxy_logging
[filter:catch_errors]
use = egg:swift#catch_errors
# See proxy-server.conf-sample for options

Account server configuration


Find an example account server configuration at etc/account-server.conf-sample
in the source code repository.
The available configuration options are:

Table 9.38. Description of configuration options for [DEFAULT] in account-server.conf

| Configuration option = Default value | Description |
|---|---|
| backlog = 4096 | Maximum number of allowed pending TCP connections |
| bind_ip = 0.0.0.0 | IP Address for server to bind to |
| bind_port = 6002 | Port for server to bind to |
| bind_timeout = 30 | Seconds to attempt bind before giving up |
| db_preallocation = off | If you don't mind the extra disk space usage in overhead, you can turn this on to preallocate disk space with SQLite databases to decrease fragmentation. |
| devices = /srv/node | Parent directory of where devices are mounted |
| disable_fallocate = false | Disable "fast fail" fallocate checks if the underlying filesystem does not support it. |
| eventlet_debug = false | If true, turn on debug logging for eventlet |
| fallocate_reserve = 0 | You can set fallocate_reserve to the number of bytes you'd like fallocate to reserve, whether there is space for the given file size or not. This is useful for systems that behave badly when they completely run out of space; you can make the services pretend they're out of space early. |
| log_address = /dev/log | Location where syslog sends the logs to |
| log_custom_handlers = | Comma-separated list of functions to call to setup custom log handlers. |
| log_facility = LOG_LOCAL0 | Syslog log facility |
| log_level = INFO | Logging level |
| log_max_line_length = 0 | Caps the length of log lines to the value given; no limit if set to 0, the default. |
| log_name = swift | Label used when logging |
| log_statsd_default_sample_rate = 1.0 | Defines the probability of sending a sample for any given event or timing measurement. |
| log_statsd_host = localhost | If not set, the StatsD feature is disabled. |
| log_statsd_metric_prefix = | Value will be prepended to every metric sent to the StatsD server. |
| log_statsd_port = 8125 | Port value for the StatsD server. |
| log_statsd_sample_rate_factor = 1.0 | Not recommended to set this to a value less than 1.0, if frequency of logging is too high, tune the log_statsd_default_sample_rate instead. |
| log_udp_host = | If not set, the UDP receiver for syslog is disabled. |
| log_udp_port = 514 | Port value for UDP receiver, if enabled. |
| max_clients = 1024 | Maximum number of clients one worker can process simultaneously. Lowering the number of clients handled per worker, and raising the number of workers can lessen the impact that a CPU intensive, or blocking, request can have on other requests served by the same worker. If the maximum number of clients is set to one, then a given worker will not perform another call while processing, allowing other workers a chance to process it. |
| mount_check = true | Whether or not to check if the devices are mounted to prevent accidentally writing to the root device |
| swift_dir = /etc/swift | Swift configuration directory |
| user = swift | User to run as |
| workers = auto | a much higher value, one can reduce the impact of slow file system operations in one request from negatively impacting other requests. |

Table 9.39. Description of configuration options for [app-account-server] in account-server.conf

| Configuration option = Default value | Description |
|---|---|
| auto_create_account_prefix = . | Prefix to use when automatically creating accounts |
| replication_server = false | If defined, tells server how to handle replication verbs in requests. When set to True (or 1), only replication verbs will be accepted. When set to False, replication verbs will be rejected. When undefined, server will accept any verb in the request. |
| set log_address = /dev/log | Location where syslog sends the logs to |
| set log_facility = LOG_LOCAL0 | Syslog log facility |
| set log_level = INFO | Log level |
| set log_name = account-server | Label to use when logging |
| set log_requests = true | Whether or not to log requests |
| use = egg:swift#account | Entry point of paste.deploy in the server |

Table 9.40. Description of configuration options for [pipeline-main] in account-server.conf

| Configuration option = Default value | Description |
|---|---|
| pipeline = healthcheck recon account-server | No help text available for this option. |

Table 9.41. Description of configuration options for [account-replicator] in account-server.conf

| Configuration option = Default value | Description |
|---|---|
| concurrency = 8 | Number of replication workers to spawn |
| conn_timeout = 0.5 | Connection timeout to external services |
| error_suppression_interval = 60 | Time in seconds that must elapse since the last error for a node to be considered no longer error limited |
| error_suppression_limit = 10 | Error count to consider a node error limited |
| interval = 30 | Minimum time for a pass to take |
| log_address = /dev/log | Location where syslog sends the logs to |
| log_facility = LOG_LOCAL0 | Syslog log facility |
| log_level = INFO | Logging level |
| log_name = account-replicator | Label used when logging |
| max_diffs = 100 | Caps how long the replicator spends trying to sync a database per pass |
| node_timeout = 10 | Request timeout to external services |
| per_diff = 1000 | Limit number of items to get per diff |
| reclaim_age = 604800 | Time elapsed in seconds before an object can be reclaimed |
| recon_cache_path = /var/cache/swift | Directory where stats for a few items will be stored |
| run_pause = 30 | Time in seconds to wait between replication passes |
| vm_test_mode = no | Indicates that you are using a VM environment |

Table 9.42. Description of configuration options for [account-auditor] in account-server.conf

| Configuration option = Default value | Description |
|---|---|
| accounts_per_second = 200 | Maximum accounts audited per second. Should be tuned according to individual system specs. 0 is unlimited. |
| interval = 1800 | Minimum time for a pass to take |
| log_address = /dev/log | Location where syslog sends the logs to |
| log_facility = LOG_LOCAL0 | Syslog log facility |
| log_level = INFO | Logging level |
| log_name = account-auditor | Label used when logging |
| recon_cache_path = /var/cache/swift | Directory where stats for a few items will be stored |

Table 9.43. Description of configuration options for [account-reaper] in account-server.conf

| Configuration option = Default value | Description |
|---|---|
| concurrency = 25 | Number of replication workers to spawn |
| conn_timeout = 0.5 | Connection timeout to external services |
| delay_reaping = 0 | Normally, the reaper begins deleting account information for deleted accounts immediately; you can set this to delay its work however. The value is in seconds, 2592000 = 30 days, for example. |
| interval = 3600 | Minimum time for a pass to take |
| log_address = /dev/log | Location where syslog sends the logs to |
| log_facility = LOG_LOCAL0 | Syslog log facility |
| log_level = INFO | Logging level |
| log_name = account-reaper | Label used when logging |
| node_timeout = 10 | Request timeout to external services |
| reap_warn_after = 2592000 | No help text available for this option. |

Table 9.44. Description of configuration options for [filter-healthcheck] in account-server.conf

| Configuration option = Default value | Description |
|---|---|
| disable_path = | No help text available for this option. |
| use = egg:swift#healthcheck | Entry point of paste.deploy in the server |

Table 9.45. Description of configuration options for [filter-recon] in account-server.conf

| Configuration option = Default value | Description |
|---|---|
| recon_cache_path = /var/cache/swift | Directory where stats for a few items will be stored |
| use = egg:swift#recon | Entry point of paste.deploy in the server |

Table 9.46. Description of configuration options for [filter-xprofile] in account-server.conf

| Configuration option = Default value | Description |
|---|---|
| dump_interval = 5.0 | No help text available for this option. |
| dump_timestamp = false | No help text available for this option. |
| flush_at_shutdown = false | No help text available for this option. |
| log_filename_prefix = /tmp/log/swift/profile/default.profile | No help text available for this option. |
| path = /__profile__ | No help text available for this option. |
| profile_module = eventlet.green.profile | No help text available for this option. |
| unwind = false | No help text available for this option. |
| use = egg:swift#xprofile | Entry point of paste.deploy in the server |

Sample account server configuration file


[DEFAULT]
# bind_ip = 0.0.0.0
# bind_port = 6002
# bind_timeout = 30
# backlog = 4096
# user = swift
# swift_dir = /etc/swift
# devices = /srv/node
# mount_check = true
# disable_fallocate = false
#
# Use an integer to override the number of pre-forked processes that will
# accept connections.
# workers = auto
#
# Maximum concurrent requests per worker
# max_clients = 1024
#
# You can specify default log routing here if you want:
# log_name = swift
# log_facility = LOG_LOCAL0
# log_level = INFO
# log_address = /dev/log
#
# comma separated list of functions to call to setup custom log handlers.
# functions get passed: conf, name, log_to_console, log_route, fmt, logger,
# adapted_logger
# log_custom_handlers =
#
# If set, log_udp_host will override log_address
# log_udp_host =
# log_udp_port = 514
#
# You can enable StatsD logging here:
# log_statsd_host = localhost
# log_statsd_port = 8125
# log_statsd_default_sample_rate = 1.0
# log_statsd_sample_rate_factor = 1.0
# log_statsd_metric_prefix =
#
# If you don't mind the extra disk space usage in overhead, you can turn this
# on to preallocate disk space with SQLite databases to decrease fragmentation.
# db_preallocation = off
#
# eventlet_debug = false
#
# You can set fallocate_reserve to the number of bytes you'd like fallocate to
# reserve, whether there is space for the given file size or not.
# fallocate_reserve = 0
[pipeline:main]
pipeline = healthcheck recon account-server
[app:account-server]
use = egg:swift#account
# You can override the default log routing for this app here:
# set log_name = account-server
# set log_facility = LOG_LOCAL0
# set log_level = INFO
# set log_requests = true
# set log_address = /dev/log
#
# auto_create_account_prefix = .
#
# Configure parameter for creating specific server
# To handle all verbs, including replication verbs, do not specify
# "replication_server" (this is the default). To only handle replication,
# set to a True value (e.g. "True" or "1"). To handle only non-replication
# verbs, set to "False". Unless you have a separate replication network, you
# should not specify any value for "replication_server".
# replication_server = false
[filter:healthcheck]
use = egg:swift#healthcheck
# An optional filesystem path, which if present, will cause the healthcheck
# URL to return "503 Service Unavailable" with a body of "DISABLED BY FILE"
# disable_path =
[filter:recon]
use = egg:swift#recon
# recon_cache_path = /var/cache/swift
[account-replicator]
# You can override the default log routing for this app here (don't use set!):
# log_name = account-replicator
# log_facility = LOG_LOCAL0
# log_level = INFO
# log_address = /dev/log
#
# vm_test_mode = no
# per_diff = 1000
# max_diffs = 100
# concurrency = 8
# interval = 30
#
# How long without an error before a node's error count is reset. This will
# also be how long before a node is reenabled after suppression is triggered.
# error_suppression_interval = 60
#
# How many errors can accumulate before a node is temporarily ignored.
# error_suppression_limit = 10
#
# node_timeout = 10
# conn_timeout = 0.5
#
# The replicator also performs reclamation
# reclaim_age = 604800
#
# Time in seconds to wait between replication passes
# run_pause = 30
#
# recon_cache_path = /var/cache/swift

[account-auditor]
# You can override the default log routing for this app here (don't use set!):
# log_name = account-auditor
# log_facility = LOG_LOCAL0
# log_level = INFO
# log_address = /dev/log
#
# Will audit each account at most once per interval
# interval = 1800
#
# log_facility = LOG_LOCAL0
# log_level = INFO
# accounts_per_second = 200
# recon_cache_path = /var/cache/swift
[account-reaper]
# You can override the default log routing for this app here (don't use set!):
# log_name = account-reaper
# log_facility = LOG_LOCAL0
# log_level = INFO
# log_address = /dev/log
#
# concurrency = 25
# interval = 3600
# node_timeout = 10
# conn_timeout = 0.5
#
# Normally, the reaper begins deleting account information for deleted accounts
# immediately; you can set this to delay its work however. The value is in
# seconds; 2592000 = 30 days for example.
# delay_reaping = 0
#
# If the account fails to be reaped due to a persistent error, the
# account reaper will log a message such as:
#     Account <name> has not been reaped since <date>
# You can search logs for this message if space is not being reclaimed
# after you delete account(s).
# Default is 2592000 seconds (30 days). This is in addition to any time
# requested by delay_reaping.
# reap_warn_after = 2592000

Proxy server configuration


Find an example proxy server configuration at etc/proxy-server.conf-sample in the
source code repository.
The available configuration options are:

Table 9.47. Description of configuration options for [DEFAULT] in proxy-server.conf

| Configuration option = Default value | Description |
|---|---|
| admin_key = secret_admin_key | to use for admin calls that are HMAC signed. Default is empty, which will disable admin calls to /info. the proxy server. For most cases, this should be `egg:swift#proxy`. request whenever it has to failover to a handoff node |
| backlog = 4096 | Maximum number of allowed pending TCP connections |
| bind_ip = 0.0.0.0 | IP Address for server to bind to |
| bind_port = 8080 | Port for server to bind to |
| bind_timeout = 30 | Seconds to attempt bind before giving up |
| cert_file = /etc/swift/proxy.crt | to the ssl .crt. This should be enabled for testing purposes only. |
| client_timeout = 60 | Timeout to read one chunk from a client external services |
| cors_allow_origin = | is a list of hosts that are included with any CORS request by default and returned with the Access-Control-Allow-Origin header in addition to what the container has set. to call to setup custom log handlers. for eventlet the proxy server. For most cases, this should be `egg:swift#proxy`. request whenever it has to failover to a handoff node |
| disallowed_sections = container_quotas, tempurl, bulk_delete.max_failed_deletes | No help text available for this option. |
| eventlet_debug = false | If true, turn on debug logging for eventlet |
| expiring_objects_account_name = expiring_objects | No help text available for this option. |
| expiring_objects_container_divisor = 86400 | No help text available for this option. |
| expose_info = true | Enables exposing configuration settings via HTTP GET /info. |
| key_file = /etc/swift/proxy.key | to the ssl .key. This should be enabled for testing purposes only. |
| log_address = /dev/log | Location where syslog sends the logs to |
| log_custom_handlers = | Comma-separated list of functions to call to setup custom log handlers. |
| log_facility = LOG_LOCAL0 | Syslog log facility |
| log_headers = false | No help text available for this option. |
| log_level = INFO | Logging level |
| log_max_line_length = 0 | Caps the length of log lines to the value given; no limit if set to 0, the default. |
| log_name = swift | Label used when logging |
| log_statsd_default_sample_rate = 1.0 | Defines the probability of sending a sample for any given event or timing measurement. |
| log_statsd_host = localhost | If not set, the StatsD feature is disabled. |
| log_statsd_metric_prefix = | Value will be prepended to every metric sent to the StatsD server. |
| log_statsd_port = 8125 | Port value for the StatsD server. |
| log_statsd_sample_rate_factor = 1.0 | Not recommended to set this to a value less than 1.0, if frequency of logging is too high, tune the log_statsd_default_sample_rate instead. |
| log_udp_host = | If not set, the UDP receiver for syslog is disabled. |
| log_udp_port = 514 | Port value for UDP receiver, if enabled. |
| max_clients = 1024 | Maximum number of clients one worker can process simultaneously. Lowering the number of clients handled per worker, and raising the number of workers can lessen the impact that a CPU intensive, or blocking, request can have on other requests served by the same worker. If the maximum number of clients is set to one, then a given worker will not perform another call while processing, allowing other workers a chance to process it. |
| strict_cors_mode = True | No help text available for this option. |
| swift_dir = /etc/swift | Swift configuration directory |
| trans_id_suffix = | No help text available for this option. |
| user = swift | User to run as |
| workers = auto | a much higher value, one can reduce the impact of slow file system operations in one request from negatively impacting other requests. |

Table9.48.Description of configuration options for [app-proxy-server]


in proxy-server.conf
Configuration option = Default value

Description

account_autocreate = false

If set to 'true' authorized accounts that do not yet exist


within the Swift cluster will be automatically created.

allow_account_management = false

Whether account PUTs and DELETEs are even callable

auto_create_account_prefix = .

Prefix to use when automatically creating accounts

client_chunk_size = 65536

Chunk size to read from clients

conn_timeout = 0.5

Connection timeout to external services

deny_host_headers =

No help text available for this option.

error_suppression_interval = 60

Time in seconds that must elapse since the last error for a
node to be considered no longer error limited

error_suppression_limit = 10

Error count to consider a node error limited

log_handoffs = true

No help text available for this option.

max_containers_per_account = 0

If set to a positive value, trying to create a container


when the account already has at least this maximum
containers will result in a 403 Forbidden. Note: This is
a soft limit, meaning a user might exceed the cap for
recheck_account_existence before the 403s kick in.

max_containers_whitelist =

is a comma separated list of account names that ignore


the max_containers_per_account cap.

507

A F T - Ju no -D R A F T - Ju no -D R A F T - Ju no -D RA F T - Ju no -D RA F T - Ju no -D RA F T - Ju no -

OpenStack Configuration Reference

October 7, 2014

juno

Configuration option = Default value

Description

max_large_object_get_time = 86400

No help text available for this option.

node_timeout = 10

Request timeout to external services

object_chunk_size = 65536

Chunk size to read from object servers

object_post_as_copy = true

Set object_post_as_copy = false to turn on fast posts


where only the metadata changes are stored anew and
the original data file is kept in place. This makes for quicker posts; but since the container metadata isn't updated
in this mode, features like container sync won't be able to
sync posts.

post_quorum_timeout = 0.5

No help text available for this option.

put_queue_depth = 10

No help text available for this option.

read_affinity = r1z1=100, r1z2=200, r2=300

No help text available for this option.

recheck_account_existence = 60

Cache timeout in seconds to send memcached for account


existence

recheck_container_existence = 60

Cache timeout in seconds to send memcached for container existence

recoverable_node_timeout = node_timeout

Request timeout to external services for requests that, on


failure, can be recovered from. For example, object GET.
from a client external services

request_node_count = 2 * replicas

* replicas Set to the number of nodes to contact for a normal request. You can use '* replicas' at the end to have it
use the number given times the number of replicas for the
ring being used for the request. conf file for values will only be shown to the list of swift_owners. The exact default
definition of a swift_owner is headers> up to the auth system in use, but usually indicates administrative responsibilities. paste.deploy to use for auth. To use tempauth set to:
`egg:swift#tempauth` each request

set log_address = /dev/log

Location where syslog sends the logs to

set log_facility = LOG_LOCAL0

Syslog log facility

set log_level = INFO

Log level

set log_name = proxy-server

Label to use when logging

sorting_method = shuffle

No help text available for this option.

swift_owner_headers = x-container-read, x-container-write, x-container-sync-key, x-container-sync-to, x-account-meta-temp-url-key, x-account-meta-temp-url-key-2, x-account-access-control

These are the headers whose values will only be shown to swift_owners. The exact definition of a swift_owner is up to the auth system in use, but usually indicates administrative responsibilities.

timing_expiry = 300

No help text available for this option.

use = egg:swift#proxy

Entry point of paste.deploy in the server

write_affinity = r1, r2

No help text available for this option.

write_affinity_node_count = 2 * replicas

No help text available for this option.

Table 9.49. Description of configuration options for [pipeline-main] in proxy-server.conf

Configuration option = Default value

Description

pipeline = catch_errors gatekeeper healthcheck proxy-logging cache container_sync bulk tempurl ratelimit tempauth container-quotas account-quotas slo dlo proxy-logging proxy-server

No help text available for this option.


Table 9.50. Description of configuration options for [filter-account-quotas] in proxy-server.conf


Configuration option = Default value

Description

use = egg:swift#account_quotas

Entry point of paste.deploy in the server

Table 9.51. Description of configuration options for [filter-authtoken] in proxy-server.conf

Configuration option = Default value

Description

admin_password = password

No help text available for this option.

admin_tenant_name = service

No help text available for this option.

admin_user = swift

No help text available for this option.

auth_host = keystonehost

No help text available for this option.

auth_port = 35357

No help text available for this option.

auth_protocol = http

No help text available for this option.

auth_uri = http://keystonehost:5000/

No help text available for this option.

cache = swift.cache

No help text available for this option.

delay_auth_decision = 1

No help text available for this option.

include_service_catalog = False

No help text available for this option.

Table 9.52. Description of configuration options for [filter-cache] in proxy-server.conf

Configuration option = Default value

Description

memcache_max_connections = 2

Max number of connections to each memcached server per worker

memcache_serialization_support = 2

No help text available for this option.

memcache_servers = 127.0.0.1:11211

Comma separated list of memcached servers ip:port

set log_address = /dev/log

Location where syslog sends the logs to

set log_facility = LOG_LOCAL0

Syslog log facility

set log_headers = false

If True, log headers in each request

set log_level = INFO

Log level

set log_name = cache

Label to use when logging

use = egg:swift#memcache

Entry point of paste.deploy in the server

Table 9.53. Description of configuration options for [filter-catch_errors] in proxy-server.conf


Configuration option = Default value

Description

set log_address = /dev/log

Location where syslog sends the logs to

set log_facility = LOG_LOCAL0

Syslog log facility

set log_headers = false

If True, log headers in each request

set log_level = INFO

Log level

set log_name = catch_errors

Label to use when logging

use = egg:swift#catch_errors

Entry point of paste.deploy in the server


Table 9.54. Description of configuration options for [filter-container_sync] in proxy-server.conf


Configuration option = Default value

Description

allow_full_urls = true

No help text available for this option.

current = //REALM/CLUSTER

No help text available for this option.

use = egg:swift#container_sync

Entry point of paste.deploy in the server

Table 9.55. Description of configuration options for [filter-dlo] in proxy-server.conf

Configuration option = Default value

Description

max_get_time = 86400

No help text available for this option.

rate_limit_after_segment = 10

Rate limit the download of large object segments after this segment is downloaded.

rate_limit_segments_per_sec = 1

Rate limit large object downloads at this rate.

use = egg:swift#dlo

Entry point of paste.deploy in the server

Table 9.56. Description of configuration options for [filter-gatekeeper] in proxy-server.conf

Configuration option = Default value

Description

set log_address = /dev/log

Location where syslog sends the logs to

set log_facility = LOG_LOCAL0

Syslog log facility

set log_headers = false

If True, log headers in each request

set log_level = INFO

Log level

set log_name = gatekeeper

Label to use when logging

use = egg:swift#gatekeeper

Entry point of paste.deploy in the server

Table 9.57. Description of configuration options for [filter-healthcheck] in proxy-server.conf


Configuration option = Default value

Description

disable_path =

No help text available for this option.

use = egg:swift#healthcheck

Entry point of paste.deploy in the server

Table 9.58. Description of configuration options for [filter-keystoneauth] in proxy-server.conf


Configuration option = Default value

Description

allow_names_in_acls = true

No help text available for this option.

default_domain_id = default

No help text available for this option.

operator_roles = admin, swiftoperator

No help text available for this option.

reseller_admin_role = ResellerAdmin

No help text available for this option.

use = egg:swift#keystoneauth

Entry point of paste.deploy in the server


Table 9.59. Description of configuration options for [filter-list-endpoints] in proxy-server.conf


Configuration option = Default value

Description

list_endpoints_path = /endpoints/

No help text available for this option.

use = egg:swift#list_endpoints

Entry point of paste.deploy in the server

Table 9.60. Description of configuration options for [filter-proxy-logging] in proxy-server.conf


Configuration option = Default value

Description

access_log_address = /dev/log

No help text available for this option.

access_log_facility = LOG_LOCAL0

No help text available for this option.

access_log_headers = false

No help text available for this option.

access_log_headers_only =

If access_log_headers is True and access_log_headers_only is set only these headers are logged. Multiple headers can be defined as comma separated list like this: access_log_headers_only = Host, X-Object-Meta-Mtime

access_log_level = INFO

No help text available for this option.

access_log_name = swift

No help text available for this option.

access_log_statsd_default_sample_rate = 1.0

No help text available for this option.

access_log_statsd_host = localhost

No help text available for this option.

access_log_statsd_metric_prefix =

No help text available for this option.

access_log_statsd_port = 8125

No help text available for this option.

access_log_statsd_sample_rate_factor = 1.0

No help text available for this option.

access_log_udp_host =

No help text available for this option.

access_log_udp_port = 514

No help text available for this option.

log_statsd_valid_http_methods = GET,HEAD,POST,PUT,DELETE,COPY,OPTIONS

No help text available for this option.

logged with access_log_headers = True.

No help text available for this option.

reveal_sensitive_prefix = 16

The X-Auth-Token is sensitive data. If revealed to an unauthorised person, they can now make requests against an
account until the token expires. Set reveal_sensitive_prefix
to the number of characters of the token that are logged.
For example reveal_sensitive_prefix = 12 so only first 12
characters of the token are logged. Or, set to 0 to completely remove the token.

use = egg:swift#proxy_logging

Entry point of paste.deploy in the server

Table 9.61. Description of configuration options for [filter-tempauth] in proxy-server.conf

Configuration option = Default value

Description

allow_overrides = true

No help text available for this option.

auth_prefix = /auth/

The HTTP request path prefix for the auth service. Swift itself reserves anything beginning with the letter `v`.

reseller_prefix = AUTH

The naming scope for the auth service. Swift

set log_address = /dev/log

Location where syslog sends the logs to

set log_facility = LOG_LOCAL0

Syslog log facility

set log_headers = false

If True, log headers in each request

set log_level = INFO

Log level


set log_name = tempauth

Label to use when logging

storage_url_scheme = default

Scheme to return with storage urls: http, https, or default (chooses based on what the server is running as) This can be useful with an SSL load balancer in front of a non-SSL server.

token_life = 86400

The number of seconds a token is valid.

use = egg:swift#tempauth

Entry point of paste.deploy in the server

user_admin_admin = admin .admin .reseller_admin

No help text available for this option.

user_test2_tester2 = testing2 .admin

No help text available for this option.

user_test_tester = testing .admin

No help text available for this option.

user_test_tester3 = testing3

No help text available for this option.

Table 9.62. Description of configuration options for [filter-xprofile] in proxy-server.conf

Configuration option = Default value

Description

dump_interval = 5.0

No help text available for this option.

dump_timestamp = false

No help text available for this option.

flush_at_shutdown = false

No help text available for this option.

log_filename_prefix = /tmp/log/swift/profile/default.profile

No help text available for this option.

path = /__profile__

No help text available for this option.

profile_module = eventlet.green.profile

No help text available for this option.

unwind = false

No help text available for this option.

use = egg:swift#xprofile

Entry point of paste.deploy in the server
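
An added example, not part of the OpenStack reference or of Swift's own code: a small auditor that reads proxy-server.conf text and flags settings that the tables above and the comments in the sample file describe as sensitive (test tempauth accounts, pickle-capable memcache serialization, long token prefixes in access logs, pipeline ordering, testing-only SSL). The finding names, the 16-character threshold and the constructed SAMPLE_CONF are assumptions of this example.

```python
import configparser

# Keys of the test accounts listed in the sample proxy-server.conf.
SAMPLE_TEMPAUTH_KEYS = {
    "user_admin_admin": "admin",
    "user_test_tester": "testing",
    "user_test2_tester2": "testing2",
    "user_test_tester3": "testing3",
}
AUTH_FILTERS = ("tempauth", "authtoken", "keystoneauth")
MAX_TOKEN_PREFIX = 16  # assumption: audit threshold, taken from the table default

# Constructed sample input, not a real deployment's configuration.
SAMPLE_CONF = """\
[DEFAULT]
cert_file = /etc/swift/proxy.crt

[pipeline:main]
pipeline = catch_errors healthcheck cache tempauth tempurl
    proxy-logging proxy-server

[app:proxy-server]
use = egg:swift#proxy
allow_account_management = true

[filter:tempauth]
use = egg:swift#tempauth
user_admin_admin = admin .admin .reseller_admin
user_ops_alice = constructed-key-Xq7 .admin

[filter:cache]
use = egg:swift#memcache
memcache_serialization_support = 1

[filter:proxy-logging]
use = egg:swift#proxy_logging
reveal_sensitive_prefix = 8192
"""


def audit_proxy_conf(text):
    """Return a list of finding ids for risky settings in proxy-server.conf text."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)

    def opt(section, name):
        # Explicitly configured value (or one inherited from [DEFAULT]), else None.
        if cp.has_section(section) and cp.has_option(section, name):
            return cp.get(section, name).strip()
        return None

    def is_true(value):
        return (value or "").lower() in ("true", "1", "yes", "on", "t", "y")

    findings = []
    pipeline = (opt("pipeline:main", "pipeline") or "").split()
    auth_pos = [i for i, f in enumerate(pipeline) if f in AUTH_FILTERS]

    # Test accounts from the sample file left active behind tempauth.
    if "tempauth" in pipeline and cp.has_section("filter:tempauth"):
        for name, value in cp.items("filter:tempauth"):
            key = (value.split() or [""])[0]
            if name in SAMPLE_TEMPAUTH_KEYS and key == SAMPLE_TEMPAUTH_KEYS[name]:
                findings.append("tempauth-sample-account:" + name)

    # Settings 0 and 1 both still accept pickled memcache values.
    if opt("filter:cache", "memcache_serialization_support") in ("0", "1"):
        findings.append("memcache-pickle-enabled")

    # Number of X-Auth-Token characters written to the access log.
    prefix = opt("filter:proxy-logging", "reveal_sensitive_prefix")
    if prefix is not None and prefix.isdigit() and int(prefix) > MAX_TOKEN_PREFIX:
        findings.append("token-prefix-too-long")
    # reveal_sensitive_prefix does not redact headers logged this way.
    if is_true(opt("filter:proxy-logging", "access_log_headers")):
        findings.append("access-log-headers-unredacted")

    # The left-most proxy-logging records requests answered by middleware.
    if pipeline.count("proxy-logging") < 2:
        findings.append("single-proxy-logging")
    # tempurl belongs before the auth filter(s).
    if "tempurl" in pipeline and auth_pos and pipeline.index("tempurl") > auth_pos[0]:
        findings.append("tempurl-after-auth")

    if "authtoken" in pipeline:
        if (opt("filter:authtoken", "auth_protocol") or "").lower() == "http":
            findings.append("authtoken-cleartext-http")
        if opt("filter:authtoken", "admin_password") == "password":
            findings.append("authtoken-sample-password")

    # The built-in SSL settings are documented as testing-only.
    if cp.defaults().get("cert_file"):
        findings.append("builtin-ssl-testing-only")
    if is_true(opt("app:proxy-server", "allow_account_management")):
        findings.append("account-management-enabled")
    return findings


if __name__ == "__main__":
    for finding in audit_proxy_conf(SAMPLE_CONF):
        print(finding)
```

Options that are left unset produce no finding here, because their effective value can come from another file such as memcache.conf.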

Sample proxy server configuration file


[DEFAULT]
# bind_ip = 0.0.0.0
# bind_port = 80
# bind_timeout = 30
# backlog = 4096
# swift_dir = /etc/swift
# user = swift
# Enables exposing configuration settings via HTTP GET /info.
# expose_info = true
#
# Key to use for admin calls that are HMAC signed. Default is empty,
# which will disable admin calls to /info.
# admin_key = secret_admin_key
#
# Allows the ability to withhold sections from showing up in the public
# calls to /info. The following would cause the sections 'container_quotas'
# and 'tempurl' to not be listed. Default is empty, allowing all registered
# features to be listed via HTTP GET /info.
# disallowed_sections = container_quotas, tempurl
#
# Use an integer to override the number of pre-forked processes that will
# accept connections. Should default to the number of effective cpu
# cores in the system. It's worth noting that individual workers will
# use many eventlet co-routines to service multiple concurrent requests.
# workers = auto
#
# Maximum concurrent requests per worker
# max_clients = 1024
#
# Set the following two lines to enable SSL. This is for testing only.
# cert_file = /etc/swift/proxy.crt
# key_file = /etc/swift/proxy.key
#
# expiring_objects_container_divisor = 86400
# expiring_objects_account_name = expiring_objects
#
# You can specify default log routing here if you want:
# log_name = swift
# log_facility = LOG_LOCAL0
# log_level = INFO
# log_headers = false
# log_address = /dev/log
#
# This optional suffix (default is empty) that would be appended to the swift transaction
# id allows one to easily figure out from which cluster that X-Trans-Id belongs to.
# This is very useful when one is managing more than one swift cluster.
# trans_id_suffix =
#
# comma separated list of functions to call to setup custom log handlers.
# functions get passed: conf, name, log_to_console, log_route, fmt, logger,
# adapted_logger
# log_custom_handlers =
#
# If set, log_udp_host will override log_address
# log_udp_host =
# log_udp_port = 514
#
# You can enable StatsD logging here:
# log_statsd_host = localhost
# log_statsd_port = 8125
# log_statsd_default_sample_rate = 1.0
# log_statsd_sample_rate_factor = 1.0
# log_statsd_metric_prefix =
#
# Use a comma separated list of full url (http://foo.bar:1234,https://foo.bar)
# cors_allow_origin =
#
# client_timeout = 60
# eventlet_debug = false

[pipeline:main]
pipeline = catch_errors gatekeeper healthcheck proxy-logging cache container_sync bulk tempurl slo dlo ratelimit tempauth container-quotas account-quotas proxy-logging proxy-server

[app:proxy-server]
use = egg:swift#proxy
# You can override the default log routing for this app here:
# set log_name = proxy-server
# set log_facility = LOG_LOCAL0
# set log_level = INFO
# set log_address = /dev/log
#
# log_handoffs = true
# recheck_account_existence = 60
# recheck_container_existence = 60
# object_chunk_size = 8192
# client_chunk_size = 8192
#
# How long the proxy server will wait on responses from the a/c/o servers.
# node_timeout = 10
#
# How long the proxy server will wait for an initial response and to read a
# chunk of data from the object servers while serving GET / HEAD requests.
# Timeouts from these requests can be recovered from so setting this to
# something lower than node_timeout would provide quicker error recovery
# while allowing for a longer timeout for non-recoverable requests (PUTs).
# Defaults to node_timeout, should be overridden if node_timeout is set to a
# high number to prevent client timeouts from firing before the proxy server
# has a chance to retry.
# recoverable_node_timeout = node_timeout
#
# conn_timeout = 0.5
#
# How long to wait for requests to finish after a quorum has been established.
# post_quorum_timeout = 0.5
#
# How long without an error before a node's error count is reset. This will
# also be how long before a node is reenabled after suppression is triggered.
# error_suppression_interval = 60
#
# How many errors can accumulate before a node is temporarily ignored.
# error_suppression_limit = 10
#
# If set to 'true' any authorized user may create and delete accounts; if
# 'false' no one, even authorized, can.
# allow_account_management = false
#
# Set object_post_as_copy = false to turn on fast posts where only the metadata
# changes are stored anew and the original data file is kept in place. This
# makes for quicker posts; but since the container metadata isn't updated in
# this mode, features like container sync won't be able to sync posts.
# object_post_as_copy = true
#
# If set to 'true' authorized accounts that do not yet exist within the Swift
# cluster will be automatically created.
# account_autocreate = false
#
# If set to a positive value, trying to create a container when the account
# already has at least this maximum containers will result in a 403 Forbidden.
# Note: This is a soft limit, meaning a user might exceed the cap for
# recheck_account_existence before the 403s kick in.
# max_containers_per_account = 0
#
# This is a comma separated list of account hashes that ignore the
# max_containers_per_account cap.
# max_containers_whitelist =
#
# Comma separated list of Host headers to which the proxy will deny requests.
# deny_host_headers =
#
# Prefix used when automatically creating accounts.
# auto_create_account_prefix = .
#
# Depth of the proxy put queue.
# put_queue_depth = 10
#
# Storage nodes can be chosen at random (shuffle), by using timing
# measurements (timing), or by using an explicit match (affinity).
# Using timing measurements may allow for lower overall latency, while
# using affinity allows for finer control. In both the timing and
# affinity cases, equally-sorting nodes are still randomly chosen to
# spread load.
# The valid values for sorting_method are "affinity", "shuffle", and "timing".
# sorting_method = shuffle
#
# If the "timing" sorting_method is used, the timings will only be valid for
# the number of seconds configured by timing_expiry.
# timing_expiry = 300
#
# The maximum time (seconds) that a large object connection is allowed to last.
# max_large_object_get_time = 86400
#
# Set to the number of nodes to contact for a normal request. You can use
# '* replicas' at the end to have it use the number given times the number of
# replicas for the ring being used for the request.
# request_node_count = 2 * replicas
#
# Which backend servers to prefer on reads. Format is r<N> for region
# N or r<N>z<M> for region N, zone M. The value after the equals is
# the priority; lower numbers are higher priority.
#
# Example: first read from region 1 zone 1, then region 1 zone 2, then
# anything in region 2, then everything else:
# read_affinity = r1z1=100, r1z2=200, r2=300
# Default is empty, meaning no preference.
# read_affinity =
#
# Which backend servers to prefer on writes. Format is r<N> for region
# N or r<N>z<M> for region N, zone M. If this is set, then when
# handling an object PUT request, some number (see setting
# write_affinity_node_count) of local backend servers will be tried
# before any nonlocal ones.
#
# Example: try to write to regions 1 and 2 before writing to any other
# nodes:
# write_affinity = r1, r2
# Default is empty, meaning no preference.
# write_affinity =
#
# The number of local (as governed by the write_affinity setting)
# nodes to attempt to contact first, before any non-local ones. You
# can use '* replicas' at the end to have it use the number given
# times the number of replicas for the ring being used for the
# request.
# write_affinity_node_count = 2 * replicas
#
# These are the headers whose values will only be shown to swift_owners. The
# exact definition of a swift_owner is up to the auth system in use, but
# usually indicates administrative responsibilities.
# swift_owner_headers = x-container-read, x-container-write, x-container-sync-key, x-container-sync-to, x-account-meta-temp-url-key, x-account-meta-temp-url-key-2, x-account-access-control

[filter:tempauth]
use = egg:swift#tempauth
# You can override the default log routing for this filter here:
# set log_name = tempauth
# set log_facility = LOG_LOCAL0
# set log_level = INFO
# set log_headers = false
# set log_address = /dev/log
#
# The reseller prefix will verify a token begins with this prefix before even
# attempting to validate it. Also, with authorization, only Swift storage
# accounts with this prefix will be authorized by this middleware. Useful if
# multiple auth systems are in use for one Swift cluster.
# reseller_prefix = AUTH
#
# The auth prefix will cause requests beginning with this prefix to be routed
# to the auth subsystem, for granting tokens, etc.
# auth_prefix = /auth/
# token_life = 86400
#
# This allows middleware higher in the WSGI pipeline to override auth
# processing, useful for middleware such as tempurl and formpost. If you know
# you're not going to use such middleware and you want a bit of extra security,
# you can set this to false.
# allow_overrides = true
#
# This specifies what scheme to return with storage urls:
# http, https, or default (chooses based on what the server is running as)
# This can be useful with an SSL load balancer in front of a non-SSL server.
# storage_url_scheme = default
#
# Lastly, you need to list all the accounts/users you want here. The format is:
#   user_<account>_<user> = <key> [group] [group] [...] [storage_url]
# or if you want underscores in <account> or <user>, you can base64 encode them
# (with no equal signs) and use this format:
#   user64_<account_b64>_<user_b64> = <key> [group] [group] [...] [storage_url]
# There are special groups of:
#   .reseller_admin = can do anything to any account for this auth
#   .admin = can do anything within the account
# If neither of these groups are specified, the user can only access containers
# that have been explicitly allowed for them by a .admin or .reseller_admin.
# The trailing optional storage_url allows you to specify an alternate url to
# hand back to the user upon authentication. If not specified, this defaults to
# $HOST/v1/<reseller_prefix>_<account> where $HOST will do its best to resolve
# to what the requester would need to use to reach this host.
# Here are example entries, required for running the tests:
user_admin_admin = admin .admin .reseller_admin
user_test_tester = testing .admin
user_test2_tester2 = testing2 .admin
user_test_tester3 = testing3

# To enable Keystone authentication you need to have the auth token
# middleware first to be configured. Here is an example below, please
# refer to the keystone's documentation for details about the
# different settings.
#
# You'll need to have as well the keystoneauth middleware enabled
# and have it in your main pipeline so instead of having tempauth in
# there you can change it to: authtoken keystoneauth
#
# [filter:authtoken]
# paste.filter_factory = keystoneclient.middleware.auth_token:filter_factory
# auth_host = keystonehost
# auth_port = 35357
# auth_protocol = http
# auth_uri = http://keystonehost:5000/
# admin_tenant_name = service
# admin_user = swift
# admin_password = password
# delay_auth_decision = 1
# cache = swift.cache
# include_service_catalog = False
#
# [filter:keystoneauth]
# use = egg:swift#keystoneauth
# Operator roles is the role which user would be allowed to manage a
# tenant and be able to create container or give ACL to others.
# operator_roles = admin, swiftoperator
# The reseller admin role has the ability to create and delete accounts
# reseller_admin_role = ResellerAdmin

[filter:healthcheck]
use = egg:swift#healthcheck
# An optional filesystem path, which if present, will cause the healthcheck
# URL to return "503 Service Unavailable" with a body of "DISABLED BY FILE".
# This facility may be used to temporarily remove a Swift node from a load
# balancer pool during maintenance or upgrade (remove the file to allow the
# node back into the load balancer pool).
# disable_path =
[filter:cache]
use = egg:swift#memcache
# You can override the default log routing for this filter here:
# set log_name = cache
# set log_facility = LOG_LOCAL0
# set log_level = INFO
# set log_headers = false
# set log_address = /dev/log
#
# If not set here, the value for memcache_servers will be read from
# memcache.conf (see memcache.conf-sample) or lacking that file, it will
# default to the value below. You can specify multiple servers separated with
# commas, as in: 10.1.2.3:11211,10.1.2.4:11211
# memcache_servers = 127.0.0.1:11211
#
# Sets how memcache values are serialized and deserialized:
# 0 = older, insecure pickle serialization
# 1 = json serialization but pickles can still be read (still insecure)
# 2 = json serialization only (secure and the default)
# If not set here, the value for memcache_serialization_support will be read
# from /etc/swift/memcache.conf (see memcache.conf-sample).
# To avoid an instant full cache flush, existing installations should
# upgrade with 0, then set to 1 and reload, then after some time (24 hours)
# set to 2 and reload.
# In the future, the ability to use pickle serialization will be removed.
# memcache_serialization_support = 2
#
# Sets the maximum number of connections to each memcached server per worker
# memcache_max_connections = 2

[filter:ratelimit]
use = egg:swift#ratelimit
# You can override the default log routing for this filter here:
# set log_name = ratelimit
# set log_facility = LOG_LOCAL0
# set log_level = INFO
# set log_headers = false
# set log_address = /dev/log
#
# clock_accuracy should represent how accurate the proxy servers' system clocks
# are with each other. 1000 means that all the proxies' clock are accurate to
# each other within 1 millisecond. No ratelimit should be higher than the
# clock accuracy.
# clock_accuracy = 1000
#
# max_sleep_time_seconds = 60
#
# log_sleep_time_seconds of 0 means disabled
# log_sleep_time_seconds = 0
#
# allows for slow rates (e.g. running up to 5 sec's behind) to catch up.
# rate_buffer_seconds = 5
#
# account_ratelimit of 0 means disabled
# account_ratelimit = 0
# these are comma separated lists of account names
# account_whitelist = a,b
# account_blacklist = c,d
# with container_limit_x = r
# for containers of size x limit write requests per second to r. The container
# rate will be linearly interpolated from the values given. With the values
# below, a container of size 5 will get a rate of 75.
# container_ratelimit_0 = 100
# container_ratelimit_10 = 50
# container_ratelimit_50 = 20
# Similarly to the above container-level write limits, the following will limit
# container GET (listing) requests.
# container_listing_ratelimit_0 = 100
# container_listing_ratelimit_10 = 50
# container_listing_ratelimit_50 = 20
[filter:domain_remap]
use = egg:swift#domain_remap
# You can override the default log routing for this filter here:
# set log_name = domain_remap
# set log_facility = LOG_LOCAL0
# set log_level = INFO
# set log_headers = false
# set log_address = /dev/log
#
# storage_domain = example.com
# path_root = v1
# reseller_prefixes = AUTH

[filter:catch_errors]
use = egg:swift#catch_errors
# You can override the default log routing for this filter here:
# set log_name = catch_errors
# set log_facility = LOG_LOCAL0
# set log_level = INFO
# set log_headers = false
# set log_address = /dev/log
[filter:cname_lookup]
# Note: this middleware requires python-dnspython
use = egg:swift#cname_lookup
# You can override the default log routing for this filter here:
# set log_name = cname_lookup
# set log_facility = LOG_LOCAL0
# set log_level = INFO
# set log_headers = false
# set log_address = /dev/log
#
# Specify the storage_domain that match your cloud, multiple domains
# can be specified separated by a comma
# storage_domain = example.com
#
# lookup_depth = 1
# Note: Put staticweb just after your auth filter(s) in the pipeline
[filter:staticweb]
use = egg:swift#staticweb
# Note: Put tempurl before dlo, slo and your auth filter(s) in the pipeline
[filter:tempurl]
use = egg:swift#tempurl
# The methods allowed with Temp URLs.
# methods = GET HEAD PUT
#
# The headers to remove from incoming requests. Simply a whitespace delimited
# list of header names and names can optionally end with '*' to indicate a
# prefix match. incoming_allow_headers is a list of exceptions to these
# removals.
# incoming_remove_headers = x-timestamp
#
# The headers allowed as exceptions to incoming_remove_headers. Simply a
# whitespace delimited list of header names and names can optionally end with
# '*' to indicate a prefix match.
# incoming_allow_headers =
#
# The headers to remove from outgoing responses. Simply a whitespace delimited
# list of header names and names can optionally end with '*' to indicate a
# prefix match. outgoing_allow_headers is a list of exceptions to these
# removals.
# outgoing_remove_headers = x-object-meta-*
#
# The headers allowed as exceptions to outgoing_remove_headers. Simply a
# whitespace delimited list of header names and names can optionally end with
# '*' to indicate a prefix match.
# outgoing_allow_headers = x-object-meta-public-*

# Note: Put formpost just before your auth filter(s) in the pipeline
[filter:formpost]
use = egg:swift#formpost
# Note: Just needs to be placed before the proxy-server in the pipeline.
[filter:name_check]
use = egg:swift#name_check
# forbidden_chars = '"`<>
# maximum_length = 255
# forbidden_regexp = /\./|/\.\./|/\.$|/\.\.$
[filter:list-endpoints]
use = egg:swift#list_endpoints
# list_endpoints_path = /endpoints/
[filter:proxy-logging]
use = egg:swift#proxy_logging
# If not set, logging directives from [DEFAULT] without "access_" will be used
# access_log_name = swift
# access_log_facility = LOG_LOCAL0
# access_log_level = INFO
# access_log_address = /dev/log
#
# If set, access_log_udp_host will override access_log_address
# access_log_udp_host =
# access_log_udp_port = 514
#
# You can use log_statsd_* from [DEFAULT] or override them here:
# access_log_statsd_host = localhost
# access_log_statsd_port = 8125
# access_log_statsd_default_sample_rate = 1.0
# access_log_statsd_sample_rate_factor = 1.0
# access_log_statsd_metric_prefix =
# access_log_headers = false
#
# If access_log_headers is True and access_log_headers_only is set only
# these headers are logged. Multiple headers can be defined as comma separated
# list like this: access_log_headers_only = Host, X-Object-Meta-Mtime
# access_log_headers_only =
#
# By default, the X-Auth-Token is logged. To obscure the value,
# set reveal_sensitive_prefix to the number of characters to log.
# For example, if set to 12, only the first 12 characters of the
# token appear in the log. An unauthorized access of the log file
# won't allow unauthorized usage of the token. However, the first
# 12 or so characters is unique enough that you can trace/debug
# token usage. Set to 0 to suppress the token completely (replaced
# by '...' in the log).
# Note: reveal_sensitive_prefix will not affect the value
# logged with access_log_headers=True.
# reveal_sensitive_prefix = 8192
#
# What HTTP methods are allowed for StatsD logging (comma-sep); request methods
# not in this list will have "BAD_METHOD" for the <verb> portion of the metric.
# log_statsd_valid_http_methods = GET,HEAD,POST,PUT,DELETE,COPY,OPTIONS
#
# Note: The double proxy-logging in the pipeline is not a mistake. The
# left-most proxy-logging is there to log requests that were handled in
# middleware and never made it through to the right-most middleware (and
# proxy server). Double logging is prevented for normal requests. See
# proxy-logging docs.
# Note: Put before both ratelimit and auth in the pipeline.
[filter:bulk]
use = egg:swift#bulk
# max_containers_per_extraction = 10000
# max_failed_extractions = 1000
# max_deletes_per_request = 10000
# max_failed_deletes = 1000
# In order to keep a connection active during a potentially long bulk request,
# Swift may return whitespace prepended to the actual response body. This
# whitespace will be yielded no more than every yield_frequency seconds.
# yield_frequency = 10

# Note: The following parameter is used during a bulk delete of objects and
# their container. This would frequently fail because it is very likely
# that all replicated objects have not been deleted by the time the middleware got a
# successful response. It can be configured the number of retries. And the
# number of seconds to wait between each retry will be 1.5**retry
# delete_container_retry_count = 0
# Note: Put after auth in the pipeline.
[filter:container-quotas]
use = egg:swift#container_quotas
# Note: Put before both ratelimit and auth in the pipeline.
[filter:slo]
use = egg:swift#slo
# max_manifest_segments = 1000
# max_manifest_size = 2097152
# min_segment_size = 1048576
# Start rate-limiting SLO segment serving after the Nth segment of a
# segmented object.
# rate_limit_after_segment = 10
#
# Once segment rate-limiting kicks in for an object, limit segments served
# to N per second. 0 means no rate-limiting.
# rate_limit_segments_per_sec = 0
#
# Time limit on GET requests (seconds)
# max_get_time = 86400
# Note: Put before both ratelimit and auth in the pipeline, but after
# gatekeeper, catch_errors, and proxy_logging (the first instance).
# If you don't put it in the pipeline, it will be inserted for you.
[filter:dlo]
use = egg:swift#dlo

# Start rate-limiting DLO segment serving after the Nth segment of a
# segmented object.
# rate_limit_after_segment = 10
#
# Once segment rate-limiting kicks in for an object, limit segments served
# to N per second. 0 means no rate-limiting.
# rate_limit_segments_per_sec = 1
#
# Time limit on GET requests (seconds)
# max_get_time = 86400

[filter:account-quotas]
use = egg:swift#account_quotas
[filter:gatekeeper]
use = egg:swift#gatekeeper
# You can override the default log routing for this filter here:
# set log_name = gatekeeper
# set log_facility = LOG_LOCAL0
# set log_level = INFO
# set log_headers = false
# set log_address = /dev/log
[filter:container_sync]
use = egg:swift#container_sync
# Set this to false if you want to disallow any full url values to be set for
# any new X-Container-Sync-To headers. This will keep any new full urls from
# coming in, but won't change any existing values already in the cluster.
# Updating those will have to be done manually, as knowing what the true realm
# endpoint should be cannot always be guessed.
# allow_full_urls = true

Proxy server memcache configuration


Find an example memcache configuration for the proxy server at etc/memcache.conf-sample in the source code repository.
The available configuration options are:

Table 9.63. Description of configuration options for [memcache] in memcache.conf

| Configuration option = Default value | Description |
|---|---|
| memcache_max_connections = 2 | Max number of connections to each memcached server per worker services |
| memcache_serialization_support = 2 | No help text available for this option. |
| memcache_servers = 127.0.0.1:11211 | Comma separated list of memcached servers ip:port services |

Rsyncd configuration
Find an example rsyncd configuration at etc/rsyncd.conf-sample in the source code
repository.
The available configuration options are:

Table 9.64. Description of configuration options for [account] in rsyncd.conf

| Configuration option = Default value | Description |
|---|---|
| lock file = /var/lock/account.lock | No help text available for this option. |
| max connections = 2 | No help text available for this option. |
| path = /srv/node | No help text available for this option. |
| read only = false | No help text available for this option. |

Table 9.65. Description of configuration options for [container] in rsyncd.conf

| Configuration option = Default value | Description |
|---|---|
| lock file = /var/lock/container.lock | No help text available for this option. |
| max connections = 4 | No help text available for this option. |
| path = /srv/node | No help text available for this option. |
| read only = false | No help text available for this option. |

Table 9.66. Description of configuration options for [object] in rsyncd.conf

| Configuration option = Default value | Description |
|---|---|
| lock file = /var/lock/object.lock | No help text available for this option. |
| max connections = 8 | No help text available for this option. |
| path = /srv/node | No help text available for this option. |
| read only = false | No help text available for this option. |

Configure Object Storage features


Object Storage zones
In OpenStack Object Storage, data is placed across different tiers of failure domains. First,
data is spread across regions, then zones, then servers, and finally across drives. Data is
placed to get the highest failure domain isolation. If you deploy multiple regions, the Object Storage service places the data across the regions. Within a region, each replica of the
data should be stored in unique zones, if possible. If there is only one zone, data should be
placed on different servers. And if there is only one server, data should be placed on different drives.
Regions are widely separated installations with a high-latency or otherwise constrained network link between them. Zones are arbitrarily assigned, and it is up to the administrator
of the Object Storage cluster to choose an isolation level and attempt to maintain the isolation level through appropriate zone assignment. For example, a zone may be defined
as a rack with a single power source. Or a zone may be a DC room with a common utility
provider. Servers are identified by a unique IP/port. Drives are locally attached storage volumes identified by mount point.
In small clusters (five nodes or fewer), everything is normally in a single zone. Larger Object
Storage deployments may assign zone designations differently; for example, an entire cabinet
or rack of servers may be designated as a single zone to maintain replica availability if
the cabinet becomes unavailable (for example, due to failure of the top of rack switches or
a dedicated circuit). In very large deployments, such as service provider level deployments,
each zone might have an entirely autonomous switching and power infrastructure, so that
even the loss of an electrical circuit or switching aggregator would result in the loss of a single replica at most.

Rackspace zone recommendations


For ease of maintenance on OpenStack Object Storage, Rackspace recommends that you
set up at least five nodes. Each node is assigned its own zone (for a total of five zones),
which gives you host level redundancy. This enables you to take down a single zone for
maintenance and still guarantee object availability in the event that another zone fails during your maintenance.
You could keep each server in its own cabinet to achieve cabinet level isolation, but you
may wish to wait until your Object Storage service is better established before developing
cabinet-level isolation. OpenStack Object Storage is flexible; if you later decide to change
the isolation level, you can take down one zone at a time and move them to appropriate
new homes.

RAID controller configuration


OpenStack Object Storage does not require RAID. In fact, most RAID configurations cause
significant performance degradation. The main reason for using a RAID controller is the
battery-backed cache. For data integrity, it is very important that when the operating system confirms a write has been committed, the write has actually been committed to a persistent location. Most disks lie about hardware commits by default, instead writing to a faster write cache for performance reasons. In most cases, that write cache exists
only in non-persistent memory. In the case of a loss of power, this data may never actually
get committed to disk, resulting in discrepancies that the underlying file system must handle.
OpenStack Object Storage works best on the XFS file system, and this document assumes
that the hardware being used is configured appropriately to be mounted with the nobarrier option. For more information, refer to the XFS FAQ: http://xfs.org/index.php/XFS_FAQ
To get the most out of your hardware, it is essential that every disk used in OpenStack Object Storage is configured as a standalone, individual RAID 0 disk; in the case of 6 disks, you
would have six RAID 0s or one JBOD. Some RAID controllers do not support JBOD or do not
support battery backed cache with JBOD. To ensure the integrity of your data, you must
ensure that the individual drive caches are disabled and the battery backed cache in your
RAID card is configured and used. Failure to configure the controller properly in this case
puts data at risk in the case of sudden loss of power.
You can also use hybrid drives or similar options for battery backed up cache configurations
without a RAID controller.

Throttle resources through rate limits


Rate limiting in OpenStack Object Storage is implemented as a pluggable middleware that
you configure on the proxy server. Rate limiting is performed on requests that result in
database writes to the account and container SQLite databases. It uses memcached and is
dependent on the proxy servers having highly synchronized time. The rate limits are limited
by the accuracy of the proxy server clocks.

Configure rate limiting


All configuration is optional. If no account or container limits are provided, no rate limiting
occurs. Available configuration options include:

Table 9.67. Description of configuration options for [filter-ratelimit] in proxy-server.conf

| Configuration option = Default value | Description |
|---|---|
| account_blacklist = c,d | Comma separated lists of account names that will not be allowed. Returns a 497 response. r: for containers of size x, limit requests per second to r. Will limit PUT, DELETE, and POST requests to /a/c/o. container_listing_ratelimit_x = r: for containers of size x, limit listing requests per second to r. Will limit GET requests to /a/c. |
| account_ratelimit = 0 | If set, will limit PUT and DELETE requests to /account_name/container_name. Number is in requests per second. |
| account_whitelist = a,b | Comma separated lists of account names that will not be rate limited. |
| clock_accuracy = 1000 | Represents how accurate the proxy servers' system clocks are with each other. 1000 means that all the proxies' clocks are accurate to each other within 1 millisecond. No ratelimit should be higher than the clock accuracy. |
| container_listing_ratelimit_0 = 100 | No help text available for this option. |
| container_listing_ratelimit_10 = 50 | No help text available for this option. |
| container_listing_ratelimit_50 = 20 | No help text available for this option. |
| container_ratelimit_0 = 100 | No help text available for this option. |
| container_ratelimit_10 = 50 | No help text available for this option. |
| container_ratelimit_50 = 20 | No help text available for this option. |
| log_sleep_time_seconds = 0 | To allow visibility into rate limiting set this value > 0 and all sleeps greater than the number will be logged. |
| max_sleep_time_seconds = 60 | App will immediately return a 498 response if the necessary sleep time ever exceeds the given max_sleep_time_seconds. |
| rate_buffer_seconds = 5 | Number of seconds the rate counter can drop and be allowed to catch up (at a faster than listed rate). A larger number will result in larger spikes in rate but better average accuracy. |
| set log_address = /dev/log | Location where syslog sends the logs to |
| set log_facility = LOG_LOCAL0 | Syslog log facility |
| set log_headers = false | If True, log headers in each request |
| set log_level = INFO | Log level |
| set log_name = ratelimit | Label to use when logging |
| use = egg:swift#ratelimit | Entry point of paste.deploy in the server |
| with container_limit_x = r | No help text available for this option. |

The container rate limits are linearly interpolated from the values given. A sample container
rate limiting could be:
container_ratelimit_100 = 100
container_ratelimit_200 = 50
container_ratelimit_500 = 20
This would result in:

Table 9.68. Values for Rate Limiting with Sample Configuration Settings

| Container Size | Rate Limit |
|---|---|
| 0-99 | No limiting |
| 100 | 100 |
| 150 | 75 |
| 500 | 20 |
| 1000 | 20 |
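
The interpolation described above, worked through in Python as an added example (not Swift's own code). The function names and the embedded configuration are constructed for illustration; the code reads the container_ratelimit_<size> options, reproduces the values in the table above, and flags any limit set higher than clock_accuracy.

```python
import configparser

# Constructed sample: the three limits from the text plus the default clock_accuracy.
SAMPLE_CONF = """
[filter:ratelimit]
use = egg:swift#ratelimit
clock_accuracy = 1000
container_ratelimit_100 = 100
container_ratelimit_200 = 50
container_ratelimit_500 = 20
"""

PREFIX = "container_ratelimit_"


def load_ratelimit_conf(conf_text, section="filter:ratelimit"):
    """Return (limits, clock_accuracy); limits maps container size -> requests/sec."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    limits = {}
    for name, value in parser.items(section):
        # container_listing_ratelimit_* has a different prefix and is skipped here.
        if name.startswith(PREFIX):
            limits[int(name[len(PREFIX):])] = float(value)
    clock_accuracy = parser.getfloat(section, "clock_accuracy", fallback=1000.0)
    return limits, clock_accuracy


def container_rate(size, limits):
    """Interpolated limit for a container holding `size` objects, or None for no limiting."""
    points = sorted(limits.items())
    if not points or size < points[0][0]:
        return None  # below the smallest configured size
    for (lo_size, lo_rate), (hi_size, hi_rate) in zip(points, points[1:]):
        if lo_size <= size < hi_size:
            # Straight line between the two configured points around `size`.
            return lo_rate + (hi_rate - lo_rate) * (size - lo_size) / (hi_size - lo_size)
    return points[-1][1]  # at or past the largest size, the last rate applies


def limits_above_clock_accuracy(limits, clock_accuracy):
    """Sizes whose configured rate is higher than the proxy clocks can enforce."""
    return sorted(size for size, rate in limits.items() if rate > clock_accuracy)


if __name__ == "__main__":
    limits, accuracy = load_ratelimit_conf(SAMPLE_CONF)
    for size in (0, 99, 100, 150, 500, 1000):
        print(size, container_rate(size, limits))
    print("limits above clock_accuracy:", limits_above_clock_accuracy(limits, accuracy))
```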

Health check
Provides an easy way to monitor whether the Object Storage proxy server is alive. If you access the proxy with the path /healthcheck, it responds with OK in the response body,
which monitoring tools can use.

Table 9.69. Description of configuration options for [filter-healthcheck] in account-server.conf

| Configuration option = Default value | Description |
|---|---|
| disable_path = | No help text available for this option. |
| use = egg:swift#healthcheck | Entry point of paste.deploy in the server |

Domain remap
Middleware that translates container and account parts of a domain to path parameters
that the proxy server understands.

Table 9.70. Description of configuration options for [filter-domain_remap] in proxy-server.conf

| Configuration option = Default value | Description |
|---|---|
| path_root = v1 | Root path |
| reseller_prefixes = AUTH | Reseller prefix |
| set log_address = /dev/log | Location where syslog sends the logs to |
| set log_facility = LOG_LOCAL0 | Syslog log facility |
| set log_headers = false | If True, log headers in each request |
| set log_level = INFO | Log level |
| set log_name = domain_remap | Label to use when logging |
| storage_domain = example.com | Domain that matches your cloud. Multiple domains can be specified using a comma-separated list. |
| use = egg:swift#domain_remap | Entry point of paste.deploy in the server |

CNAME lookup
Middleware that translates an unknown domain in the host header to something that ends
with the configured storage_domain by looking up the given domain's CNAME record in
DNS.

Table 9.71. Description of configuration options for [filter-cname_lookup] in proxy-server.conf

| Configuration option = Default value | Description |
|---|---|
| lookup_depth = 1 | Because CNAMES can be recursive, specifies the number of levels through which to search. |
| set log_address = /dev/log | Location where syslog sends the logs to |
| set log_facility = LOG_LOCAL0 | Syslog log facility |
| set log_headers = false | If True, log headers in each request |
| set log_level = INFO | Log level |
| set log_name = cname_lookup | Label to use when logging |
| storage_domain = example.com | Domain that matches your cloud. Multiple domains can be specified using a comma-separated list. |
| use = egg:swift#cname_lookup | Entry point of paste.deploy in the server |

Temporary URL
Allows the creation of URLs to provide temporary access to objects. For example, a website
may wish to provide a link to download a large object in OpenStack Object Storage, but
the Object Storage account has no public access. The website can generate a URL that provides GET access for a limited time to the resource. When the web browser user clicks on
the link, the browser downloads the object directly from Object Storage, eliminating the
need for the website to act as a proxy for the request. If the user shares the link with all his
friends, or accidentally posts it on a forum, the direct access is limited to the expiration time
set when the website created the link.
A temporary URL is the typical URL associated with an object, with two additional query parameters:
- temp_url_sig: A cryptographic signature
- temp_url_expires: An expiration date, in Unix time

An example of a temporary URL:


https://swift-cluster.example.com/v1/AUTH_a422b2-91f3-2f46-74b7-d7c9e8958f5d30/container/object?
temp_url_sig=da39a3ee5e6b4b0d3255bfef95601890afd80709&
temp_url_expires=1323479485

To create temporary URLs, first set the X-Account-Meta-Temp-URL-Key header on
your Object Storage account to an arbitrary string. This string serves as a secret key. For
example, to set a key of b3968d0207b54ece87cccc06515a89d4 using the swift command-line tool:


$ swift post -m "Temp-URL-Key:b3968d0207b54ece87cccc06515a89d4"

Next, generate an HMAC-SHA1 (RFC 2104) signature to specify:
- Which HTTP method to allow (typically GET or PUT)
- The expiry date as a Unix timestamp
- The full path to the object
- The secret key set as the X-Account-Meta-Temp-URL-Key
Here is code generating the signature for a GET for 24 hours on /v1/AUTH_account/container/object:
import hmac
from hashlib import sha1
from time import time

method = 'GET'
duration_in_seconds = 60*60*24
expires = int(time() + duration_in_seconds)
path = '/v1/AUTH_a422b2-91f3-2f46-74b7-d7c9e8958f5d30/container/object'
key = 'mykey'
# The signed message is the method, expiry and path joined by newlines.
hmac_body = '%s\n%s\n%s' % (method, expires, path)
# On Python 3, hmac.new() needs bytes for both the key and the message.
sig = hmac.new(key.encode('utf-8'), hmac_body.encode('utf-8'), sha1).hexdigest()
# path already starts with '/', so it follows the host name directly.
s = 'https://{host}{path}?temp_url_sig={sig}&temp_url_expires={expires}'
url = s.format(host='swift-cluster.example.com', path=path, sig=sig, expires=expires)

Any alteration of the resource path or query arguments results in a 401 Unauthorized error. Similarly, a PUT where GET was the allowed method returns a 401. HEAD is allowed if
GET or PUT is allowed. Using this in combination with browser form post translation middleware could also allow direct-from-browser uploads to specific locations in Object Storage.

Note
Changing the X-Account-Meta-Temp-URL-Key invalidates any previously generated temporary URLs within 60 seconds (the memcache time for the
key). Object Storage supports up to two keys, specified by X-Account-Meta-Temp-URL-Key and X-Account-Meta-Temp-URL-Key-2. Signatures are
checked against both keys, if present. This is to allow for key rotation without
invalidating all existing temporary URLs.
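
The check a server has to make for such a URL, sketched in Python as an added example (not Swift's tempurl middleware). The function names are constructed; the code assumes the signed message is the method, expiry and path joined by newlines, as in the signing code above, and covers a changed path or expiry, an expired link, the HEAD rule and the two-key rotation described in the note.

```python
import hmac
from hashlib import sha1
from urllib.parse import parse_qs, urlsplit


def sign(method, expires, path, key):
    """HMAC-SHA1 over method, expiry and path, matching the signing code above."""
    body = "%s\n%s\n%s" % (method, expires, path)
    return hmac.new(key.encode("utf-8"), body.encode("utf-8"), sha1).hexdigest()


def make_temp_url(host, method, expires, path, key):
    """Build a temporary URL for `path` on `host`."""
    sig = sign(method, expires, path, key)
    return "https://%s%s?temp_url_sig=%s&temp_url_expires=%d" % (host, path, sig, expires)


def check_temp_url(method, url, keys, now):
    """Return 200 if the request may proceed, 401 otherwise.

    `keys` holds the account's Temp-URL-Key and Temp-URL-Key-2 (either may be None).
    """
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    try:
        presented = query["temp_url_sig"][0]
        expires = int(query["temp_url_expires"][0])
    except (KeyError, ValueError):
        return 401  # missing or malformed query parameters
    if expires < now:
        return 401  # link has expired
    # HEAD is allowed when a GET or PUT signature was issued for the path.
    candidates = ("HEAD", "GET", "PUT") if method == "HEAD" else (method,)
    for key in keys:
        if not key:
            continue
        for signed_method in candidates:
            expected = sign(signed_method, expires, parts.path, key)
            # Constant-time comparison: do not reveal how many characters matched.
            if hmac.compare_digest(expected.encode("ascii"), presented.encode("utf-8")):
                return 200
    return 401
```

Because the expiry and path are part of the signed message, editing either one in the URL changes the expected signature and the request is refused.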
Object Storage includes a script called swift-temp-url that generates the query parameters
automatically:
$ bin/swift-temp-url GET 3600 /v1/AUTH_account/container/object mykey
/v1/AUTH_account/container/object?
temp_url_sig=5c4cc8886f36a9d0919d708ade98bf0cc71c9e91&
temp_url_expires=1374497657

Because this command only returns the path, you must prefix the Object Storage host
name (for example, https://swift-cluster.example.com).
With GET Temporary URLs, a Content-Disposition header is set on the response so
that browsers interpret this as a file attachment to be saved. The file name chosen is based
on the object name, but you can override this with a filename query parameter. The following example specifies a filename of My Test File.pdf:
https://swift-cluster.example.com/v1/AUTH_a422b2-91f3-2f46-74b7-d7c9e8958f5d30/container/object?
temp_url_sig=da39a3ee5e6b4b0d3255bfef95601890afd80709&
temp_url_expires=1323479485&
filename=My+Test+File.pdf

To enable Temporary URL functionality, edit /etc/swift/proxy-server.conf to add
tempurl to the pipeline variable defined in the [pipeline:main] section. The tempurl entry should appear immediately before the authentication filters in the pipeline,
such as authtoken, tempauth or keystoneauth. For example:
[pipeline:main]
pipeline = healthcheck cache tempurl authtoken keystoneauth proxy-server

Table 9.72. Description of configuration options for [filter-tempurl] in proxy-server.conf

| Configuration option = Default value | Description |
|---|---|
| incoming_allow_headers = | Headers allowed as exceptions to incoming_remove_headers. Simply a whitespace delimited list of header names and names can optionally end with '*' to indicate a prefix match. |
| incoming_remove_headers = x-timestamp | Headers to remove from incoming requests. Simply a whitespace delimited list of header names and names can optionally end with '*' to indicate a prefix match. |
| methods = GET HEAD PUT POST DELETE | HTTP methods allowed with Temporary URLs |
| outgoing_allow_headers = x-object-meta-public-* | Headers allowed as exceptions to outgoing_remove_headers. Simply a whitespace delimited list of header names and names can optionally end with '*' to indicate a prefix match. |
| outgoing_remove_headers = x-object-meta-* | Headers to remove from outgoing responses. Simply a whitespace delimited list of header names and names can optionally end with '*' to indicate a prefix match. |
| use = egg:swift#tempurl | Entry point of paste.deploy in the server |

Name check filter


Name Check is a filter that disallows any paths that contain defined forbidden characters or
that exceed a defined length.

Table 9.73. Description of configuration options for [filter-name_check] in proxy-server.conf

| Configuration option = Default value | Description |
|---|---|
| forbidden_chars = '"`<> | Characters that are not allowed in a name |
| forbidden_regexp = /\./|/\.\./|/\.$|/\.\.$ | Substrings to forbid, using regular expression syntax |
| maximum_length = 255 | Maximum length of a name |
| use = egg:swift#name_check | Entry point of paste.deploy in the server |
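
The default name_check values from the table above applied to a few request paths, as an added example in Python (not the name_check middleware itself). The function name and the sample paths are constructed, and the code assumes the path is percent-decoded before it is checked, so that encoded dot segments are caught as well.

```python
import re
from urllib.parse import unquote

# Default values of the [filter-name_check] options.
FORBIDDEN_CHARS = "'\"`<>"
FORBIDDEN_REGEXP = r"/\./|/\.\./|/\.$|/\.\.$"
MAXIMUM_LENGTH = 255


def name_check(raw_path, forbidden_chars=FORBIDDEN_CHARS,
               forbidden_regexp=FORBIDDEN_REGEXP, maximum_length=MAXIMUM_LENGTH):
    """Return None if the path is acceptable, else the name of the option it violates."""
    path = unquote(raw_path)  # assumption: checks run on the decoded path
    if any(ch in forbidden_chars for ch in path):
        return "forbidden_chars"
    if len(path) > maximum_length:
        return "maximum_length"
    if forbidden_regexp and re.search(forbidden_regexp, path):
        return "forbidden_regexp"
    return None


# Constructed sample paths: plain names, dot segments (raw and encoded),
# markup characters, and an over-long name.
SAMPLE_PATHS = [
    "/v1/AUTH_test/photos/cat.jpg",
    "/v1/AUTH_test/photos/.hidden",
    "/v1/AUTH_test/photos/..data",
    "/v1/AUTH_test/photos/../secret",
    "/v1/AUTH_test/photos/%2e%2e/secret",
    "/v1/AUTH_test/photos/.",
    "/v1/AUTH_test/photos/<script>",
    "/v1/AUTH_test/photos/%3Cb%3E",
    "/v1/AUTH_test/" + "a" * 300,
]


def classify(paths):
    """Map each path to the violated option name (None when the path is allowed)."""
    return {path: name_check(path) for path in paths}


if __name__ == "__main__":
    for path, verdict in classify(SAMPLE_PATHS).items():
        print("%-18s %s" % (verdict or "ok", path[:60]))
```

The default expression rejects only whole `.` and `..` path segments; names that merely begin with a dot, such as `.hidden` or `..data`, pass.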

Constraints
To change the OpenStack Object Storage internal limits, update the values in the swift-constraints section in the swift.conf file. Use caution when you update these values
because they affect the performance in the entire cluster.

Table 9.74. Description of configuration options for [swift-constraints] in swift.conf

| Configuration option = Default value | Description |
|---|---|
| account_listing_limit = 10000 | No help text available for this option. |
| container_listing_limit = 10000 | No help text available for this option. |
| max_account_name_length = 256 | No help text available for this option. |
| max_container_name_length = 256 | No help text available for this option. |
| max_file_size = 5368709122 | No help text available for this option. |
| max_header_size = 8192 | max_header_size is the max number of bytes in the utf8 encoding of each header. Using 8192 as default because eventlet uses 8192 as max size of header line. This value may need to be increased when using identity v3 API tokens including more than 7 catalog entries. See also include_service_catalog in proxy-server.conf-sample (documented in overview_auth.rst) |
| max_meta_count = 90 | No help text available for this option. |
| max_meta_name_length = 128 | No help text available for this option. |
| max_meta_overall_size = 4096 | No help text available for this option. |
| max_meta_value_length = 256 | No help text available for this option. |
| max_object_name_length = 1024 | No help text available for this option. |

Cluster health
Use the swift-dispersion-report tool to measure overall cluster health. This tool checks if
a set of deliberately distributed containers and objects are currently in their proper places
within the cluster. For instance, a common deployment has three replicas of each object.
The health of that object can be measured by checking if each replica is in its proper place.
If only 2 of the 3 are in place, the object's health can be said to be at 66.66%, where 100%
would be perfect. A single object's health, especially an older object, usually reflects the
health of the entire partition the object is in. If you make enough objects on a distinct
percentage of the partitions in the cluster, you get a good estimate of the overall cluster
health. In practice, about 1% partition coverage seems to balance well between accuracy
and the amount of time it takes to gather results. The first thing that needs to be done
to provide this health value is to create a new account solely for this usage. Next, you need
to place the containers and objects throughout the system so that they are on distinct
partitions. The swift-dispersion-populate tool does this by making up random container
and object names until they fall on distinct partitions. Last, and repeatedly for the life of
the cluster, you must run the swift-dispersion-report tool to check the health of each of
these containers and objects. These tools need direct access to the entire cluster and to the
ring files (installing them on a proxy server suffices). The swift-dispersion-populate and
swift-dispersion-report commands both use the same configuration file,
/etc/swift/dispersion.conf. Example dispersion.conf file:
[dispersion]
auth_url = http://localhost:8080/auth/v1.0
auth_user = test:tester
auth_key = testing

There are also configuration options for specifying the dispersion coverage, which defaults
to 1%, retries, concurrency, and so on. However, the defaults are usually fine. Once the configuration is in place, run swift-dispersion-populate to populate the containers and objects
throughout the cluster. Now that those containers and objects are in place, you can run
swift-dispersion-report to get a dispersion report, or the overall health of the cluster. Here
is an example of a cluster in perfect health:
$ swift-dispersion-report
Queried 2621 containers for dispersion reporting, 19s, 0 retries
100.00% of container copies found (7863 of 7863)
Sample represents 1.00% of the container partition space
Queried 2619 objects for dispersion reporting, 7s, 0 retries
100.00% of object copies found (7857 of 7857)
Sample represents 1.00% of the object partition space

Now, deliberately double the weight of a device in the object ring (with replication turned
off) and re-run the dispersion report to show what impact that has:
$ swift-ring-builder object.builder set_weight d0 200
$ swift-ring-builder object.builder rebalance
...
$ swift-dispersion-report
Queried 2621 containers for dispersion reporting, 8s, 0 retries
100.00% of container copies found (7863 of 7863)
Sample represents 1.00% of the container partition space
Queried 2619 objects for dispersion reporting, 7s, 0 retries
There were 1763 partitions missing one copy.
77.56% of object copies found (6094 of 7857)
Sample represents 1.00% of the object partition space

You can see the health of the objects in the cluster has gone down significantly. Of course,
this test environment has just four devices; in a production environment with many devices,
the impact of one device change is much less. Next, run the replicators to get everything
put back into place and then rerun the dispersion report:
... start object replicators and monitor logs until they're caught up ...
$ swift-dispersion-report
Queried 2621 containers for dispersion reporting, 17s, 0 retries
100.00% of container copies found (7863 of 7863)
Sample represents 1.00% of the container partition space
Queried 2619 objects for dispersion reporting, 7s, 0 retries
100.00% of object copies found (7857 of 7857)
Sample represents 1.00% of the object partition space

Alternatively, the dispersion report can also be output in JSON format. This allows it to be
more easily consumed by third-party utilities:

$ swift-dispersion-report -j
{"object": {"retries:": 0, "missing_two": 0, "copies_found": 7863,
"missing_one": 0,
"copies_expected": 7863, "pct_found": 100.0, "overlapping": 0, "missing_all":
0}, "container":
{"retries:": 0, "missing_two": 0, "copies_found": 12534, "missing_one": 0,
"copies_expected":
12534, "pct_found": 100.0, "overlapping": 15, "missing_all": 0}}

Table 9.75. Description of configuration options for [dispersion] in dispersion.conf

| Configuration option = Default value | Description |
|---|---|
| auth_key = testing | No help text available for this option. |
| auth_url = http://localhost:8080/auth/v1.0 | Endpoint for auth server, such as keystone |
| auth_user = test:tester | Default user for dispersion in this context |
| auth_version = 1.0 | Indicates which version of auth |
| concurrency = 25 | Number of replication workers to spawn |
| container_populate = yes | No help text available for this option. |
| container_report = yes | No help text available for this option. |
| dispersion_coverage = 1.0 | No help text available for this option. |
| dump_json = no | No help text available for this option. |
| endpoint_type = publicURL | Indicates whether endpoint for auth is public or internal |
| keystone_api_insecure = no | Allow accessing insecure keystone server. The keystone's certificate will not be verified. |
| object_populate = yes | No help text available for this option. |
| object_report = yes | No help text available for this option. |
| retries = 5 | No help text available for this option. |
| swift_dir = /etc/swift | Swift configuration directory |

Static Large Object (SLO) support


This feature is very similar to Dynamic Large Object (DLO) support in that it enables the user to upload many objects concurrently and afterwards download them as a single object.
It is different in that it does not rely on eventually consistent container listings to do so. Instead, a user-defined manifest of the object segments is used.

Table 9.76. Description of configuration options for [filter-slo] in proxy-server.conf

| Configuration option = Default value | Description |
|---|---|
| max_get_time = 86400 | No help text available for this option. |
| max_manifest_segments = 1000 | No help text available for this option. |
| max_manifest_size = 2097152 | No help text available for this option. |
| min_segment_size = 1048576 | No help text available for this option. |
| rate_limit_after_segment = 10 | Rate limit the download of large object segments after this segment is downloaded. |
| rate_limit_segments_per_sec = 0 | Rate limit large object downloads at this rate. contact for a normal request. You can use '* replicas' at the end to have it use the number given times the number of replicas for the ring being used for the request. paste.deploy to use for auth. To use tempauth set to: `egg:swift#tempauth` each request |
| use = egg:swift#slo | Entry point of paste.deploy in the server |

Container quotas
The container_quotas middleware implements simple quotas that can be imposed on
Object Storage containers by a user with the ability to set container metadata, most likely
the account administrator. This can be useful for limiting the scope of containers that are
delegated to non-admin users, exposed to formpost uploads, or just as a self-imposed sanity check.
Any object PUT operations that exceed these quotas return a 403 response (forbidden).
Quotas are subject to several limitations: eventual consistency, the timeliness of the cached
container_info (60 second TTL by default), and the inability to reject chunked transfer uploads that exceed the quota (though once the quota is exceeded, new chunked transfers
are refused).
Set quotas by adding meta values to the container. These values are validated when you set
them:
X-Container-Meta-Quota-Bytes: Maximum size of the container, in bytes.
X-Container-Meta-Quota-Count: Maximum object count of the container.

Table 9.77. Description of configuration options for [filter-containerquotas] in proxy-server.conf


Configuration option = Default value

Description

use = egg:swift#container_quotas

Entry point of paste.deploy in the server

Account quotas
The account quotas middleware blocks write requests (PUT, POST) if a
given account quota (in bytes) is exceeded, while DELETE requests are still allowed.
The x-account-meta-quota-bytes metadata entry must be set to store and enable
the quota. Write requests to this metadata entry are only permitted for resellers. There
is no account quota limitation on a reseller account even if x-account-meta-quota-bytes is set.
Any object PUT operations that exceed the quota return a 413 response (request entity too
large) with a descriptive body.
The following command uses an admin account that owns the Reseller role to set a quota
on the test account:
$ swift -A http://127.0.0.1:8080/auth/v1.0 -U admin:admin -K admin \
--os-storage-url http://127.0.0.1:8080/v1/AUTH_test post -m quota-bytes:10000


Here is the stat listing of an account where quota has been set:
$ swift -A http://127.0.0.1:8080/auth/v1.0 -U test:tester -K testing stat
Account: AUTH_test
Containers: 0
Objects: 0
Bytes: 0
Meta Quota-Bytes: 10000
X-Timestamp: 1374075958.37454
X-Trans-Id: tx602634cf478546a39b1be-0051e6bc7a

This command removes the account quota:


$ swift -A http://127.0.0.1:8080/auth/v1.0 -U admin:admin -K admin --os-storage-url http://127.0.0.1:8080/v1/AUTH_test post -m quota-bytes:

Bulk delete
Use bulk-delete to delete multiple files from an account with a single request. Responds
to DELETE requests with a header 'X-Bulk-Delete: true_value'. The body of the DELETE request is a newline-separated list of files to delete. The files listed must be URL encoded and
in the form:
/container_name/obj_name

If all files are successfully deleted (or did not exist), the operation returns HTTPOk. If any
files failed to delete, the operation returns HTTPBadGateway. In both cases, the response
body is a JSON dictionary that shows the number of files that were successfully deleted or
not found. The files that failed are listed.

Table 9.78. Description of configuration options for [filter-bulk] in proxy-server.conf
Configuration option = Default value

Description

delete_container_retry_count = 0

No help text available for this option.

max_containers_per_extraction = 10000

No help text available for this option.

max_deletes_per_request = 10000

No help text available for this option.

max_failed_deletes = 1000

No help text available for this option.

max_failed_extractions = 1000

No help text available for this option.

use = egg:swift#bulk

Entry point of paste.deploy in the server

yield_frequency = 10

No help text available for this option.

Configure Object Storage with the S3 API


The Swift3 middleware emulates the S3 REST API on top of Object Storage.
The following operations are currently supported:
GET Service
DELETE Bucket
GET Bucket (List Objects)


PUT Bucket
DELETE Object
GET Object
HEAD Object
PUT Object
PUT Object (Copy)
To use this middleware, first download the latest version from its repository to your proxy
server(s).
$ git clone https://github.com/stackforge/swift3.git

Then, install it using standard python mechanisms, such as:


# python setup.py install

Alternatively, if you have configured the Ubuntu Cloud Archive, you may use:
# apt-get install swift-python-s3

To add this middleware to your configuration, add the swift3 middleware in front of the
swauth middleware, and before any other middleware that looks at Object Storage requests (like rate limiting).
Ensure that your proxy-server.conf file contains swift3 in the pipeline and the
[filter:swift3] section, as shown below:
[pipeline:main]
pipeline = healthcheck cache swift3 swauth proxy-server
[filter:swift3]
use = egg:swift3#swift3

Next, configure the tool that you use to connect to the S3 API. For S3curl, for example, you
must add your host IP to the @endpoints array (line 33 in s3curl.pl):
my @endpoints = ( '1.2.3.4');

Now you can send commands to the endpoint, such as:


$ ./s3curl.pl - 'a7811544507ebaf6c9a7a8804f47ea1c' -key 'a7d8e981-e296-d2ba-cb3b-db7dd23159bd' -get - -s -v http://1.2.3.4:8080

To set up your client, ensure you are using the ec2 credentials, which can be downloaded
from the API Endpoints tab of the dashboard. The host should also point to the Object
Storage node's hostname. It also will have to use the old-style calling format, and not the
hostname-based container format. Here is an example client setup using the Python boto library on a locally installed all-in-one Object Storage installation.
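import boto.s3.connection

# OrdinaryCallingFormat selects the old-style (path-based) calling format
# instead of the hostname-based container format.
connection = boto.s3.connection.S3Connection(
    aws_access_key_id='a7811544507ebaf6c9a7a8804f47ea1c',
    aws_secret_access_key='a7d8e981-e296-d2ba-cb3b-db7dd23159bd',
    port=8080,
    host='127.0.0.1',
    is_secure=False,
    calling_format=boto.s3.connection.OrdinaryCallingFormat())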

Drive audit
The swift-drive-audit configuration items reference a script that can be run by using cron to watch for bad drives. If errors are detected, it unmounts the bad drive, so that
OpenStack Object Storage can work around it. It takes the following options:

Table 9.79. Description of configuration options for [drive-audit] in drive-audit.conf
Configuration option = Default value

Description

device_dir = /srv/node

Directory devices are mounted under

error_limit = 1

Number of errors to find before a device is unmounted

log_address = /dev/log

Location where syslog sends the logs to

log_facility = LOG_LOCAL0

Syslog log facility

log_file_pattern = /var/log/kern.*[!.][!g][!z]

Location of the log file with globbing pattern to check against device errors locate device blocks with errors in the log file

log_level = INFO

Logging level

log_max_line_length = 0

Caps the length of log lines to the value given; no limit if set to 0, the default.

minutes = 60

Number of minutes to look back in `/var/log/kern.log`

regex_pattern_1 = \berror\b.*\b(dm-[0-9]{1,2}\d?)\b

No help text available for this option.
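The following added example (not code from swift-drive-audit or from the original document) applies the regex_pattern_1, error_limit and minutes values from Table 9.79 to a few constructed kernel log lines, to show which lines the default pattern counts. The function names, the sample lines, and the `>= error_limit` comparison are assumptions made for illustration.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Default values taken from Table 9.79.
REGEX_PATTERN_1 = re.compile(r'\berror\b.*\b(dm-[0-9]{1,2}\d?)\b')
ERROR_LIMIT = 1
MINUTES = 60

# Constructed kernel log lines (not taken from a real system).
KERN_LOG = [
    "Oct  7 08:00:00 node1 kernel: Buffer I/O error on device dm-7, logical block 1",
    "Oct  7 10:01:02 node1 kernel: Buffer I/O error on device dm-3, logical block 42",
    "Oct  7 10:01:03 node1 kernel: Buffer I/O error on device dm-3, logical block 43",
    # Device name comes before the word "error": the default pattern misses it.
    "Oct  7 10:02:10 node1 kernel: XFS (dm-5): metadata I/O error: block 0x10",
    # Not a dm-N device: the default pattern misses it.
    "Oct  7 10:03:00 node1 kernel: end_request: I/O error, dev sdb, sector 1234",
    "Oct  7 10:04:00 node1 kernel: lost page write due to I/O error on dm-12",
]


def parse_time(line, year):
    """Parse the 15-character syslog timestamp; syslog lines carry no year."""
    return datetime.strptime('%d %s' % (year, line[:15]), '%Y %b %d %H:%M:%S')


def devices_over_limit(lines, now, minutes=MINUTES, error_limit=ERROR_LIMIT,
                       patterns=(REGEX_PATTERN_1,)):
    """Return {device: error_count} for devices at or above error_limit.

    Only lines stamped within the last `minutes` minutes before `now`
    are considered, mirroring the look-back window option.
    """
    cutoff = now - timedelta(minutes=minutes)
    counts = Counter()
    for line in lines:
        try:
            stamp = parse_time(line, now.year)
        except ValueError:
            continue  # not a syslog-formatted line
        if stamp < cutoff or stamp > now:
            continue
        for pattern in patterns:
            match = pattern.search(line)
            if match:
                counts[match.group(1)] += 1
                break  # count each line once, even with several patterns
    return {dev: n for dev, n in counts.items() if n >= error_limit}


if __name__ == '__main__':
    now = datetime(2014, 10, 7, 10, 30, 0)
    for dev, n in sorted(devices_over_limit(KERN_LOG, now).items()):
        print('%s: %d error line(s) in the last %d minutes' % (dev, n, MINUTES))
```

Running a check like this against your own kernel log before relying on the defaults shows whether the error messages your drivers emit are matched at all.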

Form post
Middleware that provides the ability to upload objects to a cluster using an HTML form
POST. The format of the form is:
<form action="<swift-url>" method="POST"
      enctype="multipart/form-data">
  <input type="hidden" name="redirect" value="<redirect-url>" />
  <input type="hidden" name="max_file_size" value="<bytes>" />
  <input type="hidden" name="max_file_count" value="<count>" />
  <input type="hidden" name="expires" value="<unix-timestamp>" />
  <input type="hidden" name="signature" value="<hmac>" />
  <input type="file" name="file1" /><br />
  <input type="submit" />
</form>

The swift-url is the URL to the Object Storage destination, such as: https://swift-cluster.example.com/v1/AUTH_account/container/object_prefix The name
of each file uploaded is appended to the specified swift-url. So, you can upload directly
to the root of container with a URL like: https://swift-cluster.example.com/v1/AUTH_account/container/ Optionally, you can include an object prefix to better separate different users' uploads, such as: https://swift-cluster.example.com/v1/AUTH_account/container/object_prefix

Note
The form method must be POST and the enctype must be set as multipart/form-data.
The redirect attribute is the URL to redirect the browser to after the upload completes. The
URL has status and message query parameters added to it, indicating the HTTP status code
for the upload (2xx is success) and a possible message for further information if there was
an error (such as max_file_size exceeded).
The max_file_size attribute must be included and indicates the largest single file upload that can be done, in bytes.
The max_file_count attribute must be included and indicates the maximum number of files that can be uploaded with the form. Include additional <input type="file" name="filexx"/> attributes if desired.
The expires attribute is the Unix timestamp before which the form must be submitted; after that time the form is invalid.
The signature attribute is the HMAC-SHA1 signature of the form. This sample Python code
shows how to compute the signature:
import hmac
from hashlib import sha1
from time import time

path = '/v1/account/container/object_prefix'
redirect = 'https://myserver.com/some-page'
max_file_size = 104857600
max_file_count = 10
expires = int(time() + 600)  # Unix timestamp 600 seconds from now
key = b'mykey'  # hmac.new() requires the key as bytes
# The five values are joined with newlines, in this order.
hmac_body = '%s\n%s\n%s\n%s\n%s' % (path, redirect,
    max_file_size, max_file_count, expires)
signature = hmac.new(key, hmac_body.encode('utf-8'), sha1).hexdigest()

The key is the value of the X-Account-Meta-Temp-URL-Key header on the account.


Be certain to use the full path, from the /v1/ onward.
The command-line tool swift-form-signature may be used (mostly just when testing) to
compute expires and signature.
The file attributes must appear after the other attributes to be processed correctly. If attributes come after the file, they are not sent with the sub-request because on the server
side, all attributes in the file cannot be parsed unless the whole file is read into memory and
the server does not have enough memory to service these requests. So, attributes that follow the file are ignored.
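The signature described above binds the upload path, redirect, size and count limits, and expiry together. The following added example (not Swift's formpost middleware code and not from the original document) shows why: a receiver that recomputes the HMAC-SHA1 from the submitted values rejects any form whose hidden fields, path or expiry were altered. The function names and sample values are constructed for illustration.

```python
import hmac
from hashlib import sha1

# Constructed sample values; KEY stands in for the account's
# X-Account-Meta-Temp-URL-Key value.
KEY = b'mykey'
PATH = '/v1/AUTH_account/container/object_prefix'


def sign_form(key, path, redirect, max_file_size, max_file_count, expires):
    """HMAC-SHA1 over the five newline-joined values, as in the sample above."""
    body = '\n'.join(str(v) for v in
                     (path, redirect, max_file_size, max_file_count, expires))
    return hmac.new(key, body.encode('utf-8'), sha1).hexdigest()


def check_form(key, path, fields, now):
    """Hypothetical receiver-side check; returns (accepted, reason).

    `path` is the path the form was actually POSTed to and `fields` holds
    the submitted hidden fields as strings.
    """
    required = ('redirect', 'max_file_size', 'max_file_count',
                'expires', 'signature')
    missing = [name for name in required if name not in fields]
    if missing:
        return False, 'missing: ' + ','.join(missing)
    try:
        expires = int(fields['expires'])
    except ValueError:
        return False, 'expires is not an integer'
    if now > expires:
        return False, 'expired'
    # Recompute from the submitted strings, so an edited hidden field
    # (for example a larger max_file_size) no longer matches.
    expected = sign_form(key, path, fields['redirect'],
                         fields['max_file_size'], fields['max_file_count'],
                         fields['expires'])
    # Constant-time comparison avoids leaking how many characters matched.
    if not hmac.compare_digest(expected.encode('utf-8'),
                               fields['signature'].encode('utf-8')):
        return False, 'bad signature'
    return True, 'ok'


def make_fields(expires):
    """Build the hidden fields of a form that is valid until `expires`."""
    fields = {
        'redirect': 'https://myserver.com/some-page',
        'max_file_size': '104857600',
        'max_file_count': '10',
        'expires': str(expires),
    }
    fields['signature'] = sign_form(
        KEY, PATH, fields['redirect'], fields['max_file_size'],
        fields['max_file_count'], fields['expires'])
    return fields


if __name__ == '__main__':
    form = make_fields(expires=1412700600)
    print(check_form(KEY, PATH, form, now=1412700000))
    # A client raises the size limit without knowing the key.
    print(check_form(KEY, PATH, dict(form, max_file_size='999999999999'),
                     now=1412700000))
    # An expired form is resubmitted with a later expires value.
    print(check_form(KEY, PATH, dict(form, expires='9999999999'),
                     now=1412700601))
```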

Table 9.80. Description of configuration options for [filter-formpost] in proxy-server.conf
Configuration option = Default value

Description

use = egg:swift#formpost

Entry point of paste.deploy in the server

Static web sites


When configured, this middleware serves container data as a static web site with index
file and error file resolution and optional file listings. This mode is normally only active for
anonymous requests.

Table 9.81. Description of configuration options for [filter-staticweb] in proxy-server.conf
Configuration option = Default value

Description

use = egg:swift#staticweb

Entry point of paste.deploy in the server

Cross-origin resource sharing


Cross-Origin Resource Sharing (CORS) is a mechanism that allows code running in a browser
(JavaScript for example) to make requests to a domain other than the one it originated from. OpenStack Object Storage supports CORS requests to containers and objects within the containers using metadata held on the container.
In addition to the metadata on containers, you can use the cors_allow_origin option
in the proxy-server.conf file to set a list of hosts that are included with any CORS request by default.

Endpoint listing middleware


The endpoint listing middleware enables third-party services that use data locality information to integrate with OpenStack Object Storage. This middleware reduces network overhead and is designed for third-party services that run inside the firewall. Deploy this middleware on a proxy server because usage of this middleware is not authenticated.
Format requests for endpoints, as follows:
/endpoints/{account}/{container}/{object}
/endpoints/{account}/{container}
/endpoints/{account}

Use the list_endpoints_path configuration option in the proxy_server.conf file
to customize the /endpoints/ path.
Responses are JSON-encoded lists of endpoints, as follows:
http://{server}:{port}/{dev}/{part}/{acc}/{cont}/{obj}
http://{server}:{port}/{dev}/{part}/{acc}/{cont}
http://{server}:{port}/{dev}/{part}/{acc}

An example response is:
http://10.1.1.1:6000/sda1/2/a/c2/o1
http://10.1.1.1:6000/sda1/2/a/c2
http://10.1.1.1:6000/sda1/2/a

New, updated and deprecated options in Juno for OpenStack Object Storage
Table 9.82. New options
Option = default value

(Type) Help string

account-server.conf: [DEFAULT] log_max_line_length = 0

(StrOpt) Caps the length of log lines to the value given; no limit if set to 0, the default.

account-server.conf: [filter-xprofile] dump_interval = 5.0

(StrOpt) No help text available for this option.

account-server.conf: [filter-xprofile] dump_timestamp = false

(StrOpt) No help text available for this option.

account-server.conf: [filter-xprofile] flush_at_shutdown = false

(StrOpt) No help text available for this option.

account-server.conf: [filter-xprofile] log_filename_prefix = /tmp/log/swift/profile/default.profile

(StrOpt) No help text available for this option.

account-server.conf: [filter-xprofile] path = /__profile__

(StrOpt) No help text available for this option.

account-server.conf: [filter-xprofile] profile_module = eventlet.green.profile

(StrOpt) No help text available for this option.

account-server.conf: [filter-xprofile] unwind = false

(StrOpt) No help text available for this option.

account-server.conf: [filter-xprofile] use = egg:swift#xprofile

(StrOpt) Entry point of paste.deploy in the server

container-reconciler.conf: [DEFAULT] log_address = /dev/log

(StrOpt) Location where syslog sends the logs to

container-reconciler.conf: [DEFAULT] log_custom_handlers =

(StrOpt) Comma-separated list of functions to call to setup custom log handlers.

container-reconciler.conf: [DEFAULT] log_facility = LOG_LOCAL0

(StrOpt) Syslog log facility

container-reconciler.conf: [DEFAULT] log_level = INFO

(StrOpt) Logging level

container-reconciler.conf: [DEFAULT] log_name = swift

(StrOpt) Label used when logging

container-reconciler.conf: [DEFAULT] log_statsd_default_sample_rate = 1.0

(StrOpt) Defines the probability of sending a sample for any given event or timing measurement.

container-reconciler.conf: [DEFAULT] log_statsd_host = localhost

(StrOpt) If not set, the StatsD feature is disabled.

container-reconciler.conf: [DEFAULT] log_statsd_metric_prefix =

(StrOpt) Value will be prepended to every metric sent to the StatsD server.

container-reconciler.conf: [DEFAULT] log_statsd_port = 8125

(StrOpt) Port value for the StatsD server.

container-reconciler.conf: [DEFAULT] log_statsd_sample_rate_factor = 1.0

(StrOpt) Not recommended to set this to a value less than 1.0, if frequency of logging is too high, tune the log_statsd_default_sample_rate instead.

container-reconciler.conf: [DEFAULT] log_udp_host =

(StrOpt) If not set, the UDP receiver for syslog is disabled.

container-reconciler.conf: [DEFAULT] log_udp_port = 514

(StrOpt) Port value for UDP receiver, if enabled.

container-reconciler.conf: [DEFAULT] swift_dir = /etc/swift

(StrOpt) Swift configuration directory

container-reconciler.conf: [DEFAULT] user = swift

(StrOpt) User to run as

container-reconciler.conf: [app-proxy-server] use = egg:swift#proxy

(StrOpt) Entry point of paste.deploy in the server

container-reconciler.conf: [container-reconciler] interval = 30

(StrOpt) Minimum time for a pass to take


container-reconciler.conf: [container-reconciler] reclaim_age = 604800

(StrOpt) Time elapsed in seconds before an object can be reclaimed

container-reconciler.conf: [container-reconciler] request_tries = 3

(StrOpt) No help text available for this option.

container-reconciler.conf: [filter-cache] use = egg:swift#memcache

(StrOpt) Entry point of paste.deploy in the server

container-reconciler.conf: [filter-catch_errors] use = egg:swift#catch_errors

(StrOpt) Entry point of paste.deploy in the server

container-reconciler.conf: [filter-proxy-logging] use = egg:swift#proxy_logging

(StrOpt) Entry point of paste.deploy in the server

container-reconciler.conf: [pipeline-main] pipeline = catch_errors proxy-logging cache proxy-server

(StrOpt) No help text available for this option.

container-server.conf: [DEFAULT] log_max_line_length = 0

(StrOpt) Caps the length of log lines to the value given; no limit if set to 0, the default.

container-server.conf: [filter-xprofile] dump_interval = 5.0

(StrOpt) No help text available for this option.

container-server.conf: [filter-xprofile] dump_timestamp = false

(StrOpt) No help text available for this option.

container-server.conf: [filter-xprofile] flush_at_shutdown = false

(StrOpt) No help text available for this option.

container-server.conf: [filter-xprofile] log_filename_prefix = /tmp/log/swift/profile/default.profile

(StrOpt) No help text available for this option.

container-server.conf: [filter-xprofile] path = /__profile__

(StrOpt) No help text available for this option.

container-server.conf: [filter-xprofile] profile_module = eventlet.green.profile

(StrOpt) No help text available for this option.

container-server.conf: [filter-xprofile] unwind = false

(StrOpt) No help text available for this option.

container-server.conf: [filter-xprofile] use = egg:swift#xprofile

(StrOpt) Entry point of paste.deploy in the server

drive-audit.conf: [drive-audit] log_max_line_length = 0

(StrOpt) Caps the length of log lines to the value given; no limit if set to 0, the default.

object-expirer.conf: [DEFAULT] log_max_line_length = 0

(StrOpt) Caps the length of log lines to the value given; no limit if set to 0, the default.

object-expirer.conf: [filter-proxy-logging] access_log_address = /dev/log

(StrOpt) No help text available for this option.

object-expirer.conf: [filter-proxy-logging] access_log_facility = LOG_LOCAL0

(StrOpt) No help text available for this option.

object-expirer.conf: [filter-proxy-logging] access_log_headers = false

(StrOpt) No help text available for this option.

object-expirer.conf: [filter-proxy-logging] access_log_headers_only =

(StrOpt) If access_log_headers is True and access_log_headers_only is set only these headers are logged. Multiple headers can be defined as comma separated list like this: access_log_headers_only = Host, X-Object-Meta-Mtime

object-expirer.conf: [filter-proxy-logging] access_log_level = INFO

(StrOpt) No help text available for this option.

object-expirer.conf: [filter-proxy-logging] access_log_name = swift

(StrOpt) No help text available for this option.

object-expirer.conf: [filter-proxy-logging] access_log_statsd_default_sample_rate = 1.0

(StrOpt) No help text available for this option.

object-expirer.conf: [filter-proxy-logging] access_log_statsd_host = localhost

(StrOpt) No help text available for this option.

object-expirer.conf: [filter-proxy-logging] access_log_statsd_metric_prefix =

(StrOpt) No help text available for this option.


object-expirer.conf: [filter-proxy-logging] access_log_statsd_port = 8125

(StrOpt) No help text available for this option.

object-expirer.conf: [filter-proxy-logging] access_log_statsd_sample_rate_factor = 1.0

(StrOpt) No help text available for this option.

object-expirer.conf: [filter-proxy-logging] access_log_udp_host =

(StrOpt) No help text available for this option.

object-expirer.conf: [filter-proxy-logging] access_log_udp_port = 514

(StrOpt) No help text available for this option.

object-expirer.conf: [filter-proxy-logging] log_statsd_valid_http_methods = GET,HEAD,POST,PUT,DELETE,COPY,OPTIONS

(StrOpt) No help text available for this option.

object-expirer.conf: [filter-proxy-logging] logged with access_log_headers = True.

(StrOpt) No help text available for this option.

object-expirer.conf: [filter-proxy-logging] reveal_sensitive_prefix = 16

(StrOpt) The X-Auth-Token is sensitive data. If revealed to an unauthorised person, they can now make requests against an account until the token expires. Set reveal_sensitive_prefix to the number of characters of the token that are logged. For example reveal_sensitive_prefix = 12 so only first 12 characters of the token are logged. Or, set to 0 to completely remove the token.

object-expirer.conf: [filter-proxy-logging] use = egg:swift#proxy_logging

(StrOpt) Entry point of paste.deploy in the server

object-expirer.conf: [object-expirer] reclaim_age = 604800

(StrOpt) Time elapsed in seconds before an object can be reclaimed

object-expirer.conf: [object-expirer] recon_cache_path = /var/cache/swift

(StrOpt) Directory where stats for a few items will be stored

object-server.conf: [DEFAULT] log_max_line_length = 0

(StrOpt) Caps the length of log lines to the value given; no limit if set to 0, the default.

object-server.conf: [app-object-server] splice = no

(StrOpt) No help text available for this option.

object-server.conf: [filter-xprofile] dump_interval = 5.0

(StrOpt) No help text available for this option.

object-server.conf: [filter-xprofile] dump_timestamp = false

(StrOpt) No help text available for this option.

object-server.conf: [filter-xprofile] flush_at_shutdown = false

(StrOpt) No help text available for this option.

object-server.conf: [filter-xprofile] log_filename_prefix = /tmp/log/swift/profile/default.profile

(StrOpt) No help text available for this option.

object-server.conf: [filter-xprofile] path = /__profile__

(StrOpt) No help text available for this option.

object-server.conf: [filter-xprofile] profile_module = eventlet.green.profile

(StrOpt) No help text available for this option.

object-server.conf: [filter-xprofile] unwind = false

(StrOpt) No help text available for this option.

object-server.conf: [filter-xprofile] use = egg:swift#xprofile

(StrOpt) Entry point of paste.deploy in the server

object-server.conf: [object-auditor] concurrency = 1

(StrOpt) Number of replication workers to spawn

object-server.conf: [object-auditor] disk_chunk_size = 65536

(StrOpt) Size of chunks to read/write to disk

proxy-server.conf: [DEFAULT] log_max_line_length = 0

(StrOpt) Caps the length of log lines to the value given; no limit if set to 0, the default.

proxy-server.conf: [DEFAULT] strict_cors_mode = True

(StrOpt) No help text available for this option.

proxy-server.conf: [filter-container_sync] current = //REALM/CLUSTER

(StrOpt) No help text available for this option.

proxy-server.conf: [filter-keystoneauth] allow_names_in_acls = true

(StrOpt) No help text available for this option.

proxy-server.conf: [filter-keystoneauth] default_domain_id = default

(StrOpt) No help text available for this option.


proxy-server.conf: [filter-xprofile] dump_interval = 5.0

(StrOpt) No help text available for this option.

proxy-server.conf: [filter-xprofile] dump_timestamp = false

(StrOpt) No help text available for this option.

proxy-server.conf: [filter-xprofile] flush_at_shutdown = false

(StrOpt) No help text available for this option.

proxy-server.conf: [filter-xprofile] log_filename_prefix = /tmp/log/swift/profile/default.profile

(StrOpt) No help text available for this option.

proxy-server.conf: [filter-xprofile] path = /__profile__

(StrOpt) No help text available for this option.

proxy-server.conf: [filter-xprofile] profile_module = eventlet.green.profile

(StrOpt) No help text available for this option.

proxy-server.conf: [filter-xprofile] unwind = false

(StrOpt) No help text available for this option.

proxy-server.conf: [filter-xprofile] use = egg:swift#xprofile

(StrOpt) Entry point of paste.deploy in the server

swift.conf: [storage-policy-0] default = yes

(StrOpt) 0 means to not use a per-disk thread pool. It is recommended to keep this value small, as large values can result in high read latencies due to large queue depths. A good starting point is 4 threads per disk.

swift.conf: [storage-policy-0] name = Policy-0

(StrOpt) No help text available for this option.

swift.conf: [storage-policy-1] name = silver

(StrOpt) No help text available for this option.

Table 9.83. New default values

Option

Previous default value

New default value

dispersion.conf: [dispersion] auth_version

2.0

1.0

drive-audit.conf: [drive-audit] log_file_pattern

/var/log/kern*

/var/log/kern.*[!.][!g][!z]

object-expirer.conf: [pipeline-main] pipeline

catch_errors cache proxy-server

catch_errors proxy-logging cache proxy-server

proxy-server.conf: [DEFAULT] bind_port

80

8080

proxy-server.conf: [DEFAULT] disallowed_sections

container_quotas, tempurl

container_quotas, tempurl, bulk_delete.max_failed_deletes

proxy-server.conf: [app-proxy-server] client_chunk_size

8192

65536

proxy-server.conf: [app-proxy-server] object_chunk_size

8192

65536

proxy-server.conf: [filter-proxy-logging] reveal_sensitive_prefix

8192

16

proxy-server.conf: [filter-tempurl] methods

GET HEAD PUT

GET HEAD PUT POST DELETE

proxy-server.conf: [pipeline-main] pipeline

catch_errors gatekeeper healthcheck proxy-logging cache container_sync bulk tempurl slo dlo ratelimit tempauth container-quotas account-quotas proxy-logging proxy-server

catch_errors gatekeeper healthcheck proxy-logging cache container_sync bulk tempurl ratelimit tempauth container-quotas account-quotas slo dlo proxy-logging proxy-server


10. Orchestration
Table of Contents
Configure APIs
Configure Clients
Configure the RPC messaging system
New, updated and deprecated options in Juno for Orchestration

The Orchestration service is designed to manage the lifecycle of infrastructure and applications within OpenStack clouds. Its various agents and services are configured in the /etc/heat/heat.conf file.
To install Orchestration, see the OpenStack Installation Guide for your distribution
(docs.openstack.org).
The following tables provide a comprehensive list of the Orchestration configuration options.

Table 10.1. Description of authorization token configuration options


Configuration option = Default value

Description

[keystone_authtoken]
admin_password = None

(StrOpt) Keystone account password

admin_tenant_name = admin

(StrOpt) Keystone service account tenant name to validate user tokens

admin_token = None

(StrOpt) This option is deprecated and may be removed in a future release. Single shared secret with the Keystone configuration used for bootstrapping a Keystone installation, or otherwise bypassing the normal authentication process. This option should not be used, use `admin_user` and `admin_password` instead.

admin_user = None

(StrOpt) Keystone account username

auth_admin_prefix =

(StrOpt) Prefix to prepend at the beginning of the path. Deprecated, use identity_uri.

auth_host = 127.0.0.1

(StrOpt) Host providing the admin Identity API endpoint. Deprecated, use identity_uri.

auth_port = 35357

(IntOpt) Port of the admin Identity API endpoint. Deprecated, use identity_uri.

auth_protocol = https

(StrOpt) Protocol of the admin Identity API endpoint (http or https). Deprecated, use identity_uri.

auth_uri = None

(StrOpt) Complete public Identity API endpoint

auth_version = None

(StrOpt) API version of the admin Identity API endpoint

cache = None

(StrOpt) Env key for the swift cache

cafile = None

(StrOpt) A PEM encoded Certificate Authority to use when verifying HTTPs connections. Defaults to system CAs.

certfile = None

(StrOpt) Required if Keystone server requires client certificate

check_revocations_for_cached = False

(BoolOpt) If true, the revocation list will be checked for cached tokens. This requires that PKI tokens are configured on the Keystone server.


delay_auth_decision = False

(BoolOpt) Do not handle authorization requests within the middleware, but delegate the authorization decision to downstream WSGI components

enforce_token_bind = permissive

(StrOpt) Used to control the use and type of token binding. Can be set to: "disabled" to not check token binding. "permissive" (default) to validate binding information if the bind type is of a form known to the server and ignore it if not. "strict" like "permissive" but if the bind type is unknown the token will be rejected. "required" any form of token binding is needed to be allowed. Finally the name of a binding method that must be present in tokens.

hash_algorithms = md5

(ListOpt) Hash algorithms to use for hashing PKI tokens.


This may be a single algorithm or multiple. The algorithms
are those supported by Python standard hashlib.new().
The hashes will be tried in the order given, so put the preferred one first for performance. The result of the first
hash will be stored in the cache. This will typically be set to
multiple values only while migrating from a less secure algorithm to a more secure one. Once all the old tokens are
expired this option should be set to a single value for better performance.

http_connect_timeout = None

(BoolOpt) Request timeout value for communicating with


Identity API server.

http_request_max_retries = 3

(IntOpt) How many times are we trying to reconnect


when communicating with Identity API Server.

identity_uri = None

(StrOpt) Complete admin Identity API endpoint. This


should specify the unversioned root endpoint e.g. https://
localhost:35357/

include_service_catalog = True

(BoolOpt) (optional) indicate whether to set the X-Service-Catalog header. If False, middleware will not ask for service catalog on token validation and will not set the X-Service-Catalog header.

insecure = False

(BoolOpt) Verify HTTPS connections.

keyfile = None

(StrOpt) Required if Keystone server requires client certificate

memcache_secret_key = None

(StrOpt) (optional, mandatory if memcache_security_strategy is defined) this string is used for key derivation.

memcache_security_strategy = None

(StrOpt) (optional) if defined, indicate whether token data should be authenticated or authenticated and encrypted. Acceptable values are MAC or ENCRYPT. If MAC, token data is authenticated (with HMAC) in the cache. If ENCRYPT, token data is encrypted and authenticated in the
cache. If the value is not one of these options or empty,
auth_token will raise an exception on initialization.

revocation_cache_time = 10

(IntOpt) Determines the frequency at which the list of revoked tokens is retrieved from the Identity service (in seconds). A high number of revocation events combined with a low cache duration may significantly reduce performance.

signing_dir = None

(StrOpt) Directory used to cache files related to PKI tokens

token_cache_time = 300

(IntOpt) In order to prevent excessive effort spent validating tokens, the middleware caches previously-seen tokens
for a configurable duration (in seconds). Set to -1 to disable caching completely.


Table 10.2. Description of common configuration options


Configuration option = Default value

Description

[DEFAULT]
deferred_auth_method = password

(StrOpt) Select deferred auth method, stored password or trusts.

environment_dir = /etc/heat/environment.d

(StrOpt) The directory to search for environment files.

event_purge_batch_size = 10

(IntOpt) Controls how many events will be pruned whenever a stack's events exceed max_events_per_stack. Set
this lower to keep more events at the expense of more frequent purges.

host = localhost

(StrOpt) Name of the engine node. This can be an opaque identifier. It is not necessarily a hostname, FQDN, or IP address.

instance_driver = heat.engine.nova

(StrOpt) Driver to use for controlling instances.

instance_user = ec2-user

(StrOpt) The default user for new instances. This option is deprecated and will be removed in the Juno release. If it's empty, Heat will use the default user set up with your cloud image (for OS::Nova::Server) or 'ec2-user' (for AWS::EC2::Instance).

keystone_backend = heat.common.heat_keystoneclient.KeystoneClientV3

(StrOpt) Fully qualified class name to use as a keystone backend.

lock_path = None

(StrOpt) Directory to use for lock files.

memcached_servers = None

(ListOpt) Memcached servers or None for in process cache.

periodic_interval = 60

(IntOpt) Seconds between running periodic tasks.

plugin_dirs = /usr/lib64/heat, /usr/lib/heat

(ListOpt) List of directories to search for plug-ins.

[keystone_authtoken]
memcached_servers = None

(ListOpt) Optionally specify a list of memcached server(s) to use for caching. If left undefined, tokens will instead be cached in-process.

[revision]
heat_revision = unknown

(StrOpt) Heat build revision. If you would prefer to manage your build revision separately, you can move this section to a different file and add it as another config option.

Table 10.3. Description of crypt configuration options


Configuration option = Default value

Description

[DEFAULT]
auth_encryption_key = notgood but just long enough i think

(StrOpt) Encryption key used for authentication info in database.

Table 10.4. Description of database configuration options


Configuration option = Default value

Description

[database]
backend = sqlalchemy

(StrOpt) The back end to use for the database.

connection = None

(StrOpt) The SQLAlchemy connection string to use to connect to the database.

connection_debug = 0

(IntOpt) Verbosity of SQL debugging information: 0=None, 100=Everything.

connection_trace = False

(BoolOpt) Add Python stack traces to SQL as comment strings.


db_inc_retry_interval = True

(BoolOpt) If True, increases the interval between database connection retries up to db_max_retry_interval.

db_max_retries = 20

(IntOpt) Maximum database connection retries before error is raised. Set to -1 to specify an infinite retry count.

db_max_retry_interval = 10

(IntOpt) If db_inc_retry_interval is set, the maximum seconds between database connection retries.

db_retry_interval = 1

(IntOpt) Seconds between database connection retries.

idle_timeout = 3600

(IntOpt) Timeout before idle SQL connections are reaped.

max_overflow = None

(IntOpt) If set, use this value for max_overflow with SQLAlchemy.

max_pool_size = None

(IntOpt) Maximum number of SQL connections to keep open in a pool.

max_retries = 10

(IntOpt) Maximum db connection retries during startup. Set to -1 to specify an infinite retry count.

min_pool_size = 1

(IntOpt) Minimum number of SQL connections to keep open in a pool.

mysql_sql_mode = TRADITIONAL

(StrOpt) The SQL mode to be used for MySQL sessions. This option, including the default, overrides any server-set SQL mode. To use whatever SQL mode is set by the server configuration, set this to no value. Example: mysql_sql_mode=

pool_timeout = None

(IntOpt) If set, use this value for pool_timeout with SQLAlchemy.

retry_interval = 10

(IntOpt) Interval between retries of opening a SQL connection.

slave_connection = None

(StrOpt) The SQLAlchemy connection string to use to connect to the slave database.

sqlite_db = oslo.sqlite

(StrOpt) The file name to use with SQLite.

sqlite_synchronous = True

(BoolOpt) If True, SQLite uses synchronous mode.

use_db_reconnect = False

(BoolOpt) Enable the experimental use of database reconnect on connection lost.

Table 10.5. Description of logging configuration options


Configuration option = Default value

Description

[DEFAULT]
backdoor_port = None

(StrOpt) Enable eventlet backdoor. Acceptable values are 0, <port>, and <start>:<end>, where 0 results in listening on a random tcp port number; <port> results in listening on the specified port number (and not enabling backdoor if that port is in use); and <start>:<end> results in listening on the smallest unused port number within the specified range of port numbers. The chosen port is displayed in the service's log file.

disable_process_locking = False

(BoolOpt) Enables or disables inter-process locks.

Table 10.6. Description of load balancer configuration options


Configuration option = Default value

Description

[DEFAULT]
loadbalancer_template = None

(StrOpt) Custom template for the built-in loadbalancer nested stack.


Table 10.7. Description of logging configuration options


Configuration option = Default value

Description

[DEFAULT]
debug = False

(BoolOpt) Print debugging output (set logging level to DEBUG instead of default WARNING level).

default_log_levels = amqp=WARN, amqplib=WARN, boto=WARN, qpid=WARN, sqlalchemy=WARN, suds=INFO, oslo.messaging=INFO, iso8601=WARN, requests.packages.urllib3.connectionpool=WARN

(ListOpt) List of logger=LEVEL pairs.

fatal_deprecations = False

(BoolOpt) Enables or disables fatal status of deprecations.

instance_format = "[instance: %(uuid)s] "

(StrOpt) The format for an instance that is passed with the log message.

instance_uuid_format = "[instance: %(uuid)s] "

(StrOpt) The format for an instance UUID that is passed with the log message.

log_config_append = None

(StrOpt) The name of a logging configuration file. This file is appended to any existing logging configuration files. For details about logging configuration files, see the Python logging module documentation.

log_date_format = %Y-%m-%d %H:%M:%S

(StrOpt) Format string for %(asctime)s in log records. Default: %(default)s.

log_dir = None

(StrOpt) (Optional) The base directory used for relative --log-file paths.

log_file = None

(StrOpt) (Optional) Name of log file to output to. If no default is set, logging will go to stdout.

log_format = None

(StrOpt) DEPRECATED. A logging.Formatter log message format string which may use any of the available
logging.LogRecord attributes. This option is deprecated. Please use logging_context_format_string and
logging_default_format_string instead.

logging_context_format_string = %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [%(request_id)s %(user_identity)s] %(instance)s%(message)s

(StrOpt) Format string to use for log messages with context.

logging_debug_format_suffix = %(funcName)s %(pathname)s:%(lineno)d

(StrOpt) Data to append to log format when level is DEBUG.

logging_default_format_string = %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [-] %(instance)s%(message)s

(StrOpt) Format string to use for log messages without context.

logging_exception_prefix = %(asctime)s.%(msecs)03d %(process)d TRACE %(name)s %(instance)s

(StrOpt) Prefix each line of exception output with this format.

publish_errors = False

(BoolOpt) Enables or disables publication of error events.

syslog_log_facility = LOG_USER

(StrOpt) Syslog facility to receive log lines.

use_stderr = True

(BoolOpt) Log output to standard error.

use_syslog = False

(BoolOpt) Use syslog for logging. Existing syslog format is DEPRECATED during I, and will change in J to honor RFC5424.

use_syslog_rfc_format = False

(BoolOpt) (Optional) Enables or disables syslog rfc5424 format for logging. If enabled, prefixes the MSG part of the syslog message with APP-NAME (RFC5424). The format without the APP-NAME is deprecated in I, and will be removed in J.

verbose = False

(BoolOpt) Print more verbose output (set logging level to INFO instead of default WARNING level).


Table 10.8. Description of quota configuration options


Configuration option = Default value

Description

[DEFAULT]
max_events_per_stack = 1000

(IntOpt) Maximum events that will be available per stack. Older events will be deleted when this is reached. Set to 0 for unlimited events per stack.

max_nested_stack_depth = 3

(IntOpt) Maximum depth allowed when using nested stacks.

max_resources_per_stack = 1000

(IntOpt) Maximum resources allowed per top-level stack.

max_stacks_per_tenant = 100

(IntOpt) Maximum number of stacks any one tenant may have active at one time.

max_template_size = 524288

(IntOpt) Maximum raw byte size of any template.

Table 10.9. Description of Redis configuration options


Configuration option = Default value

Description

[matchmaker_redis]
host = 127.0.0.1

(StrOpt) Host to locate redis.

password = None

(StrOpt) Password for Redis server (optional).

port = 6379

(IntOpt) Use this port to connect to redis host.

[matchmaker_ring]
ringfile = /etc/oslo/matchmaker_ring.json

(StrOpt) Matchmaker ring file (JSON).

Table 10.10. Description of testing configuration options


Configuration option = Default value

Description

[DEFAULT]
fake_rabbit = False

(BoolOpt) If passed, use a fake RabbitMQ provider

Configure APIs
The following options allow configuration of the APIs that Orchestration supports. Currently this includes compatibility APIs for CloudFormation and CloudWatch and a native API.

Table 10.11. Description of API configuration options


Configuration option = Default value

Description

[DEFAULT]
action_retry_limit = 5

(IntOpt) Number of times to retry to bring a resource to a non-error state. Set to 0 to disable retries.

heat_metadata_server_url =

(StrOpt) URL of the Heat metadata server.

heat_stack_user_role = heat_stack_user

(StrOpt) Keystone role for heat template-defined users.

heat_waitcondition_server_url =

(StrOpt) URL of the Heat waitcondition server.

heat_watch_server_url =

(StrOpt) URL of the Heat CloudWatch server.

max_json_body_size = 1048576

(IntOpt) Maximum raw byte size of JSON request body. Should be larger than max_template_size.

num_engine_workers = 1

(IntOpt) Number of heat-engine processes to fork and run.

policy_default_rule = default

(StrOpt) Default rule. Enforced when a requested rule is not found.

policy_file = policy.json

(StrOpt) The JSON file that defines policies.


secure_proxy_ssl_header = X-Forwarded-Proto

(StrOpt) The HTTP header used to determine the original request protocol scheme, even if it was removed by an SSL terminator proxy.

stack_action_timeout = 3600

(IntOpt) Timeout in seconds for stack action (i.e. create or update).

stack_domain_admin = None

(StrOpt) Keystone username, a user with roles sufficient to manage users and projects in the stack_user_domain.

stack_domain_admin_password = None

(StrOpt) Keystone password for stack_domain_admin user.

stack_user_domain_id = None

(StrOpt) Keystone domain ID which contains heat template-defined users. If this option is set, stack_user_domain_name option will be ignored.

stack_user_domain_name = None

(StrOpt) Keystone domain name which contains heat template-defined users. If `stack_user_domain_id` option is
set, this option is ignored.

trusts_delegated_roles = heat_stack_owner

(ListOpt) Subset of trustor roles to be delegated to heat.

[auth_password]
allowed_auth_uris =

(ListOpt) Allowed keystone endpoints for auth_uri when multi_cloud is enabled. At least one endpoint needs to be specified.

multi_cloud = False

(BoolOpt) Allow orchestration of multiple clouds.

[ec2authtoken]
allowed_auth_uris =

(ListOpt) Allowed keystone endpoints for auth_uri when multi_cloud is enabled. At least one endpoint needs to be specified.

auth_uri = None

(StrOpt) Authentication Endpoint URI.

multi_cloud = False

(BoolOpt) Allow orchestration of multiple clouds.

[heat_api]
backlog = 4096

(IntOpt) Number of backlog requests to configure the socket with.

bind_host = 0.0.0.0

(StrOpt) Address to bind the server. Useful when selecting a particular network interface.

bind_port = 8004

(IntOpt) The port on which the server will listen.

cert_file = None

(StrOpt) Location of the SSL certificate file to use for SSL mode.

key_file = None

(StrOpt) Location of the SSL key file to use for enabling SSL mode.

max_header_line = 16384

(IntOpt) Maximum line size of message headers to be accepted. max_header_line may need to be increased when
using large tokens (typically those generated by the Keystone v3 API with big service catalogs).

workers = 0

(IntOpt) Number of workers for Heat service.

[paste_deploy]
api_paste_config = api-paste.ini

(StrOpt) The API paste config file to use.

flavor = None

(StrOpt) The flavor to use.

[ssl]
ca_file = None

(StrOpt) CA certificate file to use to verify connecting clients.

cert_file = None

(StrOpt) Certificate file to use when starting the server securely.

key_file = None

(StrOpt) Private key file to use when starting the server securely.


Table 10.12. Description of Cloudformation-compatible API configuration options


Configuration option = Default value

Description

[DEFAULT]
instance_connection_https_validate_certificates = 1

(StrOpt) Instance connection to CFN/CW API validate certs if SSL is used.

instance_connection_is_secure = 0

(StrOpt) Instance connection to CFN/CW API via https.

[heat_api_cfn]
backlog = 4096

(IntOpt) Number of backlog requests to configure the socket with.

bind_host = 0.0.0.0

(StrOpt) Address to bind the server. Useful when selecting a particular network interface.

bind_port = 8000

(IntOpt) The port on which the server will listen.

cert_file = None

(StrOpt) Location of the SSL certificate file to use for SSL mode.

key_file = None

(StrOpt) Location of the SSL key file to use for enabling SSL mode.

max_header_line = 16384

(IntOpt) Maximum line size of message headers to be accepted. max_header_line may need to be increased when
using large tokens (typically those generated by the Keystone v3 API with big service catalogs).

workers = 0

(IntOpt) Number of workers for Heat service.

[ssl]
ca_file = None

(StrOpt) CA certificate file to use to verify connecting clients.

cert_file = None

(StrOpt) Certificate file to use when starting the server securely.

key_file = None

(StrOpt) Private key file to use when starting the server securely.

Table 10.13. Description of CloudWatch API configuration options


Configuration option = Default value

Description

[DEFAULT]
enable_cloud_watch_lite = True

(BoolOpt) Enable the legacy OS::Heat::CWLiteAlarm resource.

heat_watch_server_url =

(StrOpt) URL of the Heat CloudWatch server.

[heat_api_cloudwatch]
backlog = 4096

(IntOpt) Number of backlog requests to configure the socket with.

bind_host = 0.0.0.0

(StrOpt) Address to bind the server. Useful when selecting a particular network interface.

bind_port = 8003

(IntOpt) The port on which the server will listen.

cert_file = None

(StrOpt) Location of the SSL certificate file to use for SSL mode.

key_file = None

(StrOpt) Location of the SSL key file to use for enabling SSL mode.

max_header_line = 16384

(IntOpt) Maximum line size of message headers to be accepted. max_header_line may need to be increased when using large tokens (typically those generated by the Keystone v3 API with big service catalogs).

workers = 0

(IntOpt) Number of workers for Heat service.


[ssl]
ca_file = None

(StrOpt) CA certificate file to use to verify connecting clients.

cert_file = None

(StrOpt) Certificate file to use when starting the server securely.

key_file = None

(StrOpt) Private key file to use when starting the server securely.

Table 10.14. Description of metadata API configuration options


Configuration option = Default value

Description

[DEFAULT]
heat_metadata_server_url =

(StrOpt) URL of the Heat metadata server.

Table 10.15. Description of waitcondition API configuration options


Configuration option = Default value

Description

[DEFAULT]
heat_waitcondition_server_url =

(StrOpt) URL of the Heat waitcondition server.

Configure Clients
The following options allow configuration of the clients that Orchestration uses to talk to
other services.

Table 10.16. Description of clients configuration options


Configuration option = Default value

Description

[DEFAULT]
region_name_for_services = None

(StrOpt) Default region name used to get services endpoints.

[clients]
ca_file = None

(StrOpt) Optional CA cert file to use in SSL connections.

cert_file = None

(StrOpt) Optional PEM-formatted certificate chain file.

endpoint_type = publicURL

(StrOpt) Type of endpoint in Identity service catalog to use for communication with the OpenStack service.

insecure = False

(BoolOpt) If set, then the server's certificate will not be verified.

key_file = None

(StrOpt) Optional PEM-formatted file that contains the private key.

Table 10.17. Description of client backends configuration options


Configuration option = Default value

Description

[DEFAULT]
cloud_backend = heat.engine.clients.OpenStackClients

(StrOpt) Fully qualified class name to use as a client backend.

Table 10.18. Description of ceilometer clients configuration options


Configuration option = Default value

Description

[clients_ceilometer]


ca_file = None

(StrOpt) Optional CA cert file to use in SSL connections.

cert_file = None

(StrOpt) Optional PEM-formatted certificate chain file.

endpoint_type = publicURL

(StrOpt) Type of endpoint in Identity service catalog to use for communication with the OpenStack service.

insecure = False

(BoolOpt) If set, then the server's certificate will not be verified.

key_file = None

(StrOpt) Optional PEM-formatted file that contains the private key.

Table 10.19. Description of cinder clients configuration options


Configuration option = Default value

Description

[clients_cinder]
ca_file = None

(StrOpt) Optional CA cert file to use in SSL connections.

cert_file = None

(StrOpt) Optional PEM-formatted certificate chain file.

endpoint_type = publicURL

(StrOpt) Type of endpoint in Identity service catalog to use for communication with the OpenStack service.

http_log_debug = False

(BoolOpt) Allow client's debug log output.

insecure = False

(BoolOpt) If set, then the server's certificate will not be verified.

key_file = None

(StrOpt) Optional PEM-formatted file that contains the private key.

Table 10.20. Description of glance clients configuration options


Configuration option = Default value

Description

[clients_glance]
ca_file = None

(StrOpt) Optional CA cert file to use in SSL connections.

cert_file = None

(StrOpt) Optional PEM-formatted certificate chain file.

endpoint_type = publicURL

(StrOpt) Type of endpoint in Identity service catalog to use for communication with the OpenStack service.

insecure = False

(BoolOpt) If set, then the server's certificate will not be verified.

key_file = None

(StrOpt) Optional PEM-formatted file that contains the private key.

Table 10.21. Description of heat clients configuration options


Configuration option = Default value

Description

[clients_heat]
ca_file = None

(StrOpt) Optional CA cert file to use in SSL connections.

cert_file = None

(StrOpt) Optional PEM-formatted certificate chain file.

endpoint_type = publicURL

(StrOpt) Type of endpoint in Identity service catalog to use for communication with the OpenStack service.

insecure = False

(BoolOpt) If set, then the server's certificate will not be verified.

key_file = None

(StrOpt) Optional PEM-formatted file that contains the private key.

url = None

(StrOpt) Optional heat url in format like http://0.0.0.0:8004/v1/%(tenant_id)s.


Table 10.22. Description of keystone clients configuration options


Configuration option = Default value

Description

[clients_keystone]
ca_file = None

(StrOpt) Optional CA cert file to use in SSL connections.

cert_file = None

(StrOpt) Optional PEM-formatted certificate chain file.

endpoint_type = publicURL

(StrOpt) Type of endpoint in Identity service catalog to use for communication with the OpenStack service.

insecure = False

(BoolOpt) If set, then the server's certificate will not be verified.

key_file = None

(StrOpt) Optional PEM-formatted file that contains the private key.

Table 10.23. Description of neutron clients configuration options


Configuration option = Default value

Description

[clients_neutron]
ca_file = None

(StrOpt) Optional CA cert file to use in SSL connections.

cert_file = None

(StrOpt) Optional PEM-formatted certificate chain file.

endpoint_type = publicURL

(StrOpt) Type of endpoint in Identity service catalog to use for communication with the OpenStack service.

insecure = False

(BoolOpt) If set, then the server's certificate will not be verified.

key_file = None

(StrOpt) Optional PEM-formatted file that contains the private key.

Table 10.24. Description of nova clients configuration options


Configuration option = Default value

Description

[clients_nova]
ca_file = None

(StrOpt) Optional CA cert file to use in SSL connections.

cert_file = None

(StrOpt) Optional PEM-formatted certificate chain file.

endpoint_type = publicURL

(StrOpt) Type of endpoint in Identity service catalog to use for communication with the OpenStack service.

http_log_debug = False

(BoolOpt) Allow client's debug log output.

insecure = False

(BoolOpt) If set, then the server's certificate will not be verified.

key_file = None

(StrOpt) Optional PEM-formatted file that contains the private key.

Table 10.25. Description of swift clients configuration options


Configuration option = Default value

Description

[clients_swift]
ca_file = None

(StrOpt) Optional CA cert file to use in SSL connections.

cert_file = None

(StrOpt) Optional PEM-formatted certificate chain file.

endpoint_type = publicURL

(StrOpt) Type of endpoint in Identity service catalog to use for communication with the OpenStack service.

insecure = False

(BoolOpt) If set, then the server's certificate will not be verified.

key_file = None

(StrOpt) Optional PEM-formatted file that contains the private key.


Table 10.26. Description of trove clients configuration options


Configuration option = Default value

Description

[clients_trove]
ca_file = None

(StrOpt) Optional CA cert file to use in SSL connections.

cert_file = None

(StrOpt) Optional PEM-formatted certificate chain file.

endpoint_type = publicURL

(StrOpt) Type of endpoint in Identity service catalog to use for communication with the OpenStack service.

insecure = False

(BoolOpt) If set, then the server's certificate will not be verified.

key_file = None

(StrOpt) Optional PEM-formatted file that contains the private key.

Configure the RPC messaging system


OpenStack projects use an open standard for messaging middleware known as AMQP. This
messaging middleware enables the OpenStack services that run on multiple servers to talk
to each other. OpenStack Oslo RPC supports three implementations of AMQP: RabbitMQ,
Qpid, and ZeroMQ.

Configure RabbitMQ
OpenStack Oslo RPC uses RabbitMQ by default. Use these options to configure the RabbitMQ message system. The rpc_backend option is optional as long as RabbitMQ is the default messaging system. However, if it is included in the configuration, you must set it to
heat.openstack.common.rpc.impl_kombu.
rpc_backend = heat.openstack.common.rpc.impl_kombu

Use these options to configure the RabbitMQ messaging system. You can configure messaging communication for different installation scenarios, tune retries
for RabbitMQ, and define the size of the RPC thread pool. To monitor notifications through RabbitMQ, you must set the notification_driver option to
heat.openstack.common.notifier.rpc_notifier in the heat.conf file:

Table 10.27. Description of RabbitMQ configuration options


Configuration option = Default value

Description

[DEFAULT]
kombu_reconnect_delay = 1.0

(FloatOpt) How long to wait before reconnecting in response to an AMQP consumer cancel notification.

kombu_ssl_ca_certs =

(StrOpt) SSL certification authority file (valid only if SSL enabled).

kombu_ssl_certfile =

(StrOpt) SSL cert file (valid only if SSL enabled).

kombu_ssl_keyfile =

(StrOpt) SSL key file (valid only if SSL enabled).

kombu_ssl_version =

(StrOpt) SSL version to use (valid only if SSL enabled). Valid values are TLSv1, SSLv23 and SSLv3. SSLv2 may be available on some distributions.

rabbit_ha_queues = False

(BoolOpt) Use HA queues in RabbitMQ (x-ha-policy: all). If you change this option, you must wipe the RabbitMQ database.


rabbit_host = localhost

(StrOpt) The RabbitMQ broker address where a single node is used.

rabbit_hosts = $rabbit_host:$rabbit_port

(ListOpt) RabbitMQ HA cluster host:port pairs.

rabbit_login_method = AMQPLAIN

(StrOpt) The RabbitMQ login method.

rabbit_max_retries = 0

(IntOpt) Maximum number of RabbitMQ connection retries. Default is 0 (infinite retry count).

rabbit_password = guest

(StrOpt) The RabbitMQ password.

rabbit_port = 5672

(IntOpt) The RabbitMQ broker port where a single node is used.

rabbit_retry_backoff = 2

(IntOpt) How long to back off between retries when connecting to RabbitMQ.

rabbit_retry_interval = 1

(IntOpt) How frequently to retry connecting with RabbitMQ.

rabbit_use_ssl = False

(BoolOpt) Connect over SSL for RabbitMQ.

rabbit_userid = guest

(StrOpt) The RabbitMQ userid.

rabbit_virtual_host = /

(StrOpt) The RabbitMQ virtual host.

Configure Qpid
Use these options to configure the Qpid messaging system for OpenStack Oslo RPC. Qpid is
not the default messaging system, so you must enable it by setting the rpc_backend option in the heat.conf file:
rpc_backend=heat.openstack.common.rpc.impl_qpid

This critical option points the compute nodes to the Qpid broker (server). Set the
qpid_hostname option to the host name where the broker runs in the heat.conf file.

Note
The qpid_hostname option accepts a host name or IP address value.
qpid_hostname = hostname.example.com

If the Qpid broker listens on a port other than the AMQP default of 5672, you must set the
qpid_port option to that value:
qpid_port = 12345

If you configure the Qpid broker to require authentication, you must add a user name and
password to the configuration:
qpid_username = username
qpid_password = password

By default, TCP is used as the transport. To enable SSL, set the qpid_protocol option:
qpid_protocol = ssl

Use these additional options to configure the Qpid messaging driver for OpenStack Oslo
RPC. These options are used infrequently.

Table 10.28. Description of Qpid configuration options


Configuration option = Default value

Description

[DEFAULT]
qpid_heartbeat = 60

(IntOpt) Seconds between connection keepalive heartbeats.

qpid_hostname = localhost

(StrOpt) Qpid broker hostname.

qpid_hosts = $qpid_hostname:$qpid_port

(ListOpt) Qpid HA cluster host:port pairs.

qpid_password =

(StrOpt) Password for Qpid connection.

qpid_port = 5672

(IntOpt) Qpid broker port.

qpid_protocol = tcp

(StrOpt) Transport to use, either 'tcp' or 'ssl'.

qpid_receiver_capacity = 1

(IntOpt) The number of prefetched messages held by receiver.

qpid_sasl_mechanisms =

(StrOpt) Space separated list of SASL mechanisms to use for auth.

qpid_tcp_nodelay = True

(BoolOpt) Whether to disable the Nagle algorithm.

qpid_topology_version = 1

(IntOpt) The qpid topology version to use. Version 1 is what was originally used by impl_qpid. Version 2 includes some backwards-incompatible changes that allow broker federation to work. Users should update to version 2 when they are able to take everything down, as it requires a clean break.

qpid_username =

(StrOpt) Username for Qpid connection.
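
The RabbitMQ and Qpid tables above list defaults that matter for security: rabbit_userid and rabbit_password default to guest, rabbit_use_ssl to False and qpid_protocol to tcp. The following Python script is an added example (not part of the OpenStack reference or the Heat code base) that audits the text of a heat.conf for those settings, plus auth_encryption_key, backdoor_port and the [clients*] insecure flag documented earlier in this chapter; the audit() function, its rule set and the sample file are assumptions constructed for illustration.

```python
import configparser

# Values taken from the tables on this page (Juno heat.conf defaults).
DEFAULT_AUTH_KEY = "notgood but just long enough i think"
KOMBU = "heat.openstack.common.rpc.impl_kombu"
QPID = "heat.openstack.common.rpc.impl_qpid"
TRUE_VALUES = {"true", "1", "yes", "on"}

# Constructed sample configuration, not taken from a real deployment.
SAMPLE = """\
[DEFAULT]
rpc_backend = heat.openstack.common.rpc.impl_qpid
qpid_hostname = hostname.example.com
qpid_protocol = tcp
qpid_username = username
qpid_password = password
auth_encryption_key = notgood but just long enough i think
backdoor_port = 4444
logging_exception_prefix = %(asctime)s.%(msecs)03d %(process)d TRACE %(name)s

[clients]
insecure = False

[clients_nova]
insecure = True
"""


def load(text):
    """Parse heat.conf text. Interpolation is off because log format options
    contain %(...)s, and [DEFAULT] is kept as an ordinary section so its
    values do not leak into the [clients_*] sections."""
    cfg = configparser.ConfigParser(interpolation=None, strict=False,
                                    default_section="__unused__")
    cfg.read_string(text)
    return cfg


def opt(cfg, section, name, default=""):
    """Return an option value, or the documented default when it is unset."""
    if cfg.has_section(section) and cfg.has_option(section, name):
        return cfg.get(section, name).strip()
    return default


def is_true(value):
    return value.lower() in TRUE_VALUES


def audit(text):
    """Return a sorted list of (section, option, reason) findings."""
    cfg = load(text)
    found = []
    backend = opt(cfg, "DEFAULT", "rpc_backend", KOMBU)
    if backend == KOMBU:
        if not is_true(opt(cfg, "DEFAULT", "rabbit_use_ssl", "False")):
            found.append(("DEFAULT", "rabbit_use_ssl",
                          "RPC traffic to RabbitMQ is not encrypted"))
        elif not opt(cfg, "DEFAULT", "kombu_ssl_ca_certs"):
            found.append(("DEFAULT", "kombu_ssl_ca_certs",
                          "SSL is enabled but no CA file is set"))
        if opt(cfg, "DEFAULT", "kombu_ssl_version").lower() in ("sslv2", "sslv3"):
            found.append(("DEFAULT", "kombu_ssl_version",
                          "obsolete SSL protocol version selected"))
        if opt(cfg, "DEFAULT", "rabbit_password", "guest") == "guest":
            found.append(("DEFAULT", "rabbit_password",
                          "broker password is the default 'guest'"))
    elif backend == QPID:
        if opt(cfg, "DEFAULT", "qpid_protocol", "tcp").lower() != "ssl":
            found.append(("DEFAULT", "qpid_protocol",
                          "RPC traffic to Qpid is not encrypted"))
        if not opt(cfg, "DEFAULT", "qpid_password"):
            found.append(("DEFAULT", "qpid_password",
                          "no broker credentials are configured"))
    if opt(cfg, "DEFAULT", "auth_encryption_key",
           DEFAULT_AUTH_KEY) == DEFAULT_AUTH_KEY:
        found.append(("DEFAULT", "auth_encryption_key",
                      "publicly documented default key is in use"))
    if opt(cfg, "DEFAULT", "backdoor_port"):
        found.append(("DEFAULT", "backdoor_port",
                      "eventlet backdoor listener is enabled"))
    for section in cfg.sections():
        if section == "clients" or section.startswith("clients_"):
            if is_true(opt(cfg, section, "insecure", "False")):
                found.append((section, "insecure",
                              "server certificate is not verified"))
    return sorted(found)


if __name__ == "__main__":
    for section, option, reason in audit(SAMPLE):
        print("[%s] %s: %s" % (section, option, reason))
```

Pass the text of a heat.conf file to audit(); an empty result means none of these rules matched, not that the deployment is otherwise hardened.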

Configure ZeroMQ
Use these options to configure the ZeroMQ messaging system for OpenStack Oslo
RPC. ZeroMQ is not the default messaging system, so you must enable it by setting the
rpc_backend option in the heat.conf file:

Table 10.29. Description of ZeroMQ configuration options


Configuration option = Default value

Description

[DEFAULT]
rpc_zmq_bind_address = *

(StrOpt) ZeroMQ bind address. Should be a wildcard (*), an ethernet interface, or IP. The "host" option should point or resolve to this address.

rpc_zmq_contexts = 1

(IntOpt) Number of ZeroMQ contexts, defaults to 1.

rpc_zmq_host = localhost

(StrOpt) Name of this node. Must be a valid hostname, FQDN, or IP address. Must match "host" option, if running Nova.

rpc_zmq_ipc_dir = /var/run/openstack

(StrOpt) Directory for holding IPC sockets.

rpc_zmq_matchmaker = oslo.messaging._drivers.matchmaker.MatchMakerLocalhost

(StrOpt) MatchMaker driver.

rpc_zmq_port = 9501

(IntOpt) ZeroMQ receiver listening port.

rpc_zmq_topic_backlog = None

(IntOpt) Maximum number of ingress messages to locally buffer per topic. Default is unlimited.

Configure messaging
Use these common options to configure the RabbitMQ, Qpid, and ZeroMQ messaging
drivers:

Table 10.30. Description of AMQP configuration options


Configuration option = Default value

Description

[DEFAULT]
amqp_auto_delete = False

(BoolOpt) Auto-delete queues in amqp.

amqp_durable_queues = False

(BoolOpt) Use durable queues in amqp.

control_exchange = openstack

(StrOpt) AMQP exchange to connect to if using RabbitMQ or Qpid

default_notification_level = INFO

(StrOpt) Default notification level for outgoing notifications.

default_publisher_id = None

(StrOpt) Default publisher_id for outgoing notifications.

list_notifier_drivers = None

(MultiStrOpt) List of drivers to send notifications (DEPRECATED).

notification_driver = []

(MultiStrOpt) Driver or drivers to handle sending notifications.

notification_topics = notifications

(ListOpt) AMQP topic used for OpenStack notifications.

transport_url = None

(StrOpt) A URL representing the messaging driver to use and its full configuration. If not set, we fall back to the rpc_backend option and driver specific configuration.

Table 10.31. Description of RPC configuration options


Configuration option = Default value

Description

[DEFAULT]
engine_life_check_timeout = 2

(IntOpt) RPC timeout for the engine liveness check that is used for stack locking.

matchmaker_heartbeat_freq = 300

(IntOpt) Heartbeat frequency.

matchmaker_heartbeat_ttl = 600

(IntOpt) Heartbeat time-to-live.

rpc_backend = heat.openstack.common.rpc.impl_kombu

(StrOpt) The messaging module to use, defaults to kombu.

rpc_cast_timeout = 30

(IntOpt) Seconds to wait before a cast expires (TTL). Only supported by impl_zmq.

rpc_conn_pool_size = 30

(IntOpt) Size of RPC connection pool

rpc_response_timeout = 60

(IntOpt) Seconds to wait for a response from call or multicall

rpc_thread_pool_size = 64

(IntOpt) Size of RPC thread pool

Table 10.32. Description of notification configuration options


Configuration option = Default value

Description

[DEFAULT]
onready = None

(StrOpt) Deprecated.

New, updated and deprecated options in Juno for Orchestration
Table 10.33. New options
Option = default value

(Type) Help string

[DEFAULT] action_retry_limit = 5

(IntOpt) Number of times to retry to bring a resource to a non-error state. Set to 0 to disable retries.

[DEFAULT] cloud_backend = heat.engine.clients.OpenStackClients

(StrOpt) Fully qualified class name to use as a client backend.

[DEFAULT] enable_cloud_watch_lite = True

(BoolOpt) Enable the legacy OS::Heat::CWLiteAlarm resource.

[DEFAULT] kombu_reconnect_delay = 1.0

(FloatOpt) How long to wait before reconnecting in response to an AMQP consumer cancel notification.

[DEFAULT] loadbalancer_template = None

(StrOpt) Custom template for the built-in loadbalancer nested stack.

[DEFAULT] num_engine_workers = 1

(IntOpt) Number of heat-engine processes to fork and run.

[DEFAULT] qpid_receiver_capacity = 1

(IntOpt) The number of prefetched messages held by receiver.

[DEFAULT] rabbit_login_method = AMQPLAIN

(StrOpt) the RabbitMQ login method

[DEFAULT] stack_user_domain_id = None

(StrOpt) Keystone domain ID which contains heat template-defined users. If this option is set, stack_user_domain_name option will be ignored.

[DEFAULT] stack_user_domain_name = None

(StrOpt) Keystone domain name which contains heat template-defined users. If `stack_user_domain_id` option is
set, this option is ignored.

[DEFAULT] transport_url = None

(StrOpt) A URL representing the messaging driver to use and its full configuration. If not set, we fall back to the rpc_backend option and driver specific configuration.

[DEFAULT] use_syslog_rfc_format = False

(BoolOpt) (Optional) Enables or disables syslog rfc5424 format for logging. If enabled, prefixes the MSG part of the syslog message with APP-NAME (RFC5424). The format without the APP-NAME is deprecated in I, and will be removed in J.

[clients_cinder] http_log_debug = False

(BoolOpt) Allow client's debug log output.

[clients_glance] ca_file = None

(StrOpt) Optional CA cert file to use in SSL connections.

[clients_glance] cert_file = None

(StrOpt) Optional PEM-formatted certificate chain file.

[clients_glance] endpoint_type = publicURL

(StrOpt) Type of endpoint in Identity service catalog to use for communication with the OpenStack service.

[clients_glance] insecure = False

(BoolOpt) If set, then the server's certificate will not be verified.

[clients_glance] key_file = None

(StrOpt) Optional PEM-formatted file that contains the private key.

[clients_nova] http_log_debug = False

(BoolOpt) Allow client's debug log output.

[database] db_inc_retry_interval = True

(BoolOpt) If True, increases the interval between database connection retries up to db_max_retry_interval.

[database] db_max_retries = 20

(IntOpt) Maximum database connection retries before error is raised. Set to -1 to specify an infinite retry count.

[database] db_max_retry_interval = 10

(IntOpt) If db_inc_retry_interval is set, the maximum seconds between database connection retries.

[database] db_retry_interval = 1

(IntOpt) Seconds between database connection retries.

[database] mysql_sql_mode = TRADITIONAL

(StrOpt) The SQL mode to be used for MySQL sessions. This option, including the default, overrides any server-set SQL mode. To use whatever SQL mode is set by the server configuration, set this to no value. Example: mysql_sql_mode=

[database] sqlite_db = oslo.sqlite

(StrOpt) The file name to use with SQLite.

[database] sqlite_synchronous = True

(BoolOpt) If True, SQLite uses synchronous mode.

[database] use_db_reconnect = False

(BoolOpt) Enable the experimental use of database reconnect on connection lost.

[keystone_authtoken] check_revocations_for_cached = False

(BoolOpt) If true, the revocation list will be checked for cached tokens. This requires that PKI tokens are configured on the Keystone server.

[keystone_authtoken] hash_algorithms = ['md5']

(ListOpt) Hash algorithms to use for hashing PKI tokens. This may be a single algorithm or multiple. The algorithms are those supported by Python standard hashlib.new(). The hashes will be tried in the order given, so put the preferred one first for performance. The result of the first hash will be stored in the cache. This will typically be set to multiple values only while migrating from a less secure algorithm to a more secure one. Once all the old tokens are expired this option should be set to a single value for better performance.

[keystone_authtoken] identity_uri = None

(StrOpt) Complete admin Identity API endpoint. This should specify the unversioned root endpoint e.g. https://localhost:35357/

Table 10.34. New default values


Option

Previous default value

New default value

[DEFAULT] control_exchange

heat

openstack

[DEFAULT] default_log_levels

amqp=WARN, amqplib=WARN,
boto=WARN, qpid=WARN,
sqlalchemy=WARN, suds=INFO,
iso8601=WARN

amqp=WARN, amqplib=WARN,
boto=WARN, qpid=WARN,
sqlalchemy=WARN, suds=INFO,
oslo.messaging=INFO,
iso8601=WARN,
requests.packages.urllib3.connectionpool=WARN

[DEFAULT] list_notifier_drivers

heat.openstack.common.notifier.no_op_notifier

None

[DEFAULT] rpc_zmq_matchmaker

heat.openstack.common.rpc.matchmaker.MatchMakerLocalhost

oslo.messaging._drivers.matchmaker.MatchMakerLocalhost

[database] connection

sqlite:////home/gpocentek/Workspace/OpenStack/openstack-doc-tools/autogenerate_config_docs/sources/heat/heat/openstack/common/db/$sqlite_db

None

[database] slave_connection

None

[keystone_authtoken] revocation_cache_time

300

10

Table 10.35. Deprecated options
Deprecated option

New Option

[DEFAULT] db_backend

[database] backend

[DEFAULT] stack_user_domain

[DEFAULT] stack_user_domain_id

[rpc_notifier2] topics

[DEFAULT] notification_topics

11. Telemetry
Table of Contents
Telemetry sample configuration files
New, updated and deprecated options in Juno for Telemetry
The Telemetry service collects measurements within OpenStack. Its various agents and services are configured in the /etc/ceilometer/ceilometer.conf file.
To install Telemetry, see the OpenStack Installation Guide for your distribution
(docs.openstack.org).
The following tables provide a comprehensive list of the Telemetry configuration options.

Table 11.1. Description of alarm configuration options


Configuration option = Default value

Description

[alarm]
evaluation_interval = 60

(IntOpt) Period of evaluation cycle, should be >= than configured pipeline interval for collection of underlying metrics.

notifier_rpc_topic = alarm_notifier

(StrOpt) The topic that ceilometer uses for alarm notifier messages.

partition_rpc_topic = alarm_partition_coordination

(StrOpt) The topic that ceilometer uses for alarm partition coordination messages. DEPRECATED: RPC-based partitioned alarm evaluation service will be removed in Kilo in favour of the default alarm evaluation service using tooz for partitioning.

project_alarm_quota = None

(IntOpt) Maximum number of alarms defined for a project.

record_history = True

(BoolOpt) Record alarm change events.

rest_notifier_certificate_file =

(StrOpt) SSL Client certificate for REST notifier.

rest_notifier_certificate_key =

(StrOpt) SSL Client private key for REST notifier.

rest_notifier_max_retries = 0

(IntOpt) Number of retries for REST notifier

rest_notifier_ssl_verify = True

(BoolOpt) Whether to verify the SSL Server certificate when calling alarm action.

user_alarm_quota = None

(IntOpt) Maximum number of alarms defined for a user.

Table 11.2. Description of AMQP configuration options


Configuration option = Default value

Description

[DEFAULT]
amqp_auto_delete = False

(BoolOpt) Auto-delete queues in amqp.

amqp_durable_queues = False

(BoolOpt) Use durable queues in amqp.

control_exchange = openstack

(StrOpt) AMQP exchange to connect to if using RabbitMQ or Qpid

notification_driver = []

(MultiStrOpt) Driver or drivers to handle sending notifications.

notification_topics = notifications

(ListOpt) AMQP topic used for OpenStack notifications.

transport_url = None

(StrOpt) A URL representing the messaging driver to use and its full configuration. If not set, we fall back to the rpc_backend option and driver specific configuration.

Table 11.3. Description of API configuration options


Configuration option = Default value

Description

[DEFAULT]
api_paste_config = api_paste.ini

(StrOpt) Configuration file for WSGI definition of API.

pipeline_cfg_file = pipeline.yaml

(StrOpt) Configuration file for pipeline definition.

policy_default_rule = default

(StrOpt) Default rule. Enforced when a requested rule is not found.

policy_file = policy.json

(StrOpt) The JSON file that defines policies.

reserved_metadata_length = 256

(IntOpt) Limit on length of reserved metadata values.

reserved_metadata_namespace = metering.

(ListOpt) List of metadata prefixes reserved for metering use.

[api]
enable_reverse_dns_lookup = False

(BoolOpt) Set it to False if your environment does not need or have dns server, otherwise it will delay the response from api.

host = 0.0.0.0

(StrOpt) The listen IP for the ceilometer API server.

pecan_debug = False

(BoolOpt) Toggle Pecan Debug Middleware. Defaults to global debug value.

port = 8777

(IntOpt) The port for the ceilometer API server.

Table 11.4. Description of authorization configuration options


Configuration option = Default value

Description

[service_credentials]
insecure = False

(BoolOpt) Disables X.509 certificate validation when an SSL connection to Identity Service is established.

os_auth_url = http://localhost:5000/v2.0

(StrOpt) Auth URL to use for OpenStack service access.

os_cacert = None

(StrOpt) Certificate chain for SSL validation.

os_endpoint_type = publicURL

(StrOpt) Type of endpoint in Identity service catalog to use for communication with OpenStack services.

os_password = admin

(StrOpt) Password to use for OpenStack service access.

os_region_name = None

(StrOpt) Region name to use for OpenStack service endpoints.

os_tenant_id =

(StrOpt) Tenant ID to use for OpenStack service access.

os_tenant_name = admin

(StrOpt) Tenant name to use for OpenStack service access.

os_username = ceilometer

(StrOpt) User name to use for OpenStack service access.

Table 11.5. Description of authorization token configuration options


Configuration option = Default value

Description

[keystone_authtoken]
admin_password = None

(StrOpt) Keystone account password

admin_tenant_name = admin

(StrOpt) Keystone service account tenant name to validate user tokens

admin_token = None

(StrOpt) This option is deprecated and may be removed in a future release. Single shared secret with the Keystone configuration used for bootstrapping a Keystone installation, or otherwise bypassing the normal authentication process. This option should not be used, use `admin_user` and `admin_password` instead.

admin_user = None

(StrOpt) Keystone account username

auth_admin_prefix =

(StrOpt) Prefix to prepend at the beginning of the path. Deprecated, use identity_uri.

auth_host = 127.0.0.1

(StrOpt) Host providing the admin Identity API endpoint. Deprecated, use identity_uri.

auth_port = 35357

(IntOpt) Port of the admin Identity API endpoint. Deprecated, use identity_uri.

auth_protocol = https

(StrOpt) Protocol of the admin Identity API endpoint (http or https). Deprecated, use identity_uri.

auth_uri = None

(StrOpt) Complete public Identity API endpoint

auth_version = None

(StrOpt) API version of the admin Identity API endpoint

cache = None

(StrOpt) Env key for the swift cache

cafile = None

(StrOpt) A PEM encoded Certificate Authority to use when verifying HTTPs connections. Defaults to system CAs.

certfile = None

(StrOpt) Required if Keystone server requires client certificate

check_revocations_for_cached = False

(BoolOpt) If true, the revocation list will be checked for cached tokens. This requires that PKI tokens are configured on the Keystone server.

delay_auth_decision = False

(BoolOpt) Do not handle authorization requests within the middleware, but delegate the authorization decision to downstream WSGI components

enforce_token_bind = permissive

(StrOpt) Used to control the use and type of token binding. Can be set to: "disabled" to not check token binding.
"permissive" (default) to validate binding information if
the bind type is of a form known to the server and ignore
it if not. "strict" like "permissive" but if the bind type is unknown the token will be rejected. "required" any form of
token binding is needed to be allowed. Finally the name of
a binding method that must be present in tokens.

hash_algorithms = md5

(ListOpt) Hash algorithms to use for hashing PKI tokens. This may be a single algorithm or multiple. The algorithms are those supported by Python standard hashlib.new(). The hashes will be tried in the order given, so put the preferred one first for performance. The result of the first hash will be stored in the cache. This will typically be set to multiple values only while migrating from a less secure algorithm to a more secure one. Once all the old tokens are expired this option should be set to a single value for better performance.

http_connect_timeout = None

(BoolOpt) Request timeout value for communicating with Identity API server.

http_request_max_retries = 3

(IntOpt) How many times are we trying to reconnect when communicating with Identity API Server.

identity_uri = None

(StrOpt) Complete admin Identity API endpoint. This should specify the unversioned root endpoint e.g. https://localhost:35357/

include_service_catalog = True

(BoolOpt) (optional) indicate whether to set the X-Service-Catalog header. If False, middleware will not ask for
service catalog on token validation and will not set the X-Service-Catalog header.

insecure = False

(BoolOpt) Verify HTTPS connections.

keyfile = None

(StrOpt) Required if Keystone server requires client certificate

memcache_secret_key = None

(StrOpt) (optional, mandatory if memcache_security_strategy is defined) this string is used for key derivation.

memcache_security_strategy = None

(StrOpt) (optional) if defined, indicate whether token data should be authenticated or authenticated and encrypted. Acceptable values are MAC or ENCRYPT. If MAC, token data is authenticated (with HMAC) in the cache. If ENCRYPT, token data is encrypted and authenticated in the
cache. If the value is not one of these options or empty,
auth_token will raise an exception on initialization.

revocation_cache_time = 10

(IntOpt) Determines the frequency at which the list of revoked tokens is retrieved from the Identity service (in seconds). A high number of revocation events combined with a low cache duration may significantly reduce performance.

signing_dir = None

(StrOpt) Directory used to cache files related to PKI tokens

token_cache_time = 300

(IntOpt) In order to prevent excessive effort spent validating tokens, the middleware caches previously-seen tokens
for a configurable duration (in seconds). Set to -1 to disable caching completely.
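
As an added example (not part of the OpenStack documentation or of the ceilometer code), the following Python script audits the text of a ceilometer.conf for risky values of options listed in Tables 11.1, 11.4 and 11.5, falling back to the documented default when an option is unset. The sample file, the DEFAULTS map and the function names are constructed for illustration.

```python
import configparser
import hashlib

# Defaults for the audited options, copied from Tables 11.1, 11.4 and 11.5.
DEFAULTS = {
    ("alarm", "rest_notifier_ssl_verify"): "True",
    ("service_credentials", "insecure"): "False",
    ("service_credentials", "os_auth_url"): "http://localhost:5000/v2.0",
    ("service_credentials", "os_password"): "admin",
    ("keystone_authtoken", "admin_token"): "",
    ("keystone_authtoken", "hash_algorithms"): "md5",
    ("keystone_authtoken", "memcache_security_strategy"): "",
    ("keystone_authtoken", "memcache_secret_key"): "",
}

# Constructed sample input, not taken from a real deployment.
SAMPLE_CONF = """\
[alarm]
rest_notifier_ssl_verify = False

[service_credentials]
insecure = True
os_auth_url = http://localhost:5000/v2.0
os_password = admin

[keystone_authtoken]
identity_uri = https://localhost:35357/
admin_token = constructed-shared-secret
hash_algorithms = md5
memcache_security_strategy = ENCRYPT
"""


def _load(text):
    # Rename the default section so [DEFAULT] values are not inherited by
    # every other section, which configparser would otherwise do.
    parser = configparser.ConfigParser(interpolation=None,
                                       default_section="__unused__")
    parser.read_string(text)
    return parser


def _value(parser, section, option):
    """Return the configured value, or the documented default if unset."""
    if parser.has_section(section) and parser.has_option(section, option):
        return parser.get(section, option).strip()
    return DEFAULTS[(section, option)]


def _is_true(raw):
    return raw.lower() in ("true", "1", "yes", "on")


def audit(text):
    """Return a list of (section, option, message) findings."""
    parser = _load(text)
    findings = []

    def flag(section, option, message):
        findings.append((section, option, message))

    if not _is_true(_value(parser, "alarm", "rest_notifier_ssl_verify")):
        flag("alarm", "rest_notifier_ssl_verify",
             "REST notifier does not verify the server certificate")

    creds = "service_credentials"
    if _is_true(_value(parser, creds, "insecure")):
        flag(creds, "insecure", "X.509 validation to Identity is disabled")
    if _value(parser, creds, "os_auth_url").lower().startswith("http://"):
        flag(creds, "os_auth_url", "credentials are sent to Identity without TLS")
    if _value(parser, creds, "os_password") == DEFAULTS[(creds, "os_password")]:
        flag(creds, "os_password", "documented default password in use")

    auth = "keystone_authtoken"
    if _value(parser, auth, "admin_token"):
        flag(auth, "admin_token", "deprecated shared secret bypasses normal auth")

    raw = _value(parser, auth, "hash_algorithms")
    algorithms = [a.strip() for a in raw.split(",") if a.strip()]
    for name in algorithms:
        if name not in hashlib.algorithms_available:
            flag(auth, "hash_algorithms", "%s is unknown to hashlib.new()" % name)
    if "md5" in algorithms:
        where = "preferred" if algorithms[0] == "md5" else "still accepted"
        flag(auth, "hash_algorithms", "md5 is %s for PKI token hashes" % where)

    strategy = _value(parser, auth, "memcache_security_strategy")
    if strategy:
        # Compared exactly as the table spells the accepted values.
        if strategy not in ("MAC", "ENCRYPT"):
            flag(auth, "memcache_security_strategy", "must be MAC or ENCRYPT")
        if not _value(parser, auth, "memcache_secret_key"):
            flag(auth, "memcache_secret_key", "required when a strategy is set")
    return findings


if __name__ == "__main__":
    for section, option, message in audit(SAMPLE_CONF):
        print("[%s] %s: %s" % (section, option, message))
```

Because unset options fall back to the defaults in the tables, an empty file is still reported for os_auth_url, os_password and hash_algorithms.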

Table 11.6. Description of collector configuration options


Configuration option = Default value

Description

[DEFAULT]
collector_workers = 1

(IntOpt) Number of workers for collector service. A single collector is enabled by default.

[collector]
requeue_sample_on_dispatcher_error = False

(BoolOpt) Requeue the sample on the collector sample queue when the collector fails to dispatch it. This is only valid if the sample comes from the notifier publisher

udp_address = 0.0.0.0

(StrOpt) Address to which the UDP socket is bound. Set to an empty string to disable.

udp_port = 4952

(IntOpt) Port to which the UDP socket is bound.

[dispatcher_file]
backup_count = 0

(IntOpt) The max number of the files to keep.

file_path = None

(StrOpt) Name and the location of the file to record meters.

max_bytes = 0

(IntOpt) The max size of the file.

Table 11.7. Description of common configuration options


Configuration option = Default value

Description

[DEFAULT]
host = localhost

(StrOpt) Name of this node, which must be valid in an AMQP key. Can be an opaque identifier. For ZeroMQ only, must be a valid host name, FQDN, or IP address.

lock_path = None

(StrOpt) Directory to use for lock files.

memcached_servers = None

(ListOpt) Memcached servers or None for in process cache.

notification_workers = 1

(IntOpt) Number of workers for notification service. A single notification agent is enabled by default.

rootwrap_config = /etc/ceilometer/rootwrap.conf

(StrOpt) Path to the rootwrap configuration file to use for running commands as root

[central]
partitioning_group_prefix = None

(StrOpt) Work-load partitioning group prefix. Use only if you want to run multiple central agents with different config files. For each sub-group of the central agent pool with the same partitioning_group_prefix a disjoint subset of pollsters should be loaded.

[compute]
workload_partitioning = False

(BoolOpt) Enable work-load partitioning, allowing multiple compute agents to be run simultaneously.

[coordination]
backend_url = None

(StrOpt) The backend URL to use for distributed coordination. If left empty, per-deployment central agent and per-host compute agent won't do workload partitioning and
will only function correctly if a single instance of that service is running.

heartbeat = 1.0

(FloatOpt) Number of seconds between heartbeats for distributed coordination (float)

[keystone_authtoken]
memcached_servers = None

(ListOpt) Optionally specify a list of memcached server(s) to use for caching. If left undefined, tokens will instead be cached in-process.

Table 11.8. Description of database configuration options


Configuration option = Default value

Description

[DEFAULT]
database_connection = None

(StrOpt) DEPRECATED - Database connection string.

[database]
alarm_connection = None

(StrOpt) The connection string used to connect to the alarm database. (if unset, connection is used)

backend = sqlalchemy

(StrOpt) The back end to use for the database.

connection = None

(StrOpt) The SQLAlchemy connection string to use to connect to the database.

connection_debug = 0

(IntOpt) Verbosity of SQL debugging information: 0=None, 100=Everything.

connection_trace = False

(BoolOpt) Add Python stack traces to SQL as comment strings.

db_inc_retry_interval = True

(BoolOpt) If True, increases the interval between database connection retries up to db_max_retry_interval.

db_max_retries = 20

(IntOpt) Maximum database connection retries before error is raised. Set to -1 to specify an infinite retry count.

db_max_retry_interval = 10

(IntOpt) If db_inc_retry_interval is set, the maximum seconds between database connection retries.

db_retry_interval = 1

(IntOpt) Seconds between database connection retries.

idle_timeout = 3600

(IntOpt) Timeout before idle SQL connections are reaped.

max_overflow = None

(IntOpt) If set, use this value for max_overflow with SQLAlchemy.

max_pool_size = None

(IntOpt) Maximum number of SQL connections to keep open in a pool.

max_retries = 10

(IntOpt) Maximum db connection retries during startup. Set to -1 to specify an infinite retry count.

metering_connection = None

(StrOpt) The connection string used to connect to the metering database. (if unset, connection is used)

min_pool_size = 1

(IntOpt) Minimum number of SQL connections to keep open in a pool.

mysql_sql_mode = TRADITIONAL

(StrOpt) The SQL mode to be used for MySQL sessions. This option, including the default, overrides any server-set SQL mode. To use whatever SQL mode is set by the server configuration, set this to no value. Example: mysql_sql_mode=

pool_timeout = None

(IntOpt) If set, use this value for pool_timeout with SQLAlchemy.

retry_interval = 10

(IntOpt) Interval between retries of opening a SQL connection.

slave_connection = None

(StrOpt) The SQLAlchemy connection string to use to connect to the slave database.

sqlite_db = oslo.sqlite

(StrOpt) The file name to use with SQLite.

sqlite_synchronous = True

(BoolOpt) If True, SQLite uses synchronous mode.

time_to_live = -1

(IntOpt) Number of seconds that samples are kept in the database for (<= 0 means forever).

use_db_reconnect = False

(BoolOpt) Enable the experimental use of database reconnect on connection lost.

use_tpool = False

(BoolOpt) Enable the experimental use of thread pooling for all DB API calls

Table 11.9. Description of logging configuration options


Configuration option = Default value

Description

[DEFAULT]
backdoor_port = None

(StrOpt) Enable eventlet backdoor. Acceptable values are 0, <port>, and <start>:<end>, where 0 results in listening on a random tcp port number; <port> results in listening on the specified port number (and not enabling backdoor if that port is in use); and <start>:<end> results in listening on the smallest unused port number within the specified range of port numbers. The chosen port is displayed in the service's log file.

disable_process_locking = False

(BoolOpt) Enables or disables inter-process locks.

nova_http_log_debug = False

(BoolOpt) Allow novaclient's debug log output.

Table 11.10. Description of events configuration options


Configuration option = Default value

Description

[event]
definitions_cfg_file = event_definitions.yaml

(StrOpt) Configuration file for event definitions.

drop_unmatched_notifications = False

(BoolOpt) Drop notifications if no event definition matches. (Otherwise, we convert them with just the default
traits)

[notification]
ack_on_event_error = True

(BoolOpt) Acknowledge message when event persistence fails.

store_events = False

(BoolOpt) Save event details.

Table 11.11. Description of exchange configuration options


Configuration option = Default value

Description

[DEFAULT]
cinder_control_exchange = cinder

(StrOpt) Exchange name for Cinder notifications.

glance_control_exchange = glance

(StrOpt) Exchange name for Glance notifications.

heat_control_exchange = heat

(StrOpt) Exchange name for Heat notifications

http_control_exchanges = ['nova', 'glance', 'neutron', 'cinder']

(MultiStrOpt) Exchanges name to listen for notifications.

ironic_exchange = ironic

(StrOpt) Exchange name for Ironic notifications.

keystone_control_exchange = keystone

(StrOpt) Exchange name for Keystone notifications.

neutron_control_exchange = neutron

(StrOpt) Exchange name for Neutron notifications.

nova_control_exchange = nova

(StrOpt) Exchange name for Nova notifications.

sahara_control_exchange = sahara

(StrOpt) Exchange name for Data Processing notifications

sample_source = openstack

(StrOpt) Source for samples emitted on this instance.

trove_control_exchange = trove

(StrOpt) Exchange name for DBaaS notifications

Table 11.12. Description of glance configuration options


Configuration option = Default value

Description

[DEFAULT]
glance_page_size = 0

(IntOpt) Number of items to request in each paginated Glance API request (parameter used by glanceclient). If this is less than or equal to 0, page size is not specified (default value in glanceclient is used).

Table 11.13. Description of inspector configuration options


Configuration option = Default value

Description

[DEFAULT]
hypervisor_inspector = libvirt

(StrOpt) Inspector to use for inspecting the hypervisor layer.

libvirt_type = kvm

(StrOpt) Libvirt domain type (valid options are: kvm, lxc, qemu, uml, xen).

libvirt_uri =

(StrOpt) Override the default libvirt URI (which is dependent on libvirt_type).

Table 11.14. Description of IPMI configuration options


Configuration option = Default value

Description

[ipmi]
node_manager_init_retry = 3

(IntOpt) Number of retries upon Intel Node Manager initialization failure

Table 11.15. Description of logging configuration options


Configuration option = Default value

Description

[DEFAULT]
debug = False

(BoolOpt) Print debugging output (set logging level to DEBUG instead of default WARNING level).

default_log_levels = amqp=WARN, amqplib=WARN, boto=WARN, qpid=WARN, sqlalchemy=WARN, suds=INFO, oslo.messaging=INFO, iso8601=WARN, requests.packages.urllib3.connectionpool=WARN, urllib3.connectionpool=WARN, websocket=WARN, keystonemiddleware=WARN, routes.middleware=WARN, stevedore=WARN

(ListOpt) List of logger=LEVEL pairs.

fatal_deprecations = False

(BoolOpt) Enables or disables fatal status of deprecations.

fatal_exception_format_errors = False

(BoolOpt) Make exception message format errors fatal

instance_format = "[instance: %(uuid)s] "

(StrOpt) The format for an instance that is passed with the log message.

instance_name_template = instance-%08x

(StrOpt) Template string to be used to generate instance names

instance_usage_audit_period = month

(StrOpt) Time period to generate instance usages for. Time period must be hour, day, month or year

instance_uuid_format = "[instance: %(uuid)s] "

(StrOpt) The format for an instance UUID that is passed with the log message.

log_config_append = None

(StrOpt) The name of a logging configuration file. This file is appended to any existing logging configuration files. For details about logging configuration files, see the Python logging module documentation.

log_date_format = %Y-%m-%d %H:%M:%S

(StrOpt) Format string for %%(asctime)s in log records. Default: %(default)s .

log_dir = None

(StrOpt) (Optional) The base directory used for relative --log-file paths.

log_file = None

(StrOpt) (Optional) Name of log file to output to. If no default is set, logging will go to stdout.

log_format = None

(StrOpt) DEPRECATED. A logging.Formatter log message format string which may use any of the available
logging.LogRecord attributes. This option is deprecated. Please use logging_context_format_string and
logging_default_format_string instead.

logging_context_format_string = %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [%(request_id)s %(user_identity)s] %(instance)s %(message)s

(StrOpt) Format string to use for log messages with context.

logging_debug_format_suffix = %(funcName)s %(pathname)s:%(lineno)d

(StrOpt) Data to append to log format when level is DEBUG.

logging_default_format_string = %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [-] %(instance)s %(message)s

(StrOpt) Format string to use for log messages without context.

logging_exception_prefix = %(asctime)s.%(msecs)03d %(process)d TRACE %(name)s %(instance)s

(StrOpt) Prefix each line of exception output with this format.

publish_errors = False

(BoolOpt) Enables or disables publication of error events.

syslog_log_facility = LOG_USER

(StrOpt) Syslog facility to receive log lines.

use_stderr = True

(BoolOpt) Log output to standard error.

use_syslog = False

(BoolOpt) Use syslog for logging. Existing syslog format is DEPRECATED during I, and will change in J to honor RFC5424.

use_syslog_rfc_format = False

(BoolOpt) (Optional) Enables or disables syslog rfc5424 format for logging. If enabled, prefixes the MSG part of the syslog message with APP-NAME (RFC5424). The format without the APP-NAME is deprecated in I, and will be removed in J.

verbose = False

(BoolOpt) Print more verbose output (set logging level to INFO instead of default WARNING level).

Table 11.16. Description of nova configuration options


Configuration option = Default value

Description

[DEFAULT]
enable_new_services = True

(BoolOpt) Services to be added to the available pool on create

monkey_patch = False

(BoolOpt) Whether to log monkey patching

monkey_patch_modules = nova.api.ec2.cloud:nova.notifications.notify_decorator, nova.compute.api:nova.notifications.notify_decorator

(ListOpt) List of modules/decorators to monkey patch

network_api_class = nova.network.api.API

(StrOpt) The full class name of the network API class to use

password_length = 12

(IntOpt) Length of generated instance admin passwords

snapshot_name_template = snapshot-%s

(StrOpt) Template string to be used to generate snapshot names

Table 11.17. Description of nova cells configuration options


Configuration option = Default value

Description

[cells]
bandwidth_update_interval = 600

(IntOpt) Seconds between bandwidth updates for cells.

call_timeout = 60

(IntOpt) Seconds to wait for response from a call to a cell.

capabilities = hypervisor=xenserver;kvm, os=linux;windows

(ListOpt) Key/Multi-value list with the capabilities of the cell

cell_type = compute

(StrOpt) Type of cell: api or compute

enable = False

(BoolOpt) Enable cell functionality

manager = nova.cells.manager.CellsManager

(StrOpt) Manager for cells

mute_child_interval = 300

(IntOpt) Number of seconds after which a lack of capability and capacity updates signals the child cell is to be treated as a mute.

name = nova

(StrOpt) Name of this cell

reserve_percent = 10.0

(FloatOpt) Percentage of cell capacity to hold in reserve. Affects both memory and disk utilization

topic = cells

(StrOpt) The topic cells nodes listen on

[upgrade_levels]
cells = None

(StrOpt) Set a version cap for messages sent to local cells services

Table 11.18. Description of Qpid configuration options


Configuration option = Default value

Description

[DEFAULT]
qpid_heartbeat = 60

(IntOpt) Seconds between connection keepalive heartbeats.

qpid_hostname = localhost

(StrOpt) Qpid broker hostname.

qpid_hosts = $qpid_hostname:$qpid_port

(ListOpt) Qpid HA cluster host:port pairs.

qpid_password =

(StrOpt) Password for Qpid connection.

qpid_port = 5672

(IntOpt) Qpid broker port.

qpid_protocol = tcp

(StrOpt) Transport to use, either 'tcp' or 'ssl'.

qpid_receiver_capacity = 1

(IntOpt) The number of prefetched messages held by receiver.

qpid_sasl_mechanisms =

(StrOpt) Space separated list of SASL mechanisms to use for auth.

qpid_tcp_nodelay = True

(BoolOpt) Whether to disable the Nagle algorithm.

qpid_topology_version = 1

(IntOpt) The qpid topology version to use. Version 1 is what was originally used by impl_qpid. Version 2 includes some backwards-incompatible changes that allow broker federation to work. Users should update to version 2 when they are able to take everything down, as it requires a clean break.

qpid_username =

(StrOpt) Username for Qpid connection.

Table 11.19. Description of RabbitMQ configuration options


Configuration option = Default value

Description

[DEFAULT]
kombu_reconnect_delay = 1.0

(FloatOpt) How long to wait before reconnecting in response to an AMQP consumer cancel notification.

kombu_ssl_ca_certs =

(StrOpt) SSL certification authority file (valid only if SSL enabled).

kombu_ssl_certfile =

(StrOpt) SSL cert file (valid only if SSL enabled).

kombu_ssl_keyfile =

(StrOpt) SSL key file (valid only if SSL enabled).

kombu_ssl_version =

(StrOpt) SSL version to use (valid only if SSL enabled). Valid values are TLSv1, SSLv23 and SSLv3. SSLv2 may be available on some distributions.

rabbit_ha_queues = False

(BoolOpt) Use HA queues in RabbitMQ (x-ha-policy: all). If you change this option, you must wipe the RabbitMQ database.

rabbit_host = localhost

(StrOpt) The RabbitMQ broker address where a single node is used.

rabbit_hosts = $rabbit_host:$rabbit_port

(ListOpt) RabbitMQ HA cluster host:port pairs.

rabbit_login_method = AMQPLAIN

(StrOpt) The RabbitMQ login method.

rabbit_max_retries = 0

(IntOpt) Maximum number of RabbitMQ connection retries. Default is 0 (infinite retry count).

rabbit_password = guest

(StrOpt) The RabbitMQ password.

rabbit_port = 5672

(IntOpt) The RabbitMQ broker port where a single node is used.

rabbit_retry_backoff = 2

(IntOpt) How long to backoff for between retries when connecting to RabbitMQ.

rabbit_retry_interval = 1

(IntOpt) How frequently to retry connecting with RabbitMQ.

rabbit_use_ssl = False

(BoolOpt) Connect over SSL for RabbitMQ.

rabbit_userid = guest

(StrOpt) The RabbitMQ userid.

rabbit_virtual_host = /

(StrOpt) The RabbitMQ virtual host.

Table 11.20. Description of Redis configuration options


Configuration option = Default value

Description

[matchmaker_redis]
host = 127.0.0.1

(StrOpt) Host to locate redis.

password = None

(StrOpt) Password for Redis server (optional).

port = 6379

(IntOpt) Use this port to connect to redis host.

[matchmaker_ring]
ringfile = /etc/oslo/matchmaker_ring.json

(StrOpt) Matchmaker ring file (JSON).

Table 11.21. Description of rootwrap configuration options


Configuration option = Default value

Description

[DEFAULT]
filters_path = /etc/ceilometer/rootwrap.d,/usr/share/ceilometer/rootwrap

List of directories to load filter definitions from (separated by ','). These directories MUST all be only writeable by root!

exec_dirs = /sbin,/usr/sbin,/bin,/usr/bin

List of directories to search executables in, in case filters do not explicitly specify a full path (separated by ','). If not specified, defaults to system PATH environment variable. These directories MUST all be only writeable by root!

use_syslog = False

Enable logging to syslog. Default value is False.

syslog_log_facility = syslog

Which syslog facility to use. Valid values include auth, authpriv, syslog, user0, user1... Default value is 'syslog'.

syslog_log_level = ERROR

Which messages to log. INFO means log all usage. ERROR means only log unsuccessful attempts.

Table 11.22. Description of RPC configuration options


Configuration option = Default value

Description

[DEFAULT]
dispatcher = ['database']

(MultiStrOpt) Dispatcher to process data.

matchmaker_heartbeat_freq = 300

(IntOpt) Heartbeat frequency.

matchmaker_heartbeat_ttl = 600

(IntOpt) Heartbeat time-to-live.

rpc_backend = ceilometer.openstack.common.rpc.impl_kombu

(StrOpt) The messaging module to use, defaults to kombu.

rpc_cast_timeout = 30

(IntOpt) Seconds to wait before a cast expires (TTL). Only supported by impl_zmq.

rpc_conn_pool_size = 30

(IntOpt) Size of RPC connection pool

rpc_response_timeout = 60

(IntOpt) Seconds to wait for a response from call or multicall

rpc_thread_pool_size = 64

(IntOpt) Size of RPC thread pool

[notification]
messaging_urls = []

(MultiStrOpt) Messaging URLs to listen for notifications. Example: transport://user:pass@host1:port[,hostN:portN]/virtual_host (DEFAULT/transport_url is used if empty)

[publisher]
metering_secret = change this or be hacked

(StrOpt) Secret value for signing metering messages.

[publisher_notifier]
metering_driver = messagingv2

(StrOpt) The driver that ceilometer uses for metering notifications.

metering_topic = metering

(StrOpt) The topic that ceilometer uses for metering notifications.

[publisher_rpc]
metering_topic = metering

(StrOpt) The topic that ceilometer uses for metering messages.

Table 11.23. Description of service types configuration options


Configuration option = Default value

Description

[service_types]
glance = image

(StrOpt) Glance service type.

kwapi = energy

(StrOpt) Kwapi service type.

neutron = network

(StrOpt) Neutron service type.

nova = compute

(StrOpt) Nova service type.

swift = object-store

(StrOpt) Swift service type.

Table 11.24. Description of swift configuration options


Configuration option = Default value

Description

[DEFAULT]
reseller_prefix = AUTH_

(StrOpt) Swift reseller prefix. Must be on par with reseller_prefix in proxy-server.conf.

Table 11.25. Description of testing configuration options


Configuration option = Default value

Description

[DEFAULT]
fake_rabbit = False

(BoolOpt) If passed, use a fake RabbitMQ provider

Table 11.26. Description of TripleO configuration options


Configuration option = Default value

Description

[hardware]
readonly_user_name = ro_snmp_user

(StrOpt) SNMPd user name of all nodes running in the cloud.

readonly_user_password = password

(StrOpt) SNMPd password of all the nodes running in the cloud

url_scheme = snmp://

(StrOpt) URL scheme to use for hardware nodes

Table 11.27. Description of VMware configuration options


Configuration option = Default value

Description

[vmware]
api_retry_count = 10

(IntOpt) Number of times a VMware Vsphere API must be retried

host_ip =

(StrOpt) IP address of the VMware Vsphere host

host_password =

(StrOpt) Password of VMware Vsphere

host_username =

(StrOpt) Username of VMware Vsphere

task_poll_interval = 0.5

(FloatOpt) Sleep time in seconds for polling an ongoing async task

wsdl_location = None

(StrOpt) Optional vim service WSDL location e.g http://<server>/vimService.wsdl. Optional over-ride to default location for bug work-arounds

Table 11.28. Description of XenAPI configuration options


Configuration option = Default value

Description

[xenapi]
connection_password = None

(StrOpt) Password for connection to XenServer/Xen Cloud Platform

connection_url = None

(StrOpt) URL for connection to XenServer/Xen Cloud Platform

connection_username = root

(StrOpt) Username for connection to XenServer/Xen Cloud Platform

login_timeout = 10

(IntOpt) Timeout in seconds for XenAPI login.

Table 11.29. Description of ZeroMQ configuration options


Configuration option = Default value

Description

[DEFAULT]
rpc_zmq_bind_address = *

(StrOpt) ZeroMQ bind address. Should be a wildcard (*), an ethernet interface, or IP. The "host" option should point or resolve to this address.

rpc_zmq_contexts = 1

(IntOpt) Number of ZeroMQ contexts, defaults to 1.

rpc_zmq_host = localhost

(StrOpt) Name of this node. Must be a valid hostname, FQDN, or IP address. Must match "host" option, if running Nova.

rpc_zmq_ipc_dir = /var/run/openstack

(StrOpt) Directory for holding IPC sockets.

rpc_zmq_matchmaker = oslo.messaging._drivers.matchmaker.MatchMakerLocalhost

(StrOpt) MatchMaker driver.

rpc_zmq_port = 9501

(IntOpt) ZeroMQ receiver listening port.

rpc_zmq_topic_backlog = None

(IntOpt) Maximum number of ingress messages to locally buffer per topic. Default is unlimited.
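
Several defaults in the tables above are publicly documented credentials or unencrypted transports (metering_secret, rabbit_password, rabbit_use_ssl, qpid_protocol, readonly_user_password). The following is an added example, not part of the OpenStack documentation or code: a small audit that loads a ceilometer.conf and reports options whose effective value is still such a default. The function names, the finding wording and the sample file contents are constructed for illustration.

```python
import configparser

# Defaults as listed in the option tables on this page.
DEFAULTS = {
    ("DEFAULT", "rpc_backend"): "ceilometer.openstack.common.rpc.impl_kombu",
    ("DEFAULT", "rabbit_password"): "guest",
    ("DEFAULT", "rabbit_use_ssl"): "False",
    ("DEFAULT", "kombu_ssl_version"): "",
    ("DEFAULT", "qpid_protocol"): "tcp",
    ("publisher", "metering_secret"): "change this or be hacked",
    ("hardware", "readonly_user_password"): "password",
}

# Protocol versions the page lists as selectable that are known to be broken.
BROKEN_SSL_VERSIONS = {"SSLv2", "SSLv3"}


def load(text):
    """Parse ceilometer.conf text.

    default_section is renamed so [DEFAULT] is an ordinary group and its
    values do not leak into other groups; interpolation is off because log
    format values contain '%'; strict=False tolerates repeated multi-valued
    options such as dispatcher=.
    """
    cfg = configparser.ConfigParser(
        interpolation=None, strict=False, default_section="__unused__")
    cfg.read_string(text)
    return cfg


def effective(cfg, section, option):
    """Value the service would use: the configured one, else the default."""
    return cfg.get(section, option,
                   fallback=DEFAULTS[(section, option)]).strip()


def is_true(value):
    return value.lower() in ("1", "true", "yes", "on")


def audit(text):
    """Return a list of (section, option, reason) findings."""
    cfg = load(text)
    findings = []

    def flag(section, option, reason):
        findings.append((section, option, reason))

    def is_default(section, option):
        return effective(cfg, section, option) == DEFAULTS[(section, option)]

    if is_default("publisher", "metering_secret"):
        flag("publisher", "metering_secret",
             "message signing secret is the documented default")
    if is_default("hardware", "readonly_user_password"):
        flag("hardware", "readonly_user_password",
             "SNMPd password is the documented default")

    # Only the broker selected by rpc_backend is checked.
    backend = effective(cfg, "DEFAULT", "rpc_backend")
    if "kombu" in backend:
        if is_default("DEFAULT", "rabbit_password"):
            flag("DEFAULT", "rabbit_password",
                 "RabbitMQ password is the documented default")
        if not is_true(effective(cfg, "DEFAULT", "rabbit_use_ssl")):
            flag("DEFAULT", "rabbit_use_ssl",
                 "connection to RabbitMQ is not over SSL")
        elif effective(cfg, "DEFAULT", "kombu_ssl_version") in BROKEN_SSL_VERSIONS:
            flag("DEFAULT", "kombu_ssl_version",
                 "broken SSL protocol version selected; use TLSv1")
    elif "qpid" in backend:
        if effective(cfg, "DEFAULT", "qpid_protocol") != "ssl":
            flag("DEFAULT", "qpid_protocol",
                 "connection to Qpid is not over SSL")
    return findings


# Constructed sample input, not taken from a real deployment.
SAMPLE = """\
[DEFAULT]
rpc_backend=ceilometer.openstack.common.rpc.impl_kombu
rabbit_userid=ceilometer
rabbit_password=constructed-example-value
rabbit_use_ssl=true
kombu_ssl_version=SSLv3
dispatcher=database
dispatcher=file
logging_exception_prefix=%(asctime)s.%(msecs)03d %(process)d TRACE %(name)s %(instance)s

[publisher]
#metering_secret=change this or be hacked
"""

if __name__ == "__main__":
    for section, option, reason in audit(SAMPLE):
        print("[%s] %s: %s" % (section, option, reason))
```

A commented-out option counts as unset, so the sample is reported for metering_secret even though the line is present in the file.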

Telemetry sample configuration files


All the files in this section can be found in the /etc/ceilometer/ directory.

ceilometer.conf
The configuration for the Telemetry services and agents is found in the
ceilometer.conf file.
This file must be modified after installation.

[DEFAULT]
#
# Options defined in ceilometer.middleware
#
# Exchanges name to listen for notifications. (multi valued)
#http_control_exchanges=nova
#http_control_exchanges=glance
#http_control_exchanges=neutron
#http_control_exchanges=cinder

#
# Options defined in ceilometer.pipeline
#
# Configuration file for pipeline definition. (string value)
#pipeline_cfg_file=pipeline.yaml

#
# Options defined in ceilometer.sample
#
# Source for samples emitted on this instance. (string value)
# Deprecated group/name - [DEFAULT]/counter_source
#sample_source=openstack

#
# Options defined in ceilometer.service
#
# Name of this node, which must be valid in an AMQP key. Can
# be an opaque identifier. For ZeroMQ only, must be a valid
# host name, FQDN, or IP address. (string value)
#host=ceilometer
# Dispatcher to process data. (multi valued)
#dispatcher=database
# Number of workers for collector service. A single
# collector is enabled by default. (integer value)
#collector_workers=1
# Number of workers for notification service. A single
# notification agent is enabled by default. (integer value)
#notification_workers=1

#
# Options defined in ceilometer.api.app
#
# The strategy to use for auth: noauth or keystone. (string
# value)
#auth_strategy=keystone
# Deploy the deprecated v1 API. (boolean value)
#enable_v1_api=true

#
# Options defined in ceilometer.compute.notifications
#
# Exchange name for Nova notifications. (string value)
#nova_control_exchange=nova

#
# Options defined in ceilometer.compute.util
#
# List of metadata prefixes reserved for metering use. (list
# value)
#reserved_metadata_namespace=metering.
# Limit on length of reserved metadata values. (integer value)
#reserved_metadata_length=256

#
# Options defined in ceilometer.compute.virt.inspector
#
# Inspector to use for inspecting the hypervisor layer.
# (string value)
#hypervisor_inspector=libvirt

#
# Options defined in ceilometer.compute.virt.libvirt.inspector
#
# Libvirt domain type (valid options are: kvm, lxc, qemu, uml,
# xen). (string value)
#libvirt_type=kvm
# Override the default libvirt URI (which is dependent on
# libvirt_type). (string value)
#libvirt_uri=

#
# Options defined in ceilometer.image.notifications
#
# Exchange name for Glance notifications. (string value)
#glance_control_exchange=glance

#
# Options defined in ceilometer.network.notifications
#
# Exchange name for Neutron notifications. (string value)
# Deprecated group/name - [DEFAULT]/quantum_control_exchange
#neutron_control_exchange=neutron

#
# Options defined in ceilometer.objectstore.swift
#
# Swift reseller prefix. Must be on par with reseller_prefix
# in proxy-server.conf. (string value)
#reseller_prefix=AUTH_

#
# Options defined in ceilometer.openstack.common.db.sqlalchemy.session
#
# The file name to use with SQLite (string value)
#sqlite_db=ceilometer.sqlite
# If True, SQLite uses synchronous mode (boolean value)
#sqlite_synchronous=true

#
# Options defined in ceilometer.openstack.common.eventlet_backdoor
#
# Enable eventlet backdoor. Acceptable values are 0, <port>,
# and <start>:<end>, where 0 results in listening on a random
# tcp port number; <port> results in listening on the
# specified port number (and not enabling backdoor if that
# port is in use); and <start>:<end> results in listening on
# the smallest unused port number within the specified range
# of port numbers. The chosen port is displayed in the
# service's log file. (string value)
#backdoor_port=<None>

#
# Options defined in ceilometer.openstack.common.lockutils
#
# Whether to disable inter-process locks. (boolean value)
#disable_process_locking=false
# Directory to use for lock files. (string value)
#lock_path=<None>

#
# Options defined in ceilometer.openstack.common.log
#
# Print debugging output (set logging level to DEBUG instead
# of default WARNING level). (boolean value)
#debug=false
# Print more verbose output (set logging level to INFO instead
# of default WARNING level). (boolean value)
#verbose=false
# Log output to standard error (boolean value)
#use_stderr=true
# Format string to use for log messages with context (string
# value)
#logging_context_format_string=%(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [%(request_id)s %(user_identity)s] %(instance)s%(message)s
# Format string to use for log messages without context
# (string value)
#logging_default_format_string=%(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [-] %(instance)s%(message)s
# Data to append to log format when level is DEBUG (string
# value)
#logging_debug_format_suffix=%(funcName)s %(pathname)s:%(lineno)d
# Prefix each line of exception output with this format
# (string value)
#logging_exception_prefix=%(asctime)s.%(msecs)03d %(process)d TRACE %(name)s %(instance)s
# List of logger=LEVEL pairs (list value)
#default_log_levels=amqp=WARN,amqplib=WARN,boto=WARN,qpid=WARN,sqlalchemy=WARN,suds=INFO,iso8601=WARN,requests.packages.urllib3.connectionpool=WARN
# Publish error events (boolean value)
#publish_errors=false
# Make deprecations fatal (boolean value)
#fatal_deprecations=false
# If an instance is passed with the log message, format it
# like this (string value)
#instance_format="[instance: %(uuid)s] "
# If an instance UUID is passed with the log message, format
# it like this (string value)
#instance_uuid_format="[instance: %(uuid)s] "
# The name of logging configuration file. It does not disable
# existing loggers, but just appends specified logging
# configuration to any other existing logging options. Please
# see the Python logging module documentation for details on
# logging configuration files. (string value)
# Deprecated group/name - [DEFAULT]/log_config
#log_config_append=<None>
# DEPRECATED. A logging.Formatter log message format string
# which may use any of the available logging.LogRecord
# attributes. This option is deprecated. Please use
# logging_context_format_string and
# logging_default_format_string instead. (string value)
#log_format=<None>
# Format string for %%(asctime)s in log records. Default:
# %(default)s (string value)
#log_date_format=%Y-%m-%d %H:%M:%S
# (Optional) Name of log file to output to. If no default is
# set, logging will go to stdout. (string value)
# Deprecated group/name - [DEFAULT]/logfile
#log_file=<None>
# (Optional) The base directory used for relative --log-file
# paths (string value)
# Deprecated group/name - [DEFAULT]/logdir
#log_dir=<None>
# Use syslog for logging. Existing syslog format is DEPRECATED
# during I, and then will be changed in J to honor RFC5424
# (boolean value)
#use_syslog=false
# (Optional) Use syslog rfc5424 format for logging. If
# enabled, will add APP-NAME (RFC5424) before the MSG part of
# the syslog message. The old format without APP-NAME is
# deprecated in I, and will be removed in J. (boolean value)
#use_syslog_rfc_format=false
# Syslog facility to receive log lines (string value)
#syslog_log_facility=LOG_USER

#
# Options defined in ceilometer.openstack.common.middleware.sizelimit
#
# The maximum body size per request, in bytes (integer value)
# Deprecated group/name - [DEFAULT]/osapi_max_request_body_size
#max_request_body_size=114688

#
# Options defined in ceilometer.openstack.common.notifier.api
#
# Driver or drivers to handle sending notifications (multi
# valued)
#notification_driver=
# Default notification level for outgoing notifications
# (string value)
#default_notification_level=INFO
# Default publisher_id for outgoing notifications (string
# value)
#default_publisher_id=<None>

#
# Options defined in ceilometer.openstack.common.notifier.rpc_notifier
#
# AMQP topic used for OpenStack notifications (list value)
#notification_topics=notifications

#
# Options defined in ceilometer.openstack.common.policy
#
# JSON file containing policy (string value)
#policy_file=policy.json
# Rule enforced when requested rule is not found (string
# value)
#policy_default_rule=default

#
# Options defined in ceilometer.openstack.common.rpc
#
# The messaging module to use, defaults to kombu. (string
# value)
#rpc_backend=ceilometer.openstack.common.rpc.impl_kombu
# Size of RPC thread pool (integer value)
#rpc_thread_pool_size=64
# Size of RPC connection pool (integer value)
#rpc_conn_pool_size=30
# Seconds to wait for a response from call or multicall
# (integer value)
#rpc_response_timeout=60
# Seconds to wait before a cast expires (TTL). Only supported
# by impl_zmq. (integer value)
#rpc_cast_timeout=30
# Modules of exceptions that are permitted to be recreated
# upon receiving exception data from an rpc call. (list value)
#allowed_rpc_exception_modules=nova.exception,cinder.exception,exceptions
# If passed, use a fake RabbitMQ provider (boolean value)
#fake_rabbit=false
# AMQP exchange to connect to if using RabbitMQ or Qpid
# (string value)
#control_exchange=openstack

#
# Options defined in ceilometer.openstack.common.rpc.amqp
#
# Use durable queues in amqp. (boolean value)
# Deprecated group/name - [DEFAULT]/rabbit_durable_queues
#amqp_durable_queues=false
# Auto-delete queues in amqp. (boolean value)
#amqp_auto_delete=false

#
# Options defined in ceilometer.openstack.common.rpc.impl_kombu
#
# If SSL is enabled, the SSL version to use. Valid values are
# TLSv1, SSLv23 and SSLv3. SSLv2 might be available on some
# distributions. (string value)
#kombu_ssl_version=
# SSL key file (valid only if SSL enabled) (string value)
#kombu_ssl_keyfile=
# SSL cert file (valid only if SSL enabled) (string value)
#kombu_ssl_certfile=
# SSL certification authority file (valid only if SSL enabled)
# (string value)
#kombu_ssl_ca_certs=
# The RabbitMQ broker address where a single node is used
# (string value)
#rabbit_host=localhost
# The RabbitMQ broker port where a single node is used
# (integer value)
#rabbit_port=5672
# RabbitMQ HA cluster host:port pairs (list value)
#rabbit_hosts=$rabbit_host:$rabbit_port
# Connect over SSL for RabbitMQ (boolean value)
#rabbit_use_ssl=false
# The RabbitMQ userid (string value)
#rabbit_userid=guest
# The RabbitMQ password (string value)
#rabbit_password=guest
# The RabbitMQ virtual host (string value)
#rabbit_virtual_host=/
# How frequently to retry connecting with RabbitMQ (integer
# value)
#rabbit_retry_interval=1
# How long to backoff for between retries when connecting to
# RabbitMQ (integer value)
#rabbit_retry_backoff=2
# Maximum number of RabbitMQ connection retries. Default is 0
# (infinite retry count) (integer value)
#rabbit_max_retries=0
# Use HA queues in RabbitMQ (x-ha-policy: all). If you change
# this option, you must wipe the RabbitMQ database. (boolean
# value)
#rabbit_ha_queues=false

#
# Options defined in ceilometer.openstack.common.rpc.impl_qpid
#
# Qpid broker hostname (string value)
#qpid_hostname=localhost
# Qpid broker port (integer value)
#qpid_port=5672
# Qpid HA cluster host:port pairs (list value)
#qpid_hosts=$qpid_hostname:$qpid_port
# Username for qpid connection (string value)
#qpid_username=
# Password for qpid connection (string value)
#qpid_password=
# Space separated list of SASL mechanisms to use for auth
# (string value)
#qpid_sasl_mechanisms=
# Seconds between connection keepalive heartbeats (integer
# value)
#qpid_heartbeat=60
# Transport to use, either 'tcp' or 'ssl' (string value)
#qpid_protocol=tcp
# Disable Nagle algorithm (boolean value)
#qpid_tcp_nodelay=true
# The qpid topology version to use. Version 1 is what was
# originally used by impl_qpid. Version 2 includes some
# backwards-incompatible changes that allow broker federation
# to work. Users should update to version 2 when they are
# able to take everything down, as it requires a clean break.
# (integer value)
#qpid_topology_version=1

#
# Options defined in ceilometer.openstack.common.rpc.impl_zmq
#
# ZeroMQ bind address. Should be a wildcard (*), an ethernet
# interface, or IP. The "host" option should point or resolve
# to this address. (string value)
#rpc_zmq_bind_address=*
# MatchMaker driver (string value)
#rpc_zmq_matchmaker=ceilometer.openstack.common.rpc.matchmaker.MatchMakerLocalhost
# ZeroMQ receiver listening port (integer value)
#rpc_zmq_port=9501
# Number of ZeroMQ contexts, defaults to 1 (integer value)
#rpc_zmq_contexts=1
# Maximum number of ingress messages to locally buffer per
# topic. Default is unlimited. (integer value)
#rpc_zmq_topic_backlog=<None>
# Directory for holding IPC sockets (string value)
#rpc_zmq_ipc_dir=/var/run/openstack
# Name of this node. Must be a valid hostname, FQDN, or IP
# address. Must match "host" option, if running Nova. (string
# value)
#rpc_zmq_host=ceilometer

#
# Options defined in ceilometer.openstack.common.rpc.matchmaker
#
# Heartbeat frequency (integer value)
#matchmaker_heartbeat_freq=300
# Heartbeat time-to-live. (integer value)
#matchmaker_heartbeat_ttl=600

#
# Options defined in ceilometer.orchestration.notifications
#
# Exchange name for Heat notifications (string value)
#heat_control_exchange=heat

#
# Options defined in ceilometer.storage
#
# DEPRECATED - Database connection string. (string value)
#database_connection=<None>

#
# Options defined in ceilometer.storage.sqlalchemy.models
#
# MySQL engine to use. (string value)
#mysql_engine=InnoDB

#
# Options defined in ceilometer.volume.notifications
#
# Exchange name for Cinder notifications. (string value)
#cinder_control_exchange=cinder

[alarm]
#
# Options defined in ceilometer.cli
#
# Class to launch as alarm evaluation service. (string value)
#evaluation_service=ceilometer.alarm.service.SingletonAlarmService

#
# Options defined in ceilometer.alarm.notifier.rest
#
# SSL Client certificate for REST notifier. (string value)
#rest_notifier_certificate_file=
# SSL Client private key for REST notifier. (string value)
#rest_notifier_certificate_key=
# Whether to verify the SSL Server certificate when calling
# alarm action. (boolean value)
#rest_notifier_ssl_verify=true

#
# Options defined in ceilometer.alarm.rpc
#
# The topic that ceilometer uses for alarm notifier messages.
# (string value)
#notifier_rpc_topic=alarm_notifier
# The topic that ceilometer uses for alarm partition
# coordination messages. (string value)
#partition_rpc_topic=alarm_partition_coordination

#
# Options defined in ceilometer.alarm.service
#
# Period of evaluation cycle, should be >= than configured
# pipeline interval for collection of underlying metrics.
# (integer value)
# Deprecated group/name - [alarm]/threshold_evaluation_interval
#evaluation_interval=60

#
# Options defined in ceilometer.api.controllers.v2
#
# Record alarm change events. (boolean value)
#record_history=true

[api]
#
# Options defined in ceilometer.api
#
# The port for the ceilometer API server. (integer value)
# Deprecated group/name - [DEFAULT]/metering_api_port
#port=8777
# The listen IP for the ceilometer API server. (string value)
#host=0.0.0.0

[collector]
#
# Options defined in ceilometer.collector
#
# Address to which the UDP socket is bound. Set to an empty
# string to disable. (string value)
#udp_address=0.0.0.0
# Port to which the UDP socket is bound. (integer value)
#udp_port=4952

[database]
#
# Options defined in ceilometer.openstack.common.db.api
#
# The backend to use for db (string value)
# Deprecated group/name - [DEFAULT]/db_backend
#backend=sqlalchemy

#
# Options defined in ceilometer.openstack.common.db.sqlalchemy.session
#
# The SQLAlchemy connection string used to connect to the
# database (string value)
# Deprecated group/name - [DEFAULT]/sql_connection
# Deprecated group/name - [DATABASE]/sql_connection
# Deprecated group/name - [sql]/connection
#connection=sqlite:////ceilometer/openstack/common/db/$sqlite_db
# The SQLAlchemy connection string used to connect to the
# slave database (string value)
#slave_connection=
# Timeout before idle sql connections are reaped (integer
# value)
# Deprecated group/name - [DEFAULT]/sql_idle_timeout
# Deprecated group/name - [DATABASE]/sql_idle_timeout
# Deprecated group/name - [sql]/idle_timeout
#idle_timeout=3600
# Minimum number of SQL connections to keep open in a pool
# (integer value)
# Deprecated group/name - [DEFAULT]/sql_min_pool_size
# Deprecated group/name - [DATABASE]/sql_min_pool_size
#min_pool_size=1
# Maximum number of SQL connections to keep open in a pool
# (integer value)
# Deprecated group/name - [DEFAULT]/sql_max_pool_size
# Deprecated group/name - [DATABASE]/sql_max_pool_size
#max_pool_size=<None>
# Maximum db connection retries during startup. (setting -1
# implies an infinite retry count) (integer value)
# Deprecated group/name - [DEFAULT]/sql_max_retries
# Deprecated group/name - [DATABASE]/sql_max_retries
#max_retries=10
# Interval between retries of opening a sql connection
# (integer value)
# Deprecated group/name - [DEFAULT]/sql_retry_interval
# Deprecated group/name - [DATABASE]/reconnect_interval
#retry_interval=10
# If set, use this value for max_overflow with sqlalchemy
# (integer value)
# Deprecated group/name - [DEFAULT]/sql_max_overflow
# Deprecated group/name - [DATABASE]/sqlalchemy_max_overflow
#max_overflow=<None>
# Verbosity of SQL debugging information. 0=None,
# 100=Everything (integer value)
# Deprecated group/name - [DEFAULT]/sql_connection_debug
#connection_debug=0
# Add python stack traces to SQL as comment strings (boolean
# value)
# Deprecated group/name - [DEFAULT]/sql_connection_trace
#connection_trace=false
# If set, use this value for pool_timeout with sqlalchemy
# (integer value)
# Deprecated group/name - [DATABASE]/sqlalchemy_pool_timeout
#pool_timeout=<None>

#
# Options defined in ceilometer.storage
#
# Number of seconds that samples are kept in the database for
# (<= 0 means forever). (integer value)
#time_to_live=-1

[dispatcher_file]
#
# Options defined in ceilometer.dispatcher.file
#
# Name and the location of the file to record meters. (string
# value)
#file_path=<None>
# The max size of the file. (integer value)
#max_bytes=0
# The max number of the files to keep. (integer value)
#backup_count=0

[event]
#
# Options defined in ceilometer.event.converter
#
# Configuration file for event definitions. (string value)
#definitions_cfg_file=event_definitions.yaml
# Drop notifications if no event definition matches.
# (Otherwise, we convert them with just the default traits)
# (boolean value)
#drop_unmatched_notifications=false

[keystone_authtoken]
#
# Options defined in keystoneclient.middleware.auth_token
#
# Prefix to prepend at the beginning of the path (string
# value)
#auth_admin_prefix=
# Host providing the admin Identity API endpoint (string
# value)
#auth_host=127.0.0.1
# Port of the admin Identity API endpoint (integer value)
#auth_port=35357
# Protocol of the admin Identity API endpoint (http or https)
# (string value)
#auth_protocol=https
# Complete public Identity API endpoint (string value)
#auth_uri=<None>
# API version of the admin Identity API endpoint (string
# value)
#auth_version=<None>
# Do not handle authorization requests within the middleware,
# but delegate the authorization decision to downstream WSGI
# components (boolean value)
#delay_auth_decision=false
# Request timeout value for communicating with Identity API
# server. (boolean value)
#http_connect_timeout=<None>
# How many times are we trying to reconnect when communicating
# with Identity API Server. (integer value)
#http_request_max_retries=3
# Allows to pass in the name of a fake http_handler callback
# function used instead of httplib.HTTPConnection or
# httplib.HTTPSConnection. Useful for unit testing where
# network is not available. (string value)
#http_handler=<None>
# Single shared secret with the Keystone configuration used
# for bootstrapping a Keystone installation, or otherwise
# bypassing the normal authentication process. (string value)
#admin_token=<None>
# Keystone account username (string value)
#admin_user=<None>
# Keystone account password (string value)
#admin_password=<None>
# Keystone service account tenant name to validate user tokens
# (string value)
#admin_tenant_name=admin
# Env key for the swift cache (string value)
#cache=<None>
# Required if Keystone server requires client certificate
# (string value)
#certfile=<None>
# Required if Keystone server requires client certificate
# (string value)
#keyfile=<None>
# A PEM encoded Certificate Authority to use when verifying
# HTTPS connections. Defaults to system CAs. (string value)
#cafile=<None>
# Verify HTTPS connections. (boolean value)
#insecure=false
# Directory used to cache files related to PKI tokens (string
# value)
#signing_dir=<None>
# If defined, the memcache server(s) to use for caching (list
# value)
# Deprecated group/name - [DEFAULT]/memcache_servers
#memcached_servers=<None>
# In order to prevent excessive requests and validations, the
# middleware uses an in-memory cache for the tokens the
# Keystone API returns. This is only valid if memcache_servers
# is defined. Set to -1 to disable caching completely.
# (integer value)
#token_cache_time=300
# Value only used for unit testing (integer value)
#revocation_cache_time=1
# (optional) if defined, indicate whether token data should be
# authenticated or authenticated and encrypted. Acceptable
# values are MAC or ENCRYPT. If MAC, token data is
# authenticated (with HMAC) in the cache. If ENCRYPT, token
# data is encrypted and authenticated in the cache. If the
# value is not one of these options or empty, auth_token will
# raise an exception on initialization. (string value)
#memcache_security_strategy=<None>
# (optional, mandatory if memcache_security_strategy is
# defined) this string is used for key derivation. (string
# value)
#memcache_secret_key=<None>
# (optional) indicate whether to set the X-Service-Catalog
# header. If False, middleware will not ask for service
# catalog on token validation and will not set the X-Service-
# Catalog header. (boolean value)
#include_service_catalog=true
# Used to control the use and type of token binding. Can be
# set to: "disabled" to not check token binding. "permissive"
# (default) to validate binding information if the bind type
# is of a form known to the server and ignore it if not.
# "strict" like "permissive" but if the bind type is unknown
# the token will be rejected. "required" any form of token
# binding is needed to be allowed. Finally the name of a
# binding method that must be present in tokens. (string
# value)
#enforce_token_bind=permissive

[matchmaker_redis]
#
# Options defined in ceilometer.openstack.common.rpc.matchmaker_redis
#
# Host to locate redis (string value)
#host=127.0.0.1
# Use this port to connect to redis host. (integer value)
#port=6379
# Password for Redis server. (optional) (string value)
#password=<None>

[matchmaker_ring]
#
# Options defined in ceilometer.openstack.common.rpc.matchmaker_ring
#
# Matchmaker ring file (JSON) (string value)
# Deprecated group/name - [DEFAULT]/matchmaker_ringfile
#ringfile=/etc/oslo/matchmaker_ring.json

[notification]
#
# Options defined in ceilometer.notification
#
# Acknowledge message when event persistence fails. (boolean
# value)
#ack_on_event_error=true
# Save event details. (boolean value)
#store_events=false

[publisher]
#
# Options defined in ceilometer.publisher.utils
#
# Secret value for signing metering messages. (string value)
# Deprecated group/name - [DEFAULT]/metering_secret
# Deprecated group/name - [publisher_rpc]/metering_secret
#metering_secret=change this or be hacked

[publisher_rpc]
#
# Options defined in ceilometer.publisher.rpc
#
# The topic that ceilometer uses for metering messages.
# (string value)
#metering_topic=metering

[rpc_notifier2]
#
# Options defined in ceilometer.openstack.common.notifier.rpc_notifier2
#
# AMQP topic(s) used for OpenStack notifications (list value)
#topics=notifications

[service_credentials]
#
# Options defined in ceilometer.service
#
# User name to use for OpenStack service access. (string
# value)
#os_username=ceilometer
# Password to use for OpenStack service access. (string value)
#os_password=admin
# Tenant ID to use for OpenStack service access. (string
# value)
#os_tenant_id=
# Tenant name to use for OpenStack service access. (string
# value)
#os_tenant_name=admin
# Certificate chain for SSL validation. (string value)
#os_cacert=<None>
# Auth URL to use for OpenStack service access. (string value)
#os_auth_url=http://localhost:5000/v2.0
# Region name to use for OpenStack service endpoints. (string
# value)
#os_region_name=<None>

# Type of endpoint in Identity service catalog to use for
# communication with OpenStack services. (string value)
#os_endpoint_type=publicURL
# Disables X.509 certificate validation when an SSL connection
# to Identity Service is established. (boolean value)
#insecure=false

[ssl]
#
# Options defined in ceilometer.openstack.common.sslutils
#
# CA certificate file to use to verify connecting clients
# (string value)
#ca_file=<None>
# Certificate file to use when starting the server securely
# (string value)
#cert_file=<None>
# Private key file to use when starting the server securely
# (string value)
#key_file=<None>

[vmware]
#
# Options defined in ceilometer.compute.virt.vmware.inspector
#
# IP address of the VMware Vsphere host (string value)
#host_ip=
# Username of VMware Vsphere (string value)
#host_username=
# Password of VMware Vsphere (string value)
#host_password=
# Number of times a VMware Vsphere API must be retried
# (integer value)
#api_retry_count=10
# Sleep time in seconds for polling an ongoing async task
# (floating point value)
#task_poll_interval=0.5
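
The check below is an added example, not part of the original reference or of ceilometer. It audits a ceilometer.conf for the security-sensitive options shown in the sample above, falling back to the printed default when an option is commented out and honouring the deprecated group/name aliases; both sample files and all placeholder secrets are constructed.

```python
import configparser

# Defaults printed in the sample file on this page. A commented-out option
# still takes its default at run time, so the audit falls back to these.
PAGE_DEFAULTS = {
    ("publisher", "metering_secret"): "change this or be hacked",
    ("service_credentials", "os_password"): "admin",
    ("service_credentials", "insecure"): "false",
    ("keystone_authtoken", "insecure"): "false",
    ("keystone_authtoken", "auth_protocol"): "https",
}
# "Deprecated group/name" aliases listed on this page for two of the options.
ALIASES = {
    ("publisher", "metering_secret"): [("DEFAULT", "metering_secret"),
                                       ("publisher_rpc", "metering_secret")],
    ("keystone_authtoken", "memcached_servers"): [("DEFAULT", "memcache_servers")],
}
STRATEGIES = ("MAC", "ENCRYPT")  # acceptable values named in the help text

# Constructed sample input; the token is a placeholder, not a real secret.
WEAK_CONF = """\
[DEFAULT]
metering_secret=change this or be hacked
memcache_servers=10.0.0.5:11211

[keystone_authtoken]
auth_protocol=http
admin_token=CONSTRUCTED-PLACEHOLDER-TOKEN
insecure=True

[service_credentials]
os_username=ceilometer
#os_password=admin
"""

# Constructed corrected counterpart (placeholder secrets).
HARDENED_CONF = """\
[keystone_authtoken]
auth_protocol=https
memcached_servers=10.0.0.5:11211
memcache_security_strategy=ENCRYPT
memcache_secret_key=CONSTRUCTED-PLACEHOLDER-KEY

[service_credentials]
os_password=CONSTRUCTED-PLACEHOLDER-PASSWORD

[publisher]
metering_secret=CONSTRUCTED-PLACEHOLDER-SECRET
"""


def effective(parser, section, option):
    """Value from the file (or a deprecated alias), else the page default."""
    for sec, opt in [(section, option)] + ALIASES.get((section, option), []):
        if parser.has_option(sec, opt):
            return parser.get(sec, opt).strip() or None
    return PAGE_DEFAULTS.get((section, option))


def audit(text):
    """Return sorted (section, option, reason) findings for a config text."""
    # default_section is renamed so [DEFAULT] parses as an ordinary section
    # and its keys do not leak into every other section.
    parser = configparser.ConfigParser(
        interpolation=None, strict=False, default_section="__unused__")
    parser.read_string(text)
    findings = []

    def check(section, option, is_bad, reason):
        if is_bad(effective(parser, section, option)):
            findings.append((section, option, reason))

    check("publisher", "metering_secret",
          lambda v: v in (None, "change this or be hacked"),
          "signing secret is empty or the published default")
    check("service_credentials", "os_password", lambda v: v in (None, "admin"),
          "service password is empty or the published default")
    for section in ("keystone_authtoken", "service_credentials"):
        check(section, "insecure",
              lambda v: (v or "").lower() in ("true", "1", "yes", "on"),
              "X.509 certificate validation is disabled")
    check("keystone_authtoken", "auth_protocol",
          lambda v: (v or "").lower() != "https",
          "admin Identity API is reached without TLS")
    check("keystone_authtoken", "admin_token", lambda v: v is not None,
          "shared secret that bypasses the normal authentication process")

    group = "keystone_authtoken"
    servers = effective(parser, group, "memcached_servers")
    strategy = effective(parser, group, "memcache_security_strategy")
    check(group, "memcache_security_strategy",
          lambda v: v is None and servers is not None,
          "cached token data is neither authenticated nor encrypted")
    check(group, "memcache_security_strategy",
          lambda v: v is not None and v not in STRATEGIES,
          "not MAC or ENCRYPT; auth_token raises on initialization")
    check(group, "memcache_secret_key",
          lambda v: v is None and strategy in STRATEGIES,
          "mandatory for key derivation once a strategy is set")
    return sorted(findings)
```

Calling audit(WEAK_CONF) reports six options, two of them only because a default or a deprecated alias is in effect; audit(HARDENED_CONF) reports none.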

event_definitions.yaml
The event_definitions.yaml file defines how events received from other OpenStack
components should be translated to Telemetry samples.
You should not need to modify this file.


---
- event_type: compute.instance.*
  traits: &instance_traits
    tenant_id:
      fields: payload.tenant_id
    user_id:
      fields: payload.user_id
    instance_id:
      fields: payload.instance_id
    host:
      fields: publisher_id
      plugin:
        name: split
        parameters:
          segment: 1
          max_split: 1
    service:
      fields: publisher_id
      plugin: split
    memory_mb:
      type: int
      fields: payload.memory_mb
    disk_gb:
      type: int
      fields: payload.disk_gb
    root_gb:
      type: int
      fields: payload.root_gb
    ephemeral_gb:
      type: int
      fields: payload.ephemeral_gb
    vcpus:
      type: int
      fields: payload.vcpus
    instance_type_id:
      type: int
      fields: payload.instance_type_id
    instance_type:
      fields: payload.instance_type
    state:
      fields: payload.state
    os_architecture:
      fields: payload.image_meta.'org.openstack__1__architecture'
    os_version:
      fields: payload.image_meta.'org.openstack__1__os_version'
    os_distro:
      fields: payload.image_meta.'org.openstack__1__os_distro'
    launched_at:
      type: datetime
      fields: payload.launched_at
    deleted_at:
      type: datetime
      fields: payload.deleted_at
- event_type: compute.instance.exists
  traits:
    <<: *instance_traits
    audit_period_beginning:
      type: datetime
      fields: payload.audit_period_beginning
    audit_period_ending:
      type: datetime
      fields: payload.audit_period_ending

pipeline.yaml
Pipelines describe a coupling between sources of samples and the corresponding sinks for
transformation and publication of the data. They are defined in the pipeline.yaml file.
You should not need to modify this file.
---
sources:
    - name: meter_source
      interval: 600
      meters:
          - "*"
      sinks:
          - meter_sink
    - name: cpu_source
      interval: 600
      meters:
          - "cpu"
      sinks:
          - cpu_sink
    - name: disk_source
      interval: 600
      meters:
          - "disk.read.bytes"
          - "disk.read.requests"
          - "disk.write.bytes"
          - "disk.write.requests"
      sinks:
          - disk_sink
    - name: network_source
      interval: 600
      meters:
          - "network.incoming.bytes"
          - "network.incoming.packets"
          - "network.outgoing.bytes"
          - "network.outgoing.packets"
      sinks:
          - network_sink
sinks:
    - name: meter_sink
      transformers:
      publishers:
          - rpc://
    - name: cpu_sink
      transformers:
          - name: "rate_of_change"
            parameters:
                target:
                    name: "cpu_util"
                    unit: "%"
                    type: "gauge"
                    scale: "100.0 / (10**9 * (resource_metadata.cpu_number or 1))"
      publishers:
          - rpc://
    - name: disk_sink
      transformers:
          - name: "rate_of_change"
            parameters:
                source:
                    map_from:
                        name: "disk\\.(read|write)\\.(bytes|requests)"
                        unit: "(B|request)"
                target:
                    map_to:
                        name: "disk.\\1.\\2.rate"
                        unit: "\\1/s"
                    type: "gauge"
      publishers:
          - rpc://
    - name: network_sink
      transformers:
          - name: "rate_of_change"
            parameters:
                source:
                    map_from:
                        name: "network\\.(incoming|outgoing)\\.(bytes|packets)"
                        unit: "(B|packet)"
                target:
                    map_to:
                        name: "network.\\1.\\2.rate"
                        unit: "\\1/s"
                    type: "gauge"
      publishers:
          - rpc://
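
What the rate_of_change parameters of cpu_sink and disk_sink express, worked through on two constructed readings. This is an added illustration, not ceilometer's implementation: it assumes the derived volume is the change in volume divided by the elapsed seconds, times the scale, and that map_from/map_to are applied as a regular-expression substitution. The sample() helper, the "ns" unit of the cpu meter and the sample values are assumptions.

```python
import re
from datetime import datetime, timedelta

# Transformer parameters of cpu_sink and disk_sink from pipeline.yaml.
# In a double-quoted YAML string "\\." is the regex \. and "\\1" is group 1.
SINKS = {
    "cpu_sink": {
        "target": {"name": "cpu_util", "unit": "%", "type": "gauge"},
        # scale: "100.0 / (10**9 * (resource_metadata.cpu_number or 1))"
        "scale": lambda md: 100.0 / (10**9 * (md.get("cpu_number") or 1)),
    },
    "disk_sink": {
        "map_from": {"name": r"disk\.(read|write)\.(bytes|requests)",
                     "unit": r"(B|request)"},
        "map_to": {"name": r"disk.\1.\2.rate", "unit": r"\1/s"},
        "target": {"type": "gauge"},
    },
}


def sample(name, unit, volume, minute, **metadata):
    """Constructed cumulative sample taken `minute` minutes after a fixed T0."""
    return {"name": name, "unit": unit, "type": "cumulative", "volume": volume,
            "timestamp": datetime(2014, 10, 7) + timedelta(minutes=minute),
            "resource_metadata": metadata}


def rate_of_change(sink, previous, current):
    """Derive a rate sample from two readings of one cumulative meter.

    Returns None when the name does not match the sink's map_from pattern
    or when the two readings do not span a positive time interval.
    """
    params = SINKS[sink]
    derived = dict(current)
    if "map_from" in params:
        if not re.fullmatch(params["map_from"]["name"], current["name"]):
            return None
        for attr in ("name", "unit"):
            derived[attr] = re.sub(params["map_from"][attr],
                                   params["map_to"][attr], current[attr])
    derived.update(params["target"])
    seconds = (current["timestamp"] - previous["timestamp"]).total_seconds()
    if seconds <= 0:
        return None
    scale = params.get("scale", lambda md: 1.0)(current["resource_metadata"])
    derived["volume"] = (current["volume"] - previous["volume"]) / seconds * scale
    return derived
```

With the 600-second interval used by every source above, 30e9 ns of CPU time on a 2-vCPU instance becomes a cpu_util of 2.5 %, and 600000 bytes read become 1000 B/s under the name disk.read.bytes.rate.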

policy.json
The policy.json file defines additional access controls that apply to the Telemetry service.
{
    "context_is_admin": [["role:admin"]]
}

New, updated and deprecated options in Juno for Telemetry

Table 11.30. New options

| Option = default value | (Type) Help string |
| --- | --- |
| [DEFAULT] api_paste_config = api_paste.ini | (StrOpt) Configuration file for WSGI definition of API. |
| [DEFAULT] enable_new_services = True | (BoolOpt) Services to be added to the available pool on create |
| [DEFAULT] fatal_exception_format_errors = False | (BoolOpt) Make exception message format errors fatal |
| [DEFAULT] glance_page_size = 0 | (IntOpt) Number of items to request in each paginated Glance API request (parameter used by glanceclient). If this is less than or equal to 0, page size is not specified (default value in glanceclient is used). |
| [DEFAULT] instance_name_template = instance-%08x | (StrOpt) Template string to be used to generate instance names |
| [DEFAULT] instance_usage_audit_period = month | (StrOpt) Time period to generate instance usages for. Time period must be hour, day, month or year |
| [DEFAULT] ironic_exchange = ironic | (StrOpt) Exchange name for Ironic notifications. |
| [DEFAULT] keystone_control_exchange = keystone | (StrOpt) Exchange name for Keystone notifications. |
| [DEFAULT] monkey_patch = False | (BoolOpt) Whether to log monkey patching |
| [DEFAULT] monkey_patch_modules = ['nova.api.ec2.cloud:nova.notifications.notify_decorator', 'nova.compute.api:nova.notifications.notify_decorator'] | (ListOpt) List of modules/decorators to monkey patch |
| [DEFAULT] network_api_class = nova.network.api.API | (StrOpt) The full class name of the network API class to use |
| [DEFAULT] nova_http_log_debug = False | (BoolOpt) Allow novaclient's debug log output. |
| [DEFAULT] password_length = 12 | (IntOpt) Length of generated instance admin passwords |
| [DEFAULT] qpid_receiver_capacity = 1 | (IntOpt) The number of prefetched messages held by receiver. |
| [DEFAULT] rabbit_login_method = AMQPLAIN | (StrOpt) the RabbitMQ login method |
| [DEFAULT] rootwrap_config = /etc/ceilometer/rootwrap.conf | (StrOpt) Path to the rootwrap configuration file to use for running commands as root |
| [DEFAULT] sahara_control_exchange = sahara | (StrOpt) Exchange name for Data Processing notifications |
| [DEFAULT] snapshot_name_template = snapshot-%s | (StrOpt) Template string to be used to generate snapshot names |
| [DEFAULT] transport_url = None | (StrOpt) A URL representing the messaging driver to use and its full configuration. If not set, we fall back to the rpc_backend option and driver specific configuration. |
| [DEFAULT] trove_control_exchange = trove | (StrOpt) Exchange name for DBaaS notifications |
| [alarm] project_alarm_quota = None | (IntOpt) Maximum number of alarms defined for a project. |
| [alarm] rest_notifier_max_retries = 0 | (IntOpt) Number of retries for REST notifier |
| [alarm] user_alarm_quota = None | (IntOpt) Maximum number of alarms defined for a user. |
| [api] enable_reverse_dns_lookup = False | (BoolOpt) Set it to False if your environment does not need or have dns server, otherwise it will delay the response from api. |
| [api] pecan_debug = False | (BoolOpt) Toggle Pecan Debug Middleware. Defaults to global debug value. |
| [central] partitioning_group_prefix = None | (StrOpt) Work-load partitioning group prefix. Use only if you want to run multiple central agents with different config files. For each sub-group of the central agent pool with the same partitioning_group_prefix a disjoint subset of pollsters should be loaded. |
| [collector] requeue_sample_on_dispatcher_error = False | (BoolOpt) Requeue the sample on the collector sample queue when the collector fails to dispatch it. This is only valid if the sample comes from the notifier publisher |
| [compute] workload_partitioning = False | (BoolOpt) Enable work-load partitioning, allowing multiple compute agents to be run simultaneously. |
| [coordination] backend_url = None | (StrOpt) The backend URL to use for distributed coordination. If left empty, per-deployment central agent and per-host compute agent won't do workload partitioning and will only function correctly if a single instance of that service is running. |
| [coordination] heartbeat = 1.0 | (FloatOpt) Number of seconds between heartbeats for distributed coordination (float) |
| [database] alarm_connection = None | (StrOpt) The connection string used to connect to the alarm database. (if unset, connection is used) |
| [database] db_inc_retry_interval = True | (BoolOpt) If True, increases the interval between database connection retries up to db_max_retry_interval. |
| [database] db_max_retries = 20 | (IntOpt) Maximum database connection retries before error is raised. Set to -1 to specify an infinite retry count. |
| [database] db_max_retry_interval = 10 | (IntOpt) If db_inc_retry_interval is set, the maximum seconds between database connection retries. |
| [database] db_retry_interval = 1 | (IntOpt) Seconds between database connection retries. |
| [database] metering_connection = None | (StrOpt) The connection string used to connect to the metering database. (if unset, connection is used) |
| [database] mysql_sql_mode = TRADITIONAL | (StrOpt) The SQL mode to be used for MySQL sessions. This option, including the default, overrides any server-set SQL mode. To use whatever SQL mode is set by the server configuration, set this to no value. Example: mysql_sql_mode= |
| [database] sqlite_db = oslo.sqlite | (StrOpt) The file name to use with SQLite. |
| [database] sqlite_synchronous = True | (BoolOpt) If True, SQLite uses synchronous mode. |
| [database] use_db_reconnect = False | (BoolOpt) Enable the experimental use of database reconnect on connection lost. |
| [database] use_tpool = False | (BoolOpt) Enable the experimental use of thread pooling for all DB API calls |
| [hardware] readonly_user_name = ro_snmp_user | (StrOpt) SNMPd user name of all nodes running in the cloud. |
| [hardware] readonly_user_password = password | (StrOpt) SNMPd password of all the nodes running in the cloud |
| [hardware] url_scheme = snmp:// | (StrOpt) URL scheme to use for hardware nodes |
| [ipmi] node_manager_init_retry = 3 | (IntOpt) Number of retries upon Intel Node Manager initialization failure |
| [keystone_authtoken] check_revocations_for_cached = False | (BoolOpt) If true, the revocation list will be checked for cached tokens. This requires that PKI tokens are configured on the Keystone server. |
| [keystone_authtoken] hash_algorithms = ['md5'] | (ListOpt) Hash algorithms to use for hashing PKI tokens. This may be a single algorithm or multiple. The algorithms are those supported by Python standard hashlib.new(). The hashes will be tried in the order given, so put the preferred one first for performance. The result of the first hash will be stored in the cache. This will typically be set to multiple values only while migrating from a less secure algorithm to a more secure one. Once all the old tokens are expired this option should be set to a single value for better performance. |
| [keystone_authtoken] identity_uri = None | (StrOpt) Complete admin Identity API endpoint. This should specify the unversioned root endpoint e.g. https://localhost:35357/ |
| [notification] messaging_urls = [] | (MultiStrOpt) Messaging URLs to listen for notifications. Example: transport://user:pass@host1:port[,hostN:portN]/virtual_host (DEFAULT/transport_url is used if empty) |
| [publisher_notifier] metering_driver = messagingv2 | (StrOpt) The driver that ceilometer uses for metering notifications. |
| [publisher_notifier] metering_topic = metering | (StrOpt) The topic that ceilometer uses for metering notifications. |
| [service_types] glance = image | (StrOpt) Glance service type. |
| [service_types] kwapi = energy | (StrOpt) Kwapi service type. |
| [service_types] neutron = network | (StrOpt) Neutron service type. |
| [service_types] nova = compute | (StrOpt) Nova service type. |
| [service_types] swift = object-store | (StrOpt) Swift service type. |
| [upgrade_levels] cells = None | (StrOpt) Set a version cap for messages sent to local cells services |
| [vmware] wsdl_location = None | (StrOpt) Optional vim service WSDL location e.g http://<server>/vimService.wsdl. Optional over-ride to default location for bug work-arounds |
| [xenapi] connection_password = None | (StrOpt) Password for connection to XenServer/Xen Cloud Platform |
| [xenapi] connection_url = None | (StrOpt) URL for connection to XenServer/Xen Cloud Platform |
| [xenapi] connection_username = root | (StrOpt) Username for connection to XenServer/Xen Cloud Platform |
| [xenapi] login_timeout = 10 | (IntOpt) Timeout in seconds for XenAPI login. |

Table 11.31. New default values

| Option | Previous default value | New default value |
| --- | --- | --- |
| [DEFAULT] default_log_levels | amqp=WARN, amqplib=WARN, boto=WARN, qpid=WARN, sqlalchemy=WARN, suds=INFO, iso8601=WARN, requests.packages.urllib3.connectionpool=WARN | amqp=WARN, amqplib=WARN, boto=WARN, qpid=WARN, sqlalchemy=WARN, suds=INFO, oslo.messaging=INFO, iso8601=WARN, requests.packages.urllib3.connectionpool=WARN, urllib3.connectionpool=WARN, websocket=WARN, keystonemiddleware=WARN, routes.middleware=WARN, stevedore=WARN |
| [DEFAULT] rpc_zmq_matchmaker | ceilometer.openstack.common.rpc.matchmaker.MatchMakerLocalhost | oslo.messaging._drivers.matchmaker.MatchMakerLocalhost |
| [database] connection | sqlite:////home/gpocentek/Workspace/OpenStack/openstack-doc-tools/autogenerate_config_docs/sources/ceilometer/ceilometer/openstack/common/db/$sqlite_db | None |
| [database] slave_connection | | None |
| [keystone_authtoken] revocation_cache_time | 300 | 10 |

Table 11.32. Deprecated options

| Deprecated option | New Option |
| --- | --- |
| [rpc_notifier2] topics | [DEFAULT] notification_topics |

Appendix A. Firewalls and default ports


On some deployments, such as ones where restrictive firewalls are in place, you might need
to manually configure a firewall to permit OpenStack service traffic.
To manually configure a firewall, you must permit traffic through the ports that each OpenStack service uses. This table lists the default ports that each OpenStack service uses:

Table A.1. Default ports that OpenStack components use

| OpenStack service | Default ports | Port type |
| --- | --- | --- |
| Block Storage (cinder) | 8776 | publicurl and adminurl |
| Compute (nova) endpoints | 8774 | publicurl and adminurl |
| Compute API (nova-api) | 8773, 8775 | |
| Compute ports for access to virtual machine consoles | 5900-5999 | |
| Compute VNC proxy for browsers (openstack-nova-novncproxy) | 6080 | |
| Compute VNC proxy for traditional VNC clients (openstack-nova-xvpvncproxy) | 6081 | |
| Proxy port for HTML5 console used by Compute service | 6082 | |
| Identity service (keystone) administrative endpoint | 35357 | adminurl |
| Identity service public endpoint | 5000 | publicurl |
| Image Service (glance) API | 9292 | publicurl and adminurl |
| Image Service registry | 9191 | |
| Networking (neutron) | 9696 | publicurl and adminurl |
| Object Storage (swift) | 6000, 6001, 6002 | |
| Orchestration (heat) endpoint | 8004 | publicurl and adminurl |
| Orchestration AWS CloudFormation-compatible API (openstack-heat-api-cfn) | 8000 | |
| Orchestration AWS CloudWatch-compatible API (openstack-heat-api-cloudwatch) | 8003 | |
| Telemetry (ceilometer) | 8777 | publicurl and adminurl |

To function properly, some OpenStack components depend on other, non-OpenStack services. For example, the OpenStack dashboard uses HTTP for non-secure communication. In
this case, you must configure the firewall to allow traffic to and from HTTP.
This table lists the ports that other OpenStack components use:

Table A.2. Default ports that secondary services related to OpenStack components use

| Service | Default port | Used by |
| --- | --- | --- |
| HTTP | 80 | OpenStack dashboard (Horizon) when it is not configured to use secure access. |
| HTTP alternate | 8080 | OpenStack Object Storage (swift) service. |
| HTTPS | 443 | Any OpenStack service that is enabled for SSL, especially secure-access dashboard. |
| rsync | 873 | OpenStack Object Storage. Required. |
| iSCSI target | 3260 | OpenStack Block Storage. Required. |
| MySQL database service | 3306 | Most OpenStack components. |
| Message Broker (AMQP traffic) | 5672 | OpenStack Block Storage, Networking, Orchestration, and Compute. |

On some deployments, the default port used by a service may fall within the defined local
port range of a host. To check a host's local port range:
$ sysctl -a | grep ip_local_port_range

If a service's default port falls within this range, run the following program to check if the
port has already been assigned to another application:
$ lsof -i :PORT

Configure the service to use a different port if the default port is already being used by another application.
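
The two checks above, combined into one script as an added example that is not part of the original guide. It parses the local port range, lists every default port from Table A.1 and Table A.2 that falls inside it, and uses a bind attempt as a stand-in for lsof; the function names and the sample sysctl line are constructed for the illustration.

```python
import errno
import socket

# Default ports copied from Table A.1 and Table A.2 on this page.
DEFAULT_PORTS = {
    "Block Storage (cinder)": "8776",
    "Compute (nova) endpoints": "8774",
    "Compute API (nova-api)": "8773, 8775",
    "Compute virtual machine consoles": "5900-5999",
    "Compute VNC proxy for browsers": "6080",
    "Compute VNC proxy for traditional VNC clients": "6081",
    "Compute HTML5 console proxy": "6082",
    "Identity service (keystone) administrative endpoint": "35357",
    "Identity service public endpoint": "5000",
    "Image Service (glance) API": "9292",
    "Image Service registry": "9191",
    "Networking (neutron)": "9696",
    "Object Storage (swift)": "6000, 6001, 6002",
    "Orchestration (heat) endpoint": "8004",
    "Orchestration CloudFormation-compatible API": "8000",
    "Orchestration CloudWatch-compatible API": "8003",
    "Telemetry (ceilometer)": "8777",
    "HTTP": "80",
    "HTTP alternate": "8080",
    "HTTPS": "443",
    "rsync": "873",
    "iSCSI target": "3260",
    "MySQL database service": "3306",
    "Message Broker (AMQP traffic)": "5672",
}

# Constructed sample of what `sysctl -a | grep ip_local_port_range` prints.
SAMPLE_SYSCTL = "net.ipv4.ip_local_port_range = 32768\t60999"


def spans(spec):
    """Turn '8773, 8775' or '5900-5999' into a list of (low, high) spans."""
    result = []
    for part in spec.split(","):
        low, _, high = part.strip().partition("-")
        result.append((int(low), int(high or low)))
    return result


def parse_local_port_range(text):
    """Read the two bounds from sysctl output or from the contents of
    /proc/sys/net/ipv4/ip_local_port_range."""
    low, high = (int(field) for field in text.replace("=", " ").split()[-2:])
    if not 0 < low <= high <= 65535:
        raise ValueError("implausible local port range: %r" % text)
    return low, high


def colliding_services(local_range, services=DEFAULT_PORTS):
    """Return (service, first_port, last_port) for every default port span
    that overlaps the host's local port range, ordered by port."""
    low, high = local_range
    hits = []
    for name, spec in services.items():
        for first, last in spans(spec):
            if first <= high and last >= low:
                hits.append((name, max(first, low), min(last, high)))
    return sorted(hits, key=lambda hit: hit[1])


def port_in_use(port, host="0.0.0.0"):
    """Bind test standing in for `lsof -i :PORT`: True when the TCP port
    cannot be bound because another socket already holds it."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as probe:
        try:
            probe.bind((host, port))
        except OSError as exc:
            if exc.errno == errno.EADDRINUSE:
                return True
            raise  # for example EACCES for ports below 1024 without root
    return False


if __name__ == "__main__":
    for name, first, last in colliding_services(parse_local_port_range(SAMPLE_SYSCTL)):
        print("%s: %d-%d is inside the local port range" % (name, first, last))
```

With the sample range, the only default port inside it is 35357, the Identity service administrative endpoint.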


Appendix B. Community support
Table of Contents
Documentation
ask.openstack.org
OpenStack mailing lists
The OpenStack wiki
The Launchpad Bugs area
The OpenStack IRC channel
Documentation feedback
OpenStack distribution packages

The following resources are available to help you run and use OpenStack. The OpenStack
community constantly improves and adds to the main features of OpenStack, but if you
have any questions, do not hesitate to ask. Use the following resources to get OpenStack
support, and troubleshoot your installations.

Documentation
For the available OpenStack documentation, see docs.openstack.org.
To provide feedback on documentation, join and use the
<[email protected]> mailing list at OpenStack Documentation
Mailing List, or report a bug.
The following books explain how to install an OpenStack cloud and its associated components:
Installation Guide for Debian 7.0
Installation Guide for openSUSE and SUSE Linux Enterprise Server
Installation Guide for Red Hat Enterprise Linux, CentOS, and Fedora
Installation Guide for Ubuntu 14.04 (LTS)
The following books explain how to configure and run an OpenStack cloud:
Architecture Design Guide
Cloud Administrator Guide
Configuration Reference
Operations Guide
High Availability Guide
Security Guide

Virtual Machine Image Guide


The following books explain how to use the OpenStack dashboard and command-line
clients:
API Quick Start
End User Guide
Admin User Guide
Command-Line Interface Reference
The following documentation provides reference and guidance information for the OpenStack APIs:
OpenStack API Complete Reference (HTML)
API Complete Reference (PDF)
OpenStack Block Storage Service API v2 Reference
OpenStack Compute API v2 and Extensions Reference
OpenStack Identity Service API v2.0 Reference
OpenStack Image Service API v2 Reference
OpenStack Networking API v2.0 Reference
OpenStack Object Storage API v1 Reference
The Training Guides offer software training for cloud administration and management.

ask.openstack.org
During the set up or testing of OpenStack, you might have questions about how a specific task is completed or be in a situation where a feature does not work correctly. Use
the ask.openstack.org site to ask questions and get answers. When you visit the http://ask.openstack.org site,
scan the recently asked questions to see whether your question has
already been answered. If not, ask a new question. Be sure to give a clear, concise summary
in the title and provide as much detail as possible in the description. Paste in your command
output or stack traces, links to screen shots, and any other information which might be useful.

OpenStack mailing lists


A great way to get answers and insights is to post your question or problematic scenario
to the OpenStack mailing list. You can learn from and help others who might have similar issues. To subscribe or view the archives, go to http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack. You might be interested in the other mailing lists for specific
projects or development, which you can find on the wiki. A description of all mailing lists is
available at http://wiki.openstack.org/MailingLists.

The OpenStack wiki


The OpenStack wiki contains a broad range of topics but some of the information can be
difficult to find or is a few pages deep. Fortunately, the wiki search feature enables you to
search by title or content. If you search for specific information, such as about networking
or nova, you can find a large amount of relevant material. More is being added all the time,
so be sure to check back often. You can find the search box in the upper-right corner of any
OpenStack wiki page.

The Launchpad Bugs area


The OpenStack community values your set up and testing efforts and wants your feedback.
To log a bug, you must sign up for a Launchpad account at https://launchpad.net/+login.
You can view existing bugs and report bugs in the Launchpad Bugs area. Use the search
feature to determine whether the bug has already been reported or already been fixed. If
it still seems like your bug is unreported, fill out a bug report.
Some tips:
Give a clear, concise summary.
Provide as much detail as possible in the description. Paste in your command output or stack traces, links to screenshots, and any other information that might be useful.
Be sure to include the software and package versions that you are using, especially if you are using a development branch, such as "Juno release" vs. git commit bc79c3ecc55929bac585d04a03475b72e06a3208.
Any deployment-specific information is helpful, such as whether you are using Ubuntu 14.04 or are performing a multi-node installation.
The following Launchpad Bugs areas are available:
Bugs: OpenStack Block Storage (cinder)
Bugs: OpenStack Compute (nova)
Bugs: OpenStack Dashboard (horizon)
Bugs: OpenStack Identity (keystone)
Bugs: OpenStack Image Service (glance)
Bugs: OpenStack Networking (neutron)
Bugs: OpenStack Object Storage (swift)
Bugs: Bare Metal (ironic)
Bugs: Data Processing Service (sahara)
Bugs: Database Service (trove)
Bugs: Orchestration (heat)
Bugs: Telemetry (ceilometer)
Bugs: Queue Service (marconi)
Bugs: OpenStack API Documentation (developer.openstack.org)
Bugs: OpenStack Documentation (docs.openstack.org)

The OpenStack IRC channel


The OpenStack community lives in the #openstack IRC channel on the Freenode network.
You can hang out, ask questions, or get immediate feedback for urgent and pressing issues.
To install an IRC client or use a browser-based client, go to http://webchat.freenode.net/.
You can also use Colloquy (Mac OS X, http://colloquy.info/), mIRC (Windows,
http://www.mirc.com/), or XChat (Linux). When you are in the IRC channel and want to share
code or command output, the generally accepted method is to use a Paste Bin. The OpenStack
project has one at http://paste.openstack.org. Just paste your longer amounts of text
or logs in the web form and you get a URL that you can paste into the channel. The OpenStack
IRC channel is #openstack on irc.freenode.net. You can find a list of all OpenStack IRC
channels at https://wiki.openstack.org/wiki/IRC.

Documentation feedback
To provide feedback on documentation, join and use the
<[email protected]> mailing list at OpenStack Documentation
Mailing List, or report a bug.

OpenStack distribution packages


The following Linux distributions provide community-supported packages for OpenStack:
Debian: http://wiki.debian.org/OpenStack
CentOS, Fedora, and Red Hat Enterprise Linux: http://openstack.redhat.com/
openSUSE and SUSE Linux Enterprise Server: http://en.opensuse.org/Portal:OpenStack
Ubuntu: https://wiki.ubuntu.com/ServerTeam/CloudArchive
