diff --git a/etc/glance-api.conf b/etc/glance-api.conf index a97ca648d0..6c6e2d435f 100644 --- a/etc/glance-api.conf +++ b/etc/glance-api.conf 
@@ -4,27 +4,127 @@ # From glance.api # -# When true, this option sets the owner of an image to be the tenant. -# Otherwise, the owner of the image will be the authenticated user -# issuing the request. (boolean value) +# +# Set the image owner to tenant or the authenticated user. +# +# Assign a boolean value to determine the owner of an image. When set +# to +# True, the owner of the image is the tenant. When set to False, the +# owner of the image will be the authenticated user issuing the +# request. +# Setting it to False makes the image private to the associated user +# and +# sharing with other users within the same tenant (or "project") +# requires explicit image sharing via image membership. +# +# Services which consume this: +# * glance-api +# * glare-api +# * glance-registry +# +# Possible values: +# * True +# * False +# +# Related options: +# * None +# +# (boolean value) #owner_is_tenant = true +# # Role used to identify an authenticated user as administrator. -# (string value) +# +# Provide a string value representing a Keystone role to identify an +# administrative user. Users with this role will be granted +# administrative privileges. The default value for this option is +# 'admin'. +# +# Services which consume this: +# * glance-api +# * glare-api +# * glance-registry +# * glance-scrubber +# +# Possible values: +# * A string value which is a valid Keystone role +# +# Related options: +# * None +# +# (string value) #admin_role = admin -# Allow unauthenticated users to access the API with read-only -# privileges. This only applies when using ContextMiddleware. (boolean -# value) +# +# Allow limited access to unauthenticated users. +# +# Assign a boolean to determine API access for unathenticated +# users. When set to False, the API cannot be accessed by +# unauthenticated users. When set to True, unauthenticated users can +# access the API with read-only privileges. This however only applies +# when using ContextMiddleware. 
+# +# Services which consumes this: +# * glance-api +# * glare-api +# * glance-registry +# +# Possible values: +# * True +# * False +# +# Related options: +# * None +# +# (boolean value) #allow_anonymous_access = false -# Limits request ID length. (integer value) +# +# Limit the request ID length. +# +# Provide an integer value to limit the length of the request ID to +# the specified length. The default value is 64. Users can change this +# to any ineteger value between 0 and 16384 however keeping in mind +# that +# a larger value may flood the logs. +# +# Services which consumes this: +# * glance-api +# * glare-api +# * glance-registry +# +# Possible values: +# * Integer value between 0 and 16384 +# +# Related options: +# * None +# +# (integer value) +# Minimum value: 0 #max_request_id_length = 64 -# Public url to use for versions endpoint. The default is None, which -# will use the request's host_url attribute to populate the URL base. -# If Glance is operating behind a proxy, you will want to change this -# to represent the proxy's URL. (string value) +# +# Public url endpoint to use for Glance/Glare versions response. +# +# This is the public url endpoint that will appear in the Glance/Glare +# "versions" response. If no value is specified, the endpoint that is +# displayed in the version's response is that of the host running the +# API service. Change the endpoint to represent the proxy URL if the +# API service is running behind a proxy. If the service is running +# behind a load balancer, add the load balancer's URL for this value. +# +# Services which consume this: +# * glance-api/glare-api +# +# Possible values: +# * None +# * Proxy URL +# * Load balancer URL +# +# Related options: +# * None +# +# (string value) #public_endpoint = # Whether to allow users to specify image properties beyond what the 
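Review bot: The new help for `max_request_id_length` promises a range that the option does not appear to enforce. The text says "any ineteger value between 0 and 16384" and repeats that range under "Possible values", while the generated constraint line shows only `# Minimum value: 0`. Because the same paragraph warns that a larger value may flood the logs, either the option should carry the upper bound too, or the text should say the figure is advisory, for example `# * Any non-negative integer (values above 16384 are not recommended)`. The added text also has typos to fix at the source: "unathenticated", "ineteger", and "Services which consumes this" in two blocks where the others say "consume".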
@@ -199,24 +299,213 @@ # value) #key_file = -# The path to the sqlite file database that will be used for image -# cache management. (string value) +# DEPRECATED: The HTTP header used to determine the scheme for the +# original request, even if it was removed by an SSL terminating +# proxy. Typical value is "HTTP_X_FORWARDED_PROTO". (string value) +# This option is deprecated for removal. +# Its value may be silently ignored in the future. +# Reason: Use the http_proxy_to_wsgi middleware instead. +#secure_proxy_ssl_header = + +# +# The relative path to sqlite file database that will be used for +# image cache +# management. +# +# This is a relative path to the sqlite file database that tracks the +# age and +# usage statistics of image cache. The path is relative to image cache +# base +# directory, specified by the configuration option +# ``image_cache_dir``. +# +# This is a lightweight database with just one table. +# +# Services which consume this: +# * glance-api +# +# Possible values: +# * A valid relative path to sqlite file database +# +# Related options: +# * ``image_cache_dir`` +# +# (string value) #image_cache_sqlite_db = cache.db -# The driver to use for image cache management. (string value) +# +# The driver to use for image cache management. +# +# This configuration option provides the flexibility to choose between +# the +# different image-cache drivers available. An image-cache driver is +# responsible +# for providing the essential functions of image-cache like write +# images to/read +# images from cache, track age and usage of cached images, provide a +# list of +# cached images, fetch size of the cache, queue images for caching and +# clean up +# the cache, etc. +# +# The essential functions of a driver are defined in the base class +# ``glance.image_cache.drivers.base.Driver``. All image-cache drivers +# (existing +# and prospective) must implement this interface. Currently available +# drivers +# are ``sqlite`` and ``xattr``. 
These drivers primarily differ in the +# way they +# store the information about cached images: +# * The ``sqlite`` driver uses a sqlite database (which sits on +# every glance +# node locally) to track the usage of cached images. +# * The ``xattr`` driver uses the extended attributes of files to +# store this +# information. It also requires a filesystem that sets ``atime`` +# on the files +# when accessed. +# +# Services which consume this: +# * glance-api +# +# Possible values: +# * sqlite +# * xattr +# +# Related options: +# * None +# +# (string value) +# Allowed values: sqlite, xattr #image_cache_driver = sqlite -# The upper limit (the maximum size of accumulated cache in bytes) -# beyond which the cache pruner, if running, starts cleaning the image -# cache. (integer value) +# +# The upper limit on cache size, in bytes, after which the cache- +# pruner cleans +# up the image cache. +# +# NOTE: This is just a threshold for cache-pruner to act upon. It is +# NOT a +# hard limit beyond which the image cache would never grow. In fact, +# depending +# on how often the cache-pruner runs and how quickly the cache fills, +# the image +# cache can far exceed the size specified here very easily. Hence, +# care must be +# taken to appropriately schedule the cache-pruner and in setting this +# limit. +# +# Glance caches an image when it is downloaded. Consequently, the size +# of the +# image cache grows over time as the number of downloads increases. To +# keep the +# cache size from becoming unmanageable, it is recommended to run the +# cache-pruner as a periodic task. When the cache pruner is kicked +# off, it +# compares the current size of image cache and triggers a cleanup if +# the image +# cache grew beyond the size specified here. After the cleanup, the +# size of +# cache is less than or equal to size specified here. 
+# +# Services which consume this: +# * None (consumed by cache-pruner, an independent periodic task) +# +# Possible values: +# * Any non-negative integer +# +# Related options: +# * None +# +# (integer value) +# Minimum value: 0 #image_cache_max_size = 10737418240 -# The amount of time to let an incomplete image remain in the cache, -# before the cache cleaner, if running, will remove the incomplete -# image. (integer value) +# +# The amount of time, in seconds, an incomplete image remains in the +# cache. +# +# Incomplete images are images for which download is in progress. +# Please see the +# description of configuration option ``image_cache_dir`` for more +# detail. +# Sometimes, due to various reasons, it is possible the download may +# hang and +# the incompletely downloaded image remains in the ``incomplete`` +# directory. +# This configuration option sets a time limit on how long the +# incomplete images +# should remain in the ``incomplete`` directory before they are +# cleaned up. +# Once an incomplete image spends more time than is specified here, +# it'll be +# removed by cache-cleaner on its next run. +# +# It is recommended to run cache-cleaner as a periodic task on the +# Glance API +# nodes to keep the incomplete images from occupying disk space. +# +# Services which consume this: +# * None (consumed by cache-cleaner, an independent periodic task) +# +# Possible values: +# * Any non-negative integer +# +# Related options: +# * None +# +# (integer value) +# Minimum value: 0 #image_cache_stall_time = 86400 -# Base directory that the image cache uses. (string value) +# +# Base directory for image cache. +# +# This is the location where image data is cached and served out of. +# All cached +# images are stored directly under this directory. This directory also +# contains +# three subdirectories, namely, ``incomplete``, ``invalid`` and +# ``queue``. +# +# The ``incomplete`` subdirectory is the staging area for downloading +# images. 
An +# image is first downloaded to this directory. When the image download +# is +# successful it is moved to the base directory. However, if the +# download fails, +# the partially downloaded image file is moved to the ``invalid`` +# subdirectory. +# +# The ``queue``subdirectory is used for queuing images for download. +# This is +# used primarily by the cache-prefetcher, which can be scheduled as a +# periodic +# task like cache-pruner and cache-cleaner, to cache images ahead of +# their usage. +# Upon receiving the request to cache an image, Glance touches a file +# in the +# ``queue`` directory with the image id as the file name. The cache- +# prefetcher, +# when running, polls for the files in ``queue`` directory and starts +# downloading them in the order they were created. When the download +# is +# successful, the zero-sized file is deleted from the ``queue`` +# directory. +# If the download fails, the zero-sized file remains and it'll be +# retried the +# next time cache-prefetcher runs. +# +# Services which consume this: +# * glance-api +# +# Possible values: +# * A valid path +# +# Related options: +# * ``image_cache_sqlite_db`` +# +# (string value) #image_cache_dir = # Default publisher_id for outgoing notifications. (string value) 
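Review bot: The description added for `secure_proxy_ssl_header` gives a typical value but not the trust condition that makes the option safe. The header is only meaningful when a proxy in front of the API sets it and discards any copy sent by the client. The option is marked deprecated, but operators who still set it would benefit from one more line such as `# Only set this when the API is reachable solely through a proxy that overwrites this header.` Separately, in the `image_cache_dir` text, "The ``queue``subdirectory" is missing a space before "subdirectory".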
@@ -239,11 +528,11 @@ # Maximum value: 65535 #registry_port = 9191 -# Whether to pass through the user token when making requests to the -# registry. To prevent failures with token expiration during big files -# upload, it is recommended to set this parameter to False.If -# "use_user_token" is not in effect, then admin credentials can be -# specified. (boolean value) +# DEPRECATED: Whether to pass through the user token when making +# requests to the registry. To prevent failures with token expiration +# during big files upload, it is recommended to set this parameter to +# False.If "use_user_token" is not in effect, then admin credentials +# can be specified. (boolean value) # This option is deprecated for removal. # Its value may be silently ignored in the future. # Reason: This option was considered harmful and has been deprecated @@ -252,8 +541,8 @@ # been implemented with Keystone trusts support. #use_user_token = true -# The administrators user name. If "use_user_token" is not in effect, -# then admin credentials can be specified. (string value) +# DEPRECATED: The administrators user name. If "use_user_token" is not +# in effect, then admin credentials can be specified. (string value) # This option is deprecated for removal. # Its value may be silently ignored in the future. # Reason: This option was considered harmful and has been deprecated @@ -262,8 +551,8 @@ # been implemented with Keystone trusts support. #admin_user = -# The administrators password. If "use_user_token" is not in effect, -# then admin credentials can be specified. (string value) +# DEPRECATED: The administrators password. If "use_user_token" is not +# in effect, then admin credentials can be specified. (string value) # This option is deprecated for removal. # Its value may be silently ignored in the future. # Reason: This option was considered harmful and has been deprecated 
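Review bot: The reworded `use_user_token` help keeps the advice "it is recommended to set this parameter to False", which conflicts with the Reason line that follows, where the option "was considered harmful". Going by the help text itself, following that advice is what leads operators to put `admin_user` and `admin_password` into this file in plain text. The DEPRECATED text should drop the recommendation, for example `# DEPRECATED: Whether to pass through the user token when making requests to the registry. (boolean value)`. The same sentence still carries the missing space in "False.If". The "If "use_user_token" is not in effect…" wording repeats in the `admin_user`, `admin_password`, `admin_tenant_name`, `auth_url`, `auth_strategy` and region-name hunks that follow, and the full reason text is only partly visible in these hunks.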
@@ -272,9 +561,9 @@ # been implemented with Keystone trusts support. #admin_password = -# The tenant name of the administrative user. If "use_user_token" is -# not in effect, then admin tenant name can be specified. (string -# value) +# DEPRECATED: The tenant name of the administrative user. If +# "use_user_token" is not in effect, then admin tenant name can be +# specified. (string value) # This option is deprecated for removal. # Its value may be silently ignored in the future. # Reason: This option was considered harmful and has been deprecated @@ -283,8 +572,8 @@ # been implemented with Keystone trusts support. #admin_tenant_name = -# The URL to the keystone service. If "use_user_token" is not in -# effect and using keystone auth, then URL of keystone can be +# DEPRECATED: The URL to the keystone service. If "use_user_token" is +# not in effect and using keystone auth, then URL of keystone can be # specified. (string value) # This option is deprecated for removal. # Its value may be silently ignored in the future. @@ -294,8 +583,9 @@ # been implemented with Keystone trusts support. #auth_url = -# The strategy to use for authentication. If "use_user_token" is not -# in effect, then auth strategy can be specified. (string value) +# DEPRECATED: The strategy to use for authentication. If +# "use_user_token" is not in effect, then auth strategy can be +# specified. (string value) # This option is deprecated for removal. # Its value may be silently ignored in the future. # Reason: This option was considered harmful and has been deprecated 
@@ -304,9 +594,9 @@ # been implemented with Keystone trusts support. #auth_strategy = noauth -# The region for the authentication service. If "use_user_token" is -# not in effect and using keystone auth, then region name can be -# specified. (string value) +# DEPRECATED: The region for the authentication service. If +# "use_user_token" is not in effect and using keystone auth, then +# region name can be specified. (string value) # This option is deprecated for removal. # Its value may be silently ignored in the future. # Reason: This option was considered harmful and has been deprecated @@ -375,10 +665,11 @@ # If set to true, the logging level will be set to DEBUG instead of # the default INFO level. (boolean value) +# Note: This option can be changed without restarting. #debug = false -# If set to false, the logging level will be set to WARNING instead of -# the default INFO level. (boolean value) +# DEPRECATED: If set to false, the logging level will be set to +# WARNING instead of the default INFO level. (boolean value) # This option is deprecated for removal. # Its value may be silently ignored in the future. #verbose = true @@ -390,6 +681,7 @@ # configuration is set in the configuration file and other logging # configuration options are ignored (for example, # logging_context_format_string). (string value) +# Note: This option can be changed without restarting. # Deprecated group/name - [DEFAULT]/log_config #log_config_append = @@ -483,10 +775,6 @@ # Allowed values: redis, dummy #rpc_zmq_matchmaker = redis -# Type of concurrency used. Either "native" or "eventlet" (string -# value) -#rpc_zmq_concurrency = eventlet - # Number of ZeroMQ contexts, defaults to 1. (integer value) #rpc_zmq_contexts = 1 
@@ -513,16 +801,23 @@ # Expiration timeout in seconds of a name service record about # existing target ( < 0 means no timeout). (integer value) -#zmq_target_expire = 120 +#zmq_target_expire = 300 + +# Update period in seconds of a name service record about existing +# target. (integer value) +#zmq_target_update = 180 # Use PUB/SUB pattern for fanout methods. PUB/SUB always uses proxy. # (boolean value) #use_pub_sub = true +# Use ROUTER remote proxy. (boolean value) +#use_router_proxy = true + # Minimal port number for random ports range. (port value) # Minimum value: 0 # Maximum value: 65535 -#rpc_zmq_min_port = 49152 +#rpc_zmq_min_port = 49153 # Maximal port number for random ports range. (integer value) # Minimum value: 1 @@ -541,12 +836,14 @@ #rpc_response_timeout = 60 # A URL representing the messaging driver to use and its full -# configuration. If not set, we fall back to the rpc_backend option -# and driver specific configuration. (string value) +# configuration. (string value) #transport_url = -# The messaging driver to use, defaults to rabbit. Other drivers -# include amqp and zmq. (string value) +# DEPRECATED: The messaging driver to use, defaults to rabbit. Other +# drivers include amqp and zmq. (string value) +# This option is deprecated for removal. +# Its value may be silently ignored in the future. +# Reason: Replaced by [DEFAULT]/transport_url #rpc_backend = rabbit # The default exchange under which topics are scoped. May be @@ -562,7 +859,9 @@ # # Indicate whether this resource may be shared with the domain -# received in the requests "origin" header. (list value) +# received in the requests "origin" header. Format: +# "://[:]", no trailing slash. Example: +# https://horizon.example.com (list value) #allowed_origin = # Indicate that the actual request can include user credentials 
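Review bot: In the `transport_url` hunk the help is cut down to "A URL representing the messaging driver to use and its full configuration." Other hunks in this commit mark `rpc_backend`, the `rabbit_*` host, port, userid, password and virtual-host options, and the Redis host, port and password options as "Replaced by [DEFAULT]/transport_url". That leaves the sample with no description of the URL layout and no hint that the value now carries the broker password. I would add a format line and a handling line here, for example `# Format: driver://user:password@host:port/virtual_host (layout shown as a placeholder, confirm against the messaging library)` and `# Contains credentials; keep this file readable only by the service user.`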
@@ -592,7 +891,9 @@ # # Indicate whether this resource may be shared with the domain -# received in the requests "origin" header. (list value) +# received in the requests "origin" header. Format: +# "://[:]", no trailing slash. Example: +# https://horizon.example.com (list value) #allowed_origin = # Indicate that the actual request can include user credentials @@ -621,8 +922,12 @@ # From oslo.db # -# The file name to use with SQLite. (string value) +# DEPRECATED: The file name to use with SQLite. (string value) # Deprecated group/name - [DEFAULT]/sqlite_db +# This option is deprecated for removal. +# Its value may be silently ignored in the future. +# Reason: Should use config option connection or slave_connection to +# connect the database. #sqlite_db = oslo.sqlite # If True, SQLite uses synchronous mode. (boolean value) 
@@ -885,78 +1190,28 @@ # The config file that has the swift account(s)configs. (string value) #swift_store_config_file = -# RADOS images will be chunked into objects of this size (in -# megabytes). For best performance, this should be a power of two. -# (integer value) -#rbd_store_chunk_size = 8 - -# RADOS pool in which images are stored. (string value) -#rbd_store_pool = images - -# RADOS user to authenticate as (only applicable if using Cephx. If -# , a default will be chosen based on the client. section in -# rbd_store_ceph_conf) (string value) -#rbd_store_user = - -# Ceph configuration file path. If , librados will locate the -# default config. If using cephx authentication, this file should -# include a reference to the right keyring in a client. section +# Directory to which the Filesystem backend store writes images. # (string value) -#rbd_store_ceph_conf = /etc/ceph/ceph.conf +#filesystem_store_datadir = /var/lib/glance/images -# Timeout value (in seconds) used when connecting to ceph cluster. If -# value <= 0, no timeout is set and default librados value is used. -# (integer value) -#rados_connect_timeout = 0 +# List of directories and its priorities to which the Filesystem +# backend store writes images. (multi valued) +#filesystem_store_datadirs = -# Info to match when looking for cinder in the service catalog. Format -# is : separated values of the form: -# :: (string value) -#cinder_catalog_info = volumev2::publicURL - -# Override service catalog lookup with template for cinder endpoint -# e.g. http://localhost:8776/v2/%(tenant)s (string value) -#cinder_endpoint_template = - -# Region name of this node. If specified, it will be used to locate -# OpenStack services for stores. (string value) -# Deprecated group/name - [DEFAULT]/os_region_name -#cinder_os_region_name = - -# Location of ca certicates file to use for cinder client requests. 
-# (string value) -#cinder_ca_certificates_file = - -# Number of cinderclient retries on failed http calls (integer value) -#cinder_http_retries = 3 - -# Time period of time in seconds to wait for a cinder volume -# transition to complete. (integer value) -#cinder_state_transition_timeout = 300 - -# Allow to perform insecure SSL requests to cinder (boolean value) -#cinder_api_insecure = false - -# The address where the Cinder authentication service is listening. If -# , the cinder endpoint in the service catalog is used. (string +# The path to a file which contains the metadata to be returned with +# any location associated with this store. The file must contain a +# valid JSON object. The object should contain the keys 'id' and +# 'mountpoint'. The value for both keys should be 'string'. (string # value) -#cinder_store_auth_address = +#filesystem_store_metadata_file = -# User name to authenticate against Cinder. If , the user of -# current context is used. (string value) -#cinder_store_user_name = - -# Password for the user authenticating against Cinder. If , the -# current context auth token is used. (string value) -#cinder_store_password = - -# Project name where the image is stored in Cinder. If , the -# project in current context is used. (string value) -#cinder_store_project_name = - -# Path to the rootwrap configuration file to use for running commands -# as root. (string value) -#rootwrap_config = /etc/glance/rootwrap.conf +# The required permission for created image file. In this way the user +# other service used, e.g. Nova, who consumes the image could be the +# exclusive member of the group that owns the files created. Assigning +# it less then or equal to zero means don't change the default +# permission of the file. This value will be decoded as an octal +# digit. (integer value) +#filesystem_store_file_perm = 0 # The host where the S3 server is listening. (string value) #s3_store_host = 
@@ -1010,38 +1265,54 @@ # The password to use when connecting over a proxy. (string value) #s3_store_proxy_password = -# Images will be chunked into objects of this size (in megabytes). For -# best performance, this should be a power of two. (integer value) -#sheepdog_store_chunk_size = 64 +# Info to match when looking for cinder in the service catalog. Format +# is : separated values of the form: +# :: (string value) +#cinder_catalog_info = volumev2::publicURL -# Port of sheep daemon. (integer value) -#sheepdog_store_port = 7000 +# Override service catalog lookup with template for cinder endpoint +# e.g. http://localhost:8776/v2/%(tenant)s (string value) +#cinder_endpoint_template = -# IP address of sheep daemon. (string value) -#sheepdog_store_address = localhost +# Region name of this node. If specified, it will be used to locate +# OpenStack services for stores. (string value) +# Deprecated group/name - [glance_store]/os_region_name +#cinder_os_region_name = -# Directory to which the Filesystem backend store writes images. +# Location of ca certicates file to use for cinder client requests. # (string value) -#filesystem_store_datadir = /var/lib/glance/images +#cinder_ca_certificates_file = -# List of directories and its priorities to which the Filesystem -# backend store writes images. (multi valued) -#filesystem_store_datadirs = +# Number of cinderclient retries on failed http calls (integer value) +#cinder_http_retries = 3 -# The path to a file which contains the metadata to be returned with -# any location associated with this store. The file must contain a -# valid JSON object. The object should contain the keys 'id' and -# 'mountpoint'. The value for both keys should be 'string'. (string +# Time period of time in seconds to wait for a cinder volume +# transition to complete. 
(integer value) +#cinder_state_transition_timeout = 300 + +# Allow to perform insecure SSL requests to cinder (boolean value) +#cinder_api_insecure = false + +# The address where the Cinder authentication service is listening. If +# , the cinder endpoint in the service catalog is used. (string # value) -#filesystem_store_metadata_file = +#cinder_store_auth_address = -# The required permission for created image file. In this way the user -# other service used, e.g. Nova, who consumes the image could be the -# exclusive member of the group that owns the files created. Assigning -# it less then or equal to zero means don't change the default -# permission of the file. This value will be decoded as an octal -# digit. (integer value) -#filesystem_store_file_perm = 0 +# User name to authenticate against Cinder. If , the user of +# current context is used. (string value) +#cinder_store_user_name = + +# Password for the user authenticating against Cinder. If , the +# current context auth token is used. (string value) +#cinder_store_password = + +# Project name where the image is stored in Cinder. If , the +# project in current context is used. (string value) +#cinder_store_project_name = + +# Path to the rootwrap configuration file to use for running commands +# as root. (string value) +#rootwrap_config = /etc/glance/rootwrap.conf # ESX/ESXi or vCenter Server target system. The server value can be an # IP address or a DNS name. (string value) @@ -1070,7 +1341,7 @@ # If true, the ESX/vCenter server certificate is not verified. If # false, then the default CA truststore is used for verification. This # option is ignored if "vmware_ca_file" is set. (boolean value) -# Deprecated group/name - [DEFAULT]/vmware_api_insecure +# Deprecated group/name - [glance_store]/vmware_api_insecure #vmware_insecure = false # Specify a CA bundle file to use in verifying the ESX/vCenter server 
@@ -1091,6 +1362,40 @@ # free space available is selected. (multi valued) #vmware_datastores = +# Images will be chunked into objects of this size (in megabytes). For +# best performance, this should be a power of two. (integer value) +#sheepdog_store_chunk_size = 64 + +# Port of sheep daemon. (integer value) +#sheepdog_store_port = 7000 + +# IP address of sheep daemon. (string value) +#sheepdog_store_address = localhost + +# RADOS images will be chunked into objects of this size (in +# megabytes). For best performance, this should be a power of two. +# (integer value) +#rbd_store_chunk_size = 8 + +# RADOS pool in which images are stored. (string value) +#rbd_store_pool = images + +# RADOS user to authenticate as (only applicable if using Cephx. If +# , a default will be chosen based on the client. section in +# rbd_store_ceph_conf) (string value) +#rbd_store_user = + +# Ceph configuration file path. If , librados will locate the +# default config. If using cephx authentication, this file should +# include a reference to the right keyring in a client. section +# (string value) +#rbd_store_ceph_conf = /etc/ceph/ceph.conf + +# Timeout value (in seconds) used when connecting to ceph cluster. If +# value <= 0, no timeout is set and default librados value is used. +# (integer value) +#rados_connect_timeout = 0 + [image_format] 
@@ -1114,7 +1419,14 @@ # From keystonemiddleware.auth_token # -# Complete public Identity API endpoint. (string value) +# Complete "public" Identity API endpoint. This endpoint should not be +# an "admin" endpoint, as it should be accessible by all end users. +# Unauthenticated clients are redirected to this endpoint to +# authenticate. Although this endpoint should ideally be unversioned, +# client support in the wild varies. If you're using a versioned v2 +# endpoint here, then this should *not* be the same endpoint the +# service user utilizes for validating tokens, because normal end +# users may not be able to reach that endpoint. (string value) #auth_uri = # API version of the admin Identity API endpoint. (string value) @@ -1160,7 +1472,7 @@ # Optionally specify a list of memcached server(s) to use for caching. # If left undefined, tokens will instead be cached in-process. (list # value) -# Deprecated group/name - [DEFAULT]/memcache_servers +# Deprecated group/name - [keystone_authtoken]/memcache_servers #memcached_servers = # In order to prevent excessive effort spent validating tokens, the @@ -1172,7 +1484,8 @@ # Determines the frequency at which the list of revoked tokens is # retrieved from the Identity service (in seconds). A high number of # revocation events combined with a low cache duration may -# significantly reduce performance. (integer value) +# significantly reduce performance. Only valid for PKI tokens. +# (integer value) #revocation_cache_time = 10 # (Optional) If defined, indicate whether token data should be @@ -1243,11 +1556,11 @@ # value) #hash_algorithms = md5 -# Authentication type to load (unknown value) -# Deprecated group/name - [DEFAULT]/auth_plugin +# Authentication type to load (string value) +# Deprecated group/name - [keystone_authtoken]/auth_plugin #auth_type = -# Config Section from which to load plugin specific options (unknown +# Config Section from which to load plugin specific options (string # value) #auth_section = 
@@ -1258,32 +1571,44 @@ # From oslo.messaging # -# Host to locate redis. (string value) +# DEPRECATED: Host to locate redis. (string value) +# This option is deprecated for removal. +# Its value may be silently ignored in the future. +# Reason: Replaced by [DEFAULT]/transport_url #host = 127.0.0.1 -# Use this port to connect to redis host. (port value) +# DEPRECATED: Use this port to connect to redis host. (port value) # Minimum value: 0 # Maximum value: 65535 +# This option is deprecated for removal. +# Its value may be silently ignored in the future. +# Reason: Replaced by [DEFAULT]/transport_url #port = 6379 -# Password for Redis server (optional). (string value) +# DEPRECATED: Password for Redis server (optional). (string value) +# This option is deprecated for removal. +# Its value may be silently ignored in the future. +# Reason: Replaced by [DEFAULT]/transport_url #password = -# List of Redis Sentinel hosts (fault tolerance mode) e.g. +# DEPRECATED: List of Redis Sentinel hosts (fault tolerance mode) e.g. # [host:port, host1:port ... ] (list value) +# This option is deprecated for removal. +# Its value may be silently ignored in the future. +# Reason: Replaced by [DEFAULT]/transport_url #sentinel_hosts = # Redis replica set name. (string value) #sentinel_group_name = oslo-messaging-zeromq # Time in ms to wait between connection attempts. (integer value) -#wait_timeout = 500 +#wait_timeout = 5000 # Time in ms to wait before the transaction is killed. (integer value) -#check_timeout = 20000 +#check_timeout = 60000 # Timeout in ms on blocking socket operations (integer value) -#socket_timeout = 1000 +#socket_timeout = 10000 [oslo_concurrency] 
@@ -1448,7 +1773,7 @@ # How long to wait a missing client beforce abandoning to send it its # replies. This value should not be longer than rpc_response_timeout. # (integer value) -# Deprecated group/name - [DEFAULT]/kombu_reconnect_timeout +# Deprecated group/name - [oslo_messaging_rabbit]/kombu_reconnect_timeout #kombu_missing_consumer_retry_timeout = 60 # Determines how the next RabbitMQ node is chosen in case the one we 
@@ -1457,39 +1782,58 @@
 # Allowed values: round-robin, shuffle
 #kombu_failover_strategy = round-robin

-# The RabbitMQ broker address where a single node is used. (string
-# value)
+# DEPRECATED: The RabbitMQ broker address where a single node is used.
+# (string value)
 # Deprecated group/name - [DEFAULT]/rabbit_host
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
+# Reason: Replaced by [DEFAULT]/transport_url
 #rabbit_host = localhost

-# The RabbitMQ broker port where a single node is used. (port value)
+# DEPRECATED: The RabbitMQ broker port where a single node is used.
+# (port value)
 # Minimum value: 0
 # Maximum value: 65535
 # Deprecated group/name - [DEFAULT]/rabbit_port
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
+# Reason: Replaced by [DEFAULT]/transport_url
 #rabbit_port = 5672

-# RabbitMQ HA cluster host:port pairs. (list value)
+# DEPRECATED: RabbitMQ HA cluster host:port pairs. (list value)
 # Deprecated group/name - [DEFAULT]/rabbit_hosts
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
+# Reason: Replaced by [DEFAULT]/transport_url
 #rabbit_hosts = $rabbit_host:$rabbit_port

 # Connect over SSL for RabbitMQ. (boolean value)
 # Deprecated group/name - [DEFAULT]/rabbit_use_ssl
 #rabbit_use_ssl = false

-# The RabbitMQ userid. (string value)
+# DEPRECATED: The RabbitMQ userid. (string value)
 # Deprecated group/name - [DEFAULT]/rabbit_userid
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
+# Reason: Replaced by [DEFAULT]/transport_url
 #rabbit_userid = guest

-# The RabbitMQ password. (string value)
+# DEPRECATED: The RabbitMQ password. (string value)
 # Deprecated group/name - [DEFAULT]/rabbit_password
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
+# Reason: Replaced by [DEFAULT]/transport_url
 #rabbit_password = guest

 # The RabbitMQ login method. (string value)
 # Deprecated group/name - [DEFAULT]/rabbit_login_method
 #rabbit_login_method = AMQPLAIN

-# The RabbitMQ virtual host. (string value)
+# DEPRECATED: The RabbitMQ virtual host. (string value)
 # Deprecated group/name - [DEFAULT]/rabbit_virtual_host
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
+# Reason: Replaced by [DEFAULT]/transport_url
 #rabbit_virtual_host = /

 # How frequently to retry connecting with RabbitMQ. (integer value)
@@ -1524,7 +1868,7 @@
 # automatically deleted. The parameter affects only reply and fanout
 # queues. (integer value)
 # Minimum value: 1
-#rabbit_transient_queues_ttl = 600
+#rabbit_transient_queues_ttl = 1800

 # Specifies the number of messages to prefetch. Setting to zero allows
 # unlimited messages. (integer value)
@@ -1552,7 +1896,7 @@

 # How often to send heartbeats for consumer's connections (integer
 # value)
-#heartbeat_interval = 1
+#heartbeat_interval = 3

 # Enable SSL (boolean value)
 #ssl =
@@ -1572,8 +1916,12 @@
 # (floating point value)
 #host_connection_reconnect_delay = 0.25

+# Connection factory implementation (string value)
+# Allowed values: new, single, read_write
+#connection_factory = single
+
 # Maximum number of connections to keep queued. (integer value)
-#pool_max_size = 10
+#pool_max_size = 30

 # Maximum number of connections to create above `pool_max_size`.
 # (integer value)
@@ -1596,7 +1944,7 @@
 # Persist notification messages. (boolean value)
 #notification_persistence = false

-# Exchange name for for sending notifications (string value)
+# Exchange name for sending notifications (string value)
 #default_notification_exchange = ${control_exchange}_notification

 # Max number of not acknowledged message which RabbitMQ can send to
@@ -1655,7 +2003,7 @@
 # From oslo.middleware.http_proxy_to_wsgi
 #

-# Wether the application is behind a proxy or not. This determines if
+# Whether the application is behind a proxy or not. This determines if
 # the middleware should parse the headers or not. (boolean value)
 #enable_proxy_headers_parsing = false

@@ -1706,14 +2054,62 @@ # From glance.api # -# If False fully disable profiling feature. (boolean value) +# +# Enables the profiling for all services on this node. Default value +# is False +# (fully disable the profiling feature). +# +# Possible values: +# +# * True: Enables the feature +# * False: Disables the feature. The profiling cannot be started via +# this project +# operations. If the profiling is triggered by another project, this +# project part +# will be empty. +# (boolean value) +# Deprecated group/name - [profiler]/profiler_enabled #enabled = false -# If False doesn't trace SQL requests. (boolean value) +# +# Enables SQL requests profiling in services. Default value is False +# (SQL +# requests won't be traced). +# +# Possible values: +# +# * True: Enables SQL requests profiling. Each SQL query will be part +# of the +# trace and can the be analyzed by how much time was spent for that. +# * False: Disables SQL requests profiling. The spent time is only +# shown on a +# higher level of operations. Single SQL queries cannot be analyzed +# this +# way. +# (boolean value) #trace_sqlalchemy = false -# Secret key to use to sign Glance API and Glance Registry services -# tracing messages. (string value) +# +# Secret key(s) to use for encrypting context data for performance +# profiling. +# This string value should have the following format: +# [,,...], +# where each key is some random string. A user who triggers the +# profiling via +# the REST API has to set one of these keys in the headers of the REST +# API call +# to include profiling results of this node for this particular +# project. +# +# Both "enabled" flag and "hmac_keys" config options should be set to +# enable +# profiling. Also, to generate correct profiling information across +# all services +# at least one key needs to be consistent between OpenStack projects. +# This +# ensures it can be used from client side to generate the trace, +# containing +# information from all possible resources. 
(string value) #hmac_keys = SECRET_KEY @@ -1769,13 +2165,50 @@ # From glance.api # -# The mode in which the engine will run. Can be 'serial' or -# 'parallel'. (string value) +# +# Set the taskflow engine mode. +# +# Provide a string type value to set the mode in which the taskflow +# engine would schedule tasks to the workers on the hosts. Based on +# this mode, the engine executes tasks either in single or multiple +# threads. The possible values for this configuration option are: +# ``serial`` and ``parallel``. When set to ``serial``, the engine runs +# all the tasks in a single thread which results in serial execution +# of tasks. Setting this to ``parallel`` makes the engine run tasks in +# multiple threads. This results in parallel execution of tasks. +# +# Possible values: +# * serial +# * parallel +# +# Related options: +# * max_workers +# +# (string value) # Allowed values: serial, parallel #engine_mode = parallel -# The number of parallel activities executed at the same time by the -# engine. The value can be greater than one when the engine mode is -# 'parallel'. (integer value) +# +# Set the number of engine executable tasks. +# +# Provide an integer value to limit the number of workers that can be +# instantiated on the hosts. In other words, this number defines the +# number of parallel tasks that can be executed at the same time by +# the taskflow engine. This value can be greater than one when the +# engine mode is set to parallel. +# +# Possible values: +# * Integer value greater than or equal to 1 +# +# Related options: +# * engine_mode +# +# (integer value) +# Minimum value: 1 # Deprecated group/name - [task]/eventlet_executor_pool_size #max_workers = 10 + +# The format to which images will be automatically converted. When +# using the RBD backend, this should be set to 'raw' (string value) +# Allowed values: qcow2, raw, vmdk +#conversion_format = diff --git a/etc/glance-cache.conf b/etc/glance-cache.conf index a2494962d4..8a61f91ea1 100644 
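Review bot: In the @@ -1706,14 hunk the new help for `hmac_keys` says the keys are used "for encrypting context data", while the option name and the removed text ("to sign ... tracing messages") both describe signing; if the keys are only used for an HMAC, as the name suggests, the trace context is authenticated but not confidential and the new wording overstates the protection. I would keep the verb from the old text, e.g. `# Secret key(s) to use for signing context data for performance`. The sample value also stays `SECRET_KEY`, so the help should say that this placeholder must be replaced with a random value before `enabled` is set to true.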
--- a/etc/glance-cache.conf
+++ b/etc/glance-cache.conf
@@ -99,24 +99,205 @@ # value) #digest_algorithm = sha256 -# The path to the sqlite file database that will be used for image -# cache management. (string value) +# +# The relative path to sqlite file database that will be used for +# image cache +# management. +# +# This is a relative path to the sqlite file database that tracks the +# age and +# usage statistics of image cache. The path is relative to image cache +# base +# directory, specified by the configuration option +# ``image_cache_dir``. +# +# This is a lightweight database with just one table. +# +# Services which consume this: +# * glance-api +# +# Possible values: +# * A valid relative path to sqlite file database +# +# Related options: +# * ``image_cache_dir`` +# +# (string value) #image_cache_sqlite_db = cache.db -# The driver to use for image cache management. (string value) +# +# The driver to use for image cache management. +# +# This configuration option provides the flexibility to choose between +# the +# different image-cache drivers available. An image-cache driver is +# responsible +# for providing the essential functions of image-cache like write +# images to/read +# images from cache, track age and usage of cached images, provide a +# list of +# cached images, fetch size of the cache, queue images for caching and +# clean up +# the cache, etc. +# +# The essential functions of a driver are defined in the base class +# ``glance.image_cache.drivers.base.Driver``. All image-cache drivers +# (existing +# and prospective) must implement this interface. Currently available +# drivers +# are ``sqlite`` and ``xattr``. These drivers primarily differ in the +# way they +# store the information about cached images: +# * The ``sqlite`` driver uses a sqlite database (which sits on +# every glance +# node locally) to track the usage of cached images. +# * The ``xattr`` driver uses the extended attributes of files to +# store this +# information. 
It also requires a filesystem that sets ``atime`` +# on the files +# when accessed. +# +# Services which consume this: +# * glance-api +# +# Possible values: +# * sqlite +# * xattr +# +# Related options: +# * None +# +# (string value) +# Allowed values: sqlite, xattr #image_cache_driver = sqlite -# The upper limit (the maximum size of accumulated cache in bytes) -# beyond which the cache pruner, if running, starts cleaning the image -# cache. (integer value) +# +# The upper limit on cache size, in bytes, after which the cache- +# pruner cleans +# up the image cache. +# +# NOTE: This is just a threshold for cache-pruner to act upon. It is +# NOT a +# hard limit beyond which the image cache would never grow. In fact, +# depending +# on how often the cache-pruner runs and how quickly the cache fills, +# the image +# cache can far exceed the size specified here very easily. Hence, +# care must be +# taken to appropriately schedule the cache-pruner and in setting this +# limit. +# +# Glance caches an image when it is downloaded. Consequently, the size +# of the +# image cache grows over time as the number of downloads increases. To +# keep the +# cache size from becoming unmanageable, it is recommended to run the +# cache-pruner as a periodic task. When the cache pruner is kicked +# off, it +# compares the current size of image cache and triggers a cleanup if +# the image +# cache grew beyond the size specified here. After the cleanup, the +# size of +# cache is less than or equal to size specified here. +# +# Services which consume this: +# * None (consumed by cache-pruner, an independent periodic task) +# +# Possible values: +# * Any non-negative integer +# +# Related options: +# * None +# +# (integer value) +# Minimum value: 0 #image_cache_max_size = 10737418240 -# The amount of time to let an incomplete image remain in the cache, -# before the cache cleaner, if running, will remove the incomplete -# image. 
(integer value) +# +# The amount of time, in seconds, an incomplete image remains in the +# cache. +# +# Incomplete images are images for which download is in progress. +# Please see the +# description of configuration option ``image_cache_dir`` for more +# detail. +# Sometimes, due to various reasons, it is possible the download may +# hang and +# the incompletely downloaded image remains in the ``incomplete`` +# directory. +# This configuration option sets a time limit on how long the +# incomplete images +# should remain in the ``incomplete`` directory before they are +# cleaned up. +# Once an incomplete image spends more time than is specified here, +# it'll be +# removed by cache-cleaner on its next run. +# +# It is recommended to run cache-cleaner as a periodic task on the +# Glance API +# nodes to keep the incomplete images from occupying disk space. +# +# Services which consume this: +# * None (consumed by cache-cleaner, an independent periodic task) +# +# Possible values: +# * Any non-negative integer +# +# Related options: +# * None +# +# (integer value) +# Minimum value: 0 #image_cache_stall_time = 86400 -# Base directory that the image cache uses. (string value) +# +# Base directory for image cache. +# +# This is the location where image data is cached and served out of. +# All cached +# images are stored directly under this directory. This directory also +# contains +# three subdirectories, namely, ``incomplete``, ``invalid`` and +# ``queue``. +# +# The ``incomplete`` subdirectory is the staging area for downloading +# images. An +# image is first downloaded to this directory. When the image download +# is +# successful it is moved to the base directory. However, if the +# download fails, +# the partially downloaded image file is moved to the ``invalid`` +# subdirectory. +# +# The ``queue``subdirectory is used for queuing images for download. 
+# This is +# used primarily by the cache-prefetcher, which can be scheduled as a +# periodic +# task like cache-pruner and cache-cleaner, to cache images ahead of +# their usage. +# Upon receiving the request to cache an image, Glance touches a file +# in the +# ``queue`` directory with the image id as the file name. The cache- +# prefetcher, +# when running, polls for the files in ``queue`` directory and starts +# downloading them in the order they were created. When the download +# is +# successful, the zero-sized file is deleted from the ``queue`` +# directory. +# If the download fails, the zero-sized file remains and it'll be +# retried the +# next time cache-prefetcher runs. +# +# Services which consume this: +# * glance-api +# +# Possible values: +# * A valid path +# +# Related options: +# * ``image_cache_sqlite_db`` +# +# (string value) #image_cache_dir = # Address to find the registry server. (string value) @@ -127,11 +308,11 @@ # Maximum value: 65535 #registry_port = 9191 -# Whether to pass through the user token when making requests to the -# registry. To prevent failures with token expiration during big files -# upload, it is recommended to set this parameter to False.If -# "use_user_token" is not in effect, then admin credentials can be -# specified. (boolean value) +# DEPRECATED: Whether to pass through the user token when making +# requests to the registry. To prevent failures with token expiration +# during big files upload, it is recommended to set this parameter to +# False.If "use_user_token" is not in effect, then admin credentials +# can be specified. (boolean value) # This option is deprecated for removal. # Its value may be silently ignored in the future. # Reason: This option was considered harmful and has been deprecated 
@@ -140,8 +321,8 @@ # been implemented with Keystone trusts support. #use_user_token = true -# The administrators user name. If "use_user_token" is not in effect, -# then admin credentials can be specified. (string value) +# DEPRECATED: The administrators user name. If "use_user_token" is not +# in effect, then admin credentials can be specified. (string value) # This option is deprecated for removal. # Its value may be silently ignored in the future. # Reason: This option was considered harmful and has been deprecated @@ -150,8 +331,8 @@ # been implemented with Keystone trusts support. #admin_user = -# The administrators password. If "use_user_token" is not in effect, -# then admin credentials can be specified. (string value) +# DEPRECATED: The administrators password. If "use_user_token" is not +# in effect, then admin credentials can be specified. (string value) # This option is deprecated for removal. # Its value may be silently ignored in the future. # Reason: This option was considered harmful and has been deprecated @@ -160,9 +341,9 @@ # been implemented with Keystone trusts support. #admin_password = -# The tenant name of the administrative user. If "use_user_token" is -# not in effect, then admin tenant name can be specified. (string -# value) +# DEPRECATED: The tenant name of the administrative user. If +# "use_user_token" is not in effect, then admin tenant name can be +# specified. (string value) # This option is deprecated for removal. # Its value may be silently ignored in the future. # Reason: This option was considered harmful and has been deprecated 
@@ -171,8 +352,8 @@ # been implemented with Keystone trusts support. #admin_tenant_name = -# The URL to the keystone service. If "use_user_token" is not in -# effect and using keystone auth, then URL of keystone can be +# DEPRECATED: The URL to the keystone service. If "use_user_token" is +# not in effect and using keystone auth, then URL of keystone can be # specified. (string value) # This option is deprecated for removal. # Its value may be silently ignored in the future. @@ -182,8 +363,9 @@ # been implemented with Keystone trusts support. #auth_url = -# The strategy to use for authentication. If "use_user_token" is not -# in effect, then auth strategy can be specified. (string value) +# DEPRECATED: The strategy to use for authentication. If +# "use_user_token" is not in effect, then auth strategy can be +# specified. (string value) # This option is deprecated for removal. # Its value may be silently ignored in the future. # Reason: This option was considered harmful and has been deprecated @@ -192,9 +374,9 @@ # been implemented with Keystone trusts support. #auth_strategy = noauth -# The region for the authentication service. If "use_user_token" is -# not in effect and using keystone auth, then region name can be -# specified. (string value) +# DEPRECATED: The region for the authentication service. If +# "use_user_token" is not in effect and using keystone auth, then +# region name can be specified. (string value) # This option is deprecated for removal. # Its value may be silently ignored in the future. # Reason: This option was considered harmful and has been deprecated 
@@ -209,10 +391,11 @@ # If set to true, the logging level will be set to DEBUG instead of # the default INFO level. (boolean value) +# Note: This option can be changed without restarting. #debug = false -# If set to false, the logging level will be set to WARNING instead of -# the default INFO level. (boolean value) +# DEPRECATED: If set to false, the logging level will be set to +# WARNING instead of the default INFO level. (boolean value) # This option is deprecated for removal. # Its value may be silently ignored in the future. #verbose = true @@ -224,6 +407,7 @@ # configuration is set in the configuration file and other logging # configuration options are ignored (for example, # logging_context_format_string). (string value) +# Note: This option can be changed without restarting. # Deprecated group/name - [DEFAULT]/log_config #log_config_append = 
@@ -301,6 +485,368 @@ #fatal_deprecations = false +[glance_store] + +# +# From glance.store +# + +# List of stores enabled. Valid stores are: cinder, file, http, rbd, +# sheepdog, swift, s3, vsphere (list value) +#stores = file,http + +# Default scheme to use to store image data. The scheme must be +# registered by one of the stores defined by the 'stores' config +# option. (string value) +#default_store = file + +# Minimum interval seconds to execute updating dynamic storage +# capabilities based on backend status then. It's not a periodic +# routine, the update logic will be executed only when interval +# seconds elapsed and an operation of store has triggered. The feature +# will be enabled only when the option value greater then zero. +# (integer value) +#store_capabilities_update_min_interval = 0 + +# Specify the path to the CA bundle file to use in verifying the +# remote server certificate. (string value) +#https_ca_certificates_file = + +# If true, the remote server certificate is not verified. If false, +# then the default CA truststore is used for verification. This option +# is ignored if "https_ca_certificates_file" is set. (boolean value) +#https_insecure = true + +# Specify the http/https proxy information that should be used to +# connect to the remote server. The proxy information should be a key +# value pair of the scheme and proxy. e.g. http:10.0.0.1:3128. You can +# specify proxies for multiple schemes by seperating the key value +# pairs with a comma.e.g. http:10.0.0.1:3128, https:10.0.0.1:1080. +# (dict value) +#http_proxy_information = + +# If True, swiftclient won't check for a valid SSL certificate when +# authenticating. (boolean value) +#swift_store_auth_insecure = false + +# A string giving the CA certificate file to use in SSL connections +# for verifying certs. (string value) +#swift_store_cacert = + +# The region of the swift endpoint to be used for single tenant. 
This +# setting is only necessary if the tenant has multiple swift +# endpoints. (string value) +#swift_store_region = + +# If set, the configured endpoint will be used. If None, the storage +# url from the auth response will be used. (string value) +#swift_store_endpoint = + +# A string giving the endpoint type of the swift service to use +# (publicURL, adminURL or internalURL). This setting is only used if +# swift_store_auth_version is 2. (string value) +#swift_store_endpoint_type = publicURL + +# A string giving the service type of the swift service to use. This +# setting is only used if swift_store_auth_version is 2. (string +# value) +#swift_store_service_type = object-store + +# Container within the account that the account should use for storing +# images in Swift when using single container mode. In multiple +# container mode, this will be the prefix for all containers. (string +# value) +#swift_store_container = glance + +# The size, in MB, that Glance will start chunking image files and do +# a large object manifest in Swift. (integer value) +#swift_store_large_object_size = 5120 + +# The amount of data written to a temporary disk buffer during the +# process of chunking the image file. (integer value) +#swift_store_large_object_chunk_size = 200 + +# A boolean value that determines if we create the container if it +# does not exist. (boolean value) +#swift_store_create_container_on_put = false + +# If set to True, enables multi-tenant storage mode which causes +# Glance images to be stored in tenant specific Swift accounts. +# (boolean value) +#swift_store_multi_tenant = false + +# When set to 0, a single-tenant store will only use one container to +# store all images. When set to an integer value between 1 and 32, a +# single-tenant store will use multiple containers to store images, +# and this value will determine how many containers are created.Used +# only when swift_store_multi_tenant is disabled. 
The total number of +# containers that will be used is equal to 16^N, so if this config +# option is set to 2, then 16^2=256 containers will be used to store +# images. (integer value) +#swift_store_multiple_containers_seed = 0 + +# A list of tenants that will be granted read/write access on all +# Swift containers created by Glance in multi-tenant mode. (list +# value) +#swift_store_admin_tenants = + +# If set to False, disables SSL layer compression of https swift +# requests. Setting to False may improve performance for images which +# are already in a compressed format, eg qcow2. (boolean value) +#swift_store_ssl_compression = true + +# The number of times a Swift download will be retried before the +# request fails. (integer value) +#swift_store_retry_get_count = 0 + +# The period of time (in seconds) before token expirationwhen +# glance_store will try to reques new user token. Default value 60 sec +# means that if token is going to expire in 1 min then glance_store +# request new user token. (integer value) +#swift_store_expire_soon_interval = 60 + +# If set to True create a trust for each add/get request to Multi- +# tenant store in order to prevent authentication token to be expired +# during uploading/downloading data. If set to False then user token +# is used for Swift connection (so no overhead on trust creation). +# Please note that this option is considered only and only if +# swift_store_multi_tenant=True (boolean value) +#swift_store_use_trusts = true + +# The reference to the default swift account/backing store parameters +# to use for adding new images. (string value) +#default_swift_reference = ref1 + +# Version of the authentication service to use. Valid versions are 2 +# and 3 for keystone and 1 (deprecated) for swauth and rackspace. +# (deprecated - use "auth_version" in swift_store_config_file) (string +# value) +#swift_store_auth_version = 2 + +# The address where the Swift authentication service is listening. 
+# (deprecated - use "auth_address" in swift_store_config_file) (string +# value) +#swift_store_auth_address = + +# The user to authenticate against the Swift authentication service +# (deprecated - use "user" in swift_store_config_file) (string value) +#swift_store_user = + +# Auth key for the user authenticating against the Swift +# authentication service. (deprecated - use "key" in +# swift_store_config_file) (string value) +#swift_store_key = + +# The config file that has the swift account(s)configs. (string value) +#swift_store_config_file = + +# Directory to which the Filesystem backend store writes images. +# (string value) +#filesystem_store_datadir = /var/lib/glance/images + +# List of directories and its priorities to which the Filesystem +# backend store writes images. (multi valued) +#filesystem_store_datadirs = + +# The path to a file which contains the metadata to be returned with +# any location associated with this store. The file must contain a +# valid JSON object. The object should contain the keys 'id' and +# 'mountpoint'. The value for both keys should be 'string'. (string +# value) +#filesystem_store_metadata_file = + +# The required permission for created image file. In this way the user +# other service used, e.g. Nova, who consumes the image could be the +# exclusive member of the group that owns the files created. Assigning +# it less then or equal to zero means don't change the default +# permission of the file. This value will be decoded as an octal +# digit. (integer value) +#filesystem_store_file_perm = 0 + +# The host where the S3 server is listening. (string value) +#s3_store_host = + +# The S3 query token access key. (string value) +#s3_store_access_key = + +# The S3 query token secret key. (string value) +#s3_store_secret_key = + +# The S3 bucket to be used to store the Glance data. (string value) +#s3_store_bucket = + +# The local directory where uploads will be staged before they are +# transferred into S3. 
(string value) +#s3_store_object_buffer_dir = + +# A boolean to determine if the S3 bucket should be created on upload +# if it does not exist or if an error should be returned to the user. +# (boolean value) +#s3_store_create_bucket_on_put = false + +# The S3 calling format used to determine the bucket. Either subdomain +# or path can be used. (string value) +#s3_store_bucket_url_format = subdomain + +# What size, in MB, should S3 start chunking image files and do a +# multipart upload in S3. (integer value) +#s3_store_large_object_size = 100 + +# What multipart upload part size, in MB, should S3 use when uploading +# parts. The size must be greater than or equal to 5M. (integer value) +#s3_store_large_object_chunk_size = 10 + +# The number of thread pools to perform a multipart upload in S3. +# (integer value) +#s3_store_thread_pools = 10 + +# Enable the use of a proxy. (boolean value) +#s3_store_enable_proxy = false + +# Address or hostname for the proxy server. (string value) +#s3_store_proxy_host = + +# The port to use when connecting over a proxy. (integer value) +#s3_store_proxy_port = 8080 + +# The username to connect to the proxy. (string value) +#s3_store_proxy_user = + +# The password to use when connecting over a proxy. (string value) +#s3_store_proxy_password = + +# Info to match when looking for cinder in the service catalog. Format +# is : separated values of the form: +# :: (string value) +#cinder_catalog_info = volumev2::publicURL + +# Override service catalog lookup with template for cinder endpoint +# e.g. http://localhost:8776/v2/%(tenant)s (string value) +#cinder_endpoint_template = + +# Region name of this node. If specified, it will be used to locate +# OpenStack services for stores. (string value) +# Deprecated group/name - [glance_store]/os_region_name +#cinder_os_region_name = + +# Location of ca certicates file to use for cinder client requests. 
+# (string value) +#cinder_ca_certificates_file = + +# Number of cinderclient retries on failed http calls (integer value) +#cinder_http_retries = 3 + +# Time period of time in seconds to wait for a cinder volume +# transition to complete. (integer value) +#cinder_state_transition_timeout = 300 + +# Allow to perform insecure SSL requests to cinder (boolean value) +#cinder_api_insecure = false + +# The address where the Cinder authentication service is listening. If +# , the cinder endpoint in the service catalog is used. (string +# value) +#cinder_store_auth_address = + +# User name to authenticate against Cinder. If , the user of +# current context is used. (string value) +#cinder_store_user_name = + +# Password for the user authenticating against Cinder. If , the +# current context auth token is used. (string value) +#cinder_store_password = + +# Project name where the image is stored in Cinder. If , the +# project in current context is used. (string value) +#cinder_store_project_name = + +# Path to the rootwrap configuration file to use for running commands +# as root. (string value) +#rootwrap_config = /etc/glance/rootwrap.conf + +# ESX/ESXi or vCenter Server target system. The server value can be an +# IP address or a DNS name. (string value) +#vmware_server_host = + +# Username for authenticating with VMware ESX/VC server. (string +# value) +#vmware_server_username = + +# Password for authenticating with VMware ESX/VC server. (string +# value) +#vmware_server_password = + +# Number of times VMware ESX/VC server API must be retried upon +# connection related issues. (integer value) +#vmware_api_retry_count = 10 + +# The interval used for polling remote tasks invoked on VMware ESX/VC +# server. (integer value) +#vmware_task_poll_interval = 5 + +# The name of the directory where the glance images will be stored in +# the VMware datastore. (string value) +#vmware_store_image_dir = /openstack_glance + +# If true, the ESX/vCenter server certificate is not verified. 
If +# false, then the default CA truststore is used for verification. This +# option is ignored if "vmware_ca_file" is set. (boolean value) +# Deprecated group/name - [glance_store]/vmware_api_insecure +#vmware_insecure = false + +# Specify a CA bundle file to use in verifying the ESX/vCenter server +# certificate. (string value) +#vmware_ca_file = + +# A list of datastores where the image can be stored. This option may +# be specified multiple times for specifying multiple datastores. The +# datastore name should be specified after its datacenter path, +# seperated by ":". An optional weight may be given after the +# datastore name, seperated again by ":". Thus, the required format +# becomes ::. When +# adding an image, the datastore with highest weight will be selected, +# unless there is not enough free space available in cases where the +# image size is already known. If no weight is given, it is assumed to +# be zero and the directory will be considered for selection last. If +# multiple datastores have the same weight, then the one with the most +# free space available is selected. (multi valued) +#vmware_datastores = + +# Images will be chunked into objects of this size (in megabytes). For +# best performance, this should be a power of two. (integer value) +#sheepdog_store_chunk_size = 64 + +# Port of sheep daemon. (integer value) +#sheepdog_store_port = 7000 + +# IP address of sheep daemon. (string value) +#sheepdog_store_address = localhost + +# RADOS images will be chunked into objects of this size (in +# megabytes). For best performance, this should be a power of two. +# (integer value) +#rbd_store_chunk_size = 8 + +# RADOS pool in which images are stored. (string value) +#rbd_store_pool = images + +# RADOS user to authenticate as (only applicable if using Cephx. If +# , a default will be chosen based on the client. section in +# rbd_store_ceph_conf) (string value) +#rbd_store_user = + +# Ceph configuration file path. 
If , librados will locate the +# default config. If using cephx authentication, this file should +# include a reference to the right keyring in a client. section +# (string value) +#rbd_store_ceph_conf = /etc/ceph/ceph.conf + +# Timeout value (in seconds) used when connecting to ceph cluster. If +# value <= 0, no timeout is set and default librados value is used. +# (integer value) +#rados_connect_timeout = 0 + + [oslo_policy] # diff --git a/etc/glance-registry.conf b/etc/glance-registry.conf index d83164339a..0b382eda42 100644 --- a/etc/glance-registry.conf +++ b/etc/glance-registry.conf 
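Review bot: The `[glance_store]` section added by the @@ -301,6 +485,368 @@ hunk of etc/glance-cache.conf documents `#https_insecure = true`, and the help directly above it says that with true the remote server certificate is not verified, so the sample advertises an unverified-TLS default for the http store. The neighbouring switches in the same hunk (`swift_store_auth_insecure`, `cinder_api_insecure`, `vmware_insecure`) are all shown as false. If the default cannot be changed from this file, add a comment above the option, e.g. `# NOTE: the default skips certificate verification; set https_ca_certificates_file or https_insecure = false in production.` The hunk also introduces several credential options (`swift_store_key`, `s3_store_secret_key`, `s3_store_proxy_password`, `cinder_store_password`, `vmware_server_password`), so a header line stating that the file must not be world-readable would be worth adding.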
@@ -4,21 +4,103 @@ # From glance.registry # -# When true, this option sets the owner of an image to be the tenant. -# Otherwise, the owner of the image will be the authenticated user -# issuing the request. (boolean value) +# +# Set the image owner to tenant or the authenticated user. +# +# Assign a boolean value to determine the owner of an image. When set +# to +# True, the owner of the image is the tenant. When set to False, the +# owner of the image will be the authenticated user issuing the +# request. +# Setting it to False makes the image private to the associated user +# and +# sharing with other users within the same tenant (or "project") +# requires explicit image sharing via image membership. +# +# Services which consume this: +# * glance-api +# * glare-api +# * glance-registry +# +# Possible values: +# * True +# * False +# +# Related options: +# * None +# +# (boolean value) #owner_is_tenant = true +# # Role used to identify an authenticated user as administrator. -# (string value) +# +# Provide a string value representing a Keystone role to identify an +# administrative user. Users with this role will be granted +# administrative privileges. The default value for this option is +# 'admin'. +# +# Services which consume this: +# * glance-api +# * glare-api +# * glance-registry +# * glance-scrubber +# +# Possible values: +# * A string value which is a valid Keystone role +# +# Related options: +# * None +# +# (string value) #admin_role = admin -# Allow unauthenticated users to access the API with read-only -# privileges. This only applies when using ContextMiddleware. (boolean -# value) +# +# Allow limited access to unauthenticated users. +# +# Assign a boolean to determine API access for unathenticated +# users. When set to False, the API cannot be accessed by +# unauthenticated users. When set to True, unauthenticated users can +# access the API with read-only privileges. This however only applies +# when using ContextMiddleware. 
+# +# Services which consumes this: +# * glance-api +# * glare-api +# * glance-registry +# +# Possible values: +# * True +# * False +# +# Related options: +# * None +# +# (boolean value) #allow_anonymous_access = false -# Limits request ID length. (integer value) +# +# Limit the request ID length. +# +# Provide an integer value to limit the length of the request ID to +# the specified length. The default value is 64. Users can change this +# to any ineteger value between 0 and 16384 however keeping in mind +# that +# a larger value may flood the logs. +# +# Services which consumes this: +# * glance-api +# * glare-api +# * glance-registry +# +# Possible values: +# * Integer value between 0 and 16384 +# +# Related options: +# * None +# +# (integer value) +# Minimum value: 0 #max_request_id_length = 64 # Whether to allow users to specify image properties beyond what the @@ -146,9 +228,12 @@ # value) #key_file = -# The HTTP header used to determine the scheme for the original -# request, even if it was removed by an SSL terminating proxy. Typical -# value is "HTTP_X_FORWARDED_PROTO". (string value) +# DEPRECATED: The HTTP header used to determine the scheme for the +# original request, even if it was removed by an SSL terminating +# proxy. Typical value is "HTTP_X_FORWARDED_PROTO". (string value) +# This option is deprecated for removal. +# Its value may be silently ignored in the future. +# Reason: Use the http_proxy_to_wsgi middleware instead. #secure_proxy_ssl_header = # The number of child process workers that will be created to service 
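Review bot: The new help text for max_request_id_length states a range of 0 to 16384, but the constraint lines that follow show only `# Minimum value: 0` and no maximum, so the upper bound appears to be documented rather than enforced. The text itself warns that a larger value may flood the logs, and the request ID presumably originates with the caller, so the option definition should carry the bound and the sample should gain `# Maximum value: 16384`. The same hunk has wording slips in the added text: `unathenticated`, `ineteger` and `Services which consumes this`. This file looks generated from the option definitions, so these fixes would belong in the help strings there.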
@@ -181,10 +266,11 @@ # If set to true, the logging level will be set to DEBUG instead of # the default INFO level. (boolean value) +# Note: This option can be changed without restarting. #debug = false -# If set to false, the logging level will be set to WARNING instead of -# the default INFO level. (boolean value) +# DEPRECATED: If set to false, the logging level will be set to +# WARNING instead of the default INFO level. (boolean value) # This option is deprecated for removal. # Its value may be silently ignored in the future. #verbose = true @@ -196,6 +282,7 @@ # configuration is set in the configuration file and other logging # configuration options are ignored (for example, # logging_context_format_string). (string value) +# Note: This option can be changed without restarting. # Deprecated group/name - [DEFAULT]/log_config #log_config_append = @@ -289,10 +376,6 @@ # Allowed values: redis, dummy #rpc_zmq_matchmaker = redis -# Type of concurrency used. Either "native" or "eventlet" (string -# value) -#rpc_zmq_concurrency = eventlet - # Number of ZeroMQ contexts, defaults to 1. (integer value) #rpc_zmq_contexts = 1 @@ -319,16 +402,23 @@ # Expiration timeout in seconds of a name service record about # existing target ( < 0 means no timeout). (integer value) -#zmq_target_expire = 120 +#zmq_target_expire = 300 + +# Update period in seconds of a name service record about existing +# target. (integer value) +#zmq_target_update = 180 # Use PUB/SUB pattern for fanout methods. PUB/SUB always uses proxy. # (boolean value) #use_pub_sub = true +# Use ROUTER remote proxy. (boolean value) +#use_router_proxy = true + # Minimal port number for random ports range. (port value) # Minimum value: 0 # Maximum value: 65535 -#rpc_zmq_min_port = 49152 +#rpc_zmq_min_port = 49153 # Maximal port number for random ports range. (integer value) # Minimum value: 1 
@@ -347,12 +437,14 @@ #rpc_response_timeout = 60 # A URL representing the messaging driver to use and its full -# configuration. If not set, we fall back to the rpc_backend option -# and driver specific configuration. (string value) +# configuration. (string value) #transport_url = -# The messaging driver to use, defaults to rabbit. Other drivers -# include amqp and zmq. (string value) +# DEPRECATED: The messaging driver to use, defaults to rabbit. Other +# drivers include amqp and zmq. (string value) +# This option is deprecated for removal. +# Its value may be silently ignored in the future. +# Reason: Replaced by [DEFAULT]/transport_url #rpc_backend = rabbit # The default exchange under which topics are scoped. May be @@ -367,8 +459,12 @@ # From oslo.db # -# The file name to use with SQLite. (string value) +# DEPRECATED: The file name to use with SQLite. (string value) # Deprecated group/name - [DEFAULT]/sqlite_db +# This option is deprecated for removal. +# Its value may be silently ignored in the future. +# Reason: Should use config option connection or slave_connection to +# connect the database. #sqlite_db = oslo.sqlite # If True, SQLite uses synchronous mode. (boolean value) @@ -482,7 +578,14 @@ # From keystonemiddleware.auth_token # -# Complete public Identity API endpoint. (string value) +# Complete "public" Identity API endpoint. This endpoint should not be +# an "admin" endpoint, as it should be accessible by all end users. +# Unauthenticated clients are redirected to this endpoint to +# authenticate. Although this endpoint should ideally be unversioned, +# client support in the wild varies. If you're using a versioned v2 +# endpoint here, then this should *not* be the same endpoint the +# service user utilizes for validating tokens, because normal end +# users may not be able to reach that endpoint. (string value) #auth_uri = # API version of the admin Identity API endpoint. (string value) 
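Review bot: The shortened transport_url description drops the fallback sentence but still says nothing about what the URL contains, while the hunks at -626 and -807 mark the redis `password` and `rabbit_userid`/`rabbit_password` as replaced by `[DEFAULT]/transport_url`. The broker credentials therefore presumably move into this one value, which makes it the secret in the file and something that should not be echoed into logs or config dumps. I would add a line to the help text such as `# The URL may contain the broker username and password; restrict read access to this file.` The deprecated RabbitMQ options still show `guest` as sample user and password, so the text should also say not to carry those defaults into the URL.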
@@ -528,7 +631,7 @@ # Optionally specify a list of memcached server(s) to use for caching. # If left undefined, tokens will instead be cached in-process. (list # value) -# Deprecated group/name - [DEFAULT]/memcache_servers +# Deprecated group/name - [keystone_authtoken]/memcache_servers #memcached_servers = # In order to prevent excessive effort spent validating tokens, the @@ -540,7 +643,8 @@ # Determines the frequency at which the list of revoked tokens is # retrieved from the Identity service (in seconds). A high number of # revocation events combined with a low cache duration may -# significantly reduce performance. (integer value) +# significantly reduce performance. Only valid for PKI tokens. +# (integer value) #revocation_cache_time = 10 # (Optional) If defined, indicate whether token data should be @@ -611,11 +715,11 @@ # value) #hash_algorithms = md5 -# Authentication type to load (unknown value) -# Deprecated group/name - [DEFAULT]/auth_plugin +# Authentication type to load (string value) +# Deprecated group/name - [keystone_authtoken]/auth_plugin #auth_type = -# Config Section from which to load plugin specific options (unknown +# Config Section from which to load plugin specific options (string # value) #auth_section = 
@@ -626,32 +730,44 @@ # From oslo.messaging # -# Host to locate redis. (string value) +# DEPRECATED: Host to locate redis. (string value) +# This option is deprecated for removal. +# Its value may be silently ignored in the future. +# Reason: Replaced by [DEFAULT]/transport_url #host = 127.0.0.1 -# Use this port to connect to redis host. (port value) +# DEPRECATED: Use this port to connect to redis host. (port value) # Minimum value: 0 # Maximum value: 65535 +# This option is deprecated for removal. +# Its value may be silently ignored in the future. +# Reason: Replaced by [DEFAULT]/transport_url #port = 6379 -# Password for Redis server (optional). (string value) +# DEPRECATED: Password for Redis server (optional). (string value) +# This option is deprecated for removal. +# Its value may be silently ignored in the future. +# Reason: Replaced by [DEFAULT]/transport_url #password = -# List of Redis Sentinel hosts (fault tolerance mode) e.g. +# DEPRECATED: List of Redis Sentinel hosts (fault tolerance mode) e.g. # [host:port, host1:port ... ] (list value) +# This option is deprecated for removal. +# Its value may be silently ignored in the future. +# Reason: Replaced by [DEFAULT]/transport_url #sentinel_hosts = # Redis replica set name. (string value) #sentinel_group_name = oslo-messaging-zeromq # Time in ms to wait between connection attempts. (integer value) -#wait_timeout = 500 +#wait_timeout = 5000 # Time in ms to wait before the transaction is killed. (integer value) -#check_timeout = 20000 +#check_timeout = 60000 # Timeout in ms on blocking socket operations (integer value) -#socket_timeout = 1000 +#socket_timeout = 10000 [oslo_messaging_amqp] 
@@ -798,7 +914,7 @@ # How long to wait a missing client beforce abandoning to send it its # replies. This value should not be longer than rpc_response_timeout. # (integer value) -# Deprecated group/name - [DEFAULT]/kombu_reconnect_timeout +# Deprecated group/name - [oslo_messaging_rabbit]/kombu_reconnect_timeout #kombu_missing_consumer_retry_timeout = 60 # Determines how the next RabbitMQ node is chosen in case the one we 
@@ -807,39 +923,58 @@ # Allowed values: round-robin, shuffle #kombu_failover_strategy = round-robin -# The RabbitMQ broker address where a single node is used. (string -# value) +# DEPRECATED: The RabbitMQ broker address where a single node is used. +# (string value) # Deprecated group/name - [DEFAULT]/rabbit_host +# This option is deprecated for removal. +# Its value may be silently ignored in the future. +# Reason: Replaced by [DEFAULT]/transport_url #rabbit_host = localhost -# The RabbitMQ broker port where a single node is used. (port value) +# DEPRECATED: The RabbitMQ broker port where a single node is used. +# (port value) # Minimum value: 0 # Maximum value: 65535 # Deprecated group/name - [DEFAULT]/rabbit_port +# This option is deprecated for removal. +# Its value may be silently ignored in the future. +# Reason: Replaced by [DEFAULT]/transport_url #rabbit_port = 5672 -# RabbitMQ HA cluster host:port pairs. (list value) +# DEPRECATED: RabbitMQ HA cluster host:port pairs. (list value) # Deprecated group/name - [DEFAULT]/rabbit_hosts +# This option is deprecated for removal. +# Its value may be silently ignored in the future. +# Reason: Replaced by [DEFAULT]/transport_url #rabbit_hosts = $rabbit_host:$rabbit_port # Connect over SSL for RabbitMQ. (boolean value) # Deprecated group/name - [DEFAULT]/rabbit_use_ssl #rabbit_use_ssl = false -# The RabbitMQ userid. (string value) +# DEPRECATED: The RabbitMQ userid. (string value) # Deprecated group/name - [DEFAULT]/rabbit_userid +# This option is deprecated for removal. +# Its value may be silently ignored in the future. +# Reason: Replaced by [DEFAULT]/transport_url #rabbit_userid = guest -# The RabbitMQ password. (string value) +# DEPRECATED: The RabbitMQ password. (string value) # Deprecated group/name - [DEFAULT]/rabbit_password +# This option is deprecated for removal. +# Its value may be silently ignored in the future. 
+# Reason: Replaced by [DEFAULT]/transport_url #rabbit_password = guest # The RabbitMQ login method. (string value) # Deprecated group/name - [DEFAULT]/rabbit_login_method #rabbit_login_method = AMQPLAIN -# The RabbitMQ virtual host. (string value) +# DEPRECATED: The RabbitMQ virtual host. (string value) # Deprecated group/name - [DEFAULT]/rabbit_virtual_host +# This option is deprecated for removal. +# Its value may be silently ignored in the future. +# Reason: Replaced by [DEFAULT]/transport_url #rabbit_virtual_host = / # How frequently to retry connecting with RabbitMQ. (integer value) @@ -902,7 +1037,7 @@ # How often to send heartbeats for consumer's connections (integer # value) -#heartbeat_interval = 1 +#heartbeat_interval = 3 # Enable SSL (boolean value) #ssl = @@ -922,8 +1057,12 @@ # (floating point value) #host_connection_reconnect_delay = 0.25 +# Connection factory implementation (string value) +# Allowed values: new, single, read_write +#connection_factory = single + # Maximum number of connections to keep queued. (integer value) -#pool_max_size = 10 +#pool_max_size = 30 # Maximum number of connections to create above `pool_max_size`. # (integer value) @@ -946,7 +1085,7 @@ # Persist notification messages. (boolean value) #notification_persistence = false -# Exchange name for for sending notifications (string value) +# Exchange name for sending notifications (string value) #default_notification_exchange = ${control_exchange}_notification # Max number of not acknowledged message which RabbitMQ can send to 
@@ -1045,12 +1184,60 @@ # From glance.registry # -# If False fully disable profiling feature. (boolean value) +# +# Enables the profiling for all services on this node. Default value +# is False +# (fully disable the profiling feature). +# +# Possible values: +# +# * True: Enables the feature +# * False: Disables the feature. The profiling cannot be started via +# this project +# operations. If the profiling is triggered by another project, this +# project part +# will be empty. +# (boolean value) +# Deprecated group/name - [profiler]/profiler_enabled #enabled = false -# If False doesn't trace SQL requests. (boolean value) +# +# Enables SQL requests profiling in services. Default value is False +# (SQL +# requests won't be traced). +# +# Possible values: +# +# * True: Enables SQL requests profiling. Each SQL query will be part +# of the +# trace and can the be analyzed by how much time was spent for that. +# * False: Disables SQL requests profiling. The spent time is only +# shown on a +# higher level of operations. Single SQL queries cannot be analyzed +# this +# way. +# (boolean value) #trace_sqlalchemy = false -# Secret key to use to sign Glance API and Glance Registry services -# tracing messages. (string value) +# +# Secret key(s) to use for encrypting context data for performance +# profiling. +# This string value should have the following format: +# [,,...], +# where each key is some random string. A user who triggers the +# profiling via +# the REST API has to set one of these keys in the headers of the REST +# API call +# to include profiling results of this node for this particular +# project. +# +# Both "enabled" flag and "hmac_keys" config options should be set to +# enable +# profiling. Also, to generate correct profiling information across +# all services +# at least one key needs to be consistent between OpenStack projects. 
+# This +# ensures it can be used from client side to generate the trace, +# containing +# information from all possible resources. (string value) #hmac_keys = SECRET_KEY diff --git a/etc/glance-scrubber.conf b/etc/glance-scrubber.conf index cc88406b84..74f8cda0c6 100644 --- a/etc/glance-scrubber.conf +++ b/etc/glance-scrubber.conf @@ -112,8 +112,27 @@ # Turn on/off delayed delete. (boolean value) #delayed_delete = false +# # Role used to identify an authenticated user as administrator. -# (string value) +# +# Provide a string value representing a Keystone role to identify an +# administrative user. Users with this role will be granted +# administrative privileges. The default value for this option is +# 'admin'. +# +# Services which consume this: +# * glance-api +# * glare-api +# * glance-registry +# * glance-scrubber +# +# Possible values: +# * A string value which is a valid Keystone role +# +# Related options: +# * None +# +# (string value) #admin_role = admin # Whether to pass through headers containing user and tenant @@ -167,11 +186,11 @@ # (integer value) #registry_client_timeout = 600 -# Whether to pass through the user token when making requests to the -# registry. To prevent failures with token expiration during big files -# upload, it is recommended to set this parameter to False.If -# "use_user_token" is not in effect, then admin credentials can be -# specified. (boolean value) +# DEPRECATED: Whether to pass through the user token when making +# requests to the registry. To prevent failures with token expiration +# during big files upload, it is recommended to set this parameter to +# False.If "use_user_token" is not in effect, then admin credentials +# can be specified. (boolean value) # This option is deprecated for removal. # Its value may be silently ignored in the future. # Reason: This option was considered harmful and has been deprecated 
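Review bot: The new hmac_keys description says the keys are used for "encrypting context data", whereas the option name and the removed text ("to sign ... tracing messages") point to HMAC signing, which authenticates data but does not hide it. An operator could read this as a confidentiality guarantee for traces that, with trace_sqlalchemy on, contain each SQL query. I would reword the opening to `# Secret key(s) used to sign (HMAC) the context data for performance profiling.` and add `# Replace the sample value SECRET_KEY with a random string before enabling profiling.` The second line matters because the sample default stays `#hmac_keys = SECRET_KEY` and the text states that a caller who sends a matching key in the REST headers gets profiling results from this node.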
@@ -180,8 +199,8 @@ # been implemented with Keystone trusts support. #use_user_token = true -# The administrators user name. If "use_user_token" is not in effect, -# then admin credentials can be specified. (string value) +# DEPRECATED: The administrators user name. If "use_user_token" is not +# in effect, then admin credentials can be specified. (string value) # This option is deprecated for removal. # Its value may be silently ignored in the future. # Reason: This option was considered harmful and has been deprecated @@ -190,8 +209,8 @@ # been implemented with Keystone trusts support. #admin_user = -# The administrators password. If "use_user_token" is not in effect, -# then admin credentials can be specified. (string value) +# DEPRECATED: The administrators password. If "use_user_token" is not +# in effect, then admin credentials can be specified. (string value) # This option is deprecated for removal. # Its value may be silently ignored in the future. # Reason: This option was considered harmful and has been deprecated @@ -200,9 +219,9 @@ # been implemented with Keystone trusts support. #admin_password = -# The tenant name of the administrative user. If "use_user_token" is -# not in effect, then admin tenant name can be specified. (string -# value) +# DEPRECATED: The tenant name of the administrative user. If +# "use_user_token" is not in effect, then admin tenant name can be +# specified. (string value) # This option is deprecated for removal. # Its value may be silently ignored in the future. # Reason: This option was considered harmful and has been deprecated 
@@ -211,8 +230,8 @@ # been implemented with Keystone trusts support. #admin_tenant_name = -# The URL to the keystone service. If "use_user_token" is not in -# effect and using keystone auth, then URL of keystone can be +# DEPRECATED: The URL to the keystone service. If "use_user_token" is +# not in effect and using keystone auth, then URL of keystone can be # specified. (string value) # This option is deprecated for removal. # Its value may be silently ignored in the future. @@ -222,8 +241,9 @@ # been implemented with Keystone trusts support. #auth_url = -# The strategy to use for authentication. If "use_user_token" is not -# in effect, then auth strategy can be specified. (string value) +# DEPRECATED: The strategy to use for authentication. If +# "use_user_token" is not in effect, then auth strategy can be +# specified. (string value) # This option is deprecated for removal. # Its value may be silently ignored in the future. # Reason: This option was considered harmful and has been deprecated @@ -232,9 +252,9 @@ # been implemented with Keystone trusts support. #auth_strategy = noauth -# The region for the authentication service. If "use_user_token" is -# not in effect and using keystone auth, then region name can be -# specified. (string value) +# DEPRECATED: The region for the authentication service. If +# "use_user_token" is not in effect and using keystone auth, then +# region name can be specified. (string value) # This option is deprecated for removal. # Its value may be silently ignored in the future. # Reason: This option was considered harmful and has been deprecated 
@@ -257,10 +277,11 @@ # If set to true, the logging level will be set to DEBUG instead of # the default INFO level. (boolean value) +# Note: This option can be changed without restarting. #debug = false -# If set to false, the logging level will be set to WARNING instead of -# the default INFO level. (boolean value) +# DEPRECATED: If set to false, the logging level will be set to +# WARNING instead of the default INFO level. (boolean value) # This option is deprecated for removal. # Its value may be silently ignored in the future. #verbose = true @@ -272,6 +293,7 @@ # configuration is set in the configuration file and other logging # configuration options are ignored (for example, # logging_context_format_string). (string value) +# Note: This option can be changed without restarting. # Deprecated group/name - [DEFAULT]/log_config #log_config_append = @@ -355,8 +377,12 @@ # From oslo.db # -# The file name to use with SQLite. (string value) +# DEPRECATED: The file name to use with SQLite. (string value) # Deprecated group/name - [DEFAULT]/sqlite_db +# This option is deprecated for removal. +# Its value may be silently ignored in the future. +# Reason: Should use config option connection or slave_connection to +# connect the database. #sqlite_db = oslo.sqlite # If True, SQLite uses synchronous mode. (boolean value) 
@@ -464,6 +490,368 @@ #use_tpool = false +[glance_store] + +# +# From glance.store +# + +# List of stores enabled. Valid stores are: cinder, file, http, rbd, +# sheepdog, swift, s3, vsphere (list value) +#stores = file,http + +# Default scheme to use to store image data. The scheme must be +# registered by one of the stores defined by the 'stores' config +# option. (string value) +#default_store = file + +# Minimum interval seconds to execute updating dynamic storage +# capabilities based on backend status then. It's not a periodic +# routine, the update logic will be executed only when interval +# seconds elapsed and an operation of store has triggered. The feature +# will be enabled only when the option value greater then zero. +# (integer value) +#store_capabilities_update_min_interval = 0 + +# Specify the path to the CA bundle file to use in verifying the +# remote server certificate. (string value) +#https_ca_certificates_file = + +# If true, the remote server certificate is not verified. If false, +# then the default CA truststore is used for verification. This option +# is ignored if "https_ca_certificates_file" is set. (boolean value) +#https_insecure = true + +# Specify the http/https proxy information that should be used to +# connect to the remote server. The proxy information should be a key +# value pair of the scheme and proxy. e.g. http:10.0.0.1:3128. You can +# specify proxies for multiple schemes by seperating the key value +# pairs with a comma.e.g. http:10.0.0.1:3128, https:10.0.0.1:1080. +# (dict value) +#http_proxy_information = + +# If True, swiftclient won't check for a valid SSL certificate when +# authenticating. (boolean value) +#swift_store_auth_insecure = false + +# A string giving the CA certificate file to use in SSL connections +# for verifying certs. (string value) +#swift_store_cacert = + +# The region of the swift endpoint to be used for single tenant. This +# setting is only necessary if the tenant has multiple swift +# endpoints. 
(string value) +#swift_store_region = + +# If set, the configured endpoint will be used. If None, the storage +# url from the auth response will be used. (string value) +#swift_store_endpoint = + +# A string giving the endpoint type of the swift service to use +# (publicURL, adminURL or internalURL). This setting is only used if +# swift_store_auth_version is 2. (string value) +#swift_store_endpoint_type = publicURL + +# A string giving the service type of the swift service to use. This +# setting is only used if swift_store_auth_version is 2. (string +# value) +#swift_store_service_type = object-store + +# Container within the account that the account should use for storing +# images in Swift when using single container mode. In multiple +# container mode, this will be the prefix for all containers. (string +# value) +#swift_store_container = glance + +# The size, in MB, that Glance will start chunking image files and do +# a large object manifest in Swift. (integer value) +#swift_store_large_object_size = 5120 + +# The amount of data written to a temporary disk buffer during the +# process of chunking the image file. (integer value) +#swift_store_large_object_chunk_size = 200 + +# A boolean value that determines if we create the container if it +# does not exist. (boolean value) +#swift_store_create_container_on_put = false + +# If set to True, enables multi-tenant storage mode which causes +# Glance images to be stored in tenant specific Swift accounts. +# (boolean value) +#swift_store_multi_tenant = false + +# When set to 0, a single-tenant store will only use one container to +# store all images. When set to an integer value between 1 and 32, a +# single-tenant store will use multiple containers to store images, +# and this value will determine how many containers are created.Used +# only when swift_store_multi_tenant is disabled. 
The total number of +# containers that will be used is equal to 16^N, so if this config +# option is set to 2, then 16^2=256 containers will be used to store +# images. (integer value) +#swift_store_multiple_containers_seed = 0 + +# A list of tenants that will be granted read/write access on all +# Swift containers created by Glance in multi-tenant mode. (list +# value) +#swift_store_admin_tenants = + +# If set to False, disables SSL layer compression of https swift +# requests. Setting to False may improve performance for images which +# are already in a compressed format, eg qcow2. (boolean value) +#swift_store_ssl_compression = true + +# The number of times a Swift download will be retried before the +# request fails. (integer value) +#swift_store_retry_get_count = 0 + +# The period of time (in seconds) before token expirationwhen +# glance_store will try to reques new user token. Default value 60 sec +# means that if token is going to expire in 1 min then glance_store +# request new user token. (integer value) +#swift_store_expire_soon_interval = 60 + +# If set to True create a trust for each add/get request to Multi- +# tenant store in order to prevent authentication token to be expired +# during uploading/downloading data. If set to False then user token +# is used for Swift connection (so no overhead on trust creation). +# Please note that this option is considered only and only if +# swift_store_multi_tenant=True (boolean value) +#swift_store_use_trusts = true + +# The reference to the default swift account/backing store parameters +# to use for adding new images. (string value) +#default_swift_reference = ref1 + +# Version of the authentication service to use. Valid versions are 2 +# and 3 for keystone and 1 (deprecated) for swauth and rackspace. +# (deprecated - use "auth_version" in swift_store_config_file) (string +# value) +#swift_store_auth_version = 2 + +# The address where the Swift authentication service is listening. 
+# (deprecated - use "auth_address" in swift_store_config_file) (string
+# value)
+#swift_store_auth_address =
+
+# The user to authenticate against the Swift authentication service
+# (deprecated - use "user" in swift_store_config_file) (string value)
+#swift_store_user =
+
+# Auth key for the user authenticating against the Swift
+# authentication service. (deprecated - use "key" in
+# swift_store_config_file) (string value)
+#swift_store_key =
+
+# The config file that has the swift account(s)configs. (string value)
+#swift_store_config_file =
+
+# Directory to which the Filesystem backend store writes images.
+# (string value)
+#filesystem_store_datadir = /var/lib/glance/images
+
+# List of directories and its priorities to which the Filesystem
+# backend store writes images. (multi valued)
+#filesystem_store_datadirs =
+
+# The path to a file which contains the metadata to be returned with
+# any location associated with this store. The file must contain a
+# valid JSON object. The object should contain the keys 'id' and
+# 'mountpoint'. The value for both keys should be 'string'. (string
+# value)
+#filesystem_store_metadata_file =
+
+# The required permission for created image file. In this way the user
+# other service used, e.g. Nova, who consumes the image could be the
+# exclusive member of the group that owns the files created. Assigning
+# it less then or equal to zero means don't change the default
+# permission of the file. This value will be decoded as an octal
+# digit. (integer value)
+#filesystem_store_file_perm = 0
+
+# The host where the S3 server is listening. (string value)
+#s3_store_host =
+
+# The S3 query token access key. (string value)
+#s3_store_access_key =
+
+# The S3 query token secret key. (string value)
+#s3_store_secret_key =
+
+# The S3 bucket to be used to store the Glance data. (string value)
+#s3_store_bucket =
+
+# The local directory where uploads will be staged before they are
+# transferred into S3. (string value)
+#s3_store_object_buffer_dir =
+
+# A boolean to determine if the S3 bucket should be created on upload
+# if it does not exist or if an error should be returned to the user.
+# (boolean value)
+#s3_store_create_bucket_on_put = false
+
+# The S3 calling format used to determine the bucket. Either subdomain
+# or path can be used. (string value)
+#s3_store_bucket_url_format = subdomain
+
+# What size, in MB, should S3 start chunking image files and do a
+# multipart upload in S3. (integer value)
+#s3_store_large_object_size = 100
+
+# What multipart upload part size, in MB, should S3 use when uploading
+# parts. The size must be greater than or equal to 5M. (integer value)
+#s3_store_large_object_chunk_size = 10
+
+# The number of thread pools to perform a multipart upload in S3.
+# (integer value)
+#s3_store_thread_pools = 10
+
+# Enable the use of a proxy. (boolean value)
+#s3_store_enable_proxy = false
+
+# Address or hostname for the proxy server. (string value)
+#s3_store_proxy_host =
+
+# The port to use when connecting over a proxy. (integer value)
+#s3_store_proxy_port = 8080
+
+# The username to connect to the proxy. (string value)
+#s3_store_proxy_user =
+
+# The password to use when connecting over a proxy. (string value)
+#s3_store_proxy_password =
+
+# Info to match when looking for cinder in the service catalog. Format
+# is : separated values of the form:
+# :: (string value)
+#cinder_catalog_info = volumev2::publicURL
+
+# Override service catalog lookup with template for cinder endpoint
+# e.g. http://localhost:8776/v2/%(tenant)s (string value)
+#cinder_endpoint_template =
+
+# Region name of this node. If specified, it will be used to locate
+# OpenStack services for stores. (string value)
+# Deprecated group/name - [glance_store]/os_region_name
+#cinder_os_region_name =
+
+# Location of ca certicates file to use for cinder client requests.
+# (string value)
+#cinder_ca_certificates_file =
+
+# Number of cinderclient retries on failed http calls (integer value)
+#cinder_http_retries = 3
+
+# Time period of time in seconds to wait for a cinder volume
+# transition to complete. (integer value)
+#cinder_state_transition_timeout = 300
+
+# Allow to perform insecure SSL requests to cinder (boolean value)
+#cinder_api_insecure = false
+
+# The address where the Cinder authentication service is listening. If
+# , the cinder endpoint in the service catalog is used. (string
+# value)
+#cinder_store_auth_address =
+
+# User name to authenticate against Cinder. If , the user of
+# current context is used. (string value)
+#cinder_store_user_name =
+
+# Password for the user authenticating against Cinder. If , the
+# current context auth token is used. (string value)
+#cinder_store_password =
+
+# Project name where the image is stored in Cinder. If , the
+# project in current context is used. (string value)
+#cinder_store_project_name =
+
+# Path to the rootwrap configuration file to use for running commands
+# as root. (string value)
+#rootwrap_config = /etc/glance/rootwrap.conf
+
+# ESX/ESXi or vCenter Server target system. The server value can be an
+# IP address or a DNS name. (string value)
+#vmware_server_host =
+
+# Username for authenticating with VMware ESX/VC server. (string
+# value)
+#vmware_server_username =
+
+# Password for authenticating with VMware ESX/VC server. (string
+# value)
+#vmware_server_password =
+
+# Number of times VMware ESX/VC server API must be retried upon
+# connection related issues. (integer value)
+#vmware_api_retry_count = 10
+
+# The interval used for polling remote tasks invoked on VMware ESX/VC
+# server. (integer value)
+#vmware_task_poll_interval = 5
+
+# The name of the directory where the glance images will be stored in
+# the VMware datastore. (string value)
+#vmware_store_image_dir = /openstack_glance
+
+# If true, the ESX/vCenter server certificate is not verified. If
+# false, then the default CA truststore is used for verification. This
+# option is ignored if "vmware_ca_file" is set. (boolean value)
+# Deprecated group/name - [glance_store]/vmware_api_insecure
+#vmware_insecure = false
+
+# Specify a CA bundle file to use in verifying the ESX/vCenter server
+# certificate. (string value)
+#vmware_ca_file =
+
+# A list of datastores where the image can be stored. This option may
+# be specified multiple times for specifying multiple datastores. The
+# datastore name should be specified after its datacenter path,
+# seperated by ":". An optional weight may be given after the
+# datastore name, seperated again by ":". Thus, the required format
+# becomes ::. When
+# adding an image, the datastore with highest weight will be selected,
+# unless there is not enough free space available in cases where the
+# image size is already known. If no weight is given, it is assumed to
+# be zero and the directory will be considered for selection last. If
+# multiple datastores have the same weight, then the one with the most
+# free space available is selected. (multi valued)
+#vmware_datastores =
+
+# Images will be chunked into objects of this size (in megabytes). For
+# best performance, this should be a power of two. (integer value)
+#sheepdog_store_chunk_size = 64
+
+# Port of sheep daemon. (integer value)
+#sheepdog_store_port = 7000
+
+# IP address of sheep daemon. (string value)
+#sheepdog_store_address = localhost
+
+# RADOS images will be chunked into objects of this size (in
+# megabytes). For best performance, this should be a power of two.
+# (integer value)
+#rbd_store_chunk_size = 8
+
+# RADOS pool in which images are stored. (string value)
+#rbd_store_pool = images
+
+# RADOS user to authenticate as (only applicable if using Cephx. If
+# , a default will be chosen based on the client. section in
+# rbd_store_ceph_conf) (string value)
+#rbd_store_user =
+
+# Ceph configuration file path. If , librados will locate the
+# default config. If using cephx authentication, this file should
+# include a reference to the right keyring in a client. section
+# (string value)
+#rbd_store_ceph_conf = /etc/ceph/ceph.conf
+
+# Timeout value (in seconds) used when connecting to ceph cluster. If
+# value <= 0, no timeout is set and default librados value is used.
+# (integer value)
+#rados_connect_timeout = 0
+
+
 [oslo_concurrency]
 #