karbor.conf¶

state_path¶

Type:	string
Default:	/var/lib/karbor

Top-level directory for maintaining karbor’s state

Deprecated Variations¶

Group	Name
DEFAULT	pybasedir

service_down_time¶

Type:	integer
Default:	60

Maximum time since last check-in for a service to be considered up

operationengine_topic¶

Type:	string
Default:	karbor-operationengine

The topic that OperationEngine nodes listen on

operationengine_manager¶

Type:	string
Default:	karbor.services.operationengine.manager.OperationEngineManager

Full class name for the Manager for OperationEngine

protection_topic¶

Type:	string
Default:	karbor-protection

The topic that protection nodes listen on

protection_manager¶

Type:	string
Default:	karbor.services.protection.manager.ProtectionManager

Full class name for the Manager for Protection

host¶

Type:	host address
Default:	ubuntu-xenial-rax-iad-0004962405

Name of this node. This can be an opaque identifier. It is not necessarily a host name, FQDN, or IP address.

auth_strategy¶

Type:	string
Default:	keystone
Valid Values:	noauth, keystone

The strategy to use for auth. Supports noauth or keystone.

osapi_max_limit¶

Type:	integer
Default:	1000

The maximum number of items that a collection resource returns in a single response

osapi_karbor_base_URL¶

Type:	string
Default:	<None>

Base URL that will be presented to users in links to the OpenStack Karbor API

query_instance_filters¶

Type:	list
Default:	status

Instance filter options which non-admin user could use to query instances. Default values are: [‘status’]

query_provider_filters¶

Type:	list
Default:	name,description

Provider filter options which non-admin user could use to query providers. Default values are: [‘name’, ‘description’]

query_checkpoint_filters¶

Type:	list
Default:	project_id,plan_id,start_date,end_date

Checkpoint filter options which non-admin user could use to query checkpoints. Default values are: [‘project_id’, ‘plan_id’, ‘start_date’, ‘end_date’]

enable_new_services¶

Type:	boolean
Default:	true

Services to be added to the available pool on create

thread_count¶

Type:	integer
Default:	10

The count of thread which executor will start

min_interval¶

Type:	integer
Default:	3600

The minimum interval of two adjacent time points. min_interval >= (max_window_time * 2)

min_window_time¶

Type:	integer
Default:	900

The minimum window time

max_window_time¶

Type:	integer
Default:	1800

The maximum window time

time_format¶

Type:	string
Default:	calendar
Valid Values:	crontab, calendar

The type of time format which is used to compute time

trigger_poll_interval¶

Type:	integer
Default:	15

Interval, in seconds, in which Karbor will poll for trigger events

scheduling_strategy¶

Type:	string
Default:	multi_node

Time trigger scheduling strategy

retained_operation_log_number¶

Type:	integer
Default:	5

The number of retained operation log

sync_status_interval¶

Type:	integer
Default:	20

update protection status interval

workflow_engine¶

Type:	string
Default:	karbor.services.protection.flows.workflow.TaskFlowEngine

The workflow engine provides flow and task interface

provider_registry¶

Type:	string
Default:	provider-registry

the provider registry

max_concurrent_operations¶

Type:	integer
Default:	0

number of maximum concurrent operation (protect, restore, delete) flows. 0 means no hard limit

tcp_keepalive¶

Type:	boolean
Default:	true

Sets the value of TCP_KEEPALIVE (True/False) for each server socket.

tcp_keepalive_interval¶

Type:	integer
Default:	<None>

Sets the value of TCP_KEEPINTVL in seconds for each server socket. Not supported on OS X.

tcp_keepalive_count¶

Type:	integer
Default:	<None>

Sets the value of TCP_KEEPCNT for each server socket. Not supported on OS X.

fatal_exception_format_errors¶

Type:	boolean
Default:	false

Make exception message format errors fatal.

report_interval¶

Type:	integer
Default:	10

Interval, in seconds, between nodes reporting state to datastore

periodic_interval¶

Type:	integer
Default:	60

Interval, in seconds, between running periodic tasks

periodic_fuzzy_delay¶

Type:	integer
Default:	60

Range, in seconds, to randomly delay when starting the periodic task OperationEngine to reduce stampeding. (Disable by setting to 0)

osapi_karbor_listen¶

Type:	host address
Default:	0.0.0.0

IP address on which OpenStack Karbor API listens

osapi_karbor_listen_port¶

Type:	port number
Default:	8799
Minimum Value:	0
Maximum Value:	65535

Port on which OpenStack Karbor API listens

osapi_karbor_workers¶

Type:	integer
Default:	<None>

Number of workers for OpenStack Karbor API service. The default is equal to the number of CPUs available.

service_name¶

Type:	string
Default:	<None>

The name of service registered in Keystone

service_type¶

Type:	string
Default:	<None>

The type of service registered in Keystone

version¶

Type:	string
Default:	<None>

The version of service client

region_id¶

Type:	string
Default:	RegionOne

The region id which the service belongs to.

interface¶

Type:	string
Default:	internal

The network interface of the endpoint. Valid values are: public, admin, internal.

ca_cert_file¶

Type:	string
Default:	<None>

Location of the CA certificate file to use for client requests in SSL connections.

auth_insecure¶

Type:	boolean
Default:	false

Bypass verification of server certificate when making SSL connection to service.

cinder_endpoint¶

Type:	string
Default:	<None>

URL of the cinder endpoint.

cinder_catalog_info¶

Type:	string
Default:	volumev3:cinderv3:publicURL

Info to match when looking for cinder in the service catalog. Format is: separated values of the form: <service_type>:<service_name>:<endpoint_type> - Only used if cinder_endpoint is unset

cinder_ca_cert_file¶

Type:	string
Default:	<None>

Location of the CA certificate file to use for client requests in SSL connections.

cinder_auth_insecure¶

Type:	boolean
Default:	false

Bypass verification of server certificate when making SSL connection to Cinder.

auth_uri¶

Type:	string
Default:	u''

Unversioned keystone url in format like http://0.0.0.0:5000.

sqlite_synchronous¶

Type:	boolean
Default:	true

If True, SQLite uses synchronous mode.

Deprecated Variations¶

Group	Name
DEFAULT	sqlite_synchronous

backend¶

Type:	string
Default:	sqlalchemy

The back end to use for the database.

Deprecated Variations¶

Group	Name
DEFAULT	db_backend

connection¶

Type:	string
Default:	<None>

The SQLAlchemy connection string to use to connect to the database.

Deprecated Variations¶

Group	Name
DEFAULT	sql_connection
DATABASE	sql_connection
sql	connection

slave_connection¶

Type:	string
Default:	<None>

The SQLAlchemy connection string to use to connect to the slave database.

mysql_sql_mode¶

Type:	string
Default:	TRADITIONAL

The SQL mode to be used for MySQL sessions. This option, including the default, overrides any server-set SQL mode. To use whatever SQL mode is set by the server configuration, set this to no value. Example: mysql_sql_mode=

mysql_enable_ndb¶

Type:	boolean
Default:	false

If True, transparently enables support for handling MySQL Cluster (NDB).

connection_recycle_time¶

Type:	integer
Default:	3600

Connections which have been present in the connection pool longer than this number of seconds will be replaced with a new one the next time they are checked out from the pool.

Deprecated Variations¶

Group	Name
DATABASE	idle_timeout
database	idle_timeout
DEFAULT	sql_idle_timeout
DATABASE	sql_idle_timeout
sql	idle_timeout

min_pool_size¶

Type:	integer
Default:	1

Minimum number of SQL connections to keep open in a pool.

Deprecated Variations¶

Group	Name
DEFAULT	sql_min_pool_size
DATABASE	sql_min_pool_size

max_pool_size¶

Type:	integer
Default:	5

Maximum number of SQL connections to keep open in a pool. Setting a value of 0 indicates no limit.

Deprecated Variations¶

Group	Name
DEFAULT	sql_max_pool_size
DATABASE	sql_max_pool_size

max_retries¶

Type:	integer
Default:	10

Maximum number of database connection retries during startup. Set to -1 to specify an infinite retry count.

Deprecated Variations¶

Group	Name
DEFAULT	sql_max_retries
DATABASE	sql_max_retries

retry_interval¶

Type:	integer
Default:	10

Interval between retries of opening a SQL connection.

Deprecated Variations¶

Group	Name
DEFAULT	sql_retry_interval
DATABASE	reconnect_interval

max_overflow¶

Type:	integer
Default:	50

If set, use this value for max_overflow with SQLAlchemy.

Deprecated Variations¶

Group	Name
DEFAULT	sql_max_overflow
DATABASE	sqlalchemy_max_overflow

connection_debug¶

Type:	integer
Default:	0
Minimum Value:	0
Maximum Value:	100

Verbosity of SQL debugging information: 0=None, 100=Everything.

Deprecated Variations¶

Group	Name
DEFAULT	sql_connection_debug

connection_trace¶

Type:	boolean
Default:	false

Add Python stack traces to SQL as comment strings.

Deprecated Variations¶

Group	Name
DEFAULT	sql_connection_trace

pool_timeout¶

Type:	integer
Default:	<None>

If set, use this value for pool_timeout with SQLAlchemy.

Deprecated Variations¶

Group	Name
DATABASE	sqlalchemy_pool_timeout

use_db_reconnect¶

Type:	boolean
Default:	false

Enable the experimental use of database reconnect on connection lost.

db_retry_interval¶

Type:	integer
Default:	1

Seconds between retries of a database transaction.

db_inc_retry_interval¶

Type:	boolean
Default:	true

If True, increases the interval between retries of a database operation up to db_max_retry_interval.

db_max_retry_interval¶

Type:	integer
Default:	10

If db_inc_retry_interval is set, the maximum seconds between retries of a database operation.

db_max_retries¶

Type:	integer
Default:	20

Maximum retries in case of connection error or deadlock error before error is raised. Set to -1 to specify an infinite retry count.

service_name¶

Type:	string
Default:	<None>

The name of service registered in Keystone

service_type¶

Type:	string
Default:	<None>

The type of service registered in Keystone

version¶

Type:	string
Default:	<None>

The version of service client

region_id¶

Type:	string
Default:	RegionOne

The region id which the service belongs to.

interface¶

Type:	string
Default:	internal

The network interface of the endpoint. Valid values are: public, admin, internal.

ca_cert_file¶

Type:	string
Default:	<None>

Location of the CA certificate file to use for client requests in SSL connections.

auth_insecure¶

Type:	boolean
Default:	false

Bypass verification of server certificate when making SSL connection to service.

glance_endpoint¶

Type:	string
Default:	<None>

URL of the glance endpoint.

glance_catalog_info¶

Type:	string
Default:	image:glance:publicURL

Info to match when looking for glance in the service catalog. Format is: separated values of the form: <service_type>:<service_name>:<endpoint_type> - Only used if glance_endpoint is unset

glance_ca_cert_file¶

Type:	string
Default:	<None>

Location of the CA certificate file to use for client requests in SSL connections.

glance_auth_insecure¶

Type:	boolean
Default:	false

Bypass verification of server certificate when making SSL connection to Glance.

service_name¶

Type:	string
Default:	<None>

The name of service registered in Keystone

service_type¶

Type:	string
Default:	<None>

The type of service registered in Keystone

version¶

Type:	string
Default:	<None>

The version of service client

region_id¶

Type:	string
Default:	RegionOne

The region id which the service belongs to.

interface¶

Type:	string
Default:	internal

The network interface of the endpoint. Valid values are: public, admin, internal.

ca_cert_file¶

Type:	string
Default:	<None>

Location of the CA certificate file to use for client requests in SSL connections.

auth_insecure¶

Type:	boolean
Default:	false

Bypass verification of server certificate when making SSL connection to service.

www_authenticate_uri¶

Type:	string
Default:	<None>

Complete “public” Identity API endpoint. This endpoint should not be an “admin” endpoint, as it should be accessible by all end users. Unauthenticated clients are redirected to this endpoint to authenticate. Although this endpoint should ideally be unversioned, client support in the wild varies. If you’re using a versioned v2 endpoint here, then this should not be the same endpoint the service user utilizes for validating tokens, because normal end users may not be able to reach that endpoint.

Deprecated Variations¶

Group	Name
keystone_authtoken	auth_uri

auth_uri¶

Type:	string
Default:	<None>

Complete “public” Identity API endpoint. This endpoint should not be an “admin” endpoint, as it should be accessible by all end users. Unauthenticated clients are redirected to this endpoint to authenticate. Although this endpoint should ideally be unversioned, client support in the wild varies. If you’re using a versioned v2 endpoint here, then this should not be the same endpoint the service user utilizes for validating tokens, because normal end users may not be able to reach that endpoint. This option is deprecated in favor of www_authenticate_uri and will be removed in the S release.

Warning

This option is deprecated for removal since Queens. Its value may be silently ignored in the future.

Reason:	The auth_uri option is deprecated in favor of www_authenticate_uri and will be removed in the S release.

auth_version¶

Type:	string
Default:	<None>

API version of the admin Identity API endpoint.

delay_auth_decision¶

Type:	boolean
Default:	false

Do not handle authorization requests within the middleware, but delegate the authorization decision to downstream WSGI components.

http_connect_timeout¶

Type:	integer
Default:	<None>

Request timeout value for communicating with Identity API server.

http_request_max_retries¶

Type:	integer
Default:	3

How many times are we trying to reconnect when communicating with Identity API Server.

cache¶

Type:	string
Default:	<None>

Request environment key where the Swift cache object is stored. When auth_token middleware is deployed with a Swift cache, use this option to have the middleware share a caching backend with swift. Otherwise, use the memcached_servers option instead.

certfile¶

Type:	string
Default:	<None>

Required if identity server requires client certificate

keyfile¶

Type:	string
Default:	<None>

Required if identity server requires client certificate

cafile¶

Type:	string
Default:	<None>

A PEM encoded Certificate Authority to use when verifying HTTPs connections. Defaults to system CAs.

insecure¶

Type:	boolean
Default:	false

Verify HTTPS connections.

region_name¶

Type:	string
Default:	<None>

The region in which the identity server can be found.

signing_dir¶

Type:	string
Default:	<None>

Directory used to cache files related to PKI tokens. This option has been deprecated in the Ocata release and will be removed in the P release.

Warning

This option is deprecated for removal since Ocata. Its value may be silently ignored in the future.

Reason:	PKI token format is no longer supported.

memcached_servers¶

Type:	list
Default:	<None>

Optionally specify a list of memcached server(s) to use for caching. If left undefined, tokens will instead be cached in-process.

Deprecated Variations¶

Group	Name
keystone_authtoken	memcache_servers

token_cache_time¶

Type:	integer
Default:	300

In order to prevent excessive effort spent validating tokens, the middleware caches previously-seen tokens for a configurable duration (in seconds). Set to -1 to disable caching completely.

revocation_cache_time¶

Type:	integer
Default:	10

Determines the frequency at which the list of revoked tokens is retrieved from the Identity service (in seconds). A high number of revocation events combined with a low cache duration may significantly reduce performance. Only valid for PKI tokens. This option has been deprecated in the Ocata release and will be removed in the P release.

Warning

This option is deprecated for removal since Ocata. Its value may be silently ignored in the future.

Reason:	PKI token format is no longer supported.

memcache_security_strategy¶

Type:	string
Default:	None
Valid Values:	None, MAC, ENCRYPT

(Optional) If defined, indicate whether token data should be authenticated or authenticated and encrypted. If MAC, token data is authenticated (with HMAC) in the cache. If ENCRYPT, token data is encrypted and authenticated in the cache. If the value is not one of these options or empty, auth_token will raise an exception on initialization.

memcache_secret_key¶

Type:	string
Default:	<None>

(Optional, mandatory if memcache_security_strategy is defined) This string is used for key derivation.

memcache_pool_dead_retry¶

Type:	integer
Default:	300

(Optional) Number of seconds memcached server is considered dead before it is tried again.

memcache_pool_maxsize¶

Type:	integer
Default:	10

(Optional) Maximum total number of open connections to every memcached server.

memcache_pool_socket_timeout¶

Type:	integer
Default:	3

(Optional) Socket timeout in seconds for communicating with a memcached server.

memcache_pool_unused_timeout¶

Type:	integer
Default:	60

(Optional) Number of seconds a connection to memcached is held unused in the pool before it is closed.

memcache_pool_conn_get_timeout¶

Type:	integer
Default:	10

(Optional) Number of seconds that an operation will wait to get a memcached client connection from the pool.

memcache_use_advanced_pool¶

Type:	boolean
Default:	false

(Optional) Use the advanced (eventlet safe) memcached client pool. The advanced pool will only work under python 2.x.

include_service_catalog¶

Type:	boolean
Default:	true

(Optional) Indicate whether to set the X-Service-Catalog header. If False, middleware will not ask for service catalog on token validation and will not set the X-Service-Catalog header.

enforce_token_bind¶

Type:	string
Default:	permissive

Used to control the use and type of token binding. Can be set to: “disabled” to not check token binding. “permissive” (default) to validate binding information if the bind type is of a form known to the server and ignore it if not. “strict” like “permissive” but if the bind type is unknown the token will be rejected. “required” any form of token binding is needed to be allowed. Finally the name of a binding method that must be present in tokens.

check_revocations_for_cached¶

Type:	boolean
Default:	false

If true, the revocation list will be checked for cached tokens. This requires that PKI tokens are configured on the identity server.

Warning

This option is deprecated for removal since Ocata. Its value may be silently ignored in the future.

Reason:	PKI token format is no longer supported.

hash_algorithms¶

Type:	list
Default:	md5

Hash algorithms to use for hashing PKI tokens. This may be a single algorithm or multiple. The algorithms are those supported by Python standard hashlib.new(). The hashes will be tried in the order given, so put the preferred one first for performance. The result of the first hash will be stored in the cache. This will typically be set to multiple values only while migrating from a less secure algorithm to a more secure one. Once all the old tokens are expired this option should be set to a single value for better performance.

Warning

This option is deprecated for removal since Ocata. Its value may be silently ignored in the future.

Reason:	PKI token format is no longer supported.

service_token_roles¶

Type:	list
Default:	service

A choice of roles that must be present in a service token. Service tokens are allowed to request that an expired token can be used and so this check should tightly control that only actual services should be sending this token. Roles here are applied as an ANY check so any role in this list must be present. For backwards compatibility reasons this currently only affects the allow_expired check.

service_token_roles_required¶

Type:	boolean
Default:	false

For backwards compatibility reasons we must let valid service tokens pass that don’t pass the service_token_roles check as valid. Setting this true will become the default in a future release and should be enabled if possible.

auth_type¶

Type:	unknown type
Default:	<None>

Authentication type to load

Deprecated Variations¶

Group	Name
keystone_authtoken	auth_plugin

auth_section¶

Type:	unknown type
Default:	<None>

Config Section from which to load plugin specific options

service_name¶

Type:	string
Default:	<None>

The name of service registered in Keystone

service_type¶

Type:	string
Default:	<None>

The type of service registered in Keystone

version¶

Type:	string
Default:	<None>

The version of service client

region_id¶

Type:	string
Default:	RegionOne

The region id which the service belongs to.

interface¶

Type:	string
Default:	internal

The network interface of the endpoint. Valid values are: public, admin, internal.

ca_cert_file¶

Type:	string
Default:	<None>

Location of the CA certificate file to use for client requests in SSL connections.

auth_insecure¶

Type:	boolean
Default:	false

Bypass verification of server certificate when making SSL connection to service.

manila_endpoint¶

Type:	string
Default:	<None>

URL of the manila endpoint.

manila_catalog_info¶

Type:	string
Default:	sharev2:manilav2:publicURL

Info to match when looking for manila in the service catalog. Format is: separated values of the form: <service_type>:<service_name>:<endpoint_type> - Only used if manila_endpoint is unset

manila_ca_cert_file¶

Type:	string
Default:	<None>

Location of the CA certificate file to use for client requests in SSL connections.

manila_auth_insecure¶

Type:	boolean
Default:	false

Bypass verification of server certificate when making SSL connection to manila.

service_name¶

Type:	string
Default:	<None>

The name of service registered in Keystone

service_type¶

Type:	string
Default:	<None>

The type of service registered in Keystone

version¶

Type:	string
Default:	<None>

The version of service client

region_id¶

Type:	string
Default:	RegionOne

The region id which the service belongs to.

interface¶

Type:	string
Default:	internal

The network interface of the endpoint. Valid values are: public, admin, internal.

ca_cert_file¶

Type:	string
Default:	<None>

Location of the CA certificate file to use for client requests in SSL connections.

auth_insecure¶

Type:	boolean
Default:	false

Bypass verification of server certificate when making SSL connection to service.

neutron_endpoint¶

Type:	string
Default:	<None>

URL of the neutron endpoint.

neutron_catalog_info¶

Type:	string
Default:	network:neutron:publicURL

Info to match when looking for neutron in the service catalog. Format is: separated values of the form: <service_type>:<service_name>:<endpoint_type> - Only used if neutron_endpoint is unset

neutron_ca_cert_file¶

Type:	string
Default:	<None>

Location of the CA certificate file to use for client requests in SSL connections.

neutron_auth_insecure¶

Type:	boolean
Default:	false

Bypass verification of server certificate when making SSL connection to Neutron.

service_name¶

Type:	string
Default:	<None>

The name of service registered in Keystone

service_type¶

Type:	string
Default:	<None>

The type of service registered in Keystone

version¶

Type:	string
Default:	<None>

The version of service client

region_id¶

Type:	string
Default:	RegionOne

The region id which the service belongs to.

interface¶

Type:	string
Default:	internal

The network interface of the endpoint. Valid values are: public, admin, internal.

ca_cert_file¶

Type:	string
Default:	<None>

Location of the CA certificate file to use for client requests in SSL connections.

auth_insecure¶

Type:	boolean
Default:	false

Bypass verification of server certificate when making SSL connection to service.

nova_endpoint¶

Type:	string
Default:	<None>

URL of the nova endpoint. <endpoint_url>

nova_catalog_info¶

Type:	string
Default:	compute:nova:publicURL

Info to match when looking for nova in the service catalog. Format is: separated values of the form: <service_type>:<service_name>:<endpoint_type> - Only used if nova_endpoint is unset

nova_ca_cert_file¶

Type:	string
Default:	<None>

Location of the CA certificate file to use for client requests in SSL connections.

nova_auth_insecure¶

Type:	boolean
Default:	false

Bypass verification of server certificate when making SSL connection to Nova.

max_concurrent_operations¶

Type:	integer
Default:	0

number of maximum concurrent running operations,0 means no hard limit

executor¶

Type:	string
Default:	green_thread
Valid Values:	thread_pool, green_thread

The name of executor which is used to run operations

disable_process_locking¶

Type:	boolean
Default:	false

Enables or disables inter-process locks.

Deprecated Variations¶

Group	Name
DEFAULT	disable_process_locking

lock_path¶

Type:	string
Default:	<None>

Directory to use for lock files. For security, the specified directory should only be writable by the user running the processes that need locking. Defaults to environment variable OSLO_LOCK_PATH. If external locks are used, a lock path must be set.

Deprecated Variations¶

Group	Name
DEFAULT	lock_path

enforce_scope¶

Type:	boolean
Default:	false

This option controls whether or not to enforce scope when evaluating policies. If True, the scope of the token used in the request is compared to the scope_types of the policy being enforced. If the scopes do not match, an InvalidScope exception will be raised. If False, a message will be logged informing operators that policies are being invoked with mismatching scope.

policy_file¶

Type:	string
Default:	policy.json

The file that defines policies.

Deprecated Variations¶

Group	Name
DEFAULT	policy_file

policy_default_rule¶

Type:	string
Default:	default

Default rule. Enforced when a requested rule is not found.

Deprecated Variations¶

Group	Name
DEFAULT	policy_default_rule

policy_dirs¶

Type:	multi-valued
Default:	policy.d

Directories where policy configuration files are stored. They can be relative to any directory in the search path defined by the config_dir option, or absolute paths. The file defined by policy_file must exist for these directories to be searched. Missing or empty directories are ignored.

Deprecated Variations¶

Group	Name
DEFAULT	policy_dirs

remote_content_type¶

Type:	string
Default:	application/x-www-form-urlencoded
Valid Values:	application/x-www-form-urlencoded, application/json

Content Type to send and receive data for REST based policy check

remote_ssl_verify_server_crt¶

Type:	boolean
Default:	false

server identity verification for REST based policy check

remote_ssl_ca_crt_file¶

Type:	string
Default:	<None>

Absolute path to ca cert file for REST based policy check

remote_ssl_client_crt_file¶

Type:	string
Default:	<None>

Absolute path to client cert for REST based policy check

remote_ssl_client_key_file¶

Type:	string
Default:	<None>

Absolute path client key file REST based policy check