Skip to content
Permalink
Branch: master
Find file Copy path
Find file Copy path
Fetching contributors…
Cannot retrieve contributors at this time
447 lines (411 sloc) 18.2 KB
# =========================
# Pulp Server Configuration
# =========================
# The settings in this file are all commented by default, and the commented settings show the
# default values that Pulp Server will choose if not specified here.
# -- Common Configuration -----------------------------------------------------
# = Database =
#
# Controls the behavior of MongoDB under Pulp's usage.
#
# Authentication - If the username and the password keys have values provided,
# the pulp server will attempt to authenticate to the MongoDB server. The
# username and password provided here will be used to authenticate with the
# database specified in the name field.
#
# Replica Sets - If more than one seed is provided, a connection will be attempted to each seed
# until a connection is made. When multiple seeds are provided, the 'replica_set' value must also
# be specified.
#
# name: name of the database to use
# seeds: comma-separated list of hostname:port of database replica seed hosts
# username: The user name to use for authenticating to the MongoDB server
# password: The password to use for authenticating to the MongoDB server
# replica_set: uncomment and set this value to the name of replica set configured in MongoDB,
# if one is in use
# ssl: If True, create the connection to the server using SSL.
# ssl_keyfile: A path to the private keyfile used to identify the local connection against
# mongod. If included with the certfile then only the ssl_certfile is needed.
# ssl_certfile: The certificate file used to identify the local connection against mongod.
# verify_ssl: Specifies whether a certificate is required from the other side of the
# connection, and whether it will be validated if provided. If it is true, then
# the ca_cert parameter must point to a file of CA certificates used to
# validate the connection.
# ca_path: The ca_certs file contains a set of concatenated “certification authority”
# certificates, which are used to validate certificates passed from the other end
# of the connection.
# unsafe_autoretry: If true, retry commands to the database if there is a connection error.
# Warning: if set to true, this setting can result in duplicate records.
# write_concern: Write concern of 'majority' or 'all'. When 'all' is specified, 'w' is set to
# number of seeds specified. For version of MongoDB < 2.6, replica_set must also
# be specified. Please note that 'all' will cause Pulp to halt if any of the
# replica set members is not available. 'majority' is used by defau
[database]
name: <%= scope['pulp::db_name'] %>
seeds: <%= scope['pulp::db_seeds'] %>
<%# Auth is currently only working on mongo >= 2.6 -%>
<% unless [nil, :undefined, :undef, ''].include?(scope.lookupvar('pulp::db_username')) -%>
username: <%= scope['pulp::db_username'] %>
<% end -%>
<% unless [nil, :undefined, :undef, ''].include?(scope.lookupvar('pulp::db_password')) -%>
password: <%= scope['pulp::db_password'] %>
<% end -%>
<% unless [nil, :undefined, :undef, ''].include?(scope.lookupvar('pulp::db_replica_set')) -%>
replica_set: <%= scope['pulp::db_replica_set'] %>
<% end -%>
ssl: <%= scope['pulp::db_ssl'] %>
<% if scope['pulp::db_ssl'] -%>
<% unless [nil, :undefined, :undef, ''].include?(scope.lookupvar('pulp::db_ssl_keyfile')) -%>
ssl_keyfile: <%= scope['pulp::db_ssl_keyfile'] %>
<% end -%>
ssl_certfile: <%= scope['pulp::db_ssl_certfile'] %>
verify_ssl: <%= scope['pulp::db_verify_ssl'] %>
ca_path: <%= scope['pulp::db_ca_path'] %>
<% end -%>
unsafe_autoretry: <%= scope['pulp::db_unsafe_autoretry'] %>
<% unless [nil, :undefined, :undef, ''].include?(scope.lookupvar('pulp::db_write_concern'))-%>
write_concern: <%= scope['pulp::db_write_concern'] %>
<% end -%>
# = Server =
#
# Controls general Pulp web server behavior.
#
# server_name: hostname the admin client and consumers should use when accessing
# the server; if not specified, this defaults to the server's fully qualified
# domain name (FQDN)
# default_login: default admin username of the Pulp server; this user will be
# the first time the server is started
# default_password: default password for admin when it is first created; this
# should be changed once the server is operational
# debugging_mode: boolean; toggles Pulp's debugging capabilities
# log_level: The desired logging level. Options are: CRITICAL, ERROR, WARNING, INFO, DEBUG,
# and NOTSET. Pulp will default to INFO.
# working_directory:path to where pulp workers can create working directories needed to complete tasks
[server]
server_name: <%= scope['pulp::server_name'] %>
key_url: <%= scope['pulp::key_url'] %>
ks_url: <%= scope['pulp::ks_url'] %>
default_login: <%= scope['pulp::default_login'] %>
default_password: <%= scope['pulp::default_password'] %>
debugging_mode: <%= scope['pulp::debugging_mode'] %>
log_level: <%= scope['pulp::log_level'] %>
log_type: <%= scope['pulp::log_type'] %>
<% unless [nil, :undefined, :undef, ''].include?(scope.lookupvar('pulp::server_working_directory')) -%>
working_directory: <%= scope['pulp::server_working_directory'] %>
<% end -%>
# = Authentication =
#
# Keys used for message authentication.
#
# rsa_key:
# The RSA private key used for authentication.
# rsa_pub:
# The RSA public key used for authentication.
[authentication]
rsa_key = <%= scope['pulp::rsa_key'] %>
rsa_pub = <%= scope['pulp::rsa_pub'] %>
# = Security =
#
# Controls aspects of the Pulp web server security.
#
# For production installations, it is recommended that a new CA certificate be
# generated for the signing of user and consumer certificates and configured
# using the following properties.
#
# cacert: full path to the CA certificate that will be used to sign consumer
# and admin identification certificates; this must match the value of
# SSLCACertificateFile in /etc/httpd/conf.d/pulp.conf
# Deprecated! - Please note that both cacert and cakey settings will be
# removed in the next major release since Pulp will not sign certificates.
# However, Pulp will continue to support client certificates generated
# by users through Apache and pulp-admin.
#
# cakey: path to the private key for the above CA certificate
#
# ssl_ca_certificate: full path to the CA certificate used to sign the Pulp
# server's SSL certificate; consumers will use this to verify the
# Pulp server's SSL certificate during the SSL handshake
# Deprecated! - Please note that this setting will be removed in the next
# major release and will be replaced by a setting in the consumer.conf file
# that will allow the user to specify a directory path containing certificates.
#
# user_cert_expiration: number of days a user certificate is valid
#
# consumer_cert_expiration: number of days a consumer certificate is valid
#
[security]
cacert: <%= scope['pulp::ca_cert'] %>
cakey: <%= scope['pulp::ca_key'] %>
ssl_ca_certificate: <%= scope['pulp::ca_cert'] %>
user_cert_expiration: <%= scope['pulp::user_cert_expiration'] %>
consumer_cert_expiration: <%= scope['pulp::consumer_cert_expiration'] %>
serial_number_path: <%= scope['pulp::serial_number_path'] %>
# -- Advanced Configuration ---------------------------------------------------
# = Consumer History =
#
# Controls the storage of recorded consumer events.
#
# lifetime: number of days to store consumer events; events older
# than this will be purged; set to -1 to disable
[consumer_history]
lifetime: <%= scope['pulp::consumer_history_lifetime'] %>
# = Data Reaping =
#
# Controls the frequency in which reporting data is automatically removed from
# the database. Database entries that exceed the given thresholds will be
# deleted from the database when the reaper runs.
#
# reaper_interval: float; time in days between checks for old data in
# the database
#
# consumer_history: float; time in days to store consumer history events
#
# repo_sync_history: float; time in days to store repository sync history events
#
# repo_publish_history: float; time in days to store repository publish history
# events
#
# repo_group_publish_history: float; time in days to store repository group
# publish history events
#
# task_status_history: float; time in days to store task status history in the db
# task_result_history: float; time in days to store task results history
[data_reaping]
reaper_interval: 0.25
archived_calls: 0.5
consumer_history: 60
repo_sync_history: 60
repo_publish_history: 60
repo_group_publish_history: 60
task_status_history: 7
task_result_history: 3
# = LDAP =
#
# Uncomment the below section with appropriate values to use an external LDAP
# server for user authentication.
#
# enabled: boolean; controls whether or not LDAP authentication is enabled
#
# uri: url of LDAP server
#
# base: location in the directory from which the LDAP search begins
#
# tls: boolean; controls whether or not to use TLS security
#
# default_role: Id of the role to assign LDAP users to by default. This is
# optional. This role must first be created on the Pulp server. If
# default_role is not set or doesn't exist, LDAP users are given same
# default permissions as local users.
#
# filter: directive to set more restrictive LDAP filter to limit the LDAP
# users who can authenticate to Pulp
# Deprecated! Please use apache's mod_authnz_ldap to do preauthentication. See
# pulp's user guide for details.
# [ldap]
# enabled: true # are you sure? This has been deprecated.
# uri: ldap://localhost
# base: dc=localhost
# tls: no
# default_role: <role-id>
# filter: (gidNumber=200)
# = OAuth =
#
# Uncomment the below section with appropriate values to use OAuth
# authentication.
#
# enabled: boolean; controls whether OAuth authentication is enabled
#
# oauth_key: string; key to enable OAuth style authentication
#
# oauth_secret: string; shared secret that can be used for OAuth style
# authentication
[oauth]
enabled: <%= scope['pulp::oauth_enabled'] %>
oauth_key: <%= scope['pulp::oauth_key'] %>
oauth_secret: <%= scope['pulp::oauth_secret'] %>
# = Messaging =
#
# Controls Pulp's configuration of broker settings for communicating to the Consumer Agent.
#
# url: the url used to contact the broker. This setting uses the form:
#
# <protocol>://<host>:<port>/<virtual-host>
#
# Or to use a username and password:
#
# <protocol>://<user>:<password>@<host>:<port>/<virtual-host>
#
# Supported <protocol> values are 'tcp' or 'ssl' depending on if SSL should be used or not.
# The <virtual-host> is optional, and is only applicable to RabbitMQ broker environments.
#
# The default broker string is 'tcp://localhost:5672'.
#
# transport: The type of broker you are connecting to. The default is 'qpid'. For RabbitMQ,
# 'rabbitmq' should be used.
#
# cacert: Absolute path to PEM encoded CA certificate file, used by Pulp to validate the identity
# of the broker using SSL. The default is '/etc/pki/qpid/ca/ca.crt'.
#
# clientcert: Absolute path to PEM encoded file containing both the private key and
# certificate Pulp should present to the broker to be authenticated by the broker. The default
# is '/etc/pki/qpid/client/client.pem'.
#
# auth_enabled:
# Message authentication enabled flag. The default is 'true' which enables authentication.
# To disable authentication, use 'false'.
#
# topic_exchange: The name of the exchange to use. The exchange must be a topic exchange. The
# default is 'amq.topic', which is a default exchange that is guaranteed to exist on a Qpid
# broker. This setting is a string, and therefore includes the single quotes.
#
# event_notifications_enabled:
# Enables or disables Pulp event notfications on the message bus. Defaults to 'false'.
#
# event_notification_url:
# The AMQP URL for event notifications. Defaults to 'qpid://localhost:5672/'.
[messaging]
url: <%= scope['pulp::messaging_url'] %>
transport: <%= scope['pulp::messaging_transport'] %>
auth_enabled: <%= scope['pulp::messaging_auth_enabled'] %>
<% unless [nil, :undefined, :undef, ''].include?(scope.lookupvar('pulp::messaging_ca_cert')) -%>
cacert: <%= scope['pulp::messaging_ca_cert'] %>
<% end -%>
<% unless [nil, :undefined, :undef, ''].include?(scope.lookupvar('pulp::messaging_client_cert')) -%>
clientcert: <%= scope['pulp::messaging_client_cert'] %>
<% end -%>
topic_exchange: '<%= scope['pulp::messaging_topic_exchange'] %>'
event_notifications_enabled: <%= scope['pulp::messaging_event_notifications_enabled'] %>
<% unless [nil, :undefined, :undef, ''].include?(scope.lookupvar('pulp::messaging_event_notification_url')) -%>
event_notification_url: <%= scope['pulp::messaging_event_notification_url'] %>
<% end -%>
# = Asynchronous Tasks =
#
# Controls Pulp's Celery settings. These settings are used by the Pulp Server and Pulp Workers to
# perform asynchronous, server-side task work such as syncing, publishing, or deletion of content.
# Communication between these different components occurs through the broker.
#
# broker_url: A URL to a broker that Celery can use to queue tasks. For example, to configure
# Celery with a Qpid backend, set broker_url to:
#
# qpid://<username>:<password>@<hostname>:<port>/
#
# For RabbitMQ you can use the following broker_url style:
#
# amqp://<username>:<password>@<hostname>:<port>/<vhost>
#
# celery_require_ssl: Require SSL if set to 'true', otherwise do not require SSL. The default is
# 'false'.
#
# cacert: The absolute path to the PEM encoded CA Certificate allowing identity validation of the
# message bus. The default is '/etc/pki/pulp/qpid/ca.crt'.
#
# keyfile: The absolute path to the keyfile used for authentication to the message bus. This is the
# private key that corresponds with the certificate. The default value is
# '/etc/pki/pulp/qpid/client.crt'. Sometimes the key is kept in the same file as the
# certificate it corresponds with, and the default assumes this is the case.
#
# certfile: The absolute path to the PEM encoded certificate used for authentication to the message
# bus. The default value is '/etc/pki/pulp/qpid/client.crt'.
#
# login_method: Select the SASL login method used to connect to the broker. This should be left
# unset except in special cases such as SSL client certificate authentication.
# worker_timeout: The amount of time (in seconds) before considering a worker as missing. If Pulp's
# mongo database has slow I/O, then setting a higher number may resolve issues where workers are
# going missing incorrectly. Defaults to 30.
[tasks]
broker_url: <%= scope['pulp::broker_url'] %>
celery_require_ssl: <%= scope['pulp::broker_use_ssl'] %>
<% unless [nil, :undefined, :undef, ''].include?(scope.lookupvar('pulp::messaging_ca_cert')) -%>
cacert: <%= scope['pulp::messaging_ca_cert'] %>
<% end -%>
<% unless [nil, :undefined, :undef, ''].include?(scope.lookupvar('pulp::messaging_client_cert')) -%>
keyfile: <%= scope['pulp::messaging_client_cert'] %>
certfile: <%= scope['pulp::messaging_client_cert'] %>
<% end -%>
<% unless [nil, :undefined, :undef, ''].include?(scope.lookupvar('pulp::tasks_login_method')) -%>
login_method: <%= scope['pulp::tasks_login_method'] %>
<% end -%>
worker_timeout: <%= scope['pulp::worker_timeout'] %>
# = Email =
#
# Settings that allow the system to send email. It is recommended that
# the system relay through a local MTA on the machine. Pulp does not retry in
# case of error, so it is important to have a real MTA available locally.
#
# If there is a need to test email sending, it is recommended to run this:
# $ python -m smtpd -n -c DebuggingServer localhost:1025
# which will write each message to stdout.
#
# host: host name of the MTA pulp should relay through
#
# port: destination port to connect on
#
# from: the "From" address of each email the system sends
#
# enabled: boolean controls whether or not emails will be sent
[email]
host: <%= scope['pulp::email_host'] %>
port: <%= scope['pulp::email_port'] %>
from: <%= scope['pulp::email_from'] %>
enabled: <%= scope['pulp::email_enabled'] %>
# = Lazy =
#
# Settings for lazy content loading.
#
# enabled:
# This controls whether redirect is enabled
#
# redirect_host:
# The host FQDN or IP to which requests are redirected.
#
# redirect_port:
# The TCP port to which requests are redirected
#
# redirect_path:
# The base path to which requests are redirected
#
# https_retrieval:
# boolean; controls whether Pulp uses HTTPS or HTTP to
# retrieve content from the streamer.
# WARNING: Setting this to 'false' is not safe if you wish
# to use Pulp to provide repository entitlement
# enforcement. It is strongly recommended to keep
# this set to 'true' and use certificates that are
# signed by a trusted authority on the web server
# that serves as the streamer reverse proxy.
#
# download_interval:
# The interval in minutes between checks for content cached
# by the Squid proxy.
#
# download_concurrency:
# The number of downloads to perform concurrently when
# downloading content from the Squid cache.
[lazy]
<% unless [nil, :undefined, :undef, ''].include?(scope.lookupvar('pulp::lazy_redirect_host')) -%>
redirect_host: <%= scope['pulp::lazy_redirect_host'] %>
<% end -%>
<% unless [nil, :undefined, :undef, ''].include?(scope.lookupvar('pulp::lazy_redirect_port')) -%>
redirect_port: <%= scope['pulp::lazy_redirect_port'] %>
<% end -%>
<% unless [nil, :undefined, :undef, ''].include?(scope.lookupvar('pulp::lazy_redirect_path')) -%>
redirect_path: <%= scope['pulp::lazy_redirect_path'] %>
<% end -%>
https_retrieval: <%= scope['pulp::lazy_https_retrieval'] %>
download_interval: <%= scope['pulp::lazy_download_interval'] %>
download_concurrency: <%= scope['pulp::lazy_download_concurrency'] %>
# = Profiling =
#
# Settings for profiling Pulp tasks
#
# enabled:
# This enables the cProfile Python module to profile individual tasks and
# store the output by task ID in a directory. Note that enabling this can
# impact performance.
#
# profile_directory:
# The directory that the cProfiles are stored in. This directory must be
# writeable and readable by Pulp.
[profiling]
enabled: <%= scope['pulp::enable_profiling'] %>
directory: <%= scope['pulp::profiling_directory'] %>
You can’t perform that action at this time.