Keyboard shortcuts

Press or to navigate between chapters

Press S or / to search in the book

Press ? to show this help

Press Esc to hide this help

Section DEFAULT

Supported keywords:

  • access
  • alt_names
  • app
  • bits
  • c
  • ca
  • children
  • cn
  • comment
  • comp_schedule
  • create_pg
  • devices_from
  • disable
  • drpnodes
  • email
  • encapnodes
  • env
  • flex_max
  • flex_min
  • flex_primary
  • flex_target
  • grant
  • hard_affinity
  • hard_anti_affinity
  • id
  • l
  • monitor_action
  • monitor_schedule
  • nodes
  • o
  • orchestrate
  • ou
  • parents
  • pg_blkio_weight
  • pg_cpu_quota
  • pg_cpu_shares
  • pg_cpus
  • pg_mem_limit
  • pg_mem_oom_control
  • pg_mem_swappiness
  • pg_mems
  • pg_vmem_limit
  • placement
  • pool
  • pre_monitor_action
  • priority
  • provision
  • provision_timeout
  • resinfo_schedule
  • rollback
  • run_schedule
  • share
  • shared
  • size
  • soft_affinity
  • soft_anti_affinity
  • st
  • start_timeout
  • stat_timeout
  • status_schedule
  • status_timeout
  • stonith
  • stop_timeout
  • sync_schedule
  • sync_timeout
  • timeout
  • topology
  • type
  • unprovision
  • unprovision_timeout
  • validity

Keyword access

required:    false
scopable:    true
candidates:  rwo, roo, rwx, rox
default:     rwo

Description:

The access mode of the volume.

  • rwo is Read Write Once
  • roo is Read Only Once
  • rwx is Read Write Many
  • rox is Read Only Many

rox and rwx modes are served by flex volume services.

Keyword alt_names

required:    false
scopable:    true
convert:     list

Example:

alt_names=www.opensvc.com opensvc.com

Description:

Certificate Signing Request Alternative Domain Names.

Keyword app

required:    false
scopable:    false
default:     default

Description:

A user-defined code linking to:

  • who is responsible for this service.
  • who is billable.

This code thus provides a most useful object grouping and filtering key.

Short and simple codes, like ERP, are easier to work with.

Keyword bits

required:    false
scopable:    true
default:     4kib
convert:     size

Example:

bits=8192

Description:

Certificate Private Key Length.

Keyword c

required:    false
scopable:    true

Example:

c=FR

Description:

Certificate Signing Request Country.

Keyword ca

required:    false
scopable:    true

Example:

ca=ca

Description:

The name of secret containing a certificate to use as a Certificate Authority. This secret must be in the same namespace.

Keyword children

required:    false
scopable:    false
convert:     listlowercase

Description:

The list of services or instances expressed as <path>[@<nodename>] that must be down or stdby up to allow this service to be stopped by the daemon.

The list is whitespace-separated.

Keyword cn

required:    false
scopable:    true

Example:

cn=test.opensvc.com

Description:

Certificate Signing Request Common Name.

Keyword comment

required:    false
scopable:    false

Description:

Comments help the users understand the role of the object and its resources.

Keyword comp_schedule

required:    false
scopable:    true
default:     ~00:00-06:00

Description:

The instance compliance run schedule.

See usr/share/doc/schedule for the schedule syntax.

Keyword create_pg

required:    false
scopable:    true
default:     true
convert:     bool

Description:

Use process grouping when possible.

If turned on, the agent will create a container group for:

  • the object
  • each resource group (ie, the subset:drivergroup tuple)
  • each resource

A container group allows capping the memory, swap and cpu usage. These cappings can be defined using the pg_* keywords in the DEFAULT, the subset or the resource section.

Keyword devices_from

required:    false
scopable:    false
convert:     list

Description:

The list of resources that contribute their exposed devices to the volume exposed devices.

If not specified, only the last disk contributes.

Keyword disable

required:    false
scopable:    true
convert:     bool

Description:

Disables the object instance, which has the following effects:

  • The instance status and the status of all its resource is n/a.
  • Stop and start actions have no effect, and not produce error.
  • Disabled resources are not enabled when DEFAULT.disable=false.

Keyword drpnodes

required:    false
scopable:    true
convert:     peers

Example:

drpnodes=n1 n2

Description:

A node selector expression specifying the list of cluster nodes hosting object instances when all primary nodes are unavailable, like in a DRP situation.

If not specified or left empty, the node evaluating the keyword is assumed to be the only instance hosting node.

Labels can be used to define a list of nodes by an arbitrary property. For example cn=fr cn=kr would be evaluated as n1 n2 n3 if n1 and n2 have the cn=fr label and n3 has the cn=kr label.

The glob syntax can be used in the node selector expression. For example n1 n[23] n4* would be expanded to n1 n2 n3 n4 in a n1 n2 n3 n4 n5 cluster.

The drpnodes can be data synchronization targets for sync resources.

Keyword email

required:    false
scopable:    true

Example:

email=test@opensvc.com

Description:

Certificate Signing Request Email.

Keyword encapnodes

required:    false
scopable:    false
convert:     list

Example:

encapnodes=n1 n2

Description:

A node selector expression specifying the list of cluster nodes hosting object encapsulated instances.

An object with container resources can have resources managed by OpensSVC agents deployed in these containers. These encapsulated agents form an encapsulated cluster, usually a single node cluster for a failover service.

For example a test/svc/s1 failover service, with a container#0 resource managing a e1 lxc host, can define encapnodes = e1. A app#1 resource with encap = true is then managed by the OpenSVC agent in e1.

Keyword env

required:    false
scopable:    false

Default:

The same as the node env.

Description:

A code like PRD, DEV, etc… the agent can use to enforce data protection policies:

  • A non-PRD object instance can not be started on a PRD node
  • A PRD object instance can be started on a non-PRD node (typically in a DRP situation)

The default value is read from the node env keyword.

Keyword flex_max

required:    false
scopable:    false
depends:     topology=flex
default:     {#nodes}
convert:     int

Default:

The number of elements in nodes.

Description:

The maximum number of up instances of this object in the cluster. Above this number the aggregated object status is degraded to warn.

The 0 value is interpreted as unlimited.

Keyword flex_min

required:    false
scopable:    false
depends:     topology=flex
default:     1
convert:     int

Description:

The minimum number of up instances of this object in the cluster. Below this number the aggregated object status is degraded to warn.

Keyword flex_primary

required:    false
scopable:    true
depends:     topology=flex
convert:     listlowercase

Default:

The first node of nodes.

Description:

The node in charge of syncing the other nodes in a flex object.

Keyword flex_target

required:    false
scopable:    false
depends:     topology=flex
default:     {flex_min}
convert:     int

Default:

The value of flex_min.

Description:

The optimal number of up instances of the object in the cluster. The value must be between flex_min and flex_max.

If orchestrate=ha, the daemon is free to take action to reach the flex_target.

Keyword grant

required:    false
scopable:    true
convert:     listlowercase

Example:

grant=admin:test* guest:*

Description:

Grant roles to the user.

A whitespace-separated list of pervasives role or per-namespace roles.

Pervasive roles:

  • root

    Add resource triggers, non-containerized resources (non-root users can only add container.docker, container.podman task.docker, task.podman and volume)

  • squatter

    Create a new namespace.

  • prioritizer

    Set the priority keyword of an object.

  • blacklistadmin

    Clear the blacklist of daemon listeners clients.

  • <per-namespace role>:<namespace selector>

Per-namespace roles:

  • admin

    Create, delete objects in the namespace.

  • operator

    Start, stop, provision, unprovision, freeze, unfreeze objects in the namespace.

  • guest

    List and read configuration and status of the objects in the namespace.

A namespace selector is a glob pattern applied to existing namespaces.

Keyword hard_affinity

required:    false
scopable:    false
convert:     listlowercase

Example:

hard_affinity=svc1 svc2

Description:

A whitespace separated list of object paths.

These objects must be started on the local node to allow the local monitor to start an instance of the service.

Keyword hard_anti_affinity

required:    false
scopable:    false
convert:     listlowercase

Example:

hard_anti_affinity=svc1 svc2

Description:

A whitespace separated list of object paths.

These object must not be started on the local node to allow the local monitor to start an instance of the object.

Keyword id

required:    false
scopable:    false

Default:

A random generated UUID.

Description:

A rfc4122 random uuid generated by the agent.

Keyword l

required:    false
scopable:    true

Example:

l=Gouvieux

Description:

Certificate Signing Request Location.

Keyword monitor_action

required:    false
scopable:    true
candidates:  crash, freezestop, none, reboot, switch
default:     none
convert:     list

Example:

monitor_action=reboot

Description:

The action to trigger when a monitored resource is no longer in the “up” or “standby up” state, and all restart attempts for the resource have failed.

The reboot and crash monitor actions do not attempt to cleanly stop any processes. On Linux, they utilize system-level sysrq triggers.

This behavior is designed to ensure that the host stops writing to shared disks as quickly as possible, minimizing the risk of data corruption. This is critical because a failover node is likely preparing to write to the same shared disks.

You can append a fallback monitor action to this keyword. A common example is freezestop reboot. In this case, the reboot action will be executed if the stop fails or times out.

Other monitor_actions values:

  • none: Is the No Operation monitor action (the default value).
  • freezestop: freeze and subsequently stop the monitored instance.
  • switch: try monitored instance stop to allow any other cluster nodes to takeover the instance.

Keyword monitor_schedule

required:    false
scopable:    true
default:     @1m

Description:

The instance monitored resources status evaluation schedule.

See usr/share/doc/schedule for the schedule syntax.

Keyword nodes

required:    false
scopable:    true
default:     *
convert:     nodes

Description:

A node selector expression specifying the list of cluster nodes hosting object instances.

If not specified or left empty, the node evaluating the keyword is assumed to be the only instance hosting node.

Labels can be used to define a list of nodes by an arbitrary property. For example cn=fr cn=kr would be evaluated as n1 n2 n3 if n1 and n2 have the cn=fr label and n3 has the cn=kr label.

The glob syntax can be used in the node selector expression. For example n1 n[23] n4* would be expanded to n1 n2 n3 n4 in a n1 n2 n3 n4 n5 cluster.

Keyword o

required:    false
scopable:    true

Example:

o=OpenSVC

Description:

Certificate Signing Request Organization.

Keyword orchestrate

required:    false
scopable:    false
candidates:  no, ha, start
default:     no

Description:

Orchestrate defines how the daemon will manage the service.

  • no The daemon does not try to keep the service up. On boot, the service won’t be started.

    The daemon does not try to reach the flex_target number of up instances for flex services.

  • start Services with topology=failover won’t failover automatically only if the target instance is the natural placement leader. Which means the service is started when its primary node reboots, if it does not run elsewhere already.

    The daemon does not try to reach the flex_target number of up instances for flex services.

  • ha Services with topology=failover failover automatically.

    The daemon tries to reach the flex_target number of up instances for flex services.

The resource restart policy is not affected by the orchestrate value.

Keyword ou

required:    false
scopable:    true

Example:

ou=Lab

Description:

Certificate Signing Request Organizational Unit.

Keyword parents

required:    false
scopable:    false
convert:     listlowercase

Description:

The list of services or instances expressed as <path>[@<nodename>] that must be up to allow this service to be started by the daemon.

The list is whitespace-separated.

Keyword pg_blkio_weight

required:    false
scopable:    true

Example:

pg_blkio_weight=50

Description:

Block IO relative weight. Value: between 10 and 1000.

The kernel default is 1000.

Keyword pg_cpu_quota

required:    false
scopable:    true

Example:

pg_cpu_quota=50%@all

Description:

The kernel default value is used, which usually is 1024 shares.

In a cpu-bound situation, this setting ensures the service does not use more than its share of cpu resource. The actual percentile depends on shares allowed to other services.

Keyword pg_cpu_shares

required:    false
scopable:    true
convert:     size

Example:

pg_cpu_shares=512

Description:

The kernel default value is used, which usually is 1024 shares.

In a cpu-bound situation, this setting ensures the service does not use more than its share of cpu resource. The actual percentile depends on shares allowed to other services.

Keyword pg_cpus

required:    false
scopable:    true
depends:     create_pg=true

Example:

pg_cpus=0-2

Description:

Allow service process to bind only the specified cpus.

Cpus are specified as list or range : 0,1,2 or 0-2.

Keyword pg_mem_limit

required:    false
scopable:    true
convert:     size

Example:

pg_mem_limit=512m

Description:

Ensures the service does not use more than specified memory (in bytes).

The Out-Of-Memory killer is triggered in case of tresspassing.

Keyword pg_mem_oom_control

required:    false
scopable:    true

Example:

pg_mem_oom_control=1

Description:

A flag (0 or 1) that enables or disables the Out of Memory killer for the processes of the group.

  • If enabled (0), tasks that attempt to consume more memory than they are allowed are immediately killed by the OOM killer.
  • If disabled (1), tasks are allowed to continue to try allocating memory, stressing the system.

The OOM killer is enabled by default in every cgroup using the memory controller.

Keyword pg_mem_swappiness

required:    false
scopable:    true

Example:

pg_mem_swappiness=40

Description:

Set a swappiness percentile value for the process group.

Keyword pg_mems

required:    false
scopable:    true

Example:

pg_mems=0-2

Description:

Allow service process to bind only the specified memory nodes.

Memory nodes are specified as list or range : 0,1,2 or 0-2.

Keyword pg_vmem_limit

required:    false
scopable:    true
convert:     size

Example:

pg_vmem_limit=1g

Description:

Ensures the service does not use more than specified memory+swap (in bytes).

The Out-Of-Memory killer is triggered in case of tresspassing. The specified value must be greater than pg_mem_limit.

Keyword placement

required:    false
scopable:    false
candidates:  , none, nodes order, last start, load avg, shift, spread, score
default:     nodes order

Description:

Set a service instances placement policy:

  • none

    No placement policy. a policy for dummy, observe-only, services.

  • nodes order

    The left-most available node is allowed to start a service instance when necessary.

  • last start

    The preferred instances is the one started last.

  • load avg

    The least loaded node takes precedences.

  • shift

    Shift the nodes order ranking by the service prefix converter to an integer.

  • spread

    A spread policy tends to perfect leveling with many services.

  • score

    The highest scoring node takes precedence (the score is a composite indice of load, mem and swap).

Keyword pool

required:    false
scopable:    true

Description:

The name of the pool this volume was allocated from.

Keyword pre_monitor_action

required:    false
scopable:    true

Example:

pre_monitor_action=/bin/true

Description:

A callout to execute before the monitor_action.

For example, if monitor_action = freezestop, a pre_monitor_action script may decide to crash the server if it detects a situation were freezestop can not succeed (for example, a fs can not be umounted due to an unresponsive storage array).

Keyword priority

required:    false
scopable:    false
default:     50
convert:     int

Description:

When the daemon has so many actions to submit in parallel that the node.max_parallel limit is reached, this priority is used to determine which service are served first.

The priority is an just an number used as a sort key. The smaller the number, the higher the priority.

The priority setting is dropped from a service configuration injected via the api by a user not having the prioritizer grant.

Keyword provision

required:    false
scopable:    true
default:     true
convert:     bool

Description:

Set in the default section, provision=false cancels the instance provision action before looping over the resources. In this case, the action returns an error.

This acts like a glass the user has to break to access the provision button.

Keyword provision_timeout

required:    false
scopable:    true
convert:     duration

Example:

provision_timeout=1m30s

Description:

Wait for <duration> before declaring the action a failure.

Takes precedence over timeout.

Keyword resinfo_schedule

required:    false
scopable:    true
default:     @60m

Description:

The instance key-val table emit schedule.

See usr/share/doc/schedule for the schedule syntax.

Keyword rollback

required:    false
scopable:    true
default:     true
convert:     bool

Description:

If set to false, the default rollback on start action error behaviour is disabled, leaving the instance in its half-started state (avail warn).

The daemon then refuses to failover a service if any instance is in warn availabity state. It is highly recommended to not use rollback=false if orchestrate=ha.

Keyword run_schedule

required:    false
scopable:    true

Description:

The instance tasks run action default schedule.

See usr/share/doc/schedule for the schedule syntax.

Keyword share

required:    false
scopable:    false
default:     {namespace}
convert:     list

Example:

share=ns1 ns2

Description:

A list of namespaces that objects are allowed to decode this key-value store keys.

The * special value means all.

By default a key-value store only shares to its own namespace.

Keyword shared

required:    false
scopable:    true
default:     true
convert:     bool

Description:

If true, the resource will be considered shared during provision and unprovision actions.

A shared resource driver can implement a different behaviour depending on weither it is run from the leader instance, or not:

  • When --leader is set, the driver creates and configures the system objects. For example the disk.disk driver allocates a SAN disk and discover its block devices.

  • When --leader is not set, the driver does not redo the actions already done by the leader, but may do some. For example, the disk.disk driver skips the SAN disk allocation, but discovers the block devices.

The daemon takes care of setting the --leader flags on the commands it submits during deploy, purge, provision and unprovision orchestrations.

Warning: If admins want to submit --local provision or unprovision commands themselves, they have to set the --leader flag correctly.

Flex objects usually don’t use shared resources. But if they do, only the flex primary gets --leader commands.

Keyword size

required:    false
scopable:    true
convert:     size

Description:

The size used by this volume in its pool.

Keyword soft_affinity

required:    false
scopable:    false
convert:     listlowercase

Example:

soft_affinity=svc1 svc2

Description:

A whitespace separated list of services that must be started on the node to allow the monitor to start this service.

If the local node is the only candidate ignore this constraint and allow start.

Keyword soft_anti_affinity

required:    false
scopable:    false
convert:     listlowercase

Example:

soft_anti_affinity=svc1 svc2

Description:

A whitespace separated list of services that must not be started on the node to allow the monitor to start this service.

If the local node is the only candidate ignore this constraint and allow start.

Keyword st

required:    false
scopable:    true

Example:

st=Oise

Description:

Certificate Signing Request State.

Keyword start_timeout

required:    false
scopable:    true
convert:     duration

Example:

start_timeout=1m30s

Description:

Wait for <duration> before declaring the action a failure.

Takes precedence over timeout.

Keyword stat_timeout

required:    false
scopable:    true
convert:     duration

Description:

The fs resources status evaluation includes a stat syscall test. This keyword defines the maximum wait time for those stat calls to respond.

When expired, the resource status is degraded is to warn, which can trigger a monitor action (reboot or crash the node) if the resource is monitored.

Keyword status_schedule

required:    false
scopable:    true
default:     @10m

Description:

The instance status evaluation schedule.

See usr/share/doc/schedule for the schedule syntax.

Keyword status_timeout

required:    false
scopable:    true
default:     1m
convert:     duration

Example:

status_timeout=10s

Description:

The maximum duration of the instance status evaluation.

For example, the total start action duration is constrained by different timeouts:

  • the start_timeout Limiting the start action duration.

  • the stop_timeout Limiting the start rollback duration triggered by start errors.

  • the status_timeout Limiting the post-start instance status evaluation duration.

Keyword stonith

required:    false
scopable:    false
depends:     topology=failover
default:     false
convert:     bool

Description:

Shoot The Other Node In The Head, aka fence, using a callout.

The callout is triggered after a quorum vote won, when the surviving node is about to start a local instance of a service that was known to be started on a unreachable peer node.

The callout is meant to prevent the peer from writing to shared disks, remote databases, and from responding to clients.

The Fence Agents project is a well known bundle of callout used by many clustering tools.

Keyword stop_timeout

required:    false
scopable:    true
convert:     duration

Example:

stop_timeout=1m30s

Description:

Wait for <duration> before declaring the action a failure.

Takes precedence over timeout.

Keyword sync_schedule

required:    false
scopable:    true
default:     04:00-06:00

Description:

The instance sync default schedule.

See usr/share/doc/schedule for the schedule syntax.

Keyword sync_timeout

required:    false
scopable:    true
convert:     duration

Example:

sync_timeout=1m30s

Description:

Wait for <duration> before declaring the action a failure.

Takes precedence over timeout.

Keyword timeout

required:    false
scopable:    true
default:     1h
convert:     duration

Example:

timeout=2h

Description:

Wait for <duration> before declaring a state-changing action a failure.

A per-action <action>_timeout can override this value.

Keyword topology

required:    false
scopable:    false
candidates:  failover, flex
default:     failover

Description:

  • failover

    The service is allowed to be up on one node at a time.

  • flex

    The service can be up on flex_target nodes, where flex_target must be in the [flex_min, flex_max] range.

Keyword type

required:    false
scopable:    false

Description:

The resource driver name.

Keyword unprovision

required:    false
scopable:    true
default:     true
convert:     bool

Description:

Set in the default section, unprovision=false cancels the instance provision action before looping over the resources. In this case, the action returns an error.

This acts like a glass the user has to break to access the unprovision button.

Keyword unprovision_timeout

required:    false
scopable:    true
convert:     duration

Example:

unprovision_timeout=1m30s

Description:

Wait for <duration> before declaring the action a failure.

Takes precedence over timeout.

Keyword validity

required:    false
scopable:    true
default:     1y
convert:     duration

Example:

validity=10y

Description:

Certificate Validity duration.