|
# =========================
|
|
# Pulp Server Configuration
|
|
# =========================
|
|
|
|
# This settings in this file are all commented by default, and the commented settings show the
|
|
# default values that Pulp will choose if not specified here.
|
|
|
|
# -- Common Configuration -----------------------------------------------------
|
|
|
|
# = Database =
|
|
#
|
|
# Controls the behavior of MongoDB under Pulp's usage.
|
|
#
|
|
# Authentication - If the username and the password keys have values provided,
|
|
# the pulp server will attempt to authenticate to the MongoDB server. The
|
|
# username and password provided here will be used to authenticate with the
|
|
# database specified in the name field.
|
|
#
|
|
# name: name of the database to use
|
|
# seeds: comma-separated list of hostname:port of database replica seed hosts
|
|
# username: The user name to use for authenticating to the MongoDB server
|
|
# password: The password to use for authenticating to the MongoDB server
|
|
# replica_set: uncomment and set this value to the name of replica set configured in MongoDB,
|
|
# if one is in use
|
|
# ssl: If True, create the connection to the server using SSL.
|
|
# ssl_keyfile: A path to the private keyfile used to identify the local connection against
|
|
# mongod. If included with the certfile then only the ssl_certfile is needed.
|
|
# ssl_certfile: The certificate file used to identify the local connection against mongod.
|
|
# verify_ssl: Specifies whether a certificate is required from the other side of the
|
|
# connection, and whether it will be validated if provided. If it is true, then
|
|
# the ssl_ca_certs parameter must point to a file of CA certificates used to
|
|
# validate the connection.
|
|
# ca_path: The ca_certs file contains a set of concatenated “certification authority”
|
|
# certificates, which are used to validate certificates passed from the other end
|
|
# of the connection.
|
|
|
|
[database]
|
|
name: pulp_database
|
|
seeds: localhost:27017
|
|
ssl: false
|
|
|
|
|
|
# = Server =
|
|
#
|
|
# Controls general Pulp web server behavior.
|
|
#
|
|
# server_name: hostname the admin client and consumers should use when accessing
|
|
# the server; if not specified, this is defaulted to the server's hostname
|
|
# default_login: default admin username of the Pulp server; this user will be
|
|
# the first time the server is started
|
|
# default_password: default password for admin when it is first created; this
|
|
# should be changed once the server is operational
|
|
# debugging_mode: boolean; toggles Pulp's debugging capabilities
|
|
# log_level: The desired logging level. Options are: CRITICAL, ERROR, WARNING, INFO, DEBUG,
|
|
# and NOTSET. Pulp will default to INFO.
|
|
[server]
|
|
server_name: puppet100.[redacted].net
|
|
key_url: /pulp/gpg
|
|
ks_url: /pulp/ks
|
|
default_login: admin
|
|
default_password: [redacted]
|
|
debugging_mode: false
|
|
log_level: INFO
|
|
|
|
|
|
# = Authentication =
|
|
#
|
|
# Keys used for message authentication.
|
|
#
|
|
# rsa_key:
|
|
# The RSA private key used for authentication.
|
|
# rsa_pub:
|
|
# The RSA public key used for authentication.
|
|
|
|
[authentication]
|
|
rsa_key = /etc/pki/pulp/rsa.key
|
|
rsa_pub = /etc/pki/pulp/rsa_pub.key
|
|
|
|
|
|
# = Security =
|
|
#
|
|
# Controls aspects of the Pulp web server security.
|
|
#
|
|
# For production installations, it is recommended that a new CA certificate be
|
|
# generated for the signing of user and consumer certificates and configured
|
|
# using the following properties.
|
|
#
|
|
# cacert: full path to the CA certificate that will be used to sign consumer
|
|
# and admin identification certificates; this must match the value of
|
|
# SSLCACertificateFile in /etc/httpd/conf.d/pulp.conf
|
|
#
|
|
# cakey: path to the private key for the above CA certificate
|
|
#
|
|
# ssl_ca_certificate: full path to the CA certificate used to sign the Pulp
|
|
# server's SSL certificate; consumers will use this to verify the
|
|
# Pulp server's SSL certificate during the SSL handshake
|
|
#
|
|
# user_cert_expiration: number of days a user certificate is valid
|
|
#
|
|
# consumer_cert_expiration: number of days a consumer certificate is valid
|
|
#
|
|
|
|
[security]
|
|
cacert: /etc/pki/pulp/ca.crt
|
|
cakey: /etc/pki/pulp/ca.key
|
|
ssl_ca_certificate: /etc/pki/pulp/ssl_ca.crt
|
|
user_cert_expiration: 7
|
|
consumer_cert_expiration: 3650
|
|
serial_number_path: /var/lib/pulp/sn.dat
|
|
|
|
|
|
# -- Advanced Configuration ---------------------------------------------------
|
|
|
|
# = Consumer History =
|
|
#
|
|
# Controls the storage of recorded consumer events.
|
|
#
|
|
# lifetime: number of days to store consumer events; events older
|
|
# than this will be purged; set to -1 to disable
|
|
|
|
[consumer_history]
|
|
lifetime: 180
|
|
|
|
|
|
# = Data Reaping =
|
|
#
|
|
# Controls the frequency in which reporting data is automatically removed from
|
|
# the database. Database entries that exceed the given thresholds will be
|
|
# deleted from the database when the reaper runs.
|
|
#
|
|
# reaper_interval: float; time in days between checks for old data in
|
|
# the database
|
|
#
|
|
# archived_calls: float; time in days to store archived calls
|
|
#
|
|
# consumer_history: float; time in days to store consumer history events
|
|
#
|
|
# repo_sync_history: float; time in days to store repository sync history events
|
|
#
|
|
# repo_publish_history: float; time in days to store repository publish history
|
|
# events
|
|
#
|
|
# repo_group_publish_history: float; time in days to store repository group
|
|
# publish history events
|
|
#
|
|
# task_status_history: float; time in days to store task status history in the db
|
|
# task_result_history: float; time in days to store task results history
|
|
|
|
[data_reaping]
|
|
reaper_interval: 0.25
|
|
archived_calls: 0.5
|
|
consumer_history: 60
|
|
repo_sync_history: 60
|
|
repo_publish_history: 60
|
|
repo_group_publish_history: 60
|
|
task_status_history: 7
|
|
task_result_history: 3
|
|
|
|
|
|
# = LDAP =
|
|
#
|
|
# Uncomment the below section with appropriate values to use an external LDAP
|
|
# server for user authentication.
|
|
#
|
|
# enabled: boolean; controls whether or not LDAP authentication is enabled
|
|
#
|
|
# uri: url of LDAP server
|
|
#
|
|
# base: location in the directory from which the LDAP search begins
|
|
#
|
|
# tls: boolean; controls whether or not to use TLS security
|
|
#
|
|
# default_role: Id of the role to assign LDAP users to by default. This is
|
|
# optional. This role must first be created on the Pulp server. If
|
|
# default_role is not set or doesn't exist, LDAP users are given same
|
|
# default permissions as local users.
|
|
#
|
|
# filter: directive to set more restrictive LDAP filter to limit the LDAP
|
|
# users who can authenticate to Pulp
|
|
|
|
# Deprecated! Please use apache's mod_authnz_ldap to do preauthentication. See
|
|
# pulp's user guide for details.
|
|
# [ldap]
|
|
# enabled: true # are you sure? This has been deprecated.
|
|
# uri: ldap://localhost
|
|
# base: dc=localhost
|
|
# tls: no
|
|
# default_role: <role-id>
|
|
# filter: (gidNumber=200)
|
|
|
|
|
|
# = OAuth =
|
|
#
|
|
# Uncomment the below section with appropriate values to use OAuth
|
|
# authentication.
|
|
#
|
|
# enabled: boolean; controls whether OAuth authentication is enabled
|
|
#
|
|
# oauth_key: string; key to enable OAuth style authentication
|
|
#
|
|
# oauth_secret: string; shared secret that can be used for OAuth style
|
|
# authentication
|
|
|
|
[oauth]
|
|
enabled: true
|
|
oauth_key: katello
|
|
oauth_secret: SBNzZcMxYisovUB9HMkMzGQBGeo5tKPA
|
|
|
|
|
|
# = Messaging =
|
|
#
|
|
# Controls Pulp's configuration of broker settings for communicating to the Consumer Agent.
|
|
#
|
|
# url: the url used to contact the broker. This setting uses the form:
|
|
#
|
|
# <protocol>://<host>:<port>/<virtual-host>
|
|
#
|
|
# Or to use a username and password:
|
|
#
|
|
# <protocol>://<user>:<password>@<host>:<port>/<virtual-host>
|
|
#
|
|
# Supported <protocol> values are 'tcp' or 'ssl' depending on if SSL should be used or not.
|
|
# The <virtual-host> is optional, and is only applicable to RabbitMQ broker environments.
|
|
#
|
|
# The default broker string is 'tcp://localhost:5672'.
|
|
#
|
|
# transport: The type of broker you are connecting to. The default is 'qpid'. For RabbitMQ,
|
|
# 'rabbitmq' should be used.
|
|
#
|
|
# cacert: Absolute path to PEM encoded CA certificate file, used by Pulp to validate the identity
|
|
# of the broker using SSL. The default is '/etc/pki/qpid/ca/ca.crt'.
|
|
#
|
|
# clientcert: Absolute path to PEM encoded file containing both the private key and
|
|
# certificate Pulp should present to the broker to be authenticated by the broker. The default
|
|
# is '/etc/pki/qpid/client/client.pem'.
|
|
#
|
|
# auth_enabled:
|
|
# Message authentication enabled flag. The default is 'true' which enables authentication.
|
|
# To disable authentication, use 'false'.
|
|
#
|
|
# topic_exchange: The name of the exchange to use. The exchange must be a topic exchange. The
|
|
# default is 'amq.topic', which is a default exchange that is guaranteed to exist on a Qpid
|
|
# broker. This setting is a string, and therefore includes the single quotes.
|
|
#
|
|
|
|
[messaging]
|
|
url: ssl://puppet100.[redacted].net:5671
|
|
transport: qpid
|
|
auth_enabled: false
|
|
cacert: /etc/pki/katello/certs/katello-default-ca.crt
|
|
clientcert: /etc/pki/katello/qpid_client_striped.crt
|
|
topic_exchange: 'amq.topic'
|
|
|
|
|
|
# = Asynchronous Tasks =
|
|
#
|
|
# Controls Pulp's Celery settings. These settings are used by the Pulp Server and Pulp Workers to
|
|
# perform asynchronous, server-side task work such as syncing, publishing, or deletion of content.
|
|
# Communication between these different components occurs through the broker.
|
|
#
|
|
# broker_url: A URL to a broker that Celery can use to queue tasks. For example, to configure
|
|
# Celery with a Qpid backend, set broker_url to:
|
|
#
|
|
# qpid://<username>:<password>@<hostname>:<port>/
|
|
#
|
|
# For RabbitMQ you can use the following broker_url style:
|
|
#
|
|
# amqp://<username>:<password>@<hostname>:<port>/<vhost>
|
|
#
|
|
# celery_require_ssl: Require SSL if set to 'true', otherwise do not require SSL. The default is
|
|
# 'false'.
|
|
#
|
|
# cacert: The absolute path to the PEM encoded CA Certificate allowing identity validation of the
|
|
# message bus. The default is '/etc/pki/pulp/qpid/ca.crt'.
|
|
#
|
|
# keyfile: The absolute path to the keyfile used for authentication to the message bus. This is the
|
|
# private key that corresponds with the certificate. The default value is
|
|
# '/etc/pki/pulp/qpid/client.crt'. Sometimes the key is kept in the same file as the
|
|
# certificate it corresponds with, and the default assumes this is the case.
|
|
#
|
|
# certfile: The absolute path to the PEM encoded certificate used for authentication to the message
|
|
# bus. The default value is '/etc/pki/pulp/qpid/client.crt'.
|
|
#
|
|
|
|
[tasks]
|
|
broker_url: qpid://puppet100.[redacted].net:5671
|
|
celery_require_ssl: true
|
|
cacert: /etc/pki/katello/certs/katello-default-ca.crt
|
|
keyfile: /etc/pki/katello/qpid_client_striped.crt
|
|
certfile: /etc/pki/katello/qpid_client_striped.crt
|
|
|
|
|
|
# = Email =
|
|
#
|
|
# Settings that allow the system to send email. It is recommended that
|
|
# the system relay through a local MTA on the machine. Pulp does not retry in
|
|
# case of error, so it is important to have a real MTA available locally.
|
|
#
|
|
# If there is a need to test email sending, it is recommended to run this:
|
|
# $ python -m smtpd -n -c DebuggingServer localhost:1025
|
|
# which will write each message to stdout.
|
|
#
|
|
# host: host name of the MTA pulp should relay through
|
|
#
|
|
# port: destination port to connect on
|
|
#
|
|
# from: the "From" address of each email the system sends
|
|
#
|
|
# enabled: boolean controls whether or not emails will be sent
|
|
|
|
[email]
|
|
host: localhost
|
|
port: 25
|
|
from: no-reply@[redacted].net
|
|
enabled: false
|
|
|
