# ========================= # Pulp Server Configuration # ========================= # This settings in this file are all commented by default, and the commented settings show the # default values that Pulp will choose if not specified here. # -- Common Configuration ----------------------------------------------------- # = Database = # # Controls the behavior of MongoDB under Pulp's usage. # # Authentication - If the username and the password keys have values provided, # the pulp server will attempt to authenticate to the MongoDB server. The # username and password provided here will be used to authenticate with the # database specified in the name field. # # name: name of the database to use # seeds: comma-separated list of hostname:port of database replica seed hosts # username: The user name to use for authenticating to the MongoDB server # password: The password to use for authenticating to the MongoDB server # replica_set: uncomment and set this value to the name of replica set configured in MongoDB, # if one is in use # ssl: If True, create the connection to the server using SSL. # ssl_keyfile: A path to the private keyfile used to identify the local connection against # mongod. If included with the certfile then only the ssl_certfile is needed. # ssl_certfile: The certificate file used to identify the local connection against mongod. # verify_ssl: Specifies whether a certificate is required from the other side of the # connection, and whether it will be validated if provided. If it is true, then # the ssl_ca_certs parameter must point to a file of CA certificates used to # validate the connection. # ca_path: The ca_certs file contains a set of concatenated “certification authority” # certificates, which are used to validate certificates passed from the other end # of the connection. [database] name: pulp_database seeds: localhost:27017 ssl: false # = Server = # # Controls general Pulp web server behavior. # # server_name: hostname the admin client and consumers should use when accessing # the server; if not specified, this is defaulted to the server's hostname # default_login: default admin username of the Pulp server; this user will be # the first time the server is started # default_password: default password for admin when it is first created; this # should be changed once the server is operational # debugging_mode: boolean; toggles Pulp's debugging capabilities # log_level: The desired logging level. Options are: CRITICAL, ERROR, WARNING, INFO, DEBUG, # and NOTSET. Pulp will default to INFO. [server] server_name: puppet100.[redacted].net key_url: /pulp/gpg ks_url: /pulp/ks default_login: admin default_password: [redacted] debugging_mode: false log_level: INFO # = Authentication = # # Keys used for message authentication. # # rsa_key: # The RSA private key used for authentication. # rsa_pub: # The RSA public key used for authentication. [authentication] rsa_key = /etc/pki/pulp/rsa.key rsa_pub = /etc/pki/pulp/rsa_pub.key # = Security = # # Controls aspects of the Pulp web server security. # # For production installations, it is recommended that a new CA certificate be # generated for the signing of user and consumer certificates and configured # using the following properties. # # cacert: full path to the CA certificate that will be used to sign consumer # and admin identification certificates; this must match the value of # SSLCACertificateFile in /etc/httpd/conf.d/pulp.conf # # cakey: path to the private key for the above CA certificate # # ssl_ca_certificate: full path to the CA certificate used to sign the Pulp # server's SSL certificate; consumers will use this to verify the # Pulp server's SSL certificate during the SSL handshake # # user_cert_expiration: number of days a user certificate is valid # # consumer_cert_expiration: number of days a consumer certificate is valid # [security] cacert: /etc/pki/pulp/ca.crt cakey: /etc/pki/pulp/ca.key ssl_ca_certificate: /etc/pki/pulp/ssl_ca.crt user_cert_expiration: 7 consumer_cert_expiration: 3650 serial_number_path: /var/lib/pulp/sn.dat # -- Advanced Configuration --------------------------------------------------- # = Consumer History = # # Controls the storage of recorded consumer events. # # lifetime: number of days to store consumer events; events older # than this will be purged; set to -1 to disable [consumer_history] lifetime: 180 # = Data Reaping = # # Controls the frequency in which reporting data is automatically removed from # the database. Database entries that exceed the given thresholds will be # deleted from the database when the reaper runs. # # reaper_interval: float; time in days between checks for old data in # the database # # archived_calls: float; time in days to store archived calls # # consumer_history: float; time in days to store consumer history events # # repo_sync_history: float; time in days to store repository sync history events # # repo_publish_history: float; time in days to store repository publish history # events # # repo_group_publish_history: float; time in days to store repository group # publish history events # # task_status_history: float; time in days to store task status history in the db # task_result_history: float; time in days to store task results history [data_reaping] reaper_interval: 0.25 archived_calls: 0.5 consumer_history: 60 repo_sync_history: 60 repo_publish_history: 60 repo_group_publish_history: 60 task_status_history: 7 task_result_history: 3 # = LDAP = # # Uncomment the below section with appropriate values to use an external LDAP # server for user authentication. # # enabled: boolean; controls whether or not LDAP authentication is enabled # # uri: url of LDAP server # # base: location in the directory from which the LDAP search begins # # tls: boolean; controls whether or not to use TLS security # # default_role: Id of the role to assign LDAP users to by default. This is # optional. This role must first be created on the Pulp server. If # default_role is not set or doesn't exist, LDAP users are given same # default permissions as local users. # # filter: directive to set more restrictive LDAP filter to limit the LDAP # users who can authenticate to Pulp # Deprecated! Please use apache's mod_authnz_ldap to do preauthentication. See # pulp's user guide for details. # [ldap] # enabled: true # are you sure? This has been deprecated. # uri: ldap://localhost # base: dc=localhost # tls: no # default_role: # filter: (gidNumber=200) # = OAuth = # # Uncomment the below section with appropriate values to use OAuth # authentication. # # enabled: boolean; controls whether OAuth authentication is enabled # # oauth_key: string; key to enable OAuth style authentication # # oauth_secret: string; shared secret that can be used for OAuth style # authentication [oauth] enabled: true oauth_key: katello oauth_secret: SBNzZcMxYisovUB9HMkMzGQBGeo5tKPA # = Messaging = # # Controls Pulp's configuration of broker settings for communicating to the Consumer Agent. # # url: the url used to contact the broker. This setting uses the form: # # ://:/ # # Or to use a username and password: # # ://:@:/ # # Supported values are 'tcp' or 'ssl' depending on if SSL should be used or not. # The is optional, and is only applicable to RabbitMQ broker environments. # # The default broker string is 'tcp://localhost:5672'. # # transport: The type of broker you are connecting to. The default is 'qpid'. For RabbitMQ, # 'rabbitmq' should be used. # # cacert: Absolute path to PEM encoded CA certificate file, used by Pulp to validate the identity # of the broker using SSL. The default is '/etc/pki/qpid/ca/ca.crt'. # # clientcert: Absolute path to PEM encoded file containing both the private key and # certificate Pulp should present to the broker to be authenticated by the broker. The default # is '/etc/pki/qpid/client/client.pem'. # # auth_enabled: # Message authentication enabled flag. The default is 'true' which enables authentication. # To disable authentication, use 'false'. # # topic_exchange: The name of the exchange to use. The exchange must be a topic exchange. The # default is 'amq.topic', which is a default exchange that is guaranteed to exist on a Qpid # broker. This setting is a string, and therefore includes the single quotes. # [messaging] url: ssl://puppet100.[redacted].net:5671 transport: qpid auth_enabled: false cacert: /etc/pki/katello/certs/katello-default-ca.crt clientcert: /etc/pki/katello/qpid_client_striped.crt topic_exchange: 'amq.topic' # = Asynchronous Tasks = # # Controls Pulp's Celery settings. These settings are used by the Pulp Server and Pulp Workers to # perform asynchronous, server-side task work such as syncing, publishing, or deletion of content. # Communication between these different components occurs through the broker. # # broker_url: A URL to a broker that Celery can use to queue tasks. For example, to configure # Celery with a Qpid backend, set broker_url to: # # qpid://:@:/ # # For RabbitMQ you can use the following broker_url style: # # amqp://:@:/ # # celery_require_ssl: Require SSL if set to 'true', otherwise do not require SSL. The default is # 'false'. # # cacert: The absolute path to the PEM encoded CA Certificate allowing identity validation of the # message bus. The default is '/etc/pki/pulp/qpid/ca.crt'. # # keyfile: The absolute path to the keyfile used for authentication to the message bus. This is the # private key that corresponds with the certificate. The default value is # '/etc/pki/pulp/qpid/client.crt'. Sometimes the key is kept in the same file as the # certificate it corresponds with, and the default assumes this is the case. # # certfile: The absolute path to the PEM encoded certificate used for authentication to the message # bus. The default value is '/etc/pki/pulp/qpid/client.crt'. # [tasks] broker_url: qpid://puppet100.[redacted].net:5671 celery_require_ssl: true cacert: /etc/pki/katello/certs/katello-default-ca.crt keyfile: /etc/pki/katello/qpid_client_striped.crt certfile: /etc/pki/katello/qpid_client_striped.crt # = Email = # # Settings that allow the system to send email. It is recommended that # the system relay through a local MTA on the machine. Pulp does not retry in # case of error, so it is important to have a real MTA available locally. # # If there is a need to test email sending, it is recommended to run this: # $ python -m smtpd -n -c DebuggingServer localhost:1025 # which will write each message to stdout. # # host: host name of the MTA pulp should relay through # # port: destination port to connect on # # from: the "From" address of each email the system sends # # enabled: boolean controls whether or not emails will be sent [email] host: localhost port: 25 from: no-reply@[redacted].net enabled: false