Yorc Server Configuration

Yorc has various configuration options that could be specified either by command-line flags, configuration file or environment variables.

If an option is specified several times using flags, environment and config file, command-line flag will have the precedence then the environment variable and finally the value defined in the configuration file.

Globals Command-line options

  • --ansible_use_openssh: Prefer OpenSSH over Paramiko a Python implementation of SSH (the default) to provision remote hosts. OpenSSH have several optimization like reusing connections that should improve preformance but may lead to issues on older systems.
  • --ansible_debug: Prints massive debug information from Ansible especially about connections
  • --ansible_connection_retries: Number of retries in case of Ansible SSH connection failure.
  • --ansible_cache_facts: If set to true, caches Ansible facts (values fetched on remote hosts about network/hardware/OS/virtualization configuration) so that these facts are not recomputed each time a new operation is a run for a given deployment (false by default: no caching).
  • --ansible_archive_artifacts: If set to true, archives operation bash/python scripts locally, copies this archive and unarchives it on remote hosts (requires tar to be installed on remote hosts), to avoid multiple time consuming remote copy operations of individual scripts (false by default: no archive).
  • --ansible_keep_generated_recipes: If set to true, generated Ansible recipes on Yorc server are not deleted. (false by default: generated recipes are deleted).
  • --operation_remote_base_dir: Specify an alternative working directory for Ansible on provisioned Compute.
  • --config or -c: Specify an alternative configuration file. By default Yorc will look for a file named config.yorc.json in /etc/yorc directory then if not found in the current directory.
  • --consul_address: Specify the address (using the format host:port) of Consul. Consul default is used if not provided.
  • --consul_token: Specify the security token to use with Consul. No security token used by default.
  • --consul_datacenter: Specify the Consul’s datacenter to use. Consul default (dc1) is used by default.
  • --consul_key_file: Specify the Consul client’s key to use when commuicating over TLS.
  • --consul_cert_file: Specify the Consul client’s certificate to use when commuicating over TLS.
  • --consul_ca_cert: Specify the CA used to sign Consul certificates.
  • --consul_ca_path: Specify the path to the CA used to sign Consul certificates
  • --consul_ssl: If set to true, enable SSL (false by default).
  • --consul_ssl_verify: If set to false, disable Consul certificate checking (true by default is ssl enabled).
  • --terraform_keep_generated_files: If set to true, generated Terraform infrastructures files on Yorc server are not deleted. (false by default: generated files are deleted).
  • --consul_publisher_max_routines: Maximum number of parallelism used to store key/values in Consul. If you increase the default value you may need to tweak the ulimit max open files. If set to 0 or less the default value (500) will be used.
  • --graceful_shutdown_timeout: Timeout to wait for a graceful shutdown of the Yorc server. After this delay the server immediately exits. The default is 5m.
  • --wf_step_graceful_termination_timeout: Timeout to wait for a graceful termination of a workflow step during concurrent workflow step failure. After this delay the step is set on error. The default is 2m.
  • --http_address: Restrict the listening interface for the Yorc HTTP REST API. By default Yorc listens on all available interfaces
  • --http_port: Port number for the Yorc HTTP REST API. If omitted or set to ‘0’ then the default port number is used, any positive integer will be used as it, and finally any negative value will let use a random port.
  • --keep_operation_remote_path: If set to true, do not delete temporary artifacts on provisioned Compute at the end of deployment (false by default for deployment temporary artifacts cleanup).
  • --key_file: File path to a PEM-encoded private key. The key is used to enable SSL for the Yorc HTTP REST API. This must be provided along with cert_file. If one of key_file or cert_file is not provided then SSL is disabled.
  • --cert_file: File path to a PEM-encoded certificate. The certificate is used to enable SSL for the Yorc HTTP REST API. This must be provided along with key_file. If one of key_file or cert_file is not provided then SSL is disabled.
  • --ca_file: If set to true, enable TLS certificate checking. Must be provided with cert_file ; key_file and ca_file. Disabled by default.
  • --ssl_verify: If set to true, enable TLS certificate checking for clients of the Yorc’s API. Must be provided with cert_file ; key_file and ca_file. Disabled by default.
  • --plugins_directory: The name of the plugins directory of the Yorc server. The default is to use a directory named plugins in the current directory.
  • --resources_prefix: Specify a prefix that will be used for names when creating resources such as Compute instances or volumes. Defaults to yorc-.
  • --workers_number: Yorc instances use a pool of workers to handle deployment tasks. This option defines the size of this pool. If not set the default value of 3 will be used.
  • --working_directory or -w: Specify an alternative working directory for Yorc. The default is to use a directory named work in the current directory.
  • --server_id: Specify the server ID used to identify the server node in a cluster. The default is server_0.

Configuration files

Configuration files are either JSON or YAML formatted as a single object containing the following configuration options. By default Yorc will look for a file named config.yorc.json in /etc/yorc directory then if not found in the current directory. The –config command line flag allows to specify an alternative configuration file.

Below is an example of configuration file.

{
  "resources_prefix": "yorc1-",
  "infrastructures": {
    "openstack": {
      "auth_url": "http://your-openstack:5000/v2.0",
      "tenant_name": "your-tenant",
      "user_name": "os-user",
      "password": "os-password",
      "private_network_name": "default-private-network",
      "default_security_groups": ["default"]
    }
  }
}

Below is an example of configuration file with TLS enabled.

{
  "resources_prefix": "yorc1-",
  "key_file": "/etc/pki/tls/private/yorc.key",
  "cert_file": "/etc/pki/tls/certs/yorc.crt",
  "infrastructures": {
    "openstack": {
      "auth_url": "http://your-openstack:5000/v2.0",
      "tenant_name": "your-tenant",
      "user_name": "os-user",
      "password": "os-password",
      "private_network_name": "default-private-network",
      "default_security_groups": ["default"]
    }
  }
}
  • key_file: Equivalent to –key_file command-line flag.
  • ca_file: Equivalent to –ca_file command-line flag.

Ansible configuration

Below is an example of configuration file with Ansible configuration options.

{
  "resources_prefix": "yorc1-",
  "infrastructures": {
    "openstack": {
      "auth_url": "http://your-openstack:5000/v2.0",
      "tenant_name": "your-tenant",
      "user_name": "os-user",
      "password": "os-password",
      "private_network_name": "default-private-network",
      "default_security_groups": ["default"]
    }
  },
  "ansible": {
    "use_openssh": true,
    "connection_retries": 3,
    "hosted_operations": {
      "unsandboxed_operations_allowed": false,
      "default_sandbox": {
        "image": "jfloff/alpine-python:2.7-slim",
        "entrypoint": ["python", "-c"],
        "command": ["import time;time.sleep(31536000);"]
      }
    }
  }
}

All available configuration options for Ansible are:

  • hosted_operations: This is a complex structure that allow to define the behavior of a Yorc server when it executes an hosted operation. For more information about hosted operation please see The hosted operations paragraph in the TOSCA support section. This structure contains the following configuration options:

    • unsandboxed_operations_allowed: This option control if operations can be executed directly on the system that hosts Yorc if no default sandbox is defined. This is not permitted by default.
    • default_sandbox: This complex structure allows to define the default docker container to use to sandbox orchestrator-hosted operations. Bellow configuration options entrypoint and command should be carefully set to run the container and make it sleep until operations are executed on it. Defaults options will run a python inline script that sleeps for 1 year.

      • image: This is the docker image identifier (in the docker format [repository/]name[:tag]) is option is required.
      • entrypoint: This allows to override the default image entrypoint. If both entrypoint and command are empty the default value for entrypoint is ["python", "-c"].
      • command: This allows to run a command within the container. If both entrypoint and command are empty the default value for command is ["import time;time.sleep(31536000);"].
      • env: An optional list environment variables to set when creating the container. The format of each variable is var_name=value.

Ansible performance considerations

As described in TOSCA Supported Operations implementations, Yorc supports these builtin implementations for operations to execute on remote hosts :

  • Bash scripts
  • Python scripts
  • Ansible Playbooks

It is recommended to implement operations as Ansible Playbooks to get the best execution performance.

When operations are not implemented using Ansible playbooks, see the Performance section on TOSCA Operations to improve the performance of scripts execution on remote hosts.

Consul configuration

Below is an example of configuration file with Consul configuration options.

{
  "resources_prefix": "yorc1-",
  "infrastructures": {
    "openstack": {
      "auth_url": "http://your-openstack:5000/v2.0",
      "tenant_name": "your-tenant",
      "user_name": "os-user",
      "password": "os-password",
      "private_network_name": "default-private-network",
      "default_security_groups": ["default"]
    }
  },
  "consul": {
    "address": "http://consul-host:8500",
    "datacenter": "dc1",
    "publisher_max_routines": 500
  }
}

All available configuration options for Consul are:

Terraform configuration

Below is an example of configuration file with Terraform configuration options.

{
  "resources_prefix": "yorc1-",
  "infrastructures": {
    "openstack": {
      "auth_url": "http://your-openstack:5000/v2.0",
      "tenant_name": "your-tenant",
      "user_name": "os-user",
      "password": "os-password",
      "private_network_name": "default-private-network",
      "default_security_groups": ["default"]
    }
  },
  "terraform": {
    "keep_generated_files": false
  }
}

All available configuration options for Terraform are:

Telemetry configuration

Telemetry configuration can only be done via the configuration file. By default telemetry data are only stored in memory. See Yorc Telemetry for more information about telemetry.

Below is an example of configuration file with telemetry metrics forwarded to a Statsd instance and with a Prometheus HTTP endpoint exposed.

{
  "resources_prefix": "yorc1-",
  "infrastructures": {
    "openstack": {
      "auth_url": "http://your-openstack:5000/v2.0",
      "tenant_name": "your-tenant",
      "user_name": "os-user",
      "password": "os-password",
      "private_network_name": "default-private-network",
      "default_security_groups": ["default"]
    }
  },
  "telemetry": {
    "statsd_address": "127.0.0.1:8125",
    "expose_prometheus_endpoint": true
  }
}

All available configuration options for telemetry are:

  • service_name: Metrics keys prefix, defaults to yorc.
  • disable_hostname: Specifies if gauge values should not be prefixed with the local hostname. Defaults to false.
  • disable_go_runtime_metrics: Specifies Go runtime metrics (goroutines, memory, …) should not be published. Defaults to false.
  • statsd_address: Specify the address (in form <address>:<port>) of a statsd server to forward metrics data to.
  • statsite_address: Specify the address (in form <address>:<port>) of a statsite server to forward metrics data to.
  • expose_prometheus_endpoint: Specify if an HTTP Prometheus endpoint should be exposed allowing Prometheus to scrape metrics.

Deprecated configuration options

Deprecated since version 3.0.0.

Environment variables

  • YORC_CONSUL_SSL: Equivalent to –consul_ssl command-line flag.
  • YORC_HTTP_PORT: Equivalent to –http_port command-line flag.
  • YORC_KEY_FILE: Equivalent to –key_file command-line flag.
  • YORC_CERT_FILE: Equivalent to –cert_file command-line flag.
  • YORC_SSL_VERIFY: Equivalent to –ssl_verify command-line flag.
  • YORC_CA_FILE: Equivalent to –ca_file command-line flag.
  • YORC_SERVER_ID: Equivalent to –server_id command-line flag.
  • YORC_LOG: If set to 1 or DEBUG, enables debug logging for Yorc.

Infrastructures configuration

Due to the pluggable nature of infrastructures support in Yorc their configuration differ from other configurable options. An infrastructure configuration option could be specified by either a its configuration placeholder in the configuration file, a command line flag or an environment variable.

The general principle is for a configurable option option_1 for infrastructure infra1 it should be specified in the configuration file as following:

{
  "infrastructures": {
    "infra1": {
      "option_1": "value"
    }
  }
}

Similarly a command line flag with the name --infrastructure_infra1_option_1 and an environment variable with the name YORC_INFRA_INFRA1_OPTION_1 will be automatically supported and recognized. The default order of precedence apply here.

Builtin infrastructures configuration

OpenStack

OpenStack infrastructure key name is openstack in lower case.

Option Name Description Data Type Required Default
auth_url Specify the authentication url for OpenStack (should be the Keystone endpoint ie: http://your-openstack:5000/v2.0). string yes  
tenant_id Specify the OpenStack tenant id to use. string Either this or tenant_name should be provided.  
tenant_name Specify the OpenStack tenant name to use. string Either this or tenant_id should be provided.  
user_name Specify the OpenStack user name to use. string yes  
password Specify the OpenStack password to use. string yes  
region Specify the OpenStack region to use string no RegionOne
private_network_name Specify the name of private network to use as primary adminstration network between Yorc and Compute instances. It should be a private network accessible by this instance of Yorc. string Required to use the PRIVATE keyword for TOSCA admin networks  
provisioning_over_fip_allowed This allows to perform the provisioning of a Compute over the associated floating IP if it exists. This is useful when Yorc is not deployed on the same private network than the provisioned Compute. boolean no false
default_security_groups Default security groups to be used when creating a Compute instance. It should be a comma-separated list of security group names list of strings no  
insecure Trust self-signed SSL certificates boolean no false
cacert_file Specify a custom CA certificate when communicating over SSL. You can specify either a path to the file or the contents of the certificate string no  
cert Specify client certificate file for SSL client authentication. You can specify either a path to the file or the contents of the certificate string no  
key Specify client private key file for SSL client authentication. You can specify either a path to the file or the contents of the key string no  

Kubernetes

Kubernetes infrastructure key name is kubernetes in lower case.

Option Name Description Data Type Required Default
master_url URL of the HTTP API of Kubernetes is exposed. Format: https://<host>:<port> string yes  
ca_file Path to a trusted root certificates for server string no  
cert_file Path to the TLS client certificate used for authentication string no  
key_file Path to the TLS client key used for authentication string no  
insecure Server should be accessed without verifying the TLS certificate (testing only) boolean no  

Google Cloud Platform

Google Cloud Platform infrastructure key name is google in lower case.

Option Name Description Data Type Required Default
project ID of the project to apply any resources to string yes  
application_credentials Path of file containing credentials* string no Google Application Default Credentials
credentials Content of file containing credentials string no Google Application Default Credentials
region The region to operate under string no  

application_credentials is the path (accessible to Yorc server) of a file containing service account private keys in JSON format. This file can be downloaded from the Google Cloud Console at Google Cloud service account file.

If no file path is specified in application_credentials and no file content is specified in credentials, the orchestrator will fall back to using the Google Application Default Credentials if any.

AWS

AWS infrastructure key name is aws in lower case.

Option Name Description Data Type Required Default
access_key Specify the AWS access key credential. string yes  
secret_key Specify the AWS secret key credential. string yes  
region Specify the AWS region to use. string yes  

Slurm

Slurm infrastructure key name is slurm in lower case.

Option Name Description Data Type Required Default
user_name SSH Username to be used to connect to the Slurm Client’s node string yes  
password SSH Password to be used to connect to the Slurm Client’s node string Either this or private_key should be provided  
private_key SSH Private key to be used to connect to the Slurm Client’s node string Either this or password should be provided  
url IP address of the Slurm Client’s node string yes  
port SSH Port to be used to connect to the Slurm Client’s node string yes  
default_job_name Default name for the job allocation. string no  

Vault configuration

Due to the pluggable nature of vaults support in Yorc their configuration differ from other configurable options. A vault configuration option could be specified by either its configuration placeholder in the configuration file, a command line flag or an environment variable.

The general principle is for a configurable option option_1 it should be specified in the configuration file as following:

{
  "vault": {
    "type": "vault_implementation",
    "option_1": "value"
  }
}

Similarly a command line flag with the name --vault_option_1 and an environment variable with the name YORC_VAULT_OPTION_1 will be automatically supported and recognized. The default order of precedence apply here.

type is the only mandatory option for all vaults configurations, it allows to select the vault implementation by specifying it’s ID. If the type option is not present either in the config file, as a command line flag or as an environment variable, Vault configuration will be ignored.

The integration with a Vault is totally optional and this configuration part may be leave empty.

Builtin Vaults configuration

HashiCorp’s Vault

This is the only builtin supported Vault implementation. Implementation ID to use with the vault type configuration parameter is hashicorp.

Bellow are recognized configuration options for Vault:

Option Name Description Data Type Required Default
address Address is the address of the Vault server. This should be a complete URL such as “https://vault.example.com”. string yes  
max_retries MaxRetries controls the maximum number of times to retry when a 5xx error occurs. Set to 0 or less to disable retrying. integer no 0
timeout Timeout is for setting custom timeout parameter in the HttpClient. string no  
ca_cert CACert is the path to a PEM-encoded CA cert file to use to verify the Vault server SSL certificate. string no  
ca_path CAPath is the path to a directory of PEM-encoded CA cert files to verify the Vault server SSL certificate. string no  
client_cert ClientCert is the path to the certificate for Vault communication. string no  
client_key ClientKey is the path to the private key for Vault communication string no  
tls_server_name TLSServerName, if set, is used to set the SNI host when connecting via TLS. string no  
tls_skip_verify Disables SSL verification boolean no false
token Specifies the access token to use to connect to vault. This is highly discouraged to this option in the configuration file as the token is a sensitive data and should not be written on disk. Prefer the associated environment variable string no  

Yorc Client CLI Configuration

This section is dedicated to the CLI part of yorc that covers everything except the server configuration detailed above. It focus on configuration options commons to all the commands. Sub commands may have additional options please use the cli help command to see them.

Just like for its server part Yorc Client CLI has various configuration options that could be specified either by command-line flags, configuration file or environment variables.

If an option is specified several times using flags, environment and config file, command-line flag will have the precedence then the environment variable and finally the value defined in the configuration file.

Command-line options

  • --ca_file: This provides a file path to a PEM-encoded certificate authority. This implies the use of HTTPS to connect to the Yorc REST API.
  • --ca_path: Path to a directory of PEM-encoded certificates authorities. This implies the use of HTTPS to connect to the Yorc REST API.
  • --cert_file: File path to a PEM-encoded client certificate used to authenticate to the Yorc API. This must be provided along with key-file. If one of key-file or cert-file is not provided then SSL authentication is disabled. If both cert-file and key-file are provided this implies the use of HTTPS to connect to the Yorc REST API.
  • -c or --config: config file (default is /etc/yorc/yorc-client.[json|yaml])
  • --key_file: File path to a PEM-encoded client private key used to authenticate to the Yorc API. This must be provided along with cert-file. If one of key-file or cert-file is not provided then SSL authentication is disabled. If both cert-file and key-file are provided this implies the use of HTTPS to connect to the Yorc REST API.
  • --skip_tls_verify: Controls whether a client verifies the server’s certificate chain and host name. If set to true, TLS accepts any certificate presented by the server and any host name in that certificate. In this mode, TLS is susceptible to man-in-the-middle attacks. This should be used only for testing. This implies the use of HTTPS to connect to the Yorc REST API.
  • -s or --ssl_enabled: Use HTTPS to connect to the Yorc REST API. This is automatically implied if one of --ca_file, --ca_path, --cert_file, --key_file or --skip_tls_verify is provided.
  • --yorc_api: specify the host and port used to join the Yorc’ REST API (default “localhost:8800”)

Configuration files

Configuration files are either JSON or YAML formatted as a single object containing the following configuration options. By default Yorc will look for a file named yorc-client.json or yorc-client.yaml in /etc/yorc directory then if not found in the current directory. The –config command line flag allows to specify an alternative configuration file.

  • ca_file: Equivalent to –ca_file command-line flag.
  • ca_path: Equivalent to –ca_path command-line flag.
  • key_file: Equivalent to –key_file command-line flag.
  • yorc_api: Equivalent to –yorc_api command-line flag.

Environment variables

  • YORC_CA_FILE: Equivalent to –ca_file command-line flag.
  • YORC_CA_PATH: Equivalent to –ca_path command-line flag.
  • YORC_CERT_FILE: Equivalent to –cert_file command-line flag.
  • YORC_KEY_FILE: Equivalent to –key_file command-line flag.
  • YORC_API: Equivalent to –yorc_api command-line flag.