Environment Variables with Special Scopes
Introduction
Some environment variables have a special, extended or global scope. Variables with special scope are related to a deployment method only. Variables with an extended scope do not directly configure services but functions underneath. Variables with a global scope can configure more than one service.
Examples:
-
The global environment variable
OCIS_LOG_LEVELis available in multiple services. -
The extended environment variable
OCIS_CONFIG_DIRcan be used withocis init. -
The special environment variable
OCIS_RUN_SERVICESis only available with a binary deployment.
Special Environment Variables
The following environment variables are only available with the Binary Setup. Read the Environment Variable Types documentation for important details.
| Name | Description |
|---|---|
|
A comma-separated list of service names. Will start only the listed services. |
|
A comma-separated list of service names. Will start all default services except of the ones listed. Has no effect when |
|
A comma-separated list of service names. Will add the listed services to the default configuration. Has no effect when |
Note to get the current list of services started by default, you need to run ocis server without restriction which services to start and afterwards ocis list.
| Name | Description |
|---|---|
|
A comma-separated list of service names. Will start only the listed services. |
|
A comma-separated list of service names. Will start all default services except of the ones listed. Has no effect when |
|
A comma-separated list of service names. Will add the listed services to the default configuration. Has no effect when |
Note to get the current list of services started by default, you need to run ocis server without restriction which services to load and afterwards ocis list.
| Name | Description |
|---|---|
|
A comma-separated list of service names. Will start only the listed services. |
|
A comma-separated list of service names. Will start all default services except of the ones listed. Has no effect when |
Note to get the current list of services started by default, you need to run ocis server without restriction which services to load and afterwards ocis list.
Extended Environment Variables
The extended variables are defined in the following way. Read the Environment Variable Types documentation for important details.
| Name | Type | Default Value | Description |
|---|---|---|---|
|
string |
Error |
Set the log level for the internal go micro framework. Only change on supervision of ownCloud Support. |
|
string |
|
Go micro registry type to use. Supported types are: 'nats', 'kubernetes', 'etcd', 'consul', 'memory' and 'mdns'. Will be selected automatically. Only change on supervision of ownCloud Support. |
|
string |
|
The bind address of the internal go micro framework. Only change on supervision of ownCloud Support. |
|
string |
'/var/lib/ocis' or '$HOME/.ocis/' |
The base directory location used by several services and for user data. Predefined to '/var/lib/ocis' for container images (inside the container) or '$HOME/.ocis/' for binary releases. Services can have, if available, an individual setting with an own environment variable. |
|
string |
'/etc/ocis' or '$HOME/.ocis/config' |
The default directory location for config files. Predefined to '/etc/ocis' for container images (inside the container) or '$HOME/.ocis/config' for binary releases. |
|
|
|
|
|
|
|
|
| Name | Type | Default Value | Description |
|---|---|---|---|
|
string |
Error |
Set the log level for the internal go micro framework. Only change on supervision of ownCloud Support. |
|
string |
|
Go micro registry type to use. Supported types are: 'nats', 'kubernetes', 'etcd', 'consul', 'memory' and 'mdns'. Will be selected automatically. Only change on supervision of ownCloud Support. |
|
string |
|
The bind address of the internal go micro framework. Only change on supervision of ownCloud Support. |
|
string |
'/var/lib/ocis' or '$HOME/.ocis/' |
The base directory location used by several services and for user data. Predefined to '/var/lib/ocis' for container images (inside the container) or '$HOME/.ocis/' for binary releases. Services can have, if available, an individual setting with an own environment variable. |
|
string |
'/etc/ocis' or '$HOME/.ocis/config' |
The default directory location for config files. Predefined to '/etc/ocis' for container images (inside the container) or '$HOME/.ocis/config' for binary releases. |
| Name | Type | Default Value | Description |
|---|---|---|---|
|
string |
Error |
Set the log level for the internal go micro framework. Only change on supervision of ownCloud Support. |
|
string |
|
Go micro registry type to use. Supported types are: 'nats', 'kubernetes', 'etcd', 'consul' and 'memory'. Will be selected automatically. Only change on supervision of ownCloud Support. |
|
string |
|
The bind address of the internal go micro framework. Only change on supervision of ownCloud Support. |
|
string |
'/var/lib/ocis' or '$HOME/.ocis/' |
The base directory location used by several services and for user data. Predefined to '/var/lib/ocis' for container images (inside the container) or '$HOME/.ocis/' for binary releases. Services can have, if available, an individual setting with an own environment variable. |
|
string |
'/etc/ocis' or '$HOME/.ocis/config' |
The default directory location for config files. Predefined to '/etc/ocis' for container images (inside the container) or '$HOME/.ocis/config' for binary releases. |
Global Environment Variables
Note that the descriptions of these environment variables may differ depending on the service context.
The global variables are defined in the following way. Read the Environment Variable Types documentation for important details.
Note that some global environment variables have been deprecated and replaced by a new one starting with OCIS_ for naming consistency:
-
All envvars starting with
LDAP_ -
All envvars starting with
IDM_exceptIDM_CREATE_DEMO_USERS -
The following envvars:
OCIS_REVA_GATEWAY,STORAGE_TRANSFER_SECRET,OCIS_ASYNC_UPLOADS,USERLOG_MACHINE_AUTH_API_KEY. -
Note that
WEB_UI_CONFIG_FILEis not a global envar and will dropped from the list in a later release.
| Name | Services | Type | Default Value | Description |
|---|---|---|---|---|
|
bool |
false |
The default role assignments the demo users should be setup. |
|
|
string |
|
Password to use for authenticating the 'bind_dn'. |
|
|
string |
|
ID of the user that should receive admin privileges. Consider that the UUID can be encoded in some LDAP deployment configurations like in .ldif files. These need to be decoded beforehand. |
|
|
bool |
true |
Enable asynchronous file uploads. |
|
|
string |
ocis |
The database name the configured store should use. |
|
|
int |
0 |
The maximum quantity of items in the cache. Only applies when store type 'ocmem' is configured. Defaults to 512 which is derived from the ocmem package though not exclicitely set as default. |
|
|
string |
memory |
The type of the cache store. Supported values are: 'memory', 'ocmem', 'etcd', 'redis', 'redis-sentinel', 'nats-js', 'noop'. See the text description for details. |
|
|
[]string |
[] |
A list of nodes to access the configured store. This has no effect when 'memory' or 'ocmem' stores are configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details. |
|
|
Duration |
10m0s |
Default time to live for entries in the cache. Only applied when access tokens has no expiration. See the Environment Variable Types description for more details. |
|
|
bool |
true |
Allow credentials for CORS.See following chapter for more details: Access-Control-Allow-Credentials at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials. |
|
|
[]string |
[Authorization Origin Content-Type Accept X-Requested-With X-Request-Id Ocs-Apirequest] |
A list of allowed CORS headers. See following chapter for more details: Access-Control-Request-Headers at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Headers. See the Environment Variable Types description for more details. |
|
|
[]string |
[GET] |
A list of allowed CORS methods. See following chapter for more details: Access-Control-Request-Method at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Method. See the Environment Variable Types description for more details. |
|
|
[]string |
[*] |
A list of allowed CORS origins. See following chapter for more details: Access-Control-Allow-Origin at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin. See the Environment Variable Types description for more details. |
|
|
string |
messagepack |
The backend to use for storing metadata. Supported values are 'messagepack' and 'xattrs'. The setting 'messagepack' uses a dedicated file to store file metadata while 'xattrs' uses extended attributes to store file metadata. Defaults to 'messagepack'. |
|
|
string |
sync |
The propagator used for decomposedfs. At the moment, only 'sync' is fully supported, 'async' is available as an experimental option. |
|
|
string |
|
The default language used by services and the WebUI. If not defined, English will be used as default. See the documentation for more details. |
|
|
bool |
false |
Set this option to 'true' to disable rendering of thumbnails triggered via webdav access. Note that when disabled, all access to preview related webdav paths will return a 404. |
|
|
string |
Community |
||
|
bool |
true |
Changing this value is NOT supported. Enables the support for resharing in the clients. |
|
|
string |
ocis-cluster |
The clusterID of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture. Mandatory when using NATS as event system. |
|
|
bool |
false |
Enable TLS for the connection to the events broker. The events broker is the ocis service which receives and delivers events between the services.. |
|
|
string |
127.0.0.1:9233 |
The address of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture. |
|
|
string |
|
The root CA certificate used to validate the server’s TLS certificate. If provided NOTIFICATIONS_EVENTS_TLS_INSECURE will be seen as false. |
|
|
string |
|
Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the go-micro based grpc services. |
|
|
string |
|
TLS mode for grpc connection to the go-micro based grpc services. Possible values are 'off', 'insecure' and 'on'. 'off': disables transport security for the clients. 'insecure' allows using transport security, but disables certificate verification (to be used with the autogenerated self-signed certificates). 'on' enables transport security, including server certificate verification. |
|
|
string |
|
Path/File name of the TLS server certificate (in PEM format) for the http services. |
|
|
bool |
false |
Activates TLS for the http based services using the server certifcate and key configured via OCIS_HTTP_TLS_CERTIFICATE and OCIS_HTTP_TLS_KEY. If OCIS_HTTP_TLS_CERTIFICATE is not set a temporary server certificate is generated - to be used with PROXY_INSECURE_BACKEND=true. |
|
|
string |
|
Path/File name for the TLS certificate key (in PEM format) for the server certificate to use for the http services. |
|
|
bool |
false |
Whether to verify the server TLS certificates. |
|
|
string |
|
The secret to mint and validate jwt tokens. |
|
|
string |
|
The URL to access keycloak. |
|
|
string |
|
The client ID to authenticate with keycloak. |
|
|
string |
|
The realm the client is defined in. |
|
|
string |
|
The client secret to use in authentication. |
|
|
bool |
false |
Disable TLS certificate validation for Keycloak connections. Do not set this in production environments. |
|
|
string |
|
The realm users are defined. |
|
|
string |
uid=reva,ou=sysusers,o=libregraph-idm |
LDAP DN to use for simple bind authentication with the target LDAP server. |
|
|
string |
|
Password to use for authenticating the 'bind_dn'. |
|
|
string |
~/.ocis/idm/ldap.crt |
Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the LDAP service. If not defined, the root directory derives from $OCIS_BASE_DATA_PATH:/idm. |
|
|
string |
cn=DisabledUsersGroup,ou=groups,o=libregraph-idm |
The distinguished name of the group to which added users will be classified as disabled when 'disable_user_mechanism' is set to 'group'. |
|
|
string |
attribute |
An option to control the behavior for disabling users. Valid options are 'none', 'attribute' and 'group'. If set to 'group', disabling a user via API will add the user to the configured group for disabled users, if set to 'attribute' this will be done in the ldap user entry, if set to 'none' the disable request is not processed. |
|
|
string |
ou=groups,o=libregraph-idm |
Search base DN for looking up LDAP groups. |
|
|
string |
|
LDAP filter to add to the default filters for group searches. |
|
|
string |
groupOfNames |
The object class to use for groups in the default group search filter ('groupOfNames'). |
|
|
string |
cn |
LDAP Attribute to use for the displayname of groups (often the same as groupname attribute). |
|
|
string |
cn |
LDAP Attribute to use for the name of groups. |
|
|
string |
ownclouduuid |
LDAP Attribute to use as the unique id for groups. This should be a stable globally unique id (e.g. a UUID). |
|
|
bool |
false |
Set this to true if the defined 'id' attribute for groups is of the 'OCTETSTRING' syntax. This is e.g. required when using the 'objectGUID' attribute of Active Directory for the group IDs. |
|
|
string |
LDAP Attribute to use for the email address of groups (can be empty). |
||
|
string |
member |
LDAP Attribute that is used for group members. |
|
|
string |
sub |
LDAP search scope to use when looking up groups. Supported values are 'base', 'one' and 'sub'. |
|
|
bool |
false |
Disable TLS certificate validation for the LDAP connections. Do not set this in production environments. |
|
|
bool |
true |
Allow creating, modifying and deleting LDAP users via the GRAPH API. This can only be set to 'true' when keeping default settings for the LDAP user and group attribute types (the 'OCIS_LDAP_USER_SCHEMA_* and 'OCIS_LDAP_GROUP_SCHEMA_* variables). |
|
|
string |
ldaps://localhost:9235 |
URI of the LDAP Server to connect to. Supported URI schemes are 'ldaps://' and 'ldap://' |
|
|
string |
ou=users,o=libregraph-idm |
Search base DN for looking up LDAP users. |
|
|
string |
ownCloudUserEnabled |
LDAP attribute to use as a flag telling if the user is enabled or disabled. |
|
|
string |
|
LDAP filter to add to the default filters for user search like '(objectclass=ownCloud)'. |
|
|
string |
inetOrgPerson |
The object class to use for users in the default user search filter ('inetOrgPerson'). |
|
|
string |
displayname |
LDAP Attribute to use for the displayname of users. |
|
|
string |
ownclouduuid |
LDAP Attribute to use as the unique ID for users. This should be a stable globally unique ID like a UUID. |
|
|
bool |
false |
Set this to true if the defined 'ID' attribute for users is of the 'OCTETSTRING' syntax. This is e.g. required when using the 'objectGUID' attribute of Active Directory for the user IDs. |
|
|
string |
LDAP Attribute to use for the email address of users. |
||
|
string |
uid |
LDAP Attribute to use for username of users. |
|
|
string |
ownCloudUserType |
LDAP Attribute to distinguish between 'Member' and 'Guest' users. Default is 'ownCloudUserType'. |
|
|
string |
sub |
LDAP search scope to use when looking up users. Supported values are 'base', 'one' and 'sub'. |
|
|
bool |
false |
Activates colorized log output. |
|
|
string |
|
The path to the log file. Activates logging to this file if set. |
|
|
string |
|
The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'. |
|
|
bool |
false |
Activates pretty log output. |
|
|
string |
|
Machine auth API key used to validate internal requests necessary for the access to resources from other services. |
|
|
string |
https://localhost:9200 |
The identity provider value to set in the userids of the CS3 user objects for users returned by this user provider. |
|
|
string |
memory |
The type of the store. Supported values are: 'memory', 'ocmem', 'etcd', 'redis', 'redis-sentinel', 'nats-js', 'noop'. See the text description for details. |
|
|
[]string |
[] |
A list of nodes to access the configured store. This has no effect when 'memory' or 'ocmem' stores are configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details. |
|
|
int |
0 |
The maximum quantity of items in the store. Only applies when store type 'ocmem' is configured. Defaults to 512 which is derived from the ocmem package though not exclicitely set as default. |
|
|
Duration |
336h0m0s |
Time to live for events in the store. Defaults to '336h' (2 weeks). See the Environment Variable Types description for more details. |
|
|
string |
com.owncloud.api.gateway |
CS3 gateway used to look up user metadata |
|
|
string |
|
The ID of the service account the service should use. See the 'auth-service' service description for more details. |
|
|
string |
|
The service account secret. |
|
|
bool |
false |
Set this to true if you want to enforce passwords on Uploader, Editor or Contributor shares. If not using the global OCIS_SHARING_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD, you must define the FRONTEND_OCS_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD in the frontend service. |
|
|
uint64 |
0 |
Set the global max quota value in bytes. A value of 0 equals unlimited. The value is provided via capabilities. |
|
|
string |
|
API key for the STORAGE-SYSTEM system user. |
|
|
string |
|
ID of the oCIS STORAGE-SYSTEM system user. Admins need to set the ID for the STORAGE-SYSTEM system user in this config option which is then used to reference the user. Any reasonable long string is possible, preferably this would be an UUIDv4 format. |
|
|
string |
internal |
IDP of the oCIS STORAGE-SYSTEM system user. |
|
|
string |
|
The HTTP endpoint for sending spans directly to a collector, i.e. http://jaeger-collector:14268/api/traces. Only used if the tracing endpoint is unset. |
|
|
bool |
false |
Activates tracing. |
|
|
string |
|
The endpoint of the tracing agent. |
|
|
string |
|
The type of tracing. Defaults to '', which is the same as 'jaeger'. Allowed tracing types are 'jaeger' and '' as of now. |
|
|
string |
|
The storage transfer secret. |
|
|
string |
|
(optional) Set this to a path with custom translations to overwrite the builtin translations. Note that file and folder naming rules apply, see the documentation for more details. |
|
|
string |
https://localhost:9200 |
The public facing URL of the oCIS frontend. |
|
|
Duration |
0s |
The delay between a change made to a tree and the propagation start on treesize and treetime. Multiple propagations are computed to a single one. See the Environment Variable Types description for more details. |
|
|
string |
com.owncloud.api.settings |
Endpoint of the permissions service. The endpoints can differ for 'ocis' and 's3ng'. |
Note that some global environment variables have been deprecated and replaced by a new one starting with OCIS_ for naming consistency:
-
All envvars starting with
LDAP_ -
All envvars starting with
IDM_exceptIDM_CREATE_DEMO_USERS -
The following envvars:
REVA_GATEWAY,STORAGE_TRANSFER_SECRET,STORAGE_USERS_OCIS_ASYNC_UPLOADS,USERLOG_MACHINE_AUTH_API_KEY. -
Note that
WEB_UI_CONFIG_FILEis not a global envar and will dropped from the list in a later release.
| Name | Services | Type | Default Value | Description |
|---|---|---|---|---|
|
bool |
false |
The default role assignments the demo users should be setup. |
|
|
string |
|
Password to use for authenticating the 'bind_dn'. |
|
|
string |
|
ID of the user that should receive admin privileges. Consider that the UUID can be encoded in some LDAP deployment configurations like in .ldif files. These need to be decoded beforehand. |
|
|
bool |
false |
Enable asynchronous file uploads. |
|
|
string |
ocis |
The database name the configured store should use. |
|
|
int |
0 |
The maximum quantity of items in the user info cache. Only applies when store type 'ocmem' is configured. Defaults to 512. |
|
|
string |
memory |
The type of the cache store. Supported values are: 'memory', 'ocmem', 'etcd', 'redis', 'redis-sentinel', 'nats-js', 'noop'. See the text description for details. |
|
|
[]string |
[] |
A comma separated list of nodes to access the configured store. This has no effect when 'memory' or 'ocmem' stores are configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. |
|
|
Duration |
10s |
Default time to live for user info in the user info cache. Only applied when access tokens has no expiration. The duration can be set as number followed by a unit identifier like s, m or h. Defaults to '10s' (10 seconds). |
|
|
bool |
true |
Allow credentials for CORS.See following chapter for more details: Access-Control-Allow-Credentials at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials. |
|
|
[]string |
[Authorization Origin Content-Type Accept X-Requested-With X-Request-Id] |
A blank or comma-separated list of allowed CORS headers. See following chapter for more details: Access-Control-Request-Headers at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Headers. |
|
|
[]string |
[GET POST PUT PATCH DELETE OPTIONS] |
A comma-separated list of allowed CORS methods. See following chapter for more details: Access-Control-Request-Method at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Method |
|
|
[]string |
[*] |
A comma-separated list of allowed CORS origins. See following chapter for more details: Access-Control-Allow-Origin at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin |
|
|
string |
messagepack |
The backend to use for storing metadata. Supported values are 'messagepack' and 'xattrs'. The setting 'messagepack' uses a dedicated file to store file metadata while 'xattrs' uses extended attributes to store file metadata. Defaults to 'messagepack'. |
|
|
string |
sync |
The propagator used for decomposedfs. At the moment, only 'sync' is fully supported, 'async' is available as an experimental option. |
|
|
bool |
false |
Set this option to 'true' to disable previews in all the different web file listing views. This can speed up file listings in folders with many files. The only list view that is not affected by this setting is the trash bin, as it does not allow previewing at all. |
|
|
string |
Community |
||
|
string |
ocis-cluster |
The clusterID of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture. Mandatory when using NATS as event system. |
|
|
bool |
false |
Enable TLS for the connection to the events broker. The events broker is the ocis service which receives and delivers events between the services.. |
|
|
string |
127.0.0.1:9233 |
The address of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture. |
|
|
string |
|
The root CA certificate used to validate the server’s TLS certificate. If provided SHARING_EVENTS_TLS_INSECURE will be seen as false. |
|
|
string |
|
Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the go-micro based grpc services. |
|
|
string |
|
TLS mode for grpc connection to the go-micro based grpc services. Possible values are 'off', 'insecure' and 'on'. 'off': disables transport security for the clients. 'insecure' allows using transport security, but disables certificate verification (to be used with the autogenerated self-signed certificates). 'on' enables transport security, including server certificate verification. |
|
|
string |
|
Path/File name of the TLS server certificate (in PEM format) for the http services. |
|
|
bool |
false |
Activates TLS for the http based services using the server certifcate and key configured via OCIS_HTTP_TLS_CERTIFICATE and OCIS_HTTP_TLS_KEY. If OCIS_HTTP_TLS_CERTIFICATE is not set a temporary server certificate is generated - to be used with PROXY_INSECURE_BACKEND=true. |
|
|
string |
|
Path/File name for the TLS certificate key (in PEM format) for the server certificate to use for the http services. |
|
|
bool |
false |
Disable TLS certificate validation for connections to the IDP. Note that this is not recommended for production environments. |
|
|
string |
|
The secret to mint and validate JWT tokens. |
|
|
string |
|
The URL to access keycloak. |
|
|
string |
|
The client ID to authenticate with keycloak. |
|
|
string |
|
The realm the client is defined in. |
|
|
string |
|
The client secret to use in authentication. |
|
|
bool |
false |
Disable TLS certificate validation for Keycloak connections. Do not set this in production environments. |
|
|
string |
|
The realm users are defined. |
|
|
string |
uid=reva,ou=sysusers,o=libregraph-idm |
LDAP DN to use for simple bind authentication with the target LDAP server. |
|
|
string |
|
Password to use for authenticating the 'bind_dn'. |
|
|
string |
~/.ocis/idm/ldap.crt |
Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the LDAP service. If not defined, the root directory derives from $OCIS_BASE_DATA_PATH:/idm. |
|
|
string |
cn=DisabledUsersGroup,ou=groups,o=libregraph-idm |
The distinguished name of the group to which added users will be classified as disabled when 'disable_user_mechanism' is set to 'group'. |
|
|
string |
attribute |
An option to control the behavior for disabling users. Valid options are 'none', 'attribute' and 'group'. If set to 'group', disabling a user via API will add the user to the configured group for disabled users, if set to 'attribute' this will be done in the ldap user entry, if set to 'none' the disable request is not processed. |
|
|
string |
ou=groups,o=libregraph-idm |
Search base DN for looking up LDAP groups. |
|
|
string |
|
LDAP filter to add to the default filters for group searches. |
|
|
string |
groupOfNames |
The object class to use for groups in the default group search filter ('groupOfNames'). |
|
|
string |
cn |
LDAP Attribute to use for the displayname of groups (often the same as groupname attribute). |
|
|
string |
cn |
LDAP Attribute to use for the name of groups. |
|
|
string |
ownclouduuid |
LDAP Attribute to use as the unique id for groups. This should be a stable globally unique id (e.g. a UUID). |
|
|
bool |
false |
Set this to true if the defined 'id' attribute for groups is of the 'OCTETSTRING' syntax. This is e.g. required when using the 'objectGUID' attribute of Active Directory for the group IDs. |
|
|
string |
LDAP Attribute to use for the email address of groups (can be empty). |
||
|
string |
member |
LDAP Attribute that is used for group members. |
|
|
string |
sub |
LDAP search scope to use when looking up groups. Supported values are 'base', 'one' and 'sub'. |
|
|
bool |
false |
Disable TLS certificate validation for the LDAP connections. Do not set this in production environments. |
|
|
bool |
true |
Allow creating, modifying and deleting LDAP users via the GRAPH API. This can only be set to 'true' when keeping default settings for the LDAP user and group attribute types (the 'OCIS_LDAP_USER_SCHEMA_* and 'OCIS_LDAP_GROUP_SCHEMA_* variables). |
|
|
string |
ldaps://localhost:9235 |
URI of the LDAP Server to connect to. Supported URI schemes are 'ldaps://' and 'ldap://' |
|
|
string |
ou=users,o=libregraph-idm |
Search base DN for looking up LDAP users. |
|
|
string |
ownCloudUserEnabled |
LDAP attribute to use as a flag telling if the user is enabled or disabled. |
|
|
string |
|
LDAP filter to add to the default filters for user search like '(objectclass=ownCloud)'. |
|
|
string |
inetOrgPerson |
The object class to use for users in the default user search filter ('inetOrgPerson'). |
|
|
string |
displayname |
LDAP Attribute to use for the displayname of users. |
|
|
string |
ownclouduuid |
LDAP Attribute to use as the unique ID for users. This should be a stable globally unique ID like a UUID. |
|
|
bool |
false |
Set this to true if the defined 'ID' attribute for users is of the 'OCTETSTRING' syntax. This is e.g. required when using the 'objectGUID' attribute of Active Directory for the user IDs. |
|
|
string |
LDAP Attribute to use for the email address of users. |
||
|
string |
uid |
LDAP Attribute to use for username of users. |
|
|
string |
ownCloudUserType |
LDAP Attribute to distinguish between 'Member' and 'Guest' users. Default is 'ownCloudUserType'. |
|
|
string |
sub |
LDAP search scope to use when looking up users. Supported values are 'base', 'one' and 'sub'. |
|
|
bool |
false |
Activates colorized log output. |
|
|
string |
|
The path to the log file. Activates logging to this file if set. |
|
|
string |
|
The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'. |
|
|
bool |
false |
Activates pretty log output. |
|
|
string |
|
Machine auth API key used to validate internal requests necessary to access resources from other services. |
|
|
string |
https://localhost:9200 |
URL of the OIDC issuer. It defaults to URL of the builtin IDP. |
|
|
string |
memory |
The type of the store. Supported values are: 'memory', 'ocmem', 'etcd', 'redis', 'redis-sentinel', 'nats-js', 'noop'. See the text description for details. |
|
|
[]string |
[] |
A comma separated list of nodes to access the configured store. This has no effect when 'memory' or 'ocmem' stores are configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. |
|
|
int |
0 |
The maximum quantity of items in the store. Only applies when store type 'ocmem' is configured. Defaults to 512. |
|
|
Duration |
0s |
Time to live for events in the store. The duration can be set as number followed by a unit identifier like s, m or h. Defaults to '336h' (2 weeks). |
|
|
string |
com.owncloud.api.gateway |
The CS3 gateway endpoint. |
|
|
bool |
false |
Set this to true if you want to enforce passwords on Uploader, Editor or Contributor shares. If not using the global OCIS_SHARING_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD, you must define the FRONTEND_OCS_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD in the frontend service. |
|
|
uint64 |
0 |
Set a global max quota for spaces in bytes. A value of 0 equals unlimited. If not using the global OCIS_SPACES_MAX_QUOTA, you must define the FRONTEND_MAX_QUOTA in the frontend service. |
|
|
string |
|
API key for the STORAGE-SYSTEM system user. |
|
|
string |
|
ID of the oCIS storage-system system user. Admins need to set the ID for the STORAGE-SYSTEM system user in this config option which is then used to reference the user. Any reasonable long string is possible, preferably this would be an UUIDv4 format. |
|
|
string |
internal |
IDP of the oCIS STORAGE-SYSTEM system user. |
|
|
string |
|
The HTTP endpoint for sending spans directly to a collector, i.e. http://jaeger-collector:14268/api/traces. Only used if the tracing endpoint is unset. |
|
|
bool |
false |
Activates tracing. |
|
|
string |
|
The endpoint of the tracing agent. |
|
|
string |
|
The type of tracing. Defaults to '', which is the same as 'jaeger'. Allowed tracing types are 'jaeger' and '' as of now. |
|
|
string |
|
Transfer secret for signing file up- and download requests. |
|
|
string |
https://localhost:9200 |
URL of the OIDC issuer. It defaults to URL of the builtin IDP. |
|
|
Duration |
0s |
The delay in seconds between a change made to a tree and the propagation start on treesize and treetime. Multiple propagations are computed to a single one. |
|
|
string |
com.owncloud.api.settings |
Endpoint of the permissions service. The endpoints can differ for 'ocis' and 's3ng'. |
|
|
string |
|
Machine auth API key used to validate internal requests necessary to access resources from other services. |
|
|
string |
|
Read the ownCloud Web json based configuration from this path/file. The config file takes precedence over WEB_OPTION_xxx environment variables. See the text description for more details. |
| Name | Services | Type | Default Value | Description |
|---|---|---|---|---|
|
bool |
false |
The default role assignments the demo users should be setup. |
|
|
string |
|
The HTTP endpoint for sending spans directly to a collector, i.e. http://jaeger-collector:14268/api/traces. Only used if the tracing endpoint is unset. |
|
|
bool |
false |
Activates tracing. |
|
|
string |
|
The endpoint of the tracing agent. |
|
|
string |
|
The type of tracing. Defaults to "", which is the same as "jaeger". Allowed tracing types are "jaeger" and "" as of now. |
|
|
string |
uid=reva,ou=sysusers,o=libregraph-idm |
LDAP DN to use for simple bind authentication with the target LDAP server. |
|
|
string |
|
Password to use for authenticating the 'bind_dn'. |
|
|
string |
~/.ocis/idm/ldap.crt |
Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the LDAP service. If not defined, the root directory derives from $OCIS_BASE_DATA_PATH:/idm. |
|
|
string |
cn=DisabledUsersGroup,ou=groups,o=libregraph-idm |
The distinguished name of the group to which added users will be classified as disabled when 'disable_user_mechanism' is set to 'group'. |
|
|
string |
none |
An option to control the behavior for disabling users. Valid options are 'none', 'attribute' and 'group'. If set to 'group', disabling a user via API will add the user to the configured group for disabled users, if set to 'attribute' this will be done in the ldap user entry, if set to 'none' the disable request is not processed. |
|
|
string |
ou=groups,o=libregraph-idm |
Search base DN for looking up LDAP groups. |
|
|
string |
|
LDAP filter to add to the default filters for group searches. |
|
|
string |
groupOfNames |
The object class to use for groups in the default group search filter ('groupOfNames'). |
|
|
string |
cn |
LDAP Attribute to use for the displayname of groups (often the same as groupname attribute). |
|
|
string |
cn |
LDAP Attribute to use for the name of groups. |
|
|
string |
ownclouduuid |
LDAP Attribute to use as the unique id for groups. This should be a stable globally unique ID like a UUID. |
|
|
bool |
false |
Set this to true if the defined 'id' attribute for groups is of the 'OCTETSTRING' syntax. This is e.g. required when using the 'objectGUID' attribute of Active Directory for the group ID’s. |
|
|
string |
LDAP Attribute to use for the email address of groups (can be empty). |
||
|
string |
member |
LDAP Attribute that is used for group members. |
|
|
string |
sub |
LDAP search scope to use when looking up groups. Supported scopes are 'base', 'one' and 'sub'. |
|
|
bool |
false |
Disable TLS certificate validation for the LDAP connections. Do not set this in production environments. |
|
|
string |
ldaps://localhost:9235 |
URI of the LDAP Server to connect to. Supported URI schemes are 'ldaps://' and 'ldap://' |
|
|
string |
ou=users,o=libregraph-idm |
Search base DN for looking up LDAP users. |
|
|
string |
ownCloudUserEnabled |
LDAP attribute to use as a flag telling if the user is enabled or disabled. |
|
|
string |
|
LDAP filter to add to the default filters for user search like '(objectclass=ownCloud)'. |
|
|
string |
inetOrgPerson |
The object class to use for users in the default user search filter ('inetOrgPerson'). |
|
|
string |
displayname |
LDAP Attribute to use for the displayname of users. |
|
|
string |
ownclouduuid |
LDAP Attribute to use as the unique id for users. This should be a stable globally unique id like a UUID. |
|
|
bool |
false |
Set this to true if the defined 'id' attribute for users is of the 'OCTETSTRING' syntax. This is e.g. required when using the 'objectGUID' attribute of Active Directory for the user id’s. |
|
|
string |
LDAP Attribute to use for the email address of users. |
||
|
string |
uid |
LDAP Attribute to use for username of users. |
|
|
string |
ownCloudUserType |
LDAP Attribute to distinguish between 'Member' and 'Guest' users. Default is 'ownCloudUserType'. |
|
|
string |
sub |
LDAP search scope to use when looking up users. Supported scopes are 'base', 'one' and 'sub'. |
|
|
string |
|
ID of the user that should receive admin privileges. Consider that the UUID can be encoded in some LDAP deployment configurations like in .ldif files. These need to be decoded beforehand. |
|
|
bool |
false |
Enable asynchronous file uploads. |
|
|
string |
ocis |
The database name the configured store should use. |
|
|
int |
0 |
The maximum quantity of items in the cache. Only applies when store type 'ocmem' is configured. Defaults to 512. |
|
|
string |
memory |
The type of the cache store. Supported values are: 'memory', 'ocmem', 'etcd', 'redis', 'redis-sentinel', 'nats-js', 'noop'. See the text description for details. |
|
|
[]string |
[] |
A comma separated list of nodes to access the configured store. This has no effect when 'memory' or 'ocmem' stores are configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. |
|
|
Duration |
10m0s |
Default time to live for entries in the cache. Only applied when access tokens has no expiration. The duration can be set as number followed by a unit identifier like s, m or h. Defaults to '10m' (10 minutes). |
|
|
bool |
true |
Allow credentials for CORS.See following chapter for more details: Access-Control-Allow-Credentials at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials. |
|
|
[]string |
[Authorization Origin Content-Type Accept X-Requested-With X-Request-Id] |
A comma-separated list of allowed CORS headers. See following chapter for more details: Access-Control-Request-Headers at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Headers. |
|
|
[]string |
[GET POST PUT PATCH DELETE OPTIONS] |
A comma-separated list of allowed CORS methods. See following chapter for more details: Access-Control-Request-Method at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Method |
|
|
[]string |
[*] |
A comma-separated list of allowed CORS origins. See following chapter for more details: Access-Control-Allow-Origin at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin |
|
|
string |
messagepack |
The backend to use for storing metadata. Supported values are 'messagepack' and 'xattrs'. The setting 'messagepack' uses a dedicated file to store file metadata while 'xattrs' uses extended attributes to store file metadata. Defaults to 'messagepack'. |
|
|
string |
Community |
||
|
string |
ocis-cluster |
The clusterID of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture. Mandatory when using NATS as event system. |
|
|
bool |
false |
Enable TLS for the connection to the events broker. The events broker is the ocis service which receives and delivers events between the services. |
|
|
string |
127.0.0.1:9233 |
The address of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture. |
|
|
string |
|
The root CA certificate used to validate the server’s TLS certificate. If provided SEARCH_EVENTS_TLS_INSECURE will be seen as false. |
|
|
string |
|
Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the go-micro based grpc services. |
|
|
string |
|
TLS mode for grpc connection to the go-micro based grpc services. Possible values are 'off', 'insecure' and 'on'. 'off': disables transport security for the clients. 'insecure' allows using transport security, but disables certificate verification (to be used with the autogenerated self-signed certificates). 'on' enables transport security, including server certificate verification. |
|
|
string |
|
Path/File name of the TLS server certificate (in PEM format) for the http services. |
|
|
bool |
false |
Activates TLS for the http based services using the server certifcate and key configured via OCIS_HTTP_TLS_CERTIFICATE and OCIS_HTTP_TLS_KEY. If OCIS_HTTP_TLS_CERTIFICATE is not set a temporary server certificate is generated - to be used with PROXY_INSECURE_BACKEND=true. |
|
|
string |
|
Path/File name for the TLS certificate key (in PEM format) for the server certificate to use for the http services. |
|
|
bool |
false |
Whether to verify the server TLS certificates. |
|
|
string |
|
The secret to mint and validate jwt tokens. |
|
|
string |
|
The URL to access keycloak. |
|
|
string |
|
The client id to authenticate with keycloak. |
|
|
string |
|
The realm the client is defined in. |
|
|
string |
|
The client secret to use in authentication. |
|
|
bool |
false |
Disable TLS certificate validation for Keycloak connections. Do not set this in production environments. |
|
|
string |
|
The realm users are defined. |
|
|
string |
uid=reva,ou=sysusers,o=libregraph-idm |
LDAP DN to use for simple bind authentication with the target LDAP server. |
|
|
string |
~/.ocis/idm/ldap.crt |
Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the LDAP service. If not defined, the root directory derives from $OCIS_BASE_DATA_PATH:/idm. |
|
|
string |
cn=DisabledUsersGroup,ou=groups,o=libregraph-idm |
The distinguished name of the group to which added users will be classified as disabled when 'disable_user_mechanism' is set to 'group'. |
|
|
string |
none |
An option to control the behavior for disabling users. Valid options are 'none', 'attribute' and 'group'. If set to 'group', disabling a user via API will add the user to the configured group for disabled users, if set to 'attribute' this will be done in the ldap user entry, if set to 'none' the disable request is not processed. |
|
|
string |
ou=groups,o=libregraph-idm |
Search base DN for looking up LDAP groups. |
|
|
string |
|
LDAP filter to add to the default filters for group searches. |
|
|
string |
groupOfNames |
The object class to use for groups in the default group search filter ('groupOfNames'). |
|
|
string |
cn |
LDAP Attribute to use for the displayname of groups (often the same as groupname attribute). |
|
|
string |
cn |
LDAP Attribute to use for the name of groups. |
|
|
string |
ownclouduuid |
LDAP Attribute to use as the unique id for groups. This should be a stable globally unique ID like a UUID. |
|
|
bool |
false |
Set this to true if the defined 'id' attribute for groups is of the 'OCTETSTRING' syntax. This is e.g. required when using the 'objectGUID' attribute of Active Directory for the group ID’s. |
|
|
string |
LDAP Attribute to use for the email address of groups (can be empty). |
||
|
string |
member |
LDAP Attribute that is used for group members. |
|
|
string |
sub |
LDAP search scope to use when looking up groups. Supported scopes are 'base', 'one' and 'sub'. |
|
|
bool |
false |
Disable TLS certificate validation for the LDAP connections. Do not set this in production environments. |
|
|
bool |
true |
Allow creating, modifying and deleting LDAP users via the GRAPH API. This can only be set to 'true' when keeping default settings for the LDAP user and group attribute types (the 'OCIS_LDAP_USER_SCHEMA_* and 'OCIS_LDAP_GROUP_SCHEMA_* variables). |
|
|
string |
ldaps://localhost:9235 |
URI of the LDAP Server to connect to. Supported URI schemes are 'ldaps://' and 'ldap://' |
|
|
string |
ou=users,o=libregraph-idm |
Search base DN for looking up LDAP users. |
|
|
string |
ownCloudUserEnabled |
LDAP attribute to use as a flag telling if the user is enabled or disabled. |
|
|
string |
|
LDAP filter to add to the default filters for user search like '(objectclass=ownCloud)'. |
|
|
string |
inetOrgPerson |
The object class to use for users in the default user search filter ('inetOrgPerson'). |
|
|
string |
displayname |
LDAP Attribute to use for the displayname of users. |
|
|
string |
ownclouduuid |
LDAP Attribute to use as the unique id for users. This should be a stable globally unique id like a UUID. |
|
|
bool |
false |
Set this to true if the defined 'id' attribute for users is of the 'OCTETSTRING' syntax. This is e.g. required when using the 'objectGUID' attribute of Active Directory for the user id’s. |
|
|
string |
LDAP Attribute to use for the email address of users. |
||
|
string |
uid |
LDAP Attribute to use for username of users. |
|
|
string |
ownCloudUserType |
LDAP Attribute to distinguish between 'Member' and 'Guest' users. Default is 'ownCloudUserType'. |
|
|
string |
sub |
LDAP search scope to use when looking up users. Supported scopes are 'base', 'one' and 'sub'. |
|
|
bool |
false |
Activates colorized log output. |
|
|
string |
|
The path to the log file. Activates logging to this file if set. |
|
|
string |
|
The log level. Valid values are: "panic", "fatal", "error", "warn", "info", "debug", "trace". |
|
|
bool |
false |
Activates pretty log output. |
|
|
string |
|
Machine auth API key used to validate internal requests necessary for the access to resources from other services. |
|
|
string |
https://localhost:9200 |
URL of the OIDC issuer. It defaults to URL of the builtin IDP. |
|
|
string |
|
The type of the store. Supported values are: 'memory', 'ocmem', 'etcd', 'redis', 'redis-sentinel', 'nats-js', 'noop'. See the text description for details. |
|
|
[]string |
[] |
A comma separated list of nodes to access the configured store. This has no effect when 'memory' or 'ocmem' stores are configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. |
|
|
int |
0 |
The maximum quantity of items in the store. Only applies when store type 'ocmem' is configured. Defaults to 512. |
|
|
Duration |
0s |
Time to live for events in the store. The duration can be set as number followed by a unit identifier like s, m or h. Defaults to '336h' (2 weeks). |
|
|
string |
127.0.0.1:9142 |
The CS3 gateway endpoint. |
|
|
bool |
false |
Set this to true if you want to enforce passwords on Uploader, Editor or Contributor shares. If not using the global OCIS_SHARING_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD, you must define the FRONTEND_OCS_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD in the frontend service. |
|
|
uint64 |
0 |
Set a global max quota for spaces in bytes. A value of 0 equals unlimited. If not using the global OCIS_SPACES_MAX_QUOTA, you must define the FRONTEND_MAX_QUOTA in the frontend service. |
|
|
string |
|
API key for the STORAGE-SYSTEM system user. |
|
|
string |
|
ID of the oCIS STORAGE-SYSTEM system user. Admins need to set the ID for the STORAGE-SYSTEM system user in this config option which is then used to reference the user. Any reasonable long string is possible, preferably this would be an UUIDv4 format. |
|
|
string |
internal |
IDP of the oCIS STORAGE-SYSTEM system user. |
|
|
string |
|
The HTTP endpoint for sending spans directly to a collector, i.e. http://jaeger-collector:14268/api/traces. Only used if the tracing endpoint is unset. |
|
|
bool |
false |
Activates tracing. |
|
|
string |
|
The endpoint of the tracing agent. |
|
|
string |
|
The type of tracing. Defaults to "", which is the same as "jaeger". Allowed tracing types are "jaeger" and "" as of now. |
|
|
string |
|
The storage transfer secret. |
|
|
string |
https://localhost:9200 |
The public facing URL of the oCIS frontend. |
|
|
string |
127.0.0.1:9142 |
The CS3 gateway endpoint. |
|
|
string |
|
The storage transfer secret. |
|
|
bool |
false |
Enable asynchronous file uploads. |
|
|
string |
127.0.0.1:9191 |
Endpoint of the permissions service. The endpoints can differ for 'ocis' and 's3ng'. |
|
|
string |
|
Machine auth API key used to validate internal requests necessary to access resources from other services. |
|
|
string |
|
Read the ownCloud Web json based configuration from this path/file. The config file takes precedence over WEB_OPTION_xxx environment variables. See the text description for more details. |