Environment Variables with Special Scopes

Introduction

Some environment variables have a special, extended or global scope. Variables with a special scope relate to one deployment method only. Variables with an extended scope do not configure services directly but the functions underneath them. Variables with a global scope can configure more than one service.

Examples:

  • The global environment variable OCIS_LOG_LEVEL is available in multiple services.

  • The extended environment variable OCIS_CONFIG_DIR can be used with ocis init.

  • The special environment variable OCIS_RUN_SERVICES is only available with a binary deployment.

Special Environment Variables

The following environment variables are available only with the Binary Setup and do not depend on a particular release:

  • all releases

Name Description

OCIS_RUN_SERVICES

A comma-separated list of service names. Will start only the listed services.

OCIS_EXCLUDE_RUN_SERVICES

A comma-separated list of service names. Will start all services except for the ones listed. Has no effect when OCIS_RUN_SERVICES is set.

Extended Environment Variables

The extended variables are defined in the following way:

  • latest

  • 2.0.0

Environment variables with extended scope not included in a service
Name Type Default Value Description

MICRO_LOG_LEVEL

string

Error

Set the log level for the internal go micro framework. Only change under supervision of ownCloud Support.

MICRO_REGISTRY

string

Go micro registry type to use. Supported types are: 'nats', 'kubernetes', 'etcd', 'consul' and 'memory'. Will be selected automatically. Only change under supervision of ownCloud Support.

MICRO_REGISTRY_ADDRESS

string

The bind address of the internal go micro framework. Only change under supervision of ownCloud Support.

OCIS_BASE_DATA_PATH

string

'/var/lib/ocis' or '$HOME/.ocis/'

The base directory location used by several services and for user data. Predefined to '/var/lib/ocis' for container images (inside the container) or '$HOME/.ocis/' for binary releases. Where available, services can have an individual setting with their own environment variable.

OCIS_CONFIG_DIR

string

'/etc/ocis' or '$HOME/.ocis/config'

The default directory location for config files. Predefined to '/etc/ocis' for container images (inside the container) or '$HOME/.ocis/config' for binary releases.

Environment variables with extended scope not included in a service
Name Type Default Value Description

MICRO_LOG_LEVEL

string

Error

Set the log level for the internal go micro framework. Only change under supervision of ownCloud Support.

MICRO_REGISTRY

string

Go micro registry type to use. Supported types are: 'nats', 'kubernetes', 'etcd', 'consul' and 'memory'. Will be selected automatically. Only change under supervision of ownCloud Support.

MICRO_REGISTRY_ADDRESS

string

The bind address of the internal go micro framework. Only change under supervision of ownCloud Support.

OCIS_BASE_DATA_PATH

string

'/var/lib/ocis' or '$HOME/.ocis/'

The base directory location used by several services and for user data. Predefined to '/var/lib/ocis' for container images (inside the container) or '$HOME/.ocis/' for binary releases. Where available, services can have an individual setting with their own environment variable.

OCIS_CONFIG_DIR

string

'/etc/ocis' or '$HOME/.ocis/config'

The default directory location for config files. Predefined to '/etc/ocis' for container images (inside the container) or '$HOME/.ocis/config' for binary releases.

Global Environment Variables

The global variables are defined in the following way:

  • latest

  • 2.0.0

Environment variables with global scope available in multiple services
Name Services Type Default Value Description

ACCOUNTS_DEMO_USERS_AND_GROUPS

bool

false

Flag to enable or disable the creation of the demo users.

LDAP_BIND_DN

string

uid=libregraph,ou=sysusers,o=libregraph-idm

LDAP DN to use for simple bind authentication with the target LDAP server.

LDAP_BIND_PASSWORD

string

Password to use for authenticating the 'bind_dn'.

LDAP_CACERT

string

~/.ocis/idm/ldap.crt

Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the LDAP service. If not defined, the root directory derives from $OCIS_BASE_DATA_PATH:/idm.

LDAP_GROUP_BASE_DN

string

ou=groups,o=libregraph-idm

Search base DN for looking up LDAP groups.

LDAP_GROUP_FILTER

string

LDAP filter to add to the default filters for group searches.

LDAP_GROUP_OBJECTCLASS

string

groupOfNames

The object class to use for groups in the default group search filter ('groupOfNames').

LDAP_GROUP_SCHEMA_DISPLAYNAME

string

cn

LDAP Attribute to use for the displayname of groups (often the same as groupname attribute).

LDAP_GROUP_SCHEMA_GROUPNAME

string

cn

LDAP Attribute to use for the name of groups.

LDAP_GROUP_SCHEMA_ID

string

owncloudUUID

LDAP Attribute to use as the unique id for groups. This should be a stable globally unique ID like a UUID.

LDAP_GROUP_SCHEMA_ID_IS_OCTETSTRING

bool

false

Set this to true if the defined 'id' attribute for groups is of the 'OCTETSTRING' syntax. This is e.g. required when using the 'objectGUID' attribute of Active Directory for the group IDs.

LDAP_GROUP_SCHEMA_MAIL

string

mail

LDAP Attribute to use for the email address of groups (can be empty).

LDAP_GROUP_SCHEMA_MEMBER

string

member

LDAP Attribute that is used for group members.

LDAP_GROUP_SCOPE

string

sub

LDAP search scope to use when looking up groups. Supported scopes are 'base', 'one' and 'sub'.

LDAP_INSECURE

bool

false

Disable TLS certificate validation for the LDAP connections. Do not set this in production environments.

LDAP_URI

string

ldaps://localhost:9235

URI of the LDAP Server to connect to. Supported URI schemes are 'ldaps://' and 'ldap://'

LDAP_USER_BASE_DN

string

ou=users,o=libregraph-idm

Search base DN for looking up LDAP users.

LDAP_USER_FILTER

string

LDAP filter to add to the default filters for user search like '(objectclass=ownCloud)'.

LDAP_USER_OBJECTCLASS

string

inetOrgPerson

The object class to use for users in the default user search filter ('inetOrgPerson').

LDAP_USER_SCHEMA_DISPLAYNAME

string

displayname

LDAP Attribute to use for the displayname of users.

LDAP_USER_SCHEMA_ID

string

owncloudUUID

LDAP Attribute to use as the unique ID for users. This should be a stable globally unique ID like a UUID.

LDAP_USER_SCHEMA_ID_IS_OCTETSTRING

bool

false

Set this to true if the defined 'id' attribute for users is of the 'OCTETSTRING' syntax. This is e.g. required when using the 'objectGUID' attribute of Active Directory for the user IDs.

LDAP_USER_SCHEMA_MAIL

string

mail

LDAP Attribute to use for the email address of users.

LDAP_USER_SCHEMA_USERNAME

string

uid

LDAP Attribute to use for username of users.

LDAP_USER_SCOPE

string

sub

LDAP search scope to use when looking up users. Supported scopes are 'base', 'one' and 'sub'.

OCIS_ADMIN_USER_ID

string

ID of the user that should receive admin privileges.

OCIS_CACHE_STORE_ADDRESS

string

A comma-separated list of addresses to connect to. Only valid if the above setting is set to "etcd"

OCIS_CACHE_STORE_SIZE

int

0

Maximum number of items per table in the ocmem cache store. Other cache stores will ignore the option and can grow indefinitely.

OCIS_CACHE_STORE_TYPE

string

The type of the cache store. Valid options are "noop", "ocmem", "etcd" and "memory"

OCIS_CORS_ALLOW_CREDENTIALS

bool

true

Allow credentials for CORS. See following chapter for more details: Access-Control-Allow-Credentials at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials.

OCIS_CORS_ALLOW_HEADERS

[]string

[Authorization Origin Content-Type Accept X-Requested-With]

A comma-separated list of allowed CORS headers. See following chapter for more details: Access-Control-Request-Headers at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Headers.

OCIS_CORS_ALLOW_METHODS

[]string

[GET POST PUT PATCH DELETE OPTIONS]

A comma-separated list of allowed CORS methods. See following chapter for more details: Access-Control-Request-Method at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Method

OCIS_CORS_ALLOW_ORIGINS

[]string

[*]

A comma-separated list of allowed CORS origins. See following chapter for more details: Access-Control-Allow-Origin at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin

OCIS_EVENTS_ENABLE_TLS

bool

false

Enable TLS for the connection to the events broker. The events broker is the ocis service which receives and delivers events between the services.

OCIS_GRPC_CLIENT_TLS_CACERT

string

Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the go-micro based grpc services.

OCIS_GRPC_CLIENT_TLS_MODE

string

TLS mode for grpc connection to the go-micro based grpc services. Possible values are 'off', 'insecure' and 'on'. 'off' disables transport security for the clients. 'insecure' enables transport security but disables certificate verification (to be used with the autogenerated self-signed certificates). 'on' enables transport security, including server certificate verification.

OCIS_GRPC_TLS_CERTIFICATE

string

Path/File name of the TLS server certificate (in PEM format) for the grpc services.

OCIS_GRPC_TLS_ENABLED

bool

false

Activates TLS for the grpc based services using the server certificate and key configured via OCIS_GRPC_TLS_CERTIFICATE and OCIS_GRPC_TLS_KEY. If OCIS_GRPC_TLS_CERTIFICATE is not set, a temporary server certificate is generated, to be used with OCIS_GRPC_CLIENT_TLS_MODE=insecure.

OCIS_GRPC_TLS_KEY

string

Path/File name for the TLS certificate key (in PEM format) for the server certificate to use for the grpc services.

OCIS_HTTP_TLS_CERTIFICATE

string

Path/File name of the TLS server certificate (in PEM format) for the http services.

OCIS_HTTP_TLS_ENABLED

bool

false

Activates TLS for the http based services using the server certificate and key configured via OCIS_HTTP_TLS_CERTIFICATE and OCIS_HTTP_TLS_KEY. If OCIS_HTTP_TLS_CERTIFICATE is not set, a temporary server certificate is generated, to be used with PROXY_INSECURE_BACKEND=true.

OCIS_HTTP_TLS_KEY

string

Path/File name for the TLS certificate key (in PEM format) for the server certificate to use for the http services.

OCIS_INSECURE

bool

false

Whether to verify the server TLS certificates.

OCIS_JWT_SECRET

string

The secret to mint and validate jwt tokens.

OCIS_LOG_COLOR

bool

false

Activates colorized log output.

OCIS_LOG_FILE

string

The path to the log file. Activates logging to this file if set.

OCIS_LOG_LEVEL

string

The log level. Valid values are: "panic", "fatal", "error", "warn", "info", "debug", "trace".

OCIS_LOG_PRETTY

bool

false

Activates pretty log output.

OCIS_MACHINE_AUTH_API_KEY

string

The machine auth API key used to validate internal requests necessary to access resources from other services.

OCIS_OIDC_ISSUER

string

https://localhost:9200

The identity provider value to set in the userids of the CS3 user objects for users returned by this user provider.

OCIS_SYSTEM_USER_API_KEY

string

API key for the STORAGE-SYSTEM system user.

OCIS_SYSTEM_USER_ID

string

ID of the oCIS STORAGE-SYSTEM system user. Admins need to set the ID for the STORAGE-SYSTEM system user in this config option, which is then used to reference the user. Any reasonably long string is possible, preferably in UUIDv4 format.

OCIS_SYSTEM_USER_IDP

string

internal

IDP of the oCIS STORAGE-SYSTEM system user.

OCIS_TRACING_COLLECTOR

string

The HTTP endpoint for sending spans directly to a collector, i.e. http://jaeger-collector:14268/api/traces. Only used if the tracing endpoint is unset.

OCIS_TRACING_ENABLED

bool

false

Activates tracing.

OCIS_TRACING_ENDPOINT

string

The endpoint of the tracing agent.

OCIS_TRACING_TYPE

string

The type of tracing. Defaults to "", which is the same as "jaeger". Allowed tracing types are "jaeger" and "" as of now.

OCIS_URL

string

https://localhost:9200

The public facing URL of WebDAV.

REVA_GATEWAY

string

127.0.0.1:9142

The CS3 gateway endpoint.

STORAGE_TRANSFER_SECRET

string

Transfer secret for signing file up- and download requests.

STORAGE_USERS_OCIS_ASYNC_UPLOADS

bool

false

Enable asynchronous file uploads.

Environment variables with global scope available in multiple services
Name Services Type Default Value Description

ACCOUNTS_DEMO_USERS_AND_GROUPS

bool

false

The default role assignments the demo users should be setup.

LDAP_BIND_DN

string

uid=reva,ou=sysusers,o=libregraph-idm

LDAP DN to use for simple bind authentication with the target LDAP server.

LDAP_BIND_PASSWORD

string

Password to use for authenticating the 'bind_dn'.

LDAP_CACERT

string

~/.ocis/idm/ldap.crt

Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the LDAP service. If not defined, the root directory derives from $OCIS_BASE_DATA_PATH:/idm.

LDAP_GROUP_BASE_DN

string

ou=groups,o=libregraph-idm

Search base DN for looking up LDAP groups.

LDAP_GROUP_FILTER

string

LDAP filter to add to the default filters for group searches.

LDAP_GROUP_OBJECTCLASS

string

groupOfNames

The object class to use for groups in the default group search filter ('groupOfNames').

LDAP_GROUP_SCHEMA_DISPLAYNAME

string

cn

LDAP Attribute to use for the displayname of groups (often the same as groupname attribute).

LDAP_GROUP_SCHEMA_GROUPNAME

string

cn

LDAP Attribute to use for the name of groups.

LDAP_GROUP_SCHEMA_ID

string

ownclouduuid

LDAP Attribute to use as the unique id for groups. This should be a stable globally unique id (e.g. a UUID).

LDAP_GROUP_SCHEMA_ID_IS_OCTETSTRING

bool

false

Set this to true if the defined 'id' attribute for groups is of the 'OCTETSTRING' syntax. This is e.g. required when using the 'objectGUID' attribute of Active Directory for the group IDs.

LDAP_GROUP_SCHEMA_MAIL

string

mail

LDAP Attribute to use for the email address of groups (can be empty).

LDAP_GROUP_SCHEMA_MEMBER

string

member

LDAP Attribute that is used for group members.

LDAP_GROUP_SCOPE

string

sub

LDAP search scope to use when looking up groups. Supported values are 'base', 'one' and 'sub'.

LDAP_INSECURE

bool

false

Disable TLS certificate validation for the LDAP connections. Do not set this in production environments.

LDAP_URI

string

ldaps://localhost:9235

URI of the LDAP Server to connect to. Supported URI schemes are 'ldaps://' and 'ldap://'

LDAP_USER_BASE_DN

string

ou=users,o=libregraph-idm

Search base DN for looking up LDAP users.

LDAP_USER_FILTER

string

LDAP filter to add to the default filters for user search like '(objectclass=ownCloud)'.

LDAP_USER_OBJECTCLASS

string

inetOrgPerson

The object class to use for users in the default user search filter ('inetOrgPerson').

LDAP_USER_SCHEMA_DISPLAYNAME

string

displayname

LDAP Attribute to use for the displayname of users.

LDAP_USER_SCHEMA_ID

string

ownclouduuid

LDAP Attribute to use as the unique id for users. This should be a stable globally unique ID like a UUID.

LDAP_USER_SCHEMA_ID_IS_OCTETSTRING

bool

false

Set this to true if the defined 'id' attribute for users is of the 'OCTETSTRING' syntax. This is e.g. required when using the 'objectGUID' attribute of Active Directory for the user IDs.

LDAP_USER_SCHEMA_MAIL

string

mail

LDAP Attribute to use for the email address of users.

LDAP_USER_SCHEMA_USERNAME

string

uid

LDAP Attribute to use for username of users.

LDAP_USER_SCOPE

string

sub

LDAP search scope to use when looking up users. Supported values are 'base', 'one' and 'sub'.

OCIS_ADMIN_USER_ID

string

ID of the user that should receive admin privileges.

OCIS_CACHE_STORE_ADDRESS

[]string

[]

Node addresses to use for the cache store.

OCIS_CACHE_STORE_SIZE

int

0

Maximum number of items per table in the ocmem cache store. Other cache stores will ignore the option and can grow indefinitely.

OCIS_CACHE_STORE_TYPE

string

memory

Store implementation for the cache. Valid values are "memory" (default), "redis", and "etcd".

OCIS_CORS_ALLOW_CREDENTIALS

bool

true

Allow credentials for CORS. See following chapter for more details: Access-Control-Allow-Credentials at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials.

OCIS_CORS_ALLOW_HEADERS

[]string

[Authorization Origin Content-Type Accept X-Requested-With]

A comma-separated list of allowed CORS headers. See following chapter for more details: Access-Control-Request-Headers at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Headers.

OCIS_CORS_ALLOW_METHODS

[]string

[GET POST PUT PATCH DELETE OPTIONS]

A comma-separated list of allowed CORS methods. See following chapter for more details: Access-Control-Request-Method at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Method

OCIS_CORS_ALLOW_ORIGINS

[]string

[*]

A comma-separated list of allowed CORS origins. See following chapter for more details: Access-Control-Allow-Origin at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin

OCIS_EVENTS_ENABLE_TLS

bool

false

Enable TLS for the connection to the events broker. The events broker is the ocis service which receives and delivers events between the services.

OCIS_GRPC_CLIENT_TLS_CACERT

string

Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the go-micro based grpc services.

OCIS_GRPC_CLIENT_TLS_MODE

string

TLS mode for grpc connection to the go-micro based grpc services. Possible values are 'off', 'insecure' and 'on'. 'off' disables transport security for the clients. 'insecure' enables transport security but disables certificate verification (to be used with the autogenerated self-signed certificates). 'on' enables transport security, including server certificate verification.

OCIS_GRPC_TLS_CERTIFICATE

string

Path/File name of the TLS server certificate (in PEM format) for the grpc services.

OCIS_GRPC_TLS_ENABLED

bool

false

Activates TLS for the grpc based services using the server certificate and key configured via OCIS_GRPC_TLS_CERTIFICATE and OCIS_GRPC_TLS_KEY. If OCIS_GRPC_TLS_CERTIFICATE is not set, a temporary server certificate is generated, to be used with OCIS_GRPC_CLIENT_TLS_MODE=insecure.

OCIS_GRPC_TLS_KEY

string

Path/File name for the TLS certificate key (in PEM format) for the server certificate to use for the grpc services.

OCIS_HTTP_TLS_CERTIFICATE

string

Path/File name of the TLS server certificate (in PEM format) for the http services.

OCIS_HTTP_TLS_ENABLED

bool

false

Activates TLS for the http based services using the server certificate and key configured via OCIS_HTTP_TLS_CERTIFICATE and OCIS_HTTP_TLS_KEY. If OCIS_HTTP_TLS_CERTIFICATE is not set, a temporary server certificate is generated, to be used with PROXY_INSECURE_BACKEND=true.

OCIS_HTTP_TLS_KEY

string

Path/File name for the TLS certificate key (in PEM format) for the server certificate to use for the http services.

OCIS_INSECURE

bool

false

Whether to verify the server TLS certificates.

OCIS_JWT_SECRET

string

The secret to mint and validate jwt tokens.

OCIS_LOG_COLOR

bool

false

Activates colorized log output.

OCIS_LOG_FILE

string

The path to the log file. Activates logging to this file if set.

OCIS_LOG_LEVEL

string

The log level. Valid values are: "panic", "fatal", "error", "warn", "info", "debug", "trace".

OCIS_LOG_PRETTY

bool

false

Activates pretty log output.

OCIS_MACHINE_AUTH_API_KEY

string

Machine auth API key used to validate internal requests necessary for the access to resources from other services.

OCIS_OIDC_ISSUER

string

https://localhost:9200

The identity provider value to set in the userids of the CS3 user objects for users returned by this user provider.

OCIS_SYSTEM_USER_API_KEY

string

API key for the STORAGE-SYSTEM system user.

OCIS_SYSTEM_USER_ID

string

ID of the oCIS STORAGE-SYSTEM system user. Admins need to set the ID for the STORAGE-SYSTEM system user in this config option, which is then used to reference the user. Any reasonably long string is possible, preferably in UUIDv4 format.

OCIS_SYSTEM_USER_IDP

string

internal

IDP of the oCIS STORAGE-SYSTEM system user.

OCIS_TRACING_COLLECTOR

string

The HTTP endpoint for sending spans directly to a collector, i.e. http://jaeger-collector:14268/api/traces. Only used if the tracing endpoint is unset.

OCIS_TRACING_ENABLED

bool

false

Activates tracing.

OCIS_TRACING_ENDPOINT

string

The endpoint of the tracing agent.

OCIS_TRACING_TYPE

string

The type of tracing. Defaults to "", which is the same as "jaeger". Allowed tracing types are "jaeger" and "" as of now.

OCIS_URL

string

https://localhost:9200

The identity provider value to set in the userids of the CS3 user objects for users returned by this user provider.

REVA_GATEWAY

string

127.0.0.1:9142

The CS3 gateway endpoint.

STORAGE_TRANSFER_SECRET

string

The storage transfer secret.
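
Several of the global variables above weaken transport security or CORS when left at their documented defaults or set to the documented fallback values. The following is an added example, not code from the oCIS project, that audits an env file for those settings; the sample file, the function names and the accepted boolean spellings are assumptions made for the example.

```python
# Added example (not from the oCIS project). Defaults are copied from the tables.
DEFAULTS = {
    "LDAP_INSECURE": "false",
    "LDAP_URI": "ldaps://localhost:9235",
    "OCIS_CORS_ALLOW_ORIGINS": "*",
    "OCIS_CORS_ALLOW_CREDENTIALS": "true",
    "OCIS_GRPC_TLS_ENABLED": "false",
    "OCIS_HTTP_TLS_ENABLED": "false",
}
# Assumption: boolean spellings in the style of Go's strconv.ParseBool,
# compared case-insensitively (over-matching is acceptable for an audit).
TRUTHY = {"1", "t", "true"}

# Constructed sample env file, not taken from a real deployment.
SAMPLE_ENV = """\
# ocis.env
LDAP_URI=ldap://ldap.example.internal:389
LDAP_INSECURE=true
OCIS_GRPC_TLS_ENABLED=true
OCIS_GRPC_CLIENT_TLS_MODE=insecure
OCIS_HTTP_TLS_ENABLED=true
OCIS_HTTP_TLS_CERTIFICATE=/etc/ocis/tls/http.crt
"""

def parse_env(text):
    """Parse KEY=VALUE lines, skipping blanks and '#' comments."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip().strip("'\"")
    return env

def effective(env, name):
    """Value from env, else the documented default ('' when the page lists none)."""
    return env.get(name, DEFAULTS.get(name, "")).strip()

def is_true(env, name):
    return effective(env, name).lower() in TRUTHY

def audit(env):
    """Return sorted (variable, finding) tuples for weak settings."""
    found = []
    if is_true(env, "LDAP_INSECURE"):
        found.append(("LDAP_INSECURE", "LDAP TLS certificate validation disabled"))
    if effective(env, "LDAP_URI").lower().startswith("ldap://"):
        found.append(("LDAP_URI", "ldap:// scheme used instead of ldaps://"))
    mode = effective(env, "OCIS_GRPC_CLIENT_TLS_MODE").lower()
    if mode in ("off", "insecure"):
        what = "transport security" if mode == "off" else "certificate verification"
        found.append(("OCIS_GRPC_CLIENT_TLS_MODE", f"'{mode}' disables {what}"))
    for proto in ("GRPC", "HTTP"):
        cert = f"OCIS_{proto}_TLS_CERTIFICATE"
        if is_true(env, f"OCIS_{proto}_TLS_ENABLED") and not effective(env, cert):
            found.append((cert, "TLS enabled without a certificate; a temporary one is generated"))
    origins = [o.strip() for o in effective(env, "OCIS_CORS_ALLOW_ORIGINS").split(",")]
    if "*" in origins:
        detail = "wildcard CORS origin"
        if is_true(env, "OCIS_CORS_ALLOW_CREDENTIALS"):
            detail += " with credentials allowed"
        found.append(("OCIS_CORS_ALLOW_ORIGINS", detail))
    return sorted(found)

if __name__ == "__main__":
    for name, finding in audit(parse_env(SAMPLE_ENV)):
        print(f"{name}: {finding}")
```

An empty environment still reports the CORS finding, because the documented defaults are a wildcard origin with credentials allowed.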