Environment Variables with Special Scopes

Introduction

Some environment variables have a special, extended or global scope. Variables with special scope are related to a deployment method only. Variables with an extended scope do not directly configure services but functions underneath. Variables with a global scope can configure more than one service.

Examples:

  • The global environment variable OCIS_LOG_LEVEL is available in multiple services.

  • The extended environment variable OCIS_CONFIG_DIR can be used with ocis init.

  • The special environment variable OCIS_RUN_SERVICES is only available with a binary deployment.

Special Environment Variables

The following environment variables are only available when using a binary deployment. For additional information read the Start Infinite Scale documentation. Read the Environment Variable Types documentation for important details.

  • master + Rolling 6.1.0

Environment variables only available for binary deployments
Name Description

OCIS_RUN_SERVICES

A comma-separated list of service names. Will start only the listed services.

OCIS_EXCLUDE_RUN_SERVICES

A comma-separated list of service names. Will start all default services except of the ones listed. Has no effect when OCIS_RUN_SERVICES is set.

OCIS_ADD_RUN_SERVICES

A comma-separated list of service names. Will add the listed services to the default configuration. Has no effect when OCIS_RUN_SERVICES is set. Note that one can add services not started by the default list and exclude services from the default list by using both envvars at the same time.

OCIS_RUNTIME_PORT

The port where the runtime will start. Defaults to 9250. Only necessary when multiple runtimes are started in parallel. Each runtime must have its own port exclusively.

OCIS_RUNTIME_HOST

The hostname the runtime will listen to. Defaults to localhost.

Note to get the current list of services started by default, you need to run ocis server without restriction which services to start and run afterwards ocis list.

Extended Environment Variables

The extended variables are defined in the following way. Read the Environment Variable Types documentation for important details. Column IV shows with which release the environment variable has been introduced.

  • master + Rolling 6.1.0

Environment variables with extended scope not included in a service

Name

Type

Default Value

Description

MICRO_LOG_LEVEL

string

Error

Set the log level for the internal go micro framework. Only change on supervision of ownCloud Support.

MICRO_REGISTRY

string

nats-js-kv

The Go micro registry type to use. Supported types are: 'memory', 'nats-js-kv' (default) and 'kubernetes'. Note that 'nats', 'etcd', 'consul' and 'mdns' are deprecated and will be removed in a later version. Only change on supervision of ownCloud Support.

MICRO_REGISTRY_ADDRESS

string

127.0.0.1:9233

The bind address of the internal go micro framework. Only change on supervision of ownCloud Support.

MICRO_REGISTRY_AUTH_PASSWORD

string

Optional when using nats to authenticate with the nats cluster.

MICRO_REGISTRY_AUTH_USERNAME

string

Optional when using nats to authenticate with the nats cluster.

OCIS_BASE_DATA_PATH

string

The base directory location used by several services and for user data. See the General Info section in the documentation for more details on defaults. Services can have, if available, an individual setting with an own environment variable.

OCIS_CONFIG_DIR

string

The default directory location for config files. See the General Info section in the documentation for more details on defaults.

_registryAddressEnv

_registryAddressEnv

_registryEnv

_registryPasswordEnv

_registryRegisterIntervalEnv

_registryRegisterTTLEnv

_registryUsernameEnv

Global Environment Variables

Note that the descriptions of these environment variables may differ depending on the service context.

The global variables are defined in the following way. Read the Environment Variable Types documentation for important details. Column IV shows with which release the environment variable has been introduced.

  • master + Rolling 6.1.0

Environment variables with global scope available in multiple services
Name IV Services Type Default Value Description

IDM_CREATE_DEMO_USERS

pre5.0

bool

false

Flag to enable or disable the creation of the demo users.

OCIS_ADMIN_USER_ID

pre5.0

string

ID of the user that should receive admin privileges. Consider that the UUID can be encoded in some LDAP deployment configurations like in .ldif files. These need to be decoded beforehand.

OCIS_ASYNC_UPLOADS

pre5.0

bool

true

Enable asynchronous file uploads.

OCIS_CACHE_AUTH_PASSWORD

5.0

string

Password for the configured store. Only applies when store type 'nats-js-kv' is configured.

OCIS_CACHE_AUTH_USERNAME

5.0

string

Username for the configured store. Only applies when store type 'nats-js-kv' is configured.

OCIS_CACHE_DATABASE

pre5.0

string

storage-system

The database name the configured store should use.

OCIS_CACHE_DISABLE_PERSISTENCE

5.0

bool

false

Disables persistence of the cache. Only applies when store type 'nats-js-kv' is configured. Defaults to false.

OCIS_CACHE_SIZE

pre5.0

int

0

The maximum quantity of items in the user info cache. Only applies when store type 'ocmem' is configured. Defaults to 512 which is derived from the ocmem package though not exclicitly set as default.

OCIS_CACHE_STORE

pre5.0

string

memory

The type of the cache store. Supported values are: 'memory', 'redis-sentinel', 'nats-js-kv', 'noop'. See the text description for details.

OCIS_CACHE_STORE_NODES

pre5.0

[]string

[127.0.0.1:9233]

A list of nodes to access the configured store. This has no effect when 'memory' or 'ocmem' stores are configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details.

OCIS_CACHE_TTL

pre5.0

Duration

24m0s

Default time to live for user info in the user info cache. Only applied when access tokens has no expiration. See the Environment Variable Types description for more details.

OCIS_CORS_ALLOW_CREDENTIALS

pre5.0

bool

true

Allow credentials for CORS.See following chapter for more details: Access-Control-Allow-Credentials at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials.

OCIS_CORS_ALLOW_HEADERS

pre5.0

[]string

[Authorization Origin Content-Type Accept X-Requested-With X-Request-Id Ocs-Apirequest]

A list of allowed CORS headers. See following chapter for more details: Access-Control-Request-Headers at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Headers. See the Environment Variable Types description for more details.

OCIS_CORS_ALLOW_METHODS

pre5.0

[]string

[GET]

A list of allowed CORS methods. See following chapter for more details: Access-Control-Request-Method at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Method. See the Environment Variable Types description for more details.

OCIS_CORS_ALLOW_ORIGINS

pre5.0

[]string

[*]

A list of allowed CORS origins. See following chapter for more details: Access-Control-Allow-Origin at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin. See the Environment Variable Types description for more details.

OCIS_DECOMPOSEDFS_METADATA_BACKEND

pre5.0

string

messagepack

The backend to use for storing metadata. Supported values are 'messagepack' and 'xattrs'. The setting 'messagepack' uses a dedicated file to store file metadata while 'xattrs' uses extended attributes to store file metadata. Defaults to 'messagepack'.

OCIS_DECOMPOSEDFS_PROPAGATOR

pre5.0

string

sync

The propagator used for decomposedfs. At the moment, only 'sync' is fully supported, 'async' is available as an experimental option.

OCIS_DEFAULT_LANGUAGE

5.0

string

The default language used by services and the WebUI. If not defined, English will be used as default. See the documentation for more details.

OCIS_DISABLE_PREVIEWS

pre5.0

bool

false

Set this option to 'true' to disable previews in all the different web file listing views. This can speed up file listings in folders with many files. The only list view that is not affected by this setting is the trash bin, as it does not allow previewing at all.

OCIS_DISABLE_VERSIONING

next

bool

false

Disables versioning of files. When set to true, new uploads with the same filename will overwrite existing files instead of creating a new version.

OCIS_EDITION

pre5.0

string

Community

Edition of oCIS. Used for branding purposes.

OCIS_EVENTS_AUTH_PASSWORD

5.0

string

The password to authenticate with the events broker. The events broker is the ocis service which receives and delivers events between the services.

OCIS_EVENTS_AUTH_USERNAME

5.0

string

The username to authenticate with the events broker. The events broker is the ocis service which receives and delivers events between the services.

OCIS_EVENTS_CLUSTER

pre5.0

string

ocis-cluster

The clusterID of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture. Mandatory when using NATS as event system.

OCIS_EVENTS_ENABLE_TLS

pre5.0

bool

false

Enable TLS for the connection to the events broker. The events broker is the ocis service which receives and delivers events between the services.

OCIS_EVENTS_ENDPOINT

pre5.0

string

127.0.0.1:9233

The address of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture.

OCIS_EVENTS_TLS_ROOT_CA_CERTIFICATE

pre5.0

string

The root CA certificate used to validate the server’s TLS certificate. If provided NOTIFICATIONS_EVENTS_TLS_INSECURE will be seen as false.

OCIS_GATEWAY_GRPC_ADDR

5.0

string

127.0.0.1:9142

The bind address of the gateway GRPC address.

OCIS_GRPC_CLIENT_TLS_CACERT

pre5.0

string

Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the go-micro based grpc services.

OCIS_GRPC_CLIENT_TLS_MODE

pre5.0

string

TLS mode for grpc connection to the go-micro based grpc services. Possible values are 'off', 'insecure' and 'on'. 'off': disables transport security for the clients. 'insecure' allows using transport security, but disables certificate verification (to be used with the autogenerated self-signed certificates). 'on' enables transport security, including server certificate verification.

OCIS_HTTP_TLS_CERTIFICATE

pre5.0

string

Path/File name of the TLS server certificate (in PEM format) for the http services.

OCIS_HTTP_TLS_ENABLED

pre5.0

bool

false

Activates TLS for the http based services using the server certifcate and key configured via OCIS_HTTP_TLS_CERTIFICATE and OCIS_HTTP_TLS_KEY. If OCIS_HTTP_TLS_CERTIFICATE is not set a temporary server certificate is generated - to be used with PROXY_INSECURE_BACKEND=true.

OCIS_HTTP_TLS_KEY

pre5.0

string

Path/File name for the TLS certificate key (in PEM format) for the server certificate to use for the http services.

OCIS_INSECURE

pre5.0

bool

false

Whether to verify the server TLS certificates.

OCIS_JWT_SECRET

pre5.0

string

The secret to mint and validate jwt tokens.

OCIS_KEYCLOAK_BASE_PATH

pre5.0

string

The URL to access keycloak.

OCIS_KEYCLOAK_CLIENT_ID

pre5.0

string

The client id to authenticate with keycloak.

OCIS_KEYCLOAK_CLIENT_REALM

pre5.0

string

The realm the client is defined in.

OCIS_KEYCLOAK_CLIENT_SECRET

pre5.0

string

The client secret to use in authentication.

OCIS_KEYCLOAK_INSECURE_SKIP_VERIFY

pre5.0

bool

false

Disable TLS certificate validation for Keycloak connections. Do not set this in production environments.

OCIS_KEYCLOAK_USER_REALM

pre5.0

string

The realm users are defined.

OCIS_LDAP_BIND_DN

pre5.0

string

uid=idp,ou=sysusers,o=libregraph-idm

LDAP DN to use for simple bind authentication with the target LDAP server.

OCIS_LDAP_BIND_PASSWORD

pre5.0

string

Password to use for authenticating the 'bind_dn'.

OCIS_LDAP_CACERT

pre5.0

string

/var/lib/ocis/idm/ldap.crt

Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the LDAP service. If not defined, the root directory derives from $OCIS_BASE_DATA_PATH:/idp.

OCIS_LDAP_DISABLED_USERS_GROUP_DN

pre5.0

string

cn=DisabledUsersGroup,ou=groups,o=libregraph-idm

The distinguished name of the group to which added users will be classified as disabled when 'disable_user_mechanism' is set to 'group'.

OCIS_LDAP_DISABLE_USER_MECHANISM

pre5.0

string

attribute

An option to control the behavior for disabling users. Supported options are 'none', 'attribute' and 'group'. If set to 'group', disabling a user via API will add the user to the configured group for disabled users, if set to 'attribute' this will be done in the ldap user entry, if set to 'none' the disable request is not processed. Default is 'attribute'.

OCIS_LDAP_GROUP_BASE_DN

pre5.0

string

ou=groups,o=libregraph-idm

Search base DN for looking up LDAP groups.

OCIS_LDAP_GROUP_FILTER

pre5.0

string

LDAP filter to add to the default filters for group searches.

OCIS_LDAP_GROUP_OBJECTCLASS

pre5.0

string

groupOfNames

The object class to use for groups in the default group search filter ('groupOfNames').

OCIS_LDAP_GROUP_SCHEMA_DISPLAYNAME

pre5.0

string

cn

LDAP Attribute to use for the displayname of groups (often the same as groupname attribute).

OCIS_LDAP_GROUP_SCHEMA_GROUPNAME

pre5.0

string

cn

LDAP Attribute to use for the name of groups.

OCIS_LDAP_GROUP_SCHEMA_ID

pre5.0

string

owncloudUUID

LDAP Attribute to use as the unique id for groups. This should be a stable globally unique ID like a UUID.

OCIS_LDAP_GROUP_SCHEMA_ID_IS_OCTETSTRING

pre5.0

bool

false

Set this to true if the defined 'ID' attribute for groups is of the 'OCTETSTRING' syntax. This is required when using the 'objectGUID' attribute of Active Directory for the group ID’s.

OCIS_LDAP_GROUP_SCHEMA_MAIL

pre5.0

string

mail

LDAP Attribute to use for the email address of groups (can be empty).

OCIS_LDAP_GROUP_SCHEMA_MEMBER

pre5.0

string

member

LDAP Attribute that is used for group members.

OCIS_LDAP_GROUP_SCOPE

pre5.0

string

sub

LDAP search scope to use when looking up groups. Supported scopes are 'base', 'one' and 'sub'.

OCIS_LDAP_INSECURE

pre5.0

bool

false

Disable TLS certificate validation for the LDAP connections. Do not set this in production environments.

OCIS_LDAP_SERVER_WRITE_ENABLED

pre5.0

bool

true

Allow creating, modifying and deleting LDAP users via the GRAPH API. This can only be set to 'true' when keeping default settings for the LDAP user and group attribute types (the 'OCIS_LDAP_USER_SCHEMA_* and 'OCIS_LDAP_GROUP_SCHEMA_* variables).

OCIS_LDAP_URI

pre5.0

string

ldaps://localhost:9235

Url of the LDAP service to use as IDP.

OCIS_LDAP_USER_BASE_DN

pre5.0

string

ou=users,o=libregraph-idm

Search base DN for looking up LDAP users.

OCIS_LDAP_USER_ENABLED_ATTRIBUTE

pre5.0

string

ownCloudUserEnabled

LDAP Attribute to use as a flag telling if the user is enabled or disabled.

OCIS_LDAP_USER_FILTER

pre5.0

string

LDAP filter to add to the default filters for user search like '(objectclass=ownCloud)'.

OCIS_LDAP_USER_OBJECTCLASS

pre5.0

string

inetOrgPerson

LDAP User ObjectClass like 'inetOrgPerson'.

OCIS_LDAP_USER_SCHEMA_DISPLAYNAME

pre5.0

string

displayname

LDAP Attribute to use for the displayname of users.

OCIS_LDAP_USER_SCHEMA_ID

pre5.0

string

ownCloudUUID

LDAP User UUID attribute like 'uid'.

OCIS_LDAP_USER_SCHEMA_ID_IS_OCTETSTRING

pre5.0

bool

false

Set this to true if the defined 'ID' attribute for users is of the 'OCTETSTRING' syntax. This is required when using the 'objectGUID' attribute of Active Directory for the user ID’s.

OCIS_LDAP_USER_SCHEMA_MAIL

pre5.0

string

mail

LDAP User email attribute like 'mail'.

OCIS_LDAP_USER_SCHEMA_USERNAME

pre5.0

string

displayName

LDAP User name attribute like 'displayName'.

OCIS_LDAP_USER_SCHEMA_USER_TYPE

pre5.0

string

ownCloudUserType

LDAP Attribute to distinguish between 'Member' and 'Guest' users. Default is 'ownCloudUserType'.

OCIS_LDAP_USER_SCOPE

pre5.0

string

sub

LDAP search scope to use when looking up users. Supported scopes are 'base', 'one' and 'sub'.

OCIS_LOG_COLOR

pre5.0

bool

false

Activates colorized log output.

OCIS_LOG_FILE

pre5.0

string

The path to the log file. Activates logging to this file if set.

OCIS_LOG_LEVEL

pre5.0

string

The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.

OCIS_LOG_PRETTY

pre5.0

bool

false

Activates pretty log output.

OCIS_MACHINE_AUTH_API_KEY

pre5.0

string

Machine auth API key used to validate internal requests necessary for the access to resources from other services.

OCIS_OIDC_ISSUER

pre5.0

string

https://localhost:9200

The identity provider href for the openid-discovery relation.

OCIS_PASSWORD_POLICY_BANNED_PASSWORDS_LIST

5.0

string

Path to the 'banned passwords list' file. This only impacts public link password validation. See the documentation for more details.

OCIS_PASSWORD_POLICY_DISABLED

5.0

bool

false

Disable the password policy. Defaults to false if not set.

OCIS_PASSWORD_POLICY_MIN_CHARACTERS

5.0

int

8

Define the minimum password length. Defaults to 8 if not set.

OCIS_PASSWORD_POLICY_MIN_DIGITS

5.0

int

1

Define the minimum number of digits. Defaults to 1 if not set.

OCIS_PASSWORD_POLICY_MIN_LOWERCASE_CHARACTERS

5.0

int

1

Define the minimum number of uppercase letters. Defaults to 1 if not set.

OCIS_PASSWORD_POLICY_MIN_SPECIAL_CHARACTERS

5.0

int

1

Define the minimum number of characters from the special characters list to be present. Defaults to 1 if not set.

OCIS_PASSWORD_POLICY_MIN_UPPERCASE_CHARACTERS

5.0

int

1

Define the minimum number of lowercase letters. Defaults to 1 if not set.

OCIS_PERSISTENT_STORE

pre5.0

string

memory

The type of the store. Supported values are: 'memory', 'ocmem', 'etcd', 'redis', 'redis-sentinel', 'nats-js', 'noop'. See the text description for details.

OCIS_PERSISTENT_STORE_AUTH_PASSWORD

5.0

string

The password to authenticate with the store. Only applies when store type 'nats-js-kv' is configured.

OCIS_PERSISTENT_STORE_AUTH_USERNAME

5.0

string

The username to authenticate with the store. Only applies when store type 'nats-js-kv' is configured.

OCIS_PERSISTENT_STORE_NODES

pre5.0

[]string

[]

A list of nodes to access the configured store. This has no effect when 'memory' or 'ocmem' stores are configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details.

OCIS_PERSISTENT_STORE_SIZE

pre5.0

int

0

The maximum quantity of items in the store. Only applies when store type 'ocmem' is configured. Defaults to 512 which is derived from the ocmem package though not exclicitly set as default.

OCIS_PERSISTENT_STORE_TTL

pre5.0

Duration

336h0m0s

Time to live for events in the store. Defaults to '336h' (2 weeks). See the Environment Variable Types description for more details.

OCIS_REVA_GATEWAY

pre5.0

string

com.owncloud.api.gateway

The CS3 gateway endpoint.

OCIS_SERVICE_ACCOUNT_ID

5.0

string

The ID of the service account the service should use. See the 'auth-service' service description for more details.

OCIS_SERVICE_ACCOUNT_SECRET

5.0

string

The service account secret.

OCIS_SHARING_PUBLIC_SHARE_MUST_HAVE_PASSWORD

5.0

bool

true

Set this to true if you want to enforce passwords on all public shares.

OCIS_SHARING_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD

5.0

bool

false

Set this to true if you want to enforce passwords on Uploader, Editor or Contributor shares. If not using the global OCIS_SHARING_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD, you must define the FRONTEND_OCS_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD in the frontend service.

OCIS_SHOW_USER_EMAIL_IN_RESULTS

6.0.0

bool

false

Mask user email addresses in responses.

OCIS_SPACES_MAX_QUOTA

pre5.0

uint64

0

Set a global max quota for spaces in bytes. A value of 0 equals unlimited. If not using the global OCIS_SPACES_MAX_QUOTA, you must define the FRONTEND_MAX_QUOTA in the frontend service.

OCIS_SYSTEM_USER_API_KEY

pre5.0

string

API key for the STORAGE-SYSTEM system user.

OCIS_SYSTEM_USER_ID

pre5.0

string

ID of the oCIS storage-system system user. Admins need to set the ID for the STORAGE-SYSTEM system user in this config option which is then used to reference the user. Any reasonable long string is possible, preferably this would be an UUIDv4 format.

OCIS_SYSTEM_USER_IDP

pre5.0

string

internal

IDP of the oCIS STORAGE-SYSTEM system user.

OCIS_TRACING_COLLECTOR

pre5.0

string

The HTTP endpoint for sending spans directly to a collector, i.e. http://jaeger-collector:14268/api/traces. Only used if the tracing endpoint is unset.

OCIS_TRACING_ENABLED

pre5.0

bool

false

Activates tracing.

OCIS_TRACING_ENDPOINT

pre5.0

string

The endpoint of the tracing agent.

OCIS_TRACING_TYPE

pre5.0

string

The type of tracing. Defaults to '', which is the same as 'jaeger'. Allowed tracing types are 'jaeger' and '' as of now.

OCIS_TRANSFER_SECRET

pre5.0

string

Transfer secret for signing file up- and download requests.

OCIS_TRANSLATION_PATH

pre5.0

string

(optional) Set this to a path with custom translations to overwrite the builtin translations. Note that file and folder naming rules apply, see the documentation for more details.

OCIS_URL

pre5.0

string

https://localhost:9200

The identity provider href for the openid-discovery relation.

OCIS_WOPI_DISABLE_CHAT

next

bool

false

Disable chat in the frontend.

STORAGE_USERS_ASYNC_PROPAGATOR_PROPAGATION_DELAY

pre5.0

Duration

0s

The delay between a change made to a tree and the propagation start on treesize and treetime. Multiple propagations are computed to a single one. See the Environment Variable Types description for more details.

STORAGE_USERS_PERMISSION_ENDPOINT

pre5.0

string

com.owncloud.api.settings

Endpoint of the permissions service. The endpoints can differ for 'ocis' and 's3ng'.