{ "$schema": "https://json-schema.org/draft/2020-12/schema", "additionalProperties": false, "description": "Cluster configuration", "properties": { "app": { "additionalProperties": false, "description": "Using Tarantool as an application server, you can run your own Lua applications. In the `app` section, you can load the application and provide an application configuration in the `app.cfg` section.", "properties": { "cfg": { "additionalProperties": { "description": "Mapping for arbitrary user-defined configuration values, accessible in the application via `config:get('app.cfg')`." }, "description": "A configuration of the application loaded using `app.file` or `app.module`.", "type": "object" }, "file": { "description": "A path to a Lua file to load an application from.", "type": "string" }, "module": { "description": "A Lua module to load an application from.", "type": "string" } }, "type": "object" }, "audit_log": { "additionalProperties": false, "description": "The `audit_log` section defines configuration parameters related to audit logging.", "properties": { "extract_key": { "default": false, "description": "If set to `true`, the audit subsystem extracts and prints only the primary key instead of full tuples in DML events (`space_insert`, `space_replace`, `space_delete`). Otherwise, full tuples are logged. The option may be useful in case tuples are big.", "type": "boolean" }, "file": { "default": "var/log/{{ instance_name }}/audit.log", "description": "Specify a file for the audit log destination. You can set the `file` type using the audit_log.to option. If you write logs to a file, Tarantool reopens the audit log at SIGHUP.", "type": "string" }, "filter": { "description": "Enable logging for a specified subset of audit events.", "items": { "description": "Specify a subset of audit events to log by providing a value from the allowed list of events or groups.", "enum": [ "audit_enable", "custom", "auth_ok", "auth_fail", "disconnect", "user_create", "user_drop", "role_create", "role_drop", "user_enable", "user_disable", "user_grant_rights", "user_revoke_rights", "role_grant_rights", "role_revoke_rights", "password_change", "access_denied", "eval", "call", "space_select", "space_create", "space_alter", "space_drop", "space_insert", "space_replace", "space_delete", "none", "all", "audit", "auth", "priv", "ddl", "dml", "data_operations", "compatibility" ], "type": "string" }, "type": "array", "uniqueItems": true }, "format": { "default": "json", "description": "Specify a format that is used for the audit log.", "enum": [ "plain", "json", "csv" ], "type": "string" }, "nonblock": { "default": false, "description": "Specify the logging behavior if the system is not ready to write. If set to `true`, Tarantool does not block during logging if the system is non-writable and writes a message instead. Using this value may improve logging performance at the cost of losing some log messages.", "type": "boolean" }, "pipe": { "default": null, "description": "Start a program and write logs to its standard input (`stdin`). To send logs to a program's standard input, you need to set `audit_log.to` to `pipe`.", "type": "string" }, "spaces": { "default": null, "description": "Specifies spaces for which data operation events (`space_select`, `space_insert`, `space_replace`, `space_delete`) should be logged.\n\nThis option accepts one of the following forms:\n\n- an array of space names;\n- a map where keys are space names and values are audit options.\n\nIf set to box.NULL, the data operation events are logged for all spaces." }, "syslog": { "additionalProperties": false, "description": "This module allows configuring the system logger (syslog) for audit logs in Tarantool. It provides options for specifying the syslog server, facility, and identity for logging messages.", "properties": { "facility": { "default": "local7", "description": "Define the syslog facility, which indicates the type of application generating the log entries (e.g. kernel, user-level, or system daemon). To enable syslog logging, set `audit_log.to` to `syslog`.", "type": "string" }, "identity": { "default": "tarantool", "description": "Specify an application name to show in logs. You can enable logging to a system logger using the `audit_log.to` option.", "type": "string" }, "server": { "default": null, "description": "Set a location for the syslog server. It can be a Unix socket path starting with \"unix:\" or an ipv4 port number. You can enable logging to a system logger using the `audit_log.to` option.", "type": "string" } }, "type": "object" }, "to": { "default": "devnull", "description": "Enable audit logging and define the log location.", "enum": [ "devnull", "file", "pipe", "syslog" ], "type": "string" } }, "type": "object" }, "compat": { "additionalProperties": false, "description": "These options allow to redefine tarantool behavior in order to correspond to the previous or the next major version.", "properties": { "binary_data_decoding": { "default": "new", "description": "Define how to store binary data fields in Lua after decoding:\n\n- `new` (3.x default): as varbinary object\n- `old` (2.x default): as plain strings", "enum": [ "old", "new" ], "type": "string" }, "box_cfg_replication_sync_timeout": { "default": "new", "description": "Set a default replication sync timeout:\n\n- `new` (3.x default): 0\n- `old` (2.x default): 300 seconds", "enum": [ "old", "new" ], "type": "string" }, "box_consider_system_spaces_synchronous": { "default": "old", "description": "Whether to consider most system spaces as synchronized regardless of the `is_sync` space option:\n\n- `new` (4.x default): System spaces are synchronized when the synchronous queue is claimed (`box.info.synchro.queue.owner ~= 0`), except for `vinyl_defer_delete` (local space) and `sequence_data` (synchronized by synchronous user spaces operations)\n- `old` (3.x default): System spaces are not synchronized unless explicitly marked with the `is_sync` option", "enum": [ "old", "new" ], "type": "string" }, "box_error_serialize_verbose": { "default": "old", "description": "Set the verbosity of error objects serialization:\n\n- `new` (4.x default): serialize the error message together with other potentially useful fields\n- `old` (3.x default): serialize only the error message", "enum": [ "old", "new" ], "type": "string" }, "box_error_unpack_type_and_code": { "default": "old", "description": "Whether to show all the error fields in `box.error.unpack()`:\n\n- `new` (4.x default): do not show `base_type` and `custom_type` fields; do not show the `code` field if it is 0. Note that `base_type` is still accessible for an error object\n- `old` (3.x default): show all fields", "enum": [ "old", "new" ], "type": "string" }, "box_info_cluster_meaning": { "default": "new", "description": "Define the behavior of `box.info.cluster`:\n\n- `new` (3.x default): `box.info.cluster` shows info about the entire cluster, `box.info.replicaset` shows info about the replica set\n- `old` (2.x default): `box.info.cluster` shows info about the replica set", "enum": [ "old", "new" ], "type": "string" }, "box_recovery_triggers_deprecation": { "default": "old", "description": "Whether to trigger space and transactional events during local recovery or join:\n\n- `new` (4.x default): do not trigger events\n- `old` (3.x default): trigger events", "enum": [ "old", "new" ], "type": "string" }, "box_session_push_deprecation": { "default": "old", "description": "Whether to raise errors on attempts to call the deprecated function `box.session.push`:\n\n- `new` (4.x default): raise an error\n- `old` (3.x default): do not raise an error", "enum": [ "old", "new" ], "type": "string" }, "box_space_execute_priv": { "default": "new", "description": "Whether the `execute` privilege can be granted on spaces:\n\n- `new` (3.x default): an error is raised\n- `old` (2.x default): the privilege can be granted with no actual effect", "enum": [ "old", "new" ], "type": "string" }, "box_space_max": { "default": "new", "description": "Set the maximum space identifier (`box.schema.SPACE_MAX`):\n\n- `new` (3.x default): 2147483646\n- `old` (2.x default): 2147483647", "enum": [ "old", "new" ], "type": "string" }, "box_tuple_extension": { "default": "new", "description": "Controls `IPROTO_FEATURE_CALL_RET_TUPLE_EXTENSION` and `IPROTO_FEATURE_CALL_ARG_TUPLE_EXTENSION` feature bits that define tuple encoding in iproto call and eval requests.\n\n- `new` (3.x default): tuples with formats are encoded as `MP_TUPLE`\n- `old` (2.x default): tuples with formats are encoded as `MP_ARRAY`", "enum": [ "old", "new" ], "type": "string" }, "box_tuple_new_vararg": { "default": "new", "description": "Controls how `box.tuple.new` interprets an argument list:\n\n- `new` (3.x default): as a value with a tuple format\n- `old` (2.x default): as an array of tuple fields", "enum": [ "old", "new" ], "type": "string" }, "c_func_iproto_multireturn": { "default": "new", "description": "Controls wrapping of multiple results of a stored C function when returning them via iproto:\n\n- `new` (3.x default): return without wrapping (consistently with a local call via `box.func`)\n- `old` (2.x default): wrap results into a MessagePack array", "enum": [ "old", "new" ], "type": "string" }, "console_session_scope_vars": { "default": "old", "description": "Whether a console session has its own variable scope:\n\n- `new` (4.x default): non-local variable assignments are written to a variable scope attached to the console session\n- `old` (3.x default): all non-local variable assignments from the console are written to globals", "enum": [ "old", "new" ], "type": "string" }, "fiber_channel_close_mode": { "default": "new", "description": "Define the behavior of fiber channels after closing:\n\n- `new` (3.x default): mark the channel read-only\n- `old` (2.x default): destroy the channel object", "enum": [ "old", "new" ], "type": "string" }, "fiber_slice_default": { "default": "new", "description": "Define the maximum fiber execution time without a yield:\n\n- `new` (3.x default): `{warn = 0.5, err = 1.0}`\n- `old` (2.x default): infinity (no warnings or errors raised)", "enum": [ "old", "new" ], "type": "string" }, "json_escape_forward_slash": { "default": "new", "description": "Whether to escape the forward slash symbol \"/\" using a backslash in a `json.encode()` result:\n\n- `new` (3.x default): do not escape the forward slash\n- `old` (2.x default): escape the forward slash", "enum": [ "old", "new" ], "type": "string" }, "replication_synchro_timeout": { "default": "old", "description": "The `compat.replication_synchro_timeout` option controls transaction rollback due to `replication.synchro_timeout`.\n\n- `new` (4.x default): A synchronous transaction can remain in the synchro queue indefinitely until it reaches a quorum of confirmations. `replication.synchro_timeout` is used only to wait confirmation in promote/demote and gc-checkpointing. If some transaction in limbo did not have time to commit within `replication_synchro_timeout`, the corresponding operation: promote/demote or gc-checkpointing can be aborted automatically\n- `old` (3.x default): unconfirmed synchronous transactions are rolled back after a `replication.synchro_timeout`", "enum": [ "old", "new" ], "type": "string" }, "skip_replication_names": { "default": "new", "description": "The `compat.skip_replication_names` option controls whether Tarantool skips instance and replicaset name handling during replication startup.\n\n- `new` (3.x default): Tarantool applies `instance_name` and `replicaset_name` on startup and validates them against the snapshot data.\n- `old` (2.x default): Tarantool skips applying `instance_name` and `replicaset_name` on startup and does not validate them against the snapshot data. This mode is intended for upgrades from Tarantool 2.11, so a Tarantool 3.x+ instance configured via the declarative config can join a 2.11-compatible replicaset where the master snapshot may not contain names.", "enum": [ "old", "new" ], "type": "string" }, "sql_priv": { "default": "new", "description": "Whether to enable access checks for SQL requests over iproto:\n\n- `new` (3.x default): check the user's access permissions\n- `old` (2.x default): allow any user to execute SQL over iproto", "enum": [ "old", "new" ], "type": "string" }, "sql_seq_scan_default": { "default": "new", "description": "Controls the default value of the `sql_seq_scan` session setting:\n\n- `new` (3.x default): false\n- `old` (2.x default): true", "enum": [ "old", "new" ], "type": "string" }, "wal_cleanup_delay_deprecation": { "default": "old", "description": "Whether to use the option 'wal_cleanup_delay':\n\n- `new` (4.x default): raise an error\n- `old` (3.x default): log a deprecation warning", "enum": [ "old", "new" ], "type": "string" }, "yaml_pretty_multiline": { "default": "new", "description": "Whether to encode in block scalar style all multiline strings or ones containing the `\\n\\n` substring:\n\n- `new` (3.x default): all multiline strings\n- `old` (2.x default): only strings containing the `\\n\\n` substring", "enum": [ "old", "new" ], "type": "string" } }, "type": "object" }, "conditional": { "description": "The `conditional` section defines the configuration parts that apply to instances that meet certain conditions.", "items": { "additionalProperties": { "description": "`if` or a cluster configuration field." }, "description": "Contains a part of the cluster configuration that is applied only if the specified conditions are met. Usually used to apply options that exist only on particular tarantool versions.\n\nThe fields in this mapping are the same as in the cluster configuration, except:\n\n- The special `if` field holds the condition.\n\nConditions can include `tarantool_version`, three-digit version literals (`3.2.1`) and support comparison operators (`>`, `<`, `>=`, `<=`, `==`, `!=`), as well as logical operators (`||`, `&&`) and parentheses for grouping.\n\n- Has no `conditional` section.", "type": "object" }, "type": "array" }, "config": { "additionalProperties": false, "description": "The `config` section defines various parameters related to centralized configuration.", "properties": { "context": { "additionalProperties": { "additionalProperties": false, "description": "A context variable definition that specifies how to load it (e.g. from a file or an environment variable).", "properties": { "env": { "description": "The name of an environment variable to load a context variable from. To load a context variable from an environment variable, set `config.context..from` to `env`.", "type": "string" }, "file": { "description": "The path to a file to load a context variable from. To load a configuration value from a file, set `config.context..from` to `file`.", "type": "string" }, "from": { "description": "The type of storage to load a context variable from. There are the following storage types:\n\n- `file`: load a context variable from a file. In this case, you need to specify the path to the file using `config.context..file`\n- `env`: load a context variable from an environment variable. In this case, specify the environment variable name using `config.context..env`", "enum": [ "env", "file" ], "type": "string" }, "rstrip": { "description": "(Optional) Whether to strip whitespace characters and newlines from the end of data.", "type": "boolean" } }, "type": "object" }, "description": "Defines custom variables in the cluster configuration by loading values from an environment variable or a file.", "type": "object" }, "etcd": { "additionalProperties": false, "description": "This section describes options related to providing connection settings to a centralized etcd-based storage. If `replication.failover` is set to `supervised`, Tarantool also uses etcd to maintain the state of failover coordinators.", "properties": { "endpoints": { "description": "The list of endpoints used to access an etcd cluster.", "items": { "description": "etcd endpoint.\n\nFor example: `http://localhost:2379`.", "type": "string" }, "type": "array" }, "http": { "additionalProperties": false, "description": "HTTP client options for the etcd-client, used to fetch and subscribe to the cluster configuration stored in etcd.", "properties": { "request": { "additionalProperties": false, "description": "HTTP client request options.", "properties": { "interface": { "description": "Set the interface to use as outgoing network interface for the etcd configuration source.\n\nThe interface can be specified as an interface name, an IP address, or a hostname.\n\nSee https://curl.se/libcurl/c/CURLOPT_INTERFACE.html for details.", "type": "string" }, "timeout": { "description": "A time period required to process an HTTP request to an etcd server: from sending a request to receiving a response.", "type": "number" }, "unix_socket": { "description": "A Unix domain socket used to connect to an etcd server.", "type": "string" }, "verbose": { "description": "Whether to print debugging information about HTTP requests and responses issued by the etcd configuration source.\n\nThe information is written to stderr (disregarding tarantool log configuration). In a typical setup it arrives to journald.\n\nSee https://curl.se/libcurl/c/CURLOPT_VERBOSE.html for details.", "type": "boolean" } }, "type": "object" } }, "type": "object" }, "password": { "description": "A password used for authentication.", "type": "string" }, "prefix": { "description": "A key prefix used to search a configuration on an etcd server. Tarantool searches keys by the following path: `/config/*`. Note that `` should start with a slash (`/`).", "type": "string" }, "ssl": { "additionalProperties": false, "description": "TLS options.", "properties": { "ca_file": { "description": "A path to a trusted certificate authorities (CA) file.", "type": "string" }, "ca_path": { "description": "A path to a directory holding certificates to verify the peer with.", "type": "string" }, "ssl_cert": { "description": "A path to an SSL certificate file.", "type": "string" }, "ssl_key": { "description": "A path to a private SSL key file.", "type": "string" }, "verify_host": { "description": "Enable verification of the certificate's name (CN) against the specified host.", "type": "boolean" }, "verify_peer": { "description": "Enable verification of the peer's SSL certificate.", "type": "boolean" } }, "type": "object" }, "username": { "description": "A username used for authentication.", "type": "string" }, "watchers": { "additionalProperties": false, "description": "Options for watcher requests: watchcreate, watchwait and watchcancel.", "properties": { "reconnect_max_attempts": { "description": "The maximum number of attempts to reconnect to an etcd server in case of connection failure.", "type": "integer" }, "reconnect_timeout": { "description": "The timeout (in seconds) between attempts to reconnect to an etcd server in case of connection failure.", "type": "number" } }, "type": "object" } }, "type": "object" }, "reload": { "default": "auto", "description": "Specify how the configuration is reloaded. This option accepts the following values:\n\n- `auto`: configuration is reloaded automatically when it is changed.\n- `manual`: configuration should be reloaded manually. In this case, you can reload the configuration in the application code using `config:reload()`.", "enum": [ "auto", "manual" ], "type": "string" }, "storage": { "additionalProperties": false, "description": "This section describes options related to providing connection settings to a centralized Tarantool-based storage.", "properties": { "endpoints": { "description": "An array of endpoints used to access a configuration storage. Each endpoint can include the following fields:\n\n- `uri`: a URI of the configuration storage's instance.\n- `login`: a username used to connect to the instance.\n- `password`: a password used for authentication.\n- `params`: SSL parameters required for encrypted connections", "items": { "additionalProperties": false, "description": "Element that represents a configuration storage endpoint with the following fields:\n\n- `uri`: a URI of the configuration storage's instance.\n- `login`: a username used to connect to the instance.\n- `password`: a password used for authentication.\n- `params`: SSL parameters required for encrypted connections.", "properties": { "login": { "description": "A username used to connect to the instance.", "type": "string" }, "params": { "additionalProperties": false, "description": "SSL parameters required for encrypted connections.", "properties": { "ssl_ca_file": { "description": "(Optional) A path to a trusted certificate authorities (CA) file. If not set, the peer won't be checked for authenticity.\n\nBoth a server and a client can use the ssl_ca_file parameter:\n\n- If it's on the server side, the server verifies the client.\n- If it's on the client side, the client verifies the server.\n- If both sides have the CA files, the server and the client verify each other.", "type": "string" }, "ssl_cert_file": { "description": "A path to an SSL certificate file:\n\n- For a server, it's mandatory.\n- For a client, it's mandatory if the ssl_ca_file parameter is set for a server; otherwise, optional.", "type": "string" }, "ssl_ciphers": { "description": "(Optional) A colon-separated (:) list of SSL cipher suites the connection can use. Note that the list is not validated: if a cipher suite is unknown, Tarantool ignores it, doesn't establish the connection, and writes to the log that no shared cipher was found.", "type": "string" }, "ssl_key_file": { "description": "A path to a private SSL key file:\n\n- For a server, it's mandatory.\n- For a client, it's mandatory if the `ssl_ca_file` parameter is set for a server; otherwise, optional.\n\nIf the private key is encrypted, provide a password for it in the `ssl_password` or `ssl_password_file` parameter", "type": "string" }, "ssl_password": { "description": "(Optional) A password for an encrypted private SSL key provided using `ssl_key_file`. Alternatively, the password can be provided in `ssl_password_file`.\n\nTarantool applies the `ssl_password` and `ssl_password_file` parameters in the following order:\n\n- If `ssl_password` is provided, Tarantool tries to decrypt the private key with it.\n- If `ssl_password` is incorrect or isn't provided, Tarantool tries all passwords from `ssl_password_file` one by one in the order they are written.\n- If `ssl_password` and all passwords from `ssl_password_file` are incorrect, or none of them is provided, Tarantool treats the private key as unencrypted.", "type": "string" }, "ssl_password_file": { "description": "(Optional) A text file with one or more passwords for encrypted private SSL keys provided using `ssl_key_file` (each on a separate line). Alternatively, the password can be provided in `ssl_password`.", "type": "string" }, "transport": { "description": "Allows you to enable traffic encryption for client-server communications over binary connections. In a Tarantool cluster, one instance might act as the server that accepts connections from other instances and the client that connects to other instances.\n\n`.params.transport` accepts one of the following values:\n\n- `plain` (default): turn off traffic encryption,\n- `ssl`: encrypt traffic by using the TLS 1.2 protocol (EE only).", "enum": [ "plain", "ssl" ], "type": "string" } }, "type": "object" }, "password": { "description": "A password used for authentication.", "type": "string" }, "uri": { "description": "A URI of the configuration storage's instance.", "type": "string" } }, "type": "object" }, "type": "array" }, "prefix": { "description": "A key prefix used to search a configuration in a centralized configuration storage. Tarantool searches keys by the following path: `/config/*`. Note that `` should start with a slash (`/`).", "type": "string" }, "reconnect_after": { "default": 3, "description": "A number of seconds to wait before reconnecting to a configuration storage.", "type": "number" }, "timeout": { "default": 3, "description": "The interval (in seconds) to perform the status check of a configuration storage.", "type": "number" } }, "type": "object" } }, "type": "object" }, "connpool": { "additionalProperties": false, "description": "The `connpool` section defines configuration parameters related to the Tarantool connection pool that can be used to communicate with other instances within the cluster.", "properties": { "idle_timeout": { "default": 60, "description": "Tarantool connection pool automatically manages connections to the instances and automatically closes the ones that are not needed for a while.\n\nThis option controls a timeout (in seconds) in which the unused connections would be closed.\n\nNote: this option does not affect the connections opened by `connpool.connect()` since in that case, the user has direct access to the connection object.", "type": "number" } }, "type": "object" }, "console": { "additionalProperties": false, "description": "Configure the administrative console. A client to the console is `tt connect`.", "properties": { "enabled": { "default": true, "description": "Whether to listen on the Unix socket provided in the console.socket option.\n\nIf the option is set to `false`, the administrative console is disabled.", "type": "boolean" }, "socket": { "default": "var/run/{{ instance_name }}/tarantool.control", "description": "The Unix socket for the administrative console.\n\nMind the following nuances:\n\n- Only a Unix domain socket is allowed. A TCP socket can't be configured this way.\n- `console.socket` is a file path, without any `unix:` or `unix/:` prefixes.\n- If the file path is a relative path, it is interpreted relative to `process.work_dir`.", "type": "string" } }, "type": "object" }, "credentials": { "additionalProperties": false, "description": "The `credentials` section allows you to create users and grant them the specified privileges.", "properties": { "roles": { "additionalProperties": { "additionalProperties": false, "description": "A role definition.", "properties": { "privileges": { "description": "An array of privileges granted to this role.", "items": { "additionalProperties": false, "description": "Privileges that can be granted to a user with this role.", "properties": { "functions": { "description": "Registered functions to which user with this role gets the specified permissions.", "items": { "description": "Function name.", "type": "string" }, "type": "array" }, "lua_call": { "description": "Defines the Lua functions that the user with this role has permission to call. This field accepts a special value, `all`, which grants the privilege to use any global non-built-in Lua functions.", "items": { "description": "Lua function name.", "type": "string" }, "type": "array" }, "lua_eval": { "description": "Whether this user with this role can execute arbitrary Lua code.", "type": "boolean" }, "permissions": { "description": "Permissions assigned to user with this role.", "items": { "description": "Permission name.", "enum": [ "read", "write", "execute", "create", "alter", "drop", "usage", "session" ], "type": "string" }, "type": "array", "uniqueItems": true }, "sequences": { "description": "Sequences to which user with this role gets the specified permissions.", "items": { "description": "Sequence name.", "type": "string" }, "type": "array" }, "spaces": { "description": "Spaces to which user with this role gets the specified permissions.", "items": { "description": "Space name.", "type": "string" }, "type": "array" }, "sql": { "description": "Whether user with this role can execute an arbitrary SQL expression.", "items": { "description": "SQL expression name.\n\nOnly `all` is allowed for now.", "enum": [ "all" ], "type": "string" }, "type": "array" }, "universe": { "description": "Grants global permissions across all object types in the database, including:\n\n- `read`: Read any object\n- `write`: Modify any object\n- `execute`: Execute functions or code\n- `session`: Connect via IPROTO\n- `usage`: Use granted privileges\n- `create`: Create users, roles, objects\n- `drop`: Remove users, roles, objects\n- `alter`: Modify settings or objects", "type": "boolean" } }, "type": "object" }, "type": "array" }, "roles": { "description": "An array of roles granted to this role.", "items": { "description": "Role name.", "type": "string" }, "type": "array" } }, "type": "object" }, "description": "An array of roles that can be granted to users or other roles.", "type": "object" }, "users": { "additionalProperties": { "additionalProperties": false, "description": "User name.", "properties": { "password": { "description": "A user's password.", "type": "string" }, "privileges": { "description": "An array of privileges granted to this user.", "items": { "additionalProperties": false, "description": "Privileges that can be granted to a user.", "properties": { "functions": { "description": "Registered functions to which this user gets the specified permissions.", "items": { "description": "Function name.", "type": "string" }, "type": "array" }, "lua_call": { "description": "Defines the Lua functions that the user has permission to call. This field accepts a special value, `all`, which grants the privilege to use any global non-built-in Lua functions.", "items": { "description": "Lua function name.", "type": "string" }, "type": "array" }, "lua_eval": { "description": "Whether this user can execute arbitrary Lua code.", "type": "boolean" }, "permissions": { "description": "Permissions assigned to this user or a user with this role.", "items": { "description": "Permission name.", "enum": [ "read", "write", "execute", "create", "alter", "drop", "usage", "session" ], "type": "string" }, "type": "array", "uniqueItems": true }, "sequences": { "description": "Sequences to which this user gets the specified permissions.", "items": { "description": "Sequence name.", "type": "string" }, "type": "array" }, "spaces": { "description": "Spaces to which this user gets the specified permissions.", "items": { "description": "Space name.", "type": "string" }, "type": "array" }, "sql": { "description": "Whether this user can execute an arbitrary SQL expression.", "items": { "description": "SQL expression name.\n\nOnly `all` is allowed for now.", "enum": [ "all" ], "type": "string" }, "type": "array" }, "universe": { "description": "Grants global permissions across all object types in the database, including:\n\n- `read`: Read any object\n- `write`: Modify any object\n- `execute`: Execute functions or code\n- `session`: Connect via IPROTO\n- `usage`: Use granted privileges\n- `create`: Create users, roles, objects\n- `drop`: Remove users, roles, objects\n- `alter`: Modify settings or objects", "type": "boolean" } }, "type": "object" }, "type": "array" }, "roles": { "description": "An array of roles granted to this user.", "items": { "description": "Role name.", "type": "string" }, "type": "array" } }, "type": "object" }, "description": "An array of users.", "type": "object" } }, "type": "object" }, "database": { "additionalProperties": false, "description": "The `database` section defines database-specific configuration parameters, such as an instance's read-write mode or transaction isolation level.", "properties": { "hot_standby": { "default": false, "description": "Whether to start the server in the hot standby mode. This mode can be used to provide failover without replication.\n\nNote: `database.hot_standby` has no effect:\n\n- If `wal.mode` is set to none.\n- If `wal.dir_rescan_delay` is set to a large value on macOS or FreeBSD. On these platforms, the hot standby mode is designed so that the loop repeats every `wal.dir_rescan_delay` seconds.\n- For spaces created with engine set to `vinyl`.", "type": "boolean" }, "instance_uuid": { "default": null, "description": "An instance UUID.\n\nBy default, instance UUIDs are generated automatically. `database.instance_uuid` can be used to specify an instance identifier manually.\n\nUUIDs should follow these rules:\n\n- The values must be true unique identifiers, not shared by other instances or replica sets within the common infrastructure.\n- The values must be used consistently, not changed after the initial setup. The initial values are stored in snapshot files and are checked whenever the system is restarted.\n- The values must comply with RFC 4122. The nil UUID is not allowed.\n\nNote: when upgrading from 2.x, `instance_uuid` and `replicaset_uuid` must be explicitly set in the configuration until the database schema upgrade is completed. After a full upgrade, these UUIDs can be removed from the configuration.", "type": "string" }, "mode": { "default": null, "description": "An instance's operating mode. This option is in effect if `replication.failover` is set to `off`.\n\nThe following modes are available:\n\n- `rw`: an instance is in read-write mode.\n- `ro`: an instance is in read-only mode.\n\nIf not specified explicitly, the default value depends on the number of instances in a replica set. For a single instance, the `rw` mode is used, while for multiple instances, the `ro` mode is used.", "enum": [ "ro", "rw" ], "type": "string" }, "replicaset_uuid": { "default": null, "description": "A replica set UUID.\n\nBy default, replica set UUIDs are generated automatically. `database.replicaset_uuid` can be used to specify a replica set identifier manually.\n\nNote: when upgrading from 2.x, `instance_uuid` and `replicaset_uuid` must be explicitly set in the configuration until the database schema upgrade is completed. After a full upgrade, these UUIDs can be removed from the configuration.", "type": "string" }, "txn_isolation": { "default": "best-effort", "description": "A transaction isolation level.", "enum": [ "read-committed", "read-confirmed", "best-effort" ], "type": "string" }, "txn_synchro_timeout": { "default": 5, "description": "A timeout (in seconds) after which the fiber is detached from synchronous transaction that is currently collecting quorum. After the timeout expires, the transaction is not rolled back but continues to wait for a quorum in background.", "type": "number" }, "txn_timeout": { "default": 3153600000, "description": "A timeout (in seconds) after which the transaction is rolled back.", "type": "number" }, "use_mvcc_engine": { "default": false, "description": "Whether the transactional manager is enabled.", "type": "boolean" } }, "type": "object" }, "failover": { "additionalProperties": false, "description": "The `failover` section defines parameters related to a supervised failover.", "properties": { "call_timeout": { "default": 1, "description": "A call timeout (in seconds) for connections used by monitoring and autofailover components.", "type": "number" }, "connect_timeout": { "default": 1, "description": "A connection timeout (in seconds) for connections used by monitoring and autofailover components.", "type": "number" }, "http": { "additionalProperties": false, "description": "The `failover.http` subsection configures HTTP listeners for the failover coordinator API. This functionality is available only in Tarantool Enterprise. It allows the failover coordinator to expose HTTP endpoints that provide monitoring metrics and health checks.", "properties": { "listen": { "description": "A list of HTTP endpoints that should be started for the failover coordinator. Each entry must describe a listener bound to a `localhost:` URI. These endpoints are used to expose metrics and other health check information about the failover coordinator.", "items": { "additionalProperties": false, "description": "This entry configures an individual HTTP listener for the failover coordinator. You can specify the URI and parameters for the listener.", "properties": { "params": { "additionalProperties": false, "description": "SSL parameters required for encrypted connections.", "properties": { "ssl_ca_file": { "description": "(Optional) A path to a trusted certificate authorities (CA) file. If not set, the peer won't be checked for authenticity.\n\nBoth a server and a client can use the ssl_ca_file parameter:\n\n- If it's on the server side, the server verifies the client.\n- If it's on the client side, the client verifies the server.\n- If both sides have the CA files, the server and the client verify each other.", "type": "string" }, "ssl_cert_file": { "description": "A path to an SSL certificate file:\n\n- For a server, it's mandatory.\n- For a client, it's mandatory if the ssl_ca_file parameter is set for a server; otherwise, optional.", "type": "string" }, "ssl_ciphers": { "description": "(Optional) A colon-separated (:) list of SSL cipher suites the connection can use. Note that the list is not validated: if a cipher suite is unknown, Tarantool ignores it, doesn't establish the connection, and writes to the log that no shared cipher was found.", "type": "string" }, "ssl_key_file": { "description": "A path to a private SSL key file:\n\n- For a server, it's mandatory.\n- For a client, it's mandatory if the `ssl_ca_file` parameter is set for a server; otherwise, optional.\n\nIf the private key is encrypted, provide a password for it in the `ssl_password` or `ssl_password_file` parameter", "type": "string" }, "ssl_password": { "description": "(Optional) A password for an encrypted private SSL key provided using `ssl_key_file`. Alternatively, the password can be provided in `ssl_password_file`.\n\nTarantool applies the `ssl_password` and `ssl_password_file` parameters in the following order:\n\n- If `ssl_password` is provided, Tarantool tries to decrypt the private key with it.\n- If `ssl_password` is incorrect or isn't provided, Tarantool tries all passwords from `ssl_password_file` one by one in the order they are written.\n- If `ssl_password` and all passwords from `ssl_password_file` are incorrect, or none of them is provided, Tarantool treats the private key as unencrypted.", "type": "string" }, "ssl_password_file": { "description": "(Optional) A text file with one or more passwords for encrypted private SSL keys provided using `ssl_key_file` (each on a separate line). Alternatively, the password can be provided in `ssl_password`.", "type": "string" }, "ssl_verify_client": { "default": "off", "description": "Controls whether the failover coordinator verifies client SSL certificates.\n\nThe option accepts the following values:\n\n- `off` (default): client certificates are not verified.\n- `on`: the server requires and verifies client certificates.\n- `optional`: the server verifies client certificates only if they are provided by the client.", "enum": [ "off", "on", "optional" ], "type": "string" }, "transport": { "description": "Allows you to enable traffic encryption for client-server communications over binary connections. In a Tarantool cluster, one instance might act as the server that accepts connections from other instances and the client that connects to other instances.\n\n`.params.transport` accepts one of the following values:\n\n- `plain` (default): turn off traffic encryption,\n- `ssl`: encrypt traffic by using the TLS 1.2 protocol (EE only).", "enum": [ "plain", "ssl" ], "type": "string" } }, "type": "object" }, "uri": { "description": "A URI in the `:` format that defines where the failover coordinator listens for HTTP requests.", "type": "string" } }, "type": "object" }, "type": "array" } }, "type": "object" }, "iproto": { "additionalProperties": false, "description": "IPROTO connection parameters for the failover coordinator. This functionality is available only in Tarantool Enterprise.", "properties": { "ssl": { "additionalProperties": false, "description": "SSL parameters used by the failover coordinator to connect to instances over IPROTO when SSL is enabled. This functionality is available only in Tarantool Enterprise.", "properties": { "ca_file": { "description": "(Optional) A path to a trusted certificate authorities (CA) file. If not set, the peer won't be checked for authenticity.\n\nBoth a server and a client can use the ca_file parameter:\n\n- If it's on the server side, the server verifies the client.\n- If it's on the client side, the client verifies the server.\n- If both sides have the CA files, the server and the client verify each other.", "type": "string" }, "ssl_cert": { "description": "A path to an SSL certificate file:\n\n- For a server, it's mandatory.\n- For a client, it's mandatory if the ca_file parameter is set for a server; otherwise, optional.", "type": "string" }, "ssl_ciphers": { "description": "(Optional) A colon-separated (:) list of SSL cipher suites the connection can use. Note that the list is not validated: if a cipher suite is unknown, Tarantool ignores it, doesn't establish the connection, and writes to the log that no shared cipher was found.", "type": "string" }, "ssl_key": { "description": "A path to a private SSL key file:\n\n- For a server, it's mandatory.\n- For a client, it's mandatory if the `ca_file` parameter is set for a server; otherwise, optional.\n\nIf the private key is encrypted, provide a password for it in the `ssl_password` or `ssl_password_file` parameter", "type": "string" }, "ssl_password": { "description": "(Optional) A password for an encrypted private SSL key provided using `ssl_key`. Alternatively, the password can be provided in `ssl_password_file`.\n\nTarantool applies the `ssl_password` and `ssl_password_file` parameters in the following order:\n\n- If `ssl_password` is provided, Tarantool tries to decrypt the private key with it.\n- If `ssl_password` is incorrect or isn't provided, Tarantool tries all passwords from `ssl_password_file` one by one in the order they are written.\n- If `ssl_password` and all passwords from `ssl_password_file` are incorrect, or none of them is provided, Tarantool treats the private key as unencrypted.", "type": "string" }, "ssl_password_file": { "description": "(Optional) A text file with one or more passwords for encrypted private SSL keys provided using `ssl_key` (each on a separate line). Alternatively, the password can be provided in `ssl_password`.", "type": "string" } }, "type": "object" } }, "type": "object" }, "lease_interval": { "default": 30, "description": "A time interval (in seconds) that specifies how long an instance should be a leader without renew requests from a coordinator. When this interval expires, the leader switches to read-only mode. This action is performed by the instance itself and works even if there is no connectivity between the instance and the coordinator.", "type": "number" }, "log": { "additionalProperties": false, "description": "This section defines configuration parameters related to logging for the supervised failover coordinator.", "properties": { "file": { "description": "Specify a file for failover logs destination. To write logs to a file, you need to set `failover.log.to` to `file`. Otherwise, `failover.log.file` is ignored.", "type": "string" }, "to": { "default": "stderr", "description": "Define the location for failover logs. This option accepts the following values:\n\n- `stderr`: write logs to the standard error stream\n- `file`: write logs to a file defined in `failover.log.file`", "enum": [ "stderr", "file" ], "type": "string" } }, "type": "object" }, "metrics": { "additionalProperties": false, "description": "The `failover.metrics` subsection configures metrics exporters for the failover coordinator. This functionality is available only in Tarantool Enterprise. It allows the failover coordinator to expose monitoring metrics through various formats like Prometheus, JSON, etc.", "properties": { "exporters": { "description": "A list of endpoints that expose the failover coordinator metrics. Each exporter corresponds to an HTTP endpoint and a specific format for the exported metrics.", "items": { "additionalProperties": false, "description": "This entry configures an individual exporter. You can specify the URI path and the format for the metrics.", "properties": { "format": { "default": "prometheus", "description": "A format of the exported metrics. Supported values are `prometheus`, `zabbix`, `telegraf`, and `json`. Each exporter will serve metrics in the specified format.", "enum": [ "prometheus", "zabbix", "telegraf", "json" ], "type": "string" }, "path": { "description": "A URI path that should be used to serve metrics. For example, `/metrics/prometheus`, `/metrics/json`, etc.", "type": "string" } }, "type": "object" }, "type": "array" } }, "type": "object" }, "probe_interval": { "default": 10, "description": "A time interval (in seconds) that specifies how often a monitoring service of the failover coordinator polls an instance for its status.", "type": "number" }, "renew_interval": { "default": 10, "description": "A time interval (in seconds) that specifies how often a failover coordinator sends read-write deadline renewals.", "type": "number" }, "replicasets": { "additionalProperties": { "additionalProperties": false, "description": "Failover coordinator options related to a particular replicaset.", "properties": { "learners": { "description": "Specify instances that are ignored by the supervised failover coordinator when selecting a master.\n\nNote: if a learner instance is in RW mode, the coordinator stops the failover process and waits until the instance transitions to RO mode.", "items": { "description": "Array of instance names to be ignored by the supervised failover coordinator when selecting a master.", "type": "string" }, "type": "array" }, "priority": { "additionalProperties": { "description": "A failover priority assigned to the given instance.", "type": "number" }, "description": "Priorities for the supervised failover mode.", "type": "object" }, "synchro_mode": { "default": false, "description": "The coordinator supports two leader appoint modes: one suits better for asynchronous replication, the other one better works for the quorum synchronous replication.\n\nFirst of all, it may be confusing that the synchronous replication is configured per-space in tarantool, but the supervised failover option is per-replicaset.\n\nTechnically a user can enable the synchro mode and mark only some spaces synchronous. However, this setup gives the worst of two worlds:\n\n- Asynchronous transactions are assumed as possibly depending from a result of previously started synchronous ones, so if there are sync transactions in fly, all the async ones are waiting for finishing of the sync ones. This way we sometimes get sync-level latency for async transactions.\n- Async transactions from the old leader, whose result is visible to a client, are not necessarily present in another availability zone. A network partitioning and repairing may lead to conflicting journals and disconnecting of the old leader from the replicaset until manual repairing activities are performed. It means that the autofailover may hurt the redundancy factor. And that happens frequently comparing to the usual async setup due to the stricter conflict detection strategy.\n\nTo sum up: in the mixed setup we pay twice (for async and qsync both -- possible conflicts and increased latency), but it rewards with a kind of 'sometimes you get better latency' comparing to qsync and 'sometimes you have linearizable writes' comparing to async. For most applications it seems worse than fair qsync (with all the spaces marked as synchronous).\n\nIn this description we assume either all asynchronous spaces or all synchronous ones.\n\n`synchro_mode` = `false` handles a replicaset with asynchronous replication: if all the spaces are created without the `is_sync` option. It is default.\n\n`synchro_mode` = `true` handles a replicaset with quorum synchronous replication: if the spaces have the `is_sync` option enabled.\n\nBefore describe how the modes work, let's introduce some terms.\n\nImagine, a network partitioning happens. If the old leader is not reachable from the active coordinator, it is *resigned* (goes to read-only). The coordinator performs the *autofailover*: it *appoints* the new leader (it goes to read-write). The appoint may or may not claim *synchro queue* ownership (to enable processing of synchronous transactions), it may or may not require a *quorum* of replicas to agree about the longest available journal; it depends on the chosen `synchro_mode`.\n\nOnce the connectivity is repaired, the old leader attempts to connect to the replicaset back. It succeeds or fails depending on whether the journals are *diverged* and depending on the *conflict detection* and the *conflict resolution* strategies.\n\nThe following description assumes such a network partitioning, when the old leader lost connectivity with the active coordinator, so the coordinator have to appoint a new leader. The power off or hardware break situations are similar, but the old leader goes back (if it is possible) only when it is repaired. This way we cover wide variety of situations using the network partitioning as an example.\n\nAlso, the active coordinator switch may occur in some network partitioning situations and it adds some delay to resigning and appointing. Other than that the autofailover process remains the same.\n\n`synchro_mode` = `false` works this way:\n\n- The network partitioning may leave the old leader with the journal, where the last transactions are not replicated to the other availability zone. As result, these transactions are not present on the future new leader.\n- The old leader resigns after failover.lease_interval.\n- The new leader is appointed without reaching any quorum of replicas. It works while at least one instance is available.\n- The new leader doesn't claim synchro queue ownership[^1].\n- When the connectivity is repaired, the old leader (read-only now) attempts to replicate the last transactions from the journal to the new leader.\n- If the journals are not diverged, or the conflict is not detected, or all the conflicts are resolved, the old leader successfully connects back to the replicaset. The redundancy is repaired.\n- Otherwise, the replica is disconnected from the replicaset. Some manual actions are needed to extract the conflicting journal entries, apply it to the new leader (if needed) and rebootstrap the old leader (wipe the data directory and start the instance from scratch).\n- The conflict detection strategy is weak[^2]: the only conflicts are attempts to insert the same key into an unique index twice[^3].\n- The conflict resolution is 'just fail' by default, but a user may setup its own conflict resolution triggers (ON CONFLICT or before_replace).\n\n[^1]: It works in assumption that the synchro queue owner has not been claimed before (for example, due to use of `replication.failover` = `election` in the past). It can be verified using `box.info.synchro.queue.owner`: it is expected to be zero. Otherwise, the whole replicaset is in read-only. box.ctl.demote() may repair this situation if it is unintended. [^2]: It is also true only if there is no synchro queue owner. [^3]: It may happen if the client retries a writing operation on the new leader after a failure with the old leader.\n\nTo sum up: here we have asynchronous replication guarantees. Plus autoapply of the journal tail from the old leader that may hurt data consistency. And each autofailover event may decrease the redundancy factor until some complicated manual actions are performed.\n\nThe on conflict triggers (before_replace in the Lua API) may be used to define automatic conflict resolution strategy that eliminates a need for manual action to return the redundancy back.\n\n`synchro_mode` = `true` works this way:\n\n- After the network partitioning, the old leader resigns. It rolls back transactions that are not confirmed by a quorum.\n- The new leader is chosen using a quorum based algorithm and it is guaranteed to have all the quorum approved transactions[^4].\n- N/2+1 available replicas are necessary for a successful appoint. It means that there is more room for the situation, when the whole replicaset is read-only: we can't choose a new leader if we can't reach N/2+1 replicas.\n- The new leader claims synchro queue ownership when becoming a leader[^5].\n- There is no room for a conflict, when the connectivity is repaired: each transaction either approved by the quorum or rolled back[^6].\n- The conflict detection strategy is strict: any divergence in the journals is considered a conflict. However, it shouldn't occur by the construction[^6].\n- The conflict resolution strategy is the same as for `synchro_mode` = `false`.\n\n[^4]: Technically speaking, `synchro_mode` = `true` enables `box.cfg.election_mode` = `manual` on instances. It tunes the `box.ctl.promote()` behavior to check the instance's vclock with a quorum of replicas before actual write itself as the new synchro queue owner. [^5]: By calling `box.ctl.promote()`. [^6]: If all the spaces are `is_sync` = `true`. So, again, mixing of async and sync spaces within one replicaset is not a good idea.\n\nTo sum up: the synchronous replication guarantees are given, which means linearizability for writing operations: once the transaction is confirmed for the client it can be observed even in case of a failure of one availability zone[^7]. The autofailover doesn't hurt redundancy, no manual rebootstrap required. However, if a redundancy factor lowers the N/2+1 bound, the whole replicaset is read-only. A strict conflict detection strategy adds an extra layer of protection against consistency violations.\n\n[^7]: You may also be interested in the txn_isolation = 'linearizable' box.begin/box.atomic option for linearizable reads.\n\nNote that `synchro_mode` = `true` doesn't support a setup with two availability zones for now. You need at least three zones for it. Future tarantool versions may provide the two zones setup support. Stay tuned!", "type": "boolean" } }, "type": "object" }, "description": "Failover coordinator options configured on the per-replicaset basis.", "type": "object" }, "replication_lag_threshold": { "default": 1, "description": "A replication lag threshold (in seconds). If an instance's replication lag exceeds this threshold, the supervised failover coordinator ignores the instance when selecting a new leader if `synchro_mode` is `true` for this replicaset. Default value is 1 second.", "type": "number" }, "stateboard": { "additionalProperties": false, "description": "This options define configuration parameters related to maintaining the state of failover coordinators in a remote etcd-based storage.", "properties": { "enabled": { "default": true, "description": "Enable or disable the failover coordinator stateboard.", "type": "boolean" }, "keepalive_interval": { "default": 10, "description": "A time interval (in seconds) that specifies how long a transient state information is stored and how quickly a lock expires.\n\nNote `failover.stateboard.keepalive_interval` should be smaller than `failover.lease_interval`. Otherwise, switching of a coordinator causes a replica set leader to go to read-only mode for some time.", "type": "number" }, "renew_interval": { "default": 2, "description": "A time interval (in seconds) that specifies how often a failover coordinator writes its state information to etcd. This option also determines the frequency at which an active coordinator reads new commands from etcd.", "type": "number" } }, "type": "object" } }, "type": "object" }, "feedback": { "additionalProperties": false, "description": "The `feedback` section describes configuration parameters for sending information about a running Tarantool instance to the specified feedback server.", "properties": { "crashinfo": { "default": true, "description": "Whether to send crash information in the case of an instance failure. This information includes:\n\n- General information from the `uname` output.\n- Build information.\n- The crash reason.\n- The stack trace.\n\nTo turn off sending crash information, set this option to `false`.", "type": "boolean" }, "enabled": { "default": true, "description": "Whether to send information about a running instance to the feedback server. To turn off sending feedback, set this option to `false`.", "type": "boolean" }, "host": { "default": "https://feedback.tarantool.io", "description": "The address to which information is sent.", "type": "string" }, "interval": { "default": 3600, "description": "The interval (in seconds) of sending information.", "type": "number" }, "metrics_collect_interval": { "default": 60, "description": "The interval (in seconds) for collecting metrics.", "type": "number" }, "metrics_limit": { "default": 1048576, "description": "The maximum size of memory (in bytes) used to store metrics before sending them to the feedback server. If the size of collected metrics exceeds this value, earlier metrics are dropped.", "type": "integer" }, "send_metrics": { "default": true, "description": "Whether to send metrics to the feedback server. Note that all collected metrics are dropped after sending them to the feedback server.", "type": "boolean" } }, "type": "object" }, "fiber": { "additionalProperties": false, "description": "The `fiber` section describes options related to configuring fibers, yields, and cooperative multitasking.", "properties": { "io_collect_interval": { "default": null, "description": "The time period (in seconds) a fiber sleeps between iterations of the event loop.\n\n`fiber.io_collect_interval` can be used to reduce CPU load in deployments where the number of client connections is large, but requests are not so frequent (for example, each connection issues just a handful of requests per second).", "type": "number" }, "slice": { "additionalProperties": false, "description": "This section describes options related to configuring time periods for fiber slices. See `fiber.set_max_slice` for details and examples.", "properties": { "err": { "default": 1, "description": "Set a time period (in seconds) that specifies the warning slice.", "type": "number" }, "warn": { "default": 0.5, "description": "Set a time period (in seconds) that specifies the error slice.", "type": "number" } }, "type": "object" }, "too_long_threshold": { "default": 0.5, "description": "If processing a request takes longer than the given period (in seconds), the fiber warns about it in the log.\n\n`fiber.too_long_threshold` has effect only if `log.level` is greater than or equal to 4 (`warn`).", "type": "number" }, "top": { "additionalProperties": false, "description": "This section describes options related to configuring the `fiber.top()` function, normally used for debug purposes. `fiber.top()` shows all alive fibers and their CPU consumption.", "properties": { "enabled": { "default": false, "description": "Enable or disable the `fiber.top()` function.\n\nEnabling `fiber.top()` slows down fiber switching by about 15%, so it is disabled by default.", "type": "boolean" } }, "type": "object" }, "tx_user_pool_size": { "default": 768, "description": "Specify the size of the fiber pool used in the TX thread for executing user-defined callbacks pushed via the `tnt_tx_push()` C API function. This pool operates similarly to the fiber pool for handling IProto requests, whose size is defined by `box.cfg.net_msg_max`.\n\nIncrease the pool size if the application requires executing a large number of concurrent callbacks, especially if they involve yielding operations or high transaction loads.\n\nNotes:\n\n- The callbacks are executed in the order they are pushed, but the completion order is undefined for yielding callbacks\n- Mismanaging the pool size or callback rate can lead to unpredictable latency or memory overflows (OOM)", "type": "integer" }, "worker_pool_threads": { "default": 4, "description": "The maximum number of threads to use during execution of certain internal processes (for example, `socket.getaddrinfo()` and `coio_call()`).", "type": "number" } }, "type": "object" }, "flightrec": { "additionalProperties": false, "description": "The flightrec section describes options related to the flight recorder configuration.", "properties": { "enabled": { "default": false, "description": "Enable the flight recorder.", "type": "boolean" }, "logs_log_level": { "default": 6, "description": "Specify the level of detail the log has. The default value is 6 (`VERBOSE`). You can learn more about log levels from the log_level option description. Note that the `flightrec.logs_log_level` value might differ from `log_level`.", "enum": [ 0, 1, 2, 3, 4, 5, 6, 7 ], "type": "integer" }, "logs_max_msg_size": { "default": 4096, "description": "Specify the maximum size (in bytes) of the log message. The log message is truncated if its size exceeds this limit.", "type": "integer" }, "logs_size": { "default": 10485760, "description": "Specify the size (in bytes) of the log storage. You can set this option to 0 to disable the log storage.", "type": "integer" }, "metrics_interval": { "default": 1, "description": "Specify the time interval (in seconds) that defines the frequency of dumping metrics. This value shouldn't exceed `flightrec.metrics_period`.", "type": "number" }, "metrics_period": { "default": 180, "description": "Specify the time period (in seconds) that defines how long metrics are stored from the moment of dump. So, this value defines how much historical metrics data is collected up to the moment of crash. The frequency of metric dumps is defined by `flightrec.metrics_interval`.", "type": "number" }, "requests_max_req_size": { "default": 16384, "description": "Specify the maximum size (in bytes) of a request entry. A request entry is truncated if this size is exceeded.", "type": "integer" }, "requests_max_res_size": { "default": 16384, "description": "Specify the maximum size (in bytes) of a response entry. A response entry is truncated if this size is exceeded.", "type": "integer" }, "requests_size": { "default": 10485760, "description": "Specify the size (in bytes) of storage for the request and response data. You can set this parameter to 0 to disable a storage of requests and responses.", "type": "integer" } }, "type": "object" }, "groups": { "additionalProperties": { "additionalProperties": false, "description": "A group of replicasets.\n\nThe following rules are applied to group names:\n\n- The maximum number of symbols is 63.\n- Should start with a letter.\n- Can contain lowercase letters (a-z).\n- Can contain digits (0-9).\n- Can contain the following characters: -, _.", "properties": { "app": { "additionalProperties": false, "description": "Using Tarantool as an application server, you can run your own Lua applications. In the `app` section, you can load the application and provide an application configuration in the `app.cfg` section.", "properties": { "cfg": { "additionalProperties": { "description": "Mapping for arbitrary user-defined configuration values, accessible in the application via `config:get('app.cfg')`." }, "description": "A configuration of the application loaded using `app.file` or `app.module`.", "type": "object" }, "file": { "description": "A path to a Lua file to load an application from.", "type": "string" }, "module": { "description": "A Lua module to load an application from.", "type": "string" } }, "type": "object" }, "audit_log": { "additionalProperties": false, "description": "The `audit_log` section defines configuration parameters related to audit logging.", "properties": { "extract_key": { "default": false, "description": "If set to `true`, the audit subsystem extracts and prints only the primary key instead of full tuples in DML events (`space_insert`, `space_replace`, `space_delete`). Otherwise, full tuples are logged. The option may be useful in case tuples are big.", "type": "boolean" }, "file": { "default": "var/log/{{ instance_name }}/audit.log", "description": "Specify a file for the audit log destination. You can set the `file` type using the audit_log.to option. If you write logs to a file, Tarantool reopens the audit log at SIGHUP.", "type": "string" }, "filter": { "description": "Enable logging for a specified subset of audit events.", "items": { "description": "Specify a subset of audit events to log by providing a value from the allowed list of events or groups.", "enum": [ "audit_enable", "custom", "auth_ok", "auth_fail", "disconnect", "user_create", "user_drop", "role_create", "role_drop", "user_enable", "user_disable", "user_grant_rights", "user_revoke_rights", "role_grant_rights", "role_revoke_rights", "password_change", "access_denied", "eval", "call", "space_select", "space_create", "space_alter", "space_drop", "space_insert", "space_replace", "space_delete", "none", "all", "audit", "auth", "priv", "ddl", "dml", "data_operations", "compatibility" ], "type": "string" }, "type": "array", "uniqueItems": true }, "format": { "default": "json", "description": "Specify a format that is used for the audit log.", "enum": [ "plain", "json", "csv" ], "type": "string" }, "nonblock": { "default": false, "description": "Specify the logging behavior if the system is not ready to write. If set to `true`, Tarantool does not block during logging if the system is non-writable and writes a message instead. Using this value may improve logging performance at the cost of losing some log messages.", "type": "boolean" }, "pipe": { "default": null, "description": "Start a program and write logs to its standard input (`stdin`). To send logs to a program's standard input, you need to set `audit_log.to` to `pipe`.", "type": "string" }, "spaces": { "default": null, "description": "Specifies spaces for which data operation events (`space_select`, `space_insert`, `space_replace`, `space_delete`) should be logged.\n\nThis option accepts one of the following forms:\n\n- an array of space names;\n- a map where keys are space names and values are audit options.\n\nIf set to box.NULL, the data operation events are logged for all spaces." }, "syslog": { "additionalProperties": false, "description": "This module allows configuring the system logger (syslog) for audit logs in Tarantool. It provides options for specifying the syslog server, facility, and identity for logging messages.", "properties": { "facility": { "default": "local7", "description": "Define the syslog facility, which indicates the type of application generating the log entries (e.g. kernel, user-level, or system daemon). To enable syslog logging, set `audit_log.to` to `syslog`.", "type": "string" }, "identity": { "default": "tarantool", "description": "Specify an application name to show in logs. You can enable logging to a system logger using the `audit_log.to` option.", "type": "string" }, "server": { "default": null, "description": "Set a location for the syslog server. It can be a Unix socket path starting with \"unix:\" or an ipv4 port number. You can enable logging to a system logger using the `audit_log.to` option.", "type": "string" } }, "type": "object" }, "to": { "default": "devnull", "description": "Enable audit logging and define the log location.", "enum": [ "devnull", "file", "pipe", "syslog" ], "type": "string" } }, "type": "object" }, "compat": { "additionalProperties": false, "description": "These options allow to redefine tarantool behavior in order to correspond to the previous or the next major version.", "properties": { "binary_data_decoding": { "default": "new", "description": "Define how to store binary data fields in Lua after decoding:\n\n- `new` (3.x default): as varbinary object\n- `old` (2.x default): as plain strings", "enum": [ "old", "new" ], "type": "string" }, "box_cfg_replication_sync_timeout": { "default": "new", "description": "Set a default replication sync timeout:\n\n- `new` (3.x default): 0\n- `old` (2.x default): 300 seconds", "enum": [ "old", "new" ], "type": "string" }, "box_consider_system_spaces_synchronous": { "default": "old", "description": "Whether to consider most system spaces as synchronized regardless of the `is_sync` space option:\n\n- `new` (4.x default): System spaces are synchronized when the synchronous queue is claimed (`box.info.synchro.queue.owner ~= 0`), except for `vinyl_defer_delete` (local space) and `sequence_data` (synchronized by synchronous user spaces operations)\n- `old` (3.x default): System spaces are not synchronized unless explicitly marked with the `is_sync` option", "enum": [ "old", "new" ], "type": "string" }, "box_error_serialize_verbose": { "default": "old", "description": "Set the verbosity of error objects serialization:\n\n- `new` (4.x default): serialize the error message together with other potentially useful fields\n- `old` (3.x default): serialize only the error message", "enum": [ "old", "new" ], "type": "string" }, "box_error_unpack_type_and_code": { "default": "old", "description": "Whether to show all the error fields in `box.error.unpack()`:\n\n- `new` (4.x default): do not show `base_type` and `custom_type` fields; do not show the `code` field if it is 0. Note that `base_type` is still accessible for an error object\n- `old` (3.x default): show all fields", "enum": [ "old", "new" ], "type": "string" }, "box_info_cluster_meaning": { "default": "new", "description": "Define the behavior of `box.info.cluster`:\n\n- `new` (3.x default): `box.info.cluster` shows info about the entire cluster, `box.info.replicaset` shows info about the replica set\n- `old` (2.x default): `box.info.cluster` shows info about the replica set", "enum": [ "old", "new" ], "type": "string" }, "box_recovery_triggers_deprecation": { "default": "old", "description": "Whether to trigger space and transactional events during local recovery or join:\n\n- `new` (4.x default): do not trigger events\n- `old` (3.x default): trigger events", "enum": [ "old", "new" ], "type": "string" }, "box_session_push_deprecation": { "default": "old", "description": "Whether to raise errors on attempts to call the deprecated function `box.session.push`:\n\n- `new` (4.x default): raise an error\n- `old` (3.x default): do not raise an error", "enum": [ "old", "new" ], "type": "string" }, "box_space_execute_priv": { "default": "new", "description": "Whether the `execute` privilege can be granted on spaces:\n\n- `new` (3.x default): an error is raised\n- `old` (2.x default): the privilege can be granted with no actual effect", "enum": [ "old", "new" ], "type": "string" }, "box_space_max": { "default": "new", "description": "Set the maximum space identifier (`box.schema.SPACE_MAX`):\n\n- `new` (3.x default): 2147483646\n- `old` (2.x default): 2147483647", "enum": [ "old", "new" ], "type": "string" }, "box_tuple_extension": { "default": "new", "description": "Controls `IPROTO_FEATURE_CALL_RET_TUPLE_EXTENSION` and `IPROTO_FEATURE_CALL_ARG_TUPLE_EXTENSION` feature bits that define tuple encoding in iproto call and eval requests.\n\n- `new` (3.x default): tuples with formats are encoded as `MP_TUPLE`\n- `old` (2.x default): tuples with formats are encoded as `MP_ARRAY`", "enum": [ "old", "new" ], "type": "string" }, "box_tuple_new_vararg": { "default": "new", "description": "Controls how `box.tuple.new` interprets an argument list:\n\n- `new` (3.x default): as a value with a tuple format\n- `old` (2.x default): as an array of tuple fields", "enum": [ "old", "new" ], "type": "string" }, "c_func_iproto_multireturn": { "default": "new", "description": "Controls wrapping of multiple results of a stored C function when returning them via iproto:\n\n- `new` (3.x default): return without wrapping (consistently with a local call via `box.func`)\n- `old` (2.x default): wrap results into a MessagePack array", "enum": [ "old", "new" ], "type": "string" }, "console_session_scope_vars": { "default": "old", "description": "Whether a console session has its own variable scope:\n\n- `new` (4.x default): non-local variable assignments are written to a variable scope attached to the console session\n- `old` (3.x default): all non-local variable assignments from the console are written to globals", "enum": [ "old", "new" ], "type": "string" }, "fiber_channel_close_mode": { "default": "new", "description": "Define the behavior of fiber channels after closing:\n\n- `new` (3.x default): mark the channel read-only\n- `old` (2.x default): destroy the channel object", "enum": [ "old", "new" ], "type": "string" }, "fiber_slice_default": { "default": "new", "description": "Define the maximum fiber execution time without a yield:\n\n- `new` (3.x default): `{warn = 0.5, err = 1.0}`\n- `old` (2.x default): infinity (no warnings or errors raised)", "enum": [ "old", "new" ], "type": "string" }, "json_escape_forward_slash": { "default": "new", "description": "Whether to escape the forward slash symbol \"/\" using a backslash in a `json.encode()` result:\n\n- `new` (3.x default): do not escape the forward slash\n- `old` (2.x default): escape the forward slash", "enum": [ "old", "new" ], "type": "string" }, "replication_synchro_timeout": { "default": "old", "description": "The `compat.replication_synchro_timeout` option controls transaction rollback due to `replication.synchro_timeout`.\n\n- `new` (4.x default): A synchronous transaction can remain in the synchro queue indefinitely until it reaches a quorum of confirmations. `replication.synchro_timeout` is used only to wait confirmation in promote/demote and gc-checkpointing. If some transaction in limbo did not have time to commit within `replication_synchro_timeout`, the corresponding operation: promote/demote or gc-checkpointing can be aborted automatically\n- `old` (3.x default): unconfirmed synchronous transactions are rolled back after a `replication.synchro_timeout`", "enum": [ "old", "new" ], "type": "string" }, "skip_replication_names": { "default": "new", "description": "The `compat.skip_replication_names` option controls whether Tarantool skips instance and replicaset name handling during replication startup.\n\n- `new` (3.x default): Tarantool applies `instance_name` and `replicaset_name` on startup and validates them against the snapshot data.\n- `old` (2.x default): Tarantool skips applying `instance_name` and `replicaset_name` on startup and does not validate them against the snapshot data. This mode is intended for upgrades from Tarantool 2.11, so a Tarantool 3.x+ instance configured via the declarative config can join a 2.11-compatible replicaset where the master snapshot may not contain names.", "enum": [ "old", "new" ], "type": "string" }, "sql_priv": { "default": "new", "description": "Whether to enable access checks for SQL requests over iproto:\n\n- `new` (3.x default): check the user's access permissions\n- `old` (2.x default): allow any user to execute SQL over iproto", "enum": [ "old", "new" ], "type": "string" }, "sql_seq_scan_default": { "default": "new", "description": "Controls the default value of the `sql_seq_scan` session setting:\n\n- `new` (3.x default): false\n- `old` (2.x default): true", "enum": [ "old", "new" ], "type": "string" }, "wal_cleanup_delay_deprecation": { "default": "old", "description": "Whether to use the option 'wal_cleanup_delay':\n\n- `new` (4.x default): raise an error\n- `old` (3.x default): log a deprecation warning", "enum": [ "old", "new" ], "type": "string" }, "yaml_pretty_multiline": { "default": "new", "description": "Whether to encode in block scalar style all multiline strings or ones containing the `\\n\\n` substring:\n\n- `new` (3.x default): all multiline strings\n- `old` (2.x default): only strings containing the `\\n\\n` substring", "enum": [ "old", "new" ], "type": "string" } }, "type": "object" }, "config": { "additionalProperties": false, "description": "The `config` section defines various parameters related to centralized configuration.", "properties": { "context": { "additionalProperties": { "additionalProperties": false, "description": "A context variable definition that specifies how to load it (e.g. from a file or an environment variable).", "properties": { "env": { "description": "The name of an environment variable to load a context variable from. To load a context variable from an environment variable, set `config.context..from` to `env`.", "type": "string" }, "file": { "description": "The path to a file to load a context variable from. To load a configuration value from a file, set `config.context..from` to `file`.", "type": "string" }, "from": { "description": "The type of storage to load a context variable from. There are the following storage types:\n\n- `file`: load a context variable from a file. In this case, you need to specify the path to the file using `config.context..file`\n- `env`: load a context variable from an environment variable. In this case, specify the environment variable name using `config.context..env`", "enum": [ "env", "file" ], "type": "string" }, "rstrip": { "description": "(Optional) Whether to strip whitespace characters and newlines from the end of data.", "type": "boolean" } }, "type": "object" }, "description": "Defines custom variables in the cluster configuration by loading values from an environment variable or a file.", "type": "object" }, "etcd": { "additionalProperties": false, "description": "This section describes options related to providing connection settings to a centralized etcd-based storage. If `replication.failover` is set to `supervised`, Tarantool also uses etcd to maintain the state of failover coordinators.", "properties": { "endpoints": { "description": "The list of endpoints used to access an etcd cluster.", "items": { "description": "etcd endpoint.\n\nFor example: `http://localhost:2379`.", "type": "string" }, "type": "array" }, "http": { "additionalProperties": false, "description": "HTTP client options for the etcd-client, used to fetch and subscribe to the cluster configuration stored in etcd.", "properties": { "request": { "additionalProperties": false, "description": "HTTP client request options.", "properties": { "interface": { "description": "Set the interface to use as outgoing network interface for the etcd configuration source.\n\nThe interface can be specified as an interface name, an IP address, or a hostname.\n\nSee https://curl.se/libcurl/c/CURLOPT_INTERFACE.html for details.", "type": "string" }, "timeout": { "description": "A time period required to process an HTTP request to an etcd server: from sending a request to receiving a response.", "type": "number" }, "unix_socket": { "description": "A Unix domain socket used to connect to an etcd server.", "type": "string" }, "verbose": { "description": "Whether to print debugging information about HTTP requests and responses issued by the etcd configuration source.\n\nThe information is written to stderr (disregarding tarantool log configuration). In a typical setup it arrives to journald.\n\nSee https://curl.se/libcurl/c/CURLOPT_VERBOSE.html for details.", "type": "boolean" } }, "type": "object" } }, "type": "object" }, "password": { "description": "A password used for authentication.", "type": "string" }, "prefix": { "description": "A key prefix used to search a configuration on an etcd server. Tarantool searches keys by the following path: `/config/*`. Note that `` should start with a slash (`/`).", "type": "string" }, "ssl": { "additionalProperties": false, "description": "TLS options.", "properties": { "ca_file": { "description": "A path to a trusted certificate authorities (CA) file.", "type": "string" }, "ca_path": { "description": "A path to a directory holding certificates to verify the peer with.", "type": "string" }, "ssl_cert": { "description": "A path to an SSL certificate file.", "type": "string" }, "ssl_key": { "description": "A path to a private SSL key file.", "type": "string" }, "verify_host": { "description": "Enable verification of the certificate's name (CN) against the specified host.", "type": "boolean" }, "verify_peer": { "description": "Enable verification of the peer's SSL certificate.", "type": "boolean" } }, "type": "object" }, "username": { "description": "A username used for authentication.", "type": "string" }, "watchers": { "additionalProperties": false, "description": "Options for watcher requests: watchcreate, watchwait and watchcancel.", "properties": { "reconnect_max_attempts": { "description": "The maximum number of attempts to reconnect to an etcd server in case of connection failure.", "type": "integer" }, "reconnect_timeout": { "description": "The timeout (in seconds) between attempts to reconnect to an etcd server in case of connection failure.", "type": "number" } }, "type": "object" } }, "type": "object" }, "reload": { "default": "auto", "description": "Specify how the configuration is reloaded. This option accepts the following values:\n\n- `auto`: configuration is reloaded automatically when it is changed.\n- `manual`: configuration should be reloaded manually. In this case, you can reload the configuration in the application code using `config:reload()`.", "enum": [ "auto", "manual" ], "type": "string" }, "storage": { "additionalProperties": false, "description": "This section describes options related to providing connection settings to a centralized Tarantool-based storage.", "properties": { "endpoints": { "description": "An array of endpoints used to access a configuration storage. Each endpoint can include the following fields:\n\n- `uri`: a URI of the configuration storage's instance.\n- `login`: a username used to connect to the instance.\n- `password`: a password used for authentication.\n- `params`: SSL parameters required for encrypted connections", "items": { "additionalProperties": false, "description": "Element that represents a configuration storage endpoint with the following fields:\n\n- `uri`: a URI of the configuration storage's instance.\n- `login`: a username used to connect to the instance.\n- `password`: a password used for authentication.\n- `params`: SSL parameters required for encrypted connections.", "properties": { "login": { "description": "A username used to connect to the instance.", "type": "string" }, "params": { "additionalProperties": false, "description": "SSL parameters required for encrypted connections.", "properties": { "ssl_ca_file": { "description": "(Optional) A path to a trusted certificate authorities (CA) file. If not set, the peer won't be checked for authenticity.\n\nBoth a server and a client can use the ssl_ca_file parameter:\n\n- If it's on the server side, the server verifies the client.\n- If it's on the client side, the client verifies the server.\n- If both sides have the CA files, the server and the client verify each other.", "type": "string" }, "ssl_cert_file": { "description": "A path to an SSL certificate file:\n\n- For a server, it's mandatory.\n- For a client, it's mandatory if the ssl_ca_file parameter is set for a server; otherwise, optional.", "type": "string" }, "ssl_ciphers": { "description": "(Optional) A colon-separated (:) list of SSL cipher suites the connection can use. Note that the list is not validated: if a cipher suite is unknown, Tarantool ignores it, doesn't establish the connection, and writes to the log that no shared cipher was found.", "type": "string" }, "ssl_key_file": { "description": "A path to a private SSL key file:\n\n- For a server, it's mandatory.\n- For a client, it's mandatory if the `ssl_ca_file` parameter is set for a server; otherwise, optional.\n\nIf the private key is encrypted, provide a password for it in the `ssl_password` or `ssl_password_file` parameter", "type": "string" }, "ssl_password": { "description": "(Optional) A password for an encrypted private SSL key provided using `ssl_key_file`. Alternatively, the password can be provided in `ssl_password_file`.\n\nTarantool applies the `ssl_password` and `ssl_password_file` parameters in the following order:\n\n- If `ssl_password` is provided, Tarantool tries to decrypt the private key with it.\n- If `ssl_password` is incorrect or isn't provided, Tarantool tries all passwords from `ssl_password_file` one by one in the order they are written.\n- If `ssl_password` and all passwords from `ssl_password_file` are incorrect, or none of them is provided, Tarantool treats the private key as unencrypted.", "type": "string" }, "ssl_password_file": { "description": "(Optional) A text file with one or more passwords for encrypted private SSL keys provided using `ssl_key_file` (each on a separate line). Alternatively, the password can be provided in `ssl_password`.", "type": "string" }, "transport": { "description": "Allows you to enable traffic encryption for client-server communications over binary connections. In a Tarantool cluster, one instance might act as the server that accepts connections from other instances and the client that connects to other instances.\n\n`.params.transport` accepts one of the following values:\n\n- `plain` (default): turn off traffic encryption,\n- `ssl`: encrypt traffic by using the TLS 1.2 protocol (EE only).", "enum": [ "plain", "ssl" ], "type": "string" } }, "type": "object" }, "password": { "description": "A password used for authentication.", "type": "string" }, "uri": { "description": "A URI of the configuration storage's instance.", "type": "string" } }, "type": "object" }, "type": "array" }, "prefix": { "description": "A key prefix used to search a configuration in a centralized configuration storage. Tarantool searches keys by the following path: `/config/*`. Note that `` should start with a slash (`/`).", "type": "string" }, "reconnect_after": { "default": 3, "description": "A number of seconds to wait before reconnecting to a configuration storage.", "type": "number" }, "timeout": { "default": 3, "description": "The interval (in seconds) to perform the status check of a configuration storage.", "type": "number" } }, "type": "object" } }, "type": "object" }, "connpool": { "additionalProperties": false, "description": "The `connpool` section defines configuration parameters related to the Tarantool connection pool that can be used to communicate with other instances within the cluster.", "properties": { "idle_timeout": { "default": 60, "description": "Tarantool connection pool automatically manages connections to the instances and automatically closes the ones that are not needed for a while.\n\nThis option controls a timeout (in seconds) in which the unused connections would be closed.\n\nNote: this option does not affect the connections opened by `connpool.connect()` since in that case, the user has direct access to the connection object.", "type": "number" } }, "type": "object" }, "console": { "additionalProperties": false, "description": "Configure the administrative console. A client to the console is `tt connect`.", "properties": { "enabled": { "default": true, "description": "Whether to listen on the Unix socket provided in the console.socket option.\n\nIf the option is set to `false`, the administrative console is disabled.", "type": "boolean" }, "socket": { "default": "var/run/{{ instance_name }}/tarantool.control", "description": "The Unix socket for the administrative console.\n\nMind the following nuances:\n\n- Only a Unix domain socket is allowed. A TCP socket can't be configured this way.\n- `console.socket` is a file path, without any `unix:` or `unix/:` prefixes.\n- If the file path is a relative path, it is interpreted relative to `process.work_dir`.", "type": "string" } }, "type": "object" }, "credentials": { "additionalProperties": false, "description": "The `credentials` section allows you to create users and grant them the specified privileges.", "properties": { "roles": { "additionalProperties": { "additionalProperties": false, "description": "A role definition.", "properties": { "privileges": { "description": "An array of privileges granted to this role.", "items": { "additionalProperties": false, "description": "Privileges that can be granted to a user with this role.", "properties": { "functions": { "description": "Registered functions to which user with this role gets the specified permissions.", "items": { "description": "Function name.", "type": "string" }, "type": "array" }, "lua_call": { "description": "Defines the Lua functions that the user with this role has permission to call. This field accepts a special value, `all`, which grants the privilege to use any global non-built-in Lua functions.", "items": { "description": "Lua function name.", "type": "string" }, "type": "array" }, "lua_eval": { "description": "Whether this user with this role can execute arbitrary Lua code.", "type": "boolean" }, "permissions": { "description": "Permissions assigned to user with this role.", "items": { "description": "Permission name.", "enum": [ "read", "write", "execute", "create", "alter", "drop", "usage", "session" ], "type": "string" }, "type": "array", "uniqueItems": true }, "sequences": { "description": "Sequences to which user with this role gets the specified permissions.", "items": { "description": "Sequence name.", "type": "string" }, "type": "array" }, "spaces": { "description": "Spaces to which user with this role gets the specified permissions.", "items": { "description": "Space name.", "type": "string" }, "type": "array" }, "sql": { "description": "Whether user with this role can execute an arbitrary SQL expression.", "items": { "description": "SQL expression name.\n\nOnly `all` is allowed for now.", "enum": [ "all" ], "type": "string" }, "type": "array" }, "universe": { "description": "Grants global permissions across all object types in the database, including:\n\n- `read`: Read any object\n- `write`: Modify any object\n- `execute`: Execute functions or code\n- `session`: Connect via IPROTO\n- `usage`: Use granted privileges\n- `create`: Create users, roles, objects\n- `drop`: Remove users, roles, objects\n- `alter`: Modify settings or objects", "type": "boolean" } }, "type": "object" }, "type": "array" }, "roles": { "description": "An array of roles granted to this role.", "items": { "description": "Role name.", "type": "string" }, "type": "array" } }, "type": "object" }, "description": "An array of roles that can be granted to users or other roles.", "type": "object" }, "users": { "additionalProperties": { "additionalProperties": false, "description": "User name.", "properties": { "password": { "description": "A user's password.", "type": "string" }, "privileges": { "description": "An array of privileges granted to this user.", "items": { "additionalProperties": false, "description": "Privileges that can be granted to a user.", "properties": { "functions": { "description": "Registered functions to which this user gets the specified permissions.", "items": { "description": "Function name.", "type": "string" }, "type": "array" }, "lua_call": { "description": "Defines the Lua functions that the user has permission to call. This field accepts a special value, `all`, which grants the privilege to use any global non-built-in Lua functions.", "items": { "description": "Lua function name.", "type": "string" }, "type": "array" }, "lua_eval": { "description": "Whether this user can execute arbitrary Lua code.", "type": "boolean" }, "permissions": { "description": "Permissions assigned to this user or a user with this role.", "items": { "description": "Permission name.", "enum": [ "read", "write", "execute", "create", "alter", "drop", "usage", "session" ], "type": "string" }, "type": "array", "uniqueItems": true }, "sequences": { "description": "Sequences to which this user gets the specified permissions.", "items": { "description": "Sequence name.", "type": "string" }, "type": "array" }, "spaces": { "description": "Spaces to which this user gets the specified permissions.", "items": { "description": "Space name.", "type": "string" }, "type": "array" }, "sql": { "description": "Whether this user can execute an arbitrary SQL expression.", "items": { "description": "SQL expression name.\n\nOnly `all` is allowed for now.", "enum": [ "all" ], "type": "string" }, "type": "array" }, "universe": { "description": "Grants global permissions across all object types in the database, including:\n\n- `read`: Read any object\n- `write`: Modify any object\n- `execute`: Execute functions or code\n- `session`: Connect via IPROTO\n- `usage`: Use granted privileges\n- `create`: Create users, roles, objects\n- `drop`: Remove users, roles, objects\n- `alter`: Modify settings or objects", "type": "boolean" } }, "type": "object" }, "type": "array" }, "roles": { "description": "An array of roles granted to this user.", "items": { "description": "Role name.", "type": "string" }, "type": "array" } }, "type": "object" }, "description": "An array of users.", "type": "object" } }, "type": "object" }, "database": { "additionalProperties": false, "description": "The `database` section defines database-specific configuration parameters, such as an instance's read-write mode or transaction isolation level.", "properties": { "hot_standby": { "default": false, "description": "Whether to start the server in the hot standby mode. This mode can be used to provide failover without replication.\n\nNote: `database.hot_standby` has no effect:\n\n- If `wal.mode` is set to none.\n- If `wal.dir_rescan_delay` is set to a large value on macOS or FreeBSD. On these platforms, the hot standby mode is designed so that the loop repeats every `wal.dir_rescan_delay` seconds.\n- For spaces created with engine set to `vinyl`.", "type": "boolean" }, "instance_uuid": { "default": null, "description": "An instance UUID.\n\nBy default, instance UUIDs are generated automatically. `database.instance_uuid` can be used to specify an instance identifier manually.\n\nUUIDs should follow these rules:\n\n- The values must be true unique identifiers, not shared by other instances or replica sets within the common infrastructure.\n- The values must be used consistently, not changed after the initial setup. The initial values are stored in snapshot files and are checked whenever the system is restarted.\n- The values must comply with RFC 4122. The nil UUID is not allowed.\n\nNote: when upgrading from 2.x, `instance_uuid` and `replicaset_uuid` must be explicitly set in the configuration until the database schema upgrade is completed. After a full upgrade, these UUIDs can be removed from the configuration.", "type": "string" }, "mode": { "default": null, "description": "An instance's operating mode. This option is in effect if `replication.failover` is set to `off`.\n\nThe following modes are available:\n\n- `rw`: an instance is in read-write mode.\n- `ro`: an instance is in read-only mode.\n\nIf not specified explicitly, the default value depends on the number of instances in a replica set. For a single instance, the `rw` mode is used, while for multiple instances, the `ro` mode is used.", "enum": [ "ro", "rw" ], "type": "string" }, "replicaset_uuid": { "default": null, "description": "A replica set UUID.\n\nBy default, replica set UUIDs are generated automatically. `database.replicaset_uuid` can be used to specify a replica set identifier manually.\n\nNote: when upgrading from 2.x, `instance_uuid` and `replicaset_uuid` must be explicitly set in the configuration until the database schema upgrade is completed. After a full upgrade, these UUIDs can be removed from the configuration.", "type": "string" }, "txn_isolation": { "default": "best-effort", "description": "A transaction isolation level.", "enum": [ "read-committed", "read-confirmed", "best-effort" ], "type": "string" }, "txn_synchro_timeout": { "default": 5, "description": "A timeout (in seconds) after which the fiber is detached from synchronous transaction that is currently collecting quorum. After the timeout expires, the transaction is not rolled back but continues to wait for a quorum in background.", "type": "number" }, "txn_timeout": { "default": 3153600000, "description": "A timeout (in seconds) after which the transaction is rolled back.", "type": "number" }, "use_mvcc_engine": { "default": false, "description": "Whether the transactional manager is enabled.", "type": "boolean" } }, "type": "object" }, "failover": { "additionalProperties": false, "description": "The `failover` section defines parameters related to a supervised failover.", "properties": { "call_timeout": { "default": 1, "description": "A call timeout (in seconds) for connections used by monitoring and autofailover components.", "type": "number" }, "connect_timeout": { "default": 1, "description": "A connection timeout (in seconds) for connections used by monitoring and autofailover components.", "type": "number" }, "http": { "additionalProperties": false, "description": "The `failover.http` subsection configures HTTP listeners for the failover coordinator API. This functionality is available only in Tarantool Enterprise. It allows the failover coordinator to expose HTTP endpoints that provide monitoring metrics and health checks.", "properties": { "listen": { "description": "A list of HTTP endpoints that should be started for the failover coordinator. Each entry must describe a listener bound to a `localhost:` URI. These endpoints are used to expose metrics and other health check information about the failover coordinator.", "items": { "additionalProperties": false, "description": "This entry configures an individual HTTP listener for the failover coordinator. You can specify the URI and parameters for the listener.", "properties": { "params": { "additionalProperties": false, "description": "SSL parameters required for encrypted connections.", "properties": { "ssl_ca_file": { "description": "(Optional) A path to a trusted certificate authorities (CA) file. If not set, the peer won't be checked for authenticity.\n\nBoth a server and a client can use the ssl_ca_file parameter:\n\n- If it's on the server side, the server verifies the client.\n- If it's on the client side, the client verifies the server.\n- If both sides have the CA files, the server and the client verify each other.", "type": "string" }, "ssl_cert_file": { "description": "A path to an SSL certificate file:\n\n- For a server, it's mandatory.\n- For a client, it's mandatory if the ssl_ca_file parameter is set for a server; otherwise, optional.", "type": "string" }, "ssl_ciphers": { "description": "(Optional) A colon-separated (:) list of SSL cipher suites the connection can use. Note that the list is not validated: if a cipher suite is unknown, Tarantool ignores it, doesn't establish the connection, and writes to the log that no shared cipher was found.", "type": "string" }, "ssl_key_file": { "description": "A path to a private SSL key file:\n\n- For a server, it's mandatory.\n- For a client, it's mandatory if the `ssl_ca_file` parameter is set for a server; otherwise, optional.\n\nIf the private key is encrypted, provide a password for it in the `ssl_password` or `ssl_password_file` parameter", "type": "string" }, "ssl_password": { "description": "(Optional) A password for an encrypted private SSL key provided using `ssl_key_file`. Alternatively, the password can be provided in `ssl_password_file`.\n\nTarantool applies the `ssl_password` and `ssl_password_file` parameters in the following order:\n\n- If `ssl_password` is provided, Tarantool tries to decrypt the private key with it.\n- If `ssl_password` is incorrect or isn't provided, Tarantool tries all passwords from `ssl_password_file` one by one in the order they are written.\n- If `ssl_password` and all passwords from `ssl_password_file` are incorrect, or none of them is provided, Tarantool treats the private key as unencrypted.", "type": "string" }, "ssl_password_file": { "description": "(Optional) A text file with one or more passwords for encrypted private SSL keys provided using `ssl_key_file` (each on a separate line). Alternatively, the password can be provided in `ssl_password`.", "type": "string" }, "ssl_verify_client": { "default": "off", "description": "Controls whether the failover coordinator verifies client SSL certificates.\n\nThe option accepts the following values:\n\n- `off` (default): client certificates are not verified.\n- `on`: the server requires and verifies client certificates.\n- `optional`: the server verifies client certificates only if they are provided by the client.", "enum": [ "off", "on", "optional" ], "type": "string" }, "transport": { "description": "Allows you to enable traffic encryption for client-server communications over binary connections. In a Tarantool cluster, one instance might act as the server that accepts connections from other instances and the client that connects to other instances.\n\n`.params.transport` accepts one of the following values:\n\n- `plain` (default): turn off traffic encryption,\n- `ssl`: encrypt traffic by using the TLS 1.2 protocol (EE only).", "enum": [ "plain", "ssl" ], "type": "string" } }, "type": "object" }, "uri": { "description": "A URI in the `:` format that defines where the failover coordinator listens for HTTP requests.", "type": "string" } }, "type": "object" }, "type": "array" } }, "type": "object" }, "iproto": { "additionalProperties": false, "description": "IPROTO connection parameters for the failover coordinator. This functionality is available only in Tarantool Enterprise.", "properties": { "ssl": { "additionalProperties": false, "description": "SSL parameters used by the failover coordinator to connect to instances over IPROTO when SSL is enabled. This functionality is available only in Tarantool Enterprise.", "properties": { "ca_file": { "description": "(Optional) A path to a trusted certificate authorities (CA) file. If not set, the peer won't be checked for authenticity.\n\nBoth a server and a client can use the ca_file parameter:\n\n- If it's on the server side, the server verifies the client.\n- If it's on the client side, the client verifies the server.\n- If both sides have the CA files, the server and the client verify each other.", "type": "string" }, "ssl_cert": { "description": "A path to an SSL certificate file:\n\n- For a server, it's mandatory.\n- For a client, it's mandatory if the ca_file parameter is set for a server; otherwise, optional.", "type": "string" }, "ssl_ciphers": { "description": "(Optional) A colon-separated (:) list of SSL cipher suites the connection can use. Note that the list is not validated: if a cipher suite is unknown, Tarantool ignores it, doesn't establish the connection, and writes to the log that no shared cipher was found.", "type": "string" }, "ssl_key": { "description": "A path to a private SSL key file:\n\n- For a server, it's mandatory.\n- For a client, it's mandatory if the `ca_file` parameter is set for a server; otherwise, optional.\n\nIf the private key is encrypted, provide a password for it in the `ssl_password` or `ssl_password_file` parameter", "type": "string" }, "ssl_password": { "description": "(Optional) A password for an encrypted private SSL key provided using `ssl_key`. Alternatively, the password can be provided in `ssl_password_file`.\n\nTarantool applies the `ssl_password` and `ssl_password_file` parameters in the following order:\n\n- If `ssl_password` is provided, Tarantool tries to decrypt the private key with it.\n- If `ssl_password` is incorrect or isn't provided, Tarantool tries all passwords from `ssl_password_file` one by one in the order they are written.\n- If `ssl_password` and all passwords from `ssl_password_file` are incorrect, or none of them is provided, Tarantool treats the private key as unencrypted.", "type": "string" }, "ssl_password_file": { "description": "(Optional) A text file with one or more passwords for encrypted private SSL keys provided using `ssl_key` (each on a separate line). Alternatively, the password can be provided in `ssl_password`.", "type": "string" } }, "type": "object" } }, "type": "object" }, "lease_interval": { "default": 30, "description": "A time interval (in seconds) that specifies how long an instance should be a leader without renew requests from a coordinator. When this interval expires, the leader switches to read-only mode. This action is performed by the instance itself and works even if there is no connectivity between the instance and the coordinator.", "type": "number" }, "log": { "additionalProperties": false, "description": "This section defines configuration parameters related to logging for the supervised failover coordinator.", "properties": { "file": { "description": "Specify a file for failover logs destination. To write logs to a file, you need to set `failover.log.to` to `file`. Otherwise, `failover.log.file` is ignored.", "type": "string" }, "to": { "default": "stderr", "description": "Define the location for failover logs. This option accepts the following values:\n\n- `stderr`: write logs to the standard error stream\n- `file`: write logs to a file defined in `failover.log.file`", "enum": [ "stderr", "file" ], "type": "string" } }, "type": "object" }, "metrics": { "additionalProperties": false, "description": "The `failover.metrics` subsection configures metrics exporters for the failover coordinator. This functionality is available only in Tarantool Enterprise. It allows the failover coordinator to expose monitoring metrics through various formats like Prometheus, JSON, etc.", "properties": { "exporters": { "description": "A list of endpoints that expose the failover coordinator metrics. Each exporter corresponds to an HTTP endpoint and a specific format for the exported metrics.", "items": { "additionalProperties": false, "description": "This entry configures an individual exporter. You can specify the URI path and the format for the metrics.", "properties": { "format": { "default": "prometheus", "description": "A format of the exported metrics. Supported values are `prometheus`, `zabbix`, `telegraf`, and `json`. Each exporter will serve metrics in the specified format.", "enum": [ "prometheus", "zabbix", "telegraf", "json" ], "type": "string" }, "path": { "description": "A URI path that should be used to serve metrics. For example, `/metrics/prometheus`, `/metrics/json`, etc.", "type": "string" } }, "type": "object" }, "type": "array" } }, "type": "object" }, "probe_interval": { "default": 10, "description": "A time interval (in seconds) that specifies how often a monitoring service of the failover coordinator polls an instance for its status.", "type": "number" }, "renew_interval": { "default": 10, "description": "A time interval (in seconds) that specifies how often a failover coordinator sends read-write deadline renewals.", "type": "number" }, "replicasets": { "additionalProperties": { "additionalProperties": false, "description": "Failover coordinator options related to a particular replicaset.", "properties": { "learners": { "description": "Specify instances that are ignored by the supervised failover coordinator when selecting a master.\n\nNote: if a learner instance is in RW mode, the coordinator stops the failover process and waits until the instance transitions to RO mode.", "items": { "description": "Array of instance names to be ignored by the supervised failover coordinator when selecting a master.", "type": "string" }, "type": "array" }, "priority": { "additionalProperties": { "description": "A failover priority assigned to the given instance.", "type": "number" }, "description": "Priorities for the supervised failover mode.", "type": "object" }, "synchro_mode": { "default": false, "description": "The coordinator supports two leader appoint modes: one suits better for asynchronous replication, the other one better works for the quorum synchronous replication.\n\nFirst of all, it may be confusing that the synchronous replication is configured per-space in tarantool, but the supervised failover option is per-replicaset.\n\nTechnically a user can enable the synchro mode and mark only some spaces synchronous. However, this setup gives the worst of two worlds:\n\n- Asynchronous transactions are assumed as possibly depending from a result of previously started synchronous ones, so if there are sync transactions in fly, all the async ones are waiting for finishing of the sync ones. This way we sometimes get sync-level latency for async transactions.\n- Async transactions from the old leader, whose result is visible to a client, are not necessarily present in another availability zone. A network partitioning and repairing may lead to conflicting journals and disconnecting of the old leader from the replicaset until manual repairing activities are performed. It means that the autofailover may hurt the redundancy factor. And that happens frequently comparing to the usual async setup due to the stricter conflict detection strategy.\n\nTo sum up: in the mixed setup we pay twice (for async and qsync both -- possible conflicts and increased latency), but it rewards with a kind of 'sometimes you get better latency' comparing to qsync and 'sometimes you have linearizable writes' comparing to async. For most applications it seems worse than fair qsync (with all the spaces marked as synchronous).\n\nIn this description we assume either all asynchronous spaces or all synchronous ones.\n\n`synchro_mode` = `false` handles a replicaset with asynchronous replication: if all the spaces are created without the `is_sync` option. It is default.\n\n`synchro_mode` = `true` handles a replicaset with quorum synchronous replication: if the spaces have the `is_sync` option enabled.\n\nBefore describe how the modes work, let's introduce some terms.\n\nImagine, a network partitioning happens. If the old leader is not reachable from the active coordinator, it is *resigned* (goes to read-only). The coordinator performs the *autofailover*: it *appoints* the new leader (it goes to read-write). The appoint may or may not claim *synchro queue* ownership (to enable processing of synchronous transactions), it may or may not require a *quorum* of replicas to agree about the longest available journal; it depends on the chosen `synchro_mode`.\n\nOnce the connectivity is repaired, the old leader attempts to connect to the replicaset back. It succeeds or fails depending on whether the journals are *diverged* and depending on the *conflict detection* and the *conflict resolution* strategies.\n\nThe following description assumes such a network partitioning, when the old leader lost connectivity with the active coordinator, so the coordinator have to appoint a new leader. The power off or hardware break situations are similar, but the old leader goes back (if it is possible) only when it is repaired. This way we cover wide variety of situations using the network partitioning as an example.\n\nAlso, the active coordinator switch may occur in some network partitioning situations and it adds some delay to resigning and appointing. Other than that the autofailover process remains the same.\n\n`synchro_mode` = `false` works this way:\n\n- The network partitioning may leave the old leader with the journal, where the last transactions are not replicated to the other availability zone. As result, these transactions are not present on the future new leader.\n- The old leader resigns after failover.lease_interval.\n- The new leader is appointed without reaching any quorum of replicas. It works while at least one instance is available.\n- The new leader doesn't claim synchro queue ownership[^1].\n- When the connectivity is repaired, the old leader (read-only now) attempts to replicate the last transactions from the journal to the new leader.\n- If the journals are not diverged, or the conflict is not detected, or all the conflicts are resolved, the old leader successfully connects back to the replicaset. The redundancy is repaired.\n- Otherwise, the replica is disconnected from the replicaset. Some manual actions are needed to extract the conflicting journal entries, apply it to the new leader (if needed) and rebootstrap the old leader (wipe the data directory and start the instance from scratch).\n- The conflict detection strategy is weak[^2]: the only conflicts are attempts to insert the same key into an unique index twice[^3].\n- The conflict resolution is 'just fail' by default, but a user may setup its own conflict resolution triggers (ON CONFLICT or before_replace).\n\n[^1]: It works in assumption that the synchro queue owner has not been claimed before (for example, due to use of `replication.failover` = `election` in the past). It can be verified using `box.info.synchro.queue.owner`: it is expected to be zero. Otherwise, the whole replicaset is in read-only. box.ctl.demote() may repair this situation if it is unintended. [^2]: It is also true only if there is no synchro queue owner. [^3]: It may happen if the client retries a writing operation on the new leader after a failure with the old leader.\n\nTo sum up: here we have asynchronous replication guarantees. Plus autoapply of the journal tail from the old leader that may hurt data consistency. And each autofailover event may decrease the redundancy factor until some complicated manual actions are performed.\n\nThe on conflict triggers (before_replace in the Lua API) may be used to define automatic conflict resolution strategy that eliminates a need for manual action to return the redundancy back.\n\n`synchro_mode` = `true` works this way:\n\n- After the network partitioning, the old leader resigns. It rolls back transactions that are not confirmed by a quorum.\n- The new leader is chosen using a quorum based algorithm and it is guaranteed to have all the quorum approved transactions[^4].\n- N/2+1 available replicas are necessary for a successful appoint. It means that there is more room for the situation, when the whole replicaset is read-only: we can't choose a new leader if we can't reach N/2+1 replicas.\n- The new leader claims synchro queue ownership when becoming a leader[^5].\n- There is no room for a conflict, when the connectivity is repaired: each transaction either approved by the quorum or rolled back[^6].\n- The conflict detection strategy is strict: any divergence in the journals is considered a conflict. However, it shouldn't occur by the construction[^6].\n- The conflict resolution strategy is the same as for `synchro_mode` = `false`.\n\n[^4]: Technically speaking, `synchro_mode` = `true` enables `box.cfg.election_mode` = `manual` on instances. It tunes the `box.ctl.promote()` behavior to check the instance's vclock with a quorum of replicas before actual write itself as the new synchro queue owner. [^5]: By calling `box.ctl.promote()`. [^6]: If all the spaces are `is_sync` = `true`. So, again, mixing of async and sync spaces within one replicaset is not a good idea.\n\nTo sum up: the synchronous replication guarantees are given, which means linearizability for writing operations: once the transaction is confirmed for the client it can be observed even in case of a failure of one availability zone[^7]. The autofailover doesn't hurt redundancy, no manual rebootstrap required. However, if a redundancy factor lowers the N/2+1 bound, the whole replicaset is read-only. A strict conflict detection strategy adds an extra layer of protection against consistency violations.\n\n[^7]: You may also be interested in the txn_isolation = 'linearizable' box.begin/box.atomic option for linearizable reads.\n\nNote that `synchro_mode` = `true` doesn't support a setup with two availability zones for now. You need at least three zones for it. Future tarantool versions may provide the two zones setup support. Stay tuned!", "type": "boolean" } }, "type": "object" }, "description": "Failover coordinator options configured on the per-replicaset basis.", "type": "object" }, "replication_lag_threshold": { "default": 1, "description": "A replication lag threshold (in seconds). If an instance's replication lag exceeds this threshold, the supervised failover coordinator ignores the instance when selecting a new leader if `synchro_mode` is `true` for this replicaset. Default value is 1 second.", "type": "number" }, "stateboard": { "additionalProperties": false, "description": "This options define configuration parameters related to maintaining the state of failover coordinators in a remote etcd-based storage.", "properties": { "enabled": { "default": true, "description": "Enable or disable the failover coordinator stateboard.", "type": "boolean" }, "keepalive_interval": { "default": 10, "description": "A time interval (in seconds) that specifies how long a transient state information is stored and how quickly a lock expires.\n\nNote `failover.stateboard.keepalive_interval` should be smaller than `failover.lease_interval`. Otherwise, switching of a coordinator causes a replica set leader to go to read-only mode for some time.", "type": "number" }, "renew_interval": { "default": 2, "description": "A time interval (in seconds) that specifies how often a failover coordinator writes its state information to etcd. This option also determines the frequency at which an active coordinator reads new commands from etcd.", "type": "number" } }, "type": "object" } }, "type": "object" }, "feedback": { "additionalProperties": false, "description": "The `feedback` section describes configuration parameters for sending information about a running Tarantool instance to the specified feedback server.", "properties": { "crashinfo": { "default": true, "description": "Whether to send crash information in the case of an instance failure. This information includes:\n\n- General information from the `uname` output.\n- Build information.\n- The crash reason.\n- The stack trace.\n\nTo turn off sending crash information, set this option to `false`.", "type": "boolean" }, "enabled": { "default": true, "description": "Whether to send information about a running instance to the feedback server. To turn off sending feedback, set this option to `false`.", "type": "boolean" }, "host": { "default": "https://feedback.tarantool.io", "description": "The address to which information is sent.", "type": "string" }, "interval": { "default": 3600, "description": "The interval (in seconds) of sending information.", "type": "number" }, "metrics_collect_interval": { "default": 60, "description": "The interval (in seconds) for collecting metrics.", "type": "number" }, "metrics_limit": { "default": 1048576, "description": "The maximum size of memory (in bytes) used to store metrics before sending them to the feedback server. If the size of collected metrics exceeds this value, earlier metrics are dropped.", "type": "integer" }, "send_metrics": { "default": true, "description": "Whether to send metrics to the feedback server. Note that all collected metrics are dropped after sending them to the feedback server.", "type": "boolean" } }, "type": "object" }, "fiber": { "additionalProperties": false, "description": "The `fiber` section describes options related to configuring fibers, yields, and cooperative multitasking.", "properties": { "io_collect_interval": { "default": null, "description": "The time period (in seconds) a fiber sleeps between iterations of the event loop.\n\n`fiber.io_collect_interval` can be used to reduce CPU load in deployments where the number of client connections is large, but requests are not so frequent (for example, each connection issues just a handful of requests per second).", "type": "number" }, "slice": { "additionalProperties": false, "description": "This section describes options related to configuring time periods for fiber slices. See `fiber.set_max_slice` for details and examples.", "properties": { "err": { "default": 1, "description": "Set a time period (in seconds) that specifies the warning slice.", "type": "number" }, "warn": { "default": 0.5, "description": "Set a time period (in seconds) that specifies the error slice.", "type": "number" } }, "type": "object" }, "too_long_threshold": { "default": 0.5, "description": "If processing a request takes longer than the given period (in seconds), the fiber warns about it in the log.\n\n`fiber.too_long_threshold` has effect only if `log.level` is greater than or equal to 4 (`warn`).", "type": "number" }, "top": { "additionalProperties": false, "description": "This section describes options related to configuring the `fiber.top()` function, normally used for debug purposes. `fiber.top()` shows all alive fibers and their CPU consumption.", "properties": { "enabled": { "default": false, "description": "Enable or disable the `fiber.top()` function.\n\nEnabling `fiber.top()` slows down fiber switching by about 15%, so it is disabled by default.", "type": "boolean" } }, "type": "object" }, "tx_user_pool_size": { "default": 768, "description": "Specify the size of the fiber pool used in the TX thread for executing user-defined callbacks pushed via the `tnt_tx_push()` C API function. This pool operates similarly to the fiber pool for handling IProto requests, whose size is defined by `box.cfg.net_msg_max`.\n\nIncrease the pool size if the application requires executing a large number of concurrent callbacks, especially if they involve yielding operations or high transaction loads.\n\nNotes:\n\n- The callbacks are executed in the order they are pushed, but the completion order is undefined for yielding callbacks\n- Mismanaging the pool size or callback rate can lead to unpredictable latency or memory overflows (OOM)", "type": "integer" }, "worker_pool_threads": { "default": 4, "description": "The maximum number of threads to use during execution of certain internal processes (for example, `socket.getaddrinfo()` and `coio_call()`).", "type": "number" } }, "type": "object" }, "flightrec": { "additionalProperties": false, "description": "The flightrec section describes options related to the flight recorder configuration.", "properties": { "enabled": { "default": false, "description": "Enable the flight recorder.", "type": "boolean" }, "logs_log_level": { "default": 6, "description": "Specify the level of detail the log has. The default value is 6 (`VERBOSE`). You can learn more about log levels from the log_level option description. Note that the `flightrec.logs_log_level` value might differ from `log_level`.", "enum": [ 0, 1, 2, 3, 4, 5, 6, 7 ], "type": "integer" }, "logs_max_msg_size": { "default": 4096, "description": "Specify the maximum size (in bytes) of the log message. The log message is truncated if its size exceeds this limit.", "type": "integer" }, "logs_size": { "default": 10485760, "description": "Specify the size (in bytes) of the log storage. You can set this option to 0 to disable the log storage.", "type": "integer" }, "metrics_interval": { "default": 1, "description": "Specify the time interval (in seconds) that defines the frequency of dumping metrics. This value shouldn't exceed `flightrec.metrics_period`.", "type": "number" }, "metrics_period": { "default": 180, "description": "Specify the time period (in seconds) that defines how long metrics are stored from the moment of dump. So, this value defines how much historical metrics data is collected up to the moment of crash. The frequency of metric dumps is defined by `flightrec.metrics_interval`.", "type": "number" }, "requests_max_req_size": { "default": 16384, "description": "Specify the maximum size (in bytes) of a request entry. A request entry is truncated if this size is exceeded.", "type": "integer" }, "requests_max_res_size": { "default": 16384, "description": "Specify the maximum size (in bytes) of a response entry. A response entry is truncated if this size is exceeded.", "type": "integer" }, "requests_size": { "default": 10485760, "description": "Specify the size (in bytes) of storage for the request and response data. You can set this parameter to 0 to disable a storage of requests and responses.", "type": "integer" } }, "type": "object" }, "iproto": { "additionalProperties": false, "description": "The iproto section is used to configure parameters related to communicating to and between cluster instances.", "properties": { "advertise": { "additionalProperties": false, "description": "URIs for cluster members and external clients to let them know where to connect.", "properties": { "client": { "default": null, "description": "A URI used to advertise the current instance to clients.\n\nThe iproto.advertise.client option accepts a URI in the following formats:\n\n- An address: `host:port`.\n- A Unix domain socket: `unix/:`.\n\nNote that this option doesn't allow to set a username and password. If a remote client needs this information, it should be delivered outside of the cluster configuration.", "type": "string" }, "peer": { "additionalProperties": false, "description": "Settings used to advertise the current instance to other cluster members. The format of these settings is described in `iproto.advertise..*`.", "properties": { "login": { "description": "(Optional) A username used to connect to the current instance. If a username is not set, the guest user is used.", "type": "string" }, "params": { "additionalProperties": false, "description": "SSL parameters required for encrypted connections.", "properties": { "ssl_ca_file": { "description": "(Optional) A path to a trusted certificate authorities (CA) file. If not set, the peer won't be checked for authenticity.\n\nBoth a server and a client can use the ssl_ca_file parameter:\n\n- If it's on the server side, the server verifies the client.\n- If it's on the client side, the client verifies the server.\n- If both sides have the CA files, the server and the client verify each other.", "type": "string" }, "ssl_cert_file": { "description": "A path to an SSL certificate file:\n\n- For a server, it's mandatory.\n- For a client, it's mandatory if the ssl_ca_file parameter is set for a server; otherwise, optional.", "type": "string" }, "ssl_ciphers": { "description": "(Optional) A colon-separated (:) list of SSL cipher suites the connection can use. Note that the list is not validated: if a cipher suite is unknown, Tarantool ignores it, doesn't establish the connection, and writes to the log that no shared cipher was found.", "type": "string" }, "ssl_key_file": { "description": "A path to a private SSL key file:\n\n- For a server, it's mandatory.\n- For a client, it's mandatory if the `ssl_ca_file` parameter is set for a server; otherwise, optional.\n\nIf the private key is encrypted, provide a password for it in the `ssl_password` or `ssl_password_file` parameter", "type": "string" }, "ssl_password": { "description": "(Optional) A password for an encrypted private SSL key provided using `ssl_key_file`. Alternatively, the password can be provided in `ssl_password_file`.\n\nTarantool applies the `ssl_password` and `ssl_password_file` parameters in the following order:\n\n- If `ssl_password` is provided, Tarantool tries to decrypt the private key with it.\n- If `ssl_password` is incorrect or isn't provided, Tarantool tries all passwords from `ssl_password_file` one by one in the order they are written.\n- If `ssl_password` and all passwords from `ssl_password_file` are incorrect, or none of them is provided, Tarantool treats the private key as unencrypted.", "type": "string" }, "ssl_password_file": { "description": "(Optional) A text file with one or more passwords for encrypted private SSL keys provided using `ssl_key_file` (each on a separate line). Alternatively, the password can be provided in `ssl_password`.", "type": "string" }, "transport": { "description": "Allows you to enable traffic encryption for client-server communications over binary connections. In a Tarantool cluster, one instance might act as the server that accepts connections from other instances and the client that connects to other instances.\n\n`.params.transport` accepts one of the following values:\n\n- `plain` (default): turn off traffic encryption,\n- `ssl`: encrypt traffic by using the TLS 1.2 protocol (EE only).", "enum": [ "plain", "ssl" ], "type": "string" } }, "type": "object" }, "password": { "description": "(Optional) A password for the specified user. If a login is specified but a password is missing, it is taken from the user's credentials.", "type": "string" }, "uri": { "description": "(Optional) A URI used to advertise the current instance. By default, the URI defined in iproto.listen is used to advertise the current instance.", "type": "string" } }, "type": "object" }, "sharding": { "additionalProperties": false, "description": "Settings used to advertise the current instance to a router and rebalancer. The format of these settings is described in `iproto.advertise..*`.", "properties": { "login": { "description": "(Optional) A username used to connect to the current instance. If a username is not set, the guest user is used.", "type": "string" }, "params": { "additionalProperties": false, "description": "SSL parameters required for encrypted connections.", "properties": { "ssl_ca_file": { "description": "(Optional) A path to a trusted certificate authorities (CA) file. If not set, the peer won't be checked for authenticity.\n\nBoth a server and a client can use the ssl_ca_file parameter:\n\n- If it's on the server side, the server verifies the client.\n- If it's on the client side, the client verifies the server.\n- If both sides have the CA files, the server and the client verify each other.", "type": "string" }, "ssl_cert_file": { "description": "A path to an SSL certificate file:\n\n- For a server, it's mandatory.\n- For a client, it's mandatory if the ssl_ca_file parameter is set for a server; otherwise, optional.", "type": "string" }, "ssl_ciphers": { "description": "(Optional) A colon-separated (:) list of SSL cipher suites the connection can use. Note that the list is not validated: if a cipher suite is unknown, Tarantool ignores it, doesn't establish the connection, and writes to the log that no shared cipher was found.", "type": "string" }, "ssl_key_file": { "description": "A path to a private SSL key file:\n\n- For a server, it's mandatory.\n- For a client, it's mandatory if the `ssl_ca_file` parameter is set for a server; otherwise, optional.\n\nIf the private key is encrypted, provide a password for it in the `ssl_password` or `ssl_password_file` parameter", "type": "string" }, "ssl_password": { "description": "(Optional) A password for an encrypted private SSL key provided using `ssl_key_file`. Alternatively, the password can be provided in `ssl_password_file`.\n\nTarantool applies the `ssl_password` and `ssl_password_file` parameters in the following order:\n\n- If `ssl_password` is provided, Tarantool tries to decrypt the private key with it.\n- If `ssl_password` is incorrect or isn't provided, Tarantool tries all passwords from `ssl_password_file` one by one in the order they are written.\n- If `ssl_password` and all passwords from `ssl_password_file` are incorrect, or none of them is provided, Tarantool treats the private key as unencrypted.", "type": "string" }, "ssl_password_file": { "description": "(Optional) A text file with one or more passwords for encrypted private SSL keys provided using `ssl_key_file` (each on a separate line). Alternatively, the password can be provided in `ssl_password`.", "type": "string" }, "transport": { "description": "Allows you to enable traffic encryption for client-server communications over binary connections. In a Tarantool cluster, one instance might act as the server that accepts connections from other instances and the client that connects to other instances.\n\n`.params.transport` accepts one of the following values:\n\n- `plain` (default): turn off traffic encryption,\n- `ssl`: encrypt traffic by using the TLS 1.2 protocol (EE only).", "enum": [ "plain", "ssl" ], "type": "string" } }, "type": "object" }, "password": { "description": "(Optional) A password for the specified user. If a login is specified but a password is missing, it is taken from the user's credentials.", "type": "string" }, "uri": { "description": "(Optional) A URI used to advertise the current instance. By default, the URI defined in iproto.listen is used to advertise the current instance.", "type": "string" } }, "type": "object" } }, "type": "object" }, "listen": { "default": null, "description": "An array of URIs used to listen for incoming requests. If required, you can enable SSL for specific URIs by providing additional parameters (`iproto.listen.*.params`).", "items": { "additionalProperties": false, "description": "Iproto listening socket definition.\n\nAllows to set an URI (`unix/:` or `host:port`) and SSL parameters. Minimal example: `{uri: 127.0.0.1:3301}`.", "properties": { "params": { "additionalProperties": false, "description": "SSL parameters required for encrypted connections.", "properties": { "ssl_ca_file": { "description": "(Optional) A path to a trusted certificate authorities (CA) file. If not set, the peer won't be checked for authenticity.\n\nBoth a server and a client can use the ssl_ca_file parameter:\n\n- If it's on the server side, the server verifies the client.\n- If it's on the client side, the client verifies the server.\n- If both sides have the CA files, the server and the client verify each other.", "type": "string" }, "ssl_cert_file": { "description": "A path to an SSL certificate file:\n\n- For a server, it's mandatory.\n- For a client, it's mandatory if the ssl_ca_file parameter is set for a server; otherwise, optional.", "type": "string" }, "ssl_ciphers": { "description": "(Optional) A colon-separated (:) list of SSL cipher suites the connection can use. Note that the list is not validated: if a cipher suite is unknown, Tarantool ignores it, doesn't establish the connection, and writes to the log that no shared cipher was found.", "type": "string" }, "ssl_key_file": { "description": "A path to a private SSL key file:\n\n- For a server, it's mandatory.\n- For a client, it's mandatory if the `ssl_ca_file` parameter is set for a server; otherwise, optional.\n\nIf the private key is encrypted, provide a password for it in the `ssl_password` or `ssl_password_file` parameter", "type": "string" }, "ssl_password": { "description": "(Optional) A password for an encrypted private SSL key provided using `ssl_key_file`. Alternatively, the password can be provided in `ssl_password_file`.\n\nTarantool applies the `ssl_password` and `ssl_password_file` parameters in the following order:\n\n- If `ssl_password` is provided, Tarantool tries to decrypt the private key with it.\n- If `ssl_password` is incorrect or isn't provided, Tarantool tries all passwords from `ssl_password_file` one by one in the order they are written.\n- If `ssl_password` and all passwords from `ssl_password_file` are incorrect, or none of them is provided, Tarantool treats the private key as unencrypted.", "type": "string" }, "ssl_password_file": { "description": "(Optional) A text file with one or more passwords for encrypted private SSL keys provided using `ssl_key_file` (each on a separate line). Alternatively, the password can be provided in `ssl_password`.", "type": "string" }, "transport": { "description": "Allows you to enable traffic encryption for client-server communications over binary connections. In a Tarantool cluster, one instance might act as the server that accepts connections from other instances and the client that connects to other instances.\n\n`.params.transport` accepts one of the following values:\n\n- `plain` (default): turn off traffic encryption,\n- `ssl`: encrypt traffic by using the TLS 1.2 protocol (EE only).", "enum": [ "plain", "ssl" ], "type": "string" } }, "type": "object" }, "uri": { "description": "An array of URIs used to listen for incoming requests. If required, you can enable SSL for specific URIs by providing additional parameters (`iproto.listen.*.params`).\n\nNote: the `iproto.listen.*.uri` string can't contain a login or a password, it has no sense for a listening socket.\n\nThe query-parameter form of setting SSL options is forbidden in the URI string. Use the `iproto.listen.*.params` for them.", "type": "string" } }, "type": "object" }, "type": "array" }, "net_msg_max": { "default": 768, "description": "To handle messages, Tarantool allocates fibers. To prevent fiber overhead from affecting the whole system, Tarantool restricts how many messages the fibers handle, so that some pending requests are blocked.\n\n- On powerful systems, increase `net_msg_max`, and the scheduler starts processing pending requests immediately.\n- On weaker systems, decrease `net_msg_max`, and the overhead may decrease. However, this may take some time because the scheduler must wait until already-running requests finish.\n\nWhen `net_msg_max` is reached, Tarantool suspends processing of incoming packages until it has processed earlier messages. This is not a direct restriction of the number of fibers that handle network messages, rather it is a system-wide restriction of channel bandwidth. This in turn restricts the number of incoming network messages that the transaction processor thread handles, and therefore indirectly affects the fibers that handle network messages.", "type": "integer" }, "readahead": { "default": 16320, "description": "The size of the read-ahead buffer associated with a client connection. The larger the buffer, the more memory an active connection consumes, and the more requests can be read from the operating system buffer in a single system call.\n\nThe recommendation is to make sure that the buffer can contain at least a few dozen requests. Therefore, if a typical tuple in a request is large, e.g. a few kilobytes or even megabytes, the read-ahead buffer size should be increased. If batched request processing is not used, it's prudent to leave this setting at its default.", "type": "integer" }, "ssl": { "additionalProperties": false, "description": "SSL parameters required for encrypted connections. These parameters would be used to set up SSL IProto sockets and to connect to other instances which require certificate authority (CA).", "properties": { "ca_file": { "description": "(Optional) A path to a trusted certificate authorities (CA) file. If not set, the peer won't be checked for authenticity.\n\nBoth a server and a client can use the ca_file parameter:\n\n- If it's on the server side, the server verifies the client.\n- If it's on the client side, the client verifies the server.\n- If both sides have the CA files, the server and the client verify each other.", "type": "string" }, "ssl_cert": { "description": "A path to an SSL certificate file:\n\n- For a server, it's mandatory.\n- For a client, it's mandatory if the ca_file parameter is set for a server; otherwise, optional.", "type": "string" }, "ssl_ciphers": { "description": "(Optional) A colon-separated (:) list of SSL cipher suites the connection can use. Note that the list is not validated: if a cipher suite is unknown, Tarantool ignores it, doesn't establish the connection, and writes to the log that no shared cipher was found.", "type": "string" }, "ssl_key": { "description": "A path to a private SSL key file:\n\n- For a server, it's mandatory.\n- For a client, it's mandatory if the `ca_file` parameter is set for a server; otherwise, optional.\n\nIf the private key is encrypted, provide a password for it in the `ssl_password` or `ssl_password_file` parameter", "type": "string" }, "ssl_password": { "description": "(Optional) A password for an encrypted private SSL key provided using `ssl_key`. Alternatively, the password can be provided in `ssl_password_file`.\n\nTarantool applies the `ssl_password` and `ssl_password_file` parameters in the following order:\n\n- If `ssl_password` is provided, Tarantool tries to decrypt the private key with it.\n- If `ssl_password` is incorrect or isn't provided, Tarantool tries all passwords from `ssl_password_file` one by one in the order they are written.\n- If `ssl_password` and all passwords from `ssl_password_file` are incorrect, or none of them is provided, Tarantool treats the private key as unencrypted.", "type": "string" }, "ssl_password_file": { "description": "(Optional) A text file with one or more passwords for encrypted private SSL keys provided using `ssl_key` (each on a separate line). Alternatively, the password can be provided in `ssl_password`.", "type": "string" } }, "type": "object" }, "threads": { "default": 1, "description": "The number of network threads. There can be unusual workloads where the network thread is 100% loaded and the transaction processor thread is not, so the network thread is a bottleneck. In that case, set `iproto_threads` to 2 or more. The operating system kernel determines which connection goes to which thread.", "type": "integer" } }, "type": "object" }, "isolated": { "default": false, "description": "Temporarily isolate an instance to perform replicaset repairing activities, such as debugging a problem on the isolated instance without affecting the non-isolated part or extracting data from the isolated instance to apply on the non-isolated part of the replicaset.\n\nEffects of isolation:\n\n- The instance stops listening for new IProto connections.\n- All current IProto connections are dropped.\n- The instance switches to read-only mode.\n- The instance disconnects from all replication upstreams.\n- Other replicaset members exclude the isolated instance from their replication upstreams.\n\nNote: the isolated instance can't be bootstrapped (a local snapshot is required to start).", "type": "boolean" }, "labels": { "additionalProperties": { "description": "A value of the label with the specified name.", "type": "string" }, "description": "The `labels` section allows adding custom attributes to the instance. The keys and values are strings.", "type": "object" }, "log": { "additionalProperties": false, "description": "The `log` section defines configuration parameters related to logging. To handle logging in your application, use the log module.", "properties": { "file": { "default": "var/log/{{ instance_name }}/tarantool.log", "description": "Specify a file for logs destination. To write logs to a file, you need to set `log.to` to file. Otherwise, `log.file` is ignored.", "type": "string" }, "format": { "default": "plain", "description": "Specify a format that is used for a log entry. The following formats are supported:\n\n- `plain`: a log entry is formatted as plain text.\n- `json`: a log entry is formatted as JSON and includes additional fields.", "enum": [ "plain", "json" ], "type": "string" }, "level": { "default": 5, "description": "Specify the level of detail logs have. There are the following levels:\n\n- 0: `fatal`\n- 1: `syserror`\n- 2: `error`\n- 3: `crit`\n- 4: `warn`\n- 5: `info`\n- 6: `verbose`\n- 7: `debug`\n\nBy setting log.level, you can enable logging of all events with severities above or equal to the given level.", "enum": [ 0, "fatal", 1, "syserror", 2, "error", 3, "crit", 4, "warn", 5, "info", 6, "verbose", 7, "debug" ], "type": [ "string", "number" ] }, "modules": { "additionalProperties": { "description": "The log level.\n\nFor example: you have module placed by the following path: `test/module.lua`. To configure logging levels, you need to provide module names corresponding to paths to these modules: `test.module: 'verbose'`.", "type": [ "string", "number" ] }, "default": null, "description": "Configure the specified log levels (`log.level`) for different modules.\n\nYou can specify a logging level for the following module types:\n\n- Modules (files) that use the default logger.\n- Modules that use custom loggers created using the `log.new()` function.\n- The tarantool module that enables you to configure the logging level for Tarantool core messages. Specifically, it configures the logging level for messages logged from non-Lua code, including C modules.", "type": "object" }, "nonblock": { "default": false, "description": "Specify the logging behavior if the system is not ready to write. If set to `true`, Tarantool does not block during logging if the system is non-writable and writes a message instead. Using this value may improve logging performance at the cost of losing some log messages.", "type": "boolean" }, "pipe": { "default": null, "description": "Start a program and write logs to its standard input (`stdin`). To send logs to a program's standard input, you need to set `log.to` to `pipe`.", "type": "string" }, "syslog": { "additionalProperties": false, "description": "Syslog configurations parameters. To write logs to syslog, you need to set `log.to` to `syslog`.", "properties": { "facility": { "default": "local7", "description": "Specify the syslog facility to be used when syslog is enabled. To write logs to syslog, you need to set `log.to` to `syslog`.", "type": "string" }, "identity": { "default": "tarantool", "description": "Specify an application name used to identify Tarantool messages in syslog logs. To write logs to syslog, you need to set `log.to` to `syslog`.", "type": "string" }, "server": { "default": null, "description": "Set a location of a syslog server. This option accepts one of the following values:\n\n- An address. Example: `127.0.0.1:514`.\n- A Unix socket path starting with `unix:`. Examples: `unix:/dev/log` on Linux or `unix:/var/run/syslog` on macOS.\n\nTo write logs to syslog, you need to set `log.to` to `syslog`.", "type": "string" } }, "type": "object" }, "to": { "default": "stderr", "description": "Define a location Tarantool sends logs to. This option accepts the following values:\n\n- `stderr`: write logs to the standard error stream.\n- `file`: write logs to a file.\n- `pipe`: start a program and write logs to its standard input.\n- `syslog`: write logs to a system logger.", "enum": [ "stderr", "file", "pipe", "syslog" ], "type": "string" } }, "type": "object" }, "lua": { "additionalProperties": false, "description": "This section defines configuration parameters related to Lua within Tarantool.", "properties": { "memory": { "default": 2147483648, "description": "Define amount of memory available to Lua in bytes. Default is 2GB, with a minimum of 256MB.\n\nThe limit can be adjusted dynamically if the new value is greater than the used memory amount. Otherwise, a restart is required for changes to take effect.", "type": "integer" } }, "type": "object" }, "memtx": { "additionalProperties": false, "description": "This section is used to configure parameters related to the memtx engine.", "properties": { "allocator": { "default": "small", "description": "Specify the allocator that manages memory for memtx tuples. Possible values:\n\n- `system` - the memory is allocated as needed, checking that the quota is not exceeded. The allocator is based on the `malloc` function.\n- `small` - a slab allocator. The allocator repeatedly uses a memory block to allocate objects of the same type. Note that this allocator is prone to unresolvable fragmentation on specific workloads, so you can switch to `system` in such cases.", "enum": [ "small", "system" ], "type": "string" }, "max_tuple_size": { "default": 1048576, "description": "Size of the largest allocation unit for the memtx storage engine in bytes. It can be increased if it is necessary to store large tuples.", "type": "integer" }, "memory": { "default": 268435456, "description": "The amount of memory in bytes that Tarantool allocates to store tuples. When the limit is reached, `INSERT` and `UPDATE` requests fail with the `ER_MEMORY_ISSUE` error. The server does not go beyond the `memtx.memory` limit to allocate tuples, but there is additional memory used to store indexes and connection information.", "type": "integer" }, "min_tuple_size": { "default": 16, "description": "Size of the smallest allocation unit in bytes. It can be decreased if most of the tuples are very small.", "type": "integer" }, "slab_alloc_factor": { "default": 1.05, "description": "The multiplier for computing the sizes of memory chunks that tuples are stored in. A lower value may result in less wasted memory depending on the total amount of memory available and the distribution of item sizes.", "type": "number" }, "slab_alloc_granularity": { "default": 8, "description": "Specify the granularity in bytes of memory allocation in the small allocator. The `memtx.slab_alloc_granularity` value should meet the following conditions:\n\n- The value is a power of two.\n- The value is greater than or equal to 4.\n\nBelow are few recommendations on how to adjust the `memtx.slab_alloc_granularity option`:\n\n- If the tuples in space are small and have about the same size, set the option to 4 bytes to save memory.\n- If the tuples are different-sized, increase the option value to allocate tuples from the same `mempool` (memory pool).", "type": "integer" }, "sort_threads": { "default": null, "description": "The number of threads from the thread pool used to sort keys of secondary indexes on loading a `memtx` database. The minimum value is 1, the maximum value is 256. The default is to use all available cores.", "type": "integer" }, "use_sort_data": { "default": false, "description": "Whether to use the O(n) secondary key sort using additional snapshot data (if the latter is available) and write the data during `box.snapshot()`.", "type": "boolean" } }, "type": "object" }, "metrics": { "additionalProperties": false, "description": "The `metrics` section provides the ability to collect and expose Tarantool metrics (e.g. network, cpu, memtx and others).", "properties": { "exclude": { "description": "An array containing groups of metrics to turn off. The array can contain the same values as the `exclude` configuration parameter passed to `metrics.cfg()`.", "items": { "description": "A name of a group of metrics.", "enum": [ "all", "network", "operations", "system", "replicas", "info", "slab", "runtime", "memory", "spaces", "fibers", "cpu", "vinyl", "memtx", "luajit", "clock", "event_loop", "cpu_extended", "schema" ], "type": "string" }, "type": "array", "uniqueItems": true }, "include": { "description": "An array containing groups of metrics to turn on. The array can contain the same values as the `include` configuration parameter passed to `metrics.cfg()`.", "items": { "description": "A name of a group of metrics.", "enum": [ "all", "network", "operations", "system", "replicas", "info", "slab", "runtime", "memory", "spaces", "fibers", "cpu", "vinyl", "memtx", "luajit", "clock", "event_loop", "cpu_extended", "schema" ], "type": "string" }, "type": "array", "uniqueItems": true }, "labels": { "additionalProperties": { "description": "Label value.", "type": "string" }, "description": "Global labels to be added to every observation.", "type": "object" } }, "type": "object" }, "process": { "additionalProperties": false, "description": "The `process` section defines configuration parameters of the Tarantool process in the system.", "properties": { "background": { "default": false, "description": "Run the server as a daemon process.\n\nIf this option is set to true, Tarantool log location defined by the `log.to` option should be set to file, pipe, or syslog - anything other than stderr, the default, because a daemon process is detached from a terminal and it can't write to the terminal's stderr.\n\nWarn: Do not enable the background mode for applications intended to run by the tt utility.", "type": "boolean" }, "coredump": { "default": false, "description": "Create coredump files.\n\nUsually, an administrator needs to call `ulimit -c unlimited` (or set corresponding options in systemd's unit file) before running a Tarantool process to get core dumps. If `process.coredump` is enabled, Tarantool sets the corresponding resource limit by itself and the administrator doesn't need to call `ulimit -c unlimited` (see man 3 setrlimit).\n\nThis option also sets the state of the `dumpable` attribute, which is enabled by default, but may be dropped in some circumstances (according to man 2 prctl, see PR_SET_DUMPABLE).", "type": "boolean" }, "pid_file": { "default": "var/run/{{ instance_name }}/tarantool.pid", "description": "Store the process id in this file.\n\nThis option may contain a relative file path. In this case, it is interpreted as relative to `process.work_dir`.", "type": "string" }, "strip_core": { "default": true, "description": "Whether coredump files should not include memory allocated for tuples - this memory can be large if Tarantool runs under heavy load. Setting to `true` means \"do not include\".", "type": "boolean" }, "title": { "default": "tarantool - {{ instance_name }}", "description": "Add the given string to the server's process title (it is shown in the COMMAND column for the Linux commands `ps -ef` and `top -c`).", "type": "string" }, "username": { "default": null, "description": "The name of the system user to switch to after start.", "type": "string" }, "work_dir": { "default": null, "description": "A directory where Tarantool working files will be stored (database files, logs, a PID file, a console Unix socket, and other files if an application generates them in the current directory). The server instance switches to `process.work_dir` with chdir(2) after start.\n\nIf set as a relative file path, it is relative to the current working directory, from where Tarantool is started. If not specified, defaults to the current working directory.\n\nOther directory and file parameters, if set as relative paths, are interpreted as relative to `process.work_dir`, for example, directories for storing snapshots and write-ahead logs.", "type": "string" } }, "type": "object" }, "quiver": { "additionalProperties": false, "description": "This section defines configuration parameters related to the quiver storage engine.", "properties": { "dir": { "default": "var/lib/{{ instance_name }}", "description": "A directory where quiver files or subdirectories will be stored. This option may contain a relative file path. In this case, it is interpreted as relative to `process.work_dir`.", "type": "string" }, "memory": { "default": 134217728, "description": "The maximum size of in-memory buffers used for accumulating write requests. The quiver engine decides when it should start dumping in-memory buffers to disk depending on this parameter.", "type": "integer" }, "run_size": { "default": 16777216, "description": "The maximum size of a run file, in bytes. When the quiver engine dumps in-memory buffers to disk, it splits the output stream into files depending on this parameter.", "type": "integer" } }, "type": "object" }, "replicasets": { "additionalProperties": { "additionalProperties": false, "description": "A replica set definition.\n\nNote that the rules applied to a replica set name are the same as for groups. Learn more in `groups.`.", "properties": { "app": { "additionalProperties": false, "description": "Using Tarantool as an application server, you can run your own Lua applications. In the `app` section, you can load the application and provide an application configuration in the `app.cfg` section.", "properties": { "cfg": { "additionalProperties": { "description": "Mapping for arbitrary user-defined configuration values, accessible in the application via `config:get('app.cfg')`." }, "description": "A configuration of the application loaded using `app.file` or `app.module`.", "type": "object" }, "file": { "description": "A path to a Lua file to load an application from.", "type": "string" }, "module": { "description": "A Lua module to load an application from.", "type": "string" } }, "type": "object" }, "audit_log": { "additionalProperties": false, "description": "The `audit_log` section defines configuration parameters related to audit logging.", "properties": { "extract_key": { "default": false, "description": "If set to `true`, the audit subsystem extracts and prints only the primary key instead of full tuples in DML events (`space_insert`, `space_replace`, `space_delete`). Otherwise, full tuples are logged. The option may be useful in case tuples are big.", "type": "boolean" }, "file": { "default": "var/log/{{ instance_name }}/audit.log", "description": "Specify a file for the audit log destination. You can set the `file` type using the audit_log.to option. If you write logs to a file, Tarantool reopens the audit log at SIGHUP.", "type": "string" }, "filter": { "description": "Enable logging for a specified subset of audit events.", "items": { "description": "Specify a subset of audit events to log by providing a value from the allowed list of events or groups.", "enum": [ "audit_enable", "custom", "auth_ok", "auth_fail", "disconnect", "user_create", "user_drop", "role_create", "role_drop", "user_enable", "user_disable", "user_grant_rights", "user_revoke_rights", "role_grant_rights", "role_revoke_rights", "password_change", "access_denied", "eval", "call", "space_select", "space_create", "space_alter", "space_drop", "space_insert", "space_replace", "space_delete", "none", "all", "audit", "auth", "priv", "ddl", "dml", "data_operations", "compatibility" ], "type": "string" }, "type": "array", "uniqueItems": true }, "format": { "default": "json", "description": "Specify a format that is used for the audit log.", "enum": [ "plain", "json", "csv" ], "type": "string" }, "nonblock": { "default": false, "description": "Specify the logging behavior if the system is not ready to write. If set to `true`, Tarantool does not block during logging if the system is non-writable and writes a message instead. Using this value may improve logging performance at the cost of losing some log messages.", "type": "boolean" }, "pipe": { "default": null, "description": "Start a program and write logs to its standard input (`stdin`). To send logs to a program's standard input, you need to set `audit_log.to` to `pipe`.", "type": "string" }, "spaces": { "default": null, "description": "Specifies spaces for which data operation events (`space_select`, `space_insert`, `space_replace`, `space_delete`) should be logged.\n\nThis option accepts one of the following forms:\n\n- an array of space names;\n- a map where keys are space names and values are audit options.\n\nIf set to box.NULL, the data operation events are logged for all spaces." }, "syslog": { "additionalProperties": false, "description": "This module allows configuring the system logger (syslog) for audit logs in Tarantool. It provides options for specifying the syslog server, facility, and identity for logging messages.", "properties": { "facility": { "default": "local7", "description": "Define the syslog facility, which indicates the type of application generating the log entries (e.g. kernel, user-level, or system daemon). To enable syslog logging, set `audit_log.to` to `syslog`.", "type": "string" }, "identity": { "default": "tarantool", "description": "Specify an application name to show in logs. You can enable logging to a system logger using the `audit_log.to` option.", "type": "string" }, "server": { "default": null, "description": "Set a location for the syslog server. It can be a Unix socket path starting with \"unix:\" or an ipv4 port number. You can enable logging to a system logger using the `audit_log.to` option.", "type": "string" } }, "type": "object" }, "to": { "default": "devnull", "description": "Enable audit logging and define the log location.", "enum": [ "devnull", "file", "pipe", "syslog" ], "type": "string" } }, "type": "object" }, "bootstrap_leader": { "description": "A bootstrap leader for a replica set. To specify a bootstrap leader manually, you need to set `replication.bootstrap_strategy` to `config`.", "type": "string" }, "compat": { "additionalProperties": false, "description": "These options allow to redefine tarantool behavior in order to correspond to the previous or the next major version.", "properties": { "binary_data_decoding": { "default": "new", "description": "Define how to store binary data fields in Lua after decoding:\n\n- `new` (3.x default): as varbinary object\n- `old` (2.x default): as plain strings", "enum": [ "old", "new" ], "type": "string" }, "box_cfg_replication_sync_timeout": { "default": "new", "description": "Set a default replication sync timeout:\n\n- `new` (3.x default): 0\n- `old` (2.x default): 300 seconds", "enum": [ "old", "new" ], "type": "string" }, "box_consider_system_spaces_synchronous": { "default": "old", "description": "Whether to consider most system spaces as synchronized regardless of the `is_sync` space option:\n\n- `new` (4.x default): System spaces are synchronized when the synchronous queue is claimed (`box.info.synchro.queue.owner ~= 0`), except for `vinyl_defer_delete` (local space) and `sequence_data` (synchronized by synchronous user spaces operations)\n- `old` (3.x default): System spaces are not synchronized unless explicitly marked with the `is_sync` option", "enum": [ "old", "new" ], "type": "string" }, "box_error_serialize_verbose": { "default": "old", "description": "Set the verbosity of error objects serialization:\n\n- `new` (4.x default): serialize the error message together with other potentially useful fields\n- `old` (3.x default): serialize only the error message", "enum": [ "old", "new" ], "type": "string" }, "box_error_unpack_type_and_code": { "default": "old", "description": "Whether to show all the error fields in `box.error.unpack()`:\n\n- `new` (4.x default): do not show `base_type` and `custom_type` fields; do not show the `code` field if it is 0. Note that `base_type` is still accessible for an error object\n- `old` (3.x default): show all fields", "enum": [ "old", "new" ], "type": "string" }, "box_info_cluster_meaning": { "default": "new", "description": "Define the behavior of `box.info.cluster`:\n\n- `new` (3.x default): `box.info.cluster` shows info about the entire cluster, `box.info.replicaset` shows info about the replica set\n- `old` (2.x default): `box.info.cluster` shows info about the replica set", "enum": [ "old", "new" ], "type": "string" }, "box_recovery_triggers_deprecation": { "default": "old", "description": "Whether to trigger space and transactional events during local recovery or join:\n\n- `new` (4.x default): do not trigger events\n- `old` (3.x default): trigger events", "enum": [ "old", "new" ], "type": "string" }, "box_session_push_deprecation": { "default": "old", "description": "Whether to raise errors on attempts to call the deprecated function `box.session.push`:\n\n- `new` (4.x default): raise an error\n- `old` (3.x default): do not raise an error", "enum": [ "old", "new" ], "type": "string" }, "box_space_execute_priv": { "default": "new", "description": "Whether the `execute` privilege can be granted on spaces:\n\n- `new` (3.x default): an error is raised\n- `old` (2.x default): the privilege can be granted with no actual effect", "enum": [ "old", "new" ], "type": "string" }, "box_space_max": { "default": "new", "description": "Set the maximum space identifier (`box.schema.SPACE_MAX`):\n\n- `new` (3.x default): 2147483646\n- `old` (2.x default): 2147483647", "enum": [ "old", "new" ], "type": "string" }, "box_tuple_extension": { "default": "new", "description": "Controls `IPROTO_FEATURE_CALL_RET_TUPLE_EXTENSION` and `IPROTO_FEATURE_CALL_ARG_TUPLE_EXTENSION` feature bits that define tuple encoding in iproto call and eval requests.\n\n- `new` (3.x default): tuples with formats are encoded as `MP_TUPLE`\n- `old` (2.x default): tuples with formats are encoded as `MP_ARRAY`", "enum": [ "old", "new" ], "type": "string" }, "box_tuple_new_vararg": { "default": "new", "description": "Controls how `box.tuple.new` interprets an argument list:\n\n- `new` (3.x default): as a value with a tuple format\n- `old` (2.x default): as an array of tuple fields", "enum": [ "old", "new" ], "type": "string" }, "c_func_iproto_multireturn": { "default": "new", "description": "Controls wrapping of multiple results of a stored C function when returning them via iproto:\n\n- `new` (3.x default): return without wrapping (consistently with a local call via `box.func`)\n- `old` (2.x default): wrap results into a MessagePack array", "enum": [ "old", "new" ], "type": "string" }, "console_session_scope_vars": { "default": "old", "description": "Whether a console session has its own variable scope:\n\n- `new` (4.x default): non-local variable assignments are written to a variable scope attached to the console session\n- `old` (3.x default): all non-local variable assignments from the console are written to globals", "enum": [ "old", "new" ], "type": "string" }, "fiber_channel_close_mode": { "default": "new", "description": "Define the behavior of fiber channels after closing:\n\n- `new` (3.x default): mark the channel read-only\n- `old` (2.x default): destroy the channel object", "enum": [ "old", "new" ], "type": "string" }, "fiber_slice_default": { "default": "new", "description": "Define the maximum fiber execution time without a yield:\n\n- `new` (3.x default): `{warn = 0.5, err = 1.0}`\n- `old` (2.x default): infinity (no warnings or errors raised)", "enum": [ "old", "new" ], "type": "string" }, "json_escape_forward_slash": { "default": "new", "description": "Whether to escape the forward slash symbol \"/\" using a backslash in a `json.encode()` result:\n\n- `new` (3.x default): do not escape the forward slash\n- `old` (2.x default): escape the forward slash", "enum": [ "old", "new" ], "type": "string" }, "replication_synchro_timeout": { "default": "old", "description": "The `compat.replication_synchro_timeout` option controls transaction rollback due to `replication.synchro_timeout`.\n\n- `new` (4.x default): A synchronous transaction can remain in the synchro queue indefinitely until it reaches a quorum of confirmations. `replication.synchro_timeout` is used only to wait confirmation in promote/demote and gc-checkpointing. If some transaction in limbo did not have time to commit within `replication_synchro_timeout`, the corresponding operation: promote/demote or gc-checkpointing can be aborted automatically\n- `old` (3.x default): unconfirmed synchronous transactions are rolled back after a `replication.synchro_timeout`", "enum": [ "old", "new" ], "type": "string" }, "skip_replication_names": { "default": "new", "description": "The `compat.skip_replication_names` option controls whether Tarantool skips instance and replicaset name handling during replication startup.\n\n- `new` (3.x default): Tarantool applies `instance_name` and `replicaset_name` on startup and validates them against the snapshot data.\n- `old` (2.x default): Tarantool skips applying `instance_name` and `replicaset_name` on startup and does not validate them against the snapshot data. This mode is intended for upgrades from Tarantool 2.11, so a Tarantool 3.x+ instance configured via the declarative config can join a 2.11-compatible replicaset where the master snapshot may not contain names.", "enum": [ "old", "new" ], "type": "string" }, "sql_priv": { "default": "new", "description": "Whether to enable access checks for SQL requests over iproto:\n\n- `new` (3.x default): check the user's access permissions\n- `old` (2.x default): allow any user to execute SQL over iproto", "enum": [ "old", "new" ], "type": "string" }, "sql_seq_scan_default": { "default": "new", "description": "Controls the default value of the `sql_seq_scan` session setting:\n\n- `new` (3.x default): false\n- `old` (2.x default): true", "enum": [ "old", "new" ], "type": "string" }, "wal_cleanup_delay_deprecation": { "default": "old", "description": "Whether to use the option 'wal_cleanup_delay':\n\n- `new` (4.x default): raise an error\n- `old` (3.x default): log a deprecation warning", "enum": [ "old", "new" ], "type": "string" }, "yaml_pretty_multiline": { "default": "new", "description": "Whether to encode in block scalar style all multiline strings or ones containing the `\\n\\n` substring:\n\n- `new` (3.x default): all multiline strings\n- `old` (2.x default): only strings containing the `\\n\\n` substring", "enum": [ "old", "new" ], "type": "string" } }, "type": "object" }, "config": { "additionalProperties": false, "description": "The `config` section defines various parameters related to centralized configuration.", "properties": { "context": { "additionalProperties": { "additionalProperties": false, "description": "A context variable definition that specifies how to load it (e.g. from a file or an environment variable).", "properties": { "env": { "description": "The name of an environment variable to load a context variable from. To load a context variable from an environment variable, set `config.context..from` to `env`.", "type": "string" }, "file": { "description": "The path to a file to load a context variable from. To load a configuration value from a file, set `config.context..from` to `file`.", "type": "string" }, "from": { "description": "The type of storage to load a context variable from. There are the following storage types:\n\n- `file`: load a context variable from a file. In this case, you need to specify the path to the file using `config.context..file`\n- `env`: load a context variable from an environment variable. In this case, specify the environment variable name using `config.context..env`", "enum": [ "env", "file" ], "type": "string" }, "rstrip": { "description": "(Optional) Whether to strip whitespace characters and newlines from the end of data.", "type": "boolean" } }, "type": "object" }, "description": "Defines custom variables in the cluster configuration by loading values from an environment variable or a file.", "type": "object" }, "etcd": { "additionalProperties": false, "description": "This section describes options related to providing connection settings to a centralized etcd-based storage. If `replication.failover` is set to `supervised`, Tarantool also uses etcd to maintain the state of failover coordinators.", "properties": { "endpoints": { "description": "The list of endpoints used to access an etcd cluster.", "items": { "description": "etcd endpoint.\n\nFor example: `http://localhost:2379`.", "type": "string" }, "type": "array" }, "http": { "additionalProperties": false, "description": "HTTP client options for the etcd-client, used to fetch and subscribe to the cluster configuration stored in etcd.", "properties": { "request": { "additionalProperties": false, "description": "HTTP client request options.", "properties": { "interface": { "description": "Set the interface to use as outgoing network interface for the etcd configuration source.\n\nThe interface can be specified as an interface name, an IP address, or a hostname.\n\nSee https://curl.se/libcurl/c/CURLOPT_INTERFACE.html for details.", "type": "string" }, "timeout": { "description": "A time period required to process an HTTP request to an etcd server: from sending a request to receiving a response.", "type": "number" }, "unix_socket": { "description": "A Unix domain socket used to connect to an etcd server.", "type": "string" }, "verbose": { "description": "Whether to print debugging information about HTTP requests and responses issued by the etcd configuration source.\n\nThe information is written to stderr (disregarding tarantool log configuration). In a typical setup it arrives to journald.\n\nSee https://curl.se/libcurl/c/CURLOPT_VERBOSE.html for details.", "type": "boolean" } }, "type": "object" } }, "type": "object" }, "password": { "description": "A password used for authentication.", "type": "string" }, "prefix": { "description": "A key prefix used to search a configuration on an etcd server. Tarantool searches keys by the following path: `/config/*`. Note that `` should start with a slash (`/`).", "type": "string" }, "ssl": { "additionalProperties": false, "description": "TLS options.", "properties": { "ca_file": { "description": "A path to a trusted certificate authorities (CA) file.", "type": "string" }, "ca_path": { "description": "A path to a directory holding certificates to verify the peer with.", "type": "string" }, "ssl_cert": { "description": "A path to an SSL certificate file.", "type": "string" }, "ssl_key": { "description": "A path to a private SSL key file.", "type": "string" }, "verify_host": { "description": "Enable verification of the certificate's name (CN) against the specified host.", "type": "boolean" }, "verify_peer": { "description": "Enable verification of the peer's SSL certificate.", "type": "boolean" } }, "type": "object" }, "username": { "description": "A username used for authentication.", "type": "string" }, "watchers": { "additionalProperties": false, "description": "Options for watcher requests: watchcreate, watchwait and watchcancel.", "properties": { "reconnect_max_attempts": { "description": "The maximum number of attempts to reconnect to an etcd server in case of connection failure.", "type": "integer" }, "reconnect_timeout": { "description": "The timeout (in seconds) between attempts to reconnect to an etcd server in case of connection failure.", "type": "number" } }, "type": "object" } }, "type": "object" }, "reload": { "default": "auto", "description": "Specify how the configuration is reloaded. This option accepts the following values:\n\n- `auto`: configuration is reloaded automatically when it is changed.\n- `manual`: configuration should be reloaded manually. In this case, you can reload the configuration in the application code using `config:reload()`.", "enum": [ "auto", "manual" ], "type": "string" }, "storage": { "additionalProperties": false, "description": "This section describes options related to providing connection settings to a centralized Tarantool-based storage.", "properties": { "endpoints": { "description": "An array of endpoints used to access a configuration storage. Each endpoint can include the following fields:\n\n- `uri`: a URI of the configuration storage's instance.\n- `login`: a username used to connect to the instance.\n- `password`: a password used for authentication.\n- `params`: SSL parameters required for encrypted connections", "items": { "additionalProperties": false, "description": "Element that represents a configuration storage endpoint with the following fields:\n\n- `uri`: a URI of the configuration storage's instance.\n- `login`: a username used to connect to the instance.\n- `password`: a password used for authentication.\n- `params`: SSL parameters required for encrypted connections.", "properties": { "login": { "description": "A username used to connect to the instance.", "type": "string" }, "params": { "additionalProperties": false, "description": "SSL parameters required for encrypted connections.", "properties": { "ssl_ca_file": { "description": "(Optional) A path to a trusted certificate authorities (CA) file. If not set, the peer won't be checked for authenticity.\n\nBoth a server and a client can use the ssl_ca_file parameter:\n\n- If it's on the server side, the server verifies the client.\n- If it's on the client side, the client verifies the server.\n- If both sides have the CA files, the server and the client verify each other.", "type": "string" }, "ssl_cert_file": { "description": "A path to an SSL certificate file:\n\n- For a server, it's mandatory.\n- For a client, it's mandatory if the ssl_ca_file parameter is set for a server; otherwise, optional.", "type": "string" }, "ssl_ciphers": { "description": "(Optional) A colon-separated (:) list of SSL cipher suites the connection can use. Note that the list is not validated: if a cipher suite is unknown, Tarantool ignores it, doesn't establish the connection, and writes to the log that no shared cipher was found.", "type": "string" }, "ssl_key_file": { "description": "A path to a private SSL key file:\n\n- For a server, it's mandatory.\n- For a client, it's mandatory if the `ssl_ca_file` parameter is set for a server; otherwise, optional.\n\nIf the private key is encrypted, provide a password for it in the `ssl_password` or `ssl_password_file` parameter", "type": "string" }, "ssl_password": { "description": "(Optional) A password for an encrypted private SSL key provided using `ssl_key_file`. Alternatively, the password can be provided in `ssl_password_file`.\n\nTarantool applies the `ssl_password` and `ssl_password_file` parameters in the following order:\n\n- If `ssl_password` is provided, Tarantool tries to decrypt the private key with it.\n- If `ssl_password` is incorrect or isn't provided, Tarantool tries all passwords from `ssl_password_file` one by one in the order they are written.\n- If `ssl_password` and all passwords from `ssl_password_file` are incorrect, or none of them is provided, Tarantool treats the private key as unencrypted.", "type": "string" }, "ssl_password_file": { "description": "(Optional) A text file with one or more passwords for encrypted private SSL keys provided using `ssl_key_file` (each on a separate line). Alternatively, the password can be provided in `ssl_password`.", "type": "string" }, "transport": { "description": "Allows you to enable traffic encryption for client-server communications over binary connections. In a Tarantool cluster, one instance might act as the server that accepts connections from other instances and the client that connects to other instances.\n\n`.params.transport` accepts one of the following values:\n\n- `plain` (default): turn off traffic encryption,\n- `ssl`: encrypt traffic by using the TLS 1.2 protocol (EE only).", "enum": [ "plain", "ssl" ], "type": "string" } }, "type": "object" }, "password": { "description": "A password used for authentication.", "type": "string" }, "uri": { "description": "A URI of the configuration storage's instance.", "type": "string" } }, "type": "object" }, "type": "array" }, "prefix": { "description": "A key prefix used to search a configuration in a centralized configuration storage. Tarantool searches keys by the following path: `/config/*`. Note that `` should start with a slash (`/`).", "type": "string" }, "reconnect_after": { "default": 3, "description": "A number of seconds to wait before reconnecting to a configuration storage.", "type": "number" }, "timeout": { "default": 3, "description": "The interval (in seconds) to perform the status check of a configuration storage.", "type": "number" } }, "type": "object" } }, "type": "object" }, "connpool": { "additionalProperties": false, "description": "The `connpool` section defines configuration parameters related to the Tarantool connection pool that can be used to communicate with other instances within the cluster.", "properties": { "idle_timeout": { "default": 60, "description": "Tarantool connection pool automatically manages connections to the instances and automatically closes the ones that are not needed for a while.\n\nThis option controls a timeout (in seconds) in which the unused connections would be closed.\n\nNote: this option does not affect the connections opened by `connpool.connect()` since in that case, the user has direct access to the connection object.", "type": "number" } }, "type": "object" }, "console": { "additionalProperties": false, "description": "Configure the administrative console. A client to the console is `tt connect`.", "properties": { "enabled": { "default": true, "description": "Whether to listen on the Unix socket provided in the console.socket option.\n\nIf the option is set to `false`, the administrative console is disabled.", "type": "boolean" }, "socket": { "default": "var/run/{{ instance_name }}/tarantool.control", "description": "The Unix socket for the administrative console.\n\nMind the following nuances:\n\n- Only a Unix domain socket is allowed. A TCP socket can't be configured this way.\n- `console.socket` is a file path, without any `unix:` or `unix/:` prefixes.\n- If the file path is a relative path, it is interpreted relative to `process.work_dir`.", "type": "string" } }, "type": "object" }, "credentials": { "additionalProperties": false, "description": "The `credentials` section allows you to create users and grant them the specified privileges.", "properties": { "roles": { "additionalProperties": { "additionalProperties": false, "description": "A role definition.", "properties": { "privileges": { "description": "An array of privileges granted to this role.", "items": { "additionalProperties": false, "description": "Privileges that can be granted to a user with this role.", "properties": { "functions": { "description": "Registered functions to which user with this role gets the specified permissions.", "items": { "description": "Function name.", "type": "string" }, "type": "array" }, "lua_call": { "description": "Defines the Lua functions that the user with this role has permission to call. This field accepts a special value, `all`, which grants the privilege to use any global non-built-in Lua functions.", "items": { "description": "Lua function name.", "type": "string" }, "type": "array" }, "lua_eval": { "description": "Whether this user with this role can execute arbitrary Lua code.", "type": "boolean" }, "permissions": { "description": "Permissions assigned to user with this role.", "items": { "description": "Permission name.", "enum": [ "read", "write", "execute", "create", "alter", "drop", "usage", "session" ], "type": "string" }, "type": "array", "uniqueItems": true }, "sequences": { "description": "Sequences to which user with this role gets the specified permissions.", "items": { "description": "Sequence name.", "type": "string" }, "type": "array" }, "spaces": { "description": "Spaces to which user with this role gets the specified permissions.", "items": { "description": "Space name.", "type": "string" }, "type": "array" }, "sql": { "description": "Whether user with this role can execute an arbitrary SQL expression.", "items": { "description": "SQL expression name.\n\nOnly `all` is allowed for now.", "enum": [ "all" ], "type": "string" }, "type": "array" }, "universe": { "description": "Grants global permissions across all object types in the database, including:\n\n- `read`: Read any object\n- `write`: Modify any object\n- `execute`: Execute functions or code\n- `session`: Connect via IPROTO\n- `usage`: Use granted privileges\n- `create`: Create users, roles, objects\n- `drop`: Remove users, roles, objects\n- `alter`: Modify settings or objects", "type": "boolean" } }, "type": "object" }, "type": "array" }, "roles": { "description": "An array of roles granted to this role.", "items": { "description": "Role name.", "type": "string" }, "type": "array" } }, "type": "object" }, "description": "An array of roles that can be granted to users or other roles.", "type": "object" }, "users": { "additionalProperties": { "additionalProperties": false, "description": "User name.", "properties": { "password": { "description": "A user's password.", "type": "string" }, "privileges": { "description": "An array of privileges granted to this user.", "items": { "additionalProperties": false, "description": "Privileges that can be granted to a user.", "properties": { "functions": { "description": "Registered functions to which this user gets the specified permissions.", "items": { "description": "Function name.", "type": "string" }, "type": "array" }, "lua_call": { "description": "Defines the Lua functions that the user has permission to call. This field accepts a special value, `all`, which grants the privilege to use any global non-built-in Lua functions.", "items": { "description": "Lua function name.", "type": "string" }, "type": "array" }, "lua_eval": { "description": "Whether this user can execute arbitrary Lua code.", "type": "boolean" }, "permissions": { "description": "Permissions assigned to this user or a user with this role.", "items": { "description": "Permission name.", "enum": [ "read", "write", "execute", "create", "alter", "drop", "usage", "session" ], "type": "string" }, "type": "array", "uniqueItems": true }, "sequences": { "description": "Sequences to which this user gets the specified permissions.", "items": { "description": "Sequence name.", "type": "string" }, "type": "array" }, "spaces": { "description": "Spaces to which this user gets the specified permissions.", "items": { "description": "Space name.", "type": "string" }, "type": "array" }, "sql": { "description": "Whether this user can execute an arbitrary SQL expression.", "items": { "description": "SQL expression name.\n\nOnly `all` is allowed for now.", "enum": [ "all" ], "type": "string" }, "type": "array" }, "universe": { "description": "Grants global permissions across all object types in the database, including:\n\n- `read`: Read any object\n- `write`: Modify any object\n- `execute`: Execute functions or code\n- `session`: Connect via IPROTO\n- `usage`: Use granted privileges\n- `create`: Create users, roles, objects\n- `drop`: Remove users, roles, objects\n- `alter`: Modify settings or objects", "type": "boolean" } }, "type": "object" }, "type": "array" }, "roles": { "description": "An array of roles granted to this user.", "items": { "description": "Role name.", "type": "string" }, "type": "array" } }, "type": "object" }, "description": "An array of users.", "type": "object" } }, "type": "object" }, "database": { "additionalProperties": false, "description": "The `database` section defines database-specific configuration parameters, such as an instance's read-write mode or transaction isolation level.", "properties": { "hot_standby": { "default": false, "description": "Whether to start the server in the hot standby mode. This mode can be used to provide failover without replication.\n\nNote: `database.hot_standby` has no effect:\n\n- If `wal.mode` is set to none.\n- If `wal.dir_rescan_delay` is set to a large value on macOS or FreeBSD. On these platforms, the hot standby mode is designed so that the loop repeats every `wal.dir_rescan_delay` seconds.\n- For spaces created with engine set to `vinyl`.", "type": "boolean" }, "instance_uuid": { "default": null, "description": "An instance UUID.\n\nBy default, instance UUIDs are generated automatically. `database.instance_uuid` can be used to specify an instance identifier manually.\n\nUUIDs should follow these rules:\n\n- The values must be true unique identifiers, not shared by other instances or replica sets within the common infrastructure.\n- The values must be used consistently, not changed after the initial setup. The initial values are stored in snapshot files and are checked whenever the system is restarted.\n- The values must comply with RFC 4122. The nil UUID is not allowed.\n\nNote: when upgrading from 2.x, `instance_uuid` and `replicaset_uuid` must be explicitly set in the configuration until the database schema upgrade is completed. After a full upgrade, these UUIDs can be removed from the configuration.", "type": "string" }, "mode": { "default": null, "description": "An instance's operating mode. This option is in effect if `replication.failover` is set to `off`.\n\nThe following modes are available:\n\n- `rw`: an instance is in read-write mode.\n- `ro`: an instance is in read-only mode.\n\nIf not specified explicitly, the default value depends on the number of instances in a replica set. For a single instance, the `rw` mode is used, while for multiple instances, the `ro` mode is used.", "enum": [ "ro", "rw" ], "type": "string" }, "replicaset_uuid": { "default": null, "description": "A replica set UUID.\n\nBy default, replica set UUIDs are generated automatically. `database.replicaset_uuid` can be used to specify a replica set identifier manually.\n\nNote: when upgrading from 2.x, `instance_uuid` and `replicaset_uuid` must be explicitly set in the configuration until the database schema upgrade is completed. After a full upgrade, these UUIDs can be removed from the configuration.", "type": "string" }, "txn_isolation": { "default": "best-effort", "description": "A transaction isolation level.", "enum": [ "read-committed", "read-confirmed", "best-effort" ], "type": "string" }, "txn_synchro_timeout": { "default": 5, "description": "A timeout (in seconds) after which the fiber is detached from synchronous transaction that is currently collecting quorum. After the timeout expires, the transaction is not rolled back but continues to wait for a quorum in background.", "type": "number" }, "txn_timeout": { "default": 3153600000, "description": "A timeout (in seconds) after which the transaction is rolled back.", "type": "number" }, "use_mvcc_engine": { "default": false, "description": "Whether the transactional manager is enabled.", "type": "boolean" } }, "type": "object" }, "failover": { "additionalProperties": false, "description": "The `failover` section defines parameters related to a supervised failover.", "properties": { "call_timeout": { "default": 1, "description": "A call timeout (in seconds) for connections used by monitoring and autofailover components.", "type": "number" }, "connect_timeout": { "default": 1, "description": "A connection timeout (in seconds) for connections used by monitoring and autofailover components.", "type": "number" }, "http": { "additionalProperties": false, "description": "The `failover.http` subsection configures HTTP listeners for the failover coordinator API. This functionality is available only in Tarantool Enterprise. It allows the failover coordinator to expose HTTP endpoints that provide monitoring metrics and health checks.", "properties": { "listen": { "description": "A list of HTTP endpoints that should be started for the failover coordinator. Each entry must describe a listener bound to a `localhost:` URI. These endpoints are used to expose metrics and other health check information about the failover coordinator.", "items": { "additionalProperties": false, "description": "This entry configures an individual HTTP listener for the failover coordinator. You can specify the URI and parameters for the listener.", "properties": { "params": { "additionalProperties": false, "description": "SSL parameters required for encrypted connections.", "properties": { "ssl_ca_file": { "description": "(Optional) A path to a trusted certificate authorities (CA) file. If not set, the peer won't be checked for authenticity.\n\nBoth a server and a client can use the ssl_ca_file parameter:\n\n- If it's on the server side, the server verifies the client.\n- If it's on the client side, the client verifies the server.\n- If both sides have the CA files, the server and the client verify each other.", "type": "string" }, "ssl_cert_file": { "description": "A path to an SSL certificate file:\n\n- For a server, it's mandatory.\n- For a client, it's mandatory if the ssl_ca_file parameter is set for a server; otherwise, optional.", "type": "string" }, "ssl_ciphers": { "description": "(Optional) A colon-separated (:) list of SSL cipher suites the connection can use. Note that the list is not validated: if a cipher suite is unknown, Tarantool ignores it, doesn't establish the connection, and writes to the log that no shared cipher was found.", "type": "string" }, "ssl_key_file": { "description": "A path to a private SSL key file:\n\n- For a server, it's mandatory.\n- For a client, it's mandatory if the `ssl_ca_file` parameter is set for a server; otherwise, optional.\n\nIf the private key is encrypted, provide a password for it in the `ssl_password` or `ssl_password_file` parameter", "type": "string" }, "ssl_password": { "description": "(Optional) A password for an encrypted private SSL key provided using `ssl_key_file`. Alternatively, the password can be provided in `ssl_password_file`.\n\nTarantool applies the `ssl_password` and `ssl_password_file` parameters in the following order:\n\n- If `ssl_password` is provided, Tarantool tries to decrypt the private key with it.\n- If `ssl_password` is incorrect or isn't provided, Tarantool tries all passwords from `ssl_password_file` one by one in the order they are written.\n- If `ssl_password` and all passwords from `ssl_password_file` are incorrect, or none of them is provided, Tarantool treats the private key as unencrypted.", "type": "string" }, "ssl_password_file": { "description": "(Optional) A text file with one or more passwords for encrypted private SSL keys provided using `ssl_key_file` (each on a separate line). Alternatively, the password can be provided in `ssl_password`.", "type": "string" }, "ssl_verify_client": { "default": "off", "description": "Controls whether the failover coordinator verifies client SSL certificates.\n\nThe option accepts the following values:\n\n- `off` (default): client certificates are not verified.\n- `on`: the server requires and verifies client certificates.\n- `optional`: the server verifies client certificates only if they are provided by the client.", "enum": [ "off", "on", "optional" ], "type": "string" }, "transport": { "description": "Allows you to enable traffic encryption for client-server communications over binary connections. In a Tarantool cluster, one instance might act as the server that accepts connections from other instances and the client that connects to other instances.\n\n`.params.transport` accepts one of the following values:\n\n- `plain` (default): turn off traffic encryption,\n- `ssl`: encrypt traffic by using the TLS 1.2 protocol (EE only).", "enum": [ "plain", "ssl" ], "type": "string" } }, "type": "object" }, "uri": { "description": "A URI in the `:` format that defines where the failover coordinator listens for HTTP requests.", "type": "string" } }, "type": "object" }, "type": "array" } }, "type": "object" }, "iproto": { "additionalProperties": false, "description": "IPROTO connection parameters for the failover coordinator. This functionality is available only in Tarantool Enterprise.", "properties": { "ssl": { "additionalProperties": false, "description": "SSL parameters used by the failover coordinator to connect to instances over IPROTO when SSL is enabled. This functionality is available only in Tarantool Enterprise.", "properties": { "ca_file": { "description": "(Optional) A path to a trusted certificate authorities (CA) file. If not set, the peer won't be checked for authenticity.\n\nBoth a server and a client can use the ca_file parameter:\n\n- If it's on the server side, the server verifies the client.\n- If it's on the client side, the client verifies the server.\n- If both sides have the CA files, the server and the client verify each other.", "type": "string" }, "ssl_cert": { "description": "A path to an SSL certificate file:\n\n- For a server, it's mandatory.\n- For a client, it's mandatory if the ca_file parameter is set for a server; otherwise, optional.", "type": "string" }, "ssl_ciphers": { "description": "(Optional) A colon-separated (:) list of SSL cipher suites the connection can use. Note that the list is not validated: if a cipher suite is unknown, Tarantool ignores it, doesn't establish the connection, and writes to the log that no shared cipher was found.", "type": "string" }, "ssl_key": { "description": "A path to a private SSL key file:\n\n- For a server, it's mandatory.\n- For a client, it's mandatory if the `ca_file` parameter is set for a server; otherwise, optional.\n\nIf the private key is encrypted, provide a password for it in the `ssl_password` or `ssl_password_file` parameter", "type": "string" }, "ssl_password": { "description": "(Optional) A password for an encrypted private SSL key provided using `ssl_key`. Alternatively, the password can be provided in `ssl_password_file`.\n\nTarantool applies the `ssl_password` and `ssl_password_file` parameters in the following order:\n\n- If `ssl_password` is provided, Tarantool tries to decrypt the private key with it.\n- If `ssl_password` is incorrect or isn't provided, Tarantool tries all passwords from `ssl_password_file` one by one in the order they are written.\n- If `ssl_password` and all passwords from `ssl_password_file` are incorrect, or none of them is provided, Tarantool treats the private key as unencrypted.", "type": "string" }, "ssl_password_file": { "description": "(Optional) A text file with one or more passwords for encrypted private SSL keys provided using `ssl_key` (each on a separate line). Alternatively, the password can be provided in `ssl_password`.", "type": "string" } }, "type": "object" } }, "type": "object" }, "lease_interval": { "default": 30, "description": "A time interval (in seconds) that specifies how long an instance should be a leader without renew requests from a coordinator. When this interval expires, the leader switches to read-only mode. This action is performed by the instance itself and works even if there is no connectivity between the instance and the coordinator.", "type": "number" }, "log": { "additionalProperties": false, "description": "This section defines configuration parameters related to logging for the supervised failover coordinator.", "properties": { "file": { "description": "Specify a file for failover logs destination. To write logs to a file, you need to set `failover.log.to` to `file`. Otherwise, `failover.log.file` is ignored.", "type": "string" }, "to": { "default": "stderr", "description": "Define the location for failover logs. This option accepts the following values:\n\n- `stderr`: write logs to the standard error stream\n- `file`: write logs to a file defined in `failover.log.file`", "enum": [ "stderr", "file" ], "type": "string" } }, "type": "object" }, "metrics": { "additionalProperties": false, "description": "The `failover.metrics` subsection configures metrics exporters for the failover coordinator. This functionality is available only in Tarantool Enterprise. It allows the failover coordinator to expose monitoring metrics through various formats like Prometheus, JSON, etc.", "properties": { "exporters": { "description": "A list of endpoints that expose the failover coordinator metrics. Each exporter corresponds to an HTTP endpoint and a specific format for the exported metrics.", "items": { "additionalProperties": false, "description": "This entry configures an individual exporter. You can specify the URI path and the format for the metrics.", "properties": { "format": { "default": "prometheus", "description": "A format of the exported metrics. Supported values are `prometheus`, `zabbix`, `telegraf`, and `json`. Each exporter will serve metrics in the specified format.", "enum": [ "prometheus", "zabbix", "telegraf", "json" ], "type": "string" }, "path": { "description": "A URI path that should be used to serve metrics. For example, `/metrics/prometheus`, `/metrics/json`, etc.", "type": "string" } }, "type": "object" }, "type": "array" } }, "type": "object" }, "probe_interval": { "default": 10, "description": "A time interval (in seconds) that specifies how often a monitoring service of the failover coordinator polls an instance for its status.", "type": "number" }, "renew_interval": { "default": 10, "description": "A time interval (in seconds) that specifies how often a failover coordinator sends read-write deadline renewals.", "type": "number" }, "replicasets": { "additionalProperties": { "additionalProperties": false, "description": "Failover coordinator options related to a particular replicaset.", "properties": { "learners": { "description": "Specify instances that are ignored by the supervised failover coordinator when selecting a master.\n\nNote: if a learner instance is in RW mode, the coordinator stops the failover process and waits until the instance transitions to RO mode.", "items": { "description": "Array of instance names to be ignored by the supervised failover coordinator when selecting a master.", "type": "string" }, "type": "array" }, "priority": { "additionalProperties": { "description": "A failover priority assigned to the given instance.", "type": "number" }, "description": "Priorities for the supervised failover mode.", "type": "object" }, "synchro_mode": { "default": false, "description": "The coordinator supports two leader appoint modes: one suits better for asynchronous replication, the other one better works for the quorum synchronous replication.\n\nFirst of all, it may be confusing that the synchronous replication is configured per-space in tarantool, but the supervised failover option is per-replicaset.\n\nTechnically a user can enable the synchro mode and mark only some spaces synchronous. However, this setup gives the worst of two worlds:\n\n- Asynchronous transactions are assumed as possibly depending from a result of previously started synchronous ones, so if there are sync transactions in fly, all the async ones are waiting for finishing of the sync ones. This way we sometimes get sync-level latency for async transactions.\n- Async transactions from the old leader, whose result is visible to a client, are not necessarily present in another availability zone. A network partitioning and repairing may lead to conflicting journals and disconnecting of the old leader from the replicaset until manual repairing activities are performed. It means that the autofailover may hurt the redundancy factor. And that happens frequently comparing to the usual async setup due to the stricter conflict detection strategy.\n\nTo sum up: in the mixed setup we pay twice (for async and qsync both -- possible conflicts and increased latency), but it rewards with a kind of 'sometimes you get better latency' comparing to qsync and 'sometimes you have linearizable writes' comparing to async. For most applications it seems worse than fair qsync (with all the spaces marked as synchronous).\n\nIn this description we assume either all asynchronous spaces or all synchronous ones.\n\n`synchro_mode` = `false` handles a replicaset with asynchronous replication: if all the spaces are created without the `is_sync` option. It is default.\n\n`synchro_mode` = `true` handles a replicaset with quorum synchronous replication: if the spaces have the `is_sync` option enabled.\n\nBefore describe how the modes work, let's introduce some terms.\n\nImagine, a network partitioning happens. If the old leader is not reachable from the active coordinator, it is *resigned* (goes to read-only). The coordinator performs the *autofailover*: it *appoints* the new leader (it goes to read-write). The appoint may or may not claim *synchro queue* ownership (to enable processing of synchronous transactions), it may or may not require a *quorum* of replicas to agree about the longest available journal; it depends on the chosen `synchro_mode`.\n\nOnce the connectivity is repaired, the old leader attempts to connect to the replicaset back. It succeeds or fails depending on whether the journals are *diverged* and depending on the *conflict detection* and the *conflict resolution* strategies.\n\nThe following description assumes such a network partitioning, when the old leader lost connectivity with the active coordinator, so the coordinator have to appoint a new leader. The power off or hardware break situations are similar, but the old leader goes back (if it is possible) only when it is repaired. This way we cover wide variety of situations using the network partitioning as an example.\n\nAlso, the active coordinator switch may occur in some network partitioning situations and it adds some delay to resigning and appointing. Other than that the autofailover process remains the same.\n\n`synchro_mode` = `false` works this way:\n\n- The network partitioning may leave the old leader with the journal, where the last transactions are not replicated to the other availability zone. As result, these transactions are not present on the future new leader.\n- The old leader resigns after failover.lease_interval.\n- The new leader is appointed without reaching any quorum of replicas. It works while at least one instance is available.\n- The new leader doesn't claim synchro queue ownership[^1].\n- When the connectivity is repaired, the old leader (read-only now) attempts to replicate the last transactions from the journal to the new leader.\n- If the journals are not diverged, or the conflict is not detected, or all the conflicts are resolved, the old leader successfully connects back to the replicaset. The redundancy is repaired.\n- Otherwise, the replica is disconnected from the replicaset. Some manual actions are needed to extract the conflicting journal entries, apply it to the new leader (if needed) and rebootstrap the old leader (wipe the data directory and start the instance from scratch).\n- The conflict detection strategy is weak[^2]: the only conflicts are attempts to insert the same key into an unique index twice[^3].\n- The conflict resolution is 'just fail' by default, but a user may setup its own conflict resolution triggers (ON CONFLICT or before_replace).\n\n[^1]: It works in assumption that the synchro queue owner has not been claimed before (for example, due to use of `replication.failover` = `election` in the past). It can be verified using `box.info.synchro.queue.owner`: it is expected to be zero. Otherwise, the whole replicaset is in read-only. box.ctl.demote() may repair this situation if it is unintended. [^2]: It is also true only if there is no synchro queue owner. [^3]: It may happen if the client retries a writing operation on the new leader after a failure with the old leader.\n\nTo sum up: here we have asynchronous replication guarantees. Plus autoapply of the journal tail from the old leader that may hurt data consistency. And each autofailover event may decrease the redundancy factor until some complicated manual actions are performed.\n\nThe on conflict triggers (before_replace in the Lua API) may be used to define automatic conflict resolution strategy that eliminates a need for manual action to return the redundancy back.\n\n`synchro_mode` = `true` works this way:\n\n- After the network partitioning, the old leader resigns. It rolls back transactions that are not confirmed by a quorum.\n- The new leader is chosen using a quorum based algorithm and it is guaranteed to have all the quorum approved transactions[^4].\n- N/2+1 available replicas are necessary for a successful appoint. It means that there is more room for the situation, when the whole replicaset is read-only: we can't choose a new leader if we can't reach N/2+1 replicas.\n- The new leader claims synchro queue ownership when becoming a leader[^5].\n- There is no room for a conflict, when the connectivity is repaired: each transaction either approved by the quorum or rolled back[^6].\n- The conflict detection strategy is strict: any divergence in the journals is considered a conflict. However, it shouldn't occur by the construction[^6].\n- The conflict resolution strategy is the same as for `synchro_mode` = `false`.\n\n[^4]: Technically speaking, `synchro_mode` = `true` enables `box.cfg.election_mode` = `manual` on instances. It tunes the `box.ctl.promote()` behavior to check the instance's vclock with a quorum of replicas before actual write itself as the new synchro queue owner. [^5]: By calling `box.ctl.promote()`. [^6]: If all the spaces are `is_sync` = `true`. So, again, mixing of async and sync spaces within one replicaset is not a good idea.\n\nTo sum up: the synchronous replication guarantees are given, which means linearizability for writing operations: once the transaction is confirmed for the client it can be observed even in case of a failure of one availability zone[^7]. The autofailover doesn't hurt redundancy, no manual rebootstrap required. However, if a redundancy factor lowers the N/2+1 bound, the whole replicaset is read-only. A strict conflict detection strategy adds an extra layer of protection against consistency violations.\n\n[^7]: You may also be interested in the txn_isolation = 'linearizable' box.begin/box.atomic option for linearizable reads.\n\nNote that `synchro_mode` = `true` doesn't support a setup with two availability zones for now. You need at least three zones for it. Future tarantool versions may provide the two zones setup support. Stay tuned!", "type": "boolean" } }, "type": "object" }, "description": "Failover coordinator options configured on the per-replicaset basis.", "type": "object" }, "replication_lag_threshold": { "default": 1, "description": "A replication lag threshold (in seconds). If an instance's replication lag exceeds this threshold, the supervised failover coordinator ignores the instance when selecting a new leader if `synchro_mode` is `true` for this replicaset. Default value is 1 second.", "type": "number" }, "stateboard": { "additionalProperties": false, "description": "This options define configuration parameters related to maintaining the state of failover coordinators in a remote etcd-based storage.", "properties": { "enabled": { "default": true, "description": "Enable or disable the failover coordinator stateboard.", "type": "boolean" }, "keepalive_interval": { "default": 10, "description": "A time interval (in seconds) that specifies how long a transient state information is stored and how quickly a lock expires.\n\nNote `failover.stateboard.keepalive_interval` should be smaller than `failover.lease_interval`. Otherwise, switching of a coordinator causes a replica set leader to go to read-only mode for some time.", "type": "number" }, "renew_interval": { "default": 2, "description": "A time interval (in seconds) that specifies how often a failover coordinator writes its state information to etcd. This option also determines the frequency at which an active coordinator reads new commands from etcd.", "type": "number" } }, "type": "object" } }, "type": "object" }, "feedback": { "additionalProperties": false, "description": "The `feedback` section describes configuration parameters for sending information about a running Tarantool instance to the specified feedback server.", "properties": { "crashinfo": { "default": true, "description": "Whether to send crash information in the case of an instance failure. This information includes:\n\n- General information from the `uname` output.\n- Build information.\n- The crash reason.\n- The stack trace.\n\nTo turn off sending crash information, set this option to `false`.", "type": "boolean" }, "enabled": { "default": true, "description": "Whether to send information about a running instance to the feedback server. To turn off sending feedback, set this option to `false`.", "type": "boolean" }, "host": { "default": "https://feedback.tarantool.io", "description": "The address to which information is sent.", "type": "string" }, "interval": { "default": 3600, "description": "The interval (in seconds) of sending information.", "type": "number" }, "metrics_collect_interval": { "default": 60, "description": "The interval (in seconds) for collecting metrics.", "type": "number" }, "metrics_limit": { "default": 1048576, "description": "The maximum size of memory (in bytes) used to store metrics before sending them to the feedback server. If the size of collected metrics exceeds this value, earlier metrics are dropped.", "type": "integer" }, "send_metrics": { "default": true, "description": "Whether to send metrics to the feedback server. Note that all collected metrics are dropped after sending them to the feedback server.", "type": "boolean" } }, "type": "object" }, "fiber": { "additionalProperties": false, "description": "The `fiber` section describes options related to configuring fibers, yields, and cooperative multitasking.", "properties": { "io_collect_interval": { "default": null, "description": "The time period (in seconds) a fiber sleeps between iterations of the event loop.\n\n`fiber.io_collect_interval` can be used to reduce CPU load in deployments where the number of client connections is large, but requests are not so frequent (for example, each connection issues just a handful of requests per second).", "type": "number" }, "slice": { "additionalProperties": false, "description": "This section describes options related to configuring time periods for fiber slices. See `fiber.set_max_slice` for details and examples.", "properties": { "err": { "default": 1, "description": "Set a time period (in seconds) that specifies the warning slice.", "type": "number" }, "warn": { "default": 0.5, "description": "Set a time period (in seconds) that specifies the error slice.", "type": "number" } }, "type": "object" }, "too_long_threshold": { "default": 0.5, "description": "If processing a request takes longer than the given period (in seconds), the fiber warns about it in the log.\n\n`fiber.too_long_threshold` has effect only if `log.level` is greater than or equal to 4 (`warn`).", "type": "number" }, "top": { "additionalProperties": false, "description": "This section describes options related to configuring the `fiber.top()` function, normally used for debug purposes. `fiber.top()` shows all alive fibers and their CPU consumption.", "properties": { "enabled": { "default": false, "description": "Enable or disable the `fiber.top()` function.\n\nEnabling `fiber.top()` slows down fiber switching by about 15%, so it is disabled by default.", "type": "boolean" } }, "type": "object" }, "tx_user_pool_size": { "default": 768, "description": "Specify the size of the fiber pool used in the TX thread for executing user-defined callbacks pushed via the `tnt_tx_push()` C API function. This pool operates similarly to the fiber pool for handling IProto requests, whose size is defined by `box.cfg.net_msg_max`.\n\nIncrease the pool size if the application requires executing a large number of concurrent callbacks, especially if they involve yielding operations or high transaction loads.\n\nNotes:\n\n- The callbacks are executed in the order they are pushed, but the completion order is undefined for yielding callbacks\n- Mismanaging the pool size or callback rate can lead to unpredictable latency or memory overflows (OOM)", "type": "integer" }, "worker_pool_threads": { "default": 4, "description": "The maximum number of threads to use during execution of certain internal processes (for example, `socket.getaddrinfo()` and `coio_call()`).", "type": "number" } }, "type": "object" }, "flightrec": { "additionalProperties": false, "description": "The flightrec section describes options related to the flight recorder configuration.", "properties": { "enabled": { "default": false, "description": "Enable the flight recorder.", "type": "boolean" }, "logs_log_level": { "default": 6, "description": "Specify the level of detail the log has. The default value is 6 (`VERBOSE`). You can learn more about log levels from the log_level option description. Note that the `flightrec.logs_log_level` value might differ from `log_level`.", "enum": [ 0, 1, 2, 3, 4, 5, 6, 7 ], "type": "integer" }, "logs_max_msg_size": { "default": 4096, "description": "Specify the maximum size (in bytes) of the log message. The log message is truncated if its size exceeds this limit.", "type": "integer" }, "logs_size": { "default": 10485760, "description": "Specify the size (in bytes) of the log storage. You can set this option to 0 to disable the log storage.", "type": "integer" }, "metrics_interval": { "default": 1, "description": "Specify the time interval (in seconds) that defines the frequency of dumping metrics. This value shouldn't exceed `flightrec.metrics_period`.", "type": "number" }, "metrics_period": { "default": 180, "description": "Specify the time period (in seconds) that defines how long metrics are stored from the moment of dump. So, this value defines how much historical metrics data is collected up to the moment of crash. The frequency of metric dumps is defined by `flightrec.metrics_interval`.", "type": "number" }, "requests_max_req_size": { "default": 16384, "description": "Specify the maximum size (in bytes) of a request entry. A request entry is truncated if this size is exceeded.", "type": "integer" }, "requests_max_res_size": { "default": 16384, "description": "Specify the maximum size (in bytes) of a response entry. A response entry is truncated if this size is exceeded.", "type": "integer" }, "requests_size": { "default": 10485760, "description": "Specify the size (in bytes) of storage for the request and response data. You can set this parameter to 0 to disable a storage of requests and responses.", "type": "integer" } }, "type": "object" }, "instances": { "additionalProperties": { "additionalProperties": false, "description": "An instance definition.", "properties": { "app": { "additionalProperties": false, "description": "Using Tarantool as an application server, you can run your own Lua applications. In the `app` section, you can load the application and provide an application configuration in the `app.cfg` section.", "properties": { "cfg": { "additionalProperties": { "description": "Mapping for arbitrary user-defined configuration values, accessible in the application via `config:get('app.cfg')`." }, "description": "A configuration of the application loaded using `app.file` or `app.module`.", "type": "object" }, "file": { "description": "A path to a Lua file to load an application from.", "type": "string" }, "module": { "description": "A Lua module to load an application from.", "type": "string" } }, "type": "object" }, "audit_log": { "additionalProperties": false, "description": "The `audit_log` section defines configuration parameters related to audit logging.", "properties": { "extract_key": { "default": false, "description": "If set to `true`, the audit subsystem extracts and prints only the primary key instead of full tuples in DML events (`space_insert`, `space_replace`, `space_delete`). Otherwise, full tuples are logged. The option may be useful in case tuples are big.", "type": "boolean" }, "file": { "default": "var/log/{{ instance_name }}/audit.log", "description": "Specify a file for the audit log destination. You can set the `file` type using the audit_log.to option. If you write logs to a file, Tarantool reopens the audit log at SIGHUP.", "type": "string" }, "filter": { "description": "Enable logging for a specified subset of audit events.", "items": { "description": "Specify a subset of audit events to log by providing a value from the allowed list of events or groups.", "enum": [ "audit_enable", "custom", "auth_ok", "auth_fail", "disconnect", "user_create", "user_drop", "role_create", "role_drop", "user_enable", "user_disable", "user_grant_rights", "user_revoke_rights", "role_grant_rights", "role_revoke_rights", "password_change", "access_denied", "eval", "call", "space_select", "space_create", "space_alter", "space_drop", "space_insert", "space_replace", "space_delete", "none", "all", "audit", "auth", "priv", "ddl", "dml", "data_operations", "compatibility" ], "type": "string" }, "type": "array", "uniqueItems": true }, "format": { "default": "json", "description": "Specify a format that is used for the audit log.", "enum": [ "plain", "json", "csv" ], "type": "string" }, "nonblock": { "default": false, "description": "Specify the logging behavior if the system is not ready to write. If set to `true`, Tarantool does not block during logging if the system is non-writable and writes a message instead. Using this value may improve logging performance at the cost of losing some log messages.", "type": "boolean" }, "pipe": { "default": null, "description": "Start a program and write logs to its standard input (`stdin`). To send logs to a program's standard input, you need to set `audit_log.to` to `pipe`.", "type": "string" }, "spaces": { "default": null, "description": "Specifies spaces for which data operation events (`space_select`, `space_insert`, `space_replace`, `space_delete`) should be logged.\n\nThis option accepts one of the following forms:\n\n- an array of space names;\n- a map where keys are space names and values are audit options.\n\nIf set to box.NULL, the data operation events are logged for all spaces." }, "syslog": { "additionalProperties": false, "description": "This module allows configuring the system logger (syslog) for audit logs in Tarantool. It provides options for specifying the syslog server, facility, and identity for logging messages.", "properties": { "facility": { "default": "local7", "description": "Define the syslog facility, which indicates the type of application generating the log entries (e.g. kernel, user-level, or system daemon). To enable syslog logging, set `audit_log.to` to `syslog`.", "type": "string" }, "identity": { "default": "tarantool", "description": "Specify an application name to show in logs. You can enable logging to a system logger using the `audit_log.to` option.", "type": "string" }, "server": { "default": null, "description": "Set a location for the syslog server. It can be a Unix socket path starting with \"unix:\" or an ipv4 port number. You can enable logging to a system logger using the `audit_log.to` option.", "type": "string" } }, "type": "object" }, "to": { "default": "devnull", "description": "Enable audit logging and define the log location.", "enum": [ "devnull", "file", "pipe", "syslog" ], "type": "string" } }, "type": "object" }, "compat": { "additionalProperties": false, "description": "These options allow to redefine tarantool behavior in order to correspond to the previous or the next major version.", "properties": { "binary_data_decoding": { "default": "new", "description": "Define how to store binary data fields in Lua after decoding:\n\n- `new` (3.x default): as varbinary object\n- `old` (2.x default): as plain strings", "enum": [ "old", "new" ], "type": "string" }, "box_cfg_replication_sync_timeout": { "default": "new", "description": "Set a default replication sync timeout:\n\n- `new` (3.x default): 0\n- `old` (2.x default): 300 seconds", "enum": [ "old", "new" ], "type": "string" }, "box_consider_system_spaces_synchronous": { "default": "old", "description": "Whether to consider most system spaces as synchronized regardless of the `is_sync` space option:\n\n- `new` (4.x default): System spaces are synchronized when the synchronous queue is claimed (`box.info.synchro.queue.owner ~= 0`), except for `vinyl_defer_delete` (local space) and `sequence_data` (synchronized by synchronous user spaces operations)\n- `old` (3.x default): System spaces are not synchronized unless explicitly marked with the `is_sync` option", "enum": [ "old", "new" ], "type": "string" }, "box_error_serialize_verbose": { "default": "old", "description": "Set the verbosity of error objects serialization:\n\n- `new` (4.x default): serialize the error message together with other potentially useful fields\n- `old` (3.x default): serialize only the error message", "enum": [ "old", "new" ], "type": "string" }, "box_error_unpack_type_and_code": { "default": "old", "description": "Whether to show all the error fields in `box.error.unpack()`:\n\n- `new` (4.x default): do not show `base_type` and `custom_type` fields; do not show the `code` field if it is 0. Note that `base_type` is still accessible for an error object\n- `old` (3.x default): show all fields", "enum": [ "old", "new" ], "type": "string" }, "box_info_cluster_meaning": { "default": "new", "description": "Define the behavior of `box.info.cluster`:\n\n- `new` (3.x default): `box.info.cluster` shows info about the entire cluster, `box.info.replicaset` shows info about the replica set\n- `old` (2.x default): `box.info.cluster` shows info about the replica set", "enum": [ "old", "new" ], "type": "string" }, "box_recovery_triggers_deprecation": { "default": "old", "description": "Whether to trigger space and transactional events during local recovery or join:\n\n- `new` (4.x default): do not trigger events\n- `old` (3.x default): trigger events", "enum": [ "old", "new" ], "type": "string" }, "box_session_push_deprecation": { "default": "old", "description": "Whether to raise errors on attempts to call the deprecated function `box.session.push`:\n\n- `new` (4.x default): raise an error\n- `old` (3.x default): do not raise an error", "enum": [ "old", "new" ], "type": "string" }, "box_space_execute_priv": { "default": "new", "description": "Whether the `execute` privilege can be granted on spaces:\n\n- `new` (3.x default): an error is raised\n- `old` (2.x default): the privilege can be granted with no actual effect", "enum": [ "old", "new" ], "type": "string" }, "box_space_max": { "default": "new", "description": "Set the maximum space identifier (`box.schema.SPACE_MAX`):\n\n- `new` (3.x default): 2147483646\n- `old` (2.x default): 2147483647", "enum": [ "old", "new" ], "type": "string" }, "box_tuple_extension": { "default": "new", "description": "Controls `IPROTO_FEATURE_CALL_RET_TUPLE_EXTENSION` and `IPROTO_FEATURE_CALL_ARG_TUPLE_EXTENSION` feature bits that define tuple encoding in iproto call and eval requests.\n\n- `new` (3.x default): tuples with formats are encoded as `MP_TUPLE`\n- `old` (2.x default): tuples with formats are encoded as `MP_ARRAY`", "enum": [ "old", "new" ], "type": "string" }, "box_tuple_new_vararg": { "default": "new", "description": "Controls how `box.tuple.new` interprets an argument list:\n\n- `new` (3.x default): as a value with a tuple format\n- `old` (2.x default): as an array of tuple fields", "enum": [ "old", "new" ], "type": "string" }, "c_func_iproto_multireturn": { "default": "new", "description": "Controls wrapping of multiple results of a stored C function when returning them via iproto:\n\n- `new` (3.x default): return without wrapping (consistently with a local call via `box.func`)\n- `old` (2.x default): wrap results into a MessagePack array", "enum": [ "old", "new" ], "type": "string" }, "console_session_scope_vars": { "default": "old", "description": "Whether a console session has its own variable scope:\n\n- `new` (4.x default): non-local variable assignments are written to a variable scope attached to the console session\n- `old` (3.x default): all non-local variable assignments from the console are written to globals", "enum": [ "old", "new" ], "type": "string" }, "fiber_channel_close_mode": { "default": "new", "description": "Define the behavior of fiber channels after closing:\n\n- `new` (3.x default): mark the channel read-only\n- `old` (2.x default): destroy the channel object", "enum": [ "old", "new" ], "type": "string" }, "fiber_slice_default": { "default": "new", "description": "Define the maximum fiber execution time without a yield:\n\n- `new` (3.x default): `{warn = 0.5, err = 1.0}`\n- `old` (2.x default): infinity (no warnings or errors raised)", "enum": [ "old", "new" ], "type": "string" }, "json_escape_forward_slash": { "default": "new", "description": "Whether to escape the forward slash symbol \"/\" using a backslash in a `json.encode()` result:\n\n- `new` (3.x default): do not escape the forward slash\n- `old` (2.x default): escape the forward slash", "enum": [ "old", "new" ], "type": "string" }, "replication_synchro_timeout": { "default": "old", "description": "The `compat.replication_synchro_timeout` option controls transaction rollback due to `replication.synchro_timeout`.\n\n- `new` (4.x default): A synchronous transaction can remain in the synchro queue indefinitely until it reaches a quorum of confirmations. `replication.synchro_timeout` is used only to wait confirmation in promote/demote and gc-checkpointing. If some transaction in limbo did not have time to commit within `replication_synchro_timeout`, the corresponding operation: promote/demote or gc-checkpointing can be aborted automatically\n- `old` (3.x default): unconfirmed synchronous transactions are rolled back after a `replication.synchro_timeout`", "enum": [ "old", "new" ], "type": "string" }, "skip_replication_names": { "default": "new", "description": "The `compat.skip_replication_names` option controls whether Tarantool skips instance and replicaset name handling during replication startup.\n\n- `new` (3.x default): Tarantool applies `instance_name` and `replicaset_name` on startup and validates them against the snapshot data.\n- `old` (2.x default): Tarantool skips applying `instance_name` and `replicaset_name` on startup and does not validate them against the snapshot data. This mode is intended for upgrades from Tarantool 2.11, so a Tarantool 3.x+ instance configured via the declarative config can join a 2.11-compatible replicaset where the master snapshot may not contain names.", "enum": [ "old", "new" ], "type": "string" }, "sql_priv": { "default": "new", "description": "Whether to enable access checks for SQL requests over iproto:\n\n- `new` (3.x default): check the user's access permissions\n- `old` (2.x default): allow any user to execute SQL over iproto", "enum": [ "old", "new" ], "type": "string" }, "sql_seq_scan_default": { "default": "new", "description": "Controls the default value of the `sql_seq_scan` session setting:\n\n- `new` (3.x default): false\n- `old` (2.x default): true", "enum": [ "old", "new" ], "type": "string" }, "wal_cleanup_delay_deprecation": { "default": "old", "description": "Whether to use the option 'wal_cleanup_delay':\n\n- `new` (4.x default): raise an error\n- `old` (3.x default): log a deprecation warning", "enum": [ "old", "new" ], "type": "string" }, "yaml_pretty_multiline": { "default": "new", "description": "Whether to encode in block scalar style all multiline strings or ones containing the `\\n\\n` substring:\n\n- `new` (3.x default): all multiline strings\n- `old` (2.x default): only strings containing the `\\n\\n` substring", "enum": [ "old", "new" ], "type": "string" } }, "type": "object" }, "config": { "additionalProperties": false, "description": "The `config` section defines various parameters related to centralized configuration.", "properties": { "context": { "additionalProperties": { "additionalProperties": false, "description": "A context variable definition that specifies how to load it (e.g. from a file or an environment variable).", "properties": { "env": { "description": "The name of an environment variable to load a context variable from. To load a context variable from an environment variable, set `config.context..from` to `env`.", "type": "string" }, "file": { "description": "The path to a file to load a context variable from. To load a configuration value from a file, set `config.context..from` to `file`.", "type": "string" }, "from": { "description": "The type of storage to load a context variable from. There are the following storage types:\n\n- `file`: load a context variable from a file. In this case, you need to specify the path to the file using `config.context..file`\n- `env`: load a context variable from an environment variable. In this case, specify the environment variable name using `config.context..env`", "enum": [ "env", "file" ], "type": "string" }, "rstrip": { "description": "(Optional) Whether to strip whitespace characters and newlines from the end of data.", "type": "boolean" } }, "type": "object" }, "description": "Defines custom variables in the cluster configuration by loading values from an environment variable or a file.", "type": "object" }, "etcd": { "additionalProperties": false, "description": "This section describes options related to providing connection settings to a centralized etcd-based storage. If `replication.failover` is set to `supervised`, Tarantool also uses etcd to maintain the state of failover coordinators.", "properties": { "endpoints": { "description": "The list of endpoints used to access an etcd cluster.", "items": { "description": "etcd endpoint.\n\nFor example: `http://localhost:2379`.", "type": "string" }, "type": "array" }, "http": { "additionalProperties": false, "description": "HTTP client options for the etcd-client, used to fetch and subscribe to the cluster configuration stored in etcd.", "properties": { "request": { "additionalProperties": false, "description": "HTTP client request options.", "properties": { "interface": { "description": "Set the interface to use as outgoing network interface for the etcd configuration source.\n\nThe interface can be specified as an interface name, an IP address, or a hostname.\n\nSee https://curl.se/libcurl/c/CURLOPT_INTERFACE.html for details.", "type": "string" }, "timeout": { "description": "A time period required to process an HTTP request to an etcd server: from sending a request to receiving a response.", "type": "number" }, "unix_socket": { "description": "A Unix domain socket used to connect to an etcd server.", "type": "string" }, "verbose": { "description": "Whether to print debugging information about HTTP requests and responses issued by the etcd configuration source.\n\nThe information is written to stderr (disregarding tarantool log configuration). In a typical setup it arrives to journald.\n\nSee https://curl.se/libcurl/c/CURLOPT_VERBOSE.html for details.", "type": "boolean" } }, "type": "object" } }, "type": "object" }, "password": { "description": "A password used for authentication.", "type": "string" }, "prefix": { "description": "A key prefix used to search a configuration on an etcd server. Tarantool searches keys by the following path: `/config/*`. Note that `` should start with a slash (`/`).", "type": "string" }, "ssl": { "additionalProperties": false, "description": "TLS options.", "properties": { "ca_file": { "description": "A path to a trusted certificate authorities (CA) file.", "type": "string" }, "ca_path": { "description": "A path to a directory holding certificates to verify the peer with.", "type": "string" }, "ssl_cert": { "description": "A path to an SSL certificate file.", "type": "string" }, "ssl_key": { "description": "A path to a private SSL key file.", "type": "string" }, "verify_host": { "description": "Enable verification of the certificate's name (CN) against the specified host.", "type": "boolean" }, "verify_peer": { "description": "Enable verification of the peer's SSL certificate.", "type": "boolean" } }, "type": "object" }, "username": { "description": "A username used for authentication.", "type": "string" }, "watchers": { "additionalProperties": false, "description": "Options for watcher requests: watchcreate, watchwait and watchcancel.", "properties": { "reconnect_max_attempts": { "description": "The maximum number of attempts to reconnect to an etcd server in case of connection failure.", "type": "integer" }, "reconnect_timeout": { "description": "The timeout (in seconds) between attempts to reconnect to an etcd server in case of connection failure.", "type": "number" } }, "type": "object" } }, "type": "object" }, "reload": { "default": "auto", "description": "Specify how the configuration is reloaded. This option accepts the following values:\n\n- `auto`: configuration is reloaded automatically when it is changed.\n- `manual`: configuration should be reloaded manually. In this case, you can reload the configuration in the application code using `config:reload()`.", "enum": [ "auto", "manual" ], "type": "string" }, "storage": { "additionalProperties": false, "description": "This section describes options related to providing connection settings to a centralized Tarantool-based storage.", "properties": { "endpoints": { "description": "An array of endpoints used to access a configuration storage. Each endpoint can include the following fields:\n\n- `uri`: a URI of the configuration storage's instance.\n- `login`: a username used to connect to the instance.\n- `password`: a password used for authentication.\n- `params`: SSL parameters required for encrypted connections", "items": { "additionalProperties": false, "description": "Element that represents a configuration storage endpoint with the following fields:\n\n- `uri`: a URI of the configuration storage's instance.\n- `login`: a username used to connect to the instance.\n- `password`: a password used for authentication.\n- `params`: SSL parameters required for encrypted connections.", "properties": { "login": { "description": "A username used to connect to the instance.", "type": "string" }, "params": { "additionalProperties": false, "description": "SSL parameters required for encrypted connections.", "properties": { "ssl_ca_file": { "description": "(Optional) A path to a trusted certificate authorities (CA) file. If not set, the peer won't be checked for authenticity.\n\nBoth a server and a client can use the ssl_ca_file parameter:\n\n- If it's on the server side, the server verifies the client.\n- If it's on the client side, the client verifies the server.\n- If both sides have the CA files, the server and the client verify each other.", "type": "string" }, "ssl_cert_file": { "description": "A path to an SSL certificate file:\n\n- For a server, it's mandatory.\n- For a client, it's mandatory if the ssl_ca_file parameter is set for a server; otherwise, optional.", "type": "string" }, "ssl_ciphers": { "description": "(Optional) A colon-separated (:) list of SSL cipher suites the connection can use. Note that the list is not validated: if a cipher suite is unknown, Tarantool ignores it, doesn't establish the connection, and writes to the log that no shared cipher was found.", "type": "string" }, "ssl_key_file": { "description": "A path to a private SSL key file:\n\n- For a server, it's mandatory.\n- For a client, it's mandatory if the `ssl_ca_file` parameter is set for a server; otherwise, optional.\n\nIf the private key is encrypted, provide a password for it in the `ssl_password` or `ssl_password_file` parameter", "type": "string" }, "ssl_password": { "description": "(Optional) A password for an encrypted private SSL key provided using `ssl_key_file`. Alternatively, the password can be provided in `ssl_password_file`.\n\nTarantool applies the `ssl_password` and `ssl_password_file` parameters in the following order:\n\n- If `ssl_password` is provided, Tarantool tries to decrypt the private key with it.\n- If `ssl_password` is incorrect or isn't provided, Tarantool tries all passwords from `ssl_password_file` one by one in the order they are written.\n- If `ssl_password` and all passwords from `ssl_password_file` are incorrect, or none of them is provided, Tarantool treats the private key as unencrypted.", "type": "string" }, "ssl_password_file": { "description": "(Optional) A text file with one or more passwords for encrypted private SSL keys provided using `ssl_key_file` (each on a separate line). Alternatively, the password can be provided in `ssl_password`.", "type": "string" }, "transport": { "description": "Allows you to enable traffic encryption for client-server communications over binary connections. In a Tarantool cluster, one instance might act as the server that accepts connections from other instances and the client that connects to other instances.\n\n`.params.transport` accepts one of the following values:\n\n- `plain` (default): turn off traffic encryption,\n- `ssl`: encrypt traffic by using the TLS 1.2 protocol (EE only).", "enum": [ "plain", "ssl" ], "type": "string" } }, "type": "object" }, "password": { "description": "A password used for authentication.", "type": "string" }, "uri": { "description": "A URI of the configuration storage's instance.", "type": "string" } }, "type": "object" }, "type": "array" }, "prefix": { "description": "A key prefix used to search a configuration in a centralized configuration storage. Tarantool searches keys by the following path: `/config/*`. Note that `` should start with a slash (`/`).", "type": "string" }, "reconnect_after": { "default": 3, "description": "A number of seconds to wait before reconnecting to a configuration storage.", "type": "number" }, "timeout": { "default": 3, "description": "The interval (in seconds) to perform the status check of a configuration storage.", "type": "number" } }, "type": "object" } }, "type": "object" }, "connpool": { "additionalProperties": false, "description": "The `connpool` section defines configuration parameters related to the Tarantool connection pool that can be used to communicate with other instances within the cluster.", "properties": { "idle_timeout": { "default": 60, "description": "Tarantool connection pool automatically manages connections to the instances and automatically closes the ones that are not needed for a while.\n\nThis option controls a timeout (in seconds) in which the unused connections would be closed.\n\nNote: this option does not affect the connections opened by `connpool.connect()` since in that case, the user has direct access to the connection object.", "type": "number" } }, "type": "object" }, "console": { "additionalProperties": false, "description": "Configure the administrative console. A client to the console is `tt connect`.", "properties": { "enabled": { "default": true, "description": "Whether to listen on the Unix socket provided in the console.socket option.\n\nIf the option is set to `false`, the administrative console is disabled.", "type": "boolean" }, "socket": { "default": "var/run/{{ instance_name }}/tarantool.control", "description": "The Unix socket for the administrative console.\n\nMind the following nuances:\n\n- Only a Unix domain socket is allowed. A TCP socket can't be configured this way.\n- `console.socket` is a file path, without any `unix:` or `unix/:` prefixes.\n- If the file path is a relative path, it is interpreted relative to `process.work_dir`.", "type": "string" } }, "type": "object" }, "credentials": { "additionalProperties": false, "description": "The `credentials` section allows you to create users and grant them the specified privileges.", "properties": { "roles": { "additionalProperties": { "additionalProperties": false, "description": "A role definition.", "properties": { "privileges": { "description": "An array of privileges granted to this role.", "items": { "additionalProperties": false, "description": "Privileges that can be granted to a user with this role.", "properties": { "functions": { "description": "Registered functions to which user with this role gets the specified permissions.", "items": { "description": "Function name.", "type": "string" }, "type": "array" }, "lua_call": { "description": "Defines the Lua functions that the user with this role has permission to call. This field accepts a special value, `all`, which grants the privilege to use any global non-built-in Lua functions.", "items": { "description": "Lua function name.", "type": "string" }, "type": "array" }, "lua_eval": { "description": "Whether this user with this role can execute arbitrary Lua code.", "type": "boolean" }, "permissions": { "description": "Permissions assigned to user with this role.", "items": { "description": "Permission name.", "enum": [ "read", "write", "execute", "create", "alter", "drop", "usage", "session" ], "type": "string" }, "type": "array", "uniqueItems": true }, "sequences": { "description": "Sequences to which user with this role gets the specified permissions.", "items": { "description": "Sequence name.", "type": "string" }, "type": "array" }, "spaces": { "description": "Spaces to which user with this role gets the specified permissions.", "items": { "description": "Space name.", "type": "string" }, "type": "array" }, "sql": { "description": "Whether user with this role can execute an arbitrary SQL expression.", "items": { "description": "SQL expression name.\n\nOnly `all` is allowed for now.", "enum": [ "all" ], "type": "string" }, "type": "array" }, "universe": { "description": "Grants global permissions across all object types in the database, including:\n\n- `read`: Read any object\n- `write`: Modify any object\n- `execute`: Execute functions or code\n- `session`: Connect via IPROTO\n- `usage`: Use granted privileges\n- `create`: Create users, roles, objects\n- `drop`: Remove users, roles, objects\n- `alter`: Modify settings or objects", "type": "boolean" } }, "type": "object" }, "type": "array" }, "roles": { "description": "An array of roles granted to this role.", "items": { "description": "Role name.", "type": "string" }, "type": "array" } }, "type": "object" }, "description": "An array of roles that can be granted to users or other roles.", "type": "object" }, "users": { "additionalProperties": { "additionalProperties": false, "description": "User name.", "properties": { "password": { "description": "A user's password.", "type": "string" }, "privileges": { "description": "An array of privileges granted to this user.", "items": { "additionalProperties": false, "description": "Privileges that can be granted to a user.", "properties": { "functions": { "description": "Registered functions to which this user gets the specified permissions.", "items": { "description": "Function name.", "type": "string" }, "type": "array" }, "lua_call": { "description": "Defines the Lua functions that the user has permission to call. This field accepts a special value, `all`, which grants the privilege to use any global non-built-in Lua functions.", "items": { "description": "Lua function name.", "type": "string" }, "type": "array" }, "lua_eval": { "description": "Whether this user can execute arbitrary Lua code.", "type": "boolean" }, "permissions": { "description": "Permissions assigned to this user or a user with this role.", "items": { "description": "Permission name.", "enum": [ "read", "write", "execute", "create", "alter", "drop", "usage", "session" ], "type": "string" }, "type": "array", "uniqueItems": true }, "sequences": { "description": "Sequences to which this user gets the specified permissions.", "items": { "description": "Sequence name.", "type": "string" }, "type": "array" }, "spaces": { "description": "Spaces to which this user gets the specified permissions.", "items": { "description": "Space name.", "type": "string" }, "type": "array" }, "sql": { "description": "Whether this user can execute an arbitrary SQL expression.", "items": { "description": "SQL expression name.\n\nOnly `all` is allowed for now.", "enum": [ "all" ], "type": "string" }, "type": "array" }, "universe": { "description": "Grants global permissions across all object types in the database, including:\n\n- `read`: Read any object\n- `write`: Modify any object\n- `execute`: Execute functions or code\n- `session`: Connect via IPROTO\n- `usage`: Use granted privileges\n- `create`: Create users, roles, objects\n- `drop`: Remove users, roles, objects\n- `alter`: Modify settings or objects", "type": "boolean" } }, "type": "object" }, "type": "array" }, "roles": { "description": "An array of roles granted to this user.", "items": { "description": "Role name.", "type": "string" }, "type": "array" } }, "type": "object" }, "description": "An array of users.", "type": "object" } }, "type": "object" }, "database": { "additionalProperties": false, "description": "The `database` section defines database-specific configuration parameters, such as an instance's read-write mode or transaction isolation level.", "properties": { "hot_standby": { "default": false, "description": "Whether to start the server in the hot standby mode. This mode can be used to provide failover without replication.\n\nNote: `database.hot_standby` has no effect:\n\n- If `wal.mode` is set to none.\n- If `wal.dir_rescan_delay` is set to a large value on macOS or FreeBSD. On these platforms, the hot standby mode is designed so that the loop repeats every `wal.dir_rescan_delay` seconds.\n- For spaces created with engine set to `vinyl`.", "type": "boolean" }, "instance_uuid": { "default": null, "description": "An instance UUID.\n\nBy default, instance UUIDs are generated automatically. `database.instance_uuid` can be used to specify an instance identifier manually.\n\nUUIDs should follow these rules:\n\n- The values must be true unique identifiers, not shared by other instances or replica sets within the common infrastructure.\n- The values must be used consistently, not changed after the initial setup. The initial values are stored in snapshot files and are checked whenever the system is restarted.\n- The values must comply with RFC 4122. The nil UUID is not allowed.\n\nNote: when upgrading from 2.x, `instance_uuid` and `replicaset_uuid` must be explicitly set in the configuration until the database schema upgrade is completed. After a full upgrade, these UUIDs can be removed from the configuration.", "type": "string" }, "mode": { "default": null, "description": "An instance's operating mode. This option is in effect if `replication.failover` is set to `off`.\n\nThe following modes are available:\n\n- `rw`: an instance is in read-write mode.\n- `ro`: an instance is in read-only mode.\n\nIf not specified explicitly, the default value depends on the number of instances in a replica set. For a single instance, the `rw` mode is used, while for multiple instances, the `ro` mode is used.", "enum": [ "ro", "rw" ], "type": "string" }, "replicaset_uuid": { "default": null, "description": "A replica set UUID.\n\nBy default, replica set UUIDs are generated automatically. `database.replicaset_uuid` can be used to specify a replica set identifier manually.\n\nNote: when upgrading from 2.x, `instance_uuid` and `replicaset_uuid` must be explicitly set in the configuration until the database schema upgrade is completed. After a full upgrade, these UUIDs can be removed from the configuration.", "type": "string" }, "txn_isolation": { "default": "best-effort", "description": "A transaction isolation level.", "enum": [ "read-committed", "read-confirmed", "best-effort" ], "type": "string" }, "txn_synchro_timeout": { "default": 5, "description": "A timeout (in seconds) after which the fiber is detached from synchronous transaction that is currently collecting quorum. After the timeout expires, the transaction is not rolled back but continues to wait for a quorum in background.", "type": "number" }, "txn_timeout": { "default": 3153600000, "description": "A timeout (in seconds) after which the transaction is rolled back.", "type": "number" }, "use_mvcc_engine": { "default": false, "description": "Whether the transactional manager is enabled.", "type": "boolean" } }, "type": "object" }, "failover": { "additionalProperties": false, "description": "The `failover` section defines parameters related to a supervised failover.", "properties": { "call_timeout": { "default": 1, "description": "A call timeout (in seconds) for connections used by monitoring and autofailover components.", "type": "number" }, "connect_timeout": { "default": 1, "description": "A connection timeout (in seconds) for connections used by monitoring and autofailover components.", "type": "number" }, "http": { "additionalProperties": false, "description": "The `failover.http` subsection configures HTTP listeners for the failover coordinator API. This functionality is available only in Tarantool Enterprise. It allows the failover coordinator to expose HTTP endpoints that provide monitoring metrics and health checks.", "properties": { "listen": { "description": "A list of HTTP endpoints that should be started for the failover coordinator. Each entry must describe a listener bound to a `localhost:` URI. These endpoints are used to expose metrics and other health check information about the failover coordinator.", "items": { "additionalProperties": false, "description": "This entry configures an individual HTTP listener for the failover coordinator. You can specify the URI and parameters for the listener.", "properties": { "params": { "additionalProperties": false, "description": "SSL parameters required for encrypted connections.", "properties": { "ssl_ca_file": { "description": "(Optional) A path to a trusted certificate authorities (CA) file. If not set, the peer won't be checked for authenticity.\n\nBoth a server and a client can use the ssl_ca_file parameter:\n\n- If it's on the server side, the server verifies the client.\n- If it's on the client side, the client verifies the server.\n- If both sides have the CA files, the server and the client verify each other.", "type": "string" }, "ssl_cert_file": { "description": "A path to an SSL certificate file:\n\n- For a server, it's mandatory.\n- For a client, it's mandatory if the ssl_ca_file parameter is set for a server; otherwise, optional.", "type": "string" }, "ssl_ciphers": { "description": "(Optional) A colon-separated (:) list of SSL cipher suites the connection can use. Note that the list is not validated: if a cipher suite is unknown, Tarantool ignores it, doesn't establish the connection, and writes to the log that no shared cipher was found.", "type": "string" }, "ssl_key_file": { "description": "A path to a private SSL key file:\n\n- For a server, it's mandatory.\n- For a client, it's mandatory if the `ssl_ca_file` parameter is set for a server; otherwise, optional.\n\nIf the private key is encrypted, provide a password for it in the `ssl_password` or `ssl_password_file` parameter", "type": "string" }, "ssl_password": { "description": "(Optional) A password for an encrypted private SSL key provided using `ssl_key_file`. Alternatively, the password can be provided in `ssl_password_file`.\n\nTarantool applies the `ssl_password` and `ssl_password_file` parameters in the following order:\n\n- If `ssl_password` is provided, Tarantool tries to decrypt the private key with it.\n- If `ssl_password` is incorrect or isn't provided, Tarantool tries all passwords from `ssl_password_file` one by one in the order they are written.\n- If `ssl_password` and all passwords from `ssl_password_file` are incorrect, or none of them is provided, Tarantool treats the private key as unencrypted.", "type": "string" }, "ssl_password_file": { "description": "(Optional) A text file with one or more passwords for encrypted private SSL keys provided using `ssl_key_file` (each on a separate line). Alternatively, the password can be provided in `ssl_password`.", "type": "string" }, "ssl_verify_client": { "default": "off", "description": "Controls whether the failover coordinator verifies client SSL certificates.\n\nThe option accepts the following values:\n\n- `off` (default): client certificates are not verified.\n- `on`: the server requires and verifies client certificates.\n- `optional`: the server verifies client certificates only if they are provided by the client.", "enum": [ "off", "on", "optional" ], "type": "string" }, "transport": { "description": "Allows you to enable traffic encryption for client-server communications over binary connections. In a Tarantool cluster, one instance might act as the server that accepts connections from other instances and the client that connects to other instances.\n\n`.params.transport` accepts one of the following values:\n\n- `plain` (default): turn off traffic encryption,\n- `ssl`: encrypt traffic by using the TLS 1.2 protocol (EE only).", "enum": [ "plain", "ssl" ], "type": "string" } }, "type": "object" }, "uri": { "description": "A URI in the `:` format that defines where the failover coordinator listens for HTTP requests.", "type": "string" } }, "type": "object" }, "type": "array" } }, "type": "object" }, "iproto": { "additionalProperties": false, "description": "IPROTO connection parameters for the failover coordinator. This functionality is available only in Tarantool Enterprise.", "properties": { "ssl": { "additionalProperties": false, "description": "SSL parameters used by the failover coordinator to connect to instances over IPROTO when SSL is enabled. This functionality is available only in Tarantool Enterprise.", "properties": { "ca_file": { "description": "(Optional) A path to a trusted certificate authorities (CA) file. If not set, the peer won't be checked for authenticity.\n\nBoth a server and a client can use the ca_file parameter:\n\n- If it's on the server side, the server verifies the client.\n- If it's on the client side, the client verifies the server.\n- If both sides have the CA files, the server and the client verify each other.", "type": "string" }, "ssl_cert": { "description": "A path to an SSL certificate file:\n\n- For a server, it's mandatory.\n- For a client, it's mandatory if the ca_file parameter is set for a server; otherwise, optional.", "type": "string" }, "ssl_ciphers": { "description": "(Optional) A colon-separated (:) list of SSL cipher suites the connection can use. Note that the list is not validated: if a cipher suite is unknown, Tarantool ignores it, doesn't establish the connection, and writes to the log that no shared cipher was found.", "type": "string" }, "ssl_key": { "description": "A path to a private SSL key file:\n\n- For a server, it's mandatory.\n- For a client, it's mandatory if the `ca_file` parameter is set for a server; otherwise, optional.\n\nIf the private key is encrypted, provide a password for it in the `ssl_password` or `ssl_password_file` parameter", "type": "string" }, "ssl_password": { "description": "(Optional) A password for an encrypted private SSL key provided using `ssl_key`. Alternatively, the password can be provided in `ssl_password_file`.\n\nTarantool applies the `ssl_password` and `ssl_password_file` parameters in the following order:\n\n- If `ssl_password` is provided, Tarantool tries to decrypt the private key with it.\n- If `ssl_password` is incorrect or isn't provided, Tarantool tries all passwords from `ssl_password_file` one by one in the order they are written.\n- If `ssl_password` and all passwords from `ssl_password_file` are incorrect, or none of them is provided, Tarantool treats the private key as unencrypted.", "type": "string" }, "ssl_password_file": { "description": "(Optional) A text file with one or more passwords for encrypted private SSL keys provided using `ssl_key` (each on a separate line). Alternatively, the password can be provided in `ssl_password`.", "type": "string" } }, "type": "object" } }, "type": "object" }, "lease_interval": { "default": 30, "description": "A time interval (in seconds) that specifies how long an instance should be a leader without renew requests from a coordinator. When this interval expires, the leader switches to read-only mode. This action is performed by the instance itself and works even if there is no connectivity between the instance and the coordinator.", "type": "number" }, "log": { "additionalProperties": false, "description": "This section defines configuration parameters related to logging for the supervised failover coordinator.", "properties": { "file": { "description": "Specify a file for failover logs destination. To write logs to a file, you need to set `failover.log.to` to `file`. Otherwise, `failover.log.file` is ignored.", "type": "string" }, "to": { "default": "stderr", "description": "Define the location for failover logs. This option accepts the following values:\n\n- `stderr`: write logs to the standard error stream\n- `file`: write logs to a file defined in `failover.log.file`", "enum": [ "stderr", "file" ], "type": "string" } }, "type": "object" }, "metrics": { "additionalProperties": false, "description": "The `failover.metrics` subsection configures metrics exporters for the failover coordinator. This functionality is available only in Tarantool Enterprise. It allows the failover coordinator to expose monitoring metrics through various formats like Prometheus, JSON, etc.", "properties": { "exporters": { "description": "A list of endpoints that expose the failover coordinator metrics. Each exporter corresponds to an HTTP endpoint and a specific format for the exported metrics.", "items": { "additionalProperties": false, "description": "This entry configures an individual exporter. You can specify the URI path and the format for the metrics.", "properties": { "format": { "default": "prometheus", "description": "A format of the exported metrics. Supported values are `prometheus`, `zabbix`, `telegraf`, and `json`. Each exporter will serve metrics in the specified format.", "enum": [ "prometheus", "zabbix", "telegraf", "json" ], "type": "string" }, "path": { "description": "A URI path that should be used to serve metrics. For example, `/metrics/prometheus`, `/metrics/json`, etc.", "type": "string" } }, "type": "object" }, "type": "array" } }, "type": "object" }, "probe_interval": { "default": 10, "description": "A time interval (in seconds) that specifies how often a monitoring service of the failover coordinator polls an instance for its status.", "type": "number" }, "renew_interval": { "default": 10, "description": "A time interval (in seconds) that specifies how often a failover coordinator sends read-write deadline renewals.", "type": "number" }, "replicasets": { "additionalProperties": { "additionalProperties": false, "description": "Failover coordinator options related to a particular replicaset.", "properties": { "learners": { "description": "Specify instances that are ignored by the supervised failover coordinator when selecting a master.\n\nNote: if a learner instance is in RW mode, the coordinator stops the failover process and waits until the instance transitions to RO mode.", "items": { "description": "Array of instance names to be ignored by the supervised failover coordinator when selecting a master.", "type": "string" }, "type": "array" }, "priority": { "additionalProperties": { "description": "A failover priority assigned to the given instance.", "type": "number" }, "description": "Priorities for the supervised failover mode.", "type": "object" }, "synchro_mode": { "default": false, "description": "The coordinator supports two leader appoint modes: one suits better for asynchronous replication, the other one better works for the quorum synchronous replication.\n\nFirst of all, it may be confusing that the synchronous replication is configured per-space in tarantool, but the supervised failover option is per-replicaset.\n\nTechnically a user can enable the synchro mode and mark only some spaces synchronous. However, this setup gives the worst of two worlds:\n\n- Asynchronous transactions are assumed as possibly depending from a result of previously started synchronous ones, so if there are sync transactions in fly, all the async ones are waiting for finishing of the sync ones. This way we sometimes get sync-level latency for async transactions.\n- Async transactions from the old leader, whose result is visible to a client, are not necessarily present in another availability zone. A network partitioning and repairing may lead to conflicting journals and disconnecting of the old leader from the replicaset until manual repairing activities are performed. It means that the autofailover may hurt the redundancy factor. And that happens frequently comparing to the usual async setup due to the stricter conflict detection strategy.\n\nTo sum up: in the mixed setup we pay twice (for async and qsync both -- possible conflicts and increased latency), but it rewards with a kind of 'sometimes you get better latency' comparing to qsync and 'sometimes you have linearizable writes' comparing to async. For most applications it seems worse than fair qsync (with all the spaces marked as synchronous).\n\nIn this description we assume either all asynchronous spaces or all synchronous ones.\n\n`synchro_mode` = `false` handles a replicaset with asynchronous replication: if all the spaces are created without the `is_sync` option. It is default.\n\n`synchro_mode` = `true` handles a replicaset with quorum synchronous replication: if the spaces have the `is_sync` option enabled.\n\nBefore describe how the modes work, let's introduce some terms.\n\nImagine, a network partitioning happens. If the old leader is not reachable from the active coordinator, it is *resigned* (goes to read-only). The coordinator performs the *autofailover*: it *appoints* the new leader (it goes to read-write). The appoint may or may not claim *synchro queue* ownership (to enable processing of synchronous transactions), it may or may not require a *quorum* of replicas to agree about the longest available journal; it depends on the chosen `synchro_mode`.\n\nOnce the connectivity is repaired, the old leader attempts to connect to the replicaset back. It succeeds or fails depending on whether the journals are *diverged* and depending on the *conflict detection* and the *conflict resolution* strategies.\n\nThe following description assumes such a network partitioning, when the old leader lost connectivity with the active coordinator, so the coordinator have to appoint a new leader. The power off or hardware break situations are similar, but the old leader goes back (if it is possible) only when it is repaired. This way we cover wide variety of situations using the network partitioning as an example.\n\nAlso, the active coordinator switch may occur in some network partitioning situations and it adds some delay to resigning and appointing. Other than that the autofailover process remains the same.\n\n`synchro_mode` = `false` works this way:\n\n- The network partitioning may leave the old leader with the journal, where the last transactions are not replicated to the other availability zone. As result, these transactions are not present on the future new leader.\n- The old leader resigns after failover.lease_interval.\n- The new leader is appointed without reaching any quorum of replicas. It works while at least one instance is available.\n- The new leader doesn't claim synchro queue ownership[^1].\n- When the connectivity is repaired, the old leader (read-only now) attempts to replicate the last transactions from the journal to the new leader.\n- If the journals are not diverged, or the conflict is not detected, or all the conflicts are resolved, the old leader successfully connects back to the replicaset. The redundancy is repaired.\n- Otherwise, the replica is disconnected from the replicaset. Some manual actions are needed to extract the conflicting journal entries, apply it to the new leader (if needed) and rebootstrap the old leader (wipe the data directory and start the instance from scratch).\n- The conflict detection strategy is weak[^2]: the only conflicts are attempts to insert the same key into an unique index twice[^3].\n- The conflict resolution is 'just fail' by default, but a user may setup its own conflict resolution triggers (ON CONFLICT or before_replace).\n\n[^1]: It works in assumption that the synchro queue owner has not been claimed before (for example, due to use of `replication.failover` = `election` in the past). It can be verified using `box.info.synchro.queue.owner`: it is expected to be zero. Otherwise, the whole replicaset is in read-only. box.ctl.demote() may repair this situation if it is unintended. [^2]: It is also true only if there is no synchro queue owner. [^3]: It may happen if the client retries a writing operation on the new leader after a failure with the old leader.\n\nTo sum up: here we have asynchronous replication guarantees. Plus autoapply of the journal tail from the old leader that may hurt data consistency. And each autofailover event may decrease the redundancy factor until some complicated manual actions are performed.\n\nThe on conflict triggers (before_replace in the Lua API) may be used to define automatic conflict resolution strategy that eliminates a need for manual action to return the redundancy back.\n\n`synchro_mode` = `true` works this way:\n\n- After the network partitioning, the old leader resigns. It rolls back transactions that are not confirmed by a quorum.\n- The new leader is chosen using a quorum based algorithm and it is guaranteed to have all the quorum approved transactions[^4].\n- N/2+1 available replicas are necessary for a successful appoint. It means that there is more room for the situation, when the whole replicaset is read-only: we can't choose a new leader if we can't reach N/2+1 replicas.\n- The new leader claims synchro queue ownership when becoming a leader[^5].\n- There is no room for a conflict, when the connectivity is repaired: each transaction either approved by the quorum or rolled back[^6].\n- The conflict detection strategy is strict: any divergence in the journals is considered a conflict. However, it shouldn't occur by the construction[^6].\n- The conflict resolution strategy is the same as for `synchro_mode` = `false`.\n\n[^4]: Technically speaking, `synchro_mode` = `true` enables `box.cfg.election_mode` = `manual` on instances. It tunes the `box.ctl.promote()` behavior to check the instance's vclock with a quorum of replicas before actual write itself as the new synchro queue owner. [^5]: By calling `box.ctl.promote()`. [^6]: If all the spaces are `is_sync` = `true`. So, again, mixing of async and sync spaces within one replicaset is not a good idea.\n\nTo sum up: the synchronous replication guarantees are given, which means linearizability for writing operations: once the transaction is confirmed for the client it can be observed even in case of a failure of one availability zone[^7]. The autofailover doesn't hurt redundancy, no manual rebootstrap required. However, if a redundancy factor lowers the N/2+1 bound, the whole replicaset is read-only. A strict conflict detection strategy adds an extra layer of protection against consistency violations.\n\n[^7]: You may also be interested in the txn_isolation = 'linearizable' box.begin/box.atomic option for linearizable reads.\n\nNote that `synchro_mode` = `true` doesn't support a setup with two availability zones for now. You need at least three zones for it. Future tarantool versions may provide the two zones setup support. Stay tuned!", "type": "boolean" } }, "type": "object" }, "description": "Failover coordinator options configured on the per-replicaset basis.", "type": "object" }, "replication_lag_threshold": { "default": 1, "description": "A replication lag threshold (in seconds). If an instance's replication lag exceeds this threshold, the supervised failover coordinator ignores the instance when selecting a new leader if `synchro_mode` is `true` for this replicaset. Default value is 1 second.", "type": "number" }, "stateboard": { "additionalProperties": false, "description": "This options define configuration parameters related to maintaining the state of failover coordinators in a remote etcd-based storage.", "properties": { "enabled": { "default": true, "description": "Enable or disable the failover coordinator stateboard.", "type": "boolean" }, "keepalive_interval": { "default": 10, "description": "A time interval (in seconds) that specifies how long a transient state information is stored and how quickly a lock expires.\n\nNote `failover.stateboard.keepalive_interval` should be smaller than `failover.lease_interval`. Otherwise, switching of a coordinator causes a replica set leader to go to read-only mode for some time.", "type": "number" }, "renew_interval": { "default": 2, "description": "A time interval (in seconds) that specifies how often a failover coordinator writes its state information to etcd. This option also determines the frequency at which an active coordinator reads new commands from etcd.", "type": "number" } }, "type": "object" } }, "type": "object" }, "feedback": { "additionalProperties": false, "description": "The `feedback` section describes configuration parameters for sending information about a running Tarantool instance to the specified feedback server.", "properties": { "crashinfo": { "default": true, "description": "Whether to send crash information in the case of an instance failure. This information includes:\n\n- General information from the `uname` output.\n- Build information.\n- The crash reason.\n- The stack trace.\n\nTo turn off sending crash information, set this option to `false`.", "type": "boolean" }, "enabled": { "default": true, "description": "Whether to send information about a running instance to the feedback server. To turn off sending feedback, set this option to `false`.", "type": "boolean" }, "host": { "default": "https://feedback.tarantool.io", "description": "The address to which information is sent.", "type": "string" }, "interval": { "default": 3600, "description": "The interval (in seconds) of sending information.", "type": "number" }, "metrics_collect_interval": { "default": 60, "description": "The interval (in seconds) for collecting metrics.", "type": "number" }, "metrics_limit": { "default": 1048576, "description": "The maximum size of memory (in bytes) used to store metrics before sending them to the feedback server. If the size of collected metrics exceeds this value, earlier metrics are dropped.", "type": "integer" }, "send_metrics": { "default": true, "description": "Whether to send metrics to the feedback server. Note that all collected metrics are dropped after sending them to the feedback server.", "type": "boolean" } }, "type": "object" }, "fiber": { "additionalProperties": false, "description": "The `fiber` section describes options related to configuring fibers, yields, and cooperative multitasking.", "properties": { "io_collect_interval": { "default": null, "description": "The time period (in seconds) a fiber sleeps between iterations of the event loop.\n\n`fiber.io_collect_interval` can be used to reduce CPU load in deployments where the number of client connections is large, but requests are not so frequent (for example, each connection issues just a handful of requests per second).", "type": "number" }, "slice": { "additionalProperties": false, "description": "This section describes options related to configuring time periods for fiber slices. See `fiber.set_max_slice` for details and examples.", "properties": { "err": { "default": 1, "description": "Set a time period (in seconds) that specifies the warning slice.", "type": "number" }, "warn": { "default": 0.5, "description": "Set a time period (in seconds) that specifies the error slice.", "type": "number" } }, "type": "object" }, "too_long_threshold": { "default": 0.5, "description": "If processing a request takes longer than the given period (in seconds), the fiber warns about it in the log.\n\n`fiber.too_long_threshold` has effect only if `log.level` is greater than or equal to 4 (`warn`).", "type": "number" }, "top": { "additionalProperties": false, "description": "This section describes options related to configuring the `fiber.top()` function, normally used for debug purposes. `fiber.top()` shows all alive fibers and their CPU consumption.", "properties": { "enabled": { "default": false, "description": "Enable or disable the `fiber.top()` function.\n\nEnabling `fiber.top()` slows down fiber switching by about 15%, so it is disabled by default.", "type": "boolean" } }, "type": "object" }, "tx_user_pool_size": { "default": 768, "description": "Specify the size of the fiber pool used in the TX thread for executing user-defined callbacks pushed via the `tnt_tx_push()` C API function. This pool operates similarly to the fiber pool for handling IProto requests, whose size is defined by `box.cfg.net_msg_max`.\n\nIncrease the pool size if the application requires executing a large number of concurrent callbacks, especially if they involve yielding operations or high transaction loads.\n\nNotes:\n\n- The callbacks are executed in the order they are pushed, but the completion order is undefined for yielding callbacks\n- Mismanaging the pool size or callback rate can lead to unpredictable latency or memory overflows (OOM)", "type": "integer" }, "worker_pool_threads": { "default": 4, "description": "The maximum number of threads to use during execution of certain internal processes (for example, `socket.getaddrinfo()` and `coio_call()`).", "type": "number" } }, "type": "object" }, "flightrec": { "additionalProperties": false, "description": "The flightrec section describes options related to the flight recorder configuration.", "properties": { "enabled": { "default": false, "description": "Enable the flight recorder.", "type": "boolean" }, "logs_log_level": { "default": 6, "description": "Specify the level of detail the log has. The default value is 6 (`VERBOSE`). You can learn more about log levels from the log_level option description. Note that the `flightrec.logs_log_level` value might differ from `log_level`.", "enum": [ 0, 1, 2, 3, 4, 5, 6, 7 ], "type": "integer" }, "logs_max_msg_size": { "default": 4096, "description": "Specify the maximum size (in bytes) of the log message. The log message is truncated if its size exceeds this limit.", "type": "integer" }, "logs_size": { "default": 10485760, "description": "Specify the size (in bytes) of the log storage. You can set this option to 0 to disable the log storage.", "type": "integer" }, "metrics_interval": { "default": 1, "description": "Specify the time interval (in seconds) that defines the frequency of dumping metrics. This value shouldn't exceed `flightrec.metrics_period`.", "type": "number" }, "metrics_period": { "default": 180, "description": "Specify the time period (in seconds) that defines how long metrics are stored from the moment of dump. So, this value defines how much historical metrics data is collected up to the moment of crash. The frequency of metric dumps is defined by `flightrec.metrics_interval`.", "type": "number" }, "requests_max_req_size": { "default": 16384, "description": "Specify the maximum size (in bytes) of a request entry. A request entry is truncated if this size is exceeded.", "type": "integer" }, "requests_max_res_size": { "default": 16384, "description": "Specify the maximum size (in bytes) of a response entry. A response entry is truncated if this size is exceeded.", "type": "integer" }, "requests_size": { "default": 10485760, "description": "Specify the size (in bytes) of storage for the request and response data. You can set this parameter to 0 to disable a storage of requests and responses.", "type": "integer" } }, "type": "object" }, "iproto": { "additionalProperties": false, "description": "The iproto section is used to configure parameters related to communicating to and between cluster instances.", "properties": { "advertise": { "additionalProperties": false, "description": "URIs for cluster members and external clients to let them know where to connect.", "properties": { "client": { "default": null, "description": "A URI used to advertise the current instance to clients.\n\nThe iproto.advertise.client option accepts a URI in the following formats:\n\n- An address: `host:port`.\n- A Unix domain socket: `unix/:`.\n\nNote that this option doesn't allow to set a username and password. If a remote client needs this information, it should be delivered outside of the cluster configuration.", "type": "string" }, "peer": { "additionalProperties": false, "description": "Settings used to advertise the current instance to other cluster members. The format of these settings is described in `iproto.advertise..*`.", "properties": { "login": { "description": "(Optional) A username used to connect to the current instance. If a username is not set, the guest user is used.", "type": "string" }, "params": { "additionalProperties": false, "description": "SSL parameters required for encrypted connections.", "properties": { "ssl_ca_file": { "description": "(Optional) A path to a trusted certificate authorities (CA) file. If not set, the peer won't be checked for authenticity.\n\nBoth a server and a client can use the ssl_ca_file parameter:\n\n- If it's on the server side, the server verifies the client.\n- If it's on the client side, the client verifies the server.\n- If both sides have the CA files, the server and the client verify each other.", "type": "string" }, "ssl_cert_file": { "description": "A path to an SSL certificate file:\n\n- For a server, it's mandatory.\n- For a client, it's mandatory if the ssl_ca_file parameter is set for a server; otherwise, optional.", "type": "string" }, "ssl_ciphers": { "description": "(Optional) A colon-separated (:) list of SSL cipher suites the connection can use. Note that the list is not validated: if a cipher suite is unknown, Tarantool ignores it, doesn't establish the connection, and writes to the log that no shared cipher was found.", "type": "string" }, "ssl_key_file": { "description": "A path to a private SSL key file:\n\n- For a server, it's mandatory.\n- For a client, it's mandatory if the `ssl_ca_file` parameter is set for a server; otherwise, optional.\n\nIf the private key is encrypted, provide a password for it in the `ssl_password` or `ssl_password_file` parameter", "type": "string" }, "ssl_password": { "description": "(Optional) A password for an encrypted private SSL key provided using `ssl_key_file`. Alternatively, the password can be provided in `ssl_password_file`.\n\nTarantool applies the `ssl_password` and `ssl_password_file` parameters in the following order:\n\n- If `ssl_password` is provided, Tarantool tries to decrypt the private key with it.\n- If `ssl_password` is incorrect or isn't provided, Tarantool tries all passwords from `ssl_password_file` one by one in the order they are written.\n- If `ssl_password` and all passwords from `ssl_password_file` are incorrect, or none of them is provided, Tarantool treats the private key as unencrypted.", "type": "string" }, "ssl_password_file": { "description": "(Optional) A text file with one or more passwords for encrypted private SSL keys provided using `ssl_key_file` (each on a separate line). Alternatively, the password can be provided in `ssl_password`.", "type": "string" }, "transport": { "description": "Allows you to enable traffic encryption for client-server communications over binary connections. In a Tarantool cluster, one instance might act as the server that accepts connections from other instances and the client that connects to other instances.\n\n`.params.transport` accepts one of the following values:\n\n- `plain` (default): turn off traffic encryption,\n- `ssl`: encrypt traffic by using the TLS 1.2 protocol (EE only).", "enum": [ "plain", "ssl" ], "type": "string" } }, "type": "object" }, "password": { "description": "(Optional) A password for the specified user. If a login is specified but a password is missing, it is taken from the user's credentials.", "type": "string" }, "uri": { "description": "(Optional) A URI used to advertise the current instance. By default, the URI defined in iproto.listen is used to advertise the current instance.", "type": "string" } }, "type": "object" }, "sharding": { "additionalProperties": false, "description": "Settings used to advertise the current instance to a router and rebalancer. The format of these settings is described in `iproto.advertise..*`.", "properties": { "login": { "description": "(Optional) A username used to connect to the current instance. If a username is not set, the guest user is used.", "type": "string" }, "params": { "additionalProperties": false, "description": "SSL parameters required for encrypted connections.", "properties": { "ssl_ca_file": { "description": "(Optional) A path to a trusted certificate authorities (CA) file. If not set, the peer won't be checked for authenticity.\n\nBoth a server and a client can use the ssl_ca_file parameter:\n\n- If it's on the server side, the server verifies the client.\n- If it's on the client side, the client verifies the server.\n- If both sides have the CA files, the server and the client verify each other.", "type": "string" }, "ssl_cert_file": { "description": "A path to an SSL certificate file:\n\n- For a server, it's mandatory.\n- For a client, it's mandatory if the ssl_ca_file parameter is set for a server; otherwise, optional.", "type": "string" }, "ssl_ciphers": { "description": "(Optional) A colon-separated (:) list of SSL cipher suites the connection can use. Note that the list is not validated: if a cipher suite is unknown, Tarantool ignores it, doesn't establish the connection, and writes to the log that no shared cipher was found.", "type": "string" }, "ssl_key_file": { "description": "A path to a private SSL key file:\n\n- For a server, it's mandatory.\n- For a client, it's mandatory if the `ssl_ca_file` parameter is set for a server; otherwise, optional.\n\nIf the private key is encrypted, provide a password for it in the `ssl_password` or `ssl_password_file` parameter", "type": "string" }, "ssl_password": { "description": "(Optional) A password for an encrypted private SSL key provided using `ssl_key_file`. Alternatively, the password can be provided in `ssl_password_file`.\n\nTarantool applies the `ssl_password` and `ssl_password_file` parameters in the following order:\n\n- If `ssl_password` is provided, Tarantool tries to decrypt the private key with it.\n- If `ssl_password` is incorrect or isn't provided, Tarantool tries all passwords from `ssl_password_file` one by one in the order they are written.\n- If `ssl_password` and all passwords from `ssl_password_file` are incorrect, or none of them is provided, Tarantool treats the private key as unencrypted.", "type": "string" }, "ssl_password_file": { "description": "(Optional) A text file with one or more passwords for encrypted private SSL keys provided using `ssl_key_file` (each on a separate line). Alternatively, the password can be provided in `ssl_password`.", "type": "string" }, "transport": { "description": "Allows you to enable traffic encryption for client-server communications over binary connections. In a Tarantool cluster, one instance might act as the server that accepts connections from other instances and the client that connects to other instances.\n\n`.params.transport` accepts one of the following values:\n\n- `plain` (default): turn off traffic encryption,\n- `ssl`: encrypt traffic by using the TLS 1.2 protocol (EE only).", "enum": [ "plain", "ssl" ], "type": "string" } }, "type": "object" }, "password": { "description": "(Optional) A password for the specified user. If a login is specified but a password is missing, it is taken from the user's credentials.", "type": "string" }, "uri": { "description": "(Optional) A URI used to advertise the current instance. By default, the URI defined in iproto.listen is used to advertise the current instance.", "type": "string" } }, "type": "object" } }, "type": "object" }, "listen": { "default": null, "description": "An array of URIs used to listen for incoming requests. If required, you can enable SSL for specific URIs by providing additional parameters (`iproto.listen.*.params`).", "items": { "additionalProperties": false, "description": "Iproto listening socket definition.\n\nAllows to set an URI (`unix/:` or `host:port`) and SSL parameters. Minimal example: `{uri: 127.0.0.1:3301}`.", "properties": { "params": { "additionalProperties": false, "description": "SSL parameters required for encrypted connections.", "properties": { "ssl_ca_file": { "description": "(Optional) A path to a trusted certificate authorities (CA) file. If not set, the peer won't be checked for authenticity.\n\nBoth a server and a client can use the ssl_ca_file parameter:\n\n- If it's on the server side, the server verifies the client.\n- If it's on the client side, the client verifies the server.\n- If both sides have the CA files, the server and the client verify each other.", "type": "string" }, "ssl_cert_file": { "description": "A path to an SSL certificate file:\n\n- For a server, it's mandatory.\n- For a client, it's mandatory if the ssl_ca_file parameter is set for a server; otherwise, optional.", "type": "string" }, "ssl_ciphers": { "description": "(Optional) A colon-separated (:) list of SSL cipher suites the connection can use. Note that the list is not validated: if a cipher suite is unknown, Tarantool ignores it, doesn't establish the connection, and writes to the log that no shared cipher was found.", "type": "string" }, "ssl_key_file": { "description": "A path to a private SSL key file:\n\n- For a server, it's mandatory.\n- For a client, it's mandatory if the `ssl_ca_file` parameter is set for a server; otherwise, optional.\n\nIf the private key is encrypted, provide a password for it in the `ssl_password` or `ssl_password_file` parameter", "type": "string" }, "ssl_password": { "description": "(Optional) A password for an encrypted private SSL key provided using `ssl_key_file`. Alternatively, the password can be provided in `ssl_password_file`.\n\nTarantool applies the `ssl_password` and `ssl_password_file` parameters in the following order:\n\n- If `ssl_password` is provided, Tarantool tries to decrypt the private key with it.\n- If `ssl_password` is incorrect or isn't provided, Tarantool tries all passwords from `ssl_password_file` one by one in the order they are written.\n- If `ssl_password` and all passwords from `ssl_password_file` are incorrect, or none of them is provided, Tarantool treats the private key as unencrypted.", "type": "string" }, "ssl_password_file": { "description": "(Optional) A text file with one or more passwords for encrypted private SSL keys provided using `ssl_key_file` (each on a separate line). Alternatively, the password can be provided in `ssl_password`.", "type": "string" }, "transport": { "description": "Allows you to enable traffic encryption for client-server communications over binary connections. In a Tarantool cluster, one instance might act as the server that accepts connections from other instances and the client that connects to other instances.\n\n`.params.transport` accepts one of the following values:\n\n- `plain` (default): turn off traffic encryption,\n- `ssl`: encrypt traffic by using the TLS 1.2 protocol (EE only).", "enum": [ "plain", "ssl" ], "type": "string" } }, "type": "object" }, "uri": { "description": "An array of URIs used to listen for incoming requests. If required, you can enable SSL for specific URIs by providing additional parameters (`iproto.listen.*.params`).\n\nNote: the `iproto.listen.*.uri` string can't contain a login or a password, it has no sense for a listening socket.\n\nThe query-parameter form of setting SSL options is forbidden in the URI string. Use the `iproto.listen.*.params` for them.", "type": "string" } }, "type": "object" }, "type": "array" }, "net_msg_max": { "default": 768, "description": "To handle messages, Tarantool allocates fibers. To prevent fiber overhead from affecting the whole system, Tarantool restricts how many messages the fibers handle, so that some pending requests are blocked.\n\n- On powerful systems, increase `net_msg_max`, and the scheduler starts processing pending requests immediately.\n- On weaker systems, decrease `net_msg_max`, and the overhead may decrease. However, this may take some time because the scheduler must wait until already-running requests finish.\n\nWhen `net_msg_max` is reached, Tarantool suspends processing of incoming packages until it has processed earlier messages. This is not a direct restriction of the number of fibers that handle network messages, rather it is a system-wide restriction of channel bandwidth. This in turn restricts the number of incoming network messages that the transaction processor thread handles, and therefore indirectly affects the fibers that handle network messages.", "type": "integer" }, "readahead": { "default": 16320, "description": "The size of the read-ahead buffer associated with a client connection. The larger the buffer, the more memory an active connection consumes, and the more requests can be read from the operating system buffer in a single system call.\n\nThe recommendation is to make sure that the buffer can contain at least a few dozen requests. Therefore, if a typical tuple in a request is large, e.g. a few kilobytes or even megabytes, the read-ahead buffer size should be increased. If batched request processing is not used, it's prudent to leave this setting at its default.", "type": "integer" }, "ssl": { "additionalProperties": false, "description": "SSL parameters required for encrypted connections. These parameters would be used to set up SSL IProto sockets and to connect to other instances which require certificate authority (CA).", "properties": { "ca_file": { "description": "(Optional) A path to a trusted certificate authorities (CA) file. If not set, the peer won't be checked for authenticity.\n\nBoth a server and a client can use the ca_file parameter:\n\n- If it's on the server side, the server verifies the client.\n- If it's on the client side, the client verifies the server.\n- If both sides have the CA files, the server and the client verify each other.", "type": "string" }, "ssl_cert": { "description": "A path to an SSL certificate file:\n\n- For a server, it's mandatory.\n- For a client, it's mandatory if the ca_file parameter is set for a server; otherwise, optional.", "type": "string" }, "ssl_ciphers": { "description": "(Optional) A colon-separated (:) list of SSL cipher suites the connection can use. Note that the list is not validated: if a cipher suite is unknown, Tarantool ignores it, doesn't establish the connection, and writes to the log that no shared cipher was found.", "type": "string" }, "ssl_key": { "description": "A path to a private SSL key file:\n\n- For a server, it's mandatory.\n- For a client, it's mandatory if the `ca_file` parameter is set for a server; otherwise, optional.\n\nIf the private key is encrypted, provide a password for it in the `ssl_password` or `ssl_password_file` parameter", "type": "string" }, "ssl_password": { "description": "(Optional) A password for an encrypted private SSL key provided using `ssl_key`. Alternatively, the password can be provided in `ssl_password_file`.\n\nTarantool applies the `ssl_password` and `ssl_password_file` parameters in the following order:\n\n- If `ssl_password` is provided, Tarantool tries to decrypt the private key with it.\n- If `ssl_password` is incorrect or isn't provided, Tarantool tries all passwords from `ssl_password_file` one by one in the order they are written.\n- If `ssl_password` and all passwords from `ssl_password_file` are incorrect, or none of them is provided, Tarantool treats the private key as unencrypted.", "type": "string" }, "ssl_password_file": { "description": "(Optional) A text file with one or more passwords for encrypted private SSL keys provided using `ssl_key` (each on a separate line). Alternatively, the password can be provided in `ssl_password`.", "type": "string" } }, "type": "object" }, "threads": { "default": 1, "description": "The number of network threads. There can be unusual workloads where the network thread is 100% loaded and the transaction processor thread is not, so the network thread is a bottleneck. In that case, set `iproto_threads` to 2 or more. The operating system kernel determines which connection goes to which thread.", "type": "integer" } }, "type": "object" }, "isolated": { "default": false, "description": "Temporarily isolate an instance to perform replicaset repairing activities, such as debugging a problem on the isolated instance without affecting the non-isolated part or extracting data from the isolated instance to apply on the non-isolated part of the replicaset.\n\nEffects of isolation:\n\n- The instance stops listening for new IProto connections.\n- All current IProto connections are dropped.\n- The instance switches to read-only mode.\n- The instance disconnects from all replication upstreams.\n- Other replicaset members exclude the isolated instance from their replication upstreams.\n\nNote: the isolated instance can't be bootstrapped (a local snapshot is required to start).", "type": "boolean" }, "labels": { "additionalProperties": { "description": "A value of the label with the specified name.", "type": "string" }, "description": "The `labels` section allows adding custom attributes to the instance. The keys and values are strings.", "type": "object" }, "log": { "additionalProperties": false, "description": "The `log` section defines configuration parameters related to logging. To handle logging in your application, use the log module.", "properties": { "file": { "default": "var/log/{{ instance_name }}/tarantool.log", "description": "Specify a file for logs destination. To write logs to a file, you need to set `log.to` to file. Otherwise, `log.file` is ignored.", "type": "string" }, "format": { "default": "plain", "description": "Specify a format that is used for a log entry. The following formats are supported:\n\n- `plain`: a log entry is formatted as plain text.\n- `json`: a log entry is formatted as JSON and includes additional fields.", "enum": [ "plain", "json" ], "type": "string" }, "level": { "default": 5, "description": "Specify the level of detail logs have. There are the following levels:\n\n- 0: `fatal`\n- 1: `syserror`\n- 2: `error`\n- 3: `crit`\n- 4: `warn`\n- 5: `info`\n- 6: `verbose`\n- 7: `debug`\n\nBy setting log.level, you can enable logging of all events with severities above or equal to the given level.", "enum": [ 0, "fatal", 1, "syserror", 2, "error", 3, "crit", 4, "warn", 5, "info", 6, "verbose", 7, "debug" ], "type": [ "string", "number" ] }, "modules": { "additionalProperties": { "description": "The log level.\n\nFor example: you have module placed by the following path: `test/module.lua`. To configure logging levels, you need to provide module names corresponding to paths to these modules: `test.module: 'verbose'`.", "type": [ "string", "number" ] }, "default": null, "description": "Configure the specified log levels (`log.level`) for different modules.\n\nYou can specify a logging level for the following module types:\n\n- Modules (files) that use the default logger.\n- Modules that use custom loggers created using the `log.new()` function.\n- The tarantool module that enables you to configure the logging level for Tarantool core messages. Specifically, it configures the logging level for messages logged from non-Lua code, including C modules.", "type": "object" }, "nonblock": { "default": false, "description": "Specify the logging behavior if the system is not ready to write. If set to `true`, Tarantool does not block during logging if the system is non-writable and writes a message instead. Using this value may improve logging performance at the cost of losing some log messages.", "type": "boolean" }, "pipe": { "default": null, "description": "Start a program and write logs to its standard input (`stdin`). To send logs to a program's standard input, you need to set `log.to` to `pipe`.", "type": "string" }, "syslog": { "additionalProperties": false, "description": "Syslog configurations parameters. To write logs to syslog, you need to set `log.to` to `syslog`.", "properties": { "facility": { "default": "local7", "description": "Specify the syslog facility to be used when syslog is enabled. To write logs to syslog, you need to set `log.to` to `syslog`.", "type": "string" }, "identity": { "default": "tarantool", "description": "Specify an application name used to identify Tarantool messages in syslog logs. To write logs to syslog, you need to set `log.to` to `syslog`.", "type": "string" }, "server": { "default": null, "description": "Set a location of a syslog server. This option accepts one of the following values:\n\n- An address. Example: `127.0.0.1:514`.\n- A Unix socket path starting with `unix:`. Examples: `unix:/dev/log` on Linux or `unix:/var/run/syslog` on macOS.\n\nTo write logs to syslog, you need to set `log.to` to `syslog`.", "type": "string" } }, "type": "object" }, "to": { "default": "stderr", "description": "Define a location Tarantool sends logs to. This option accepts the following values:\n\n- `stderr`: write logs to the standard error stream.\n- `file`: write logs to a file.\n- `pipe`: start a program and write logs to its standard input.\n- `syslog`: write logs to a system logger.", "enum": [ "stderr", "file", "pipe", "syslog" ], "type": "string" } }, "type": "object" }, "lua": { "additionalProperties": false, "description": "This section defines configuration parameters related to Lua within Tarantool.", "properties": { "memory": { "default": 2147483648, "description": "Define amount of memory available to Lua in bytes. Default is 2GB, with a minimum of 256MB.\n\nThe limit can be adjusted dynamically if the new value is greater than the used memory amount. Otherwise, a restart is required for changes to take effect.", "type": "integer" } }, "type": "object" }, "memtx": { "additionalProperties": false, "description": "This section is used to configure parameters related to the memtx engine.", "properties": { "allocator": { "default": "small", "description": "Specify the allocator that manages memory for memtx tuples. Possible values:\n\n- `system` - the memory is allocated as needed, checking that the quota is not exceeded. The allocator is based on the `malloc` function.\n- `small` - a slab allocator. The allocator repeatedly uses a memory block to allocate objects of the same type. Note that this allocator is prone to unresolvable fragmentation on specific workloads, so you can switch to `system` in such cases.", "enum": [ "small", "system" ], "type": "string" }, "max_tuple_size": { "default": 1048576, "description": "Size of the largest allocation unit for the memtx storage engine in bytes. It can be increased if it is necessary to store large tuples.", "type": "integer" }, "memory": { "default": 268435456, "description": "The amount of memory in bytes that Tarantool allocates to store tuples. When the limit is reached, `INSERT` and `UPDATE` requests fail with the `ER_MEMORY_ISSUE` error. The server does not go beyond the `memtx.memory` limit to allocate tuples, but there is additional memory used to store indexes and connection information.", "type": "integer" }, "min_tuple_size": { "default": 16, "description": "Size of the smallest allocation unit in bytes. It can be decreased if most of the tuples are very small.", "type": "integer" }, "slab_alloc_factor": { "default": 1.05, "description": "The multiplier for computing the sizes of memory chunks that tuples are stored in. A lower value may result in less wasted memory depending on the total amount of memory available and the distribution of item sizes.", "type": "number" }, "slab_alloc_granularity": { "default": 8, "description": "Specify the granularity in bytes of memory allocation in the small allocator. The `memtx.slab_alloc_granularity` value should meet the following conditions:\n\n- The value is a power of two.\n- The value is greater than or equal to 4.\n\nBelow are few recommendations on how to adjust the `memtx.slab_alloc_granularity option`:\n\n- If the tuples in space are small and have about the same size, set the option to 4 bytes to save memory.\n- If the tuples are different-sized, increase the option value to allocate tuples from the same `mempool` (memory pool).", "type": "integer" }, "sort_threads": { "default": null, "description": "The number of threads from the thread pool used to sort keys of secondary indexes on loading a `memtx` database. The minimum value is 1, the maximum value is 256. The default is to use all available cores.", "type": "integer" }, "use_sort_data": { "default": false, "description": "Whether to use the O(n) secondary key sort using additional snapshot data (if the latter is available) and write the data during `box.snapshot()`.", "type": "boolean" } }, "type": "object" }, "metrics": { "additionalProperties": false, "description": "The `metrics` section provides the ability to collect and expose Tarantool metrics (e.g. network, cpu, memtx and others).", "properties": { "exclude": { "description": "An array containing groups of metrics to turn off. The array can contain the same values as the `exclude` configuration parameter passed to `metrics.cfg()`.", "items": { "description": "A name of a group of metrics.", "enum": [ "all", "network", "operations", "system", "replicas", "info", "slab", "runtime", "memory", "spaces", "fibers", "cpu", "vinyl", "memtx", "luajit", "clock", "event_loop", "cpu_extended", "schema" ], "type": "string" }, "type": "array", "uniqueItems": true }, "include": { "description": "An array containing groups of metrics to turn on. The array can contain the same values as the `include` configuration parameter passed to `metrics.cfg()`.", "items": { "description": "A name of a group of metrics.", "enum": [ "all", "network", "operations", "system", "replicas", "info", "slab", "runtime", "memory", "spaces", "fibers", "cpu", "vinyl", "memtx", "luajit", "clock", "event_loop", "cpu_extended", "schema" ], "type": "string" }, "type": "array", "uniqueItems": true }, "labels": { "additionalProperties": { "description": "Label value.", "type": "string" }, "description": "Global labels to be added to every observation.", "type": "object" } }, "type": "object" }, "process": { "additionalProperties": false, "description": "The `process` section defines configuration parameters of the Tarantool process in the system.", "properties": { "background": { "default": false, "description": "Run the server as a daemon process.\n\nIf this option is set to true, Tarantool log location defined by the `log.to` option should be set to file, pipe, or syslog - anything other than stderr, the default, because a daemon process is detached from a terminal and it can't write to the terminal's stderr.\n\nWarn: Do not enable the background mode for applications intended to run by the tt utility.", "type": "boolean" }, "coredump": { "default": false, "description": "Create coredump files.\n\nUsually, an administrator needs to call `ulimit -c unlimited` (or set corresponding options in systemd's unit file) before running a Tarantool process to get core dumps. If `process.coredump` is enabled, Tarantool sets the corresponding resource limit by itself and the administrator doesn't need to call `ulimit -c unlimited` (see man 3 setrlimit).\n\nThis option also sets the state of the `dumpable` attribute, which is enabled by default, but may be dropped in some circumstances (according to man 2 prctl, see PR_SET_DUMPABLE).", "type": "boolean" }, "pid_file": { "default": "var/run/{{ instance_name }}/tarantool.pid", "description": "Store the process id in this file.\n\nThis option may contain a relative file path. In this case, it is interpreted as relative to `process.work_dir`.", "type": "string" }, "strip_core": { "default": true, "description": "Whether coredump files should not include memory allocated for tuples - this memory can be large if Tarantool runs under heavy load. Setting to `true` means \"do not include\".", "type": "boolean" }, "title": { "default": "tarantool - {{ instance_name }}", "description": "Add the given string to the server's process title (it is shown in the COMMAND column for the Linux commands `ps -ef` and `top -c`).", "type": "string" }, "username": { "default": null, "description": "The name of the system user to switch to after start.", "type": "string" }, "work_dir": { "default": null, "description": "A directory where Tarantool working files will be stored (database files, logs, a PID file, a console Unix socket, and other files if an application generates them in the current directory). The server instance switches to `process.work_dir` with chdir(2) after start.\n\nIf set as a relative file path, it is relative to the current working directory, from where Tarantool is started. If not specified, defaults to the current working directory.\n\nOther directory and file parameters, if set as relative paths, are interpreted as relative to `process.work_dir`, for example, directories for storing snapshots and write-ahead logs.", "type": "string" } }, "type": "object" }, "quiver": { "additionalProperties": false, "description": "This section defines configuration parameters related to the quiver storage engine.", "properties": { "dir": { "default": "var/lib/{{ instance_name }}", "description": "A directory where quiver files or subdirectories will be stored. This option may contain a relative file path. In this case, it is interpreted as relative to `process.work_dir`.", "type": "string" }, "memory": { "default": 134217728, "description": "The maximum size of in-memory buffers used for accumulating write requests. The quiver engine decides when it should start dumping in-memory buffers to disk depending on this parameter.", "type": "integer" }, "run_size": { "default": 16777216, "description": "The maximum size of a run file, in bytes. When the quiver engine dumps in-memory buffers to disk, it splits the output stream into files depending on this parameter.", "type": "integer" } }, "type": "object" }, "replication": { "additionalProperties": false, "description": "This section defines configuration parameters related to replication.", "properties": { "anon": { "default": false, "description": "Whether to make the current instance act as an anonymous replica. Anonymous replicas are read-only and can be used, for example, for backups.\n\nTo make the specified instance act as an anonymous replica, set `replication.anon` to `true`.\n\nAnonymous replicas are not displayed in the `box.info.replication` section. You can check their status using `box.info.replication_anon()`.\n\nWhile anonymous replicas are read-only, you can write data to replication-local and temporary spaces (created with `is_local = true` and `temporary = true`, respectively). Given that changes to replication-local spaces are allowed, an anonymous replica might increase the 0 component of the vclock value.\n\nHere are the limitations of having anonymous replicas in a replica set:\n\n- A replica set must contain at least one non-anonymous instance.\n- An anonymous replica can't be configured as a writable instance by setting database.mode to rw or making it a leader using `.leader.`\n- If `replication.failover` is set to election, an anonymous replica can have `replication.election_mode` set to `off` only.\n- If `replication.failover` is set to `supervised`, an external failover coordinator doesn't consider anonymous replicas when selecting a bootstrap or replica set leader.", "type": "boolean" }, "anon_ttl": { "default": 3600, "description": "Time-to-live (in seconds) of disconnected anonymous replicas (see `replication.anon` for the definition of anonymous replica). If an anonymous replica hasn't been in touch for longer than `replication.anon_ttl`, it is removed from the instance.", "type": "number" }, "autoexpel": { "additionalProperties": false, "description": "Automatically expel instances.\n\nThe option is useful for management of dynamic clusters using the YAML configuration. The option allows to automatically expel instances that are removed from the YAML configuration.\n\nOnly instances whose names start from the given prefix are taken into account, all the others are ignored. Also, instances without a persistent name set are ignored too.\n\nIf an instance is in read-write mode and has a latest database schema, it performs expelling of the instances:\n\n- with the given prefix, *and*\n- not present in the YAML configuration.\n\nThe expelling process the usual one: deletion from the `_cluster` system space.\n\nThe autoexpel logic works on startup and reacts on the reconfiguration and the `box.status` watcher event. If a new instance is joined and neither of these two events occur, autoexpel does not perform any actions on it. In other words, it doesn't forbid joining of an instance that met the autoexpel criterion.\n\nThe option is allowed on the `replicaset`, `group` and `global` levels, but forbidden on the `instance` level of the cluster configuration.", "properties": { "by": { "description": "The autoexpel criterion: it defines how to determine that an instance is part of the cluster configuration and is not an external service that uses the replication channel (such as a CDC tool).\n\nNow, only `replication.autoexpel.by` = `prefix` criterion is supported. A user have to set it explicitly.\n\nIn future we can provide other criteria and set one of them as default.", "enum": [ "prefix" ], "type": "string" }, "enabled": { "default": false, "description": "Determines, whether the autoexpelling logic is enabled at all. If the option is set, `replication.autoexpel.by` and `replication.autoexpel.prefix` are required.", "type": "boolean" }, "prefix": { "description": "Defines a pattern for instance names that are considered a part of the cluster (not some external services).\n\nFor example, if all the instances in the cluster configuration are prefixed with the replica set name, one can use `replication.autoexpel.prefix` = '{{ replicaset_name }}'`.\n\nIf all the instances follow the `i-\\d\\d\\d` pattern, the option can be set to `i-`.", "type": "string" } }, "type": "object" }, "bootstrap_strategy": { "default": "auto", "description": "Specifies a strategy used to bootstrap a replica set. The following strategies are available:\n\n- `auto`: a node doesn't boot if half or more of the other nodes in a replica set are not connected. For example, if a replica set contains 2 or 3 nodes, a node requires 2 connected instances. In the case of 4 or 5 nodes, at least 3 connected instances are required. Moreover, a bootstrap leader fails to boot unless every connected node has chosen it as a bootstrap leader.\n- `config`: use the specified node to bootstrap a replica set. To specify the bootstrap leader, use the `.bootstrap_leader` option.\n- `supervised`: a bootstrap leader isn't chosen automatically but should be appointed using `box.ctl.make_bootstrap_leader()` on the desired node. The bootstrap leader management is in the user's responsibility unless the failover coordinator is in use (replication.failover = supervised).\n- `native`: the bootstrap leader management is performed by config's code in sync with the RO/RW management (the algorithm depends on replication.failover). If replication.failover = supervised, then the failover coordinator manages the bootstrap leader.\n\nThis strategy is similar to `auto` from the user perspective: everything is handled by tarantool (or coordinator) on its own. However, it is based on the modern `supervised` strategy, which allows to overcome some limitations. - `legacy` (deprecated since 2.11.0): a node requires the `replication_connect_quorum` number of other nodes to be connected. This option is added to keep the compatibility with the current versions of Cartridge and might be removed in the future.\n\nNote: when using bootstrap strategies `supervised` or `native` with a supervised failover (see `replication.failover` configuration option) Tarantool automatically grants the guest user privileges allowing to execute the internal `failover.execute` call for performing the initial cluster bootstrap.", "enum": [ "auto", "config", "supervised", "native", "legacy" ], "type": "string" }, "connect_timeout": { "default": 30, "description": "A timeout (in seconds) a replica waits when trying to connect to a master in a cluster.\n\nThis parameter is different from replication.timeout, which a master uses to disconnect a replica when the master receives no acknowledgments of heartbeat messages.", "type": "number" }, "election_fencing_mode": { "default": "soft", "description": "Specifies the leader fencing mode that affects the leader election process. When the parameter is set to soft or strict, the leader resigns its leadership if it has less than replication.synchro_quorum of alive connections to the cluster nodes. The resigning leader receives the status of a follower in the current election term and becomes read-only.\n\n- In `soft` mode, a connection is considered dead if there are no responses for 4 * `replication.timeout` seconds both on the current leader and the followers.\n- In `strict` mode, a connection is considered dead if there are no responses for 2 * `replication.timeout` seconds on the current leader and 4 * `replication.timeout` seconds on the followers. This improves the chances that there is only one leader at any time.\n\nFencing applies to the instances that have the `replication.election_mode` set to `candidate` or `manual`. To turn off leader fencing, set `election_fencing_mode` to off.", "enum": [ "off", "soft", "strict" ], "type": "string" }, "election_mode": { "default": null, "description": "A role of a replica set node in the leader election process.\n\nThe possible values are:\n\n- `off`: a node doesn't participate in the election activities.\n- `voter`: a node can participate in the election process but can't be a leader.\n- `candidate`: a node should be able to become a leader.\n- `manual`: allow to control which instance is the leader explicitly instead of relying on automated leader election. By default, the instance acts like a voter - it is read-only and may vote for other candidate instances. Once `box.ctl.promote()` is called, the instance becomes a candidate and starts a new election round. If the instance wins the elections, it becomes a leader but won't participate in any new elections.", "enum": [ "off", "voter", "manual", "candidate" ], "type": "string" }, "election_timeout": { "default": 5, "description": "Specifies the timeout (in seconds) between election rounds in the leader election process if the previous round ended up with a split vote.\n\nIt is quite big, and for most of the cases, it can be lowered to 300-400 ms.\n\nTo avoid the split vote repeat, the timeout is randomized on each node during every new election, from 100% to 110% of the original timeout value. For example, if the timeout is 300 ms and there are 3 nodes started the election simultaneously in the same term, they can set their election timeouts to 300, 310, and 320 respectively, or to 305, 302, and 324, and so on. In that way, the votes will never be split because the election on different nodes won't be restarted simultaneously.", "type": "number" }, "failover": { "default": "off", "description": "A failover mode used to take over a master role when the current master instance fails. The following modes are available:\n\n- `off`: Leadership in a replica set is controlled using the `database.mode` option. In this case, you can set the `database.mode` option to rw on all instances in a replica set to make a master-master configuration.\n- `manual`: Leadership in a replica set is controlled using the `.leader` option. In this case, a master-master configuration is forbidden.\n- `election`: Automated leader election is used to control leadership in a replica set.\n- `supervised`: (Enterprise Edition only) Leadership in a replica set is controlled using an external failover coordinator.\n\nNotes:\n\nIn the `off` mode, the default `database.mode` is determined as follows: `rw` if there is onecinstance in a replica set; `ro` if there are several instances.\n\nIn the `manual` mode, the `database.mode` option cannot be set explicitly. The leader is configured in the read-write mode, all the other instances are read-only.\n\nIn the `election` mode and the `supervised` mode, `database.mode` and `.leader` shouldn't be set explicitly.", "enum": [ "off", "manual", "election", "supervised" ], "type": "string" }, "linearizable_quorum": { "default": "N - Q + 1", "description": "A number of replicas to synchronize with before performing linearizable transaction.\n\nLinearizable transactions guarantee that if a write operation completes before a read operation begins, then this read will always observe the effects of that write. To ensure this, the node executing a linearizable transaction must obtain information from enough remote peers to determine the most up-to-date state of the replica set. That number of peers can be configured with this option.\n\nBy default, the linearizable quorum is evaluated dynamically as `N - Q + 1`, where: `N` - the current number of registered replicas in the replica set, `Q` - the current value of `replication.synchro_quorum`.\n\nThis default guarantees quorum intersection between synchronous writes and linearizable reads (`R + Q = N + 1`), which is a fundamental requirement for linearizability.\n\nNote: To begin a linearizable transaction, the MVCC must be enabled and `txn_isolation` must be set to `linearizable`, the transaction can only perform requests to synchronous, local or temporary spaces.", "type": [ "string", "number" ] }, "peers": { "default": null, "description": "URIs of instances that constitute a replica set. These URIs are used by an instance to connect to another instance as a replica.\n\nAlternatively, you can use iproto.advertise.peer to specify a URI used to advertise the current instance to other cluster members.", "items": { "description": "Specifies the URI of the instance.\n\nFor example: `replicator:topsecret@127.0.0.1:3301`.", "type": "string" }, "type": "array" }, "reconnect_timeout": { "default": null, "description": "The timeout (in seconds) between attempts to reconnect to a master in case of connection failure. Default is box.NULL. If the option is set to box.NULL, then it equals to replication_timeout.", "type": "number" }, "skip_conflict": { "default": false, "description": "By default, if a replica adds a unique key that another replica has added, replication stops with the `ER_TUPLE_FOUND` error. If `replication.skip_conflict` is set to `true`, such errors are ignored.", "type": "boolean" }, "sync_lag": { "default": 10, "description": "The maximum delay (in seconds) between the time when data is written to the master and the time when it is written to a replica.\n\nIf a replica should remain in the synched status disregarding of the network delay, set this option to a large value.", "type": "number" }, "sync_timeout": { "default": null, "description": "The timeout (in seconds) that a node waits when trying to sync with other nodes in a replica set after connecting or during a configuration update. This could fail indefinitely if `replication.sync_lag` is smaller than network latency, or if the replica cannot keep pace with master updates. If `replication.sync_timeout` expires, the replica enters `orphan` status.", "type": "number" }, "synchro_queue_max_size": { "default": 16777216, "description": "Puts a limit on the number of transactions in the master synchronous queue.\n\n`replication.synchro_queue_max_size` is measured in number of bytes to be written (0 means unlimited, which was the default behaviour before). This option affects only the behavior of the master, and defaults to 16 megabytes.\n\nNow that `replication.synchro_queue_max_size` is set on the master node, tarantool will discard new transactions that try to queue after the limit is reached. If a transaction had to be discarded, user will get an error message \"The synchronous transaction queue is full\".\n\nThis limitation does not apply during the recovery process.", "type": "integer" }, "synchro_quorum": { "default": "N / 2 + 1", "description": "A number of replicas that should confirm the receipt of a synchronous transaction before it can finish its commit.\n\nThis option supports dynamic evaluation of the quorum number. For example, the default value is `N / 2 + 1` where `N` is the current number of replicas registered in a replica set. Once any replicas are added or removed, the expression is re-evaluated automatically.\n\nNote that the default value (`at least 50% of the replica set size + 1`) guarantees data reliability. Using a value less than the canonical one might lead to unexpected results, including a split-brain.\n\n`replication.synchro_quorum` is not used on replicas. If the master fails, the pending synchronous transactions will be kept waiting on the replicas until a new master is elected.", "type": [ "string", "number" ] }, "synchro_timeout": { "default": 5, "description": "For synchronous replication only. Specify how many seconds to wait for a synchronous transaction quorum replication until it is declared failed and is rolled back.\n\nIt is not used on replicas, so if the master fails, the pending synchronous transactions will be kept waiting on the replicas until a new master is elected.", "type": "number" }, "threads": { "default": 1, "description": "The number of threads spawned to decode the incoming replication data.\n\nIn most cases, one thread is enough for all incoming data. Possible values range from 1 to 1000. If there are multiple replication threads, connections to serve are distributed evenly between the threads.", "type": "integer" }, "timeout": { "default": 1, "description": "A time interval (in seconds) used by a master to send heartbeat requests to a replica when there are no updates to send to this replica. For each request, a replica should return a heartbeat acknowledgment.\n\nIf a master or replica gets no heartbeat message for `4 * replication.timeout` seconds, a connection is dropped and a replica tries to reconnect to the master.", "type": "number" } }, "type": "object" }, "roles": { "description": "Specify the roles of an instance. To specify a role's configuration, use the roles_cfg option.", "items": { "description": "The name of a role, corresponding to the module name used in the `require` call to load the role.", "type": "string" }, "type": "array" }, "roles_cfg": { "additionalProperties": { "description": "Configuration of the given role." }, "description": "Specify a role's configuration. This option accepts a role name as the key and a role's configuration as the value. To specify the roles of an instance, use the roles option.", "type": "object" }, "security": { "additionalProperties": false, "description": "This section defines configuration parameters related to various security settings.", "properties": { "auth_delay": { "default": 0, "description": "Specify a period of time (in seconds) that a specific user should wait for the next attempt after failed authentication.\n\nThe `security.auth_retries` option lets a client try to authenticate the specified number of times before `security.auth_delay` is enforced.", "type": "number" }, "auth_retries": { "default": 0, "description": "Specify the maximum number of authentication retries allowed before `security.auth_delay` is enforced. The default value is 0, which means `security.auth_delay` is enforced after the first failed authentication attempt.\n\nThe retry counter is reset after `security.auth_delay` seconds since the first failed attempt. For example, if a client tries to authenticate fewer than `security.auth_retries` times within `security.auth_delay` seconds, no authentication delay is enforced. The retry counter is also reset after any successful authentication attempt.", "type": "integer" }, "auth_type": { "default": "chap-sha1", "description": "Specify a protocol used to authenticate users. The possible values are:\n\n- `chap-sha1`: use the CHAP protocol with SHA-1 hashing applied to passwords.\n- `pap-sha256`: use PAP authentication with the SHA256 hashing algorithm.\n\nNote that CHAP stores password hashes in the `_user` space unsalted. If an attacker gains access to the database, they may crack a password, for example, using a rainbow table. For PAP, a password is salted with a user-unique salt before saving it in the database, which keeps the database protected from cracking using a rainbow table.", "enum": [ "chap-sha1", "pap-sha256" ], "type": "string" }, "disable_guest": { "default": false, "description": "If `true`, turn off access over remote connections from unauthenticated or guest users. This option affects connections between cluster members and `net.box` connections.", "type": "boolean" }, "password_enforce_digits": { "default": false, "description": "If true, a password should contain digits (0-9).", "type": "boolean" }, "password_enforce_lowercase": { "default": false, "description": "If true, a password should contain lowercase letters (a-z).", "type": "boolean" }, "password_enforce_specialchars": { "default": false, "description": "If true, a password should contain at least one special character (such as &|?!@$).", "type": "boolean" }, "password_enforce_uppercase": { "default": false, "description": "If true, a password should contain uppercase letters (A-Z).", "type": "boolean" }, "password_history_length": { "default": 0, "description": "Specify the number of unique new user passwords before an old password can be reused. Note tarantool uses the auth_history field in the `box.space._user` system space to store user passwords.", "type": "integer" }, "password_lifetime_days": { "default": 0, "description": "Specify the maximum period of time (in days) a user can use the same password. When this period ends, a user gets the \"Password expired\" error on a login attempt. To restore access for such users, use `box.schema.user.passwd`.", "type": "integer" }, "password_min_length": { "default": 0, "description": "Specify the minimum number of characters for a password.", "type": "integer" }, "secure_erasing": { "default": false, "description": "If `true`, forces Tarantool to overwrite a data file a few times before deletion to render recovery of a deleted file impossible. The option applies to both `.xlog` and `.snap` files as well as Vinyl data files.", "type": "boolean" } }, "type": "object" }, "sharding": { "additionalProperties": false, "description": "This section defines configuration parameters related to sharding.", "properties": { "bucket_count": { "default": 3000, "description": "The total number of buckets in a cluster.", "type": "integer" }, "connection_outdate_delay": { "description": "Time to outdate old objects on reload.", "type": "number" }, "discovery_mode": { "default": "on", "description": "A mode of the background discovery fiber used by the router to find buckets.", "enum": [ "on", "off", "once" ], "type": "string" }, "failover_ping_timeout": { "default": 5, "description": "The timeout (in seconds) after which a node is considered unavailable if there are no responses during this period. The failover fiber is used to detect if a node is down.", "type": "number" }, "lock": { "description": "Whether a replica set is locked. A locked replica set cannot receive new buckets nor migrate its own buckets.", "type": "boolean" }, "rebalancer_disbalance_threshold": { "default": 1, "description": "The maximum bucket disbalance threshold (in percent). The disbalance is calculated for each replica set using the following formula:\n\n`|etalon_bucket_count - real_bucket_count| / etalon_bucket_count * 100`", "type": "number" }, "rebalancer_max_receiving": { "default": 100, "description": "The maximum number of buckets that can be received in parallel by a single replica set. This number must be limited because the rebalancer sends a large number of buckets from the existing replica sets to the newly added one. This produces a heavy load on the new replica set.", "type": "integer" }, "rebalancer_max_sending": { "default": 1, "description": "The degree of parallelism for parallel rebalancing.", "type": "integer" }, "rebalancer_mode": { "default": "auto", "description": "Configure how a rebalancer is selected:\n\n- `auto` (default): if there are no replica sets with the rebalancer sharding role (`sharding.roles`), a replica set with the rebalancer is selected automatically among all replica sets.\n- `manual`: one of the replica sets should have the rebalancer sharding role. The rebalancer is in this replica set.\n- `off`: rebalancing is turned off regardless of whether a replica set with the rebalancer sharding role exists or not.", "enum": [ "manual", "auto", "off" ], "type": "string" }, "roles": { "description": "Roles of a replica set in regard to sharding. A replica set can have the following roles:\n\n- `router`: a replica set acts as a router.\n- `storage`: a replica set acts as a storage.\n- `rebalancer`: a replica set acts as a rebalancer.\n\nThe rebalancer role is optional. If it is not specified, a rebalancer is selected automatically from the master instances of replica sets.\n\nThere can be at most one replica set with the rebalancer role. Additionally, this replica set should have a `storage` role.", "items": { "description": "Sharding role: router, storage or rebalancer.", "enum": [ "router", "storage", "rebalancer" ], "type": "string" }, "type": "array", "uniqueItems": true }, "sched_move_quota": { "default": 1, "description": "A scheduler's bucket move quota used by the rebalancer.\n\n`sched_move_quota` defines how many bucket moves can be done in a row if there are pending storage refs. Then, bucket moves are blocked and a router continues making map-reduce requests.", "type": "number" }, "sched_ref_quota": { "default": 300, "description": "A scheduler's storage ref quota used by a router's map-reduce API. For example, the `vshard.router.map_callrw()` function implements consistent map-reduce over the entire cluster.\n\n`sched_ref_quota` defines how many storage refs, therefore map-reduce requests, can be executed on the storage in a row if there are pending bucket moves. Then, storage refs are blocked and the rebalancer continues bucket moves.", "type": "number" }, "shard_index": { "default": "bucket_id", "description": "The name or ID of a TREE index over the bucket id. Spaces without this index do not participate in a sharded Tarantool cluster and can be used as regular spaces if needed. It is necessary to specify the first part of the index, other parts are optional.", "type": "string" }, "sync_timeout": { "default": 1, "description": "The timeout to wait for synchronization of the old master with replicas before demotion. Used when switching a master or when manually calling the `sync()` function.", "type": "number" }, "weight": { "default": 1, "description": "The relative amount of data that a replica set can store.", "type": "number" }, "zone": { "description": "A zone that can be set for routers and replicas. This allows sending read-only requests not only to a master instance but to any available replica that is the nearest to the router.", "type": "integer" } }, "type": "object" }, "snapshot": { "additionalProperties": false, "description": "This section defines configuration parameters related to the snapshot files.", "properties": { "by": { "additionalProperties": false, "description": "An object containing configuration options that specify the conditions under which automatic snapshots are created by the checkpoint daemon. This includes settings like `interval` for time-based snapshots and `wal_size` for snapshots triggered when the total size of WAL files exceeds a certain threshold.", "properties": { "interval": { "default": 3600, "description": "The interval in seconds between actions by the checkpoint daemon. If the option is set to a value greater than zero, and there is activity that causes change to a database, then the checkpoint daemon calls `box.snapshot()` every `snapshot.by.interval` seconds, creating a new snapshot file each time. If the option is set to zero, the checkpoint daemon is disabled.", "type": "number" }, "wal_size": { "default": 1e+18, "description": "The threshold for the total size in bytes for all WAL files created since the last snapshot taken. Once the configured threshold is exceeded, the WAL thread notifies the checkpoint daemon that it must make a new snapshot and delete old WAL files.", "type": "integer" } }, "type": "object" }, "count": { "default": 2, "description": "The maximum number of snapshots that are stored in the `snapshot.dir` directory. If the number of snapshots after creating a new one exceeds this value, the Tarantool garbage collector deletes old snapshots. If `snapshot.count` is set to zero, the garbage collector does not delete old snapshots.", "type": "integer" }, "dir": { "default": "var/lib/{{ instance_name }}", "description": "A directory where memtx stores snapshot (`.snap`) files. A relative path in this option is interpreted as relative to `process.work_dir`.\n\nBy default, snapshots and WAL files are stored in the same directory. However, you can set different values for the `snapshot.dir` and `wal.dir` options to store them on different physical disks for performance matters.", "type": "string" }, "snap_io_rate_limit": { "default": null, "description": "Reduce the throttling effect of `box.snapshot()` on `INSERT/UPDATE/DELETE` performance by setting a limit on how many megabytes per second it can write to disk. The same can be achieved by splitting `wal.dir` and `snapshot.dir` locations and moving snapshots to a separate disk. The limit also affects what `box.stat.vinyl().regulator` may show for the write rate of dumps to `.run` and `.index` files.", "type": "number" } }, "type": "object" }, "sql": { "additionalProperties": false, "description": "This section defines configuration parameters related to SQL.", "properties": { "cache_size": { "default": 5242880, "description": "The maximum cache size (in bytes) for all SQL prepared statements. To see the actual cache size, use `box.info.sql().cache.size`.", "type": "integer" } }, "type": "object" }, "stateboard": { "additionalProperties": false, "description": "These options define configuration parameters related to the stateboard service allowing Tarantool instances to report their state into some extra key-value storage (e.g. etcd or Tarantool config.storage).\n\nAn instance with an enabled stateboard reports its status to `/state/by-name/{{ instance_name }}` where prefix is received from the `config.*.prefix` option. The provided information is in YAML format with the following fields:\n\n- `hostname` (`string`): hostname.\n- `pid` (`integer`): Tarantool process ID.\n- `mode` (`'ro'` or `'rw'`): instance mode (see `box.info.ro`).\n- `ro_reason` (`string`): the reason why the instance is read-only (see `box.info.ro_reason`).\n- `status` (`string`): instance status (see `box.info.status` for possible values and their description).", "properties": { "enabled": { "default": false, "description": "Enable or disable the stateboard service.", "type": "boolean" }, "keepalive_interval": { "default": 10, "description": "A time interval (in seconds) that specifies how long a transient state information is stored.", "type": "number" }, "renew_interval": { "default": 2, "description": "A time interval (in seconds) that specifies how often a Tarantool instance writes its state information to the stateboard.", "type": "number" } }, "type": "object" }, "threads": { "additionalProperties": false, "description": "The `threads` section defines configuration parameters related to application threads.", "properties": { "groups": { "description": "An array of thread groups.", "items": { "additionalProperties": false, "description": "Thread group definition.", "properties": { "name": { "description": "Thread group name.\n\nEach thread group must have a unique name. The name \"tx\" must not be used because it is reserved for the main thread.", "type": "string" }, "size": { "description": "Number of threads in the group.", "type": "integer" } }, "type": "object" }, "type": "array" } }, "type": "object" }, "vinyl": { "additionalProperties": false, "description": "This section defines configuration parameters related to the vinyl storage engine.", "properties": { "bloom_fpr": { "default": 0.05, "description": "A bloom filter's false positive rate - the suitable probability of the bloom filter to give a wrong result. The `vinyl.bloom_fpr` setting is a default value for the bloom_fpr option passed to `space_object:create_index()`.", "type": "number" }, "cache": { "default": 134217728, "description": "The cache size for the vinyl storage engine. The cache can be resized dynamically.", "type": "integer" }, "defer_deletes": { "default": false, "description": "Enable the deferred DELETE optimization in vinyl. It was disabled by default since Tarantool version 2.10 to avoid possible performance degradation of secondary index reads.", "type": "boolean" }, "dir": { "default": "var/lib/{{ instance_name }}", "description": "A directory where vinyl files or subdirectories will be stored. This option may contain a relative file path. In this case, it is interpreted as relative to `process.work_dir`.", "type": "string" }, "max_tuple_size": { "default": 1048576, "description": "The size of the largest allocation unit, for the vinyl storage engine. It can be increased if it is necessary to store large tuples.", "type": "integer" }, "memory": { "default": 134217728, "description": "The maximum number of in-memory bytes that vinyl uses.", "type": "integer" }, "page_size": { "default": 8192, "description": "The page size. A page is a read/write unit for vinyl disk operations. The `vinyl.page_size` setting is a default value for the page_size option passed to `space_object:create_index()`.", "type": "integer" }, "range_size": { "default": null, "description": "The default maximum range size for a vinyl index, in bytes. The maximum range size affects the decision of whether to split a range.\n\nIf `vinyl.range_size` is specified (but the value is not null or 0), then it is used as the default value for the range_size option passed to `space_object:create_index()`.\n\nIf `vinyl.range_size` is not specified (or is explicitly set to null or 0), and `range_size` is not specified when the index is created, then Tarantool sets a value later depending on performance considerations. To see the actual value, use `index_object:stat().range_size`.", "type": "integer" }, "read_threads": { "default": 1, "description": "The maximum number of read threads that vinyl can use for concurrent operations, such as I/O and compression.", "type": "integer" }, "run_count_per_level": { "default": 2, "description": "The maximum number of runs per level in the vinyl LSM tree. If this number is exceeded, a new level is created. The `vinyl.run_count_per_level` setting is a default value for the run_count_per_level option passed to `space_object:create_index()`.", "type": "integer" }, "run_size_ratio": { "default": 3.5, "description": "The ratio between the sizes of different levels in the LSM tree. The `vinyl.run_size_ratio` setting is a default value for the run_size_ratio option passed to `space_object:create_index()`.", "type": "number" }, "timeout": { "default": 60, "description": "The vinyl storage engine has a scheduler that performs compaction. When vinyl is low on available memory, the compaction scheduler may be unable to keep up with incoming update requests. In that situation, queries may time out after vinyl.timeout seconds. This should rarely occur, since normally vinyl throttles inserts when it is running low on compaction bandwidth. Compaction can also be initiated manually with `index_object:compact()`.", "type": "number" }, "write_threads": { "default": 4, "description": "The maximum number of write threads that vinyl can use for some concurrent operations, such as I/O and compression.", "type": "integer" } }, "type": "object" }, "wal": { "additionalProperties": false, "description": "This section defines configuration parameters related to write-ahead log.", "properties": { "cleanup_delay": { "description": "The delay in seconds used to prevent the Tarantool garbage collector from immediately removing write-ahead log files after a node restart. This delay eliminates possible erroneous situations when the master deletes WALs needed by replicas after restart. As a consequence, replicas sync with the master faster after its restart and don't need to download all the data again. Once all the nodes in the replica set are up and running, a scheduled garbage collection is started again even if `wal.cleanup_delay` has not expired.", "type": "number" }, "dir": { "default": "var/lib/{{ instance_name }}", "description": "A directory where write-ahead log (`.xlog`) files are stored. A relative path in this option is interpreted as relative to `process.work_dir`.\n\nBy default, WAL files and snapshots are stored in the same directory. However, you can set different values for the `wal.dir` and `snapshot.dir` options to store them on different physical disks for performance matters.", "type": "string" }, "dir_rescan_delay": { "default": 2, "description": "The time interval in seconds between periodic scans of the write-ahead-log file directory, when checking for changes to write-ahead-log files for the sake of replication or hot standby.", "type": "number" }, "ext": { "additionalProperties": false, "default": null, "description": "This section describes options related to WAL extensions.", "properties": { "new": { "description": "Enable storing a new tuple for each CRUD operation performed. The option is in effect for all spaces. To adjust the option for specific spaces, use the `wal.ext.spaces` option.", "type": "boolean" }, "old": { "description": "Enable storing an old tuple for each CRUD operation performed. The option is in effect for all spaces. To adjust the option for specific spaces, use the `wal.ext.spaces` option.", "type": "boolean" }, "spaces": { "additionalProperties": { "additionalProperties": false, "description": "Per-space WAL extensions configuration.", "properties": { "new": { "default": false, "description": "Enable storing a new tuple for each CRUD operation performed. The option is in effect for all spaces. To adjust the option for specific spaces, use the `wal.ext.spaces` option.", "type": "boolean" }, "old": { "default": false, "description": "Enable storing an old tuple for each CRUD operation performed. The option is in effect for all spaces. To adjust the option for specific spaces, use the `wal.ext.spaces` option.", "type": "boolean" } }, "type": "object" }, "description": "Enable or disable storing an old and new tuple in the WAL record for a given space explicitly. The configuration for specific spaces has priority over the configuration in the `wal.ext.new` and `wal.ext.old` options.\n\nThe option is a key-value pair:\n\n- The key is a space name (string).\n- The value is a table that includes two optional boolean options: `old` and `new`. The format and the default value of these options are described in `wal.ext.old` and `wal.ext.new`.", "type": "object" } }, "type": "object" }, "max_size": { "default": 268435456, "description": "The maximum number of bytes in a single write-ahead log file. When a request would cause an `.xlog` file to become larger than `wal.max_size`, Tarantool creates a new WAL file.", "type": "integer" }, "mode": { "default": "write", "description": "Specify fiber-WAL-disk synchronization mode as:\n\n- `none`: write-ahead log is not maintained. A node with `wal.mode` set to `none` can't be a replication master.\n- `write`: fibers wait for their data to be written to the write-ahead log (no `fsync(2)`).\n- `fsync`: fibers wait for their data, `fsync(2)` follows each `write(2)`.", "enum": [ "none", "write", "fsync" ], "type": "string" }, "queue_max_size": { "default": 16777216, "description": "The size of the queue in bytes used by a replica to submit new transactions to a write-ahead log (WAL). This option helps limit the rate at which a replica submits transactions to the WAL. Limiting the queue size might be useful when a replica is trying to sync with a master and reads new transactions faster than writing them to the WAL.", "type": "integer" }, "retention_period": { "default": 0, "description": "The delay in seconds used to prevent the Tarantool garbage collector from removing a write-ahead log file after it has been closed. If a node is restarted, `wal.retention_period` counts down from the last modification time of the write-ahead log file.\n\nThe garbage collector doesn't track write-ahead logs that are to be relayed to anonymous replicas, such as:\n\n- Anonymous replicas added as a part of a cluster configuration (see `replication.anon`).\n- CDC (Change Data Capture) that retrieves data using anonymous replication.\n\nIn case of a replica or CDC downtime, the required write-ahead logs can be removed. As a result, such a replica needs to be rebootstrapped. You can use wal.retention_period to prevent such issues.\n\nNote that `wal.cleanup_delay` option also sets the delay used to prevent the Tarantool garbage collector from removing write-ahead logs. The difference is that the garbage collector doesn't take into account `wal.cleanup_delay` if all the nodes in the replica set are up and running, which may lead to the removal of the required write-ahead logs.", "type": "number" } }, "type": "object" } }, "type": "object" }, "description": "Instances that belong to this replica set.", "type": "object" }, "iproto": { "additionalProperties": false, "description": "The iproto section is used to configure parameters related to communicating to and between cluster instances.", "properties": { "advertise": { "additionalProperties": false, "description": "URIs for cluster members and external clients to let them know where to connect.", "properties": { "client": { "default": null, "description": "A URI used to advertise the current instance to clients.\n\nThe iproto.advertise.client option accepts a URI in the following formats:\n\n- An address: `host:port`.\n- A Unix domain socket: `unix/:`.\n\nNote that this option doesn't allow to set a username and password. If a remote client needs this information, it should be delivered outside of the cluster configuration.", "type": "string" }, "peer": { "additionalProperties": false, "description": "Settings used to advertise the current instance to other cluster members. The format of these settings is described in `iproto.advertise..*`.", "properties": { "login": { "description": "(Optional) A username used to connect to the current instance. If a username is not set, the guest user is used.", "type": "string" }, "params": { "additionalProperties": false, "description": "SSL parameters required for encrypted connections.", "properties": { "ssl_ca_file": { "description": "(Optional) A path to a trusted certificate authorities (CA) file. If not set, the peer won't be checked for authenticity.\n\nBoth a server and a client can use the ssl_ca_file parameter:\n\n- If it's on the server side, the server verifies the client.\n- If it's on the client side, the client verifies the server.\n- If both sides have the CA files, the server and the client verify each other.", "type": "string" }, "ssl_cert_file": { "description": "A path to an SSL certificate file:\n\n- For a server, it's mandatory.\n- For a client, it's mandatory if the ssl_ca_file parameter is set for a server; otherwise, optional.", "type": "string" }, "ssl_ciphers": { "description": "(Optional) A colon-separated (:) list of SSL cipher suites the connection can use. Note that the list is not validated: if a cipher suite is unknown, Tarantool ignores it, doesn't establish the connection, and writes to the log that no shared cipher was found.", "type": "string" }, "ssl_key_file": { "description": "A path to a private SSL key file:\n\n- For a server, it's mandatory.\n- For a client, it's mandatory if the `ssl_ca_file` parameter is set for a server; otherwise, optional.\n\nIf the private key is encrypted, provide a password for it in the `ssl_password` or `ssl_password_file` parameter", "type": "string" }, "ssl_password": { "description": "(Optional) A password for an encrypted private SSL key provided using `ssl_key_file`. Alternatively, the password can be provided in `ssl_password_file`.\n\nTarantool applies the `ssl_password` and `ssl_password_file` parameters in the following order:\n\n- If `ssl_password` is provided, Tarantool tries to decrypt the private key with it.\n- If `ssl_password` is incorrect or isn't provided, Tarantool tries all passwords from `ssl_password_file` one by one in the order they are written.\n- If `ssl_password` and all passwords from `ssl_password_file` are incorrect, or none of them is provided, Tarantool treats the private key as unencrypted.", "type": "string" }, "ssl_password_file": { "description": "(Optional) A text file with one or more passwords for encrypted private SSL keys provided using `ssl_key_file` (each on a separate line). Alternatively, the password can be provided in `ssl_password`.", "type": "string" }, "transport": { "description": "Allows you to enable traffic encryption for client-server communications over binary connections. In a Tarantool cluster, one instance might act as the server that accepts connections from other instances and the client that connects to other instances.\n\n`.params.transport` accepts one of the following values:\n\n- `plain` (default): turn off traffic encryption,\n- `ssl`: encrypt traffic by using the TLS 1.2 protocol (EE only).", "enum": [ "plain", "ssl" ], "type": "string" } }, "type": "object" }, "password": { "description": "(Optional) A password for the specified user. If a login is specified but a password is missing, it is taken from the user's credentials.", "type": "string" }, "uri": { "description": "(Optional) A URI used to advertise the current instance. By default, the URI defined in iproto.listen is used to advertise the current instance.", "type": "string" } }, "type": "object" }, "sharding": { "additionalProperties": false, "description": "Settings used to advertise the current instance to a router and rebalancer. The format of these settings is described in `iproto.advertise..*`.", "properties": { "login": { "description": "(Optional) A username used to connect to the current instance. If a username is not set, the guest user is used.", "type": "string" }, "params": { "additionalProperties": false, "description": "SSL parameters required for encrypted connections.", "properties": { "ssl_ca_file": { "description": "(Optional) A path to a trusted certificate authorities (CA) file. If not set, the peer won't be checked for authenticity.\n\nBoth a server and a client can use the ssl_ca_file parameter:\n\n- If it's on the server side, the server verifies the client.\n- If it's on the client side, the client verifies the server.\n- If both sides have the CA files, the server and the client verify each other.", "type": "string" }, "ssl_cert_file": { "description": "A path to an SSL certificate file:\n\n- For a server, it's mandatory.\n- For a client, it's mandatory if the ssl_ca_file parameter is set for a server; otherwise, optional.", "type": "string" }, "ssl_ciphers": { "description": "(Optional) A colon-separated (:) list of SSL cipher suites the connection can use. Note that the list is not validated: if a cipher suite is unknown, Tarantool ignores it, doesn't establish the connection, and writes to the log that no shared cipher was found.", "type": "string" }, "ssl_key_file": { "description": "A path to a private SSL key file:\n\n- For a server, it's mandatory.\n- For a client, it's mandatory if the `ssl_ca_file` parameter is set for a server; otherwise, optional.\n\nIf the private key is encrypted, provide a password for it in the `ssl_password` or `ssl_password_file` parameter", "type": "string" }, "ssl_password": { "description": "(Optional) A password for an encrypted private SSL key provided using `ssl_key_file`. Alternatively, the password can be provided in `ssl_password_file`.\n\nTarantool applies the `ssl_password` and `ssl_password_file` parameters in the following order:\n\n- If `ssl_password` is provided, Tarantool tries to decrypt the private key with it.\n- If `ssl_password` is incorrect or isn't provided, Tarantool tries all passwords from `ssl_password_file` one by one in the order they are written.\n- If `ssl_password` and all passwords from `ssl_password_file` are incorrect, or none of them is provided, Tarantool treats the private key as unencrypted.", "type": "string" }, "ssl_password_file": { "description": "(Optional) A text file with one or more passwords for encrypted private SSL keys provided using `ssl_key_file` (each on a separate line). Alternatively, the password can be provided in `ssl_password`.", "type": "string" }, "transport": { "description": "Allows you to enable traffic encryption for client-server communications over binary connections. In a Tarantool cluster, one instance might act as the server that accepts connections from other instances and the client that connects to other instances.\n\n`.params.transport` accepts one of the following values:\n\n- `plain` (default): turn off traffic encryption,\n- `ssl`: encrypt traffic by using the TLS 1.2 protocol (EE only).", "enum": [ "plain", "ssl" ], "type": "string" } }, "type": "object" }, "password": { "description": "(Optional) A password for the specified user. If a login is specified but a password is missing, it is taken from the user's credentials.", "type": "string" }, "uri": { "description": "(Optional) A URI used to advertise the current instance. By default, the URI defined in iproto.listen is used to advertise the current instance.", "type": "string" } }, "type": "object" } }, "type": "object" }, "listen": { "default": null, "description": "An array of URIs used to listen for incoming requests. If required, you can enable SSL for specific URIs by providing additional parameters (`iproto.listen.*.params`).", "items": { "additionalProperties": false, "description": "Iproto listening socket definition.\n\nAllows to set an URI (`unix/:` or `host:port`) and SSL parameters. Minimal example: `{uri: 127.0.0.1:3301}`.", "properties": { "params": { "additionalProperties": false, "description": "SSL parameters required for encrypted connections.", "properties": { "ssl_ca_file": { "description": "(Optional) A path to a trusted certificate authorities (CA) file. If not set, the peer won't be checked for authenticity.\n\nBoth a server and a client can use the ssl_ca_file parameter:\n\n- If it's on the server side, the server verifies the client.\n- If it's on the client side, the client verifies the server.\n- If both sides have the CA files, the server and the client verify each other.", "type": "string" }, "ssl_cert_file": { "description": "A path to an SSL certificate file:\n\n- For a server, it's mandatory.\n- For a client, it's mandatory if the ssl_ca_file parameter is set for a server; otherwise, optional.", "type": "string" }, "ssl_ciphers": { "description": "(Optional) A colon-separated (:) list of SSL cipher suites the connection can use. Note that the list is not validated: if a cipher suite is unknown, Tarantool ignores it, doesn't establish the connection, and writes to the log that no shared cipher was found.", "type": "string" }, "ssl_key_file": { "description": "A path to a private SSL key file:\n\n- For a server, it's mandatory.\n- For a client, it's mandatory if the `ssl_ca_file` parameter is set for a server; otherwise, optional.\n\nIf the private key is encrypted, provide a password for it in the `ssl_password` or `ssl_password_file` parameter", "type": "string" }, "ssl_password": { "description": "(Optional) A password for an encrypted private SSL key provided using `ssl_key_file`. Alternatively, the password can be provided in `ssl_password_file`.\n\nTarantool applies the `ssl_password` and `ssl_password_file` parameters in the following order:\n\n- If `ssl_password` is provided, Tarantool tries to decrypt the private key with it.\n- If `ssl_password` is incorrect or isn't provided, Tarantool tries all passwords from `ssl_password_file` one by one in the order they are written.\n- If `ssl_password` and all passwords from `ssl_password_file` are incorrect, or none of them is provided, Tarantool treats the private key as unencrypted.", "type": "string" }, "ssl_password_file": { "description": "(Optional) A text file with one or more passwords for encrypted private SSL keys provided using `ssl_key_file` (each on a separate line). Alternatively, the password can be provided in `ssl_password`.", "type": "string" }, "transport": { "description": "Allows you to enable traffic encryption for client-server communications over binary connections. In a Tarantool cluster, one instance might act as the server that accepts connections from other instances and the client that connects to other instances.\n\n`.params.transport` accepts one of the following values:\n\n- `plain` (default): turn off traffic encryption,\n- `ssl`: encrypt traffic by using the TLS 1.2 protocol (EE only).", "enum": [ "plain", "ssl" ], "type": "string" } }, "type": "object" }, "uri": { "description": "An array of URIs used to listen for incoming requests. If required, you can enable SSL for specific URIs by providing additional parameters (`iproto.listen.*.params`).\n\nNote: the `iproto.listen.*.uri` string can't contain a login or a password, it has no sense for a listening socket.\n\nThe query-parameter form of setting SSL options is forbidden in the URI string. Use the `iproto.listen.*.params` for them.", "type": "string" } }, "type": "object" }, "type": "array" }, "net_msg_max": { "default": 768, "description": "To handle messages, Tarantool allocates fibers. To prevent fiber overhead from affecting the whole system, Tarantool restricts how many messages the fibers handle, so that some pending requests are blocked.\n\n- On powerful systems, increase `net_msg_max`, and the scheduler starts processing pending requests immediately.\n- On weaker systems, decrease `net_msg_max`, and the overhead may decrease. However, this may take some time because the scheduler must wait until already-running requests finish.\n\nWhen `net_msg_max` is reached, Tarantool suspends processing of incoming packages until it has processed earlier messages. This is not a direct restriction of the number of fibers that handle network messages, rather it is a system-wide restriction of channel bandwidth. This in turn restricts the number of incoming network messages that the transaction processor thread handles, and therefore indirectly affects the fibers that handle network messages.", "type": "integer" }, "readahead": { "default": 16320, "description": "The size of the read-ahead buffer associated with a client connection. The larger the buffer, the more memory an active connection consumes, and the more requests can be read from the operating system buffer in a single system call.\n\nThe recommendation is to make sure that the buffer can contain at least a few dozen requests. Therefore, if a typical tuple in a request is large, e.g. a few kilobytes or even megabytes, the read-ahead buffer size should be increased. If batched request processing is not used, it's prudent to leave this setting at its default.", "type": "integer" }, "ssl": { "additionalProperties": false, "description": "SSL parameters required for encrypted connections. These parameters would be used to set up SSL IProto sockets and to connect to other instances which require certificate authority (CA).", "properties": { "ca_file": { "description": "(Optional) A path to a trusted certificate authorities (CA) file. If not set, the peer won't be checked for authenticity.\n\nBoth a server and a client can use the ca_file parameter:\n\n- If it's on the server side, the server verifies the client.\n- If it's on the client side, the client verifies the server.\n- If both sides have the CA files, the server and the client verify each other.", "type": "string" }, "ssl_cert": { "description": "A path to an SSL certificate file:\n\n- For a server, it's mandatory.\n- For a client, it's mandatory if the ca_file parameter is set for a server; otherwise, optional.", "type": "string" }, "ssl_ciphers": { "description": "(Optional) A colon-separated (:) list of SSL cipher suites the connection can use. Note that the list is not validated: if a cipher suite is unknown, Tarantool ignores it, doesn't establish the connection, and writes to the log that no shared cipher was found.", "type": "string" }, "ssl_key": { "description": "A path to a private SSL key file:\n\n- For a server, it's mandatory.\n- For a client, it's mandatory if the `ca_file` parameter is set for a server; otherwise, optional.\n\nIf the private key is encrypted, provide a password for it in the `ssl_password` or `ssl_password_file` parameter", "type": "string" }, "ssl_password": { "description": "(Optional) A password for an encrypted private SSL key provided using `ssl_key`. Alternatively, the password can be provided in `ssl_password_file`.\n\nTarantool applies the `ssl_password` and `ssl_password_file` parameters in the following order:\n\n- If `ssl_password` is provided, Tarantool tries to decrypt the private key with it.\n- If `ssl_password` is incorrect or isn't provided, Tarantool tries all passwords from `ssl_password_file` one by one in the order they are written.\n- If `ssl_password` and all passwords from `ssl_password_file` are incorrect, or none of them is provided, Tarantool treats the private key as unencrypted.", "type": "string" }, "ssl_password_file": { "description": "(Optional) A text file with one or more passwords for encrypted private SSL keys provided using `ssl_key` (each on a separate line). Alternatively, the password can be provided in `ssl_password`.", "type": "string" } }, "type": "object" }, "threads": { "default": 1, "description": "The number of network threads. There can be unusual workloads where the network thread is 100% loaded and the transaction processor thread is not, so the network thread is a bottleneck. In that case, set `iproto_threads` to 2 or more. The operating system kernel determines which connection goes to which thread.", "type": "integer" } }, "type": "object" }, "isolated": { "default": false, "description": "Temporarily isolate an instance to perform replicaset repairing activities, such as debugging a problem on the isolated instance without affecting the non-isolated part or extracting data from the isolated instance to apply on the non-isolated part of the replicaset.\n\nEffects of isolation:\n\n- The instance stops listening for new IProto connections.\n- All current IProto connections are dropped.\n- The instance switches to read-only mode.\n- The instance disconnects from all replication upstreams.\n- Other replicaset members exclude the isolated instance from their replication upstreams.\n\nNote: the isolated instance can't be bootstrapped (a local snapshot is required to start).", "type": "boolean" }, "labels": { "additionalProperties": { "description": "A value of the label with the specified name.", "type": "string" }, "description": "The `labels` section allows adding custom attributes to the instance. The keys and values are strings.", "type": "object" }, "leader": { "description": "A replica set leader. This option can be used to set a replica set leader when manual `replication.failover` is used.\n\nTo perform controlled failover, `.leader` can be temporarily removed or set to null.", "type": "string" }, "log": { "additionalProperties": false, "description": "The `log` section defines configuration parameters related to logging. To handle logging in your application, use the log module.", "properties": { "file": { "default": "var/log/{{ instance_name }}/tarantool.log", "description": "Specify a file for logs destination. To write logs to a file, you need to set `log.to` to file. Otherwise, `log.file` is ignored.", "type": "string" }, "format": { "default": "plain", "description": "Specify a format that is used for a log entry. The following formats are supported:\n\n- `plain`: a log entry is formatted as plain text.\n- `json`: a log entry is formatted as JSON and includes additional fields.", "enum": [ "plain", "json" ], "type": "string" }, "level": { "default": 5, "description": "Specify the level of detail logs have. There are the following levels:\n\n- 0: `fatal`\n- 1: `syserror`\n- 2: `error`\n- 3: `crit`\n- 4: `warn`\n- 5: `info`\n- 6: `verbose`\n- 7: `debug`\n\nBy setting log.level, you can enable logging of all events with severities above or equal to the given level.", "enum": [ 0, "fatal", 1, "syserror", 2, "error", 3, "crit", 4, "warn", 5, "info", 6, "verbose", 7, "debug" ], "type": [ "string", "number" ] }, "modules": { "additionalProperties": { "description": "The log level.\n\nFor example: you have module placed by the following path: `test/module.lua`. To configure logging levels, you need to provide module names corresponding to paths to these modules: `test.module: 'verbose'`.", "type": [ "string", "number" ] }, "default": null, "description": "Configure the specified log levels (`log.level`) for different modules.\n\nYou can specify a logging level for the following module types:\n\n- Modules (files) that use the default logger.\n- Modules that use custom loggers created using the `log.new()` function.\n- The tarantool module that enables you to configure the logging level for Tarantool core messages. Specifically, it configures the logging level for messages logged from non-Lua code, including C modules.", "type": "object" }, "nonblock": { "default": false, "description": "Specify the logging behavior if the system is not ready to write. If set to `true`, Tarantool does not block during logging if the system is non-writable and writes a message instead. Using this value may improve logging performance at the cost of losing some log messages.", "type": "boolean" }, "pipe": { "default": null, "description": "Start a program and write logs to its standard input (`stdin`). To send logs to a program's standard input, you need to set `log.to` to `pipe`.", "type": "string" }, "syslog": { "additionalProperties": false, "description": "Syslog configurations parameters. To write logs to syslog, you need to set `log.to` to `syslog`.", "properties": { "facility": { "default": "local7", "description": "Specify the syslog facility to be used when syslog is enabled. To write logs to syslog, you need to set `log.to` to `syslog`.", "type": "string" }, "identity": { "default": "tarantool", "description": "Specify an application name used to identify Tarantool messages in syslog logs. To write logs to syslog, you need to set `log.to` to `syslog`.", "type": "string" }, "server": { "default": null, "description": "Set a location of a syslog server. This option accepts one of the following values:\n\n- An address. Example: `127.0.0.1:514`.\n- A Unix socket path starting with `unix:`. Examples: `unix:/dev/log` on Linux or `unix:/var/run/syslog` on macOS.\n\nTo write logs to syslog, you need to set `log.to` to `syslog`.", "type": "string" } }, "type": "object" }, "to": { "default": "stderr", "description": "Define a location Tarantool sends logs to. This option accepts the following values:\n\n- `stderr`: write logs to the standard error stream.\n- `file`: write logs to a file.\n- `pipe`: start a program and write logs to its standard input.\n- `syslog`: write logs to a system logger.", "enum": [ "stderr", "file", "pipe", "syslog" ], "type": "string" } }, "type": "object" }, "lua": { "additionalProperties": false, "description": "This section defines configuration parameters related to Lua within Tarantool.", "properties": { "memory": { "default": 2147483648, "description": "Define amount of memory available to Lua in bytes. Default is 2GB, with a minimum of 256MB.\n\nThe limit can be adjusted dynamically if the new value is greater than the used memory amount. Otherwise, a restart is required for changes to take effect.", "type": "integer" } }, "type": "object" }, "memtx": { "additionalProperties": false, "description": "This section is used to configure parameters related to the memtx engine.", "properties": { "allocator": { "default": "small", "description": "Specify the allocator that manages memory for memtx tuples. Possible values:\n\n- `system` - the memory is allocated as needed, checking that the quota is not exceeded. The allocator is based on the `malloc` function.\n- `small` - a slab allocator. The allocator repeatedly uses a memory block to allocate objects of the same type. Note that this allocator is prone to unresolvable fragmentation on specific workloads, so you can switch to `system` in such cases.", "enum": [ "small", "system" ], "type": "string" }, "max_tuple_size": { "default": 1048576, "description": "Size of the largest allocation unit for the memtx storage engine in bytes. It can be increased if it is necessary to store large tuples.", "type": "integer" }, "memory": { "default": 268435456, "description": "The amount of memory in bytes that Tarantool allocates to store tuples. When the limit is reached, `INSERT` and `UPDATE` requests fail with the `ER_MEMORY_ISSUE` error. The server does not go beyond the `memtx.memory` limit to allocate tuples, but there is additional memory used to store indexes and connection information.", "type": "integer" }, "min_tuple_size": { "default": 16, "description": "Size of the smallest allocation unit in bytes. It can be decreased if most of the tuples are very small.", "type": "integer" }, "slab_alloc_factor": { "default": 1.05, "description": "The multiplier for computing the sizes of memory chunks that tuples are stored in. A lower value may result in less wasted memory depending on the total amount of memory available and the distribution of item sizes.", "type": "number" }, "slab_alloc_granularity": { "default": 8, "description": "Specify the granularity in bytes of memory allocation in the small allocator. The `memtx.slab_alloc_granularity` value should meet the following conditions:\n\n- The value is a power of two.\n- The value is greater than or equal to 4.\n\nBelow are few recommendations on how to adjust the `memtx.slab_alloc_granularity option`:\n\n- If the tuples in space are small and have about the same size, set the option to 4 bytes to save memory.\n- If the tuples are different-sized, increase the option value to allocate tuples from the same `mempool` (memory pool).", "type": "integer" }, "sort_threads": { "default": null, "description": "The number of threads from the thread pool used to sort keys of secondary indexes on loading a `memtx` database. The minimum value is 1, the maximum value is 256. The default is to use all available cores.", "type": "integer" }, "use_sort_data": { "default": false, "description": "Whether to use the O(n) secondary key sort using additional snapshot data (if the latter is available) and write the data during `box.snapshot()`.", "type": "boolean" } }, "type": "object" }, "metrics": { "additionalProperties": false, "description": "The `metrics` section provides the ability to collect and expose Tarantool metrics (e.g. network, cpu, memtx and others).", "properties": { "exclude": { "description": "An array containing groups of metrics to turn off. The array can contain the same values as the `exclude` configuration parameter passed to `metrics.cfg()`.", "items": { "description": "A name of a group of metrics.", "enum": [ "all", "network", "operations", "system", "replicas", "info", "slab", "runtime", "memory", "spaces", "fibers", "cpu", "vinyl", "memtx", "luajit", "clock", "event_loop", "cpu_extended", "schema" ], "type": "string" }, "type": "array", "uniqueItems": true }, "include": { "description": "An array containing groups of metrics to turn on. The array can contain the same values as the `include` configuration parameter passed to `metrics.cfg()`.", "items": { "description": "A name of a group of metrics.", "enum": [ "all", "network", "operations", "system", "replicas", "info", "slab", "runtime", "memory", "spaces", "fibers", "cpu", "vinyl", "memtx", "luajit", "clock", "event_loop", "cpu_extended", "schema" ], "type": "string" }, "type": "array", "uniqueItems": true }, "labels": { "additionalProperties": { "description": "Label value.", "type": "string" }, "description": "Global labels to be added to every observation.", "type": "object" } }, "type": "object" }, "process": { "additionalProperties": false, "description": "The `process` section defines configuration parameters of the Tarantool process in the system.", "properties": { "background": { "default": false, "description": "Run the server as a daemon process.\n\nIf this option is set to true, Tarantool log location defined by the `log.to` option should be set to file, pipe, or syslog - anything other than stderr, the default, because a daemon process is detached from a terminal and it can't write to the terminal's stderr.\n\nWarn: Do not enable the background mode for applications intended to run by the tt utility.", "type": "boolean" }, "coredump": { "default": false, "description": "Create coredump files.\n\nUsually, an administrator needs to call `ulimit -c unlimited` (or set corresponding options in systemd's unit file) before running a Tarantool process to get core dumps. If `process.coredump` is enabled, Tarantool sets the corresponding resource limit by itself and the administrator doesn't need to call `ulimit -c unlimited` (see man 3 setrlimit).\n\nThis option also sets the state of the `dumpable` attribute, which is enabled by default, but may be dropped in some circumstances (according to man 2 prctl, see PR_SET_DUMPABLE).", "type": "boolean" }, "pid_file": { "default": "var/run/{{ instance_name }}/tarantool.pid", "description": "Store the process id in this file.\n\nThis option may contain a relative file path. In this case, it is interpreted as relative to `process.work_dir`.", "type": "string" }, "strip_core": { "default": true, "description": "Whether coredump files should not include memory allocated for tuples - this memory can be large if Tarantool runs under heavy load. Setting to `true` means \"do not include\".", "type": "boolean" }, "title": { "default": "tarantool - {{ instance_name }}", "description": "Add the given string to the server's process title (it is shown in the COMMAND column for the Linux commands `ps -ef` and `top -c`).", "type": "string" }, "username": { "default": null, "description": "The name of the system user to switch to after start.", "type": "string" }, "work_dir": { "default": null, "description": "A directory where Tarantool working files will be stored (database files, logs, a PID file, a console Unix socket, and other files if an application generates them in the current directory). The server instance switches to `process.work_dir` with chdir(2) after start.\n\nIf set as a relative file path, it is relative to the current working directory, from where Tarantool is started. If not specified, defaults to the current working directory.\n\nOther directory and file parameters, if set as relative paths, are interpreted as relative to `process.work_dir`, for example, directories for storing snapshots and write-ahead logs.", "type": "string" } }, "type": "object" }, "quiver": { "additionalProperties": false, "description": "This section defines configuration parameters related to the quiver storage engine.", "properties": { "dir": { "default": "var/lib/{{ instance_name }}", "description": "A directory where quiver files or subdirectories will be stored. This option may contain a relative file path. In this case, it is interpreted as relative to `process.work_dir`.", "type": "string" }, "memory": { "default": 134217728, "description": "The maximum size of in-memory buffers used for accumulating write requests. The quiver engine decides when it should start dumping in-memory buffers to disk depending on this parameter.", "type": "integer" }, "run_size": { "default": 16777216, "description": "The maximum size of a run file, in bytes. When the quiver engine dumps in-memory buffers to disk, it splits the output stream into files depending on this parameter.", "type": "integer" } }, "type": "object" }, "replication": { "additionalProperties": false, "description": "This section defines configuration parameters related to replication.", "properties": { "anon": { "default": false, "description": "Whether to make the current instance act as an anonymous replica. Anonymous replicas are read-only and can be used, for example, for backups.\n\nTo make the specified instance act as an anonymous replica, set `replication.anon` to `true`.\n\nAnonymous replicas are not displayed in the `box.info.replication` section. You can check their status using `box.info.replication_anon()`.\n\nWhile anonymous replicas are read-only, you can write data to replication-local and temporary spaces (created with `is_local = true` and `temporary = true`, respectively). Given that changes to replication-local spaces are allowed, an anonymous replica might increase the 0 component of the vclock value.\n\nHere are the limitations of having anonymous replicas in a replica set:\n\n- A replica set must contain at least one non-anonymous instance.\n- An anonymous replica can't be configured as a writable instance by setting database.mode to rw or making it a leader using `.leader.`\n- If `replication.failover` is set to election, an anonymous replica can have `replication.election_mode` set to `off` only.\n- If `replication.failover` is set to `supervised`, an external failover coordinator doesn't consider anonymous replicas when selecting a bootstrap or replica set leader.", "type": "boolean" }, "anon_ttl": { "default": 3600, "description": "Time-to-live (in seconds) of disconnected anonymous replicas (see `replication.anon` for the definition of anonymous replica). If an anonymous replica hasn't been in touch for longer than `replication.anon_ttl`, it is removed from the instance.", "type": "number" }, "autoexpel": { "additionalProperties": false, "description": "Automatically expel instances.\n\nThe option is useful for management of dynamic clusters using the YAML configuration. The option allows to automatically expel instances that are removed from the YAML configuration.\n\nOnly instances whose names start from the given prefix are taken into account, all the others are ignored. Also, instances without a persistent name set are ignored too.\n\nIf an instance is in read-write mode and has a latest database schema, it performs expelling of the instances:\n\n- with the given prefix, *and*\n- not present in the YAML configuration.\n\nThe expelling process the usual one: deletion from the `_cluster` system space.\n\nThe autoexpel logic works on startup and reacts on the reconfiguration and the `box.status` watcher event. If a new instance is joined and neither of these two events occur, autoexpel does not perform any actions on it. In other words, it doesn't forbid joining of an instance that met the autoexpel criterion.\n\nThe option is allowed on the `replicaset`, `group` and `global` levels, but forbidden on the `instance` level of the cluster configuration.", "properties": { "by": { "description": "The autoexpel criterion: it defines how to determine that an instance is part of the cluster configuration and is not an external service that uses the replication channel (such as a CDC tool).\n\nNow, only `replication.autoexpel.by` = `prefix` criterion is supported. A user have to set it explicitly.\n\nIn future we can provide other criteria and set one of them as default.", "enum": [ "prefix" ], "type": "string" }, "enabled": { "default": false, "description": "Determines, whether the autoexpelling logic is enabled at all. If the option is set, `replication.autoexpel.by` and `replication.autoexpel.prefix` are required.", "type": "boolean" }, "prefix": { "description": "Defines a pattern for instance names that are considered a part of the cluster (not some external services).\n\nFor example, if all the instances in the cluster configuration are prefixed with the replica set name, one can use `replication.autoexpel.prefix` = '{{ replicaset_name }}'`.\n\nIf all the instances follow the `i-\\d\\d\\d` pattern, the option can be set to `i-`.", "type": "string" } }, "type": "object" }, "bootstrap_strategy": { "default": "auto", "description": "Specifies a strategy used to bootstrap a replica set. The following strategies are available:\n\n- `auto`: a node doesn't boot if half or more of the other nodes in a replica set are not connected. For example, if a replica set contains 2 or 3 nodes, a node requires 2 connected instances. In the case of 4 or 5 nodes, at least 3 connected instances are required. Moreover, a bootstrap leader fails to boot unless every connected node has chosen it as a bootstrap leader.\n- `config`: use the specified node to bootstrap a replica set. To specify the bootstrap leader, use the `.bootstrap_leader` option.\n- `supervised`: a bootstrap leader isn't chosen automatically but should be appointed using `box.ctl.make_bootstrap_leader()` on the desired node. The bootstrap leader management is in the user's responsibility unless the failover coordinator is in use (replication.failover = supervised).\n- `native`: the bootstrap leader management is performed by config's code in sync with the RO/RW management (the algorithm depends on replication.failover). If replication.failover = supervised, then the failover coordinator manages the bootstrap leader.\n\nThis strategy is similar to `auto` from the user perspective: everything is handled by tarantool (or coordinator) on its own. However, it is based on the modern `supervised` strategy, which allows to overcome some limitations. - `legacy` (deprecated since 2.11.0): a node requires the `replication_connect_quorum` number of other nodes to be connected. This option is added to keep the compatibility with the current versions of Cartridge and might be removed in the future.\n\nNote: when using bootstrap strategies `supervised` or `native` with a supervised failover (see `replication.failover` configuration option) Tarantool automatically grants the guest user privileges allowing to execute the internal `failover.execute` call for performing the initial cluster bootstrap.", "enum": [ "auto", "config", "supervised", "native", "legacy" ], "type": "string" }, "connect_timeout": { "default": 30, "description": "A timeout (in seconds) a replica waits when trying to connect to a master in a cluster.\n\nThis parameter is different from replication.timeout, which a master uses to disconnect a replica when the master receives no acknowledgments of heartbeat messages.", "type": "number" }, "election_fencing_mode": { "default": "soft", "description": "Specifies the leader fencing mode that affects the leader election process. When the parameter is set to soft or strict, the leader resigns its leadership if it has less than replication.synchro_quorum of alive connections to the cluster nodes. The resigning leader receives the status of a follower in the current election term and becomes read-only.\n\n- In `soft` mode, a connection is considered dead if there are no responses for 4 * `replication.timeout` seconds both on the current leader and the followers.\n- In `strict` mode, a connection is considered dead if there are no responses for 2 * `replication.timeout` seconds on the current leader and 4 * `replication.timeout` seconds on the followers. This improves the chances that there is only one leader at any time.\n\nFencing applies to the instances that have the `replication.election_mode` set to `candidate` or `manual`. To turn off leader fencing, set `election_fencing_mode` to off.", "enum": [ "off", "soft", "strict" ], "type": "string" }, "election_mode": { "default": null, "description": "A role of a replica set node in the leader election process.\n\nThe possible values are:\n\n- `off`: a node doesn't participate in the election activities.\n- `voter`: a node can participate in the election process but can't be a leader.\n- `candidate`: a node should be able to become a leader.\n- `manual`: allow to control which instance is the leader explicitly instead of relying on automated leader election. By default, the instance acts like a voter - it is read-only and may vote for other candidate instances. Once `box.ctl.promote()` is called, the instance becomes a candidate and starts a new election round. If the instance wins the elections, it becomes a leader but won't participate in any new elections.", "enum": [ "off", "voter", "manual", "candidate" ], "type": "string" }, "election_timeout": { "default": 5, "description": "Specifies the timeout (in seconds) between election rounds in the leader election process if the previous round ended up with a split vote.\n\nIt is quite big, and for most of the cases, it can be lowered to 300-400 ms.\n\nTo avoid the split vote repeat, the timeout is randomized on each node during every new election, from 100% to 110% of the original timeout value. For example, if the timeout is 300 ms and there are 3 nodes started the election simultaneously in the same term, they can set their election timeouts to 300, 310, and 320 respectively, or to 305, 302, and 324, and so on. In that way, the votes will never be split because the election on different nodes won't be restarted simultaneously.", "type": "number" }, "failover": { "default": "off", "description": "A failover mode used to take over a master role when the current master instance fails. The following modes are available:\n\n- `off`: Leadership in a replica set is controlled using the `database.mode` option. In this case, you can set the `database.mode` option to rw on all instances in a replica set to make a master-master configuration.\n- `manual`: Leadership in a replica set is controlled using the `.leader` option. In this case, a master-master configuration is forbidden.\n- `election`: Automated leader election is used to control leadership in a replica set.\n- `supervised`: (Enterprise Edition only) Leadership in a replica set is controlled using an external failover coordinator.\n\nNotes:\n\nIn the `off` mode, the default `database.mode` is determined as follows: `rw` if there is onecinstance in a replica set; `ro` if there are several instances.\n\nIn the `manual` mode, the `database.mode` option cannot be set explicitly. The leader is configured in the read-write mode, all the other instances are read-only.\n\nIn the `election` mode and the `supervised` mode, `database.mode` and `.leader` shouldn't be set explicitly.", "enum": [ "off", "manual", "election", "supervised" ], "type": "string" }, "linearizable_quorum": { "default": "N - Q + 1", "description": "A number of replicas to synchronize with before performing linearizable transaction.\n\nLinearizable transactions guarantee that if a write operation completes before a read operation begins, then this read will always observe the effects of that write. To ensure this, the node executing a linearizable transaction must obtain information from enough remote peers to determine the most up-to-date state of the replica set. That number of peers can be configured with this option.\n\nBy default, the linearizable quorum is evaluated dynamically as `N - Q + 1`, where: `N` - the current number of registered replicas in the replica set, `Q` - the current value of `replication.synchro_quorum`.\n\nThis default guarantees quorum intersection between synchronous writes and linearizable reads (`R + Q = N + 1`), which is a fundamental requirement for linearizability.\n\nNote: To begin a linearizable transaction, the MVCC must be enabled and `txn_isolation` must be set to `linearizable`, the transaction can only perform requests to synchronous, local or temporary spaces.", "type": [ "string", "number" ] }, "peers": { "default": null, "description": "URIs of instances that constitute a replica set. These URIs are used by an instance to connect to another instance as a replica.\n\nAlternatively, you can use iproto.advertise.peer to specify a URI used to advertise the current instance to other cluster members.", "items": { "description": "Specifies the URI of the instance.\n\nFor example: `replicator:topsecret@127.0.0.1:3301`.", "type": "string" }, "type": "array" }, "reconnect_timeout": { "default": null, "description": "The timeout (in seconds) between attempts to reconnect to a master in case of connection failure. Default is box.NULL. If the option is set to box.NULL, then it equals to replication_timeout.", "type": "number" }, "skip_conflict": { "default": false, "description": "By default, if a replica adds a unique key that another replica has added, replication stops with the `ER_TUPLE_FOUND` error. If `replication.skip_conflict` is set to `true`, such errors are ignored.", "type": "boolean" }, "sync_lag": { "default": 10, "description": "The maximum delay (in seconds) between the time when data is written to the master and the time when it is written to a replica.\n\nIf a replica should remain in the synched status disregarding of the network delay, set this option to a large value.", "type": "number" }, "sync_timeout": { "default": null, "description": "The timeout (in seconds) that a node waits when trying to sync with other nodes in a replica set after connecting or during a configuration update. This could fail indefinitely if `replication.sync_lag` is smaller than network latency, or if the replica cannot keep pace with master updates. If `replication.sync_timeout` expires, the replica enters `orphan` status.", "type": "number" }, "synchro_queue_max_size": { "default": 16777216, "description": "Puts a limit on the number of transactions in the master synchronous queue.\n\n`replication.synchro_queue_max_size` is measured in number of bytes to be written (0 means unlimited, which was the default behaviour before). This option affects only the behavior of the master, and defaults to 16 megabytes.\n\nNow that `replication.synchro_queue_max_size` is set on the master node, tarantool will discard new transactions that try to queue after the limit is reached. If a transaction had to be discarded, user will get an error message \"The synchronous transaction queue is full\".\n\nThis limitation does not apply during the recovery process.", "type": "integer" }, "synchro_quorum": { "default": "N / 2 + 1", "description": "A number of replicas that should confirm the receipt of a synchronous transaction before it can finish its commit.\n\nThis option supports dynamic evaluation of the quorum number. For example, the default value is `N / 2 + 1` where `N` is the current number of replicas registered in a replica set. Once any replicas are added or removed, the expression is re-evaluated automatically.\n\nNote that the default value (`at least 50% of the replica set size + 1`) guarantees data reliability. Using a value less than the canonical one might lead to unexpected results, including a split-brain.\n\n`replication.synchro_quorum` is not used on replicas. If the master fails, the pending synchronous transactions will be kept waiting on the replicas until a new master is elected.", "type": [ "string", "number" ] }, "synchro_timeout": { "default": 5, "description": "For synchronous replication only. Specify how many seconds to wait for a synchronous transaction quorum replication until it is declared failed and is rolled back.\n\nIt is not used on replicas, so if the master fails, the pending synchronous transactions will be kept waiting on the replicas until a new master is elected.", "type": "number" }, "threads": { "default": 1, "description": "The number of threads spawned to decode the incoming replication data.\n\nIn most cases, one thread is enough for all incoming data. Possible values range from 1 to 1000. If there are multiple replication threads, connections to serve are distributed evenly between the threads.", "type": "integer" }, "timeout": { "default": 1, "description": "A time interval (in seconds) used by a master to send heartbeat requests to a replica when there are no updates to send to this replica. For each request, a replica should return a heartbeat acknowledgment.\n\nIf a master or replica gets no heartbeat message for `4 * replication.timeout` seconds, a connection is dropped and a replica tries to reconnect to the master.", "type": "number" } }, "type": "object" }, "roles": { "description": "Specify the roles of an instance. To specify a role's configuration, use the roles_cfg option.", "items": { "description": "The name of a role, corresponding to the module name used in the `require` call to load the role.", "type": "string" }, "type": "array" }, "roles_cfg": { "additionalProperties": { "description": "Configuration of the given role." }, "description": "Specify a role's configuration. This option accepts a role name as the key and a role's configuration as the value. To specify the roles of an instance, use the roles option.", "type": "object" }, "security": { "additionalProperties": false, "description": "This section defines configuration parameters related to various security settings.", "properties": { "auth_delay": { "default": 0, "description": "Specify a period of time (in seconds) that a specific user should wait for the next attempt after failed authentication.\n\nThe `security.auth_retries` option lets a client try to authenticate the specified number of times before `security.auth_delay` is enforced.", "type": "number" }, "auth_retries": { "default": 0, "description": "Specify the maximum number of authentication retries allowed before `security.auth_delay` is enforced. The default value is 0, which means `security.auth_delay` is enforced after the first failed authentication attempt.\n\nThe retry counter is reset after `security.auth_delay` seconds since the first failed attempt. For example, if a client tries to authenticate fewer than `security.auth_retries` times within `security.auth_delay` seconds, no authentication delay is enforced. The retry counter is also reset after any successful authentication attempt.", "type": "integer" }, "auth_type": { "default": "chap-sha1", "description": "Specify a protocol used to authenticate users. The possible values are:\n\n- `chap-sha1`: use the CHAP protocol with SHA-1 hashing applied to passwords.\n- `pap-sha256`: use PAP authentication with the SHA256 hashing algorithm.\n\nNote that CHAP stores password hashes in the `_user` space unsalted. If an attacker gains access to the database, they may crack a password, for example, using a rainbow table. For PAP, a password is salted with a user-unique salt before saving it in the database, which keeps the database protected from cracking using a rainbow table.", "enum": [ "chap-sha1", "pap-sha256" ], "type": "string" }, "disable_guest": { "default": false, "description": "If `true`, turn off access over remote connections from unauthenticated or guest users. This option affects connections between cluster members and `net.box` connections.", "type": "boolean" }, "password_enforce_digits": { "default": false, "description": "If true, a password should contain digits (0-9).", "type": "boolean" }, "password_enforce_lowercase": { "default": false, "description": "If true, a password should contain lowercase letters (a-z).", "type": "boolean" }, "password_enforce_specialchars": { "default": false, "description": "If true, a password should contain at least one special character (such as &|?!@$).", "type": "boolean" }, "password_enforce_uppercase": { "default": false, "description": "If true, a password should contain uppercase letters (A-Z).", "type": "boolean" }, "password_history_length": { "default": 0, "description": "Specify the number of unique new user passwords before an old password can be reused. Note tarantool uses the auth_history field in the `box.space._user` system space to store user passwords.", "type": "integer" }, "password_lifetime_days": { "default": 0, "description": "Specify the maximum period of time (in days) a user can use the same password. When this period ends, a user gets the \"Password expired\" error on a login attempt. To restore access for such users, use `box.schema.user.passwd`.", "type": "integer" }, "password_min_length": { "default": 0, "description": "Specify the minimum number of characters for a password.", "type": "integer" }, "secure_erasing": { "default": false, "description": "If `true`, forces Tarantool to overwrite a data file a few times before deletion to render recovery of a deleted file impossible. The option applies to both `.xlog` and `.snap` files as well as Vinyl data files.", "type": "boolean" } }, "type": "object" }, "sharding": { "additionalProperties": false, "description": "This section defines configuration parameters related to sharding.", "properties": { "bucket_count": { "default": 3000, "description": "The total number of buckets in a cluster.", "type": "integer" }, "connection_outdate_delay": { "description": "Time to outdate old objects on reload.", "type": "number" }, "discovery_mode": { "default": "on", "description": "A mode of the background discovery fiber used by the router to find buckets.", "enum": [ "on", "off", "once" ], "type": "string" }, "failover_ping_timeout": { "default": 5, "description": "The timeout (in seconds) after which a node is considered unavailable if there are no responses during this period. The failover fiber is used to detect if a node is down.", "type": "number" }, "lock": { "description": "Whether a replica set is locked. A locked replica set cannot receive new buckets nor migrate its own buckets.", "type": "boolean" }, "rebalancer_disbalance_threshold": { "default": 1, "description": "The maximum bucket disbalance threshold (in percent). The disbalance is calculated for each replica set using the following formula:\n\n`|etalon_bucket_count - real_bucket_count| / etalon_bucket_count * 100`", "type": "number" }, "rebalancer_max_receiving": { "default": 100, "description": "The maximum number of buckets that can be received in parallel by a single replica set. This number must be limited because the rebalancer sends a large number of buckets from the existing replica sets to the newly added one. This produces a heavy load on the new replica set.", "type": "integer" }, "rebalancer_max_sending": { "default": 1, "description": "The degree of parallelism for parallel rebalancing.", "type": "integer" }, "rebalancer_mode": { "default": "auto", "description": "Configure how a rebalancer is selected:\n\n- `auto` (default): if there are no replica sets with the rebalancer sharding role (`sharding.roles`), a replica set with the rebalancer is selected automatically among all replica sets.\n- `manual`: one of the replica sets should have the rebalancer sharding role. The rebalancer is in this replica set.\n- `off`: rebalancing is turned off regardless of whether a replica set with the rebalancer sharding role exists or not.", "enum": [ "manual", "auto", "off" ], "type": "string" }, "roles": { "description": "Roles of a replica set in regard to sharding. A replica set can have the following roles:\n\n- `router`: a replica set acts as a router.\n- `storage`: a replica set acts as a storage.\n- `rebalancer`: a replica set acts as a rebalancer.\n\nThe rebalancer role is optional. If it is not specified, a rebalancer is selected automatically from the master instances of replica sets.\n\nThere can be at most one replica set with the rebalancer role. Additionally, this replica set should have a `storage` role.", "items": { "description": "Sharding role: router, storage or rebalancer.", "enum": [ "router", "storage", "rebalancer" ], "type": "string" }, "type": "array", "uniqueItems": true }, "sched_move_quota": { "default": 1, "description": "A scheduler's bucket move quota used by the rebalancer.\n\n`sched_move_quota` defines how many bucket moves can be done in a row if there are pending storage refs. Then, bucket moves are blocked and a router continues making map-reduce requests.", "type": "number" }, "sched_ref_quota": { "default": 300, "description": "A scheduler's storage ref quota used by a router's map-reduce API. For example, the `vshard.router.map_callrw()` function implements consistent map-reduce over the entire cluster.\n\n`sched_ref_quota` defines how many storage refs, therefore map-reduce requests, can be executed on the storage in a row if there are pending bucket moves. Then, storage refs are blocked and the rebalancer continues bucket moves.", "type": "number" }, "shard_index": { "default": "bucket_id", "description": "The name or ID of a TREE index over the bucket id. Spaces without this index do not participate in a sharded Tarantool cluster and can be used as regular spaces if needed. It is necessary to specify the first part of the index, other parts are optional.", "type": "string" }, "sync_timeout": { "default": 1, "description": "The timeout to wait for synchronization of the old master with replicas before demotion. Used when switching a master or when manually calling the `sync()` function.", "type": "number" }, "weight": { "default": 1, "description": "The relative amount of data that a replica set can store.", "type": "number" }, "zone": { "description": "A zone that can be set for routers and replicas. This allows sending read-only requests not only to a master instance but to any available replica that is the nearest to the router.", "type": "integer" } }, "type": "object" }, "snapshot": { "additionalProperties": false, "description": "This section defines configuration parameters related to the snapshot files.", "properties": { "by": { "additionalProperties": false, "description": "An object containing configuration options that specify the conditions under which automatic snapshots are created by the checkpoint daemon. This includes settings like `interval` for time-based snapshots and `wal_size` for snapshots triggered when the total size of WAL files exceeds a certain threshold.", "properties": { "interval": { "default": 3600, "description": "The interval in seconds between actions by the checkpoint daemon. If the option is set to a value greater than zero, and there is activity that causes change to a database, then the checkpoint daemon calls `box.snapshot()` every `snapshot.by.interval` seconds, creating a new snapshot file each time. If the option is set to zero, the checkpoint daemon is disabled.", "type": "number" }, "wal_size": { "default": 1e+18, "description": "The threshold for the total size in bytes for all WAL files created since the last snapshot taken. Once the configured threshold is exceeded, the WAL thread notifies the checkpoint daemon that it must make a new snapshot and delete old WAL files.", "type": "integer" } }, "type": "object" }, "count": { "default": 2, "description": "The maximum number of snapshots that are stored in the `snapshot.dir` directory. If the number of snapshots after creating a new one exceeds this value, the Tarantool garbage collector deletes old snapshots. If `snapshot.count` is set to zero, the garbage collector does not delete old snapshots.", "type": "integer" }, "dir": { "default": "var/lib/{{ instance_name }}", "description": "A directory where memtx stores snapshot (`.snap`) files. A relative path in this option is interpreted as relative to `process.work_dir`.\n\nBy default, snapshots and WAL files are stored in the same directory. However, you can set different values for the `snapshot.dir` and `wal.dir` options to store them on different physical disks for performance matters.", "type": "string" }, "snap_io_rate_limit": { "default": null, "description": "Reduce the throttling effect of `box.snapshot()` on `INSERT/UPDATE/DELETE` performance by setting a limit on how many megabytes per second it can write to disk. The same can be achieved by splitting `wal.dir` and `snapshot.dir` locations and moving snapshots to a separate disk. The limit also affects what `box.stat.vinyl().regulator` may show for the write rate of dumps to `.run` and `.index` files.", "type": "number" } }, "type": "object" }, "sql": { "additionalProperties": false, "description": "This section defines configuration parameters related to SQL.", "properties": { "cache_size": { "default": 5242880, "description": "The maximum cache size (in bytes) for all SQL prepared statements. To see the actual cache size, use `box.info.sql().cache.size`.", "type": "integer" } }, "type": "object" }, "stateboard": { "additionalProperties": false, "description": "These options define configuration parameters related to the stateboard service allowing Tarantool instances to report their state into some extra key-value storage (e.g. etcd or Tarantool config.storage).\n\nAn instance with an enabled stateboard reports its status to `/state/by-name/{{ instance_name }}` where prefix is received from the `config.*.prefix` option. The provided information is in YAML format with the following fields:\n\n- `hostname` (`string`): hostname.\n- `pid` (`integer`): Tarantool process ID.\n- `mode` (`'ro'` or `'rw'`): instance mode (see `box.info.ro`).\n- `ro_reason` (`string`): the reason why the instance is read-only (see `box.info.ro_reason`).\n- `status` (`string`): instance status (see `box.info.status` for possible values and their description).", "properties": { "enabled": { "default": false, "description": "Enable or disable the stateboard service.", "type": "boolean" }, "keepalive_interval": { "default": 10, "description": "A time interval (in seconds) that specifies how long a transient state information is stored.", "type": "number" }, "renew_interval": { "default": 2, "description": "A time interval (in seconds) that specifies how often a Tarantool instance writes its state information to the stateboard.", "type": "number" } }, "type": "object" }, "threads": { "additionalProperties": false, "description": "The `threads` section defines configuration parameters related to application threads.", "properties": { "groups": { "description": "An array of thread groups.", "items": { "additionalProperties": false, "description": "Thread group definition.", "properties": { "name": { "description": "Thread group name.\n\nEach thread group must have a unique name. The name \"tx\" must not be used because it is reserved for the main thread.", "type": "string" }, "size": { "description": "Number of threads in the group.", "type": "integer" } }, "type": "object" }, "type": "array" } }, "type": "object" }, "vinyl": { "additionalProperties": false, "description": "This section defines configuration parameters related to the vinyl storage engine.", "properties": { "bloom_fpr": { "default": 0.05, "description": "A bloom filter's false positive rate - the suitable probability of the bloom filter to give a wrong result. The `vinyl.bloom_fpr` setting is a default value for the bloom_fpr option passed to `space_object:create_index()`.", "type": "number" }, "cache": { "default": 134217728, "description": "The cache size for the vinyl storage engine. The cache can be resized dynamically.", "type": "integer" }, "defer_deletes": { "default": false, "description": "Enable the deferred DELETE optimization in vinyl. It was disabled by default since Tarantool version 2.10 to avoid possible performance degradation of secondary index reads.", "type": "boolean" }, "dir": { "default": "var/lib/{{ instance_name }}", "description": "A directory where vinyl files or subdirectories will be stored. This option may contain a relative file path. In this case, it is interpreted as relative to `process.work_dir`.", "type": "string" }, "max_tuple_size": { "default": 1048576, "description": "The size of the largest allocation unit, for the vinyl storage engine. It can be increased if it is necessary to store large tuples.", "type": "integer" }, "memory": { "default": 134217728, "description": "The maximum number of in-memory bytes that vinyl uses.", "type": "integer" }, "page_size": { "default": 8192, "description": "The page size. A page is a read/write unit for vinyl disk operations. The `vinyl.page_size` setting is a default value for the page_size option passed to `space_object:create_index()`.", "type": "integer" }, "range_size": { "default": null, "description": "The default maximum range size for a vinyl index, in bytes. The maximum range size affects the decision of whether to split a range.\n\nIf `vinyl.range_size` is specified (but the value is not null or 0), then it is used as the default value for the range_size option passed to `space_object:create_index()`.\n\nIf `vinyl.range_size` is not specified (or is explicitly set to null or 0), and `range_size` is not specified when the index is created, then Tarantool sets a value later depending on performance considerations. To see the actual value, use `index_object:stat().range_size`.", "type": "integer" }, "read_threads": { "default": 1, "description": "The maximum number of read threads that vinyl can use for concurrent operations, such as I/O and compression.", "type": "integer" }, "run_count_per_level": { "default": 2, "description": "The maximum number of runs per level in the vinyl LSM tree. If this number is exceeded, a new level is created. The `vinyl.run_count_per_level` setting is a default value for the run_count_per_level option passed to `space_object:create_index()`.", "type": "integer" }, "run_size_ratio": { "default": 3.5, "description": "The ratio between the sizes of different levels in the LSM tree. The `vinyl.run_size_ratio` setting is a default value for the run_size_ratio option passed to `space_object:create_index()`.", "type": "number" }, "timeout": { "default": 60, "description": "The vinyl storage engine has a scheduler that performs compaction. When vinyl is low on available memory, the compaction scheduler may be unable to keep up with incoming update requests. In that situation, queries may time out after vinyl.timeout seconds. This should rarely occur, since normally vinyl throttles inserts when it is running low on compaction bandwidth. Compaction can also be initiated manually with `index_object:compact()`.", "type": "number" }, "write_threads": { "default": 4, "description": "The maximum number of write threads that vinyl can use for some concurrent operations, such as I/O and compression.", "type": "integer" } }, "type": "object" }, "wal": { "additionalProperties": false, "description": "This section defines configuration parameters related to write-ahead log.", "properties": { "cleanup_delay": { "description": "The delay in seconds used to prevent the Tarantool garbage collector from immediately removing write-ahead log files after a node restart. This delay eliminates possible erroneous situations when the master deletes WALs needed by replicas after restart. As a consequence, replicas sync with the master faster after its restart and don't need to download all the data again. Once all the nodes in the replica set are up and running, a scheduled garbage collection is started again even if `wal.cleanup_delay` has not expired.", "type": "number" }, "dir": { "default": "var/lib/{{ instance_name }}", "description": "A directory where write-ahead log (`.xlog`) files are stored. A relative path in this option is interpreted as relative to `process.work_dir`.\n\nBy default, WAL files and snapshots are stored in the same directory. However, you can set different values for the `wal.dir` and `snapshot.dir` options to store them on different physical disks for performance matters.", "type": "string" }, "dir_rescan_delay": { "default": 2, "description": "The time interval in seconds between periodic scans of the write-ahead-log file directory, when checking for changes to write-ahead-log files for the sake of replication or hot standby.", "type": "number" }, "ext": { "additionalProperties": false, "default": null, "description": "This section describes options related to WAL extensions.", "properties": { "new": { "description": "Enable storing a new tuple for each CRUD operation performed. The option is in effect for all spaces. To adjust the option for specific spaces, use the `wal.ext.spaces` option.", "type": "boolean" }, "old": { "description": "Enable storing an old tuple for each CRUD operation performed. The option is in effect for all spaces. To adjust the option for specific spaces, use the `wal.ext.spaces` option.", "type": "boolean" }, "spaces": { "additionalProperties": { "additionalProperties": false, "description": "Per-space WAL extensions configuration.", "properties": { "new": { "default": false, "description": "Enable storing a new tuple for each CRUD operation performed. The option is in effect for all spaces. To adjust the option for specific spaces, use the `wal.ext.spaces` option.", "type": "boolean" }, "old": { "default": false, "description": "Enable storing an old tuple for each CRUD operation performed. The option is in effect for all spaces. To adjust the option for specific spaces, use the `wal.ext.spaces` option.", "type": "boolean" } }, "type": "object" }, "description": "Enable or disable storing an old and new tuple in the WAL record for a given space explicitly. The configuration for specific spaces has priority over the configuration in the `wal.ext.new` and `wal.ext.old` options.\n\nThe option is a key-value pair:\n\n- The key is a space name (string).\n- The value is a table that includes two optional boolean options: `old` and `new`. The format and the default value of these options are described in `wal.ext.old` and `wal.ext.new`.", "type": "object" } }, "type": "object" }, "max_size": { "default": 268435456, "description": "The maximum number of bytes in a single write-ahead log file. When a request would cause an `.xlog` file to become larger than `wal.max_size`, Tarantool creates a new WAL file.", "type": "integer" }, "mode": { "default": "write", "description": "Specify fiber-WAL-disk synchronization mode as:\n\n- `none`: write-ahead log is not maintained. A node with `wal.mode` set to `none` can't be a replication master.\n- `write`: fibers wait for their data to be written to the write-ahead log (no `fsync(2)`).\n- `fsync`: fibers wait for their data, `fsync(2)` follows each `write(2)`.", "enum": [ "none", "write", "fsync" ], "type": "string" }, "queue_max_size": { "default": 16777216, "description": "The size of the queue in bytes used by a replica to submit new transactions to a write-ahead log (WAL). This option helps limit the rate at which a replica submits transactions to the WAL. Limiting the queue size might be useful when a replica is trying to sync with a master and reads new transactions faster than writing them to the WAL.", "type": "integer" }, "retention_period": { "default": 0, "description": "The delay in seconds used to prevent the Tarantool garbage collector from removing a write-ahead log file after it has been closed. If a node is restarted, `wal.retention_period` counts down from the last modification time of the write-ahead log file.\n\nThe garbage collector doesn't track write-ahead logs that are to be relayed to anonymous replicas, such as:\n\n- Anonymous replicas added as a part of a cluster configuration (see `replication.anon`).\n- CDC (Change Data Capture) that retrieves data using anonymous replication.\n\nIn case of a replica or CDC downtime, the required write-ahead logs can be removed. As a result, such a replica needs to be rebootstrapped. You can use wal.retention_period to prevent such issues.\n\nNote that `wal.cleanup_delay` option also sets the delay used to prevent the Tarantool garbage collector from removing write-ahead logs. The difference is that the garbage collector doesn't take into account `wal.cleanup_delay` if all the nodes in the replica set are up and running, which may lead to the removal of the required write-ahead logs.", "type": "number" } }, "type": "object" } }, "type": "object" }, "description": "Replica sets that belong to this group.", "type": "object" }, "replication": { "additionalProperties": false, "description": "This section defines configuration parameters related to replication.", "properties": { "anon": { "default": false, "description": "Whether to make the current instance act as an anonymous replica. Anonymous replicas are read-only and can be used, for example, for backups.\n\nTo make the specified instance act as an anonymous replica, set `replication.anon` to `true`.\n\nAnonymous replicas are not displayed in the `box.info.replication` section. You can check their status using `box.info.replication_anon()`.\n\nWhile anonymous replicas are read-only, you can write data to replication-local and temporary spaces (created with `is_local = true` and `temporary = true`, respectively). Given that changes to replication-local spaces are allowed, an anonymous replica might increase the 0 component of the vclock value.\n\nHere are the limitations of having anonymous replicas in a replica set:\n\n- A replica set must contain at least one non-anonymous instance.\n- An anonymous replica can't be configured as a writable instance by setting database.mode to rw or making it a leader using `.leader.`\n- If `replication.failover` is set to election, an anonymous replica can have `replication.election_mode` set to `off` only.\n- If `replication.failover` is set to `supervised`, an external failover coordinator doesn't consider anonymous replicas when selecting a bootstrap or replica set leader.", "type": "boolean" }, "anon_ttl": { "default": 3600, "description": "Time-to-live (in seconds) of disconnected anonymous replicas (see `replication.anon` for the definition of anonymous replica). If an anonymous replica hasn't been in touch for longer than `replication.anon_ttl`, it is removed from the instance.", "type": "number" }, "autoexpel": { "additionalProperties": false, "description": "Automatically expel instances.\n\nThe option is useful for management of dynamic clusters using the YAML configuration. The option allows to automatically expel instances that are removed from the YAML configuration.\n\nOnly instances whose names start from the given prefix are taken into account, all the others are ignored. Also, instances without a persistent name set are ignored too.\n\nIf an instance is in read-write mode and has a latest database schema, it performs expelling of the instances:\n\n- with the given prefix, *and*\n- not present in the YAML configuration.\n\nThe expelling process the usual one: deletion from the `_cluster` system space.\n\nThe autoexpel logic works on startup and reacts on the reconfiguration and the `box.status` watcher event. If a new instance is joined and neither of these two events occur, autoexpel does not perform any actions on it. In other words, it doesn't forbid joining of an instance that met the autoexpel criterion.\n\nThe option is allowed on the `replicaset`, `group` and `global` levels, but forbidden on the `instance` level of the cluster configuration.", "properties": { "by": { "description": "The autoexpel criterion: it defines how to determine that an instance is part of the cluster configuration and is not an external service that uses the replication channel (such as a CDC tool).\n\nNow, only `replication.autoexpel.by` = `prefix` criterion is supported. A user have to set it explicitly.\n\nIn future we can provide other criteria and set one of them as default.", "enum": [ "prefix" ], "type": "string" }, "enabled": { "default": false, "description": "Determines, whether the autoexpelling logic is enabled at all. If the option is set, `replication.autoexpel.by` and `replication.autoexpel.prefix` are required.", "type": "boolean" }, "prefix": { "description": "Defines a pattern for instance names that are considered a part of the cluster (not some external services).\n\nFor example, if all the instances in the cluster configuration are prefixed with the replica set name, one can use `replication.autoexpel.prefix` = '{{ replicaset_name }}'`.\n\nIf all the instances follow the `i-\\d\\d\\d` pattern, the option can be set to `i-`.", "type": "string" } }, "type": "object" }, "bootstrap_strategy": { "default": "auto", "description": "Specifies a strategy used to bootstrap a replica set. The following strategies are available:\n\n- `auto`: a node doesn't boot if half or more of the other nodes in a replica set are not connected. For example, if a replica set contains 2 or 3 nodes, a node requires 2 connected instances. In the case of 4 or 5 nodes, at least 3 connected instances are required. Moreover, a bootstrap leader fails to boot unless every connected node has chosen it as a bootstrap leader.\n- `config`: use the specified node to bootstrap a replica set. To specify the bootstrap leader, use the `.bootstrap_leader` option.\n- `supervised`: a bootstrap leader isn't chosen automatically but should be appointed using `box.ctl.make_bootstrap_leader()` on the desired node. The bootstrap leader management is in the user's responsibility unless the failover coordinator is in use (replication.failover = supervised).\n- `native`: the bootstrap leader management is performed by config's code in sync with the RO/RW management (the algorithm depends on replication.failover). If replication.failover = supervised, then the failover coordinator manages the bootstrap leader.\n\nThis strategy is similar to `auto` from the user perspective: everything is handled by tarantool (or coordinator) on its own. However, it is based on the modern `supervised` strategy, which allows to overcome some limitations. - `legacy` (deprecated since 2.11.0): a node requires the `replication_connect_quorum` number of other nodes to be connected. This option is added to keep the compatibility with the current versions of Cartridge and might be removed in the future.\n\nNote: when using bootstrap strategies `supervised` or `native` with a supervised failover (see `replication.failover` configuration option) Tarantool automatically grants the guest user privileges allowing to execute the internal `failover.execute` call for performing the initial cluster bootstrap.", "enum": [ "auto", "config", "supervised", "native", "legacy" ], "type": "string" }, "connect_timeout": { "default": 30, "description": "A timeout (in seconds) a replica waits when trying to connect to a master in a cluster.\n\nThis parameter is different from replication.timeout, which a master uses to disconnect a replica when the master receives no acknowledgments of heartbeat messages.", "type": "number" }, "election_fencing_mode": { "default": "soft", "description": "Specifies the leader fencing mode that affects the leader election process. When the parameter is set to soft or strict, the leader resigns its leadership if it has less than replication.synchro_quorum of alive connections to the cluster nodes. The resigning leader receives the status of a follower in the current election term and becomes read-only.\n\n- In `soft` mode, a connection is considered dead if there are no responses for 4 * `replication.timeout` seconds both on the current leader and the followers.\n- In `strict` mode, a connection is considered dead if there are no responses for 2 * `replication.timeout` seconds on the current leader and 4 * `replication.timeout` seconds on the followers. This improves the chances that there is only one leader at any time.\n\nFencing applies to the instances that have the `replication.election_mode` set to `candidate` or `manual`. To turn off leader fencing, set `election_fencing_mode` to off.", "enum": [ "off", "soft", "strict" ], "type": "string" }, "election_mode": { "default": null, "description": "A role of a replica set node in the leader election process.\n\nThe possible values are:\n\n- `off`: a node doesn't participate in the election activities.\n- `voter`: a node can participate in the election process but can't be a leader.\n- `candidate`: a node should be able to become a leader.\n- `manual`: allow to control which instance is the leader explicitly instead of relying on automated leader election. By default, the instance acts like a voter - it is read-only and may vote for other candidate instances. Once `box.ctl.promote()` is called, the instance becomes a candidate and starts a new election round. If the instance wins the elections, it becomes a leader but won't participate in any new elections.", "enum": [ "off", "voter", "manual", "candidate" ], "type": "string" }, "election_timeout": { "default": 5, "description": "Specifies the timeout (in seconds) between election rounds in the leader election process if the previous round ended up with a split vote.\n\nIt is quite big, and for most of the cases, it can be lowered to 300-400 ms.\n\nTo avoid the split vote repeat, the timeout is randomized on each node during every new election, from 100% to 110% of the original timeout value. For example, if the timeout is 300 ms and there are 3 nodes started the election simultaneously in the same term, they can set their election timeouts to 300, 310, and 320 respectively, or to 305, 302, and 324, and so on. In that way, the votes will never be split because the election on different nodes won't be restarted simultaneously.", "type": "number" }, "failover": { "default": "off", "description": "A failover mode used to take over a master role when the current master instance fails. The following modes are available:\n\n- `off`: Leadership in a replica set is controlled using the `database.mode` option. In this case, you can set the `database.mode` option to rw on all instances in a replica set to make a master-master configuration.\n- `manual`: Leadership in a replica set is controlled using the `.leader` option. In this case, a master-master configuration is forbidden.\n- `election`: Automated leader election is used to control leadership in a replica set.\n- `supervised`: (Enterprise Edition only) Leadership in a replica set is controlled using an external failover coordinator.\n\nNotes:\n\nIn the `off` mode, the default `database.mode` is determined as follows: `rw` if there is onecinstance in a replica set; `ro` if there are several instances.\n\nIn the `manual` mode, the `database.mode` option cannot be set explicitly. The leader is configured in the read-write mode, all the other instances are read-only.\n\nIn the `election` mode and the `supervised` mode, `database.mode` and `.leader` shouldn't be set explicitly.", "enum": [ "off", "manual", "election", "supervised" ], "type": "string" }, "linearizable_quorum": { "default": "N - Q + 1", "description": "A number of replicas to synchronize with before performing linearizable transaction.\n\nLinearizable transactions guarantee that if a write operation completes before a read operation begins, then this read will always observe the effects of that write. To ensure this, the node executing a linearizable transaction must obtain information from enough remote peers to determine the most up-to-date state of the replica set. That number of peers can be configured with this option.\n\nBy default, the linearizable quorum is evaluated dynamically as `N - Q + 1`, where: `N` - the current number of registered replicas in the replica set, `Q` - the current value of `replication.synchro_quorum`.\n\nThis default guarantees quorum intersection between synchronous writes and linearizable reads (`R + Q = N + 1`), which is a fundamental requirement for linearizability.\n\nNote: To begin a linearizable transaction, the MVCC must be enabled and `txn_isolation` must be set to `linearizable`, the transaction can only perform requests to synchronous, local or temporary spaces.", "type": [ "string", "number" ] }, "peers": { "default": null, "description": "URIs of instances that constitute a replica set. These URIs are used by an instance to connect to another instance as a replica.\n\nAlternatively, you can use iproto.advertise.peer to specify a URI used to advertise the current instance to other cluster members.", "items": { "description": "Specifies the URI of the instance.\n\nFor example: `replicator:topsecret@127.0.0.1:3301`.", "type": "string" }, "type": "array" }, "reconnect_timeout": { "default": null, "description": "The timeout (in seconds) between attempts to reconnect to a master in case of connection failure. Default is box.NULL. If the option is set to box.NULL, then it equals to replication_timeout.", "type": "number" }, "skip_conflict": { "default": false, "description": "By default, if a replica adds a unique key that another replica has added, replication stops with the `ER_TUPLE_FOUND` error. If `replication.skip_conflict` is set to `true`, such errors are ignored.", "type": "boolean" }, "sync_lag": { "default": 10, "description": "The maximum delay (in seconds) between the time when data is written to the master and the time when it is written to a replica.\n\nIf a replica should remain in the synched status disregarding of the network delay, set this option to a large value.", "type": "number" }, "sync_timeout": { "default": null, "description": "The timeout (in seconds) that a node waits when trying to sync with other nodes in a replica set after connecting or during a configuration update. This could fail indefinitely if `replication.sync_lag` is smaller than network latency, or if the replica cannot keep pace with master updates. If `replication.sync_timeout` expires, the replica enters `orphan` status.", "type": "number" }, "synchro_queue_max_size": { "default": 16777216, "description": "Puts a limit on the number of transactions in the master synchronous queue.\n\n`replication.synchro_queue_max_size` is measured in number of bytes to be written (0 means unlimited, which was the default behaviour before). This option affects only the behavior of the master, and defaults to 16 megabytes.\n\nNow that `replication.synchro_queue_max_size` is set on the master node, tarantool will discard new transactions that try to queue after the limit is reached. If a transaction had to be discarded, user will get an error message \"The synchronous transaction queue is full\".\n\nThis limitation does not apply during the recovery process.", "type": "integer" }, "synchro_quorum": { "default": "N / 2 + 1", "description": "A number of replicas that should confirm the receipt of a synchronous transaction before it can finish its commit.\n\nThis option supports dynamic evaluation of the quorum number. For example, the default value is `N / 2 + 1` where `N` is the current number of replicas registered in a replica set. Once any replicas are added or removed, the expression is re-evaluated automatically.\n\nNote that the default value (`at least 50% of the replica set size + 1`) guarantees data reliability. Using a value less than the canonical one might lead to unexpected results, including a split-brain.\n\n`replication.synchro_quorum` is not used on replicas. If the master fails, the pending synchronous transactions will be kept waiting on the replicas until a new master is elected.", "type": [ "string", "number" ] }, "synchro_timeout": { "default": 5, "description": "For synchronous replication only. Specify how many seconds to wait for a synchronous transaction quorum replication until it is declared failed and is rolled back.\n\nIt is not used on replicas, so if the master fails, the pending synchronous transactions will be kept waiting on the replicas until a new master is elected.", "type": "number" }, "threads": { "default": 1, "description": "The number of threads spawned to decode the incoming replication data.\n\nIn most cases, one thread is enough for all incoming data. Possible values range from 1 to 1000. If there are multiple replication threads, connections to serve are distributed evenly between the threads.", "type": "integer" }, "timeout": { "default": 1, "description": "A time interval (in seconds) used by a master to send heartbeat requests to a replica when there are no updates to send to this replica. For each request, a replica should return a heartbeat acknowledgment.\n\nIf a master or replica gets no heartbeat message for `4 * replication.timeout` seconds, a connection is dropped and a replica tries to reconnect to the master.", "type": "number" } }, "type": "object" }, "roles": { "description": "Specify the roles of an instance. To specify a role's configuration, use the roles_cfg option.", "items": { "description": "The name of a role, corresponding to the module name used in the `require` call to load the role.", "type": "string" }, "type": "array" }, "roles_cfg": { "additionalProperties": { "description": "Configuration of the given role." }, "description": "Specify a role's configuration. This option accepts a role name as the key and a role's configuration as the value. To specify the roles of an instance, use the roles option.", "type": "object" }, "security": { "additionalProperties": false, "description": "This section defines configuration parameters related to various security settings.", "properties": { "auth_delay": { "default": 0, "description": "Specify a period of time (in seconds) that a specific user should wait for the next attempt after failed authentication.\n\nThe `security.auth_retries` option lets a client try to authenticate the specified number of times before `security.auth_delay` is enforced.", "type": "number" }, "auth_retries": { "default": 0, "description": "Specify the maximum number of authentication retries allowed before `security.auth_delay` is enforced. The default value is 0, which means `security.auth_delay` is enforced after the first failed authentication attempt.\n\nThe retry counter is reset after `security.auth_delay` seconds since the first failed attempt. For example, if a client tries to authenticate fewer than `security.auth_retries` times within `security.auth_delay` seconds, no authentication delay is enforced. The retry counter is also reset after any successful authentication attempt.", "type": "integer" }, "auth_type": { "default": "chap-sha1", "description": "Specify a protocol used to authenticate users. The possible values are:\n\n- `chap-sha1`: use the CHAP protocol with SHA-1 hashing applied to passwords.\n- `pap-sha256`: use PAP authentication with the SHA256 hashing algorithm.\n\nNote that CHAP stores password hashes in the `_user` space unsalted. If an attacker gains access to the database, they may crack a password, for example, using a rainbow table. For PAP, a password is salted with a user-unique salt before saving it in the database, which keeps the database protected from cracking using a rainbow table.", "enum": [ "chap-sha1", "pap-sha256" ], "type": "string" }, "disable_guest": { "default": false, "description": "If `true`, turn off access over remote connections from unauthenticated or guest users. This option affects connections between cluster members and `net.box` connections.", "type": "boolean" }, "password_enforce_digits": { "default": false, "description": "If true, a password should contain digits (0-9).", "type": "boolean" }, "password_enforce_lowercase": { "default": false, "description": "If true, a password should contain lowercase letters (a-z).", "type": "boolean" }, "password_enforce_specialchars": { "default": false, "description": "If true, a password should contain at least one special character (such as &|?!@$).", "type": "boolean" }, "password_enforce_uppercase": { "default": false, "description": "If true, a password should contain uppercase letters (A-Z).", "type": "boolean" }, "password_history_length": { "default": 0, "description": "Specify the number of unique new user passwords before an old password can be reused. Note tarantool uses the auth_history field in the `box.space._user` system space to store user passwords.", "type": "integer" }, "password_lifetime_days": { "default": 0, "description": "Specify the maximum period of time (in days) a user can use the same password. When this period ends, a user gets the \"Password expired\" error on a login attempt. To restore access for such users, use `box.schema.user.passwd`.", "type": "integer" }, "password_min_length": { "default": 0, "description": "Specify the minimum number of characters for a password.", "type": "integer" }, "secure_erasing": { "default": false, "description": "If `true`, forces Tarantool to overwrite a data file a few times before deletion to render recovery of a deleted file impossible. The option applies to both `.xlog` and `.snap` files as well as Vinyl data files.", "type": "boolean" } }, "type": "object" }, "sharding": { "additionalProperties": false, "description": "This section defines configuration parameters related to sharding.", "properties": { "bucket_count": { "default": 3000, "description": "The total number of buckets in a cluster.", "type": "integer" }, "connection_outdate_delay": { "description": "Time to outdate old objects on reload.", "type": "number" }, "discovery_mode": { "default": "on", "description": "A mode of the background discovery fiber used by the router to find buckets.", "enum": [ "on", "off", "once" ], "type": "string" }, "failover_ping_timeout": { "default": 5, "description": "The timeout (in seconds) after which a node is considered unavailable if there are no responses during this period. The failover fiber is used to detect if a node is down.", "type": "number" }, "lock": { "description": "Whether a replica set is locked. A locked replica set cannot receive new buckets nor migrate its own buckets.", "type": "boolean" }, "rebalancer_disbalance_threshold": { "default": 1, "description": "The maximum bucket disbalance threshold (in percent). The disbalance is calculated for each replica set using the following formula:\n\n`|etalon_bucket_count - real_bucket_count| / etalon_bucket_count * 100`", "type": "number" }, "rebalancer_max_receiving": { "default": 100, "description": "The maximum number of buckets that can be received in parallel by a single replica set. This number must be limited because the rebalancer sends a large number of buckets from the existing replica sets to the newly added one. This produces a heavy load on the new replica set.", "type": "integer" }, "rebalancer_max_sending": { "default": 1, "description": "The degree of parallelism for parallel rebalancing.", "type": "integer" }, "rebalancer_mode": { "default": "auto", "description": "Configure how a rebalancer is selected:\n\n- `auto` (default): if there are no replica sets with the rebalancer sharding role (`sharding.roles`), a replica set with the rebalancer is selected automatically among all replica sets.\n- `manual`: one of the replica sets should have the rebalancer sharding role. The rebalancer is in this replica set.\n- `off`: rebalancing is turned off regardless of whether a replica set with the rebalancer sharding role exists or not.", "enum": [ "manual", "auto", "off" ], "type": "string" }, "roles": { "description": "Roles of a replica set in regard to sharding. A replica set can have the following roles:\n\n- `router`: a replica set acts as a router.\n- `storage`: a replica set acts as a storage.\n- `rebalancer`: a replica set acts as a rebalancer.\n\nThe rebalancer role is optional. If it is not specified, a rebalancer is selected automatically from the master instances of replica sets.\n\nThere can be at most one replica set with the rebalancer role. Additionally, this replica set should have a `storage` role.", "items": { "description": "Sharding role: router, storage or rebalancer.", "enum": [ "router", "storage", "rebalancer" ], "type": "string" }, "type": "array", "uniqueItems": true }, "sched_move_quota": { "default": 1, "description": "A scheduler's bucket move quota used by the rebalancer.\n\n`sched_move_quota` defines how many bucket moves can be done in a row if there are pending storage refs. Then, bucket moves are blocked and a router continues making map-reduce requests.", "type": "number" }, "sched_ref_quota": { "default": 300, "description": "A scheduler's storage ref quota used by a router's map-reduce API. For example, the `vshard.router.map_callrw()` function implements consistent map-reduce over the entire cluster.\n\n`sched_ref_quota` defines how many storage refs, therefore map-reduce requests, can be executed on the storage in a row if there are pending bucket moves. Then, storage refs are blocked and the rebalancer continues bucket moves.", "type": "number" }, "shard_index": { "default": "bucket_id", "description": "The name or ID of a TREE index over the bucket id. Spaces without this index do not participate in a sharded Tarantool cluster and can be used as regular spaces if needed. It is necessary to specify the first part of the index, other parts are optional.", "type": "string" }, "sync_timeout": { "default": 1, "description": "The timeout to wait for synchronization of the old master with replicas before demotion. Used when switching a master or when manually calling the `sync()` function.", "type": "number" }, "weight": { "default": 1, "description": "The relative amount of data that a replica set can store.", "type": "number" }, "zone": { "description": "A zone that can be set for routers and replicas. This allows sending read-only requests not only to a master instance but to any available replica that is the nearest to the router.", "type": "integer" } }, "type": "object" }, "snapshot": { "additionalProperties": false, "description": "This section defines configuration parameters related to the snapshot files.", "properties": { "by": { "additionalProperties": false, "description": "An object containing configuration options that specify the conditions under which automatic snapshots are created by the checkpoint daemon. This includes settings like `interval` for time-based snapshots and `wal_size` for snapshots triggered when the total size of WAL files exceeds a certain threshold.", "properties": { "interval": { "default": 3600, "description": "The interval in seconds between actions by the checkpoint daemon. If the option is set to a value greater than zero, and there is activity that causes change to a database, then the checkpoint daemon calls `box.snapshot()` every `snapshot.by.interval` seconds, creating a new snapshot file each time. If the option is set to zero, the checkpoint daemon is disabled.", "type": "number" }, "wal_size": { "default": 1e+18, "description": "The threshold for the total size in bytes for all WAL files created since the last snapshot taken. Once the configured threshold is exceeded, the WAL thread notifies the checkpoint daemon that it must make a new snapshot and delete old WAL files.", "type": "integer" } }, "type": "object" }, "count": { "default": 2, "description": "The maximum number of snapshots that are stored in the `snapshot.dir` directory. If the number of snapshots after creating a new one exceeds this value, the Tarantool garbage collector deletes old snapshots. If `snapshot.count` is set to zero, the garbage collector does not delete old snapshots.", "type": "integer" }, "dir": { "default": "var/lib/{{ instance_name }}", "description": "A directory where memtx stores snapshot (`.snap`) files. A relative path in this option is interpreted as relative to `process.work_dir`.\n\nBy default, snapshots and WAL files are stored in the same directory. However, you can set different values for the `snapshot.dir` and `wal.dir` options to store them on different physical disks for performance matters.", "type": "string" }, "snap_io_rate_limit": { "default": null, "description": "Reduce the throttling effect of `box.snapshot()` on `INSERT/UPDATE/DELETE` performance by setting a limit on how many megabytes per second it can write to disk. The same can be achieved by splitting `wal.dir` and `snapshot.dir` locations and moving snapshots to a separate disk. The limit also affects what `box.stat.vinyl().regulator` may show for the write rate of dumps to `.run` and `.index` files.", "type": "number" } }, "type": "object" }, "sql": { "additionalProperties": false, "description": "This section defines configuration parameters related to SQL.", "properties": { "cache_size": { "default": 5242880, "description": "The maximum cache size (in bytes) for all SQL prepared statements. To see the actual cache size, use `box.info.sql().cache.size`.", "type": "integer" } }, "type": "object" }, "stateboard": { "additionalProperties": false, "description": "These options define configuration parameters related to the stateboard service allowing Tarantool instances to report their state into some extra key-value storage (e.g. etcd or Tarantool config.storage).\n\nAn instance with an enabled stateboard reports its status to `/state/by-name/{{ instance_name }}` where prefix is received from the `config.*.prefix` option. The provided information is in YAML format with the following fields:\n\n- `hostname` (`string`): hostname.\n- `pid` (`integer`): Tarantool process ID.\n- `mode` (`'ro'` or `'rw'`): instance mode (see `box.info.ro`).\n- `ro_reason` (`string`): the reason why the instance is read-only (see `box.info.ro_reason`).\n- `status` (`string`): instance status (see `box.info.status` for possible values and their description).", "properties": { "enabled": { "default": false, "description": "Enable or disable the stateboard service.", "type": "boolean" }, "keepalive_interval": { "default": 10, "description": "A time interval (in seconds) that specifies how long a transient state information is stored.", "type": "number" }, "renew_interval": { "default": 2, "description": "A time interval (in seconds) that specifies how often a Tarantool instance writes its state information to the stateboard.", "type": "number" } }, "type": "object" }, "threads": { "additionalProperties": false, "description": "The `threads` section defines configuration parameters related to application threads.", "properties": { "groups": { "description": "An array of thread groups.", "items": { "additionalProperties": false, "description": "Thread group definition.", "properties": { "name": { "description": "Thread group name.\n\nEach thread group must have a unique name. The name \"tx\" must not be used because it is reserved for the main thread.", "type": "string" }, "size": { "description": "Number of threads in the group.", "type": "integer" } }, "type": "object" }, "type": "array" } }, "type": "object" }, "vinyl": { "additionalProperties": false, "description": "This section defines configuration parameters related to the vinyl storage engine.", "properties": { "bloom_fpr": { "default": 0.05, "description": "A bloom filter's false positive rate - the suitable probability of the bloom filter to give a wrong result. The `vinyl.bloom_fpr` setting is a default value for the bloom_fpr option passed to `space_object:create_index()`.", "type": "number" }, "cache": { "default": 134217728, "description": "The cache size for the vinyl storage engine. The cache can be resized dynamically.", "type": "integer" }, "defer_deletes": { "default": false, "description": "Enable the deferred DELETE optimization in vinyl. It was disabled by default since Tarantool version 2.10 to avoid possible performance degradation of secondary index reads.", "type": "boolean" }, "dir": { "default": "var/lib/{{ instance_name }}", "description": "A directory where vinyl files or subdirectories will be stored. This option may contain a relative file path. In this case, it is interpreted as relative to `process.work_dir`.", "type": "string" }, "max_tuple_size": { "default": 1048576, "description": "The size of the largest allocation unit, for the vinyl storage engine. It can be increased if it is necessary to store large tuples.", "type": "integer" }, "memory": { "default": 134217728, "description": "The maximum number of in-memory bytes that vinyl uses.", "type": "integer" }, "page_size": { "default": 8192, "description": "The page size. A page is a read/write unit for vinyl disk operations. The `vinyl.page_size` setting is a default value for the page_size option passed to `space_object:create_index()`.", "type": "integer" }, "range_size": { "default": null, "description": "The default maximum range size for a vinyl index, in bytes. The maximum range size affects the decision of whether to split a range.\n\nIf `vinyl.range_size` is specified (but the value is not null or 0), then it is used as the default value for the range_size option passed to `space_object:create_index()`.\n\nIf `vinyl.range_size` is not specified (or is explicitly set to null or 0), and `range_size` is not specified when the index is created, then Tarantool sets a value later depending on performance considerations. To see the actual value, use `index_object:stat().range_size`.", "type": "integer" }, "read_threads": { "default": 1, "description": "The maximum number of read threads that vinyl can use for concurrent operations, such as I/O and compression.", "type": "integer" }, "run_count_per_level": { "default": 2, "description": "The maximum number of runs per level in the vinyl LSM tree. If this number is exceeded, a new level is created. The `vinyl.run_count_per_level` setting is a default value for the run_count_per_level option passed to `space_object:create_index()`.", "type": "integer" }, "run_size_ratio": { "default": 3.5, "description": "The ratio between the sizes of different levels in the LSM tree. The `vinyl.run_size_ratio` setting is a default value for the run_size_ratio option passed to `space_object:create_index()`.", "type": "number" }, "timeout": { "default": 60, "description": "The vinyl storage engine has a scheduler that performs compaction. When vinyl is low on available memory, the compaction scheduler may be unable to keep up with incoming update requests. In that situation, queries may time out after vinyl.timeout seconds. This should rarely occur, since normally vinyl throttles inserts when it is running low on compaction bandwidth. Compaction can also be initiated manually with `index_object:compact()`.", "type": "number" }, "write_threads": { "default": 4, "description": "The maximum number of write threads that vinyl can use for some concurrent operations, such as I/O and compression.", "type": "integer" } }, "type": "object" }, "wal": { "additionalProperties": false, "description": "This section defines configuration parameters related to write-ahead log.", "properties": { "cleanup_delay": { "description": "The delay in seconds used to prevent the Tarantool garbage collector from immediately removing write-ahead log files after a node restart. This delay eliminates possible erroneous situations when the master deletes WALs needed by replicas after restart. As a consequence, replicas sync with the master faster after its restart and don't need to download all the data again. Once all the nodes in the replica set are up and running, a scheduled garbage collection is started again even if `wal.cleanup_delay` has not expired.", "type": "number" }, "dir": { "default": "var/lib/{{ instance_name }}", "description": "A directory where write-ahead log (`.xlog`) files are stored. A relative path in this option is interpreted as relative to `process.work_dir`.\n\nBy default, WAL files and snapshots are stored in the same directory. However, you can set different values for the `wal.dir` and `snapshot.dir` options to store them on different physical disks for performance matters.", "type": "string" }, "dir_rescan_delay": { "default": 2, "description": "The time interval in seconds between periodic scans of the write-ahead-log file directory, when checking for changes to write-ahead-log files for the sake of replication or hot standby.", "type": "number" }, "ext": { "additionalProperties": false, "default": null, "description": "This section describes options related to WAL extensions.", "properties": { "new": { "description": "Enable storing a new tuple for each CRUD operation performed. The option is in effect for all spaces. To adjust the option for specific spaces, use the `wal.ext.spaces` option.", "type": "boolean" }, "old": { "description": "Enable storing an old tuple for each CRUD operation performed. The option is in effect for all spaces. To adjust the option for specific spaces, use the `wal.ext.spaces` option.", "type": "boolean" }, "spaces": { "additionalProperties": { "additionalProperties": false, "description": "Per-space WAL extensions configuration.", "properties": { "new": { "default": false, "description": "Enable storing a new tuple for each CRUD operation performed. The option is in effect for all spaces. To adjust the option for specific spaces, use the `wal.ext.spaces` option.", "type": "boolean" }, "old": { "default": false, "description": "Enable storing an old tuple for each CRUD operation performed. The option is in effect for all spaces. To adjust the option for specific spaces, use the `wal.ext.spaces` option.", "type": "boolean" } }, "type": "object" }, "description": "Enable or disable storing an old and new tuple in the WAL record for a given space explicitly. The configuration for specific spaces has priority over the configuration in the `wal.ext.new` and `wal.ext.old` options.\n\nThe option is a key-value pair:\n\n- The key is a space name (string).\n- The value is a table that includes two optional boolean options: `old` and `new`. The format and the default value of these options are described in `wal.ext.old` and `wal.ext.new`.", "type": "object" } }, "type": "object" }, "max_size": { "default": 268435456, "description": "The maximum number of bytes in a single write-ahead log file. When a request would cause an `.xlog` file to become larger than `wal.max_size`, Tarantool creates a new WAL file.", "type": "integer" }, "mode": { "default": "write", "description": "Specify fiber-WAL-disk synchronization mode as:\n\n- `none`: write-ahead log is not maintained. A node with `wal.mode` set to `none` can't be a replication master.\n- `write`: fibers wait for their data to be written to the write-ahead log (no `fsync(2)`).\n- `fsync`: fibers wait for their data, `fsync(2)` follows each `write(2)`.", "enum": [ "none", "write", "fsync" ], "type": "string" }, "queue_max_size": { "default": 16777216, "description": "The size of the queue in bytes used by a replica to submit new transactions to a write-ahead log (WAL). This option helps limit the rate at which a replica submits transactions to the WAL. Limiting the queue size might be useful when a replica is trying to sync with a master and reads new transactions faster than writing them to the WAL.", "type": "integer" }, "retention_period": { "default": 0, "description": "The delay in seconds used to prevent the Tarantool garbage collector from removing a write-ahead log file after it has been closed. If a node is restarted, `wal.retention_period` counts down from the last modification time of the write-ahead log file.\n\nThe garbage collector doesn't track write-ahead logs that are to be relayed to anonymous replicas, such as:\n\n- Anonymous replicas added as a part of a cluster configuration (see `replication.anon`).\n- CDC (Change Data Capture) that retrieves data using anonymous replication.\n\nIn case of a replica or CDC downtime, the required write-ahead logs can be removed. As a result, such a replica needs to be rebootstrapped. You can use wal.retention_period to prevent such issues.\n\nNote that `wal.cleanup_delay` option also sets the delay used to prevent the Tarantool garbage collector from removing write-ahead logs. The difference is that the garbage collector doesn't take into account `wal.cleanup_delay` if all the nodes in the replica set are up and running, which may lead to the removal of the required write-ahead logs.", "type": "number" } }, "type": "object" } }, "type": "object" }, "description": "This section provides the ability to define the full topology of a Tarantool cluster.", "type": "object" }, "include": { "description": "A list of paths to include in the cluster configuration. The paths are included in the order they are specified in the list.", "items": { "description": "An absolute or relative path to a config file to be included, or a wildcard pattern. Relative path are considered relative to the file, where they are included.", "type": "string" }, "type": "array" }, "iproto": { "additionalProperties": false, "description": "The iproto section is used to configure parameters related to communicating to and between cluster instances.", "properties": { "advertise": { "additionalProperties": false, "description": "URIs for cluster members and external clients to let them know where to connect.", "properties": { "client": { "default": null, "description": "A URI used to advertise the current instance to clients.\n\nThe iproto.advertise.client option accepts a URI in the following formats:\n\n- An address: `host:port`.\n- A Unix domain socket: `unix/:`.\n\nNote that this option doesn't allow to set a username and password. If a remote client needs this information, it should be delivered outside of the cluster configuration.", "type": "string" }, "peer": { "additionalProperties": false, "description": "Settings used to advertise the current instance to other cluster members. The format of these settings is described in `iproto.advertise..*`.", "properties": { "login": { "description": "(Optional) A username used to connect to the current instance. If a username is not set, the guest user is used.", "type": "string" }, "params": { "additionalProperties": false, "description": "SSL parameters required for encrypted connections.", "properties": { "ssl_ca_file": { "description": "(Optional) A path to a trusted certificate authorities (CA) file. If not set, the peer won't be checked for authenticity.\n\nBoth a server and a client can use the ssl_ca_file parameter:\n\n- If it's on the server side, the server verifies the client.\n- If it's on the client side, the client verifies the server.\n- If both sides have the CA files, the server and the client verify each other.", "type": "string" }, "ssl_cert_file": { "description": "A path to an SSL certificate file:\n\n- For a server, it's mandatory.\n- For a client, it's mandatory if the ssl_ca_file parameter is set for a server; otherwise, optional.", "type": "string" }, "ssl_ciphers": { "description": "(Optional) A colon-separated (:) list of SSL cipher suites the connection can use. Note that the list is not validated: if a cipher suite is unknown, Tarantool ignores it, doesn't establish the connection, and writes to the log that no shared cipher was found.", "type": "string" }, "ssl_key_file": { "description": "A path to a private SSL key file:\n\n- For a server, it's mandatory.\n- For a client, it's mandatory if the `ssl_ca_file` parameter is set for a server; otherwise, optional.\n\nIf the private key is encrypted, provide a password for it in the `ssl_password` or `ssl_password_file` parameter", "type": "string" }, "ssl_password": { "description": "(Optional) A password for an encrypted private SSL key provided using `ssl_key_file`. Alternatively, the password can be provided in `ssl_password_file`.\n\nTarantool applies the `ssl_password` and `ssl_password_file` parameters in the following order:\n\n- If `ssl_password` is provided, Tarantool tries to decrypt the private key with it.\n- If `ssl_password` is incorrect or isn't provided, Tarantool tries all passwords from `ssl_password_file` one by one in the order they are written.\n- If `ssl_password` and all passwords from `ssl_password_file` are incorrect, or none of them is provided, Tarantool treats the private key as unencrypted.", "type": "string" }, "ssl_password_file": { "description": "(Optional) A text file with one or more passwords for encrypted private SSL keys provided using `ssl_key_file` (each on a separate line). Alternatively, the password can be provided in `ssl_password`.", "type": "string" }, "transport": { "description": "Allows you to enable traffic encryption for client-server communications over binary connections. In a Tarantool cluster, one instance might act as the server that accepts connections from other instances and the client that connects to other instances.\n\n`.params.transport` accepts one of the following values:\n\n- `plain` (default): turn off traffic encryption,\n- `ssl`: encrypt traffic by using the TLS 1.2 protocol (EE only).", "enum": [ "plain", "ssl" ], "type": "string" } }, "type": "object" }, "password": { "description": "(Optional) A password for the specified user. If a login is specified but a password is missing, it is taken from the user's credentials.", "type": "string" }, "uri": { "description": "(Optional) A URI used to advertise the current instance. By default, the URI defined in iproto.listen is used to advertise the current instance.", "type": "string" } }, "type": "object" }, "sharding": { "additionalProperties": false, "description": "Settings used to advertise the current instance to a router and rebalancer. The format of these settings is described in `iproto.advertise..*`.", "properties": { "login": { "description": "(Optional) A username used to connect to the current instance. If a username is not set, the guest user is used.", "type": "string" }, "params": { "additionalProperties": false, "description": "SSL parameters required for encrypted connections.", "properties": { "ssl_ca_file": { "description": "(Optional) A path to a trusted certificate authorities (CA) file. If not set, the peer won't be checked for authenticity.\n\nBoth a server and a client can use the ssl_ca_file parameter:\n\n- If it's on the server side, the server verifies the client.\n- If it's on the client side, the client verifies the server.\n- If both sides have the CA files, the server and the client verify each other.", "type": "string" }, "ssl_cert_file": { "description": "A path to an SSL certificate file:\n\n- For a server, it's mandatory.\n- For a client, it's mandatory if the ssl_ca_file parameter is set for a server; otherwise, optional.", "type": "string" }, "ssl_ciphers": { "description": "(Optional) A colon-separated (:) list of SSL cipher suites the connection can use. Note that the list is not validated: if a cipher suite is unknown, Tarantool ignores it, doesn't establish the connection, and writes to the log that no shared cipher was found.", "type": "string" }, "ssl_key_file": { "description": "A path to a private SSL key file:\n\n- For a server, it's mandatory.\n- For a client, it's mandatory if the `ssl_ca_file` parameter is set for a server; otherwise, optional.\n\nIf the private key is encrypted, provide a password for it in the `ssl_password` or `ssl_password_file` parameter", "type": "string" }, "ssl_password": { "description": "(Optional) A password for an encrypted private SSL key provided using `ssl_key_file`. Alternatively, the password can be provided in `ssl_password_file`.\n\nTarantool applies the `ssl_password` and `ssl_password_file` parameters in the following order:\n\n- If `ssl_password` is provided, Tarantool tries to decrypt the private key with it.\n- If `ssl_password` is incorrect or isn't provided, Tarantool tries all passwords from `ssl_password_file` one by one in the order they are written.\n- If `ssl_password` and all passwords from `ssl_password_file` are incorrect, or none of them is provided, Tarantool treats the private key as unencrypted.", "type": "string" }, "ssl_password_file": { "description": "(Optional) A text file with one or more passwords for encrypted private SSL keys provided using `ssl_key_file` (each on a separate line). Alternatively, the password can be provided in `ssl_password`.", "type": "string" }, "transport": { "description": "Allows you to enable traffic encryption for client-server communications over binary connections. In a Tarantool cluster, one instance might act as the server that accepts connections from other instances and the client that connects to other instances.\n\n`.params.transport` accepts one of the following values:\n\n- `plain` (default): turn off traffic encryption,\n- `ssl`: encrypt traffic by using the TLS 1.2 protocol (EE only).", "enum": [ "plain", "ssl" ], "type": "string" } }, "type": "object" }, "password": { "description": "(Optional) A password for the specified user. If a login is specified but a password is missing, it is taken from the user's credentials.", "type": "string" }, "uri": { "description": "(Optional) A URI used to advertise the current instance. By default, the URI defined in iproto.listen is used to advertise the current instance.", "type": "string" } }, "type": "object" } }, "type": "object" }, "listen": { "default": null, "description": "An array of URIs used to listen for incoming requests. If required, you can enable SSL for specific URIs by providing additional parameters (`iproto.listen.*.params`).", "items": { "additionalProperties": false, "description": "Iproto listening socket definition.\n\nAllows to set an URI (`unix/:` or `host:port`) and SSL parameters. Minimal example: `{uri: 127.0.0.1:3301}`.", "properties": { "params": { "additionalProperties": false, "description": "SSL parameters required for encrypted connections.", "properties": { "ssl_ca_file": { "description": "(Optional) A path to a trusted certificate authorities (CA) file. If not set, the peer won't be checked for authenticity.\n\nBoth a server and a client can use the ssl_ca_file parameter:\n\n- If it's on the server side, the server verifies the client.\n- If it's on the client side, the client verifies the server.\n- If both sides have the CA files, the server and the client verify each other.", "type": "string" }, "ssl_cert_file": { "description": "A path to an SSL certificate file:\n\n- For a server, it's mandatory.\n- For a client, it's mandatory if the ssl_ca_file parameter is set for a server; otherwise, optional.", "type": "string" }, "ssl_ciphers": { "description": "(Optional) A colon-separated (:) list of SSL cipher suites the connection can use. Note that the list is not validated: if a cipher suite is unknown, Tarantool ignores it, doesn't establish the connection, and writes to the log that no shared cipher was found.", "type": "string" }, "ssl_key_file": { "description": "A path to a private SSL key file:\n\n- For a server, it's mandatory.\n- For a client, it's mandatory if the `ssl_ca_file` parameter is set for a server; otherwise, optional.\n\nIf the private key is encrypted, provide a password for it in the `ssl_password` or `ssl_password_file` parameter", "type": "string" }, "ssl_password": { "description": "(Optional) A password for an encrypted private SSL key provided using `ssl_key_file`. Alternatively, the password can be provided in `ssl_password_file`.\n\nTarantool applies the `ssl_password` and `ssl_password_file` parameters in the following order:\n\n- If `ssl_password` is provided, Tarantool tries to decrypt the private key with it.\n- If `ssl_password` is incorrect or isn't provided, Tarantool tries all passwords from `ssl_password_file` one by one in the order they are written.\n- If `ssl_password` and all passwords from `ssl_password_file` are incorrect, or none of them is provided, Tarantool treats the private key as unencrypted.", "type": "string" }, "ssl_password_file": { "description": "(Optional) A text file with one or more passwords for encrypted private SSL keys provided using `ssl_key_file` (each on a separate line). Alternatively, the password can be provided in `ssl_password`.", "type": "string" }, "transport": { "description": "Allows you to enable traffic encryption for client-server communications over binary connections. In a Tarantool cluster, one instance might act as the server that accepts connections from other instances and the client that connects to other instances.\n\n`.params.transport` accepts one of the following values:\n\n- `plain` (default): turn off traffic encryption,\n- `ssl`: encrypt traffic by using the TLS 1.2 protocol (EE only).", "enum": [ "plain", "ssl" ], "type": "string" } }, "type": "object" }, "uri": { "description": "An array of URIs used to listen for incoming requests. If required, you can enable SSL for specific URIs by providing additional parameters (`iproto.listen.*.params`).\n\nNote: the `iproto.listen.*.uri` string can't contain a login or a password, it has no sense for a listening socket.\n\nThe query-parameter form of setting SSL options is forbidden in the URI string. Use the `iproto.listen.*.params` for them.", "type": "string" } }, "type": "object" }, "type": "array" }, "net_msg_max": { "default": 768, "description": "To handle messages, Tarantool allocates fibers. To prevent fiber overhead from affecting the whole system, Tarantool restricts how many messages the fibers handle, so that some pending requests are blocked.\n\n- On powerful systems, increase `net_msg_max`, and the scheduler starts processing pending requests immediately.\n- On weaker systems, decrease `net_msg_max`, and the overhead may decrease. However, this may take some time because the scheduler must wait until already-running requests finish.\n\nWhen `net_msg_max` is reached, Tarantool suspends processing of incoming packages until it has processed earlier messages. This is not a direct restriction of the number of fibers that handle network messages, rather it is a system-wide restriction of channel bandwidth. This in turn restricts the number of incoming network messages that the transaction processor thread handles, and therefore indirectly affects the fibers that handle network messages.", "type": "integer" }, "readahead": { "default": 16320, "description": "The size of the read-ahead buffer associated with a client connection. The larger the buffer, the more memory an active connection consumes, and the more requests can be read from the operating system buffer in a single system call.\n\nThe recommendation is to make sure that the buffer can contain at least a few dozen requests. Therefore, if a typical tuple in a request is large, e.g. a few kilobytes or even megabytes, the read-ahead buffer size should be increased. If batched request processing is not used, it's prudent to leave this setting at its default.", "type": "integer" }, "ssl": { "additionalProperties": false, "description": "SSL parameters required for encrypted connections. These parameters would be used to set up SSL IProto sockets and to connect to other instances which require certificate authority (CA).", "properties": { "ca_file": { "description": "(Optional) A path to a trusted certificate authorities (CA) file. If not set, the peer won't be checked for authenticity.\n\nBoth a server and a client can use the ca_file parameter:\n\n- If it's on the server side, the server verifies the client.\n- If it's on the client side, the client verifies the server.\n- If both sides have the CA files, the server and the client verify each other.", "type": "string" }, "ssl_cert": { "description": "A path to an SSL certificate file:\n\n- For a server, it's mandatory.\n- For a client, it's mandatory if the ca_file parameter is set for a server; otherwise, optional.", "type": "string" }, "ssl_ciphers": { "description": "(Optional) A colon-separated (:) list of SSL cipher suites the connection can use. Note that the list is not validated: if a cipher suite is unknown, Tarantool ignores it, doesn't establish the connection, and writes to the log that no shared cipher was found.", "type": "string" }, "ssl_key": { "description": "A path to a private SSL key file:\n\n- For a server, it's mandatory.\n- For a client, it's mandatory if the `ca_file` parameter is set for a server; otherwise, optional.\n\nIf the private key is encrypted, provide a password for it in the `ssl_password` or `ssl_password_file` parameter", "type": "string" }, "ssl_password": { "description": "(Optional) A password for an encrypted private SSL key provided using `ssl_key`. Alternatively, the password can be provided in `ssl_password_file`.\n\nTarantool applies the `ssl_password` and `ssl_password_file` parameters in the following order:\n\n- If `ssl_password` is provided, Tarantool tries to decrypt the private key with it.\n- If `ssl_password` is incorrect or isn't provided, Tarantool tries all passwords from `ssl_password_file` one by one in the order they are written.\n- If `ssl_password` and all passwords from `ssl_password_file` are incorrect, or none of them is provided, Tarantool treats the private key as unencrypted.", "type": "string" }, "ssl_password_file": { "description": "(Optional) A text file with one or more passwords for encrypted private SSL keys provided using `ssl_key` (each on a separate line). Alternatively, the password can be provided in `ssl_password`.", "type": "string" } }, "type": "object" }, "threads": { "default": 1, "description": "The number of network threads. There can be unusual workloads where the network thread is 100% loaded and the transaction processor thread is not, so the network thread is a bottleneck. In that case, set `iproto_threads` to 2 or more. The operating system kernel determines which connection goes to which thread.", "type": "integer" } }, "type": "object" }, "isolated": { "default": false, "description": "Temporarily isolate an instance to perform replicaset repairing activities, such as debugging a problem on the isolated instance without affecting the non-isolated part or extracting data from the isolated instance to apply on the non-isolated part of the replicaset.\n\nEffects of isolation:\n\n- The instance stops listening for new IProto connections.\n- All current IProto connections are dropped.\n- The instance switches to read-only mode.\n- The instance disconnects from all replication upstreams.\n- Other replicaset members exclude the isolated instance from their replication upstreams.\n\nNote: the isolated instance can't be bootstrapped (a local snapshot is required to start).", "type": "boolean" }, "labels": { "additionalProperties": { "description": "A value of the label with the specified name.", "type": "string" }, "description": "The `labels` section allows adding custom attributes to the instance. The keys and values are strings.", "type": "object" }, "log": { "additionalProperties": false, "description": "The `log` section defines configuration parameters related to logging. To handle logging in your application, use the log module.", "properties": { "file": { "default": "var/log/{{ instance_name }}/tarantool.log", "description": "Specify a file for logs destination. To write logs to a file, you need to set `log.to` to file. Otherwise, `log.file` is ignored.", "type": "string" }, "format": { "default": "plain", "description": "Specify a format that is used for a log entry. The following formats are supported:\n\n- `plain`: a log entry is formatted as plain text.\n- `json`: a log entry is formatted as JSON and includes additional fields.", "enum": [ "plain", "json" ], "type": "string" }, "level": { "default": 5, "description": "Specify the level of detail logs have. There are the following levels:\n\n- 0: `fatal`\n- 1: `syserror`\n- 2: `error`\n- 3: `crit`\n- 4: `warn`\n- 5: `info`\n- 6: `verbose`\n- 7: `debug`\n\nBy setting log.level, you can enable logging of all events with severities above or equal to the given level.", "enum": [ 0, "fatal", 1, "syserror", 2, "error", 3, "crit", 4, "warn", 5, "info", 6, "verbose", 7, "debug" ], "type": [ "string", "number" ] }, "modules": { "additionalProperties": { "description": "The log level.\n\nFor example: you have module placed by the following path: `test/module.lua`. To configure logging levels, you need to provide module names corresponding to paths to these modules: `test.module: 'verbose'`.", "type": [ "string", "number" ] }, "default": null, "description": "Configure the specified log levels (`log.level`) for different modules.\n\nYou can specify a logging level for the following module types:\n\n- Modules (files) that use the default logger.\n- Modules that use custom loggers created using the `log.new()` function.\n- The tarantool module that enables you to configure the logging level for Tarantool core messages. Specifically, it configures the logging level for messages logged from non-Lua code, including C modules.", "type": "object" }, "nonblock": { "default": false, "description": "Specify the logging behavior if the system is not ready to write. If set to `true`, Tarantool does not block during logging if the system is non-writable and writes a message instead. Using this value may improve logging performance at the cost of losing some log messages.", "type": "boolean" }, "pipe": { "default": null, "description": "Start a program and write logs to its standard input (`stdin`). To send logs to a program's standard input, you need to set `log.to` to `pipe`.", "type": "string" }, "syslog": { "additionalProperties": false, "description": "Syslog configurations parameters. To write logs to syslog, you need to set `log.to` to `syslog`.", "properties": { "facility": { "default": "local7", "description": "Specify the syslog facility to be used when syslog is enabled. To write logs to syslog, you need to set `log.to` to `syslog`.", "type": "string" }, "identity": { "default": "tarantool", "description": "Specify an application name used to identify Tarantool messages in syslog logs. To write logs to syslog, you need to set `log.to` to `syslog`.", "type": "string" }, "server": { "default": null, "description": "Set a location of a syslog server. This option accepts one of the following values:\n\n- An address. Example: `127.0.0.1:514`.\n- A Unix socket path starting with `unix:`. Examples: `unix:/dev/log` on Linux or `unix:/var/run/syslog` on macOS.\n\nTo write logs to syslog, you need to set `log.to` to `syslog`.", "type": "string" } }, "type": "object" }, "to": { "default": "stderr", "description": "Define a location Tarantool sends logs to. This option accepts the following values:\n\n- `stderr`: write logs to the standard error stream.\n- `file`: write logs to a file.\n- `pipe`: start a program and write logs to its standard input.\n- `syslog`: write logs to a system logger.", "enum": [ "stderr", "file", "pipe", "syslog" ], "type": "string" } }, "type": "object" }, "lua": { "additionalProperties": false, "description": "This section defines configuration parameters related to Lua within Tarantool.", "properties": { "memory": { "default": 2147483648, "description": "Define amount of memory available to Lua in bytes. Default is 2GB, with a minimum of 256MB.\n\nThe limit can be adjusted dynamically if the new value is greater than the used memory amount. Otherwise, a restart is required for changes to take effect.", "type": "integer" } }, "type": "object" }, "memtx": { "additionalProperties": false, "description": "This section is used to configure parameters related to the memtx engine.", "properties": { "allocator": { "default": "small", "description": "Specify the allocator that manages memory for memtx tuples. Possible values:\n\n- `system` - the memory is allocated as needed, checking that the quota is not exceeded. The allocator is based on the `malloc` function.\n- `small` - a slab allocator. The allocator repeatedly uses a memory block to allocate objects of the same type. Note that this allocator is prone to unresolvable fragmentation on specific workloads, so you can switch to `system` in such cases.", "enum": [ "small", "system" ], "type": "string" }, "max_tuple_size": { "default": 1048576, "description": "Size of the largest allocation unit for the memtx storage engine in bytes. It can be increased if it is necessary to store large tuples.", "type": "integer" }, "memory": { "default": 268435456, "description": "The amount of memory in bytes that Tarantool allocates to store tuples. When the limit is reached, `INSERT` and `UPDATE` requests fail with the `ER_MEMORY_ISSUE` error. The server does not go beyond the `memtx.memory` limit to allocate tuples, but there is additional memory used to store indexes and connection information.", "type": "integer" }, "min_tuple_size": { "default": 16, "description": "Size of the smallest allocation unit in bytes. It can be decreased if most of the tuples are very small.", "type": "integer" }, "slab_alloc_factor": { "default": 1.05, "description": "The multiplier for computing the sizes of memory chunks that tuples are stored in. A lower value may result in less wasted memory depending on the total amount of memory available and the distribution of item sizes.", "type": "number" }, "slab_alloc_granularity": { "default": 8, "description": "Specify the granularity in bytes of memory allocation in the small allocator. The `memtx.slab_alloc_granularity` value should meet the following conditions:\n\n- The value is a power of two.\n- The value is greater than or equal to 4.\n\nBelow are few recommendations on how to adjust the `memtx.slab_alloc_granularity option`:\n\n- If the tuples in space are small and have about the same size, set the option to 4 bytes to save memory.\n- If the tuples are different-sized, increase the option value to allocate tuples from the same `mempool` (memory pool).", "type": "integer" }, "sort_threads": { "default": null, "description": "The number of threads from the thread pool used to sort keys of secondary indexes on loading a `memtx` database. The minimum value is 1, the maximum value is 256. The default is to use all available cores.", "type": "integer" }, "use_sort_data": { "default": false, "description": "Whether to use the O(n) secondary key sort using additional snapshot data (if the latter is available) and write the data during `box.snapshot()`.", "type": "boolean" } }, "type": "object" }, "metrics": { "additionalProperties": false, "description": "The `metrics` section provides the ability to collect and expose Tarantool metrics (e.g. network, cpu, memtx and others).", "properties": { "exclude": { "description": "An array containing groups of metrics to turn off. The array can contain the same values as the `exclude` configuration parameter passed to `metrics.cfg()`.", "items": { "description": "A name of a group of metrics.", "enum": [ "all", "network", "operations", "system", "replicas", "info", "slab", "runtime", "memory", "spaces", "fibers", "cpu", "vinyl", "memtx", "luajit", "clock", "event_loop", "cpu_extended", "schema" ], "type": "string" }, "type": "array", "uniqueItems": true }, "include": { "description": "An array containing groups of metrics to turn on. The array can contain the same values as the `include` configuration parameter passed to `metrics.cfg()`.", "items": { "description": "A name of a group of metrics.", "enum": [ "all", "network", "operations", "system", "replicas", "info", "slab", "runtime", "memory", "spaces", "fibers", "cpu", "vinyl", "memtx", "luajit", "clock", "event_loop", "cpu_extended", "schema" ], "type": "string" }, "type": "array", "uniqueItems": true }, "labels": { "additionalProperties": { "description": "Label value.", "type": "string" }, "description": "Global labels to be added to every observation.", "type": "object" } }, "type": "object" }, "process": { "additionalProperties": false, "description": "The `process` section defines configuration parameters of the Tarantool process in the system.", "properties": { "background": { "default": false, "description": "Run the server as a daemon process.\n\nIf this option is set to true, Tarantool log location defined by the `log.to` option should be set to file, pipe, or syslog - anything other than stderr, the default, because a daemon process is detached from a terminal and it can't write to the terminal's stderr.\n\nWarn: Do not enable the background mode for applications intended to run by the tt utility.", "type": "boolean" }, "coredump": { "default": false, "description": "Create coredump files.\n\nUsually, an administrator needs to call `ulimit -c unlimited` (or set corresponding options in systemd's unit file) before running a Tarantool process to get core dumps. If `process.coredump` is enabled, Tarantool sets the corresponding resource limit by itself and the administrator doesn't need to call `ulimit -c unlimited` (see man 3 setrlimit).\n\nThis option also sets the state of the `dumpable` attribute, which is enabled by default, but may be dropped in some circumstances (according to man 2 prctl, see PR_SET_DUMPABLE).", "type": "boolean" }, "pid_file": { "default": "var/run/{{ instance_name }}/tarantool.pid", "description": "Store the process id in this file.\n\nThis option may contain a relative file path. In this case, it is interpreted as relative to `process.work_dir`.", "type": "string" }, "strip_core": { "default": true, "description": "Whether coredump files should not include memory allocated for tuples - this memory can be large if Tarantool runs under heavy load. Setting to `true` means \"do not include\".", "type": "boolean" }, "title": { "default": "tarantool - {{ instance_name }}", "description": "Add the given string to the server's process title (it is shown in the COMMAND column for the Linux commands `ps -ef` and `top -c`).", "type": "string" }, "username": { "default": null, "description": "The name of the system user to switch to after start.", "type": "string" }, "work_dir": { "default": null, "description": "A directory where Tarantool working files will be stored (database files, logs, a PID file, a console Unix socket, and other files if an application generates them in the current directory). The server instance switches to `process.work_dir` with chdir(2) after start.\n\nIf set as a relative file path, it is relative to the current working directory, from where Tarantool is started. If not specified, defaults to the current working directory.\n\nOther directory and file parameters, if set as relative paths, are interpreted as relative to `process.work_dir`, for example, directories for storing snapshots and write-ahead logs.", "type": "string" } }, "type": "object" }, "quiver": { "additionalProperties": false, "description": "This section defines configuration parameters related to the quiver storage engine.", "properties": { "dir": { "default": "var/lib/{{ instance_name }}", "description": "A directory where quiver files or subdirectories will be stored. This option may contain a relative file path. In this case, it is interpreted as relative to `process.work_dir`.", "type": "string" }, "memory": { "default": 134217728, "description": "The maximum size of in-memory buffers used for accumulating write requests. The quiver engine decides when it should start dumping in-memory buffers to disk depending on this parameter.", "type": "integer" }, "run_size": { "default": 16777216, "description": "The maximum size of a run file, in bytes. When the quiver engine dumps in-memory buffers to disk, it splits the output stream into files depending on this parameter.", "type": "integer" } }, "type": "object" }, "replication": { "additionalProperties": false, "description": "This section defines configuration parameters related to replication.", "properties": { "anon": { "default": false, "description": "Whether to make the current instance act as an anonymous replica. Anonymous replicas are read-only and can be used, for example, for backups.\n\nTo make the specified instance act as an anonymous replica, set `replication.anon` to `true`.\n\nAnonymous replicas are not displayed in the `box.info.replication` section. You can check their status using `box.info.replication_anon()`.\n\nWhile anonymous replicas are read-only, you can write data to replication-local and temporary spaces (created with `is_local = true` and `temporary = true`, respectively). Given that changes to replication-local spaces are allowed, an anonymous replica might increase the 0 component of the vclock value.\n\nHere are the limitations of having anonymous replicas in a replica set:\n\n- A replica set must contain at least one non-anonymous instance.\n- An anonymous replica can't be configured as a writable instance by setting database.mode to rw or making it a leader using `.leader.`\n- If `replication.failover` is set to election, an anonymous replica can have `replication.election_mode` set to `off` only.\n- If `replication.failover` is set to `supervised`, an external failover coordinator doesn't consider anonymous replicas when selecting a bootstrap or replica set leader.", "type": "boolean" }, "anon_ttl": { "default": 3600, "description": "Time-to-live (in seconds) of disconnected anonymous replicas (see `replication.anon` for the definition of anonymous replica). If an anonymous replica hasn't been in touch for longer than `replication.anon_ttl`, it is removed from the instance.", "type": "number" }, "autoexpel": { "additionalProperties": false, "description": "Automatically expel instances.\n\nThe option is useful for management of dynamic clusters using the YAML configuration. The option allows to automatically expel instances that are removed from the YAML configuration.\n\nOnly instances whose names start from the given prefix are taken into account, all the others are ignored. Also, instances without a persistent name set are ignored too.\n\nIf an instance is in read-write mode and has a latest database schema, it performs expelling of the instances:\n\n- with the given prefix, *and*\n- not present in the YAML configuration.\n\nThe expelling process the usual one: deletion from the `_cluster` system space.\n\nThe autoexpel logic works on startup and reacts on the reconfiguration and the `box.status` watcher event. If a new instance is joined and neither of these two events occur, autoexpel does not perform any actions on it. In other words, it doesn't forbid joining of an instance that met the autoexpel criterion.\n\nThe option is allowed on the `replicaset`, `group` and `global` levels, but forbidden on the `instance` level of the cluster configuration.", "properties": { "by": { "description": "The autoexpel criterion: it defines how to determine that an instance is part of the cluster configuration and is not an external service that uses the replication channel (such as a CDC tool).\n\nNow, only `replication.autoexpel.by` = `prefix` criterion is supported. A user have to set it explicitly.\n\nIn future we can provide other criteria and set one of them as default.", "enum": [ "prefix" ], "type": "string" }, "enabled": { "default": false, "description": "Determines, whether the autoexpelling logic is enabled at all. If the option is set, `replication.autoexpel.by` and `replication.autoexpel.prefix` are required.", "type": "boolean" }, "prefix": { "description": "Defines a pattern for instance names that are considered a part of the cluster (not some external services).\n\nFor example, if all the instances in the cluster configuration are prefixed with the replica set name, one can use `replication.autoexpel.prefix` = '{{ replicaset_name }}'`.\n\nIf all the instances follow the `i-\\d\\d\\d` pattern, the option can be set to `i-`.", "type": "string" } }, "type": "object" }, "bootstrap_strategy": { "default": "auto", "description": "Specifies a strategy used to bootstrap a replica set. The following strategies are available:\n\n- `auto`: a node doesn't boot if half or more of the other nodes in a replica set are not connected. For example, if a replica set contains 2 or 3 nodes, a node requires 2 connected instances. In the case of 4 or 5 nodes, at least 3 connected instances are required. Moreover, a bootstrap leader fails to boot unless every connected node has chosen it as a bootstrap leader.\n- `config`: use the specified node to bootstrap a replica set. To specify the bootstrap leader, use the `.bootstrap_leader` option.\n- `supervised`: a bootstrap leader isn't chosen automatically but should be appointed using `box.ctl.make_bootstrap_leader()` on the desired node. The bootstrap leader management is in the user's responsibility unless the failover coordinator is in use (replication.failover = supervised).\n- `native`: the bootstrap leader management is performed by config's code in sync with the RO/RW management (the algorithm depends on replication.failover). If replication.failover = supervised, then the failover coordinator manages the bootstrap leader.\n\nThis strategy is similar to `auto` from the user perspective: everything is handled by tarantool (or coordinator) on its own. However, it is based on the modern `supervised` strategy, which allows to overcome some limitations. - `legacy` (deprecated since 2.11.0): a node requires the `replication_connect_quorum` number of other nodes to be connected. This option is added to keep the compatibility with the current versions of Cartridge and might be removed in the future.\n\nNote: when using bootstrap strategies `supervised` or `native` with a supervised failover (see `replication.failover` configuration option) Tarantool automatically grants the guest user privileges allowing to execute the internal `failover.execute` call for performing the initial cluster bootstrap.", "enum": [ "auto", "config", "supervised", "native", "legacy" ], "type": "string" }, "connect_timeout": { "default": 30, "description": "A timeout (in seconds) a replica waits when trying to connect to a master in a cluster.\n\nThis parameter is different from replication.timeout, which a master uses to disconnect a replica when the master receives no acknowledgments of heartbeat messages.", "type": "number" }, "election_fencing_mode": { "default": "soft", "description": "Specifies the leader fencing mode that affects the leader election process. When the parameter is set to soft or strict, the leader resigns its leadership if it has less than replication.synchro_quorum of alive connections to the cluster nodes. The resigning leader receives the status of a follower in the current election term and becomes read-only.\n\n- In `soft` mode, a connection is considered dead if there are no responses for 4 * `replication.timeout` seconds both on the current leader and the followers.\n- In `strict` mode, a connection is considered dead if there are no responses for 2 * `replication.timeout` seconds on the current leader and 4 * `replication.timeout` seconds on the followers. This improves the chances that there is only one leader at any time.\n\nFencing applies to the instances that have the `replication.election_mode` set to `candidate` or `manual`. To turn off leader fencing, set `election_fencing_mode` to off.", "enum": [ "off", "soft", "strict" ], "type": "string" }, "election_mode": { "default": null, "description": "A role of a replica set node in the leader election process.\n\nThe possible values are:\n\n- `off`: a node doesn't participate in the election activities.\n- `voter`: a node can participate in the election process but can't be a leader.\n- `candidate`: a node should be able to become a leader.\n- `manual`: allow to control which instance is the leader explicitly instead of relying on automated leader election. By default, the instance acts like a voter - it is read-only and may vote for other candidate instances. Once `box.ctl.promote()` is called, the instance becomes a candidate and starts a new election round. If the instance wins the elections, it becomes a leader but won't participate in any new elections.", "enum": [ "off", "voter", "manual", "candidate" ], "type": "string" }, "election_timeout": { "default": 5, "description": "Specifies the timeout (in seconds) between election rounds in the leader election process if the previous round ended up with a split vote.\n\nIt is quite big, and for most of the cases, it can be lowered to 300-400 ms.\n\nTo avoid the split vote repeat, the timeout is randomized on each node during every new election, from 100% to 110% of the original timeout value. For example, if the timeout is 300 ms and there are 3 nodes started the election simultaneously in the same term, they can set their election timeouts to 300, 310, and 320 respectively, or to 305, 302, and 324, and so on. In that way, the votes will never be split because the election on different nodes won't be restarted simultaneously.", "type": "number" }, "failover": { "default": "off", "description": "A failover mode used to take over a master role when the current master instance fails. The following modes are available:\n\n- `off`: Leadership in a replica set is controlled using the `database.mode` option. In this case, you can set the `database.mode` option to rw on all instances in a replica set to make a master-master configuration.\n- `manual`: Leadership in a replica set is controlled using the `.leader` option. In this case, a master-master configuration is forbidden.\n- `election`: Automated leader election is used to control leadership in a replica set.\n- `supervised`: (Enterprise Edition only) Leadership in a replica set is controlled using an external failover coordinator.\n\nNotes:\n\nIn the `off` mode, the default `database.mode` is determined as follows: `rw` if there is onecinstance in a replica set; `ro` if there are several instances.\n\nIn the `manual` mode, the `database.mode` option cannot be set explicitly. The leader is configured in the read-write mode, all the other instances are read-only.\n\nIn the `election` mode and the `supervised` mode, `database.mode` and `.leader` shouldn't be set explicitly.", "enum": [ "off", "manual", "election", "supervised" ], "type": "string" }, "linearizable_quorum": { "default": "N - Q + 1", "description": "A number of replicas to synchronize with before performing linearizable transaction.\n\nLinearizable transactions guarantee that if a write operation completes before a read operation begins, then this read will always observe the effects of that write. To ensure this, the node executing a linearizable transaction must obtain information from enough remote peers to determine the most up-to-date state of the replica set. That number of peers can be configured with this option.\n\nBy default, the linearizable quorum is evaluated dynamically as `N - Q + 1`, where: `N` - the current number of registered replicas in the replica set, `Q` - the current value of `replication.synchro_quorum`.\n\nThis default guarantees quorum intersection between synchronous writes and linearizable reads (`R + Q = N + 1`), which is a fundamental requirement for linearizability.\n\nNote: To begin a linearizable transaction, the MVCC must be enabled and `txn_isolation` must be set to `linearizable`, the transaction can only perform requests to synchronous, local or temporary spaces.", "type": [ "string", "number" ] }, "peers": { "default": null, "description": "URIs of instances that constitute a replica set. These URIs are used by an instance to connect to another instance as a replica.\n\nAlternatively, you can use iproto.advertise.peer to specify a URI used to advertise the current instance to other cluster members.", "items": { "description": "Specifies the URI of the instance.\n\nFor example: `replicator:topsecret@127.0.0.1:3301`.", "type": "string" }, "type": "array" }, "reconnect_timeout": { "default": null, "description": "The timeout (in seconds) between attempts to reconnect to a master in case of connection failure. Default is box.NULL. If the option is set to box.NULL, then it equals to replication_timeout.", "type": "number" }, "skip_conflict": { "default": false, "description": "By default, if a replica adds a unique key that another replica has added, replication stops with the `ER_TUPLE_FOUND` error. If `replication.skip_conflict` is set to `true`, such errors are ignored.", "type": "boolean" }, "sync_lag": { "default": 10, "description": "The maximum delay (in seconds) between the time when data is written to the master and the time when it is written to a replica.\n\nIf a replica should remain in the synched status disregarding of the network delay, set this option to a large value.", "type": "number" }, "sync_timeout": { "default": null, "description": "The timeout (in seconds) that a node waits when trying to sync with other nodes in a replica set after connecting or during a configuration update. This could fail indefinitely if `replication.sync_lag` is smaller than network latency, or if the replica cannot keep pace with master updates. If `replication.sync_timeout` expires, the replica enters `orphan` status.", "type": "number" }, "synchro_queue_max_size": { "default": 16777216, "description": "Puts a limit on the number of transactions in the master synchronous queue.\n\n`replication.synchro_queue_max_size` is measured in number of bytes to be written (0 means unlimited, which was the default behaviour before). This option affects only the behavior of the master, and defaults to 16 megabytes.\n\nNow that `replication.synchro_queue_max_size` is set on the master node, tarantool will discard new transactions that try to queue after the limit is reached. If a transaction had to be discarded, user will get an error message \"The synchronous transaction queue is full\".\n\nThis limitation does not apply during the recovery process.", "type": "integer" }, "synchro_quorum": { "default": "N / 2 + 1", "description": "A number of replicas that should confirm the receipt of a synchronous transaction before it can finish its commit.\n\nThis option supports dynamic evaluation of the quorum number. For example, the default value is `N / 2 + 1` where `N` is the current number of replicas registered in a replica set. Once any replicas are added or removed, the expression is re-evaluated automatically.\n\nNote that the default value (`at least 50% of the replica set size + 1`) guarantees data reliability. Using a value less than the canonical one might lead to unexpected results, including a split-brain.\n\n`replication.synchro_quorum` is not used on replicas. If the master fails, the pending synchronous transactions will be kept waiting on the replicas until a new master is elected.", "type": [ "string", "number" ] }, "synchro_timeout": { "default": 5, "description": "For synchronous replication only. Specify how many seconds to wait for a synchronous transaction quorum replication until it is declared failed and is rolled back.\n\nIt is not used on replicas, so if the master fails, the pending synchronous transactions will be kept waiting on the replicas until a new master is elected.", "type": "number" }, "threads": { "default": 1, "description": "The number of threads spawned to decode the incoming replication data.\n\nIn most cases, one thread is enough for all incoming data. Possible values range from 1 to 1000. If there are multiple replication threads, connections to serve are distributed evenly between the threads.", "type": "integer" }, "timeout": { "default": 1, "description": "A time interval (in seconds) used by a master to send heartbeat requests to a replica when there are no updates to send to this replica. For each request, a replica should return a heartbeat acknowledgment.\n\nIf a master or replica gets no heartbeat message for `4 * replication.timeout` seconds, a connection is dropped and a replica tries to reconnect to the master.", "type": "number" } }, "type": "object" }, "roles": { "description": "Specify the roles of an instance. To specify a role's configuration, use the roles_cfg option.", "items": { "description": "The name of a role, corresponding to the module name used in the `require` call to load the role.", "type": "string" }, "type": "array" }, "roles_cfg": { "additionalProperties": { "description": "Configuration of the given role." }, "description": "Specify a role's configuration. This option accepts a role name as the key and a role's configuration as the value. To specify the roles of an instance, use the roles option.", "type": "object" }, "security": { "additionalProperties": false, "description": "This section defines configuration parameters related to various security settings.", "properties": { "auth_delay": { "default": 0, "description": "Specify a period of time (in seconds) that a specific user should wait for the next attempt after failed authentication.\n\nThe `security.auth_retries` option lets a client try to authenticate the specified number of times before `security.auth_delay` is enforced.", "type": "number" }, "auth_retries": { "default": 0, "description": "Specify the maximum number of authentication retries allowed before `security.auth_delay` is enforced. The default value is 0, which means `security.auth_delay` is enforced after the first failed authentication attempt.\n\nThe retry counter is reset after `security.auth_delay` seconds since the first failed attempt. For example, if a client tries to authenticate fewer than `security.auth_retries` times within `security.auth_delay` seconds, no authentication delay is enforced. The retry counter is also reset after any successful authentication attempt.", "type": "integer" }, "auth_type": { "default": "chap-sha1", "description": "Specify a protocol used to authenticate users. The possible values are:\n\n- `chap-sha1`: use the CHAP protocol with SHA-1 hashing applied to passwords.\n- `pap-sha256`: use PAP authentication with the SHA256 hashing algorithm.\n\nNote that CHAP stores password hashes in the `_user` space unsalted. If an attacker gains access to the database, they may crack a password, for example, using a rainbow table. For PAP, a password is salted with a user-unique salt before saving it in the database, which keeps the database protected from cracking using a rainbow table.", "enum": [ "chap-sha1", "pap-sha256" ], "type": "string" }, "disable_guest": { "default": false, "description": "If `true`, turn off access over remote connections from unauthenticated or guest users. This option affects connections between cluster members and `net.box` connections.", "type": "boolean" }, "password_enforce_digits": { "default": false, "description": "If true, a password should contain digits (0-9).", "type": "boolean" }, "password_enforce_lowercase": { "default": false, "description": "If true, a password should contain lowercase letters (a-z).", "type": "boolean" }, "password_enforce_specialchars": { "default": false, "description": "If true, a password should contain at least one special character (such as &|?!@$).", "type": "boolean" }, "password_enforce_uppercase": { "default": false, "description": "If true, a password should contain uppercase letters (A-Z).", "type": "boolean" }, "password_history_length": { "default": 0, "description": "Specify the number of unique new user passwords before an old password can be reused. Note tarantool uses the auth_history field in the `box.space._user` system space to store user passwords.", "type": "integer" }, "password_lifetime_days": { "default": 0, "description": "Specify the maximum period of time (in days) a user can use the same password. When this period ends, a user gets the \"Password expired\" error on a login attempt. To restore access for such users, use `box.schema.user.passwd`.", "type": "integer" }, "password_min_length": { "default": 0, "description": "Specify the minimum number of characters for a password.", "type": "integer" }, "secure_erasing": { "default": false, "description": "If `true`, forces Tarantool to overwrite a data file a few times before deletion to render recovery of a deleted file impossible. The option applies to both `.xlog` and `.snap` files as well as Vinyl data files.", "type": "boolean" } }, "type": "object" }, "sharding": { "additionalProperties": false, "description": "This section defines configuration parameters related to sharding.", "properties": { "bucket_count": { "default": 3000, "description": "The total number of buckets in a cluster.", "type": "integer" }, "connection_outdate_delay": { "description": "Time to outdate old objects on reload.", "type": "number" }, "discovery_mode": { "default": "on", "description": "A mode of the background discovery fiber used by the router to find buckets.", "enum": [ "on", "off", "once" ], "type": "string" }, "failover_ping_timeout": { "default": 5, "description": "The timeout (in seconds) after which a node is considered unavailable if there are no responses during this period. The failover fiber is used to detect if a node is down.", "type": "number" }, "lock": { "description": "Whether a replica set is locked. A locked replica set cannot receive new buckets nor migrate its own buckets.", "type": "boolean" }, "rebalancer_disbalance_threshold": { "default": 1, "description": "The maximum bucket disbalance threshold (in percent). The disbalance is calculated for each replica set using the following formula:\n\n`|etalon_bucket_count - real_bucket_count| / etalon_bucket_count * 100`", "type": "number" }, "rebalancer_max_receiving": { "default": 100, "description": "The maximum number of buckets that can be received in parallel by a single replica set. This number must be limited because the rebalancer sends a large number of buckets from the existing replica sets to the newly added one. This produces a heavy load on the new replica set.", "type": "integer" }, "rebalancer_max_sending": { "default": 1, "description": "The degree of parallelism for parallel rebalancing.", "type": "integer" }, "rebalancer_mode": { "default": "auto", "description": "Configure how a rebalancer is selected:\n\n- `auto` (default): if there are no replica sets with the rebalancer sharding role (`sharding.roles`), a replica set with the rebalancer is selected automatically among all replica sets.\n- `manual`: one of the replica sets should have the rebalancer sharding role. The rebalancer is in this replica set.\n- `off`: rebalancing is turned off regardless of whether a replica set with the rebalancer sharding role exists or not.", "enum": [ "manual", "auto", "off" ], "type": "string" }, "roles": { "description": "Roles of a replica set in regard to sharding. A replica set can have the following roles:\n\n- `router`: a replica set acts as a router.\n- `storage`: a replica set acts as a storage.\n- `rebalancer`: a replica set acts as a rebalancer.\n\nThe rebalancer role is optional. If it is not specified, a rebalancer is selected automatically from the master instances of replica sets.\n\nThere can be at most one replica set with the rebalancer role. Additionally, this replica set should have a `storage` role.", "items": { "description": "Sharding role: router, storage or rebalancer.", "enum": [ "router", "storage", "rebalancer" ], "type": "string" }, "type": "array", "uniqueItems": true }, "sched_move_quota": { "default": 1, "description": "A scheduler's bucket move quota used by the rebalancer.\n\n`sched_move_quota` defines how many bucket moves can be done in a row if there are pending storage refs. Then, bucket moves are blocked and a router continues making map-reduce requests.", "type": "number" }, "sched_ref_quota": { "default": 300, "description": "A scheduler's storage ref quota used by a router's map-reduce API. For example, the `vshard.router.map_callrw()` function implements consistent map-reduce over the entire cluster.\n\n`sched_ref_quota` defines how many storage refs, therefore map-reduce requests, can be executed on the storage in a row if there are pending bucket moves. Then, storage refs are blocked and the rebalancer continues bucket moves.", "type": "number" }, "shard_index": { "default": "bucket_id", "description": "The name or ID of a TREE index over the bucket id. Spaces without this index do not participate in a sharded Tarantool cluster and can be used as regular spaces if needed. It is necessary to specify the first part of the index, other parts are optional.", "type": "string" }, "sync_timeout": { "default": 1, "description": "The timeout to wait for synchronization of the old master with replicas before demotion. Used when switching a master or when manually calling the `sync()` function.", "type": "number" }, "weight": { "default": 1, "description": "The relative amount of data that a replica set can store.", "type": "number" }, "zone": { "description": "A zone that can be set for routers and replicas. This allows sending read-only requests not only to a master instance but to any available replica that is the nearest to the router.", "type": "integer" } }, "type": "object" }, "snapshot": { "additionalProperties": false, "description": "This section defines configuration parameters related to the snapshot files.", "properties": { "by": { "additionalProperties": false, "description": "An object containing configuration options that specify the conditions under which automatic snapshots are created by the checkpoint daemon. This includes settings like `interval` for time-based snapshots and `wal_size` for snapshots triggered when the total size of WAL files exceeds a certain threshold.", "properties": { "interval": { "default": 3600, "description": "The interval in seconds between actions by the checkpoint daemon. If the option is set to a value greater than zero, and there is activity that causes change to a database, then the checkpoint daemon calls `box.snapshot()` every `snapshot.by.interval` seconds, creating a new snapshot file each time. If the option is set to zero, the checkpoint daemon is disabled.", "type": "number" }, "wal_size": { "default": 1e+18, "description": "The threshold for the total size in bytes for all WAL files created since the last snapshot taken. Once the configured threshold is exceeded, the WAL thread notifies the checkpoint daemon that it must make a new snapshot and delete old WAL files.", "type": "integer" } }, "type": "object" }, "count": { "default": 2, "description": "The maximum number of snapshots that are stored in the `snapshot.dir` directory. If the number of snapshots after creating a new one exceeds this value, the Tarantool garbage collector deletes old snapshots. If `snapshot.count` is set to zero, the garbage collector does not delete old snapshots.", "type": "integer" }, "dir": { "default": "var/lib/{{ instance_name }}", "description": "A directory where memtx stores snapshot (`.snap`) files. A relative path in this option is interpreted as relative to `process.work_dir`.\n\nBy default, snapshots and WAL files are stored in the same directory. However, you can set different values for the `snapshot.dir` and `wal.dir` options to store them on different physical disks for performance matters.", "type": "string" }, "snap_io_rate_limit": { "default": null, "description": "Reduce the throttling effect of `box.snapshot()` on `INSERT/UPDATE/DELETE` performance by setting a limit on how many megabytes per second it can write to disk. The same can be achieved by splitting `wal.dir` and `snapshot.dir` locations and moving snapshots to a separate disk. The limit also affects what `box.stat.vinyl().regulator` may show for the write rate of dumps to `.run` and `.index` files.", "type": "number" } }, "type": "object" }, "sql": { "additionalProperties": false, "description": "This section defines configuration parameters related to SQL.", "properties": { "cache_size": { "default": 5242880, "description": "The maximum cache size (in bytes) for all SQL prepared statements. To see the actual cache size, use `box.info.sql().cache.size`.", "type": "integer" } }, "type": "object" }, "stateboard": { "additionalProperties": false, "description": "These options define configuration parameters related to the stateboard service allowing Tarantool instances to report their state into some extra key-value storage (e.g. etcd or Tarantool config.storage).\n\nAn instance with an enabled stateboard reports its status to `/state/by-name/{{ instance_name }}` where prefix is received from the `config.*.prefix` option. The provided information is in YAML format with the following fields:\n\n- `hostname` (`string`): hostname.\n- `pid` (`integer`): Tarantool process ID.\n- `mode` (`'ro'` or `'rw'`): instance mode (see `box.info.ro`).\n- `ro_reason` (`string`): the reason why the instance is read-only (see `box.info.ro_reason`).\n- `status` (`string`): instance status (see `box.info.status` for possible values and their description).", "properties": { "enabled": { "default": false, "description": "Enable or disable the stateboard service.", "type": "boolean" }, "keepalive_interval": { "default": 10, "description": "A time interval (in seconds) that specifies how long a transient state information is stored.", "type": "number" }, "renew_interval": { "default": 2, "description": "A time interval (in seconds) that specifies how often a Tarantool instance writes its state information to the stateboard.", "type": "number" } }, "type": "object" }, "threads": { "additionalProperties": false, "description": "The `threads` section defines configuration parameters related to application threads.", "properties": { "groups": { "description": "An array of thread groups.", "items": { "additionalProperties": false, "description": "Thread group definition.", "properties": { "name": { "description": "Thread group name.\n\nEach thread group must have a unique name. The name \"tx\" must not be used because it is reserved for the main thread.", "type": "string" }, "size": { "description": "Number of threads in the group.", "type": "integer" } }, "type": "object" }, "type": "array" } }, "type": "object" }, "vinyl": { "additionalProperties": false, "description": "This section defines configuration parameters related to the vinyl storage engine.", "properties": { "bloom_fpr": { "default": 0.05, "description": "A bloom filter's false positive rate - the suitable probability of the bloom filter to give a wrong result. The `vinyl.bloom_fpr` setting is a default value for the bloom_fpr option passed to `space_object:create_index()`.", "type": "number" }, "cache": { "default": 134217728, "description": "The cache size for the vinyl storage engine. The cache can be resized dynamically.", "type": "integer" }, "defer_deletes": { "default": false, "description": "Enable the deferred DELETE optimization in vinyl. It was disabled by default since Tarantool version 2.10 to avoid possible performance degradation of secondary index reads.", "type": "boolean" }, "dir": { "default": "var/lib/{{ instance_name }}", "description": "A directory where vinyl files or subdirectories will be stored. This option may contain a relative file path. In this case, it is interpreted as relative to `process.work_dir`.", "type": "string" }, "max_tuple_size": { "default": 1048576, "description": "The size of the largest allocation unit, for the vinyl storage engine. It can be increased if it is necessary to store large tuples.", "type": "integer" }, "memory": { "default": 134217728, "description": "The maximum number of in-memory bytes that vinyl uses.", "type": "integer" }, "page_size": { "default": 8192, "description": "The page size. A page is a read/write unit for vinyl disk operations. The `vinyl.page_size` setting is a default value for the page_size option passed to `space_object:create_index()`.", "type": "integer" }, "range_size": { "default": null, "description": "The default maximum range size for a vinyl index, in bytes. The maximum range size affects the decision of whether to split a range.\n\nIf `vinyl.range_size` is specified (but the value is not null or 0), then it is used as the default value for the range_size option passed to `space_object:create_index()`.\n\nIf `vinyl.range_size` is not specified (or is explicitly set to null or 0), and `range_size` is not specified when the index is created, then Tarantool sets a value later depending on performance considerations. To see the actual value, use `index_object:stat().range_size`.", "type": "integer" }, "read_threads": { "default": 1, "description": "The maximum number of read threads that vinyl can use for concurrent operations, such as I/O and compression.", "type": "integer" }, "run_count_per_level": { "default": 2, "description": "The maximum number of runs per level in the vinyl LSM tree. If this number is exceeded, a new level is created. The `vinyl.run_count_per_level` setting is a default value for the run_count_per_level option passed to `space_object:create_index()`.", "type": "integer" }, "run_size_ratio": { "default": 3.5, "description": "The ratio between the sizes of different levels in the LSM tree. The `vinyl.run_size_ratio` setting is a default value for the run_size_ratio option passed to `space_object:create_index()`.", "type": "number" }, "timeout": { "default": 60, "description": "The vinyl storage engine has a scheduler that performs compaction. When vinyl is low on available memory, the compaction scheduler may be unable to keep up with incoming update requests. In that situation, queries may time out after vinyl.timeout seconds. This should rarely occur, since normally vinyl throttles inserts when it is running low on compaction bandwidth. Compaction can also be initiated manually with `index_object:compact()`.", "type": "number" }, "write_threads": { "default": 4, "description": "The maximum number of write threads that vinyl can use for some concurrent operations, such as I/O and compression.", "type": "integer" } }, "type": "object" }, "wal": { "additionalProperties": false, "description": "This section defines configuration parameters related to write-ahead log.", "properties": { "cleanup_delay": { "description": "The delay in seconds used to prevent the Tarantool garbage collector from immediately removing write-ahead log files after a node restart. This delay eliminates possible erroneous situations when the master deletes WALs needed by replicas after restart. As a consequence, replicas sync with the master faster after its restart and don't need to download all the data again. Once all the nodes in the replica set are up and running, a scheduled garbage collection is started again even if `wal.cleanup_delay` has not expired.", "type": "number" }, "dir": { "default": "var/lib/{{ instance_name }}", "description": "A directory where write-ahead log (`.xlog`) files are stored. A relative path in this option is interpreted as relative to `process.work_dir`.\n\nBy default, WAL files and snapshots are stored in the same directory. However, you can set different values for the `wal.dir` and `snapshot.dir` options to store them on different physical disks for performance matters.", "type": "string" }, "dir_rescan_delay": { "default": 2, "description": "The time interval in seconds between periodic scans of the write-ahead-log file directory, when checking for changes to write-ahead-log files for the sake of replication or hot standby.", "type": "number" }, "ext": { "additionalProperties": false, "default": null, "description": "This section describes options related to WAL extensions.", "properties": { "new": { "description": "Enable storing a new tuple for each CRUD operation performed. The option is in effect for all spaces. To adjust the option for specific spaces, use the `wal.ext.spaces` option.", "type": "boolean" }, "old": { "description": "Enable storing an old tuple for each CRUD operation performed. The option is in effect for all spaces. To adjust the option for specific spaces, use the `wal.ext.spaces` option.", "type": "boolean" }, "spaces": { "additionalProperties": { "additionalProperties": false, "description": "Per-space WAL extensions configuration.", "properties": { "new": { "default": false, "description": "Enable storing a new tuple for each CRUD operation performed. The option is in effect for all spaces. To adjust the option for specific spaces, use the `wal.ext.spaces` option.", "type": "boolean" }, "old": { "default": false, "description": "Enable storing an old tuple for each CRUD operation performed. The option is in effect for all spaces. To adjust the option for specific spaces, use the `wal.ext.spaces` option.", "type": "boolean" } }, "type": "object" }, "description": "Enable or disable storing an old and new tuple in the WAL record for a given space explicitly. The configuration for specific spaces has priority over the configuration in the `wal.ext.new` and `wal.ext.old` options.\n\nThe option is a key-value pair:\n\n- The key is a space name (string).\n- The value is a table that includes two optional boolean options: `old` and `new`. The format and the default value of these options are described in `wal.ext.old` and `wal.ext.new`.", "type": "object" } }, "type": "object" }, "max_size": { "default": 268435456, "description": "The maximum number of bytes in a single write-ahead log file. When a request would cause an `.xlog` file to become larger than `wal.max_size`, Tarantool creates a new WAL file.", "type": "integer" }, "mode": { "default": "write", "description": "Specify fiber-WAL-disk synchronization mode as:\n\n- `none`: write-ahead log is not maintained. A node with `wal.mode` set to `none` can't be a replication master.\n- `write`: fibers wait for their data to be written to the write-ahead log (no `fsync(2)`).\n- `fsync`: fibers wait for their data, `fsync(2)` follows each `write(2)`.", "enum": [ "none", "write", "fsync" ], "type": "string" }, "queue_max_size": { "default": 16777216, "description": "The size of the queue in bytes used by a replica to submit new transactions to a write-ahead log (WAL). This option helps limit the rate at which a replica submits transactions to the WAL. Limiting the queue size might be useful when a replica is trying to sync with a master and reads new transactions faster than writing them to the WAL.", "type": "integer" }, "retention_period": { "default": 0, "description": "The delay in seconds used to prevent the Tarantool garbage collector from removing a write-ahead log file after it has been closed. If a node is restarted, `wal.retention_period` counts down from the last modification time of the write-ahead log file.\n\nThe garbage collector doesn't track write-ahead logs that are to be relayed to anonymous replicas, such as:\n\n- Anonymous replicas added as a part of a cluster configuration (see `replication.anon`).\n- CDC (Change Data Capture) that retrieves data using anonymous replication.\n\nIn case of a replica or CDC downtime, the required write-ahead logs can be removed. As a result, such a replica needs to be rebootstrapped. You can use wal.retention_period to prevent such issues.\n\nNote that `wal.cleanup_delay` option also sets the delay used to prevent the Tarantool garbage collector from removing write-ahead logs. The difference is that the garbage collector doesn't take into account `wal.cleanup_delay` if all the nodes in the replica set are up and running, which may lead to the removal of the required write-ahead logs.", "type": "number" } }, "type": "object" } }, "type": "object" }