# Configuration flags

etcd is configurable through a configuration file, various command-line flags, and environment variables.

A reusable configuration file is a YAML file containing the names and values of one or more of the command-line flags described below. In order to use this file, specify the file path as a value to the `--config-file` flag. The [sample configuration file][sample-config-file] can be used as a starting point to create a new configuration file as needed.

Options set on the command line take precedence over those from the environment. If a configuration file is provided, other command line flags and environment variables will be ignored.
For example, `etcd --config-file etcd.conf.yml.sample --data-dir /tmp` will ignore the `--data-dir` flag.

The environment variable for flag `--my-flag` is named `ETCD_MY_FLAG`. This format applies to all flags.

The [official etcd ports][iana-ports] are 2379 for client requests and 2380 for peer communication. The etcd ports can be set to accept TLS traffic, non-TLS traffic, or both TLS and non-TLS traffic.

To start etcd automatically using custom settings at startup in Linux, using a [systemd][systemd-intro] unit is highly recommended.

## Member flags

### --name
+ Human-readable name for this member.
+ default: "default"
+ env variable: ETCD_NAME
+ This value is referenced as this node's own entries listed in the `--initial-cluster` flag (e.g., `default=http://localhost:2380`). This needs to match the key used in the flag if using [static bootstrapping][build-cluster]. When using discovery, each member must have a unique name. `Hostname` or `machine-id` can be a good choice.

### --data-dir
+ Path to the data directory.
+ default: "${name}.etcd"
+ env variable: ETCD_DATA_DIR

### --wal-dir
+ Path to the dedicated wal directory. If this flag is set, etcd will write the WAL files to the walDir rather than the dataDir.
This allows a dedicated disk to be used, and helps avoid I/O competition between logging and other I/O operations.
+ default: ""
+ env variable: ETCD_WAL_DIR

### --snapshot-count
+ Number of committed transactions to trigger a snapshot to disk.
+ default: "100000"
+ env variable: ETCD_SNAPSHOT_COUNT

### --heartbeat-interval
+ Time (in milliseconds) of a heartbeat interval.
+ default: "100"
+ env variable: ETCD_HEARTBEAT_INTERVAL

### --election-timeout
+ Time (in milliseconds) for an election to timeout. See [Documentation/tuning.md][tuning] for details.
+ default: "1000"
+ env variable: ETCD_ELECTION_TIMEOUT

### --listen-peer-urls
+ List of URLs to listen on for peer traffic. This flag tells etcd to accept incoming requests from its peers on the specified scheme://IP:port combinations. Scheme can be either http or https. If 0.0.0.0 is specified as the IP, etcd listens to the given port on all interfaces. If an IP address is given as well as a port, etcd will listen on the given port and interface. Multiple URLs may be used to specify a number of addresses and ports to listen on. etcd will respond to requests from any of the listed addresses and ports.
+ default: "http://localhost:2380"
+ env variable: ETCD_LISTEN_PEER_URLS
+ example: "http://10.0.0.1:2380"
+ invalid example: "http://example.com:2380" (domain name is invalid for binding)

### --listen-client-urls
+ List of URLs to listen on for client traffic. This flag tells etcd to accept incoming requests from the clients on the specified scheme://IP:port combinations. Scheme can be either http or https. If 0.0.0.0 is specified as the IP, etcd listens to the given port on all interfaces. If an IP address is given as well as a port, etcd will listen on the given port and interface. Multiple URLs may be used to specify a number of addresses and ports to listen on. etcd will respond to requests from any of the listed addresses and ports.
+ default: "http://localhost:2379"
+ env variable: ETCD_LISTEN_CLIENT_URLS
+ example: "http://10.0.0.1:2379"
+ invalid example: "http://example.com:2379" (domain name is invalid for binding)

### --max-snapshots
+ Maximum number of snapshot files to retain (0 is unlimited)
+ default: 5
+ env variable: ETCD_MAX_SNAPSHOTS
+ The default for users on Windows is unlimited, and manual purging down to 5 (or some preference for safety) is recommended.

### --max-wals
+ Maximum number of wal files to retain (0 is unlimited)
+ default: 5
+ env variable: ETCD_MAX_WALS
+ The default for users on Windows is unlimited, and manual purging down to 5 (or some preference for safety) is recommended.

### --cors
+ Comma-separated white list of origins for CORS (cross-origin resource sharing).
+ default: ""
+ env variable: ETCD_CORS

### --quota-backend-bytes
+ Raise alarms when backend size exceeds the given quota (0 defaults to low space quota).
+ default: 0
+ env variable: ETCD_QUOTA_BACKEND_BYTES

### --max-txn-ops
+ Maximum number of operations permitted in a transaction.
+ default: 128
+ env variable: ETCD_MAX_TXN_OPS

### --max-request-bytes
+ Maximum client request size in bytes the server will accept.
+ default: 1572864
+ env variable: ETCD_MAX_REQUEST_BYTES

### --grpc-keepalive-min-time
+ Minimum duration interval that a client should wait before pinging server.
+ default: 5s
+ env variable: ETCD_GRPC_KEEPALIVE_MIN_TIME

### --grpc-keepalive-interval
+ Frequency duration of server-to-client ping to check if a connection is alive (0 to disable).
+ default: 2h
+ env variable: ETCD_GRPC_KEEPALIVE_INTERVAL

### --grpc-keepalive-timeout
+ Additional duration of wait before closing a non-responsive connection (0 to disable).
+ default: 20s
+ env variable: ETCD_GRPC_KEEPALIVE_TIMEOUT

## Clustering flags

`--initial` prefix flags are used in bootstrapping ([static bootstrap][build-cluster], [discovery-service bootstrap][discovery] or [runtime reconfiguration][reconfig]) a new member, and ignored when restarting an existing member.

`--discovery` prefix flags need to be set when using [discovery service][discovery].

### --initial-advertise-peer-urls

+ List of this member's peer URLs to advertise to the rest of the cluster. These addresses are used for communicating etcd data around the cluster. At least one must be routable to all cluster members. These URLs can contain domain names.
+ default: "http://localhost:2380"
+ env variable: ETCD_INITIAL_ADVERTISE_PEER_URLS
+ example: "http://example.com:2380, http://10.0.0.1:2380"

### --initial-cluster
+ Initial cluster configuration for bootstrapping.
+ default: "default=http://localhost:2380"
+ env variable: ETCD_INITIAL_CLUSTER
+ The key is the value of the `--name` flag for each node provided. The default uses `default` for the key because this is the default for the `--name` flag.

### --initial-cluster-state
+ Initial cluster state ("new" or "existing"). Set to `new` for all members present during initial static or DNS bootstrapping. If this option is set to `existing`, etcd will attempt to join the existing cluster. If the wrong value is set, etcd will attempt to start but fail safely.
+ default: "new"
+ env variable: ETCD_INITIAL_CLUSTER_STATE

[static bootstrap]: clustering.md#static

### --initial-cluster-token
+ Initial cluster token for the etcd cluster during bootstrap.
+ default: "etcd-cluster"
+ env variable: ETCD_INITIAL_CLUSTER_TOKEN

### --advertise-client-urls
+ List of this member's client URLs to advertise to the rest of the cluster. These URLs can contain domain names.
+ default: "http://localhost:2379"
+ env variable: ETCD_ADVERTISE_CLIENT_URLS
+ example: "http://example.com:2379, http://10.0.0.1:2379"
+ Be careful when advertising URLs such as http://localhost:2379 from a cluster member while using the proxy feature of etcd. This will cause loops, because the proxy will be forwarding requests to itself until its resources (memory, file descriptors) are eventually depleted.

### --discovery
+ Discovery URL used to bootstrap the cluster.
+ default: ""
+ env variable: ETCD_DISCOVERY

### --discovery-srv
+ DNS srv domain used to bootstrap the cluster.
+ default: ""
+ env variable: ETCD_DISCOVERY_SRV

### --discovery-fallback
+ Expected behavior ("exit" or "proxy") when the discovery service fails. "proxy" supports v2 API only.
+ default: "proxy"
+ env variable: ETCD_DISCOVERY_FALLBACK

### --discovery-proxy
+ HTTP proxy to use for traffic to discovery service.
+ default: ""
+ env variable: ETCD_DISCOVERY_PROXY

### --strict-reconfig-check
+ Reject reconfiguration requests that would cause quorum loss.
+ default: false
+ env variable: ETCD_STRICT_RECONFIG_CHECK

### --auto-compaction-retention
+ Auto compaction retention for mvcc key value store in hours. 0 means disable auto compaction.
+ default: 0
+ env variable: ETCD_AUTO_COMPACTION_RETENTION

### --auto-compaction-mode
+ Interpret 'auto-compaction-retention' as one of: periodic|revision. 'periodic' for duration based retention, defaulting to hours if no time unit is provided (e.g. '5m'). 'revision' for revision number based retention.
+ default: periodic
+ env variable: ETCD_AUTO_COMPACTION_MODE

### --enable-v2
+ Accept etcd V2 client requests
+ default: true
+ env variable: ETCD_ENABLE_V2

## Proxy flags

`--proxy` prefix flags configure etcd to run in [proxy mode][proxy]. "proxy" supports v2 API only.

### --proxy
+ Proxy mode setting ("off", "readonly" or "on").
+ default: "off"
+ env variable: ETCD_PROXY

### --proxy-failure-wait
+ Time (in milliseconds) an endpoint will be held in a failed state before being reconsidered for proxied requests.
+ default: 5000
+ env variable: ETCD_PROXY_FAILURE_WAIT

### --proxy-refresh-interval
+ Time (in milliseconds) of the endpoints refresh interval.
+ default: 30000
+ env variable: ETCD_PROXY_REFRESH_INTERVAL

### --proxy-dial-timeout
+ Time (in milliseconds) for a dial to timeout or 0 to disable the timeout
+ default: 1000
+ env variable: ETCD_PROXY_DIAL_TIMEOUT

### --proxy-write-timeout
+ Time (in milliseconds) for a write to timeout or 0 to disable the timeout.
+ default: 5000
+ env variable: ETCD_PROXY_WRITE_TIMEOUT

### --proxy-read-timeout
+ Time (in milliseconds) for a read to timeout or 0 to disable the timeout.
+ Don't change this value if using watches, because watches use long polling requests.
+ default: 0
+ env variable: ETCD_PROXY_READ_TIMEOUT

## Security flags

The security flags help to [build a secure etcd cluster][security].

### --ca-file

**DEPRECATED**

+ Path to the client server TLS CA file. `--ca-file ca.crt` could be replaced by `--trusted-ca-file ca.crt --client-cert-auth` and etcd will perform the same.
+ default: ""
+ env variable: ETCD_CA_FILE

### --cert-file
+ Path to the client server TLS cert file.
+ default: ""
+ env variable: ETCD_CERT_FILE

### --key-file
+ Path to the client server TLS key file.
+ default: ""
+ env variable: ETCD_KEY_FILE

### --client-cert-auth
+ Enable client cert authentication.
+ default: false
+ env variable: ETCD_CLIENT_CERT_AUTH

### --client-crl-file
+ Path to the client certificate revocation list file.
+ default: ""
+ env variable: ETCD_CLIENT_CRL_FILE

### --trusted-ca-file
+ Path to the client server TLS trusted CA cert file.
+ default: ""
+ env variable: ETCD_TRUSTED_CA_FILE

### --auto-tls
+ Client TLS using generated certificates
+ default: false
+ env variable: ETCD_AUTO_TLS

### --peer-ca-file

**DEPRECATED**

+ Path to the peer server TLS CA file. `--peer-ca-file ca.crt` could be replaced by `--peer-trusted-ca-file ca.crt --peer-client-cert-auth` and etcd will perform the same.
+ default: ""
+ env variable: ETCD_PEER_CA_FILE

### --peer-cert-file
+ Path to the peer server TLS cert file. This is the cert for peer-to-peer traffic, used both for server and client.
+ default: ""
+ env variable: ETCD_PEER_CERT_FILE

### --peer-key-file
+ Path to the peer server TLS key file. This is the key for peer-to-peer traffic, used both for server and client.
+ default: ""
+ env variable: ETCD_PEER_KEY_FILE

### --peer-client-cert-auth
+ Enable peer client cert authentication.
+ default: false
+ env variable: ETCD_PEER_CLIENT_CERT_AUTH

### --peer-crl-file
+ Path to the peer certificate revocation list file.
+ default: ""
+ env variable: ETCD_PEER_CRL_FILE

### --peer-trusted-ca-file
+ Path to the peer server TLS trusted CA file.
+ default: ""
+ env variable: ETCD_PEER_TRUSTED_CA_FILE

### --peer-auto-tls
+ Peer TLS using generated certificates
+ default: false
+ env variable: ETCD_PEER_AUTO_TLS

### --peer-cert-allowed-cn
+ Allowed CommonName for inter peer authentication.
+ default: none
+ env variable: ETCD_PEER_CERT_ALLOWED_CN

## Logging flags

### --debug
+ Drop the default log level to DEBUG for all subpackages.
+ default: false (INFO for all packages)
+ env variable: ETCD_DEBUG

### --log-package-levels
+ Set individual etcd subpackages to specific log levels.
An example being `etcdserver=WARNING,security=DEBUG`
+ default: "" (INFO for all packages)
+ env variable: ETCD_LOG_PACKAGE_LEVELS

## Unsafe flags

Please be CAUTIOUS when using unsafe flags because they will break the guarantees given by the consensus protocol.
For example, etcd may panic if other members in the cluster are still alive.
Follow the instructions when using these flags.

### --force-new-cluster
+ Force the creation of a new one-member cluster. It commits configuration changes that forcibly remove all existing members in the cluster and add itself. It needs to be set to [restore a backup][restore].
+ default: false
+ env variable: ETCD_FORCE_NEW_CLUSTER

## Miscellaneous flags

### --version
+ Print the version and exit.
+ default: false

### --config-file
+ Load server configuration from a file.
+ default: ""
+ example: [sample configuration file][sample-config-file]

## Profiling flags

### --enable-pprof
+ Enable runtime profiling data via HTTP server. Address is at client URL + "/debug/pprof/"
+ default: false

### --metrics
+ Set level of detail for exported metrics, specify 'extensive' to include histogram metrics.
+ default: basic

### --listen-metrics-urls
+ List of URLs to listen on for metrics.
+ default: ""

## Auth flags

### --auth-token
+ Specify a token type and token specific options, especially for JWT. Its format is "type,var1=val1,var2=val2,...". Possible type is 'simple' or 'jwt'. Possible variables are 'sign-method' for specifying a sign method of jwt (its possible values are 'ES256', 'ES384', 'ES512', 'HS256', 'HS384', 'HS512', 'RS256', 'RS384', 'RS512', 'PS256', 'PS384', or 'PS512'), 'pub-key' for specifying a path to a public key for verifying jwt, and 'priv-key' for specifying a path to a private key for signing jwt.
+ Example option of JWT: '--auth-token jwt,pub-key=app.rsa.pub,priv-key=app.rsa,sign-method=RS512'
+ default: "simple"

## Experimental flags

### --experimental-corrupt-check-time
+ Duration of time between cluster corruption check passes
+ default: 0s

[build-cluster]: clustering.md#static
[reconfig]: runtime-configuration.md
[discovery]: clustering.md#discovery
[iana-ports]: http://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.txt
[proxy]: ../v2/proxy.md
[restore]: ../v2/admin_guide.md#restoring-a-backup
[security]: security.md
[systemd-intro]: http://freedesktop.org/wiki/Software/systemd/
[tuning]: ../tuning.md#time-parameters
[sample-config-file]: ../../etcd.conf.yml.sample
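
The precedence rule and `ETCD_MY_FLAG` naming from the top of this page, applied to the security and profiling flags, as an added example (not part of the etcd documentation or code base). It resolves the effective value of a few flags from a command line and an environment, then reports listeners that accept plaintext, bind to 0.0.0.0, do not require client certificates, or use generated certificates. The function names and finding strings are this example's own, and only the `--flag` spellings shown on this page are handled.

```python
# Added example; defaults are copied from this page, finding text is illustrative.
DEFAULTS = {
    "listen-client-urls": "http://localhost:2379",
    "listen-peer-urls": "http://localhost:2380",
    "client-cert-auth": "false", "peer-client-cert-auth": "false",
    "trusted-ca-file": "", "peer-trusted-ca-file": "",
    "auto-tls": "false", "peer-auto-tls": "false", "enable-pprof": "false",
}
BOOLS = {f for f, d in DEFAULTS.items() if d == "false"}

def env_name(flag):
    """--my-flag -> ETCD_MY_FLAG, the naming rule stated on this page."""
    return "ETCD_" + flag.lstrip("-").upper().replace("-", "_")

def parse_argv(argv):
    """Handle --flag=value, --flag value, and bare boolean --flag."""
    flags, toks = {}, list(argv)
    while toks:
        name, sep, val = toks.pop(0).partition("=")
        if name.startswith("--"):
            if not sep:  # bare boolean, or the value is the next token
                val = "true" if name[2:] in BOOLS else (toks.pop(0) if toks else "")
            flags[name[2:]] = val
    return flags

def effective(argv, env):
    """Command line beats environment; environment beats the default."""
    cli = parse_argv(argv)
    if "config-file" in cli:
        raise ValueError("--config-file given: other flags and env are ignored")
    return {f: cli.get(f, env.get(env_name(f), d)) for f, d in DEFAULTS.items()}

def audit(cfg):
    on = lambda key: cfg[key].lower() in ("1", "t", "true")
    out = []
    for side, p in (("client", ""), ("peer", "peer-")):
        urls = [u.strip() for u in cfg[f"listen-{side}-urls"].split(",")]
        if not all(u.startswith("https://") for u in urls):
            out.append(f"{side}: plaintext http listener")
        if any("//0.0.0.0:" in u for u in urls):
            out.append(f"{side}: bound to all interfaces")
        if not (on(p + "client-cert-auth") and cfg[p + "trusted-ca-file"]):
            out.append(f"{side}: client certificates not required")
        if on(p + "auto-tls"):
            out.append(f"{side}: generated certificates in use")
    if on("enable-pprof"):
        out.append("pprof served under the client URL at /debug/pprof/")
    return out
```

Running `audit(effective([], {}))` shows what the documented defaults amount to: plaintext listeners on both ports and no certificate requirement on either.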