xen-orchestra/packages/xo-server/config.toml

# Vendor config: DO NOT TOUCH!
#
# See sample.config.toml to override.

datadir = '/var/lib/xo-server/data'

# Delay for which a resource is cached
resourceCacheDelay = '5m'

# Should users be created on first sign in?
#
# Necessary for external authentication providers.
createUserOnFirstSignin = true

# XAPI does not support chunked encoding in HTTP requests which is necessary
# when the content length is not know which is the case for many backup related
# operations in XO.
#
# It's possible to work-around this for VHDs  because it's possible to guess
# their size just by looking at the beginning of the stream.
#
# But it is a guess, not a certainty, it depends on how the VHDs are formatted
# by XenServer.
#
# This has been tested for 5 months, therefore it's enabled by default but can
# be disabled specifically for a user if necessary.
guessVhdSizeOnImport = true

# Whether API logs should contains the full request/response on
# errors.
#
# This is disabled by default for performance (lots of data) and
# security concerns (avoiding sensitive data in the logs) but can
# be turned for investigation by the administrator.
verboseApiLogsOnErrors = false

# if no events could be fetched during this delay, the server will be marked as disconnected
xapiMarkDisconnectedDelay = '5 minutes'

# https:#github.com/websockets/ws#websocket-compression
[apiWebSocketOptions]
perMessageDeflate = { threshold = 524288 } # 512kiB

[authentication]
defaultTokenValidity = '30 days'
maxTokenValidity = '0.5 year'

# 2020-09-29
# Helpful to smoothly transition from old to new LDAP plugin implementation
# See https://github.com/vatesfr/xen-orchestra/pull/5279
# This will be removed in 1 year
#
# When a user logs in using an authentication provider, but another user with the
# same username is found in XO:
# - if true: the 2 users will be merged
# - if false: the user will not be able to log in.
mergeProvidersUsers = true

# Default to `maxTokenValidity`
#permanentCookieValidity = '30 days'

# Default to `undefined`, ie as long as the browser is not restarted
#
# https://developer.mozilla.org/fr/docs/Web/HTTP/Headers/Set-Cookie#Session_cookie
#sessionCookieValidity = '10 hours'

# This is the page where unauthenticated users will be redirected to.
#
# For instance, it can be changed to `/signin/saml` if that's the provider that
# should be used by default.
defaultSignInPage = '/signin'

# Minimum delay between two password authentication attempts for a specific user.
#
# This is used to mitigate bruteforce attacks without being visible to users.
throttlingDelay = '2 seconds'

[backups]
disableMergeWorker = false

# Mode to use for newly created backup directories
#
# https://en.wikipedia.org/wiki/File-system_permissions#Numeric_notation
dirMode = 0o700
snapshotNameLabelTpl = '[XO Backup {job.name}] {vm.name_label}'

# Delay for which backups listing on a remote is cached
listingDebounce = '1 min'

# settings when using Vhd directories ( s3 , encryption )
# you should use 'none' if your fs is already compressed
# changing this setting will generate new full backups
vhdDirectoryCompression = 'brotli'

# how many block can be merged in parallel per backup running
# increase to increase performance, reduce if you have timeout during merge
mergeBlockConcurrency = 2

# how many block can be uploaded in parallel
# increase to in rease performance, reduce if you have timeout or memory error during transfer
writeBlockConcurrency = 16

# https://github.com/naugtur/blocked-at#params-and-return-value
[blockedAtOptions]
enabled = false
threshold = 1000

# Helmet handles HTTP security via headers
#
# https://helmetjs.github.io/docs/
#[http.helmet.hsts]
#includeSubDomains = false

# Each `http.listen.<name>` entry defines a specific listening configuration for
# the HTTP server.
#
# `<name>` can be freely choosen.
#
# Historically, `http.listen` was an array with the first config for HTTP and
# the second for HTTPS. To avoid breaking existing user configs, this convention
# is kept.
[http.listen.0]
port = 80

# These options are applied to all listen entries.
[http.listenOptions]

# Number of milliseconds allowed to receive the entire request.
#
# The default value changed from no limit to 5 minutes in Node 18.0 to mitigate
# Slowloris attacks.
#
# This breaks a number of XO use cases, for instance uploading a VDI via the
# REST API, therefore it's changed to 1 day.
#
# Completely disabled for now because it appears to be broken:
# https://github.com/nodejs/node/issues/46574
requestTimeout = 0

[http.mounts]
'/' = '../xo-web/dist'

[logs]
# Display all logs matching this filter, regardless of their level
#filter = 'xo:load-balancer'

# Display all logs with level >=, regardless of their namespace
level = 'info'

[logs.transport.console]

[plugins]

[remoteOptions]
mountsDir = '/run/xo-server/mounts'

# timeout in milliseconds (set to 0 to disable)
timeout = 600e3

# see https:#github.com/vatesfr/xen-orchestra/issues/3419
# useSudo = false

[selfService]

# If true, a snapshot of a Self Service VM will consume as much resources as a
# normal VM would
ignoreVmSnapshotResources = false

[xapiOptions]
# The duration XO will wait for a host to be live before assuming it failed to
# restart
restartHostTimeout = '20 minutes'
maxUncoalescedVdis = 1
vdiExportConcurrency = 12
vmEvacuationConcurrency = 3
vmExportConcurrency = 2
vmSnapshotConcurrency = 2

poolMarkingInterval = '6 hours'
poolMarkingMaxAge = '48 hours'
poolMarkingPrefix = 'xo:clientInfo:'

[xo-proxy]
callTimeout = '1 min'

channel = 'xo-proxy-appliance-{xoChannel}'

namespace = 'xoProxyAppliance'

proxyName = 'Proxy {date}'

licenseProductId = 'xo-proxy'

vmName = 'XOA Proxy {date}'

# The duration for which we can wait for the VM networks to be defined
vmNetworksTimeout = '5 min'

vmTag = 'XOA Proxy'

# The duration for which we can wait for the XOA to be upgraded
xoaUpgradeTimeout = '5 min'