Important: This documentation is about an older version. It's relevant only to the release noted; many of the features and functions have been updated or replaced. Please view the current version.

Pyroscope configuration parameters

You can configure Pyroscope by using a YAML file or via command-line flags that represent configuration parameters. To specify the YAML file, use the -config.file command-line option. If you specify both the command-line flags and YAML configuration parameters, the command-line flags take precedence over values in a YAML file.

To see the current configuration of any component, go to the /config HTTP API endpoint. Passwords are filtered out of this endpoint.

Parameters are written in YAML format, and brackets indicate that a parameter is optional.

Generic placeholders

  • <boolean>: a boolean that can take the values true or false
  • <int>: any integer matching the regular expression [1-9]+[0-9]*
  • <duration>: a duration matching the regular expression [0-9]+(ns|us|µs|ms|s|m|h|d|w|y) where y = 365 days
  • <string>: a string
  • <url>: a URL
  • <filepath>: a string containing an absolute or relative path and filename to a file on disk
  • <prefix>: a CLI flag prefix based on the context (look at the parent configuration block to see which CLI flags prefix should be used)
  • <relabel_config>: a Prometheus relabeling configuration
  • <time>: a timestamp, with available formats:
    • 2006-01-20 (midnight, local timezone)
    • 2006-01-20T15:04 (local timezone)
    • RFC 3339 formats: 2006-01-20T15:04:05Z (UTC) or 2006-01-20T15:04:05+07:00 (explicit timezone)

Use environment variables in the configuration

You can use environment variable references in the YAML configuration file to set values that need to be configurable during deployment. To do this, pass -config.expand-env=true on the command line and use ${VAR}, where VAR is the name of the environment variable.

Each variable reference is replaced at startup by the value of the environment variable. The replacement is case-sensitive and occurs before the YAML file is parsed. References to undefined variables are replaced by empty strings unless you specify a default value or custom error text.

To specify a default value, use ${VAR:default_value}, where default_value is the value to use if the environment variable is undefined.
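
The following Python code is an added example, not Pyroscope's own code. It models the substitution rules described above and checks a configuration before startup for references that would expand to an empty string, or whose value would change how the YAML parses once inserted as raw text. The variable names, sample configuration and environment are constructed, and treating a variable that is set but empty as defined is an assumption.

```python
import re

# ${VAR} or ${VAR:default_value}: the two reference forms documented above.
REF = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)(?::([^}]*))?\}")

# Substrings that change how a YAML line parses when a value is pasted in as
# raw text: a line break, the start of a comment, a nested "key: value".
YAML_RISKY = ("\n", " #", ": ")

# Constructed sample input. The keys are from the storage.cos block on this
# page; the environment variable names and values are made up.
SAMPLE_CONFIG = """\
storage:
  backend: cos
  cos:
    bucket: ${COS_BUCKET:profiles}
    secret_id: ${COS_SECRET_ID}
    secret_key: ${COS_SECRET_KEY}
    endpoint: ${cos_endpoint}
"""

SAMPLE_ENV = {
    "COS_SECRET_ID": "example-secret-id",
    "COS_SECRET_KEY": "example key #1",      # " #" starts a YAML comment
    "COS_ENDPOINT": "cos.example.internal",  # upper case; the file uses lower case
}


def expand(text, env):
    """Model of the documented expansion. It runs on the raw text, before any
    YAML parsing. Assumption: a variable set to "" counts as defined."""
    def repl(match):
        name, default = match.group(1), match.group(2)
        if name in env:
            return env[name]
        return default if default is not None else ""
    return REF.sub(repl, text)


def preflight(text, env):
    """Return (line_number, variable, problem) for each risky reference."""
    findings = []
    for number, line in enumerate(text.splitlines(), 1):
        for match in REF.finditer(line):
            name, default = match.group(1), match.group(2)
            if name not in env:
                if default is None:
                    findings.append(
                        (number, name, "undefined, expands to an empty string"))
                continue
            if any(token in env[name] for token in YAML_RISKY):
                findings.append(
                    (number, name, "value contains YAML-significant characters"))
    return findings


if __name__ == "__main__":
    for number, name, problem in preflight(SAMPLE_CONFIG, SAMPLE_ENV):
        print(f"line {number}: ${{{name}}}: {problem}")
    print(expand(SAMPLE_CONFIG, SAMPLE_ENV))
```

In the sample, the lower-case `${cos_endpoint}` reference does not match the upper-case variable and leaves `endpoint` empty, and the secret key would be cut off at ` #` when the expanded text is parsed.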

Configuration parameters

yaml
# Comma-separated list of Pyroscope modules to load. The alias 'all' can be used
# in the list to load a number of core modules and will enable single-binary
# mode.
# CLI flag: -target
[target: <string> | default = "all"]

api:
  # base URL for when the server is behind a reverse proxy with a different path
  # CLI flag: -api.base-url
  [base-url: <string> | default = ""]

# The server block configures the HTTP and gRPC server of the launched
# service(s).
[server: <server>]

# The distributor block configures the distributor.
[distributor: <distributor>]

# The querier block configures the querier.
[querier: <querier>]

# The query_frontend block configures the query-frontend.
[frontend: <query_frontend>]

# The frontend_worker block configures the frontend-worker.
[frontend_worker: <frontend_worker>]

limits:
  # Per-tenant ingestion rate limit in sample size per second. Units in MB.
  # CLI flag: -distributor.ingestion-rate-limit-mb
  [ingestion_rate_mb: <float> | default = 4]

  # Per-tenant allowed ingestion burst size (in sample size). Units in MB. The
  # burst size refers to the per-distributor local rate limiter, and should be
  # set at least to the maximum profile size expected in a single push request.
  # CLI flag: -distributor.ingestion-burst-size-mb
  [ingestion_burst_size_mb: <float> | default = 2]

  # Maximum length accepted for label names.
  # CLI flag: -validation.max-length-label-name
  [max_label_name_length: <int> | default = 1024]

  # Maximum length accepted for label value. This setting also applies to the
  # metric name.
  # CLI flag: -validation.max-length-label-value
  [max_label_value_length: <int> | default = 2048]

  # Maximum number of label names per series.
  # CLI flag: -validation.max-label-names-per-series
  [max_label_names_per_series: <int> | default = 30]

  # Maximum size of a profile in bytes. This is based off the uncompressed size.
  # 0 to disable.
  # CLI flag: -validation.max-profile-size-bytes
  [max_profile_size_bytes: <int> | default = 4194304]

  # Maximum number of samples in a profile. 0 to disable.
  # CLI flag: -validation.max-profile-stacktrace-samples
  [max_profile_stacktrace_samples: <int> | default = 16000]

  # Maximum number of labels in a profile sample. 0 to disable.
  # CLI flag: -validation.max-profile-stacktrace-sample-labels
  [max_profile_stacktrace_sample_labels: <int> | default = 100]

  # Maximum depth of a profile stacktrace. Profiles are not rejected; instead,
  # stacktraces are truncated. 0 to disable.
  # CLI flag: -validation.max-profile-stacktrace-depth
  [max_profile_stacktrace_depth: <int> | default = 1000]

  # Maximum length of a profile symbol value (labels, function names and
  # filenames, etc.). Profiles are not rejected; instead, symbol values are
  # truncated. 0 to disable.
  # CLI flag: -validation.max-profile-symbol-value-length
  [max_profile_symbol_value_length: <int> | default = 65535]

  # The tenant's shard size used by shuffle-sharding. Must be set both on
  # ingesters and distributors. 0 disables shuffle sharding.
  # CLI flag: -distributor.ingestion-tenant-shard-size
  [ingestion_tenant_shard_size: <int> | default = 0]

  # Maximum number of active series of profiles per tenant, per ingester. 0 to
  # disable.
  # CLI flag: -ingester.max-local-series-per-tenant
  [max_local_series_per_tenant: <int> | default = 0]

  # Maximum number of active series of profiles per tenant, across the cluster.
  # 0 to disable. When the global limit is enabled, each ingester is configured
  # with a dynamic local limit based on the replication factor and the current
  # number of healthy ingesters, and is kept updated whenever the number of
  # ingesters changes.
  # CLI flag: -ingester.max-global-series-per-tenant
  [max_global_series_per_tenant: <int> | default = 5000]

  # Limit how far back in profiling data can be queried, up until lookback
  # duration ago. This limit is enforced in the query frontend. If the requested
  # time range is outside the allowed range, the request will not fail, but will
  # be modified to only query data within the allowed time range. 0 to disable,
  # default to 7d.
  # CLI flag: -querier.max-query-lookback
  [max_query_lookback: <duration> | default = 1w]

  # The limit on the length of queries. 0 to disable.
  # CLI flag: -querier.max-query-length
  [max_query_length: <duration> | default = 1d]

  # Maximum number of queries that will be scheduled in parallel by the
  # frontend.
  # CLI flag: -querier.max-query-parallelism
  [max_query_parallelism: <int> | default = 0]

  # The tenant's shard size, used when store-gateway sharding is enabled. Value
  # of 0 disables shuffle sharding for the tenant, that is all tenant blocks are
  # sharded across all store-gateway replicas.
  # CLI flag: -store-gateway.tenant-shard-size
  [store_gateway_tenant_shard_size: <int> | default = 0]

  # Split queries by a time interval and execute in parallel. The value 0
  # disables splitting by time.
  # CLI flag: -querier.split-queries-by-interval
  [split_queries_by_interval: <duration> | default = 0s]

# The query_scheduler block configures the query-scheduler.
[query_scheduler: <query_scheduler>]

# The ingester block configures the ingester.
[ingester: <ingester>]

store_gateway:
  # The hash ring configuration.
  sharding_ring:
    # The key-value store used to share the hash ring across multiple instances.
    kvstore:
      # Backend storage to use for the ring. Supported values are: consul, etcd,
      # inmemory, memberlist, multi.
      # CLI flag: -store-gateway.sharding-ring.store
      [store: <string> | default = "memberlist"]

      # The prefix for the keys in the store. Should end with a /.
      # CLI flag: -store-gateway.sharding-ring.prefix
      [prefix: <string> | default = "collectors/"]

      consul:
        # Hostname and port of Consul.
        # CLI flag: -store-gateway.sharding-ring.consul.hostname
        [host: <string> | default = "localhost:8500"]

        # ACL Token used to interact with Consul.
        # CLI flag: -store-gateway.sharding-ring.consul.acl-token
        [acl_token: <string> | default = ""]

        # HTTP timeout when talking to Consul
        # CLI flag: -store-gateway.sharding-ring.consul.client-timeout
        [http_client_timeout: <duration> | default = 20s]

        # Enable consistent reads to Consul.
        # CLI flag: -store-gateway.sharding-ring.consul.consistent-reads
        [consistent_reads: <boolean> | default = false]

        # Rate limit when watching key or prefix in Consul, in requests per
        # second. 0 disables the rate limit.
        # CLI flag: -store-gateway.sharding-ring.consul.watch-rate-limit
        [watch_rate_limit: <float> | default = 1]

        # Burst size used in rate limit. Values less than 1 are treated as 1.
        # CLI flag: -store-gateway.sharding-ring.consul.watch-burst-size
        [watch_burst_size: <int> | default = 1]

        # Maximum duration to wait before retrying a Compare And Swap (CAS)
        # operation.
        # CLI flag: -store-gateway.sharding-ring.consul.cas-retry-delay
        [cas_retry_delay: <duration> | default = 1s]

      etcd:
        # The etcd endpoints to connect to.
        # CLI flag: -store-gateway.sharding-ring.etcd.endpoints
        [endpoints: <list of strings> | default = []]

        # The dial timeout for the etcd connection.
        # CLI flag: -store-gateway.sharding-ring.etcd.dial-timeout
        [dial_timeout: <duration> | default = 10s]

        # The maximum number of retries to do for failed ops.
        # CLI flag: -store-gateway.sharding-ring.etcd.max-retries
        [max_retries: <int> | default = 10]

        # Enable TLS.
        # CLI flag: -store-gateway.sharding-ring.etcd.tls-enabled
        [tls_enabled: <boolean> | default = false]

        # Path to the client certificate, which will be used for authenticating
        # with the server. Also requires the key path to be configured.
        # CLI flag: -store-gateway.sharding-ring.etcd.tls-cert-path
        [tls_cert_path: <string> | default = ""]

        # Path to the key for the client certificate. Also requires the client
        # certificate to be configured.
        # CLI flag: -store-gateway.sharding-ring.etcd.tls-key-path
        [tls_key_path: <string> | default = ""]

        # Path to the CA certificates to validate server certificate against. If
        # not set, the host's root CA certificates are used.
        # CLI flag: -store-gateway.sharding-ring.etcd.tls-ca-path
        [tls_ca_path: <string> | default = ""]

        # Override the expected name on the server certificate.
        # CLI flag: -store-gateway.sharding-ring.etcd.tls-server-name
        [tls_server_name: <string> | default = ""]

        # Skip validating server certificate.
        # CLI flag: -store-gateway.sharding-ring.etcd.tls-insecure-skip-verify
        [tls_insecure_skip_verify: <boolean> | default = false]

        # Override the default cipher suite list (separated by commas). Allowed
        # values:
        # 
        # Secure Ciphers:
        # - TLS_RSA_WITH_AES_128_CBC_SHA
        # - TLS_RSA_WITH_AES_256_CBC_SHA
        # - TLS_RSA_WITH_AES_128_GCM_SHA256
        # - TLS_RSA_WITH_AES_256_GCM_SHA384
        # - TLS_AES_128_GCM_SHA256
        # - TLS_AES_256_GCM_SHA384
        # - TLS_CHACHA20_POLY1305_SHA256
        # - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
        # - TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
        # - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
        # - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
        # - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
        # - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
        # - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        # - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        # - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
        # - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
        # 
        # Insecure Ciphers:
        # - TLS_RSA_WITH_RC4_128_SHA
        # - TLS_RSA_WITH_3DES_EDE_CBC_SHA
        # - TLS_RSA_WITH_AES_128_CBC_SHA256
        # - TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
        # - TLS_ECDHE_RSA_WITH_RC4_128_SHA
        # - TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
        # - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
        # - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
        # CLI flag: -store-gateway.sharding-ring.etcd.tls-cipher-suites
        [tls_cipher_suites: <string> | default = ""]

        # Override the default minimum TLS version. Allowed values:
        # VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13
        # CLI flag: -store-gateway.sharding-ring.etcd.tls-min-version
        [tls_min_version: <string> | default = ""]

        # Etcd username.
        # CLI flag: -store-gateway.sharding-ring.etcd.username
        [username: <string> | default = ""]

        # Etcd password.
        # CLI flag: -store-gateway.sharding-ring.etcd.password
        [password: <string> | default = ""]

      multi:
        # Primary backend storage used by multi-client.
        # CLI flag: -store-gateway.sharding-ring.multi.primary
        [primary: <string> | default = ""]

        # Secondary backend storage used by multi-client.
        # CLI flag: -store-gateway.sharding-ring.multi.secondary
        [secondary: <string> | default = ""]

        # Mirror writes to secondary store.
        # CLI flag: -store-gateway.sharding-ring.multi.mirror-enabled
        [mirror_enabled: <boolean> | default = false]

        # Timeout for storing value to secondary store.
        # CLI flag: -store-gateway.sharding-ring.multi.mirror-timeout
        [mirror_timeout: <duration> | default = 2s]

    # Period at which to heartbeat to the ring. 0 = disabled.
    # CLI flag: -store-gateway.sharding-ring.heartbeat-period
    [heartbeat_period: <duration> | default = 15s]

    # The heartbeat timeout after which store-gateways are considered unhealthy
    # within the ring. 0 = never (timeout disabled).
    # CLI flag: -store-gateway.sharding-ring.heartbeat-timeout
    [heartbeat_timeout: <duration> | default = 1m]

    # Instance ID to register in the ring.
    # CLI flag: -store-gateway.sharding-ring.instance-id
    [instance_id: <string> | default = "<hostname>"]

    # List of network interface names to look up when finding the instance IP
    # address.
    # CLI flag: -store-gateway.sharding-ring.instance-interface-names
    [instance_interface_names: <list of strings> | default = [<private network interfaces>]]

    # Port to advertise in the ring (defaults to -server.http-listen-port).
    # CLI flag: -store-gateway.sharding-ring.instance-port
    [instance_port: <int> | default = 0]

    # IP address to advertise in the ring. Default is auto-detected.
    # CLI flag: -store-gateway.sharding-ring.instance-addr
    [instance_addr: <string> | default = ""]

    # Enable using an IPv6 instance address. (default false)
    # CLI flag: -store-gateway.sharding-ring.instance-enable-ipv6
    [instance_enable_ipv6: <boolean> | default = false]

    # The replication factor to use when sharding blocks. This option needs to be
    # set on the store-gateway, querier and ruler when running in
    # microservices mode.
    # CLI flag: -store-gateway.sharding-ring.replication-factor
    [replication_factor: <int> | default = 1]

    # File path where tokens are stored. If empty, tokens are not stored at
    # shutdown and restored at startup.
    # CLI flag: -store-gateway.sharding-ring.tokens-file-path
    [tokens_file_path: <string> | default = ""]

    # True to enable zone-awareness and replicate blocks across different
    # availability zones. This option needs to be set on the store-gateway,
    # querier and ruler when running in microservices mode.
    # CLI flag: -store-gateway.sharding-ring.zone-awareness-enabled
    [zone_awareness_enabled: <boolean> | default = false]

    # Minimum time to wait for ring stability at startup, if set to positive
    # value.
    # CLI flag: -store-gateway.sharding-ring.wait-stability-min-duration
    [wait_stability_min_duration: <duration> | default = 0s]

    # Maximum time to wait for ring stability at startup. If the store-gateway
    # ring keeps changing after this period of time, the store-gateway will
    # start anyway.
    # CLI flag: -store-gateway.sharding-ring.wait-stability-max-duration
    [wait_stability_max_duration: <duration> | default = 5m]

    # The availability zone where this instance is running. Required if
    # zone-awareness is enabled.
    # CLI flag: -store-gateway.sharding-ring.instance-availability-zone
    [instance_availability_zone: <string> | default = ""]

    # Unregister from the ring upon clean shutdown.
    # CLI flag: -store-gateway.sharding-ring.unregister-on-shutdown
    [unregister_on_shutdown: <boolean> | default = true]

  bucket_store:
    # Directory to store synchronized pyroscope block headers. This directory is
    # not required to be persisted between restarts, but it's highly recommended
    # in order to improve the store-gateway startup time.
    # CLI flag: -blocks-storage.bucket-store.sync-dir
    [sync_dir: <string> | default = "./data/pyroscope-sync/"]

    # How frequently to scan the bucket, or to refresh the bucket index (if
    # enabled), in order to look for changes (new blocks shipped by ingesters
    # and blocks deleted by retention or compaction).
    # CLI flag: -blocks-storage.bucket-store.sync-interval
    [sync_interval: <duration> | default = 15m]

    # Maximum number of concurrent tenants synching blocks.
    # CLI flag: -blocks-storage.bucket-store.tenant-sync-concurrency
    [tenant_sync_concurrency: <int> | default = 10]

    # Blocks with minimum time within this duration are ignored, and not loaded
    # by store-gateway. Useful when used together with
    # -querier.query-store-after to prevent loading young blocks, because there
    # are usually many of them (depending on number of ingesters) and they are
    # not yet compacted. Negative values or 0 disable the filter.
    # CLI flag: -blocks-storage.bucket-store.ignore-blocks-within
    [ignore_blocks_within: <duration> | default = 2h]

# The memberlist block configures the Gossip memberlist.
[memberlist: <memberlist>]

pyroscopedb:
  # Directory used for local storage.
  # CLI flag: -pyroscopedb.data-path
  [data_path: <string> | default = "./data"]

  # Upper limit to the duration of a Pyroscope block.
  # CLI flag: -pyroscopedb.max-block-duration
  [max_block_duration: <duration> | default = 3h]

  # How big a single row group should be when uncompressed.
  # CLI flag: -pyroscopedb.row-group-target-size
  [row_group_target_size: <int> | default = 1342177280]

tracing:
  # Set to false to disable tracing.
  # CLI flag: -tracing.enabled
  [enabled: <boolean> | default = true]

runtime_config:
  # How often to check runtime config files.
  # CLI flag: -runtime-config.reload-period
  [period: <duration> | default = 10s]

  # Comma separated list of yaml files with the configuration that can be
  # updated at runtime. Runtime config files will be merged from left to right.
  # CLI flag: -runtime-config.file
  [file: <string> | default = ""]

storage:
  # Backend storage to use. Supported backends are: s3, gcs, azure, swift,
  # filesystem, cos.
  # CLI flag: -storage.backend
  [backend: <string> | default = "filesystem"]

  # The s3_backend block configures the connection to Amazon S3 object storage
  # backend.
  [s3: <s3_storage_backend>]

  # The gcs_backend block configures the connection to Google Cloud Storage
  # object storage backend.
  [gcs: <gcs_storage_backend>]

  # The azure_storage_backend block configures the connection to Azure object
  # storage backend.
  [azure: <azure_storage_backend>]

  # The swift_storage_backend block configures the connection to OpenStack
  # Object Storage (Swift) object storage backend.
  [swift: <swift_storage_backend>]

  cos:
    # COS bucket name
    # CLI flag: -storage.cos.bucket
    [bucket: <string> | default = ""]

    # COS region name
    # CLI flag: -storage.cos.region
    [region: <string> | default = ""]

    # COS app id
    # CLI flag: -storage.cos.app-id
    [app_id: <string> | default = ""]

    # COS storage endpoint
    # CLI flag: -storage.cos.endpoint
    [endpoint: <string> | default = ""]

    # COS secret key
    # CLI flag: -storage.cos.secret-key
    [secret_key: <string> | default = ""]

    # COS secret id
    # CLI flag: -storage.cos.secret-id
    [secret_id: <string> | default = ""]

    http:
      # The time an idle connection will remain idle before closing.
      # CLI flag: -storage.cos.http.idle-conn-timeout
      [idle_conn_timeout: <duration> | default = 1m30s]

      # The amount of time the client will wait for a server's response headers.
      # CLI flag: -storage.cos.http.response-header-timeout
      [response_header_timeout: <duration> | default = 2m]

      # If the client connects to COS via HTTPS and this option is enabled, the
      # client will accept any certificate and hostname.
      # CLI flag: -storage.cos.http.insecure-skip-verify
      [insecure_skip_verify: <boolean> | default = false]

      # Maximum time to wait for a TLS handshake. 0 means no limit.
      # CLI flag: -storage.cos.tls-handshake-timeout
      [tls_handshake_timeout: <duration> | default = 10s]

      # The time to wait for a server's first response headers after fully
      # writing the request headers if the request has an Expect header. 0 to
      # send the request body immediately.
      # CLI flag: -storage.cos.expect-continue-timeout
      [expect_continue_timeout: <duration> | default = 1s]

      # Maximum number of idle (keep-alive) connections across all hosts. 0
      # means no limit.
      # CLI flag: -storage.cos.max-idle-connections
      [max_idle_connections: <int> | default = 100]

      # Maximum number of idle (keep-alive) connections to keep per-host. If 0,
      # a built-in default value is used.
      # CLI flag: -storage.cos.max-idle-connections-per-host
      [max_idle_connections_per_host: <int> | default = 100]

      # Maximum number of connections per host. 0 means no limit.
      # CLI flag: -storage.cos.max-connections-per-host
      [max_connections_per_host: <int> | default = 0]

  # The filesystem_storage_backend block configures the usage of local file
  # system as object storage backend.
  [filesystem: <filesystem_storage_backend>]

  # Prefix for all objects stored in the backend storage. For simplicity, it may
  # only contain digits and English alphabet letters.
  # CLI flag: -storage.storage-prefix
  [storage_prefix: <string> | default = ""]

self_profiling:
  # When running in single binary (--target=all) Pyroscope will push (Go SDK)
  # profiles to itself. Set to true to disable self-profiling.
  # CLI flag: -self-profiling.disable-push
  [disable_push: <boolean> | default = false]

  # CLI flag: -self-profiling.mutex-profile-fraction
  [mutex_profile_fraction: <int> | default = 5]

  # CLI flag: -self-profiling.block-profile-rate
  [block_profile_rate: <int> | default = 5]

# When set to true, incoming HTTP requests must specify tenant ID in HTTP
# X-Scope-OrgId header. When set to false, tenant ID anonymous is used instead.
# CLI flag: -auth.multitenancy-enabled
[multitenancy_enabled: <boolean> | default = false]

analytics:
  # Enable anonymous usage reporting.
  # CLI flag: -usage-stats.enabled
  [reporting_enabled: <boolean> | default = true]

server

The server block configures the HTTP and gRPC server of the launched service(s).

yaml
# HTTP server listen network, default tcp
# CLI flag: -server.http-listen-network
[http_listen_network: <string> | default = "tcp"]

# HTTP server listen address.
# CLI flag: -server.http-listen-address
[http_listen_address: <string> | default = ""]

# HTTP server listen port.
# CLI flag: -server.http-listen-port
[http_listen_port: <int> | default = 4040]

# Maximum number of simultaneous HTTP connections, <=0 to disable
# CLI flag: -server.http-conn-limit
[http_listen_conn_limit: <int> | default = 0]

# gRPC server listen network
# CLI flag: -server.grpc-listen-network
[grpc_listen_network: <string> | default = "tcp"]

# gRPC server listen address.
# CLI flag: -server.grpc-listen-address
[grpc_listen_address: <string> | default = ""]

# gRPC server listen port.
# CLI flag: -server.grpc-listen-port
[grpc_listen_port: <int> | default = 9095]

# Maximum number of simultaneous gRPC connections, <=0 to disable
# CLI flag: -server.grpc-conn-limit
[grpc_listen_conn_limit: <int> | default = 0]

# Comma-separated list of cipher suites to use. If blank, the default Go cipher
# suites are used.
# CLI flag: -server.tls-cipher-suites
[tls_cipher_suites: <string> | default = ""]

# Minimum TLS version to use. Allowed values: VersionTLS10, VersionTLS11,
# VersionTLS12, VersionTLS13. If blank, the Go TLS minimum version is used.
# CLI flag: -server.tls-min-version
[tls_min_version: <string> | default = ""]

http_tls_config:
  # Server TLS certificate. This configuration parameter is YAML only.
  [cert: <string> | default = ""]

  # Server TLS key. This configuration parameter is YAML only.
  [key: <string> | default = ""]

  # Root certificate authority used to verify client certificates. This
  # configuration parameter is YAML only.
  [client_ca: <string> | default = ""]

  # HTTP server cert path.
  # CLI flag: -server.http-tls-cert-path
  [cert_file: <string> | default = ""]

  # HTTP server key path.
  # CLI flag: -server.http-tls-key-path
  [key_file: <string> | default = ""]

  # HTTP TLS Client Auth type.
  # CLI flag: -server.http-tls-client-auth
  [client_auth_type: <string> | default = ""]

  # HTTP TLS Client CA path.
  # CLI flag: -server.http-tls-ca-path
  [client_ca_file: <string> | default = ""]

grpc_tls_config:
  # Server TLS certificate. This configuration parameter is YAML only.
  [cert: <string> | default = ""]

  # Server TLS key. This configuration parameter is YAML only.
  [key: <string> | default = ""]

  # Root certificate authority used to verify client certificates. This
  # configuration parameter is YAML only.
  [client_ca: <string> | default = ""]

  # GRPC TLS server cert path.
  # CLI flag: -server.grpc-tls-cert-path
  [cert_file: <string> | default = ""]

  # GRPC TLS server key path.
  # CLI flag: -server.grpc-tls-key-path
  [key_file: <string> | default = ""]

  # GRPC TLS Client Auth type.
  # CLI flag: -server.grpc-tls-client-auth
  [client_auth_type: <string> | default = ""]

  # GRPC TLS Client CA path.
  # CLI flag: -server.grpc-tls-ca-path
  [client_ca_file: <string> | default = ""]

# Register the instrumentation handlers (/metrics etc).
# CLI flag: -server.register-instrumentation
[register_instrumentation: <boolean> | default = true]

# Timeout for graceful shutdowns
# CLI flag: -server.graceful-shutdown-timeout
[graceful_shutdown_timeout: <duration> | default = 30s]

# Read timeout for HTTP server
# CLI flag: -server.http-read-timeout
[http_server_read_timeout: <duration> | default = 30s]

# Write timeout for HTTP server
# CLI flag: -server.http-write-timeout
[http_server_write_timeout: <duration> | default = 30s]

# Idle timeout for HTTP server
# CLI flag: -server.http-idle-timeout
[http_server_idle_timeout: <duration> | default = 2m]

# Limit on the size of a gRPC message this server can receive (bytes).
# CLI flag: -server.grpc-max-recv-msg-size-bytes
[grpc_server_max_recv_msg_size: <int> | default = 4194304]

# Limit on the size of a gRPC message this server can send (bytes).
# CLI flag: -server.grpc-max-send-msg-size-bytes
[grpc_server_max_send_msg_size: <int> | default = 4194304]

# Limit on the number of concurrent streams for gRPC calls (0 = unlimited)
# CLI flag: -server.grpc-max-concurrent-streams
[grpc_server_max_concurrent_streams: <int> | default = 100]

# The duration after which an idle connection should be closed. Default:
# infinity
# CLI flag: -server.grpc.keepalive.max-connection-idle
[grpc_server_max_connection_idle: <duration> | default = 2562047h47m16.854775807s]

# The duration for the maximum amount of time a connection may exist before it
# will be closed. Default: infinity
# CLI flag: -server.grpc.keepalive.max-connection-age
[grpc_server_max_connection_age: <duration> | default = 2562047h47m16.854775807s]

# An additive period after max-connection-age after which the connection will be
# forcibly closed. Default: infinity
# CLI flag: -server.grpc.keepalive.max-connection-age-grace
[grpc_server_max_connection_age_grace: <duration> | default = 2562047h47m16.854775807s]

# Duration after which a keepalive probe is sent in case of no activity over the
# connection. Default: 2h
# CLI flag: -server.grpc.keepalive.time
[grpc_server_keepalive_time: <duration> | default = 2h]

# After having pinged for keepalive check, the duration after which an idle
# connection should be closed. Default: 20s
# CLI flag: -server.grpc.keepalive.timeout
[grpc_server_keepalive_timeout: <duration> | default = 20s]

# Minimum amount of time a client should wait before sending a keepalive ping.
# If client sends keepalive ping more often, server will send GOAWAY and close
# the connection.
# CLI flag: -server.grpc.keepalive.min-time-between-pings
[grpc_server_min_time_between_pings: <duration> | default = 5m]

# If true, server allows keepalive pings even when there are no active
# streams (RPCs). If false, and client sends ping when there are no active
# streams, server will send GOAWAY and close the connection.
# CLI flag: -server.grpc.keepalive.ping-without-stream-allowed
[grpc_server_ping_without_stream_allowed: <boolean> | default = false]

# Output log messages in the given format. Valid formats: [logfmt, json]
# CLI flag: -log.format
[log_format: <string> | default = "logfmt"]

# Only log messages with the given severity or above. Valid levels: [debug,
# info, warn, error]
# CLI flag: -log.level
[log_level: <string> | default = "info"]

# Optionally log the source IPs.
# CLI flag: -server.log-source-ips-enabled
[log_source_ips_enabled: <boolean> | default = false]

# Header field storing the source IPs. Only used if
# server.log-source-ips-enabled is true. If not set the default Forwarded,
# X-Real-IP and X-Forwarded-For headers are used
# CLI flag: -server.log-source-ips-header
[log_source_ips_header: <string> | default = ""]

# Regex for matching the source IPs. Only used if server.log-source-ips-enabled
# is true. If not set the default Forwarded, X-Real-IP and X-Forwarded-For
# headers are used
# CLI flag: -server.log-source-ips-regex
[log_source_ips_regex: <string> | default = ""]

# Optionally log request headers.
# CLI flag: -server.log-request-headers
[log_request_headers: <boolean> | default = false]

# Optionally log requests at info level instead of debug level. Applies to
# request headers as well if server.log-request-headers is enabled.
# CLI flag: -server.log-request-at-info-level-enabled
[log_request_at_info_level_enabled: <boolean> | default = false]

# Comma separated list of headers to exclude from logging. Only used if
# server.log-request-headers is true.
# CLI flag: -server.log-request-headers-exclude-list
[log_request_exclude_headers_list: <string> | default = ""]

# Base path to serve all API routes from (e.g. /v1/)
# CLI flag: -server.path-prefix
[http_path_prefix: <string> | default = ""]
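
The following Python code is an added example, not part of Pyroscope. It audits a configuration file for the weak TLS settings that the reference above makes possible: certificate verification skipped (`tls_insecure_skip_verify`, `insecure_skip_verify`), a `tls_min_version` of VersionTLS10 or VersionTLS11, and any `tls_cipher_suites` entry from the list this page labels "Insecure Ciphers". The sample configuration is constructed, and the small line scanner handles only nested mappings with scalar values.

```python
# Cipher suites this page lists under "Insecure Ciphers".
INSECURE_CIPHERS = {
    "TLS_RSA_WITH_RC4_128_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
    "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
    "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
}
OLD_TLS = {"VersionTLS10", "VersionTLS11"}  # protocol versions deprecated by RFC 8996
SKIP_VERIFY_KEYS = {"tls_insecure_skip_verify", "insecure_skip_verify"}

# Constructed sample input using keys documented on this page.
SAMPLE_CONFIG = """\
server:
  http_listen_port: 4040
  tls_min_version: VersionTLS10
  tls_cipher_suites: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_3DES_EDE_CBC_SHA"
store_gateway:
  sharding_ring:
    kvstore:
      store: etcd
      etcd:
        tls_enabled: true
        tls_insecure_skip_verify: true
        tls_min_version: VersionTLS12
storage:
  backend: cos
  cos:
    http:
      insecure_skip_verify: false
"""


def leaves(text):
    """Yield (dotted_path, value) for every `key: value` line of a block-style
    YAML mapping. Not a general YAML parser: lists, multi-line scalars and
    quoted strings containing " #" are out of scope."""
    stack = []  # (indent, key) of each enclosing mapping
    for raw in text.splitlines():
        line = raw.split(" #", 1)[0].rstrip()  # drop trailing comments
        if not line.strip() or line.lstrip().startswith("#") or ":" not in line:
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack and stack[-1][0] >= indent:
            stack.pop()
        value = value.strip().strip("\"'")
        if value:
            yield ".".join([k for _, k in stack] + [key]), value
        else:
            stack.append((indent, key))  # a nested mapping starts here


def audit(text):
    """Return (path, problem) for each weak TLS setting found."""
    findings = []
    for path, value in leaves(text):
        key = path.rsplit(".", 1)[-1]
        if key in SKIP_VERIFY_KEYS and value.lower() == "true":
            findings.append((path, "server certificate is not validated"))
        elif key == "tls_min_version" and value in OLD_TLS:
            findings.append((path, f"{value} allows a deprecated protocol version"))
        elif key == "tls_cipher_suites":
            configured = {suite.strip() for suite in value.split(",")}
            weak = sorted(configured & INSECURE_CIPHERS)
            if weak:
                findings.append((path, "insecure cipher suites: " + ", ".join(weak)))
    return findings


if __name__ == "__main__":
    for path, problem in audit(SAMPLE_CONFIG):
        print(f"{path}: {problem}")
```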

distributor

The distributor block configures the distributor.

yaml
# Timeout when pushing data to ingester.
# CLI flag: -distributor.push.timeout
[pushtimeout: <duration> | default = 5s]

pool_config:
  # How frequently to clean up clients for ingesters that have gone away.
  # CLI flag: -distributor.client-cleanup-period
  [client_cleanup_period: <duration> | default = 15s]

  # Run a health check on each ingester client during periodic cleanup.
  # CLI flag: -distributor.health-check-ingesters
  [health_check_ingesters: <boolean> | default = true]

  # Timeout for ingester client healthcheck RPCs.
  # CLI flag: -distributor.health-check-timeout
  [remote_timeout: <duration> | default = 5s]

ingester

The ingester block configures the ingester.

lifecycler:
  ring:
    kvstore:
      # Backend storage to use for the ring. Supported values are: consul, etcd,
      # inmemory, memberlist, multi.
      # CLI flag: -ring.store
      [store: <string> | default = "consul"]

      # The prefix for the keys in the store. Should end with a /.
      # CLI flag: -ring.prefix
      [prefix: <string> | default = "collectors/"]

      consul:
        # Hostname and port of Consul.
        # CLI flag: -consul.hostname
        [host: <string> | default = "localhost:8500"]

        # ACL Token used to interact with Consul.
        # CLI flag: -consul.acl-token
        [acl_token: <string> | default = ""]

        # HTTP timeout when talking to Consul
        # CLI flag: -consul.client-timeout
        [http_client_timeout: <duration> | default = 20s]

        # Enable consistent reads to Consul.
        # CLI flag: -consul.consistent-reads
        [consistent_reads: <boolean> | default = false]

        # Rate limit when watching key or prefix in Consul, in requests per
        # second. 0 disables the rate limit.
        # CLI flag: -consul.watch-rate-limit
        [watch_rate_limit: <float> | default = 1]

        # Burst size used in rate limit. Values less than 1 are treated as 1.
        # CLI flag: -consul.watch-burst-size
        [watch_burst_size: <int> | default = 1]

        # Maximum duration to wait before retrying a Compare And Swap (CAS)
        # operation.
        # CLI flag: -consul.cas-retry-delay
        [cas_retry_delay: <duration> | default = 1s]

      etcd:
        # The etcd endpoints to connect to.
        # CLI flag: -etcd.endpoints
        [endpoints: <list of strings> | default = []]

        # The dial timeout for the etcd connection.
        # CLI flag: -etcd.dial-timeout
        [dial_timeout: <duration> | default = 10s]

        # The maximum number of retries to do for failed ops.
        # CLI flag: -etcd.max-retries
        [max_retries: <int> | default = 10]

        # Enable TLS.
        # CLI flag: -etcd.tls-enabled
        [tls_enabled: <boolean> | default = false]

        # Path to the client certificate, which will be used for authenticating
        # with the server. Also requires the key path to be configured.
        # CLI flag: -etcd.tls-cert-path
        [tls_cert_path: <string> | default = ""]

        # Path to the key for the client certificate. Also requires the client
        # certificate to be configured.
        # CLI flag: -etcd.tls-key-path
        [tls_key_path: <string> | default = ""]

        # Path to the CA certificates to validate server certificate against. If
        # not set, the host's root CA certificates are used.
        # CLI flag: -etcd.tls-ca-path
        [tls_ca_path: <string> | default = ""]

        # Override the expected name on the server certificate.
        # CLI flag: -etcd.tls-server-name
        [tls_server_name: <string> | default = ""]

        # Skip validating server certificate.
        # CLI flag: -etcd.tls-insecure-skip-verify
        [tls_insecure_skip_verify: <boolean> | default = false]

        # Override the default cipher suite list (separated by commas). Allowed
        # values:
        # 
        # Secure Ciphers:
        # - TLS_RSA_WITH_AES_128_CBC_SHA
        # - TLS_RSA_WITH_AES_256_CBC_SHA
        # - TLS_RSA_WITH_AES_128_GCM_SHA256
        # - TLS_RSA_WITH_AES_256_GCM_SHA384
        # - TLS_AES_128_GCM_SHA256
        # - TLS_AES_256_GCM_SHA384
        # - TLS_CHACHA20_POLY1305_SHA256
        # - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
        # - TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
        # - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
        # - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
        # - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
        # - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
        # - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        # - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        # - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
        # - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
        # 
        # Insecure Ciphers:
        # - TLS_RSA_WITH_RC4_128_SHA
        # - TLS_RSA_WITH_3DES_EDE_CBC_SHA
        # - TLS_RSA_WITH_AES_128_CBC_SHA256
        # - TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
        # - TLS_ECDHE_RSA_WITH_RC4_128_SHA
        # - TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
        # - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
        # - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
        # CLI flag: -etcd.tls-cipher-suites
        [tls_cipher_suites: <string> | default = ""]

        # Override the default minimum TLS version. Allowed values:
        # VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13
        # CLI flag: -etcd.tls-min-version
        [tls_min_version: <string> | default = ""]

        # Etcd username.
        # CLI flag: -etcd.username
        [username: <string> | default = ""]

        # Etcd password.
        # CLI flag: -etcd.password
        [password: <string> | default = ""]

      multi:
        # Primary backend storage used by multi-client.
        # CLI flag: -multi.primary
        [primary: <string> | default = ""]

        # Secondary backend storage used by multi-client.
        # CLI flag: -multi.secondary
        [secondary: <string> | default = ""]

        # Mirror writes to secondary store.
        # CLI flag: -multi.mirror-enabled
        [mirror_enabled: <boolean> | default = false]

        # Timeout for storing value to secondary store.
        # CLI flag: -multi.mirror-timeout
        [mirror_timeout: <duration> | default = 2s]

    # The heartbeat timeout after which ingesters are skipped for reads/writes.
    # 0 = never (timeout disabled).
    # CLI flag: -ring.heartbeat-timeout
    [heartbeat_timeout: <duration> | default = 1m]

    # The number of ingesters to write to and read from.
    # CLI flag: -distributor.replication-factor
    [replication_factor: <int> | default = 1]

    # True to enable the zone-awareness and replicate ingested samples across
    # different availability zones.
    # CLI flag: -distributor.zone-awareness-enabled
    [zone_awareness_enabled: <boolean> | default = false]

    # Comma-separated list of zones to exclude from the ring. Instances in
    # excluded zones will be filtered out from the ring.
    # CLI flag: -distributor.excluded-zones
    [excluded_zones: <string> | default = ""]

  # Number of tokens for each ingester.
  # CLI flag: -ingester.num-tokens
  [num_tokens: <int> | default = 128]

  # Period at which to heartbeat to Consul. 0 = disabled.
  # CLI flag: -ingester.heartbeat-period
  [heartbeat_period: <duration> | default = 5s]

  # Heartbeat timeout after which instance is assumed to be unhealthy. 0 =
  # disabled.
  # CLI flag: -ingester.heartbeat-timeout
  [heartbeat_timeout: <duration> | default = 1m]

  # Observe tokens after generating to resolve collisions. Useful when using
  # gossiping ring.
  # CLI flag: -ingester.observe-period
  [observe_period: <duration> | default = 0s]

  # Period to wait for a claim from another member; will join automatically
  # after this.
  # CLI flag: -ingester.join-after
  [join_after: <duration> | default = 0s]

  # Minimum duration to wait after the internal readiness checks have passed but
  # before succeeding the readiness endpoint. This is used to slow down
  # deployment controllers (e.g. Kubernetes) after an instance is ready and
  # before they proceed with a rolling update, to give the rest of the cluster
  # instances enough time to receive ring updates.
  # CLI flag: -ingester.min-ready-duration
  [min_ready_duration: <duration> | default = 15s]

  # Name of network interface to read address from.
  # CLI flag: -ingester.lifecycler.interface
  [interface_names: <list of strings> | default = [<private network interfaces>]]

  # Enable IPv6 support. Required to make use of IP addresses from IPv6
  # interfaces.
  # CLI flag: -ingester.enable-inet6
  [enable_inet6: <boolean> | default = false]

  # Duration to sleep for before exiting, to ensure metrics are scraped.
  # CLI flag: -ingester.final-sleep
  [final_sleep: <duration> | default = 0s]

  # File path where tokens are stored. If empty, tokens are not stored at
  # shutdown and restored at startup.
  # CLI flag: -ingester.tokens-file-path
  [tokens_file_path: <string> | default = ""]

  # The availability zone where this instance is running.
  # CLI flag: -ingester.availability-zone
  [availability_zone: <string> | default = ""]

  # Unregister from the ring upon clean shutdown. It can be useful to disable
  # for rolling restarts with consistent naming in conjunction with
  # -distributor.extend-writes=false.
  # CLI flag: -ingester.unregister-on-shutdown
  [unregister_on_shutdown: <boolean> | default = true]

  # When enabled the readiness probe succeeds only after all instances are
  # ACTIVE and healthy in the ring, otherwise only the instance itself is
  # checked. This option should be disabled if in your cluster multiple
  # instances can be rolled out simultaneously, otherwise rolling updates may be
  # slowed down.
  # CLI flag: -ingester.readiness-check-ring-health
  [readiness_check_ring_health: <boolean> | default = true]

  # IP address to advertise in the ring.
  # CLI flag: -ingester.lifecycler.addr
  [address: <string> | default = ""]

  # Port to advertise in Consul (defaults to server.grpc-listen-port).
  # CLI flag: -ingester.lifecycler.port
  [port: <int> | default = 0]

  # ID to register in the ring.
  # CLI flag: -ingester.lifecycler.ID
  [id: <string> | default = "<hostname>"]

querier

The querier block configures the querier.

pool_config:
  # How frequently to clean up clients for ingesters that have gone away.
  # CLI flag: -querier.client-cleanup-period
  [client_cleanup_period: <duration> | default = 15s]

  # Run a health check on each ingester client during periodic cleanup.
  # CLI flag: -querier.health-check-ingesters
  [health_check_ingesters: <boolean> | default = true]

  # Timeout for ingester client healthcheck RPCs.
  # CLI flag: -querier.health-check-timeout
  [remote_timeout: <duration> | default = 5s]

# The time after which a metric should be queried from storage and not just
# ingesters. 0 means all queries are sent to store. If this option is enabled,
# the time range of the query sent to the store-gateway will be manipulated to
# ensure the query end is not more recent than 'now - query-store-after'.
# CLI flag: -querier.query-store-after
[query_store_after: <duration> | default = 4h]

query_frontend

The query_frontend block configures the query-frontend.

# Number of concurrent workers forwarding queries to single query-scheduler.
# CLI flag: -query-frontend.scheduler-worker-concurrency
[scheduler_worker_concurrency: <int> | default = 5]

# Configures the gRPC client used to communicate between the query-frontends and
# the query-schedulers.
# The CLI flags prefix for this block configuration is:
# query-frontend.grpc-client-config
[grpc_client_config: <grpc_client>]

# List of network interface names to look up when finding the instance IP
# address. This address is sent to query-scheduler and querier, which uses it to
# send the query response back to query-frontend.
# CLI flag: -query-frontend.instance-interface-names
[instance_interface_names: <list of strings> | default = [<private network interfaces>]]

# IP address to advertise to the querier (via scheduler) (default is
# auto-detected from network interfaces).
# CLI flag: -query-frontend.instance-addr
[address: <string> | default = ""]

frontend_worker

The frontend_worker block configures the frontend-worker.

# Querier ID, sent to the query-frontend to identify requests from the same
# querier. Defaults to hostname.
# CLI flag: -querier.id
[id: <string> | default = ""]

# Configures the gRPC client used to communicate between the queriers and the
# query-frontends / query-schedulers.
# The CLI flags prefix for this block configuration is: querier.frontend-client
[grpc_client_config: <grpc_client>]

# The maximum number of concurrent queries allowed.
# CLI flag: -querier.max-concurrent
[max_concurrent: <int> | default = 4]

query_scheduler

The query_scheduler block configures the query-scheduler.

# Maximum number of outstanding requests per tenant per query-scheduler.
# In-flight requests above this limit will fail with HTTP response status code
# 429.
# CLI flag: -query-scheduler.max-outstanding-requests-per-tenant
[max_outstanding_requests_per_tenant: <int> | default = 100]

# If a querier disconnects without sending notification about graceful shutdown,
# the query-scheduler will keep the querier in the tenant's shard until the
# forget delay has passed. This feature is useful to reduce the blast radius
# when shuffle-sharding is enabled.
# CLI flag: -query-scheduler.querier-forget-delay
[querier_forget_delay: <duration> | default = 0s]

# This configures the gRPC client used to report errors back to the
# query-frontend.
# The CLI flags prefix for this block configuration is:
# query-scheduler.grpc-client-config
[grpc_client_config: <grpc_client>]

# The maximum number of query-scheduler instances to use, regardless of how many
# replicas are running. This option can be set only when
# -query-scheduler.service-discovery-mode is set to 'ring'. 0 to use all
# available query-scheduler instances.
# CLI flag: -query-scheduler.max-used-instances
[max_used_instances: <int> | default = 0]

grpc_client

The grpc_client block configures the gRPC client used to communicate between two Pyroscope components. The supported CLI flags <prefix> used to reference this configuration block are:

  • querier.frontend-client
  • query-frontend.grpc-client-config
  • query-scheduler.grpc-client-config

 

# gRPC client max receive message size (bytes).
# CLI flag: -<prefix>.grpc-max-recv-msg-size
[max_recv_msg_size: <int> | default = 104857600]

# gRPC client max send message size (bytes).
# CLI flag: -<prefix>.grpc-max-send-msg-size
[max_send_msg_size: <int> | default = 104857600]

# Use compression when sending messages. Supported values are: 'gzip', 'snappy'
# and '' (disable compression)
# CLI flag: -<prefix>.grpc-compression
[grpc_compression: <string> | default = ""]

# Rate limit for gRPC client; 0 means disabled.
# CLI flag: -<prefix>.grpc-client-rate-limit
[rate_limit: <float> | default = 0]

# Rate limit burst for gRPC client.
# CLI flag: -<prefix>.grpc-client-rate-limit-burst
[rate_limit_burst: <int> | default = 0]

# Enable backoff and retry when we hit rate limits.
# CLI flag: -<prefix>.backoff-on-ratelimits
[backoff_on_ratelimits: <boolean> | default = false]

backoff_config:
  # Minimum delay when backing off.
  # CLI flag: -<prefix>.backoff-min-period
  [min_period: <duration> | default = 100ms]

  # Maximum delay when backing off.
  # CLI flag: -<prefix>.backoff-max-period
  [max_period: <duration> | default = 10s]

  # Number of times to backoff and retry before failing.
  # CLI flag: -<prefix>.backoff-retries
  [max_retries: <int> | default = 10]

# Initial stream window size. Values less than the default are not supported and
# are ignored. Setting this to a value other than the default disables the BDP
# estimator.
# CLI flag: -<prefix>.initial-stream-window-size
[initial_stream_window_size: <int> | default = 63KiB1023B]

# Initial connection window size. Values less than the default are not supported
# and are ignored. Setting this to a value other than the default disables the
# BDP estimator.
# CLI flag: -<prefix>.initial-connection-window-size
[initial_connection_window_size: <int> | default = 63KiB1023B]

# Enable TLS in the gRPC client. This flag needs to be enabled when any other
# TLS flag is set. If set to false, insecure connection to gRPC server will be
# used.
# CLI flag: -<prefix>.tls-enabled
[tls_enabled: <boolean> | default = false]

# Path to the client certificate, which will be used for authenticating with the
# server. Also requires the key path to be configured.
# CLI flag: -<prefix>.tls-cert-path
[tls_cert_path: <string> | default = ""]

# Path to the key for the client certificate. Also requires the client
# certificate to be configured.
# CLI flag: -<prefix>.tls-key-path
[tls_key_path: <string> | default = ""]

# Path to the CA certificates to validate server certificate against. If not
# set, the host's root CA certificates are used.
# CLI flag: -<prefix>.tls-ca-path
[tls_ca_path: <string> | default = ""]

# Override the expected name on the server certificate.
# CLI flag: -<prefix>.tls-server-name
[tls_server_name: <string> | default = ""]

# Skip validating server certificate.
# CLI flag: -<prefix>.tls-insecure-skip-verify
[tls_insecure_skip_verify: <boolean> | default = false]

# Override the default cipher suite list (separated by commas). Allowed values:
# 
# Secure Ciphers:
# - TLS_RSA_WITH_AES_128_CBC_SHA
# - TLS_RSA_WITH_AES_256_CBC_SHA
# - TLS_RSA_WITH_AES_128_GCM_SHA256
# - TLS_RSA_WITH_AES_256_GCM_SHA384
# - TLS_AES_128_GCM_SHA256
# - TLS_AES_256_GCM_SHA384
# - TLS_CHACHA20_POLY1305_SHA256
# - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
# - TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
# - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
# - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
# - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
# - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
# - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
# - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
# - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
# - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
# 
# Insecure Ciphers:
# - TLS_RSA_WITH_RC4_128_SHA
# - TLS_RSA_WITH_3DES_EDE_CBC_SHA
# - TLS_RSA_WITH_AES_128_CBC_SHA256
# - TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
# - TLS_ECDHE_RSA_WITH_RC4_128_SHA
# - TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
# - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
# - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
# CLI flag: -<prefix>.tls-cipher-suites
[tls_cipher_suites: <string> | default = ""]

# Override the default minimum TLS version. Allowed values: VersionTLS10,
# VersionTLS11, VersionTLS12, VersionTLS13
# CLI flag: -<prefix>.tls-min-version
[tls_min_version: <string> | default = ""]

# The maximum amount of time to establish a connection. A value of 0 means
# default gRPC client connect timeout and backoff.
# CLI flag: -<prefix>.connect-timeout
[connect_timeout: <duration> | default = 5s]

# Initial backoff delay after first connection failure. Only relevant if
# ConnectTimeout > 0.
# CLI flag: -<prefix>.connect-backoff-base-delay
[connect_backoff_base_delay: <duration> | default = 1s]

# Maximum backoff delay when establishing a connection. Only relevant if
# ConnectTimeout > 0.
# CLI flag: -<prefix>.connect-backoff-max-delay
[connect_backoff_max_delay: <duration> | default = 5s]

memberlist

The memberlist block configures the Gossip memberlist.

# Name of the node in memberlist cluster. Defaults to hostname.
# CLI flag: -memberlist.nodename
[node_name: <string> | default = ""]

# Add random suffix to the node name.
# CLI flag: -memberlist.randomize-node-name
[randomize_node_name: <boolean> | default = true]

# The timeout for establishing a connection with a remote node, and for
# read/write operations.
# CLI flag: -memberlist.stream-timeout
[stream_timeout: <duration> | default = 10s]

# Multiplication factor used when sending out messages (factor * log(N+1)).
# CLI flag: -memberlist.retransmit-factor
[retransmit_factor: <int> | default = 4]

# How often to use pull/push sync.
# CLI flag: -memberlist.pullpush-interval
[pull_push_interval: <duration> | default = 30s]

# How often to gossip.
# CLI flag: -memberlist.gossip-interval
[gossip_interval: <duration> | default = 200ms]

# How many nodes to gossip to.
# CLI flag: -memberlist.gossip-nodes
[gossip_nodes: <int> | default = 3]

# How long to keep gossiping to dead nodes, to give them a chance to refute
# their death.
# CLI flag: -memberlist.gossip-to-dead-nodes-time
[gossip_to_dead_nodes_time: <duration> | default = 30s]

# How soon a dead node's name can be reclaimed with a new address. 0 to disable.
# CLI flag: -memberlist.dead-node-reclaim-time
[dead_node_reclaim_time: <duration> | default = 0s]

# Enable message compression. This can be used to reduce bandwidth usage at the
# cost of slightly more CPU utilization.
# CLI flag: -memberlist.compression-enabled
[compression_enabled: <boolean> | default = true]

# Gossip address to advertise to other members in the cluster. Used for NAT
# traversal.
# CLI flag: -memberlist.advertise-addr
[advertise_addr: <string> | default = ""]

# Gossip port to advertise to other members in the cluster. Used for NAT
# traversal.
# CLI flag: -memberlist.advertise-port
[advertise_port: <int> | default = 7946]

# The cluster label is an optional string to include in outbound packets and
# gossip streams. Other members in the memberlist cluster will discard any
# message whose label doesn't match the configured one, unless the
# 'cluster-label-verification-disabled' configuration option is set to true.
# CLI flag: -memberlist.cluster-label
[cluster_label: <string> | default = ""]

# When true, memberlist doesn't verify that inbound packets and gossip streams
# have the cluster label matching the configured one. This verification should
# be disabled while rolling out the change to the configured cluster label in a
# live memberlist cluster.
# CLI flag: -memberlist.cluster-label-verification-disabled
[cluster_label_verification_disabled: <boolean> | default = false]

# Other cluster members to join. Can be specified multiple times. It can be an
# IP, hostname or an entry specified in the DNS Service Discovery format.
# CLI flag: -memberlist.join
[join_members: <list of strings> | default = []]

# Min backoff duration to join other cluster members.
# CLI flag: -memberlist.min-join-backoff
[min_join_backoff: <duration> | default = 1s]

# Max backoff duration to join other cluster members.
# CLI flag: -memberlist.max-join-backoff
[max_join_backoff: <duration> | default = 1m]

# Max number of retries to join other cluster members.
# CLI flag: -memberlist.max-join-retries
[max_join_retries: <int> | default = 10]

# If this node fails to join memberlist cluster, abort.
# CLI flag: -memberlist.abort-if-join-fails
[abort_if_cluster_join_fails: <boolean> | default = false]

# If not 0, how often to rejoin the cluster. Occasional rejoin can help to fix
# the cluster split issue, and is harmless otherwise. For example, when using
# only a few components as seed nodes (via -memberlist.join), it's
# recommended to use rejoin. If -memberlist.join points to a dynamic service
# that resolves to all gossiping nodes (e.g. Kubernetes headless service), then
# rejoin is not needed.
# CLI flag: -memberlist.rejoin-interval
[rejoin_interval: <duration> | default = 0s]

# How long to keep LEFT ingesters in the ring.
# CLI flag: -memberlist.left-ingesters-timeout
[left_ingesters_timeout: <duration> | default = 5m]

# Timeout for leaving memberlist cluster.
# CLI flag: -memberlist.leave-timeout
[leave_timeout: <duration> | default = 20s]

# How much space to use for keeping received and sent messages in memory for
# troubleshooting (two buffers). 0 to disable.
# CLI flag: -memberlist.message-history-buffer-bytes
[message_history_buffer_bytes: <int> | default = 0]

# IP address to listen on for gossip messages. Multiple addresses may be
# specified. Defaults to 0.0.0.0
# CLI flag: -memberlist.bind-addr
[bind_addr: <list of strings> | default = []]

# Port to listen on for gossip messages.
# CLI flag: -memberlist.bind-port
[bind_port: <int> | default = 7946]

# Timeout used when connecting to other nodes to send packet.
# CLI flag: -memberlist.packet-dial-timeout
[packet_dial_timeout: <duration> | default = 2s]

# Timeout for writing 'packet' data.
# CLI flag: -memberlist.packet-write-timeout
[packet_write_timeout: <duration> | default = 5s]

# Enable TLS on the memberlist transport layer.
# CLI flag: -memberlist.tls-enabled
[tls_enabled: <boolean> | default = false]

# Path to the client certificate, which will be used for authenticating with the
# server. Also requires the key path to be configured.
# CLI flag: -memberlist.tls-cert-path
[tls_cert_path: <string> | default = ""]

# Path to the key for the client certificate. Also requires the client
# certificate to be configured.
# CLI flag: -memberlist.tls-key-path
[tls_key_path: <string> | default = ""]

# Path to the CA certificates to validate server certificate against. If not
# set, the host's root CA certificates are used.
# CLI flag: -memberlist.tls-ca-path
[tls_ca_path: <string> | default = ""]

# Override the expected name on the server certificate.
# CLI flag: -memberlist.tls-server-name
[tls_server_name: <string> | default = ""]

# Skip validating server certificate.
# CLI flag: -memberlist.tls-insecure-skip-verify
[tls_insecure_skip_verify: <boolean> | default = false]

# Override the default cipher suite list (separated by commas). Allowed values:
# 
# Secure Ciphers:
# - TLS_RSA_WITH_AES_128_CBC_SHA
# - TLS_RSA_WITH_AES_256_CBC_SHA
# - TLS_RSA_WITH_AES_128_GCM_SHA256
# - TLS_RSA_WITH_AES_256_GCM_SHA384
# - TLS_AES_128_GCM_SHA256
# - TLS_AES_256_GCM_SHA384
# - TLS_CHACHA20_POLY1305_SHA256
# - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
# - TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
# - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
# - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
# - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
# - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
# - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
# - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
# - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
# - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
# 
# Insecure Ciphers:
# - TLS_RSA_WITH_RC4_128_SHA
# - TLS_RSA_WITH_3DES_EDE_CBC_SHA
# - TLS_RSA_WITH_AES_128_CBC_SHA256
# - TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
# - TLS_ECDHE_RSA_WITH_RC4_128_SHA
# - TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
# - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
# - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
# CLI flag: -memberlist.tls-cipher-suites
[tls_cipher_suites: <string> | default = ""]

# Override the default minimum TLS version. Allowed values: VersionTLS10,
# VersionTLS11, VersionTLS12, VersionTLS13
# CLI flag: -memberlist.tls-min-version
[tls_min_version: <string> | default = ""]

s3_storage_backend

The s3_backend block configures the connection to the Amazon S3 object storage backend.

# The S3 bucket endpoint. It could be an AWS S3 endpoint listed at
# https://docs.aws.amazon.com/general/latest/gr/s3.html or the address of an
# S3-compatible service in hostname:port format.
# CLI flag: -storage.s3.endpoint
[endpoint: <string> | default = ""]

# S3 region. If unset, the client will issue an S3 GetBucketLocation API call to
# autodetect it.
# CLI flag: -storage.s3.region
[region: <string> | default = ""]

# S3 bucket name
# CLI flag: -storage.s3.bucket-name
[bucket_name: <string> | default = ""]

# S3 secret access key
# CLI flag: -storage.s3.secret-access-key
[secret_access_key: <string> | default = ""]

# S3 access key ID
# CLI flag: -storage.s3.access-key-id
[access_key_id: <string> | default = ""]

# If enabled, use http:// for the S3 endpoint instead of https://. This could be
# useful in local dev/test environments while using an S3-compatible backend
# storage, like Minio.
# CLI flag: -storage.s3.insecure
[insecure: <boolean> | default = false]

# The signature version to use for authenticating against S3. Supported values
# are: v4, v2.
# CLI flag: -storage.s3.signature-version
[signature_version: <string> | default = "v4"]

sse:
  # Enable AWS Server Side Encryption. Supported values: SSE-KMS, SSE-S3.
  # CLI flag: -storage.s3.sse.type
  [type: <string> | default = ""]

  # KMS Key ID used to encrypt objects in S3
  # CLI flag: -storage.s3.sse.kms-key-id
  [kms_key_id: <string> | default = ""]

  # KMS Encryption Context used for object encryption. It expects JSON formatted
  # string.
  # CLI flag: -storage.s3.sse.kms-encryption-context
  [kms_encryption_context: <string> | default = ""]

http:
  # The time an idle connection will remain idle before closing.
  # CLI flag: -storage.s3.http.idle-conn-timeout
  [idle_conn_timeout: <duration> | default = 1m30s]

  # The amount of time the client will wait for a server's response headers.
  # CLI flag: -storage.s3.http.response-header-timeout
  [response_header_timeout: <duration> | default = 2m]

  # If the client connects to S3 via HTTPS and this option is enabled, the
  # client will accept any certificate and hostname.
  # CLI flag: -storage.s3.http.insecure-skip-verify
  [insecure_skip_verify: <boolean> | default = false]

  # Maximum time to wait for a TLS handshake. 0 means no limit.
  # CLI flag: -storage.s3.tls-handshake-timeout
  [tls_handshake_timeout: <duration> | default = 10s]

  # The time to wait for a server's first response headers after fully writing
  # the request headers if the request has an Expect header. 0 to send the
  # request body immediately.
  # CLI flag: -storage.s3.expect-continue-timeout
  [expect_continue_timeout: <duration> | default = 1s]

  # Maximum number of idle (keep-alive) connections across all hosts. 0 means no
  # limit.
  # CLI flag: -storage.s3.max-idle-connections
  [max_idle_connections: <int> | default = 100]

  # Maximum number of idle (keep-alive) connections to keep per-host. If 0, a
  # built-in default value is used.
  # CLI flag: -storage.s3.max-idle-connections-per-host
  [max_idle_connections_per_host: <int> | default = 100]

  # Maximum number of connections per host. 0 means no limit.
  # CLI flag: -storage.s3.max-connections-per-host
  [max_connections_per_host: <int> | default = 0]
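
The following added example (not part of the Pyroscope documentation or code base) audits a parsed configuration for the transport-security options documented above for etcd, grpc_client, memberlist and S3: disabled certificate validation, plain HTTP, a minimum TLS version below 1.2, suites from the "Insecure Ciphers" lists, and TLS options that are set while tls_enabled is not true. The function names, the sample values and the nesting of the sample configuration are assumptions.

```python
"""Audit transport-security options in a parsed Pyroscope configuration."""

# Suites this reference lists under "Insecure Ciphers" for tls_cipher_suites.
INSECURE_CIPHERS = {
    "TLS_RSA_WITH_RC4_128_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
    "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
    "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
}
# tls_min_version values older than TLS 1.2. Reporting them is this example's
# policy; Pyroscope accepts all four documented values.
LEGACY_VERSIONS = {"VersionTLS10", "VersionTLS11"}
# Options that are expected to be used together with tls_enabled: true.
TLS_DEPENDENT = ("tls_cert_path", "tls_key_path", "tls_ca_path",
                 "tls_server_name", "tls_cipher_suites", "tls_min_version")
# Boolean options that weaken the connection when set to true.
WEAKENING_FLAGS = {
    "tls_insecure_skip_verify": "server certificate is not validated",
    "insecure_skip_verify": "any certificate and hostname is accepted",
    "insecure": "http:// is used instead of https://",
}


def audit_block(path, block):
    """Return (option path, message) findings for a single mapping."""
    findings = []

    def add(key, message):
        findings.append((f"{path}.{key}" if path else key, message))

    for flag, message in WEAKENING_FLAGS.items():
        if block.get(flag) is True:
            add(flag, message)

    min_version = block.get("tls_min_version")
    if isinstance(min_version, str) and min_version in LEGACY_VERSIONS:
        add("tls_min_version", f"{min_version} is older than TLS 1.2")

    # tls_cipher_suites is a comma-separated string.
    suites = {s.strip() for s in str(block.get("tls_cipher_suites") or "").split(",")}
    weak = sorted(suites & INSECURE_CIPHERS)
    if weak:
        add("tls_cipher_suites", "insecure suites: " + ", ".join(weak))

    configured = [key for key in TLS_DEPENDENT if block.get(key)]
    if configured and block.get("tls_enabled") is not True:
        add("tls_enabled", "not true, but set: " + ", ".join(configured))
    return findings


def audit_transport(config, path=""):
    """Walk every nested mapping of the configuration and collect findings."""
    findings = []
    if isinstance(config, dict):
        findings.extend(audit_block(path, config))
        for key, value in config.items():
            child = f"{path}.{key}" if path else key
            findings.extend(audit_transport(value, child))
    return findings


# Constructed sample: the dict a YAML parser would return for a configuration
# file. The nesting (for example storage.s3) is assumed for illustration.
SAMPLE_CONFIG = {
    "memberlist": {
        "tls_enabled": True,
        "tls_min_version": "VersionTLS10",
        "tls_cipher_suites":
            "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_RC4_128_SHA",
    },
    "frontend_worker": {
        "grpc_client_config": {
            "tls_enabled": False,
            "tls_ca_path": "/etc/pyroscope/ca.pem",
        },
    },
    "ingester": {"lifecycler": {"ring": {"kvstore": {
        "store": "etcd",
        "etcd": {"tls_enabled": True, "tls_insecure_skip_verify": True},
    }}}},
    "storage": {"s3": {"insecure": True,
                       "http": {"insecure_skip_verify": True}}},
    "query_scheduler": {"grpc_client_config": {
        "tls_enabled": True, "tls_min_version": "VersionTLS12"}},
}

if __name__ == "__main__":
    for option, message in audit_transport(SAMPLE_CONFIG):
        print(f"{option}: {message}")
```

Run it against the file as written on disk and against the output of the /config endpoint, since command-line flags take precedence over values in the YAML file.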

gcs_storage_backend

The gcs_backend block configures the connection to the Google Cloud Storage object storage backend.

# GCS bucket name
# CLI flag: -storage.gcs.bucket-name
[bucket_name: <string> | default = ""]

# JSON either from a Google Developers Console client_credentials.json file, or
# a Google Developers service account key. Needs to be valid JSON, not a
# filesystem path. If empty, fallback to Google default logic:
# 1. A JSON file whose path is specified by the GOOGLE_APPLICATION_CREDENTIALS
# environment variable. For workload identity federation, refer to
# https://cloud.google.com/iam/docs/how-to#using-workload-identity-federation on
# how to generate the JSON configuration file for on-prem/non-Google cloud
# platforms.
# 2. A JSON file in a location known to the gcloud command-line tool:
# $HOME/.config/gcloud/application_default_credentials.json.
# 3. On Google Compute Engine it fetches credentials from the metadata server.
# CLI flag: -storage.gcs.service-account
[service_account: <string> | default = ""]

azure_storage_backend

The azure_storage_backend block configures the connection to the Azure object storage backend.

# Azure storage account name
# CLI flag: -storage.azure.account-name
[account_name: <string> | default = ""]

# Azure storage account key
# CLI flag: -storage.azure.account-key
[account_key: <string> | default = ""]

# Azure storage container name
# CLI flag: -storage.azure.container-name
[container_name: <string> | default = ""]

# Azure storage endpoint suffix without schema. The account name will be
# prefixed to this value to create the FQDN. If set to empty string, default
# endpoint suffix is used.
# CLI flag: -storage.azure.endpoint-suffix
[endpoint_suffix: <string> | default = ""]

# Number of retries for recoverable errors
# CLI flag: -storage.azure.max-retries
[max_retries: <int> | default = 20]

# User assigned identity. If empty, then System assigned identity is used.
# CLI flag: -storage.azure.user-assigned-id
[user_assigned_id: <string> | default = ""]

swift_storage_backend

The swift_storage_backend block configures the connection to the OpenStack Object Storage (Swift) object storage backend.

yaml
# OpenStack Swift authentication API version. 0 to autodetect.
# CLI flag: -storage.swift.auth-version
[auth_version: <int> | default = 0]

# OpenStack Swift authentication URL
# CLI flag: -storage.swift.auth-url
[auth_url: <string> | default = ""]

# OpenStack Swift username.
# CLI flag: -storage.swift.username
[username: <string> | default = ""]

# OpenStack Swift user's domain name.
# CLI flag: -storage.swift.user-domain-name
[user_domain_name: <string> | default = ""]

# OpenStack Swift user's domain ID.
# CLI flag: -storage.swift.user-domain-id
[user_domain_id: <string> | default = ""]

# OpenStack Swift user ID.
# CLI flag: -storage.swift.user-id
[user_id: <string> | default = ""]

# OpenStack Swift API key.
# CLI flag: -storage.swift.password
[password: <string> | default = ""]

# OpenStack Swift user's domain ID.
# CLI flag: -storage.swift.domain-id
[domain_id: <string> | default = ""]

# OpenStack Swift user's domain name.
# CLI flag: -storage.swift.domain-name
[domain_name: <string> | default = ""]

# OpenStack Swift project ID (v2,v3 auth only).
# CLI flag: -storage.swift.project-id
[project_id: <string> | default = ""]

# OpenStack Swift project name (v2,v3 auth only).
# CLI flag: -storage.swift.project-name
[project_name: <string> | default = ""]

# ID of the OpenStack Swift project's domain (v3 auth only), only needed if it
# differs from the user domain.
# CLI flag: -storage.swift.project-domain-id
[project_domain_id: <string> | default = ""]

# Name of the OpenStack Swift project's domain (v3 auth only), only needed if it
# differs from the user domain.
# CLI flag: -storage.swift.project-domain-name
[project_domain_name: <string> | default = ""]

# OpenStack Swift Region to use (v2,v3 auth only).
# CLI flag: -storage.swift.region-name
[region_name: <string> | default = ""]

# Name of the OpenStack Swift container to put chunks in.
# CLI flag: -storage.swift.container-name
[container_name: <string> | default = ""]

# Max retries on requests error.
# CLI flag: -storage.swift.max-retries
[max_retries: <int> | default = 3]

# Time after which a connection attempt is aborted.
# CLI flag: -storage.swift.connect-timeout
[connect_timeout: <duration> | default = 10s]

# Time after which an idle request is aborted. The timeout watchdog is reset
# each time some data is received, so the timeout triggers after X time no data
# is received on a request.
# CLI flag: -storage.swift.request-timeout
[request_timeout: <duration> | default = 5s]
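
The service_account, account_key and password parameters in the gcs, azure and swift blocks above carry credentials, so a configuration file kept in version control should supply them through ${VAR} references (expanded with -config.expand-env=true) rather than as literal values. The lint below is an added example, not part of the Pyroscope documentation or code base; the function name, the sample values and the storage/azure/swift/gcs nesting in the sample are assumptions.

```python
import re

# Credential-bearing keys from the gcs, azure and swift backend blocks.
SECRET_KEYS = {"service_account", "account_key", "password"}
# Only a bare ${VAR} reference is accepted; anything else non-empty is
# treated as a literal secret stored in the file.
ENV_REF = re.compile(r"^\$\{[A-Za-z_][A-Za-z0-9_]*\}$")
KEY_VALUE = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_]*)\s*:\s*(.*?)\s*$")

# Constructed sample; the parent keys (storage, azure, ...) are assumed.
SAMPLE_CONFIG = """\
storage:
  backend: azure
  azure:
    account_name: profilesprod
    account_key: "c2FtcGxlLWtleQ=="   # literal key committed to the file
    container_name: profiles
  swift:
    username: pyroscope
    password: ${SWIFT_PASSWORD}
  gcs:
    bucket_name: profiles
    service_account: ""
"""

def find_inline_secrets(config_text):
    """Return (line_no, key) for each secret key set to a literal value."""
    findings = []
    for line_no, line in enumerate(config_text.splitlines(), start=1):
        if line.lstrip().startswith("#"):  # whole-line YAML comment
            continue
        m = KEY_VALUE.match(line)
        if not m or m.group(1) not in SECRET_KEYS:
            continue
        value = m.group(2)
        if value[:1] in ("'", '"'):  # quoted scalar: keep the quoted part
            end = value.find(value[0], 1)
            value = value[1:end] if end != -1 else value[1:]
        else:  # plain scalar: drop a trailing "# comment"
            value = re.sub(r"(^|\s)#.*$", "", value).strip()
        if value and not ENV_REF.match(value):
            findings.append((line_no, m.group(1)))
    return findings

if __name__ == "__main__":
    for line_no, key in find_inline_secrets(SAMPLE_CONFIG):
        print(f"line {line_no}: {key} is set to a literal value")
```

A block scalar (`service_account: |` followed by inline JSON) is reported as a literal as well, because the key's value is then stored in the file itself.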

filesystem_storage_backend

The filesystem_storage_backend block configures the use of the local file system as the object storage backend.

yaml
# Local filesystem storage directory.
# CLI flag: -storage.filesystem.dir
[dir: <string> | default = ""]