From c0936ac2183bec1a374d0b20cffef265b6f5fab9 Mon Sep 17 00:00:00 2001 From: Ben Ye Date: Sun, 26 Feb 2023 21:27:26 -0800 Subject: [PATCH 1/4] add limit for store gateway downloaded bytes Signed-off-by: Ben Ye --- pkg/storegateway/bucket_stores.go | 12 ++++++++++- pkg/util/validation/limits.go | 10 +++++++++- pkg/util/validation/limits_test.go | 32 ++++++++++++++++++++++++++++++ 3 files changed, 52 insertions(+), 2 deletions(-)
diff --git a/pkg/storegateway/bucket_stores.go b/pkg/storegateway/bucket_stores.go
index 2be473f76ec..191488c7065 100644
--- a/pkg/storegateway/bucket_stores.go
+++ b/pkg/storegateway/bucket_stores.go
@@ -492,7 +492,7 @@ func (u *BucketStores) getOrCreateStore(userID string) (*store.BucketStore, erro
 u.syncDirForUser(userID),
 newChunksLimiterFactory(u.limits, userID),
 newSeriesLimiterFactory(u.limits, userID),
- store.NewBytesLimiterFactory(0),
+ newBytesLimiterFactory(u.limits, userID),
 u.partitioner,
 u.cfg.BucketStore.BlockSyncConcurrency,
 false, // No need to enable backward compatibility with Thanos pre 0.8.0 queriers
@@ -637,3 +637,13 @@ func newSeriesLimiterFactory(limits *validation.Overrides, userID string) store.
 }
 }
 }
+
+func newBytesLimiterFactory(limits *validation.Overrides, userID string) store.BytesLimiterFactory {
+ return func(failedCounter prometheus.Counter) store.BytesLimiter {
+ // Since limit overrides could be live reloaded, we have to get the current user's limit
+ // each time a new limiter is instantiated.
+ return &limiter{
+ limiter: store.NewLimiter(uint64(limits.MaxDownloadedBytesPerRequest(userID)), failedCounter),
+ }
+ }
+}
diff --git a/pkg/util/validation/limits.go b/pkg/util/validation/limits.go
index 39e49b2bed1..31b69e7dba1 100644
--- a/pkg/util/validation/limits.go
+++ b/pkg/util/validation/limits.go
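Review bot: In `newBytesLimiterFactory`, `uint64(limits.MaxDownloadedBytesPerRequest(userID))` converts a signed `int` with no range check, so a negative default or per-tenant override wraps to a value near 2^64 and the byte limit presumably stops constraining anything for that tenant. This limit bounds how much a single request can pull through the store gateway, so a typo such as `-1` in an overrides file should be rejected or handled deliberately rather than silently widening the bound. Reject negative values when limits are loaded, or clamp before the conversion with `if n < 0 { n = 0 }` and a comment stating that zero and negative values both mean disabled. Nothing in the `limits.go` hunks of this patch validates the new field, so the same gap applies to the flag registered there.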
@@ -95,7 +95,8 @@ type Limits struct { RulerMaxRuleGroupsPerTenant int `yaml:"ruler_max_rule_groups_per_tenant" json:"ruler_max_rule_groups_per_tenant"` // Store-gateway. - StoreGatewayTenantShardSize int `yaml:"store_gateway_tenant_shard_size" json:"store_gateway_tenant_shard_size"` + StoreGatewayTenantShardSize int `yaml:"store_gateway_tenant_shard_size" json:"store_gateway_tenant_shard_size"` + MaxDownloadedBytesPerRequest int `yaml:"max_downloaded_bytes_per_request" json:"max_downloaded_bytes_per_request"` // Compactor. CompactorBlocksRetentionPeriod model.Duration `yaml:"compactor_blocks_retention_period" json:"compactor_blocks_retention_period"` @@ -182,6 +183,7 @@ func (l *Limits) RegisterFlags(f *flag.FlagSet) { // Store-gateway. f.IntVar(&l.StoreGatewayTenantShardSize, "store-gateway.tenant-shard-size", 0, "The default tenant's shard size when the shuffle-sharding strategy is used. Must be set when the store-gateway sharding is enabled with the shuffle-sharding strategy. When this setting is specified in the per-tenant overrides, a value of 0 disables shuffle sharding for the tenant.") + f.IntVar(&l.MaxDownloadedBytesPerRequest, "store-gateway.max-downloaded-bytes-per-request", 0, "The maximum number of data bytes to download per gRPC request in Store Gateway, including Series/LabelNames/LabelValues requests. 0 to disable.") // Alertmanager. f.Var(&l.AlertmanagerReceiversBlockCIDRNetworks, "alertmanager.receivers-firewall-block-cidr-networks", "Comma-separated list of network CIDRs to block in Alertmanager receiver integrations.") 
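Review bot: The help text for `-store-gateway.max-downloaded-bytes-per-request` in `RegisterFlags` says only "data bytes to download", while the doc comment on the `MaxDownloadedBytesPerRequest` accessor added later in this file says the count includes data fetched from cache as well as object storage. Operators size this limit from the flag text and the generated config reference, so the two descriptions should agree; consider appending `Includes data served from cache.` to the help string and saying what a request sees when the limit is exceeded. Both `RegisterFlags` and the `Limits` struct continue outside these hunks.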
@@ -430,6 +432,12 @@ func (o *Overrides) MaxFetchedDataBytesPerQuery(userID string) int { return o.GetOverridesForUser(userID).MaxFetchedDataBytesPerQuery } +// MaxDownloadedBytesPerRequest returns the maximum number of bytes to download for each gRPC request in Store Gateway, +// including any data fetched from cache or object storage. +func (o *Overrides) MaxDownloadedBytesPerRequest(userID string) int { + return o.GetOverridesForUser(userID).MaxDownloadedBytesPerRequest +} + // MaxQueryLookback returns the max lookback period of queries. func (o *Overrides) MaxQueryLookback(userID string) time.Duration { return time.Duration(o.GetOverridesForUser(userID).MaxQueryLookback) diff --git a/pkg/util/validation/limits_test.go b/pkg/util/validation/limits_test.go index 62b56c6cb2e..5e794676917 100644 --- a/pkg/util/validation/limits_test.go +++ b/pkg/util/validation/limits_test.go @@ -564,3 +564,35 @@ tenant2: require.Equal(t, 3, ov.MaxExemplars("tenant2")) require.Equal(t, 5, ov.MaxExemplars("tenant3")) } + +func TestMaxDownloadedBytesPerRequestOverridesPerTenant(t *testing.T) { + SetDefaultLimitsForYAMLUnmarshalling(Limits{ + MaxLabelNameLength: 100, + }) + + baseYAML := ` +max_downloaded_bytes_per_request: 5` + overridesYAML := ` +tenant1: + max_downloaded_bytes_per_request: 1 +tenant2: + max_downloaded_bytes_per_request: 3 +` + + l := Limits{} + err := yaml.UnmarshalStrict([]byte(baseYAML), &l) + require.NoError(t, err) + + overrides := map[string]*Limits{} + err = yaml.Unmarshal([]byte(overridesYAML), &overrides) + require.NoError(t, err, "parsing overrides") + + tl := newMockTenantLimits(overrides) + + ov, err := NewOverrides(l, tl) + require.NoError(t, err) + + require.Equal(t, 1, ov.MaxDownloadedBytesPerRequest("tenant1")) + require.Equal(t, 3, ov.MaxDownloadedBytesPerRequest("tenant2")) + require.Equal(t, 5, ov.MaxDownloadedBytesPerRequest("tenant3")) +} From 40fc49df34a2f5ae9f81b7e91abbbcdb91676e5b Mon Sep 17 00:00:00 2001 
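Review bot: `TestMaxDownloadedBytesPerRequestOverridesPerTenant` pins only the override lookup (1, 3 and the default 5); patch 1/4 adds no test that calls `newBytesLimiterFactory`, so neither the 0-means-disabled case nor a reloaded override reaching a newly created limiter is exercised here. A small table test in the store-gateway package that builds the factory from overrides and checks that a reservation above the limit fails, and that one under a limit of 0 succeeds, would cover the enforcement path rather than just the config plumbing. The test also calls `SetDefaultLimitsForYAMLUnmarshalling` without restoring the previous defaults; if that setter writes package-level state, as its name suggests, later tests in the package inherit `MaxLabelNameLength: 100`.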
From: Ben Ye Date: Mon, 27 Feb 2023 06:33:17 +0000 Subject: [PATCH 2/4] update docs Signed-off-by: Ben Ye --- docs/configuration/config-file-reference.md | 1004 +++++++++++++++++++ 1 file changed, 1004 insertions(+) diff --git a/docs/configuration/config-file-reference.md b/docs/configuration/config-file-reference.md index 6f1d8b4b310..6085579bbdf 100644 --- a/docs/configuration/config-file-reference.md +++ b/docs/configuration/config-file-reference.md 
@@ -737,6 +737,1010 @@ local: [path: | default = ""] ``` +### `storage_config` + +The `storage_config` configures the storage type Cortex uses. + +```yaml +# The storage engine to use: blocks is the only supported option today. +# CLI flag: -store.engine +[engine: | default = "blocks"] +``` + +### `flusher_config` + +The `flusher_config` configures the WAL flusher target, used to manually run one-time flushes when scaling down ingesters. + +```yaml +# Stop Cortex after flush has finished. If false, Cortex process will keep +# running, doing nothing. +# CLI flag: -flusher.exit-after-flush +[exit_after_flush: | default = true] +``` + +### `ingester_client_config` + +The `ingester_client_config` configures how the Cortex distributors connect to the ingesters. + +```yaml +grpc_client_config: + # gRPC client max receive message size (bytes). + # CLI flag: -ingester.client.grpc-max-recv-msg-size + [max_recv_msg_size: | default = 104857600] + + # gRPC client max send message size (bytes). + # CLI flag: -ingester.client.grpc-max-send-msg-size + [max_send_msg_size: | default = 16777216] + + # Use compression when sending messages. Supported values are: 'gzip', + # 'snappy', 'zstd' and '' (disable compression) + # CLI flag: -ingester.client.grpc-compression + [grpc_compression: | default = ""] + + # Rate limit for gRPC client; 0 means disabled. + # CLI flag: -ingester.client.grpc-client-rate-limit + [rate_limit: | default = 0] + + # Rate limit burst for gRPC client. + # CLI flag: -ingester.client.grpc-client-rate-limit-burst + [rate_limit_burst: | default = 0] + + # Enable backoff and retry when we hit ratelimits. + # CLI flag: -ingester.client.backoff-on-ratelimits + [backoff_on_ratelimits: | default = false] + + backoff_config: + # Minimum delay when backing off. + # CLI flag: -ingester.client.backoff-min-period + [min_period: | default = 100ms] + + # Maximum delay when backing off. 
+ # CLI flag: -ingester.client.backoff-max-period + [max_period: | default = 10s] + + # Number of times to backoff and retry before failing. + # CLI flag: -ingester.client.backoff-retries + [max_retries: | default = 10] + + # Enable TLS in the GRPC client. This flag needs to be enabled when any other + # TLS flag is set. If set to false, insecure connection to gRPC server will be + # used. + # CLI flag: -ingester.client.tls-enabled + [tls_enabled: | default = false] + + # Path to the client certificate file, which will be used for authenticating + # with the server. Also requires the key path to be configured. + # CLI flag: -ingester.client.tls-cert-path + [tls_cert_path: | default = ""] + + # Path to the key file for the client certificate. Also requires the client + # certificate to be configured. + # CLI flag: -ingester.client.tls-key-path + [tls_key_path: | default = ""] + + # Path to the CA certificates file to validate server certificate against. If + # not set, the host's root CA certificates are used. + # CLI flag: -ingester.client.tls-ca-path + [tls_ca_path: | default = ""] + + # Override the expected name on the server certificate. + # CLI flag: -ingester.client.tls-server-name + [tls_server_name: | default = ""] + + # Skip validating server certificate. + # CLI flag: -ingester.client.tls-insecure-skip-verify + [tls_insecure_skip_verify: | default = false] +``` + +### `frontend_worker_config` + +The `frontend_worker_config` configures the worker - running within the Cortex querier - picking up and executing queries enqueued by the query-frontend or query-scheduler. + +```yaml +# Address of query frontend service, in host:port format. If +# -querier.scheduler-address is set as well, querier will use scheduler instead. +# Only one of -querier.frontend-address or -querier.scheduler-address can be +# set. If neither is set, queries are only received via HTTP endpoint. 
+# CLI flag: -querier.frontend-address +[frontend_address: | default = ""] + +# Hostname (and port) of scheduler that querier will periodically resolve, +# connect to and receive queries from. Only one of -querier.frontend-address or +# -querier.scheduler-address can be set. If neither is set, queries are only +# received via HTTP endpoint. +# CLI flag: -querier.scheduler-address +[scheduler_address: | default = ""] + +# How often to query DNS for query-frontend or query-scheduler address. +# CLI flag: -querier.dns-lookup-period +[dns_lookup_duration: | default = 10s] + +# Number of simultaneous queries to process per query-frontend or +# query-scheduler. +# CLI flag: -querier.worker-parallelism +[parallelism: | default = 10] + +# Force worker concurrency to match the -querier.max-concurrent option. +# Overrides querier.worker-parallelism. +# CLI flag: -querier.worker-match-max-concurrent +[match_max_concurrent: | default = false] + +# Querier ID, sent to frontend service to identify requests from the same +# querier. Defaults to hostname. +# CLI flag: -querier.id +[id: | default = ""] + +grpc_client_config: + # gRPC client max receive message size (bytes). + # CLI flag: -querier.frontend-client.grpc-max-recv-msg-size + [max_recv_msg_size: | default = 104857600] + + # gRPC client max send message size (bytes). + # CLI flag: -querier.frontend-client.grpc-max-send-msg-size + [max_send_msg_size: | default = 16777216] + + # Use compression when sending messages. Supported values are: 'gzip', + # 'snappy', 'zstd' and '' (disable compression) + # CLI flag: -querier.frontend-client.grpc-compression + [grpc_compression: | default = ""] + + # Rate limit for gRPC client; 0 means disabled. + # CLI flag: -querier.frontend-client.grpc-client-rate-limit + [rate_limit: | default = 0] + + # Rate limit burst for gRPC client. + # CLI flag: -querier.frontend-client.grpc-client-rate-limit-burst + [rate_limit_burst: | default = 0] + + # Enable backoff and retry when we hit ratelimits. 
+ # CLI flag: -querier.frontend-client.backoff-on-ratelimits + [backoff_on_ratelimits: | default = false] + + backoff_config: + # Minimum delay when backing off. + # CLI flag: -querier.frontend-client.backoff-min-period + [min_period: | default = 100ms] + + # Maximum delay when backing off. + # CLI flag: -querier.frontend-client.backoff-max-period + [max_period: | default = 10s] + + # Number of times to backoff and retry before failing. + # CLI flag: -querier.frontend-client.backoff-retries + [max_retries: | default = 10] + + # Enable TLS in the GRPC client. This flag needs to be enabled when any other + # TLS flag is set. If set to false, insecure connection to gRPC server will be + # used. + # CLI flag: -querier.frontend-client.tls-enabled + [tls_enabled: | default = false] + + # Path to the client certificate file, which will be used for authenticating + # with the server. Also requires the key path to be configured. + # CLI flag: -querier.frontend-client.tls-cert-path + [tls_cert_path: | default = ""] + + # Path to the key file for the client certificate. Also requires the client + # certificate to be configured. + # CLI flag: -querier.frontend-client.tls-key-path + [tls_key_path: | default = ""] + + # Path to the CA certificates file to validate server certificate against. If + # not set, the host's root CA certificates are used. + # CLI flag: -querier.frontend-client.tls-ca-path + [tls_ca_path: | default = ""] + + # Override the expected name on the server certificate. + # CLI flag: -querier.frontend-client.tls-server-name + [tls_server_name: | default = ""] + + # Skip validating server certificate. + # CLI flag: -querier.frontend-client.tls-insecure-skip-verify + [tls_insecure_skip_verify: | default = false] +``` + +### `etcd_config` + +The `etcd_config` configures the etcd client. 
The supported CLI flags `` used to reference this config block are: + +- _no prefix_ +- `alertmanager.sharding-ring` +- `compactor.ring` +- `distributor.ha-tracker` +- `distributor.ring` +- `ruler.ring` +- `store-gateway.sharding-ring` + +  + +```yaml +# The etcd endpoints to connect to. +# CLI flag: -.etcd.endpoints +[endpoints: | default = []] + +# The dial timeout for the etcd connection. +# CLI flag: -.etcd.dial-timeout +[dial_timeout: | default = 10s] + +# The maximum number of retries to do for failed ops. +# CLI flag: -.etcd.max-retries +[max_retries: | default = 10] + +# Enable TLS. +# CLI flag: -.etcd.tls-enabled +[tls_enabled: | default = false] + +# Path to the client certificate file, which will be used for authenticating +# with the server. Also requires the key path to be configured. +# CLI flag: -.etcd.tls-cert-path +[tls_cert_path: | default = ""] + +# Path to the key file for the client certificate. Also requires the client +# certificate to be configured. +# CLI flag: -.etcd.tls-key-path +[tls_key_path: | default = ""] + +# Path to the CA certificates file to validate server certificate against. If +# not set, the host's root CA certificates are used. +# CLI flag: -.etcd.tls-ca-path +[tls_ca_path: | default = ""] + +# Override the expected name on the server certificate. +# CLI flag: -.etcd.tls-server-name +[tls_server_name: | default = ""] + +# Skip validating server certificate. +# CLI flag: -.etcd.tls-insecure-skip-verify +[tls_insecure_skip_verify: | default = false] + +# Etcd username. +# CLI flag: -.etcd.username +[username: | default = ""] + +# Etcd password. +# CLI flag: -.etcd.password +[password: | default = ""] +``` + +### `consul_config` + +The `consul_config` configures the consul client. 
The supported CLI flags `` used to reference this config block are: + +- _no prefix_ +- `alertmanager.sharding-ring` +- `compactor.ring` +- `distributor.ha-tracker` +- `distributor.ring` +- `ruler.ring` +- `store-gateway.sharding-ring` + +  + +```yaml +# Hostname and port of Consul. +# CLI flag: -.consul.hostname +[host: | default = "localhost:8500"] + +# ACL Token used to interact with Consul. +# CLI flag: -.consul.acl-token +[acl_token: | default = ""] + +# HTTP timeout when talking to Consul +# CLI flag: -.consul.client-timeout +[http_client_timeout: | default = 20s] + +# Enable consistent reads to Consul. +# CLI flag: -.consul.consistent-reads +[consistent_reads: | default = false] + +# Rate limit when watching key or prefix in Consul, in requests per second. 0 +# disables the rate limit. +# CLI flag: -.consul.watch-rate-limit +[watch_rate_limit: | default = 1] + +# Burst size used in rate limit. Values less than 1 are treated as 1. +# CLI flag: -.consul.watch-burst-size +[watch_burst_size: | default = 1] +``` + +### `memberlist_config` + +The `memberlist_config` configures the Gossip memberlist. + +```yaml +# Name of the node in memberlist cluster. Defaults to hostname. +# CLI flag: -memberlist.nodename +[node_name: | default = ""] + +# Add random suffix to the node name. +# CLI flag: -memberlist.randomize-node-name +[randomize_node_name: | default = true] + +# The timeout for establishing a connection with a remote node, and for +# read/write operations. +# CLI flag: -memberlist.stream-timeout +[stream_timeout: | default = 10s] + +# Multiplication factor used when sending out messages (factor * log(N+1)). +# CLI flag: -memberlist.retransmit-factor +[retransmit_factor: | default = 4] + +# How often to use pull/push sync. +# CLI flag: -memberlist.pullpush-interval +[pull_push_interval: | default = 30s] + +# How often to gossip. +# CLI flag: -memberlist.gossip-interval +[gossip_interval: | default = 200ms] + +# How many nodes to gossip to. 
+# CLI flag: -memberlist.gossip-nodes +[gossip_nodes: | default = 3] + +# How long to keep gossiping to dead nodes, to give them chance to refute their +# death. +# CLI flag: -memberlist.gossip-to-dead-nodes-time +[gossip_to_dead_nodes_time: | default = 30s] + +# How soon can dead node's name be reclaimed with new address. 0 to disable. +# CLI flag: -memberlist.dead-node-reclaim-time +[dead_node_reclaim_time: | default = 0s] + +# Enable message compression. This can be used to reduce bandwidth usage at the +# cost of slightly more CPU utilization. +# CLI flag: -memberlist.compression-enabled +[compression_enabled: | default = true] + +# Gossip address to advertise to other members in the cluster. Used for NAT +# traversal. +# CLI flag: -memberlist.advertise-addr +[advertise_addr: | default = ""] + +# Gossip port to advertise to other members in the cluster. Used for NAT +# traversal. +# CLI flag: -memberlist.advertise-port +[advertise_port: | default = 7946] + +# Other cluster members to join. Can be specified multiple times. It can be an +# IP, hostname or an entry specified in the DNS Service Discovery format. +# CLI flag: -memberlist.join +[join_members: | default = []] + +# Min backoff duration to join other cluster members. +# CLI flag: -memberlist.min-join-backoff +[min_join_backoff: | default = 1s] + +# Max backoff duration to join other cluster members. +# CLI flag: -memberlist.max-join-backoff +[max_join_backoff: | default = 1m] + +# Max number of retries to join other cluster members. +# CLI flag: -memberlist.max-join-retries +[max_join_retries: | default = 10] + +# If this node fails to join memberlist cluster, abort. +# CLI flag: -memberlist.abort-if-join-fails +[abort_if_cluster_join_fails: | default = true] + +# If not 0, how often to rejoin the cluster. Occasional rejoin can help to fix +# the cluster split issue, and is harmless otherwise. 
For example when using +# only few components as a seed nodes (via -memberlist.join), then it's +# recommended to use rejoin. If -memberlist.join points to dynamic service that +# resolves to all gossiping nodes (eg. Kubernetes headless service), then rejoin +# is not needed. +# CLI flag: -memberlist.rejoin-interval +[rejoin_interval: | default = 0s] + +# How long to keep LEFT ingesters in the ring. +# CLI flag: -memberlist.left-ingesters-timeout +[left_ingesters_timeout: | default = 5m] + +# Timeout for leaving memberlist cluster. +# CLI flag: -memberlist.leave-timeout +[leave_timeout: | default = 5s] + +# How much space to use for keeping received and sent messages in memory for +# troubleshooting (two buffers). 0 to disable. +# CLI flag: -memberlist.message-history-buffer-bytes +[message_history_buffer_bytes: | default = 0] + +# IP address to listen on for gossip messages. Multiple addresses may be +# specified. Defaults to 0.0.0.0 +# CLI flag: -memberlist.bind-addr +[bind_addr: | default = []] + +# Port to listen on for gossip messages. +# CLI flag: -memberlist.bind-port +[bind_port: | default = 7946] + +# Timeout used when connecting to other nodes to send packet. +# CLI flag: -memberlist.packet-dial-timeout +[packet_dial_timeout: | default = 5s] + +# Timeout for writing 'packet' data. +# CLI flag: -memberlist.packet-write-timeout +[packet_write_timeout: | default = 5s] + +# Enable TLS on the memberlist transport layer. +# CLI flag: -memberlist.tls-enabled +[tls_enabled: | default = false] + +# Path to the client certificate file, which will be used for authenticating +# with the server. Also requires the key path to be configured. +# CLI flag: -memberlist.tls-cert-path +[tls_cert_path: | default = ""] + +# Path to the key file for the client certificate. Also requires the client +# certificate to be configured. +# CLI flag: -memberlist.tls-key-path +[tls_key_path: | default = ""] + +# Path to the CA certificates file to validate server certificate against. 
If +# not set, the host's root CA certificates are used. +# CLI flag: -memberlist.tls-ca-path +[tls_ca_path: | default = ""] + +# Override the expected name on the server certificate. +# CLI flag: -memberlist.tls-server-name +[tls_server_name: | default = ""] + +# Skip validating server certificate. +# CLI flag: -memberlist.tls-insecure-skip-verify +[tls_insecure_skip_verify: | default = false] +``` + +### `limits_config` + +The `limits_config` configures default and per-tenant limits imposed by Cortex services (ie. distributor, ingester, ...). + +```yaml +# Per-user ingestion rate limit in samples per second. +# CLI flag: -distributor.ingestion-rate-limit +[ingestion_rate: | default = 25000] + +# Whether the ingestion rate limit should be applied individually to each +# distributor instance (local), or evenly shared across the cluster (global). +# CLI flag: -distributor.ingestion-rate-limit-strategy +[ingestion_rate_strategy: | default = "local"] + +# Per-user allowed ingestion burst size (in number of samples). +# CLI flag: -distributor.ingestion-burst-size +[ingestion_burst_size: | default = 50000] + +# Flag to enable, for all users, handling of samples with external labels +# identifying replicas in an HA Prometheus setup. +# CLI flag: -distributor.ha-tracker.enable-for-all-users +[accept_ha_samples: | default = false] + +# Prometheus label to look for in samples to identify a Prometheus HA cluster. +# CLI flag: -distributor.ha-tracker.cluster +[ha_cluster_label: | default = "cluster"] + +# Prometheus label to look for in samples to identify a Prometheus HA replica. +# CLI flag: -distributor.ha-tracker.replica +[ha_replica_label: | default = "__replica__"] + +# Maximum number of clusters that HA tracker will keep track of for single user. +# 0 to disable the limit. 
+# CLI flag: -distributor.ha-tracker.max-clusters +[ha_max_clusters: | default = 0] + +# This flag can be used to specify label names that to drop during sample +# ingestion within the distributor and can be repeated in order to drop multiple +# labels. +# CLI flag: -distributor.drop-label +[drop_labels: | default = []] + +# Maximum length accepted for label names +# CLI flag: -validation.max-length-label-name +[max_label_name_length: | default = 1024] + +# Maximum length accepted for label value. This setting also applies to the +# metric name +# CLI flag: -validation.max-length-label-value +[max_label_value_length: | default = 2048] + +# Maximum number of label names per series. +# CLI flag: -validation.max-label-names-per-series +[max_label_names_per_series: | default = 30] + +# Maximum combined size in bytes of all labels and label values accepted for a +# series. 0 to disable the limit. +# CLI flag: -validation.max-labels-size-bytes +[max_labels_size_bytes: | default = 0] + +# Maximum length accepted for metric metadata. Metadata refers to Metric Name, +# HELP and UNIT. +# CLI flag: -validation.max-metadata-length +[max_metadata_length: | default = 1024] + +# Reject old samples. +# CLI flag: -validation.reject-old-samples +[reject_old_samples: | default = false] + +# Maximum accepted sample age before rejecting. +# CLI flag: -validation.reject-old-samples.max-age +[reject_old_samples_max_age: | default = 2w] + +# Duration which table will be created/deleted before/after it's needed; we +# won't accept sample from before this time. +# CLI flag: -validation.create-grace-period +[creation_grace_period: | default = 10m] + +# Enforce every metadata has a metric name. +# CLI flag: -validation.enforce-metadata-metric-name +[enforce_metadata_metric_name: | default = true] + +# Enforce every sample has a metric name. 
+# CLI flag: -validation.enforce-metric-name +[enforce_metric_name: | default = true] + +# The default tenant's shard size when the shuffle-sharding strategy is used. +# Must be set both on ingesters and distributors. When this setting is specified +# in the per-tenant overrides, a value of 0 disables shuffle sharding for the +# tenant. +# CLI flag: -distributor.ingestion-tenant-shard-size +[ingestion_tenant_shard_size: | default = 0] + +# List of metric relabel configurations. Note that in most situations, it is +# more effective to use metrics relabeling directly in the Prometheus server, +# e.g. remote_write.write_relabel_configs. +[metric_relabel_configs: | default = ] + +# Enables support for exemplars in TSDB and sets the maximum number that will be +# stored. less than zero means disabled. If the value is set to zero, cortex +# will fallback to blocks-storage.tsdb.max-exemplars value. +# CLI flag: -ingester.max-exemplars +[max_exemplars: | default = 0] + +# The maximum number of series for which a query can fetch samples from each +# ingester. This limit is enforced only in the ingesters (when querying samples +# not flushed to the storage yet) and it's a per-instance limit. This limit is +# ignored when running the Cortex blocks storage. When running Cortex with +# blocks storage use -querier.max-fetched-series-per-query limit instead. +# CLI flag: -ingester.max-series-per-query +[max_series_per_query: | default = 100000] + +# The maximum number of active series per user, per ingester. 0 to disable. +# CLI flag: -ingester.max-series-per-user +[max_series_per_user: | default = 5000000] + +# The maximum number of active series per metric name, per ingester. 0 to +# disable. +# CLI flag: -ingester.max-series-per-metric +[max_series_per_metric: | default = 50000] + +# The maximum number of active series per user, across the cluster before +# replication. 0 to disable. Supported only if -distributor.shard-by-all-labels +# is true. 
+# CLI flag: -ingester.max-global-series-per-user +[max_global_series_per_user: | default = 0] + +# The maximum number of active series per metric name, across the cluster before +# replication. 0 to disable. +# CLI flag: -ingester.max-global-series-per-metric +[max_global_series_per_metric: | default = 0] + +# The maximum number of active metrics with metadata per user, per ingester. 0 +# to disable. +# CLI flag: -ingester.max-metadata-per-user +[max_metadata_per_user: | default = 8000] + +# The maximum number of metadata per metric, per ingester. 0 to disable. +# CLI flag: -ingester.max-metadata-per-metric +[max_metadata_per_metric: | default = 10] + +# The maximum number of active metrics with metadata per user, across the +# cluster. 0 to disable. Supported only if -distributor.shard-by-all-labels is +# true. +# CLI flag: -ingester.max-global-metadata-per-user +[max_global_metadata_per_user: | default = 0] + +# The maximum number of metadata per metric, across the cluster. 0 to disable. +# CLI flag: -ingester.max-global-metadata-per-metric +[max_global_metadata_per_metric: | default = 0] + +# Maximum number of chunks that can be fetched in a single query from ingesters +# and long-term storage. This limit is enforced in the querier, ruler and +# store-gateway. 0 to disable. +# CLI flag: -querier.max-fetched-chunks-per-query +[max_fetched_chunks_per_query: | default = 2000000] + +# The maximum number of unique series for which a query can fetch samples from +# each ingesters and blocks storage. This limit is enforced in the querier, +# ruler and store-gateway. 0 to disable +# CLI flag: -querier.max-fetched-series-per-query +[max_fetched_series_per_query: | default = 0] + +# Deprecated (user max-fetched-data-bytes-per-query instead): The maximum size +# of all chunks in bytes that a query can fetch from each ingester and storage. +# This limit is enforced in the querier, ruler and store-gateway. 0 to disable. 
+# CLI flag: -querier.max-fetched-chunk-bytes-per-query +[max_fetched_chunk_bytes_per_query: | default = 0] + +# The maximum combined size of all data that a query can fetch from each +# ingester and storage. This limit is enforced in the querier and ruler for +# `query`, `query_range` and `series` APIs. 0 to disable. +# CLI flag: -querier.max-fetched-data-bytes-per-query +[max_fetched_data_bytes_per_query: | default = 0] + +# Limit how long back data (series and metadata) can be queried, up until +# duration ago. This limit is enforced in the query-frontend, querier +# and ruler. If the requested time range is outside the allowed range, the +# request will not fail but will be manipulated to only query data within the +# allowed time range. 0 to disable. +# CLI flag: -querier.max-query-lookback +[max_query_lookback: | default = 0s] + +# Limit the query time range (end - start time). This limit is enforced in the +# query-frontend (on the received query) and in the querier (on the query +# possibly split by the query-frontend). 0 to disable. +# CLI flag: -store.max-query-length +[max_query_length: | default = 0s] + +# Maximum number of split queries will be scheduled in parallel by the frontend. +# CLI flag: -querier.max-query-parallelism +[max_query_parallelism: | default = 14] + +# Most recent allowed cacheable result per-tenant, to prevent caching very +# recent results that might still be in flux. +# CLI flag: -frontend.max-cache-freshness +[max_cache_freshness: | default = 1m] + +# Maximum number of queriers that can handle requests for a single tenant. If +# set to 0 or value higher than number of available queriers, *all* queriers +# will handle requests for the tenant. Each frontend (or query-scheduler, if +# used) will select the same set of queriers for the same tenant (given that all +# queriers are connected to all frontends / query-schedulers). 
This option only +# works with queriers connecting to the query-frontend / query-scheduler, not +# when using downstream URL. +# CLI flag: -frontend.max-queriers-per-tenant +[max_queriers_per_tenant: | default = 0] + +# Maximum number of outstanding requests per tenant per request queue (either +# query frontend or query scheduler); requests beyond this error with HTTP 429. +# CLI flag: -frontend.max-outstanding-requests-per-tenant +[max_outstanding_requests_per_tenant: | default = 100] + +# Duration to delay the evaluation of rules to ensure the underlying metrics +# have been pushed to Cortex. +# CLI flag: -ruler.evaluation-delay-duration +[ruler_evaluation_delay_duration: | default = 0s] + +# The default tenant's shard size when the shuffle-sharding strategy is used by +# ruler. When this setting is specified in the per-tenant overrides, a value of +# 0 disables shuffle sharding for the tenant. +# CLI flag: -ruler.tenant-shard-size +[ruler_tenant_shard_size: | default = 0] + +# Maximum number of rules per rule group per-tenant. 0 to disable. +# CLI flag: -ruler.max-rules-per-rule-group +[ruler_max_rules_per_rule_group: | default = 0] + +# Maximum number of rule groups per-tenant. 0 to disable. +# CLI flag: -ruler.max-rule-groups-per-tenant +[ruler_max_rule_groups_per_tenant: | default = 0] + +# The default tenant's shard size when the shuffle-sharding strategy is used. +# Must be set when the store-gateway sharding is enabled with the +# shuffle-sharding strategy. When this setting is specified in the per-tenant +# overrides, a value of 0 disables shuffle sharding for the tenant. +# CLI flag: -store-gateway.tenant-shard-size +[store_gateway_tenant_shard_size: | default = 0] + +# The maximum number of data bytes to download per gRPC request in Store +# Gateway, including Series/LabelNames/LabelValues requests. 0 to disable. 
+# CLI flag: -store-gateway.max-downloaded-bytes-per-request
+[max_downloaded_bytes_per_request: | default = 0]
+
+# Delete blocks containing samples older than the specified retention period. 0
+# to disable.
+# CLI flag: -compactor.blocks-retention-period
+[compactor_blocks_retention_period: | default = 0s]
+
+# The default tenant's shard size when the shuffle-sharding strategy is used by
+# the compactor. When this setting is specified in the per-tenant overrides, a
+# value of 0 disables shuffle sharding for the tenant.
+# CLI flag: -compactor.tenant-shard-size
+[compactor_tenant_shard_size: | default = 0]
+
+# S3 server-side encryption type. Required to enable server-side encryption
+# overrides for a specific tenant. If not set, the default S3 client settings
+# are used.
+[s3_sse_type: | default = ""]
+
+# S3 server-side encryption KMS Key ID. Ignored if the SSE type override is not
+# set.
+[s3_sse_kms_key_id: | default = ""]
+
+# S3 server-side encryption KMS encryption context. If unset and the key ID
+# override is set, the encryption context will not be provided to S3. Ignored if
+# the SSE type override is not set.
+[s3_sse_kms_encryption_context: | default = ""]
+
+# Comma-separated list of network CIDRs to block in Alertmanager receiver
+# integrations.
+# CLI flag: -alertmanager.receivers-firewall-block-cidr-networks
+[alertmanager_receivers_firewall_block_cidr_networks: | default = ""]
+
+# True to block private and local addresses in Alertmanager receiver
+# integrations. It blocks private addresses defined by RFC 1918 (IPv4
+# addresses) and RFC 4193 (IPv6 addresses), as well as loopback, local unicast
+# and local multicast addresses.
+# CLI flag: -alertmanager.receivers-firewall-block-private-addresses
+[alertmanager_receivers_firewall_block_private_addresses: | default = false]
+
+# Per-user rate limit for sending notifications from Alertmanager in
+# notifications/sec. 0 = rate limit disabled. Negative value = no notifications
+# are allowed.
+# CLI flag: -alertmanager.notification-rate-limit
+[alertmanager_notification_rate_limit: | default = 0]
+
+# Per-integration notification rate limits. Value is a map, where each key is
+# integration name and value is a rate-limit (float). On command line, this map
+# is given in JSON format. Rate limit has the same meaning as
+# -alertmanager.notification-rate-limit, but only applies for specific
+# integration. Allowed integration names: webhook, email, pagerduty, opsgenie,
+# wechat, slack, victorops, pushover, sns.
+# CLI flag: -alertmanager.notification-rate-limit-per-integration
+[alertmanager_notification_rate_limit_per_integration: | default = {}]
+
+# Maximum size of configuration file for Alertmanager that tenant can upload via
+# Alertmanager API. 0 = no limit.
+# CLI flag: -alertmanager.max-config-size-bytes
+[alertmanager_max_config_size_bytes: | default = 0]
+
+# Maximum number of templates in tenant's Alertmanager configuration uploaded
+# via Alertmanager API. 0 = no limit.
+# CLI flag: -alertmanager.max-templates-count
+[alertmanager_max_templates_count: | default = 0]
+
+# Maximum size of single template in tenant's Alertmanager configuration
+# uploaded via Alertmanager API. 0 = no limit.
+# CLI flag: -alertmanager.max-template-size-bytes
+[alertmanager_max_template_size_bytes: | default = 0]
+
+# Maximum number of aggregation groups in Alertmanager's dispatcher that a
+# tenant can have. Each active aggregation group uses single goroutine. When the
+# limit is reached, dispatcher will not dispatch alerts that belong to
+# additional aggregation groups, but existing groups will keep working properly.
+# 0 = no limit.
+# CLI flag: -alertmanager.max-dispatcher-aggregation-groups
+[alertmanager_max_dispatcher_aggregation_groups: | default = 0]
+
+# Maximum number of alerts that a single user can have. Inserting more alerts
+# will fail with a log message and metric increment. 0 = no limit.
+# CLI flag: -alertmanager.max-alerts-count
+[alertmanager_max_alerts_count: | default = 0]
+
+# Maximum total size of alerts that a single user can have, alert size is the
+# sum of the bytes of its labels, annotations and generatorURL. Inserting more
+# alerts will fail with a log message and metric increment. 0 = no limit.
+# CLI flag: -alertmanager.max-alerts-size-bytes
+[alertmanager_max_alerts_size_bytes: | default = 0]
+```
+
+### `redis_config`
+
+The `redis_config` configures the Redis backend cache.
+
+```yaml
+# Redis Server endpoint to use for caching. A comma-separated list of endpoints
+# for Redis Cluster or Redis Sentinel. If empty, no redis will be used.
+# CLI flag: -frontend.redis.endpoint
+[endpoint: | default = ""]
+
+# Redis Sentinel master name. An empty string for Redis Server or Redis Cluster.
+# CLI flag: -frontend.redis.master-name
+[master_name: | default = ""]
+
+# Maximum time to wait before giving up on redis requests.
+# CLI flag: -frontend.redis.timeout
+[timeout: | default = 500ms]
+
+# How long keys stay in the redis.
+# CLI flag: -frontend.redis.expiration
+[expiration: | default = 0s]
+
+# Database index.
+# CLI flag: -frontend.redis.db
+[db: | default = 0]
+
+# Maximum number of connections in the pool.
+# CLI flag: -frontend.redis.pool-size
+[pool_size: | default = 0]
+
+# Password to use when connecting to redis.
+# CLI flag: -frontend.redis.password
+[password: | default = ""]
+
+# Enable connecting to redis with TLS.
+# CLI flag: -frontend.redis.tls-enabled
+[tls_enabled: | default = false]
+
+# Skip validating server certificate.
+# CLI flag: -frontend.redis.tls-insecure-skip-verify
+[tls_insecure_skip_verify: | default = false]
+
+# Close connections after remaining idle for this duration. If the value is
+# zero, then idle connections are not closed.
+# CLI flag: -frontend.redis.idle-timeout
+[idle_timeout: | default = 0s]
+
+# Close connections older than this duration. If the value is zero, then the
+# pool does not close connections based on age.
+# CLI flag: -frontend.redis.max-connection-age
+[max_connection_age: | default = 0s]
+```
+
+### `memcached_config`
+
+The `memcached_config` block configures how data is stored in Memcached (ie. expiration).
+
+```yaml
+# How long keys stay in the memcache.
+# CLI flag: -frontend.memcached.expiration
+[expiration: | default = 0s]
+
+# How many keys to fetch in each batch.
+# CLI flag: -frontend.memcached.batchsize
+[batch_size: | default = 1024]
+
+# Maximum active requests to memcache.
+# CLI flag: -frontend.memcached.parallelism
+[parallelism: | default = 100]
+```
+
+### `memcached_client_config`
+
+The `memcached_client_config` configures the client used to connect to Memcached.
+
+```yaml
+# Hostname for memcached service to use. If empty and if addresses is unset, no
+# memcached will be used.
+# CLI flag: -frontend.memcached.hostname
+[host: | default = ""]
+
+# SRV service used to discover memcache servers.
+# CLI flag: -frontend.memcached.service
+[service: | default = "memcached"]
+
+# EXPERIMENTAL: Comma separated addresses list in DNS Service Discovery format:
+# https://cortexmetrics.io/docs/configuration/arguments/#dns-service-discovery
+# CLI flag: -frontend.memcached.addresses
+[addresses: | default = ""]
+
+# Maximum time to wait before giving up on memcached requests.
+# CLI flag: -frontend.memcached.timeout
+[timeout: | default = 100ms]
+
+# Maximum number of idle connections in pool.
+# CLI flag: -frontend.memcached.max-idle-conns
+[max_idle_conns: | default = 16]
+
+# The maximum size of an item stored in memcached. Bigger items are not stored.
+# If set to 0, no maximum size is enforced.
+# CLI flag: -frontend.memcached.max-item-size
+[max_item_size: | default = 0]
+
+# Period with which to poll DNS for memcache servers.
+# CLI flag: -frontend.memcached.update-interval
+[update_interval: | default = 1m]
+
+# Use consistent hashing to distribute to memcache servers.
+# CLI flag: -frontend.memcached.consistent-hash
+[consistent_hash: | default = true]
+
+# Trip circuit-breaker after this number of consecutive dial failures (if zero
+# then circuit-breaker is disabled).
+# CLI flag: -frontend.memcached.circuit-breaker-consecutive-failures
+[circuit_breaker_consecutive_failures: | default = 10]
+
+# Duration circuit-breaker remains open after tripping (if zero then 60 seconds
+# is used).
+# CLI flag: -frontend.memcached.circuit-breaker-timeout
+[circuit_breaker_timeout: | default = 10s]
+
+# Reset circuit-breaker counts after this long (if zero then never reset).
+# CLI flag: -frontend.memcached.circuit-breaker-interval
+[circuit_breaker_interval: | default = 10s]
+```
+
+### `fifo_cache_config`
+
+The `fifo_cache_config` configures the local in-memory cache.
+
+```yaml
+# Maximum memory size of the cache in bytes. A unit suffix (KB, MB, GB) may be
+# applied.
+# CLI flag: -frontend.fifocache.max-size-bytes
+[max_size_bytes: | default = ""]
+
+# Maximum number of entries in the cache.
+# CLI flag: -frontend.fifocache.max-size-items
+[max_size_items: | default = 0]
+
+# The expiry duration for the cache.
+# CLI flag: -frontend.fifocache.duration
+[validity: | default = 0s]
+
+# Deprecated (use max-size-items or max-size-bytes instead): The number of
+# entries to cache.
+# CLI flag: -frontend.fifocache.size
+[size: | default = 0]
+```
+
+### `configs_config`
+
+The `configs_config` configures the Cortex Configs DB and API.
+
+```yaml
+database:
+ # URI where the database can be found (for dev you can use memory://)
+ # CLI flag: -configs.database.uri
+ [uri: | default = "postgres://postgres@configs-db.weave.local/configs?sslmode=disable"]
+
+ # Path where the database migration files can be found
+ # CLI flag: -configs.database.migrations-dir
+ [migrations_dir: | default = ""]
+
+ # File containing password (username goes in URI)
+ # CLI flag: -configs.database.password-file
+ [password_file: | default = ""]
+
+api:
+ notifications:
+ # Disable Email notifications for Alertmanager.
+ # CLI flag: -configs.notifications.disable-email
+ [disable_email: | default = false]
+
+ # Disable WebHook notifications for Alertmanager.
+ # CLI flag: -configs.notifications.disable-webhook
+ [disable_webhook: | default = false]
+```
+
+### `configstore_config`
+
+The `configstore_config` configures the config database storing rules and alerts, and is used by the Cortex alertmanager. The supported CLI flags `` used to reference this config block are:
+
+- `alertmanager-storage`
+- `ruler-storage`
+
+ 
+
+```yaml
+# URL of configs API server.
+# CLI flag: -.configs.url
+[configs_api_url: | default = ]
+
+# Timeout for requests to Weave Cloud configs service.
+# CLI flag: -.configs.client-timeout
+[client_timeout: | default = 5s]
+
+# Path to the client certificate file, which will be used for authenticating
+# with the server. Also requires the key path to be configured.
+# CLI flag: -.configs.tls-cert-path
+[tls_cert_path: | default = ""]
+
+# Path to the key file for the client certificate. Also requires the client
+# certificate to be configured.
+# CLI flag: -.configs.tls-key-path
+[tls_key_path: | default = ""]
+
+# Path to the CA certificates file to validate server certificate against. If
+# not set, the host's root CA certificates are used.
+# CLI flag: -.configs.tls-ca-path
+[tls_ca_path: | default = ""]
+
+# Override the expected name on the server certificate.
+# CLI flag: -.configs.tls-server-name +[tls_server_name: | default = ""] + +# Skip validating server certificate. +# CLI flag: -.configs.tls-insecure-skip-verify +[tls_insecure_skip_verify: | default = false] +``` + ### `blocks_storage_config` The `blocks_storage_config` configures the blocks storage. From 59f058dc9de075d04aa34417573081e2e595522a Mon Sep 17 00:00:00 2001 From: Ben Ye Date: Wed, 26 Apr 2023 21:53:53 +0000 Subject: [PATCH 3/4] update docs Signed-off-by: Ben Ye --- docs/configuration/config-file-reference.md | 1009 +------------------ 1 file changed, 5 insertions(+), 1004 deletions(-) diff --git a/docs/configuration/config-file-reference.md b/docs/configuration/config-file-reference.md index 6085579bbdf..5b6fa996a92 100644 --- a/docs/configuration/config-file-reference.md +++ b/docs/configuration/config-file-reference.md 
@@ -737,1010 +737,6 @@ local: [path: | default = ""] ``` -### `storage_config` - -The `storage_config` configures the storage type Cortex uses. - -```yaml -# The storage engine to use: blocks is the only supported option today. -# CLI flag: -store.engine -[engine: | default = "blocks"] -``` - -### `flusher_config` - -The `flusher_config` configures the WAL flusher target, used to manually run one-time flushes when scaling down ingesters. - -```yaml -# Stop Cortex after flush has finished. If false, Cortex process will keep -# running, doing nothing. -# CLI flag: -flusher.exit-after-flush -[exit_after_flush: | default = true] -``` - -### `ingester_client_config` - -The `ingester_client_config` configures how the Cortex distributors connect to the ingesters. - -```yaml -grpc_client_config: - # gRPC client max receive message size (bytes). - # CLI flag: -ingester.client.grpc-max-recv-msg-size - [max_recv_msg_size: | default = 104857600] - - # gRPC client max send message size (bytes). - # CLI flag: -ingester.client.grpc-max-send-msg-size - [max_send_msg_size: | default = 16777216] - - # Use compression when sending messages. Supported values are: 'gzip', - # 'snappy', 'zstd' and '' (disable compression) - # CLI flag: -ingester.client.grpc-compression - [grpc_compression: | default = ""] - - # Rate limit for gRPC client; 0 means disabled. - # CLI flag: -ingester.client.grpc-client-rate-limit - [rate_limit: | default = 0] - - # Rate limit burst for gRPC client. - # CLI flag: -ingester.client.grpc-client-rate-limit-burst - [rate_limit_burst: | default = 0] - - # Enable backoff and retry when we hit ratelimits. - # CLI flag: -ingester.client.backoff-on-ratelimits - [backoff_on_ratelimits: | default = false] - - backoff_config: - # Minimum delay when backing off. - # CLI flag: -ingester.client.backoff-min-period - [min_period: | default = 100ms] - - # Maximum delay when backing off. 
- # CLI flag: -ingester.client.backoff-max-period - [max_period: | default = 10s] - - # Number of times to backoff and retry before failing. - # CLI flag: -ingester.client.backoff-retries - [max_retries: | default = 10] - - # Enable TLS in the GRPC client. This flag needs to be enabled when any other - # TLS flag is set. If set to false, insecure connection to gRPC server will be - # used. - # CLI flag: -ingester.client.tls-enabled - [tls_enabled: | default = false] - - # Path to the client certificate file, which will be used for authenticating - # with the server. Also requires the key path to be configured. - # CLI flag: -ingester.client.tls-cert-path - [tls_cert_path: | default = ""] - - # Path to the key file for the client certificate. Also requires the client - # certificate to be configured. - # CLI flag: -ingester.client.tls-key-path - [tls_key_path: | default = ""] - - # Path to the CA certificates file to validate server certificate against. If - # not set, the host's root CA certificates are used. - # CLI flag: -ingester.client.tls-ca-path - [tls_ca_path: | default = ""] - - # Override the expected name on the server certificate. - # CLI flag: -ingester.client.tls-server-name - [tls_server_name: | default = ""] - - # Skip validating server certificate. - # CLI flag: -ingester.client.tls-insecure-skip-verify - [tls_insecure_skip_verify: | default = false] -``` - -### `frontend_worker_config` - -The `frontend_worker_config` configures the worker - running within the Cortex querier - picking up and executing queries enqueued by the query-frontend or query-scheduler. - -```yaml -# Address of query frontend service, in host:port format. If -# -querier.scheduler-address is set as well, querier will use scheduler instead. -# Only one of -querier.frontend-address or -querier.scheduler-address can be -# set. If neither is set, queries are only received via HTTP endpoint. 
-# CLI flag: -querier.frontend-address -[frontend_address: | default = ""] - -# Hostname (and port) of scheduler that querier will periodically resolve, -# connect to and receive queries from. Only one of -querier.frontend-address or -# -querier.scheduler-address can be set. If neither is set, queries are only -# received via HTTP endpoint. -# CLI flag: -querier.scheduler-address -[scheduler_address: | default = ""] - -# How often to query DNS for query-frontend or query-scheduler address. -# CLI flag: -querier.dns-lookup-period -[dns_lookup_duration: | default = 10s] - -# Number of simultaneous queries to process per query-frontend or -# query-scheduler. -# CLI flag: -querier.worker-parallelism -[parallelism: | default = 10] - -# Force worker concurrency to match the -querier.max-concurrent option. -# Overrides querier.worker-parallelism. -# CLI flag: -querier.worker-match-max-concurrent -[match_max_concurrent: | default = false] - -# Querier ID, sent to frontend service to identify requests from the same -# querier. Defaults to hostname. -# CLI flag: -querier.id -[id: | default = ""] - -grpc_client_config: - # gRPC client max receive message size (bytes). - # CLI flag: -querier.frontend-client.grpc-max-recv-msg-size - [max_recv_msg_size: | default = 104857600] - - # gRPC client max send message size (bytes). - # CLI flag: -querier.frontend-client.grpc-max-send-msg-size - [max_send_msg_size: | default = 16777216] - - # Use compression when sending messages. Supported values are: 'gzip', - # 'snappy', 'zstd' and '' (disable compression) - # CLI flag: -querier.frontend-client.grpc-compression - [grpc_compression: | default = ""] - - # Rate limit for gRPC client; 0 means disabled. - # CLI flag: -querier.frontend-client.grpc-client-rate-limit - [rate_limit: | default = 0] - - # Rate limit burst for gRPC client. - # CLI flag: -querier.frontend-client.grpc-client-rate-limit-burst - [rate_limit_burst: | default = 0] - - # Enable backoff and retry when we hit ratelimits. 
- # CLI flag: -querier.frontend-client.backoff-on-ratelimits - [backoff_on_ratelimits: | default = false] - - backoff_config: - # Minimum delay when backing off. - # CLI flag: -querier.frontend-client.backoff-min-period - [min_period: | default = 100ms] - - # Maximum delay when backing off. - # CLI flag: -querier.frontend-client.backoff-max-period - [max_period: | default = 10s] - - # Number of times to backoff and retry before failing. - # CLI flag: -querier.frontend-client.backoff-retries - [max_retries: | default = 10] - - # Enable TLS in the GRPC client. This flag needs to be enabled when any other - # TLS flag is set. If set to false, insecure connection to gRPC server will be - # used. - # CLI flag: -querier.frontend-client.tls-enabled - [tls_enabled: | default = false] - - # Path to the client certificate file, which will be used for authenticating - # with the server. Also requires the key path to be configured. - # CLI flag: -querier.frontend-client.tls-cert-path - [tls_cert_path: | default = ""] - - # Path to the key file for the client certificate. Also requires the client - # certificate to be configured. - # CLI flag: -querier.frontend-client.tls-key-path - [tls_key_path: | default = ""] - - # Path to the CA certificates file to validate server certificate against. If - # not set, the host's root CA certificates are used. - # CLI flag: -querier.frontend-client.tls-ca-path - [tls_ca_path: | default = ""] - - # Override the expected name on the server certificate. - # CLI flag: -querier.frontend-client.tls-server-name - [tls_server_name: | default = ""] - - # Skip validating server certificate. - # CLI flag: -querier.frontend-client.tls-insecure-skip-verify - [tls_insecure_skip_verify: | default = false] -``` - -### `etcd_config` - -The `etcd_config` configures the etcd client. 
The supported CLI flags `` used to reference this config block are: - -- _no prefix_ -- `alertmanager.sharding-ring` -- `compactor.ring` -- `distributor.ha-tracker` -- `distributor.ring` -- `ruler.ring` -- `store-gateway.sharding-ring` - -  - -```yaml -# The etcd endpoints to connect to. -# CLI flag: -.etcd.endpoints -[endpoints: | default = []] - -# The dial timeout for the etcd connection. -# CLI flag: -.etcd.dial-timeout -[dial_timeout: | default = 10s] - -# The maximum number of retries to do for failed ops. -# CLI flag: -.etcd.max-retries -[max_retries: | default = 10] - -# Enable TLS. -# CLI flag: -.etcd.tls-enabled -[tls_enabled: | default = false] - -# Path to the client certificate file, which will be used for authenticating -# with the server. Also requires the key path to be configured. -# CLI flag: -.etcd.tls-cert-path -[tls_cert_path: | default = ""] - -# Path to the key file for the client certificate. Also requires the client -# certificate to be configured. -# CLI flag: -.etcd.tls-key-path -[tls_key_path: | default = ""] - -# Path to the CA certificates file to validate server certificate against. If -# not set, the host's root CA certificates are used. -# CLI flag: -.etcd.tls-ca-path -[tls_ca_path: | default = ""] - -# Override the expected name on the server certificate. -# CLI flag: -.etcd.tls-server-name -[tls_server_name: | default = ""] - -# Skip validating server certificate. -# CLI flag: -.etcd.tls-insecure-skip-verify -[tls_insecure_skip_verify: | default = false] - -# Etcd username. -# CLI flag: -.etcd.username -[username: | default = ""] - -# Etcd password. -# CLI flag: -.etcd.password -[password: | default = ""] -``` - -### `consul_config` - -The `consul_config` configures the consul client. 
The supported CLI flags `` used to reference this config block are: - -- _no prefix_ -- `alertmanager.sharding-ring` -- `compactor.ring` -- `distributor.ha-tracker` -- `distributor.ring` -- `ruler.ring` -- `store-gateway.sharding-ring` - -  - -```yaml -# Hostname and port of Consul. -# CLI flag: -.consul.hostname -[host: | default = "localhost:8500"] - -# ACL Token used to interact with Consul. -# CLI flag: -.consul.acl-token -[acl_token: | default = ""] - -# HTTP timeout when talking to Consul -# CLI flag: -.consul.client-timeout -[http_client_timeout: | default = 20s] - -# Enable consistent reads to Consul. -# CLI flag: -.consul.consistent-reads -[consistent_reads: | default = false] - -# Rate limit when watching key or prefix in Consul, in requests per second. 0 -# disables the rate limit. -# CLI flag: -.consul.watch-rate-limit -[watch_rate_limit: | default = 1] - -# Burst size used in rate limit. Values less than 1 are treated as 1. -# CLI flag: -.consul.watch-burst-size -[watch_burst_size: | default = 1] -``` - -### `memberlist_config` - -The `memberlist_config` configures the Gossip memberlist. - -```yaml -# Name of the node in memberlist cluster. Defaults to hostname. -# CLI flag: -memberlist.nodename -[node_name: | default = ""] - -# Add random suffix to the node name. -# CLI flag: -memberlist.randomize-node-name -[randomize_node_name: | default = true] - -# The timeout for establishing a connection with a remote node, and for -# read/write operations. -# CLI flag: -memberlist.stream-timeout -[stream_timeout: | default = 10s] - -# Multiplication factor used when sending out messages (factor * log(N+1)). -# CLI flag: -memberlist.retransmit-factor -[retransmit_factor: | default = 4] - -# How often to use pull/push sync. -# CLI flag: -memberlist.pullpush-interval -[pull_push_interval: | default = 30s] - -# How often to gossip. -# CLI flag: -memberlist.gossip-interval -[gossip_interval: | default = 200ms] - -# How many nodes to gossip to. 
-# CLI flag: -memberlist.gossip-nodes -[gossip_nodes: | default = 3] - -# How long to keep gossiping to dead nodes, to give them chance to refute their -# death. -# CLI flag: -memberlist.gossip-to-dead-nodes-time -[gossip_to_dead_nodes_time: | default = 30s] - -# How soon can dead node's name be reclaimed with new address. 0 to disable. -# CLI flag: -memberlist.dead-node-reclaim-time -[dead_node_reclaim_time: | default = 0s] - -# Enable message compression. This can be used to reduce bandwidth usage at the -# cost of slightly more CPU utilization. -# CLI flag: -memberlist.compression-enabled -[compression_enabled: | default = true] - -# Gossip address to advertise to other members in the cluster. Used for NAT -# traversal. -# CLI flag: -memberlist.advertise-addr -[advertise_addr: | default = ""] - -# Gossip port to advertise to other members in the cluster. Used for NAT -# traversal. -# CLI flag: -memberlist.advertise-port -[advertise_port: | default = 7946] - -# Other cluster members to join. Can be specified multiple times. It can be an -# IP, hostname or an entry specified in the DNS Service Discovery format. -# CLI flag: -memberlist.join -[join_members: | default = []] - -# Min backoff duration to join other cluster members. -# CLI flag: -memberlist.min-join-backoff -[min_join_backoff: | default = 1s] - -# Max backoff duration to join other cluster members. -# CLI flag: -memberlist.max-join-backoff -[max_join_backoff: | default = 1m] - -# Max number of retries to join other cluster members. -# CLI flag: -memberlist.max-join-retries -[max_join_retries: | default = 10] - -# If this node fails to join memberlist cluster, abort. -# CLI flag: -memberlist.abort-if-join-fails -[abort_if_cluster_join_fails: | default = true] - -# If not 0, how often to rejoin the cluster. Occasional rejoin can help to fix -# the cluster split issue, and is harmless otherwise. 
For example when using -# only few components as a seed nodes (via -memberlist.join), then it's -# recommended to use rejoin. If -memberlist.join points to dynamic service that -# resolves to all gossiping nodes (eg. Kubernetes headless service), then rejoin -# is not needed. -# CLI flag: -memberlist.rejoin-interval -[rejoin_interval: | default = 0s] - -# How long to keep LEFT ingesters in the ring. -# CLI flag: -memberlist.left-ingesters-timeout -[left_ingesters_timeout: | default = 5m] - -# Timeout for leaving memberlist cluster. -# CLI flag: -memberlist.leave-timeout -[leave_timeout: | default = 5s] - -# How much space to use for keeping received and sent messages in memory for -# troubleshooting (two buffers). 0 to disable. -# CLI flag: -memberlist.message-history-buffer-bytes -[message_history_buffer_bytes: | default = 0] - -# IP address to listen on for gossip messages. Multiple addresses may be -# specified. Defaults to 0.0.0.0 -# CLI flag: -memberlist.bind-addr -[bind_addr: | default = []] - -# Port to listen on for gossip messages. -# CLI flag: -memberlist.bind-port -[bind_port: | default = 7946] - -# Timeout used when connecting to other nodes to send packet. -# CLI flag: -memberlist.packet-dial-timeout -[packet_dial_timeout: | default = 5s] - -# Timeout for writing 'packet' data. -# CLI flag: -memberlist.packet-write-timeout -[packet_write_timeout: | default = 5s] - -# Enable TLS on the memberlist transport layer. -# CLI flag: -memberlist.tls-enabled -[tls_enabled: | default = false] - -# Path to the client certificate file, which will be used for authenticating -# with the server. Also requires the key path to be configured. -# CLI flag: -memberlist.tls-cert-path -[tls_cert_path: | default = ""] - -# Path to the key file for the client certificate. Also requires the client -# certificate to be configured. -# CLI flag: -memberlist.tls-key-path -[tls_key_path: | default = ""] - -# Path to the CA certificates file to validate server certificate against. 
If -# not set, the host's root CA certificates are used. -# CLI flag: -memberlist.tls-ca-path -[tls_ca_path: | default = ""] - -# Override the expected name on the server certificate. -# CLI flag: -memberlist.tls-server-name -[tls_server_name: | default = ""] - -# Skip validating server certificate. -# CLI flag: -memberlist.tls-insecure-skip-verify -[tls_insecure_skip_verify: | default = false] -``` - -### `limits_config` - -The `limits_config` configures default and per-tenant limits imposed by Cortex services (ie. distributor, ingester, ...). - -```yaml -# Per-user ingestion rate limit in samples per second. -# CLI flag: -distributor.ingestion-rate-limit -[ingestion_rate: | default = 25000] - -# Whether the ingestion rate limit should be applied individually to each -# distributor instance (local), or evenly shared across the cluster (global). -# CLI flag: -distributor.ingestion-rate-limit-strategy -[ingestion_rate_strategy: | default = "local"] - -# Per-user allowed ingestion burst size (in number of samples). -# CLI flag: -distributor.ingestion-burst-size -[ingestion_burst_size: | default = 50000] - -# Flag to enable, for all users, handling of samples with external labels -# identifying replicas in an HA Prometheus setup. -# CLI flag: -distributor.ha-tracker.enable-for-all-users -[accept_ha_samples: | default = false] - -# Prometheus label to look for in samples to identify a Prometheus HA cluster. -# CLI flag: -distributor.ha-tracker.cluster -[ha_cluster_label: | default = "cluster"] - -# Prometheus label to look for in samples to identify a Prometheus HA replica. -# CLI flag: -distributor.ha-tracker.replica -[ha_replica_label: | default = "__replica__"] - -# Maximum number of clusters that HA tracker will keep track of for single user. -# 0 to disable the limit. 
-# CLI flag: -distributor.ha-tracker.max-clusters -[ha_max_clusters: | default = 0] - -# This flag can be used to specify label names that to drop during sample -# ingestion within the distributor and can be repeated in order to drop multiple -# labels. -# CLI flag: -distributor.drop-label -[drop_labels: | default = []] - -# Maximum length accepted for label names -# CLI flag: -validation.max-length-label-name -[max_label_name_length: | default = 1024] - -# Maximum length accepted for label value. This setting also applies to the -# metric name -# CLI flag: -validation.max-length-label-value -[max_label_value_length: | default = 2048] - -# Maximum number of label names per series. -# CLI flag: -validation.max-label-names-per-series -[max_label_names_per_series: | default = 30] - -# Maximum combined size in bytes of all labels and label values accepted for a -# series. 0 to disable the limit. -# CLI flag: -validation.max-labels-size-bytes -[max_labels_size_bytes: | default = 0] - -# Maximum length accepted for metric metadata. Metadata refers to Metric Name, -# HELP and UNIT. -# CLI flag: -validation.max-metadata-length -[max_metadata_length: | default = 1024] - -# Reject old samples. -# CLI flag: -validation.reject-old-samples -[reject_old_samples: | default = false] - -# Maximum accepted sample age before rejecting. -# CLI flag: -validation.reject-old-samples.max-age -[reject_old_samples_max_age: | default = 2w] - -# Duration which table will be created/deleted before/after it's needed; we -# won't accept sample from before this time. -# CLI flag: -validation.create-grace-period -[creation_grace_period: | default = 10m] - -# Enforce every metadata has a metric name. -# CLI flag: -validation.enforce-metadata-metric-name -[enforce_metadata_metric_name: | default = true] - -# Enforce every sample has a metric name. 
-# CLI flag: -validation.enforce-metric-name -[enforce_metric_name: | default = true] - -# The default tenant's shard size when the shuffle-sharding strategy is used. -# Must be set both on ingesters and distributors. When this setting is specified -# in the per-tenant overrides, a value of 0 disables shuffle sharding for the -# tenant. -# CLI flag: -distributor.ingestion-tenant-shard-size -[ingestion_tenant_shard_size: | default = 0] - -# List of metric relabel configurations. Note that in most situations, it is -# more effective to use metrics relabeling directly in the Prometheus server, -# e.g. remote_write.write_relabel_configs. -[metric_relabel_configs: | default = ] - -# Enables support for exemplars in TSDB and sets the maximum number that will be -# stored. less than zero means disabled. If the value is set to zero, cortex -# will fallback to blocks-storage.tsdb.max-exemplars value. -# CLI flag: -ingester.max-exemplars -[max_exemplars: | default = 0] - -# The maximum number of series for which a query can fetch samples from each -# ingester. This limit is enforced only in the ingesters (when querying samples -# not flushed to the storage yet) and it's a per-instance limit. This limit is -# ignored when running the Cortex blocks storage. When running Cortex with -# blocks storage use -querier.max-fetched-series-per-query limit instead. -# CLI flag: -ingester.max-series-per-query -[max_series_per_query: | default = 100000] - -# The maximum number of active series per user, per ingester. 0 to disable. -# CLI flag: -ingester.max-series-per-user -[max_series_per_user: | default = 5000000] - -# The maximum number of active series per metric name, per ingester. 0 to -# disable. -# CLI flag: -ingester.max-series-per-metric -[max_series_per_metric: | default = 50000] - -# The maximum number of active series per user, across the cluster before -# replication. 0 to disable. Supported only if -distributor.shard-by-all-labels -# is true. 
-# CLI flag: -ingester.max-global-series-per-user -[max_global_series_per_user: | default = 0] - -# The maximum number of active series per metric name, across the cluster before -# replication. 0 to disable. -# CLI flag: -ingester.max-global-series-per-metric -[max_global_series_per_metric: | default = 0] - -# The maximum number of active metrics with metadata per user, per ingester. 0 -# to disable. -# CLI flag: -ingester.max-metadata-per-user -[max_metadata_per_user: | default = 8000] - -# The maximum number of metadata per metric, per ingester. 0 to disable. -# CLI flag: -ingester.max-metadata-per-metric -[max_metadata_per_metric: | default = 10] - -# The maximum number of active metrics with metadata per user, across the -# cluster. 0 to disable. Supported only if -distributor.shard-by-all-labels is -# true. -# CLI flag: -ingester.max-global-metadata-per-user -[max_global_metadata_per_user: | default = 0] - -# The maximum number of metadata per metric, across the cluster. 0 to disable. -# CLI flag: -ingester.max-global-metadata-per-metric -[max_global_metadata_per_metric: | default = 0] - -# Maximum number of chunks that can be fetched in a single query from ingesters -# and long-term storage. This limit is enforced in the querier, ruler and -# store-gateway. 0 to disable. -# CLI flag: -querier.max-fetched-chunks-per-query -[max_fetched_chunks_per_query: | default = 2000000] - -# The maximum number of unique series for which a query can fetch samples from -# each ingesters and blocks storage. This limit is enforced in the querier, -# ruler and store-gateway. 0 to disable -# CLI flag: -querier.max-fetched-series-per-query -[max_fetched_series_per_query: | default = 0] - -# Deprecated (user max-fetched-data-bytes-per-query instead): The maximum size -# of all chunks in bytes that a query can fetch from each ingester and storage. -# This limit is enforced in the querier, ruler and store-gateway. 0 to disable. 
-# CLI flag: -querier.max-fetched-chunk-bytes-per-query -[max_fetched_chunk_bytes_per_query: | default = 0] - -# The maximum combined size of all data that a query can fetch from each -# ingester and storage. This limit is enforced in the querier and ruler for -# `query`, `query_range` and `series` APIs. 0 to disable. -# CLI flag: -querier.max-fetched-data-bytes-per-query -[max_fetched_data_bytes_per_query: | default = 0] - -# Limit how long back data (series and metadata) can be queried, up until -# duration ago. This limit is enforced in the query-frontend, querier -# and ruler. If the requested time range is outside the allowed range, the -# request will not fail but will be manipulated to only query data within the -# allowed time range. 0 to disable. -# CLI flag: -querier.max-query-lookback -[max_query_lookback: | default = 0s] - -# Limit the query time range (end - start time). This limit is enforced in the -# query-frontend (on the received query) and in the querier (on the query -# possibly split by the query-frontend). 0 to disable. -# CLI flag: -store.max-query-length -[max_query_length: | default = 0s] - -# Maximum number of split queries will be scheduled in parallel by the frontend. -# CLI flag: -querier.max-query-parallelism -[max_query_parallelism: | default = 14] - -# Most recent allowed cacheable result per-tenant, to prevent caching very -# recent results that might still be in flux. -# CLI flag: -frontend.max-cache-freshness -[max_cache_freshness: | default = 1m] - -# Maximum number of queriers that can handle requests for a single tenant. If -# set to 0 or value higher than number of available queriers, *all* queriers -# will handle requests for the tenant. Each frontend (or query-scheduler, if -# used) will select the same set of queriers for the same tenant (given that all -# queriers are connected to all frontends / query-schedulers). 
This option only -# works with queriers connecting to the query-frontend / query-scheduler, not -# when using downstream URL. -# CLI flag: -frontend.max-queriers-per-tenant -[max_queriers_per_tenant: | default = 0] - -# Maximum number of outstanding requests per tenant per request queue (either -# query frontend or query scheduler); requests beyond this error with HTTP 429. -# CLI flag: -frontend.max-outstanding-requests-per-tenant -[max_outstanding_requests_per_tenant: | default = 100] - -# Duration to delay the evaluation of rules to ensure the underlying metrics -# have been pushed to Cortex. -# CLI flag: -ruler.evaluation-delay-duration -[ruler_evaluation_delay_duration: | default = 0s] - -# The default tenant's shard size when the shuffle-sharding strategy is used by -# ruler. When this setting is specified in the per-tenant overrides, a value of -# 0 disables shuffle sharding for the tenant. -# CLI flag: -ruler.tenant-shard-size -[ruler_tenant_shard_size: | default = 0] - -# Maximum number of rules per rule group per-tenant. 0 to disable. -# CLI flag: -ruler.max-rules-per-rule-group -[ruler_max_rules_per_rule_group: | default = 0] - -# Maximum number of rule groups per-tenant. 0 to disable. -# CLI flag: -ruler.max-rule-groups-per-tenant -[ruler_max_rule_groups_per_tenant: | default = 0] - -# The default tenant's shard size when the shuffle-sharding strategy is used. -# Must be set when the store-gateway sharding is enabled with the -# shuffle-sharding strategy. When this setting is specified in the per-tenant -# overrides, a value of 0 disables shuffle sharding for the tenant. -# CLI flag: -store-gateway.tenant-shard-size -[store_gateway_tenant_shard_size: | default = 0] - -# The maximum number of data bytes to download per gRPC request in Store -# Gateway, including Series/LabelNames/LabelValues requests. 0 to disable. 
-# CLI flag: -store-gateway.max-downloaded-bytes-per-request -[max_downloaded_bytes_per_request: | default = 0] - -# Delete blocks containing samples older than the specified retention period. 0 -# to disable. -# CLI flag: -compactor.blocks-retention-period -[compactor_blocks_retention_period: | default = 0s] - -# The default tenant's shard size when the shuffle-sharding strategy is used by -# the compactor. When this setting is specified in the per-tenant overrides, a -# value of 0 disables shuffle sharding for the tenant. -# CLI flag: -compactor.tenant-shard-size -[compactor_tenant_shard_size: | default = 0] - -# S3 server-side encryption type. Required to enable server-side encryption -# overrides for a specific tenant. If not set, the default S3 client settings -# are used. -[s3_sse_type: | default = ""] - -# S3 server-side encryption KMS Key ID. Ignored if the SSE type override is not -# set. -[s3_sse_kms_key_id: | default = ""] - -# S3 server-side encryption KMS encryption context. If unset and the key ID -# override is set, the encryption context will not be provided to S3. Ignored if -# the SSE type override is not set. -[s3_sse_kms_encryption_context: | default = ""] - -# Comma-separated list of network CIDRs to block in Alertmanager receiver -# integrations. -# CLI flag: -alertmanager.receivers-firewall-block-cidr-networks -[alertmanager_receivers_firewall_block_cidr_networks: | default = ""] - -# True to block private and local addresses in Alertmanager receiver -# integrations. It blocks private addresses defined by RFC 1918 (IPv4 -# addresses) and RFC 4193 (IPv6 addresses), as well as loopback, local unicast -# and local multicast addresses. -# CLI flag: -alertmanager.receivers-firewall-block-private-addresses -[alertmanager_receivers_firewall_block_private_addresses: | default = false] - -# Per-user rate limit for sending notifications from Alertmanager in -# notifications/sec. 0 = rate limit disabled. Negative value = no notifications -# are allowed. 
-# CLI flag: -alertmanager.notification-rate-limit -[alertmanager_notification_rate_limit: | default = 0] - -# Per-integration notification rate limits. Value is a map, where each key is -# integration name and value is a rate-limit (float). On command line, this map -# is given in JSON format. Rate limit has the same meaning as -# -alertmanager.notification-rate-limit, but only applies for specific -# integration. Allowed integration names: webhook, email, pagerduty, opsgenie, -# wechat, slack, victorops, pushover, sns. -# CLI flag: -alertmanager.notification-rate-limit-per-integration -[alertmanager_notification_rate_limit_per_integration: | default = {}] - -# Maximum size of configuration file for Alertmanager that tenant can upload via -# Alertmanager API. 0 = no limit. -# CLI flag: -alertmanager.max-config-size-bytes -[alertmanager_max_config_size_bytes: | default = 0] - -# Maximum number of templates in tenant's Alertmanager configuration uploaded -# via Alertmanager API. 0 = no limit. -# CLI flag: -alertmanager.max-templates-count -[alertmanager_max_templates_count: | default = 0] - -# Maximum size of single template in tenant's Alertmanager configuration -# uploaded via Alertmanager API. 0 = no limit. -# CLI flag: -alertmanager.max-template-size-bytes -[alertmanager_max_template_size_bytes: | default = 0] - -# Maximum number of aggregation groups in Alertmanager's dispatcher that a -# tenant can have. Each active aggregation group uses single goroutine. When the -# limit is reached, dispatcher will not dispatch alerts that belong to -# additional aggregation groups, but existing groups will keep working properly. -# 0 = no limit. -# CLI flag: -alertmanager.max-dispatcher-aggregation-groups -[alertmanager_max_dispatcher_aggregation_groups: | default = 0] - -# Maximum number of alerts that a single user can have. Inserting more alerts -# will fail with a log message and metric increment. 0 = no limit. 
-# CLI flag: -alertmanager.max-alerts-count -[alertmanager_max_alerts_count: | default = 0] - -# Maximum total size of alerts that a single user can have, alert size is the -# sum of the bytes of its labels, annotations and generatorURL. Inserting more -# alerts will fail with a log message and metric increment. 0 = no limit. -# CLI flag: -alertmanager.max-alerts-size-bytes -[alertmanager_max_alerts_size_bytes: | default = 0] -``` - -### `redis_config` - -The `redis_config` configures the Redis backend cache. - -```yaml -# Redis Server endpoint to use for caching. A comma-separated list of endpoints -# for Redis Cluster or Redis Sentinel. If empty, no redis will be used. -# CLI flag: -frontend.redis.endpoint -[endpoint: | default = ""] - -# Redis Sentinel master name. An empty string for Redis Server or Redis Cluster. -# CLI flag: -frontend.redis.master-name -[master_name: | default = ""] - -# Maximum time to wait before giving up on redis requests. -# CLI flag: -frontend.redis.timeout -[timeout: | default = 500ms] - -# How long keys stay in the redis. -# CLI flag: -frontend.redis.expiration -[expiration: | default = 0s] - -# Database index. -# CLI flag: -frontend.redis.db -[db: | default = 0] - -# Maximum number of connections in the pool. -# CLI flag: -frontend.redis.pool-size -[pool_size: | default = 0] - -# Password to use when connecting to redis. -# CLI flag: -frontend.redis.password -[password: | default = ""] - -# Enable connecting to redis with TLS. -# CLI flag: -frontend.redis.tls-enabled -[tls_enabled: | default = false] - -# Skip validating server certificate. -# CLI flag: -frontend.redis.tls-insecure-skip-verify -[tls_insecure_skip_verify: | default = false] - -# Close connections after remaining idle for this duration. If the value is -# zero, then idle connections are not closed. -# CLI flag: -frontend.redis.idle-timeout -[idle_timeout: | default = 0s] - -# Close connections older than this duration. 
If the value is zero, then the -# pool does not close connections based on age. -# CLI flag: -frontend.redis.max-connection-age -[max_connection_age: | default = 0s] -``` - -### `memcached_config` - -The `memcached_config` block configures how data is stored in Memcached (ie. expiration). - -```yaml -# How long keys stay in the memcache. -# CLI flag: -frontend.memcached.expiration -[expiration: | default = 0s] - -# How many keys to fetch in each batch. -# CLI flag: -frontend.memcached.batchsize -[batch_size: | default = 1024] - -# Maximum active requests to memcache. -# CLI flag: -frontend.memcached.parallelism -[parallelism: | default = 100] -``` - -### `memcached_client_config` - -The `memcached_client_config` configures the client used to connect to Memcached. - -```yaml -# Hostname for memcached service to use. If empty and if addresses is unset, no -# memcached will be used. -# CLI flag: -frontend.memcached.hostname -[host: | default = ""] - -# SRV service used to discover memcache servers. -# CLI flag: -frontend.memcached.service -[service: | default = "memcached"] - -# EXPERIMENTAL: Comma separated addresses list in DNS Service Discovery format: -# https://cortexmetrics.io/docs/configuration/arguments/#dns-service-discovery -# CLI flag: -frontend.memcached.addresses -[addresses: | default = ""] - -# Maximum time to wait before giving up on memcached requests. -# CLI flag: -frontend.memcached.timeout -[timeout: | default = 100ms] - -# Maximum number of idle connections in pool. -# CLI flag: -frontend.memcached.max-idle-conns -[max_idle_conns: | default = 16] - -# The maximum size of an item stored in memcached. Bigger items are not stored. -# If set to 0, no maximum size is enforced. -# CLI flag: -frontend.memcached.max-item-size -[max_item_size: | default = 0] - -# Period with which to poll DNS for memcache servers. 
-# CLI flag: -frontend.memcached.update-interval -[update_interval: | default = 1m] - -# Use consistent hashing to distribute to memcache servers. -# CLI flag: -frontend.memcached.consistent-hash -[consistent_hash: | default = true] - -# Trip circuit-breaker after this number of consecutive dial failures (if zero -# then circuit-breaker is disabled). -# CLI flag: -frontend.memcached.circuit-breaker-consecutive-failures -[circuit_breaker_consecutive_failures: | default = 10] - -# Duration circuit-breaker remains open after tripping (if zero then 60 seconds -# is used). -# CLI flag: -frontend.memcached.circuit-breaker-timeout -[circuit_breaker_timeout: | default = 10s] - -# Reset circuit-breaker counts after this long (if zero then never reset). -# CLI flag: -frontend.memcached.circuit-breaker-interval -[circuit_breaker_interval: | default = 10s] -``` - -### `fifo_cache_config` - -The `fifo_cache_config` configures the local in-memory cache. - -```yaml -# Maximum memory size of the cache in bytes. A unit suffix (KB, MB, GB) may be -# applied. -# CLI flag: -frontend.fifocache.max-size-bytes -[max_size_bytes: | default = ""] - -# Maximum number of entries in the cache. -# CLI flag: -frontend.fifocache.max-size-items -[max_size_items: | default = 0] - -# The expiry duration for the cache. -# CLI flag: -frontend.fifocache.duration -[validity: | default = 0s] - -# Deprecated (use max-size-items or max-size-bytes instead): The number of -# entries to cache. -# CLI flag: -frontend.fifocache.size -[size: | default = 0] -``` - -### `configs_config` - -The `configs_config` configures the Cortex Configs DB and API. 
- -```yaml -database: - # URI where the database can be found (for dev you can use memory://) - # CLI flag: -configs.database.uri - [uri: | default = "postgres://postgres@configs-db.weave.local/configs?sslmode=disable"] - - # Path where the database migration files can be found - # CLI flag: -configs.database.migrations-dir - [migrations_dir: | default = ""] - - # File containing password (username goes in URI) - # CLI flag: -configs.database.password-file - [password_file: | default = ""] - -api: - notifications: - # Disable Email notifications for Alertmanager. - # CLI flag: -configs.notifications.disable-email - [disable_email: | default = false] - - # Disable WebHook notifications for Alertmanager. - # CLI flag: -configs.notifications.disable-webhook - [disable_webhook: | default = false] -``` - -### `configstore_config` - -The `configstore_config` configures the config database storing rules and alerts, and is used by the Cortex alertmanager. The supported CLI flags `` used to reference this config block are: - -- `alertmanager-storage` -- `ruler-storage` - -  - -```yaml -# URL of configs API server. -# CLI flag: -.configs.url -[configs_api_url: | default = ] - -# Timeout for requests to Weave Cloud configs service. -# CLI flag: -.configs.client-timeout -[client_timeout: | default = 5s] - -# Path to the client certificate file, which will be used for authenticating -# with the server. Also requires the key path to be configured. -# CLI flag: -.configs.tls-cert-path -[tls_cert_path: | default = ""] - -# Path to the key file for the client certificate. Also requires the client -# certificate to be configured. -# CLI flag: -.configs.tls-key-path -[tls_key_path: | default = ""] - -# Path to the CA certificates file to validate server certificate against. If -# not set, the host's root CA certificates are used. -# CLI flag: -.configs.tls-ca-path -[tls_ca_path: | default = ""] - -# Override the expected name on the server certificate. 
-# CLI flag: -.configs.tls-server-name -[tls_server_name: | default = ""] - -# Skip validating server certificate. -# CLI flag: -.configs.tls-insecure-skip-verify -[tls_insecure_skip_verify: | default = false] -``` - ### `blocks_storage_config` The `blocks_storage_config` configures the blocks storage. @@ -3954,6 +2950,11 @@ The `limits_config` configures default and per-tenant limits imposed by Cortex s # CLI flag: -store-gateway.tenant-shard-size [store_gateway_tenant_shard_size: | default = 0] +# The maximum number of data bytes to download per gRPC request in Store +# Gateway, including Series/LabelNames/LabelValues requests. 0 to disable. +# CLI flag: -store-gateway.max-downloaded-bytes-per-request +[max_downloaded_bytes_per_request: | default = 0] + # Delete blocks containing samples older than the specified retention period. 0 # to disable. # CLI flag: -compactor.blocks-retention-period From 57f11f69f5304a2a4f7b5929af686986772f05bf Mon Sep 17 00:00:00 2001 From: Ben Ye Date: Wed, 26 Apr 2023 15:03:13 -0700 Subject: [PATCH 4/4] update changelog Signed-off-by: Ben Ye --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 18e93b23798..cb7b42bf8a7 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -3,6 +3,7 @@
 ## master / unreleased
 * [CHANGE] Alertmanager: Validating new fields on the PagerDuty AM config. #5290
 * [CHANGE] Ingester: Creating label `native-histogram-sample` on the `cortex_discarded_samples_total` to keep track of discarded native histogram samples. #5289
+* [FEATURE] Store Gateway: Add `max_downloaded_bytes_per_request` to limit max bytes to download per store gateway request.
 * [BUGFIX] Ruler: Validate if rule group can be safely converted back to rule group yaml from protobuf message #5265
 * [BUGFIX] Querier: Convert gRPC `ResourceExhausted` status code from store gateway to 422 limit error. #5286
 * [BUGFIX] Alertmanager: Route web-ui requests to the alertmanager distributor when sharding is enabled. #5293