// Code generated by lxd-metadata; DO NOT EDIT.

<!-- config group cluster-cluster start -->
```{config:option} scheduler.instance cluster-cluster
:defaultdesc: "`all`"
:shortdesc: "Controls how instances are scheduled to run on this member"
:type: "string"
Possible values are `all`, `manual`, and `group`. See
{ref}`clustering-instance-placement` for more information.
```

```{config:option} user.* cluster-cluster
:shortdesc: "Free form user key/value storage"
:type: "string"
User keys can be used in search.
```

<!-- config group cluster-cluster end -->
<!-- config group device-disk-device-conf start -->
```{config:option} boot.priority device-disk-device-conf
:condition: "virtual machine"
:required: "no"
:shortdesc: "Boot priority for VMs"
:type: "integer"
A higher value indicates a higher boot precedence for the disk device.
This is useful for prioritizing boot sources like ISO-backed disks.
```

```{config:option} ceph.cluster_name device-disk-device-conf
:defaultdesc: "`ceph`"
:required: "for Ceph or CephFS sources"
:shortdesc: "Cluster name of the Ceph cluster"
:type: "string"

```

```{config:option} ceph.user_name device-disk-device-conf
:defaultdesc: "`admin`"
:required: "for Ceph or CephFS sources"
:shortdesc: "User name of the Ceph cluster"
:type: "string"

```

```{config:option} initial.* device-disk-device-conf
:required: "no"
:shortdesc: "Initial volume configuration"
:type: "n/a"
Initial volume configuration allows setting unique configurations independent of the default storage pool settings.
See {ref}`devices-disk-initial-config` for more information.
```

```{config:option} io.bus device-disk-device-conf
:condition: "virtual machine"
:defaultdesc: "`virtio-scsi`"
:required: "no"
:shortdesc: "Bus for the device"
:type: "string"
Possible values are `virtio-scsi`, `virtio-blk` or `nvme`.
```

```{config:option} io.cache device-disk-device-conf
:condition: "virtual machine"
:defaultdesc: "`none`"
:required: "no"
:shortdesc: "Caching mode for the device"
:type: "string"
Possible values are `none`, `writeback`, or `unsafe`.
```

```{config:option} io.threads device-disk-device-conf
:condition: "virtual machine"
:defaultdesc: "`0`"
:required: "no"
:shortdesc: "Thread pool for virtiofs file system shares"
:type: "integer"
This option controls the `virtiofsd` thread pool size, which can help improve I/O performance. Only applies to virtiofs file system shares.
In {config:option}`project-restricted:restricted` projects, it can only be used when {config:option}`project-restricted:restricted.virtual-machines.lowlevel` is set to `allow`.
```

```{config:option} limits.max device-disk-device-conf
:required: "no"
:shortdesc: "I/O limit in byte/s or IOPS for both read and write"
:type: "string"
This option is the same as setting both {config:option}`device-disk-device-conf:limits.read` and {config:option}`device-disk-device-conf:limits.write`.

You can specify a value in byte/s (various suffixes supported, see {ref}`instances-limit-units`) or in IOPS (must be suffixed with `iops`).
See also {ref}`storage-configure-io`.

```

```{config:option} limits.read device-disk-device-conf
:required: "no"
:shortdesc: "Read I/O limit in byte/s or IOPS"
:type: "string"
You can specify a value in byte/s (various suffixes supported, see {ref}`instances-limit-units`) or in IOPS (must be suffixed with `iops`).
See also {ref}`storage-configure-io`.
```

```{config:option} limits.write device-disk-device-conf
:required: "no"
:shortdesc: "Write I/O limit in byte/s or IOPS"
:type: "string"
You can specify a value in byte/s (various suffixes supported, see {ref}`instances-limit-units`) or in IOPS (must be suffixed with `iops`).
See also {ref}`storage-configure-io`.
```

```{config:option} path device-disk-device-conf
:condition: "container"
:required: "yes"
:shortdesc: "Mount path"
:type: "string"
This option specifies the path inside the container where the disk will be mounted.
```

```{config:option} pool device-disk-device-conf
:condition: "storage volumes managed by LXD"
:required: "no"
:shortdesc: "Storage pool to which the disk device belongs"
:type: "string"

```

```{config:option} propagation device-disk-device-conf
:defaultdesc: "`private`"
:required: "no"
:shortdesc: "How a bind-mount is shared between the instance and the host"
:type: "string"
Possible values are `private` (the default), `shared`, `slave`, `unbindable`, `rshared`, `rslave`, `runbindable`, `rprivate`.
See the Linux Kernel [shared subtree](https://www.kernel.org/doc/Documentation/filesystems/sharedsubtree.txt) documentation for a full explanation.

```

```{config:option} raw.mount.options device-disk-device-conf
:required: "no"
:shortdesc: "File system specific mount options"
:type: "string"

```

```{config:option} readonly device-disk-device-conf
:defaultdesc: "`false`"
:required: "no"
:shortdesc: "Whether to make the mount read-only"
:type: "bool"

```

```{config:option} recursive device-disk-device-conf
:defaultdesc: "`false`"
:required: "no"
:shortdesc: "Whether to recursively mount the source path"
:type: "bool"

```

```{config:option} required device-disk-device-conf
:defaultdesc: "`true`"
:required: "no"
:shortdesc: "Whether to fail if the source doesn’t exist"
:type: "bool"

```

```{config:option} shift device-disk-device-conf
:condition: "container"
:defaultdesc: "`false`"
:required: "no"
:shortdesc: "Whether to set up a UID/GID shifting overlay"
:type: "bool"
If enabled, this option sets up a shifting overlay to translate the source UID/GID to match the container instance.
```

```{config:option} size device-disk-device-conf
:required: "no"
:shortdesc: "Disk size"
:type: "string"
This option is supported only for the rootfs (`/`).

Specify a value in bytes (various suffixes supported, see {ref}`instances-limit-units`).
```

```{config:option} size.state device-disk-device-conf
:condition: "virtual machine"
:required: "no"
:shortdesc: "Size of the file-system volume used for saving runtime state"
:type: "string"
This option is similar to {config:option}`device-disk-device-conf:size`, but applies to the file-system volume used for saving the runtime state in VMs.
```

```{config:option} source device-disk-device-conf
:required: "yes"
:shortdesc: "Source of a file system or block device"
:type: "string"
See {ref}`devices-disk-types` for details.

```

```{config:option} source.snapshot device-disk-device-conf
:required: "no"
:shortdesc: "`source` snapshot name"
:type: "string"
Snapshot of the volume given by `source`.
```

```{config:option} source.type device-disk-device-conf
:defaultdesc: "`custom`"
:required: "no"
:shortdesc: "Type of the backing storage volume"
:type: "string"
Possible values are `custom` (the default) or `virtual-machine`. This
key is only valid when `source` is the name of a storage volume.
```

<!-- config group device-disk-device-conf end -->
<!-- config group device-gpu-mdev-device-conf start -->
```{config:option} id device-gpu-mdev-device-conf
:shortdesc: "DRM card ID of the GPU device"
:type: "string"

```

```{config:option} mdev device-gpu-mdev-device-conf
:defaultdesc: "`0`"
:required: "yes"
:shortdesc: "The `mdev` profile to use"
:type: "string"
For example: `i915-GVTg_V5_4`
```

```{config:option} pci device-gpu-mdev-device-conf
:shortdesc: "PCI address of the GPU device"
:type: "string"

```

```{config:option} productid device-gpu-mdev-device-conf
:shortdesc: "Product ID of the GPU device"
:type: "string"

```

```{config:option} vendorid device-gpu-mdev-device-conf
:shortdesc: "Vendor ID of the GPU device"
:type: "string"

```

<!-- config group device-gpu-mdev-device-conf end -->
<!-- config group device-gpu-mig-device-conf start -->
```{config:option} id device-gpu-mig-device-conf
:shortdesc: "DRM card ID of the GPU device"
:type: "string"

```

```{config:option} mig.ci device-gpu-mig-device-conf
:shortdesc: "Existing MIG compute instance ID"
:type: "integer"

```

```{config:option} mig.gi device-gpu-mig-device-conf
:shortdesc: "Existing MIG GPU instance ID"
:type: "integer"

```

```{config:option} mig.uuid device-gpu-mig-device-conf
:shortdesc: "Existing MIG device UUID"
:type: "string"
You can omit the `MIG-` prefix when specifying this option.
```

```{config:option} pci device-gpu-mig-device-conf
:shortdesc: "PCI address of the GPU device"
:type: "string"

```

```{config:option} productid device-gpu-mig-device-conf
:shortdesc: "Product ID of the GPU device"
:type: "string"

```

```{config:option} vendorid device-gpu-mig-device-conf
:shortdesc: "Vendor ID of the GPU device"
:type: "string"

```

<!-- config group device-gpu-mig-device-conf end -->
<!-- config group device-gpu-physical-device-conf start -->
```{config:option} gid device-gpu-physical-device-conf
:condition: "container"
:defaultdesc: "`0`"
:shortdesc: "GID of the device owner in the container"
:type: "integer"

```

```{config:option} id device-gpu-physical-device-conf
:shortdesc: "ID of the GPU device"
:type: "string"
The ID can either be the DRM card ID of the GPU device (container or VM) or a fully-qualified Container Device Interface (CDI) name (container only).
Here are some examples of fully-qualified CDI names:

- `nvidia.com/gpu=0`: Instructs LXD to pass through the first discovered NVIDIA discrete GPU (dGPU) on your system. You can use the `nvidia-smi` tool on your host to find out which identifier to use.
- `nvidia.com/gpu=1833c8b5-9aa0-5382-b784-68b7e77eb185`: Instructs LXD to pass through the NVIDIA discrete GPU (dGPU) with the given unique identifier. This identifier should also appear in the output of `nvidia-smi -L`.
- `nvidia.com/igpu=all`: Instructs LXD to pass through all NVIDIA integrated GPUs (iGPU) of the host. The concept of an index does not currently map to iGPUs. You can list them with the `nvidia-smi -L` command. A special `nvgpu` mention should appear in the generated list to indicate that a device is an iGPU.
- `nvidia.com/gpu=all`: Instructs LXD to pass all NVIDIA GPUs of the host through to the container.
```

```{config:option} mode device-gpu-physical-device-conf
:condition: "container"
:defaultdesc: "`0660`"
:shortdesc: "Mode of the device in the container"
:type: "integer"

```

```{config:option} pci device-gpu-physical-device-conf
:shortdesc: "PCI address of the GPU device"
:type: "string"

```

```{config:option} productid device-gpu-physical-device-conf
:shortdesc: "Product ID of the GPU device"
:type: "string"

```

```{config:option} uid device-gpu-physical-device-conf
:condition: "container"
:defaultdesc: "`0`"
:shortdesc: "UID of the device owner in the container"
:type: "integer"

```

```{config:option} vendorid device-gpu-physical-device-conf
:shortdesc: "Vendor ID of the GPU device"
:type: "string"

```

<!-- config group device-gpu-physical-device-conf end -->
<!-- config group device-gpu-sriov-device-conf start -->
```{config:option} id device-gpu-sriov-device-conf
:shortdesc: "DRM card ID of the parent GPU device"
:type: "string"

```

```{config:option} pci device-gpu-sriov-device-conf
:shortdesc: "PCI address of the parent GPU device"
:type: "string"

```

```{config:option} productid device-gpu-sriov-device-conf
:shortdesc: "Product ID of the parent GPU device"
:type: "string"

```

```{config:option} vendorid device-gpu-sriov-device-conf
:shortdesc: "Vendor ID of the parent GPU device"
:type: "string"

```

<!-- config group device-gpu-sriov-device-conf end -->
<!-- config group device-infiniband-device-conf start -->
```{config:option} hwaddr device-infiniband-device-conf
:defaultdesc: "randomly assigned"
:required: "no"
:shortdesc: "MAC address of the new interface"
:type: "string"
You can specify either the full 20-byte variant or the short 8-byte variant (which will modify only the last 8 bytes of the parent device).
```

```{config:option} mtu device-infiniband-device-conf
:defaultdesc: "parent MTU"
:required: "no"
:shortdesc: "MTU of the new interface"
:type: "integer"

```

```{config:option} name device-infiniband-device-conf
:defaultdesc: "kernel assigned"
:required: "no"
:shortdesc: "Name of the interface inside the instance"
:type: "string"

```

```{config:option} nictype device-infiniband-device-conf
:required: "yes"
:shortdesc: "Device type"
:type: "string"
Possible values are `physical` and `sriov`.
```

```{config:option} parent device-infiniband-device-conf
:required: "yes"
:shortdesc: "The name of the host device or bridge"
:type: "string"

```

<!-- config group device-infiniband-device-conf end -->
<!-- config group device-nic-bridged-device-conf start -->
```{config:option} boot.priority device-nic-bridged-device-conf
:managed: "no"
:shortdesc: "Boot priority for VMs"
:type: "integer"
A higher value for this option means that the VM boots first.
```

```{config:option} host_name device-nic-bridged-device-conf
:defaultdesc: "randomly assigned"
:managed: "no"
:shortdesc: "Name of the interface inside the host"
:type: "string"

```

```{config:option} hwaddr device-nic-bridged-device-conf
:defaultdesc: "randomly assigned"
:managed: "no"
:shortdesc: "MAC address of the new interface"
:type: "string"

```

```{config:option} ipv4.address device-nic-bridged-device-conf
:managed: "no"
:shortdesc: "IPv4 address to assign to the instance through DHCP"
:type: "string"
Set this option to `none` to restrict all IPv4 traffic when {config:option}`device-nic-bridged-device-conf:security.ipv4_filtering` is set.
```

```{config:option} ipv4.routes device-nic-bridged-device-conf
:managed: "no"
:shortdesc: "IPv4 static routes for the NIC to add on the host"
:type: "string"
Specify a comma-delimited list of IPv4 static routes for this NIC to add on the host.
```

```{config:option} ipv4.routes.external device-nic-bridged-device-conf
:managed: "no"
:shortdesc: "IPv4 static routes to route to NIC"
:type: "string"
Specify a comma-delimited list of IPv4 static routes to route to the NIC and publish on the uplink network (BGP).
```

```{config:option} ipv6.address device-nic-bridged-device-conf
:managed: "no"
:shortdesc: "IPv6 address to assign to the instance through DHCP"
:type: "string"
Set this option to `none` to restrict all IPv6 traffic when {config:option}`device-nic-bridged-device-conf:security.ipv6_filtering` is set.
```

```{config:option} ipv6.routes device-nic-bridged-device-conf
:managed: "no"
:shortdesc: "IPv6 static routes for the NIC to add on the host"
:type: "string"
Specify a comma-delimited list of IPv6 static routes for this NIC to add on the host.
```

```{config:option} ipv6.routes.external device-nic-bridged-device-conf
:managed: "no"
:shortdesc: "IPv6 static routes to route to NIC"
:type: "string"
Specify a comma-delimited list of IPv6 static routes to route to the NIC and publish on the uplink network (BGP).
```

```{config:option} limits.egress device-nic-bridged-device-conf
:managed: "no"
:shortdesc: "I/O limit for outgoing traffic"
:type: "string"
Specify the limit in bit/s. Various suffixes are supported (see {ref}`instances-limit-units`).
```

```{config:option} limits.ingress device-nic-bridged-device-conf
:managed: "no"
:shortdesc: "I/O limit for incoming traffic"
:type: "string"
Specify the limit in bit/s. Various suffixes are supported (see {ref}`instances-limit-units`).
```

```{config:option} limits.max device-nic-bridged-device-conf
:managed: "no"
:shortdesc: "I/O limit for both incoming and outgoing traffic"
:type: "string"
This option is the same as setting both {config:option}`device-nic-bridged-device-conf:limits.ingress` and {config:option}`device-nic-bridged-device-conf:limits.egress`.

Specify the limit in bit/s. Various suffixes are supported (see {ref}`instances-limit-units`).
```

```{config:option} limits.priority device-nic-bridged-device-conf
:managed: "no"
:shortdesc: "`skb->priority` value for outgoing traffic"
:type: "integer"
The `skb->priority` value for outgoing traffic is used by the kernel queuing discipline (qdisc) to prioritize network packets.
Specify the value as a 32-bit unsigned integer.

The effect of this value depends on the particular qdisc implementation, for example, `SKBPRIO` or `QFQ`.
Consult the kernel qdisc documentation before setting this value.
```

```{config:option} maas.subnet.ipv4 device-nic-bridged-device-conf
:managed: "yes"
:shortdesc: "MAAS IPv4 subnet to register the instance in"
:type: "string"

```

```{config:option} maas.subnet.ipv6 device-nic-bridged-device-conf
:managed: "yes"
:shortdesc: "MAAS IPv6 subnet to register the instance in"
:type: "string"

```

```{config:option} mtu device-nic-bridged-device-conf
:defaultdesc: "parent MTU"
:managed: "yes"
:shortdesc: "MTU of the new interface"
:type: "integer"

```

```{config:option} name device-nic-bridged-device-conf
:defaultdesc: "kernel assigned"
:managed: "no"
:shortdesc: "Name of the interface inside the instance"
:type: "string"

```

```{config:option} network device-nic-bridged-device-conf
:managed: "no"
:shortdesc: "Managed network to link the device to"
:type: "string"
You can specify this option instead of specifying the `nictype` directly.
```

```{config:option} parent device-nic-bridged-device-conf
:managed: "yes"
:required: "if specifying the `nictype` directly"
:shortdesc: "Name of the host device"
:type: "string"

```

```{config:option} queue.tx.length device-nic-bridged-device-conf
:managed: "no"
:shortdesc: "Transmit queue length for the NIC"
:type: "integer"

```

```{config:option} security.ipv4_filtering device-nic-bridged-device-conf
:defaultdesc: "`false`"
:managed: "no"
:shortdesc: "Whether to prevent the instance from spoofing an IPv4 address"
:type: "bool"
Set this option to `true` to prevent the instance from spoofing another instance’s IPv4 address.
This option enables {config:option}`device-nic-bridged-device-conf:security.mac_filtering`.
```

```{config:option} security.ipv6_filtering device-nic-bridged-device-conf
:defaultdesc: "`false`"
:managed: "no"
:shortdesc: "Whether to prevent the instance from spoofing an IPv6 address"
:type: "bool"
Set this option to `true` to prevent the instance from spoofing another instance’s IPv6 address.
This option enables {config:option}`device-nic-bridged-device-conf:security.mac_filtering`.
```

```{config:option} security.mac_filtering device-nic-bridged-device-conf
:defaultdesc: "`false`"
:managed: "no"
:shortdesc: "Whether to prevent the instance from spoofing a MAC address"
:type: "bool"
Set this option to `true` to prevent the instance from spoofing another instance’s MAC address.
```

```{config:option} security.port_isolation device-nic-bridged-device-conf
:defaultdesc: "`false`"
:managed: "no"
:shortdesc: "Whether to respect port isolation"
:type: "bool"
Set this option to `true` to prevent the NIC from communicating with other NICs in the network that have port isolation enabled.
```

```{config:option} vlan device-nic-bridged-device-conf
:managed: "no"
:shortdesc: "VLAN ID to use for non-tagged traffic"
:type: "integer"
Set this option to `none` to remove the port from the default VLAN.
```

```{config:option} vlan.tagged device-nic-bridged-device-conf
:managed: "no"
:shortdesc: "VLAN IDs or VLAN ranges to join for tagged traffic"
:type: "integer"
Specify the VLAN IDs or ranges as a comma-delimited list.
```

<!-- config group device-nic-bridged-device-conf end -->
<!-- config group device-nic-ipvlan-device-conf start -->
```{config:option} gvrp device-nic-ipvlan-device-conf
:defaultdesc: "`false`"
:shortdesc: "Whether to use GARP VLAN Registration Protocol"
:type: "bool"
This option specifies whether to register the VLAN using the GARP VLAN Registration Protocol.
```

```{config:option} hwaddr device-nic-ipvlan-device-conf
:defaultdesc: "randomly assigned"
:shortdesc: "MAC address of the new interface"
:type: "string"

```

```{config:option} ipv4.address device-nic-ipvlan-device-conf
:shortdesc: "IPv4 static addresses to add to the instance"
:type: "string"
Specify a comma-delimited list of IPv4 static addresses to add to the instance.
In `l2` mode, you can specify them as CIDR values or singular addresses using a subnet of `/24`.
```

```{config:option} ipv4.gateway device-nic-ipvlan-device-conf
:defaultdesc: "`auto` (`l3s`), `-` (`l2`)"
:shortdesc: "IPv4 gateway"
:type: "string"
In `l3s` mode, the option specifies whether to add an automatic default IPv4 gateway.
Possible values are `auto` and `none`.

In `l2` mode, this option specifies the IPv4 address of the gateway.
```

```{config:option} ipv4.host_table device-nic-ipvlan-device-conf
:shortdesc: "Custom policy routing table ID to add IPv4 static routes to"
:type: "integer"
The custom policy routing table is in addition to the main routing table.
```

```{config:option} ipv6.address device-nic-ipvlan-device-conf
:shortdesc: "IPv6 static addresses to add to the instance"
:type: "string"
Specify a comma-delimited list of IPv6 static addresses to add to the instance.
In `l2` mode, you can specify them as CIDR values or singular addresses using a subnet of `/64`.
```

```{config:option} ipv6.gateway device-nic-ipvlan-device-conf
:defaultdesc: "`auto` (`l3s`), `-` (`l2`)"
:shortdesc: "IPv6 gateway"
:type: "string"
In `l3s` mode, the option specifies whether to add an automatic default IPv6 gateway.
Possible values are `auto` and `none`.

In `l2` mode, this option specifies the IPv6 address of the gateway.
```

```{config:option} ipv6.host_table device-nic-ipvlan-device-conf
:shortdesc: "Custom policy routing table ID to add IPv6 static routes to"
:type: "integer"
The custom policy routing table is in addition to the main routing table.
```

```{config:option} mode device-nic-ipvlan-device-conf
:defaultdesc: "`l3s`"
:shortdesc: "IPVLAN mode"
:type: "string"
Possible values are `l2` and `l3s`.
```

```{config:option} mtu device-nic-ipvlan-device-conf
:defaultdesc: "parent MTU"
:shortdesc: "The MTU of the new interface"
:type: "integer"

```

```{config:option} name device-nic-ipvlan-device-conf
:defaultdesc: "kernel assigned"
:shortdesc: "Name of the interface inside the instance"
:type: "string"

```

```{config:option} parent device-nic-ipvlan-device-conf
:required: "yes"
:shortdesc: "Name of the host device"
:type: "string"

```

```{config:option} vlan device-nic-ipvlan-device-conf
:shortdesc: "VLAN ID to attach to"
:type: "integer"

```

<!-- config group device-nic-ipvlan-device-conf end -->
<!-- config group device-nic-macvlan-device-conf start -->
```{config:option} boot.priority device-nic-macvlan-device-conf
:managed: "no"
:shortdesc: "Boot priority for VMs"
:type: "integer"
A higher value for this option means that the VM boots first.
```

```{config:option} gvrp device-nic-macvlan-device-conf
:defaultdesc: "`false`"
:managed: "no"
:shortdesc: "Whether to use GARP VLAN Registration Protocol"
:type: "bool"
This option specifies whether to register the VLAN using the GARP VLAN Registration Protocol.
```

```{config:option} hwaddr device-nic-macvlan-device-conf
:defaultdesc: "randomly assigned"
:managed: "no"
:shortdesc: "MAC address of the new interface"
:type: "string"

```

```{config:option} maas.subnet.ipv4 device-nic-macvlan-device-conf
:managed: "yes"
:shortdesc: "MAAS IPv4 subnet to register the instance in"
:type: "string"

```

```{config:option} maas.subnet.ipv6 device-nic-macvlan-device-conf
:managed: "yes"
:shortdesc: "MAAS IPv6 subnet to register the instance in"
:type: "string"

```

```{config:option} mtu device-nic-macvlan-device-conf
:defaultdesc: "parent MTU"
:managed: "yes"
:shortdesc: "MTU of the new interface"
:type: "integer"

```

```{config:option} name device-nic-macvlan-device-conf
:defaultdesc: "kernel assigned"
:managed: "no"
:shortdesc: "Name of the interface inside the instance"
:type: "string"

```

```{config:option} network device-nic-macvlan-device-conf
:managed: "no"
:shortdesc: "Managed network to link the device to"
:type: "string"
You can specify this option instead of specifying the `nictype` directly.
```

```{config:option} parent device-nic-macvlan-device-conf
:managed: "yes"
:required: "if specifying the `nictype` directly"
:shortdesc: "Name of the host device"
:type: "string"

```

```{config:option} vlan device-nic-macvlan-device-conf
:managed: "no"
:shortdesc: "VLAN ID to attach to"
:type: "integer"

```

<!-- config group device-nic-macvlan-device-conf end -->
<!-- config group device-nic-ovn-device-conf start -->
```{config:option} acceleration device-nic-ovn-device-conf
:defaultdesc: "`none`"
:managed: "no"
:shortdesc: "Enable hardware offloading"
:type: "string"
Possible values are `none`, `sriov`, or `vdpa`.
See {ref}`devices-nic-hw-acceleration` for more information.
```

```{config:option} boot.priority device-nic-ovn-device-conf
:managed: "no"
:shortdesc: "Boot priority for VMs"
:type: "integer"
A higher value for this option means that the VM boots first.
```

```{config:option} host_name device-nic-ovn-device-conf
:defaultdesc: "randomly assigned"
:managed: "no"
:shortdesc: "Name of the interface inside the host"
:type: "string"

```

```{config:option} hwaddr device-nic-ovn-device-conf
:defaultdesc: "randomly assigned"
:managed: "no"
:shortdesc: "MAC address of the new interface"
:type: "string"

```

```{config:option} ipv4.address device-nic-ovn-device-conf
:managed: "no"
:shortdesc: "IPv4 address to assign to the instance through DHCP"
:type: "string"

```

```{config:option} ipv4.routes device-nic-ovn-device-conf
:managed: "no"
:shortdesc: "IPv4 static routes to route for the NIC"
:type: "string"
Specify a comma-delimited list of IPv4 static routes to route for this NIC.
```

```{config:option} ipv4.routes.external device-nic-ovn-device-conf
:managed: "no"
:shortdesc: "IPv4 static routes to route to NIC"
:type: "string"
Specify a comma-delimited list of IPv4 static routes to route to the NIC and publish on the uplink network.
```

```{config:option} ipv6.address device-nic-ovn-device-conf
:managed: "no"
:shortdesc: "IPv6 address to assign to the instance through DHCP"
:type: "string"

```

```{config:option} ipv6.routes device-nic-ovn-device-conf
:managed: "no"
:shortdesc: "IPv6 static routes to route to the NIC"
:type: "string"
Specify a comma-delimited list of IPv6 static routes to route to the NIC.
```

```{config:option} ipv6.routes.external device-nic-ovn-device-conf
:managed: "no"
:shortdesc: "IPv6 static routes to route to NIC"
:type: "string"
Specify a comma-delimited list of IPv6 static routes to route to the NIC and publish on the uplink network.
```

```{config:option} name device-nic-ovn-device-conf
:defaultdesc: "kernel assigned"
:managed: "no"
:shortdesc: "Name of the interface inside the instance"
:type: "string"

```

```{config:option} nested device-nic-ovn-device-conf
:managed: "no"
:shortdesc: "Parent NIC name to nest this NIC under"
:type: "string"
See also {config:option}`device-nic-ovn-device-conf:vlan`.
```

```{config:option} network device-nic-ovn-device-conf
:managed: "yes"
:required: "yes"
:shortdesc: "Managed network to link the device to"
:type: "string"

```

```{config:option} security.acls device-nic-ovn-device-conf
:managed: "no"
:shortdesc: "Network ACLs to apply"
:type: "string"
Specify a comma-separated list of network ACLs to apply.
```

```{config:option} security.acls.default.egress.action device-nic-ovn-device-conf
:defaultdesc: "`reject`"
:managed: "no"
:shortdesc: "Default action to use for egress traffic"
:type: "string"
The specified action is used for all egress traffic that doesn’t match any ACL rule.
```

```{config:option} security.acls.default.egress.logged device-nic-ovn-device-conf
:defaultdesc: "`false`"
:managed: "no"
:shortdesc: "Whether to log egress traffic that doesn’t match any ACL rule"
:type: "bool"

```

```{config:option} security.acls.default.ingress.action device-nic-ovn-device-conf
:defaultdesc: "`reject`"
:managed: "no"
:shortdesc: "Default action to use for ingress traffic"
:type: "string"
The specified action is used for all ingress traffic that doesn’t match any ACL rule.
```

```{config:option} security.acls.default.ingress.logged device-nic-ovn-device-conf
:defaultdesc: "`false`"
:managed: "no"
:shortdesc: "Whether to log ingress traffic that doesn’t match any ACL rule"
:type: "bool"

```

```{config:option} vlan device-nic-ovn-device-conf
:managed: "no"
:shortdesc: "VLAN ID to use when nesting"
:type: "integer"
See also {config:option}`device-nic-ovn-device-conf:nested`.
```

<!-- config group device-nic-ovn-device-conf end -->
<!-- config group device-nic-p2p-device-conf start -->
```{config:option} boot.priority device-nic-p2p-device-conf
:shortdesc: "Boot priority for VMs"
:type: "integer"
A higher value for this option means that the VM boots first.
```

```{config:option} host_name device-nic-p2p-device-conf
:defaultdesc: "randomly assigned"
:shortdesc: "Name of the interface inside the host"
:type: "string"

```

```{config:option} hwaddr device-nic-p2p-device-conf
:defaultdesc: "randomly assigned"
:shortdesc: "MAC address of the new interface"
:type: "string"

```

```{config:option} ipv4.routes device-nic-p2p-device-conf
:shortdesc: "IPv4 static routes for the NIC to add on the host"
:type: "string"
Specify a comma-delimited list of IPv4 static routes for this NIC to add on the host.
```

```{config:option} ipv6.routes device-nic-p2p-device-conf
:shortdesc: "IPv6 static routes for the NIC to add on the host"
:type: "string"
Specify a comma-delimited list of IPv6 static routes for this NIC to add on the host.
```

```{config:option} limits.egress device-nic-p2p-device-conf
:shortdesc: "I/O limit for outgoing traffic"
:type: "string"
Specify the limit in bit/s. Various suffixes are supported (see {ref}`instances-limit-units`).
```

```{config:option} limits.ingress device-nic-p2p-device-conf
:shortdesc: "I/O limit for incoming traffic"
:type: "string"
Specify the limit in bit/s. Various suffixes are supported (see {ref}`instances-limit-units`).
```

```{config:option} limits.max device-nic-p2p-device-conf
:shortdesc: "I/O limit for both incoming and outgoing traffic"
:type: "string"
This option is the same as setting both {config:option}`device-nic-p2p-device-conf:limits.ingress` and {config:option}`device-nic-p2p-device-conf:limits.egress`.

Specify the limit in bit/s. Various suffixes are supported (see {ref}`instances-limit-units`).
```

```{config:option} limits.priority device-nic-p2p-device-conf
:shortdesc: "`skb->priority` value for outgoing traffic"
:type: "integer"
The `skb->priority` value for outgoing traffic is used by the kernel queuing discipline (qdisc) to prioritize network packets.
Specify the value as a 32-bit unsigned integer.

The effect of this value depends on the particular qdisc implementation, for example, `SKBPRIO` or `QFQ`.
Consult the kernel qdisc documentation before setting this value.
```

```{config:option} mtu device-nic-p2p-device-conf
:defaultdesc: "kernel assigned"
:shortdesc: "MTU of the new interface"
:type: "integer"

```

```{config:option} name device-nic-p2p-device-conf
:defaultdesc: "kernel assigned"
:shortdesc: "Name of the interface inside the instance"
:type: "string"

```

```{config:option} queue.tx.length device-nic-p2p-device-conf
:shortdesc: "Transmit queue length for the NIC"
:type: "integer"

```

<!-- config group device-nic-p2p-device-conf end -->
<!-- config group device-nic-physical-device-conf start -->
```{config:option} boot.priority device-nic-physical-device-conf
:managed: "no"
:shortdesc: "Boot priority for VMs"
:type: "integer"
A higher value for this option means that the VM boots first.
```

```{config:option} gvrp device-nic-physical-device-conf
:defaultdesc: "`false`"
:managed: "no"
:shortdesc: "Whether to use GARP VLAN Registration Protocol"
:type: "bool"
This option specifies whether to register the VLAN using the GARP VLAN Registration Protocol.
```

```{config:option} hwaddr device-nic-physical-device-conf
:condition: "container"
:defaultdesc: "parent MAC address"
:managed: "no"
:shortdesc: "MAC address of the new interface"
:type: "string"

```

```{config:option} maas.subnet.ipv4 device-nic-physical-device-conf
:managed: "no"
:shortdesc: "MAAS IPv4 subnet to register the instance in"
:type: "string"

```

```{config:option} maas.subnet.ipv6 device-nic-physical-device-conf
:managed: "no"
:shortdesc: "MAAS IPv6 subnet to register the instance in"
:type: "string"

```

```{config:option} mtu device-nic-physical-device-conf
:condition: "container"
:defaultdesc: "parent MTU"
:managed: "no"
:shortdesc: "MTU of the new interface"
:type: "integer"

```

```{config:option} name device-nic-physical-device-conf
:defaultdesc: "kernel assigned"
:managed: "no"
:shortdesc: "Name of the interface inside the instance"
:type: "string"

```

```{config:option} network device-nic-physical-device-conf
:managed: "no"
:shortdesc: "Managed network to link the device to"
:type: "string"
You can specify this option instead of specifying the `nictype` directly.
```

```{config:option} parent device-nic-physical-device-conf
:managed: "yes"
:required: "if specifying the `nictype` directly"
:shortdesc: "Name of the host device"
:type: "string"

```

```{config:option} vlan device-nic-physical-device-conf
:condition: "container"
:managed: "no"
:shortdesc: "VLAN ID to attach to"
:type: "integer"

```

<!-- config group device-nic-physical-device-conf end -->
<!-- config group device-nic-routed-device-conf start -->
```{config:option} gvrp device-nic-routed-device-conf
:defaultdesc: "`false`"
:shortdesc: "Whether to use GARP VLAN Registration Protocol"
:type: "bool"
This option specifies whether to register the VLAN using the GARP VLAN Registration Protocol.
```

```{config:option} host_name device-nic-routed-device-conf
:defaultdesc: "randomly assigned"
:shortdesc: "Name of the interface inside the host"
:type: "string"

```

```{config:option} hwaddr device-nic-routed-device-conf
:defaultdesc: "randomly assigned"
:shortdesc: "MAC address of the new interface"
:type: "string"

```

```{config:option} ipv4.address device-nic-routed-device-conf
:shortdesc: "IPv4 static addresses to add to the instance"
:type: "string"
Specify a comma-delimited list of IPv4 static addresses to add to the instance.
```

```{config:option} ipv4.gateway device-nic-routed-device-conf
:defaultdesc: "`auto`"
:shortdesc: "Whether to add an automatic default IPv4 gateway"
:type: "string"
Possible values are `auto` and `none`.
```

```{config:option} ipv4.host_address device-nic-routed-device-conf
:defaultdesc: "`169.254.0.1`"
:shortdesc: "IPv4 address to add to the host-side `veth` interface"
:type: "string"

```

```{config:option} ipv4.host_table device-nic-routed-device-conf
:shortdesc: "Custom policy routing table ID to add IPv4 static routes to"
:type: "integer"
The custom policy routing table is in addition to the main routing table.
```

```{config:option} ipv4.neighbor_probe device-nic-routed-device-conf
:defaultdesc: "`true`"
:shortdesc: "Whether to probe the parent network for IPv4 address availability"
:type: "bool"

```

```{config:option} ipv4.routes device-nic-routed-device-conf
:shortdesc: "IPv4 static routes for the NIC to add on the host"
:type: "string"
Specify a comma-delimited list of IPv4 static routes for this NIC to add on the host (without L2 ARP/NDP proxy).
```

```{config:option} ipv6.address device-nic-routed-device-conf
:shortdesc: "IPv6 static addresses to add to the instance"
:type: "string"
Specify a comma-delimited list of IPv6 static addresses to add to the instance.
```

```{config:option} ipv6.gateway device-nic-routed-device-conf
:defaultdesc: "`auto`"
:shortdesc: "Whether to add an automatic default IPv6 gateway"
:type: "string"
Possible values are `auto` and `none`.
```

```{config:option} ipv6.host_address device-nic-routed-device-conf
:defaultdesc: "`fe80::1`"
:shortdesc: "IPv6 address to add to the host-side `veth` interface"
:type: "string"

```

```{config:option} ipv6.host_table device-nic-routed-device-conf
:shortdesc: "Custom policy routing table ID to add IPv6 static routes to"
:type: "integer"
The custom policy routing table is in addition to the main routing table.
```

```{config:option} ipv6.neighbor_probe device-nic-routed-device-conf
:defaultdesc: "`true`"
:shortdesc: "Whether to probe the parent network for IPv6 address availability"
:type: "bool"

```

```{config:option} ipv6.routes device-nic-routed-device-conf
:shortdesc: "IPv6 static routes for the NIC to add on the host"
:type: "string"
Specify a comma-delimited list of IPv6 static routes for this NIC to add on the host (without L2 ARP/NDP proxy).
```

```{config:option} limits.egress device-nic-routed-device-conf
:shortdesc: "I/O limit for outgoing traffic"
:type: "string"
Specify the limit in bit/s. Various suffixes are supported (see {ref}`instances-limit-units`).
```

```{config:option} limits.ingress device-nic-routed-device-conf
:shortdesc: "I/O limit for incoming traffic"
:type: "string"
Specify the limit in bit/s. Various suffixes are supported (see {ref}`instances-limit-units`).
```

```{config:option} limits.max device-nic-routed-device-conf
:shortdesc: "I/O limit for both incoming and outgoing traffic"
:type: "string"
This option is the same as setting both {config:option}`device-nic-bridged-device-conf:limits.ingress` and {config:option}`device-nic-bridged-device-conf:limits.egress`.

Specify the limit in bit/s. Various suffixes are supported (see {ref}`instances-limit-units`).
```

```{config:option} limits.priority device-nic-routed-device-conf
:shortdesc: "`skb->priority` value for outgoing traffic"
:type: "integer"
The `skb->priority` value for outgoing traffic is used by the kernel queuing discipline (qdisc) to prioritize network packets.
Specify the value as a 32-bit unsigned integer.

The effect of this value depends on the particular qdisc implementation, for example, `SKBPRIO` or `QFQ`.
Consult the kernel qdisc documentation before setting this value.
```

```{config:option} mtu device-nic-routed-device-conf
:defaultdesc: "parent MTU"
:shortdesc: "The MTU of the new interface"
:type: "integer"

```

```{config:option} name device-nic-routed-device-conf
:defaultdesc: "kernel assigned"
:shortdesc: "Name of the interface inside the instance"
:type: "string"

```

```{config:option} parent device-nic-routed-device-conf
:shortdesc: "Name of the host device to join the instance to"
:type: "string"

```

```{config:option} queue.tx.length device-nic-routed-device-conf
:shortdesc: "Transmit queue length for the NIC"
:type: "integer"

```

```{config:option} vlan device-nic-routed-device-conf
:shortdesc: "VLAN ID to attach to"
:type: "integer"

```

<!-- config group device-nic-routed-device-conf end -->
<!-- config group device-nic-sriov-device-conf start -->
```{config:option} boot.priority device-nic-sriov-device-conf
:managed: "no"
:shortdesc: "Boot priority for VMs"
:type: "integer"
A higher value for this option means that the VM boots first.
```

```{config:option} hwaddr device-nic-sriov-device-conf
:defaultdesc: "randomly assigned"
:managed: "no"
:shortdesc: "MAC address of the new interface"
:type: "string"

```

```{config:option} maas.subnet.ipv4 device-nic-sriov-device-conf
:managed: "yes"
:shortdesc: "MAAS IPv4 subnet to register the instance in"
:type: "string"

```

```{config:option} maas.subnet.ipv6 device-nic-sriov-device-conf
:managed: "yes"
:shortdesc: "MAAS IPv6 subnet to register the instance in"
:type: "string"

```

```{config:option} mtu device-nic-sriov-device-conf
:defaultdesc: "kernel assigned"
:managed: "yes"
:shortdesc: "MTU of the new interface"
:type: "integer"

```

```{config:option} name device-nic-sriov-device-conf
:defaultdesc: "kernel assigned"
:managed: "no"
:shortdesc: "Name of the interface inside the instance"
:type: "string"

```

```{config:option} network device-nic-sriov-device-conf
:managed: "no"
:shortdesc: "Managed network to link the device to"
:type: "string"
You can specify this option instead of specifying the `nictype` directly.
```

```{config:option} parent device-nic-sriov-device-conf
:managed: "yes"
:required: "if specifying the `nictype` directly"
:shortdesc: "Name of the host device"
:type: "string"

```

```{config:option} security.mac_filtering device-nic-sriov-device-conf
:defaultdesc: "`false`"
:managed: "no"
:shortdesc: "Whether to prevent the instance from spoofing a MAC address"
:type: "bool"
Set this option to `true` to prevent the instance from spoofing another instance’s MAC address.
```

```{config:option} vlan device-nic-sriov-device-conf
:managed: "no"
:shortdesc: "VLAN ID to attach to"
:type: "integer"

```

<!-- config group device-nic-sriov-device-conf end -->
<!-- config group device-pci-device-conf start -->
```{config:option} address device-pci-device-conf
:required: "yes"
:shortdesc: "PCI address of the device"
:type: "string"

```

<!-- config group device-pci-device-conf end -->
<!-- config group device-proxy-device-conf start -->
```{config:option} bind device-proxy-device-conf
:defaultdesc: "`host`"
:required: "no"
:shortdesc: "Which side to bind on"
:type: "string"
Possible values are `host` and `instance`.
```

```{config:option} connect device-proxy-device-conf
:required: "yes"
:shortdesc: "Address and port to connect to"
:type: "string"
Use the following format to specify the address and port: `<type>:<addr>:<port>[-<port>][,<port>]`
```

```{config:option} gid device-proxy-device-conf
:defaultdesc: "`0`"
:required: "no"
:shortdesc: "GID of the owner of the listening Unix socket"
:type: "integer"

```

```{config:option} listen device-proxy-device-conf
:required: "yes"
:shortdesc: "Address and port to bind and listen"
:type: "string"
Use the following format to specify the address and port: `<type>:<addr>:<port>[-<port>][,<port>]`
```

```{config:option} mode device-proxy-device-conf
:defaultdesc: "`0644`"
:required: "no"
:shortdesc: "Mode for the listening Unix socket"
:type: "integer"

```

```{config:option} nat device-proxy-device-conf
:defaultdesc: "`false`"
:required: "no"
:shortdesc: "Whether to optimize proxying via NAT"
:type: "bool"
This option requires that the instance NIC has a static IP address.
```

```{config:option} proxy_protocol device-proxy-device-conf
:defaultdesc: "`false`"
:required: "no"
:shortdesc: "Whether to use the HAProxy PROXY protocol"
:type: "bool"
This option specifies whether to use the HAProxy PROXY protocol to transmit sender information.
```

```{config:option} security.gid device-proxy-device-conf
:defaultdesc: "`0`"
:required: "no"
:shortdesc: "What GID to drop privilege to"
:type: "integer"

```

```{config:option} security.uid device-proxy-device-conf
:defaultdesc: "`0`"
:required: "no"
:shortdesc: "What UID to drop privilege to"
:type: "integer"

```

```{config:option} uid device-proxy-device-conf
:defaultdesc: "`0`"
:required: "no"
:shortdesc: "UID of the owner of the listening Unix socket"
:type: "integer"

```

<!-- config group device-proxy-device-conf end -->
<!-- config group device-tpm-device-conf start -->
```{config:option} path device-tpm-device-conf
:required: "for containers"
:shortdesc: "Path inside the container"
:type: "string"
For example: `/dev/tpm0`
```

```{config:option} pathrm device-tpm-device-conf
:required: "for containers"
:shortdesc: "Resource manager path inside the container"
:type: "string"
For example: `/dev/tpmrm0`
```

<!-- config group device-tpm-device-conf end -->
<!-- config group device-unix-block-device-conf start -->
```{config:option} gid device-unix-block-device-conf
:defaultdesc: "`0`"
:shortdesc: "GID of the device owner in the container"
:type: "integer"

```

```{config:option} major device-unix-block-device-conf
:defaultdesc: "device on host"
:shortdesc: "Device major number"
:type: "integer"

```

```{config:option} minor device-unix-block-device-conf
:defaultdesc: "device on host"
:shortdesc: "Device minor number"
:type: "integer"

```

```{config:option} mode device-unix-block-device-conf
:defaultdesc: "`0660`"
:shortdesc: "Mode of the device in the container"
:type: "integer"

```

```{config:option} path device-unix-block-device-conf
:required: "either `source` or `path` must be set"
:shortdesc: "Path inside the container"
:type: "string"

```

```{config:option} required device-unix-block-device-conf
:defaultdesc: "`true`"
:shortdesc: "Whether this device is required to start the container"
:type: "bool"
See {ref}`devices-unix-block-hotplugging` for more information.
```

```{config:option} source device-unix-block-device-conf
:required: "either `source` or `path` must be set"
:shortdesc: "Path on the host"
:type: "string"

```

```{config:option} uid device-unix-block-device-conf
:defaultdesc: "`0`"
:shortdesc: "UID of the device owner in the container"
:type: "integer"

```

<!-- config group device-unix-block-device-conf end -->
<!-- config group device-unix-char-device-conf start -->
```{config:option} gid device-unix-char-device-conf
:defaultdesc: "`0`"
:shortdesc: "GID of the device owner in the container"
:type: "integer"

```

```{config:option} major device-unix-char-device-conf
:defaultdesc: "device on host"
:shortdesc: "Device major number"
:type: "integer"

```

```{config:option} minor device-unix-char-device-conf
:defaultdesc: "device on host"
:shortdesc: "Device minor number"
:type: "integer"

```

```{config:option} mode device-unix-char-device-conf
:defaultdesc: "`0660`"
:shortdesc: "Mode of the device in the container"
:type: "integer"

```

```{config:option} path device-unix-char-device-conf
:required: "either `source` or `path` must be set"
:shortdesc: "Path inside the container"
:type: "string"

```

```{config:option} required device-unix-char-device-conf
:defaultdesc: "`true`"
:shortdesc: "Whether this device is required to start the container"
:type: "bool"
See {ref}`devices-unix-char-hotplugging` for more information.
```

```{config:option} source device-unix-char-device-conf
:required: "either `source` or `path` must be set"
:shortdesc: "Path on the host"
:type: "string"

```

```{config:option} uid device-unix-char-device-conf
:defaultdesc: "`0`"
:shortdesc: "UID of the device owner in the container"
:type: "integer"

```

<!-- config group device-unix-char-device-conf end -->
<!-- config group device-unix-hotplug-device-conf start -->
```{config:option} gid device-unix-hotplug-device-conf
:defaultdesc: "`0`"
:shortdesc: "GID of the device owner in the container"
:type: "integer"

```

```{config:option} mode device-unix-hotplug-device-conf
:defaultdesc: "`0660`"
:shortdesc: "Mode of the device in the container"
:type: "integer"

```

```{config:option} ownership.inherit device-unix-hotplug-device-conf
:defaultdesc: "`false`"
:shortdesc: "Whether this device inherits ownership (GID and/or UID) from the host"
:type: "bool"

```

```{config:option} productid device-unix-hotplug-device-conf
:shortdesc: "Product ID of the Unix device"
:type: "string"

```

```{config:option} required device-unix-hotplug-device-conf
:defaultdesc: "`false`"
:shortdesc: "Whether this device is required to start the container"
:type: "bool"
The default is `false`, which means that all devices can be hotplugged.
```

```{config:option} subsystem device-unix-hotplug-device-conf
:shortdesc: "Subsystem of the Unix device"
:type: "string"

```

```{config:option} uid device-unix-hotplug-device-conf
:defaultdesc: "`0`"
:shortdesc: "UID of the device owner in the container"
:type: "integer"

```

```{config:option} vendorid device-unix-hotplug-device-conf
:shortdesc: "Vendor ID of the Unix device"
:type: "string"

```

<!-- config group device-unix-hotplug-device-conf end -->
<!-- config group device-unix-usb-device-conf start -->
```{config:option} busnum device-unix-usb-device-conf
:shortdesc: "The bus number to which the USB device is attached"
:type: "int"

```

```{config:option} devnum device-unix-usb-device-conf
:shortdesc: "The device number of the USB device"
:type: "int"

```

```{config:option} gid device-unix-usb-device-conf
:condition: "container"
:defaultdesc: "`0`"
:shortdesc: "GID of the device owner in the instance"
:type: "integer"

```

```{config:option} mode device-unix-usb-device-conf
:condition: "container"
:defaultdesc: "`0660`"
:shortdesc: "Mode of the device in the instance"
:type: "integer"

```

```{config:option} productid device-unix-usb-device-conf
:shortdesc: "Product ID of the USB device"
:type: "string"

```

```{config:option} required device-unix-usb-device-conf
:defaultdesc: "`false`"
:shortdesc: "Whether this device is required to start the instance"
:type: "bool"
The default is `false`, which means that all devices can be hotplugged.
```

```{config:option} serial device-unix-usb-device-conf
:shortdesc: "The serial number of the USB device"
:type: "string"

```

```{config:option} uid device-unix-usb-device-conf
:condition: "container"
:defaultdesc: "`0`"
:shortdesc: "UID of the device owner in the instance"
:type: "integer"

```

```{config:option} vendorid device-unix-usb-device-conf
:shortdesc: "Vendor ID of the USB device"
:type: "string"

```

<!-- config group device-unix-usb-device-conf end -->
<!-- config group instance-boot start -->
```{config:option} boot.autostart instance-boot
:liveupdate: "no"
:shortdesc: "Whether to always start the instance when LXD starts"
:type: "bool"
If set to `true`, the instance will always be auto-started, unless `security.protection.start` is also enabled.
If set to `false`, the instance will not be started on LXD start up.
If this option is not set, the instance will be restored to its last known state.
```

```{config:option} boot.autostart.delay instance-boot
:defaultdesc: "`0`"
:liveupdate: "no"
:shortdesc: "Delay after starting the instance"
:type: "integer"
The number of seconds to wait after the instance has started before starting the next one.
```

```{config:option} boot.autostart.priority instance-boot
:defaultdesc: "`0`"
:liveupdate: "no"
:shortdesc: "What order to start the instances in"
:type: "integer"
The instance with the highest value is started first.
```

```{config:option} boot.debug_edk2 instance-boot
:shortdesc: "Enable the debug version of `edk2`"
:type: "bool"
If enabled, the instance uses a debug version of `edk2`.
A log file can be found in `$LXD_DIR/logs/<instance_name>/edk2.log`.
```

```{config:option} boot.host_shutdown_timeout instance-boot
:defaultdesc: "`30`"
:liveupdate: "yes"
:shortdesc: "How long to wait for the instance to shut down"
:type: "integer"
Number of seconds to wait for the instance to shut down before it is force-stopped.
```

```{config:option} boot.stop.priority instance-boot
:defaultdesc: "`0`"
:liveupdate: "no"
:shortdesc: "What order to shut down the instances in"
:type: "integer"
The instance with the highest value is shut down first.
```

<!-- config group instance-boot end -->
<!-- config group instance-cloud-init start -->
```{config:option} cloud-init.network-config instance-cloud-init
:condition: "If supported by image"
:defaultdesc: "`DHCP on eth0`"
:liveupdate: "no"
:shortdesc: "Network configuration for `cloud-init`"
:type: "string"
The content is used as seed value for `cloud-init`.
```

```{config:option} cloud-init.ssh-keys.KEYNAME instance-cloud-init
:condition: "If supported by image"
:liveupdate: "no"
:shortdesc: "Additional SSH key to be injected on the instance by `cloud-init`"
:type: "string"
Represents an additional SSH public key to be merged into existing `cloud-init` seed data
and injected into an instance. The value has the format `{user}:{key}`, where `{user}` is a Linux user name and
`{key}` is either a pure SSH public key or an import ID for a key hosted elsewhere.
For example: `root:gh:githubUser`, `myUser:ssh-keyAlg publicKeyHash`
```

```{config:option} cloud-init.user-data instance-cloud-init
:condition: "If supported by image"
:defaultdesc: "`#cloud-config`"
:liveupdate: "no"
:shortdesc: "User data for `cloud-init`"
:type: "string"
The content is used as seed value for `cloud-init`.
```

```{config:option} cloud-init.vendor-data instance-cloud-init
:condition: "If supported by image"
:defaultdesc: "`#cloud-config`"
:liveupdate: "no"
:shortdesc: "Vendor data for `cloud-init`"
:type: "string"
The content is used as seed value for `cloud-init`.
```

```{config:option} user.network-config instance-cloud-init
:condition: "If supported by image"
:defaultdesc: "`DHCP on eth0`"
:liveupdate: "no"
:shortdesc: "Legacy version of `cloud-init.network-config`"
:type: "string"

```

```{config:option} user.user-data instance-cloud-init
:condition: "If supported by image"
:defaultdesc: "`#cloud-config`"
:liveupdate: "no"
:shortdesc: "Legacy version of `cloud-init.user-data`"
:type: "string"

```

```{config:option} user.vendor-data instance-cloud-init
:condition: "If supported by image"
:defaultdesc: "`#cloud-config`"
:liveupdate: "no"
:shortdesc: "Legacy version of `cloud-init.vendor-data`"
:type: "string"

```

<!-- config group instance-cloud-init end -->
<!-- config group instance-migration start -->
```{config:option} migration.incremental.memory instance-migration
:condition: "container"
:defaultdesc: "`false`"
:liveupdate: "yes"
:shortdesc: "Whether to use incremental memory transfer"
:type: "bool"
Incremental transfer of the instance's memory can reduce downtime.
```

```{config:option} migration.incremental.memory.goal instance-migration
:condition: "container"
:defaultdesc: "`70`"
:liveupdate: "yes"
:shortdesc: "Percentage of memory to have in sync before stopping the instance"
:type: "integer"

```

```{config:option} migration.incremental.memory.iterations instance-migration
:condition: "container"
:defaultdesc: "`10`"
:liveupdate: "yes"
:shortdesc: "Maximum number of transfer operations to go through before stopping the instance"
:type: "integer"

```

```{config:option} migration.stateful instance-migration
:condition: "virtual machine"
:defaultdesc: "`false` or value from profiles or `instances.migration.stateful` (if set)"
:liveupdate: "no"
:shortdesc: "Whether to allow for stateful stop/start and snapshots"
:type: "bool"
Enabling this option prevents the use of some features that are incompatible with it.
```

<!-- config group instance-migration end -->
<!-- config group instance-miscellaneous start -->
```{config:option} agent.nic_config instance-miscellaneous
:condition: "virtual machine"
:defaultdesc: "`false`"
:liveupdate: "no"
:shortdesc: "Whether to use the name and MTU of the default network interfaces"
:type: "bool"
When set to `true`, the name and MTU of the default network interfaces inside the virtual machine match those of the instance devices.
```

```{config:option} cluster.evacuate instance-miscellaneous
:defaultdesc: "`auto`"
:liveupdate: "no"
:shortdesc: "What to do when evacuating the instance"
:type: "string"
The `cluster.evacuate` option controls how instances are handled when a cluster member is being evacuated.

Available modes:
  - `auto` *(default)*: The system automatically decides the best evacuation method based on the instance's type and configured devices:
    + If any device is not suitable for migration, the instance is not migrated (only stopped).
    + Live migration is used only for virtual machines that have the `migration.stateful` setting enabled and whose devices can all be migrated as well.
  - `live-migrate`: Instances are live-migrated to another node. The instance remains running and operational during the migration process, ensuring minimal disruption.
  - `migrate`: Instances are migrated to another node in the cluster. The migration is not live, so there is a brief downtime for the instance during the migration.
  - `stop`: Instances are not migrated. Instead, they are stopped on the current node.

See {ref}`cluster-evacuate` for more information.
```

```{config:option} linux.kernel_modules instance-miscellaneous
:condition: "container"
:liveupdate: "yes"
:shortdesc: "Kernel modules to load or allow loading"
:type: "string"
Specify the kernel modules as a comma-separated list.

The modules are loaded before the instance starts, or they can be loaded by a privileged user if {config:option}`instance-miscellaneous:linux.kernel_modules.load` is set to `ondemand`.
```

```{config:option} linux.kernel_modules.load instance-miscellaneous
:condition: "container"
:defaultdesc: "`boot`"
:liveupdate: "no"
:shortdesc: "How to load kernel modules"
:type: "string"
This option specifies how to load the kernel modules that are specified in {config:option}`instance-miscellaneous:linux.kernel_modules`.
Possible values are `boot` (load the modules when booting the container) and `ondemand` (intercept the `finit_module()` syscall and allow a privileged user in the container's user namespace to load the modules).
```

```{config:option} linux.sysctl.* instance-miscellaneous
:condition: "container"
:liveupdate: "no"
:shortdesc: "Override for the corresponding `sysctl` setting in the container"
:type: "string"

```

```{config:option} ubuntu_pro.guest_attach instance-miscellaneous
:liveupdate: "no"
:shortdesc: "Whether to auto-attach Ubuntu Pro"
:type: "string"
Indicate whether the guest should auto-attach Ubuntu Pro at start up.

See {ref}`instances-ubuntu-pro-attach` for more information.
```

```{config:option} user.* instance-miscellaneous
:liveupdate: "no"
:shortdesc: "Free-form user key/value storage"
:type: "string"
User keys can be used in search.
```

<!-- config group instance-miscellaneous end -->
<!-- config group instance-nvidia start -->
```{config:option} nvidia.driver.capabilities instance-nvidia
:condition: "container"
:defaultdesc: "`compute,utility`"
:liveupdate: "no"
:shortdesc: "What driver capabilities the instance needs"
:type: "string"
The specified driver capabilities are used to set `libnvidia-container NVIDIA_DRIVER_CAPABILITIES`.
```

```{config:option} nvidia.require.cuda instance-nvidia
:condition: "container"
:liveupdate: "no"
:shortdesc: "Required CUDA version"
:type: "string"
The specified version expression is used to set `libnvidia-container NVIDIA_REQUIRE_CUDA`.
```

```{config:option} nvidia.require.driver instance-nvidia
:condition: "container"
:liveupdate: "no"
:shortdesc: "Required driver version"
:type: "string"
The specified version expression is used to set `libnvidia-container NVIDIA_REQUIRE_DRIVER`.
```

```{config:option} nvidia.runtime instance-nvidia
:condition: "container"
:defaultdesc: "`false`"
:liveupdate: "no"
:shortdesc: "Whether to pass the host NVIDIA and CUDA runtime libraries into the instance"
:type: "bool"

```

<!-- config group instance-nvidia end -->
<!-- config group instance-raw start -->
```{config:option} raw.apparmor instance-raw
:liveupdate: "yes"
:shortdesc: "AppArmor profile entries"
:type: "blob"
The specified entries are appended to the generated profile.
```

```{config:option} raw.idmap instance-raw
:condition: "unprivileged container"
:liveupdate: "no"
:shortdesc: "Raw idmap configuration"
:type: "blob"
For example: `both 1000 1000`
```

```{config:option} raw.lxc instance-raw
:condition: "container"
:liveupdate: "no"
:shortdesc: "Raw LXC configuration to be appended to the generated one"
:type: "blob"

```

```{config:option} raw.qemu instance-raw
:condition: "virtual machine"
:liveupdate: "no"
:shortdesc: "Raw QEMU configuration to be appended to the generated command line"
:type: "blob"

```

```{config:option} raw.qemu.conf instance-raw
:condition: "virtual machine"
:liveupdate: "no"
:shortdesc: "Addition/override to the generated `qemu.conf` file"
:type: "blob"
See {ref}`instance-options-qemu` for more information.
```

```{config:option} raw.seccomp instance-raw
:condition: "container"
:liveupdate: "no"
:shortdesc: "Raw Seccomp configuration"
:type: "blob"

```

<!-- config group instance-raw end -->
<!-- config group instance-resource-limits start -->
```{config:option} limits.cpu instance-resource-limits
:defaultdesc: "1 (VMs)"
:liveupdate: "yes"
:shortdesc: "Which CPUs to expose to the instance"
:type: "string"
A number or a specific range of CPUs to expose to the instance.

See {ref}`instance-options-limits-cpu` for more information.
```

```{config:option} limits.cpu.allowance instance-resource-limits
:condition: "container"
:defaultdesc: "100%"
:liveupdate: "yes"
:shortdesc: "How much of the CPU can be used"
:type: "string"
To control how much of the CPU can be used, specify either a percentage (`50%`) for a soft limit
or a chunk of time (`25ms/100ms`) for a hard limit.

See {ref}`instance-options-limits-cpu-container` for more information.
```

```{config:option} limits.cpu.nodes instance-resource-limits
:liveupdate: "yes"
:shortdesc: "Which NUMA nodes to place the instance CPUs on"
:type: "string"
A comma-separated list of NUMA node IDs or ranges to place the instance CPUs on.

See {ref}`instance-options-limits-cpu-container` for more information.
```

```{config:option} limits.cpu.pin_strategy instance-resource-limits
:condition: "virtual machine"
:defaultdesc: "`none`"
:liveupdate: "no"
:shortdesc: "VM CPU auto pinning strategy"
:type: "string"
Specify the strategy for VM CPU auto pinning.
Possible values: `none` (disables CPU auto pinning) and `auto` (enables CPU auto pinning).

See {ref}`instance-options-limits-cpu-vm` for more information.
```

```{config:option} limits.cpu.priority instance-resource-limits
:condition: "container"
:defaultdesc: "`10` (maximum)"
:liveupdate: "yes"
:shortdesc: "CPU scheduling priority compared to other instances"
:type: "integer"
When overcommitting resources, specify the CPU scheduling priority compared to other instances that share the same CPUs.
Specify an integer between 0 and 10.

See {ref}`instance-options-limits-cpu-container` for more information.
```

```{config:option} limits.disk.priority instance-resource-limits
:defaultdesc: "`5` (medium)"
:liveupdate: "yes"
:shortdesc: "Priority of the instance's I/O requests"
:type: "integer"
Controls how much priority to give to the instance's I/O requests when under load.

Specify an integer between 0 and 10.
```

```{config:option} limits.hugepages.1GB instance-resource-limits
:condition: "container"
:liveupdate: "yes"
:shortdesc: "Limit for the number of 1 GB huge pages"
:type: "string"
Fixed value (in bytes) to limit the number of 1 GB huge pages.
Various suffixes are supported (see {ref}`instances-limit-units`).

See {ref}`instance-options-limits-hugepages` for more information.
```

```{config:option} limits.hugepages.1MB instance-resource-limits
:condition: "container"
:liveupdate: "yes"
:shortdesc: "Limit for the number of 1 MB huge pages"
:type: "string"
Fixed value (in bytes) to limit the number of 1 MB huge pages.
Various suffixes are supported (see {ref}`instances-limit-units`).

See {ref}`instance-options-limits-hugepages` for more information.
```

```{config:option} limits.hugepages.2MB instance-resource-limits
:condition: "container"
:liveupdate: "yes"
:shortdesc: "Limit for the number of 2 MB huge pages"
:type: "string"
Fixed value (in bytes) to limit the number of 2 MB huge pages.
Various suffixes are supported (see {ref}`instances-limit-units`).

See {ref}`instance-options-limits-hugepages` for more information.
```

```{config:option} limits.hugepages.64KB instance-resource-limits
:condition: "container"
:liveupdate: "yes"
:shortdesc: "Limit for the number of 64 KB huge pages"
:type: "string"
Fixed value (in bytes) to limit the number of 64 KB huge pages.
Various suffixes are supported (see {ref}`instances-limit-units`).

See {ref}`instance-options-limits-hugepages` for more information.
```

```{config:option} limits.memory instance-resource-limits
:defaultdesc: "`1GiB` (VMs)"
:liveupdate: "yes"
:shortdesc: "Usage limit for the host's memory"
:type: "string"
Percentage of the host's memory or a fixed value in bytes.
Various suffixes are supported.

See {ref}`instances-limit-units` for details.
```

```{config:option} limits.memory.enforce instance-resource-limits
:condition: "container"
:defaultdesc: "`hard`"
:liveupdate: "yes"
:shortdesc: "Whether the memory limit is `hard` or `soft`"
:type: "string"
If the instance's memory limit is `hard`, the instance cannot exceed its limit.
If it is `soft`, the instance can exceed its memory limit when extra host memory is available.
```

```{config:option} limits.memory.hugepages instance-resource-limits
:condition: "virtual machine"
:defaultdesc: "`false`"
:liveupdate: "no"
:shortdesc: "Whether to back the instance using huge pages"
:type: "bool"
If this option is set to `false`, regular system memory is used.
```

```{config:option} limits.memory.swap instance-resource-limits
:condition: "container"
:defaultdesc: "`true`"
:liveupdate: "yes"
:shortdesc: "Whether to encourage/discourage swapping less used pages for this instance"
:type: "bool"

```

```{config:option} limits.memory.swap.priority instance-resource-limits
:condition: "container"
:defaultdesc: "`10` (maximum)"
:liveupdate: "yes"
:shortdesc: "Prevents the instance from being swapped to disk"
:type: "integer"
Specify an integer between 0 and 10.
The higher the value, the less likely the instance is to be swapped to disk.
```

```{config:option} limits.processes instance-resource-limits
:condition: "container"
:defaultdesc: "empty"
:liveupdate: "yes"
:shortdesc: "Maximum number of processes that can run in the instance"
:type: "integer"
If left empty, no limit is set.
```

<!-- config group instance-resource-limits end -->
<!-- config group instance-security start -->
```{config:option} security.agent.metrics instance-security
:condition: "virtual machine"
:defaultdesc: "`true`"
:liveupdate: "no"
:shortdesc: "Whether the `lxd-agent` is queried for state information and metrics"
:type: "bool"

```

```{config:option} security.csm instance-security
:condition: "virtual machine"
:defaultdesc: "`false`"
:liveupdate: "no"
:shortdesc: "Whether to use a firmware that supports UEFI-incompatible operating systems"
:type: "bool"
When enabling this option, set {config:option}`instance-security:security.secureboot` to `false`.
```

```{config:option} security.delegate_bpf instance-security
:condition: "unprivileged container"
:defaultdesc: "`false`"
:liveupdate: "no"
:shortdesc: "Whether to enable eBPF delegation using the BPF Token mechanism"
:type: "bool"
This option enables the BPF functionality delegation mechanism (using BPF Token).

Note: `security.delegate_bpf.cmd_types`, `security.delegate_bpf.map_types`,
`security.delegate_bpf.prog_types`, and `security.delegate_bpf.attach_types`
need to be configured depending on the BPF workload in the container.

See {ref}`bpf-delegation-token` for more information.

```

```{config:option} security.delegate_bpf.attach_types instance-security
:condition: "unprivileged container"
:defaultdesc: "`false`"
:liveupdate: "no"
:shortdesc: "Which eBPF attach types to allow with the delegation mechanism"
:type: "bool"
Which eBPF program attachment types to allow with the delegation mechanism. The syntax follows
the kernel's syntax for the `delegate_attachs` bpffs mount option.
You can specify a number (bitmask) or a `:`-separated list of attachment types to allow.
For example, `cgroup_inet_ingress` allows the `BPF_CGROUP_INET_INGRESS` attachment type.
```

```{config:option} security.delegate_bpf.cmd_types instance-security
:condition: "unprivileged container"
:defaultdesc: "`false`"
:liveupdate: "no"
:shortdesc: "Which eBPF commands to allow with the delegation mechanism"
:type: "bool"
Which eBPF commands to allow with the delegation mechanism. The syntax follows the kernel's syntax for the `delegate_cmds`
bpffs mount option. You can specify a number (bitmask) or a `:`-separated list of commands to allow.
For example, `prog_load:map_create` allows loading eBPF programs and creating eBPF maps.
Note: `security.delegate_bpf.prog_types` and `security.delegate_bpf.map_types` still need to
be configured accordingly.
```

```{config:option} security.delegate_bpf.map_types instance-security
:condition: "unprivileged container"
:defaultdesc: "`false`"
:liveupdate: "no"
:shortdesc: "Which eBPF maps to allow with the delegation mechanism"
:type: "bool"
Which eBPF maps to allow with the delegation mechanism. The syntax follows the kernel's syntax for the `delegate_maps`
bpffs mount option. You can specify a number (bitmask) or a `:`-separated list of map types to allow.
For example, `ringbuf` allows the `BPF_MAP_TYPE_RINGBUF` map type.
```

```{config:option} security.delegate_bpf.prog_types instance-security
:condition: "unprivileged container"
:defaultdesc: "`false`"
:liveupdate: "no"
:shortdesc: "Which eBPF program types to allow with the delegation mechanism"
:type: "bool"
Which eBPF program types to allow with the delegation mechanism. The syntax follows the kernel's syntax for the `delegate_progs`
bpffs mount option. You can specify a number (bitmask) or a `:`-separated list of program types to allow.
For example, `socket_filter` allows the `BPF_PROG_TYPE_SOCKET_FILTER` program type.
```

```{config:option} security.devlxd instance-security
:defaultdesc: "`true`"
:liveupdate: "no"
:shortdesc: "Whether `/dev/lxd` is present in the instance"
:type: "bool"
See {ref}`dev-lxd` for more information.
```

```{config:option} security.devlxd.images instance-security
:defaultdesc: "`false`"
:liveupdate: "yes"
:shortdesc: "Controls the availability of the `/1.0/images` API over `devlxd`"
:type: "bool"

```

```{config:option} security.idmap.base instance-security
:condition: "unprivileged container"
:liveupdate: "no"
:shortdesc: "The base host ID to use for the allocation"
:type: "integer"
Setting this option overrides auto-detection.
```

```{config:option} security.idmap.isolated instance-security
:condition: "unprivileged container"
:defaultdesc: "`false`"
:liveupdate: "no"
:shortdesc: "Whether to use a unique idmap for this instance"
:type: "bool"
If specified, the idmap used for this instance is unique among instances that have this option set.
```

```{config:option} security.idmap.size instance-security
:condition: "unprivileged container"
:liveupdate: "no"
:shortdesc: "The size of the idmap to use"
:type: "integer"

```

```{config:option} security.nesting instance-security
:condition: "container"
:defaultdesc: "`false`"
:liveupdate: "yes"
:shortdesc: "Whether to support running LXD (nested) inside the instance"
:type: "bool"

```

```{config:option} security.privileged instance-security
:condition: "container"
:defaultdesc: "`false`"
:liveupdate: "no"
:shortdesc: "Whether to run the instance in privileged mode"
:type: "bool"
See {ref}`container-security` for more information.
```

```{config:option} security.protection.delete instance-security
:defaultdesc: "`false`"
:liveupdate: "container"
:shortdesc: "Whether to prevent the instance from being deleted"
:type: "bool"

```

```{config:option} security.protection.shift instance-security
:condition: "container"
:defaultdesc: "`false`"
:liveupdate: "yes"
:shortdesc: "Whether to protect the file system from being UID/GID shifted"
:type: "bool"
Set this option to `true` to prevent the instance's file system from being UID/GID shifted on startup.
```

```{config:option} security.protection.start instance-security
:defaultdesc: "`false`"
:liveupdate: "container"
:shortdesc: "Whether to prevent the instance from being started"
:type: "bool"

```

```{config:option} security.secureboot instance-security
:condition: "virtual machine"
:defaultdesc: "`true`"
:liveupdate: "no"
:shortdesc: "Whether UEFI secure boot is enabled with the default Microsoft keys"
:type: "bool"
When disabling this option, consider enabling {config:option}`instance-security:security.csm`.
```

```{config:option} security.sev instance-security
:condition: "virtual machine"
:defaultdesc: "`false`"
:liveupdate: "no"
:shortdesc: "Whether AMD SEV (Secure Encrypted Virtualization) is enabled for this VM"
:type: "bool"

```

```{config:option} security.sev.policy.es instance-security
:condition: "virtual machine"
:defaultdesc: "`false`"
:liveupdate: "no"
:shortdesc: "Whether AMD SEV-ES (SEV Encrypted State) is enabled for this VM"
:type: "bool"

```

```{config:option} security.sev.session.data instance-security
:condition: "virtual machine"
:defaultdesc: "`true`"
:liveupdate: "no"
:shortdesc: "The guest owner's `base64`-encoded session blob"
:type: "string"

```

```{config:option} security.sev.session.dh instance-security
:condition: "virtual machine"
:defaultdesc: "`true`"
:liveupdate: "no"
:shortdesc: "The guest owner's `base64`-encoded Diffie-Hellman key"
:type: "string"

```

```{config:option} security.syscalls.allow instance-security
:condition: "container"
:liveupdate: "no"
:shortdesc: "List of syscalls to allow"
:type: "string"
A `\n`-separated list of syscalls to allow.
This list must be mutually exclusive with `security.syscalls.deny*`.
```

```{config:option} security.syscalls.deny instance-security
:condition: "container"
:liveupdate: "no"
:shortdesc: "List of syscalls to deny"
:type: "string"
A `\n`-separated list of syscalls to deny.
This list must be mutually exclusive with `security.syscalls.allow`.
```

```{config:option} security.syscalls.deny_compat instance-security
:condition: "container"
:defaultdesc: "`false`"
:liveupdate: "no"
:shortdesc: "Whether to block `compat_*` syscalls (`x86_64` only)"
:type: "bool"
On `x86_64`, this option controls whether to block `compat_*` syscalls.
On other architectures, the option is ignored.
```

```{config:option} security.syscalls.deny_default instance-security
:condition: "container"
:defaultdesc: "`true`"
:liveupdate: "no"
:shortdesc: "Whether to enable the default syscall deny"
:type: "bool"

```

```{config:option} security.syscalls.intercept.bpf instance-security
:condition: "container"
:defaultdesc: "`false`"
:liveupdate: "no"
:shortdesc: "Whether to handle the `bpf()` system call"
:type: "bool"

```

```{config:option} security.syscalls.intercept.bpf.devices instance-security
:condition: "container"
:defaultdesc: "`false`"
:liveupdate: "no"
:shortdesc: "Whether to allow BPF programs"
:type: "bool"
This option controls whether to allow BPF programs for the devices cgroup in the unified hierarchy to be loaded.
```

```{config:option} security.syscalls.intercept.mknod instance-security
:condition: "container"
:defaultdesc: "`false`"
:liveupdate: "no"
:shortdesc: "Whether to handle the `mknod` and `mknodat` system calls"
:type: "bool"
These system calls allow creation of a limited subset of char/block devices.
```

```{config:option} security.syscalls.intercept.mount instance-security
:condition: "container"
:defaultdesc: "`false`"
:liveupdate: "no"
:shortdesc: "Whether to handle the `mount` system call"
:type: "bool"

```

```{config:option} security.syscalls.intercept.mount.allowed instance-security
:condition: "container"
:liveupdate: "yes"
:shortdesc: "File systems that can be mounted"
:type: "string"
Specify a comma-separated list of file systems that are safe to mount for processes inside the instance.
```

```{config:option} security.syscalls.intercept.mount.fuse instance-security
:condition: "container"
:liveupdate: "yes"
:shortdesc: "File system that should be redirected to FUSE implementation"
:type: "string"
Specify the mounts of a given file system that should be redirected to their FUSE implementation (for example, `ext4=fuse2fs`).
```

```{config:option} security.syscalls.intercept.mount.shift instance-security
:condition: "container"
:defaultdesc: "`false`"
:liveupdate: "yes"
:shortdesc: "Whether to use idmapped mounts for syscall interception"
:type: "bool"

```

```{config:option} security.syscalls.intercept.sched_setscheduler instance-security
:condition: "container"
:defaultdesc: "`false`"
:liveupdate: "no"
:shortdesc: "Whether to handle the `sched_setscheduler` system call"
:type: "bool"
This system call allows increasing process priority.
```

```{config:option} security.syscalls.intercept.setxattr instance-security
:condition: "container"
:defaultdesc: "`false`"
:liveupdate: "no"
:shortdesc: "Whether to handle the `setxattr` system call"
:type: "bool"
This system call allows setting a limited subset of restricted extended attributes.
```

```{config:option} security.syscalls.intercept.sysinfo instance-security
:condition: "container"
:defaultdesc: "`false`"
:liveupdate: "no"
:shortdesc: "Whether to handle the `sysinfo` system call"
:type: "bool"
This system call can be used to get cgroup-based resource usage information.
```

<!-- config group instance-security end -->
<!-- config group instance-snapshots start -->
```{config:option} snapshots.expiry instance-snapshots
:liveupdate: "no"
:shortdesc: "When snapshots are to be deleted"
:type: "string"
Specify an expression like `1M 2H 3d 4w 5m 6y`.
```

```{config:option} snapshots.pattern instance-snapshots
:defaultdesc: "`snap%d`"
:liveupdate: "no"
:shortdesc: "Template for the snapshot name"
:type: "string"
Specify a Pongo2 template string that represents the snapshot name.
This template is used for scheduled snapshots and for unnamed snapshots.

See {ref}`instance-options-snapshots-names` for more information.
```

```{config:option} snapshots.schedule instance-snapshots
:defaultdesc: "empty"
:liveupdate: "no"
:shortdesc: "Schedule for automatic instance snapshots"
:type: "string"
Specify either a cron expression (`<minute> <hour> <dom> <month> <dow>`), a comma-separated list of schedule aliases (`@hourly`, `@daily`, `@midnight`, `@weekly`, `@monthly`, `@annually`, `@yearly`), or leave empty to disable automatic snapshots.

```

```{config:option} snapshots.schedule.stopped instance-snapshots
:defaultdesc: "`false`"
:liveupdate: "no"
:shortdesc: "Whether to automatically snapshot stopped instances"
:type: "bool"

```

<!-- config group instance-snapshots end -->
<!-- config group instance-volatile start -->
```{config:option} volatile.<name>.apply_quota instance-volatile
:shortdesc: "Disk quota"
:type: "string"
The disk quota is applied the next time the instance starts.
```

```{config:option} volatile.<name>.ceph_rbd instance-volatile
:shortdesc: "RBD device path for Ceph disk devices"
:type: "string"

```

```{config:option} volatile.<name>.host_name instance-volatile
:shortdesc: "Network device name on the host"
:type: "string"

```

```{config:option} volatile.<name>.hwaddr instance-volatile
:shortdesc: "Network device MAC address"
:type: "string"
The network device MAC address is used when no `hwaddr` property is set on the device itself.
```

```{config:option} volatile.<name>.last_state.created instance-volatile
:shortdesc: "Whether the network device physical device was created"
:type: "string"
Possible values are `true` or `false`.
```

```{config:option} volatile.<name>.last_state.hwaddr instance-volatile
:shortdesc: "Network device original MAC"
:type: "string"
The original MAC that was used when moving a physical device into an instance.
```

```{config:option} volatile.<name>.last_state.mtu instance-volatile
:shortdesc: "Network device original MTU"
:type: "string"
The original MTU that was used when moving a physical device into an instance.
```

```{config:option} volatile.<name>.last_state.vdpa.name instance-volatile
:shortdesc: "VDPA device name"
:type: "string"
The VDPA device name used when moving a VDPA device file descriptor into an instance.
```

```{config:option} volatile.<name>.last_state.vf.hwaddr instance-volatile
:shortdesc: "SR-IOV virtual function original MAC"
:type: "string"
The original MAC used when moving a VF into an instance.
```

```{config:option} volatile.<name>.last_state.vf.id instance-volatile
:shortdesc: "SR-IOV virtual function ID"
:type: "string"
The ID used when moving a VF into an instance.
```

```{config:option} volatile.<name>.last_state.vf.spoofcheck instance-volatile
:shortdesc: "SR-IOV virtual function original spoof check setting"
:type: "string"
The original spoof check setting used when moving a VF into an instance.
```

```{config:option} volatile.<name>.last_state.vf.vlan instance-volatile
:shortdesc: "SR-IOV virtual function original VLAN"
:type: "string"
The original VLAN used when moving a VF into an instance.
```

```{config:option} volatile.apply_nvram instance-volatile
:shortdesc: "Whether to regenerate VM NVRAM the next time the instance starts"
:type: "bool"

```

```{config:option} volatile.apply_template instance-volatile
:shortdesc: "Template hook"
:type: "string"
The template with the given name is triggered upon next startup.
```

```{config:option} volatile.base_image instance-volatile
:shortdesc: "Hash of the base image"
:type: "string"
The hash of the image that the instance was created from (empty if the instance was not created from an image).
```

```{config:option} volatile.cloud-init.instance-id instance-volatile
:shortdesc: "`instance-id` (UUID) exposed to `cloud-init`"
:type: "string"

```

```{config:option} volatile.evacuate.origin instance-volatile
:shortdesc: "The origin of the evacuated instance"
:type: "string"
The cluster member that the instance lived on before evacuation.
```

```{config:option} volatile.idmap.base instance-volatile
:condition: "container"
:shortdesc: "The first ID in the container's primary idmap range"
:type: "integer"

```

```{config:option} volatile.idmap.current instance-volatile
:condition: "container"
:shortdesc: "The idmap currently in use by the container"
:type: "string"

```

```{config:option} volatile.idmap.next instance-volatile
:condition: "container"
:shortdesc: "The idmap to use the next time the container starts"
:type: "string"

```

```{config:option} volatile.last_state.idmap instance-volatile
:condition: "container"
:shortdesc: "On-disk UID/GID map for the container's rootfs"
:type: "string"
The UID/GID map that has been applied to the container's underlying storage.
This is usually set for containers created on older kernels that don't
support idmapped mounts.
```

```{config:option} volatile.last_state.power instance-volatile
:shortdesc: "Instance state as of last host shutdown"
:type: "string"

```

```{config:option} volatile.uuid instance-volatile
:shortdesc: "Instance UUID"
:type: "string"
The instance UUID is globally unique across all servers and projects.
```

```{config:option} volatile.uuid.generation instance-volatile
:shortdesc: "Instance generation UUID"
:type: "string"
The instance generation UUID changes whenever the instance's place in time moves backwards.
It is globally unique across all servers and projects.
```

```{config:option} volatile.vsock_id instance-volatile
:shortdesc: "Instance `vsock ID` used as of last start"
:type: "string"

```

<!-- config group instance-volatile end -->
<!-- config group instance-property-instance-conf start -->
```{config:option} architecture instance-property-instance-conf
:readonly: "no"
:shortdesc: "Instance architecture"
:type: "string"

```

```{config:option} name instance-property-instance-conf
:readonly: "yes"
:shortdesc: "Instance name"
:type: "string"
See {ref}`instance-name-requirements`.
```

<!-- config group instance-property-instance-conf end -->
<!-- config group network-acl-acl-properties start -->
```{config:option} config network-acl-acl-properties
:required: "no"
:shortdesc: "User-provided free-form key/value pairs"
:type: "string set"
The only supported keys are `user.*` custom keys.
```

```{config:option} description network-acl-acl-properties
:required: "no"
:shortdesc: "Description of the network ACL"
:type: "string"

```

```{config:option} egress network-acl-acl-properties
:required: "no"
:shortdesc: "Egress traffic rules"
:type: "rule list"

```

```{config:option} ingress network-acl-acl-properties
:required: "no"
:shortdesc: "Ingress traffic rules"
:type: "rule list"

```

```{config:option} name network-acl-acl-properties
:required: "yes"
:shortdesc: "Unique name of the network ACL in the project"
:type: "string"

```

<!-- config group network-acl-acl-properties end -->
<!-- config group network-acl-rule-properties start -->
```{config:option} action network-acl-rule-properties
:required: "yes"
:shortdesc: "Action to take for matching traffic"
:type: "string"
Possible values are `allow`, `reject`, and `drop`.
```

```{config:option} description network-acl-rule-properties
:required: "no"
:shortdesc: "Description of the rule"
:type: "string"

```

```{config:option} destination network-acl-rule-properties
:required: "no"
:shortdesc: "Comma-separated list of destinations"
:type: "string"
Destinations can be specified as CIDR or IP ranges, destination subject name selectors (for egress rules), or be left empty for any.
```

```{config:option} destination_port network-acl-rule-properties
:required: "no"
:shortdesc: "Destination ports or port ranges"
:type: "string"
This option is valid only if the protocol is `udp` or `tcp`.
Specify a comma-separated list of ports or port ranges (start-end inclusive), or leave the value empty for any.
```

```{config:option} icmp_code network-acl-rule-properties
:required: "no"
:shortdesc: "ICMP message code"
:type: "string"
This option is valid only if the protocol is `icmp4` or `icmp6`.
Specify the ICMP code number, or leave the value empty for any.
```

```{config:option} icmp_type network-acl-rule-properties
:required: "no"
:shortdesc: "Type of ICMP message"
:type: "string"
This option is valid only if the protocol is `icmp4` or `icmp6`.
Specify the ICMP type number, or leave the value empty for any.
```

```{config:option} protocol network-acl-rule-properties
:required: "no"
:shortdesc: "Protocol to match"
:type: "string"
Possible values are `icmp4`, `icmp6`, `tcp`, and `udp`.
Leave the value empty to match any protocol.
```

```{config:option} source network-acl-rule-properties
:required: "no"
:shortdesc: "Comma-separated list of sources"
:type: "string"
Sources can be specified as CIDR or IP ranges, source subject name selectors (for ingress rules), or be left empty for any.
```

```{config:option} source_port network-acl-rule-properties
:required: "no"
:shortdesc: "Source ports or port ranges"
:type: "string"
This option is valid only if the protocol is `udp` or `tcp`.
Specify a comma-separated list of ports or port ranges (start-end inclusive), or leave the value empty for any.
```

```{config:option} state network-acl-rule-properties
:defaultdesc: "`enabled`"
:required: "yes"
:shortdesc: "State of the rule"
:type: "string"
Possible values are `enabled`, `disabled`, and `logged`.
```

<!-- config group network-acl-rule-properties end -->
<!-- config group network-bridge-network-conf start -->
```{config:option} bgp.ipv4.nexthop network-bridge-network-conf
:condition: "BGP server"
:defaultdesc: "local address"
:scope: "local"
:shortdesc: "Override the IPv4 next-hop for advertised prefixes"
:type: "string"

```

```{config:option} bgp.ipv6.nexthop network-bridge-network-conf
:condition: "BGP server"
:defaultdesc: "local address"
:scope: "local"
:shortdesc: "Override the IPv6 next-hop for advertised prefixes"
:type: "string"

```

```{config:option} bgp.peers.NAME.address network-bridge-network-conf
:condition: "BGP server"
:scope: "global"
:shortdesc: "Peer address (IPv4 or IPv6)"
:type: "string"

```

```{config:option} bgp.peers.NAME.asn network-bridge-network-conf
:condition: "BGP server"
:scope: "global"
:shortdesc: "Peer AS number"
:type: "integer"

```

```{config:option} bgp.peers.NAME.holdtime network-bridge-network-conf
:condition: "BGP server"
:defaultdesc: "`180`"
:required: "no"
:scope: "global"
:shortdesc: "Peer session hold time"
:type: "integer"
Specify the hold time in seconds.
```

```{config:option} bgp.peers.NAME.password network-bridge-network-conf
:condition: "BGP server"
:defaultdesc: "(no password)"
:required: "no"
:scope: "global"
:shortdesc: "Peer session password"
:type: "string"

```

```{config:option} bridge.driver network-bridge-network-conf
:defaultdesc: "`native`"
:scope: "global"
:shortdesc: "Bridge driver"
:type: "string"
Possible values are `native` and `openvswitch`.
```

```{config:option} bridge.external_interfaces network-bridge-network-conf
:scope: "local"
:shortdesc: "Unconfigured network interfaces to include in the bridge"
:type: "string"
Specify a comma-separated list of unconfigured network interfaces to include in the bridge.
```

```{config:option} bridge.hwaddr network-bridge-network-conf
:scope: "global"
:shortdesc: "MAC address for the bridge"
:type: "string"

```

```{config:option} bridge.mode network-bridge-network-conf
:defaultdesc: "`standard`"
:scope: "global"
:shortdesc: "Bridge operation mode"
:type: "string"
Possible values are `standard` and `fan`.
```

```{config:option} bridge.mtu network-bridge-network-conf
:defaultdesc: "`1500` if `bridge.mode=standard`, `1480` if `bridge.mode=fan` and `fan.type=ipip`, or `1450` if `bridge.mode=fan` and `fan.type=vxlan`"
:scope: "global"
:shortdesc: "Bridge MTU"
:type: "integer"
The default value varies depending on whether the bridge uses a tunnel or a fan setup.
```

```{config:option} dns.domain network-bridge-network-conf
:defaultdesc: "`lxd`"
:scope: "global"
:shortdesc: "Domain to advertise to DHCP clients and use for DNS resolution"
:type: "string"

```

```{config:option} dns.mode network-bridge-network-conf
:defaultdesc: "`managed`"
:scope: "global"
:shortdesc: "DNS registration mode"
:type: "string"
Possible values are `none` for no DNS record, `managed` for LXD-generated static records, and `dynamic` for client-generated records.
```

```{config:option} dns.search network-bridge-network-conf
:defaultdesc: "`dns.domain` value"
:scope: "global"
:shortdesc: "Full domain search list"
:type: "string"
Specify a comma-separated list of domains.
```

```{config:option} dns.zone.forward network-bridge-network-conf
:scope: "global"
:shortdesc: "DNS zone names for forward DNS records"
:type: "string"
Specify a comma-separated list of DNS zone names.
```

```{config:option} dns.zone.reverse.ipv4 network-bridge-network-conf
:scope: "global"
:shortdesc: "DNS zone name for IPv4 reverse DNS records"
:type: "string"

```

```{config:option} dns.zone.reverse.ipv6 network-bridge-network-conf
:scope: "global"
:shortdesc: "DNS zone name for IPv6 reverse DNS records"
:type: "string"

```

```{config:option} fan.overlay_subnet network-bridge-network-conf
:condition: "fan mode"
:defaultdesc: "`240.0.0.0/8`"
:scope: "global"
:shortdesc: "Subnet to use as the overlay for the FAN"
:type: "string"
Use CIDR notation.
```

```{config:option} fan.type network-bridge-network-conf
:condition: "fan mode"
:defaultdesc: "`vxlan`"
:scope: "global"
:shortdesc: "Tunneling type for the FAN"
:type: "string"
Possible values are `vxlan` and `ipip`.
```

```{config:option} fan.underlay_subnet network-bridge-network-conf
:condition: "fan mode"
:defaultdesc: "initial value on creation: `auto`"
:scope: "global"
:shortdesc: "Subnet to use as the underlay for the FAN"
:type: "string"
Use CIDR notation.

You can set the option to `auto` to use the default gateway subnet.
```

```{config:option} ipv4.address network-bridge-network-conf
:condition: "standard mode"
:defaultdesc: "initial value on creation: `auto`"
:scope: "global"
:shortdesc: "IPv4 address for the bridge"
:type: "string"
Use CIDR notation.

You can set the option to `none` to turn off IPv4, or to `auto` to generate a new random unused subnet.
```

```{config:option} ipv4.dhcp network-bridge-network-conf
:condition: "IPv4 address"
:defaultdesc: "`true`"
:scope: "global"
:shortdesc: "Whether to allocate IPv4 addresses using DHCP"
:type: "bool"

```

```{config:option} ipv4.dhcp.expiry network-bridge-network-conf
:condition: "IPv4 DHCP"
:defaultdesc: "`1h`"
:scope: "global"
:shortdesc: "When to expire DHCP leases"
:type: "string"

```

```{config:option} ipv4.dhcp.gateway network-bridge-network-conf
:condition: "IPv4 DHCP"
:defaultdesc: "IPv4 address"
:scope: "global"
:shortdesc: "Address of the gateway for the IPv4 subnet"
:type: "string"

```

```{config:option} ipv4.dhcp.ranges network-bridge-network-conf
:condition: "IPv4 DHCP"
:defaultdesc: "all addresses"
:scope: "global"
:shortdesc: "IPv4 ranges to use for DHCP"
:type: "string"
Specify a comma-separated list of IPv4 ranges in FIRST-LAST format.
```

```{config:option} ipv4.firewall network-bridge-network-conf
:condition: "IPv4 address"
:defaultdesc: "`true`"
:scope: "global"
:shortdesc: "Whether to generate filtering firewall rules for this network"
:type: "bool"

```

```{config:option} ipv4.nat network-bridge-network-conf
:condition: "IPv4 address"
:defaultdesc: "`false` (initial value on creation if `ipv4.address` is set to `auto`: `true`)"
:scope: "global"
:shortdesc: "Whether to use NAT for IPv4"
:type: "bool"

```

```{config:option} ipv4.nat.address network-bridge-network-conf
:condition: "IPv4 address"
:scope: "global"
:shortdesc: "Source address used for outbound traffic from the bridge"
:type: "string"

```

```{config:option} ipv4.nat.order network-bridge-network-conf
:condition: "IPv4 address"
:defaultdesc: "`before`"
:scope: "global"
:shortdesc: "Where to add the required NAT rules"
:type: "string"
Set this option to `before` to add the NAT rules before any pre-existing rules, or to `after` to add them after the pre-existing rules.
```

```{config:option} ipv4.ovn.ranges network-bridge-network-conf
:scope: "global"
:shortdesc: "IPv4 ranges to use for child OVN network routers"
:type: "string"
Specify a comma-separated list of IPv4 ranges in FIRST-LAST format.
```

```{config:option} ipv4.routes network-bridge-network-conf
:condition: "IPv4 address"
:scope: "global"
:shortdesc: "Additional IPv4 CIDR subnets to route to the bridge"
:type: "string"
Specify a comma-separated list of IPv4 CIDR subnets.
```

```{config:option} ipv4.routing network-bridge-network-conf
:condition: "IPv4 address"
:defaultdesc: "`true`"
:scope: "global"
:shortdesc: "Whether to route IPv4 traffic in and out of the bridge"
:type: "bool"

```

```{config:option} ipv6.address network-bridge-network-conf
:condition: "standard mode"
:defaultdesc: "initial value on creation: `auto`"
:scope: "global"
:shortdesc: "IPv6 address for the bridge"
:type: "string"
Use CIDR notation.

You can set the option to `none` to turn off IPv6, or to `auto` to generate a new random unused subnet.
```

```{config:option} ipv6.dhcp network-bridge-network-conf
:condition: "IPv6 address"
:defaultdesc: "`true`"
:scope: "global"
:shortdesc: "Whether to provide additional network configuration over DHCP"
:type: "bool"

```

```{config:option} ipv6.dhcp.expiry network-bridge-network-conf
:condition: "IPv6 DHCP"
:defaultdesc: "`1h`"
:scope: "global"
:shortdesc: "When to expire DHCP leases"
:type: "string"

```

```{config:option} ipv6.dhcp.ranges network-bridge-network-conf
:condition: "IPv6 stateful DHCP"
:defaultdesc: "all addresses"
:scope: "global"
:shortdesc: "IPv6 ranges to use for DHCP"
:type: "string"
Specify a comma-separated list of IPv6 ranges in FIRST-LAST format.
```

```{config:option} ipv6.dhcp.stateful network-bridge-network-conf
:condition: "IPv6 DHCP"
:defaultdesc: "`false`"
:scope: "global"
:shortdesc: "Whether to allocate IPv6 addresses using DHCP"
:type: "bool"

```

```{config:option} ipv6.firewall network-bridge-network-conf
:condition: "IPv6 DHCP"
:defaultdesc: "`true`"
:scope: "global"
:shortdesc: "Whether to generate filtering firewall rules for this network"
:type: "bool"

```

```{config:option} ipv6.nat network-bridge-network-conf
:condition: "IPv6 address"
:defaultdesc: "`false` (initial value on creation if `ipv6.address` is set to `auto`: `true`)"
:scope: "global"
:shortdesc: "Whether to use NAT for IPv6"
:type: "bool"

```

```{config:option} ipv6.nat.address network-bridge-network-conf
:condition: "IPv6 address"
:scope: "global"
:shortdesc: "Source address used for outbound traffic from the bridge"
:type: "string"

```

```{config:option} ipv6.nat.order network-bridge-network-conf
:condition: "IPv6 address"
:defaultdesc: "`before`"
:scope: "global"
:shortdesc: "Where to add the required NAT rules"
:type: "string"
Set this option to `before` to add the NAT rules before any pre-existing rules, or to `after` to add them after the pre-existing rules.
```

```{config:option} ipv6.ovn.ranges network-bridge-network-conf
:scope: "global"
:shortdesc: "IPv6 ranges to use for child OVN network routers"
:type: "string"
Specify a comma-separated list of IPv6 ranges in FIRST-LAST format.
```

```{config:option} ipv6.routes network-bridge-network-conf
:condition: "IPv6 address"
:scope: "global"
:shortdesc: "Additional IPv6 CIDR subnets to route to the bridge"
:type: "string"
Specify a comma-separated list of IPv6 CIDR subnets.
```

```{config:option} ipv6.routing network-bridge-network-conf
:condition: "IPv6 address"
:scope: "global"
:shortdesc: "Whether to route IPv6 traffic in and out of the bridge"
:type: "bool"

```

```{config:option} maas.subnet.ipv4 network-bridge-network-conf
:condition: "IPv4 address; using the `network` property on the NIC"
:scope: "global"
:shortdesc: "MAAS IPv4 subnet to register instances in"
:type: "string"

```

```{config:option} maas.subnet.ipv6 network-bridge-network-conf
:condition: "IPv6 address; using the `network` property on the NIC"
:scope: "global"
:shortdesc: "MAAS IPv6 subnet to register instances in"
:type: "string"

```

```{config:option} raw.dnsmasq network-bridge-network-conf
:scope: "global"
:shortdesc: "Additional `dnsmasq` configuration to append to the configuration file"
:type: "string"

```

```{config:option} security.acls network-bridge-network-conf
:scope: "global"
:shortdesc: "Network ACLs to apply to NICs connected to this network"
:type: "string"
Specify a comma-separated list of network ACLs.

Also see {ref}`network-acls-bridge-limitations`.
```

```{config:option} security.acls.default.egress.action network-bridge-network-conf
:condition: "`security.acls`"
:scope: "global"
:shortdesc: "Default action to use for egress traffic"
:type: "string"
The specified action is used for all egress traffic that doesn’t match any ACL rule.
```

```{config:option} security.acls.default.egress.logged network-bridge-network-conf
:condition: "`security.acls`"
:scope: "global"
:shortdesc: "Whether to log egress traffic that doesn’t match any ACL rule"
:type: "bool"

```

```{config:option} security.acls.default.ingress.action network-bridge-network-conf
:condition: "`security.acls`"
:scope: "global"
:shortdesc: "Default action to use for ingress traffic"
:type: "string"
The specified action is used for all ingress traffic that doesn’t match any ACL rule.
```

```{config:option} security.acls.default.ingress.logged network-bridge-network-conf
:condition: "`security.acls`"
:scope: "global"
:shortdesc: "Whether to log ingress traffic that doesn’t match any ACL rule"
:type: "bool"

```

```{config:option} tunnel.NAME.group network-bridge-network-conf
:condition: "`vxlan`"
:shortdesc: "Multicast address for `vxlan`"
:type: "string"
This address is used if {config:option}`network-bridge-network-conf:tunnel.NAME.local` and {config:option}`network-bridge-network-conf:tunnel.NAME.remote` aren’t set.
```

```{config:option} tunnel.NAME.id network-bridge-network-conf
:condition: "`vxlan`"
:shortdesc: "Specific tunnel ID to use for the `vxlan` tunnel"
:type: "integer"

```

```{config:option} tunnel.NAME.interface network-bridge-network-conf
:condition: "`vxlan`"
:shortdesc: "Specific host interface to use for the tunnel"
:type: "string"

```

```{config:option} tunnel.NAME.local network-bridge-network-conf
:condition: "`gre` or `vxlan`"
:required: "not required for multicast `vxlan`"
:shortdesc: "Local address for the tunnel"
:type: "string"

```

```{config:option} tunnel.NAME.port network-bridge-network-conf
:condition: "`vxlan`"
:defaultdesc: "`0`"
:shortdesc: "Specific port to use for the `vxlan` tunnel"
:type: "integer"

```

```{config:option} tunnel.NAME.protocol network-bridge-network-conf
:condition: "standard mode"
:shortdesc: "Tunneling protocol"
:type: "string"
Possible values are `vxlan` and `gre`.
```

```{config:option} tunnel.NAME.remote network-bridge-network-conf
:condition: "`gre` or `vxlan`"
:required: "not required for multicast `vxlan`"
:shortdesc: "Remote address for the tunnel"
:type: "string"

```

```{config:option} tunnel.NAME.ttl network-bridge-network-conf
:condition: "`vxlan`"
:defaultdesc: "`1`"
:shortdesc: "Specific TTL to use for multicast routing topologies"
:type: "string"

```

```{config:option} user.* network-bridge-network-conf
:scope: "global"
:shortdesc: "User-provided free-form key/value pairs"
:type: "string"

```

<!-- config group network-bridge-network-conf end -->
<!-- config group network-forward-forward-properties start -->
```{config:option} config network-forward-forward-properties
:required: "no"
:shortdesc: "User-provided free-form key/value pairs"
:type: "string set"
The only supported keys are `target_address` and `user.*` custom keys.

The `target_address` key is for the default target address of the network forward.
It must be an IP address within the subnet of the network the forward belongs to.
```

```{config:option} description network-forward-forward-properties
:required: "yes"
:shortdesc: "Description of the network forward"
:type: "string"

```

```{config:option} listen_address network-forward-forward-properties
:required: "no"
:shortdesc: "IP address to listen on"
:type: "string"
See {ref}`network-forwards-listen-addresses`.
```

```{config:option} ports network-forward-forward-properties
:required: "no"
:shortdesc: "List of port specifications"
:type: "port list"
See {ref}`network-forwards-port-specifications`.
```

<!-- config group network-forward-forward-properties end -->
<!-- config group network-forward-port-properties start -->
```{config:option} description network-forward-port-properties
:required: "no"
:shortdesc: "Description of the port or ports"
:type: "string"

```

```{config:option} listen_port network-forward-port-properties
:required: "yes"
:shortdesc: "Listen port or ports"
:type: "string"
For example: `80,90-100`
```

```{config:option} protocol network-forward-port-properties
:required: "yes"
:shortdesc: "Protocol for the port or ports"
:type: "string"
Possible values are `tcp` and `udp`.
```

```{config:option} target_address network-forward-port-properties
:required: "yes"
:shortdesc: "IP address to forward to"
:type: "string"
This `target_address` must be within the subnet of the network the forward belongs to.
Also, it must be different from the forward’s default target address.
```

```{config:option} target_port network-forward-port-properties
:defaultdesc: "same as `listen_port`"
:required: "no"
:shortdesc: "Target port or ports"
:type: "string"
For example: `70,80-90` or `90`
```

<!-- config group network-forward-port-properties end -->
<!-- config group network-load-balancer-load-balancer-backend-properties start -->
```{config:option} description network-load-balancer-load-balancer-backend-properties
:required: "no"
:shortdesc: "Description of the backend"
:type: "string"

```

```{config:option} name network-load-balancer-load-balancer-backend-properties
:required: "yes"
:shortdesc: "Name of the backend"
:type: "string"

```

```{config:option} target_address network-load-balancer-load-balancer-backend-properties
:required: "yes"
:shortdesc: "IP address to forward to"
:type: "string"

```

```{config:option} target_port network-load-balancer-load-balancer-backend-properties
:defaultdesc: "same as {config:option}`network-load-balancer-load-balancer-port-properties:listen_port`"
:required: "no"
:shortdesc: "Target port or ports"
:type: "string"
For example: `70,80-90` or `90`
```

<!-- config group network-load-balancer-load-balancer-backend-properties end -->
<!-- config group network-load-balancer-load-balancer-port-properties start -->
```{config:option} description network-load-balancer-load-balancer-port-properties
:required: "no"
:shortdesc: "Description of the port or ports"
:type: "string"

```

```{config:option} listen_port network-load-balancer-load-balancer-port-properties
:required: "yes"
:shortdesc: "Listen port or ports"
:type: "string"
For example: `80,90-100`
```

```{config:option} protocol network-load-balancer-load-balancer-port-properties
:required: "yes"
:shortdesc: "Protocol for the port or ports"
:type: "string"
Possible values are `tcp` and `udp`.
```

```{config:option} target_backend network-load-balancer-load-balancer-port-properties
:required: "yes"
:shortdesc: "Backend name or names to forward to"
:type: "backend list"

```

<!-- config group network-load-balancer-load-balancer-port-properties end -->
<!-- config group network-load-balancer-load-balancer-properties start -->
```{config:option} backends network-load-balancer-load-balancer-properties
:required: "no"
:shortdesc: "List of backend specifications"
:type: "backend list"
See {ref}`network-load-balancers-backend-specifications`.
```

```{config:option} config network-load-balancer-load-balancer-properties
:required: "no"
:shortdesc: "User-provided free-form key/value pairs"
:type: "string set"
The only supported keys are `user.*` custom keys.
```

```{config:option} description network-load-balancer-load-balancer-properties
:required: "no"
:shortdesc: "Description of the network load balancer"
:type: "string"

```

```{config:option} listen_address network-load-balancer-load-balancer-properties
:required: "no"
:shortdesc: "IP address to listen on"
:type: "string"

```

```{config:option} ports network-load-balancer-load-balancer-properties
:required: "no"
:shortdesc: "List of port specifications"
:type: "port list"
See {ref}`network-load-balancers-port-specifications`.
```

<!-- config group network-load-balancer-load-balancer-properties end -->
<!-- config group network-macvlan-network-conf start -->
```{config:option} gvrp network-macvlan-network-conf
:defaultdesc: "`false`"
:scope: "global"
:shortdesc: "Whether to use GARP VLAN Registration Protocol"
:type: "bool"
This option specifies whether to register the VLAN using the GARP VLAN Registration Protocol.
```

```{config:option} maas.subnet.ipv4 network-macvlan-network-conf
:condition: "IPv4 address; using the `network` property on the NIC"
:scope: "global"
:shortdesc: "MAAS IPv4 subnet to register instances in"
:type: "string"

```

```{config:option} maas.subnet.ipv6 network-macvlan-network-conf
:condition: "IPv4 address; using the `network` property on the NIC"
:scope: "global"
:shortdesc: "MAAS IPv6 subnet to register instances in"
:type: "string"

```

```{config:option} mtu network-macvlan-network-conf
:scope: "global"
:shortdesc: "MTU of the new interface"
:type: "integer"

```

```{config:option} parent network-macvlan-network-conf
:scope: "local"
:shortdesc: "Parent interface to create `macvlan` NICs on"
:type: "string"

```

```{config:option} user.* network-macvlan-network-conf
:scope: "global"
:shortdesc: "User-provided free-form key/value pairs"
:type: "string"

```

```{config:option} vlan network-macvlan-network-conf
:scope: "global"
:shortdesc: "VLAN ID to attach to"
:type: "integer"

```

<!-- config group network-macvlan-network-conf end -->
<!-- config group network-ovn-network-conf start -->
```{config:option} bridge.hwaddr network-ovn-network-conf
:shortdesc: "MAC address for the bridge"
:type: "string"

```

```{config:option} bridge.mtu network-ovn-network-conf
:defaultdesc: "`1442`"
:shortdesc: "Bridge MTU"
:type: "integer"
The default value allows the host to host Geneve tunnels.
```

```{config:option} dns.domain network-ovn-network-conf
:defaultdesc: "`lxd`"
:shortdesc: "Domain to advertise to DHCP clients and use for DNS resolution"
:type: "string"

```

```{config:option} dns.search network-ovn-network-conf
:defaultdesc: "`dns.domain` value"
:shortdesc: "Full domain search list"
:type: "string"
Specify a comma-separated list of domains.
```

```{config:option} dns.zone.forward network-ovn-network-conf
:shortdesc: "DNS zone names for forward DNS records"
:type: "string"
Specify a comma-separated list of DNS zone names.
```

```{config:option} dns.zone.reverse.ipv4 network-ovn-network-conf
:shortdesc: "DNS zone name for IPv4 reverse DNS records"
:type: "string"

```

```{config:option} dns.zone.reverse.ipv6 network-ovn-network-conf
:shortdesc: "DNS zone name for IPv6 reverse DNS records"
:type: "string"

```

```{config:option} ipv4.address network-ovn-network-conf
:condition: "standard mode"
:defaultdesc: "initial value on creation: `auto`"
:shortdesc: "IPv4 address for the OVN network"
:type: "string"
Use CIDR notation.

You can set the option to `none` to turn off IPv4, or to `auto` to generate a new random unused subnet.
```

```{config:option} ipv4.dhcp network-ovn-network-conf
:condition: "IPv4 address"
:defaultdesc: "`true`"
:shortdesc: "Whether to allocate IPv4 addresses using DHCP"
:type: "bool"

```

```{config:option} ipv4.l3only network-ovn-network-conf
:condition: "IPv4 address"
:defaultdesc: "`false`"
:shortdesc: "Whether to enable layer 3 only mode for IPv4"
:type: "bool"

```

```{config:option} ipv4.nat network-ovn-network-conf
:condition: "IPv4 address"
:defaultdesc: "`false` (initial value on creation if `ipv4.address` is set to `auto`: `true`)"
:shortdesc: "Whether to use NAT for IPv4"
:type: "bool"

```

```{config:option} ipv4.nat.address network-ovn-network-conf
:condition: "IPv4 address; requires uplink `ovn.ingress_mode=routed`"
:shortdesc: "Source address used for outbound traffic from the network"
:type: "string"

```

```{config:option} ipv6.address network-ovn-network-conf
:condition: "standard mode"
:defaultdesc: "initial value on creation: `auto`"
:shortdesc: "IPv6 address for the OVN network"
:type: "string"
Use CIDR notation.

You can set the option to `none` to turn off IPv6, or to `auto` to generate a new random unused subnet.
```

```{config:option} ipv6.dhcp network-ovn-network-conf
:condition: "IPv6 address"
:defaultdesc: "`true`"
:shortdesc: "Whether to provide additional network configuration over DHCP"
:type: "bool"

```

```{config:option} ipv6.dhcp.stateful network-ovn-network-conf
:condition: "IPv6 DHCP"
:defaultdesc: "`false`"
:shortdesc: "Whether to allocate IPv6 addresses using DHCP"
:type: "bool"

```

```{config:option} ipv6.l3only network-ovn-network-conf
:condition: "IPv6 DHCP stateful"
:defaultdesc: "`false`"
:shortdesc: "Whether to enable layer 3 only mode for IPv6"
:type: "bool"

```

```{config:option} ipv6.nat network-ovn-network-conf
:condition: "IPv6 address"
:defaultdesc: "`false` (initial value on creation if `ipv6.address` is set to `auto`: `true`)"
:shortdesc: "Whether to use NAT for IPv6"
:type: "bool"

```

```{config:option} ipv6.nat.address network-ovn-network-conf
:condition: "IPv6 address; requires uplink `ovn.ingress_mode=routed`"
:shortdesc: "Source address used for outbound traffic from the network"
:type: "string"

```

```{config:option} network network-ovn-network-conf
:shortdesc: "Uplink network to use for external network access"
:type: "string"

```

```{config:option} security.acls network-ovn-network-conf
:shortdesc: "Network ACLs to apply to NICs connected to this network"
:type: "string"
Specify a comma-separated list of network ACLs.
```

```{config:option} security.acls.default.egress.action network-ovn-network-conf
:condition: "`security.acls`"
:defaultdesc: "`reject`"
:shortdesc: "Default action to use for egress traffic"
:type: "string"
The specified action is used for all egress traffic that doesn’t match any ACL rule.
```

```{config:option} security.acls.default.egress.logged network-ovn-network-conf
:condition: "`security.acls`"
:defaultdesc: "`false`"
:shortdesc: "Whether to log egress traffic that doesn’t match any ACL rule"
:type: "bool"

```

```{config:option} security.acls.default.ingress.action network-ovn-network-conf
:condition: "`security.acls`"
:defaultdesc: "`reject`"
:shortdesc: "Default action to use for ingress traffic"
:type: "string"
The specified action is used for all ingress traffic that doesn’t match any ACL rule.
```

```{config:option} security.acls.default.ingress.logged network-ovn-network-conf
:condition: "`security.acls`"
:defaultdesc: "`false`"
:shortdesc: "Whether to log ingress traffic that doesn’t match any ACL rule"
:type: "bool"

```

```{config:option} user.* network-ovn-network-conf
:shortdesc: "User-provided free-form key/value pairs"
:type: "string"

```

<!-- config group network-ovn-network-conf end -->
<!-- config group network-peering-peering-properties start -->
```{config:option} config network-peering-peering-properties
:required: "no"
:shortdesc: "User-provided free-form key/value pairs"
:type: "string set"
The only supported keys are `user.*` custom keys.
```

```{config:option} description network-peering-peering-properties
:required: "no"
:shortdesc: "Description of the network peering"
:type: "string"

```

```{config:option} name network-peering-peering-properties
:required: "yes"
:shortdesc: "Name of the network peering on the local network"
:type: "string"

```

```{config:option} status network-peering-peering-properties
:required: "--"
:shortdesc: "Status indicating if pending or created"
:type: "string"
Indicates if mutual peering exists with the target network.
This property is read-only and cannot be updated.
```

```{config:option} target_network network-peering-peering-properties
:required: "yes"
:shortdesc: "Which network to create a peering with"
:type: "string"
This option must be set at create time.
```

```{config:option} target_project network-peering-peering-properties
:required: "yes"
:shortdesc: "Which project the target network exists in"
:type: "string"
This option must be set at create time.
```

<!-- config group network-peering-peering-properties end -->
<!-- config group network-physical-network-conf start -->
```{config:option} bgp.peers.NAME.address network-physical-network-conf
:condition: "BGP server"
:scope: "global"
:shortdesc: "Peer address for use by `ovn` downstream networks"
:type: "string"
The address can be IPv4 or IPv6.
```

```{config:option} bgp.peers.NAME.asn network-physical-network-conf
:condition: "BGP server"
:scope: "global"
:shortdesc: "Peer AS number for use by `ovn` downstream networks"
:type: "integer"

```

```{config:option} bgp.peers.NAME.holdtime network-physical-network-conf
:condition: "BGP server"
:defaultdesc: "`180`"
:required: "no"
:scope: "global"
:shortdesc: "Peer session hold time"
:type: "integer"
Specify the peer session hold time in seconds.
```

```{config:option} bgp.peers.NAME.password network-physical-network-conf
:condition: "BGP server"
:defaultdesc: "(no password)"
:required: "no"
:scope: "global"
:shortdesc: "Peer session password for use by `ovn` downstream networks"
:type: "string"

```

```{config:option} dns.nameservers network-physical-network-conf
:condition: "standard mode"
:scope: "global"
:shortdesc: "DNS server IPs on physical network"
:type: "string"
Specify a list of DNS server IPs.
```

```{config:option} gvrp network-physical-network-conf
:defaultdesc: "`false`"
:scope: "global"
:shortdesc: "Whether to use GARP VLAN Registration Protocol"
:type: "bool"
This option specifies whether to register the VLAN using the GARP VLAN Registration Protocol.
```

```{config:option} ipv4.gateway network-physical-network-conf
:condition: "standard mode"
:scope: "global"
:shortdesc: "IPv4 address for the gateway and network"
:type: "string"
Use CIDR notation.
```

```{config:option} ipv4.ovn.ranges network-physical-network-conf
:scope: "global"
:shortdesc: "IPv4 ranges to use for child OVN network routers"
:type: "string"
Specify a comma-separated list of IPv4 ranges in FIRST-LAST format.
```

```{config:option} ipv4.routes network-physical-network-conf
:condition: "IPv4 address"
:scope: "global"
:shortdesc: "Additional IPv4 CIDR subnets"
:type: "string"
Specify a comma-separated list of IPv4 CIDR subnets that can be used with child OVN network forwarders, load-balancers and the {config:option}`device-nic-ovn-device-conf:ipv4.routes.external` setting.
```

```{config:option} ipv4.routes.anycast network-physical-network-conf
:condition: "IPv4 address"
:defaultdesc: "`false`"
:scope: "global"
:shortdesc: "Whether to allow IPv4 routes on multiple networks/NICs"
:type: "bool"
If set to `true`, this option allows the overlapping routes to be used on multiple networks/NICs at the same time.
```

```{config:option} ipv6.gateway network-physical-network-conf
:condition: "standard mode"
:scope: "global"
:shortdesc: "IPv6 address for the gateway and network"
:type: "string"
Use CIDR notation.
```

```{config:option} ipv6.ovn.ranges network-physical-network-conf
:scope: "global"
:shortdesc: "IPv6 ranges to use for child OVN network routers"
:type: "string"
Specify a comma-separated list of IPv6 ranges in FIRST-LAST format.
```

```{config:option} ipv6.routes network-physical-network-conf
:condition: "IPv6 address"
:scope: "global"
:shortdesc: "Additional IPv6 CIDR subnets"
:type: "string"
Specify a comma-separated list of IPv6 CIDR subnets that can be used with child OVN network forwarders, load-balancers and the {config:option}`device-nic-ovn-device-conf:ipv6.routes.external` setting.
```

```{config:option} ipv6.routes.anycast network-physical-network-conf
:condition: "IPv6 address"
:defaultdesc: "`false`"
:scope: "global"
:shortdesc: "Whether to allow IPv6 routes on multiple networks/NICs"
:type: "bool"
If set to `true`, this option allows the overlapping routes to be used on multiple networks/NICs at the same time.
```

```{config:option} maas.subnet.ipv4 network-physical-network-conf
:condition: "IPv4 address; using the `network` property on the NIC"
:scope: "global"
:shortdesc: "MAAS IPv4 subnet to register instances in"
:type: "string"

```

```{config:option} maas.subnet.ipv6 network-physical-network-conf
:condition: "IPv6 address; using the `network` property on the NIC"
:scope: "global"
:shortdesc: "MAAS IPv6 subnet to register instances in"
:type: "string"

```

```{config:option} mtu network-physical-network-conf
:scope: "global"
:shortdesc: "MTU of the new interface"
:type: "integer"

```

```{config:option} ovn.ingress_mode network-physical-network-conf
:condition: "standard mode"
:defaultdesc: "`l2proxy`"
:scope: "global"
:shortdesc: "How OVN NIC external IPs are advertised on uplink network"
:type: "string"
Possible values are `l2proxy` (proxy ARP/NDP) and `routed`.
```

```{config:option} parent network-physical-network-conf
:scope: "local"
:shortdesc: "Existing interface to use for network"
:type: "string"

```

```{config:option} user.* network-physical-network-conf
:scope: "global"
:shortdesc: "User-provided free-form key/value pairs"
:type: "string"

```

```{config:option} vlan network-physical-network-conf
:scope: "global"
:shortdesc: "VLAN ID to attach to"
:type: "integer"

```

<!-- config group network-physical-network-conf end -->
<!-- config group network-sriov-network-conf start -->
```{config:option} maas.subnet.ipv4 network-sriov-network-conf
:condition: "IPv4 address; using the `network` property on the NIC"
:scope: "global"
:shortdesc: "MAAS IPv4 subnet to register instances in"
:type: "string"

```

```{config:option} maas.subnet.ipv6 network-sriov-network-conf
:condition: "IPv6 address; using the `network` property on the NIC"
:scope: "global"
:shortdesc: "MAAS IPv6 subnet to register instances in"
:type: "string"

```

```{config:option} mtu network-sriov-network-conf
:scope: "global"
:shortdesc: "MTU of the new interface"
:type: "integer"

```

```{config:option} parent network-sriov-network-conf
:scope: "local"
:shortdesc: "Parent interface to create `sriov` NICs on"
:type: "string"

```

```{config:option} user.* network-sriov-network-conf
:scope: "global"
:shortdesc: "User-provided free-form key/value pairs"
:type: "string"

```

```{config:option} vlan network-sriov-network-conf
:scope: "global"
:shortdesc: "VLAN ID to attach to"
:type: "integer"

```

<!-- config group network-sriov-network-conf end -->
<!-- config group network-zone-config-options start -->
```{config:option} dns.nameservers network-zone-config-options
:required: "no"
:shortdesc: "Comma-separated list of DNS server FQDNs (for NS records)"
:type: "string set"

```

```{config:option} network.nat network-zone-config-options
:defaultdesc: "`true`"
:required: "no"
:shortdesc: "Whether to generate records for NAT-ed subnets"
:type: "bool"

```

```{config:option} peers.NAME.address network-zone-config-options
:required: "no"
:shortdesc: "IP address of a DNS server"
:type: "string"

```

```{config:option} peers.NAME.key network-zone-config-options
:required: "no"
:shortdesc: "TSIG key for the server"
:type: "string"

```

```{config:option} user.* network-zone-config-options
:required: "no"
:shortdesc: "User-provided free-form key/value pairs"
:type: "string"

```

<!-- config group network-zone-config-options end -->
<!-- config group network-zone-record-properties start -->
```{config:option} config network-zone-record-properties
:required: "no"
:shortdesc: "User-provided free-form key/value pairs"
:type: "string set"
The only supported keys are `user.*` custom keys.
```

```{config:option} description network-zone-record-properties
:required: "no"
:shortdesc: "Description of the record"
:type: "string"

```

```{config:option} entries network-zone-record-properties
:required: "no"
:shortdesc: "List of DNS entries"
:type: "entry list"

```

```{config:option} name network-zone-record-properties
:required: "yes"
:shortdesc: "Unique name of the record"
:type: "string"

```

<!-- config group network-zone-record-properties end -->
<!-- config group project-features start -->
```{config:option} features.images project-features
:defaultdesc: "`false`"
:initialvaluedesc: "`true`"
:shortdesc: "Whether to use a separate set of images for the project"
:type: "bool"
This setting applies to both images and image aliases.
```

```{config:option} features.networks project-features
:defaultdesc: "`false`"
:initialvaluedesc: "`false`"
:shortdesc: "Whether to use a separate set of networks for the project"
:type: "bool"

```

```{config:option} features.networks.zones project-features
:defaultdesc: "`false`"
:initialvaluedesc: "`false`"
:shortdesc: "Whether to use a separate set of network zones for the project"
:type: "bool"

```

```{config:option} features.profiles project-features
:defaultdesc: "`false`"
:initialvaluedesc: "`true`"
:shortdesc: "Whether to use a separate set of profiles for the project"
:type: "bool"

```

```{config:option} features.storage.buckets project-features
:defaultdesc: "`false`"
:initialvaluedesc: "`true`"
:shortdesc: "Whether to use a separate set of storage buckets for the project"
:type: "bool"

```

```{config:option} features.storage.volumes project-features
:defaultdesc: "`false`"
:initialvaluedesc: "`true`"
:shortdesc: "Whether to use a separate set of storage volumes for the project"
:type: "bool"

```

<!-- config group project-features end -->
<!-- config group project-limits start -->
```{config:option} limits.containers project-limits
:shortdesc: "Maximum number of containers that can be created in the project"
:type: "integer"

```

```{config:option} limits.cpu project-limits
:shortdesc: "Maximum number of CPUs to use in the project"
:type: "integer"
This value is the maximum value for the sum of the individual {config:option}`instance-resource-limits:limits.cpu` configurations set on the instances of the project.
```

```{config:option} limits.disk project-limits
:shortdesc: "Maximum disk space used by the project"
:type: "string"
This value is the maximum value of the aggregate disk space used by all instance volumes, custom volumes, and images of the project.
```

```{config:option} limits.disk.pool.POOL_NAME project-limits
:shortdesc: "Maximum disk space used by the project on this pool"
:type: "string"
This value is the maximum value of the aggregate disk
space used by all instance volumes, custom volumes, and images of the
project on this specific storage pool.

When set to 0, the pool is excluded from the storage pool list for
the project.
```

```{config:option} limits.instances project-limits
:shortdesc: "Maximum number of instances that can be created in the project"
:type: "integer"

```

```{config:option} limits.memory project-limits
:shortdesc: "Usage limit for the host's memory for the project"
:type: "string"
The value is the maximum value for the sum of the individual {config:option}`instance-resource-limits:limits.memory` configurations set on the instances of the project.
```

```{config:option} limits.networks project-limits
:shortdesc: "Maximum number of networks that the project can have"
:type: "integer"

```

```{config:option} limits.networks.uplink_ips.ipv4.NETWORK_NAME project-limits
:shortdesc: "Quota of IPv4 addresses from a specified uplink network that can be used by entities in this project"
:type: "string"
Maximum number of IPv4 addresses that this project can consume from the specified uplink network.
This number of IPs can be consumed by networks, forwards and load balancers in this project.

```

```{config:option} limits.networks.uplink_ips.ipv6.NETWORK_NAME project-limits
:shortdesc: "Quota of IPv6 addresses from a specified uplink network that can be used by entities in this project"
:type: "string"
Maximum number of IPv6 addresses that this project can consume from the specified uplink network.
This number of IPs can be consumed by networks, forwards and load balancers in this project.

```

```{config:option} limits.processes project-limits
:shortdesc: "Maximum number of processes within the project"
:type: "integer"
This value is the maximum value for the sum of the individual {config:option}`instance-resource-limits:limits.processes` configurations set on the instances of the project.
```

```{config:option} limits.virtual-machines project-limits
:shortdesc: "Maximum number of VMs that can be created in the project"
:type: "integer"

```

<!-- config group project-limits end -->
<!-- config group project-restricted start -->
```{config:option} restricted project-restricted
:defaultdesc: "`false`"
:shortdesc: "Whether to block access to security-sensitive features"
:type: "bool"
This option must be enabled to allow the `restricted.*` keys to take effect.
To temporarily remove the restrictions, you can disable this option instead of clearing the related keys.
```

```{config:option} restricted.backups project-restricted
:defaultdesc: "`block`"
:shortdesc: "Whether to prevent creating instance or volume backups"
:type: "string"
Possible values are `allow` or `block`.
```

```{config:option} restricted.cluster.groups project-restricted
:shortdesc: "Cluster groups that can be targeted"
:type: "string"
If specified, this option prevents targeting cluster groups other than the provided ones.
```

```{config:option} restricted.cluster.target project-restricted
:defaultdesc: "`block`"
:shortdesc: "Whether to prevent targeting of cluster members"
:type: "string"
Possible values are `allow` or `block`.
When set to `allow`, this option allows targeting of cluster members (either directly or via a group) when creating or moving instances.
```

```{config:option} restricted.containers.interception project-restricted
:defaultdesc: "`block`"
:shortdesc: "Whether to prevent using system call interception options"
:type: "string"
Possible values are `allow`, `block`, or `full`.
When set to `allow`, interception options that are usually safe are allowed.
File system mounting remains blocked.
```

```{config:option} restricted.containers.lowlevel project-restricted
:defaultdesc: "`block`"
:shortdesc: "Whether to prevent using low-level container options"
:type: "string"
Possible values are `allow` or `block`.
When set to `allow`, low-level container options like {config:option}`instance-raw:raw.lxc`, {config:option}`instance-raw:raw.idmap`, `volatile.*`, etc. can be used.
```

```{config:option} restricted.containers.nesting project-restricted
:defaultdesc: "`block`"
:shortdesc: "Whether to prevent running nested LXD"
:type: "string"
Possible values are `allow` or `block`.
When set to `allow`, {config:option}`instance-security:security.nesting` can be set to `true` for an instance.
```

```{config:option} restricted.containers.privilege project-restricted
:defaultdesc: "`unprivileged`"
:shortdesc: "Which settings for privileged containers to prevent"
:type: "string"
Possible values are `unprivileged`, `isolated`, and `allow`.

- When set to `unprivileged`, this option prevents setting {config:option}`instance-security:security.privileged` to `true`.
- When set to `isolated`, this option prevents setting {config:option}`instance-security:security.privileged` to `true` and forces using a unique idmap per container using {config:option}`instance-security:security.idmap.isolated` set to `true`.
- When set to `allow`, there is no restriction.
```

````{config:option} restricted.devices.disk project-restricted
:defaultdesc: "`managed`"
:shortdesc: "Which disk devices can be used"
:type: "string"
Possible values are `allow`, `block`, or `managed`.

- When set to `block`, this option prevents using all disk devices except the root one.
- When set to `managed`, this option allows using disk devices only if `pool=` is set.
- When set to `allow`, there is no restriction on which disk devices can be used.

  ```{important}
  When allowing all disk devices, make sure to set
  {config:option}`project-restricted:restricted.devices.disk.paths` to a list of
  path prefixes that you want to allow.
  If you do not restrict the allowed paths, users can attach any disk device, including
  shifted devices (`disk` devices with [`shift`](devices-disk-options) set to `true`),
  which can be used to gain root access to the system.
  ```
````

```{config:option} restricted.devices.disk.paths project-restricted
:shortdesc: "Which `source` can be used for `disk` devices"
:type: "string"
If {config:option}`project-restricted:restricted.devices.disk` is set to `allow`, this option controls which `source` can be used for `disk` devices.
Specify a comma-separated list of path prefixes that restrict the `source` setting.
If this option is left empty, all paths are allowed.
```

```{config:option} restricted.devices.gpu project-restricted
:defaultdesc: "`block`"
:shortdesc: "Whether to prevent using devices of type `gpu`"
:type: "string"
Possible values are `allow` or `block`.
```

```{config:option} restricted.devices.infiniband project-restricted
:defaultdesc: "`block`"
:shortdesc: "Whether to prevent using devices of type `infiniband`"
:type: "string"
Possible values are `allow` or `block`.
```

```{config:option} restricted.devices.nic project-restricted
:defaultdesc: "`managed`"
:shortdesc: "Which network devices can be used"
:type: "string"
Possible values are `allow`, `block`, or `managed`.

- When set to `block`, this option prevents using all network devices.
- When set to `managed`, this option allows using network devices only if `network=` is set.
- When set to `allow`, there is no restriction on which network devices can be used.
```

```{config:option} restricted.devices.pci project-restricted
:defaultdesc: "`block`"
:shortdesc: "Whether to prevent using devices of type `pci`"
:type: "string"
Possible values are `allow` or `block`.
```

```{config:option} restricted.devices.proxy project-restricted
:defaultdesc: "`block`"
:shortdesc: "Whether to prevent using devices of type `proxy`"
:type: "string"
Possible values are `allow` or `block`.
```

```{config:option} restricted.devices.unix-block project-restricted
:defaultdesc: "`block`"
:shortdesc: "Whether to prevent using devices of type `unix-block`"
:type: "string"
Possible values are `allow` or `block`.
```

```{config:option} restricted.devices.unix-char project-restricted
:defaultdesc: "`block`"
:shortdesc: "Whether to prevent using devices of type `unix-char`"
:type: "string"
Possible values are `allow` or `block`.
```

```{config:option} restricted.devices.unix-hotplug project-restricted
:defaultdesc: "`block`"
:shortdesc: "Whether to prevent using devices of type `unix-hotplug`"
:type: "string"
Possible values are `allow` or `block`.
```

```{config:option} restricted.devices.usb project-restricted
:defaultdesc: "`block`"
:shortdesc: "Whether to prevent using devices of type `usb`"
:type: "string"
Possible values are `allow` or `block`.
```

```{config:option} restricted.idmap.gid project-restricted
:shortdesc: "Which host GID ranges are allowed in `raw.idmap`"
:type: "string"
This option specifies the host GID ranges that are allowed in the instance's {config:option}`instance-raw:raw.idmap` setting.
```

```{config:option} restricted.idmap.uid project-restricted
:shortdesc: "Which host UID ranges are allowed in `raw.idmap`"
:type: "string"
This option specifies the host UID ranges that are allowed in the instance's {config:option}`instance-raw:raw.idmap` setting.
```

```{config:option} restricted.networks.access project-restricted
:shortdesc: "Which network names are allowed for use in this project"
:type: "string"
Specify a comma-delimited list of network names that are allowed for use in this project.
If this option is not set, all networks are accessible.

Note that this setting depends on the {config:option}`project-restricted:restricted.devices.nic` setting.
```

```{config:option} restricted.networks.subnets project-restricted
:defaultdesc: "`block`"
:shortdesc: "Which network subnets are allocated for use in this project"
:type: "string"
Specify a comma-delimited list of CIDR network routes from the uplink network's {config:option}`network-physical-network-conf:ipv4.routes` and {config:option}`network-physical-network-conf:ipv6.routes` that are allowed for use in this project.
Use the form `<uplink>:<subnet>`.

Example value: `lxdbr0:192.0.168.0/24,lxdbr0:10.1.19.5/32`
```

```{config:option} restricted.networks.uplinks project-restricted
:defaultdesc: "`block`"
:shortdesc: "Which network names can be used as uplink in this project"
:type: "string"
Specify a comma-delimited list of network names that can be used as uplink for networks in this project.
```

```{config:option} restricted.networks.zones project-restricted
:defaultdesc: "`block`"
:shortdesc: "Which network zones can be used in this project"
:type: "string"
Specify a comma-delimited list of network zones that can be used in this project (either the zones themselves or something under them).
```

```{config:option} restricted.snapshots project-restricted
:defaultdesc: "`block`"
:shortdesc: "Whether to prevent creating instance or volume snapshots"
:type: "string"

```

```{config:option} restricted.virtual-machines.lowlevel project-restricted
:defaultdesc: "`block`"
:shortdesc: "Whether to prevent using low-level VM options"
:type: "string"
Possible values are `allow` or `block`.
When set to `allow`, low-level VM options like {config:option}`instance-raw:raw.qemu`, `volatile.*`, etc. can be used.
```

<!-- config group project-restricted end -->
<!-- config group project-specific start -->
```{config:option} backups.compression_algorithm project-specific
:shortdesc: "Compression algorithm to use for backups"
:type: "string"
Specify which compression algorithm to use for backups in this project.
Possible values are `bzip2`, `gzip`, `lzma`, `xz`, or `none`.
```

```{config:option} images.auto_update_cached project-specific
:shortdesc: "Whether to automatically update cached images in the project"
:type: "bool"

```

```{config:option} images.auto_update_interval project-specific
:shortdesc: "Interval at which to look for updates to cached images"
:type: "integer"
Specify the interval in hours.
To disable looking for updates to cached images, set this option to `0`.
```

```{config:option} images.compression_algorithm project-specific
:shortdesc: "Compression algorithm to use for new images in the project"
:type: "string"
Possible values are `bzip2`, `gzip`, `lzma`, `xz`, or `none`.
```

```{config:option} images.default_architecture project-specific
:shortdesc: "Default architecture to use in a mixed-architecture cluster"
:type: "string"

```

```{config:option} images.remote_cache_expiry project-specific
:shortdesc: "When an unused cached remote image is flushed in the project"
:type: "integer"
Specify the number of days after which the unused cached image expires.
```

```{config:option} user.* project-specific
:shortdesc: "User-provided free-form key/value pairs"
:type: "string"

```

<!-- config group project-specific end -->
<!-- config group server-acme start -->
```{config:option} acme.agree_tos server-acme
:defaultdesc: "`false`"
:scope: "global"
:shortdesc: "Agree to ACME terms of service"
:type: "bool"

```

```{config:option} acme.ca_url server-acme
:defaultdesc: "`https://acme-v02.api.letsencrypt.org/directory`"
:scope: "global"
:shortdesc: "URL to the directory resource of the ACME service"
:type: "string"

```

```{config:option} acme.domain server-acme
:scope: "global"
:shortdesc: "Domain for which the certificate is issued"
:type: "string"

```

```{config:option} acme.email server-acme
:scope: "global"
:shortdesc: "Email address used for the account registration"
:type: "string"

```

<!-- config group server-acme end -->
<!-- config group server-cluster start -->
```{config:option} cluster.healing_threshold server-cluster
:defaultdesc: "`0`"
:scope: "global"
:shortdesc: "Threshold when to evacuate an offline cluster member"
:type: "integer"
Specify the number of seconds after which an offline cluster member is to be evacuated.
To disable evacuating offline members, set this option to `0`.
```

```{config:option} cluster.https_address server-cluster
:scope: "local"
:shortdesc: "Address to use for clustering traffic"
:type: "string"
See {ref}`cluster-https-address`.
```

```{config:option} cluster.images_minimal_replica server-cluster
:defaultdesc: "`3`"
:scope: "global"
:shortdesc: "Number of cluster members that replicate an image"
:type: "integer"
Specify the minimal number of cluster members that keep a copy of a particular image.
Set this option to `1` for no replication, or to `-1` to replicate images on all members.
```

```{config:option} cluster.join_token_expiry server-cluster
:defaultdesc: "`3H`"
:scope: "global"
:shortdesc: "Time after which a cluster join token expires"
:type: "string"

```

```{config:option} cluster.max_standby server-cluster
:defaultdesc: "`2`"
:scope: "global"
:shortdesc: "Number of database stand-by members"
:type: "integer"
Specify the maximum number of cluster members that are assigned the database stand-by role.
This must be a number between `0` and `5`.
```

```{config:option} cluster.max_voters server-cluster
:defaultdesc: "`3`"
:scope: "global"
:shortdesc: "Number of database voter members"
:type: "integer"
Specify the maximum number of cluster members that are assigned the database voter role.
This must be an odd number >= `3`.
```

```{config:option} cluster.offline_threshold server-cluster
:defaultdesc: "`20`"
:scope: "global"
:shortdesc: "Threshold when an unresponsive member is considered offline"
:type: "integer"
Specify the number of seconds after which an unresponsive member is considered offline.
```

<!-- config group server-cluster end -->
<!-- config group server-core start -->
```{config:option} core.bgp_address server-core
:scope: "local"
:shortdesc: "Address to bind the BGP server to"
:type: "string"
See {ref}`network-bgp`.
```

```{config:option} core.bgp_asn server-core
:scope: "global"
:shortdesc: "BGP Autonomous System Number for the local server"
:type: "string"

```

```{config:option} core.bgp_routerid server-core
:scope: "local"
:shortdesc: "A unique identifier for the BGP server"
:type: "string"
The identifier must be formatted as an IPv4 address.
```

```{config:option} core.debug_address server-core
:scope: "local"
:shortdesc: "Address to bind the [`pprof`](https://pkg.go.dev/net/http/pprof) debug server to (HTTP)"
:type: "string"

```

```{config:option} core.dns_address server-core
:scope: "local"
:shortdesc: "Address to bind the authoritative DNS server to"
:type: "string"
See {ref}`network-dns-server`.
```

```{config:option} core.https_address server-core
:scope: "local"
:shortdesc: "Address to bind for the remote API (HTTPS)"
:type: "string"
See {ref}`server-expose`.
```

```{config:option} core.https_allowed_credentials server-core
:defaultdesc: "`false`"
:scope: "global"
:shortdesc: "Whether to set `Access-Control-Allow-Credentials`"
:type: "bool"
If enabled, the `Access-Control-Allow-Credentials` HTTP header value is set to `true`.
```

```{config:option} core.https_allowed_headers server-core
:scope: "global"
:shortdesc: "`Access-Control-Allow-Headers` HTTP header value"
:type: "string"

```

```{config:option} core.https_allowed_methods server-core
:scope: "global"
:shortdesc: "`Access-Control-Allow-Methods` HTTP header value"
:type: "string"

```

```{config:option} core.https_allowed_origin server-core
:scope: "global"
:shortdesc: "`Access-Control-Allow-Origin` HTTP header value"
:type: "string"

```

```{config:option} core.https_trusted_proxy server-core
:scope: "global"
:shortdesc: "Trusted servers to provide the client's address"
:type: "string"
Specify a comma-separated list of IP addresses of trusted servers that provide the client's address through the proxy connection header.
```

```{config:option} core.metrics_address server-core
:scope: "local"
:shortdesc: "Address to bind the metrics server to (HTTPS)"
:type: "string"
See {ref}`metrics`.
```

```{config:option} core.metrics_authentication server-core
:defaultdesc: "`true`"
:scope: "global"
:shortdesc: "Whether to enforce authentication on the metrics endpoint"
:type: "bool"

```

```{config:option} core.proxy_http server-core
:scope: "global"
:shortdesc: "HTTP proxy to use"
:type: "string"
If this option is not specified, LXD falls back to the `HTTP_PROXY` environment variable (if set).
```

```{config:option} core.proxy_https server-core
:scope: "global"
:shortdesc: "HTTPS proxy to use"
:type: "string"
If this option is not specified, LXD falls back to the `HTTPS_PROXY` environment variable (if set).
```

```{config:option} core.proxy_ignore_hosts server-core
:scope: "global"
:shortdesc: "Hosts that don't need the proxy"
:type: "string"
Specify this option in a similar format to `NO_PROXY` (for example, `1.2.3.4,1.2.3.5`).

If this option is not specified, LXD falls back to the `NO_PROXY` environment variable (if set).
```

```{config:option} core.remote_token_expiry server-core
:defaultdesc: "no expiry"
:scope: "global"
:shortdesc: "Time after which a remote add token expires"
:type: "string"

```

```{config:option} core.shutdown_timeout server-core
:defaultdesc: "`5`"
:scope: "global"
:shortdesc: "How long to wait before shutdown"
:type: "integer"
Specify the number of minutes to wait for running operations to complete before the LXD server shuts down.
```

```{config:option} core.storage_buckets_address server-core
:scope: "local"
:shortdesc: "Address to bind the storage object server to (HTTPS)"
:type: "string"
See {ref}`howto-storage-buckets`.
```

```{config:option} core.syslog_socket server-core
:defaultdesc: "`false`"
:scope: "local"
:shortdesc: "Whether to enable the syslog unixgram socket listener"
:type: "bool"
Set this option to `true` to enable the syslog unixgram socket to receive log messages from external processes.
```

```{config:option} core.trust_ca_certificates server-core
:defaultdesc: "`false`"
:scope: "global"
:shortdesc: "Whether to automatically trust clients signed by the CA"
:type: "bool"

```

```{config:option} core.trust_password server-core
:scope: "global"
:shortdesc: "Password to be provided by clients to set up a trust"
:type: "string"

```

<!-- config group server-core end -->
<!-- config group server-images start -->
```{config:option} images.auto_update_cached server-images
:defaultdesc: "`true`"
:scope: "global"
:shortdesc: "Whether to automatically update cached images"
:type: "bool"

```

```{config:option} images.auto_update_interval server-images
:defaultdesc: "`6`"
:scope: "global"
:shortdesc: "Interval at which to look for updates to cached images"
:type: "integer"
Specify the interval in hours.
To disable looking for updates to cached images, set this option to `0`.
```

```{config:option} images.compression_algorithm server-images
:defaultdesc: "`gzip`"
:scope: "global"
:shortdesc: "Compression algorithm to use for new images"
:type: "string"
Possible values are `bzip2`, `gzip`, `lzma`, `xz`, or `none`.
```

```{config:option} images.default_architecture server-images
:shortdesc: "Default architecture to use in a mixed-architecture cluster"
:type: "string"

```

```{config:option} images.remote_cache_expiry server-images
:defaultdesc: "`10`"
:scope: "global"
:shortdesc: "When an unused cached remote image is flushed"
:type: "integer"
Specify the number of days after which the unused cached image expires.
```

<!-- config group server-images end -->
<!-- config group server-loki start -->
```{config:option} loki.api.ca_cert server-loki
:scope: "global"
:shortdesc: "CA certificate for the Loki server"
:type: "string"

```

```{config:option} loki.api.url server-loki
:scope: "global"
:shortdesc: "URL to the Loki server"
:type: "string"
Specify the protocol, name or IP, and port (for example, `https://loki.example.com:3100`). LXD automatically adds the `/loki/api/v1/push` suffix, so there's no need to add it here.
```

```{config:option} loki.auth.password server-loki
:scope: "global"
:shortdesc: "Password used for Loki authentication"
:type: "string"

```

```{config:option} loki.auth.username server-loki
:scope: "global"
:shortdesc: "User name used for Loki authentication"
:type: "string"

```

```{config:option} loki.instance server-loki
:defaultdesc: "Local server host name or cluster member name"
:scope: "global"
:shortdesc: "Name to use as the instance field in Loki events"
:type: "string"
This allows replacing the default instance value (server host name) by a more relevant value like a cluster identifier.
```

```{config:option} loki.labels server-loki
:scope: "global"
:shortdesc: "Labels for a Loki log entry"
:type: "string"
Specify a comma-separated list of values that should be used as labels for a Loki log entry.
```

```{config:option} loki.loglevel server-loki
:defaultdesc: "`info`"
:scope: "global"
:shortdesc: "Minimum log level to send to the Loki server"
:type: "string"

```

```{config:option} loki.types server-loki
:defaultdesc: "`lifecycle,logging`"
:scope: "global"
:shortdesc: "Events to send to the Loki server"
:type: "string"
Specify a comma-separated list of events to send to the Loki server.
The events can be any combination of `lifecycle`, `logging`, and `ovn`.
```

<!-- config group server-loki end -->
<!-- config group server-miscellaneous start -->
```{config:option} backups.compression_algorithm server-miscellaneous
:defaultdesc: "`gzip`"
:scope: "global"
:shortdesc: "Compression algorithm to use for backups"
:type: "string"
Possible values are `bzip2`, `gzip`, `lzma`, `xz`, or `none`.
```

```{config:option} instances.migration.stateful server-miscellaneous
:scope: "global"
:shortdesc: "Whether to set `migration.stateful` to `true` for the instances"
:type: "bool"
You can override this setting for relevant instances, either in the instance-specific configuration or through a profile.
```

```{config:option} instances.nic.host_name server-miscellaneous
:defaultdesc: "`random`"
:scope: "global"
:shortdesc: "How to set the host name for a NIC"
:type: "string"
Possible values are `random` and `mac`.

If set to `random`, use the random host interface name as the host name.
If set to `mac`, generate a host name in the form `lxd<mac_address>` (MAC without leading two digits).
```

```{config:option} instances.placement.scriptlet server-miscellaneous
:scope: "global"
:shortdesc: "Instance placement scriptlet for automatic instance placement"
:type: "string"
When using custom automatic instance placement logic, this option stores the scriptlet.
See {ref}`clustering-instance-placement-scriptlet` for more information.
```

```{config:option} maas.api.key server-miscellaneous
:scope: "global"
:shortdesc: "API key to manage MAAS"
:type: "string"

```

```{config:option} maas.api.url server-miscellaneous
:scope: "global"
:shortdesc: "URL of the MAAS server"
:type: "string"

```

```{config:option} maas.machine server-miscellaneous
:defaultdesc: "host name"
:scope: "local"
:shortdesc: "Name of this LXD host in MAAS"
:type: "string"

```

```{config:option} network.ovn.ca_cert server-miscellaneous
:defaultdesc: "Content of `/etc/ovn/ovn-central.crt` if present"
:scope: "global"
:shortdesc: "OVN SSL certificate authority"
:type: "string"

```

```{config:option} network.ovn.client_cert server-miscellaneous
:defaultdesc: "Content of `/etc/ovn/cert_host` if present"
:scope: "global"
:shortdesc: "OVN SSL client certificate"
:type: "string"

```

```{config:option} network.ovn.client_key server-miscellaneous
:defaultdesc: "Content of `/etc/ovn/key_host` if present"
:scope: "global"
:shortdesc: "OVN SSL client key"
:type: "string"

```

```{config:option} network.ovn.integration_bridge server-miscellaneous
:defaultdesc: "`br-int`"
:scope: "global"
:shortdesc: "OVS integration bridge to use for OVN networks"
:type: "string"

```

```{config:option} network.ovn.northbound_connection server-miscellaneous
:defaultdesc: "`unix:/var/run/ovn/ovnnb_db.sock`"
:scope: "global"
:shortdesc: "OVN northbound database connection string"
:type: "string"

```

```{config:option} storage.backups_volume server-miscellaneous
:scope: "local"
:shortdesc: "Volume to use to store backup tarballs"
:type: "string"
Specify the volume using the syntax `POOL/VOLUME`.
```

```{config:option} storage.images_volume server-miscellaneous
:scope: "local"
:shortdesc: "Volume to use to store the image tarballs"
:type: "string"
Specify the volume using the syntax `POOL/VOLUME`.
```

<!-- config group server-miscellaneous end -->
<!-- config group server-oidc start -->
```{config:option} oidc.audience server-oidc
:scope: "global"
:shortdesc: "Expected audience value for the application"
:type: "string"
This value is required by some providers.
```

```{config:option} oidc.client.id server-oidc
:scope: "global"
:shortdesc: "OpenID Connect client ID"
:type: "string"

```

```{config:option} oidc.client.secret server-oidc
:scope: "global"
:shortdesc: "OpenID Connect client secret"
:type: "string"

```

```{config:option} oidc.groups.claim server-oidc
:scope: "global"
:shortdesc: "A claim used for mapping identity provider groups to LXD groups"
:type: "string"
Specify a custom token claim to denote groups defined at the identity provider.
The contents of this claim can be mapped to LXD groups for managing access control.
The value of the claim is expected to be a JSON string array.
```

```{config:option} oidc.issuer server-oidc
:scope: "global"
:shortdesc: "OpenID Connect Discovery URL for the provider"
:type: "string"

```

```{config:option} oidc.scopes server-oidc
:scope: "global"
:shortdesc: "Space-separated list of OpenID Connect scopes"
:type: "space-delimited string"
A list of OpenID Connect scopes to request from the identity provider.
This must include the `openid` and `email` scopes.
The remaining optional scopes are `offline_access` and `profile`.
If you remove the `offline_access` scope, users might be required to log in more frequently.
If you remove the `profile` scope, user information may not be displayed in the LXD UI (or in `lxc auth identity` commands).
You may add additional scopes if this is required by your identity provider, or if necessary for configuration of {ref}`identity provider groups <identity-provider-groups>`.
```

<!-- config group server-oidc end -->
<!-- config group storage-btrfs-bucket-conf start -->
```{config:option} size storage-btrfs-bucket-conf
:condition: "appropriate driver"
:defaultdesc: "same as `volume.size`"
:scope: "local"
:shortdesc: "Size/quota of the storage bucket"
:type: "string"

```

<!-- config group storage-btrfs-bucket-conf end -->
<!-- config group storage-btrfs-pool-conf start -->
```{config:option} btrfs.mount_options storage-btrfs-pool-conf
:defaultdesc: "`user_subvol_rm_allowed`"
:scope: "global"
:shortdesc: "Mount options for block devices"
:type: "string"

```

```{config:option} size storage-btrfs-pool-conf
:defaultdesc: "auto (20% of free disk space, >= 5 GiB and <= 30 GiB)"
:scope: "local"
:shortdesc: "Size of the storage pool (for loop-based pools)"
:type: "string"
When creating loop-based pools, specify the size in bytes ({ref}`suffixes <instances-limit-units>` are supported).
You can increase the size to grow the storage pool.

The default (`auto`) creates a storage pool that uses 20% of the free disk space,
with a minimum of 5 GiB and a maximum of 30 GiB.
```

```{config:option} source storage-btrfs-pool-conf
:scope: "local"
:shortdesc: "Path to an existing block device, loop file, or Btrfs subvolume"
:type: "string"

```

```{config:option} source.wipe storage-btrfs-pool-conf
:defaultdesc: "`false`"
:scope: "local"
:shortdesc: "Whether to wipe the block device before creating the pool"
:type: "bool"
Set this option to `true` to wipe the block device specified in `source`
prior to creating the storage pool.
```

<!-- config group storage-btrfs-pool-conf end -->
<!-- config group storage-btrfs-volume-conf start -->
```{config:option} security.shared storage-btrfs-volume-conf
:condition: "virtual-machine or custom block volume"
:defaultdesc: "same as `volume.security.shared` or `false`"
:scope: "global"
:shortdesc: "Enable volume sharing"
:type: "bool"
Enabling this option allows sharing the volume across multiple instances despite the possibility of data loss.

```

```{config:option} security.shifted storage-btrfs-volume-conf
:condition: "custom volume"
:defaultdesc: "same as `volume.security.shifted` or `false`"
:scope: "global"
:shortdesc: "Enable ID shifting overlay"
:type: "bool"
Enabling this option allows attaching the volume to multiple isolated instances.
```

```{config:option} security.unmapped storage-btrfs-volume-conf
:condition: "custom volume"
:defaultdesc: "same as `volume.security.unmapped` or `false`"
:scope: "global"
:shortdesc: "Disable ID mapping for the volume"
:type: "bool"

```

```{config:option} size storage-btrfs-volume-conf
:condition: "appropriate driver"
:defaultdesc: "same as `volume.size`"
:scope: "global"
:shortdesc: "Size/quota of the storage volume"
:type: "string"

```

```{config:option} snapshots.expiry storage-btrfs-volume-conf
:condition: "custom volume"
:defaultdesc: "same as `volume.snapshots.expiry`"
:scope: "global"
:shortdesc: "When snapshots are to be deleted"
:type: "string"
Specify an expression like `1M 2H 3d 4w 5m 6y`.
```

```{config:option} snapshots.pattern storage-btrfs-volume-conf
:condition: "custom volume"
:defaultdesc: "same as `volume.snapshots.pattern` or `snap%d`"
:scope: "global"
:shortdesc: "Template for the snapshot name"
:type: "string"
You can specify a naming template that is used for scheduled snapshots and unnamed snapshots.

The `snapshots.pattern` option takes a Pongo2 template string to format the snapshot name.

To add a time stamp to the snapshot name, use the Pongo2 context variable `creation_date`.
Make sure to format the date in your template string to avoid forbidden characters in the snapshot name.
For example, set `snapshots.pattern` to `{{ creation_date|date:'2006-01-02_15-04-05' }}` to name the snapshots after their time of creation, down to the precision of a second.

Another way to avoid name collisions is to use the placeholder `%d` in the pattern.
For the first snapshot, the placeholder is replaced with `0`.
For subsequent snapshots, the existing snapshot names are taken into account to find the highest number at the placeholder's position.
This number is then incremented by one for the new name.
```

```{config:option} snapshots.schedule storage-btrfs-volume-conf
:condition: "custom volume"
:defaultdesc: "same as `snapshots.schedule`"
:scope: "global"
:shortdesc: "Schedule for automatic volume snapshots"
:type: "string"
Specify either a cron expression (`<minute> <hour> <dom> <month> <dow>`), a comma-separated list of schedule aliases (`@hourly`, `@daily`, `@midnight`, `@weekly`, `@monthly`, `@annually`, `@yearly`), or leave empty to disable automatic snapshots (the default).
```

```{config:option} volatile.idmap.last storage-btrfs-volume-conf
:condition: "filesystem"
:shortdesc: "JSON-serialized UID/GID map that has been applied to the volume"
:type: "string"

```

```{config:option} volatile.idmap.next storage-btrfs-volume-conf
:condition: "filesystem"
:shortdesc: "JSON-serialized UID/GID map that has been applied to the volume"
:type: "string"

```

```{config:option} volatile.uuid storage-btrfs-volume-conf
:defaultdesc: "random UUID"
:scope: "global"
:shortdesc: "The volume's UUID"
:type: "string"

```

<!-- config group storage-btrfs-volume-conf end -->
<!-- config group storage-ceph-pool-conf start -->
```{config:option} ceph.cluster_name storage-ceph-pool-conf
:defaultdesc: "`ceph`"
:scope: "global"
:shortdesc: "Name of the Ceph cluster in which to create new storage pools"
:type: "string"

```

```{config:option} ceph.osd.data_pool_name storage-ceph-pool-conf
:scope: "global"
:shortdesc: "Name of the OSD data pool"
:type: "string"

```

```{config:option} ceph.osd.pg_num storage-ceph-pool-conf
:defaultdesc: "`32`"
:scope: "global"
:shortdesc: "Number of placement groups for the OSD storage pool"
:type: "string"

```

```{config:option} ceph.osd.pool_name storage-ceph-pool-conf
:defaultdesc: "name of the pool"
:scope: "global"
:shortdesc: "Name of the OSD storage pool"
:type: "string"

```

```{config:option} ceph.osd.pool_size storage-ceph-pool-conf
:defaultdesc: "`3`"
:shortdesc: "Number of RADOS object replicas. Set to 1 for no replication."
:type: "string"
This option specifies the name for the file metadata OSD pool that should be used when
creating a file system automatically.
```

```{config:option} ceph.rbd.clone_copy storage-ceph-pool-conf
:defaultdesc: "`true`"
:scope: "global"
:shortdesc: "Whether to use RBD lightweight clones"
:type: "bool"
Enable this option to use RBD lightweight clones rather than full dataset copies.
```

```{config:option} ceph.rbd.du storage-ceph-pool-conf
:defaultdesc: "`true`"
:scope: "global"
:shortdesc: "Whether to use RBD `du`"
:type: "bool"
This option specifies whether to use RBD `du` to obtain disk usage data for stopped instances.
```

```{config:option} ceph.rbd.features storage-ceph-pool-conf
:defaultdesc: "`layering`"
:scope: "global"
:shortdesc: "Comma-separated list of RBD features to enable on the volumes"
:type: "string"

```

```{config:option} ceph.user.name storage-ceph-pool-conf
:defaultdesc: "`admin`"
:scope: "global"
:shortdesc: "The Ceph user to use when creating storage pools and volumes"
:type: "string"

```

```{config:option} source storage-ceph-pool-conf
:scope: "local"
:shortdesc: "Existing OSD storage pool to use"
:type: "string"

```

```{config:option} volatile.pool.pristine storage-ceph-pool-conf
:defaultdesc: "`true`"
:scope: "global"
:shortdesc: "Whether the pool was empty at creation time"
:type: "string"

```

<!-- config group storage-ceph-pool-conf end -->
<!-- config group storage-ceph-volume-conf start -->
```{config:option} block.filesystem storage-ceph-volume-conf
:condition: "block-based volume with content type `filesystem`"
:defaultdesc: "same as `volume.block.filesystem`"
:scope: "global"
:shortdesc: "File system of the storage volume"
:type: "string"
Valid options are: `btrfs`, `ext4`, `xfs`.
If not set, `ext4` is assumed.
```

```{config:option} block.mount_options storage-ceph-volume-conf
:condition: "block-based volume with content type `filesystem`"
:defaultdesc: "same as `volume.block.mount_options`"
:scope: "global"
:shortdesc: "Mount options for block-backed file system volumes"
:type: "string"

```

```{config:option} security.shared storage-ceph-volume-conf
:condition: "virtual-machine or custom block volume"
:defaultdesc: "same as `volume.security.shared` or `false`"
:scope: "global"
:shortdesc: "Enable volume sharing"
:type: "bool"
Enabling this option allows sharing the volume across multiple instances despite the possibility of data loss.

```

```{config:option} security.shifted storage-ceph-volume-conf
:condition: "custom volume"
:defaultdesc: "same as `volume.security.shifted` or `false`"
:scope: "global"
:shortdesc: "Enable ID shifting overlay"
:type: "bool"
Enabling this option allows attaching the volume to multiple isolated instances.
```

```{config:option} security.unmapped storage-ceph-volume-conf
:condition: "custom volume"
:defaultdesc: "same as `volume.security.unmapped` or `false`"
:scope: "global"
:shortdesc: "Disable ID mapping for the volume"
:type: "bool"

```

```{config:option} size storage-ceph-volume-conf
:condition: "appropriate driver"
:defaultdesc: "same as `volume.size`"
:scope: "global"
:shortdesc: "Size/quota of the storage volume"
:type: "string"

```

```{config:option} snapshots.expiry storage-ceph-volume-conf
:condition: "custom volume"
:defaultdesc: "same as `volume.snapshots.expiry`"
:scope: "global"
:shortdesc: "When snapshots are to be deleted"
:type: "string"
Specify an expression like `1M 2H 3d 4w 5m 6y`.
```

```{config:option} snapshots.pattern storage-ceph-volume-conf
:condition: "custom volume"
:defaultdesc: "same as `volume.snapshots.pattern` or `snap%d`"
:scope: "global"
:shortdesc: "Template for the snapshot name"
:type: "string"
You can specify a naming template that is used for scheduled snapshots and unnamed snapshots.

The `snapshots.pattern` option takes a Pongo2 template string to format the snapshot name.

To add a time stamp to the snapshot name, use the Pongo2 context variable `creation_date`.
Make sure to format the date in your template string to avoid forbidden characters in the snapshot name.
For example, set `snapshots.pattern` to `{{ creation_date|date:'2006-01-02_15-04-05' }}` to name the snapshots after their time of creation, down to the precision of a second.

Another way to avoid name collisions is to use the placeholder `%d` in the pattern.
For the first snapshot, the placeholder is replaced with `0`.
For subsequent snapshots, the existing snapshot names are taken into account to find the highest number at the placeholder's position.
This number is then incremented by one for the new name.
```

```{config:option} snapshots.schedule storage-ceph-volume-conf
:condition: "custom volume"
:defaultdesc: "same as `snapshots.schedule`"
:scope: "global"
:shortdesc: "Schedule for automatic volume snapshots"
:type: "string"
Specify either a cron expression (`<minute> <hour> <dom> <month> <dow>`), a comma-separated list of schedule aliases (`@hourly`, `@daily`, `@midnight`, `@weekly`, `@monthly`, `@annually`, `@yearly`), or leave empty to disable automatic snapshots (the default).
```

```{config:option} volatile.idmap.last storage-ceph-volume-conf
:condition: "filesystem"
:shortdesc: "JSON-serialized UID/GID map that has been applied to the volume"
:type: "string"

```

```{config:option} volatile.idmap.next storage-ceph-volume-conf
:condition: "filesystem"
:shortdesc: "JSON-serialized UID/GID map that has been applied to the volume"
:type: "string"

```

```{config:option} volatile.uuid storage-ceph-volume-conf
:defaultdesc: "random UUID"
:scope: "global"
:shortdesc: "The volume's UUID"
:type: "string"

```

<!-- config group storage-ceph-volume-conf end -->
<!-- config group storage-cephfs-pool-conf start -->
```{config:option} cephfs.cluster_name storage-cephfs-pool-conf
:defaultdesc: "`ceph`"
:scope: "global"
:shortdesc: "Name of the Ceph cluster that contains the CephFS file system"
:type: "string"

```

```{config:option} cephfs.create_missing storage-cephfs-pool-conf
:defaultdesc: "`false`"
:scope: "global"
:shortdesc: "Automatically create the CephFS file system"
:type: "bool"
Use this option if the CephFS file system does not exist yet.
LXD will then automatically create the file system and the missing data and metadata OSD pools.
```

```{config:option} cephfs.data_pool storage-cephfs-pool-conf
:scope: "global"
:shortdesc: "Data OSD pool name"
:type: "string"
This option specifies the name for the data OSD pool that should be used when creating
a file system automatically.
```

```{config:option} cephfs.fscache storage-cephfs-pool-conf
:defaultdesc: "`false`"
:scope: "global"
:shortdesc: "Enable use of kernel `fscache` and `cachefilesd`"
:type: "bool"

```

```{config:option} cephfs.meta_pool storage-cephfs-pool-conf
:scope: "global"
:shortdesc: "Metadata OSD pool name"
:type: "string"
This option specifies the name for the file metadata OSD pool that should be used when
creating a file system automatically.
```

```{config:option} cephfs.osd_pg_num storage-cephfs-pool-conf
:scope: "global"
:shortdesc: "Number of placement groups when creating missing OSD pools"
:type: "string"
This option specifies the number of OSD pool placement groups (`pg_num`) to use
when creating a missing OSD pool.
```

```{config:option} cephfs.osd_pool_size storage-cephfs-pool-conf
:defaultdesc: "`3`"
:shortdesc: "Number of RADOS object replicas. Set to 1 for no replication."
:type: "string"
This option specifies the number of OSD pool replicas to use
when creating an OSD pool.
```

```{config:option} cephfs.path storage-cephfs-pool-conf
:defaultdesc: "`/`"
:scope: "global"
:shortdesc: "The base path for the CephFS mount"
:type: "string"

```

```{config:option} cephfs.user.name storage-cephfs-pool-conf
:defaultdesc: "`admin`"
:scope: "global"
:shortdesc: "The Ceph user to use"
:type: "string"

```

```{config:option} source storage-cephfs-pool-conf
:scope: "local"
:shortdesc: "Existing CephFS file system or file system path to use"
:type: "string"

```

```{config:option} volatile.pool.pristine storage-cephfs-pool-conf
:defaultdesc: "`true`"
:scope: "global"
:shortdesc: "Whether the CephFS file system was empty at creation time"
:type: "string"

```

<!-- config group storage-cephfs-pool-conf end -->
<!-- config group storage-cephfs-volume-conf start -->
```{config:option} security.shifted storage-cephfs-volume-conf
:condition: "custom volume"
:defaultdesc: "same as `volume.security.shifted` or `false`"
:scope: "global"
:shortdesc: "Enable ID shifting overlay"
:type: "bool"
Enabling this option allows attaching the volume to multiple isolated instances.
```

```{config:option} security.unmapped storage-cephfs-volume-conf
:condition: "custom volume"
:defaultdesc: "same as `volume.security.unmapped` or `false`"
:scope: "global"
:shortdesc: "Disable ID mapping for the volume"
:type: "bool"

```

```{config:option} size storage-cephfs-volume-conf
:condition: "appropriate driver"
:defaultdesc: "same as `volume.size`"
:scope: "global"
:shortdesc: "Size/quota of the storage volume"
:type: "string"

```

```{config:option} snapshots.expiry storage-cephfs-volume-conf
:condition: "custom volume"
:defaultdesc: "same as `volume.snapshots.expiry`"
:scope: "global"
:shortdesc: "When snapshots are to be deleted"
:type: "string"
Specify an expression like `1M 2H 3d 4w 5m 6y`.
```

```{config:option} snapshots.pattern storage-cephfs-volume-conf
:condition: "custom volume"
:defaultdesc: "same as `volume.snapshots.pattern` or `snap%d`"
:scope: "global"
:shortdesc: "Template for the snapshot name"
:type: "string"
You can specify a naming template that is used for scheduled snapshots and unnamed snapshots.

The `snapshots.pattern` option takes a Pongo2 template string to format the snapshot name.

To add a time stamp to the snapshot name, use the Pongo2 context variable `creation_date`.
Make sure to format the date in your template string to avoid forbidden characters in the snapshot name.
For example, set `snapshots.pattern` to `{{ creation_date|date:'2006-01-02_15-04-05' }}` to name the snapshots after their time of creation, down to the precision of a second.

Another way to avoid name collisions is to use the placeholder `%d` in the pattern.
For the first snapshot, the placeholder is replaced with `0`.
For subsequent snapshots, the existing snapshot names are taken into account to find the highest number at the placeholder's position.
This number is then incremented by one for the new name.
```

```{config:option} snapshots.schedule storage-cephfs-volume-conf
:condition: "custom volume"
:defaultdesc: "same as `snapshots.schedule`"
:scope: "global"
:shortdesc: "Schedule for automatic volume snapshots"
:type: "string"
Specify either a cron expression (`<minute> <hour> <dom> <month> <dow>`), a comma-separated list of schedule aliases (`@hourly`, `@daily`, `@midnight`, `@weekly`, `@monthly`, `@annually`, `@yearly`), or leave empty to disable automatic snapshots (the default).
```

```{config:option} volatile.idmap.last storage-cephfs-volume-conf
:condition: "filesystem"
:shortdesc: "JSON-serialized UID/GID map that has been applied to the volume"
:type: "string"

```

```{config:option} volatile.idmap.next storage-cephfs-volume-conf
:condition: "filesystem"
:shortdesc: "JSON-serialized UID/GID map that has been applied to the volume"
:type: "string"

```

```{config:option} volatile.uuid storage-cephfs-volume-conf
:defaultdesc: "random UUID"
:scope: "global"
:shortdesc: "The volume's UUID"
:type: "string"

```

<!-- config group storage-cephfs-volume-conf end -->
<!-- config group storage-cephobject-bucket-conf start -->
```{config:option} size storage-cephobject-bucket-conf
:scope: "local"
:shortdesc: "Quota of the storage bucket"
:type: "string"

```

<!-- config group storage-cephobject-bucket-conf end -->
<!-- config group storage-cephobject-pool-conf start -->
```{config:option} cephobject.bucket.name_prefix storage-cephobject-pool-conf
:scope: "global"
:shortdesc: "Prefix to add to bucket names in Ceph"
:type: "string"

```

```{config:option} cephobject.cluster_name storage-cephobject-pool-conf
:scope: "global"
:shortdesc: "The Ceph cluster to use"
:type: "string"

```

```{config:option} cephobject.radosgw.endpoint storage-cephobject-pool-conf
:scope: "global"
:shortdesc: "URL of the `radosgw` gateway process"
:type: "string"

```

```{config:option} cephobject.radosgw.endpoint_cert_file storage-cephobject-pool-conf
:scope: "global"
:shortdesc: "TLS client certificate to use for endpoint communication"
:type: "string"
Specify the path to the file that contains the TLS client certificate.
```

```{config:option} cephobject.user.name storage-cephobject-pool-conf
:defaultdesc: "`admin`"
:scope: "global"
:shortdesc: "The Ceph user to use"
:type: "string"

```

```{config:option} volatile.pool.pristine storage-cephobject-pool-conf
:defaultdesc: "`true`"
:scope: "global"
:shortdesc: "Whether the `radosgw` `lxd-admin` user existed at creation time"
:type: "string"

```

<!-- config group storage-cephobject-pool-conf end -->
<!-- config group storage-dir-pool-conf start -->
```{config:option} rsync.bwlimit storage-dir-pool-conf
:defaultdesc: "`0` (no limit)"
:scope: "global"
:shortdesc: "Upper limit on the socket I/O for `rsync`"
:type: "string"
When `rsync` must be used to transfer storage entities, this option specifies the upper limit
to be placed on the socket I/O.
```

```{config:option} rsync.compression storage-dir-pool-conf
:defaultdesc: "`true`"
:scope: "global"
:shortdesc: "Whether to use compression while migrating storage pools"
:type: "bool"

```

```{config:option} source storage-dir-pool-conf
:scope: "local"
:shortdesc: "Path to an existing directory"
:type: "string"

```

<!-- config group storage-dir-pool-conf end -->
<!-- config group storage-dir-volume-conf start -->
```{config:option} security.shared storage-dir-volume-conf
:condition: "virtual-machine or custom block volume"
:defaultdesc: "same as `volume.security.shared` or `false`"
:scope: "global"
:shortdesc: "Enable volume sharing"
:type: "bool"
Enabling this option allows sharing the volume across multiple instances despite the possibility of data loss.

```

```{config:option} security.shifted storage-dir-volume-conf
:condition: "custom volume"
:defaultdesc: "same as `volume.security.shifted` or `false`"
:scope: "global"
:shortdesc: "Enable ID shifting overlay"
:type: "bool"
Enabling this option allows attaching the volume to multiple isolated instances.
```

```{config:option} security.unmapped storage-dir-volume-conf
:condition: "custom volume"
:defaultdesc: "same as `volume.security.unmapped` or `false`"
:scope: "global"
:shortdesc: "Disable ID mapping for the volume"
:type: "bool"

```

```{config:option} size storage-dir-volume-conf
:condition: "appropriate driver"
:defaultdesc: "same as `volume.size`"
:scope: "global"
:shortdesc: "Size/quota of the storage volume"
:type: "string"

```

```{config:option} snapshots.expiry storage-dir-volume-conf
:condition: "custom volume"
:defaultdesc: "same as `volume.snapshots.expiry`"
:scope: "global"
:shortdesc: "When snapshots are to be deleted"
:type: "string"
Specify an expression like `1M 2H 3d 4w 5m 6y`.
```

```{config:option} snapshots.pattern storage-dir-volume-conf
:condition: "custom volume"
:defaultdesc: "same as `volume.snapshots.pattern` or `snap%d`"
:scope: "global"
:shortdesc: "Template for the snapshot name"
:type: "string"
You can specify a naming template that is used for scheduled snapshots and unnamed snapshots.

The `snapshots.pattern` option takes a Pongo2 template string to format the snapshot name.

To add a time stamp to the snapshot name, use the Pongo2 context variable `creation_date`.
Make sure to format the date in your template string to avoid forbidden characters in the snapshot name.
For example, set `snapshots.pattern` to `{{ creation_date|date:'2006-01-02_15-04-05' }}` to name the snapshots after their time of creation, down to the precision of a second.

Another way to avoid name collisions is to use the placeholder `%d` in the pattern.
For the first snapshot, the placeholder is replaced with `0`.
For subsequent snapshots, the existing snapshot names are taken into account to find the highest number at the placeholder's position.
This number is then incremented by one for the new name.
```

```{config:option} snapshots.schedule storage-dir-volume-conf
:condition: "custom volume"
:defaultdesc: "same as `snapshots.schedule`"
:scope: "global"
:shortdesc: "Schedule for automatic volume snapshots"
:type: "string"
Specify either a cron expression (`<minute> <hour> <dom> <month> <dow>`), a comma-separated list of schedule aliases (`@hourly`, `@daily`, `@midnight`, `@weekly`, `@monthly`, `@annually`, `@yearly`), or leave empty to disable automatic snapshots (the default).
```

```{config:option} volatile.idmap.last storage-dir-volume-conf
:condition: "filesystem"
:shortdesc: "JSON-serialized UID/GID map that has been applied to the volume"
:type: "string"

```

```{config:option} volatile.idmap.next storage-dir-volume-conf
:condition: "filesystem"
:shortdesc: "JSON-serialized UID/GID map that has been applied to the volume"
:type: "string"

```

```{config:option} volatile.uuid storage-dir-volume-conf
:defaultdesc: "random UUID"
:scope: "global"
:shortdesc: "The volume's UUID"
:type: "string"

```

<!-- config group storage-dir-volume-conf end -->
<!-- config group storage-lvm-bucket-conf start -->
```{config:option} size storage-lvm-bucket-conf
:condition: "appropriate driver"
:defaultdesc: "same as `volume.size`"
:scope: "local"
:shortdesc: "Size/quota of the storage bucket"
:type: "string"

```

<!-- config group storage-lvm-bucket-conf end -->
<!-- config group storage-lvm-pool-conf start -->
```{config:option} lvm.thinpool_metadata_size storage-lvm-pool-conf
:defaultdesc: "`0` (auto)"
:scope: "global"
:shortdesc: "The size of the thin pool metadata volume"
:type: "string"
By default, LVM calculates an appropriate size.
```

```{config:option} lvm.thinpool_name storage-lvm-pool-conf
:defaultdesc: "`LXDThinPool`"
:scope: "local"
:shortdesc: "Thin pool where volumes are created"
:type: "string"

```

```{config:option} lvm.use_thinpool storage-lvm-pool-conf
:defaultdesc: "`true`"
:scope: "global"
:shortdesc: "Whether the storage pool uses a thin pool for logical volumes"
:type: "bool"

```

```{config:option} lvm.vg.force_reuse storage-lvm-pool-conf
:defaultdesc: "`false`"
:scope: "global"
:shortdesc: "Force using an existing non-empty volume group"
:type: "bool"

```

```{config:option} lvm.vg_name storage-lvm-pool-conf
:defaultdesc: "name of the pool"
:scope: "local"
:shortdesc: "Name of the volume group to create"
:type: "string"

```

```{config:option} rsync.bwlimit storage-lvm-pool-conf
:defaultdesc: "`0` (no limit)"
:scope: "global"
:shortdesc: "Upper limit on the socket I/O for `rsync`"
:type: "string"
When `rsync` must be used to transfer storage entities, this option specifies the upper limit
to be placed on the socket I/O.
```

```{config:option} rsync.compression storage-lvm-pool-conf
:defaultdesc: "`true`"
:scope: "global"
:shortdesc: "Whether to use compression while migrating storage pools"
:type: "bool"

```

```{config:option} size storage-lvm-pool-conf
:defaultdesc: "auto (20% of free disk space, >= 5 GiB and <= 30 GiB)"
:scope: "local"
:shortdesc: "Size of the storage pool (for loop-based pools)"
:type: "string"
When creating loop-based pools, specify the size in bytes ({ref}`suffixes <instances-limit-units>` are supported).
You can increase the size to grow the storage pool.

The default (`auto`) creates a storage pool that uses 20% of the free disk space,
with a minimum of 5 GiB and a maximum of 30 GiB.
```

```{config:option} source storage-lvm-pool-conf
:scope: "local"
:shortdesc: "Path to an existing block device, loop file, or LVM volume group"
:type: "string"

```

```{config:option} source.wipe storage-lvm-pool-conf
:defaultdesc: "`false`"
:scope: "local"
:shortdesc: "Whether to wipe the block device before creating the pool"
:type: "bool"
Set this option to `true` to wipe the block device specified in `source`
prior to creating the storage pool.
```

<!-- config group storage-lvm-pool-conf end -->
<!-- config group storage-lvm-volume-conf start -->
```{config:option} block.filesystem storage-lvm-volume-conf
:condition: "block-based volume with content type `filesystem`"
:defaultdesc: "same as `volume.block.filesystem`"
:scope: "global"
:shortdesc: "File system of the storage volume"
:type: "string"
Valid options are: `btrfs`, `ext4`, `xfs`.
If not set, `ext4` is assumed.
```

```{config:option} block.mount_options storage-lvm-volume-conf
:condition: "block-based volume with content type `filesystem`"
:defaultdesc: "same as `volume.block.mount_options`"
:scope: "global"
:shortdesc: "Mount options for block-backed file system volumes"
:type: "string"

```

```{config:option} lvm.stripes storage-lvm-volume-conf
:defaultdesc: "same as `volume.lvm.stripes`"
:scope: "global"
:shortdesc: "Number of stripes to use for new volumes (or thin pool volume)"
:type: "string"

```

```{config:option} lvm.stripes.size storage-lvm-volume-conf
:defaultdesc: "same as `volume.lvm.stripes.size`"
:scope: "global"
:shortdesc: "Size of stripes to use"
:type: "string"
The size must be at least 4096 bytes, and a multiple of 512 bytes.
```

```{config:option} security.shared storage-lvm-volume-conf
:condition: "virtual-machine or custom block volume"
:defaultdesc: "same as `volume.security.shared` or `false`"
:scope: "global"
:shortdesc: "Enable volume sharing"
:type: "bool"
Enabling this option allows sharing the volume across multiple instances despite the possibility of data loss.

```

```{config:option} security.shifted storage-lvm-volume-conf
:condition: "custom volume"
:defaultdesc: "same as `volume.security.shifted` or `false`"
:scope: "global"
:shortdesc: "Enable ID shifting overlay"
:type: "bool"
Enabling this option allows attaching the volume to multiple isolated instances.
```

```{config:option} security.unmapped storage-lvm-volume-conf
:condition: "custom volume"
:defaultdesc: "same as `volume.security.unmapped` or `false`"
:scope: "global"
:shortdesc: "Disable ID mapping for the volume"
:type: "bool"

```

```{config:option} size storage-lvm-volume-conf
:condition: "appropriate driver"
:defaultdesc: "same as `volume.size`"
:scope: "global"
:shortdesc: "Size/quota of the storage volume"
:type: "string"

```

```{config:option} snapshots.expiry storage-lvm-volume-conf
:condition: "custom volume"
:defaultdesc: "same as `volume.snapshots.expiry`"
:scope: "global"
:shortdesc: "When snapshots are to be deleted"
:type: "string"
Specify an expression like `1M 2H 3d 4w 5m 6y`.
```

```{config:option} snapshots.pattern storage-lvm-volume-conf
:condition: "custom volume"
:defaultdesc: "same as `volume.snapshots.pattern` or `snap%d`"
:scope: "global"
:shortdesc: "Template for the snapshot name"
:type: "string"
You can specify a naming template that is used for scheduled snapshots and unnamed snapshots.

The `snapshots.pattern` option takes a Pongo2 template string to format the snapshot name.

To add a time stamp to the snapshot name, use the Pongo2 context variable `creation_date`.
Make sure to format the date in your template string to avoid forbidden characters in the snapshot name.
For example, set `snapshots.pattern` to `{{ creation_date|date:'2006-01-02_15-04-05' }}` to name the snapshots after their time of creation, down to the precision of a second.

Another way to avoid name collisions is to use the placeholder `%d` in the pattern.
For the first snapshot, the placeholder is replaced with `0`.
For subsequent snapshots, the existing snapshot names are taken into account to find the highest number at the placeholder's position.
This number is then incremented by one for the new name.
```

```{config:option} snapshots.schedule storage-lvm-volume-conf
:condition: "custom volume"
:defaultdesc: "same as `snapshots.schedule`"
:scope: "global"
:shortdesc: "Schedule for automatic volume snapshots"
:type: "string"
Specify either a cron expression (`<minute> <hour> <dom> <month> <dow>`), a comma-separated list of schedule aliases (`@hourly`, `@daily`, `@midnight`, `@weekly`, `@monthly`, `@annually`, `@yearly`), or leave empty to disable automatic snapshots (the default).
```

```{config:option} volatile.idmap.last storage-lvm-volume-conf
:condition: "filesystem"
:shortdesc: "JSON-serialized UID/GID map that has been applied to the volume"
:type: "string"

```

```{config:option} volatile.idmap.next storage-lvm-volume-conf
:condition: "filesystem"
:shortdesc: "JSON-serialized UID/GID map that has been applied to the volume"
:type: "string"

```

```{config:option} volatile.uuid storage-lvm-volume-conf
:defaultdesc: "random UUID"
:scope: "global"
:shortdesc: "The volume's UUID"
:type: "string"

```

<!-- config group storage-lvm-volume-conf end -->
<!-- config group storage-powerflex-pool-conf start -->
```{config:option} powerflex.clone_copy storage-powerflex-pool-conf
:defaultdesc: "`true`"
:scope: "global"
:shortdesc: "Whether to use non-sparse copies for snapshots"
:type: "bool"
If this option is set to `true`, PowerFlex makes a non-sparse copy when creating a snapshot of an instance or custom volume.
See {ref}`storage-powerflex-limitations` for more information.
```

```{config:option} powerflex.domain storage-powerflex-pool-conf
:scope: "global"
:shortdesc: "Name of the PowerFlex protection domain"
:type: "string"
This option is required only if {config:option}`storage-powerflex-pool-conf:powerflex.pool` is specified using its name.
```

```{config:option} powerflex.gateway storage-powerflex-pool-conf
:scope: "global"
:shortdesc: "Address of the PowerFlex Gateway"
:type: "string"

```

```{config:option} powerflex.gateway.verify storage-powerflex-pool-conf
:defaultdesc: "`true`"
:scope: "global"
:shortdesc: "Whether to verify the PowerFlex Gateway's certificate"
:type: "bool"

```

```{config:option} powerflex.mode storage-powerflex-pool-conf
:defaultdesc: "the discovered mode"
:scope: "global"
:shortdesc: "How volumes are mapped to the local server"
:type: "string"
The mode gets discovered automatically if the system provides the necessary kernel modules.
This can be either `nvme` or `sdc`.
```

```{config:option} powerflex.pool storage-powerflex-pool-conf
:scope: "global"
:shortdesc: "ID of the PowerFlex storage pool"
:type: "string"
If you want to specify the storage pool via its name, also set {config:option}`storage-powerflex-pool-conf:powerflex.domain`.
```

```{config:option} powerflex.sdt storage-powerflex-pool-conf
:scope: "global"
:shortdesc: "Comma-separated list of PowerFlex NVMe/TCP SDTs"
:type: "string"

```

```{config:option} powerflex.user.name storage-powerflex-pool-conf
:defaultdesc: "`admin`"
:scope: "global"
:shortdesc: "User for PowerFlex Gateway authentication"
:type: "string"
The user must have at least the SystemAdmin role to give LXD full control over managed storage pools.
```

```{config:option} powerflex.user.password storage-powerflex-pool-conf
:scope: "global"
:shortdesc: "Password for PowerFlex Gateway authentication"
:type: "string"

```

```{config:option} rsync.bwlimit storage-powerflex-pool-conf
:defaultdesc: "`0` (no limit)"
:scope: "global"
:shortdesc: "Upper limit on the socket I/O for `rsync`"
:type: "string"
When `rsync` must be used to transfer storage entities, this option specifies the upper limit
to be placed on the socket I/O.
```

```{config:option} rsync.compression storage-powerflex-pool-conf
:defaultdesc: "`true`"
:scope: "global"
:shortdesc: "Whether to use compression while migrating storage pools"
:type: "bool"

```

```{config:option} volume.size storage-powerflex-pool-conf
:defaultdesc: "`8GiB`"
:scope: "global"
:shortdesc: "Size/quota of the storage volume"
:type: "string"
The size must be in multiples of 8 GiB.
See {ref}`storage-powerflex-limitations` for more information.
```

<!-- config group storage-powerflex-pool-conf end -->
<!-- config group storage-powerflex-volume-conf start -->
```{config:option} block.filesystem storage-powerflex-volume-conf
:condition: "block-based volume with content type `filesystem`"
:defaultdesc: "same as `volume.block.filesystem`"
:scope: "global"
:shortdesc: "File system of the storage volume"
:type: "string"
Valid options are: `btrfs`, `ext4`, `xfs`.
If not set, `ext4` is assumed.
```

```{config:option} block.mount_options storage-powerflex-volume-conf
:condition: "block-based volume with content type `filesystem`"
:defaultdesc: "same as `volume.block.mount_options`"
:scope: "global"
:shortdesc: "Mount options for block-backed file system volumes"
:type: "string"

```

```{config:option} block.type storage-powerflex-volume-conf
:defaultdesc: "same as `volume.block.type` or `thick`"
:scope: "global"
:shortdesc: "Whether to create a `thin` or `thick` provisioned volume"
:type: "string"

```

```{config:option} security.shared storage-powerflex-volume-conf
:condition: "virtual-machine or custom block volume"
:defaultdesc: "same as `volume.security.shared` or `false`"
:scope: "global"
:shortdesc: "Enable volume sharing"
:type: "bool"
Enabling this option allows sharing the volume across multiple instances despite the possibility of data loss.

```

```{config:option} security.shifted storage-powerflex-volume-conf
:condition: "custom volume"
:defaultdesc: "same as `volume.security.shifted` or `false`"
:scope: "global"
:shortdesc: "Enable ID shifting overlay"
:type: "bool"
Enabling this option allows attaching the volume to multiple isolated instances.
```

```{config:option} security.unmapped storage-powerflex-volume-conf
:condition: "custom volume"
:defaultdesc: "same as `volume.security.unmapped` or `false`"
:scope: "global"
:shortdesc: "Disable ID mapping for the volume"
:type: "bool"

```

```{config:option} size storage-powerflex-volume-conf
:defaultdesc: "same as `volume.size`"
:scope: "global"
:shortdesc: "Size/quota of the storage volume"
:type: "string"
The size must be in multiples of 8 GiB.
See {ref}`storage-powerflex-limitations` for more information.
```

```{config:option} snapshots.expiry storage-powerflex-volume-conf
:condition: "custom volume"
:defaultdesc: "same as `volume.snapshots.expiry`"
:scope: "global"
:shortdesc: "When snapshots are to be deleted"
:type: "string"
Specify an expression like `1M 2H 3d 4w 5m 6y`.
```

```{config:option} snapshots.pattern storage-powerflex-volume-conf
:condition: "custom volume"
:defaultdesc: "same as `volume.snapshots.pattern` or `snap%d`"
:scope: "global"
:shortdesc: "Template for the snapshot name"
:type: "string"
You can specify a naming template that is used for scheduled snapshots and unnamed snapshots.

The `snapshots.pattern` option takes a Pongo2 template string to format the snapshot name.

To add a time stamp to the snapshot name, use the Pongo2 context variable `creation_date`.
Make sure to format the date in your template string to avoid forbidden characters in the snapshot name.
For example, set `snapshots.pattern` to `{{ creation_date|date:'2006-01-02_15-04-05' }}` to name the snapshots after their time of creation, down to the precision of a second.

Another way to avoid name collisions is to use the placeholder `%d` in the pattern.
For the first snapshot, the placeholder is replaced with `0`.
For subsequent snapshots, the existing snapshot names are taken into account to find the highest number at the placeholder's position.
This number is then incremented by one for the new name.
```

```{config:option} snapshots.schedule storage-powerflex-volume-conf
:condition: "custom volume"
:defaultdesc: "same as `snapshots.schedule`"
:scope: "global"
:shortdesc: "Schedule for automatic volume snapshots"
:type: "string"
Specify either a cron expression (`<minute> <hour> <dom> <month> <dow>`), a comma-separated list of schedule aliases (`@hourly`, `@daily`, `@midnight`, `@weekly`, `@monthly`, `@annually`, `@yearly`), or leave empty to disable automatic snapshots (the default).
```

```{config:option} volatile.idmap.last storage-powerflex-volume-conf
:condition: "filesystem"
:shortdesc: "JSON-serialized UID/GID map that has been applied to the volume"
:type: "string"

```

```{config:option} volatile.idmap.next storage-powerflex-volume-conf
:condition: "filesystem"
:shortdesc: "JSON-serialized UID/GID map that has been applied to the volume"
:type: "string"

```

```{config:option} volatile.uuid storage-powerflex-volume-conf
:defaultdesc: "random UUID"
:scope: "global"
:shortdesc: "The volume's UUID"
:type: "string"

```

<!-- config group storage-powerflex-volume-conf end -->
<!-- config group storage-pure-pool-conf start -->
```{config:option} pure.api.token storage-pure-pool-conf
:shortdesc: "API authorization token for Pure Storage gateway"
:type: "string"
API authorization token for Pure Storage gateway. The token must have the `array_admin` role to give LXD full control over managed storage pools (Pure Storage pods).
```

```{config:option} pure.gateway storage-pure-pool-conf
:shortdesc: "Address of the Pure Storage gateway"
:type: "string"

```

```{config:option} pure.gateway.verify storage-pure-pool-conf
:defaultdesc: "`true`"
:shortdesc: "Whether to verify the Pure Storage gateway's certificate"
:type: "bool"

```

```{config:option} pure.mode storage-pure-pool-conf
:defaultdesc: "the discovered mode"
:shortdesc: "How volumes are mapped to the local server"
:type: "string"
The mode to use to map Pure Storage volumes to the local server.
Supported values are `iscsi` and `nvme`.
```

```{config:option} pure.target storage-pure-pool-conf
:defaultdesc: "the discovered mode"
:shortdesc: "List of target addresses."
:type: "string"
A comma-separated list of target addresses. If empty, LXD discovers and connects to all available targets. Otherwise, it only connects to the specified addresses.
```

```{config:option} volume.size storage-pure-pool-conf
:defaultdesc: "`10GiB`"
:shortdesc: "Size/quota of the storage volume"
:type: "string"
Default Pure Storage volume size rounded to 512B. The minimum size is 1MiB.
```

<!-- config group storage-pure-pool-conf end -->
<!-- config group storage-pure-volume-conf start -->
```{config:option} block.filesystem storage-pure-volume-conf
:condition: "block-based volume with content type `filesystem`"
:defaultdesc: "same as `volume.block.filesystem`"
:shortdesc: "File system of the storage volume"
:type: "string"
Valid options are: `btrfs`, `ext4`, `xfs`.
If not set, `ext4` is assumed.
```

```{config:option} block.mount_options storage-pure-volume-conf
:condition: "block-based volume with content type `filesystem`"
:defaultdesc: "same as `volume.block.mount_options`"
:shortdesc: "Mount options for block-backed file system volumes"
:type: "string"

```

```{config:option} size storage-pure-volume-conf
:defaultdesc: "same as `volume.size`"
:shortdesc: "Size/quota of the storage volume"
:type: "string"
Default Pure Storage volume size rounded to 512B. The minimum size is 1MiB.
```

```{config:option} snapshots.expiry storage-pure-volume-conf
:condition: "custom volume"
:defaultdesc: "same as `volume.snapshots.expiry`"
:scope: "global"
:shortdesc: "When snapshots are to be deleted"
:type: "string"
Specify an expression like `1M 2H 3d 4w 5m 6y`.
```

```{config:option} snapshots.pattern storage-pure-volume-conf
:condition: "custom volume"
:defaultdesc: "same as `volume.snapshots.pattern` or `snap%d`"
:scope: "global"
:shortdesc: "Template for the snapshot name"
:type: "string"
You can specify a naming template that is used for scheduled snapshots and unnamed snapshots.

The `snapshots.pattern` option takes a Pongo2 template string to format the snapshot name.

To add a time stamp to the snapshot name, use the Pongo2 context variable `creation_date`.
Make sure to format the date in your template string to avoid forbidden characters in the snapshot name.
For example, set `snapshots.pattern` to `{{ creation_date|date:'2006-01-02_15-04-05' }}` to name the snapshots after their time of creation, down to the precision of a second.

Another way to avoid name collisions is to use the placeholder `%d` in the pattern.
For the first snapshot, the placeholder is replaced with `0`.
For subsequent snapshots, the existing snapshot names are taken into account to find the highest number at the placeholder's position.
This number is then incremented by one for the new name.
```

```{config:option} snapshots.schedule storage-pure-volume-conf
:condition: "custom volume"
:defaultdesc: "same as `snapshots.schedule`"
:scope: "global"
:shortdesc: "Schedule for automatic volume snapshots"
:type: "string"
Specify either a cron expression (`<minute> <hour> <dom> <month> <dow>`), a comma-separated list of schedule aliases (`@hourly`, `@daily`, `@midnight`, `@weekly`, `@monthly`, `@annually`, `@yearly`), or leave empty to disable automatic snapshots (the default).
```

```{config:option} volatile.uuid storage-pure-volume-conf
:defaultdesc: "random UUID"
:scope: "global"
:shortdesc: "The volume's UUID"
:type: "string"

```

<!-- config group storage-pure-volume-conf end -->
<!-- config group storage-zfs-bucket-conf start -->
```{config:option} size storage-zfs-bucket-conf
:condition: "appropriate driver"
:defaultdesc: "same as `volume.size`"
:scope: "local"
:shortdesc: "Size/quota of the storage bucket"
:type: "string"

```

<!-- config group storage-zfs-bucket-conf end -->
<!-- config group storage-zfs-pool-conf start -->
```{config:option} size storage-zfs-pool-conf
:defaultdesc: "auto (20% of free disk space, >= 5 GiB and <= 30 GiB)"
:scope: "local"
:shortdesc: "Size of the storage pool (for loop-based pools)"
:type: "string"
When creating loop-based pools, specify the size in bytes ({ref}`suffixes <instances-limit-units>` are supported).
You can increase the size to grow the storage pool.

The default (`auto`) creates a storage pool that uses 20% of the free disk space,
with a minimum of 5 GiB and a maximum of 30 GiB.
```

```{config:option} source storage-zfs-pool-conf
:scope: "local"
:shortdesc: "Path to an existing block device, loop file, or ZFS dataset/pool"
:type: "string"

```

```{config:option} source.wipe storage-zfs-pool-conf
:defaultdesc: "`false`"
:scope: "local"
:shortdesc: "Whether to wipe the block device before creating the pool"
:type: "bool"
Set this option to `true` to wipe the block device specified in `source`
prior to creating the storage pool.
```

```{config:option} zfs.clone_copy storage-zfs-pool-conf
:defaultdesc: "`true`"
:scope: "global"
:shortdesc: "Whether to use ZFS lightweight clones"
:type: "string"
Set this option to `true` or `false` to enable or disable using ZFS lightweight clones rather
than full dataset copies.
Set the option to `rebase` to copy based on the initial image.
```

```{config:option} zfs.export storage-zfs-pool-conf
:defaultdesc: "`true`"
:scope: "global"
:shortdesc: "Whether to export the zpool when an unmount is being performed"
:type: "bool"

```

```{config:option} zfs.pool_name storage-zfs-pool-conf
:defaultdesc: "name of the pool"
:scope: "local"
:shortdesc: "Name of the zpool"
:type: "string"

```

<!-- config group storage-zfs-pool-conf end -->
<!-- config group storage-zfs-volume-conf start -->
```{config:option} block.filesystem storage-zfs-volume-conf
:condition: "block-based volume with content type `filesystem` (`zfs.block_mode` enabled)"
:defaultdesc: "same as `volume.block.filesystem`"
:scope: "global"
:shortdesc: "File system of the storage volume"
:type: "string"
Valid options are: `btrfs`, `ext4`, `xfs`.
If not set, `ext4` is assumed.
```

```{config:option} block.mount_options storage-zfs-volume-conf
:condition: "block-based volume with content type `filesystem` (`zfs.block_mode` enabled)"
:defaultdesc: "same as `volume.block.mount_options`"
:scope: "global"
:shortdesc: "Mount options for block-backed file system volumes"
:type: "string"

```

```{config:option} security.shared storage-zfs-volume-conf
:condition: "virtual-machine or custom block volume"
:defaultdesc: "same as `volume.security.shared` or `false`"
:scope: "global"
:shortdesc: "Enable volume sharing"
:type: "bool"
Enabling this option allows sharing the volume across multiple instances despite the possibility of data loss.

```

```{config:option} security.shifted storage-zfs-volume-conf
:condition: "custom volume"
:defaultdesc: "same as `volume.security.shifted` or `false`"
:scope: "global"
:shortdesc: "Enable ID shifting overlay"
:type: "bool"
Enabling this option allows attaching the volume to multiple isolated instances.
```

```{config:option} security.unmapped storage-zfs-volume-conf
:condition: "custom volume"
:defaultdesc: "same as `volume.security.unmapped` or `false`"
:scope: "global"
:shortdesc: "Disable ID mapping for the volume"
:type: "bool"

```

```{config:option} size storage-zfs-volume-conf
:condition: "appropriate driver"
:defaultdesc: "same as `volume.size`"
:scope: "global"
:shortdesc: "Size/quota of the storage volume"
:type: "string"

```

```{config:option} snapshots.expiry storage-zfs-volume-conf
:condition: "custom volume"
:defaultdesc: "same as `volume.snapshots.expiry`"
:scope: "global"
:shortdesc: "When snapshots are to be deleted"
:type: "string"
Specify an expression like `1M 2H 3d 4w 5m 6y`.
```

```{config:option} snapshots.pattern storage-zfs-volume-conf
:condition: "custom volume"
:defaultdesc: "same as `volume.snapshots.pattern` or `snap%d`"
:scope: "global"
:shortdesc: "Template for the snapshot name"
:type: "string"
You can specify a naming template that is used for scheduled snapshots and unnamed snapshots.

The `snapshots.pattern` option takes a Pongo2 template string to format the snapshot name.

To add a time stamp to the snapshot name, use the Pongo2 context variable `creation_date`.
Make sure to format the date in your template string to avoid forbidden characters in the snapshot name.
For example, set `snapshots.pattern` to `{{ creation_date|date:'2006-01-02_15-04-05' }}` to name the snapshots after their time of creation, down to the precision of a second.

Another way to avoid name collisions is to use the placeholder `%d` in the pattern.
For the first snapshot, the placeholder is replaced with `0`.
For subsequent snapshots, the existing snapshot names are taken into account to find the highest number at the placeholder's position.
This number is then incremented by one for the new name.
```

```{config:option} snapshots.schedule storage-zfs-volume-conf
:condition: "custom volume"
:defaultdesc: "same as `snapshots.schedule`"
:scope: "global"
:shortdesc: "Schedule for automatic volume snapshots"
:type: "string"
Specify either a cron expression (`<minute> <hour> <dom> <month> <dow>`), a comma-separated list of schedule aliases (`@hourly`, `@daily`, `@midnight`, `@weekly`, `@monthly`, `@annually`, `@yearly`), or leave empty to disable automatic snapshots (the default).
```

```{config:option} volatile.idmap.last storage-zfs-volume-conf
:condition: "filesystem"
:shortdesc: "JSON-serialized UID/GID map that has been applied to the volume"
:type: "string"

```

```{config:option} volatile.idmap.next storage-zfs-volume-conf
:condition: "filesystem"
:shortdesc: "JSON-serialized UID/GID map that has been applied to the volume"
:type: "string"

```

```{config:option} volatile.uuid storage-zfs-volume-conf
:defaultdesc: "random UUID"
:scope: "global"
:shortdesc: "The volume's UUID"
:type: "string"

```

```{config:option} zfs.block_mode storage-zfs-volume-conf
:defaultdesc: "same as `volume.zfs.block_mode`"
:scope: "global"
:shortdesc: "Whether to use a formatted `zvol` rather than a dataset"
:type: "bool"
`zfs.block_mode` can be set only for custom storage volumes.
To enable ZFS block mode for all storage volumes in the pool, including instance volumes,
use `volume.zfs.block_mode`.
```

```{config:option} zfs.blocksize storage-zfs-volume-conf
:defaultdesc: "same as `volume.zfs.blocksize`"
:scope: "global"
:shortdesc: "Size of the ZFS block"
:type: "string"
The size must be between 512 bytes and 16 MiB and must be a power of 2.
For a block volume, a maximum value of 128 KiB will be used even if a higher value is set.

Depending on the value of {config:option}`storage-zfs-volume-conf:zfs.block_mode`,
the specified size is used to set either `volblocksize` or `recordsize` in ZFS.
```

```{config:option} zfs.delegate storage-zfs-volume-conf
:condition: "ZFS 2.2 or higher"
:defaultdesc: "same as `volume.zfs.delegate`"
:scope: "global"
:shortdesc: "Whether to delegate the ZFS dataset"
:type: "bool"
This option controls whether to delegate the ZFS dataset and anything underneath it to the
container or containers that use it. When used in conjunction with
{config:option}`instance-security:security.nesting`, this allows
using the `zfs` command in the container.
```

```{config:option} zfs.remove_snapshots storage-zfs-volume-conf
:defaultdesc: "same as `volume.zfs.remove_snapshots` or `false`"
:scope: "global"
:shortdesc: "Remove snapshots as needed"
:type: "bool"

```

```{config:option} zfs.reserve_space storage-zfs-volume-conf
:defaultdesc: "same as `volume.zfs.reserve_space` or `false`"
:scope: "global"
:shortdesc: "Use `reservation`/`refreservation` along with `quota`/`refquota`"
:type: "bool"

```

```{config:option} zfs.use_refquota storage-zfs-volume-conf
:defaultdesc: "same as `volume.zfs.use_refquota` or `false`"
:scope: "global"
:shortdesc: "Use `refquota` instead of `quota` for space"
:type: "bool"

```

<!-- config group storage-zfs-volume-conf end -->
<!-- entity group certificate start -->
`can_view`
: Grants permission to view the certificate.

`can_edit`
: Grants permission to edit the certificate.

`can_delete`
: Grants permission to delete the certificate.


<!-- entity group certificate end -->
<!-- entity group group start -->
`can_view`
: Grants permission to view the group. Identities can always view groups that they are a member of.

`can_edit`
: Grants permission to edit the group.

`can_delete`
: Grants permission to delete the group.


<!-- entity group group end -->
<!-- entity group identity start -->
`can_view`
: Grants permission to view the identity.

`can_edit`
: Grants permission to edit the identity.

`can_delete`
: Grants permission to delete the identity.


<!-- entity group identity end -->
<!-- entity group identity_provider_group start -->
`can_view`
: Grants permission to view the identity provider group.

`can_edit`
: Grants permission to edit the identity provider group.

`can_delete`
: Grants permission to delete the identity provider group.


<!-- entity group identity_provider_group end -->
<!-- entity group image start -->
`can_edit`
: Grants permission to edit the image.

`can_delete`
: Grants permission to delete the image.

`can_view`
: Grants permission to view the image.


<!-- entity group image end -->
<!-- entity group image_alias start -->
`can_edit`
: Grants permission to edit the image alias.

`can_delete`
: Grants permission to delete the image alias.

`can_view`
: Grants permission to view the image alias.


<!-- entity group image_alias end -->
<!-- entity group instance start -->
`user`
: Grants permission to view the instance, to access files, and to start a terminal or console session.

`operator`
: Grants permission to view the instance, to access files, start a terminal or console session, and to manage snapshots and backups.

`can_edit`
: Grants permission to edit the instance.

`can_delete`
: Grants permission to delete the instance.

`can_view`
: Grants permission to view the instance and any snapshots or backups it might have.

`can_update_state`
: Grants permission to change the instance state.

`can_manage_snapshots`
: Grants permission to create and delete snapshots of the instance.

`can_manage_backups`
: Grants permission to create and delete backups of the instance.

`can_connect_sftp`
: Grants permission to get an SFTP client for the instance.

`can_access_files`
: Grants permission to push or pull files into or out of the instance.

`can_access_console`
: Grants permission to start a console session.

`can_exec`
: Grants permission to start a terminal session.


<!-- entity group instance end -->
<!-- entity group network start -->
`can_edit`
: Grants permission to edit the network.

`can_delete`
: Grants permission to delete the network.

`can_view`
: Grants permission to view the network.


<!-- entity group network end -->
<!-- entity group network_acl start -->
`can_edit`
: Grants permission to edit the network ACL.

`can_delete`
: Grants permission to delete the network ACL.

`can_view`
: Grants permission to view the network ACL.


<!-- entity group network_acl end -->
<!-- entity group network_zone start -->
`can_edit`
: Grants permission to edit the network zone.

`can_delete`
: Grants permission to delete the network zone.

`can_view`
: Grants permission to view the network zone.


<!-- entity group network_zone end -->
<!-- entity group profile start -->
`can_edit`
: Grants permission to edit the profile.

`can_delete`
: Grants permission to delete the profile.

`can_view`
: Grants permission to view the profile.


<!-- entity group profile end -->
<!-- entity group project start -->
`operator`
: Grants permission to create, view, edit, and delete all resources belonging to the project, but does not grant permission to edit the project configuration itself.

`viewer`
: Grants permission to view all resources belonging to the project.

`can_view`
: Grants permission to view the project.

`can_edit`
: Grants permission to edit the project.

`can_delete`
: Grants permission to delete the project.

`image_manager`
: Grants permission to create, view, edit, and delete all images belonging to the project.

`can_create_images`
: Grants permission to create images.

`can_view_images`
: Grants permission to view images.

`can_edit_images`
: Grants permission to edit images.

`can_delete_images`
: Grants permission to delete images.

`image_alias_manager`
: Grants permission to create, view, edit, and delete all image aliases belonging to the project.

`can_create_image_aliases`
: Grants permission to create image aliases.

`can_view_image_aliases`
: Grants permission to view image aliases.

`can_edit_image_aliases`
: Grants permission to edit image aliases.

`can_delete_image_aliases`
: Grants permission to delete image aliases.

`instance_manager`
: Grants permission to create, view, edit, and delete all instances belonging to the project.

`can_create_instances`
: Grants permission to create instances.

`can_view_instances`
: Grants permission to view instances.

`can_edit_instances`
: Grants permission to edit instances.

`can_delete_instances`
: Grants permission to delete instances.

`can_operate_instances`
: Grants permission to view instances, manage their state, manage their snapshots and backups, start terminal or console sessions, and access their files.

`network_manager`
: Grants permission to create, view, edit, and delete all networks belonging to the project.

`can_create_networks`
: Grants permission to create networks.

`can_view_networks`
: Grants permission to view networks.

`can_edit_networks`
: Grants permission to edit networks.

`can_delete_networks`
: Grants permission to delete networks.

`network_acl_manager`
: Grants permission to create, view, edit, and delete all network ACLs belonging to the project.

`can_create_network_acls`
: Grants permission to create network ACLs.

`can_view_network_acls`
: Grants permission to view network ACLs.

`can_edit_network_acls`
: Grants permission to edit network ACLs.

`can_delete_network_acls`
: Grants permission to delete network ACLs.

`network_zone_manager`
: Grants permission to create, view, edit, and delete all network zones belonging to the project.

`can_create_network_zones`
: Grants permission to create network zones.

`can_view_network_zones`
: Grants permission to view network zones.

`can_edit_network_zones`
: Grants permission to edit network zones.

`can_delete_network_zones`
: Grants permission to delete network zones.

`profile_manager`
: Grants permission to create, view, edit, and delete all profiles belonging to the project.

`can_create_profiles`
: Grants permission to create profiles.

`can_view_profiles`
: Grants permission to view profiles.

`can_edit_profiles`
: Grants permission to edit profiles.

`can_delete_profiles`
: Grants permission to delete profiles.

`storage_volume_manager`
: Grants permission to create, view, edit, and delete all storage volumes belonging to the project.

`can_create_storage_volumes`
: Grants permission to create storage volumes.

`can_view_storage_volumes`
: Grants permission to view storage volumes.

`can_edit_storage_volumes`
: Grants permission to edit storage volumes.

`can_delete_storage_volumes`
: Grants permission to delete storage volumes.

`storage_bucket_manager`
: Grants permission to create, view, edit, and delete all storage buckets belonging to the project.

`can_create_storage_buckets`
: Grants permission to create storage buckets.

`can_view_storage_buckets`
: Grants permission to view storage buckets.

`can_edit_storage_buckets`
: Grants permission to edit storage buckets.

`can_delete_storage_buckets`
: Grants permission to delete storage buckets.

`can_view_operations`
: Grants permission to view operations relating to the project.

`can_view_events`
: Grants permission to view events relating to the project.

`can_view_metrics`
: Grants permission to view project level metrics.


<!-- entity group project end -->
<!-- entity group server start -->
`admin`
: Grants full access to LXD as if via Unix socket.

`viewer`
: Grants access to view all resources in the LXD server.

`can_edit`
: Grants permission to edit server configuration, to edit cluster member configuration, to update the state of a cluster member, to create, edit, and delete cluster groups, to update cluster member certificates, and to edit or delete warnings.

`permission_manager`
: Grants permission to view permissions, to create, edit, and delete identities, to view, create, edit, and delete authorization groups, and to view, create, edit, and delete identity provider groups. Note that clients with this permission are able to elevate their own privileges.

`can_view_permissions`
: Grants permission to view permissions.

`can_create_identities`
: Grants permission to create identities.

`can_view_identities`
: Grants permission to view identities.

`can_edit_identities`
: Grants permission to edit identities.

`can_delete_identities`
: Grants permission to delete identities.

`can_create_groups`
: Grants permission to create authorization groups.

`can_view_groups`
: Grants permission to view authorization groups.

`can_edit_groups`
: Grants permission to edit authorization groups.

`can_delete_groups`
: Grants permission to delete authorization groups.

`can_create_identity_provider_groups`
: Grants permission to create identity provider groups.

`can_view_identity_provider_groups`
: Grants permission to view identity provider groups.

`can_edit_identity_provider_groups`
: Grants permission to edit identity provider groups.

`can_delete_identity_provider_groups`
: Grants permission to delete identity provider groups.

`storage_pool_manager`
: Grants permission to create, edit, and delete storage pools.

`can_create_storage_pools`
: Grants permission to create storage pools.

`can_edit_storage_pools`
: Grants permission to edit storage pools.

`can_delete_storage_pools`
: Grants permission to delete storage pools.

`project_manager`
: Grants permission to create, view, edit, and delete projects, and to create, view, edit, and delete resources belonging to any project.

`can_create_projects`
: Grants permission to create projects.

`can_view_projects`
: Grants permission to view projects, and all resources within those projects.

`can_edit_projects`
: Grants permission to edit projects, and all resources within those projects.

`can_delete_projects`
: Grants permission to delete projects.

`can_override_cluster_target_restriction`
: If a project is configured with `restricted.cluster.target`, clients with this permission can override the restriction.

`can_view_privileged_events`
: Grants permission to view privileged event types, such as logging events.

`can_view_resources`
: Grants permission to view server and storage pool resource usage information.

`can_view_metrics`
: Grants permission to view all server and project level metrics.

`can_view_warnings`
: Grants permission to view warnings.

`can_view_unmanaged_networks`
: Grants permission to view unmanaged networks on the LXD host machines.


<!-- entity group server end -->
<!-- entity group storage_bucket start -->
`can_edit`
: Grants permission to edit the storage bucket.

`can_delete`
: Grants permission to delete the storage bucket.

`can_view`
: Grants permission to view the storage bucket.


<!-- entity group storage_bucket end -->
<!-- entity group storage_pool start -->
`can_edit`
: Grants permission to edit the storage pool.

`can_delete`
: Grants permission to delete the storage pool.


<!-- entity group storage_pool end -->
<!-- entity group storage_volume start -->
`can_edit`
: Grants permission to edit the storage volume.

`can_delete`
: Grants permission to delete the storage volume.

`can_view`
: Grants permission to view the storage volume and any snapshots or backups it might have.

`can_manage_snapshots`
: Grants permission to create and delete snapshots of the storage volume.

`can_manage_backups`
: Grants permission to create and delete backups of the storage volume.


<!-- entity group storage_volume end -->
