Skip to content


Most services do not require configuration, but a couple of them cannot be used if you do not configure them:

  • the SSH channel plugin, used to communicate with execution environments via SSH (you can use agent-based execution environments instead, if you prefer)
  • the S3 publisher plugin and the Local publisher plugin, that require credentials and a hint of where they should publish the results produced by your workflows

You should also choose the services you want to start on a given orchestrator instance. It is a good practice to disable the services you do not need.

Configuration location

On the OpenTestFactory orchestrator distribution, the configuration files are in the /app/conf directory.

There is one main configuration file ({name}.yaml) per service. Some services may use additional configuration files.

Each service has a unique name. The name of the service matches the name of the main configuration file (minus the extension), and this name is also the name you use if you want to disable a service.

There is also a /app/squashtf.yaml instance configuration file which is where you specify your plugins’ location and the services you want to be disabled.

If you use a third-party distribution, those configuration files may be somewhere else. Please refer to your distribution’s documentation for more information.

Instance configuration

The instance configuration file specifies the eventbus to use, the core services location, and the plugins locations.

The default instance configuration file (/app/squashtf.yaml) is as follows:

eventbus: python3 -m opentf.core.eventbus
- ${{ CORE }}/core
- ${{ CORE }}/plugins
- /app/plugins
- dummyee
- HelloWorld
- localpublisher

The ${{ CORE }} variable points to the actual location of the OpenTestFactory orchestrator distribution.


The eventbus section specifies how to start the eventbus. This specification is the command that is used.

The services list specifies the location of the core services. It is a list of directories. The launcher scans those directories in order, looking for service descriptors (service.yaml files).


Adding new plugins

If you want to add additional plugins on your installation, attach a volume and add its mount point in the plugins list. It should be a fully qualified directory path.

You can use the /app/plugins mount point which is empty in the standard distribution.

You may attach more than one volume.

The launcher scans those directories at startup time, looking for plugin descriptors (plugin.yaml files).

Disabling plugins

The disabled section contains a list of plugin names. If a plugin descriptor with a matching name is found, irrespective of the case, it will be skipped.

This section may include names that have no matching plugin descriptors.

Common configuration

Each service configuration file has a set of common elements.

kind: ...Config
current-context: allinone
- context:
    port: ...
    ssl_context: disabled
    - /etc/squashtf/*
    logfile: service.log
    enable_insecure_login: true
      endpoint: https://
      token: reuse
  name: allinone

The apiVersion and kind elements are always present. The version may vary over time and the kind varies per service category.

There is a current-context entry, which is the name of a specified context, and there is a contexts entry, which is a list of contexts.

At least one context must be defined, named allinone. This context is selected by the launcher.

Each context specifies at lease a host and a port. An eventbus entry must also be specified (except for the eventbus service).

context elements

host: a string                               (required)
port: an integer                             (required)
ssl_context: 'adhoc' or 'disabled'           (optional)
trusted_authorities: a list of directories   (optional)
enable_insecure_login: a boolean             (optional, false by default)
insecure_bind_address: a string or a list    (optional)
  • host (required): the host the service will bind to (a hostname or an IP address).
  • port (required): the port the service will listen to (a number).
  • ssl_context (required): either adhoc, a list of two items (certificate file path and private key file path), or disabled (not recommended, will switch to plain HTTP).
  • trusted_authorities (optional): a list of public key files and/or directories containing public key files, used for token validation.
  • enable_insecure_login (optional): allow for insecure (token-less) logins, if set to true (by default, insecure logins are disabled).
  • insecure_bind_address (optional, only used if enable_insecure_login is set to true): insecure logins, if enabled, are only allowed from a given address ( by default).

eventbus elements

This element is present for all services excluding the eventbus service.

token: a string                              (required)
endpoint: a string (an uri)                  (required)
insecure-skip-tls-verify: a boolean          (optional, false by default)
hostname: a string                           (optional)
port: an integer                             (optional)


By default, the eventbus, used by all services, listens on port 38368. If you change this default port, you must adjust the default configuration of all other used services and plugins.

Core services

Some limits and retention periods can be overridden for the core services.



A pool must be specified for the SSH channel plugin. There is no specific configuration for the Agent channel plugin.


Providers plugins support global hooks (hooks defined at the orchestrator level). You may want to define some such hooks, to adjust them to some practices that are specific to your environment but common for all your users. They can also be used to enforce security or monitoring measures.

See “Hooks configuration for provider plugins” for more information.


A set of credentials must be provided for the S3 publisher plugin.