The Central Configuration is where all global settings for a Domino installation are listed. ` . Go to Admin portal. . Click Advanced > Central Config. . On the Configuration Management page, you can:
-
Click an existing record to edit its attributes.
-
Click Add Record to create a new setting. If no record is created in the application, the system uses the default value.
You must restart the Domino services for changes to take effect.
These options relate to the Keycloak authentication service.
They are available in namespace common and must be recorded with no name.
Key | Default | Description |
| ||
| Enables Domino organization membership to synchronize with SAML identity provider attributes so that membership can be managed by the identity provider. | |
| ||
| Enables Domino’s user roles to synchronize with SAML identity provider attributes so that user role management can be managed by the identity provider. See Admin roles assignments through users role SAML attributes. | |
| ||
| If See Roles for more information. | |
| ||
| Enables Domino organization membership to synchronize with SAML identity provider attributes so that membership can be managed by the identity provider. | |
These options relate to the Domino builder.
The Domino builder is a container that runs as a Kubernetes job to build the Docker images for Domino environments and Model APIs.
This container is deployed to a node labeled with a configurable Kubernetes label (defaults to domino/build-node=TRUE) whenever a user triggers an environment or model build.
| Key | Default | Description |
|---|---|---|
| ||
200 CPU shares | If If you want to leave the build operation unlimited, delete the default value.
This setting corresponds to the See here for valid values. | |
| ||
2 (2147483647) GB | If If you want to leave the build operation unlimited, delete the default value.
This setting corresponds to the See here for valid values. | |
| ||
ifeval::[4.5 >= 4.2]gi
| Controls whether Domino will use the V2 image builder or V1 image builder. This is a Domino service that creates environment revisions and Model API version Docker images. If you change the setting, you must restart the Nucleus services to apply RabbitMQ queue changes. | |
These options relate to the compute grid.
They are available in namespace common and must be recorded with no name.
| Key | Default | Description |
|---|---|---|
| ||
| Sets the client_body_max_size property for the nginx reverse proxy in workspace pods. Note | |
| ||
| Controls how often the garbage collector runs to delete old or excess persistent volumes. | |
| ||
None | Setting a value in minutes here will cause persistent volumes older than that to be automatically deleted by the garbage collector. | |
| ||
| Maximum number of idle persistent volumes to keep. Idle volumes in excess of this number will be deleted by the garbage collector. | |
| ||
| Kubernetes storage class that will be used to dynamically provision persistent volumes. This is set initially to the value of | |
| ||
| Size in GB of compute grid persistent volumes. This is the total amount of disk space available to users in runs and workspaces. | |
| ||
| This is the maximum number of executions each user will be allowed to run concurrently. If a user attempts to start additional executions in excess of this those executions will be queued until some of the user’s other executions finish. | |
These options customize MongoDB connections.
| Key | Default | Description |
|---|---|---|
| ||
| The maximum number of threads allowed to wait for a MongoDB connection. The | |
These options relate to email notifications from Domino.
They are available in namespace common and must be recorded with no name.
| Key | Default | Description |
|---|---|---|
| ||
None | Hostname of SMTP relay to use for sending emails from Domino. | |
| ||
None | Username to use for authenticating to the SMTP host. | |
| ||
| Port to use for connecting to SMTP host. | |
| ||
| Whether the SMTP host uses SSL. | |
These options relate to Domino Environments.
They are available in namespace common and must be recorded with no name.
Key | Default | Description |
| ||
| If set to | |
| ||
| Docker image URI for the initial default environment. | |
| ||
Domino Analytics Distribution Py3.6 R3.6 | Name of the initial default environment. | |
These options relate to the file contents download API endpoint.
They are available in namespace common and must be recorded with no name.
Key | Default | Description |
| ||
| Set to | |
| ||
None | Set to | |
These options relate to the Domino Image Builder v2 and v3.
Use the Image Builder to create new environment revision and Model API version Docker images.
To satisfy requirements around heightened security and support for non-Docker container runtimes (such as cri-o for OpenShift), the Image Builder uses an open-source image building engine named Buildkit and wraps in a suitable fashion for Domino’s use.
The Image Builder acts as a controller, built around the Kubernetes operator pattern in which it acts on custom resources (ContainerImageBuild) using standard CRUD actions.
Key | Default | Description |
| ||
| The external Docker registry URI to pull Domino base images from. | |
| ||
| The K8s secret containing credentials for authentication to an external Docker registry. | |
| ||
<Domino Compute Namespace> | The namespace where the external Docker registry secret is located. | |
| ||
None | Sets a hard upper limit on the object size of created environment revisions in the internal Docker registry. Takes arguments in the form: | |
| ||
None | Sets a hard upper limit on the object size of created Model API revisions in the internal Docker registry. Takes arguments in the form: | |
| ||
| Sets a hard upper limit on the vCPU required for image builds. Takes kubernetes quantities as arguments. | |
| ||
| Sets a hard upper limit on the memory required for image builds. Takes kubernetes quantities as arguments | |
These options relate to long-running workspace sessions.
They are available in namespace common and must be recorded with no name.
Key | Default | Description |
| ||
| Defines how long a workspace must run in seconds before the workspace is classified as 'long-running' and begins to generate notifications or becomes subject to automatic shutdown. | |
| ||
| Set to | |
| ||
| Set to | |
| ||
| Maximum time (in seconds) that a user can set as the period between receiving long-running notification emails. Note | |
| ||
| Set to | |
| ||
| Set to | |
| ||
| Longest time in seconds a long-running workspace will be allowed to continue before automatic shutdown. Users cannot set their automatic shutdown timer to be longer than this. | |
These options relate to Model APIs.
They are available in namespace common and must be recorded with no name.
| Key | Default | Description |
|---|---|---|
| ||
| Default number of instances per Model used for Model API scaling. | |
| ||
| Maximum number of instances per Model used for Model API scaling. | |
| ||
| Key used in Kubernetes label node selector for Model API pods. | |
| ||
| Value used in Kubernetes label node selector for Model API pods. | |
These options relate to the on-demand Spark clusters.
They are available in namespace common and must be recorded with no name.
Key | Default | Description |
| ||
| Frequency in seconds to run status checks on on-demand Spark clusters. | |
| ||
| File system path on which Spark worker storage is mounted. | |
| ||
None | Option to supply alternative default configuration directory for on-demand Spark clusters. | |
| ||
| Minimum amount of memory in MiB to use for Spark worker overhead. | |
| ||
| Spark worker overhead scaling factor. | |
| ||
None | Set to | |
The following configuration settings are used for caching.
| Key | Default | Description |
|---|---|---|
| ||
| Use this key to modify the period (in months) of historical data that the Control Center uses. You might have to change this value to less than Caution | |
| ||
| Specifies how often the cache is refreshed in minutes. This cache is used in the Control Center and improves performance. However, if the cache is refreshed every 30 minutes some recent data will not be included in the reports. | |
These options relate to project visibility settings.
They are available in namespace common and must be recorded with no name.
Key | Default | Description |
| ||
| If set to | |
| ||
| Controls the default visibility setting for new projects. Options are | |
These options relate to the User Activity Reports.
| Key | Default | Description |
|---|---|---|
| ||
| Sets the default recipient for the User Activity Report. To access this report, go to Admin > Advanced > User Activity Report. | |
| ||
| When | |
| ||
| Specifies the number of days to report for recent activity in the User Activity Reports. For example, the default value includes activity within the past 30 days in the Recent Activity section. See License usage reporting. | |
| ||
| Defines the frequency for automatically scheduled User Activity Reports. The default cron string value is set to daily at 02:00. | |
| ||
Empty | Identifies a comma-separated list of email addresses that receive automatic scheduled User Activity Reports. This is not shown in the Central Configuration unless it is set explicitly. Example values are: email1@domain.com, email2@domain.com. See License usage reporting. | |
IFrame Security
Web apps in Domino are served in HTML inline frames, also known as “iframes”. To improve iframe security, a “sandbox” attribute can be set for iframe elements. When this attribute is set, extra security restrictions are applied to the iframes serving web apps in Domino, like blocking cross-origin requests, form submissions, script executions, and much more.
In Domino, this “sandbox” attribute can be toggled with the ShortLived.iFrameSecurityEnabled feature flag.
Setting this flag to “TRUE” will apply the sandbox attribute to the iframe and apply the extra security restrictions.
If the flag is set to “FALSE”, no security restrictions will be applied to the iframe.
By default, in Domino 4.4.1 the ShortLived.iFrameSecurityEnabled flag is set to FALSE.
Content Security Policies
A content security policy allows Domino web apps to access specific, whitelisted external resources. Any request made to non-whitelisted external resources, however, will be blocked.
In Domino, you can toggle this feature with the EnableContentSecurityPolicyforApps feature flag.
Setting this flag to “TRUE” will block requests to all non-whitelisted resources and allow requests to whitelisted resources.
Setting this flag to “FALSE” will allow all requests to resources (that is, no blocking of any kind).
By default, in Domino 4.4.1 the EnableContentSecurityPolicyforApps is set to FALSE.
The keys and default values associated with this feature flag are listed in the table below.
Key | Default | Description |
| ||
| Allows images to be inserted directly into a webapp using a | |
| ||
| Whitelists the URLs of the scripts that the demo Apps in the | |
| ||
| Allows apps to define their own styles with | |
| ||
| Allows the app to use WebSockets, which use URLs that begin with | |
To whitelist a resource:
-
Go to Configuration Management (that is, Central Config) in your Domino admin settings.
-
Click Add Record.
-
Set the key to
com.cerebro.domino.apps.contentSecurityPolicy.whiteListedConnectSrcList. -
Set the value to
ws:followed by the URL of the resource you’d like to whitelist (that is,ws: https://foobar.buz.bax/). You must work with your team to figure out which URLs have to be whitelisted. For more details, see: Content Security Policies for Web Apps. -
Save the record and restart Domino services.
IFrame Security in combination with Content Security Policies
In Domino 4.4.1, the ShortLived.iFrameSecurityEnabled and EnableContentSecurityPolicyforApps feature flags coexist.
The matrix below describes the blocking behavior for requests based on both feature flags.
|
Important
|
The IFrame feature flag will be deprecated in future versions of Domino. Domino recommends implementing web app security using content security policies instead. |
| ShortLived.iFrameSecurityEnabled = FALSE | ShortLived.iFrameSecurityEnabled = TRUE | |
|---|---|---|
EnableContent SecurityPolicyForApps = FALSE | No blocking occurs. All requests to external resources are allowed. | All requests from web apps to external resources are blocked. |
EnableContent SecurityPolicyForApps = TRUE | Only requests to whitelisted external resources are allowed. All other requests to external resources are blocked. | All requests from web apps to external resources are blocked. |
These options relate to Domino workspaces.
Key | Default | Description |
| ||
| Controls default allocated persistent volume size for a new workspace. | |
| ||
| Controls min allocated persistent volume size for a new workspace. | |
| ||
| Controls max allocated persistent volume size for a new workspace. | |
| ||
| Sets a limit on the number of provisioned workspaces per user per project. | |
| ||
| Sets a limit on the number of provisioned workspaces per user across all projects. | |
| ||
| Sets a limit on the number of provisioned workspaces across the whole Domino. | |
| ||
| Sets a limit on the total volume size of all provisioned workspaces across the whole Domino combined. | |
| ||
| The number of seconds the frontend waits after the workspace stops before making the delete request to the backend. This allows for enough time after workspace stop for the workspace’s persistent volume to be released. If users frequently receive an error after trying a delete, then this value should be increased. | |
| ||
| Whether to capture snapshots of workspace persistent volumes. | |
| ||
| How often to delete all but the X most recent snapshots. Where X is a number defined by | |
| ||
| The number of snapshots to retain. All older snapshots beyond this limit will be deleted during a periodic cleanup. | |