The Central Configuration is where all global settings for a Domino installation are listed.
-
Go to the Admin portal.
-
Click Advanced > Central Config.
-
On the Configuration Management page, you can:
-
Click an existing record to edit its attributes.
-
Click Add Record to create a new setting. If no record is created in the application, the system uses the default value.
You must restart the Domino services for changes to take effect. To do this, click here to restart services.
-
These options relate to the Keycloak authentication service.
They are available in namespace common
and must be recorded with no name
.
Key | Default | Description |
---|---|---|
| ||
| Enables Domino organization membership to synchronize with SAML identity provider attributes so that membership can be managed by the identity provider. | |
| ||
| Enables Domino’s user roles to synchronize with SAML identity provider attributes so that user role management can be managed by the identity provider. | |
| ||
| If See Roles for more information. |
These options relate to authorization and user roles.
Key | Default | Description | ||
---|---|---|---|---|
| ||||
| The port on which the API proxy operates. Do not change this value.
| |||
| ||||
| If | |||
| ||||
| If | |||
| ||||
| If |
Domino can store long-term, unstructured data in blob storage buckets.
Key | Default | Description |
---|---|---|
| ||
"" | Determines the DFS storage host for the deployment.
For example if set to |
S3 storage options
These options relate to Domino File System support for AWS S3 storage. This is available for AWS deployments only.
Key | Default | Description |
---|---|---|
| ||
| The timeout duration for a connection from the connection manager. | |
| ||
| The timeout duration for the connection to S3 storage. | |
| ||
| Configures the S3 client to use path-style access for all requests. | |
| ||
"" | Required: Name of the S3 bucket in which you want to store blobs. | |
| ||
"" | Prefix that is added to the container name. The user can set this, but this prefix must also be on the container in S3. | |
| ||
"" | Suffix that is added to the container name. The user can set this, but this suffix must also be on the container in S3. | |
| ||
"" | Overrides the S3 client endpoint. | |
| ||
| Determines the pool size of max blobs to transfer concurrently. | |
| ||
"" | Carried over from the S3 settings. | |
| ||
"" | The region of the S3 account. | |
| ||
| The timeout duration to access the S3 blob store through a signed URL. This pertains to the CLI only. | |
| ||
| The timeout duration for packets to reach the server. | |
| ||
"" | The KMS key ID for use with server-side encryption. |
These options relate to the Domino builder.
The Domino builder is a container that runs as a Kubernetes job to build the Docker images for Domino environments and Model APIs.
This container is deployed to a node labeled with a configurable Kubernetes label (defaults to domino/build-node=TRUE
) whenever a user triggers an environment or model build.
Key | Default | Description |
---|---|---|
| ||
200 CPU shares | If If you want to leave the build operation unlimited, delete the default value.
This setting corresponds to the See here for valid values. | |
| ||
2 (2147483647) GB | If If you want to leave the build operation unlimited, delete the default value.
This setting corresponds to the See here for valid values. | |
| ||
| Node label key that the selector in the pod specification for the builder job will target. This field is only applicable in ImageBuilderV1, which is not the default. | |
| ||
| Node label value that the selector in the pod specification for the builder job will target. If you change this setting, the build nodes need that new k/v string applied. | |
| ||
| The builder job mounts the host Docker socket to execute builds. This should point to a path on the builder nodes where a Docker socket file can be mounted as part of the builder job pod specification. | |
| ||
| The external Docker registry URI to pull Domino base images from. | |
| ||
| The K8s secret containing credentials for authentication to an external Docker registry. | |
| ||
<Domino Compute Namespace> | The namespace where the external Docker registry secret is located. | |
| ||
None | Sets a hard upper limit on the object size of created environment revisions in the internal Docker registry. Takes arguments in the form: | |
| ||
None | Sets a hard upper limit on the object size of created Model API revisions in the internal Docker registry. Takes arguments in the form: | |
| ||
| Sets a hard upper limit on the vCPU required for image builds. Takes kubernetes quantities as arguments. | |
| ||
| Sets a hard upper limit on the memory required for image builds. Takes kubernetes quantities as arguments | |
| ||
| Controls whether Domino will use the V2 image builder or V1 image builder. This is a Domino service that creates environment revisions and Model API version Docker images. If you change the setting, you must restart the Nucleus services to apply RabbitMQ queue changes. |
Key | Default | Description |
---|---|---|
| ||
| The length of time from which the feature flag information is requested to the next time they will be retrieved from the server. |
These settings are related to the ability to enable auto-scaling of Spark, Ray, and Dask on-demand clusters.
They are available in namespace common
and must be recorded with no name
.
Key | Default | Description |
---|---|---|
| ||
None | Target CPU utilization percentage when scale up of clusters should trigger. If not set, the Kubernetes default of 80% is used. | |
| ||
None | Target memory utilization percentage when scale up of clusters should trigger. This setting requires Kubernetes 1.18 or above. | |
| ||
None | Scale down stabilization window. This setting requires Kubernetes 1.18 or above. On lower versions, 300 seconds will apply. |
The following table describes the interaction of the auto-scaling settings.
targetCpuUtilizationPercent | targetMemoryUtilizationPercent | behavior |
---|---|---|
Not set | Not set | The default Kubernetes setting of 80% CPU utilization applies. |
| Not set |
|
Not set |
| CPU utilization is not considered. |
|
| Scaling will trigger based on reaching either |
For more information on compute cluster auto-scaling, you can see the Kubernetes HPA documentation.
These options relate to the compute grid.
They are available in namespace common
and must be recorded with no name
.
Key | Default | Description | ||
---|---|---|---|---|
| ||||
| If | |||
| ||||
| How often the garbage collector runs to manage the size of the memory for the event history in MongoDB. | |||
| ||||
| Sets the client_body_max_size property for the nginx reverse proxy in workspace pods.
| |||
| ||||
| The timeout for waiting to connect to the Nginx proxy server running in the run pod. You must use finite duration syntax to configure the time. For example, 30s for 30 seconds, 5m for 5 minutes, and 1h for 1 hour. See the Architecture documentation for application services. | |||
| ||||
| The timeout for waiting to read data from the Nginx proxy server running in the run pod. You must use finite duration syntax to configure the time. For example, 30s for 30 seconds, 5m for 5 minutes, and 1h for 1 hour. See the Architecture documentation for application services. | |||
| ||||
| Controls how often the garbage collector runs to delete old or excess persistent volumes. | |||
| ||||
| Setting a value here will cause persistent volumes older than that to be automatically deleted by the garbage collector. | |||
| ||||
| Maximum number of idle persistent volumes to keep. Idle volumes in excess of this number will be deleted by the garbage collector. | |||
| ||||
| Kubernetes storage class that will be used to dynamically provision persistent volumes. This is set initially to the value of | |||
| ||||
| Size in GB of compute grid persistent volumes. This is the total amount of disk space available to users in runs and workspaces. | |||
| ||||
| The number of seconds an execution pod in a deploying state will wait before timing out. | |||
| ||||
| The number of seconds an execution pod that cannot be assigned due to execution quota limitations will wait for resources to become available before timing out. | |||
| ||||
| The number of seconds an execution pod in a preparing state will wait before timing out. | |||
| ||||
| This is the maximum number of executions each user will be allowed to run concurrently. If a user attempts to start additional executions in excess of this those executions will be queued until some of the user’s other executions finish. | |||
| ||||
| The maximum number of executions that can be queued per user. If a user tries to queue more than this, the excess executions will fail. | |||
| ||||
| The maximum total number of executions that can be queued across all users. If users try to queue more than this, the excess executions will fail. |
Use the Custom certificates to configure Domino to connect to external services.
Key | Default | Description |
---|---|---|
| ||
| Contents of the custom certificates bundle. Values are concatenated certificates in PEM format1 |
(1) The bundle is formatted as a series of concatenated certificates in PEM format. You must have the line breaks around the lines:
-----BEGIN CERTIFICATE—--
-----END CERTIFICATE—--
The bundle must contain all the certificates that you would typically use to connect to the private services, including intermediate and root certificates.
These options customize MongoDB connections.
Key | Default | Description |
---|---|---|
| ||
| Domino recommends consulting your Domino representative before changing this key. Sets the time (in milliseconds) after which the user object is retrieved from the MongoDB rather than from the cache. | |
| ||
| Deprecated. Set to | |
| ||
| Do not change the value of this key. The name of the MongoDB collection that stores central configuration data set at initial deployment. | |
| ||
Empty | Deprecated. The URI for an external MongoDB used to store Domino metadata. | |
| ||
| Sets the initial backoff duration for any database operation retries that use an exponential backoff algorithm with the MongoDB. | |
| ||
| Sets the maximum attempts for MongoDB operation retries with exponential backoff. | |
| ||
| Indicates whether MongoDB operations will be retried with exponential backoff or not. Values are | |
| ||
| Specifies whether the enter organization’s Mongo collection is cached in memory to improve performance in the Domino application. | |
| ||
| Specifies the cache lifetime (in milliseconds) for | |
| ||
| The maximum number of threads allowed to wait for a MongoDB connection. |
These options relate to Domino API.
Key | Default | Description |
---|---|---|
| ||
| When | |
| ||
N/A | Typically set at deployment, the Superuser’s API key is used for interactions between Domino components. Contact your Domino representative if you need assistance. | |
| ||
N/A | Typically set at deployment, the Superuser’s username is used for interactions between Domino components. Contact your Domino representative if you need assistance. |
These options relate to Domino CLI.
Key | Default | Description |
---|---|---|
| ||
N/A | Identifies what will handle requests to S3. If set to S3, then the Domino CLI will interact directly with S3. If set to API, then the CLI will interact with the Domino instance, and Domino will then interact with S3. | |
| ||
| Used to separately host the Domino Command Line Interface (CLI). An example of when this might be used is when a critical fix is needed before the next Domino upgrade. |
These options relate to email notifications from Domino.
They are available in namespace common
and must be recorded with no name
.
Key | Default | Description |
---|---|---|
| ||
N/A | Deprecated. Set this value in Domino’s administrator application. To configure the email address from which to get notifications, go to Admin > Advanced > Email Settings and complete the Notifications FROM Address field. | |
| ||
| When | |
| ||
| Deprecated. If you want to set SMTP to bypass password authentication, go to Admin > Advanced > Email Settings and select SMTP. Then, select the No Password check box. | |
| ||
| Deprecated. If you want to set SMTP to bypass user authentication, go to Admin > Advanced > Email Settings and select SMTP. Then, select the No Username check box. | |
| ||
N/A | Deprecated. Go to Admin > Advanced > Email Settings and select the transport type as SES, SMTP, or Logging. | |
| ||
| Enable email notifications for the runs which resulted in errors or warnings. | |
| ||
None | Hostname of SMTP relay to use for sending emails from Domino. | |
| ||
None | Username to use for authenticating to the SMTP host. | |
| ||
| Port to use for connecting to SMTP host. | |
| ||
| Whether the SMTP host uses SSL. | |
| ||
| Enable email notifications for the runs which resulted in errors or warnings. | |
| ||
| Comma-separated list of email recipients who should get the error notifications. The placeholder value | |
| ||
| Comma-separated list of email recipients who should get the warning notifications. The placeholder value |
These options relate to Domino Environments.
They are available in namespace common
and must be recorded with no name
.
Key | Default | Description |
---|---|---|
| ||
| If set to | |
| ||
| Docker image URI for the initial default environment. | |
| ||
Domino Analytics Distribution Py3.6 R3.6 | Name of the initial default environment. |
These options relate to the file contents download API endpoint.
They are available in namespace common
and must be recorded with no name
.
Key | Default | Description |
---|---|---|
| ||
| Set to | |
| ||
None | Set to |
These options relate to the Domino ImageBuilder V2 and V3.
Use the ImageBuilder to create new environment revision and Model API version Docker images.
To satisfy requirements around heightened security and support for non-Docker container runtimes (such as cri-o for OpenShift), the ImageBuilder uses an open-source image building engine named Buildkit and wraps in a suitable fashion for Domino’s use.
The ImageBuilder acts as a controller, built around the Kubernetes operator pattern in which it acts on custom resources (ContainerImageBuild
) using standard CRUD actions.
Key | Default | Description |
---|---|---|
| ||
| The external Docker registry URI to pull Domino base images from. | |
| ||
| The K8s secret containing credentials for authentication to an external Docker registry. | |
| ||
<Domino Compute Namespace> | The namespace where the external Docker registry secret is located. | |
| ||
None | Sets a hard upper limit on the object size of created environment revisions in the internal Docker registry. Takes arguments in the form: | |
| ||
None | Sets a hard upper limit on the object size of created Model API revisions in the internal Docker registry. Takes arguments in the form: | |
| ||
| Sets a hard upper limit on the vCPU required for image builds. Takes kubernetes quantities as arguments. | |
| ||
| Sets a hard upper limit on the memory required for image builds. Takes kubernetes quantities as arguments |
These options relate to long-running workspace sessions and long-running jobs.
They are available in namespace common
and must be recorded with no name
.
Key | Default | Description | ||
---|---|---|---|---|
| ||||
| Defines how long a workspace must run in seconds before the workspace is classified as 'long-running' and begins to generate notifications or becomes subject to automatic shutdown. | |||
| ||||
| Set to | |||
| ||||
| Set to | |||
| ||||
| Maximum time (in seconds) that a user can set as the period between receiving long-running notification emails.
|
These options relate to long-running workspace sessions.
They are available in namespace common
and must be recorded with no name
.
Key | Default | Description |
---|---|---|
| ||
| Set to | |
| ||
| Set to | |
| ||
| Longest time in seconds a long-running workspace will be allowed to continue before automatic shutdown. Users cannot set their automatic shutdown timer to be longer than this. |
These options relate to Model APIs.
They are available in namespace common
and must be recorded with no name
.
Key | Default | Description |
---|---|---|
| ||
| Default number of instances per Model used for Model API scaling. | |
| ||
| Maximum number of instances per Model used for Model API scaling. | |
| ||
| Key used in Kubernetes label node selector for Model API pods. | |
| ||
| Value used in Kubernetes label node selector for Model API pods. | |
| ||
| The uWSGI worker count. This scales all Python Model APIs by setting the degree of parallelism. | |
| ||
| The maximum size, after truncation, of the JSON representation of Model API requests and responses that are written to stdout. |
These options customize how prediction data is captured for monitoring:
Data retention and deletion options
Key | Default | Description |
---|---|---|
| ||
30 | Retention of the parquet files (in number of days) before they get deleted to free up space. | |
| ||
autodelete | Key of the {key: value} pair used to select a file for auto-deletion | |
| ||
TRUE | Value of the {key: value} pair used to select a file for auto-deletion | |
| ||
1 | Grace period to keep the source raw log files post processing |
Model API-specific options
Key | Default | Description | ||
---|---|---|---|---|
| ||||
shared-$stage-compute (Same as domino filecache) | PVC name for storing prediction data. | |||
| ||||
/domino/shared | PVC mount point for storing prediction data. | |||
| ||||
scratch | PVC sub mount point. | |||
| ||||
Supplied from Domino Charts | Fluent-bit image. | |||
| ||||
Supplied from Domino Charts | Logrotate image. | |||
| ||||
Supplied from Domino Charts | The secret for the ingress route for Model API publishing.
|
Cohort Analysis options
Key | Default | Description |
---|---|---|
| ||
DominoActionableInsights | The name of the project for Actionable Insights. | |
| ||
DominoActionableInsightsDataset | The name of the dataset for Actionable Insights. | |
| ||
Environment ID for the Actionable Insights Job. If not defined | ||
| ||
Environment ID for the Actionable Insights Spark Cluster. If not defined | ||
| ||
small-k8s | Hardware Tier ID for the Actionable Insights Job. | |
| ||
medium-k8s | Hardware Tier ID for the Actionable Insights Spark Master. | |
| ||
medium-k8s | Hardware Tier ID for the Actionable Insights Spark Workers. | |
| ||
2 | Number of workers for the Spark cluster. |
The ShortLived.EnableUserNotifications
feature flag enables the Notifications feature.
This means that it shows the following:
-
Notifications page for Administrators where they can create and manage notifications.
-
Notifications icon and indicator to identify the criticality of the notifications in the navigation pane.
-
Notifications page where users can view their notifications.
If this flag is turned off, all these items are hidden.
See Event Notifications in the User Guide and Notifications in this Admin Guide.
Key | Default | Description |
---|---|---|
| ||
| Frequency with which notifications will be checked for automatic expiry ( | |
| ||
| Enables the job that expires notifications. Notifications without a set end time are expired based on the setting in | |
| ||
| Sets an expiration time (in days) for notifications without an end date. | |
| ||
| Specifies the time (in days) after which expired notifications will be deleted. | |
| ||
| Specifies the maximum number of notifications allowed in the system. | |
| ||
| Enables backend telemetry (statistics about the number and type of generated notifications) for notifications. | |
| ||
| The delay before Notifications telemetry is executed the first time. This delays the impact on database processing during initial system startup. | |
| ||
| The time between when the notification statistics are updated. | |
| ||
| If true, the system shows metrics for each user about the number and types of notifications generated. If false, the system shows metrics about all notifications. |
The options relate to Notification channels.
Key | Default | Description |
---|---|---|
| ||
N/A | The email address from which Domino sends email notifications. | |
| ||
N/A | The host address of the SMTP server from which Domino sends emails. | |
| ||
N/A | The password for the SMTP server, which is typically the same password for your web server, from which Domino sends emails. | |
| ||
25 | The TCP port to use to communicate with your SMTP server. | |
| ||
| Indicates whether the SMTP server uses Secure Sockets Layer (SSL) for secure communications. | |
| ||
N/A | The username used by the client to authenticate to the SMTP server to send email. |
The options relate to the on-demand MPI clusters.
They are available in namespace common
and must be recorded with no name
.
Key | Default | Description |
---|---|---|
| ||
| Frequency in seconds to run status checks on on-demand MPI clusters. | |
| ||
| How long the frontend waits for a response, in seconds, after a file sync request before sending an error. | |
| ||
| The maximum duration a sync runs before being considered to have timed out. | |
| ||
| The interval, in seconds, the Job launcher script checks the compute cluster file sync status waiting for ready status. | |
| ||
| The name of the secret in the domino-compute namespace containing the SSH key material used when configuring SSH on MPI workers. | |
| ||
| Volume mount path location of additional storage for the compute cluster. | |
| ||
| Whether to inject the Istio Proxy sidecar into worker Pods. | |
| ||
Configures the |
These options relate to the on-demand Spark clusters.
They are available in namespace common
and must be recorded with no name
.
Key | Default | Description |
---|---|---|
| ||
| Frequency in seconds to run status checks on on-demand Spark clusters. | |
| ||
| File system path on which Spark worker storage is mounted. | |
| ||
None | Option to supply alternative default configuration directory for on-demand Spark clusters. | |
| ||
| Minimum amount of memory in MiB to use for Spark worker overhead. | |
| ||
| Spark worker overhead scaling factor. | |
| ||
None | Set to |
The following configuration settings are used for caching.
Key | Default | Description | ||
---|---|---|---|---|
| ||||
| Use this key to modify the period (in months) of historical data that the Control Center uses. You might have to change this value to less than
| |||
| ||||
| Specifies how often the cache is refreshed in minutes. This cache is used in the Control Center and improves performance. However, if the cache is refreshed every 30 minutes some recent data will not be included in the reports. |
This option is available in namespace common
and must be recorded with no name
.
Key | Default | Description |
---|---|---|
| ||
String of comma-separated project paths. For example,
| ||
| ||
String, indicating the biggest file that may be rendered in the filebrowser: 5 MB, 10 kB, 1 GB, 7 B |
Project visibility options
These options relate to project visibility settings.
They are available in namespace common
and must be recorded with no name
.
Key | Default | Description |
---|---|---|
| ||
| If set to | |
| ||
| Controls the default visibility setting for new projects. Options are |
This option is related to
Grant Access to Domino Apps.
This is available in namespace common
and must be recorded with no name
.
Key | Default | Description |
---|---|---|
| ||
TRUE | Set to FALSE to disable the Anyone, including anonymous users and Anyone with an account access permissions. See Grant Access to Domino Apps for more information about these permissions. |
Key | Default | Description |
---|---|---|
| ||
FALSE | Set to TRUE to enable marking environments and projects as restricted. |
These options relate to read-write datasets.
They are available in namespace common
and must be recorded with no name
.
Scratch spaces have been deprecated starting with Domino 4.5.
Key | Default | Description | ||||
---|---|---|---|---|---|---|
| ||||||
| The time before the system deletes a dataset that was marked for deletion. If you deleted a dataset, you have this time to retrieve the dataset. After this time expires, the dataset cannot be recovered. See Datasets and Snapshots. | |||||
| ||||||
| The maximum number of files shown in the dataset snapshot file viewer | |||||
| ||||||
| The timeout for fetching files in the dataset snapshot file viewer | |||||
| ||||||
| If | |||||
| ||||||
| The maximum number of snapshots a user can create for a dataset. If the user reaches the maximum number of snapshots, the next time they create a snapshot, Domino shows a warning that they have reached their snapshot limit and that if they proceed, their oldest snapshot will be marked for deletion. | |||||
| ||||||
| The maximum number of Datasets you can create in a Project. If the user reaches the maximum number of datasets, Domino shows a message about the limit. | |||||
| ||||||
| The maximum file size (in bytes) that the Data renderer will support to preview files. If a file is larger than this limit, the renderer will default to a message recommending file download. | |||||
| ||||||
| Set the path to mount datasets in Domino projects. Users see this path in the Path column on the Domino Datasets tab on the Data page.
See Domino Datasets. | |||||
| ||||||
| Path at which datasets reside in git-based projects.
| |||||
| ||||||
1 minute | The time allotted to gather all file sizes to calculate the size of the snapshot. If the time expires and the size hasn’t finished calculating, Domino shows the current calculation for the snapshot but doesn’t notify the user that the calculation is incomplete. | |||||
| ||||||
| The percentage of a user’s dataset storage quota that, when reached, triggers warning notifications. | |||||
| ||||||
| The percentage of a user’s dataset storage quota that, when reached, triggers email notifications. | |||||
| ||||||
| Interval during which the size of a snapshot are not recalculated. | |||||
| ||||||
| Interval during which notifications to users about their storage usage are not repeated. | |||||
| ||||||
| Estimate unit cost of a dataset (in dollars/GB/month). This value is multiplied linearly by the size of a dataset to estimate its cost per month. |
Key | Default | Description |
---|---|---|
| ||
| The maximum number of input files to compare. | |
| ||
| The maximum number of input file comparisons that will be found. If this value is reached, the comparison will stop. | |
| ||
| The maximum number of result files to compare. | |
| ||
| The maximum number of result file comparisons that will be found. If this value is reached, the comparison will stop. |
These options relate to the User Activity Reports.
Key | Default | Description | ||
---|---|---|---|---|
| ||||
| Sets the default recipient for the user activity report. To access this report, go to Admin > Advanced > User Activity Report. | |||
| ||||
| When | |||
| ||||
| Specifies the number of days to report for recent activity in the user activity reports. For example, the default value includes activity within the past 30 days in the Recent Activity section.
| |||
| ||||
| Defines the frequency for automatically scheduled user activity reports. The default cron string value is set to daily at 02:00. | |||
| ||||
Empty | Identifies a comma-separated list of email addresses that receive automatic scheduled user activity reports. This is not shown in the Central Configuration unless it is set explicitly. Example values are: email1@domain.com, email2@domain.com. |
In Domino, secrets are stored in an instance of HashiCorp Vault. By default, Vault does not require any configuration for specific secrets to be stored in encrypted form at rest. Supported Secrets are:
-
User environment variables
-
User API keys
-
Data source access secrets
-
Project environment variables
The following configuration settings are used to connect to Vault.
Key | Default | Description |
---|---|---|
| ||
N/A | Beta feature: Contact your Domino representative for assistance. Used to configure Domino to work with your Vault installation outside the Domino cluster. This is the path where the Vault token is present. If the .token config key is present, this is ignored. | |
| ||
N/A | Beta feature: Contact your Domino representative for assistance. Used to configure Domino to work with your Vault installation outside the Domino cluster. This is the literal value of the Vault token that overrides the .tokenFile config key. | |
| ||
N/A | Beta feature: Contact your Domino representative for assistance. Used to configure Domino to work with your Vault installation outside the Domino cluster. Specifies how often to reread the token when configuring an external Vault integration. This setting is only useful when the token is configured with tokenFile. Example values are: 2s, 10m, 1h. See duration format for syntax information. | |
| ||
N/A | Beta feature: Contact your Domino representative for assistance. Used to configure Domino to work with your Vault installation outside the Domino cluster. The URL with port for the Vault’s API endpoint which is used to configure the external Vault integration. | |
| ||
| Beta feature: Contact your Domino representative for assistance. Used to configure Domino to work with your Vault installation outside the Domino cluster. The path in the Vault to the key-value store that Domino uses. | |
| ||
| Beta feature: Contact your Domino representative for assistance. Used to configure Domino to work with your Vault installation outside the Domino cluster. An optional path in the key-value store that serves as the root for all Domino-stored secrets. |
IFrame Security
Web apps in Domino are served in HTML inline frames, also known as “iframes”. To improve iframe security, a “sandbox” attribute can be set for iframe elements. When this attribute is set, extra security restrictions are applied to the iframes serving web apps in Domino, like blocking cross-origin requests, form submissions, script executions, and much more.
In Domino, this “sandbox” attribute can be toggled with the ShortLived.iFrameSecurityEnabled
feature flag.
Setting this flag to “TRUE” will apply the sandbox attribute to the iframe and apply the extra security restrictions.
If the flag is set to “FALSE”, no security restrictions will be applied to the iframe.
By default, in Domino 4.4.1 the ShortLived.iFrameSecurityEnabled
flag is set to FALSE.
Important
| This feature flag will be deprecated in future versions of Domino. Domino recommends implementing web app security using content security policies instead (described below). |
Content Security Policies
A content security policy allows Domino web apps to access specific, whitelisted external resources. Any request made to non-whitelisted external resources, however, will be blocked.
In Domino, you can toggle this feature with the EnableContentSecurityPolicyforApps
feature flag.
Setting this flag to “TRUE” will block requests to all non-whitelisted resources and allow requests to whitelisted resources.
Setting this flag to “FALSE” will allow all requests to resources (that is, no blocking of any kind).
By default, in Domino 4.4.1 the EnableContentSecurityPolicyforApps
is set to FALSE.
The keys and default values associated with this feature flag are listed in the table below.
Key | Default | Description |
---|---|---|
| ||
| Whitelist the app’s own host URL for all resource types.
This can be toggled to | |
| ||
| Allows images to be inserted directly into a webapp using a | |
| ||
| Whitelists the URLs of the scripts that the demo Apps in the | |
| ||
| Allows apps to define their own styles with | |
| ||
| Allows the app to use WebSockets, which use URLs that begin with |
To whitelist a resource:
-
Go to Configuration Management (that is, Central Config) in your Domino admin settings.
-
Click Add Record.
-
Set the key to
com.cerebro.domino.apps.contentSecurityPolicy.whiteListedConnectSrcList
. -
Set the value to
ws:
followed by the URL of the resource you’d like to whitelist (that is,ws: https://foobar.buz.bax/
). You must work with your team to figure out which URLs have to be whitelisted. For more details, see: Identify Resources to Whitelist. -
Save the record and restart Domino services.
IFrame Security in combination with Content Security Policies
In Domino 4.4.1, the ShortLived.iFrameSecurityEnabled
and EnableContentSecurityPolicyforApps
feature flags coexist.
The matrix below describes the blocking behavior for requests based on both feature flags.
Important
|
The IFrame feature flag will be deprecated in future versions of Domino. Domino recommends implementing web app security using content security policies instead. |
ShortLived.iFrameSecurityEnabled = FALSE | ShortLived.iFrameSecurityEnabled = TRUE | |
---|---|---|
EnableContent SecurityPolicyForApps = FALSE | No blocking occurs. All requests to external resources are allowed. | All requests from web apps to external resources are blocked. |
EnableContent SecurityPolicyForApps = TRUE | Only requests to whitelisted external resources are allowed. All other requests to external resources are blocked. | All requests from web apps to external resources are blocked. |
Use these options to customize the Domino application with your organization’s brand. See White Labeling.
Key | Default | Description |
---|---|---|
| ||
N/A | Set a URL that directs your users to a web-based form or email address (mailto:support@domain.com). | |
| ||
N/A | Set the custom HTML to show immediately above the page footer. | |
| ||
N/A | Set the URL for the image that you want shown in the footer.
The image displays on the same line as the Domino logo.
If | |
| ||
N/A | A JSON-formatted list of white labeling configuration parameters, such as:
|
These options relate to Domino workspaces.
Key | Default | Description |
---|---|---|
| ||
| Controls default allocated persistent volume size for a new workspace. | |
| ||
| Controls min allocated persistent volume size for a new workspace. | |
| ||
| Controls max allocated persistent volume size for a new workspace. | |
| ||
| Sets a limit on the number of provisioned workspaces per user per project. | |
| ||
| Sets a limit on the number of provisioned workspaces per user across all projects. | |
| ||
| Sets a limit on the number of provisioned workspaces across the whole Domino. | |
| ||
| Sets a limit on the total volume size of all provisioned workspaces across the whole Domino combined. | |
| ||
| The number of seconds the frontend waits after the workspace stops before making the delete request to the backend. This allows for enough time after workspace stop for the workspace’s persistent volume to be released. If users frequently receive an error after trying a delete, then this value should be increased. | |
| ||
| Whether to capture snapshots of workspace persistent volumes in AWS. | |
| ||
| How often to delete all but the X most recent snapshots
Where X is a number defined by | |
| ||
| The number of snapshots to retain. All older snapshots beyond this limit will be deleted during a periodic cleanup. |