About Domino
Domino Data LabKnowledge BaseData Science BlogTraining

Central Configuration

The Central Configuration is where all global settings for a Domino installation are listed.

  1. Go to the Admin portal.

  2. Click Advanced > Central Config.

  3. On the Configuration Management page, you can:

    • Click an existing record to edit its attributes.

    • Click Add Record to create a new setting. If no record is created in the application, the system uses the default value.

      You must restart the Domino services for changes to take effect. To do this, click here to restart services.

      Click the header link to restart services

      Important

Audit

These options relate to the Audit log. They are available in namespace common and must be recorded with no name.

Key

Default

Description

com.cerebro.domino.audit.enabled

true

Enables Domino to store audit events and shows the Audit Log button. See Download the audit log. Domino recommends that you do not change this value unless you must disable auditing.

com.cerebro.domino.audit.pagination.page.size

100

Page size for the number of records fetched from MongoDB.

com.cerebro.domino.audit.pdf.generation.memory.limit

25

The maximum memory limit used by PDF generation. If the memory usage is greater than 25 MB, temporal files are used.

Authentication

These options relate to the Keycloak authentication service. They are available in namespace common and must be recorded with no name.

Key

Default

Description

authentication.oidc.externalOrgsEnabled

false

Enables Domino organization membership to synchronize with SAML identity provider attributes so that membership can be managed by the identity provider.

com.cerebro.domino.userManagement.userRolesEditingEnabled

true

Enables editing user roles in Domino. Should be set to false in case user roles are coming from the identity provider.

com.cerebro.domino.userManagement.passwordResetEnabled

true

Enables the ability to reset a user’s login password via the admin users page. Should be set to false when users are managed with an external identity provider.

Authorization

These options relate to authorization and user roles.

KeyDefaultDescription

com.cerebro.domino.auth.refreshTokenInRun.proxyPort

8899

The port on which the API proxy operates. Do not change this value.

Caution

com.cerebro.domino.restrictPublishing

false

If true, only SupportStaff and SysAdmins can create launchers, schedule runs, or publish apps and model APIs.

com.cerebro.domino.authorization.restrictManageCollaborators

false

If true, Project Owners can manage project collaborators. However, the Invite button in the Collaborators and permissions section on the Access & Sharing tab in Project Settings is not available for other users, even if they are collaborators. See Invite collaborators.

com.cerebro.domino.authorization.limitProjectSharing

false

If true, then only users with the Project Manager Domino user role or administrators can manage project permissions. See Settings permissions.

Blob storage

Domino can store long-term, unstructured data in blob storage buckets.

KeyDefaultDescription

com.cerebro.domino.blobStorageMedium

""

Determines the DFS storage host for the deployment. For example if set to S3 or AzureBlob, the deployment uses the corresponding object store.

S3 storage options

These options relate to Domino File System support for AWS S3 storage. This is available for AWS deployments only.

KeyDefaultDescription

com.cerebro.domino.blobs.s3.connectionManagerTimeoutDuration

60s

The timeout duration for a connection from the connection manager.

com.cerebro.domino.blobs.s3.connectionTimeoutDuration

60s

The timeout duration for the connection to S3 storage.

com.cerebro.domino.blobs.s3.bucketInPath

false

Configures the S3 client to use path-style access for all requests.

com.cerebro.domino.blobs.s3.bucket

""

Required: Name of the S3 bucket in which you want to store blobs.

com.cerebro.domino.blobs.s3.defaultS3BucketPrefix

""

Prefix that is added to the container name. The user can set this, but this prefix must also be on the container in S3.

com.cerebro.domino.blobs.s3.defaultS3BucketSuffix

""

Suffix that is added to the container name. The user can set this, but this suffix must also be on the container in S3.

com.cerebro.domino.blobs.s3.endpointUrl

""

Overrides the S3 client endpoint.

com.cerebro.domino.blobs.s3.maxConnections

100

Determines the pool size of max blobs to transfer concurrently.

com.cerebro.domino.blobs.s3.path

""

Carried over from the S3 settings.

com.cerebro.domino.blobs.s3.region

""

The region of the S3 account.

com.cerebro.domino.blobs.s3.signedUrlTimeoutDuration

5 minutes

The timeout duration to access the S3 blob store through a signed URL. This pertains to the CLI only.

com.cerebro.domino.blobs.s3.socketTimeoutDuration

60s

The timeout duration for packets to reach the server.

com.cerebro.domino.blobs.s3.sseKmsKeyId

""

The KMS key ID for use with server-side encryption.

Azure blob storage

Domino can store long-term, unstructured data in blob storage buckets.

These options relate Domino File System (DFS) support for Azure blob storage. This is available for new Azure deployments only.

Note
KeyDefaultDescription

com.cerebro.domino.azureblob.accountKey

""

Required: The account key of the Azure blob storage account for the user. Without this, projects won’t load. You can find this information on the Azure Portal Storage Account page under Access Keys.

com.cerebro.domino.azureblob.accountName

""

Required: The account name of the Azure blob storage account for the user. Without setting this, files from projects won’t load. You can find this information on the Azure Portal Storage Account page under Access Keys.

com.cerebro.domino.azureblob.blobStorageMedium

""

Determines the DFS storage host for the deployment. For example if set to Azure, the deployment uses the Azure blob store for DFS.

com.cerebro.domino.azureblob.connectionManagerTimeoutDuration

60s

The timeout duration for a connection from the connection manager.

com.cerebro.domino.azureblob.connectionTimeoutDuration

60s

The timeout duration for the connection to Azure blob storage.

com.cerebro.domino.azureblob.containerName

""

Required: Container name of the blob container in which you want to store blobs.

com.cerebro.domino.azureblob.defaultAzureBlobContainerPrefix

""

Prefix that is added to the container name. The user can set this, but this prefix must also be on the container in Azure.

com.cerebro.domino.azureblob.defaultAzureBlobContainerSuffix

""

Suffix that is added to the container name. The user can set this, but this suffix must also be on the container in Azure.

com.cerebro.domino.azureblob.defaultEndpointsProtocol

https

The protocol to use to hit Azure endpoints. Do not change this value.

com.cerebro.domino.azureblob.endpointSuffix

core.windows.net

The common endpoint suffix for all Azure endpoints. All Azure endpoints end with core.windows.net.

com.cerebro.domino.azureblob.maxConnections

100

Determines the pool size of max blobs to transfer concurrently. Not required for Azure blob storage.

com.cerebro.domino.azureblob.socketTimeoutDuration

60s

The timeout duration for packets to reach the server.

Builder

These options relate to the Domino builder.

The Domino builder is a container that runs as a Kubernetes job to build the Docker images for Domino environments and Model APIs. This container is deployed to a node labeled with a configurable Kubernetes label (defaults to domino/build-node=TRUE) whenever a user triggers an environment or model build.

KeyDefaultDescription

com.cerebro.domino.builder.remoteRegistryCredentials.server

quay.io

The external Docker registry URI to pull Domino base images from.

com.cerebro.domino.builder.remoteRegistryCredentials.additionalServers

None

If you use multiple external registries, a comma-separated list of Docker registry URIs from which to build the Domino base image.

com.cerebro.domino.builder.remoteRegistryCredentials.secretName

domino-quay-repos

The K8s secret containing credentials for authentication to an external Docker registry.

com.cerebro.domino.builder.remoteRegistryCredentials.secretNamespace

<Domino Compute Namespace>

The namespace where the external Docker registry secret is located. on

Caching

KeyDefaultDescription

com.cerebro.domino.caching.featureFlagOverridesCacheTimeMs

10000

The length of time from which the feature flag information is requested to the next time they will be retrieved from the server.

Compute Cluster auto-scaling

These settings are related to the ability to enable auto-scaling of Spark, Ray, and Dask on-demand clusters. They are available in namespace common and must be recorded with no name.

Key

Default

Description

com.cerebro.domino.computegrid.computeCluster.autoscaling.targetCpuUtilizationPercent

None

Target CPU utilization percentage when scale up of clusters should trigger. If not set, the Kubernetes default of 80% is used.

com.cerebro.domino.computegrid.computeCluster.autoscaling.targetMemoryUtilizationPercent

None

Target memory utilization percentage when scale up of clusters should trigger.

com.cerebro.domino.computegrid.computeCluster.autoscaling.scaleDownStabilizationWindowSeconds

None

Scale down stabilization window. On lower versions, 300 seconds will apply.

The following table describes the interaction of the auto-scaling settings.

targetCpuUtilizationPercenttargetMemoryUtilizationPercentbehavior

Not set

Not set

The default Kubernetes setting of 80% CPU utilization applies.

X

Not set

X% CPU utilization threshold applies. Memory utilization is not considered.

Not set

Y

CPU utilization is not considered. Y% Memory utilization threshold applies.

X

Y

Scaling will trigger based on reaching either X% CPU OR Y% memory utilization.

For more information on compute cluster auto-scaling, you can see the Kubernetes HPA documentation.

Compute grid

These options relate to the compute grid. They are available in namespace common and must be recorded with no name.

KeyDefaultDescription

com.cerebro.domino.computegrid.eventHistory.executions.allowVpn

false

Must be true to support runs using environments configured to use a VPN. Adds the NET_RAW capability to the run container when using a VPN, which has security drawbacks.

com.cerebro.domino.computegrid.eventHistory.garbageCollection.isEnabled

true

If true, the garbage collector will run periodically to manage the size of the memory of event history in MongoDB.

com.cerebro.domino.computegrid.eventHistory.garbageCollection.periodicity

1 hour

How often the garbage collector runs to manage the size of the memory for the event history in MongoDB.

com.cerebro.domino.computegrid.kubernetes.apps.nginx.clientBodyMaxSizeMiB

25MiB

Sets the client_body_max_size property for the nginx reverse proxy in workspace pods.

Note

com.cerebro.domino.computegrid.kubernetes.apps.nginx.connectTimeout

300s if the key is not configured upon deployment.

The timeout for waiting to connect to the Nginx proxy server running in the run pod. You must use finite duration syntax to configure the time. For example, 30s for 30 seconds, 5m for 5 minutes, and 1h for 1 hour. See Application services.

com.cerebro.domino.computegrid.kubernetes.apps.nginx.readTimeout

300s if the key is not configured upon deployment.

The timeout for waiting to read data from the Nginx proxy server running in the run pod. You must use finite duration syntax to configure the time. For example, 30s for 30 seconds, 5m for 5 minutes, and 1h for 1 hour. See Application services.

com.cerebro.domino.computegrid.kubernetes.volume.gcFrequency

10min

Controls how often the garbage collector runs to delete old or excess persistent volumes.

com.cerebro.domino.computegrid.kubernetes.volume.maxAge

7 days

Setting a value here will cause persistent volumes older than that to be automatically deleted by the garbage collector.

com.cerebro.domino.computegrid.kubernetes.volume.maxIdle

32

Maximum number of idle persistent volumes to keep. Idle volumes in excess of this number will be deleted by the garbage collector.

com.cerebro.domino.computegrid.kubernetes.volume.storageClass

dominodisk

Kubernetes storage class that will be used to dynamically provision persistent volumes. This is set initially to the value of storage_classes.block.name in the installer storage classes configuration.

com.cerebro.domino.computegrid.kubernetes.volume.volumesSizeInGB

15

Size in GB of compute grid persistent volumes. This is the total amount of disk space available to users in runs and workspaces.

com.cerebro.domino.computegrid.kubernetes.nonRootExecutions.enabled

false

If true, user executions will not run as root.

com.cerebro.computegrid.timeouts.sagaStateTimeouts.deployingStateTimeoutSeconds

60 * 60 (1 hour)

The number of seconds an execution pod in a deploying state will wait before timing out.

com.cerebro.computegrid.timeouts.sagaStateTimeouts.executionsOverQuotaStateTimeoutSeconds

24 * 60 * 60 (24 hours)

The number of seconds an execution pod that cannot be assigned due to execution quota limitations will wait for resources to become available before timing out.

com.cerebro.computegrid.timeouts.sagaStateTimeouts.preparingStateTimeoutSeconds

60 * 60 (1 hour)

The number of seconds an execution pod in a preparing state will wait before timing out.

com.cerebro.domino.computegrid.userExecutionsQuota.maximumExecutionsPerUser

25

This is the maximum number of executions each user will be allowed to run concurrently. If a user attempts to start additional executions in excess of this those executions will be queued until some of the user’s other executions finish.

com.cerebro.domino.computegrid.userExecutionsQuota.userExecutionQueueLimit

100

The maximum number of executions that can be queued per user. If a user tries to queue more than this, the excess executions will fail.

com.cerebro.domino.computegrid.userExecutionsQuota.globalExecutionQueueLimit

1000

The maximum total number of executions that can be queued across all users. If users try to queue more than this, the excess executions will fail.

Custom certificates

Use the Custom certificates to configure Domino to connect to external services.

Key

Default

Description

custom_certificates

No

Contents of the custom certificates bundle. Values are concatenated certificates in PEM format1

(1) The bundle is formatted as a series of concatenated certificates in PEM format. You must have the line breaks around the lines:

      -----BEGIN CERTIFICATE—--
      -----END CERTIFICATE—--

The bundle must contain all the certificates that you would typically use to connect to the private services, including intermediate and root certificates.

Database

These options customize MongoDB connections.

KeyDefaultDescription

com.cerebro.domino.caching.userPersisterCacheTimeMs

10000

Domino recommends consulting your Domino representative before changing this key. Sets the time (in milliseconds) after which the user object is retrieved from the MongoDB rather than from the cache.

com.cerebro.domino.centralConfig.isEnabled

true

Deprecated. Set to false to use an external MongoDB specified by the URI in centralConfig.mongoURI.

com.cerebro.domino.centralConfig.mongoCollection

config

Do not change the value of this key. The name of the MongoDB collection that stores central configuration data set at initial deployment.

com.cerebro.domino.centralConfig.mongoURI

Empty

Deprecated. The URI for an external MongoDB used to store Domino metadata.

com.cerebro.domino.database.retry.initialBackoffDuration

1 second

Sets the initial backoff duration for any database operation retries that use an exponential backoff algorithm with the MongoDB.

com.cerebro.domino.database.retry.maxAttempts

8

Sets the maximum attempts for MongoDB operation retries with exponential backoff.

com.cerebro.domino.database.retry.policy

Exponential

Indicates whether MongoDB operations will be retried with exponential backoff or not. Values are Exponential or None.

com.cerebro.domino.organizations.cache.enable

true

Specifies whether the enter organization’s Mongo collection is cached in memory to improve performance in the Domino application.

com.cerebro.domino.organizations.cache.ttlMs

500

Specifies the cache lifetime (in milliseconds) for organizations.cache.enable.

mongodb.default.settings.cluster.maxWaitQueueSize

500

The maximum number of threads allowed to wait for a MongoDB connection. The namespace is role and the name is dispatcher.

Data planes

KeyDefaultDescription

com.cerebro.domino.hybrid.internalRegistryExternal.host

123456789012.dkr.ecr.us-west-2.amazonaws.com

Docker registry host name. Auto populated for hybrid-enabled control planes deployed with version 5.4 and later.

com.cerebro.domino.computegrid.kubernetes.executor.rabbitMqExternal.host

acme-rabbitmq.sandbox.domino.tech

RabbitMQ host name. Used in the data plane install command. Auto populated for hybrid-enabled control planes deployed with version 5.4 and later.

com.cerebro.domino.computegrid.kubernetes.executor.rabbitMqExternal.port

5672

Optional: RabbitMQ port.

com.cerebro.domino.hybrid.vaultExternal.host

acme-vault.sandbox.domino.tech

Vault host name. Used in the data plane install command. Auto populated for hybrid-enabled control planes deployed with version 5.4 and later.

Data Source authentication

See Configure Data Source Authentication for details about how to use these options. They are available in namespace common and must be recorded with no name.

KeyDefaultDescription

com.cerebro.domino.datasource.ADLSConfig.enabledAuthTypes

Basic

A comma-separated string specifying the enabled authentication types for ADLS data sources; only Basic is supported.

com.cerebro.domino.datasource.GCSConfig.enabledAuthTypes

Basic

A comma-separated string specifying the enabled authentication types for GCS data sources; only Basic is supported.

com.cerebro.domino.datasource.GenericS3Config.enabledAuthTypes

Basic

A comma-separated string specifying the enabled authentication types for generic S3 data sources; only Basic is supported. For Amazon S3 data source authentication, see com.cerebro.domino.datasource.S3Config.enabledAuthTypes.

com.cerebro.domino.datasource.MySQLConfig.enabledAuthTypes

Basic

A comma-separated string specifying the enabled authentication types for MySQL data sources; Basic and AWSIAMRole are supported.

com.cerebro.domino.datasource.OracleConfig.enabledAuthTypes

Basic

A comma-separated string specifying the enabled authentication types for Oracle data sources; only Basic is supported.

com.cerebro.domino.datasource.PostgreSQLConfig.enabledAuthTypes

Basic

A comma-separated string specifying the enabled authentication types for PostgreSQL data sources; Basic and AWSIAMRole are supported.

com.cerebro.domino.datasource.RedshiftConfig.enabledAuthTypes

Basic

A comma-separated string specifying the enabled authentication types for Redshift data sources; Basic and AWSIAMRole are supported.

com.cerebro.domino.datasource.S3Config.enabledAuthTypes

Basic

A comma-separated string specifying the enabled authentication types for Amazon S3 data sources; Basic and AWSIAMRole are supported.

com.cerebro.domino.datasource.SnowflakeConfig.enabledAuthTypes

Basic

A comma-separated string specifying the enabled authentication types for Snowflake data sources; Basic and OAuth are supported. See Snowflake OAuth for instructions about setting up Keycloak integration between Domino and Snowflake.

com.cerebro.domino.datasource.SQLServerConfig.enabledAuthTypes

Basic

A comma-separated string that identifies the enabled authentication types for SQLServer data sources; only Basic is supported.

Domino API options

These options relate to Domino API.

KeyDefaultDescription

com.cerebro.domino.api.isEnabled

true

When false, the Domino API cannot use API key as an authentication method.

com.cerebro.domino.internalApiHost

N/A

Do not use.

com.cerebro.domino.superuser.apiKey

N/A

Typically set at deployment, the Superuser’s API key is used for interactions between Domino components. Contact your Domino representative if you need assistance.

com.cerebro.domino.superuser.username

N/A

Typically set at deployment, the Superuser’s username is used for interactions between Domino components. Contact your Domino representative if you need assistance.

com.cerebro.domino.public.api.enabled

true

When false, the Domino Public API is disabled.

com.cerebro.domino.publicAPI.maxFetchLimit

1000

Sets the upper bound for number of objects accessible at once.

Domino Command-Line Interface (CLI)

These options relate to Domino CLI.

KeyDefaultDescription

com.cerebro.domino.frontend.clientBlobModeOverride

N/A

Identifies what will handle requests to S3. If set to S3, then the Domino CLI will interact directly with S3. If set to API, then the CLI will interact with the Domino instance, and Domino will then interact with S3.

com.cerebro.domino.frontend.cliInstallerLocation

$UserHost/assets/cli/default

Used to separately host the Domino Command Line Interface (CLI). An example of when this might be used is when a critical fix is needed before the next Domino upgrade.

Email notifications

These options relate to email notifications from Domino. They are available in namespace common and must be recorded with no name.

KeyDefaultDescription

com.cerebro.domino.email.notificationFromAddress

N/A

Deprecated. Set this value in Domino’s administrator application. To configure the email address from which to get notifications, go to Admin > Advanced > Email Settings and complete the Notifications FROM Address field.

com.cerebro.domino.email.shouldSendWelcomeEmail

true

When true, new users receive a welcome email from Domino. Email settings must be configured in Admin > Advanced > Email Settings.

com.cerebro.domino.email.smtp.emptyPassword

false

Deprecated. If you want to set SMTP to bypass password authentication, go to Admin > Advanced > Email Settings and select SMTP. Then, select the No Password check box.

com.cerebro.domino.email.smtp.emptyUser

false

Deprecated. If you want to set SMTP to bypass user authentication, go to Admin > Advanced > Email Settings and select SMTP. Then, select the No Username check box.

com.cerebro.domino.email.smtp.transportType

N/A

Deprecated. Go to Admin > Advanced > Email Settings and select the transport type as SES, SMTP, or Logging.

com.cerebro.domino.supportAlerter.enableEmailSupportAlert

false

Enable email notifications for the runs which resulted in errors or warnings.

com.cerebro.domino.email.smtp.host

None

Hostname of SMTP relay to use for sending emails from Domino.

com.cerebro.domino.email.smtp.user

None

Username to use for authenticating to the SMTP host.

com.cerebro.domino.email.smtp.port

25

Port to use for connecting to SMTP host.

com.cerebro.domino.email.smtp.ssl

false

Whether the SMTP host uses SSL.

com.cerebro.domino.supportAlerter.enableEmailSupportAlert

false

Enable email notifications for the runs which resulted in errors or warnings.

com.cerebro.domino.supportAlerter.errorRecipients

None

Comma-separated list of email recipients who should get the error notifications. Needs to be explicitly set if enableEmailSupportAlert is set to true.

com.cerebro.domino.supportAlerter.warningRecipients

None

Comma-separated list of email recipients who should get the warning notifications. Needs to be explicitly set if enableEmailSupportAlert is set to true.

Environments

These options relate to Domino Environments. They are available in namespace common and must be recorded with no name.

Key

Default

Description

com.cerebro.domino.environments.canNonSysAdminsCreateEnvironments

true

If set to false only system administrators can edit environments.

com.cerebro.domino.environments.default.image

Docker image URI for the initial default environment.

com.cerebro.domino.environments.default.name

Domino Analytics Distribution Py3.6 R3.6

Name of the initial default environment.

com.cerebro.domino.executableTarget.enabled

false

If set to true, allows users to create custom file handlers. Custom file handlers override built-in file handlers for supported file types.

com.cerebro.domino.workbench.restrictedAssets.enabled

false

If set to true, allows users to create restricted projects and admins to classify restricted environments.

Feedback

These options relate to the Domino Feedback feature. See Send Feedback.

Key

Default

Description

com.cerebro.domino.frontend.enableFeedbackModal

true

If true, and the SMTP server is configured, enables the feedback button in the Domino UI.

com.cerebro.domino.feedback.settings.sender.name

Domino Feedback

Name of the feedback email sender.

com.cerebro.domino.feedback.settings.sender.address

feedback@dominodatalab.com

Email address of the feedback email sender.

com.cerebro.domino.feedback.settings.recipient.address

feedback@dominodatalab.com

Email address of the feedback email recipient.

File download API

These options relate to the file contents download API endpoint. They are available in namespace common and must be recorded with no name.

Key

Default

Description

com.cerebro.domino.restrictBlobApi

false

Set to true to require an admin API key to download files through API. When false, any user with the blob ID for a file might download it through API.

com.cerebro.domino.frontend.clientBlobModeOverride

None

Set to API to download blobs directly in the Domino API. Set to S3 to download blobs through S3. You cannot set the blob mode override in site_config.json.

ImageBuilder

These options relate to the Domino ImageBuilder V3.

Use the ImageBuilder to create new environment revision and Model API version Docker images. To satisfy requirements around heightened security and support for non-Docker container runtimes (such as cri-o for OpenShift), the ImageBuilder uses an open-source image building engine named Buildkit and wraps in a suitable fashion for Domino’s use. The ImageBuilder acts as a controller, built around the Kubernetes operator pattern in which it acts on custom resources (ContainerImageBuild) using standard CRUD actions.

Key

Default

Description

com.cerebro.domino.builder.remoteRegistryCredentials.server

quay.io

The external Docker registry URI to pull Domino base images from.

com.cerebro.domino.builder.remoteRegistryCredentials.additionalServers

None

If you use multiple external registries, a comma-separated list of Docker registry URIs from which to build the Domino base image.

com.cerebro.domino.builder.remoteRegistryCredentials.secretName

domino-quay-repos

The K8s secret containing credentials for authentication to an external Docker registry.

com.cerebro.domino.builder.remoteRegistryCredentials.secretNamespace

<Domino Compute Namespace>

The namespace where the external Docker registry secret is located.

Long-running Workspaces

These options relate to long-running workspace sessions and long-running jobs. They are available in namespace common and must be recorded with no name.

Key

Default

Description

com.cerebro.domino.workloadNotifications.longRunningWorkloadDefinitionInSeconds

86400

Defines how long a workspace must run in seconds before the workspace is classified as 'long-running' and begins to generate notifications or becomes subject to automatic shutdown.

com.cerebro.domino.workloadNotifications.isEnabled

false

Set to true to enable the option for email notifications to users when their workspaces become long-running. If com.cerebro.domino.workloadNotifications.isEnabled is true and com.cerebro.domino.workloadNotifications.isRequired is false, users can turn these notifications on or off in their account settings.

com.cerebro.domino.workloadNotifications.isRequired

false

Set to true to turn on long-running workspace notifications for all users. While this is true users cannot turn off long-running workspace notifications.

com.cerebro.domino.workloadNotifications.maximumPeriodInSeconds

7200

Maximum time (in seconds) that a user can set as the period between receiving long-running notification emails.

Note

These options relate to long-running workspace sessions. They are available in namespace common and must be recorded with no name.

Key

Default

Description

com.cerebro.domino.workspaceAutoShutdown.isEnabled

false

Set to true to enable automatic shutdown of long-running workspaces. Users can turn automatic shutdown for their workspaces on or off from their account settings.

com.cerebro.domino.workspaceAutoShutdown.isRequired

false

Set to true to turn on automatic shutdown of long-running workspaces for all users. While this is true users cannot turn off automatic shutdown of their long-running workspaces.

com.cerebro.domino.workspaceAutoShutdown.globalMaximumLifetimeInSeconds

259200

Longest time in seconds a long-running workspace will be allowed to continue before automatic shutdown. Users cannot set their automatic shutdown timer to be longer than this.

Model APIs

These options relate to Model APIs. They are available in namespace common and must be recorded with no name.

KeyDefaultDescription

com.cerebro.domino.modelmanager.instances.defaultNumber

2

Default number of instances per Model used for Model API scaling.

com.cerebro.domino.modelmanager.instances.maximumNumber

32

Maximum number of instances per Model used for Model API scaling.

com.cerebro.domino.modelManager.nodeSelectorLabelKey

dominodatalab.com/node-pool

Key used in Kubernetes label node selector for Model API pods.

com.cerebro.domino.modelManager.nodeSelectorLabelValue

default

Value used in Kubernetes label node selector for Model API pods.

com.cerebro.domino.modelmanager.uWsgi.workerCount

1

The uWSGI worker count. This scales all Python Model APIs by setting the degree of parallelism.

com.cerebro.domino.modelmanager.harnessProxy.maxBodyLogLengthInBytes

1024

The maximum size, after truncation, of the JSON representation of Model API requests and responses that are written to stdout.

Model Monitoring

These options customize how prediction data is captured for monitoring:

Data retention and deletion options

KeyDefaultDescription

domino.parquet.cleanup_job.retention_days

30

Retention of the parquet files (in number of days) before they get deleted to free up space.

domino.parquet.conversion_job.autodelete_key

autodelete

Key of the \{key: value} pair used to select a file for auto-deletion

domino.parquet.conversion_job.autodelete_value

TRUE

Value of the \{key: value} pair used to select a file for auto-deletion

domino.parquet.conversion_job.raw_data_debug_grace_days

1

Grace period to keep the source raw log files post processing

Model API-specific options

Key

Default

Description

com.cerebro.domino.modelmanager.pvc.name

shared-$stage-compute (Same as domino filecache)

PVC name for storing prediction data.

com.cerebro.domino.modelmanager.pvc.mountPoint

/domino/shared

PVC mount point for storing prediction data.

Com.cerebro.domino.modelmanager.pvc.subdir

scratch

PVC sub mount point.

com.cerebro.domino.modelmanager.fluentBit.image

Supplied from Domino Charts

Fluent-bit image.

com.cerebro.domino.modelmanager.logrotate.image

Supplied from Domino Charts

Logrotate image.

com.cerebro.domino.modelmanager.ingress.tls.secret

Supplied from Domino Charts

The secret for the ingress route for Model API publishing.

Tip

com.cerebro.domino.modelApis.async.maxMsgSizeInBytes

10Kb

This property determines the maximum size of message in input and output queues. Therefore this property restricts the size of prediction input payload as well as inference output from model.

com.cerebro.domino.modelApis.async.mongoDb.minimumAvailableBytes

500000000

Minimum available MongoDB disk storage for asynchronous Model APIs. See Asynchronous Model APIs Capacity Planning for more information.

com.cerebro.domino.modelApis.async.rabbitmq.availableAsyncLimitBytes

1000000000

Minimum available RabbitMQ disk storage for asynchronous Model APIs. See Asynchronous Model APIs Capacity Planning for more information.

Cohort Analysis options

Key

Default

Description

com.cerebro.domino.actionable.insights.project.name

DominoActionableInsights

The name of the project for Actionable Insights.

com.cerebro.domino.actionable.insights.dataset.name

DominoActionableInsightsDataset

The name of the dataset for Actionable Insights.

com.cerebro.domino.actionable.insights.environment.id

Environment ID for the Actionable Insights Job. If not defined

com.cerebro.domino.actionable.insights.compute.environment.id

Environment ID for the Actionable Insights Spark Cluster. If not defined

com.cerebro.domino.actionable.insights.hardware.tier.id

small-k8s

Hardware Tier ID for the Actionable Insights Job.

com.cerebro.domino.actionable.insights.master.hardware.tier.id

medium-k8s

Hardware Tier ID for the Actionable Insights Spark Master.

com.cerebro.domino.actionable.insights.worker.hardware.tier.id

medium-k8s

Hardware Tier ID for the Actionable Insights Spark Workers.

com.cerebro.domino.actionable.insights.worker.count

2

Number of workers for the Spark cluster.

Multi-storage support for Datasets

These options relate to Multi-Storage Support for Datasets. They are available in namespace common and must be recorded with no name. Do not change these configurations unless you have reached out to your field team and have been instructed to do so.

Key

Default

Description

com.cerebro.domino.datacache.pvc.names

domino-shared-store-domino-compute

This is a comma-separated list of all compute-PVC names used for dataset/snapshot storage at Domino. Note that if this is set, it is crucial that the original PVC name is also included in the list.

com.cerebro.domino.datacache.pvc.primaryName

The first value in the array above

The compute-PVC name of the volume in which to store every next dataset and snapshot.

com.cerebro.domino.datacache.pvc.originalName

shared-$stage-compute (same as domino filecache)

The compute-PVC name corresponding to the original Domino storage.

com.cerebro.domino.datacache.pvc.<COMPUTE-PVC-NAME>.mountPoint

/domino/shared

For each PVC name specified in the values of com.cerebro.domino.datacache.pvc.names, specify the compute-PVC name in the key, and mount point at which the PVC is mounted in the nucleus-* deployments in the value.

Important

Notifications

The ShortLived.EnableUserNotifications feature flag enables the Notifications feature. This means that it shows the following:

  • Notifications page for Administrators where they can create and manage notifications.

  • Notifications icon and indicator to identify the criticality of the notifications in the navigation pane.

  • Notifications page where users can view their notifications.

If this flag is turned off, all these items are hidden.

See Event Notifications in the User Guide and Notifications in this Admin Guide.

Key

Default

Description

com.cerebro.domino.userNotifications.dbCleanup.jobFrequency

10 minutes

Frequency with which notifications will be checked for automatic expiry (dbCleanup.expirationEnabled) or deletion (dbCleanup.deletionEnabled).

com.cerebro.domino.userNotifications.dbCleanup.expirationEnabled

true

Enables the job that expires notifications. Notifications without a set end time are expired based on the setting in com.cerebro.domino.userNotifications.dbCleanup.expirationThreshold.

com.cerebro.domino.userNotifications.dbCleanup.expirationThreshold

30 days

Sets an expiration time (in days) for notifications without an end date.

com.cerebro.domino.userNotifications.dbCleanup.deletionThreshold

30 days

Specifies the time (in days) after which expired notifications will be deleted.

com.cerebro.domino.userNotifications.limit

5000

Specifies the maximum number of notifications allowed in the system.

com.cerebro.domino.userNotifications.telemetry.enabled

true

Enables backend telemetry (statistics about the number and type of generated notifications) for notifications.

com.cerebro.domino.userNotifications.telemetry.initialDelay

2 minutes

The delay before Notifications telemetry is executed the first time. This delays the impact on database processing during initial system startup.

com.cerebro.domino.userNotifications.telemetry.interval

2 hours

The time between when the notification statistics are updated.

com.cerebro.domino.userNotifications.telemetry.perUserMetricsEnabled

true

If true, the system shows metrics for each user about the number and types of notifications generated. If false, the system shows metrics about all notifications.

com.cerebro.domino.notification.maxFilesToAttach

10

The maximum number of files that can be attached to a single notification.

com.cerebro.domino.notification.maxFileSizeToAttachInMB

2

The maximum size, in megabytes, of any single file attached to a notification.

Notifications for monitoring

The options relate to Notification channels.

Key

Default

Description

com.cerebro.domino.email.smtp.from

N/A

The email address from which Domino sends email notifications.

com.cerebro.domino.email.smtp.host

N/A

The host address of the SMTP server from which Domino sends emails.

com.cerebro.domino.email.smtp.password

N/A

The password for the SMTP server, which is typically the same password for your web server, from which Domino sends emails.

com.cerebro.domino.email.smtp.port

25

The TCP port to use to communicate with your SMTP server.

com.cerebro.domino.email.smtp.ssl

false

Indicates whether the SMTP server uses Secure Sockets Layer (SSL) for secure communications.

com.cerebro.domino.email.smtp.user

N/A

The username used by the client to authenticate to the SMTP server to send email.

On-demand MPI

The options relate to the on-demand MPI clusters. They are available in namespace common and must be recorded with no name.

KeyDefaultDescription

com.cerebro.domino.computegrid.computeCluster.checkClusterStatusIntervalSeconds

1.0

Frequency in seconds to run status checks on on-demand MPI clusters.

com.cerebro.domino.computegrid.timeouts.executor.responseTimeout

1.0

How long the frontend waits for a response, in seconds, after a file sync request before sending an error.

com.cerebro.domino.computegrid.timeouts.computeCluster.fileSyncTimeout

1 hour

The maximum duration a sync runs before being considered to have timed out.

com.cerebro.domino.computegrid.computeCluster.checkFileSyncStatusIntervalSeconds

15

The interval, in seconds, the Job launcher script checks the compute cluster file sync status waiting for ready status.

com.cerebro.domino.computegrid.computeCluster.secretName

domino-compute-cluster

The name of the secret in the domino-compute namespace containing the SSH key material used when configuring SSH on MPI workers.

com.cerebro.domino.computegrid.computeCluster.storageMountPath

/tmp

Volume mount path location of additional storage for the compute cluster.

com.cerebro.domino.computegrid.computeCluster.mpi.disableIstio

false

Whether to inject the Istio Proxy sidecar into worker Pods.

com.cerebro.domino.computegrid.computeCluster.mpi.istioMutualTLSMode

Configures the istioMutualTLSMode for MPI if Istio is enabled. Valid values are: STRICT and PERMISSIVE.

On-demand Spark

These options relate to the on-demand Spark clusters. They are available in namespace common and must be recorded with no name.

Key

Default

Description

com.cerebro.domino.integrations.spark.checkClusterStatusIntervalSeconds

1

Frequency in seconds to run status checks on on-demand Spark clusters.

com.cerebro.domino.integrations.spark.onDemand.workerStorageMountPath

/tmp

File system path on which Spark worker storage is mounted.

com.cerebro.domino.integrations.spark.sparkConfDirDefault

None

Option to supply alternative default configuration directory for on-demand Spark clusters.

com.cerebro.domino.workbench.onDemandSpark.worker.memoryOverheadMinMiB

384

Minimum amount of memory in MiB to use for Spark worker overhead.

com.cerebro.domino.workbench.onDemandSpark.worker.memoryOverheadFactor

0.1

Spark worker overhead scaling factor.

com.cerebro.domino.computegrid.computeCluster.spark.proxyCompatability

None

Set to legacy when the Spark UI for on-demand Spark on Domino needs to be compatible with Spark versions prior to 3.1.1.

Performance

The following configuration settings are used for caching.

KeyDefaultDescription

com.cerebro.domino.controlCenter.cacheMaxLoadPeriodInMonths

12

Use this key to modify the period (in months) of historical data that the Control Center uses. You might have to change this value to less than 12 to prevent timeout issues when loading data into the application. Do not set cacheMaxLoadPeriodInMonths to greater than 12 months or the chart cannot be used. The report options remain the same: Current Month, Previous Month, Last 3 months, Last 6 months, and Custom. This might improve performance.

Caution

com.cerebro.domino.controlCenter.cacheTimeToLiveInMinutes

30

Specifies how often the cache is refreshed in minutes. This cache is used in the Control Center and improves performance. However, if the cache is refreshed every 30 minutes some recent data will not be included in the reports.

Projects

This option is available in namespace common and must be recorded with no name.

Key

Default

Description

com.cerebro.domino.frontend.overrideDefaultProject

String of comma-separated project paths. For example, admin-user/getting-started-project, admin-user/sample-app-project. See Change The Default Project For New Users.

com.cerebro.domino.frontend.defaultMaxFileSizeToRenderInBytes

String, indicating the biggest file that may be rendered in the filebrowser: 5 MB, 10 kB, 1 GB, 7 B

com.cerebro.domino.workbench.project.projectCopy.githubCopyEnabled

false

true to enable copying GitHub-backed projects.

com.cerebro.domino.workbench.project.projectCopy.gitlabCopyEnabled

false

true to enable copying GitLab-backed projects.

AI Project Hub

KeyDefaultDescription

com.cerebro.domino.workbench.project.projectTemplateHubEnabled

false

Set to true to enable the AI Project Hub UI and AI Project Hub public API.

com.cerebro.domino.workbench.project.projectTemplateHubPrimary

https://templates-metadata.s3.us-west-2.amazonaws.com/templates/project_templates.json

The URL for the primary hub. Defaults to the Domino template hub.

com.cerebro.domino.workbench.project.projectTemplateRemoteHubsEnabled

true

Whether or not nucleus-frontend will try to reach out to the URL defined for the primary hub.

com.cerebro.domino.workbench.project.projectTemplateHubRaw

[]

A JSON list of project templates. Users can configure this if they can’t reach Domino’s hub and don’t have their own hub.

com.cerebro.domino.workbench.project.excludePartnerTemplates

false

false to receive templates owned by Domino and partners. true to only receive templates owned by Domino.

Project templates

These options enable Git-based project copy for the specified git providers.

KeyDefaultDescription

com.cerebro.domino.workbench.project.projectCopy.githubCopyEnabled

true

Enable copy project for a Git-based project created from a Github repository.

com.cerebro.domino.workbench.project.projectCopy.gitlabCopyEnabled

true

Enable copy project for a Git-based project created from a Gitlab repository.

Project visibility options

These options relate to project visibility settings. They are available in namespace common and must be recorded with no name.

Key

Default

Description

com.cerebro.domino.publicProjects.enabled

true

If set to false, Practitioners cannot set projects to public visibility. However, an Admin can still create public projects. A change in this setting does not affect existing projects.

com.cerebro.domino.defaultProjectVisibility

Public

Controls the default visibility setting for new projects. Options are Public or Private.

Git and Jira credentials

These options enable storing Git and Jira credentials in Vault.

KeyDefaultDescription

com.cerebro.domino.jira.vault.enabled

true

Consult your Domino representative before changing this key. If set to true, Jira credentials are stored in Vault. If false, they are stored in Mongo.

com.cerebro.domino.workbench.project.vaultGitCredentials

true

Consult your Domino representative before changing this key. If set to true, user Git credentials are stored in Vault. If false, they are stored in S3’s blob store.

Public applications

This option is related to Grant Access to Domino Apps. This is available in namespace common and must be recorded with no name.

Key

Default

Description

com.cerebro.domino.launchpad.allowPublicModelProducts

TRUE

Set to FALSE to disable the Anyone, including anonymous users and Anyone with an account access permissions. See Grant Access to Domino Apps for more information about these permissions.

Restricted Environments and Projects

Key

Default

Description

com.cerebro.domino.workbench.restrictedAssets.enabled

FALSE

Set to TRUE to enable marking environments and projects as restricted.

Read-write Datasets

These options relate to read-write datasets. They are available in namespace common and must be recorded with no name. Scratch spaces have been deprecated starting with Domino 4.5.

Key

Default

Description

com.cerebro.domino.dataset.graceTimeForDeletion

15min

The time before the system deletes a dataset that was marked for deletion. If you deleted a dataset, you have this time to retrieve the dataset. After this time expires, the dataset cannot be recovered. See Datasets and Snapshots.

com.cerebro.domino.dataset.quota.enabled

true

If true, the dataset (com.cerebro.domino.dataset.quota.maxActiveSnapshotsPerDataset) and snapshot (com.cerebro.domino.dataset.quota.maxDatasetsPerProject) limits will be enforced. If false, these settings are ignored.

com.cerebro.domino.dataset.quota.maxActiveSnapshotsPerDataset

20

The maximum number of snapshots a user can create for a dataset. com.cerebro.domino.dataset.quota.enabled must be true for this to work.

If the user reaches the maximum number of snapshots, the next time they create a snapshot, Domino shows a warning that they have reached their snapshot limit and that if they proceed, their oldest snapshot will be marked for deletion.

See Create a Snapshot of a Dataset and Datasets and Snapshots.

com.cerebro.domino.dataset.quota.maxDatasetsPerProject

50

The maximum number of Datasets you can create in a Project. com.cerebro.domino.dataset.quota.enabled must be true for this to work.

If the user reaches the maximum number of datasets, Domino shows a message about the limit.

com.cerebro.domino.dataset.quota.maxFileSizeForPreview

5000000

The maximum file size (in bytes) that the Data renderer will support to preview files. If a file is larger than this limit, the renderer will default to a message recommending file download.

See Datasets and Snapshots.

com.cerebro.domino.dataset.containerHome

/domino/datasets

Set the path to mount datasets in Domino projects. Users see this path in the Path column on the Domino Datasets tab on the Data page.

Note

See Domino Datasets.

com.cerebro.domino.dataset.gitBasedContainerHome

/mnt

Path at which datasets resides in git based projects.

com.cerebro.domino.dataset.executor.snapshotSizeTimeout

1 minute

The time allotted to gather all file sizes to calculate the size of the snapshot. If the time expires and the size hasn’t finished calculating, Domino shows the current calculation for the snapshot but doesn’t notify the user that the calculation is incomplete.

com.cerebro.domino.dataset.storageUsageWarningThreshold

70

The percentage of a user’s dataset storage quota that, when reached, triggers warning notifications.

com.cerebro.domino.dataset.storageUsageCriticalThreshold

85

The percentage of a user’s dataset storage quota that, when reached, triggers email notifications.

com.cerebro.domino.dataset.snapshotSizingPeriod

7 days

Interval during which the size of a snapshot are not recalculated.

com.cerebro.domino.dataset.thresholdActionPeriod

7 days

Interval during which notifications to users about their storage usage are not repeated.

com.cerebro.domino.dataset.unitCostDollarsPerGbPerMonth

None

Estimate unit cost of a dataset (in dollars/GB/month). This value is multiplied linearly by the size of a dataset to estimate its cost per month.

Run Results

These options relate to the Execution Results. They are used to limit the number of file comparisons and number of differences found.

Note
KeyDefaultDescription

com.cerebro.domino.runResults.maximumNumberOfInputComparisons

1000

The maximum number of input files to compare.

com.cerebro.domino.runResults.maximumNumberOfInputDiffs

250

The maximum number of input file comparisons that will be found. If this value is reached, the comparison will stop.

com.cerebro.domino.runResults.maximumNumberOfResultsComparisons

1000

The maximum number of result files to compare.

com.cerebro.domino.runResults.maximumNumberOfResultsDiffs

250

The maximum number of result file comparisons that will be found. If this value is reached, the comparison will stop.

Usage reports

These options relate to the User Activity Reports.

KeyDefaultDescription

com.cerebro.domino.email.usageReportRecipient

usage@dominodatalab.com

Sets the default recipient for the user activity report. To access this report, go to Admin > Advanced > User Activity Report.

com.cerebro.domino.email.EmailToDomino

true

When true, the system sends a scheduled user activity report to usage@dominodatalab.com to help improve Domino. See How to pull usage information.

com.cerebro.domino.Usage.RecentUsageDays

30

Specifies the number of days to report for recent activity in the user activity reports. For example, the default value includes activity within the past 30 days in the Recent Activity section.

Important

com.cerebro.domino.Usage.ReportFrequency

0 2 * * *

Defines the frequency for automatically scheduled user activity reports. The default cron string value is set to daily at 02:00.

com.cerebro.domino.Usage.ReportRecipients

Empty

Identifies a comma-separated list of email addresses that receive automatic scheduled user activity reports. This is not shown in the Central Configuration unless it is set explicitly. Example values are: email1@domain.com, email2@domain.com.

com.cerebro.domino.Usage.IncludeUsernameAndEmail

false

When true, automatically generated and emailed user activity reports include username and email address columns.

Vault

In Domino, secrets are stored in an instance of HashiCorp Vault. By default, Vault does not require any configuration for specific secrets to be stored in encrypted form at rest. Supported Secrets are:

  • User environment variables

  • User API keys

  • Data source access secrets

  • Project environment variables

The following configuration settings are used to connect to Vault.

Key

Default

Description

com.cerebro.domino.vault.auth.kube.authPath

domino/kubernetes

Do not use.

com.cerebro.domino.vault.auth.kube.authRole

nucleus

Do not use.

com.cerebro.domino.vault.auth.kube.tokenFile

/var/run/secrets/kubernetes.io/serviceaccount/token`

Do not use.

com.cerebro.domino.vault.auth.kube.token

N/A

Do not use.

com.cerebro.domino.vault.auth.token.tokenFile

N/A

Beta feature: Contact your Domino representative for assistance. Used to configure Domino to work with your Vault installation outside the Domino cluster.

This is the path where the Vault token is present. If the .token config key is present, this is ignored.

com.cerebro.domino.vault.auth.token.token

N/A

Beta feature: Contact your Domino representative for assistance. Used to configure Domino to work with your Vault installation outside the Domino cluster.

This is the literal value of the Vault token that overrides the .tokenFile config key.

com.cerebro.domino.vault.auth.token.refreshEvery

N/A

Beta feature: Contact your Domino representative for assistance. Used to configure Domino to work with your Vault installation outside the Domino cluster.

Specifies how often to reread the token when configuring an external Vault integration. This setting is only useful when the token is configured with tokenFile. Example values are: 2s, 10m, 1h. See duration format for syntax information.

com.cerebro.domino.vault.secretstore.baseUrl

N/A

Beta feature: Contact your Domino representative for assistance. Used to configure Domino to work with your Vault installation outside the Domino cluster.

The URL with port for the Vault’s API endpoint which is used to configure the external Vault integration.

com.cerebro.domino.vault.secretsengine.kv2.basePath

domino/kv

Beta feature: Contact your Domino representative for assistance. Used to configure Domino to work with your Vault installation outside the Domino cluster.

The path in the Vault to the key-value store that Domino uses.

com.cerebro.domino.vault.secretsengine.kv2.subPath

nucleus

Beta feature: Contact your Domino representative for assistance. Used to configure Domino to work with your Vault installation outside the Domino cluster.

An optional path in the key-value store that serves as the root for all Domino-stored secrets.

Web Apps

IFrame Security

Web apps in Domino are served in HTML inline frames, also known as “iframes”. To improve iframe security, a “sandbox” attribute can be set for iframe elements. When this attribute is set, extra security restrictions are applied to the iframes serving web apps in Domino, like blocking cross-origin requests, form submissions, script executions, and much more.

In Domino, this “sandbox” attribute can be toggled with the ShortLived.iFrameSecurityEnabled feature flag. Setting this flag to “TRUE” will apply the sandbox attribute to the iframe and apply the extra security restrictions. If the flag is set to “FALSE”, no security restrictions will be applied to the iframe. By default, in Domino 4.4.1 the ShortLived.iFrameSecurityEnabled flag is set to FALSE.

Important

Content Security Policies

A content security policy allows Domino web apps to access specific, whitelisted external resources. Any request made to non-whitelisted external resources, however, will be blocked.

In Domino, you can toggle this feature with the EnableContentSecurityPolicyforApps feature flag. Setting this flag to “TRUE” will block requests to all non-whitelisted resources and allow requests to whitelisted resources. Setting this flag to “FALSE” will allow all requests to resources (that is, no blocking of any kind). By default, in Domino 4.4.1 the EnableContentSecurityPolicyforApps is set to FALSE.

The keys and default values associated with this feature flag are listed in the table below.

Key

Default

Description

com.cerebro.domino.apps.contentSecurityPolicy.whiteListAppHost

true

Whitelist the app’s own host URL for all resource types. This can be toggled to false for an even more stringent security policy. For example, to prevent internal attacks by disabling all JavaScript in web apps, you can set this flag to false and com.cerebro.domino.apps.contentSecurityPolicy.whiteListedScriptSrcList to none or the empty string.

com.cerebro.domino.apps.contentSecurityPolicy.whiteListedImageSrcList

data:

Allows images to be inserted directly into a webapp using a data: URL. This allows Domino apps to include images in the app’s HTML without loading the image from an outside resource. Learn more about data: URLs here: Mozilla - Data URLs.

com.cerebro.domino.apps.contentSecurityPolicy.whiteListedScriptSrcList

cdnjs.cloudflare.com/ajax/libs/jquery/3.1.0/jquery.js cdn.plot.ly/plotly-latest.min.js 'unsafe-eval' 'unsafe-inline'

Whitelists the URLs of the scripts that the demo Apps in the quick-start project load to display their interactive charts. It also allows an app to define scripts in HTML using the <script> tag. Also allows JavaScript to create more JavaScript as the app runs using the built-in JavaScript function eval.

com.cerebro.domino.apps.contentSecurityPolicy.whiteListedStyleSrcList

'unsafe-inline'

Allows apps to define their own styles with <style>, javascript: URLs, and inline <script> elements.

com.cerebro.domino.apps.contentSecurityPolicy.whiteListedConnectSrcList

ws:

Allows the app to use WebSockets, which use URLs that begin with ws:, to communicate with other resources.

To whitelist a resource:

  1. Go to Configuration Management (that is, Central Config) in your Domino admin settings.

  2. Click Add Record.

  3. Set the key to com.cerebro.domino.apps.contentSecurityPolicy.whiteListedConnectSrcList.

  4. Set the value to ws: followed by the URL of the resource you’d like to whitelist (that is, ws: https://foobar.buz.bax/). You must work with your team to figure out which URLs have to be whitelisted. For more details, see: Identify Resources to Whitelist.

  5. Save the record and restart Domino services.

IFrame Security in combination with Content Security Policies

In Domino 4.4.1, the ShortLived.iFrameSecurityEnabled and EnableContentSecurityPolicyforApps feature flags coexist. The matrix below describes the blocking behavior for requests based on both feature flags.

Important

The IFrame feature flag will be deprecated in future versions of Domino. Domino recommends implementing web app security using content security policies instead.

ShortLived.iFrameSecurityEnabled = FALSEShortLived.iFrameSecurityEnabled = TRUE

EnableContent SecurityPolicyForApps = FALSE

No blocking occurs. All requests to external resources are allowed.

All requests from web apps to external resources are blocked.

EnableContent SecurityPolicyForApps = TRUE

Only requests to whitelisted external resources are allowed. All other requests to external resources are blocked.

All requests from web apps to external resources are blocked.

White labeling

Use these options to customize the Domino application with your organization’s brand. See White Labeling.

KeyDefaultDescription

com.cerebro.domino.frontend.footerCustomization.customContactUsHref

N/A

Set a URL that directs your users to a web-based form or email address (mailto:support@domain.com).

com.cerebro.domino.frontend.footerCustomization.customFooterHtml

N/A

Set the custom HTML to show immediately above the page footer.

com.cerebro.domino.frontend.footerCustomization.customFooterImageUrl

N/A

Set the URL for the image that you want shown in the footer. The image displays on the same line as the Domino logo. If customFooterHTML is set, this displays below the custom HTML, inside the footer.

com.cerebro.domino.whitelabel.jsonConfig

N/A

A JSON-formatted list of white labeling configuration parameters, such as:

{
"appLogo": "https://s3-us-west-2.amazonaws.com/your-logo.png",
"appName": "Your Company Name",
"favicon": "https://www.your-website.com/favicon.ico",
"helpContentUrl": "https://your-support-website.com",
"showSupportButton": true,
"supportEmail": "support@your-email-domain.com",
"errorPageContactEmail": "support-error@your-email-domain.com",
"hidePopularProjects": true,
"hideSuggestedProjects": true,
"gitCredentialsDescription": "Authenticate to your Git Account by clicking Add a New Git Credential",
"hideDownloadDominoCli": true,
"pageFooter": "<p>Your Custom Footer</p>",
"hideSearchableProjects": true
}

Custom HTML banner

Use these options to display a custom banner on every page in the Domino application.

KeyDefaultDescription

com.cerebro.domino.frontend.globalBanner.content

N/A

Required: HTML markup specifying your banner’s content and style. Example: <div style="background-color: blue; font-size: 50px;">Global Banner</div>

com.cerebro.domino.frontend.globalBanner.isClosable

false

If true, lets users close the banner.

com.cerebro.domino.frontend.globalBanner.reappearTimeAfterCloseInSec

N/A

Optional: Time, in seconds, until the banner reappears after closing the banner. The banner reappears when a page is refreshed or loaded. If not set, the closed banner will stay closed. Clearing hide-global-banner in the local storage will make the banner reappear.

Workspaces

These options relate to Domino workspaces.

Key

Default

Description

com.cerebro.domino.workbench.project.defaultVolumeSizeGiB

10

Controls default allocated persistent volume size for a new workspace.

com.cerebro.domino.workbench.project.minVolumeSizeGiB

4

Controls min allocated persistent volume size for a new workspace.

com.cerebro.domino.workbench.project.maxVolumeSizeGiB

200

Controls max allocated persistent volume size for a new workspace.

com.cerebro.domino.workbench.workspace.maxWorkspacesPerUserPerProject

4

Sets a limit on the number of provisioned workspaces per user per project.

com.cerebro.domino.workbench.workspace.maxWorkspacesPerUser

16

Sets a limit on the number of provisioned workspaces per user across all projects.

com.cerebro.domino.workbench.workspace.maxWorkspaces

3000

Sets a limit on the number of provisioned workspaces across the whole Domino.

com.cerebro.domino.workbench.workspace.maxAllocatedVolumeSizeAcrossAllWorkspacesGiB

None

Sets a limit on the total volume size of all provisioned workspaces across the whole Domino combined.

com.cerebro.domino.workbench.workspace.stopToDeleteDelayDuration

20.seconds

The number of seconds the frontend waits after the workspace stops before making the delete request to the backend. This allows for enough time after workspace stop for the workspace’s persistent volume to be released. If users frequently receive an error after trying a delete, then this value should be increased.

com.cerebro.domino.workbench.workspace.volume.enableSnapshots

true

Whether to capture snapshots of workspace persistent volumes in AWS. Workspace volume snapshotting is disabled for remote data planes.

com.cerebro.domino.workbench.workspace.volume.snapshotCleanupFrequency

1.day

How often to delete all but the X most recent snapshots , including snapshots of deleted workspaces. Where X is a number defined by workbench.workspace.volume.numSnapshotsToRetain. Only snapshots older than two hours are cleaned up. Snapshots of deleted workspaces are cleaned up regardless of their age.

com.cerebro.domino.workbench.workspace.volume.numSnapshotsToRetain

5

The number of snapshots to retain. All older snapshots beyond this limit will be deleted during a periodic cleanup. Domino does not retain snapshots for deleted workspaces.

com.cerebro.domino.workbench.workspace.volume.recommendedSizeFactor

1.2

The number by which Domino multiples the project size to calculate the recommended volume size.

com.cerebro.domino.workbench.workspace.volume.highDiskUsageThresholdPercent

90

The threshold, as a percentage, at which Domino notifies users and recommends reducing the project size or adjusting the volume size to avoid performance issues.

com.cerebro.domino.workbench.workspace.enabledPVCleanup

false

"True" to enable the unused workspace volume cleaner job, which deletes unused disk volumes to reduce cost.

com.cerebro.domino.workbench.workspace.cleanupFrequencyDays

1.day

The frequency, in days, at which the workspace volume cleaner job runs.

com.cerebro.domino.workbench.workspace.idlePeriodThresholdDays

10

The number of days a workspace can remain unused before it is marked for deletion and the grace period begins.

com.cerebro.domino.workbench.workspace.unusedGracePeriodDays

30

The number of days between when a workspace is marked for deletion and when it is actually deleted, also called the grace period. During this period, the workspace owner is notified in Domino and through email.