Central Configuration

The Central Configuration is where all global settings for a Domino installation are enumerated. You can access the Central Configuration interface from the Admin portal by clicking Advanced > Central Config.

The interface is organized into a list of records. You can click on an existing record to edit its attributes, or you can add a record with the Add Record button at top right. If there is no record explicitly set for an option, the default value will be used. In order for changes made in the Central Config to take effect, you must restart Domino services using the link at the top of the interface.

Figure: the Central Config interface (image: central-config-basics.png)



Project visibility options

These options are related to project visibility settings and are available in namespace common and should be recorded with no name.

com.cerebro.domino.publicProjects.enabled
    default: true
    If set to false, users cannot set projects to public visibility.

com.cerebro.domino.defaultProjectVisibility
    default: Public
    Controls the default visibility setting for new projects. Options are Public or Private.



Email notifications

These options are related to email notifications from Domino and are available in namespace common and should be recorded with no name.

smtp.from
    default: None
    The ‘from’ address for email notifications sent by Domino.

smtp.host
    default: None
    Hostname of the SMTP relay to use for sending emails from Domino.

smtp.user
    default: None
    Username to use for authenticating to the SMTP host.

smtp.password
    default: None
    Password for the SMTP user.

smtp.port
    default: 25
    Port to use for connecting to the SMTP host.

smtp.ssl
    default: false
    Whether the SMTP host uses SSL.



Model APIs

These options are related to Model APIs and are available in namespace common and should be recorded with no name.

com.cerebro.domino.modelmanager.instances.defaultNumber
    default: 2
    Default number of instances per Model used for Model API scaling.

com.cerebro.domino.modelmanager.instances.maximumNumber
    default: 32
    Maximum number of instances per Model used for Model API scaling.

com.cerebro.domino.modelManager.nodeSelectorLabelKey
    default: dominodatalab.com/node-pool
    Key used in the Kubernetes label node selector for Model API pods.

com.cerebro.domino.modelManager.nodeSelectorLabelValue
    default: default
    Value used in the Kubernetes label node selector for Model API pods.



Environments

These options are related to Domino Environments and are available in namespace common and should be recorded with no name.

com.cerebro.domino.environments.canNonSysAdminsCreateEnvironments
    default: true
    If set to false, only system administrators will be able to edit environments.

com.cerebro.domino.environments.default.image
    default: quay.io/domino/base:Ubuntu18_DAD_Py3.6_R3.6_20190918
    Docker image URI for the initial default environment.

com.cerebro.domino.environments.default.name
    default: Domino Analytics Distribution Py3.6 R3.6
    Name of the initial default environment.



Authentication

These options are related to the Keycloak authentication service and are available in namespace common and should be recorded with no name.

authentication.oidc.externalOrgsEnabled
    default: false
    When true, Domino will manage Organization membership via users’ group SAML attributes.

authentication.oidc.externalRolesEnabled
    default: false
    When true, Domino will manage Admin role assignments via users’ role SAML attributes.



Long-running workspaces

These options are related to long-running workspace sessions and are available in namespace common and should be recorded with no name.

com.cerebro.domino.workloadNotifications.longRunningWorkloadDefinitionInSeconds
    default: 259200
    Defines how long a workspace must run, in seconds, before the workspace is classified as ‘long-running’ and begins to generate notifications or becomes subject to automatic shutdown.

com.cerebro.domino.workloadNotifications.isEnabled
    default: false
    Set to true to enable the option for email notifications to users when their workspaces become long-running. Users can turn these notifications on or off for themselves in their account settings.

com.cerebro.domino.workloadNotifications.isRequired
    default: false
    Set to true to turn on long-running workspace notifications for all users. While this is true, users cannot turn off long-running workspace notifications.

com.cerebro.domino.workloadNotifications.maximumPeriodInSeconds
    default: 7200
    Maximum time in seconds users may set as the period between receiving long-running notification emails. Users will receive repeated notifications about long-running workspaces with this frequency.

com.cerebro.domino.workspaceAutoShutdown.isEnabled
    default: false
    Set to true to enable automatic shutdown of long-running workspaces. Users can turn automatic shutdown for their workspaces on or off from their account settings.

com.cerebro.domino.workspaceAutoShutdown.isRequired
    default: false
    Set to true to turn on automatic shutdown of long-running workspaces for all users. While this is true, users cannot turn off automatic shutdown of their long-running workspaces.

com.cerebro.domino.workspaceAutoShutdown.globalMaximumLifetimeInSeconds
    default: 259200
    Longest time in seconds a long-running workspace will be allowed to continue before automatic shutdown. Users cannot set their automatic shutdown timer to be longer than this.
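The seven keys above interact: isRequired forces a feature on for everyone, isEnabled merely lets users opt in, and the two maximum values cap whatever period or timer a user picks. The following resolver is an added example (it is not Domino's own code) that makes those interactions explicit. It assumes that isRequired overrides both isEnabled and the user's choice, and that the auto-shutdown timer counts from workspace start; the page states neither detail, and the user settings are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class LongRunningConfig:
    """Central Config keys from this section with their documented defaults."""
    long_running_after_s: int = 259200      # workloadNotifications.longRunningWorkloadDefinitionInSeconds
    notifications_enabled: bool = False     # workloadNotifications.isEnabled
    notifications_required: bool = False    # workloadNotifications.isRequired
    max_notification_period_s: int = 7200   # workloadNotifications.maximumPeriodInSeconds
    auto_shutdown_enabled: bool = False     # workspaceAutoShutdown.isEnabled
    auto_shutdown_required: bool = False    # workspaceAutoShutdown.isRequired
    global_max_lifetime_s: int = 259200     # workspaceAutoShutdown.globalMaximumLifetimeInSeconds


@dataclass(frozen=True)
class UserSettings:
    """What a user chose in account settings (constructed for this example)."""
    notifications_on: bool = False
    notification_period_s: int = 3600
    auto_shutdown_on: bool = False
    shutdown_after_s: int = 86400


def _feature_on(enabled: bool, required: bool, user_choice: bool) -> bool:
    # Assumption: isRequired wins over both isEnabled and the user's own setting.
    return True if required else (enabled and user_choice)


def resolve(cfg: LongRunningConfig, user: UserSettings) -> dict:
    """Combine admin policy and user preference into the settings that actually apply."""
    notify = _feature_on(cfg.notifications_enabled, cfg.notifications_required, user.notifications_on)
    shutdown = _feature_on(cfg.auto_shutdown_enabled, cfg.auto_shutdown_required, user.auto_shutdown_on)
    return {
        "notify": notify,
        # Users may not exceed the documented maximums, so clamp their values.
        "notification_period_s": min(user.notification_period_s, cfg.max_notification_period_s) if notify else None,
        "auto_shutdown": shutdown,
        "shutdown_after_s": min(user.shutdown_after_s, cfg.global_max_lifetime_s) if shutdown else None,
    }


def evaluate(cfg: LongRunningConfig, user: UserSettings, elapsed_s: int):
    """Return (is_long_running, actions) for a workspace that has run elapsed_s seconds."""
    policy = resolve(cfg, user)
    long_running = elapsed_s >= cfg.long_running_after_s
    actions = []
    if long_running and policy["notify"]:
        actions.append("notify")
    # Assumption: the shutdown timer is measured from workspace start.
    if long_running and policy["auto_shutdown"] and elapsed_s >= policy["shutdown_after_s"]:
        actions.append("shutdown")
    return long_running, actions


if __name__ == "__main__":
    cfg = LongRunningConfig(notifications_enabled=True, auto_shutdown_required=True)
    user = UserSettings(notifications_on=True, notification_period_s=86400, shutdown_after_s=432000)
    print(resolve(cfg, user))
    print(evaluate(cfg, user, 300000))
```

With the defaults every feature resolves to off regardless of what a user asks for, because neither isEnabled key is true; flipping isRequired on for auto-shutdown makes the global maximum lifetime the effective ceiling for everyone.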



Datasets scratch spaces

Scratch spaces have been deprecated starting with Domino 4.5.

For more information, see here.




Compute grid

These options are related to the compute grid and are available in namespace common and should be recorded with no name.

com.cerebro.domino.computegrid.kubernetes.volume.gcFrequency
    default: 10min
    Controls how often the garbage collector runs to delete old or excess persistent volumes.

com.cerebro.domino.computegrid.kubernetes.volume.maxAge
    default: None
    Setting a value in minutes here will cause persistent volumes older than that to be automatically deleted by the garbage collector.

com.cerebro.domino.computegrid.kubernetes.volume.maxIdle
    default: 32
    Maximum number of idle persistent volumes to keep. Idle volumes in excess of this number will be deleted by the garbage collector.

com.cerebro.domino.computegrid.kubernetes.volume.storageClass
    default: dominodisk
    Kubernetes storage class that will be used to dynamically provision persistent volumes. This is set initially to the value of storage_classes.block.name in the installer storage classes configuration.

com.cerebro.domino.computegrid.kubernetes.volume.volumesSizeInGB
    default: 15
    Size in GB of compute grid persistent volumes. This is the total amount of disk space available to users in runs and workspaces.

com.cerebro.domino.computegrid.userExecutionsQuota.maximumExecutionsPerUser
    default: 25
    This is the maximum number of executions each user will be allowed to run concurrently. If a user attempts to start additional executions in excess of this, those executions will be queued until some of the user’s other executions finish.
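The garbage collector applies two rules from the table above, maxAge and maxIdle, on every gcFrequency tick. The simulation below is an added example, not Domino's collector: it parses the gcFrequency duration form, selects what one pass would delete from a constructed volume inventory, and shows how the documented defaults (maxAge unset, maxIdle 32) collect nothing. It assumes that only idle volumes are ever deleted and that excess idle volumes are removed oldest first; the page specifies neither.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional


def parse_duration(text: str) -> timedelta:
    """Parse the short duration form used by gcFrequency, e.g. '10min', '2h', '30s'."""
    m = re.fullmatch(r"\s*(\d+)\s*(s|sec|m|min|h|d)\s*", text)
    if not m:
        raise ValueError(f"unrecognised duration: {text!r}")
    seconds_per_unit = {"s": 1, "sec": 1, "m": 60, "min": 60, "h": 3600, "d": 86400}
    return timedelta(seconds=int(m.group(1)) * seconds_per_unit[m.group(2)])


@dataclass(frozen=True)
class Volume:
    name: str
    created_at: datetime
    idle: bool  # True when no run or workspace currently uses the volume


def volumes_to_collect(volumes: List[Volume], now: datetime,
                       max_age_minutes: Optional[int], max_idle: int) -> List[str]:
    """Names the collector would delete on one pass.

    Rule 1 (maxAge): idle volumes older than max_age_minutes, only when the key is set.
    Rule 2 (maxIdle): idle volumes beyond max_idle, oldest first.
    Assumption: attached volumes are never deleted; the page does not say whether
    maxAge applies to them, and deleting one would destroy a live execution's data.
    """
    doomed = set()
    if max_age_minutes is not None:
        cutoff = now - timedelta(minutes=max_age_minutes)
        doomed.update(v.name for v in volumes if v.idle and v.created_at < cutoff)
    survivors = sorted((v for v in volumes if v.idle and v.name not in doomed),
                       key=lambda v: v.created_at)
    excess = len(survivors) - max_idle
    if excess > 0:
        doomed.update(v.name for v in survivors[:excess])
    return sorted(doomed)


def demo():
    """Run one pass under the documented defaults and under a tighter policy."""
    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    volumes = [  # constructed inventory
        Volume("vol-a", now - timedelta(days=3), idle=True),
        Volume("vol-b", now - timedelta(hours=1), idle=True),
        Volume("vol-c", now - timedelta(days=5), idle=False),  # attached: never collected
        Volume("vol-d", now - timedelta(days=1), idle=True),
    ]
    defaults = volumes_to_collect(volumes, now, max_age_minutes=None, max_idle=32)
    tight = volumes_to_collect(volumes, now, max_age_minutes=2 * 24 * 60, max_idle=1)
    return defaults, tight


if __name__ == "__main__":
    print("collector runs every", parse_duration("10min"))
    print(demo())  # ([], ['vol-a', 'vol-d'])
```

Under the tight policy vol-a falls to the age rule, vol-d to the idle cap, and vol-c survives because it is attached; note that maxAge is expressed in minutes while gcFrequency uses the suffixed form.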



On-demand Spark

These options are related to the on-demand Spark clusters and are available in namespace common and should be recorded with no name.

com.cerebro.domino.integrations.spark.checkClusterStatusIntervalSeconds
    default: 1
    Frequency in seconds to run status checks on on-demand Spark clusters.

com.cerebro.domino.integrations.spark.onDemand.workerStorageMountPath
    default: /tmp
    File system path on which Spark worker storage is mounted.

com.cerebro.domino.integrations.spark.sparkConfDirDefault
    default: None
    Option to supply an alternative default configuration directory for on-demand Spark clusters.

com.cerebro.domino.workbench.onDemandSpark.worker.memoryOverheadMinMiB
    default: 384
    Minimum amount of memory in MiB to use for Spark worker overhead.

com.cerebro.domino.workbench.onDemandSpark.worker.memoryOverheadFactor
    default: 0.1
    Spark worker overhead scaling factor.

com.cerebro.domino.computegrid.computeCluster.spark.proxyCompatability
    default: None
    Set to legacy when the Spark UI for on-demand Spark on Domino needs to be compatible with Spark versions prior to 3.1.1.



File download API

These options are related to the file contents download API endpoint and are available in namespace common and should be recorded with no name.

com.cerebro.domino.restrictBlobApi
    default: false
    Set to true to require an admin API key to download files via API. When false, any user with the blob ID for a file may download it via API.

com.cerebro.domino.frontend.clientBlobModeOverride
    default: None
    Set to API to download blobs directly in the Domino API. Set to S3 to download blobs via S3. Note that unlike in Domino 3.x, you cannot set the blob mode override in site_config.json.

Builder

These options are related to the Domino builder.

The Domino builder is a container that runs as a Kubernetes job to build the Docker images for Domino environments and Domino model APIs. This container is deployed to a node labeled with a configurable Kubernetes label (defaults to domino/build-node=true) whenever a user triggers an environment or model build.

com.cerebro.domino.builder.nodeSelectorLabelKey
    default: domino/build-node
    Node label key that the selector in the pod specification for the builder job will target.

com.cerebro.domino.builder.nodeSelectorLabelValue
    default: true
    Node label value that the selector in the pod specification for the builder job will target.

com.cerebro.domino.builder.docker.socketPath
    default: /var/run/docker.sock
    The builder job mounts the host Docker socket to execute builds. This should point to a path on the builder nodes where a Docker socket file can be mounted as part of the builder job pod specification.

com.cerebro.domino.builder.remoteRegistryCredentials.server
    default: quay.io
    The external Docker registry URI to pull Domino base images from.

com.cerebro.domino.builder.remoteRegistryCredentials.secretName
    default: domino-quay-repos
    The K8s secret containing credentials for authentication to an external Docker registry.

com.cerebro.domino.builder.remoteRegistryCredentials.secretNamespace
    default: <Domino Compute Namespace>
    The namespace where the external Docker registry secret is located.

com.cerebro.domino.builder.job.environment.imageSizeLimit
    default: None
    Sets a hard upper limit on the object size of created environment revisions in the internal Docker registry. Takes arguments in the form: 10M.

com.cerebro.domino.builder.job.model.imageSizeLimit
    default: None
    Sets a hard upper limit on the object size of created Model API revisions in the internal Docker registry. Takes arguments in the form: 10M.

com.cerebro.domino.builder.job.resource.limits.cpu
    default: 4 (cores)
    Sets a hard upper limit on the vCPU required for image builds. Takes Kubernetes quantities as arguments.

com.cerebro.domino.builder.job.resource.limits.memory
    default: 15Gi
    Sets a hard upper limit on the memory required for image builds. Takes Kubernetes quantities as arguments.
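The four limit keys above take Kubernetes quantities (4, 15Gi, 10M, and so on), and a record with a malformed value is only discovered after the restart that commits it. The checker below is an added example, not part of Domino, that parses Kubernetes quantity syntax and validates candidate records for these keys before they are saved. It also flags the byte-quantity footgun in which an "m" suffix (milli) is typed where "Mi" (mebibytes) was meant.

```python
import re
from fractions import Fraction
from typing import Dict, List

# Kubernetes quantity suffixes: decimal SI, binary (IEC), and the milli fraction.
_SUFFIXES = {
    "": 1, "m": Fraction(1, 1000),
    "k": 10**3, "M": 10**6, "G": 10**9, "T": 10**12, "P": 10**15,
    "Ki": 2**10, "Mi": 2**20, "Gi": 2**30, "Ti": 2**40, "Pi": 2**50,
}


def parse_quantity(text: str) -> Fraction:
    """Parse a Kubernetes quantity such as '4', '500m', '15Gi' or '10M' into a number."""
    m = re.fullmatch(r"\s*(\d+(?:\.\d+)?)([A-Za-z]*)\s*", text)
    if not m or m.group(2) not in _SUFFIXES:
        raise ValueError(f"not a Kubernetes quantity: {text!r}")
    return Fraction(m.group(1)) * _SUFFIXES[m.group(2)]


# Builder keys from this section and the kind of quantity each one takes.
BUILDER_QUANTITY_KEYS = {
    "com.cerebro.domino.builder.job.resource.limits.cpu": "cpu",
    "com.cerebro.domino.builder.job.resource.limits.memory": "bytes",
    "com.cerebro.domino.builder.job.environment.imageSizeLimit": "bytes",
    "com.cerebro.domino.builder.job.model.imageSizeLimit": "bytes",
}


def check_builder_limits(records: Dict[str, str]) -> List[str]:
    """Validate candidate Central Config records (key -> value) for the builder limit keys.

    Returns human-readable problems; an empty list means every value is usable.
    Keys that are not quantity-valued builder keys are ignored.
    """
    problems = []
    for key, value in records.items():
        kind = BUILDER_QUANTITY_KEYS.get(key)
        if kind is None:
            continue
        try:
            amount = parse_quantity(value)
        except ValueError as exc:
            problems.append(f"{key}: {exc}")
            continue
        if amount <= 0:
            problems.append(f"{key}: must be positive, got {value!r}")
        elif kind == "bytes" and amount < 1:
            # '15m' as a byte quantity is 0.015 bytes; almost certainly '15Mi' was intended.
            problems.append(f"{key}: {value!r} is less than one byte; did you mean a Mi/Gi suffix?")
    return problems


if __name__ == "__main__":
    candidate = {  # constructed records
        "com.cerebro.domino.builder.job.resource.limits.cpu": "4",
        "com.cerebro.domino.builder.job.resource.limits.memory": "15m",
        "com.cerebro.domino.builder.job.environment.imageSizeLimit": "10GB",
    }
    for problem in check_builder_limits(candidate):
        print(problem)
```

Run against the documented defaults (cpu 4, memory 15Gi) and an image size limit of 10M the checker returns nothing; "10GB" is rejected because GB is not a Kubernetes suffix (G or Gi is), and "15m" is reported as a sub-byte value.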

Forge

These options are related to the Domino Image Builder v2 (code name Forge).

Forge is the next-generation service powering creation of new Environment revision and Model API version Docker images. In order to satisfy requirements around heightened security and support for non-Docker container runtimes (such as cri-o for OpenShift), Forge uses an open source image building engine named Buildkit and wraps it in a fashion suitable for Domino’s use. Forge acts as a controller, built around the Kubernetes operator pattern, in which it acts on custom resources (ContainerImageBuild) using standard CRUD actions.

com.cerebro.domino.builder.remoteRegistryCredentials.server
    default: quay.io
    The external Docker registry URI to pull Domino base images from.

com.cerebro.domino.builder.remoteRegistryCredentials.secretName
    default: domino-quay-repos
    The K8s secret containing credentials for authentication to an external Docker registry.

com.cerebro.domino.builder.remoteRegistryCredentials.secretNamespace
    default: <Domino Compute Namespace>
    The namespace where the external Docker registry secret is located.

com.cerebro.domino.builder.job.environment.imageSizeLimit
    default: None
    Sets a hard upper limit on the object size of created environment revisions in the internal Docker registry. Takes arguments in the form: 10M.

com.cerebro.domino.builder.job.model.imageSizeLimit
    default: None
    Sets a hard upper limit on the object size of created Model API revisions in the internal Docker registry. Takes arguments in the form: 10M.

com.cerebro.domino.builder.job.resource.limits.cpu
    default: 4 (cores)
    Sets a hard upper limit on the vCPU required for image builds. Takes Kubernetes quantities as arguments.

com.cerebro.domino.builder.job.resource.limits.memory
    default: 15Gi
    Sets a hard upper limit on the memory required for image builds. Takes Kubernetes quantities as arguments.

Workspaces

These options are related to Domino workspaces.

com.cerebro.domino.workbench.project.defaultVolumeSizeGiB
    default: 10
    Controls the default allocated persistent volume size for a new workspace.

com.cerebro.domino.workbench.project.minVolumeSizeGiB
    default: 4
    Controls the minimum allocated persistent volume size for a new workspace.

com.cerebro.domino.workbench.project.maxVolumeSizeGiB
    default: 200
    Controls the maximum allocated persistent volume size for a new workspace.

com.cerebro.domino.workbench.workspace.maxWorkspacesPerUserPerProject
    default: 2
    Sets a limit on the number of provisioned workspaces per user per project.

com.cerebro.domino.workbench.workspace.maxWorkspacesPerUser
    default: 8
    Sets a limit on the number of provisioned workspaces per user across all projects.

com.cerebro.domino.workbench.workspace.maxWorkspaces
    default: 1500
    Sets a limit on the number of provisioned workspaces across the whole Domino deployment.

com.cerebro.domino.workbench.workspace.maxAllocatedVolumeSizeAcrossAllWorkspacesGiB
    default: None
    Sets a limit on the total volume size of all provisioned workspaces across the whole Domino deployment combined.

com.cerebro.domino.workbench.workspace.stopToDeleteDelayDuration
    default: 20.seconds
    The number of seconds the frontend waits after the workspace stops before making the delete request to the backend. This allows enough time after workspace stop for the workspace’s persistent volume to be released. If users frequently receive an error after trying a delete, this value should be increased.

com.cerebro.domino.workbench.workspace.volume.enableSnapshots
    default: true
    Whether or not to capture snapshots of workspace persistent volumes.

com.cerebro.domino.workbench.workspace.volume.snapshotCleanupFrequency
    default: 1.day
    How often to delete all but the X most recent snapshots, where X is the number defined by com.cerebro.domino.workbench.workspace.volume.numSnapshotsToRetain.

com.cerebro.domino.workbench.workspace.volume.numSnapshotsToRetain
    default: 5
    The number of snapshots to retain. All older snapshots beyond this limit will be deleted during a periodic cleanup.

Authorization

These options are related to authorization and user roles.

com.cerebro.domino.frontend.authentication.defaultRoles
    default: Practitioner
    A comma-separated set of roles that will be assigned to a newly created user if no other roles are specified.

com.cerebro.domino.restrictPublishing
    default: false
    If true, only SupportStaff and SysAdmins can create launchers and schedule runs.

com.cerebro.domino.authorization.restrictManageCollaborators
    default: false
    If true, only Project Owners can manage project collaborators.

com.cerebro.domino.authorization.restrictProjectSharing
    default: false
    If true, only SupportStaff and SysAdmins can manage project collaborators and visibility or transfer project ownership.

Web Apps

IFrame Security

Web apps in Domino are served in HTML inline frames, also known as “iframes”. To improve iframe security, a “sandbox” attribute can be set for iframe elements. When this attribute is set, extra security restrictions are applied to the iframes serving web apps in Domino, like blocking cross-origin requests, form submissions, script executions, and much more.

In Domino, this “sandbox” attribute can be toggled with the ShortLived.iFrameSecurityEnabled feature flag. Setting this flag to “true” will apply the sandbox attribute to the iframe and apply the extra security restrictions. If the flag is set to “false”, no security restrictions will be applied to the iframe. By default, in Domino 4.4.1 the ShortLived.iFrameSecurityEnabled flag is set to false.

Attention

This feature flag will be deprecated in future versions of Domino. We recommend implementing web app security using content security policies instead (described below).

Content Security Policies

A content security policy allows Domino web apps to access specific, whitelisted external resources. Any request made to non-whitelisted external resources, however, will be blocked.

In Domino, you can toggle this feature with the EnableContentSecurityPolicyforApps feature flag. Setting this flag to “true” will block requests to all non-whitelisted resources and allow requests to whitelisted resources. Setting this flag to “false” will allow all requests to resources (i.e., no blocking of any kind). By default, in Domino 4.4.1 the EnableContentSecurityPolicyforApps is set to false.

The keys and default values associated with this feature flag are listed in the table below.

com.cerebro.domino.apps.contentSecurityPolicy.whiteListedImageSrcList
    default: data:
    Allows images to be inserted directly into a web app using a data: URL. This allows Domino apps to include images in the app’s HTML without loading the image from an outside resource. Learn more about data: URLs here: Mozilla - Data URLs.

com.cerebro.domino.apps.contentSecurityPolicy.whiteListedScriptSrcList
    default: cdnjs.cloudflare.com/ajax/libs/jquery/3.1.0/jquery.js cdn.plot.ly/plotly-latest.min.js 'unsafe-eval' 'unsafe-inline'
    Whitelists the URLs of the scripts that the demo Apps in the quick-start project load to display their interactive charts. 'unsafe-inline' also allows an app to define scripts in HTML using the <script> tag, and 'unsafe-eval' allows JavaScript to create more JavaScript as the app runs using the built-in JavaScript function eval.

com.cerebro.domino.apps.contentSecurityPolicy.whiteListedStyleSrcList
    default: 'unsafe-inline'
    Allows apps to define their own styles with <style>, javascript: URLs, and inline <script> elements.

com.cerebro.domino.apps.contentSecurityPolicy.whiteListedConnectSrcList
    default: ws:
    Allows the app to use WebSockets (whose URLs begin with ws:) to communicate with other resources.

To whitelist a resource:

  1. Navigate to “Configuration Management” (i.e., “Central Config”) in your Domino admin settings.
  2. Click “Add Record”.
  3. Set the key to com.cerebro.domino.apps.contentSecurityPolicy.whiteListedConnectSrcList.
  4. Set the value to ws: followed by the URL of the resource you’d like to whitelist (e.g., ws: https://foobar.buz.bax/). You’ll need to work with your team to figure out which URLs need to be whitelisted. For more details, please see: Content Security Policies for Web Apps.
  5. Save the record and restart Domino services.
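The four whiteList keys map onto the img-src, script-src, style-src and connect-src directives of a Content-Security-Policy header, and a record's value replaces the documented default for that directive. The script below is an added example, not Domino's implementation, that renders the header the browser would receive, decides whether a given request URL matches the configured sources, and lists the 'unsafe-inline' and 'unsafe-eval' keywords that weaken the policy. The source matcher is a deliberate simplification of CSP source-expression matching (scheme sources such as ws: and data:, host sources with an optional scheme, a *. host wildcard and a path prefix); the record value and request URLs are constructed from the whitelisting procedure above.

```python
from urllib.parse import urlsplit

CSP_KEY_TO_DIRECTIVE = {
    "com.cerebro.domino.apps.contentSecurityPolicy.whiteListedImageSrcList": "img-src",
    "com.cerebro.domino.apps.contentSecurityPolicy.whiteListedScriptSrcList": "script-src",
    "com.cerebro.domino.apps.contentSecurityPolicy.whiteListedStyleSrcList": "style-src",
    "com.cerebro.domino.apps.contentSecurityPolicy.whiteListedConnectSrcList": "connect-src",
}
# Documented defaults for each directive.
DEFAULT_SOURCES = {
    "img-src": "data:",
    "script-src": ("cdnjs.cloudflare.com/ajax/libs/jquery/3.1.0/jquery.js "
                   "cdn.plot.ly/plotly-latest.min.js 'unsafe-eval' 'unsafe-inline'"),
    "style-src": "'unsafe-inline'",
    "connect-src": "ws:",
}
# Keywords that re-open the script-injection surface a CSP is meant to close.
WEAK_KEYWORDS = ("'unsafe-inline'", "'unsafe-eval'")
_UPGRADES = {"http": "https", "ws": "wss"}  # a source scheme also matches its secure form


def effective_sources(records: dict) -> dict:
    """Central Config records (key -> value) override the defaults directive by directive."""
    sources = dict(DEFAULT_SOURCES)
    for key, value in records.items():
        directive = CSP_KEY_TO_DIRECTIVE.get(key)
        if directive is not None:
            sources[directive] = value.strip()
    return sources


def build_csp_header(records: dict) -> str:
    """Header value in the standard CSP syntax (assumed rendering, not Domino's code)."""
    return "; ".join(f"{d} {v}" for d, v in effective_sources(records).items())


def source_allows(source: str, url: str) -> bool:
    """Simplified CSP source-expression match. Keywords such as 'unsafe-inline'
    describe inline code, not fetched URLs, so they never match a URL."""
    if source.startswith("'"):
        return False
    req = urlsplit(url)
    if source.endswith(":") and "/" not in source:  # scheme-source: ws:, data:, https:
        scheme = source[:-1]
        return req.scheme in (scheme, _UPGRADES.get(scheme))
    src = urlsplit(source if "://" in source else "//" + source)  # host-source
    if src.scheme:
        if req.scheme not in (src.scheme, _UPGRADES.get(src.scheme)):
            return False
    elif req.scheme not in ("http", "https", "ws", "wss"):
        return False
    host, pattern = req.hostname or "", src.hostname or ""
    if pattern.startswith("*."):
        if not host.endswith(pattern[1:]):
            return False
    elif host != pattern:
        return False
    if src.port is not None and req.port != src.port:
        return False
    if src.path in ("", "/"):      # no path: any path on that host
        return True
    if src.path.endswith("/"):     # trailing slash: path prefix
        return req.path.startswith(src.path)
    return req.path == src.path    # otherwise exact path


def request_allowed(records: dict, directive: str, url: str) -> bool:
    return any(source_allows(s, url) for s in effective_sources(records)[directive].split())


def weak_keywords(records: dict) -> list:
    """(directive, keyword) pairs an administrator should consider removing."""
    return [(d, kw) for d, v in effective_sources(records).items()
            for kw in v.split() if kw in WEAK_KEYWORDS]


def decide(iframe_security: bool, csp_enabled: bool, records: dict, directive: str, url: str) -> str:
    """Outcome for one request under both feature flags, following the matrix on this page."""
    if iframe_security:
        return "blocked"           # sandboxed iframe: every external request is blocked
    if not csp_enabled:
        return "allowed"           # no CSP: nothing is blocked
    return "allowed" if request_allowed(records, directive, url) else "blocked"


if __name__ == "__main__":
    # Constructed record following step 4 of the whitelisting procedure.
    records = {CSP_KEY_TO_DIRECTIVE and
               "com.cerebro.domino.apps.contentSecurityPolicy.whiteListedConnectSrcList":
               "ws: https://foobar.buz.bax/"}
    print(build_csp_header(records))
    print(decide(False, True, records, "connect-src", "https://foobar.buz.bax/api/data"))
    print(weak_keywords(records))
```

The weak_keywords check is the one to run after every change to the script-src list: with the documented default, 'unsafe-inline' and 'unsafe-eval' mean the policy still permits inline and eval'd script, so the host whitelist alone does not deliver the protection a CSP is usually deployed for.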

IFrame Security in combination with Content Security Policies

In Domino 4.4.1, the ShortLived.iFrameSecurityEnabled and EnableContentSecurityPolicyforApps feature flags coexist. The matrix below describes the blocking behavior for requests based on both feature flags.

Attention

The IFrame feature flag will be deprecated in future versions of Domino. We recommend implementing web app security using content security policies instead.

ShortLived.iFrameSecurityEnabled = FALSE and EnableContentSecurityPolicyForApps = FALSE:
    No blocking occurs. All requests to external resources are allowed.

ShortLived.iFrameSecurityEnabled = FALSE and EnableContentSecurityPolicyForApps = TRUE:
    Only requests to whitelisted external resources are allowed. All other requests to external resources are blocked.

ShortLived.iFrameSecurityEnabled = TRUE and EnableContentSecurityPolicyForApps = FALSE:
    All requests from web apps to external resources are blocked.

ShortLived.iFrameSecurityEnabled = TRUE and EnableContentSecurityPolicyForApps = TRUE:
    All requests from web apps to external resources are blocked.