---
layout: layout.pug
navigationTitle: Configuration Reference
excerpt: List of all configuration parameters for DC/OS Open Source installations
title: Configuration Reference
menuWeight: 600
---

This topic provides all available configuration parameters. Except where explicitly indicated, the configuration parameters apply to both DC/OS and DC/OS Enterprise.

Cluster Setup

| Parameter | Description |
|---|---|
| agent_list | A YAML nested list (-) of IPv4 addresses to your private agent host names. |
| aws_template_storage_bucket | The name of your S3 bucket. |
| aws_template_storage_bucket_path | The S3 bucket storage path. |
| aws_template_upload | Indicates whether to automatically upload the customized advanced templates to your S3 bucket. |
| aws_template_storage_access_key_id | The AWS Access Key ID. |
| aws_template_storage_secret_access_key | The AWS Secret Access Key. |
| bootstrap_url | (Required) The URI path for the DC/OS installer to store the customized DC/OS build files. |
| cluster_docker_credentials | The dictionary of Docker credentials to pass. |
| cluster_docker_credentials_enabled | Whether to pass the Mesos --docker_config option to Mesos. |
| cluster_docker_registry_url | The custom URL that Mesos uses to pull Docker images from. |
| cluster_name | The name of your cluster. |
| cosmos_config | The dictionary of packaging configuration to pass to the DC/OS Package Manager (Cosmos). |
| exhibitor_storage_backend | The type of storage backend to use for Exhibitor. |
| enable_gpu_isolation | Indicates whether to enable GPU support in DC/OS. |
| gpus_are_scarce | Indicates whether to treat GPUs as a scarce resource in the cluster. |
| ip_detect_public_filename | The IP detect file to use in your cluster. |
| master_discovery | (Required) The Mesos master discovery method. |
| mesos_container_log_sink | The log manager for containers (tasks). |
| public_agent_list | A YAML nested list (-) of IPv4 addresses to your public agent host names. |
| platform | The infrastructure platform. |
| rexray_config | The REX-Ray configuration method for enabling external persistent volumes in Marathon. |

Networking

| Parameter | Description |
|---|---|
| dcos_overlay_enable | This block of parameters specifies whether to enable DC/OS virtual networks. |
| dns_forward_zones | A nested list of DNS zones, IP addresses, and ports that configure custom forwarding behavior of DNS queries. |
| dns_search | A space-separated list of domains that are tried when an unqualified domain is entered. |
| resolvers | A YAML nested list (-) of DNS resolvers for your DC/OS cluster nodes. |
| master_dns_bindall | Indicates whether the master DNS port is open. |
| use_proxy | Indicates whether to enable the DC/OS proxy. |

Performance and Tuning

| Parameter | Description |
|---|---|
| docker_remove_delay | The amount of time to wait before removing docker containers (i.e., docker rm) after Mesos regards the container as TERMINATED. |
| dcos_audit_logging Enterprise | Indicates whether security decisions (authentication, authorization) are logged for Mesos, Marathon, and Jobs. |
| enable_docker_gc | Indicates whether to run the docker-gc script, a simple Docker container and image garbage collection script, once every hour to clean up stray Docker containers. |
| gc_delay | The maximum amount of time to wait before cleaning up the executor directories. |
| log_directory | The path to the installer host logs from the SSH processes. |
| process_timeout | The allowable amount of time, in seconds, for an action to begin after the process forks. |
| mesos_max_completed_tasks_per_framework | The number of completed tasks for each framework that the Mesos master will retain in memory. |

Security and Authentication

| Parameter | Description |
|---|---|
| auth_cookie_secure_flag Enterprise | Indicates whether to allow web browsers to send the DC/OS authentication cookie through a non-HTTPS connection. |
| bouncer_expiration_auth_token_days Enterprise | Sets the auth token time-to-live (TTL) for Identity and Access Management. |
| customer_key Enterprise | (required) The DC/OS Enterprise customer key. |
| oauth_enabled Open Source | Indicates whether to enable authentication for your cluster. |
| security Enterprise | The security mode: disabled, permissive, or strict. |
| ssh_key_path | The path that the installer uses to log into the target nodes. |
| ssh_port | The port to SSH to, for example 22. |
| ssh_user | The SSH username, for example centos. |
| superuser_password_hash Enterprise | (Required) The hashed superuser password. |
| superuser_username Enterprise | (Required) The user name of the superuser. |
| telemetry_enabled | Indicates whether to enable sharing of anonymous data for your cluster. |
| zk_super_credentials Enterprise | The ZooKeeper superuser credentials. |
| zk_master_credentials Enterprise | The ZooKeeper master credentials. |
| zk_agent_credentials Enterprise | The ZooKeeper agent credentials. |

agent_list

A YAML nested list (-) of IPv4 addresses to your private agent host names.

auth_cookie_secure_flag Enterprise

Indicates whether to allow web browsers to send the DC/OS authentication cookie through a non-HTTPS connection. Because the DC/OS authentication cookie allows access to the DC/OS cluster, it should be sent over an encrypted connection.

bootstrap_url

(Required) The URI path for the DC/OS installer to store the customized DC/OS build files. If you are using the automated DC/OS installer, you should specify bootstrap_url: file:///opt/dcos_install_tmp unless you have moved the installer assets. By default the automated DC/OS installer places the build files in file:///opt/dcos_install_tmp.

bouncer_expiration_auth_token_days Enterprise

This parameter sets the auth token time-to-live (TTL) for Identity and Access Management. You must specify the value in Python float syntax wrapped in a YAML string. By default the token expires after 5 days. For example, to set the token lifetime to half a day:

bouncer_expiration_auth_token_days: '0.5'

Small expiration periods may be harmful to DC/OS components. We recommend that this value be set to no less than 0.25. If you wish to use a lower value, contact a Mesosphere support representative for guidance.

For more information, see the security documentation.
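A pre-install check for this parameter, covering the quoting rule, the Python float syntax, and the 0.25 recommendation above. This is an added example, not part of the DC/OS installer; the function name and sample values are assumptions, and the input is the value as a YAML loader would return it.

```python
import math
from datetime import timedelta

DEFAULT_DAYS = 5.0       # default token lifetime stated above
RECOMMENDED_MIN = 0.25   # lowest value recommended above


def check_token_ttl(value):
    """Validate bouncer_expiration_auth_token_days as loaded from config.yaml.

    Returns (lifetime, findings); lifetime is None when the value is unusable.
    A value of None means the key is absent and the default applies.
    """
    if value is None:
        return timedelta(days=DEFAULT_DAYS), []
    if not isinstance(value, str):
        # An unquoted 0.5 is loaded by a YAML parser as a float, not a string.
        return None, ["error: wrap the value in quotes, for example '0.5'"]
    try:
        days = float(value)
        if not math.isfinite(days) or days <= 0:
            raise ValueError(value)
        lifetime = timedelta(days=days)
    except (ValueError, OverflowError):
        return None, [f"error: {value!r} is not a positive number of days "
                      "in Python float syntax"]

    findings = []
    if days < RECOMMENDED_MIN:
        findings.append(
            f"warning: below the recommended minimum of {RECOMMENDED_MIN} days")
    if days > DEFAULT_DAYS:
        findings.append(
            f"note: longer than the {DEFAULT_DAYS:g}-day default; "
            "a leaked token stays valid for the whole period")
    return lifetime, findings


if __name__ == "__main__":
    # Constructed sample values, as a YAML loader would hand them over.
    for sample in ["0.5", 0.5, "0.1", "30", "half", None]:
        print(repr(sample), "->", check_token_ttl(sample))
```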

cluster_docker_credentials

The dictionary of Docker credentials to pass.

Note:

You can use the following options to further configure the Docker credentials:

For more information, see the examples.

cluster_docker_credentials_enabled

Whether to pass the Mesos --docker_config option containing cluster_docker_credentials to Mesos.

cluster_docker_registry_url

The custom URL that Mesos uses to pull Docker images from. If set, it sets the Mesos --docker_registry flag to the specified URL. This changes the default URL Mesos uses for pulling Docker images. By default https://registry-1.docker.io is used.

cluster_name

The name of your cluster.

cosmos_config

The dictionary of packaging configuration to pass to the DC/OS package manager. If set, the following options must also be specified.

customer_key Enterprise

(required) The DC/OS Enterprise customer key. Customer keys are delivered via email to the Authorized Support Contact.

This key is a 128-bit hyphen-delimited hexadecimal identifier used to distinguish an individual cluster. The customer key serves as the Universally Unique Identifier (UUID) for a given installation.

Customer keys look like this:

ab1c23de-45f6-7g8h-9012-i345j6k7lm8n

For more information, see the security documentation.

dcos_audit_logging Enterprise

Indicates whether security decisions (authentication, authorization) are logged for Mesos, Marathon, and Jobs.

For more information, see the security documentation.

dcos_overlay_enable

Indicates whether to enable DC/OS virtual networks.

Important: Virtual networks require Docker version 1.11 or later. If you are using Docker 1.10 or earlier, you must specify dcos_overlay_enable: 'false'. For more information, see the system requirements.

For more information, see the example and documentation.

dns_forward_zones

Important: Available for DC/OS 1.9.1 and later.

A nested list of DNS zones, IP addresses, and ports that configure custom forwarding behavior of DNS queries. A DNS zone is mapped to a set of DNS resolvers.

A sample definition is as follows:

dns_forward_zones:
  a.contoso.com:
  - "1.1.1.1:53"
  - "2.2.2.2:53"
  b.contoso.com:
  - "3.3.3.3:53"
  - "4.4.4.4:53"

In the above example, a DNS query to myapp.a.contoso.com will be forwarded to 1.1.1.1:53 or 2.2.2.2:53. Likewise, a DNS query to myapp.b.contoso.com will be forwarded to 3.3.3.3:53 or 4.4.4.4:53.

dns_search

A space-separated list of domains that are tried when an unqualified domain is entered (e.g., domain searches that do not contain ‘.’). The Linux implementation of /etc/resolv.conf restricts the maximum number of domains to 6 and the maximum number of characters the setting can have to 256. For more information, see man resolv.conf.

A search line with the specified contents is added to the /etc/resolv.conf file of every cluster host. search can do the same things as domain and is more extensible because multiple domains can be specified.

In this example, example.com has the public website www.example.com and all of the hosts in the datacenter have fully qualified domain names that end with dc1.example.com. One of the hosts in your datacenter has the hostname foo.dc1.example.com. If dns_search is set to ‘dc1.example.com example.com’, then every DC/OS host that does a name lookup of foo will get the A record for foo.dc1.example.com. If a machine looks up www, www.dc1.example.com is checked first; because it does not exist, the search tries the next domain, looks up www.example.com, finds an A record, and returns it.

dns_search: dc1.example.com dc1.example.com example.com dc1.example.com dc2.example.com example.com
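The lookup order described above, together with a check of the resolv.conf limits, as an added example that is not part of DC/OS. The records and addresses are constructed for the foo/www scenario, and the resolver model is simplified as noted in the code. Because the first search domain that has a record wins, the order of the list decides which host an unqualified name reaches.

```python
MAX_DOMAINS = 6    # resolv.conf limit quoted above
MAX_CHARS = 256    # resolv.conf limit quoted above


def check_dns_search(value):
    """Return the problems found in a dns_search value (empty list if none)."""
    domains = value.split()
    problems = []
    if len(domains) > MAX_DOMAINS:
        problems.append(f"{len(domains)} domains listed, limit is {MAX_DOMAINS}")
    if len(value) > MAX_CHARS:
        problems.append(f"{len(value)} characters, limit is {MAX_CHARS}")
    repeated = sorted({d for d in domains if domains.count(d) > 1})
    if repeated:
        problems.append("repeated domains use up the limit: " + ", ".join(repeated))
    return problems


def candidates(name, search):
    """Names tried, in order, for a lookup of `name`.

    Simplified model: only names without a '.' go through the search list,
    as described above; real resolvers also apply the ndots option.
    """
    if "." in name:
        return [name.rstrip(".")]
    return [f"{name}.{domain}" for domain in search.split()]


def resolve(name, search, records):
    """Return (fqdn, address) for the first candidate that has a record."""
    for fqdn in candidates(name, search):
        if fqdn in records:
            return fqdn, records[fqdn]
    return None


# Constructed A records for the scenario in the text (documentation addresses).
RECORDS = {
    "foo.dc1.example.com": "192.0.2.5",
    "www.example.com": "203.0.113.10",
}
SEARCH = "dc1.example.com example.com"

if __name__ == "__main__":
    print(check_dns_search(SEARCH))
    for host in ("foo", "www", "db"):
        print(host, candidates(host, SEARCH), resolve(host, SEARCH, RECORDS))
```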

docker_remove_delay

The amount of time to wait before removing docker containers (i.e., docker rm) after Mesos regards the container as TERMINATED (e.g., 3days, 2weeks, etc). This only applies for the Docker Containerizer. It is recommended that you accept the default value 1 hour.

enable_docker_gc

Indicates whether to run the docker-gc script, a simple Docker container and image garbage collection script, once every hour to clean up stray Docker containers. You can configure the runtime behavior by using the /etc/ config. For more information, see the documentation.

exhibitor_storage_backend

The type of storage backend to use for Exhibitor. You can use internal DC/OS storage (static) or specify an external storage system (zookeeper, aws_s3, and azure) for configuring and orchestrating ZooKeeper with Exhibitor on the master nodes. Exhibitor automatically configures your ZooKeeper installation on the master nodes during your DC/OS installation.

enable_gpu_isolation

Indicates whether to enable GPU support in DC/OS.

For more information, see the GPU documentation.

gc_delay

The maximum amount of time to wait before cleaning up the executor directories. It is recommended that you accept the default value of 2 days.

gpus_are_scarce

Indicates whether to treat GPUs as a scarce resource in the cluster.

ip_detect_public_filename

The path to a file (/genconf/ip-detect-public) on your bootstrap node that contains a shell script to map internal IPs to a public IP. For example:

#!/bin/sh
set -o nounset -o errexit

curl -fsSL https://ipinfo.io/ip

log_directory

The path to the installer host logs from the SSH processes. By default this is set to /genconf/logs. In most cases this should not be changed because /genconf is local to the container that is running the installer, and is a mounted volume.

master_discovery

(Required) The Mesos master discovery method. The available options are static or master_http_loadbalancer.

Important:

master_dns_bindall

Indicates whether the master DNS port is open. An open master DNS port listens publicly on the masters. If you are upgrading, set this parameter to true.

mesos_container_log_sink

The log manager for containers (tasks). The options are:

The default is logrotate. Due to performance issues, journald is not recommended. For details, see Logging API.

mesos_max_completed_tasks_per_framework

The number of completed tasks for each framework that the Mesos master will retain in memory. In clusters with a large number of long-running frameworks, retaining too many completed tasks can cause memory issues on the master. If this parameter is not specified, the default Mesos value of 1000 is used.

oauth_enabled Open Source

Indicates whether to enable authentication for your cluster.

If you’ve already installed your cluster and would like to disable this in-place, you can go through an upgrade with the same parameter set.

public_agent_list

A YAML nested list (-) of IPv4 addresses to your public agent host names.

platform

The infrastructure platform. The value is optional, free-form with no content validation, and used for telemetry only. Please supply an appropriate value to help inform DC/OS platform prioritization decisions. Example values: aws, azure, oneview, openstack, vsphere, vagrant-virtualbox, onprem (default).

process_timeout

The allowable amount of time, in seconds, for an action to begin after the process forks. This parameter is not the complete process time. The default value is 120 seconds.

Tip: If you have a slower network, consider changing to process_timeout: 600.

resolvers

A YAML nested list (-) of DNS resolvers for your DC/OS cluster nodes. You can specify a maximum of 3 resolvers. Set this parameter to the most authoritative nameservers that you have.

Caution: If you set the resolvers parameter incorrectly, you will permanently damage your configuration and have to reinstall DC/OS.

rexray_config

The REX-Ray configuration method for enabling external persistent volumes in Marathon. REX-Ray is a storage orchestration engine. The following is an example configuration.

rexray_config:
  rexray:
    loglevel: info
    modules:
      default-admin:
        host: tcp://127.0.0.1:61003
    storageDrivers:
    - ec2
    volume:
      unmount:
        ignoreusedcount: true

See the external persistent volumes documentation for information on how to create your configuration.

security Enterprise

Use this parameter to specify a security mode other than security: permissive (the default). The possible values follow.

Refer to the security modes section for a detailed discussion of each parameter.

ssh_key_path

The path that the installer uses to log into the target nodes. By default this is set to /genconf/ssh_key. This parameter should not be changed because /genconf is local to the container that is running the installer, and is a mounted volume.

ssh_port

The port to SSH to, for example 22.

ssh_user

The SSH username, for example centos.

superuser_password_hash Enterprise

(Required) The hashed superuser password. The superuser_password_hash is generated by using the installer --hash-password flag. For more information, see the security documentation.

superuser_username Enterprise

(Required) The user name of the superuser. For more information, see the security documentation.

telemetry_enabled

Indicates whether to enable sharing of anonymous data for your cluster.

If you’ve already installed your cluster and would like to disable this in-place, you can go through an upgrade with the same parameter set.

use_proxy

Indicates whether to enable the DC/OS proxy.

Important: You should also configure an HTTP proxy for Docker.

zk_super_credentials Enterprise

On DC/OS strict and permissive mode clusters, the information stored in ZooKeeper is protected using access control lists (ACLs) so that a malicious user cannot connect to the ZooKeeper Quorum and directly modify service metadata. ACLs specify sets of resource IDs (RIDs) and actions that are associated with those IDs. ZooKeeper supports pluggable authentication schemes and has a few built-in schemes: world, auth, digest, host, and ip.

The DC/OS ZooKeeper credentials zk_super_credentials, zk_master_credentials, and zk_agent_credentials use digest authentication, which requires a <uid>:<password> string that is then used as an ID when checking whether a client can access a particular resource.

zk_super_credentials enables access to ZooKeeper’s equivalent of the root or superuser account, which has access to all resources regardless of existing ACLs. This credential allows an operator to access all the metadata stored in the ZooKeeper Quorum and is used by the DC/OS bootstrap script while initializing the cluster. Default: 'super:secret'.

To harden clusters, Mesosphere recommends that you change the defaults of all credentials to long, complex values. Once set, you can verify the settings using /opt/mesosphere/active/exhibitor/usr/zookeeper/bin/zkCli.sh available on DC/OS master nodes. By default, zkCli does not authenticate, so the nodes in the /dcos tree will not be accessible. After invoking addauth digest <zk_super_credentials> in zkCli, all the nodes in ZooKeeper will be accessible, with zk_master_credentials and zk_agent_credentials providing access to a subset of them. For example:

[zk: localhost:2181(CONNECTED) 0] addauth digest super:secret
[zk: localhost:2181(CONNECTED) 1] ls /dcos
[backup, agent, RootCA, secrets, vault, CAChainInclRoot, CAChain, CACertKeyType, ca, master]
[zk: localhost:2181(CONNECTED) 2] ls /dcos/secrets
[core, init, system, bootstrap_user, keys]
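How ZooKeeper's stock digest scheme turns a <uid>:<password> credential into the ID that appears in ACLs, with a check of the three zk_*_credentials values for the default and for short or reused passwords. This is an added example, not DC/OS code; MIN_PASSWORD_LEN, the function names and the sample values are assumptions.

```python
import base64
import hashlib

DEFAULT_SUPER = "super:secret"   # default quoted on this page
MIN_PASSWORD_LEN = 20            # assumed threshold; the page only says "long, complex"
ZK_KEYS = ("zk_super_credentials", "zk_master_credentials", "zk_agent_credentials")

def split_credential(credential):
    """Split '<uid>:<password>' at the first colon; None if malformed."""
    uid, sep, password = str(credential).partition(":")
    return (uid, password) if uid and sep and password else None

def digest_acl_id(credential):
    """ID derived by ZooKeeper's stock digest provider (SHA-1 based):
    uid:base64(sha1("uid:password"))."""
    parts = split_credential(credential)
    if parts is None:
        raise ValueError("credential must be <uid>:<password>")
    sha1 = hashlib.sha1(credential.encode("utf-8")).digest()
    return parts[0] + ":" + base64.b64encode(sha1).decode("ascii")

def audit_zk_credentials(config):
    """Return (key, finding) pairs; findings never include the password."""
    findings, first_use = [], {}
    for key in ZK_KEYS:
        value = config.get(key)
        if value is None:
            findings.append((key, "not set, so the default applies"))
            continue
        parts = split_credential(value)
        if parts is None:
            findings.append((key, "not in <uid>:<password> form"))
            continue
        password = parts[1]
        if value == DEFAULT_SUPER:
            findings.append((key, "documented default value"))
        elif len(password) < MIN_PASSWORD_LEN:
            findings.append((key, f"password shorter than {MIN_PASSWORD_LEN} characters"))
        if password in first_use:
            findings.append((key, f"password reused from {first_use[password]}"))
        first_use.setdefault(password, key)
    return findings

if __name__ == "__main__":
    sample = {  # constructed config values, not real credentials
        "zk_super_credentials": "super:secret",
        "zk_master_credentials": "master-uid:short",
    }
    for key, finding in audit_zk_credentials(sample):
        print(f"{key}: {finding}")
    print(digest_acl_id(DEFAULT_SUPER))
```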

zk_master_credentials Enterprise

Credentials used by the bootstrapping processes to access the credentials of the services that will be running on the DC/OS master nodes.

zk_agent_credentials Enterprise

Credentials used by the bootstrapping processes to access the credentials of the services that will be running on the DC/OS agent nodes.