ClusterD Agent Options
Required Flags
| Flag | Explanation |
|---|---|
| --master=VALUE |
May be one of:
host:port
zk://host1:port1,host2:port2,.../path
zk://username:password@host1:port1,host2:port2,.../path
file:///path/to/file (where file contains one of the above)
|
| --work_dir=VALUE |
Path of the agent work directory. This is where executor sandboxes
will be placed, as well as the agent's checkpointed state in case of
failover. Note that locations like /tmp which are cleaned
automatically are not suitable for the work directory when running in
production, since long-running agents could lose data when cleanup
occurs. (Example: /var/lib/mesos/agent)
|
Optional Flags
| Flag | Explanation |
|---|---|
| --acls=VALUE |
The value could be a JSON-formatted string of ACLs
or a file path containing the JSON-formatted ACLs used
for authorization. Path could be of the form file:///path/to/file
or /path/to/file.
Note that if the --authorizer flag is provided with a value
other than local, the ACLs contents will be
ignored.
See the ACLs protobuf in acls.proto for the expected format.
Example:
|
| --agent_features=VALUE |
JSON representation of agent features to whitelist. We always require
'MULTI_ROLE', 'HIERARCHICAL_ROLE', 'RESERVATION_REFINEMENT',
'AGENT_OPERATION_FEEDBACK', 'RESOURCE_PROVIDER', 'AGENT_DRAINING', and
'TASK_RESOURCE_LIMITS'.
Example:
|
| --agent_subsystems=VALUE, --slave_subsystems=VALUE |
List of comma-separated cgroup subsystems to run the agent binary
in, e.g., memory,cpuacct. The default is none.
Present functionality is intended for resource monitoring and
no cgroup limits are set, they are inherited from the root mesos
cgroup.
|
| --effective_capabilities=VALUE |
JSON representation of the Linux capabilities that the agent will
grant to a task that will be run in containers launched by the
containerizer (currently only supported by the Mesos Containerizer).
This set overrides the default capabilities for the user but not
the capabilities requested by the framework.
To set capabilities the agent should have the SETPCAP capability.
This flag is effective iff linux/capabilities isolation is enabled.
When linux/capabilities isolation is enabled, the absence of this flag
implies that the operator intends to allow ALL capabilities.
Example:
|
| --bounding_capabilities=VALUE |
JSON representation of the Linux capabilities that the operator
will allow as the maximum level of privilege that a task launched
by the containerizer may acquire (currently only supported by the
Mesos Containerizer).
This flag is effective iff linux/capabilities isolation is enabled.
When linux/capabilities isolation is enabled, the absence of this flag
implies that the operator intends to allow ALL capabilities.
This flag has the same syntax as --effective_capabilities.
|
| --appc_simple_discovery_uri_prefix=VALUE |
URI prefix to be used for simple discovery of appc images,
e.g., http://, https://,
hdfs://.
(default: http://)
|
| --appc_store_dir=VALUE | Directory the appc provisioner will store images in. (default: /tmp/mesos/store/appc) |
| --attributes=VALUE |
Attributes of the agent machine, in the form:
rack:2 or rack:2;u:1
|
| --[no-]authenticate_http_executors |
If true, only authenticated requests for the HTTP executor API are
allowed. If false, unauthenticated requests are also allowed. This
flag is only available when Mesos is built with SSL support.
(default: false)
|
| --authenticatee=VALUE |
Authenticatee implementation to use when authenticating against the
master. Use the default crammd5, or
load an alternate authenticatee module using --modules. (default: crammd5)
|
| --authentication_backoff_factor=VALUE |
The agent will time out its authentication with the master based on
exponential backoff. The timeout will be randomly chosen within the
range [min, min + factor*2^n] where n is the number
of failed attempts. To tune these parameters, set the
--authentication_timeout_[min|max|factor] flags. (default: 1secs)
|
| --authentication_timeout_min=VALUE |
The minimum amount of time the agent waits before retrying authenticating
with the master. See --authentication_backoff_factor for more
details. (default: 5secs)
NOTE that since authentication retry cancels the previous authentication
request, one should consider what is the normal authentication delay when
setting this flag to prevent premature retry.
|
| --authentication_timeout_max=VALUE |
The maximum amount of time the agent waits before retrying authenticating
with the master. See --authentication_backoff_factor for more
details. (default: 1mins)
|
| --authorizer=VALUE |
Authorizer implementation to use when authorizing actions that
require it.
Use the default local, or
load an alternate authorizer module using --modules.
Note that if the --authorizer flag is provided with a value
other than the default local, the ACLs
passed through the --acls flag will be ignored.
|
| --[no]-cgroups_cpu_enable_pids_and_tids_count | Cgroups feature flag to enable counting of processes and threads inside a container. (default: false) |
| --cgroups_destroy_timeout=VALUE | Amount of time allowed to destroy a cgroup hierarchy. If the cgroup hierarchy is not destroyed within the timeout, the corresponding container destroy is considered failed. (default: 1mins) |
| --[no]-cgroups_enable_cfs | Cgroups feature flag to enable hard limits on CPU resources via the CFS bandwidth limiting subfeature. (default: false) |
| --enable_cgroupsv2 | Enable support for cgroupsv2 (Currently only the Docker executor supports CgroupsV2. Set these flag to true, will break the Mesos contrainerizer). |
| --cgroups_hierarchy=VALUE | The path to the cgroups hierarchy root. (default: /sys/fs/cgroup) |
| --[no]-cgroups_limit_swap | Cgroups feature flag to enable memory limits on both memory and swap instead of just memory. (default: false) |
| --cgroups_net_cls_primary_handle | A non-zero, 16-bit handle of the form `0xAAAA`. This will be used as the primary handle for the net_cls cgroup. |
| --cgroups_net_cls_secondary_handles |
A range of the form 0xAAAA,0xBBBB, specifying the valid secondary
handles that can be used with the primary handle. This will take
effect only when the --cgroups_net_cls_primary_handle is set.
|
| --allowed_devices |
JSON object representing the devices that will be additionally
whitelisted by cgroups devices subsystem. Noted that the following
devices always be whitelisted by default:
cgroups/devices is set in
--isolation flag.
Example:
|
| --cgroups_root=VALUE | Name of the root cgroup. (default: mesos) |
| --[no-]check_agent_port_range_only |
When this is true, the network/ports isolator allows tasks to
listen on additional ports provided they fall outside the range
published by the agent's resources. Otherwise tasks are restricted
to only listen on ports for which they have been assigned resources.
(default: false); This flag can't be used in conjunction with
--container_ports_isolated_range.
|
| --container_disk_watch_interval=VALUE |
The interval between disk quota checks for containers. This flag is
used for the disk/du isolator. (default: 15secs)
|
| --container_logger=VALUE |
The name of the container logger to use for logging container
(i.e., executor and task) stdout and stderr. The default
container logger writes to stdout and stderr files
in the sandbox directory.
|
| --container_ports_isolated_range=VALUE |
When this flag is set, network/ports isolator will only enforce
the port isolation for the given range of ports range. This flag can't
be used in conjunction with --check_agent_port_range_only.
Example: [0-35000]
|
| --container_ports_watch_interval=VALUE |
Interval at which the network/ports isolator should check for
containers listening on ports they don't have resources for.
(default: 30secs)
|
| --containerizers=VALUE |
Comma-separated list of containerizer implementations
to compose in order to provide containerization.
Available options are mesos and
docker (on Linux). The order the containerizers
are specified is the order they are tried.
(default: mesos)
|
| --credential=VALUE |
Path to a JSON-formatted file containing the credential
to use to authenticate with the master.
Path could be of the form file:///path/to/file or /path/to/file.
Example:
|
| --default_container_dns=VALUE |
JSON-formatted DNS information for CNI networks (Mesos containerizer)
and CNM networks (Docker containerizer). For CNI networks, this flag
can be used to configure `nameservers`, `domain`, `search` and
`options`, and its priority is lower than the DNS information returned
by a CNI plugin, but higher than the DNS information in agent host's
/etc/resolv.conf. For CNM networks, this flag can be used to configure
`nameservers`, `search` and `options`, it will only be used if there
is no DNS information provided in the ContainerInfo.docker.parameters
message.
See the ContainerDNS message in `flags.proto` for the expected format.
Example:
|
| --default_container_info=VALUE |
JSON-formatted ContainerInfo that will be included into
any ExecutorInfo that does not specify a ContainerInfo.
See the ContainerInfo protobuf in mesos.proto for
the expected format.
Example:
|
| --default_role=VALUE |
Any resources in the --resources flag that
omit a role, as well as any resources that
are not present in --resources but that are
automatically detected, will be assigned to
this role. (default: *)
|
| --default_container_shm_size |
The default size of the /dev/shm for the container which has its own
/dev/shm but does not specify the shm_size field in its
LinuxInfo. The format is [number][unit], number must be
a positive integer and unit can be B (bytes), KB (kilobytes), MB
(megabytes), GB (gigabytes) or TB (terabytes). Note that this flag is
only relevant for the Mesos Containerizer and it will be ignored if
the namespaces/ipc isolator is not enabled.
|
| --[no-]disallow_sharing_agent_ipc_namespace |
If set to true, each top-level container will have its own IPC
namespace and /dev/shm, and if the framework requests to share the agent IPC
namespace and /dev/shm for the top level container, the container launch will
be rejected. If set to false, the top-level containers will share
the IPC namespace and /dev/shm with agent if the framework requests it. This
flag will be ignored if the namespaces/ipc isolator is not enabled.
(default: false)
|
| --[no-]disallow_sharing_agent_pid_namespace |
If set to true, each top-level container will have its own pid
namespace, and if the framework requests to share the agent pid namespace for
the top level container, the container launch will be rejected. If set to
false, the top-level containers will share the pid namespace with
agent if the framework requests it. This flag will be ignored if the
namespaces/pid isolator is not enabled.
(default: false)
|
| --disk_profile_adaptor=VALUE | The name of the disk profile adaptor module that storage resource providers should use for translating a 'disk profile' into inputs consumed by various Container Storage Interface (CSI) plugins. If this flag is not specified, the default behavior for storage resource providers is to only expose resources for pre-existing volumes and not publish RAW volumes. |
| --disk_watch_interval=VALUE | Periodic time interval (e.g., 10secs, 2mins, etc) to check the overall disk usage managed by the agent. This drives the garbage collection of archived information and sandboxes. (default: 1mins) |
| --docker=VALUE | The absolute path to the docker executable for docker containerizer. (default: docker) |
| --docker_config=VALUE |
The default docker config file for agent. Can be provided either as an
absolute path pointing to the agent local docker config file, or as a
JSON-formatted string. The format of the docker config file should be
identical to docker's default one (e.g., either
$HOME/.docker/config.json or $HOME/.dockercfg).
Example JSON ($HOME/.docker/config.json):
|
| --docker_ignore_runtime=VALUE |
Ignore any runtime configuration specified in the Docker image. The
Mesos containerizer will not propagate Docker runtime specifications
such as WORKDIR, ENV and CMD
to the container.
(default: false)
|
| --[no-]docker_kill_orphans | Enable docker containerizer to kill orphaned containers. You should consider setting this to false when you launch multiple agents in the same OS, to avoid one of the DockerContainerizer removing docker tasks launched by other agents. (default: true) |
| --docker_mesos_image=VALUE | The Docker image used to launch this Mesos agent instance. If an image is specified, the docker containerizer assumes the agent is running in a docker container, and launches executors with docker containers in order to recover them when the agent restarts and recovers. |
| --docker_registry=VALUE |
The default url for Mesos containerizer to pull Docker images. It could
either be a Docker registry server url (e.g., https://registry.docker.io),
or a source that Docker image archives (result of docker save) are
stored. The Docker archive source could be specified either as a local
path (e.g., /tmp/docker/images), or as an HDFS URI (*experimental*)
(e.g., hdfs://localhost:8020/archives/). Note that this option won't
change the default registry server for Docker containerizer.
(default: https://registry-1.docker.io)
|
| --docker_remove_delay=VALUE |
The amount of time to wait before removing docker containers (i.e., `docker rm`)
after Mesos regards the container as TERMINATED
(e.g., 3days, 2weeks, etc).
This only applies for the Docker Containerizer. (default: 6hrs)
|
| --docker_socket=VALUE |
Resource used by the agent and the executor to provide CLI access to the
Docker daemon. On Unix, this is typically a path to a socket, such as
/var/run/docker.sock. On Windows this must be a named pipe,
such as //./pipe/docker_engine. NOTE: This must be the path
used by the Docker image used to run the agent. (default:
//./pipe/docker_engine on Windows; /var/run/docker.sock on other
platforms).
|
| --docker_stop_timeout=VALUE | The time docker daemon waits after stopping a container before killing that container. This flag is deprecated; use task's kill policy instead. (default: 0ns) |
| --docker_store_dir=VALUE | Directory the Docker provisioner will store images in (default: /tmp/mesos/store/docker) |
| --docker_volume_checkpoint_dir=VALUE | The root directory where we checkpoint the information about docker volumes that each container uses. (default: /var/run/mesos/isolators/docker/volume) |
| --[no-]docker_volume_chown | Whether to chown the docker volume's mount point non-recursively to the container user. Please notice that this flag is not recommended to turn on if there is any docker volume shared by multiple non-root users. By default, this flag is off. (default: false) |
| --domain_socket_location=VALUE |
Location on the host filesystem of the domain socket used for
communication with executors. Alternatively, this can be set to
'systemd:<identifier>' to use the domain socket
with the given identifier, which is expected to be passed by systemd.
This flag will be ignored unless the Total path length must be less than 108 characters. Will be set to |
| --[no-]enforce_container_disk_quota |
Whether to enable disk quota enforcement for containers. This flag
is used by the disk/du and disk/xfs isolators. (default: false)
|
| --[no-]enforce_container_ports |
Whether to enable network port enforcement for containers. This flag
is used by the network/ports isolator. (default: false)
|
| --executor_environment_variables=VALUE |
JSON object representing the environment variables that should be
passed to the executor, and thus subsequently task(s). By default this
flag is none. Users have to define executor environment explicitly.
Example:
|
| --executor_registration_timeout=VALUE | Amount of time to wait for an executor to register with the agent before considering it hung and shutting it down (e.g., 60secs, 3mins, etc) (default: 1mins) |
| --executor_reregistration_timeout=VALUE | The timeout within which an executor is expected to reregister after the agent has restarted, before the agent considers it gone and shuts it down. Note that currently, the agent will not reregister with the master until this timeout has elapsed (see MESOS-7539). (default: 2secs) |
| --executor_reregistration_retry_interval=VALUE | For PID-based executors, how long the agent waits before retrying the reconnect message sent to the executor during recovery. NOTE: Do not use this unless you understand the following (see MESOS-5332): PID-based executors using Mesos libraries >= 1.1.2 always re-link with the agent upon receiving the reconnect message. This avoids the executor replying on a half-open TCP connection to the old agent (possible if netfilter is dropping packets, see: MESOS-7057). However, PID-based executors using Mesos libraries < 1.1.2 do not re-link and are therefore prone to replying on a half-open connection after the agent restarts. If we only send a single reconnect message, these "old" executors will reply on their half-open connection and receive a RST; without any retries, they will fail to reconnect and be killed by the agent once the executor re-registration timeout elapses. To ensure these "old" executors can reconnect in the presence of netfilter dropping packets, we introduced optional retries of the reconnect message. This results in "old" executors correctly establishing a link when processing the second reconnect message. (default: no retries) |
| --max_completed_executors_per_framework=VALUE | Maximum number of completed executors per framework to store in memory. (default: 150) |
| --jwt_secret_key=VALUE | Path to a file containing the key used when generating JWT secrets. This flag is only available when Mesos is built with SSL support. |
| --executor_shutdown_grace_period=VALUE | Default amount of time to wait for an executor to shut down (e.g. 60secs, 3mins, etc). ExecutorInfo.shutdown_grace_period overrides this default. Note that the executor must not assume that it will always be allotted the full grace period, as the agent may decide to allot a shorter period, and failures / forcible terminations may occur. (default: 5secs) |
| --fetcher_cache_dir=VALUE |
Parent directory for fetcher cache directories
(one subdirectory per agent). (default: /tmp/mesos/fetch)
Directory for the fetcher cache. The agent will clear this directory on startup. It is recommended to set this value to a separate volume for several reasons:
|
| --fetcher_cache_size=VALUE | Size of the fetcher cache in Bytes. (default: 2GB) |
| --fetcher_stall_timeout=VALUE | Amount of time for the fetcher to wait before considering a download being too slow and abort it when the download stalls (i.e., the speed keeps below one byte per second). NOTE: This feature only applies when downloading data from the net and does not apply to HDFS. (default: 1mins) |
| --frameworks_home=VALUE | Directory path prepended to relative executor URIs (default: ) |
| --gc_delay=VALUE | Maximum amount of time to wait before cleaning up executor directories (e.g., 3days, 2weeks, etc). Note that this delay may be shorter depending on the available disk usage. (default: 1weeks) |
| --gc_disk_headroom=VALUE |
Adjust disk headroom used to calculate maximum executor
directory age. Age is calculated by:
gc_delay * max(0.0, (1.0 - gc_disk_headroom - disk usage))
every --disk_watch_interval duration. gc_disk_headroom must
be a value between 0.0 and 1.0 (default: 0.1)
|
| --[no-]gc_non_executor_container_sandboxes |
Determines whether nested container sandboxes created via the
LAUNCH_CONTAINER and LAUNCH_NESTED_CONTAINER APIs will be
automatically garbage collected by the agent upon termination.
The REMOVE_(NESTED_)CONTAINER API is unaffected by this flag
and can still be used. (default: false).
|
| --hadoop_home=VALUE |
Path to find Hadoop installed (for
fetching framework executors from HDFS)
(no default, look for HADOOP_HOME in
environment or find hadoop on PATH)
|
| --host_path_volume_force_creation |
A colon-separated list of directories where descendant directories are
allowed to be created by the volume/host_path isolator,
if the directories do not exist.
|
| --http_credentials=VALUE |
Path to a JSON-formatted file containing credentials. These
credentials are used to authenticate HTTP endpoints on the agent.
Path can be of the form file:///path/to/file or /path/to/file.
Example:
|
| --[no-]http_command_executor |
The underlying executor library to be used for the command executor.
If set to true, the command executor would use the HTTP based
executor library to interact with the Mesos agent. If set to false,
the driver based implementation would be used.
NOTE: This flag is *experimental* and should not be used in
production yet. (default: false)
|
| --http_executor_domain_sockets | If true, the agent will provide a unix domain sockets that the executor can use to connect to the agent, instead of relying on a TCP connection. |
| --http_heartbeat_interval=VALUE |
This flag sets a heartbeat interval (e.g. '5secs', '10mins') for
messages to be sent over persistent connections made against
the agent HTTP API. Currently, this only applies to the
LAUNCH_NESTED_CONTAINER_SESSION and ATTACH_CONTAINER_OUTPUT calls.
(default: 30secs)
|
| --image_providers=VALUE |
Comma-separated list of supported image providers,
e.g., APPC,DOCKER.
|
| --image_provisioner_backend=VALUE |
Strategy for provisioning container rootfs from images, e.g., aufs,
bind, copy, overlay.
|
| --image_gc_config=VALUE |
JSON-formatted configuration for automatic container image garbage
collection. This is an optional flag. If it is not set, it means
the automatic container image gc is not enabled. Users have to
trigger image gc manually via the operator API. If it is set, the
auto image gc is enabled. This image gc config can be provided either
as a path pointing to a local file, or as a JSON-formatted string.
Please note that the image garbage collection only work with Mesos
Containerizer for now.
See the ImageGcConfig message in `flags.proto` for the expected
format.
In the following example, image garbage collection is configured to
sample disk usage every hour, and will attempt to maintain at least
10% of free space on the container image filesystem:
|
| --ip6=VALUE |
IPv6 address to listen on. This cannot be used in conjunction
with --ip6_discovery_command.
NOTE: Currently Mesos doesn't listen on IPv6 sockets and hence
this IPv6 address is only used to advertise IPv6 addresses for
containers running on the host network.
|
| --ip6_discovery_command=VALUE | Optional IPv6 discovery binary: if set, it is expected to emit the IPv6 address on which Mesos will try to bind when IPv6 socket support is enabled in Mesos. NOTE: Currently Mesos doesn't listen on IPv6 sockets and hence this IPv6 address is only used to advertise IPv6 addresses for containers running on the host network. |
| --isolation=VALUE |
Isolation mechanisms to use, e.g., posix/cpu,posix/mem (or
windows/cpu,windows/mem if you are on Windows), or
cgroups/cpu,cgroups/mem, or network/port_mapping
(configure with flag: --with-network-isolator to enable),
or gpu/nvidia for nvidia specific gpu isolation, or load an alternate
isolator module using the --modules flag. If cgroups/all
is specified, any other cgroups related isolation options (e.g.,
cgroups/cpu) will be ignored, and all the local enabled cgroups
subsystems on the agent host will be automatically loaded by the cgroups isolator.
Note that this flag is only relevant for the Mesos Containerizer. (default:
windows/cpu,windows/mem on Windows; posix/cpu,posix/mem on other platforms)
|
| --launcher=VALUE |
The launcher to be used for Mesos containerizer. It could either be
linux or posix. The Linux launcher is required for cgroups
isolation and for any isolators that require Linux namespaces such as
network, pid, etc. If unspecified, the agent will choose the Linux
launcher if it's running as root on Linux.
|
| --launcher_dir=VALUE | Directory path of Mesos binaries. Mesos looks for the fetcher, containerizer, and executor binary files under this directory. (default: /usr/local/libexec/mesos) |
| --master_detector=VALUE |
The symbol name of the master detector to use. This symbol should exist in a
module specified through the --modules flag. Cannot be used in
conjunction with --master.
|
| --nvidia_gpu_devices=VALUE |
A comma-separated list of Nvidia GPU devices. When gpus is specified
in the --resources flag, this flag determines which GPU devices will
be made available. The devices should be listed as numbers that
correspond to Nvidia's NVML device enumeration (as seen by running the
command nvidia-smi on an Nvidia GPU equipped system). The GPUs
listed will only be isolated if the --isolation flag contains the
string gpu/nvidia.
|
| --network_cni_plugins_dir=VALUE |
Directory path of the CNI plugin binaries. The network/cni
isolator will find CNI plugins under this directory so that it can execute
the plugins to add/delete container from the CNI networks. It is the operator's
responsibility to install the CNI plugin binaries in the specified directory.
|
| --network_cni_config_dir=VALUE | Directory path of the CNI network configuration files. For each network that containers launched in Mesos agent can connect to, the operator should install a network configuration file in JSON format in the specified directory. |
| --[no-]network_cni_root_dir_persist | This setting controls whether the CNI root directory persists across reboot or not. |
| --[no-]network_cni_metrics | This setting controls whether the networking metrics of the CNI isolator should be exposed. |
| --oversubscribed_resources_interval=VALUE | The agent periodically updates the master with the current estimation about the total amount of oversubscribed resources that are allocated and available. The interval between updates is controlled by this flag. (default: 15secs) |
| --perf_duration=VALUE |
Duration of a perf stat sample. The duration must be less
than the perf_interval. (default: 10secs)
|
| --perf_events=VALUE |
List of command-separated perf events to sample for each container
when using the perf_event isolator. Default is none.
Run command perf list to see all events. Event names are
sanitized by downcasing and replacing hyphens with underscores
when reported in the PerfStatistics protobuf, e.g., cpu-cycles
becomes cpu_cycles; see the PerfStatistics protobuf for all names.
|
| --perf_interval=VALUE |
Interval between the start of perf stat samples. Perf samples are
obtained periodically according to perf_interval and the most
recently obtained sample is returned rather than sampling on
demand. For this reason, perf_interval is independent of the
resource monitoring interval. (default: 60secs)
|
| --qos_controller=VALUE | The name of the QoS Controller to use for oversubscription. |
| --qos_correction_interval_min=VALUE | The agent polls and carries out QoS corrections from the QoS Controller based on its observed performance of running tasks. The smallest interval between these corrections is controlled by this flag. (default: 0secs) |
| --reconfiguration_policy=VALUE |
This flag controls which agent configuration changes are considered
acceptable when recovering the previous agent state. Possible values:
equal: The old and the new state must match exactly.
additive: The new state must be a superset of the old state:
it is permitted to add additional resources, attributes
and domains but not to remove or to modify existing ones.
Note that this only affects the checking done on the agent itself, the master may still reject the agent if it detects a change that it considers unacceptable, which, e.g., currently happens when port or hostname are changed. (default: equal) |
| --recover=VALUE |
Whether to recover status updates and reconnect with old executors.
Valid values for recover are
reconnect: Reconnect with any old live executors.
cleanup : Kill any old live executors and exit.
Use this option when doing an incompatible agent
or executor upgrade!). (default: reconnect)
|
| --recovery_timeout=VALUE | Amount of time allotted for the agent to recover. If the agent takes longer than recovery_timeout to recover, any executors that are waiting to reconnect to the agent will self-terminate. (default: 15mins) |
| --registration_backoff_factor=VALUE |
Agent initially picks a random amount of time between [0, b], where
b = registration_backoff_factor, to (re-)register with a new master.
Subsequent retries are exponentially backed off based on this
interval (e.g., 1st retry uses a random value between [0, b * 2^1],
2nd retry between [0, b * 2^2], 3rd retry between [0, b * 2^3],
etc) up to a maximum of 1mins (default: 1secs)
|
| --resource_estimator=VALUE | The name of the resource estimator to use for oversubscription. |
| --resources=VALUE |
Total consumable resources per agent. Can be provided in JSON format
or as a semicolon-delimited list of key:value pairs, with the role
optionally specified.
As a key:value list:
name(role):value;name:value...
To use JSON, pass a JSON-formatted string or use
--resources=filepath to specify the resources via a file containing
a JSON-formatted string. 'filepath' can only be of the form
file:///path/to/file.
Example JSON:
|
| --resource_provider_config_dir=VALUE |
Path to a directory that contains local resource provider configs.
Each file in the config dir should contain a JSON object representing
a ResourceProviderInfo object. Each local resource
provider provides resources that are local to the agent. It is also
responsible for handling operations on the resources it provides.
Please note that resources field might not need to be
specified if the resource provider determines the resources
automatically.
Example config file in this directory:
|
| --csi_plugin_config_dir=VALUE |
Path to a directory that contains CSI plugin configs.
Each file in the config dir should contain a JSON object representing
a CSIPluginInfo object which can be either a managed CSI
plugin (i.e. the plugin launched by Mesos as a standalone container)
or an unmanaged CSI plugin (i.e. the plugin launched out of Mesos).
Example config files in this directory:
|
| --[no-]revocable_cpu_low_priority | Run containers with revocable CPU at a lower priority than normal containers (non-revocable cpu). Currently only supported by the cgroups/cpu isolator. (default: true) |
| --runtime_dir |
Path of the agent runtime directory. This is where runtime data
is stored by an agent that it needs to persist across crashes (but
not across reboots). This directory will be cleared on reboot.
(Example: /var/run/mesos)
|
| --sandbox_directory=VALUE | The absolute path for the directory in the container where the sandbox is mapped to. (default: /mnt/mesos/sandbox) |
| --[no-]strict |
If strict=true, any and all recovery errors are considered fatal.
If strict=false, any expected errors (e.g., agent cannot recover
information about an executor, because the agent died right before
the executor registered.) during recovery are ignored and as much
state as possible is recovered.
(default: true)
|
| --secret_resolver=VALUE | The name of the secret resolver module to use for resolving environment and file-based secrets. If this flag is not specified, the default behavior is to resolve value-based secrets and error on reference-based secrets. |
| --[no-]switch_user |
If set to true, the agent will attempt to run tasks as
the user who submitted them (as defined in FrameworkInfo)
(this requires setuid permission and that the given user
exists on the agent).
If the user does not exist, an error occurs and the task will fail.
If set to false, tasks will be run as the same user as the Mesos
agent process.
NOTE: This feature is not yet supported on Windows agent, and
therefore the flag currently does not exist on that platform. (default: true)
|
| --[no-]systemd_enable_support | Top level control of systemd support. When enabled, features such as executor life-time extension are enabled unless there is an explicit flag to disable these (see other flags). This should be enabled when the agent is launched as a systemd unit. (default: true) |
| --systemd_runtime_directory=VALUE | The path to the systemd system run time directory. (default: /run/systemd/system) |
| --volume_gid_range=VALUE |
When this flag is specified, if a task running as non-root user uses a
shared persistent volume or a PARENT type SANDBOX_PATH volume, the
volume will be owned by a gid allocated from this range and have the
`setgid` bit set, and the task process will be launched with the gid
as its supplementary group to make sure it can access the volume.
(Example: [10000-20000])
|
Network Isolator Flags
Available when configured with --with-network-isolator.
| Flag | Explanation |
|---|---|
| --ephemeral_ports_per_container=VALUE |
Number of ephemeral ports allocated to a container by the network
isolator. This number has to be a power of 2. This flag is used
for the network/port_mapping isolator. (default: 1024)
|
| --eth0_name=VALUE |
The name of the public network interface (e.g., eth0). If it is
not specified, the network isolator will try to guess it based
on the host default gateway. This flag is used for the
network/port_mapping isolator.
|
| --lo_name=VALUE |
The name of the loopback network interface (e.g., lo). If it is
not specified, the network isolator will try to guess it. This
flag is used for the network/port_mapping isolator.
|
| --egress_rate_limit_per_container=VALUE |
The limit of the egress traffic for each container, in Bytes/s.
If not specified or specified as zero, the network isolator will
impose no limits to containers' egress traffic throughput.
This flag uses the Bytes type (defined in stout) and is used for
the network/port_mapping isolator.
|
| --[no-]egress_unique_flow_per_container |
Whether to assign an individual flow for each container for the
egress traffic. This flag is used for the network/port_mapping
isolator. (default: false)
|
| --egress_flow_classifier_parent=VALUE |
When egress_unique_flow_per_container is enabled, we need to install
a flow classifier (fq_codel) qdisc on egress side. This flag specifies
where to install it in the hierarchy. By default, we install it at root.
|
| --[no-]network_enable_socket_statistics_summary |
Whether to collect socket statistics summary for each container.
This flag is used for the network/port_mapping isolator.
(default: false)
|
| --[no-]network_enable_socket_statistics_details |
Whether to collect socket statistics details (e.g., TCP RTT) for
each container. This flag is used for the network/port_mapping
isolator. (default: false)
|
| --[no-]network_enable_snmp_statistics | Whether to collect SNMP statistics details (e.g., TCPRetransSegs) for each container. This flag is used for the 'network/port_mapping' isolator. (default: false) |
Seccomp Isolator flags
Available when configured with --enable-seccomp-isolator.
| Flag | Explanation |
|---|---|
| --seccomp_config_dir=VALUE |
Directory path of the Seccomp profiles.
If a container is launched with a specified Seccomp profile name,
the linux/seccomp isolator will try to locate a Seccomp
profile in the specified directory.
|
| --seccomp_profile_name=VALUE |
Path of the default Seccomp profile relative to the seccomp_config_dir.
If this flag is specified, the linux/seccomp isolator applies the Seccomp
profile by default when launching a new Mesos container.
NOTE: A Seccomp profile must be compatible with the
Docker Seccomp profile format (e.g., https://github.com/moby/moby/blob/master/profiles/seccomp/default.json).
|
XFS Disk Isolator flags
Available when configured with --enable-xfs-disk-isolator.
| Flag | Explanation |
|---|---|
| --xfs_project_range=VALUE | The ranges of XFS project IDs that the isolator can use to track disk quotas for container sandbox directories. Valid project IDs range from 1 to max(uint32). (default `[5000-10000]`) |