ClusterD Agent Options

Required Flags

Flag Explanation
--master=VALUE May be one of: host:port zk://host1:port1,host2:port2,.../path zk://username:password@host1:port1,host2:port2,.../path file:///path/to/file (where file contains one of the above)
--work_dir=VALUE Path of the agent work directory. This is where executor sandboxes will be placed, as well as the agent's checkpointed state in case of failover. Note that locations like /tmp which are cleaned automatically are not suitable for the work directory when running in production, since long-running agents could lose data when cleanup occurs. (Example: /var/lib/mesos/agent)

Optional Flags

Flag Explanation
--acls=VALUE The value could be a JSON-formatted string of ACLs or a file path containing the JSON-formatted ACLs used for authorization. Path could be of the form file:///path/to/file or /path/to/file.

Note that if the --authorizer flag is provided with a value other than local, the ACLs contents will be ignored.

See the ACLs protobuf in acls.proto for the expected format.

Example:

{
  "get_endpoints": [
    {
      "principals": { "values": ["a"] },
      "paths": { "values": ["/flags", "/monitor/statistics"] }
    }
  ]
}
--agent_features=VALUE JSON representation of agent features to whitelist. We always require 'MULTI_ROLE', 'HIERARCHICAL_ROLE', 'RESERVATION_REFINEMENT', 'AGENT_OPERATION_FEEDBACK', 'RESOURCE_PROVIDER', 'AGENT_DRAINING', and 'TASK_RESOURCE_LIMITS'.

Example:


{
    "capabilities": [
        {"type": "MULTI_ROLE"},
        {"type": "HIERARCHICAL_ROLE"},
        {"type": "RESERVATION_REFINEMENT"},
        {"type": "AGENT_OPERATION_FEEDBACK"},
        {"type": "RESOURCE_PROVIDER"},
        {"type": "AGENT_DRAINING"},
        {"type": "TASK_RESOURCE_LIMITS"}
    ]
}
--agent_subsystems=VALUE,

--slave_subsystems=VALUE

List of comma-separated cgroup subsystems to run the agent binary in, e.g., memory,cpuacct. The default is none. Present functionality is intended for resource monitoring and no cgroup limits are set, they are inherited from the root mesos cgroup.
--effective_capabilities=VALUE JSON representation of the Linux capabilities that the agent will grant to a task that will be run in containers launched by the containerizer (currently only supported by the Mesos Containerizer). This set overrides the default capabilities for the user but not the capabilities requested by the framework.

To set capabilities the agent should have the SETPCAP capability.

This flag is effective iff linux/capabilities isolation is enabled. When linux/capabilities isolation is enabled, the absence of this flag implies that the operator intends to allow ALL capabilities.

Example:


{
  "capabilities": [
    "NET_RAW",
    "SYS_ADMIN"
  ]
}
--bounding_capabilities=VALUE JSON representation of the Linux capabilities that the operator will allow as the maximum level of privilege that a task launched by the containerizer may acquire (currently only supported by the Mesos Containerizer).

This flag is effective iff linux/capabilities isolation is enabled. When linux/capabilities isolation is enabled, the absence of this flag implies that the operator intends to allow ALL capabilities.

This flag has the same syntax as --effective_capabilities.

--appc_simple_discovery_uri_prefix=VALUE URI prefix to be used for simple discovery of appc images, e.g., http://, https://, hdfs://:9000/user/abc/cde. (default: http://)
--appc_store_dir=VALUE Directory the appc provisioner will store images in. (default: /tmp/mesos/store/appc)
--attributes=VALUE Attributes of the agent machine, in the form: rack:2 or rack:2;u:1
--[no-]authenticate_http_executors If true, only authenticated requests for the HTTP executor API are allowed. If false, unauthenticated requests are also allowed. This flag is only available when Mesos is built with SSL support. (default: false)
--authenticatee=VALUE Authenticatee implementation to use when authenticating against the master. Use the default crammd5, or load an alternate authenticatee module using --modules. (default: crammd5)
--authentication_backoff_factor=VALUE The agent will time out its authentication with the master based on exponential backoff. The timeout will be randomly chosen within the range [min, min + factor*2^n] where n is the number of failed attempts. To tune these parameters, set the --authentication_timeout_[min|max|factor] flags. (default: 1secs)
--authentication_timeout_min=VALUE The minimum amount of time the agent waits before retrying authenticating with the master. See --authentication_backoff_factor for more details. (default: 5secs)

NOTE that since authentication retry cancels the previous authentication request, one should consider what is the normal authentication delay when setting this flag to prevent premature retry.

--authentication_timeout_max=VALUE The maximum amount of time the agent waits before retrying authenticating with the master. See --authentication_backoff_factor for more details. (default: 1mins)
--authorizer=VALUE Authorizer implementation to use when authorizing actions that require it. Use the default local, or load an alternate authorizer module using --modules.

Note that if the --authorizer flag is provided with a value other than the default local, the ACLs passed through the --acls flag will be ignored.

--[no]-cgroups_cpu_enable_pids_and_tids_count Cgroups feature flag to enable counting of processes and threads inside a container. (default: false)
--cgroups_destroy_timeout=VALUE Amount of time allowed to destroy a cgroup hierarchy. If the cgroup hierarchy is not destroyed within the timeout, the corresponding container destroy is considered failed. (default: 1mins)
--[no]-cgroups_enable_cfs Cgroups feature flag to enable hard limits on CPU resources via the CFS bandwidth limiting subfeature. (default: false)
--enable_cgroupsv2 Enable support for cgroupsv2 (Currently only the Docker executor supports CgroupsV2. Set these flag to true, will break the Mesos contrainerizer).
--cgroups_hierarchy=VALUE The path to the cgroups hierarchy root. (default: /sys/fs/cgroup)
--[no]-cgroups_limit_swap Cgroups feature flag to enable memory limits on both memory and swap instead of just memory. (default: false)
--cgroups_net_cls_primary_handle A non-zero, 16-bit handle of the form `0xAAAA`. This will be used as the primary handle for the net_cls cgroup.
--cgroups_net_cls_secondary_handles A range of the form 0xAAAA,0xBBBB, specifying the valid secondary handles that can be used with the primary handle. This will take effect only when the --cgroups_net_cls_primary_handle is set.
--allowed_devices JSON object representing the devices that will be additionally whitelisted by cgroups devices subsystem. Noted that the following devices always be whitelisted by default:
  * /dev/console
  * /dev/tty0
  * /dev/tty1
  * /dev/pts/*
  * /dev/ptmx
  * /dev/net/tun
  * /dev/null
  * /dev/zero
  * /dev/full
  * /dev/tty
  * /dev/urandom
  * /dev/random
This flag will take effect only when cgroups/devices is set in --isolation flag.

Example:

{
  "allowed_devices": [
    {
      "device": {
        "path": "/path/to/device"
      },
      "access": {
        "read": true,
        "write": false,
        "mknod": false
      }
    }
  ]
}
--cgroups_root=VALUE Name of the root cgroup. (default: mesos)
--[no-]check_agent_port_range_only When this is true, the network/ports isolator allows tasks to listen on additional ports provided they fall outside the range published by the agent's resources. Otherwise tasks are restricted to only listen on ports for which they have been assigned resources. (default: false); This flag can't be used in conjunction with --container_ports_isolated_range.
--container_disk_watch_interval=VALUE The interval between disk quota checks for containers. This flag is used for the disk/du isolator. (default: 15secs)
--container_logger=VALUE The name of the container logger to use for logging container (i.e., executor and task) stdout and stderr. The default container logger writes to stdout and stderr files in the sandbox directory.
--container_ports_isolated_range=VALUE When this flag is set, network/ports isolator will only enforce the port isolation for the given range of ports range. This flag can't be used in conjunction with --check_agent_port_range_only. Example: [0-35000]
--container_ports_watch_interval=VALUE Interval at which the network/ports isolator should check for containers listening on ports they don't have resources for. (default: 30secs)
--containerizers=VALUE Comma-separated list of containerizer implementations to compose in order to provide containerization. Available options are mesos and docker (on Linux). The order the containerizers are specified is the order they are tried. (default: mesos)
--credential=VALUE Path to a JSON-formatted file containing the credential to use to authenticate with the master. Path could be of the form file:///path/to/file or /path/to/file. Example:
{
  "principal": "username",
  "secret": "secret"
}
--default_container_dns=VALUE JSON-formatted DNS information for CNI networks (Mesos containerizer) and CNM networks (Docker containerizer). For CNI networks, this flag can be used to configure `nameservers`, `domain`, `search` and `options`, and its priority is lower than the DNS information returned by a CNI plugin, but higher than the DNS information in agent host's /etc/resolv.conf. For CNM networks, this flag can be used to configure `nameservers`, `search` and `options`, it will only be used if there is no DNS information provided in the ContainerInfo.docker.parameters message.

See the ContainerDNS message in `flags.proto` for the expected format.

Example:

{
  "mesos": [
    {
      "network_mode": "CNI",
      "network_name": "net1",
      "dns": {
        "nameservers": [ "8.8.8.8", "8.8.4.4" ]
      }
    }
  ],
  "docker": [
    {
      "network_mode": "BRIDGE",
      "dns": {
        "nameservers": [ "8.8.8.8", "8.8.4.4" ]
      }
    },
    {
      "network_mode": "USER",
      "network_name": "net2",
      "dns": {
        "nameservers": [ "8.8.8.8", "8.8.4.4" ]
      }
    }
  ]
}
--default_container_info=VALUE JSON-formatted ContainerInfo that will be included into any ExecutorInfo that does not specify a ContainerInfo.

See the ContainerInfo protobuf in mesos.proto for the expected format.

Example:

{
  "type": "MESOS",
  "volumes": [
    {
      "host_path": ".private/tmp",
      "container_path": "/tmp",
      "mode": "RW"
    }
  ]
}
--default_role=VALUE Any resources in the --resources flag that omit a role, as well as any resources that are not present in --resources but that are automatically detected, will be assigned to this role. (default: *)
--default_container_shm_size The default size of the /dev/shm for the container which has its own /dev/shm but does not specify the shm_size field in its LinuxInfo. The format is [number][unit], number must be a positive integer and unit can be B (bytes), KB (kilobytes), MB (megabytes), GB (gigabytes) or TB (terabytes). Note that this flag is only relevant for the Mesos Containerizer and it will be ignored if the namespaces/ipc isolator is not enabled.
--[no-]disallow_sharing_agent_ipc_namespace If set to true, each top-level container will have its own IPC namespace and /dev/shm, and if the framework requests to share the agent IPC namespace and /dev/shm for the top level container, the container launch will be rejected. If set to false, the top-level containers will share the IPC namespace and /dev/shm with agent if the framework requests it. This flag will be ignored if the namespaces/ipc isolator is not enabled. (default: false)
--[no-]disallow_sharing_agent_pid_namespace If set to true, each top-level container will have its own pid namespace, and if the framework requests to share the agent pid namespace for the top level container, the container launch will be rejected. If set to false, the top-level containers will share the pid namespace with agent if the framework requests it. This flag will be ignored if the namespaces/pid isolator is not enabled. (default: false)
--disk_profile_adaptor=VALUE The name of the disk profile adaptor module that storage resource providers should use for translating a 'disk profile' into inputs consumed by various Container Storage Interface (CSI) plugins. If this flag is not specified, the default behavior for storage resource providers is to only expose resources for pre-existing volumes and not publish RAW volumes.
--disk_watch_interval=VALUE Periodic time interval (e.g., 10secs, 2mins, etc) to check the overall disk usage managed by the agent. This drives the garbage collection of archived information and sandboxes. (default: 1mins)
--docker=VALUE The absolute path to the docker executable for docker containerizer. (default: docker)
--docker_config=VALUE The default docker config file for agent. Can be provided either as an absolute path pointing to the agent local docker config file, or as a JSON-formatted string. The format of the docker config file should be identical to docker's default one (e.g., either $HOME/.docker/config.json or $HOME/.dockercfg). Example JSON ($HOME/.docker/config.json):
{
  "auths": {
    "https://index.docker.io/v1/": {
      "auth": "xXxXxXxXxXx=",
      "email": "username@example.com"
    }
  }
}
--docker_ignore_runtime=VALUE Ignore any runtime configuration specified in the Docker image. The Mesos containerizer will not propagate Docker runtime specifications such as WORKDIR, ENV and CMD to the container. (default: false)
--[no-]docker_kill_orphans Enable docker containerizer to kill orphaned containers. You should consider setting this to false when you launch multiple agents in the same OS, to avoid one of the DockerContainerizer removing docker tasks launched by other agents. (default: true)
--docker_mesos_image=VALUE The Docker image used to launch this Mesos agent instance. If an image is specified, the docker containerizer assumes the agent is running in a docker container, and launches executors with docker containers in order to recover them when the agent restarts and recovers.
--docker_registry=VALUE The default url for Mesos containerizer to pull Docker images. It could either be a Docker registry server url (e.g., https://registry.docker.io), or a source that Docker image archives (result of docker save) are stored. The Docker archive source could be specified either as a local path (e.g., /tmp/docker/images), or as an HDFS URI (*experimental*) (e.g., hdfs://localhost:8020/archives/). Note that this option won't change the default registry server for Docker containerizer. (default: https://registry-1.docker.io)
--docker_remove_delay=VALUE The amount of time to wait before removing docker containers (i.e., `docker rm`) after Mesos regards the container as TERMINATED (e.g., 3days, 2weeks, etc). This only applies for the Docker Containerizer. (default: 6hrs)
--docker_socket=VALUE Resource used by the agent and the executor to provide CLI access to the Docker daemon. On Unix, this is typically a path to a socket, such as /var/run/docker.sock. On Windows this must be a named pipe, such as //./pipe/docker_engine. NOTE: This must be the path used by the Docker image used to run the agent. (default: //./pipe/docker_engine on Windows; /var/run/docker.sock on other platforms).
--docker_stop_timeout=VALUE The time docker daemon waits after stopping a container before killing that container. This flag is deprecated; use task's kill policy instead. (default: 0ns)
--docker_store_dir=VALUE Directory the Docker provisioner will store images in (default: /tmp/mesos/store/docker)
--docker_volume_checkpoint_dir=VALUE The root directory where we checkpoint the information about docker volumes that each container uses. (default: /var/run/mesos/isolators/docker/volume)
--[no-]docker_volume_chown Whether to chown the docker volume's mount point non-recursively to the container user. Please notice that this flag is not recommended to turn on if there is any docker volume shared by multiple non-root users. By default, this flag is off. (default: false)
--domain_socket_location=VALUE Location on the host filesystem of the domain socket used for communication with executors. Alternatively, this can be set to 'systemd:<identifier>' to use the domain socket with the given identifier, which is expected to be passed by systemd.

This flag will be ignored unless the --http_executor_domain_sockets flag is also set to true.

Total path length must be less than 108 characters.

Will be set to <runtime_dir>/agent.sock by default.

--[no-]enforce_container_disk_quota Whether to enable disk quota enforcement for containers. This flag is used by the disk/du and disk/xfs isolators. (default: false)
--[no-]enforce_container_ports Whether to enable network port enforcement for containers. This flag is used by the network/ports isolator. (default: false)
--executor_environment_variables=VALUE JSON object representing the environment variables that should be passed to the executor, and thus subsequently task(s). By default this flag is none. Users have to define executor environment explicitly. Example:
{
  "PATH": "/bin:/usr/bin",
  "LD_LIBRARY_PATH": "/usr/local/lib"
}
--executor_registration_timeout=VALUE Amount of time to wait for an executor to register with the agent before considering it hung and shutting it down (e.g., 60secs, 3mins, etc) (default: 1mins)
--executor_reregistration_timeout=VALUE The timeout within which an executor is expected to reregister after the agent has restarted, before the agent considers it gone and shuts it down. Note that currently, the agent will not reregister with the master until this timeout has elapsed (see MESOS-7539). (default: 2secs)
--executor_reregistration_retry_interval=VALUE For PID-based executors, how long the agent waits before retrying the reconnect message sent to the executor during recovery. NOTE: Do not use this unless you understand the following (see MESOS-5332): PID-based executors using Mesos libraries >= 1.1.2 always re-link with the agent upon receiving the reconnect message. This avoids the executor replying on a half-open TCP connection to the old agent (possible if netfilter is dropping packets, see: MESOS-7057). However, PID-based executors using Mesos libraries < 1.1.2 do not re-link and are therefore prone to replying on a half-open connection after the agent restarts. If we only send a single reconnect message, these "old" executors will reply on their half-open connection and receive a RST; without any retries, they will fail to reconnect and be killed by the agent once the executor re-registration timeout elapses. To ensure these "old" executors can reconnect in the presence of netfilter dropping packets, we introduced optional retries of the reconnect message. This results in "old" executors correctly establishing a link when processing the second reconnect message. (default: no retries)
--max_completed_executors_per_framework=VALUE Maximum number of completed executors per framework to store in memory. (default: 150)
--jwt_secret_key=VALUE Path to a file containing the key used when generating JWT secrets. This flag is only available when Mesos is built with SSL support.
--executor_shutdown_grace_period=VALUE Default amount of time to wait for an executor to shut down (e.g. 60secs, 3mins, etc). ExecutorInfo.shutdown_grace_period overrides this default. Note that the executor must not assume that it will always be allotted the full grace period, as the agent may decide to allot a shorter period, and failures / forcible terminations may occur. (default: 5secs)
--fetcher_cache_dir=VALUE Parent directory for fetcher cache directories (one subdirectory per agent). (default: /tmp/mesos/fetch)

Directory for the fetcher cache. The agent will clear this directory on startup. It is recommended to set this value to a separate volume for several reasons:

  • The cache directories are transient and not meant to be backed up. Upon restarting the agent, the cache is always empty.
  • The cache and container sandboxes can potentially interfere with each other when occupying a shared space (i.e. disk contention).
--fetcher_cache_size=VALUE Size of the fetcher cache in Bytes. (default: 2GB)
--fetcher_stall_timeout=VALUE Amount of time for the fetcher to wait before considering a download being too slow and abort it when the download stalls (i.e., the speed keeps below one byte per second). NOTE: This feature only applies when downloading data from the net and does not apply to HDFS. (default: 1mins)
--frameworks_home=VALUE Directory path prepended to relative executor URIs (default: )
--gc_delay=VALUE Maximum amount of time to wait before cleaning up executor directories (e.g., 3days, 2weeks, etc). Note that this delay may be shorter depending on the available disk usage. (default: 1weeks)
--gc_disk_headroom=VALUE Adjust disk headroom used to calculate maximum executor directory age. Age is calculated by: gc_delay * max(0.0, (1.0 - gc_disk_headroom - disk usage)) every --disk_watch_interval duration. gc_disk_headroom must be a value between 0.0 and 1.0 (default: 0.1)
--[no-]gc_non_executor_container_sandboxes Determines whether nested container sandboxes created via the LAUNCH_CONTAINER and LAUNCH_NESTED_CONTAINER APIs will be automatically garbage collected by the agent upon termination. The REMOVE_(NESTED_)CONTAINER API is unaffected by this flag and can still be used. (default: false).
--hadoop_home=VALUE Path to find Hadoop installed (for fetching framework executors from HDFS) (no default, look for HADOOP_HOME in environment or find hadoop on PATH)
--host_path_volume_force_creation A colon-separated list of directories where descendant directories are allowed to be created by the volume/host_path isolator, if the directories do not exist.
--http_credentials=VALUE Path to a JSON-formatted file containing credentials. These credentials are used to authenticate HTTP endpoints on the agent. Path can be of the form file:///path/to/file or /path/to/file.

Example:

{
  "credentials": [
    {
      "principal": "yoda",
      "secret": "usetheforce"
    }
  ]
}
--[no-]http_command_executor The underlying executor library to be used for the command executor. If set to true, the command executor would use the HTTP based executor library to interact with the Mesos agent. If set to false, the driver based implementation would be used. NOTE: This flag is *experimental* and should not be used in production yet. (default: false)
--http_executor_domain_sockets If true, the agent will provide a unix domain sockets that the executor can use to connect to the agent, instead of relying on a TCP connection.
--http_heartbeat_interval=VALUE This flag sets a heartbeat interval (e.g. '5secs', '10mins') for messages to be sent over persistent connections made against the agent HTTP API. Currently, this only applies to the LAUNCH_NESTED_CONTAINER_SESSION and ATTACH_CONTAINER_OUTPUT calls. (default: 30secs)
--image_providers=VALUE Comma-separated list of supported image providers, e.g., APPC,DOCKER.
--image_provisioner_backend=VALUE Strategy for provisioning container rootfs from images, e.g., aufs, bind, copy, overlay.
--image_gc_config=VALUE JSON-formatted configuration for automatic container image garbage collection. This is an optional flag. If it is not set, it means the automatic container image gc is not enabled. Users have to trigger image gc manually via the operator API. If it is set, the auto image gc is enabled. This image gc config can be provided either as a path pointing to a local file, or as a JSON-formatted string. Please note that the image garbage collection only work with Mesos Containerizer for now.

See the ImageGcConfig message in `flags.proto` for the expected format.

In the following example, image garbage collection is configured to sample disk usage every hour, and will attempt to maintain at least 10% of free space on the container image filesystem:

{
  "image_disk_headroom": 0.1,
  "image_disk_watch_interval": {
    "nanoseconds": 3600000000000
  },
  "excluded_images": []
}
--ip6=VALUE IPv6 address to listen on. This cannot be used in conjunction with --ip6_discovery_command.

NOTE: Currently Mesos doesn't listen on IPv6 sockets and hence this IPv6 address is only used to advertise IPv6 addresses for containers running on the host network.

--ip6_discovery_command=VALUE Optional IPv6 discovery binary: if set, it is expected to emit the IPv6 address on which Mesos will try to bind when IPv6 socket support is enabled in Mesos.

NOTE: Currently Mesos doesn't listen on IPv6 sockets and hence this IPv6 address is only used to advertise IPv6 addresses for containers running on the host network.

--isolation=VALUE Isolation mechanisms to use, e.g., posix/cpu,posix/mem (or windows/cpu,windows/mem if you are on Windows), or cgroups/cpu,cgroups/mem, or network/port_mapping (configure with flag: --with-network-isolator to enable), or gpu/nvidia for nvidia specific gpu isolation, or load an alternate isolator module using the --modules flag. If cgroups/all is specified, any other cgroups related isolation options (e.g., cgroups/cpu) will be ignored, and all the local enabled cgroups subsystems on the agent host will be automatically loaded by the cgroups isolator. Note that this flag is only relevant for the Mesos Containerizer. (default: windows/cpu,windows/mem on Windows; posix/cpu,posix/mem on other platforms)
--launcher=VALUE The launcher to be used for Mesos containerizer. It could either be linux or posix. The Linux launcher is required for cgroups isolation and for any isolators that require Linux namespaces such as network, pid, etc. If unspecified, the agent will choose the Linux launcher if it's running as root on Linux.
--launcher_dir=VALUE Directory path of Mesos binaries. Mesos looks for the fetcher, containerizer, and executor binary files under this directory. (default: /usr/local/libexec/mesos)
--master_detector=VALUE The symbol name of the master detector to use. This symbol should exist in a module specified through the --modules flag. Cannot be used in conjunction with --master.
--nvidia_gpu_devices=VALUE A comma-separated list of Nvidia GPU devices. When gpus is specified in the --resources flag, this flag determines which GPU devices will be made available. The devices should be listed as numbers that correspond to Nvidia's NVML device enumeration (as seen by running the command nvidia-smi on an Nvidia GPU equipped system). The GPUs listed will only be isolated if the --isolation flag contains the string gpu/nvidia.
--network_cni_plugins_dir=VALUE Directory path of the CNI plugin binaries. The network/cni isolator will find CNI plugins under this directory so that it can execute the plugins to add/delete container from the CNI networks. It is the operator's responsibility to install the CNI plugin binaries in the specified directory.
--network_cni_config_dir=VALUE Directory path of the CNI network configuration files. For each network that containers launched in Mesos agent can connect to, the operator should install a network configuration file in JSON format in the specified directory.
--[no-]network_cni_root_dir_persist This setting controls whether the CNI root directory persists across reboot or not.
--[no-]network_cni_metrics This setting controls whether the networking metrics of the CNI isolator should be exposed.
--oversubscribed_resources_interval=VALUE The agent periodically updates the master with the current estimation about the total amount of oversubscribed resources that are allocated and available. The interval between updates is controlled by this flag. (default: 15secs)
--perf_duration=VALUE Duration of a perf stat sample. The duration must be less than the perf_interval. (default: 10secs)
--perf_events=VALUE List of command-separated perf events to sample for each container when using the perf_event isolator. Default is none. Run command perf list to see all events. Event names are sanitized by downcasing and replacing hyphens with underscores when reported in the PerfStatistics protobuf, e.g., cpu-cycles becomes cpu_cycles; see the PerfStatistics protobuf for all names.
--perf_interval=VALUE Interval between the start of perf stat samples. Perf samples are obtained periodically according to perf_interval and the most recently obtained sample is returned rather than sampling on demand. For this reason, perf_interval is independent of the resource monitoring interval. (default: 60secs)
--qos_controller=VALUE The name of the QoS Controller to use for oversubscription.
--qos_correction_interval_min=VALUE The agent polls and carries out QoS corrections from the QoS Controller based on its observed performance of running tasks. The smallest interval between these corrections is controlled by this flag. (default: 0secs)
--reconfiguration_policy=VALUE This flag controls which agent configuration changes are considered acceptable when recovering the previous agent state. Possible values: equal: The old and the new state must match exactly. additive: The new state must be a superset of the old state: it is permitted to add additional resources, attributes and domains but not to remove or to modify existing ones.

Note that this only affects the checking done on the agent itself, the master may still reject the agent if it detects a change that it considers unacceptable, which, e.g., currently happens when port or hostname are changed. (default: equal)

--recover=VALUE Whether to recover status updates and reconnect with old executors. Valid values for recover are reconnect: Reconnect with any old live executors. cleanup : Kill any old live executors and exit. Use this option when doing an incompatible agent or executor upgrade!). (default: reconnect)
--recovery_timeout=VALUE Amount of time allotted for the agent to recover. If the agent takes longer than recovery_timeout to recover, any executors that are waiting to reconnect to the agent will self-terminate. (default: 15mins)
--registration_backoff_factor=VALUE Agent initially picks a random amount of time between [0, b], where b = registration_backoff_factor, to (re-)register with a new master. Subsequent retries are exponentially backed off based on this interval (e.g., 1st retry uses a random value between [0, b * 2^1], 2nd retry between [0, b * 2^2], 3rd retry between [0, b * 2^3], etc) up to a maximum of 1mins (default: 1secs)
--resource_estimator=VALUE The name of the resource estimator to use for oversubscription.
--resources=VALUE Total consumable resources per agent. Can be provided in JSON format or as a semicolon-delimited list of key:value pairs, with the role optionally specified.

As a key:value list: name(role):value;name:value...

To use JSON, pass a JSON-formatted string or use --resources=filepath to specify the resources via a file containing a JSON-formatted string. 'filepath' can only be of the form file:///path/to/file.

Example JSON:

[
  {
    "name": "cpus",
    "type": "SCALAR",
    "scalar": {
      "value": 24
    }
  },
  {
    "name": "mem",
    "type": "SCALAR",
    "scalar": {
      "value": 24576
    }
  }
]
--resource_provider_config_dir=VALUE Path to a directory that contains local resource provider configs. Each file in the config dir should contain a JSON object representing a ResourceProviderInfo object. Each local resource provider provides resources that are local to the agent. It is also responsible for handling operations on the resources it provides. Please note that resources field might not need to be specified if the resource provider determines the resources automatically.

Example config file in this directory:

{
  "type": "org.mesos.apache.rp.local.storage",
  "name": "lvm"
}
--csi_plugin_config_dir=VALUE Path to a directory that contains CSI plugin configs. Each file in the config dir should contain a JSON object representing a CSIPluginInfo object which can be either a managed CSI plugin (i.e. the plugin launched by Mesos as a standalone container) or an unmanaged CSI plugin (i.e. the plugin launched out of Mesos).

Example config files in this directory:

{
  "type": "org.apache.mesos.csi.managed-plugin",
  "containers": [
    {
      "services": [
        "NODE_SERVICE"
      ],
      "command": {
        "value": " --endpoint=$CSI_ENDPOINT"
      },
      "resources": [
        {"name": "cpus", "type": "SCALAR", "scalar": {"value": 0.1}},
        {"name": "mem", "type": "SCALAR", "scalar": {"value": 1024}}
      ]
    }
  ]
}
{
  "type": "org.apache.mesos.csi.unmanaged-plugin",
  "endpoints": [
    {
      "csi_service": "NODE_SERVICE",
      "endpoint": "/var/lib/unmanaged-plugin/csi.sock"
    }
  ],
  "target_path_root": "/mnt/unmanaged-plugin"
}
--[no-]revocable_cpu_low_priority Run containers with revocable CPU at a lower priority than normal containers (non-revocable cpu). Currently only supported by the cgroups/cpu isolator. (default: true)
--runtime_dir Path of the agent runtime directory. This is where runtime data is stored by an agent that it needs to persist across crashes (but not across reboots). This directory will be cleared on reboot. (Example: /var/run/mesos)
--sandbox_directory=VALUE The absolute path for the directory in the container where the sandbox is mapped to. (default: /mnt/mesos/sandbox)
--[no-]strict If strict=true, any and all recovery errors are considered fatal. If strict=false, any expected errors (e.g., agent cannot recover information about an executor, because the agent died right before the executor registered.) during recovery are ignored and as much state as possible is recovered. (default: true)
--secret_resolver=VALUE The name of the secret resolver module to use for resolving environment and file-based secrets. If this flag is not specified, the default behavior is to resolve value-based secrets and error on reference-based secrets.
--[no-]switch_user If set to true, the agent will attempt to run tasks as the user who submitted them (as defined in FrameworkInfo) (this requires setuid permission and that the given user exists on the agent). If the user does not exist, an error occurs and the task will fail. If set to false, tasks will be run as the same user as the Mesos agent process. NOTE: This feature is not yet supported on Windows agent, and therefore the flag currently does not exist on that platform. (default: true)
--[no-]systemd_enable_support Top level control of systemd support. When enabled, features such as executor life-time extension are enabled unless there is an explicit flag to disable these (see other flags). This should be enabled when the agent is launched as a systemd unit. (default: true)
--systemd_runtime_directory=VALUE The path to the systemd system run time directory. (default: /run/systemd/system)
--volume_gid_range=VALUE When this flag is specified, if a task running as non-root user uses a shared persistent volume or a PARENT type SANDBOX_PATH volume, the volume will be owned by a gid allocated from this range and have the `setgid` bit set, and the task process will be launched with the gid as its supplementary group to make sure it can access the volume. (Example: [10000-20000])

Network Isolator Flags

Available when configured with --with-network-isolator.

Flag Explanation
--ephemeral_ports_per_container=VALUE Number of ephemeral ports allocated to a container by the network isolator. This number has to be a power of 2. This flag is used for the network/port_mapping isolator. (default: 1024)
--eth0_name=VALUE The name of the public network interface (e.g., eth0). If it is not specified, the network isolator will try to guess it based on the host default gateway. This flag is used for the network/port_mapping isolator.
--lo_name=VALUE The name of the loopback network interface (e.g., lo). If it is not specified, the network isolator will try to guess it. This flag is used for the network/port_mapping isolator.
--egress_rate_limit_per_container=VALUE The limit of the egress traffic for each container, in Bytes/s. If not specified or specified as zero, the network isolator will impose no limits to containers' egress traffic throughput. This flag uses the Bytes type (defined in stout) and is used for the network/port_mapping isolator.
--[no-]egress_unique_flow_per_container Whether to assign an individual flow for each container for the egress traffic. This flag is used for the network/port_mapping isolator. (default: false)
--egress_flow_classifier_parent=VALUE When egress_unique_flow_per_container is enabled, we need to install a flow classifier (fq_codel) qdisc on egress side. This flag specifies where to install it in the hierarchy. By default, we install it at root.
--[no-]network_enable_socket_statistics_summary Whether to collect socket statistics summary for each container. This flag is used for the network/port_mapping isolator. (default: false)
--[no-]network_enable_socket_statistics_details Whether to collect socket statistics details (e.g., TCP RTT) for each container. This flag is used for the network/port_mapping isolator. (default: false)
--[no-]network_enable_snmp_statistics Whether to collect SNMP statistics details (e.g., TCPRetransSegs) for each container. This flag is used for the 'network/port_mapping' isolator. (default: false)

Seccomp Isolator flags

Available when configured with --enable-seccomp-isolator.

Flag Explanation
--seccomp_config_dir=VALUE Directory path of the Seccomp profiles. If a container is launched with a specified Seccomp profile name, the linux/seccomp isolator will try to locate a Seccomp profile in the specified directory.
--seccomp_profile_name=VALUE Path of the default Seccomp profile relative to the seccomp_config_dir. If this flag is specified, the linux/seccomp isolator applies the Seccomp profile by default when launching a new Mesos container. NOTE: A Seccomp profile must be compatible with the Docker Seccomp profile format (e.g., https://github.com/moby/moby/blob/master/profiles/seccomp/default.json).

XFS Disk Isolator flags

Available when configured with --enable-xfs-disk-isolator.

Flag Explanation
--xfs_project_range=VALUE The ranges of XFS project IDs that the isolator can use to track disk quotas for container sandbox directories. Valid project IDs range from 1 to max(uint32). (default `[5000-10000]`)