2 #####################################
3 # Akka Remote Reference Config File #
4 #####################################
6 # This is the reference config file that contains all the default settings.
7 # Make your edits/overrides in your application.conf.
9 # comments about akka.actor settings left out where they are already in akka-
10 # actor.jar, because otherwise they would be repeated in config rendering.
12 # For the configuration of the new remoting implementation (Artery) please look
13 # at the bottom section of this file as it is listed separately.
20 akka-containers = "akka.remote.serialization.MessageContainerSerializer"
21 akka-misc = "akka.remote.serialization.MiscMessageSerializer"
22 artery = "akka.remote.serialization.ArteryMessageSerializer"
23 proto = "akka.remote.serialization.ProtobufSerializer"
24 daemon-create = "akka.remote.serialization.DaemonMsgCreateSerializer"
25 akka-system-msg = "akka.remote.serialization.SystemMessageSerializer"
28 serialization-bindings {
29 "akka.actor.ActorSelectionMessage" = akka-containers
31 "akka.remote.DaemonMsgCreate" = daemon-create
33 "akka.remote.artery.ArteryMessage" = artery
35 # Since akka.protobuf.Message does not extend Serializable but
36 # GeneratedMessage does, need to use the more specific one here in order
38 # This is only loaded if akka-protobuf is on the classpath
39 # It should not be used and users should migrate to using the protobuf classes
42 "akka.protobuf.GeneratedMessage" = proto
44 "akka.protobufv3.internal.GeneratedMessageV3" = proto
46 # Since com.google.protobuf.Message does not extend Serializable but
47 # GeneratedMessage does, need to use the more specific one here in order
49 # This com.google.protobuf serialization binding is only used if the class can be loaded,
50 # i.e. com.google.protobuf dependency has been added in the application project.
51 "com.google.protobuf.GeneratedMessage" = proto
52 "com.google.protobuf.GeneratedMessageV3" = proto
54 "akka.actor.Identify" = akka-misc
55 "akka.actor.ActorIdentity" = akka-misc
56 "scala.Some" = akka-misc
57 "scala.None$" = akka-misc
58 "java.util.Optional" = akka-misc
59 "akka.actor.Status$Success" = akka-misc
60 "akka.actor.Status$Failure" = akka-misc
61 "akka.actor.ActorRef" = akka-misc
62 "akka.actor.PoisonPill$" = akka-misc
63 "akka.actor.Kill$" = akka-misc
64 "akka.remote.RemoteWatcher$Heartbeat$" = akka-misc
65 "akka.remote.RemoteWatcher$HeartbeatRsp" = akka-misc
66 "akka.Done" = akka-misc
67 "akka.NotUsed" = akka-misc
68 "akka.actor.Address" = akka-misc
69 "akka.remote.UniqueAddress" = akka-misc
71 "akka.actor.ActorInitializationException" = akka-misc
72 "akka.actor.IllegalActorStateException" = akka-misc
73 "akka.actor.ActorKilledException" = akka-misc
74 "akka.actor.InvalidActorNameException" = akka-misc
75 "akka.actor.InvalidMessageException" = akka-misc
76 "java.util.concurrent.TimeoutException" = akka-misc
77 "akka.remote.serialization.ThrowableNotSerializableException" = akka-misc
79 "akka.actor.LocalScope$" = akka-misc
80 "akka.remote.RemoteScope" = akka-misc
82 "com.typesafe.config.impl.SimpleConfig" = akka-misc
83 "com.typesafe.config.Config" = akka-misc
85 "akka.routing.FromConfig" = akka-misc
86 "akka.routing.DefaultResizer" = akka-misc
87 "akka.routing.BalancingPool" = akka-misc
88 "akka.routing.BroadcastGroup" = akka-misc
89 "akka.routing.BroadcastPool" = akka-misc
90 "akka.routing.RandomGroup" = akka-misc
91 "akka.routing.RandomPool" = akka-misc
92 "akka.routing.RoundRobinGroup" = akka-misc
93 "akka.routing.RoundRobinPool" = akka-misc
94 "akka.routing.ScatterGatherFirstCompletedGroup" = akka-misc
95 "akka.routing.ScatterGatherFirstCompletedPool" = akka-misc
96 "akka.routing.SmallestMailboxPool" = akka-misc
97 "akka.routing.TailChoppingGroup" = akka-misc
98 "akka.routing.TailChoppingPool" = akka-misc
99 "akka.remote.routing.RemoteRouterConfig" = akka-misc
101 "akka.pattern.StatusReply" = akka-misc
103 "akka.dispatch.sysmsg.SystemMessage" = akka-system-msg
105 # Java Serializer is by default used for exceptions and will by default
106 # not be allowed to be serialized, but in certain cases they are replaced
107 # by `akka.remote.serialization.ThrowableNotSerializableException` if
108 # no specific serializer has been defined:
109 # - when wrapped in `akka.actor.Status.Failure` for ask replies
110 # - when wrapped in system messages for exceptions from remote deployed child actors
112 # It's recommended that you implement custom serializer for exceptions that are
113 # sent remotely, You can add binding to akka-misc (MiscMessageSerializer) for the
114 # exceptions that have a constructor with single message String or constructor with
115 # message String as first parameter and cause Throwable as second parameter. Note that it's not
116 # safe to add this binding for general exceptions such as IllegalArgumentException
117 # because it may have a subclass without required constructor.
118 "java.lang.Throwable" = java
121 serialization-identifiers {
122 "akka.remote.serialization.ProtobufSerializer" = 2
123 "akka.remote.serialization.DaemonMsgCreateSerializer" = 3
124 "akka.remote.serialization.MessageContainerSerializer" = 6
125 "akka.remote.serialization.MiscMessageSerializer" = 16
126 "akka.remote.serialization.ArteryMessageSerializer" = 17
128 "akka.remote.serialization.SystemMessageSerializer" = 22
130 # deprecated in 2.6.0, moved to akka-actor
131 "akka.remote.serialization.LongSerializer" = 18
132 # deprecated in 2.6.0, moved to akka-actor
133 "akka.remote.serialization.IntSerializer" = 19
134 # deprecated in 2.6.0, moved to akka-actor
135 "akka.remote.serialization.StringSerializer" = 20
136 # deprecated in 2.6.0, moved to akka-actor
137 "akka.remote.serialization.ByteStringSerializer" = 21
144 # if this is set to a valid remote address, the named actor will be
145 # deployed at that node e.g. "akka://sys@host:port"
150 # A list of hostnames and ports for instantiating the children of a
152 # The format should be on "akka://sys@host:port", where:
153 # - sys is the remote actor system name
154 # - hostname can be either hostname or IP address the remote actor
156 # - port should be the port for the remote server on the other node
157 # The number of actor instances to be spawned is still taken from the
158 # nr-of-instances setting as for local routers; the instances will be
159 # distributed round-robin among the given nodes.
168 ### Settings shared by classic remoting and Artery (the new implementation of remoting)
170 # Using remoting directly is typically not desirable, so a warning will
171 # be shown to make this clear. Set this setting to 'off' to suppress that
173 warn-about-direct-use = on
176 # If Cluster is not used, remote watch and deployment are disabled.
177 # To optionally use them while not using Cluster, set to 'on'.
178 use-unsafe-remote-features-outside-cluster = off
180 # A warning will be logged on remote watch attempts if Cluster
181 # is not in use and 'use-unsafe-remote-features-outside-cluster'
182 # is 'off'. Set this to 'off' to suppress these.
183 warn-unsafe-watch-outside-cluster = on
185 # Settings for the Phi accrual failure detector (http://www.jaist.ac.jp/~defago/files/pdf/IS_RR_2004_010.pdf
186 # [Hayashibara et al]) used for remote death watch.
187 # The default PhiAccrualFailureDetector will trigger if there are no heartbeats within
188 # the duration heartbeat-interval + acceptable-heartbeat-pause + threshold_adjustment,
189 # i.e. around 12.5 seconds with default settings.
190 watch-failure-detector {
192 # FQCN of the failure detector implementation.
193 # It must implement akka.remote.FailureDetector and have
194 # a public constructor with a com.typesafe.config.Config and
195 # akka.actor.EventStream parameter.
196 implementation-class = "akka.remote.PhiAccrualFailureDetector"
198 # How often keep-alive heartbeat messages should be sent to each connection.
199 heartbeat-interval = 1 s
201 # Defines the failure detector threshold.
202 # A low threshold is prone to generate many wrong suspicions but ensures
203 # a quick detection in the event of a real crash. Conversely, a high
204 # threshold generates fewer mistakes but needs more time to detect
208 # Number of the samples of inter-heartbeat arrival times to adaptively
209 # calculate the failure timeout for connections.
210 max-sample-size = 200
212 # Minimum standard deviation to use for the normal distribution in
213 # AccrualFailureDetector. Too low standard deviation might result in
214 # too much sensitivity for sudden, but normal, deviations in heartbeat
215 # inter arrival times.
216 min-std-deviation = 100 ms
218 # Number of potentially lost/delayed heartbeats that will be
219 # accepted before considering it to be an anomaly.
220 # This margin is important to be able to survive sudden, occasional,
221 # pauses in heartbeat arrivals, due to for example garbage collect or
223 acceptable-heartbeat-pause = 10 s
226 # How often to check for nodes marked as unreachable by the failure
228 unreachable-nodes-reaper-interval = 1s
230 # After the heartbeat request has been sent the first failure detection
231 # will start after this period, even though no heartbeat mesage has
233 expected-response-after = 1 s
237 # remote deployment configuration section
239 # deprecated, use `enable-allow-list`
240 enable-whitelist = off
242 # If true, will only allow specific classes listed in `allowed-actor-classes` to be instanciated on this
243 # system via remote deployment
244 enable-allow-list = ${akka.remote.deployment.enable-whitelist}
247 # deprecated, use `allowed-actor-classes`
250 allowed-actor-classes = ${akka.remote.deployment.whitelist}
253 ### Default dispatcher for the remoting subsystem
254 default-remote-dispatcher {
256 executor = "fork-join-executor"
259 parallelism-factor = 0.5
275 ### Configuration for classic remoting. Classic remoting is deprecated, use artery.
278 # If set to a nonempty string remoting will use the given dispatcher for
279 # its internal actors otherwise the default dispatcher is used. Please note
280 # that since remoting can load arbitrary 3rd party drivers (see
281 # "enabled-transport" and "adapters" entries) it is not guaranteed that
282 # every module will respect this setting.
283 use-dispatcher = "akka.remote.default-remote-dispatcher"
285 # Settings for the failure detector to monitor connections.
286 # For TCP it is not important to have fast failure detection, since
287 # most connection failures are captured by TCP itself.
288 # The default DeadlineFailureDetector will trigger if there are no heartbeats within
289 # the duration heartbeat-interval + acceptable-heartbeat-pause, i.e. 124 seconds
290 # with the default settings.
291 transport-failure-detector {
293 # FQCN of the failure detector implementation.
294 # It must implement akka.remote.FailureDetector and have
295 # a public constructor with a com.typesafe.config.Config and
296 # akka.actor.EventStream parameter.
297 implementation-class = "akka.remote.DeadlineFailureDetector"
299 # How often keep-alive heartbeat messages should be sent to each connection.
300 heartbeat-interval = 4 s
302 # Number of potentially lost/delayed heartbeats that will be
303 # accepted before considering it to be an anomaly.
304 # A margin to the `heartbeat-interval` is important to be able to survive sudden,
305 # occasional, pauses in heartbeat arrivals, due to for example garbage collect or
307 acceptable-heartbeat-pause = 120 s
311 # Timeout after which the startup of the remoting subsystem is considered
312 # to be failed. Increase this value if your transport drivers (see the
313 # enabled-transports section) need longer time to be loaded.
314 startup-timeout = 10 s
316 # Timout after which the graceful shutdown of the remoting subsystem is
317 # considered to be failed. After the timeout the remoting system is
318 # forcefully shut down. Increase this value if your transport drivers
319 # (see the enabled-transports section) need longer time to stop properly.
320 shutdown-timeout = 10 s
322 # Before shutting down the drivers, the remoting subsystem attempts to flush
323 # all pending writes. This setting controls the maximum time the remoting is
324 # willing to wait before moving on to shut down the drivers.
325 flush-wait-on-shutdown = 2 s
327 # Reuse inbound connections for outbound messages
328 use-passive-connections = on
330 # Controls the backoff interval after a refused write is reattempted.
331 # (Transports may refuse writes if their internal buffer is full)
332 backoff-interval = 5 ms
334 # Acknowledgment timeout of management commands sent to the transport stack.
335 command-ack-timeout = 30 s
337 # The timeout for outbound associations to perform the handshake.
338 # If the transport is akka.remote.classic.netty.tcp or akka.remote.classic.netty.ssl
339 # the configured connection-timeout for the transport will be used instead.
340 handshake-timeout = 15 s
342 ### Security settings
344 # Enable untrusted mode for full security of server managed actors, prevents
345 # system messages to be send by clients, e.g. messages like 'Create',
346 # 'Suspend', 'Resume', 'Terminate', 'Supervise', 'Link' etc.
349 # When 'untrusted-mode=on' inbound actor selections are by default discarded.
350 # Actors with paths defined in this list are granted permission to receive actor
351 # selections messages.
352 # E.g. trusted-selection-paths = ["/user/receptionist", "/user/namingService"]
353 trusted-selection-paths = []
357 # If this is "on", Akka will log all inbound messages at DEBUG level,
358 # if off then they are not logged
359 log-received-messages = off
361 # If this is "on", Akka will log all outbound messages at DEBUG level,
362 # if off then they are not logged
363 log-sent-messages = off
365 # Sets the log granularity level at which Akka logs remoting events. This setting
366 # can take the values OFF, ERROR, WARNING, INFO, DEBUG, or ON. For compatibility
367 # reasons the setting "on" will default to "debug" level. Please note that the effective
368 # logging level is still determined by the global logging level of the actor system:
369 # for example debug level remoting events will be only logged if the system
370 # is running with debug level logging.
371 # Failures to deserialize received messages also fall under this flag.
372 log-remote-lifecycle-events = on
374 # Logging of message types with payload size in bytes larger than
375 # this value. Maximum detected size per message type is logged once,
376 # with an increase threshold of 10%.
377 # By default this feature is turned off. Activate it by setting the property to
378 # a value in bytes, such as 1000b. Note that for all messages larger than this
379 # limit there will be extra performance and scalability cost.
380 log-frame-size-exceeding = off
382 # Log warning if the number of messages in the backoff buffer in the endpoint
383 # writer exceeds this limit. It can be disabled by setting the value to off.
384 log-buffer-size-exceeding = 50000
386 # After failed to establish an outbound connection, the remoting will mark the
387 # address as failed. This configuration option controls how much time should
388 # be elapsed before reattempting a new connection. While the address is
389 # gated, all messages sent to the address are delivered to dead-letters.
390 # Since this setting limits the rate of reconnects setting it to a
391 # very short interval (i.e. less than a second) may result in a storm of
392 # reconnect attempts.
393 retry-gate-closed-for = 5 s
395 # After catastrophic communication failures that result in the loss of system
396 # messages or after the remote DeathWatch triggers the remote system gets
397 # quarantined to prevent inconsistent behavior.
398 # This setting controls how long the Quarantine marker will be kept around
399 # before being removed to avoid long-term memory leaks.
400 # WARNING: DO NOT change this to a small value to re-enable communication with
401 # quarantined nodes. Such feature is not supported and any behavior between
402 # the affected systems after lifting the quarantine is undefined.
403 prune-quarantine-marker-after = 5 d
405 # If system messages have been exchanged between two systems (i.e. remote death
406 # watch or remote deployment has been used) a remote system will be marked as
407 # quarantined after the two system has no active association, and no
408 # communication happens during the time configured here.
409 # The only purpose of this setting is to avoid storing system message redelivery
410 # data (sequence number state, etc.) for an undefined amount of time leading to long
411 # term memory leak. Instead, if a system has been gone for this period,
413 # - there is no association between the two systems (TCP connection, if TCP transport is used)
414 # - neither side has been attempting to communicate with the other
415 # - there are no pending system messages to deliver
416 # for the amount of time configured here, the remote system will be quarantined and all state
417 # associated with it will be dropped.
419 # Maximum value depends on the scheduler's max limit (default 248 days) and if configured
420 # to a longer duration this feature will effectively be disabled. Setting the value to
421 # 'off' will also disable the feature. Note that if disabled there is a risk of a long
423 quarantine-after-silence = 2 d
425 # This setting defines the maximum number of unacknowledged system messages
426 # allowed for a remote system. If this limit is reached the remote system is
427 # declared to be dead and its UID marked as tainted.
428 system-message-buffer-size = 20000
430 # This setting defines the maximum idle time after an individual
431 # acknowledgement for system messages is sent. System message delivery
432 # is guaranteed by explicit acknowledgement messages. These acks are
433 # piggybacked on ordinary traffic messages. If no traffic is detected
434 # during the time period configured here, the remoting will send out
436 system-message-ack-piggyback-timeout = 0.3 s
438 # This setting defines the time after internal management signals
439 # between actors (used for DeathWatch and supervision) that have not been
440 # explicitly acknowledged or negatively acknowledged are resent.
441 # Messages that were negatively acknowledged are always immediately
443 resend-interval = 2 s
445 # Maximum number of unacknowledged system messages that will be resent
446 # each 'resend-interval'. If you watch many (> 1000) remote actors you can
447 # increase this value to for example 600, but a too large limit (e.g. 10000)
448 # may flood the connection and might cause false failure detection to trigger.
449 # Test such a configuration by watching all actors at the same time and stop
450 # all watched actors at the same time.
453 # WARNING: this setting should not be not changed unless all of its consequences
454 # are properly understood which assumes experience with remoting internals
456 # This setting defines the time after redelivery attempts of internal management
457 # signals are stopped to a remote system that has been not confirmed to be alive by
458 # this system before.
459 initial-system-message-delivery-timeout = 3 m
461 ### Transports and adapters
463 # List of the transport drivers that will be loaded by the remoting.
464 # A list of fully qualified config paths must be provided where
465 # the given configuration path contains a transport-class key
466 # pointing to an implementation class of the Transport interface.
467 # If multiple transports are provided, the address of the first
468 # one will be used as a default address.
469 enabled-transports = ["akka.remote.classic.netty.tcp"]
471 # Transport drivers can be augmented with adapters by adding their
472 # name to the applied-adapters setting in the configuration of a
473 # transport. The available adapters should be configured in this
474 # section by providing a name, and the fully qualified name of
475 # their corresponding implementation. The class given here
476 # must implement akka.akka.remote.transport.TransportAdapterProvider
477 # and have public constructor without parameters.
479 gremlin = "akka.remote.transport.FailureInjectorProvider"
480 trttl = "akka.remote.transport.ThrottlerProvider"
483 ### Default configuration for the Netty based transport drivers
486 # The class given here must implement the akka.remote.transport.Transport
487 # interface and offer a public constructor which takes two arguments:
488 # 1) akka.actor.ExtendedActorSystem
489 # 2) com.typesafe.config.Config
490 transport-class = "akka.remote.transport.netty.NettyTransport"
492 # Transport drivers can be augmented with adapters by adding their
493 # name to the applied-adapters list. The last adapter in the
494 # list is the adapter immediately above the driver, while
495 # the first one is the top of the stack below the standard
497 applied-adapters = []
499 # The default remote server port clients should connect to.
500 # Default is 2552 (AKKA), use 0 if you want a random available port
501 # This port needs to be unique for each actor system on the same machine.
504 # The hostname or ip clients should connect to.
505 # InetAddress.getLocalHost.getHostAddress is used if empty
508 # Use this setting to bind a network interface to a different port
509 # than remoting protocol expects messages at. This may be used
510 # when running akka nodes in a separated networks (under NATs or docker containers).
511 # Use 0 if you want a random available port. Examples:
513 # akka.remote.classic.netty.tcp.port = 2552
514 # akka.remote.classic.netty.tcp.bind-port = 2553
515 # Network interface will be bound to the 2553 port, but remoting protocol will
516 # expect messages sent to port 2552.
518 # akka.remote.classic.netty.tcp.port = 0
519 # akka.remote.classic.netty.tcp.bind-port = 0
520 # Network interface will be bound to a random port, and remoting protocol will
521 # expect messages sent to the bound port.
523 # akka.remote.classic.netty.tcp.port = 2552
524 # akka.remote.classic.netty.tcp.bind-port = 0
525 # Network interface will be bound to a random port, but remoting protocol will
526 # expect messages sent to port 2552.
528 # akka.remote.classic.netty.tcp.port = 0
529 # akka.remote.classic.netty.tcp.bind-port = 2553
530 # Network interface will be bound to the 2553 port, and remoting protocol will
531 # expect messages sent to the bound port.
533 # akka.remote.classic.netty.tcp.port = 2552
534 # akka.remote.classic.netty.tcp.bind-port = ""
535 # Network interface will be bound to the 2552 port, and remoting protocol will
536 # expect messages sent to the bound port.
538 # akka.remote.classic.netty.tcp.port if empty
541 # Use this setting to bind a network interface to a different hostname or ip
542 # than remoting protocol expects messages at.
543 # Use "0.0.0.0" to bind to all interfaces.
544 # akka.remote.classic.netty.tcp.hostname if empty
547 # Enables SSL support on this transport
550 # Sets the connectTimeoutMillis of all outbound connections,
551 # i.e. how long a connect may take until it is timed out
552 connection-timeout = 15 s
554 # If set to "<id.of.dispatcher>" then the specified dispatcher
555 # will be used to accept inbound connections, and perform IO. If "" then
556 # dedicated threads will be used.
557 # Please note that the Netty driver only uses this configuration and does
558 # not read the "akka.remote.use-dispatcher" entry. Instead it has to be
559 # configured manually to point to the same dispatcher if needed.
560 use-dispatcher-for-io = ""
562 # Sets the high water mark for the in and outbound sockets,
563 # set to 0b for platform default
564 write-buffer-high-water-mark = 0b
566 # Sets the low water mark for the in and outbound sockets,
567 # set to 0b for platform default
568 write-buffer-low-water-mark = 0b
570 # Sets the send buffer size of the Sockets,
571 # set to 0b for platform default
572 send-buffer-size = 256000b
574 # Sets the receive buffer size of the Sockets,
575 # set to 0b for platform default
576 receive-buffer-size = 256000b
578 # Maximum message size the transport will accept, but at least
580 # Please note that UDP does not support arbitrary large datagrams,
581 # so this setting has to be chosen carefully when using UDP.
582 # Both send-buffer-size and receive-buffer-size settings has to
583 # be adjusted to be able to buffer messages of maximum size.
584 maximum-frame-size = 128000b
586 # Sets the size of the connection backlog
589 # Enables the TCP_NODELAY flag, i.e. disables Nagle’s algorithm
592 # Enables TCP Keepalive, subject to the O/S kernel’s configuration
595 # Enables SO_REUSEADDR, which determines when an ActorSystem can open
596 # the specified listen port (the meaning differs between *nix and Windows)
597 # Valid values are "on", "off" and "off-for-windows"
598 # due to the following Windows bug: https://bugs.java.com/bugdatabase/view_bug.do?bug_id=4476378
599 # "off-for-windows" of course means that it's "on" for all other platforms
600 tcp-reuse-addr = off-for-windows
602 # Used to configure the number of I/O worker threads on server sockets
603 server-socket-worker-pool {
604 # Min number of threads to cap factor-based number to
607 # The pool size factor is used to determine thread pool size
608 # using the following formula: ceil(available processors * factor).
609 # Resulting size is then bounded by the pool-size-min and
610 # pool-size-max values.
611 pool-size-factor = 1.0
613 # Max number of threads to cap factor-based number to
617 # Used to configure the number of I/O worker threads on client sockets
618 client-socket-worker-pool {
619 # Min number of threads to cap factor-based number to
622 # The pool size factor is used to determine thread pool size
623 # using the following formula: ceil(available processors * factor).
624 # Resulting size is then bounded by the pool-size-min and
625 # pool-size-max values.
626 pool-size-factor = 1.0
628 # Max number of threads to cap factor-based number to
635 netty.ssl = ${akka.remote.classic.netty.tcp}
637 # Enable SSL/TLS encryption.
638 # This must be enabled on both the client and server to work.
641 # Factory of SSLEngine.
642 # Must implement akka.remote.transport.netty.SSLEngineProvider and have a public
643 # constructor with an ActorSystem parameter.
644 # The default ConfigSSLEngineProvider is configured by properties in section
645 # akka.remote.classic.netty.ssl.security
647 # The SSLEngineProvider can also be defined via ActorSystemSetup with
648 # SSLEngineProviderSetup when starting the ActorSystem. That is useful when
649 # the SSLEngineProvider implementation requires other external constructor
650 # parameters or is created before the ActorSystem is created.
651 # If such SSLEngineProviderSetup is defined this config property is not used.
652 ssl-engine-provider = akka.remote.transport.netty.ConfigSSLEngineProvider
655 # This is the Java Key Store used by the server connection
656 key-store = "keystore"
658 # This password is used for decrypting the key store
659 key-store-password = "changeme"
661 # This password is used for decrypting the key
662 key-password = "changeme"
664 # This is the Java Key Store used by the client connection
665 trust-store = "truststore"
667 # This password is used for decrypting the trust store
668 trust-store-password = "changeme"
670 # Protocol to use for SSL encryption.
673 # Example: ["TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
674 # "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
675 # "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
676 # "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"]
677 # When doing rolling upgrades, make sure to include both the algorithm used
678 # by old nodes and the preferred algorithm.
679 # If you use a JDK 8 prior to 8u161 you need to install
680 # the JCE Unlimited Strength Jurisdiction Policy Files to use AES 256.
682 # https://www.oracle.com/java/technologies/javase-jce-all-downloads.html
683 enabled-algorithms = ["TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
684 "TLS_RSA_WITH_AES_128_CBC_SHA"]
686 # There are two options, and the default SecureRandom is recommended:
687 # "" or "SecureRandom" => (default)
688 # "SHA1PRNG" => Can be slow because of blocking issues on Linux
690 # Setting a value here may require you to supply the appropriate cipher
691 # suite (see enabled-algorithms section above)
692 random-number-generator = ""
694 # Require mutual authentication between TLS peers
696 # Without mutual authentication only the peer that actively establishes a connection (TLS client side)
697 # checks if the passive side (TLS server side) sends over a trusted certificate. With the flag turned on,
698 # the passive side will also request and verify a certificate from the connecting peer.
700 # To prevent man-in-the-middle attacks this setting is enabled by default.
702 # Note: Nodes that are configured with this setting to 'on' might not be able to receive messages from nodes that
703 # run on older versions of akka-remote. This is because in versions of Akka < 2.4.12 the active side of the remoting
704 # connection will not send over certificates even if asked.
706 # However, starting with Akka 2.4.12, even with this setting "off", the active side (TLS client side)
707 # will use the given key-store to send over a certificate if asked. A rolling upgrade from versions of
708 # Akka < 2.4.12 can therefore work like this:
709 # - upgrade all nodes to an Akka version >= 2.4.12, in the best case the latest version, but keep this setting at "off"
710 # - then switch this flag to "on" and do again a rolling upgrade of all nodes
711 # The first step ensures that all nodes will send over a certificate when asked to. The second
712 # step will ensure that all nodes finally enforce the secure checking of client certificates.
713 require-mutual-authentication = on
717 ### Default configuration for the failure injector transport adapter
720 # Enable debug logging of the failure injector transport adapter
724 backoff-remote-dispatcher {
726 executor = "fork-join-executor"
728 # Min number of threads to cap factor-based parallelism number to
743 ### Configuration for Artery, the new implementation of remoting
746 # Disable artery with this flag
749 # Select the underlying transport implementation.
751 # Possible values: aeron-udp, tcp, tls-tcp
752 # See https://doc.akka.io/docs/akka/current/remoting-artery.html#selecting-a-transport for the tradeoffs
756 # Canonical address is the address other clients should connect to.
757 # Artery transport will expect messages to this address.
760 # The default remote server port clients should connect to.
761 # Default is 25520, use 0 if you want a random available port
762 # This port needs to be unique for each actor system on the same machine.
765 # Hostname clients should connect to. Can be set to an ip, hostname
766 # or one of the following special values:
767 # "<getHostAddress>" InetAddress.getLocalHost.getHostAddress
768 # "<getHostName>" InetAddress.getLocalHost.getHostName
770 hostname = "<getHostAddress>"
773 # Use these settings to bind a network interface to a different address
774 # than artery expects messages at. This may be used when running Akka
775 # nodes in a separated networks (under NATs or in containers). If canonical
776 # and bind addresses are different, then network configuration that relays
777 # communications from canonical to bind addresses is expected.
780 # Port to bind a network interface to. Can be set to a port number
781 # of one of the following special values:
782 # 0 random available port
783 # "" akka.remote.artery.canonical.port
787 # Hostname to bind a network interface to. Can be set to an ip, hostname
788 # or one of the following special values:
789 # "0.0.0.0" all interfaces
790 # "" akka.remote.artery.canonical.hostname
791 # "<getHostAddress>" InetAddress.getLocalHost.getHostAddress
792 # "<getHostName>" InetAddress.getLocalHost.getHostName
796 # Time to wait for Aeron/TCP to bind
801 # Actor paths to use the large message stream for when a message
802 # is sent to them over remoting. The large message stream dedicated
803 # is separate from "normal" and system messages so that sending a
804 # large message does not interfere with them.
805 # Entries should be the full path to the actor. Wildcards in the form of "*"
806 # can be supplied at any place and matches any name at that segment -
807 # "/user/supervisor/actor/*" will match any direct child to actor,
808 # while "/supervisor/*/child" will match any grandchild to "supervisor" that
809 # has the name "child"
810 # Entries have to be specified on both the sending and receiving side.
811 # Messages sent to ActorSelections will not be passed through the large message
812 # stream, to pass such messages through the large message stream the selections
813 # but must be resolved to ActorRefs first.
814 large-message-destinations = []
816 # Enable untrusted mode, which discards inbound system messages, PossiblyHarmful and
817 # ActorSelection messages. E.g. remote watch and remote deployment will not work.
818 # ActorSelection messages can be enabled for specific paths with the trusted-selection-paths
821 # When 'untrusted-mode=on' inbound actor selections are by default discarded.
822 # Actors with paths defined in this list are granted permission to receive actor
823 # selections messages.
824 # E.g. trusted-selection-paths = ["/user/receptionist", "/user/namingService"]
825 trusted-selection-paths = []
827 # If this is "on", all inbound remote messages will be logged at DEBUG level,
828 # if off then they are not logged
829 log-received-messages = off
831 # If this is "on", all outbound remote messages will be logged at DEBUG level,
832 # if off then they are not logged
833 log-sent-messages = off
835 # Logging of message types with payload size in bytes larger than
836 # this value. Maximum detected size per message type is logged once,
837 # with an increase threshold of 10%.
838 # By default this feature is turned off. Activate it by setting the property to
839 # a value in bytes, such as 1000b. Note that for all messages larger than this
840 # limit there will be extra performance and scalability cost.
841 log-frame-size-exceeding = off
845 # Maximum serialized message size, including header data.
846 maximum-frame-size = 256 KiB
848 # Direct byte buffers are reused in a pool with this maximum size.
849 # Each buffer has the size of 'maximum-frame-size'.
850 # This is not a hard upper limit on number of created buffers. Additional
851 # buffers will be created if needed, e.g. when using many outbound
852 # associations at the same time. Such additional buffers will be garbage
853 # collected, which is not as efficient as reusing buffers in the pool.
854 buffer-pool-size = 128
856 # Maximum serialized message size for the large messages, including header data.
857 # If the value of akka.remote.artery.transport is set to aeron-udp, it is currently
858 # restricted to 1/8th the size of a term buffer that can be configured by setting the
859 # 'aeron.term.buffer.length' system property.
860 # See 'large-message-destinations'.
861 maximum-large-frame-size = 2 MiB
863 # Direct byte buffers for the large messages are reused in a pool with this maximum size.
864 # Each buffer has the size of 'maximum-large-frame-size'.
865 # See 'large-message-destinations'.
866 # This is not a hard upper limit on number of created buffers. Additional
867 # buffers will be created if needed, e.g. when using many outbound
868 # associations at the same time. Such additional buffers will be garbage
869 # collected, which is not as efficient as reusing buffers in the pool.
870 large-buffer-pool-size = 32
872 # For enabling testing features, such as blackhole in akka-remote-testkit.
875 # Settings for the materializer that is used for the remote streams.
876 materializer = ${akka.stream.materializer}
878 # Remoting will use the given dispatcher for the ordinary and large message
880 use-dispatcher = "akka.remote.default-remote-dispatcher"
882 # Remoting will use the given dispatcher for the control stream.
883 # It can be good to not use the same dispatcher for the control stream as
884 # the dispatcher for the ordinary message stream so that heartbeat messages
886 use-control-stream-dispatcher = "akka.actor.internal-dispatcher"
889 # Total number of inbound lanes, shared among all inbound associations. A value
890 # greater than 1 means that deserialization can be performed in parallel for
891 # different destination actors. The selection of lane is based on consistent
892 # hashing of the recipient ActorRef to preserve message ordering per receiver.
893 # Lowest latency can be achieved with inbound-lanes=1 because of one less
894 # asynchronous boundary.
897 # Number of outbound lanes for each outbound association. A value greater than 1
898 # means that serialization and other work can be performed in parallel for different
899 # destination actors. The selection of lane is based on consistent hashing of the
900 # recipient ActorRef to preserve message ordering per receiver. Note that messages
901 # for different destination systems (hosts) are handled by different streams also
902 # when outbound-lanes=1. Lowest latency can be achieved with outbound-lanes=1
903 # because of one less asynchronous boundary.
906 # Size of the send queue for outgoing messages. Messages will be dropped if
907 # the queue becomes full. This may happen if you send a burst of many messages
908 # without end-to-end flow control. Note that there is one such queue per
909 # outbound association. The trade-off of using a larger queue size is that
910 # it consumes more memory, since the queue is based on preallocated array with
912 outbound-message-queue-size = 3072
914 # Size of the send queue for outgoing control messages, such as system messages.
915 # If this limit is reached the remote system is declared to be dead and its UID
916 # marked as quarantined. Note that there is one such queue per outbound association.
917 # It is a linked queue so it will not use more memory than needed but by increasing
918 # too much you may risk OutOfMemoryError in the worst case.
919 outbound-control-queue-size = 20000
921 # Size of the send queue for outgoing large messages. Messages will be dropped if
922 # the queue becomes full. This may happen if you send a burst of many messages
923 # without end-to-end flow control. Note that there is one such queue per
924 # outbound association.
925 # It is a linked queue so it will not use more memory than needed but by increasing
926 # too much you may risk OutOfMemoryError, especially since the message payload
927 # of these messages may be large.
928 outbound-large-message-queue-size = 256
930 # This setting defines the maximum number of unacknowledged system messages
931 # allowed for a remote system. If this limit is reached the remote system is
932 # declared to be dead and its UID marked as quarantined.
933 system-message-buffer-size = 20000
935 # unacknowledged system messages are re-delivered with this interval
936 system-message-resend-interval = 1 second
940 # The timeout for outbound associations to perform the initial handshake.
941 # This timeout must be greater than the 'image-liveness-timeout' when
942 # transport is aeron-udp.
943 handshake-timeout = 20 seconds
945 # incomplete initial handshake attempt is retried with this interval
946 handshake-retry-interval = 1 second
948 # Handshake requests are performed periodically with this interval,
949 # also after the handshake has been completed to be able to establish
950 # a new session with a restarted destination system.
951 inject-handshake-interval = 1 second
954 # System messages that are not acknowledged after re-sending for this period are
955 # dropped and will trigger quarantine. The value should be longer than the length
956 # of a network partition that you need to survive.
957 give-up-system-message-after = 6 hours
959 # Outbound streams are stopped when they haven't been used for this duration.
960 # They are started again when new messages are sent.
961 stop-idle-outbound-after = 5 minutes
963 # Outbound streams are quarantined when they haven't been used for this duration
964 # to cleanup resources used by the association, such as compression tables.
965 # This will cleanup association to crashed systems that didn't announce their
967 # The value should be longer than the length of a network partition that you
969 # The value must also be greater than stop-idle-outbound-after.
970 # Once every 1/10 of this duration an extra handshake message will be sent.
971 # Therfore it's also recommended to use a value that is greater than 10 times
972 # the stop-idle-outbound-after, since otherwise the idle streams will not be
974 quarantine-idle-outbound-after = 6 hours
976 # Stop outbound stream of a quarantined association after this idle timeout, i.e.
977 # when not used any more.
978 stop-quarantined-after-idle = 3 seconds
980 # After catastrophic communication failures that could result in the loss of system
981 # messages or after the remote DeathWatch triggers the remote system gets
982 # quarantined to prevent inconsistent behavior.
983 # This setting controls how long the quarantined association will be kept around
984 # before being removed to avoid long-term memory leaks. It must be quarantined
985 # and also unused for this duration before it's removed. When removed the historical
986 # information about which UIDs that were quarantined for that hostname:port is
987 # gone which could result in communication with a previously quarantined node
988 # if it wakes up again. Therfore this shouldn't be set too low.
989 remove-quarantined-association-after = 1 h
991 # during ActorSystem termination the remoting will wait this long for
992 # an acknowledgment by the destination system that flushing of outstanding
993 # remote messages has been completed
994 shutdown-flush-timeout = 1 second
996 # Before sending notificaiton of terminated actor (DeathWatchNotification) other messages
997 # will be flushed to make sure that the Terminated message arrives after other messages.
998 # It will wait this long for the flush acknowledgement before continuing.
999 # The flushing can be disabled by setting this to `off`.
1000 death-watch-notification-flush-timeout = 3 seconds
1002 # See 'inbound-max-restarts'
1003 inbound-restart-timeout = 5 seconds
1005 # Max number of restarts within 'inbound-restart-timeout' for the inbound streams.
1006 # If more restarts occurs the ActorSystem will be terminated.
1007 inbound-max-restarts = 5
1009 # Retry outbound connection after this backoff.
1010 # Only used when transport is tcp or tls-tcp.
1011 outbound-restart-backoff = 1 second
1013 # See 'outbound-max-restarts'
1014 outbound-restart-timeout = 5 seconds
1016 # Max number of restarts within 'outbound-restart-timeout' for the outbound streams.
1017 # If more restarts occurs the ActorSystem will be terminated.
1018 outbound-max-restarts = 5
1020 # compression of common strings in remoting messages, like actor destinations, serializers etc
1024 # Max number of compressed actor-refs
1025 # Note that compression tables are "rolling" (i.e. a new table replaces the old
1026 # compression table once in a while), and this setting is only about the total number
1027 # of compressions within a single such table.
1028 # Must be a positive natural number. Can be disabled with "off".
1031 # interval between new table compression advertisements.
1032 # this means the time during which we collect heavy-hitter data and then turn it into a compression table.
1033 advertisement-interval = 1 minute
1036 # Max number of compressed manifests
1037 # Note that compression tables are "rolling" (i.e. a new table replaces the old
1038 # compression table once in a while), and this setting is only about the total number
1039 # of compressions within a single such table.
1040 # Must be a positive natural number. Can be disabled with "off".
1043 # interval between new table compression advertisements.
1044 # this means the time during which we collect heavy-hitter data and then turn it into a compression table.
1045 advertisement-interval = 1 minute
1049 # List of fully qualified class names of remote instruments which should
1050 # be initialized and used for monitoring of remote messages.
1051 # The class must extend akka.remote.artery.RemoteInstrument and
1052 # have a public constructor with empty parameters or one ExtendedActorSystem
1054 # A new instance of RemoteInstrument will be created for each encoder and decoder.
1055 # It's only called from the stage, so if it dosn't delegate to any shared instance
1056 # it doesn't have to be thread-safe.
1057 # Refer to `akka.remote.artery.RemoteInstrument` for more information.
1058 instruments = ${?akka.remote.artery.advanced.instruments} []
1060 # Only used when transport is aeron-udp
1062 # Periodically log out all Aeron counters. See https://github.com/real-logic/aeron/wiki/Monitoring-and-Debugging#counters
1063 # Only used when transport is aeron-udp.
1064 log-aeron-counters = false
1066 # Controls whether to start the Aeron media driver in the same JVM or use external
1067 # process. Set to 'off' when using external media driver, and then also set the
1069 # Only used when transport is aeron-udp.
1070 embedded-media-driver = on
1072 # Directory used by the Aeron media driver. It's mandatory to define the 'aeron-dir'
1073 # if using external media driver, i.e. when 'embedded-media-driver = off'.
1074 # Embedded media driver will use a this directory, or a temporary directory if this
1075 # property is not defined (empty).
1076 # Only used when transport is aeron-udp.
1079 # Whether to delete aeron embedded driver directory upon driver stop.
1080 # Only used when transport is aeron-udp.
1081 delete-aeron-dir = yes
1083 # Level of CPU time used, on a scale between 1 and 10, during backoff/idle.
1084 # The tradeoff is that to have low latency more CPU time must be used to be
1085 # able to react quickly on incoming messages or send as fast as possible after
1086 # backoff backpressure.
1087 # Level 1 strongly prefer low CPU consumption over low latency.
1088 # Level 10 strongly prefer low latency over low CPU consumption.
1089 # Only used when transport is aeron-udp.
1092 # messages that are not accepted by Aeron are dropped after retrying for this period
1093 # Only used when transport is aeron-udp.
1094 give-up-message-after = 60 seconds
1096 # Timeout after which aeron driver has not had keepalive messages
1097 # from a client before it considers the client dead.
1098 # Only used when transport is aeron-udp.
1099 client-liveness-timeout = 20 seconds
1101 # Timout after after which an uncommitted publication will be unblocked
1102 # Only used when transport is aeron-udp.
1103 publication-unblock-timeout = 40 seconds
1105 # Timeout for each the INACTIVE and LINGER stages an aeron image
1106 # will be retained for when it is no longer referenced.
1107 # This timeout must be less than the 'handshake-timeout'.
1108 # Only used when transport is aeron-udp.
1109 image-liveness-timeout = 10 seconds
1111 # Timeout after which the aeron driver is considered dead
1112 # if it does not update its C'n'C timestamp.
1113 # Only used when transport is aeron-udp.
1114 driver-timeout = 20 seconds
1117 # Only used when transport is tcp or tls-tcp.
1119 # Timeout of establishing outbound connections.
1120 connection-timeout = 5 seconds
1122 # The local address that is used for the client side of the TCP connection.
1123 outbound-client-hostname = ""
1128 # SSL configuration that is used when transport=tls-tcp.
1130 # Factory of SSLEngine.
1131 # Must implement akka.remote.artery.tcp.SSLEngineProvider and have a public
1132 # constructor with an ActorSystem parameter.
1133 # The default ConfigSSLEngineProvider is configured by properties in section
1134 # akka.remote.artery.ssl.config-ssl-engine
1135 ssl-engine-provider = akka.remote.artery.tcp.ConfigSSLEngineProvider
1137 # Config of akka.remote.artery.tcp.ConfigSSLEngineProvider
1140 # This is the Java Key Store used by the server connection
1141 key-store = "keystore"
1143 # This password is used for decrypting the key store
1144 # Use substitution from environment variables for passwords. Don't define
1145 # real passwords in config files. key-store-password=${SSL_KEY_STORE_PASSWORD}
1146 key-store-password = "changeme"
1148 # This password is used for decrypting the key
1149 # Use substitution from environment variables for passwords. Don't define
1150 # real passwords in config files. key-password=${SSL_KEY_PASSWORD}
1151 key-password = "changeme"
1153 # This is the Java Key Store used by the client connection
1154 trust-store = "truststore"
1156 # This password is used for decrypting the trust store
1157 # Use substitution from environment variables for passwords. Don't define
1158 # real passwords in config files. trust-store-password=${SSL_TRUST_STORE_PASSWORD}
1159 trust-store-password = "changeme"
1161 # Protocol to use for SSL encryption.
1162 protocol = "TLSv1.2"
1164 # Example: ["TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
1165 # "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
1166 # "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
1167 # "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"]
1168 # When doing rolling upgrades, make sure to include both the algorithm used
1169 # by old nodes and the preferred algorithm.
1170 # If you use a JDK 8 prior to 8u161 you need to install
1171 # the JCE Unlimited Strength Jurisdiction Policy Files to use AES 256.
1173 # https://www.oracle.com/java/technologies/javase-jce-all-downloads.html
1174 enabled-algorithms = ["TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
1175 "TLS_RSA_WITH_AES_128_CBC_SHA"]
1177 # There are two options, and the default SecureRandom is recommended:
1178 # "" or "SecureRandom" => (default)
1179 # "SHA1PRNG" => Can be slow because of blocking issues on Linux
1181 # Setting a value here may require you to supply the appropriate cipher
1182 # suite (see enabled-algorithms section above)
1183 random-number-generator = ""
1185 # Require mutual authentication between TLS peers
1187 # Without mutual authentication only the peer that actively establishes a connection (TLS client side)
1188 # checks if the passive side (TLS server side) sends over a trusted certificate. With the flag turned on,
1189 # the passive side will also request and verify a certificate from the connecting peer.
1191 # To prevent man-in-the-middle attacks this setting is enabled by default.
1192 require-mutual-authentication = on
1194 # Set this to `on` to verify hostnames with sun.security.util.HostnameChecker
1195 # If possible it is recommended to have this enabled. Hostname verification is designed for
1196 # situations where things locate each other by hostname, in scenarios where host names are dynamic
1197 # and not known up front it can make sense to have this disabled.
1198 hostname-verification = off
1201 # Config of akka.remote.artery.tcp.ssl.RotatingKeysSSLEngineProvider
1202 # This engine provider reads PEM files from a mount point shared with the secret
1203 # manager. The constructed SSLContext is cached some time (configurable) so when
1204 # the credentials rotate the new credentials are eventually picked up.
1205 # By default mTLS is enabled.
1206 # This provider also includes a verification phase that runs after the TLS handshake
1207 # phase. In this verification, both peers run an authorization and verify they are
1208 # part of the same akka cluster. The verification happens via comparing the subject
1209 # names in the peer's certificate with the name on the own certificate so if you
1210 # use this SSLEngineProvider you should make sure all nodes on the cluster include
1211 # at least one common subject name (CN or SAN).
1212 # The Key setup this implementation supports has some limitations:
1213 # 1. the private key must be provided on a PKCS#1 or a non-encrypted PKCS#8 PEM-formatted file
1214 # 2. the private key must be be of an algorythm supported by `akka-pki` tools (e.g. "RSA", not "EC")
1215 # 3. the node certificate must be issued by a root CA (not an intermediate CA)
1216 # 4. both the node and the CA certificates must be provided in PEM-formatted files
1217 rotating-keys-engine {
1219 # This is a convention that people may follow if they wish to save themselves some configuration
1220 secret-mount-point = /var/run/secrets/akka-tls/rotating-keys-engine
1222 # The absolute path the PEM file with the private key.
1223 key-file = ${akka.remote.artery.ssl.rotating-keys-engine.secret-mount-point}/tls.key
1224 # The absolute path to the PEM file of the certificate for the private key above.
1225 cert-file = ${akka.remote.artery.ssl.rotating-keys-engine.secret-mount-point}/tls.crt
1226 # The absolute path to the PEM file of the certificate of the CA that emited
1227 # the node certificate above.
1228 ca-cert-file = ${akka.remote.artery.ssl.rotating-keys-engine.secret-mount-point}/ca.crt
1230 # There are two options, and the default SecureRandom is recommended:
1231 # "" or "SecureRandom" => (default)
1232 # "SHA1PRNG" => Can be slow because of blocking issues on Linux
1234 # Setting a value here may require you to supply the appropriate cipher
1235 # suite (see enabled-algorithms section)
1236 random-number-generator = ""
1238 # Example: ["TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
1239 # "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
1240 # "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
1241 # "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"]
1242 # If you use a JDK 8 prior to 8u161 you need to install
1243 # the JCE Unlimited Strength Jurisdiction Policy Files to use AES 256.
1245 # https://www.oracle.com/java/technologies/javase-jce-all-downloads.html
1246 enabled-algorithms = ["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"]
1248 # Protocol to use for SSL encryption.
1249 protocol = "TLSv1.2"
1251 # How long should an SSLContext instance be cached. When rotating keys and certificates,
1252 # there must a time overlap between the old certificate/key and the new ones. The
1253 # value of this setting should be lower than duration of that overlap.
1254 ssl-context-cache-ttl = 5m