artery = "akka.remote.serialization.ArteryMessageSerializer"
proto = "akka.remote.serialization.ProtobufSerializer"
daemon-create = "akka.remote.serialization.DaemonMsgCreateSerializer"
- primitive-long = "akka.remote.serialization.LongSerializer"
- primitive-int = "akka.remote.serialization.IntSerializer"
- primitive-string = "akka.remote.serialization.StringSerializer"
- primitive-bytestring = "akka.remote.serialization.ByteStringSerializer"
akka-system-msg = "akka.remote.serialization.SystemMessageSerializer"
}
# Since akka.protobuf.Message does not extend Serializable but
# GeneratedMessage does, need to use the more specific one here in order
# to avoid ambiguity.
+ # This is only loaded if akka-protobuf is on the classpath
+ # It should not be used and users should migrate to using the protobuf classes
+ # directly
+ # Remove in 2.7
"akka.protobuf.GeneratedMessage" = proto
+ "akka.protobufv3.internal.GeneratedMessageV3" = proto
+
# Since com.google.protobuf.Message does not extend Serializable but
# GeneratedMessage does, need to use the more specific one here in order
# to avoid ambiguity.
# This com.google.protobuf serialization binding is only used if the class can be loaded,
# i.e. com.google.protobuf dependency has been added in the application project.
"com.google.protobuf.GeneratedMessage" = proto
+ "com.google.protobuf.GeneratedMessageV3" = proto
- "java.util.Optional" = akka-misc
-
-
- # The following are handled by the MiscMessageSerializer, but they are not enabled for
- # compatibility reasons (it was added in Akka 2.5.[8,9,12]). Enable them by adding:
- # akka.actor.serialization-bindings {
- # "akka.Done" = akka-misc
- # "akka.NotUsed" = akka-misc
- # "akka.actor.Address" = akka-misc
- # "akka.remote.UniqueAddress" = akka-misc
- # }
- }
-
- # Additional serialization-bindings that are replacing Java serialization are
- # defined in this section for backwards compatibility reasons. They are included
- # by default but can be excluded for backwards compatibility with Akka 2.4.x.
- # They can be disabled with enable-additional-serialization-bindings=off.
- additional-serialization-bindings {
"akka.actor.Identify" = akka-misc
"akka.actor.ActorIdentity" = akka-misc
"scala.Some" = akka-misc
"scala.None$" = akka-misc
+ "java.util.Optional" = akka-misc
"akka.actor.Status$Success" = akka-misc
"akka.actor.Status$Failure" = akka-misc
"akka.actor.ActorRef" = akka-misc
"akka.actor.Kill$" = akka-misc
"akka.remote.RemoteWatcher$Heartbeat$" = akka-misc
"akka.remote.RemoteWatcher$HeartbeatRsp" = akka-misc
- "akka.actor.ActorInitializationException" = akka-misc
-
- "akka.dispatch.sysmsg.SystemMessage" = akka-system-msg
-
- "java.lang.String" = primitive-string
- "akka.util.ByteString$ByteString1C" = primitive-bytestring
- "akka.util.ByteString$ByteString1" = primitive-bytestring
- "akka.util.ByteString$ByteStrings" = primitive-bytestring
- "java.lang.Long" = primitive-long
- "scala.Long" = primitive-long
- "java.lang.Integer" = primitive-int
- "scala.Int" = primitive-int
+ "akka.Done" = akka-misc
+ "akka.NotUsed" = akka-misc
+ "akka.actor.Address" = akka-misc
+ "akka.remote.UniqueAddress" = akka-misc
- # Java Serializer is by default used for exceptions.
- # It's recommended that you implement custom serializer for exceptions that are
- # sent remotely, e.g. in akka.actor.Status.Failure for ask replies. You can add
- # binding to akka-misc (MiscMessageSerializerSpec) for the exceptions that have
- # a constructor with single message String or constructor with message String as
- # first parameter and cause Throwable as second parameter. Note that it's not
- # safe to add this binding for general exceptions such as IllegalArgumentException
- # because it may have a subclass without required constructor.
- "java.lang.Throwable" = java
+ "akka.actor.ActorInitializationException" = akka-misc
"akka.actor.IllegalActorStateException" = akka-misc
"akka.actor.ActorKilledException" = akka-misc
"akka.actor.InvalidActorNameException" = akka-misc
"akka.actor.InvalidMessageException" = akka-misc
-
- # TODO issue #27330: TimeoutException not enabled for serialization in 2.5.x yet
- #"java.util.concurrent.TimeoutException" = akka-misc
- # TODO issue #27330: ThrowableNotSerializableException not enabled for serialization in 2.5.x yet
- #"akka.remote.serialization.ThrowableNotSerializableException" = akka-misc
+ "java.util.concurrent.TimeoutException" = akka-misc
+ "akka.remote.serialization.ThrowableNotSerializableException" = akka-misc
"akka.actor.LocalScope$" = akka-misc
"akka.remote.RemoteScope" = akka-misc
"akka.routing.TailChoppingGroup" = akka-misc
"akka.routing.TailChoppingPool" = akka-misc
"akka.remote.routing.RemoteRouterConfig" = akka-misc
- }
- # Additional serialization bindings which are enabled automatically when allow-java-serialization is disabled.
- java-serialization-disabled-additional-serialization-bindings = {
- "akka.Done" = akka-misc
- "akka.NotUsed" = akka-misc
- "akka.actor.Address" = akka-misc
- "akka.remote.UniqueAddress" = akka-misc
+ "akka.pattern.StatusReply" = akka-misc
+
+ "akka.dispatch.sysmsg.SystemMessage" = akka-system-msg
+
+ # Java Serializer is by default used for exceptions and will by default
+ # not be allowed to be serialized, but in certain cases they are replaced
+ # by `akka.remote.serialization.ThrowableNotSerializableException` if
+ # no specific serializer has been defined:
+ # - when wrapped in `akka.actor.Status.Failure` for ask replies
+ # - when wrapped in system messages for exceptions from remote deployed child actors
+ #
+ # It's recommended that you implement custom serializer for exceptions that are
+ # sent remotely, You can add binding to akka-misc (MiscMessageSerializer) for the
+ # exceptions that have a constructor with single message String or constructor with
+ # message String as first parameter and cause Throwable as second parameter. Note that it's not
+ # safe to add this binding for general exceptions such as IllegalArgumentException
+ # because it may have a subclass without required constructor.
+ "java.lang.Throwable" = java
}
serialization-identifiers {
"akka.remote.serialization.MessageContainerSerializer" = 6
"akka.remote.serialization.MiscMessageSerializer" = 16
"akka.remote.serialization.ArteryMessageSerializer" = 17
+
+ "akka.remote.serialization.SystemMessageSerializer" = 22
+
+ # deprecated in 2.6.0, moved to akka-actor
"akka.remote.serialization.LongSerializer" = 18
+ # deprecated in 2.6.0, moved to akka-actor
"akka.remote.serialization.IntSerializer" = 19
+ # deprecated in 2.6.0, moved to akka-actor
"akka.remote.serialization.StringSerializer" = 20
+ # deprecated in 2.6.0, moved to akka-actor
"akka.remote.serialization.ByteStringSerializer" = 21
- "akka.remote.serialization.SystemMessageSerializer" = 22
}
deployment {
default {
# if this is set to a valid remote address, the named actor will be
- # deployed at that node e.g. "akka.tcp://sys@host:port"
+ # deployed at that node e.g. "akka://sys@host:port"
remote = ""
target {
# A list of hostnames and ports for instantiating the children of a
# router
- # The format should be on "akka.tcp://sys@host:port", where:
+ # The format should be on "akka://sys@host:port", where:
# - sys is the remote actor system name
# - hostname can be either hostname or IP address the remote actor
# should connect to
remote {
### Settings shared by classic remoting and Artery (the new implementation of remoting)
- # If set to a nonempty string remoting will use the given dispatcher for
- # its internal actors otherwise the default dispatcher is used. Please note
- # that since remoting can load arbitrary 3rd party drivers (see
- # "enabled-transport" and "adapters" entries) it is not guaranteed that
- # every module will respect this setting.
- use-dispatcher = "akka.remote.default-remote-dispatcher"
-
- # Settings for the failure detector to monitor connections.
- # For TCP it is not important to have fast failure detection, since
- # most connection failures are captured by TCP itself.
- # The default DeadlineFailureDetector will trigger if there are no heartbeats within
- # the duration heartbeat-interval + acceptable-heartbeat-pause, i.e. 124 seconds
- # with the default settings.
- transport-failure-detector {
+ # Using remoting directly is typically not desirable, so a warning will
+ # be shown to make this clear. Set this setting to 'off' to suppress that
+ # warning.
+ warn-about-direct-use = on
- # FQCN of the failure detector implementation.
- # It must implement akka.remote.FailureDetector and have
- # a public constructor with a com.typesafe.config.Config and
- # akka.actor.EventStream parameter.
- implementation-class = "akka.remote.DeadlineFailureDetector"
- # How often keep-alive heartbeat messages should be sent to each connection.
- heartbeat-interval = 4 s
+ # If Cluster is not used, remote watch and deployment are disabled.
+ # To optionally use them while not using Cluster, set to 'on'.
+ use-unsafe-remote-features-outside-cluster = off
- # Number of potentially lost/delayed heartbeats that will be
- # accepted before considering it to be an anomaly.
- # A margin to the `heartbeat-interval` is important to be able to survive sudden,
- # occasional, pauses in heartbeat arrivals, due to for example garbage collect or
- # network drop.
- acceptable-heartbeat-pause = 120 s
- }
+ # A warning will be logged on remote watch attempts if Cluster
+ # is not in use and 'use-unsafe-remote-features-outside-cluster'
+ # is 'off'. Set this to 'off' to suppress these.
+ warn-unsafe-watch-outside-cluster = on
# Settings for the Phi accrual failure detector (http://www.jaist.ac.jp/~defago/files/pdf/IS_RR_2004_010.pdf
# [Hayashibara et al]) used for remote death watch.
# remote deployment configuration section
deployment {
- # If true, will only allow specific classes to be instanciated on this system via remote deployment
+ # deprecated, use `enable-allow-list`
enable-whitelist = off
+ # If true, will only allow specific classes listed in `allowed-actor-classes` to be instanciated on this
+ # system via remote deployment
+ enable-allow-list = ${akka.remote.deployment.enable-whitelist}
+
+
+ # deprecated, use `allowed-actor-classes`
whitelist = []
+
+ allowed-actor-classes = ${akka.remote.deployment.whitelist}
}
-#//#shared
+
+ ### Default dispatcher for the remoting subsystem
+ default-remote-dispatcher {
+ type = Dispatcher
+ executor = "fork-join-executor"
+ fork-join-executor {
+ parallelism-min = 2
+ parallelism-factor = 0.5
+ parallelism-max = 16
+ }
+ throughput = 10
+ }
+ #//#shared
}
}
akka {
- remote {
-#//#classic
+ remote.classic {
+ #//#classic
+
+ ### Configuration for classic remoting. Classic remoting is deprecated, use artery.
+
+
+ # If set to a nonempty string remoting will use the given dispatcher for
+ # its internal actors otherwise the default dispatcher is used. Please note
+ # that since remoting can load arbitrary 3rd party drivers (see
+ # "enabled-transport" and "adapters" entries) it is not guaranteed that
+ # every module will respect this setting.
+ use-dispatcher = "akka.remote.default-remote-dispatcher"
+
+ # Settings for the failure detector to monitor connections.
+ # For TCP it is not important to have fast failure detection, since
+ # most connection failures are captured by TCP itself.
+ # The default DeadlineFailureDetector will trigger if there are no heartbeats within
+ # the duration heartbeat-interval + acceptable-heartbeat-pause, i.e. 124 seconds
+ # with the default settings.
+ transport-failure-detector {
+
+ # FQCN of the failure detector implementation.
+ # It must implement akka.remote.FailureDetector and have
+ # a public constructor with a com.typesafe.config.Config and
+ # akka.actor.EventStream parameter.
+ implementation-class = "akka.remote.DeadlineFailureDetector"
+
+ # How often keep-alive heartbeat messages should be sent to each connection.
+ heartbeat-interval = 4 s
+
+ # Number of potentially lost/delayed heartbeats that will be
+ # accepted before considering it to be an anomaly.
+ # A margin to the `heartbeat-interval` is important to be able to survive sudden,
+ # occasional, pauses in heartbeat arrivals, due to for example garbage collect or
+ # network drop.
+ acceptable-heartbeat-pause = 120 s
+ }
- ### Configuration for classic remoting
# Timeout after which the startup of the remoting subsystem is considered
# to be failed. Increase this value if your transport drivers (see the
command-ack-timeout = 30 s
# The timeout for outbound associations to perform the handshake.
- # If the transport is akka.remote.netty.tcp or akka.remote.netty.ssl
+ # If the transport is akka.remote.classic.netty.tcp or akka.remote.classic.netty.ssl
# the configured connection-timeout for the transport will be used instead.
handshake-timeout = 15 s
untrusted-mode = off
# When 'untrusted-mode=on' inbound actor selections are by default discarded.
- # Actors with paths defined in this white list are granted permission to receive actor
+ # Actors with paths defined in this list are granted permission to receive actor
# selections messages.
# E.g. trusted-selection-paths = ["/user/receptionist", "/user/namingService"]
trusted-selection-paths = []
- # Should the remote server require that its peers share the same
- # secure-cookie (defined in the 'remote' section)? Secure cookies are passed
- # between during the initial handshake. Connections are refused if the initial
- # message contains a mismatching cookie or the cookie is missing.
- require-cookie = off
-
- # Deprecated since 2.4-M1
- secure-cookie = ""
-
### Logging
# If this is "on", Akka will log all inbound messages at DEBUG level,
# pointing to an implementation class of the Transport interface.
# If multiple transports are provided, the address of the first
# one will be used as a default address.
- enabled-transports = ["akka.remote.netty.tcp"]
+ enabled-transports = ["akka.remote.classic.netty.tcp"]
# Transport drivers can be augmented with adapters by adding their
# name to the applied-adapters setting in the configuration of a
# Akka protocol
applied-adapters = []
- transport-protocol = tcp
-
# The default remote server port clients should connect to.
# Default is 2552 (AKKA), use 0 if you want a random available port
# This port needs to be unique for each actor system on the same machine.
# when running akka nodes in a separated networks (under NATs or docker containers).
# Use 0 if you want a random available port. Examples:
#
- # akka.remote.netty.tcp.port = 2552
- # akka.remote.netty.tcp.bind-port = 2553
+ # akka.remote.classic.netty.tcp.port = 2552
+ # akka.remote.classic.netty.tcp.bind-port = 2553
# Network interface will be bound to the 2553 port, but remoting protocol will
# expect messages sent to port 2552.
#
- # akka.remote.netty.tcp.port = 0
- # akka.remote.netty.tcp.bind-port = 0
+ # akka.remote.classic.netty.tcp.port = 0
+ # akka.remote.classic.netty.tcp.bind-port = 0
# Network interface will be bound to a random port, and remoting protocol will
# expect messages sent to the bound port.
#
- # akka.remote.netty.tcp.port = 2552
- # akka.remote.netty.tcp.bind-port = 0
+ # akka.remote.classic.netty.tcp.port = 2552
+ # akka.remote.classic.netty.tcp.bind-port = 0
# Network interface will be bound to a random port, but remoting protocol will
# expect messages sent to port 2552.
#
- # akka.remote.netty.tcp.port = 0
- # akka.remote.netty.tcp.bind-port = 2553
+ # akka.remote.classic.netty.tcp.port = 0
+ # akka.remote.classic.netty.tcp.bind-port = 2553
# Network interface will be bound to the 2553 port, and remoting protocol will
# expect messages sent to the bound port.
#
- # akka.remote.netty.tcp.port = 2552
- # akka.remote.netty.tcp.bind-port = ""
+ # akka.remote.classic.netty.tcp.port = 2552
+ # akka.remote.classic.netty.tcp.bind-port = ""
# Network interface will be bound to the 2552 port, and remoting protocol will
# expect messages sent to the bound port.
#
- # akka.remote.netty.tcp.port if empty
+ # akka.remote.classic.netty.tcp.port if empty
bind-port = ""
# Use this setting to bind a network interface to a different hostname or ip
# than remoting protocol expects messages at.
# Use "0.0.0.0" to bind to all interfaces.
- # akka.remote.netty.tcp.hostname if empty
+ # akka.remote.classic.netty.tcp.hostname if empty
bind-hostname = ""
# Enables SSL support on this transport
}
- # DEPRECATED, since 2.5.0
- # The netty.udp transport is deprecated, please use Artery instead.
- # See: https://doc.akka.io/docs/akka/current/remoting-artery.html
- netty.udp = ${akka.remote.netty.tcp}
- netty.udp {
- transport-protocol = udp
- }
-
- netty.ssl = ${akka.remote.netty.tcp}
+ netty.ssl = ${akka.remote.classic.netty.tcp}
netty.ssl = {
# Enable SSL/TLS encryption.
# This must be enabled on both the client and server to work.
# Must implement akka.remote.transport.netty.SSLEngineProvider and have a public
# constructor with an ActorSystem parameter.
# The default ConfigSSLEngineProvider is configured by properties in section
- # akka.remote.netty.ssl.security
+ # akka.remote.classic.netty.ssl.security
#
# The SSLEngineProvider can also be defined via ActorSystemSetup with
# SSLEngineProviderSetup when starting the ActorSystem. That is useful when
# This password is used for decrypting the trust store
trust-store-password = "changeme"
- # Protocol to use for SSL encryption, choose from:
- # TLS 1.2 is available since JDK7, and default since JDK8:
- # https://blogs.oracle.com/java-platform-group/entry/java_8_will_use_tls
+ # Protocol to use for SSL encryption.
protocol = "TLSv1.2"
- # Example: ["TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_256_CBC_SHA"]
- # You need to install the JCE Unlimited Strength Jurisdiction Policy
- # Files to use AES 256.
+ # Example: ["TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
+ # "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
+ # "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
+ # "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"]
+ # When doing rolling upgrades, make sure to include both the algorithm used
+ # by old nodes and the preferred algorithm.
+ # If you use a JDK 8 prior to 8u161 you need to install
+ # the JCE Unlimited Strength Jurisdiction Policy Files to use AES 256.
# More info here:
- # http://docs.oracle.com/javase/7/docs/technotes/guides/security/SunProviders.html#SunJCEProvider
- enabled-algorithms = ["TLS_RSA_WITH_AES_128_CBC_SHA"]
+ # https://www.oracle.com/java/technologies/javase-jce-all-downloads.html
+ enabled-algorithms = ["TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
+ "TLS_RSA_WITH_AES_128_CBC_SHA"]
# There are two options, and the default SecureRandom is recommended:
# "" or "SecureRandom" => (default)
debug = off
}
- ### Default dispatcher for the remoting subsystem
-
- default-remote-dispatcher {
- type = Dispatcher
- executor = "fork-join-executor"
- fork-join-executor {
- parallelism-min = 2
- parallelism-factor = 0.5
- parallelism-max = 16
- }
- throughput = 10
- }
-
backoff-remote-dispatcher {
type = Dispatcher
executor = "fork-join-executor"
}
#//#classic
+#//#artery
akka {
remote {
- #//#artery
### Configuration for Artery, the new implementation of remoting
artery {
- # Enable the new remoting with this flag
+ # Disable artery with this flag
enabled = off
# Select the underlying transport implementation.
#
# Possible values: aeron-udp, tcp, tls-tcp
- #
- # The Aeron (UDP) transport is a high performance transport and should be used for systems
- # that require high throughput and low latency. It is using more CPU than TCP when the
- # system is idle or at low message rates. There is no encryption for Aeron.
- # https://github.com/real-logic/aeron
- #
- # The TCP and TLS transport is implemented using Akka Streams TCP/TLS. This is the choice
- # when encryption is needed, but it can also be used with plain TCP without TLS. It's also
- # the obvious choice when UDP can't be used.
- # It has very good performance (high throughput and low latency) but latency at high throughput
- # might not be as good as the Aeron transport.
- # It is using less CPU than Aeron when the system is idle or at low message rates.
+ # See https://doc.akka.io/docs/akka/current/remoting-artery.html#selecting-a-transport for the tradeoffs
+ # for each transport
transport = aeron-udp
# Canonical address is the address other clients should connect to.
bind-timeout = 3s
}
- # Periodically log out all Aeron counters. See https://github.com/real-logic/aeron/wiki/Monitoring-and-Debugging#counters
- # Only used when transport is aeron-udp.
- log-aeron-counters = false
# Actor paths to use the large message stream for when a message
# is sent to them over remoting. The large message stream dedicated
untrusted-mode = off
# When 'untrusted-mode=on' inbound actor selections are by default discarded.
- # Actors with paths defined in this white list are granted permission to receive actor
+ # Actors with paths defined in this list are granted permission to receive actor
# selections messages.
# E.g. trusted-selection-paths = ["/user/receptionist", "/user/namingService"]
trusted-selection-paths = []
# if off then they are not logged
log-sent-messages = off
+ # Logging of message types with payload size in bytes larger than
+ # this value. Maximum detected size per message type is logged once,
+ # with an increase threshold of 10%.
+ # By default this feature is turned off. Activate it by setting the property to
+ # a value in bytes, such as 1000b. Note that for all messages larger than this
+ # limit there will be extra performance and scalability cost.
+ log-frame-size-exceeding = off
+
advanced {
# Maximum serialized message size, including header data.
# Settings for the materializer that is used for the remote streams.
materializer = ${akka.stream.materializer}
- # If set to a nonempty string artery will use the given dispatcher for
- # the ordinary and large message streams, otherwise the default dispatcher is used.
+ # Remoting will use the given dispatcher for the ordinary and large message
+ # streams.
use-dispatcher = "akka.remote.default-remote-dispatcher"
- # If set to a nonempty string remoting will use the given dispatcher for
- # the control stream, otherwise the default dispatcher is used.
+ # Remoting will use the given dispatcher for the control stream.
# It can be good to not use the same dispatcher for the control stream as
# the dispatcher for the ordinary message stream so that heartbeat messages
# are not disturbed.
- use-control-stream-dispatcher = ""
-
- # Controls whether to start the Aeron media driver in the same JVM or use external
- # process. Set to 'off' when using external media driver, and then also set the
- # 'aeron-dir'.
- # Only used when transport is aeron-udp.
- embedded-media-driver = on
-
- # Directory used by the Aeron media driver. It's mandatory to define the 'aeron-dir'
- # if using external media driver, i.e. when 'embedded-media-driver = off'.
- # Embedded media driver will use a this directory, or a temporary directory if this
- # property is not defined (empty).
- # Only used when transport is aeron-udp.
- aeron-dir = ""
-
- # Whether to delete aeron embedded driver directory upon driver stop.
- # Only used when transport is aeron-udp.
- delete-aeron-dir = yes
-
- # Level of CPU time used, on a scale between 1 and 10, during backoff/idle.
- # The tradeoff is that to have low latency more CPU time must be used to be
- # able to react quickly on incoming messages or send as fast as possible after
- # backoff backpressure.
- # Level 1 strongly prefer low CPU consumption over low latency.
- # Level 10 strongly prefer low latency over low CPU consumption.
- # Only used when transport is aeron-udp.
- idle-cpu-level = 5
+ use-control-stream-dispatcher = "akka.actor.internal-dispatcher"
+
# Total number of inbound lanes, shared among all inbound associations. A value
# greater than 1 means that deserialization can be performed in parallel for
# unacknowledged system messages are re-delivered with this interval
system-message-resend-interval = 1 second
- # Timeout of establishing outbound connections.
- # Only used when transport is tcp or tls-tcp.
- connection-timeout = 5 seconds
+
# The timeout for outbound associations to perform the initial handshake.
# This timeout must be greater than the 'image-liveness-timeout' when
# a new session with a restarted destination system.
inject-handshake-interval = 1 second
- # messages that are not accepted by Aeron are dropped after retrying for this period
- # Only used when transport is aeron-udp.
- give-up-message-after = 60 seconds
# System messages that are not acknowledged after re-sending for this period are
# dropped and will trigger quarantine. The value should be longer than the length
# remote messages has been completed
shutdown-flush-timeout = 1 second
+ # Before sending notificaiton of terminated actor (DeathWatchNotification) other messages
+ # will be flushed to make sure that the Terminated message arrives after other messages.
+ # It will wait this long for the flush acknowledgement before continuing.
+ # The flushing can be disabled by setting this to `off`.
+ death-watch-notification-flush-timeout = 3 seconds
+
# See 'inbound-max-restarts'
inbound-restart-timeout = 5 seconds
# If more restarts occurs the ActorSystem will be terminated.
outbound-max-restarts = 5
- # Timeout after which aeron driver has not had keepalive messages
- # from a client before it considers the client dead.
- # Only used when transport is aeron-udp.
- client-liveness-timeout = 20 seconds
-
- # Timeout for each the INACTIVE and LINGER stages an aeron image
- # will be retained for when it is no longer referenced.
- # This timeout must be less than the 'handshake-timeout'.
- # Only used when transport is aeron-udp.
- image-liveness-timeout = 10 seconds
-
- # Timeout after which the aeron driver is considered dead
- # if it does not update its C'n'C timestamp.
- # Only used when transport is aeron-udp.
- driver-timeout = 20 seconds
-
- flight-recorder {
- // FIXME it should be enabled by default when we have a good solution for naming the files
- enabled = off
- # Controls where the flight recorder file will be written. There are three options:
- # 1. Empty: a file will be generated in the temporary directory of the OS
- # 2. A relative or absolute path ending with ".afr": this file will be used
- # 3. A relative or absolute path: this directory will be used, the file will get a random file name
- destination = ""
- }
-
# compression of common strings in remoting messages, like actor destinations, serializers etc
compression {
# Note that compression tables are "rolling" (i.e. a new table replaces the old
# compression table once in a while), and this setting is only about the total number
# of compressions within a single such table.
- # Must be a positive natural number.
+ # Must be a positive natural number. Can be disabled with "off".
max = 256
# interval between new table compression advertisements.
# Note that compression tables are "rolling" (i.e. a new table replaces the old
# compression table once in a while), and this setting is only about the total number
# of compressions within a single such table.
- # Must be a positive natural number.
+ # Must be a positive natural number. Can be disabled with "off".
max = 256
# interval between new table compression advertisements.
# Refer to `akka.remote.artery.RemoteInstrument` for more information.
instruments = ${?akka.remote.artery.advanced.instruments} []
+ # Only used when transport is aeron-udp
+ aeron {
+ # Periodically log out all Aeron counters. See https://github.com/real-logic/aeron/wiki/Monitoring-and-Debugging#counters
+ # Only used when transport is aeron-udp.
+ log-aeron-counters = false
+
+ # Controls whether to start the Aeron media driver in the same JVM or use external
+ # process. Set to 'off' when using external media driver, and then also set the
+ # 'aeron-dir'.
+ # Only used when transport is aeron-udp.
+ embedded-media-driver = on
+
+ # Directory used by the Aeron media driver. It's mandatory to define the 'aeron-dir'
+ # if using external media driver, i.e. when 'embedded-media-driver = off'.
+ # Embedded media driver will use a this directory, or a temporary directory if this
+ # property is not defined (empty).
+ # Only used when transport is aeron-udp.
+ aeron-dir = ""
+
+ # Whether to delete aeron embedded driver directory upon driver stop.
+ # Only used when transport is aeron-udp.
+ delete-aeron-dir = yes
+
+ # Level of CPU time used, on a scale between 1 and 10, during backoff/idle.
+ # The tradeoff is that to have low latency more CPU time must be used to be
+ # able to react quickly on incoming messages or send as fast as possible after
+ # backoff backpressure.
+ # Level 1 strongly prefer low CPU consumption over low latency.
+ # Level 10 strongly prefer low latency over low CPU consumption.
+ # Only used when transport is aeron-udp.
+ idle-cpu-level = 5
+
+ # messages that are not accepted by Aeron are dropped after retrying for this period
+ # Only used when transport is aeron-udp.
+ give-up-message-after = 60 seconds
+
+ # Timeout after which aeron driver has not had keepalive messages
+ # from a client before it considers the client dead.
+ # Only used when transport is aeron-udp.
+ client-liveness-timeout = 20 seconds
+
+ # Timout after after which an uncommitted publication will be unblocked
+ # Only used when transport is aeron-udp.
+ publication-unblock-timeout = 40 seconds
+
+ # Timeout for each the INACTIVE and LINGER stages an aeron image
+ # will be retained for when it is no longer referenced.
+ # This timeout must be less than the 'handshake-timeout'.
+ # Only used when transport is aeron-udp.
+ image-liveness-timeout = 10 seconds
+
+ # Timeout after which the aeron driver is considered dead
+ # if it does not update its C'n'C timestamp.
+ # Only used when transport is aeron-udp.
+ driver-timeout = 20 seconds
+ }
+
+ # Only used when transport is tcp or tls-tcp.
+ tcp {
+ # Timeout of establishing outbound connections.
+ connection-timeout = 5 seconds
+
+ # The local address that is used for the client side of the TCP connection.
+ outbound-client-hostname = ""
+ }
+
}
# SSL configuration that is used when transport=tls-tcp.
# real passwords in config files. trust-store-password=${SSL_TRUST_STORE_PASSWORD}
trust-store-password = "changeme"
- # Protocol to use for SSL encryption, choose from:
- # TLS 1.2 is available since JDK7, and default since JDK8:
- # https://blogs.oracle.com/java-platform-group/entry/java_8_will_use_tls
+ # Protocol to use for SSL encryption.
protocol = "TLSv1.2"
- # Example: ["TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_256_CBC_SHA"]
- # You need to install the JCE Unlimited Strength Jurisdiction Policy
- # Files to use AES 256.
+ # Example: ["TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
+ # "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
+ # "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
+ # "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"]
+ # When doing rolling upgrades, make sure to include both the algorithm used
+ # by old nodes and the preferred algorithm.
+ # If you use a JDK 8 prior to 8u161 you need to install
+ # the JCE Unlimited Strength Jurisdiction Policy Files to use AES 256.
# More info here:
- # http://docs.oracle.com/javase/7/docs/technotes/guides/security/SunProviders.html#SunJCEProvider
- enabled-algorithms = ["TLS_RSA_WITH_AES_128_CBC_SHA"]
+ # https://www.oracle.com/java/technologies/javase-jce-all-downloads.html
+ enabled-algorithms = ["TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
+ "TLS_RSA_WITH_AES_128_CBC_SHA"]
# There are two options, and the default SecureRandom is recommended:
# "" or "SecureRandom" => (default)
require-mutual-authentication = on
# Set this to `on` to verify hostnames with sun.security.util.HostnameChecker
+ # If possible it is recommended to have this enabled. Hostname verification is designed for
+ # situations where things locate each other by hostname, in scenarios where host names are dynamic
+ # and not known up front it can make sense to have this disabled.
hostname-verification = off
}
+ # Config of akka.remote.artery.tcp.ssl.RotatingKeysSSLEngineProvider
+ # This engine provider reads PEM files from a mount point shared with the secret
+ # manager. The constructed SSLContext is cached some time (configurable) so when
+ # the credentials rotate the new credentials are eventually picked up.
+ # By default mTLS is enabled.
+ # This provider also includes a verification phase that runs after the TLS handshake
+ # phase. In this verification, both peers run an authorization and verify they are
+ # part of the same akka cluster. The verification happens via comparing the subject
+ # names in the peer's certificate with the name on the own certificate so if you
+ # use this SSLEngineProvider you should make sure all nodes on the cluster include
+ # at least one common subject name (CN or SAN).
+ # The Key setup this implementation supports has some limitations:
+ # 1. the private key must be provided on a PKCS#1 or a non-encrypted PKCS#8 PEM-formatted file
+ # 2. the private key must be be of an algorythm supported by `akka-pki` tools (e.g. "RSA", not "EC")
+ # 3. the node certificate must be issued by a root CA (not an intermediate CA)
+ # 4. both the node and the CA certificates must be provided in PEM-formatted files
+ rotating-keys-engine {
+
+ # This is a convention that people may follow if they wish to save themselves some configuration
+ secret-mount-point = /var/run/secrets/akka-tls/rotating-keys-engine
+
+ # The absolute path the PEM file with the private key.
+ key-file = ${akka.remote.artery.ssl.rotating-keys-engine.secret-mount-point}/tls.key
+ # The absolute path to the PEM file of the certificate for the private key above.
+ cert-file = ${akka.remote.artery.ssl.rotating-keys-engine.secret-mount-point}/tls.crt
+ # The absolute path to the PEM file of the certificate of the CA that emited
+ # the node certificate above.
+ ca-cert-file = ${akka.remote.artery.ssl.rotating-keys-engine.secret-mount-point}/ca.crt
+
+ # There are two options, and the default SecureRandom is recommended:
+ # "" or "SecureRandom" => (default)
+ # "SHA1PRNG" => Can be slow because of blocking issues on Linux
+ #
+ # Setting a value here may require you to supply the appropriate cipher
+ # suite (see enabled-algorithms section)
+ random-number-generator = ""
+
+ # Example: ["TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
+ # "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
+ # "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
+ # "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"]
+ # If you use a JDK 8 prior to 8u161 you need to install
+ # the JCE Unlimited Strength Jurisdiction Policy Files to use AES 256.
+ # More info here:
+ # https://www.oracle.com/java/technologies/javase-jce-all-downloads.html
+ enabled-algorithms = ["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"]
+
+ # Protocol to use for SSL encryption.
+ protocol = "TLSv1.2"
+
+ # How long should an SSLContext instance be cached. When rotating keys and certificates,
+ # there must a time overlap between the old certificate/key and the new ones. The
+ # value of this setting should be lower than duration of that overlap.
+ ssl-context-cache-ttl = 5m
+ }
}
}
}