Configuration

Outside of development mode, Boundary controllers and workers are configured using a file. The format of this file is HCL. In this section you’ll find configuration block examples for Boundary controllers and workers.

After the configuration is written, use the -config flag to specify a local path to the file.

Parameters

  • controller: Controller specific configuration. If present, boundary server will start a Controller subprocess.

  • worker: Worker specific configuration. If present, boundary server will start a Worker subprocess.

  • listener: Configures the listeners on which Boundary serves traffic (API, cluster, and proxy).

    Controllers will have two listener blocks: one marked for api purpose and the other marked for cluster purpose. By default, the API listener runs on :9200 and the cluster listener (currently used for worker communication) uses :9201.

    Workers will have only one listener, marked for proxy purpose.

  • kms: Configures KMS blocks for various purposes.

  • disable_mlock (bool: false) – Disables the server from executing the mlock syscall, which prevents memory from being swapped to disk. This is fine for local development and testing; in production, it is not recommended unless the systems running Boundary only use encrypted swap or do not use swap at all. Boundary only supports memory locking on UNIX-like systems that support the mlock() syscall (Linux, FreeBSD, etc).

    On Linux, to give the Boundary executable the ability to use the mlock syscall without running the process as root, run:

    1. sudo setcap cap_ipc_lock=+ep $(readlink -f $(which boundary))

    If you use a Linux distribution with a modern version of systemd, you can add the following directive to the “[Service]“ configuration section:

    1. LimitMEMLOCK=infinity

  • log_level (string: "info") – Specifies the log level to use; overridden by CLI and env var parameters. Supported log levels: Trace, Debug, Error, Warn, Info.

  • log_format (string: "") – Specifies the log format to use; overridden by CLI and env var parameters. Supported log formats: "standard", "json".

Example Configurations

For complete example configurations see the sections for controller and worker.