Broker Configuration Template

Sample configuration

The following redpanda.yaml configuration file includes a complete list of all broker properties and their descriptions. For a summary of all available broker properties, see Broker Configuration Properties.

This is not a valid Redpanda configuration file, but it shows the properties you can configure in the redpanda.yaml file. Ensure that all values entered are properly enclosed in quotes and escaped as necessary. For example, put passwords with special characters in single quotes.

# organization and cluster_id help Redpanda identify your system.
organization: ""
cluster_id: ""

redpanda:
  # Path where Redpanda keeps the data.
  # Required.
  data_directory: "var/lib/redpanda/data"

  # Unique ID identifying the broker in the cluster.
  # Optional.
  node_id: 1

  # Controls how a new cluster is formed. This property must have the same value
  # in all brokers in a cluster.
  # Optional.
  empty_seed_starts_cluster: false

  # Enable the Admin API.
  # Default: true
  enable_admin_api: true

  # Admin API doc directory.
  # Default: /usr/share/redpanda/admin-api-doc
  admin_api_doc_dir: "/usr/share/redpanda/admin-api-doc"

  # Address and port of admin server.
  # Default: 127.0.0.1:9644
  admin:
    address: "0.0.0.0"
    port: 9644

  # TLS configuration for the admin server.
  # Default: null
  admin_api_tls:
    # Whether to enable TLS for the admin server.
    enabled: false
    # Require client authentication
    require_client_auth: false
    # The path to the server certificate PEM file.
    cert_file: ""
    # The path to the server key PEM file
    key_file: ""
    # The path to the truststore PEM file. Only required if client authentication
    # is enabled.
    truststore_file: ""

  # The IP address and port for the internal RPC server.
  # Default should be a real IP address because this is configuring advertised_rpc_api, not rpc_server.
  # Default: 127.0.0.1:33145
  rpc_server:
    address: "0.0.0.0"
    port: 33145

  # TLS configuration for the RPC server.
  # Default: null
  rpc_server_tls:
    # Whether to enable TLS for the RPC server.
    enabled: false
    # Require client authentication
    require_client_auth: false
    # The path to the server certificate PEM file.
    cert_file: ""
    # The path to the server key PEM file
    key_file: ""
    # The path to the truststore PEM file. Only required if client authentication
    # is enabled.
    truststore_file: ""

  # Address of RPC endpoint published to other cluster members.
  # Default: 0.0.0.0:33145
  advertised_rpc_api:
    address: "127.0.0.1"
    port: 33145

  # Multiple listeners are supported per KIP-103.
  # The names must match those in advertised_kafka_api
  kafka_api:
  - address: "0.0.0.0"
    name: internal
    port: 9092
  - address: "0.0.0.0"
    name: external
    port: 9093

  # A list of TLS configurations for the Kafka API listeners.
  # Default: null
  kafka_api_tls:
    # The name of the specific listener to which this config
    # is applied. The names must match those in kafka_api.
  - name: "external"
    # Whether to enable TLS for the Kafka API.
    enabled: true
    # Require client authentication
    require_client_auth: false
    # The path to the server certificate PEM file.
    cert_file: "certs/tls-cert.pem"
    # The path to the server key PEM file
    key_file: "certs/tls-key.pem"
    # The path to the truststore PEM file. Only required if client authentication
    # is enabled.
    truststore_file: "certs/tls-ca.pem"

  - name: "internal"
    enabled: false

  # Multiple listeners are supported per KIP-103.
  # The names must match those in kafka_api
  # Default should be a real IP address because this is configuring advertised_rpc_api, not rpc_server.
  advertised_kafka_api:
  - address: 10.0.0.1
    name: internal
    port: 9092
  - address: redpanda-0.my.domain.com.
    name: external
    port: 9093

  # List of the seed server addresses and ports used to join current cluster.
  # If the seed_server list is empty, the broker is a cluster root and forms a new cluster.
  # Default: []
  seed_servers:
    - host:
      address: 192.168.0.1
      port: 33145

  # Rack identifier.
  # Default: null
  rack: "rack-id"

# The Redpanda REST API provides a RESTful interface for producing and consuming messages with Redpanda.
# To disable the REST API, remove this top-level config broker
pandaproxy:
  # A list of address and port to listen for Kafka REST API requests.
  # Default: 0.0.0.0:8082
  pandaproxy_api:
  - address: "0.0.0.0"
    name: internal
    port: 8082
  - address: "0.0.0.0"
    name: external
    port: 8083

  # A list of TLS configurations for the REST API.
  # Default: null
  pandaproxy_api_tls:
  - name: external
    # Whether to enable TLS.
    enabled: false
    # Require client authentication
    require_client_auth: false
    # The path to the server certificate PEM file.
    cert_file: ""
    # The path to the server key PEM file
    key_file: ""
    # The path to the truststore PEM file. Only required if client
    # authentication is enabled.
    truststore_file: ""
  - name: internal
    enabled: false

  # A list of address and port for the REST API to publish to client
  # Default: from pandaproxy_api
  # Default should be a real IP address because this is configuring advertised_rpc_api, not rpc_server.
  advertised_pandaproxy_api:
    - address: 10.0.0.1
      name: internal
      port: 8082
    - address: "redpanda-rest-0.my.domain.com."
      name: external
      port: 8083

  # How long to wait for an idle consumer before removing it.
  # Default: 60000
  consumer_instance_timeout_ms: 60000

# The REST API client
pandaproxy_client:
  # List of address and port of the brokers
  # Default: "127.0.0.1:9092
  brokers:
   - address: "127.0.0.1"
     port: 9092

  # TLS configuration for the brokers
  broker_tls:
    # Whether to enable TLS.
    enabled: false
    # Require client authentication
    require_client_auth: false
    # The path to the server certificate PEM file.
    cert_file: ""
    # The path to the server key PEM file
    key_file: ""
    # The path to the truststore PEM file. Only required if client authentication
    # is enabled.
    truststore_file: ""

  # Number of times to retry a request to a broker
  # Default: 5
  retries: 5

  # Delay (in milliseconds) for initial retry backoff
  # Default: 100ms
  retry_base_backoff_ms: 100

  # Number of records to batch before sending to broker
  # Default: 1000
  produce_batch_record_count: 1000

  # Number of bytes to batch before sending to broker
  # Defautl 1MiB
  produce_batch_size_bytes: 1048576

  # Delay (in milliseconds) to wait before sending batch
  # Default: 100ms
  produce_batch_delay_ms: 100

  # Interval (in milliseconds) for consumer request timeout
  # Default: 100ms
  consumer_request_timeout_ms: 100

  # Max bytes to fetch per request
  # Default: 1MiB
  consumer_request_max_bytes: 1048576

  # Timeout (in milliseconds) for consumer session
  # Default: 10s
  consumer_session_timeout_ms: 10000

  # Timeout (in milliseconds) for consumer rebalance
  # Default: 2s
  consumer_rebalance_timeout_ms: 2000

  # Interval (in milliseconds) for consumer heartbeats
  # Default: 500ms
  consumer_heartbeat_interval_ms: 500

  # SASL mechanism to use for authentication
  # Supported: SCRAM-SHA-{256,512}
  # Default: ""
  # Support for SASL is disabled when no mechanism is specified.
  sasl_mechanism: ""

  # Username for SCRAM authentication mechanisms
  # Default: ""
  scram_username: ""

  # Password for SCRAM authentication mechanisms
  # Default: ""
  scram_password: ""

# The Schema Registry provides a RESTful interface for schema storage, retrieval, and compatibility.
# To disable the Schema Registry, remove this top-level config broker
schema_registry:
  # A list of address and port to listen for Schema Registry API requests.
  # Default: 0.0.0.0:8082
  schema_registry_api:
  - address: "0.0.0.0"
    name: internal
    port: 8081
  - address: "0.0.0.0"
    name: external
    port: 18081

  # The replication factor of Schema Registry's internal storage topic
  schema_registry_replication_factor: 3

  # A list of TLS configurations for the Schema Registry API.
  # Default: null
  schema_registry_api_tls:
  - name: external
    # Whether to enable TLS.
    enabled: false
    # Require client authentication
    require_client_auth: false
    # The path to the server certificate PEM file.
    cert_file: ""
    # The path to the server key PEM file
    key_file: ""
    # The path to the truststore PEM file. Only required if client
    # authentication is enabled.
    truststore_file: ""
  - name: internal
    enabled: false

# The Schema Registry client config
# See pandaproxy_client for a list of options
schema_registry_client:

rpk:
  # Add optional flags to have rpk start Redpanda with specific parameters.
  # The available start flags are found in: /src/v/config/configuration.cc
  additional_start_flags:
    - "--overprovisioned"
    - "--smp=2"
    - "--memory=4G"
    - "--default-log-level=info"

  # The Kafka API configuration
  kafka_api:
    # A list of broker addresses that rpk will use
    brokers:
    - 192.168.72.34:9092
    - 192.168.72.35:9092

    # The TLS configuration to be used when interacting with the Kafka API.
    # If present, TLS is enabled. If missing or null, TLS is disabled.
    tls:
      # The path to the client certificate (PEM). Only required if client authentication is
      # enabled in the broker.
      cert_file: ~/certs/cert.pem
      # The path to the client certificate key (PEM). Only required if client authentication is
      # enabled in the broker.
      key_file: ~/certs/key.pem
      # The path to the root CA certificate (PEM).
      truststore_file: ~/certs/ca.pem

    # The SASL config, if enabled in the brokers.
    sasl:
      user: user
      password: 'pass'
      type: SCRAM-SHA-256

  # The Admin API configuration
  admin_api:
    # A list of the brokers' Admin API addresses that rpk will use.
    addresses:
    - 192.168.72.34:9644
    - 192.168.72.35:9644
    # The TLS configuration to be used when with the Admin API.
    # If present, TLS is enabled. If missing or null, TLS is disabled.
    tls:
      # The path to the client certificate (PEM). Only required if client authentication is
      # enabled in the broker.
      cert_file: ~/certs/admin-cert.pem
      # The path to the client certificate key (PEM). Only required if client authentication is
      # enabled in the broker.
      key_file: ~/certs/admin-key.pem
      # The path to the root CA certificate (PEM).
      truststore_file: ~/certs/admin-ca.pem

  # Available tuners. Set to true to enable, false to disable.

  # Setup NIC IRQs affinity, sets up NIC RPS and RFS, sets up NIC XPS, increases socket
  # listen backlog, increases the number of remembered connection requests, bans the
  # IRQ Balance service from moving distributed IRQs.
  # Default: false
  tune_network: false

  # Sets the preferred I/O scheduler for given block devices.
  # It can work using both the device name or a directory, in which the device where
  # directory is stored is optimized. Sets either 'none' or 'noop' scheduler
  # if supported.
  # Default: false
  tune_disk_scheduler: false

  # Disables IOPS merging.
  # Default: false
  tune_disk_nomerges: false

  # Distributes IRQs across cores with the method deemed the most appropriate for the
  # current device type (i.e. NVMe).
  # Default: false
  tune_disk_irq: false

  # Installs a systemd service to run fstrim weekly, or starts the default fstrim service
  # which comes with most Linux distributions.
  # Default: false
  tune_fstrim: false

  # Disables hyper-threading, sets the ACPI-cpufreq governor to 'performance'. Additionaly
  # if system reboot is allowed: disables Intel P-States, disables Intel C-States,
  # disables Turbo Boost.
  # Default: false
  tune_cpu: true

  # Increases the number of allowed asynchronous IO events.
  # Default: false
  tune_aio_events: false

  # Syncs NTP.
  # Default: false
  tune_clocksource: true

  # Tunes the kernel to prefer keeping processes in-memory instead of swapping them out.
  # Default: false
  tune_swappiness: false

  # Enables transparent hugepages (THP) to reduce TLB misses.
  # Default: false
  tune_transparent_hugepages: false

  # Enables memory locking.
  # Default: false
  enable_memory_locking: false

  # Installs a custom script to process coredumps and save them to the given directory.
  # Default: false
  tune_coredump: false

  # The directory where all coredumps are saved after they're processed.
  # Default: ''
  coredump_dir: "/var/lib/redpanda/coredump"

  # Creates a "ballast" file, so if a Redpanda broker runs out of space,
  # you can delete the ballast file to allow the broker to resume operations and then
  # delete a topic or records to reduce the space used by Redpanda.
  # Default: false
  tune_ballast_file: false

  # The path where the ballast file is created.
  # Default: "/var/lib/redpanda/data/ballast"
  ballast_file_path: "/var/lib/redpanda/data/ballast"

  # The ballast file size.
  # Default: "1GiB"
  ballast_file_size: "1GiB"

  # (Optional) The vendor, VM type, and storage device type that Redpanda runs on, in
  # the format <vendor>:<vm>:<storage>. This hints to rpk which configuration values it
  # should use for the Redpanda IO scheduler.
  # Default: ''
  well_known_io: "aws:i3.xlarge:default"

Suggested reading