DB
Operations

Configuration

Build, review, and validate the NYXDB startup contract.

NYXDB's primary runtime configuration is the nyxdb command line. Storage topology can be imported from YAML, after which catalog DDL is authoritative. Always derive defaults from nyxdb --help in the exact artifact being deployed.

Baseline

nyxdb \
  --host=127.0.0.1 \
  --port=7510 \
  --data-dir=/srv/nyxdb/data \
  --require-auth \
  --admin-password-file=/run/secrets/nyxdb-admin-password \
  --wal-sync=always \
  --memory-limit-bytes=15032385536 \
  --memory-governor=on

Choose values from workload and recovery tests; the example is not a universal sizing prescription.

Configuration groups

GroupRepresentative controlsReview question
Listener--host, --port, connection count/workers, handshake/idle/frame/write timeoutsCan a client consume an unbounded worker or socket?
Access--require-auth, first-boot admin secret, operator users/grants, application auth providers/endpoints/limitsCan any reachable socket skip authentication or cross identity planes?
Persistence--data-dir, --wal-sync, --journal-commitWhat does an acknowledged write survive?
Storage I/O--storage-io, depth, mmap, flush thresholds/pollingIs the selected backend proven on this kernel/filesystem?
PSIdelivery mode, lane workers, ring capacity, source partitionsCan stream fan-out and lag remain bounded?
Committed tailrow/byte caps, delay ramp, seal, publisher threads, spillWhat happens when ingest outruns flush?
Memoryprocess limit, governor, sealed-memory cap, spill, allocator releaseDoes pressure degrade to bounded latency/rejection before OOM?
Compaction/cachepolling, job/I/O limits, cache profile and byte capsIs background work isolated from foreground reads?
Ingestprofile, queue count/bytes, workers, coalescingIs parked decoded input bounded in bytes?
Queryconcurrency, queue, timeout, row/output/operator/cardinality limitsCan one query monopolize the process?
Telemetrysystem tick and query-log retentionIs incident data useful and bounded?

Use the full help output for exact flag names, ranges, and revision-specific defaults.

Defaults worth making explicit

ControlCurrent executable default
Live connections256
Connection workers256
Handshake timeout10 s
Idle timeout300 s
Frame timeout30 s absolute
Write timeout30 s absolute
Operator authentication enforcementOff; without --require-auth, every connection is an implicit full-SQL operator
Native TLS and Origin policyAbsent; the server exposes raw TCP and ws:// and must remain behind a reviewed trusted-network edge
WAL syncgroup
PSI deliveryasync
PSI ring capacity65,536 per exact source
Committed-tail rows10,000,000
Committed-tail bytes2 GiB
Memory governoron
Memory ramp / block80% / 95%, with 2% downgrade hysteresis
System snapshot tick1,000 ms; inputs below 100 ms clamp to 100 ms

Explicit values make a future default change visible in code review.

Access posture

--require-auth is mandatory for every browser-facing or otherwise untrusted listener. Auth providers protect the end-user endpoint path; they do not close the default-open operator path. The native listener has no TLS, so place it on a trusted network behind reviewed TLS termination plus Origin and network policy before an untrusted client can reach it.

On a fresh catalog with no users, NYXDB seeds admin with role admin. Supply the first-boot password through a mounted secret file:

nyxdb \
  --data-dir=/srv/nyxdb/data \
  --require-auth \
  --admin-password-file=/run/secrets/nyxdb-admin-password

Secret-source precedence is:

  1. --admin-password-file=<path>;
  2. NYXDB_ADMIN_PASSWORD_FILE;
  3. --admin-password=<password>; and
  4. NYXDB_ADMIN_PASSWORD.

File inputs strip trailing newlines and fail startup when explicitly selected but unreadable or empty. The inline flag and environment variable are supported for provisioning but can leak through process inspection or orchestration metadata. If no source is supplied, the engine generates a random 24-character password and prints it once. With --data-dir, the user catalog persists and the resolved value no longer changes the existing admin after seeding. However, an explicitly configured password file is still opened and validated on every process start. Keep it mounted and readable, or remove the file flag/environment source from the reviewed startup command after provisioning. Without persistence, seeding runs again on every start.

--require-auth allows one capability negotiation, ping, and either operator or end-user OP_AUTH before authentication; it gates other operations. It does not configure application users. Direct application access separately requires an auth provider, a typed endpoint or granted logical view, and the appropriate limits. See Operator governance and Application access SQL.

Operator grants gate raw query/stream operations and the canonical stored query behind operator-class endpoint/view execute or subscribe operations. Named non-admin operators need read or subscribe on every scanned base relation; operator-class calls remain exempt from application endpoint quotas.

Storage YAML ownership

--storage-config=<file> imports resources, pools, and policies that do not already exist in the catalog. Once an object exists:

  1. the catalog definition wins;
  2. YAML drift produces a warning; and
  3. operators use CREATE, ALTER, or DROP storage DDL for changes.

Invalid YAML or invalid imported topology is fatal at boot. Do not edit the file expecting an existing catalog object to change silently.

Change procedure

  1. Capture the old command line, help output, artifact identity, and baseline telemetry.
  2. Change one resource policy at a time.
  3. Validate the candidate with representative ingest, read, stream, restart, and memory-pressure workloads.
  4. Schedule a clean offline restart.
  5. Verify the effective build and startup log.
  6. Compare query, event, memory, part, and subscription telemetry.
  7. Keep the previous configuration with the pre-change backup evidence.

Removed compatibility flags may still parse and warn while doing nothing. Treat startup warnings as review failures, not harmless noise.

On this page