- Check for unpatched known issues
- Validate the health of core services
- Get information to assist troubleshooting, run remediation actions, or provide context about issues affecting the deployment
- Provide the toolkit report to Domino Support as part of an incident
https://<your-domino-url>/toolkit/ where you can view scan reports and initiate new scans. There is also a CLI tool to initiate scans and help manage the toolkit deployment.
You can run scans as many times as necessary because the checks performed by the toolkit are only reading information and not making any modifications. You can run a scan during any of these stages:
- After a new Domino install
- At the start of an incident
- In the midst of an incident
- After incident resolution to verify health
- Before and after a Domino upgrade
- Before and after a Domino migration
Access Admin Toolkit
Admin Toolkit is available at the URLhttps://<your-domino-domain>/toolkit/ or through the Domino Admin UI under Advanced > Diagnostics.
Out of the box, Admin Toolkit should be configured with SSO so that users will automatically be logged in to the Toolkit UI if they are logged in to Domino. If they are not currently logged in to Domino or their session has expired, then they will see the Admin Toolkit login screen.
Clicking on Continue with Domino SSO will take the user to the normal Domino login screen where they can log in using their Domino credentials as normal. Once logged in, Domino will redirect back to the Toolkit UI.
All Domino SysAdmin users are automatically granted the Toolkit Admin role.
Login when SSO is unavailable
When SSO is not working (for example, Keycloak is unavailable for some reason), then there is a backup method to access Toolkit with Admin privileges.Get the Admin Toolkit password
When the toolkit is installed, the installer generates a random password that does not change for the life of the toolkit deployment. If you installed the toolkit on the command line using the CLI, this password (along with the ingress URL) is displayed at the end of the installation process. If you forget the password, or if toolkit was installed by the Domino installer, you can retrieve the password using this command:- Enter the login you retrieved above.
- Enter the password you retrieved above.
- Click Login.
Get the Admin Toolkit password without the toolkit.sh CLI
The Admin Toolkit password is stored in a secret calleddomino-admin-toolkit-http in the domino-platform namespace. You can also retrieve the password with kubectl:
admin-toolkit.
Run a system scan
You can run a system scan using the Admin Toolkit web interface or CLI.Run a scan using the web interface
-
Navigate to
https://<your-domino-url>/toolkit/and log in. -
Click the Run New Report button at the bottom of the page:
When the scan has finished, the web interface displays a link to the report.
Run a scan using the CLI
From your bastion host or laptop where you havetoolkit.sh saved, run this command:
Run a scan on an air-gapped deployment
If your Domino deployment blocks AWS access, run the following command to output the report only in the console:Troubleshooting
Attempting to run./toolkit.sh results in the following error:
/usr/local/bin/python: Error while finding module specification for ‘domino_admin_toolkit.test_runner’ (ModuleNotFoundError: No module named ‘domino_admin_toolkit’)This indicates there is still a v1 toolkit installation present. Run
error: Internal error occurred: error executing command in container: Internal error occurred: error executing command in container: command terminated with exit code 1
./toolkit.sh uninstall to remove it and ./toolkit.sh install to install the latest version.
View the reports
Use the Admin Toolkit’s web interface to review the reports in HTML format. The web interface displays a list of the 10 most recent reports that have been generated by the toolkit. Click the link of the report you wish to view.
Reports are stored on the toolkit’s pod storage and are not persisted across pod restarts. With kubectl access you can download all stored reports using:
kubectl cp -n domino-platform -c domino-admin-toolkit <pod_name>:/app/domino_admin_toolkit/ui/templates/reports/ ./reports/ replacing <pod_name> with the complete name of the toolkit pod.Send reports to Domino
Regardless of whether a scan runs from the web interface or CLI, the toolkit can automatically and securely upload the report to a secure centralized S3 bucket owned by Domino within Domino’s internal AWS account. Access to the reports is restricted to authorized Domino engineers through a secure single sign-on (SSO) system with granted permissions. This behavior is on by default, but can be disabled by either selecting the option in the web interface to opt out of uploads, applying aConfigMap, or when using the command line by running with the --local-only option:
The
--local-only option applies to that run only and does not change the default behavior.- Quicker resolution of support tickets.
- Validation of deployment configuration.
- Receive more proactive, rather than reactive, support.
Enable/disable reports to be sent to Domino
By default, the functionality to have reports uploaded to Domino is enabled. Each newly generated toolkit report is securely sent to Domino Support and Engineering. This allows Domino engineers to gain access to the reports faster during an outage and get historical context to previous outages. You can opt out of this service (or opt in again) via the web interface or through an applied KubernetesConfigMap.
To opt out of sending reports to Domino via the web interface, navigate to the Settings tab and then click the Opt Out of sending reports to Domino button. To opt back in, click the Opt Into sending reports to Domino button.
To opt out of sending reports to Domino through an applied Kubernetes ConfigMap, follow the instructions below.
These reports only collect deployment and service verification data and do not contain any sensitive data.
ConfigMap
AConfigMap is generated by default. Here is an example of the default ConfigMap:
send_to_domino value to "False".
Scheduled reports
Scheduled reporting lets you generate Domino health reports at regular intervals. Having a “healthy state” report handy provides a comparative baseline during system disruptions. This can be invaluable in swiftly identifying system anomalies, thus accelerating the issue resolution process.Set up scheduled reporting
Follow the steps below to set up scheduled reporting:- Open the toolkit web interface and navigate to the Settings tab.
- Under the Schedule Admin Toolkit section, specify the frequency and timing for the reports as per your requirement. This is accepted in cron formatting only.
- Click Submit.

Utilize scheduled reports during system disruptions
In case of a system disruption or outage:- Access the most recent “healthy state” report from the stored scheduled reports.
- Generate an immediate system health report (if possible).
- Compare the two reports to identify any deviations or unusual activities.
Understand and resolve failures
The Admin Toolkit documentation provides comprehensive information about the checks, their meanings, and any details on resolving issues. Use the toolkit and its documentation to quickly identify and resolve issues, and ensure optimal performance of the Domino platform. You can access the documentation in two ways:-
Publicly-accessible online documentation:
- https://docs.toolkit.re.domino.tech/ (always updated to the latest version of the toolkit).
- Support site knowledge base (requires sign-in).
-
Documentation included within the Domino deployment:
https://<your-domino-url>/toolkit/docs/(specific to the deployed version of the toolkit).