Command Line Interface

The serened executable starts the SereneDB pg-wire server. It can also delegate to the embedded shell commands without starting the server.

Use serened --help to print the current command line reference.

Usage

serened <data-dir> [--flag=value ...]
serened shell [duckdb-shell args ...]
serened psql  [psql args ...]
serened <data-dir> [--flag=value ...]

Start the SereneDB pg-wire server, using the optional data directory and flags.

serened shell [duckdb-shell args ...]

Open the embedded DuckDB shell without starting the SereneDB server.

serened psql [psql args ...]

Open the psql-compatible shell subcommand without starting the SereneDB server.

Flag Sources

--flagfile=path1,path2

Read flags from one or more files (one '--flag=value' per line, '#' comments OK).

--fromenv=name1,name2

Read each listed flag from FLAGS_<name>; missing env vars are an error.

--tryfromenv=name1,name2

Same as --fromenv but silently skip flags whose env var is unset.

--undefok=name1,name2

Tolerate '--name1=...' even when no flag with that name exists (useful for shared flagfiles across binaries).

Help Variants

--help

This filtered banner.

--helpfull

Every absl-managed flag.

--help=<substring>

Flags whose name or description matches.

--helpshort

Project-defined flags only (no absl/gtest).

--helppackage

Flags grouped by source-tree location.

--version

Print the build banner and exit.

Options

Server

--auth_api_key (default: empty)

Static HTTP ApiKey credential as id:key (empty = ApiKey rejected).

--auth_bearer_token (default: empty)

Static HTTP Bearer token (empty = Bearer rejected).

--auth_method (default: scram)

Password auth method for --auth_password: scram (SCRAM-SHA-256, default), md5, or password (cleartext; requires TLS).

--auth_password (default: empty)

Temporary single-user password (empty = trust). Placeholder until RBAC; SCRAM-SHA-256 by default. Cleartext password auth requires TLS.

--auth_timeout (default: 30s)

Max time from connect to authenticated, per connection (0 = off). pg: covers TLS+startup+auth; http: the request-header read deadline.

--auth_user (default: postgres)

User the temporary --auth_password / token credentials apply to.

--background_threads (default: 0)

Number of background worker threads (drop / cleanup / maintenance tasks; later object-store prefetch). 0 = auto-detect.

--cpu_threads (default: 0)

Executor pool size at process start. 0 = let server auto-detect from cpu_count. The SQL-level `SET threads = N` continues to win at runtime.

--http_body_timeout (default: 30s)

Max time to read one HTTP request body.

--http_cors_origins (default: empty)

CORS allow-origin list for the HTTP/ES API: comma-separated origins or '*' (empty disables CORS). Echoes an allowed Origin and answers preflight OPTIONS.

--idle_session_timeout (default: 1m15s)

Close a session idle (between requests) longer than this. Drives the HTTP keep-alive idle timeout.

--io_threads (default: 0)

IO threads for HTTP and pg-wire connections (0 = max(1, cpu_count / 4)).

--listen (default: postgres://127.0.0.1:7890)

Listener URL(s), comma-separated or repeated (last-wins). Each is one listener: postgres://host:port[?sslmode=...], http(s)://host:port?api=es, postgres:///path/to.sock (unix).

--max_connections (default: 0)

Max concurrent client connections across all listeners (0 = unlimited). Over-cap connections get 53300 (pg) / 503 (http) then close. Per-listener override via ?max_connections=.

--pg_max_message_bytes (default: 67108864)

Maximum size of a single pg-wire message (statement text / bound parameter value). Bulk data should use COPY, which streams.

--server_directory (default: serenedb-data)

Path to the database directory. A positional argument, if given, takes precedence.

--tls_ca (default: empty)

Default PEM CA bundle to verify client certificates (sslmode=verify-ca/verify-full).

--tls_cert (default: empty)

Default PEM server certificate chain for TLS listeners (a listener may override with ?cert=).

--tls_ciphers (default: ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305)

OpenSSL TLS 1.2 cipher list (forward-secret AEAD, Mozilla intermediate); TLS 1.3 suites are fixed by OpenSSL.

--tls_groups (default: X25519:P-256)

TLS key-exchange groups, colon-separated.

--tls_key (default: empty)

Default PEM private key for --tls_cert.

--tls_min_version (default: 1.2)

Minimum TLS version: 1.2 or 1.3 (legacy TLS is not supported).
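
Added example (not part of the SereneDB documentation or code base): a small Python linter that parses a flagfile in the format described under Flag Sources and reports risky combinations of the Server flags above. The function names, finding names and rule set are this example's own, as is the assumption that a postgres:// listener without ?sslmode= (or an http:// listener) carries no TLS.

```python
from urllib.parse import urlsplit, parse_qs

# Defaults copied from the flag reference on this page.
DEFAULTS = {"auth_password": "", "auth_method": "scram", "http_cors_origins": "",
            "listen": "postgres://127.0.0.1:7890", "max_connections": "0"}
LOOPBACK = {"127.0.0.1", "::1", "localhost"}

def parse_flagfile(text):
    """One '--flag=value' per line, '#' comments allowed; a repeated flag: last wins."""
    flags = dict(DEFAULTS)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, _, value = line.lstrip("-").partition("=")
        flags[name] = value
    return flags

def audit(flags):
    """Return finding names; the rule set is this example's policy, not SereneDB's."""
    listeners = [urlsplit(u.strip()) for u in flags["listen"].split(",") if u.strip()]
    tcp = [u for u in listeners if u.hostname]      # postgres:///path/to.sock has no host
    exposed = [u for u in tcp if u.hostname not in LOOPBACK]
    # Assumption: plain http://, or postgres:// without ?sslmode=, means no TLS.
    plaintext = [u for u in tcp if u.scheme == "http" or
                 (u.scheme == "postgres" and "sslmode" not in parse_qs(u.query))]
    pw = flags["auth_password"] != ""               # empty = trust
    method = flags["auth_method"]                   # only applies to --auth_password
    checks = [
        (not pw and exposed, "trust-auth-exposed"),
        (pw and method == "password" and plaintext, "cleartext-password-without-tls"),
        (pw and method == "md5", "md5-auth"),
        (flags["http_cors_origins"].strip() == "*", "cors-any-origin"),
        (flags["max_connections"] == "0" and exposed, "unlimited-connections-exposed"),
    ]
    return [name for hit, name in checks if hit]

# Constructed sample flagfile (not taken from the SereneDB docs).
SAMPLE = """\
# shared dev flags
--listen=postgres://0.0.0.0:7890,http://0.0.0.0:9200?api=es
--auth_password=constructed-example
--auth_method=password
--http_cors_origins=*
"""

if __name__ == "__main__":
    print(audit(parse_flagfile(SAMPLE)))
```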

Logging

--log_level (default: info)

Minimum log severity at process start: trace | debug | info | warning | error | fatal. Override at runtime with `SET logging_level = '<value>'`.

--log_path (default: empty)

Path used by --log_storage, when it takes one. Its meaning is storage-dependent (for 'file', the log file or directory); ignored by storages that take no path, such as 'stdout' and 'memory'.

--log_storage (default: stdout)

Log destination at process start. Accepted values: 'stdout' (default; systemd/container log drivers capture it), 'memory' (queryable via SELECT * FROM duckdb_logs()), or 'file' (uses --log_path). Override at runtime with `CALL enable_logging(storage='<value>', storage_path='<path>')`.