rep job from diego/2.111.0
GitHub source: 4ec642ff3 or master branch
Properties¶
bpm
¶
enabled
¶use the BOSH Process Manager to manage the cell rep process.
- Default
false
cell_registrations
¶
locket
¶
enabled
¶Enable the cell rep to register itself as a service with Locket.
- Default
true
containers
¶
graceful_shutdown_interval_in_seconds
¶Time in seconds between signalling a container to shut down gracefully and stopping it forcefully. Should not be less than 10.
- Default
10
layering_mode
¶Configures downloaded container asset management mode. Valid values are ‘single-layer’ and ‘two-layer’. Setting this property to ‘two-layer’ enables the conversion of some downloaded Task and LRP assets to container image layers.
- Default
single-layer
proxy
¶
additional_memory_allocation_mb
¶Additional memory allocated to each container for the envoy proxy. This value must not be negative.
- Default
32
ads_addresses
¶EXPERIMENTAL: When set, the envoy proxy consumes dynamic config from the specified Aggregated Discovery Service servers (specified as a list of host:port). This config is in addition to the static configuration that supports TLS termination / route-integrity.
- Default
[]
- Example
- 169.254.0.2:15001
configuration_reload_duration
¶Duration of time in seconds that the rep grants the container Envoy proxy to reload its listener configuration when shutting down a container gracefully so that TLS-verifying clients will stop making connections. After this time duration, the rep will shut down other processes in the container.
- Default
5s
enable_http2
¶Whether envoy proxy advertises HTTP/2 support via ALPN.
- Default
true
enable_unproxied_port_mappings
¶EXPERIMENTAL: whether the cell should still map host ports directly to the unproxied container ports. Setting to false requires containers.proxy.enabled to be set to true.
- Default
true
enabled
¶Enable envoy proxy on garden containers. Requires valid TLS credentials in diego.executor.instance_identity_ca_cert and diego.executor.instance_identity_key.
- Default
false
require_and_verify_client_certificates
¶whether the per-container proxy should require and verify a TLS certificate from a client connecting to one of its ingress listeners. Proxy will trust the set of CA certificates supplied in the containers.proxy.trusted_ca_certificates property. Requires containers.proxy.enabled to be set to true to enable.
- Default
false
trusted_ca_certificates
¶List of CA certificate bundles against which the per-container proxy will verify certificates for clients connecting to its ingress listeners, if containers.proxy.require_and_verify_client_certificates is enabled.
- Default
[]
- Example
- |+
  ----- BEGIN CERTIFICATE -----
  CONTENTS OF CERTIFICATE #1
  ----- END CERTIFICATE -----
- |+
  ----- BEGIN CERTIFICATE -----
  CONTENTS OF CERTIFICATE #2
  ----- END CERTIFICATE -----
- |+
  ----- BEGIN CERTIFICATE -----
  CONTENTS OF CERTIFICATE #3
  ----- END CERTIFICATE -----
  ----- BEGIN CERTIFICATE -----
  CONTENTS OF CERTIFICATE #4
  ----- END CERTIFICATE -----
verify_subject_alt_name
¶If specified when containers.proxy.require_and_verify_client_certificates is enabled, the per-container proxy will also verify that the Subject Alternative Name of the presented certificate matches one of the specified values.
- Default
[]
- Example
- gorouter.service.cf.internal
- tcp-router.service.cf.internal
set_cpu_weight
¶EXPERIMENTAL: Set CPU weight on each Garden container to be proportional to its memory limit.
- Default
false
trusted_ca_certificates
¶List of PEM-encoded CA certificates to make available inside containers in a conventional location. List entries may be individual or concatenated CAs.
- Example
- |+
  ----- BEGIN CERTIFICATE -----
  CONTENTS OF CERTIFICATE #1
  ----- END CERTIFICATE -----
- |+
  ----- BEGIN CERTIFICATE -----
  CONTENTS OF CERTIFICATE #2
  ----- END CERTIFICATE -----
- |+
  ----- BEGIN CERTIFICATE -----
  CONTENTS OF CERTIFICATE #3
  ----- END CERTIFICATE -----
  ----- BEGIN CERTIFICATE -----
  CONTENTS OF CERTIFICATE #4
  ----- END CERTIFICATE -----
diego
¶
executor
¶
auto_disk_capacity_overhead_mb
¶The amount of overhead that should be subtracted from the container disk capacity. This only applies when disk_capacity_mb is set to auto.
- Default
0
container_inode_limit
¶the inode limit enforced on each garden container.
- Default
200000
container_max_cpu_shares
¶number of CPU shares per 100 CPU weight
- Default
1024
container_metrics_report_interval
¶the frequency for emitting container metrics; should be a string that can be parsed by time.ParseDuration, such as 15s
- Default
15s
create_work_pool_size
¶Maximum number of concurrent create container operations.
- Default
32
delete_work_pool_size
¶Maximum number of concurrent delete container operations.
- Default
32
disk_capacity_mb
¶The container disk capacity the executor should manage. This should not be greater than the actual disk quota on the VM.
- Default
auto
garden
¶
address
¶Garden server listening address.
- Default
/var/vcap/data/garden/garden.sock
network
¶Network type for the garden server connection (tcp or unix).
- Default
unix
garden_healthcheck
¶
command_retry_pause
¶Time to wait between retrying garden commands
- Default
1s
interval
¶Frequency for healthchecking garden
- Default
10m
process
¶
args
¶List of command line args to pass to the garden health check process
- Default
-c, ls > /tmp/test
dir
¶Directory to run the healthcheck process from
env
¶Environment variables to use when running the garden health check
- Default
""
path
¶Path of the command to run to perform a container healthcheck
- Default
/bin/sh
user
¶User to use while performing a container healthcheck
- Default
vcap
timeout
¶Maximum allowed time for garden healthcheck
- Default
10m
healthcheck_work_pool_size
¶Maximum number of concurrent health check operations.
- Default
64
healthy_monitoring_interval_in_seconds
¶Interval to check healthy containers in seconds.
- Default
30
instance_identity_ca_cert
¶PEM-encoded CA used to sign instance identity credentials. Enables instance identity if set along with instance_identity_key
instance_identity_key
¶PEM-encoded key used to sign instance identity credentials. Enables instance identity if set along with instance_identity_ca_cert
instance_identity_validity_period_in_hours
¶Validity period for the generated instance identity certificate
- Default
24
max_cache_size_in_bytes
¶maximum size of the cache in bytes - this should leave a healthy overhead for temporary items, etc.
- Default
1e+10
max_concurrent_downloads
¶the max concurrent download steps that can be active
- Default
5
max_log_lines_per_second
¶EXPERIMENTAL: Maximum log lines allowed per second per app instance. Default value of 0 will disable rate limiting. Minimum recommended value is 100.
- Default
0
memory_capacity_mb
¶The memory capacity the executor should manage. This should not be greater than the actual memory on the VM.
- Default
auto
metrics_work_pool_size
¶Maximum number of concurrent get container metrics operations.
- Default
8
post_setup_hook
¶Experimental: arbitrary command to run after setup action. WARNING: this applies to both buildpack + docker app lifecycles. Any commands specified here MUST exist in any docker image being run, or the app will fail to start
post_setup_user
¶Experimental: user to run post setup hook command
read_work_pool_size
¶Maximum number of concurrent get container info operations.
- Default
64
unhealthy_monitoring_interval_in_seconds
¶Interval to check unhealthy containers in seconds.
- Default
2
use_schedulable_disk_size
¶Use total space available to containers reported by Garden. If false the total size of image plugin store minus max_cache_size_in_bytes is used.
- Default
false
volman
¶
driver_paths
¶OS style path string containing the directories volman will look in for voldriver specs (delimited by : or ; depending on the OS)
- Default
/var/vcap/data/voldrivers
rep
¶
advertise_domain
¶base domain at which the rep should advertise its secure API
- Default
cell.service.cf.internal
advertise_preference_for_instance_address
¶advertise that containers managed by this rep are directly accessible on the infrastructure network at their instance address. Components like ssh-proxy or routers may use this property when determining how to connect to a container. Set this flag only when using a third-party container-networking solution that provides direct connectivity between containers and VMs
- Default
false
bbs
¶
api_location
¶Address of the BBS server
- Default
bbs.service.cf.internal:8889
client_session_cache_size
¶capacity of the tls client cache
max_idle_conns_per_host
¶maximum number of idle http connections
request_timeout
¶Request timeout to the BBS server
- Default
10s
debug_addr
¶address at which to serve debug info
- Default
127.0.0.1:17008
evacuation_polling_interval_in_seconds
¶The interval to look for completed tasks and LRPs during evacuation in seconds
- Default
10
evacuation_timeout_in_seconds
¶The time to wait for evacuation to complete in seconds
- Default
600
job_name
¶The name of the Diego job referenced by this spec (DO NOT override)
- Default
rep
listen_addr_admin
¶serve (insecure) ping and evacuate requests on this address and port
- Default
127.0.0.1:1800
listen_addr_securable
¶address where rep listens for LRP and task start auction requests
- Default
0.0.0.0:1801
locket
¶
api_location
¶Hostname and port of the Locket server. When set, the cell rep will establish its cell registration in the Locket API.
- Default
locket.service.cf.internal:8891
client_keepalive_time
¶Period in seconds after which the locket gRPC client sends keepalive ping requests to the locket server it is connected to.
- Default
10
client_keepalive_timeout
¶Timeout in seconds to receive a response to the keepalive ping. If a response is not received within this time, the locket client will reconnect to another server.
- Default
22
log_level
¶Log level
- Default
info
max_containers
¶Maximum container capacity per rep
- Default
250
optional_placement_tags
¶Array of optional tags used for scheduling Tasks and LRPs
- Default
[]
placement_tags
¶Array of tags used for scheduling Tasks and LRPs
- Default
[]
polling_interval_in_seconds
¶The interval to look for completed tasks and LRPs in seconds
- Default
30
preloaded_rootfses
¶Array of name:absolute_path pairs representing root filesystems preloaded onto the underlying garden
rootfs_providers
¶Array of schemes for which the underlying garden can support arbitrary root filesystems
- Default
- docker
use_azure_fault_domains
¶If set to true the rep zone will be determined by IAAS. If VM belongs to Azure Fault-Domain the value of the zone will be z. e.g. z0, z1, etc. If VM belongs to Azure Availability Zone the value of zone determined in diego.rep.zone will be used.
- Default
false
zone
¶The zone associated with the rep. This will override the BOSH-provided spec.az property if present.
ssl
¶
skip_cert_verify
¶when connecting over https, ignore bad ssl certificates
- Default
false
enable_declarative_healthcheck
¶
When set, enables the rep to prefer the LRP CheckDefinition to healthcheck instances over the Monitor action. Requires Garden-Runc v1.10.0+
- Default
false
enable_healthcheck_metrics
¶
When set, enables the rep to emit healthcheck failure metrics. Requires enable_declarative_healthcheck to be set to true.
- Default
false
logging
¶
format
¶
timestamp
¶Format for timestamp in component logs. Valid values are ‘unix-epoch’ and ‘rfc3339’.
- Default
unix-epoch
max_data_string_length
¶Length in bytes above which logged strings will be truncated. If set to 0, turns off truncation.
- Default
640
loggregator
¶
app_metric_exclusion_filter
¶Array of application metrics to not emit
- Default
- cpu_entitlement
ca_cert
¶CA Cert used to communicate with local metron agent over gRPC
cert
¶Cert used to communicate with local metron agent over gRPC
key
¶Key used to communicate with local metron agent over gRPC
use_v2_api
¶True to use local metron agent gRPC v2 API. False to use UDP v1 API.
- Default
false
v2_api_port
¶Local metron agent gRPC port
- Default
3458
set_kernel_parameters
¶
Enable tuning /proc/sys kernel parameters. NOTE: set this property to ‘false’ when deploying to BOSH-Lite or other containerized BOSH clouds.
- Default
true
tls
¶
ca_cert
¶REQUIRED: PEM-encoded tls client CA certificate for asset upload/download
cert
¶REQUIRED: PEM-encoded tls certificate that can be used for client or server auth
key
¶REQUIRED: PEM-encoded tls client key
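Several descriptions above state cross-property requirements (the proxy needs instance identity credentials, client certificate verification needs the proxy, healthcheck metrics need declarative healthchecks). The following is an added example, not part of the diego release, that checks a properties mapping against those rules before deployment; the function names and the nesting of keys in the input dict are assumptions.

```python
# Added example; key nesting is assumed from the page layout, defaults are
# the ones listed above. Input: the job's `properties` mapping as a dict.
DEFAULTS = {
    "containers.proxy.enabled": False,
    "containers.proxy.enable_unproxied_port_mappings": True,
    "containers.proxy.require_and_verify_client_certificates": False,
    "containers.proxy.trusted_ca_certificates": [],
    "containers.graceful_shutdown_interval_in_seconds": 10,
    "enable_declarative_healthcheck": False,
    "enable_healthcheck_metrics": False,
}

def get(props, path):
    """Walk a dotted path; fall back to the documented default (or None)."""
    node = props
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return DEFAULTS.get(path)
        node = node[key]
    return node

def audit_rep_properties(props):
    """Return findings for the cross-property rules the descriptions state."""
    g = lambda path: get(props, path)
    findings = []
    proxy = g("containers.proxy.enabled")
    ca = g("diego.executor.instance_identity_ca_cert")
    key = g("diego.executor.instance_identity_key")
    if bool(ca) != bool(key):
        findings.append("instance identity needs both ca_cert and key")
    if proxy and not (ca and key):
        findings.append("proxy enabled without instance identity credentials")
    if not g("containers.proxy.enable_unproxied_port_mappings") and not proxy:
        findings.append("unproxied port mappings disabled but proxy is off")
    if g("containers.proxy.require_and_verify_client_certificates"):
        if not proxy:
            findings.append("client cert verification set but proxy is off")
        # Inferred: with no trusted CAs, no client certificate can verify.
        if not g("containers.proxy.trusted_ca_certificates"):
            findings.append("client cert verification set with no trusted CAs")
    if g("enable_healthcheck_metrics") and not g("enable_declarative_healthcheck"):
        findings.append("healthcheck metrics need declarative healthcheck")
    if g("containers.graceful_shutdown_interval_in_seconds") < 10:
        findings.append("graceful shutdown interval below 10 seconds")
    return findings

# Constructed sample: mTLS requested, but the proxy itself was never enabled.
SAMPLE = {"containers": {"proxy": {"require_and_verify_client_certificates": True}}}
```

Calling audit_rep_properties(SAMPLE) reports both the disabled proxy and the empty trusted CA list; an empty mapping (all defaults) reports nothing.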
Templates¶
Templates are rendered and placed onto corresponding instances during the deployment process. This job's templates will be placed into the /var/vcap/jobs/rep/ directory.
- bin/bpm-pre-start (from bpm-pre-start.erb)
- bin/drain (from drain.erb)
- bin/post-start (from post-start.erb)
- bin/rep (from rep.erb)
- bin/rep_as_vcap (from rep_as_vcap.erb)
- bin/rep_ctl (from rep_ctl.erb)
- bin/set-rep-kernel-params (from set-rep-kernel-params.erb)
- bin/setup_mounted_data_dirs (from setup_mounted_data_dirs.erb)
- config/bpm.yml (from bpm.yml.erb)
- config/certs/loggregator/ca.crt (from loggregator_ca.crt.erb)
- config/certs/loggregator/client.crt (from loggregator_client.crt.erb)
- config/certs/loggregator/client.key (from loggregator_client.key.erb)
- config/certs/rep/instance_identity.crt (from instance_identity.crt.erb)
- config/certs/rep/instance_identity.key (from instance_identity.key.erb)
- config/certs/rep/trusted_ca_certificates.json (from trusted_ca_certificates.json.erb)
- config/certs/tls.crt (from tls.crt.erb)
- config/certs/tls.key (from tls.key.erb)
- config/certs/tls_ca.crt (from tls_ca.crt.erb)
- config/indicators.yml (from indicators.yml.erb)
- config/rep.json (from rep.json.erb)
Packages¶
Packages are compiled and placed onto corresponding instances during the deployment process. Packages will be placed into the /var/vcap/packages/ directory.