
silk-cni job from silk/3.25.1

Github source: b1baa2c or master branch

Properties

burst

Bandwidth burst in Kb for traffic through container. 0 for no limit. If burst is set, rate must also be set.

Default
0

debug

Enable debugging for silk-cni

Default
false

deny_networks

always

List of CIDR blocks to which all containers will be denied access, regardless of security groups. This can severely impact the network connectivity of applications. Use with extreme caution and at your own risk. These rules apply to all containers.

Default
[]

running

List of CIDR blocks to which all containers will be denied access, regardless of security groups. This can severely impact the network connectivity of applications. Use with extreme caution and at your own risk. These rules apply to running scheduled containers: apps and tasks.

Default
[]

staging

List of CIDR blocks to which all containers will be denied access, regardless of security groups. This can severely impact the network connectivity of applications. Use with extreme caution and at your own risk. These rules apply during the staging process.

Default
[]

disable

Disable this monit job. It will not run. Required for backwards compatibility.

Default
false

dns_servers

DNS servers that containers will use. If set, this list takes precedence over DNS servers configured through garden.

Default
[]

host_tcp_services

List of TCP addresses running on the BOSH VM that should be accessible from containers. The address must not be in the 127.0.0.0/8 range. The network plugin will install an iptables INPUT rule for each service.

Default
[]
Example
|+
  - 169.254.0.2:9001
  - 169.254.0.2:9002

host_udp_services

List of UDP addresses running on the BOSH VM that should be accessible from containers. The address must not be in the 127.0.0.0/8 range. The network plugin will install an iptables INPUT rule for each service.

Default
[]
Example
|+
  - 169.254.0.2:9001
  - 169.254.0.2:9002

iptables_accepted_udp_logs_per_sec

Maximum number of iptables logs per second for accepted UDP packets.

Default
100

iptables_denied_logs_per_sec

Maximum number of iptables logs per second for denied packets.

Default
1

iptables_logging

Enables iptables logging for overlay network policies, Application Security Groups and outbound container connection limits. Logs to the kernel log.

Default
false

mtu

Pre-encapsulation MTU for containers. If set, the network interface inside the container will have an MTU that is 50 bytes less than this value, in order to account for VXLAN encap overhead. If zero, MTU will be automatically configured to account for the VXLAN encapsulation, but it may not account for additional network encapsulations, e.g. IPSec.

Default
0

no_masquerade_cidr_range

CIDR address block that should not be masqueraded. Falls back to the cf_network.network link property if this property is not provided.

Default
""

outbound_connections

burst

EXPERIMENTAL: Maximum number of outbound connections per port on destination host allowed to be opened at once per container. Has no effect when outbound_connections.limit is false.

Default
1000

dry_run

EXPERIMENTAL: When set to true, negates the effect of outbound_connections.limit. Enables the specific DENY_ORL entries to the kernel log.

Default
false

limit

EXPERIMENTAL: Enables outbound connections count limiting per port on destination host per container.

Default
false

rate_per_sec

EXPERIMENTAL: Maximum number of outbound connections to be opened per second per port on destination host per container given that the burst is exhausted. Has no effect when outbound_connections.limit is false.

Default
100

rate

Bandwidth rate in Kbps for traffic through container. 0 for no limit. If rate is set, burst must also be set.

Default
0

silk_daemon

listen_port

Silk CNI plugin connects to the silk daemon on this port.

Default
23954

temporary

underlay_interface_names

Use with extreme caution. To be used only if there are network interfaces not created by BOSH. Provide names for all interfaces. If provided, only interfaces referenced here will be used. Will not use any BOSH interface by default.

Default
[]

Templates

Templates are rendered and placed onto corresponding instances during the deployment process. This job's templates will be placed into the /var/vcap/jobs/silk-cni/ directory.

  • bin/pre-start (from pre-start.erb)
  • config/cni/cni-wrapper-plugin.conflist (from cni-wrapper-plugin.conflist.erb)
  • config/teardown-config.json (from teardown-config.json.erb)

Packages

Packages are compiled and placed onto corresponding instances during the deployment process. Packages will be placed into the /var/vcap/packages/ directory.