core job from shield/9.0.0
GitHub source: f15b39e or master branch
Properties
agent

agent.dial-timeout
  Duration (e.g. 30s) to allow for a TCP connection to an agent to establish. Longer values may effectively be overridden by the operating system's own TCP connect timeout.
  Default: 30s

agent.key
  RSA private key used for securing (SSH) communications between SHIELD Agents and the SHIELD Core. No default is provided; generate a unique key per deployment and keep it out of version control.

agent.macs
  List of message authentication code (MAC) algorithms to allow when negotiating SSH with agents. Consider removing hmac-sha1 once every agent in the deployment supports the SHA-2 MACs.
  Default:
    - [email protected]
    - hmac-sha2-256
    - hmac-sha1
core

core.authentication
  A list of SHIELD Authentication Provider configurations, emitted into the shieldd.conf configuration file as-is (under the auth: key).

core.color
  Color in which the SHIELD Web UI renders the environment tag.
  Default: yellow

core.env
  A short tag describing this environment (e.g. 'prod', 'staging').
  Default: sandbox

core.fast-loop
  How frequently SHIELD checks for and executes scheduled jobs.
  Default: 5s

core.mbus.backlog
  The maximum number of events the message bus will queue for a client before dropping that client. Set too low, clients are dropped sporadically; set higher, each client costs more memory.
  Default: 100

core.mbus.max-slots
  The maximum number of clients that can connect to the message bus at once; this caps the number of concurrent websocket clients.
  Default: 2048

core.motd
  A (possibly long-form) message of the day to display on the login form.
  Default: Welcome to SHIELD!

core.session-timeout
  How long a login session remains valid before the user must authenticate again.
  Default: 8h

core.slow-loop
  How frequently SHIELD performs janitorial tasks.
  Default: 1h

core.task-timeout
  How long after a task starts executing before it is timed out.
  Default: 12h

core.workers
  Maximum number of concurrently running tasks.
  Default: 5
domain
  Fully-qualified domain name (or IP address) of your SHIELD installation.
failsafe

failsafe.password
  Password for the failsafe user. Always override the default: it is published here, and the failsafe account is a fallback login for initial access, so treat it as a break-glass credential and set a strong, unique value.
  Default: shield

failsafe.username
  A fallback username for initially accessing your SHIELD instance.
  Default: admin
log-level
  Log level for the SHIELD Core. One of 'error', 'warning', or 'info'.
  Default: error
nginx

nginx.connections
  Number of nginx connections per worker (the nginx worker_connections setting).
  Default: 8192

nginx.keepalive
  Keep-alive timeout, in the two-value form of the nginx keepalive_timeout directive: the server-side idle timeout in seconds, followed by the value advertised in the Keep-Alive response header.
  Default: 75 20

nginx.workers
  Number of nginx worker processes.
  Default: 2
plugin_paths
  Map from plugin name to the directory in which that plugin's binary can be found.
  Example:
    plugin_paths:
      atmos: /var/vcap/packages/atmos-plugin/bin
port
  Incoming port to bind for the HTTPS API and Web UI.
  Default: 443
prometheus

prometheus.namespace
  The prefix on exported Prometheus metric names.
  Default: shield

prometheus.password
  HTTP basic auth password for accessing the SHIELD Prometheus metrics endpoint. Override the default; the metrics expose operational detail about the deployment to anyone who knows it.
  Default: shield

prometheus.realm
  HTTP basic auth realm for the Prometheus metrics endpoint.
  Default: SHIELD Prometheus Exporter

prometheus.username
  HTTP basic auth username for accessing the SHIELD Prometheus metrics endpoint.
  Default: prometheus
tls

tls.certificate
  TLS certificate (PEM encoded) used for the HTTPS API and Web UI. No default is provided.

tls.ciphers
  Which SSL/TLS cipher suites to allow for the HTTPS API and Web UI, as an OpenSSL cipher string. The default admits RSA key exchange (AES128-GCM-SHA256 and much of HIGH), which has no forward secrecy; prefer a list restricted to ECDHE suites.
  Default: ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:HIGH:!MD5:!aNULL:!EDH

tls.key
  TLS private key (PEM encoded) used for the HTTPS API and Web UI. No default is provided; keep it out of version control (a BOSH variable of type certificate can generate it at deploy time).

tls.protocols
  Which SSL/TLS protocol versions to allow for the HTTPS API and Web UI. The default still enables TLSv1 and TLSv1.1, both deprecated by RFC 8996; set this to TLSv1.2 in production, adding TLSv1.3 only if the deployed nginx and OpenSSL support it.
  Default: TLSv1 TLSv1.1 TLSv1.2

tls.reuse-after
  How long (in hours) before cryptographic parameters are rotated.
  Default: 2
vault

vault.tls.ca
  The PEM-encoded certificate of the CA that signed the Vault certificate. The SHIELD core needs this so that it can trust the Vault certificate.

vault.tls.certificate
  The PEM-encoded certificate of the Vault itself. It should be issued with an IP SAN of 127.0.0.1, since the Vault runs colocated in this job (see bin/vault below) and is addressed over loopback.

vault.tls.key
  The PEM-encoded private key for the Vault certificate.
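Several of the defaults above should never ship unchanged: the failsafe and Prometheus passwords, TLSv1 and TLSv1.1 in tls.protocols, hmac-sha1 in agent.macs, and the non-forward-secret selectors in tls.ciphers. The script below is an example added to this page, not SHIELD's code or part of the BOSH release. It lints the core job's properties mapping (the nested dict a YAML parser produces from the manifest) against exactly the defaults documented here, and shows a defaults-only property set beside a hardened one. Both sets are constructed for illustration: the ((name)) values are BOSH variable references, the cipher list and SHA-2 MAC names are choices made for the example, and the forward-secrecy check is a heuristic over cipher-string selectors rather than a full OpenSSL expansion.

```python
"""Lint the SHIELD `core` job properties in a BOSH manifest for weak settings.

Example added for this documentation page, not SHIELD's own code. It works on
the `properties` mapping of the `core` job as a YAML parser delivers it (a
nested dict) and knows only the property names and defaults documented above.
The two sample property sets at the bottom are constructed, not real.
"""
from typing import Any, Dict, List, Sequence, Tuple

# Documented defaults that must never reach production unchanged.
DEFAULT_SECRETS: Dict[Tuple[str, ...], str] = {
    ("core", "failsafe", "password"): "shield",
    ("prometheus", "password"): "shield",
}
DEFAULT_PROTOCOLS = "TLSv1 TLSv1.1 TLSv1.2"
DEFAULT_CIPHERS = "ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:HIGH:!MD5:!aNULL:!EDH"
DEPRECATED_TLS = {"TLSv1", "TLSv1.1"}        # both deprecated by RFC 8996
WEAK_MACS = {"hmac-sha1"}
# Heuristic: a positive OpenSSL cipher selector counts as forward-secret only if
# it names an (EC)DHE key exchange. Bare suite names such as AES128-GCM-SHA256
# and the HIGH keyword also select RSA key exchange, which has no forward secrecy.
PFS_MARKERS = ("DHE", "kEECDH", "kEDH")
# Properties this page documents without any default.
REQUIRED = (("tls", "certificate"), ("tls", "key"), ("agent", "key"))


def lookup(props: Dict[str, Any], path: Sequence[str]) -> Any:
    """Follow a nested path such as ('core', 'failsafe', 'password'); None if absent."""
    node: Any = props
    for part in path:
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def lint_core_properties(props: Dict[str, Any]) -> List[str]:
    """Return one finding per weak or missing setting; [] means the check passed."""
    findings: List[str] = []

    for path, default in DEFAULT_SECRETS.items():
        if lookup(props, path) in (None, default):   # unset means the default applies
            findings.append(".".join(path) + ": default password 'shield' in effect")

    protocols = set(str(lookup(props, ("tls", "protocols")) or DEFAULT_PROTOCOLS).split())
    if protocols & DEPRECATED_TLS:
        findings.append("tls.protocols: deprecated version(s) enabled: "
                        + ", ".join(sorted(protocols & DEPRECATED_TLS)))

    # The documented default MAC list ends with hmac-sha1, so "unset" is weak too.
    macs = set(lookup(props, ("agent", "macs")) or ["hmac-sha1"])
    if macs & WEAK_MACS:
        findings.append("agent.macs: weak MAC(s) allowed: " + ", ".join(sorted(macs & WEAK_MACS)))

    ciphers = str(lookup(props, ("tls", "ciphers")) or DEFAULT_CIPHERS)
    non_pfs = [c for c in ciphers.split(":")
               if c and not c.startswith(("!", "-", "+", "@"))
               and not any(marker in c for marker in PFS_MARKERS)]
    if non_pfs:
        findings.append("tls.ciphers: selectors without forward secrecy: " + ", ".join(non_pfs))

    for path in REQUIRED:
        if lookup(props, path) is None:
            findings.append(".".join(path) + ": not set and no default exists")
    return findings


# Constructed sample 1: only the properties without defaults are set; everything
# else is left at its documented default. The ((name)) strings are BOSH variable
# references resolved at deploy time, so no key material lives in the manifest.
DEFAULTS_ONLY: Dict[str, Any] = {
    "agent": {"key": "((shield-agent-key.private_key))"},
    "tls": {"certificate": "((shield-tls.certificate))", "key": "((shield-tls.private_key))"},
}

# Constructed sample 2: the hardening the property descriptions on this page call for.
# MAC names and the cipher list are illustrative choices, not SHIELD recommendations.
HARDENED: Dict[str, Any] = {
    "agent": {"key": "((shield-agent-key.private_key))",
              "macs": ["hmac-sha2-512", "hmac-sha2-256"]},
    "core": {"failsafe": {"username": "breakglass", "password": "((shield-failsafe-password))"}},
    "prometheus": {"password": "((shield-prometheus-password))"},
    "tls": {"certificate": "((shield-tls.certificate))", "key": "((shield-tls.private_key))",
            "protocols": "TLSv1.2",
            "ciphers": "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
                       "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:!aNULL:!MD5"},
}

if __name__ == "__main__":
    for name, props in (("defaults-only", DEFAULTS_ONLY), ("hardened", HARDENED)):
        results = lint_core_properties(props)
        print(f"{name}: {len(results)} finding(s)")
        for finding in results:
            print("  -", finding)
```

Feed it the rendered job properties (for example the output of bosh interpolate loaded with a YAML parser) from a deploy pipeline and fail the pipeline on a non-empty result. It only knows what this page documents; after deployment, still confirm at the wire that nginx refuses TLSv1 (openssl s_client -tls1 against the domain) rather than trusting the manifest alone.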
Templates

Templates are rendered and placed onto corresponding instances during the deployment process. This job's templates will be placed into the /var/vcap/jobs/core/ directory.

  bin/nginx              (from bin/nginx)
  bin/shieldd            (from bin/shieldd)
  bin/vault              (from bin/vault)
  config/agent.key       (from config/agent.key)
  config/nginx.conf      (from config/nginx.conf)
  config/shieldd.conf    (from config/shieldd.conf)
  config/tls/nginx.key   (from config/tls/nginx.key)
  config/tls/nginx.pub   (from config/tls/nginx.pub)
  config/tls/vault.ca    (from config/tls/vault.ca)
  config/tls/vault.key   (from config/tls/vault.key)
  config/tls/vault.pub   (from config/tls/vault.pub)
  config/vault.conf      (from config/vault.conf)
  envrc                  (from envrc)
Packages

Packages are compiled and placed onto corresponding instances during the deployment process. Packages will be placed into the /var/vcap/packages/ directory.