Skip to content

core job from shield/9.0.0

Github source: f15b39e or master branch

Properties

agent

dial-timeout

Duration timespec for how long to allow for an TCP connection to an agent to establish. Longer values may effectively get overridden by the system’s TCP timeout

Default
30s

key

RSA private key used for securing communications between SHIELD Agents and the SHIELD Core.

macs

List of message authentication code implementations to allow when negotiating SSH with agents.

Default
  - [email protected]
  - hmac-sha2-256
  - hmac-sha1

core

authentication

A list of SHIELD Authentication Provider configurations, to be emitted into the shieldd.conf configuration file as-is (under the auth: key).

color

What color should the SHIELD Web UI render the environment tag in.

Default
yellow

env

A short tag describing this environment (i.e. ‘prod’, ‘staging’, etc.).

Default
sandbox

fast-loop

How frequently should SHIELD check for and execute scheduled jobs.

Default
5s

mbus

backlog

The maximum number of events that the message bus will keep for a client before dropping the client. If this is set too low, then clients may be dropped sporadically. If this is set higher, it will take more memory per client.

Default
100
max-slots

The maximum number of clients that can hook up to the message bus at once. Limits the number of websocket clients.

Default
2048

motd

A (perhaps long-form) message of the day, to display on login forms.

Default
Welcome to SHIELD!

session-timeout

How long should sessions be valid for.

Default
8h

slow-loop

How frequently should SHIELD perform janitorial tasks.

Default
1h

task-timeout

How long after start of execution before timing out a running task.

Default
12h

workers

Maximum allowable number of running, concurrent tasks.

Default
5

domain

Fully-qualified domain name (or IP address) of your SHIELD installation

failsafe

password

A password for the failsafe user.

Default
shield

username

A fallback username for initially accessiong your SHIELD instance.

Default
admin

log-level

Log level for the SHIELD Core. One of ‘error’, ‘warning’, or ‘info’.

Default
error

nginx

connections

Number of nginx connections per worker

Default
8192

keepalive

Timeout for keep-alive connections

Default
75 20

workers

Number of nginx workers

Default
2

plugin_paths

Map of paths that the binary of the plugins can be found

Example
|+
  plugin_paths:
    atmos: /var/vcap/packages/atmos-plugin/bin

port

Incoming port to bind for HTTPS API and Web UI

Default
443

prometheus

namespace

The prefix on exported Prometheus metric keys.

Default
shield

password

The HTTP basic auth password for accessing the SHIELD Prometheus metrics endpoint.

Default
shield

realm

The HTTP basic auth realm for the Prometheus metrics endpoint.

Default
SHIELD Prometheus Exporter

username

The HTTP basic auth username for accessing the SHIELD Prometheus metrics endpoint.

Default
prometheus

tls

certificate

TLS Certificate (PEM encoded), used for the HTTPS API and Web UI

ciphers

Which SSL/TLS ciphers to allow, used for the HTTPS API and Web UI

Default
ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:HIGH:!MD5:!aNULL:!EDH

key

TLS private key (PEM encoded), used for the HTTPS API and Web UI

protocols

Which SSL/TLS protocols to allow, used for the HTTPS API and Web UI

Default
TLSv1 TLSv1.1 TLSv1.2

reuse-after

How long (in hours) before rotating cryptographic parameters

Default
2

vault

tls

ca

The PEM-encoded certificate of the CA that signed the Vault Certificate. The SHIELD core needs this so that it can trust the Vault certificate.

certificate

The PEM-encoded certificate of the Vault itself. This certificate should be issued for the IP SAN 127.0.0.1.

key

The PEM-encoded private key for the Vault certificate.

Templates

Templates are rendered and placed onto corresponding instances during the deployment process. This job's templates will be placed into /var/vcap/jobs/core/ directory (learn more).

  • bin/nginx (from bin/nginx)
  • bin/shieldd (from bin/shieldd)
  • bin/vault (from bin/vault)
  • config/agent.key (from config/agent.key)
  • config/nginx.conf (from config/nginx.conf)
  • config/shieldd.conf (from config/shieldd.conf)
  • config/tls/nginx.key (from config/tls/nginx.key)
  • config/tls/nginx.pub (from config/tls/nginx.pub)
  • config/tls/vault.ca (from config/tls/vault.ca)
  • config/tls/vault.key (from config/tls/vault.key)
  • config/tls/vault.pub (from config/tls/vault.pub)
  • config/vault.conf (from config/vault.conf)
  • envrc (from envrc)

Packages

Packages are compiled and placed onto corresponding instances during the deployment process. Packages will be placed into /var/vcap/packages/ directory.