rep job from diego/2.107.0

Github source: d49607343 or master branch

Properties

bpm

enabled

use the BOSH Process Manager to manage the cell rep process.

Default
false

cell_registrations

locket

enabled

Enable the cell rep to register itself as a service with Locket.

Default
true

containers

graceful_shutdown_interval_in_seconds

Time in seconds between signalling a container to shut down gracefully and stopping it forcefully. Should not be less than 10.

Default
10

layering_mode

Configures downloaded container asset management mode. Valid values are ‘single-layer’ and ‘two-layer’. Setting this property to ‘two-layer’ enables the conversion of some downloaded Task and LRP assets to container image layers.

Default
single-layer

proxy

additional_memory_allocation_mb

Additional memory allocated to each container for the envoy proxy. This value must not be negative.

Default
32
ads_addresses

EXPERIMENTAL: When set, the envoy proxy consumes dynamic config from the specified Aggregated Discovery Service servers (specified as a list of host:port). This config is in addition to the static configuration that supports TLS termination / route-integrity.

Default
[]
Example
- 169.254.0.2:15001
configuration_reload_duration

Duration of time in seconds that the rep grants the container Envoy proxy to reload its listener configuration when shutting down a container gracefully so that TLS-verifying clients will stop making connections. After this time duration, the rep will shut down other processes in the container.

Default
5s
enable_http2

Whether envoy proxy advertises HTTP/2 support via ALPN.

Default
true
enable_unproxied_port_mappings

EXPERIMENTAL: whether the cell should still map host ports directly to the unproxied container ports. Setting to false requires containers.proxy.enabled to be set to true.

Default
true
enabled

Enable envoy proxy on garden containers. Requires valid TLS credentials in diego.executor.instance_identity_ca_cert and diego.executor.instance_identity_key.

Default
false
require_and_verify_client_certificates

whether the per-container proxy should require and verify a TLS certificate from a client connecting to one of its ingress listeners. Proxy will trust the set of CA certificates supplied in the containers.proxy.trusted_ca_certificates property. Requires containers.proxy.enabled to be set to true to enable.

Default
false
trusted_ca_certificates

List of CA certificate bundles against which the per-container proxy will verify certificates for clients connecting to its ingress listeners, if containers.proxy.require_and_verify_client_certificates is enabled.

Default
[]
Example
- |+
  ----- BEGIN CERTIFICATE -----
  CONTENTS OF CERTIFICATE #1
  ----- END CERTIFICATE -----
- |+
  ----- BEGIN CERTIFICATE -----
  CONTENTS OF CERTIFICATE #2
  ----- END CERTIFICATE -----
- |+
  ----- BEGIN CERTIFICATE -----
  CONTENTS OF CERTIFICATE #3
  ----- END CERTIFICATE -----
  ----- BEGIN CERTIFICATE -----
  CONTENTS OF CERTIFICATE #4
  ----- END CERTIFICATE -----
verify_subject_alt_name

If specified when containers.proxy.require_and_verify_client_certificates is enabled, the per-container proxy will also verify that the Subject Alternative Name of the presented certificate matches one of the specified values.

Default
[]
Example
- gorouter.service.cf.internal
- tcp-router.service.cf.internal
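
The containers.proxy properties above depend on one another and on the instance identity credentials listed under diego.executor further down this page. The Ruby script below is an added example, not part of the diego release or of this page; `check_rep_proxy`, its finding strings and the sample fragment are constructed here, and it assumes the rep job's properties have already been extracted from the manifest into a hash.

```ruby
require 'yaml'

# Defaults copied from the containers.proxy listing above.
PROXY_DEFAULTS = {
  'enabled' => false,
  'enable_unproxied_port_mappings' => true,
  'require_and_verify_client_certificates' => false,
  'trusted_ca_certificates' => [],
  'verify_subject_alt_name' => []
}.freeze

# Returns findings (strings) for one rep job "properties" hash.
def check_rep_proxy(props)
  proxy = PROXY_DEFAULTS.merge(props.dig('containers', 'proxy') || {})
  executor = props.dig('diego', 'executor') || {}
  mtls = proxy['require_and_verify_client_certificates']
  findings = []

  if proxy['enabled']
    # The proxy needs both instance identity credentials.
    %w[instance_identity_ca_cert instance_identity_key].each do |key|
      next unless executor[key].to_s.strip.empty?
      findings << "containers.proxy.enabled requires diego.executor.#{key}"
    end
  else
    findings << 'enable_unproxied_port_mappings: false requires containers.proxy.enabled' unless proxy['enable_unproxied_port_mappings']
    findings << 'require_and_verify_client_certificates requires containers.proxy.enabled' if mtls
  end

  if mtls
    # Inference, not a rule stated on the page: an empty trust list leaves nothing to verify against.
    findings << 'client certificates required but trusted_ca_certificates is empty' if Array(proxy['trusted_ca_certificates']).empty?
  elsif !Array(proxy['verify_subject_alt_name']).empty?
    findings << 'verify_subject_alt_name is only checked when require_and_verify_client_certificates is enabled'
  end
  findings
end

# Constructed sample: properties fragment for a hypothetical cell instance group.
SAMPLE = YAML.safe_load(<<~MANIFEST)
  containers:
    proxy:
      enable_unproxied_port_mappings: false
      verify_subject_alt_name:
        - gorouter.service.cf.internal
MANIFEST

puts check_rep_proxy(SAMPLE)
```

The sample yields two findings: unproxied port mappings are disabled while the proxy itself is off, and a Subject Alternative Name list is set without client certificate verification.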

set_cpu_weight

EXPERIMENTAL: Set CPU weight on each Garden container to be proportional to its memory limit.

Default
false

trusted_ca_certificates

List of PEM-encoded CA certificates to make available inside containers in a conventional location. List entries may be individual or concatenated CAs.

Example
- |+
  ----- BEGIN CERTIFICATE -----
  CONTENTS OF CERTIFICATE #1
  ----- END CERTIFICATE -----
- |+
  ----- BEGIN CERTIFICATE -----
  CONTENTS OF CERTIFICATE #2
  ----- END CERTIFICATE -----
- |+
  ----- BEGIN CERTIFICATE -----
  CONTENTS OF CERTIFICATE #3
  ----- END CERTIFICATE -----
  ----- BEGIN CERTIFICATE -----
  CONTENTS OF CERTIFICATE #4
  ----- END CERTIFICATE -----

diego

executor

auto_disk_capacity_overhead_mb

The amount of overhead that should be subtracted from the container disk capacity. This only applies when disk_capacity_mb is set to auto.

Default
0
container_inode_limit

the inode limit enforced on each garden container.

Default
200000
container_max_cpu_shares

number of CPU shares per 100 CPU weight

Default
1024
container_metrics_report_interval

the frequency for emitting container metrics; should be a string that can be parsed by time.ParseDuration, such as 15s

Default
15s
create_work_pool_size

Maximum number of concurrent create container operations.

Default
32
delete_work_pool_size

Maximum number of concurrent delete container operations.

Default
32
disk_capacity_mb

The container disk capacity the executor should manage. This should not be greater than the actual disk quota on the VM.

Default
auto
garden
address

Garden server listening address.

Default
/var/vcap/data/garden/garden.sock
network

Network type for the garden server connection (tcp or unix).

Default
unix
garden_healthcheck
command_retry_pause

Time to wait between retrying garden commands

Default
1s
interval

Frequency for healthchecking garden

Default
10m
process
args

List of command line args to pass to the garden health check process

Default
-c, ls > /tmp/test
dir

Directory to run the healthcheck process from

env

Environment variables to use when running the garden health check

Default
""
path

Path of the command to run to perform a container healthcheck

Default
/bin/sh
user

User to use while performing a container healthcheck

Default
vcap
timeout

Maximum allowed time for garden healthcheck

Default
10m
healthcheck_work_pool_size

Maximum number of concurrent health check operations.

Default
64
healthy_monitoring_interval_in_seconds

Interval to check healthy containers in seconds.

Default
30
instance_identity_ca_cert

PEM-encoded CA used to sign instance identity credentials. Enables instance identity if set along with instance_identity_key

instance_identity_key

PEM-encoded key used to sign instance identity credentials. Enables instance identity if set along with instance_identity_ca_cert

instance_identity_validity_period_in_hours

Validity period for the generated instance identity certificate

Default
24
max_cache_size_in_bytes

maximum size of the cache in bytes - this should leave a healthy overhead for temporary items, etc.

Default
1e+10
max_concurrent_downloads

the max concurrent download steps that can be active

Default
5
max_log_lines_per_second

EXPERIMENTAL: Maximum log lines allowed per second per app instance. Default value of 0 will disable rate limiting. Minimum recommended value is 100.

Default
0
memory_capacity_mb

The memory capacity the executor should manage. This should not be greater than the actual memory on the VM.

Default
auto
metrics_work_pool_size

Maximum number of concurrent get container metrics operations.

Default
8
post_setup_hook

Experimental: arbitrary command to run after setup action. WARNING: this applies to both buildpack + docker app lifecycles. Any commands specified here MUST exist in any docker image being run, or the app will fail to start

post_setup_user

Experimental: user to run post setup hook command

read_work_pool_size

Maximum number of concurrent get container info operations.

Default
64
unhealthy_monitoring_interval_in_seconds

Interval to check unhealthy containers in seconds.

Default
2
use_schedulable_disk_size

Use total space available to containers reported by Garden. If false the total size of image plugin store minus max_cache_size_in_bytes is used.

Default
false
volman
driver_paths

OS style path string containing the directories volman will look in for voldriver specs (delimited by : or ; depending on the OS)

Default
/var/vcap/data/voldrivers

rep

advertise_domain

base domain at which the rep should advertise its secure API

Default
cell.service.cf.internal
advertise_preference_for_instance_address

advertise that containers managed by this rep are directly accessible on the infrastructure network at their instance address. Components like ssh-proxy or routers may use this property when determining how to connect to a container. Set this flag only when using a third-party container-networking solution that provides direct connectivity between containers and VMs

Default
false
bbs
api_location

Address of the BBS server

Default
bbs.service.cf.internal:8889
client_session_cache_size

capacity of the tls client cache

max_idle_conns_per_host

maximum number of idle http connections

request_timeout

Request timeout to the BBS server

Default
10s
debug_addr

address at which to serve debug info

Default
127.0.0.1:17008
evacuation_polling_interval_in_seconds

The interval to look for completed tasks and LRPs during evacuation in seconds

Default
10
evacuation_timeout_in_seconds

The time to wait for evacuation to complete in seconds

Default
600
job_name

The name of the Diego job referenced by this spec (DO NOT override)

Default
rep
listen_addr_admin

serve (insecure) ping and evacuate requests on this address and port

Default
127.0.0.1:1800
listen_addr_securable

address where rep listens for LRP and task start auction requests

Default
0.0.0.0:1801
locket
api_location

Hostname and port of the Locket server. When set, the cell rep will establish its cell registration in the Locket API.

Default
locket.service.cf.internal:8891
client_keepalive_time

Period in seconds after which the locket gRPC client sends keepalive ping requests to the locket server it is connected to.

Default
10
client_keepalive_timeout

Timeout in seconds to receive a response to the keepalive ping. If a response is not received within this time, the locket client will reconnect to another server.

Default
22
log_level

Log level

Default
info
max_containers

Maximum container capacity per rep

Default
250
optional_placement_tags

Array of optional tags used for scheduling Tasks and LRPs

Default
[]
placement_tags

Array of tags used for scheduling Tasks and LRPs

Default
[]
polling_interval_in_seconds

The interval to look for completed tasks and LRPs in seconds

Default
30
preloaded_rootfses

Array of name:absolute_path pairs representing root filesystems preloaded onto the underlying garden

rootfs_providers

Array of schemes for which the underlying garden can support arbitrary root filesystems

Default
- docker
use_azure_fault_domains

If set to true the rep zone will be determined by IAAS. If VM belongs to Azure Fault-Domain the value of the zone will be z. e.g. z0, z1, etc. If VM belongs to Azure Availability Zone the value of zone determined in diego.rep.zone will be used.

Default
false
zone

The zone associated with the rep. This will override the BOSH-provided spec.az property if present.

ssl

skip_cert_verify

when connecting over https, ignore bad ssl certificates

Default
false

enable_declarative_healthcheck

When set, enables the rep to prefer the LRP CheckDefinition to healthcheck instances over the Monitor action. Requires Garden-Runc v1.10.0+

Default
false

enable_healthcheck_metrics

When set, enables the rep to emit healthcheck failure metrics. Requires enable_declarative_healthcheck to be set to true.

Default
false

logging

format

timestamp

Format for timestamp in component logs. Valid values are ‘unix-epoch’ and ‘rfc3339’.

Default
unix-epoch

max_data_string_length

Length in bytes above which logged strings will be truncated. If set to 0, turns off truncation.

Default
640

loggregator

app_metric_exclusion_filter

Array of application metrics to not emit

Default
- cpu_entitlement

ca_cert

CA Cert used to communicate with local metron agent over gRPC

cert

Cert used to communicate with local metron agent over gRPC

key

Key used to communicate with local metron agent over gRPC

use_v2_api

True to use local metron agent gRPC v2 API. False to use UDP v1 API.

Default
false

v2_api_port

Local metron agent gRPC port

Default
3458

set_kernel_parameters

Enable tuning /proc/sys kernel parameters. NOTE: set this property to ‘false’ when deploying to BOSH-Lite or other containerized BOSH clouds.

Default
true

tls

ca_cert

REQUIRED: PEM-encoded tls client CA certificate for asset upload/download

cert

REQUIRED: PEM-encoded tls certificate that can be used for client or server auth

key

REQUIRED: PEM-encoded tls client key

Templates

Templates are rendered and placed onto corresponding instances during the deployment process. This job's templates will be placed into the /var/vcap/jobs/rep/ directory.

  • bin/bpm-pre-start (from bpm-pre-start.erb)
  • bin/drain (from drain.erb)
  • bin/post-start (from post-start.erb)
  • bin/rep (from rep.erb)
  • bin/rep_as_vcap (from rep_as_vcap.erb)
  • bin/rep_ctl (from rep_ctl.erb)
  • bin/set-rep-kernel-params (from set-rep-kernel-params.erb)
  • bin/setup_mounted_data_dirs (from setup_mounted_data_dirs.erb)
  • config/bpm.yml (from bpm.yml.erb)
  • config/certs/loggregator/ca.crt (from loggregator_ca.crt.erb)
  • config/certs/loggregator/client.crt (from loggregator_client.crt.erb)
  • config/certs/loggregator/client.key (from loggregator_client.key.erb)
  • config/certs/rep/instance_identity.crt (from instance_identity.crt.erb)
  • config/certs/rep/instance_identity.key (from instance_identity.key.erb)
  • config/certs/rep/trusted_ca_certificates.json (from trusted_ca_certificates.json.erb)
  • config/certs/tls.crt (from tls.crt.erb)
  • config/certs/tls.key (from tls.key.erb)
  • config/certs/tls_ca.crt (from tls_ca.crt.erb)
  • config/indicators.yml (from indicators.yml.erb)
  • config/rep.json (from rep.json.erb)

Packages

Packages are compiled and placed onto corresponding instances during the deployment process. Packages will be placed into the /var/vcap/packages/ directory.