rep_windows job from diego/2.89.0
Github source:
901665d80
or
master branch
Properties¶
cell_registrations
¶
locket
¶
enabled
¶Enable the cell rep to register itself as a service with Locket.
- Default
true
containers
¶
graceful_shutdown_interval_in_seconds
¶time in seconds between signalling a container to shutdown gracefully and stopping it forcefully. Should not be less than 10.
- Default
10
layering_mode
¶Configures downloaded container asset management mode. Valid values are ‘single-layer’ and ‘two-layer’. Setting this property to ‘two-layer’ enables the conversion of some downloaded Task and LRP assets to container image layers.
- Default
single-layer
proxy
¶
additional_memory_allocation_mb
¶EXPERIMENTAL: Additional memory allocated to each container for the envoy proxy. This must not be negative. Currently doesn’t work on windows cells but left here for compatability with the linux Rep
- Default
32
ads_addresses
¶EXPERIMENTAL: When set, the envoy proxy consumes dynamic config from the specified Aggregated Discovery Service servers (specified as a list of host:port). This config is in addition to the static configuration that supports TLS termination / route-integrity.
- Default
[]- Example
- 169.254.0.2:15001
configuration_reload_duration
¶Duration of time in seconds that the rep grants the container Envoy proxy to reload its listener configuration when shutting down a container gracefully so that TLS-verifying clients will stop making connections. After this time duration, the rep will shut down other processes in the container.
- Default
5s
enable_http2
¶EXPERIMENTAL: Whether envoy proxy advertises HTTP/2 support via ALPN. Currently doesn’t work on windows cells but left here for compatability with the linux Rep
- Default
true
enable_unproxied_port_mappings
¶EXPERIMENTAL: whether the cell should still map host ports directly to the unproxied container ports. Setting to false requires containers.proxy.enabled to be set to true.
- Default
true
enabled
¶EXPERIMENTAL: Enable envoy proxy on garden containers. Currently doesn’t work on windows cells but left here for compatability with the linux Rep
- Default
false
require_and_verify_client_certificates
¶whether the per-container proxy should require and verify a TLS certificate from a client connecting to one of its ingress listeners. Proxy will trust the set of CA certificates supplied in the containers.proxy.trusted_ca_certificates property. Requires containers.proxy.enabled to be set to true to enable.
- Default
false
trusted_ca_certificates
¶List of CA certificate bundles against which the per-container proxy will verify certificates for clients connecting to its ingress listeners, if containers.proxy.require_and_verify_client_certificates is enabled.
- Default
[]- Example
- |+ ----- BEGIN CERTIFICATE ----- CONTENTS OF CERTIFICATE #1 ----- END CERTIFICATE ----- - |+ ----- BEGIN CERTIFICATE ----- CONTENTS OF CERTIFICATE #2 ----- END CERTIFICATE ----- - |+ ----- BEGIN CERTIFICATE ----- CONTENTS OF CERTIFICATE #3 ----- END CERTIFICATE ----- ----- BEGIN CERTIFICATE ----- CONTENTS OF CERTIFICATE #4 ----- END CERTIFICATE -----
verify_subject_alt_name
¶If specified when containers.proxy.require_and_verify_client_certificates is enabled, the per-container proxy will also verify that the Subject Alternative Name of the presented certificate matches one of the specified values.
- Default
[]- Example
- gorouter.service.cf.internal - tcp-router.service.cf.internal
set_cpu_weight
¶EXPERIMENTAL: Set CPU weight on each Garden container to be proportional to its memory limit.
- Default
false
trusted_ca_certificates
¶List of PEM-encoded CA certificates to make available inside containers in a conventional location. List entries may be individual or concatenated CAs.
- Example
- |+ ----- BEGIN CERTIFICATE ----- CONTENTS OF CERTIFICATE #1 ----- END CERTIFICATE ----- - |+ ----- BEGIN CERTIFICATE ----- CONTENTS OF CERTIFICATE #2 ----- END CERTIFICATE ----- - |+ ----- BEGIN CERTIFICATE ----- CONTENTS OF CERTIFICATE #3 ----- END CERTIFICATE ----- ----- BEGIN CERTIFICATE ----- CONTENTS OF CERTIFICATE #4 ----- END CERTIFICATE -----
declarative_healthcheck_path
¶
The directory containing the declarative healthcheck binary
- Default
/var/vcap/packages/healthcheck_windows/external
diego
¶
executor
¶
auto_disk_capacity_overhead_mb
¶the amount of overhead that should be subtracted from the container disk capacity, this only applies when disk_capacity_mb is set to auto
- Default
0
container_inode_limit
¶the inode limit enforced on each garden container.
- Default
200000
container_max_cpu_shares
¶the maximum number of cpu shares for a container.
- Default
10000
container_metrics_report_interval
¶the frequency for emitting container metrics
- Default
15s
create_work_pool_size
¶Maximum number of concurrent create container operations.
- Default
32
delete_work_pool_size
¶Maximum number of concurrent delete container operations.
- Default
32
disk_capacity_mb
¶the container disk capacity the executor should manage. this should not be greater than the actual disk quota on the VM
- Default
auto
garden
¶
address
¶Garden server listening address.
- Default
127.0.0.1:9241
network
¶Network type for the garden server connection (tcp or unix).
- Default
tcp
garden_healthcheck
¶
command_retry_pause
¶Time to wait between retrying garden commands
- Default
1s
interval
¶Frequency for healtchecking garden
- Default
10m
process
¶args
¶List of command line args to pass to the garden health check process
- Default
/c, dirdir
¶Directory to run the healthcheck process from
env
¶Environment variables to use when running the garden health check
- Default
""path
¶Path of the command to run to perform a container healthcheck
- Default
C:\windows\system32\cmd.exeuser
¶User to use while performing a container healthcheck
- Default
vcap
timeout
¶Maximum allowed time for garden healthcheck
- Default
10m
healthcheck_work_pool_size
¶Maximum number of concurrent health check operations.
- Default
64
healthy_monitoring_interval_in_seconds
¶Interval to check healthy containers in seconds.
- Default
30
instance_identity_ca_cert
¶PEM-encoded CA used to sign instance identity credentials. Enables instance identity if set along with instance_identity_key
instance_identity_key
¶PEM-encoded key used to sign instance identity credentials. Enables instance identity if set along with instance_identity_ca_cert
instance_identity_validity_period_in_hours
¶Validity period for the generated instance identity certificate
- Default
24
max_cache_size_in_bytes
¶maximum size of the cache in bytes - this should leave a healthy overhead for temporary items, etc.
- Default
1e+10
max_concurrent_downloads
¶the max concurrent download steps that can be active
- Default
5
max_log_lines_per_second
¶EXPERIMENTAL: Maximum log lines allowed per second per app instance. Default value of 0 will disable rate limiting. Minimum recommended value is 100.
- Default
0
memory_capacity_mb
¶the memory capacity the executor should manage. this should not be greater than the actual memory on the VM
- Default
auto
metrics_work_pool_size
¶Maximum number of concurrent get container metrics operations.
- Default
8
post_setup_hook
¶Experimental: arbitrary command to run after setup action
post_setup_user
¶Experimental: user to run post setup hook command
read_work_pool_size
¶Maximum number of concurrent get container info operations.
- Default
64
unhealthy_monitoring_interval_in_seconds
¶Interval to check unhealthy containers in seconds.
- Default
2
use_schedulable_disk_size
¶Use total space available to containers reported by Garden. If false the total size of image plugin store minus max_cache_size_in_bytes is used.
- Default
false
rep
¶
advertise_domain
¶base domain at which the rep should advertise its secure API
- Default
cell.service.cf.internal
advertise_preference_for_instance_address
¶advertise that containers managed by this rep are directly accessible on the infrastructure network at their instance address. Components like ssh-proxy or routers may use this property when determining how to connect to a container. Set this flag only when using a third-party container-networking solution that provides direct connectivity between containers and VMs
- Default
false
bbs
¶
api_location
¶Address of the BBS server
- Default
bbs.service.cf.internal:8889
client_session_cache_size
¶capacity of the tls client cache
max_idle_conns_per_host
¶maximum number of idle http connections
request_timeout
¶Request timeout to the BBS server
- Default
10s
debug_addr
¶address at which to serve debug info
- Default
127.0.0.1:17008
evacuation_polling_interval_in_seconds
¶The interval to look for completed tasks and LRPs during evacuation in seconds
- Default
10
evacuation_timeout_in_seconds
¶The time to wait for evacuation to complete in seconds
- Default
600
job_name
¶The name of the Diego job referenced by this spec (DO NOT override)
- Default
rep_windows
listen_addr_admin
¶serve (insecure) ping and evacuate requests on this address and port
- Default
127.0.0.1:1800
listen_addr_securable
¶address where rep listens for LRP and task start auction requests
- Default
0.0.0.0:1801
locket
¶
api_location
¶Hostname and port of the locket server
- Default
locket.service.cf.internal:8891
client_keepalive_time
¶Period in seconds after which the locket gRPC client sends keepalive ping requests to the locket server it is connected to.
- Default
10
client_keepalive_timeout
¶Timeout in seconds to receive a response to the keepalive ping. If a response is not received within this time, the locket client will reconnect to another server.
- Default
22
log_level
¶Log level
- Default
info
open_bindmounts_acl
¶Add more permissive ACLs to directories that are bind mounted into containers. Required for Windows 2016 cells
- Default
false
optional_placement_tags
¶Array of optional tags used for scheduling Tasks and LRPs
- Default
[]
placement_tags
¶Array of tags used for scheduling Tasks and LRPs
- Default
[]
polling_interval_in_seconds
¶The interval to look for completed tasks and LRPs in seconds
- Default
30
preloaded_rootfses
¶Array of name:absolute_path pairs representing root filesystems preloaded onto the underlying garden
- Default
- windows2012R2:/tmp/windows2012R2
rootfs_providers
¶Array of schemes for which the underlying garden can support arbitrary root filesystems
- Default
[]
use_azure_fault_domains
¶Use Azure Fault-Domains to determine the value of the zone. The value of the zone will be z. e.g. z0, z1, etc.
- Default
false
zone
¶The zone associated with the rep. This will override the BOSH-provided spec.az property if present.
ssl
¶
skip_cert_verify
¶when connecting over https, ignore bad ssl certificates
- Default
false
enable_declarative_healthcheck
¶
When set, enables the rep to prefer the LRP CheckDefinition to healthcheck instances over the Monitor action.
- Default
false
logging
¶
format
¶
timestamp
¶Format for timestamp in component logs. Valid values are ‘unix-epoch’ and ‘rfc3339’.
- Default
unix-epoch
max_data_string_length
¶Length in bytes above which logged strings will be truncated. If set to 0, turns off truncation.
- Default
640
loggregator
¶
ca_cert
¶CA Cert used to communicate with local metron agent over gRPC
cert
¶Cert used to communicate with local metron agent over gRPC
key
¶Key used to communicate with local metron agent over gRPC
use_v2_api
¶True to use local metron agent gRPC v2 API. False to use UDP v1 API.
- Default
false
v2_api_port
¶Local metron agent gRPC port
- Default
3458
syslog_daemon_config
¶
address
¶Syslog host
- Default
""
port
¶Syslog port
- Default
""
transport
¶Syslog transport protocol (tcp or udp)
- Default
udp
tls
¶
ca_cert
¶REQUIRED: PEM-encoded tls client CA certificate for asset upload/download
cert
¶REQUIRED: PEM-encoded tls certificate that can be used for client and server authentication
key
¶REQUIRED: PEM-encoded tls client key
Templates¶
Templates are rendered and placed onto corresponding
instances during the deployment process. This job's templates
will be placed into /var/vcap/jobs/rep_windows/
directory
(learn more).
bin/drain.ps1
(fromdrain.ps1.erb
)bin/post-start.ps1
(frompost-start.ps1.erb
)bin/pre-start.ps1
(frompre-start.ps1.erb
)bin/start.ps1
(fromstart.ps1.erb
)config/certs/loggregator/ca.crt
(fromloggregator_ca.crt.erb
)config/certs/loggregator/client.crt
(fromloggregator_client.crt.erb
)config/certs/loggregator/client.key
(fromloggregator_client.key.erb
)config/certs/rep/instance_identity.crt
(frominstance_identity.crt.erb
)config/certs/rep/instance_identity.key
(frominstance_identity.key.erb
)config/certs/rep/trusted_ca_certificates.json
(fromtrusted_ca_certificates.json.erb
)config/certs/tls.crt
(fromtls.crt.erb
)config/certs/tls.key
(fromtls.key.erb
)config/certs/tls_ca.crt
(fromtls_ca.crt.erb
)config/indicators.yml
(fromindicators.yml.erb
)config/rep.json
(fromrep.json.erb
)
Packages¶
Packages are compiled and placed onto corresponding
instances during the deployment process. Packages will be
placed into /var/vcap/packages/
directory.