core job from shield/8.6.3

Github source: db113bf or master branch

Properties¶

`agent`¶

dial-timeout¶

Duration timespec for how long to allow for an TCP connection to an agent to establish. Longer values may effectively get overridden by the system’s TCP timeout
Default
30s
key¶

RSA private key used for securing communications between SHIELD Agents and the SHIELD Core.

macs¶

List of message authentication code implementations to allow when negotiating SSH with agents.
Default
  - hmac-sha2-256-etm@openssh.com
  - hmac-sha2-256
  - hmac-sha1

`core`¶

authentication¶

A list of SHIELD Authentication Provider configurations, to be emitted into the shieldd.conf configuration file as-is (under the auth: key).

color¶

What color should the SHIELD Web UI render the environment tag in.
Default
yellow
env¶

A short tag describing this environment (i.e. ‘prod’, ‘staging’, etc.).
Default
sandbox
fast-loop¶

How frequently should SHIELD check for and execute scheduled jobs.
Default
5s
mbus¶
backlog¶

The maximum number of events that the message bus will keep for a client before dropping the client. If this is set too low, then clients may be dropped sporadically. If this is set higher, it will take more memory per client.
Default
100
max-slots¶

The maximum number of clients that can hook up to the message bus at once. Limits the number of websocket clients.
Default
2048
motd¶

A (perhaps long-form) message of the day, to display on login forms.
Default
Welcome to SHIELD!
session-timeout¶

How long should sessions be valid for.
Default
8h
slow-loop¶

How frequently should SHIELD perform janitorial tasks.
Default
1h
task-timeout¶

How long after start of execution before timing out a running task.
Default
12h
workers¶

Maximum allowable number of running, concurrent tasks.
Default
5

`domain`¶

Fully-qualified domain name (or IP address) of your SHIELD installation

`failsafe`¶

password¶

A password for the failsafe user.
Default
shield
username¶

A fallback username for initially accessiong your SHIELD instance.
Default
admin

`log-level`¶

Log level for the SHIELD Core. One of ‘error’, ‘warning’, or ‘info’.

Default

error

`nginx`¶

connections¶

Number of nginx connections per worker
Default
8192
keepalive¶

Timeout for keep-alive connections
Default
75 20
workers¶

Number of nginx workers
Default
2

`plugin_paths`¶

Map of paths that the binary of the plugins can be found

Example

|+
  plugin_paths:
    atmos: /var/vcap/packages/atmos-plugin/bin

`port`¶

Incoming port to bind for HTTPS API and Web UI

Default

`prometheus`¶

namespace¶

The prefix on exported Prometheus metric keys.
Default
shield
password¶

The HTTP basic auth password for accessing the SHIELD Prometheus metrics endpoint.
Default
shield
realm¶

The HTTP basic auth realm for the Prometheus metrics endpoint.
Default
SHIELD Prometheus Exporter
username¶

The HTTP basic auth username for accessing the SHIELD Prometheus metrics endpoint.
Default
prometheus

`tls`¶

certificate¶

TLS Certificate (PEM encoded), used for the HTTPS API and Web UI

ciphers¶

Which SSL/TLS ciphers to allow, used for the HTTPS API and Web UI
Default
ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:HIGH:!MD5:!aNULL:!EDH
key¶

TLS private key (PEM encoded), used for the HTTPS API and Web UI

protocols¶

Which SSL/TLS protocols to allow, used for the HTTPS API and Web UI
Default
TLSv1 TLSv1.1 TLSv1.2
reuse-after¶

How long (in hours) before rotating cryptographic parameters
Default
2

`vault`¶

tls¶

ca¶

The PEM-encoded certificate of the CA that signed the Vault Certificate. The SHIELD core needs this so that it can trust the Vault certificate.

certificate¶

The PEM-encoded certificate of the Vault itself. This certificate should be issued for the IP SAN 127.0.0.1.

key¶

The PEM-encoded private key for the Vault certificate.

Templates¶

Templates are rendered and placed onto corresponding instances during the deployment process. This job's templates will be placed into /var/vcap/jobs/core/ directory (learn more).

bin/nginx (from bin/nginx)
bin/shieldd (from bin/shieldd)
bin/vault (from bin/vault)
config/agent.key (from config/agent.key)
config/nginx.conf (from config/nginx.conf)
config/shieldd.conf (from config/shieldd.conf)
config/tls/nginx.key (from config/tls/nginx.key)
config/tls/nginx.pub (from config/tls/nginx.pub)
config/tls/vault.ca (from config/tls/vault.ca)
config/tls/vault.key (from config/tls/vault.key)
config/tls/vault.pub (from config/tls/vault.pub)
config/vault.conf (from config/vault.conf)
envrc (from envrc)

Packages¶

Packages are compiled and placed onto corresponding instances during the deployment process. Packages will be placed into /var/vcap/packages/ directory.

core job from shield/8.6.3

Properties¶

agent¶

dial-timeout¶

key¶

macs¶

core¶

authentication¶

color¶

env¶

fast-loop¶

mbus¶

backlog¶

max-slots¶

motd¶

session-timeout¶

slow-loop¶

task-timeout¶

workers¶

domain¶

failsafe¶

password¶

username¶

log-level¶

nginx¶

connections¶

keepalive¶

workers¶

plugin_paths¶

port¶

prometheus¶

namespace¶

password¶

realm¶

username¶

tls¶

certificate¶

ciphers¶

key¶

protocols¶

reuse-after¶

vault¶

tls¶

ca¶

certificate¶

key¶

Templates¶

Packages¶

`agent`¶

`dial-timeout`¶

`key`¶

`macs`¶

`core`¶

`authentication`¶

`color`¶

`env`¶

`fast-loop`¶

`mbus`¶

`backlog`¶

`max-slots`¶

`motd`¶

`session-timeout`¶

`slow-loop`¶

`task-timeout`¶

`workers`¶

`domain`¶

`failsafe`¶

`password`¶

`username`¶

`log-level`¶

`nginx`¶

`connections`¶

`keepalive`¶

`workers`¶

`plugin_paths`¶

`port`¶

`prometheus`¶

`namespace`¶

`password`¶

`realm`¶

`username`¶

`tls`¶

`certificate`¶

`ciphers`¶

`key`¶

`protocols`¶

`reuse-after`¶

`vault`¶

`tls`¶

`ca`¶

`certificate`¶

`key`¶