JS7 JobScheduler

Space shortcuts

Page tree

Versions Compared

Old Version 12

changes.mady.by.user Andreas Püschel

Saved on

compared with

New Version Current

changes.mady.by.user Andreas Püschel

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Table of Contents

Introduction

  • The JS7 Controller comes preinstalled from a container image.
  • Initial operation for JS7 Controllers includes:
    • registering the Controller instance(s) and Agents that are used in the job scheduling environment.
    • optionally registering a JS7 Controller Cluster. 

As an alternative to the instructions from this article users can refer to the JS7 - Controller Installation using Docker Compose article.

Installation Video

This video explains how to install the JS7 Controller for containers:

Widget Connector
urlhttps://www.youtube.com/watch?v=y1sEtVq6mow&ab_channel=JobScheduler

Pulling the Controller Image

Pull the version of the Controller container image that corresponds to the JS7 release in use, for example:

Code Block
languagebash
titlePulling the Controller Image
linenumberstrue
docker image pull sosberlin/js7:controller-2-0-0-SNAPSHOT5-0

Note: Current releases should be applied as available from https://hub.docker.com/r/sosberlin/js7

Running the Controller Container

After pulling the Controller image you can run the container with a number of options like thissuch as:

Code Block
languagebash
titleRunning the Controller Container for HTTP Connections
linenumberstrue
#!/bin/sh

docker run -dit --rm \
      --user="$(id -u $USER):$(id -g $USER)" \
      --hostname=js7-controller-primary \
      --network=js7 \
      --publish=15444:4444 \
      --env="RUN_JS_JAVA_OPTIONS=-Xmx256m" \
      --env="RUN_JS_ID=jobscheduler" \
      --mountenv="type=volume,src=js7-controller-primary-config,dst=/var/sos-berlin.com/js7/controller/var/config" \
      --mount="type=volume,src=js7-controller-primary-logs,dst=/var/sos-berlin.com/js7/controller/var/logs"RUN_JS_USER_ID=$(id -u $USER):$(id -g $USER)" \
      --mount="type=volume,src=js7-controller-primary-statevar,dst=/var/sos-berlin.com/js7/controller/var/state" \
      --name js7-controller-primary \
      sosberlin/js7:controller-2-05-0-SNAPSHOT


ExplanationsExplanation:

  • --user Inside the container the Controller instance is operated for the user account jobscheduler. In order to access e.g. log files created by the Controller instance that are mounted to the Docker host it is recommended that you map the account that is starting the container to the jobscheduler account inside the container. The --user option accepts the user ID and group ID of the account that will be mapped. The network The above example makes use of the current user.--network The above example makes use of a Docker a container network - created e.g. with the command docker network create js7  command - to allow network sharing between containers. Consider Note that any inside ports used by Docker containers are is visible within a Docker container network. Therefore a Controller instance running for the inside port 4444 is accessible with can be accessed using the container's hostname and the same port within the Docker container network.
  • --publish The Controller is prepared to listen to the HTTP port 4444. An outside port of the Docker container's host can be mapped to the Controller's inside HTTP port. This is not required for use with a Docker container network, see --network, however, it will allow direct access to the Controller from the Docker host by Controller from the container's host through its outside port .
  • --env=RUN_JS_JAVA_OPTIONS This allows to inject any Java options to be injected into the Controller's container. Preferably this is used to specify memory requirements of a Controller, e.g. with -Xmx256m.
  • --env=RUN_JS_ID This setting specifies the Controller ID that is a unique identifier for either a standalone Controller instance or for both the primary Controller instance and secondary Controller instance instances in a cluster that use the same Controller ID.a common Controller ID.
  • --env=RUN_JS_USER_ID Inside the container the Controller is operated with the jobscheduler user account. In order to access, for example, log files created by the Controller and mounted to the container's host, it is recommended that you map the account that starts the container to the jobscheduler account inside the container. The RUN_JS_USER_ID environment variable accepts the User ID and Group ID of the account that will be mapped. The example listed above uses the current user, for details see JS7 - Running Containers for User Accounts.
  • --mount The following volume mounts are suggested:
    • var: This folder works as an entry point to the following sub-folders:
      • config: The
      optional
      • configuration folder allows
      to specify
      • the specification of  individual settings for
      Controller operation, see below chapters Without this folder the default
      • Default settings are
      used
      • available from initial operation..
      • logs: In order to have persistent Controller log files
      persisted
      • they have to be written to a volume that is mounted for the container. Feel free to adjust the volume name from the src attribute, however, the value of the dst attribute should not be changed as it reflects the directory hierarchy inside the container.
      • state: The Controller requires a directory for journal information that should be
      persisted
      • persistent. The journal is required to restore the state of orders when restarting the Controller.
    • Docker offers

      Containers offer a number of ways

      how to mount volumes to containers that include e.g. to create

      of mounting volumes, which include, for example, creating a local folder and

      to map

      mapping the folder to a volume

      like this:docker volume create --driver local --opt o=bind --opt type=none --opt

      before executing the docker run command listed above:

      Code Block
      languagebash
      titleExample how to create Docker volumes
      linenumberstrue
      # example to map volumes to directories on the container's host prior to running the Controller container
mkdir -p /home/sos/js7/js7-controller-primary/var
docker volume create --driver local --opt o=bind --opt type=none --opt device="/home/sos/js7/js7-controller-primary/
      config
      var" js7-controller-primary-
      config

Configuring the Controller

Consider that it is not required to configure a Controller - it runs out-of-the-box. Zero configuration includes that

  • deployment of objects, e.g. workflows and jobs, is not subject to compliance requirements such as non-repudiation.
  • HTTP connections are used that expose unencrypted communication between JOC Cockpit and Controller. Authentication is performed by hashed passwords.

Users who intend to operate a compliant and secure job scheduling environment should consider the below explanations for

  • deployment of objects with digital signatures that can be used to restrict and to verify who deploys a given object such as a workflow.
  • HTTPS connections that encrypt communication and that include mutual authentication by certificates without use of passwords.

Compliance: Use of Signing Certificates

Controller instances accept deployments for a number of objects such as workflows from a JOC Cockpit instance only if such objects are digitally signed.

  • If JOC Cockpit is operated for Security Level Low then a single X.509 private key assigned to the JOC Cockpit root account is used to sign any objects by any JOC Cockpit accounts.
  • If JOC Cockpit is operated for Security Level Medium or High then each account that deploys objects has to own an individual X.509 private key or PGP private key.

To verify the signature of an object the Controller has to apply the public key or certificate that matches the private key used for signing with JOC Cockpit.

  • If X.509 private keys are used for signing of objects then the Root CA Certificate or Intermediate CA Certificate that was used to sign the respective private key has to be in place with the Controller.
  • If PGP private keys are used for signing of objects then the public key matching the signing key has to be in place with the Controller.
  • The Controller expects certificates/public keys from the following locations:
    • X.509 Certificates
      • Location
        • Windows: C:\ProgramData\sos-berlin.com\js7\controller\var\config\private\trusted-x509-keys
        • Unix: /var/sos-berlin.com/js7/controller/var/config/private/trusted-x509-keys
      • The expected X.509 certificate format is PEM. Certificates can be added from any file names with the extension .pem.
      • Consider that instead of individual certificates per signing key the Root CA Certificate or Intermediate CA Certificate that was used to sign the private keys is sufficient.
    • PGP Public Keys
      • Location
        • Windows: C:\ProgramData\sos-berlin.com\js7\controller\var\config\private\trusted-pgp-keys
        • Unix: /var/sos-berlin.com/js7/controller/var/config/private/trusted-pgp-keys
      • PGP public keys are expected in ASCII armored format. They can be added from any file names with the extension .asc.
      • Consider that for each PGP private key that is used for signing the corresponding public key has to be available with the Controller instance.
    • By default the Controller ships with an X.509 certificate of SOS that matches the default signing key available with the JOC Cockpit root account.
  • In order to add individual certificates/public keys add the respective files to the above location corresponding the key type. To revoke certificates/public keys accordingly remove the respective files from the above location matching the key type.
  • The above locations for certificates/public keys can be accessed from the Docker volume specified with the --mount option for the Controller's container directory /var/sos-berlin.com/js7/controller/var/config. The locations for X.509 certificates and PGP public keys are available from sub-directories.

Security: Use with HTTPS Connections

The Controller by default is prepared for connections by JOC Cockpit instances using the HTTP and the HTTPS protocols. 

In order to activate HTTPS consider the following prerequisites.

Provide Keystore, Truststore and Configuration for Mutual Authentication

Connections to Controller instances are established from a JOC Cockpit instance. If the HTTPS protocol is used then in addition to securing the communication channel the Controller instance requires mutual authentication.

Controller Keystore and Truststore

  • The Controller instance's private key has to be created for Server Authentication and Client Authentication extended key usages.
  • The Controller instance is provided
    • a keystore that holds its private key, certificate, Root CA Certificate and optionally Intermediate CA Certificate.
    • a truststore that holds the certificate chain - consisting of Root CA Certificate and optionally Intermediate CA Certificate - required to verify the Controller's certificate.
  • Keystores and truststores are files in PKCS12 format, usually with a .p12 extension. They should be added to the following locations:
    • Keystore
      • Windows: C:\ProgramData\sos-berlin.com\js7\controller\var\config\private\https-keystore.p12
      • Unix: /var/sos-berlin.com/js7/controller/var/config/private/https-keystore.p12
    • Truststore
      • Windows: C:\ProgramData\sos-berlin.com\js7\controller\var\config\private\https-truststore.p12
      • Unix: /var/sos-berlin.com/js7/controller/var/config/private/https-truststore.p12

Controller Configuration

  • The Controller instance's private.conf configuration file has to be added the following configuration items. For details see JS7 - Controller Configuration
    • Mutual Authentication
      • Code Block
        languagebash
        titleController Configuration for Mutual Authentication
        linenumberstrue
        js7 {
    auth {
        # User accounts for https connections
        users {
            # Controller account for connections by primary/secondary JOC Cockpit instance
            Controller {
                distinguished-names=[
                    "DNQ=SOS CA, CN=js7-joc-primary, OU=IT, O=SOS, L=Berlin, ST=Berlin, C=DE",
                    "DNQ=SOS CA, CN=js7-joc-secondary, OU=IT, O=SOS, L=Berlin, ST=Berlin, C=DE"
                ]
            }
        }
    }
      • This setting specifies the distinguished names that are available from the subjects of JOC Cockpit certificates. Consider that the common name (CN) attribute specifies the hostname of a JOC Cockpit instance. The configuration authenticates a given JOC Cockpit instance as the distinguished name is unique for a server certificate and therefore replaces use of passwords.
    • Keystore and truststore locations:
      • Code Block
        languagebash
        titleController Configuration for Keystore and Truststore Locations
        linenumberstrue
        js7 {
    web {
        # Locations of keystore and truststore files for HTTPS connections
        https {
            keystore {
                # Default: ${js7.config-directory}"/private/https-keystore.p12"
                file=${js7.config-directory}"/private/https-keystore.p12"
                key-password=jobscheduler
                store-password=jobscheduler
            }
            truststores=[
                {
                    # Default: ${js7.config-directory}"/private/https-truststore.p12"
                    file=${js7.config-directory}"/private/https-truststore.p12"
                    store-password=jobscheduler
                }
            ]
        }
    }
}
      • The above configuration items specify the locations of keystore and truststore.
      • Consider optional use of a key password and store password for keystores and of a store password for truststores.

Run Controller Container for HTTPS Connections

The following additional arguments are required for HTTPS connections:

Code Block
languagebash
titleRun Controller Container for HTTPS Connections
linenumberstrue
#!/bin/sh

docker run -dit --rm \
      ...
      --publish=15443:4443 \
      --env="RUN_JS_HTTPS_PORT=4443" \
      ...

Explanations:

  • --publish The Controller image is prepared to accept HTTPS requests on port 4443. If the Controller instance is not operated in a Docker network then an outside port of the Docker host has to be mapped to the inside HTTPS port 4443. The same port has to be assigned the RUN_JS_HTTPS_PORT environment variable.
  • --env=RUN_JS_HTTPS_PORT The port assigned this environment variable is the same as the inside HTTPS port specified with the --publish option.

Note:

    • var

Time Service

It is important that a time service is operated on the container's host which runs the Controller in order to synchronize the system clock's time.

Log Files

Access to log files is essential for identifying problems during installation and operation of containers.

When mounting a volume for log files as explained above you should have access to the files indicated in the JS7 - Log Files and Locations article.

  • The controller.log file reports general information, warnings and errors.
  • The watchdog.log file includes information about automated restarts of the Controller.

Anchor
initial_operation
initial_operation
Initial Operation

The following information applies for use of the Controller with the Open Source license and with the commercial JS7 - License:

The following information applies if the Controller is used for high availability in a JS7 - Controller Cluster using the commercial JS7 - License:

Further Resources

Configure the Controller

Note that it is not necessary to configure the Controller - it runs out-of-the-box. The default configuration specifies that:

  • deployment of objects such as workflows and jobs is not subject to compliance requirements such as non-repudiation.
  • HTTP connections are used which expose unencrypted communication between JOC Cockpit and Controller. Authentication is performed by hashed passwords.

Users who intend to operate a compliant and secure job scheduling environment or who wish to operate the Controller as a cluster for high availability are recommended to familiarize themselves with the JS7 - Controller Configuration for Containers article series.

Build the Controller Image

User who wish to create individual images of the Controller will find instructions in the JS7 - Controller Build of Container Image article

...

.