JS7 JobScheduler

Space shortcuts

Page tree

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 5 Next »

Pulling an Agent Image

Pull the version of  the Agent image that corresponds to the JS7 release in use:

Download Agent Image
docker image pull sosberlin/jobscheduler:agent-2-0-0


Running an Agent Container

After pulling the Agent image you can run the container with a number of options like this:


Run Agent Container
#!/bin/sh

docker run -dit --rm \
      --user="$(id -u $USER):$(id -g $USER)" \
      --hostname=js7-agent-2-0-primary \
      --network=js7 \
      --publish=14445:4445 \
      --env="RUN_JS_HTTP_PORT=14445" \
      --env="RUN_JS_JAVA_OPTIONS=-Xmx256m" \
      --mount="type=volume,src=js7-agent-2-0-primary-config,dst=/var/sos-berlin.com/js7/agent/var_4445/config" \
      --mount="type=volume,src=js7-agent-2-0-primary-logs,dst=/var/sos-berlin.com/js7/agent/var_4445/logs" \
      --mount="type=volume,src=js7-agent-2-0-primary-state,dst=/var/sos-berlin.com/js7/agent/var_4445/state" \
      --name js7-agent-2-0-0-primary \
      sosberlin/jobscheduler:agent-2-0-0

Explanations:

  • --user Inside the container the Agent is operated for the user account jobscheduler. In order to access e.g. log files created by the Agent that are mounted to the Docker host it is recommended that you map the account that is starting the container to the jobscheduler account inside the container. The --user option accepts the user ID and group ID of the account that will be mapped. The above example makes use of the current user.
  • --network The above example makes use of a Docker network - created e.g. with docker network create js7 - to allow network sharing between containers. Consider that any inside ports used by Docker containers are visible within a Docker network. Therefore an Agent running for the inside port 4445 is accessible from the container's hostname and the same port within the Docker network.
  • --publish An outside port of the Docker host is mapped to the Agent's inside HTTP port. This is not required for use with a Docker network, see --network, however, it will allow to directly access the Agent by its outside port from the Docker host.
  • --env=RUN_JS_HTTP_PORT Consider to specify the same outside port that is used with the --publish option to map an outside port to the inside HTTP port.
  • --env=JAVA_OPTIONS This allows to inject any Java options to the Agent's container. Preferably this is used to specify memory requirements of an Agent, e.g. with -Xmx256m.
  • --mount The following volume mounts are suggested:
    • config: The optional configuration folder allows to specify individual settings for Agent operation, see JS7 - Agent Configuration. Without this folder the default settings are used.
    • logs: In order to have Agent log files persisted they should be written to a volume that is mounted for the Agent. Feel free to adjust the volume name from the src attribute, however, the value of the dst attribute should no be changed as it reflects the directory hierarchy inside the container.
    • state: The Agent requires a directory for journal information that should be persisted. The journal is required to restore the state of orders when restarting the Agent.

Configuring an Agent

Use of Signing Certificates

Agents accept deployments for a number of objects such as workflows from a Controller only if the objects are digitally signed.

  • If JOC Cockpit is operated for Security Level Low then a single X.509 private key assigned to the root account is used to sign any objects by any JOC Cockpit accounts.
  • If JOC Cockpit is operated for Security Level Medium or High then each account that deploys objects has to own an individual X.509 key or PGP key.

To verify the signature of an object the Agent has to apply the public key or certificate that matches the private key used for signing with JOC Cockpit.

  • If X.509 keys are used for signing of objects then the Root CA Certificate or Intermediate CA Certificate that was used to sign the respective private key has to be in place with the Agent.
  • If PGP keys are used for signing of objects then the public key matching the signing key has to be in place with the Agent.
  • The Agent expects certificates/public keys from the following locations inside the container:
    • X.509 Certificates: /var/sos-berlin.com/js7/agent/var_4445/config/private/trusted-x509-keys
      • The X.509 certificate format should be PEM.
      • Certificates can be added from any file names with the extension .pem.
      • Consider that instead of individual certificates per signing key the Root CA Certificate or Intermediate CA Certificate that was used to sign the private keys is sufficient.
    • PGP Public Keys: /var/sos-berlin.com/js7/agent/var_4445/config/private/trusted-pgp-keys
      • PGP public keys are expected in ASCII armored format.
      • Public keys can be added from any file names with the extension .asc.
      • Consider that for each PGP private key that is used for signing the corresponding public key has to be available with the Agent.
    • By default the Agent ships with an X.509 certificate of SOS that matches the default signing key available with the root account in JOC Cockpit.
  • In order to add individual certificates/public keys add the respective files to the above location corresponding the key type. To revoke certificates/public keys accordingly remove the respective files from the above location matching the key type.
  • The above locations for certificates/public keys can be accessed from the Docker volume specified with the --mount option for the Agent's container directory /var/sos-berlin.com/js7/agent/var_4445/config.  The locations for X509 certificates and PGP public keys are available from sub-directories.

Use with HTTPS Connections





  • No labels