Configuring Nebula workers
The following table shows the config variables used to configure a Nebula worker at start time. Because parse_it is used for config parsing, you can use envvars as well as JSON, YAML or TOML files (and more) to configure the app, provided the files are in the config folder and have a correct file extension:
Tip
The table scrolls sideways to show its full information (this is not obvious due to the rtfd theme).
config file variable name | envvar variable name | default value | example value | type | description | required |
---|---|---|---|---|---|---|
registry_auth_user | REGISTRY_AUTH_USER | None | user | string | the docker registry basic auth user; if not set or set to None (the default value) Nebula will attempt to use the standard registry config file located inside the container at "~/.docker/config.json" (use this option if you need auth for multiple registries) and, if that's not configured, will carry on using no registry auth | no |
registry_auth_password | REGISTRY_AUTH_PASSWORD | None | P@ssw0rd | string | the docker registry basic auth password; if not set or set to None (the default value) Nebula will attempt to use the standard registry config file located inside the container at "~/.docker/config.json" (use this option if you need auth for multiple registries) and, if that's not configured, will carry on using no registry auth | no |
registry_host | REGISTRY_HOST | https://index.docker.io/v1/ | https://my_registry.example.com:5000 | string | the docker registry FQDN or IP | yes |
max_restart_wait_in_seconds | MAX_RESTART_WAIT_IN_SECONDS | 0 | 5 | int | maximum time (in seconds) each worker server will wait before reloading the containers in case of restart\update (the minimum time is hard coded to 0 and each worker server will randomly choose a value within that range, to spread load on the managers and avoid a thundering herd) | yes |
nebula_manager_auth_user | NEBULA_MANAGER_AUTH_USER | | admin | string | the basic auth user used to secure the manager - unless you set auth_enabled=false you must configure either basic_auth (user & pass) or token auth | no |
nebula_manager_auth_password | NEBULA_MANAGER_AUTH_PASSWORD | | P@ssw0rd | string | the basic auth password used to secure the manager - unless you set auth_enabled=false you must configure either basic_auth (user & pass) or token auth | no |
nebula_manager_auth_token | NEBULA_MANAGER_AUTH_TOKEN | | ZDMwN2JmYjBmODliMDRmOTViZDlkYmJl | string | the bearer token used to secure the manager - unless you set auth_enabled=false you must configure either basic_auth (user & pass) or token auth | no |
nebula_manager_host | NEBULA_MANAGER_HOST | | mynebulaapi.exampledomain.com | string | the FQDN\IP of the Nebula manager - Note: you must configure either the nebula_manager_uri or the nebula_manager_host | no |
nebula_manager_port | NEBULA_MANAGER_PORT | 80 | 80 | int | the port of the Nebula manager | no |
nebula_manager_protocol | NEBULA_MANAGER_PROTOCOL | http | http | string | protocol used to contact the Nebula manager - http or https | no |
nebula_manager_uri | NEBULA_MANAGER_URI | | https://mynebulaapi.exampledomain.com:8080/nebulaManager | string | complete URI of the Nebula manager including the protocol, host FQDN/IP, port and path - Note: you must configure either the nebula_manager_uri or the nebula_manager_host | no |
nebula_manager_request_timeout | NEBULA_MANAGER_REQUEST_TIMEOUT | 60 | 60 | int | the time (in seconds) to wait for a response from the Nebula manager before timing out | yes |
nebula_manager_check_in_time | NEBULA_MANAGER_CHECK_IN_TIME | 30 | 30 | int | the interval (in seconds) at which the device checks in with the Nebula manager to see if any changes to the application have happened; the lower this is, the faster changes to any app or device_group will propagate to the device, but the higher the load on the manager will be, so more managers will be needed | yes |
device_group | DEVICE_GROUP | | smart_fridge_device_group | string | the device group to attach a device to - each device can only exist in a single device_group but each device_group can have unlimited apps in it | yes |
reporting_fail_hard | REPORTING_FAIL_HARD | true | false | bool | part of the optional reporting system, if true any failures in the reporting system will fail hard and restart the worker and if false will attempt to continue, setting to false will mean that a lot of errors will need to be manually fixed by the admin | no |
report_on_update_only | REPORT_ON_UPDATE_ONLY | false | true | bool | part of the optional reporting system, if false (the default) will send all reports to kafka and if true will only send reports which have had a change in the device configuration in them | no |
kafka_bootstrap_servers | KAFKA_BOOTSTRAP_SERVERS | | mykafka.mydomain.com:9092 or empty | string | part of the optional reporting system, the FQDN\IP address of the bootstrap kafka nodes; if not set, everything regarding the optional reporting system will be unused, setting it to any value is the trigger to turn on the reporting component of the workers | no |
kafka_security_protocol | KAFKA_SECURITY_PROTOCOL | PLAINTEXT | PLAINTEXT, SSL, SASL_PLAINTEXT, SASL_SSL | string | part of the optional reporting system, protocol used to communicate with the kafka brokers, valid values are PLAINTEXT, SSL, SASL_PLAINTEXT or SASL_SSL | no |
kafka_sasl_mechanism | KAFKA_SASL_MECHANISM | | PLAIN or empty | string | part of the optional reporting system, string picking the sasl mechanism when security_protocol is SASL_PLAINTEXT or SASL_SSL, valid values are PLAIN or empty, leaving it empty\undefined will mean sasl is not used | no |
kafka_sasl_plain_username | KAFKA_SASL_PLAIN_USERNAME | | mysaslusername or empty | string | part of the optional reporting system, the username to use to connect to the kafka brokers if kafka_sasl_mechanism is set to PLAIN & kafka_security_protocol is set to SASL_PLAINTEXT | no |
kafka_sasl_plain_password | KAFKA_SASL_PLAIN_PASSWORD | | mysaslpassword or empty | string | part of the optional reporting system, the password to use to connect to the kafka brokers if kafka_sasl_mechanism is set to PLAIN & kafka_security_protocol is set to SASL_PLAINTEXT | no |
kafka_ssl_keyfile | KAFKA_SSL_KEYFILE | | /mykeyfile or empty | string | part of the optional reporting system, path of the SSL keyfile to connect to the kafka brokers with if SSL is set to be used | no |
kafka_ssl_password | KAFKA_SSL_PASSWORD | | mysslpassword or empty | string | part of the optional reporting system, the SSL keyfile password to connect to the kafka brokers with if SSL is set to be used | no |
kafka_ssl_certfile | KAFKA_SSL_CERTFILE | | /mycertfile or empty | string | part of the optional reporting system, path of the SSL certfile to connect to the kafka brokers with if SSL is set to be used | no |
kafka_ssl_cafile | KAFKA_SSL_CAFILE | | /mycafile or empty | string | part of the optional reporting system, path of the SSL cafile to connect to the kafka brokers with if SSL is set to be used | no |
kafka_ssl_crlfile | KAFKA_SSL_CRLFILE | | /mycrlfile or empty | string | part of the optional reporting system, path of the SSL crlfile to connect to the kafka brokers with if SSL is set to be used | no |
kafka_sasl_kerberos_service_name | KAFKA_SASL_KERBEROS_SERVICE_NAME | kafka | kafka | string | part of the optional reporting system, the kerberos service name used to connect to the kafka brokers if kerberos is configured to be used | no |
kafka_sasl_kerberos_domain_name | KAFKA_SASL_KERBEROS_DOMAIN_NAME | kafka | kafka | string | part of the optional reporting system, the kerberos domain name used to connect to the kafka brokers if kerberos is configured to be used | no |
kafka_topic | KAFKA_TOPIC | nebula-reports | my-nebula-kafka-topic | string | part of the optional reporting system, the kafka topic name reports will be written to, it's up to the admin to ensure proper topic sizing\partitioning on the kafka side | no |
Envvars take priority over variables set in the config/* files when both are set. (The registry user & pass values can also be provided through the standard "~/.docker/config.json" file, by not setting them as envvars or in the Nebula config file.) It's suggested to always wrap envvar values in quotation marks, but this is only required if the value uses special characters (for example "mongodb://mongo_user:mongo_pass@mongo_host:27017/?ssl=true&replicaSet=mongo_replica_set&authSource=mongo_auth_schema"). Some variables have defaults that will be used if they are set neither as envvars nor in the conf.json file.
An example config file, "example_conf.json.example", is located in the /config/ folder of the worker GitHub repo (and, by extension, inside the worker containers).
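The precedence rule and the transport settings from the table can be checked before a worker is deployed. The following is an added example, not code from the Nebula project or parse_it: it merges a conf.json with envvars (envvars win) using a hand-rolled merge, then flags manager credentials sent over http, unencrypted kafka reporting, and secrets stored in conf.json. The function names and sample values are assumptions made for the illustration.

```python
import json

# Secret-bearing keys from the table above.
SECRET_KEYS = ("registry_auth_password", "nebula_manager_auth_password",
               "nebula_manager_auth_token", "kafka_sasl_plain_password",
               "kafka_ssl_password")

def effective_config(conf_text, environ):
    """Merge conf.json text with envvars; envvars win, as documented.
    Hand-rolled for illustration: this is not parse_it's own logic."""
    from_file = {k.lower(): v for k, v in json.loads(conf_text).items()}
    merged = dict(from_file)
    merged.update({k.lower(): v for k, v in environ.items()})
    return merged, from_file

def audit(conf_text, environ):
    """Return a list of findings for the effective worker configuration."""
    conf, from_file = effective_config(conf_text, environ)
    findings = []
    uri = conf.get("nebula_manager_uri")
    if not uri and not conf.get("nebula_manager_host"):
        findings.append("neither nebula_manager_uri nor nebula_manager_host is set")
    if not conf.get("device_group"):
        findings.append("device_group is required")
    # Scheme comes from the URI if given, else the protocol key (default http).
    scheme = uri.split("://", 1)[0] if uri else conf.get("nebula_manager_protocol", "http")
    sends_creds = any(conf.get(k) for k in
                      ("nebula_manager_auth_password", "nebula_manager_auth_token"))
    if sends_creds and str(scheme).lower() != "https":
        findings.append("manager credentials are sent over plain http")
    # Reporting is only active when kafka_bootstrap_servers is set.
    if conf.get("kafka_bootstrap_servers"):
        proto = conf.get("kafka_security_protocol", "PLAINTEXT")
        if proto in ("PLAINTEXT", "SASL_PLAINTEXT"):
            findings.append(f"kafka reports are unencrypted ({proto})")
    # Secrets in conf.json end up in an image layer if the file is COPY'd in.
    findings += [f"{k} is stored in conf.json" for k in SECRET_KEYS if from_file.get(k)]
    return findings

# Constructed sample inputs (hostnames reuse the example values from the table).
SAMPLE_CONF = json.dumps({
    "nebula_manager_host": "mynebulaapi.exampledomain.com",
    "nebula_manager_auth_token": "constructed-sample-token",
    "device_group": "smart_fridge_device_group",
    "kafka_bootstrap_servers": "mykafka.mydomain.com:9092",
})
SAMPLE_ENV = {"NEBULA_MANAGER_PROTOCOL": "https", "KAFKA_SECURITY_PROTOCOL": "SASL_SSL"}

if __name__ == "__main__":
    print(audit(SAMPLE_CONF, {}))          # file only
    print(audit(SAMPLE_CONF, SAMPLE_ENV))  # envvars override the file
```

With the file alone, the defaults (http, PLAINTEXT) apply and three findings are returned; with the envvars set, only the token stored in conf.json remains.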
The following table shows the path of each config file inside the docker containers:
container | config path inside container | example Dockerfile COPY command overwrite |
---|---|---|
worker | /worker/config/conf.json | COPY config/conf.json /worker/config/conf.json |