Configuring Nebula workers

The following table shows the config variables used to configure a Nebula worker at start time. Because parse_it is used for config parsing, you can use envvars as well as JSON, YAML or TOML (and more) to configure the app, provided the files are in the config folder and have a correct file extension:

Tip

The table scrolls sideways to show its full information (this is not obvious due to the rtfd theme).

| config file variable name | envvar variable name | default value | example value | type | description | required |
|---|---|---|---|---|---|---|
| registry_auth_user | REGISTRY_AUTH_USER | None | user | string | the docker registry basic auth user; if not set or set to None (the default value) Nebula will attempt to use the standard registry config file located inside the container at the "~/.docker/config.json" file path (use this option if you need auth for multiple registries), and if that's not configured it will carry on using no registry auth | no |
| registry_auth_password | REGISTRY_AUTH_PASSWORD | None | P@ssw0rd | string | the docker registry basic auth password; if not set or set to None (the default value) Nebula will attempt to use the standard registry config file located inside the container at the "~/.docker/config.json" file path (use this option if you need auth for multiple registries), and if that's not configured it will carry on using no registry auth | no |
| registry_host | REGISTRY_HOST | https://index.docker.io/v1/ | https://my_registry.example.com:5000 | string | the docker registry FQDN or IP | yes |
| max_restart_wait_in_seconds | MAX_RESTART_WAIT_IN_SECONDS | 0 | 5 | int | maximum time (in seconds) each worker server will wait before reloading the containers in case of restart/update (the minimum time is hard coded to 0 and each worker server randomly chooses a value within that range, to spread load on the managers and avoid a thundering herd) | yes |
| nebula_manager_basic_auth_user | NEBULA_MANAGER_BASIC_AUTH_USER | | admin | string | the basic auth user used to secure the manager - unless you set auth_enabled=false you must configure either basic_auth (user & pass) or token auth | no |
| nebula_manager_basic_auth_password | NEBULA_MANAGER_AUTH_PASSWORD | | P@ssw0rd | string | the basic auth password used to secure the manager - unless you set auth_enabled=false you must configure either basic_auth (user & pass) or token auth | no |
| nebula_manager_auth_token | NEBULA_MANAGER_AUTH_TOKEN | | ZDMwN2JmYjBmODliMDRmOTViZDlkYmJl | string | the bearer token used to secure the manager - unless you set auth_enabled=false you must configure either basic_auth (user & pass) or token auth | no |
| nebula_manager_host | NEBULA_MANAGER_HOST | | mynebulaapi.exampledomain.com | string | the FQDN/IP of the Nebula manager | yes |
| nebula_manager_port | NEBULA_MANAGER_PORT | 80 | 80 | int | the port of the Nebula manager | yes |
| nebula_manager_protocol | NEBULA_MANAGER_PROTOCOL | http | http | string | protocol used to contact the Nebula manager - http or https | yes |
| nebula_manager_request_timeout | NEBULA_MANAGER_REQUEST_TIMEOUT | 60 | 60 | int | the time (in seconds) to wait for a response from the Nebula manager before timing out | yes |
| nebula_manager_check_in_time | NEBULA_MANAGER_CHECK_IN_TIME | 30 | 30 | int | the interval (in seconds) at which the device checks in with the Nebula manager to see if any changes to the application have happened; the lower this is, the faster changes to any app or device_group will propagate to the device, but the higher the load on the manager will be, so more managers will be needed | yes |
| device_group | DEVICE_GROUP | | smart_fridge_device_group | string | the device group to attach a device to - each device can only exist in a single device_group but each device_group can have unlimited apps in it | yes |
| reporting_fail_hard | REPORTING_FAIL_HARD | true | false | bool | part of the optional reporting system; if true, any failure in the reporting system will fail hard and restart the worker, and if false it will attempt to continue; setting to false will mean that a lot of errors will need to be manually fixed by the admin | no |
| report_on_update_only | REPORT_ON_UPDATE_ONLY | false | true | bool | part of the optional reporting system; if false (the default) all reports are sent to kafka, and if true only reports that contain a change in the device configuration are sent | no |
| kafka_bootstrap_servers | KAFKA_BOOTSTRAP_SERVERS | | mykafka.mydomain.com:9092 or empty | string | part of the optional reporting system, the FQDN/IP address of the bootstrap kafka nodes; if not set, everything regarding the optional reporting system will be unused, and setting it to any value is the trigger that turns on the reporting component of the workers | no |
| kafka_security_protocol | KAFKA_SECURITY_PROTOCOL | PLAINTEXT | PLAINTEXT, SSL, SASL_PLAINTEXT, SASL_SSL | string | part of the optional reporting system, the protocol used to communicate with the kafka brokers; valid values are PLAINTEXT, SSL, SASL_PLAINTEXT or SASL_SSL | no |
| kafka_sasl_mechanism | KAFKA_SASL_MECHANISM | | PLAIN or empty | string | part of the optional reporting system, string picking the sasl mechanism when security_protocol is SASL_PLAINTEXT or SASL_SSL; valid values are PLAIN or EMPTY, leaving it empty/undefined will mean sasl is not used | no |
| kafka_sasl_plain_username | KAFKA_SASL_PLAIN_USERNAME | | mysaslusername or empty | string | part of the optional reporting system, the username to use to connect to the kafka brokers if kafka_sasl_mechanism is set to PLAIN & kafka_security_protocol is set to SASL_PLAINTEXT | no |
| kafka_sasl_plain_password | KAFKA_SASL_PLAIN_PASSWORD | | mysaslpassword or empty | string | part of the optional reporting system, the password to use to connect to the kafka brokers if kafka_sasl_mechanism is set to PLAIN & kafka_security_protocol is set to SASL_PLAINTEXT | no |
| kafka_ssl_keyfile | KAFKA_SSL_KEYFILE | | /mykeyfile or empty | string | part of the optional reporting system, path of the SSL keyfile to connect to the kafka brokers with if SSL is set to be used | no |
| kafka_ssl_password | KAFKA_SSL_PASSWORD | | mysslpassword or empty | string | part of the optional reporting system, path of SSL keyfile password to connect to the kafka brokers with if SSL is set to be used | no |
| kafka_ssl_certfile | KAFKA_SSL_CERTFILE | | /mycertfile or empty | string | part of the optional reporting system, path of the SSL certfile to connect to the kafka brokers with if SSL is set to be used | no |
| kafka_ssl_cafile | KAFKA_SSL_CAFILE | | /mycafile or empty | string | part of the optional reporting system, path of the SSL cafile to connect to the kafka brokers with if SSL is set to be used | no |
| kafka_ssl_crlfile | KAFKA_SSL_CRLFILE | | /mycrlfile or empty | string | part of the optional reporting system, path of the SSL crlfile to connect to the kafka brokers with if SSL is set to be used | no |
| kafka_sasl_kerberos_service_name | KAFKA_SASL_KERBEROS_SERVICE_NAME | kafka | kafka | string | part of the optional reporting system, the kerberos service name used to connect to the kafka brokers if kerberos is configured to be used | no |
| kafka_sasl_kerberos_domain_name | KAFKA_SASL_KERBEROS_DOMAIN_NAME | kafka | kafka | string | part of the optional reporting system, the kerberos domain name used to connect to the kafka brokers if kerberos is configured to be used | no |
| kafka_topic | KAFKA_TOPIC | nebula-reports | my-nebula-kafka-topic | string | part of the optional reporting system, the kafka topic name reports will be written to; it's up to the admin to ensure proper topic sizing/partitioning on the kafka side | no |

Envvars take priority over variables set in the config/* files when both are set (the registry user & pass values can also be set through the standard "~/.docker/config.json" file, by not setting them as envvars or in the Nebula config file). It's suggested to always wrap envvar values in quotation marks, but this is only required if the envvar uses special characters (for example "mongodb://mongo_user:mongo_pass@mongo_host:27017/?ssl=true&replicaSet=mongo_replica_set&authSource=mongo_auth_schema"). Some variables have defaults that will be used if they are set neither as envvars nor in the conf.json file.
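A pre-deployment check for the settings above, as an added example that is not part of the Nebula project: it merges a config file with envvars in the priority order just described and flags combinations that put the manager or Kafka credentials on the wire unencrypted. The function names, the finding texts and the sample values are constructed for illustration; the key names, envvar names and defaults are the ones listed in the table.

```python
import json

# Keys this check reads; all names come from the table above.
KEYS = ("nebula_manager_protocol", "nebula_manager_basic_auth_password",
        "nebula_manager_auth_token", "kafka_bootstrap_servers",
        "kafka_security_protocol", "kafka_sasl_plain_password")
# Defaults listed in the table for the checked keys that have one.
DEFAULTS = {"nebula_manager_protocol": "http", "kafka_security_protocol": "PLAINTEXT"}
# The one checked key whose envvar name is not the upper-cased config key.
ENV_NAMES = {"nebula_manager_basic_auth_password": "NEBULA_MANAGER_AUTH_PASSWORD"}


def effective_config(file_conf, environ):
    """Merge defaults < config file < envvars (envvars take priority)."""
    conf = {**DEFAULTS, **file_conf}
    for key in KEYS:
        env_name = ENV_NAMES.get(key, key.upper())
        if env_name in environ:
            conf[key] = environ[env_name]
    return conf


def audit(conf):
    """Return findings for settings that put secrets on the wire unencrypted."""
    findings = []
    manager_secret = (conf.get("nebula_manager_basic_auth_password")
                      or conf.get("nebula_manager_auth_token"))
    if manager_secret and str(conf["nebula_manager_protocol"]).lower() != "https":
        findings.append("manager credentials are sent over plain http")
    if conf.get("kafka_bootstrap_servers"):  # reporting is only active when set
        proto = str(conf["kafka_security_protocol"]).upper()
        if proto in ("PLAINTEXT", "SASL_PLAINTEXT"):
            findings.append("kafka reports are sent unencrypted (" + proto + ")")
        if proto == "SASL_PLAINTEXT" and conf.get("kafka_sasl_plain_password"):
            findings.append("kafka SASL PLAIN password is sent unencrypted")
    return findings


# Constructed sample conf.json content (not from a real deployment).
WEAK_CONF = json.loads("""{
  "nebula_manager_host": "mynebulaapi.exampledomain.com",
  "nebula_manager_auth_token": "constructed-token",
  "kafka_bootstrap_servers": "mykafka.mydomain.com:9092",
  "kafka_security_protocol": "SASL_PLAINTEXT",
  "kafka_sasl_plain_password": "mysaslpassword"
}""")
# Constructed envvars that override the weak file values.
HARDENED_ENV = {"NEBULA_MANAGER_PROTOCOL": "https", "KAFKA_SECURITY_PROTOCOL": "SASL_SSL"}

if __name__ == "__main__":
    print(audit(effective_config(WEAK_CONF, {})))
    print(audit(effective_config(WEAK_CONF, HARDENED_ENV)))
```

Because the manager protocol defaults to http, a worker that only sets a token or basic auth password is flagged until nebula_manager_protocol is explicitly set to https.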

An example config file is located at "example_conf.json.example" in the /config/ folder of the worker GitHub repo (and, by extension, inside its containers).

The following table shows the path of each config file inside the docker containers:

| container | config path inside container | example Dockerfile COPY command overwrite |
|---|---|---|
| worker | /worker/config/conf.json | COPY config/conf.json /worker/config/conf.json |