Page History
Table of Contents |
---|
Introduction
- The JS7 Agent comes preinstalled from a container image.
- The image includes a recent OpenJDK Java LTS release.
- Users who wish to run JS7 - JavaScript Jobs that require JS7 - Installing Oracle GraalVM should consider to build their own images, see JS7 - Agent Build of Container Image.
- Initial operation for JS7 Agents includes:
- registering the Controller instance(s) and Agents that are used in the job scheduling environment.
- optionally registering a JS7 - Agent Cluster.
As an alternative to the instructions from this article users can refer to the JS7 - Agent Installation using Docker Compose article.
Installation Video
This video explains how to install the JS7 Agent from a container image:
Widget Connector | ||
---|---|---|
|
Pulling the Agent Image
Pull the version of the Agent container image that corresponds to the JS7 release in use, for example:
Code Block | ||||||
---|---|---|---|---|---|---|
| ||||||
docker image pull sosberlin/js7:agent-2-5-0 |
Note: Current releases should be applied as available from https://hub.docker.com/r/sosberlin/js7
Alternatively, 'plus' container images are available that include a recent PowerShell environment and the JS7 - PowerShell Module:
Code Block | ||||||
---|---|---|---|---|---|---|
| ||||||
docker image pull sosberlin/js7:agent-2-5-0-SNAPSHOTplus |
Running the Agent Container
After pulling the Agent image you can run the container with a number of options like thissuch as:
Code Block | ||||||
---|---|---|---|---|---|---|
| ||||||
#!/bin/sh docker run -dit --rm \ --user="$(id -u $USER):$(id -g $USER)" \ --hostname=js7-agent-primary \ --network=js7 \ --publish=16445:4445 \ --env="RUN_JS_JAVA_OPTIONS=-Xmx256m" \ --mountenv="type=volume,src=js7-agent-primary-config,dst=/var/sos-berlin.com/js7/agent/var_4445/config" \ --mount="type=volume,src=js7-agent-primary-logs,dst=/var/sos-berlin.com/js7/agent/var_4445/logs"RUN_JS_USER_ID=$(id -u $USER):$(id -g $USER)" \ --mount="type=volume,src=js7-agent-primary-statevar,dst=/var/sos-berlin.com/js7/agent/var_4445/state" \ --name js7-agent-primary \ sosberlin/js7:agent-2-05-0-SNAPSHOT |
Explanations:
...
Explanation:
--network
The above example makes use of a Docker container network - created e.g. with , for example, using the commanddocker network create js7
- to allow network sharing between containers. Consider Note that any inside ports used by Docker containers are visible within a Docker networkcontainer network. Therefore an Agent running for the inside port4445
is accessible in conjunction with the container's hostname and the same port within the Docker container network.--publish
The Agent is prepared configured to listen to the HTTP port4445
by default. An outside port of the Docker container's host can be mapped to the Agent's inside HTTP port. This is not required for use with a Docker container network, see--network
, however, it will allow direct access to the Agent from the Docker container's host by via its outside port .--env=RUN_JS_JAVA_OPTIONS
This allows to inject any Java options to be injected into the Agent's container. Preferably this is used to specify memory requirements of an for the Agent, e.g. with-Xmx256m
.--env=RUN_JS_USER_ID
Inside the container the Agent is operated with thejobscheduler
user account. In order to access files created by the Agent such as log files, and which are mounted to the container's host, it is recommended that you map the account that is starting the container to thejobscheduler
account inside the container. TheRUN_JS_USER_ID
environment variable accepts the User ID and Group ID of the account that will be mapped. The above example makes use of the current user, for details see JS7 - Running Containers for User Accounts.--mount
The The following volume mounts are suggested:var
: This folder works as an entry point to the following sub-folders:config
: The configuration folder allows
- the specification of individual settings for
- the operation of the Agent - see the sections below and the JS7 - Agent Configuration Items article.
- Default settings are
- available on initial operation.
logs
: In order to have persistent Agent log files
- they have to be written to a volume that is mounted for the container. Feel free to adjust the volume name from the
src
attribute
- . However, the value of the
dst
attribute should not be changed as it reflects the directory hierarchy inside the container. state
: The Agent requires a directory for journal information that should also be
- persistent. The journal is required to restore the state of orders when restarting the Agent.
- Docker offers
Containers offer a number of
ways how to mount volumes to containers that include e.g. to createmethods for mounting volumes that include, for example, creating a local folder and
to mapmapping the folder to a volume
like thisbefore executing the
docker run
command listed above:Code Block language bash title Example how to create Docker volumes linenumbers true # example to map volumes to directories on the Dockercontainer's host prior to running the Agent container mkdir -p /home/sos/js7/js7-agent-primary/config /home/sos/js7/js7-agent-primary/logsvar docker volume create --driver local --opt o=bind --opt type=none --opt device="/home/sos/js7/js7-agent-primary/configvar" js7-agent-primary-config docker volume create --driver local --opt o=bind --opt type=none --opt device="/home/sos/js7/js7-agent-primary/logs" js7-agent-primary-logs
Configuring the Agent
var
sosberlin/js7:agent-2-5-0
: The name of the base image is the same as that which was previously used with thedocker pull
command. Alternatively this could besosberlin/js7:agent-2-5-0-plus
for use of a "plus" image.
Time Service
It is recommended that a time service is operated on the host which runs the Agent container in order to synchronize the system clock's time.
Log Files
Access to log files is essential to identify problems during installation and operation of containers.
When mounting a volume for log files as explained above you should have access to the files indicated with the JS7 - Log Files and Locations article.
- The
agent.log
file reports general information, warnings and errors. - The
watchdog.log
file includes information about automated restarts of the Agent.
Further Resources
Running the Agent Container from a "plus" Image
- See the JS7 - Agent Installation for Containers with 'plus' images article.
Manage Agents
Configure the Agent
Note that it is not necessary to configure the Consider that it is not required to configure an Agent - it runs out-of-the-box. Zero The default configuration includes specifies that:
- deployment of objects , e.g. such as workflows and jobs , is not subject to compliance requirements such as non-repudiation.
- HTTP connections are used that which expose unencrypted communication between Controller instances and Agent. Authentication is performed by hashed passwords.
Users who intend to operate a compliant and secure job scheduling environment should consider the below explanations for
- deployment of objects with digital signatures that can be used to restrict and to verify who deploys a given object such as a workflow.
- HTTPS connections that encrypt communication and that include mutual authentication by certificates without use of passwords.
Compliance: Use of Signing Certificates
Agents accept deployments for a number of objects such as workflows from a Controller only if such objects are digitally signed.
- If JOC Cockpit is operated for Security Level Low then a single X.509 private key assigned to the JOC Cockpit
root
account is used to sign any objects by any JOC Cockpit accounts. - If JOC Cockpit is operated for Security Level Medium or High then each account that deploys objects has to own an individual X.509 private key or PGP private key.
To verify the signature of an object the Agent has to apply the public key or certificate that matches the private key used for signing with JOC Cockpit.
- If X.509 private keys are used for signing of objects then the Root CA Certificate or Intermediate CA Certificate that was used to sign the respective private key has to be in place with the Agent.
- If PGP private keys are used for signing of objects then the public key matching the signing key has to be in place with the Agent.
- The Agent expects certificates/public keys from the following locations:
- X.509 Certificates
- Location
- Windows:
C:\ProgramData\sos-berlin.com\js7\agent\var_4445\config\private\trusted-x509-keys
- Unix:
/var/sos-berlin.com/js7/agent/var_4445/config/private/trusted-x509-keys
- Windows:
- The expected X.509 certificate format is PEM. Certificates can be added from any file names with the extension
.pem
. - Consider that instead of individual certificates per signing key the Root CA Certificate or Intermediate CA Certificate that was used to sign the private keys is sufficient.
- Location
- PGP Public Keys
- Location
- Windows:
C:\ProgramData\sos-berlin.com\js7\agent\var_4445\config\private\trusted-pgp-keys
- Unix:
/var/sos-berlin.com/js7/agent/var_4445/config/private/trusted-pgp-keys
- Windows:
- PGP public keys are expected in ASCII armored format. They can be added from any file names with the extension
.asc
. - Consider that for each PGP private key that is used for signing the corresponding public key has to be available with the Agent.
- Location
- By default the Agent ships with an X.509 certificate of SOS that matches the default signing key available with the JOC Cockpit
root
account.
- X.509 Certificates
- In order to add individual certificates/public keys add the respective files to the above location corresponding the key type. To revoke certificates/public keys accordingly remove the respective files from the above location matching the key type.
- The above locations for certificates/public keys can be accessed from the Docker volume specified with the
--mount
option for the Agent's container directory/var/sos-berlin.com/js7/agent/var_4445/config
. The locations for X.509 certificates and PGP public keys are available from sub-directories.
Security: Use with HTTPS Connections
The Agent by default is prepared for connections by Controller instances using the HTTP and the HTTPS protocols.
In order to activate HTTPS consider the following prerequisites.
Provide Keystore, Truststore and Configuration for Mutual Authentication
Connections to Agents are established from Controller instances. If the HTTPS protocol is used then in addition to securing the communication channel the Agent requires mutual authentication.
Agent Keystore and Truststore
- The Controller instance's private key has to be created for Server Authentication and Client Authentication extended key usages.
- The Agent is provided
- a keystore that holds its private key, certificate, Root CA Certificate and optionally Intermediate CA Certificate.
- a truststore that holds the certificate chain - consisting of Root CA Certificate and optionally Intermediate CA Certificate - required to verify the Controller instance's certificate.
- Keystores and truststores are files in PKCS12 format, usually with a .p12 extension. They should be added to the following locations:
- Keystore
- Windows:
C:\ProgramData\sos-berlin.com\js7\agent\var_4445\config\private\https-keystore.p12
- Unix:
/var/sos-berlin.com/js7/agent/var_4445/config/private/https-keystore.p12
- Windows:
- Truststore
- Windows:
C:\ProgramData\sos-berlin.com\js7\agent\var_4445\config\private\https-truststore.p12
- Unix:
/var/sos-berlin.com/js7/agent/var_4445/config/private/https-truststore.p12
- Windows:
- Keystore
Agent Configuration
- The Agent's
private.conf
configuration file has to be added the following configuration items. For details see JS7 - Agent Configuration- Mutual Authentication
Code Block language bash title Agent Configuration for Mutual Authentication linenumbers true js7 { auth { # User accounts for https connections users { # Controller account for connections by primary/secondary Controller instance Controller { distinguished-names=[ "DNQ=SOS CA, CN=js7-controller-primary, OU=IT, O=SOS, L=Berlin, ST=Berlin, C=DE", "DNQ=SOS CA, CN=js7-controller-secondary, OU=IT, O=SOS, L=Berlin, ST=Berlin, C=DE" ] } } }
- This setting specifies the distinguished names that are available from the subjects of Controller instance certificates. Consider that the common name (CN) attribute specifies the hostname of a Controller instance. The configuration authenticates a given Controller instance as the distinguished name is unique for a server certificate and therefore replaces use of passwords.
- Keystore and truststore locations:
Code Block language bash title Agent Configuration for Keystore and Truststore Locations linenumbers true js7 { web { # Locations of keystore and truststore files for HTTPS connections https { keystore { # Default: ${js7.config-directory}"/private/https-keystore.p12" file=${js7.config-directory}"/private/https-keystore.p12" key-password=jobscheduler store-password=jobscheduler } truststores=[ { # Default: ${js7.config-directory}"/private/https-truststore.p12" file=${js7.config-directory}"/private/https-truststore.p12" store-password=jobscheduler } ] } } }
- The above configuration items specify the locations of keystore and truststore.
- Consider optional use of a key password and store password for keystores and of a store password for truststores.
- Mutual Authentication
Run the Agent Container for HTTPS Connections
The following additional arguments are required for HTTPS connections:
Code Block | ||||||
---|---|---|---|---|---|---|
| ||||||
#!/bin/sh
docker run -dit --rm \
...
--publish=16443:4443 \
--env="RUN_JS_HTTPS_PORT=4443" \
... |
Explanations:
--publish
The Agent image is prepared to accept HTTPS requests on port4443
. If the Agent is not operated in a Docker network then an outside port of the Docker host has to be mapped to the inside HTTPS port4443
. The same port has to be assigned theRUN_JS_HTTPS_PORT
environment variable.--env=RUN_JS_HTTPS_PORT
The port assigned this environment variable is the same as the inside HTTPS port specified with the--publish
option.
Note:
are recommended to familiarize themselves with the JS7 - Agent Configuration for Containers article series.
Build the Agent Image
User who wish to create individual images of the Agent will find instructions in the JS7 - Agent Build of Container Image article
...
.