custom script as root. This is extremely powerful and makes Bosh viable for most systems. For most of the things we run we don’t need this power and end up reimplementing ways to be rid of it in each job.
deletions−
• UAA: 6 files changed, 41 insertions+, 217 deletions−
• CAPI (Cloud Controller job): 5 files changed, 50 insertions+, 130 deletions−
• Routing: 8 files changed, 34 insertions+, 118 deletions−
We found diminishing returns after this. Many other releases were assessed and didn’t show any new challenges.
benefit from being in a container it needs to be runnable as non-root. This is being worked on but is still not stable.
• Container Networking: This needs to run as root. There are still potentially lifecycle and simplicity improvements from running in a container, but no security benefit.
means that they cannot read the configuration or credentials of other jobs.
• Jobs automatically run as the vcap user.
• The job is restricted to only writing to its persistent and ephemeral storage directories. Everything else is mounted as read-only.
CPU that a job receives.
• Settings which can safely be applied automatically in order to improve performance are applied automatically [Damato, 2017].
good abstraction that wasn’t just the mount(8) command in YAML form.

Packaging Format
How do we distribute this? Required collocated release? Modify the Bosh team’s stemcell?

Lifecycle Hooks
We found that some releases needed bash in some form to start, e.g. keytool. We can’t predict this. A small auditable hook will probably need to stay.
paths to decouple from Bosh system paths.

System Path                    Container Path
/var/vcap/jobs/bbs/config      /config
/var/vcap/store/bbs            /store
CredHub FUSE Filesystem        /credentials

This gets rid of vcap and lets jobs be collocated and uncollocated after they’ve been deployed.
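The mount plan behind the two slides above (config read-only, only the job’s own persistent and ephemeral directories writable, container paths decoupled from /var/vcap), as an added example that is not part of the original deck or of Bosh itself. It assumes the job name `bbs`, an ephemeral directory under /var/vcap/data/<job> (the deck names no ephemeral path) and a `/data` container path for it; the CredHub FUSE mount is left out because its host-side path is not on the slides.

```python
"""Build and check a per-job mount plan that mirrors the deck's isolation rules."""
from __future__ import annotations
from dataclasses import dataclass
from pathlib import PurePosixPath

VCAP_ROOT = PurePosixPath("/var/vcap")
# Assumption (not on the slides): ephemeral storage lives under /var/vcap/data/<job>.
EPHEMERAL_ROOT = VCAP_ROOT / "data"


@dataclass(frozen=True)
class Mount:
    source: str      # path on the Bosh VM
    target: str      # path the job sees inside its container
    read_only: bool


def mount_plan(job: str) -> list[Mount]:
    """Map Bosh system paths to container paths: config read-only,
    persistent and ephemeral storage writable, nothing else mounted."""
    if not job or "/" in job or job in (".", ".."):
        raise ValueError(f"bad job name: {job!r}")
    return [
        Mount(str(VCAP_ROOT / "jobs" / job / "config"), "/config", True),
        Mount(str(VCAP_ROOT / "store" / job), "/store", False),
        Mount(str(EPHEMERAL_ROOT / job), "/data", False),  # assumed path
    ]


def violations(job: str, plan: list[Mount]) -> list[str]:
    """Return the reasons a plan would break job isolation (empty if none)."""
    problems = []
    for m in plan:
        parts = PurePosixPath(m.source).parts
        # Every source must sit under /var/vcap/<area>/<this job>/..., so one
        # job can never see another job's config, credentials or data.
        if len(parts) < 5 or parts[:3] != ("/", "var", "vcap") or parts[4] != job:
            problems.append(f"{m.source} is not scoped to job {job!r}")
        # Config (and therefore rendered credentials) is never writable.
        if parts[3:4] == ("jobs",) and not m.read_only:
            problems.append(f"{m.source}: config must be read-only")
        # Container-side paths must not leak the Bosh system layout.
        if m.target.startswith("/var/vcap"):
            problems.append(f"{m.target} leaks the Bosh system path layout")
    return problems
```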
variable avoids thousands of system calls. https://blog.packagecloud.io/eng/2017/02/21/set-environment-variable-save-thousands-of-system-calls/
Paul, I. (2015). Scary Steam for Linux bug erases all the personal files on your PC. http://www.pcworld.com/article/2871653/scary-steam-for-linux-bug-erases-all-the-personal-files-on-your-pc.html