Re: DEA/Warden staging error


Kyle Havlovitz (kyhavlov)
 

After more tinkering, I got security group rules set up that allowed the app to download the buildpack and push successfully. However, after about 30 seconds the container loses network connectivity and external requests to it fail. I can still get into the container with the warden shell but any network requests fail. Would something be blocking the container’s network access shortly after it comes up (mistakenly thinking it’s unresponsive)?

From: Kyle Havlovitz <kyhavlov(a)cisco.com>
Reply-To: "Discussions about Cloud Foundry projects and the system overall." <cf-dev(a)lists.cloudfoundry.org>
Date: Thursday, September 17, 2015 at 3:30 PM
To: "Discussions about Cloud Foundry projects and the system overall." <cf-dev(a)lists.cloudfoundry.org>
Subject: [cf-dev] DEA/Warden staging error

I’ve been trying to configure the CC security groups to get this stuff working and haven’t been able to do it. Currently I’m trying to use just one security group to allow anything:
Name allow_all
Rules
[
  {
    "destination": "0.0.0.0-255.255.255.255",
    "protocol": "all"
  },
  {
    "destination": "0.0.0.0/0",
    "ports": "53",
    "protocol": "tcp"
  },
  {
    "destination": "0.0.0.0/0",
    "ports": "53",
    "protocol": "udp"
  }
]

But I still can’t get to anything from inside the container. Is there something else I have to configure for this?

From: CF Runtime <cfruntime(a)gmail.com>
Reply-To: "Discussions about Cloud Foundry projects and the system overall." <cf-dev(a)lists.cloudfoundry.org>
Date: Thursday, September 17, 2015 at 1:28 PM
To: "Discussions about Cloud Foundry projects and the system overall." <cf-dev(a)lists.cloudfoundry.org>
Subject: [cf-dev] Re: Re: Re: Re: Re: Re: Re: Re: DEA/Warden staging error

It certainly could be. By default the containers reject all egress traffic. CC security groups configure iptables rules that allow traffic out.

One of the default security groups in the BOSH templates allows access on port 53. If you have no security groups, the containers will not be able to make any outgoing requests.

Joseph & Natalie
CF Release Integration Team

On Thu, Sep 17, 2015 at 8:44 AM, Kyle Havlovitz (kyhavlov) <kyhavlov(a)cisco.com> wrote:
On running git clone inside the container via the warden shell, I get:
"Cloning into 'staticfile-buildpack'...
fatal: unable to access 'https://github.com/cloudfoundry/staticfile-buildpack/': Could not resolve host: github.com".
So the container can't get to anything outside of it (I also tried pinging some external IPs to make sure it wasn't a DNS thing). Would this be caused by cloud controller security group settings?
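
Added example, not part of the thread and not Cloud Foundry code: a small offline checker that evaluates which rules of the allow_all group quoted above would permit a given egress flow, and which rules are already covered by the protocol "all" rule. The function names are hypothetical, and it assumes a flow is allowed when any rule matches and rejected when none does; it does not model how the DEA turns the rules into iptables.

```python
import ipaddress
import json

# Rules of the allow_all security group, as quoted in the thread.
ALLOW_ALL = json.loads("""[
  {"destination": "0.0.0.0-255.255.255.255", "protocol": "all"},
  {"destination": "0.0.0.0/0", "ports": "53", "protocol": "tcp"},
  {"destination": "0.0.0.0/0", "ports": "53", "protocol": "udp"}
]""")

def dest_networks(dest):
    """Turn a destination (single IP, CIDR or 'first-last' range) into networks."""
    if "-" in dest:
        first, last = (ipaddress.ip_address(p.strip()) for p in dest.split("-", 1))
        return list(ipaddress.summarize_address_range(first, last))
    return [ipaddress.ip_network(dest, strict=False)]

def port_allowed(spec, port):
    """Match a port against '53', '80,443' or '8080-8090' style specs."""
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def matching_rules(rules, ip, protocol, port=None):
    """Indexes of rules that allow this egress flow; an empty list means rejected."""
    addr = ipaddress.ip_address(ip)
    hits = []
    for i, rule in enumerate(rules):
        if rule["protocol"] not in ("all", protocol):
            continue
        if not any(addr in net for net in dest_networks(rule["destination"])):
            continue
        if "ports" in rule and (port is None or not port_allowed(rule["ports"], port)):
            continue
        hits.append(i)
    return hits

def redundant_rules(rules):
    """Indexes of rules whose destination a protocol-'all' rule already covers."""
    wide = [n for r in rules if r["protocol"] == "all"
            for n in dest_networks(r["destination"])]
    return [i for i, r in enumerate(rules) if r["protocol"] != "all"
            and all(any(n.subnet_of(w) for w in wide)
                    for n in dest_networks(r["destination"]))]

if __name__ == "__main__":
    # Constructed sample flow: DNS over UDP to an arbitrary resolver address.
    print("udp/53 allowed by rules:", matching_rules(ALLOW_ALL, "8.8.8.8", "udp", 53))
    print("rules covered by the 'all' rule:", redundant_rules(ALLOW_ALL))
```

With the quoted group, the two port 53 rules add nothing beyond the first rule; with only those two rules, an HTTPS fetch of a buildpack would match no rule.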
