Date   

Re: App autosleep support

James Bayer
 

this feature request has come up occasionally, but rarely. this type of
feature is usually the most applicable to service providers with a free or
very low cost tier, where this can make a substantial difference in
increasing density.

you should consider rescheduling when moving out of the dormant state
(which may take awhile to send the container image to a new host), then you
have to account for resource reservations on the Cells anyway in case they
all wake up. one possibility is the common case to have the container image
pre-staged on a host and the Cell typically would have enough resources
available. in the case where it doesn't, then you reschedule and hold the
requests (up to a max # of requests for that app) longer. has some
interesting potential for DOS if not constrained.

the use of a route-service for implementation is an interesting idea, but
it does mean that every request for the app needs to go through a route
service even when the app is not sleeping, so i could also see other
alternative designs that stay out of the request path unless the app is
dormant. maybe that's something the system could do (after inactivity
period bind the app to a route-service) and when leaving the dormant state,
unbind the app from the route service.

it's probably most important to define "the what and why" of this feature
first, and then we can ask the routing eng team if they have ideas on how
to implement or if it makes sense as existing points of extension like a
service and the in-progress route service.

On Thu, Jul 30, 2015 at 5:58 PM, Gwenn Etourneau <getourneau(a)pivotal.io>
wrote:

For the autosleep feature why not but again only for non-prod application.

In my previous company, for DEV environment we stop application which have
been not updated since one month except some exception.
We considered that DEV is for active development.
Was just a batch script looking in the CCDB and calling cf-cli to stop
apps.






On Thu, Jul 30, 2015 at 7:46 PM, Guillaume Berche <bercheg(a)gmail.com>
wrote:

Hi,

I wonder if there are plans to implement an auto-sleep behavior in
cloudfoundry, in which inactive apps would be automatically stopped after a
max inactivity threshold, and automatically restart upon arrival of traffic
on their routes. Similar to google app engine default behavior [1]

I did not find mentions of this yet in mailing lists and trackers.

We feel at Orange that such feature can improve the density for some of
our non-prod use-cases (with environmental and financial benefits).

I'd like to know if someone in the community already worked on such
feature or would be interested in collaborating on an opensource
implementation.

I drafted some specs for a java-based implementation we're planning to
work on [2]. I'd love to hear feedbacks and suggestions on this.

Thanks in advance,

Guillaume.

[1] https://cloud.google.com/appengine/docs/java/modules/
[2]
https://docs.google.com/document/d/1tMhIBX3tw7kPEOMCzKhUgmtmr26GVxyXwUTwMO71THI/edit#

_______________________________________________
cf-dev mailing list
cf-dev(a)lists.cloudfoundry.org
https://lists.cloudfoundry.org/mailman/listinfo/cf-dev

_______________________________________________
cf-dev mailing list
cf-dev(a)lists.cloudfoundry.org
https://lists.cloudfoundry.org/mailman/listinfo/cf-dev


--
Thank you,

James Bayer


Re: SSH access to CF app instances on Diego

James Bayer
 

gwenn, i suspect guillaume is referencing the platform policies around ssh
and container lifecycle which has not had more discussion that i'm aware
of. i think eric has received some additional feedback from some people,
but i have not seen what it is either or an outline of how the defaults and
configuration options will be exposed.

On Thu, Jul 30, 2015 at 6:01 PM, Gwenn Etourneau <getourneau(a)pivotal.io>
wrote:

Guillaume,

Not sure is related but the ssh have been already implemented and is
available on diego and cf-release.


On Thu, Jul 30, 2015 at 10:35 PM, Guillaume Berche <bercheg(a)gmail.com>
wrote:

Eric,

The CAB minutes [1] mentionned you were still looking for feedback from
the community on the policy for altered instances, but this thread seems
silent for a while.

Not sure you had seen my email and suggestion below for a way to
quarantine the altered instances (beyond the per-space restart policy
configuration). Such quarantine request might be a good place to include
option to ask for the quarantine instances to be excluded from gorouter
traffic.

[1]
http://www.activestate.com/blog/2015/07/cloud-foundry-advisory-board-meeting-2015-july

Regards,

Guillaume.

On Fri, Jul 3, 2015 at 3:56 PM, Guillaume Berche <bercheg(a)gmail.com>
wrote:

Hi,

please find my feedback to this thread

*short version:*
1- need preserve good CF experience with HTTP only (direct SSH flow is
still blocked and a pain in many organisations) => +1 to preserve "cf
files" or fine tune diego plug to have ssh over HTTP to work out of the box
2- default "recycle tainted containers by default" policy seems good to
me
3- needs to be completed with more control of the recycling policy (UX
such as "quarantine" or GAE "lock/unlock" )
4- development use-cases need to be better supported (dev/prod parity)
not sure ssh/scp is the right path though

*long version:*

*1- cf files and ssh over HTTP*

As previously mentionned into [1], CF exposing apis over HTTP api made a
great job to be easily consummed through HTTP proxies that some companies
still use, making CF experience seemless to consumme public paas, or
private paas among corporate entities. It seems important to me to preserve
good CF experience with HTTP only.

If SSH interactive access, scp and port forwarding become the mainstream
solution to operate and troubleshoot apps (supporting "cf files",
replacement for the previous DEBUG and CONSOLE ports), it will be useful
for users behind such firewalls to be able to configure diego ssh plugin to
use HTTP/SOCKS proxies to reach public CF instances. As the diego ssh cli
plugin supports using the regular local host ssh binaries, this may
potentially be done by tweaking the .ssh config file to add flags
associated to host ssh.${domain} to go through proxies (possibly double
tunnels as described into [2]). However, for new users in such network
context, especially on windows operating system, the set up work before
using a CF public instance starts to add up?

*2- default "recycle tainted containers by default" seems good to me*

Given that apps deployed on CF comply to 12 factor apps, there instance
may be restarted at anytime (e.g. during a CF new release deployment or
stemcell upgrade). So the default policy "recycle tainted containers by
default" is not a surprise.

*3- need to be completed with more control of the recycling policy (UX
such as "quarantine" or GAE "lock/unlock" )*

There are some specific use-cases where the "recycle tainted containers
by default" policy would be problematic when running applications in
production:

An application instance is malfunctionning (e.g. hanging) and an
interactive debugging is necessary. The app-ops ssh into the container and
starts taking some diagnostic steps (e.g sending kill -SIGTERM signals to
take thread dumps, or locally changes log levels).

If ever the ssh connection breaks/timeout, the "recycle tainted
containers by default, preventing the current diagnostc to complete.

Another similar use case: a production application is suspected to be
compromised by an attacker. App-ops need to capture evidences and
understand better how the abuse was done. There isn't enough information in
streamed logs, and there is a need to get into the container to inspect the
ephemeral FS and the processes and memory. This may require more than one
simultanenous SSH connection, and may span on multiple hours

In both use-cases above, while the application is 12 factor compliant
and the "recycle tainted containers by default" policy would be opted in on
the corresponding space, there would be a need to transiently turn the mode
off.

In term of user experience, this may appear as an explicit user request
to "quarantine" the tainted app instances (or the whoe app) so that CF does
not attempt to restart them. Or it may appear as the google app engine
"lock/unlock"

a call to a new "unlock" command to a CF app instance would be necessary
to get SSH access to it. CF then considers this instance as
"tained"/untrusted, as it may have deviated from the pushed content, and
does not act to it anymore (i.e. does not monitor its bound $PORT or root
process exit, which may be handy to diagnose it as wish). When the "lock"
command is requested on this instance, Cf destroys this tainted instance,
and recreates a fresh new "trusted" one.

*4- development use-cases need to be better supported (dev/prod parity)
not sure ssh/scp is the right path though*

I agree with James Myers that development use-cases should be better
supported.

First, CF should strive to support dev-prod parity [4]. However
currently, there is not anymore a version of CF that a developper can run
on his laptop (e.g. when doing offline development during commute) that
would behave like prod and embed buildpacks. There used to have "CF on a
single VM". Heroku or GAE have emulators. Cloud rocker [5] is close, but it
still takes 10s or more to have changes made on the app be reflected into a
running app.

There are some legitimate use cases during development for modifying
sources of the application and have those changes be taken in effect
immediately. Lots of app development framework supports those development
modes (even those that promote test-driven practices), and getting a fast
feedback is important. Having dev-prod parity means supporting these use
cases while preserving prod behavior (having the VCAP_SERVICES and
VCAP_APPLICATION and the buildpack processing applied on the same stack
(cflinux2)). Being able to run offline would be even better.

I however believe that providing SSH/SCP access to change the file
system to a running app instance may not be the appropriate response, given
the FS and the app instance is still ephemeral. Who would want to modify
files that could be lost at any time (e.g. a stemcell upgrade ) ?

I'd rather see value in further exploring the ideas layed out by James
Bayer into [5] e.g. as a form of a git repo populated with the
/home/vcap/app subdir, that developers could clone, push to, and have the
instance epheremal FS updated with pushed changes.

This may be combined with a cloudrocker mechanism as to work with a
fully offline mode when this is required.

[1]
https://groups.google.com/a/cloudfoundry.org/d/msg/vcap-dev/OavSBIhU_xQ/wJrT08iHfJ8J
[2] http://proxytunnel.sourceforge.net/paper.php
[3]
https://cloud.google.com/appengine/docs/managed-vms/host-env#changing_management
[4] http://12factor.net/dev-prod-parity
[5]
https://docs.google.com/document/d/1_C3OWS6giWx4JL_IL9YLA6jcppyQLVD-YjR0GeA8Z0s/edit#heading=h.toypuu5pxh65



On Thu, Jul 2, 2015 at 10:18 PM, James Myers <jmyers(a)pivotal.io> wrote:

I have to agree with Matt on this one. I feel that the recycling of
containers is a very anti-developer default. When you approach Cloud
Foundry from the perspective of running production applications the recycle
policy makes complete sense. However, I feel that this misses out on one of
the massive benefits/use cases of Cloud Foundry, what it offers to the
development process.

From a security stand point, if you can ssh into a container, it means
you have write access to the application in CloudFoundry. Thus you can
already push new bits/change the application in question. All of the
"papertrail" functionality around pushing/changing applications exists for
SSH as well (we record events, output log lines, make it visible to users
that action was taken on the application), and thus concerned operators
would be able to determine if someone modifying the application in question.

Therefore I'm lost on how this is truly the most secure default. If we
are really going by the idea that all defaults should be the most secure,
ssh should be disabled by default.

As a developer, I can see many times in which I would want to be able
to ssh into my container and change my application as part of a
troubleshooting process. Using BOSH as an example, CF Devs constantly ssh
into VMs and change the processes running on them in order to facilitate
development. BOSH does not reap the VM and redeploy a new instance when you
have closed the SSH session. Once again this is largely due to the fact
that if you have SSH access, you can already perform the necessary actions
to change the application through different means.

Another huge hindrance to development, is that the recycling policy is
controlled by administrators. It is not something that normal users can
control, even though we allow the granularity of enabling/disabling SSH
completely to the end user. This seems counterintuitive.

I feel that a better solution would be to provide the user with some
knowledge of which instances may be tainted, and then allowing them to opt
into a policy which will reap tainted containers. This provides users with
clear insight that their application instance may be a snowflake (and that
they may want to take action), while also allowing normal behavior with
regards to SSH access to containers.

To summarize, by enabling the recycling policy by default we not only
produce extremely unusual behavior / workflows for developers, we are also
minimizing the developer-friendliness of CF in general. This mixed with the
fact that as a user I cannot even control this policy, leads me to believe
that as a default recycling should be turned off as it provides the most
cohesive and friendly user experience.

On Mon, Jun 29, 2015 at 9:14 AM, John Wong <gokoproject(a)gmail.com>
wrote:

after executing a command, concluding an interactive session, or
copying a file into an instance, that instance will be restarted.

How does it monitor the behavior? Is there a list of commands
whitelisted? I am curious because I am trying to find out what the
whitelist contain. Also is it at the end of the bosh ssh APP_NAME session?
What if two users are there simultaneously?

Thanks.

On Mon, Jun 29, 2015 at 5:49 AM, Dieu Cao <dcao(a)pivotal.io> wrote:

I think with the CLI we could add clarifying messaging when using ssh
what the current policy around recycling is.
Eric, what do you think about calling it the "recycling" policy,
enabled by default? =D

-Dieu


On Sat, Jun 27, 2015 at 3:42 AM, Matthew Sykes <
matthew.sykes(a)gmail.com> wrote:

Depends on your role and where your app is in the deployment
pipeline. Most of the scenarios I envisioned were for the tail end of
development where you need to poke around to debug and figure out those
last few problems.

For example, Ryan Morgan was saying that the Cloud Foundry plugin
for eclipse is going to be using the ssh support in diego to enable debug
of application instances in the context of a buildpack deployed app. This
is aligned with other requirements I've heard from people working on dev
tools.

As apps reach production, I would hope that interactive ssh is
disabled entirely on the prod space leaving only scp in source mode as an
option (something the proxy can do).

Between dev and prod, there's a spectrum, but in general, I either
expect access to be enabled or disabled - not enabled with a suicidal
tendency.

On Thu, Jun 25, 2015 at 10:53 PM, Benjamin Black <bblack(a)pivotal.io>
wrote:

matt,

could you elaborate a bit on what you believe ssh access to
instances is for?


b


On Thu, Jun 25, 2015 at 9:29 PM, Matthew Sykes <
matthew.sykes(a)gmail.com> wrote:

My concern is the default behavior.

When I first prototyped this support in February, I never expected
that merely accessing a container would cause it to be terminated. As we
can see from Jan's response, it's completely unexpected; many others have
the same reaction.

I do not believe that this behavior should be part of the default
configuration and I do believe the control needs to be at the space level.
I have have already expressed this opinion during Diego retros and at the
runtime PMC meeting.

I honestly believe that if we were talking about applying this
behavior to `bosh ssh` and `bosh scp`, few would even consider running in a
'kill on taint mode' because of how useful it is. We should learn from that.

If this behavior becomes the default, I think our platform will be
seen as moving from opinionated to parochial. That would be unfortunate.


On Thu, Jun 25, 2015 at 6:05 PM, James Bayer <jbayer(a)pivotal.io>
wrote:

you can turn the "restart tainted containers" feature off with
configuration if you are authorized to do so. then using scp to write files
into a container would be persisted for the lifetime of the container even
after the ssh session ends.

On Thu, Jun 25, 2015 at 5:50 PM, Jan Dubois <jand(a)activestate.com
wrote:
On Thu, Jun 25, 2015 at 5:36 PM, Eric Malm <emalm(a)pivotal.io>
wrote:
after executing a command, concluding an
interactive session, or copying a file into an instance, that
instance will
be restarted.
What is the purpose of being able to copy a file into an
instance if
the instance is restarted as soon as the file has been received?

Cheers,
-Jan
_______________________________________________
cf-dev mailing list
cf-dev(a)lists.cloudfoundry.org
https://lists.cloudfoundry.org/mailman/listinfo/cf-dev


--
Thank you,

James Bayer

_______________________________________________
cf-dev mailing list
cf-dev(a)lists.cloudfoundry.org
https://lists.cloudfoundry.org/mailman/listinfo/cf-dev


--
Matthew Sykes
matthew.sykes(a)gmail.com

_______________________________________________
cf-dev mailing list
cf-dev(a)lists.cloudfoundry.org
https://lists.cloudfoundry.org/mailman/listinfo/cf-dev

_______________________________________________
cf-dev mailing list
cf-dev(a)lists.cloudfoundry.org
https://lists.cloudfoundry.org/mailman/listinfo/cf-dev


--
Matthew Sykes
matthew.sykes(a)gmail.com

_______________________________________________
cf-dev mailing list
cf-dev(a)lists.cloudfoundry.org
https://lists.cloudfoundry.org/mailman/listinfo/cf-dev

_______________________________________________
cf-dev mailing list
cf-dev(a)lists.cloudfoundry.org
https://lists.cloudfoundry.org/mailman/listinfo/cf-dev

_______________________________________________
cf-dev mailing list
cf-dev(a)lists.cloudfoundry.org
https://lists.cloudfoundry.org/mailman/listinfo/cf-dev

_______________________________________________
cf-dev mailing list
cf-dev(a)lists.cloudfoundry.org
https://lists.cloudfoundry.org/mailman/listinfo/cf-dev

_______________________________________________
cf-dev mailing list
cf-dev(a)lists.cloudfoundry.org
https://lists.cloudfoundry.org/mailman/listinfo/cf-dev

_______________________________________________
cf-dev mailing list
cf-dev(a)lists.cloudfoundry.org
https://lists.cloudfoundry.org/mailman/listinfo/cf-dev


--
Thank you,

James Bayer


Re: CF-Abacus: incubation and inception meeting coming soon

Matt Cowger
 

Stormy - I will happily blog it and take pictures...but you don't want my
notes...I was always the one in college that borrowed notes.

On Thu, Jul 30, 2015 at 3:37 PM, Stormy Peters <speters(a)cloudfoundry.org>
wrote:

Will somebody be taking notes? Would somebody be willing to blog about
this afterwards?

Maybe take a group picture and summarize what was discussed?

Thanks,

Stormy


On Thu, Jul 30, 2015 at 3:31 PM, Michael Maximilien <maxim(a)us.ibm.com>
wrote:

Hi, all,

Here is pertinent information for CF-Abacus inception meeting next week.

Invites to those interested is sent. If you want to attend physically then ping me or Devin from CFF on CC: since
we need to add you to the list for the WeWork building.

---------
*Date:* Wednesday August 5th, 2015

*Time:* 9:30am - 12:30pm PDT

*Location:*
CloudFoundry Foundation Offices @ WeWork SF on Mission

WeWork
535 Mission St., *19th floor *
San Francisco, CA

*Room:* 19B

*Call info:*
IBM AT&T Conference Call
USA 888-426-6840; 215-861-6239 | Participant code: 1985291
All other countries, find number here: http://goo.gl/RnNfc1

*Hangout:* TBD
---------

Best,

------
dr.max
ibm cloud labs
silicon valley, ca
maximilien.org


*Michael Maximilien/Almaden/IBM*

07/29/2015 11:35 AM
To
"cf-dev(a)lists.cloudfoundry.org" <cf-dev(a)lists.cloudfoundry.org>
cc
Subject
Re: CF-Abacus: incubation and inception meeting coming soon




Quick update on inception meeting.

To accommodate our friends and colleagues from Europe who would like to
attend, let's plan to move the meeting to 10a to 12:30p with the option of
lunch after at nearby location in SF.

Unless I hear any objections I will send the invites to those interested
parties who have already contacted me and confirm details here.

If you want to attend (local or remote) please remember to reply to me
with email so I can add you to invite list.

Best,

dr.max
ibm cloud labs
silicon valley, ca

Sent from my iPhone

On Jul 28, 2015, at 10:15 PM, Michael Maximilien <*maxim(a)us.ibm.com*
<maxim(a)us.ibm.com>> wrote:

Hi, all,

Now that CF-Abacus is officially an incubator under the guidance of the
CFF, here are some quick updates:

1. The project official github moved to:

*https://github.com/cloudfoundry-incubator/cf-abacus*
<https://github.com/cloudfoundry-incubator/cf-abacus>

2. We are planning an inception next week Wednesday from 2p to 5p in SF.

We invite everyone interested to take a look at the repo, provide
feedback, or better, join us at the inception meeting. The location will be
either CFF, Pivotal, or IBM. All within a few blocks in downtown SF.

We will also have Google hangout and conference call for remote
participants.

If interested, then respond to me directly so I add you to the invite
list.

Thanks and talk next week. Best,

CF-Abacus team

dr.max
ibm cloud labs
silicon valley, ca

Sent from my iPhone


_______________________________________________
cf-dev mailing list
cf-dev(a)lists.cloudfoundry.org
https://lists.cloudfoundry.org/mailman/listinfo/cf-dev

_______________________________________________
cf-dev mailing list
cf-dev(a)lists.cloudfoundry.org
https://lists.cloudfoundry.org/mailman/listinfo/cf-dev


--
-- Matt


Re: FYI: CAB call for July 2015 - moved to 7/15 @ 8a PDT

Amit Kumar Gupta
 

Hi Guillaume,

Thanks for your question. The best place to start understanding how diego
generates manifests is to look at the manifest generation script in the
diego-release repository:

https://github.com/cloudfoundry-incubator/diego-release/blob/develop/scripts/generate-deployment-manifest

It primarily merges data into the main diego template:

https://github.com/cloudfoundry-incubator/diego-release/blob/develop/manifest-generation/diego.yml

There are several principles operating at the heart of this manifest
generation strategy:

1. The inputs to the script should be a fixed list of stubs with a specific
data structure (not an arbitrary list of stub files which can have all sorts
of crazy structures in their YAML).
2. The YAML structure of the stub should make sense for the purpose of the
stub, i.e. clearly represent the data it contains, it should not represent
the data in some strange contorted format that needs to know where in the
upstream manifest template it will be merged into.
3. Avoid (( merge )) within the body of the template, places that need to
have values filled in explicitly reference the value from the stub that they
need.
4. No nested templates, or "stubs" that have spiff double-parens syntax in
them.
5. Each stub should have a single responsibility (e.g. instance count
overrides, persistent disk overrides, etc.) which should be small and easy
to understand; any two stubs should have orthogonal responsibilities, e.g.
you don't specify some credentials in this stub, and some other credentials
in another stub.
6. The responsibilities of the stubs should be generalizable to any BOSH
release (e.g. "instance count overrides" is a generic enough purpose that
would make sense for any BOSH release.)
7. Have an explicit stub for IaaS settings (basically anything that goes
into a cloud_properties stanza in a BOSH manifest); the main template should
be IaaS agnostic (rather than a template for each IaaS).
8. Cleanliness; do not produce a manifest in the end that has a bunch of
unnecessary junk that BOSH doesn't even use (e.g. "meta"). People tend to
develop the bad habit of depending on this random data.
9. No default property values in the templates; defaults should live in the
job specs, the only properties exposed in the template should be the ones it
makes sense to override.
10. Don't expose every property for override. spiff has hard limitations
that make it impossible to use if you want to construct any arbitrary
deployment manifest for a given release (or set of releases). Given that it
already can't solve every problem, understand that the manifest generation
tooling also doesn't need to solve every possible problem. Advanced users
who want to override obscure properties can use their own advanced tooling.
11. Dovetail with upcoming bosh features:
https://github.com/cloudfoundry/bosh-notes/blob/master/links.md
https://github.com/cloudfoundry/bosh-notes/blob/master/global-networking.md
https://github.com/cloudfoundry/bosh-notes/blob/master/cloud-config.md
https://github.com/cloudfoundry/bosh-notes/blob/master/availability-zones.md

The long-term goal is to make BOSH smarter and ideally obviate the need for
complex tooling to generate these unwieldy, several-thousand-line YAML
manifests. On the surface, both diego-release and cf-release suggest how to
use spiff to generate manifests, but the way the two use spiff is
drastically different. With diego, we've started by simplifying how
manifests are generated so that the full power of spiff isn't needed, and
identifying better abstractions that make sense for BOSH to know about so
that eventually none of the power of spiff is needed.



-----
Amit, CF OSS Release Integration PM
Pivotal Software, Inc.
--
View this message in context: http://cf-dev.70369.x6.nabble.com/cf-dev-CAB-call-for-July-2015-moved-to-7-15-8a-PDT-tp645p986.html
Sent from the CF Dev mailing list archive at Nabble.com.


Re: SSH access to CF app instances on Diego

Gwenn Etourneau
 

Guillaume,

Not sure is related but the ssh have been already implemented and is
available on diego and cf-release.


On Thu, Jul 30, 2015 at 10:35 PM, Guillaume Berche <bercheg(a)gmail.com>
wrote:

Eric,

The CAB minutes [1] mentionned you were still looking for feedback from
the community on the policy for altered instances, but this thread seems
silent for a while.

Not sure you had seen my email and suggestion below for a way to
quarantine the altered instances (beyond the per-space restart policy
configuration). Such quarantine request might be a good place to include
option to ask for the quarantine instances to be excluded from gorouter
traffic.

[1]
http://www.activestate.com/blog/2015/07/cloud-foundry-advisory-board-meeting-2015-july

Regards,

Guillaume.

On Fri, Jul 3, 2015 at 3:56 PM, Guillaume Berche <bercheg(a)gmail.com>
wrote:

Hi,

please find my feedback to this thread

*short version:*
1- need preserve good CF experience with HTTP only (direct SSH flow is
still blocked and a pain in many organisations) => +1 to preserve "cf
files" or fine tune diego plug to have ssh over HTTP to work out of the box
2- default "recycle tainted containers by default" policy seems good to me
3- needs to be completed with more control of the recycling policy (UX
such as "quarantine" or GAE "lock/unlock" )
4- development use-cases need to be better supported (dev/prod parity)
not sure ssh/scp is the right path though

*long version:*

*1- cf files and ssh over HTTP*

As previously mentionned into [1], CF exposing apis over HTTP api made a
great job to be easily consummed through HTTP proxies that some companies
still use, making CF experience seemless to consumme public paas, or
private paas among corporate entities. It seems important to me to preserve
good CF experience with HTTP only.

If SSH interactive access, scp and port forwarding become the mainstream
solution to operate and troubleshoot apps (supporting "cf files",
replacement for the previous DEBUG and CONSOLE ports), it will be useful
for users behind such firewalls to be able to configure diego ssh plugin to
use HTTP/SOCKS proxies to reach public CF instances. As the diego ssh cli
plugin supports using the regular local host ssh binaries, this may
potentially be done by tweaking the .ssh config file to add flags
associated to host ssh.${domain} to go through proxies (possibly double
tunnels as described into [2]). However, for new users in such network
context, especially on windows operating system, the set up work before
using a CF public instance starts to add up?

*2- default "recycle tainted containers by default" seems good to me*

Given that apps deployed on CF comply to 12 factor apps, there instance
may be restarted at anytime (e.g. during a CF new release deployment or
stemcell upgrade). So the default policy "recycle tainted containers by
default" is not a surprise.

*3- need to be completed with more control of the recycling policy (UX
such as "quarantine" or GAE "lock/unlock" )*

There are some specific use-cases where the "recycle tainted containers
by default" policy would be problematic when running applications in
production:

An application instance is malfunctionning (e.g. hanging) and an
interactive debugging is necessary. The app-ops ssh into the container and
starts taking some diagnostic steps (e.g sending kill -SIGTERM signals to
take thread dumps, or locally changes log levels).

If ever the ssh connection breaks/timeout, the "recycle tainted
containers by default, preventing the current diagnostc to complete.

Another similar use case: a production application is suspected to be
compromised by an attacker. App-ops need to capture evidences and
understand better how the abuse was done. There isn't enough information in
streamed logs, and there is a need to get into the container to inspect the
ephemeral FS and the processes and memory. This may require more than one
simultanenous SSH connection, and may span on multiple hours

In both use-cases above, while the application is 12 factor compliant and
the "recycle tainted containers by default" policy would be opted in on the
corresponding space, there would be a need to transiently turn the mode off.

In term of user experience, this may appear as an explicit user request
to "quarantine" the tainted app instances (or the whoe app) so that CF does
not attempt to restart them. Or it may appear as the google app engine
"lock/unlock"

a call to a new "unlock" command to a CF app instance would be necessary
to get SSH access to it. CF then considers this instance as
"tained"/untrusted, as it may have deviated from the pushed content, and
does not act to it anymore (i.e. does not monitor its bound $PORT or root
process exit, which may be handy to diagnose it as wish). When the "lock"
command is requested on this instance, Cf destroys this tainted instance,
and recreates a fresh new "trusted" one.

*4- development use-cases need to be better supported (dev/prod parity)
not sure ssh/scp is the right path though*

I agree with James Myers that development use-cases should be better
supported.

First, CF should strive to support dev-prod parity [4]. However
currently, there is not anymore a version of CF that a developper can run
on his laptop (e.g. when doing offline development during commute) that
would behave like prod and embed buildpacks. There used to have "CF on a
single VM". Heroku or GAE have emulators. Cloud rocker [5] is close, but it
still takes 10s or more to have changes made on the app be reflected into a
running app.

There are some legitimate use cases during development for modifying
sources of the application and have those changes be taken in effect
immediately. Lots of app development framework supports those development
modes (even those that promote test-driven practices), and getting a fast
feedback is important. Having dev-prod parity means supporting these use
cases while preserving prod behavior (having the VCAP_SERVICES and
VCAP_APPLICATION and the buildpack processing applied on the same stack
(cflinux2)). Being able to run offline would be even better.

I however believe that providing SSH/SCP access to change the file system
to a running app instance may not be the appropriate response, given the FS
and the app instance is still ephemeral. Who would want to modify files
that could be lost at any time (e.g. a stemcell upgrade ) ?

I'd rather see value in further exploring the ideas layed out by James
Bayer into [5] e.g. as a form of a git repo populated with the
/home/vcap/app subdir, that developers could clone, push to, and have the
instance epheremal FS updated with pushed changes.

This may be combined with a cloudrocker mechanism as to work with a fully
offline mode when this is required.

[1]
https://groups.google.com/a/cloudfoundry.org/d/msg/vcap-dev/OavSBIhU_xQ/wJrT08iHfJ8J
[2] http://proxytunnel.sourceforge.net/paper.php
[3]
https://cloud.google.com/appengine/docs/managed-vms/host-env#changing_management
[4] http://12factor.net/dev-prod-parity
[5]
https://docs.google.com/document/d/1_C3OWS6giWx4JL_IL9YLA6jcppyQLVD-YjR0GeA8Z0s/edit#heading=h.toypuu5pxh65



On Thu, Jul 2, 2015 at 10:18 PM, James Myers <jmyers(a)pivotal.io> wrote:

I have to agree with Matt on this one. I feel that the recycling of
containers is a very anti-developer default. When you approach Cloud
Foundry from the perspective of running production applications the recycle
policy makes complete sense. However, I feel that this misses out on one of
the massive benefits/use cases of Cloud Foundry, what it offers to the
development process.

From a security stand point, if you can ssh into a container, it means
you have write access to the application in CloudFoundry. Thus you can
already push new bits/change the application in question. All of the
"papertrail" functionality around pushing/changing applications exists for
SSH as well (we record events, output log lines, make it visible to users
that action was taken on the application), and thus concerned operators
would be able to determine if someone modifying the application in question.

Therefore I'm lost on how this is truly the most secure default. If we
are really going by the idea that all defaults should be the most secure,
ssh should be disabled by default.

As a developer, I can see many times in which I would want to be able to
ssh into my container and change my application as part of a
troubleshooting process. Using BOSH as an example, CF Devs constantly ssh
into VMs and change the processes running on them in order to facilitate
development. BOSH does not reap the VM and redeploy a new instance when you
have closed the SSH session. Once again this is largely due to the fact
that if you have SSH access, you can already perform the necessary actions
to change the application through different means.

Another huge hindrance to development, is that the recycling policy is
controlled by administrators. It is not something that normal users can
control, even though we allow the granularity of enabling/disabling SSH
completely to the end user. This seems counterintuitive.

I feel that a better solution would be to provide the user with some
knowledge of which instances may be tainted, and then allowing them to opt
into a policy which will reap tainted containers. This provides users with
clear insight that their application instance may be a snowflake (and that
they may want to take action), while also allowing normal behavior with
regards to SSH access to containers.

To summarize, by enabling the recycling policy by default we not only
produce extremely unusual behavior / workflows for developers, we are also
minimizing the developer-friendliness of CF in general. This mixed with the
fact that as a user I cannot even control this policy, leads me to believe
that as a default recycling should be turned off as it provides the most
cohesive and friendly user experience.

On Mon, Jun 29, 2015 at 9:14 AM, John Wong <gokoproject(a)gmail.com>
wrote:

after executing a command, concluding an interactive session, or
copying a file into an instance, that instance will be restarted.

How does it monitor the behavior? Is there a list of commands
whitelisted? I am curious because I am trying to find out what the
whitelist contain. Also is it at the end of the bosh ssh APP_NAME session?
What if two users are there simultaneously?

Thanks.

On Mon, Jun 29, 2015 at 5:49 AM, Dieu Cao <dcao(a)pivotal.io> wrote:

I think with the CLI we could add clarifying messaging when using ssh
what the current policy around recycling is.
Eric, what do you think about calling it the "recycling" policy,
enabled by default? =D

-Dieu


On Sat, Jun 27, 2015 at 3:42 AM, Matthew Sykes <
matthew.sykes(a)gmail.com> wrote:

Depends on your role and where your app is in the deployment
pipeline. Most of the scenarios I envisioned were for the tail end of
development where you need to poke around to debug and figure out those
last few problems.

For example, Ryan Morgan was saying that the Cloud Foundry plugin for
eclipse is going to be using the ssh support in diego to enable debug of
application instances in the context of a buildpack deployed app. This is
aligned with other requirements I've heard from people working on dev tools.

As apps reach production, I would hope that interactive ssh is
disabled entirely on the prod space leaving only scp in source mode as an
option (something the proxy can do).

Between dev and prod, there's a spectrum, but in general, I either
expect access to be enabled or disabled - not enabled with a suicidal
tendency.

On Thu, Jun 25, 2015 at 10:53 PM, Benjamin Black <bblack(a)pivotal.io>
wrote:

matt,

could you elaborate a bit on what you believe ssh access to
instances is for?


b


On Thu, Jun 25, 2015 at 9:29 PM, Matthew Sykes <
matthew.sykes(a)gmail.com> wrote:

My concern is the default behavior.

When I first prototyped this support in February, I never expected
that merely accessing a container would cause it to be terminated. As we
can see from Jan's response, it's completely unexpected; many others have
the same reaction.

I do not believe that this behavior should be part of the default
configuration and I do believe the control needs to be at the space level.
I have have already expressed this opinion during Diego retros and at the
runtime PMC meeting.

I honestly believe that if we were talking about applying this
behavior to `bosh ssh` and `bosh scp`, few would even consider running in a
'kill on taint mode' because of how useful it is. We should learn from that.

If this behavior becomes the default, I think our platform will be
seen as moving from opinionated to parochial. That would be unfortunate.


On Thu, Jun 25, 2015 at 6:05 PM, James Bayer <jbayer(a)pivotal.io>
wrote:

you can turn the "restart tainted containers" feature off with
configuration if you are authorized to do so. then using scp to write files
into a container would be persisted for the lifetime of the container even
after the ssh session ends.

On Thu, Jun 25, 2015 at 5:50 PM, Jan Dubois <jand(a)activestate.com>
wrote:

On Thu, Jun 25, 2015 at 5:36 PM, Eric Malm <emalm(a)pivotal.io>
wrote:
after executing a command, concluding an
interactive session, or copying a file into an instance, that
instance will
be restarted.
What is the purpose of being able to copy a file into an instance
if
the instance is restarted as soon as the file has been received?

Cheers,
-Jan
_______________________________________________
cf-dev mailing list
cf-dev(a)lists.cloudfoundry.org
https://lists.cloudfoundry.org/mailman/listinfo/cf-dev


--
Thank you,

James Bayer

_______________________________________________
cf-dev mailing list
cf-dev(a)lists.cloudfoundry.org
https://lists.cloudfoundry.org/mailman/listinfo/cf-dev


--
Matthew Sykes
matthew.sykes(a)gmail.com

_______________________________________________
cf-dev mailing list
cf-dev(a)lists.cloudfoundry.org
https://lists.cloudfoundry.org/mailman/listinfo/cf-dev

_______________________________________________
cf-dev mailing list
cf-dev(a)lists.cloudfoundry.org
https://lists.cloudfoundry.org/mailman/listinfo/cf-dev


--
Matthew Sykes
matthew.sykes(a)gmail.com

_______________________________________________
cf-dev mailing list
cf-dev(a)lists.cloudfoundry.org
https://lists.cloudfoundry.org/mailman/listinfo/cf-dev

_______________________________________________
cf-dev mailing list
cf-dev(a)lists.cloudfoundry.org
https://lists.cloudfoundry.org/mailman/listinfo/cf-dev

_______________________________________________
cf-dev mailing list
cf-dev(a)lists.cloudfoundry.org
https://lists.cloudfoundry.org/mailman/listinfo/cf-dev

_______________________________________________
cf-dev mailing list
cf-dev(a)lists.cloudfoundry.org
https://lists.cloudfoundry.org/mailman/listinfo/cf-dev

_______________________________________________
cf-dev mailing list
cf-dev(a)lists.cloudfoundry.org
https://lists.cloudfoundry.org/mailman/listinfo/cf-dev


Re: App autosleep support

Gwenn Etourneau
 

For the autosleep feature why not but again only for non-prod application.

In my previous company, for DEV environment we stop application which have
been not updated since one month except some exception.
We considered that DEV is for active development.
Was just a batch script looking in the CCDB and calling cf-cli to stop
apps.

On Thu, Jul 30, 2015 at 7:46 PM, Guillaume Berche <bercheg(a)gmail.com> wrote:

Hi,

I wonder if there are plans to implement an auto-sleep behavior in
cloudfoundry, in which inactive apps would be automatically stopped after a
max inactivity threshold, and automatically restart upon arrival of traffic
on their routes. Similar to google app engine default behavior [1]

I did not find mentions of this yet in mailing lists and trackers.

We feel at Orange that such feature can improve the density for some of
our non-prod use-cases (with environmental and financial benefits).

I'd like to know if someone in the community already worked on such
feature or would be interested in collaborating on an opensource
implementation.

I drafted some specs for a java-based implementation we're planning to
work on [2]. I'd love to hear feedbacks and suggestions on this.

Thanks in advance,

Guillaume.

[1] https://cloud.google.com/appengine/docs/java/modules/
[2]
https://docs.google.com/document/d/1tMhIBX3tw7kPEOMCzKhUgmtmr26GVxyXwUTwMO71THI/edit#

_______________________________________________
cf-dev mailing list
cf-dev(a)lists.cloudfoundry.org
https://lists.cloudfoundry.org/mailman/listinfo/cf-dev


Re: CF-Abacus: incubation and inception meeting coming soon

Stormy
 

Will somebody be taking notes? Would somebody be willing to blog about this
afterwards?

Maybe take a group picture and summarize what was discussed?

Thanks,

Stormy


On Thu, Jul 30, 2015 at 3:31 PM, Michael Maximilien <maxim(a)us.ibm.com>
wrote:

Hi, all,

Here is pertinent information for CF-Abacus inception meeting next week.

Invites to those interested is sent. If you want to attend physically then ping me or Devin from CFF on CC: since
we need to add you to the list for the WeWork building.

---------
*Date:* Wednesday August 5th, 2015

*Time:* 9:30am - 12:30pm PDT

*Location:*
CloudFoundry Foundation Offices @ WeWork SF on Mission

WeWork
535 Mission St., *19th floor *
San Francisco, CA

*Room:* 19B

*Call info:*
IBM AT&T Conference Call
USA 888-426-6840; 215-861-6239 | Participant code: 1985291
All other countries, find number here: http://goo.gl/RnNfc1

*Hangout:* TBD
---------

Best,

------
dr.max
ibm cloud labs
silicon valley, ca
maximilien.org


*Michael Maximilien/Almaden/IBM*

07/29/2015 11:35 AM
To
"cf-dev(a)lists.cloudfoundry.org" <cf-dev(a)lists.cloudfoundry.org>
cc
Subject
Re: CF-Abacus: incubation and inception meeting coming soon




Quick update on inception meeting.

To accommodate our friends and colleagues from Europe who would like to
attend, let's plan to move the meeting to 10a to 12:30p with the option of
lunch after at nearby location in SF.

Unless I hear any objections I will send the invites to those interested
parties who have already contacted me and confirm details here.

If you want to attend (local or remote) please remember to reply to me
with email so I can add you to invite list.

Best,

dr.max
ibm cloud labs
silicon valley, ca

Sent from my iPhone

On Jul 28, 2015, at 10:15 PM, Michael Maximilien <*maxim(a)us.ibm.com*
<maxim(a)us.ibm.com>> wrote:

Hi, all,

Now that CF-Abacus is officially an incubator under the guidance of the
CFF, here are some quick updates:

1. The project official github moved to:

*https://github.com/cloudfoundry-incubator/cf-abacus*
<https://github.com/cloudfoundry-incubator/cf-abacus>

2. We are planning an inception next week Wednesday from 2p to 5p in SF.

We invite everyone interested to take a look at the repo, provide
feedback, or better, join us at the inception meeting. The location will be
either CFF, Pivotal, or IBM. All within a few blocks in downtown SF.

We will also have Google hangout and conference call for remote
participants.

If interested, then respond to me directly so I add you to the invite list.

Thanks and talk next week. Best,

CF-Abacus team

dr.max
ibm cloud labs
silicon valley, ca

Sent from my iPhone


_______________________________________________
cf-dev mailing list
cf-dev(a)lists.cloudfoundry.org
https://lists.cloudfoundry.org/mailman/listinfo/cf-dev


Re: Removing FUSE support from CF

Onsi Fakhouri <ofakhouri@...>
 

Yes, and perhaps I wasn't very clear about that. Thanks for teasing that
out Mike.

Onsi

On Thu, Jul 30, 2015 at 2:27 PM, Mike Youngstrom <youngm(a)gmail.com> wrote:

Right. So to restate this discussion only applies to buildpack containers
docker containers currently are and will continue to be run in unprivileged
mode by default. Correct?

On Thu, Jul 30, 2015 at 2:47 PM, Onsi Fakhouri <ofakhouri(a)pivotal.io>
wrote:

Hey Mike,

Just to be clear, I think you have a (consistent) sign error throughout
your e-mail?

Cloud Controller's current behavior is to request *un*privileged (i.e.
"more secure") containers for Docker images and privileged (i.e. "less
secure") containers for buildpack apps.

Our proposal is to make the privileged flag for buildpack apps
configurable (and it sounds like folks are leaning towards the per-space
approach).

I think we want to continue to enforce *un*privileged containers for
docker images as the attack surface is substantially higher with a docker
image.

Onsi



On Thu, Jul 30, 2015 at 12:39 PM, Mike Youngstrom <youngm(a)gmail.com>
wrote:

Good description. Count us as one who does not use FUSE and would very
much like to run docker images in privileged mode.

Perhaps it would be appropriate to force privileged mode for docker apps
but allow running non privileged for non docker applications until FUSE can
be removed?

Mike



On Thu, Jul 30, 2015 at 10:34 AM, Julian Friedman <
julz.friedman(a)gmail.com> wrote:

Hi Guillaume, I'd put it like this: running containers with
'privileged: false' makes them safe /even if/ a user gets root. With a
docker image this is essential, because getting root is trivial. With a
buildpack image this is less essential, but it means /even if/ a root
escalation exploit is found (these do exist, there was an escalation via
overlayfs patched a while ago) you're still safe. 'Privileged: false' turns
on user namespacing and turns off various capabilities: it's what the
Garden team recommend most containers use. 'Privileged: true' relies on the
security of your rootfs and users never getting root; if your use case
requires it you'll of course need to make a judgement, but you're trading
off quite a lot of security in my opinion.

Sent from my iPhone

On 30 Jul 2015, at 17:12, Guillaume Berche <bercheg(a)gmail.com> wrote:

Thanks Onsi. Being able to use FUSE is quite important to us too.

Can you clarify the security risk associated with running a privileged
container (as a workaround for the lack of fuse support within user
namespace), when pushing an app that goes through the buildpack staging
process (hence running as vcap user) ?

From http://godoc.org/github.com/cloudfoundry-incubator/garden I see

// If Privileged is true the container does not have a user namespace and the root user in the container
// is the same as the root user in the host. Otherwise, the container has a user namespace and the root
// user in the container is mapped to a non-root user in the host. Defaults to false.
Privileged bool <http://godoc.org/builtin#bool> `json:"privileged,omitempty"`


I understand the risk is specific to running a docker image built using
the docker file USER directive (specially root): then the container will
run as the host root ?

BTW, is the ability to run as a different user in staging and running
currently considered as discussed into
https://groups.google.com/a/cloudfoundry.org/d/msg/vcap-dev/ZlC-2DVOSHo/uRrF6Io52mEJ
?

Thanks,

Guillaume.

On Thu, Jul 30, 2015 at 3:27 AM, Jack Cai <greensight(a)gmail.com> wrote:

+1 for space-level configuration.

Jack

On Wed, Jul 29, 2015 at 2:04 PM, Matt Cowger <matt(a)cowger.us> wrote:

We're wary of adding too many knobs to the platform and exposing
them all the way down to app developers increases the cognitive load for
folks using the platform. Enabling/disabling it on a per-installation
level, and - maybe - a per-space level, might be a decent compromise?

Agreed. I'd argue this this probably not be a 'per-app' thing, as I
too amy way of the knobs that developers like to turn. I think a per space
level is just the right level.

On Wed, Jul 29, 2015 at 10:20 AM, Onsi Fakhouri <ofakhouri(a)pivotal.io
wrote:
That's still very much open for discussion. Obviously, someone with
administrative privileges should be in charge of this particular piece of
configuration.

Also making this a runtime config (e.g. feature flag) as opposed to
a deploy-time config (e.g. part of the CC config written out by BOSH) would
make the different behaviors more testable.

Thoughts? Preferences? We're wary of adding too many knobs to the
platform and exposing them all the way down to app developers increases the
cognitive load for folks using the platform. Enabling/disabling it on a
per-installation level, and - maybe - a per-space level, might be a decent
compromise?

Onsi



On Wed, Jul 29, 2015 at 9:54 AM, Matt Cowger <matt(a)cowger.us> wrote:

Once - configurable on a per-app, per space, or per deployment
basis?

On Wed, Jul 29, 2015 at 9:50 AM, Onsi Fakhouri <
ofakhouri(a)pivotal.io> wrote:

Hey all,

Based on the feedback we got and the relatively low cost to
maintain privileged support we'd like to propose making running privileged
containers on the platform configurable - we will recommend this be turned
off when running untrusted workloads and it will likely default to off. We
have longer term plans to support mounting persistent volumes in Diego at
which point support for mounting FUSE in unprivileged containers can become
a reality.

Thoughts?

Onsi

On Mon, Jul 13, 2015 at 4:42 AM, Daniel Mikusa <dmikusa(a)pivotal.io
wrote:
On Mon, Jul 13, 2015 at 2:48 AM, Lerenc, Vedran <
vedran.lerenc(a)sap.com> wrote:

Hi Onsi,



Ø Thoughts? Concerns?



Well, that’s bad news.



We, and I assume many others as well (like the folks from
Stackato who do it in the public), have used SSHFS + FUSE to implement a
persistent file system for old-fashioned apps/apps that are not
Cloud-native. I don’t want to fight an ideological battle here, it’s just
that these apps do still exist (in majority) and a file system service is
an important service/feature for them.



So if you remove FUSE (which we thought is not going away/was
added to stay), it’s pretty bad for us/many apps.



Best regards, Vedran
+1 - It would be sad to see FUSE support go away. It's been very
helpful for running apps that depend on a persistent FS, like Wordpress.
Perhaps this use case of mounting a remote SSHFS could be supported in some
other way?

Dan








*From: *Onsi Fakhouri
*Reply-To: *"Discussions about Cloud Foundry projects and the
system overall."
*Date: *Saturday 11 July 2015 01:10
*To: *cf-dev
*Subject: *[cf-dev] Removing FUSE support from CF



Hey CF-Dev,



The Garden team has been hard at work substantially improving
Garden-Linux's security features. Garden-Linux now employs user namespaces
and drops capabilities when creating unprivileged containers - we're
excited to bring both of these features to the platform!



Diego currently runs applications in *privileged* containers.
These lack the security features outlined above and we are planning on
switching to launch all CF applications in *unprivileged*
containers.



Unfortunately, it has proved difficult to support
mounting FUSE filesystems from within unprivileged containers. We believe
the security benefits outweigh the features that FUSE give us and* are
planning on removing support for FUSE in favor of better securing our
containers.* If/when FUSE support in unprivileged containers
becomes possible we may add it back to the platform.



Thoughts? Concerns?



Thanks!



Onsi

_______________________________________________
cf-dev mailing list
cf-dev(a)lists.cloudfoundry.org
https://lists.cloudfoundry.org/mailman/listinfo/cf-dev

_______________________________________________
cf-dev mailing list
cf-dev(a)lists.cloudfoundry.org
https://lists.cloudfoundry.org/mailman/listinfo/cf-dev


--
-- Matt

_______________________________________________
cf-dev mailing list
cf-dev(a)lists.cloudfoundry.org
https://lists.cloudfoundry.org/mailman/listinfo/cf-dev

_______________________________________________
cf-dev mailing list
cf-dev(a)lists.cloudfoundry.org
https://lists.cloudfoundry.org/mailman/listinfo/cf-dev


--
-- Matt

_______________________________________________
cf-dev mailing list
cf-dev(a)lists.cloudfoundry.org
https://lists.cloudfoundry.org/mailman/listinfo/cf-dev

_______________________________________________
cf-dev mailing list
cf-dev(a)lists.cloudfoundry.org
https://lists.cloudfoundry.org/mailman/listinfo/cf-dev

_______________________________________________
cf-dev mailing list
cf-dev(a)lists.cloudfoundry.org
https://lists.cloudfoundry.org/mailman/listinfo/cf-dev


_______________________________________________
cf-dev mailing list
cf-dev(a)lists.cloudfoundry.org
https://lists.cloudfoundry.org/mailman/listinfo/cf-dev

_______________________________________________
cf-dev mailing list
cf-dev(a)lists.cloudfoundry.org
https://lists.cloudfoundry.org/mailman/listinfo/cf-dev

_______________________________________________
cf-dev mailing list
cf-dev(a)lists.cloudfoundry.org
https://lists.cloudfoundry.org/mailman/listinfo/cf-dev

_______________________________________________
cf-dev mailing list
cf-dev(a)lists.cloudfoundry.org
https://lists.cloudfoundry.org/mailman/listinfo/cf-dev


Re: CF-Abacus: incubation and inception meeting coming soon

Michael Maximilien
 

Hi, all,

Here is pertinent information for CF-Abacus inception meeting next week.

Invites to those interested is sent. If you want to attend physically then ping me or Devin from CFF on CC: since
we need to add you to the list for the WeWork building.

---------
Date: Wednesday August 5th, 2015

Time: 9:30am - 12:30pm PDT

Location:
CloudFoundry Foundation Offices @ WeWork SF on Mission

WeWork
535 Mission St., 19th floor
San Francisco, CA

Room: 19B

Call info:
IBM AT&T Conference Call
USA 888-426-6840; 215-861-6239 | Participant code: 1985291
All other countries, find number here: http://goo.gl/RnNfc1

Hangout: TBD
---------

Best,

------
dr.max
ibm cloud labs
silicon valley, ca
maximilien.org



Michael Maximilien/Almaden/IBM
07/29/2015 11:35 AM

To
"cf-dev(a)lists.cloudfoundry.org" <cf-dev(a)lists.cloudfoundry.org>
cc

Subject
Re: CF-Abacus: incubation and inception meeting coming soon






Quick update on inception meeting.

To accommodate our friends and colleagues from Europe who would like to
attend, let's plan to move the meeting to 10a to 12:30p with the option of
lunch after at nearby location in SF.

Unless I hear any objections I will send the invites to those interested
parties who have already contacted me and confirm details here.

If you want to attend (local or remote) please remember to reply to me
with email so I can add you to invite list.

Best,

dr.max
ibm cloud labs
silicon valley, ca

Sent from my iPhone

On Jul 28, 2015, at 10:15 PM, Michael Maximilien <maxim(a)us.ibm.com> wrote:

Hi, all,

Now that CF-Abacus is officially an incubator under the guidance of the
CFF, here are some quick updates:

1. The project official github moved to:

https://github.com/cloudfoundry-incubator/cf-abacus

2. We are planning an inception next week Wednesday from 2p to 5p in SF.

We invite everyone interested to take a look at the repo, provide
feedback, or better, join us at the inception meeting. The location will
be either CFF, Pivotal, or IBM. All within a few blocks in downtown SF.

We will also have Google hangout and conference call for remote
participants.

If interested, then respond to me directly so I add you to the invite
list.

Thanks and talk next week. Best,

CF-Abacus team

dr.max
ibm cloud labs
silicon valley, ca

Sent from my iPhone


Re: Removing FUSE support from CF

Mike Youngstrom
 

Right. So to restate this discussion only applies to buildpack containers
docker containers currently are and will continue to be run in unprivileged
mode by default. Correct?

On Thu, Jul 30, 2015 at 2:47 PM, Onsi Fakhouri <ofakhouri(a)pivotal.io> wrote:

Hey Mike,

Just to be clear, I think you have a (consistent) sign error throughout
your e-mail?

Cloud Controller's current behavior is to request *un*privileged (i.e.
"more secure") containers for Docker images and privileged (i.e. "less
secure") containers for buildpack apps.

Our proposal is to make the privileged flag for buildpack apps
configurable (and it sounds like folks are leaning towards the per-space
approach).

I think we want to continue to enforce *un*privileged containers for
docker images as the attack surface is substantially higher with a docker
image.

Onsi



On Thu, Jul 30, 2015 at 12:39 PM, Mike Youngstrom <youngm(a)gmail.com>
wrote:

Good description. Count us as one who does not use FUSE and would very
much like to run docker images in privileged mode.

Perhaps it would be appropriate to force privileged mode for docker apps
but allow running non privileged for non docker applications until FUSE can
be removed?

Mike



On Thu, Jul 30, 2015 at 10:34 AM, Julian Friedman <
julz.friedman(a)gmail.com> wrote:

Hi Guillaume, I'd put it like this: running containers with 'privileged:
false' makes them safe /even if/ a user gets root. With a docker image this
is essential, because getting root is trivial. With a buildpack image this
is less essential, but it means /even if/ a root escalation exploit is
found (these do exist, there was an escalation via overlayfs patched a
while ago) you're still safe. 'Privileged: false' turns on user namespacing
and turns off various capabilities: it's what the Garden team recommend
most containers use. 'Privileged: true' relies on the security of your
rootfs and users never getting root; if your use case requires it you'll of
course need to make a judgement, but you're trading off quite a lot of
security in my opinion.

Sent from my iPhone

On 30 Jul 2015, at 17:12, Guillaume Berche <bercheg(a)gmail.com> wrote:

Thanks Onsi. Being able to use FUSE is quite important to us too.

Can you clarify the security risk associated with running a privileged
container (as a workaround for the lack of fuse support within user
namespace), when pushing an app that goes through the buildpack staging
process (hence running as vcap user) ?

From http://godoc.org/github.com/cloudfoundry-incubator/garden I see

// If Privileged is true the container does not have a user namespace and the root user in the container
// is the same as the root user in the host. Otherwise, the container has a user namespace and the root
// user in the container is mapped to a non-root user in the host. Defaults to false.
Privileged bool <http://godoc.org/builtin#bool> `json:"privileged,omitempty"`


I understand the risk is specific to running a docker image built using
the docker file USER directive (specially root): then the container will
run as the host root ?

BTW, is the ability to run as a different user in staging and running
currently considered as discussed into
https://groups.google.com/a/cloudfoundry.org/d/msg/vcap-dev/ZlC-2DVOSHo/uRrF6Io52mEJ
?

Thanks,

Guillaume.

On Thu, Jul 30, 2015 at 3:27 AM, Jack Cai <greensight(a)gmail.com> wrote:

+1 for space-level configuration.

Jack

On Wed, Jul 29, 2015 at 2:04 PM, Matt Cowger <matt(a)cowger.us> wrote:

We're wary of adding too many knobs to the platform and exposing
them all the way down to app developers increases the cognitive load for
folks using the platform. Enabling/disabling it on a per-installation
level, and - maybe - a per-space level, might be a decent compromise?

Agreed. I'd argue this this probably not be a 'per-app' thing, as I
too amy way of the knobs that developers like to turn. I think a per space
level is just the right level.

On Wed, Jul 29, 2015 at 10:20 AM, Onsi Fakhouri <ofakhouri(a)pivotal.io>
wrote:

That's still very much open for discussion. Obviously, someone with
administrative privileges should be in charge of this particular piece of
configuration.

Also making this a runtime config (e.g. feature flag) as opposed to a
deploy-time config (e.g. part of the CC config written out by BOSH) would
make the different behaviors more testable.

Thoughts? Preferences? We're wary of adding too many knobs to the
platform and exposing them all the way down to app developers increases the
cognitive load for folks using the platform. Enabling/disabling it on a
per-installation level, and - maybe - a per-space level, might be a decent
compromise?

Onsi



On Wed, Jul 29, 2015 at 9:54 AM, Matt Cowger <matt(a)cowger.us> wrote:

Once - configurable on a per-app, per space, or per deployment basis?

On Wed, Jul 29, 2015 at 9:50 AM, Onsi Fakhouri <ofakhouri(a)pivotal.io
wrote:
Hey all,

Based on the feedback we got and the relatively low cost to
maintain privileged support we'd like to propose making running privileged
containers on the platform configurable - we will recommend this be turned
off when running untrusted workloads and it will likely default to off. We
have longer term plans to support mounting persistent volumes in Diego at
which point support for mounting FUSE in unprivileged containers can become
a reality.

Thoughts?

Onsi

On Mon, Jul 13, 2015 at 4:42 AM, Daniel Mikusa <dmikusa(a)pivotal.io>
wrote:

On Mon, Jul 13, 2015 at 2:48 AM, Lerenc, Vedran <
vedran.lerenc(a)sap.com> wrote:

Hi Onsi,



Ø Thoughts? Concerns?



Well, that’s bad news.



We, and I assume many others as well (like the folks from
Stackato who do it in the public), have used SSHFS + FUSE to implement a
persistent file system for old-fashioned apps/apps that are not
Cloud-native. I don’t want to fight an ideological battle here, it’s just
that these apps do still exist (in majority) and a file system service is
an important service/feature for them.



So if you remove FUSE (which we thought is not going away/was
added to stay), it’s pretty bad for us/many apps.



Best regards, Vedran
+1 - It would be sad to see FUSE support go away. It's been very
helpful for running apps that depend on a persistent FS, like Wordpress.
Perhaps this use case of mounting a remote SSHFS could be supported in some
other way?

Dan








*From: *Onsi Fakhouri
*Reply-To: *"Discussions about Cloud Foundry projects and the
system overall."
*Date: *Saturday 11 July 2015 01:10
*To: *cf-dev
*Subject: *[cf-dev] Removing FUSE support from CF



Hey CF-Dev,



The Garden team has been hard at work substantially improving
Garden-Linux's security features. Garden-Linux now employs user namespaces
and drops capabilities when creating unprivileged containers - we're
excited to bring both of these features to the platform!



Diego currently runs applications in *privileged* containers.
These lack the security features outlined above and we are planning on
switching to launch all CF applications in *unprivileged*
containers.



Unfortunately, it has proved difficult to support
mounting FUSE filesystems from within unprivileged containers. We believe
the security benefits outweigh the features that FUSE give us and* are
planning on removing support for FUSE in favor of better securing our
containers.* If/when FUSE support in unprivileged containers
becomes possible we may add it back to the platform.



Thoughts? Concerns?



Thanks!



Onsi

_______________________________________________
cf-dev mailing list
cf-dev(a)lists.cloudfoundry.org
https://lists.cloudfoundry.org/mailman/listinfo/cf-dev

_______________________________________________
cf-dev mailing list
cf-dev(a)lists.cloudfoundry.org
https://lists.cloudfoundry.org/mailman/listinfo/cf-dev


--
-- Matt

_______________________________________________
cf-dev mailing list
cf-dev(a)lists.cloudfoundry.org
https://lists.cloudfoundry.org/mailman/listinfo/cf-dev

_______________________________________________
cf-dev mailing list
cf-dev(a)lists.cloudfoundry.org
https://lists.cloudfoundry.org/mailman/listinfo/cf-dev


--
-- Matt

_______________________________________________
cf-dev mailing list
cf-dev(a)lists.cloudfoundry.org
https://lists.cloudfoundry.org/mailman/listinfo/cf-dev

_______________________________________________
cf-dev mailing list
cf-dev(a)lists.cloudfoundry.org
https://lists.cloudfoundry.org/mailman/listinfo/cf-dev

_______________________________________________
cf-dev mailing list
cf-dev(a)lists.cloudfoundry.org
https://lists.cloudfoundry.org/mailman/listinfo/cf-dev


_______________________________________________
cf-dev mailing list
cf-dev(a)lists.cloudfoundry.org
https://lists.cloudfoundry.org/mailman/listinfo/cf-dev

_______________________________________________
cf-dev mailing list
cf-dev(a)lists.cloudfoundry.org
https://lists.cloudfoundry.org/mailman/listinfo/cf-dev

_______________________________________________
cf-dev mailing list
cf-dev(a)lists.cloudfoundry.org
https://lists.cloudfoundry.org/mailman/listinfo/cf-dev


Re: Removing FUSE support from CF

Onsi Fakhouri <ofakhouri@...>
 

Hey Mike,

Just to be clear, I think you have a (consistent) sign error throughout
your e-mail?

Cloud Controller's current behavior is to request *un*privileged (i.e.
"more secure") containers for Docker images and privileged (i.e. "less
secure") containers for buildpack apps.

Our proposal is to make the privileged flag for buildpack apps configurable
(and it sounds like folks are leaning towards the per-space approach).

I think we want to continue to enforce *un*privileged containers for docker
images as the attack surface is substantially higher with a docker image.

Onsi

On Thu, Jul 30, 2015 at 12:39 PM, Mike Youngstrom <youngm(a)gmail.com> wrote:

Good description. Count us as one who does not use FUSE and would very
much like to run docker images in privileged mode.

Perhaps it would be appropriate to force privileged mode for docker apps
but allow running non privileged for non docker applications until FUSE can
be removed?

Mike



On Thu, Jul 30, 2015 at 10:34 AM, Julian Friedman <julz.friedman(a)gmail.com
wrote:
Hi Guillaume, I'd put it like this: running containers with 'privileged:
false' makes them safe /even if/ a user gets root. With a docker image this
is essential, because getting root is trivial. With a buildpack image this
is less essential, but it means /even if/ a root escalation exploit is
found (these do exist, there was an escalation via overlayfs patched a
while ago) you're still safe. 'Privileged: false' turns on user namespacing
and turns off various capabilities: it's what the Garden team recommend
most containers use. 'Privileged: true' relies on the security of your
rootfs and users never getting root; if your use case requires it you'll of
course need to make a judgement, but you're trading off quite a lot of
security in my opinion.

Sent from my iPhone

On 30 Jul 2015, at 17:12, Guillaume Berche <bercheg(a)gmail.com> wrote:

Thanks Onsi. Being able to use FUSE is quite important to us too.

Can you clarify the security risk associated with running a privileged
container (as a workaround for the lack of fuse support within user
namespace), when pushing an app that goes through the buildpack staging
process (hence running as vcap user) ?

From http://godoc.org/github.com/cloudfoundry-incubator/garden I see

// If Privileged is true the container does not have a user namespace and the root user in the container
// is the same as the root user in the host. Otherwise, the container has a user namespace and the root
// user in the container is mapped to a non-root user in the host. Defaults to false.
Privileged bool <http://godoc.org/builtin#bool> `json:"privileged,omitempty"`


I understand the risk is specific to running a docker image built using
the docker file USER directive (specially root): then the container will
run as the host root ?

BTW, is the ability to run as a different user in staging and running
currently considered as discussed into
https://groups.google.com/a/cloudfoundry.org/d/msg/vcap-dev/ZlC-2DVOSHo/uRrF6Io52mEJ
?

Thanks,

Guillaume.

On Thu, Jul 30, 2015 at 3:27 AM, Jack Cai <greensight(a)gmail.com> wrote:

+1 for space-level configuration.

Jack

On Wed, Jul 29, 2015 at 2:04 PM, Matt Cowger <matt(a)cowger.us> wrote:

We're wary of adding too many knobs to the platform and exposing them
all the way down to app developers increases the cognitive load for folks
using the platform. Enabling/disabling it on a per-installation level, and
- maybe - a per-space level, might be a decent compromise?

Agreed. I'd argue this this probably not be a 'per-app' thing, as I
too amy way of the knobs that developers like to turn. I think a per space
level is just the right level.

On Wed, Jul 29, 2015 at 10:20 AM, Onsi Fakhouri <ofakhouri(a)pivotal.io>
wrote:

That's still very much open for discussion. Obviously, someone with
administrative privileges should be in charge of this particular piece of
configuration.

Also making this a runtime config (e.g. feature flag) as opposed to a
deploy-time config (e.g. part of the CC config written out by BOSH) would
make the different behaviors more testable.

Thoughts? Preferences? We're wary of adding too many knobs to the
platform and exposing them all the way down to app developers increases the
cognitive load for folks using the platform. Enabling/disabling it on a
per-installation level, and - maybe - a per-space level, might be a decent
compromise?

Onsi



On Wed, Jul 29, 2015 at 9:54 AM, Matt Cowger <matt(a)cowger.us> wrote:

Once - configurable on a per-app, per space, or per deployment basis?

On Wed, Jul 29, 2015 at 9:50 AM, Onsi Fakhouri <ofakhouri(a)pivotal.io>
wrote:

Hey all,

Based on the feedback we got and the relatively low cost to maintain
privileged support we'd like to propose making running privileged
containers on the platform configurable - we will recommend this be turned
off when running untrusted workloads and it will likely default to off. We
have longer term plans to support mounting persistent volumes in Diego at
which point support for mounting FUSE in unprivileged containers can become
a reality.

Thoughts?

Onsi

On Mon, Jul 13, 2015 at 4:42 AM, Daniel Mikusa <dmikusa(a)pivotal.io>
wrote:

On Mon, Jul 13, 2015 at 2:48 AM, Lerenc, Vedran <
vedran.lerenc(a)sap.com> wrote:

Hi Onsi,



Ø Thoughts? Concerns?



Well, that’s bad news.



We, and I assume many others as well (like the folks from Stackato
who do it in the public), have used SSHFS + FUSE to implement a persistent
file system for old-fashioned apps/apps that are not Cloud-native. I don’t
want to fight an ideological battle here, it’s just that these apps do
still exist (in majority) and a file system service is an important
service/feature for them.



So if you remove FUSE (which we thought is not going away/was
added to stay), it’s pretty bad for us/many apps.



Best regards, Vedran
+1 - It would be sad to see FUSE support go away. It's been very
helpful for running apps that depend on a persistent FS, like Wordpress.
Perhaps this use case of mounting a remote SSHFS could be supported in some
other way?

Dan








*From: *Onsi Fakhouri
*Reply-To: *"Discussions about Cloud Foundry projects and the
system overall."
*Date: *Saturday 11 July 2015 01:10
*To: *cf-dev
*Subject: *[cf-dev] Removing FUSE support from CF



Hey CF-Dev,



The Garden team has been hard at work substantially improving
Garden-Linux's security features. Garden-Linux now employs user namespaces
and drops capabilities when creating unprivileged containers - we're
excited to bring both of these features to the platform!



Diego currently runs applications in *privileged* containers.
These lack the security features outlined above and we are planning on
switching to launch all CF applications in *unprivileged*
containers.



Unfortunately, it has proved difficult to support
mounting FUSE filesystems from within unprivileged containers. We believe
the security benefits outweigh the features that FUSE give us and* are
planning on removing support for FUSE in favor of better securing our
containers.* If/when FUSE support in unprivileged containers
becomes possible we may add it back to the platform.



Thoughts? Concerns?



Thanks!



Onsi

_______________________________________________
cf-dev mailing list
cf-dev(a)lists.cloudfoundry.org
https://lists.cloudfoundry.org/mailman/listinfo/cf-dev

_______________________________________________
cf-dev mailing list
cf-dev(a)lists.cloudfoundry.org
https://lists.cloudfoundry.org/mailman/listinfo/cf-dev


--
-- Matt

_______________________________________________
cf-dev mailing list
cf-dev(a)lists.cloudfoundry.org
https://lists.cloudfoundry.org/mailman/listinfo/cf-dev

_______________________________________________
cf-dev mailing list
cf-dev(a)lists.cloudfoundry.org
https://lists.cloudfoundry.org/mailman/listinfo/cf-dev


--
-- Matt

_______________________________________________
cf-dev mailing list
cf-dev(a)lists.cloudfoundry.org
https://lists.cloudfoundry.org/mailman/listinfo/cf-dev

_______________________________________________
cf-dev mailing list
cf-dev(a)lists.cloudfoundry.org
https://lists.cloudfoundry.org/mailman/listinfo/cf-dev

_______________________________________________
cf-dev mailing list
cf-dev(a)lists.cloudfoundry.org
https://lists.cloudfoundry.org/mailman/listinfo/cf-dev


_______________________________________________
cf-dev mailing list
cf-dev(a)lists.cloudfoundry.org
https://lists.cloudfoundry.org/mailman/listinfo/cf-dev

_______________________________________________
cf-dev mailing list
cf-dev(a)lists.cloudfoundry.org
https://lists.cloudfoundry.org/mailman/listinfo/cf-dev


Re: Is Garden limiting disk IOs ?

Guillaume Berche
 

Thanks Will.

Would other existing limits (e.g. nice, or fair cpu share) prevent one app
from using up all of the host disk io, or could such app impact its
neighbor containers (and other DEA/Cell process), and possibly up to denial
of service (e.g. a compromised app that was to impact the cf platform that
host them) ?

Guillaume.

On Thu, Jul 30, 2015 at 6:34 PM, Will Pragnell <wpragnell(a)pivotal.io> wrote:

Hi Guillaume,

No, Garden-Linux does not currently do any disk IO limiting.

Thanks,
Will

On 30 July 2015 at 17:24, Guillaume Berche <bercheg(a)gmail.com> wrote:

Out of curiosity, I'd like to understand whether Garden is limiting disk
IOs, similar to [2].

I do see disk space, inodes..., and network IOs limits described into [1]
but did not find block IOs.

Thanks in advance,

Guillaume.

[1] http://godoc.org/github.com/cloudfoundry-incubator/garden
[2]
https://github.com/appc/spec/blob/master/spec/ace.md#resourceblock-bandwidth


_______________________________________________
cf-dev mailing list
cf-dev(a)lists.cloudfoundry.org
https://lists.cloudfoundry.org/mailman/listinfo/cf-dev

_______________________________________________
cf-dev mailing list
cf-dev(a)lists.cloudfoundry.org
https://lists.cloudfoundry.org/mailman/listinfo/cf-dev


Re: Removing FUSE support from CF

Mike Youngstrom
 

Good description. Count us as one who does not use FUSE and would very
much like to run docker images in privileged mode.

Perhaps it would be appropriate to force privileged mode for docker apps
but allow running non privileged for non docker applications until FUSE can
be removed?

Mike



On Thu, Jul 30, 2015 at 10:34 AM, Julian Friedman <julz.friedman(a)gmail.com>
wrote:

Hi Guillaume, I'd put it like this: running containers with 'privileged:
false' makes them safe /even if/ a user gets root. With a docker image this
is essential, because getting root is trivial. With a buildpack image this
is less essential, but it means /even if/ a root escalation exploit is
found (these do exist, there was an escalation via overlayfs patched a
while ago) you're still safe. 'Privileged: false' turns on user namespacing
and turns off various capabilities: it's what the Garden team recommend
most containers use. 'Privileged: true' relies on the security of your
rootfs and users never getting root; if your use case requires it you'll of
course need to make a judgement, but you're trading off quite a lot of
security in my opinion.

Sent from my iPhone

On 30 Jul 2015, at 17:12, Guillaume Berche <bercheg(a)gmail.com> wrote:

Thanks Onsi. Being able to use FUSE is quite important to us too.

Can you clarify the security risk associated with running a privileged
container (as a workaround for the lack of fuse support within user
namespace), when pushing an app that goes through the buildpack staging
process (hence running as vcap user) ?

From http://godoc.org/github.com/cloudfoundry-incubator/garden I see

// If Privileged is true the container does not have a user namespace and the root user in the container
// is the same as the root user in the host. Otherwise, the container has a user namespace and the root
// user in the container is mapped to a non-root user in the host. Defaults to false.
Privileged bool <http://godoc.org/builtin#bool> `json:"privileged,omitempty"`


I understand the risk is specific to running a docker image built using
the docker file USER directive (specially root): then the container will
run as the host root ?

BTW, is the ability to run as a different user in staging and running
currently considered as discussed into
https://groups.google.com/a/cloudfoundry.org/d/msg/vcap-dev/ZlC-2DVOSHo/uRrF6Io52mEJ
?

Thanks,

Guillaume.

On Thu, Jul 30, 2015 at 3:27 AM, Jack Cai <greensight(a)gmail.com> wrote:

+1 for space-level configuration.

Jack

On Wed, Jul 29, 2015 at 2:04 PM, Matt Cowger <matt(a)cowger.us> wrote:

We're wary of adding too many knobs to the platform and exposing them
all the way down to app developers increases the cognitive load for folks
using the platform. Enabling/disabling it on a per-installation level, and
- maybe - a per-space level, might be a decent compromise?

Agreed. I'd argue this this probably not be a 'per-app' thing, as I too
amy way of the knobs that developers like to turn. I think a per space
level is just the right level.

On Wed, Jul 29, 2015 at 10:20 AM, Onsi Fakhouri <ofakhouri(a)pivotal.io>
wrote:

That's still very much open for discussion. Obviously, someone with
administrative privileges should be in charge of this particular piece of
configuration.

Also making this a runtime config (e.g. feature flag) as opposed to a
deploy-time config (e.g. part of the CC config written out by BOSH) would
make the different behaviors more testable.

Thoughts? Preferences? We're wary of adding too many knobs to the
platform and exposing them all the way down to app developers increases the
cognitive load for folks using the platform. Enabling/disabling it on a
per-installation level, and - maybe - a per-space level, might be a decent
compromise?

Onsi



On Wed, Jul 29, 2015 at 9:54 AM, Matt Cowger <matt(a)cowger.us> wrote:

Once - configurable on a per-app, per space, or per deployment basis?

On Wed, Jul 29, 2015 at 9:50 AM, Onsi Fakhouri <ofakhouri(a)pivotal.io>
wrote:

Hey all,

Based on the feedback we got and the relatively low cost to maintain
privileged support we'd like to propose making running privileged
containers on the platform configurable - we will recommend this be turned
off when running untrusted workloads and it will likely default to off. We
have longer term plans to support mounting persistent volumes in Diego at
which point support for mounting FUSE in unprivileged containers can become
a reality.

Thoughts?

Onsi

On Mon, Jul 13, 2015 at 4:42 AM, Daniel Mikusa <dmikusa(a)pivotal.io>
wrote:

On Mon, Jul 13, 2015 at 2:48 AM, Lerenc, Vedran <
vedran.lerenc(a)sap.com> wrote:

Hi Onsi,



Ø Thoughts? Concerns?



Well, that’s bad news.



We, and I assume many others as well (like the folks from Stackato
who do it in the public), have used SSHFS + FUSE to implement a persistent
file system for old-fashioned apps/apps that are not Cloud-native. I don’t
want to fight an ideological battle here, it’s just that these apps do
still exist (in majority) and a file system service is an important
service/feature for them.



So if you remove FUSE (which we thought is not going away/was added
to stay), it’s pretty bad for us/many apps.



Best regards, Vedran
+1 - It would be sad to see FUSE support go away. It's been very
helpful for running apps that depend on a persistent FS, like Wordpress.
Perhaps this use case of mounting a remote SSHFS could be supported in some
other way?

Dan








*From: *Onsi Fakhouri
*Reply-To: *"Discussions about Cloud Foundry projects and the
system overall."
*Date: *Saturday 11 July 2015 01:10
*To: *cf-dev
*Subject: *[cf-dev] Removing FUSE support from CF



Hey CF-Dev,



The Garden team has been hard at work substantially improving
Garden-Linux's security features. Garden-Linux now employs user namespaces
and drops capabilities when creating unprivileged containers - we're
excited to bring both of these features to the platform!



Diego currently runs applications in *privileged* containers.
These lack the security features outlined above and we are planning on
switching to launch all CF applications in *unprivileged*
containers.



Unfortunately, it has proved difficult to support
mounting FUSE filesystems from within unprivileged containers. We believe
the security benefits outweigh the features that FUSE give us and* are
planning on removing support for FUSE in favor of better securing our
containers.* If/when FUSE support in unprivileged containers
becomes possible we may add it back to the platform.



Thoughts? Concerns?



Thanks!



Onsi

_______________________________________________
cf-dev mailing list
cf-dev(a)lists.cloudfoundry.org
https://lists.cloudfoundry.org/mailman/listinfo/cf-dev

_______________________________________________
cf-dev mailing list
cf-dev(a)lists.cloudfoundry.org
https://lists.cloudfoundry.org/mailman/listinfo/cf-dev


--
-- Matt

_______________________________________________
cf-dev mailing list
cf-dev(a)lists.cloudfoundry.org
https://lists.cloudfoundry.org/mailman/listinfo/cf-dev

_______________________________________________
cf-dev mailing list
cf-dev(a)lists.cloudfoundry.org
https://lists.cloudfoundry.org/mailman/listinfo/cf-dev


--
-- Matt

_______________________________________________
cf-dev mailing list
cf-dev(a)lists.cloudfoundry.org
https://lists.cloudfoundry.org/mailman/listinfo/cf-dev

_______________________________________________
cf-dev mailing list
cf-dev(a)lists.cloudfoundry.org
https://lists.cloudfoundry.org/mailman/listinfo/cf-dev

_______________________________________________
cf-dev mailing list
cf-dev(a)lists.cloudfoundry.org
https://lists.cloudfoundry.org/mailman/listinfo/cf-dev


_______________________________________________
cf-dev mailing list
cf-dev(a)lists.cloudfoundry.org
https://lists.cloudfoundry.org/mailman/listinfo/cf-dev


Re: Questions about /v2/app_usage_events

Matthew Sykes <matthew.sykes@...>
 

The buildpack set event is, essentially, a metadata event. It records the
buildpack that was used to stage an application.

This information could not be included in the started event because staging
happens after the app is started.

On Thu, Jul 30, 2015 at 5:46 AM, 王小锋 <zzuwxf(a)gmail.com> wrote:

Hi, there

I noticed there are three state about the app event, started, stopped and
buildpack_set.

what does "buildpack_set" mean? If the app is in buildpack_set status,
does it occupy cup/memory/disk?

If the app is deleted, will the event reflected in app_usage_events? if
no, should I use /v2/app_usage_events together with
/v2/events?q=type:audit.app.delete-request to determine the lifetime of an
app?

Many thanks.

_______________________________________________
cf-dev mailing list
cf-dev(a)lists.cloudfoundry.org
https://lists.cloudfoundry.org/mailman/listinfo/cf-dev

--
Matthew Sykes
matthew.sykes(a)gmail.com


Re: Default cgroup CPU share

Matthew Sykes <matthew.sykes@...>
 

The old vcap-dev mailing list had a number of exchanges around this topic
that you might want to look at.

The basic gist is that linux gives processes that are not associated with a
cgroup a cpu share of 1024. That means that the code that runs the DEA and
all of the linux daemons that make things go will get that share.

When applications are placed on a DEA, the containers they run in are
associated with a cpu share that is proportional to the amount of memory
requested. If you request a lot of memory per app instance, you'll have a
high cpu share; if you request a little memory per app instance, you'll
have a low cpu share.

The cpu share values associated with the container cgroups will never be
allowed to exceed 1024 (to prevent applications from adversely impacting
the DEA processes).

These cpu share values really only start to impact things when there's
competition for the cpu. When that happens, processes in a cgroup that is
associated with higher shares will get more cpu than those with lower
shares.

There is no "limit" to the number of shares - they're treated as relative
values when the scheduler needs to make a choice. The goal is that, given
two processes A and B, if process A has a share weight that is twice that
of process B and both processes are cpu bound, process A will get twice as
many shares of the cpu as process A.

For a more complete understanding, you should read the documentation in the
linux tree for the scheduler.

On Tue, Jul 28, 2015 at 8:11 PM, John Wong <gokoproject(a)gmail.com> wrote:

I am reading
https://docs.cloudfoundry.org/concepts/architecture/warden.html#cpu and
it said:

If B is idle, A may receive up to all the CPU. Shares per cgroup range
from 2 to 1024, with 1024 the default. Both Diego apps and DEA apps scale
the number of allocated shares linearly with the amount of memory, with an
app instance requesting 8G of memory getting the upper limit of 1024
shares. Diego also guarantees a minimum of 10 shares per app instance.

So 1024 is the default share every app get by default?

Say I start with an empty DEA.


APP #1: 1G shared = 1024?

APP #2 added. 1G shared =? what happen to APP #1?

APP #2 added: 512MB shared =? What happened to APP #1 & APP 2?

APP #3 added: 8GB, now what happened?


I am all assuming their usage is nearly idle. What is the total number of
share for a N-core DEA? Also are the shares dynamic? In the mean time I
will try to understand how CPU usage is shared in cgroup from other
resource.


Thanks.


John

_______________________________________________
cf-dev mailing list
cf-dev(a)lists.cloudfoundry.org
https://lists.cloudfoundry.org/mailman/listinfo/cf-dev

--
Matthew Sykes
matthew.sykes(a)gmail.com


Re: Removing FUSE support from CF

Guillaume Berche
 

Thanks Julian and Onsi for the additional details. Much clearer now.

Guillaume.

On Thu, Jul 30, 2015 at 6:40 PM, Onsi Fakhouri <ofakhouri(a)pivotal.io> wrote:

To that I would add that privileged: true is the behavior of the existing
platform and warden. Sticking with privileged: true essentially opts you
out off gardens new security features.

So running privileged containers isn't a step backwards. It's simply a
choice not to take a step forwards.

Onsi



On Jul 30, 2015, at 9:34 AM, Julian Friedman <julz.friedman(a)gmail.com>
wrote:

Hi Guillaume, I'd put it like this: running containers with 'privileged:
false' makes them safe /even if/ a user gets root. With a docker image this
is essential, because getting root is trivial. With a buildpack image this
is less essential, but it means /even if/ a root escalation exploit is
found (these do exist, there was an escalation via overlayfs patched a
while ago) you're still safe. 'Privileged: false' turns on user namespacing
and turns off various capabilities: it's what the Garden team recommend
most containers use. 'Privileged: true' relies on the security of your
rootfs and users never getting root; if your use case requires it you'll of
course need to make a judgement, but you're trading off quite a lot of
security in my opinion.

Sent from my iPhone

On 30 Jul 2015, at 17:12, Guillaume Berche <bercheg(a)gmail.com> wrote:

Thanks Onsi. Being able to use FUSE is quite important to us too.

Can you clarify the security risk associated with running a privileged
container (as a workaround for the lack of fuse support within user
namespace), when pushing an app that goes through the buildpack staging
process (hence running as vcap user) ?

From http://godoc.org/github.com/cloudfoundry-incubator/garden I see

// If Privileged is true the container does not have a user namespace and the root user in the container
// is the same as the root user in the host. Otherwise, the container has a user namespace and the root
// user in the container is mapped to a non-root user in the host. Defaults to false.
Privileged bool <http://godoc.org/builtin#bool> `json:"privileged,omitempty"`


I understand the risk is specific to running a docker image built using
the docker file USER directive (specially root): then the container will
run as the host root ?

BTW, is the ability to run as a different user in staging and running
currently considered as discussed into
https://groups.google.com/a/cloudfoundry.org/d/msg/vcap-dev/ZlC-2DVOSHo/uRrF6Io52mEJ
?

Thanks,

Guillaume.

On Thu, Jul 30, 2015 at 3:27 AM, Jack Cai <greensight(a)gmail.com> wrote:

+1 for space-level configuration.

Jack

On Wed, Jul 29, 2015 at 2:04 PM, Matt Cowger <matt(a)cowger.us> wrote:

We're wary of adding too many knobs to the platform and exposing them
all the way down to app developers increases the cognitive load for folks
using the platform. Enabling/disabling it on a per-installation level, and
- maybe - a per-space level, might be a decent compromise?

Agreed. I'd argue this this probably not be a 'per-app' thing, as I too
amy way of the knobs that developers like to turn. I think a per space
level is just the right level.

On Wed, Jul 29, 2015 at 10:20 AM, Onsi Fakhouri <ofakhouri(a)pivotal.io>
wrote:

That's still very much open for discussion. Obviously, someone with
administrative privileges should be in charge of this particular piece of
configuration.

Also making this a runtime config (e.g. feature flag) as opposed to a
deploy-time config (e.g. part of the CC config written out by BOSH) would
make the different behaviors more testable.

Thoughts? Preferences? We're wary of adding too many knobs to the
platform and exposing them all the way down to app developers increases the
cognitive load for folks using the platform. Enabling/disabling it on a
per-installation level, and - maybe - a per-space level, might be a decent
compromise?

Onsi



On Wed, Jul 29, 2015 at 9:54 AM, Matt Cowger <matt(a)cowger.us> wrote:

Once - configurable on a per-app, per space, or per deployment basis?

On Wed, Jul 29, 2015 at 9:50 AM, Onsi Fakhouri <ofakhouri(a)pivotal.io>
wrote:

Hey all,

Based on the feedback we got and the relatively low cost to maintain
privileged support we'd like to propose making running privileged
containers on the platform configurable - we will recommend this be turned
off when running untrusted workloads and it will likely default to off. We
have longer term plans to support mounting persistent volumes in Diego at
which point support for mounting FUSE in unprivileged containers can become
a reality.

Thoughts?

Onsi

On Mon, Jul 13, 2015 at 4:42 AM, Daniel Mikusa <dmikusa(a)pivotal.io>
wrote:

On Mon, Jul 13, 2015 at 2:48 AM, Lerenc, Vedran <
vedran.lerenc(a)sap.com> wrote:

Hi Onsi,



Ø Thoughts? Concerns?



Well, that’s bad news.



We, and I assume many others as well (like the folks from Stackato
who do it in the public), have used SSHFS + FUSE to implement a persistent
file system for old-fashioned apps/apps that are not Cloud-native. I don’t
want to fight an ideological battle here, it’s just that these apps do
still exist (in majority) and a file system service is an important
service/feature for them.



So if you remove FUSE (which we thought is not going away/was added
to stay), it’s pretty bad for us/many apps.



Best regards, Vedran
+1 - It would be sad to see FUSE support go away. It's been very
helpful for running apps that depend on a persistent FS, like Wordpress.
Perhaps this use case of mounting a remote SSHFS could be supported in some
other way?

Dan








*From: *Onsi Fakhouri
*Reply-To: *"Discussions about Cloud Foundry projects and the
system overall."
*Date: *Saturday 11 July 2015 01:10
*To: *cf-dev
*Subject: *[cf-dev] Removing FUSE support from CF



Hey CF-Dev,



The Garden team has been hard at work substantially improving
Garden-Linux's security features. Garden-Linux now employs user namespaces
and drops capabilities when creating unprivileged containers - we're
excited to bring both of these features to the platform!



Diego currently runs applications in *privileged* containers.
These lack the security features outlined above and we are planning on
switching to launch all CF applications in *unprivileged*
containers.



Unfortunately, it has proved difficult to support
mounting FUSE filesystems from within unprivileged containers. We believe
the security benefits outweigh the features that FUSE give us and* are
planning on removing support for FUSE in favor of better securing our
containers.* If/when FUSE support in unprivileged containers
becomes possible we may add it back to the platform.



Thoughts? Concerns?



Thanks!



Onsi

_______________________________________________
cf-dev mailing list
cf-dev(a)lists.cloudfoundry.org
https://lists.cloudfoundry.org/mailman/listinfo/cf-dev

_______________________________________________
cf-dev mailing list
cf-dev(a)lists.cloudfoundry.org
https://lists.cloudfoundry.org/mailman/listinfo/cf-dev


--
-- Matt

_______________________________________________
cf-dev mailing list
cf-dev(a)lists.cloudfoundry.org
https://lists.cloudfoundry.org/mailman/listinfo/cf-dev

_______________________________________________
cf-dev mailing list
cf-dev(a)lists.cloudfoundry.org
https://lists.cloudfoundry.org/mailman/listinfo/cf-dev


--
-- Matt

_______________________________________________
cf-dev mailing list
cf-dev(a)lists.cloudfoundry.org
https://lists.cloudfoundry.org/mailman/listinfo/cf-dev

_______________________________________________
cf-dev mailing list
cf-dev(a)lists.cloudfoundry.org
https://lists.cloudfoundry.org/mailman/listinfo/cf-dev

_______________________________________________
cf-dev mailing list
cf-dev(a)lists.cloudfoundry.org
https://lists.cloudfoundry.org/mailman/listinfo/cf-dev

_______________________________________________
cf-dev mailing list
cf-dev(a)lists.cloudfoundry.org
https://lists.cloudfoundry.org/mailman/listinfo/cf-dev


_______________________________________________
cf-dev mailing list
cf-dev(a)lists.cloudfoundry.org
https://lists.cloudfoundry.org/mailman/listinfo/cf-dev


Re: Removing FUSE support from CF

Onsi Fakhouri <ofakhouri@...>
 

To that I would add that privileged: true is the behavior of the existing platform and warden. Sticking with privileged: true essentially opts you out off gardens new security features.

So running privileged containers isn't a step backwards. It's simply a choice not to take a step forwards.

Onsi

On Jul 30, 2015, at 9:34 AM, Julian Friedman <julz.friedman(a)gmail.com> wrote:

Hi Guillaume, I'd put it like this: running containers with 'privileged: false' makes them safe /even if/ a user gets root. With a docker image this is essential, because getting root is trivial. With a buildpack image this is less essential, but it means /even if/ a root escalation exploit is found (these do exist, there was an escalation via overlayfs patched a while ago) you're still safe. 'Privileged: false' turns on user namespacing and turns off various capabilities: it's what the Garden team recommend most containers use. 'Privileged: true' relies on the security of your rootfs and users never getting root; if your use case requires it you'll of course need to make a judgement, but you're trading off quite a lot of security in my opinion.

Sent from my iPhone

On 30 Jul 2015, at 17:12, Guillaume Berche <bercheg(a)gmail.com> wrote:

Thanks Onsi. Being able to use FUSE is quite important to us too.

Can you clarify the security risk associated with running a privileged container (as a workaround for the lack of fuse support within user namespace), when pushing an app that goes through the buildpack staging process (hence running as vcap user) ?

From http://godoc.org/github.com/cloudfoundry-incubator/garden I see
// If Privileged is true the container does not have a user namespace and the root user in the container
// is the same as the root user in the host. Otherwise, the container has a user namespace and the root
// user in the container is mapped to a non-root user in the host. Defaults to false.
Privileged bool `json:"privileged,omitempty"`

I understand the risk is specific to running a docker image built using the docker file USER directive (specially root): then the container will run as the host root ?

BTW, is the ability to run as a different user in staging and running currently considered as discussed into https://groups.google.com/a/cloudfoundry.org/d/msg/vcap-dev/ZlC-2DVOSHo/uRrF6Io52mEJ ?

Thanks,

Guillaume.

On Thu, Jul 30, 2015 at 3:27 AM, Jack Cai <greensight(a)gmail.com> wrote:
+1 for space-level configuration.

Jack

On Wed, Jul 29, 2015 at 2:04 PM, Matt Cowger <matt(a)cowger.us> wrote:
We're wary of adding too many knobs to the platform and exposing them all the way down to app developers increases the cognitive load for folks using the platform. Enabling/disabling it on a per-installation level, and - maybe - a per-space level, might be a decent compromise?
Agreed. I'd argue this this probably not be a 'per-app' thing, as I too amy way of the knobs that developers like to turn. I think a per space level is just the right level.

On Wed, Jul 29, 2015 at 10:20 AM, Onsi Fakhouri <ofakhouri(a)pivotal.io> wrote:
That's still very much open for discussion. Obviously, someone with administrative privileges should be in charge of this particular piece of configuration.

Also making this a runtime config (e.g. feature flag) as opposed to a deploy-time config (e.g. part of the CC config written out by BOSH) would make the different behaviors more testable.

Thoughts? Preferences? We're wary of adding too many knobs to the platform and exposing them all the way down to app developers increases the cognitive load for folks using the platform. Enabling/disabling it on a per-installation level, and - maybe - a per-space level, might be a decent compromise?

Onsi



On Wed, Jul 29, 2015 at 9:54 AM, Matt Cowger <matt(a)cowger.us> wrote:
Once - configurable on a per-app, per space, or per deployment basis?

On Wed, Jul 29, 2015 at 9:50 AM, Onsi Fakhouri <ofakhouri(a)pivotal.io> wrote:
Hey all,

Based on the feedback we got and the relatively low cost to maintain privileged support we'd like to propose making running privileged containers on the platform configurable - we will recommend this be turned off when running untrusted workloads and it will likely default to off. We have longer term plans to support mounting persistent volumes in Diego at which point support for mounting FUSE in unprivileged containers can become a reality.

Thoughts?

Onsi

On Mon, Jul 13, 2015 at 4:42 AM, Daniel Mikusa <dmikusa(a)pivotal.io> wrote:
On Mon, Jul 13, 2015 at 2:48 AM, Lerenc, Vedran <vedran.lerenc(a)sap.com> wrote:
Hi Onsi,



Ø Thoughts? Concerns?



Well, that’s bad news.



We, and I assume many others as well (like the folks from Stackato who do it in the public), have used SSHFS + FUSE to implement a persistent file system for old-fashioned apps/apps that are not Cloud-native. I don’t want to fight an ideological battle here, it’s just that these apps do still exist (in majority) and a file system service is an important service/feature for them.



So if you remove FUSE (which we thought is not going away/was added to stay), it’s pretty bad for us/many apps.



Best regards, Vedran
+1 - It would be sad to see FUSE support go away. It's been very helpful for running apps that depend on a persistent FS, like Wordpress. Perhaps this use case of mounting a remote SSHFS could be supported in some other way?

Dan







From: Onsi Fakhouri
Reply-To: "Discussions about Cloud Foundry projects and the system overall."
Date: Saturday 11 July 2015 01:10
To: cf-dev
Subject: [cf-dev] Removing FUSE support from CF



Hey CF-Dev,



The Garden team has been hard at work substantially improving Garden-Linux's security features. Garden-Linux now employs user namespaces and drops capabilities when creating unprivileged containers - we're excited to bring both of these features to the platform!



Diego currently runs applications in privileged containers. These lack the security features outlined above and we are planning on switching to launch all CF applications in unprivileged containers.



Unfortunately, it has proved difficult to support mounting FUSE filesystems from within unprivileged containers. We believe the security benefits outweigh the features that FUSE give us and are planning on removing support for FUSE in favor of better securing our containers. If/when FUSE support in unprivileged containers becomes possible we may add it back to the platform.



Thoughts? Concerns?



Thanks!



Onsi


_______________________________________________
cf-dev mailing list
cf-dev(a)lists.cloudfoundry.org
https://lists.cloudfoundry.org/mailman/listinfo/cf-dev

_______________________________________________
cf-dev mailing list
cf-dev(a)lists.cloudfoundry.org
https://lists.cloudfoundry.org/mailman/listinfo/cf-dev


--
-- Matt

_______________________________________________
cf-dev mailing list
cf-dev(a)lists.cloudfoundry.org
https://lists.cloudfoundry.org/mailman/listinfo/cf-dev

_______________________________________________
cf-dev mailing list
cf-dev(a)lists.cloudfoundry.org
https://lists.cloudfoundry.org/mailman/listinfo/cf-dev


--
-- Matt

_______________________________________________
cf-dev mailing list
cf-dev(a)lists.cloudfoundry.org
https://lists.cloudfoundry.org/mailman/listinfo/cf-dev

_______________________________________________
cf-dev mailing list
cf-dev(a)lists.cloudfoundry.org
https://lists.cloudfoundry.org/mailman/listinfo/cf-dev
_______________________________________________
cf-dev mailing list
cf-dev(a)lists.cloudfoundry.org
https://lists.cloudfoundry.org/mailman/listinfo/cf-dev
_______________________________________________
cf-dev mailing list
cf-dev(a)lists.cloudfoundry.org
https://lists.cloudfoundry.org/mailman/listinfo/cf-dev


Re: Removing FUSE support from CF

Julz Friedman
 

Hi Guillaume, I'd put it like this: running containers with 'privileged: false' makes them safe /even if/ a user gets root. With a docker image this is essential, because getting root is trivial. With a buildpack image this is less essential, but it means /even if/ a root escalation exploit is found (these do exist, there was an escalation via overlayfs patched a while ago) you're still safe. 'Privileged: false' turns on user namespacing and turns off various capabilities: it's what the Garden team recommend most containers use. 'Privileged: true' relies on the security of your rootfs and users never getting root; if your use case requires it you'll of course need to make a judgement, but you're trading off quite a lot of security in my opinion.

Sent from my iPhone

On 30 Jul 2015, at 17:12, Guillaume Berche <bercheg(a)gmail.com> wrote:

Thanks Onsi. Being able to use FUSE is quite important to us too.

Can you clarify the security risk associated with running a privileged container (as a workaround for the lack of fuse support within user namespace), when pushing an app that goes through the buildpack staging process (hence running as vcap user) ?

From http://godoc.org/github.com/cloudfoundry-incubator/garden I see
// If Privileged is true the container does not have a user namespace and the root user in the container
// is the same as the root user in the host. Otherwise, the container has a user namespace and the root
// user in the container is mapped to a non-root user in the host. Defaults to false.
Privileged bool `json:"privileged,omitempty"`

I understand the risk is specific to running a docker image built using the docker file USER directive (specially root): then the container will run as the host root ?

BTW, is the ability to run as a different user in staging and running currently considered as discussed into https://groups.google.com/a/cloudfoundry.org/d/msg/vcap-dev/ZlC-2DVOSHo/uRrF6Io52mEJ ?

Thanks,

Guillaume.

On Thu, Jul 30, 2015 at 3:27 AM, Jack Cai <greensight(a)gmail.com> wrote:
+1 for space-level configuration.

Jack

On Wed, Jul 29, 2015 at 2:04 PM, Matt Cowger <matt(a)cowger.us> wrote:
We're wary of adding too many knobs to the platform and exposing them all the way down to app developers increases the cognitive load for folks using the platform. Enabling/disabling it on a per-installation level, and - maybe - a per-space level, might be a decent compromise?
Agreed. I'd argue this this probably not be a 'per-app' thing, as I too amy way of the knobs that developers like to turn. I think a per space level is just the right level.

On Wed, Jul 29, 2015 at 10:20 AM, Onsi Fakhouri <ofakhouri(a)pivotal.io> wrote:
That's still very much open for discussion. Obviously, someone with administrative privileges should be in charge of this particular piece of configuration.

Also making this a runtime config (e.g. feature flag) as opposed to a deploy-time config (e.g. part of the CC config written out by BOSH) would make the different behaviors more testable.

Thoughts? Preferences? We're wary of adding too many knobs to the platform and exposing them all the way down to app developers increases the cognitive load for folks using the platform. Enabling/disabling it on a per-installation level, and - maybe - a per-space level, might be a decent compromise?

Onsi



On Wed, Jul 29, 2015 at 9:54 AM, Matt Cowger <matt(a)cowger.us> wrote:
Once - configurable on a per-app, per space, or per deployment basis?

On Wed, Jul 29, 2015 at 9:50 AM, Onsi Fakhouri <ofakhouri(a)pivotal.io> wrote:
Hey all,

Based on the feedback we got and the relatively low cost to maintain privileged support we'd like to propose making running privileged containers on the platform configurable - we will recommend this be turned off when running untrusted workloads and it will likely default to off. We have longer term plans to support mounting persistent volumes in Diego at which point support for mounting FUSE in unprivileged containers can become a reality.

Thoughts?

Onsi

On Mon, Jul 13, 2015 at 4:42 AM, Daniel Mikusa <dmikusa(a)pivotal.io> wrote:
On Mon, Jul 13, 2015 at 2:48 AM, Lerenc, Vedran <vedran.lerenc(a)sap.com> wrote:
Hi Onsi,



Ø Thoughts? Concerns?



Well, that’s bad news.



We, and I assume many others as well (like the folks from Stackato who do it in the public), have used SSHFS + FUSE to implement a persistent file system for old-fashioned apps/apps that are not Cloud-native. I don’t want to fight an ideological battle here, it’s just that these apps do still exist (in majority) and a file system service is an important service/feature for them.



So if you remove FUSE (which we thought is not going away/was added to stay), it’s pretty bad for us/many apps.



Best regards, Vedran
+1 - It would be sad to see FUSE support go away. It's been very helpful for running apps that depend on a persistent FS, like Wordpress. Perhaps this use case of mounting a remote SSHFS could be supported in some other way?

Dan







From: Onsi Fakhouri
Reply-To: "Discussions about Cloud Foundry projects and the system overall."
Date: Saturday 11 July 2015 01:10
To: cf-dev
Subject: [cf-dev] Removing FUSE support from CF



Hey CF-Dev,



The Garden team has been hard at work substantially improving Garden-Linux's security features. Garden-Linux now employs user namespaces and drops capabilities when creating unprivileged containers - we're excited to bring both of these features to the platform!



Diego currently runs applications in privileged containers. These lack the security features outlined above and we are planning on switching to launch all CF applications in unprivileged containers.



Unfortunately, it has proved difficult to support mounting FUSE filesystems from within unprivileged containers. We believe the security benefits outweigh the features that FUSE give us and are planning on removing support for FUSE in favor of better securing our containers. If/when FUSE support in unprivileged containers becomes possible we may add it back to the platform.



Thoughts? Concerns?



Thanks!



Onsi


_______________________________________________
cf-dev mailing list
cf-dev(a)lists.cloudfoundry.org
https://lists.cloudfoundry.org/mailman/listinfo/cf-dev

_______________________________________________
cf-dev mailing list
cf-dev(a)lists.cloudfoundry.org
https://lists.cloudfoundry.org/mailman/listinfo/cf-dev


--
-- Matt

_______________________________________________
cf-dev mailing list
cf-dev(a)lists.cloudfoundry.org
https://lists.cloudfoundry.org/mailman/listinfo/cf-dev

_______________________________________________
cf-dev mailing list
cf-dev(a)lists.cloudfoundry.org
https://lists.cloudfoundry.org/mailman/listinfo/cf-dev


--
-- Matt

_______________________________________________
cf-dev mailing list
cf-dev(a)lists.cloudfoundry.org
https://lists.cloudfoundry.org/mailman/listinfo/cf-dev

_______________________________________________
cf-dev mailing list
cf-dev(a)lists.cloudfoundry.org
https://lists.cloudfoundry.org/mailman/listinfo/cf-dev
_______________________________________________
cf-dev mailing list
cf-dev(a)lists.cloudfoundry.org
https://lists.cloudfoundry.org/mailman/listinfo/cf-dev


Re: Is Garden limiting disk IOs ?

Will Pragnell <wpragnell@...>
 

Hi Guillaume,

No, Garden-Linux does not currently do any disk IO limiting.

Thanks,
Will

On 30 July 2015 at 17:24, Guillaume Berche <bercheg(a)gmail.com> wrote:

Out of curiosity, I'd like to understand whether Garden is limiting disk
IOs, similar to [2].

I do see disk space, inodes..., and network IOs limits described into [1]
but did not find block IOs.

Thanks in advance,

Guillaume.

[1] http://godoc.org/github.com/cloudfoundry-incubator/garden
[2]
https://github.com/appc/spec/blob/master/spec/ace.md#resourceblock-bandwidth


_______________________________________________
cf-dev mailing list
cf-dev(a)lists.cloudfoundry.org
https://lists.cloudfoundry.org/mailman/listinfo/cf-dev


Java Buildpack v3.1.1

Christopher Frost
 

I'm pleased to announce the release of the java-buildpack, version 3.1.1. This
release ensures that the dependencies contained in the offline buildpack
are up to date.

For a more detailed look at the changes in 3.1.1, please take a look
at the commit
log <https://github.com/cloudfoundry/java-buildpack/compare/v3.1...v3.1.1>.
Packaged versions of the buildpack, suitable for use with create-buildpack
and update-buildpack, can be found attached to this release
<https://github.com/cloudfoundry/java-buildpack/releases/tag/v3.1.1>.
*Packaged Dependencies*

- AppDynamics Agent: 4.0.7_0
- GemFire 8.0.0
- GemFire Modules 8.0.0.1
- GemFire Modules Tomcat7 8.0.0.1
- GemFire Security 8.0.0
- Groovy: 2.4.4
- JRebel 6.2.2
- MariaDB JDBC: 1.1.9
- Memory Calculator (centos6): 1.1.1.RELEASE
- Memory Calculator (lucid): 1.1.1.RELEASE
- Memory Calculator (mountainlion): 1.1.1.RELEASE
- Memory Calculator (precise): 1.1.1.RELEASE
- Memory Calculator (trusty): 1.1.1.RELEASE
- New Relic Agent: 3.18.0
- OpenJDK JRE (centos6): 1.8.0_51
- OpenJDK JRE (lucid): 1.8.0_51
- OpenJDK JRE (mountainlion): 1.8.0_51
- OpenJDK JRE (precise): 1.8.0_51
- OpenJDK JRE (trusty): 1.8.0_51
- Play Framework JPA Plugin: 1.7.0.RELEASE
- PostgreSQL JDBC: 9.4.1201
- RedisStore: 1.2.0_RELEASE
- Spring Auto-reconfiguration: 1.7.0_RELEASE
- Spring Boot CLI: 1.2.5_RELEASE
- Tomcat Access Logging Support: 2.4.0_RELEASE
- Tomcat Lifecycle Support: 2.4.0_RELEASE
- Tomcat Logging Support: 2.4.0_RELEASE
- Tomcat: 8.0.24


Christopher Frost - Pivotal UK
Java Buildpack Team

8401 - 8420 of 9422