Re: Can't push app due to expired certificate

Daniel Mikusa
 

I've reported this and we're working on it.

For what it's worth, this should only affect the Java build pack. I don't
believe the other ones are using that URL. If you're seeing the message
with other build packs, it might be because you aren't setting a specific
build pack for your app (i.e. you are relying on the detect behavior of the
build packs). For non-Java apps if you set a build pack with `-b` or the
`buildpacks` attribute, I believe it should clear up the message.

Dan

On Mon, Aug 31, 2015 at 9:42 AM, Aleksey Zalesov <
aleksey.zalesov(a)altoros.com> wrote:

Can you clarify how I can do this?

It is not a problem with our installation's SSL cert that can be skipped with
--skip-ssl-validation.

Aleksey Zalesov | CloudFoundry Engineer | Altoros
Tel: (617) 841-2121 ext. 5707 | Toll free: 855-ALTOROS
Fax: (866) 201-3646 | Skype: aleksey_zalesov
www.altoros.com | blog.altoros.com | twitter.com/altoros

On 31 Aug 2015, at 16:18, Quintessence Anx <qanx(a)starkandwayne.com> wrote:

Are you able to work around the issue by skipping SSL validation?
On Aug 31, 2015 9:10 AM, "Kei YAMAZAKI" <daydream.yamazaki(a)gmail.com>
wrote:

Hi all,

I encountered the same problem.
The same problem has occurred even on PWS.
Please fix as soon as possible.


Re: Can't push app due to expired certificate

Aleksey Zalesov
 

Can you clarify how I can do this?

It is not a problem with our installation's SSL cert that can be skipped with --skip-ssl-validation.

Aleksey Zalesov | CloudFoundry Engineer | Altoros
Tel: (617) 841-2121 ext. 5707 | Toll free: 855-ALTOROS
Fax: (866) 201-3646 | Skype: aleksey_zalesov
www.altoros.com | blog.altoros.com | twitter.com/altoros

On 31 Aug 2015, at 16:18, Quintessence Anx <qanx(a)starkandwayne.com> wrote:

Are you able to work around the issue by skipping SSL validation?

On Aug 31, 2015 9:10 AM, "Kei YAMAZAKI" <daydream.yamazaki(a)gmail.com> wrote:

Hi all,

I encountered the same problem.
The same problem has occurred even on PWS.
Please fix as soon as possible.


Re: Can't push app due to expired certificate

Quintessence Anx
 

Are you able to work around the issue by skipping SSL validation?

On Aug 31, 2015 9:10 AM, "Kei YAMAZAKI" <daydream.yamazaki(a)gmail.com> wrote:

Hi all,

I encountered the same problem.
The same problem has occurred even on PWS.
Please fix as soon as possible.


Re: Can't push app due to expired certificate

Sylvain Gibier
 

Yup - I can confirm as well. All buildpacks relying on
download.run.pivotal.io are failing now.

S.

On Mon, Aug 31, 2015 at 3:10 PM, Kei YAMAZAKI <daydream.yamazaki(a)gmail.com>
wrote:

Hi all,

I encountered the same problem.
The same problem has occurred even on PWS.
Please fix as soon as possible.


Re: Can't push app due to expired certificate

Kei YAMAZAKI
 

Hi all,

I encountered the same problem.
The same problem has occurred even on PWS.
Please fix as soon as possible.


Can't push app due to expired certificate

Aleksey Zalesov
 

Hello! Today we can't push apps to CF due to the expired SSL certificate of
download.run.pivotal.io.

<http://cf-dev.70369.x6.nabble.com/file/n1404/Screen_Shot_2015-08-31_at_15.png>

Here are CF app logs:

2015-08-31T17:36:18.57+0530 [STG/0] ERR [DownloadCache] WARN Unable to download https://download.run.pivotal.io/memory-calculator/trusty/x86_64/index.yml into cache /tmp: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed

Please fix the cert.

P.S. This issue is for Open Source CF, not Pivotal CF!






Generic data points for dropsonde

Benjamin Black
 

All,

The existing dropsonde protocol uses a different message type for each
event type. HttpStart, HttpStop, ContainerMetrics, and so on are all
distinct types in the protocol definition. This requires protocol changes
to introduce any new event type, making such changes very expensive. We've
been working for the past few weeks on an addition to the dropsonde
protocol to support easier future extension to new types of events and to
make it easier for users to define their own events.

The document linked below [1] describes a generic data point message
capable of carrying multi-dimensional, multi-metric points as sets of
name/value pairs. This new message is expected to be added as an additional
entry in the existing dropsonde protocol metric type enum. Things are now
at a point where we'd like to get feedback from the community before moving
forward with implementation.

Please contribute your thoughts on the document in whichever way you are
most comfortable: comments on the document, email here, or email directly
to me. If you comment on the document, please make sure you are logged in
so we can keep track of who is asking for what. Your views are not just
appreciated, but critical to the continued health and success of the Cloud
Foundry community. Thank you!


b

[1]
https://docs.google.com/document/d/1SzvT1BjrBPqUw6zfSYYFfaW9vX_dTZZjn5sl2nxB6Bc/edit?usp=sharing


Re: SSH into a pushed Docker image

Matthew Sykes <matthew.sykes@...>
 

The diego ssh daemon is a statically linked binary so if you have a /bin/sh
or a /bin/bash in your docker image, it should work. The scp support is
also baked in so you don't need that binary at the target either.

On Fri, Aug 28, 2015 at 4:21 PM, James Bayer <jbayer(a)pivotal.io> wrote:

diego ssh support should work with docker images. there likely are some
minimal prerequisites for things in the image like a shell or whatever
executables you would try with ssh. here is my output from the
cloudfoundry/lattice-app docker image

lattice is about to have tcp router support included. it will take a
little while longer to get it into full CF.

$ cf ssh jbayer-lattice-app

BusyBox v1.21.1 (Ubuntu 1:1.21.0-1ubuntu1) built-in shell (ash)
Enter 'help' for a list of built-in commands.

~ # ls -al
total 6820
drwxr-xr-x 1 root root 84 Aug 28 20:18 .
drwxr-xr-x 1 root root 84 Aug 28 20:18 ..
drwxr-xr-x 1 root root 2336 Aug 28 20:18 bin
drwxr-xr-x 1 root root 122 Aug 28 20:18 dev
drwxr-xr-x 1 root root 108 Aug 28 20:18 etc
-rwxr-xr-x 1 root root 6971512 Aug 28 01:54 lattice-app
drwxr-xr-x 1 root root 400 May 22 2014 lib
lrwxrwxrwx 1 root root 3 May 22 2014 lib64 -> lib
dr-xr-xr-x 187 65534 65534 0 Aug 28 20:18 proc
lrwxrwxrwx 1 root root 3 May 22 2014 sbin -> bin
dr-xr-xr-x 13 65534 65534 0 Aug 28 20:18 sys
drwxrwxrwt 1 root root 40 Aug 28 20:18 tmp


On Fri, Aug 28, 2015 at 11:43 AM, Jack Cai <greensight(a)gmail.com> wrote:

The SSH support in Diego is awesome. I'm wondering whether it's possible
to SSH into a pushed Docker image as well? If yes, what needs to be done in
the docker image in order to get it working?

Meanwhile, I suppose the tcp-routing support is still not available in
Diego, right?

Thanks in advance!

Jack


--
Thank you,

James Bayer
--
Matthew Sykes
matthew.sykes(a)gmail.com


Re: SSH into a pushed Docker image

James Bayer
 

diego ssh support should work with docker images. there likely are some
minimal prerequisites for things in the image like a shell or whatever
executables you would try with ssh. here is my output from the
cloudfoundry/lattice-app docker image

lattice is about to have tcp router support included. it will take a little
while longer to get it into full CF.

$ cf ssh jbayer-lattice-app

BusyBox v1.21.1 (Ubuntu 1:1.21.0-1ubuntu1) built-in shell (ash)
Enter 'help' for a list of built-in commands.

~ # ls -al
total 6820
drwxr-xr-x 1 root root 84 Aug 28 20:18 .
drwxr-xr-x 1 root root 84 Aug 28 20:18 ..
drwxr-xr-x 1 root root 2336 Aug 28 20:18 bin
drwxr-xr-x 1 root root 122 Aug 28 20:18 dev
drwxr-xr-x 1 root root 108 Aug 28 20:18 etc
-rwxr-xr-x 1 root root 6971512 Aug 28 01:54 lattice-app
drwxr-xr-x 1 root root 400 May 22 2014 lib
lrwxrwxrwx 1 root root 3 May 22 2014 lib64 -> lib
dr-xr-xr-x 187 65534 65534 0 Aug 28 20:18 proc
lrwxrwxrwx 1 root root 3 May 22 2014 sbin -> bin
dr-xr-xr-x 13 65534 65534 0 Aug 28 20:18 sys
drwxrwxrwt 1 root root 40 Aug 28 20:18 tmp

On Fri, Aug 28, 2015 at 11:43 AM, Jack Cai <greensight(a)gmail.com> wrote:

The SSH support in Diego is awesome. I'm wondering whether it's possible
to SSH into a pushed Docker image as well? If yes, what needs to be done in
the docker image in order to get it working?

Meanwhile, I suppose the tcp-routing support is still not available in
Diego, right?

Thanks in advance!

Jack

--
Thank you,

James Bayer


SSH into a pushed Docker image

Jack Cai
 

The SSH support in Diego is awesome. I'm wondering whether it's possible to
SSH into a pushed Docker image as well? If yes, what needs to be done in the
docker image in order to get it working?

Meanwhile, I suppose the tcp-routing support is still not available in
Diego, right?

Thanks in advance!

Jack


Re: CF Release Acceptance Test Changes

Mike Youngstrom
 

Excellent addition. One less reason for us to maintain our acceptance test
fork.

Mike

On Fri, Aug 14, 2015 at 5:38 PM, Zachary Auerbach <zauerbach(a)pivotal.io>
wrote:

The CF Acceptance Tests have been modified so that users can configure
them to run with HTTPS or HTTP. By default the settings have been changed
from HTTP to HTTPS. If you need to run them in HTTP mode for development
(like bosh-lite) then you can set the `"use_http": true` property in the
integration json config. This property can also be set for the
acceptance-test errand in your CF manifest.

Zak + Dan
CF OSS Integration
"Defender of the Universe"

--
-Zak
CF Voltron
"Defender of the Universe"


Re: Logstash and Multiline Log Entry

Mike Youngstrom
 

I replied a while ago but it appears the mailing list dropped it. Here is
another attempt.

Thanks for the response Erik.

{quote}
* Loggregator's dropsonde protocol didn't allow for a clean way to
enforce/tag multi-line data consistency - something we are about to put
forward a proposal to remedy.
** Timestamps are not a clean mechanism for reliably re-assembling a
multi-line log - some combination of app-instance and order-of-output would
need to be tacked on, or a decent vector-time implementation.
{quote}

It seems these features above are focused on breaking apart a multi-line
event into multiple events then re-assembling them somewhere else. I think
I've been looking at the issue from a different perspective. I've been
looking for ways to allow an application to get multiple lines into a
single Loggregator event. That would be good enough to solve my problems
without all the complexity of breaking up and reassembling a series of
events. Even if Loggregator had ways to add metadata to join multiple
events into 1 we are still faced with the problem of how the
dea_logging_agent knows when an app logs multiple stdout/err lines when
should those be considered a multi-line message.

Do you have any thoughts on how an app might hint to the logging agent that
a message is a multi-line message? It seems to me that is the real problem
I need solved. Or am I missing something?

Mike

On Tue, Aug 11, 2015 at 1:26 PM, Erik Jasiak <mjasiak(a)pivotal.io> wrote:

Hi Steve and Simon; hello again Mike,

First, apologies for the delay in reply on this one- I've also been
trying to come up with a simple, short answer to this problem. I failed.

Here are the high-level, non-technical answers:
1) Yes, we'd love to enable multi-line logging. Regardless of any
other challenges, we know that there's interest.
2) The problem is multi-layered, and extends beyond loggregator.
2a) Most of the problems with multi-line logging that overlap
loggregator also overlap "general scalability" - problems we've been
handling as part of moving toward collector retirement.
3) We have a hack day project looking at anything "quick and dirty" to
help fix this.
4) Redirecting app logs have known workarounds (eg in Java: via log4j
or similar) while we tackled this - not preferred at all, but do-able.

#########

Technical answers: Loggregator's goals are "Fast, thorough, dumb."
Multi-line logging - as handled by loggregator - has no clean way of
working at the moment w/o violating "fast" or "dumb" principles today.
We're getting there though.

Here's how we've been working towards a fix:
* Syslog drains were not performant enough, or could not handle
large java traces - something we recently fixed[1][2][3] and are going to
email about separately.
* Horizontal scalability allows for overall better performance and
reliability, but pushes the cost on data consistency to the edges of
loggregator (hence nozzles, injectors.)
* Loggregator's dropsonde protocol didn't allow for a clean way to
enforce/tag multi-line data consistency - something we are about to put
forward a proposal to remedy.
** Timestamps are not a clean mechanism for reliably re-assembling a
multi-line log - some combination of app-instance and order-of-output would
need to be tacked on, or a decent vector-time implementation. We'd need a
way to add this metadata that would allow for re-assembly (see protocol
item above). We'd also have to add extra info at DEA or garden without
sacrificing performance - and we know that the DEA logging agent today
already has questions around "acceptable" performance.

So a multiline fix intersects our goals today. I will do my best to
highlight stories that help us with multi-line logging, and we need to do a
better job at communicating that we're working toward it, even if it's not
the obvious target goal.

,
Erik

[1] https://www.pivotaltracker.com/story/show/99494586
[2] https://www.pivotaltracker.com/story/show/97928938
[3] https://www.pivotaltracker.com/story/show/100163298


Steve Wall wrote:

Now I see what that means. Each line of a multiline log message could be
sent to a different logstash server. Definitely problematic. Especially
with the ephemeral nature of the CF logs there needs to be a viable
solution to persist the logs and syslog seems to be a natural solution. I'm
located in Denver and attend the local CF meetups held in the Pivotal
offices. I believe some LAMB devs attend. I'll be sure to bring it up with
them.
-Steve

On Wed, Jul 29, 2015 at 9:47 AM, Mike Youngstrom <youngm(a)gmail.com> wrote:

Thanks Steve. Though I'm no logstash expert, I assume this won't work if
you have multiple logstash machines doing filtering like Simon mentioned,
right? The same is true for us with splunk if you are forwarding logs to more
than one indexer via the REST api. I'd still like to have a discussion
with Erik about this problem to see if he thinks there is anything that can be
done in loggregator to help.

Mike

On Wed, Jul 29, 2015 at 9:00 AM, Steve Wall <
steve.wall(a)primetimesoftware.com> wrote:

Here's a suggested pattern to handle stack traces.


http://stackoverflow.com/questions/31657863/logstash-and-multiline-log-entry-from-cloud-foundry?noredirect=1#comment51279061_31657863


On Mon, Jul 27, 2015 at 11:02 AM, Mike Youngstrom <youngm(a)gmail.com>
wrote:

Yet another request for improved multi line log message handling. Is
there any update from the LAMB team on plans to improve this problem?
There have been several proposed solutions but I'm not aware of anything
actually making it into the LAMB tracker. It would be great if we could
hear from Erik on this issue. Does the LAMB team believe it is not an
issue? Are there plans to improve this situation? Whatever the
perspective, let's discuss it as a community and see if there are any options
better than the current. I'd really like to see something turned into a
tracker issue if there are better options.

Mike

[0]
http://lists.cloudfoundry.org/pipermail/cf-dev/2015-June/000423.html
[1] http://lists.cloudfoundry.org/pipermail/cf-dev/2015-May/000083.html
[2]
https://groups.google.com/a/cloudfoundry.org/forum/?utm_medium=email&utm_source=footer#!msg/vcap-dev/B1W6_vO0oyo/84X1eAtFsKoJ

On Mon, Jul 27, 2015 at 9:47 AM, Simon Johansson <
simon(a)simonjohansson.com> wrote:

This is a tricky one. Especially if you have more than one logstash
machine doing filtering as they will do filtering independently of each
other as the events come in.

The reason why CF adds a timestamp to each line is because of how syslog
works, where each line is its own event.

What we tend to do in my company is to log this kind of stuff via GELF
or with Sentry.

On Mon, Jul 27, 2015 at 5:41 PM, Steve Wall <stevewallone(a)gmail.com>
wrote:

Hello,
We are sending CF log messages to an ELK stack. Multiline log
messages are broken out into several log messages in Logstash. One end per
line of the multiline log message. This is problematic when stack traces are
dumped to the log. Each line of the stack trace is translated into a log
message. Trying to view this through Kibana is nearly impossible. Logstash
provides a Grok feature allowing for the manipulation of the log messages.
One common solution is to create a Grok filter that uses a timestamp to
indicate when a log entry starts and to combine all lines until the next
timestamp into one log message. The problem is that CF adds a timestamp to
every line. Has anyone come up with a good Grok expression to handle
multiline log messages coming out of CF?
Thanks!
Steve



_______________________________________________
cf-dev mailing list
cf-dev(a)lists.cloudfoundry.org
https://lists.cloudfoundry.org/mailman/listinfo/cf-dev
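
The re-assembly idea discussed in this thread (group by app instance and order of output rather than by timestamp), as an added Python example that is not code from the thread or from Loggregator or Logstash. The line layout follows the staging log quoted earlier on this page; the continuation pattern for Java stack traces and the sample lines are assumptions constructed for illustration.

```python
import re

# Line shape as in the staging log quoted earlier on this page:
#   <timestamp> [<source>/<instance>] <OUT|ERR> <message>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \[(?P<source>[^/\]]+)/(?P<instance>\d+)\] "
    r"(?P<stream>OUT|ERR) (?P<msg>.*)$"
)

# Assumed heuristic: what a Java stack-trace continuation line looks like.
CONTINUATION_RE = re.compile(r"^(\s+at |\s+\.\.\. \d+ more|Caused by: )")

# Constructed sample: two instances interleaved, identical timestamps,
# and a stdout line arriving in the middle of a stderr stack trace.
SAMPLE = [
    "2015-07-27T17:41:00.10+0000 [App/0] ERR java.lang.IllegalStateException: boom",
    "2015-07-27T17:41:00.10+0000 [App/1] ERR java.io.IOException: disk",
    "2015-07-27T17:41:00.10+0000 [App/0] ERR \tat com.example.A.run(A.java:10)",
    "2015-07-27T17:41:00.10+0000 [App/1] ERR \tat com.example.B.read(B.java:7)",
    "2015-07-27T17:41:00.11+0000 [App/0] OUT request served",
    "2015-07-27T17:41:00.11+0000 [App/0] ERR Caused by: java.lang.NullPointerException",
    "2015-07-27T17:41:00.11+0000 [App/0] ERR \t... 3 more",
]


def reassemble(lines):
    """Merge continuation lines into the event that precedes them on the
    same (source, instance, stream), using arrival order, not timestamps."""
    events = []       # all events, in the order their first line arrived
    open_event = {}   # key -> index in `events` of that key's latest event
    for raw in lines:
        m = LINE_RE.match(raw)
        if m is None:
            # Keep unparseable input visible instead of dropping it.
            events.append({"ts": None, "key": None, "message": raw})
            continue
        key = (m["source"], m["instance"], m["stream"])
        msg = m["msg"]
        if CONTINUATION_RE.match(msg) and key in open_event:
            events[open_event[key]]["message"] += "\n" + msg
        else:
            events.append({"ts": m["ts"], "key": key, "message": msg})
            open_event[key] = len(events) - 1
    return events


if __name__ == "__main__":
    for event in reassemble(SAMPLE):
        print(event["key"], repr(event["message"]))
```

This only works where one consumer sees every line for a given key in order; with several Logstash machines filtering independently, as described in the thread, lines would first have to be routed by that key to the same machine.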




Re: Placement Pools

James Bayer
 

we've been using a new term for the same concept we've previously labeled
placement pools called "isolation groups".

onsi has been working on some documentation for what this may look like and
the requirements, but the work has not started. i believe onsi will share
something soon.

so today, the way to accomplish this need to place apps on specific
infrastructure is to use separate CF installations.

On Fri, Aug 28, 2015 at 8:50 AM, Matt Cholick <cholick(a)gmail.com> wrote:

More than a year ago, there was some discussion and a proposal around
adding placement pools so cloud foundry admins could better target how
applications were placed on runners:

https://docs.google.com/document/d/1GNjQwGBh0BvfAYpX0LTUYn6h4oLz7v4P9pNy0xHZtMw/edit#

Did this work gain traction? I've looked through the release notes as well
as MEGA and CF Diego's public trackers and don't see stories for this work
either done or planned, though it could also be that I'm just not finding
it.

My goal is to place canary apps in specifically Z1 or Z2, as well as place
some internally used apps that, for networking reasons, should be in one
zone or the other.

-Matt Cholick

--
Thank you,

James Bayer


Placement Pools

Matt Cholick
 

More than a year ago, there was some discussion and a proposal around
adding placement pools so cloud foundry admins could better target how
applications were placed on runners:
https://docs.google.com/document/d/1GNjQwGBh0BvfAYpX0LTUYn6h4oLz7v4P9pNy0xHZtMw/edit#

Did this work gain traction? I've looked through the release notes as well
as MEGA and CF Diego's public trackers and don't see stories for this work
either done or planned, though it could also be that I'm just not finding
it.

My goal is to place canary apps in specifically Z1 or Z2, as well as place
some internally used apps that, for networking reasons, should be in one
zone or the other.

-Matt Cholick


Proposal for blacklisting public service plans

Sandy Cash Jr <lhcash@...>
 

Hi all,

In our deployment we have a number of customers who want to be able, as
organization owners, to block access to specific public services from their
org members. I have put together a proposal for a feature to implement
this capability at:

https://docs.google.com/document/d/1AJ5R38Agacrhse4pI9dA0-ix5XFyLu5Mz5oDp1FQBiU/edit?usp=sharing

Dieu has already provided some comments/questions, to which I've tried to
provide cogent responses, so please take a look at the comments thread as
well.

Thanks,

-Sandy


--
Sandy Cash
Certified Senior IT Architect/Senior SW Engineer
IBM BlueMix
lhcash(a)us.ibm.com
(919) 543-0209

"I skate to where the puck is going to be, not to where it has been." -
Wayne Gretzky


Re: Update on Mailman 3 launch

Marco Voelz
 

Hi Eric,

Just to confirm, did you leave it enabled in "mime digest" mode for longer than
a day so that there was list traffic to bundle and digest for you? I don't see any
errors in the error log related to MIME digest sends, but see about reproducing this today
and submit a bug.
Yes, I can confirm that I left mime digest on for several days and there were mails which I didn't receive. Note that regular digests aren't working for me, either. Currently the only working setting seems to be single mail delivery, which is not my preferred setting.

Did you manage to reproduce that?

The preference lookup appears to give precedence to the settings on the subscription, then
on the address, then on the user ("global"), and finally on the system
default—it stops at the first defined value it sees. I'll file a bug to have some
better clarification in the UI.
Great, thanks for the bug and the explanation!

Warm regards
Marco


Travel Sponsorships for Cloud Foundry Advocates

Stormy
 

Today we announced that we will help sponsor Cloud Foundry Meetups, and
outreach in general, by helping to fund travel for speakers.

https://www.cloudfoundry.org/supporting-cloud-foundry-meetups-and-their-speakers-with-travel/

Please feel free to apply if you can help teach others about Cloud Foundry.
And please encourage others! Sometimes the best speakers (and that probably
includes you!) don't realize they would be great teachers. :)

Let me know if you have questions.

Best,

Stormy


Re: Self-signed cert for registry failing on stager

James Bayer
 

perhaps see if the lattice instructions for private registries have any
hints for you: http://lattice.cf/docs/private-docker-registry/

On Thu, Aug 27, 2015 at 4:50 PM, Tom Sherrod <tom.sherrod(a)gmail.com> wrote:

Successfully deployed from a registry with a public cert.
A registry with a private/self-signed cert fails at the stager.
I've got the name of the registry in insecure_docker_registry_list and
insecure_docker_registry: true in the manifest.
On the cell, the garden-linux process is running with
-insecureDockerRegistryList=theregistryname.
On the stager, the stager process is running with -insecureDockerRegistry
-logLevel=info
Shouldn't theregistryname also be in stager arguments?

The error:
2015-08-27T18:43:00.50-0400 [STG/0] ERR builder exited with error:
failed to fetch metadata from [theregistryname/tom/diegotest] with tag
[latest] and insecure registries [] due to Invalid registry endpoint
https://theregistryname/v1/: Get https://theregistryname/v1/_ping: x509:
certificate signed by unknown authority. If this private registry supports
only HTTP or HTTPS with an unknown CA certificate, please add
`--insecure-registry theregistryname` to the daemon's arguments. In the
case of HTTPS, if you have access to the registry's CA certificate, no need
for the flag; simply place the CA certificate at
/etc/docker/certs.d/theregistryname/ca.crt

(change the hostname to "theregistryname" in this message...the real
hostname can be resolved and reached on each machine)
--
Thank you,

James Bayer
