Initialization script for SSHFS

Cory Jett
 

I am looking for a way to push an application (ruby/node/java) and have a script run prior to the application starting that will set up SSHFS and move some of the content onto the share before the application starts. I was able to get the sample wordpress application working, which includes this script that does exactly that, but it is written in Python: https://github.com/dmikusa-pivotal/cf-ex-wordpress/blob/master/.extensions/wordpress/extension.py. Ideally, I would have a generic shell script that would run and set up SSHFS on deployment.

I attempted to accomplish this using a shell script in .profile.d but haven't been able to get it working. If I get into a container and run the shell script it works fine. This is the script (which follows the same pattern as the wordpress python script, just in bash):


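#!/bin/bash
# Move the SSH material pushed with the app into the home directory
mv "$HOME/app/.ssh" "$HOME/"
chmod 644 "$HOME"/.ssh/*
# The private key must be readable by its owner only
chmod 600 "$HOME/.ssh/sshfs_rsa"
# Park the content, mount the share over an empty directory, then move the content onto it
mv "$HOME/app/main.rb" /tmp/
mkdir -p "$HOME/app/SSHFS/"
sshfs root@192.168.1.15:/root/ssh_target/ "$HOME/app/SSHFS" -o IdentityFile="$HOME/.ssh/sshfs_rsa" -o StrictHostKeyChecking=yes -o UserKnownHostsFile="$HOME/.ssh/known_hosts" -o idmap=user -o cache=yes -o kernel_cache -o compression=no -o large_read
mv /tmp/main.rb "$HOME/app/SSHFS/"
# Lazy unmount of the share
fusermount -uz "$HOME/app/SSHFS"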

Any ideas what I am doing wrong or if there is a better way to accomplish this?


Re: [abacus] Usage processing authorization, was: Usage submission authorization

Jean-Sebastien Delfino
 

OK that confirms what I thought. Thanks!

Assk, any thoughts as well? Did that make sense to you?

-- Jean-Sebastien

On Wed, Oct 7, 2015 at 6:09 PM, Piotr Przybylski <piotrp(a)us.ibm.com> wrote:

Sebastien

So, I'm wondering if it still makes sense to use the resource provider's
token inside our *asynchronous* usage *processing* pipeline. Shouldn't we
require the individual processing steps to obtain their own tokens instead?

It seems natural that the Abacus should use its own token - or tokens to
authenticate and authorize steps in the pipeline. After the submission
Abacus 'takes custody' of the submitted data so it should be solely
responsible for authorizing its processing.

Piotr

Piotr Przybylski | IBM Bluemix | piotrp(a)us.ibm.com | 650-645-8213



From: Jean-Sebastien Delfino <jsdelfino(a)gmail.com>
To: "Discussions about Cloud Foundry projects and the system overall." <
cf-dev(a)lists.cloudfoundry.org>
Date: 10/07/2015 09:21 AM
Subject: [cf-dev] Re: [abacus] Usage processing authorization, was: Usage
submission authorization
------------------------------



Hi all,

A few more thoughts on a different, but related subject.

We're using the resource provider's token and scopes to authorize usage
*submission* to our usage collector service. I agree with that and have
confirmed it in my answer to Piotr's question below.

It also looks like we're using the resource provider's token as well to
flow usage data through our usage *processing* pipeline (after we've
authorized the usage submission, validated that usage and taken
responsibility for it). I'm wondering if we couldn't find a better
approach, as we will run into a number of issues with this:

- processing delays in the pipeline can cause the token to expire, at that
point the resource provider is out of the loop, can't do anything about it,
and it won't make much sense anyway to ask the resource provider for a new
token way after it has submitted its usage;

- when restarting an Abacus service and recovering after a processing
interruption, we don't have a valid resource provider token either;

- more generally, I find a bit odd to use the resource provider's token in
usage processing steps down the Abacus pipeline, as they're really just
processing usage passed to them by the previous Abacus processing step (or
could have just read that usage from one of our usage DBs, and again the
resource provider wouldn't be so relevant as it wouldn't even have written
that usage to that DB itself.)

So, I'm wondering if it still makes sense to use the resource provider's
token inside our *asynchronous* usage *processing* pipeline. Shouldn't we
require the individual processing steps to obtain their own tokens instead?

Thoughts?

-- Jean-Sebastien


On Tue, Oct 6, 2015 at 10:36 PM, Jean-Sebastien Delfino <jsdelfino(a)gmail.com> wrote:

Hi Piotr,

> what kind of authorization is required to submit usage to Abacus ?
> Is the oauth token used for submission [1] required to have
> particular scope, specific to resource or resource provider ?

A resource provider is expected to present an OAuth token with the
usage it submits for a (service or runtime) resource.

That OAuth token should include:
- a user id uniquely identifying that resource provider;
- an OAuth scope named like abacus.usage.<resource_id>.write.

The precise naming syntax for that scope may still evolve in the next
few days as we progress with the implementation of user story 101703426 [1].

> Is there a different scope required to submit runtimes usage (like
> cf bridge) versus other services or its possible to use single scope for
> all the submissions

I'd like to handle runtimes and services consistently as they're
basically just different types of resources, i.e. one scope per 'service'
resource, one scope per 'runtime' resource.

We're still working on the detailed design and implementation, but I'm
not sure we'd want to share scopes across (service and runtime) resource
providers as that'd allow a resource provider to submit usage for resources
owned by another...

@assk / @sasrin, anything I missed? Thoughts?

-- Jean-Sebastien


On Tue, Oct 6, 2015 at 6:29 PM, Piotr Przybylski <piotrp(a)us.ibm.com> wrote:
Hi,
what kind of authorization is required to submit usage to Abacus ?
Is the oauth token used for submission [1] required to have particular
scope, specific to resource or resource provider ? Is there a different
scope required to submit runtimes usage (like cf bridge) versus other
services or its possible to use single scope for all the submissions ?


[1] - https://www.pivotaltracker.com/story/show/101703426

Piotr
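
The scope check and token hand-off discussed in this thread, as an added example that is not part of the original messages and is not Abacus code. It assumes token claims that were already signature-verified, with the claim names user_id, scope and exp; STEP_SCOPE and all sample values are hypothetical.

```javascript
// Added example (not Abacus code). Claims are assumed to come from a token
// whose signature was already verified; the field names user_id, scope and
// exp are assumptions modelled on common OAuth JWT claims.

// Scope naming from the thread: abacus.usage.<resource_id>.write
const writeScope = (resourceId) => `abacus.usage.${resourceId}.write`;

// Shared checks: a subject, an unexpired token, and one exact scope.
function checkToken(claims, requiredScope, nowSeconds) {
  if (!claims || typeof claims.user_id !== 'string' || claims.user_id === '')
    return { ok: false, reason: 'missing user id' };
  if (typeof claims.exp !== 'number' || claims.exp <= nowSeconds)
    return { ok: false, reason: 'token expired' };
  const scopes = Array.isArray(claims.scope) ? claims.scope : [];
  // Exact string match: no prefix or wildcard matching, so a scope for one
  // resource never authorizes submissions for another.
  if (!scopes.includes(requiredScope))
    return { ok: false, reason: `missing scope ${requiredScope}` };
  return { ok: true, reason: 'authorized' };
}

// Submission: authorized with the resource provider's token. On success the
// collector records who submitted the usage, but does not keep the token.
function acceptUsage(providerClaims, usage, nowSeconds) {
  const decision = checkToken(providerClaims, writeScope(usage.resource_id), nowSeconds);
  if (!decision.ok) return { accepted: false, reason: decision.reason };
  return {
    accepted: true,
    record: { usage, submitted_by: providerClaims.user_id, accepted_at: nowSeconds }
  };
}

// Processing: a later pipeline step authorizes with its own token.
// STEP_SCOPE is a hypothetical scope name, not one defined by Abacus.
const STEP_SCOPE = 'abacus.pipeline.process';
function processRecord(stepClaims, record, nowSeconds) {
  const decision = checkToken(stepClaims, STEP_SCOPE, nowSeconds);
  if (!decision.ok) return { processed: false, reason: decision.reason };
  return {
    processed: true,
    resource_id: record.usage.resource_id,
    submitted_by: record.submitted_by
  };
}

// Constructed sample data (times in seconds).
const T0 = 1000;
const providerToken = {
  user_id: 'object-storage-provider',
  scope: [writeScope('object-storage')],
  exp: T0 + 600
};
const stepToken = (now) => ({ user_id: 'abacus-aggregator', scope: [STEP_SCOPE], exp: now + 600 });

function demo() {
  const ok = acceptUsage(providerToken, { resource_id: 'object-storage', quantity: 10 }, T0);
  const crossResource = acceptUsage(providerToken, { resource_id: 'linux-container', quantity: 1 }, T0);
  const later = T0 + 3600; // processing delayed past the provider token's expiry
  const providerTokenLater = checkToken(providerToken, writeScope('object-storage'), later);
  const processed = processRecord(stepToken(later), ok.record, later);
  return { ok, crossResource, providerTokenLater, processed };
}
```

The cross-resource submission is rejected because scopes are matched exactly per resource, and the delayed step still runs because it presents its own fresh token while the provider's has expired.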





Re: CF v205 / Pushing an app

Jim Park
 

The cf-release templates allow for a "system_domain" (
https://github.com/cloudfoundry/cf-release/blob/master/templates/cf-jobs.yml#L616),
this allows for a separate namespace for non-app hostnames ("app_domain").
Hope this helps.

Thanks,


Jim

On Thu, Oct 8, 2015 at 2:49 AM Sylvain Gibier <sylvain(a)munichconsulting.de>
wrote:

Hi,

Bug ?

Pushing an application using a manifest.yml file with a host entry set to
'api', you are able to override the default route api.<<mycf.domain>> with
the application - preventing further cf commands from working correctly, as it
redirects traffic to the new application.
I would have expected an error indicating that api.<<mycf.domain>> is already
used, to prevent anyone from overriding the api, uaa and login endpoints with a
custom app. Or am I missing something?

Is there a way to make applications/hosts like api, uaa, login ... not
able to be overridden by a custom application binding?

Sylvain


Re: cloud_controller_ng performance degrades slowly over time

Amit Kumar Gupta
 

We've seen issues on some environments where requests to cc that involve cc
making a request to uaa or hm9k have a 5s delay while the local consul
agent fails to resolve the DNS for uaa/hm9k, before moving on to a
different resolver.

The expected behavior observed in almost all environments is that the DNS
request to consul agent fails fast and moves on to the next resolver, we
haven't figured out why a couple envs exhibit different behavior. The
impact is a 5 or 10s delay (5 or 10, not 5 to 10). It doesn't explain your
1:20 delay though. Are you always seeing delays that long?

Amit

On Thursday, October 8, 2015, Zach Robinson <zrobinson(a)pivotal.io> wrote:

Hey Matt,

I'm trying to think of other things that would affect only the endpoints
that interact with UAA and would be fixed after a CC restart. I'm
wondering if it's possible there are a large number of connections being
kept-alive, or stuck in a wait state or something. Could you take a look
at the netstat information on the CC and UAA next time this happens?

-Zach and Swetha


Re: cloud_controller_ng performance degrades slowly over time

Zach Robinson
 

Hey Matt,

I'm trying to think of other things that would affect only the endpoints that interact with UAA and would be fixed after a CC restart. I'm wondering if it's possible there are a large number of connections being kept-alive, or stuck in a wait state or something. Could you take a look at the netstat information on the CC and UAA next time this happens?

-Zach and Swetha


Re: UAA not sending routes registration and updates

Amit Kumar Gupta
 

What version of cf-release? If it's recent, see the "Important" section of
the release notes about colocating the new route_registrar for v217 and
v218.

https://github.com/cloudfoundry/cf-release/releases/tag/v218

Amit

On Thursday, October 8, 2015, Haitao Jiang <jianghaitao(a)gmail.com> wrote:

I filed a GitHub issue:
https://github.com/cloudfoundry/cf-registrar/issues/7

What is happening is that
- NATS receives route registration from CC and Traffic Controller
- UAA is not sending route registration to NATS, so UAA's routes are missing
from gorouter
- UAA's cf registrar is stuck after the following (instead of sending route
registration messages):
Connected to NATS - varz registration
Announcing start up vcap.component.announce

bosh vms, bosh cck, and monit are all saying that everything is running.

Any suggestions on how to troubleshoot this? What are the possible reasons
for cf-registrar not sending route.register messages?


Java Buildpack v3.3

Christopher Frost
 

I'm pleased to announce the release of the java-buildpack, version 3.3. This
release contains updates to various dependencies.

- When processing Java Options the $ and \ characters are no longer escaped to allow environment properties to be used. (see the documentation <https://github.com/cloudfoundry/java-buildpack/blob/master/docs/framework-java_opts.md#escaping-strings>)
- Improved Luna Security Provider HA Support
- Improved configuration of the DynaTrace agent. (via Tom Collings <https://github.com/cloudfoundry/java-buildpack/pull/235>)
- Better AppDynamics code comments. (via Nikhil Katre <https://github.com/cloudfoundry/java-buildpack/pull/229>)
- Better documentation of the Oracle JRE support. (via Dominik Bartholdi <https://github.com/cloudfoundry/java-buildpack/pull/230>)

For a more detailed look at the changes in 3.3, please take a look at the commit log <https://github.com/cloudfoundry/java-buildpack/compare/v3.2...v3.3>.
Packaged versions of the buildpack, suitable for use with create-buildpack and update-buildpack, can be found attached to this release <https://github.com/cloudfoundry/java-buildpack/releases/tag/v3.3>.

*Packaged Dependencies*

- AppDynamics Agent: 4.1.4_2
- GemFire 8.0.0
- GemFire Modules 8.0.0.1
- GemFire Modules Tomcat7 8.0.0.1
- GemFire Security 8.0.0
- Groovy: 2.4.5
- JRebel 6.2.5
- MariaDB JDBC: 1.2.2
- Memory Calculator (mountainlion): 2.0.0.RELEASE
- Memory Calculator (precise): 2.0.0.RELEASE
- Memory Calculator (trusty): 2.0.0.RELEASE
- New Relic Agent: 3.21.0
- OpenJDK JRE (mountainlion): 1.8.0_60
- OpenJDK JRE (precise): 1.8.0_60
- OpenJDK JRE (trusty): 1.8.0_60
- Play Framework JPA Plugin: 1.10.0.RELEASE
- PostgreSQL JDBC: 9.4.1203
- RedisStore: 1.2.0_RELEASE
- Spring Auto-reconfiguration: 1.10.0_RELEASE
- Spring Boot CLI: 1.2.6_RELEASE
- Tomcat Access Logging Support: 2.4.0_RELEASE
- Tomcat Lifecycle Support: 2.4.0_RELEASE
- Tomcat Logging Support: 2.4.0_RELEASE
- Tomcat: 8.0.27


Christopher Frost - Pivotal UK
Java Buildpack Team


UAA not sending routes registration and updates

Haitao Jiang
 

I filed a GitHub issue: https://github.com/cloudfoundry/cf-registrar/issues/7

What is happening is that
- NATS receives route registration from CC and Traffic Controller
- UAA is not sending route registration to NATS, so UAA's routes are missing from gorouter
- UAA's cf registrar is stuck after the following (instead of sending route registration messages):
Connected to NATS - varz registration
Announcing start up vcap.component.announce

bosh vms, bosh cck, and monit are all saying that everything is running.

Any suggestions on how to troubleshoot this? What are the possible reasons for cf-registrar not sending route.register messages?


Re: "bosh ssh" times out

Amit Kumar Gupta
 

You can use your bosh director as a gateway:

bosh ssh --gateway-host ADDRESS-OF-DIRECTOR --gateway-user vcap

On Thursday, October 8, 2015, Daniel Mikusa <dmikusa(a)pivotal.io> wrote:

I was under the impression that you need to be able to connect directly,
but I can't say that definitively. Perhaps someone else can confirm.

Dan


On Thu, Oct 8, 2015 at 11:43 AM, Remi Tassing <tassingremi(a)gmail.com> wrote:

Hi Daniel,
10.0.16.103 is the internal address of that particular VM within the VPC
(I've deployed CF in AWS). So I can't access it directly.
I thought that was the point of using "bosh ssh", i.e., connecting to the
ha_proxy (which has a public address) first and then to the VM.

I have a feeling I've completely missed the point

Remi


Re: "bosh ssh" times out

Jim Park
 

You can proxy through the director or whatever else if you'd like with
`bosh ssh --gateway_host director.example.com --gateway_user vcap
--gateway_identity_file /path/to/bosh_directors_key`.

BOSH director only manages creating a one-time use user login with sudo
privileges and passes it back to bosh_cli.

We use a bastion host to perform BOSH-ey things because of this.

Thanks,


Jim

On Thu, Oct 8, 2015 at 8:49 AM Daniel Mikusa <dmikusa(a)pivotal.io> wrote:

I was under the impression that you need to be able to connect directly,
but I can't say that definitively. Perhaps someone else can confirm.

Dan


On Thu, Oct 8, 2015 at 11:43 AM, Remi Tassing <tassingremi(a)gmail.com>
wrote:

Hi Daniel,
10.0.16.103 is the internal address of that particular VM within the VPC
(I've deployed CF in AWS). So I can't access it directly.
I thought that was the point of using "bosh ssh", i.e., connecting to the
ha_proxy (which has a public address) first and then to the VM.

I have a feeling I've completely missed the point

Remi


Re: "bosh ssh" times out

Daniel Mikusa
 

I was under the impression that you need to be able to connect directly,
but I can't say that definitively. Perhaps someone else can confirm.

Dan

On Thu, Oct 8, 2015 at 11:43 AM, Remi Tassing <tassingremi(a)gmail.com> wrote:

Hi Daniel,
10.0.16.103 is the internal address of that particular VM within the VPC
(I've deployed CF in AWS). So I can't access it directly.
I thought that was the point of using "bosh ssh", i.e., connecting to the
ha_proxy (which has a public address) first and then to the VM.

I have a feeling I've completely missed the point

Remi


Re: "bosh ssh" times out

Remi Tassing
 

Hi Daniel,
10.0.16.103 is the internal address of that particular VM within the VPC (I've deployed CF in AWS). So I can't access it directly.
I thought that was the point of using "bosh ssh", i.e., connecting to the ha_proxy (which has a public address) first and then to the VM.

I have a feeling I've completely missed the point

Remi


Re: "bosh ssh" times out

Daniel Mikusa
 

Have you checked that the connection is not being blocked by a firewall?
What happens if you SSH directly to that IP?

Dan

On Thu, Oct 8, 2015 at 11:22 AM, Remi Tassing <tassingremi(a)gmail.com> wrote:

Hi,
I was trying "bosh ssh" in the interactive mode and after choosing the VM
it hangs for a bit then times out. I was following this tutorial:
http://docs.pivotal.io/pivotalcf/customizing/trouble-advanced.html

Console snippet:
....
13. stats_z1/0
Choose an instance: 1
Acting as user 'admin' on deployment 'cf' on 'microbosh'
Enter password (use it to sudo on remote host): *
Target deployment is `cf'

Setting up ssh artifacts

Director task 43

Task 43 done
Starting interactive shell on job nats_z1/0
ssh: connect to host 10.0.16.103 port 22: Connection timed out
...

Has anyone encountered this problem? Is there another alternative?

Remi


"bosh ssh" times out

Remi Tassing
 

Hi,
I was trying "bosh ssh" in the interactive mode and after choosing the VM it hangs for a bit then times out. I was following this tutorial: http://docs.pivotal.io/pivotalcf/customizing/trouble-advanced.html

Console snippet:
....
13. stats_z1/0
Choose an instance: 1
Acting as user 'admin' on deployment 'cf' on 'microbosh'
Enter password (use it to sudo on remote host): *
Target deployment is `cf'

Setting up ssh artifacts

Director task 43

Task 43 done
Starting interactive shell on job nats_z1/0
ssh: connect to host 10.0.16.103 port 22: Connection timed out
...

Has anyone encountered this problem? Is there another alternative?

Remi


Re: Metron: Timed out talking to store

Kyle Havlovitz (kyhavlov)
 

I only have one ETCD node, and it's the correct address in the metron config.

From: Rohit Kumar <rokumar(a)pivotal.io>
Reply-To: "Discussions about Cloud Foundry projects and the system overall." <cf-dev(a)lists.cloudfoundry.org>
Date: Wednesday, October 7, 2015 at 8:24 PM
To: "Discussions about Cloud Foundry projects and the system overall." <cf-dev(a)lists.cloudfoundry.org>
Subject: [cf-dev] Re: Metron: Timed out talking to store

Hi Kyle,

How many nodes do you have in your ETCD cluster? Also can you check whether the ETCD servers listed in the metron config match the IP addresses of the machines in your cluster. The config file is located in /var/vcap/jobs/metron_agent/config/metron_agent.json and you should look for the "EtcdUrls" field.

Rohit

On Wed, Oct 7, 2015 at 3:12 PM, Kyle Havlovitz (kyhavlov) <kyhavlov(a)cisco.com> wrote:
I'm seeing this error in the Metron logs repeatedly: "ServerAddressList.Run: Timed out talking to store; will try again soon." Metron seems to be able to connect to ETCD just fine, and I can curl /v2/keys/healthstatus/doppler from the machine. I'm not sure what would cause this error and can't think of anything else to try. Later, when it gets logs from the dea agent, it gives the error "can't forward message: loggregator client pool is empty", presumably because of the previous error.

I can't figure out what the problem is with this; the zone property in the logging config files matches and it doesn't seem like a firewall problem, could anyone give advice? CF version is 217.


Re: Cloud Foundry REST API in Golang

Rasheed Abdul-Aziz
 

The best we have to offer is the API package in CLI
https://github.com/cloudfoundry/cli

This is a private API implementation, and as such we make no promises about
stability. In fact, we promise it will be unstable, but it's a good jumping
in point if you need to get started. Especially as it demonstrates how to
consume the API at the same time.

All the best,
Rasheed Abdul-Aziz
Engineer, CLI Open Source Team

On Thu, Oct 8, 2015 at 6:18 AM, Pravin Mishra <pravinmishra88(a)gmail.com>
wrote:

Hello,

I am developing a CF dashboard in Golang that will communicate with the
cloud controller for REST calls. I saw there is cfoundry
<https://github.com/cloudfoundry-attic/cfoundry>, a ruby gem that provides
a REST client for the Cloud Foundry REST API.

Is there any package written in Golang similar to cfoundry, or do I need to
implement it myself?

Best Regards,
Pravin Mishra


Cloud Foundry REST API in Golang

Pravin Mishra <pravinmishra88@...>
 

Hello,

I am developing a CF dashboard in Golang that will communicate with the cloud
controller for REST calls. I saw there is cfoundry
<https://github.com/cloudfoundry-attic/cfoundry>, a ruby gem that provides a
REST client for the Cloud Foundry REST API.

Is there any package written in Golang similar to cfoundry, or do I need to
implement it myself?

Best Regards,
Pravin Mishra


CF v205 / Pushing an app

Sylvain Gibier
 

Hi,

Bug ?

Pushing an application using a manifest.yml file with a host entry set to 'api', you are able to override the default route api.<<mycf.domain>> with the application - preventing further cf commands from working correctly, as it redirects traffic to the new application.
I would have expected an error indicating that api.<<mycf.domain>> is already used, to prevent anyone from overriding the api, uaa and login endpoints with a custom app. Or am I missing something?

Is there a way to make applications/hosts like api, uaa, login ... not able to be overridden by a custom application binding?

Sylvain


Runner's /varz endpoint - how "available_disk_ratio" is computed?

Rafal Radecki
 

Hi :)

I tried to find in the source code on one of my runners how available_disk_ratio is computed. Initially I thought that it will show how much space there is available on my runner, for example:

df -h /var/vcap/data/
Filesystem Size Used Avail Use% Mounted on
/dev/xvdb2 820G 12G 767G 2% /var/vcap/data

So on my runner I see that 98% of space is free but in /varz I see that

available_disk_ratio -> 0.97152

From cf documentation (http://docs.pivotal.io/pivotalcf/customizing/use-metrics.html):
"available_disk_ratio Percentage of disk available for allocation by future applications/staging requests"
I tried to check this in source code ->
/var/vcap/data/packages/dea_next/b4fe12b3a1243a6724e8b80c39f5ee62c47b3168.1-e0eb07312ea47e31e414c7fb70474ff7d99a6cd2/lib/dea/bootstrap.rb
/var/vcap/data/packages/dea_next/b4fe12b3a1243a6724e8b80c39f5ee62c47b3168.1-e0eb07312ea47e31e414c7fb70474ff7d99a6cd2/lib/dea/resource_manager.rb
but I got to the point of
module Dea
  class ResourceManager
    DEFAULT_CONFIG = {
      "memory_mb" => 8 * 1024,
      "memory_overcommit_factor" => 1,
      "disk_mb" => 16 * 1024 * 1024,
      "disk_overcommit_factor" => 1,
    }.freeze
    # ... (rest of the class not shown)
  end
end
in resource_manager.rb.
Can anyone tell me how available_disk_ratio is exactly computed? I am not sure, but based on the lines for DEFAULT_CONFIG I think that it may be computed based on the statically set "disk_mb" value ;)
Overall I need this for my monitoring. Are there maybe other ways to tell how much disk space is available on a given runner?

BR,
Rafal.


Re: "fork/exec exec format error" when installing cf CLI plugins

Remi Tassing
 

Hi Simon,
I did try that before starting this thread. I also tried changing the TMP dir to a folder under home but it didn't work.
Remi
