
Miniconda has been added to the Python Buildpack

Danny Rosen
 

Over the last few weeks the Buildpacks team has experimented with different
methods of getting the Python buildpack working with various data science
dependencies (ex: sci-py, num-py, sklearn). We believe we have found a
solution that does not create significant challenges and fulfills the
underlying goal of enabling these dependencies in a native CF application.

We have included the addition of Miniconda into the newest version [1] of
the python-buildpack and urge you to give it a try. To do so, include an
environment.yml [2] in your app and cf push *or* try out this sample app [3].

We're very excited about this addition and note that this is our first step
towards providing the functionality. As always, we're interested in
obtaining feedback and pull requests for improvement.

[1] - https://github.com/cloudfoundry/python-buildpack/releases/tag/v1.5.6
[2] - http://conda.pydata.org/docs/using/envs.html#use-environment-from-file
[3] - https://github.com/ihuston/pydata_package_test/


Re: Regarding UAA service

Siva Balan <mailsiva@...>
 

Hi Dax,
Can I request to log your issue at https://forum.predix.io ? There are a
lot more Predix focussed developers on that forum than this mailing list
and you are more likely to get a faster answer there.

Thanks
Siva

On Wed, May 18, 2016 at 8:25 AM, Sree Tummidi <stummidi(a)pivotal.io> wrote:

Hi Dax,
This is happening because your SAML has not been set up properly.
The email, first name and last name need to be mapped to attributes from
the incoming SAML assertion.
Please reach out to the Predix team so that they can set the correct
attribute mappings.

Thanks,
Sree

Sent from my iPhone

On May 17, 2016, at 7:22 PM, Dax Joshi <dax.joshi(a)tcs.com> wrote:

Hi,

Any update on this ?

Please let me know. I need to solve this issue as soon as possible.


Thanks & Regards,

Dax Joshi
Systems Engineer
Tata Consultancy Services
GARIMA PARK,IT/ITES SEZ,
PLOT # 41,
Gandhinagar - 382007,Gujarat
India
Cell:- 9586581656
Mailto: dax.joshi(a)tcs.com
Website: http://www.tcs.com
____________________________________________
Experience certainty. IT Services
Business Solutions
Consulting
____________________________________________




From: Dax Joshi/AHD/TCS
To: Sree Tummidi <stummidi(a)pivotal.io>
Cc: Jonathan Lo <jlo(a)us.ibm.com>, cf-dev(a)lists.cloudfoundry.org
Date: 05/14/2016 10:55 AM
Subject: Re: Regarding UAA service
------------------------------


Hi Sree and Jonathan,

Thank you very much for your consideration and reply.

I am working on predix. I have bound my UAA service with SAML.

I use the GE's common login page to login so that using SSO anyone from
the same business can use my application.

https://<uaa-url>.predix-uaa.run.asv-pr.ice.predix.io/oauth/authorize?client_id=<client-id>&response_type=code


Which redirect me to GE's common login page. After successful login SAML
is sending user information to

https://<uaa-url>.predix-uaa.run.asv-pr.ice.predix.io/saml/SSO/alias/<uaa-url>.cloudfoundry-saml-login

While this redirection I have seen in browser network, in encoded format
as form data SAML is passing user's correct and full information to UAA.
including first name, last name, email, groups, roles etc..

After that UAA service redirects the browser to my landing page which I
have set as redirect_uri with one cookie named TS0164a009 and one code
in request param.

In our application we use that code with /oauth/token service and get
the auth_token. After this we use the auth_token with /check_token
or /userinfo service of uaa to get the user information.

In which we get following json



{
"user_id": "d9cf7779-744a-407d-a846-36e0570d70d9",
"user_name": "sso",
"email": "sso(a)unknown.org",
"client_id": "client_id",
"exp": 1462921362,
"scope": [
"scim.me",
"openid"
],
"jti": "684643f2-a15a-4fca-b9ca-2f9ba2c22f82",
"aud": [
"scim",
"openid",
"ppduaa"
],
"sub": "d9cf7779-744a-407d-a846-36e0570d70d9",
"iss": "https://<uaa-url>.predix-uaa.run.asv-pr.ice.predix.io/oauth/token",
"iat": 1462878162,
"cid": "client-id",
"grant_type": "authorization_code",
"azp": "client_id",
"auth_time": 1462878076,
"zid": "489afafd-c6b4-4d81-ae52-e51116af4597",
"rev_sig": "d8ddc2e6",
"origin": "gefssstg"
}


Here I have replaced uaa-url, sso and client_id with its actual
values.

You can notice that I am not even receiving correct mail id. it gives
@unknown.org

In this json nothing except sso seems to be useful to me.

Please guide me how to get the exact user details from UAA that SAML is
passing to it.

Let me know if anything else you need.


Regards,

Dax Joshi
Systems Engineer
Tata Consultancy Services
GARIMA PARK,IT/ITES SEZ,
PLOT # 41,
Gandhinagar - 382007,Gujarat
India
Cell:- 9586581656
Mailto: dax.joshi(a)tcs.com
Website: http://www.tcs.com
____________________________________________
Experience certainty. IT Services
Business Solutions
Consulting
____________________________________________





From: Sree Tummidi <stummidi(a)pivotal.io>
To: Jonathan Lo <jlo(a)us.ibm.com>
Cc: Dax Joshi <dax.joshi(a)tcs.com>
Date: 05/14/2016 04:01 AM
Subject: Re: Regarding UAA service
------------------------------



Hi Dax,

Nice to meet you virtually. In the future you can use the
cf-dev(a)lists.cloudfoundry.org for any UAA &
CloudFoundry related questions.
Can you elaborate on what you are trying to achieve with UAA & SAML
Integration and the use-case you have in mind


Thanks,
Sree Tummidi
Sr. Product Manager
Identity - Pivotal Cloud Foundry


On Fri, May 13, 2016 at 10:50 AM, Jonathan Lo <jlo(a)us.ibm.com> wrote:
Hi Dax,

Could you provide a bit more detail so that I can better direct your
query? As far as I know, you would be able to decode your access token in
order to obtain a user id, with which you could then get more user
information.

I've CCed Sree, our UAA PM, on the email.

Regards,

Jonathan

Sent from my iPhone

------------------------------
On May 13, 2016, 4:30:16 AM, dax.joshi(a)tcs.com wrote:

From: dax.joshi(a)tcs.com
To: jlo(a)us.ibm.com
Cc:
Date: May 13, 2016 4:30:16 AM
Subject: Regarding UAA service

Hi Jonathan,

This is Dax Joshi From TCS.

I found your email from https://github.com/GESoftware-CF/uaa.

I have a query regarding getting loggedin
user details in case of UAA service and SAML Integration.

Please let me know if we can talk over
phone at your convenient time.

Please include other persons in this
loop if they can help me.


Thanks,

Dax Joshi
Systems Engineer
Tata Consultancy Services
GARIMA PARK,IT/ITES SEZ,
PLOT # 41,
Gandhinagar - 382007,Gujarat
India
Cell:- 9586581656
Mailto: dax.joshi(a)tcs.com
Website: http://www.tcs.com
____________________________________________
Experience certainty. IT Services

Business Solutions

Consulting
____________________________________________

=====-----=====-----=====
Notice: The information contained in this e-mail
message and/or attachments to it may contain
confidential or privileged information. If you are
not the intended recipient, any dissemination, use,
review, distribution, printing or copying of the
information contained in this e-mail message
and/or attachments to it are strictly prohibited. If
you have received this communication in error,
please notify us by reply e-mail or telephone and
immediately and permanently delete the message
and any attachments. Thank you






Re: [abacus] Separate time-based from discrete usage metrics

Jean-Sebastien Delfino
 

Hi,

To fix the issue we decided to:
1. Distinguish between time-based (linux-container) and discrete usage
metrics (the rest basically)
2. Store the time-based metrics in a separate DB(s)

Your proposal looks good to me. Piotr, Kevin and Raj and I had several
design discussions on this topic in the last few days and we've come up
with a few more ideas on top of what you're describing here:

- The distinction between time-based and discrete resource usage metering
could also be understood as usage metering of a stateful vs stateless
resource or metric. In the stateful case, we simply store the state of the
resource instance in a separate DB like you're proposing (e.g. we store the
fact that an app or a container is currently running, or has stopped), and
update that state in place when it changes. Then to compute and report
usage later on we just need to the current resource instance state from
that DB.

- We could continue to store the metrics in the current historical
databases as well (on top of that new DB) to preserve the resource instance
history as many users typically want to know their past usage.

- Some of us were not sure if the time-based / discrete distinction should
be at the resource type level or at the metric level... IMO your proposal
to do that at the metric level is cleaner so I'm happy with it :)

- The dataflow module will probably need a few minor code changes to detect
the case where some of the output docs need to go to a separate DB (IIRC
you or someone else also mentioned that on one of our scrums or on slack...)

- Like you said, we may still need to maintain 2 DBs to purge old entries.
If that's easier, we could also adjust the usage accumulator service and
the dataflow module a bit to delete entries for inactive resource instances
right away (e.g. when an app or container stops.)

Thoughts?

P.S. I'll add these comments to issue #88 as well to make it be easier to
follow up there.

- Jean-Sebastien

On Thu, May 12, 2016 at 5:54 AM, Hristo Iliev <hsiliev(a)gmail.com> wrote:

Hi,

We're trying to fix Abacus issue 88: Missing aggregated usage for the
running application [1].

Background
=========

See the jsdelfino comment in the GitHub issue [2]. TL;DR: Resource
providers have to send a 'ping' doc per month for time-based metrics.

Proposed solution
==============

We decided to implement a solution in Abacus that frees the usage
providers from sending the 'ping' submission.

To fix the issue we decided to:
1. Distinguish between time-based (linux-container) and discrete usage
metrics (the rest basically)
2. Store the time-based metrics in a separate DB(s)

We already drafted a proposal for adding measurement type in the usage
plans with PR #320 [3].

We're about to spike on storing the time-based metrics in their own
Database, but we wanted to get the community opinion on the topic.

Motivation
========

The discrete usage submitted to Abacus is:
* stored in partitioned databases, due to their size/number
* like an event log, storing the history of the usage/resources

In contrast the current time-based metrics are:
* limited number (usually around 2 million on a loaded CF system)
* storing just the app resources usage state (GB/h consumed so far, GB/h
consuming currently)

Therefore it looks like a good idea to separate the two usage metrics
types and store the time-based metrics in a separate database. This will
allow us not only to solve the issue, but also to store and query the data
more effectively.

We may still need to maintain 2 databases and swap new/old (irrelevant)
metrics to reduce the DB size on the month boundaries.


Regards,
Hristo & Adriana

[1] https://github.com/cloudfoundry-incubator/cf-abacus/issues/88
[2]
https://github.com/cloudfoundry-incubator/cf-abacus/issues/88#issuecomment-148498164
[3] https://github.com/cloudfoundry-incubator/cf-abacus/pull/320


Re: Regarding UAA service

Sree Tummidi
 

Hi Dax,
This is happening because your SAML has not been set up properly.
The email, first name and last name need to be mapped to attributes from the incoming SAML assertion.
Please reach out to the Predix team so that they can set the correct attribute mappings.

Thanks,
Sree

Sent from my iPhone

On May 17, 2016, at 7:22 PM, Dax Joshi <dax.joshi(a)tcs.com> wrote:

Hi,

Any update on this ?

Please let me know. I need to solve this issue as soon as possible.


Thanks & Regards,

Dax Joshi
Systems Engineer
Tata Consultancy Services
GARIMA PARK,IT/ITES SEZ,
PLOT # 41,
Gandhinagar - 382007,Gujarat
India
Cell:- 9586581656
Mailto: dax.joshi(a)tcs.com
Website: http://www.tcs.com
____________________________________________
Experience certainty. IT Services
Business Solutions
Consulting
____________________________________________




From: Dax Joshi/AHD/TCS
To: Sree Tummidi <stummidi(a)pivotal.io>
Cc: Jonathan Lo <jlo(a)us.ibm.com>, cf-dev(a)lists.cloudfoundry.org
Date: 05/14/2016 10:55 AM
Subject: Re: Regarding UAA service


Hi Sree and Jonathan,

Thank you very much for your consideration and reply.

I am working on predix. I have bound my UAA service with SAML.

I use the GE's common login page to login so that using SSO anyone from the same business can use my application.
https://<uaa-url>.predix-uaa.run.asv-pr.ice.predix.io/oauth/authorize?client_id=<client-id>&response_type=code


Which redirect me to GE's common login page. After successful login SAML is sending user information to
https://<uaa-url>.predix-uaa.run.asv-pr.ice.predix.io/saml/SSO/alias/<uaa-url>.cloudfoundry-saml-login

While this redirection I have seen in browser network, in encoded format as form data SAML is passing user's correct and full information to UAA. including first name, last name, email, groups, roles etc..

After that UAA service redirects the browser to my landing page which I have set as redirect_uri with one cookie named TS0164a009 and one code in request param.

In our application we use that code with /oauth/token service and get the auth_token. After this we use the auth_token with /check_token or /userinfo service of uaa to get the user information.

In which we get following json



{
"user_id": "d9cf7779-744a-407d-a846-36e0570d70d9",
"user_name": "sso",
"email": "sso(a)unknown.org",
"client_id": "client_id",
"exp": 1462921362,
"scope": [
"scim.me",
"openid"
],
"jti": "684643f2-a15a-4fca-b9ca-2f9ba2c22f82",
"aud": [
"scim",
"openid",
"ppduaa"
],
"sub": "d9cf7779-744a-407d-a846-36e0570d70d9",
"iss": "https://<uaa-url>.predix-uaa.run.asv-pr.ice.predix.io/oauth/token",
"iat": 1462878162,
"cid": "client-id",
"grant_type": "authorization_code",
"azp": "client_id",
"auth_time": 1462878076,
"zid": "489afafd-c6b4-4d81-ae52-e51116af4597",
"rev_sig": "d8ddc2e6",
"origin": "gefssstg"
}



Here I have replaced uaa-url, sso and client_id with its actual values.

You can notice that I am not even receiving correct mail id. it gives @unknown.org

In this json nothing except sso seems to be useful to me.

Please guide me how to get the exact user details from UAA that SAML is passing to it.

Let me know if anything else you need.


Regards,

Dax Joshi
Systems Engineer
Tata Consultancy Services
GARIMA PARK,IT/ITES SEZ,
PLOT # 41,
Gandhinagar - 382007,Gujarat
India
Cell:- 9586581656
Mailto: dax.joshi(a)tcs.com
Website: http://www.tcs.com
____________________________________________
Experience certainty. IT Services
Business Solutions
Consulting
____________________________________________





From: Sree Tummidi <stummidi(a)pivotal.io>
To: Jonathan Lo <jlo(a)us.ibm.com>
Cc: Dax Joshi <dax.joshi(a)tcs.com>
Date: 05/14/2016 04:01 AM
Subject: Re: Regarding UAA service



Hi Dax,

Nice to meet you virtually. In the future you can use the cf-dev(a)lists.cloudfoundry.org for any UAA & CloudFoundry related questions.
Can you elaborate on what you are trying to achieve with UAA & SAML Integration and the use-case you have in mind


Thanks,
Sree Tummidi
Sr. Product Manager
Identity - Pivotal Cloud Foundry


On Fri, May 13, 2016 at 10:50 AM, Jonathan Lo <jlo(a)us.ibm.com> wrote:
Hi Dax,

Could you provide a bit more detail so that I can better direct your query? As far as I know, you would be able to decode your access token in order to obtain a user id, with which you could then get more user information.

I've CCed Sree, our UAA PM, on the email.

Regards,

Jonathan

Sent from my iPhone

On May 13, 2016, 4:30:16 AM, dax.joshi(a)tcs.com wrote:

From: dax.joshi(a)tcs.com
To: jlo(a)us.ibm.com
Cc:
Date: May 13, 2016 4:30:16 AM
Subject: Regarding UAA service

Hi Jonathan,

This is Dax Joshi From TCS.

I found your email from https://github.com/GESoftware-CF/uaa.

I have a query regarding getting loggedin
user details in case of UAA service and SAML Integration.

Please let me know if we can talk over
phone at your convenient time.

Please include other persons in this
loop if they can help me.


Thanks,

Dax Joshi
Systems Engineer
Tata Consultancy Services
GARIMA PARK,IT/ITES SEZ,
PLOT # 41,
Gandhinagar - 382007,Gujarat
India
Cell:- 9586581656
Mailto: dax.joshi(a)tcs.com
Website: http://www.tcs.com
____________________________________________
Experience certainty. IT Services

Business Solutions

Consulting
____________________________________________





Re: Team

Layne Peng
 

but we all are saying same thing .. believe me after running multiple bosh
services managing marketplace in a large org is kind of a messy jobs ..
I cannot agree more!


Re: Buildpacks Checksum Site for Release Validation

Gwenn Etourneau
 

Hi,
Any json feed /api ?
Can be nice and more easy to integrate with any CI/CD tool.

Thanks

On Wed, May 18, 2016 at 11:15 AM, taichi nakashima <nsd22843(a)gmail.com>
wrote:

Great,

I hope cloudfoundry/cli will provide the same thing.

cf.
https://lists.cloudfoundry.org/archives/list/cf-dev(a)lists.cloudfoundry.org/thread/K3BEBY4A2WSUKS7YS5IF2UDQHHSU35A7/

Taichi Nakashima

On Wed, May 18, 2016 at 6:20, David Jahn <djahn(a)pivotal.io> wrote:

Dear Cloud Foundry Users,

To help operators and users of Cloud Foundry establish a "chain of
custody" for buildpacks, we have launched the following checksum site:

https://buildpackverify.cloudfoundry.org

This site provides a checksum for all cached buildpack release zip files
(except for the java-buildpack). Whenever the buildpacks team generates a
new buildpack release, we will immediately compute the SHA256 checksum of
that file and upload it to this website.

The site is hosted on a different repository from the main buildpack
github repositories. It allows operators to validate that the zip file we
produced is the same artifact that has been downloaded and installed.

Additionally, if an operator wishes to further investigate the components
of a buildpack, the "manifest.yml" in each buildpack root directory (for
example,
https://github.com/cloudfoundry/go-buildpack/blob/master/manifest.yml)
provides a catalog of every third party component in the buildpack, a URL
of that component's location, and an MD5 checksum of that component.

We hope that this will assist people in auditing the source of their
buildpack code!

Cheers,
Buildpacks Team


Re: Buildpacks Checksum Site for Release Validation

taichi nakashima
 

Great,

I hope cloudfoundry/cli will provide the same thing.

cf.
https://lists.cloudfoundry.org/archives/list/cf-dev(a)lists.cloudfoundry.org/thread/K3BEBY4A2WSUKS7YS5IF2UDQHHSU35A7/

Taichi Nakashima

On Wed, May 18, 2016 at 6:20, David Jahn <djahn(a)pivotal.io> wrote:

Dear Cloud Foundry Users,

To help operators and users of Cloud Foundry establish a "chain of
custody" for buildpacks, we have launched the following checksum site:

https://buildpackverify.cloudfoundry.org

This site provides a checksum for all cached buildpack release zip files
(except for the java-buildpack). Whenever the buildpacks team generates a
new buildpack release, we will immediately compute the SHA256 checksum of
that file and upload it to this website.

The site is hosted on a different repository from the main buildpack
github repositories. It allows operators to validate that the zip file we
produced is the same artifact that has been downloaded and installed.

Additionally, if an operator wishes to further investigate the components
of a buildpack, the "manifest.yml" in each buildpack root directory (for
example,
https://github.com/cloudfoundry/go-buildpack/blob/master/manifest.yml)
provides a catalog of every third party component in the buildpack, a URL
of that component's location, and an MD5 checksum of that component.

We hope that this will assist people in auditing the source of their
buildpack code!

Cheers,
Buildpacks Team


Re: Team

Ronak Banka
 

Hi Amulya,

"believe me after running multiple bosh services managing marketplace"

Are you using bosh releases for deploying service brokers or service
deployments??

Thanks
Ronak

On Wednesday, 18 May 2016, Amulya Sharma <amulya.sharma(a)gmail.com> wrote:

Thank You all .. for responding ..

my whole idea is to simplify

Large Market place
Service/Plan visibility
Billing and offering
self hosted or SaaS providers

by taking market place as separate component to pair with Cloud Foundry


but we all are saying same thing .. believe me after running multiple bosh
services managing marketplace in a large org is kind of a messy jobs ..



On Tue, May 17, 2016 at 1:27 AM Layne Peng <layne.peng(a)emc.com> wrote:

Sorry for the name misunderstanding... We use the word "marketplace", but
not the term in CF.

The background is, firstly it is a public cloud, people use CF and the
services provided by the CF; We built a framework (not like service broker)
to help people contribute different service, then sell the services in it
to the developers using Cloud Foundry. (The services can be used in CF, by
the service broker we build; but it also in K8S and other PaaS. But mainly
it is used in CF currently...)

So the problem is, when a new contribution, such as MySQL based on
Brooklyn added to the marketplace, we need to register it to the CF.

I am not sure if it is clear enough, if you interested in it, I can share
some introduction videos.


Re: Team

Amulya Sharma <amulya.sharma@...>
 

Thank You all .. for responding ..

my whole idea is to simplify

Large Market place
Service/Plan visibility
Billing and offering
self hosted or SaaS providers

by taking market place as separate component to pair with Cloud Foundry


but we all are saying same thing .. believe me after running multiple bosh
services managing marketplace in a large org is kind of a messy jobs ..

On Tue, May 17, 2016 at 1:27 AM Layne Peng <layne.peng(a)emc.com> wrote:

Sorry for the name misunderstanding... We use the word "marketplace", but
not the term in CF.

The background is, firstly it is a public cloud, people use CF and the
services provided by the CF; We built a framework (not like service broker)
to help people contribute different service, then sell the services in it
to the developers using Cloud Foundry. (The services can be used in CF, by
the service broker we build; but it also in K8S and other PaaS. But mainly
it is used in CF currently...)

So the problem is, when a new contribution, such as MySQL based on
Brooklyn added to the marketplace, we need to register it to the CF.

I am not sure if it is clear enough, if you interested in it, I can share
some introduction videos.


Re: How are you using HAProxy in cf-release?

Aaron Huber
 

I've seen more than a few references over time to poor performance of TLS
termination at GoRouter vs. HAProxy - is this no longer the case? It's
probably the only reason I'd be concerned about taking HAProxy out of the
loop.

Aaron





How are you using HAProxy in cf-release?

Shannon Coen
 

Hello,

To support the project wide goal of deploying CF as a collection of
composable releases, rather than one, the CF Routing team has extracted
Gorouter from cf-release into cf-routing-release. Of course, Gorouter is
still symlinked into cf-release so it will be deployed with cf-release.

Very few jobs remain in cf-release. The Routing team will also extract the
route-registrar job in the routing-release. The last one the Routing team
is responsible for is HAProxy.

But I wonder, what purpose does this serve? Is it necessary to maintain
this job for the new way of deploying CF? What use case does it currently
fulfill, and could those use cases be fulfilled in a better way?

If this is of interest, please take a look at the following document, and
share your thoughts and feedback as comments.

https://docs.google.com/document/d/11fHx-Bz7j50D_jHsNUoohFj3opKHC8gVudT4U44zlng/edit?usp=sharing

Thank you!

Shannon Coen
Product Manager, Cloud Foundry
Pivotal, Inc.


Buildpacks Checksum Site for Release Validation

David Jahn
 

Dear Cloud Foundry Users,

To help operators and users of Cloud Foundry establish a "chain of custody" for buildpacks, we have launched the following checksum site:

https://buildpackverify.cloudfoundry.org

This site provides a checksum for all cached buildpack release zip files (except for the java-buildpack). Whenever the buildpacks team generates a new buildpack release, we will immediately compute the SHA256 checksum of that file and upload it to this website.

The site is hosted on a different repository from the main buildpack github repositories. It allows operators to validate that the zip file we produced is the same artifact that has been downloaded and installed.

Additionally, if an operator wishes to further investigate the components of a buildpack, the "manifest.yml" in each buildpack root directory (for
example, https://github.com/cloudfoundry/go-buildpack/blob/master/manifest.yml) provides a catalog of every third party component in the buildpack, a URL of that component's location, and an MD5 checksum of that component.

We hope that this will assist people in auditing the source of their buildpack code!

Cheers,
Buildpacks Team
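
A CI-style gate for the validation described in this announcement, as an added example that is not code from the Buildpacks team: it parses a published checksum list and checks a downloaded release zip against it. The `<sha256>  <filename>` list format, the file name and the sample bytes are assumptions constructed for the example; the post does not describe the site's format.

```go
package main

import (
	"bufio"
	"bytes"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
	"strings"
)

var (
	ErrBadDigest = errors.New("published value is not a hex-encoded SHA-256")
	ErrDuplicate = errors.New("file listed twice with different checksums")
	ErrNotListed = errors.New("no published checksum for this file")
	ErrMismatch  = errors.New("artifact does not match published checksum")
)

// ParseChecksumList reads "<sha256-hex>  <filename>" lines (assumed format,
// the same shape sha256sum prints) into a filename -> digest map.
func ParseChecksumList(text string) (map[string][]byte, error) {
	out := make(map[string][]byte)
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		fields := strings.Fields(sc.Text())
		if len(fields) == 0 {
			continue // blank line
		}
		if len(fields) != 2 {
			return nil, fmt.Errorf("%w: %q", ErrBadDigest, sc.Text())
		}
		// Reject truncated or non-hex digests instead of comparing prefixes.
		sum, err := hex.DecodeString(fields[0])
		if err != nil || len(sum) != sha256.Size {
			return nil, fmt.Errorf("%w: %q", ErrBadDigest, fields[0])
		}
		name := strings.TrimPrefix(fields[1], "*") // sha256sum binary-mode marker
		if prev, ok := out[name]; ok && !bytes.Equal(prev, sum) {
			return nil, fmt.Errorf("%w: %s", ErrDuplicate, name)
		}
		out[name] = sum
	}
	return out, sc.Err()
}

// VerifyArtifact streams the artifact through SHA-256 and compares the result
// with the published digest for that file name. An unlisted file is an error,
// never a pass.
func VerifyArtifact(name string, artifact io.Reader, published map[string][]byte) error {
	want, ok := published[name]
	if !ok {
		return fmt.Errorf("%w: %s", ErrNotListed, name)
	}
	h := sha256.New()
	if _, err := io.Copy(h, artifact); err != nil {
		return fmt.Errorf("reading %s: %w", name, err)
	}
	if got := h.Sum(nil); !bytes.Equal(got, want) {
		return fmt.Errorf("%w: %s has %x", ErrMismatch, name, got)
	}
	return nil
}

func main() {
	// Constructed sample: the digest is SHA-256("abc"), standing in for a
	// release zip. In practice the reader would be an os.Open'd file.
	const list = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  example_buildpack-cached.zip\n"
	published, err := ParseChecksumList(list)
	if err != nil {
		fmt.Println("bad checksum list:", err)
		return
	}
	for _, body := range []string{"abc", "abc-tampered"} {
		err := VerifyArtifact("example_buildpack-cached.zip", strings.NewReader(body), published)
		fmt.Printf("%q -> %v\n", body, err)
	}
}
```

The checksum list should be fetched over a separate channel from the zip itself, which is the point of hosting the site on a different repository.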


Re: Proposal: Reducing State in Service Brokers - Service Broker API Enhancement

Dr Nic Williams <drnicwilliams@...>
 

I think it's a great idea to help make SBs stateless if possible. I've even toyed with modifying service instance tags as the only place in CF API where arbitrary data can be stored (base64 encode the data and append to list of tags) - nasty but was only option. Didn't end up using that as it was just too nasty. Plus the service object didn't actually exist yet during service provisioning:/
I like the idea of returning an arbitrary (to CF) last_op_id 
But I can imagine that SBs might want to return arbitrary blob of data rather than simple ID, and have CF return with that data.
If you only gave me the ability to return a simple ID string then I would repeat the trick above - I'd construct a JSON object, convert with base64, and return that string as my "ID".
So my ask is to allow the ID value to be an arbitrarily long string pleaze?

On Tue, May 17, 2016 at 9:02 AM -0700, "Alex Ley" <aley(a)pivotal.io> wrote:










Hello cf-dev,

I work on a team at Pivotal that builds lots of service brokers. We are currently working on a broker that backs onto BOSH and want to move towards making it stateless. We have written a proposal to enhance the CF Service Broker API to allow us to achieve this. We believe this will help other service broker authors as the principle transfers to most asynchronous backing systems.

You can read the full proposal here:

https://docs.google.com/document/d/1QzrG3d9-RgB7v5W44jnwgDuQWgqqPosASyCunLwfYF0/edit?usp=sharing

Open to comments on the document and on this thread.

Alex


Re: UX proposal App manifests improvements for Routes, open for review

Dr Nic Williams <drnicwilliams@...>
 

Follow on - a discussion/reference of this thread/proposal turned up in
https://github.com/cloudfoundry/cli/issues/418 (New issue In manifest,
'no-hostname' clobbers 'host' or 'hosts')

Nic

--
Dr Nic Williams
Stark & Wayne LLC - consultancy for Cloud Foundry users
http://drnicwilliams.com
http://starkandwayne.com
cell +1 (415) 860-2185
twitter @drnic


CVE-2016-3091 Diego log encoding vulnerability

Chip Childers <cchilders@...>
 

CVE-2016-3091 Diego log encoding vulnerability
Severity

High

Vendor

Cloud Foundry Foundation

Versions Affected

- Diego-release versions 0.1468.0 through 0.1470.0

Description

Due to how Diego handles breaking up large log streams on UTF-8 boundaries,
it is possible to cause a denial of service on a Cloud Foundry installation
with an app outputting malformed UTF-8 sequences.

Affected Cloud Foundry Products and Versions

Severity is high unless otherwise noted.

- Diego-release versions 0.1468.0 through 0.1470.0

Mitigation

Users of affected versions should apply the following mitigation:

- The Cloud Foundry project recommends that Cloud Foundry Deployments
  running Diego versions 0.1468.0 through 0.1470.0 upgrade to Diego version
  0.1471.0.

Credit

This issue was identified by a Pivotal team and reported responsibly
to the Cloud Foundry Foundation.
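
The advisory gives no detail of Diego's splitting logic, so the following is an added example, not Diego's code: one way to cut a log buffer into bounded chunks on UTF-8 boundaries such that malformed sequences cannot stall the splitter. `Chunk`, `splitPoint` and the sample bytes are constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"unicode/utf8"
)

// ErrChunkTooSmall is returned when a chunk could not hold one full rune.
var ErrChunkTooSmall = errors.New("chunk size must be at least utf8.UTFMax bytes")

// splitPoint returns how many leading bytes of b to emit as the next chunk.
// It backs up by at most utf8.UTFMax-1 bytes, and only when a well-formed
// rune straddles the cut. Anything malformed is cut at max, so the result is
// always between 1 and max and the caller always makes progress.
func splitPoint(b []byte, max int) int {
	if len(b) <= max {
		return len(b)
	}
	if utf8.RuneStart(b[max]) {
		return max // the cut already falls between runes
	}
	// b[max] is a continuation byte: look for the lead byte just before it.
	for i := max - 1; i > max-utf8.UTFMax; i-- {
		if !utf8.RuneStart(b[i]) {
			continue
		}
		// Invalid input decodes with size 1, which never reaches past max,
		// so only a valid rune crossing the cut moves the split point.
		if _, size := utf8.DecodeRune(b[i:]); i+size > max {
			return i
		}
		break
	}
	return max // stray continuation bytes or a broken lead byte: hard cut
}

// Chunk splits b into pieces of at most max bytes without cutting through a
// well-formed rune. Malformed bytes are passed through unchanged.
func Chunk(b []byte, max int) ([][]byte, error) {
	if max < utf8.UTFMax {
		return nil, ErrChunkTooSmall
	}
	var out [][]byte
	for len(b) > 0 {
		n := splitPoint(b, max)
		out = append(out, b[:n])
		b = b[n:]
	}
	return out, nil
}

func main() {
	// Constructed inputs: one well-formed, one made only of continuation bytes.
	wellFormed := []byte("aaa€bbb")
	malformed := []byte{0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80}
	for _, in := range [][]byte{wellFormed, malformed} {
		chunks, err := Chunk(in, 4)
		fmt.Printf("%q -> %q (err=%v)\n", in, chunks, err)
	}
}
```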


Removing nginx 1.8 from PHP Buildpack

David Jahn
 

The Buildpack team is planning to remove nginx 1.8 from the PHP Buildpack. 1.9 is currently the default version so this change will not affect default behavior.

The pull request for this change can be found at:

https://github.com/cloudfoundry/php-buildpack/pull/147

We are opening this thread so that the community can provide any comments they may have on this proposed change.

We are planning to merge the change in 2 weeks, on May 31.

Thanks!
Buildpacks Team


Proposal: Reducing State in Service Brokers - Service Broker API Enhancement

Alex Ley
 

Hello cf-dev,

I work on a team at Pivotal that builds lots of service brokers. We are currently working on a broker that backs onto BOSH and want to move towards making it stateless. We have written a proposal to enhance the CF Service Broker API to allow us to achieve this. We believe this will help other service broker authors as the principle transfers to most asynchronous backing systems.

You can read the full proposal here:

https://docs.google.com/document/d/1QzrG3d9-RgB7v5W44jnwgDuQWgqqPosASyCunLwfYF0/edit?usp=sharing

Open to comments on the document and on this thread.

Alex


Re: Team

Layne Peng
 

Sorry for the name misunderstanding... We use the word "marketplace", but not the term in CF.

The background is, firstly it is a public cloud, people use CF and the services provided by the CF; We built a framework (not like service broker) to help people contribute different service, then sell the services in it to the developers using Cloud Foundry. (The services can be used in CF, by the service broker we build; but it also in K8S and other PaaS. But mainly it is used in CF currently...)

So the problem is, when a new contribution, such as MySQL based on Brooklyn added to the marketplace, we need to register it to the CF.

I am not sure if it is clear enough, if you interested in it, I can share some introduction videos.


Re: Team

Gwenn Etourneau
 

Hi,
Marketplace is a CF thing for CF so what is exactly the problem you try to
solve?

On Tue, May 17, 2016 at 3:39 PM, Layne Peng <layne.peng(a)emc.com> wrote:

Actually, we are creating a service marketplace, and meet the same
problem, too: when we add a new service from the service marketplace, it
need to be registered in the CF side.

But with the service broker, we can manage the services just like managing
the instances. You can set a usage restrictions on the service, make it
only be consumed by a given team/org (defined in CF).


Re: Team

Gwenn Etourneau
 

marketplace is CF ....

On Tue, May 17, 2016 at 3:39 PM, Layne Peng <layne.peng(a)emc.com> wrote:

Actually, we are creating a service marketplace, and meet the same
problem, too: when we add a new service from the service marketplace, it
need to be registered in the CF side.

But with the service broker, we can manage the services just like managing
the instances. You can set a usage restrictions on the service, make it
only be consumed by a given team/org (defined in CF).
