
Re: Change in CF Security RSS Feed

Lee Porte
 

I agree with Matthew.

A redirect should really have been put in place when the change was made. The changes broke our CVE alerting mechanism.

Lee

On 7 February 2018 at 00:51, Matthew Kocher <mkocher@...> wrote:
Can we put a redirect in place? Failing that, how about an update posted to the old feed before it goes dark?

Having the old feed go silent is bad form for something that people may be relying on for security updates.




On Tue, Feb 6, 2018 at 8:56 AM, Molly Crowther <mcrowther@...> wrote:
Hello all,

A few weeks ago, the foundation did some re-architecting of the CF blog to improve SEO and searchability. These updates changed the location of the Security RSS feed.

If you are using this feed, the new address is: https://www.cloudfoundry.org/foundryblog/security-advisory/feed/

Please let me know if you have any questions or concerns!

Thanks,
Molly Crowther
CFF Security Team




CF UAA Localization #cf

Balakrishnan
 

Hi,
Our project uses standalone UAA for user authentication. There is a requirement to allow a client to create new users using the API (/Users - POST) as per his/her locale.

E.g. if our client's locale is French, then the username should allow all French characters.

However, as per the current code it seems it always expects the username in English, as there is a validation pattern ("[\\p{L}+0-9+\\-_.@'!]+") for a valid user name.

Is there any feature available in UAA to localize the instance, or will UAA always accept username/password in English only?

Thanks,
Balakrishnan
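
To see what the quoted character class actually accepts, here is an added example (not from the post and not UAA's own code). It assumes the pattern is applied as a whole-string match, as Java's String.matches would, so it is anchored with ^ and $; Java's \p{L} maps to JavaScript's \p{L} under the "u" flag and the rest of the class is copied verbatim.

```javascript
// Added example: exercises the UAA username pattern quoted in the post.
// Assumption: whole-string match (hence the ^ and $ anchors).
// \p{L} = any Unicode letter; remaining members of the class: + 0-9 - _ . @ ' !
const UAA_USERNAME = /^[\p{L}+0-9+\-_.@'!]+$/u;

// Returns true when the entire string is accepted by the pattern.
function isValidUaaUsername(name) {
  return UAA_USERNAME.test(name);
}

// Constructed sample usernames covering the locale question in the post.
const SAMPLES = {
  "alice": true,
  "éloïse.dupont": true,          // French accented letters are \p{L}
  "Zoë-D'Arcy@example.org": true, // hyphen, apostrophe, @ and . are in the class
  "名前": true,                   // CJK ideographs are letters (\p{L}) too
  "Jean Dupont": false,           // space is not in the class
  "user#1": false,                // # is not in the class
  "": false,                      // at least one character is required
};

// Runs every sample through the pattern and reports whether each result
// matched the expectation recorded above.
function checkSamples() {
  return Object.entries(SAMPLES).map(([name, expected]) => {
    const accepted = isValidUaaUsername(name);
    return { name, accepted, asExpected: accepted === expected };
  });
}

if (typeof require !== "undefined" && require.main === module) {
  for (const r of checkSamples()) console.log(r);
}
```

Because \p{L} admits every Unicode letter, the same class also accepts usernames built from visually confusable characters, which is a separate consideration from the locale question.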


Re: Change in CF Security RSS Feed

Matthew Kocher <mkocher@...>
 

Can we put a redirect in place? Failing that, how about an update posted to the old feed before it goes dark?

Having the old feed go silent is bad form for something that people may be relying on for security updates.




On Tue, Feb 6, 2018 at 8:56 AM, Molly Crowther <mcrowther@...> wrote:
Hello all,

A few weeks ago, the foundation did some re-architecting of the CF blog to improve SEO and searchability. These updates changed the location of the Security RSS feed.

If you are using this feed, the new address is: https://www.cloudfoundry.org/foundryblog/security-advisory/feed/

Please let me know if you have any questions or concerns!

Thanks,
Molly Crowther
CFF Security Team



Change in CF Security RSS Feed

Molly Crowther
 

Hello all,

A few weeks ago, the foundation did some re-architecting of the CF blog to improve SEO and searchability. These updates changed the location of the Security RSS feed.

If you are using this feed, the new address is: https://www.cloudfoundry.org/foundryblog/security-advisory/feed/

Please let me know if you have any questions or concerns!

Thanks,
Molly Crowther
CFF Security Team


Service Brokers using plan_id in last operation requests

Matt McNeeney
 

There is a discussion taking place [1] in the Open Service Broker API group regarding the plan_id that is sent in requests to get the status of an asynchronous operation [2] such as a provision or an update (last_operation endpoint).

Given that an asynchronous update service instance request could change the plan that a service instance is using, we are unsure of what service brokers expect in this scenario; are they expecting to receive the old plan_id or the new plan_id?

If any service broker authors are using the plan_id field, please let me know so that we can guide that discussion and make sure we do not make a breaking change to the specification.

Thanks,
Matt




Re: What should happen to Service Instance Bindings when their Plan is updated?

landzhev@...
 

Hi Alex,

Our service broker implementation to a large extent ignores the planId. We store it as a piece of information, but we do not use it later on.

Best regards,
Nikolay

On Thursday, February 1, 2018, 6:11:48 AM GMT+2, Basavaraju, Jagadish <jagadish.basavaraju@...> wrote:


Our implementation of Service Broker [1] ignores Plan Id and Service Id input during the bind requests and the bindings are valid even post plan update.

 

Jagadish

[1] – Service Fabrik – https://github.com/cloudfoundry-incubator/service-fabrik-broker

          

From: <cf-dev@...> on behalf of Alex Ley <aley@...>
Reply-To: "cf-dev@..." <cf-dev@...>
Date: Wednesday, 31 January 2018 at 9:00 PM
To: "cf-dev@..." <cf-dev@...>
Subject: [cf-dev] What should happen to Service Instance Bindings when their Plan is updated?

 

For folks who build Service Brokers, I would like to get your input on this issue [1] in the OSBAPI spec project. 

 

Today the spec doesn't give any guidance on what should happen to bindings when a plan is updated. We are looking to add some clarification / set the expected behaviour.

 

Could you share the logic for your service brokers on the issue? Do you use the `plan_id` in the binding request? 

 


Setting Up DNS for Your Environment

Russell Blue
 

Hi,

I want to deploy cf-deployment on Pike OpenStack. How can I set up DNS for my environment?

kind regards


Re: What should happen to Service Instance Bindings when their Plan is updated?

Sascha Matzke
 

Hi,

we have several service brokers (for "normal" backend services and quite a few route services) and we don't use PlanID (or ServiceID) in most of them.

There are exceptions (as always), but those brokers do not support plan updates.

Best,

Sascha


Re: What should happen to Service Instance Bindings when their Plan is updated?

Basavaraju, Jagadish
 

Our implementation of Service Broker [1] ignores Plan Id and Service Id input during the bind requests and the bindings are valid even post plan update.

 

Jagadish

[1] – Service Fabrik – https://github.com/cloudfoundry-incubator/service-fabrik-broker

          

From: <cf-dev@...> on behalf of Alex Ley <aley@...>
Reply-To: "cf-dev@..." <cf-dev@...>
Date: Wednesday, 31 January 2018 at 9:00 PM
To: "cf-dev@..." <cf-dev@...>
Subject: [cf-dev] What should happen to Service Instance Bindings when their Plan is updated?

 

For folks who build Service Brokers, I would like to get your input on this issue [1] in the OSBAPI spec project. 

 

Today the spec doesn't give any guidance on what should happen to bindings when a plan is updated. We are looking to add some clarification / set the expected behaviour.

 

Could you share the logic for your service brokers on the issue? Do you use the `plan_id` in the binding request? 

 


CVE-2018-1192: UAA SessionID present in Audit Event Logs

Molly Crowther <mcrowther@...>
 

Please see below for information on a high-severity UAA CVE.

Sree Tummidi can provide more details if you have questions.

Thanks,
Molly Crowther
CFF Security Team

CVE-2018-1192: UAA SessionID present in Audit Event Logs

Severity

High

Vendor

Cloud Foundry Foundation

Affected Cloud Foundry Products and Versions

  • All cf-release versions prior to v285
  • All cf-deployment versions prior to v1.7
  • UAA
    • 4.5.x versions prior to 4.5.5
    • 4.8.x versions prior to 4.8.3
    • 4.7.x versions prior to 4.7.4
  • UAA-release
    • 45.7.x versions prior to 45.7
    • 52.7.x versions prior to 52.7
    • 53.3.x versions prior to 53.3

Description

Cloud Foundry UAA logs the SessionID in audit event logs. An attacker can use the SessionID to impersonate a logged-in user.

Mitigation

Users of affected versions should apply the following mitigations or upgrades:

  • Releases that have fixed this issue include:
    • cf-release: 285
    • cf-deployment: 1.7
    • UAA: 4.5.5, 4.8.3, 4.7.4
    • UAA-release: 45.7, 52.7, 53.3

Credit

This issue was responsibly reported by the UAA team.

References

History

2018-01-31: Initial vulnerability report published.
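
As an added triage example (not part of the advisory), the following encodes the ranges listed above so a deployed version can be checked against them. It covers cf-release, cf-deployment and UAA only; UAA-release is omitted because its ranges above cannot be read as a simple threshold.

```javascript
// Added example (not from the advisory): checks a version string against the
// affected ranges CVE-2018-1192 lists for cf-release, cf-deployment and UAA.
const FIXED_IN = {
  // "all versions prior to ..." entries: a single threshold per product
  "cf-release":    { threshold: [285, 0, 0] },
  "cf-deployment": { threshold: [1, 7, 0] },
  // UAA: one fixed patch level per affected release line (major.minor)
  uaa: { "4.5": [4, 5, 5], "4.7": [4, 7, 4], "4.8": [4, 8, 3] },
};

// Parses "v285", "1.7" or "4.5.4" into [major, minor, patch].
function parseVersion(text) {
  const m = /^v?(\d+)(?:\.(\d+))?(?:\.(\d+))?$/.exec(text.trim());
  if (!m) throw new Error(`unparseable version: ${text}`);
  return [Number(m[1]), Number(m[2] || 0), Number(m[3] || 0)];
}

// Lexicographic comparison of two [major, minor, patch] triples.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Returns true (affected), false (at or above the fixed version), or null
// when the UAA release line is not named in the advisory, so no verdict
// can be drawn from it (for example 4.6.x).
function isAffected(product, version) {
  const table = FIXED_IN[product];
  if (!table) throw new Error(`product not covered by this check: ${product}`);
  const v = parseVersion(version);
  if (table.threshold) return compareVersions(v, table.threshold) < 0;
  const fixed = table[`${v[0]}.${v[1]}`];
  if (fixed === undefined) return null;
  return compareVersions(v, fixed) < 0;
}

if (typeof require !== "undefined" && require.main === module) {
  for (const [p, ver] of [["uaa", "4.5.4"], ["uaa", "4.8.3"], ["cf-release", "v284"]]) {
    console.log(p, ver, isAffected(p, ver));
  }
}
```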


Re: What should happen to Service Instance Bindings when their Plan is updated?

Mike Youngstrom
 

We do use the plan_id in the binding request. Usually to help look up credential config for parts of a service's credentials that are more static. But we also don't have any services where updating the plan affects bind credentials either.

I would be careful of doing anything special like auto rebind of services when a service is updated unless you're willing to look at overhauling the current model to also consider things like application restarts and broker initiated rebinds.  For example, I have occasionally wished that I could auto rebind all current service bindings when I've made changes to my broker and want all apps to incorporate a change to the way I was generating credentials.  Though I've always viewed such ideas as somewhat pie in the sky ideas.

I'm inclined to think you just leave existing bindings alone on service update and require the broker to keep the old service working.  Perhaps UIs could add  a little sugar notifying the user they may need to rebind and restart their applications for the update to take effect.

Mike

On Wed, Jan 31, 2018 at 8:28 AM, Alex Ley <aley@...> wrote:
For folks who build Service Brokers, I would like to get your input on this issue [1] in the OSBAPI spec project. 

Today the spec doesn't give any guidance on what should happen to bindings when a plan is updated. We are looking to add some clarification / set the expected behaviour.

Could you share the logic for your service brokers on the issue? Do you use the `plan_id` in the binding request? 



What should happen to Service Instance Bindings when their Plan is updated?

Alex Ley
 

For folks who build Service Brokers, I would like to get your input on this issue [1] in the OSBAPI spec project. 

Today the spec doesn't give any guidance on what should happen to bindings when a plan is updated. We are looking to add some clarification / set the expected behaviour.

Could you share the logic for your service brokers on the issue? Do you use the `plan_id` in the binding request? 


Re: bosh cf login on openstack

Russell Blue
 

Should I deploy "cf deploy" again with the haproxy file and build all virtual machines?

--------------------------------------------

On Wed, 1/31/18, Yitao Jiang <jiangyt.cn@gmail.com> wrote:

Subject: Re: [cf-dev] bosh cf login on openstack
To: cf-dev@lists.cloudfoundry.org
Date: Wednesday, January 31, 2018, 9:01 AM

Hello Russell
Assuming your domain for management is pcontroller
You need to configure the dns to resolve all *.pcontroller to a routing layer, either by lb or directly gorouter. Try enabling this one https://github.com/cloudfoundry/cf-deployment/blob/master/operations/use-haproxy-public-network.yml
On Tue, Jan 30, 2018 at 6:23 PM, Russell Blue via Lists.Cloudfoundry.Org <bluerussell20=yahoo.com@lists.cloudfoundry.org> wrote:
Hi,

1- Using the cf-deployment, the virtual machines of cloud foundry on openstack IaaS were created.
2- cf CLI also installed

There is the following problem to log into the cloud foundry environment

# cf login
API endpoint> api.pcontroller
FAILED
Error performing request: Get https://api.pcontroller/v2/info: dial tcp: lookup api.pcontroller on 192.168.55.1:53: no such host
TIP: If you are behind a firewall and require an HTTP proxy, verify the https_proxy environment variable is correctly set. Else, check your

What is the API endpoint? How is the API endpoint set up?



Best Regards










--

Regards,
Yitao


Re: bosh cf login on openstack

Yitao Jiang
 

Hello Russell

Assuming your domain for management is pcontroller
You need to configure the dns to resolve all *.pcontroller to a routing layer, either by lb or directly gorouter. Try enabling this one https://github.com/cloudfoundry/cf-deployment/blob/master/operations/use-haproxy-public-network.yml

On Tue, Jan 30, 2018 at 6:23 PM, Russell Blue via Lists.Cloudfoundry.Org <bluerussell20=yahoo.com@lists.cloudfoundry.org> wrote:
Hi,

1- Using the cf-deployment, the virtual machines of cloud foundry on openstack IaaS were created.
2- cf CLI also installed

There is the following problem to log into the cloud foundry environment

# cf login
API endpoint> api.pcontroller
FAILED
Error performing request: Get https://api.pcontroller/v2/info: dial tcp: lookup api.pcontroller on 192.168.55.1:53: no such host
TIP: If you are behind a firewall and require an HTTP proxy, verify the https_proxy environment variable is correctly set. Else, check your

What is the API endpoint? How is the API endpoint set up?

Best Regards






--

Regards,

Yitao


Proposal: Garden support for Containerd

Julz Friedman
 

Hi cf devvers, the garden team have a proposal about using Containerd to run containers in garden-runc. It's called "Proposal: Use Containerd to run containers in Garden-RunC". The link is here [0].


Looking forward to your feedback, thanks y'all!

Regards,
Julz
Garden PM



Re: bosh cf-deploy on openstack

Johannes Hiemer <jvhiemer@...>
 

SSH into the virtual machine via bosh ssh -d cf api and do a sudo su, then monitor summary. If something there is failing, please provide the logs from /var/vcap/sys/log/ComponentThatIsFailingInMonitOverview


On Tue, 30 Jan 2018 at 11:46 Russell Blue via Lists.Cloudfoundry.Org <bluerussell20=yahoo.com@...> wrote:
Hi,

I created cloud foundry with the following virtual machines. What is the problem with the api virtual machine?

bosh -e bosh-1 vms
Instance                                                  Process State  AZ  IPs        VM CID                                VM Type
adapter/018b9e7f-698f-4417-a33b-5f8351c61cda              running
api/b6ec5273-f586-4279-b2df-7f843efe4f92                  stopped
cc-worker/0111a82d-f7e4-4870-a90a-a6b399b150f7            running
consul/691ee9ca-b869-44a1-b2cc-6a509ddcca63               running
database/149b717d-a836-42e2-91ea-d35a7366bf08             running
diego-api/1e494667-7946-446e-aeb3-cc5393ca8281            running
diego-cell/a28fbba0-d469-46f1-b4f6-c43b0aee0ced           running
doppler/67ec24fe-7449-4881-bf5f-4a254f5385e5              running
log-api/eaea64ed-b33a-4ceb-bcc7-d292bfe4a900              running
nats/5a0e69f1-860f-42c8-9296-d3f143264b3b                 running
router/d390d148-ce2b-42b5-b8ed-4b2c4f203d03               running
scheduler/8befb5c8-38bb-4440-b469-5edd0b25b936            running
singleton-blobstore/78e5fce4-1012-4f0a-ab6b-92a23036514b  running
tcp-router/15e444d3-73d8-43fb-a1ae-c30da4d5a2b9           running
uaa/0cb6927f-42fd-4351-9f30-3a2f074abf52                  running


Best Regards




bosh cf-deploy on openstack

Russell Blue
 

Hi,

I created cloud foundry with the following virtual machines. What is the problem with the api virtual machine?

bosh -e bosh-1 vms
Instance                                                  Process State  AZ  IPs        VM CID                                VM Type
adapter/018b9e7f-698f-4417-a33b-5f8351c61cda              running
api/b6ec5273-f586-4279-b2df-7f843efe4f92                  stopped
cc-worker/0111a82d-f7e4-4870-a90a-a6b399b150f7            running
consul/691ee9ca-b869-44a1-b2cc-6a509ddcca63               running
database/149b717d-a836-42e2-91ea-d35a7366bf08             running
diego-api/1e494667-7946-446e-aeb3-cc5393ca8281            running
diego-cell/a28fbba0-d469-46f1-b4f6-c43b0aee0ced           running
doppler/67ec24fe-7449-4881-bf5f-4a254f5385e5              running
log-api/eaea64ed-b33a-4ceb-bcc7-d292bfe4a900              running
nats/5a0e69f1-860f-42c8-9296-d3f143264b3b                 running
router/d390d148-ce2b-42b5-b8ed-4b2c4f203d03               running
scheduler/8befb5c8-38bb-4440-b469-5edd0b25b936            running
singleton-blobstore/78e5fce4-1012-4f0a-ab6b-92a23036514b  running
tcp-router/15e444d3-73d8-43fb-a1ae-c30da4d5a2b9           running
uaa/0cb6927f-42fd-4351-9f30-3a2f074abf52                  running


Best Regards


bosh cf login on openstack

Russell Blue
 

Hi,

1- Using the cf-deployment, the virtual machines of cloud foundry on openstack IaaS were created.
2- cf CLI also installed

There is the following problem to log into the cloud foundry environment

# cf login
API endpoint> api.pcontroller
FAILED
Error performing request: Get https://api.pcontroller/v2/info: dial tcp: lookup api.pcontroller on 192.168.55.1:53: no such host
TIP: If you are behind a firewall and require an HTTP proxy, verify the https_proxy environment variable is correctly set. Else, check your

What is the API endpoint? How is the API endpoint set up?

Best Regards


Re: bosh cf-deploy on openstack

Russell Blue
 

Error creating four virtual machines has been fixed.
(router, tcp-router, scheduler and smoke-test)

--------------------------------------------

On Mon, 1/29/18, <ahmad.abed@gmail.com> wrote:

Subject: Re: [cf-dev] bosh cf-deploy on openstack
To: cf-dev@lists.cloudfoundry.org
Date: Monday, January 29, 2018, 4:38 PM

Russell,

Can you provide cloud-config.yml after removing the lbaas config parts?

Regards,


Re: bosh cf-deploy on openstack

ahmad.abed@...
 

Russell,

Can you provide cloud-config.yml after removing the lbaas config parts?

Regards,
