|
Re: Using a deployment based on a Buildpack, it is possible to define multiple cores for that app?
Daniel Mikusa
No. See this email for an explanation.
https://lists.cloudfoundry.org/archives/list/cf-dev(a)lists.cloudfoundry.org/message/B76YGMZ5DQS2WGJZLAI45LBV6ZRKVVRI/ Dan On Sat, Dec 10, 2016 at 11:46 AM, Juan Antonio Breña Moral < bren(a)juanantonio.info> wrote: Hi, |
|
|
|
Re: CVE-2016-8218: Unauthenticated JWT signing algorithm in routing
Shannon Coen
Clarification:
The routing-api job is not deployed with cf-release. It is deployed with the routing-release [1], which provides support for TCP routing to apps on Diego. If you have not deployed the routing-release specifically, then chances are you do not have the routing-api job deployed and no action is required. To confirm, look at your BOSH deployments. $ bosh deployments For those who have deployed the routing-release, we recommend upgrading now to version 0.142.0 which contains a fix for the vulnerability: https://github.com/cloudfoundry-incubator/routing-release/releases/tag/0.142.0 [1] https://github.com/cloudfoundry-incubator/routing-release Best, Shannon Coen Product Manager, Cloud Foundry Pivotal, Inc. On Fri, Dec 9, 2016 at 11:00 PM, Molly Crowther <mcrowther(a)cloudfoundry.org> wrote: A new cf-release has been cut to mitigate the following issue. This notice |
|
|
|
Using a deployment based on a Buildpack, it is possible to define multiple cores for that app?
Juan Antonio Breña Moral <bren at juanantonio.info...>
Hi,
I would like to know if using CF with Buildpacks, it is possible to define the number of cores to be used by the app. With Docker, it is possible to define the number of cores with the following option: ``` bash docker run ubuntu /bin/echo 'Hello world --cpuset-cpus="0-3" ```` Juan Antonio |
|
|
|
CVE-2016-8218: Unauthenticated JWT signing algorithm in routing
Molly Crowther
A new cf-release has been cut to mitigate the following issue. This notice
can also be found at https://www.cloudfoundry.org/cve-2016-8218/. An RSS feed of Cloud Foundry vulnerabilities is available at https://www.cloudfoundry.org/category/security/feed/. CVE-2016-8218: Unauthenticated JWT signing algorithm in routing Severity Critical Vendor Cloud Foundry Foundation Versions Affected - cf-release versions prior to 237, if: - any versions of routing release have been uploaded, AND - the routing API is enabled through a manifest property on cf-release - cf-release versions 237 and later, prior to v249 Description Incomplete validation logic in JSON Web Token (JWT) libraries can allow unprivileged attackers to impersonate other users to the routing API. Mitigation OSS users of affected versions are strongly encouraged to: - Upgrade to Cloud Foundry v249 [1] or later Credit The issue was responsibly reported by a Pivotal team member. References - [1] https://github.com/cloudfoundry/cf-release/releases History2016-12-09: Initial vulnerability report published |
|
|
|
Proposal: Private Docker repository support
Will Pragnell <wpragnell@...>
Hi all,
We've recently come up with a proposal for adding support for private Docker repositories to Cloud Foundry [1]. The runtime product team spent some time considering various solutions to the problem (details of which are linked to from within the doc) and we feel that the proposed solution is the best next step, given the relative ease of implementation and the simplicity of the UX. We'd love to hear any feedback from the community. Please leave input and feedback in the comments on the document. We're hoping to begin work on this with at least some of the teams involved before the end of the year. We intend to start at the Garden / GrootFS level, as the changes needed there should be essentially the same regardless of any changes we might make to the whole feature. Thanks, Will - GrootFS project lead [1] https://goo.gl/xw2Z6V |
|
|
|
Custom health checks
John Feminella <jxf@...>
hi all,
Is there a custom health checks proposal that is being worked on or has already been accepted? If not, what is the state of the CF roadmap with respect to custom health checks? best,~ jf--John Feminella Advisory Platform Architect ✉ ·jxf(a)pivotal.io t · @jxxf |
|
|
|
Re: USN-3151-2: Linux kernel (Xenial HWE) vulnerability
Molly Crowther
Hi Marco,
toggle quoted message
Show quoted text
Thanks for the feedback - I do usually include the Ubuntu link in the postings but overlooked it this time (and just added it on the site). I agree it's annoying to have to copy-paste out the link. :) https://www.ubuntu.com/usn/usn-3151-2/ Thanks, Molly On Thu, Dec 8, 2016 at 11:35 PM, Voelz, Marco <marco.voelz(a)sap.com> wrote:
Dear Molly, |
|
|
|
Re: Memory/Disk usage information -MB vs MiB
Nicholas Calugar
Hi Ponraj,
toggle quoted message
Show quoted text
Apologies for the delay, I promise you I have been considering this query, just having trouble finding the correct response. I think I actually do need more of an example of how this is failing you, it’s not clear why presenting [1] Org Memory Usage in MB is inherently wrong when [2] App Memory is also MB. For example: cf curl "/v2/apps?q=space_guid:d2357fe4-a9f2-4c76-99d9-321b7668fde4" | grep memory "memory": 256, "memory": 1000, cf curl /v2/organizations/$(cf org system --guid)/memory_usage { "memory_usage_in_mb": 1256 } Do you think you could provide a more end-to-end example of when this goes wrong? Thanks, Nick [1] http://apidocs.cloudfoundry.org/234/organizations/retrieving_organization_memory_usage.html [2] http://apidocs.cloudfoundry.org/234/apps/creating_an_app.html -- Nicholas Calugar On December 7, 2016 at 11:16:53 AM, Ponraj E (ponraj.e(a)gmail.com) wrote:
Hi Nicholas, Anything that you expect from us? Are we missing something here? --- Ponraj |
|
|
|
Re: USN-3151-2: Linux kernel (Xenial HWE) vulnerability
Graham Bleach
On 9 December 2016 at 08:13, Guillaume Berche <bercheg(a)gmail.com> wrote:
+1thanks for pushing these security notifications to the cloudfoundrysite and this mailing list! We're currently doing this by running an app [1] in our CF that scrapes the Pivotal security page once an hour & creates events in Datadog corresponding to new CVEs. Datadog then raises a ticket in our support system. It's perhaps a bit over-engineered, but we wanted to have the events in Datadog so we could put the alerts in a dashboard etc. if we wanted. We only used the Pivotal security page because the Cloud Foundry one didn't exist then. Ideally there would be a stable machine-readable list of all CVEs relevant to the open source product. If it is RSS/atom we might be able to do what we want without writing code, using something like https://ifttt.com/ Cheers, Graham [1] https://github.com/alphagov/paas-cve-notifier |
|
|
|
Re: USN-3151-2: Linux kernel (Xenial HWE) vulnerability
thanks for pushing these security notifications to the cloudfoundry siteand this mailing list! +1 Also, is there an RSS feed that enables programmatic access to newly disclosed vulnerabilities on the security page ? Looking at wordpress rss feed plugin syntax [1], I was able to get the RSS feed for all cloudfoundry.org articles [2], but I did not yet find the right syntax to filter by the "Security Advisory" category/tag [3][4][5] that still return an empty page. While client-side filtering would be fine granted the category "Security Advisory" remains stable, it may make sense to ease such RSS subscription by the Cf community, and display the RSS feed button on the cloudfoundry.org/security page. [1] https://codex.wordpress.org/WordPress_Feeds [2] https://www.cloudfoundry.org/feed/ [3] https://www.cloudfoundry.org/tag/Security%20Advisory/feed/ [4] https://www.cloudfoundry.org/use/security/feed [5] https://www.cloudfoundry.org/feed/?tag=Security%20Advisory Guillaume. On Fri, Dec 9, 2016 at 8:35 AM, Voelz, Marco <marco.voelz(a)sap.com> wrote: Dear Molly, |
|
|
|
Re: USN-3151-2: Linux kernel (Xenial HWE) vulnerability
Marco Voelz
Dear Molly,
thanks for pushing these security notifications to the cloudfoundry site and this mailing list! One small suggestion: Could you please include a link to the original source of the vulnerability posting, in this case to the Ubuntu USN? Otherwise, everybody just has to copy out the USN-id, open the Ubuntu USN page, paste it to find the original notice. Thanks and warm regards Marco From: Molly Crowther <mcrowther(a)cloudfoundry.org> Reply-To: "Discussions about Cloud Foundry projects and the system overall." <cf-dev(a)lists.cloudfoundry.org> Date: Thursday, 8 December 2016 at 00:26 To: "Discussions about Cloud Foundry projects and the system overall." <cf-dev(a)lists.cloudfoundry.org> Subject: [cf-dev] USN-3151-2: Linux kernel (Xenial HWE) vulnerability The following notice has been posted to cloudfoundry.org/security<http://cloudfoundry.org/security>: https://www.cloudfoundry.org/usn-3151-2/ It details the information for the new versions of the BOSH stemcell that mitigate a high-severity kernel CVE. Users are strongly encouraged to upgrade BOSH stemcells in all deployments to one of the following versions: · Upgrade all earlier versions to 3151.5 · Upgrade 3233.x versions to 3233.6 or later · Upgrade 3263.x versions to 3263.12 or later · Upgrade 3312.x versions to to 3312.7 or later Thanks, Molly Crowther Cloud Foundry Foundation Security Team |
|
|
|
Re: UAA local run stuck at "cargoRunLocal"
Serg Hospodarets
Hi Filip, Hi Alex,
I have the same problem. I have macOS Sierra. I just cloned the https://github.com/cloudfoundry/uaa.git . "./gradlew run" just stuck on "Building 97% > :cargoRunLocal", "./gradlew run --info" and "./gradlew clean assemble run --info" both provide an output that "Tomcat 8.x started on port [8080]" , but: "curl -H "Accept: application/json" localhost:8080/uaa/login" always returns: FAILURE Alex, how did you manage that to work for you? |
|
|
|
Re: Does diego support window server 2016?
Amin J
Hi Xiangyi,
toggle quoted message
Show quoted text
The community version of CF supports Windows cells with Server 2012 right now. Currently we don't have an official support for Windows Server 2016. The same goes with windows docker images. There may be a plan to start officially supporting Windows Server 2016 in the near future. Thanks! Amin & David On Thu, Dec 8, 2016 at 1:38 AM Meng, Xiangyi <Xiangyi.Meng(a)dell.com> wrote:
Hi, |
|
|
|
Does diego support window server 2016?
Meng, Xiangyi <Xiangyi.Meng@...>
Hi,
I know Diego 1.0 has been released and we want to try it out in our dev environment. Just have a couple of questions. Could anyone help to answer? 1. Does community version CF support Diego windows cell? If it is true, what is the minimal version? 2. Does Diego support windows server 2016? 3. Does Diego support windows docker image? If possible, please guide us with documentation or webpage link. We really appreciate the help. Thanks, Maggie |
|
|
|
USN-3151-2: Linux kernel (Xenial HWE) vulnerability
Molly Crowther
The following notice has been posted to cloudfoundry.org/security:
https://www.cloudfoundry.org/usn-3151-2/ It details the information for the new versions of the BOSH stemcell that mitigate a high-severity kernel CVE. Users are strongly encouraged to upgrade BOSH stemcells in all deployments to one of the following versions: - Upgrade all earlier versions to 3151.5 - Upgrade 3233.x versions to 3233.6 or later - Upgrade 3263.x versions to 3263.12 or later - Upgrade 3312.x versions to to 3312.7 or later Thanks, Molly Crowther Cloud Foundry Foundation Security Team |
|
|
|
CF CAB call next week Wednesday December 14th @ 8a PST --- last one for 2016
Michael Maximilien
Hi, all, Quick reminder of the final CAB call of 2016 is next Wednesday, December 14th @ 8a PST.
In addition to open QAs with CF PMs, we are also looking for suggestions of two or three cloudfoundry-community projects or new proposals to highlight and perhaps have a short presentation on. Please reply directly to me with your suggestions and nominations (nominating yourself is perfectly fine).
Finally, join the slack.cloudfoundry.org and join the #CAB channel for previous and future discussions.
Talk to you all next week. We'll send one more reminder on this list.
Best,
Chip, James, and Max dr.max ibm cloud labs sillicon valley, ca Sent from my iPhone |
|
|
|
Re: CF-Extensions kickoff meeting on Thursday @ 11a PDT @ Pivotal SF in Pictor
Michael Maximilien
Final reminder, see info below.
Remember to join https://appear.in/cf-extensions or come to 4th floor Pictor if at Pivotal or phone info below if we get a lot of participants.
Look forward to chatting and your feedback. Best,
------ dr.max ibm cloud labs silicon valley, ca maximilien.org ----- Original message ----- |
|
|
|
Re: Runtime PMC - Infrastructure Project Lead Call for Nominations
Dieu Cao <dcao@...>
Hello all,
toggle quoted message
Show quoted text
Pivotal is nominating Evan Farrar for the Infrastructure Project Lead in the Runtime PMC. Evan Farrar has been working as an engineer on the Infrastructure team and would like to transition to Product Management. Evan most recently re-joined Pivotal in 2014 and has worked as both an engineer and a product manager for the Cloud Foundry incubator projects "Notifications" and "Container Networking." In addition to those projects Evan has had patches merged to Garden, Cloud Controller and Diego. Evan's previous experience includes a decade as an engineer in web, iOS and embedded applications for startups large and small. Any other nominations should be sent to me/in reply by end of day December 12th, 2016. If you have any questions about the role/process, please let me know. These are described in the CFF governance documents. [1] -Dieu Cao Runtime PMC Lead [1] https://www.cloudfoundry.org/wp-content/uploads/2015/09/CFF_ Development_Operations_Policy.pdf On Tue, Dec 6, 2016 at 1:07 AM, Dieu Cao <dcao(a)pivotal.io> wrote:
Hello all, |
|
|
|
Runtime PMC - Infrastructure Project Lead Call for Nominations
Dieu Cao <dcao@...>
Hello all,
Adrian Zankich, the Project Lead for the Infrastructure team within the Runtime PMC, will be transitioning back to an engineering role in the new year along with a move to San Francisco. We wish him well in his future endeavors and thank him for his time serving as the Infrastructure Project Lead for the past few months. The Infrastructure team, primarily located in Santa Monica, California, now has an opening for its project lead. The team currently maintains etcd and consul bosh releases as well as working on BBL(bosh boot loader). Project leads must be nominated by a Cloud Foundry Foundation member. Please send nominations to me/in reply to this posting by end of day December 12th, 2016. If you have any questions about the role/process, please let me know. These are described in the CFF governance documents. [1] -Dieu Cao Runtime PMC Lead [1] https://www.cloudfoundry.org/wp-content/uploads/2015/09/ CFF_Development_Operations_Policy.pdf |
|
|
|
Re: [ CF-243 / Blobstore ] Troubleshooting errors in internal_error.log
Fabien Guichard
Hello,
to begin with, i would like to thank you for your answer. In the meantime, we solved this issue, which was a concern with some security-group syntax validation against diego cells. Here's what we saw cc-bridge logs files : {"timestamp":"1480919305.373668909","source":"nsync-bulker","message":"nsync-bulker.sync-lrps.create-missing-desired-lrps.failed-creating-desired-lrp","log_level":2,"da ta":{"error":"Invalid field: egress_rules, Invalid field: log","process-guid":"dfaff32d-78b1-4493-b34f-ee10137c121f-7b633557-cbe5-438e-99d0-d05579156709","session":"106 682.5"}} The faulty syntax of staging & running security groups was : [ { "description": "", "log": true, "destination": "0.0.0.0/0", "ports": "1-65535", "protocol": "tcp" } ] Our setup was : CF : 243 Diego-runC : 0.8.0 Diego : 0.1485.0 Even if this upper-syntax is described on https://apidocs.cloudfoundry.org/243/security_groups/creating_a_security_group.html (CC API 2.62 / cf-243), it dosen't seem to work when writing staging & running security groups that way. So we did only rewrite of security groups json files with "proper" synta, Regards, Fabien. |
|
|