Re: How should I debug a blobstore error?
Eyal Shalev
For lack of guidance I went ahead and changed all three occurrences.
I still get a 404. But it seems to happen later on:

cf api api.10.60.18.186.xip.io --skip-ssl-validation
Setting api endpoint to api.10.60.18.186.xip.io...
OK

API endpoint: https://api.10.60.18.186.xip.io (API version: 2.56.0)
Not logged in. Use 'cf login' to log in.

cf login -v --skip-ssl-validation
API endpoint: https://api.10.60.18.186.xip.io

REQUEST: [2016-06-28T20:28:17Z]
GET /v2/info HTTP/1.1
Host: api.10.60.18.186.xip.io
Accept: application/json
Content-Type: application/json
User-Agent: go-cli 6.19.0+b29b4e0 / linux

RESPONSE: [2016-06-28T20:28:17Z]
HTTP/1.1 200 OK
Content-Length: 580
Content-Type: application/json;charset=utf-8
Date: Tue, 28 Jun 2016 20:28:23 GMT
Server: nginx
X-Content-Type-Options: nosniff
X-Vcap-Request-Id: 1444e97c-1562-46d4-6820-fe06d920e947
X-Vcap-Request-Id: 1444e97c-1562-46d4-6820-fe06d920e947::b7301932-6078-4334-82ff-46fa76d0032c

{"name":"","build":"","support":"http://support.cloudfoundry.com","version":0,"description":"","authorization_endpoint":"http://login.sysdomain.10.60.18.186.xip.io","token_endpoint":"https://uaa.10.60.18.186.xip.io","min_cli_version":null,"min_recommended_cli_version":null,"api_version":"2.56.0","app_ssh_endpoint":"ssh.sysdomain.10.60.18.186.xip.io:2222","app_ssh_host_key_fingerprint":null,"app_ssh_oauth_client":"ssh-proxy","logging_endpoint":"wss://loggregator.sysdomain.10.60.18.186.xip.io:4443","doppler_logging_endpoint":"wss://doppler.sysdomain.10.60.18.186.xip.io:4443"}

REQUEST: [2016-06-28T20:28:17Z]
GET /login HTTP/1.1
Host: login.sysdomain.10.60.18.186.xip.io
Accept: application/json
Content-Type: application/json
User-Agent: go-cli 6.19.0+b29b4e0 / linux

RESPONSE: [2016-06-28T20:28:17Z]
HTTP/1.1 404 Not Found
Content-Length: 124
Cache-Control: no-store
Content-Language: en-US
Content-Type: application/json;charset=UTF-8
Date: Tue, 28 Jun 2016 20:28:24 GMT
Server: Apache-Coyote/1.1
X-Vcap-Request-Id: a43cdd2a-1c0f-4f8d-7439-8174c88c7fde

{"passwd":"https://console.10.60.18.186.xip.io/password_resets/new","signup":"https://console.10.60.18.186.xip.io/register"}

API endpoint: https://api.10.60.18.186.xip.io (API version: 2.56.0)
Not logged in. Use 'cf login' to log in.
FAILED
Server error, status code: 404, error code: , message: |
|
Re: How to listen to space deletion events?
Nicholas Calugar
Hi Padma,
Apologies for the delay. In the case of a space with a service instance, if the space is deleted, the Cloud Controller sends a deprovision request to the service broker. The broker is responsible for properly handling the deprovision. What other cleanup do you have in mind?
-Nick
On Sun, Jun 19, 2016 at 4:42 PM, Padmashree B <padmashree.b(a)sap.com> wrote:
Hi,
--
Nicholas Calugar
Product Manager - Cloud Foundry API
Pivotal Software, Inc. |
|
Re: UAA Multi-Tenant Hierarchical Groups
Sree Tummidi
Hello Brian,
UAA supports hierarchical groups in any given Identity Zone (aka UAA Tenant). The Groups in a given UAA Identity Zone are unique.
Please refer to the documentation here: http://docs.cloudfoundry.org/api/uaa/#add-member
The Type in your case will be 'GROUP'.
Thanks,
Sree Tummidi
Sr. Product Manager
Identity - Pivotal Cloud Foundry
On Tue, Jun 28, 2016 at 9:16 AM, Bryan Perino <Bryan.Perino(a)gmail.com> wrote:
Hello All, |
|
Re: Spring OAuth not retrieving scopes from UAA
Madhura Bhave
Ok, so the oauth-client that is registered with the UAA for this application (app) only has the openid scope. If you want this client to be able to request other scopes on behalf of the user you would need to add them to the list of scopes on this client in the uaa.yml. This is where you would add them:
https://gist.github.com/bryantp/2bfc4538f36f28ba285fda84c59b89f8#file-uaa-yml-L17
On Tue, Jun 28, 2016 at 9:13 AM, Bryan Perino <Bryan.Perino(a)gmail.com> wrote:
It's a custom client that I wrote (Just a Spring Application). Here is the |
|
UAA Multi-Tenant Hierarchical Groups
Bryan Perino
Hello All,
Does UAA support Multi-Tenant Hierarchical groups? By this I mean can I have a GroupParent -> GroupChild relationship? The documentation mentioned that the groupName is unique per UAA as well, so I would have to have some sort of prefix for a tenant. Each tenant would want to model their groups based on their organization's internal structure. So, I could have coke.GroupParent -> coke.groupChild, or something like that. Is there out of the box support for this in UAA? Thank you for any guidance. |
|
Re: Spring OAuth not retrieving scopes from UAA
Bryan Perino
It's a custom client that I wrote (Just a Spring Application). Here is the YAML file that configures the client:
https://gist.github.com/bryantp/82111bbcbc0db8be701b389fd0f490e9 |
|
Buildpack creators and maintainers wanted!
Danny Rosen
The CF Buildpacks team will be conducting user research in July and would like to speak to community members who have experience:
- Creating new buildpacks
- Maintaining buildpacks bits
- Managing buildpacks within a CF environment
If you're interested in providing your opinion and are open to a 30 minute conversation please fill out this short form <https://goo.gl/YCzALr>.
Thanks!
-Cloud Foundry Buildpacks team |
|
Re: How should I debug a blobstore error?
Eyal Shalev
PS with regards to above comment the login.10.60.18.186.xip.io literal appears not only under the route_registrar, but also here (should it be changed as well?):

login:
  authorities: oauth.login,scim.write,clients.read,notifications.write,critical_notifications.write,emails.write,scim.userids,password.write
  authorized-grant-types: authorization_code,client_credentials,refresh_token
  autoapprove: true
  override: true
  redirect-uri: https://login.10.60.18.186.xip.io |
|
Re: Retrieve __VCAP__ID from instance_ID
Vinod A
I did CF push and push is successful but the app is not starting and in the logs I see the errors that I pasted.
API endpoint: https://api.ng.bluemix.net (API version: 2.44.0)
User: vinod_app(a)in.ibm.com
Not sure if it's supported or not. Can I verify using a quick test?
Thanks,
Vinod |
|
Re: How should I debug a blobstore error?
Eyal Shalev
Thanks for replying, but I'm not sure I understand your instructions.
I'm not sure what "check the route registrar merge" means. Do you mean that I should change the last 2 lines in cf-deployment.yml as such:

- instances: 1
  name: uaa_z1
  ...
  properties:
    .....
    route_registrar:
      routes:
        ........
        uris:
        - uaa.10.60.18.186.xip.io
        - '*.uaa.10.60.18.186.xip.io'
        - login.sysdomain.10.60.18.186.xip.io
        - '*.login.sysdomain.10.60.18.186.xip.io' |
|
Re: How should I debug a blobstore error?
Ronak Banka
Regarding z2 number of instances are 0 so it is same as having just 1 zone.
For login route error, route registrar on uaa job is adding login.10.60.18.186.xip.io to routes but from cloud controller config login endpoint is http://login.sysdomain.10.60.18.186.xip.io, which is why you are not able to login.
Can you check the route registrar merge, and replace with system domain instead of domain?
On Tue, Jun 28, 2016 at 2:28 PM, Eyal Shalev <eshalev(a)cisco.com> wrote:
It seems to have generated two of them even though I am not using 2 zones. |
|
Re: Spring OAuth not retrieving scopes from UAA
Madhura Bhave
Hi Brian,
The scopes that end up in the access token are the intersection of the client scopes and the user scopes. Which oauth client have you configured your spring cloud application with?
Thanks,
Madhura
On Jun 27, 2016, at 2:57 PM, Bryan Perino <Bryan.Perino(a)gmail.com> wrote: |
|
Re: How should I debug a blobstore error?
Eyal Shalev
It seems to have generated two of them even though I am not using 2 zones.
Also I see port 8080 mentioned somewhere in there, as mentioned before port 8080 is only opened internally in the security group (between the CF nodes). Should it also be opened up for the client? (what are the ports that the client needs to function [I have identified ports 80 and 443] ). Here is the config:

- instances: 1
  name: uaa_z1
  networks:
  - name: cf1
  properties:
    consul:
      agent:
        services:
          uaa: {}
    metron_agent:
      zone: z1
    route_registrar:
      routes:
      - health_check:
          name: uaa-healthcheck
          script_path: /var/vcap/jobs/uaa/bin/health_check
        name: uaa
        port: 8080
        registration_interval: 4s
        tags:
          component: uaa
        uris:
        - uaa.10.60.18.186.xip.io
        - '*.uaa.10.60.18.186.xip.io'
        - login.10.60.18.186.xip.io
        - '*.login.10.60.18.186.xip.io'
    uaa:
      proxy:
        servers:
        - 192.168.10.69
  resource_pool: medium_z1
  templates:
  - name: uaa
    release: cf
  - name: metron_agent
    release: cf
  - name: consul_agent
    release: cf
  - name: route_registrar
    release: cf
  - name: statsd-injector
    release: cf
  update: {}
- instances: 0
  name: uaa_z2
  networks:
  - name: cf2
  properties:
    consul:
      agent:
        services:
          uaa: {}
    metron_agent:
      zone: z2
    route_registrar:
      routes:
      - health_check:
          name: uaa-healthcheck
          script_path: /var/vcap/jobs/uaa/bin/health_check
        name: uaa
        port: 8080
        registration_interval: 4s
        tags:
          component: uaa
        uris:
        - uaa.10.60.18.186.xip.io
        - '*.uaa.10.60.18.186.xip.io'
        - login.10.60.18.186.xip.io
        - '*.login.10.60.18.186.xip.io'
    uaa:
      proxy:
        servers:
        - 192.168.10.69
  resource_pool: medium_z2
  templates:
  - name: uaa
    release: cf
  - name: metron_agent
    release: cf
  - name: consul_agent
    release: cf
  - name: route_registrar
    release: cf
  - name: statsd-injector
    release: cf
  update: {} |
|
Re: How should I debug a blobstore error?
Ronak Banka
Eyal ,
In your final manifest, can you check what are the properties under route-registrar for uaa job?
https://github.com/cloudfoundry/cf-release/blob/master/templates/cf.yml#L194
On Tue, Jun 28, 2016 at 6:53 AM, Eyal Shalev <eshalev(a)cisco.com> wrote:
That works, but now I cannot connect the cf client. |
|
Emitting service instance logs to dopplr
Dr Nic Williams <drnicwilliams@...>
Has anyone implemented (and has some sample code/OSS project) for a service broker implementation to emit logs/events back into dopplr for each service binding's app?
Nic |
|
Spring OAuth not retrieving scopes from UAA
Bryan Perino
Hello All,
Brand new to Cloud Foundry. I have hooked up a Spring Cloud Application to a UAA server and gotten it to authenticate properly. However, I noticed that none of the scopes that I defined in uaa.yml for the user are showing up in the resource server backend. Here is a link to the debugging session of what I can see: http://imgur.com/6wTYpQD
Here is the code I am debugging:

@RequestMapping("/")
public Message home(OAuth2Authentication principal) {
    System.out.println(principal.getName());
    return new Message("Hello World");
}

The screenshot is the value of the 'principal' variable. I have set the Spring Security yml variables for the resource server like so:

security:
  oauth2:
    resource:
      userInfoUri: http://localhost:8080/uaa/userinfo

and here are the relevant parts from the uaa.yml: https://gist.github.com/bryantp/2bfc4538f36f28ba285fda84c59b89f8
Thanks for any help. |
|
Re: How should I debug a blobstore error?
Eyal Shalev
That works, but now I cannot connect the cf client.
I am getting a 404. It does not explicitly say so in the docs, so I am assuming that the API endpoint is: https://api.domain_for_haproxy_node. Is this correct? My client is not accessing cf from within the security groups (an openstack limitation in the deployment that I use). As such I only opened ports 80,443,4443 & 2222 in the firewall. [internally all tcp traffic is enabled]
These are the commands that I ran (see the 404):

bosh vms
RSA 1024 bit CA certificates are loaded due to old openssl compatibility
Acting as user 'admin' on 'my-bosh'
Deployment 'ENVIRONMENT'

Director task 33

Task 33 done

+---------------------------------------------------------------------------+---------+-----+-----------+---------------+
| VM                                                                        | State   | AZ  | VM Type   | IPs           |
+---------------------------------------------------------------------------+---------+-----+-----------+---------------+
| api_worker_z1/0 (e9f91b0e-ad01-4053-975f-47715023b4cb)                    | running | n/a | small_z1  | 192.168.10.56 |
| api_z1/0 (34bf56c5-5bcc-496c-859d-c56a917a8901)                           | running | n/a | large_z1  | 192.168.10.54 |
| blobstore_z1/0 (4f12e375-1003-4a66-ac8b-a5eb5571f920)                     | running | n/a | medium_z1 | 192.168.10.52 |
| clock_global/0 (f099a159-9ae2-4d92-b88b-d0d55fdd5f3e)                     | running | n/a | medium_z1 | 192.168.10.55 |
| consul_z1/0 (ff08d8b8-fbba-474c-9640-a03577acf586)                        | running | n/a | small_z1  | 192.168.10.76 |
| doppler_z1/0 (437a1ab7-b6b8-4ae2-be0f-cd75b62b8228)                       | running | n/a | medium_z1 | 192.168.10.59 |
| etcd_z1/0 (a2527fc7-3e3e-489c-8ea0-cd3a443f1c7d)                          | running | n/a | medium_z1 | 192.168.10.72 |
| ha_proxy_z1/0 (e4fd4fdd-8d5e-4e85-90e5-6774f277c4a8)                      | running | n/a | router_z1 | 192.168.10.64 |
|                                                                           |         |     |           | 10.60.18.186  |
| hm9000_z1/0 (14d70eac-2687-4961-99f7-3f3f8f4e55c8)                        | running | n/a | medium_z1 | 192.168.10.57 |
| loggregator_trafficcontroller_z1/0 (ea59e739-15f9-4149-8d1a-cca3b1fbfb55) | running | n/a | small_z1  | 192.168.10.60 |
| nats_z1/0 (7a31a162-e5a3-4b29-82f8-fe76897d587d)                          | running | n/a | medium_z1 | 192.168.10.66 |
| postgres_z1/0 (8ed03c6f-8ea5-403a-bbb5-f1bc091b96b4)                      | running | n/a | medium_z1 | 192.168.10.68 |
| router_z1/0 (9749bd15-48f3-4b7d-a82e-d0aac34554fe)                        | running | n/a | router_z1 | 192.168.10.69 |
| runner_z1/0 (54e20fba-3185-45d2-9f3b-8da00de495f5)                        | running | n/a | runner_z1 | 192.168.10.58 |
| stats_z1/0 (9a107f21-7eb3-4df8-ac7b-13bd1d709e1f)                         | running | n/a | small_z1  | 192.168.10.51 |
| uaa_z1/0 (9b58319d-451a-4726-a4bf-e9431a467f47)                           | running | n/a | medium_z1 | 192.168.10.53 |
+---------------------------------------------------------------------------+---------+-----+-----------+---------------+

VMs total: 16

cf api api.10.60.18.186.xip.io --skip-ssl-validation
Setting api endpoint to api.10.60.18.186.xip.io...
OK

API endpoint: https://api.10.60.18.186.xip.io (API version: 2.56.0)
Not logged in. Use 'cf login' to log in.

cf -v login --skip-ssl-validation
API endpoint: https://api.10.60.18.186.xip.io

REQUEST: [2016-06-27T21:36:51Z]
GET /v2/info HTTP/1.1
Host: api.10.60.18.186.xip.io
Accept: application/json
Content-Type: application/json
User-Agent: go-cli 6.19.0+b29b4e0 / linux

RESPONSE: [2016-06-27T21:36:51Z]
HTTP/1.1 200 OK
Content-Length: 580
Content-Type: application/json;charset=utf-8
Date: Mon, 27 Jun 2016 21:36:57 GMT
Server: nginx
X-Content-Type-Options: nosniff
X-Vcap-Request-Id: 9170d9a4-3dce-45aa-7576-377a6d9c2940
X-Vcap-Request-Id: 9170d9a4-3dce-45aa-7576-377a6d9c2940::a4533964-ae04-4aa1-93ef-4626f4336187

{"name":"","build":"","support":"http://support.cloudfoundry.com","version":0,"description":"","authorization_endpoint":"http://login.sysdomain.10.60.18.186.xip.io","token_endpoint":"https://uaa.10.60.18.186.xip.io","min_cli_version":null,"min_recommended_cli_version":null,"api_version":"2.56.0","app_ssh_endpoint":"ssh.sysdomain.10.60.18.186.xip.io:2222","app_ssh_host_key_fingerprint":null,"app_ssh_oauth_client":"ssh-proxy","logging_endpoint":"wss://loggregator.sysdomain.10.60.18.186.xip.io:4443","doppler_logging_endpoint":"wss://doppler.sysdomain.10.60.18.186.xip.io:4443"}

REQUEST: [2016-06-27T21:36:52Z]
GET /login HTTP/1.1
Host: login.sysdomain.10.60.18.186.xip.io
Accept: application/json
Content-Type: application/json
User-Agent: go-cli 6.19.0+b29b4e0 / linux

RESPONSE: [2016-06-27T21:36:52Z]
HTTP/1.1 404 Not Found
Content-Length: 87
Content-Type: text/plain; charset=utf-8
Date: Mon, 27 Jun 2016 21:36:57 GMT
X-Cf-Routererror: unknown_route
X-Content-Type-Options: nosniff
X-Vcap-Request-Id: 4419650f-6a06-4b9d-5475-0f2790934fd5

404 Not Found: Requested route ('login.sysdomain.10.60.18.186.xip.io') does not exist.

API endpoint: https://api.10.60.18.186.xip.io (API version: 2.56.0)
Not logged in. Use 'cf login' to log in.
FAILED
Server error, status code: 404, error code: , message: |
|
Re: Consul Encryption in CF v234+
Amit Kumar Gupta
Hi Carsten,
That's a good question. We haven't built anything specifically to support 0-downtime for the DEAs, but we have some upcoming changes to make the etcd used by etcd-metric-server, routing-api, all loggregator components, and HM9k also switch to TLS. This would affect all the metron agents colocated on all the VMs, and we're building out a component to support a 0-downtime transition. This work is currently in flight:
https://www.pivotaltracker.com/epic/show/2566951
You could apply this concept to consul:
* create a new secure (TLS) consul cluster
* replace the existing consul cluster (don't change the job name or IPs, just what processes it runs) with an HTTP proxy that proxies requests to the secure cluster
* roll out the new IPs and TLS credentials to all clients of the consul cluster
* after that deploy is done, nothing should be talking to the HTTP proxy, and you can simply delete that job.
Best,
Amit
On Fri, Jun 24, 2016 at 8:46 AM, Long Nguyen <long.nguyen11288(a)gmail.com> wrote:
|
|
Re: How should I debug a blobstore error?
Amit Kumar Gupta
You can replace it in the stub and rerun generate.
On Mon, Jun 27, 2016 at 11:10 AM, Eyal Shalev <eshalev(a)cisco.com> wrote:
Can I replace it in the manifest stub and rerun generate? or do I need to |
|
Re: How should I debug a blobstore error?
Eyal Shalev
Can I replace it in the manifest stub and rerun generate? or do I need to replace it in the generated manifest?
|
|