Re: one question about CF security
harry zhang
Outbound traffic is not the response, it refers to how your app connects to the outside world.
|
|
Re: one question about CF security
Gwenn Etourneau
Inbound is a connection initiated from external; in this case the dialog between app and client is through the LB / Gorouter. Outbound is a connection initiated from internal, which means your app wants to connect to something .... Not sure I am clear ...

On Thu, Dec 10, 2015 at 1:35 PM, 姜恩龙jiangenlong <jiangenlong(a)hxdi.com> wrote:

Hi,
|
|
Re: one question about CF security
Zhang Lei <harryzhang@...>
According to your graph, outbound traffic is not the response, it refers to how your app connects to the outside world.

--
Lei Zhang (Harry Zhang)
TEL: (+86) 15157180183
Cloud Team VLIS Lab
Zhejiang University

On 2015-12-10 12:35:55, "姜恩龙jiangenlong" <jiangenlong(a)hxdi.com> wrote:

Hi,
· Inbound: From the load balancer through the router to the DEA, then from the DEA to the App Container.
· Outbound: From the App Container to the DEA, then to the gateway on the DEA virtual network interface.
· This gateway might be a NAT to external networks depending on your IaaS.
-------- this comes from the Cloud Foundry official docs.

Do the Load Balancer and the NAT have the same IP? In other words, are the two appliances located on one host (or VM)? If not, the client sends a request whose destination IP is the Load Balancer's address, and then receives a response whose source IP is the NAT address. I think, in this situation, the client cannot communicate with Cloud Foundry.

Regards,
jiangenlong

Friendly reminder from Huaxin Consulting Design Research Institute Co., Ltd.: to keep email communication flowing, if you cannot deliver to jiangenlong(a)hxdi.com, please temporarily change "com" to "cn" in the address and try again. Thank you!
|
|
one question about CF security
姜恩龙jiangenlong <jiangenlong at hxdi.com...>
Hi,
· Inbound: From the load balancer through the router to the DEA, then from the DEA to the App Container.
· Outbound: From the App Container to the DEA, then to the gateway on the DEA virtual network interface.
· This gateway might be a NAT to external networks depending on your IaaS.
-------- this comes from the Cloud Foundry official docs.

Do the Load Balancer and the NAT have the same IP? In other words, are the two appliances located on one host (or VM)? If not, the client sends a request whose destination IP is the Load Balancer's address, and then receives a response whose source IP is the NAT address. I think, in this situation, the client cannot communicate with Cloud Foundry.

Regards,
jiangenlong

Friendly reminder from Huaxin Consulting Design Research Institute Co., Ltd.: to keep email communication flowing, if you cannot deliver to jiangenlong(a)hxdi.com, please temporarily change "com" to "cn" in the address and try again. Thank you!
|
|
Cloud Foundry Org/Space Metadata Synchronization
Chaskin Saroff <chaskin.saroff@...>
As a project requirement, I'm attempting to extend some user preferences about an org/space. The requirement includes basic CRUD operations for these preferences, with each preference being **user level**. This means that each user gets their own preferences for each org that they are a part of. For example, a user Bob in orgA should be able to set his first orgA preference to true and his second orgA preference to "banana".
At the moment, my architecture has these preferences stored in a CouchDB database outside of Cloud Foundry. This approach works up to the point where a user is removed from an org that they have set preferences in. The same issue arises when an org is deleted, and these same preference ideas and issues can be extended to spaces as well. My question is, is there any way to keep my preferences database up to date with the data living in CF (via webhooks, etc.)? Alternatively, is there some other method of storing these preferences that will mitigate these synchronization issues? Hopefully this makes sense, but please ask for clarity if something isn't clicking.

The very best regards,
Chaskin
|
|
Re: How to use SSL with multi domain
Anuj Jain <anuj17280@...>
Thanks David/Shannon/Amit - this will solve my problem.
On Dec 10, 2015 7:25 AM, "Shannon Coen" <scoen(a)pivotal.io> wrote:
If you don't want to host the CF certs on your own load balancer, skip
|
|
[abacus] Slight change to the summary and charge functions
Benjamin Cheng
Previously, the summary and charge functions only received the quantity/cost and the query time. This caused issues when the query time fell outside of the specific window in time-based metrics.
These functions will now receive a from and to time that represents the lower bound of the current window and the upper bound of the current window respectively.
|
|
Re: How to use SSL with multi domain
Shannon Coen
If you don't want to host the CF certs on your own load balancer, skip HAProxy and terminate SSL at the Gorouter. In this scenario HAProxy is an unnecessary network hop. Gorouter also only supports one certificate, but you can support multiple domains in the same way David mentioned.

Shannon Coen
Product Manager, Cloud Foundry
Pivotal, Inc.
On Wed, Dec 9, 2015 at 4:40 AM, David Head-Rapson <dave(a)dhrapson.com> wrote:
Adding your new custom domains as Aliases on 'SAN' SSL certificates is the
|
|
Re: Import large dataset to Postgres instance in CF
Siva Balan <mailsiva@...>
Hi Nick,
Your Option 1 (using the psql CLI) is not possible, since there is a firewall that only allows connections from CF apps to the Postgres DB. Apps like the psql CLI that are outside of CF have no access to the Postgres DB. I just wanted to get some thoughts from this community, since I presume many would have faced a similar circumstance of importing large sets of data to their DB which is behind a firewall and accessible only through CF apps.

Thanks
Siva

On Wed, Dec 9, 2015 at 2:27 PM, Nicholas Calugar <ncalugar(a)pivotal.io> wrote:

Hi Siva,

--
http://www.twitter.com/sivabalans
|
|
Quotas in CF
Rajesh Jain
In CF at an org level you have quotas for:

1. Memory
2. Routes
3. Services

Two questions on quotas for routes and services: Is there any correlation or best practice on assigning quotas for routes and services based on the memory quota for an org? For example, a 16 GB quota can have 8 app instances of 2 GB per instance, and assuming 2 routes per app, you can assign (though not scientifically) a quota of 16 routes? What about the service quota? And what is the memory footprint of a service instance on the org quota?

Thanks,
Rajesh
|
|
Re: cf start of diego enabled app results in status code: 500 -- where to look for logs?
Eric Malm <emalm@...>
Hi, Tom,
It may be that Cloud Controller is unable to resolve the consul-provided DNS entries for the CC-Bridge components, as that '10001 Unknown Error' 500 response sounds like this bug in the Diego tracker: https://www.pivotaltracker.com/story/show/104066600.

That 500 response should be reflected as some sort of error in the CC log file, located by default in /var/vcap/sys/log/cloud_controller_ng/cloud_controller_ng.log on your CC VMs. It may even be helpful to follow that log in real-time with `tail -f` while you try starting the Diego-targeted app via the CLI. To be sure you capture it, you should tail that log file on each CC in your deployment. In any case, a stack trace associated to that error would likely help us identify what to check next.

Also, does `bosh vms` report any failing VMs in either the CF or the Diego deployments?

Best,
Eric
On Wed, Dec 9, 2015 at 2:27 PM, Tom Sherrod <tom.sherrod(a)gmail.com> wrote:
I'm giving CF 225 and diego 0.1441.0 a run.
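Eric points at cloud_controller_ng.log as the place the 500 should surface. As an added example, not code from the thread or from Cloud Foundry itself, the script below pulls the X-Vcap-Request-Id out of a CF_TRACE dump like Tom's and keeps only the CC log lines carrying that id, so the relevant error can be isolated on a busy CC instead of reading the whole file. The log lines are constructed samples; the Steno-style JSON layout and the `request_guid` field name are assumptions about the log format.

```python
import json
import re

# Constructed CF_TRACE excerpt; header values are the ones Tom posted, not a new capture.
CF_TRACE = """\
RESPONSE: [2015-12-09T17:17:37-05:00]
HTTP/1.1 500 Internal Server Error
X-Cf-Requestid: 6edf0ac8-384f-4db3-576a-6744b7eb4b8c
X-Vcap-Request-Id: 860d73f9-9415-478f-6c60-13e2e5ddde8c::80a4a687-7f2d-44c5-9b09-4e3c9fa07b68
{ "error_code": "UnknownError", "description": "An unknown error occurred.", "code": 10001 }
"""

# Constructed cloud_controller_ng.log sample. Steno-style JSON with the id under
# data.request_guid is an assumption about the log layout; the matcher below does
# not depend on it, only on the id appearing somewhere on the line.
CC_LOG = """\
{"timestamp":1449699456.9,"message":"Started PUT \\"/v2/apps/02c68ddd-0596-4aab-8c05-a8f538d06712\\"","log_level":"info","source":"cc.api","data":{"request_guid":"860d73f9-9415-478f-6c60-13e2e5ddde8c::80a4a687-7f2d-44c5-9b09-4e3c9fa07b68"}}
{"timestamp":1449699457.0,"message":"Started GET \\"/v2/info\\"","log_level":"info","source":"cc.api","data":{"request_guid":"11111111-2222-3333-4444-555555555555::aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"}}
{"timestamp":1449699457.1,"message":"Request failed: 500: constructed sample error","log_level":"error","source":"cc.api","data":{"request_guid":"860d73f9-9415-478f-6c60-13e2e5ddde8c::80a4a687-7f2d-44c5-9b09-4e3c9fa07b68"}}
"""


def request_ids_from_trace(trace):
    """X-Vcap-Request-Id of every RESPONSE in a CF_TRACE dump, in order."""
    return re.findall(r"^X-Vcap-Request-Id:\s*(\S+)", trace, flags=re.M | re.I)


def match_keys(request_id):
    """The full id plus the part before '::' (the id as the router sent it),
    so a component that logs only the inbound header value still matches."""
    prefix = request_id.split("::", 1)[0]
    return (request_id, prefix) if prefix != request_id else (request_id,)


def correlate(trace, cc_log):
    """CC log entries (parsed JSON, or the raw line when it is not JSON)
    that carry a request id seen in the trace."""
    keys = [k for rid in request_ids_from_trace(trace) for k in match_keys(rid)]
    hits = []
    for line in cc_log.splitlines():
        if any(k in line for k in keys):
            try:
                hits.append(json.loads(line))
            except json.JSONDecodeError:
                hits.append({"message": line})
    return hits


if __name__ == "__main__":
    for entry in correlate(CF_TRACE, CC_LOG):
        print(entry.get("log_level", "?"), entry["message"])
```

On a real CC VM, replace CC_LOG with the contents of /var/vcap/sys/log/cloud_controller_ng/cloud_controller_ng.log from each CC, since the request may have landed on any of them.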
|
|
Re: Import large dataset to Postgres instance in CF
Nicholas Calugar
Hi Siva,
You'll have to tell us more about how your PostgreSQL and CF were deployed, but you might be able to connect to it from your local machine using the psql CLI and the credentials for one of your bound apps. This takes CF out of the equation other than the service binding providing the credentials. If this doesn't work, there are a number of things that could be in the way, i.e. a firewall that only allows connections from CF, or the PostgreSQL server is on a different subnet. You can then try using some machine as a jump box that will allow access to the PostgreSQL.

Nick
On Wed, Dec 9, 2015 at 9:40 AM Siva Balan <mailsiva(a)gmail.com> wrote:
Hello,
|
|
cf start of diego enabled app results in status code: 500 -- where to look for logs?
Tom Sherrod <tom.sherrod@...>
I'm giving CF 225 and diego 0.1441.0 a run.
CF 225 is up and app deployed. Stop app. cf enable-diego app. Start app:

FAILED
Server error, status code: 500, error code: 10001, message: An unknown error occurred.
FAILED
Server error, status code: 500, error code: 10001, message: An unknown error occurred.

CF_TRACE ends with:

REQUEST: [2015-12-09T17:17:37-05:00]
PUT /v2/apps/02c68ddd-0596-4aab-8c05-a8f538d06712?async=true&inline-relations-depth=1 HTTP/1.1
Host: api.dev.foo.com
Accept: application/json
Authorization: [PRIVATE DATA HIDDEN]
Content-Type: application/json
User-Agent: go-cli 6.14.0+2654a47 / darwin
{"state":"STARTED"}

RESPONSE: [2015-12-09T17:17:37-05:00]
HTTP/1.1 500 Internal Server Error
Content-Length: 99
Content-Type: application/json;charset=utf-8
Date: Wed, 09 Dec 2015 22:17:36 GMT
Server: nginx
X-Cf-Requestid: 6edf0ac8-384f-4db3-576a-6744b7eb4b8c
X-Content-Type-Options: nosniff
X-Vcap-Request-Id: 860d73f9-9415-478f-6c60-13e2e5ddde8c::80a4a687-7f2d-44c5-9b09-4e3c9fa07b68
{
  "error_code": "UnknownError",
  "description": "An unknown error occurred.",
  "code": 10001
}

Where next to look for the broken piece?
|
|
Re: App Container IP Address assignment on vSphere
Daya Shetty <daya.shetty@...>
Will,
We are using warden containers in our deployment and I was referring to the attributes defined in ./cf-release/jobs/dea_next/templates/warden.yml.erb

    network:
      pool_start_address: 10.254.0.0
      pool_size: 256

and in ./cf-release/src/warden/warden/lib/warden/config.rb

    def self.network_defaults
      {
        "pool_network" => "10.254.0.0/24",
        "deny_networks" => [],
        "allow_networks" => [],
        "allow_host_access" => false,
        "mtu" => 1500,
      }
    end

    def self.network_schema
      ::Membrane::SchemaParser.parse do
        {
          # Preferred way to specify networks to pool
          optional("pool_network") => String,

          # Present for Backwards compatibility
          optional("pool_start_address") => String,
          optional("pool_size") => Integer,

          optional("release_delay") => Integer,
          optional("mtu") => Integer,
          "deny_networks" => [String],
          "allow_networks" => [String],
          optional("allow_host_access") => bool,
        }
      end
    end

Thanks
Daya
|
|
Re: FW: issue tracker permissions
Amit Kumar Gupta
I believe it will create a ZenDesk ticket, and someone from Tracker will follow up. I've raised this issue before as well, IIRC the response was it's something they've heard before, but wasn't something they were going to do right away. You're right, there's no mechanism to raise an issue that other people can then +1. Maybe Twitter?
On Wed, Dec 9, 2015 at 12:20 PM, Voelz, Marco <marco.voelz(a)sap.com> wrote:
Thanks for pointing me to this link. However, we seem to have the same
|
|
Re: FW: issue tracker permissions
Marco Voelz
Thanks for pointing me to this link. However, we seem to have the same problem here: This seems like a fire-and-forget solution. Where does this item go? How can I send it to other people and have them +1 it, like it, follow it, favorite it or whatever is necessary to indicate that there is more than 1 person wanting this feature?

Thanks and warm regards
Marco

On 09/12/15 20:01, "Amit Gupta" <agupta(a)pivotal.io> wrote:

If you're logged in to Tracker, there's a "Help & Updates" link at the top, and one of the options is Provide Feedback.

On Wed, Dec 9, 2015 at 10:59 AM, Voelz, Marco <marco.voelz(a)sap.com> wrote:

I'd happily submit a feature request to build up some visible demand for this – could you point me to the right channel here?

Thanks and warm regards
Marco

On 08/12/15 23:01, "Dieu Cao" <dcao(a)pivotal.io> wrote:

Unfortunately in order to follow a story in tracker, the minimum required level is "member" which allows you to create/comment/delete stories in tracker. I would suggest submitting a request to the pivotal tracker team to help build up evidence that this is a feature that people want.

-Dieu

On Tue, Dec 8, 2015 at 12:49 PM, Matt Cholick <cholick(a)gmail.com> wrote:

Sorry to resurrect an older thread, but I wanted to chime in that this is a frustration I have too. There are several stories in the various CF teams' public backlogs that I'd like to keep track of. Is it possible for community members to get enough permissions on our tracker accounts to add ourselves to the follow list?

-Matt

On Mon, Nov 23, 2015 at 3:10 AM, Koper, Dies <diesk(a)fast.au.fujitsu.com> wrote:

Hi Marco, Jan,

I sent an email to Tracker support about that last week because we were hoping to close CLI feature requests on GH and let people follow the stories on Tracker. Support confirmed that people need to have R/W access to a project to do that. I have just replied to ask if they'd consider an enhancement. Not sure what the proper channel would be to get such a story prioritized. Will let you know if I get a reply.

Regards,
Dies Koper
Cloud Foundry CLI PM

-----Original Message-----
From: Voelz, Marco [mailto:marco.voelz(a)sap.com]
Sent: Monday, November 23, 2015 8:00 PM
To: Discussions about Cloud Foundry projects and the system overall.
Subject: [cf-dev] Re: FW: issue tracker permissions

Thanks Jan for bringing that up, I've had similar problems with that as well. Any ideas on how to solve this? Is this a feature that the tracker team actively works on? Hitting cmd+r every few days on the same stories doesn't seem like the best way to stay informed about your favorite features.

Warm regards
Marco

On 19/11/15 09:23, "Sievers, Jan" <jan.sievers(a)sap.com> wrote:

Hi,
|
|
Re: App Container IP Address assignment on vSphere
Daya Shetty <daya.shetty@...>
Thanks Gwenn!
|
|
Re: [cf-env] [abacus] Changing how resources are organized
Jean-Sebastien Delfino
It depends if you still want usage aggregation at both the resource_id and resource_type_id levels (more changes, as that'll add another aggregation level to the reports) or if you only need aggregation at the resource_type_id level (and are effectively treating that resource_type_id as a 'more convenient' resource_id). What aggregation levels do you need, both, or just aggregation at that resource_type_id level?

- Jean-Sebastien
On Mon, Dec 7, 2015 at 3:19 PM, dmangin <dmangin(a)us.ibm.com> wrote:
Yes, this is related to github issue 38.
|
|
Re: FW: issue tracker permissions
Amit Kumar Gupta
If you're logged in to Tracker, there's a "Help & Updates" link at the top, and one of the options is Provide Feedback.
On Wed, Dec 9, 2015 at 10:59 AM, Voelz, Marco <marco.voelz(a)sap.com> wrote:
I'd happily submit a feature request to build up some visible demand for
|
|