Date   

Re: App Container IP Address assignment on vSphere

Daya Shetty <daya.shetty@...>
 

Thanks Gwenn!


Re: [cf-env] [abacus] Changing how resources are organized

Jean-Sebastien Delfino
 

It depends if you still want usage aggregation at both the resource_id and
resource_type_id levels (more changes as that'll add another aggregation
level to the reports) or if you only need aggregation at the
resource_type_id level (and are effectively treating that resource_type_id
as a 'more convenient' resource_id).

What aggregation levels do you need, both, or just aggregation at that
resource_type_id level?

- Jean-Sebastien

On Mon, Dec 7, 2015 at 3:19 PM, dmangin <dmangin(a)us.ibm.com> wrote:

Yes, this is related to github issue 38.

https://github.com/cloudfoundry-incubator/cf-abacus/issues/38

We want to group the buildpacks by a resource_type_id and bind resource
definitions to the resource_type_id rather than to the resource_id.
However,
when we make this change, how will this affect how abacus is doing all of
the calculations. The only change that I can think of is for abacus to use
the resource_type_id rather than the resource_id when creating the reports.





--
View this message in context:
http://cf-dev.70369.x6.nabble.com/cf-dev-abacus-Changing-how-resources-are-organized-tp2971p2991.html
Sent from the CF Dev mailing list archive at Nabble.com.


Re: FW: issue tracker permissions

Amit Kumar Gupta
 

If you're logged in to Tracker, there's a "Help & Updates" link at the top,
and one of the options is Provide Feedback.

On Wed, Dec 9, 2015 at 10:59 AM, Voelz, Marco <marco.voelz(a)sap.com> wrote:

I'd happily submit a feature request to build up some visible demand for
this – could you point me to the right channel here?

Thanks and warm regards
Marco

On 08/12/15 23:01, "Dieu Cao" <dcao(a)pivotal.io> wrote:

Unfortunately in order to follow a story in tracker, the minimum required
level is "member" which allows you to create/comment/delete stories in
tracker.
I would suggest submitting a request to the pivotal tracker team to help
build up evidence that this is a feature that people want.

-Dieu

On Tue, Dec 8, 2015 at 12:49 PM, Matt Cholick <cholick(a)gmail.com> wrote:

Sorry to resurrect an older thread, but I wanted to chime in that this is
a frustration I have too. There are several stories in the various CF teams
public backlogs that I'd like to keep track of.

Is it possible for community members to get enough permissions on our
tracker accounts to add ourselves to the follow list?

-Matt

On Mon, Nov 23, 2015 at 3:10 AM, Koper, Dies <diesk(a)fast.au.fujitsu.com>
wrote:

Hi Marco, Jan,

I sent an email to Tracker support about that last week because we were
hoping to close CLI feature requests on GH and let people follow the
stories on Tracker. Support confirmed that people need to have R/W access
to a project to do that.
I have just replied to ask if they'd consider an enhancement. Not sure
what the proper channel would be to get such a story prioritized.
Will let you know if I get a reply.

Regards,
Dies Koper
Cloud Foundry CLI PM

-----Original Message-----
From: Voelz, Marco [mailto:marco.voelz(a)sap.com]
Sent: Monday, November 23, 2015 8:00 PM
To: Discussions about Cloud Foundry projects and the system overall.
Subject: [cf-dev] Re: FW: issue tracker permissions

Thanks Jan for bringing that up, I've had similar problems with that as
well. Any ideas on how to solve this? Is this a feature that the tracker
team actively works on?
Hitting cmd+r every few days on the same stories doesn't seem like the
best way to stay informed about your favorite features.

Warm regards
Marco



On 19/11/15 09:23, "Sievers, Jan" <jan.sievers(a)sap.com> wrote:

Hi,

I was trying to watch a story I am interested in
https://www.pivotaltracker.com/n/projects/892938/stories/105493826


I do have an account but it seems I don't have permissions to watch
nor to comment.

Is there something I missed?

Regards
Jan


Re: FW: issue tracker permissions

Marco Voelz
 

I'd happily submit a feature request to build up some visible demand for this – could you point me to the right channel here?

Thanks and warm regards
Marco

On 08/12/15 23:01, "Dieu Cao" <dcao(a)pivotal.io<mailto:dcao(a)pivotal.io>> wrote:

Unfortunately in order to follow a story in tracker, the minimum required level is "member" which allows you to create/comment/delete stories in tracker.
I would suggest submitting a request to the pivotal tracker team to help build up evidence that this is a feature that people want.

-Dieu

On Tue, Dec 8, 2015 at 12:49 PM, Matt Cholick <cholick(a)gmail.com<mailto:cholick(a)gmail.com>> wrote:
Sorry to resurrect an older thread, but I wanted to chime in that this is a frustration I have too. There are several stories in the various CF teams public backlogs that I'd like to keep track of.

Is it possible for community members to get enough permissions on our tracker accounts to add ourselves to the follow list?

-Matt

On Mon, Nov 23, 2015 at 3:10 AM, Koper, Dies <diesk(a)fast.au.fujitsu.com<mailto:diesk(a)fast.au.fujitsu.com>> wrote:
Hi Marco, Jan,

I sent an email to Tracker support about that last week because we were hoping to close CLI feature requests on GH and let people follow the stories on Tracker. Support confirmed that people need to have R/W access to a project to do that.
I have just replied to ask if they'd consider an enhancement. Not sure what the proper channel would be to get such a story prioritized.
Will let you know if I get a reply.

Regards,
Dies Koper
Cloud Foundry CLI PM

-----Original Message-----
From: Voelz, Marco [mailto:marco.voelz(a)sap.com<mailto:marco.voelz(a)sap.com>]
Sent: Monday, November 23, 2015 8:00 PM
To: Discussions about Cloud Foundry projects and the system overall.
Subject: [cf-dev] Re: FW: issue tracker permissions

Thanks Jan for bringing that up, I've had similar problems with that as well. Any ideas on how to solve this? Is this a feature that the tracker team actively works on?
Hitting cmd+r every few days on the same stories doesn't seem like the best way to stay informed about your favorite features.

Warm regards
Marco



On 19/11/15 09:23, "Sievers, Jan" <jan.sievers(a)sap.com<mailto:jan.sievers(a)sap.com>> wrote:

Hi,

I was trying to watch a story I am interested in
https://www.pivotaltracker.com/n/projects/892938/stories/105493826


I do have an account but it seems I don't have permissions to watch nor to comment.

Is there something I missed?

Regards
Jan


Re: CF CAB call for December is this Wednesday Dec. 9th, 2015 @ 8a PDT

Michael Maximilien
 

Cool, thanks for confirming Dieu. I must have missed the fall back hour change and somehow my phone showed me 1a instead if midnight... Argh.




Anyhow, good to know it went fine. See you all next week.




Best,




Max




Sent from Mailbox

On Thu, Dec 10, 2015 at 2:26 AM, Dieu Cao <dcao(a)pivotal.io> wrote:

It went just fine after we sorted out the phone situation.
I believe Altoros took notes and will be sending that out.
-Dieu
On Wed, Dec 9, 2015 at 10:13 AM, Michael Maximilien <maxim(a)us.ibm.com>
wrote:
Oh crap. Looks like I miscalculated the correct time here in Beijing.

Very sorry about this folks. Looks like Alex took over the call. Can
someone let me know if all went well?

Best,

dr.max
ibm cloud labs
sillicon valley, ca

Sent from my iPhone

On Dec 7, 2015, at 5:24 PM, Michael Maximilien <maxim(a)us.ibm.com> wrote:

Hi, all, 您好 Nín hǎo,

Quick reminder that the last CAB call for 2015 is this week Wednesday
December 9th @ 8a PDT. I'll be calling from Beijing where it will be 1a, so
I plan to start and end on time :)

Product managers, please add project updates to Agenda here:


https://docs.google.com/document/d/1SCOlAquyUmNM-AQnekCOXiwhLs6gveTxAcduvDcW_xI/edit#heading=h.o44xhgvum2we

Everyone, if you have something to share, please also add an entry at the
end in Other section.

Best,

Chip, James, and Max

PS: call info and details are in the link above; just visit it

dr.max
ibm cloud labs
sillicon valley, ca

Sent from my iPhone



Re: CF CAB call for December is this Wednesday Dec. 9th, 2015 @ 8a PDT

Dieu Cao <dcao@...>
 

It went just fine after we sorted out the phone situation.
I believe Altoros took notes and will be sending that out.

-Dieu

On Wed, Dec 9, 2015 at 10:13 AM, Michael Maximilien <maxim(a)us.ibm.com>
wrote:

Oh crap. Looks like I miscalculated the correct time here in Beijing.

Very sorry about this folks. Looks like Alex took over the call. Can
someone let me know if all went well?

Best,

dr.max
ibm cloud labs
sillicon valley, ca

Sent from my iPhone

On Dec 7, 2015, at 5:24 PM, Michael Maximilien <maxim(a)us.ibm.com> wrote:

Hi, all, 您好 Nín hǎo,

Quick reminder that the last CAB call for 2015 is this week Wednesday
December 9th @ 8a PDT. I'll be calling from Beijing where it will be 1a, so
I plan to start and end on time :)

Product managers, please add project updates to Agenda here:


https://docs.google.com/document/d/1SCOlAquyUmNM-AQnekCOXiwhLs6gveTxAcduvDcW_xI/edit#heading=h.o44xhgvum2we

Everyone, if you have something to share, please also add an entry at the
end in Other section.

Best,

Chip, James, and Max

PS: call info and details are in the link above; just visit it

dr.max
ibm cloud labs
sillicon valley, ca

Sent from my iPhone



Re: CF CAB call for December is this Wednesday Dec. 9th, 2015 @ 8a PDT

Michael Maximilien
 

Oh crap. Looks like I miscalculated the correct time here in Beijing.

Very sorry about this folks. Looks like Alex took over the call. Can someone let me know if all went well?

Best,

dr.max
ibm cloud labs
sillicon valley, ca

Sent from my iPhone

On Dec 7, 2015, at 5:24 PM, Michael Maximilien <maxim(a)us.ibm.com> wrote:

Hi, all, 您好 Nín hǎo,

Quick reminder that the last CAB call for 2015 is this week Wednesday December 9th @ 8a PDT. I'll be calling from Beijing where it will be 1a, so I plan to start and end on time :)

Product managers, please add project updates to Agenda here:

https://docs.google.com/document/d/1SCOlAquyUmNM-AQnekCOXiwhLs6gveTxAcduvDcW_xI/edit#heading=h.o44xhgvum2we

Everyone, if you have something to share, please also add an entry at the end in Other section.

Best,

Chip, James, and Max

PS: call info and details are in the link above; just visit it

dr.max
ibm cloud labs
sillicon valley, ca

Sent from my iPhone


Re: App Container IP Address assignment on vSphere

Will Pragnell <wpragnell@...>
 

Hi Daya,

I think the reason that you're getting IPs you don't expect might be
because you're getting the property names wrong. It's not `pool_network`,
it's `network_pool` [1]. There is no `pool_size` property.

Will

[1]:
https://github.com/cloudfoundry-incubator/garden-linux-release/blob/develop/jobs/garden/spec#L68

On 9 December 2015 at 02:50, Gwenn Etourneau <getourneau(a)pivotal.io> wrote:

This pool network is for Warden / Garden (Diego) is not share accross VM
...

On Wed, Dec 9, 2015 at 10:04 AM, Daya Shetty <daya.shetty(a)bnymellon.com>
wrote:

Hello,

On vSphere I'm seeing the app containers are assigned 10.254.0.x,
10.254.2.x, 10.254.3.x addresses though the default value of the
"pool_network" is 10.254.0.0/24 and the pool_size is 256. Any reason why?

Also, if we have DEA's on 2 AZ's, do they share this network_pool or
will they independently allocate from their own NAT'ed pool.

Thanks
Daya


Import large dataset to Postgres instance in CF

Siva Balan <mailsiva@...>
 

Hello,
Below is my requirement:
I have a postgres instance deployed on our corporate CF deployment. I have
created a service instance of this postgres and bound my app to it. Now I
need to import a very large dataset(millions of records) into this postgres
instance.
As a CF user, I do not have access to any ports on CF other than 80 and
443. So I am not be able to use any of the native postgresql tools to
import the data. I can view and run simple SQL commands on this postgres
instance using the phppgadmin app that is also bound to my postgres service
instance.
Now, what is the best way for me to import this large dataset to my
postgres service instance?
All thoughts and suggestions welcome.

Thanks
Siva Balan

--
http://www.twitter.com/sivabalans


Loggregator roadmap for CF Community input

Jim CF Campbell
 

Hi cf-dev,

Over the past two months, I've been gathering customer input about the CF
OSS logging. I've created a first draft of a Loggregator Roadmap
<https://docs.google.com/spreadsheets/d/1QOCUIlTkhGzVwfRji7Q14vczqkBbFGkiDWrJSKdRLRg/edit?usp=sharing>.
I'm looking for feedback from the folks on this list. You can comment on
the doc and/or put your feedback in this thread.

Thanks!

--
Jim Campbell | Product Manager | Cloud Foundry | Pivotal.io | 303.618.0963


Re: How to use SSL with multi domain

D HR
 

Adding your new custom domains as Aliases on 'SAN' SSL certificates is the quickest way to get your SSL traffic enabled in the absence of multi-cert support on HAProxy.


Re: How to use SSL with multi domain

Anuj Jain <anuj17280@...>
 

Thanks Amit - that means to support any new domain - each time we need to
add more hardware (HAProxy) and need to redeploy cloud foundry.
Do we have any plan in near future to provide native SSL cert support for
custom domains.

On Wed, Dec 9, 2015 at 1:38 AM, Amit Gupta <agupta(a)pivotal.io> wrote:

If you're doing SSL termination at the HAProxy, you have a couple options.

One option is to configure multiple separate HAProxies, have each domain
resolve to the IP of the HAProxy that serves its corresponding cert, and
configure all the HAProxies to balance traffic to all the routers.

Another option is to get a certificate that covers multiple domains, and
just configure HAProxy once to serve that multi-domain cert. I think the
first option is better because it scales better as you add and remove
domains.

Unfortunately, right now there is no way to configure a single HAProxy to
serve multiple different SSL certs.

As for ELB, I'd recommend researching ELB capabilities separately.

Cheers,
Amit



On Tue, Dec 8, 2015 at 2:43 AM, Anuj Jain <anuj17280(a)gmail.com> wrote:

Hi,

We successfully able to create, map and test any new domain (private
and/or shared both) and could also able to access application using that
new domain/route.
Now we want to configure SSL for new domain - I have few questions:

1/ is cloud foundry provide multiple SSL offload on haproxy?
2/ I do not want to use any third party option (e.g. cloudflare -
http://docs.run.pivotal.io/marketplace/integrations/cloudflare/), is
there any otherway which I can use and if not by when we can expect native
SSL termination support on cloud foundry.
3/ we do have two environments one on VSPhere and other one on AWS - on
AWS we are using ELB - can we terminate multiple SSL on ELB for
multiple/custom domains on same port (do not want to change the port for
each SSL cert)

- Anuj


Re: - Urgent - Cloud Foundry Deployment is failing on dea.yml.erb

Kinjal Doshi
 

Thanks Amit, that worked like a charm :)

Regards,
Kinjal

On Tue, Dec 8, 2015 at 11:52 PM, Amit Gupta <agupta(a)pivotal.io> wrote:

Try adding your SSH key to your key-chain before doing bosh ssh: "ssh-add
/path/to/private/key". The private key will be the one listed in your
microbosh manifest.

On Tue, Dec 8, 2015 at 9:15 AM, Kinjal Doshi <kindoshi(a)gmail.com> wrote:

Hi,

I was able to deploy CF successfully after removing '@' symbol from
password as suggested by Amit.

As a last step I am trying to bosh ssh into vms but this is failing.
Below is my command:

*bosh ssh api_z1/0 --gateway_host 52.20.104.199 --gateway_user vcap*

and this results to:

*Acting as user 'admin' on deployment 'cf' on 'microbosh'*
*Target deployment is `cf'*

*Setting up ssh artifacts*

*Director task 8*

*Task 8 done*

*Cleaning up ssh artifacts*

*Director task 9*

*Task 9 queued*
*Authentication failed with gateway 52.20.104.199 and user vcap.*

I am not sure if I have done something wrong with the deployment
manifest. I put a custom password for all placeholder 'PASSWORD' in the
minimal-aws.yml. Is it required to use the standard password instead
'c1oudc0w'? Am using the release 226 and stem cell version 3149. Had the
same issue with 3147 this morning.

Also tried doing ssh vcap(a)ip but that also times out.

Would be great if somebody can please guide with this. Below is the
manifest:

# The following line helps maintain current documentation at
http://docs.cloudfoundry.org.
# code_snippet cf-minimal-aws start
---
name: cf
director_uuid: d5acd624-f5ee-4be3-ae42-a098e1bb315c

releases:
- {name: cf, version: latest}

networks:
- name: cf_private
type: manual
subnets:
- range: 10.0.16.0/24
gateway: 10.0.16.1
dns: [10.0.0.2]
reserved: ["10.0.16.2 - 10.0.16.3"]
static: ["10.0.16.100 - 10.0.16.105"]
cloud_properties:
subnet: subnet-29a7685f

- name: cf_public
type: manual
subnets:
- range: 10.0.0.0/24
gateway: 10.0.0.1
dns: [10.0.0.2]
reserved: ["10.0.0.2 - 10.0.0.10"]
cloud_properties:
subnet: subnet-06965970
security_groups:
- cf-public
- bosh

- name: elastic
type: vip
cloud_properties: {}

resource_pools:
- name: small_z1
network: cf_private
stemcell:
name: bosh-aws-xen-hvm-ubuntu-trusty-go_agent
version: 3149
cloud_properties:
availability_zone: us-east-1c
instance_type: c3.large

compilation:
workers: 6
network: cf_private
reuse_compilation_vms: true
cloud_properties:
availability_zone: us-east-1c
instance_type: c3.large

update:
canaries: 1
max_in_flight: 1
serial: false
canary_watch_time: 30000-600000
update_watch_time: 5000-600000

jobs:
- name: nats_z1
instances: 1
resource_pool: small_z1
templates:
- {name: nats, release: cf}
- {name: nats_stream_forwarder, release: cf}
- {name: metron_agent, release: cf}
networks:
- name: cf_private
static_ips: [10.0.16.103]

- name: etcd_z1
instances: 1
resource_pool: small_z1
persistent_disk: 102400
templates:
- {name: etcd, release: cf}
- {name: etcd_metrics_server, release: cf}
- {name: metron_agent, release: cf}
networks:
- name: cf_private
static_ips: [10.0.16.104]
properties:
etcd_metrics_server:
nats:
machines: [10.0.16.103]
password: Oro1602
username: nats

- name: nfs_z1
instances: 1
persistent_disk: 102400
resource_pool: small_z1
templates:
- {name: debian_nfs_server, release: cf}
- {name: metron_agent, release: cf}
networks:
- name: cf_private
static_ips: [10.0.16.105]

- name: postgres_z1
instances: 1
persistent_disk: 1024
resource_pool: small_z1
templates:
- {name: postgres, release: cf}
- {name: metron_agent, release: cf}
networks:
- name: cf_private
static_ips: [10.0.16.101]
update:
serial: true

- name: api_z1
instances: 1
resource_pool: small_z1
templates:
- {name: cloud_controller_ng, release: cf}
- {name: cloud_controller_worker, release: cf}
- {name: cloud_controller_clock, release: cf}
- {name: metron_agent, release: cf}
- {name: nfs_mounter, release: cf}
- {name: route_registrar, release: cf}
networks:
- name: cf_private
properties:
nfs_server:
address: 10.0.16.105
allow_from_entries: [10.0.16.0/24]
route_registrar:
routes:
- name: api
port: 9022
uris:
- "api.52.20.104.199.xip.io"

- name: ha_proxy_z1
instances: 1
resource_pool: small_z1
templates:
- {name: haproxy, release: cf}
- {name: metron_agent, release: cf}
networks:
- name: elastic
static_ips: [52.20.104.199]
- name: cf_public
default: [gateway, dns]
properties:
ha_proxy:
ssl_pem: |
-----BEGIN CERTIFICATE-----
MIICozCCAgwCCQCCK7S6lnxzATANBgkqhkiG9w0BAQsFADCBlTELMAkGA1UEBhMC
SU4xEjAQBgNVBAgMCUthcm5hdGFrYTESMBAGA1UEBwwJQmFuZ2Fsb3JlMRIwEAYD
VQQKDAlBY2NlbnR1cmUxDDAKBgNVBAsMA0lEQzERMA8GA1UEAwwIKi54aXAuaW8x
KTAnBgkqhkiG9w0BCQEWGmtpbmphbC5kb3NoaUBhY2NlbnR1cmUuY29tMB4XDTE1
MTIwODE2MDk1NFoXDTE2MDEwNzE2MDk1NFowgZUxCzAJBgNVBAYTAklOMRIwEAYD
VQQIDAlLYXJuYXRha2ExEjAQBgNVBAcMCUJhbmdhbG9yZTESMBAGA1UECgwJQWNj
ZW50dXJlMQwwCgYDVQQLDANJREMxETAPBgNVBAMMCCoueGlwLmlvMSkwJwYJKoZI
hvcNAQkBFhpraW5qYWwuZG9zaGlAYWNjZW50dXJlLmNvbTCBnzANBgkqhkiG9w0B
AQEFAAOBjQAwgYkCgYEAnOM1PNZn0YP0lzc36MLQ73uiJ1/LR6BMB+kKO4mW9YCF
FDGCeijSxwGtqM2PldMUyOGRN4jvjQsWRjl+9M/XoOk/tdlycgxGSP8oYm8NIaqR
rCKUnbegOvpOsAWjw0ojTAK9loUPSs8J0AS2WpcpCcpv5Sc8bh8j9bKw7wLD7c0C
AwEAATANBgkqhkiG9w0BAQsFAAOBgQAd3wtd2uwwB+sC17IKdFEfrKZt7yQY0GJp
TusARTimYTvyH9gHb6Qy1xOIrwoawkmvO+SuAtUjRuBse1JOWnKaLrOzrsToaCam
kzY6G5mf9VpgdCaj2+oNXYDl/IO3jf6KyRhZo9sZ/OMao7CRVn9mNJkHxOW1ELo0
Uc/rvH2mxg==
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
MIICXAIBAAKBgQCc4zU81mfRg/SXNzfowtDve6InX8tHoEwH6Qo7iZb1gIUUMYJ6
KNLHAa2ozY+V0xTI4ZE3iO+NCxZGOX70z9eg6T+12XJyDEZI/yhibw0hqpGsIpSd
t6A6+k6wBaPDSiNMAr2WhQ9KzwnQBLZalykJym/lJzxuHyP1srDvAsPtzQIDAQAB
AoGAZwZ5pnrx8E9kJo03ZN3SUQHyaULp/h5Q73zkoFZpUMzWF32vvkLir5b1kH11
BiF4a7ZdI4gEL64RMYp+SYvXgCdwKMwQTur85PGwo+ljCdanCA1rxG8/zOc8hMJa
+65PffQ9uFk8DKJr8E3BYysadB1TlTp6xzomOYaie8nDM60CQQDPNivf3z56e2fk
jZh0uGqhDAx7dE6ii10KuRFFY602DNY4TExZx/0Km4TgCgdv+yV4IQ2SEcGWs2ZO
8fXL3XHzAkEAwdO3eoXsvxcn2bFLRX6sZ0HU8pIJYpx1iSs6RBLd1DUIfbdpW0wf
a7ajpRmslXhhzDi8E7ljlSSJMr5GZ61RPwJBAMYoBuMrqaMV+q+t3TrZ1Va3oAQ7
oKt+3PZRLzwNa2qB8iaaiHVfdBQ9z181GBG1ugpciY7Dnj8Qxuj+KNHRrpMCQD34
C4w/ry51H8eI2JDya/pjYMrhB+EgNq/RQ0KqaYPEJN/UuPl4f/83GGDbsYLkRxg8
91yzA/SWBstTbD0Pe48CQDRcstoomvsRbUFTNcowQKsAWNdPN2sTUYYIBcNfOlql
Yo8/FSWzX5poKw16NHMGawUQ11ykX6p/Qnrh5wyniZc=
-----END RSA PRIVATE KEY-----
router:
servers:
z1: [10.0.16.102]

- name: hm9000_z1
instances: 1
resource_pool: small_z1
templates:
- {name: hm9000, release: cf}
- {name: metron_agent, release: cf}
- {name: route_registrar, release: cf}
networks:
- name: cf_private
properties:
route_registrar:
routes:
- name: hm9000
port: 5155
uris:
- "hm9000.52.20.104.199.xip.io"

- name: doppler_z1
instances: 1
resource_pool: small_z1
templates:
- {name: doppler, release: cf}
networks:
- name: cf_private
properties:
doppler: {zone: z1}
doppler_endpoint:
shared_secret: Oro1602

- name: loggregator_trafficcontroller_z1
instances: 1
resource_pool: small_z1
templates:
- {name: loggregator_trafficcontroller, release: cf}
- {name: metron_agent, release: cf}
- {name: route_registrar, release: cf}
networks:
- name: cf_private
properties:
traffic_controller: {zone: z1}
route_registrar:
routes:
- name: doppler
port: 8081
uris:
- "doppler.52.20.104.199.xip.io"
- name: loggregator
port: 8080
uris:
- "loggregator.52.20.104.199.xip.io"

- name: uaa_z1
instances: 1
resource_pool: small_z1
templates:
- {name: uaa, release: cf}
- {name: metron_agent, release: cf}
- {name: route_registrar, release: cf}
networks:
- name: cf_private
properties:
login:
catalina_opts: -Xmx768m -XX:MaxPermSize=256m
route_registrar:
routes:
- name: uaa
port: 8080
uris:
- "uaa.52.20.104.199.xip.io"
- "*.uaa.52.20.104.199.xip.io"
- "login.52.20.104.199.xip.io"
- "*.login.52.20.104.199.xip.io
uaa:
admin:
client_secret: Oro1602
batch:
password: Oro1602
username: batch_user
cc:
client_secret: Oro1602
scim:
userids_enabled: true
users:
-
admin|Oro1602|scim.write,scim.read,openid,cloud_controller.admin,doppler.firehose,routing.router_groups.read
uaadb:
address: 10.0.16.101
databases:
- {name: uaadb, tag: uaa}
db_scheme: postgresql
port: 5524
roles:
- {name: uaaadmin, password: Oro1602, tag: admin}

- name: router_z1
instances: 1
resource_pool: small_z1
templates:
- {name: gorouter, release: cf}
- {name: metron_agent, release: cf}
networks:
- name: cf_private
static_ips: [10.0.16.102]
properties:
dropsonde: {enabled: true}

- name: runner_z1
instances: 1
resource_pool: small_z1
templates:
- {name: dea_next, release: cf}
- {name: dea_logging_agent, release: cf}
- {name: metron_agent, release: cf}
networks:
- name: cf_private
properties:
dea_next: {zone: z1}

properties:
networks: {apps: cf_private}
app_domains: [52.20.104.199.xip.io]
cc:
allow_app_ssh_access: false
bulk_api_password: Oro1602
db_encryption_key: Oro1602
default_running_security_groups: [public_networks, dns]
default_staging_security_groups: [public_networks, dns]
install_buildpacks:
- {name: java_buildpack, package: buildpack_java}
- {name: ruby_buildpack, package: buildpack_ruby}
- {name: nodejs_buildpack, package: buildpack_nodejs}
- {name: go_buildpack, package: buildpack_go}
- {name: python_buildpack, package: buildpack_python}
- {name: php_buildpack, package: buildpack_php}
- {name: staticfile_buildpack, package: buildpack_staticfile}
- {name: binary_buildpack, package: buildpack_binary}
internal_api_password: Oro1602
quota_definitions:
default:
memory_limit: 102400
non_basic_services_allowed: true
total_routes: 1000
total_services: -1
security_group_definitions:
- name: public_networks
rules:
- {destination: 0.0.0.0-9.255.255.255, protocol: all}
- {destination: 11.0.0.0-169.253.255.255, protocol: all}
- {destination: 169.255.0.0-172.15.255.255, protocol: all}
- {destination: 172.32.0.0-192.167.255.255, protocol: all}
- {destination: 192.169.0.0-255.255.255.255, protocol: all}
- name: dns
rules:
- {destination: 0.0.0.0/0, ports: '53', protocol: tcp}
- {destination: 0.0.0.0/0, ports: '53', protocol: udp}
srv_api_uri: http://api.52.20.104.199.xip.io
staging_upload_password: Oro1602
staging_upload_user: staging_upload_user
ccdb:
address: 10.0.16.101
databases:
- {name: ccdb, tag: cc}
db_scheme: postgres
port: 5524
roles:
- {name: ccadmin, password: Oro1602, tag: admin}
databases:
databases:
- {name: ccdb, tag: cc, citext: true}
- {name: uaadb, tag: uaa, citext: true}
port: 5524
roles:
- {name: ccadmin, password: Oro1602, tag: admin}
- {name: uaaadmin, password: Oro1602, tag: admin}
dea_next:
advertise_interval_in_seconds: 5
heartbeat_interval_in_seconds: 10
memory_mb: 33996
description: Cloud Foundry sponsored by Pivotal
domain: 52.20.104.199.xip.io
etcd:
machines: [10.0.16.104]
peer_require_ssl: false
require_ssl: false
hm9000:
url: http://hm9000.52.20.104.199.xip.io
logger_endpoint:
port: 4443
loggregator:
etcd:
machines: [10.0.16.104]
loggregator_endpoint:
shared_secret: Oro1602
login:
protocol: http
metron_agent:
zone: z1
deployment: minimal-aws
metron_endpoint:
shared_secret: Oro1602
nats:
machines: [10.0.16.103]
password: Oro1602
port: 4222
user: nats
nfs_server:
address: 10.0.16.105
allow_from_entries: [10.0.16.0/24]
ssl:
skip_cert_verify: true
system_domain: 52.20.104.199.xip.io
system_domain_organization: default_organization
uaa:
clients:
cc-service-dashboards:
authorities: clients.read,clients.write,clients.admin
authorized-grant-types: client_credentials
scope: openid,cloud_controller_service_permissions.read
secret: Oro1602
cloud_controller_username_lookup:
authorities: scim.userids
authorized-grant-types: client_credentials
secret: Oro1602
cc_routing:
authorities: routing.router_groups.read
secret: Oro1602
authorized-grant-types: client_credentials
gorouter:
authorities:
clients.read,clients.write,clients.admin,routing.routes.write,routing.routes.read
authorized-grant-types: client_credentials,refresh_token
scope: openid,cloud_controller_service_permissions.read
secret: Oro1602
doppler:
authorities: uaa.resource
secret: Oro1602
login:
authorities:
oauth.login,scim.write,clients.read,notifications.write,critical_notifications.write,emails.write,scim.userids,password.write
authorized-grant-types:
authorization_code,client_credentials,refresh_token
redirect-uri: http://login.52.20.104.199.xip.io
scope: openid,oauth.approvals
secret: Oro1602
servicesmgmt:
authorities:
uaa.resource,oauth.service,clients.read,clients.write,clients.secret
authorized-grant-types:
authorization_code,client_credentials,password,implicit
autoapprove: true
redirect-uri:
http://servicesmgmt.52.20.104.199.xip.io/auth/cloudfoundry/callback
scope: openid,cloud_controller.read,cloud_controller.write
secret: Oro1602
jwt:
signing_key: |
-----BEGIN RSA PRIVATE KEY-----
MIICXAIBAAKBgQDHFr+KICms+tuT1OXJwhCUmR2dKVy7psa8xzElSyzqx7oJyfJ1
JZyOzToj9T5SfTIq396agbHJWVfYphNahvZ/7uMXqHxf+ZH9BL1gk9Y6kCnbM5R6
0gfwjyW1/dQPjOzn9N394zd2FJoFHwdq9Qs0wBugspULZVNRxq7veq/fzwIDAQAB
AoGBAJ8dRTQFhIllbHx4GLbpTQsWXJ6w4hZvskJKCLM/o8R4n+0W45pQ1xEiYKdA
Z/DRcnjltylRImBD8XuLL8iYOQSZXNMb1h3g5/UGbUXLmCgQLOUUlnYt34QOQm+0
KvUqfMSFBbKMsYBAoQmNdTHBaz3dZa8ON9hh/f5TT8u0OWNRAkEA5opzsIXv+52J
duc1VGyX3SwlxiE2dStW8wZqGiuLH142n6MKnkLU4ctNLiclw6BZePXFZYIK+AkE
xQ+k16je5QJBAN0TIKMPWIbbHVr5rkdUqOyezlFFWYOwnMmw/BKa1d3zp54VP/P8
+5aQ2d4sMoKEOfdWH7UqMe3FszfYFvSu5KMCQFMYeFaaEEP7Jn8rGzfQ5HQd44ek
lQJqmq6CE2BXbY/i34FuvPcKU70HEEygY6Y9d8J3o6zQ0K9SYNu+pcXt4lkCQA3h
jJQQe5uEGJTExqed7jllQ0khFJzLMx0K6tj0NeeIzAaGCQz13oo2sCdeGRHO4aDh
HH6Qlq/6UOV5wP8+GAcCQFgRCcB+hrje8hfEEefHcFpyKH+5g1Eu1k0mLrxK2zd+
4SlotYRHgPCEubokb2S1zfZDWIXW3HmggnGgM949TlY=
-----END RSA PRIVATE KEY-----
verification_key: |
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDHFr+KICms+tuT1OXJwhCUmR2d
KVy7psa8xzElSyzqx7oJyfJ1JZyOzToj9T5SfTIq396agbHJWVfYphNahvZ/7uMX
qHxf+ZH9BL1gk9Y6kCnbM5R60gfwjyW1/dQPjOzn9N394zd2FJoFHwdq9Qs0wBug
spULZVNRxq7veq/fzwIDAQAB
-----END PUBLIC KEY-----
no_ssl: true
url: http://uaa.52.20.104.199.xip.io
# code_snippet cf-minimal-aws end
# The previous line helps maintain current documentation at
http://docs.cloudfoundry.org.

Thanks,
Kinjal


On Tue, Dec 8, 2015 at 7:32 AM, Kinjal Doshi <kindoshi(a)gmail.com> wrote:

Hi Amit,

Thanks a lot for your response.

I too agree with what Gwenn and you have said. In my own hurry to meet a
dead line, I did not think through well before putting in 'Urgent' on the
email subject.

Will refrain from this going forward Apologies for the inconvenience.

Am removing the '@' symbol from the credentials and retrying, hopefully
it will work with that.

Thanks a lot for your inputs.

Regards,
Kinjal

On Tue, Dec 8, 2015 at 7:25 AM, Amit Gupta <agupta(a)pivotal.io> wrote:

Hi Kinjal,

+1 to everything Gwenn said. The OSS mailing lists cannot do special
things for "Urgent" subjects. Contact a private vendor if you require that
kind of support.

My guess is your problem is you have an '@' symbol in the user
component of one of your basic auth credentials. Ruby doesn't deal with
that. See this previous issue:
https://github.com/cloudfoundry/cf-release/issues/493

Best,
Amit

On Mon, Dec 7, 2015 at 4:58 PM, Gwenn Etourneau <getourneau(a)pivotal.io>
wrote:

Hi,

Please give your manifest and so on...
No magic here we need to check this kind of things.

Btw no need to put Urgent here, it's a community based support, if you
need commercial support you can ask to Pivotal, IBM and so on..

Thanks

On Tue, Dec 8, 2015 at 2:17 AM, Kinjal Doshi <kindoshi(a)gmail.com>
wrote:

Hi,

I am trying to deploy cloud foundry with the
stemcell light-bosh-stemcell-3147-aws-xen-hvm-ubuntu-trusty-go_agent.tgz
and cloud foundry release manifest cf-226yml

I am also using the minimal-aws.yml for configuration data.

During 'bosh deploy' command, I run into the following deployment
error:

Started preparing deployment
Started preparing deployment > Binding releases. Done (00:00:00)
Started preparing deployment > Binding existing deployment. Done
(00:00:01)
Started preparing deployment > Binding resource pools. Done
(00:00:00)
Started preparing deployment > Binding stemcells. Done (00:00:00)
Started preparing deployment > Binding templates. Done (00:00:00)
Started preparing deployment > Binding properties. Done (00:00:00)
Started preparing deployment > Binding unallocated VMs. Done
(00:00:00)
Started preparing deployment > Binding instance networks. Done
(00:00:00)

Started preparing package compilation > Finding packages to
compile. Done (00:00:00)

Started preparing dns > Binding DNS. Done (00:00:00)

Started preparing configuration > Binding configuration. Failed:
Error filling in template `dea.yml.erb' for `runner_z1/0' (line 86: bad
component(expected user component): Oro(a)1602) (00:00:01)

Error 100: Error filling in template `dea.yml.erb' for `runner_z1/0'
(line 86: bad component(expected user component): Oro(a)1602)

I noticed that the property cc.internal_api_user is missing from the
global properties and have added the same to minimal-aws.yml but the
deployment still fails.

I need to have the CF deployment up and running tonight. Would be
great if some one can please help me with this on priority?

Regards,
Kinjal


Re: App Container IP Address assignment on vSphere

Gwenn Etourneau
 

This pool network is for Warden / Garden (Diego) is not share accross VM
...

On Wed, Dec 9, 2015 at 10:04 AM, Daya Shetty <daya.shetty(a)bnymellon.com>
wrote:

Hello,

On vSphere I'm seeing the app containers are assigned 10.254.0.x,
10.254.2.x, 10.254.3.x addresses though the default value of the
"pool_network" is 10.254.0.0/24 and the pool_size is 256. Any reason why?

Also, if we have DEA's on 2 AZ's, do they share this network_pool or will
they independently allocate from their own NAT'ed pool.

Thanks
Daya


App Container IP Address assignment on vSphere

Daya Shetty <daya.shetty@...>
 

Hello,

On vSphere I'm seeing the app containers are assigned 10.254.0.x, 10.254.2.x, 10.254.3.x addresses though the default value of the "pool_network" is 10.254.0.0/24 and the pool_size is 256. Any reason why?

Also, if we have DEA's on 2 AZ's, do they share this network_pool or will they independently allocate from their own NAT'ed pool.

Thanks
Daya


Re: FW: issue tracker permissions

Dieu Cao <dcao@...>
 

Unfortunately in order to follow a story in tracker, the minimum required
level is "member" which allows you to create/comment/delete stories in
tracker.
I would suggest submitting a request to the pivotal tracker team to help
build up evidence that this is a feature that people want.

-Dieu

On Tue, Dec 8, 2015 at 12:49 PM, Matt Cholick <cholick(a)gmail.com> wrote:

Sorry to resurrect an older thread, but I wanted to chime in that this is
a frustration I have too. There are several stories in the various CF teams
public backlogs that I'd like to keep track of.

Is it possible for community members to get enough permissions on our
tracker accounts to add ourselves to the follow list?

-Matt

On Mon, Nov 23, 2015 at 3:10 AM, Koper, Dies <diesk(a)fast.au.fujitsu.com>
wrote:

Hi Marco, Jan,

I sent an email to Tracker support about that last week because we were
hoping to close CLI feature requests on GH and let people follow the
stories on Tracker. Support confirmed that people need to have R/W access
to a project to do that.
I have just replied to ask if they'd consider an enhancement. Not sure
what the proper channel would be to get such a story prioritized.
Will let you know if I get a reply.

Regards,
Dies Koper
Cloud Foundry CLI PM

-----Original Message-----
From: Voelz, Marco [mailto:marco.voelz(a)sap.com]
Sent: Monday, November 23, 2015 8:00 PM
To: Discussions about Cloud Foundry projects and the system overall.
Subject: [cf-dev] Re: FW: issue tracker permissions

Thanks Jan for bringing that up, I've had similar problems with that as
well. Any ideas on how to solve this? Is this a feature that the tracker
team actively works on?
Hitting cmd+r every few days on the same stories doesn't seem like the
best way to stay informed about your favorite features.

Warm regards
Marco



On 19/11/15 09:23, "Sievers, Jan" <jan.sievers(a)sap.com> wrote:

Hi,

I was trying to watch a story I am interested in
https://www.pivotaltracker.com/n/projects/892938/stories/105493826


I do have an account but it seems I don't have permissions to watch nor
to comment.

Is there something I missed?

Regards
Jan


Re: FW: issue tracker permissions

Matt Cholick
 

Sorry to resurrect an older thread, but I wanted to chime in that this is a
frustration I have too. There are several stories in the various CF teams
public backlogs that I'd like to keep track of.

Is it possible for community members to get enough permissions on our
tracker accounts to add ourselves to the follow list?

-Matt

On Mon, Nov 23, 2015 at 3:10 AM, Koper, Dies <diesk(a)fast.au.fujitsu.com>
wrote:

Hi Marco, Jan,

I sent an email to Tracker support about that last week because we were
hoping to close CLI feature requests on GH and let people follow the
stories on Tracker. Support confirmed that people need to have R/W access
to a project to do that.
I have just replied to ask if they'd consider an enhancement. Not sure
what the proper channel would be to get such a story prioritized.
Will let you know if I get a reply.

Regards,
Dies Koper
Cloud Foundry CLI PM

-----Original Message-----
From: Voelz, Marco [mailto:marco.voelz(a)sap.com]
Sent: Monday, November 23, 2015 8:00 PM
To: Discussions about Cloud Foundry projects and the system overall.
Subject: [cf-dev] Re: FW: issue tracker permissions

Thanks Jan for bringing that up, I've had similar problems with that as
well. Any ideas on how to solve this? Is this a feature that the tracker
team actively works on?
Hitting cmd+r every few days on the same stories doesn't seem like the
best way to stay informed about your favorite features.

Warm regards
Marco



On 19/11/15 09:23, "Sievers, Jan" <jan.sievers(a)sap.com> wrote:

Hi,

I was trying to watch a story I am interested in
https://www.pivotaltracker.com/n/projects/892938/stories/105493826


I do have an account but it seems I don't have permissions to watch nor
to comment.

Is there something I missed?

Regards
Jan


Re: How to use SSL with multi domain

Amit Kumar Gupta
 

If you're doing SSL termination at the HAProxy, you have a couple options.

One option is to configure multiple separate HAProxies, have each domain
resolve to the IP of the HAProxy that serves its corresponding cert, and
configure all the HAProxies to balance traffic to all the routers.

Another option is to get a certificate that covers multiple domains, and
just configure HAProxy once to serve that multi-domain cert. I think the
first option is better because it scales better as you add and remove
domains.

Unfortunately, right now there is no way to configure a single HAProxy to
serve multiple different SSL certs.

As for ELB, I'd recommend researching ELB capabilities separately.

Cheers,
Amit

On Tue, Dec 8, 2015 at 2:43 AM, Anuj Jain <anuj17280(a)gmail.com> wrote:

Hi,

We successfully able to create, map and test any new domain (private
and/or shared both) and could also able to access application using that
new domain/route.
Now we want to configure SSL for new domain - I have few questions:

1/ is cloud foundry provide multiple SSL offload on haproxy?
2/ I do not want to use any third party option (e.g. cloudflare -
http://docs.run.pivotal.io/marketplace/integrations/cloudflare/), is
there any otherway which I can use and if not by when we can expect native
SSL termination support on cloud foundry.
3/ we do have two environments one on VSPhere and other one on AWS - on
AWS we are using ELB - can we terminate multiple SSL on ELB for
multiple/custom domains on same port (do not want to change the port for
each SSL cert)

- Anuj


Re: Identifying all DEA's on a CF install

Amit Kumar Gupta
 

Is it because you're worried about misconfiguring things so that colocated
agent starts running on a non-DEA, or are you worried about someone
deploying a malicious DEA that has that agent colocated on it?

Does it make sense to instead have some sort of mutual agent/server
authentication instead, that's a little more decoupled from the actual
knowledge of whether something is on a DEA? I.e. your auth model seems to
be something like, the incoming request IP is the IP of a known DEA. But
you could instead use some standard key-based authentication mechanism.
This is, for example, how etcd and consul clients authenticate with their
servers in a Cloud Foundry deployment.

On Tue, Dec 8, 2015 at 7:37 AM, john mcteague <john.mcteague(a)gmail.com>
wrote:

We have components that are co deployed with DEAs that form part of an
application level encryption and security framework that talk to an
external service. That service validates that requests came from a valid
DEA.

John.
On 8 Dec 2015 02:59, "Amit Gupta" <agupta(a)pivotal.io> wrote:

Maybe you can explain the problem you're trying to solve.

You're not just trying to find the VMs which are DEAs, you need to be
able to do this constantly and programmatically. What's the actual overall
goal here, why do you need to do this?

Thanks,
Amit

On Mon, Dec 7, 2015 at 2:38 PM, Curry, Matthew <Matt.Curry(a)allstate.com>
wrote:

I believe you could use the BOSH API:

https://bosh.io/docs/director-api-v1.html#list-vms-detailed

From: john mcteague <john.mcteague(a)gmail.com>
Reply-To: "Discussions about Cloud Foundry projects and the system
overall." <cf-dev(a)lists.cloudfoundry.org>
Date: Monday, December 7, 2015 at 3:29 PM
To: "Discussions about Cloud Foundry projects and the system overall." <
cf-dev(a)lists.cloudfoundry.org>
Subject: [cf-dev] Re: Re: Identifying all DEA's on a CF install

I hadnt considered that. I see that there are now docs for the BOSH api,
however is the BOSH api suited to concurrent access by multiple processes?
We are writing a component that will need to frequently validate that a
particular machine is a DEA.

On Mon, Dec 7, 2015 at 10:26 PM, Amit Gupta <agupta(a)pivotal.io> wrote:

What about with BOSH?

On Mon, Dec 7, 2015 at 2:17 PM, john mcteague <john.mcteague(a)gmail.com>
wrote:

I am trying to enumerate all the ways I could identify all the DEA's
in a CF cluster in an IAAS agnostic way (e.g. not querying Openstack to
read metadata on the VM's that list the job type).

I think the only reliable way is to listen on NATS and look for the
DEA advertisement messages. Am I correct or is there a method I am missing
(I'd rather call and API rather than subscribe to NATS)?

Thanks,
John


Re: Passwords visible in infrastructure logs

Eric Malm <emalm@...>
 

Hi, Momchil,

We at Pivotal generally don't run with debug logging on for Diego and
Garden in our production systems, instead opting for the default 'info'
log-level. It is possible to toggle that log-level dynamically on
garden-linux via its debug server (which defaults to running on port 17013)
by doing a PUT to its `/log-level` endpoint with the payload 'debug',
though. Even so, the Garden team has scrubbed a lot of user-specified
information such as environment variables and command arguments out of
their logs, even at the debug level. The most relevant stories appear to be
https://www.pivotaltracker.com/story/show/101689730,
https://www.pivotaltracker.com/story/show/101874066, and
https://www.pivotaltracker.com/story/show/102666020, but if you need more
details I'm sure the Garden team can direct you to other stories as well.

Thanks,
Eric

On Tue, Dec 8, 2015 at 12:45 AM, Momchil Atanassov <
momchil.atanassov(a)sap.com> wrote:

Hi Amit,

Thanks for the quick reply!

We get logs from both DEA and Warden.

As for NATS, it's not NATS itself that is logging but rather the
`nats_steam_forwarder` (
https://github.com/cloudfoundry/cf-release/tree/master/jobs/nats_stream_forwarder
) job running on the `nats` VMs, as can be seen here:
https://github.com/cloudfoundry/cf-release/blob/master/jobs/nats_stream_forwarder/templates/nats_stream_forwarder.rb
It always logs in `info` level so the only way to disable it is to remove
it from the deployment configuration so that it is never located on the
NATS VM and never runs.

You say that you are running 100% Diego on your productive environment.
Doesn't Garden also do some type of logging that would contain the
container configuraiton (including environment variables) or are you not
running `debug` on your systems?

Regards,
Momchil