Curious why CF UAA uses DNS
Anna Muravieva
Hello, We are using the cf product in development. The question relates to UAA; if you could coordinate in research, it would be very appreciated. What are the benefits of CF UAA using DNS in route management, as opposed to checking this identity in, for instance, a request header? Thanks in advance, Anna
RSA Security Analytics Users List
Mary Lopez <mary.lopez@...>
Hi,
Would you be interested in acquiring the list of users using RSA Security Analytics? We also have some authentic data of other Cloud Computing, ERP, PLM, Analytics software users too. Job Titles - CIO, CTO, Data Center Managers, CSO, Director of IT, IT Security Head, Network Engineer etc. Information Fields - Name, Title, Email, Phone Numbers, Company Name and Company Details like Physical Address, Web Address, Revenue Size, Employee Size and Industry. Reach out with your specific requirement and get a set of free samples. If you are not the right person to discuss this, please forward this email to the right person in your organization. I look forward to hearing from you. Kind Regards, Mary Lopez Business Development Coordinator Dynamics IT Solutions 7800 Shoal Creek Blvd. Suite 230-S Austin, TX 78757 If you do not wish to receive an email from us, please reply "Remove" in the subject line.
Re: Security Question --- Securely wipe data on warden container removal / destruction???
Will Pragnell <wpragnell@...>
Guillaume, I'm not aware of any plans for secure memory wiping specifically, but I can say that another track of security work is one of several candidates for the next phase of work on Garden after OCS/runC integration is completed. That said, such a change may fall outside the remit of the Garden team; it may be a platform wide change that involves changes to the stemcell. On 23 September 2015 at 13:28, Guillaume Berche <bercheg(a)gmail.com> wrote:
Chris, thanks for bringing up this important security topic.
Re: Security group rules to allow HTTP communication between 2 apps deployed on CF
Naveen Asapu
I'm using cf version 6.12.1
Re: Security Question --- Securely wipe data on warden container removal / destruction???
Chris, thanks for bringing up this important security topic.
In terms of secrets an app is handling and carrying, I'd think its code has generally limited sensitivity (e.g. credentials or API key secrets are rather stored in env vars). I'd expect memory to be much more sensitive (e.g. holding user data), as well as state handed over to data services (12-factor apps are unlikely to store much state on their ephemeral file system). So, related to your question about securely wiping data upon app instance deletion, it may be interesting to consider secure RAM wiping when an app container exits (sometimes killed by the OOM killer, leaving little opportunity for the app itself to wipe out RAM before exit). See related discussions in [1] [2] [3] [4]. Quickly searching the bosh stemcell builder and bosh tracker, I could not find mention of grsecurity or PaX Linux kernel packages/patches that could strengthen RAM wiping after an app instance exits. Will, do you know if there are plans to tackle such kernel hardening? Related to secrets stored on disk in data services (p-mysql, p-redis), the services should be designed to not provide access to previously deleted service instances when normally functioning. The secure data wiping might be useful if ever the data service itself got compromised, so that an attacker would not be able to access data from deleted service instances afterwards. Guillaume.
[1] http://security.stackexchange.com/questions/42179/is-there-any-linux-distro-or-kernel-patch-that-wipes-a-process-memory-space-afte
[2] https://github.com/coreos/bugs/issues/332#issuecomment-109293958
[3] https://en.wikibooks.org/wiki/Grsecurity/Appendix/Grsecurity_and_PaX_Configuration_Options#Sanitize_all_freed_memory
[4] https://blog.docker.com/2013/08/containers-docker-how-secure-are-they/#other-kernel-security-features
On Thu, Sep 17, 2015 at 1:38 PM, Will Pragnell <wpragnell(a)pivotal.io> wrote:
In Diego/Garden, container files are stored on btrfs subvolumes. When a
Re: How to deploy a Web application using HTTPs
Juan Antonio Breña Moral <bren at juanantonio.info...>
@James,
who adds the headers "x-forwarded-for":"CLIENT_REAL_IP, CLOUD_FOUNDRY_IP", "x-forwarded-proto":"https": the load balancer or the GoRouter?
Re: Security group rules to allow HTTP communication between 2 apps deployed on CF
Denilson Nastacio <dnastacio@...>
The message indicates this problem is unrelated to security groups. You would get something like "host not found" instead of "connection refused". Which version of CF are you using? Can you curl a url from app2 at all? On Wed, Sep 23, 2015, 3:27 AM Naveen Asapu <asapu.naveen(a)gmail.com> wrote:
Hi Matthew Sykes,
Re: How to deploy a Web application using HTTPs
Juan Antonio Breña Moral <bren at juanantonio.info...>
Hi James,
Now I understood your technical explanation: "the standard way to do this is to terminate SSL at a load balancer, which then forwards to the CF routing tier. the hop between the load balancer and the cf router may be done with SSL. the network path from gorouter to the DEA / Diego Cell backend is only supported with http today." "app client ---HTTPS---> LB ---HTTPS---> GoRouter ---HTTP---> DEA/DiegoCell" Cloud Foundry supports SSL connections, but currently GoRouter only handles http. I checked the idea and I noticed that when I deploy an application, the platform adds the following http headers: "x-forwarded-for":"CLIENT_REAL_IP, CLOUD_FOUNDRY_IP", "x-forwarded-proto":"https" So, if you only want to execute an API with https, for example, it is necessary to filter on this header: "x-forwarded-proto":"https" (the idea from Matthew Sykes). I think that it is necessary to create another issue to add support for http2. I checked, but it fails, for the same reason: https://github.com/jabrena/CloudFoundryLab/blob/master/Node_HelloWorld_http2/index.js
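An added example, not from this thread and not Cloud Foundry's own code, of the header filter discussed above in a Node.js app: TLS is terminated at the load balancer and GoRouter, the last hop is plain HTTP, so the app decides from the leftmost x-forwarded-proto value and answers 403 otherwise, and it reads the real client address from the leftmost x-forwarded-for entry (CLIENT_REAL_IP in the message's notation). The header names and sample values come from the message; the function names, the PORT handling and the 203.0.113.7 address are assumptions or constructed for the example.

```javascript
// Added example (not from the mailing-list thread, not Cloud Foundry code).
// Enforces HTTPS in a Node.js app deployed behind the CF load balancer and
// GoRouter. TLS ends in front of the app and the final hop is plain HTTP, so
// the only evidence of the client's scheme is the x-forwarded-proto header.

// Leftmost entry of a comma-separated forwarded header. The first proxy (the
// load balancer) records the client; later entries are appended by hops the
// platform operates. Node folds repeated headers into an array for some names,
// so both string and array forms are accepted.
function firstForwardedValue(value) {
  const raw = Array.isArray(value) ? value.join(",") : value;
  if (typeof raw !== "string") return "";
  return raw.split(",")[0].trim();
}

// True only when the client-facing hop saw HTTPS. This is meaningful only when
// the app is reachable solely through the router, which sets these headers;
// a request that bypassed the router could carry any value.
function isForwardedHttps(headers) {
  return firstForwardedValue(headers["x-forwarded-proto"]).toLowerCase() === "https";
}

// Leftmost x-forwarded-for entry: CLIENT_REAL_IP in the thread's notation.
function clientIp(headers) {
  return firstForwardedValue(headers["x-forwarded-for"]);
}

// Wrap a request handler so non-HTTPS requests never reach it. For an API a
// 403 is preferable to a redirect: a client that already sent its request in
// clear text has already exposed it, so failing loudly is the useful signal.
function requireHttps(handler) {
  return function (req, res) {
    if (!isForwardedHttps(req.headers)) {
      res.writeHead(403, { "content-type": "text/plain" });
      res.end("HTTPS required\n");
      return;
    }
    return handler(req, res);
  };
}

// Assumed wiring: PORT is the port Cloud Foundry injects into the container.
// The http module is required lazily so the pure functions above can be used
// (and tested) without opening a socket.
function startServer(port) {
  const http = require("node:http");
  const server = http.createServer(requireHttps((req, res) => {
    res.writeHead(200, { "content-type": "application/json" });
    res.end(JSON.stringify({ client: clientIp(req.headers) }) + "\n");
  }));
  return server.listen(port);
}
```

Call startServer(process.env.PORT) from the app's entry point. Because the decision rests on a header the router sets, it is only as strong as the guarantee that the router is the sole path to the app instance; the check is a filter on what the platform tells the app, not an independent proof that the client used TLS.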
Re: Avoid some folder or files using the command cf push
Juan Antonio Breña Moral <bren at juanantonio.info...>
Many thanks for the info, I will check the file .cfignore: http://docs.pivotal.io/pivotalcf/devguide/deploy-apps/prepare-to-deploy.html Juan Antonio
Re: Avoid some folder or files using the command cf push
Chunhua Zhang <chzhang@...>
please ref to: https://docs.cloudfoundry.org/devguide/deploy-apps/manifest.html
How cf push Finds the Application
By default, cf push recursively pushes the contents of the current working directory. Alternatively, you can provide a path using either a manifest or a command line option.
- If the path is to a directory, cf push recursively pushes the contents of that directory instead of the current working directory.
- If the path is to a file, cf push pushes only that file.
*Note*: If you want to push more than a single file, but not the entire contents of a directory, consider using a .cfignore file to tell cf push what to exclude.
2015-09-23 16:08 GMT+08:00 Juan Antonio Breña Moral <bren(a)juanantonio.info>: Hi, --
Thanks & Best Regards, chunhua, zhang（张春华） M: +86 187 5198 6615 Department: CONSULTING Manager: Leon Cheng IT issue? Mail to: ask(a)pivotal.io
Avoid some folder or files using the command cf push
Juan Antonio Breña Moral <bren at juanantonio.info...>
Hi,
sometimes I deploy applications using the CLI with the command cf push. This command uploads the content of a folder and it uses the manifest file. I would like to know if there is some way in the manifest.yml or another file to avoid uploading some folder. For example, if a developer creates a Node.js application, the folder node_modules is not necessary to upload, because the Node.js buildpack is able to read and download the required dependencies described in the file package.json. Does some way exist to do it? Many thanks in advance. Juan Antonio
Re: Security group rules to allow HTTP communication between 2 apps deployed on CF
Naveen Asapu
Hi Matthew Sykes,
Actually I'm trying to monitor usage of an app in Bluemix. For that I'm using cf-abacus; in the example steps this command is also there. Can you suggest how to monitor app usage using curl and Cloud Foundry? -- Thanks Naveen Asapu
Re: Removing support for v1 service brokers
Dieu Cao <dcao@...>
We've found NATS to be unstable under certain conditions, temporary network interruptions or network instability, around the client reconnection logic. We've seen that it could take anywhere from a few seconds to half an hour to reconnect properly. We spent a fair amount of time investigating ways to improve the reconnection logic and have made some improvements but believe that it's best to work towards not having this dependency. You can find more about this in the stories in this epic [1]. Mike, in addition to removing the NATS dependency, this will remove the burden on the team, almost a weekly fight, in terms of maintaining backwards compatibility for the v1 broker spec any time we work on adding functionality to the service broker api. I'll work with the team in the next couple of weeks on specific stories and I'll link to it here. [1] https://www.pivotaltracker.com/epic/show/1440790 On Tue, Sep 22, 2015 at 10:07 PM, Mike Youngstrom <youngm(a)gmail.com> wrote:
Thanks for the announcement.
Re: Error 400007: `stats_z1/0' is not running after update
iamflying
It frequently logs the message below. It seems not helpful.
{"timestamp":1442987404.9433253,"message":"collector.started","log_level":"info","source":"collector","data":{},"thread_id":70132569199380,"fiber_id":70132570371720,"process_id":19392,"file":"/var/vcap/packages/collector/lib/collector/config.rb","lineno":45,"method":"setup_logging"}
The only possible error message from the bosh debug log is "ntp":{"message":"bad ntp server"} But I don't think it is related to the failure of stats_z1 updating.
I, [2015-09-23 04:55:59 #2392] [canary_update(stats_z1/0)] INFO -- DirectorJobRunner: Checking if stats_z1/0 has been updated after 63.333333333333336 seconds
D, [2015-09-23 04:55:59 #2392] [canary_update(stats_z1/0)] DEBUG -- DirectorJobRunner: SENT: agent.7d3452bd-679e-4a97-8514-63a373a54ffd {"method":"get_state","arguments":[],"reply_to":"director.c5b97fc1-b972-47ec-9412-a83ad240823b.473fda64-6ac3-4a53-9ebc-321fc7eabd7a"}
D, [2015-09-23 04:55:59 #2392] [] DEBUG -- DirectorJobRunner: RECEIVED: director.c5b97fc1-b972-47ec-9412-a83ad240823b.473fda64-6ac3-4a53-9ebc-321fc7eabd7a
{"value":{"properties":{"logging":{"max_log_file_size":""}},"job":{"name":"stats_z1","release":"","template":"fluentd","version":"4c71c87bbf0144428afacd470e2a5e32b91932fc","sha1":"b141c6037d429d732bf3d67f7b79f8d7d80aac5d","blobstore_id":"d8451d63-2e4f-4664-93a8-a77e5419621d","templates":[{"name":"fluentd","version":"4c71c87bbf0144428afacd470e2a5e32b91932fc","sha1":"b141c6037d429d732bf3d67f7b79f8d7d80aac5d","blobstore_id":"d8451d63-2e4f-4664-93a8-a77e5419621d"},{"name":"collector","version":"889b187e2f6adc453c61fd8f706525b60e4b85ed","sha1":"f5ae15a8fa2417bf984513e5c4269f8407a274dc","blobstore_id":"3eeb0166-a75c-49fb-9f28-c29788dbf64d"},{"name":"metron_agent","version":"e6df4c316b71af68dfc4ca476c8d1a4885e82f5b","sha1":"42b6d84ad9368eba0508015d780922a43a86047d","blobstore_id":"e578bfb0-9726-4754-87ae-b54c8940e41a"},{"name":"apaas_collector","version":"8808f0ae627a54706896a784dba47570c92e0c8b","sha1":"b9a63da925b40910445d592c70abcf4d23ffe84d","blobstore_id":"3e6fa71a-07f7-446a-96f4-3caceea02f2f"}]},"packages":{"apaas_collector":{"name":"apaas_collector","version":"f294704d51d4517e4df3d8417a3d7c71699bc04d.1","sha1":"5af77ceb01b7995926dbd4ad7481dcb7c3d94faf","blobstore_id":"fa0e96b9-71a6-4828-416e-dde3427a73a9"},"collector":{"name":"collector","version":"ba47450ce83b8f2249b75c79b38397db249df48b.1","sha1":"0bf8ee0d69b3f21cf1878a43a9616cb7e14f6f25","blobstore_id":"722a5455-f7f7-427d-7e8d-e562552857bc"},"common":{"name":"common","version":"99c756b71550530632e393f5189220f170a69647.1","sha1":"90159de912c9bfc71740324f431ddce1a5fede00","blobstore_id":"37be6f28-c340-4899-7fd3-3517606491bb"},"fluentd-0.12.13":{"name":"fluentd-0.12.13","version":"71d8decbba6c863bff6c325f1f8df621a91eb45f.1","sha1":"2bd32b3d3de59e5dbdd77021417359bb5754b1cf","blobstore_id":"7bc81ac6-7c24-4a94-74d1-bb9930b07751"},"metron_agent":{"name":"metron_agent","version":"997d87534f57cad148d56c5b8362b72e726424e4.1","sha1":"a21404c50562de75000d285a02cd43bf098bfdb9","blobstore_id":"6c7cf72c-9ace-40a1-4632-c27946bf6
31e"},"ruby-2.1.6":{"name":"ruby-2.1.6","version":"41d0100ffa4b21267bceef055bc84dc37527fa35.1","sha1":"8a9867197682cabf2bc784f71c4d904bc479c898","blobstore_id":"536bc527-3225-43f6-7aad-71f36addec80"}},"configuration_hash":"a73c7d06b0257746e95aaa2ca994c11629cbd324","networks":{"private_cf_subnet":{"cloud_properties":{"name":"random","net_id":"1e1c9aca-0b5a-4a8f-836a-54c18c21c9b9","security_groups":["az1_cf_management_secgroup_bosh_cf_ssh_cf2","az1_cf_management_secgroup_cf_private_cf2","az1_cf_management_secgroup_cf_public_cf2"]},"default":["dns","gateway"],"dns":["192.168.110.8","133.162.193.10","133.162.193.9","192.168.110.10"],"dns_record_name":"0.stats-z1.private-cf-subnet.cf-apaas.microbosh","gateway":"192.168.110.11","ip":"192.168.110.204","netmask":"255.255.255.0"}},"resource_pool":{"cloud_properties":{"instance_type":"S-1"},"name":"small_z1","stemcell":{"name":"bosh-openstack-kvm-ubuntu-trusty-go_agent","version":"2989"}},"deployment":"cf-apaas","index":0,"persistent_disk":0,"persistent_disk_pool":null,"rendered_templates_archive":{"sha1":"0ffd89fa41e02888c9f9b09c6af52ea58265a8ec","blobstore_id":"4bd01ae7-a69a-4fe5-932b-d98137585a3b"},"agent_id":"7d3452bd-679e-4a97-8514-63a373a54ffd","bosh_protocol":"1","job_state":"failing","vm":{"name":"vm-12d45510-096d-4b8b-9547-73ea5fda00c2"},"ntp":{"message":"bad ntp server"}}} On Wed, Sep 23, 2015 at 5:13 PM, Amit Gupta <agupta(a)pivotal.io> wrote:
Please check the file collector/collector.log, it's in a subdirectory of
Re: Error 400007: `stats_z1/0' is not running after update
Amit Kumar Gupta
Please check the file collector/collector.log, it's in a subdirectory of
the unpacked log tarball. On Wed, Sep 23, 2015 at 12:01 AM, Guangcai Wang <guangcai.wang(a)gmail.com> wrote: Actually, I checked the two files in status_z1 job VM. I did not find any
Re: Error 400007: `stats_z1/0' is not running after update
iamflying
Actually, I checked the two files in status_z1 job VM. I did not find any clues. Attached for reference. On Wed, Sep 23, 2015 at 4:54 PM, Amit Gupta <agupta(a)pivotal.io> wrote:
If you do "bosh logs stats_z1 0 --job" you will get a tarball of all the
Re: Error 400007: `stats_z1/0' is not running after update
Amit Kumar Gupta
If you do "bosh logs stats_z1 0 --job" you will get a tarball of all the
logs for the relevant processes running on the stats_z1/0 VM. You will likely find some error messages in the collector's stdout or stderr logs. On Tue, Sep 22, 2015 at 11:30 PM, Guangcai Wang <guangcai.wang(a)gmail.com> wrote: It does not help.
Re: Introducing CF-Swagger
Thanks Mohamed and Max for sharing this great work. Besides supporting an official TCK, the cf-swagger repo seems great to ease the delivery of acceptance tests as part of a service broker release (e.g. scheduled through bosh errands). +1 for a formal description of CF APIs allowing partly(?) automated client generation, and lowering the maintenance burden w.r.t. existing CC API v2 manually maintained clients (e.g. cf-java-client, go-cfclient, nodejs, php clients...). I had also suggested swagger for consideration in the CC API v3 [1]. It seems the CAPI team was initially considering Swagger as a documentation medium for CC API v3 in [2]. Dieu, would it be possible to share the "Doc of comparisons of pros and cons of different options" at [3], which does not yet seem public? Thanks, Guillaume.
[1] https://github.com/cloudfoundry/cc-api-v3-style-guide/issues/46
[2] https://www.pivotaltracker.com/n/projects/966314/stories/99237980
[3] https://docs.google.com/a/pivotal.io/document/d/1aVOZfd0n7BOLuJvK0_Sgie9Y3D7GT6NUF4V-bVG-BCs/edit?usp=sharing
On Tue, Sep 22, 2015 at 9:12 PM, Michael Maximilien <maxim(a)us.ibm.com> wrote: Since I know various folks are looking at better API docs. I went ahead
Re: Error 400007: `stats_z1/0' is not running after update
iamflying
It does not help.
I always see the "collector" process bouncing between "running" and "Does not exist" when I use "monit summary" in a while loop. Who knows how to get the real error when the "collector" process has not failed? Thanks. On Wed, Sep 23, 2015 at 4:11 PM, Tony <Tonyl(a)fast.au.fujitsu.com> wrote:
My approach is to login on the stats vm and sudo, then