Hi, Dharmi,

In order to run private docker images (that is, ones that require
user/password/email authentication with the registry), you'll have to stage
them into the optional diego-docker-cache deployed alongside Diego. The
BOSH release is located at
https://github.com/cloudfoundry-incubator/diego-docker-cache-release. If
you've already deployed Diego using the spiff-based manifest-generation
templates in diego-release, the deployment for this release should be
similar. If you deploy the caching registry release without TLS enabled or
enabled but with a self-signed certificate, Diego should then be configured
with the URL "docker-registry.service.cf.internal:8080" supplied in the
diego.garden-linux.insecure_docker_registry_list property, and
diego.stager.insecure_docker_registry set to 'true', as you can see in
https://github.com/cloudfoundry-incubator/diego-docker-cache-release/blob/develop/stubs-for-diego-release/bosh-lite-property-overrides.yml
.

Once that release is deployed, you can follow the instructions at
https://github.com/cloudfoundry-incubator/diego-docker-cache-release#caching-docker-image-with-diego
to stage your image into the cache, which should be as simple as setting
the DIEGO_DOCKER_CACHE env var to 'true' on your app before staging it.
When you start the app, Diego will then instruct Garden to pull the image
from the internal caching registry rather than from the remote registry you
staged it from. This has the added benefit of ensuring that you're always
running exactly the Docker image you staged, rather than something that may
have changed in the remote registry.

Thanks,
Eric, CF Runtime Diego PM

On Tue, Aug 11, 2015 at 9:32 AM, dharmi <dharmi(a)gmail.com> wrote:

We have CF v214 with Diego deployed on AWS.

I am able to successfully create apps from Docker public repo, as per the
apidocs <http://apidocs.cloudfoundry.org/214/apps/creating_an_app.html>
,

but, while creating apps from the Docker private repos, I see the below
error from 'cf logs' when starting the app.

[API/0] OUT Updated app with guid bcb8f363-xyz
({"route"=>"5af6948b-xyz"})
[API/0] OUT Updated app with guid bcb8f363-xyz ({"state"=>"STARTED"})
[STG/0] OUT Creating container
[STG/0] OUT Successfully created container
[STG/0] OUT Staging...
[STG/0] OUT Staging process started ...
[STG/0] ERR Staging process failed: Exit trace for group:
[STG/0] ERR builder exited with error: failed to fetch metadata from
[:dockerid/go-app] with tag [latest] and insecure registries [] due to
HTTP
code: 404
[STG/0] OUT Exit status 2
[STG/0] ERR Staging Failed: Exited with status 2
[API/0] ERR Failed to stage application: staging failed


cf curl command for reference.

cf curl /v2/apps -X POST -H "Content-Type: application/json" -H
"Authorization: bearer *accessToken*" -d '
{"name": "myapp",
"space_guid": "71b22eba-xyz",
"docker_image": ":dockerid/go-app",
"diego": true,
"docker_credentials_json":
{"docker_login_server": "https://index.docker.io/v1/",
"docker_user": ":dockerid",
"docker_password": ":dockerpwd",
"docker_email": ":email"
}
}'

Looking at the apidocs, the 'Example value' for 'docker_credentials_json'
indicates a Hash value
(#<RspecApiDocumentation::Views::HtmlExample:0x0000000bb883e0>), but
looking
inside the code, we found the below JSON format.

let(:docker_credentials) do
{
docker_login_server: login_server,
docker_user: user,
docker_password: password,
docker_email: email
}

Pls correct me if I am missing something.

Thanks,
Dharmi



--
View this message in context:
http://cf-dev.70369.x6.nabble.com/Running-Docker-private-images-on-CF-tp1148.html
Sent from the CF Dev mailing list archive at Nabble.com.

warden/DEAs keeps container file systems for a configured amount of time,
something like 1 hr before removing the containers, i believe with standard
removal tools.

diego cells and garden removes container file system immediately after
they are stopped by the user or the system. when using docker images, the
container images are cached in the garden graph directory and i'm not quite
sure of their cleanup / garbage collection life cycle.

On Wed, Aug 19, 2015 at 1:08 AM, Chris K <christopherkugler2(a)yahoo.de>
wrote:

Hi,

I have a few questions regarding the way data is removed when an
application is removed and its corresponding warden container is destroyed.
As the Cloud Foundry instance my company is using may be shared with
multiple tenants, this is a very critical question for us to be answered.
From Cloud Foundry's GitHub repository I gathered the following
information regarding the destruction process:

"When a container is destroyed -- either per user request, or
automatically after being idle -- Warden first kills all unprivileged
processes running inside the container. These processes first receive a
TERM signal followed by a KILL if they haven't exited after a couple of
seconds. When these processes have terminated, the root of the container's
process tree is sent a KILL . Once all resources the container used have
been released, its files are removed and it is considered destroyed."
(Quote: https://github.com/cloudfoundry/warden/tree/master/warden)

According to this quote all files of the file system are removed before
the resources can be used again. But how are they removed? Are they
securely wiped, meaning all blocks are set to zero (or randomized)? And how
is data removed from the RAM before it can be assigned to a new warden
(i.e. new application).

In case the data is not being securely wiped, how much access does an
application have towards the available memory? Is it for example possible
to create files of arbitrary size and read / access them?

I'd be thankful for any kind of hints on this topic.

With Regards,
Chris

--
Thank you,

James Bayer

I would like to know in CF, how to integrate with 3rd party app logging
and monitoring like Graphite, Nagios, etc, what is the recommended
approach. I found few articles where its mentioned firehose is the better
option. Whereas I remember having collector (stats_z1/z2) job pointing to
such monitoring server works well. So what steps I need to follow if I have
to integrate such application monitoring tool using firehose? Do I need to
write Nozzles for my monitoring tool like CloudCredo did for Graphite?
https://github.com/CloudCredo/graphite-nozzle
http://www.cloudcredo.com/how-to-integrate-graphite-with-cloud-foundry/
So if I have to integrate with Nagios, Wily, Splunk etc I would need
nozzle for all of them? If not what changes I need to do in my
configuration and in buildpack(not sure)?

I also found NOAA client https://github.com/cloudfoundry/noaa which I
think consumes all logs from doppler and show them on console? How this
Noaa client is using firehose, is not very clear in the document?

We have CF v214 with Diego deployed on AWS.

I am able to successfully create apps from Docker public repo, as per the
apidocs, but, while creating apps from the Docker private repos, I see the
below error from 'cf logs' when starting the app. 'appreciate any pointers.

[API/0] OUT Updated app with guid bcb8f363-xyz
({"route"=>"5af6948b-xyz"})
[API/0] OUT Updated app with guid bcb8f363-xyz ({"state"=>"STARTED"})
[STG/0] OUT Creating container
[STG/0] OUT Successfully created container
[STG/0] OUT Staging...
[STG/0] OUT Staging process started ...
[STG/0] ERR Staging process failed: Exit trace for group:
[STG/0] ERR builder exited with error: failed to fetch metadata from
[adobecloud/go-app] with tag [latest] and insecure registries [] due to
HTTP code: 404
[STG/0] OUT Exit status 2
[STG/0] ERR Staging Failed: Exited with status 2
[API/0] ERR Failed to stage application: staging failed


cf curl command for reference.

cf curl /v2/apps -X POST -H "Content-Type: application/json" -H
"Authorization: bearer *accessToken*" -d '
{"name": "myapp",
"space_guid": "71b22eba-xyz",
"docker_image": "adobecloud/go-app",
"diego": true,
"docker_credentials_json":
{"docker_login_server": "https://index.docker.io/v1/",
"docker_user": ":dockerid",
"docker_password": ":dockerpwd",
"docker_email": ":email"
}
}'

Looking at the apidocs, the 'Example value' for 'docker_credentials_json'
indicates a Hash value
(#<RspecApiDocumentation::Views::HtmlExample:0x0000000bb883e0>), but
looking inside the code, 'found the below JSON format.

let(:docker_credentials) do
{
docker_login_server: login_server,
docker_user: user,
docker_password: password,
docker_email: email
}

Pls correct me if I am missing something.

Thanks,
Dharmi

I've seen this happen to a good number of apps running on PWS, so it's
something you can encounter when running CF on AWS as well.

What usually happens is that the application takes significantly longer to
start, sometimes to the point where it fails to start quick enough and CF
marks it as crashed. I haven't seen it cause any NPE's though. My
understanding is that the JVM will just block until it gets the entropy it
needs.

Dan

On Wed, Aug 19, 2015 at 3:32 AM, Johannes Hiemer <jvhiemer(a)gmail.com>
wrote:

Daniel,
I have had a problem with the deployment of Spring applications on
Openstack recently as well. I am also not sure, without seeing the logs,
what could be the reason, but did you try:
http://www.evoila.de/vsphere/java-applications-not-starting-on-openstack-based-cloud-foundry-deployment/?lang=en


Regards,
Johannes

On Wed, Aug 19, 2015 at 9:28 AM, Daniel Jones <
daniel.jones(a)engineerbetter.com> wrote:

Thanks for the input, that's a good call. A colleague of mine (who is
currently on vacation) did look at that... Sadly he's not around to ask
what he tested.

On Wed, Aug 19, 2015 at 7:06 AM, Guillaume Berche <bercheg(a)gmail.com>
wrote:

Some other "state" on the dea host such has shorteage on /dev/random
(that went away with vm reconstruction but not with dea job restart) ?

Guillaume.
Le 12 août 2015 14:14, "Daniel Mikusa" <dmikusa(a)pivotal.io> a écrit :

It seems like you were pretty thorough. I can't think of anything
that would be different or that could cause symptoms like this, although I
could be overlooking something as well. Without logs / app to try and
replicate I'm not sure I can help much more. Sorry.

Perhaps someone else on the list has some thoughts?

Dan


On Wed, Aug 12, 2015 at 3:25 AM, Daniel Jones <
daniel.jones(a)engineerbetter.com> wrote:

Hi Dan,

Thanks for taking the time to reply.

I didn't include too much in the way of detail, as I was thinking
that there must be a moving part in the equation I'm blind to, in which
case that's a gap in my knowledge that I ought to fill in.

As we did `bosh recreate` on all the VMs, which fixed it` I can't go
back and fetch logs unfortunately. There's no chance of being able to
create a test case as I'm on client's time, so consider this a thought
exercise :)

The app was Spring Boot 1.2.3, pulling in Spring Boot JDBC and Spring
LDAP. Root FS was cflinuxfs2, and the Java buildpack logged the same for
both. On some failing DEAs there were no other apps, on others there were -
it didn't seem to be a factor. All DEAs had plenty of disk space.

I was wondering if there was a race condition, but I assumed Spring
contexts start single-threadedly. Do you know if that's a correct
assumption?

Do you know if there any *things* that could have been different
between the DEAs that I didn't account for? Ie another moving part that's
*not* either release, job, stemcell, droplet, root FS, app
environment?

On Tue, Aug 11, 2015 at 12:32 PM, Daniel Mikusa <dmikusa(a)pivotal.io>
wrote:

On Tue, Aug 11, 2015 at 5:15 AM, Daniel Jones <
daniel.jones(a)engineerbetter.com> wrote:

Hi all,

I've witnessed behaviour caused by the combination of a DEA and a
Spring application that I can't explain. If you like a good mystery or you
happen to know a lot about Java proxies and DEA transient state, please
read on!

A particular Spring app

Version of Spring? What parts of Spring are you pulling into the
app?

was crashing only on specific DEAs in a Cloud Foundry.

Ever try bumping up the log level for Spring when you were getting
the problem? If so, did the problem still occur? Were you able to capture
the logs?

All DEAs were from the same CF release (PCF ERT 1.5.2)
All DEAs were up-to-date according to BOSH (ie no outstanding
changes waiting to be applied)
All DEAs were deployed with identical BOSH job config
All Warden containers were using the same root FS

lucid64 or cflinuxfs2? or didn't matter?

The droplet was the same across all DEAs
The droplet version was the same
The droplet tarballs all had the same MD5 checksum

What was the output of the Java build pack when the droplet was
created? or better yet, run `cf files <app> app/.java-buildpack.log` and
include the output.

Warden was providing the exact same env and start command to all
containers
I saw the same behaviour repeat itself across 5 completely separate
Cloud Foundry installations

The crash was Spring not being able to autowire a bean, where it
was referenced by implementation rather than interface (yes, I know, but it
was not my code!).

Any chance you could include logs from the crash? Was there an
exception / stacktrace generated? Alternatively, have you been able to
create a simple test app that replicates the behavior?

There was some Javassist/CGLIB action going on, creating proxies
for the sake of transaction management.

Rebooting the troublesome DEAs did not fix the problem.

Doing a `bosh recreate` did reliably fix the problem.

Alternatively, changing the Spring code to wire by interface also
reliably fixed the problem.

I can't understand why different DEA instances, from the same BOSH
release, with the same config, on the same stemcell, running the same
version of Warden, with the same droplet, and the same root FS, and the
same env, and the same start command, yielded different behaviour. I'm even
further confused as to why a `bosh recreate` changed that behaviour. What
could possibly have changed? Something on ephemeral disk? But what else is
there on ephemeral disk that could have mattered and was likely to have
changed?

How much was on the disk? Was it getting full? How many other apps
were running on that DEA (before vs after)?

Do CGLIB/Javassist have some native dependencies that weren't in
sync between DEAs?

Anyone with a convincing explanation (that does not involve voodoo)
will receive one free beer and a high-five at the next CF Summit!

Wild guess, race condition in the code somewhere?

Dan

--
Regards,

Daniel Jones
EngineerBetter.com

--
Regards,

Daniel Jones
EngineerBetter.com

--
Mit freundlichen Grüßen

Johannes Hiemer

Daniel,
I have had a problem with the deployment of Spring applications on
Openstack recently as well. I am also not sure, without seeing the logs,
what could be the reason, but did you try:
http://www.evoila.de/vsphere/java-applications-not-starting-on-openstack-based-cloud-foundry-deployment/?lang=en


Regards,
Johannes

On Wed, Aug 19, 2015 at 9:28 AM, Daniel Jones <
daniel.jones(a)engineerbetter.com> wrote:

Thanks for the input, that's a good call. A colleague of mine (who is
currently on vacation) did look at that... Sadly he's not around to ask
what he tested.

On Wed, Aug 19, 2015 at 7:06 AM, Guillaume Berche <bercheg(a)gmail.com>
wrote:

Some other "state" on the dea host such has shorteage on /dev/random
(that went away with vm reconstruction but not with dea job restart) ?

Guillaume.
Le 12 août 2015 14:14, "Daniel Mikusa" <dmikusa(a)pivotal.io> a écrit :

It seems like you were pretty thorough. I can't think of anything that
would be different or that could cause symptoms like this, although I could
be overlooking something as well. Without logs / app to try and replicate
I'm not sure I can help much more. Sorry.

Perhaps someone else on the list has some thoughts?

Dan


On Wed, Aug 12, 2015 at 3:25 AM, Daniel Jones <
daniel.jones(a)engineerbetter.com> wrote:

Hi Dan,

Thanks for taking the time to reply.

I didn't include too much in the way of detail, as I was thinking that
there must be a moving part in the equation I'm blind to, in which case
that's a gap in my knowledge that I ought to fill in.

As we did `bosh recreate` on all the VMs, which fixed it` I can't go
back and fetch logs unfortunately. There's no chance of being able to
create a test case as I'm on client's time, so consider this a thought
exercise :)

The app was Spring Boot 1.2.3, pulling in Spring Boot JDBC and Spring
LDAP. Root FS was cflinuxfs2, and the Java buildpack logged the same for
both. On some failing DEAs there were no other apps, on others there were -
it didn't seem to be a factor. All DEAs had plenty of disk space.

I was wondering if there was a race condition, but I assumed Spring
contexts start single-threadedly. Do you know if that's a correct
assumption?

Do you know if there any *things* that could have been different
between the DEAs that I didn't account for? Ie another moving part that's
*not* either release, job, stemcell, droplet, root FS, app
environment?

On Tue, Aug 11, 2015 at 12:32 PM, Daniel Mikusa <dmikusa(a)pivotal.io>
wrote:

On Tue, Aug 11, 2015 at 5:15 AM, Daniel Jones <
daniel.jones(a)engineerbetter.com> wrote:

Hi all,

I've witnessed behaviour caused by the combination of a DEA and a
Spring application that I can't explain. If you like a good mystery or you
happen to know a lot about Java proxies and DEA transient state, please
read on!

A particular Spring app

Version of Spring? What parts of Spring are you pulling into the app?

was crashing only on specific DEAs in a Cloud Foundry.

Ever try bumping up the log level for Spring when you were getting
the problem? If so, did the problem still occur? Were you able to capture
the logs?

All DEAs were from the same CF release (PCF ERT 1.5.2)
All DEAs were up-to-date according to BOSH (ie no outstanding
changes waiting to be applied)
All DEAs were deployed with identical BOSH job config
All Warden containers were using the same root FS

lucid64 or cflinuxfs2? or didn't matter?

The droplet was the same across all DEAs
The droplet version was the same
The droplet tarballs all had the same MD5 checksum

What was the output of the Java build pack when the droplet was
created? or better yet, run `cf files <app> app/.java-buildpack.log` and
include the output.

Warden was providing the exact same env and start command to all
containers
I saw the same behaviour repeat itself across 5 completely separate
Cloud Foundry installations

The crash was Spring not being able to autowire a bean, where it was
referenced by implementation rather than interface (yes, I know, but it was
not my code!).

Any chance you could include logs from the crash? Was there an
exception / stacktrace generated? Alternatively, have you been able to
create a simple test app that replicates the behavior?

There was some Javassist/CGLIB action going on, creating proxies for
the sake of transaction management.

Rebooting the troublesome DEAs did not fix the problem.

Doing a `bosh recreate` did reliably fix the problem.

Alternatively, changing the Spring code to wire by interface also
reliably fixed the problem.

I can't understand why different DEA instances, from the same BOSH
release, with the same config, on the same stemcell, running the same
version of Warden, with the same droplet, and the same root FS, and the
same env, and the same start command, yielded different behaviour. I'm even
further confused as to why a `bosh recreate` changed that behaviour. What
could possibly have changed? Something on ephemeral disk? But what else is
there on ephemeral disk that could have mattered and was likely to have
changed?

How much was on the disk? Was it getting full? How many other apps
were running on that DEA (before vs after)?

Do CGLIB/Javassist have some native dependencies that weren't in
sync between DEAs?

Anyone with a convincing explanation (that does not involve voodoo)
will receive one free beer and a high-five at the next CF Summit!

Wild guess, race condition in the code somewhere?

Dan

--
Regards,

Daniel Jones
EngineerBetter.com

--
Regards,

Daniel Jones
EngineerBetter.com

--
Mit freundlichen Grüßen

Johannes Hiemer

Daniel,
I have had a problem with the deployment of Spring applications on
Openstack recently as well. I am also not sure, without seeing the logs,
what could be the reason, but did you try:
http://www.evoila.de/vsphere/java-applications-not-starting-on-openstack-based-cloud-foundry-deployment/?lang=en


Regards,
Johannes

On Wed, Aug 19, 2015 at 9:28 AM, Daniel Jones <
daniel.jones(a)engineerbetter.com> wrote:

Thanks for the input, that's a good call. A colleague of mine (who is
currently on vacation) did look at that... Sadly he's not around to ask
what he tested.

On Wed, Aug 19, 2015 at 7:06 AM, Guillaume Berche <bercheg(a)gmail.com>
wrote:

Some other "state" on the dea host such has shorteage on /dev/random
(that went away with vm reconstruction but not with dea job restart) ?

Guillaume.
Le 12 août 2015 14:14, "Daniel Mikusa" <dmikusa(a)pivotal.io> a écrit :

It seems like you were pretty thorough. I can't think of anything that
would be different or that could cause symptoms like this, although I could
be overlooking something as well. Without logs / app to try and replicate
I'm not sure I can help much more. Sorry.

Perhaps someone else on the list has some thoughts?

Dan


On Wed, Aug 12, 2015 at 3:25 AM, Daniel Jones <
daniel.jones(a)engineerbetter.com> wrote:

Hi Dan,

Thanks for taking the time to reply.

I didn't include too much in the way of detail, as I was thinking that
there must be a moving part in the equation I'm blind to, in which case
that's a gap in my knowledge that I ought to fill in.

As we did `bosh recreate` on all the VMs, which fixed it` I can't go
back and fetch logs unfortunately. There's no chance of being able to
create a test case as I'm on client's time, so consider this a thought
exercise :)

The app was Spring Boot 1.2.3, pulling in Spring Boot JDBC and Spring
LDAP. Root FS was cflinuxfs2, and the Java buildpack logged the same for
both. On some failing DEAs there were no other apps, on others there were -
it didn't seem to be a factor. All DEAs had plenty of disk space.

I was wondering if there was a race condition, but I assumed Spring
contexts start single-threadedly. Do you know if that's a correct
assumption?

Do you know if there any *things* that could have been different
between the DEAs that I didn't account for? Ie another moving part that's
*not* either release, job, stemcell, droplet, root FS, app
environment?

On Tue, Aug 11, 2015 at 12:32 PM, Daniel Mikusa <dmikusa(a)pivotal.io>
wrote:

On Tue, Aug 11, 2015 at 5:15 AM, Daniel Jones <
daniel.jones(a)engineerbetter.com> wrote:

Hi all,

I've witnessed behaviour caused by the combination of a DEA and a
Spring application that I can't explain. If you like a good mystery or you
happen to know a lot about Java proxies and DEA transient state, please
read on!

A particular Spring app

Version of Spring? What parts of Spring are you pulling into the app?

was crashing only on specific DEAs in a Cloud Foundry.

Ever try bumping up the log level for Spring when you were getting
the problem? If so, did the problem still occur? Were you able to capture
the logs?

All DEAs were from the same CF release (PCF ERT 1.5.2)
All DEAs were up-to-date according to BOSH (ie no outstanding
changes waiting to be applied)
All DEAs were deployed with identical BOSH job config
All Warden containers were using the same root FS

lucid64 or cflinuxfs2? or didn't matter?

The droplet was the same across all DEAs
The droplet version was the same
The droplet tarballs all had the same MD5 checksum

What was the output of the Java build pack when the droplet was
created? or better yet, run `cf files <app> app/.java-buildpack.log` and
include the output.

Warden was providing the exact same env and start command to all
containers
I saw the same behaviour repeat itself across 5 completely separate
Cloud Foundry installations

The crash was Spring not being able to autowire a bean, where it was
referenced by implementation rather than interface (yes, I know, but it was
not my code!).

Any chance you could include logs from the crash? Was there an
exception / stacktrace generated? Alternatively, have you been able to
create a simple test app that replicates the behavior?

There was some Javassist/CGLIB action going on, creating proxies for
the sake of transaction management.

Rebooting the troublesome DEAs did not fix the problem.

Doing a `bosh recreate` did reliably fix the problem.

Alternatively, changing the Spring code to wire by interface also
reliably fixed the problem.

I can't understand why different DEA instances, from the same BOSH
release, with the same config, on the same stemcell, running the same
version of Warden, with the same droplet, and the same root FS, and the
same env, and the same start command, yielded different behaviour. I'm even
further confused as to why a `bosh recreate` changed that behaviour. What
could possibly have changed? Something on ephemeral disk? But what else is
there on ephemeral disk that could have mattered and was likely to have
changed?

How much was on the disk? Was it getting full? How many other apps
were running on that DEA (before vs after)?

Do CGLIB/Javassist have some native dependencies that weren't in
sync between DEAs?

Anyone with a convincing explanation (that does not involve voodoo)
will receive one free beer and a high-five at the next CF Summit!

Wild guess, race condition in the code somewhere?

Dan

--
Regards,

Daniel Jones
EngineerBetter.com

--
Regards,

Daniel Jones
EngineerBetter.com

--
Mit freundlichen Grüßen

Johannes Hiemer