|
Re: Tomcat Internal Proxies with Load Balancer
#cf
Matthias Winzeler
Hi Jon We're facing a similar issue for which we have a PR created: https://github.com/cloudfoundry/java-buildpack/pull/546 From some informal discussions with the the buildpack maintainers, it seems like this is not gonna be merged, because they don't want to support some specific tomcat conf parameters. We were pointed to providing a custom Tomcat external configuration (as per https://github.com/cloudfoundry/java-buildpack/blob/master/docs/container-tomcat.md#external-tomcat-configuration) that could also be set as standard env group (and thus be operator-friendly), but it looks like we can not ship one external config that works for both Tomcat 7 and Tomcat 8. Be aware that this would only solve the issue for standalone Tomcat. If your apps use it in the embedded form, they still have to write custom Spring config for it. This is probably also true for other app runtimes; I know at least of .NET core which also defines 'KnownProxies. -Matthias 2018-02-15 17:15 GMT+01:00 Jon Martin <martindesignonline@...>:
We are in the process of standing up several PCF foundations in multiple locations. Each foundation is fronted by a dedicated load balancer. For Java application's we were noticing that httpRequest.getScheme() and httpRequest.getServerPort() --
|
|
|
|
Tomcat Internal Proxies with Load Balancer
#cf
We are in the process of standing up several PCF foundations in multiple locations. Each foundation is fronted by a dedicated load balancer. For Java application's we were noticing that httpRequest.getScheme() and httpRequest.getServerPort() where returning "http" and "80" respectively even though the load balancer forces the use of "https" and "443".
This led us to Tomcat's remoteIpValve documentation: https://tomcat.apache.org/tomcat-8.5-doc/api/org/apache/catalina/valves/RemoteIpValve.html In the Java Buildpack, adding an internalProxies attribute to Tomcat's RemoteIpValve with a regex that matched the ERT subnet of the foundation solved the problem. A similar approach can be used for embedded Tomcat: https://docs.spring.io/spring-boot/docs/current/reference/htmlsingle/#howto-customize-tomcat-behind-a-proxy-server The problems we're trying to solve are:
|
|
|
|
How to rotate the CA certificate of the service_cf_internal_ca
Hi,
has anyone successfully rotated the CA certificate of the service_cf_internal_ca in a cf-deployment? Are there instructions more detailed than those for consul?We are using cf-deployment at v1.14.0 and put an additional CA certificate (generated with bosh) on top of the existing CA cert. The deployment runs fine, but smoke tests fail with: Stager is unavailable: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failedMore details can be found in this bits-service story. Any help or pointers are appreciated. Regards Steffen
|
|
|
|
Invoking a cloud foundry API having Basic authentication using Autosys HTTP job
shruthi s
Hi,
I have spring boot REST API having Basic authentication hosted in cloud foundry. I am using Autosys HTTP job to call the API periodically and it is not working. The Autosys job is sending in credentials but the logs in PCF app shows null. Has anybody tried anything like this ? Any suggestions or ideas will be helpful
|
|
|
|
CAB call for February is Wednesday 02/21 @ 8a PST
Michael Maximilien
FYI...
First off, Happy Valentines Day! Second, reminder that the CAB call for February is scheduled for next Wednesday 02/21 @ 8a PST. WIP agenda in [1] but summary:
I will send one more reminder next week on this list. Zoom soon.
Best,
PS: I will be at INDEXconf all week next week in San Francisco and want to personally invite you (if around) to CF Day @ INDEX on 02/20, the day before CAB call, at the Moscone Center. We have curated a great line up of CF community speakers on various topics (see agenda: https://goo.gl/p9tKmz) and register for FREE with code: CD1CFDAY here: https://goo.gl/KxuZcF
------ dr.max ibm ☁ silicon valley, ca maximilien.org
|
|
|
|
CVE-2018-1221: Gorouter websocket handling vulnerability
Molly Crowther
Hello all, We have identified a critical-severity issue with Routing. This issue has been assigned CVE-2018-1221. The public notice can be found here: https://www.cloudfoundry.org/blog/cve-2018-1221/ Description of the exploit We have discovered a vulnerability with the websockets implementation in Gorouter. The vulnerability is exposed when:
AWS Classic ELBs do no support websocket requests in HTTP mode and so do not expose the vulnerability, while AWS ALBs (Application Load Balancer) do support websockets in HTTP mode and so expose the vulnerability. Developers with access to cf push are able to exploit this vulnerability in vulnerably installations to gather sensitive data, potentially including usernames and passwords, jwt/OAuth tokens, and UAA client ids and secrets. How to tell if your CF installation is affected Your CF installations are affected if ANY of the following are true:
How to tell if your CF installation is NOT affected Your CF installations are not affected if ANY of the following are true:
How to tell if your installation has been exploited
Next Steps
Please let the Routing team know if you have any questions or need further information. Thank you, Molly Crowther Cloud Foundry Foundation Security Team
|
|
|
|
Open Service Broker API enhancement for generic actions / extensions needs reviews
Michael Rhodes <rhodie27@...>
All,
Any service broker author, service operator or openapi expert that has some free time to look at this proposal and PR please do. It would be greatly appreciated and super helpful. We're looking to move it to validating in the next few weeks. Thanks, -- -- Michael Rhodes
|
|
|
|
Do you configure "diego.bbs.convergence.expire_pending_task_duration_in_seconds" on the Diego BBS?
Eric Malm <emalm@...>
Hi, all, Do any of you CF operators ever configure the "diego.bbs.convergence.expire_pending_task_duration_in_seconds" property on the Diego BBS? The Diego team is considering some changes to make task placement more resilient to transient lack of resources or compatible cells, and we may be interested in altering the current default value of 1800 seconds (30 minutes) for this property. Please let me know! Thanks, Eric
|
|
|
|
Re: Looking for users with user cases for HTTP/2
Shannon Coen
I should clarify that we are looking at ingress use cases initially; HTTP/2 from external clients to apps on CF. Shannon Coen Product Manager, Cloud Foundry Pivotal, Inc.
On Mon, Feb 12, 2018 at 5:41 PM, Shannon Coen <scoen@...> wrote:
|
|
|
|
Looking for users with user cases for HTTP/2
Shannon Coen
The CF Routing team has been working on a productized integration with Istio+Envoy for Cloud Foundry. One of the first features we could deliver using this integration is support for HTTP/2. We’d like to hear from users with uses case for this feature, and/or who would be willing to test the feature in an experimental stage and give us feedback. We’d like to learn:
Thank you! Shannon Coen Product Manager, Cloud Foundry Pivotal, Inc.
|
|
|
|
Re: cf deploy on openstack
Tim Downey
Hi Russell,
It sounds like something went wrong with your Cloud Controller API as it tried to start up. Since it mentions that it failed while executing one of its pre-start scripts, you can "bosh ssh" on to the failing api vm (api/215a8746-2867-415f-892b-f80be09f779c) and inspect the following log files to find out what went wrong: /var/vcap/sys/log/cloud_controller_ng/pre-start.stderr.log /var/vcap/sys/log/cloud_controller_ng/pre-start.stdout.log Hope that helps, Tim
|
|
|
|
cf deploy on openstack
Russell Blue
Hi,
I deploy cloud foundry openstack Pike. At the time of construction VMs and get error: Updating instance api: api/215a8746-2867-415f-892b-f80be09f779c (0) (canary) (00:13:04) L Error: Action Failed get_task: Task 058419ac-7dad-4183-65f0-5dc8a2c1ffba result: 1 of 7 pre-start scripts failed. Failed Jobs: cloud_controller_ng. Successful Jobs: cc_uploader, file_server, policy-server-internal, route_registrar, routing-api, consul_agent Kind Regards
|
|
|
|
Metric Drains - A New Way for App Developers to Monitor their Containers
#loggregator
In service to our mission of providing all users of Cloud Foundry observability of their systems the Loggregator team is excited to offer a new feature for App Developers to use external monitoring tools for monitoring their applications without the need for FIrehose scope. This is accomplished by the use of User Provided Syslog Drains and a new CLI Plugin and we have called the new feature Metric Drains.
Leveraging the user provided abstraction as well as the tcp based syslog:// protocol is a powerful tool for streaming data off the platform. We have plans to support more data and logs for streaming to app developers this way as well potentially other streaming formats. We'd love your feedback and ideas on either of these. A special thanks to several community members that originally suggested and voted for this feature on our github repo! Requirements: This feature still requires opt in at this time. To utilize this feature you'll need cf-deployment 1.9+ and to set the scalablesyslog.adapter.metrics_to_syslog_enabled feature flag on the cf-syslog-drain deployment.
|
|
|
|
Scheduler for PCF
#service
shruthi s
Hi,
I have a spring boot application implementing a commandline runner and terminates after the process. The main class looks like: @SpringBootApplication
public class MyClass implements CommandLineRunner{
@Override
public void run(String... strings) throws Exception {
if(strings[i].equals("A"){
do processA();
}
else if(strings[i].equals("B"){
do processB();
}
System.exit(0);
}
public static void main(String[] args) throws Exception{
SpringApplication.run(CTFRetryNotification.class, args);
}
} I run this command: java -jar executable.jar arg0 arg1 -Dspring.profiles.active=dev. It workd fine when i run the command in terminal. I am now trying to push this executable jar to PCF as an application, bind it to the scheduler and then schedule a job with command which executes the jar. I am using the below manifest file to push the app: ---
applications:
- name: my-app
memory: 1024M
host: my-app
domain: my.pcf.domain
health-check-type: process
instances: 1
timeout: 60
path: executable.jar
env:
SPRING_PROFILES_ACTIVE: dev
JBP_CONFIG_JAVA_MAIN: '{java_main_class: com.abc.MyClass}'
JBP_CONFIG_JAVA_MAIN: '{ arguments: "arg0 arg1" }'
Command to push: cf push -f manifest.yml --no-route The app starts but suddenly crashes with the following message: [API/0] [OUT] Process has crashed with type: "web"
[API/0] [OUT] App instance exited with guid 7bd4c9a8-a67e-471d-ad39-43623b6f29cd payload: {"instance"=>"d296990c-ead6-48e0-5308-3657", "index"=>0, "reason"=>"CRASHED", "exit_description"=>"Codependent step exited", "crash_count"=>2, "crash_timestamp"=>1518194091169216190, "version"=>"ed0bbd60-9e1c-4d95-97aa-b750446332d5"}
i am trying to figure out the command i can use to run the jar by using run-task command in cf cli but i cannot get it to work. cf run-task my-app '$PWD/.java-buildpack/open_jdk_jre/bin/java -Dspring.profiles.active=dev -cp $PWD/. org.springframework.boot.loader.JarLauncher arg0 arg1' This command fails " Incorrect Usage: unknown flag `c'" I tried using double quotes around the command but it fails "out of memory". Has anybody done something like this in PCF? What would be the command i can use to run the jar? Thanks in advance
|
|
|
|
Re: Should route services really need a route-app mapping?
Krannich, Bernd <bernd.krannich@...>
Hi Shannon,
Thank you very much for getting back to us on the topic. Quite a few teams here at SAP will be happy to hear about the topic and I’ll make sure to pass your update on to them.
Thanks again, Bernd
From:
<cf-dev@...> on behalf of Shannon Coen <scoen@...>
[Edited Message Follows] Currently routes are only known to Gorouter when they are mapped to an app AND the app has running instances. If the app is stopped or crashing, Gorouter will return
a 404 for the route. This is because routing configuration is passed through the Diego BBS.
|
|
|
|
CF Summit Contributor Registration Time
Chip Childers <cchilders@...>
Hey all! -- It's time again for contributors to get themselves registered for CF Summit North America in April! For those of you that have contributed to a CFF project (any repo in the cloudfoundry, cloudfoundry-incubator, cloudfoundry-attic or openservicebrokerapi GitHub orgs), we've got you covered with free registration. :) CFNA18CONT -chip Chip Childers CTO, Cloud Foundry Foundation 1.267.250.0815
|
|
|
|
Calling all CF Users!
Chip Childers <cchilders@...>
Hey all, -- Are you a CF user? If so, we want to hear from you! The CFF is running it's latest user survey to help us get to know the community better. Please take a few minutes to share your story here > https://www.surveymonkey.com/r/CFUserSurvey2018 Thanks! -chip Chip Childers CTO, Cloud Foundry Foundation 1.267.250.0815
|
|
|
|
Re: Should route services really need a route-app mapping?
Currently routes are only known to Gorouter when they are mapped to an app AND the app has running instances. If the app is stopped or crashing, Gorouter will return a 404 for the route. This is because routing configuration is passed through the Diego BBS.
We've received requests for this several times in the past; see http://cf-dev.70369.x6.nabble.com/cf-dev-Brokered-route-services-only-receiving-traffic-for-routes-mapped-to-started-apps-td4699.html#a4742. You may be happy to learn that we plan to support this use case in coming months. However, we will offer it through our integration with Istio Pilot and Envoy; we don't plan on offering it using Gorouter. One of the key differences between the current routing subsystem and our integration with Istio is that Istio will receive routes directly from Cloud Controller, while only backend IPs and ports will be obtained from Diego BBS. This will enable us to have the router (Envoy) be configured with a route that is associated with a route service but not an app. More on our initiative here: https://docs.google.com/document/d/1VldkvgWPUh13o5RCNjSvzoPFhbY9BtLqBDdk2k0z9fw/edit.
|
|
|
|
Re: Change in CF Security RSS Feed
Matthew Kocher <mkocher@...>
Thanks Chip!
On Wed, Feb 7, 2018 at 11:03 AM, Chip Childers <cchilders@...> wrote:
|
|
|
|
Re: Change in CF Security RSS Feed
Chip Childers <cchilders@...>
Redirects should be in place now and the team is now aware of the importance. Thanks for pointing this out all! On Wed, Feb 7, 2018 at 3:07 AM Lee Porte via Lists.Cloudfoundry.Org <lee.porte=digital.cabinet-office.gov.uk@...> wrote:
-- Chip Childers CTO, Cloud Foundry Foundation 1.267.250.0815
|
|
|