I am trying to enumerate all the ways I could identify all the DEA's in a
CF cluster in an IAAS agnostic way (e.g. not querying Openstack to read
metadata on the VM's that list the job type).

I think the only reliable way is to listen on NATS and look for the DEA
advertisement messages. Am I correct or is there a method I am missing (I'd
rather call and API rather than subscribe to NATS)?

Thanks,
John

What about with BOSH?

On Mon, Dec 7, 2015 at 2:17 PM, john mcteague <john.mcteague(a)gmail.com>
wrote:

I am trying to enumerate all the ways I could identify all the DEA's in a
CF cluster in an IAAS agnostic way (e.g. not querying Openstack to read
metadata on the VM's that list the job type).

I think the only reliable way is to listen on NATS and look for the DEA
advertisement messages. Am I correct or is there a method I am missing (I'd
rather call and API rather than subscribe to NATS)?

Thanks,
John

I hadnt considered that. I see that there are now docs for the BOSH api,
however is the BOSH api suited to concurrent access by multiple processes?
We are writing a component that will need to frequently validate that a
particular machine is a DEA.

I believe you could use the BOSH API:

https://bosh.io/docs/director-api-v1.html#list-vms-detailed

From: john mcteague <john.mcteague(a)gmail.com<mailto:john.mcteague(a)gmail.com>>
Reply-To: "Discussions about Cloud Foundry projects and the system overall." <cf-dev(a)lists.cloudfoundry.org<mailto:cf-dev(a)lists.cloudfoundry.org>>
Date: Monday, December 7, 2015 at 3:29 PM
To: "Discussions about Cloud Foundry projects and the system overall." <cf-dev(a)lists.cloudfoundry.org<mailto:cf-dev(a)lists.cloudfoundry.org>>
Subject: [cf-dev] Re: Re: Identifying all DEA's on a CF install

I hadnt considered that. I see that there are now docs for the BOSH api, however is the BOSH api suited to concurrent access by multiple processes? We are writing a component that will need to frequently validate that a particular machine is a DEA.

Maybe you can explain the problem you're trying to solve.

You're not just trying to find the VMs which are DEAs, you need to be able
to do this constantly and programmatically. What's the actual overall goal
here, why do you need to do this?

Thanks,
Amit

On Mon, Dec 7, 2015 at 2:38 PM, Curry, Matthew <Matt.Curry(a)allstate.com>
wrote:

I believe you could use the BOSH API:

https://bosh.io/docs/director-api-v1.html#list-vms-detailed

From: john mcteague <john.mcteague(a)gmail.com>
Reply-To: "Discussions about Cloud Foundry projects and the system
overall." <cf-dev(a)lists.cloudfoundry.org>
Date: Monday, December 7, 2015 at 3:29 PM
To: "Discussions about Cloud Foundry projects and the system overall." <
cf-dev(a)lists.cloudfoundry.org>
Subject: [cf-dev] Re: Re: Identifying all DEA's on a CF install

I hadnt considered that. I see that there are now docs for the BOSH api,
however is the BOSH api suited to concurrent access by multiple processes?
We are writing a component that will need to frequently validate that a
particular machine is a DEA.

On Mon, Dec 7, 2015 at 10:26 PM, Amit Gupta <agupta(a)pivotal.io> wrote:

What about with BOSH?

On Mon, Dec 7, 2015 at 2:17 PM, john mcteague <john.mcteague(a)gmail.com>
wrote:

I am trying to enumerate all the ways I could identify all the DEA's in
a CF cluster in an IAAS agnostic way (e.g. not querying Openstack to read
metadata on the VM's that list the job type).

I think the only reliable way is to listen on NATS and look for the DEA
advertisement messages. Am I correct or is there a method I am missing (I'd
rather call and API rather than subscribe to NATS)?

Thanks,
John

We have components that are co deployed with DEAs that form part of an
application level encryption and security framework that talk to an
external service. That service validates that requests came from a valid
DEA.

John.

Is it because you're worried about misconfiguring things so that colocated
agent starts running on a non-DEA, or are you worried about someone
deploying a malicious DEA that has that agent colocated on it?

Does it make sense to instead have some sort of mutual agent/server
authentication instead, that's a little more decoupled from the actual
knowledge of whether something is on a DEA? I.e. your auth model seems to
be something like, the incoming request IP is the IP of a known DEA. But
you could instead use some standard key-based authentication mechanism.
This is, for example, how etcd and consul clients authenticate with their
servers in a Cloud Foundry deployment.

On Tue, Dec 8, 2015 at 7:37 AM, john mcteague <john.mcteague(a)gmail.com>
wrote:

We have components that are co deployed with DEAs that form part of an
application level encryption and security framework that talk to an
external service. That service validates that requests came from a valid
DEA.

John.
On 8 Dec 2015 02:59, "Amit Gupta" <agupta(a)pivotal.io> wrote:

Maybe you can explain the problem you're trying to solve.

You're not just trying to find the VMs which are DEAs, you need to be
able to do this constantly and programmatically. What's the actual overall
goal here, why do you need to do this?

Thanks,
Amit

On Mon, Dec 7, 2015 at 2:38 PM, Curry, Matthew <Matt.Curry(a)allstate.com>
wrote:

I believe you could use the BOSH API:

https://bosh.io/docs/director-api-v1.html#list-vms-detailed

From: john mcteague <john.mcteague(a)gmail.com>
Reply-To: "Discussions about Cloud Foundry projects and the system
overall." <cf-dev(a)lists.cloudfoundry.org>
Date: Monday, December 7, 2015 at 3:29 PM
To: "Discussions about Cloud Foundry projects and the system overall." <
cf-dev(a)lists.cloudfoundry.org>
Subject: [cf-dev] Re: Re: Identifying all DEA's on a CF install

I hadnt considered that. I see that there are now docs for the BOSH api,
however is the BOSH api suited to concurrent access by multiple processes?
We are writing a component that will need to frequently validate that a
particular machine is a DEA.

On Mon, Dec 7, 2015 at 10:26 PM, Amit Gupta <agupta(a)pivotal.io> wrote:

What about with BOSH?

On Mon, Dec 7, 2015 at 2:17 PM, john mcteague <john.mcteague(a)gmail.com>
wrote:

I am trying to enumerate all the ways I could identify all the DEA's
in a CF cluster in an IAAS agnostic way (e.g. not querying Openstack to
read metadata on the VM's that list the job type).

I think the only reliable way is to listen on NATS and look for the
DEA advertisement messages. Am I correct or is there a method I am missing
(I'd rather call and API rather than subscribe to NATS)?

Thanks,
John