cloudfoundry / docs-cloudfoundry-concepts
A place for architecture and concept docs
License: Apache License 2.0
replace duildpack with buildpack
The table at http://docs.cloudfoundry.org/concepts/roles.html is currently not describing that only admins (cloudcontroller.admin scope) can act on ASG as specified in http://docs.cloudfoundry.org/adminguide/app-sec-groups.html
It would be great to make this precise.
http://docs.cloudfoundry.org/concepts/roles.html#org-roles does not mention the Billing Manager role.
Yet, as a user when I run the CLI help (cf help set-org-role), or as a developer read the API docs at http://apidocs.cloudfoundry.org, there is clearly such a role.
I think it should be included, although it should be clarified that it is only relevant if the CF comes with a billing engine (which currently only the commercial vendors like Bluemix and PWS have).
In page https://docs.cloudfoundry.org/concepts/roles.html
table "Roles and Permissions for Active Orgs"
row : “List application and service usage events” is not checked for space auditor
But I did a test, and space auditor did have the authority to execute "cf events" commands to "Show recent app events".
Is that a document error? Or is the type of "cf events" not included in the current table?
>>> cf create-user auditor xxx
Creating user auditor...
OK
TIP: Assign roles with 'cf set-org-role' and 'cf set-space-role'.
>>>cf set-org-role auditor org OrgAuditor
Assigning role OrgAuditor to user auditor in org org as admin...
OK
>>> cf set-space-role auditor org space SpaceAuditor
Assigning role RoleSpaceAuditor to user auditor in org org / space space as admin...
OK
>>> cf login -u auditor -p xxx
....
>>> cf events demoapp
Getting events for app demoapp in org org / space space as auditor...
time event actor description
2017-10-13T03:20:30.00+0800 audit.app.update admin
2017-10-13T03:20:29.00+0800 audit.app.unmap-route admin
2017-10-13T03:20:25.00+0800 audit.app.update admin
2017-10-13T03:20:25.00+0800 audit.app.unmap-route admin
2017-10-13T02:57:25.00+0800 audit.app.update admin
2017-10-13T02:57:25.00+0800 audit.app.map-route admin
2017-10-13T02:52:23.00+0800 audit.app.update admin
....
After the diagram in the "System Boundaries and Access" section of the "Cloud Foundry Security" page there is an explanation which lists the components shown, and some communications between some of them.
I believe two of them are wrong as they do not reflect what's shown on the diagram. (And one could argue they are illogical.)
Outbound NAT communicates with Hypervisor
(line 71)
BOSH Director communicates with the App Execution (Diego Cells)
(line 73)
The connections on the diagram that involve those same components are different:
In the documentation here: https://docs.pivotal.io/pivotalcf/1-7/concepts/roles.html in the chart it states that a Space Manager can CREATE a space. They cannot in 1.7. I think you're going to need to separate out the CREATE from the VIEW.
I'm using the CF REST API to upload but I don't think I'm creating the zip file correctly. What does cf push do exactly? How does it package the directory and send it to Cloud Foundry?
On the roles page, UAA is discussed before being defined. The first mention is in the text "Admin is a user role that has been assigned the cloud_controller.admin scope in UAA."
It is included in the page by a macro.
I don't think the 1 MB is correct.
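```bash
# get_random_password is the poster's own helper and is not shown on the page;
# it is assumed to print a random string of the requested length.
n=1
while true; do
  size=$(( n * 1024 ))
  # Build a single "Size: <random data>" header line in the file ./header
  echo -n "Size: " > header
  get_random_password "$size" >> header
  echo "Size: $size"
  # curl -H @file reads the header line from the file written above
  curl -q -H @header 'https://testapp.app-domain/headers' > /dev/null 2>&1
  (( n = n * 2 ))
  sleep 2
done
```
```
Size: 1024
Size: 2048
Size: 4096
Size: 8192
Size: 16384
Size: 32768
Size: 65536
Size: 131072
Size: 262144
Size: 524288
Size: 1048576
Size: 2097152
Size: 4194304
Size: 8388608
Size: 16777216
Size: 33554432
Size: 67108864
Size: 134217728
Size: 268435456
Size: 536870912
Size: 1073741824
Size: 2147483648
^C
```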
Desired outcome: Update the documentation with the actual header size.
I have a version of the docs which is only addressed at end users of my CF installation. Therefore, I don't want the adminguide in my docs. Can you please put the link to adminguide https://github.com/cloudfoundry/docs-cloudfoundry-concepts/blob/master/http-routing.html.md.erb#L77 into a variable so that I can have it point to the official CF docs instead of my own deployed one?
According to the table (https://docs.cloudfoundry.org/concepts/roles.html), the following should be able to rename a space.
A user who is a space developer, in fact, cannot rename a space, only Space and Org Manager are able to. I'm using HPE Stackato Cloud Foundry.
In https://docs.cloudfoundry.org/concepts/architecture/router.html there is a section about the access log format for the gorouter.
I created a grok filter that parses the gorouter logs in Logstash based on the given format, but it seems that the format has recently changed, specifically the "gorouter_time" and "app_time" fields were added. As a result the grok filter failed. I took a look at the gorouter repo and saw that app_time is being removed, so I am not sure whether these are temporary or permanent.
In any case, if the addition of these fields is permanent, the documentation should be updated accordingly.
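A parser that survives added trailing fields, as an added example (not code from the gorouter project or from the issue author): the positional prefix is matched strictly, while the trailing `key:value` pairs are collected generically. The positional field names, the sample lines and the position of `gorouter_time` and `app_time` in the line are assumptions made for this example.

```python
import re

Q = r'"((?:[^"\\]|\\.)*)"'  # one quoted value, tolerating backslash escapes
# Positional prefix as seen in the RTR lines quoted on this page. The field
# names are assumptions chosen for this example.
NAMES = ("host", "timestamp", "request", "status", "bytes_received",
         "bytes_sent", "referer", "user_agent", "remote_addr", "backend_addr")
PREFIX = re.compile(
    r'^(\S+) - \[([^\]]+)\] ' + Q + r' (\d{3}) (\d+) (\d+) '
    + Q + ' ' + Q + ' ' + Q + ' ' + Q)
# Trailing key:value pairs; the value is either quoted or a bare token.
PAIR = re.compile(r'([a-z0-9_]+):(?:' + Q + r'|(\S+))')


def parse_access_log(line):
    """Return a dict for one access log line, or None if the prefix is wrong."""
    m = PREFIX.match(line)
    if m is None:
        return None
    record = dict(zip(NAMES, m.groups()))
    record["status"] = int(record["status"])
    # Unknown trailing keys are collected, not rejected, so a newly added
    # field such as gorouter_time does not break parsing.
    extra = {}
    for p in PAIR.finditer(line, m.end()):
        extra[p.group(1)] = p.group(2) if p.group(2) is not None else p.group(3)
    record["extra"] = extra
    return record


def timing(record, name):
    """Numeric value of a timing field, or None when absent or malformed."""
    try:
        return float(record["extra"][name])
    except (KeyError, ValueError):
        return None


# Constructed sample lines (not taken from a real deployment). Where the two
# newer fields sit in the line is an assumption.
HEAD = ('app.example.com - [2018-07-02T10:25:08.929+0000] '
        '"GET /api/items?q=a%20b HTTP/1.1" 502 0 67 "-" "curl/7.58.0" '
        '"10.0.0.1:11871" "10.0.1.45:61006" '
        'x_forwarded_for:"10.0.2.8, 10.0.0.1" x_forwarded_proto:"https" ')
OLD_LINE = HEAD + 'response_time:300.001768516 app_id:"app-guid-1" app_index:"0"'
NEW_LINE = HEAD + ('response_time:300.001768516 gorouter_time:0.000104 '
                   'app_time:300.001664 app_id:"app-guid-1" app_index:"0"')
```

Request paths and user agents are client-controlled, so the quoted-value pattern is kept strict and a line whose prefix does not match is returned as `None` instead of being partially parsed.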
From documentation about Routing database:
Saves some routing data from Routing API. If the Gorouter misses a message about an unmapped route from NATS, it will not get it again, so TCP router and Routing API can consult routing database for current state of routes.
I am confused - is it Gorouter that stores and consults the Routing database as necessary, or is it TCP router (or both of them)?
As a CF provider, I'm using this documentation for my own book at https://github.com/swisscom/docs-appcloud-book. The else statement here: https://github.com/cloudfoundry/docs-cloudfoundry-concepts/blob/master/asg.html.md.erb#L66 requires me to have an opsguide which doesn't make sense in my case. Currently, my builds fail with the following message:
error build/concepts/asg.html
Error: Could not locate partial: ../opsguide/_default_asg
Can you please change the if/else statement so that it also works for other documentations than PCF and CF? (e.g. if vars.product_name == 'CF', elsif vars.product_name == 'PCF', else).
However, I would only see this as a workaround since I think the CF documentation shouldn't contain any PCF specific statements.
Dear CF community,
since Dynamic ASG is available, the comparison between C2C and ASG is no longer accurate? Restart of the application is not required if you run your deployment with default ASG configuration.
https://docs.cloudfoundry.org/concepts/understand-cf-networking.html#c2cvsasg
cloudfoundry/cf-deployment#957
Best regards,
K.M.
cloud-controller.html.md.erb
The entire NATs section should be removed. Cloud Controller does not use NATs for any purpose.
I have not researched out if Cloud Foundry is still using the Ruby version or if it has switched over to the Go version. The NATS release is the go version.
https://github.com/cloudfoundry/nats-release
https://docs.pivotal.io/pivotalcf/1-10/concepts/architecture/messaging-nats.html
"This information was adapted from the NATS README. NATS is a lightweight publish-subscribe and distributed queueing messaging system written in Ruby."
https://nats.io/documentation/streaming/nats-streaming-intro/
The link works, but takes you to a page pointing to https://github.com/cloudfoundry/cf-acceptance-tests
In the paragraph below, should Cloud Controller be replaced by BBS? Besides, BBS should not be described as CC's component, right?
For example, the Cloud Controller initiates a new auction when it detects that the actual number of running instances of LRPs does not match the number desired. The Cloud Controller’s BBS component monitors the number of instances of each LRP that are currently running.
"The Gorouter receives route updates though NATS. "
It should be updates "through" not updates "though"
Incomplete sentence in the "Description" column of the destination row in the table titled "The Structure and Attributes of ASGs" in the ASG docs:
A single IP address, an IP address range like 192.0.2.0-192.0.2.50, or a CIDR block to allow network access to
Per https://docs.cloudfoundry.org/concepts/roles.html#activeroles and testing; it seems odd that we can have a user with the role of Org Auditor that can retrieve all the sensitive information around events for an entire org but that same user can get a list of all the spaces in the ORG (i.e. cf curl /v3/spaces). It's like the space names in the ORG are more sensitive than the event information.
Our use case, we want a single user with ORG auditor role to be able to retrieve all the events for an ORG (doable now) and to be able to take the SPACE GUID for each event to get the SPACE NAME to include it in our daily "event report". To do the SPACE NAME part now, we have to remember to add the user account to every space.
This is for PCF v2.3 document page.
The Diego architecture diagram shows an arrow going from Diego Cell's Route Emitter to Loggregator's Doppler component. I think, this is an error. As per the document and my understanding Doppler gets logs from Metron Agent in the Diego Cell, not from Route Emitter.
The image needs to be corrected.
I think the table in https://docs.cloudfoundry.org/concepts/roles.html might be wrong in specifying that Org Manager and Space Managers can Edit and delete Spaces.
I'm using HPE Helion Stackato Cloud foundry, and as a Space manager I'm unable to delete a space. It appears only Org managers can delete spaces in an org.
I have a version of the docs which is only addressed at end users of my CF installation. Therefore, I don't want the adminguide in my docs. Can you please put the link to adminguide https://github.com/cloudfoundry/docs-cloudfoundry-concepts/blob/master/container-security.html.md.erb#L55 into a variable so that I can have it point to the official CF docs instead of my own deployed one?
I was trying to click on this link and it was broken. This is due to it referencing a main branch though the branch doesn't exist. Would you be open to a change that reverted it to master or is there a coming update to make main the primary branch?
Link sourced here:
points to: https://github.com/cloudfoundry/docs-cloudfoundry-concepts/blob/main/images/power-of-platform.png?raw=true which doesn't exist.
It seems that the instructions within Deploy UAA to Cloud Foundry may be incomplete or outdated? Some possible issues...
When testing the deployment of UAA to a Cloud Foundry installation (PWS), the specification of 512M for UAA is too low:
cf push APP-NAME -m 512M -p PATH-TO-WAR-FILE --no-start
Until pushed > 672M of memory, the logs showed insufficient memory or that UAA would not spin up as healthy:
2018-10-25T06:41:11.22-0600 [APP/PROC/WEB/0] ERR Cannot calculate JVM memory configuration: There is insufficient memory remaining for heap. Memory available for allocation 512M is less than allocated memory 672257K (-XX:ReservedCodeCacheSize=240M, -XX:MaxDirectMemorySize=10M, -XX:MaxMetaspaceSize=160257K, -Xss1M * 250 threads)
2018-10-25T07:14:21.60-0600 [HEALTH/0] ERR Failed to make TCP connection to port 8080: connection refused
2018-10-25T07:14:21.60-0600 [CELL/0] ERR Timed out after 1m0s: health check never passed.
Interacting with UAA typically requires obtaining a token from a client account. Usually this is "admin" to start with. Running UAA locally is different than running in CF, but this is not explicitly mentioned or detailed. (Which could leave the dev with a non-working UAA install when deployed to CF.)
Locally, the admin client comes from \uaa\src\main\webapp\WEB-INF\spring\oauth-clients.xml
But when running in CF, the admin client must be specified elsewhere, as oauth-clients.xml does not seem to be used.
To run remotely...
The admin secret comes from uaa_admin_client_secret in a cf-deployment according to @jhamon in Issue 620.
...or...
The admin client account can also be specified directly in uaa.yml (or an override) as specified in Issue 543.
Including instructions on how to set up the admin account for a CF deployment might be helpful.
When running locally (per \uaa\build.gradle), required_configuration.yml is used. But in a CF deployment, this file is NOT used? Which means that uaa.yml (or an override) must be re-configured in order to get a fully running UAA instance.
This seems to be an important step that could be mentioned or referred to (along with a link to some guidance).
Obviously the docs must strike a balance between highlighting the basics and diving into too much detail, but at least mentioning these steps above might save some time for others since they seem to be required.
If I am approaching the deployment of UAA to CF improperly, any correction would be appreciated.
Thanks!
I have a version of the docs which is only addressed at end users of my CF installation. Therefore, I don't want the adminguide in my docs. Can you please put the link to adminguide https://github.com/cloudfoundry/docs-cloudfoundry-concepts/blob/master/http-routing.html.md.erb#L89 into a variable so that I can have it point to the official CF docs instead of my own deployed one?
I'm a real fan of cf and just learned about mTLS, had a search for mTLS inside cf and found https://docs.cloudfoundry.org/concepts/http-routing.html#tls-to-back-end.
Since it's in the general concepts part of the webpage I got hooked and did a bit more research. As a dev I couldn't find any reference on something like "use these certs for mtls" or "here's how you get started". There are a lot of references to set it up behind the scenes but again I couldn't find a part on which certs I should host or accept.
Is this meant to be? Did I miss something?
From docs :
Download cached files Cloud Controller downloads the matched files from the blobstore to its local disk.
I believe it should be "Cloud Controller downloads the CACHED (instead of matched) files."
This is for PCF v2.3 document page.
The reference of "Executor" in CC-Uploader description is either confusing or errorful. Is this the same "Executor" component, which is inside "Rep" of a Diego Cell? If yes, then the sentence "Mediates uploads from the Executor to the Cloud Controller" does not make sense. If the reference of Executor is not the same as of the "Executor" component in "Rep" then there should be a different name/word used here to avoid confusion to the reader. A better term could be "cf CLI user".
The Diego architecture displays Consul and Consul-Agent but there is no mention of these components in the document. They either should be removed from the image or included in the document.
I think we should replace [feature flag](../adminguide/listing-feature-flags.html) in _oss_roles_table.html.md.erb with a variable from the book. I need to use this page in my docs but I have no interest in having the whole Admin Guide so I would like to replace it with the string "feature flag".
--> Let's add this as a variable as we do for vars.services_link
Hi Team,
We are facing an issue where one of the applications intermittently errors out with a 502 response some time after we start it.
Error logs are as below:
2018-06-26T17:09:30.41+0530 [RTR/3] OUT customer360.apps.scdc1.itcna.vmware.com - [2018-06-26T11:34:30.412+0000] "GET /c360/api/v4.1/customers/elaDetails?customerName=Kohl%27s%20Corporate&email=[email protected]&userType=Gloabl&userValue=Glob HTTP/1.1" 502 0 67 "-" "PostmanRuntime/7.1.1" "10.165.17.1:56975" "192.168.120.38:61012" x_forwarded_for:"10.5.73.200, 10.165.17.1" x_forwarded_proto:"https" vcap_request_id:"fd2940bb-dd8e-44fe-6439-3ab14c2b0aef" response_time:300.004082213 app_id:"574947ff-1b7f-409f-955f-442b5a1831bb" app_index:"2" x_b3_traceid:"123eb1b523776405" x_b3_spanid:"123eb1b523776405" x_b3_parentspanid:"-"
2018-07-02T15:57:59.57+0530 [APP/PROC/WEB/2] OUT 2018-07-02 03:27:59.575 INFO [customer360-stage,4ea40c11d406d160,4ea40c11d406d160,true] 16 --- [-8080-exec-7421] c.v.c.g.c.v4_1.CustomerDetailController : Inside Controller : Request received to get Customer Ela Details for Customer: [Government of the United States]
2018-07-02T15:57:59.58+0530 [RTR/1] OUT customer360.apps.scdc1.itcna.vmware.com - [2018-07-02T10:27:59.555+0000] "GET
/c360/api/v4.1/customers/elaDetails?customerName=Government%20of%20the%20United%20States&email=[email protected]&filter=&userType=GLOBAL&userValue=GLasa HTTP/1.1" 200 0 326 "-" "PostmanRuntime/6.4.1" "10.165.17.1:17957" "192.168.120.38:61012" x_forwarded_for:"10.104.24.248, 10.165.17.1" x_forwarded_proto:"https" vcap_request_id:"cee6b1e4-1a84-4b87-63e1-8a68c4984cd9" response_time:0.027781874 app_id:"574947ff-1b7f-409f-955f-442b5a1831bb" app_index:"2" x_b3_traceid:"4ea40c11d406d160" x_b3_spanid:"4ea40c11d406d160" x_b3_parentspanid:"-"
2018-07-02T15:57:59.58+0530 [RTR/1]
2018-07-02T16:00:08.93+0530 [RTR/1] OUT customer360.apps.scdc1.itcna.vmware.com - [2018-07-02T10:25:08.929+0000] "GET /c360/api/v4.1/customers/bookings/globalultimate/paretoanalysis?period=&geo=&email=[email protected]&filter=&userType=GLOBAL&userValue=GL HTTP/1.1" 502 0 67 "-" "PostmanRuntime/6.4.1" "10.165.17.1:11871" "192.168.120.45:61006" x_forwarded_for:"10.104.24.248, 10.165.17.1" x_forwarded_proto:"https" vcap_request_id:"2d246e16-43fa-4a73-6f1f-9d8102cc86d5" response_time:300.001768516 app_id:"574947ff-1b7f-409f-955f-442b5a1831bb" app_index:"0" x_b3_traceid:"331f642419f2f566" x_b3_spanid:"331f642419f2f566" x_b3_parentspanid:"-"
2018-07-02T16:00:08.93+0530 [RTR/1] OUT
Please let us know how we can fix these errors.
Best Regards
Ganesh Kumar