110 | The command map-route supports the --option flag only for new routes.
111 | To update an existing route, the command update-route must be used as described before.
APP-GUID is the GUID of your app that you recorded in an earlier step.ROUTE-HOSTNAME is the subdomain of the domain associated with the route. For example, in the route example-app.<%= vars.app_domain %>, the host name is example-app.APP-GUID is the GUID of your app that you recorded in an earlier step.PORT is the port to which the TCP route sends requests.APP-GUID is the GUID of your app that you recorded in an earlier step.ROUTE-GUID is the GUID of a route that you recorded in an earlier step.PORT is a custom port on which your app is configured to receive requests.PROTOCOL is the protocol that the route uses. For HTTP routes, this value is either http1 or http2. For TCP routes, this value is tcp.PROCESS-TYPE is the value of type that you recorded in an earlier step. This value is usually web.125 | This API call removes all destinations for a route and replaces them with the destinations you provide in the API request.
126 | 127 | ## Additional resources 128 | 129 | * For more information about making requests to the Cloud Controller API (CAPI) `apps` endpoints, see the [CAPI V3 documentation](https://v3-apidocs.cloudfoundry.org/index.html#apps). 130 | -------------------------------------------------------------------------------- /deploy-apps/_c2c_oss_enable.html.md.erb: -------------------------------------------------------------------------------- 1 | ## Activate container-to-container networking 2 | 3 | Container networking is installed by default when you install Cloud Foundry using `cf-deployment`. 4 | 5 | For instructions for using `cf-deployment`, see the [Cloud Foundry documentation](https://docs.cloudfoundry.org/deploying/cf-deployment/index.html). 6 | 7 | Container networking has properties you can configure to change the default behavior. 8 | 9 | The following table has a list of properties and instructions for editing them. 10 | 11 | For more information about container networking configuration, see [Configuration Information for Operators](https://github.com/cloudfoundry/cf-networking-release/blob/develop/docs/06-c2c.md). 12 | 13 || Container-to-container networking opsfiles | 16 |Description | 17 |
|---|---|
|
24 |
25 | The default value for iptables_logging is false.
26 | 27 | (Optional) Change the value to true to activate logging for Container-to-Container policy iptables rules.
28 | |
29 |
|
36 |
37 | The default value for iptables_logging is false.
38 | 39 | (Optional) Change the value to true to activate
40 | logging for Application Security Group (ASG) iptables rules.
41 | |
42 |
|
49 |
50 | (Optional) Enter an IP range for the overlay network. The CIDR must specify an RFC 1918 range. If you do not set a custom range, the deployment uses 10.255.0.0/16.
51 | 52 | See App Instance Communication for more information. 53 | |
54 |
| 62 | (Optional) You can manually configure the Maximum Transmission Unit (MTU) value to support additional encapsulation overhead. 63 | | 64 |
20 | curl -X POST -d 'LOG-LEVEL' localhost:PORT-NUMBER/log-level 21 |22 | 23 | The `LOG-LEVEL` is `DEBUG` or `INFO`. The `PORT-NUMBER` is `22222` unless you specified a different number when you edited the stub file in [Activate on an IaaS](#iaas). 24 |
28 | $ curl -X POST -d 'DEBUG' localhost:22222/log-level 29 |30 | 31 | To decrease the log level to `INFO`, run: 32 |
33 | $ curl -X POST -d 'INFO' localhost:22222/log-level 34 |35 | 36 | 3. The logs are available in: 37 | * **Policy Server**: `/var/vcap/sys/log/policy-server/policy-server.stdout.log` 38 | * **VXLAN Policy Agent**: `/var/vcap/sys/log/vxlan-policy-agent/vxlan-policy-agent.stdout.log` 39 | 40 | ### Activate logging for container-to-container networking policies 41 | 42 | By default, Cloud Foundry does not log iptables policy rules for Container-to-Container network traffic. You can activate logging for iptables policy rules in the manifest in [Activate on an IaaS](#iaas), or use following the steps: 43 | 44 | 1. SSH to the Diego Cell that runs the VXLAN Policy Agent. 45 | 46 | 2. To change the log level, run: 47 | 48 |
49 | curl -X PUT -d '{"enabled": BOOLEAN}' localhost:PORT-NUMBER/iptables-c2c-logging
50 |
51 |
52 | The `BOOLEAN` is `true` or `false`. The `PORT-NUMBER` is `22222` unless you specified a different number when you edited the stub file in [Activate on an IaaS](#iaas).
53 |
57 | $ curl -X PUT -d '{"enabled": true}' localhost:22222/iptables-c2c-logging
58 |
59 |
60 | To deactivate logging for iptables policy rules, run:
61 |
62 | $ curl -X PUT -d '{"enabled": false}' localhost:22222/iptables-c2c-logging
63 |
64 |
65 | 3. Find the logs in `/var/log/kern.log`.
66 |
67 | ### Use metrics to consume logs
68 |
69 | You can stream container-to-container networking component metrics with the [Loggregator Firehose](../../loggregator/architecture.html#firehose).
70 |
71 | Container-to-container networking logs use the following prefixes:
72 |
73 | * `netmon`
74 | * `vxlan_policy_agent`
75 | * `policy_server`
76 |
--------------------------------------------------------------------------------
/deploy-apps/_c2c_oss_overlay.html.md.erb:
--------------------------------------------------------------------------------
1 | ## Configure the overlay network
2 |
3 | Container-to-container networking uses an overlay network to manage
4 | communication between app instances. By default, each Diego Cell in the overlay
5 | network is allocated a /24 range that supports 254 containers per cell, one
6 | container for each of the usable IP addresses, `.1` through `.254`.
7 |
8 | For more information about the overlay network, see [Overlay
9 | network](../../concepts/understand-cf-networking.html#overlay-network) in
10 | _Container-to-container networking_.
11 |
12 | ### Understanding the Overlay Network Properties using a Pie Metaphor
13 |
14 | There are two <%= vars.app_runtime_abbr %> properties concerning the overlay
15 | network. Before going into the details of the actual <%= vars.app_runtime_abbr
16 | %> properties, let's talk about them metaphorically.
17 |
18 | Imagine the entire overlay network is a group of pies. One <%= vars.app_runtime_abbr %>
19 | property defines these pies and their sizes.
20 |
21 | The purpose of these pies are to serve the hungry, hungry Diego Cells. Each Diego
22 | Cell is hungry and needs a slice of pie. Without a slice of pie the Diego Cell
23 | cannot start because it has no energy. This is an egalitarian kitchen, so each
24 | Diego Cell must get the same size pie slice.
25 |
26 | The second <%= vars.app_runtime_abbr %> property determines the size of the pie
27 | slice that each Diego Cell is given. The smaller the slice of pie that each Diego
28 | Cell gets, the less “energy” each Diego Cell has, and thus fewer apps can run on each
29 | Diego Cell. The larger the slice of pie is that each Diego Cell gets, the more
30 | “energy” the Diego Cell has, and thus more apps can run on each Diego Cell.
31 |
32 | If the pies and their sizes stay constant, smaller slices of pie means there can be
33 | more Diego Cells (which are fed less each) and larger slices means there is a
34 | smaller number of possible Diego Cells (which are fed more each).
35 |
36 | | Pie Metaphor Property | 40 |Actual Bosh Property | 41 |Description | 42 |Default | 43 |
|---|---|---|---|
| Group of pies and their sizes | 46 |network on the silk-controller job |
47 | An list of CIDR address blocks for the overlay network provided as an
48 | array of strings. Subnets for each Diego Cell are allocated out of this
49 | network. The subnet_prefix_length property must be smaller than the
50 | smallest CIDR address block.
51 | |
52 | ["10.255.0.0/16"] |
53 |
| Slice size for each Diego Cell | 56 |"subnet_prefix_length" on the silk-controller job | 57 |The CIDR mask for each Diego Cell's individual overlay network subnet.
58 | For a /24 subnet for each Diego Cell, enter 24 This subnet must be
59 | smaller than all individual IP ranges provided in the network property.
60 | | 24 |
61 |
| Property | 114 |Value | 115 |
|---|---|
| network | 117 |["10.255.0.0/20", "10.255.96.0/21", "10.255.200.0/23", "10.255.220.0/24"] |
118 |
| subnet_prefix_length | 121 |24 |
122 |
| Invalid reason | 125 |subnet_prefix_length must be smaller than all CIDRs in the network. In this case it is the same size as 10.255.220.0/24. |
126 |
| Property | 134 |Value | 135 |
|---|---|
| network | 137 |["10.255.0.0/20", "10.255.96.0/21", "10.255.200.0/23", "10.255.220.0/32"] |
138 |
| subnet_prefix_length | 141 |24 |
142 |
| Invalid reason | 145 |subnet_prefix_length must be smaller than all CIDRs in the network. In this case it is larger than 10.255.220.0/32. |
146 |
| Property | 154 |Value | 155 |
|---|---|
| network | 157 |["10.255.0.0/20", "10.255.0.0/16"] |
158 |
| subnet_prefix_length | 161 |24 |
162 |
| Invalid reason | 165 |network must not have any overlapping IP ranges. In this case 10.255.0.0/20 is a subset of 10.255.0.0/16. |
166 |
The overlay network IP address ranges must not conflict with any other IP 177 | addresses in the network. If a conflict exists, Diego Cells cannot reach any 178 | endpoint that has a conflicting IP address.
179 | -------------------------------------------------------------------------------- /deploy-apps/_routing_conflict.html.md.erb: -------------------------------------------------------------------------------- 1 | <%=vars.product_short%> allows multiple apps, or versions of the same app, to be mapped to the same route. This feature activates blue-green deployment. For more information see [Using blue-green deployment to reduce downtime and risk](./blue-green.html). 2 | 3 | Routing multiple apps to the same route might cause undesirable behavior in some situations by routing incoming requests randomly to one of the apps on the shared route. -------------------------------------------------------------------------------- /deploy-apps/_v3-note.html.md.erb: -------------------------------------------------------------------------------- 1 |4 |
cf push APP-NAME. See push - Cloud Foundry CLI for information about this function.containers.graceful_shutdown_interval_in_seconds on the replacement jobs.
50 | <% end %>
51 | This might increase the time it takes to drain Diego Cells, which causes increased deployment time.
52 |
53 | <%= vars.app_graceful_shutdown_config %>
54 |
55 | 56 | An exception to the cases previously mentioned is when monit restarts a Diego Cell replacement or Garden server that has failed. In this case, <%= vars.app_runtime_abbr %> immediately stops the apps that are still running using SIGKILL.
57 | -------------------------------------------------------------------------------- /deploy-apps/app-ssh-overview.html.md.erb: -------------------------------------------------------------------------------- 1 | --- 2 | title: Configuring SSH access for your deployment 3 | owner: Diego 4 | --- 5 | 6 | If you need to troubleshoot an instance of an application, you can gain SSH access to the app using the SSH proxy and daemon. 7 | For example, one of the app instances might be unresponsive, or the log output from the app is inconsistent or incomplete. You can SSH into the individual VM to troubleshoot the problem instance. 8 | 9 | <%= vars.mutual_tls_ssh %> 10 | 11 | 12 | ## About SSH access 13 | 14 | The SSH system components include the SSH proxy and daemon, and the system also supports authentication and load balancing of incoming SSH traffic. For a conceptual overview, see [App SSH components and processes](../../concepts/diego/ssh-conceptual.html). 15 | 16 | 17 | ## SSH access control hierarchy 18 | 19 | Operators, space managers, and space developers can configure SSH access for <%= vars.app_runtime_abbr %>, 20 | for spaces, and for apps as described in the table: 21 | 22 || User role | 25 |Scope of SSH permissions control | 26 |How they define SSH permissions | 27 |
|---|---|---|
| Operator | 30 |Entire deployment | 31 |Configure the deployment to allow or prohibit SSH access (one-time). <%=vars.config_ssh_link%> | 32 |
| Space manager | 34 |Space | 35 |cf CLI allow-space-ssh and disallow-space-ssh commands | 36 |
| Space developer | 38 |App | 39 |cf CLI enable-ssh and disable-ssh commands | 40 |
28 | If your app uses a relational database, blue-green deployment can lead to discrepancies between your green and glue databases during an update. To maximize data integrity, configure a single database for backward and forward compatibility.
29 | 30 | 31 | ## Blue-green deployment with Cloud Foundry example 32 | 33 | For this example, consider a simple app: "demo-time." 34 | This app is a webpage that displays the words "Blue time" and the date/time on 35 | the server. 36 | 37 | ### Step 1: Push an app 38 | 39 | Use the Cloud Foundry Command Line Interface (cf CLI) to push the app. 40 | Name the app "Blue" with the subdomain "demo-time." 41 | 42 |43 | $ cf create-route example.com --hostname demo-time 44 | $ cf push Blue 45 | $ cf map-route Blue example.com --hostname demo-time 46 |47 | 48 | As shown in the graphic: 49 | 50 | * Blue is now running on Cloud Foundry. 51 | * The Cloud Foundry Router sends all traffic for `demo-time.example.com` traffic to Blue. 52 | 53 |  54 | 55 | ### Step 2: Update app and push 56 | 57 | Now make a change to the app. 58 | 1. Replace the word "Blue" on the webpage with "Green," then rebuild the source file for the app. 59 | 1. Run `cf push` again, but use the name "Green" for the app and provide a different subdomain to create a temporary route: 60 | 61 |
62 | $ cf create-route example.com --hostname demo-time-temp 63 | $ cf push Green 64 | $ cf map-route Green example.com --hostname demo-time-temp 65 |66 | 67 | After this push: 68 | 69 | * Two instances of the app are now running on Cloud Foundry: the original Blue and the updated Green. 70 | * The Cloud Foundry Router continues sending all traffic for `demo-time.example.com` to Blue. 71 | The router now also sends any traffic for `demo-time-temp.example.com` to Green. 72 | 73 |  74 | 75 | ### Step 3: Map original route to Green 76 | 77 | Now that both apps are up and running, switch the router so all incoming 78 | requests go to both the Green app and the Blue app. 79 | Use the [cf map-route](http://cli.cloudfoundry.org/en-US/cf/map-route.html) command to map the original URL route (`demo-time.example.com`) to the Green app. 80 | 81 |
82 | $ cf map-route Green example.com -n demo-time 83 | Binding demo-time.example.com to Green... OK 84 |85 | 86 | After the `cf map-route` command : 87 | 88 | * The Cloud Foundry Router continues sending traffic for `demo-time-temp.example.com` to Green. 89 | * Within a few seconds, the Cloud Foundry Router begins load balancing traffic for `demo-time.example.com` between Blue and Green. 90 | 91 |  92 | 93 | ### Step 4: Unmap route to Blue 94 | 95 | After you verify that Green is running as expected, stop routing requests to Blue 96 | using the [cf unmap-route](http://cli.cloudfoundry.org/en-US/cf/unmap-route.html) command: 97 | 98 |
99 | $ cf unmap-route Blue example.com -n demo-time 100 | Unbinding demo-time.example.com from blue... OK 101 |102 | 103 | After the `cf unmap-route` command: 104 | 105 | * The Cloud Foundry Router stops sending traffic to Blue. 106 | 107 | Now all traffic for `demo-time.example.com` is sent to Green. 108 | 109 |  110 | 111 | ### Step 5: Remove temporary route to Green 112 | 113 | You can now use `cf unmap-route` to remove the route `demo-time-temp.example.com` from Green. You can delete the route using `cf delete-route` or reserved it for later use. You can also decommission Blue, or keep it in case you need to roll back your changes. 114 | 115 |  116 | 117 | ## Implementation 118 | 119 | Cloud Foundry community members have written a plug-in to automate blue-green deployment: 120 | 121 | * [BlueGreenDeploy](https://github.com/bluemixgaragelondon/cf-blue-green-deploy): cf-blue-green-deploy is a plug-in, written in Go, for the Cloud Foundry Command Line Interface (cf CLI) that automates a few steps involved in zero-downtime deployments. 122 | -------------------------------------------------------------------------------- /deploy-apps/cf-networking.html.md.erb: -------------------------------------------------------------------------------- 1 | --- 2 | title: Configuring container-to-container networking 3 | owner: CF for VMs Networking 4 | --- 5 | 6 | 7 | The container-to-container networking feature, also known as CF Networking, allows direct network traffic between apps. For an overview of how container-to-container networking works, see [Container-to-container networking](../../concepts/understand-cf-networking.html). 8 | 9 |
10 | Container-to-container networking is not available for apps hosted on Microsoft Windows.
11 | 12 | <%= vars.app_traffic_logging %> 13 | 14 | <% if vars.platform_code == "CF" %> 15 | <%= partial 'c2c_oss_enable' %> 16 | <% end %> 17 | 18 | <% if vars.platform_code == "CF" %> 19 | <%= partial 'c2c_oss_overlay' %> 20 | <% else %> 21 | <%= partial "/pcf/core/c2c_overlay" %> 22 | <% end %> 23 | 24 | <% if vars.platform_code == "CF" %> 25 | <%= partial 'c2c_oss_logging' %> 26 | <% end %> 27 | 28 | 29 | ## Create and manage networking policies 30 | 31 | This section describes how to create and edit container-to-container networking policies using the Cloud Foundry Command Line Interface (cf CLI). 32 | 33 | <%= vars.app_man_network %> 34 | 35 | ### Prerequisites 36 | 37 | Ensure that you are using cf CLI v7 or later: 38 | 39 |40 | $ cf version 41 |42 | 43 | For more information about updating the cf CLI, see [Installing the cf CLI](../../cf-cli/install-go-cli.html). 44 | 45 | <% if vars.platform_code == "CF" || vars.platform_code == "PCF" %> 46 | 47 | ### Grant permissions 48 | 49 | Cloud Foundry admins use the following UAA scopes to grant specific users or groups permissions to configure network policies: 50 | 51 |
| UAA Scope | 54 |Suitable for… | 55 |Allows users to create policies… | 56 |
|---|---|---|
network.admin |
59 | operators | 60 |for any apps in the Cloud Foundry deployment | 61 |
network.write |
64 | space developers | 65 |for apps in spaces that they can access | 66 |
111 | $ cf add-network-policy frontend backend --protocol tcp --port 8080 112 | Adding network policy to app frontend in org my-org / space dev as admin... 113 | OK 114 |115 | 116 | <%= vars.network_policy_quota %> 117 | This limit does not apply to users with the `network.admin` scope. 118 | 119 | <%= vars.network_policy_quota_config %> 120 | 121 | ### List policies 122 | 123 | You can list all the policies in your space, or just the policies for which a single app is the source: 124 | 125 | * To list the all the policies in your space, run `cf network-policies`. 126 | 127 |
128 | $ cf network-policies 129 |130 | 131 | * To list the policies for an app, run `cf network-policies --source MY-APP`. Replace `MY-APP` with the name of your app. 132 | 133 |
134 | $ cf network-policies --source example-app 135 |136 | 137 | The following example of the `network-policy` command lists policies for the app `frontend`: 138 | 139 |
140 | $ cf network-policies --source frontend 141 | Listing network policies in org my-org / space dev as admin... 142 | 143 | source destination protocol ports destination space destination org 144 | frontend backend tcp 8080 example-space example-org 145 |146 | 147 | ### Remove a network policy 148 | 149 | To remove a policy that allows direct network traffic from an app, run: 150 | 151 | ``` 152 | cf remove-network-policy SOURCE-APP DESTINATION-APP -s DESTINATION-SPACE-NAME -o DESTINATION-ORG-NAME --protocol PROTOCOL --port RANGE 153 | ``` 154 | 155 | Where: 156 | 157 | * `SOURCE-APP` is the name of the app that sends traffic. 158 | * `DESTINATION-APP` is the name of the app that receives traffic. 159 | * `DESTINATION-SPACE-NAME` is the space of the destination app. The default is the targeted space. 160 | * `DESTINATION-ORG-NAME` is the org of the destination app. The default is the targeted org. 161 | * `PROTOCOL` is either `tcp` or `udp`. 162 | * `PORTS` are the ports connecting the apps. The allowed range is from `1` to `65535`. You can specify a single port, such as `8080`, or a range of ports, such as `8080-8090`. 163 | 164 | The `remove-network-policy` command deletes the policy that allows the `frontend` app to communicate with the `backend` app over TCP on port 8080. Here is an example: 165 | 166 |
167 | $ cf remove-network-policy frontend backend --protocol tcp --port 8080 168 | Removing network policy to app frontend in org my-org / space dev as admin... 169 | OK 170 |171 | 172 | ### Deactivate network policy enforcement 173 | 174 | You can deactivate Silk network policy enforcement between apps. Deactivating network policy enforcement allows all apps to send network traffic to all other apps in the foundation despite no policy specifically allowing it. 175 | 176 | To deactivate network policy enforcement between apps: 177 | 178 | <% if vars.platform_code == "CF" %> 179 | 180 | 1. To target your BOSH deployment, run: 181 |
182 | bosh target -e MY-ENV -d MY-DEPLOYMENT 183 |184 | Where: 185 | - `MY-ENV` is the alias you set for your BOSH Director. 186 | - `MY-DEPLOYMENT` is your deployment name. You can see your deployment name by running `bosh -e MY-ENV deployments`. 187 | 188 | 2. To download and save the BOSH manifest, run: 189 |
190 | bosh -e MY-ENV -d MY-DEPLOYMENT manifest > MY-MANIFEST.yml 191 |192 | Where `MY-MANIFEST.yml` is the name you choose for the saved manifest. 193 | 194 | 3. In your BOSH manifest, change the `disable_container_network_policy` value to `false`. 195 | 196 | 4. To redeploy BOSH using the edited BOSH manifest, run: 197 |
198 | bosh -e MY-ENV -d MY-DEPLOYMENT deploy MY-MANIFEST.yml 199 |200 | 201 | <% else %> 202 | 203 | <%= partial "/pcf/core/disable_network_policy_enforcement" %> 204 | 205 | <% end %> 206 | 207 | 208 | ## App service discovery 209 | 210 | With app service discovery, apps pushed to <%= vars.app_runtime_abbr %> can establish container-to-container communications through a known route served by internal BOSH DNS. This allows front end apps to easily connect with back end apps. 211 | 212 | <%= vars.internal_domain_config %> 213 | 214 | To establish container-to-container communications between a front end and back end app, a developer: 215 | 216 | 1. Runs a back end app that publishes a local endpoint. 217 | 1. Maps a named route to the endpoint. 218 | 1. Creates a network policy that allows direct traffic from the front end to the back end app. 219 | 1. Run the front end app. 220 | 221 | See [Cats and Dogs with Service Discovery](https://github.com/cloudfoundry/cf-networking-examples/blob/master/docs/c2c-with-service-discovery.md) in GitHub for an example, written in Go, that demonstrates communication between front end and back end apps. 222 | 223 | To use TLS developer adds a network policy for port 61443. After that the front end app can reach the back end app using HTTPS, `https://backend-app.apps.internal:61443`, for example. 224 | 225 | <% if vars.platform_code == "CF" %> 226 | 227 | ### Activate app service discovery 228 | 229 | To activate app service discovery, <%= vars.enable_c2c_discovery %>. 230 | 231 | <% end %> 232 | -------------------------------------------------------------------------------- /deploy-apps/cf-scale.html.md.erb: -------------------------------------------------------------------------------- 1 | --- 2 | title: Scaling an app using Cloud Foundry CLI (cf scale) 3 | owner: CAPI 4 | --- 5 | 6 | 7 | 8 | Factors such as user load, or the number and nature of tasks performed by an app, can change the disk space and memory the app uses. 9 | This topic describes how to scale an app using the Cloud Foundry Command Line Interface (cf CLI). 10 | For many apps, increasing the available disk space or memory can improve overall performance. 11 | Similarly, running additional instances of an app can allow the app to handle increases in user load and concurrent requests. 12 | These adjustments are called "scaling" an app. 13 | 14 | Use [cf scale](http://cli.cloudfoundry.org/en-US/cf/scale.html) to scale your app up or down to meet changes in traffic 15 | or demand. 16 | 17 | <%=vars.autoscaler_note_dev_guide%> 18 | 19 | ## Scaling horizontally 20 | 21 | Horizontally scaling an app creates or destroys instances of your app. 22 | 23 | Incoming requests to your app are automatically load balanced across all 24 | instances of your app, and each instance handles tasks in parallel with 25 | every other instance. 26 | Adding more instances allows your app to handle increased traffic and 27 | demand. 28 | 29 | Use `cf scale APP -i INSTANCES` to horizontally scale your app. 30 | Cloud Foundry increases or decreases the number of instances of your app to match `INSTANCES`. 31 | 32 |
33 | $ cf scale myApp -i 5 34 |35 | 36 |
37 | In cf CLI v7+, you can also use --process with cf scale to scale specific processes of your app.
50 | $ cf scale myApp -k 512M 51 |52 | 53 | Use `cf scale APP -m MEMORY` to change the memory limit applied to all instances 54 | of your app. 55 | `MEMORY` must be an integer followed by either an **M**, for megabytes, or 56 | **G**, for gigabytes. 57 | 58 |
59 | $ cf scale myApp -m 1G 60 |61 | -------------------------------------------------------------------------------- /deploy-apps/healthchecks.html.md.erb: -------------------------------------------------------------------------------- 1 | --- 2 | title: Using Cloud Foundry health checks 3 | owner: 4 | - CAPI 5 | - CLI 6 | --- 7 | 8 | <%= vars.app_runtime_abbr %> provides support for liveness and readiness health checks. 9 | 10 | Liveness health checks are performed to validate that app instances are running. 11 | When liveness health checks fail, the app instance is marked as crashed and is 12 | restarted. Readiness health checks are performed to validate that app instances are 13 | ready to serve requests. When readiness health checks fail, the app instance is 14 | marked as not ready and removed from the route pool for the app. 15 | 16 | You can configure a liveness health check for an app using the Cloud Foundry 17 | Command Line Interface (cf CLI) or by specifying a combination of the 18 | `health-check-http-endpoint`, `health-check-type`, 19 | `health-check-invocation-timeout`, and `health-check-interval` fields in an 20 | [app manifest](manifest.html). 21 | 22 | Readiness health checks are only configurable through the [app manifest](manifest-attributes.html#optional-attributes). 23 | To use readiness health checks, you must have: 24 | 25 | * garden-runc-release 1.37.0 26 | * diego-release 2.81.0 27 | * capi-release 1.158.0 28 | 29 | To configure a health check using the cf CLI, see: 30 | 31 | * [Configure health checks when creating or updating](#setting-health-checks) 32 | 33 | * [Configure health checks for an existing app](#set-health-checks-exist). 34 | 35 | For more information about using an app manifest to configure a health check, see these sections in _Deploying with app manifests_. 36 | 37 | * [health-check-type](manifest-attributes.html#health-check-type) 38 | * [health-check-interval](manifest-attributes.html#health-check-interval) 39 | * [health-check-http-endpoint](manifest-attributes.html#health-check-http-ep) 40 | * [health-check-invocation-timeout](manifest-attributes.html#health-check-invoc-time) 41 | 42 | * [readiness-health-check-type](manifest-attributes.html#readiness-health-check-type) 43 | * [readiness-health-check-interval](manifest-attributes.html#readiness-health-check-interval) 44 | * [readiness-health-check-http-endpoint](manifest-attributes.html#readiness-health-check-http-ep) 45 | * [readiness-health-check-invocation-timeout](manifest-attributes.html#readiness-health-check-invoc-time) 46 | 47 | App health checks function as part of the app life cycle managed by Diego architecture. For more 48 | information, see [Diego components and architecture](../../concepts/diego/diego-architecture.html). 49 | 50 | 51 | ## Configure liveness health checks when creating or updating an app 52 | 53 | To configure a health check while creating or updating an app, run: 54 | 55 | ``` 56 | cf push APP-NAME --health-check-type LIVENESS-HEALTH-CHECK-TYPE --app-start-timeout LIVENESS-HEALTH-CHECK-TIMEOUT 57 | ``` 58 | 59 | Where: 60 | 61 | * `APP-NAME` is the name of your app. 62 | 63 | * `LIVENESS-HEALTH-CHECK-TYPE` is the type of liveness health check that you want to configure. Valid health check 64 | types are `port`, `process`, and `http`. For more information, see [Health check types](#types). 65 | 66 | * `LIVENESS-HEALTH-CHECK-TIMEOUT` is the amount of time allowed to elapse between starting an app and the 67 | first healthy response. For more information, see [Health check timeouts](#health_check_timeout). 68 | 69 | For more information about the `cf push` command, see 70 | [push](http://cli.cloudfoundry.org/en-US/cf/push.html) in the Cloud Foundry CLI Reference Guide. 71 | 72 |
73 | The health check configuration that you provide with
74 | cf push overrides any configuration in the app manifest.
cf set-health-check. This option also requires restarting the app. For more information, see Apps in the Cloud Foundry CLI Reference Guide.
95 |
96 | For more information about the `cf set-health-check` command, see
97 | [set-health-check](http://cli.cloudfoundry.org/en-US/cf/set-health-check.html) in
98 | the Cloud Foundry CLI Reference Guide.
99 |
100 |
101 | After you set the health check configuration of a deployed
102 | app with the cf set-health-check command, you must restart the app for the change to
103 | take effect.
| Health check type | 132 |Recommended use case | 133 |Explanation | 134 |
|---|---|---|
http |
138 | The app can provide an HTTP 200 response. |
139 | The http health check performs a GET request to the configured HTTP endpoint
140 | on the app's default port. When the health check receives an HTTP 200 response,
141 | the app is declared healthy. <%= vars.company_name %> recommends that you use the
142 | http health check type whenever possible. A healthy HTTP response ensures that the
143 | web app is ready to serve HTTP requests. The configured endpoint must respond within one second
144 | to be considered healthy.145 | 146 | To prevent false 147 | negatives, use a dedicated endpoint for health checks where response time and result do not 148 | depend on business logic. 149 | |
150 |
port |
153 | The app can receive TCP connections, including HTTP web apps. | 154 |A health check makes a TCP connection to the port or ports configured for the app. For apps
155 | with multiple ports, a health check monitors each port. If you do not specify a health
156 | check type for your app, then monitoring uses a port health
157 | check by default. The TCP connection must be established within one second to be considered healthy. |
158 |
process |
161 | The app does not support TCP connections. An example of such an app is a worker. | 162 |For a process health check, Diego ensures that any process declared for the
163 | app stays running. If the process and all its children exit, Diego stops and deletes the app instance. |
164 |
184 | For HTTP apps, <%= vars.company_name %> recommends setting the health check type to http instead of a simple port check.
42 | Changing the timeout setting for the cf CLI does not change the timeout limit for <%= vars.app_runtime_abbr %>
43 | server-side jobs such as staging or starting apps. You must change server-side timeouts in the manifest. Because of the differences between the
44 | <%= vars.app_runtime_abbr %> and cf CLI timeout values, your app might start even though the cf CLI reports App failed. To review the status of your app, run cf apps APP-NAME, where APP-NAME is the name of your app.
| Setting | 54 |Note | 55 |
|---|---|
| App package size | 58 |Maximum: <%= vars.max_app_size_table %> | 59 |
| Authorization token grace period | 62 |Default: 20 minutes, minimum | 63 |
CF_STAGING_TIMEOUT |
66 | cf CLI environment variable
67 | 68 | Default: 15 minutes |
69 |
CF_STARTUP_TIMEOUT |
72 | cf CLI environment variable
73 | 74 | Default: 5 minutes |
75 |
cf push -t TIMEOUT |
78 | App start timeout maximum
79 | 80 | Default: 60 seconds |
81 |
| Disk space allocation | 84 |Default: 1024 MB | 85 |
| Internet connection speed | 88 |Recommended minimum: 874 KB per second | 89 |
cf push command uses the manifest.yml file in the app directory. To specify a different location for the manifest, pass its local path to the -f flag when you run cf push.
29 |
30 | 1. Add the following content to the file:
31 |
32 | ```
33 | ---
34 | applications:
35 | - name: APP-NAME
36 | ```
37 | Where `APP-NAME` is the name of your app.
38 |
39 | 2. Run:
40 |
41 | ```
42 | cf push
43 | ```
44 | If you specify any values with command-line flags, they override the values specified in the manifest. For more information, see [Deploy multiple apps with one manifest](#multi-apps).
45 |
46 | For more information about manifest format and attributes, see [App manifest attribute reference](manifest-attributes.html).
47 |
48 |
49 | ## Deploy multiple apps with one manifest
50 |
51 | This section describes how to deploy multiple apps with a minimal manifest. For more information about manifest format and attributes, see [App manifest attribute reference](manifest-attributes.html).
52 |
53 | ### General rules
54 |
55 | Follow these general rules when deploying multiple apps with one manifest:
56 |
57 | * Use a `no-route` line in the description of any app that provides background services to another app.
58 |
59 | * You cannot use any command line options with `cf push` except for `-f` and `--no-start`.
60 | * If your manifest is not named `manifest.yml` or not in the current working directory, use the `-f` command line option.
61 |
62 | * To push a single app rather than all of the apps described in the manifest, provide the app name by running `cf push APP-NAME`, where `APP-NAME` is the name of your app.
63 |
64 | * Each app must be in a subdirectory under the same parent directory.
65 |
66 | ### Procedure
67 |
68 | To deploy multiple apps with a manifest:
69 |
70 | 1. Create a `manifest.yml` file in the directory that contains the apps.
71 |
72 | 2. Add each app and its directory to the file. <%= vars.app_runtime_abbr %> pushes the apps in the order specified in the manifest. If you push multiple apps using a manifest and one fails to deploy, <%= vars.app_runtime_abbr %> does not attempt to push apps specified after the app that failed.
73 |
74 | ```
75 | ---
76 | applications:
77 | - name: APP-ONE
78 | path: ./APP-ONE-DIRECTORY
79 | - name: APP-TWO
80 | path: ./APP-TWO-DIRECTORY
81 | ```
82 |
83 | Where:
84 | APP-ONE is the name of the first app you want <%= vars.app_runtime_abbr %> to push.APP-ONE-DIRECTORY is the directory containing the first app.APP-TWO is the name of the second app you want <%= vars.app_runtime_abbr %> to push.APP-TWO-DIRECTORY is the directory containing the second app.111 | tmp 112 | log 113 |114 | 115 | The file types you might want to exclude vary, based on the app frameworks you use. For examples of commonly-used `.gitignore` files, see the [gitignore](https://github.com/github/gitignore) repository on GitHub. 116 | 117 | 118 | ## Run multiple instances to increase availability 119 | 120 | Singleton apps might become temporarily unavailable for reasons that include: 121 | 122 | * During an upgrade, <%= vars.platform_name %> gracefully shuts down the apps running on each Diego Cell 123 | and restarts them on another Diego Cell. Single app instances might become temporarily unavailable if the replacement instance does not become healthy within the Diego Cell's evacuation timeout. The default timeout is 10 minutes. 124 | 125 | * Unexpected faults in <%= vars.platform_name %> system components or underlying infrastructure, 126 | such as container-host VMs or IaaS availability zones, might cause lone app instances to disappear 127 | or become unroutable for a minute or two. 128 | 129 | To avoid the risk of an app becoming temporarily unavailable, developers can run more than one instance of the app. 130 | 131 | 132 | ## Using buildpacks 133 | 134 | A buildpack consists of bundles of detection and configuration scripts that provide framework 135 | and runtime support for your apps. 136 | When you deploy an app that requires a buildpack, <%= vars.platform_name %> installs the buildpack 137 | on the Diego Cell where the app runs. 138 | 139 | For more information, see [Buildpacks](../../buildpacks/index.html). 140 | -------------------------------------------------------------------------------- /deploy-apps/ssh-services.html.md.erb: -------------------------------------------------------------------------------- 1 | --- 2 | title: Accessing services with SSH 3 | owner: Core Services 4 | --- 5 | 6 | 7 | 8 | You can gain direct command line access to your deployed service instance using SSH. This allows you to, for example, access your database to run raw SQL commands to edit the schema, import and export data, or debug app data issues. 9 | 10 | To establish direct command line access to a service, you deploy a host app and use its SSH and port forwarding features to communicate with the service instance through the application container. The technique described here works with TCP services such as MySQL or Redis. 11 | 12 | _This topic requires Cloud Foundry Command Line Interface (cf CLI) v6.15.0 or later, but at least v7 is recommended._ 13 | 14 | <%= vars.mutual_tls_ssh %> 15 | 16 |
17 | The procedure in this topic requires use of a service key, and not all services support service keys. Some services support credentials through app binding only.
18 | 19 | 20 | ## Create a service instance 21 | 22 | 1. In your terminal window, log in to your deployment with `cf login`. 23 | 24 | 1. <%= vars.ssh_marketplace_step %> 25 | 26 |27 | $ cf marketplace 28 | <%=vars.ssh_marketplace_output %> 29 |30 | 31 | 1. Create your service instance. As part of the [create-service](http://cli.cloudfoundry.org/en-US/cf/create-service.html) command, indicate the service name, the service plan, and the name you choose for your service instance. 32 | 33 |
34 | $ cf create-service <%=vars.ssh_service %> <%=vars.ssh_service_plan %> MY-DB 35 |36 | 37 | ##Push your host app 38 | 39 | To push an app that acts as the host for the SSH tunnel, push any app that is deployed to <%= vars.app_runtime_full %>. 40 | Your app must be prepared before you push it. See Pushing an app for details about preparing apps for pushing. 41 | 42 | 1. Push your app: 43 | 44 | ```console 45 | cf push YOUR-HOST-APP 46 | ``` 47 | 48 | 2. Activate SSH for your app: 49 | 50 | ```console 51 | cf enable-ssh YOUR-HOST-APP 52 | ``` 53 | 54 | To activate SSH access to your app, SSH access must also be activated for both the space that contains the app and <%= vars.app_runtime_full %>. For more information, see App SSH Overview. 55 | 56 | ##Create your service key 57 | 58 | To establish SSH access to your service instance, you must create a service key that contains critical information for configuring your SSH tunnel. 59 | 60 | 1. Create a service key for your service instance using the [cf create-service-key](http://cli.cloudfoundry.org/en-US/cf/create-service-key.html) command. 61 | 62 | ```console 63 | cf create-service-key MY-DB EXTERNAL-ACCESS-KEY 64 | ``` 65 | 66 | 1. Retrieve your new service key using the [cf service-key](http://cli.cloudfoundry.org/en-US/cf/service-key.html) command. 67 | 68 | ```console 69 | cf service-key MY-DB EXTERNAL-ACCESS-KEY 70 | ``` 71 | 72 | For example: 73 | 74 |
75 | $ cf service-key MY-DB EXTERNAL-ACCESS-KEY
76 | Getting key EXTERNAL-ACCESS-KEY for service instance MY-DB as user@example.com
77 | <%= vars.ssh_service_access_key %>
78 |
79 |
80 |
81 | ## Configure your SSH tunnel
82 |
83 | Configure an SSH tunnel to your service instance using [cf ssh](http://cli.cloudfoundry.org/en-US/cf/ssh.html). Tailor the following example command with information from your service key.
84 | $ cf ssh -L 63306:<%= vars.ssh_service_host %>:3306 YOUR-HOST-APP85 | 86 | * You can use any available local port for port forwarding; for example, `63306`. 87 | * `<%= vars.ssh_service_host %>` is the address provided under `hostname` in the service key retrieved earlier. 88 | * `3306` is the port provided under `port`. 89 | * `YOUR-HOST-APP` is the name of your host app. 90 | 91 | After you enter the command, open another terminal and follow the steps in [Access your service instance](#access-service). 92 | 93 | 94 | ## Access your service instance 95 | 96 | To establish direct command line access to your service instance, use the relevant command line tool for that service. This example uses the MySQL command line client to access the <%= vars.ssh_service %> service instance. 97 | 98 |
99 | $ mysql -u b5136e448be920 -h 0 -p -D ad_b2fca6t49704585d -P 63306 100 |101 | 102 | * Replace `b5136e448be920` with the user name provided under `username` in your service key. 103 | * `-h 0` instructs `mysql` to connect to your local machine (use `-h 127.0.0.1` for Windows). 104 | * `-p` instructs `mysql` to prompt for a password. When prompted, use the password provided under `password` in your service key. 105 | * Replace `ad_b2fca6t49704585d` with the database name provided under `name` in your service key. 106 | * `-P 63306` instructs `mysql` to connect on port `63306`. 107 | -------------------------------------------------------------------------------- /deploy-apps/stacks.html.md.erb: -------------------------------------------------------------------------------- 1 | --- 2 | title: Changing stacks 3 | owner: 4 | - Buildpacks & Stacks 5 | - Diego 6 | - Runtime OG 7 | --- 8 | 9 | 10 | 11 | You can restage apps on a new stack. Here is a description of stacks and lists of stacks that are supported on <%= vars.current_major_version ? "#{vars.app_runtime_full} v#{vars.current_major_version}" : vars.app_runtime_full %>. 12 | 13 | To restage a Windows app on a new Windows stack, see [Changing Windows stacks](./windows-stacks.html). 14 | 15 | <% if vars.platform_code == "CF" || vars.platform_code == "PCF" %> 16 | You can also use the Stack Auditor plug-in for the Cloud Foundry Command Line Interface (cf CLI) when changing stacks. See [Using the Stack Auditor plug-in](../../adminguide/stack-auditor.html). 17 | <% else %> 18 | <% end %> 19 | 20 | ## Overview 21 | 22 | A stack is a prebuilt root file system (rootfs) that supports a specific operating system. For example, Linux-based systems need `/usr` and `/bin` directories at their root. The stack works in tandem with a buildpack to support apps running in compartments. Under Diego architecture, cell VMs can support multiple stacks. 23 | 24 |
25 | Docker apps do not use stacks.
26 | 27 | 28 | ## Available stacks 29 | 30 | <%= vars.product_short %> <%= vars.current_major_version ? "v#{vars.current_major_version}" : "" %> includes support for `cflinuxfs3`. The Linux `cflinuxfs3` stack is derived from Ubuntu Bionic 18.04. For more information about supported libraries, see the [GitHub stacks page](https://github.com/cloudfoundry/cflinuxfs3/blob/main/receipt.cflinuxfs3.x86_64). 31 | 32 | The latest versions of <%= vars.product_short %> include support for `cflinuxfs4` which is derived from Ubuntu 22.04 LTS (Jammy Jellyfish). For more information, see [GitHub cflinuxfs4 stack receipt](https://github.com/cloudfoundry/cflinuxfs4/blob/main/receipt.cflinuxfs4.x86_64). 33 | 34 | <%= vars.custom_stack %> 35 | 36 | 37 | ## Restaging apps on a new stack 38 | 39 | For security, stacks receive regular updates to address Common Vulnerabilities and Exposures ([CVEs](http://www.ubuntu.com/usn/)). Apps pick up on these stack changes through new releases of <%= vars.product_short %>. However, if your app links statically to a library provided in the rootfs, you might have to manually restage it to pick up the changes. 40 | 41 | It can be difficult to know what libraries an app statically links to, and it depends on the languages you are using. One example is an app that uses a Ruby or Python binary, and links out to part of the C standard library. If the C library requires an update, you might need to recompile the app and restage it. 42 | 43 | To restage an app on a new stack: 44 | 45 | 1. Use the `cf stacks` command to list the stacks available in a deployment. 46 | 47 |
48 | $ cf stacks
49 | Getting stacks in org MY-ORG / space development as developer@example.com...
50 | OK
51 |
52 | name description
53 | cflinuxfs3 Cloud Foundry Linux-based filesystem (Ubuntu 18.04)
54 | cflinuxfs4 Cloud Foundry Linux-based filesystem (Ubuntu 22.04)
55 |
56 |
57 | 2. To change your stack and restage your app, run:
58 |
59 | ```
60 | cf push MY-APP -s STACK-NAME
61 | ```
62 |
63 | Where:
64 | - MY-APP is the name of the app.
65 | - STACK-NAME is the name of the new stack.
66 |
67 | For example, to restage your app on the stack `cflinuxfs4`, run `cf push MY-APP -s cflinuxfs4`:
68 |
69 | $ cf push MY-APP -s cflinuxfs4
70 | Using stack cflinuxfs4...
71 | OK
72 | Creating app MY-APP in org MY-ORG / space development as developer@example.com...
73 | OK
74 | ...
75 | requested state: started
76 | instances: 1/1
77 | usage: 1G x 1 instances
78 | urls: MY-APP.cfapps.io
79 | last uploaded: Wed 17 Jul 22:57:04 UTC 2024
80 | state since cpu memory disk logging cpu entitlement details
81 | \#0 running 2024-07-17T22:57:22Z 0.3% 49.5M of 1G 130.2M of 1G 0B/s of 16K/s 2.4%
82 |
83 |
84 |
85 | ## Stacks API
86 |
87 | For API information, see the _Stacks_ section of the [Cloud Foundry API Documentation](https://v3-apidocs.cloudfoundry.org/).
88 |
--------------------------------------------------------------------------------
/deploy-apps/start-restart-restage.html.md.erb:
--------------------------------------------------------------------------------
1 | ---
2 | title: Starting, restarting, and restaging your apps
3 | owner: CLI
4 | ---
5 |
6 | You can start, restart, and restage apps in Cloud Foundry, using the cf CLI or the app manifest (attributes in a YAML file).
7 |
8 |
9 | ##Start your app
10 |
11 | To start your app, run the following command from your app root directory:
12 |
13 | $ cf push YOUR-APP14 | 15 | For more information about pushing apps, see [Pushing an app](deploy-app.html). 16 | 17 | Cloud Foundry determines the start command for your app from one of these three sources: 18 | 19 | * The `-c` command-line option in the Cloud Foundry Command Line Interface (cf CLI). For example: 20 | 21 |
$ cf push YOUR-APP -c "node YOUR-APP.js"22 | 23 | * The `command` attribute in the app manifest. For example: 24 | 25 | ```yaml 26 | command: node YOUR-APP.js 27 | ``` 28 | 29 | * The buildpack, which provides a start command appropriate for a particular type of app. 30 | 31 | The source that Cloud Foundry uses depends on factors that are explained in the next section. 32 | 33 | ###How Cloud Foundry determines its default start command 34 | 35 | The first time you deploy an app, `cf push` uses the buildpack start command by default. 36 | After that, `cf push` defaults to whatever start command was used for the previous push. 37 | 38 | To override these defaults, provide the `-c` option, or the command attribute in the manifest. 39 | When you provide start commands both at the command line and in the manifest, `cf push` ignores the command in the manifest. 40 | 41 | ###Forcing Cloud Foundry to use the buildpack start command 42 | 43 | To force Cloud Foundry to use the buildpack start command, specify a start command of `null`. 44 | 45 | You can specify a null start command in one of two ways. 46 | 47 | * Using the `-c` command-line option in the cf CLI: 48 | 49 |
$ cf push YOUR-APP -c "null"50 | 51 | * Using the `command` attribute in the app manifest: 52 | 53 | ```console 54 | command: null 55 | ``` 56 | 57 | This can be helpful after you have deployed while providing a start command at the command line or the manifest. 58 | Now a command that you provided, rather than the buildpack start command, has become the default start command. 59 | In this situation, if you decide to deploy using the buildpack start command, the `null` command simplifies that. 60 | 61 | ###Start commands when migrating a database 62 | 63 | Start commands are used in special ways when you migrate a database as part of an app deployment. For more information, see [Services overview](../../devguide/services/index.html#migrating). 64 | 65 | ##Restart your app 66 | 67 | To restart your app, run: 68 | 69 |
$ cf restart YOUR-APP70 | 71 | Restarting your app stops your app and restarts it with the already compiled droplet. A droplet is a tarball that includes: 72 | 73 | * stack 74 | * [buildpack](../../buildpacks/index.html) 75 | * app source code 76 | 77 | The Diego [cell](../../concepts/architecture/index.html#diego-cell) unpacks, compiles, and runs a droplet on a container. 78 | 79 | Restart your app to refresh the app's environment after actions such as binding a new service to the app or setting an environment variable that only the app consumes. However, if your environment variable is consumed by the buildpack in addition to the app, then you must [restage](#restage) the app for the change to take effect. 80 | 81 | ##Restage your app 82 | 83 | To restage your app, run: 84 | 85 |
$ cf restage YOUR-APP86 | 87 | Restaging your app stops your app and restages it, by compiling a new droplet and starting it. 88 | 89 | Restage your app if you have changed the environment in a way that affects your staging process, such as setting an environment variable that the buildpack consumes. Staging has access to environment variables, so the environment can affect the contents of the droplet. You must also restage your app whenever you edit any configuration settings, such as when you rename it, add metadata, or configure health checks. The new settings often do not take effect until you restage the app. 90 | 91 | Restaging your app compiles a new droplet from your app without updating your app source. If you must update your app source, re-push your app by following the steps in [Start your app](#start). 92 | -------------------------------------------------------------------------------- /deploy-apps/stop-delete.html.md.erb: -------------------------------------------------------------------------------- 1 | --- 2 | title: Stopping and deleting your apps 3 | owner: CLI 4 | --- 5 | 6 | 7 | You can stop and delete your apps using Cloud Foundry CLI commands. 8 | 9 | To run the commands shown here, you must first install the Cloud Foundry Command Line Interface (cf CLI). See the [Cloud Foundry Command Line Interface](../../cf-cli/index.html) topics for more information. 10 | 11 | ## Stop and start an app 12 | 13 | You can stop an app for many reasons. For example, stopping an app frees the memory from your quota. 14 | 15 | To stop an app, run `cf stop APP-NAME`. Replace `APP-NAME` with the name of the app you want to stop. 16 | 17 | Example: 18 |
$ cf stop my-example-app19 | 20 | Running this commands stops the app, but databases and other provisioned services still run and consume resources. Users visiting the URL of a stopped app see a `404` error message like this one: 21 | 22 | `404 Not Found: Requested route ('my-example-app.example.com') does not exist.` 23 | 24 | To start an app, run `cf start APP-NAME`. Replace `APP-NAME` with the name of the app you want to stop. 25 | 26 | Example: 27 |
$ cf start my-example-app28 | 29 | ## Delete an app 30 | 31 |
32 | Deleting an app is irreversible. We recommend that you run cf target before you start to confirm you are deleting the app from the correct org and space.
$ cf delete-service my-example-service-instance48 | 49 | ## Delete an app with no services 50 | 51 | To delete an app with no services, run `cf delete -r APP-NAME`. Replace `APP-NAME` with the name of the app. The `-r` option instructs the cf CLI to removes routes associated with the app. 52 | 53 | Example: 54 |
$ cf delete -r my-example-app55 | 56 |
57 | In cf CLI v7+, -r no longer deletes routes when the route is mapped to more than one app.
$ cf delete-route my-domain.com --hostname my-example-app71 | -------------------------------------------------------------------------------- /deploy-apps/trusted-system-certificates.html.md.erb: -------------------------------------------------------------------------------- 1 | --- 2 | title: Trusted system certificates 3 | --- 4 | 5 | As a <%= vars.platform_name %> admin, you can deploy a set of trusted system certificates. These trusted certificates are available in Linux-based app instances running on the Diego back end. Such instances include buildpack-based apps using the `cflinuxfs[3|4]` stack and Docker image-based apps. 6 | 7 | If the admin configures these certificates, they are available inside the instance containers as files with extension `.crt` in the read-only `/etc/cf-system-certificates` directory. 8 | 9 | For `cflinuxfs[3|4]`-based apps, these certificates are also installed directly in the `/etc/ssl/certs` directory, and are available to libraries such as `openssl` that respect that trust store. If the administrator configure these certificates, the location of the certificates is provided in the environment variable `CF_SYSTEM_CERT_PATH` on the instance container. 10 | -------------------------------------------------------------------------------- /deploy-apps/windows-stacks.html.md.erb: -------------------------------------------------------------------------------- 1 | --- 2 | title: Restaging your apps on a Windows stack 3 | owner: 4 | - Buildpacks 5 | - Windows 6 | --- 7 | 8 | 9 | This topic explains how you can restage apps on a new Windows stack. It also describes what stacks are and lists the supported Windows stacks on <%= vars.current_major_version ? "#{vars.windows_runtime_full} v#{vars.current_major_version}" : vars.windows_runtime_full %>. 10 | 11 | To restage a Windows app on a new Linux stack, see [Changing stacks](./stacks.html). 12 | 13 | <% if vars.platform_code == "CF" || vars.platform_code == "PCF" %> 14 | You can also use the Stack Auditor plug-in for the Cloud Foundry Command Line Interface (cf CLI) when changing stacks. See [Using the Stack Auditor plug-in](../../adminguide/stack-auditor.html). 15 | <% else %> 16 | <% end %> 17 | 18 | ## Overview 19 | 20 | A stack is a prebuilt root file system (rootfs) that supports a specific operating system. For example, Linux-based systems need `/usr` and `/bin` directories at their root and Windows needs `/windows`. The stack works in tandem with a buildpack to support apps running in compartments. Under Diego architecture, cell VMs can support multiple stacks. 21 | 22 |
23 | Docker apps do not use stacks.
24 | 25 | ## Available stacks 26 | 27 | If you push your <%= vars.windows_runtime_abbr %> <%= vars.current_major_version ? "v#{vars.current_major_version}" : "" %> app to a Windows stack, you must use `windows`. 28 | The `windows2016` stack is not supported on <%= vars.windows_runtime_abbr %>. 29 | 30 | ## Restaging apps on a new stack 31 | 32 | For security, stacks receive regular updates to address Common Vulnerabilities and Exposures ([CVEs](http://www.ubuntu.com/usn/)). Apps pick up on these stack changes through new releases of <%= vars.windows_runtime_abbr %>. However, if your app links statically to a library provided in the rootfs, you have to manually restage it to pick up the changes. 33 | 34 | It can be difficult to know what libraries an app statically links to, and it depends on the languages you are using. One example is an app that uses a Ruby or Python binary, and links out to part of the C standard library. If the C library requires an update, you might need to recompile the app and restage it. 35 | 36 | To restage an app on a new stack: 37 | 38 | 1. Use the `cf stacks` command to list the stacks available in a deployment. 39 | 40 |
41 | $ cf stacks
42 | Getting stacks in org MY-ORG / space development as developer@example.com...
43 | OK
44 |
45 | name description
46 | windows2016 Windows Server 2016
47 | windows Windows Server
48 |
49 |
50 | 2. To change your stack and restage your app, run:
51 |
52 | ```
53 | cf push MY-APP -s STACK-NAME
54 | ```
55 |
56 | Where:
57 | - MY-APP is the name of the app.
58 | - STACK-NAME is the name of the new stack.
59 |
60 | For example, to restage your app on the `windows` stack, run `cf push MY-APP -s windows`:
61 |
62 | $ cf push MY-APP -s windows
63 | Using stack windows...
64 | OK
65 | Creating app MY-APP in org MY-ORG / space development as developer@example.com...
66 | OK
67 | ...
68 | requested state: started
69 | instances: 1/1
70 | usage: 1G x 1 instances
71 | urls: MY-APP.cfapps.io
72 | last uploaded: Wed 17 Jul 22:57:04 UTC 2024
73 | state since cpu memory disk logging cpu entitlement details
74 | \#0 running 2024-07-17T22:57:22Z 0.3% 49.5M of 1G 130.2M of 1G 0B/s of 16K/s 2.4%
75 |
76 |
77 | ## Stacks API
78 |
79 | For API information, see the "Stacks" section of the [Cloud Foundry API documentation](http://apidocs.cloudfoundry.org).
80 |
--------------------------------------------------------------------------------
/egress-policies.html.md.erb:
--------------------------------------------------------------------------------
1 | ---
2 | title: Topic does not exist
3 | owner: CF for VMs Networking
4 | ---
5 |
6 | <% if vars.platform_code == "CF" %>
7 |
8 | The topic that you were looking for, titled _Administering Dynamic Egress Policies_, does not exist.
9 |
10 | The feature this topic covers is removed.
11 |
12 | <% else %>
13 |
14 | The topic that you were looking for does not exist in this version of the <%= vars.product_full %> documentation.
15 | The feature this topic covers is removed.
16 |
17 | The topic _Administering Dynamic Egress Policies_ is available in <%= vars.product_full %> v2.10.
18 |
19 | <% end %>
20 |
--------------------------------------------------------------------------------
/http2-protocol.html.md.erb:
--------------------------------------------------------------------------------
1 | ---
2 | title: Routing HTTP/2 and gRPC traffic to apps
3 | owner: CF for VMs Networking
4 | ---
5 |
6 | Here are instructions for routing HTTP/2 and gRPC traffic to <%= vars.app_runtime_first %> apps.
7 | HTTP/2 is the second major version of the the HTTP protocol.
8 | <%= vars.http2_support_version %>
9 |
10 | For more information about the HTTP/2 protocol, see [RFC 7540](https://datatracker.ietf.org/doc/html/rfc7540).
11 |
12 | gRPC is a Remote Procedure Call (RPC) framework that uses HTTP/2 as its transport medium.
13 | It is especially useful for managing communication between apps in a microservices cluster.
14 | For apps to serve gRPC traffic, every network hop between the client and app must use HTTP/2.
15 |
16 | For more information, see [gRPC](https://grpc.io/).
17 |
18 | ## Performance
19 |
20 | HTTP/2 can provide performance improvements for apps that are built to:
21 |
22 | - Load many resources in parallel. For example, an HTML page that loads many images or JavaScript files.
23 | - Use large and repetitive headers.
24 |
25 | Other apps might see minimal or no performance increases.
26 | Experiment with your app to see how serving HTTP/2 affects its performance.
27 |
28 | For an example of an app that benefits from HTTP/2, see the [Cloud Foundry HTTP/2 Tile Demo App](https://github.com/Gerg/http2_tile_demo).
29 |
30 | ### Limitations
31 |
32 | HTTP/2 support in <%= vars.app_runtime_abbr %> has these limitations:
33 |
34 | - End-to-end HTTP/2 is not available for Windows Diego Cells. Routes with HTTP/2 mappings continue to send HTTP/1.1 traffic to apps that run on Windows Diego Cells.
35 | - Routes that have route services bound to them might not support end-to-end HTTP/2 depending on what protocols the bound service supports. For more information, see [Route services](../services/route-services.html).
36 |
37 | ## How pushing apps with HTTP/2 works
38 |
39 | If your <%= vars.app_runtime_abbr %> deployment is configured to support HTTP/2,
40 | then all traffic coming in to <%= vars.app_runtime_abbr %> supports HTTP/2.
41 | The traffic is forwarded as HTTP/1.1 before it reaches your app unless configured otherwise.
42 |
43 | <% if vars.platform_code != 'CF' %>
44 | For more information, see [Configuring HTTP/2 support](https://docs.vmware.com/en/VMware-Tanzu-Application-Service/<%= vars.current_major_version %>/tas-for-vms/supporting-http2.html).
45 | <% end %>
46 |
47 | To serve gRPC traffic, your app must use HTTP/2 for all network hops.
48 | Configure your route to send HTTP/2 traffic to your app.
49 | When configured, traffic that matches the route is always sent to your app over HTTP/2 regardless of the original ingress protocol.
50 |
51 | For example, external HTTP/1.1 requests are forwarded to your app over HTTP/2.
52 | Your app does not have the opportunity to negotiate what protocol it receives.
53 |
54 | If a client is familiar with the HTTP/2 specification,
55 | your app receives HTTP/2 with prior knowledge.
56 | For more information, see [Starting HTTP/2 with Prior Knowledge](https://datatracker.ietf.org/doc/html/rfc7540#section-3.4) in _RFC 7540: Hypertext Transfer Protocol Version 2 (HTTP/2)_.
57 |
58 |
59 | ## Push apps with HTTP/2 support
60 |
61 | This section describes how to push <%= vars.app_runtime_abbr %> apps with support for HTTP/2.
62 |
63 | You do not need to make changes to existing apps to support HTTP/2.
64 | For information about pushing an HTTP/1.1 app that serves HTTP/2 traffic, see [Push an HTTP/1.1 App that Serves HTTP/2](#http1-app).
65 |
66 | There are multiple ways to push an app with end-to-end HTTP/2.
67 | You can push the app using either the app manifest or the Cloud Foundry Command Line Interface (cf CLI).
68 | You can also use either method to push an app that serves gRPC traffic.
69 |
70 | To push an app with end-to-end HTTP/2, see:
71 |
72 | - [Push an app with end-to-end HTTP/2 using the app manifest](#e2e-manifest)
73 | - [Push an app with end-to-end HTTP/2 using the cf CLI](#e2e-cli)
74 | - [Push a gRPC app](#grpc-app)
75 |
76 | ### Push an HTTP/1.1 app that serves HTTP/2
77 |
78 | To push an HTTP/1.1 app that can serve HTTP/2 traffic:
79 |
80 | 1. Push the HTTP/1.1 app by running:
81 |
82 | ```console
83 | cf push MY-APP
84 | ```
85 | Where `MY-APP` is the name of your app.
86 |
87 | 1. Send an HTTP/2 request to the app by running:
88 |
89 | ```
90 | curl MY-APP.EXAMPLE.COM --http2 -v
91 | ```
92 | Where `MY-APP.EXAMPLE.COM` is the route mapped to your app.
96 | To issue this request, you must use a version of curl that supports HTTP/2.
147 | The following procedure is supported only for cf CLI v6. The --hostname flag is deprecated in cf CLI v7, and must be specified in the manifest.
APP-NAME is the name of your app.PROCESS-NAME is the name of the process you want to scale.INSTANCE-COUNT is the number of instances to which you want to scale the process.99 | Showing health and status for app example-app in org test / space test as admin... 100 | 101 | name: example-app 102 | requested state: started 103 | routes: example-app.cloudfoundry.example.com 104 | last uploaded: Wed 17 Jul 22:57:04 UTC 2024 105 | stack: cflinuxfs3 106 | buildpacks: 107 | name version detect output buildpack name 108 | ruby_buildpack 1.8.57 ruby ruby 109 | 110 | type: web 111 | sidecars: 112 | instances: 1/1 113 | memory usage: 1024M 114 | state since cpu memory disk logging cpu entitlement details 115 | #0 running 2024-07-17T22:57:22Z 0.3% 49.5M of 1G 130.2M of 1G 0B/s of 16K/s 2.4% 116 | 117 | type: worker 118 | sidecars: 119 | instances: 2/2 120 | memory usage: 1024M 121 | state since cpu memory disk logging cpu entitlement details 122 | #0 running 2024-07-17T22:57:22Z 0.3% 49.5M of 1G 130.2M of 1G 0B/s of 16K/s 2.4% 123 | #0 running 2024-07-17T22:57:22Z 0.3% 49.5M of 1G 130.2M of 1G 0B/s of 16K/s 2.4% 124 |125 | 126 |
127 | To avoid security exposure, ensure that you migrated your apps and custom buildpacks to use the cflinuxfs4 stack based on Ubuntu 22.04 LTS (Jammy Jellyfish). The cflinuxfs3 stack is based on Ubuntu 18.04 (Bionic Beaver), which reaches end of standard support in April 2023.
| Resource | 27 |Description | 28 |Commands | 29 |
|---|---|---|
| App | 32 |The top-level resource that represents an app and its configuration. 33 | For more information, see Apps in the CAPI documentation. |
34 |
35 |
|
41 |
| Package | 44 |The source code that makes up an app. 45 | For more information, see Packages in the CAPI documentation. |
46 |
47 |
|
52 |
| Build | 55 |Staging the app. Creating a build combines a Package with a Buildpack and builds it into an executable resource, called a Droplet. 56 | For more information, see Builds in the CAPI documentation. |
57 |
58 |
|
62 |
| Droplet | 65 |An executable resource that results from a Build. 66 | For more information, see Droplet in the CAPI documentation. |
67 |
68 |
|
74 |
| Manifest | 77 |A file used when pushing your app to apply bulk configuration to an app and its underlying processes. 78 | For more information, see Space Manifest in the CAPI documentation. |
79 |
80 |
|
85 |
114 | Uploading and creating bits package for app APP-NAME in org test / space test as admin... 115 | package guid: 0dfca85a-8ed4-4f00-90d0-3ab08852dba8 116 | OK 117 |118 | 119 | 1. Stage the package you created: 120 | 121 | ``` 122 | cf stage-package APP-NAME --package-guid PACKAGE-GUID 123 | ``` 124 | Where: 125 |
APP-NAME is the name of your app.PACKAGE-GUID is the package GUID you recorded in an earlier step.133 | Staging package for APP-NAME in org test / space test as admin... 134 | ... 135 | Package staged 136 | droplet guid: f60d3464-415a-4202-9d40-26a70373a487 137 | state: staged 138 | created: Mon 25 Sep 16:37:45 PDT 2018 139 |140 | 141 | 4. Assign the droplet to your app: 142 | 143 | ``` 144 | cf set-droplet APP-NAME DROPLET-GUID 145 | ``` 146 | Where: 147 |
APP-NAME is the name of your app.DROPLET-GUID is the droplet GUID you recorded in an earlier step.175 | Listing droplets of app APP-NAME in org test / space test as admin... 176 | 177 | guid state created 178 | 66524145-5502-40e6-b782-47fe68e13c49 staged Mon 25 Sep 16:37:34 PDT 2018 179 | 0677ad93-9f77-4aaa-9a6b-44da022dcd58 staged Mon 25 Sep 16:44:55 PDT 2018 180 |181 | 182 | 1. Stop your app: 183 | 184 | ``` 185 | cf stop APP-NAME 186 | ``` 187 | 188 | If you wish to avoid incurring downtime when changing your droplet, 189 | consider using [Rolling deployments](./deploy-apps/rolling-deploy.html) 190 | instead of stopping and starting your app. 191 | 192 | 1. Set the app to use the previous droplet: 193 | 194 | ``` 195 | cf set-droplet APP-NAME PREVIOUS-DROPLET-GUID 196 | ``` 197 | Where: 198 |
APP-NAME is the name of your app.PREVIOUS-DROPLET-GUID is the droplet GUID you recorded in an earlier step.12 | CAPI v3 is the recommended API version for revisions. While revisions work with CAPI v2, there are several inconsistencies. For example, revision descriptions for apps with multiple processes can be inaccurate because CAPI v2 does not support apps with multiple processes. Additionally, pushing an app for the first time with revisions in CAPI v2 creates two revisions.
13 | 14 | 15 | ## Overview 16 | 17 | Every <%= vars.platform_name %> app has a name. 18 | When you first deploy an app, <%= vars.platform_name %> gives it the revision version number `1`. 19 | When you re-deploy the app under the same name, for example as an update, <%= vars.platform_name %> increments its version number and saves the old version. 20 | 21 | This saved application history is used by the `revisions` and `revision` CAPI endpoints and cf CLI commands to let you: 22 | 23 | * **View revisions for an app:** To help you understand how your app has changed over time. 24 | 25 | * **Roll back to a previous revision:** To deploy a version of the app that you had running previously without needing to track that previous state yourself or have multiple apps running. When roll back an app, the specified revision deploys as the new current version of your app. 26 | 27 | > **Note** The `cf revision` command takes a `--version` flag to specify a version number, but the command's output lists the same number as its `revision`. 28 | 29 | ### When current app revision changes 30 | 31 | The app's revision version number increments when: 32 | 33 | * A new droplet is deployed for an app. 34 | * An app is deployed with `--strategy rolling` or `--strategy canary` as described in [Configuring app deployments](./deploy-apps/rolling-deploy.html). 35 | * An app is deployed with a new environment variables. 36 | * An app is deployed with a new or changed custom start command. 37 | * An app rolls back to a prior revision. 38 | - In this case, the newly-running version is identical to the specified old version. 39 | 40 | By default, CAPI retains a maximum of 100 revisions per app. 41 | 42 | ### Revision descriptions 43 | 44 | Each revision includes a description of what changed in your app at the time the revision was created. The description includes one or more of these descriptions: 45 | 46 | * `Process type removed` 47 | * `New process type added` 48 | * `Rolled back to revision X` 49 | * `Custom start command removed` 50 | * `Custom start command updated` 51 | * `Custom start command added` 52 | * `New environment variables deployed` 53 | * `New droplet deployed` 54 | 55 | ### Droplet storage considerations 56 | 57 | By default, <%= vars.platform_name %> retains the five most recent staged droplets in its droplets bucket. This means that you can roll back to revisions as long as they are using one of those five droplets. Not all revisions include a change in droplet. 58 | 59 | <% if vars.platform_code == "CF" || vars.platform_code == "PCF" %> 60 | Operators can configure <%= vars.platform_name %> to retain more droplets if necessary using the <%= vars.droplet_config %> 61 | <% end %> 62 | 63 | 64 | ## View revisions 65 | 66 | This section describes how to use CAPI endpoints for viewing revisions. 67 | 68 | ### List revision history for an app 69 | 70 | To list both current and stopped revisions for an app: 71 | 72 | * Using the `revisions` command: 73 | 74 | ``` 75 | cf revisions APP-NAME 76 | ``` 77 | Where `APP-NAME` is the name of your app. 78 | 79 | * Using the `curl` command: 80 | 81 | 1. Retrieve the GUID of the app by running: 82 | 83 | ``` 84 | cf app APP-NAME --guid 85 | ``` 86 | Where `APP-NAME` is the name of your app. 87 | 88 | 1. Run: 89 | 90 | ``` 91 | cf curl /v3/apps/GUID/revisions 92 | ``` 93 | Where `GUID` is the GUID you retrieved in an earlier step. 94 | 95 | ### Get an app's current revision(s) 96 | 97 | The current revision of an app is its currently-deployed, running revision, linked to started processes. There may be multiple currently running revisions during an active canary or rolling deployment. To list an app's current revision(s): 98 | 99 | * Using the `revision` command: 100 | 101 | ``` 102 | cf revision APP-NAME 103 | ``` 104 | Where `APP-NAME` is the name of your app. 105 | 106 | * Using the `curl` command 107 | 108 | 1. Retrieve the GUID of the app by running: 109 | 110 | ``` 111 | cf app APP-NAME --guid 112 | ``` 113 | Where `APP-NAME` is the name of your app. 114 | 115 | 1. Run: 116 | 117 | ``` 118 | cf curl /v3/apps/GUID/revisions/deployed 119 | ``` 120 | Where `GUID` is the GUID you retrieved in an earlier step. 121 | 122 | When the current app is still deploying or is in a `stopped` state, the command output states, `It is not possible to show which revision is currently deployed.` 123 | 124 | 125 | ### Retrieve a revision 126 | 127 | To retrieve a revision: 128 | 129 | * Using the `revision` command: 130 | 131 | ``` 132 | cf revision APP-NAME --version VERSION 133 | ``` 134 | Where `APP-NAME` is the name of your APP and `VERSION` is the revision version. 135 | 136 | * Using the `curl` command: 137 | 138 | 1. Run: 139 | 140 | ``` 141 | cf curl /v3/revisions/GUID 142 | ``` 143 | Where `GUID` is the GUID of the revision. 144 | 145 | 146 | ## Roll back to a previous revision 147 | 148 | To roll back to a previous revision: 149 | 150 | * Using the `rollback` command: 151 | 152 | ``` 153 | cf rollback APP-NAME --version VERSION 154 | ``` 155 | Where `APP-NAME` is the name of your APP and `VERSION` is the revision version you want to rollback to. 156 | 157 | * Using `curl` command: 158 | 159 | 1. Retrieve the GUID of the app: 160 | 161 | ``` 162 | cf app APP-NAME --guid 163 | ``` 164 | Where `APP-NAME` is the name of your app. 165 | 166 | 1. Retrieve the GUID of the revision. See [Retrieve a revision](#get). 167 | 168 | 1. Create a deployment using CAPI by running: 169 | 170 | ``` 171 | cf curl v3/deployments \ 172 | -X POST \ 173 | -d '{ 174 | "revision": { 175 | "guid": "REVISION-GUID" 176 | }, 177 | "relationships": { 178 | "app": { 179 | "data": { 180 | "guid": "APP-GUID" 181 | } 182 | } 183 | } 184 | }' 185 | ``` 186 | 187 | Where: 188 |REVISION-GUID is the GUID of the revision.APP-GUID is the GUID of the app.
61 | The Fluentd syslog input plug-in supports tls and tcp options. You must use the same transport that Cloud Foundry is using.
16 | For a service to be available in the Marketplace, it must be integrated with Cloud Foundry by way of APIs. <%= vars.custom_services %>
17 | 18 | ### User-provided service instances 19 | 20 | Cloud Foundry allows developers to use services that are not available in the Marketplace using user-provided service instances (UPSI). For more information, see [User-provided service instances](./user-provided.html) 21 | 22 | 23 | ## Service instance credentials 24 | 25 | Cloud Foundry allows users to provision credentials needed to interface with a service instance. You can use app binding to deliver these credentials to your Cloud Foundry app. For external and local clients, you can use service keys to generate credentials to communicate directly with a service instance. 26 | 27 | ### App binding 28 | 29 | Service instance credentials can be delivered to apps running on Cloud Foundry in an environment variable. For more information, see [Delivering service credentials to an app](./application-binding.html). 30 | 31 | For information about binding to a specific app development framework, see [Buildpacks](../../buildpacks/index.html). 32 | 33 | ### Service keys 34 | 35 | Credentials managed manually are known as service keys. Use service keys when you want a set of credentials for use by clients other than the app in the same space. For example, you can use service keys to connect to a service instance from a local client, or from an app in another space, or even from outside of Cloud Foundry. 36 | 37 | For more information about creating a user-provided service instance with service keys, see [User-provided service instances](./user-provided.html). For more information about service keys, see [Managing service keys](./service-keys.html). 38 | 39 |40 | Not all services support service keys. Some services support credentials through app binding only.
41 | 42 | 43 | ## Outbound IP addresses 44 | 45 | To allow an app to communicate with a service external to <%= vars.product_short %>, you might need to configure the service to accept connections from your app based on its outbound IP address. 46 | 47 | In your external service configuration, you must do one of the following: 48 | 49 | * Add the entire IP range for the Diego Cell where the app is deployed to your allowlist. 50 | * Derive the app IP address from its DNS name using a command-line tool such as `dig`, `host`, or `nslookup`. In your external service configuration, add the IP address or range of the app instance to your allowlist. 51 | 52 | 53 | ## Stream app logs to log management services 54 | 55 | To learn how your app logs can be streamed to third-party log management services, see [Streaming app logs to log management services](./log-management.html). 56 | 57 | User-provided service instances can be used to drain app logs to a service not available in the Marketplace. This is also known as setting up a syslog drain. For guidance on configuring some third-party log management services, see [Service-specific instructions for streaming app logs](./log-management-thirdparty-svc.html). 58 | 59 | 60 | ## Manage app requests with route services 61 | 62 | To learn how Marketplace services (and user-provided service instances) can be used to perform preprocessing on app requests, see [Managing app requests with route services](./route-binding.html). 63 | 64 | 65 | ## Migrate a database schema 66 | 67 | If your app relies on a relational database, you must apply schema changes periodically. To perform database schema migrations on Cloud Foundry-managed services, run a database migration task with the Cloud Foundry Command Line Interface (cf CLI) tool. 68 | 69 | For more information about running cf CLI tasks, see [Running tasks in your apps](../using-tasks.html). 70 | 71 |72 | To run tasks with the cf CLI, you must install cf CLI v6.23.0 or later. The current supported version is cf CLI v8. For information about downloading, installing, and uninstalling the cf CLI, see the Installing the cf CLI.
73 | 74 | To do a database schema migration with cf CLI: 75 | 76 | 1. Push the app: 77 |$ cf push APP-NAME78 | 79 | Where `APP-NAME` is the name of the app. 80 | 81 |
82 | To run a task without starting the app, push the app with cf push -i 0 and then run the task. You can run the app later by scaling up its instance count.
86 | $ cf run-task APP-NAME --command "bin/rails db:migrate" --name TASK-NAME 87 | Creating task for app APP-NAME in org jdoe-org / space development as jdoe@pivotal.io... 88 | OK 89 | Task 1 has been submitted successfully for execution. 90 |91 | 92 | Where: 93 | - `APP-NAME` is the name of the app. 94 | - `TASK-NAME` is the name of the task. 95 | -------------------------------------------------------------------------------- /services/integrate-splunk.html.md.erb: -------------------------------------------------------------------------------- 1 | --- 2 | title: Streaming app logs to Splunk 3 | owner: PCF Metrics 4 | --- 5 | 6 | 7 | 8 | You can follow the steps here to integrate Cloud Foundry with Splunk Enterprise for logging. 9 | 10 | 11 | ## Step 1. Create a Cloud Foundry syslog drain for Splunk 12 | 13 | In Cloud Foundry, create a syslog drain user-provided service instance as 14 | described in [Using third-party log management services](./log-management.html). 15 | 16 | Choose one or more apps whose logs you want to drain to Splunk 17 | through the service. 18 | 19 | Bind each app to the service instance and restart the app. 20 | 21 | Note the GUID for each app, the IP address of the Loggregator host, and the 22 | port number for the service. 23 | Locate the port number in the syslog URL. 24 | For example: 25 | 26 | `syslog://logs.example.com:1234` 27 | 28 | ## Step 2. Prepare Splunk for Cloud Foundry 29 | 30 | For detailed information about the following tasks, see the [Splunk documentation](http://docs.splunk.com/Documentation/Splunk). 31 | 32 | ### Install the RFC5424 syslog technology add-on 33 | 34 | The Cloud Foundry Loggregator component formats logs according to the syslog 35 | protocol defined in [RFC 5424](http://tools.ietf.org/html/rfc5424). 36 | Splunk does not parse log fields according to this protocol. 37 | To allow Splunk to correctly parse RFC 5424 log fields, install the Splunk 38 | [RFC5424 Syslog technical add-on](http://apps.splunk.com/app/978/). 39 | 40 | ### Patch the RFC5424 syslog technology add-on 41 | 42 | 1. SSH into the Splunk VM 43 | 1. Replace `/opt/splunk/etc/apps/rfc5424/default/transforms.conf` with a new 44 | `transforms.conf` file that consists of the following text: 45 | 46 |
47 | [rfc5424_host]
48 | DEST_KEY = MetaData:Host
49 | REGEX = <\d+>\d{1}\s{1}\S+\s{1}(\S+)
50 | FORMAT = host::$1
51 |
52 | [rfc5424_header]
53 | REGEX = <(\d+)>\d{1}\s{1}\S+\s{1}\S+\s{1}(\S+)\s{1}(\S+)\s{1}(\S+)
54 | FORMAT = prival::$1 appname::$2 procid::$3 msgid::$4
55 | MV_ADD = true
56 |
57 |
58 | 1. Restart Splunk
59 |
60 | ### Create a TCP syslog data input
61 |
62 | Create a TCP syslog data input in Splunk, with the following settings:
63 |
64 | * **TCP port** is the port number you assigned to your log drain service
65 | * **Set sourcetype** is `Manual`
66 | * **Source type** is `rfc5424_syslog` (type this value into text field)
67 | * **Index** is the index you created for your log drain service
68 |
69 | Your Cloud Foundry syslog drain service is now integrated with Splunk.
70 |
71 | ## Step 3. Verify that the integration was successful
72 |
73 | Use Splunk to run a query of the form:
74 |
75 | ```
76 | sourcetype=rfc5424_syslog index=-THE-INDEX-YOU-CREATED appname=APP-GUID
77 | ```
78 |
79 | To view logs from all apps at once, you can omit the `appname` field.
80 |
81 | Verify that results rows contain the three Cloud Foundry-specific fields:
82 |
83 | * **appname**: The GUID for the Cloud Foundry app
84 | * **host**: The IP address of the Loggregator host
85 | * **procid**: The Cloud Foundry component emitting the log
86 |
87 | If the Cloud Foundry-specific fields appear in the log search results,
88 | integration is successful.
89 |
90 | If logs from an app are missing, ensure that:
91 |
92 | * The app is bound to the service and was restarted after binding
93 | * The service port number matches the TCP port number in Splunk
94 |
--------------------------------------------------------------------------------
/services/log-management-thirdparty-svc.html.md.erb:
--------------------------------------------------------------------------------
1 | ---
2 | title: Streaming app logs to third-party services
3 | owner: PCF Metrics
4 | ---
5 |
6 |
7 | Here are instructions for configuring some third-party log management services for your Cloud Foundry apps.
8 |
9 | After you configure a service, see [Third-party log management services](./log-management.html) for instructions for binding your app to the service.
10 |
11 | ## Logit.io
12 |
13 | From your Logit.io dashboard:
14 |
15 | 1. Identify the Logit ELK stack you want to use.
16 |
17 | 1. Click Logstash **Configuration**.
18 |
19 | 1. Note your Logstash **Endpoint**.
20 |
21 | 1. Note your TCP-SSL, TCP, or UDP **Port** (not the syslog port).
22 |
23 | 1. Create the log drain service in Cloud Foundry.
24 |
25 | 26 | $ cf cups logit-ssl-drain -l syslog-tls://ENDPOINT:PORT 27 |28 | or 29 |
30 | $ cf cups logit-drain -l syslog://ENDPOINT:PORT 31 |32 | 33 | 1. Bind the service to an app. 34 | 35 |
36 | $ cf bind-service YOUR-CF-APP-NAME logit-ssl-drain 37 |38 | or 39 |
40 | $ cf bind-service YOUR-CF-APP-NAME logit-drain 41 |42 | 43 | 1. Restage or push the app using one of these commands: 44 | 45 |
$ cf restage YOUR-CF-APP-NAME46 | 47 |
$ cf push YOUR-CF-APP-NAME48 | 49 | After a short delay, logs begin to appear in Kibana. 50 | 51 | ## Papertrail 52 | 53 | From your Papertrail account: 54 | 55 | 1. Click **Add System**. The Dashboard appears. 56 | 57 | 1. Click the **Other** link. The **Setup Systems** screen appears. 58 | 59 | 1. Click **I use Cloud Foundry**, enter a name, and click **Save**. 60 | 61 |  62 | 63 | 1. After the system is recorded, the URL, with the port, is displayed. Record the URL and port for later use. 64 | 65 |  66 | 67 | 1. Create the log drain service in Cloud Foundry. 68 | 69 |
70 | $ cf cups my-logs -l syslog-tls://logs.papertrailapp.com:PORT 71 |72 | 73 | 1. Bind the service to an app. 74 | 75 |
76 | $ cf bind-service APPLICATION-NAME my-logs 77 |78 | 79 | 1. Restage the app. 80 | 81 |
82 | $ cf restage APPLICATION-NAME 83 |84 | 85 | After a short delay, logs begin to flow. 86 | 87 | 1. When Papertrail starts receiving log entries, the view changes to show the logs viewing page. 88 | 89 |  90 | 91 | ## Splunk 92 | 93 | See [Streaming app logs to splunk](integrate-splunk.html) for details. 94 | 95 | ## Splunk Storm 96 | 97 | From your Splunk Storm account: 98 | 99 | 1. Click **Add project**. On the dialog box that appears, enter the **Project name** and select the **Project time zone**. Click **Continue**. 100 | 101 |  102 | 103 | 2. In **Network data**, create a new input. Under **Network data**, click **Select**. Data is sent directly from your servers, and accepted data types include syslog, syslog-ng, snare, and netcat. 104 | 105 |  106 | 107 | 3. Under **Add network data**, click **Authorize your IP address** and select **Manually**. Next, enter the external IP addresses your Cloud Foundry administrator assigns to outbound traffic. 108 | 109 |  110 | 111 | 4. Record the host and port provided for TCP input for later use. 112 | 113 |  114 | 115 | 5. Using the cf CLI, create the log drain service in Cloud Foundry using the TCP host and port you recorded. Then you bind the service to an app and restage the app using the syntax shown here. After a short delay, the logs begin to flow. 116 | 117 |
118 | $ cf cups my-logs -l syslog://HOST:PORT 119 | $ cf bind-service APPLICATION-NAME my-logs 120 | $ cf restage APPLICATION-NAME 121 |122 | 123 | 6. When events begin to appear, click **Data Summary**. The **Data Summary** button appears in the **What to Search** section. 124 | 125 |  126 | 127 | 7. In the **Data Summary** table, click the **loggregator** link to view all incoming log entries from Cloud Foundry. 128 | 129 |  130 | 131 | ## SumoLogic 132 | 133 | SumoLogic uses HTTPS for communication. HTTPS is supported in Cloud Foundry v158 and later. 134 | 135 | In your SumoLogic account: 136 | 137 | 1. Beside **Manage Collectors and Sources**, click the **Add Collector** link. 138 | 139 |  140 | 141 | 2. Under **Add Collector**, select **Hosted Collector** and fill in the details. 142 | 1. In **Name**, enter `Cloud Foundry`. 143 | 2. In **Description**, enter the purpose of the new collector. 144 | 3. In **Category**, you can enter the source category, if you want. The collector sets the source category to this value unless it is overwritten by the source metadata. 145 | 146 |  147 | 148 |  149 | 150 | 1. Click **Save**. 151 | 3. In the **Manage Collectors and Sources** table, in the row for the new collector, click the **Add Source** link. 152 | 153 |  154 | 155 | 4. Under **Select a type of Source**, select **HTTP** and fill in the details. An HTTPS URL is provided. 156 | 1. In **Name**, leave the entry, `Cloud Foundry``. 157 | 2. In **Description**, enter a description of the source. 158 | 3. In **Source Host**, enter the host name for the system from which the log files are being collected. 159 | 4. In **Source Category**, enter the log category metadata. You can use this later in queries. 160 | 161 |  162 | 163 | 5. When the source is created, a URL is displayed. You can also view the URL by clicking the **Show URL** link beside the newly created source in the **Manage Collectors and Sources** table. Record the URL for the next step. 164 | 165 |  166 | 167 | 6. Using the cf CLI, create the log drain service in Cloud Foundry using the source URL you just recorded. Then you bind the service to an app and restage the app using the syntax shown here. After a short delay, the logs begin to flow. 168 | 169 |
170 | $ cf cups my-logs -l HTTPS-SOURCE-URL 171 | $ cf bind-service APPLICATION-NAME my-logs 172 | $ cf restage APPLICATION-NAME 173 |174 | 175 | 7. In the SumoLogic dashboard, click **Manage**, then click **Status** to see a view of the log entries. 176 | 177 |  178 | 179 | 8. Click **Search**. Place the pointer in the search box, then click **Enter** to submit an empty search query. 180 | 181 |  182 | 183 | ## Logsene 184 | 185 | Logsene uses HTTPS for communication. HTTPS is supported in Cloud Foundry v158 and later. 186 | 187 | In your Sematext account: 188 | 189 | 1. Click the [Create App / Logsene App](https://apps.sematext.com/logsene-reports/registerApplication.do) menu item. Enter a name and click **Add Application** to create the Logsene App. 190 | 191 | 2. Using the cf CLI, create the log drain service using the source URL displayed. Then you bind the service to an app and restage the app using the syntax shown here. After a short delay, the logs begin to flow. The logs appear in the [Logsene UI](https://apps.sematext.com/users-web/services.do#logsene). 192 | 193 |
194 | $ cf cups logsene-log-drain -l https://logsene-cf-receiver.sematext.com/YOUR_LOGSENE_TOKEN 195 | $ cf bind-service YOUR-CF-APP-NAME logsene-log-drain 196 | $ cf restage APPLICATION-NAME 197 |198 | 199 | ## Logentries is not supported 200 | 201 | Using Logentries is discouraged because it does not support multiple syslog sources. Cloud Foundry distributes log entries over multiple servers to handle the load. 202 | -------------------------------------------------------------------------------- /services/metrics.html.md.erb: -------------------------------------------------------------------------------- 1 | --- 2 | title: Using metrics with drain logs 3 | owner: PCF Metrics 4 | --- 5 | 6 | Here are instructions for using metrics to filter and report draining logs from Cloud Foundry. It also describes how to detect and diagnose system problems based on dropped metrics. 7 | 8 | 9 | ## How app logs are collected 10 | 11 | The Diego Runtime reads the apps `stdout` and `stderr`, packs the logs into a common format, and sends the data to the forwarder agents. The forwarder agents aggregate the various ways of reading the logs and metrics on the VM. The forwarder agent then forwards the data to the Syslog agent and the Loggregator agent. The Syslog agent gathers all app logs, container metrics, and platform component metrics and forwards them to various syslog drains, based on the configuration. For more info, see [loggregator-agents-release](https://github.com/cloudfoundry/loggregator-agent-release) on GitHub. 12 | 13 | 14 | ## Ingress and egress metrics 15 | 16 | There are two ingress metrics with different values for the `drain_scope` tag: 17 | 18 | * `agent` - shows the overall number of log envelopes ingested by the syslog agent 19 | * `all_drains` - shows the overall number of log envelopes written to the separate drain buffers 20 | 21 | There are two layers of buffering of the ingested messages: 22 | 23 | * The first layer is a single buffer connected to the forwarder agent. This doesn't involve filtering. The buffer receives everything. This buffer also has an `ingress_dropped` metric, which is incremented when a message cannot be ingested. 24 | 25 | * The second layer is made up of multiple buffers, one per syslog drain. The EnvelopeWriter reads messages from the first layer buffer, matches the source ID (app GUID or platform component name), selects the proper drain buffer, and writes the log envelope to it. There is no ingress metric here. The messages from these buffers are read, and based on the syslog scheme configuration, they are forwarded to the external Syslog servers. 26 | 27 | The egress metric shows the number of logs forwarded with the syslog drain. The `dropped_logs` metric shows the number of failures and where the messages were dropped. Drops can happen when, for example, the Syslog server is overloaded and cannot process any more messages. The addition of the `drain_scope` and `drain_url` tags allows you to quickly see if there are some log drops in a particular drain and what kind of drain that is. If it's an `app` drain, it means that the third-party logging system cannot consume the messages. For `aggregate` drains, it is important that they work properly. Otherwise, you might collect platform metrics and send them to your platform monitoring, and if the platform monitoring doesn't work properly, you don't have a good overview of what's happening in the system. 28 | 29 | ## Checking for dropped metrics 30 | 31 | Egress drops could mean that you are getting the wrong picture of the current state of the system, and you might not take appropriate or adequate action when something is wrong. You are generally not very concerned if an application syslog drain has egress drops, but if the metrics in the platform monitoring are missing, that will definitely be an indication you need to take some remedial action. 32 | 33 | If there are many ingress drops on particular VM and you see higher egress rates on an application's drains, it might mean that some application has problems and has started to log too much, or if this happens on multiple applications, you might need to scale the Diego Cells. You can use aggregate metrics based on the `drain_scope` value to generate to check the usage and generate alerts, if needed. 34 | 35 | There are also syslog drain egress dropped metrics. The metric that gives you the drops per drain is `messages_dropped_per_drain`. Using the `drain_url` and setting the direction to `egress`, you can filter by drain to see if there are drops. If you use the same `drain_url` for apps and aggregate drains, you can filter on the `drain_scope` tag as well. These metrics are available "out of the box." 36 | 37 | Alternatively, you can correlate ingress and egress messages based on the source ID (app GUID). For example, you might have egress drops on a drain with a given `drain_url`. You can read the egress dropped metric based on the value of the `drain_url` tag and get the value of the `SourceId` tag. With the `SourceId` tag, you can check the ingress for that `SourceId`. If you want to inspect it even more deeply and you have applications with multiple instances, you can analyze the `InstanceId` tag to get the app instance GUID. With this information, you can use cf API calls to get the `org`, `space`, and `org users`, for example, and take some action, like contacting the app owners or developers. 38 | 39 | Using the `drain_scope` and `drain_url` to get information about dropped metrics: 40 | 41 | * `drain_scope` - The aggregate drains are special drains that send everything to the specified URL, which is generally the logging and monitoring system for the whole platform (Loggregator gathers and forwards app logs, app container metrics, and platform component metrics), so it is important to see that everything is forwarded and there are no drops. 42 | 43 | * `drain_url` - If you see problems, higher loads, or more drops on a particular syslog drain, you can identify the problem app based on the `drain_url`. Syslog drain egress drops mean that the syslog server is not properly scaled to handle the required number of messages. You can set it up so that an alert is triggered to inform the app owners (customers) to check their systems. This helps you avoid outage tickets. 44 | 45 | Generally speaking, adding these tags allows you to get a fine-grained overview of what's happening with the syslog drains, and then proactively take actions to avoid outages in your foundations. You can also keep your customers informed about the state of their syslog drains, and possibly overloaded servers. 46 | 47 | ### Example queries (using Grafana and InfluxDB) 48 | 49 | Here are some example queries using Grafana and InfluxDB for monitoring. 50 | 51 | * Aggregate drain egress drops per second on Diego-Cells: 52 | 53 | `SELECT non_negative_derivative(mean("messages_dropped_per_drain"), 1s) FROM "CF.syslog_agent" WHERE $timeFilter AND "drain_scope" = 'aggregate' AND "instance" = 'diego-cell' GROUP BY time($__interval), "deployment", "instance", "instance_id", "drain_url" fill(null)` 54 | 55 | * App drain egress per second on Diego-Cells: 56 | 57 | `SELECT non_negative_derivative(mean("egress"), 1s) FROM "CF.syslog_agent" WHERE $timeFilter AND "instance" = 'diego-cell' AND "drain_scope" = 'app' GROUP BY time($__interval), "instance", "instance_id", "drain_url" fill(null)` 58 | 59 | * For syslog agent ingress metrics on Diego-Cells: 60 | 61 | `SELECT non_negative_derivative(mean("ingress"), 1s) FROM "CF.syslog_agent" WHERE $timeFilter AND "scope" = 'agent' AND "instance" = 'diego-cell' GROUP BY time($__interval), "instance", "instance_id" fill(null)` 62 | 63 | Because the transfer from the first level buffer to the second level syslog drain buffers happens in the same app, the syslog agent, the metric should have the same values despite the value set for the scope "agent" or "all_drains." These examples use "agent" for consistency because, for agent, there is an ingress metric, and an ingress dropped metric. 64 | -------------------------------------------------------------------------------- /services/play-service-bindings.html.md.erb: -------------------------------------------------------------------------------- 1 | --- 2 | title: Configuring Play Framework service connections 3 | owner: Core Services 4 | --- 5 | 6 | 7 | 8 | Cloud Foundry provides support for connecting a Play Framework app to services such as MySQL and PostgreSQL. In many cases, a Play Framework app running on Cloud Foundry can detect and configure connections to services. 9 | 10 | By default, Cloud Foundry detects service connections in a Play Framework app and configures them to use the credentials provided in the Cloud Foundry environment. Auto-configuration only happens if it's a single service for one of the supported types, MySQL or PostgreSQL. 11 | -------------------------------------------------------------------------------- /services/route-binding.html.md.erb: -------------------------------------------------------------------------------- 1 | --- 2 | title: Managing app requests with route services 3 | owner: CF for VMs Networking 4 | --- 5 | 6 | 7 | You can bind a service instance to a route for the purpose of adding preprocessing to your Cloud Foundry app requests. 8 | 9 | <%= vars.route_services_appsman2 %> 10 | 11 | Route services are a class of Marketplace Services that perform filtering or content transformation on app requests and responses. 12 | For more information about Marketplace Services, see [Managing services](../services/managing-services.html) and [User-provided service instances](./user-provided.html). 13 | 14 | Route services exist to help remove the burden on developers who would otherwise have to implement these functions themselves. Popular use cases for route services include rate limiting, authorization, and caching. A route service might reject requests or, after some transformation, pass requests to apps. 15 | 16 | To use route services, developers must first create a service instance, choosing from compatible Marketplace services. Developers then bind this service instance to a route, and all requests for the route are preprocessed by the service instance. While some services can support instances being bound to both routes and apps, these operations have different effects. For app requests and responses to be routed through a route service, the service instance must be bound to the route. 17 | 18 | To view an example demonstrating the use of a sample route service, see [Route Services in Pivotal Cloud Foundry](https://youtu.be/VaaZJE2E4jI) on YouTube. 19 | 20 | ## Bind a route to a service instance 21 | 22 | You must install the Cloud Foundry Command Line Interface (cf CLI) to bind a route to a service instance. For more information, see [Installing the cf CLI](../../cf-cli/install-go-cli.html). 23 | 24 |
25 | Gorouter rejects WebSocket requests for routes that are bound to route services. These requests return a 503 error and a X-Cf-Routererror route_service_unsupported header.
32 | $ cf bind-route-service <%=vars.app_domain%> my-route-service --hostname my-app 33 | 34 | Binding route my-app.<%=vars.app_domain%> to service instance my-route-service in org my-org / space my-space as developer... 35 | OK 36 |37 | 38 |
39 | When binding a service instance to a route, Cloud Foundry might have proxy requests for the route to the service instance, or configure a network component already in the request path.
40 | 41 | ### Bind with parameters 42 | 43 | Some services support additional configuration parameters supplied with the bind request. You can pass service-specific configuration parameters in a valid JSON object, provided either in-line or in a file. For a list of supported configuration parameters, see the documentation for the particular service offering you bind to. 44 | 45 | This example binds the route from `my-app.<%=vars.app_domain%>` to the service instance `my-route-service`, and passes configuration parameters in-line. 46 | 47 |
48 | $ cf bind-route-service <%=vars.app_domain%> my-route-service --hostname my-app -c '{"rate_limit_threshold_rps":10000}'
49 |
50 | Binding service my-db to app rails-sample in org console / space development as user@example.com...
51 | OK
52 |
53 |
54 | This example binds the route from `my-app.<%=vars.app_domain%>` to the service instance `my-route-service`, and passes configuration parameters in a file, `/tmp/config.json`.
55 |
56 | 57 | $ cf bind-route-service <%=vars.app_domain%> my-route-service --hostname my-app -c /tmp/config.json 58 | 59 | Binding route my-app.<%=vars.app_domain%> to service instance my-route-service in org my-org / space my-space as developer... 60 | OK 61 |62 | 63 | ## Unbind a route from a service instance 64 | 65 | You must install the Cloud Foundry Command Line Interface (cf CLI) to bind a route to a service instance. For more information, see [Installing the cf CLI](../../cf-cli/install-go-cli.html). 66 | 67 | Run the [cf unbind-route-service](http://cli.cloudfoundry.org/en-US/cf/unbind-route-service.html) command to unbind a route from an app to a service instance. 68 | 69 | This example removes the route from `my-app.<%=vars.app_domain%>` to the service instance `my-route-service`. 70 | 71 |
72 | $ cf unbind-route-service <%=vars.app_domain%> my-route-service --hostname my-app 73 | 74 | Unbinding might leave apps mapped to route my-app.<%=vars.app_domain%> vulnerable e.g. if service instance my-route-service provides authentication. Do you want to proceed?> y 75 | 76 | Unbinding route my-app.<%=vars.app_domain%> from service instance my-route-service in org my-org / space my-space as developer... 77 | OK 78 |79 | -------------------------------------------------------------------------------- /services/service-keys.html.md.erb: -------------------------------------------------------------------------------- 1 | --- 2 | title: Managing service keys 3 | owner: Core Services 4 | --- 5 | 6 | 7 | 8 | Here are instructions for managing service instance credentials (binding credentials) with service keys. 9 | 10 | Service keys generate credentials for manually configuring consumers of Marketplace services. After you configure them for your service, local clients, apps in other spaces, or entities outside your deployment can access your service with these keys. 11 | 12 |
13 | Some service brokers do not support service keys. To build a service broker that supports service keys, see Services. To use a service broker that does not support service keys, see Delivering service credentials to an app.
14 | 15 | ## Create a service key 16 | 17 | To generate credentials for a service instance, use the `cf create-service-key` command: 18 | 19 |20 | $ cf create-service-key MY-SERVICE MY-KEY 21 | Creating service key MY-KEY for service instance MY-SERVICE as me@example.com... 22 | OK 23 |24 | 25 | Use the `-c` flag to provide service-specific configuration parameters in a valid JSON object, either in-line or in a file. 26 | 27 | To provide the JSON object in-line, use the following format: 28 | 29 |
30 | $ cf create-service-key MY-SERVICE MY-KEY -c '{"read-only":true}'
31 | Creating service key MY-KEY for service instance MY-SERVICE as me@example.com...
32 | OK
33 |
34 |
35 | To provide the JSON object as a file, give the absolute or relative path to your JSON file:
36 |
37 | 38 | $ cf create-service-key MY-SERVICE MY-KEY -c PATH-TO-JSON-FILE 39 | Creating service key MY-KEY for service instance MY-SERVICE as me@example.com... 40 | OK 41 |42 | 43 | ## List service keys for a service instance 44 | 45 | To list service keys for a service instance, use the `cf service-keys` command: 46 | 47 |
48 | $ cf service-keys MY-SERVICE 49 | Getting service keys for service instance MY-SERVICE as me@example.com... 50 | 51 | name 52 | mykey1 53 | mykey2 54 | 55 |56 | 57 | ## Get credentials for a service key 58 | 59 | To retrieve credentials for a service key, use the `cf service-key` command: 60 | 61 |
62 | $ cf service-key MY-SERVICE MY-KEY
63 | Getting key MY-KEY for service instance MY-SERVICE as me@example.com...
64 |
65 | {
66 | uri: foo://user2:pass2@example.com/mydb,
67 | servicename: mydb
68 | }
69 |
70 |
71 | Use the `--guid` flag to display the API GUID for the service key:
72 |
73 | 74 | $ cf service-key --guid MY-SERVICE MY-KEY 75 | Getting key MY-KEY for service instance MY-SERVICE as me@example.com... 76 | 77 | e3696fcb-7a8f-437f-8692-436558e45c7b 78 | 79 | OK 80 |81 | 82 | ## Configure credentials for a service key 83 | 84 | After obtaining these credentials, you can use a local CLI or utility to connect to the service instance, configure an app running outside the platform to connect to the service instance, or create a user-provided service instance so that apps in another space can connect to the service instance. How you configure these credentials depends on what local client, app, or entity is used to access your service instance. 85 | 86 | For more information about configuring credentials with a user-provided service instance, see [User-provided service instances](http://docs.cloudfoundry.org/devguide/services/user-provided.html). 87 | 88 | ## Delete a service key 89 | 90 | To delete a service key, use the `cf delete-service-key` command: 91 | 92 |
93 | $ cf delete-service-key MY-SERVICE MY-KEY 94 | 95 | Are you sure you want to delete the service key MY-KEY ? y 96 | Deleting service key MY-KEY for service instance MY-SERVICE as me@example.com... 97 | 98 | OK 99 |100 | 101 | Add option `-f` to force deletion without confirmation. 102 | 103 |
104 | $ cf delete-service-key -f MY-SERVICE MY-KEY 105 | 106 | Deleting service key MY-KEY for service instance MY-SERVICE as me@example.com... 107 | 108 | OK 109 |110 | -------------------------------------------------------------------------------- /services/sharing-instances.html.md.erb: -------------------------------------------------------------------------------- 1 | --- 2 | title: Sharing service instances 3 | owner: Core Services 4 | --- 5 | 6 | Here are instructions for sharing service instances in your Cloud Foundry apps. 7 | 8 | 9 | ## About service instance sharing 10 | 11 | Sharing a service instance among multiple spaces and across orgs allows apps to share databases, messaging queues, and other types of services. 12 | This eliminates the need for development teams to use service keys and 13 | user-provided services to bind their apps to the same service instance that was 14 | provisioned using the `cf create-service` command. 15 | Sharing service instances improves security and auditing, and provides a more intuitive user experience. 16 | 17 | * Developers and administrators can share service instances between spaces 18 | in which they have the Space Developer role. 19 | 20 | * Developers who have a service instance shared with them can only bind and 21 | unbind apps to that service instance. They cannot update, rename, or delete it. 22 | 23 | * Developers who have a service instance shared with them can view 24 | the values of any configuration parameters that were used to provision or update the service instance. 25 | 26 | For example, if two development teams have apps in their own spaces, 27 | and both apps want to send messages to each other using a 28 | messaging queue: 29 | 30 | 1. The development team in space A can create a new instance of 31 | a messaging queue service, bind it to their app, and share that service instance into space B. 32 | 33 | 1. A developer in space B can then bind their app to the same service 34 | instance, and the two apps can begin publishing and receiving 35 | messages from one another. 36 | 37 | 38 | ## Activating service instance sharing in Cloud Foundry 39 | 40 | To activate service instance sharing, the platform operator must activate the `service_instance_sharing` flag in Cloud Foundry. 41 | 42 |
43 | $ cf enable-feature-flag service_instance_sharing 44 |45 | 46 | 47 | ## Sharing a service instance 48 | 49 | You can share a service instance from one space to another if you have the Space Developer role in both spaces. 50 | 51 | To share a service instance to another space, run the following Cloud 52 | Foundry Command Line Interface (cf CLI) command: 53 | 54 |
55 | $ cf share-service SERVICE-INSTANCE -s OTHER-SPACE [-o OTHER-ORG] 56 |57 | 58 | * You cannot share a service instance into a space where a service 59 | instance with the same name already exists. 60 | 61 | * To share a service instance into a space, the space must have access to the 62 | service and service plan of the service instance that you are sharing. Run the `cf enable-service-access` command to set this access. 63 | 64 | * If you no longer have access to the service or service plan used to create your service instance, 65 | you cannot share that service instance. 66 | 67 | ## Get information about service instance sharing 68 | 69 | To get information about service instance sharing on the originating space, run the following cf CLI command from that originating space: 70 | 71 | ``` 72 | cf service SERVICE-INSTANCE-NAME 73 | ``` 74 | 75 | For example: 76 | 77 |
78 | $ cf service mydb 79 | 80 | name: mydb 81 | service: p-mysql 82 | tags: 83 | plan: 100mb 84 | description: mysql databases on demand been created by a platform. 85 | documentation: 86 | dashboard: 87 | service broker: mysql-broker 88 | 89 | shared with spaces: 90 | org space bindings 91 | org-1 space-1 0 92 | org-1 space-2 2 93 | 94 | Showing status of last operation from service my-service-3... 95 | 96 | status: create succeeded 97 | message: Operation succeeded 98 | started: 2021-03-01T15:10:15Z 99 | updated: 2021-03-01T15:10:17Z 100 | 101 | bound apps: 102 | name binding name status message 103 | my-music-app create succeeded Operation succeeded 104 | 105 | No upgrade available for this service. 106 |107 | 108 | * For each of the spaces, the service instance is shared into the output. The output shows the number of bindings to apps of the service instance in that space. 109 | * When the service instance is not shared, `This service is not currently shared` appears instead of `shared with spaces`. 110 | 111 | If you run the command while targeting the space where the service instance is shared, you see the originating space and organization. 112 | 113 | For example: 114 | 115 | 116 |
117 | $ cf service mydb 118 | 119 | name: mydb 120 | shared from org/space: acceptance / dev 121 | service: p-mysql 122 | tags: 123 | plan: 100mb 124 | description: mysql databases on demand been created by a platform. 125 | documentation: 126 | dashboard: 127 | service broker: mysql-broker 128 | 129 | Showing status of last operation from service my-service-3... 130 | 131 | status: create succeeded 132 | message: Operation succeeded 133 | started: 2021-03-01T15:10:15Z 134 | updated: 2021-03-01T15:10:17Z 135 | 136 | bound apps: 137 | name binding name status message 138 | my-library-app create succeeded Operation succeeded 139 | 140 | No upgrade available for this service. 141 |142 | 143 | In this case, no information about other spaces is exposed. 144 | 145 | 146 | ## Unsharing a service instance 147 | 148 |
149 | Unsharing a service instance deletes all bindings to apps in the spaces it was shared into. This might cause apps to fail. Before unsharing a service instance, run the cf service SERVICE-INSTANCE command to find out how many bindings exist in the spaces the service instance is shared into.
160 | $ cf unshare-service SERVICE-INSTANCE -s OTHER-SPACE [-o OTHER-ORG] [-f] 161 |162 | 163 | The `-f` flag (optional) forces unsharing without confirmation. 164 | 165 | 166 | ## Security considerations 167 | 168 | * [Service keys](./service-keys.html) cannot be created from a space that a 169 | service instance is shared into. This ensures that developers in the space where a service instance is 170 | shared from have visibility into where and how many times the service instance is used. 171 | 172 | * Sharing service instances does not update app security groups (ASGs). 173 | The network policies defined in your ASGs might need to be updated to ensure that apps using shared service instances can access the underlying service. 174 | 175 | * Access to a service must be activated using the `cf enable-service-access` command for a service instance to be shared into a space. 176 | 177 | * Not all services are activated for sharing the instances capability. 178 | Contact the service vendor directly if you are unable to share instances of their service. 179 | If you are a service author, see [Enabling service instance sharing](../../services/enable-sharing.html). 180 | 181 | 182 | ## Deactivating service instance sharing in Cloud Foundry 183 | 184 | To deactivate service instance sharing, run: 185 | 186 |
187 | $ cf disable-feature-flag service_instance_sharing 188 |189 | 190 | This only prevents new shares from being created. To remove existing shares, see [Deleting all shares](#deleting). 191 | 192 | 193 | ## Deleting all shares 194 | 195 | The following script finds all service instances that are shared, and for each 196 | space that the service instance is shared into, all service bindings to that service instance are deleted, and all shares are deleted. 197 | 198 | If a service binding is not deleted, the script continues trying to unshare subsequent service instances. 199 | 200 | To use this script, you must be logged in as an administrator and have jq installed. 201 | 202 |
203 | This script was tested on macOS Sierra 10.12.4 and Ubuntu 14.04.5. Use the script at your own risk.
204 | 205 | ``` 206 | #!/usr/bin/env bash 207 | 208 | set -u 209 | set -e 210 | 211 | # refresh auth token 212 | cf oauth-token >/dev/null 213 | 214 | for instance_guid in $(cf curl /v3/service_instances | jq -r '.resources[].guid'); do 215 | for space_guid in $(cf curl /v2/service_instances/$instance_guid/shared_to | jq -r 216 | '.resources[].space_guid'); do 217 | echo "Unsharing service instance $instance_guid from space $space_guid" 218 | 219 | set +e 220 | cf curl -X DELETE "/v3/service_instances/$instance_guid/relationships/shared_spaces/$space_guid" 221 | set -e 222 | done 223 | done 224 | ``` 225 | -------------------------------------------------------------------------------- /services/user-provided.html.md.erb: -------------------------------------------------------------------------------- 1 | --- 2 | title: User-provided service instances 3 | owner: Core Services 4 | --- 5 | 6 | 7 | 8 | User-provided service instances allow you to use services that are not available in the Marketplace with their apps running on Cloud Foundry. 9 | 10 | You can use user-provided service instances to deliver service credentials to an app, or to trigger streaming of app logs to a syslog-compatible consumer. These two functions can be used individually or both at the same time. 11 | 12 | <%= vars.user_provided_apps_man %> 13 | 14 | After creation, user-provided service instances behave like service instances created through the Marketplace. See [Managing service instances](managing-services.html) and [App binding](application-binding.html) for details about listing, renaming, deleting, binding, and unbinding service instances. 15 | 16 | ## Create a user-provided service instance 17 | 18 | The alias for [cf create-user-provided-service](http://cli.cloudfoundry.org/en-US/cf/create-user-provided-service.html) is `cf cups`. 19 | 20 | ### Deliver service credentials to an app 21 | 22 | Suppose a developer obtains a URL, port, user name, and password for communicating with an Oracle database managed outside of Cloud Foundry. The developer can manually create custom environment variables to configure their app with these credentials (of course you never hard code these credentials in your app!). 23 | 24 | User-provided service instances allow developers to inject credentials into the app container using the familiar [App binding](application-binding.html) operation and the same [Credential Delivery Methods](./application-binding.html#credential-delivery-methods) used by Cloud Foundry to deliver credentials for Marketplace services. 25 | 26 |
27 | cf cups SERVICE_INSTANCE -p '{"username":"admin","password":"pa55woRD"}'
28 |
29 |
30 | To create a service instance in interactive mode, use the `-p` option with a comma-separated list of parameter names. The Cloud Foundry Command Line Interface (cf CLI) prompts you for each parameter value.
31 |
32 | 33 | $ cf cups my-user-provided-route-service -p "host, port" 34 | 35 | host> rdb.local 36 | 37 | port> 5432 38 | 39 | Creating user provided service my-user-provided-route-service in org my-org / space my-space as user@example.com... 40 | OK 41 |42 | 43 | After creating the user-provided service instance, to deliver the credentials to one or more apps, see [App binding](application-binding.html). 44 | 45 | ### Stream app logs to a service 46 | 47 | User-provided service instances allow developers to stream app logs to a syslog compatible aggregation or analytics service that isn't available in the Marketplace. For more information about the syslog protocol see [RFC 5424](http://tools.ietf.org/html/rfc5424) and [RFC 6587](http://tools.ietf.org/html/rfc6587). 48 | 49 |
50 | RFC-5424 is used to establish connections over HTTP/HTTPS. RFC-6587 is used for TCP based communication over syslog/syslog-tls drains. 51 |
52 | 53 | Create the user-provided service instance, specifying the URL of the service with the `-l` option. 54 | 55 |56 | cf cups SERVICE_INSTANCE -l syslog-tls://example.log-aggregator.com:6514 57 |58 | 59 | To stream app logs to the service, bind the user-provided service instance to your app. 60 | 61 | ### Proxy app requests to a route service 62 | 63 | User-provided service instances allow developers to proxy app requests to [route services](./index.html#route-services) for preprocessing. To create a user-provided service instance for a route service, specify the URL for the route service using the `-r` option. 64 | 65 |
66 | $ cf create-user-provided-service my-user-provided-route-service -r https://my-route-service.example.com 67 | Creating user provided service my-user-provided-route-service in org my-org / space my-space as user@example.com... 68 | OK 69 |70 | 71 |
72 | When creating the user-provided service, the route service URL you specify must be "https." 73 |
74 | 75 | To proxy requests to the user-provided route service, you must bind the service instance to the route. 76 | For more information, see [Managing app requests with route services](./route-binding.html). 77 | 78 | ## Update a user-provided service instance 79 | 80 | You can use [cf update-user-provided-service](http://cli.cloudfoundry.org/en-US/cf/update-user-provided-service.html) to update the attributes of an instance of a user-provided service. New credentials overwrite old credentials, and parameters that are not provided are deleted. 81 | 82 | The alias for `update-user-provided-service` is `uups`. Bound apps can access the new configuration after restart. 83 | You can use rolling restarts to avoid any app downtime. 84 | For more information, see [Restart an app](../deploy-apps/rolling-deploy.html#restart) in _Rolling App Deployments_. 85 | 86 |87 | If you are rotating credentials, the old credentials must be active until the restart is finished.
88 | -------------------------------------------------------------------------------- /services/using-vol-services.html.md.erb: -------------------------------------------------------------------------------- 1 | --- 2 | title: Using an external file system (volume services) 3 | owner: Core Services 4 | --- 5 | 6 | <% if vars.platform_code == "PCF" || vars.platform_code == "CF" %> 7 | 8 | <%= partial 'using-vol-services' %> 9 | 10 | <% else %> 11 | 12 | <%= vars.vol_services_not_available %> 13 | 14 | <% end %> 15 | -------------------------------------------------------------------------------- /ssh-index.html.md.erb: -------------------------------------------------------------------------------- 1 | --- 2 | title: SSH for Apps and Services 3 | owner: 4 | --- 5 | 6 | These topics contain information about configuring and using SSH for apps and services: 7 | 8 |