Search This Blog

Saturday, 28 October 2017

Testing network connectivity from Cloud Foundry Application Instances

This app below simply tests whether a host:port is accessible from a CF app instance. For example can my application instance access my Oracle Database Instance running outside of PCF given application instances need network access to the database database for example.

You can use bosh2 ssh to get to the Diego Cells if you have access to the environment or even "cf ssh" if that has been enabled.

GitHub URL:

https://github.com/papicella/cloudfoundry-socket-test

Success

pasapicella@pas-macbook:~$ http http://pas-cf-sockettest.cfapps.io/www.google.com.au/80
HTTP/1.1 200 OK
Connection: keep-alive
Content-Length: 81
Content-Type: application/json;charset=UTF-8
Date: Wed, 25 Oct 2017 08:38:33 GMT
X-Vcap-Request-Id: 8fd05c77-f680-4966-558b-c45e71825fa0

{
    "errorMessage": "N/A",
    "hostname": "www.google.com.au",
    "port": "80",
    "res": "SUCCESS"
}

Failure

pasapicella@pas-macbook:~$ http http://pas-cf-sockettest.cfapps.io/10.0.0.10/8080
HTTP/1.1 200 OK
Connection: keep-alive
Content-Length: 110
Content-Type: application/json;charset=UTF-8
Date: Wed, 25 Oct 2017 11:52:18 GMT
X-Vcap-Request-Id: 91ad2359-7d95-49c6-4538-548e480b7820

{
    "errorMessage": "Connection refused (Connection refused)",
    "hostname": "10.0.0.10",
    "port": "8080",
    "res": "FAILED"
}

Sunday, 22 October 2017

Just installed Pivotal Cloud Foundry, what's next should I login to Apps Manager?

I get this question often from customers. Pivotal Cloud Foundry has just been installed and the API endpoint to target the instance is working fine. In short we want to do the following before we get developers onto the platform to ensure we no longer using the UAA server admin login details from the CLI or Apps Manager UI.

  • Create a new ADMIN user which will be used to configure Apps Manager ORGS and spaces for the developers
  • Create an ORG
  • Create at least one Quota maybe more to control memory limit and application instances within an ORG
  • Assign the quota to your ORG
Steps

--> Create a new ADMIN user which will be used to configure Apps Manager ORGS and spaces for the developers

1. Login to Ops Manager VM using SSH for example
2. Target the UAA server as shown below

Eg: $ uaac target uaa.YOUR-DOMAIN

ubuntu@opsmanager-pcf:~$ uaac target uaa.system.YYYY --skip-ssl-validation
Unknown key: Max-Age = 2592000

Target: https://uaa.system.YYYY

3. Authenticate and obtain an access token for the admin client from the UAA server

Note: Record the uaa:admin:client_secret from your deployment manifest

ubuntu@opsmanager-pcf:~$ uaac token client get admin -s PASSWD

Successfully fetched token via client credentials grant.
Target: https://uaa.system.YYYY
Context: admin, from client admin

4. Use the uaac contexts command to display the users and applications authorized by the UAA server, and the permissions granted to each user and application. Ensure in the "scope" field that "scim.write" exists

ubuntu@opsmanager-pcf:~$ uaac contexts

[0]*[https://uaa.system.YYYY]
  skip_ssl_validation: true

  [0]*[admin]
      client_id: admin
      access_token: .....
      token_type: bearer
      expires_in: 43199
      scope: clients.read password.write clients.secret clients.write uaa.admin scim.write scim.read
      jti: b1bf094a5c4640dbac4abc5f3bf15b08

5. Run the following command to create an admin user

ubuntu@opsmanager-pcf:~$ uaac user add apples -p PASSWD --emails papicella@pivotal.io
user account successfully added

6. Run uaac member add GROUP NEW-ADMIN-USERNAME to add the new admin to the groups cloud_controller.admin, uaa.admin, scim.read, and scim.write

ubuntu@opsmanager-pcf:~$ uaac member add cloud_controller.admin apples
success
ubuntu@opsmanager-pcf:~$ uaac member add uaa.admin apples
success
ubuntu@opsmanager-pcf:~$ uaac member add scim.read apples
success
ubuntu@opsmanager-pcf:~$ uaac member add scim.write apples
success

--> Create an ORG

1. Login using the new admin user "apples"

pasapicella@pas-macbook:~$ cf login -u apples -p PASSWD -o system -s system
API endpoint: https://api.system.YYYY
Authenticating...
OK

Targeted org system

Targeted space system

API endpoint:   https://api.system.YYYY (API version: 2.94.0)
User:           papicella@pivotal.io
Org:            system
Space:          system

2. Create an ORG as follows

pasapicella@pas-macbook:~$ cf create-org myfirst-org
Creating org myfirst-org as apples...
OK

Assigning role OrgManager to user apples in org myfirst-org ...
OK

TIP: Use 'cf target -o "myfirst-org"' to target new org

--> Create at least one Quota maybe more to control memory limit and application instances within an ORG

1. Here we create what I call a medium-quota which allows 20G of memory, 2 service instances, each application instance can be no more then 1G of memory and only 20 Application Instances can be created using this quota.

pasapicella@pas-macbook:~$ cf create-quota medium-quota -m 20G -i 1G -a 20 -s 2 -r 1000 --allow-paid-service-plans
Creating quota medium-quota as apples...
OK

pasapicella@pas-macbook:~$ cf quota medium-quota
Getting quota medium-quota info as apples...
OK

Total Memory           20G
Instance Memory        1G
Routes                 1000
Services               2
Paid service plans     allowed
App instance limit     20
Reserved Route Ports   0

--> Assign the quota to your ORG

1. Assign the newly created quota to the ORG we created above

pasapicella@pas-macbook:~$ cf set-quota myfirst-org medium-quota
Setting quota medium-quota to org myfirst-org as apples...
OK

pasapicella@pas-macbook:~$ cf org myfirst-org
Getting info for org myfirst-org as apples...

name:                 myfirst-org
domains:              apps.pas-apples.online
quota:                medium-quota
spaces:
isolation segments:

Finally we can add a space to the ORG and assign privileges to a user called "pas" as shown below

- Set OrgManager role to the user "pas"

pasapicella@pas-macbook:~$ cf set-org-role pas myfirst-org OrgManager
Assigning role OrgManager to user pas in org myfirst-org as apples...
OK

- Logout as "apples" admin user as "pas" can now do his own admin for the ORG " myfirst-org"

pasapicella@pas-macbook:~$ cf logout
Logging out...
OK

- Login as pas and target the ORG

pasapicella@pas-macbook:~$ cf login -u pas -p PASSWD -o myfirst-org
API endpoint: https://api.system.YYYY
Authenticating...
OK

Targeted org myfirst-org

API endpoint:   https://api.system.YYYY (API version: 2.94.0)
User:           pas
Org:            myfirst-org
Space:          No space targeted, use 'cf target -s SPACE'

- Create a space which will set space roles for the user "pas"

pasapicella@pas-macbook:~$ cf create-space dev
Creating space dev in org myfirst-org as pas...
OK
Assigning role RoleSpaceManager to user pas in org myfirst-org / space dev as pas...
OK
Assigning role RoleSpaceDeveloper to user pas in org myfirst-org / space dev as pas...
OK

TIP: Use 'cf target -o "myfirst-org" -s "dev"' to target new space

- Target the new space

pasapicella@pas-macbook:~$ cf target -o myfirst-org -s dev
api endpoint:   https://api.system.pas-apples.online
api version:    2.94.0
user:           pas
org:            myfirst-org
space:          dev

Typically we would assign other users to the spaces using "cf set-space-role .."

pasapicella@pas-macbook:~$ cf set-space-role --help
NAME:
   set-space-role - Assign a space role to a user

USAGE:
   cf set-space-role USERNAME ORG SPACE ROLE

ROLES:
   'SpaceManager' - Invite and manage users, and enable features for a given space
   'SpaceDeveloper' - Create and manage apps and services, and see logs and reports
   'SpaceAuditor' - View logs, reports, and settings on this space

SEE ALSO:
   space-users

More Information

Creating and Managing Users with the UAA CLI (UAAC)
https://docs.pivotal.io/pivotalcf/1-12/uaa/uaa-user-management.html

Creating and Managing Users with the cf CLI
https://docs.pivotal.io/pivotalcf/1-12/adminguide/cli-user-management.html

Thursday, 5 October 2017

Pivotal Cloud Foundry 1.12 on Google Cloud Platform with VM labels

Once PCF is installed on GCP it's worth noting that viewing the "Compute Engine" labels gives you as indication of what VM each CF service is associated with. The screen shots below show's this.