cf-networking/0.18.0
You can find the source of this version on GitHub at cloudfoundry-incubator/cf-networking-release. It was created based on the commit e339a8b8.
Release Notes
Lots of good stuff in this release. Highlights include:
- Logging for c2c iptables can be enabled through a BOSH property
- Container networking scales to 20K application instances with 3 policies per application.
- Initial support for logging ASG iptables through a BOSH property. ASG logs will be prefixed with OK_ or DENY_.
- If you are running Diego release v1.10.1, you must upgrade to this release.
We do not recommend using cf-networking-release in production yet, but give it a try and give us your feedback in the #container-networking channel on cloudfoundry.slack.com.
Take a look at the known issues page for current limitations.
Verified with the following:
- CF deployment
New Manifest Properties
- cf_networking.rep_listen_addr_admin enables our drain scripts to wait for the Diego rep to exit. It should always be the same value as diego.rep.listen_addr_admin. It defaults to 127.0.0.1:1800.
- cf_networking.garden_external_networker.iptables_asg_logging globally enables iptables logging for all ASGs, including logging of denied packets. Defaults to false.
- cf_networking.vxlan_policy_agent.iptables_c2c_logging enables iptables logging for container-to-container traffic. It defaults to false. Note: this is already configurable at runtime.
- cf_networking.plugin.health_check_port allows BOSH to better health-check the flanneld process required for connectivity.
Removed Manifest Properties
cf_networking.policy_server.database.connection_string was deprecated in v0.10.0 and is now removed.
Significant Changes
Scalability
- Container networking is reliable with 20K app instances across 100 Diego cells
- Scalability test for popular server
- Our docs include recommendations on scaling policy server instances and DB
- The policy server can handle our scalability target of 20K AIs
Upgrades
Manifest Changes
Security
Chores
- Investigate and fix “Ginkgo timed out waiting for parallel nodes to report back”
- Improve stop behavior of monit ctl scripts
Stability
- Flannel has a healthcheck endpoint for monit
- A cell with a subnet mismatch can be recovered by a BOSH restart of the cell
- Policy server monit script checks a healthcheck endpoint
Logging
- Logging for c2c iptables is configurable through a BOSH property
- Logging for denied outbound non-c2c packets
Internal integration
Usage
You can reference this release in your deployment manifest from the releases section:

- name: "cf-networking"
  version: "0.18.0"
  url: "https://bosh.io/d/github.com/cloudfoundry-incubator/cf-networking-release?v=0.18.0"
  sha1: "689ff1050b49513d5fe889b9655803bcdd265824"

Or upload it to your director with the upload-release command:

bosh upload-release --sha1 689ff1050b49513d5fe889b9655803bcdd265824 \
  "https://bosh.io/d/github.com/cloudfoundry-incubator/cf-networking-release?v=0.18.0"
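The sha1 on this page is what ties the manifest or upload-release command to a specific release tarball; --sha1 makes the director compare the downloaded file against it. The following is an added example, not part of bosh.io or cf-networking-release, of performing the same comparison locally when the tarball is fetched separately (for example through an internal mirror) before it is uploaded. It assumes sha1sum or shasum is on the PATH; the file name cf-networking-0.18.0.tgz in the usage comment is assumed, and the "abc" test file is constructed for the offline demonstration.

```shell
#!/bin/sh
# Added example: verify a locally downloaded BOSH release tarball against the
# sha1 published on the bosh.io release page before `bosh upload-release`.
# Not part of bosh or cf-networking-release.

# The sha1 published for cf-networking 0.18.0 on this page.
CF_NETWORKING_0_18_0_SHA1="689ff1050b49513d5fe889b9655803bcdd265824"

# Print the lowercase hex SHA-1 of a file; uses sha1sum (GNU) or shasum (macOS).
sha1_of_file() {
  if command -v sha1sum >/dev/null 2>&1; then
    sha1sum "$1" | cut -d' ' -f1
  else
    shasum -a 1 "$1" | cut -d' ' -f1
  fi
}

# verify_release_sha1 FILE EXPECTED_SHA1
# Exit status 0 when the file's digest equals EXPECTED_SHA1 (compared
# case-insensitively), 1 on a mismatch or an unreadable file.
verify_release_sha1() {
  _file="$1"
  _expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  [ -r "$_file" ] || { echo "FAIL $_file: not readable" >&2; return 1; }
  _actual=$(sha1_of_file "$_file")
  if [ "$_actual" = "$_expected" ]; then
    echo "OK   $_file sha1=$_actual"
    return 0
  fi
  echo "FAIL $_file sha1=$_actual expected=$_expected" >&2
  return 1
}

# Offline demonstration on a constructed file whose content is "abc"; its SHA-1
# is the well-known test vector a9993e364706816aba3e25717850c26c9cd0d89d.
demo() {
  _tmp=$(mktemp)
  printf 'abc' > "$_tmp"
  verify_release_sha1 "$_tmp" "a9993e364706816aba3e25717850c26c9cd0d89d"
  # A mismatch against the published cf-networking hash must be rejected.
  if verify_release_sha1 "$_tmp" "$CF_NETWORKING_0_18_0_SHA1" 2>/dev/null; then
    echo "BUG: mismatch accepted"
  else
    echo "mismatch correctly rejected"
  fi
  rm -f "$_tmp"
}

demo

# Real usage (assumed file name), after downloading the tarball from the URL on
# this page:
#   verify_release_sha1 cf-networking-0.18.0.tgz "$CF_NETWORKING_0_18_0_SHA1" \
#     && bosh upload-release cf-networking-0.18.0.tgz
```

Keep the expected digest in your deployment repository next to the manifest rather than copying it from the download location at run time; the check is only meaningful when the reference value comes from a source the downloader cannot influence.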