cf-networking/1.2.0

CF networking is officially part of cf-deployment! You do not need a separate ops-file to include cf-networking in your deployment. This release also adds new capabilities for bandwidth limiting and logging enhancements for ASGs and container networking.

Try it out and give us your feedback in the #container-networking channel on cloudfoundry.slack.com.

Take a look at known issues for current limitations and known issues.

Verified with the following: - CF deployment

Manifest Changes

New Properties

• Optional parameters have been added to the silk-cni job to limit the bandwidth in and out of containers.
  • cf_networking.rate is the rate in Kbps at which traffic can leave and enter a container.
  • cf_networking.burst is the burst in Kb at which traffic can leave and enter a container.
  • Both of these parameters must be set in order to limit bandwidth. If neither one is set, then bandwidth is not limited.
  • The burst must high enough to support the given rate. If burst is not high enough, then creating containers will fail.
• An optional parameter has been added to configure the rate of logs by iptables for denied packets. Before, this rate was hardcoded to 2 packets per minute. Now, the rate defaults to 1 packet per second.
  • cf_networking.iptables_denied_logs_per_sec is the maximum number of denied packets logged by iptables per second, it should be configured on the silk-cni job.

Significant Changes

Port Ranges

• External APIs are ready for supporting port ranges

Logging

• c2c logs for accepted packets use conntrack
• An operator can change the sampling time of deny logging
• ASG logging works for accepted traffic that match UDP and ICMP whitelist rules

Bandwidth Limiting

• Operators can configure bandwidth limits for apps

Deployment Changes

• cf-networking is in cf-deployment

Documentation

• As an operator I know the options to enable self-service
• Update docs based on boxes & lines

Bug Fixes

• cf list-access fails for non-admin users when there are policies for more than 50 unique apps
• cloudfoundry-incubator/cf-networking-release #8: Make add route work for Linux
• CF CLI plugin version number matches release version

- name: "cf-networking"
  version: "1.2.0"
  url: "https://bosh.io/d/github.com/cloudfoundry-incubator/cf-networking-release?v=1.2.0"
  sha1: "c5a61b8be54e62b6d0eacfe2e0a45880345a3a21"

bosh upload-release --sha1 c5a61b8be54e62b6d0eacfe2e0a45880345a3a21 \
  "https://bosh.io/d/github.com/cloudfoundry-incubator/cf-networking-release?v=1.2.0"