cf-networking/1.3.0

Try out our new feature for augmented traffic logging with org, space and app information! Instructions are here. This release also lays the groundwork for supporting port ranges in policy configuration. Try it out and give us your feedback in the #container-networking channel on cloudfoundry.slack.com.

Take a look at known issues for current limitations and known issues.

Verified with the following: - CF deployment

Manifest Changes

New Properties - An optional parameter has been added to configure the rate of logs by iptables for accepted UDP packets. Before, logging was done per UDP connection. Now, the rate defaults to 100 packets per second. - cf_networking.iptables_accepted_udp_logs_per_sec is the maximum number of accepted udp packets logged by iptables per second, it should be configured on the silk-cni job for ASGs or on the vxlan-policy-agent job for C2C.

Significant Changes

Traffic logging enhancements

• Operators can see logs of egress network traffic with app/space/org GUIDs of the source in a file that can be forwarded via syslog
• ASG and c2c logging for UDP traffic is rate-limited
• Logs of egress network traffic include cell IP and GUIDs of the source in a file that can be forwarded via syslog
• Operators have instructions to consume augmented traffic logs in github

Port Ranges

• The internal API supports port ranges
• Policy server closes db connections on shutdown

• vxlan-policy-agent uses ports field to write iptables rules

  Github Issues

• cloudfoundry-incubator/cf-networking-release #12: Is vtep port by default supposed to be 4789 or something else?

• cloudfoundry-incubator/cf-networking-release #13: cf-release docs contain wrong configuration

• remove http health check from cni wrapper

  Miscellaneous

• Golang 1.8.x upgrade

• drain and pre-start clean up all potentially leftover cf-networking state