### Run Ubuntu Docker Container Source: https://github.com/cloudfoundry/cf-networking-onboarding/blob/gh-pages/iptables-primer/010-write-your-own-drop.markdown Starts an interactive Ubuntu container with privileged access. This is the initial setup for experimenting with iptables. ```bash docker run --privileged -it ubuntu bin/bash ``` -------------------------------- ### Example HTTP Request Headers Source: https://github.com/cloudfoundry/cf-networking-onboarding/blob/gh-pages/tcp-routes/040-tcp-vs-http.markdown This example shows the structure of headers returned by a `cf curl` command, highlighting the `GET` request line which contains the URL path and the `Host` header which contains the URL base. This information is used by GoRouter for routing. ```text REQUEST: [2019-04-24T11:01:49-07:00] GET /networking/v1/external/policies <---- this is the header that contains the URL path HTTP/1.1 Host: api.beanie.c2c.cf-app.com <---- this is the header that contains the URL base Accept: application/json Authorization: [PRIVATE DATA HIDDEN] Content-Type: application/json User-Agent: go-cli 6.43.0+815ea2f3d.2019-02-20 / darwin ``` -------------------------------- ### Install Netcat in Docker Source: https://github.com/cloudfoundry/cf-networking-onboarding/blob/gh-pages/tcp-routes/010-user-workflow.markdown Sets up a container environment with netcat for testing TCP traffic. ```bash docker run --privileged -it ubuntu bin/bash apt-get update -y apt-get install netcat -y ``` -------------------------------- ### Example application response Source: https://github.com/cloudfoundry/cf-networking-onboarding/blob/gh-pages/http-routes/010-user-workflow.markdown JSON response showing the application's listen addresses and port. ```json {"ListenAddresses":["127.0.0.1","10.255.116.44"],"Port":8080} ``` -------------------------------- ### Install the boom benchmarking tool Source: https://github.com/cloudfoundry/cf-networking-onboarding/blob/gh-pages/route-services/010-user-workflow.markdown Use this command to download the boom tool for testing application traffic. ```bash go get github.com/rakyll/boom ``` -------------------------------- ### Example Access Log Entry Source: https://github.com/cloudfoundry/cf-networking-onboarding/blob/gh-pages/http-routes/120-incoming-http-requests-pt-5.markdown Sample output format of a Gorouter access log entry. ```text APP_A_ROUTE - [2021-02-18T21:22:32.355501523Z] "GET / HTTP/1.1" 200 0 62 "-" "curl/7.54.0" "35.191.2.80:51628" "10.0.1.11:61002" x_forwarded_for:"142.105.202.35, 35.227.211.74, 35.191.2.80" x_forwarded_proto:"http" vcap_request_id:"6cb8b8de-bc85-4479-5f90-1c3a52d88d84" response_time:0.011962 gorouter_time:0.000467 app_id:"cabd9e08-384e-4689-b868-1ba3d5d838bf" app_index:"0" x_cf_routererror:"-" x_b3_traceid:"9d30688835227cf3" x_b3_spanid:"9d30688835227cf3" x_b3_parentspanid:"-" b3:"9d30688835227cf3-9d30688835227cf3" ``` -------------------------------- ### Run project locally Source: https://github.com/cloudfoundry/cf-networking-onboarding/blob/gh-pages/README.md Use these commands to clone the repository and start the Jekyll development server. ```bash git clone git@github.com:cloudfoundry/cf-networking-onboarding.git cd cf-networking-onboarding bundle exec jekyll serve --incremental ``` -------------------------------- ### Download and Install NATS CLI Source: https://github.com/cloudfoundry/cf-networking-onboarding/blob/gh-pages/http-routes/050-route-propagation-pt-3.markdown Installs the NATS CLI tool on a Linux system. Ensure you have wget and unzip installed. ```bash wget https://github.com/nats-io/natscli/releases/download/v0.0.32/nats-0.0.32-linux-amd64.zip unzip nats-0.0.32-linux-amd64.zip chmod +x nats-0.0.32-linux-amd64 mv nats-0.0.32-linux-amd64/nats /usr/bin ``` -------------------------------- ### Example VPA chain configuration Source: https://github.com/cloudfoundry/cf-networking-onboarding/blob/gh-pages/c2c/140-dataflow-pt-8.markdown A sample output showing the structure of a VPA chain, including chain creation, traffic marking, logging, and policy enforcement rules. ```bash -N vpa--1555608460726256 -A vpa--1555608460726256 -s 10.255.77.3/32 -m comment --comment "src:2f978b7f-b3d2-4f50-b08f-776634a6e411" -j MARK --set-xmark 0x2/0xffffffff -A vpa--1555608460726256 -d 10.255.77.4/32 -p tcp -m tcp --dport 8080 -m mark --mark 0x2 -m conntrack --ctstate INVALID,NEW,UNTRACKED -j LOG --log-prefix "OK_0002_c7de6123-d906-4c65-9 " -A vpa--1555608460726256 -d 10.255.77.4/32 -p tcp -m tcp --dport 8080 -m mark --mark 0x2 -m comment --comment "src:2f978b7f-b3d2-4f50-b08f-776634a6e411_dst:c7de6123-d906-4c65-9717-c5d040568c76" -j ACCEPT ``` ```bash -N vpa--1555608460726256 ``` ```bash -A vpa--1555608460726256 -s 10.255.77.3/32 -m comment --comment "src:2f978b7f-b3d2-4f50-b08f-776634a6e411" -j MARK --set-xmark 0x2/0xffffffff ``` ```bash -A vpa--1555608460726256 -d 10.255.77.4/32 -p tcp -m tcp --dport 8080 -m mark --mark 0x2 -m conntrack --ctstate INVALID,NEW,UNTRACKED -j LOG --log-prefix "OK_0002_c7de6123-d906-4c65-9 " ``` ```bash -A vpa--1555608460726256 -d 10.255.77.4/32 -p tcp -m tcp --dport 8080 -m mark --mark 0x2 -m comment --comment "src:2f978b7f-b3d2-4f50-b08f-776634a6e411_dst:c7de6123-d906-4c65-9717-c5d040568c76" -j ACCEPT ``` -------------------------------- ### Example Iptables Rules for ASG Source: https://github.com/cloudfoundry/cf-networking-onboarding/blob/gh-pages/asgs/020-asgs-and-iptables.markdown These are example iptables rules that might be generated for an ASG, depending on whether logging is enabled. ```bash # If you have logging enabled -A asg-fd7a -m iprange --dst-range 1.2.3.4-1.2.3.4 -g asg-fd7a-log ``` ```bash # If you don't have logging enabled -A asg-fd7a -m iprange --dst-range 1.2.3.4-1.2.3.4 -j ACCEPT ``` -------------------------------- ### Example GoRouter Route Entry Source: https://github.com/cloudfoundry/cf-networking-onboarding/blob/gh-pages/http-routes/060-route-propagation-pt-4.markdown This is an example of a route entry within the GoRouter's routing table. It shows the route name, the destination address (IP and port) for traffic, and whether TLS is enabled for secure communication. ```json "proxy.meow.cloche.c2c.cf-app.com": [ <------ The name of the route! This should match APP_A_ROUTE { "address": "10.0.1.12:61014", <------ This is where GoRouter will send traffic for this route. This should match DIEGO_CELL_IP:DIEGO_CELL_ENVOY_PORT "tls": true <------ This means Route Integrity is turned on, so the GoRouter will send traffic to this app over TLS } ] ``` -------------------------------- ### Gorouter Handler Setup Source: https://github.com/cloudfoundry/cf-networking-onboarding/blob/gh-pages/gorouter/061-intro-to-handlers-part-2.markdown This code snippet shows how handlers are set up within the Gorouter's proxy component. It demonstrates the chaining of different handlers to process requests. ```go func NewGorouter(config Config, logger *log.Log, reporter reporter.Reporter, tracer tracer.Tracer) http.Handler { proxy := NewProxy(config, logger, reporter, tracer) handlers := []http.Handler{ // ... other handlers NewAccessLog(proxy), NewReporter(proxy), NewHTTPRewrite(proxy), NewProxyHealthcheck(proxy), NewZipkin(proxy), } var handler http.Handler handler = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { // Default handler proxy.ServeHTTP(w, r) }) for _, h := range handlers { handler = ChainHandler(h, handler) } return handler } ``` -------------------------------- ### Example Allow Log Entry Source: https://github.com/cloudfoundry/cf-networking-onboarding/blob/gh-pages/c2c/160-logging.markdown A sample log output indicating that traffic was permitted by iptables rules. ```text 2019-04-18T18:21:00.670494+00:00 localhost kernel: [23442.243710] OK_0002_c7de6123-d906-4c65-9 <----- OK means that the traffic was allowed by iptables rules. IN=s-010255077003 OUT=s-010255077004 MAC=aa:aa:0a:ff:4d:03:ee:ee:0a:ff:4d:03:08:00 SRC=10.255.77.3 DST=10.255.77.4 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=35333 DF PROTO=TCP SPT=41330 DPT=8080 WINDOW=27400 RES=0x00 SYN URGP=0 MARK=0x2 <----- Successful logs also include the mark of the source app. ``` -------------------------------- ### Identify Custom PREROUTING Chains Source: https://github.com/cloudfoundry/cf-networking-onboarding/blob/gh-pages/http-routes/090-incoming-http-requests-pt-2.markdown Example output showing custom chains attached to the PREROUTING chain for applications on a Diego Cell. ```bash -A PREROUTING -j netin--a0d2b217-fa7d-4ac1-65 -A PREROUTING -j netin--317736ed-70ac-4087-74 ... ``` -------------------------------- ### UAAC context output Source: https://github.com/cloudfoundry/cf-networking-onboarding/blob/gh-pages/tcp-routes/050-tcp-routes-table.markdown Example output showing the bearer token and scopes. ```text client_id: routing_api_client access_token: eyJhbGciOiJ <------- This is the BEARER_TOKEN that you will need. Yours will be longer. token_type: bearer expires_in: 43199 scope: routing.router_groups.read routing.routes.write routing.routes.read ``` -------------------------------- ### Install UAAC CLI Source: https://github.com/cloudfoundry/cf-networking-onboarding/blob/gh-pages/tcp-routes/050-tcp-routes-table.markdown Command to install the UAA command line interface via RubyGems. ```bash gem install cf-uaac ``` -------------------------------- ### Install iptables and curl in Docker Source: https://github.com/cloudfoundry/cf-networking-onboarding/blob/gh-pages/iptables-primer/010-write-your-own-drop.markdown Updates package lists and installs the iptables and curl utilities within the Ubuntu container. These are necessary for managing firewall rules and testing network connectivity. ```bash apt-get update apt-get install iptables apt-get install curl ``` -------------------------------- ### Claim a Spot for Onboarding Source: https://github.com/cloudfoundry/cf-networking-onboarding/blob/gh-pages/FACILITATION.md This message outlines the steps for interested individuals to claim a spot in the CF Networking Onboarding. Participants need to confirm availability, get manager approval, and DM the facilitator with specific details. The deadline for claiming a spot is also mentioned. ```text 🙋‍♀️ How to claim a spot 1. Make sure you are available [DATE] 2. Get approval from your manager to attend. 3. DM [FACILITATOR] to claim your spot. * tell them you have manager approval. * tell them what timezone + hours you typically work. * tell them if you are interested in being a facilitator for future onboardings. Due date: Let [FACILITATOR] know you can attend by [ONE WEEK BEFORE ONBOARDING STARTS]. ``` -------------------------------- ### Record Route Value Source: https://github.com/cloudfoundry/cf-networking-onboarding/blob/gh-pages/http-routes/030-route-propagation-pt-1.markdown Placeholder for recording the specific route value generated during the setup process. ```text APP_A_ROUTE= ``` -------------------------------- ### Example Route Registration Message Source: https://github.com/cloudfoundry/cf-networking-onboarding/blob/gh-pages/http-routes/050-route-propagation-pt-3.markdown This is an example of a route registration message received via NATS. It contains details about the application, its URIs, and network information. ```json { "host": "10.0.1.12", "port": 61012, "tls_port": 61014, "uris": [ "proxy.meow.cloche.c2c.cf-app.com" <--- This should match APP_A_ROUTE ], "app": "6856799f-aebf-4e2b-81a5-28c74dfb6162", "private_instance_id": "a0d2b217-fa7d-4ac1-65a2-7b19", "private_instance_index": "0", "server_cert_domain_san": "a0d2b217-fa7d-4ac1-65a2-7b19", "tags": { "component": "route-emitter" } } ``` -------------------------------- ### Example Deny Log Entry Source: https://github.com/cloudfoundry/cf-networking-onboarding/blob/gh-pages/c2c/160-logging.markdown A sample log output indicating that traffic was blocked by iptables rules. ```text 2019-04-18T18:01:05.306552+00:00 localhost kernel: [22246.987902] DENY_C2C_f13ffea0-9d0d-4ee9- <----- DENY means that the traffic was blocked by iptables rules. The GUID here is the beginning of the instance GUID that we have seen before. IN=s-010255077003 <----- The interface of the source app (This seems backwards given that this is IN, I'm not sure why this is). OUT=s-010255077004 <----- The interface of the destination app (This seems backwards given that this is OUT, I'm not sure why this is). MAC=aa:aa:0a:ff:4d:03:ee:ee:0a:ff:4d:03:08:00 <----- This is a combination of the mac address of the source app's container network interface and the mac address of the source Diego Cell's VTEP. SRC=10.255.77.3 <----- The overlay IP of the source app DST=10.255.77.4 <----- The overlay IP of the destination app LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=12504 DF PROTO=TCP SPT=39304 DPT=8080 WINDOW=27400 RES=0x00 SYN URGP=0 ``` -------------------------------- ### Inspect DNAT Rules for Application Source: https://github.com/cloudfoundry/cf-networking-onboarding/blob/gh-pages/http-routes/090-incoming-http-requests-pt-2.markdown Example of iptables rules performing DNAT to redirect traffic to the container overlay IP and specific ports. ```bash -A netin--a0d2b217-fa7d-4ac1-65 -d 10.0.1.12/32 -p tcp -m tcp --dport 61012 -j DNAT --to-destination 10.255.116.6:8080 -A netin--a0d2b217-fa7d-4ac1-65 -d 10.0.1.12/32 -p tcp -m tcp --dport 61013 -j DNAT --to-destination 10.255.116.6:2222 -A netin--a0d2b217-fa7d-4ac1-65 -d 10.0.1.12/32 -p tcp -m tcp --dport 61014 -j DNAT --to-destination 10.255.116.6:61001 -A netin--a0d2b217-fa7d-4ac1-65 -d 10.0.1.12/32 -p tcp -m tcp --dport 61015 -j DNAT --to-destination 10.255.116.6:61002 ``` -------------------------------- ### View GoRouter Routes Table Entry Source: https://github.com/cloudfoundry/cf-networking-onboarding/blob/gh-pages/route-integrity/020-checking-san-for-route-integrity.markdown Example of a route entry in the GoRouter table showing the server_cert_domain_san field. ```json "proxy.apps.mitre.c2c.cf-app.com": [ { "address": "10.0.1.18:61022", "tls": true, "ttl": 120, "tags": { "component": "route-emitter" }, "private_instance_id": "16b6f1fc-347c-4565-71e0-bf7f", "server_cert_domain_san": "16b6f1fc-347c-4565-71e0-bf7f" <------- This is the SAN that GoRouter is matching against. }, } ``` -------------------------------- ### Analyze GoRouter failure logs Source: https://github.com/cloudfoundry/cf-networking-onboarding/blob/gh-pages/route-integrity/010-route-integrity-demonstration.markdown Example JSON logs showing the GoRouter pruning a failed endpoint due to a hostname mismatch during a misrouting event. ```json {"log_level":3,"timestamp":1554761639.745829,"message":"prune-failed-endpoint","source":"vcap.gorouter.registry","data":{"route-endpoint":{"ApplicationId":"bf1cdd21-ed5b-429b-93ef-f74a4aadc55f","Addr":"10.0.1.13:61010","Tags":{"component":"route-emitter"},"RouteServiceUrl":""}}} {"log_level":3,"timestamp":1554761639.7473993,"message":"backend-endpoint-failed","source":"vcap.gorouter","data":{"route-endpoint":{"ApplicationId":"bf1cdd21-ed5b-429b-93ef-f74a4aadc55f","Addr":"10.0.1.13:61010","Tags":{"component":"route-emitter"},"RouteServiceUrl":""},"error":"x509: certificate is valid for 0c2ca10a-0c19-4288-68e8-8d1f, not e5fdb45c-1b41-4602-45ac-b49e","attempt":1,"vcap_request_id":"3673ccd9-44ee-4d81-4a45-0ea75a96121c"}} ``` -------------------------------- ### Get ASG Details Source: https://github.com/cloudfoundry/cf-networking-onboarding/blob/gh-pages/asgs/020-asgs-and-iptables.markdown Retrieve the IP addresses allowed by your specific ASG. Save these for future reference. ```bash cf security-group MY_ASG_NAME ``` -------------------------------- ### Example actualLRP JSON Record Source: https://github.com/cloudfoundry/cf-networking-onboarding/blob/gh-pages/http-routes/040-route-propagation-pt-2.markdown A sample JSON structure representing an actualLRP record returned by the BBS API. ```json { "process_guid": "5215a757-4f16-42c2-bbc5-610834372938-6ecb7b0c-e87b-474b-9767-770a7bdf2913", "index": 0, "domain": "cf-apps", "instance_guid": "e85052a7-a8ab-41be-4f9c-2d8b", "cell_id": "93f6b820-ea42-4d88-8fb6-0c9b6349b95f", "address": "10.0.1.12", "ports": [ { "container_port": 8080, "host_port": 0, "container_tls_proxy_port": 61001, "host_tls_proxy_port": 61002 }, { "container_port": 8080, "host_port": 0, "container_tls_proxy_port": 61443, "host_tls_proxy_port": 0 }, { "container_port": 2222, "host_port": 0, "container_tls_proxy_port": 61002, "host_tls_proxy_port": 61003 } ], "instance_address": "10.255.213.150", "preferred_address": "HOST", "crash_count": 0, "state": "RUNNING", "since": 1651054607341185300, "modification_tag": { "epoch": "cebd47c2-68e8-4d4b-79ce-937ea0017c14", "index": 2 }, "presence": "ORDINARY" } ``` -------------------------------- ### Create ASG JSON Definition Source: https://github.com/cloudfoundry/cf-networking-onboarding/blob/gh-pages/asgs/003-storing-and-syncing.markdown Define a new Application Security Group (ASG) using a JSON file. This example creates an ASG that allows all protocols to a specific IP address. ```json [ { "protocol": "all", "destination": "1.2.3.4" } ] ``` -------------------------------- ### Compile and Deploy HTTP Server Source: https://github.com/cloudfoundry/cf-networking-onboarding/blob/gh-pages/route-registrar/010-workflow-without-rr.markdown Commands to compile the Go server for Linux and deploy the binary to the BOSH instance group via SCP and SSH. ```bash GOOS=linux go build go-server.go # <----- compile the golang server bosh scp go-server my-http-server:/tmp/go-server # <----- copy the compiled server to both instances of my-http-server bosh ssh my-http-server -c "sudo mv /tmp/go-server /bin/go-server" # <----- move the compiled server to the /bin/ directory on both instances of my-http-server ``` -------------------------------- ### List Cloud Foundry applications Source: https://github.com/cloudfoundry/cf-networking-onboarding/blob/gh-pages/http-routes/010-user-workflow.markdown Displays all applications and their associated routes. ```bash cf apps ``` -------------------------------- ### Deploy the proxy application Source: https://github.com/cloudfoundry/cf-networking-onboarding/blob/gh-pages/get-started/030-meet-proxy.markdown Push the proxy application to the Cloud Foundry environment with the name appA. ```bash cf push appA ``` -------------------------------- ### TCP route entry structure Source: https://github.com/cloudfoundry/cf-networking-onboarding/blob/gh-pages/tcp-routes/050-tcp-routes-table.markdown Example JSON structure of a TCP route entry. ```json { "router_group_guid": "e47c747a-d655-4ea8-5f1a-b59f21ad7852", "backend_port": 61004, <--------- This is the backend port "backend_ip": "10.0.1.12", <--------- This is the Diego Cell IP "port": 1025, <--------- This is the route port "isolation_segment": "" } ``` -------------------------------- ### Create and Target Org/Space Source: https://github.com/cloudfoundry/cf-networking-onboarding/blob/gh-pages/get-started/020-set-up-your-environment.markdown Use this function to create a new organization and space, then set them as your target. Ensure you have CF admin credentials. ```bash cf_seed () { cf create-org o; cf create-space -o o s; cf target -o o -s s } ``` -------------------------------- ### Manage Network Namespaces Source: https://github.com/cloudfoundry/cf-networking-onboarding/blob/gh-pages/c2c/050-dataflow-pt-1.markdown Commands to create, list, and execute processes within a custom network namespace. ```bash ip netns add meow ``` ```bash ip netns ``` ```bash ip netns exec meow curl google.com ``` -------------------------------- ### Download BOSH manifest Source: https://github.com/cloudfoundry/cf-networking-onboarding/blob/gh-pages/tcp-routes/050-tcp-routes-table.markdown Command to retrieve the current environment manifest. ```bash bosh manifest > /tmp/my-env.yml ``` -------------------------------- ### Handle unauthorized error response Source: https://github.com/cloudfoundry/cf-networking-onboarding/blob/gh-pages/tcp-routes/050-tcp-routes-table.markdown Example of the JSON error response received when lacking proper permissions. ```json {"name":"UnauthorizedError","message":"Token is expired"} ``` -------------------------------- ### Navigate to the proxy application directory Source: https://github.com/cloudfoundry/cf-networking-onboarding/blob/gh-pages/get-started/030-meet-proxy.markdown Change the working directory to the location of the proxy source code. ```bash cd ~/workspace/cf-networking-release/src/example-apps/proxy ``` -------------------------------- ### Clone the cf-networking-release repository Source: https://github.com/cloudfoundry/cf-networking-onboarding/blob/gh-pages/get-started/030-meet-proxy.markdown Download the source code for the networking release to access the proxy application. ```bash git clone https://github.com/cloudfoundry/cf-networking-release ``` -------------------------------- ### Retrieve Application GUID Source: https://github.com/cloudfoundry/cf-networking-onboarding/blob/gh-pages/http-routes/040-route-propagation-pt-2.markdown Use the Cloud Foundry CLI to fetch the unique identifier for a specific application. ```bash cf app appA --guid ``` -------------------------------- ### View project directory structure Source: https://github.com/cloudfoundry/cf-networking-onboarding/blob/gh-pages/README.md Displays the project file layout to identify where to edit stories and configuration files. ```bash $ tree # output edited to show the most important dirs and files. . ├── _data │   ├── navigation.yml # This is where you edit the sidebars and top menu │   └── ui-text.yml ├── _site # DON'T touch anything in here! This is generated! ├── about.markdown # the about page in the main menu ├── asgs # edit asg stories here │   ├── 000-intro.markdown │   ├── ... ├── bosh-dns # edit bosh dns stories here │   ├── 000-intro.markdown │   ├── ... ├── c2c # edit c2c stories here │   ├── 000-intro.markdown │   ├── ... ├── curriculum.markdown # the curriculum page in the main menu ├── get-started # edit the get started stories here │   ├── 000-intro.markdown │   ├── ... ├── gorouter #edit the gorouter stories here │   ├── 000-intro.markdown │   ├── ... ├── http-routes # edit the http route stories here │   ├── 000-landing-page.markdown │   ├── ... ├── index.markdown # the index page ├── interrupts # edit the interrupt stories here │   ├── 000-intro.markdown │   ├── ... ├── iptables-primer # edit the iptables stories here │   ├── 000-intro.markdown │   ├── ... ├── route-integrity # edit the route integrity stories here │   ├── 000-intro.markdown │   ├── ... ├── route-registrar # edit the route registrar stories here │   ├── 000-intro.markdown │   ├── ... ├── route-services # edit the route services stories here │   ├── 000-introduction.markdown │   ├── ... ├── service-discovery # edit the service discovery stories here │   ├── 000-intro.markdown │   ├── ... └── tcp-routes # edit the tcp route stories here ├── 000-intro.markdown    ├── ... ``` -------------------------------- ### Configure BOSH DNS Adapter Internal Domains Source: https://github.com/cloudfoundry/cf-networking-onboarding/blob/gh-pages/service-discovery/010-user-flow-internal-domain.markdown Example of the internal_domains property configuration within a BOSH manifest. ```yaml internal_domains: - apps.internal. ``` -------------------------------- ### Explain CF Networking Onboarding Source: https://github.com/cloudfoundry/cf-networking-onboarding/blob/gh-pages/FACILITATION.md This message provides a detailed explanation of the CF Networking Onboarding, including its goals, covered features and topics, target audience, and time commitment. It also clarifies the meaning of '[TIMEZONE] friendly'. ```text 💡 What is it? During this onboarding individuals take a week away from their teams and go through a series of stories to learn about the the networking and routing domain of CF. The goals of this onboarding is to introduce people to the breadth of networking and routing features, dive deep into how these features are implemented "under-the-hood", and how to debug these features. ✅ Features Covered: Application Security Groups (ASGs), HTTP Routes, Route Integrity, Route Services , TCP Routes, Container to Container Networking, Service Discovery for Container to Container Networking ✅ Topics Covered: Iptables rules, Network namespaces, Network interfaces, Routes table, Overlay vs Underlay, VXLAN, ARP table, Debugging with tcpdump ❓ Who can participate? This onboarding is useful for anyone who spends their time debugging Cloud Foundry or needs to understand Cloud Foundry deeply. This includes: R&D eng, PAs, customer engineers, PMs, and probably others! This onboarding assumes a working knowledge about bosh so it helps to have at least 6 months of CF experience under your belt before participating. ❓ A full week?? It is super hard for me to take that much time away. Can I attend other meetings? Yes. A full week. If you need to step away for a meeting here or there, that is okay. But you will not have time to do your normal job during this onboarding. ❓ What does [TIMEZONE] friendly mean? Onboarders work together and often pair. In order for this to work, it helps if all participants work in near-ish timezones. This onboarding session is intended for [TIMEZONE] participants. If you do not work [TIMEZONE] hours, feel free to DM me and I will place you on a list to be notified about future onboardings for your timezone. ``` -------------------------------- ### List Network Interfaces with ifconfig Source: https://github.com/cloudfoundry/cf-networking-onboarding/blob/gh-pages/c2c/060-dataflow-pt-2.markdown Use `ifconfig` to view network interfaces on a system. This is an older method for network interface inspection. ```bash ifconfig ``` -------------------------------- ### Inspect GoRouter Configuration Source: https://github.com/cloudfoundry/cf-networking-onboarding/blob/gh-pages/http-routes/060-route-propagation-pt-4.markdown This command displays the GoRouter configuration file, which contains credentials needed to access the routing API. Ensure you have root privileges on the router VM. ```bash head /var/vcap/jobs/gorouter/config/gorouter.yml ``` -------------------------------- ### View Route Destinations Source: https://context7.com/cloudfoundry/cf-networking-onboarding/llms.txt Retrieve the destinations (app mappings) for a specific route using its GUID via the Cloud Controller API. ```bash cf curl /v3/routes/ROUTE_GUID/destinations ``` -------------------------------- ### Create User-Provided Service for Route Source: https://github.com/cloudfoundry/cf-networking-onboarding/blob/gh-pages/route-services/020-exploiting-route-services.markdown Use this command to create a user-provided service that specifies a URL for a route service. This is a prerequisite for binding the route service to an application's route. ```bash cf create-user-provided-service MY_SERVICE -r MY_SERVICE_URL ``` -------------------------------- ### Inspect System and Container Networking Source: https://github.com/cloudfoundry/cf-networking-onboarding/blob/gh-pages/c2c/050-dataflow-pt-1.markdown Commands to view host network interfaces, log directories, and interact with BPM containers. ```bash ifconfig ``` ```bash ls /var/vcap/sys/log ``` ```bash bpm list ``` ```bash bpm shell vxlan-policy-agent ``` -------------------------------- ### Configure Route Registrar in BOSH manifest Source: https://github.com/cloudfoundry/cf-networking-onboarding/blob/gh-pages/route-registrar/020-workflow-with-rr.markdown Example configuration for the route_registrar job within an instance group, including NATS TLS settings and route definitions. ```yaml instance_groups: - azs: - z1 instances: 2 jobs: - name: route_registrar properties: nats: tls: client_cert: ((nats_client_cert.certificate)) client_key: ((nats_client_cert.private_key)) enabled: true route_registrar: routes: - name: meow-route # <<< Add this new stuff to routes port: 9994 # <<< registration_interval: 10s # <<< uris: # <<< - meow.SYSTEM_DOMAIN # <<< Make sure to replace SYSTEM_DOMAIN. You can also replace meow if you want. But why would you? release: routing name: my-http-server networks: - name: default stemcell: default update: serial: true vm_type: minimal ``` -------------------------------- ### Create CF Org and Space Source: https://context7.com/cloudfoundry/cf-networking-onboarding/llms.txt Helper function to create a new organization and space for Cloud Foundry exercises, then target them. ```bash cf_seed() { cf create-org o cf create-space -o o s cf target -o o -s s } cf_seed ``` -------------------------------- ### Route Registrar Analogy Source: https://github.com/cloudfoundry/cf-networking-onboarding/blob/gh-pages/route-registrar/001-vocab.markdown A conceptual comparison between Route Registrar and standard Cloud Foundry app routing. ```text Route Registrar:CF Components::cf map-route:CF Apps ``` -------------------------------- ### Monitor AppB Connectivity via Internal Route Source: https://github.com/cloudfoundry/cf-networking-onboarding/blob/gh-pages/service-discovery/001-user-flow.markdown Continuously check connectivity to AppB using its newly mapped internal route. This demonstrates successful service discovery setup. ```bash watch "curl -sS appB.apps.internal:8080" ``` -------------------------------- ### Iptables Command Help Source: https://github.com/cloudfoundry/cf-networking-onboarding/blob/gh-pages/asgs/020-asgs-and-iptables.markdown Use these commands to understand the meaning of different iptables flags. Record the definitions for later reference. ```bash -A ... ``` ```bash -m ... ``` ```bash --dst-range ... ``` ```bash -g ... ``` ```bash -j ... ``` -------------------------------- ### Welcome Onboarders to Slack Channel Source: https://github.com/cloudfoundry/cf-networking-onboarding/blob/gh-pages/FACILITATION.md A welcome message for participants joining the Slack channel for the CF Networking Onboarding. It provides an overview of the week, introduces the facilitator, outlines the learning approach, and includes action items for the onboarders. ```text Welcome [ONBOARDERS] 🎉 You have signed up for CF Networking Onboarding for the week of [DATE]. I wanted to get in touch with everyone and give you an idea about what to expect that week. 💬 For starters, your facilitator, [FACILITATOR], will continue working their "day job" but will check in a few times a day to answer questions and make sure everyone is going well. They will also be there for stand ups, and will lead some sessions on the architecture of some of the Cloud Foundry networking and routing systems. You should have just gotten these calendar invites. 👷‍♀️👩‍⚕️🧟‍♀️ This is a group with different backgrounds and skills. The stories can get a bit technical, but by and large you'll be going through actual user journeys and then jumping in to debug them -- HTTP Routes, TCP Routes, container-to-container networking policies, route integrity, etc. Please help each other out as much as possible, write down what you learn, and think about how difficulties you have with the stories could be feedback for this onboarding or for teams that build the products you're using. 🍐 There is a lot of timezone overlap in this group! We will chat as a group on Friday at the "Welcome to CF Networking Onboarding" event about how we want to handle pairing. 🛠 This onboarding is a full week of work. You should expect to not being doing any other team work during the week, but if you need to jump out for a meeting here or there that is okay. 👉 Action Items for you * Think about if you want to pair during the week or work solo. * Do the [pre-work](https://cloudfoundry.github.io/cf-networking-onboarding/recommended-reading/)! * Otherwise, if you have any questions, feel free to reply here. ``` -------------------------------- ### Get App B's Internal IP Source: https://github.com/cloudfoundry/cf-networking-onboarding/blob/gh-pages/c2c/001-user-workflow.markdown Retrieve the internal overlay IP address for 'appB'. This IP is used for direct communication between containers and is necessary for configuring network policies and making direct connections. ```bash cf ssh appB -c "env | grep CF_INSTANCE_INTERNAL_IP" ``` -------------------------------- ### Check Bosh DNS Process Binding Source: https://github.com/cloudfoundry/cf-networking-onboarding/blob/gh-pages/bosh-dns/020-requirements.markdown Use netstat to verify the IP address and port that the Bosh DNS process is listening on. This helps confirm the BOSH_DNS_IP. ```bash netstat -tulpn ``` -------------------------------- ### Push TCP Listener App Source: https://context7.com/cloudfoundry/cf-networking-onboarding/llms.txt Deploy an application designed to listen for raw TCP traffic, without an associated HTTP route. ```bash cf push tcp-app --no-route ``` -------------------------------- ### List Security Groups via Cloud Controller API Source: https://github.com/cloudfoundry/cf-networking-onboarding/blob/gh-pages/asgs/003-storing-and-syncing.markdown Retrieve a list of all security groups configured in Cloud Foundry by making a GET request to the v3 CAPI endpoint. This is useful for verifying the creation and existence of custom ASGs. ```bash cf curl /v3/security_groups ``` -------------------------------- ### List Network Interfaces with ip link Source: https://github.com/cloudfoundry/cf-networking-onboarding/blob/gh-pages/c2c/060-dataflow-pt-2.markdown Use `ip link list` to display network interfaces. This is the modern and recommended command for network interface management. ```bash ip link list ``` -------------------------------- ### Policy Server ASG Syncer Lock Collision Error Source: https://github.com/cloudfoundry/cf-networking-onboarding/blob/gh-pages/asgs/003-storing-and-syncing.markdown An example log message indicating a 'lock-collision' error from the Policy Server ASG Syncer. This signifies that multiple syncer instances are attempting to acquire the same lock, and only one should be active at a time. ```json { "timestamp": "2024-09-06T19:15:54.962147693Z", "level": "error", "source": "cfnetworking.policy-server-asg-syncer", "message": "cfnetworking.policy-server-asg-syncer.locket-lock.failed-to-acquire-lock", "data": { "error": "rpc error: code = AlreadyExists desc = lock-collision", "lock": { "key": "policy-server-asg-syncer", "owner": "9bbc1c96-f033-486b-a8ca-b240bb86a188", "type": "lock", "type_code": 1 } } } ``` -------------------------------- ### View Available Domains Source: https://context7.com/cloudfoundry/cf-networking-onboarding/llms.txt List all domains available in the Cloud Foundry environment, paying attention to those marked as 'internal' for service discovery. ```bash cf domains ``` -------------------------------- ### Debug Network Traffic with Tcpdump Source: https://context7.com/cloudfoundry/cf-networking-onboarding/llms.txt Demonstrates how to use tcpdump on a Diego Cell to inspect network traffic for debugging C2C networking issues. It covers getting overlay IPs, continuously curling between apps, SSHing to the Diego Cell, and filtering packets. ```bash # Get overlay IPs for both apps cf ssh appA -c "env | grep CF_INSTANCE_INTERNAL_IP" cf ssh appB -c "env | grep CF_INSTANCE_INTERNAL_IP" # Continuously curl from appA to appB watch -n 15 curl -sS APP_A_ROUTE/proxy/APP_B_OVERLAY_IP:8080 # SSH to Diego Cell and run tcpdump bosh ssh diego-cell/INSTANCE_GUID sudo -i # Filter packets between overlay IPs on any interface tcpdump -n src 10.255.77.3 and dst 10.255.77.4 -i any # Look for response packets tcpdump -n src 10.255.77.4 and dst 10.255.77.3 -i any # Add C2C policy and observe successful packets cf add-network-policy appA appB --protocol tcp --port 8080 ``` -------------------------------- ### Tail Gorouter Access Logs Source: https://github.com/cloudfoundry/cf-networking-onboarding/blob/gh-pages/http-routes/120-incoming-http-requests-pt-5.markdown Command to monitor real-time access logs on the Router VM. ```bash tail -f /var/vcap/sys/log/gorouter/access.log ``` -------------------------------- ### List C2C Policies via Internal Policy Server API Source: https://github.com/cloudfoundry/cf-networking-onboarding/blob/gh-pages/c2c/070-dataflow-pt-3.markdown Use this JSON structure to view all c2c policies, including source and destination app GUIDs and their associated marks (tags). This is useful for verifying that the mark in an iptables rule matches the application's mark. ```json { "total_policies": 1, "policies": [ { "source": { "id": "90ff1b89-a69d-4c77-b1bd-415ae09833ed", <------- AppA guid "tag": "0004" <------- AppA mark, should match what you saw in the iptables rule above }, "destination": { "id": "0babce4f-6739-4fc8-8f74-01f11179bfe5", <------- AppB guid "tag": "0005", <------- AppB mark "protocol": "tcp", "ports": { "start": 8080, "end": 8080 } } } ] } ``` -------------------------------- ### Map Custom Route to Multiple Apps Source: https://context7.com/cloudfoundry/cf-networking-onboarding/llms.txt Create a custom hostname route and map it to multiple applications, enabling shared access. ```bash cf map-route appA apps.example.com --hostname my-route cf map-route appB apps.example.com --hostname my-route ``` -------------------------------- ### Perform DNS Lookup with Custom Server Source: https://github.com/cloudfoundry/cf-networking-onboarding/blob/gh-pages/bosh-dns/050-requests-for-aliases.markdown General syntax for performing DNS lookups optionally specifying a target server IP. ```bash dig URL [@SERVER_IP] # for example dig neopets.com # OR dig neopets.com @169.254.4.4 ``` -------------------------------- ### View Cloud Controller Apps Source: https://context7.com/cloudfoundry/cf-networking-onboarding/llms.txt Retrieve a list of all applications managed by the Cloud Controller API. ```bash cf curl /v3/apps ``` -------------------------------- ### View all security groups Source: https://github.com/cloudfoundry/cf-networking-onboarding/blob/gh-pages/asgs/001-user-workflow.markdown List all security groups currently defined in the foundation. ```bash cf security-groups ``` -------------------------------- ### Map TCP Route to Application Source: https://context7.com/cloudfoundry/cf-networking-onboarding/llms.txt Maps a TCP route to an application and demonstrates how to test the mapping using curl for HTTP over TCP and netcat for raw TCP connections. Ensure the application is running and accessible via the specified route. ```bash # Map TCP route to app cf map-route tcp-app tcp.example.com # Outputs assigned port, e.g., tcp.example.com:1024 # Test with curl (HTTP over TCP) cf logs tcp-app & curl tcp.example.com:1024 # Test with netcat for raw TCP docker run --privileged -it ubuntu bin/bash apt-get update -y && apt-get install netcat -y nc tcp.example.com 1024 # Type anything and press enter - see it in app logs ``` -------------------------------- ### Create and Verify Internal Domain Source: https://github.com/cloudfoundry/cf-networking-onboarding/blob/gh-pages/service-discovery/010-user-flow-internal-domain.markdown Commands to create a shared internal domain and verify its status in the Cloud Foundry environment. ```bash cf create-shared-domain meow.meow.meow --internal ``` ```bash $ cf domains Getting domains in org o as admin... name status type details meow.meow.meow shared internal ``` -------------------------------- ### Configure Bosh DNS alias in manifest Source: https://github.com/cloudfoundry/cf-networking-onboarding/blob/gh-pages/bosh-dns/030-dns-alias.markdown Add the provides and custom_provider_definitions blocks to the instance group configuration in your deployment manifest. ```yaml instance_groups: - azs: - z1 instances: 2 jobs: - name: route_registrar properties: { redacted for brevity } release: routing provides: # < ------------ Add this block to add a Bosh DNS alias my_custom_link: # < ------------ aliases: # < ------------ - domain: "meow.meow" # < ------------ Make the domain anything you want :D health_filter: "healthy" # < ------------ Record the domain you choose as HTTP_SERVER_ALIAS custom_provider_definitions: # < ------------ - name: my_custom_link # < ------------ type: my_custom_link_type # < ------------ name: my-http-server # remaining yaml redacted for brevity ``` -------------------------------- ### Access App B from App A Source: https://github.com/cloudfoundry/cf-networking-onboarding/blob/gh-pages/c2c/001-user-workflow.markdown Enter the 'appA' container and use 'curl' to attempt a connection to 'appB' on its internal IP and port. Initially, this is expected to fail due to the absence of a network policy. ```bash cf ssh appA ``` ```bash watch "curl -Ssk :8080" ``` -------------------------------- ### Define Bosh DNS environment variables Source: https://github.com/cloudfoundry/cf-networking-onboarding/blob/gh-pages/bosh-dns/040-records-table.markdown Placeholder values for Bosh DNS configuration variables used in previous deployment steps. ```text BOSH_DNS_IP= NON_BOSH_DNS_IP= HTTP_SERVER_ALIAS= ``` -------------------------------- ### Benchmark Application Performance Source: https://context7.com/cloudfoundry/cf-networking-onboarding/llms.txt Benchmarks an application's performance using the 'boom' tool, first without a route service and then with a rate-limiting route service bound to the application's route. This helps in understanding the impact of route services on response times and error rates. ```bash # Benchmark without route service go get github.com/rakyll/boom boom -n 100 -c 10 -q 10 http://APP_A_ROUTE # Status code distribution: # [200] 100 responses # Bind rate limiting route service cf create-user-provided-service rate-limiter -r https://rate-limiter.example.com cf bind-route-service apps.example.com rate-limiter --hostname appA # Benchmark with route service boom -n 100 -c 10 -q 10 http://appA.apps.example.com # Status code distribution: # [200] 2 responses # [429] 98 responses ``` -------------------------------- ### Generate Mark Rules in VXLAN Policy Agent Source: https://github.com/cloudfoundry/cf-networking-onboarding/blob/gh-pages/c2c/070-dataflow-pt-3.markdown This Go code snippet demonstrates how the vxlan policy agent iterates through source applications to create mark rules. It's part of the planner component that translates policy information into iptables rules. ```go for _, app := range apps { rule := rules.NewMarkSetRule(app.Mark) ipt.Insert(rule) } ``` -------------------------------- ### Dissected actualLRP Configuration Source: https://github.com/cloudfoundry/cf-networking-onboarding/blob/gh-pages/http-routes/040-route-propagation-pt-2.markdown A annotated JSON snippet highlighting key networking fields within an actualLRP record. ```json { "process_guid": "ab2bd185-9d9a-4628-9cd8-626649ec5432-cb50adac-6861-4f03-92e4-9fcc1a204a1e", "index": 0, "cell_id": "d8d4f5fe-36f2-4f50-8c4a-8df293f6bc5b", "address": "10.0.1.12", <------ DIEGO_CELL_IP "ports": [ { "container_port": 8080, <------ CONTAINER_APP_PORT "host_port": 0, <------ DIEGO_CELL_APP_PORT "container_tls_proxy_port": 61001, <------ CONTAINER_ENVOY_PORT "host_tls_proxy_port": 61002 <------ DIEGO_CELL_ENVOY_PORT }, { "container_port": 8080, <------- FOR_C2C "host_port": 0, <------- FOR_C2C "container_tls_proxy_port": 61443, <------- FOR_C2C "host_tls_proxy_port": 0 <------- FOR_C2C }, { "container_port": 2222, <------ CONTAINER_SSH_PORT "host_port": 0, <------ DIEGO_CELL_SSH_PORT "container_tls_proxy_port": 61002, <------ CONTAINER_ENVOY_SSH_PORT "host_tls_proxy_port": 61003 <------ DIEGO_CELL_ENVOY_SSH_PORT } ], "instance_address": "10.255.116.6", <------ The overlay IP address of this app instance, let's call this the OVERLAY_IP "state": "RUNNING", ... } ``` -------------------------------- ### Find Policy Server ASG Syncer VM Source: https://github.com/cloudfoundry/cf-networking-onboarding/blob/gh-pages/asgs/003-storing-and-syncing.markdown Identify the virtual machine running the Policy Server ASG Syncer process using the 'bosh is --ps' command. This is a prerequisite for accessing and modifying the syncer's configuration. ```bash bosh is --ps | grep policy-server-asg-syncer ``` -------------------------------- ### Manage TCP Router Groups and Domains Source: https://github.com/cloudfoundry/cf-networking-onboarding/blob/gh-pages/tcp-routes/010-user-workflow.markdown Commands to list available router groups and create a shared TCP domain. ```bash cf router-groups ``` ```bash cf create-shared-domain TCP_DOMAIN --router-group default-tcp ``` -------------------------------- ### Implementation of NewMarkSetRule Source: https://github.com/cloudfoundry/cf-networking-onboarding/blob/gh-pages/c2c/070-dataflow-pt-3.markdown This Go code shows the implementation of the NewMarkSetRule function, which is responsible for creating the iptables mark set rule. This function is called by the vxlan policy agent's planner. ```go func NewMarkSetRule(mark uint32) *iptables.Rule { return iptables.NewRule( iptables.RuleTypeMark, []string{fmt.Sprintf("%d", mark)}, ) } ``` -------------------------------- ### Display Bosh DNS Server Information Source: https://github.com/cloudfoundry/cf-networking-onboarding/blob/gh-pages/bosh-dns/020-requirements.markdown View the contents of the /etc/resolv.conf file to identify the IP addresses for Bosh DNS and non-Bosh DNS servers. ```bash cat /etc/resolv.conf ``` -------------------------------- ### Record Application Networking Values Source: https://github.com/cloudfoundry/cf-networking-onboarding/blob/gh-pages/http-routes/040-route-propagation-pt-2.markdown Template for documenting discovered networking values for a specific application instance. ```text APP_A_GUID= DIEGO_CELL_IP= CONTAINER_APP_PORT= DIEGO_CELL_APP_PORT= CONTAINER_ENVOY_PORT= DIEGO_CELL_ENVOY_PORT= OVERLAY_IP= ``` -------------------------------- ### Scale App for Load Balancing Source: https://context7.com/cloudfoundry/cf-networking-onboarding/llms.txt Adjust the number of instances for an application to test automatic load balancing when using internal routes for service discovery. ```bash cf scale appB -i 3 ``` -------------------------------- ### Record Bosh DNS IP values Source: https://github.com/cloudfoundry/cf-networking-onboarding/blob/gh-pages/bosh-dns/030-dns-alias.markdown Placeholder variables for recording Bosh DNS IP addresses from previous configuration steps. ```text BOSH_DNS_IP= NON_BOSH_DNS_IP= ```