Cloud Foundry v170 deployment manifest for OpenStack

cf-170-openstack.yml

<%
director_uuid = 'CHANGEME'
static_ip = 'CHANGEME'
root_domain = "#{static_ip}.xip.io"
deployment_name = 'cf'
cf_release = '170'
protocol = 'http'
common_password = 'c1oudc0wc1oudc0w'
%>
---
name: <%= deployment_name %>
director_uuid: <%= director_uuid %>

releases:
 - name: cf
   version: <%= cf_release %>

compilation:
  workers: 3
  network: default
  reuse_compilation_vms: true
  cloud_properties:
    instance_type: m1.large

update:
  canaries: 0
  canary_watch_time: 30000-600000
  update_watch_time: 30000-600000
  max_in_flight: 32
  serial: false

networks:
  - name: default
    type: dynamic
    cloud_properties:
      security_groups:
        - default
        - bosh
        - cf-private

  - name: external
    type: dynamic
    cloud_properties:
      security_groups:
        - default
        - bosh
        - cf-public

  - name: floating
    type: vip
    cloud_properties: {}

resource_pools:
  - name: common
    network: default
    size: 14
    stemcell:
      name: bosh-openstack-kvm-ubuntu-lucid
      version: latest
    cloud_properties:
      instance_type: m1.small

  - name: large
    network: default
    size: 3
    stemcell:
      name: bosh-openstack-kvm-ubuntu-lucid
      version: latest
    cloud_properties:
      instance_type: m1.medium

jobs:
  - name: nats
    templates:
      - name: nats
      - name: nats_stream_forwarder
    instances: 1
    resource_pool: common
    networks:
      - name: default
        default: [dns, gateway]

  - name: syslog_aggregator
    templates:
      - name: syslog_aggregator
    instances: 1
    resource_pool: common
    persistent_disk: 65536
    networks:
      - name: default
        default: [dns, gateway]

  - name: nfs_server
    templates:
      - name: debian_nfs_server
    instances: 1
    resource_pool: common
    persistent_disk: 65535
    networks:
      - name: default
        default: [dns, gateway]

  - name: postgres
    templates:
      - name: postgres
    instances: 1
    resource_pool: common
    persistent_disk: 65536
    networks:
      - name: default
        default: [dns, gateway]
    properties:
      db: databases

  - name: uaa
    templates:
      - name: uaa
    instances: 1
    resource_pool: common
    networks:
      - name: default
        default: [dns, gateway]

  - name: loggregator
    templates:
      - name: loggregator
    instances: 1
    resource_pool: common
    networks:
      - name: default
        default: [dns, gateway]

  - name: trafficcontroller
    templates:
      - name: loggregator_trafficcontroller
    instances: 1
    resource_pool: common
    networks:
      - name: default
        default: [dns, gateway]

  - name: cloud_controller
    templates:
      - name: cloud_controller_ng
    instances: 1
    resource_pool: common
    networks:
      - name: default
        default: [dns, gateway]
    properties:
      ccdb: ccdb

  - name: cloud_controller_worker
    templates:
      - name: cloud_controller_worker
    instances: 1
    resource_pool: common
    networks:
      - name: default
        default: [dns, gateway]
    properties:
      ccdb: ccdb

  - name: clock_global
    templates:
      - name: cloud_controller_clock
    instances: 1
    resource_pool: common
    networks:
      - name: default
        default: [dns, gateway]
    properties:
      ccdb: ccdb

  - name: etcd
    templates:
      - name: etcd
    instances: 1
    resource_pool: common
    persistent_disk: 10024
    networks:
      - name: default
        default: [dns, gateway]

  - name: health_manager
    templates:
      - name: hm9000
    instances: 1
    resource_pool: common
    networks:
      - name: default
        default: [dns, gateway]

  - name: dea
    templates:
      - name: dea_logging_agent
      - name: dea_next
    instances: 3
    resource_pool: large
    networks:
      - name: default
        default: [dns, gateway]

  - name: router
    templates:
      - name: gorouter
    instances: 1
    resource_pool: common
    networks:
      - name: default
        default: [dns, gateway]

  - name: haproxy
    templates:
      - name: haproxy
    instances: 1
    resource_pool: common
    networks:
      - name: external
        default: [dns, gateway]
      - name: floating
        static_ips:
          - <%= static_ip %>
    properties:
      networks:
        apps: external

properties:
  domain: <%= root_domain %>
  system_domain: <%= root_domain %>
  system_domain_organization: 'admin'
  app_domains:
    - <%= root_domain %>

  haproxy: {}

  networks:
    apps: default

  nats:
    user: nats
    password: <%= common_password %>
    address: 0.nats.default.<%= deployment_name %>.microbosh
    port: 4222
    machines:
      - 0.nats.default.<%= deployment_name %>.microbosh

  syslog_aggregator:
    address: 0.syslog-aggregator.default.<%= deployment_name %>.microbosh
    port: 54321

  nfs_server:
    address: 0.nfs-server.default.<%= deployment_name %>.microbosh
    network: "*.<%= deployment_name %>.microbosh"
    idmapd_domain: "localdomain"

  debian_nfs_server:
    no_root_squash: true

  loggregator_endpoint:
    shared_secret: <%= common_password %>
    host: 0.trafficcontroller.default.<%= deployment_name %>.microbosh

  loggregator:
    servers:
      zone:
        -  0.loggregator.default.<%= deployment_name %>.microbosh

  traffic_controller:
    zone: 'zone'

  logger_endpoint:
    use_ssl: <%= protocol == 'https' %>
    port: 80

  ssl:
    skip_cert_verify: true

  router:
    endpoint_timeout: 60
    status:
      port: 8080
      user: gorouter
      password: <%= common_password %>
    servers:
      z1:
        - 0.router.default.<%= deployment_name %>.microbosh
      z2: []

  etcd:
    machines:
      - 0.etcd.default.<%= deployment_name %>.microbosh

  dea: &dea
    disk_mb: 102400
    disk_overcommit_factor: 2
    memory_mb: 15000
    memory_overcommit_factor: 3    
    directory_server_protocol: <%= protocol %>
    mtu: 1460
    deny_networks:
      - 169.254.0.0/16 # Google Metadata endpoint

  dea_next: *dea

  disk_quota_enabled: false

  dea_logging_agent:
    status:
      user: admin
      password: <%= common_password %>

  databases: &databases
    db_scheme: postgres
    address: 0.postgres.default.<%= deployment_name %>.microbosh
    port: 5524
    roles:
      - tag: admin
        name: ccadmin
        password: <%= common_password %>
      - tag: admin
        name: uaaadmin
        password: <%= common_password %>
    databases:
      - tag: cc
        name: ccdb
        citext: true
      - tag: uaa
        name: uaadb
        citext: true

  ccdb: &ccdb
    db_scheme: postgres
    address: 0.postgres.default.<%= deployment_name %>.microbosh
    port: 5524
    roles:
      - tag: admin
        name: ccadmin
        password: <%= common_password %>
    databases:
      - tag: cc
        name: ccdb
        citext: true

  ccdb_ng: *ccdb

  uaadb:
    db_scheme: postgresql
    address: 0.postgres.default.<%= deployment_name %>.microbosh
    port: 5524
    roles:
      - tag: admin
        name: uaaadmin
        password: <%= common_password %>
    databases:
      - tag: uaa
        name: uaadb
        citext: true

  cc: &cc
    srv_api_uri: <%= protocol %>://api.<%= root_domain %>    
    jobs:
      local:
        number_of_workers: 2
      generic:
        number_of_workers: 2
      global:
        timeout_in_seconds: 14400
      app_bits_packer:
        timeout_in_seconds: null
      app_events_cleanup:
        timeout_in_seconds: null
      app_usage_events_cleanup:
        timeout_in_seconds: null
      blobstore_delete:
        timeout_in_seconds: null
      blobstore_upload:
        timeout_in_seconds: null
      droplet_deletion:
        timeout_in_seconds: null
      droplet_upload:
        timeout_in_seconds: null
      model_deletion:
        timeout_in_seconds: null
    bulk_api_password: <%= common_password %>
    staging_upload_user: upload
    staging_upload_password: <%= common_password %>
    quota_definitions:
      default:
        memory_limit: 10240
        total_services: 100
        non_basic_services_allowed: true
        total_routes: 1000
        trial_db_allowed: true
    resource_pool:
      resource_directory_key: cloudfoundry-resources
      fog_connection:
        provider: Local
        local_root: /var/vcap/nfs/shared
    packages:
      app_package_directory_key: cloudfoundry-packages
      fog_connection:
        provider: Local
        local_root: /var/vcap/nfs/shared
    droplets:
      droplet_directory_key: cloudfoundry-droplets
      fog_connection:
        provider: Local
        local_root: /var/vcap/nfs/shared
    buildpacks:
      buildpack_directory_key: cloudfoundry-buildpacks
      fog_connection:
        provider: Local
        local_root: /var/vcap/nfs/shared        
    install_buildpacks:
      - name: java_buildpack
        package: buildpack_java
      - name: ruby_buildpack
        package: buildpack_ruby
      - name: nodejs_buildpack
        package: buildpack_nodejs
      - name: go_buildpack
        package: buildpack_go
    db_encryption_key: <%= common_password %>
    hm9000_noop: false
    diego: false
    newrelic:
      license_key: null
      environment_name: <%= deployment_name %>       

  ccng: *cc

  login:
    enabled: false

  uaa:
    url: <%= protocol %>://uaa.<%= root_domain %>
    no_ssl: <%= protocol == 'http' %>
    cc:
      client_secret: <%= common_password %>
    admin:
      client_secret: <%= common_password %>
    batch:
      username: batch
      password: <%= common_password %>
    clients:
      cf:
        override: true
        authorized-grant-types: password,implicit,refresh_token
        authorities: uaa.none
        scope: cloud_controller.read,cloud_controller.write,openid,password.write,cloud_controller.admin,scim.read,scim.write
        access-token-validity: 7200
        refresh-token-validity: 1209600
      admin:
        secret: <%= common_password %>
        authorized-grant-types: client_credentials
        authorities: clients.read,clients.write,clients.secret,password.write,scim.read,uaa.admin
    scim:
      users:
      - admin|<%= common_password %>|scim.write,scim.read,openid,cloud_controller.admin,uaa.admin,password.write
      - services|<%= common_password %>|scim.write,scim.read,openid,cloud_controller.admin
    jwt:
      signing_key: |
        -----BEGIN RSA PRIVATE KEY-----
        MIICXAIBAAKBgQDHFr+KICms+tuT1OXJwhCUmR2dKVy7psa8xzElSyzqx7oJyfJ1
        JZyOzToj9T5SfTIq396agbHJWVfYphNahvZ/7uMXqHxf+ZH9BL1gk9Y6kCnbM5R6
        0gfwjyW1/dQPjOzn9N394zd2FJoFHwdq9Qs0wBugspULZVNRxq7veq/fzwIDAQAB
        AoGBAJ8dRTQFhIllbHx4GLbpTQsWXJ6w4hZvskJKCLM/o8R4n+0W45pQ1xEiYKdA
        Z/DRcnjltylRImBD8XuLL8iYOQSZXNMb1h3g5/UGbUXLmCgQLOUUlnYt34QOQm+0
        KvUqfMSFBbKMsYBAoQmNdTHBaz3dZa8ON9hh/f5TT8u0OWNRAkEA5opzsIXv+52J
        duc1VGyX3SwlxiE2dStW8wZqGiuLH142n6MKnkLU4ctNLiclw6BZePXFZYIK+AkE
        xQ+k16je5QJBAN0TIKMPWIbbHVr5rkdUqOyezlFFWYOwnMmw/BKa1d3zp54VP/P8
        +5aQ2d4sMoKEOfdWH7UqMe3FszfYFvSu5KMCQFMYeFaaEEP7Jn8rGzfQ5HQd44ek
        lQJqmq6CE2BXbY/i34FuvPcKU70HEEygY6Y9d8J3o6zQ0K9SYNu+pcXt4lkCQA3h
        jJQQe5uEGJTExqed7jllQ0khFJzLMx0K6tj0NeeIzAaGCQz13oo2sCdeGRHO4aDh
        HH6Qlq/6UOV5wP8+GAcCQFgRCcB+hrje8hfEEefHcFpyKH+5g1Eu1k0mLrxK2zd+
        4SlotYRHgPCEubokb2S1zfZDWIXW3HmggnGgM949TlY=
        -----END RSA PRIVATE KEY-----
      verification_key: |
        -----BEGIN PUBLIC KEY-----
        MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDHFr+KICms+tuT1OXJwhCUmR2d
        KVy7psa8xzElSyzqx7oJyfJ1JZyOzToj9T5SfTIq396agbHJWVfYphNahvZ/7uMX
        qHxf+ZH9BL1gk9Y6kCnbM5R60gfwjyW1/dQPjOzn9N394zd2FJoFHwdq9Qs0wBug
        spULZVNRxq7veq/fzwIDAQAB
        -----END PUBLIC KEY-----

Thank you! It was a quota problem.

So glad with your help.

Hi Ferrán,When i deploy cloudfoundry on openstack ，the components' IP address could not be resolved correctly from the format like this "0.postgres.default.<%= deployment_name %>.microbosh". Since my network is dynamic，so when the vms are created , i use the "bosh vms" to see the correct ip address and replace the "0.XXX.default.<%= deployment_name %>.microbosh" with the real IP. And deploy again , it will be successful.
How components' ip are converted from "0.XXX.default.<%= deployment_name %>.microbosh" to ips.
Thank you very much!

Some clarification on the network usage would be appreciated. You have 3 networks, external, default (your private network) and a floating network for the static ip.

Your haproxy uses both the external and the floating. Should it not be default and floating (otherwise the haproxy cannot route) or default and external. External and floating would just give it 2 ip's on the external network and no route to the internal network.

@fmzhen The hostnames are converted to IP's automatically by BOSH director, it uses the patten '....'. It VM's cannot resolve the hostnames, check if your security group has port 53 opened. Also ssh into one of the VM's and check the /etc/resolv.conf file, it should contain the microBOSH IP as nameserver.

@johnmcteague No, the main difference between 'default' and 'external' networks is the security groups: 'external' assign the 'cf-public'. The external network uses dhcp and the internal network, like the default network, so it won't allocate a public IP, hence that you need to assign a floating IP address to the haproxy.

Hello Ferran -

What is "static_ip = 'CHANGEME'" on line number 3 - Will this be the IP of MicroBOSH? Can I write a deployment file that has just only the "default" network with a static private IP address - that is I dont want to use "external" and "haproxy" because I do not have a public IP address?

Also, If I need to push an application that runs on Tomcat 7 with its database as MySQL 5.6 to a single VM, what will my manifest look like? Would you be kind enough to provide me a sample with this requirement?

Many thanks,
Sekhar H.

@sekh77 The static IP is usually the floating IP where your CF wildcard domain points to. If you don't have floating IPs, you can use "manual" networks and assign an IP to your haproxy job.