forked from pivotal-cf/docs-ops-guide
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathinstalling-pcf-is.html.md.erb
115 lines (68 loc) · 7.79 KB
/
installing-pcf-is.html.md.erb
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
---
title: Installing PCF Isolation Segment
owner: RelEng
---
<strong><%= modified_date %></strong>
This topic describes how to install the PCF Isolation Segment tile, which allows operators to isolate deployment workloads into dedicated resource pools called _isolation segments_.
Installing the tile installs a single isolation segment. However, you can install multiple isolation segments using the Replicator tool documented in [Step 4](#copy).
After installing the tile, you must perform the steps in the [Create an Isolation Segment](../adminguide/isolation-segments.html#create-an-is) section of the <em>Managing Isolation Segments</em> topic to create the isolation segment in the Cloud Controller Database (CCDB). The topic also includes information about managing an isolation segment.
For more information about how isolation segments work, see the [Isolation Segments](../concepts/security.html#isolation-segments) section of the <Em>Understanding Cloud Foundry Security</em> topic.
##<a id='routing'></a> Step 1: (Optional) Configure Routing
By default, the Elastic Runtime Router handles traffic for your isolation segment. However, you can deploy a dedicated router for your isolation segment instead.
To deploy a dedicated router, perform the following steps:
1. Add a load balancer in front of the Elastic Runtime Router. The steps to do this depend on your IaaS, but the setup of the load balancer should mirror the setup of the load balancer for the Elastic Runtime Router that you configured in the Elastic Runtime tile.
1. Create a wildcard DNS entry for traffic routed to any app in the isolation segment. For example, `*.iso.example.com`.
1. Attach the wildcard DNS entry to the load balancer you created.
##<a id='install'></a> Step 2: Install the Tile
Perform the following steps to install the PCF Isolation Segment tile:
1. Download the product file from [Pivotal Network](https://network.pivotal.io/products/isolation-segment).
1. Navigate to `YOUR-OPSMAN-FQDN` in a browser to log in to the Ops Manager Installation Dashboard.
1. Click **Import a Product** and select the downloaded product file.
1. Under **PCF Isolation Segment** in the left column, click the plus sign.
##<a id='config'></a> Step 3: Configure the Tile
Perform the following steps to configure the PCF Isolation Segment tile:
1. Click the orange **PCF Isolation Segment** tile to start the configuration process.<br>
<%= image_tag('isolation-segment/pcf-isolation-segment.png') %>
1. Click **Assign AZs and Networks**.
<%= image_tag('isolation-segment/az-network.png') %>
1. Select an availability zone for your singleton jobs, and one or more availability zones to balance other jobs in.
1. Select a network. This network does not need to be the same network where you deployed Elastic Runtime. For most deployments, operators should create unique networks in which to deploy the Isolation Segment tile. These networks should maintain network reachability with the Diego components so that the cells can reach the Diego Brain and Diego Database VMs.
1. Click **Save**.
1. Click **Application Containers**.
<%= image_tag('isolation-segment/app-containers.png') %>
1. (Optional): Under **Private Docker Insecure Registry Whitelist**, enter one or more private Docker image registries that are secured with self-signed certificates. Use a comma-delimited list in the format `IP:Port` or `Hostname:Port`.
1. Under **Segment Name**, enter the name of your isolation segment. This name must be unique across your PCF deployment. You use this name when performing the steps in the [Create an Isolation Segment](../adminguide/isolation-segments.html#create-an-is) section of the <em>Managing Isolation Segments</em> topic to create the isolation segment in the Cloud Controller Database (CCDB).
1. Click **Networking**.
<%= image_tag('isolation-segment/networking1.png') %>
1. (Optional): Under **Router IPs**, enter one or more static IP addresses for the routers that handles this isolation segment. These IP addresses must be within the subnet CIDR block that you defined in the Ops Manager network configuration. If you have a load balancer, configure it to point to these IP addresses.
1. (Optional): Under **Applications Subnet**, enter a CIDR subnet mask specifying the range of available IP addresses to assign to your app containers. This must be different from the network used by the system VMs. Only modify the default value if you need to avoid address collision with a third-party service on the same subnet.
1. (Optional): Under **Applications Network Maximum Transmission Unit**, change the Maximum Transmission Unit (MTU). The default is `1454` bytes.
1. Under **TLS Termination Certificates**, select one of the following options:
* **Forward SSL to Isolation Segment Router with provided certificates**: Select this option if your deployment uses an external load balancer that can forward encrypted traffic to the Elastic Runtime Router for the isolation segment, or if you are running a development environment that does not require load balancing. Complete the fields for the **Router SSL Termination Certificate and Private Key** and **Router SSL Ciphers**.
* **Forward SSL to Isolation Segment Router with ERT Router certificates**: Select this option to inherit the certificates provided to the Elastic Runtime Router when you configured the Elastic Runtime tile. This option assumes an external load balancer is configured to forward encrypted traffic.
* **Forward unencrypted traffic to Elastic Runtime Router**: Select this option if your deployment uses an external load balancer that cannot forward encrypted traffic to the Elastic Runtime Router, or for a development environment that does not require load balancing.
<%= image_tag('isolation-segment/networking2.png') %>
1. Click **Save**.
1. (Optional): Edit the configurations in **Advanced Features** as desired.
1. If you are using a dedicated router for your isolation segment, click **Resource Config** and enter the wildcard DNS entry attached to your load balancer into the **Router** row under **Load Balancers**.
<%= image_tag('isolation-segment/resource-config.png') %>
1. (Optional): Edit the **Stemcell** configuration as desired.
1. Perform the steps in the [Create an Isolation Segment](../adminguide/isolation-segments.html#create-an-is) section of the <em>Managing Isolation Segments</em> topic to create the isolation segment in the Cloud Controller Database (CCDB).
1. Return to the Ops Manager Installation Dashboard and click **Apply Changes** to deploy the tile.
After the tile finishes deploying, see the [Managing Isolation Segments](../adminguide/isolation-segments.html) topic for more information about managing an isolation segment.
##<a id='copy'></a> Step 4: (Optional) Copy the Tile
If you want to create multiple isolation segments, perform the following steps to copy the PCF Isolation Segment tile with the Replicator tool:
1. Download the Replicator tool from the **Pivotal Cloud Foundry Isolation Segment** section of [Pivotal Network](https://network.pivotal.io/products/isolation-segment).
1. Navigate to the directory where you downloaded the Replicator tool.
1. Replicate the tile:
<pre class="terminal">
./replicator \
-name "YOUR-NAME" \
-path /PATH/TO/ORIGINAL.pivotal \
-output /PATH/TO/COPY.pivotal
</pre>
Replace the values above with the following:
* `YOUR-NAME`: Provide a unique name for the new PCF Isolation Segment tile. The name must be ten characters or less and only contain alphanumeric characters, dashes, underscores, and spaces.
* `/PATH/TO/ORIGINAL`: Provide the absolute path to the original PCF Isolation Segment tile you downloaded from Pivotal Network.
* `/PATH/TO/COPY`: Provide the absolute path for the copy that the Replicator tool produces.
1. Follow the procedures in this topic using the new `.pivotal` file, starting with [Step 1](#routing).