1.11.0

• Set up CI for silk-release
• Create silk-release with swappable parts of cf-networking-release
• An operator can upgrade to using silk-release and cf-networking-release
• Enhance Cats & Dogs to demo service discovery with phase 1 of service discovery
• cloudfoundry/cf-networking-release #33: CustomIPTablesCompatibilityTest should be skipped by default
• An operator can configure a BOSH property to indicate which interface to use for VXLAN traffic
• Properties in silk-release are not name spaced to cf-networking
• Cat& Dogs example apps are in their own github repo
• Fix in silk pipeline
• Tested with silk-release v0.1.0

1.10.0

This release enables a new feature that enables operators to run BOSH add-ons that modify iptables rules on cells.

Give us feedback in the #container-networking channel on cloudfoundry.slack.com. Take a look at known issues for current limitations and known issues.

Verified with the following:

• CF deployment

Manifest Changes

None

Significant Changes

iptables

• CF networking plays nice with add-ons that change iptables

Miscellaneous fixes and chores

• cloudfoundry/cf-networking-release #24: Samples README to remind diego defaults $PORT to 8080
• An app dev should be able to understand how to use Cats & Dogs to demo service discovery through updated documentation
• Investigate Toque-push failure
• Update CI to handle new bbl version
• Upgrade concourse to 3.8.0
• make smoke test org idempotently created
• tag docker images
• Styling for cats & dogs backend app
• Pin to newest cf-deployment-concourse task release
• delete trucker-test-upgrade
• cloudfoundry/cf-networking-release #32: Add optional skip_icmp_tests to acceptance-tests

1.9.0

The main change in this release is a patch to better handle database parameters in Silk.

Give us feedback in the #container-networking channel on cloudfoundry.slack.com. Take a look at known issues for current limitations and known issues.

Verified with the following:

• CF deployment

Manifest Changes

None

Significant Changes

Chores

• App dev should see new CLI commands in example app documentation instead of the plugin commands
• Bump golang1.9.2
• task_connectivity test does not work on all environments
• Move relevant CI parts from CI repo to cf-networking-release
• update containernetworking dependecies
• Run silk ci weekly
• Remove build-dev-mysql-ifb-image from ci
• set up firehose nozzle from beret -> datadog
• Add cf-app-sd-release to dashboard
• Fix broken deployments in CI

Silk database changes

• Private backlog silk controller story

1.8.0

• Move cf-networking-release out of incubator

1.7.0

Lots of small enhancements in this release - support for rootless mode, setting max open/idle connections on Silk controller and support for BBR on mySQL.

Give us feedback in the #container-networking channel on cloudfoundry.slack.com. Take a look at known issues for current limitations and known issues.

Verified with the following:

• CF deployment

Manifest Changes

New Properties

• An optional parameter has been added to turn on bosh backup and restore.
  By default, this property is set to false and backup and restore is turned off.
  • release_level_backup
• An optional parameter has been added to configure the max number of
  open and idle connections to the silk-controller database.
  • cf_networking.silk_controller.max_open_connections
  • cf_networking.silk_controller.max_idle_connections

Significant Changes

CLI

• Networking acceptance tests use CF CLI
• An operator uses the CF CLI instead of the plugin

BBR

• operator can use scripts deployed with a colocated job to backup the policy server database on postgresql

Rootless Mode

• Garden network-plugin api does not guarantee that it will run plugins as root

Enhancements

• add config flag to not run tests that require internet
• Set max open/idle connections in silk-controller
• bump go to 1.9

1.6.0

The primary change in this release is a change in the default directories for CNI plugins integrating into Cloud Foundry.

Give us feedback in the #container-networking channel on cloudfoundry.slack.com. Take a look at known issues for current limitations and known issues.

Verified with the following:

• CF deployment

Manifest Changes

Changed Properties

• The value for cf_networking.garden_external_networker.cni_plugin_dir now defaults to /var/vcap/packages/cni/bin
• The value for cf_networking.garden_external_networker.cni_config_dir now defaults to /var/vcap/jobs/cni/config/cni

Significant Changes

Policies for Tasks

• Validate container networking works with tasks

Debugging Enhancements

• Policy server creates request ids

CNI

• The default configuration for CNI plugin and config is not silk specific

1.5.0

This release includes initial support for BBR. Try it out and give us your feedback in the #container-networking channel on cloudfoundry.slack.com.

Take a look at known issues for current limitations and known issues.

Verified with the following:

• CF deployment

Manifest Changes

Links Enabled
The policy-server now provides database connection info via a link which the new policy-server-internal job consumes:

• cf_networking.policy_server.database.type
• cf_networking.policy_server.database.username
• cf_networking.policy_server.database.password
• cf_networking.policy_server.database.port
• cf_networking.policy_server.database.name
• cf_networking.policy_server.database.host

New Properties

• REQUIRED: A new job policy-server-internal has been added. This job requires the following properties:
  • cf_networking.policy_server_internal.ca_cert
  • cf_networking.policy_server_internal.server_cert
  • cf_networking.policy_server_internal.server_key
    There are additional optional paramaters that can be set and are viewable in the spec file
• An optional parameter has been added to configure the path to the iptables kernel log for
  the iptables_logger.
  • cf_networking.iptables_logger.kernel_log_file

Removed Properties

• The policy-server job has removed the following properties:
  • cf_networking.policy_server.internal_listen_port
  • cf_networking.policy_server.ca_cert
  • cf_networking.policy_server.server_cert
  • cf_networking.policy_server.server_key

Changed Properties

• The consul.agent.services.policy-server property for the consul_agent job on the api instance group
  should be renamed to consul.agent.services.policy-server-internal.

Significant Changes

CLI Changes

• CLI can discover CF networking API endpoints and versions

BBR Changes

• An operator can lock the policy server so policies cannot be added/deleted
• operator can use scripts deployed with a colocated job to restore the policy server database on mysql
• operator can use scripts deployed with a colocated job to lock and unlock the policy server API
• operator can use scripts deployed with a colocated job to backup the policy server database on mysql

Chores

• error response functions should take logger as an arg
• Fix "connection refused" in postgres-tests
• bump the go-sql-driver

1.4.0

CF networking policies now support port ranges in addition to a single port in policy configuration. In addition, the silk controller provides a link for the silk daemon to configure the overlay network for cf-networking.

Try it out and give us your feedback in the #container-networking channel on cloudfoundry.slack.com.

Take a look at known issues for current limitations and known issues. Verified with the following:

• CF deployment

Manifest Changes

Links Enabled
The silk-controller job now provides two properties via links which the silk-daemon job consumes:

• cf_networking.network
• cf_networking.subnet_prefix_length
  ** This means you are able to remove the properties (listed above) from the silk-daemon job. **

If your deployment contains more than a single instance group that has the silk-controller job,
then you will need to explicitly name the cf_network link. For more information,
see the documentation.

New Properties

• An optional parameter has been added to configure the port of the metron agent for
  the iptables_logger. This port will be used to forward metrics. Previously, no such
  port existed.
  • cf_networking.iptables_logger.metron_port

Significant Changes

Port Ranges

• As an operator I would like to specify a range of ports in policy configuration APIs
• As an operator I would like to specify a range of ports in policy configuration CLI
• As an operator I would like to see a range of ports in policy configuration CLI
• As an operator I would like to remove access for a range of ports in policy configuration CLI

Optimizations

• Operators can configure a single property to change the overlay network
• policy-server and silk-controller work with MySQL 5.6
• Operators should see info on resource consumption of log forwarder in github

Logging Enhancemetns

• Iptables-logger logs a metric for uptime
• fix flaky iptables logger tests
• iptables logger is running in a cf-release deployment

Chores

• allow running ifb tests on a dev workstation
• Fix issue with unbound running security groups on mitre
• Rename GetRoutableLeases to GetActiveLeases
• Policy-server wrappers use http.Request.Context for passing values

1.3.0

Try out our new feature for augmented traffic logging with org, space and app information! Instructions are here. This release also lays the groundwork for supporting port ranges in policy configuration. Try it out and give us your feedback in the #container-networking channel on cloudfoundry.slack.com.

Take a look at known issues for current limitations and known issues.

Verified with the following:

• CF deployment

Manifest Changes

New Properties

• An optional parameter has been added to configure the rate of logs by
  iptables for accepted UDP packets. Before, logging was done per UDP
  connection. Now, the rate defaults to 100 packets per second.
  • cf_networking.iptables_accepted_udp_logs_per_sec is the maximum number of
    accepted udp packets logged by iptables per second, it should be
    configured on the silk-cni job for ASGs or on the vxlan-policy-agent
    job for C2C.

Significant Changes

Traffic logging enhancements

• Operators can see logs of egress network traffic with app/space/org GUIDs of the source in a file that can be forwarded via syslog
• ASG and c2c logging for UDP traffic is rate-limited
• Logs of egress network traffic include cell IP and GUIDs of the source in a file that can be forwarded via syslog
• Operators have instructions to consume augmented traffic logs in github

Port Ranges

• The internal API supports port ranges
• Policy server closes db connections on shutdown
• vxlan-policy-agent uses ports field to write iptables rules

Github Issues

• cloudfoundry-incubator/cf-networking-release #12: Is vtep port by default supposed to be 4789 or something else?
• cloudfoundry-incubator/cf-networking-release #13: cf-release docs contain wrong configuration
• remove http health check from cni wrapper

Miscellaneous

• Golang 1.8.x upgrade
• drain and pre-start clean up all potentially leftover cf-networking state

1.2.0

CF networking is officially part of cf-deployment! You do not need a separate ops-file to include cf-networking in your deployment. This release also adds new capabilities for bandwidth limiting and logging enhancements for ASGs and container networking.

Try it out and give us your feedback in the #container-networking channel on cloudfoundry.slack.com.

Take a look at known issues for current limitations and known issues.

Verified with the following:

• CF deployment

Manifest Changes

New Properties

• Optional parameters have been added to the silk-cni job to limit the
  bandwidth in and out of containers.
  • cf_networking.rate is the rate in Kbps at which traffic can leave and
    enter a container.
  • cf_networking.burst is the burst in Kb at which traffic can leave and
    enter a container.
  • Both of these parameters must be set in order to limit bandwidth. If
    neither one is set, then bandwidth is not limited.
  • The burst must high enough to support the given rate. If burst is not
    high enough, then creating containers will fail.
• An optional parameter has been added to configure the rate of logs by
  iptables for denied packets. Before, this rate was hardcoded to 2 packets
  per minute. Now, the rate defaults to 1 packet per second.
  • cf_networking.iptables_denied_logs_per_sec is the maximum number of
    denied packets logged by iptables per second, it should be configured on
    the silk-cni job.

Significant Changes

Port Ranges

• External APIs are ready for supporting port ranges

Logging

• c2c logs for accepted packets use conntrack
• An operator can change the sampling time of deny logging
• ASG logging works for accepted traffic that match UDP and ICMP whitelist rules

Bandwidth Limiting

• Operators can configure bandwidth limits for apps

Deployment Changes

• cf-networking is in cf-deployment

Documentation

• As an operator I know the options to enable self-service
• Update docs based on boxes & lines

Bug Fixes

• cf list-access fails for non-admin users when there are policies for more than 50 unique apps
• cloudfoundry-incubator/cf-networking-release #8: Make add route work for Linux
• CF CLI plugin version number matches release version