Try out our new feature for augmented traffic logging with org, space and app information! Instructions are here. This release also lays the groundwork for supporting port ranges in policy configuration. Try it out and give us your feedback in the #container-networking channel on cloudfoundry.slack.com.
See the known issues page for current limitations and open problems.
Verified with the following:
Manifest Changes
New Properties
- An optional parameter has been added to configure the rate at which iptables logs accepted UDP packets. Previously, logging was done once per UDP connection; now it is rate-limited, with a default of 100 packets per second. The property cf_networking.iptables_accepted_udp_logs_per_sec sets the maximum number of accepted UDP packets logged by iptables per second. It should be configured on the silk-cni job for ASGs, or on the vxlan-policy-agent job for C2C.
Significant Changes
Traffic logging enhancements
- Operators can see logs of egress network traffic with app/space/org GUIDs of the source in a file that can be forwarded via syslog
- ASG and c2c logging for UDP traffic is rate-limited
- Logs of egress network traffic include cell IP and GUIDs of the source in a file that can be forwarded via syslog
- Operators have instructions to consume augmented traffic logs in github
Port Ranges
- The internal API supports port ranges
- Policy server closes db connections on shutdown
- vxlan-policy-agent uses ports field to write iptables rules
Github Issues
- cloudfoundry-incubator/cf-networking-release #12: Is vtep port by default supposed to be 4789 or something else?
- cloudfoundry-incubator/cf-networking-release #13: cf-release docs contain wrong configuration
- remove http health check from cni wrapper