forked from pivotal-cf/docs-pcf-install
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy path_application_container_config.html.md.erb
37 lines (24 loc) · 5.08 KB
/
_application_container_config.html.md.erb
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
1. Select **Application Containers**.
<%= image_tag("../images/docker-registry-ert.png") %>
1. The **Enable Custom Buildpacks** checkbox governs the ability to pass a custom buildpack URL to the `-b` option of the `cf push` command. By default, this ability is enabled, letting developers use custom buildpacks when deploying apps. Disable this option by disabling the checkbox. For more information about custom buildpacks, refer to the [buildpacks](../buildpacks/) section of the PCF documentation.
1. The **Allow SSH access to app containers** checkbox controls SSH access to application instances. Enable the checkbox to permit SSH access across your deployment, and disable it to prevent all SSH access. See the [Application SSH Overview](../devguide/deploy-apps/app-ssh-overview.html) topic for information about SSH access permissions at the space and app scope.
1. If you want enable SSH access for new apps by default in spaces that allow SSH, select **Enable SSH when an app is created**. If you deselect the checkbox, developers can still enable SSH after pushing their apps by running `cf enable-ssh APP-NAME`.
1. To enable the Gorouter to verify app identity using TLS, click **Router uses TLS to verify application identity**. To enable the Gorouter and your apps to verify each other's identity using TLS, click **Router and applications use mutual TLS to verify each other's identity**. Verifying app identity using TLS improves resiliency and consistency for app routes. For more information about Gorouter route consistency modes, see [Preventing Misrouting](../concepts/http-routing.html#consistency) in _HTTP Routing_.
<p class='note breaking'><strong>Breaking Change:</strong> If you have mutual TLS app identity verification enabled, app containers accept incoming communication only from the Gorouter. This disables <code>cf ssh</code> and TCP routing.</p>
<p class='note'><strong>Note:</strong> To support mutual TLS app identity verification, you need v2.3 or later of both PAS and PCF Isolation Segment (IST). The Gorouter and cell components in PCF v2.2 and earlier do not support mTLS handshakes.</p>
1. You can configure Pivotal Application Service (PAS) to run app instances in Docker containers by supplying their IP address ranges in the **Private Docker Insecure Registry Whitelist** textbox. See the [Using Docker Registries](../opsguide/docker-registry.html) topic for more information.
1. Select your preference for **Docker Images Disk-Cleanup Scheduling on Cell VMs**. If you choose **Clean up disk-space once threshold is reached**, enter a **Threshold of Disk-Used** in megabytes. For more information about the configuration options and how to configure a threshold, see [Configuring Docker Images Disk-Cleanup Scheduling](../opsguide/config-cell-cleanup.html).
1. Enter a number in the **Max Inflight Container Starts** textbox. This number configures the maximum number of started instances across the Diego cells in your deployment. For more information about this feature, see [Setting a Maximum Number of Started Containers](../adminguide/max-container-starts.html).
1. Under **Enabling NFSv3 volume services**, select **Enable** or **Disable**. NFS volume services allow application developers to bind existing NFS volumes to their applications for shared file access. For more information, see the [Enabling NFS Volume Services](../opsguide/enable-vol-services.html) topic.
<p class="note"><strong>Note:</strong> In a fresh install, NFSv3 volume services is enabled by default. In an upgrade, NFSv3 volume services is set to the same setting as it was in the previous deployment.</p>
1. (Optional) To configure LDAP for NFSv3 volume services, do the following:
<%= image_tag("../images/er-config-app-vol-svc.png") %>
* For **LDAP Service Account User**, enter the username of the service account in LDAP that will manage volume services.
* For **LDAP Service Account Password**, enter the password for the service account.
* For **LDAP Server Host**, enter the hostname or IP address of the LDAP server.
* For **LDAP Server Port**, enter the LDAP server port number. If you do not specify a port number, Ops Manager uses 389.
* For **LDAP Server Protocol**, enter the server protocol. If you do not specify a protocol, Ops Manager uses TCP.
* For **LDAP User Search Base**, enter the location in the LDAP directory tree from which any LDAP User search begins. The typical LDAP Search Base matches your domain name. <br>For example, a domain named `cloud.example.com` typically uses the following LDAP User Search Base: `ou=Users,dc=example,dc=com`.
* For **LDAP Server CA Cert**, you can optionally enter a certificate if your LDAP server supports TLS and you want to enable TLS connections from the NFS driver to your LDAP server. Paste in the root certificate from your CA certificate or your self-signed certificate.
1. Select the **Format of timestamps in Diego logs**, either **RFC3339 timestamps** or **Seconds since the Unix epoch**. Fresh PAS v2.2 installations default to **RFC3339 timestamps**, while upgrades to PAS v2.2 from previous versions default to **Seconds since the Unix epoch**.
1. Click **Save**.