forked from pivotal-cf/docs-pcf-install
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathconfig-er-vmware.html.md.erb
332 lines (218 loc) · 17 KB
/
config-er-vmware.html.md.erb
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
---
title: Configuring PAS for vSphere
owner: RelEng
---
<strong><%= modified_date %></strong>
<html class="list-style-none"></html>
This topic describes how to configure the Pivotal Application Service (PAS) components
that you need to run [Pivotal Cloud Foundry](https://network.pivotal.io/products/pivotal-cf) (PCF) for VMware vSphere.
<p class="note"><strong>Note</strong>: If you plan to <a href = "http://docs.pivotal.io/addon-ipsec/installing.html">install the IPsec add-on</a>, you must do so before installing any other tiles. Pivotal recommends installing IPsec immediately after Ops Manager, and before installing the PAS tile.</p>
## <a id='er-om-add'></a>Step 1: Add PAS to Ops Manager ##
1. If you have not already downloaded PAS, log in to [Pivotal Network](https://network.pivotal.io/products/pivotal-cf), and click on PAS.
1. From the **Releases** drop-down, select the release to install and choose one of the following:
1. Click PAS to download the PAS `.pivotal` file
1. Click PCF Small Footprint PAS to download the Small Footprint Runtime `.pivotal` file. For more information, see [Getting Started with Small Footprint Runtime](./small-footprint.html).
1. From the Available Products view, click **Import a Product**.
<%= image_tag("guide/import-prod.png") %>
1. Select the PAS `.pivotal` file that you downloaded from Pivotal
Network and click **Open**.
After the import completes, PAS appears in the Available Products
view.
1. In the Available Products view, hover over PAS and click **Add**.
<%= image_tag("guide/add-products.png") %>
1. Click the PAS tile in the Installation Dashboard.
<%= image_tag("images/er-tile.png") %>
## <a id='er-az-networks'></a>Step 2: Assign Availability Zones and Networks ##
1. Select **Assign AZs and Networks**. These are the Availability Zones that you [create](../customizing/vsphere-config.html#create-az) when configuring Ops Manager Director.
1. **(vSphere Only)** Select an Availability Zone under **Place singleton jobs**. Ops Manager runs any job with a single instance in this Availability Zone.
1. **(vSphere Only)** Select one or more Availability Zones under **Balance other jobs**. Ops Manager balances instances of jobs with more than one instance across the Availability Zones that you specify.
1. From the **Network** drop-down box, choose the network on which you want to run PAS.
<%= image_tag("er-az.png") %>
1. Click **Save**.
<p class="note"><strong>Note</strong>: When you save this form, a verification error displays because the PCF security group blocks ICMP. You can ignore this error.</p>
<%= image_tag("pcfaws/er-network-error.png") %>
## <a id='er-domain-config'></a>Step 3: Configure Domains ##
1. Select **Domains**.
<%= image_tag("domains.png") %>
1. Enter the system and application domains.
* The **System Domain** defines your target when you push apps to Elastic
Runtime.
* The **Apps Domain** defines where PAS should serve your apps.
<p class="note"><b>Note</b>: Pivotal recommends that you use the same domain name but different subdomain names for your system and app domains. Doing so allows you to use a single wildcard certificate for the domain while preventing apps from creating routes that overlap with system routes. For example, name your system domain <code>system.EXAMPLE.com</code> and your apps domain <code>apps.EXAMPLE.com</code>.</p>
<p class="note"><strong>Note</strong>: You configured wildcard DNS records
for these domains in an earlier step.</p>
1. Click **Save**.
## <a id="networking"></a>Step 4: Configure Networking ##
1. Select **Networking**.
1. The values you enter in the **Router IPs** and **HAProxy IPs** fields depend on whether you are using HAProxy in your deployment. Use the table below to determine how to complete these fields.
<p class="note"><strong>Note</strong>: If you choose to assign specific IP addresses in either the <strong>Router IPs</strong> or <strong>HAProxy IPs</strong> field, ensure that these IP addresses are in the subnet that you configured for PAS in Ops Manager.</p>
<table border="1" class="nice" >
<tr>
<th><strong>Using HAProxy?</strong></th>
<th><strong>Router IPs Field</strong></th>
<th><strong>HAProxy IPs Field</strong></th>
</tr>
<tr>
<td>No</td>
<td><ol>
<li>Choose IP addresses from the subnet you configured in Ops Manager.</li>
<li>Enter these IP addresses in the <b>Router IPs</b> field. You should specify more than one IP address for high availability.</li>
<li>Configure your load balancer to forward requests for the domains that you have configured for your deployment to these IP addresses.</li>
</ol></td>
<td>Leave this field blank.</td>
</tr>
<tr>
<td>Yes</td>
<td>Leave this field blank.</td>
<td><ol>
<li>Choose IP addresses from the subnet you configured in Ops Manager.</li>
<li>Enter these IP addresses in the <b>HAProxy IPs</b> field. You should specify more than one IP address for high availability. </li>
<li>Configure your load balancer to forward requests for the domains you have configured for your deployment to these IP addresses.</li>
</ol>
</tr>
</table>
1. (Optional) In **SSH Proxy IPs**, add the IP address for your Diego Brain, which will accept requests to SSH into application containers on port `2222`.
1. (Optional) In **TCP Router IPs**, add the IP address(es) you would like assigned to the TCP Routers. You enable this feature at the bottom of this screen.
<%= image_tag 'images/ert_networking_ip_fields.png' %>
1. <%= partial 'haproxy_router_cert_config' %>
1. <%= partial 'min_tls_version' %>
1. <%= partial 'tls_cipher_suites_router' %>
1. <%= partial 'tls_cipher_suites_haproxy' %>
1. <%= partial 'haproxy_router_tls_forward' %>
1. <%= partial 'ssl_verification' %>
1. <%= partial 'http_disable' %>
1. <%= partial 'insecure_cookies' %>
1. <%= partial 'zipkin_enable' %>
1. By default, the PAS routers handle traffic for applications deployed to an isolation segment created by the PCF Isolation Segment tile. To configure the PAS routers to reject requests for applications within isolation segments, select the **Routers reject requests for Isolation Segments** checkbox.
<%= image_tag 'isolate-network.png' %>
Do not enable this option without deploying routers for each isolation segment. See the following topics for more information:
* [Installing PCF Isolation Segment](../customizing/installing-pcf-is.html)
* [Sharding Routers for Isolation Segments](../adminguide/routing-is.html#sharding-routers-isolation-segment)
1. <%= partial 'xforwarded_client_cert_xfcc' %>
1. <%= partial 'route_services' %>
1. <%= partial 'max_connections_backend' %>
1. Enter a value for **Router Max Idle Keepalive Connections**. See [Considerations for Configuring max\_idle\_connections](../adminguide/routing-keepalive.html#considerations).
<%= image_tag 'images/keepalive.png' %>
1. <%= partial 'router_timeout_backend' %>
1. <%= partial 'frontend_idle_timeout' %>
1. <%= partial 'lb_unhealthy_threshold' %>
1. <%= partial 'lb_healthy_threshold' %>
<%= image_tag 'images/router_lb_thresholds.png' %>
1. <%= partial 'http_headers_to_log' %>
1. <%= partial 'haproxy_request_max_buffer' %>
1. <%= partial 'protected_domains' %>
1. <%= partial 'app_mtu' %>
<%= image_tag 'images/ert_log_port_mtu.png' %>
1. The **Loggregator Port** defaults to `443` if left blank. Enter a new value to override the default.
1. <%= partial 'c2c-overlay' %>
1. <%= partial 'c2c-vxlan' %>
1. <%= partial 'log-app-traffic-enable' %>
1. <%= partial 'tcp_routing_enable' %>
1. Return to the top of the **Networking** screen. In **TCP Router IPs** field, make sure you have entered IP addresses within your subnet CIDR block. These will be the same IP addresses you configured your load balancer with in [Pre-Deployment Steps](../adminguide/enabling-tcp-routing.html), unless you configured DNS to resolve the TCP domain name directly to an IP you've chosen for the TCP router. You can enter multiple values as a comma-delimited list or as a range. For example, `10.254.0.1, 10.254.0.2` or `10.254.0.1-10.254.0.2`.
1. <%= partial 'tcp_routing_disable' %>
1. Click **Save**.
## <a id='application-containers-config'></a>Step 5: Configure Application Containers ##
<%= partial 'application_container_config' %>
## <a id='er-appdevctrl-config'></a>Step 6: Configure Application Developer Controls ##
<%= partial 'application_developer_controls' %>
## <a id='app-security'></a>Step 7: Review Application Security Group ##
<%= partial 'application_security_group' %>
## <a id='uaa'></a>Step 8: Configure UAA ##
<%= partial 'uaa' %>
## <a id='er-auth-config'></a>Step 9: Configure Authentication and Enterprise SSO ##
<%= partial 'authsso_config' %>
## <a id='er-db-config'></a>Step 10: Configure System Databases ##
You can configure PAS to use the internal MySQL database provided with PCF, or you can configure an external database provider for the databases required by PAS.
<p class="note"><strong>Note</strong>: If you are performing an upgrade, do not modify your existing internal database configuration or you may lose data. You must migrate your existing data first before changing the configuration. Contact Pivotal Support for help. See <a href="upgrading-pcf.html">Upgrading Pivotal Cloud Foundry</a> for additional upgrade information.</p>
###<a id='internal-db'></a> Internal Database Configuration
<%= partial 'ert_database_internal' %>
Then proceed to [Step 10: (Optional) Configure Internal MySQL](#internal-mysql) to configure high availability and automatic backups for your internal MySQL databases.
###<a id='create-dbs'></a> External Database Configuration
<%= partial 'ert_database_external' %>
## <a id='internal-mysql'></a> Step 11: (Optional) Configure Internal MySQL ##
<%= partial 'mysql_proxy_config' %>
## <a id='filestore-config'></a>Step 12: Configure File Storage ##
For production-level PCF deployments on vSphere, the recommended selection is **External S3-Compatible** and the use of an external filestore. For more information about production-level PCF deployments on vSphere, see the [Reference Architecture for Pivotal Cloud Foundry on vSphere](../refarch/vsphere/vsphere_ref_arch.html).
For more factors to consider when selecting file storage, see <a href="../opsguide/storage_considerations.html">Considerations for Selecting File Storage in Pivotal Cloud Foundry</a>.
### <a id='internal_filestore'></a> Internal Filestore
<%= partial 'filestore_internal' %>
### <a id='external_s3'></a> External S3 or Ceph Filestore
<%= partial 'filestore_s3_config' %>
### <a id='other'></a> Other IaaS Storage Options
[Google Cloud Storage](./gcp-er-config.html#external_gcp) and [Azure Storage](./gcp-er-config.html#external_azure) are also available as file storage options but have not been evaluated for typical PCF on vSphere installations.
## <a id='external-endpoints'></a>Step 13: (Optional) Configure System Logging ##
If you forward logging messages to an external Reliable Event Logging Protocol (RELP) server, complete the following steps:
1. Select the **System Logging** section that is located within your PAS **Settings** tab.
<%= image_tag("updated-system-logging.png") %>
1. Enter the IP address of your syslog server in **Address**.
1. Enter the port of your syslog server in **Port**. The default port for a syslog server is `514`.
<p class="note"><strong>Note</strong>: The host must be reachable from the PAS network, accept TCP connections, and use the RELP protocol. Ensure your syslog server listens on external interfaces.</p>
1. Select a **Transport Protocol** to use when forwarding logs.
1. If you plan to use TLS encryption when sending logs to the remote server, select **Yes** when answering the **Encrypt syslog using TLS?** question.
1. In the **Permitted Peer** field, enter either the name or SHA1 fingerprint of the remote peer.
1. In the **TLS CA Certificate** field, enter the TLS CA Certificate for the remote server.
1. For the **Syslog Drain Buffer Size**, enter the number of messages the Doppler server can hold from Metron agents before the server starts to drop them. See the [Loggregator Guide for Cloud Foundry Operators](../loggregator/log-ops-guide.html) topic for more details.
1. If you want to include security events in your log stream, select the **Enable Cloud Controller security event logging** checkbox. This logs all API requests, including the endpoint, user, source IP address, and request result, in the Common Event Format (CEF).
1. Click **Save**.
## <a id='customize-apps-man'></a>Step 14: (Optional) Customize Apps Manager##
<%= partial 'custombranding' %>
## <a id='smtp'></a>Step 15: (Optional) Configure Email Notifications ##
PAS uses SMTP to send invitations and confirmations to Apps Manager
users.
You must complete the **Email Notifications** page if you want to enable end-user
self-registration.
1. Select **Email Notifications**.
<%= image_tag("cloudform/smtp.png") %>
1. Enter your reply-to and SMTP email information
1. Verify your authentication requirements with your email administrator and use
the **SMTP Authentication Mechanism** drop-down menu to select `None`, `Plain`,
or `CRAMMD5`.
If you have no SMTP authentication requirements, select `None`.
1. Click **Save**.
<p class="note"><strong>Note</strong>: If you do not configure the SMTP settings using this form, the administrator must create orgs and users using the cf CLI tool. See <a href="../adminguide/cli-user-management.html">Creating and Managing Users with the cf CLI</a> for more information.</p>
## <a id='config-cc'></a>Step 16: Configure Cloud Controller##
<%= partial 'cloud-controller' %>
## <a id='config-smoke-test'></a>Step 17: Configure Smoke Tests ##
<%= partial '_smoketests' %>
## <a id='er-advanced'></a>Step 18: (Optional) Enable Advanced Features ##
<%= partial 'advanced-features' %>
## <a id='er-errands'></a>Step 19: Configure Errands ##
<%= partial 'errands' %>
## <a id='resources'></a>Step 20: (Optional) Configure Resources ##
<p class="note"><strong>Note</strong>: Ops Manager <%= vars.current_major_version %> defines specific instance types with preset sizes for CPU, memory, and disk space. Ops Manager 1.6 and earlier required custom sizes for these three resources. With the upgrade from 1.6 to 1.7, each instance adopts the type that most closely matches its previous sizes. To change these resource allocations, select a different instance <code>type</code> under <strong>Resource Config</strong>.</p>
PAS defaults to a highly available resource configuration. However, you may still need to perform additional procedures to make your deployment highly available. See the [Zero Downtime Deployment and Scaling in CF](../concepts/high-availability.html) and the [Scaling Instances in PAS](../opsguide/scaling-ert-components.html) topics for more information.
If you do not want a highly available resource configuration, you must scale down your instances manually by navigating to the **Resource Config** section and using the drop-down menus under **Instances** for each job.
<%= image_tag("images/vcloud-vchs/resource_config-v.png") %>
By default, PAS also uses an internal filestore and internal databases.
If you configure PAS to use external resources, you can disable the
corresponding system-provided resources in Ops Manager to reduce costs and
administrative overhead.
Complete the following procedures to disable specific VMs in Ops Manager:
1. Click **Resource Config**.
1. If you configure PAS to use an external S3-compatible filestore,
edit the following fields:
* **File Storage**: Enter `0` in **Instances**.
1. If you selected **External** when configuring the UAA and System databases, edit the following fields:
* **MySQL Proxy**: Enter `0` in **Instances**.
* **MySQL Server**: Enter `0` in **Instances**.
* **MySQL Monitor**: Enter `0` in **Instances**.
* **Cloud Controller Database**: Enter `0` in **Instances**.
* **UAA Database**: Enter `0` in **Instances**.
1. If you are using an External Load Balancer instead of HAProxy, enter `0` in the **Instances** field for **HAProxy**.
1. Click **Save**.
## <a id='stemcell'></a>Step 21: Configure Stemcell ##
1. Select **Stemcell**.
This page displays the stemcell version that shipped with Ops Manager.
<%= image_tag("stemcell.png") %>
You can also use this page to import a new stemcell version. You only need to import a new Stemcell if your Ops Manager does not already have the Stemcell version required by PAS.
## <a id='complete'></a>Step 22: Complete the PAS Installation ##
1. Click the **Installation Dashboard** link to return to the Installation
Dashboard.
1. Click **Apply Changes**. If the following ICMP error message appears, click
**Ignore errors and start the install**.
<%= image_tag("cloudform/install-error.png") %>
The install process generally requires a minimum of 90 minutes to complete.
The image shows the Changes Applied window that displays when the
installation process successfully completes.
<%= image_tag("cloudform/ops-manager-complete.png") %>