Moving at the speed of startup
with Pivotal Cloud Foundry 1.11
July 19, 2017
Jared Ruckle @jaredruckle
Pieter Humphrey @pieterhumphrey

We believe transforming how the
world builds software will shape
the future of our world

Transforming
The Ops & Security Experience

4
Rotate, Repave, Repair
Cloud Native Security
Repair
■ App, Runtime, Server, OS within hrs of patch availability
Repave
■ Servers and Apps from known good state
Rotate
■ Credentials, API Keys, Secrets

Setting the stage for CredHub
5
A central point of control for credential lifecycle management
Ops Mgr deploys CredHub v1.0 in preparation for Pivotal’s planned changes to
credential management
■ Today: Credentials are created by Ops Mgr and present in BOSH manifest
files
■ PCF 1.11.x: Ops Mgr creates BOSH manifest files that request credentials
from CredHub at the time of deployment
■ First step towards Pivotal’s larger “rotate” vision
■ Compatible tiles being released incrementally during 1.11 patches

Single Sign-On Refresher
6
■ Integrates with any enterprise identity federation systems (using SAML/
OpenID Connect)
■ Presents associated IDMs in a Cloud Foundry Marketplace,
preconfigured for deployed applications to integrate with.
■ Converts complex SAML exchanges into basic OAuth tokens for
applications to consume.
■ Allow for rapid security enablement of Java Spring Applications as
Spring Security can process and enforce OAuth tokens.

New in Single Sign-On 1.4
7
Adding lots of new UI, easier onboarding
■ Admin User Management UI
■ OIDC Identity Provider Management UI
■ LDAP Identity Provider Management UI
■ UserInfo Roles/User Attribute (UI)
■ Required User Groups (Bootstrap Only)
■ Application Configuration Bootstrapping

NSX-V Security Group Integration
8
Leverage VMware networking for PCF
■ Operators use NSX-V Security
Groups to apply network security
policies to VMs that run PCF
components
■ Operators specify pre-existing
Security Group for each set of VMs -
BOSH applies Security Group when
creating VMs

Other Security improvements
9
OPSMan VM Hardening
■ The Ops Mgr VM is now built using the BOSH stemcell, rather than a
conventional Ubuntu base OS image
TLS based syslog of component logs
■ Transport component logs to syslog consumers over TLS
■ ERT now packages Pivotal’s syslog BOSH release
SHA2 checksums
■ Verify the data integrity of PCF ERT files by using each file's SHA2
checksum (rather than MD5 as in previous releases)

Container to Container Networking GA
10
Firewall Rules at application level, across containers
■ Use “zero trust” principles to improve your
security posture
■ Configure network permission policies between
applications
■ The feature lays the foundation for additional
providers like NSX and non-application
destination policy
■ Enable and disable inter-application
communication as a global policy
■ Developers specify which applications (and on
which ports) direct communication is permitted
B
C
A
https://cloudfoundry.org/meet-new-container-networking-stack-cloud-foundry/

BOSH Backup & Restore (BBR) beta
11
Backup and restore ERT
■ Replaces CFOps
■ BBR works for any
deployment or BOSH
director that implements
backup / restore.
■ Decentralized responsibility.
BOSH release authors
control their own logic.
■ Supports on-demand
instances.
■ Reduced downtime for
writing to ERT’s Cloud API
https://content.pivotal.io/blog/cloud-native-recovery-tool-bosh-backup-restore-now-available-in-public-beta

OpsMan Audit, Compliance and Logging
12
■ Apply Changes to BOSH Director only, defer
others (helps with BBR)
■ The BOSH CLI enables collection of OpsMan
logs from an instance group or all VMs in an
entire deployment at once, delivered as tarball
■ OpsMan VM logs all commands via linux auditD,
SSH and subequent user commands logged
■ BOSH Director sends logs to Syslog, for
external monitoring integration

13
Other Operational improvements
■ Azure Managed Disks for PCF
■ UAA and CC Databases to embedded mySQL
■ Default to HA configuration on Install

14
MANAGE UPDATE AUTOMATE RESPOND UPTIME OPTIMIZE
Running,
configuration,
troubleshooting,
and proactive
monitoring of the
PCF platform
Performing all
software updates to
Pivotal Cloud
Foundry
components and
supporting software
Completion of
automation requests
related to the
operations of PCF,
including installation
of new tiles for
supported services
24x7x365
15-minute response
time SLA for
emergency issues
(i.e., when the PCF
API is partially or
wholly inoperable)
99.99% API uptime
SLA, except for
during Maintenance
(see product terms
and conditions for
exceptions)
Maintaining and
updating the
underlying IaaS to
achieve optimal PCF
platform performance*
*Optional service; could be
provided and managed by
customer if preferred;
additional scoping
discussion required
Rackspace Managed Pivotal Cloud Foundry
Operations Solution that’s ready on Day 1
http://www.zdnet.com/article/rackspace-launches-pivotal-cloud-foundry-managed-service-
spins-up-managed-google-cloud-platform-beta/

Transforming
The Spring Experience

PCF Metrics 1.4: Custom Metrics
16
Visualize and filter metrics by AI, reduced VM footprint
■ Send application metrics to the Firehose,
and subsequently to PCF Metrics, for
time series visualization
■ Supports Spring Boot Actuator metrics
out-of-the-box

Spring Cloud Services 1.4
17
Microservice Infrastructure
■ Spring Cloud Services updated to Dalston
release
■ Config Server now supports Hashicorp Vault &
multiple config repos
■ Spring Cloud Data Flow 1.2 (beta tile for PCF
coming soon)
https://content.pivotal.io/blog/spring-cloud-services-supports-vault-multiple-backends-use-the-right-config-repo-for-the-job

Java Buildpack v4.1
18
Improvement memory management and OOM behavior
■ Improved JVM memory calculation, resulting in
fewer app terminations
■ Improved JVM Out of Memory Behavior - JVM
terminal failures now include useful
troubleshooting data: a histogram of the heap to
the logs
■ Memory calculator configuration is simplified, with
the use of standard Java memory flags.
https://www.cloudfoundry.org/just-released-java-buildpack-4-0/

19
Apps Manager & Spring Boot Actuators
New UI controls to create and manage these jobs
■ Boot Actuator Heap Dumps
■ Boot Actuator HTTP Request Traces
■ Boot Actuator Thread Dumps
■ Display custom /health heck
https://content.pivotal.io/blog/using-spring-boot-actuator-integrations-with-pivotal-cloud-foundry-111

Transforming
The Dev Experience

Support for Private Docker Repositories
21
Run your Docker packaged applications!
Docker registry
Diego Cells
Garden
runC
OAuth Server
(1) Get repository
manifest
(2) Requires token
- points to OAuth
server to use
(3) Request token
for repository
(4) Receive token
for repository
(5) Get repository
Manifest (w/ token)
rep Diego
Cloud
Controller
CLI
Stored
encrypted
Stored
encrypted

NFS v3 Volume Services GA
22
Supporting filesystem-based data services in PCF
What it is:
■ Access external NFS v3 filesystems as a service
■ Volume mount NFS v3 shares to apps
What this isn’t
■ Linux only, no Windows support yet
■ Docker apps have not been tested
■ Read-write support (read-only support is untested)
■ Access-control is left to the app developer, the user binding to the
service picks a UID to use with the NFS server (No LDAP
integration)
■ NFSv4 is not supported which also means that EFS is not
supported
■ No HA support (deploy one instance of your service broker)https://content.pivotal.io/blog/apps-that-depend-on-file-storage-bring-em-over-to-pivotal-cloud-foundry

Redis v1.8 on-demand
23
In-memory Key-Value / Cache for Pivotal Cloud Foundry
■ Operator enabled plans
■ Operator set Redis properties
■ Optimized for cache use cases
■ Quotas
■ App Developer provisioned instances
■ App Developer set Redis properties via arbitrary
parameters

mySQL 2.0 on-demand
24
Popular Relational DB for Pivotal Cloud Foundry
■ MySQL as an on-demand service
■ Metrics from service instances
■ Metrics from service broker
■ Backups to S3 compatible blobstores, via SCP,
GCS, or Azure
■ Optional audit and userstat logging

Scheduler beta: cron for Pivotal Cloud Foundry
25
Flexible scheduling for your modern applications
Schedule and execute Tasks in regular intervals
■ Common use cases: performing nightly updates
to e-commerce sites & database backups
■ Use with Spring Batch & Spring Cloud Task
microservices

26
Apps Manager improvements
New UI controls to create and manage these jobs
■ App Search
■ Declare Route Services
■ Task Usage Report

App Log Retention and capacity improvements
27
gRPC implementation
■ Scale App Logs with
Loggregator to 4M logs /
sec
■ Firehose and/or syslog
drains delivers log data

https://pivotal.io/event/pivotal-cloud-native-roadshow