forked from pivotal-cf/docs-pcf-install
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathgcp-er-config.html.md.erb
322 lines (198 loc) · 16.1 KB
/
gcp-er-config.html.md.erb
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
---
title: Deploying Elastic Runtime on GCP
owner: Ops Manager
---
<strong><%= modified_date %></strong>
<html class="list-style-none"></html>
This topic describes how to install and configure Elastic Runtime for Pivotal Cloud Foundry (PCF) on Google Cloud Platform (GCP).
Before beginning this procedure, ensure that you have successfully completed the [Configuring Ops Manager Director on GCP](./cloudform-om-config.html) topic.
<p class="note"><strong>Note</strong>: If you plan to <a href="http://docs.pivotal.io/addon-ipsec/installing.html">install the PCF IPsec add-on</a>, you must do so before installing any other tiles. Pivotal recommends installing IPsec immediately after Ops Manager, and before installing the Elastic Runtime tile. </p>
## <a id='download-er'></a> Step 1: Download the Elastic Runtime Tile ##
1. If you have not already downloaded Elastic Runtime, log in to [Pivotal Network](https://network.pivotal.io/products/pivotal-cf), and click on **Pivotal Cloud Foundry Elastic Runtime**.
1. From the **Releases** drop-down, select the release to install.
1. Click on **PCF Elastic Runtime** to download the Elastic Runtime .pivotal file
## <a id='add-er'></a> Step 2: Add Elastic Runtime to Ops Manager ##
1. Navigate to the Pivotal Cloud Foundry Operations Manager Installation Dashboard.
1. Click **Import a Product** to add the Elastic Runtime tile to Ops Manager. This may take a while depending on your connection speed.
<p class="note"><strong>Tip</strong>: After you import a tile to Ops Manager, you can view the latest available version of that tile in the Installation Dashboard by enabling the Pivotal Network API. For more information, refer to the [Adding and Deleting Products](./add-delete.html#pivnet-api) topic.</p>
1. On the left, click the plus icon next to the imported Elastic Runtime product to add it to the Installation Dashboard.
1. Click the newly added **Elastic Runtime** tile in the Installation Dashboard.
<%= image_tag('images/er-tile.png') %>
## <a id='assign-az'></a> Step 3: Assign Availability Zones and Networks ##
1. Select **Assign AZ and Networks**. These are the Availability Zones that you [create](./gcp-om-config.html#az) when configuring Ops Manager Director.
1. Select an Availability Zone under **Place singleton jobs**. Ops Manager runs any job with a single instance in this Availability Zone.
1. Select one or more Availability Zones under **Balance other jobs**. Ops Manager balances instances of jobs with more than one instance across the Availability Zones that you specify.
<p class="note"><strong>Note</strong>: For production deployments, Pivotal recommends at least three Availability Zones for a highly available installation of Elastic Runtime.</p>
1. From the **Network** drop-down box, choose the network on which you want to run Elastic Runtime.
<%= image_tag("images/er-az.png") %>
1. Click **Save**.
## <a id='cname'></a> Step 4: Add DNS Records for Your Load Balancers ##
In this step you redirect queries for your domain to the IP addresses of your load balancers.
1. Locate the static IP addresses of the load balancers you created in [Preparing to Deploy PCF on GCP](./gcp-prepare-env.html):
* An HTTP(S) load balancer named `pcf-router`
* A TCP load balancer for WebSockets named `pcf-websockets`
* A TCP load balancer named `pcf-ssh`
* A TCP load balancer for the TCP router if you plan on enabling the TCP routing feature
<p class="note"><strong>Note</strong>: You can locate the static IP address of each load balancer by clicking its name under <strong>Networks > Load balancing</strong> in the GCP Console.</p>
1. Log in to the DNS registrar that hosts your domain. Examples of DNS registrars include Network Solutions, GoDaddy, and Register.com.
1. Create **A records** with your DNS registrar that map domain names to the public static IP addresses of the load balancers located above:
<table border="1" valign="top">
<tr>
<th>If your DNS entry is:</th><th>Set to the public IP of this load balancer:</th><th>Required</th><th>Example</th>
</tr>
<tr>
<td>\*.YOURSYSTEMDOMAIN</td>
<td><code>pcf-router</code></td>
<td>Yes</td>
<td>\*.system.example.com</td>
</tr>
<tr>
<td>\*.YOURAPPSDOMAIN</td>
<td><code>pcf-router</code></td>
<td>Yes</td>
<td>\*.apps.example.com</td>
</tr>
<tr>
<td>doppler.YOURSYSTEMDOMAIN</td>
<td><code>pcf-websockets</code></td>
<td>Yes</td>
<td>doppler.system.example.com</td>
</tr>
<tr>
<td>loggregator.YOURSYSTEMDOMAIN</td>
<td><code>pcf-websockets</code></td>
<td>Yes</td>
<td>loggregator.system.example.com</td>
</tr>
<tr>
<td>ssh.YOURSYSTEMDOMAIN</td>
<td><code>pcf-ssh</code></td>
<td>Yes, to allow SSH access to apps</td>
<td>ssh.system.example.com</td>
</tr>
<tr>
<td>tcp.YOURDOMAIN</td>
<td>IP address of the TCP load balancer for TCP routing</td>
<td>No, only set up if you have enabled the TCP routing feature</td>
<td>tcp.example.com</td>
</tr>
</table>
1. Save changes within the web interface of your DNS registrar.
1. In a terminal window, run the following `dig` command to confirm that you created your A record successfully:
<pre class='terminal'>dig xyz.EXAMPLE.COM</pre>
You should see the A record that you just created:
<pre class='terminal'>
;; ANSWER SECTION:
xyz.EXAMPLE.COM. 1767 IN A 203.0.113.1</pre>
<p class='note'><strong>Note</strong>: You <strong>must</strong> complete this step before proceeding to Cloud Controller configuration. A difficult-to-resolve problem can occur if the wildcard domain is improperly cached before the A record is registered. </p>
## <a id='er-domain-config'></a> Step 5: Configure Domains ##
1. Select **Domains**.
<%= image_tag("domains.png") %>
1. Enter the system and application domains.
* The **System Domain** defines your target when you push apps to Elastic
Runtime.
* The **Apps Domain** defines where Elastic Runtime serves your apps.
<p class="note"><strong>Note</strong>: Pivotal recommends that you use the same domain name but different subdomain names for your system and app domains. For example, use <code>system.example.com</code> for your system domain, and <code>apps.example.com</code> for your apps domain.</p>
1. Click **Save**.
## <a id='networking'></a> Step 6: Configure Networking ##
<%= partial 'networking-gcp' %>
## <a id='application-containers-config'></a>Step 7: Configure Application Containers ##
<%= partial 'application_container_config' %>
## <a id='er-appdevctrl-config'></a>Step 8: Configure Application Developer Controls ##
<%= partial 'application_developer_controls' %>
## <a id='app-security'></a> Step 9: Review Application Security Groups ##
<%= partial 'application_security_group' %>
## <a id='er-auth-config'></a> Step 10: Configure Authentication and Enterprise SSO ##
<%= partial 'authsso_config' %>
## <a id='sys-db'></a>Step 11: Configure System Databases ##
You can configure Elastic Runtime to use the internal MySQL database provided with PCF, or you can configure an external database provider for the databases required by Elastic Runtime.
<p class="note"><strong>Note</strong>: If you are performing an upgrade, do not modify your existing internal database configuration or you may lose data. You must migrate your existing data first before changing the configuration. Contact Pivotal Support for help. See <a href="upgrading-pcf.html">Upgrading Pivotal Cloud Foundry</a> for additional upgrade information.</p>
###<a id='internal-db'></a> Internal Database Configuration
<%= partial 'ert_database_internal' %>
Then proceed to [Step 12: (Optional) Configure Internal MySQL](#internal-mysql) to configure high availability and automatic backups for your internal MySQL databases.
###<a id='create-dbs'></a> External Database Configuration
<%= partial 'ert_database_external' %>
## <a id='internal-mysql'></a> Step 12: (Optional) Configure Internal MySQL ##
<%= partial 'mysql_proxy_config_gcp' %>
## <a id='filestore'></a>Step 13: Configure File Storage ##
<%= partial 'filestore_config' %>
For production-level PCF deployments on GCP, Pivotal recommends selecting **External Google Cloud Storage**. For more information about production-level PCF deployments on GCP, see the [Reference Architecture for Pivotal Cloud Foundry on GCP](../refarch/gcp/gcp_ref_arch.html).
For additional factors to consider when selecting file storage, see the <a href="../opsguide/storage_considerations.html">Considerations for Selecting File Storage in Pivotal Cloud Foundry</a> topic.
### <a id='internal_filestore'></a> Internal Filestore
<%= partial 'filestore_internal' %>
### <a id='external_gcp'></a> External Google Cloud Storage
<%= partial 'filestore_gcp_config' %>
### <a id='other'></a> Other IaaS Storage Options
[Azure Storage](./azure-er-config.html#external_azure) and [External S3-Compatible File Storage](./cloudform-er-config.html#external_s3) are also available as file storage options, but are not recommended for a typical PCF on GCP installation.
## <a id='sys-logging'></a>Step 14: (Optional) Configure System Logging ##
If you are forwarding logging messages to an external Reliable Event Logging Protocol (RELP) server, complete the following steps:
1. Select **System Logging**.
<%= image_tag("cloudform/sys-logging.png") %>
1. If you want to include security events in your log stream, select the **Enable Cloud Controller security event logging** checkbox. This logs all API requests, including the endpoint, user, source IP address, and request result, in the Common Event Format (CEF).
1. Enter the IP address of your syslog server in **External Syslog Aggregator Hostname** and its port in **External Syslog Aggregator Port**. The default port for a syslog server is `514`.
<p class="note"><strong>Note</strong>: The host must be reachable from the Elastic Runtime network, accept TCP connections, and use the RELP protocol. Ensure your syslog server listens on external interfaces.</p>
1. Select an **External Syslog Network Protocol** to use when forwarding logs.
1. For the **Syslog Drain Buffer Size**, enter the number of messages the Doppler server can hold from Metron agents before the server starts to drop them. See the [Loggregator Guide for Cloud Foundry Operators](../loggregator/log-ops-guide.html) topic for more details.
1. Click **Save**.
## <a id='customize-apps-man'></a>Step 15: (Optional) Customize Apps Manager##
<%= partial 'custombranding' %>
## <a id='smtp'></a>Step 16: (Optional) Configure Email Notifications ##
Elastic Runtime uses SMTP to send invitations and confirmations to Apps Manager
users.
You must complete the **Email Notifications** page if you want to enable
end-user self-registration.
1. Select **Email Notifications**.
<%= image_tag("cloudform/smtp.png") %>
1. Enter your reply-to and SMTP email information.
1. For **SMTP Authentication Mechanism**, select `none`.
1. Click **Save**.
<p class='note'><strong>Note</strong>: If you do not configure the SMTP
settings using this form, the administrator must create orgs and users using
the cf CLI tool. See <a href="../adminguide/cli-user-management.html">Creating and Managing Users with the cf CLI</a> for more information.</p>
## <a id='ccdb-key'></a>Step 17: (Optional) Add CCDB Restore Key##
<%= partial 'restore_ccdb_key' %>
## <a id='config-smoke-test'></a>Step 18: Configure Smoke Tests##
<%= partial 'smoketests' %>
## <a id='advanced-features'></a>Step 19: (Optional) Enable Advanced Features ##
<%= partial 'advanced-features' %>
## <a id='errands'></a>Step 20: Configure Errands ##
<%= partial 'errands' %>
## <a id='config-lb'></a>Step 21: Configure Load Balancers ##
1. Navigate to the GCP Console and click **Load balancing**.
<%= image_tag('gcp/config-lb.png') %>
You should see the SSH load balancer, the HTTP(S) load balancer, the TCP WebSockets load balancer, and optionally, the TCP router that you created in the [Create Load Balancers in GCP](gcp-prepare-env.html#create_loadbalancers) section of the _Preparing to Deploy PCF on GCP_ topic.
1. Record the name of your SSH load balancer and your TCP WebSockets load balancer. For example, `pcf-ssh` and `pcf-websockets`.
1. Click your HTTP(S) load balancer. For example, `pcf-router`.
<%= image_tag('gcp/pcf-router.png') %>
1. Under **Backend services**, record the name of the backend service of the HTTP(S) load balancer. For example, `pcf-backend`.
1. In the **Elastic Runtime** tile, click **Resource Config**.
<%= image_tag("gcp/resource_config.png") %>
1. Under the **LOAD BALANCERS** column of the **Router** row, enter a comma-delimited list consisting of the name of your TCP WebSockets load balancer and the name of your HTTP(S) load balancer backend with the protocol prepended. For example, `tcp:pcf-websockets,http:pcf-backend`.
<p class="note"><strong>Note</strong>: Do not add a space between key/value pairs in the <code>LOAD BALANCER</code> field or it will fail.</p>
1. If you have enabled TCP routing in the <a href="#advanced-features">Advanced Features</a> pane and set up the <a href="./gcp-prepare-env.html#tcp_websockets_lb">TCP Load Balancer in GCP</a>, add the name of your TCP load balancer, prepended with <code>tcp:</code>, to the <strong>LOAD BALANCERS</strong> column of the <storng>TCP Router</strong> row. For example, <code>tcp:pcf-tcp-router</code>.
1. Under the **LOAD BALANCERS** column of the **Diego Brain** row, enter the name of your SSH load balancer prepended with `tcp:`. For example, `tcp:pcf-ssh`.
1. Verify that the **Internet Connected** checkbox for every job is checked to allow the jobs to reach the Internet. This gives all VMs a public IP address that enables outbound Internet access.
<p class="note"><strong>Note</strong>: If you want to provision a Network Address Translation (NAT) box to provide Internet connectivity to your VMs instead of providing them with public IP addresses, deselect the <strong>Internet Connected</strong> checkboxes. For more information about using NAT in GCP, see the <a href="https://cloud.google.com/compute/docs/networking">GCP documentation</a>.</p>
1. Click **Save**.
## <a id='disable-resources'></a>Step 21: (Optional) Scale Down and Disable Resources ##
<%= partial 'disable_resources' %>
## <a id='stemcell'></a>Step 22: Verify and Download Stemcell Version##
Verify whether Ops Manager is providing the stemcell version required by Elastic Runtime. If the correct version is already present, you do not need to download a new stemcell.
1. In the Elastic Runtime tile, select **Stemcell**.
1. Verify that the version indicated in the filename matches the version of stemcell required by Elastic Runtime.
* If Elastic Runtime detects that a stemcell `.tgz` file is present in the Ops Manager Director VM at `/var/tempest/stemcells/`, the Stemcell screen displays filename information.
<%= image_tag("stemcell_18.png") %>
* If Elastic Runtime cannot detect a stemcell `.tgz` file, the following message displays:
<%= image_tag("stemcell_not_found.png") %>
1. If the version of the stemcell file that is loaded does not match the required version listed in the <a href="http://network.pivotal.io">Pivotal Network</a> download page for Elastic Runtime, or cannot be found by Ops Manager, perform the following steps to download and import a new stemcell file:
1. Log in to the [Pivotal Network](https://network.pivotal.io/products/pivotal-cf) and click **Stemcells**.
1. Download the appropriate stemcell version targeted for your IaaS.
1. In the **Stemcell** section of the Elastic Runtime tile, click **Import Stemcell** to import the downloaded stemcell <code>.tgz</code> file.
## <a id='complete'></a>Step 23: Complete the Elastic Runtime Installation ##
1. Click the **Installation Dashboard** link to return to the Installation
Dashboard.
1. Click **Apply Changes**.
The install process generally requires a minimum of 90 minutes to complete.
The image shows the Changes Applied window that displays when the
installation process successfully completes.
<%= image_tag("cloudform/ops-manager-complete.png") %>