In the App Containers pane, you configure microservice frameworks, private Docker registries, and other services that support your apps at the container level.

To configure the App Containers pane:

1. Select App Containers.

2. The Allow custom buildpacks check box governs the ability to pass a custom buildpack URL to the -b option of the cf push command. This check box is selected by default, letting developers use custom buildpacks when deploying apps. To disallow the use of custom buildpacks, deselect the Allow custom buildpacks check box. For more information about custom buildpacks, see Buildpacks.

3. The Allow SSH access to app containers check box controls SSH access to app instances. To allow SSH access across your deployment, select the Allow SSH access to app containers check box. To prevent all SSH access, deselect the Allow SSH access to app containers check box. For more information about SSH access permissions at the space and app level, see App SSH overview.

   Important To allow SSH traffic, ensure that port 2222 is open on your load balancer.

   You can give SSH access to an app only if an admin assigns you a Space Developer role in the space where the app runs. For more information, see Manage App Space Roles in Managing User Roles with Apps Manager.

4. To allow SSH access for new apps by default in spaces that allow SSH, select the Allow SSH access when an app is created check box. If you deselect this check box, developers can still allow SSH access after pushing their apps by running cf enable-ssh APP-NAME, where APP-NAME is the name of the app.

5. (Optional) To give apps that generally stay within their CPU entitlements priority access to extra CPU during CPU bursts, select the Allow CPU burst optimization check box. This check box is selected by default. When this check box is selected, apps that generally stay within their CPU entitlements have higher-priority access to extra CPU than apps that generally exceed their CPU entitlements. When this check box is deselected, all apps have equal access to extra CPU during CPU bursts. Whether you select or deselect this check box, all apps are always guaranteed the amount of CPU that is within their CPU entitlements.

6. Under Gorouter app identity verification, choose how the Gorouter verifies app identity to allow encryption and prevent misrouting:

   Caution This feature does not work if The Gorouter does not request client certificates is selected under Gorouter behavior for client certificate validation in the Networking pane.

   • The Gorouter uses TLS to verify app identity: Allows the Gorouter to verify app identity using TLS. This option is selected by default.
   • The Gorouter and apps use mutual TLS to verify each other’s identity: Allows your apps and the Gorouter to verify each other’s identity using mutual TLS (mTLS). This option deselects TCP routing because app containers accept incoming communication only from the Gorouter.

   For more information, see Preventing misrouting in HTTP Routing.

7. To configure TAS for VMs to run app instances in Docker containers, enter a comma-separated list of their IP address ranges in the Docker registry allow list field. For more information, see Using Docker Registries.

8. Under Diego Cell disk cleanup scheduling, select one of the following options:

   • Never clean up disk space: Diego Cells never schedule disk cleanups. VMware does not recommend selecting this option for production environments.
   • Routinely clean up disk space: Diego Cells schedule a disk cleanup whenever a container is created. Running the disk cleanup process this frequently can negatively impact Diego Cell performance.
   • Clean up disk space once usage fills disk: Diego Cells schedule a disk cleanup only when disk use encroaches on the space reserved for other jobs. If you select this option, enter in MB the amount of space that you want the garbage collection algorithm to keep free for other jobs in the Reserved disk space for other jobs field. For more information about the configuration options and how to configure a reserved amount, see Configuring Diego Cell Disk Cleanup Scheduling.

9. The Allow containerd delegation check box governs whether Garden delegates container create and destroy operations to the containerd tool. This check box is selected by default. To disallow Garden delegating container create and destroy operations to containerd, deselect the Allow containerd delegation check box. For more information about the containerd tool, see the containerd website.

10. For Maximum in-flight container starts, enter the maximum number of started instances you want to allow across all Diego Cells in your deployment. Entering 0 sets no limit. The default value is 200. For more information, see Set a maximum number of started containers in Configuring TAS for VMs for Upgrades.

11. Under NFSv3 volume services, select Allow or Do not allow. Deploying NFS volume services allows app developers to bind existing NFS volumes to their apps for shared file access. For more information, see Enabling Volume Services.

    Important In a new installation of TAS for VMs, he NFSv3 volume services check box is selected by default. When you upgrade from an earlier version of TAS for VMs, the NFSv3 volume services check box is automatically configured the same way it was configured in the earlier version.

12. (Optional) To configure LDAP for NFSv3 volume services:

    • For LDAP service account user, enter the user name of the service account in LDAP that manages volume services.
    • For LDAP service account password, enter the password for the service account.
    • For LDAP server host, enter the hostname or IP address of the LDAP server.
    • For LDAP server port, enter the LDAP server port number. If you do not specify a port number, Tanzu Operations Manager uses 389.
    • For LDAP user search base, enter the location in the LDAP directory tree from which any LDAP user search begins. The typical LDAP search base matches your domain name.
      For example, a domain named cloud.example.com typically uses ou=Users,dc=example,dc=com as its LDAP user search base.
    • (Optional) If your LDAP server supports TLS and you want to allow TLS connections from the NFS driver to your LDAP server, enter the root certificate from your CA certificate or your self-signed certificate in LDAP server CA certificate.

    Important UAA can parse only one certificate entered into this text box. If you enter multiple certificates, UAA uses only the first one you entered and ignores the rest. You need one root certificate or self-signed certificate.

13. (Optional) To deploy SMB volume services, select the Allow SMB volume services check box. Deploying SMB volume services allows developers to bind existing SMB shares to their apps. For more information, see Enabling Volume Services.

    Important If you deploy SMB volume services, you must set the SMB Broker Errand to On in the Errands pane.

14. (Optional) To force all SMB shares to mount with the noserverino mount option, select the Force noserverino mount option for SMB mounts check box.

15. (Optional) To modify the amount of time that health checks wait to receive a healthy response from an app before the app is declared unhealthy, enter the number of seconds you want the timeout period to last in Default health check timeout. If the health check does not receive a healthy response from a newly-started app within the configured timeout period, then the app is declared unhealthy. The default value is 60. The maximum value you can configure is 600.

    If you decrease the default health check timeout below its current value, existing apps with startup times greater than the new value might fail to start up.

16. (Optional) To limit the number of log lines an app instance can generate per second, select Enable under App log rate limit (deprecated) and enter an integer for Maximum app log lines per second. At minimum, VMware recommends using the default limit of 100. This feature is deactivated by default.

    Important This method of limiting log output from applications is deprecated. VMware recommends using the log rate limiting quota feature which provides more granular control over application log output.

17. Click Save.