In the App Containers pane, you configure microservice frameworks, private Docker registries, and other services that support your apps at the container level.
To configure the App Containers pane:
Select App Containers.
The Allow custom buildpacks check box governs the ability to pass a custom buildpack URL to the -b
option of the cf push
command. This check box is selected by default, letting developers use custom buildpacks when deploying apps. To disallow the use of custom buildpacks, deselect the Allow custom buildpacks check box. For more information about custom buildpacks, see Buildpacks.
The Allow SSH access to app containers check box controls SSH access to app instances. To allow SSH access across your deployment, select the Allow SSH access to app containers check box. To prevent all SSH access, deselect the Allow SSH access to app containers check box. For more information about SSH access permissions at the space and app level, see App SSH overview.
Important To allow SSH traffic, ensure that port 2222
is open on your load balancer.
You can give SSH access to an app only if an admin assigns you a Space Developer role in the space where the app runs. For more information, see Manage App Space Roles in Managing User Roles with Apps Manager.
To allow SSH access for new apps by default in spaces that allow SSH, select the Allow SSH access when an app is created check box. If you deselect this check box, developers can still allow SSH access after pushing their apps by running cf enable-ssh APP-NAME
, where APP-NAME
is the name of the app.
(Optional) To give apps that generally stay within their CPU entitlements priority access to extra CPU during CPU bursts, select the Allow CPU burst optimization check box. This check box is selected by default. When this check box is selected, apps that generally stay within their CPU entitlements have higher-priority access to extra CPU than apps that generally exceed their CPU entitlements. When this check box is deselected, all apps have equal access to extra CPU during CPU bursts. Whether you select or deselect this check box, all apps are always guaranteed the amount of CPU that is within their CPU entitlements.
Under Gorouter app identity verification, choose how the Gorouter verifies app identity to allow encryption and prevent misrouting:
Caution This feature does not work if The Gorouter does not request client certificates is selected under Gorouter behavior for client certificate validation in the Networking pane.
For more information, see Preventing misrouting in HTTP Routing.
To configure TAS for VMs to run app instances in Docker containers, enter a comma-separated list of their IP address ranges in the Docker registry allow list field. For more information, see Using Docker Registries.
Under Diego Cell disk cleanup scheduling, select one of the following options:
The Allow containerd delegation check box governs whether Garden delegates container create and destroy operations to the containerd tool. This check box is selected by default. To disallow Garden delegating container create and destroy operations to containerd, deselect the Allow containerd delegation check box. For more information about the containerd tool, see the containerd website.
For Maximum in-flight container starts, enter the maximum number of started instances you want to allow across all Diego Cells in your deployment. Entering 0
sets no limit. The default value is 200
. For more information, see Set a maximum number of started containers in Configuring TAS for VMs for Upgrades.
Under NFSv3 volume services, select Allow or Do not allow. Deploying NFS volume services allows app developers to bind existing NFS volumes to their apps for shared file access. For more information, see Enabling Volume Services.
Important In a new installation of TAS for VMs, he NFSv3 volume services check box is selected by default. When you upgrade from an earlier version of TAS for VMs, the NFSv3 volume services check box is automatically configured the same way it was configured in the earlier version.
(Optional) To configure LDAP for NFSv3 volume services:
389
.cloud.example.com
typically uses ou=Users,dc=example,dc=com
as its LDAP user search base.Important UAA can parse only one certificate entered into this text box. If you enter multiple certificates, UAA uses only the first one you entered and ignores the rest. You need one root certificate or self-signed certificate.
(Optional) To deploy SMB volume services, select the Allow SMB volume services check box. Deploying SMB volume services allows developers to bind existing SMB shares to their apps. For more information, see Enabling Volume Services.
Important If you deploy SMB volume services, you must set the SMB Broker Errand to On in the Errands pane.
(Optional) To force all SMB shares to mount with the noserverino
mount option, select the Force noserverino mount option for SMB mounts check box.
(Optional) To modify the amount of time that health checks wait to receive a healthy response from an app before the app is declared unhealthy, enter the number of seconds you want the timeout period to last in Default health check timeout. If the health check does not receive a healthy response from a newly-started app within the configured timeout period, then the app is declared unhealthy. The default value is 60
. The maximum value you can configure is 600
.
If you decrease the default health check timeout below its current value, existing apps with startup times greater than the new value might fail to start up.
(Optional) To limit the number of log lines an app instance can generate per second, select Enable under App log rate limit (deprecated) and enter an integer for Maximum app log lines per second. At minimum, VMware recommends using the default limit of 100
. This feature is deactivated by default.
Important This method of limiting log output from applications is deprecated. VMware recommends using the log rate limiting quota feature which provides more granular control over application log output.
Click Save.