Pivotal Knowledge Base


Cloud Foundry "allow-access" Fails due to Issue with MySQL Version for Container Networking



In PCF 1.10 and PCF 1.11, When trying to use CF CLI with the network policy plugin for administering policies, the allow-access [0] command will fail with the following error:

$cf allow-access <SOURCE-APP> <DESTINATION-APP> --protocol <PROTOCOL> --port <PORT>
Allowing traffic from <SOURCE-APP> to <DESTINATION-APP> as admin... 
adding policies: 500 Internal Server Error: policies-create: database create failed

Problems creating policies are usually related to issues on the policy server virtual machines (VMs). When the policy server is backed by MySQL versions < 5.7, a user may see this error when trying to create a policy. If you troubleshoot further by looking at the policy-server logs you will see something like

"container-networking.policy-server.policies-create: database create failed","log_level":2,"data":
{"error":"creating destination: Error 1064: You have an error in your SQL syntax; check the manual
that corresponds to your MySQL server version for the right syntax to use near 'WHERE\n\t\tNOT
EXISTS (\n\t\t\tSELECT *\n\t\t\tFROM destinations\n\t\t\tWHERE group_id = ? AND ' at line 3"}}

NOTE: In 1.10 the policy server is co-located on the cloud controller VM(s) so `bosh ssh` onto the cloud controller VM and view the logs in /var/vcap/sys/log/policy-server/*. In 1.11 the policy server has it's own vm so `bosh ssh` onto the policy-server VM and view the logs in /var/vcap/sys/log/policy-server/*.


To resolve this issue, please upgrade Pivotal Cloud Foundry Elastic Runtime version to 1.10.33 [1] for PCF 1.10 and 1.11.17 for PCF version 1.11 

Additional Information

[1] https://docs.pivotal.io/pivotalcf/1-11/devguide/deploy-apps/cf-networking.html#create-policies

[2] https://docs.pivotal.io/pivotalcf/1-10/pcf-release-notes/runtime-rn.html#1.10.33

[3] https://docs.pivotal.io/pivotalcf/1-11/pcf-release-notes/runtime-rn.html#1.11.17


Powered by Zendesk