Pivotal Knowledge Base

Cloud Foundry allow-access fails due to issue with MySQL version for container networking

Environment

Pivotal Cloud Foundry® (PCF) 1.10, 1.11

Symptom

In PCF 1.10 and PCF 1.11, when you use the CF CLI with the network policy plugin to administer policies, the allow-access [0] command fails with the following error:

$ cf allow-access <SOURCE-APP> <DESTINATION-APP> --protocol <PROTOCOL> --port <PORT>
Allowing traffic from <SOURCE-APP> to <DESTINATION-APP> as admin... 
FAILED 
adding policies: 500 Internal Server Error: policies-create: database create failed

Problems creating policies are usually related to issues on the policy server VM(s). When the policy server is backed by a MySQL version earlier than 5.7, a user may see this error when trying to create a policy. If you troubleshoot further by looking at the policy-server logs, you will see something like the following:

{"timestamp":"1509378875.429716587","source":"container-networking.policy-server","message":
"container-networking.policy-server.policies-create: database create failed","log_level":2,"data":
{"error":"creating destination: Error 1064: You have an error in your SQL syntax; check the manual
that corresponds to your MySQL server version for the right syntax to use near 'WHERE\n\t\tNOT
EXISTS (\n\t\t\tSELECT *\n\t\t\tFROM destinations\n\t\t\tWHERE group_id = ? AND ' at line 3"}}

NOTE: In 1.10 the policy server is co-located on the cloud controller VM(s), so `bosh ssh` onto the cloud controller VM and view the logs in /var/vcap/sys/log/policy-server/*. In 1.11 the policy server has its own VM, so `bosh ssh` onto the policy-server VM and view the logs in /var/vcap/sys/log/policy-server/*.
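
To tell this MySQL syntax failure apart from other causes of "database create failed", the log lines can be triaged with a short script. This is an added example, not part of the original article or of any Pivotal tooling; the function names are hypothetical, and it assumes one JSON entry per line, as in the excerpt above.

```python
import json
from datetime import datetime, timezone

# Signature strings taken from the log excerpt in this article.
MESSAGE_SUFFIX = "policies-create: database create failed"
SQL_SYNTAX_MARKER = "Error 1064"

def classify(line):
    """Return None for unrelated lines, else details of the failed policy create."""
    try:
        entry = json.loads(line)
    except ValueError:
        return None  # not a JSON log line
    if not isinstance(entry, dict):
        return None
    if not str(entry.get("message", "")).endswith(MESSAGE_SUFFIX):
        return None
    data = entry.get("data")
    error = str(data.get("error", "")) if isinstance(data, dict) else ""
    try:
        # The timestamp is epoch seconds stored as a string.
        stamp = datetime.fromtimestamp(float(entry["timestamp"]), tz=timezone.utc)
        when = stamp.isoformat(timespec="seconds")
    except (KeyError, TypeError, ValueError, OverflowError, OSError):
        when = None
    return {"time": when, "sql_syntax_error": SQL_SYNTAX_MARKER in error, "error": error}

def scan(lines):
    """Classify every line and keep only the policy-create failures."""
    return [hit for hit in map(classify, lines) if hit is not None]

SAMPLE_LINES = [
    # The article's excerpt, joined back onto one line.
    r'''{"timestamp":"1509378875.429716587","source":"container-networking.policy-server",'''
    r'''"message":"container-networking.policy-server.policies-create: database create failed",'''
    r'''"log_level":2,"data":{"error":"creating destination: Error 1064: You have an error in '''
    r'''your SQL syntax; check the manual that corresponds to your MySQL server version for the '''
    r'''right syntax to use near 'WHERE\n\t\tNOT EXISTS (\n\t\t\tSELECT *\n\t\t\tFROM '''
    r'''destinations\n\t\t\tWHERE group_id = ? AND ' at line 3"}}''',
    # Constructed: same message, unrelated database error.
    r'''{"timestamp":"1509378900.000000000","source":"container-networking.policy-server",'''
    r'''"message":"container-networking.policy-server.policies-create: database create failed",'''
    r'''"log_level":2,"data":{"error":"constructed example: connection refused"}}''',
    "constructed non-JSON line",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LINES):
        verdict = "MySQL syntax error (this article)" if hit["sql_syntax_error"] else "other cause"
        print(hit["time"], verdict)
```

Only entries flagged as a MySQL syntax error match the symptom described here; other "database create failed" entries point to a different cause.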

Resolution

To resolve this issue, upgrade Pivotal Cloud Foundry Elastic Runtime to version 1.10.33 [1] for PCF 1.10 and to version 1.11.17 [2] for PCF 1.11.

Additional Information

[0] https://docs.pivotal.io/pivotalcf/1-11/devguide/deploy-apps/cf-networking.html#create-policies

[1] https://docs.pivotal.io/pivotalcf/1-10/pcf-release-notes/runtime-rn.html#1.10.33

[2] https://docs.pivotal.io/pivotalcf/1-11/pcf-release-notes/runtime-rn.html#1.11.17
