This repository has been archived by the owner on Jan 28, 2022. It is now read-only.

Unable to tunnel services with cf local stage & cf local run #27

Open
privettoli opened this issue Jun 1, 2018 · 5 comments

@privettoli

Hi,

I'm trying to use cf local with an on-prem hosted Pivotal CF.
After a successful cf login, while executing

cf local stage app-dev-green -e -f app-dev-green -p ../target/app-0.0.1-SNAPSHOT.war

I have the following errors:

Warning: unable to forward service: appdynamics-agent:appdynamics[0]
Warning: unable to forward service: config-server:p-config-server[0]
Warning: unable to forward service: redis-store:p-redis[0]
Warning: unable to forward service: config-server-keystore:user-provided[0]

So the problem that I experience is that tunneling of services doesn't work for me. Because of firewall restrictions, I'm unable to connect to the services from localhost with cf run.

I tried to investigate by reading the repo source code. I have a hypothesis that cf local is unable to get the credentials required for staging the app with tunneling.

Please point me in the right direction to solve the issue.

Thanks in advance,

@sclevine
Contributor

sclevine commented Jun 1, 2018

Hi @privettoli,

Are you able to cf ssh into app-dev-green?

@apapenko

apapenko commented Jun 1, 2018

Hi @sclevine,
Thanks for paying attention to my question.

Yes, I'm able to cf ssh, and that's the current solution I use (with no cf local).

@brantstuns

I am also experiencing the same issue with on-prem hosted PCF. I am able to connect with cf ssh as expected. The tunneling to our remote services appears to be failing when I try to stage with the -f option or stage and run with the -s option.

@sclevine
Contributor

sclevine commented Jun 4, 2018

The service forwarding (-f) logic may not work with all types of services. CF Local attempts to replace the domains in the local copy of the service bindings with tunneled ports on localhost. Can you try with a p-mysql database and see if that works? We're considering a different implementation of this that works seamlessly with all services by forwarding all of the egress traffic through the remote app.

Note that for security, the tunnels aren't active during cf local stage. CF Local replaces the service binding domains with the same values as launch, but it doesn't actually open the tunnels. So firewall rules would only affect the tunnels in the cf local run case. I realize that this may break certain services that need to be accessible during staging (ex. proprietary APM agents that are downloaded from service instances during staging), and we have plans to address that eventually.

@till

till commented Apr 26, 2019

What kind of services can be tunnelled to?

I have a few user-provided services that I use for service discovery in an application. The backend services are HTTP APIs. My frontend uses apps.internal to communicate to backend services, etc. I can say that when I do the following, the user-provided service "shows" up:

cf cups foo -p '{"url":"http://foo.internal:1234"}'

By showing up, I mean, I can decode the VCAP env variable and see that.

But then I am still unable to connect to it from my local app.

I tried:

$ cf local stage app -s app -f backend-service
$ cf local run app -s app -f backend-service

I keep seeing:

Warning: unable to forward service: foo:user-provided[0]
Warning: 'backend-service' app selected for service forwarding will not be used
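
The binding rewrite sclevine describes (service domains replaced with tunneled ports on localhost), applied to a p-mysql binding and to the user-provided binding from the last comment, as an added sketch that is not part of the thread and not CF Local's code. It assumes a binding is forwardable only when its credentials carry a `hostname` or `host` field plus a `port` field; those field names, the local port numbering and the sample values are assumptions, and the warning text mirrors the output quoted above.

```python
import copy
import json

# Constructed sample VCAP_SERVICES: one binding with hostname/port fields and
# the thread's user-provided binding, whose credentials carry only a "url".
SAMPLE_VCAP = json.loads("""
{
  "p-mysql": [{"name": "orders-db", "label": "p-mysql",
    "credentials": {"hostname": "10.0.16.5", "port": 3306,
                    "jdbcUrl": "jdbc:mysql://10.0.16.5:3306/orders"}}],
  "user-provided": [{"name": "foo", "label": "user-provided",
    "credentials": {"url": "http://foo.internal:1234"}}]
}
""")

HOST_KEYS = ("hostname", "host")  # assumed field names, not taken from CF Local


def plan_forwarding(vcap, first_local_port=40000):
    """Return (rewritten bindings, tunnel plan, warnings); opens no sockets."""
    rewritten = copy.deepcopy(vcap)
    tunnels, warnings = [], []
    next_port = first_local_port
    for label, instances in rewritten.items():
        for index, instance in enumerate(instances):
            creds = instance.get("credentials", {})
            host_key = next((k for k in HOST_KEYS if k in creds), None)
            if host_key is None or "port" not in creds:
                # No explicit endpoint to tunnel: leave the binding untouched.
                warnings.append(f"unable to forward service: {instance['name']}:{label}[{index}]")
                continue
            remote = f"{creds[host_key]}:{creds['port']}"
            local = f"localhost:{next_port}"
            tunnels.append({"service": instance["name"], "remote": remote, "local": local})
            # Rewrite every string credential that embeds the remote endpoint.
            for key, value in list(creds.items()):
                if isinstance(value, str):
                    creds[key] = value.replace(remote, local)
            creds[host_key], creds["port"] = "localhost", next_port
            next_port += 1
    return rewritten, tunnels, warnings


if __name__ == "__main__":
    bindings, tunnels, warnings = plan_forwarding(SAMPLE_VCAP)
    print(json.dumps(bindings, indent=2))
    for w in warnings:
        print("Warning:", w)
```

The tunnel plan lists exactly which remote endpoints a local run would reach through the remote app, which is the list to check against firewall rules before enabling forwarding.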
