Permalink
Fetching contributors…
Cannot retrieve contributors at this time
265 lines (183 sloc) 10.8 KB
---
title: Managing Isolation Segments
owner: CAPI
---
<div class="quick-links">
<ul>
<li><a href="#requirements">Requirements</a></li>
<li><a href="#overview">Overview</a></li>
<% if vars.product_name == 'CF' %>
<li><a href="#segment-manifest">Add Isolation Segment to Deployment Manifest</a></li>
<% end %>
<li><a href="#create-an-isolation-segment">Create an Isolation Segment</a></li>
<li><a href="#lists">Retrieve Isolation Segment Information</a>
<ul>
<li><a href="#list_is">List isolation segments</a></li>
<li><a href="#list_is_org">Display isolation segments enabled for an org</a></li>
<li><a href="#list_is_space">Show the Isolation Segment Assigned to a Space</a></li>
</ul>
</li>
<li><a href="#delete_is">Delete an Isolation Segment</a></li>
<li><a href="#relationships">Manage Isolation Segment Relationships</a>
<ul>
<li><a href="#enable_org_is">Enable isolation segments for an org</a></li>
<li><a href="#remove_org_is">Disable isolation segments for an org</a></li>
<li><a href="#set_org_default_is">Set the default isolation segment for an org</a></li>
<li><a href="#assign_iso_seg">Assign an isolation segment to a space</a></li>
<li><a href="#reset_space">Reset the isolation segment assignment for a space</a></li>
</ul>
</li>
</ul>
</div>
This topic describes how operators can isolate deployment
workloads into dedicated resource pools called isolation segments.
## <a name='requirements'></a> Requirements
You must have the [v.6.26.0](https://github.com/cloudfoundry/cli/releases/tag/v6.26.0) version or later of the [Cloud Foundry Command Line Interface (cf CLI)](../cf-cli/install-go-cli.html) installed to manage isolation segments.
Target the API endpoint of your deployment with `cf api` and log in with `cf login` before performing the procedures in this topic. <%= vars.api_endpoint_book %>
## <a name='overview'></a> Overview
<% if vars.product_name == 'CF' %>
To enable isolation segments, an admin can pass in a custom operations file with the BOSH CLI. For the example file used in this topic, see the [cf-deployment](https://github.com/cloudfoundry/cf-deployment/blob/master/operations/test/add-persistent-isolation-segment-diego-cell.yml) repository in GitHub.
<% else %>
<%= vars.isolation_segments_intro %>
<% end %>
After an admin creates a new isolation segment, the admin can then create and manage relationships between the orgs and spaces of a Cloud Foundry deployment and the new isolation segment.
<% if vars.product_name == 'CF' %>
## <a name="segment-manifest"></a>Add Isolation Segment to Deployment Manifest
To add an isolation segment to your deployment manifest, do the following:
1. Write a custom operations file. The operations file defines an instance group that supports isolation segments.
For a working example, see the [cf-deployment](https://github.com/cloudfoundry/cf-deployment/blob/master/operations/test/add-persistent-isolation-segment-diego-cell.yml) repository in GitHub. The example sets the following instance group properties:
* Name as `isolated-diego-cell`
* Placement tag as `persistent_isolation_segment`
<p class="note"><strong>Note</strong>: When you use the cf CLI, the name of the isolation segment corresponds to the placement tag you specify in the operations file. The commands throughout this topic use <code>my_segment</code> as an example isolation segment name.</p>
1. Apply the custom operations file when you deploy Cloud Foundry.
```
bosh -e MY-ENV -d cf deploy cf-deployment/cf-deployment.yml \
-v system_domain=YOUR-DOMAIN \
-o cf-deployment/operations/CUSTOM-OPS-FILE.yml
```
Where:
- `MY-ENV` is your environment alias. For more information about creating an environment alias for BOSH v2 or later, see [Environments](https://bosh.io/docs/cli-envs/) in the BOSH documentation.
- `CUSTOM-OPS-FILE` is your operations file.
<% end %>
## <a name="create-an-is"></a>Create an Isolation Segment
<%= vars.isolation_segments_create %>
To register an isolation segment with Cloud Controller, use the cf CLI.
<%= vars.isolation_segments_note %>
The following command creates an isolation segment named `my_segment`:
<pre class="terminal">
$ cf create-isolation-segment my_segment
</pre>
If successful, the command returns an `OK` message:
<pre class="terminal">
Creating isolation segment my_segment as admin...
OK
</pre>
## <a name="lists"></a> Retrieve Isolation Segment Information
The `cf isolation-segments`, `cf org`, and `cf space` commands retrieve information about isolation segments. The isolation segments you can see depends on your role, as follows:
* **Admins** see all isolation segments in the system.
* **Other users** only see the isolation segments that their orgs are entitled to.
### <a name="list_is"></a> List Isolation Segments
The following request returns a list of the isolation segments that are available to you:
<pre class="terminal">
$ cf isolation-segments
</pre>
For example, the command returns results similar to the following:
<pre class="terminal">
Getting isolation segments as admin...
OK
name orgs
my_segment org1, org2
</pre>
### <a name="list_is_org"></a> Display Isolation Segments Enabled for an Org
An admin can entitle an org to multiple isolation segments.
Run `cf org ORG-NAME` command to view the isolation segments that are available to an org. Replace `ORG-NAME` with the name of your org.
For example:
<pre class="terminal">
$ cf org my-org
</pre>
The command returns results similar to the following:
<pre class="terminal">
Getting info for org my-org as user@example.com...
name: my-org
domains: example.com, apps.example.com
quota: paid
spaces: development, production, sample-apps, staging
isolation segments: my_segment, my_other_segment
</pre>
### <a name="list_is_space"></a> Show the Isolation Segment Assigned to a Space
Only one isolation segment can be assigned to a space.
Run `cf space SPACE-NAME` to view the isolation segment assigned to a space. Replace `SPACE-NAME` with the name of the space.
For example:
<pre class="terminal">
$ cf space staging
</pre>
The command returns results similar to the following:
<pre class="terminal">
name: staging
org: my-org
apps:
services:
isolation segment: my_segment
space quota:
security groups: dns, p-mysql, p.mysql, pcf-redis, public_networks, rabbitmq, ssh-logging
</pre>
## <a name="delete_is"></a> Delete an Isolation Segment
<p class="note"><strong>Note</strong>: An isolation segment with deployed apps cannot be deleted.</p>
Only admins can delete isolation segments.
Run `cf delete-isolation-segment SEGMENT-NAME` to delete an isolation segment. Replace `SEGMENT-NAME` with the name of the isolation segment. If successful, the command returns an `OK` message.
For example:
<pre class="terminal">
$ cf delete-isolation-segment my_segment
Deleting isolation segment my_segment as admin...
OK
</pre>
## <a name="relationships"></a> Manage Isolation Segment Relationships
The commands listed in the sections below manage the relationships between isolation segments, orgs, and spaces.
### <a name="enable_org_is"></a> Enable an Org to Use Isolation Segments
Only admins can enable orgs to use isolation segments. Run `cf enable-org-isolation ORG-NAME SEGMENT-NAME` to enable the use of an isolation segment. Replace `ORG-NAME` with the name of your org, and `SEGMENT-NAME` with the name of the isolation segment.
For example:
<pre class="terminal">
$ cf enable-org-isolation org2 my_segment
</pre>
If an org is entitled to use only one isolation segment, that isolation segment does not automatically become the default isolation segment for the org. You must explicitly [set the default isolation segment](#set_org_default_is) of an org.
### <a name="remove_org_is"></a> Disable an Org from Using Isolation Segments
<p class="note"><strong>Note</strong>: You cannot disable an org from using an isolation segment if a space within that org is assigned to the isolation segment. Additionally, you cannot disable an org from using an isolation segment if the isolation segment is configured as the default for that org.</p>
Run `cf disable-org-isolation ORG-NAME SEGMENT-NAME` to disable an org from using an isolation segment. Replace `ORG-NAME` with the name of your org, and `SEGMENT-NAME` with the name of the isolation segment.
For example:
<pre class="terminal">
$ cf disable-org-isolation org1 my_segment
</pre>
If successful, the command returns an `OK` message:
<pre class="terminal">
Removing entitlement to isolation segment my_segment from org org1 as admin...
OK
</pre>
### <a name="set_org_default_is"></a> Set the Default Isolation Segment for an Org
_This section requires [cf CLI v6.29.0](https://github.com/cloudfoundry/cli/releases/tag/v6.29.0) or later._
Only admins and org managers can set the default isolation segment for an org.
When an org has a default isolation segment, apps in its spaces belong to the default isolation segment
unless you assign them to another isolation segment.
You must restart running applications to move them into the default isolation segment.
Run `cf set-org-default-isolation-segment ORG-NAME SEGMENT-NAME` to set the default isolation segment for an org. Replace `ORG-NAME` with the name of your org, and `SEGMENT-NAME` with the name of the isolation segment.
For example:
<pre class="terminal">
$ cf set-org-default-isolation-segment org1 my\_segment
Setting isolation segment my_segment to default on org org1 as admin...
OK
</pre>
To display the default isolation segment for an org, use the `cf org` command.
### <a name="assign_iso_seg"></a> Assign an Isolation Segment to a Space
Admins and org managers can assign an isolation segment to a space. Apps in that space start in the specified isolation segment.
To assign an isolation segment to a space, you must first enable the space's org to use the isolation segment. See [Enable an Org to Use Isolation Segments](#enable_org_is)
Run `cf set-space-isolation-segment SPACE-NAME SEGMENT-NAME` to assign an isolation segment to a space. Replace `SPACE-NAME` with the name of the space, and `SEGMENT-NAME` with the name of the isolation segment.
For example:
<pre class="terminal">
$ cf set-space-isolation-segment space1 my_segment
</pre>
### <a name="reset_space"></a> Reset the Isolation Segment Assignment for a Space
Admins can reset the isolation segment assigned to a space to use the org's default isolation segment.
Run `cf reset-space-isolation-segment SPACE-NAME` to the assign the default isolation segment for an org to a space. Replace `SPACE-NAME` with the name of the space.
For example:
<pre class="terminal">
$ cf reset-space-isolation-segment space1
</pre>