
Set up the ASP ephemeral store - Marathon

The Application Services Proxy (ASP) shares non-persistent, or ephemeral, data across instances. It does so by way of a distributed, secure, key-value store called the Ephemeral Store. The ephemeral store is a Docker-based Marathon Application.

You can set up the ASP ephemeral store before you deploy the ASP in Marathon, or add the ephemeral store configurations to an existing ASP running v1.1.0.

Warning

The ephemeral store is not compatible with ASP v1.0.0. If you have a previous version of the ASP running, remove it and deploy a new Application running v1.1.0.

Set up authentication to the ephemeral store

All communications between clients and the ASP ephemeral store use SSL encryption. Perform the tasks in this section to set up the certificates required for authentication to the ephemeral store.

Generate root and user certificates

  1. Create the Root Certificate Authority for the ephemeral store. This is a self-signed rootCA certificate and key.

    openssl genrsa -out rootCA.key 2048
    openssl req -new -key rootCA.key -out rootCA.csr -subj "/CN=rootCA"
    openssl x509 -req -days 365 -in rootCA.csr -signkey rootCA.key -out rootCA.crt
    
  2. Create certificates for users. The ephemeral store uses these certificates to authenticate with the server.

    Attention

    • The common name (/CN) provided should match a username defined in the “ephemeral store user” parameter.
    • Use the Root Certificate to sign the user certificates (line 3 in the example below).

    openssl genrsa -out myuser.key 2048
    openssl req -new -key myuser.key -out myuser.csr -subj "/CN=myuser"
    openssl x509 -req -days 365 -in myuser.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out myuser.crt
    

Deploy the ephemeral store

Important

  • Each ephemeral store instance requires a dedicated node with 1 CPU and at least 1GB memory.
  • By default, the ephemeral store app deploys a cluster of five (5) instances. Do not deploy the ephemeral store with fewer than five instances or you may experience data loss.
  • The instances use HOST networking mode and connect to ports 8087, 4369, and 8099.

  1. Define the ephemeral store configurations in a JSON file.

    // NOTE: REMOVE COMMENTS BEFORE USING
    {
      "id": "ephemeral-store",
      "instances": 5,
      "cpus": 1,
      "mem": 1024,
      "container": {
        "type": "DOCKER",
        "docker": {
          "forcePullImage": true,
          "network": "HOST",
          "image": "f5networks/ephemeral-store:latest"
        }
      },
      "env": {
        "ORCHESTRATION": "marathon",
        // Replace "myUser" with the name of your ephemeral-store user
        // that matches the Common Name of the certificate generated for that user
        // Paste in the complete cert and key for the rootCA user
        "EPHEMERAL_STORE_USER": "{ \"name\" : \"myUser\", \"auth_mode\" : \"certificate\" }",
        "EPHEMERAL_STORE_ROOT_CA_CERT": "<root-ca-cert-in-PEM-format>",
        "EPHEMERAL_STORE_ROOT_CA_KEY": "<root-ca-key-in-PEM-format>"
      },
      "portDefinitions": [
        {
          "port": 8087,
          "protocol": "tcp",
          "labels": {
            "VIP_0": "ephemeral-store:8087"
          },
          "name": "proto"
        },
        {
          "port": 4369,
          "protocol": "tcp",
          "name": "epmd"
        },
        {
          "port": 8099,
          "protocol": "tcp",
          "name": "handoff"
        }
      ],
      "requirePorts": true
    }
    

    f5-ephemeral-store-marathon-example.json

  2. Upload the config file to the Marathon API server.

    $ curl -X POST -H "Content-Type: application/json" http://<marathon-uri>:8080/v2/apps -d @f5-ephemeral-store-marathon-example.json
    
  3. To verify creation, send a GET request to the Marathon API server.

    Tip

    You can pass the response through a pretty-print tool like jq for better readability.

    $ curl -X GET http://<marathon-uri>:8080/v2/apps/ephemeral-store | jq .
      % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                     Dload  Upload   Total   Spent    Left  Speed
    100  4079    0  4079    0     0   332k      0 --:--:-- --:--:-- --:--:--  362k
    {
      "app": {
        "id": "/ephemeral-store",
        "cmd": null,
        "args": null,
        "user": null,
        "env": {
          "ORCHESTRATION": "marathon",
          "EPHEMERAL_STORE_USER": "{ \"name\" : \"myuser\", \"auth_mode\" : \"certificate\" }",
          "EPHEMERAL_STORE_ROOT_CA_CERT": "-----BEGIN CERTIFICATE-----<redacted>-----END CERTIFICATE-----",
          "EPHEMERAL_STORE_ROOT_CA_KEY": "-----BEGIN RSA PRIVATE KEY-----<redacted>-----END RSA PRIVATE KEY-----"
        },
        "instances": 1,
        "cpus": 1,
        "mem": 1024,
        "disk": 0,
        "gpus": 0,
        "executor": "",
        "constraints": [],
        "uris": [],
        "fetch": [],
        "storeUrls": [],
        "backoffSeconds": 1,
        "backoffFactor": 1.15,
        "maxLaunchDelaySeconds": 3600,
        "container": {
          "type": "DOCKER",
          "volumes": [],
          "docker": {
            "image": "f5networks/ephemeral-store:latest",
            "network": "HOST",
            "portMappings": null,
            "privileged": false,
            "parameters": [],
            "forcePullImage": true
          }
        },
        "healthChecks": [],
        "readinessChecks": [],
        "dependencies": [],
        "upgradeStrategy": {
          "minimumHealthCapacity": 1,
          "maximumOverCapacity": 1
        },
        "labels": {},
        "acceptedResourceRoles": null,
        "ipAddress": null,
        "version": "2017-10-02T18:56:43.319Z",
        "residency": null,
        "secrets": {},
        "taskKillGracePeriodSeconds": null,
        "ports": [
          8087,
          4369,
          8099
        ],
        "portDefinitions": [
          {
            "port": 8087,
            "protocol": "tcp",
            "name": "proto",
            "labels": {
              "VIP_0": "ephemeral-store:8087"
            }
          },
          {
            "port": 4369,
            "protocol": "tcp",
            "name": "epmd",
            "labels": {}
          },
          {
            "port": 8099,
            "protocol": "tcp",
            "name": "handoff",
            "labels": {}
          }
        ],
        "requirePorts": true,
        "versionInfo": {
          "lastScalingAt": "2017-10-02T18:56:43.319Z",
          "lastConfigChangeAt": "2017-10-02T18:36:25.016Z"
        },
        "tasksStaged": 0,
        "tasksRunning": 0,
        "tasksHealthy": 0,
        "tasksUnhealthy": 0,
        "deployments": [
          {
            "id": "cceb4265-b60f-4b7a-bb76-96227a35ebb0"
          }
        ],
        "tasks": []
      }
    }
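
A pre-upload check for the app definition from step 1, given here as an added example that is not part of the F5 documentation. It flags leftover `//` comments, unreplaced PEM placeholders, a user name that differs from the certificate's /CN, and settings below the requirements listed under "Important". The names `lint_ephemeral_store_app` and `sample_app` are hypothetical, and the exact, case-sensitive name comparison is an assumption.

```python
import json

REQUIRED_PORTS = {8087, 4369, 8099}  # ports listed on the page

def sample_app(user="myuser"):
    """Constructed app definition; the PEM bodies are placeholders, not real keys."""
    return {
        "id": "ephemeral-store", "instances": 5, "cpus": 1, "mem": 1024,
        "container": {"type": "DOCKER", "docker": {"network": "HOST"}},
        "env": {
            "EPHEMERAL_STORE_USER": json.dumps({"name": user, "auth_mode": "certificate"}),
            "EPHEMERAL_STORE_ROOT_CA_CERT": "-----BEGIN CERTIFICATE-----<constructed>",
            "EPHEMERAL_STORE_ROOT_CA_KEY": "-----BEGIN RSA PRIVATE KEY-----<constructed>",
        },
        "portDefinitions": [{"port": p, "protocol": "tcp"} for p in (8087, 4369, 8099)],
    }

def lint_ephemeral_store_app(text, cert_cn):
    """Return a list of problems in the app definition text; [] means none found."""
    try:
        app = json.loads(text)
    except json.JSONDecodeError as exc:
        # Typical cause: the // comments from the sample file were left in.
        return [f"not valid JSON at line {exc.lineno}: remove comments before using"]
    if not isinstance(app, dict):
        return ["top level is not a JSON object"]
    problems = []
    if app.get("instances", 0) < 5:
        problems.append("instances < 5: risk of data loss")
    if app.get("cpus", 0) < 1 or app.get("mem", 0) < 1024:
        problems.append("each instance needs 1 CPU and at least 1024 MB of memory")
    if app.get("container", {}).get("docker", {}).get("network") != "HOST":
        problems.append("docker network mode is not HOST")
    ports = {p.get("port") for p in app.get("portDefinitions", [])}
    if not REQUIRED_PORTS <= ports:
        problems.append(f"missing ports: {sorted(REQUIRED_PORTS - ports)}")
    env = app.get("env", {})
    try:
        user = json.loads(env.get("EPHEMERAL_STORE_USER", ""))
    except (TypeError, ValueError):
        user = None
    if not isinstance(user, dict) or user.get("auth_mode") != "certificate":
        problems.append("EPHEMERAL_STORE_USER is not a JSON object with auth_mode certificate")
    elif user.get("name") != cert_cn:  # assumption: exact, case-sensitive match
        problems.append(f"user {user.get('name')!r} != certificate CN {cert_cn!r}")
    for key, label in (("EPHEMERAL_STORE_ROOT_CA_CERT", "CERTIFICATE-----"),
                       ("EPHEMERAL_STORE_ROOT_CA_KEY", "PRIVATE KEY-----")):
        value = str(env.get(key, "")).strip()
        if not (value.startswith("-----BEGIN") and label in value):
            problems.append(f"{key} does not contain PEM data")
    return problems
```

Run it on the contents of the JSON file before the POST in step 2, passing the /CN used when generating the user certificate.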
    

Next Steps

Once you’ve set up the ephemeral store, you can install and deploy the ASP.