Pivotal Cloud Foundry v1.10

Pivotal Elastic Runtime v1.10 Release Notes

Pivotal Cloud Foundry is certified by the Cloud Foundry Foundation for 2017.

Read more about the certified provider program and the requirements of providers.


Releases

1.10.10

  • Bumps stemcell to v3363.24.
  • Bumps cf-mysql-release to v34.8.0.
  • Bumps cflinuxfs2 rootfs to v1.123.0.
  • Resource Configuration now supports custom VM templates that have CPU counts that are not a power of two.
  • The SAML Service Provider Certificate/Key Password is not properly obfuscated.
  • Patches Cloud Controller to resolve an issue where apps could become orphaned from their spaces.
  • Patches Cloud Controller to increase the application healthcheck timeout to 10 minutes.

Component Version
Stemcell 3363.24
binary-offline-buildpack 1.0.12
capi 1.21.0*
cf 252*
cf-autoscaling 84.2
cf-mysql 34.8.0
cf-networking 0.18.0*
cflinuxfs2 1.123.0
consul 165*
diego 1.7.1*
dotnet-core-offline-buildpack 1.0.18
etcd 97
garden-runc 1.2.0
go-offline-buildpack 1.8.2
java-offline-buildpack 3.16.1
loggregator 77*
mysql-backup 1.32.0
mysql-monitoring 7.2.0
nats 15
nfs-volume 0.1.5
nodejs-offline-buildpack 1.5.34
notifications 35
notifications-ui 28
php-offline-buildpack 4.3.33
pivotal-account 1.5.2
postgres 13
push-apps-manager-release 660.7.9
python-offline-buildpack 1.5.18
routing 0.146.0*
ruby-offline-buildpack 1.6.39
service-backup 18.0.4
staticfile-offline-buildpack 1.4.6
uaa 30.3
* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

1.10.9

  • Bumps Apps Manager to v660.7.9 to support large custom-branding images.
  • Bumps Pivotal Account to v1.5.2 to support large custom-branding images.
  • Bumps Autoscaling to v84.2.
  • Bumps uaa-release to v30.3.
  • Replaces all buildpack releases with versions that provide cached buildpack assets.
  • Allows the UAA password expiry field to be configured via the Ops Manager API.
  • Allows the Apps Manager access token validity duration to be configured.
  • Allows S3 buckets located in regions other than us-east-1 to be used to store Internal MySQL backups.
  • Patches Cloud Controller to fix task completion callbacks.
  • Patches Loggregator to resolve issue with operator-provided cipher suites.

Component Version
Stemcell 3363.20
binary-offline-buildpack 1.0.12
capi 1.21.0*
cf 252*
cf-autoscaling 84.2
cf-mysql 34.2.0
cf-networking 0.18.0*
cflinuxfs2-rootfs 1.60.0
consul 165
diego 1.7.1*
dotnet-core-offline-buildpack 1.0.18
etcd 97
garden-runc 1.2.0
go-offline-buildpack 1.8.2
java-offline-buildpack 3.16.1
loggregator 77*
mysql-backup 1.32.0
mysql-monitoring 7.2.0
nats 15
nfs-volume 0.1.5
nodejs-offline-buildpack 1.5.34
notifications 35
notifications-ui 28
php-offline-buildpack 4.3.33
pivotal-account 1.5.2
postgres 13
push-apps-manager-release 660.7.9
python-offline-buildpack 1.5.18
routing 0.146.0*
ruby-offline-buildpack 1.6.39
service-backup 18.0.4
staticfile-offline-buildpack 1.4.6
uaa 30.3
* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

1.10.8

  • Resolves API version issue that prevented use of the CLI for isolation segments.
  • Bumps all buildpack releases to their latest versions.
  • Allows operators to specify DNS servers that differ from those provided in their BOSH configuration.
  • Patches a bug with event pagination in the Cloud Controller API.
  • Allows UAA SAML certificates to be configured.
  • Removes the Password Expiry field from the Authentication and Enterprise SSO form.
  • Adds the network.write scope to the cf UAA client to allow SpaceDevelopers to manage their Container Networking policy.
  • Exposes etcd timeout configurations on the Advanced Features form.
  • Container Networking will now properly support deployments with valid certificates.

Component Version
Stemcell 3363.20
binary-buildpack 1.0.11
capi 1.21.0*
cf 252*
cf-autoscaling 84.1
cf-mysql 34.2.0
cf-networking 0.18.0*
cflinuxfs2-rootfs 1.60.0
consul 164
diego 1.7.1*
dotnet-core-buildpack 1.0.15
etcd 97
garden-runc 1.2.0
go-buildpack 1.8.1
java-offline-buildpack 3.16
loggregator 77*
mysql-backup 1.32.0
mysql-monitoring 7.2.0
nats 15
nfs-volume 0.1.5
nodejs-buildpack 1.5.32
notifications 35
notifications-ui 28
php-buildpack 4.3.31
pivotal-account 1.4.1
postgres 13
push-apps-manager-release 660.7.6
python-buildpack 1.5.18
routing 0.146.0*
ruby-buildpack 1.6.37
service-backup 18.0.3
staticfile-buildpack 1.4.5
uaa 30.1
* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

1.10.7

  • Bumps stemcell to v3363.20.

Component Version
Stemcell 3363.20
binary-buildpack 1.0.11
capi 1.21.0*
cf 252*
cf-autoscaling 84.1
cf-mysql 34.2.0
cf-networking 0.16.0*
cflinuxfs2-rootfs 1.60.0
consul 159
diego 1.7.9
dotnet-core-buildpack 1.0.13
etcd 97
garden-runc 1.2.0
go-buildpack 1.7.19
java-offline-buildpack 3.14
loggregator 77*
mysql-backup 1.32.0
mysql-monitoring 7.2.0
nats 15
nfs-volume 0.1.5
nodejs-buildpack 1.5.30
notifications 35
notifications-ui 28
php-buildpack 4.3.29
pivotal-account 1.4.1
postgres 13
push-apps-manager-release 660.7.6
python-buildpack 1.5.16
routing 0.146.0*
ruby-buildpack 1.6.35
service-backup 18.0.3
staticfile-buildpack 1.4.4
uaa 30.1
* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

1.10.6

  • Bumps uaa-release to v30.1.

Component Version
Stemcell 3363.15
binary-buildpack 1.0.11
capi 1.21.0*
cf 252*
cf-autoscaling 84.1
cf-mysql 34.2.0
cf-networking 0.16.0*
cflinuxfs2-rootfs 1.60.0
consul 159
diego 1.7.1*
dotnet-core-buildpack 1.0.13
etcd 97
garden-runc 1.2.0
go-buildpack 1.7.19
java-offline-buildpack 3.14
loggregator 77*
mysql-backup 1.32.0
mysql-monitoring 7.2.0
nats 15
nfs-volume 0.1.5
nodejs-buildpack 1.5.30
notifications 35
notifications-ui 28
php-buildpack 4.3.29
pivotal-account 1.4.1
postgres 13
push-apps-manager-release 660.7.6
python-buildpack 1.5.16
routing 0.146.0*
ruby-buildpack 1.6.35
service-backup 18.0.3
staticfile-buildpack 1.4.4
uaa 30.1
* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

1.10.5

  • Bumps garden-runc to v1.2.0 to fix compatibility with some anti-virus scanning software.
  • Bumps staticfile-buildpack-release to v1.4.4 to address CVE-2017-4970. More details can be found at pivotal.io/security.
  • Bumps consul-release to v159 to ensure TLS communication happens over TLS 1.2.
  • Patches bug in Gorouter that caused the router to crash when invalid X-CF-APP-INSTANCE headers were sent in a request.
  • Patches bug in Gorouter that prevented operators from specifying additional TLS cipher suites.
  • Updates the notifications-ui errand to allow operators to provide large custom branding logos.
  • Fixes the configuration for backup of Internal MySQL instances.
  • Bumps uaa-release to v30.

Component Version
Stemcell 3363.15
binary-buildpack 1.0.11
capi 1.21.0*
cf 252*
cf-autoscaling 84.1
cf-mysql 34.2.0
cf-networking 0.16.0*
cflinuxfs2-rootfs 1.60.0
consul 159
diego 1.7.1*
dotnet-core-buildpack 1.0.13
etcd 97
garden-runc 1.2.0
go-buildpack 1.7.19
java-offline-buildpack 3.14
loggregator 77*
mysql-backup 1.32.0
mysql-monitoring 7.2.0
nats 15
nfs-volume 0.1.5
nodejs-buildpack 1.5.30
notifications 35
notifications-ui 28
php-buildpack 4.3.29
pivotal-account 1.4.1
postgres 13
push-apps-manager-release 660.7.6
python-buildpack 1.5.16
routing 0.146.0*
ruby-buildpack 1.6.35
service-backup 18.0.3
staticfile-buildpack 1.4.4
uaa 30
* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

1.10.4

  • Bumps the stemcell to version 3363.15.

Component Version
Stemcell 3363.15
binary-buildpack 1.0.11
capi 1.21.0*
cf 252*
cf-autoscaling 84.1
cf-mysql 34.2.0
cf-networking 0.16.0*
cflinuxfs2-rootfs 1.60.0
consul 152*
diego 1.7.7
dotnet-core-buildpack 1.0.13
etcd 97
garden-runc 1.1.1
go-buildpack 1.7.19
java-offline-buildpack 3.14
loggregator 77*
mysql-backup 1.32.0
mysql-monitoring 7.2.0
nats 15
nfs-volume 0.1.5
nodejs-buildpack 1.5.30
notifications 35
notifications-ui 27
php-buildpack 4.3.29
pivotal-account 1.4.1
postgres 13
push-apps-manager-release 660.7.6
python-buildpack 1.5.16
routing 0.146.0*
ruby-buildpack 1.6.35
service-backup 18.0.3
staticfile-buildpack 1.3.18
uaa 29
* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

1.10.3

  • Bumps rootfs to v1.60.0 with stack 1.111.0 for low/medium security fixes.
  • Bumps binary-buildpack-release to v1.0.11 to run compile.ps1 with Unrestricted execution policy.
  • Exposes BOSH manifest links on consul, cloud controller, and nats.
  • Patches routing-release to fix handling of zipkin headers.

Component Version
Stemcell 3363.14
binary-buildpack 1.0.11
capi 1.21.0*
cf 252*
cf-autoscaling 84.1
cf-mysql 34.2
cf-networking 0.16.0*
cflinuxfs2-rootfs 1.60.0
consul 152*
diego 1.7.1*
dotnet-core-buildpack 1.0.13
etcd 97
garden-runc 1.1.1
go-buildpack 1.7.19
java-offline-buildpack 3.14
loggregator 77*
mysql-backup 1.32.0
mysql-monitoring 7.2.0
nats 15
nfs-volume 0.1.5
nodejs-buildpack 1.5.30
notifications 35
notifications-ui 27
php-buildpack 4.3.29
pivotal-account 1.4.1
postgres 13
push-apps-manager-release 660.7.6
python-buildpack 1.5.16
routing 0.146.0*
ruby-buildpack 1.6.35
service-backup 18.0.3
staticfile-buildpack 1.3.18
uaa 29
* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

1.10.2

  • Bumps the stemcell version to 3363.14.

Component Version
Stemcell 3363.14
binary-buildpack 1.0.10
capi 1.21.0*
cf 252*
cf-autoscaling 84.1
cf-mysql 34.2
cf-networking 0.16.0*
cflinuxfs2-rootfs 1.59.0
consul 152*
diego 1.7.1*
dotnet-core-buildpack 1.0.13
etcd 97
garden-runc 1.1.1
go-buildpack 1.7.19
java-offline-buildpack 3.14
loggregator 77*
mysql-backup 1.32.0
mysql-monitoring 7.2.0
nats 15
nfs-volume 0.1.5
nodejs-buildpack 1.5.30
notifications 35
notifications-ui 27
php-buildpack 4.3.29
pivotal-account 1.4.1
postgres 13
push-apps-manager-release 660.7.6
python-buildpack 1.5.16
routing 0.146.0*
ruby-buildpack 1.6.35
service-backup 18.0.3
staticfile-buildpack 1.3.18
uaa 29
* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

1.10.1

  • Bumps etcd-release to v97.
  • Bumps the rootfs to v1.59.0 with stack version 1.110.0.
  • Allows operators to toggle the invitations feature set for AppsManager.
  • Reduces the notifications polling interval in the autoscaling service to 5 seconds.
  • Resolves an issue that prevented MySQL VMs restarted outside of BOSH from rejoining the cluster.
  • Bumps the buildpack releases to their latest versions to patch any lingering security vulnerabilities or issues.
  • Operators can associate users with a Global Auditor Scope, allowing that user to have global read-only privileges across all orgs and spaces, with environment variables and service credentials redacted.
  • Patches loggregator to include metric for listeners.totalReceivedMessageCount.
  • Allows operators to specify HTTP headers that will be recorded in the GoRouter access logs.
  • Fixes a bug in the internal MySQL configuration that prevented notifications from being sent when the cluster went into a dataloss-prevention state.
  • Includes the cfdot Command Line Interface (CLI) tool on all Diego Cell VMs.
  • Bumps uaa-release to v29.

Component Version
Stemcell 3363.10
binary-buildpack 1.0.10
capi 1.21.0*
cf 252*
cf-autoscaling 84.1
cf-mysql 34.2
cf-networking 0.16.0*
cflinuxfs2-rootfs 1.59.0
consul 152*
diego 1.7.1*
dotnet-core-buildpack 1.0.13
etcd 97
garden-runc 1.1.1
go-buildpack 1.7.19
java-offline-buildpack 3.14
loggregator 77*
mysql-backup 1.32.0
mysql-monitoring 7.2.0
nats 15
nfs-volume 0.1.5
nodejs-buildpack 1.5.30
notifications 35
notifications-ui 27
php-buildpack 4.3.29
pivotal-account 1.4.1
postgres 13
push-apps-manager-release 660.7.6
python-buildpack 1.5.16
routing 0.146.0*
ruby-buildpack 1.6.35
service-backup 18.0.3
staticfile-buildpack 1.3.18
uaa 29
* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

1.10.0

Component Version
Stemcell 3363.10
binary-buildpack 1.0.9
capi 1.21.0*
cf 252*
cf-autoscaling 84
cf-mysql 34
cf-networking 0.16.0*
cflinuxfs2-rootfs 1.50.0
consul 152
diego 1.7.1*
dotnet-core-buildpack 1.0.11
etcd 93
garden-runc 1.1.1
go-buildpack 1.7.18
java-offline-buildpack 3.13
loggregator 77
mysql-backup 1.32.0
mysql-monitoring 7.2.0
nats 15
nfs-volume 0.1.5
nodejs-buildpack 1.5.29
notifications 35
notifications-ui 27
php-buildpack 4.3.26
pivotal-account 1.4.1
postgres 13
push-apps-manager-release 660.7.2
python-buildpack 1.5.15
routing 0.146.0*
ruby-buildpack 1.6.34
service-backup 18.0.3
staticfile-buildpack 1.3.17
uaa 27
* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

How to Upgrade

The procedure for upgrading to Pivotal Cloud Foundry Elastic Runtime v1.10 is documented in the Upgrading Pivotal Cloud Foundry topic.

When upgrading to v1.10, be aware of the following upgrade considerations:

  • You must upgrade first to a version of Elastic Runtime v1.9.x in order to successfully upgrade to v1.10.
  • If you are currently using any of the following services in your PCF deployment, then you must upgrade and configure the tiles before upgrading to PCF v1.10:
    • RabbitMQ for PCF. Upgrade to RabbitMQ for PCF v1.7.13 or later, and deselect the Use non-secure communication for metrics checkbox. For more information about RabbitMQ for PCF, see the RabbitMQ for PCF documentation.
    • Redis for PCF. Upgrade to Redis for PCF v1.7.3 or later, and deselect the Use non-secure communication for metrics checkbox. For more information about Redis for PCF, see the Redis for PCF documentation.
  • Some partner service tiles may be incompatible with PCF v1.10. Pivotal is working with partners to ensure their tiles are being updated to work with the latest versions of PCF.

    For information about which partner service releases are currently compatible with PCF v1.10, review the appropriate partners services release documentation at http://docs.pivotal.io, or contact the partner organization that produces the tile.

About Advanced Features

The Advanced Features section of the Elastic Runtime tile includes new functionality that may have certain constraints.

Although these features are fully supported, Pivotal recommends caution when using them in production.

New Features in Elastic Runtime v1.10.0

This section describes new features of the release.

Container-to-Container Networking (Beta)

The Elastic Runtime tile offers a Container-to-Container Networking feature that puts applications in their own overlay network. This feature is currently in beta.

For more information, see the Container-to-Container Networking topic.

Volume Services (Beta)

This release provides general support for volume services inside of application containers.

Additionally, the Elastic Runtime ships with an NFS Volume Service Broker as a beta feature.

For more information, see Using an External File System (Volume Services) and Enabling NFS Volume Services.

Secure etcd Cluster

This release removes the etcd Proxy VM, ensuring all communication to the etcd cluster happens over a secure connection.

Cloud Foundry API Rate Limiting (Beta)

The CF API can enforce rate limits for users and clients.

Limits can be set for authenticated and unauthenticated clients and expire over a rolling hour-long window.

You can enable these API rate limits as a beta feature in the Advanced Features section of the Elastic Runtime tile.

For more information, see the Deploying Elastic Runtime topic for the IaaS where you are deploying PCF. For example, if you are deploying PCF on Google Cloud Platform (GCP), see the Deploying Elastic Runtime on GCP topic.

Cloud Foundry Diego Operator Toolkit

All Diego VMs now include an operator toolkit, known as cfdot, for interacting with your Diego components.

For more details about cfdot, see the cfdot documentation.

Multi-node Cloud Controller Clock

The Cloud Controller Clock has been outfitted to allow multiple instances of the VM to run in parallel.

Operators can scale the instance count for the VM to fit their needs. For example, operators might want to change the instance count to 2 or 3 so they have a clock in each availability zone.

For more information, see High Availability in Cloud Foundry.

Router Performance Improvements

The Routers can now be configured to maintain a number of keep-alive connections.

Reusing connections allows for HTTP performance improvements as the underlying connection does not need to be re-established on every request.

For more information, see the Router Idle Keepalive Connections and the Deploying Elastic Runtime topic for the IaaS where you are deploying PCF. For example, if you are deploying PCF on Google Cloud Platform (GCP), see the Deploying Elastic Runtime on GCP topic.

Disable Default SSH Access for New Applications

Previously, application SSH access was enabled globally as a feature in Cloud Foundry.

In addition to the global setting, operators can now choose to disable SSH access for new applications.

Choosing to disable SSH access for new applications requires that developers enable SSH access on a per-application basis.

For more information, see Configuring SSH Access for PCF.

Azure Blobstore Support

The Elastic Runtime now supports using Azure Storage as a backend for the platform file storage.

For more information, see the Deploying Elastic Runtime on Azure topic.

Improvements to Internal MySQL Diagnostics and Availability

The internal MySQL database cluster now includes healthcheck thresholds.

These thresholds can be configured to match your MySQL load balancer thresholds so that failover is seamless.

For information on internal MySQL load balancer configuration, see the Deploying Elastic Runtime topic for the IaaS where you are deploying PCF. For example, if you are deploying PCF on Google Cloud Platform (GCP), see the Deploying Elastic Runtime on GCP topic.

Additionally, the MySQL Monitor job now includes a tool called mysql-diag that provides some diagnostic information about your MySQL cluster.

For more information on the mysql-diag tool, see Diagnosing problems with Elastic Runtime MySQL or the Pivotal MySQL Tile or Running mysql-diag.

Global Container Max Inflight Configuration

Diego now provides a configuration option for limiting the number of containers allowed to be in a “starting” state at any one time.

By default, the setting limits the number of containers in the “starting” state to 200.

This setting prevents Diego from scheduling too much work for your platform to handle, preventing a possible cascading failure.

This configuration is available as the Max Inflight Container Starts on the Application Containers screen in Elastic Runtime.

To configure this feature, see Setting a Maximum Number of Started Containers.

For more information on preventing platform overload during upgrade, see also Upgrade Considerations for Selecting File Storage in Pivotal Cloud Foundry and Managing Diego Cell Limits During Upgrade topics.

gRPC in Loggregator

The Loggregator system now uses the gRPC protocol for secure and reliable communication between the Metron Agent and the Doppler, and between the Doppler and the Traffic Controller. This improves the stability and the performance of the Loggregator system.

Since Loggregator now uses the gRPC protocol, your deployment may see an increase in Loggregator message throughput.

For more information on scaling Dopplers, see the Upgrading Pivotal Cloud Foundry and Loggregator Guide for Cloud Foundry Operators topics.

Known Issues

This section lists known issues for PCF Elastic Runtime.

Router & Loggregator Cipher Suites Issue

In an effort to enforce more secure cipher suites for the common platform ingress / egress points at the Router and Loggregator, the default cipher suites for these components were limited to the following suites:

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

Normally, operators would have the option to override these defaults with their chosen cipher suites. However, in the process of setting these new defaults, the option to override the suites was removed. Patches to restore the override behavior will be forthcoming. See release notes above for more details about which releases provide these fixes.

cf logs Connection Issue

When tailing logs using the cf logs or cf logs --recent command, the cf CLI reports a connection issue. Users may encounter errors similar to the following:

Warning: error tailing logs
Error dialing loggregator server: websocket: bad handshake.
Please ask your Cloud Foundry Operator to check the platform configuration
(loggregator endpoint is wss://loggregator.example.com:443).

or

FAILED
Error dialing loggregator server: unexpected EOF
Please ask your Cloud Foundry Operator to check the platform configuration
(loggregator endpoint is wss://loggregator.example.com:443).

Solution: Upgrade to cf CLI version 6.23 or later. After you upgrade, if you still encounter the connection issue, make sure you log out and log in again using cf logout and cf login.

In PCF v1.10, the recommended metric for monitoring firehose message throughput is changing to DopplerServer.listeners.totalReceivedMessageCount.

  • As of ERT 1.10.0, DopplerServer.listeners.totalReceivedMessageCount is not an accurate metric for all possible firehose traffic. This is being patched.
  • As of ERT 1.10.1, DopplerServer.listeners.totalReceivedMessageCount can be expected to accurately represent a count of firehose message throughput.