Isolation Segment v2.10 Release Notes

Page last updated:

This topic contains release notes for Isolation Segment v2.10.

Because VMware uses the Percona Distribution for MySQL, expect a time lag between Oracle releasing a MySQL patch and VMware releasing TAS for VMs containing that patch.

Releases

2.10.28

Release Date: 08/10/2022

• Bump cf-networking to version 3.11.0
• Bump cflinuxfs3 to version 0.312.0
• Bump routing to version 0.236.0
• Bump silk to version 3.11.0
• Bump syslog to version 12.0.2

  ## What's Changed
  * Gorouter restart script waits for the gorouter to be running before reloading monit
  ## ✨  Built with go 1.17.12
  **Full Changelog**: https://github.com/cloudfoundry/routing-release/compare/0.235.0...0.236.0
          

2.10.27

Release Date: 07/18/2022

• Bump cf-networking to version 3.9.0
• Bump cflinuxfs3 to version 0.309.0
• Bump diego to version 2.62.0
• Bump routing to version 0.235.0
• Bump silk to version 3.9.0
• Bump syslog to version 12.0.1

  ## What's Changed
  * Gorouter healthchecker retries connection instead of monit (https://github.com/cloudfoundry/routing-release/pull/275)
  ## ✨  Built with go 1.17.11
  **Full Changelog**: https://github.com/cloudfoundry/routing-release/compare/0.234.0...0.235.0
          

  ## What's Changed
  * Gorouter: the metrics package now uses `lsof` to monitor file descriptors on MacOS @domdom82 https://github.com/cloudfoundry/gorouter/pull/312
  * 🐛 Bumped the `lager` dependency to resolve issues where the timeFormat flag was not honored, resulting in epoch timestamps vs human readable. Thanks @ameowlia!
  * Now tested with the bionic stemcell in CI
  ## ✨  Built with go 1.17.11
  **Full Changelog**: https://github.com/cloudfoundry/routing-release/compare/0.233.0...0.234.0
          

2.10.26

Release Date: 06/23/2022

Warning: Upcoming reduction in maintenance and security release coverage! In future patches, no sooner than July 1st 2022, some TAS components will become more strict about the protocols used in TLS communications, causing integrations with systems using older, insecure protocols to fail. Specifically, components built using the Go programming language will no longer support TLS 1.0 or 1.1, or certificates using SHA-1. In order to avoid breaking changes in this version line, (which has reached its End of General Support,) these components will no longer be updated with bug and security fixes in any patches that may be released. To continue receiving maintenance and security releases, upgrade to a version of TAS that remains in general support.

• Bump diego to version 2.62.0

2.10.25

Release Date: 06/09/2022

Warning: Breaking change. This version contains Diego 2.64.0, which bumps to Go 1.18. Go 1.18 no longer supports TLS 1.0 and 1.1 connections or certificates with a SHA-1 checksum. This is most likely to affect connections with external databases. We stated earlier that we wouldn’t bump to Go 1.18 until July 1, 2022. This TAS release with Diego 2.64.0 breaks that promise. We apologize. We are rolling back to Diego 2.62.0. If you already successfully deployed to this TAS release with Diego 2.64.0, then you are safe to continue using it.

• [Bug Fix] Sticky sessions no longer break when used with route-services that return HTTP 4xx/5xx responses
• Bump bpm to version 1.1.18
• Bump cf-networking to version 3.6.0
• Bump cflinuxfs3 to version 0.301.0
• Bump diego to version 2.64.0
• Bump garden-runc to version 1.20.6
• Bump loggregator-agent to version 6.0.10
• Bump metrics-discovery to version 3.0.13
• Bump routing to version 0.233.0
• Bump silk to version 3.6.0
• Bump syslog to version 11.7.10

  ## What's Changed
  * TCP Router: Add locking to the haproxy_reloader script to avoid haproxy reload/restart race conditions by @geofffranks in https://github.com/cloudfoundry/routing-release/pull/269
  * TCP Router: Bump HAProxy from 1.8.13 to 2.5.4 by @cunnie in https://github.com/cloudfoundry/routing-release/pull/266
  * Gorouter: fix proxy round tripper race condition by @ameowlia and @geofffranks  in https://github.com/cloudfoundry/gorouter/pull/318
  * Routing API: fix timestamp precision issue that caused routes to be pruned unexpectedly by @geofffranks in https://github.com/cloudfoundry/routing-api/pull/24
  *  Routing API: remove `golang.x509ignoreCN` bosh property by @geofffranks and @mariash
  * Routing API: fix bug that caused TCP Router's HAProxy to reload every minute by @jrussett in https://github.com/cloudfoundry/routing-api/pull/26.
  ## Manifest Property Changes
  | Job | Property  | Notes |
  | --- | --- | --- |
  | `routing-api` | `golang.x509ignoreCN` | This property exposed a go debug flag for go version 1.15. Since go 1.16 this go debug flag has had no affect. Removing this bosh property is part of our effort to keep our code base free of cruft. |
  ## ✨  Built with go 1.17.10
  **Full Changelog**: https://github.com/cloudfoundry/routing-release/compare/0.232.0...0.233.0
          

  ## What's Changed
  * Fixing issue #250: Return a 503 not a 404 when all instances down by @kecirlotfi in https://github.com/cloudfoundry/routing-release/pull/268 and https://github.com/cloudfoundry/gorouter/pull/314
  * Fixing issue https://github.com/cloudfoundry/gorouter/pull/315: Fix route service pruning by @geofffranks
  ## Manifest Property Changes
  | Job | Property | default | notes |
  | --- | --- | --- | --- |
  | `gorouter` | `for_backwards_compatibility_only.empty_pool_response_code_503` | `0s` | This property was added to enable https://github.com/cloudfoundry/routing-release/pull/268 |
  ## New Contributors 🎉
  * @kecirlotfi made their first contribution! Thanks so much!
  ## ✨  Built with go 1.17.9
  **Full Changelog**: https://github.com/cloudfoundry/routing-release/compare/0.231.0...0.232.0
          

2.10.24

Release Date: 04/20/2022

• Bump cf-networking to version 3.3.0
• Bump cflinuxfs3 to version 0.285.0
• Bump diego to version 2.62.0
• Bump metrics-discovery to version 3.0.10
• Bump silk to version 3.3.0

  - fix bug with large messages (#22)
  - bump-golang to v0.100.0(now 1.18)
          

2.10.23

Release Date: 03/31/2022

• [Security Fix] This release fixes CVE-2022-23806 and CVE-2022-23772.
• [Bug Fix] Resolve an issue resulting in tcp-router repeatedly respawning haproxy until it hits a forked process limit
• [Bug Fix] Resolves an issue where invalid seeded router group values should caused breaking changes
• [Bug fix] Remove x509ignoreCN option in Gorouter
• Bump cf-networking to version 3.1.0
• Bump cflinuxfs3 to version 0.279.0
• Bump diego to version 2.61.0
• Bump garden-runc to version 1.20.3
• Bump loggregator-agent to version 6.0.9
• Bump metrics-discovery to version 3.0.9
• Bump routing to version 0.231.0
• Bump silk to version 3.1.0

  ## Bug Fixes
  - Removed the x509ignoreCN property. Now that `gorouter` is built on golang 1.17, it
no longer has any effect on gorouter behavior, and was only adding to confusion in
the properties
  - Resolve an issue with route-registrar using the same TTL as it's RegistrationInterval
for tcp routes, leading to unnecessary churn of pruned + re-registered routes.
  - Resolve an issue with Routing API where upserts to tcp routes were causing change
events to be emitted when the only change was a bump in TTL. This led to an issue
where tcp-router was constantly reloading haproxy with every route's heartbeat
registration call.
  ## Manifest Property Changes
  | Job | Property | 0.230.0 | 0.231.0 |
  | --- | --- | --- | --- |
  | `gorouter` | `golang.x509ignoreCN` | false | No longer exists |
  |  `route_registrar` | `golang.x509ignoreCN` | false | No longer exists |
  | `tcp_router` | `golang.x509ignoreCN` | false | No longer exists |
  ### ✨ Built with golang 1.17.8
  **Full Changelog**: https://github.com/cloudfoundry/routing-release/compare/0.230.0...0.231.0
          

  ## Feature
  * update gorouter for prometheus scraping by @Benjamintf1 in https://github.com/cloudfoundry/routing-release/pull/258
  ## Bug Fix
  * Invalid seeded router group manifest values should no longer cause breaking changes by default by @ameowlia in https://github.com/cloudfoundry/routing-release/pull/261
  ### ✨ Built with golang 1.17.7
  **Full Changelog**: https://github.com/cloudfoundry/routing-release/compare/0.229.0...0.230.0
          

2.10.22

Release Date: 02/28/2022

• [Feature Improvement] Due to routing-release now being built with Golang 1.17, all certificates provided MUST contain SAN entries on them. The previous workaround of setting “Enable temporary workaround for certs without SANs” will no longer function.
• [Feature Improvement] Per Golang 1.17’s new and stricter IP parsing standards, any IP addrs with leading zeros in any octets will result in a BOSH template failure to allow operators to remove the leading zeros and try again (affects properties fed into diego-release, garden-runc-release, winc-release, nats-release, and routing-release),.
• [Bug Fix] Fixes an issue related to the parsing of the X-B3-TraceId and X-B3-SpanId HTTP headers
• [Bug Fix] Smoke tests support for TLSv1.3 only option
• Bump cflinuxfs3 to version 0.274.0
• Bump diego to version 2.58.1
• Bump garden-runc to version 1.19.33
• Bump loggregator-agent to version 6.0.8
• Bump metrics-discovery to version 3.0.8
• Bump routing to version 0.229.0
• Bump smoke-tests to version 4.5.0

2.10.21

Release Date: 02/07/2022

Note: This version of TAS for VMs contains a known issue that can cause application traces to break. See Gorouter Sets an Invalid X-B3-SpanID Header in Known Issues.

• [Security Fix] Bump routing release to 0.228.0 to address (CVE-2021-44716)
• [Feature Improvement] Golang v1.17 contains stricter IP parsing standards, so IP addresses with leading zeros in any octets cause a BOSH template failure. Operators can remove the leading zeros and try deploying again. This affects properties that feed into cf-networking-release, silk-release, loggregator-agent-release, and syslog-release. Syslog drains and metric registrar endpoints registered using user-provided services might also be affected.

2.10.20

Release Date: 12/15/2021

Note: This version of TAS for VMs contains a known issue that can cause application traces to break. See Gorouter Sets an Invalid X-B3-SpanID Header in Known Issues.

• [Bug Fix] Fix “pre-start scripts failed. Failed Jobs: policy-server” error Upgrading to CF Networking Release 2.40.0
• [Bug Fix] Enabling audit logging file rotation to reduce IO load during log rotation
• [Bug Fix] Smoke Tests uses specified domain for Isolation Segments
• Bump bpm to version 1.1.15
• Bump cf-networking to version 2.42.0
• Bump cflinuxfs3 to version 0.268.0
• Bump diego to version 2.54.0
• Bump metrics-discovery to version 3.0.7
• Bump routing to version 0.227.0
• Bump silk to version 2.41.0
• Bump smoke-tests to version 4.3.1

2.10.19

Release Date: 11/23/2021

• [Breaking Change] All Gorouter certificates require a SubjectAltName extension. If any Gorouter certificates lack a SubjectAltName, deployment fails. If you need to complete a deployment before configuring new Gorouter certificates, select Enable temporary workaround for certs without SANs in the Networking pane of the TAS for VMs tile. For more information about updating certificates, see Routing and Golang 1.15 X.509 CommonName deprecation in the Knowledge Base.
• Bump bpm to version 1.1.15
• Bump cf-networking to version 2.40.0
• Bump cflinuxfs3 to version 0.264.0
• Bump diego to version 2.53.1
• Bump routing to version 0.226.0
• Bump silk to version 2.40.0

2.10.18

Release Date: 10/20/2021

• Bump bpm to version 1.1.14
• Bump cf-networking to version 2.39.0
• Bump cflinuxfs3 to version 0.262.0
• Bump silk to version 2.39.0

2.10.17

Release Date: 09/29/2021

• [Security Fix] Fixes an issue where BBS socket connections could be kept alive unnecessarily
• [Feature Improvement] Disable Diego container proxy ALPN
• Bump cflinuxfs3 to version 0.259.0
• Bump diego to version 2.53.0

2.10.16

Release Date: 09/16/2021

• [Bug Fix] garden-runc - Fix handling reserved space on ext4 and generating bundle mounts when SMB volumes are present
• Bump cflinuxfs3 to version 0.256.0
• Bump garden-runc to version 1.19.30
• Bump routing to version 0.224.0

2.10.15

Release Date: 09/09/2021

• [Security Fix] Gorouter built with Go 1.16.7 to address CVE-2021-36221
• [Bug Fix] garden-runc - recover after cell restarts
• [Breaking Change] Gorouter sends all responses with transfer-encoded chunks. Some responses that were not chunked in previous versions now use transfer-encoded chunks. For more information, see Clients receive responses with no Content-Length header and a chunked encoded body after upgrading Tanzu Application Service for VMs in the Knowledge Base. (edited 20 Oct 2021)
• Bump bpm to version 1.1.13
• Bump cflinuxfs3 to version 0.252.0
• Bump garden-runc to version 1.19.29
• Bump routing to version 0.221.0

2.10.14

Release Date: 07/15/2021

• [Feature Improvement] garden-runc - Enable usage of .NET diagnostic tools
• [Bug Fix] Prevent tcp routes from using system component ports.
• Bump cf-networking to version 2.38.0
• Bump cflinuxfs3 to version 0.249.0
• Bump garden-runc to version 1.19.28
• Bump metrics-discovery to version 3.0.6
• Bump routing to version 0.216.0
• Bump silk to version 2.38.0

2.10.13

Release Date: 06/22/2021

• [Security Fix] Bump some dependencies to resolve security vulnerabilities
• Bump bpm to version 1.1.12
• Bump cf-networking to version 2.37.0
• Bump cflinuxfs3 to version 0.241.0
• Bump loggregator-agent to version 6.0.6
• Bump metrics-discovery to version 3.0.5
• Bump silk to version 2.37.0

2.10.12

Release Date: 05/27/2021

• [Feature Improvement] Patch versions can be upgraded without a stemcell upgrade
• [Feature Improvement] Adds per request metrics reporting, which makes metric frequency proportional to request frequency
• [Bug Fix] Smoke Test allows the operator to provide the apps_domain property when deploying TAS and also properly configures user provided space when deploying an isolation segment
• Bump bpm to version 1.1.11
• Bump cf-networking to version 2.36.0
• Bump cflinuxfs3 to version 0.238.0
• Bump diego to version 2.50.0
• Bump garden-runc to version 1.19.25
• Bump routing to version 0.213.0
• Bump silk to version 2.36.0
• Bump smoke-tests to version 4.3.0

2.10.11

Release Date: 03/31/2021

• [Breaking Change] This restores the breaking change originally found in 2.10.9 and temporarily remediated in 2.10.10: Gorouter update to Golang v1.15 introduces stricter transfer-encoding header standards. Stricter header standards break Spring apps that incorrectly set the header. For more information, see Applications on TAS for VMs get 502 chunked response error in the Knowledge Base.
• [Feature] gorouter - Operator can limit CAs gorouter trusts when validating client certs to a specified list. For more information, see Configure Networking.
• Bump ubuntu-xenial stemcell to version 621.115
• Bump cflinuxfs3 to version 0.227.0
• Bump diego to version 2.49.0
• Bump routing to version 0.212.0

2.10.10

Release Date: 02/19/2021

• [Temporary Remediation] Gorouter - Emit log, emit metric, and don’t error when an app response contains a duplicate “Transfer-Encoding: chunked” header. This is a stop gap to discover which apps are sending invalid responses. For more information, see Applications on TAS for VMs get 502 chunked response error in the Knowledge Base.
• Bump ubuntu-xenial stemcell to version 621.101
• Bump cflinuxfs3 to version 0.223.0
• Bump routing to version 0.211.1

2.10.9

Release Date: 12/18/2020

• [Breaking Change] Gorouter update to Golang v1.15 introduces stricter transfer-encoding header standards. Stricter header standards break Spring apps that incorrectly set the header. For more information, see Applications on TAS for VMs get 502 chunked response error in the Knowledge Base.
• [Security Fix] Bump garden-runc-release to address CVE-2020-15257
• Bump ubuntu-xenial stemcell to version 621.94
• Bump cf-networking to version 2.35.0
• Bump cflinuxfs3 to version 0.216.0
• Bump garden-runc to version 1.19.18
• Bump routing to version 0.210.0
• Bump silk to version 2.35.0

2.10.8

Release Date: 11/18/2020

• No BOSH release bumps

2.10.7

Release Date: 11/04/2020

• [Bug Fix] Downgrade haproxy to prevent blackbox failure
• Bump ubuntu-xenial stemcell to version 621.90
• Bump metrics-discovery to version 3.0.3

2.10.6

Release Date: 10/26/2020

• [Feature Improvement] Networking: Clarify that drain timeout should be lower than backend request timeout to reduce drain time during deploys
• [Bug Fix] Loggregator Agent Release - Prom Scraper metrics server names match
• Bump ubuntu-xenial stemcell to version 621.89
• Bump cf-networking to version 2.34.0
• Bump cflinuxfs3 to version 0.210.0
• Bump routing to version 0.208.0
• Bump silk to version 2.34.0

2.10.5

Release Date: 10/09/2020

• [Feature] The v7 cf CLI is the default CLI
• [Bug Fix] Remove “power_of_two” constraint from CPU resource definitions
• [BUG FIX] syslog-agent - Add ops man cert to use syslog ingestion for log-cache
• Bump ubuntu-xenial stemcell to version 621.85
• Bump cflinuxfs3 to version 0.208.0

2.10.4

Release Date: 09/21/2020

• Bump ubuntu-xenial stemcell to version 621.84
• Bump cflinuxfs3 to version 0.204.0
• Bump routing to version 0.207.0

2.10.3

Release Date: 09/09/2020

• [Security Fix] Fix for CVE-2020-5420: Improve Gorouter’s handling of invalid HTTP responses
• [Feature Improvement] Gorouter aliases /healthz to /health in order to prevent downtime during upgrades
• Bump ubuntu-xenial stemcell to version 621.82
• Bump cf-networking to version 2.33.0
• Bump diego to version 2.48.0
• Bump nfs-volume to version 7.0.4
• Bump routing to version 0.206.0
• Bump silk to version 2.33.0
• Bump smoke-tests to version 2.2.0

2.10.2

Release Date: 08/24/2020

• [Bug Fix] loggr-syslog-agent - Fix server alternative name
• [Bug Fix]: Return 502 TLS Handshake error for an unresponsive backend
• [Bug Fix] Bump garden-runc to v1.19.16
• Bump ubuntu-xenial stemcell to version 621.78
• Bump cflinuxfs3 to version 0.203.0
• Bump garden-runc to version 1.19.16
• Bump routing to version 0.205.0

2.10.1

Release Date: 08/08/2020

• [Bug Fix] Fix issue where requests to internal routes could fail due to incorrect case-sensitivity in DNS lookup in the service discovery controller.
• [Bug Fix] System Metrics Scraper/Prom Scraper — Fixes a bug that causes excess log volume and increases scrape interval to reduce metric volume
• Bump ubuntu-xenial stemcell to version 621.77
• Bump cf-networking to version 2.31.0
• Bump cflinuxfs3 to version 0.202.0
• Bump garden-runc to version 1.19.14
• Bump silk to version 2.31.0

2.10.0

Release Date: July 31, 2020

• See New Features in Isolation Segment v2.10
• See Breaking Changes

About Isolation Segment

The Isolation Segment v2.10 tile is available for installation with Ops Manager v2.10.

Isolation segments provide dedicated pools of resources where you can deploy apps and isolate workloads. Using isolation segments separates app resources as completely as if they were in different Ops Manager deployments but avoids redundant management and network complexity. For more information about isolation segments, see Isolation Segments in TAS for VMs Security.

For more information about using isolation segments in your deployment, see Managing Isolation Segments.

How to Install

To install Isolation Segment v2.10, see Installing Isolation Segment.

To install Isolation Segment v2.10, you must first install Ops Manager v2.10.

New Features in Isolation Segment v2.10

Isolation Segment v2.10 includes the following major features:

Aggregate Syslog Drains Contain Logs Only

When you configure an aggregate syslog drain in Isolation Segment v2.10, by default you receive logs only. You do not also receive metrics. By not including metrics alongside logs, your syslog drain uses fewer resources and reduces network traffic between TAS for VMs components and your external logging service.

If you want the aggregate drain to send metrics along with logs, you can modify your drain URLs.

To continue to see metrics in your drains after upgrading to Isolation Segment v2.10:

1. Navigate to the Ops Manager Installation Dashboard.
2. Click the Isolation Segment tile in the Installation Dashboard.
3. Select System Logging.
4. For Address, enter the hostname or IP address of the syslog server and append ?include-metrics-deprecated=true. For example, https://syslog-server.com:123?include-metrics-deprecated=true.
5. Click Save.

For more information about configuring aggregate syslog drains, see Configure System Logging in Configuring TAS for VMs.

Configurable Sticky Session Cookie Names

You can supply sticky session cookie names for the Gorouter to use when handling sticky sessions. The Gorouter uses these cookies to support session affinity, or sticky sessions. For more information, see Session Affinity in HTTP Routing.

By default, the Gorouter uses JSESSIONID. Some apps require a different session name. For example, Spring WebFlux requires SESSION for the session cookie name.

To supply cookie names, see Configure Networking in Installing Isolation Segment.

Breaking Changes

There are no breaking changes in this release of Isolation Segment.

Known Issues

Isolation Segment v2.10 includes the following known issues:

Gorouter Sets an Invalid X-B3-SpanID Header

An issue with the Gorouter’s implementation of X-B3-SpanId and X-B3-TraceId headers can cause invalid span IDs to be set after updating the X-B3-TraceId header to the new 16-byte standard. As a result, some applications and libraries invalidate the X-B3-SpanId value, breaking traces of the application.

This issue affects versions of TAS for VMs that contain routing-release v0.227.0 and v0.228.0.