Isolation Segment v2.11 Release Notes

Page last updated:

This topic contains release notes for Isolation Segment v2.11.

Because VMware uses the Percona Distribution for MySQL, expect a time lag between Oracle releasing a MySQL patch and VMware releasing TAS for VMs containing that patch.


Releases

2.11.8

Release Date: 11/23/2021

  • [Bug Fix] Breaking Change: Any customers with gorouter certificates lacking a SubjectAltName extension will experience failures upon deployment. As a workaround to complete deployment while new certificates are procured, enable the “Enable temporary workaround for certs without SANs” property in the Networking section of the TAS tile. For more information on updating certs, see https://community.pivotal.io/s/article/Routing-and-golang-1-15-X-509-CommonName-deprecation?language=en_US
  • Bump bpm to version 1.1.15
  • Bump cf-networking to version 2.40.0
  • Bump cflinuxfs3 to version 0.264.0
  • Bump routing to version 0.226.0
  • Bump silk to version 2.40.0
Component Version
ubuntu-xenial stemcell621.0
bpm1.1.15
cf-networking2.40.0
cflinuxfs30.264.0
diego2.53.0
garden-runc1.19.30
haproxy9.8.0
loggregator-agent6.3.4
mapfs1.2.6
metrics-discovery3.0.6
nfs-volume5.0.12
routing0.226.0
silk2.40.0
smb-volume3.1.0
smoke-tests4.3.0
syslog11.7.5

2.11.7

Release Date: 10/19/2021

  • Bump bpm to version 1.1.14
  • Bump cf-networking to version 2.39.0
  • Bump cflinuxfs3 to version 0.262.0
  • Bump routing to version 0.225.0
  • Bump silk to version 2.39.0
Component Version
ubuntu-xenial stemcell621.0
bpm1.1.14
cf-networking2.39.0
cflinuxfs30.262.0
diego2.53.0
garden-runc1.19.30
haproxy9.8.0
loggregator-agent6.3.4
mapfs1.2.6
metrics-discovery3.0.6
nfs-volume5.0.12
routing0.225.0
silk2.39.0
smb-volume3.1.0
smoke-tests4.3.0
syslog11.7.5

2.11.6

Release Date: 09/30/2021

  • [Security Fix] Fixes an issue where BBS socket connections could be kept alive unnecessarily
  • [Feature Improvement] Disable Diego container proxy ALPN
  • Bump cflinuxfs3 to version 0.259.0
  • Bump diego to version 2.53.0
Component Version
ubuntu-xenial stemcell621.0
bpm1.1.13
cf-networking2.38.0
cflinuxfs30.259.0
diego2.53.0
garden-runc1.19.30
haproxy9.8.0
loggregator-agent6.3.4
mapfs1.2.6
metrics-discovery3.0.6
nfs-volume5.0.12
routing0.224.0
silk2.38.0
smb-volume3.1.0
smoke-tests4.3.0
syslog11.7.5

2.11.5

Release Date: 09/16/2021

  • [Bug Fix] garden-runc - Fix handling reserved space on ext4 and generating bundle mounts when SMB volumes are present
  • Bump cflinuxfs3 to version 0.256.0
  • Bump garden-runc to version 1.19.30
  • Bump routing to version 0.224.0
Component Version
ubuntu-xenial stemcell621.0
bpm1.1.13
cf-networking2.38.0
cflinuxfs30.256.0
diego2.50.0
garden-runc1.19.30
haproxy9.8.0
loggregator-agent6.3.4
mapfs1.2.6
metrics-discovery3.0.6
nfs-volume5.0.12
routing0.224.0
silk2.38.0
smb-volume3.1.0
smoke-tests4.3.0
syslog11.7.5

2.11.4

Release Date: 09/09/2021

  • [Security Fix] Gorouter built with Go 1.16.7 to address CVE-2021-36221
  • [Bug Fix] garden-runc - recover after cell restarts
  • Bump bpm to version 1.1.13
  • Bump cflinuxfs3 to version 0.252.0
  • Bump garden-runc to version 1.19.29
  • Bump loggregator-agent to version 6.3.4
  • Bump routing to version 0.221.0
Component Version
ubuntu-xenial stemcell621.0
bpm1.1.13
cf-networking2.38.0
cflinuxfs30.252.0
diego2.50.0
garden-runc1.19.29
haproxy9.8.0
loggregator-agent6.3.4
mapfs1.2.6
metrics-discovery3.0.6
nfs-volume5.0.12
routing0.221.0
silk2.38.0
smb-volume3.1.0
smoke-tests4.3.0
syslog11.7.5

2.11.3

Release Date: 07/15/2021

  • [Feature Improvement] garden-runc - Enable usage of .NET diagnostic tools
  • [Bug Fix] Prevent tcp routes from using system component ports.
  • [Breaking Change] Gorouter sends all responses with transfer-encoded chunks. Some responses that were not chunked in previous versions now use transfer-encoded chunks. For more information, see Clients receive responses with no Content-Length header and a chunked encoded body after upgrading Tanzu Application Service for VMs in the Knowledge Base. (edited 20 Oct 2021)
  • Bump cf-networking to version 2.38.0
  • Bump cflinuxfs3 to version 0.249.0
  • Bump garden-runc to version 1.19.28
  • Bump metrics-discovery to version 3.0.6
  • Bump routing to version 0.216.0
  • Bump silk to version 2.38.0
  • Bump syslog to version 11.7.5
Component Version
ubuntu-xenial stemcell621.0
bpm1.1.12
cf-networking2.38.0
cflinuxfs30.249.0
diego2.50.0
garden-runc1.19.28
haproxy9.8.0
loggregator-agent6.3.3
mapfs1.2.6
metrics-discovery3.0.6
nfs-volume5.0.12
routing0.216.0
silk2.38.0
smb-volume3.1.0
smoke-tests4.3.0
syslog11.7.5

2.11.2

Release Date: 06/22/2021

  • [Security Fix] Bump some dependencies to resolve security vulnerabilities
  • Bump bpm to version 1.1.12
  • Bump cf-networking to version 2.37.0
  • Bump cflinuxfs3 to version 0.240.0
  • Bump loggregator-agent to version 6.3.3
  • Bump metrics-discovery to version 3.0.5
  • Bump silk to version 2.37.0
Component Version
ubuntu-xenial stemcell621.0
bpm1.1.12
cf-networking2.37.0
cflinuxfs30.240.0
diego2.50.0
garden-runc1.19.25
haproxy9.8.0
loggregator-agent6.3.3
mapfs1.2.6
metrics-discovery3.0.5
nfs-volume5.0.12
routing0.213.0
silk2.37.0
smb-volume3.1.0
smoke-tests4.3.0
syslog11.7.0

2.11.1

Release Date: 05/27/2021

  • [Feature] gorouter - Operator can limit CAs gorouter trusts when validating client certs to a specified list. For more information, see Configure Networking.
  • [Feature Improvement] Patch versions can be upgraded without a stemcell upgrade
  • [Feature Improvement] Adds support for SNI routes
  • [Feature Improvement] Adds per request metrics reporting, which makes metric frequency proportional to request frequency
  • [Bug Fix] Smoke Test allows the operator to provide the apps_domain property when deploying TAS and also properly configures user provided space when deploying an isolation segment
  • Bump bpm to version 1.1.11
  • Bump cf-networking to version 2.36.0
  • Bump cflinuxfs3 to version 0.238.0
  • Bump diego to version 2.50.0
  • Bump garden-runc to version 1.19.25
  • Bump loggregator-agent to version 6.2.1
  • Bump nfs-volume to version 5.0.12
  • Bump routing to version 0.213.0
  • Bump silk to version 2.36.0
  • Bump smoke-tests to version 4.3.0
Component Version
ubuntu-xenial stemcell621.0
bpm1.1.11
cf-networking2.36.0
cflinuxfs30.238.0
diego2.50.0
garden-runc1.19.25
haproxy9.8.0
loggregator-agent6.2.1
mapfs1.2.6
metrics-discovery3.0.3
nfs-volume5.0.12
routing0.213.0
silk2.36.0
smb-volume3.1.0
smoke-tests4.3.0
syslog11.7.0

2.11.0

Release Date: March 30, 2021

Component Version
ubuntu-xenial stemcell621.113
bpm1.1.7
cf-networking2.35.0
cflinuxfs30.229.0
diego2.49.0
garden-runc1.19.18
haproxy9.8.0
loggregator-agent6.2.0
mapfs1.2.6
metrics-discovery3.0.3
nfs-volume5.0.11
routing0.211.0
silk2.35.0
smb-volume3.1.0
smoke-tests2.2.0
syslog11.7.0

About Isolation Segment

The Isolation Segment v2.11 tile is available for installation with Ops Manager v2.10.

Isolation segments provide dedicated pools of resources where you can deploy apps and isolate workloads. Using isolation segments separates app resources as completely as if they were in different deployments but avoids redundant management and network complexity. For more information about isolation segments, see Isolation Segments in TAS for VMs Security.

For more information about using isolation segments in your deployment, see Managing Isolation Segments.

How to Install

The Isolation Segment v2.11 tile is available with the release of Ops Manager v2.10. For more information, see the Ops Manager documentation.

To use the Isolation Segment v2.11 tile, you must install Ops Manager v2.10 and VMware Tanzu Application Service for VMs (TAS for VMs) v2.11 or later.

To install Isolation Segment v2.11, see Installing Isolation Segment.

New Features in Isolation Segment v2.11

Isolation Segment v2.11 includes the following major features:

Configure Trusted CAs for Gorouter

When validating requests using mutual TLS to back ends and route services, the Gorouter trusts multiple certificate authorities (CAs) by default. In Isolation Segment v2.11, you can configure which CA certificates the Gorouter trusts.

For more information, see Configure Networking in Installing Isolation Segment.

Breaking Changes

Option Removed: Disable SSL Certificate Verification for this Environment

In Isolation Segment v2.11.0 and later, the option to disable SSL certificate verification for an environment is removed.

Before you upgrade to Isolation Segment v2.11, you must deselect the option to disable SSL certificate verification in the Networking pane of the Isolation Segment tile. For more information, see Configure Networking in Configuring Isolation Segment.

If the Disable SSL certificate verification for this environment option is enabled when you try to upgrade to Isolation Segment, the upgrade fails with the following error:

attempt to upgrade to IST 2.11+ with Skip SSL Verification enabled, please disable
Skip SSL Verification prior to upgrade by un-checking "Disable SSL certificate
verification for this environment" under "Networking"

If you plan to automate the installation of Isolation Segment v2.11, you must remove references to the corresponding property .properties.skip_cert_verify.

Gorouter Update to Golang v1.15 Introduces Stricter Transfer-Encoding Header Standards in Isolation Segment v2.11.0 and Later

In Isolation Segment v2.11.0 and later, stricter header standards break Spring apps that incorrectly set the header.

For information about how to avoid this breaking change, see Applications on TAS for VMs get 502 chunked response error in the Knowledge Base. You must complete the resolution steps described in this Knowledge Base article before you upgrade to Isolation Segment v2.11.0 or later.

Note: This breaking change was also present in Isolation Segment v2.7.30, v2.8.24, v2.9.18, and v2.10.10. If you are on any of these versions or earlier, you must upgrade to Isolation Segment v2.7.31, v2.8.25, v2.9.19, or v2.10.11 before upgrading or jump upgrading to Isolation Segment 2.11.0 or later. For more information, see Applications on TAS for VMs get 502 chunked response error.

Known Issues

There are no known issues in this release of Isolation Segment.