VMware Tanzu Application Service for VMs [Windows] v2.11 Release Notes

Page last updated:

This topic contains release notes for VMware Tanzu Application Service for VMs [Windows] v2.11.

Because VMware uses the Percona Distribution for MySQL, expect a time lag between Oracle releasing a MySQL patch and VMware releasing TAS for VMs [Windows] containing that patch.

Warning: Windows stemcells v2019.44 and later include a version of tar that is incompatible with winfs2019-release v2.33.1 and earlier. For more information, see Windows Stemcell v2019.44 is Incompatible with winfs2019-release v2.33.1 and Earlier below.

Before you install the tile, review the Windows Stemcell Compatibility Matrix.

Releases

2.11.25

Release Date: 01/17/2023

• Bump diego to version 2.71.0
• Bump garden-runc to version 1.22.7
• Bump loggregator-agent to version 6.5.6
• Bump smoke-tests to version 4.8.2

  ## What's Changed
  * fix scraping with non-positive intervals to preserve non-scraping behavior by @Benjamintf1 in https://github.com/cloudfoundry/loggregator-agent-release/pull/174
  * updated some dependencies.
  **Full Changelog**: https://github.com/cloudfoundry/loggregator-agent-release/compare/v6.5.5...v6.5.6
          

  Port assets/ruby_simple to Ruby 3
          

v2.11.24

Release Date: 12/15/2022

• [Security Fix] Fix CVE-2022-31733: Unsecured Application Port
• Bump diego to version 2.70.0
• Bump envoy-nginx to version 0.14.0
• Bump hwc-offline-buildpack to version 3.1.27
• Bump loggregator-agent to version 6.5.5
• Bump metrics-discovery to version 3.2.4
• Bump winc to version 2.9.0
• Bump windowsfs-release to version 2.40.0

  * Add hwc 21.0.0, remove hwc 20.0.0
  for stack(s) windows2016, windows
  (https://www.pivotaltracker.com/story/show/183726731)
  * Bumps default version to match new HWC version
  * Bumps go.mod go version to 1.19
  Packaged binaries:
  | name | version | cf_stacks |
  |-|-|-|
  | hwc | 21.0.0 | windows, windows2016 |
  Default binary versions:
  | name | version |
  |-|-|
  | hwc | 21.0.0 |
  * Uncached buildpack SHA256: ae83488a72f50d1725fb37fc35e819133ed07af82d872b9fe7fb34e9de18b92e
  * Uncached buildpack SHA256: 2e2e474d7677112021cc892627eddef0768e28835b6ad98117a260ea022e4463
          

  - bump-golang to v0.114.0 for golang 1.19.4
  - Bump google.golang.org/grpc from 1.50.1 to 1.51.0 in /src
  - Bump github.com/valyala/fasthttp from 1.41.0 to 1.43.0 in /src
  - Bump github.com/onsi/ginkgo/v2 from 2.5.0 to 2.5.1 in /src
  - Bump github.com/onsi/gomega from 1.24.0 to 1.24.1 in /src
  - Bump github.com/prometheus/client_model from 0.2.0 to 0.3.0 in /src
  - Bump golangci/golangci-lint-action from 3.3.0 to 3.3.1
          

  - bump-golang to v0.114.0 for golang 1.19.4
  - Bump github.com/nats-io/nats.go from 1.19.0 to 1.21.0 in /src
  - Bump google.golang.org/grpc from 1.50.1 to 1.51.0 in /src
  - Bump github.com/onsi/ginkgo/v2 from 2.5.0 to 2.5.1 in /src
  - Bump github.com/prometheus/client_golang from 1.13.1 to 1.14.0 in /src
  - Bump github.com/onsi/gomega from 1.24.0 to 1.24.1 in /src
  - Bump golangci/golangci-lint-action from 3.3.0 to 3.3.1
          

v2.11.23

Release Date: 12/01/2022

v2.11.22

Release Date: 11/10/2022

• Bump envoy-nginx to version 0.13.0
• Bump garden-runc to version 1.22.5
• Bump windows-syslog to version 1.1.11
• Bump hwc-offline-buildpack to version 3.1.26
• Bump loggregator-agent to version 6.5.4
• Bump metrics-discovery to version 3.2.3
• Bump smoke-tests to version 4.8.1

  * Update libbuildpack
  Packaged binaries:
  | name | version | cf_stacks |
  |-|-|-|
  | hwc | 20.0.0 | windows, windows2016 |
  Default binary versions:
  | name | version |
  |-|-|
  | hwc | 20.0.0 |
  * Uncached buildpack SHA256: b9b2cec9ada73d9a2933a14e8e56f025c35b02d8bed7e74e20b093a23e13ec43
  * Uncached buildpack SHA256: f633f0f686fc9539ec8f4ef205e778c820602e51434730fd69f7caad4cfb3d4f
          

  * Update libbuildpack
  * Bump github.com/onsi/gomega from 1.19.0 to 1.20.2
  Packaged binaries:
  | name | version | cf_stacks |
  |-|-|-|
  | hwc | 20.0.0 | windows, windows2016 |
  Default binary versions:
  | name | version |
  |-|-|
  | hwc | 20.0.0 |
  * Uncached buildpack SHA256: 5a0c73cda7fe06118e554a93d78b0587f581e3eb2a4d108274814d372935469b
  * Uncached buildpack SHA256: fa7565740a5f73f2b87cbce06104517fcbc69bb513497ed8db492cb7d42f3dd1
          

  Create bosh final release 4.8.1
          

  Create bosh final release 4.8.0
          

  Create bosh final release 4.7.0
          

v2.11.21

Release Date: 10/12/2022

• [Feature Improvement] Add option for file logging and improved event logging. For more information about syslog, see Optional TAS for VMs [Windows] 3.0 compatible syslog option below.
• Bump envoy-nginx to version 0.12.0
• Bump garden-runc to version 1.22.4
• Bump windows-syslog to version 1.1.9
• Bump loggregator-agent to version 6.5.1
• Bump metrics-discovery to version 3.2.1
• Bump winc to version 2.8.0

v2.11.20

Release Date: 09/20/2022

• [Breaking Change] If you have configured an app log rate limit that measures app log rates in lines per second, Diego immediately drops app logs that exceed the app log rate limit. For more information, see Diego Drops App Logs That Exceed the App Log Rate Limit below.
• [Feature Improvement] Bump golang to 1.18 for diego, routing, cf-networking, and silk
• [Known Issue] If Git is not installed in the PATH environment variable for your Windows stemcell when you deploy TAS for VMs [Windows], you may encounter a version control system (VCS) stamping failure. For more information, see Windows Stemcells Without Git Installed Cause VSC Stamping Failures below.
• Bump diego to version 2.66.3
• Bump envoy-nginx to version 0.10.0
• Bump garden-runc to version 1.22.0
• Bump loggregator-agent to version 6.4.4
• Bump metrics-discovery to version 3.1.2
• Bump winc to version 2.7.0

v2.11.17

Release Date: 08/10/2022

• Bump loggregator-agent to version 6.4.3
• Bump metrics-discovery to version 3.1.1

v2.11.16

Release Date: 07/18/2022

• Bump diego to version 2.62.0
• Bump garden-runc to version 1.20.8
• Bump loggregator-agent to version 6.4.2
• Bump metrics-discovery to version 3.1.0

v2.11.15

Release Date: 06/23/2022

Warning: Upcoming breaking changes! In future patches, no sooner than July 1st 2022, some components will become more strict about the protocols used in TLS communications, causing integrations with systems using older, insecure protocols to fail. Specifically, components using the Go programming language will be updated to Go 1.18, and will no longer support TLS 1.0 and 1.1 connections or certificates with a SHA-1 checksum. This is most likely to affect connections with external databases. However, the pre-existing configuration for “TLS versions supported by the Gorouter” will still work. This change may not arrive all at once, as Go is used in systems throughout TAS. There will be a VMware Knowledge Base article about this change published prior to the changes rolling out. These changes will be clearly designated in the release notes of the versions they ship in; a version of this warning will appear on all patch versions until we are confident no systems remain to be updated.

• Bump diego to version 2.62.0

v2.11.14

Release Date: 06/09/2022

Warning: Breaking change. This version contains Diego 2.64.0, which bumps to Go 1.18. Go 1.18 no longer supports TLS 1.0 and 1.1 connections or certificates with a SHA-1 checksum. This is most likely to affect connections with external databases. We stated earlier that we wouldn’t bump to Go 1.18 until July 1, 2022. This TAS release with Diego 2.64.0 breaks that promise. We apologize. We are rolling back to Diego 2.62.0. If you already successfully deployed to this TAS release with Diego 2.64.0, then you are safe to continue using it.

• Bump diego to version 2.64.0
• Bump garden-runc to version 1.20.6
• Bump loggregator-agent to version 6.4.1
• Bump metrics-discovery to version 3.0.13

v2.11.13

Release Date: 04/20/2022

• [Breaking Change] Syslog drains configured to use TLS now reject certificates signed with the SHA-1 hash function.
• Bump diego to version 2.62.0
• Bump hwc-offline-buildpack to version 3.1.24
• Bump loggregator-agent to version 6.3.11
• Bump metrics-discovery to version 3.0.10
• Bump winc to version 2.5.0

  - fix bug with large messages (#89)
  - bump-golang to v0.100.0(now 1.18)
          

  - fix bug with large messages (#22)
  - bump-golang to v0.100.0(now 1.18)
          

v2.11.12

Release Date: 03/31/2022

• [Feature Improvement] Move aggregate drains to the syslog-binding cache to improve deploy speed and reduce errors.
• Bump diego to version 2.61.0
• Bump garden-runc to version 1.20.3
• Bump hwc-offline-buildpack to version 3.1.23
• Bump loggregator-agent to version 6.3.10
• Bump metrics-discovery to version 3.0.9
• Bump windowsfs-release to version 2.35.0

v2.11.11

Release Date: 02/28/2022

• [Feature Improvement] Per Golang 1.17’s new and stricter IP parsing standards, any IP addrs with leading zeros in any octets will result in a BOSH template failure to allow operators to remove the leading zeros and try again (affects properties fed into diego-release, garden-runc-release, winc-release, nats-release, and routing-release),.
• [Bug Fix] Smoke tests support for TLSv1.3 only option
• Bump diego to version 2.58.1
• Bump envoy-nginx to version 0.9.0
• Bump garden-runc to version 1.20.0
• Bump hwc-offline-buildpack to version 3.1.22
• Bump loggregator-agent to version 6.3.8
• Bump metrics-discovery to version 3.0.8
• Bump smoke-tests to version 4.5.0

v2.11.10

Release Date: 02/08/2022

• [Security Fix] Diego - Bump containerd to v1.5.9 to fix CVE-2021-43816
• [Feature Improvement] TAS for VMs [Windows] supports compiled releases
• [Feature Improvement] Golang v1.17 contains stricter IP parsing standards, so syslog drains registered using user-provided services cannot contain IP addresses with leading zeros in any octets.
• [Bug Fix] windowsfs-release compilation issue - Cannot extract through symlink
• Bump diego to version 2.57.0
• Bump hwc-offline-buildpack to version 3.1.21
• Bump loggregator-agent to version 6.3.7
• Bump metrics-discovery to version 3.0.7
• Bump smoke-tests to version 4.4.0
• Bump windowsfs-release to version 2.33.2

v2.11.9 - Withdrawn

Warning: This release has been removed from VMware Tanzu Network due to a regression in Windows FS Injector 0.21.0.

Release Date: 12/15/2021

Note: Windows stemcells v2019.44 and later are not compatible with this version of TAS for VMs [Windows]. You must use a Windows stemcell version between v2019.0 and v2019.43 to install this release.

• [Bug Fix] Diego - Envoy v1.19 uses the original TCP connection pool so that it can accept more than 1024 downstream connections
• [Bug Fix] Smoke Tests uses specified domain for Isolation Segments
• Bump diego to version 2.54.0
• Bump loggregator-agent to version 6.3.5
• Bump smoke-tests to version 4.3.1

v2.11.8

Release Date: 11/23/2021

Note: Windows stemcells v2019.44 and later are not compatible with this version of TAS for VMs [Windows]. You must use a Windows stemcell version between v2019.0 and v2019.43 to install this release.

• Bump diego to version 2.53.1
• Bump hwc-offline-buildpack to version 3.1.20
• Bump windowsfs-release to version 2.31.0

v2.11.7

Release Date: 10/19/2021

Note: Windows stemcells v2019.44 and later are not compatible with this version of TAS for VMs [Windows]. You must use a Windows stemcell version between v2019.0 and v2019.43 to install this release.

• No BOSH release bumps

v2.11.6

Release Date: 09/30/2021

Note: Windows stemcells v2019.44 and later are not compatible with this version of TAS for VMs [Windows]. You must use a Windows stemcell version between v2019.0 and v2019.43 to install this release.

• [Security Fix] Fixes an issue where BBS socket connections could be kept alive unnecessarily
• [Feature Improvement] Disable Diego container proxy ALPN
• Bump diego to version 2.53.0

v2.11.5

Release Date: 09/17/2021

Note: Windows stemcells v2019.44 and later are not compatible with this version of TAS for VMs [Windows]. You must use a Windows stemcell version between v2019.0 and v2019.43 to install this release.

• [Bug Fix] garden-runc - Fix handling reserved space on ext4 and generating bundle mounts when SMB volumes are present
• Bump garden-runc to version 1.19.30
• Bump windowsfs-release to version 2.29.0

v2.11.4

Release Date: 09/09/2021

Note: Windows stemcells v2019.44 and later are not compatible with this version of TAS for VMs [Windows]. You must use a Windows stemcell version between v2019.0 and v2019.43 to install this release.

• [Bug Fix] garden-runc - recover after cell restarts
• Bump garden-runc to version 1.19.29
• Bump loggregator-agent to version 6.3.4
• Bump windowsfs-release to version 2.28.0

v2.11.3

Release Date: 07/15/2021

Note: Windows stemcells v2019.44 and later are not compatible with this version of TAS for VMs [Windows]. You must use a Windows stemcell version between v2019.0 and v2019.43 to install this release.

• Bump garden-runc to version 1.19.28
• Bump hwc-offline-buildpack to version 3.1.18
• Bump metrics-discovery to version 3.0.6
• Bump windowsfs-release to version 2.27.0

v2.11.2

Release Date: 06/22/2021

Note: Windows stemcells v2019.44 and later are not compatible with this version of TAS for VMs [Windows]. You must use a Windows stemcell version between v2019.0 and v2019.43 to install this release.

• [Security Fix] Bump some dependencies to resolve security vulnerabilities
• Bump loggregator-agent to version 6.3.3
• Bump metrics-discovery to version 3.0.5

v2.11.1

Release Date: 05/27/2021

Note: Windows stemcells v2019.44 and later are not compatible with this version of TAS for VMs [Windows]. You must use a Windows stemcell version between v2019.0 and v2019.43 to install this release.

• See Known Issues.
• [Feature Improvement] Patch versions can be upgraded without a stemcell upgrade
• [Bug Fix] Smoke Test allows the operator to provide the apps_domain property when deploying TAS and also properly configures user provided space when deploying an isolation segment
• Bump diego to version 2.50.0
• Bump garden-runc to version 1.19.25
• Bump loggregator-agent to version 6.2.1
• Bump smoke-tests to version 4.3.0
• Bump windowsfs-release to version 2.26.0

v2.11.0

Release Date: March 30, 2021

Note: Windows stemcells v2019.44 and later are not compatible with this version of TAS for VMs [Windows]. You must use a Windows stemcell version between v2019.0 and v2019.43 to install this release.

How to Upgrade

The TAS for VMs [Windows] v2.11 tile is available with the release of Ops Manager v2.10. For more information, see the Ops Manager documentation.

To use the TAS for VMs [Windows] v2.11 tile, you must install Ops Manager v2.10 and VMware Tanzu Application Service for VMs (TAS for VMs) v2.11 or later.

New Features in TAS for VMs [Windows] v2.11

There are no new features in this release of TAS for VMs [Windows].

Breaking Changes

TAS for VMs [Windows] v2.11 includes the following breaking change:

Diego Drops App Logs That Exceed the App Log Rate Limit

As of TAS for VMs [Windows] v2.11.20, if you have configured an app log rate limit that measures app log rates in lines per second, Diego immediately drops app logs that exceed the app log rate limit.

In TAS for VMs [Windows] v2.11.19 and earlier, Diego buffers and releases approximately 5 MB to 10 MB of app logs that exceed the app log rate limit. This behavior has changed in TAS for VMs [Windows] v2.11.20 because Diego has been upgraded to a newer version.

If this change in behavior causes parts of your deployment to fail, VMware recommends that you either modify any automated scripts that rely on app log output or increase the app log rate limit.

For more information about app log rate limits, see App Log Rate Limiting.

Optional TAS for VMs [Windows] 3.0 compatible syslog option

TAS for VMs [Windows] 3.0 includes changes to syslog forwarding. These changes include - Changes in syslog format to better match other tiles. - Allows securely forwarding logs with tls enabled. - Includes bosh logs to match other tiles and to aid in debugging and auditing the system.

These changes will only be enabled if you turn off compatibility_mode in the system logging window of the settings.

The formatting changes are detailed as follows: * The priority is changed from kernel/debug(7) to user/info(14). * The app name is changed from Microsoft-Windows-Security-Auditing to event_logger. * The process number is changed from a numerical process ID to rs2. * Logs contain structured data for instance and deployment details. * The event log JSON string includes additional fields. * In the event log JSON string, field names are written in camel case. * In the event log JSON string, fields may appear in a different order.

The following example shows the previous log format:

<7>1 2022-07-06T22:19:38.1413061Z 10.0.4.14 Microsoft-Windows-Security-Auditing 160 - - {"message":"A new process has been created.\r\n\r\nCreator Subject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tVM-7F65ECCF-0D0$\r\n\tAccount Domain:\t\tWORKGROUP\r\n\tLogon ID:\t\t0x3e7\r\n\r\nTarget Subject:\r\n\tSecurity ID:\t\tS-1-0-0\r\n\tAccount Name:\t\t-\r\n\tAccount Domain:\t\t-\r\n\tLogon ID:\t\t0x0\r\n\r\nProcess Information:\r\n\tNew Process ID:\t\t0x1f7c\r\n\tNew Process Name:\tC\r\n\tToken Elevation Type:\t%%1936\r\n\tMandatory Label:\t\tS-1-16-16384\r\n\tCreator Process ID:\t0x248\r\n\tCreator Process Name:\tC\r\n\tProcess Command Line:\t\r\n\r\nToken Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.\r\n\r\nType 1 is a full token with no privileges removed or groups disabled.  A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.\r\n\r\nType 2 is an elevated token with no privileges removed or groups disabled.  An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator.  An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.\r\n\r\nType 3 is a limited token with administrative privileges removed and administrative groups disabled.  The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.","source":"Microsoft-Windows-Security-Auditing"}

The following example shows the new log format:

<14>1 2022-07-11T22:27:08.279742Z 10.0.4.12 event_logger rs2 - [instance@47450 az="us-central1-b" deployment="pas-windows-dfc8956c7081f9369571" director="" group="windows_diego_cell" id="d0564a0e-684f-4b58-99ee-6a59d1e7caf8"] {"MachineName":"vm-c5547227-c4fa-44ae-79d0-ee56f96e82a4","Data":[],"Index":162257,"Category":"(13312)","CategoryNumber":13312,"EventID":4688,"EntryType":8,"Message":"A new process has been created.\r\n\r\nCreator Subject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tVM-C5547227-C4F$\r\n\tAccount Domain:\t\tWORKGROUP\r\n\tLogon ID:\t\t0x3e7\r\n\r\nTarget Subject:\r\n\tSecurity ID:\t\tS-1-0-0\r\n\tAccount Name:\t\t-\r\n\tAccount Domain:\t\t-\r\n\tLogon ID:\t\t0x0\r\n\r\nProcess Information:\r\n\tNew Process ID:\t\t0x1590\r\n\tNew Process Name:\tC\r\n\tToken Elevation Type:\t%%1936\r\n\tMandatory Label:\t\tS-1-16-16384\r\n\tCreator Process ID:\t0x1120\r\n\tCreator Process Name:\tC\r\n\tProcess Command Line:\t\r\n\r\nToken Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.\r\n\r\nType 1 is a full token with no privileges removed or groups disabled.  A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.\r\n\r\nType 2 is an elevated token with no privileges removed or groups disabled.  An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator.  An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.\r\n\r\nType 3 is a limited token with administrative privileges removed and administrative groups disabled.  The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.","Source":"Microsoft-Windows-Security-Auditing","ReplacementStrings":["S-1-5-18","VM-C5547227-C4F$","WORKGROUP","0x3e7","0x1590","C:\\Windows\\System32\\wbem\\WMIC.exe","%%1936","0x1120","","S-1-0-0","-","-","0x0","C:\\bosh\\bosh-agent.exe","S-1-16-16384"],"InstanceId":4688,"TimeGenerated":"\/Date(1657578421000)\/","TimeWritten":"\/Date(1657578421000)\/","UserName":null,"Site":null,"Container":null}

Known Issues

TAS for VMs [Windows] v2.11 includes the following known issues:

Upgrades Fail When the Stemcell Does Not Change

If you upgrade to a version of TAS for VMs [Windows] that uses the same stemcell, TAS for VMs [Windows] can fail to create containers, causing the deployment to fail. If there are stemcell changes or if the Microsoft base layer changes, this error is unlikely to occur.

For more information, see Failure to create containers when upgrading with shared Microsoft base image in the VMware Tanzu Knowledge Base.

Smoke Tests Fail When Isolation Segment is Deployed

The Smoke Test errand runs extra, failing tests when TAS for VMs [Windows] is deployed with Isolation Segment. They are “Compute isolation disabled” and “Application Workflow Linux Applications”.

To work around this issue, disable Smoke Tests. For more information, see Windows Tile smoke-tests fails for isolation segment segments in the VMware Tanzu Knowledge Base.

Windows Stemcell v2019.44 is Incompatible with winfs2019-release v2.33.1 and Earlier

Windows stemcells v2019.44 and later include a newer version of tar that is incompatible with winfs2019-release v2.33.1 and earlier. TAS for VMs [Windows] deployments that use Windows stemcells v2019.44 and later cannot untar winfs2019-release v2.33.1 and earlier. Compatible Windows stemcells for winfs2019-release v2.33.1 and earlier include v2019.0 through v2019.43.

Windows Stemcells Without Git Installed Cause VSC Stamping Failures

If Git is not installed either on your Windows stemcell or in the PATH environment variable for your Windows stemcell when you deploy TAS for VMs [Windows] v2.11.20, you may see the following error:

Stderr:   Use -buildvcs=false to disable VCS stamping.

This occurs because some TAS for VMs [Windows] v2.11.20 use Go v1.18, which embeds VSC information in binaries. As a result, releases that contain .git files require that Git is installed either on your Windows stemcell or in the PATH for your Windows stemcell. If you do not have Git installed in either location and have not set the buildvcs property to false, Go v1.18 fails to build the release.

TAS for VMs [Windows] v2.11.20 contains windows2019fs-release. Because windows2019fs-release contains .git files, deployments of TAS for VMs [Windows] v2.11.20 using Windows stemcells that do not have Git installed on them or in their PATH fail with the VSC stamping error above.