Isolation Segment v2.12 Release Notes

This topic contains release notes for Isolation Segment v2.12.

Because VMware uses the Percona Distribution for MySQL, expect a time lag between Oracle releasing a MySQL patch and VMware releasing TAS for VMs containing that patch.


Releases

2.12.7

Release Date: 04/20/2022

Component               Version    Release Notes
ubuntu-xenial stemcell  621.224
bpm                     1.1.16
cf-networking           3.3.0
cflinuxfs3              0.285.0
diego                   2.62.0
garden-runc             1.20.3
haproxy                 11.6.0
loggregator-agent       6.3.11
    v6.3.11
      - fix bug with large messages (#89)
      - bump-golang to v0.100.0 (now 1.18)
mapfs                   1.2.6
metrics-discovery       3.0.10
    v3.0.10
      - fix bug with large messages (#22)
      - bump-golang to v0.100.0 (now 1.18)
nfs-volume              7.1.1
routing                 0.231.0
silk                    3.3.0
smb-volume              3.1.0
smoke-tests             4.5.0
syslog                  11.7.7

2.12.6

Release Date: 03/31/2022

  • [Security Fix] This release fixes CVE-2022-23806 and CVE-2022-23772.
  • [Bug Fix] Resolves an issue that caused tcp-router to repeatedly respawn haproxy until it hit the forked-process limit.
  • [Bug Fix] Resolves an issue where invalid seeded router group values caused breaking changes.
  • [Bug Fix] Removes the x509ignoreCN option from Gorouter.
  • Bump cf-networking to version 3.3.0
  • Bump cflinuxfs3 to version 0.279.0
  • Bump diego to version 2.61.0
  • Bump garden-runc to version 1.20.3
  • Bump loggregator-agent to version 6.3.10
  • Bump metrics-discovery to version 3.0.9
  • Bump routing to version 0.231.0
  • Bump silk to version 3.3.0
Component               Version    Release Notes
ubuntu-xenial stemcell  621.224
bpm                     1.1.16
cf-networking           3.3.0
cflinuxfs3              0.279.0
diego                   2.61.0
garden-runc             1.20.3
haproxy                 11.6.0
loggregator-agent       6.3.10
mapfs                   1.2.6
metrics-discovery       3.0.9
nfs-volume              7.1.1
routing                 0.231.0    (release notes for 0.231.0 and 0.230.0 follow)
    0.231.0
      ## Bug Fixes
      - Removed the x509ignoreCN property. Now that `gorouter` is built on golang 1.17, it
        no longer has any effect on gorouter behavior, and was only adding to confusion in
        the properties
      - Resolve an issue with route-registrar using the same TTL as its RegistrationInterval
        for tcp routes, leading to unnecessary churn of pruned + re-registered routes.
      - Resolve an issue with Routing API where upserts to tcp routes were causing change
        events to be emitted when the only change was a bump in TTL. This led to an issue
        where tcp-router was constantly reloading haproxy with every route's heartbeat
        registration call.
      ## Manifest Property Changes
      | Job | Property | 0.230.0 | 0.231.0 |
      | --- | --- | --- | --- |
      | `gorouter` | `golang.x509ignoreCN` | false | No longer exists |
      | `route_registrar` | `golang.x509ignoreCN` | false | No longer exists |
      | `tcp_router` | `golang.x509ignoreCN` | false | No longer exists |
      ### ✨ Built with golang 1.17.8
      **Full Changelog**: https://github.com/cloudfoundry/routing-release/compare/0.230.0...0.231.0
    0.230.0
      ## Feature
      * update gorouter for prometheus scraping by @Benjamintf1 in https://github.com/cloudfoundry/routing-release/pull/258
      ## Bug Fix
      * Invalid seeded router group manifest values should no longer cause breaking changes by default by @ameowlia in https://github.com/cloudfoundry/routing-release/pull/261
      ### ✨ Built with golang 1.17.7
      **Full Changelog**: https://github.com/cloudfoundry/routing-release/compare/0.229.0...0.230.0
silk                    3.3.0
smb-volume              3.1.0
smoke-tests             4.5.0
syslog                  11.7.7

2.12.5

Release Date: 02/28/2022

  • [Feature Improvement] Due to routing-release now being built with Golang 1.17, all certificates provided MUST contain SAN entries on them. The previous workaround of setting “Enable temporary workaround for certs without SANs” will no longer function.
  • [Feature Improvement] Per Golang 1.17’s stricter IP parsing standards, any IP address with leading zeros in any octet results in a BOSH template failure, so that operators can remove the leading zeros and try again (affects properties fed into diego-release, garden-runc-release, winc-release, nats-release, and routing-release).
  • [Bug Fix] Fixes an issue related to the parsing of the X-B3-TraceId and X-B3-SpanId HTTP headers.
  • [Bug Fix] Smoke tests support the TLS v1.3-only option.
  • Bump cflinuxfs3 to version 0.274.0
  • Bump diego to version 2.58.1
  • Bump garden-runc to version 1.20.0
  • Bump loggregator-agent to version 6.3.8
  • Bump metrics-discovery to version 3.0.8
  • Bump routing to version 0.229.0
  • Bump smoke-tests to version 4.5.0
Component               Version
ubuntu-xenial stemcell  621.211
bpm                     1.1.16
cf-networking           2.43.0
cflinuxfs3              0.274.0
diego                   2.58.1
garden-runc             1.20.0
haproxy                 11.6.0
loggregator-agent       6.3.8
mapfs                   1.2.6
metrics-discovery       3.0.8
nfs-volume              7.1.1
routing                 0.229.0
silk                    2.43.0
smb-volume              3.1.0
smoke-tests             4.5.0
syslog                  11.7.7

2.12.4

Release Date: 02/07/2022

Note: This version of TAS for VMs contains a known issue that can cause application traces to break. See Gorouter Sets an Invalid X-B3-SpanID Header in Known Issues.

  • [Security Fix] Bump routing release to v0.228.0 to address CVE-2021-44716
  • [Feature Improvement] Golang v1.17 contains stricter IP parsing standards, so IP addresses with leading zeros in any octet cause a BOSH template failure. Operators can remove the leading zeros and try deploying again. This affects properties that feed into cf-networking-release, silk-release, loggregator-agent-release, and syslog-release. Syslog drains and metric registrar endpoints registered using user-provided services might also be affected.
  • Bump bpm to version 1.1.16
  • Bump cf-networking to version 2.43.0
  • Bump cflinuxfs3 to version 0.272.0
  • Bump diego to version 2.57.0
  • Bump loggregator-agent to version 6.3.7
  • Bump metrics-discovery to version 3.0.7
  • Bump routing to version 0.228.0
  • Bump silk to version 2.43.0
  • Bump smoke-tests to version 4.4.0
  • Bump syslog to version 11.7.7
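
The leading-zero rule in this release (and the matching note under v2.12.5) is easy to check before a deploy rather than after a failed BOSH template render. The Go program below is an added example, not code from VMware or from any of the named BOSH releases; it runs the same net.ParseIP check that Go 1.17 and later apply, reports every offending value, and suggests the corrected form. The property names it walks are made-up placeholders, not real tile properties.

```go
package main

import (
	"fmt"
	"net"
	"regexp"
	"sort"
	"strings"
)

// leadingZeroOctet matches an IPv4 octet that starts with "0" and has more
// digits after it (e.g. the "010" in "010.0.0.1"); a lone "0" octet is fine.
var leadingZeroOctet = regexp.MustCompile(`(^|\.)0\d`)

// Finding is one property value that strict (Go 1.17+) IP parsing rejects.
type Finding struct {
	Property string
	Value    string
	Reason   string
}

// CheckIPProperties walks a flat property-name -> value map (the shape an
// operator might pull out of an exported tile config; the property names are
// hypothetical) and reports every value, or comma-separated list element, that
// net.ParseIP rejects. Since Go 1.17 that includes dotted quads with leading
// zeros, which older Go versions accepted silently.
func CheckIPProperties(props map[string]string) []Finding {
	names := make([]string, 0, len(props))
	for n := range props {
		names = append(names, n)
	}
	sort.Strings(names) // deterministic report order
	var findings []Finding
	for _, name := range names {
		for _, v := range strings.Split(props[name], ",") {
			v = strings.TrimSpace(v)
			if v == "" || net.ParseIP(v) != nil {
				continue
			}
			reason := "not a valid IP address under strict parsing"
			if leadingZeroOctet.MatchString(v) {
				reason = "IPv4 octet has a leading zero"
			}
			findings = append(findings, Finding{Property: name, Value: v, Reason: reason})
		}
	}
	return findings
}

// StripLeadingZeros removes leading zeros from each octet of a dotted quad,
// the correction the release notes ask operators to make. Values that
// leadingZeroOctet does not match (including IPv6 text) are returned unchanged.
func StripLeadingZeros(ip string) string {
	if !leadingZeroOctet.MatchString(ip) {
		return ip
	}
	parts := strings.Split(ip, ".")
	for i, p := range parts {
		if t := strings.TrimLeft(p, "0"); t != "" {
			parts[i] = t
		} else {
			parts[i] = "0"
		}
	}
	return strings.Join(parts, ".")
}

func main() {
	// Constructed sample values; not taken from any real deployment.
	props := map[string]string{
		"dns_servers":   "010.0.0.2, 10.0.0.3",
		"nats_machines": "10.0.1.05",
		"ntp_server":    "10.0.0.1",
		"ipv6_peer":     "2001:db8::1",
	}
	for _, f := range CheckIPProperties(props) {
		fmt.Printf("%s=%q: %s", f.Property, f.Value, f.Reason)
		if fixed := StripLeadingZeros(f.Value); fixed != f.Value {
			fmt.Printf(" (use %q)", fixed)
		}
		fmt.Println()
	}
}
```

Run it with a Go toolchain of 1.17 or newer, since that is the version whose parser rejects the leading zeros; on an older toolchain every value passes and the check proves nothing.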

Component               Version
ubuntu-xenial stemcell  621.198
bpm                     1.1.16
cf-networking           2.43.0
cflinuxfs3              0.272.0
diego                   2.57.0
garden-runc             1.19.30
haproxy                 11.6.0
loggregator-agent       6.3.7
mapfs                   1.2.6
metrics-discovery       3.0.7
nfs-volume              7.1.1
routing                 0.228.0
silk                    2.43.0
smb-volume              3.1.0
smoke-tests             4.4.0
syslog                  11.7.7

2.12.3

Release Date: 12/15/2021

Note: This version of TAS for VMs contains a known issue that can cause application traces to break. See Gorouter Sets an Invalid X-B3-SpanID Header in Known Issues.

  • [Bug Fix] Fixes the “pre-start scripts failed. Failed Jobs: policy-server” error when upgrading to CF Networking Release 2.40.0.
  • [Bug Fix] Diego: Envoy v1.19 uses the original TCP connection pool so that it can accept more than 1024 downstream connections.
  • [Bug Fix] Smoke tests use the specified domain for isolation segments.
  • Bump cf-networking to version 2.42.0
  • Bump cflinuxfs3 to version 0.268.0
  • Bump diego to version 2.54.0
  • Bump loggregator-agent to version 6.3.5
  • Bump routing to version 0.227.0
  • Bump silk to version 2.41.0
  • Bump smoke-tests to version 4.3.1
  • Bump syslog to version 11.7.6
Component               Version
ubuntu-xenial stemcell  ~621
bpm                     1.1.15
cf-networking           2.42.0
cflinuxfs3              0.268.0
diego                   2.54.0
garden-runc             1.19.30
haproxy                 11.6.0
loggregator-agent       6.3.5
mapfs                   1.2.6
metrics-discovery       3.0.6
nfs-volume              7.1.1
routing                 0.227.0
silk                    2.41.0
smb-volume              3.1.0
smoke-tests             4.3.1
syslog                  11.7.6

2.12.2

Release Date: 11/23/2021

  • [Feature Improvement] Enable HTTP/2 for HAProxy
  • [Bug Fix] Breaking Change: Any customers with gorouter certificates lacking a SubjectAltName extension will experience failures upon deployment. As a workaround to complete deployment while new certificates are procured, enable the “Enable temporary workaround for certs without SANs” property in the Networking section of the TAS tile. For more information on updating certs, see https://community.pivotal.io/s/article/Routing-and-golang-1-15-X-509-CommonName-deprecation?language=en_US
  • Bump bpm to version 1.1.15
  • Bump cf-networking to version 2.40.0
  • Bump cflinuxfs3 to version 0.264.0
  • Bump diego to version 2.53.1
  • Bump haproxy to version 11.6.0
  • Bump routing to version 0.226.0
  • Bump silk to version 2.40.0
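
A quick way to find out whether a certificate will survive this change (and the hard requirement noted under v2.12.5 once the workaround is gone) is to inspect its SAN extension and run Go's own hostname verification against it, since that is exactly what a Go 1.17-built Gorouter does. The program below is an added example, not VMware or routing-release code; it mints two throwaway self-signed certificates, one with a SAN and one with only a Common Name, and shows that only the first passes. The names api.sys.example.com and *.sys.example.com are made up, and HasSANsPEM is the function you would point at a real PEM file.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// selfSigned issues a throwaway self-signed certificate with the given Common
// Name and SAN DNS names (nil = legacy CN-only certificate). Demo key only.
func selfSigned(cn string, sans []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		DNSNames:              sans,
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// HasSANs reports whether the certificate carries any Subject Alternative
// Name entry; Go 1.15+ matches hostnames only against these, never the CN.
func HasSANs(c *x509.Certificate) bool {
	return len(c.DNSNames)+len(c.IPAddresses)+len(c.EmailAddresses)+len(c.URIs) > 0
}

// HasSANsPEM is the same check over a PEM-encoded certificate, the form an
// operator usually has the Gorouter certificate in.
func HasSANsPEM(pemBytes []byte) (bool, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return false, errors.New("no CERTIFICATE block found")
	}
	c, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return false, err
	}
	return HasSANs(c), nil
}

// VerifiesFor performs the hostname verification a Go 1.17-built client does,
// trusting the certificate as its own root so that only the name check can fail.
func VerifiesFor(c *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(c)
	_, err := c.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return err
}

func main() {
	// Constructed example names; not a real TAS system domain.
	host := "api.sys.example.com"
	withSAN, err := selfSigned("*.sys.example.com", []string{"*.sys.example.com"})
	if err != nil {
		panic(err)
	}
	cnOnly, err := selfSigned(host, nil)
	if err != nil {
		panic(err)
	}
	for _, c := range []*x509.Certificate{withSAN, cnOnly} {
		fmt.Printf("CN=%q SANs=%v verify(%s): %v\n",
			c.Subject.CommonName, HasSANs(c), host, VerifiesFor(c, host))
	}
}
```

The CN-only certificate fails with an x509 HostnameError even though its CN matches the host exactly; that is the failure operators see at deploy time, and the fix is a reissued certificate whose SAN list covers every hostname the Gorouter serves.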
Component               Version
ubuntu-xenial stemcell  621.0
bpm                     1.1.15
cf-networking           2.40.0
cflinuxfs3              0.264.0
diego                   2.53.1
garden-runc             1.19.30
haproxy                 11.6.0
loggregator-agent       6.3.4
mapfs                   1.2.6
metrics-discovery       3.0.6
nfs-volume              7.1.1
routing                 0.226.0
silk                    2.40.0
smb-volume              3.1.0
smoke-tests             4.3.0
syslog                  11.7.5

2.12.1

Release Date: 10/20/2021

  • [Feature Improvement] HTTP/2 toggle disables Diego container proxy ALPN
  • Bump bpm to version 1.1.14
  • Bump cflinuxfs3 to version 0.262.0
Component               Version
ubuntu-xenial stemcell  621.0
bpm                     1.1.14
cf-networking           2.38.0
cflinuxfs3              0.262.0
diego                   2.53.0
garden-runc             1.19.30
haproxy                 11.4.4
loggregator-agent       6.3.4
mapfs                   1.2.6
metrics-discovery       3.0.6
nfs-volume              7.1.1
routing                 0.224.0
silk                    2.38.0
smb-volume              3.1.0
smoke-tests             4.3.0
syslog                  11.7.5

2.12.0

Release Date: October 4, 2021

Component               Version
ubuntu-xenial stemcell  621.0
bpm                     1.1.13
cf-networking           2.38.0
cflinuxfs3              0.259.0
diego                   2.53.0
garden-runc             1.19.30
haproxy                 11.4.4
loggregator-agent       6.3.4
mapfs                   1.2.6
metrics-discovery       3.0.6
nfs-volume              7.1.1
routing                 0.224.0
silk                    2.38.0
smb-volume              3.1.0
smoke-tests             4.3.0
syslog                  11.7.5

About Isolation Segment

The Isolation Segment v2.12 tile is available for installation with Ops Manager v2.10.

Isolation segments provide dedicated pools of resources where you can deploy apps and isolate workloads. Using isolation segments separates app resources as completely as if they were in different deployments but avoids redundant management and network complexity. For more information about isolation segments, see Isolation Segments in TAS for VMs Security.

For more information about using isolation segments in your deployment, see Managing Isolation Segments.

How to Install

To install Isolation Segment v2.12, see Installing Isolation Segment.

To install Isolation Segment v2.12, you must first install Ops Manager v2.10. For more information, see the Ops Manager documentation.

New Features in Isolation Segment v2.12

Isolation Segment v2.12 includes the following major features:

Gorouter Supports TLS v1.3

In Isolation Segment v2.12, the Gorouter supports TLS v1.3. New installations of Isolation Segment use TLS v1.3 for the Gorouter by default. If you are upgrading to Isolation Segment v2.12, the Gorouter uses TLS v1.2 by default.

You can select which versions of TLS that the Gorouter uses when you configure Isolation Segment. Selecting support for TLS v1.3 only is a beta feature in Isolation Segment v2.12.

For more information, see (Beta) Gorouter Can Support TLS v1.3 Connections Only in the Breaking Changes section.

Gorouter Supports HTTP/2

Breaking Change: See Envoy Advertises HTTP/2 Support Over ALPN in the Breaking Changes section.

In TAS for VMs v2.12 and later, HTTP/2 support is enabled by default. HTTP/2 is the second major version of the HTTP protocol.

HTTP/2 features the following improvements over HTTP/1.1:

  • Uses a binary data format instead of plain text
  • Compresses headers
  • Multiplexes multiple HTTP requests over a single TCP connection

Together, these improvements can improve response times for some apps.

For more information about the HTTP/2 protocol, see RFC 7540.

For information about configuring support for HTTP/2 in TAS for VMs, see Configuring HTTP/2 Support.

For information about routing HTTP/2 traffic to your TAS for VMs apps, see Routing HTTP/2 and gRPC Traffic to Apps.

Breaking Changes

Isolation Segment v2.12 includes the following breaking changes:

(Beta) Gorouter Can Support TLS v1.3 Connections Only

TLS v1.3 is not compatible with some versions of Java. If you configure Isolation Segment to support TLS v1.3 only, you might encounter errors with Java apps. For more information, see JSSE Client does not accept status_request extension in CertificateRequest messages for TLS 1.3 in the JDK Bug System.

The tile property that controls the TLS version in Isolation Segment changes in TAS for VMs v2.12. You must update any stored configuration files to reflect the change.

Envoy Advertises HTTP/2 Support Over ALPN

Envoy, the Diego container proxy, advertises HTTP/2 support using Application-Layer Protocol Negotiation (ALPN) for all apps. Internal clients that access the Envoy TLS port directly must negotiate down to HTTP/1.1 for apps that do not support HTTP/2. The Envoy TLS port is typically 61001. Clients that connect to apps using the Gorouter are not affected.

Gorouter No Longer De-chunks Short Chunked Responses

In previous versions of TAS for VMs, the Gorouter de-chunked short chunked responses, set a Content-Length header, and sent a traditional body. This capability was available when Gorouter used Golang v1.15, which is out of support.

For versions of TAS for VMs that contain routing-release v0.214.0 and later, the Gorouter uses Golang v1.16 which sends a chunked response. If your clients or proxies that access apps cannot handle a chunked response, or expect a Content-Length header, they break.

For more information, see Clients receive responses with no Content-Length header and a chunked encoded body after upgrading Tanzu Application Service for VMs in the Knowledge Base.
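
The change is easier to reason about with both framings side by side. The Go program below is an added example, not Gorouter or VMware code; it stands up a local test server with one endpoint that streams (so the response goes out chunked with no Content-Length, the shape the Gorouter now passes through) and one that returns a short fixed body (the shape older Gorouters produced by de-chunking), and shows a client that reads both correctly because it consumes the body to its end instead of trusting a Content-Length header.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// Framing describes how a response body was delimited on the wire.
type Framing struct {
	Chunked       bool
	ContentLength int64 // -1 when unknown, which is what a chunked response reports
	Body          string
}

// Fetch reads a response completely regardless of framing: io.ReadAll reads
// until the chunked terminator or until Content-Length bytes have arrived, so
// a client written this way is not broken by chunked bodies passing through.
func Fetch(url string) (Framing, error) {
	resp, err := http.Get(url)
	if err != nil {
		return Framing{}, err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	if err != nil {
		return Framing{}, err
	}
	chunked := false
	for _, te := range resp.TransferEncoding {
		if te == "chunked" {
			chunked = true
		}
	}
	return Framing{Chunked: chunked, ContentLength: resp.ContentLength, Body: string(body)}, nil
}

// chunkedHandler simulates an app that streams: flushing after the first write
// forces HTTP/1.1 chunked transfer-encoding with no Content-Length header.
func chunkedHandler(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "text/plain")
	fmt.Fprint(w, "hello, ")
	if f, ok := w.(http.Flusher); ok {
		f.Flush()
	}
	fmt.Fprint(w, "world")
}

// fixedHandler writes a short body and returns; Go's server buffers it and
// adds a Content-Length header itself.
func fixedHandler(w http.ResponseWriter, r *http.Request) {
	fmt.Fprint(w, "hello, world")
}

// NewDemoServer returns a local test server exposing both endpoints.
func NewDemoServer() *httptest.Server {
	mux := http.NewServeMux()
	mux.HandleFunc("/chunked", chunkedHandler)
	mux.HandleFunc("/fixed", fixedHandler)
	return httptest.NewServer(mux)
}

func main() {
	srv := NewDemoServer()
	defer srv.Close()
	for _, path := range []string{"/chunked", "/fixed"} {
		f, err := Fetch(srv.URL + path)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%s: chunked=%v content-length=%d body=%q\n", path, f.Chunked, f.ContentLength, f.Body)
	}
}
```

A client or intermediary that only works for the /fixed shape (for example, one that pre-allocates a buffer from Content-Length or treats -1 as an empty body) is the kind that breaks after the upgrade; pointing it at an app through the Gorouter and checking which framing comes back is a cheap way to find out before users do.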

Known Issues

Isolation Segment v2.12 includes the following known issue:

HAProxy Does Not Support HTTP/2

HAProxy is not configured to support HTTP/2 ingress traffic. HAProxy also does not send HTTP/2 traffic to the Gorouter, even when HTTP/2 is enabled.

To work around this issue, you can use an external load balancer to support HTTP/2 traffic. For more information, see Configure Load Balancers in Configuring HTTP/2 Support.

This issue is resolved in TAS for VMs v2.12.2 and later.

Gorouter Sets an Invalid X-B3-SpanID Header

An issue with the Gorouter’s implementation of X-B3-SpanId and X-B3-TraceId headers can cause invalid span IDs to be set after updating the X-B3-TraceId header to the new 16-byte standard. As a result, some applications and libraries invalidate the X-B3-SpanId value, breaking traces of the application.

This issue affects versions of TAS for VMs that contain routing-release v0.227.0 and v0.228.0.
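
Apps and internal proxies can detect the malformed headers this issue produces before a tracing library silently drops the span. The Go snippet below is an added example, not Gorouter or VMware code; it validates X-B3-TraceId and X-B3-SpanId against the B3 encoding (trace IDs of 16 or 32 lower-hex characters, span IDs of exactly 16) and reports anything else, which is how the symptom described above shows up at the application edge. The trace and span ID values in it are constructed samples, and Middleware is a hypothetical wrapper you would place in front of your own handlers.

```go
package main

import (
	"fmt"
	"net/http"
	"regexp"
)

// B3 encodes IDs as lower-hex: a TraceId is 64-bit (16 chars) or 128-bit
// (32 chars); a SpanId is always 64-bit (16 chars).
var (
	traceIDRe = regexp.MustCompile(`^([0-9a-f]{16}|[0-9a-f]{32})$`)
	spanIDRe  = regexp.MustCompile(`^[0-9a-f]{16}$`)
)

// Problem is one finding about a request's B3 headers.
type Problem struct {
	Header string
	Value  string
	Why    string
}

// CheckB3 validates X-B3-TraceId and X-B3-SpanId on an inbound request. A
// 32-character span ID is the kind of value a tracing library discards, which
// breaks the trace for that request; it is called out with its own reason.
func CheckB3(h http.Header) []Problem {
	var out []Problem
	trace := h.Get("X-B3-TraceId")
	span := h.Get("X-B3-SpanId")
	if trace != "" && !traceIDRe.MatchString(trace) {
		out = append(out, Problem{"X-B3-TraceId", trace, "must be 16 or 32 lower-hex chars"})
	}
	if span != "" && !spanIDRe.MatchString(span) {
		why := "must be exactly 16 lower-hex chars"
		if len(span) == 32 && traceIDRe.MatchString(span) {
			why = "is 128-bit; span IDs are always 64-bit"
		}
		out = append(out, Problem{"X-B3-SpanId", span, why})
	}
	if span != "" && trace == "" {
		out = append(out, Problem{"X-B3-SpanId", span, "present without X-B3-TraceId"})
	}
	return out
}

// Middleware (hypothetical) wraps a handler and logs malformed B3 headers via
// logf (e.g. log.Printf). It never blocks the request: tracing is best-effort,
// and the point is visibility, not enforcement.
func Middleware(logf func(string, ...interface{}), next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		for _, p := range CheckB3(r.Header) {
			logf("b3: %s=%q %s (remote=%s)", p.Header, p.Value, p.Why, r.RemoteAddr)
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	// Constructed request headers; the IDs are sample values, not real traces.
	h := http.Header{}
	h.Set("X-B3-TraceId", "463ac35c9f6413ad48485a3953bb6124")
	h.Set("X-B3-SpanId", "463ac35c9f6413ad48485a3953bb6124") // 128-bit span ID: invalid
	for _, p := range CheckB3(h) {
		fmt.Printf("%s=%q %s\n", p.Header, p.Value, p.Why)
	}
}
```

A steady stream of "is 128-bit" findings from requests that arrived via the Gorouter, on a deployment running one of the two affected routing-release versions, is the signature of this issue; once the fix in v2.12.5 is applied the findings should stop.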