VMware Tanzu Application Service for VMs v2.13 Release Notes


This topic contains release notes for VMware Tanzu Application Service for VMs (TAS for VMs) v2.13.

TAS for VMs is certified by the Cloud Foundry Foundation for 2022.

For more information about the Cloud Foundry Certified Provider Program, see How Do I Become a Certified Provider? on the Cloud Foundry website.

Because VMware uses the Percona Distribution for MySQL, expect a time lag between Oracle releasing a MySQL patch and VMware releasing TAS for VMs containing that patch.

Required Cloud Foundry Command-Line Interface (cf CLI) version: You must install cf CLI v7 or cf CLI v8 when upgrading to or using TAS for VMs v2.13.

For more information, see Upgrading to cf CLI v7 and Upgrading to cf CLI v8.


Releases

2.13.6

Release Date: 06/24/2022

Warning: Upcoming reduction in maintenance and security release coverage
In future patches, no sooner than July 1st 2022, some TAS components will become more strict about the protocols used in TLS communications, causing integrations with systems using older, insecure protocols to fail. Specifically, components that use Go will no longer support TLS 1.0 or 1.1, or certificates using SHA-1. Use supported TLS protocols to avoid breaking changes and continue receiving maintenance and security releases.

  • Bump diego to version 2.62.0
Component Version
ubuntu-xenial stemcell 621.244
backup-and-restore-sdk 1.18.42
binary-offline-buildpack 1.0.45
bosh-dns-aliases 0.0.4
bosh-system-metrics-forwarder 0.0.22
bpm 1.1.18
capi 1.127.2
cf-autoscaling 249.0.7
cf-cli 1.38.0
cf-networking 3.6.0
cflinuxfs3 0.301.0
credhub 2.12.4
diego 2.62.0
dotnet-core-offline-buildpack 2.3.42
garden-runc 1.20.6
go-offline-buildpack 1.9.46
haproxy 11.10.2
java-offline-buildpack 4.49
log-cache 2.11.11
loggregator 106.6.7
loggregator-agent 6.4.1
mapfs 1.2.6
metric-registrar 1.2.6
metrics-discovery 3.0.13
mysql-monitoring 9.15.0
nats 44
nfs-volume 7.1.1
nginx-offline-buildpack 1.1.38
nodejs-offline-buildpack 1.7.70
notifications 62
notifications-ui 40
php-offline-buildpack 4.4.61
push-apps-manager-release 676.0.2
push-offline-docs-release 1.0.94
push-usage-service-release 674.0.24
pxc 0.41.0
python-offline-buildpack 1.7.54
r-offline-buildpack 1.1.29
routing 0.233.0
ruby-offline-buildpack 1.8.54
silk 3.6.0
smb-volume 3.1.0
smoke-tests 4.5.0
staticfile-offline-buildpack 1.5.30
statsd-injector 1.11.19
syslog 11.7.10
system-metrics-scraper 3.2.5
uaa 74.5.41

2.13.5

Release Date: 06/09/2022

Warning: Breaking change
This version contains Diego 2.64.0, which bumps to Go 1.18. Go 1.18 no longer supports TLS 1.0 and 1.1 connections or certificates with a SHA-1 checksum. This is most likely to affect connections with external databases. We stated earlier that we wouldn’t bump to Go 1.18 until July 1, 2022. This TAS release with Diego 2.64.0 breaks that promise. We apologize. We are rolling back to Diego 2.62.0. If you already successfully deployed to this TAS release with Diego 2.64.0, then you are safe to continue using it.

  • [Security Fix] Added Content-Security-Policy headers in UAA responses
  • [Bug Fix] Fix metric registrar secure scraping with isolation segments
  • [Bug Fix] Resolves an issue with Dynamic ASGs and ASGs containing ‘ICMP any’ rules causing apps not to start
  • [Bug Fix] Sticky sessions no longer break when used with route-services that return HTTP 4xx/5xx responses
  • [Breaking Change] Syslog drains configured to use TLS now reject certificates signed with the SHA-1 hash function.
  • [Bug Fix/Improvement] Stop emitting debug metrics for agents and log-cache by default. Reduces load on logging system by >=720 metrics per vm per minute
  • Bump backup-and-restore-sdk to version 1.18.42
  • Bump binary-offline-buildpack to version 1.0.45
  • Bump bosh-system-metrics-forwarder to version 0.0.22
  • Bump bpm to version 1.1.18
  • Bump capi to version 1.127.2
  • Bump cf-autoscaling to version 249.0.7
  • Bump cf-networking to version 3.6.0
  • Bump cflinuxfs3 to version 0.301.0
  • Bump diego to version 2.64.0
  • Bump dotnet-core-offline-buildpack to version 2.3.42
  • Bump garden-runc to version 1.20.6
  • Bump go-offline-buildpack to version 1.9.46
  • Bump haproxy to version 11.10.2
  • Bump java-offline-buildpack to version 4.49
  • Bump log-cache to version 2.11.11
  • Bump loggregator to version 106.6.7
  • Bump loggregator-agent to version 6.4.1
  • Bump metric-registrar to version 1.2.6
  • Bump metrics-discovery to version 3.0.13
  • Bump nats to version 44
  • Bump nginx-offline-buildpack to version 1.1.38
  • Bump nodejs-offline-buildpack to version 1.7.70
  • Bump php-offline-buildpack to version 4.4.61
  • Bump push-apps-manager-release to version 676.0.2
  • Bump push-offline-docs-release to version 1.0.94
  • Bump push-usage-service-release to version 674.0.24
  • Bump python-offline-buildpack to version 1.7.54
  • Bump r-offline-buildpack to version 1.1.29
  • Bump routing to version 0.233.0
  • Bump ruby-offline-buildpack to version 1.8.54
  • Bump silk to version 3.6.0
  • Bump staticfile-offline-buildpack to version 1.5.30
  • Bump statsd-injector to version 1.11.19
  • Bump syslog to version 11.7.10
  • Bump system-metrics-scraper to version 3.2.5
  • Bump uaa to version 74.5.41
Component Version Release Notes
ubuntu-xenial stemcell 621.244
backup-and-restore-sdk 1.18.42
binary-offline-buildpack 1.0.45
bosh-dns-aliases 0.0.4
bosh-system-metrics-forwarder 0.0.22
bpm 1.1.18
capi 1.127.2
cf-autoscaling 249.0.7
cf-cli 1.38.0
cf-networking 3.6.0
cflinuxfs3 0.301.0
credhub 2.12.4
diego 2.64.0
dotnet-core-offline-buildpack 2.3.42
garden-runc 1.20.6
go-offline-buildpack 1.9.46
haproxy 11.10.2
java-offline-buildpack 4.49
log-cache 2.11.11
loggregator 106.6.7
loggregator-agent 6.4.1
mapfs 1.2.6
metric-registrar 1.2.6
metrics-discovery 3.0.13
mysql-monitoring 9.15.0
nats 44
nfs-volume 7.1.1
nginx-offline-buildpack 1.1.38
nodejs-offline-buildpack 1.7.70
notifications 62
notifications-ui 40
php-offline-buildpack 4.4.61
push-apps-manager-release 676.0.2
push-offline-docs-release 1.0.94
push-usage-service-release 674.0.24
pxc 0.41.0
python-offline-buildpack 1.7.54
r-offline-buildpack 1.1.29
routing 0.233.0
0.233.0
  ## What's Changed
  * TCP Router: Add locking to the haproxy_reloader script to avoid haproxy reload/restart race conditions by @geofffranks in https://github.com/cloudfoundry/routing-release/pull/269
  * TCP Router: Bump HAProxy from 1.8.13 to 2.5.4 by @cunnie in https://github.com/cloudfoundry/routing-release/pull/266
  * Gorouter: fix proxy round tripper race condition by @ameowlia and @geofffranks in https://github.com/cloudfoundry/gorouter/pull/318
  * Routing API: fix timestamp precision issue that caused routes to be pruned unexpectedly by @geofffranks in https://github.com/cloudfoundry/routing-api/pull/24
  * Routing API: remove `golang.x509ignoreCN` bosh property by @geofffranks and @mariash
  * Routing API: fix bug that caused TCP Router's HAProxy to reload every minute by @jrussett in https://github.com/cloudfoundry/routing-api/pull/26.
  ## Manifest Property Changes
  | Job | Property  | Notes |
  | --- | --- | --- |
  | `routing-api` | `golang.x509ignoreCN` | This property exposed a go debug flag for go version 1.15. Since go 1.16 this go debug flag has had no effect. Removing this bosh property is part of our effort to keep our code base free of cruft. |
  ## ✨  Built with go 1.17.10
  **Full Changelog**: https://github.com/cloudfoundry/routing-release/compare/0.232.0...0.233.0
          
0.232.0
  ## What's Changed
  * Fixing issue #250: Return a 503 not a 404 when all instances down by @kecirlotfi in https://github.com/cloudfoundry/routing-release/pull/268 and https://github.com/cloudfoundry/gorouter/pull/314
  * Fixing issue https://github.com/cloudfoundry/gorouter/pull/315: Fix route service pruning by @geofffranks
  ## Manifest Property Changes
  | Job | Property | default | notes |
  | --- | --- | --- | --- |
  | `gorouter` | `for_backwards_compatibility_only.empty_pool_response_code_503` | `0s` | This property was added to enable https://github.com/cloudfoundry/routing-release/pull/268 |
  ## New Contributors 🎉
  * @kecirlotfi made their first contribution! Thanks so much!
  ## ✨  Built with go 1.17.9
  **Full Changelog**: https://github.com/cloudfoundry/routing-release/compare/0.231.0...0.232.0
          
ruby-offline-buildpack 1.8.54
silk 3.6.0
smb-volume 3.1.0
smoke-tests 4.5.0
staticfile-offline-buildpack 1.5.30
statsd-injector 1.11.19
syslog 11.7.10
system-metrics-scraper 3.2.5
uaa 74.5.41

2.13.4

Release Date: 04/21/2022

Note: This version of TAS for VMs contains a known issue that can cause applications to fail to start after upgrading. For information about resolving this issue, see Apps stop running after a deploy when using dynamic ASGs with icmp any rule in the Knowledge Base.

  • Bump capi to version 1.127.1
  • Bump credhub to version 2.12.4
Component Version Release Notes
ubuntu-xenial stemcell 621.224
backup-and-restore-sdk 1.18.39
binary-offline-buildpack 1.0.43
bosh-dns-aliases 0.0.4
bosh-system-metrics-forwarder 0.0.21
bpm 1.1.16
capi 1.127.1
cf-autoscaling 248
cf-cli 1.38.0
cf-networking 3.3.0
cflinuxfs3 0.285.0
credhub 2.12.4
2.12.4
  ### Security Fixes
  - Bump various dependencies.
          
2.12.3
  ### Security Fixes
  - Bump various dependencies.
          
2.12.1
  ### Security Fixes
  - Bump various dependencies.
          
2.12.0
  ### Security Fixes
  - Bump various dependencies.
  ### Bug Fixes
  - Fixes an issue where CredHub experiences downtime during certificate rotation process by making CredHub properly load concatenated mTLS CA certificates.
  ### Features
  - CredHub is now compatible with Postgres 13, 14.
          
2.11.1
  ### Dependency Bumps
  - Bumps log4j2 to 2.17.1
          
2.11.0
  ### Security Fixes
  - Further addresses [CVE with Log4j library](https://github.com/advisories/GHSA-jfh8-c2jp-5v3q) and [its prior incomplete fix](https://github.com/advisories/GHSA-7rjr-3q55-vv33) by bumping to log4j2 2.16.0.
          
2.10.0
  ### Security Fixes
  - Addresses [CVE with Log4j library](https://github.com/advisories/GHSA-jfh8-c2jp-5v3q)
  ### Features
  - Adds minimum duration server-level configuration fields for leaf and CA certificates: `certificates.leaf_minimum_duration_in_days` and `certificates.ca_minimum_duration_in_days`. When these fields are configured, if a request to generate or regenerate a certificate has a duration lower than the minimum, then the minimum duration is used instead. (https://github.com/cloudfoundry/credhub/pull/201)
          
diego 2.62.0
dotnet-core-offline-buildpack 2.3.41
garden-runc 1.20.3
go-offline-buildpack 1.9.42
haproxy 11.10.1
java-offline-buildpack 4.48.2
log-cache 2.11.5
loggregator 106.6.2
loggregator-agent 6.3.8
mapfs 1.2.6
metric-registrar 1.2.4
metrics-discovery 3.0.8
mysql-monitoring 9.15.0
nats 43
nfs-volume 7.1.1
nginx-offline-buildpack 1.1.37
nodejs-offline-buildpack 1.7.69
notifications 62
notifications-ui 40
php-offline-buildpack 4.4.59
push-apps-manager-release 676.0.1
push-offline-docs-release 1.0.71
push-usage-service-release 674.0.23
pxc 0.41.0
python-offline-buildpack 1.7.53
r-offline-buildpack 1.1.28
routing 0.231.0
ruby-offline-buildpack 1.8.53
silk 3.3.0
smb-volume 3.1.0
smoke-tests 4.5.0
staticfile-offline-buildpack 1.5.29
statsd-injector 1.11.18
syslog 11.7.7
system-metrics-scraper 3.2.4
uaa 74.5.37

2.13.3 - Withdrawn

Warning: This release has been removed from VMware Tanzu Network due to an issue with the version of capi release included in the patch.

Release Date: 04/20/2022

Note: This version of TAS for VMs contains a known issue that can cause applications to fail to start after upgrading. For information about resolving this issue, see Apps stop running after a deploy when using dynamic ASGs with icmp any rule in the Knowledge Base.

  • [Security Fix] This release fixes CVE-2022-23806 and CVE-2022-23772.
  • [Feature Improvement] Add option to configure CC BBR health check timeout
  • Bump backup-and-restore-sdk to version 1.18.39
  • Bump binary-offline-buildpack to version 1.0.43
  • Bump capi to version 1.127.1
  • Bump cflinuxfs3 to version 0.285.0
  • Bump credhub to version 2.12.2
  • Bump diego to version 2.62.0
  • Bump dotnet-core-offline-buildpack to version 2.3.41
  • Bump garden-runc to version 1.20.3
  • Bump go-offline-buildpack to version 1.9.42
  • Bump haproxy to version 11.10.1
  • Bump java-offline-buildpack to version 4.48.2
  • Bump nginx-offline-buildpack to version 1.1.37
  • Bump nodejs-offline-buildpack to version 1.7.69
  • Bump php-offline-buildpack to version 4.4.59
  • Bump push-offline-docs-release to version 1.0.71
  • Bump python-offline-buildpack to version 1.7.53
  • Bump r-offline-buildpack to version 1.1.28
  • Bump ruby-offline-buildpack to version 1.8.53
  • Bump staticfile-offline-buildpack to version 1.5.29
  • Bump uaa to version 74.5.37
Component Version Release Notes
ubuntu-xenial stemcell 621.224
backup-and-restore-sdk 1.18.39
binary-offline-buildpack 1.0.43
bosh-dns-aliases 0.0.4
bosh-system-metrics-forwarder 0.0.21
bpm 1.1.16
capi 1.127.1
cf-autoscaling 248
cf-cli 1.38.0
cf-networking 3.3.0
cflinuxfs3 0.285.0
credhub 2.12.2
2.12.1
  ### Security Fixes
  - Bump various dependencies.
          
2.12.0
  ### Security Fixes
  - Bump various dependencies.
  ### Bug Fixes
  - Fixes an issue where CredHub experiences downtime during certificate rotation process by making CredHub properly load concatenated mTLS CA certificates.
  ### Features
  - CredHub is now compatible with Postgres 13, 14.
          
2.11.1
  ### Dependency Bumps
  - Bumps log4j2 to 2.17.1
          
2.11.0
  ### Security Fixes
  - Further addresses [CVE with Log4j library](https://github.com/advisories/GHSA-jfh8-c2jp-5v3q) and [its prior incomplete fix](https://github.com/advisories/GHSA-7rjr-3q55-vv33) by bumping to log4j2 2.16.0.
          
2.10.0
  ### Security Fixes
  - Addresses [CVE with Log4j library](https://github.com/advisories/GHSA-jfh8-c2jp-5v3q)
  ### Features
  - Adds minimum duration server-level configuration fields for leaf and CA certificates: `certificates.leaf_minimum_duration_in_days` and `certificates.ca_minimum_duration_in_days`. When these fields are configured, if a request to generate or regenerate a certificate has a duration lower than the minimum, then the minimum duration is used instead. (https://github.com/cloudfoundry/credhub/pull/201)
          
diego 2.62.0
dotnet-core-offline-buildpack 2.3.41
garden-runc 1.20.3
go-offline-buildpack 1.9.42
haproxy 11.10.1
java-offline-buildpack 4.48.2
log-cache 2.11.5
loggregator 106.6.2
loggregator-agent 6.3.8
mapfs 1.2.6
metric-registrar 1.2.4
metrics-discovery 3.0.8
mysql-monitoring 9.15.0
nats 43
nfs-volume 7.1.1
nginx-offline-buildpack 1.1.37
nodejs-offline-buildpack 1.7.69
notifications 62
notifications-ui 40
php-offline-buildpack 4.4.59
push-apps-manager-release 676.0.1
push-offline-docs-release 1.0.71
push-usage-service-release 674.0.23
pxc 0.41.0
python-offline-buildpack 1.7.53
r-offline-buildpack 1.1.28
routing 0.231.0
ruby-offline-buildpack 1.8.53
silk 3.3.0
smb-volume 3.1.0
smoke-tests 4.5.0
staticfile-offline-buildpack 1.5.29
statsd-injector 1.11.18
syslog 11.7.7
system-metrics-scraper 3.2.4
uaa 74.5.37

2.13.2

Release Date: 04/06/2022

Note: This version of TAS for VMs contains a known issue that can cause applications to fail to start after upgrading. For information about resolving this issue, see Apps stop running after a deploy when using dynamic ASGs with icmp any rule in the Knowledge Base.

  • [Security Fix] This release fixes CVE-2022-22965; note that the “fix” in the immediately prior version did not actually address the vulnerability, as Spring framework dependencies in UAA that should have been updated, were not. We have confirmed this version actually contains the dependency bumps, and that it is no longer vulnerable to our confirmed exploit. We consider this patch necessary for secure operation; see the VMware Security Advisory here for more details. This release also includes a new version of the Java Buildpack.
  • Bump java-offline-buildpack to version 4.48.2
  • Bump uaa to version 74.5.37
Component Version
ubuntu-xenial stemcell 621.211
backup-and-restore-sdk 1.18.34
binary-offline-buildpack 1.0.42
bosh-dns-aliases 0.0.4
bosh-system-metrics-forwarder 0.0.21
bpm 1.1.16
capi 1.127.0
cf-autoscaling 248
cf-cli 1.38.0
cf-networking 3.3.0
cflinuxfs3 0.274.0
credhub 2.9.9
diego 2.58.1
dotnet-core-offline-buildpack 2.3.38
garden-runc 1.20.0
go-offline-buildpack 1.9.38
haproxy 11.9.3
java-offline-buildpack 4.48.2
log-cache 2.11.5
loggregator 106.6.2
loggregator-agent 6.3.8
mapfs 1.2.6
metric-registrar 1.2.4
metrics-discovery 3.0.8
mysql-monitoring 9.15.0
nats 43
nfs-volume 7.1.1
nginx-offline-buildpack 1.1.34
nodejs-offline-buildpack 1.7.66
notifications 62
notifications-ui 40
php-offline-buildpack 4.4.55
push-apps-manager-release 676.0.1
push-offline-docs-release 1.0.33
push-usage-service-release 674.0.23
pxc 0.41.0
python-offline-buildpack 1.7.49
r-offline-buildpack 1.1.25
routing 0.231.0
ruby-offline-buildpack 1.8.50
silk 3.3.0
smb-volume 3.1.0
smoke-tests 4.5.0
staticfile-offline-buildpack 1.5.28
statsd-injector 1.11.18
syslog 11.7.7
system-metrics-scraper 3.2.4
uaa 74.5.37

2.13.1

Release Date: 03/31/2022

Note: This version of TAS for VMs contains a known issue that can cause applications to fail to start after upgrading. For information about resolving this issue, see Apps stop running after a deploy when using dynamic ASGs with icmp any rule in the Knowledge Base.

  • [Security Fix] This release was intended to address CVE-2022-22965, but did not actually update the vulnerable dependencies. Upgrade to a more recent patch version instead. See the VMware Security Advisory here for more details.
  • Bump uaa to version 74.5.36
Component Version
ubuntu-xenial stemcell 621.211
backup-and-restore-sdk 1.18.34
binary-offline-buildpack 1.0.42
bosh-dns-aliases 0.0.4
bosh-system-metrics-forwarder 0.0.21
bpm 1.1.16
capi 1.127.0
cf-autoscaling 248
cf-cli 1.38.0
cf-networking 3.3.0
cflinuxfs3 0.274.0
credhub 2.9.9
diego 2.58.1
dotnet-core-offline-buildpack 2.3.38
garden-runc 1.20.0
go-offline-buildpack 1.9.38
haproxy 11.9.3
java-offline-buildpack 4.48
log-cache 2.11.5
loggregator 106.6.2
loggregator-agent 6.3.8
mapfs 1.2.6
metric-registrar 1.2.4
metrics-discovery 3.0.8
mysql-monitoring 9.15.0
nats 43
nfs-volume 7.1.1
nginx-offline-buildpack 1.1.34
nodejs-offline-buildpack 1.7.66
notifications 62
notifications-ui 40
php-offline-buildpack 4.4.55
push-apps-manager-release 676.0.1
push-offline-docs-release 1.0.33
push-usage-service-release 674.0.23
pxc 0.41.0
python-offline-buildpack 1.7.49
r-offline-buildpack 1.1.25
routing 0.231.0
ruby-offline-buildpack 1.8.50
silk 3.3.0
smb-volume 3.1.0
smoke-tests 4.5.0
staticfile-offline-buildpack 1.5.28
statsd-injector 1.11.18
syslog 11.7.7
system-metrics-scraper 3.2.4
uaa 74.5.36

2.13.0

Release Date: March 29, 2022

Note: This version of TAS for VMs contains a known issue that can cause applications to fail to start after upgrading. For information about resolving this issue, see Apps stop running after a deploy when using dynamic ASGs with icmp any rule in the Knowledge Base.

Component Version
ubuntu-xenial stemcell 621.211
backup-and-restore-sdk 1.18.34
binary-offline-buildpack 1.0.42
bosh-dns-aliases 0.0.4
bosh-system-metrics-forwarder 0.0.21
bpm 1.1.16
capi 1.127.0
cf-autoscaling 248
cf-cli (v7/v8)* 1.38.0
cf-networking 3.3.0
cflinuxfs3 0.274.0
credhub 2.9.9
diego 2.58.1
dotnet-core-offline-buildpack 2.3.38
garden-runc 1.20.0
go-offline-buildpack 1.9.38
haproxy 11.9.3
java-offline-buildpack 4.48
log-cache 2.11.5
loggregator 106.6.2
loggregator-agent 6.3.8
mapfs 1.2.6
metric-registrar 1.2.4
metrics-discovery 3.0.8
mysql-monitoring 9.15.0
nats 43
nfs-volume 7.1.1
nginx-offline-buildpack 1.1.34
nodejs-offline-buildpack 1.7.66
notifications 62
notifications-ui 40
php-offline-buildpack 4.4.55
push-apps-manager-release 676.0.1
push-offline-docs-release 1.0.33
push-usage-service-release 674.0.23
pxc 0.41.0
python-offline-buildpack 1.7.49
r-offline-buildpack 1.1.25
routing 0.231.0
ruby-offline-buildpack 1.8.50
silk 3.3.0
smb-volume 3.1.0
smoke-tests 4.5.0
staticfile-offline-buildpack 1.5.28
statsd-injector 1.11.18
syslog 11.7.7
system-metrics-scraper 3.2.4
uaa 74.5.34

* The cf-cli version corresponds to the commercial distribution on VMware Tanzu Network.

How to Upgrade

To upgrade to TAS for VMs v2.13, see Configuring TAS for VMs for Upgrades.

When upgrading to TAS for VMs v2.13, be aware of the following upgrade considerations:

  • If you previously used an earlier version of TAS for VMs, you must first upgrade to TAS for VMs v2.11 to successfully upgrade to TAS for VMs v2.13.

  • Upgrade the cf CLI to the latest cf CLI v7 release, the latest cf CLI v8 release, or the commercial cf CLI distribution available on VMware Tanzu Network.

  • Some partner service tiles might be incompatible with TAS for VMs v2.13. VMware is working with partners to ensure their tiles are updated to work with the latest versions of TAS for VMs.

    For information about which partner service releases are currently compatible with TAS for VMs v2.13, review the appropriate partners services release documentation at https://docs.pivotal.io or contact the partner organization that produces the tile.

New Features in TAS for VMs v2.13

TAS for VMs v2.13 includes the following major features:

Update the Destination App Protocol for Routes

In TAS for VMs v2.13.0, developers can update the destination protocol for app routes. After the destination protocol is updated, the app uses that protocol for all incoming and outgoing communications.

You can update the destination protocol using Apps Manager or cf CLI v8.

Before you can update the destination app protocol, you must enable HTTP/2 ingress and egress for the Gorouter. This option is enabled by default in the Networking pane of the TAS for VMs tile.

To update the destination app protocol in Apps Manager, see Change the Destination Protocol for a Route in Managing Apps and Service Instances Using Apps Manager.

To update the destination app protocol using cf CLI v8:

cf update-destination --app-protocol PROTOCOL APP-NAME APP-DOMAIN --hostname HOSTNAME

Where:

  • PROTOCOL is the app protocol you want to use. You can use http1 or http2.
  • APP-NAME is the name of your app. For example, my-app.
  • APP-DOMAIN is the domain name of your app. For example, app-domain.com.
  • HOSTNAME is the hostname of your app. For example, my-hostname.

For example:

$ cf update-destination --app-protocol http2 my-app app-domain.com --hostname my-hostname

Destination-protocol changed to http2
OK

The command above updates the destination protocol for my-app to HTTP/2.

TAS for VMs is Compatible with MySQL 8

TAS for VMs v2.13.0 supports MySQL 8 for external databases. Previous versions of TAS for VMs supported MySQL 5.7, which is expected to go out of support in 2023. If you use an external MySQL database with TAS for VMs v2.13, use a MySQL 8 database for improved security and a longer window of support.

TAS for VMs Components Use Golang v1.17

In TAS for VMs v2.13.0, several TAS for VMs components use Golang v1.17.

The following table lists the component releases that have been updated to use Golang v1.17:

Release First version that uses Golang v1.17
cf-networking 2.43.0
silk 2.43.0
diego 2.53.1
nats 41
garden-runc 1.19.31
routing 0.229.0

For important information, see Gorouter Certificates Require a SAN Extension in the Breaking Changes section.

Dynamic App Security Group Rules

TAS for VMs v2.13 introduces dynamic App Security Groups (ASGs).

ASGs are a collection of egress rules that specify the protocols, ports, and IP address ranges where app or task instances send traffic. Previously, updating an existing ASG required you to restart the app before the ASG went into effect.

Dynamic ASGs can automatically update security groups without requiring an app restart. If you have existing ASGs, you can run any of the security group cf CLI commands, including cf bind-security-group and cf update-security-group, and the changes apply automatically to any running apps.

To enable dynamic ASGs:

  1. Navigate to the Ops Manager Installation Dashboard and click the TAS for VMs tile.
  2. Select Networking.
  3. Select the Enable dynamic application security group changes checkbox.
  4. Click Save.

For more information about ASGs, see App Security Groups.

Configure Scaling Factors for App Autoscaler

In TAS for VMs v2.13.0, App Autoscaler can scale apps by one or more app instances based on autoscaling rules. In previous releases of TAS for VMs, App Autoscaler only scaled app instances up or down by one instance at a time. You can configure scaling factors using the App Autoscaler API or the App Autoscaler CLI plugin.

To configure scaling factors using the API, see Update an App Binding in Using the App Autoscaler API.

To configure scaling factors using the App Autoscaler CLI plugin, see Update Scaling Factors in Using the App Autoscaler CLI.

For more information, see About App Autoscaler.

Log Cache Uses Its Own Instance Group

In TAS for VMs v2.13.0, the Log Cache component runs on its own Log Cache instance group. Log Cache is no longer part of Doppler instances. Additionally, syslog ingress is enabled by default.

This change allows TAS for VMs to do the following:

  • Enable Log Cache to scale independently from Doppler, for example, to provide more memory for storing logs and metrics. You can reduce the memory allocation for Doppler instances.
  • Scale Log Cache to more than 40 VMs, because it is no longer limited by Doppler and TrafficController’s throughput and connection-based horizontal scaling limits.
  • Reduce the number of network hops required for logs and metrics to get to Log Cache.

For important information, see the related Breaking Change and Known Issue.

Rotate the Root CA and NATS CA Without Re-Creating All VMs

In Ops Manager v2.10.20 and later, operators can rotate the root certificate authority (CA) or NATS CA without re-creating all VMs. If you rotate these certificates in Ops Manager and click Apply Changes, Ops Manager updates the certificates on the VMs without re-creating the VMs.

For more information, see Rotating CAs and Leaf Certificates in the Ops Manager documentation.

Enable IMDSv2 in Ops Manager on AWS

Operators can configure Ops Manager v2.10.23 and later to require IMDSv2 on all BOSH-deployed VMs in Amazon Web Services (AWS). This Ops Manager feature is compatible with installations of TAS for VMs v2.13.0 and later.

For more information, see Enable IMDSv2 in Ops Manager in the Ops Manager documentation.

Enable One-Way TLS for Container-to-Container Communication

In TAS for VMs v2.13.0, developers can enable TLS for communication between app containers.

When you enable this feature, TLS is terminated at Envoy. Developers can continue to serve HTTP traffic on port 8080, and Envoy listens on port 61443 with a TLS certificate with a SAN that includes app internal routes. Envoy proxies this port to port 8080 inside the container. When a new route is mapped to the app, the certificate is updated without requiring an app restart.

Warning: this feature introduces a migration to the bbs database. Rolling back from this release will cause database issues.

Download Offline Tools in Air-Gapped Environments

In TAS for VMs v2.13.0, you can include documentation and cf CLI packages in Apps Manager that operators and developers can download in air-gapped environments. TAS for VMs v2.13.0 adds the post-deploy Offline Docs Errand.

To enable access to offline tools in air-gapped environments:

  1. Navigate to the Installation Dashboard and click the TAS for VMs tile.
  2. Select Apps Manager.
  3. Under Configure how developers access documentation, tools and pluggins when unable to connect to the internet, select the checkbox for Enable access to offline tools.
  4. Under Choose which CF CLI packages to include, select either CF CLI V7 or CF CLI V8.
  5. Click Save.
  6. Select Errands.
  7. Under Offline Docs Errand, select On from the dropdown.
  8. Click Save.
  9. Return to the Installation Dashboard.
  10. Click Review Pending Changes.
  11. Review the changes, and then click Apply Changes.

For more information, see (Optional) Configure Custom Branding and Apps Manager in Configuring TAS for VMs.

Breaking Changes

TAS for VMs v2.13 includes the following breaking changes:

Log and Metric Topology Changes

In TAS for VMs v2.13, the Log Cache component runs on its own Log Cache instance group. Log Cache is no longer part of Doppler instances.

As a result of this change, Diego Cells with high logging volume might experience higher CPU usage than they did prior to this change.

When you upgrade to TAS for VMs v2.13, you might experience temporary difficulties getting logs and metrics from the cf CLI for apps that are pushed during the upgrade. This should not affect whether or not the app is able to be deployed. See the related Known Issue.

This change comes with the following considerations when you upgrade to TAS for VMs v2.13:

  • Breaking change: Log Cache uses syslog ingress by default.
    Recommended action: Confirm that your instances, including those within Isolation Segments, are permitted to establish connections to Log Cache nodes on port 6067. You might need to update firewall rules to allow logs to flow directly from your instances to the Log Cache syslog server.

  • Breaking change: Underscaled Log Cache instances can fail with Out of Memory errors, which locks the BOSH Director.
    Recommended action: Scale up your Log Cache instance count. VMware recommends scaling up to match the number of VMs and amount of memory of your Doppler instances before the upgrade. Starting larger and then adjusting for actual use is safer than a deployment failure.

  • Breaking change: Service instance metrics might not be retrievable using the log-cache cf CLI plugin.
    Recommended action: Syslog ingestion is recommended. If you need to retrieve metrics from service tiles that do not support this feature, in the System Logging pane of the TAS for VMs tile, deselect the Enable Log Cache syslog ingestion checkbox.

Gorouter Certificates Require a SAN Extension

In TAS for VMs v2.13, all Gorouter certificates require a valid subjectAltName (SAN) extension. If any Gorouter certificates lack a SAN, Go clients cannot connect to servers and deployment fails.

Before you upgrade to TAS for VMs v2.13, you must:

  1. Verify that all certificates in Ops Manager use a valid SAN. If they do not, rotate your certificates using a valid SAN.
  2. Verify that all external systems that the Gorouter connects to have certificates with a valid SAN. If you use route services, this includes either the route services themselves or the load balancer in front of the route service.

For more information about updating certificates, see Routing and Golang 1.15 X.509 CommonName deprecation in the Knowledge Base.
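
One way to run the two verification steps above over a PEM bundle before upgrading. This is an added example, not VMware or Cloud Foundry code: it flags certificates that carry no DNS or IP entry in subjectAltName, and also reports SHA-1 signatures, which the release warnings on this page say Go-based components stop accepting. The host names and the `DemoBundle` certificates are constructed for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// Finding summarizes one certificate from a PEM bundle.
type Finding struct {
	Subject string
	HasSAN  bool // at least one DNS name or IP address in subjectAltName
	SHA1Sig bool // certificate is signed with a SHA-1 based algorithm
}

// OK reports whether the certificate passes both checks.
func (f Finding) OK() bool { return f.HasSAN && !f.SHA1Sig }

// AuditPEM parses every CERTIFICATE block in bundle and checks it.
func AuditPEM(bundle []byte) ([]Finding, error) {
	var out []Finding
	for {
		block, rest := pem.Decode(bundle)
		if block == nil {
			return out, nil // no more PEM blocks
		}
		bundle = rest
		if block.Type != "CERTIFICATE" {
			continue // skip private keys and other PEM blocks
		}
		c, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return out, fmt.Errorf("certificate %d: %w", len(out)+1, err)
		}
		sha1 := c.SignatureAlgorithm == x509.SHA1WithRSA ||
			c.SignatureAlgorithm == x509.DSAWithSHA1 ||
			c.SignatureAlgorithm == x509.ECDSAWithSHA1
		out = append(out, Finding{
			Subject: c.Subject.String(),
			// Hostname verification uses only DNS and IP SAN entries.
			HasSAN:  len(c.DNSNames)+len(c.IPAddresses) > 0,
			SHA1Sig: sha1,
		})
	}
}

// sampleCert builds a constructed, self-signed certificate for the demo.
// Passing nil dnsNames yields a CommonName-only certificate with no SAN.
func sampleCert(cn string, dnsNames []string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		DNSNames:     dnsNames,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// DemoBundle returns two constructed certificates: one with a SAN, one without.
func DemoBundle() ([]byte, error) {
	good, err := sampleCert("router.example.internal", []string{"*.apps.example.internal"})
	if err != nil {
		return nil, err
	}
	legacy, err := sampleCert("legacy-db.example.internal", nil)
	if err != nil {
		return nil, err
	}
	return append(good, legacy...), nil
}

func main() {
	bundle, err := DemoBundle()
	if err != nil {
		panic(err)
	}
	findings, err := AuditPEM(bundle)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%-32s san=%-5t sha1=%-5t ok=%t\n", f.Subject, f.HasSAN, f.SHA1Sig, f.OK())
	}
}
```

To audit real certificates, pass the bytes of an exported PEM file to `AuditPEM` instead of `DemoBundle()`.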

Golang v1.17 Rejects IP Addresses with Leading Zeros

Golang v1.17 contains stricter IP parsing standards, so IP addresses with leading zeros in any octets cause a BOSH template failure. Operators can remove the leading zeros and try deploying again. This affects properties that feed into all releases that use Golang v1.17. For a complete list, see TAS for VMs Components Use Golang v1.17 above. Syslog drains and metric registrar endpoints that are registered using user-provided services might also be affected.
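
A pre-upgrade check for this breaking change, as an added example that is not part of the TAS for VMs tooling: it scans property values for IPv4 addresses or CIDR ranges with leading zeros and proposes the decimal form. The property names and values in `sampleProps` are constructed; the suggested value assumes the octets were meant as decimal, which should be confirmed because some systems read a leading zero as octal.

```go
package main

import (
	"fmt"
	"net"
	"regexp"
	"sort"
	"strconv"
	"strings"
)

// ipv4Like matches dotted-quad tokens, optionally followed by a CIDR prefix.
var ipv4Like = regexp.MustCompile(`\b\d{1,3}(?:\.\d{1,3}){3}(?:/\d{1,2})?\b`)

// Hit is one address that Go 1.17 and later refuse to parse.
type Hit struct {
	Property  string
	Found     string
	Suggested string // decimal reading with leading zeros removed
}

// stripZeros rewrites each octet in plain decimal and reports whether
// anything changed. Tokens with an octet above 255 are not addresses.
func stripZeros(tok string) (string, bool) {
	parts := strings.SplitN(tok, "/", 2)
	octets := strings.Split(parts[0], ".")
	changed := false
	for i, o := range octets {
		n, err := strconv.Atoi(o) // base 10, so "010" reads as 10
		if err != nil || n > 255 {
			return "", false
		}
		if s := strconv.Itoa(n); s != o {
			octets[i] = s
			changed = true
		}
	}
	out := strings.Join(octets, ".")
	if len(parts) == 2 {
		out += "/" + parts[1]
	}
	return out, changed
}

// FindLeadingZeroIPs returns every offending address, ordered by property name.
func FindLeadingZeroIPs(props map[string]string) []Hit {
	keys := make([]string, 0, len(props))
	for k := range props {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	var hits []Hit
	for _, k := range keys {
		for _, tok := range ipv4Like.FindAllString(props[k], -1) {
			if fixed, changed := stripZeros(tok); changed {
				hits = append(hits, Hit{Property: k, Found: tok, Suggested: fixed})
			}
		}
	}
	return hits
}

// RejectedByGo reports whether the running Go standard library refuses tok.
func RejectedByGo(tok string) bool {
	if strings.Contains(tok, "/") {
		_, _, err := net.ParseCIDR(tok)
		return err != nil
	}
	return net.ParseIP(tok) == nil
}

// sampleProps is constructed input; the property names are hypothetical.
var sampleProps = map[string]string{
	"syslog_drain_url": "syslog-tls://010.0.1.5:6514",
	"external_db_host": "10.0.16.20",
	"asg_destination":  "192.168.001.0/24",
	"metric_endpoint":  "https://metrics.example.internal:9090",
}

func main() {
	for _, h := range FindLeadingZeroIPs(sampleProps) {
		fmt.Printf("%s: %s -> %s (rejected by this Go runtime: %t)\n",
			h.Property, h.Found, h.Suggested, RejectedByGo(h.Found))
	}
}
```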

cf CLI v6 is Not Supported

TAS for VMs v2.13 does not support cf CLI v6. You must upgrade to cf CLI v7 or cf CLI v8.

To upgrade to a supported cf CLI version, see one of the following:

Known Issues

TAS for VMs v2.13 includes the following known issues:

Possible Downtime When Upgrading from Certain TAS for VMs Versions

If you are upgrading from one of the following TAS for VMs versions, you might experience a small amount of log and metric downtime during an upgrade to TAS for VMs v2.13. This downtime is more likely if you use Isolation Segments:

  • TAS for VMs v2.11.15 or earlier
  • TAS for VMs v2.12.8 or earlier

Apps Stop Running After Deploy when Using Dynamic ASGs with ICMP Any Rules

When dynamic ASGs are enabled, the vxlan policy agent is unable to clean up ASGs with ICMP any rules. Undocumented iptables behavior with ICMP any rules causes a cleanup failure, which causes a container creation failure, which prevents any apps from starting.

This results in a vxlan policy agent error:

  • iptables: Bad rule (does a matching rule exist in that chain?)

or

  • exit status 1: iptables: No chain/target/match by that name.

For more information about this issue and how to mitigate it, see Apps stop running after a deploy when using dynamic ASGs with icmp any rule in the Knowledge Base.