Pivotal Isolation Segment v2.8 Release Notes

Page last updated:

This topic contains release notes for Pivotal Isolation Segment v2.8.

Pivotal Platform is certified by the Cloud Foundry Foundation for 2021.

Read more about the certified provider program and the requirements of providers.

Releases

2.8.23

Release Date: 12/18/2020

• [Security Fix] Bump garden-runc-release to address CVE-2020-15257
• Bump ubuntu-xenial stemcell to version 621.94
• Bump cf-networking to version 2.35.0
• Bump cflinuxfs3 to version 0.216.0
• Bump garden-runc to version 1.19.18
• Bump routing to version 0.210.0
• Bump silk to version 2.35.0

2.8.22

Release Date: 11/17/2020

• No BOSH release bumps

2.8.21

Release Date: 11/04/2020

• Bump ubuntu-xenial stemcell to version 621.90
• Bump metrics-discovery to version 2.0.9

2.8.20

Release Date: 10/26/2020

• [Feature Improvement] Networking: Clarify that drain timeout should be lower than backend request timeout to reduce drain time during deploys
• [Bug Fix] Loggregator Agent Release - Prom Scraper metrics server names match
• Bump ubuntu-xenial stemcell to version 621.89
• Bump cf-networking to version 2.34.0
• Bump cflinuxfs3 to version 0.210.0
• Bump routing to version 0.208.0
• Bump silk to version 2.34.0

2.8.19

Release Date: 10/09/2020

• [Bug Fix] Remove “power_of_two” constraint from CPU resource definitions
• [BUG FIX] syslog-agent - Add ops man cert to use syslog ingestion for log-cache
• Bump ubuntu-xenial stemcell to version 621.85
• Bump cflinuxfs3 to version 0.208.0

2.8.18

Release Date: 09/21/2020

• Bump ubuntu-xenial stemcell to version 621.84
• Bump cflinuxfs3 to version 0.204.0
• Bump routing to version 0.207.0

2.8.17

Release Date: 09/10/2020

• [Security Fix] Fix for CVE-2020-5420: Improve Gorouter’s handling of invalid HTTP response codes
• [Feature Improvement] Gorouter aliases /healthz to /health in order to prevent downtime during upgrades
• Bump ubuntu-xenial stemcell to version 621.82
• Bump cf-networking to version 2.33.0
• Bump diego to version 2.48.0
• Bump nfs-volume to version 5.0.10
• Bump routing to version 0.206.0
• Bump silk to version 2.33.0

2.8.16

Release Date: 08/24/2020

• [Bug Fix] loggr-syslog-agent - Fix server alternative name
• [Bug Fix]: Return 502 TLS Handshake error for an unresponsive backend
• [Bug Fix] Bump garden-runc to v1.19.16
• Bump ubuntu-xenial stemcell to version 621.78
• Bump cflinuxfs3 to version 0.203.0
• Bump garden-runc to version 1.19.16
• Bump routing to version 0.205.0

2.8.15

Release Date: 08/07/2020

• [Bug Fix] Fix issue where requests to internal routes could fail due to incorrect case-sensitivity in DNS lookup in the service discovery controller.
• [Bug Fix] System Metrics Scraper/Prom Scraper — Fixes a bug that causes excess log volume and increases scrape interval to reduce metric volume
• Bump ubuntu-xenial stemcell to version 621.77
• Bump cf-networking to version 2.31.0
• Bump cflinuxfs3 to version 0.202.0
• Bump garden-runc to version 1.19.14
• Bump silk to version 2.31.0

2.8.14

Release Date: 07/16/2020

• [Security Fix] Fix for CVE-2020-15586: Bump golang to version 1.14.5 with a fix in the net/http/httputil package for an issue which could cause the Gorouter to crash if a malicious client sends specially crafted HTTP requests.
• Bump cflinuxfs3 to version 0.198.0
• Bump routing to version 0.203.0

2.8.13

Release Date: 07/09/2020

• Bump cflinuxfs3 to version 0.197.0

2.8.12

Release Date: 06/25/2020

• [Breaking Change] Incorrect HTTP(S) Proxy configuration breaks CredHub interpolation for apps. For more information, see Incorrect HTTP(S) Proxy Configuration Breaks CredHub Interpolation for Apps in Pivotal Isolation Segment v2.8.12 and Later below.
• [Breaking Change]: If you use the NSX-T Container Plugin (NCP) tile v3.0.1 or earlier, do not upgrade to this patch. The stemcell in this patch is not compatible with the NCP tile v3.0.1 and causes the openvswitch job to fail when you deploy.
• [Bug Fix] Add a new cache configuration to the NFS service allowing service instances to enable file attribute caching and achieve directory listing performance similar to the nfs-legacy service
• [Bug Fix] Remove invalid characters in hostnames in outgoing application syslog messages to comply with RFC 5424
• Bump ubuntu-xenial stemcell to version 621.76
• Bump cflinuxfs3 to version 0.195.0
• Bump diego to version 2.47.0
• Bump loggregator-agent to version 5.2.10
• Bump nfs-volume to version 5.0.9

2.8.11

Release Date: 06/11/2020

• [Bug Fix] Gorouter - Drain timeout always uses configured value
• [Bug Fix] Silk - Continue container networking during cell drain
• [Bug Fix] Loggregator Agent - Fix certificate issues for all agent metrics
• Bump cf-networking to version 2.30.0
• Bump cflinuxfs3 to version 0.191.0
• Bump routing to version 0.201.0
• Bump silk to version 2.30.0

2.8.10

Release Date: 06/03/2020

• [Feature] Allow egress traffic from apps to addresses on host via host_tcp_services
• [Bug Fix] Migrate services/intermediate_tls_ca to /services/tls_leaf for Maestro
• [Bug Fix] Add a new cache configuration to the NFS service allowing service instances to enable file attribute caching and achieve directory listing performance similar to the nfs-legacy service
• Bump cflinuxfs3 to version 0.189.0
• Bump nfs-volume to version 5.0.6

2.8.9

Release Date: 05/18/2020

• [Bug Fix] Fix scheduling bug in loggregator agent by upgrading to Go 1.14.2
• Bump ubuntu-xenial stemcell to version 621.74
• Bump cflinuxfs3 to version 0.179.0
• Bump loggregator-agent to version 5.2.9

2.8.8

Release Date: 05/05/2020

• [Security Fix] Update debian packages and source libraries in nfs and mapfs releases
• Bump ubuntu-xenial stemcell to version 621.71
• Bump cflinuxfs3 to version 0.178.0
• Bump mapfs to version 1.2.4
• Bump nfs-volume to version 5.0.5
• Bump smb-volume to version 3.0.1

2.8.7

Release Date: 04/22/2020

• [Feature] HAProxy can now be configured with custom certificate authorities
• [Bug Fix] Fix server_name value to use Common Name as metrics_agent_metrics_tls
• Bump ubuntu-xenial stemcell to version 621.64
• Bump cflinuxfs3 to version 0.175.0

2.8.6

Release Date: 04/07/2020

• [Bug Fix] garden-runc - bump to latest release in supported versions
• [Bug Fix] GoRouter correctly handles control characters in URLs
• [Bug Fix] Fix a memory leak and go-routine leak related to having multiple aggregate drains in Loggregator
• [Bug Fix] App developers now receive a 401 when using an expired access token with policy server
• Bump ubuntu-xenial stemcell to version 621.61
• Bump cf-networking to version 2.28.0
• Bump cflinuxfs3 to version 0.174.0
• Bump garden-runc to version 1.19.10
• Bump loggregator-agent to version 5.2.8
• Bump routing to version 0.199.0
• Bump silk to version 2.28.0

2.8.5

Release Date: 03/13/2020

• [Bug Fix] Fix DNS Interaction between Loggregator Agent and Doppler
• Bump ubuntu-xenial stemcell to version 621.59
• Bump cflinuxfs3 to version 0.169.0
• Bump loggregator-agent to version 5.2.7

2.8.4

Release Date: 03/02/2020

• [Feature] Support Maestro’s rotation capability by adding Services TLS CA to all App containers
• [Feature Improvement] Bring bug fixes and improvements in latest routing releases to all supported PAS versions
• [Bug Fix] Log only necessary information when auction scoring fails
• [Bug Fix] Fix Race Condition in Loggregator Agent
• Bump ubuntu-xenial stemcell to version 621.57
• Bump cflinuxfs3 to version 0.165.0
• Bump diego to version 2.44.0
• Bump loggregator-agent to version 5.2.6
• Bump routing to version 0.198.0

2.8.3

Release Date: 02/06/2020

• [Feature Improvement] Use the Diego logging format for the Garden job
• Bump ubuntu-xenial stemcell to version 621.51
• Bump cflinuxfs3 to version 0.160.0

2.8.2

Release Date: 01/16/2020

• [Bug Fix] mapfs - Fix error when appending to a file
• Bump ubuntu-xenial stemcell to version 621.41
• Bump cflinuxfs3 to version 0.153.0

2.8.1

Release Date: 12/26/2019

• [Security Fix] CVE-2019-17596 - Fix panic upon an attempt to process network traffic containing an invalid DSA public key for syslog release
• [Security Fix] CVE-2019-17596 - Fix panic upon an attempt to process network traffic containing an invalid DSA public key for garden-runc release
• [Security Fix] CVE-2019-17596 - Fix panic upon an attempt to process network traffic containing an invalid DSA public key for loggregator releases
• [Feature] Expose all platform metrics on Prometheus endpoints
• [Bug Fix] Passwords containing commas no longer cause the SMB volume service to crash at startup with a “mount failed” error
• Bump ubuntu-xenial stemcell to version 621.29
• Bump cflinuxfs3 to version 0.151.0
• Bump garden-runc to version 1.19.9
• Bump loggregator-agent to version 5.2.1
• Add new release metrics-discovery at version 2.0.2
• Bump smb-volume to version 2.1.1
• Bump syslog to version 11.6.1

2.8.0

Release Date: 12/09/2019

• See New Features in Pivotal Isolation Segment v2.8
• See Breaking Changes
• [Feature Improvement] Upgrade Routing, Networking, and Silk releases to use go 1.13 release
• [Feature Improvement] Add syslog log-cache aggregate drain
• Bump cf-networking to version 2.27.0
• Bump cflinuxfs3 to version 0.150.0
• Bump routing to version 0.196.0
• Bump silk to version 2.27.0

About Pivotal Isolation Segment

The Pivotal Isolation Segment v2.8 tile is available for installation with Pivotal Platform v2.8.

Isolation segments provide dedicated pools of resources where you can deploy apps and isolate workloads. Using isolation segments separates app resources as completely as if they were in different Pivotal Platform deployments but avoids redundant management and network complexity. For more information about isolation segments, see Isolation Segments in PAS Security.

For more information about using isolation segments in your deployment, see Managing Isolation Segments.

How to Install

To install Pivotal Isolation Segment v2.8, see Installing Pivotal Isolation Segment.

To install Pivotal Isolation Segment v2.8, you must first install Pivotal Platform v2.8.

New Features in Pivotal Isolation Segment v2.8

Pivotal Isolation Segment v2.8 includes the following major features:

Diego Sets Container CPU Weight Property Equal to Container Memory Limit

Diego sets the CPU weight property on the containers it creates to a number equivalent to the container memory limit. This allows Garden to calculate the AbsoluteCPUEntitlement metric, which is the CPU entitlement for the container. With AbsoluteCPUEntitlement, Garden can produce accurate CPU usage metrics that are relative to AbsoluteCPUEntitlement.

For more information about the AbsoluteCPUEntitlement metric, see Diego Container Metrics in Container Metrics. For information about the Cloud Foundry CPU Entitlement Plugin, an experimental plugin that allows you to examine the CPU usage of PAS apps relative to their CPU entitlement, see the Cloud Foundry CPU Entitlement Plugin repository on GitHub.

SMB Volume Services Enabled by Default

SMB volume services are enabled by default. When SMB volume services are enabled, app developers can bind existing SMB shares to apps for shared file access.

To disable SMB volume services in the Pivotal Isolation Segment tile, select Advanced Features and clear the Enable SMB volume services checkbox.

For more information, see Advanced Features in Installing Pivotal Isolation Segment.

For general information about volume services, see Using an External File System (Volume Services).

NFS Broker Uses CredHub as Backing Store

NFS Broker uses CredHub as its backing store, rather than an internal Pivotal Application Service (PAS) database. Because BOSH Backup and Restore (BBR) no longer backs up NFS Broker, the nfsbroker-bbr job is removed.

For more information about CredHub, see CredHub.

Use Pivotal Isolation Segment to Improve Upgrades for Large Foundations

You can use the Pivotal Isolation Segment tile to deploy a separate group of Diego Cells without isolating the Diego Cell capacity from other apps.

This approach helps separate the upgrade of the PAS control plane from the upgrade of the Diego Cells. Further, it splits the upgrade of the Diego Cells into smaller groups. This helps operators of large foundations by making upgrades more manageable. It does not affect developers pushing apps to PAS.

To use this feature, go to the Compute and Networking Isolation pane in the Pivotal Isolation Segment tile and select None for Tag name for Diego Cell blocks.

For more information, see Compute and Networking Isolation in Installing Pivotal Isolation Segment.

Support for Pushing Container Images Hosted in AWS ECR

When you push container images hosted in AWS Elastic Container Registry (ECR) with the Cloud Foundry CLI (cf CLI), you can provide the access key ID and secret for an AWS IAM user as a Docker username and password as part of the cf push command. Apps are able to then continuously restart and restage successfully.

This update allows the cf CLI to successfully pull container images hosted in ECR with valid AWS Identity and Access Management (IAM) user credentials.

For more information, see Amazon Elastic Container Registry (ECR) in Deploying an App with Docker.

Mutual TLS Added to Loggregator Endpoints and Components

Mutual TLS is added to the Loggregator, Loggregator Agent, and Log Cache endpoints. It is also added to the Leadership Election job. This provides additional security between these endpoints and metric scrapers.

For more information about Loggregator components, see Loggregator Architecture. For more information about the Leadership Election job and metric scraping, see the System Metrics repository on GitHub.

V2 Firehose Can Be Disabled

You can disable the Loggregator V2 Firehose by deselecting the Enable V2 Firehose checkbox in the System Logging pane of the PAS tile. This shuts down VMs used for the V2 Firehose, such as Dopplers and Reverse Log Proxies. After you disable the V2 Firehose, you can delete these VMs from your deployment to save resources.

Warning: If you disable the V1 or V2 Firehose, you must disable the Smoke Test Errand or the deploy fails. For more information, see Disable the Smoke Test Errand If You Disable the Firehose in the Pivotal Application Service v2.8 release notes.

For more information, see Configure System Logging in Configuring PAS.

Aggregate Drain for Metrics and App Logs

When an aggregate log and metric drain is configured in PAS, Pivotal Isolation Segment sends logs and metrics to the Loggregator Log Cache syslog server through the aggregate log and metric drain instead of the Loggregator Firehose. This allows you to disable the Firehose and delete related VMs, such as Dopplers and Reverse Log Proxies. For more information about disabling the Firehose, see V2 Firehose Can Be Disabled.

To enable an aggregate log and metric drain for your foundation, add a comma-separated list of syslog endpoints to the Aggregate log and metric drain destinations field in the System Logging pane of the PAS tile. For more information, see Configure System Logging in Configuring PAS.

About Advanced Features

The Advanced Features section of the Pivotal Isolation Segment v2.8 tile includes new functionality that may have certain constraints.

Although these features are fully supported, Pivotal recommends caution when using them in production.

Breaking Changes

Pivotal Isolation Segment v2.8 includes the following breaking changes:

Incorrect HTTP(S) Proxy Configuration Breaks CredHub Interpolation for Apps in Pivotal Isolation Segment v2.8.12 and Later

In Pivotal Isolation Segment v2.8.12 and later, apps that have an incorrect HTTP(S) Proxy configuration fail to stage or restart due to a CredHub interpolation error.

Before you upgrade to Pivotal Isolation Segment v2.8.12 or later, you must fix the HTTP(S) Proxy configuration of any impacted applications:

1. Determine whether your apps are impacted by following the resolution procedure in Knowledgebase Article 9305.
2. Update all impacted apps to use the recommended proxy settings that are documented in Configuring Proxy Settings for All Apps.
3. Restart modified apps.

Segment Name Property Is Renamed

The property .isolated_diego_cell.placement_tag is renamed .properties.compute_isolation and includes three new inputs. This may impact your platform automation scripts.

.properties.compute_isolation contains the following inputs:

• .properties.compute_isolation.disabled to disable compute isolation

• .properties.compute_isolation.enabled to enable compute isolation

• .properties.compute_isolation.enabled.isolation_segment_name to add a placement tag for your Diego Cells when compute isolation is enabled

You must update any platform automation scripts that include .isolated_diego_cell.placement_tag to use the new .properties.compute_isolation name and inputs. You must either disable compute isolation or enable compute isolation and specify a placement tag with these inputs.

For more information, see Compute and Networking Isolation in Pivotal Isolation Segment v2.8 Release Notes.

For guidance on setting configuration values, see Compute and Networking Isolation in Installing Pivotal Isolation Segment.

Compute Isolation Must Be Enabled If Networking Isolation Is Enabled

In the Pivotal Isolation Segment v2.8 tile, you cannot disable compute isolation and enable networking isolation at the same time. In the Compute and Network Isolation pane, you can disable compute isolation by selecting Disable under Compute isolation. If you disable compute isolation, you must set Router sharding mode to No isolation segment. If Compute isolation is disabled and Router sharding mode is set to Isolation segment only, the apps in your isolation segment fail to schedule.

Compute isolation is enabled by default. However, isolation segments do not require compute isolation. For more information, see Compute and Networking Isolation in Pivotal Isolation Segment v2.8 Release Notes.

For more information about configuring or disabling compute and networking isolation, see Compute and Networking Isolation in Installing Pivotal Isolation Segment.

Known Issues

There are currently no known issues in Pivotal Isolation Segment v2.8.