PCF Isolation Segment v1.10 Release Notes

Warning: Pivotal Cloud Foundry (PCF) v1.10 is no longer supported because it has reached the End of General Support (EOGS) phase. To stay up to date with the latest software and security updates, upgrade to a supported version.

Releases

1.10.31

Component Version
Stemcell 3468.21
cflinuxfs2 1.181.0
consul 165*
diego 1.7.1*
garden-runc 1.9.4
loggregator 77*
routing 0.146.0*
* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

1.10.30

Component Version
Stemcell 3468.21
cflinuxfs2 1.181.0
consul 165*
diego 1.7.1*
garden-runc 1.9.4
loggregator 77*
routing 0.146.0*
* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

1.10.29

Component Version
Stemcell 3445.22
cflinuxfs2 1.171.0
consul 165*
diego 1.7.1*
garden-runc 1.9.4
loggregator 77*
routing 0.146.0*
* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

1.10.28

  • [Security Fix] Bumps cflinuxfs2-release to v1.176.0 for USN-3513-1.
  • [Bug Fix] Patches loggregator-release to fix diodes data-race.
  • [Feature] Bumps garden-runc-release to v1.10.0:
    • It is now possible to specify a ProcessSpec.Image. Processes can now have their own filesystem view.
    • Limitation: It is only possible to use ProcessSpec.Image and ProcessSpec.OverrideContainerLimits with unprivileged containers.
      This will be fixed in future releases.
    • Limitation: APIs such as BulkMetrics and Process.Signal may not work immediately after container.Run(ProcessSpec) returns for processes with Image and/or OverrideContainerLimits specified. This will be fixed in future releases.
    • Reduced log volume in BulkMetrics for large environments.
    • Correctly declares that bundles it creates are OCI Runtime Spec version 1.0.0 compliant.
  • The Garden property cleanup_process_dirs_on_wait is configured to true, to reduce the growth of directories in the Garden container.

Component Version
Stemcell 3445.19
cflinuxfs2 1.171.0
consul 165*
diego 1.7.1*
garden-runc 1.9.4
loggregator 77*
routing 0.146.0*
* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

1.10.27

Component Version
Stemcell 3445.19
cflinuxfs2 1.171.0
consul 165*
diego 1.7.1*
garden-runc 1.9.4
loggregator 77*
routing 0.146.0*
* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

1.10.26

Component Version
Stemcell 3445.17
cflinuxfs2 1.168.0
consul 165*
diego 1.7.1*
garden-runc 1.9.4
loggregator 77*
routing 0.146.0*
* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

1.10.25

  • [Security Fix] Bumps cflinuxfs2-release to v1.166.0 to resolve USN-3475-1. See the release notes.
  • [Bug Fix] Patches loggregator-release to introduce a circuit breaker when the Traffic Controller connects to the Doppler VMs.
  • [Bug Fix] Patches loggregator-release to ensure metron agents maintain availability-zone affinity when connecting to Doppler VMs.
  • [Bug Fix] Patches consul-release to include Internationalized Domain Name encoding when specifying an availability-zone-specific service.

Component Version
Stemcell 3445.16
cflinuxfs2 1.166.0
consul 165*
diego 1.7.1*
garden-runc 1.9.4
loggregator 77*
routing 0.146.0*
* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

1.10.24

  • [Security Fix] Bumps the stemcell to v3445.16 to resolve several security vulnerabilities:
  • [Security Fix] Bumps the cflinuxfs2-release to v1.165.0 to resolve several security vulnerabilities:
  • [Bug Fix] Bumps garden-runc-release to v1.9.4 to resolve several bugs. Please see the release notes for more details:
  • [Bug Fix] Patches loggregator-release to remove the totalReceivedMessageCount metric from the v2 API.
  • [Bug Fix] Patches consul-release to include a fix for parsing the resolvers list on Windows.
  • [Bug Fix] Garden is now configured to destroy containers on start. With this setting, the garden process removes any containers that are already running when it starts, which prevents containers that should no longer be running from being left up.

Component Version
Stemcell 3445.16
cflinuxfs2 1.165.0
consul 165*
diego 1.7.1*
garden-runc 1.9.4
loggregator 77*
routing 0.146.0*
* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

1.10.23

  • [Security Fix] Bumps cflinuxfs2-release to v1.161.0 to resolve multiple security issues. See the release notes.
  • [Bug Fix] Patches consul-release to ensure encrypt key rotation only occurs when the key changes.

Component Version
Stemcell 3445.11
cflinuxfs2 1.161.0
consul 165*
diego 1.7.1*
garden-runc 1.9.0
loggregator 77*
routing 0.146.0*
* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

1.10.22

  • [Security Fix] Bumps cflinuxfs2-release to v1.158.0 to resolve multiple security issues. See the release notes.

Component Version
Stemcell 3445.11
cflinuxfs2 1.158.0
consul 165*
diego 1.7.1*
garden-runc 1.9.0
loggregator 77*
routing 0.146.0*
* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

1.10.21

  • [Bug Fix] Disables tracing in the gRPC components of Loggregator to prevent memory leak.

Component Version
Stemcell 3445.11
cflinuxfs2 1.156.0
consul 165*
diego 1.7.1*
garden-runc 1.9.0
loggregator 77*
routing 0.146.0*
* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

1.10.20

  • [Security Fix] Bumps cflinuxfs2-release to v1.156.0 to resolve multiple security issues. See the release notes.
  • [Security Fix] Resolves an issue with an incorrect Host header being set on incoming requests through the Router. See the CVE notice.
  • The Cipher Suites for the Router and HAProxy are now required fields.
  • Operators can now specify a minimum supported TLS version for the Router and HAProxy.

Component Version
Stemcell 3445.11
cflinuxfs2 1.156.0
consul 165*
diego 1.7.1*
garden-runc 1.9.0
loggregator 77*
routing 0.146.0*
* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

1.10.19

  • [Security Fix] Bumps stemcell to v3445.11 to address USN-3420-2.
  • [Security Fix] Bumps cflinuxfs-release to v1.155.0 to address USN-3415-1.

Component Version
Stemcell 3445.11
cflinuxfs2 1.155.0
consul 165*
diego 1.7.1*
garden-runc 1.9.0
loggregator 77*
routing 0.146.0*
* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

1.10.18

  • [Security Fix] Bumps cflinuxfs2-release to v1.150.0 to resolve USN-3398-1.
  • [Feature Improvement] Operators can now configure a maximum number of idle connections for their Router VMs.

Component Version
Stemcell 3363.31
cflinuxfs2 1.150.0
consul 165*
diego 1.7.1*
garden-runc 1.9.0
loggregator 77*
routing 0.146.0*
* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

1.10.17

  • [Security Fix] Bumps stemcell to v3363.31 to resolve USN-3392-2.
  • [Security Fix] Bumps cflinuxfs2-release to v1.147.0 to resolve USN-3387-1 and USN-3388-1.

Component Version
Stemcell 3363.31
cflinuxfs2 1.147.0
consul 165*
diego 1.7.1*
garden-runc 1.9.0
loggregator 77*
routing 0.146.0*
* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

1.10.16

  • [Security Fix] Bumps stemcell to version 3363.30.
  • [Bug Fix] Patches Diego components to resolve race condition in the buildpack and Docker launchers, as well as the diego-sshd process that could cause errant process failures.

Component Version
Stemcell 3363.30
cflinuxfs2 1.145.0
consul 165*
diego 1.7.1*
garden-runc 1.9.0
loggregator 77*
routing 0.146.0*
* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

1.10.15

  • [Security Fix] Bumps stemcell to v3363.29 to resolve USN-3378-2.
  • [Security Fix] Bumps cflinuxfs2 to v1.145.0 to resolve multiple CVEs and USNs. Please see the release notes for more details.

Component Version
Stemcell 3363.29
cflinuxfs2 1.145.0
consul 165*
diego 1.7.1*
garden-runc 1.9.0
loggregator 77*
routing 0.146.0*
* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

1.10.14

  • The components included in routing-release (gorouter, route_registrar, routing-api, tcp_emitter, and tcp_router) have been updated to run on Go v1.8.

Component Version
Stemcell 3363.26
cflinuxfs2 1.133.0
consul 165*
diego 1.7.1*
garden-runc 1.9.0
loggregator 77*
routing 0.146.0*
* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

1.10.13

  • [Security Fix] The Router will now validate the UAA token issuer field. This will prevent users with valid tokens belonging to an Identity Zone other than the default zone from escalating their privileges when making requests against system components.
  • Sets the default max-in-flight value for the Diego Cells to 4%. Operators can still use the Ops Manager API to configure this setting to fit their needs. The max-in-flight percentage for the Diego Cell job in the Elastic Runtime has been set to 10% since 1.10.0, but we have seen, especially in larger environments, that having the percentage this high can cause some problems:
    • Many simultaneous VM creates/deletes and BOSH blob updates can place significant stress on the underlying infrastructure, especially on vSphere which has a greater probability of being under-provisioned.
    • The cells that are draining are no longer available for allocation, resulting in a 10% decrease in total memory and disk capacity during the deployment. This can cause deployments to no longer have sufficient total capacity to run all the work, or to have insufficient headroom to place larger workloads successfully.

Component Version
Stemcell 3363.26
cflinuxfs2 1.133.0
consul 165*
diego 1.7.1*
garden-runc 1.9.0
loggregator 77*
routing 0.146.0*
* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

1.10.12

Component Version
Stemcell 3363.26
cflinuxfs2 1.133.0
consul 165*
diego 1.7.1*
garden-runc 1.9.0
loggregator 77*
routing 0.146.0*
* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

1.10.11

  • [Security Fix] Bumps cflinuxfs2-rootfs to 1.33.0. See the release notes.

Component Version
Stemcell 3363.26
cflinuxfs2 1.133.0
consul 165*
diego 1.7.1*
garden-runc 1.7.0
loggregator 77*
routing 0.146.0*
* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

1.10.10

  • Bumps stemcell to 3363.26.
  • Patches routing-release to include ‘instanceIndex’ field in HttpStartStop metrics for gorouter.

Component Version
Stemcell 3363.26
cflinuxfs2 1.126.0
consul 165*
diego 1.7.1*
garden-runc 1.7.0
loggregator 77*
routing 0.146.0*
* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

1.10.9

  • Bumps garden-runc to v1.7.0.
  • Patches diego-release to allow ICMP and UDP packet logging for security group rules.

Component Version
Stemcell 3363.25
cflinuxfs2 1.126.0
consul 165*
diego 1.7.1*
garden-runc 1.7.0
loggregator 77*
routing 0.146.0*
* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

1.10.8

  • Bumps stemcell to v3363.25.
  • Bumps cflinuxfs2 rootfs to v1.126.0.

Component Version
Stemcell 3363.25
cflinuxfs2 1.126.0
consul 165*
diego 1.7.1*
garden-runc 1.2.0
loggregator 77*
routing 0.146.0*
* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

1.10.7

  • Bumps stemcell to v3363.24.
  • Bumps cflinuxfs2 rootfs to v1.123.0.

Component Version
Stemcell 3363.24
cflinuxfs2 1.123.0
consul 165*
diego 1.7.1*
garden-runc 1.2.0
loggregator 77*
routing 0.146.0*
* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

1.10.6

  • Patches Loggregator to resolve issue with operator-provided cipher suites.

Component Version
Stemcell 3363.20
cflinuxfs2-rootfs 1.60.0
consul 164
diego 1.7.1*
garden-runc 1.2.0
loggregator 77*
routing 0.146.0*
* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

1.10.5

  • Allows operators to specify DNS servers that differ from those provided in their BOSH configuration.

Component Version
Stemcell 3363.20
cflinuxfs2-rootfs 1.60.0
consul 164
diego 1.7.1*
garden-runc 1.2.0
loggregator 77*
routing 0.146.0*
* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

1.10.4

  • Bumps stemcell to v3363.20.
  • Bumps garden-runc to v1.2.0 to fix compatibility with some anti-virus scanning software.
  • Patches bug in Gorouter that caused the router to crash when invalid X-CF-APP-INSTANCE headers were sent in a request.
  • Patches bug in Gorouter that prevented operators from specifying additional TLS cipher suites.

Component Version
Stemcell 3363.20
cflinuxfs2-rootfs 1.60.0
consul 159
diego 1.7.1*
garden-runc 1.2.0
loggregator 77*
routing 0.146.0*
* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

1.10.3

  • Bumps consul-release to v159 to ensure TLS communication happens over TLS 1.2.

Component Version
Stemcell 3363.15
cflinuxfs2-rootfs 1.60.0
consul 159
diego 1.7.1*
garden-runc 1.1.1
loggregator 77*
routing 0.146.0*
* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

1.10.2

  • Bumps stemcell to version 3363.15.
  • Bumps the rootfs to v1.60.0 which provides stack version 1.111.0.

Component Version
Stemcell 3363.15
cflinuxfs2-rootfs 1.60.0
consul 152*
diego 1.7.1*
garden-runc 1.1.1
loggregator 77*
routing 0.146.0*
* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

1.10.1

  • Patches an issue with the naming of the router VM. See the note below for more details.
  • Bumps the rootfs to v1.59.0 which provides stack version 1.110.0.

The routers use consul for service discovery and necessarily require that their local consul agent join the larger Elastic Runtime consul cluster to send and receive service discovery updates. Membership in the cluster is managed by name and IP address.

The Elastic Runtime routers will register with a name like “router-1” or “router-4”, indicating their job name and VM index. Unfortunately, the Isolation Segment Tile routers use the same name to register themselves with the cluster and thus result in a naming collision.

This naming collision causes the routers in the Isolation Segment and the routers in the Elastic Runtime to fight for membership in the cluster. This instability can eventually cause the routers to become unavailable.

To resolve this, we have released a new version of the Isolation Segment tile that ensures that the consul members are properly namespaced.

Upgrading from 1.10.0 to 1.10.1 is still supported, although you will experience router downtime while this upgrade occurs. The routers with the conflicting names will be removed, and a new set of routers will be created with a dedicated namespace for the Isolation Segment tile. In the time between the removal of the old routers, and the addition of the new routers, you will not be able to route traffic to the Isolation Segment applications through the dedicated Isolation Segment routers.

If you are only using compute isolation and not deploying the dedicated routing VMs, this issue does not apply to your deployment. The primary, “shared” ERT routing tier will experience no loss of application routing during this upgrade.

Component Version
Stemcell 3363.10
cflinuxfs2-rootfs 1.59.0
consul 152
diego 1.7.1
garden-runc 1.1.1
loggregator 77*
routing 0.146.0*
* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

1.10.0

Component Version
Stemcell 3363.10
cflinuxfs2-rootfs 1.50.0
consul 152
diego 1.7.1*
garden-runc 1.1.1
loggregator 77
routing 0.146.0*
* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

About PCF Isolation Segment

PCF Isolation Segment is a new tile available for installation with PCF v1.10.

Isolation segments provide dedicated pools of resources where you can deploy apps and isolate workloads. Using isolation segments separates app resources as completely as if they were in different CF deployments but avoids redundant management and network complexity.

For more information on using isolation segments in your deployment, see Managing Isolation Segments.

How to Install

The procedure for installing PCF Isolation Segment v1.10 is documented in Installing PCF Isolation Segment.

To install a PCF Isolation Segment, you must first install PCF v1.10.

About Advanced Features

The Advanced Features section of the PCF Isolation Segment tile includes new functionality that may have certain constraints.

Although these features are fully supported, Pivotal recommends caution when using them in production.