Pivotal Elastic Runtime v1.11 Release Notes

Pivotal Cloud Foundry is certified by the Cloud Foundry Foundation for 2017.

Read more about the certified provider program and the requirements of providers.


Releases

1.11.19

  • [Security Fix] Bumps cflinuxfs2-release to v1.166.0 to resolve USN-3475-1. Release Notes
  • [Bug Fix] Bumps cf-mysql-release to v36.9.0 to resolve an issue where IPsec causes mariadb_ctrl to be left in an Execution Failed state. Release Notes
  • [Bug Fix] Bumps consul-release to v187 to include a fix for Internationalized Domain Name encoding when specifying an availability-zone-specific service.
  • [Bug Fix] Bumps notifications-release to v37 to resolve a race condition in the cf CLI used during the deployment of the notifications service errand. Release Notes
  • [Security Fix] Patches Golang components in capi-release to pull in Golang v1.8.3.
  • [Bug Fix] Patches loggregator-release to introduce a circuit breaker when the Traffic Controller connects to the Doppler VMs.
  • [Bug Fix] Patches loggregator-release to ensure metron agents maintain availability-zone affinity when connecting to Doppler VMs.
  • [Bug Fix] Changes the scheme for the SAML Entity ID from http to https.

Component                      Version
Stemcell                       3445.16
binary-offline-buildpack       1.0.14
capi                           1.28.0*
cf                             259*
cf-autoscaling                 93.1
cf-backup-and-restore          0.0.5
cf-mysql                       36.9.0
cf-networking                  0.25.0*
cf-smoke-tests                 21
cflinuxfs2                     1.166.0
consul                         187
diego                          1.23.2
dotnet-core-offline-buildpack  1.0.24
etcd                           104
garden-runc                    1.9.4
go-offline-buildpack           1.8.6
java-offline-buildpack         4.5
loggregator                    89*
mysql-backup                   1.33.0
mysql-monitoring               8.8.0
nats                           16
nfs-volume                     1.0.6
nodejs-offline-buildpack       1.6.6
notifications                  37
notifications-ui               28
php-offline-buildpack          4.3.40
pivotal-account                1.6.0
postgres                       17
push-apps-manager-release      661.1.33
python-offline-buildpack       1.5.24
routing                        0.160.0*
ruby-offline-buildpack         1.6.47
scalablesyslog                 11
service-backup                 18.1.2
staticfile-offline-buildpack   1.4.14
statsd-injector                1.0.28
syslog-migration               4
uaa                            45.4
* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

1.11.18

  • [Security Fix] Bumps the stemcell to v3445.16 to resolve several security vulnerabilities:
  • [Security Fix] Bumps the cflinuxfs2-release to v1.165.0 to resolve several security vulnerabilities:
  • [Bug Fix] Bumps uaa-release to v45.4 to prevent a denial of service attack against the token revocation endpoint.
  • [Bug Fix] Patches loggregator-release to remove the totalReceivedMessageCount metric from the v2 API.
  • The logging level for the Cloud Controller, Cloud Controller Worker, and Cloud Controller Clock has been lowered from debug to info. This should help reduce log volume while still logging detailed Cloud Controller information.
  • [Bug Fix] Garden is now configured to destroy containers on start. With this setting, the garden process removes any containers that are already running when it starts. This prevents containers that should no longer be running from being left running.
  • The SAML Signature Algorithm field is now configurable outside of the Identity Provider option for SAML. This means that deployments using a non-SAML identity provider can still configure their SAML settings for SSO.
  • Operators can now opt in to allowing remote administrator access to the internal MySQL database. This was previously enabled by default in releases prior to 1.11.3. In that release, cf-mysql was bumped to v36. That release brought a number of security improvements, including the ability to prevent remote administrator access to the database. Unfortunately, this was a feature that some operators had come to rely upon. The Elastic Runtime will now allow those operators to enable the feature on a selective basis.

Component                      Version
Stemcell                       3445.16
binary-offline-buildpack       1.0.14
capi                           1.28.0*
cf                             259*
cf-autoscaling                 93.1
cf-backup-and-restore          0.0.5
cf-mysql                       36.6.0
cf-networking                  0.25.0*
cf-smoke-tests                 21
cflinuxfs2                     1.165.0
consul                         181
diego                          1.23.2
dotnet-core-offline-buildpack  1.0.24
etcd                           104
garden-runc                    1.9.4
go-offline-buildpack           1.8.6
java-offline-buildpack         4.5
loggregator                    89*
mysql-backup                   1.33.0
mysql-monitoring               8.8.0
nats                           16
nfs-volume                     1.0.6
nodejs-offline-buildpack       1.6.6
notifications                  36
notifications-ui               28
php-offline-buildpack          4.3.40
pivotal-account                1.6.0
postgres                       17
push-apps-manager-release      661.1.33
python-offline-buildpack       1.5.24
routing                        0.160.0*
ruby-offline-buildpack         1.6.47
scalablesyslog                 11
service-backup                 18.1.2
staticfile-offline-buildpack   1.4.14
statsd-injector                1.0.28
syslog-migration               4
uaa                            45.4
* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

1.11.17

  • [Security Fix] Bumps cflinuxfs2-release to v1.161.0 to resolve multiple security issues. Release Notes
  • [Bug Fix] Bumps consul-release to v181 to ensure encrypt key rotation only occurs when the key changes.
  • [Bug Fix] Patches cf-networking-release to allow deployment against a MySQL database version < 5.7.
  • [Security Fix] Ensures Cloud Controller CEF logs are written both to disk and to syslog. Logs now show up in /var/vcap/sys/log/cloud_controller_ng/security_events.log.

Component                      Version
Stemcell                       3445.11
binary-offline-buildpack       1.0.14
capi                           1.28.0*
cf                             259*
cf-autoscaling                 93.1
cf-backup-and-restore          0.0.5
cf-mysql                       36.6.0
cf-networking                  0.25.0*
cf-smoke-tests                 21
cflinuxfs2                     1.161.0
consul                         181
diego                          1.23.2
dotnet-core-offline-buildpack  1.0.24
etcd                           104
garden-runc                    1.9.4
go-offline-buildpack           1.8.6
java-offline-buildpack         4.5
loggregator                    89*
mysql-backup                   1.33.0
mysql-monitoring               8.8.0
nats                           16
nfs-volume                     1.0.6
nodejs-offline-buildpack       1.6.6
notifications                  36
notifications-ui               28
php-offline-buildpack          4.3.40
pivotal-account                1.6.0
postgres                       17
push-apps-manager-release      661.1.33
python-offline-buildpack       1.5.24
routing                        0.160.0*
ruby-offline-buildpack         1.6.47
scalablesyslog                 11
service-backup                 18.1.2
staticfile-offline-buildpack   1.4.14
statsd-injector                1.0.28
syslog-migration               4
uaa                            45.3
* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

1.11.16

  • [Security Fix] Bumps cflinuxfs2-release to v1.158.0 to resolve multiple security issues. Release Notes

Component                      Version
Stemcell                       3445.11
binary-offline-buildpack       1.0.14
capi                           1.28.0*
cf                             259*
cf-autoscaling                 93.1
cf-backup-and-restore          0.0.5
cf-mysql                       36.6.0
cf-networking                  0.25.0
cf-smoke-tests                 21
cflinuxfs2                     1.158.0
consul                         167
diego                          1.23.2
dotnet-core-offline-buildpack  1.0.24
etcd                           104
garden-runc                    1.9.4
go-offline-buildpack           1.8.6
java-offline-buildpack         4.5
loggregator                    89*
mysql-backup                   1.33.0
mysql-monitoring               8.8.0
nats                           16
nfs-volume                     1.0.6
nodejs-offline-buildpack       1.6.6
notifications                  36
notifications-ui               28
php-offline-buildpack          4.3.40
pivotal-account                1.6.0
postgres                       17
push-apps-manager-release      661.1.33
python-offline-buildpack       1.5.24
routing                        0.160.0*
ruby-offline-buildpack         1.6.47
scalablesyslog                 11
service-backup                 18.1.2
staticfile-offline-buildpack   1.4.14
statsd-injector                1.0.28
syslog-migration               4
uaa                            45.3
* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

1.11.15

  • [Security Improvement] Bumps garden-runc-release to v1.9.4. Release Notes.
  • [Bug Fix] Bumps uaa-release to v45.3. Release Notes.
  • [Bug Fix] Bumps scalable-syslog-release to v11. Release Notes.
  • [Bug Fix] Resolves an issue with S3-compatible stores specifying the N/A region.
  • [Feature Improvement] Router now supports setting a Frontend Idle Timeout to maintain an open connection when clients support keep-alive. The default value is 900 seconds.

Component                      Version
Stemcell                       3445.11
binary-offline-buildpack       1.0.14
capi                           1.28.0*
cf                             259*
cf-autoscaling                 93.1
cf-backup-and-restore          0.0.5
cf-mysql                       36.6.0
cf-networking                  0.25.0
cf-smoke-tests                 21
cflinuxfs2                     1.156.0
consul                         167
diego                          1.23.2
dotnet-core-offline-buildpack  1.0.24
etcd                           104
garden-runc                    1.9.4
go-offline-buildpack           1.8.6
java-offline-buildpack         4.5
loggregator                    89*
mysql-backup                   1.33.0
mysql-monitoring               8.8.0
nats                           16
nfs-volume                     1.0.6
nodejs-offline-buildpack       1.6.6
notifications                  36
notifications-ui               28
php-offline-buildpack          4.3.40
pivotal-account                1.6.0
postgres                       17
push-apps-manager-release      661.1.33
python-offline-buildpack       1.5.24
routing                        0.160.0*
ruby-offline-buildpack         1.6.47
scalablesyslog                 11
service-backup                 18.1.2
staticfile-offline-buildpack   1.4.14
statsd-injector                1.0.28
syslog-migration               4
uaa                            45.3
* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

1.11.14

  • [Security Fix] Bumps cflinuxfs2-release to v1.156.0 to resolve multiple security issues. Release Notes
  • [Security Fix] Bumps cf-mysql-release to v36.6 to patch vulnerabilities in Bundler and RubyGems (CVE-2016-7954, CVE-2017-0902).
  • [Security Fix] Resolves a remote code execution security vulnerability when the zip program is executed by the Cloud Controller.
  • [Security Fix] Resolves an issue with an incorrect Host header being set on incoming requests through the Router (CVE Notice).
  • [Bug Fix] AppsManager will now show all Application Security Group rules.
  • [Bug Fix] Loggregator API counters will now include a correct delta.
  • Bumps the following buildpack releases:
  • [Stability Improvement] Changes the default for Galera MySQL state snapshot transfers (SST). Automatic SST is now enabled by default. Operators can disable this feature by visiting the “Internal MySQL” tab and checking the “Prevent node auto re-join” checkbox.
  • Operators can now specify a minimum supported TLS version for the Router and HAProxy.
  • The Cipher Suites for the Router and HAProxy are now required fields.

Component                      Version
Stemcell                       3445.11
binary-offline-buildpack       1.0.14
capi                           1.28.0*
cf                             259*
cf-autoscaling                 93.1
cf-backup-and-restore          0.0.5
cf-mysql                       36.6.0
cf-networking                  0.25.0
cf-smoke-tests                 21
cflinuxfs2                     1.156.0
consul                         167
diego                          1.23.2
dotnet-core-offline-buildpack  1.0.24
etcd                           104
garden-runc                    1.9.0
go-offline-buildpack           1.8.6
java-offline-buildpack         4.5
loggregator                    89*
mysql-backup                   1.33.0
mysql-monitoring               8.8.0
nats                           16
nfs-volume                     1.0.6
nodejs-offline-buildpack       1.6.6
notifications                  36
notifications-ui               28
php-offline-buildpack          4.3.40
pivotal-account                1.6.0
postgres                       17
push-apps-manager-release      661.1.33
python-offline-buildpack       1.5.24
routing                        0.160.0*
ruby-offline-buildpack         1.6.47
scalablesyslog                 4
service-backup                 18.1.2
staticfile-offline-buildpack   1.4.14
statsd-injector                1.0.28
syslog-migration               4
uaa                            45
* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

1.11.13

  • [Security Fix] Bumps stemcell to v3445.11 to address USN-3420-2.
  • [Security Fix] Bumps cflinuxfs-release to v1.155.0 to address USN-3415-1.

Component                      Version
Stemcell                       3445.11
binary-offline-buildpack       1.0.13
capi                           1.28.0*
cf                             259*
cf-autoscaling                 93.1
cf-backup-and-restore          0.0.5
cf-mysql                       36.5.0
cf-networking                  0.25.0
cf-smoke-tests                 21
cflinuxfs2                     1.155.0
consul                         167
diego                          1.23.2
dotnet-core-offline-buildpack  1.0.22
etcd                           104
garden-runc                    1.9.0
go-offline-buildpack           1.8.5
java-offline-buildpack         3.18
loggregator                    89*
mysql-backup                   1.33.0
mysql-monitoring               8.8.0
nats                           16
nfs-volume                     1.0.6
nodejs-offline-buildpack       1.6.3
notifications                  36
notifications-ui               28
php-offline-buildpack          4.3.38
pivotal-account                1.6.0
postgres                       17
push-apps-manager-release      661.1.32
python-offline-buildpack       1.5.20
routing                        0.160.0
ruby-offline-buildpack         1.6.44
scalablesyslog                 4
service-backup                 18.1.2
staticfile-offline-buildpack   1.4.11
statsd-injector                1.0.28
syslog-migration               4
uaa                            45
* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

1.11.12

  • [Bug Fix] Bumps apps-manager-release to v661.1.32 to resolve:
    • Several issues when viewing Apps Manager on Internet Explorer and Microsoft Edge browsers.
    • Communicating directly with Spring apps to retrieve heap dumps.
  • [Bug Fix] Patches loggregator to resolve the following:
    • The keep alive handler for websocket connections to TC is closing the connection early.
    • Separates internal cipher suite configurations.
    • When doppler crashes, metrons connected to it get “stuck”.
  • [Bug Fix] Disables inadvertent iptables logging when container networking is enabled.
  • [Bug Fix] Bumps cf-mysql-release to v36.5 to resolve an issue with Syslog configuration.
  • [Bug Fix] Prevents a race condition during upgrade by not allowing syslog configuration to be set in metron.

Component                      Version
Stemcell                       3421.20
binary-offline-buildpack       1.0.13
capi                           1.28.0*
cf                             259*
cf-autoscaling                 93.1
cf-backup-and-restore          0.0.5
cf-mysql                       36.5.0
cf-networking                  0.25.0
cf-smoke-tests                 21
cflinuxfs2                     1.150.0
consul                         167
diego                          1.23.2
dotnet-core-offline-buildpack  1.0.22
etcd                           104
garden-runc                    1.9.0
go-offline-buildpack           1.8.5
java-offline-buildpack         3.18
loggregator                    89*
mysql-backup                   1.33.0
mysql-monitoring               8.8.0
nats                           16
nfs-volume                     1.0.6
nodejs-offline-buildpack       1.6.3
notifications                  36
notifications-ui               28
php-offline-buildpack          4.3.38
pivotal-account                1.6.0
postgres                       17
push-apps-manager-release      661.1.32
python-offline-buildpack       1.5.20
routing                        0.160.0
ruby-offline-buildpack         1.6.44
scalablesyslog                 4
service-backup                 18.1.2
staticfile-offline-buildpack   1.4.11
statsd-injector                1.0.28
syslog-migration               4
uaa                            45
* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

1.11.11

  • [Security Fix] Bumps cflinuxfs2-release to v1.150.0 to resolve USN-3398-1.
  • [Bug Fix] Bumps cf-autoscaling-release to v93.1. Release Notes.
  • [Bug Fix] Bumps apps-manager-release to v661.1.31, including the following fixes:
    • The square logo will now display correctly in the header.
    • Users can now see shared private domains on the org domains tab.
  • [Bug Fix] Fixes a data migration in Cloud Controller to prune duplicate routes when upgrading to this version from a 1.10.x version of the Elastic Runtime.
  • [Bug Fix] Resolves an issue where deleting an application would not generate a TASK_STOPPED event for any tasks associated with that application.
  • [Feature Improvement] Operators can now configure a “Staging Timeout” to force Cloud Controller to wait for staging of applications that may take a very long time.
  • [Feature Improvement] The internal MySQL cluster now emits metrics via the Firehose. You can use cf nozzle to view those metrics as they are emitted. See Elastic Runtime MySQL KPIs for KPIs based on the metrics.

Component                      Version
Stemcell                       3421.20
binary-offline-buildpack       1.0.13
capi                           1.28.0*
cf                             259*
cf-autoscaling                 93.1
cf-backup-and-restore          0.0.5
cf-mysql                       36
cf-networking                  0.25.0
cf-smoke-tests                 21
cflinuxfs2                     1.150.0
consul                         167
diego                          1.23.2
dotnet-core-offline-buildpack  1.0.22
etcd                           104
garden-runc                    1.9.0
go-offline-buildpack           1.8.5
java-offline-buildpack         3.18
loggregator                    89
mysql-backup                   1.33.0
mysql-monitoring               8.8.0
nats                           16
nfs-volume                     1.0.6
nodejs-offline-buildpack       1.6.3
notifications                  36
notifications-ui               28
php-offline-buildpack          4.3.38
pivotal-account                1.6.0
postgres                       17
push-apps-manager-release      661.1.31
python-offline-buildpack       1.5.20
routing                        0.160.0
ruby-offline-buildpack         1.6.44
scalablesyslog                 4
service-backup                 18.1.2
staticfile-offline-buildpack   1.4.11
statsd-injector                1.0.28
syslog-migration               4
uaa                            45
* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

1.11.10

  • [Security Fix] Bumps stemcell to v3421.20 to resolve USN-3392-2.
  • [Security Fix] Bumps cflinuxfs2-release to v1.147.0 to resolve USN-3387-1 and USN-3388-1.

Component                      Version
Stemcell                       3421.20
binary-offline-buildpack       1.0.13
capi                           1.28.0*
cf                             259*
cf-autoscaling                 93
cf-backup-and-restore          0.0.5
cf-mysql                       36
cf-networking                  0.25.0
cf-smoke-tests                 21
cflinuxfs2                     1.147.0
consul                         167
diego                          1.23.2
dotnet-core-offline-buildpack  1.0.22
etcd                           104
garden-runc                    1.9.0
go-offline-buildpack           1.8.5
java-offline-buildpack         3.18
loggregator                    89
mysql-backup                   1.33.0
mysql-monitoring               8.3.0
nats                           16
nfs-volume                     1.0.6
nodejs-offline-buildpack       1.6.3
notifications                  36
notifications-ui               28
php-offline-buildpack          4.3.38
pivotal-account                1.6.0
postgres                       17
push-apps-manager-release      661.1.30
python-offline-buildpack       1.5.20
routing                        0.160.0
ruby-offline-buildpack         1.6.44
scalablesyslog                 4
service-backup                 18.1.2
staticfile-offline-buildpack   1.4.11
statsd-injector                1.0.28
syslog-migration               4
uaa                            45
* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

1.11.9

  • [Security Fix] Bumps stemcell to version 3421.19.
  • [Bug Fix] Bumps diego-release to v1.23.2 to resolve a number of issues including:
    • improving locket stability during MySQL updates which resolves the known issue Brief Unavailability of Application Management during Internal MySQL Database Updates
    • reporting the correct result of running tasks on Windows cells
    • resolution of a race condition in the process launching code that could cause process failures
    • improvements to the healthcheck error messaging
    • removing the extraneous “cancelled” message in logs when applications crash
    • prefixing process errors with their log source
    • removing exit codes from healthcheck output when an application fails its healthcheck
  • [Bug Fix] Cloud Controller will no longer maintain keepalive connections to the Router as it could cause errant 502 responses when making API calls.
  • Applications now have access to the certificate provided by the requester via the X-Forwarded-Client-Cert header. Configuration for this feature can be found on the Networking tab.
  • The regions listed on the File Storage form and the selector for Internal MySQL backups for S3-compatible blobstores now include all available S3 regions.
  • Automated backup for the internal MySQL instances now includes support for GCP and Azure.

Component                      Version
Stemcell                       3421.19
binary-offline-buildpack       1.0.13
capi                           1.28.0*
cf                             259*
cf-autoscaling                 93
cf-backup-and-restore          0.0.5
cf-mysql                       36
cf-networking                  0.25.0
cf-smoke-tests                 21
cflinuxfs2                     1.145.0
consul                         167
diego                          1.23.2
dotnet-core-offline-buildpack  1.0.22
etcd                           104
garden-runc                    1.9.0
go-offline-buildpack           1.8.5
java-offline-buildpack         3.18
loggregator                    89
mysql-backup                   1.33.0
mysql-monitoring               8.3.0
nats                           16
nfs-volume                     1.0.6
nodejs-offline-buildpack       1.6.3
notifications                  36
notifications-ui               28
php-offline-buildpack          4.3.38
pivotal-account                1.6.0
postgres                       17
push-apps-manager-release      661.1.31
python-offline-buildpack       1.5.20
routing                        0.160.0
ruby-offline-buildpack         1.6.44
scalablesyslog                 4
service-backup                 18.1.2
staticfile-offline-buildpack   1.4.11
statsd-injector                1.0.28
syslog-migration               4
uaa                            45
* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

1.11.8

  • [Security Fix] Bumps stemcell to v3421.18 to resolve USN-3378-2.
  • [Security Fix] Bumps cflinuxfs2 to v1.145.0 to resolve multiple CVEs and USNs. Please see the release notes for more details.

Component                      Version
Stemcell                       3421.18
binary-offline-buildpack       1.0.13
capi                           1.28.0*
cf                             259*
cf-autoscaling                 93
cf-backup-and-restore          0.0.5
cf-mysql                       36
cf-networking                  0.25.0
cf-smoke-tests                 21
cflinuxfs2                     1.145.0
consul                         167
diego                          1.18.1
dotnet-core-offline-buildpack  1.0.22
etcd                           104
garden-runc                    1.9.0
go-offline-buildpack           1.8.5
java-offline-buildpack         3.18
loggregator                    89
mysql-backup                   1.33.0
mysql-monitoring               8.3.0
nats                           16
nfs-volume                     1.0.6
nodejs-offline-buildpack       1.6.3
notifications                  36
notifications-ui               28
php-offline-buildpack          4.3.38
pivotal-account                1.6.0
postgres                       17
push-apps-manager-release      661.1.30
python-offline-buildpack       1.5.20
routing                        0.157.0*
ruby-offline-buildpack         1.6.44
scalablesyslog                 4
service-backup                 18.1.2
staticfile-offline-buildpack   1.4.11
statsd-injector                1.0.28
syslog-migration               4
uaa                            45
* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

1.11.7

  • [Security Improvement] Operators can now choose to disable the recording of command history when running the mysql command on their Internal MySQL VMs. Unchecking the “Allow Command History” checkbox on the “Internal MySQL” tab will disable recording of that history into the .mysql_history file.
  • [Bug Fix] Bumps apps-manager-release to v661.1.30. In this version, the dependencies for Apps Manager are now properly vendored to support deployments on internetless environments.
  • [Bug Fix] Bumps uaa-release to v45. This version includes a patch to ensure that systems deployed on non-RFC 1918 networks will have their Router IPs automatically added to the whitelist of proxies for the UAA.
  • [Bug Fix] The smoke test errand will now correctly use the system organization to deploy its canary applications.
  • The components included in routing-release (gorouter, route_registrar, routing-api, tcp_emitter, and tcp_router) have been updated to run on Go v1.8.

Component                      Version
Stemcell                       3421.9
binary-offline-buildpack       1.0.13
capi                           1.28.0*
cf                             259*
cf-autoscaling                 93
cf-backup-and-restore          0.0.5
cf-mysql                       36
cf-networking                  0.25.0
cf-smoke-tests                 21
cflinuxfs2                     1.133.0
consul                         167
diego                          1.18.1
dotnet-core-offline-buildpack  1.0.22
etcd                           104
garden-runc                    1.9.0
go-offline-buildpack           1.8.5
java-offline-buildpack         3.18
loggregator                    89
mysql-backup                   1.33.0
mysql-monitoring               8.3.0
nats                           16
nfs-volume                     1.0.6
nodejs-offline-buildpack       1.6.3
notifications                  36
notifications-ui               28
php-offline-buildpack          4.3.38
pivotal-account                1.6.0
postgres                       17
push-apps-manager-release      661.1.30
python-offline-buildpack       1.5.20
routing                        0.157.0*
ruby-offline-buildpack         1.6.44
scalablesyslog                 4
service-backup                 18.1.2
staticfile-offline-buildpack   1.4.11
statsd-injector                1.0.28
syslog-migration               4
uaa                            45
* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

1.11.6

  • [Security Fix] Bumps apps-manager-release to v661.1.29. This release has the following updates:
    • Bumps nodejs to v6.11.1 to provide security fixes.
    • Includes org_id and org_name in usage report zip file.
    • Ensures Spring Actuator requests happen over HTTPS.
  • [Bug Fix] Includes AWS US East (Ohio) region in the region selector for Internal MySQL backups.
  • [Bug Fix] Specifies a more consistent cluster identifier, cf, for the Internal MySQL cluster when emitting metrics.
  • [Stability Improvement] Reduces the default for cc.droplets.max_staged_droplets_stored from 5 to 2. This will result in reduced blobstore utilization as the Cloud Controller will only keep 2 historic staged application droplets, in addition to the currently running application droplet. Garbage collection of expired droplets will occur the next time an application is staged.

Component                      Version
Stemcell                       3421.9
binary-offline-buildpack       1.0.13
capi                           1.28.0*
cf                             259*
cf-autoscaling                 93
cf-backup-and-restore          0.0.5
cf-mysql                       36
cf-networking                  0.25.0
cf-smoke-tests                 21
cflinuxfs2                     1.133.0
consul                         167
diego                          1.18.1
dotnet-core-offline-buildpack  1.0.22
etcd                           104
garden-runc                    1.9.0
go-offline-buildpack           1.8.5
java-offline-buildpack         3.18
loggregator                    89
mysql-backup                   1.33.0
mysql-monitoring               8.3.0
nats                           16
nfs-volume                     1.0.6
nodejs-offline-buildpack       1.6.3
notifications                  36
notifications-ui               28
php-offline-buildpack          4.3.38
pivotal-account                1.6.0
postgres                       17
push-apps-manager-release      661.1.29
python-offline-buildpack       1.5.20
routing                        0.157.0*
ruby-offline-buildpack         1.6.44
scalablesyslog                 4
service-backup                 18.1.2
staticfile-offline-buildpack   1.4.11
statsd-injector                1.0.28
syslog-migration               4
uaa                            41
* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

1.11.5

  • [Security Fix] Provides a fix for CVE-2017-8033. This security vulnerability would have allowed attackers to escalate their privileges by pushing an application that could modify the files on the Cloud Controller VM.
  • [Security Fix] The Router will now validate the UAA token issuer field. This will prevent users with valid tokens belonging to an Identity Zone other than the default zone from escalating their privileges when making requests against system components.
  • [Bug Fix] Resolves an issue with UAA SAML Service Provider Key Password quoting.
  • [Stability Improvement] Operators can now configure the Cluster Probe Timeout for their Internal MySQL cluster. This property controls the maximum time a new MySQL node will search for an existing cluster before starting its own. Higher values for this property will help to maintain cluster quorum on slower or more loaded infrastructures.
  • Bumps nfs-volume-release to v1.0.6. Release Notes
  • Bumps the following buildpacks to their latest version:
  • Sets the default max-in-flight value for the Diego Cells to 4%. Operators can still use the Ops Manager API to configure this setting to fit their needs. The max-in-flight percentage for the Diego Cell job in the Elastic Runtime has been set to 10% since 1.9, but we’ve seen, especially in larger environments, that having the percentage this high can cause some problems:
    • Many simultaneous VM creates/deletes and BOSH blob updates can place significant stress on the underlying infrastructure, especially on vSphere which has a greater probability of being under-provisioned.
    • The cells that are draining are no longer available for allocation, resulting in a 10% decrease in total memory and disk capacity during the deployment. This can cause deployments to no longer have sufficient total capacity to run all the work, or to have insufficient headroom to place larger workloads successfully.

Component                      Version
Stemcell                       3421.9
binary-offline-buildpack       1.0.13
capi                           1.28.0*
cf                             259*
cf-autoscaling                 93
cf-backup-and-restore          0.0.5
cf-mysql                       36
cf-networking                  0.25.0
cf-smoke-tests                 21
cflinuxfs2                     1.133.0
consul                         167
diego                          1.18.1
dotnet-core-offline-buildpack  1.0.22
etcd                           104
garden-runc                    1.9.0
go-offline-buildpack           1.8.5
java-offline-buildpack         3.18
loggregator                    89
mysql-backup                   1.33.0
mysql-monitoring               8.3.0
nats                           16
nfs-volume                     1.0.6
nodejs-offline-buildpack       1.6.3
notifications                  36
notifications-ui               28
php-offline-buildpack          4.3.38
pivotal-account                1.6.0
postgres                       17
push-apps-manager-release      661.1.24
python-offline-buildpack       1.5.20
routing                        0.157.0*
ruby-offline-buildpack         1.6.44
scalablesyslog                 4
service-backup                 18.1.2
staticfile-offline-buildpack   1.4.11
statsd-injector                1.0.28
syslog-migration               4
uaa                            41
* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

1.11.4

  • [Security Fix] Cloud Controller will now validate the UAA token issuer field. This will prevent users with valid tokens belonging to an Identity Zone other than the default zone from escalating their privileges when making requests against system components.
  • [Security Fix] Provides a fix for CVE-2017-8035. This security vulnerability would have allowed arbitrary files on the Cloud Controller VM to be downloaded by external API users.

Component                      Version
Stemcell                       3421.9
binary-offline-buildpack       1.0.13
capi                           1.28.0*
cf                             259*
cf-autoscaling                 93
cf-backup-and-restore          0.0.5
cf-mysql                       36
cf-networking                  0.25.0
cf-smoke-tests                 21
cflinuxfs2                     1.133.0
consul                         167
diego                          1.18.1
dotnet-core-offline-buildpack  1.0.19
etcd                           104
garden-runc                    1.9.0
go-offline-buildpack           1.8.4
java-offline-buildpack         3.17
loggregator                    89
mysql-backup                   1.33.0
mysql-monitoring               8.3.0
nats                           16
nfs-volume                     1.0.5
nodejs-offline-buildpack       1.5.36
notifications                  36
notifications-ui               28
php-offline-buildpack          4.3.34
pivotal-account                1.6.0
postgres                       17
push-apps-manager-release      661.1.24
python-offline-buildpack       1.5.19
routing                        0.157.0
ruby-offline-buildpack         1.6.40
scalablesyslog                 4
service-backup                 18.1.2
staticfile-offline-buildpack   1.4.6
statsd-injector                1.0.28
syslog-migration               4
uaa                            41
* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

1.11.3

  • [Bug Fix] Bumps cf-backup-and-restore-release to v0.0.5. [Release Notes]
  • [Security Improvement] Bumps cf-mysql-release to v36. [Release Notes]
  • Bumps service-backup-release to v18.1.2. [Release Notes]
  • [Bug Fix] Bumps garden-runc-release to v1.9.0. [Release Notes] Resolves known issue with private docker image registries.
  • [Bug Fix] Adds the network.write group to UAA. This new UAA group will allow operators to give users with the SpaceDeveloper role the ability to manage Container Networking access policy.
  • [Improvement] Allows operators to scale their etcd instance count to 0.

    Do not scale the number of etcd instances to 0 until you have completed your upgrade to PCF Elastic Runtime 1.11.

    Scaling the etcd instances to 0 before performing the upgrade will result in significant downtime on both the management and application tiers.

Component                      Version
Stemcell                       3421.9
binary-offline-buildpack       1.0.13
capi                           1.28.0*
cf                             259*
cf-autoscaling                 93
cf-backup-and-restore          0.0.5
cf-mysql                       36
cf-networking                  0.25.0
cf-smoke-tests                 21
cflinuxfs2                     1.133.0
consul                         167
diego                          1.18.1
dotnet-core-offline-buildpack  1.0.19
etcd                           104
garden-runc                    1.9.0
go-offline-buildpack           1.8.4
java-offline-buildpack         3.17
loggregator                    89
mysql-backup                   1.33.0
mysql-monitoring               8.3.0
nats                           16
nfs-volume                     1.0.5
nodejs-offline-buildpack       1.5.36
notifications                  36
notifications-ui               28
php-offline-buildpack          4.3.34
pivotal-account                1.6.0
postgres                       17
push-apps-manager-release      661.1.24
python-offline-buildpack       1.5.19
routing                        0.157.0
ruby-offline-buildpack         1.6.40
scalablesyslog                 4
service-backup                 18.1.2
staticfile-offline-buildpack   1.4.6
statsd-injector                1.0.28
syslog-migration               4
uaa                            41
* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

1.11.2

  • [Security Fix] Bumps cflinuxfs2-rootfs to 1.33.0. [Release Notes]
  • [Bug Fix] Bumps nfs-volume-release to v1.0.5. [Release Notes]
  • Bumps mysql-monitoring-release to v8.3.0. [Release Notes]
  • Bumps cf-mysql-release to v35.1.
  • Configuring an external system database will no longer scale down the internal MySQL components. This allows a mixed database configuration where the system database is external but the UAA database may use internal MySQL. Starting in ERT 1.11.0, the UAA database is configured independently on the UAA form. MySQL instance counts for existing installations will not be affected by this change. Going forward, you will need to manually set the instance count to 0 for all MySQL VMs (MySQL Server, MySQL Proxy, and MySQL Monitor) if they are not in use.

Component                      Version
Stemcell                       3421.9
binary-offline-buildpack       1.0.13
capi                           1.28.0*
cf                             259*
cf-autoscaling                 93
cf-backup-and-restore          0.0.3
cf-mysql                       35.1
cf-networking                  0.25.0
cf-smoke-tests                 21
cflinuxfs2                     1.133.0
consul                         167
diego                          1.18.1
dotnet-core-offline-buildpack  1.0.19
etcd                           104
garden-runc                    1.7.0
go-offline-buildpack           1.8.4
java-offline-buildpack         3.17
loggregator                    89
mysql-backup                   1.33.0
mysql-monitoring               8.3.0
nats                           16
nfs-volume                     1.0.5
nodejs-offline-buildpack       1.5.36
notifications                  36
notifications-ui               28
php-offline-buildpack          4.3.34
pivotal-account                1.6.0
postgres                       17
push-apps-manager-release      661.1.24
python-offline-buildpack       1.5.19
routing                        0.157.0
ruby-offline-buildpack         1.6.40
scalablesyslog                 4
service-backup                 18.0.4
staticfile-offline-buildpack   1.4.6
statsd-injector                1.0.28
syslog-migration               4
uaa                            41
* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

1.11.1

  • [Security Fix] Bumps stemcell to 3421.9.
  • [Security Fix] Bumps uaa-release to v41. [Release Notes]
  • [Security Fix] Bumps cflinuxfs2 to v1.126.0. [Release Notes]
  • Bumps the java buildpack to v3.17. [Release Notes]
  • Bumps diego-release to v1.18.1. [Release Notes]
  • [Bug Fix] Patches Cloud Controller to prevent a DB error when a staging response contains too many environment variables.
  • [Feature] Container-to-container networking will log iptables rules in the kernel log on each Diego Cell.
  • [Feature] All errands except smoke tests will default to run “when-changed”. Smoke tests will default to run every time.
  • Removes unnecessary persistent disk from Cloud Controller VM.
  • [Bug Fix] Resolves known issue with infrequent Diego cell rep crashes.

Component                      Version
Stemcell                       3421.9
binary-offline-buildpack       1.0.13
capi                           1.28.0*
cf                             259*
cf-autoscaling                 93
cf-backup-and-restore          0.0.3
cf-mysql                       35.0.1
cf-networking                  0.25.0
cf-smoke-tests                 21
cflinuxfs2                     1.126.0
consul                         167
diego                          1.18.1
dotnet-core-offline-buildpack  1.0.19
etcd                           104
garden-runc                    1.7.0
go-offline-buildpack           1.8.4
java-offline-buildpack         3.17
loggregator                    89
mysql-backup                   1.33.0
mysql-monitoring               8.1.3
nats                           16
nfs-volume                     1.0.3
nodejs-offline-buildpack       1.5.36
notifications                  36
notifications-ui               28
php-offline-buildpack          4.3.34
pivotal-account                1.6.0
postgres                       17
push-apps-manager-release      661.1.24
python-offline-buildpack       1.5.19
routing                        0.157.0
ruby-offline-buildpack         1.6.40
scalablesyslog                 4
service-backup                 18.0.4
staticfile-offline-buildpack   1.4.6
statsd-injector                1.0.28
syslog-migration               4
uaa                            41
* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

1.11.0

Component Version
Stemcell 3421.3
binary-offline-buildpack 1.0.13
capi 1.28.0*
cf 259*
cf-autoscaling 93
cf-backup-and-restore 0.0.3
cf-mysql 35.0.1
cf-networking 0.25.0
cf-smoke-tests 21
cflinuxfs2 1.123.0
consul 167
diego 1.16.1
dotnet-core-offline-buildpack 1.0.19
etcd 104
garden-runc 1.6.0
go-offline-buildpack 1.8.4
java-offline-buildpack 3.16.1
loggregator 89
mysql-backup 1.33.0
mysql-monitoring 8.1.3
nats 16
nfs-volume 1.0.3
nodejs-offline-buildpack 1.5.36
notifications 36
notifications-ui 28
php-offline-buildpack 4.3.34
pivotal-account 1.6.0
postgres 17
push-apps-manager-release 661.1.24
python-offline-buildpack 1.5.19
routing 0.157.0
ruby-offline-buildpack 1.6.40
scalablesyslog 4
service-backup 18.0.4
staticfile-offline-buildpack 1.4.6
statsd-injector 1.0.28
syslog-migration 4
uaa 40
* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

How to Upgrade

The procedure for upgrading to Pivotal Cloud Foundry Elastic Runtime v1.11 is documented in the Upgrading Pivotal Cloud Foundry topic.

When upgrading to v1.11, be aware of the following upgrade considerations:

  • You must upgrade first to a version of Elastic Runtime v1.10.x in order to successfully upgrade to v1.11.
  • Some partner service tiles may be incompatible with PCF v1.11. Pivotal is working with partners to ensure their tiles are being updated to work with the latest versions of PCF.

    For information about which partner service releases are currently compatible with PCF v1.11, review the appropriate partners services release documentation at https://docs.pivotal.io, or contact the partner organization that produces the tile.

About Advanced Features

The Advanced Features section of the Elastic Runtime tile includes new functionality that may have certain constraints.

Although these features are fully supported, Pivotal recommends caution when using them in production.

New Features in Elastic Runtime v1.11.0

This section describes new features of the release.

Apps Manager 508 Compliance

Apps Manager has improved its compliance with Section 508 of the Rehabilitation Act. Customers can now receive an approved Voluntary Product Accessibility Template (VPAT) for Apps Manager.

Container-to-Container Networking

The Container-to-Container Networking feature in Elastic Runtime is out of beta. For more information, see the Container-to-Container Networking topic.

Volume Services

General support for volume services inside of application containers is out of beta. Additionally, the Elastic Runtime ships with an NFS Volume Service Broker.

For more information, see Using an External File System (Volume Services) and Enabling NFS Volume Services.

Increased Application Maximum Disk Quotas

For applications that require large amounts of disk, the maximum disk quota has been raised to 20GB. This will allow application developers to specify a disk size up to 20GB for their applications.

Operators should note that Diego can have difficulty finding a placement for applications with large disk settings. If there is not enough disk on any of the Diego Cells, developers will see an “insufficient resources” error message. Ensuring that your Diego Cells provide enough disk to accommodate these much larger application instances will be an important part of your resource planning.

Override DNS Servers

By default, containers use the same DNS servers as the host. To override the DNS servers used by the containers of an isolation segment, enter a comma-separated list of servers in the DNS Servers field of the Application Containers section of the tile.

Highly-Available Default Configuration

The Resource Configuration defaults have been changed to streamline the path to a production-ready deployment. The default instance count for each VM type in the deployment has been set to ensure an operator can deploy a highly-available Cloud Foundry out of the box.

This change will result in larger resource requirements for a default Elastic Runtime deployment. Operators should take this into account when deploying environments on constrained resources.

Component BOSH releases are SHA2-checksummed

BOSH now supports releases that include a SHA2-checksum of their contents. All the releases included in the Elastic Runtime have been checksummed with SHA2 for improved data integrity in the face of hash collisions.

BOSH Backup and Restore

The Elastic Runtime now includes support for the new BOSH Backup and Restore tool (bbr). Using bbr allows an operator to take a snapshot of their internal blobstore and databases.

Private Docker Registries

Application developers can now push Docker-based applications with images that are hosted on a private registry.

PCF can use private Docker repositories from various different Docker registries:

Registry Version
DockerHub and Docker Trusted Registry 1.11.0
Sonatype Nexus 1.11.0
VMware Harbor 1.11.0
JFrog Artifactory 1.11.3
Google Container Registry (GCR) 1.11.3 (*)
EC2 Container Registry (ECR) Not Supported

* GCR can be used to host private Docker images for PCF. However, the passwords GCR issues are essentially access tokens which expire within an hour. This means that the initial application push will be successful but the application may later crash as PCF will not be able to contact GCR.

Common Syslog Formatting and Syslog over TLS

The Elastic Runtime now emits BOSH component logs in a common syslog format following RFC5424. Additionally, syslog over TLS is now supported to allow operators to deliver their platform logs securely to their syslog aggregator.

UAA supports SQL Server database

Operators can now independently configure their UAA service to store its data in an external SQL Server database. You can configure the UAA database in the UAA pane of the Elastic Runtime tile.

Important Note: UAA database configuration has been fully separated into the UAA tab to allow its independent configuration. Upon upgrade, settings will be migrated from the existing installation. Going forward, you must change both the UAA and System Database forms to keep their configuration in sync.

Improved Distributed Lock Management

In older versions of the Elastic Runtime, components that needed to maintain a distributed lock could leverage Consul to handle the locking mechanism. In 1.11, that locking mechanism has been replaced with a new service called locket. By switching to locket, the Elastic Runtime will be moving onto a more stable footing for its distributed locking needs.

UAA User Passwords Never Expire

As of v1.11, Elastic Runtime no longer provides the Number of Months Before Password Expires field in the Authentication and Enterprise SSO section. Instead, it sets the value to zero, which means that UAA user passwords for deployments using internal UAA never expire.

If you have set a non-zero password expiry, Elastic Runtime will set it to zero when you upgrade from v1.10 to v1.11.

Redirect URI Validation for OAuth Clients

Starting from v1.11, UAA validates the redirect URIs of OAuth clients to prevent open redirect attacks. A redirect URI is now a mandatory parameter for OAuth clients that use the authorization_code and implicit grant types to acquire an access token. For more information, see Known Issues.

Scalable Syslog

Loggregator now uses the Scalable Syslog BOSH release to support streaming app logs to syslog-compatible aggregation or analytics services. This new delivery method has the following benefits:

  • Decouples syslog drains from the Firehose
  • Prevents log loss in the Firehose that previously resulted from syslog drains competing for the resources used to deliver logs
  • Provides high message reliability for syslog drains
  • Maintains the UX of binding an app to a syslog drain service through Cloud Foundry user-provided services (CUPS)

For more information about Scalable Syslog in PCF, see Overview of the Loggregator System.

Known Issues

This section lists known issues for PCF Elastic Runtime.

Brief Unavailability of Application Management during Internal MySQL Database Updates

Fixed in ERT 1.11.9.

This issue applies only to Elastic Runtime deployments using an internal MySQL database with more than one MySQL instance. When updating this MySQL database deployment, some application management operations such as cf push may become unavailable for up to 15 seconds, as may the Routing API. Application instances will continue to run, however, and their routes will remain registered. This period of unavailability results from certain Elastic Runtime components losing their leader-election locks and being able to reclaim the lock only after the 15-second lock expiration time. This availability issue will be fixed in a forthcoming patch release.

App Autoscaler Panic

The App Autoscaler service can panic due to an issue with leader election. To avoid this issue, operators must manually scale the App Autoscaler service down to one instance before starting the upgrade to PCF v1.11. For more information, see the Scale Down App Autoscaler section of the Upgrading Pivotal Cloud Foundry topic.

If you fail to complete this procedure prior to the upgrade and the App Autoscaler service panics, follow the instructions in the Autoscaler failing on SQL query Knowledge Base article to restore the service.

Loggregator Metrics

Reverse Log Proxy (RLP) and Traffic Controller emit metrics tagged with a hard-coded deployment name. Because the components do not allow the deployment name to be configured, Metron cannot properly tag the metrics. This affects the following metrics:

  • loggregator.rlp.ingress
  • loggregator.rlp.dropped
  • loggregator.rlp.egress
  • loggregator.trafficcontroller.ingress

A patch is planned to fix this issue and apply the deployment name consistently.

Mount Location Bug

If you have the VOLUME ["/some/data/dir"] directive in your image, ensure your "mount" section in your bind JSON matches what is in the Dockerfile, such as "mount":"/some/data/dir".

See this example Dockerfile on GitHub for reference.

This only works if the path in question is in an already existing root level folder. For example, "/var/some/random/path" works, but "/some/random/path" causes your app to crash at startup. This limitation is caused by an aufs bug.

Private Docker Registry Support for ECR, GCR and JFrog Artifactory

Fixed in ERT 1.11.3.

The private Docker registry support referenced above does not currently support Amazon EC2 Container Registry, Google Cloud Platform Container Registry, or JFrog Artifactory. Future patches will bring support for these registries.

UAA Redirect URIs

A redirect URI is now mandatory for the authorization_code and implicit grant types, and is required to submit an access request. When using the UAA API or UAAC and declaring OAuth clients in the manifest, make sure at least one redirect URI is specified. Existing OAuth clients that do not provide this information will get an error when accessing the /oauth/authorize endpoint. See the example below:

{
"error": "invalid_client",
"error_description": "authorization_code grant type requires at least one redirect URL."
}

Redirect URIs should start with http or https. A subdomain regex is supported only in the first part of the base domain:

  • https://*.apps.com is supported.
  • https://*.apps.com* is not supported.
  • https://*.apps*.com* is not supported.
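A pre-upgrade check for the rules above, as an added example that is not part of the original release notes or of UAA's own code. It assumes client definitions are available as dictionaries with `client_id`, `authorized_grant_types` and `redirect_uri` fields, and it reads the three bullets as "a wildcard may appear only in the first host label"; the sample clients are constructed.

```python
from urllib.parse import urlsplit

# Grant types for which the release notes make a redirect URI mandatory.
REDIRECT_GRANTS = {"authorization_code", "implicit"}

def check_redirect_uri(uri):
    """Return the problems found in one redirect URI (empty list = acceptable)."""
    problems = []
    parts = urlsplit(uri)
    if parts.scheme not in ("http", "https"):
        problems.append("scheme is not http or https")
    host = parts.hostname or ""
    if not host:
        problems.append("no host")
    # Assumption: '*' is accepted only in the leftmost host label (*.apps.com).
    elif any("*" in label for label in host.split(".")[1:]):
        problems.append("wildcard outside the first host label")
    return problems

def audit_clients(clients):
    """Map client_id -> findings for clients that would be rejected under v1.11."""
    findings = {}
    for client in clients:
        needs_uri = set(client.get("authorized_grant_types", [])) & REDIRECT_GRANTS
        if not needs_uri:
            continue  # e.g. client_credentials: no redirect URI required
        uris = client.get("redirect_uri") or []
        issues = []
        if not uris:
            issues.append("no redirect URI for " + ", ".join(sorted(needs_uri)))
        for uri in uris:
            issues += [f"{uri}: {p}" for p in check_redirect_uri(uri)]
        if issues:
            findings[client["client_id"]] = issues
    return findings

# Constructed sample client definitions (not taken from a real deployment).
SAMPLE_CLIENTS = [
    {"client_id": "portal", "authorized_grant_types": ["authorization_code", "refresh_token"],
     "redirect_uri": ["https://*.apps.com"]},
    {"client_id": "legacy-ui", "authorized_grant_types": ["implicit"], "redirect_uri": []},
    {"client_id": "wild", "authorized_grant_types": ["authorization_code"],
     "redirect_uri": ["https://*.apps.com*", "ftp://files.apps.com/cb"]},
    {"client_id": "batch", "authorized_grant_types": ["client_credentials"]},
]

if __name__ == "__main__":
    for client_id, issues in audit_clients(SAMPLE_CLIENTS).items():
        print(client_id, issues)
```

Running the audit against client definitions before the upgrade identifies the clients that would otherwise receive the invalid_client error at /oauth/authorize.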

Failed Upgrade In Large Deployments

Upgrades of large deployments to Elastic Runtime v1.11 may fail due to a timeout while updating PostgreSQL. If the upgrade fails, redeploy.

For more information, see the “Deploying ERT 1.11 fails to due to a timeout while updating PostGreSQL” Knowledge Base article.

Diego Cell Rep Crashes

Fixed in ERT 1.11.1.

In ERT 1.11.0, the Diego cell rep process will infrequently crash as a result of a race condition when buffering health-check logs for application instances. The application instances on that cell will be rescheduled when the rep process is restarted or when the Diego system notices that its presence has expired, typically within 15 seconds of the rep process crashing.
