Pivotal Cloud Foundry v1.11

PCF Isolation Segment v1.11 Release Notes

Releases

1.11.30

Component         Version
Stemcell          3468.42
cf-networking     0.25.0*
cflinuxfs2        1.188.0
consul            187
diego             1.23.8
garden-runc       1.11.1
loggregator       89.0.27*
nfs-volume        1.0.6
routing           0.160.24*
syslog-migration  4.0.2
* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

1.11.29

Component         Version
Stemcell          3468.42
cf-networking     0.25.0*
cflinuxfs2        1.188.0
consul            187
diego             1.23.2
garden-runc       1.11.1
loggregator       89.0.27*
nfs-volume        1.0.6
routing           0.160.24*
syslog-migration  4.0.2
* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

1.11.28

  • [Security Fix] Bumps stemcell to v3468.30:
  • [Bug Fix] Bumps syslog-migration-release to v4.0.2:
    • Prevents blackbox logs from being written to the default syslog log files, which caused them to be written to disk 3 additional times.
    • Fixes RFC 5424 compatibility by ensuring that only 1 space occurs between the message and the structured data.
  • [Bug Fix] Bumps loggregator-release to v89.0.27 to fix Traffic Controller resource leaks when connections are slow.
  • [Feature Improvement] Adds the Custom syslog Configuration field to the System Logging tab for specifying custom logging rules. For more information, see custom syslog rules.
Component         Version
Stemcell          3468.30
cf-networking     0.25.0*
cflinuxfs2        1.188.0
consul            187
diego             1.23.2
garden-runc       1.11.1
loggregator       89.0.27*
nfs-volume        1.0.6
routing           0.160.24*
syslog-migration  4.0.2
* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

1.11.27

  • [Bug fix] Bump routing-release to 0.160.24
    • Remove backends on any error to prevent 502 errors from being returned to clients
    • Updates golang to v1.9.4
  • [Bug Fix] Remove unneeded persistent disk from diego brain vms
Component         Version
Stemcell          3468.25
cf-networking     0.25.0*
cflinuxfs2        1.188.0
consul            187
diego             1.23.2
garden-runc       1.11.1
loggregator       89*
nfs-volume        1.0.6
routing           0.160.24*
syslog-migration  4.0.1
* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

1.11.26

Note: it is recommended that you re-create all VMs when upgrading to this release, due to the update to garden-runc-release. This will happen automatically if you are updating your stemcell. If not, you can check the “Recreate All VMs” checkbox on the Ops Manager Director > Director Config tab.

Component         Version
Stemcell          3468.25
cf-networking     0.25.0*
cflinuxfs2        1.188.0
consul            187
diego             1.23.2
garden-runc       1.11.1
loggregator       89*
nfs-volume        1.0.6
routing           0.160.0*
syslog-migration  4.0.1
* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

1.11.25

  • [Security Fix] Patch routing-release for CVE-2018-1221.
  • [Bug Fix] Fix to ensure that Diego rep will always exit during evacuation, even if Garden destroy hangs during evacuation.
  • [Bug Fix] Patch syslog to prevent duplication from blackbox log forwarding.
  • [Feature Improvement] Enable Garden debug_listen_address to listen on a local interface.
Component         Version
Stemcell          3468.21
cf-networking     0.25.0*
cflinuxfs2        1.181.0
consul            187
diego             1.23.2
garden-runc       1.10.0
loggregator       89*
nfs-volume        1.0.6
routing           0.160.0*
syslog-migration  4.0.1
* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

1.11.24

  • This release was intended to contain a fix to prevent duplication from blackbox log forwarding, but this did not take effect until the next release.
Component         Version
Stemcell          3468.21
cf-networking     0.25.0*
cflinuxfs2        1.181.0
consul            187
diego             1.23.2
garden-runc       1.10.0
loggregator       89*
nfs-volume        1.0.6
routing           0.160.0*
syslog-migration  4.0.1
* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

1.11.23

  • [Security Fix] Bump stemcell to version 3468.21 to address issues:
  • [Security Fix] Bump cflinuxfs2-release to v1.181.0 to address issues:
  • [Feature Improvement] Bump syslog-migration-release to v4.0.1 and add a checkbox for log file forwarding through TCP to work around the Truncated Syslog Messages issue.
    • NOTE: Using TCP instead of the default UDP configuration may have a negative impact on performance.
Component         Version
Stemcell          3468.21
cf-networking     0.25.0*
cflinuxfs2        1.181.0
consul            187
diego             1.23.2
garden-runc       1.10.0
loggregator       89*
nfs-volume        1.0.6
routing           0.160.0*
syslog-migration  4.0.1
* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

1.11.22

  • [Bug Fix] Patches loggregator-release to ensure traffic controller starts pprof server.
Component         Version
Stemcell          3445.22
cf-networking     0.25.0*
cflinuxfs2        1.176.0
consul            187
diego             1.23.2
garden-runc       1.10.0
loggregator       89*
nfs-volume        1.0.6
routing           0.160.0*
syslog-migration  4
* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

1.11.21

Component         Version
Stemcell          3445.22
cf-networking     0.25.0*
cflinuxfs2        1.176.0
consul            187
diego             1.23.2
garden-runc       1.10.0
loggregator       89*
nfs-volume        1.0.6
routing           0.160.0*
syslog-migration  4
* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

1.11.20

  • [Security Fix] Bumps the stemcell to v3445.19 to resolve the following security issues:
  • [Security Fix] Bumps cflinuxfs2-release to v1.176.0 for USN-3513-1.
  • [Bug Fix] Resolves an issue in container-networking where a component in the same network with mTLS can cause a SQL injection on the DeleteEntry database handler.
  • [Feature] Bumps garden-runc-release to v1.10.0:
    • It is now possible to specify a ProcessSpec.Image. Processes can now have their own filesystem view.
    • Limitation: It is only possible to use ProcessSpec.Image and ProcessSpec.OverrideContainerLimits with unprivileged containers. This will be fixed in future releases.
    • Limitation: APIs such as BulkMetrics and Process.Signal may not work immediately after container.Run(ProcessSpec) returns for processes with Image and/or OverrideContainerLimits specified. This will be fixed in future releases.
    • Reduced log volume in BulkMetrics for large environments.
    • Correctly declares that bundles it creates are OCI Runtime Spec version 1.0.0 compliant.
  • The Garden property cleanup_process_dirs_on_wait is configured to true, to reduce the growth of directories in the Garden container.
Component         Version
Stemcell          3445.19
cf-networking     0.25.0*
cflinuxfs2        1.176.0
consul            187
diego             1.23.2
garden-runc       1.10.0
loggregator       89*
nfs-volume        1.0.6
routing           0.160.0*
syslog-migration  4
* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

1.11.19

  • [Security Fix] Bumps stemcell version to 3445.19 for USN-3509-2.
  • [Security Fix] Bumps cflinuxfs2-release to v1.171.0 to resolve several security vulnerabilities:
  • [Bug Fix] Operators can now optionally disable Router Access logs. This will prevent the Router local disk from becoming filled when the Routers are experiencing increased incoming traffic.
  • [Feature Improvement] Operators can now specify the mutual TLS certificate validation behavior for the Router. The Router will request certificates by default, and validate them if provided. Additionally, operators can configure the Router to ignore certificates, or to require them with every request.
  • This release does not set the Garden property cleanup_process_dirs_on_wait to true, which can leave many directories in the depot for the Garden container. This will be set to true in the next release.
Component         Version
Stemcell          3445.19
cf-networking     0.25.0*
cflinuxfs2        1.171.0
consul            187
diego             1.23.2
garden-runc       1.9.4
loggregator       89*
nfs-volume        1.0.6
routing           0.160.0*
syslog-migration  4
* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

1.11.18

Component         Version
Stemcell          3445.17
cf-networking     0.25.0*
cflinuxfs2        1.168.0
consul            187
diego             1.23.2
garden-runc       1.9.4
loggregator       89*
nfs-volume        1.0.6
routing           0.160.0*
syslog-migration  4
* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

1.11.17

  • [Security Fix] Bumps cflinuxfs2-release to v1.166.0 to resolve USN-3475-1. Release Notes
  • [Bug Fix] Bumps consul-release to v187 to include a fix for Internationalized Domain Name encoding when specifying an availability-zone-specific service.
  • [Bug Fix] Patches loggregator-release to introduce a circuit breaker when the Traffic Controller connects to the Doppler VMs.
  • [Bug Fix] Patches loggregator-release to ensure metron agents maintain availability-zone affinity when connecting to Doppler VMs.
Component         Version
Stemcell          3445.16
cf-networking     0.25.0*
cflinuxfs2        1.166.0
consul            187
diego             1.23.2
garden-runc       1.9.4
loggregator       89*
nfs-volume        1.0.6
routing           0.160.0*
syslog-migration  4
* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

1.11.16

  • [Security Fix] Bumps the stemcell to v3445.16 to resolve several security vulnerabilities:
  • [Security Fix] Bumps the cflinuxfs2-release to v1.165.0 to resolve several security vulnerabilities:
  • [Bug Fix] Patches loggregator-release to remove the totalReceivedMessageCount metric from the v2 API.
  • [Bug Fix] Garden is now configured to destroy containers on start. With this setting, the garden process removes any containers that are already running when it starts. This prevents issues where containers that should no longer be running are left running.
Component         Version
Stemcell          3445.16
cf-networking     0.25.0*
cflinuxfs2        1.165.0
consul            181
diego             1.23.2
garden-runc       1.9.4
loggregator       89*
nfs-volume        1.0.6
routing           0.160.0*
syslog-migration  4
* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

1.11.15

  • [Security Fix] Bumps cflinuxfs2-release to v1.161.0 to resolve multiple security issues. Release Notes
  • [Bug Fix] Bumps consul-release to v181 to ensure encrypt key rotation only occurs when the key changes.
  • [Bug Fix] Patches cf-networking-release to allow deployment against a MySQL database version < 5.7.
Component         Version
Stemcell          3445.11
cf-networking     0.25.0*
cflinuxfs2        1.161.0
consul            181
diego             1.23.2
garden-runc       1.9.4
loggregator       89*
nfs-volume        1.0.6
routing           0.160.0*
syslog-migration  4
* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

1.11.14

  • [Security Fix] Bumps cflinuxfs2-release to v1.158.0 to resolve multiple security issues. Release Notes
Component         Version
Stemcell          3445.11
cf-networking     0.25.0
cflinuxfs2        1.158.0
consul            167
diego             1.23.2
garden-runc       1.9.4
loggregator       89*
nfs-volume        1.0.6
routing           0.160.0*
syslog-migration  4
* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

1.11.13

  • [Security Improvement] Bumps garden-runc-release to v1.9.4. Release Notes.
  • [Feature Improvement] Router now supports setting a Frontend Idle Timeout to maintain an open connection when clients support keep-alive. The default value is 900 seconds.
Component         Version
Stemcell          3445.11
cf-networking     0.25.0
cflinuxfs2        1.156.0
consul            167
diego             1.23.2
garden-runc       1.9.4
loggregator       89*
nfs-volume        1.0.6
routing           0.160.0*
syslog-migration  4
* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

1.11.12

  • [Security Fix] Bumps cflinuxfs2-release to v1.156.0 to resolve multiple security issues. Release Notes
  • [Bug Fix] Loggregator API counters will now include a correct delta.
  • [Security Fix] Resolves an issue with an incorrect Host header being set on incoming requests through the Router. See the CVE Notice.
  • Operators can now specify a minimum supported TLS version for the Router and HAProxy.
  • The Cipher Suites for the Router and HAProxy are now required fields.
Component         Version
Stemcell          3445.11
cf-networking     0.25.0
cflinuxfs2        1.156.0
consul            167
diego             1.23.2
garden-runc       1.9.0
loggregator       89*
nfs-volume        1.0.6
routing           0.160.0*
syslog-migration  4
* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

1.11.11

  • [Security Fix] Bumps stemcell to v3445.11 to address USN-3420-2.
  • [Security Fix] Bumps cflinuxfs-release to v1.155.0 to address USN-3415-1.
Component         Version
Stemcell          3445.11
cf-networking     0.25.0
cflinuxfs2        1.155.0
consul            167
diego             1.23.2
garden-runc       1.9.0
loggregator       89*
nfs-volume        1.0.6
routing           0.160.0
syslog-migration  4
* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

1.11.10

  • [Bug Fix] Disables inadvertent iptables logging when container networking is enabled.
Component         Version
Stemcell          3421.20
cf-networking     0.25.0
cflinuxfs2        1.150.0
consul            167
diego             1.23.2
garden-runc       1.9.0
loggregator       89*
nfs-volume        1.0.6
routing           0.160.0
syslog-migration  4
* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

1.11.9

  • [Security Fix] Bumps cflinuxfs2-release to v1.150.0 to resolve USN-3398-1.
  • [Feature Improvement] Operators can now configure a maximum number of idle connections for their Router VMs.
Component         Version
Stemcell          3421.20
cf-networking     0.25.0
cflinuxfs2        1.150.0
consul            167
diego             1.23.2
garden-runc       1.9.0
loggregator       89
nfs-volume        1.0.6
routing           0.160.0
syslog-migration  4
* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

1.11.8

  • [Security Fix] Bumps stemcell to v3421.20 to resolve USN-3392-2.
  • [Security Fix] Bumps cflinuxfs2-release to v1.147.0 to resolve USN-3387-1 and USN-3388-1.
Component         Version
Stemcell          3421.20
cf-networking     0.25.0
cflinuxfs2        1.147.0
consul            167
diego             1.23.2
garden-runc       1.9.0
loggregator       89
nfs-volume        1.0.6
routing           0.160.0
syslog-migration  4
* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

1.11.7

  • [Security Fix] Bumps stemcell to version 3421.19.
  • [Bug Fix] Bumps diego-release to v1.23.2 to resolve a number of issues including:
    • improving locket stability during MySQL updates
    • reporting the correct result of running tasks on Windows cells
    • resolution of a race condition in the process launching code that could cause process failures
    • improvements to the healthcheck error messaging
    • removing the extraneous “cancelled” message in logs when applications crash
    • prefixing process errors with their log source
    • removing exit codes from healthcheck output when an application fails its healthcheck
  • Applications now have access to the certificate provided by the requester via the X-Forwarded-Client-Cert header. Configuration for this feature can be found on the Networking tab.
Component         Version
Stemcell          3421.19
cf-networking     0.25.0
cflinuxfs2        1.145.0
consul            167
diego             1.23.2
garden-runc       1.9.0
loggregator       89
nfs-volume        1.0.6
routing           0.160.0
syslog-migration  4
* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

1.11.6

  • [Security Fix] Bumps stemcell to v3421.18 to resolve USN-3378-2.
  • [Security Fix] Bumps cflinuxfs2 to v1.145.0 to resolve multiple CVEs and USNs. Please see the release notes for more details.
Component         Version
Stemcell          3421.18
cf-networking     0.25.0
cflinuxfs2        1.145.0
consul            167
diego             1.18.1
garden-runc       1.9.0
loggregator       89
nfs-volume        1.0.6
routing           0.157.0*
syslog-migration  4
* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

1.11.5

  • The components included in routing-release (gorouter, route_registrar, routing-api, tcp_emitter, and tcp_router) have been updated to run on Go v1.8.
Component         Version
Stemcell          3421.9
cf-networking     0.25.0
cflinuxfs2        1.133.0
consul            167
diego             1.18.1
garden-runc       1.9.0
loggregator       89
nfs-volume        1.0.6
routing           0.157.0*
syslog-migration  4
* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

1.11.4

  • [Security Fix] The Router will now validate the UAA token issuer field. This will prevent users with valid tokens belonging to an Identity Zone other than the default zone from escalating their privileges when making requests against system components.
  • [Bug Fix] Removes configuration of Container Overlay Subnet when configuring Container Networking. When left to the defaults, the networking would behave as expected. However, if an operator provided a value different from what was provided in the Elastic Runtime tile, the configuration would cause the Isolation Segment networking to fail.
  • Bumps nfs-volume-release to v1.0.6. Release Notes
  • Sets the default max-in-flight value for the Diego Cells to 4%. Operators can still use the Ops Manager API to configure this setting to fit their needs. The max-in-flight percentage for the Diego Cell job in the Elastic Runtime has been set to 10% since 1.10, but we’ve seen especially in larger environments that having the percentage this high can cause some problems:
    • Many simultaneous VM creates/deletes and BOSH blob updates can place significant stress on the underlying infrastructure, especially on vSphere which has a greater probability of being under-provisioned.
    • The cells that are draining are no longer available for allocation, resulting in a 10% decrease in total memory and disk capacity during the deployment. This can cause deployments to no longer have sufficient total capacity to run all the work, or to have insufficient headroom to place larger workloads successfully.
Component         Version
Stemcell          3421.9
cf-networking     0.25.0
cflinuxfs2        1.133.0
consul            167
diego             1.18.1
garden-runc       1.9.0
loggregator       89
nfs-volume        1.0.6
routing           0.157.0*
syslog-migration  4
* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

1.11.3

Component         Version
Stemcell          3421.9
cf-networking     0.25.0
cflinuxfs2        1.133.0
consul            167
diego             1.18.1
garden-runc       1.9.0
loggregator       89
nfs-volume        1.0.5
routing           0.157.0
syslog-migration  4
* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

1.11.2

  • [Security Fix] Bumps cflinuxfs2-rootfs to 1.33.0. Release Notes
Component         Version
Stemcell          3421.9
cf-networking     0.25.0
cflinuxfs2        1.133.0
consul            167
diego             1.18.1
garden-runc       1.7.0
loggregator       89
nfs-volume        1.0.3
routing           0.157.0
syslog-migration  4
* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

1.11.1

  • Bump stemcell to 3421.9.
  • Bump garden-runc to v1.7.0.
  • Bump diego-release to v1.18.1.
  • Bump cflinuxfs2-release to v1.126.0
  • Container-to-container networking will log iptables rules in the kernel log on each Isolated Diego Cell.
Component         Version
Stemcell          3421.9
cf-networking     0.25.0
cflinuxfs2        1.126.0
consul            167
diego             1.18.1
garden-runc       1.7.0
loggregator       89
nfs-volume        1.0.3
routing           0.157.0
syslog-migration  4
* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

1.11.0

Component         Version
Stemcell          3421.3
cf-networking     0.25.0
cflinuxfs2        1.123.0
consul            167
diego             1.16.1
garden-runc       1.6.0
loggregator       89
nfs-volume        1.0.3
routing           0.157.0
syslog-migration  4
* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

About PCF Isolation Segment

The PCF Isolation Segment v1.11 tile is available for installation with PCF v1.11.

Isolation segments provide dedicated pools of resources where you can deploy apps and isolate workloads. Using isolation segments separates app resources as completely as if they were in different CF deployments but avoids redundant management and network complexity.

For more information about using isolation segments in your deployment, see the Managing Isolation Segments topic.

How to Install

The procedure for installing PCF Isolation Segment v1.11 is documented in the Installing PCF Isolation Segment topic.

To install a PCF Isolation Segment, you must first install PCF v1.11.

About Advanced Features

The Advanced Features section of the PCF Isolation Segment tile includes new functionality that may have certain constraints. Although these features are fully supported, Pivotal recommends caution when using them in production.

New Features in PCF Isolation Segment v1.11.0

This section describes new features of the release.

Override DNS Servers

By default, containers use the same DNS servers as the host. To override the DNS servers used by the containers of an isolation segment, enter a comma-separated list of servers in the DNS Servers field of the Application Containers section of the tile.

NFSv3 Volume Services

The tile supports NFSv3 volume services. NFS volume services allow application developers to bind existing NFS volumes to their applications for shared file access. For more information, see the Enabling NFS Volume Services topic.

To enable NFSv3 volume services, select Enable under Enabling NFSv3 volume services in the Application Containers section of the tile.

In a clean install of the tile, NFSv3 volume services will be enabled by default. In an upgrade, NFSv3 volume services will keep the setting they had in the previous tile.

Container-to-Container Networking

The tile supports container-to-container networking. To enable container-to-container networking, select Enable under Enabling the Container-to-Container network in the Networking section of the tile and complete the corresponding fields. For more information about container-to-container networking, see the Understanding Container-to-Container Networking topic.

System Logging

The Isolation Segment now emits BOSH component logs in a common syslog format following RFC5424. Additionally, syslog over TLS is now supported to allow operators to deliver their platform logs securely to their syslog aggregator.

The tile has a System Logging section that enables operators to configure syslog for the VMs deployed within the tile.
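
The RFC 5424 layout these logs follow, and the single-space separator between structured data and message that the 1.11.28 syslog-migration fix restores, can be checked on the aggregator side. The linter below is an added example, not part of the original release notes or of Pivotal's code; the sample lines and the `origin@32473` SD-ID are constructed for illustration.

```python
import re

# HEADER = PRI VERSION SP TIMESTAMP SP HOSTNAME SP APP-NAME SP PROCID SP MSGID SP
HEADER = re.compile(
    r"<(?P<pri>\d{1,3})>(?P<version>[1-9]\d{0,2}) "
    r"(?P<timestamp>\S+) (?P<hostname>\S+) (?P<app_name>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) "
)
# SD-ELEMENT = "[" SD-ID *(SP PARAM-NAME "=" quoted value) "]".
# Inside a value, '"', '\' and ']' must be backslash-escaped.
SD_ELEMENT = re.compile(r'\[[^ =\]"]+(?: [^ =\]"]+="(?:[^"\\\]]|\\.)*")*\]')


def lint_rfc5424(line):
    """Parse one RFC 5424 line; return its fields plus a list of findings."""
    m = HEADER.match(line)
    if m is None:
        raise ValueError("header is not RFC 5424 (fields are single-space separated)")
    rec = m.groupdict()
    pri = int(rec.pop("pri"))
    if pri > 191:
        raise ValueError("PRI out of range")
    rec["facility"], rec["severity"] = divmod(pri, 8)

    # STRUCTURED-DATA is either the NILVALUE "-" or one or more SD-ELEMENTs.
    start = pos = m.end()
    if line.startswith("-", pos):
        pos += 1
    else:
        el = SD_ELEMENT.match(line, pos)
        while el:
            pos = el.end()
            el = SD_ELEMENT.match(line, pos)
        if pos == start:
            raise ValueError("missing or malformed STRUCTURED-DATA")
    rec["structured_data"] = line[start:pos]

    # [SP MSG]: exactly one space separates STRUCTURED-DATA from MSG.
    rest, findings = line[pos:], []
    if rest and not rest.startswith(" "):
        raise ValueError("no space between STRUCTURED-DATA and MSG")
    msg = rest[1:]
    if msg.startswith(" "):
        # Legal as MSG content, but a strict consumer sees a shifted message.
        findings.append("more than one space between STRUCTURED-DATA and MSG")
    rec["msg"], rec["findings"] = msg, findings
    return rec


# Constructed sample lines (32473 is the enterprise number reserved for examples).
SD = '[origin@32473 deployment="cf" group="isolated_diego_cell"]'
GOOD = "<14>1 2018-03-01T12:00:00.000Z cell-0 rep 1234 - " + SD + " container started"
BAD = "<14>1 2018-03-01T12:00:00.000Z cell-0 rep 1234 - " + SD + "  container started"

if __name__ == "__main__":
    for sample in (GOOD, BAD):
        rec = lint_rfc5424(sample)
        print(repr(rec["msg"]), rec["findings"])
```

Run over a sample of forwarded lines, a non-empty `findings` list points at a sender that still emits the extra separator.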

SHA2 Checksum

Operators can verify the data integrity of the Isolation Segment tile using the SHA2 checksum of the file, rather than the MD5 checksum used in previous releases.

Cell-local Route Emitters

The Route Emitter is now co-located on the Diego Cell for which it emits app routes. This improves the availability of the Route Emitter and reduces the impact of downtime from this component.

In previous versions of the Isolation Segment tile, Diego Cells relied on the Route Emitter component on the Diego Brain in the Elastic Runtime tile to notify the Router of application routes. If the Route Emitter became unavailable, routes could be lost from the Router route table.
