PCF Isolation Segment v1.11 Release Notes

Releases

1.11.14

  • [Security Fix] Bumps cflinuxfs2-release to v1.158.0 to resolve multiple security issues. Release Notes

Component          Version
Stemcell           3445.11
cf-networking      0.25.0
cflinuxfs2         1.158.0
consul             167
diego              1.23.2
garden-runc        1.9.4
loggregator        89*
nfs-volume         1.0.6
routing            0.160.0*
syslog-migration   4
* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

1.11.13

  • [Security Improvement] Bumps garden-runc-release to v1.9.4. Release Notes.
  • [Feature Improvement] Router now supports setting a Frontend Idle Timeout to maintain an open connection when clients support keep-alive. The default value is 900 seconds.

Component          Version
Stemcell           3445.11
cf-networking      0.25.0
cflinuxfs2         1.156.0
consul             167
diego              1.23.2
garden-runc        1.9.4
loggregator        89*
nfs-volume         1.0.6
routing            0.160.0*
syslog-migration   4
* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

1.11.12

  • [Security Fix] Bumps cflinuxfs2-release to v1.156.0 to resolve multiple security issues. Release Notes
  • [Bug Fix] Loggregator API counters will now include a correct delta.
  • [Security Fix] Resolves an issue with an incorrect Host header being set on incoming requests through the Router. See the CVE Notice.
  • Operators can now specify a minimum supported TLS version for the Router and HAProxy.
  • The Cipher Suites for the Router and HAProxy are now required fields.

Component          Version
Stemcell           3445.11
cf-networking      0.25.0
cflinuxfs2         1.156.0
consul             167
diego              1.23.2
garden-runc        1.9.0
loggregator        89*
nfs-volume         1.0.6
routing            0.160.0*
syslog-migration   4
* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

1.11.11

  • [Security Fix] Bumps stemcell to v3445.11 to address USN-3420-2.
  • [Security Fix] Bumps cflinuxfs2-release to v1.155.0 to address USN-3415-1.

Component          Version
Stemcell           3445.11
cf-networking      0.25.0
cflinuxfs2         1.155.0
consul             167
diego              1.23.2
garden-runc        1.9.0
loggregator        89*
nfs-volume         1.0.6
routing            0.160.0
syslog-migration   4
* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

1.11.10

  • [Bug Fix] Disables inadvertent iptables logging when container networking is enabled.

Component          Version
Stemcell           3421.20
cf-networking      0.25.0
cflinuxfs2         1.150.0
consul             167
diego              1.23.2
garden-runc        1.9.0
loggregator        89*
nfs-volume         1.0.6
routing            0.160.0
syslog-migration   4
* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

1.11.9

  • [Security Fix] Bumps cflinuxfs2-release to v1.150.0 to resolve USN-3398-1.
  • [Feature Improvement] Operators can now configure a maximum number of idle connections for their Router VMs.

Component          Version
Stemcell           3421.20
cf-networking      0.25.0
cflinuxfs2         1.150.0
consul             167
diego              1.23.2
garden-runc        1.9.0
loggregator        89
nfs-volume         1.0.6
routing            0.160.0
syslog-migration   4
* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

1.11.8

  • [Security Fix] Bumps stemcell to v3421.20 to resolve USN-3392-2.
  • [Security Fix] Bumps cflinuxfs2-release to v1.147.0 to resolve USN-3387-1 and USN-3388-1.

Component          Version
Stemcell           3421.20
cf-networking      0.25.0
cflinuxfs2         1.147.0
consul             167
diego              1.23.2
garden-runc        1.9.0
loggregator        89
nfs-volume         1.0.6
routing            0.160.0
syslog-migration   4
* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

1.11.7

  • [Security Fix] Bumps stemcell to version 3421.19.
  • [Bug Fix] Bumps diego-release to v1.23.2 to resolve a number of issues including:
    • improving locket stability during MySQL updates
    • reporting the correct result of running tasks on Windows cells
    • resolution of a race condition in the process launching code that could cause process failures
    • improvements to the healthcheck error messaging
    • removing the extraneous “cancelled” message in logs when applications crash
    • prefixing process errors with their log source
    • removing exit codes from healthcheck output when an application fails its healthcheck
  • Applications now have access to the certificate provided by the requester via the X-Forwarded-Client-Cert header. Configuration for this feature can be found on the Networking tab.

Component          Version
Stemcell           3421.19
cf-networking      0.25.0
cflinuxfs2         1.145.0
consul             167
diego              1.23.2
garden-runc        1.9.0
loggregator        89
nfs-volume         1.0.6
routing            0.160.0
syslog-migration   4
* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

1.11.6

  • [Security Fix] Bumps stemcell to v3421.18 to resolve USN-3378-2.
  • [Security Fix] Bumps cflinuxfs2 to v1.145.0 to resolve multiple CVEs and USNs. Please see the release notes for more details.

Component          Version
Stemcell           3421.18
cf-networking      0.25.0
cflinuxfs2         1.145.0
consul             167
diego              1.18.1
garden-runc        1.9.0
loggregator        89
nfs-volume         1.0.6
routing            0.157.0*
syslog-migration   4
* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

1.11.5

  • The components included in routing-release (gorouter, route_registrar, routing-api, tcp_emitter, and tcp_router) have been updated to run on Go v1.8.

Component          Version
Stemcell           3421.9
cf-networking      0.25.0
cflinuxfs2         1.133.0
consul             167
diego              1.18.1
garden-runc        1.9.0
loggregator        89
nfs-volume         1.0.6
routing            0.157.0*
syslog-migration   4
* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

1.11.4

  • [Security Fix] The Router will now validate the UAA token issuer field. This will prevent users with valid tokens belonging to an Identity Zone other than the default zone from escalating their privileges when making requests against system components.
  • [Bug Fix] Removes configuration of Container Overlay Subnet when configuring Container Networking. When left to the defaults, the networking would behave as expected. However, if an operator provided a value different from what was provided in the Elastic Runtime tile, the configuration would cause the Isolation Segment networking to fail.
  • Bumps nfs-volume-release to v1.0.6. Release Notes
  • Sets the default max-in-flight value for the Diego Cells to 4%. Operators can still use the Ops Manager API to configure this setting to fit their needs. The max-in-flight percentage for the Diego Cell job in the Elastic Runtime has been set to 10% since 1.10, but we have seen, especially in larger environments, that a percentage this high can cause problems:
    • Many simultaneous VM creates/deletes and BOSH blob updates can place significant stress on the underlying infrastructure, especially on vSphere which has a greater probability of being under-provisioned.
    • The cells that are draining are no longer available for allocation, resulting in a 10% decrease in total memory and disk capacity during the deployment. This can cause deployments to no longer have sufficient total capacity to run all the work, or to have insufficient headroom to place larger workloads successfully.
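The token issuer check described in the 1.11.4 security fix above, as an added example that is not code from routing-release or any Pivotal component: a bearer token is accepted only after its signature verifies and its iss claim equals the issuer of the default UAA zone. A token from another identity zone is signed by the same UAA key, so signature verification alone would accept it; only the issuer comparison rejects it. The example uses HS256 with a constructed shared key so that it runs offline (a real UAA signs with an RSA key, but the issuer check is the same), and the issuer URLs are assumed values.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Claims holds the token fields this check looks at.
type Claims struct {
	Iss   string   `json:"iss"`
	Sub   string   `json:"sub"`
	Scope []string `json:"scope"`
}

var (
	ErrMalformed = errors.New("token: malformed")
	ErrAlgorithm = errors.New("token: unexpected signing algorithm")
	ErrSignature = errors.New("token: signature mismatch")
	ErrIssuer    = errors.New("token: issuer not accepted")
)

func enc(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// SignHS256 mints a compact JWS over the claims; used here only to build
// constructed test tokens with a demo key.
func SignHS256(c Claims, key []byte) string {
	header := enc([]byte(`{"alg":"HS256","typ":"JWT"}`))
	body, _ := json.Marshal(c)
	input := header + "." + enc(body)
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(input))
	return input + "." + enc(mac.Sum(nil))
}

// ValidateToken returns the claims only if the token is well formed, the
// header names the expected algorithm, the MAC verifies, and iss equals
// expectedIssuer. Pinning the algorithm prevents an "alg":"none" header from
// bypassing the signature; the issuer check is what rejects a token minted
// by another identity zone under the same signing key.
func ValidateToken(token string, key []byte, expectedIssuer string) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, ErrMalformed
	}
	rawHeader, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return nil, ErrMalformed
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(rawHeader, &hdr); err != nil || hdr.Alg != "HS256" {
		return nil, ErrAlgorithm
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return nil, ErrMalformed
	}
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	if !hmac.Equal(sig, mac.Sum(nil)) { // constant-time comparison
		return nil, ErrSignature
	}
	rawBody, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, ErrMalformed
	}
	var c Claims
	if err := json.Unmarshal(rawBody, &c); err != nil {
		return nil, ErrMalformed
	}
	if c.Iss != expectedIssuer {
		return nil, ErrIssuer
	}
	return &c, nil
}

func main() {
	key := []byte("constructed-demo-key") // constructed; a real deployment uses the UAA verification key
	const defaultZone = "https://uaa.example.com/oauth/token" // assumed default-zone issuer
	tokens := map[string]string{
		"default zone": SignHS256(Claims{Iss: defaultZone, Sub: "ops", Scope: []string{"routing.routes.read"}}, key),
		"other zone":   SignHS256(Claims{Iss: "https://zone1.uaa.example.com/oauth/token", Sub: "tenant", Scope: []string{"routing.routes.read"}}, key),
	}
	for name, tok := range tokens {
		if _, err := ValidateToken(tok, key, defaultZone); err != nil {
			fmt.Printf("%-12s rejected: %v\n", name, err)
		} else {
			fmt.Printf("%-12s accepted\n", name)
		}
	}
}
```

Both constructed tokens carry the same scope and verify under the same key; the only difference is the issuer, which is exactly the field the Router started checking in 1.11.4.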

Component          Version
Stemcell           3421.9
cf-networking      0.25.0
cflinuxfs2         1.133.0
consul             167
diego              1.18.1
garden-runc        1.9.0
loggregator        89
nfs-volume         1.0.6
routing            0.157.0*
syslog-migration   4
* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

1.11.3

Component          Version
Stemcell           3421.9
cf-networking      0.25.0
cflinuxfs2         1.133.0
consul             167
diego              1.18.1
garden-runc        1.9.0
loggregator        89
nfs-volume         1.0.5
routing            0.157.0
syslog-migration   4
* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

1.11.2

  • [Security Fix] Bumps cflinuxfs2-rootfs to 1.33.0. Release Notes

Component          Version
Stemcell           3421.9
cf-networking      0.25.0
cflinuxfs2         1.133.0
consul             167
diego              1.18.1
garden-runc        1.7.0
loggregator        89
nfs-volume         1.0.3
routing            0.157.0
syslog-migration   4
* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

1.11.1

  • Bump stemcell to 3421.9.
  • Bump garden-runc to v1.7.0.
  • Bump diego-release to v1.18.1.
  • Bump cflinuxfs2-release to v1.126.0.
  • Container-to-container networking will log iptables rules in the kernel log on each Isolated Diego Cell.

Component          Version
Stemcell           3421.9
cf-networking      0.25.0
cflinuxfs2         1.126.0
consul             167
diego              1.18.1
garden-runc        1.7.0
loggregator        89
nfs-volume         1.0.3
routing            0.157.0
syslog-migration   4
* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

1.11.0

Component          Version
Stemcell           3421.3
cf-networking      0.25.0
cflinuxfs2         1.123.0
consul             167
diego              1.16.1
garden-runc        1.6.0
loggregator        89
nfs-volume         1.0.3
routing            0.157.0
syslog-migration   4
* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

About PCF Isolation Segment

The PCF Isolation Segment v1.11 tile is available for installation with PCF v1.11.

Isolation segments provide dedicated pools of resources where you can deploy apps and isolate workloads. Using isolation segments separates app resources as completely as if they were in different CF deployments but avoids redundant management and network complexity.

For more information about using isolation segments in your deployment, see the Managing Isolation Segments topic.

How to Install

The procedure for installing PCF Isolation Segment v1.11 is documented in the Installing PCF Isolation Segment topic.

To install a PCF Isolation Segment, you must first install PCF v1.11.

About Advanced Features

The Advanced Features section of the PCF Isolation Segment tile includes new functionality that may have certain constraints. Although these features are fully supported, Pivotal recommends caution when using them in production.

New Features in PCF Isolation Segment v1.11.0

This section describes new features of the release.

Override DNS Servers

By default, containers use the same DNS servers as the host. To override the DNS servers used by the containers of an isolation segment, enter a comma-separated list of servers in the DNS Servers field of the Application Containers section of the tile.

NFSv3 Volume Services

The tile supports NFSv3 volume services. NFS volume services allow application developers to bind existing NFS volumes to their applications for shared file access. For more information, see the Enabling NFS Volume Services topic.

To enable NFSv3 volume services, select Enable under Enabling NFSv3 volume services in the Application Containers section of the tile.

In a clean install of the tile, NFSv3 volume services are enabled by default. In an upgrade, NFSv3 volume services keep the same setting they had in the previous tile.

Container-to-Container Networking

The tile supports container-to-container networking. To enable container-to-container networking, select Enable under Enabling the Container-to-Container network in the Networking section of the tile and complete the corresponding fields. For more information about container-to-container networking, see the Understanding Container-to-Container Networking topic.

System Logging

The Isolation Segment now emits BOSH component logs in a common syslog format following RFC5424. Additionally, syslog over TLS is now supported to allow operators to deliver their platform logs securely to their syslog aggregator.

The tile has a System Logging section that enables operators to configure syslog for the VMs deployed within the tile.

SHA2 Checksum

Operators can verify the data integrity of the Isolation Segment tile using the SHA2 checksum of the file, rather than the MD5 checksum used in previous releases.

Cell-local Route Emitters

The Route Emitter is now co-located on the Diego Cell for which it emits app routes. This improves the availability of the Route Emitter and reduces the impact of downtime from this component.

In previous versions of the Isolation Segment tile, Diego Cells relied on the Route Emitter component on the Diego Brain in the Elastic Runtime tile to notify the Router of application routes. If the Route Emitter became unavailable, routes could be lost from the Router route table.
