PCF Isolation Segment v1.12 Release Notes

Releases

1.12.4

  • [Security Fix] Bumps cflinuxfs2-release to v1.158.0 to resolve multiple security issues. Release Notes

Component        Version
Stemcell         3445.11
cf-networking    1.4.1
cflinuxfs2       1.158.0
consul           173
diego            1.25.3
garden-runc      1.9.4
grootfs          0.25.0
haproxy          8.4.1
loggregator      96
nfs-volume       1.0.9
routing          0.163.0
syslog-migration 8
* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

1.12.3

  • [Security Improvement] Bumps garden-runc-release to v1.9.4. Release Notes.

Component        Version
Stemcell         3445.11
cf-networking    1.4.0*
cflinuxfs2       1.156.0
consul           173
diego            1.25.3
garden-runc      1.9.4
grootfs          0.25.0
haproxy          8.4.1
loggregator      96
nfs-volume       1.0.9
routing          0.163.0
syslog-migration 8
* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

1.12.2

  • [Security Fix] Bumps cflinuxfs2-release to v1.156.0 to resolve multiple security issues. Release Notes.
  • [Security Fix] Resolves an issue with an incorrect Host header being set on incoming requests through the Router. CVE Notice.
  • [Bug Fix] Bumps haproxy-boshrelease to v8.4.1 to resolve an issue with certificate/key concatenation. Release Notes.
  • [Feature] Bumps diego-release to v1.25.3 to include support for Azure MySQL. Release Notes.
  • [Feature] Patches cf-networking-release to include support for Azure MySQL.
  • Changes the default “Router Max Connections Per Backend” from unlimited to 500.
  • [Feature] Operators can now configure a “Frontend Idle Timeout” for the Router and HAProxy.

Component        Version
Stemcell         3445.11
cf-networking    1.4.0*
cflinuxfs2       1.156.0
consul           173
diego            1.25.3
garden-runc      1.9.3
grootfs          0.25.0
haproxy          8.4.1
loggregator      96
nfs-volume       1.0.9
routing          0.163.0
syslog-migration 8
* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

1.12.1

  • [Security Fix] Bumps stemcell to v3445.11 to address USN-3420-2.
  • [Security Fix] Bumps cflinuxfs2-release to v1.155.0 to address USN-3415-1.

Component        Version
Stemcell         3445.11
cf-networking    1.4.0
cflinuxfs2       1.155.0
consul           173
diego            1.25.1
garden-runc      1.9.3
grootfs          0.25.0
haproxy          8.4.0
loggregator      96
nfs-volume       1.0.9
routing          0.162.0
syslog-migration 8
* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

1.12.0

Component        Version
Stemcell         3445.7
cf-networking    1.4.0
cflinuxfs2       1.146.0
consul           173
diego            1.25.1
garden-runc      1.9.3
grootfs          0.25.0
haproxy          8.4.0
loggregator      96
nfs-volume       1.0.9
routing          0.162.0
syslog-migration 8
* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

About PCF Isolation Segment

The PCF Isolation Segment v1.12 tile is available for installation with PCF v1.12.

Isolation segments provide dedicated pools of resources where you can deploy apps and isolate workloads. Using isolation segments separates app resources as completely as if they were in different CF deployments but avoids redundant management and network complexity.

For more information about using isolation segments in your deployment, see the Managing Isolation Segments topic.

How to Install

The procedure for installing PCF Isolation Segment v1.12 is documented in the Installing PCF Isolation Segment topic.

To install a PCF Isolation Segment, you must first install PCF v1.12.

New Features in PCF Isolation Segment v1.12.0

This section describes new features of the release.

HAProxy

You can now use an HAProxy for the Isolation Segment tile that is independent from the Elastic Runtime HAProxy. The Isolation Segment tile includes its own HAProxy VM, which uses the haproxy-boshrelease. For information on the configuration options for HAProxy, see the Networking section of Installing PCF Isolation Segment.

See the Isolation Segment installation instructions for more information.

Router Sharding Mode

This release includes support for router sharding between the Elastic Runtime and Isolation Segment tiles. In addition to compute isolation, operators can now configure networking isolation for their isolation segments. Alternatively, operators can deploy the Isolation Segment tile for the purpose of using its routers for the Elastic Runtime tile.

You can configure this feature using the following fields:

  • Elastic Runtime tile: Routers reject requests for Isolation Segments checkbox
  • Isolation Segment tile: Router Sharding Mode selector

See the Isolation Segment installation instructions for more information.

Router Configuration Options

The Networking pane of the Isolation Segment tile now includes the following fields for the router. Additionally, the default instance count for the Router VM is now set to 3 in the Resource Config pane.

  • Router Max Idle Keepalive Connections
  • Disable SSL certificate verification for this environment
  • HTTP Headers to Log
  • Disable insecure cookies on the Router
  • Enable Zipkin tracking headers on the router
  • Router Timeout to Backends
  • Load Balancer Unhealthy Threshold
  • Load Balancer Healthy Threshold
  • Max Connections Per Backend

See the Isolation Segment installation instructions for more information about each field.

Simplified TLS Configuration

The point of entry options on the Isolation Segment tile Networking pane have been restructured to be more understandable and flexible. Operators no longer need to configure the Router or HAProxy separately as both components are configured using the same options. This includes the following changes:

  • Gorouter and HAProxy always listen for TLS requests. You provide an SSL certificate for both Gorouter and HAProxy using a single field.
  • HAProxy forwards all requests to Gorouter over TLS by default. You can optionally disable this feature.
  • You can configure the minimum version of TLS for Gorouter and HAProxy with a single field.
  • You can provide a list of CAs to HAProxy for it to validate the Gorouter certificate.
  • You can optionally disable the HTTP listener for both Gorouter and HAProxy with a single checkbox.
  • You can specify TLS cipher suites for HAProxy and Gorouter independently.

Mutual TLS Headers on Inbound Application Traffic

Gorouter can now forward the X-Forwarded-Client-Cert header to app instances when provided. Alternatively, operators can configure Gorouter to forward the header only when the mutual TLS connection from the client can be validated. Additionally, operators may now configure Gorouter to overwrite the XFCC header with the client certificate received in mTLS handshakes.

This configuration is available in the Networking pane under Configure the CF Router support for the X-Forwarded-Client-Cert header. See the Isolation Segment installation instructions for more information.

Support for Logging All App Traffic

Operators can enable logging of all accepted and denied packets due to ASGs or container-to-container networking policies. This provides more visibility into app traffic, including denied traffic.

Operators configure this global logging in the Networking pane of the Isolation Segment tile under the Log traffic for all accepted/denied application packets field. See the App Traffic Logging section for more information.

Introducing GrootFS

GrootFS is the new container image management plugin for Garden-runC. It helps with the filesystem isolation of Garden-runC containers, image caching, and disk quota enforcement. GrootFS replaces the previous built-in functionality, which used an obsolete layer filesystem (AUFS) that lacks support from the Linux Kernel community. Additionally, GrootFS uses OCI standards for container images.

For more information about GrootFS in PCF, see the following topics:

Garden Disk-Cleanup

Operators using PCF Isolation Segment can now configure the Garden and GrootFS cleanup thresholds independently of the Elastic Runtime tile. The Application Containers pane of the Isolation Segment tile now includes the following selector: Docker Images Disk-Cleanup Scheduling on Cell VMs.

Diego Cell Max-in-Flight Default

This release lowers the default max-in-flight percentage on Diego Cells to 4%. Previously, this value was set to 10%, which can cause the following issues in larger environments:

  • Many simultaneous VM creates/deletes and BOSH blob updates placing significant stress on the underlying infrastructure, especially on vSphere which has a greater probability of being under-provisioned.
  • Cells that are draining are no longer available for allocation, resulting in a 10% decrease in total memory and disk capacity during deployment. This can cause deployments to no longer have sufficient total capacity to run all work, or to have insufficient headroom to place larger workloads successfully.

Operators can still use the Ops Manager API to configure this setting to fit their needs. For more information about this property, see Managing Diego Cell Limits During Upgrade.

Secure Communication Between Diego and Loggregator

Diego Cells now use the Metron API v2. This gRPC-based API supports mutual TLS authentication and secures the communication path between the Diego rep and Loggregator.

NFSv3 Volume Services with LDAP

Operators can now configure LDAP for NFSv3 volume services. Using LDAP secures the NFSv3 volume service by preventing a developer from binding to an NFS share using an arbitrary UID and potentially gaining access to sensitive data stored by another user or app. If you enable LDAP support, developers must provide credentials for any user they wish to bind as. See Enabling NFS Volume Services.

Application Instance Identity Credentials

The instance identity system in Diego provides each app container with a PEM-encoded X.509 certificate and PKCS #1 RSA private key. The values of the environment variables CF_INSTANCE_CERT and CF_INSTANCE_KEY contain the absolute paths to the certificate and private key files. The validity period is 3 years for the Instance Identity root and 2 years for the intermediate CA certificates.

See the App Instance Container Identity Credentials section for more information.
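As an added example, not code from the PCF documentation or from Diego itself, the following Go snippet shows how an app can validate the pair Diego hands it through CF_INSTANCE_CERT and CF_INSTANCE_KEY before using it for TLS: it insists on the PKCS #1 key encoding described above, confirms that key and certificate belong together, and rejects a leaf outside its validity period. ConstructedIdentityPEM is an assumed self-signed stand-in so the check can be exercised outside a container.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// ParseInstanceIdentity validates a certificate and key in the form Diego hands them
// to an app: the key must be PKCS #1 ("RSA PRIVATE KEY"), key and certificate must
// belong together (tls.X509KeyPair checks this), and the leaf must be currently valid.
func ParseInstanceIdentity(certPEM, keyPEM []byte) (*x509.Certificate, error) {
	if blk, _ := pem.Decode(keyPEM); blk == nil || blk.Type != "RSA PRIVATE KEY" {
		return nil, fmt.Errorf("CF_INSTANCE_KEY: expected a PKCS #1 RSA PRIVATE KEY block")
	}
	pair, err := tls.X509KeyPair(certPEM, keyPEM)
	if err != nil {
		return nil, err // malformed PEM, or the key does not match the certificate
	}
	leaf, err := x509.ParseCertificate(pair.Certificate[0])
	if err != nil {
		return nil, err
	}
	if now := time.Now(); now.Before(leaf.NotBefore) || now.After(leaf.NotAfter) {
		return nil, fmt.Errorf("instance certificate not valid at %s", now.UTC())
	}
	return leaf, nil
}

// ConstructedIdentityPEM builds a self-signed stand-in for the Diego-issued pair in the same
// PEM/PKCS #1 layout (constructed sample, not the real CA); a negative ttl yields an expired cert.
func ConstructedIdentityPEM(ttl time.Duration) (certPEM, keyPEM []byte, err error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(ttl)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	certPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	keyPEM = pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(key)})
	return certPEM, keyPEM, nil
}
```

Inside a container, read the files at os.Getenv("CF_INSTANCE_CERT") and os.Getenv("CF_INSTANCE_KEY") and pass their contents to ParseInstanceIdentity; the real certificate chains to the instance identity intermediate CA, which this stand-in does not model.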

Container-to-Container Networking Updates

Container-to-container networking is now always enabled. The commands are integrated with the cf CLI and now include the option to specify a port range when adding and removing policies. See Create Policies for Container-to-Container Networking.

About Advanced Features

The Advanced Features section of the PCF Isolation Segment tile includes new functionality that may have certain constraints. Although these features are fully supported, Pivotal recommends caution when using them in production.
