PCF Ops Manager Release v2.0 Release Notes

Pivotal Cloud Foundry is certified by the Cloud Foundry Foundation for 2018.

Read more about the certified provider program and the requirements of providers.


How to Upgrade

The Upgrading Pivotal Cloud Foundry topic contains instructions for upgrading to Pivotal Cloud Foundry (PCF) Ops Manager v2.0.

2.0.13

  • [Feature] Makes Azure network and resource group matchers case-insensitive.
  • [Bug Fix] Backports GET /api/v0/staged/director/networks to older releases.
  • Upgrades to the newest version of bosh-system-metrics-server.

Ops Manager v2.0.13 uses the following component versions:

Component        Version
Stemcell         3468.42*
BBR SDK          1.2.1
BOSH Director    264.10.0
BOSH DNS         0.1.3
CredHub          1.6.5
UAA              52.7
AWS CPI          69
Azure CPI        35
GCP CPI          25.10.0
OpenStack CPI    35
vSphere CPI      45.1.0

2.0.12

  • [Security Fix] Bumps Stemcell to 3468.42
  • [Bug Fix] The credentials API endpoints for deployed products do not include secrets. For more information about these API endpoints, see Viewing available credentials and Fetching credentials in the Ops Manager API documentation.

Ops Manager v2.0.12 uses the following component versions:

Component        Version
Stemcell         3468.42*
BBR SDK          1.2.1
BOSH Director    264.10.0
BOSH DNS         0.1.3
CredHub          1.6.5
UAA              52.7
AWS CPI          69
Azure CPI        35
GCP CPI          25.10.0
OpenStack CPI    35
vSphere CPI      45.1.0
* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

2.0.11

  • [Security Fix] Bumps Stemcell to 3468.30
  • [Feature] You are now able to fetch availability zones (AZs) from the Ops Manager API. For more information, see Fetching availability zones in the Ops Manager API documentation.

Ops Manager v2.0.11 uses the following component versions:

Component        Version
Stemcell         3468.30*
BBR SDK          1.2.1
BOSH Director    264.10.0
BOSH DNS         0.1.3
CredHub          1.6.5
UAA              52.7
AWS CPI          69
Azure CPI        35
GCP CPI          25.10.0
OpenStack CPI    35
vSphere CPI      45.1.0
* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

2.0.10

  • [Security Fix] Bumps Stemcell to 3468.28.
  • [Feature] In the Director Config pane, you can now enter Excluded Recursors as a comma-separated list. This list specifies which IPs and ports you want to exclude from the DNS server. For more information, see Director Config Page.
  • [Bug Fix] Ops Manager sets a consistent entity ID in both SAML and non-SAML cases.

Ops Manager v2.0.10 uses the following component versions:

Component        Version
Stemcell         3468.28*
BBR SDK          1.2.1
BOSH Director    264.10.0
BOSH DNS         0.1.3
CredHub          1.6.5
UAA              52.7
AWS CPI          69
Azure CPI        35
GCP CPI          25.10.0
OpenStack CPI    35
vSphere CPI      45.1.0
* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

2.0.9

  • [Feature] The BOSH CLI is now upgraded to v3 in Ops Manager. You can now split cloud config and other configurations into multiple files. This change allows you to manage and evolve configurations separately. For more information on configuration management in BOSH, see Configs in the BOSH documentation.
  • Bumps Rubygems to v2.6.14.

Ops Manager v2.0.9 uses the following component versions:

Component        Version
Stemcell         3468.27
BBR SDK          1.2.1
BOSH Director    264.10.0
BOSH DNS         0.1.3
CredHub          1.6.5
UAA              52.7
AWS CPI          69
Azure CPI        35
GCP CPI          25.10.0
OpenStack CPI    35
vSphere CPI      45.1.0
* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

2.0.8

  • [Security Fix] Bumps stemcell to 3468.27.
  • Bumps BOSH Director to v264.10.0. This BOSH Director bump relaxes errand-checking behavior, which should make colocated errands work in more cases.

Ops Manager v2.0.8 uses the following component versions:

Component        Version
Stemcell         3468.27*
BBR SDK          1.2.1
BOSH Director    264.10.0*
BOSH DNS         0.1.3
CredHub          1.6.5
UAA              52.7
AWS CPI          69
Azure CPI        35
GCP CPI          25.10.0
OpenStack CPI    35
vSphere CPI      45.1.0
* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

2.0.7

  • Bumps BOSH Director to v264.9.
  • Bumps BOSH DNS to v0.1.3.
  • [Bug Fix] Allows access to public AMI snapshots for Ops Manager KMS encryption. This feature was introduced in v2.0.4.

Ops Manager v2.0.7 uses the following component versions:

Component        Version
Stemcell         3468.25
BBR SDK          1.2.1
BOSH Director    264.9*
BOSH DNS         0.1.3*
CredHub          1.6.5
UAA              52.7
AWS CPI          69
Azure CPI        35
GCP CPI          25.10.0
OpenStack CPI    35
vSphere CPI      45.1.0
* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

2.0.6

  • [Security Fix] Bumps stemcell to 3468.25.
  • Bumps BOSH Director to v264.8.

Ops Manager v2.0.6 uses the following component versions:

Component        Version
Stemcell         3468.25*
BBR SDK          1.2.1
BOSH Director    264.8*
BOSH DNS         0.1.0
CredHub          1.6.5
UAA              52.7
AWS CPI          69
Azure CPI        35
GCP CPI          25.10.0
OpenStack CPI    35
vSphere CPI      45.1.0
* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

2.0.5

  • [Security Fix] Bumps stemcell to 3468.21.
  • Increases connection timeout to accommodate large installation exports.

Ops Manager v2.0.5 uses the following component versions:

Component        Version
Stemcell         3468.21*
BBR SDK          1.2.1
BOSH Director    264.7
BOSH DNS         0.1.0
CredHub          1.6.5
UAA              52.7
AWS CPI          69
Azure CPI        35
GCP CPI          25.10.0
OpenStack CPI    35
vSphere CPI      45.1.0
* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

2.0.4

  • [Feature] For an Ops Manager AWS configuration, operators can specify a custom Key Management Service (KMS) encryption key to encrypt all the Elastic Block Store (EBS) volumes in AWS. To specify a KMS Key, enable Encrypt EBS Volumes in the AWS Config pane and enter your key in the new Custom Encryption Key field. For more information, see Configuring Amazon EBS Encryption.
  • [Security Fix] Bumps stemcell to 3468.19.
  • Bumps BOSH Director to v264.7.0.

Ops Manager v2.0.4 uses the following component versions:

Component        Version
Stemcell         3468.19*
BBR SDK          1.2.1
BOSH Director    264.7*
BOSH DNS         0.1.0
CredHub          1.6.5
UAA              52.7
AWS CPI          69
Azure CPI        35
GCP CPI          25.10.0
OpenStack CPI    35
vSphere CPI      45.1.0
* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

2.0.3

  • [Security Fix] Bumps stemcell to 3468.17.
  • Bumps UAA to v52.7.
  • BOSH DNS release v0.1.0.

Ops Manager v2.0.3 uses the following component versions:

Component        Version
Stemcell         3468.17*
BOSH Director    264.6
BOSH DNS         0.1.0*
CredHub          1.6.5
UAA              52.7*
AWS CPI          69
Azure CPI        35
GCP CPI          25.10.0
OpenStack CPI    35
vSphere CPI      45.1.0
* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

2.0.2

  • The Default Security Group field on the Azure Config pane is now optional
  • Bumps Azure CPI to v35

Ops Manager v2.0.2 uses the following component versions:

Component        Version
Stemcell         3468.13
BOSH Director    264.6
CredHub          1.6.5
UAA              52.4
AWS CPI          69
Azure CPI        35*
GCP CPI          25.10.0
OpenStack CPI    35
vSphere CPI      45.1.0
* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

2.0.1

  • Operators can rotate the BOSH blobstore after a successful redeploy by editing the Access Key and Secret fields under S3 Compatible Blobstore in the Director Config section of the tile. Operators may want to rotate credentials because the old ones have been compromised or because their enterprise policy demands rotation after a specific time period.
  • On Azure, the Internet Connected checkboxes in the Resource Config section of the tile are now deselected by default. Pivotal recommends keeping these checkboxes deselected. For more information, see Step 8: Resource Config Page in Configuring Ops Manager Director on Azure.
  • [Security Fix] Bumps stemcell to 3468.13
  • Bumps BOSH Director to v264.6
  • Bumps AWS CPI to v69
  • Bumps vSphere CPI to v45.1.0
  • Bumps Azure CPI to v34
  • Bumps OpenStack CPI to v35

Ops Manager v2.0.1 uses the following component versions:

Component        Version
Stemcell         3468.13
BOSH Director    264.6
CredHub          1.6.5
UAA              52.4
AWS CPI          69
Azure CPI        34
GCP CPI          25.10.0
OpenStack CPI    35
vSphere CPI      45.1.0
* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

2.0.0

Ops Manager v2.0.0 uses the following component versions:

Component        Version
Stemcell         3468.11
BOSH Director    264.3
CredHub          1.6.5
UAA              52.4
AWS CPI          67
Azure CPI        29
GCP CPI          25.10.0
OpenStack CPI    34
vSphere CPI      45
* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.


New Features in Ops Manager v2.0

Role-Based Access Control

Ops Manager v2.0 introduces support for role-based access control (RBAC). You can assign the following roles to determine which operators in your organization make deployment changes, view credentials, and manage user roles in Ops Manager:

  • Ops Manager Administrator
  • Full Control
  • Restricted Control
  • Full View
  • Restricted View

See Configuring Role-Based Access Control (RBAC) in Ops Manager for more information.

Custom Director Login Banner

In Ops Manager v2.0, operators can set a custom banner that every user sees when they log in to the BOSH Director. To set the banner, edit the Custom SSH Banner field in the Director Config page of the Ops Manager tile.

See the Director configuration topic for your IaaS for more information. For example, see Configuring Ops Manager on vSphere.

Azure Stack Support (Beta)

Operators can deploy Ops Manager v2.0 to Microsoft Azure in their own local datacenter using Azure Stack.

See Launching an Ops Manager Director Instance on Azure without an ARM Template for more information.

BOSH CLI Renamed

Similar to previous Ops Manager versions, the Ops Manager VM includes two versions of the BOSH CLI. In Ops Manager v2.0, both versions of the BOSH CLI have been renamed.

If you used BOSH CLI v2+ in earlier versions of Ops Manager, you ran commands using bosh2. In Ops Manager v2.0, run the same commands using bosh. For example, see the following table to compare the changes to the bosh vms command:

BOSH CLI Version    PCF v1.12              PCF v2.0
BOSH CLI v1         bosh vms               bosh-old vms
BOSH CLI v2+        bosh2 -e MY-ENV vms    bosh -e MY-ENV vms

Many BOSH CLI v1 commands are incompatible with the BOSH Director. Pivotal recommends using BOSH CLI v2+ commands for compatibility with future versions of PCF.

BOSH NATS Traffic Uses TLS

The BOSH Director communicates with the agents in your deployment over NATS. For added security, Ops Manager v2.0 sends all NATS traffic using Transport Layer Security (TLS) encryption.

See Component: Messaging (NATS) for more information about NATS.

BOSH DNS Service Discovery (Beta) and Opt-Out Option

In PCF v2.0, application containers look up services using the BOSH DNS service discovery mechanism. To support this lookup, BOSH Director colocates a BOSH DNS server on every deployed VM.

Since the BOSH DNS feature is beta in PCF v2.0, Pivotal recommends that you deploy or upgrade your PCF v2.0 deployment first on a non-production environment.

You can opt out of deploying BOSH DNS servers on every VM by selecting the Disable BOSH DNS server for troubleshooting purposes option in Operations Manager. For more information on this configuration option, see the Configuring Ops Manager Director instructions for your IaaS. For example, if you are deploying PCF on GCP, see Configuring Ops Manager Director on GCP.

For more information about disabling BOSH DNS, see Disabling or Opting Out of BOSH DNS in PCF in the Pivotal Knowledge Base.

BOSH System Metrics Server Colocated on BOSH Director

Ops Manager v2.0 colocates the new BOSH Metrics Server on the BOSH Director and includes a UAA client with the correct authorities and scopes. This colocation allows BOSH system metrics to flow into the Loggregator system by default.

For more information about this feature, see the BOSH System Metrics Forwarder section in the Overview of the Loggregator System topic and BOSH System Metrics Available in Loggregator Firehose in the PAS Release Notes.

VMware NSX-T Networking Support

Ops Manager v2.0 adds support for VMware NSX-T networking. NSX is a networking solution for VMware that provides a firewall, load balancing, and NAT/SNAT services for PCF. NSX-T is intended to work across multiple clouds and provide networking for container platforms. Previous versions of Ops Manager supported NSX-V.

When you upgrade from a previous version of Ops Manager with NSX networking enabled, Ops Manager defaults to NSX-V. The NSX-T integration is only for fresh installs of PCF. You can enable NSX-T networking by selecting NSX-T in the new NSX Mode dropdown menu of the vCenter Config pane.

See Configuring Ops Manager on vSphere for more information.

Operators can additionally use the NSX Manager to configure policies for PCF applications. See the NSX-T Container Plug-in for Kubernetes and Cloud Foundry - Installation and Administration Guide for more information.

Note: You must have NSX-T v2.1 installed to use this integration.

Note: The IPSec add-on is not supported with NSX-T.

Breaking Change: If you opt out of the BOSH DNS feature, your PCF deployment cannot support NSX-T networking.

Ops Manager Minimum Disk Size Warning

In Ops Manager v2.0, the web interface displays a warning banner if the Ops Manager appliance VM disk is less than 50 GB in size. If this warning appears, resize your Ops Manager VM disk to 50 GB or larger.

See the Ops Manager installation topic for your IaaS for more information:

Configure Colocated Errands

Tile authors can configure the errands defined in their product tile to run on existing VMs in a deployment. Colocated errands run faster than traditional errands and use fewer resources, including disk and IP space.

See Tile Errands in the PCF Tile Developers Guide for more information.

Configure Tiles with Runtime Configs

Tile authors can include runtime_configs as a top-level key in tile metadata to define global deployment configurations. Named runtime config settings apply to all VMs in a deployment.

Ops Manager v2.0 supports defining any number of runtime_configs in an existing tile. Tile authors can also create a tile that includes only a runtime config and does not define any job types or errands.

See Managing Runtime Configs in the PCF Tile Developers Guide for more information.

Named Manifests

Ops Manager v2.0 supports specifying and rendering named manifests in a collection property. For more information, see the named_manifest section of the Product Template Reference topic.

Bug Fixes

  • [Bug Fix] Ops Manager v2.0 fixes a bug where the UI showed a confusing name for a collection record starting with a certificate.
  • [Bug Fix] Ops Manager v2.0 fixes a bug where the stemcell hardening work unexpectedly blocked non-root access to ping Ops Manager, resulting in a verification error.
  • [Bug Fix] Ops Manager v2.0 fixes a bug where changes could not be applied until BOSH Director was deployed.
  • [Bug Fix] Ops Manager v2.0 fixes a bug where the dashboard took a long time to load.
  • [Bug Fix] Ops Manager v2.0 fixes a bug where BOSH Director failed to create certifications because the BOSH agent certification was created for the wrong network.

Known Issues

AWS KMS Encryption Requires Manual Refresh

If you select Encrypt EBS Volumes in the AWS Config pane of your AWS BOSH Director tile, only future BOSH-deployed VMs are encrypted. To manually trigger current BOSH VMs to encrypt their persistent disks, ephemeral disks, and root disk, you must make the following changes, one for each disk type:

  • For persistent disks: In the Resource Config pane, bump the persistent disk of each job.
  • For ephemeral disks: In the Director Config pane, enable Recreate all VMs for the next deployment.
  • For the root disk: Stage new stemcells.

This known issue will not affect you if you enable Encrypt EBS Volumes on your first deploy.

For more information about the AWS KMS feature introduced in v2.0.4, see Configuring Amazon EBS Encryption.
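
To confirm which existing volumes still need the manual steps above, the following added example (not part of the Pivotal documentation) audits JSON in the shape returned by `aws ec2 describe-volumes` for volumes that are unencrypted or encrypted with a key other than the custom one. The sample data, IDs, and key ARNs are constructed placeholders, the function name audit_volumes is hypothetical, and the expected key is assumed to be given as a full key ARN.

```python
# Constructed placeholders: key ARNs, instance IDs and volume IDs are not real.
EXPECTED_KEY = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-CUSTOM-KEY"
OTHER_KEY = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-OTHER-KEY"

# Constructed sample in the shape of `aws ec2 describe-volumes` output.
SAMPLE = {"Volumes": [
    {"VolumeId": "vol-0aaa", "Encrypted": True, "KmsKeyId": EXPECTED_KEY,
     "Attachments": [{"InstanceId": "i-0new01", "Device": "/dev/xvda"}]},
    {"VolumeId": "vol-0bbb", "Encrypted": False,
     "Attachments": [{"InstanceId": "i-0old01", "Device": "/dev/xvda"}]},
    {"VolumeId": "vol-0ccc", "Encrypted": False,
     "Attachments": [{"InstanceId": "i-0old01", "Device": "/dev/sdf"}]},
    {"VolumeId": "vol-0ddd", "Encrypted": True, "KmsKeyId": OTHER_KEY,
     "Attachments": []},
]}


def audit_volumes(describe_volumes, expected_key_arn):
    """Group non-compliant volumes by instance.

    Returns {instance_id: [(volume_id, device, reason), ...]} where reason is
    "unencrypted" or "wrong-key". Volumes encrypted with the expected key are
    omitted; detached volumes are reported under "unattached".
    """
    findings = {}
    for vol in describe_volumes.get("Volumes", []):
        if not vol.get("Encrypted", False):
            reason = "unencrypted"
        elif vol.get("KmsKeyId") != expected_key_arn:
            reason = "wrong-key"
        else:
            continue
        # A detached volume has an empty Attachments list; still report it.
        for att in vol.get("Attachments") or [{}]:
            instance = att.get("InstanceId", "unattached")
            findings.setdefault(instance, []).append(
                (vol["VolumeId"], att.get("Device", "-"), reason))
    return findings


if __name__ == "__main__":
    for instance, vols in sorted(audit_volumes(SAMPLE, EXPECTED_KEY).items()):
        for volume_id, device, reason in vols:
            print(f"{instance}\t{volume_id}\t{device}\t{reason}")
```

An empty result after the next deployment indicates that every listed volume is encrypted with the custom key.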
