Pivotal Application Service v2.0 Release Notes

Pivotal Cloud Foundry is certified by the Cloud Foundry Foundation for 2018.

Note: Elastic Runtime has been renamed Pivotal Application Service.

Releases

NOTE: If you have versions of PAS and IST prior to 2.0.15 installed, you will have to update them together when upgrading to 2.0.15+.

2.0.20

  • [Bug Fix] Apps manager: Fix crash on app page overview tab when spring health endpoint returns an array of objects instead of an array of strings

  • Bump cf-smoke-tests to version 40.0.6

  • Bump cflinuxfs2 to version 1.228.0

  • Bump push-apps-manager-release to version 663.0.25

  • Bump routing to version 0.168.9

  • Bump stemcell to version 3468.55

component version
stemcell 3468.55
backup-and-restore-sdk 1.2.1
binary-offline-buildpack 1.0.21
bosh-dns-aliases 0.0.1
bosh-system-metrics-forwarder 0.0.11
capi 1.44.37
cf-autoscaling 104.3
cf-backup-and-restore 0.0.10
cf-mysql 36.10.0
cf-networking 1.8.5
cf-smoke-tests 40.0.6
cf-syslog-drain 2
cflinuxfs2 1.228.0
consul 195
credhub 1.6.10
diego 1.32.5
dotnet-core-offline-buildpack 2.1.3
garden-runc 1.13.3
go-offline-buildpack 1.8.25
haproxy 8.4.2
java-offline-buildpack 4.13.1
loggregator 99.3
mysql-backup 2.1.0
mysql-monitoring 8.20.0
nats 24
nfs-volume 1.2.1
nodejs-offline-buildpack 1.6.28
notifications 44
notifications-ui 31
php-offline-buildpack 4.3.57
pivotal-account 1.8.8
push-apps-manager-release 663.0.25
push-usage-service-release 664.0.11
python-offline-buildpack 1.6.18
routing 0.168.9
ruby-offline-buildpack 1.7.21
service-backup 18.1.5
staticfile-offline-buildpack 1.4.29
statsd-injector 1.0.30
syslog-migration 10.0.2
uaa 52.10
\* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

2.0.19

  • [Security Fix] Bump pivotal account to 1.8.8
  • [Feature Improvement] Loggregator agent egresses preferred tags instead of DeprecatedTags in loggregator envelopes. This fixes a high CPU issue in the Doppler cluster.
  • [Feature Improvement] Fix issue where fileserver assets were not correctly invalidated in Diego cell caches after an upgrade
  • [Feature Improvement] capi /v2/info endpoint returns additional metadata for name, build and description
  • [Feature Improvement] Allow operators to configure application health check timeout in PAS
  • [Bug Fix] Apps using a Docker image from an insecure registry configured in the Private Docker Insecure Registry Whitelist can now be staged successfully.
  • [Bug Fix] Fix option “HAProxy requests but does not require client certificates.”
  • [Bug Fix] Fix intermittent errand failure in pivotal account
  • [Bug Fix] Bump Cloud Controller to no longer return a “503: Stats Server Unavailable error” when container metrics are not available.
  • [Bug Fix] Bump apps manager with changes
    • When creating new services, no longer show org-scoped services from other organizations
    • On the App page Overview tab, autoscaling state is now properly reflected
    • Fix manage autoscale link
  • [Bug Fix] Docker image based app resource reporting correctly includes image size in disk usage
  • [Bug Fix] Set cloud controller staging timeout value on all cloud controller jobs to allow large apps to stage before the timeout.

  • Bump capi to version 1.44.37

  • Bump diego to version 1.32.5

  • Bump java-offline-buildpack to version 4.13.1

  • Bump loggregator to version 99.3

  • Bump mysql-monitoring to version 8.20.0

  • Bump pivotal-account to version 1.8.8

  • Bump push-apps-manager-release to version 663.0.23

  • Bump stemcell to version 3468.54

component version
stemcell 3468.54
backup-and-restore-sdk 1.2.1
binary-offline-buildpack 1.0.21
bosh-dns-aliases 0.0.1
bosh-system-metrics-forwarder 0.0.11
capi 1.44.37
cf-autoscaling 104.3
cf-backup-and-restore 0.0.10
cf-mysql 36.10.0
cf-networking 1.8.5
cf-smoke-tests 40.0.5
cf-syslog-drain 2
cflinuxfs2 1.227.0
consul 195
credhub 1.6.10
diego 1.32.5
dotnet-core-offline-buildpack 2.1.3
garden-runc 1.13.3
go-offline-buildpack 1.8.25
haproxy 8.4.2
java-offline-buildpack 4.13.1
loggregator 99.3
mysql-backup 2.1.0
mysql-monitoring 8.20.0
nats 24
nfs-volume 1.2.1
nodejs-offline-buildpack 1.6.28
notifications 44
notifications-ui 31
php-offline-buildpack 4.3.57
pivotal-account 1.8.8
push-apps-manager-release 663.0.23
push-usage-service-release 664.0.11
python-offline-buildpack 1.6.18
routing 0.168.8\*
ruby-offline-buildpack 1.7.21
service-backup 18.1.5
staticfile-offline-buildpack 1.4.29
statsd-injector 1.0.30
syslog-migration 10.0.2
uaa 52.10
\* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

2.0.18

  • [Feature Improvement] Add ability to configure HAproxy client certificate verification
  • [Security Fix] Bump UAA for [CVE-2018-11047](https://www.cloudfoundry.org/blog/cve-2018-11047/)

  • Bump cflinuxfs2 to version 1.227.0

  • Bump java-offline-buildpack to version 4.13

  • Bump uaa to version 52.10

component version
stemcell 3468.51
backup-and-restore-sdk 1.2.1
binary-offline-buildpack 1.0.21
bosh-dns-aliases 0.0.1
bosh-system-metrics-forwarder 0.0.11
capi 1.44.34
cf-autoscaling 104.3
cf-backup-and-restore 0.0.10
cf-mysql 36.10.0
cf-networking 1.8.5
cf-smoke-tests 40.0.5
cf-syslog-drain 2
cflinuxfs2 1.227.0
consul 195
credhub 1.6.10
diego 1.32.3\*
dotnet-core-offline-buildpack 2.1.3
garden-runc 1.13.3
go-offline-buildpack 1.8.25
haproxy 8.4.2
java-offline-buildpack 4.13
loggregator 99.1
mysql-backup 2.1.0
mysql-monitoring 8.18.0
nats 24
nfs-volume 1.2.1
nodejs-offline-buildpack 1.6.28
notifications 44
notifications-ui 31
php-offline-buildpack 4.3.57
pivotal-account 1.8.5
push-apps-manager-release 663.0.21
push-usage-service-release 664.0.11
python-offline-buildpack 1.6.18
routing 0.168.8\*
ruby-offline-buildpack 1.7.21
service-backup 18.1.5
staticfile-offline-buildpack 1.4.29
statsd-injector 1.0.30
syslog-migration 10.0.2
uaa 52.10
\* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

2.0.17

  • [Feature Improvement] Cloud Controller logs CEF to file that can be picked up by syslog
  • [Feature Improvement] Allows PCF Metrics to be installed with both v1.5 and v1.4 versions to prevent data loss.
  • [Bug Fix] Bump cf-smoke-tests-release to 40.0.5 to fix some flakiness
  • [Security Fix] Bump UAA for CVE-2018-11041
  • [Security Fix] Bump apps manager for CVE-2018-11044
    • Org Managers and Admins can leave organizations
  • [Security Fix] Bump loggregator release for CVE-2018-1268 and CVE-2018-1269
  • [Bug Fix] Bump consul to v195
    • Includes golang 1.9.7, removes golang 1.8.*.
    • Deploying v193 could fail on some deployments due to a conflict with other tiles that compiled the release differently
    • Fixes intermittent consul DNS issues on Windows Cells
  • [Bug Fix] Bump credhub to resolve issue where BBR restore could fail with clustered Credhub deployments

  • Bump binary-offline-buildpack to version 1.0.21

  • Bump capi to version 1.44.34

  • Bump cf-smoke-tests to version 40.0.5

  • Bump cflinuxfs2 to version 1.223.0

  • Bump consul to version 195

  • Bump credhub to version 1.6.10

  • Bump dotnet-core-offline-buildpack to version 2.1.3

  • Bump go-offline-buildpack to version 1.8.25

  • Bump loggregator to version 99.1

  • Bump nodejs-offline-buildpack to version 1.6.28

  • Bump php-offline-buildpack to version 4.3.57

  • Bump push-apps-manager-release to version 663.0.21

  • Bump python-offline-buildpack to version 1.6.18

  • Bump ruby-offline-buildpack to version 1.7.21

  • Bump staticfile-offline-buildpack to version 1.4.29

  • Bump uaa to version 52.9

  • Bump stemcell to version 3468.51

component version
stemcell 3468.51
backup-and-restore-sdk 1.2.1
binary-offline-buildpack 1.0.21
bosh-dns-aliases 0.0.1
bosh-system-metrics-forwarder 0.0.11
capi 1.44.34
cf-autoscaling 104.3
cf-backup-and-restore 0.0.10
cf-mysql 36.10.0
cf-networking 1.8.5
cf-smoke-tests 40.0.5
cf-syslog-drain 2
cflinuxfs2 1.223.0
consul 195
credhub 1.6.10
diego 1.32.3\*
dotnet-core-offline-buildpack 2.1.3
garden-runc 1.13.3
go-offline-buildpack 1.8.25
haproxy 8.4.2
java-offline-buildpack 4.12.1
loggregator 99.1
mysql-backup 2.1.0
mysql-monitoring 8.18.0
nats 24
nfs-volume 1.2.1
nodejs-offline-buildpack 1.6.28
notifications 44
notifications-ui 31
php-offline-buildpack 4.3.57
pivotal-account 1.8.5
push-apps-manager-release 663.0.21
push-usage-service-release 664.0.11
python-offline-buildpack 1.6.18
routing 0.168.8\*
ruby-offline-buildpack 1.7.21
service-backup 18.1.5
staticfile-offline-buildpack 1.4.29
statsd-injector 1.0.30
syslog-migration 10.0.2
uaa 52.9
\* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

2.0.16

  • [Security Fix] Bump diego to version 1.32.3
  • [Security Fix] Bump pivotal-account to version 1.8.5
  • [Bug Fix] Bump nfs-volume-release to version 1.2.1
    • Fix incompatibility with new garden-runc release when using read-only NFS volume mounts
  • [Bug Fix] Bump garden to version 1.13.3
    • Fix issue with deleted files in application containers created from docker images
  • [Bug Fix] Update autoscaler default instance count to 1 to avoid issue with distributed consensus
  • [Feature Improvement] Bump notifications-ui to version 33
    • Add cookie setting to notifications-ui for GDPR compliance
  • [Feature Improvement] CF Networking database connection timeouts are now configurable
  • [Feature Improvement] Max connections for the Internal MySQL Database are now configurable
  • Bump cflinuxfs2 to version 1.219.0
  • Bump consul to version 193 to use go 1.9
  • Bump dotnet-core-offline-buildpack to version 2.0.7
  • Bump go-offline-buildpack to version 1.8.23
  • Bump java-offline-buildpack to version 4.12.1
  • Bump nodejs-offline-buildpack to version 1.6.25
  • Bump php-offline-buildpack to version 4.3.56
  • Bump python-offline-buildpack to version 1.6.17
  • Bump ruby-offline-buildpack to version 1.7.19
  • Bump staticfile-offline-buildpack to version 1.4.28
  • Bump stemcell to version 3468.46
component version
stemcell 3468.46
backup-and-restore-sdk 1.2.1
binary-offline-buildpack 1.0.18
bosh-dns-aliases 0.0.1
bosh-system-metrics-forwarder 0.0.11
capi 1.44.3\*
cf-autoscaling 104.3
cf-backup-and-restore 0.0.10
cf-mysql 36.10.0
cf-networking 1.8.5
cf-smoke-tests 39
cf-syslog-drain 2
cflinuxfs2 1.219.0
consul 193
credhub 1.6.5
diego 1.32.3\*
dotnet-core-offline-buildpack 2.0.7
garden-runc 1.13.3
go-offline-buildpack 1.8.23
haproxy 8.4.2
java-offline-buildpack 4.12.1
loggregator 99\*
mysql-backup 2.1.0
mysql-monitoring 8.18.0
nats 24
nfs-volume 1.2.1
nodejs-offline-buildpack 1.6.25
notifications 44
notifications-ui 31
php-offline-buildpack 4.3.56
pivotal-account 1.8.5
push-apps-manager-release 663.0.20
push-usage-service-release 664.0.11
python-offline-buildpack 1.6.17
routing 0.168.8\*
ruby-offline-buildpack 1.7.19
service-backup 18.1.5
staticfile-offline-buildpack 1.4.28
statsd-injector 1.0.30
syslog-migration 10.0.2
uaa 52.8
\* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

2.0.15

  • [Security Fix] Bump cflinuxfs2 to version 1.210.0:
  • [Security Fix] Bump cf-networking to version 1.8.5
    • Patch possible SQL injection attack
  • Update grootfs checkbox to indicate that recreating VMs is recommended
  • Bump capi to version 1.44.3
    • Updated Azure fog gems to improve reliability when using an Azure blobstore
  • Bump nats to version 24
    • Bump go to 1.10.1
  • Bump push-apps-manager-release to version 663.0.20
    • Usage report page takes into account renamed spaces
    • Only show jobs for the app on the app page task tab
    • When detecting whether a service instance for the Scheduler service exists, take the current space into account
    • Fix bug that causes app to crash on app page settings tab
  • Bump java-offline-buildpack to version 4.12
component version
stemcell 3468.42
backup-and-restore-sdk 1.2.1
binary-offline-buildpack 1.0.18
bosh-dns-aliases 0.0.1
bosh-system-metrics-forwarder 0.0.11
capi 1.44.3\*
cf-autoscaling 104.3
cf-backup-and-restore 0.0.10
cf-mysql 36.10.0
cf-networking 1.8.5
cf-smoke-tests 39
cf-syslog-drain 2
cflinuxfs2 1.210.0
consul 187
credhub 1.6.5
diego 1.32.2\*
dotnet-core-offline-buildpack 2.0.6
garden-runc 1.13.1
go-offline-buildpack 1.8.21
haproxy 8.4.2
java-offline-buildpack 4.12.0
loggregator 99\*
mysql-backup 2.1.0
mysql-monitoring 8.18.0
nats 24
nfs-volume 1.1.3
nodejs-offline-buildpack 1.6.23
notifications 44
notifications-ui 31
php-offline-buildpack 4.3.54
pivotal-account 1.8.2
push-apps-manager-release 663.0.20
push-usage-service-release 664.0.11
python-offline-buildpack 1.6.15
routing 0.168.8\*
ruby-offline-buildpack 1.7.18
service-backup 18.1.5
staticfile-offline-buildpack 1.4.27
statsd-injector 1.0.30
syslog-migration 10.0.2
uaa 52.8
\* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

2.0.14

  • [Security Fix] Bump stemcell to v3468.42:
  • [Security Fix] Bump cflinuxfs2-release to v1.201.0:
  • [Feature Improvement] Bump routing-release to v0.168.8 to enable operator to disable logging of client IPs, in compliance with the EU General Data Protection Regulation (GDPR).
  • [Feature Improvement] Bump apps-manager-release to v663.0.19:
    • When binding a service instance, notify the user to restage their app from the CLI.
    • When logged-in user can see no apps, show “No results” instead of “Loading…” in the app search.
  • [Feature Improvement] Increase UAA session cookie max age to 8 hours.
  • Bump mysql-monitoring-release to v8.18.0.
  • Bumps the following buildpacks:
    • Nodejs-offline-buildpack to v1.6.23.
    • Php-offline-buildpack to v4.3.54.
    • Python-offline-buildpack to v1.6.15.
    • Ruby-offline-buildpack to v1.7.18.
component version
stemcell 3468.42
backup-and-restore-sdk 1.2.1
binary-offline-buildpack 1.0.18
bosh-dns-aliases 0.0.1
bosh-system-metrics-forwarder 0.0.11
capi 1.44.32\*
cf-autoscaling 104.3
cf-backup-and-restore 0.0.10
cf-mysql 36.10.0
cf-networking 1.8.1
cf-smoke-tests 39
cf-syslog-drain 2
cflinuxfs2 1.201.0
consul 187
credhub 1.6.5
diego 1.32.2\*
dotnet-core-offline-buildpack 2.0.6
garden-runc 1.13.1
go-offline-buildpack 1.8.21
haproxy 8.4.2
java-offline-buildpack 4.10.0
loggregator 99\*
mysql-backup 2.1.0
mysql-monitoring 8.18.0
nats 22
nfs-volume 1.1.3
nodejs-offline-buildpack 1.6.23
notifications 44
notifications-ui 31
php-offline-buildpack 4.3.54
pivotal-account 1.8.2
push-apps-manager-release 663.0.19
push-usage-service-release 664.0.11
python-offline-buildpack 1.6.15
routing 0.168.8\*
ruby-offline-buildpack 1.7.18
service-backup 18.1.5
staticfile-offline-buildpack 1.4.27
statsd-injector 1.0.30
syslog-migration 10.0.2
uaa 52.8
\* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

2.0.13

  • [Security Fix] Bumps garden-release to v1.13.1 for CVE-2018-1277.
  • [Bug Fix] Bumps autoscaling-release to v104.3 to use CF CLI v6.36.1.
  • [Bug Fix] Bumps capi-release to v1.44.32 to prevent duplicate app usage events.
  • [Feature Improvement] Bumps diego-release to v1.32.2 to add cell and instance identifiers in the container lifecycle logs.
  • [Feature Improvement] Bumps apps-manager-release to v663.0.18:
    • Introduce custom memory limit setting for Apps Manager and invitation apps.
    • Show full page error when critical env vars are not set.
    • App last push time now reflects time of most recent ready package.
    • Introduce flag to hide app search bar.
    • App search bar queries apps only when focused.
    • Tell user to re-stage app after binding a service.
    • Fix invite member email input.
  • Bumps the following buildpacks:
    • Binary-offline-buildpack to v1.0.18.
    • Dotnet-core-offline-buildpack to v2.0.6.
    • Go-offline-buildpack to v1.8.21.
    • Java-offline-buildpack to v4.10.0.
    • Nodejs-offline-buildpack to v1.6.22.
    • Php-offline-buildpack to v4.3.53.
    • Python-offline-buildpack to v1.6.14.
    • Ruby-offline-buildpack to v1.7.16.
    • Staticfile-offline-buildpack to v1.4.27.
Component Version
Stemcell 3468.30
backup-and-restore-sdk 1.2.1
binary-offline-buildpack 1.0.18
bosh-dns-aliases 0.0.1
bosh-system-metrics-forwarder 0.0.11
capi 1.44.32\*
cf-autoscaling 104.3
cf-backup-and-restore 0.0.10
cf-mysql 36.10.0
cf-networking 1.8.1
cf-smoke-tests 39
cf-syslog-drain 2
cflinuxfs2 1.196.0
consul 187
credhub 1.6.5
diego 1.32.2\*
dotnet-core-offline-buildpack 2.0.6
garden-runc 1.13.1
go-offline-buildpack 1.8.21
haproxy 8.4.2
java-offline-buildpack 4.10.0
loggregator 99\*
mysql-backup 2.1.0
mysql-monitoring 8.14.0
nats 22
nfs-volume 1.1.3
nodejs-offline-buildpack 1.6.22
notifications 44
notifications-ui 31
php-offline-buildpack 4.3.53
pivotal-account 1.8.2
push-apps-manager-release 663.0.18
push-usage-service-release 664.0.11
python-offline-buildpack 1.6.14
routing 0.168.7\*
ruby-offline-buildpack 1.7.16
service-backup 18.1.5
staticfile-offline-buildpack 1.4.27
statsd-injector 1.0.30
syslog-migration 10.0.2
uaa 52.8
\* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

2.0.12

  • [Security Fix] Bumps cflinuxfs2 to v1.196.0:
  • [Security Fix] Bumps stemcell to v3468.30:
  • [Bug Fix] Bumps syslog-migration-release to v10.0.2:
    • Stop blackbox logs from being written to the default syslog log files, so that logs are not written to disk 3 additional times.
    • Fix RFC 5424 compatibility by ensuring only 1 space occurs between the message and the structured data.
  • [Bug Fix] Fixes a bug that caused the Cloud Controller sync job to fail when pushing an app with TCP routing enabled, which causes Diego to not know if its desired state is consistent with Cloud Controller.
  • [Feature Improvement] Bumps capi-release to v1.44.31 to improve database connection validation.
Component Version
Stemcell 3468.30
backup-and-restore-sdk 1.2.1
binary-offline-buildpack 1.0.15
bosh-dns-aliases 0.0.1
bosh-system-metrics-forwarder 0.0.11
capi 1.44.31\*
cf-autoscaling 104.2
cf-backup-and-restore 0.0.10
cf-mysql 36.10.0
cf-networking 1.8.1
cf-smoke-tests 39
cf-syslog-drain 2
cflinuxfs2 1.196.0
consul 187
credhub 1.6.5
diego 1.32.1\*
dotnet-core-offline-buildpack 2.0.1
garden-runc 1.12.1
go-offline-buildpack 1.8.16
haproxy 8.4.2
java-offline-buildpack 4.8
loggregator 99\*
mysql-backup 2.1.0
mysql-monitoring 8.14.0
nats 22
nfs-volume 1.1.3
nodejs-offline-buildpack 1.6.15
notifications 44
notifications-ui 31
php-offline-buildpack 4.3.48
pivotal-account 1.8.2
push-apps-manager-release 663.0.14
push-usage-service-release 664.0.11
python-offline-buildpack 1.6.7
routing 0.168.7\*
ruby-offline-buildpack 1.7.11
service-backup 18.1.5
staticfile-offline-buildpack 1.4.21
statsd-injector 1.0.30
syslog-migration 10.0.2
uaa 52.8
\* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

2.0.11

  • [Bug Fix] Bumps capi-release to v1.44.30 to prevent app upload from failing when the app has broken symlinks.
  • [Bug Fix] Bumps autoscaler-release to v104.2 to fix issue where brief periods of cloud controller downtime could cause autoscaler to become disabled.
  • [Bug Fix] Bumps apps-manager-release to v663.0.14:
    • Reintroduce cache busting for js/css files.
    • Fixed a bug that would cause apps manager to fail to load when environment variables contained newlines.
    • Fix headers for endpoints that we serve.
    • Updated the CF CLI that is used to push Apps Manager and Invitations.
  • [Feature Improvement] Updates the Small Footprint PAS tile name from “PCF Small Footprint” to “Small Footprint PAS”.
  • [Feature Improvement] Adds bosh-dns alias for UAA. This allows service brokers deployed as applications to resolve UAA’s DNS address and authenticate.
Component Version
Stemcell 3468.25
backup-and-restore-sdk 1.2.1
binary-offline-buildpack 1.0.15
bosh-dns-aliases 0.0.1
bosh-system-metrics-forwarder 0.0.11
capi 1.44.30\*
cf-autoscaling 104.2
cf-backup-and-restore 0.0.10
cf-mysql 36.10.0
cf-networking 1.8.1
cf-smoke-tests 39
cf-syslog-drain 2
cflinuxfs2 1.188.0
consul 187
credhub 1.6.5
diego 1.32.1\*
dotnet-core-offline-buildpack 2.0.1
garden-runc 1.12.1
go-offline-buildpack 1.8.16
haproxy 8.4.2
java-offline-buildpack 4.8
loggregator 99\*
mysql-backup 2.1.0
mysql-monitoring 8.14.0
nats 22
nfs-volume 1.1.3
nodejs-offline-buildpack 1.6.15
notifications 44
notifications-ui 31
php-offline-buildpack 4.3.48
pivotal-account 1.8.2
push-apps-manager-release 663.0.14
push-usage-service-release 664.0.11
python-offline-buildpack 1.6.7
routing 0.168.7\*
ruby-offline-buildpack 1.7.11
service-backup 18.1.5
staticfile-offline-buildpack 1.4.21
statsd-injector 1.0.30
syslog-migration 10.0.1
uaa 52.8
\* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

2.0.10

  • [Bug Fix] Bumps apps-manager-release to v663.0.11.
    • [IE] Fixes alignment of the app search bar in the header.
    • Checks if the user has permission to view autoscale bindings before making the request, which prevents the app page from having an error when refreshing.
    • Fixes a bug that prevented mid-level fetch tasks from being cleared when switching routes and on the 30 second refresh.
    • Fixes a bug that caused marketplace service plans to show “No price available”.
  • [Bug Fix] Bumps uaa-release to v52.8:
    • Updates JDK version to 8u162.
  • [Security Fix] Bumps capi-release to 1.44.29:
    • CVE-2018-1266: Fixes random number guessing exploit.
    • Fixes buildpack pagination.
Component Version
Stemcell 3468.25
backup-and-restore-sdk 1.2.1
binary-offline-buildpack 1.0.15
bosh-dns-aliases 0.0.1
bosh-system-metrics-forwarder 0.0.11
capi 1.44.29\*
cf-autoscaling 104
cf-backup-and-restore 0.0.10
cf-mysql 36.10.0
cf-networking 1.8.1
cf-smoke-tests 39
cf-syslog-drain 2
cflinuxfs2 1.188.0
consul 187
credhub 1.6.5
diego 1.32.1\*
dotnet-core-offline-buildpack 2.0.1
garden-runc 1.12.1
go-offline-buildpack 1.8.16
haproxy 8.4.2
java-offline-buildpack 4.8
loggregator 99\*
mysql-backup 2.1.0
mysql-monitoring 8.14.0
nats 22
nfs-volume 1.1.3
nodejs-offline-buildpack 1.6.15
notifications 44
notifications-ui 31
php-offline-buildpack 4.3.48
pivotal-account 1.8.2
push-apps-manager-release 663.0.11
push-usage-service-release 664.0.11
python-offline-buildpack 1.6.7
routing 0.168.7\*
ruby-offline-buildpack 1.7.11
service-backup 18.1.5
staticfile-offline-buildpack 1.4.21
statsd-injector 1.0.30
syslog-migration 10.0.1
uaa 52.8
\* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

2.0.9

  • [Feature Improvement] Bump garden-runc-release to v1.12.1:
    • Includes fix for bug where users’ files could go missing in docker-based applications.
  • [Bug Fix] Bumps routing-release to 0.168.7:
    • Removes backends on any error to prevent 502 errors from being returned to clients.
    • Updates golang to v1.9.4.
  • [Bug Fix] Removes unneeded persistent disk from Diego Brain VMs.
Component Version
Stemcell 3468.25
backup-and-restore-sdk 1.2.1
binary-offline-buildpack 1.0.15
bosh-dns-aliases 0.0.1
bosh-system-metrics-forwarder 0.0.11
capi 1.44.27\*
cf-autoscaling 104
cf-backup-and-restore 0.0.10
cf-mysql 36.10.0
cf-networking 1.8.1
cf-smoke-tests 39
cf-syslog-drain 2
cflinuxfs2 1.188.0
consul 187
credhub 1.6.5
diego 1.32.1\*
dotnet-core-offline-buildpack 2.0.1
garden-runc 1.12.1
go-offline-buildpack 1.8.16
haproxy 8.4.2
java-offline-buildpack 4.8
loggregator 99\*
mysql-backup 2.1.0
mysql-monitoring 8.14.0
nats 22
nfs-volume 1.1.3
nodejs-offline-buildpack 1.6.15
notifications 44
notifications-ui 31
php-offline-buildpack 4.3.48
pivotal-account 1.8.2
push-apps-manager-release 663.0.10
push-usage-service-release 664.0.11
python-offline-buildpack 1.6.7
routing 0.168.7\*
ruby-offline-buildpack 1.7.11
service-backup 18.1.5
staticfile-offline-buildpack 1.4.21
statsd-injector 1.0.30
syslog-migration 10.0.1
uaa 52.7
\* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

2.0.8

  • [Feature Improvement] Bumps apps-manager to 663.0.10, which uses nginx and the staticfile buildpack.
  • [Bug Fix] Bumps capi-release to version 1.44.27
    • API no longer loads all users into an array in memory
  • [Bug Fix] Bumps diego-release to version 1.32.1
    • Docker app lifecycle allows unsigned manifests
  • [Bug Fix] Cloud Controller is configured to set cc.diego.pid_limit to 0 (unlimited) so that application instances that create many threads do not crash. The limit previously defaulted to 1024.
Component Version
Stemcell 3468.25
backup-and-restore-sdk 1.2.1
binary-offline-buildpack 1.0.15
bosh-dns-aliases 0.0.1
bosh-system-metrics-forwarder 0.0.11
capi 1.44.27\*
cf-autoscaling 104
cf-backup-and-restore 0.0.10
cf-mysql 36.10.0
cf-networking 1.8.1
cf-smoke-tests 39
cf-syslog-drain 2
cflinuxfs2 1.188.0
consul 187
credhub 1.6.5
diego 1.32.1\*
dotnet-core-offline-buildpack 2.0.1
garden-runc 1.11.1
go-offline-buildpack 1.8.16
haproxy 8.4.2
java-offline-buildpack 4.8
loggregator 99\*
mysql-backup 2.1.0
mysql-monitoring 8.14.0
nats 22
nfs-volume 1.1.3
nodejs-offline-buildpack 1.6.15
notifications 44
notifications-ui 31
php-offline-buildpack 4.3.48
pivotal-account 1.8.2
push-apps-manager-release 663.0.10
push-usage-service-release 664.0.11
python-offline-buildpack 1.6.7
routing 0.168.0
ruby-offline-buildpack 1.7.11
service-backup 18.1.5
staticfile-offline-buildpack 1.4.21
statsd-injector 1.0.30
syslog-migration 10.0.1
uaa 52.7
\* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

2.0.7

Note: Due to an update to garden-runc-release, Pivotal recommends that you re-create all VMs when you upgrade to PAS v2.0.7 and later without also updating your stemcell. See Some Upgrades Require VM Re-Create for details.

  • [Security Fix] Bumps stemcell from version 3468.21 to version 3468.25 to address issues:
  • [Security Fix] Bumps cflinuxfs2-release from v181.0 to v1.188.0 to address issues:
  • [Feature Improvement] Bumps garden-runc-release to v1.11.1 which includes grootfs root filesystem by default.
  • [Feature Improvement] Patches cloud controller so users with admin_read_only scope can view stats for apps, which is needed by the cf v3-apps command.
  • [Bug Fix] Fix link to documentation in apps manager UI
Component Version
Stemcell 3468.25
backup-and-restore-sdk 1.2.1
binary-offline-buildpack 1.0.15
bosh-dns-aliases 0.0.1
bosh-system-metrics-forwarder 0.0.11
capi 1.44.0\*
cf-autoscaling 104
cf-backup-and-restore 0.0.10
cf-mysql 36.10.0
cf-networking 1.8.1
cf-smoke-tests 39
cf-syslog-drain 2
cflinuxfs2 1.188.0
consul 187
credhub 1.6.5
diego 1.29.0
dotnet-core-offline-buildpack 2.0.1
garden-runc 1.11.1
go-offline-buildpack 1.8.16
haproxy 8.4.2
java-offline-buildpack 4.8
loggregator 99\*
mysql-backup 2.1.0
mysql-monitoring 8.14.0
nats 22
nfs-volume 1.1.3
nodejs-offline-buildpack 1.6.15
notifications 44
notifications-ui 31
php-offline-buildpack 4.3.48
pivotal-account 1.8.2
push-apps-manager-release 663.0.8
push-usage-service-release 664.0.11
python-offline-buildpack 1.6.7
routing 0.168.0
ruby-offline-buildpack 1.7.11
service-backup 18.1.5
staticfile-offline-buildpack 1.4.21
statsd-injector 1.0.30
syslog-migration 10.0.1
uaa 52.7
\* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

2.0.6

  • [Security Fix] Patches routing-release for CVE-2018-1221.
  • [Bug Fix] Enables privileged containers to support upgrading from ERT 1.11 with apps that specify privileged containers.
  • [Bug Fix] Fix to ensure that Diego rep will always exit during evacuation, even if Garden destroy hangs during evacuation.
  • [Feature Improvements] Bump mysql-backup-release to v2 in recognition of the fact that v1.38.0 required TLS. See other changes here
  • [Feature Improvements] New option in the Networking page to allow operators to enable Gorouter support for the PROXY protocol. This is disabled by default.
  • [Feature Improvement] Enable Garden debug_listen_address to listen on a local interface.
  • [Feature Improvement] Adds credentials for Healthwatch alerts.
Component Version
Stemcell 3468.21
backup-and-restore-sdk 1.2.1
binary-offline-buildpack 1.0.15
bosh-dns-aliases 0.0.1
bosh-system-metrics-forwarder 0.0.11
capi 1.44.0\*
cf-autoscaling 104
cf-backup-and-restore 0.0.10
cf-mysql 36.10.0
cf-networking 1.8.1
cf-smoke-tests 39
cf-syslog-drain 2
cflinuxfs2 1.181.0
consul 187
credhub 1.6.5
diego 1.29.0
dotnet-core-offline-buildpack 2.0.1
garden-runc 1.10.0
go-offline-buildpack 1.8.16
grootfs 0.30.0
haproxy 8.4.2
java-offline-buildpack 4.8
loggregator 99\*
mysql-backup 2.1.0
mysql-monitoring 8.14.0
nats 22
nfs-volume 1.1.3
nodejs-offline-buildpack 1.6.15
notifications 44
notifications-ui 31
php-offline-buildpack 4.3.48
pivotal-account 1.8.2
push-apps-manager-release 663.0.8
push-usage-service-release 664.0.11
python-offline-buildpack 1.6.7
routing 0.168.0
ruby-offline-buildpack 1.7.11
service-backup 18.1.5
staticfile-offline-buildpack 1.4.21
statsd-injector 1.0.30
syslog-migration 10.0.1
uaa 52.7
\* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

2.0.5

  • [Security Fix] Bumps apps-manager-release to v663.0.8 to fix vulnerability that allowed arbitrary file access on server.
  • [Bug Fix] Bumps usage-service-release to v664.0.11 to increase memory footprint to avoid occasional crashes.
  • [Bug Fix] Patches diego-release to resolve the following:
    • Allows HTTP-based health check on an HTTP endpoint that expects TLS-terminated traffic.
    • Fixes issue that prevented Windows apps sub-process logs from being captured.
  • [Feature Improvement] Patches uaa-release to add healthwatch.admin group to the UAA admin user and healthwatch_ui client, to allow configuration of alert thresholds on Healthwatch.
  • Bumps buildpacks to latest versions, including:
    • dotnet-core-offline-buildpack to v2.0.1.
    • go-offline-buildpack to v1.8.16.
    • java-offline-buildpack to v4.8.
    • nodejs-offline-buildpack to v1.6.15.
    • php-offline-buildpack to v4.3.48.
    • python-offline-buildpack to v1.6.7.
    • ruby-offline-buildpack to v1.7.11.
    • staticfile-offline-buildpack to v1.4.21.
Component Version
Stemcell 3468.21
backup-and-restore-sdk 1.2.1
binary-offline-buildpack 1.0.15
bosh-dns-aliases 0.0.1
bosh-system-metrics-forwarder 0.0.11
capi 1.44.0\*
cf-autoscaling 104
cf-backup-and-restore 0.0.10
cf-mysql 36.10.0
cf-networking 1.8.1
cf-smoke-tests 39
cf-syslog-drain 2
cflinuxfs2 1.181.0
consul 187
credhub 1.6.5
diego 1.29.0
dotnet-core-offline-buildpack 2.0.1
garden-runc 1.10.0
go-offline-buildpack 1.8.16
grootfs 0.30.0
haproxy 8.4.2
java-offline-buildpack 4.8
loggregator 99\*
mysql-backup 1.38.0
mysql-monitoring 8.14.0
nats 22
nfs-volume 1.1.3
nodejs-offline-buildpack 1.6.15
notifications 44
notifications-ui 31
php-offline-buildpack 4.3.48
pivotal-account 1.8.2
push-apps-manager-release 663.0.8
push-usage-service-release 664.0.11
python-offline-buildpack 1.6.7
routing 0.168.0
ruby-offline-buildpack 1.7.11
service-backup 18.1.5
staticfile-offline-buildpack 1.4.21
statsd-injector 1.0.30
syslog-migration 10.0.1
uaa 52.7
\* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

2.0.4

  • [Security Fix] Bumps stemcell to version 3468.21 to address issues:
  • [Security Fix] Bumps cflinuxfs2-release to v1.181.0 to address issues:
  • [Security Fix] Patches capi-release so that refresh tokens are not accepted where access tokens are required.
  • [Feature Improvement] Bumps syslog-migration-release to v10.0.1 and add a checkbox for log file forwarding through TCP to work around the Truncated Syslog Messages issue.
    • NOTE: Using TCP instead of the default UDP configuration may have a negative impact on performance.
  • [Bug Fix] Adds missing TLS configuration to Grootfs config
  • [Bug Fix] Garden is now configured to destroy containers on startup
  • [Bug Fix] Bumps mysql-monitoring-release to v8.14.0
Component Version
Stemcell 3468.21
backup-and-restore-sdk 1.2.1
binary-offline-buildpack 1.0.15
bosh-dns-aliases 0.0.1
bosh-system-metrics-forwarder 0.0.11
capi 1.44.0\*
cf-autoscaling 104
cf-backup-and-restore 0.0.10
cf-mysql 36.10.0
cf-networking 1.8.1
cf-smoke-tests 39
cf-syslog-drain 2
cflinuxfs2 1.181.0
consul 187
credhub 1.6.5
diego 1.29.0
dotnet-core-offline-buildpack 1.0.30
garden-runc 1.10.0
go-offline-buildpack 1.8.13
grootfs 0.30.0
haproxy 8.4.2
java-offline-buildpack 4.7.1
loggregator 99\*
mysql-backup 1.38.0
mysql-monitoring 8.14.0
nats 22
nfs-volume 1.1.3
nodejs-offline-buildpack 1.6.10
notifications 44
notifications-ui 31
php-offline-buildpack 4.3.43
pivotal-account 1.8.2
push-apps-manager-release 663.0.5
push-usage-service-release 664.0.10
python-offline-buildpack 1.6.1
routing 0.168.0
ruby-offline-buildpack 1.7.5
service-backup 18.1.5
staticfile-offline-buildpack 1.4.18
statsd-injector 1.0.30
syslog-migration 10.0.1
uaa 52.7
\* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

2.0.3

  • [Bug Fix] Bumps uaa-release to v52.7.
  • [Bug Fix] Bumps apps-manager-release to v663.0.5 to resolve a number of issues:
    • Fixed 404 page footer in IE.
    • Fixed styling in accounting report download button.
    • Fetch all routes for spaces instead of just the first page.
  • [Bug Fix] Patches capi-release to fix task sync issue that causes some tasks to mistakenly appear as failed when they actually succeeded.
  • [Bug Fix] Bumps usage-service-release from v664.0.10 to fix issues with logging error output in the Bosh errand to push the app-usage-service.
  • [Feature Improvement] The SAML "Entity Id Override" field has been moved from the Authentication and Enterprise SSO tab to the UAA tab in Ops Manager, to accompany the other SAML fields in the UAA tab.
Component                       Version
Stemcell                        3468.17
backup-and-restore-sdk          1.2.1
binary-offline-buildpack        1.0.15
bosh-dns-aliases                0.0.1
bosh-system-metrics-forwarder   0.0.11
capi                            1.44.0*
cf-autoscaling                  104
cf-backup-and-restore           0.0.10
cf-mysql                        36.10.0
cf-networking                   1.8.1
cf-smoke-tests                  39
cf-syslog-drain                 2
cflinuxfs2                      1.176.0
consul                          187
credhub                         1.6.5
diego                           1.29.0
dotnet-core-offline-buildpack   1.0.30
garden-runc                     1.10.0
go-offline-buildpack            1.8.13
grootfs                         0.30.0
haproxy                         8.4.2
java-offline-buildpack          4.7.1
loggregator                     99*
mysql-backup                    1.38.0
mysql-monitoring                8.13.0
nats                            22
nfs-volume                      1.1.3
nodejs-offline-buildpack        1.6.10
notifications                   44
notifications-ui                31
php-offline-buildpack           4.3.43
pivotal-account                 1.8.2
push-apps-manager-release       663.0.5
push-usage-service-release      664.0.10
python-offline-buildpack        1.6.1
routing                         0.168.0
ruby-offline-buildpack          1.7.5
service-backup                  18.1.5
staticfile-offline-buildpack    1.4.18
statsd-injector                 1.0.30
syslog-migration                10
uaa                             52.7
* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

2.0.2

Component                       Version
Stemcell                        3468.17
backup-and-restore-sdk          1.2.1
binary-offline-buildpack        1.0.15
bosh-dns-aliases                0.0.1
bosh-system-metrics-forwarder   0.0.11
capi                            1.44.0*
cf-autoscaling                  104
cf-backup-and-restore           0.0.10
cf-mysql                        36.10.0
cf-networking                   1.8.1
cf-smoke-tests                  39
cf-syslog-drain                 2
cflinuxfs2                      1.176.0
consul                          187
credhub                         1.6.5
diego                           1.29.0
dotnet-core-offline-buildpack   1.0.30
garden-runc                     1.10.0
go-offline-buildpack            1.8.13
grootfs                         0.30.0
haproxy                         8.4.2
java-offline-buildpack          4.7.1
loggregator                     99*
mysql-backup                    1.38.0
mysql-monitoring                8.13.0
nats                            22
nfs-volume                      1.1.3
nodejs-offline-buildpack        1.6.10
notifications                   44
notifications-ui                31
php-offline-buildpack           4.3.43
pivotal-account                 1.8.2
push-apps-manager-release       663.0.4
push-usage-service-release      664.0.9
python-offline-buildpack        1.6.1
routing                         0.168.0
ruby-offline-buildpack          1.7.5
service-backup                  18.1.5
staticfile-offline-buildpack    1.4.18
statsd-injector                 1.0.30
syslog-migration                10
uaa                             52.4
* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

2.0.1

  • [Security Fix] Bumps cflinuxfs2-release to v1.176.0 for USN-3513-1.
  • [Feature Improvement] Bumps mysql-monitoring-release to v8.13.0 to add disk usage metrics as a percentage.
  • [Feature Improvement] Bumps mysql-backup-release to v1.38.0 which enables mutual TLS between the backup node and server.
  • [Feature Improvement] Application containers can be configured not to use BOSH DNS with the "Disable BOSH DNS server for troubleshooting purposes" checkbox on the director config in Ops Manager.
  • [Bug Fix] Bumps java-offline-buildpack to v4.7.1 to address an issue with multiple java-offline-buildpacks being included, which may cause deployments to have different versions of java-offline-buildpack installed.
  • [Feature] Bumps garden-runc-release to v1.10.0:
    • It is now possible to specify a ProcessSpec.Image. Processes can now have their own filesystem view.
    • Limitation: It is only possible to use ProcessSpec.Image and ProcessSpec.OverrideContainerLimits with unprivileged containers. This will be fixed in future releases.
    • Limitation: APIs such as BulkMetrics and Process.Signal may not work immediately after container.Run(ProcessSpec) returns for processes with Image and/or OverrideContainerLimits specified. This will be fixed in future releases.
    • Reduced log volume in BulkMetrics for large environments.
    • Correctly declares that bundles it creates are OCI Runtime Spec version 1.0.0 compliant.
  • Increased disk size on clock_global VMs from 2GB to 20GB to address scenarios where disk utilization is too high. This may be addressed in a future release.
Component                       Version
Stemcell                        3468.13
backup-and-restore-sdk          1.2.1
binary-offline-buildpack        1.0.15
bosh-dns-aliases                0.0.1
bosh-system-metrics-forwarder   0.0.11
capi                            1.44.0*
cf-autoscaling                  104
cf-backup-and-restore           0.0.10
cf-mysql                        36.10.0
cf-networking                   1.8.1
cf-smoke-tests                  39
cf-syslog-drain                 2
cflinuxfs2                      1.176.0
consul                          187
credhub                         1.6.5
diego                           1.29.0
dotnet-core-offline-buildpack   1.0.30
garden-runc                     1.10.0
go-offline-buildpack            1.8.13
grootfs                         0.30.0
haproxy                         8.4.2
java-offline-buildpack          4.7.1
loggregator                     99*
mysql-backup                    1.38.0
mysql-monitoring                8.13.0
nats                            22
nfs-volume                      1.1.3
nodejs-offline-buildpack        1.6.10
notifications                   44
notifications-ui                31
php-offline-buildpack           4.3.43
pivotal-account                 1.8.2
push-apps-manager-release       663.0.4
push-usage-service-release      664.0.9
python-offline-buildpack        1.6.1
routing                         0.168.0
ruby-offline-buildpack          1.7.5
service-backup                  18.1.5
staticfile-offline-buildpack    1.4.18
statsd-injector                 1.0.30
syslog-migration                10
uaa                             52.4
* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

2.0.0

Component                       Version
Stemcell                        3468.13
backup-and-restore-sdk          1.2.1
binary-offline-buildpack        1.0.15
bosh-dns-aliases                0.0.1
bosh-system-metrics-forwarder   0.0.11
capi                            1.44.0*
cf-autoscaling                  104
cf-backup-and-restore           0.0.10
cf-mysql                        36.10.0
cf-networking                   1.8.1
cf-smoke-tests                  39
cf-syslog-drain                 2
cflinuxfs2                      1.175.0
consul                          187
credhub                         1.6.5
diego                           1.29.0
dotnet-core-offline-buildpack   1.0.30
garden-runc                     1.9.4
go-offline-buildpack            1.8.13
grootfs                         0.30.0
haproxy                         8.4.2
java-offline-buildpack          4.6
loggregator                     99*
mysql-backup                    1.37.0
mysql-monitoring                8.12.0
nats                            22
nfs-volume                      1.1.3
nodejs-offline-buildpack        1.6.10
notifications                   44
notifications-ui                31
php-offline-buildpack           4.3.43
pivotal-account                 1.8.2
push-apps-manager-release       663.0.4
push-usage-service-release      664.0.9
python-offline-buildpack        1.6.1
routing                         0.168.0
ruby-offline-buildpack          1.7.5
service-backup                  18.1.5
staticfile-offline-buildpack    1.4.18
statsd-injector                 1.0.30
syslog-migration                10
uaa                             52.4
* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

How to Upgrade

The procedure for upgrading to Pivotal Application Service (PAS) v2.0 is documented in the Upgrading Pivotal Cloud Foundry topic.

When upgrading to v2.0, be aware of the following upgrade considerations:

  • To successfully upgrade to PAS v2.0, you must first upgrade to a version of Elastic Runtime v1.12.

  • Some partner service tiles may be incompatible with PCF v2.0. Pivotal is working with partners to ensure their tiles are updated to work with the latest versions of PCF.

    For information about which partner service releases are currently compatible with PCF v2.0, review the appropriate partner services release documentation at https://docs.pivotal.io, or contact the partner organization that produces the tile.

New Features in PAS v2.0

BOSH DNS Service Discovery for Application Containers (Beta)

In PCF v2.0, application containers look up services using the BOSH DNS service discovery mechanism.

Note: Port 8853 is the destination port for communications between BOSH DNS health processes. Ensure your firewall rules allow TCP traffic on 8853 for all VMs running BOSH DNS. For more information, see BOSH DNS Network Communications.

To support this lookup, BOSH Director colocates a BOSH DNS server on every deployed VM. This colocation is a prerequisite for migrating completely to BOSH DNS in a future release of PCF. However, this colocation does not impact the current behavior of DNS for Cloud Foundry components in PCF v2.0. System components still use consul to discover and locate other Cloud Foundry components.

You can opt out of deploying BOSH DNS in PCF v2.0. For more information, see the Ops Manager v2.0 Release Notes and Disabling or Opting Out of BOSH DNS in PCF in the Pivotal Knowledge Base.

BOSH System Metrics Available in Loggregator Firehose

PCF now forwards BOSH health metrics generated for all VMs in a deployment to the Loggregator Firehose by default. For more information about this feature and its implementation, see the BOSH System Metrics Forwarder section in the Overview of the Loggregator System.

The new flow of BOSH component metrics cannot be disabled. Therefore, if you are currently using the PCF JMX Bridge tile or the BOSH HM Forwarder to consume them, you may receive duplicate data. To prevent this, you can do the following:

For guidance about configuring Ops Manager Director, see the Ops Manager installation topic for your IaaS.

Metric Namespace Difference in JMX Bridge

Because BOSH component metrics now come from the Firehose, their namespaces are different in PCF JMX Bridge. For an explanation of how metric names differ between PCF 2.0 and earlier versions, see the following table.

PCF Version: 1.12 and earlier
  • Example Metric: system.healthy
  • Description: The BOSH Director delivers the metric name. The metric is nested in the tree structure by deployment name, VM name, VM instance number, and attributes for that VM instance. The sub-node of VM instance number is always named null.

PCF Version: 2.0
  • Example Metric: bosh-system-metrics-forwarder.system.healthy
  • Description: The Firehose delivers the metric name. The tree shows the VM GUID instead of the VM instance number and the sub-node is always empty. This namespacing affects all previous BOSH health metrics.

Gorouter and HAProxy Trust the Diego Instance Identity Intermediate CA

The trust between the Gorouter and HAProxy enables mutual authentication between applications that run on PCF. The Gorouter and HAProxy are configured with the root certificate authority. This occurs automatically within PCF.

Gorouter and HAProxy Trust Additional CAs

When validating client requests using mutual TLS, the Gorouter trusts multiple certificate authorities (CAs) by default. Operators can now configure the Gorouter and HAProxy to trust custom CAs in addition to well-known, public CAs and Ops Manager Director Trusted Certificates.

For more information about configuring this feature, see the PAS installation topic for your IaaS.

Gorouter and HAProxy Support Multiple Certificates

You can now add more than one certificate for the Gorouter and HAProxy in the Networking configuration pane. This improves security and removes the need to reissue the existing certificate when you want to add TLS support for custom domains. The Gorouter and HAProxy use SNI to determine the correct certificate to present in a TLS handshake. For more information, see the Multiple Certificates section of Securing Traffic into Cloud Foundry.

XFCC Support for Deployments that Terminate TLS at HAProxy

PCF now supports XFCC header configuration for deployments that terminate TLS for the first time at HAProxy. In addition, the selection options for this configuration field have been renamed to reflect differences in XFCC configuration based on TLS termination entry points. For more information, see the PAS installation topic for your IaaS.

Migration of Internal Credentials to BOSH CredHub

Several internal credentials, the secret and simple_credentials that PAS uses for inter-component communication, are now generated and stored in BOSH CredHub instead of the Ops Manager database.

This is part of an ongoing effort to migrate all credentials to BOSH CredHub, which will reduce the number of places credentials are stored, aid in credential rotation, and increase security. For information about the internal credentials that were migrated to BOSH CredHub in 1.12, see the Migration of Internal Credentials to BOSH CredHub section of the Pivotal Elastic Runtime v1.12 Release Notes topic.

To access the following credentials, you must use the CredHub CLI or the Ops Manager API instead of accessing the Credentials tab of the PAS tile. For instructions about retrieving PAS credentials, see Retrieving Credentials from Your Deployment.

  • .autoscaling.broker_credentials
  • .autoscaling.encryption_key
  • .backup-prepare.backup_encryption_key
  • .diego_database.bbs_encryption_passphrase
  • .nfs_server.blobstore_secret
  • .notifications.encryption_key
  • .push-pivotal-account.encryption_key
  • .push-usage-service.secret_token
  • .router.route_services_secret
  • .properties.consul_encrypt_key
  • .nats.credentials

VMware NSX-T Networking Support

PAS v2.0 adds support for VMware NSX-T networking. NSX is a networking solution for VMware that provides a firewall, load balancing, and NAT/SNAT services for PCF. NSX-T is intended to work across multiple clouds and provide networking for container platforms. Previous versions of PAS supported NSX-V networking.

To use NSX-T networking, you must install the NSX-T tile.

WARNING: The NSX-T integration is only for fresh installs of PCF. You cannot upgrade an existing deployment to use NSX-T, and there is no upgrade path from NSX-V to NSX-T.

To enable NSX-T networking for your PCF installation, do the following:

  1. In the Ops Manager Director tile > vCenter Config pane, select NSX-T from the NSX Mode drop-down menu. See Step 2: vCenter Config Page in Configuring Ops Manager Director on vSphere for more information.

  2. Import and configure the NSX-T tile, but do not click Apply Changes. You must install the NSX-T tile after you install the Ops Manager Director tile. You must install the NSX-T tile before you install the PAS tile.

  3. In the Networking pane of the PAS tile, under Container Network Plugin Interface, select External.

  4. Click Apply Changes after installing and configuring the NSX-T and PAS tiles.

Operators can additionally use the NSX Manager to configure policies for PCF applications. See the NSX-T Container Plug-in for Kubernetes and Cloud Foundry - Installation and Administration Guide for more information.

Note: You must have NSX-T v2.1 installed to use this integration.

Note: The IPsec add-on is not supported with NSX-T.

Breaking Change: If you opt out of the BOSH DNS feature, your PCF deployment cannot support NSX-T networking.

Secure Service Instance Credentials (Beta)

The PAS tile now includes its own runtime CredHub VM to securely store the service instance credentials that apps use to access services. Previously, PCF could only use the Cloud Controller database for storing these credentials.

Enabling this feature requires the following:

The Spring Cloud Services tile is the first service to support storing its instance credentials in runtime CredHub.

For more information about CredHub in PCF, see the CredHub Documentation.

Breaking Change: If you opt out of the BOSH DNS feature, your PCF deployment cannot support the Secure Service Instance Credentials feature.

Release-Level Backup and Restore

PAS v2.0 includes support for release-level backup and restore. BOSH Backup and Restore (BBR) now backs up each PAS component using scripts specific to the component. This new flow ensures services stop using the component database before it is backed up and improves the correctness of the backup. The steps to back up and restore with BBR are unchanged. For more information about component and service availability during backup, see PAS Component Availability During Backup.

Colocated Errands on Instance VMs

The PAS tile no longer includes individual errand VMs. Instead, the errand jobs are colocated on other VMs in the deployment. Colocated errands run faster than traditional errands and use fewer resources, including disk and IP space. These errands are now set to always run by default.

Context Objects for Service Bindings

When provisioning a service instance, the platform sends service brokers a context object containing platform-specific information, such as the organization and space GUIDs. PAS v2.0 adds the same context object to binding requests. If the service broker wants to make decisions based on the organization or space GUIDs in which the binding is created, it can do so.

For more information, see Open Service Broker API.
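
A broker-side bind decision that uses the context object, as an added example (not Pivotal's code or any broker's actual implementation). The allowlist policy, the GUID values and the function names are hypothetical; the `context` field names follow the Open Service Broker API's Cloud Foundry context. It also handles a bind request that carries no context, as sent by platforms older than PAS v2.0, by falling back to the context recorded at provision time.

```python
import uuid

# Constructed sample GUIDs; real values are assigned by the platform.
ORG_A = "11111111-1111-4111-8111-111111111111"
SPACE_PROD = "22222222-2222-4222-8222-222222222222"
SPACE_DEV = "33333333-3333-4333-8333-333333333333"

# Hypothetical broker policy: (organization_guid, space_guid) pairs allowed to bind.
ALLOWED_SPACES = {(ORG_A, SPACE_PROD)}


def is_guid(value):
    """True only for a string in canonical UUID form, which is how CF GUIDs look."""
    if not isinstance(value, str):
        return False
    try:
        return str(uuid.UUID(value)) == value.lower()
    except ValueError:
        return False


def effective_context(bind_body, provision_context):
    """Choose the context to authorize against and say where it came from.

    A platform that does not send context on bind omits the field, so the
    broker falls back to what it stored when the instance was provisioned.
    """
    ctx = bind_body.get("context")
    if ctx is None:
        return provision_context, "provision"
    return ctx, "binding"


def decide_binding(bind_body, provision_context, allowed_spaces=ALLOWED_SPACES):
    """Return a decision dict; the caller maps it to its HTTP response.

    The context is set by the platform, not by the app developer, so it is
    only as trustworthy as the broker's authentication of the platform.
    """
    ctx, source = effective_context(bind_body, provision_context)
    if not isinstance(ctx, dict) or ctx.get("platform") != "cloudfoundry":
        return {"allow": False, "source": source,
                "reason": "missing or unsupported context"}
    org, space = ctx.get("organization_guid"), ctx.get("space_guid")
    if not (is_guid(org) and is_guid(space)):
        return {"allow": False, "source": source,
                "reason": "malformed GUID in context"}
    if (org, space) not in allowed_spaces:
        return {"allow": False, "source": source,
                "reason": "space not permitted to bind"}
    return {"allow": True, "source": source, "reason": "ok"}


if __name__ == "__main__":
    # Constructed bind request body for a space outside the allowlist.
    request = {
        "service_id": "example-service",
        "plan_id": "example-plan",
        "context": {"platform": "cloudfoundry",
                    "organization_guid": ORG_A,
                    "space_guid": SPACE_DEV},
    }
    print(decide_binding(request, provision_context=None))
```
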

Syslog Scheduler Highly Available During Zone Outage

The Syslog Scheduler is now scalable. The number of Syslog Scheduler instances defaults to 2. This is the minimum number of instances necessary to make the syslog drain highly available.

Option to Enable Metrics Forwarder on Apps Manager

Apps Manager includes a new option to bind the Metrics Forwarder service to an application. To do so, go to Services and click Add a Service.

Option to Enable PCF Scheduler on Apps Manager

Apps Manager includes a new option to bind the PCF Scheduler service to an application. To do so, go to Services and click Add a Service.

Option to Enable App Autoscaler on Apps Manager

Apps Manager includes a new option to bind the App Autoscaler service to an application. To do so, go to Services and click Add a Service. To access the configuration panel for App Autoscaler, click Manage.

Apps Manager Shows Multiple Buildpacks

In Apps Manager, the app page Settings tab shows multiple buildpacks for apps pushed with multiple buildpacks.

Mappings Endpoint Integrated in Apps Manager

Apps Manager now integrates the Spring Boot Actuator /mappings endpoint. This endpoint displays the endpoints an app serves and other related details. For more information, see Using Actuators.

Terraform Templates for Installing PCF

The PAS v2.0 release on Pivotal Network includes Terraform template downloads. Terraform is a tool for creating and updating infrastructure resources that helps provide a better and more consistent PCF install experience on multiple IaaS providers. PCF internal development teams maintain and test Terraform templates in many scenarios.

This release includes templates for GCP and AWS. If you are installing PCF on either of these IaaS providers, you can use the Terraform templates to automatically create the necessary infrastructure resources. For instructions, see the following topics:

Option to Enable Self-Service Network Policies

Operators can now enable self-service network policies for Space Developers. Prior to this release, enabling access occurred on either a per-developer or per-group basis. For more information about enabling this feature, see the Installing Pivotal Cloud Foundry topic for your IaaS.

Known Issues

Disabling HTTP for Routers Causes Failures for Routes Bound to Internal Route Services

In all versions of PAS v2.0, disabling the HTTP listener for the Gorouter and HAProxy causes clients to receive 502 responses for requests to routes that are bound to route services that run as apps on the platform. Route services that run externally are not impacted.

To support route services run as apps on ERT, HTTP must remain enabled.

Cells Using GrootFS Fail to Run Privileged-Container Apps

In PAS v2.0.0 through v2.0.5, Diego cells using the GrootFS component fail to run application instances whose internal specifications require a privileged container. This defect affects buildpack-based applications last started on Elastic Runtime v1.8 or earlier.

To resolve this issue, take any one of the following actions:

  • Deploy PAS v2.0.6 or later,
  • Redeploy PAS with GrootFS disabled, or
  • Manually restart any apps that are affected.

Tasks Unreliable

There is a bug in the Cloud Controller that affects the operation of tasks. Any time a user runs a task, the following may happen:

  • The task cancels before completing.
  • The task is reported as a failure even if it finishes successfully.

Preventing Duplicated BOSH Component Metrics in PCF JMX Bridge

PCF now forwards BOSH health metrics generated for all VMs in a deployment to the Loggregator Firehose by default. See BOSH Component Metrics Available in Loggregator Firehose for more information.

The new flow of BOSH component metrics cannot be disabled. Therefore, if you are currently using the PCF JMX Bridge tile to consume them, you may receive duplicate data. To prevent this, delete JMX Provider IP Address in Director Config of your Ops Manager Director tile.

Deleting the IP address means that BOSH component metrics will no longer be sent to JMX Bridge using the direct connection from the BOSH Director to the JMX Provider. As these BOSH component metrics are now available in JMX Bridge by default through its Firehose nozzle, breaking the prior direct connection by deleting the JMX Provider IP address prevents the duplication of BOSH metrics for JMX Bridge consumers.

PAS Forwards High Volume of DEBUG Log Messages

PAS forwards a high volume of DEBUG syslog messages from UAA and other system components to an external service. To remediate this issue, you can filter out log messages that contain "DEBUG" in their body by using the following custom syslog rule: if ($msg contains "DEBUG") then stop

For information about enabling syslog forwarding and configuring custom syslog rules in PAS, see Enable Syslog Forwarding in the Configuring Logging in PAS topic and Exclude Logs With Certain Content in the Customizing Platform Log Forwarding topic.

Truncated Syslog Messages

Note: This issue is remediated when you select the Use TCP for file forwarding local transport option. For more information, see System Logging.

If the total length of a syslog message transported locally from a PCF system component (for example, the Cloud Controller or a Diego cell) is greater than 1,024 bytes, the packet is truncated before it reaches RSYSLOG installed on every BOSH VM instance.

The truncation is caused by the following:

  • In PCF v2.0, a job writes log messages to a file in the /var/vcap/sys/log directory, and then syslog-migration-release forwards the messages to RSYSLOG. For reading log files from the /var/vcap/sys/log directory into RSYSLOG, the release uses blackbox. Because blackbox is configured to send log messages over UDP, it causes the underlying library to respect the message length restrictions of RFC 3164 and truncate packets. For more information, see syslog Message Parts in the RFC 3164 documentation.

  • Prior to switching to syslog-migration-release in PCF v1.11, when a job generated a log message, it typically wrote the message in two locations: to the /var/vcap/sys/log directory and to RSYSLOG. For writing log messages directly to RSYSLOG, jobs used logger, an Ubuntu utility.

    In PCF v2.0, RSYSLOG receives two copies of each log message: one is from blackbox, and one is from the logger utility. Log messages sent through logger may be truncated as explained below:

    • If jobs are using the default version of logger installed on the stemcell, logs longer than 1 KB are truncated because the utility has a hard-coded message length limit.
    • If jobs are using a newer version of logger without this restriction, or another tool to communicate with RSYSLOG over UDP, the truncation may not happen.

As mentioned above, jobs write system logs to the /var/vcap/sys/log directory. You can download full log lines from the directory files using Ops Manager.
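
A check for which lines in a downloaded log file would have been cut by the 1,024-byte limit described above, and which part of each line would have been lost, as an added example that is not part of PAS or syslog-migration-release. The header values (PRI, timestamp, hostname, tag) and the sample lines are constructed assumptions; the header that blackbox actually emits is not given on this page, so adjust those fields to match your environment.

```python
RFC3164_MAX_PACKET = 1024  # RFC 3164: total packet length limit, in bytes


def frame(msg, hostname="cell-0", tag="rep", pri=14, timestamp="Jan  1 00:00:00"):
    """Build an RFC 3164 style packet as (header_bytes, payload_bytes).

    All header field values are assumptions used to estimate header size.
    """
    header = "<%d>%s %s %s: " % (pri, timestamp, hostname, tag)
    return header.encode("utf-8"), msg.encode("utf-8")


def surviving_payload(msg, **header_fields):
    """Return (text that fits in one packet, number of payload bytes lost)."""
    header, payload = frame(msg, **header_fields)
    budget = RFC3164_MAX_PACKET - len(header)
    if len(payload) <= budget:
        return msg, 0
    # Cut on a byte boundary, as a datagram would, then drop any multi-byte
    # character that the cut split in half.
    kept = payload[:budget].decode("utf-8", errors="ignore")
    return kept, len(payload) - budget


def audit_log_lines(lines, **header_fields):
    """List the lines that exceed the limit, with what is left of their tail."""
    findings = []
    for number, line in enumerate(lines, start=1):
        kept, lost = surviving_payload(line.rstrip("\n"), **header_fields)
        if lost:
            findings.append({"line": number, "lost_bytes": lost,
                             "kept_tail": kept[-30:]})
    return findings


# Constructed sample input: the second line is long enough that its trailing
# "actor" field falls outside the packet.
SAMPLE_LINES = [
    '{"event":"audit","detail":"short","actor":"admin"}\n',
    '{"event":"audit","detail":"' + "x" * 1100 + '","actor":"admin"}\n',
]

if __name__ == "__main__":
    for finding in audit_log_lines(SAMPLE_LINES):
        print(finding)
```

Fields at the end of a long structured log line are the first to disappear, so compare the forwarded copy against the file in /var/vcap/sys/log when a line is flagged.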

Read-Only Volume Mounts Display as “rw”

Due to an underlying kernel defect, read-only volume mounts display as "mode": "rw" when you view the VCAP_SERVICES environment variable for your app.

For more information about binding a volume service, see Using an External File System (Volume Services).

Restore from Automated Backup of Internal MySQL Not Supported

If you configure PAS to use Internal MySQL, ensure that you select Disable Automated Backups of MySQL under the Automated Backups Configuration field. Pivotal does not support restoring the internal MySQL database from a full backup because it degrades the Galera MySQL cluster.

To back up and restore the internal MySQL database, you must use BOSH Backup and Restore (BBR). See Backing Up and Restoring Pivotal Cloud Foundry for information on using BBR.

BBR provides the following advantages over the Automated Backup Configuration:

  • BBR locks the necessary APIs as part of the backup procedure. This release-level backup ensures correctness. See PAS Component Behavior During Backup.
  • BBR backs up the MySQL cluster and the blobstore together so that they are consistent.
  • BBR eliminates the need to manually remove the silk database table after restore.

For more information on this issue, see the following Pivotal Knowledge Base article: Restore from PAS Automated Database Backup is Not Supported in 1.11 and later.

UAA Request Latency Metric Not Emitted

The gorouter.latency.uaa metric is only emitted in PCF v2.0.11 or later. For more information about the gorouter.latency.uaa metric, see UAA Request Latency in Key Performance Indicators.

Configuring Multiple TCP Routing Ports

This section describes an issue and workaround related to configuring multiple TCP Routing Ports in the PAS tile UI.

Issue

You cannot enter a comma-separated list of ports in the TCP Routing Ports field of the PAS tile. If you enter a comma-separated list, the Routing API does not start. The TCP Routing Ports field allows entries in the following formats:

  • A single value, such as 1234
  • A range of values, such as 1234-5678

Workaround

If you want to configure multiple ports, Pivotal recommends following these steps:

Note: This procedure causes brief downtime for TCP apps listening on ports that you open after deploying PAS.

  1. Configure PAS with Enable TCP Routing selected.
  2. Enter one port you want to use in the TCP Routing Ports field.
  3. Deploy PAS.
  4. Use the Routing API to add all desired TCP ports by following the instructions in the Modify your TCP ports section of the Enabling TCP Routing topic. When using the Routing API, you can include a comma-separated list of ports.

About Advanced Features

The Advanced Features section of the PAS tile includes new functionality that may have certain constraints.

Although these features are fully supported, Pivotal recommends caution when using them in production.
