PCF Isolation Segment v2.0 Release Notes

Releases

NOTE: If you have versions of PAS and the Isolation Segment tile (IST) earlier than 2.0.15 installed, you must upgrade them together when moving to 2.0.15 or later.

2.0.16

  • Bump cflinuxfs2 to version 1.228.0
  • Bump stemcell to version 3468.55

Component         Version
stemcell          3468.55
cf-networking     1.8.5
cflinuxfs2        1.228.0
consul            195
diego             1.32.5
garden-runc       1.13.3
haproxy           8.4.2
loggregator       99.3
nfs-volume        1.2.1
routing           0.168.8 *
syslog-migration  10.0.2
* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

2.0.15

  • [Bug Fix] Docker image based app resource reporting correctly includes image size in disk usage
  • Bump diego to version 1.32.5
  • Bump loggregator to version 99.3
  • Bump stemcell to version 3468.54

Component         Version
stemcell          3468.54
cf-networking     1.8.5
cflinuxfs2        1.227.0
consul            195
diego             1.32.5
garden-runc       1.13.3
haproxy           8.4.2
loggregator       99.3
nfs-volume        1.2.1
routing           0.168.8 *
syslog-migration  10.0.2
* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

2.0.14

  • [Feature Improvement] Add the ability to configure HAProxy client certificate verification
  • Bump cflinuxfs2 to version 1.227.0

Component         Version
stemcell          3468.51
cf-networking     1.8.5
cflinuxfs2        1.227.0
consul            195
diego             1.32.3
garden-runc       1.13.3
haproxy           8.4.2
loggregator       99.1
nfs-volume        1.2.1
routing           0.168.8 *
syslog-migration  10.0.2
* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

2.0.13

  • [Security Fix] Bump loggregator to version 99.1 for CVE-2018-1268 and CVE-2018-1269
  • [Bug Fix] Bump consul to version 195
    • Includes golang 1.9.7, removes golang 1.8.*.
    • Deploying v193 could fail on some deployments due to a conflict with other tiles that compiled the release differently.
    • Fixes intermittent consul DNS issues on Windows Cells.
  • Bump cflinuxfs2 to version 1.223.0
  • Bump stemcell to version 3468.51

Component         Version
stemcell          3468.51
cf-networking     1.8.5
cflinuxfs2        1.223.0
consul            195
diego             1.32.3
garden-runc       1.13.3
haproxy           8.4.2
loggregator       99.1
nfs-volume        1.2.1
routing           0.168.8 *
syslog-migration  10.0.2
* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

2.0.12

  • [Security Fix] Bump diego to version 1.32.3
  • [Bug Fix] Bump nfs-volume-release to version 1.2.1
    • Fix incompatibility with the new garden-runc release when using read-only NFS volume mounts
  • [Bug Fix] Bump garden to version 1.13.3
    • Fix issue with deleted files in application containers created from docker images
  • Bump cflinuxfs2 to version 1.219.0
  • Bump consul to version 193 to use go 1.9
  • Bump stemcell to version 3468.46

Component         Version
stemcell          3468.46
cf-networking     1.8.5
cflinuxfs2        1.219.0
consul            193
diego             1.32.3
garden-runc       1.13.3
haproxy           8.4.2
loggregator       99 *
nfs-volume        1.2.1
routing           0.168.8 *
syslog-migration  10.0.2
* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

2.0.11

  • [Security Fix] Bump cflinuxfs2 to version 1.210.0:
  • [Security Fix] Bump cf-networking to version 1.8.5
    • Patch a possible SQL injection attack
  • Update the grootfs checkbox to indicate that recreating VMs is recommended

Component         Version
stemcell          3468.42
cf-networking     1.8.5
cflinuxfs2        1.210.0
consul            187
diego             1.32.2
garden-runc       1.13.1
haproxy           8.4.2
loggregator       99 *
nfs-volume        1.1.3
routing           0.168.8 *
syslog-migration  10.0.2
* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

2.0.10

Component         Version
stemcell          3468.42
cf-networking     1.8.1
cflinuxfs2        1.201.0
consul            187
diego             1.32.2
garden-runc       1.13.1
haproxy           8.4.2
loggregator       99 *
nfs-volume        1.1.3
routing           0.168.8 *
syslog-migration  10.0.2
* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

2.0.9

  • [Security Fix] Bumps garden-release to v1.13.1 for CVE-2018-1277.
  • [Feature Improvement] Bumps diego-release to v1.32.2 to add cell and instance identifiers in the container lifecycle logs.

Component         Version
stemcell          3468.30
cf-networking     1.8.1
cflinuxfs2        1.196.0
consul            187
diego             1.32.2
garden-runc       1.13.1
haproxy           8.4.2
loggregator       99 *
nfs-volume        1.1.3
routing           0.168.7 *
syslog-migration  10.0.2
* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

2.0.8

  • [Security Fix] Bumps cflinuxfs2 to v1.196.0:
  • [Security Fix] Bumps stemcell to v3468.30:
  • [Bug Fix] Bumps syslog-migration-release to v10.0.2:
    • Prevent blackbox logs from being written to the default syslog log files; previously each log line was written to disk three additional times.
    • Fix RFC 5424 compatibility by ensuring that exactly one space separates the structured data from the message.

Component         Version
stemcell          3468.30
cf-networking     1.8.1
cflinuxfs2        1.196.0
consul            187
diego             1.32.1
garden-runc       1.12.1
haproxy           8.4.2
loggregator       99 *
nfs-volume        1.1.3
routing           0.168.7 *
syslog-migration  10.0.2
* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.
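The 2.0.8 syslog-migration fix above concerns the RFC 5424 rule that a single SP separates STRUCTURED-DATA from MSG. The following is an added example, not code from syslog-migration-release or any other component on this page: a formatter that emits that single space and a parser that consumes exactly one, so a second space shows up as a leading space in the message instead of being silently absorbed, which is how a downstream collector sees the malformed line. The sample log fields and the SD-ID are constructed for the example.

```python
"""Added example (not from the release notes or syslog-migration-release):
a minimal RFC 5424 formatter and parser showing why exactly one space must
separate STRUCTURED-DATA from MSG. All log fields below are constructed."""
import re
from typing import Dict, List, Optional, Tuple

# HEADER = PRI VERSION SP TIMESTAMP SP HOSTNAME SP APP-NAME SP PROCID SP MSGID SP
_HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d{1,2}) (?P<ts>\S+) (?P<host>\S+) "
    r"(?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) "
)


def _escape_param(value: str) -> str:
    # RFC 5424 6.3.3: '"', '\' and ']' inside a PARAM-VALUE are backslash-escaped.
    return value.replace("\\", "\\\\").replace('"', '\\"').replace("]", "\\]")


def format_rfc5424(pri: int, timestamp: str, host: str, app: str, procid: str,
                   msgid: str, sd: Dict[str, Dict[str, str]], msg: Optional[str]) -> str:
    """Build one message. STRUCTURED-DATA is '-' when empty; MSG, if present,
    follows after exactly one space."""
    if sd:
        elements = []
        for sd_id, params in sd.items():
            parts = [sd_id] + [f'{k}="{_escape_param(v)}"' for k, v in params.items()]
            elements.append("[" + " ".join(parts) + "]")
        sd_text = "".join(elements)
    else:
        sd_text = "-"
    line = f"<{pri}>1 {timestamp} {host} {app} {procid} {msgid} {sd_text}"
    return line if msg is None else f"{line} {msg}"


def _parse_sd(text: str) -> Tuple[List[Tuple[str, Dict[str, str]]], int]:
    """Parse SD-ELEMENTs at the start of `text`; return (elements, end offset).
    An escaped ']' inside a quoted value must not close the element."""
    if text.startswith("-"):
        return [], 1
    i, elements = 0, []
    while i < len(text) and text[i] == "[":
        j, in_quotes = i + 1, False
        while j < len(text):
            c = text[j]
            if c == "\\" and in_quotes:
                j += 2          # skip the escaped character
                continue
            if c == '"':
                in_quotes = not in_quotes
            elif c == "]" and not in_quotes:
                break
            j += 1
        if j >= len(text):
            raise ValueError("unterminated SD-ELEMENT")
        sd_id, _, rest = text[i + 1:j].partition(" ")
        params = {m.group(1): re.sub(r"\\(.)", r"\1", m.group(2))
                  for m in re.finditer(r'(\S+?)="((?:[^"\\]|\\.)*)"', rest)}
        elements.append((sd_id, params))
        i = j + 1
    return elements, i


def parse_rfc5424(line: str) -> dict:
    """Split a line into header fields, SD elements and MSG.
    Exactly one SP after STRUCTURED-DATA is consumed; any further whitespace
    is, per the RFC, part of MSG, which is how a double space surfaces."""
    m = _HEADER_RE.match(line)
    if not m:
        raise ValueError("malformed RFC 5424 header")
    rest = line[m.end():]
    elements, end = _parse_sd(rest)
    tail = rest[end:]
    if tail == "":
        msg = None
    elif tail.startswith(" "):
        msg = tail[1:]
    else:
        raise ValueError("MSG must be separated from STRUCTURED-DATA by a space")
    return {"pri": int(m.group("pri")), "host": m.group("host"),
            "app": m.group("app"), "sd": elements, "msg": msg}


# Constructed sample: one app log line carrying a single SD element.
SAMPLE = format_rfc5424(14, "2018-06-01T12:00:00Z", "cell-0", "vcap.rep", "1234", "-",
                        {"instance@47450": {"app": "demo", "note": 'said "hi" [ok]'}},
                        "container started")

if __name__ == "__main__":
    print(SAMPLE)
    print(parse_rfc5424(SAMPLE)["msg"])
    print(repr(parse_rfc5424(SAMPLE.replace("] container", "]  container"))["msg"]))
```

The parser deliberately does not trim the message: a collector that strips whitespace would hide the defect, while one that indexes or signs the raw MSG bytes sees a different value for every line emitted with the extra space.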

2.0.7

  • [Feature Improvement] Bumps garden-runc-release to v1.12.1:
    • Includes a fix for a bug where users’ files could go missing in docker-based applications.
  • [Bug Fix] Bump routing-release to 0.168.7:
    • Removes backends on any error.
    • Updates golang to v1.9.4.

Component         Version
stemcell          3468.25
cf-networking     1.8.1
cflinuxfs2        1.188.0
consul            187
diego             1.32.1
garden-runc       1.12.1
haproxy           8.4.2
loggregator       99 *
nfs-volume        1.1.3
routing           0.168.7 *
syslog-migration  10.0.1
* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

2.0.6

Note: it is recommended that you re-create all VMs when upgrading to this release, due to the update to garden-runc-release. This will happen automatically if you are updating your stemcell. If not, you can check the “Recreate All VMs” checkbox on the Ops Manager Director > Director Config tab.

Component         Version
stemcell          3468.25
cf-networking     1.8.1
cflinuxfs2        1.188.0
consul            187
diego             1.29.0
garden-runc       1.11.1
haproxy           8.4.2
loggregator       99 *
nfs-volume        1.1.3
routing           0.168.0
syslog-migration  10.0.1
* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

2.0.5

  • [Security Fix] Patch routing-release for CVE-2018-1221.
  • [Bug Fix] Enable privileged containers to support upgrading from ERT 1.11 with apps that specify privileged containers.
  • [Bug Fix] Fix to ensure that Diego rep will always exit during evacuation, even if Garden destroy hangs during evacuation.
  • [Feature Improvement] New option in the Networking page to allow operators to enable Gorouter support for the PROXY protocol. This is disabled by default.
  • [Feature Improvement] Enable the Garden debug_listen_address to listen on a local interface.

Component         Version
stemcell          3468.21
cf-networking     1.8.1
cflinuxfs2        1.181.0
consul            187
diego             1.29.0
garden-runc       1.10.0
grootfs           0.30.0
haproxy           8.4.2
loggregator       99 *
nfs-volume        1.1.3
routing           0.168.0
syslog-migration  10.0.1
* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

2.0.4

  • [Bug Fix] Fix issue that causes Isolation Segment to fail on fresh install with Pivotal Application Services 2.0 with Route Services enabled. See the corresponding Knowledge Base for more information.

Component         Version
stemcell          3468.21
cf-networking     1.8.1
cflinuxfs2        1.181.0
consul            187
diego             1.29.0
garden-runc       1.10.0
grootfs           0.30.0
haproxy           8.4.2
loggregator       99 *
nfs-volume        1.1.3
routing           0.168.0
syslog-migration  10.0.1
* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

2.0.3

  • [Security Fix] Bump stemcell to version 3468.21 to address issues:
  • [Security Fix] Bump cflinuxfs2-release to v1.181.0 to address issues:
  • [Bug Fix] Configure system logging to remove duplication of logs
  • [Feature Improvement] Bump syslog-migration-release to v10.0.1 and add a checkbox for log file forwarding through TCP to work around the Truncated Syslog Messages issue.
    • NOTE: Using TCP instead of the default UDP configuration may have a negative impact on performance.

Component         Version
stemcell          3468.21
cf-networking     1.8.1
cflinuxfs2        1.181.0
consul            187
diego             1.29.0
garden-runc       1.10.0
grootfs           0.30.0
haproxy           8.4.2
loggregator       99 *
nfs-volume        1.1.3
routing           0.168.0
syslog-migration  10.0.1
* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

2.0.2

Component         Version
stemcell          3468.17
cf-networking     1.8.1
cflinuxfs2        1.176.0
consul            187
diego             1.29.0
garden-runc       1.10.0
grootfs           0.30.0
haproxy           8.4.2
loggregator       99 *
nfs-volume        1.1.3
routing           0.168.0
syslog-migration  10
* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

2.0.1

  • [Security Fix] Bumps cflinuxfs2-release to v1.176.0 for USN-3513-1.
  • [Feature] Bumps garden-runc-release to v1.10.0:
    • It is now possible to specify a ProcessSpec.Image. Processes can now have their own file system view.
    • Limitation: It is only possible to use ProcessSpec.Image and ProcessSpec.OverrideContainerLimits with unprivileged containers. This will be fixed in future releases.
    • Limitation: APIs such as BulkMetrics and Process.Signal may not work immediately after container.Run(ProcessSpec) returns for processes with Image or OverrideContainerLimits specified. This will be fixed in future releases.
    • Reduced log volume in BulkMetrics for large environments.
    • Correctly declares that bundles it creates are OCI Runtime Spec version 1.0.0 compliant.
  • The Garden property cleanup_process_dirs_on_wait is configured to true to reduce the growth of directories in the Garden container.

Component         Version
stemcell          3468.13
cf-networking     1.8.1
cflinuxfs2        1.176.0
consul            187
diego             1.29.0
garden-runc       1.10.0
grootfs           0.30.0
haproxy           8.4.2
loggregator       99 *
nfs-volume        1.1.3
routing           0.168.0
syslog-migration  10
* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

2.0.0

Warning: This release does not set the Garden property cleanup_process_dirs_on_wait to true, which can leave many directories in the depot for the Garden container. This will be set to true in the next release.

Component         Version
stemcell          3468.13
cf-networking     1.8.1
cflinuxfs2        1.175.0
consul            187
diego             1.29.0
garden-runc       1.9.4
grootfs           0.30.0
haproxy           8.4.2
loggregator       99 *
nfs-volume        1.1.3
routing           0.168.0
syslog-migration  10
* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

About PCF Isolation Segment

The PCF Isolation Segment v2.0 tile is available for installation with PCF v2.0.

Isolation segments provide dedicated pools of resources where you can deploy apps and isolate workloads. Using isolation segments separates app resources as completely as if they were in different CF deployments but avoids redundant management and network complexity.

For more information about using isolation segments in your deployment, see the Managing Isolation Segments topic.

How to Install

The procedure for installing PCF Isolation Segment v2.0 is documented in the Installing PCF Isolation Segment topic.

To install a PCF Isolation Segment, you must first install PCF v2.0.

New Features in PCF Isolation Segment v2.0

BOSH DNS Service Discovery for Application Containers (Beta)

In PCF v2.0, application containers look up services using the BOSH DNS service discovery mechanism.

Note: Port 8853 is the destination port for communications between BOSH DNS health processes. Ensure your firewall rules allow TCP traffic on port 8853 for all VMs running BOSH DNS. For more information, see BOSH DNS Network Communications.

To support this lookup, BOSH Director colocates a BOSH DNS server on every deployed VM. This colocation is a prerequisite for migrating completely to BOSH DNS in a future release of PCF. However, this colocation does not impact the current behavior of DNS for Cloud Foundry components in PCF v2.0. System components still use consul to discover and locate other Cloud Foundry components.

You can opt out of deploying BOSH DNS in PCF v2.0. For more information, see the Ops Manager v2.0 Release Notes and Disabling or Opting Out of BOSH DNS in PCF in the Pivotal Knowledge Base.

Gorouter and HAProxy Trust the Diego Instance Identity Intermediate CA

The Gorouter and HAProxy are configured to trust the certificate authority that issues Diego instance identity certificates, so an app instance that presents its instance identity certificate can be authenticated with mutual TLS. This trust is configured automatically within PCF and requires no operator action.

Gorouter and HAProxy Trust Additional CAs

When validating client requests using mutual TLS, the Gorouter trusts multiple certificate authorities (CAs) by default. Operators can now configure the Gorouter and HAProxy to trust custom CAs in addition to well-known, public CAs and Ops Manager Director Trusted Certificates. For more information about configuring this feature, see Installing PCF Isolation Segment.

Gorouter and HAProxy Support Multiple Certificates

You can now add more than one certificate for the Gorouter and HAProxy in the Networking configuration pane. This improves security and removes the need to reissue the existing certificate when you want to add TLS support for custom domains. The Gorouter and HAProxy use SNI to determine the correct certificate to present in a TLS handshake. For more information, see the Multiple Certificates section of Securing Traffic into Cloud Foundry.
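The SNI-based selection described above, as an added example that is not code from the release notes, the Gorouter or HAProxy: a small Python model of how a TLS terminator picks the certificate to present from several configured certificates. The certificate records and domain names are constructed placeholders (no real keys or certificates are involved), the matching rules are the RFC 6125 rules for DNS names, under which a wildcard covers exactly one leftmost label, and the convention that the first configured certificate is the default is this example's assumption.

```python
"""Added example (not from the release notes or the routing-release code base):
how a TLS terminator such as the Gorouter or HAProxy can pick the certificate
to present based on the SNI server_name extension. DNS-name matching follows
RFC 6125; the certificate records below are constructed placeholders."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class CertRecord:
    name: str                                          # label for the configured cert
    dns_sans: List[str] = field(default_factory=list)  # DNS names in subjectAltName


def _normalize(host: str) -> str:
    # DNS names are case-insensitive; a trailing dot marks an absolute name.
    return host.rstrip(".").lower()


def san_matches(san: str, server_name: str) -> bool:
    """True if the subjectAltName DNS-ID `san` covers `server_name`.

    A wildcard is honoured only as the complete leftmost label and matches
    exactly one label: `*.example.com` covers `app.example.com` but neither
    `example.com` nor `a.b.example.com`. Partial wildcards (`a*.example.com`)
    and top-level wildcards (`*.com`) are rejected.
    """
    san, server_name = _normalize(san), _normalize(server_name)
    if "*" not in san:
        return san == server_name
    san_labels, name_labels = san.split("."), server_name.split(".")
    if san_labels[0] != "*" or any("*" in lbl for lbl in san_labels[1:]):
        return False
    if len(san_labels) < 3:
        return False
    return len(name_labels) == len(san_labels) and name_labels[1:] == san_labels[1:]


def select_certificate(certs: List[CertRecord], server_name: Optional[str]) -> CertRecord:
    """Pick the certificate to present in the handshake.

    The first configured certificate is the default (assumption of this example),
    used when the client sends no SNI or names a host none of the certificates
    cover. Among matches, an exact SAN beats a wildcard SAN.
    """
    if not certs:
        raise ValueError("at least one certificate must be configured")
    if not server_name:
        return certs[0]
    wildcard_hit: Optional[CertRecord] = None
    for cert in certs:
        for san in cert.dns_sans:
            if san_matches(san, server_name):
                if "*" not in san:
                    return cert
                wildcard_hit = wildcard_hit or cert
    return wildcard_hit or certs[0]


# Constructed configuration: the system-domain cert first (default), then a
# customer's custom-domain cert added without reissuing the first one.
CONFIGURED_CERTS = [
    CertRecord("system", ["*.sys.example.com", "*.apps.example.com"]),
    CertRecord("custom", ["shop.customer.example", "*.customer.example"]),
]

if __name__ == "__main__":
    for sni in ["api.sys.example.com", "shop.customer.example", "a.b.customer.example", None]:
        print(f"{sni!r:28} -> {select_certificate(CONFIGURED_CERTS, sni).name}")
```

The practical consequence this encodes: a client that sends no server_name, or an unexpected one, is handed the default certificate, so the default should be the platform's system-domain certificate rather than a customer's custom-domain certificate, and a host two labels below a wildcard (`a.b.customer.example`) is not covered by it.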

XFCC Support for Deployments that Terminate TLS at HAProxy

PCF now supports XFCC header configuration for deployments that terminate TLS for the first time at HAProxy. In addition, the selection options for this configuration field have been renamed to reflect differences in XFCC configuration based on TLS termination entry points. For more information about configuring this feature, see Installing PCF Isolation Segment.
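An added example, not code from the routing release, HAProxy or the tile, of the point behind the renamed options: whichever hop terminates the client's TLS session must be the one that overwrites or removes the X-Forwarded-Client-Cert (XFCC) header, and a hop behind it may only pass the header through because the terminating hop has already done so. The mode names, the header dictionary, the placeholder DER bytes and the use of base64-encoded DER as the header value are this example's own assumptions, not the tile's option labels.

```python
"""Added example (not from the release notes, the routing release or HAProxy):
why XFCC handling must match the hop that terminates TLS. The DER bytes are a
constructed placeholder, and the mode names are this example's own."""
import base64
from typing import Dict, List, Optional, Tuple

XFCC = "X-Forwarded-Client-Cert"


def encode_cert(der: bytes) -> str:
    # Header value carries the certificate as base64 DER (assumption for this example).
    return base64.b64encode(der).decode("ascii")


def _drop_header(headers: Dict[str, str], name: str) -> Dict[str, str]:
    # Header names are case-insensitive: drop every spelling, not just the canonical one.
    return {k: v for k, v in headers.items() if k.lower() != name.lower()}


def xfcc_value(headers: Dict[str, str]) -> Optional[str]:
    for k, v in headers.items():
        if k.lower() == XFCC.lower():
            return v
    return None


def apply_xfcc_policy(headers: Dict[str, str], mode: str,
                      tls_client_cert_der: Optional[bytes]) -> Dict[str, str]:
    """Return the headers this hop forwards to the next one.

    "terminate":      this hop terminated the client's TLS. Any inbound XFCC
                      came from the client and is discarded; if the handshake
                      presented a client certificate, its encoding is set.
    "trust_upstream": TLS was terminated by a trusted hop in front of this one
                      (HAProxy in front of the Gorouter) that already applied
                      "terminate", so the header is passed through unchanged.
    "strip":          never forward the header to applications.
    """
    if mode == "terminate":
        out = _drop_header(headers, XFCC)
        if tls_client_cert_der is not None:
            out[XFCC] = encode_cert(tls_client_cert_der)
        return out
    if mode == "trust_upstream":
        return dict(headers)
    if mode == "strip":
        return _drop_header(headers, XFCC)
    raise ValueError(f"unknown XFCC mode: {mode}")


def chain(headers: Dict[str, str], hops: List[Tuple[str, Optional[bytes]]]) -> Dict[str, str]:
    """Run a request through (mode, presented_cert) hops in order."""
    for mode, cert in hops:
        headers = apply_xfcc_policy(headers, mode, cert)
    return headers


# Constructed inputs: a request from an internet client that injects its own
# XFCC header, and the (placeholder) DER of the cert it actually presented.
CLIENT_REQUEST = {"Host": "app.example.com", "x-forwarded-client-cert": "SPOOFED"}
PRESENTED_CERT_DER = b"\x30\x82\x01\x00placeholder-der"

if __name__ == "__main__":
    # Correct: HAProxy terminates TLS and sets XFCC; the Gorouter trusts HAProxy.
    good = chain(CLIENT_REQUEST, [("terminate", PRESENTED_CERT_DER), ("trust_upstream", None)])
    # Misconfigured: the client reaches the Gorouter directly (no HAProxy in
    # front) while the Gorouter is still set to trust an upstream terminator.
    bad = chain(CLIENT_REQUEST, [("trust_upstream", None)])
    print("correct chain :", xfcc_value(good))
    print("misconfigured :", xfcc_value(bad))
```

The check a practitioner wants from this: the "trust_upstream" setting is only safe on a hop that cannot be reached except through the terminating hop; if the load balancer or HAProxy layer is bypassed, the application receives whatever XFCC value the client chose to send.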

VMware NSX-T Networking Support

PCF Isolation Segment v2.0 adds support for VMware NSX-T networking. NSX is a networking solution for VMware that provides a firewall, load balancing, and NAT/SNAT services for PCF. NSX-T is intended to work across multiple clouds and provide networking for container platforms. Previous versions of PCF Isolation Segment supported NSX-V networking.

To use NSX-T networking, you must install the NSX-T tile.

WARNING: The NSX-T integration is only for fresh installs of PCF. You cannot upgrade an existing deployment to use NSX-T, and there is no upgrade path from NSX-V to NSX-T.

To enable NSX-T networking for your PCF installation, do the following:

  1. In the Ops Manager Director tile > vCenter Config pane, select NSX-T from the NSX Mode drop-down menu. See Step 2: vCenter Config Page in Configuring Ops Manager Director on vSphere for more information.

  2. Import and configure the NSX-T tile, but do not click Apply Changes. You must install the NSX-T tile after you install the Ops Manager Director tile. You must install the NSX-T tile before you install the PAS tile.

  3. In the PCF Isolation Segment tile > Networking pane, under Container Network Plugin Interface, select External.

  4. Click Apply Changes after installing and configuring the NSX-T and PAS tiles.

Operators can additionally use the NSX Manager to configure policies for PCF applications. For more information, see the NSX-T Container Plug-in for Kubernetes and Cloud Foundry - Installation and Administration Guide.

Note: You must have NSX-T v2.1 installed to use this integration.

Note: The IPsec add-on is not supported with NSX-T.

Breaking Change: If you opt out of the BOSH DNS feature, your PCF deployment cannot support NSX-T networking.

Known Issues

Isolation Segment Fails on Fresh Install with Route Services

In Isolation Segment v2.0.0 to v2.0.3, when installing Isolation Segment with Pivotal Application Services where route services are enabled, the deployment fails due to a missing router-route-services-secret credential. This issue is fixed in Isolation Segment v2.0.4.

For more information, see the corresponding Knowledge Base article.

About Advanced Features

The Advanced Features section of the PCF Isolation Segment tile includes new functionality that may have certain constraints. Although these features are fully supported, Pivotal recommends caution when using them in production.
