PCF Ops Manager v2.1 Release Notes

Pivotal Cloud Foundry is certified by the Cloud Foundry Foundation for 2018.

Read more about the certified provider program and the requirements of providers.


How to Upgrade

The Upgrading Pivotal Cloud Foundry topic contains instructions for upgrading to Pivotal Cloud Foundry (PCF) Ops Manager v2.1.

Releases

2.1.14

  • [Security Fix]: Operators get new certificate authorities (CAs) for BOSH DNS healthiness and the DNS API that are valid for four years. Operators can rotate existing CAs to longer-lived CAs. New installations generate leaf certificates from that CA. Use POST /api/v0/certificate_authorities/active/regenerate to rotate DNS healthiness leaf certificates.
  • [Bug Fix]: Ops Manager verifiers no longer time out when Ops Manager is configured with a proxy.
  • [UI Enhancement]: An error message appears when a file downloaded from Pivotal Network is invalid or corrupt.
  • Bumps BOSH Director to 265.11.0.

Ops Manager v2.1.14 uses the following component versions:

Component       Version
Ops Manager     2.1-build.361*
Stemcell        3541.46
BBR SDK         1.4.4
BOSH Director   265.11.0*
BOSH DNS        1.8.0
Metrics Server  0.0.21
CredHub         1.7.7
UAA             55.2
AWS CPI         69
Azure CPI       35
GCP CPI         27.0.1
OpenStack CPI   37
vSphere CPI     45.1.0
* Components marked with an asterisk have been updated.

2.1.13

  • [Security Fix] Bumps stemcell to 3541.46
  • [Bug Fix] Pivotal Network integrates successfully with Pivotal Application Service (PAS) tile and Small Footprint PAS.
  • Bumps BOSH Director to v265.10
  • Bumps Metrics Server to v0.0.21

Ops Manager v2.1.13 uses the following component versions:

Component       Version
Stemcell        3541.46*
BBR SDK         1.4.4
BOSH Director   265.10*
BOSH DNS        1.8.0
Metrics Server  0.0.21*
CredHub         1.7.7
UAA             55.2
AWS CPI         69
Azure CPI       35
GCP CPI         27.0.1
OpenStack CPI   37
vSphere CPI     45.1.0
* Components marked with an asterisk have been updated.

2.1.12

  • [Security Fix] Bumps stemcell to 3541.44
  • Bumps BOSH Director to v265.9
  • Bumps BOSH DNS to v1.8
  • Bumps GCP CPI to v27.0.1

Ops Manager v2.1.12 uses the following component versions:

Component       Version
Stemcell        3541.44*
BBR SDK         1.4.4
BOSH Director   265.9*
BOSH DNS        1.8.0*
Metrics Server  0.0.17
CredHub         1.7.7
UAA             55.2
AWS CPI         69
Azure CPI       35
GCP CPI         27.0.1*
OpenStack CPI   37
vSphere CPI     45.1.0
* Components marked with an asterisk have been updated.

2.1.11

  • [Security Fix] Bumps stemcell to 3541.37
  • Bumps BOSH Director to v265.7
  • Bumps BOSH DNS to v265.9
  • [Bug Fix] Private key is not returned when you GET the /iaas_configurations API endpoint.
  • [Bug Fix] UAA config remains mounted in RAM disk when image is recreated.
  • [Bug Fix] You can edit an Availability Zone (AZ) if it is unassociated with a product.
  • [Feature Improvement] Ops Manager verifies external databases with TLS.

Ops Manager v2.1.11 uses the following component versions:

Component       Version
Stemcell        3541.37*
BBR SDK         1.4.4
BOSH Director   265.7*
BOSH DNS        1.8.0*
CredHub         1.7.7
UAA             55.2
AWS CPI         69
Azure CPI       35
GCP CPI         27
OpenStack CPI   37
vSphere CPI     45.1.0
* Components marked with an asterisk have been updated.

2.1.10

  • [Security Fix] Bumps stemcell to 3541.35
  • Bumps BOSH Director to v265.4
  • [Bug Fix]: Fixes an error reading Unknown CPI error 'Unknown' with message 'execution expired' in 'create_vm' CPI method for deployments on Azure.

Ops Manager v2.1.10 uses the following component versions:

Component       Version
Stemcell        3541.35*
BBR SDK         1.4.4
BOSH Director   265.4*
BOSH DNS        1.6.0
CredHub         1.7.7
UAA             55.2
AWS CPI         69
Azure CPI       35
GCP CPI         27
OpenStack CPI   37
vSphere CPI     45.1.0
* Components marked with an asterisk have been updated.

2.1.9

  • [Bug Fix]: Fixes critical manifest generation grammar issue introduced in v2.1.8.

Ops Manager v2.1.8 is no longer available.

Ops Manager v2.1.9 uses the following component versions:

Component       Version
Stemcell        3541.35*
BBR SDK         1.4.4
BOSH Director   265.3.0
BOSH DNS        1.6.0
CredHub         1.7.7
UAA             55.2*
AWS CPI         69
Azure CPI       35
GCP CPI         27
OpenStack CPI   35
vSphere CPI     45.1.0
* Components marked with an asterisk have been updated.

2.1.8

WARNING: This release is no longer available for download. Upgrade to v2.1.9 instead. For more details, continue reading.

In Ops Manager v2.1.8, a bug caused PAS’s Diego cells to no longer trust all of the TLS certificates that they trusted previously.

The full impact of the bug has not yet been confirmed, but it is possible that it affects other tiles. Specifically, it affects tiles whose YAML definition file contains a multi-line string with multiple double-parenthesis expressions.

Tile authors often use multi-line strings containing multiple double-parenthesis expressions to construct certificate chains for their BOSH manifests. This bug causes these strings to render incorrectly in the manifests.

The following is an example of a portion of a tile’s YAML file which will be affected by this bug:

trusted_certs: |
  ((( /cf/diego-instance-identity-root-ca.certificate )))
  (( $ops_manager.ca_certificate ))
  (( $ops_manager.trusted_certificates ))
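
To find which tile definitions contain the pattern described above, the following added example (not part of the original release notes or of Pivotal's tooling) scans YAML text for multi-line strings that hold more than one parenthesis expression. The sample tile, its property names, and the function names are constructed for illustration, and the scanner is a line-based heuristic rather than a full YAML parser.

```python
import re

# Block scalar header such as "trusted_certs: |" (also ">" and chomping indicators).
BLOCK_HEADER = re.compile(
    r'^\s*(?:-\s+)?(?P<key>[^\s#:][^:]*):\s*[|>][+-]?\d?\s*$')
# Double- or triple-parenthesis expression, e.g. (( $ops_manager.ca_certificate )).
EXPRESSION = re.compile(r'\({2,3}.+?\){2,3}')

# Constructed sample tile definition (hypothetical, for illustration only).
SAMPLE_TILE = """\
name: example-tile
job_types:
- name: diego_cell
  properties:
    trusted_certs: |
      ((( /cf/diego-instance-identity-root-ca.certificate )))
      (( $ops_manager.ca_certificate ))
      (( $ops_manager.trusted_certificates ))
    single_ca: |
      (( $ops_manager.ca_certificate ))
    plain: (( $ops_manager.ca_certificate ))
"""


def indent_of(line):
    """Number of leading spaces (YAML does not allow tabs for indentation)."""
    return len(line) - len(line.lstrip(' '))


def find_affected_blocks(yaml_text):
    """Return (key, header_line_number, expression_count) for every multi-line
    string that contains more than one parenthesis expression."""
    lines = yaml_text.splitlines()
    findings = []
    i = 0
    while i < len(lines):
        header = BLOCK_HEADER.match(lines[i])
        if not header:
            i += 1
            continue
        key_column = header.start('key')
        header_line = i + 1
        count = 0
        i += 1
        # The block scalar body is every following line indented deeper than the key.
        while i < len(lines):
            body = lines[i]
            if body.strip() and indent_of(body) <= key_column:
                break
            count += len(EXPRESSION.findall(body))
            i += 1
        if count > 1:
            findings.append((header.group('key').strip(), header_line, count))
    return findings


if __name__ == "__main__":
    for key, line_no, count in find_affected_blocks(SAMPLE_TILE):
        print(f"line {line_no}: '{key}' holds {count} expressions in one multi-line string")
```

Properties that hold a single expression, whether inline or in a multi-line string, are not reported because they do not match the pattern the bug description names.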

This version of Ops Manager is no longer available on Pivotal Network. Upgrade to v2.1.9 instead.

  • [Bug Fix]: You can now delete an unused AZ in an installation after clicking Apply Changes.
  • [Feature Improvement]: Installation Dashboard and deployment status pages may load more quickly.
  • [Security Fix]: Bumps Nokogiri to 1.8.4 to remediate CVE-2017-15412.

Ops Manager v2.1.8 uses the following component versions:

Component       Version
Stemcell        3541.35*
BBR SDK         1.4.4
BOSH Director   265.3.0
BOSH DNS        1.6.0
CredHub         1.7.7
UAA             55.2*
AWS CPI         69
Azure CPI       35
GCP CPI         27
OpenStack CPI   35
vSphere CPI     45.1.0
* Components marked with an asterisk have been updated.

2.1.7

Ops Manager v2.1.7 uses the following component versions:

Component       Version
Stemcell        3541.34*
BBR SDK         1.4.4*
BOSH Director   265.3.0*
BOSH DNS        1.6.0
CredHub         1.7.7*
UAA             55.1*
AWS CPI         69
Azure CPI       35
GCP CPI         27
OpenStack CPI   35
vSphere CPI     45.1.0
* Components marked with an asterisk have been updated.

2.1.6

  • [Security] Remediates CVE-2018-11046.
  • [Bug Fix] You can now rotate SSL certificates without losing connection between BOSH Director and VMs.
  • [Bug Fix] You can now delete the only AZ in an installation.
  • [Bug Fix] You can now delete the only network in an installation.

Ops Manager v2.1.6 uses the following component versions:

Component       Version
Stemcell        3468.46
BBR SDK         1.2.1
BOSH Director   264.10.0
BOSH DNS        1.6.0
CredHub         1.6.5
UAA             52.7
AWS CPI         69
Azure CPI       35
GCP CPI         27
OpenStack CPI   35
vSphere CPI     45.1.0

2.1.5

  • [Bug Fix] Changes vSphere to v45.1
  • [Security Fix] Bumps stemcell to 3541.30
  • Bumps CredHub to v1.7.5

Ops Manager v2.1.5 uses the following component versions:

Component       Version
Stemcell        3541.30*
BBR SDK         1.4.4
BOSH Director   265.2
BOSH DNS        1.6.0
CredHub         1.7.5*
UAA             55
AWS CPI         69
Azure CPI       35
GCP CPI         27
OpenStack CPI   37
vSphere CPI     45.1*
* Components marked with an asterisk have been updated.

2.1.4

WARNING: If you use a vSphere environment, Pivotal recommends that you skip v2.1.4 due to a major bug.

  • Bumps vSphere to v49
  • [Feature Improvement] Upgrades BOSH System Metrics Server Release to v0.0.17. PAS for Windows 2012R2 now emits BOSH VM metrics.
  • [Feature Improvement] Decrease upload time for large tiles and stemcells.
  • [Bug Fix] Helps alleviate Ruby’s susceptibility to high memory usage. May prevent the Ops Manager VM from running out of memory during a long VM lifecycle.
  • [Bug Fix] Ops Manager UI shows product job log download link only once per instance group rather than for all instances.
  • [Bug Fix] The Ops Manager API endpoint /api/v0/deployed/certificates now lists all RSA certificates.
  • [Bug Fix] Azure network and resource group matchers are case insensitive.
  • [Bug Fix] The Ops Manager API no longer has the service_network key.
  • [Bug Fix] The menu links are clickable in all subpages.
  • [Bug Fix] In the Stemcell Library, stemcells only apply to the tiles you select regardless of compatibility.

Ops Manager v2.1.4 uses the following component versions:

Component       Version
Stemcell        3541.25
BBR SDK         1.4.4
BOSH Director   265.2
BOSH DNS        1.6.0
CredHub         1.7.1
UAA             55
AWS CPI         69
Azure CPI       35
GCP CPI         27
OpenStack CPI   37
vSphere CPI     49*
* Components marked with an asterisk have been updated.

2.1.3

  • [Security] Bumps stemcell to 3541.25
  • Bumps BOSH DNS to 1.6.0
  • [Bug Fix] The credentials API endpoints for deployed products do not include secrets. For more information about these API endpoints, see Viewing available credentials and Fetching credentials in the Ops Manager API documentation.
  • Installation Dashboard includes new Azure logo when you have an Azure installation.

Ops Manager v2.1.3 uses the following component versions:

Component       Version
Stemcell        3541.25*
BBR SDK         1.4.4
BOSH Director   265.2
BOSH DNS        1.6.0*
CredHub         1.7.1
UAA             55
AWS CPI         69
Azure CPI       35
GCP CPI         27
OpenStack CPI   37
vSphere CPI     45.1.0
* Components marked with an asterisk have been updated.

2.1.2

  • [Security] Bumps stemcell to 3451.12
  • [Feature] You are now able to fetch availability zones (AZs) from the Ops Manager API. For more information, see Fetching availability zones in the Ops Manager API documentation.

Ops Manager v2.1.2 uses the following component versions:

Component       Version
Stemcell        3451.12*
BBR SDK         1.4.4
BOSH Director   265.2
BOSH DNS        1.3.0
CredHub         1.7.1
UAA             55
AWS CPI         69
Azure CPI       35
GCP CPI         27
OpenStack CPI   37
vSphere CPI     45.1.0
* Components marked with an asterisk have been updated.

2.1.1

  • [Security] Bumps stemcell to 3451.10
  • [Feature] The BOSH CLI is now upgraded to v3 in Ops Manager. You can split cloud configs and other configurations into multiple files. This change allows you to manage and evolve configurations separately. For more information on configuration management in BOSH, see Configs in the BOSH documentation.
  • [Feature] In the Director Config pane, you can now enter Excluded Recursors as a comma-separated list. This list specifies which IPs and ports you want to exclude from the DNS server. For more information, see Director Config Page.
  • [Bug Fix] Ops Manager sets a consistent entity ID in both SAML and non-SAML cases.
  • Bumps BOSH Director to v265.2

Ops Manager v2.1.1 uses the following component versions:

Component       Version
Stemcell        3451.10*
BBR SDK         1.4.4
BOSH Director   265.2*
BOSH DNS        1.3.0
CredHub         1.7.1
UAA             55
AWS CPI         69
Azure CPI       35
GCP CPI         27
OpenStack CPI   37
vSphere CPI     45.1.0
* Components marked with an asterisk have been updated.

2.1.0

Ops Manager v2.1.0 uses the following component versions:

Component       Version
Stemcell        3541.8
BBR SDK         1.4.4
BOSH Director   265.1
BOSH DNS        1.3.0
CredHub         1.7.1
UAA             55
AWS CPI         69
Azure CPI       35
GCP CPI         27
OpenStack CPI   37
vSphere CPI     45.1.0
* Components marked with an asterisk have been updated.


New Features in Ops Manager v2.1

Stemcell Library

Use the new Stemcell Library to import stemcells, stage stemcells, and view the stemcell versions associated with each product.

In Ops Manager v2.0 and earlier, stemcell management capabilities are located within each tile. For v2.1, the Stemcell Library provides centralized stemcell management from the Installation Dashboard used for all products.

For more information about the Stemcell Library, see Importing and Managing Stemcells.

Create Custom VM Extensions

You can create and manage custom VM extensions through the Ops Manager API. Custom VM extensions allow you to assign a group of IaaS-specific cloud_properties to a custom VM extension name. You can then assign this custom VM extension to jobs. For more information about custom VM extensions, see Managing Custom VM Extensions.

Azure Stack Support (Beta)

Operators can deploy Ops Manager v2.0 to Microsoft Azure in their own local datacenter using Azure Stack. Azure Stack support is in beta for Ops Manager v2.0 and should not be used in production.

AWS KMS Encryption Available for BOSH and Ops Manager VMs

Operators can specify a custom AWS Key Management Service (KMS) encryption key to encrypt all the Elastic Block Store (EBS) volumes in AWS for BOSH VMs and the Ops Manager VM. You can use this feature to meet data-at-rest encryption requirements or as a security best practice. There is no performance penalty for using encrypted EBS volumes. Pivotal advises all users of PCF on AWS to enable encryption.

To encrypt BOSH and all present and future product VMs, enable Encrypt EBS Volumes in the AWS Config pane of the BOSH Director. To encrypt the Ops Manager VM, you need to re-launch Ops Manager with a new Amazon Machine Image (AMI).

For more information about how to encrypt BOSH and Ops Manager VMs, see Configuring Amazon EBS Encryption.

Configure an External CredHub Encryption Provider

In the Director Config pane of an installation, you now have the option to select a CredHub Encryption Provider to store your encryption keys. For Ops Manager v2.1, you only have the option to select internal storage or a Luna Hardware Security Module (HSM). For more information about configuring your CredHub encryption provider, see the Director Config Page section of the Ops Manager Director installation topic for your IaaS.

Multiple Read-Only Users Can Be Logged In Simultaneously

Ops Manager users with Full View and Restricted View permissions can be logged in simultaneously. Before this change, only one user at a time could view Ops Manager.

For security purposes, operators with write access still cannot be logged into Ops Manager simultaneously. For more information about operator roles and permissions, see Configuring Role-Based Access Control (RBAC) in Ops Manager.

Create a Custom Banner

From the Ops Manager settings, you can now add a custom banner to communicate important messages to operators. In the new Custom Banner pane, enter text in the Banner UI field to create a banner that appears on each page of the Ops Manager UI. If you enter text in the SSH Banner field, that text appears to each operator who shells into Ops Manager. For more information about navigating Ops Manager settings, see the Settings Page of the Ops Manager Director installation topic for your IaaS.

GCS Blobstore Available for External File Storage

You now have the option to select a Google Cloud Storage (GCS) blobstore as your external file storage. With this new feature, Pivotal now recommends you select the GCS Blobstore option for the Blobstore Location if you install Ops Manager with GCP. For more information, see the Director Config Page section of the Configuring Ops Manager Director on GCP topic.

Note: After you deploy Ops Manager, you cannot change the blobstore location.

Integrate Azure Application Gateway Load Balancers

In the Resource Config pane of the Azure configuration dashboard, you can enter an Azure Application Gateway for your load balancer.

To learn more about Azure Application Gateway, see Overview of Application Gateway in the Azure documentation.

To learn more about configuring your load balancer for Azure, see the Resource Config Page section of the Configuring Ops Manager on Azure topic.

Note: This feature is not recommended for production use. The Azure load balancer does not support an override port in the healthcheck configuration.

Add Multiple Clusters to Availability Zones

In the vSphere configuration dashboard, you can now add multiple clusters to an Availability Zone (AZ) with the new Add Cluster button. For more information about configuring AZs, see the Create Availability Zone Page section of the Configuring Ops Manager on vSphere topic.

IP Address Management (IPAM) Removed

Ops Manager no longer reserves a range of IPs for dynamic allocation. Instead, only the BOSH Director manages IP allocation. This change is to keep IP management in a central location without redundancy.

Removing IPAM from Ops Manager results in the following changes:

  • Ops Manager no longer picks and reserves a range of static IPs. IP allocation is handled by BOSH.
  • To optionally reserve specific IPs, enter IPs in the Static IPs pane of your product tile.
  • With restrictions now removed, you have more options to expand your network. See Expand Your Network with Additional Subnets below.
  • The Service Network checkbox in the Create Networks pane has been removed.
  • You get an ignorable warning when you click Apply Changes if the Static IPs you enter for your tile are not in the same network or AZ that is assigned to the tile.
  • You get an ignorable warning when you click Apply Changes if the Static IPs you enter for your tile overlap with other tiles.
  • You get an ignorable warning when you click Apply Changes if you enter a CIDR range that is not large enough to deploy the staged tiles.
  • For tile authors, static_ip and dynamic_ip are now ignored. Ops Manager gets static IPs from the static_ips property.

Expand Your Network with Additional Subnets

In the Create Networks pane of Ops Manager, you can add additional subnets to your network. Each AZ can now have more than one subnet.

This feature is only available if you have already deployed Ops Manager. For more information, see Expanding Your Network with Additional Subnets.

VPC Verifier Removed from AWS Configuration

When you configure Ops Manager for AWS, you do not need to provide a Virtual Private Cloud (VPC) ID.

Associate AWS ALBs with Jobs

From the Resource Config pane of an AWS installation, you can associate an AWS Application Load Balancer (ALB) to a job. For more information, see Resource Config Page in the Configuring BOSH Director on AWS topic.

Known Issues

DNS Server Hangs or DNS Lookups Fail

With BOSH DNS, every BOSH-deployed VM has a DNS server. In large PCF installations, this DNS server may hang or DNS lookups may fail when the VM experiences too many DNS lookups in a short amount of time.

This error is caused by a race condition and deadlock in the VM’s DNS server.

To fix this problem, run monit on the VM with failing DNS to restart its bosh-dns process.

Azure Load Balancer Does Not Support Override Port

The Azure Application Gateway feature is currently not recommended for production use. The Azure load balancer does not support an override port in the healthcheck configuration. For more information about this feature, see Integrate Azure Application Gateway Load Balancers above.

AWS KMS Encryption Requires Manual Refresh

If you select Encrypt EBS Volumes in the AWS Config pane of your AWS BOSH Director tile, only future BOSH-deployed VMs are encrypted. To manually trigger current BOSH VMs to encrypt their persistent disks, ephemeral disks, and root disk, you must make the following changes separately for each disk type:

  • For persistent disks: In the Resource Config pane of your BOSH Director tile, bump the persistent disk of each job.
  • For ephemeral disks: In the Director Config pane of your BOSH Director tile, enable Recreate all VMs for the next deployment.
  • For the root disk: In the Stemcell Library, stage new stemcells for the next deployment.

This known issue does not affect you if you enable Encrypt EBS Volumes during your first deployment.

For more information about the AWS KMS feature, see AWS KMS Encryption Available for BOSH and Ops Manager VMs.

Bug Fixes

  • Ops Manager now validates inventory service vSphere vCenter privileges. For more information about this breaking change, see Additional vSphere Permission Validation in the PCF v2.1 Breaking Changes release notes.

  • Ops Manager sets a consistent entity ID in both SAML and non-SAML cases.
