Pivotal Application Service v2.1 Release Notes

Pivotal Cloud Foundry is certified by the Cloud Foundry Foundation for 2018.

Read more about the certified provider program and the requirements of providers.


Releases

2.1.18

  • [Security Fix] Update JDK to latest patch release for Autoscaler
  • [Security Fix] Address leak of CF admin credentials into NFS broker bosh errand logs
  • [Feature Improvement] Improve performance of the system_report/service_usages endpoint in the usages-service to prevent potential 502 or 504 responses on larger deployments
  • [Bug Fix] Show more helpful error message in Apps Manager when toggling on Autoscaler fails
  • [Bug Fix] Prevent container IPs from leaking by enforcing that TCP RST messages always have the cell IP as the source IP
  • [Bug Fix] Fix login for users by not redirecting to the now-removed Pivotal Account app
  • [Bug Fix] Fix issue where the CAPI sync job fails when TCP routes are being used
  • Bump ubuntu-trusty stemcell to version 3541.61
  • Bump cf-autoscaling to version 118.9
  • Bump cf-mysql to version 36.16.0
  • Bump cf-networking to version 1.10.6
  • Bump cf-smoke-tests to version 40.0.17
  • Bump cflinuxfs2 to version 1.249.0
  • Bump nfs-volume to version 1.2.6
  • Bump push-apps-manager-release to version 664.0.22
  • Bump push-usage-service-release to version 666.0.12
Component                           Version
ubuntu-trusty stemcell              3541.61
backup-and-restore-sdk              1.5.3
binary-offline-buildpack-lts        1.0.27
bosh-dns-aliases                    0.0.2
bosh-system-metrics-forwarder       0.0.15
capi                                1.49.13
cf-app-sd                           0.5.0
cf-autoscaling                      118.9
cf-backup-and-restore               0.0.10
cf-cli                              1.5.0
cf-mysql                            36.16.0
cf-networking                       1.10.6
cf-smoke-tests                      40.0.17
cf-syslog-drain                     5.3
cflinuxfs2                          1.249.0
consul                              195
credhub                             1.7.5
diego                               1.35.12
dotnet-core-offline-buildpack-lts   2.1.5
garden-runc                         1.16.1
go-offline-buildpack-lts            1.8.28
haproxy                             8.6.0
java-offline-buildpack-lts          4.16.1
loggregator                         101.16
mysql-backup                        2.8.0
mysql-monitoring                    8.20.0
nats                                24
nfs-volume                          1.2.6
nodejs-offline-buildpack-lts        1.6.32
notifications-ui                    33
notifications                       44
php-offline-buildpack-lts           4.3.61
pivotal-account                     1.9.1
push-apps-manager-release           664.0.22
push-usage-service-release          666.0.12
python-offline-buildpack-lts        1.6.21
routing                             0.174.7
ruby-offline-buildpack-lts          1.7.24
staticfile-offline-buildpack-lts    1.4.32
statsd-injector                     1.1.0
syslog-migration                    11.1.1
uaa                                 55.4

2.1.17

  • [Security Fix] Bump UAA for CVEs
  • [Feature Improvement] Remove deprecated Pivotal Account app
  • [Feature Improvement] Improve router pruning behavior when route integrity is enabled
  • [Bug Fix] Enforce that max_valid_packages_stored and max_staged_droplets_stored be >= 1
  • [Bug Fix] Fix issue where Autoscaler would not function properly when using AWS RDS
  • [Bug Fix] Do not produce duplicate schedules when updating a schedule in Apps Manager
  • Bump ubuntu-trusty stemcell to version 3541.57
  • Bump cf-autoscaling to version 118.8
  • Bump cflinuxfs2 to version 1.245.0
  • Bump pivotal-account to version 1.9.1
  • Bump push-apps-manager-release to version 664.0.21
  • Bump routing to version 0.174.7
  • Bump uaa to version 55.4
Component                           Version
ubuntu-trusty stemcell              3541.57
backup-and-restore-sdk              1.5.3
binary-offline-buildpack-lts        1.0.27
bosh-dns-aliases                    0.0.2
bosh-system-metrics-forwarder       0.0.15
capi                                1.49.13
cf-app-sd                           0.5.0
cf-autoscaling                      118.8
cf-backup-and-restore               0.0.10
cf-cli                              1.5.0
cf-mysql                            36.11.0
cf-networking                       1.10.4
cf-smoke-tests                      40.0.10
cf-syslog-drain                     5.3
cflinuxfs2                          1.245.0
consul                              195
credhub                             1.7.5
diego                               1.35.12
dotnet-core-offline-buildpack-lts   2.1.5
garden-runc                         1.16.1
go-offline-buildpack-lts            1.8.28
haproxy                             8.6.0
java-offline-buildpack-lts          4.16.1
loggregator                         101.16
mysql-backup                        2.8.0
mysql-monitoring                    8.20.0
nats                                24
nfs-volume                          1.2.3
nodejs-offline-buildpack-lts        1.6.32
notifications-ui                    33
notifications                       44
php-offline-buildpack-lts           4.3.61
pivotal-account                     1.9.1
push-apps-manager-release           664.0.21
push-usage-service-release          666.0.11
python-offline-buildpack-lts        1.6.21
routing                             0.174.7
ruby-offline-buildpack-lts          1.7.24
staticfile-offline-buildpack-lts    1.4.32
statsd-injector                     1.1.0
syslog-migration                    11.1.1
uaa                                 55.4

2.1.16

  • [Feature Improvement] Split up networking policy server database migrations to reduce the risk of a failure causing a partial migration
  • [Feature Improvement] Improve error messages logged by Cloud Controller when there are Azure blobstore failures
  • [Feature Improvement] clock_global now defaults to 2 instances to be highly available
  • [Feature Improvement] Allow disabling connection pooling for autoscaler API & escape special characters in external database passwords
  • [Bug Fix] Prevent potential memory leak when Cloud Controller’s space summary endpoint is called under certain usage conditions
  • [Bug Fix] Fix manual configuration of load balancers for SSH to application containers on Small Footprint PAS (SF-PAS)
  • Bump ubuntu-trusty stemcell to version 3541.52
  • Bump capi to version 1.49.13
  • Bump cf-autoscaling to version 118.6
  • Bump cf-networking to version 1.10.4
  • Bump cf-smoke-tests to version 40.0.10
  • Bump cflinuxfs2 to version 1.242.0
  • Bump diego to version 1.35.12
  • Bump go-offline-buildpack-lts to version 1.8.28
  • Bump java-offline-buildpack-lts to version 4.16
  • Bump ruby-offline-buildpack-lts to version 1.7.24
Component                           Version
ubuntu-trusty stemcell              3541.52
backup-and-restore-sdk              1.5.3
binary-offline-buildpack-lts        1.0.27
bosh-dns-aliases                    0.0.2
bosh-system-metrics-forwarder       0.0.15
capi                                1.49.13
cf-app-sd                           0.5.0
cf-autoscaling                      118.6
cf-backup-and-restore               0.0.10
cf-cli                              1.5.0
cf-mysql                            36.11.0
cf-networking                       1.10.4
cf-smoke-tests                      40.0.10
cf-syslog-drain                     5.3
cflinuxfs2                          1.242.0
consul                              195
credhub                             1.7.5
diego                               1.35.12
dotnet-core-offline-buildpack-lts   2.1.5
garden-runc                         1.16.1
go-offline-buildpack-lts            1.8.28
haproxy                             8.6.0
java-offline-buildpack-lts          4.16
loggregator                         101.16
mysql-backup                        2.8.0
mysql-monitoring                    8.20.0
nats                                24
nfs-volume                          1.2.3
nodejs-offline-buildpack-lts        1.6.32
notifications                       44
notifications-ui                    33
php-offline-buildpack-lts           4.3.61
pivotal-account                     1.8.8
push-apps-manager-release           664.0.20
push-usage-service-release          666.0.11
python-offline-buildpack-lts        1.6.21
routing                             0.174.6
ruby-offline-buildpack-lts          1.7.24
staticfile-offline-buildpack-lts    1.4.32
statsd-injector                     1.1.0
syslog-migration                    11.1.1
uaa                                 55.2

2.1.15

  • [Security Fix] Bump garden-runc to prevent malicious users from causing a denial of service for other apps
  • [Feature Improvement] Improve nfs blobstore pre-start performance
  • [Bug Fix] Space and org managers can now view app logs in Apps Manager
  • [Bug Fix] Fix unsafe logic in NFS unmount and drain code that may lead to deletion of files on remote NFS shares.
  • [Bug Fix] PAS 2.1.14 upgrade fails with Error: release 'cf-networking/1.10.2' has already been uploaded
  • [Bug Fix] Fix issue in loggregator where AZ names with special characters could cause metron agent job to fail
  • [Bug Fix] Fix issue where the PAS tile could be incorrectly downloaded when upgrading SF-PAS via PivNet

  • Bump binary-offline-buildpack-lts to version 1.0.27
  • Bump capi to version 1.49.11
  • Bump cf-cli to version 1.5.0
  • Bump cf-networking to version 1.10.3
  • Bump cf-smoke-tests to version 40.0.9
  • Bump cf-syslog-drain to version 5.3
  • Bump cflinuxfs2 to version 1.238.0
  • Bump dotnet-core-offline-buildpack-lts to version 2.1.5
  • Bump garden-runc to version 1.16.1
  • Bump go-offline-buildpack-lts to version 1.8.27
  • Bump java-offline-buildpack-lts to version 4.15.1
  • Bump loggregator to version 101.16
  • Bump mysql-backup to version 2.8.0
  • Bump nfs-volume to version 1.2.3
  • Bump nodejs-offline-buildpack-lts to version 1.6.32
  • Bump php-offline-buildpack-lts to version 4.3.61
  • Bump push-apps-manager-release to version 664.0.20
  • Bump python-offline-buildpack-lts to version 1.6.21
  • Bump ruby-offline-buildpack-lts to version 1.7.23
  • Bump staticfile-offline-buildpack-lts to version 1.4.32
  • Bump stemcell ubuntu-trusty to version 3541.49

Component                           Version
stemcell                            3541.49
backup-and-restore-sdk              1.5.3
binary-offline-buildpack            1.0.27
bosh-dns-aliases                    0.0.1
bosh-system-metrics-forwarder       0.0.11
capi                                1.49.11
cf-autoscaling                      118.5
cf-backup-and-restore               0.0.10
cf-cli                              1.5.0
cf-mysql                            36.11.0
cf-networking                       1.10.3
cf-smoke-tests                      40.0.9
cf-syslog-drain                     5.3
cflinuxfs2                          1.238.0
consul                              195
credhub                             1.7.5
diego                               1.35.10
dotnet-core-offline-buildpack       2.1.5
garden-runc                         1.16.1
go-offline-buildpack                1.8.27
haproxy                             8.6.0
java-offline-buildpack              4.15.1
loggregator                         101.16
mysql-backup                        2.8.0
mysql-monitoring                    8.20.0
nats                                24
nfs-volume                          1.2.3
nodejs-offline-buildpack            1.6.32
notifications                       44
notifications-ui                    33
php-offline-buildpack               4.3.61
pivotal-account                     1.8.8
push-apps-manager-release           664.0.20
push-usage-service-release          666.0.11
python-offline-buildpack            1.6.21
routing                             0.174.6
ruby-offline-buildpack              1.7.23
staticfile-offline-buildpack        1.4.32
statsd-injector                     1.1.0
syslog-migration                    11.1.1
uaa                                 55.2
* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

2.1.14

  • [Security Fix] Prevent app developers from registering an NFS service broker that issues service bindings with uid and gid specified when LDAP is enabled
  • [Feature Improvement] Enable capturing goroutine dumps from Diego components for troubleshooting
  • [Feature Improvement] Update BOSH DNS configuration to allow resolving BBS and Auctioneer servers on unhealthy VMs
  • [Feature Improvement] Operators can configure the maximum number of packages and droplets to store
  • [Feature Improvement] Operators can override connection timeout values for the cloud controller database to prevent downtime when MySQL proxy VMs are recreated
  • [Bug Fix] Fix issue where the SF-PAS tile could be incorrectly downloaded when upgrading PAS via PivNet
  • [Bug Fix] Improve performance to reduce chance of failed database migrations during upgrades of usage service
  • [Bug Fix] Fix issue in volume services that can cause application data loss when applications using the NFS volume service are scaled up or down
  • [Bug Fix] Fixes and improvements for Apps Manager

    • When creating a space as admin, make the admin a member of the corresponding organization
    • Improved the display of service plan costs when costs are not integers as expected
    • When deleting an app, wait for the associated job to complete before closing the modal
  • Bump diego to version 1.35.10
  • Bump push-apps-manager-release to version 664.0.19
  • Bump push-usage-service-release to version 666.0.11
  • Bump stemcell ubuntu-trusty to version 3541.48

Component                           Version
stemcell                            3541.48
backup-and-restore-sdk              1.5.3
binary-offline-buildpack            1.0.21
bosh-dns-aliases                    0.0.1
bosh-system-metrics-forwarder       0.0.11
capi                                1.49.10
cf-autoscaling                      118.5
cf-backup-and-restore               0.0.10
cf-mysql                            36.11.0
cf-networking                       1.10.2
cf-smoke-tests                      40.0.8
cf-syslog-drain                     5.1
cflinuxfs2                          1.235.0
consul                              195
credhub                             1.7.5
diego                               1.35.10
dotnet-core-offline-buildpack       2.1.3
garden-runc                         1.13.3
go-offline-buildpack                1.8.25
haproxy                             8.6.0
java-offline-buildpack              4.13.1
loggregator                         101.13
mysql-backup                        1.38.0
mysql-monitoring                    8.20.0
nats                                24
nfs-volume                          1.2.2
nodejs-offline-buildpack            1.6.28
notifications                       44
notifications-ui                    33
php-offline-buildpack               4.3.57
pivotal-account                     1.8.8
push-apps-manager-release           664.0.19
push-usage-service-release          666.0.11
python-offline-buildpack            1.6.18
routing                             0.174.6
ruby-offline-buildpack              1.7.21
staticfile-offline-buildpack        1.4.29
statsd-injector                     1.1.0
syslog-migration                    11.1.1
uaa                                 55.2
* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

2.1.13

  • [Security Fix] Bump usage service for CVE-2018-11086
  • [Security Fix] Bump apps manager for CVE-2018-11088
    • Fix security vulnerability: CVE-2018-11088
    • Fix crash on service page when bound app is deleted
    • Text changes to improve actuator integration with Steeltoe
    • Steeltoe heap dumps should have extension .dmp
    • Fix Spring endpoints not appearing in app actions dropdown for Spring 2.0 apps
    • Fix crash on space page, routes tab
    • Fix Spring “View Raw JSON” feature not appearing when git info not present on app
  • [Bug Fix] Prune router backends when they return a 502 and do not retry for 30 seconds
  • [Bug Fix] Prevent requests from timing out by setting Router Timeout to Backends per request instead of per connection

  • Bump bosh-system-metrics-forwarder to version 0.0.15
  • Bump cf-smoke-tests to version 40.0.8
  • Bump cflinuxfs2 to version 1.235.0
  • Bump push-apps-manager-release to version 664.0.18
  • Bump push-usage-service-release to version 666.0.10
  • Bump routing to version 0.174.6
  • Bump stemcell ubuntu-trusty to version 3541.46

Component                           Version
stemcell                            3541.46
backup-and-restore-sdk              1.5.3
binary-offline-buildpack            1.0.21
bosh-dns-aliases                    0.0.1
bosh-system-metrics-forwarder       0.0.11
capi                                1.49.10
cf-autoscaling                      118.5
cf-backup-and-restore               0.0.10
cf-mysql                            36.11.0
cf-networking                       1.10.2*
cf-smoke-tests                      40.0.8
cf-syslog-drain                     5.1
cflinuxfs2                          1.235.0
consul                              195
credhub                             1.7.5
diego                               1.35.8
dotnet-core-offline-buildpack       2.1.3
garden-runc                         1.13.3
go-offline-buildpack                1.8.25
haproxy                             8.6.0
java-offline-buildpack              4.13.1
loggregator                         101.13
mysql-backup                        1.38.0
mysql-monitoring                    8.20.0
nats                                24
nfs-volume                          1.2.2
nodejs-offline-buildpack            1.6.28
notifications                       44
notifications-ui                    33
php-offline-buildpack               4.3.57
pivotal-account                     1.8.8
push-apps-manager-release           664.0.18
push-usage-service-release          666.0.10
python-offline-buildpack            1.6.18
routing                             0.174.6
ruby-offline-buildpack              1.7.21
staticfile-offline-buildpack        1.4.29
statsd-injector                     1.1.0
syslog-migration                    11.1.1
uaa                                 55.2
* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

2.1.12

  • [Bug Fix] Fix autoscaler and smoke test failures when using database with timezone setting other than UTC

  • Bump cf-autoscaling to version 118.5
  • Bump cflinuxfs2 to version 1.231.0
  • Bump stemcell ubuntu-trusty to version 3541.44

Component                           Version
stemcell                            3541.44
backup-and-restore-sdk              1.5.3
binary-offline-buildpack            1.0.21
bosh-dns-aliases                    0.0.1
bosh-system-metrics-forwarder       0.0.11
capi                                1.49.10
cf-autoscaling                      118.5
cf-backup-and-restore               0.0.10
cf-mysql                            36.11.0
cf-networking                       1.10.2*
cf-smoke-tests                      40.0.6
cf-syslog-drain                     5.1
cflinuxfs2                          1.231.0
consul                              195
credhub                             1.7.5
diego                               1.35.8
dotnet-core-offline-buildpack       2.1.3
garden-runc                         1.13.3
go-offline-buildpack                1.8.25
haproxy                             8.6.0
java-offline-buildpack              4.13.1
loggregator                         101.13
mysql-backup                        1.38.0
mysql-monitoring                    8.20.0
nats                                24
nfs-volume                          1.2.2
nodejs-offline-buildpack            1.6.28
notifications                       44
notifications-ui                    33
php-offline-buildpack               4.3.57
pivotal-account                     1.8.8
push-apps-manager-release           664.0.15
push-usage-service-release          666.0.1
python-offline-buildpack            1.6.18
routing                             0.174.3
ruby-offline-buildpack              1.7.21
staticfile-offline-buildpack        1.4.29
statsd-injector                     1.1.0
syslog-migration                    11.1.1
uaa                                 55.2
* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

2.1.11

  • [Feature Improvement] Improve performance for nfs-experimental readonly mounts and those that don’t set the uid and gid parameters
  • [Bug Fix] Apps manager: When the autoscaler service fails to toggle, show an error flash message
  • [Bug Fix] Apps manager: A space developer can map a route without providing a hostname
  • [Bug Fix] Apps manager: Fix crash on app page overview tab when spring health endpoint returns an array of objects instead of an array of strings

  • Bump cf-smoke-tests to version 40.0.6
  • Bump cflinuxfs2 to version 1.228.0
  • Bump nfs-volume to version 1.2.2
  • Bump push-apps-manager-release to version 664.0.15
  • Bump routing to version 0.174.3
  • Bump stemcell to version 3541.37

Component                           Version
stemcell                            3541.37
backup-and-restore-sdk              1.5.3
binary-offline-buildpack            1.0.21
bosh-dns-aliases                    0.0.1
bosh-system-metrics-forwarder       0.0.11
capi                                1.49.10
cf-autoscaling                      118.4
cf-backup-and-restore               0.0.10
cf-mysql                            36.11.0
cf-networking                       1.10.2*
cf-smoke-tests                      40.0.6
cf-syslog-drain                     5.1
cflinuxfs2                          1.228.0
consul                              195
credhub                             1.7.5
diego                               1.35.8
dotnet-core-offline-buildpack       2.1.3
garden-runc                         1.13.3
go-offline-buildpack                1.8.25
haproxy                             8.6.0
java-offline-buildpack              4.13.1
loggregator                         101.13
mysql-backup                        1.38.0
mysql-monitoring                    8.20.0
nats                                24
nfs-volume                          1.2.2
nodejs-offline-buildpack            1.6.28
notifications                       44
notifications-ui                    33
php-offline-buildpack               4.3.57
pivotal-account                     1.8.8
push-apps-manager-release           664.0.15
push-usage-service-release          666.0.1
python-offline-buildpack            1.6.18
routing                             0.174.3
ruby-offline-buildpack              1.7.21
staticfile-offline-buildpack        1.4.29
statsd-injector                     1.1.0
syslog-migration                    11.1.1
uaa                                 55.2
* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

2.1.10

  • [Security Fix] Bump pivotal account to 1.8.8
  • [Feature Improvement] Loggregator agent egresses preferred tags instead of DeprecatedTags in loggregator envelopes. This fixes a high CPU issue in Doppler cluster.
  • [Feature Improvement] Fix issue where fileserver assets were not correctly invalidated in Diego cell caches after an upgrade
  • [Feature Improvement] capi /v2/info endpoint returns additional metadata for name, build and description
  • [Feature Improvement] Add the healthwatch_api_admin UAA client to allow access to the Healthwatch API
  • [Feature Improvement] Retry blobstore uploads when GCS returns transmission error
  • [Feature Improvement] Allow operators to configure application health check timeout in PAS
  • [Feature Improvement] Move encryption key field to the top of the Credhub page
  • [Bug Fix] Fix TLS pruning behavior for Gorouter
  • [Bug Fix] Apps using a Docker image from an insecure registry configured in the Private Docker Insecure Registry Whitelist can now be staged successfully.
  • [Bug Fix] Fix option “HAProxy requests but does not require client certificates.”
  • [Bug Fix] Fix intermittent errand failure in pivotal account
  • [Bug Fix] Bump Cloud Controller to no longer return a “503: Stats Server Unavailable error” when container metrics are not available.
  • [Bug Fix] Bump apps manager with changes
    • When creating new services, no longer show org-scoped services from other organizations
    • On the App page Overview tab, autoscaling state is now properly reflected
    • Fix manage autoscale link
  • [Bug Fix] Docker image based app resource reporting correctly includes image size in disk usage
  • [Bug Fix] Set cloud controller staging timeout value on all cloud controller jobs to allow large apps to stage before the timeout.

  • Bump capi to version 1.49.10
  • Bump diego to version 1.35.8
  • Bump java-offline-buildpack to version 4.13.1
  • Bump loggregator to version 101.13
  • Bump mysql-monitoring to version 8.20.0
  • Bump pivotal-account to version 1.8.8
  • Bump push-apps-manager-release to version 664.0.14
  • Bump routing to version 0.174.2
  • Bump stemcell to version 3541.36

Component                           Version
stemcell                            3541.36
backup-and-restore-sdk              1.5.3
binary-offline-buildpack            1.0.21
bosh-dns-aliases                    0.0.1
bosh-system-metrics-forwarder       0.0.11
capi                                1.49.10
cf-autoscaling                      118.4
cf-backup-and-restore               0.0.10
cf-mysql                            36.11.0
cf-networking                       1.10.2*
cf-smoke-tests                      40.0.5
cf-syslog-drain                     5.1
cflinuxfs2                          1.227.0
consul                              195
credhub                             1.7.5
diego                               1.35.8
dotnet-core-offline-buildpack       2.1.3
garden-runc                         1.13.3
go-offline-buildpack                1.8.25
haproxy                             8.6.0
java-offline-buildpack              4.13.1
loggregator                         101.13
mysql-backup                        1.38.0
mysql-monitoring                    8.20.0
nats                                24
nfs-volume                          1.2.1
nodejs-offline-buildpack            1.6.28
notifications                       44
notifications-ui                    33
php-offline-buildpack               4.3.57
pivotal-account                     1.8.8
push-apps-manager-release           664.0.14
push-usage-service-release          666.0.1
python-offline-buildpack            1.6.18
routing                             0.174.2
ruby-offline-buildpack              1.7.21
staticfile-offline-buildpack        1.4.29
statsd-injector                     1.1.0
syslog-migration                    11.1.1
uaa                                 55.2
* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

2.1.9

  • [Feature Improvement] Add ability to configure HAproxy client certificate verification
  • [Security Fix] Bump UAA for CVE-2018-11047 (https://www.cloudfoundry.org/blog/cve-2018-11047/)

  • Bump cflinuxfs2 version 1.227.0
  • Bump java-offline-buildpack version 4.13
  • Bump uaa version 55.2

Component                           Version
stemcell                            3541.34
backup-and-restore-sdk              1.5.3
binary-offline-buildpack            1.0.21
bosh-dns-aliases                    0.0.1
bosh-system-metrics-forwarder       0.0.11
capi                                1.49.6*
cf-autoscaling                      118.4
cf-backup-and-restore               0.0.10
cf-mysql                            36.11.0
cf-networking                       1.10.2*
cf-smoke-tests                      40.0.5
cf-syslog-drain                     5.1
cflinuxfs2                          1.227.0
consul                              195
credhub                             1.7.5
diego                               1.35.6
dotnet-core-offline-buildpack       2.1.3
garden-runc                         1.13.3
go-offline-buildpack                1.8.25
haproxy                             8.6.0
java-offline-buildpack              4.13
loggregator                         101.11*
mysql-backup                        1.38.0
mysql-monitoring                    8.18.0
nats                                24
nfs-volume                          1.2.1
nodejs-offline-buildpack            1.6.28
notifications                       44
notifications-ui                    33
php-offline-buildpack               4.3.57
pivotal-account                     1.8.5
push-apps-manager-release           664.0.12
push-usage-service-release          666.0.1
python-offline-buildpack            1.6.18
routing                             0.174.1
ruby-offline-buildpack              1.7.21
staticfile-offline-buildpack        1.4.29
statsd-injector                     1.1.0
syslog-migration                    11.1.1
uaa                                 55.2
* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

2.1.8

  • [Feature Improvement] Allows PCF Metrics to be installed with both v1.5 and v1.4 versions to prevent data loss.
  • [Bug Fix] Bump cf-smoke-tests-release to 40.0.5 to fix some flakiness
  • [Security Fix] Bump UAA for CVE-2018-11041
  • [Security Fix] Bump apps manager for CVE-2018-11044
    • Org Managers and Admins can leave organizations
  • [Bug Fix] Bump consul to v195
    • Includes golang 1.9.7, removes golang 1.8.*.
    • Deploying v193 could fail on some deployments due to a conflict with other tiles that compiled the release differently
    • Fixes intermittent consul DNS issues on Windows Cells
  • [Bug Fix] Increase fs.inotify limits to prevent app crashes at high container density on cells with the rep proxy enabled.

  • Bump binary-offline-buildpack to version 1.0.21
  • Bump cf-smoke-tests to version 40.0.5
  • Bump cflinuxfs2 to version 1.223.0
  • Bump consul to version 195
  • Bump diego to version 1.35.6
  • Bump dotnet-core-offline-buildpack to version 2.1.3
  • Bump go-offline-buildpack to version 1.8.25
  • Bump nodejs-offline-buildpack to version 1.6.28
  • Bump php-offline-buildpack to version 4.3.57
  • Bump push-apps-manager-release to version 664.0.12
  • Bump python-offline-buildpack to version 1.6.18
  • Bump ruby-offline-buildpack to version 1.7.21
  • Bump staticfile-offline-buildpack to version 1.4.29
  • Bump uaa to version 55.1
  • Bump stemcell to version 3541.34

Component                           Version
stemcell                            3541.34
backup-and-restore-sdk              1.5.3
binary-offline-buildpack            1.0.21
bosh-dns-aliases                    0.0.1
bosh-system-metrics-forwarder       0.0.11
capi                                1.49.6*
cf-autoscaling                      118.4
cf-backup-and-restore               0.0.10
cf-mysql                            36.11.0
cf-networking                       1.10.2*
cf-smoke-tests                      40.0.5
cf-syslog-drain                     5.1
cflinuxfs2                          1.223.0
consul                              195
credhub                             1.7.5
diego                               1.35.6
dotnet-core-offline-buildpack       2.1.3
garden-runc                         1.13.3
go-offline-buildpack                1.8.25
haproxy                             8.6.0
java-offline-buildpack              4.12.1
loggregator                         101.11*
mysql-backup                        1.38.0
mysql-monitoring                    8.18.0
nats                                24
nfs-volume                          1.2.1
nodejs-offline-buildpack            1.6.28
notifications                       44
notifications-ui                    33
php-offline-buildpack               4.3.57
pivotal-account                     1.8.5
push-apps-manager-release           664.0.12
push-usage-service-release          666.0.1
python-offline-buildpack            1.6.18
routing                             0.174.1
ruby-offline-buildpack              1.7.21
staticfile-offline-buildpack        1.4.29
statsd-injector                     1.1.0
syslog-migration                    11.1.1
uaa                                 55.1
* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

2.1.7

  • [Security Fix] Bump diego to version 1.35.5
  • [Security Fix] Bump pivotal-account to version 1.8.5
  • [Bug Fix] Bump nfs-volume-release to version 1.2.1
    • Fix incompatibility with new garden-runc release when using read-only NFS volume mounts
  • [Bug Fix] Bump garden to version 1.13.3
    • Fix issue with deleted files in application containers created from docker images
  • [Feature Improvement] Bump credhub to version 1.7.5
    • Increases the max length of cert subject alternate names (SANs) from 64 to 253
  • [Feature Improvement] Bump notifications-ui to version 33
    • Add cookie setting to notifications-ui for GDPR compliance
  • [Feature Improvement] CF Networking database connection timeouts are now configurable
  • [Feature Improvement] Max connections for the Internal MySQL Database are now configurable
  • Bump cflinuxfs2 to version 1.219.0
  • Bump consul to version 193 to use go 1.9
  • Bump dotnet-core-offline-buildpack to version 2.0.7
  • Bump go-offline-buildpack to version 1.8.23
  • Bump java-offline-buildpack to version 4.12.1
  • Bump nodejs-offline-buildpack to version 1.6.25
  • Bump php-offline-buildpack to version 4.3.56
  • Bump python-offline-buildpack to version 1.6.17
  • Bump ruby-offline-buildpack to version 1.7.19
  • Bump staticfile-offline-buildpack to version 1.4.28
  • Bump stemcell to version 3541.30

Component                           Version
stemcell                            3541.30
backup-and-restore-sdk              1.5.3
binary-offline-buildpack            1.0.18
bosh-dns-aliases                    0.0.1
bosh-system-metrics-forwarder       0.0.11
capi                                1.49.6*
cf-autoscaling                      118.4
cf-backup-and-restore               0.0.10
cf-mysql                            36.11.0
cf-networking                       1.10.2*
cf-smoke-tests                      39
cf-syslog-drain                     5.1
cflinuxfs2                          1.219.0
consul                              193
credhub                             1.7.5
diego                               1.35.5
dotnet-core-offline-buildpack       2.0.7
garden-runc                         1.13.3
go-offline-buildpack                1.8.23
haproxy                             8.6.0
java-offline-buildpack              4.12.1
loggregator                         101.11*
mysql-backup                        1.38.0
mysql-monitoring                    8.18.0
nats                                24
nfs-volume                          1.2.1
nodejs-offline-buildpack            1.6.25
notifications                       44
notifications-ui                    33
php-offline-buildpack               4.3.56
pivotal-account                     1.8.5
push-apps-manager-release           664.0.11
push-usage-service-release          666.0.1
python-offline-buildpack            1.6.17
routing                             0.174.1
ruby-offline-buildpack              1.7.19
staticfile-offline-buildpack        1.4.28
statsd-injector                     1.1.0
syslog-migration                    11.1.1
uaa                                 55
* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

2.1.6

  • Update grootfs checkbox to indicate that recreating VMs is recommended
  • [Security Fix] Bump cflinuxfs2 to version 1.210.0:
  • [Security Fix] Bump loggregator to version 101.11
    • Add strict application ID validation to TrafficController (CVE-2018-1268 CVE-2018-1269)
    • Stricter appID validation in TrafficController
    • Change RLP health endpoint to default to random port.
    • Metron health endpoint only listens on localhost
    • Bump go to 1.9.4
    • Fix doppler emitting multiple ingress metrics.
  • Bump capi to version 1.49.6
    • Updated azure fog gems to improve reliability when using an azure blobstore
  • Bump cf-networking to version 1.10.2
  • Bump nats to version 24
    • Bump go to 1.10.1
  • Bump push-apps-manager-release to version 664.0.11
    • When mapping existing routes, show the path
    • Fixed transitioning from json editor to key value pair when given an empty string
    • Usage report page takes into account renamed spaces
    • Only show jobs for the app on the app page task tab
    • When detecting whether a service instance for the Scheduler service exists, take the current space into account
    • Fix bug that causes app to crash on app page settings tab
  • Bump java-offline-buildpack to version 4.12

Component                           Version
Stemcell                            3541.25
backup-and-restore-sdk              1.5.3
binary-offline-buildpack            1.0.18
bosh-dns-aliases                    0.0.1
bosh-system-metrics-forwarder       0.0.11
capi                                1.49.6*
cf-autoscaling                      118.4
cf-backup-and-restore               0.0.10
cf-mysql                            36.11.0
cf-networking                       1.10.2*
cf-smoke-tests                      39
cf-syslog-drain                     5.1
cflinuxfs2                          1.210.0
consul                              191
credhub                             1.7.3
diego                               1.35.4
dotnet-core-offline-buildpack       2.0.6
garden-runc                         1.13.1
go-offline-buildpack                1.8.21
haproxy                             8.6.0
java-offline-buildpack              4.12.0
loggregator                         101.11*
mysql-backup                        1.38.0
mysql-monitoring                    8.18.0
nats                                24
nfs-volume                          1.2.0
nodejs-offline-buildpack            1.6.23
notifications                       44
notifications-ui                    31
php-offline-buildpack               4.3.54
pivotal-account                     1.8.3
push-apps-manager-release           664.0.11
push-usage-service-release          666.0.1
python-offline-buildpack            1.6.15
routing                             0.174.1
ruby-offline-buildpack              1.7.18
staticfile-offline-buildpack        1.4.27
statsd-injector                     1.1.0
syslog-migration                    11.1.1
uaa                                 55
* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

2.1.5

  • [Security Fix] Bump stemcell to v3541.25:
  • [Security Fix] Bump cflinuxfs2-release to v1.201.0:
  • [Feature Improvement] Bump routing-release to v0.174.1 to enable operator to disable logging of client IPs, in compliance with the EU General Data Protection Regulation (GDPR).
  • [Feature Improvement] Bump apps-manager-release to v664.0.10:
    • When binding a service instance, notify the user to restage their app from the CLI.
    • When logged-in user can see no apps, show “No results” instead of “Loading…” in the app search.
  • [Feature Improvement] Bump autoscaling-release to v118.4 to add ability to view Autoscaler logs in app logs when LOG_VERBOSE is true.
  • Increase UAA session cookie max age to 8 hours.
  • Bump mysql-monitoring-release to v8.18.0.
  • Bumps the following buildpacks:
    • Nodejs-offline-buildpack to v1.6.23.
    • Php-offline-buildpack to v4.3.54.
    • Python-offline-buildpack to v1.6.15.
    • Ruby-offline-buildpack to v1.7.18.

Component                           Version
Stemcell                            3541.25
backup-and-restore-sdk              1.5.3
binary-offline-buildpack            1.0.18
bosh-dns-aliases                    0.0.1
bosh-system-metrics-forwarder       0.0.11
capi                                1.49.5*
cf-autoscaling                      118.4
cf-backup-and-restore               0.0.10
cf-mysql                            36.11.0
cf-networking                       1.10.1*
cf-smoke-tests                      39
cf-syslog-drain                     5.1
cflinuxfs2                          1.201.0
consul                              191
credhub                             1.7.3
diego                               1.35.4
dotnet-core-offline-buildpack       2.0.6
garden-runc                         1.13.1
go-offline-buildpack                1.8.21
haproxy                             8.6.0
java-offline-buildpack              4.10.0
loggregator                         101.5*
mysql-backup                        1.38.0
mysql-monitoring                    8.18.0
nats                                22
nfs-volume                          1.2.0
nodejs-offline-buildpack            1.6.23
notifications                       44
notifications-ui                    31
php-offline-buildpack               4.3.54
pivotal-account                     1.8.3
push-apps-manager-release           664.0.10
push-usage-service-release          666.0.1
python-offline-buildpack            1.6.15
routing                             0.174.1
ruby-offline-buildpack              1.7.18
staticfile-offline-buildpack        1.4.27
statsd-injector                     1.1.0
syslog-migration                    11.1.1
uaa                                 55
* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

2.1.4

  • [Security Fix] Bumps garden-release to v1.13.1 for CVE-2018-1277.
  • [Bug Fix] Resolves an issue where BBR could not support any individual blob that was greater than 5GB in size when configuring external S3 versioned blobstores.
  • [Bug Fix] Bumps backup-and-restore-sdk to v1.5.3 to ensure that external blob stores with custom CA certs can be backed up and restored.
  • [Bug Fix] Bumps credhub-release to v1.7.3 to resolve an issue where the CredHub job could not be backed up with BBR when colocated with backup-and-restore-sdk-release’s database-backup-restorer job from v1.5.3.
  • [Bug Fix] Bumps autoscaling-release to v118.3 to use CF CLI v6.36.1.
  • [Bug Fix] Bumps capi-release to v1.49.5 to prevent duplicate app usage events.
  • [Bug Fix] Updated console agent node_name to include BOSH id, to prevent two Diego cell instance groups with the same instance group name and index in different deployments from colliding.
  • [Feature Improvement] Bumps diego-release to v1.35.4 to add cell and instance identifiers in the container lifecycle logs.
  • [Feature Improvement] Bumps apps-manager-release to v664.0.9:
    • Introduce custom memory limit setting for Apps Manager and invitation apps.
    • Show full page error when critical env vars are not set.
    • App last push time now reflects time of most recent ready package.
    • Introduce flag to hide app search bar.
    • App search bar queries apps only when focused.
    • Tell user to re-stage app after binding a service.
    • Fix invite member email input.
  • Bumps the following buildpacks:
    • Binary-offline-buildpack to v1.0.18.
    • Dotnet-core-offline-buildpack to v2.0.6.
    • Go-offline-buildpack to v1.8.21.
    • Java-offline-buildpack to v4.10.0.
    • Nodejs-offline-buildpack to v1.6.22.
    • Php-offline-buildpack to v4.3.53.
    • Python-offline-buildpack to v1.6.14.
    • Ruby-offline-buildpack to v1.7.16.
    • Staticfile-offline-buildpack to v1.4.27.

Component Version
Stemcell 3541.12
backup-and-restore-sdk 1.5.3
binary-offline-buildpack 1.0.18
bosh-dns-aliases 0.0.1
bosh-system-metrics-forwarder 0.0.11
capi 1.49.5*
cf-autoscaling 118.3
cf-backup-and-restore 0.0.10
cf-mysql 36.11.0
cf-networking 1.10.1*
cf-smoke-tests 39
cf-syslog-drain 5.1
cflinuxfs2 1.196.0
consul 191
credhub 1.7.3
diego 1.35.4
dotnet-core-offline-buildpack 2.0.6
garden-runc 1.13.1
go-offline-buildpack 1.8.21
haproxy 8.6.0
java-offline-buildpack 4.10.0
loggregator 101.5*
mysql-backup 1.38.0
mysql-monitoring 8.16.0
nats 22
nfs-volume 1.2.0
nodejs-offline-buildpack 1.6.22
notifications 44
notifications-ui 31
php-offline-buildpack 4.3.53
pivotal-account 1.8.3
push-apps-manager-release 664.0.9
push-usage-service-release 666.0.1
python-offline-buildpack 1.6.14
routing 0.174.0
ruby-offline-buildpack 1.7.16
staticfile-offline-buildpack 1.4.27
statsd-injector 1.1.0
syslog-migration 11.1.1
uaa 55
* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

2.1.3

  • [Security Fix] Bumps cflinuxfs2 to v1.196.0:
  • [Security Fix] Bumps stemcell to v3541.12:
  • [Bug Fix] Bumps push-apps-manager-release to v664.0.5:
    • Updates the CF CLI.
    • Increases memory per instance from 64 MB to 128 MB.
  • [Bug Fix] Bumps syslog-migration-release to v11.1.1:
    • Prevents logs from blackbox from being written to the default syslog log files, so that the logs are not written to disk 3 additional times.
    • Fixes RFC 5424 compatibility by ensuring that only 1 space occurs between the message and the structured data.
  • [Bug Fix] Fixes a bug that caused the Cloud Controller sync job to fail when pushing an app with TCP routing enabled. When the sync job fails, Diego cannot tell whether its desired state is consistent with Cloud Controller.
  • [Feature Improvement] Bumps capi-release to v1.49.4 to improve database connection validation.
  • [Feature Improvement] Bumps diego-release to v1.35.3 to remove file limits for Envoy.

Component Version
Stemcell 3541.12
backup-and-restore-sdk 1.4.2
binary-offline-buildpack 1.0.15
bosh-dns-aliases 0.0.1
bosh-system-metrics-forwarder 0.0.11
capi 1.49.4*
cf-autoscaling 118.2
cf-backup-and-restore 0.0.10
cf-mysql 36.11.0
cf-networking 1.10.1*
cf-smoke-tests 39
cf-syslog-drain 5.1
cflinuxfs2 1.196.0
consul 191
credhub 1.7.1
diego 1.35.3
dotnet-core-offline-buildpack 2.0.1
garden-runc 1.11.1
go-offline-buildpack 1.8.16
haproxy 8.6.0
java-offline-buildpack 4.8
loggregator 101.5*
mysql-backup 1.38.0
mysql-monitoring 8.16.0
nats 22
nfs-volume 1.2.0
nodejs-offline-buildpack 1.6.15
notifications 44
notifications-ui 31
php-offline-buildpack 4.3.48
pivotal-account 1.8.3
push-apps-manager-release 664.0.5
push-usage-service-release 666.0.1
python-offline-buildpack 1.6.7
routing 0.174.0
ruby-offline-buildpack 1.7.11
staticfile-offline-buildpack 1.4.21
statsd-injector 1.1.0
syslog-migration 11.1.1
uaa 55
* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

2.1.2

  • [Bug Fix] Bumps capi-release to v1.49.3 to prevent app upload from failing when the app has broken symlinks.
  • [Bug Fix] Bumps apps-manager-release to v664.0.4 to fix endpoint headers.
  • [Bug Fix] Updates Small Footprint PAS to add uaa tag to UAA route registrar so router metrics can be filtered for the UAA component.

Component Version
Stemcell 3541.9
backup-and-restore-sdk 1.4.2
binary-offline-buildpack 1.0.15
bosh-dns-aliases 0.0.1
bosh-system-metrics-forwarder 0.0.11
capi 1.49.3*
cf-autoscaling 118.2
cf-backup-and-restore 0.0.10
cf-mysql 36.11.0
cf-networking 1.10.1*
cf-smoke-tests 39
cf-syslog-drain 5.1
cflinuxfs2 1.188.0
consul 191
credhub 1.7.1
diego 1.35.0
dotnet-core-offline-buildpack 2.0.1
garden-runc 1.11.1
go-offline-buildpack 1.8.16
haproxy 8.6.0
java-offline-buildpack 4.8
loggregator 101.5*
mysql-backup 1.38.0
mysql-monitoring 8.16.0
nats 22
nfs-volume 1.2.0
nodejs-offline-buildpack 1.6.15
notifications 44
notifications-ui 31
php-offline-buildpack 4.3.48
pivotal-account 1.8.3
push-apps-manager-release 664.0.4
push-usage-service-release 666.0.1
python-offline-buildpack 1.6.7
routing 0.174.0
ruby-offline-buildpack 1.7.11
staticfile-offline-buildpack 1.4.21
statsd-injector 1.1.0
syslog-migration 11.1.0
uaa 55
* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

2.1.1

  • [Maintenance] Bumps stemcell to version 3451.9.
  • [Bug Fix] Bumps cf-networking-release to version 1.10.1:
    • Fixes issue where deploy would fail when configured to use the NSX-T CNI plugin.
  • [Bug Fix] Bumps routing-release to version 0.174.0:
    • Router gracefully falls back to non-TLS-enabled backends when encountering a retriable error with a TLS-enabled backend.
  • [Bug Fix] Bumps apps-manager-release to v664.0.3:
    • Fixes a bug when running a task that forced users to change the memory and disk before the task could be run.
    • Fixes a bug that caused Apps Manager to send invalid parameters to services instances when binding to apps.
    • Introduces React error boundaries on app tabs to prevent full-page crashes.
    • Fixes a bug that prevented Apps Manager from showing traces for Spring Boot apps using Spring Boot 2.0+.
    • Fixes a bug that caused a full page crash when deleting an org.
    • [IE] Fixes visual bugs in the marketplace search and in the org usage report header.
    • [IE] Fixes alignment of the app search bar in the header.
    • Checks if the user has permission to view autoscale bindings before making the request, which prevents the app page from having an error when refreshing.
    • Fixes a bug that prevented mid-level fetch tasks from being cleared when switching routes and on the 30 second refresh.
    • Fixes a bug that caused marketplace service plans to show “No price available”.
    • Fixes a bug preventing the binding of UPS instances to apps.
    • Fixes a bug preventing the submission of UPS instance updates when changing only URLs and not credential parameters.
    • Reintroduces cache busting for js/css files.
    • Fixes a bug that would cause apps manager to fail to load when environment variables contained newlines.
  • [Bug Fix] Bumps autoscaling-release to v118.2:
    • Fixes issue where brief periods of cloud controller downtime could cause autoscaler to become disabled.
  • [Security Fix] Bumps mysql-release to v36.11.0:
    • Allows rotation of passwords for pre-seeded users.
    • Updates MariaDB to 10.1.30 and other dependencies for security fixes.
  • [Feature Improvement] Bumps mysql-monitoring-release to v8.16.0:
    • Improvements for CPU utilization monitoring, query reporting and mysql-diag.
    • Full release notes
  • [Feature Improvement] Adds UAA client for the Noisy Neighbor Nozzle.
  • [Security Fix] Bumps capi-release to v1.49.2:
    • CVE-2018-1266: Fix random number guessing exploit.
    • Internal routes for apps are no longer automatically generated.
  • [Bug Fix] Updates identity client to fix issue where it would be unable to send invitation emails.
  • [Feature Improvement] Adds uaa tag to UAA route registrar so router metrics can be filtered for the UAA component.
    • Note: This improvement was made to PAS only. The same change will be made to SF-PAS in the next patch release.

Component Version
Stemcell 3541.9
backup-and-restore-sdk 1.4.2
binary-offline-buildpack 1.0.15
bosh-dns-aliases 0.0.1
bosh-system-metrics-forwarder 0.0.11
capi 1.49.2*
cf-autoscaling 118.2
cf-backup-and-restore 0.0.10
cf-mysql 36.11.0
cf-networking 1.10.1*
cf-smoke-tests 39
cf-syslog-drain 5.1
cflinuxfs2 1.188.0
consul 191
credhub 1.7.1
diego 1.35.0
dotnet-core-offline-buildpack 2.0.1
garden-runc 1.11.1
go-offline-buildpack 1.8.16
haproxy 8.6.0
java-offline-buildpack 4.8
loggregator 101.5*
mysql-backup 1.38.0
mysql-monitoring 8.16.0
nats 22
nfs-volume 1.2.0
nodejs-offline-buildpack 1.6.15
notifications 44
notifications-ui 31
php-offline-buildpack 4.3.48
pivotal-account 1.8.3
push-apps-manager-release 664.0.3
push-usage-service-release 666.0.1
python-offline-buildpack 1.6.7
routing 0.174.0
ruby-offline-buildpack 1.7.11
staticfile-offline-buildpack 1.4.21
statsd-injector 1.1.0
syslog-migration 11.1.0
uaa 55
* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

2.1.0

Component Version
Stemcell 3541.8
backup-and-restore-sdk 1.4.2
binary-offline-buildpack 1.0.15
bosh-dns-aliases 0.0.1
bosh-system-metrics-forwarder 0.0.11
capi 1.49.0*
cf-autoscaling 118
cf-backup-and-restore 0.0.10
cf-mysql 36.10.0
cf-networking 1.10.0
cf-smoke-tests 39
cf-syslog-drain 5.1
cflinuxfs2 1.188.0
consul 191
credhub 1.7.1
diego 1.35.0
dotnet-core-offline-buildpack 2.0.1
garden-runc 1.11.1
go-offline-buildpack 1.8.16
haproxy 8.6.0
java-offline-buildpack 4.8
loggregator 101.5*
mysql-backup 1.38.0
mysql-monitoring 8.15.0
nats 22
nfs-volume 1.2.0
nodejs-offline-buildpack 1.6.15
notifications 44
notifications-ui 31
php-offline-buildpack 4.3.48
pivotal-account 1.8.3
push-apps-manager-release 664.0.0
push-usage-service-release 666.0.1
python-offline-buildpack 1.6.7
routing 0.172.0
ruby-offline-buildpack 1.7.11
staticfile-offline-buildpack 1.4.21
statsd-injector 1.1.0
syslog-migration 11.1.0
uaa 55
* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

How to Upgrade

The procedure for upgrading to Pivotal Application Service (PAS) v2.1 is documented in the Upgrading Pivotal Cloud Foundry topic.

When upgrading to v2.1, be aware of the following upgrade considerations:

  • If you previously used an earlier version of PAS, you must first upgrade to PAS v2.0 to successfully upgrade to PAS v2.1.

  • Some partner service tiles may be incompatible with PCF v2.1. Pivotal is working with partners to ensure their tiles are updated to work with the latest versions of PCF.

    For information about which partner service releases are currently compatible with PCF v2.1, review the appropriate partners services release documentation at https://docs.pivotal.io, or contact the partner organization that produces the tile.

New Features in PAS v2.1

Support for S3 Server-Side Encryption with AWS KMS

Operators can now configure PAS to use server-side encryption with AWS Key Management Service (KMS) for S3 blobstores. This is an optional configuration in the File Storage configuration pane in PAS. For more information, see Deploying PAS on AWS.

BBR Backs Up External S3 Versioned Blobstores

BBR can back up external blobstores that are S3-compatible and have versioning enabled. The backup artifact is a list of version IDs, rather than a copy of the blobs, so replication of the blobstore is recommended.

BBR Supports External Databases

PAS backups can be stored using external MySQL databases. Previously, backups had to be stored using the internal MySQL databases. Now, you can host PAS backups with an external MySQL service. For a complete list of supported databases, see Supported External Databases in the Configuring Cloud Foundry for BOSH Backup and Restore (Experimental) topic. For more information on backing up backend PCF components with BBR, see the Backing Up Pivotal Cloud Foundry with BBR topic.

Cloud Controller Blobstore on GCS Supports Service Accounts

PAS v2.1 supports the use of service accounts with GCS for Cloud Controller blob storage and backup. For more information, see Fog with Google Cloud Storage with a Service Account.

Increased Resiliency, Consistency, and Security for HTTP Routing

You can now configure the Gorouter to use TLS for verifying app identity and communicating with app containers. This improves resiliency and consistency for app routes as well as increases security by encrypting data in flight from the Gorouter to back ends.

TLS routing requires an additional 32 MB of RAM capacity on your Diego cells per app instance, as well as additional CPU capacity. Pivotal recommends you adjust your RAM and CPU capacity before upgrading PCF if you want to enable TLS routing to back ends. Check the total amount of Diego cell memory available to allocate in your environment, and if it is less than 32 MB times the number of running app instances, scale out your Diego cells.

You may see an increase of memory and CPU usage for your Gorouters after enabling TLS routing. Check the total amount of memory and CPU usage of the Gorouters in your environment, and if they are close to the size limit, consider scaling out your Gorouters before enabling TLS routing.

For information about enabling this feature, see the PAS installation topic for your IaaS.

For information about TLS support and Gorouter route consistency modes, see TLS to Apps and Other Back End Services and Preventing Misrouting in the HTTP Routing topic.

Gorouter Keepalive Connections to Back Ends Enabled by Default

In PAS v2.1, the Router Max Idle Keepalive Connections field in the Networking pane of the PAS tile has been replaced by the Enable Keepalive Connections for Router checkbox. For more information about configuring keepalive connections, see the Deploying PAS topic for your IaaS.

To improve routing performance, the checkbox is enabled by default. When keepalive connections are enabled, the Gorouter maintains established TCP connections to back ends. The maximum number of idle keepalive connections maintained by the Gorouter to all back ends is set to 49,000. For more information, see Keepalive Connections.

HSTS Support for HAProxy

You can now enable HTTP Strict Transport Security (HSTS) for HAProxy. HSTS headers force browsers to use HTTPS exclusively to contact HAProxy for a period of time you specify.

For more information, see Secure Apps Domain with HAProxy.

Pre-Populated TLS Cipher Defaults for Gorouter and HAProxy

For new installations of PAS v2.1, the TLS Cipher Suites for Router and TLS Cipher Suites for HAProxy fields in the Networking pane are automatically populated with the following values:

  • Defaults for Gorouter: ECDHE-RSA-AES128-GCM-SHA256:TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • Defaults for HAProxy: DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384

Note: If you are using AWS Classic Load Balancers, see TLS Cipher Suite Support by AWS Load Balancers for information about configuring your AWS load balancers and Gorouter.

For upgrades, PAS populates the TLS Cipher Suites for Router and TLS Cipher Suites for HAProxy fields with the values specified in your previous version of the PAS tile. For information about configuring these fields, see the PAS installation topic for your IaaS.
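Because upgrades keep whatever cipher list the previous tile had, a carried-over list is worth checking against the properties the new-install defaults share. The following is an added example, not Pivotal code: it tokenizes a colon-separated list in either naming style and reports suites that lack forward secrecy or AEAD. The CARRIED_OVER value and all function names are constructed for illustration.

```python
import re

# New-install defaults, copied from the two bullets above.
GOROUTER_DEFAULT = "ECDHE-RSA-AES128-GCM-SHA256:TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
HAPROXY_DEFAULT = (
    "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384"
)
# Constructed example of a list carried over from an older tile (not from this page).
CARRIED_OVER = "ECDHE-RSA-AES128-GCM-SHA256:AES128-SHA:DES-CBC3-SHA:ECDHE-RSA-AES256-SHA384"

EPHEMERAL_KX = {"ECDHE", "DHE", "EDH"}      # key exchanges that give forward secrecy
AEAD_PREFIXES = ("GCM", "CCM", "CHACHA20")  # token prefixes that mark an AEAD cipher


def split_suites(cipher_string):
    """Split a colon-separated list, ignoring empty entries such as a trailing ':'."""
    return [s.strip() for s in cipher_string.split(":") if s.strip()]


def naming_style(suite):
    """'iana' for TLS_..._WITH_... names, 'openssl' for hyphenated names."""
    return "iana" if suite.upper().startswith("TLS_") else "openssl"


def classify(suite):
    """Return the list of problems for one suite name (empty list means none)."""
    upper = suite.upper()
    tokens = [t for t in re.split(r"[-_]", upper) if t]
    # TLS 1.3 names (TLS_AES_128_GCM_SHA256) carry no key exchange; it is always ephemeral.
    tls13 = upper.startswith("TLS_") and "WITH" not in tokens
    if tokens and tokens[0] == "TLS":
        tokens = tokens[1:]
    problems = []
    if not tls13 and (not tokens or tokens[0] not in EPHEMERAL_KX):
        problems.append("no forward secrecy")
    if not any(t.startswith(AEAD_PREFIXES) for t in tokens):
        problems.append("not AEAD")
    return problems


def audit(cipher_string):
    """Map each problematic suite in the list to its problems."""
    findings = {}
    for suite in split_suites(cipher_string):
        problems = classify(suite)
        if problems:
            findings[suite] = problems
    return findings


def naming_styles(cipher_string):
    """Set of naming styles present; a mixed list defeats a grep for one style only."""
    return {naming_style(s) for s in split_suites(cipher_string)}


if __name__ == "__main__":
    for label, value in [("gorouter default", GOROUTER_DEFAULT),
                         ("haproxy default", HAPROXY_DEFAULT),
                         ("carried over", CARRIED_OVER)]:
        print(label, sorted(naming_styles(value)), audit(value))
```

The Gorouter default mixes an OpenSSL-style name with an IANA-style name, which is why the tokenizer splits on both hyphens and underscores.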

Enable PROXY Protocol Support in CF Router

In the PAS networking pane, you can now enable support for PROXY protocol in CF Router. This checkbox is disabled by default. For more information, see the PAS installation topic for your IaaS.

Named Service Bindings

You now have the option of giving your service binding a name when you create it. For more information, see Named Service Bindings in the Delivering Service Credentials to an Application topic.

Runtime CredHub Can Use HSMs

You can configure Hardware Security Modules (HSMs) for runtime CredHub through Ops Manager. An HSM provides an additional layer of security by storing keys separately from the CredHub server.

For more information about configuring HSMs for runtime CredHub, see the PAS installation topic for your IaaS.

Improved System Performance for App Health Checks

This release changes how PAS runs app health checks to improve system performance in resource-constrained environments, such as on-premise installations of PAS. This change does not impact the developer workflow for configuring app health checks.

Previously, health checks during app startup increased system load because they ran as a Garden process every two seconds. In addition, apps that started successfully could fail if slow system performance caused the app health check to time out. In some severe cases, such app failures caused additional resource consumption and a chain-reaction of app failures.

PAS v2.1 resolves these issues through a new implementation that does not invoke a new process on every health check. The health check now runs as a long-lived process in the app container. Developers may see these processes if they access an app container using the cf ssh command and list the processes.

Custom SAML Entity ID for Tiles

To enable tiles to set a custom SAML entity ID, independent of whether PAS itself uses an external SAML identity provider, the Entity ID Override field in the Authentication and Enterprise SSO pane of the PAS tile has been moved to the UAA pane and renamed to SAML Entity ID Override.

cf CLI Errors on Multi-Origin User Ambiguity

If multiple CF user accounts from different origins share a username, the commands that manage Space and Org user roles return an error instead of operating on the first account returned. See Identical Usernames in Multiple Origins for details.

Apps Manager Introduces the Enter JSON Toggle

You can now use JSON for key-value entries in the Apps Manager UI. For information about managing apps and service instances in Apps Manager, see Managing Apps and Service Instances Using Apps Manager.

View and Scale Processes in Apps Manager

To support changes in CAPI v3, Apps Manager now displays the individual processes within apps and allows the user to scale each process independently. You can find this display in the Processes and Instances section of your app dashboard in the Overview pane.

For more information on scaling each process, see Scale an App in the Managing Apps and Service Instances Using Apps Manager topic.

App Autoscaler Metrics

The App Autoscaler can use two new metrics for automatically scaling app instance counts:

  • Memory Utilization: The average RAM percentage used for all instances of the app.
  • RabbitMQ Depth: The length of a specified RabbitMQ queue.

See Scaling Rules for additional context.

App Autoscaler CLI

The App Autoscaler CLI lets you create and manage App Autoscaler rules from a shell or programmatically, as an alternative to the PCF App Autoscaler UI in Apps Manager. See Using the App Autoscaler CLI for details.

The App Autoscaler CLI has the following known issues:

  • It does not work when more than one Autoscaler instance is running in the same space.
  • It cannot enable and disable individual scaling rules, unlike the App Autoscaler pane in Apps Manager or the App Autoscaler API.
  • It cannot create scheduled limit changes, unlike the App Autoscaler pane in Apps Manager or the App Autoscaler API.
  • It may output odd characters when the CF_COLOR environment variable is not set to false in monochrome shell windows.

Stage a Droplet on a Stopped App

You can now push an app with --no-start to automatically stage a droplet for when you start the app through Apps Manager. Before this change, Apps Manager produced an error if you pushed an app with --no-start and then started the app with Apps Manager.

Container Metrics Included in Syslog Drains

Container metrics can now be delivered in create-user-provided-service (CUPS) syslog drain bindings. To configure the Include container metrics in Syslog Drains checkbox, navigate to the System Logging pane of the PAS tile. For more information, see CF Syslog Drain Release.

GrootFS Is Merged with Garden and Enabled by Default

GrootFS, the Garden file system manager, has merged with the Garden codebase. For more information about GrootFS, see Garden RootFS (GrootFS).

By default, the GrootFS container image plugin is enabled, but if you experience performance issues, you can roll back to the image plugin built into Garden RunC. To disable the GrootFS container image plugin, navigate to the Application Containers pane and deselect the Enable the GrootFS container image plugin for Garden RunC checkbox.

Noisy Neighbor Nozzle

The Noisy Neighbor Nozzle is a Loggregator Firehose nozzle and CLI tool to help you identify apps producing a large number of logs.

For more information, see Noisy Neighbor Nozzle.

Service Instance Sharing (Beta)

PAS v2.1 supports service instance sharing across orgs and spaces. For more information, see Sharing Service Instances (Beta) and Enabling Service Instance Sharing.

About Advanced Features

Container-to-Container Service Discovery

Apps can find each other's internal addresses using BOSH DNS, to communicate directly container-to-container. Enable this feature in the PAS tile by selecting the Enable Service Discovery for Apps checkbox in the Application Developer Controls pane.

Retired Features

Removal of Automated Backup Configuration for Internal MySQL

Starting in PCF v2.1, the PAS tile no longer includes the Automated Backups Configuration field. This option has been removed because it is not possible to restore the internal MySQL database from a full backup without degrading the Galera MySQL cluster.

To back up and restore the internal MySQL database, you must use BOSH Backup and Restore (BBR). See Backing Up and Restoring Pivotal Cloud Foundry for information on using BBR.

BBR provides the following advantages over the Automated Backup Configuration:

  • BBR locks the necessary APIs as part of the backup procedure. This release-level backup ensures correctness. See PAS Component Behavior During Backup.
  • BBR backs up the MySQL cluster and the blobstore together so that they are consistent.
  • BBR eliminates the need to manually remove the silk database table after restore.

Known Issues

CredHub Database Cannot be External on GCP

If your PAS deployment is on GCP and you want to use Runtime CredHub, you must select Internal for both your system databases and CredHub database. If you are using external system databases, you cannot use CredHub.

CredHub is not compatible with the external database option on GCP. GCP Cloud SQL presents its certificate in a way that causes CredHub to refuse the connection.

Intermittent cf push Timeouts with Google Cloud Storage with Service Account

PAS on Google Cloud Platform can use Google Cloud Storage (GCS) authenticated with Google Service Account as its filestore. You configure this in the PAS tile > File Storage pane.

With this external filestore configuration, GCS with Google Service Account, PAS v2.1 intermittently experiences timeouts when you cf push apps. The failures may occur more frequently when you push large apps that require storing or retrieving larger files.

NSX-T Container Plugin Fails to Install with PAS

The VMware NSX-T Container Plug-in tile v2.1.0.x and v2.1.2 fail to install with PAS v2.1. The output of the error may be as follows:

oslo_config.cfg.ConfigFilesPermissionDeniedError: Failed to open some config files: /etc/nsx-ujo/ncp.ini
Traceback (most recent call last):
  File "/usr/local/bin/ncp", line 10, in <module>
    sys.exit(main())
  File "/usr/local/lib/python2.7/dist-packages/nsx_ujo/cmd/ncp.py", line 11, in main
    nsx_log_adaptor.init_log('nsx-container-ncp', 'ncp')
  File "/usr/local/lib/python2.7/dist-packages/nsx_ujo/common/nsx_log_adaptor.py", line 134, in init_log
    cfg.CONF(args=sys.argv[1:], default_config_files=[constants.NCP_INI_PATH])
  File "/usr/local/lib/python2.7/dist-packages/oslo_config/cfg.py", line 2493, in __call__
    self._namespace._files_permission_denied)
oslo_config.cfg.ConfigFilesPermissionDeniedError: Failed to open some config files: /etc/nsx-ujo/ncp.ini

Until a fix is available in a patch release of VMware NSX-T Container Plug-in for PCF v2.1, Pivotal recommends that you use PAS v2.0 if NSX-T CNI integration is a requirement.

PAS Install Fails When NSX-T Container Plug-In is Selected

PAS v2.1.0 fails to install when configured to use the NSX-T plugin. The output of the error is as follows:

Task 47 | 14:12:38 | Preparing deployment: Preparing deployment (00:00:01)
                   L Error: Colocated job 'cni' is already added to the instance group 'diego_cell'.
Task 47 | 14:12:39 | Error: Colocated job 'cni' is already added to the instance group 'diego_cell'.

PAS v2.1.1 fixes this issue and is available on Pivotal Network, but NSX-T Container Plugin v2.1.0 does not install with PAS v2.1.1, as described above. Until a fix is available in a patch release of VMware NSX-T Container Plug-in for PCF v2.1, Pivotal recommends that you use PAS v2.0 if NSX-T CNI integration is a requirement.

SAML Identity Provider Must Be Manually Disabled

If you want to switch from SAML to another identity provider such as LDAP or an internal user store, you must manually disable your SAML identity provider using the UAA API. For more information about disabling your SAML identity provider, see the Disabling SAML Identity Provider When Switching Identity Providers for PCF 2.1 Knowledge Base article.

Read-Only Volume Mounts Display as “rw”

Due to an underlying kernel defect, read-only volume mounts display as "mode": "rw" when you view the VCAP_SERVICES environment variable for your app.

For more information about binding a volume service, see Using an External File System (Volume Services).

Service Tiles Fail to Push Apps

This issue affects PCF v2.1 and previous versions of the product.

By default, the system domain in the system org is a shared domain. The default system domain is the first domain displayed when you run the cf domains command.

If you have made this system domain private, the following tiles may fail to push apps, such as smoke tests, or fail altogether:

  • Metrics Forwarder for PCF
  • Scheduler for PCF
  • Spring Cloud Services for PCF

These tiles assume that the default system domain is a shared domain. For more information about shared and private domains, see Domains in the Routes and Domains topic.

PAS Forwards High Volume of DEBUG Log Messages

PAS forwards a high volume of DEBUG syslog messages from UAA and other system components to an external service. To remediate this issue, you can filter out log messages that contain "DEBUG" in their body by using the custom syslog rule if ($msg contains "DEBUG") then stop.

For information about enabling syslog forwarding and configuring custom syslog rules in PAS, see Enable Syslog Forwarding in the Configuring Logging in PAS topic and Exclude Logs With Certain Content in the Customizing Platform Log Forwarding topic.
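The rule matches on message text, not on syslog severity, so it helps to check what it would drop before deploying it. The following is an added example, not part of PAS or rsyslog: it models the rule as a case-sensitive substring test on the MSG part of RFC 5424 lines and reports non-debug lines that would be dropped and debug-severity lines that would still be forwarded. The sample lines are constructed, and treating $msg as the text after the structured data is an assumption.

```python
import re

# RFC 5424 layout: <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA [SP MSG]
RFC5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) "
    r"(?P<sd>-|(?:\[(?:[^\]\\]|\\.)*\])+)"   # "-" or one or more [id key="value"] elements
    r"(?: (?P<msg>.*))?$"
)
SEVERITY_DEBUG = 7  # severity is PRI modulo 8

# Constructed sample lines (not captured from a PAS deployment).
SAMPLE_LINES = [
    '<15>1 2018-06-01T10:00:00Z uaa-0 uaa 411 - [meta@32473 deployment="cf"] '
    'DEBUG --- FilterChainProxy: /oauth/token at position 1 of 15',
    '<14>1 2018-06-01T10:00:01Z uaa-0 uaa 411 - [meta@32473 deployment="cf"] '
    'INFO --- Audit: ClientAuthenticationSuccess principal=cf',
    '<12>1 2018-06-01T10:00:02Z api-0 cloud_controller_ng 902 - - '
    'WARN env change on app billing: LOG_LEVEL=DEBUG set by user admin',
    '<15>1 2018-06-01T10:00:03Z router-0 gorouter 77 - - '
    '{"log_level":0,"message":"debug: route lookup"}',
]


def parse(line):
    """Extract app name, severity and MSG from one RFC 5424 line."""
    m = RFC5424.match(line)
    if m is None:
        raise ValueError("not an RFC 5424 line: %r" % line)
    return {"app": m["app"], "severity": int(m["pri"]) % 8, "msg": m["msg"] or ""}


def rule_stops(msg, needle="DEBUG"):
    """Model of: if ($msg contains "DEBUG") then stop (case-sensitive substring)."""
    return needle in msg


def evaluate(lines):
    """Return indexes of dropped/kept lines plus the two kinds of mismatch."""
    report = {"dropped": [], "kept": [], "collateral": [], "missed": []}
    for i, line in enumerate(lines):
        rec = parse(line)
        stopped = rule_stops(rec["msg"])
        is_debug = rec["severity"] == SEVERITY_DEBUG
        report["dropped" if stopped else "kept"].append(i)
        if stopped and not is_debug:
            report["collateral"].append(i)   # non-debug event lost to the filter
        if is_debug and not stopped:
            report["missed"].append(i)       # debug-severity line still forwarded
    return report


if __name__ == "__main__":
    result = evaluate(SAMPLE_LINES)
    for key in ("dropped", "kept", "collateral", "missed"):
        print(key, result[key])
```

In the constructed sample, the WARN line recording an environment change is dropped because its text contains "DEBUG", while the lowercase "debug" line from the router is still forwarded.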

UAA Request Latency Metric Not Emitted

The gorouter.latency.uaa metric is not currently emitted in PCF v2.1. For more information about the gorouter.latency.uaa metric, see UAA Request Latency in Key Performance Indicators.

PCF v2.1 Not Emitting BOSH VM Metrics for Windows Diego Cells

BOSH VM metrics are not being emitted for Windows Diego cells in PCF v2.1.

525 Handshake Failures When Connecting to Back Ends

If you disable TLS verification of back end identity and redeploy PCF after having enabled it in your previous deployment, and the deployment has apps with more than one instance, you might see an increase in the number of 525 Handshake Failure errors. Pivotal recommends that you do not disable TLS identity validation once it has been enabled.

Configuring a List of TCP Routing Ports

This section describes an issue and workaround related to configuring a list of TCP Routing Ports in the PAS tile UI.

Issue

You cannot enter a comma-separated list of ports in the TCP Routing Ports field of the PAS tile. If you enter a comma-separated list, the Routing API does not start. The TCP Routing Ports field allows entries in the following formats:

  • A single value, such as 1234
  • A range of values, such as 1234-5678

Workaround

If you want to configure a list of ports, Pivotal recommends following these steps:

Note: This procedure causes brief downtime for TCP apps listening on ports that you open after deploying PAS.

  1. Configure PAS with Enable TCP Routing selected.
  2. Enter one port you want to use in the TCP Routing Ports field.
  3. Deploy PAS.
  4. Use the Routing API to add all desired TCP ports by following the instructions in the Modify your TCP ports section of the Enabling TCP Routing topic. When using the Routing API, you can include a comma separated list of ports.

Loggregator Component Horizontal Scaling Thresholds

Above approximately 40 Doppler instances and 20 Traffic Controller instances, horizontal scaling is no longer useful for improving Loggregator Firehose performance. To improve performance, increase CPU resources for the existing Doppler and Traffic Controller instances to add vertical scale.
