PCF Isolation Segment v2.1 Release Notes

Known Issues

  • [Known Issue] NSX-T tile versions 2.3.1 and earlier are not compatible with IST; NSX-T tile 2.3.2 addresses this issue. See Known Issues below for details.

Releases

NOTE: BREAKING CHANGE: You must upgrade to PAS 2.1.10 or later before installing IST 2.1.10 or later.

2.1.16

  • Bump ubuntu-trusty stemcell to version 3541.65
  • Bump cflinuxfs2 to version 1.255.0

Component               Version
ubuntu-trusty stemcell  3541.65
cf-app-sd               0.5.0
cf-networking           1.10.6
cflinuxfs2              1.255.0
consul                  195
diego                   1.35.12
garden-runc             1.16.1
haproxy                 8.6.0
loggregator             101.16
nfs-volume              1.2.6
routing                 0.174.7
syslog-migration        11.1.1

2.1.15

  • [Security Fix] Address leak of CF admin credentials into NFS broker BOSH errand logs
  • [Bug Fix] Prevent container IPs from leaking by enforcing that TCP RST messages always use the cell IP as the source IP
  • Bump ubuntu-trusty stemcell to version 3541.61
  • Bump cf-networking to version 1.10.6
  • Bump cflinuxfs2 to version 1.249.0
  • Bump nfs-volume to version 1.2.6

Component               Version
ubuntu-trusty stemcell  3541.61
cf-app-sd               0.5.0
cf-networking           1.10.6
cflinuxfs2              1.249.0
consul                  195
diego                   1.35.12
garden-runc             1.16.1
haproxy                 8.6.0
loggregator             101.16
nfs-volume              1.2.6
routing                 0.174.7
syslog-migration        11.1.1

2.1.14

  • [Feature Improvement] Improve router pruning behavior when route integrity is enabled
  • Bump ubuntu-trusty stemcell to version 3541.57
  • Bump cf-networking to version 1.10.4
  • Bump cflinuxfs2 to version 1.245.0
  • Bump diego to version 1.35.12
  • Bump routing to version 0.174.7

Component               Version
ubuntu-trusty stemcell  3541.57
cf-app-sd               0.5.0
cf-networking           1.10.4
cflinuxfs2              1.245.0
consul                  195
diego                   1.35.12
garden-runc             1.16.1
haproxy                 8.6.0
loggregator             101.16
nfs-volume              1.2.3
routing                 0.174.7
syslog-migration        11.1.1

2.1.13

  • [Security Fix] Bump garden-runc to prevent malicious users from causing a denial of service for other apps
  • [Bug Fix] Fix unsafe logic in the NFS unmount and drain code that could lead to deletion of files on remote NFS shares
  • [Bug Fix] Fix PAS 2.1.14 upgrade failing with Error: release 'cf-networking/1.10.2' has already been uploaded
  • [Bug Fix] Fix issue in loggregator where AZ names with special characters could cause the metron agent job to fail
  • Bump cf-networking to version 1.10.3
  • Bump cflinuxfs2 to version 1.238.0
  • Bump garden-runc to version 1.16.1
  • Bump loggregator to version 101.16
  • Bump nfs-volume to version 1.2.3
  • Bump ubuntu-trusty stemcell to version 3541.49

Component               Version
ubuntu-trusty stemcell  3541.49
cf-app-sd               0.5.0
cf-networking           1.10.3
cflinuxfs2              1.238.0
consul                  195
diego                   1.35.10
garden-runc             1.16.1
haproxy                 8.6.0
loggregator             101.16
nfs-volume              1.2.3
routing                 0.174.6
syslog-migration        11.1.1
* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

2.1.12

  • [Feature Improvement] Enable capturing goroutine dumps from Diego components for troubleshooting
  • [Bug Fix] Fix issue in volume services that can cause application data loss when applications using the NFS volume service are scaled up or down
  • Bump diego to version 1.35.10
  • Bump ubuntu-trusty stemcell to version 3541.48

Component               Version
ubuntu-trusty stemcell  3541.48
cf-app-sd               0.5.0
cf-networking           1.10.2
cflinuxfs2              1.235.0
consul                  195
diego                   1.35.10
garden-runc             1.13.3
haproxy                 8.6.0
loggregator             101.13
nfs-volume              1.2.2
routing                 0.174.6
syslog-migration        11.1.1
* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

2.1.11

  • [Bug Fix] Prune router backends that return a 502 and do not retry them for 30 seconds
  • [Bug Fix] Prevent requests from timing out by applying Router Timeout to Backends per request instead of per connection
  • Bump cflinuxfs2 to version 1.235.0
  • Bump routing to version 0.174.6
  • Bump ubuntu-trusty stemcell to version 3541.46

Component               Version
ubuntu-trusty stemcell  3541.46
cf-app-sd               0.5.0
cf-networking           1.10.2*
cflinuxfs2              1.235.0
consul                  195
diego                   1.35.8
garden-runc             1.13.3
haproxy                 8.6.0
loggregator             101.13
nfs-volume              1.2.2
routing                 0.174.6
syslog-migration        11.1.1
* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

2.1.10

  • NOTE: BREAKING CHANGE: You must upgrade to PAS 2.1.10 or later before installing IST 2.1.10 or later.
  • [Bug Fix] Applications can use internal service discovery
  • Bump cf-app-sd to version 0.5.0
  • Bump cflinuxfs2 to version 1.228.0
  • Bump nfs-volume to version 1.2.2
  • Bump stemcell to version 3541.37

Component               Version
stemcell                3541.37
cf-app-sd               0.5.0
cf-networking           1.10.2*
cflinuxfs2              1.228.0
consul                  195
diego                   1.35.8
garden-runc             1.13.3
haproxy                 8.6.0
loggregator             101.13
nfs-volume              1.2.2
routing                 0.174.2
syslog-migration        11.1.1
* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

2.1.9

  • [Bug Fix] Fix TLS pruning behavior for Gorouter
  • [Bug Fix] Docker image based app resource reporting correctly includes image size in disk usage
  • Bump diego to version 1.35.8
  • Bump loggregator to version 101.13
  • Bump routing to version 0.174.2
  • Bump stemcell to version 3541.36

Component               Version
stemcell                3541.36
cf-networking           1.10.2*
cflinuxfs2              1.227.0
consul                  195
diego                   1.35.8
garden-runc             1.13.3
haproxy                 8.6.0
loggregator             101.13
nfs-volume              1.2.1
routing                 0.174.2
syslog-migration        11.1.1
* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

2.1.8

  • [Feature Improvement] Add ability to configure HAProxy client certificate verification
  • Bump cflinuxfs2 to version 1.227.0

Component               Version
stemcell                3541.34
cf-networking           1.10.2*
cflinuxfs2              1.227.0
consul                  195
diego                   1.35.6
garden-runc             1.13.3
haproxy                 8.6.0
loggregator             101.11*
nfs-volume              1.2.1
routing                 0.174.1
syslog-migration        11.1.1
* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

2.1.7

  • [Bug Fix] Bump consul to v195
    • Includes golang 1.9.7, removes golang 1.8.*.
    • Deploying v193 could fail on some deployments due to a conflict with other tiles that compiled the release differently.
    • Fixes intermittent consul DNS issues on Windows cells.
  • [Bug Fix] Increase fs.inotify limits to prevent app crashes at high container density on cells with the rep proxy enabled.
  • Bump cflinuxfs2 to version 1.223.0
  • Bump consul to version 195
  • Bump diego to version 1.35.6
  • Bump stemcell to version 3541.34

Component               Version
stemcell                3541.34
cf-networking           1.10.2*
cflinuxfs2              1.223.0
consul                  195
diego                   1.35.6
garden-runc             1.13.3
haproxy                 8.6.0
loggregator             101.11*
nfs-volume              1.2.1
routing                 0.174.1
syslog-migration        11.1.1
* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

2.1.6

  • [Security Fix] Bump diego to version 1.35.5
  • [Bug Fix] Bump nfs-volume-release to version 1.2.1
    • Fix incompatibility with the new garden-runc release when using read-only NFS volume mounts
  • [Bug Fix] Bump garden to version 1.13.3
    • Fix issue with deleted files in application containers created from docker images
  • Bump cflinuxfs2 to version 1.219.0
  • Bump consul to version 193 to use go 1.9
  • Bump stemcell to version 3541.30

Component               Version
stemcell                3541.30
cf-networking           1.10.2*
cflinuxfs2              1.219.0
consul                  193
diego                   1.35.5
garden-runc             1.13.3
haproxy                 8.6.0
loggregator             101.11*
nfs-volume              1.2.1
routing                 0.174.1
syslog-migration        11.1.1
* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

2.1.5

  • [Security Fix] Bump cflinuxfs2 to version 1.210.0
  • [Security Fix] Bump loggregator to version 101.11
    • Add strict application ID validation to TrafficController (CVE-2018-1268, CVE-2018-1269)
    • Change the RLP health endpoint to default to a random port
    • Metron health endpoint only listens on localhost
    • Bump go to 1.9.4
    • Fix doppler emitting multiple ingress metrics
  • Update the grootfs checkbox to indicate that recreating VMs is recommended
  • Bump cf-networking to version 1.10.2

Component               Version
stemcell                3541.25
cf-networking           1.10.2*
cflinuxfs2              1.210.0
consul                  191
diego                   1.35.4
garden-runc             1.13.1
haproxy                 8.6.0
loggregator             101.11*
nfs-volume              1.2.0
routing                 0.174.1
syslog-migration        11.1.1
* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

2.1.4

Component               Version
stemcell                3541.25
cf-networking           1.10.1*
cflinuxfs2              1.201.0
consul                  191
diego                   1.35.4
garden-runc             1.13.1
haproxy                 8.6.0
loggregator             101.5*
nfs-volume              1.2.0
routing                 0.174.1
syslog-migration        11.1.1
* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

2.1.3

  • [Security Fix] Bump garden-release to v1.13.1 for CVE-2018-1277.
  • [Bug Fix] Update the consul agent node_name to include the BOSH ID, to prevent two Diego cell instance groups with the same instance group name and index in different deployments from colliding.
  • [Feature Improvement] Bump diego-release to v1.35.4 to add cell and instance identifiers in the container lifecycle logs.

Component               Version
stemcell                3541.12
cf-networking           1.10.1*
cflinuxfs2              1.196.0
consul                  191
diego                   1.35.4
garden-runc             1.13.1
haproxy                 8.6.0
loggregator             101.5*
nfs-volume              1.2.0
routing                 0.174.0
syslog-migration        11.1.1
* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

2.1.2

  • [Security Fix] Bump cflinuxfs2 to v1.196.0
  • [Security Fix] Bump stemcell to v3541.12
  • [Bug Fix] Bump syslog-migration-release to v11.1.1:
    • Prevent blackbox logs from being written to the default syslog log files, which wrote each log to disk three additional times.
    • Fix RFC 5424 compatibility by ensuring only one space occurs between the structured data and the message.
  • [Feature Improvement] Bump diego-release to v1.35.3 to remove file limits for Envoy.

Component               Version
stemcell                3541.12
cf-networking           1.10.1*
cflinuxfs2              1.196.0
consul                  191
diego                   1.35.3
garden-runc             1.11.1
haproxy                 8.6.0
loggregator             101.5*
nfs-volume              1.2.0
routing                 0.174.0
syslog-migration        11.1.1
* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

2.1.1

  • [Maintenance] Bump stemcell to version 3541.9.
  • [Bug Fix] Bump cf-networking-release to version 1.10.1:
    • Fixes issue where deploy would fail when configured to use the NSX-T CNI plugin.
  • [Bug Fix] Bump routing-release to version 0.174.0:
    • Router gracefully falls back to non-TLS-enabled backends when encountering a retriable error with a TLS-enabled backend.

Component               Version
stemcell                3541.9
cf-networking           1.10.1*
cflinuxfs2              1.188.0
consul                  191
diego                   1.35.0
garden-runc             1.11.1
haproxy                 8.6.0
loggregator             101.5*
nfs-volume              1.2.0
routing                 0.174.0
syslog-migration        11.1.0
* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

2.1.0

Component               Version
stemcell                3541.8
cf-networking           1.10.0
cflinuxfs2              1.188.0
consul                  191
diego                   1.35.0
garden-runc             1.11.1
haproxy                 8.6.0
loggregator             101.5*
nfs-volume              1.2.0
routing                 0.172.0
syslog-migration        11.1.0
* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

About PCF Isolation Segment

The PCF Isolation Segment v2.1 tile is available for installation with PCF v2.1.

Isolation segments provide dedicated pools of resources where you can deploy apps and isolate workloads. Using isolation segments separates app resources as completely as if they were in different CF deployments but avoids redundant management and network complexity.

For more information about using isolation segments in your deployment, see the Managing Isolation Segments topic.

How to Install

The procedure for installing PCF Isolation Segment v2.1 is documented in the Installing PCF Isolation Segment topic.

To install a PCF Isolation Segment, you must first install PCF v2.1.

New Features in PCF Isolation Segment v2.1

Increased Resiliency, Consistency, and Security for HTTP Routing

You can now configure the Gorouter to use TLS for verifying app identity and communicating with app containers. This improves resiliency and consistency for app routes as well as increases security by encrypting data in flight from the Gorouter to back ends. To support app identification and communication over TLS, the platform must allocate more memory for app instances. CPU usage by the Gorouter and Diego cell VMs may also increase.

For information about enabling this feature, see Application Containers in the Installing PCF Isolation Segment topic.

For information about TLS support and Gorouter route consistency modes, see TLS to Apps and Other Back-End Services and Preventing Misrouting in the HTTP Routing topic.

Gorouter Keepalive Connections to Back Ends Enabled by Default

In PCF Isolation Segment v2.1, the Router Max Idle Keepalive Connections field in the Networking pane of the PCF Isolation Segment tile has been replaced by the Enable Keepalive Connections for Router checkbox. For more information about configuring keepalive connections, see Networking in the Installing PCF Isolation Segment topic.

To improve routing performance, the checkbox is enabled by default. When keepalive connections are enabled, Gorouter maintains established TCP connections to back ends. The maximum number of idle keepalive connections maintained by the Gorouter to all back ends is set to 49,000. For more information, see Keepalive Connections in the HTTP Routing topic.

HSTS Support for HAProxy

You can now enable HTTP Strict Transport Security (HSTS) for HAProxy. When enabled, HAProxy adds a Strict-Transport-Security header to responses, which instructs browsers to contact that domain over HTTPS only for the period (max-age) you specify. The header only takes effect when a browser receives it over an HTTPS connection.

For more information, see Secure Apps Domain with HAProxy.
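After turning the feature on, the check a practitioner wants is that responses from the apps domain actually carry a well-formed header with the configured max-age. The block below is an added example and is not code from the tile or from Pivotal: it builds the HAProxy `http-response set-header` line that emits such a header (the page does not show how the tile renders its own setting), parses a Strict-Transport-Security value, and verifies a captured response. The function names, the policy rules and the sample responses are this example's own; the responses are constructed, not captured from a real deployment.

```python
"""Verify HSTS after enabling it for HAProxy (added example, not Pivotal code)."""


def haproxy_hsts_directive(max_age_seconds, include_subdomains=False, preload=False):
    """Return an HAProxy 'http-response set-header' line that emits the HSTS header.

    max_age_seconds is the period for which browsers will use HTTPS only.
    """
    if max_age_seconds <= 0:
        # max-age=0 tells browsers to forget the policy; it never enables HSTS.
        raise ValueError("max-age must be a positive number of seconds")
    value = "max-age=%d" % max_age_seconds
    if include_subdomains:
        value += "; includeSubDomains"
    if preload:
        # Browser preload lists only accept includeSubDomains with max-age >= 1 year.
        if not include_subdomains or max_age_seconds < 31536000:
            raise ValueError("preload requires includeSubDomains and max-age >= 31536000")
        value += "; preload"
    return 'http-response set-header Strict-Transport-Security "%s"' % value


def parse_hsts(header_value):
    """Parse a Strict-Transport-Security value; return None if it has no valid max-age."""
    result = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in header_value.split(";"):
        name, _, val = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            val = val.strip().strip('"')
            if not val.isdigit():
                return None
            result["max_age"] = int(val)
        elif name == "includesubdomains":
            result["include_subdomains"] = True
        elif name == "preload":
            result["preload"] = True
        # Unknown directives are ignored, as RFC 6797 requires of browsers.
    if result["max_age"] is None:
        return None
    return result


def hsts_ok(raw_response, expected_max_age):
    """True if the response carries exactly one well-formed HSTS header with max-age >= expected.

    Two headers (an app setting its own plus HAProxy's) is flagged: browsers honour only the
    first one they see, so the configured policy may silently not apply.
    """
    head = raw_response.split("\r\n\r\n", 1)[0]
    values = [line.split(":", 1)[1].strip()
              for line in head.split("\r\n")[1:]
              if line.lower().startswith("strict-transport-security:")]
    if len(values) != 1:
        return False
    parsed = parse_hsts(values[0])
    return parsed is not None and parsed["max_age"] >= expected_max_age


# Constructed sample responses for this example (not captured from a real deployment).
GOOD_RESPONSE = ("HTTP/1.1 200 OK\r\n"
                 "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
                 "Content-Type: text/html\r\n\r\n<html></html>")
MISSING_RESPONSE = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>"

if __name__ == "__main__":
    print(haproxy_hsts_directive(31536000, include_subdomains=True))
    print("good response ok:", hsts_ok(GOOD_RESPONSE, 31536000))
    print("missing header ok:", hsts_ok(MISSING_RESPONSE, 31536000))
```

Run the check against an HTTPS response from the apps domain; a response fetched over plain HTTP is not evidence either way, because browsers ignore the header there.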

Pre-Populated TLS Cipher Defaults for Gorouter and HAProxy

For new installations of PCF Isolation Segment, the TLS Cipher Suites for Router and TLS Cipher Suites for HAProxy fields in the Networking pane are automatically populated with the following values:

  • Defaults for Gorouter: ECDHE-RSA-AES128-GCM-SHA256:TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • Defaults for HAProxy: DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384

Both defaults contain only forward-secret (ECDHE or DHE) AEAD (AES-GCM) suites. The Gorouter default lists one suite in OpenSSL notation and one in IANA/Go notation; the Gorouter accepts both forms, so the mix is not an error.

Note: If you are using AWS Classic Load Balancers, see TLS Cipher Suite Support by AWS Load Balancers for information about configuring your AWS load balancers and Gorouter.

For upgrades, PCF Isolation Segment v2.1 populates the TLS Cipher Suites for Router and TLS Cipher Suites for HAProxy fields with the values specified in your previous version of the PCF Isolation Segment tile. For information about configuring these fields, see Networking in the Installing PCF Isolation Segment topic.
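Because upgrades carry forward whatever cipher string the previous tile version had, it is worth auditing that value before saving it. The block below is an added example, not code from the tile or from Pivotal: it parses a colon-delimited cipher suite field in either naming form (OpenSSL names such as ECDHE-RSA-AES128-GCM-SHA256, or IANA/Go names such as TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, as the Gorouter default mixes) and flags suites without forward secrecy, non-AEAD suites, suites built on weak primitives, and OpenSSL group keywords that hide their expansion. The function names and the policy are this example's own; the two default strings are quoted from the list above.

```python
"""Audit a TLS Cipher Suites field value (added example, not Pivotal code)."""
import re

# Defaults quoted from the release notes.
GOROUTER_DEFAULT = "ECDHE-RSA-AES128-GCM-SHA256:TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
HAPROXY_DEFAULT = ("DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:"
                   "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384")

# Policy used by this example (an assumption, not the tile's own rules).
WEAK_TOKENS = {"RC4", "3DES", "DES", "NULL", "EXPORT", "EXP", "MD5", "ANON", "ADH", "AECDH"}
FORWARD_SECRET_KX = {"ECDHE", "DHE", "EDH"}
AEAD_MODES = {"GCM", "CCM", "CHACHA20"}  # CHACHA20 implies POLY1305
OPENSSL_GROUPS = {"ALL", "DEFAULT", "HIGH", "MEDIUM", "LOW", "COMPLEMENTOFALL", "COMPLEMENTOFDEFAULT"}
# TLS 1.3 suite names carry no key-exchange token; the protocol always uses (EC)DHE + AEAD.
TLS13_SUITES = {"TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256"}


def suite_tokens(name):
    """Split either naming form into upper-case tokens.

    'ECDHE-RSA-AES128-GCM-SHA256'           -> ['ECDHE', 'RSA', 'AES128', 'GCM', 'SHA256']
    'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384' -> ['ECDHE', 'RSA', 'AES256', 'GCM', 'SHA384']
    """
    n = name.strip().upper()
    if n.startswith("TLS_"):
        n = n[4:].replace("_WITH_", "_")
        n = re.sub(r"(AES|CAMELLIA|ARIA)_(\d+)", r"\1\2", n)  # AES_128 -> AES128
        return n.split("_")
    return n.split("-")


def assess_suite(name):
    """Return the policy findings for one entry; an empty list means it is acceptable."""
    if name[0] in "!+-@" or name.upper() in OPENSSL_GROUPS:
        return ["OpenSSL group keyword; expand with 'openssl ciphers -v' and audit the expansion"]
    if name.upper() in TLS13_SUITES:
        return []
    tokens = set(suite_tokens(name))
    findings = []
    weak = sorted(tokens & WEAK_TOKENS)
    if weak:
        findings.append("weak primitive: " + ",".join(weak))
    if not tokens & FORWARD_SECRET_KX:
        findings.append("no forward secrecy (static RSA/DH key exchange)")
    if not tokens & AEAD_MODES:
        findings.append("not AEAD (CBC or stream cipher mode)")
    return findings


def check_cipher_string(value):
    """Map every entry of a colon-delimited field value to its findings."""
    if not value or not value.strip():
        raise ValueError("cipher suite field is empty")
    report = {}
    for entry in value.split(":"):
        if not entry:
            raise ValueError("empty entry (stray or doubled ':') in cipher suite field")
        report[entry] = assess_suite(entry)
    return report


def rejected_suites(value):
    """Sorted entries that fail the policy; an empty list means the value is clean."""
    return sorted(s for s, findings in check_cipher_string(value).items() if findings)


if __name__ == "__main__":
    for label, value in (("Gorouter", GOROUTER_DEFAULT), ("HAProxy", HAPROXY_DEFAULT)):
        print(label, "default rejected:", rejected_suites(value))
```

Both shipped defaults pass this policy. The check is a static one on the names: it says nothing about what the load balancer in front of the Gorouter negotiates, which is the point of the AWS note above.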

Improved System Performance for App Health Checks

This release changes how PCF Isolation Segment runs app health checks to improve system performance in resource-constrained environments, such as on-premise installations of PCF. This change does not impact the developer workflow for configuring app health checks.

Previously, health checks during app startup increased system load because they ran as a Garden process every two seconds. In addition, apps that started successfully could fail if slow system performance caused the app health check to time out. In some severe cases, such app failures caused additional resource consumption and a chain-reaction of app failures.

PCF Isolation Segment v2.1 resolves these issues through a new implementation that does not invoke a new process on every health check. The health check now runs as a long-lived process in the app container. Developers may see these processes if they access an app container using the cf ssh command and list the processes.

Known Issues

NSX-T v2.3.1 and Earlier Not Compatible with PCF Isolation Segment

The NSX-T tiles v2.3.1 and earlier are not compatible with PCF Isolation Segment. The Gorouters in an Isolation Segment are not given access in the firewall rules for NSX-T v2.3.1 and earlier, which prevents them from communicating with apps.

NSX-T v2.3.2 and later give access to the Gorouters in an Isolation Segment, and thus are compatible with PCF Isolation Segment.

About Advanced Features

The Advanced Features section of the PCF Isolation Segment v2.1 tile includes new functionality that may have certain constraints.

Although these features are fully supported, Pivotal recommends caution when using them in production.