PCF v2.2 Feature Highlights
This topic highlights important new features included in Pivotal Cloud Foundry (PCF) v2.2.
Ops Manager v2.2 includes the following major features:
In time for the Ops Manager v2.2 release, Ops Manager API documentation is accessible publically through docs.pivotal.io. Previously, you could only access the Ops Manager API documentation through your own Ops Manager.
For v2.2 Ops Manager API documentation, see PCF Ops Manager API Reference.
Ops Manager now supports multiple vSphere vCenters on a single vSphere BOSH Director tile. This allows you to spread instances across regions without having to deploy and manage multiple PCF foundations.
For more information about how to add, edit, and delete vCenters, see Managing Multiple vSphere vCenters.
You can now choose to deploy a selection of tiles rather than all tiles in Ops Manager. This feature allows you to reduce the amount of change in any given deployment, which drastically reduces deployment time.
This feature is in beta for Ops Manager, and is generally available as an API endpoint. For more information, see Triggering an install process in the Ops Manager API documentation.
Note: Ops Manager is soliciting feedback for this feature. Submit feedback through your product architect or directly by emailing firstname.lastname@example.org.
Through the Ops Manager API, you can see Ops Manager’s manifest history. Manifest history is helpful for running
diff commands on manifests to see changes over time.
Pivotal officially supports Azure Stack.
Azure Stack is a hybrid cloud platform that lets you deliver Azure services from your own on-premise datacenter. For more information about Azure Stack, see What is Azure Stack? from the Microsoft Azure documentation.
Ops Manager now supports a special region in Azure called Azure China. Azure China is a physically separated instance of cloud services that is located in China and independently operated. For more information about Azure China, see What is Azure China 21Vianet? in the Azure China documentation.
For even greater security, Ops Manager sends user-specified credentials to BOSH CredHub on each deployment. For more information about where Ops Manager-specific credentials are stored, see BOSH CredHub.
For information about how this feature affects tile authors, see PCF v2.2 Partners Release Notice in the PCF Tile Developer Guide.
Ops Manager v2.2 supports secret text areas in tile configuration panes. This feature is useful for tiles that require PCF operators to enter multi-line credentials during configuration.
When a user enters text into a secret text area and clicks Save, the Ops Manager UI replaces the text with an
*. Additionally, users of the Ops Manager API can not retrieve text entered in secret text areas. Ops Manager stores this text in CredHub.
Tile authors can mark a text area as
secret by setting
type: secret and
display_type: text_area in the property blueprint for their tile.
For more information, see the Custom Forms and Properties section of the Tile Generator topic.
Operators can specify a custom trusted SSL certificate and key for the Ops Manager server so that traffic isn’t exposed to man-in-the-middle attacks when using Ops Manager.
By default, Ops Manager uses an auto-generated self-signed certificate. To change this configuration to your own SSL certificate, go to Settings from the Ops Manager Installation Dashboard and select the SSL Certificate pane. For more information about Ops Manager settings, see Settings Page in the Understanding the Ops Manager Interface topic.
Note: Custom SSL certificate and key is persisted between upgrades. Custom SSL only needs a one-time configuration.
You can configure a syslog server for Ops Manager logs. Logs include rails production logs, audit logs, UAA logs, nginx logs, and upstart logs for Ops Manager processes. Previous to this change, Ops Manager logs were not centralized in one accessible location. You also have the option to TLS-encrypt your logs.
For more information about configuring syslog for Ops Manager, see Settings Page in the Understanding the Ops Manager Interface topic.
Ops Manager now supports TLS communications for your internal blobstore. Ops Manager automatically generates and rotates TLS certifications for you.
To enable internal blobstore TLS communications, all of your tiles must have stemcells v3468 or later. You must also disable Allow Legacy Agents in the Director Config pane of the BOSH Director tile.
Ops Manager now allows you to configure a custom TLS certificate for an external MySQL database.
For more information, see the Director Config Page section of the Ops Manager Director installation topic for your IaaS.
If you have more than one PCF foundation, identification tags allow you to easily identify which foundation your VMs belong to when viewing your IaaS. You are able to set custom Identification Tags in the Director Config pane of your BOSH Director tile.
BOSH DNS is enabled for both app containers and PCF components in v2.2. In previous versions, Consul managed service discovery between PCF components, but Consul is being replaced by BOSH DNS. BOSH DNS lets app containers and PCF components look up services with the BOSH DNS service discovery mechanism. To support BOSH DNS, the Ops Manager Director colocates a BOSH DNS server on every deployed VM. This does not negatively impact performance.
Note: In PCF v2.2, Consul and BOSH DNS are both available in PCF, but BOSH DNS is the only service used for DNS requests.
BOSH DNS is enabled by default. You can disable BOSH DNS if instructed to do so by Pivotal support. From the Ops Manager installation dashboard, click the Ops Manager tile. In the Director Config tab, select the Disable BOSH DNS server for troubleshooting purposes.
WARNING: Do not disable BOSH DNS without instructions from Pivotal support. Disabling BOSH DNS will also disable PKS, NSX-T, and several PAS features. If you disabled BOSH DNS in PCF v2.1, reenable it before upgrading to PCF v2.2.
The Change Log pane lists products as Unchanged when they remain deployed, but their configuration has not changed from a prior deployment, so Ops Manager did not re-deploy them.
For greater security, the SSH proxy now accepts a narrower range of ciphers, MACs, and key exchanges when you call
cf ssh from the CF CLI.
For internal system databases, PAS now supports a more secure Percona Server database with TLS-encrypted communication between server nodes, as well as the previous MariaDB option. See Migrating to Internal Percona MySQL for details.
WARNING: Migrating PAS internal databases to using TLS causes temporary downtime of PAS system functions. It does not interrupt apps hosted by PAS.
PAS now supports AWS instance profiles when you are configuring an S3 filestore. Either an instance profile or an access and secret key are required.
For more information, see the External or S3 Filestore section of the PAS installation topic for your IaaS.
PAS can now back up unversioned S3 buckets used for external file storage, saving backup artifacts to separate, dedicated backup buckets. For more information, see the External or S3 Filestore section the PAS installation topic for your IaaS.
You can now disable logging of client IP addresses in the Gorouter to comply with the General Data Protection Regulation (GDPR).
For more information about this feature, see Gorouter Logging Changes for GDPR Compliance in Pivotal Application Service v2.2 Release Notes.
You can now use a human- and machine-readable format, RFC 3339, for Diego timestamps in logs. RFC 3339 format also prevents the need for log aggregation systems to parse a complex timestamp.
New installations of the PAS, PAS for Windows, PAS for Windows 2012R2, and PCF Isolation Segment tiles now default to RFC 3339 format.
The Unix epoch format is set by default for upgrades to v2.2. You can enable the new timestamp format for Diego logs in the PAS tile.
For more information, see the Configure Application Containers section of the PAS installation topic for your IaaS.
Breaking Change: Before enabling RFC 3339 format for Diego logs, ensure that your log aggregation system anticipates the timestamp format change. If you experience issues, you can disable RFC 3339 format in the PAS tile.
In PAS v2.1, service discovery for container-to-container networking was an experimental feature that you could opt in to use. In PAS v2.2, this feature is enabled by default, and you can opt out of using it.
For more information about disabling service discovery for container-to-container networking, see the Configure Application Developer Controls section of the PAS installation topic for your IaaS.
PAS v2.2 allows you to configure the DNS search domains used in containers by entering a comma-separated list.
For more information, see the Container Networking section of the PAS installation topic for your IaaS.
Loggregator adds an in-memory caching layer for logs and metrics and provides a RESTful interface for retrieving them. Unlike the
cf logs APP-NAME --recent command, Log Cache gives you queryable, filterable data when you use it to retrieve recent logs for your apps.
For more information, see Enable Log Cache.
Breaking Change: If you disable Log Cache, App Autoscaler will fail. For more information about Log Cache, see Loggregator Introduces Log Cache.
PAS v2.2 adds the Don’t Forward Debug Logs checkbox, which disables forwarding of DEBUG syslog messages to external services.
The Don’t Forward Debug Logs checkbox is enabled in PAS v2.2 by default. For more information about this feature, see Forwarding of DEBUG Syslog Messages Disabled by Default
App Autoscaler now allows you to create custom autoscaling rules and scheduled limit changes for your apps through the App Autoscaler CLI.
For more information about the App Autoscaler CLI, see Using the App Autoscaler CLI.
The App Autoscaler UI is now integrated into Apps Manager. This enables users to configure autoscaling for their apps through Apps Manager.
For more information about scaling apps using App Autoscaler, see Scaling an Application Using App Autoscaler.
PCF Isolation Segment shares the New Format for Diego Timestamps feature in PAS.
PCF Isolation Segment shares the new DNS Search Domains feature in PAS.