Pivotal Application Service v2.2 Release Notes


Releases

2.2.16

  • [Security Fix] Fix insecure Gradle dependency in CredHub
  • [Bug Fix] Allow persistent disk size on backup and restore to be configured
  • Bump ubuntu-trusty stemcell to version 3586.100
  • Bump cflinuxfs2 to version 1.283.0
  • Bump credhub to version 1.9.12
Component | Version
ubuntu-trusty stemcell | 3586.100
backup-and-restore-sdk | 1.12.0
binary-offline-buildpack-lts | 1.0.30
bosh-dns-aliases | 0.0.2
bosh-system-metrics-forwarder | 0.0.15
capi | 1.58.16
cf-autoscaling | 201.11
cf-backup-and-restore | 0.0.11
cf-cli | 1.5.0
cf-mysql | 36.16.0
cf-networking | 2.3.3
cf-smoke-tests | 40.0.40
cf-syslog-drain | 6.8
cflinuxfs2 | 1.283.0
consul | 195
credhub | 1.9.12
diego | 2.8.7
dotnet-core-offline-buildpack-lts | 2.2.5
garden-runc | 1.16.8
go-offline-buildpack-lts | 1.8.33
haproxy | 8.7.0
java-offline-buildpack-lts | 4.16.1
log-cache | 1.4.7
loggregator | 102.8
mysql-monitoring | 8.20.0
nats | 24
nfs-volume | 1.2.6
nodejs-offline-buildpack-lts | 1.6.43
notifications-ui | 33
notifications | 46
php-offline-buildpack-lts | 4.3.70
pivotal-account | 1.9.1
push-apps-manager-release | 665.0.32
push-usage-service-release | 666.0.12
pxc | 0.14.1
python-offline-buildpack-lts | 1.6.28
routing | 0.178.7
ruby-offline-buildpack-lts | 1.7.31
silk | 2.3.4
staticfile-offline-buildpack-lts | 1.4.39
statsd-injector | 1.3.0
syslog | 11.3.2
uaa | 60.13

2.2.15

  • [Feature Improvement] Reduce load on autoscaling database by adding indices to improve query efficiency
  • [Bug Fix] Increase TLS Certificate verification depth in Apps Manager to allow for longer certificate chains
  • [Bug Fix] Apps Manager correctly displays footer text when not set in Ops Manager
  • Bump ubuntu-trusty stemcell to version 3586.96
  • Bump capi to version 1.58.16
  • Bump cf-autoscaling to version 201.11
  • Bump cflinuxfs2 to version 1.280.0
  • Bump push-apps-manager-release to version 665.0.32
Component | Version
ubuntu-trusty stemcell | 3586.96
backup-and-restore-sdk | 1.12.0
binary-offline-buildpack-lts | 1.0.30
bosh-dns-aliases | 0.0.2
bosh-system-metrics-forwarder | 0.0.15
capi | 1.58.16
cf-autoscaling | 201.11
cf-backup-and-restore | 0.0.11
cf-cli | 1.5.0
cf-mysql | 36.16.0
cf-networking | 2.3.3
cf-smoke-tests | 40.0.40
cf-syslog-drain | 6.8
cflinuxfs2 | 1.280.0
consul | 195
credhub | 1.9.9
diego | 2.8.7
dotnet-core-offline-buildpack-lts | 2.2.5
garden-runc | 1.16.8
go-offline-buildpack-lts | 1.8.33
haproxy | 8.7.0
java-offline-buildpack-lts | 4.16.1
log-cache | 1.4.7
loggregator | 102.8
mysql-monitoring | 8.20.0
nats | 24
nfs-volume | 1.2.6
nodejs-offline-buildpack-lts | 1.6.43
notifications-ui | 33
notifications | 46
php-offline-buildpack-lts | 4.3.70
pivotal-account | 1.9.1
push-apps-manager-release | 665.0.32
push-usage-service-release | 666.0.12
pxc | 0.14.1
python-offline-buildpack-lts | 1.6.28
routing | 0.178.7
ruby-offline-buildpack-lts | 1.7.31
silk | 2.3.4
staticfile-offline-buildpack-lts | 1.4.39
statsd-injector | 1.3.0
syslog | 11.3.2
uaa | 60.13

2.2.14

  • [Security Fix] Bump UAA to address CVE-2019-3775
  • [Feature Improvement] Improve error messages when installing buildpacks
  • [Feature Improvement] Increase performance for internal MySQL by changing innodb_flush_log_at_trx_commit from 1 to 2. This increases performance safely for clustered deployments. Single-node deployments might need to scale up to avoid the possibility of 1 second of data loss during deploys.
  • [Feature Improvement] Add support for TCP hitless reloads in HAProxy to avoid connection reset errors
  • [Feature Improvement] Add ability to enable or disable gorouter hairpinning with the Bypass security checks for route service lookup option. This feature has potential security concerns, but may be needed for backwards compatibility. See Configuring Route Service Lookup.
  • [Bug Fix] Fix issue in which Apps Manager shows Invalid User as the username for space and organization members without usernames, such as UAA clients
  • Bump ubuntu-trusty stemcell to version 3586.93
  • Bump capi to version 1.58.15
  • Bump cf-autoscaling to version 201.10
  • Bump cf-syslog-drain to version 6.8
  • Bump cflinuxfs2 to version 1.279.0
  • Bump push-apps-manager-release to version 665.0.30
  • Bump routing to version 0.178.7
  • Bump uaa to version 60.13
Component | Version
ubuntu-trusty stemcell | 3586.93
backup-and-restore-sdk | 1.12.0
binary-offline-buildpack-lts | 1.0.30
bosh-dns-aliases | 0.0.2
bosh-system-metrics-forwarder | 0.0.15
capi | 1.58.15
cf-autoscaling | 201.10
cf-backup-and-restore | 0.0.11
cf-cli | 1.5.0
cf-mysql | 36.16.0
cf-networking | 2.3.3
cf-smoke-tests | 40.0.40
cf-syslog-drain | 6.8
cflinuxfs2 | 1.279.0
consul | 195
credhub | 1.9.9
diego | 2.8.7
dotnet-core-offline-buildpack-lts | 2.2.5
garden-runc | 1.16.8
go-offline-buildpack-lts | 1.8.33
haproxy | 8.7.0
java-offline-buildpack-lts | 4.16.1
log-cache | 1.4.7
loggregator | 102.8
mysql-monitoring | 8.20.0
nats | 24
nfs-volume | 1.2.6
nodejs-offline-buildpack-lts | 1.6.43
notifications-ui | 33
notifications | 46
php-offline-buildpack-lts | 4.3.70
pivotal-account | 1.9.1
push-apps-manager-release | 665.0.30
push-usage-service-release | 666.0.12
pxc | 0.14.1
python-offline-buildpack-lts | 1.6.28
routing | 0.178.7
ruby-offline-buildpack-lts | 1.7.31
silk | 2.3.4
staticfile-offline-buildpack-lts | 1.4.39
statsd-injector | 1.3.0
syslog | 11.3.2
uaa | 60.13

2.2.13

  • [Feature Improvement] Operators can configure API Batch Size for the CF Syslog Drain Release
  • Bump ubuntu-trusty stemcell to version 3586.79
  • Bump cf-syslog-drain to version 6.7
  • Bump cflinuxfs2 to version 1.267.0
Component | Version
ubuntu-trusty stemcell | 3586.79
backup-and-restore-sdk | 1.12.0
binary-offline-buildpack-lts | 1.0.30
bosh-dns-aliases | 0.0.2
bosh-system-metrics-forwarder | 0.0.15
capi | 1.58.11
cf-autoscaling | 201.9
cf-backup-and-restore | 0.0.11
cf-cli | 1.5.0
cf-mysql | 36.16.0
cf-networking | 2.3.3
cf-smoke-tests | 40.0.40
cf-syslog-drain | 6.7
cflinuxfs2 | 1.267.0
consul | 195
credhub | 1.9.9
diego | 2.8.7
dotnet-core-offline-buildpack-lts | 2.2.5
garden-runc | 1.16.8
go-offline-buildpack-lts | 1.8.33
haproxy | 8.7.0
java-offline-buildpack-lts | 4.16.1
log-cache | 1.4.7
loggregator | 102.8
mysql-monitoring | 8.20.0
nats | 24
nfs-volume | 1.2.6
nodejs-offline-buildpack-lts | 1.6.43
notifications-ui | 33
notifications | 46
php-offline-buildpack-lts | 4.3.70
pivotal-account | 1.9.1
push-apps-manager-release | 665.0.27
push-usage-service-release | 666.0.12
pxc | 0.14.1
python-offline-buildpack-lts | 1.6.28
routing | 0.178.5
ruby-offline-buildpack-lts | 1.7.31
silk | 2.3.4
staticfile-offline-buildpack-lts | 1.4.39
statsd-injector | 1.3.0
syslog | 11.3.2
uaa | 60.11

2.2.12

  • [Security Fix] Apps Manager verifies SSL certificates for endpoints to which it proxies. For environments using untrusted certificates, this may cause Apps Manager to show no content. To resolve this issue, see Apps Manager shows no content due to SSL validation issue.
  • [Feature Improvement] Increase the maximum number of connections for internal MySQL to 3500
  • [Feature Improvement] Change default lifetime of Apps Manager client UAA token to 1 hour
  • [Feature Improvement] Improve auctioneer cell-state logs in Diego Auctioneer
  • [Feature Improvement] Increase Tomcat max http header size to 14K
  • [Bug Fix] Fix BBR failures when backing up large blobs to unversioned S3 blobstores
  • [Bug Fix] Fix binding route services to apps
  • [Bug Fix] Fix concurrency bug in the Router’s route pool, which could manifest as a fatal error: “Unlock of unlocked RWMutex”
  • [Bug Fix] Fix bug in Apps Manager where space page, services tab shows a 500 error if the last operation of a service is null
  • [Bug Fix] Make header tabs focusable and clickable via keyboard navigation in Apps Manager
  • [Bug Fix] Improve garden init process to avoid edge cases that can lead to zombies
  • [Bug Fix] Add back Consul registration in PXC Proxy to fix issue that can cause API and Application downtime when upgrading from PAS 2.1.x.
  • [Bug Fix] Show (Deleted User) in Apps Manager rather than empty row for Cloud Controller users that do not exist in UAA
  • [Bug Fix] Fix failure to bind service to app with custom parameters in Apps Manager
  • opsmanager failed to upgrade srt 2.1 to 2.2
  • Bump ubuntu-trusty stemcell to version 3586.71
  • Bump backup-and-restore-sdk to version 1.12.0
  • Bump binary-offline-buildpack-lts to version 1.0.30
  • Bump capi to version 1.58.11
  • Bump cflinuxfs2 to version 1.260.0
  • Bump diego to version 2.8.7
  • Bump dotnet-core-offline-buildpack-lts to version 2.2.5
  • Bump garden-runc to version 1.16.8
  • Bump go-offline-buildpack-lts to version 1.8.33
  • Bump nodejs-offline-buildpack-lts to version 1.6.43
  • Bump php-offline-buildpack-lts to version 4.3.70
  • Bump push-apps-manager-release to version 665.0.27
  • Bump pxc to version 0.14.1
  • Bump python-offline-buildpack-lts to version 1.6.28
  • Bump routing to version 0.178.5
  • Bump ruby-offline-buildpack-lts to version 1.7.31
  • Bump staticfile-offline-buildpack-lts to version 1.4.39
  • Bump uaa to version 60.11
Component | Version
ubuntu-trusty stemcell | 3586.71
backup-and-restore-sdk | 1.12.0
binary-offline-buildpack-lts | 1.0.30
bosh-dns-aliases | 0.0.2
bosh-system-metrics-forwarder | 0.0.15
capi | 1.58.11
cf-autoscaling | 201.9
cf-backup-and-restore | 0.0.11
cf-cli | 1.5.0
cf-mysql | 36.16.0
cf-networking | 2.3.3
cf-smoke-tests | 40.0.40
cf-syslog-drain | 6.6
cflinuxfs2 | 1.260.0
consul | 195
credhub | 1.9.9
diego | 2.8.7
dotnet-core-offline-buildpack-lts | 2.2.5
garden-runc | 1.16.8
go-offline-buildpack-lts | 1.8.33
haproxy | 8.7.0
java-offline-buildpack-lts | 4.16.1
log-cache | 1.4.7
loggregator | 102.8
mysql-monitoring | 8.20.0
nats | 24
nfs-volume | 1.2.6
nodejs-offline-buildpack-lts | 1.6.43
notifications-ui | 33
notifications | 46
php-offline-buildpack-lts | 4.3.70
pivotal-account | 1.9.1
push-apps-manager-release | 665.0.27
push-usage-service-release | 666.0.12
pxc | 0.14.1
python-offline-buildpack-lts | 1.6.28
routing | 0.178.5
ruby-offline-buildpack-lts | 1.7.31
silk | 2.3.4
staticfile-offline-buildpack-lts | 1.4.39
statsd-injector | 1.3.0
syslog | 11.3.2
uaa | 60.11

2.2.11

WARNING: Do not upgrade directly to this release from PAS v2.1.x. For more information, see Downtime when Upgrading from v2.1 to v2.2.7 or Later.

  • [Security Fix] Upgrade UAA to 60.9 to address CVE-2018-15754
  • [Feature Improvement] Improved logging and error handling for Diego Sync job
  • [Feature Improvement] Blobstore pre-start performance enhancement
  • [Bug Fix] Remove log noise from Reverse Log Proxy and TrafficController
  • [Bug Fix] Fix memory allocated to be multiplied by number of instances for each process on space page app tab
  • [Bug Fix] Ensure that the encoding used by Credhub is UTF-8
  • [Bug Fix] VXLAN-policy-agent now opens ports in non-ephemeral port range
  • [Bug Fix] Fix help text for TCP router ports because comma separated lists of ports are not supported
  • [Bug Fix] Ensure logs and metrics are forwarded by adding syslog_forwarder and loggregator_agent to VMs missing them
  • Bump ubuntu-trusty stemcell to version 3586.60
  • Bump capi to version 1.58.10
  • Bump cf-smoke-tests to version 40.0.40
  • Bump cflinuxfs2 to version 1.255.0
  • Bump credhub to version 1.9.9
  • Bump dotnet-core-offline-buildpack-lts to version 2.2.0
  • Bump go-offline-buildpack-lts to version 1.8.29
  • Bump loggregator to version 102.8
  • Bump nodejs-offline-buildpack-lts to version 1.6.34
  • Bump php-offline-buildpack-lts to version 4.3.64
  • Bump push-apps-manager-release to version 665.0.24
  • Bump python-offline-buildpack-lts to version 1.6.23
  • Bump ruby-offline-buildpack-lts to version 1.7.27
  • Bump silk to version 2.3.4
  • Bump staticfile-offline-buildpack-lts to version 1.4.35
  • Bump uaa to version 60.9
Component | Version
ubuntu-trusty stemcell | 3586.60
backup-and-restore-sdk | 1.7.1
binary-offline-buildpack-lts | 1.0.27
bosh-dns-aliases | 0.0.2
bosh-system-metrics-forwarder | 0.0.15
capi | 1.58.10
cf-autoscaling | 201.9
cf-backup-and-restore | 0.0.11
cf-cli | 1.5.0
cf-mysql | 36.16.0
cf-networking | 2.3.3
cf-smoke-tests | 40.0.40
cf-syslog-drain | 6.6
cflinuxfs2 | 1.255.0
consul | 195
credhub | 1.9.9
diego | 2.8.4
dotnet-core-offline-buildpack-lts | 2.2.0
garden-runc | 1.16.1
go-offline-buildpack-lts | 1.8.29
haproxy | 8.7.0
java-offline-buildpack-lts | 4.16.1
log-cache | 1.4.7
loggregator | 102.8
mysql-monitoring | 8.20.0
nats | 24
nfs-volume | 1.2.6
nodejs-offline-buildpack-lts | 1.6.34
notifications-ui | 33
notifications | 46
php-offline-buildpack-lts | 4.3.64
pivotal-account | 1.9.1
push-apps-manager-release | 665.0.24
push-usage-service-release | 666.0.12
pxc | 0.14.0
python-offline-buildpack-lts | 1.6.23
routing | 0.178.4
ruby-offline-buildpack-lts | 1.7.27
silk | 2.3.4
staticfile-offline-buildpack-lts | 1.4.35
statsd-injector | 1.3.0
syslog | 11.3.2
uaa | 60.9

2.2.10

WARNING: Do not upgrade directly to this release from PAS v2.1.x. For more information, see Downtime when Upgrading from v2.1 to v2.2.7 or Later.

  • [Security Fix] Update JDK to latest patch release for Autoscaler
  • [Security Fix] Address leak of CF admin credentials into NFS broker bosh errand logs
  • [Security Fix] Fix issue where policy server API responses did not contain X-Frame-Options and Content-Security-Policy
  • [Security Fix] Rotate diego intermediate CA before current certificate expires
  • [Feature Improvement] Improve performance of the system_report/service_usages endpoint in the usages-service to prevent potential 502 or 504 responses on larger deployments
  • [Feature Improvement] Fix error handling to report NFS mount failures in CF application logs
  • [Feature Improvement] Update version number in link to docs page for Apps Manager
  • [Bug Fix] Show more helpful error message in Apps Manager when toggling on Autoscaler fails
  • [Bug Fix] Allow scaling of individual processes in multiprocess app when some processes are scaled to zero
  • [Bug Fix] Prevent container IPs from leaking by enforcing that TCP RST messages always have the cell ip as the source ip
  • [Bug Fix] Fix issue where the CAPI sync job fails when TCP routes are being used
  • [Bug Fix] Fix issue where configured database connection timeout for silk was not applied when using an external database
  • [Bug Fix] Fix race condition during installation of buildpacks
  • Bump ubuntu-trusty stemcell to version 3586.57
  • Bump capi to version 1.58.8
  • Bump cf-autoscaling to version 201.9
  • Bump cf-mysql to version 36.16.0
  • Bump cf-networking to version 2.3.3
  • Bump cf-smoke-tests to version 40.0.17
  • Bump cflinuxfs2 to version 1.249.0
  • Bump nfs-volume to version 1.2.6
  • Bump push-apps-manager-release to version 665.0.22
  • Bump push-usage-service-release to version 666.0.12
  • Bump silk to version 2.3.3
Component | Version
ubuntu-trusty stemcell | 3586.57
backup-and-restore-sdk | 1.7.1
binary-offline-buildpack-lts | 1.0.27
bosh-dns-aliases | 0.0.2
bosh-system-metrics-forwarder | 0.0.15
capi | 1.58.8
cf-autoscaling | 201.9
cf-backup-and-restore | 0.0.11
cf-cli | 1.5.0
cf-mysql | 36.16.0
cf-networking | 2.3.3
cf-smoke-tests | 40.0.17
cf-syslog-drain | 6.6
cflinuxfs2 | 1.249.0
consul | 195
credhub | 1.9.3
diego | 2.8.4
dotnet-core-offline-buildpack-lts | 2.1.5
garden-runc | 1.16.1
go-offline-buildpack-lts | 1.8.28
haproxy | 8.7.0
java-offline-buildpack-lts | 4.16.1
log-cache | 1.4.7
loggregator | 102.7
mysql-monitoring | 8.20.0
nats | 24
nfs-volume | 1.2.6
nodejs-offline-buildpack-lts | 1.6.32
notifications-ui | 33
notifications | 46
php-offline-buildpack-lts | 4.3.61
pivotal-account | 1.9.1
push-apps-manager-release | 665.0.22
push-usage-service-release | 666.0.12
pxc | 0.14.0
python-offline-buildpack-lts | 1.6.21
routing | 0.178.4
ruby-offline-buildpack-lts | 1.7.24
silk | 2.3.3
staticfile-offline-buildpack-lts | 1.4.32
statsd-injector | 1.3.0
syslog | 11.3.2
uaa | 60.8

2.2.9

WARNING: Do not upgrade directly to this release from PAS v2.1.x. For more information, see Downtime when Upgrading from v2.1 to v2.2.7 or Later.

  • [Security Fix] Bump UAA for CVEs
  • [Feature Improvement] Improve router pruning behavior when route integrity is enabled
  • [Feature Improvement] Operators can specify the Diego executor properties for memory usage and disk capacity in order to enable finer grained resource usage strategies
  • [Bug Fix] Enforce that max_valid_packages_stored and max_staged_droplets_stored be >= 1
  • [Bug Fix] Do not produce duplicate schedules when updating a schedule in Apps Manager
  • Bump ubuntu-trusty stemcell to version 3586.52
  • Bump cflinuxfs2 to version 1.245.0
  • Bump push-apps-manager-release to version 665.0.20
  • Bump routing to version 0.178.4
  • Bump uaa to version 60.8
Component | Version
ubuntu-trusty stemcell | 3586.52
backup-and-restore-sdk | 1.7.1
binary-offline-buildpack-lts | 1.0.27
bosh-dns-aliases | 0.0.2
bosh-system-metrics-forwarder | 0.0.15
capi | 1.58.7
cf-autoscaling | 201.8
cf-backup-and-restore | 0.0.11
cf-cli | 1.5.0
cf-mysql | 36.14.0
cf-networking | 2.3.1
cf-smoke-tests | 40.0.10
cf-syslog-drain | 6.6
cflinuxfs2 | 1.245.0
consul | 195
credhub | 1.9.3
diego | 2.8.4
dotnet-core-offline-buildpack-lts | 2.1.5
garden-runc | 1.16.1
go-offline-buildpack-lts | 1.8.28
haproxy | 8.7.0
java-offline-buildpack-lts | 4.16.1
log-cache | 1.4.7
loggregator | 102.7
mysql-monitoring | 8.20.0
nats | 24
nfs-volume | 1.2.3
nodejs-offline-buildpack-lts | 1.6.32
notifications-ui | 33
notifications | 46
php-offline-buildpack-lts | 4.3.61
pivotal-account | 1.9.1
push-apps-manager-release | 665.0.20
push-usage-service-release | 666.0.11
pxc | 0.14.0
python-offline-buildpack-lts | 1.6.21
routing | 0.178.4
ruby-offline-buildpack-lts | 1.7.24
silk | 2.3.0
staticfile-offline-buildpack-lts | 1.4.32
statsd-injector | 1.3.0
syslog | 11.3.2
uaa | 60.8

2.2.8

WARNING: Do not upgrade directly to this release from PAS v2.1.x. For more information, see Downtime when Upgrading from v2.1 to v2.2.7 or Later.

  • [Security Fix] log-cache no longer supports TLS 1.0 and TLS 1.1
  • [Feature Improvement] Split up networking policy server database migrations to reduce the risk of a failure causing a partial migration
  • [Feature Improvement] Improve error messages logged by Cloud Controller when there are Azure blobstore failures
  • [Feature Improvement] Update name of the Small Footprint PAS tile shown on the tile in Ops Manager UI
  • [Feature Improvement] clock_global now defaults to 2 instances to be highly available
  • [Feature Improvement] Allow disabling connection pooling for autoscaler API & escape special characters in external database passwords
  • [Bug Fix] Prevent potential memory leak when Cloud Controller’s space summary endpoint is called under certain usage conditions
  • [Bug Fix] Fix manual configuration of load balancers for SSH to application containers on Small Footprint PAS (SF-PAS)
  • Bump ubuntu-trusty stemcell to version 3586.46
  • Bump capi to version 1.58.7
  • Bump cf-autoscaling to version 201.8
  • Bump cf-networking to version 2.3.1
  • Bump cf-smoke-tests to version 40.0.10
  • Bump cflinuxfs2 to version 1.242.0
  • Bump diego to version 2.8.4
  • Bump go-offline-buildpack-lts to version 1.8.28
  • Bump java-offline-buildpack-lts to version 4.16.1
  • Bump log-cache to version 1.4.7
  • Bump ruby-offline-buildpack-lts to version 1.7.24
Component | Version
ubuntu-trusty stemcell | 3586.46
backup-and-restore-sdk | 1.7.1
binary-offline-buildpack-lts | 1.0.27
bosh-dns-aliases | 0.0.2
bosh-system-metrics-forwarder | 0.0.15
capi | 1.58.7
cf-autoscaling | 201.8
cf-backup-and-restore | 0.0.11
cf-cli | 1.5.0
cf-mysql | 36.14.0
cf-networking | 2.3.1
cf-smoke-tests | 40.0.10
cf-syslog-drain | 6.6
cflinuxfs2 | 1.242.0
consul | 195
credhub | 1.9.3
diego | 2.8.4
dotnet-core-offline-buildpack-lts | 2.1.5
garden-runc | 1.16.1
go-offline-buildpack-lts | 1.8.28
haproxy | 8.7.0
java-offline-buildpack-lts | 4.16.1
log-cache | 1.4.7
loggregator | 102.7
mysql-monitoring | 8.20.0
nats | 24
nfs-volume | 1.2.3
nodejs-offline-buildpack-lts | 1.6.32
notifications-ui | 33
notifications | 46
php-offline-buildpack-lts | 4.3.61
pivotal-account | 1.9.1
push-apps-manager-release | 665.0.19
push-usage-service-release | 666.0.11
pxc | 0.14.0
python-offline-buildpack-lts | 1.6.21
routing | 0.178.3
ruby-offline-buildpack-lts | 1.7.24
silk | 2.3.0
staticfile-offline-buildpack-lts | 1.4.32
statsd-injector | 1.3.0
syslog | 11.3.2
uaa | 60.2

2.2.7

WARNING: Do not upgrade directly to this release from PAS v2.1.x. For more information, see Downtime when Upgrading from v2.1 to v2.2.7 or Later.

  • [Security Fix] Bump garden-runc to prevent malicious users from causing a denial of service for other apps
  • [Feature Improvement] Improve nfs blobstore pre-start performance
  • [Bug Fix] Space and org managers can now view app logs in Apps Manager
  • [Bug Fix] Fix unsafe logic in NFS unmount and drain code that may lead to deletion of files on remote NFS shares.
  • [Bug Fix] PAS 2.1.14 upgrade fails with Error: release 'cf-networking/1.10.2' has already been uploaded
  • [Bug Fix] Fix issue in loggregator where AZ names with special characters could cause metron agent job to fail
  • [Bug Fix] Fix issue where the PAS tile could be incorrectly downloaded when upgrading SF-PAS via PivNet
  • [Bug Fix] Fix parse error for syslog rules when iptables logging is enabled
  • Bump binary-offline-buildpack-lts to version 1.0.27
  • Bump capi to version 1.58.5
  • Bump cf-cli to version 1.5.0
  • Bump cf-smoke-tests to version 40.0.9
  • Bump cf-syslog-drain to version 6.6
  • Bump cflinuxfs2 to version 1.238.0
  • Bump dotnet-core-offline-buildpack-lts to version 2.1.5
  • Bump garden-runc to version 1.16.1
  • Bump go-offline-buildpack-lts to version 1.8.27
  • Bump java-offline-buildpack-lts to version 4.15.1
  • Bump loggregator to version 102.7
  • Bump nfs-volume to version 1.2.3
  • Bump nodejs-offline-buildpack-lts to version 1.6.32
  • Bump php-offline-buildpack-lts to version 4.3.61
  • Bump push-apps-manager-release to version 665.0.19
  • Bump pxc to version 0.14.0
  • Bump python-offline-buildpack-lts to version 1.6.21
  • Bump ruby-offline-buildpack-lts to version 1.7.23
  • Bump staticfile-offline-buildpack-lts to version 1.4.32
  • Bump stemcell ubuntu-trusty to version 3586.43
Component | Version
stemcell | 3586.43
backup-and-restore-sdk | 1.7.1
binary-offline-buildpack | 1.0.27
bosh-dns-aliases | 0.0.2
bosh-system-metrics-forwarder | 0.0.15
capi | 1.58.5
cf-autoscaling | 201.3
cf-backup-and-restore | 0.0.11
cf-cli | 1.5.0
cf-mysql | 36.14.0
cf-networking | 2.3.0
cf-smoke-tests | 40.0.9
cf-syslog-drain | 6.6
cflinuxfs2 | 1.238.0
consul | 195
credhub | 1.9.3
diego | 2.8.2
dotnet-core-offline-buildpack | 2.1.5
garden-runc | 1.16.1
go-offline-buildpack | 1.8.27
haproxy | 8.7.0
java-offline-buildpack | 4.15.1
log-cache | 1.4.4
loggregator | 102.7
mysql-monitoring | 8.20.0
nats | 24
nfs-volume | 1.2.3
nodejs-offline-buildpack | 1.6.32
notifications | 46
notifications-ui | 33
php-offline-buildpack | 4.3.61
pivotal-account | 1.9.1
push-apps-manager-release | 665.0.19
push-usage-service-release | 666.0.11
pxc | 0.14.0
python-offline-buildpack | 1.6.21
routing | 0.178.3
ruby-offline-buildpack | 1.7.23
staticfile-offline-buildpack | 1.4.32
statsd-injector | 1.3.0
silk | 2.3.0
syslog | 11.3.2
uaa | 60.2
* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

2.2.6

  • [Security Fix] Prevent app developers from registering an NFS service broker that issues service bindings with uid and gid specified when LDAP is enabled
  • [Feature Improvement] Update BOSH DNS configuration to allow resolving BBS and Auctioneer servers on unhealthy VMs
  • [Feature Improvement] Operators can configure the maximum number of packages and droplets to store
  • [Feature Improvement] Operators can override connection timeout values for the cloud controller database to prevent downtime when MySQL proxy VMs are recreated
  • [Feature Improvement] Update PAS 2.2 with binary-buildpacks that have stack associations
  • [Bug Fix] Fix issue where the SF-PAS tile could be incorrectly downloaded when upgrading PAS via PivNet
  • [Bug Fix] Improve performance to reduce chance of failed database migrations during upgrades of usage service
  • [Bug Fix] Fixes and improvements for Apps Manager
    • When the Autoscaler is not installed, prevent a crash that occurs on the app page
    • When creating a space as admin, make the admin a member of the corresponding organization
    • Improved the display of service plan costs when costs are not integers as expected
    • Prevent a page crash that occurs when there are no upcoming scheduled limit changes
  • Bump binary-offline-buildpack to version 1.0.25
  • Bump push-apps-manager-release to version 665.0.18
  • Bump push-usage-service-release to version 666.0.11
  • Bump stemcell ubuntu-trusty to version 3586.42
Component | Version
stemcell | 3586.42
backup-and-restore-sdk | 1.7.1
binary-offline-buildpack | 1.0.25
bosh-dns-aliases | 0.0.2
bosh-system-metrics-forwarder | 0.0.15
capi | 1.58.4
cf-autoscaling | 201.3
cf-backup-and-restore | 0.0.11
cf-mysql | 36.14.0
cf-networking | 2.3.0
cf-smoke-tests | 40.0.8
cf-syslog-drain | 6.5
cflinuxfs2 | 1.235.0
consul | 195
credhub | 1.9.3
diego | 2.8.2
dotnet-core-offline-buildpack | 2.1.3
garden-runc | 1.13.3
go-offline-buildpack | 1.8.25
haproxy | 8.7.0
java-offline-buildpack | 4.13.1
log-cache | 1.4.4
loggregator | 102.4
mysql-monitoring | 8.20.0
nats | 24
nfs-volume | 1.2.2
nodejs-offline-buildpack | 1.6.28
notifications | 46
notifications-ui | 33
php-offline-buildpack | 4.3.57
pivotal-account | 1.9.1
push-apps-manager-release | 665.0.18
push-usage-service-release | 666.0.11
python-offline-buildpack | 1.6.18
pxc | 0.9.0
routing | 0.178.3
ruby-offline-buildpack | 1.7.21
staticfile-offline-buildpack | 1.4.29
statsd-injector | 1.3.0
silk | 2.3.0
syslog | 11.3.2
uaa | 60.2
* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

2.2.5

  • [Security Fix] Bump usage service for CVE-2018-11086
  • [Security Fix] Bump Apps Manager for CVE-2018-11088
    • Fix security vulnerability: CVE-2018-11088
    • Fix typo in autoscaling flyout
    • Text changes to improve actuator integration with Steeltoe
    • Steeltoe heap dumps should have extension .dmp
    • Fix Spring endpoints not appearing in app actions dropdown for Spring 2.0 apps
    • Fix Spring “View Raw JSON” feature not appearing when git info not present on app
    • Fix occasionally incorrect display of app processes when scaling app memory or disk
    • Fix app remaining in “Starting…” state after scaling
    • Fix autoscale instance limits not refreshing in flyout after applying changes
  • [Bug Fix] Autoscaler uses https to communicate with log-cache instead of http
  • [Bug Fix] Configure PXC MySQL to listen on port that will not conflict with processes that get a random port (Small Footprint Only)
    • Change MySQL from listening on port 33306 to 13306 for Small Footprint PAS
  • [Feature Improvement] Do not back up resources bucket as it is not restored
    • The property .properties.system_blobstore.external.resources_bucket.value has been deprecated and will be removed in 2.3
  • Bump bosh-system-metrics-forwarder to version 0.0.15
  • Bump cf-autoscaling to version 201.3
  • Bump cf-smoke-tests to version 40.0.8
  • Bump cflinuxfs2 to version 1.235.0
  • Bump log-cache to version 1.4.4
  • Bump pivotal-account to version 1.9.1
  • Bump push-apps-manager-release to version 665.0.17
  • Bump push-usage-service-release to version 666.0.10
  • Bump routing to version 0.178.3
  • Bump stemcell ubuntu-trusty to version 3586.40
Component | Version
stemcell | 3586.40
backup-and-restore-sdk | 1.7.1
binary-offline-buildpack | 1.0.21
bosh-dns-aliases | 0.0.2
bosh-system-metrics-forwarder | 0.0.15
capi | 1.58.4
cf-autoscaling | 201.3
cf-backup-and-restore | 0.0.11
cf-mysql | 36.14.0
cf-networking | 2.3.0
cf-smoke-tests | 40.0.8
cf-syslog-drain | 6.5
cflinuxfs2 | 1.235.0
consul | 195
credhub | 1.9.3
diego | 2.8.2
dotnet-core-offline-buildpack | 2.1.3
garden-runc | 1.13.3
go-offline-buildpack | 1.8.25
haproxy | 8.7.0
java-offline-buildpack | 4.13.1
log-cache | 1.4.4
loggregator | 102.4
mysql-monitoring | 8.20.0
nats | 24
nfs-volume | 1.2.2
nodejs-offline-buildpack | 1.6.28
notifications | 46
notifications-ui | 33
php-offline-buildpack | 4.3.57
pivotal-account | 1.9.1
push-apps-manager-release | 665.0.17
push-usage-service-release | 666.0.10
python-offline-buildpack | 1.6.18
pxc | 0.9.0
routing | 0.178.3
ruby-offline-buildpack | 1.7.21
staticfile-offline-buildpack | 1.4.29
statsd-injector | 1.3.0
silk | 2.3.0
syslog | 11.3.2
uaa | 60.2
* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

2.2.4

  • [Feature Improvement] Improve performance for nfs-experimental readonly mounts and those that don’t set the uid and gid parameters
  • [Bug Fix] Fix autoscaler and smoke test failures when using database with timezone setting other than UTC
  • [Bug Fix] Fixes BBS communication with Locket issue on startup when deploying with BOSH DNS enabled
  • [Bug Fix] Apps Manager: Fix spaces count on org page
  • [Bug Fix] Apps Manager: When the autoscaler service fails to toggle, show an error flash message
  • [Bug Fix] Apps Manager: A space developer can map a route without providing a hostname
  • [Bug Fix] Apps Manager: Fix crash on app page overview tab when spring health endpoint returns an array of objects instead of an array of strings
  • Bump cf-autoscaling to version 201.1
  • Bump cf-smoke-tests to version 40.0.6
  • Bump cflinuxfs2 to version 1.229.0
  • Bump diego to version 2.8.2
  • Bump log-cache to version 1.3.0
  • Bump nfs-volume to version 1.2.2
  • Bump push-apps-manager-release to version 665.0.14
  • Bump routing to version 0.178.2
  • Bump stemcell to version 3586.27
Component | Version
stemcell | 3586.27
backup-and-restore-sdk | 1.7.1
binary-offline-buildpack | 1.0.21
bosh-dns-aliases | 0.0.2
bosh-system-metrics-forwarder | 0.0.11
capi | 1.58.4
cf-autoscaling | 201.1
cf-backup-and-restore | 0.0.11
cf-mysql | 36.14.0
cf-networking | 2.3.0
cf-smoke-tests | 40.0.6
cf-syslog-drain | 6.5
cflinuxfs2 | 1.229.0
consul | 195
credhub | 1.9.3
diego | 2.8.2
dotnet-core-offline-buildpack | 2.1.3
garden-runc | 1.13.3
go-offline-buildpack | 1.8.25
haproxy | 8.7.0
java-offline-buildpack | 4.13.1
log-cache | 1.3.0
loggregator | 102.4
mysql-monitoring | 8.20.0
nats | 24
nfs-volume | 1.2.2
nodejs-offline-buildpack | 1.6.28
notifications | 46
notifications-ui | 33
php-offline-buildpack | 4.3.57
pivotal-account | 1.9.0
push-apps-manager-release | 665.0.14
push-usage-service-release | 666.0.2
python-offline-buildpack | 1.6.18
pxc | 0.9.0
routing | 0.178.2
ruby-offline-buildpack | 1.7.21
staticfile-offline-buildpack | 1.4.29
statsd-injector | 1.3.0
silk | 2.3.0
syslog | 11.3.2
uaa | 60.2
* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

2.2.3

  • [Feature Improvement] Loggregator agent egresses preferred tags instead of DeprecatedTags in loggregator envelopes. This fixes a high CPU issue in Doppler cluster.
  • [Feature Improvement] Fix issue where fileserver assets were not correctly invalidated in Diego cell caches after an upgrade
  • [Feature Improvement] capi /v2/info endpoint returns additional metadata for name, build and description
  • [Feature Improvement] Add the healthwatch_api_admin UAA client to allow access to the Healthwatch API
  • [Feature Improvement] Retry blobstore uploads when GCS returns transmission error
  • [Feature Improvement] Allow operators to configure application health check timeout in PAS
  • [Feature Improvement] Move encryption key field to the top of the Credhub page
  • [Bug Fix] Fix TLS pruning behavior for Gorouter
  • [Bug Fix] Apps using a Docker image from an insecure registry configured in the Private Docker Insecure Registry Whitelist can now be staged successfully.
  • [Bug Fix] Fix option “HAProxy requests but does not require client certificates.”
  • [Bug Fix] Bump Apps Manager with changes
    • When creating new services, no longer show org-scoped services from other organizations
    • Org Managers and Admins can leave organizations
    • When visiting Apps Manager on an environment where UAA has a self-signed SSL cert, do not blue screen; redirect to the UAA login page.
  • [Bug Fix] Fix performance and data consistency issues in Log Cache.
  • [Bug Fix] Set cloud controller staging timeout value on all cloud controller jobs to allow large apps to stage before the timeout.
  • Bump capi to version 1.58.4
  • Bump diego to version 2.8.1
  • Bump java-offline-buildpack to version 4.13.1
  • Bump log-cache to version 1.4.0
  • Bump loggregator to version 102.4
  • Bump mysql-monitoring to version 8.20.0
  • Bump push-apps-manager-release to version 665.0.13
  • Bump routing to version 0.178.1
  • Bump stemcell to version 3586.26
Component | Version
stemcell | 3586.26
backup-and-restore-sdk | 1.7.1
binary-offline-buildpack | 1.0.21
bosh-dns-aliases | 0.0.2
bosh-system-metrics-forwarder | 0.0.11
capi | 1.58.4
cf-autoscaling | 201.0.0
cf-backup-and-restore | 0.0.11
cf-mysql | 36.14.0
cf-networking | 2.3.0
cf-smoke-tests | 40.0.5
cf-syslog-drain | 6.5
cflinuxfs2 | 1.227.0
consul | 195
credhub | 1.9.3
diego | 2.8.1
dotnet-core-offline-buildpack | 2.1.3
garden-runc | 1.13.3
go-offline-buildpack | 1.8.25
haproxy | 8.7.0
java-offline-buildpack | 4.13.1
log-cache | 1.4.0
loggregator | 102.4
mysql-monitoring | 8.20.0
nats | 24
nfs-volume | 1.2.1
nodejs-offline-buildpack | 1.6.28
notifications | 46
notifications-ui | 33
php-offline-buildpack | 4.3.57
pivotal-account | 1.9.0
push-apps-manager-release | 665.0.13
push-usage-service-release | 666.0.2
python-offline-buildpack | 1.6.18
pxc | 0.9.0
routing | 0.178.1
ruby-offline-buildpack | 1.7.21
staticfile-offline-buildpack | 1.4.29
statsd-injector | 1.3.0
silk | 2.3.0
syslog | 11.3.2
uaa | 60.2
* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

2.2.2

  • [Feature Improvement] Add ability to configure HAproxy client certificate verification
  • [Security Fix] Bump UAA for CVE-2018-11047 (https://www.cloudfoundry.org/blog/cve-2018-11047/)
  • Bump cflinuxfs2 to version 1.227.0
  • Bump java-offline-buildpack to version 4.13
  • Bump uaa to version 60.2

Component Version
stemcell 3586.24
backup-and-restore-sdk 1.7.1
binary-offline-buildpack 1.0.21
bosh-dns-aliases 0.0.2
bosh-system-metrics-forwarder 0.0.11
capi 1.58.1
cf-autoscaling 201.0.0
cf-backup-and-restore 0.0.11
cf-mysql 36.14.0
cf-networking 2.3.0
cf-smoke-tests 40.0.5
cf-syslog-drain 6.5
cflinuxfs2 1.227.0
consul 195
credhub 1.9.3
diego 2.8.0
dotnet-core-offline-buildpack 2.1.3
garden-runc 1.13.3
go-offline-buildpack 1.8.25
haproxy 8.7.0
java-offline-buildpack 4.13
log-cache 1.3.0
loggregator 102.2
mysql-monitoring 8.18.0
nats 24
nfs-volume 1.2.1
nodejs-offline-buildpack 1.6.28
notifications 46
notifications-ui 33
php-offline-buildpack 4.3.57
pivotal-account 1.9.0
push-apps-manager-release 665.0.11
push-usage-service-release 666.0.2
python-offline-buildpack 1.6.18
pxc 0.9.0
routing 0.178.0
ruby-offline-buildpack 1.7.21
staticfile-offline-buildpack 1.4.29
statsd-injector 1.3.0
silk 2.3.0
syslog 11.3.2
uaa 60.2
* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

2.2.1

  • [Feature Improvement] Allows PCF Metrics to be installed with both v1.5 and v1.4 versions to prevent data loss.
  • [Bug Fix] Bump cf-smoke-tests-release to 40.0.5 to fix some flakiness
  • [Security Fix] Bump apps manager for CVE-2018-11044
    • When creating new services, no longer show org-scoped services from other organizations
    • Org Managers and Admins can leave organizations
  • [Security Fix] Bump loggregator release for CVE-2018-1268 and CVE-2018-1269
  • [Bug Fix] Bump consul to v195
    • Includes golang 1.9.7, removes golang 1.8.*.
    • Deploying v193 could fail on some deployments due to a conflict with other tiles that compiled the release differently
    • Fixes intermittent consul DNS issues on Windows Cells
  • Bump binary-offline-buildpack to version 1.0.21
  • Bump cf-smoke-tests to version 40.0.5
  • Bump cflinuxfs2 to version 1.223.0
  • Bump consul to version 195
  • Bump dotnet-core-offline-buildpack to version 2.1.3
  • Bump go-offline-buildpack to version 1.8.25
  • Bump loggregator to version 102.2
  • Bump nodejs-offline-buildpack to version 1.6.28
  • Bump php-offline-buildpack to version 4.3.57
  • Bump push-apps-manager-release to version 665.0.11
  • Bump python-offline-buildpack to version 1.6.18
  • Bump ruby-offline-buildpack to version 1.7.21
  • Bump staticfile-offline-buildpack to version 1.4.29

Component Version
stemcell 3586.24
backup-and-restore-sdk 1.7.1
binary-offline-buildpack 1.0.21
bosh-dns-aliases 0.0.2
bosh-system-metrics-forwarder 0.0.11
capi 1.58.1
cf-autoscaling 201.0.0
cf-backup-and-restore 0.0.11
cf-mysql 36.14.0
cf-networking 2.3.0
cf-smoke-tests 40.0.5
cf-syslog-drain 6.5
cflinuxfs2 1.223.0
consul 195
credhub 1.9.3
diego 2.8.0
dotnet-core-offline-buildpack 2.1.3
garden-runc 1.13.3
go-offline-buildpack 1.8.25
haproxy 8.7.0
java-offline-buildpack 4.12.1
log-cache 1.3.0
loggregator 102.2
mysql-monitoring 8.18.0
nats 24
nfs-volume 1.2.1
nodejs-offline-buildpack 1.6.28
notifications 46
notifications-ui 33
php-offline-buildpack 4.3.57
pivotal-account 1.9.0
push-apps-manager-release 665.0.11
push-usage-service-release 666.0.2
python-offline-buildpack 1.6.18
pxc 0.9.0
routing 0.178.0
ruby-offline-buildpack 1.7.21
staticfile-offline-buildpack 1.4.29
statsd-injector 1.3.0
silk 2.3.0
syslog 11.3.2
uaa 60
* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

2.2.0

Component Version
stemcell 3586.24
backup-and-restore-sdk 1.7.1
binary-offline-buildpack 1.0.18
bosh-dns-aliases 0.0.2
bosh-system-metrics-forwarder 0.0.11
capi 1.58.1
cf-autoscaling 201.0.0
cf-backup-and-restore 0.0.11
cf-mysql 36.14.0
cf-networking 2.3.0
cf-smoke-tests 40.0.4
cf-syslog-drain 6.5
cflinuxfs2 1.220.0
consul 194
credhub 1.9.3
diego 2.8.0
dotnet-core-offline-buildpack 2.0.7
garden-runc 1.13.3
go-offline-buildpack 1.8.23
haproxy 8.7.0
java-offline-buildpack 4.12.1
log-cache 1.3.0
loggregator 102.1
mysql-monitoring 8.18.0
nats 24
nfs-volume 1.2.1
nodejs-offline-buildpack 1.6.25
notifications 46
notifications-ui 33
php-offline-buildpack 4.3.56
pivotal-account 1.9.0
push-apps-manager-release 665.0.9
push-usage-service-release 666.0.2
python-offline-buildpack 1.6.17
pxc 0.9.0
routing 0.178.0
ruby-offline-buildpack 1.7.19
staticfile-offline-buildpack 1.4.28
statsd-injector 1.3.0
silk 2.3.0
syslog 11.3.2
uaa 60
* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

How to Upgrade

The procedure for upgrading to Pivotal Application Service (PAS) v2.2 is documented in the Upgrading Pivotal Cloud Foundry topic.

When upgrading to v2.2, be aware of the following upgrade considerations:

  • If you previously used an earlier version of PAS, you must first upgrade to PAS v2.1 to successfully upgrade to PAS v2.2.

  • Some partner service tiles may be incompatible with PCF v2.2. Pivotal is working with partners to ensure their tiles are updated to work with the latest versions of PCF.

    For information about which partner service releases are currently compatible with PCF v2.2, review the appropriate partner service release documentation at https://docs.pivotal.io, or contact the partner organization that produces the tile.

New Features in PAS v2.2

More Secure Cipher Suites for CF SSH Proxy

The CF SSH proxy accepts a narrower range of ciphers, MACs, and key exchanges. This change improves the security of CF SSH sessions.

These SSH proxy settings are not configurable in the PAS tile.

Note: This change may be incompatible with SSH clients other than cf ssh. See SSH Proxy Security Configuration for more information about the supported ciphers, MACs, and key exchanges.

TLS-Encrypted Option for Internal System Databases

For internal system databases, PAS now supports a more secure Percona Server database with TLS-encrypted communication between server nodes, as well as the previous MariaDB option. See Migrate to TLS Communication for details.

WARNING: Migrating PAS internal databases to using TLS causes temporary downtime of PAS system functions. It does not interrupt apps hosted by PAS.

Support for AWS Instance Profiles

PAS now supports AWS instance profiles when you are configuring an S3 filestore. Either an instance profile or an access and secret key are required.

For more information, see the External or S3 Filestore section of the PAS installation topic for your IaaS.

Unversioned S3 Buckets for Backups

PAS can now back up unversioned S3 buckets used for external file storage, saving backup artifacts to separate, dedicated backup buckets. For more information, see the External or S3 Filestore section of the PAS installation topic for your IaaS.

Gorouter Logging Changes for GDPR Compliance

Operators can now disable logging of client IP addresses in the Gorouter to comply with the General Data Protection Regulation (GDPR).

This setting, Logging of Client IPs in CF Router, is configured in the Networking pane of the PAS tile. You can disable logging of the X-Forwarded-For HTTP header only or of both the source IP address and the X-Forwarded-For HTTP header. By default, the Log client IPs option is set in PAS.

For more information about configuring the Logging of Client IPs in CF Router field, see the Configure Networking section of the PAS installation topic for your IaaS.

New Format for Timestamps in Diego Component Logs

The timestamps in the Diego component logs are now in a format compatible with RFC 3339. Log-level identifiers are also formatted as strings instead of numeric codes.

RFC 3339 timestamps are enabled by default for new PAS v2.2 deployments. Upgrades from earlier PAS versions retain the previous component log format with Unix epoch timestamps.

You can enable the new timestamp format for Diego logs in the PAS tile.

For more information, see the Configure Application Containers section of the PAS installation topic for your IaaS.

Breaking Change: Before enabling RFC 3339 format for Diego logs, ensure that your log aggregation system anticipates the timestamp format change. If you experience issues, you can disable RFC 3339 format in the PAS tile.
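
One way a log pipeline can accept both timestamp layouts during the transition, shown as an added example that is not part of the PAS release or its documentation. The JSON field names (timestamp, level, log_level, message), the numeric level order, and the two sample lines are assumptions constructed for this sketch.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
	"time"
)

// Constructed sample lines; the field names and the numeric level order are
// assumptions of this example, not taken from the release notes.
const (
	sampleEpoch   = `{"timestamp":"1529530809.689431190","source":"rep","message":"rep.started","log_level":1}`
	sampleRFC3339 = `{"timestamp":"2018-06-20T21:40:09.689431190Z","source":"rep","message":"rep.started","level":"info"}`
)

var numericLevels = []string{"debug", "info", "error", "fatal"}

// Entry is the normalized record handed to the rest of the pipeline.
type Entry struct {
	Time    time.Time
	Level   string
	Message string
}

// parseTimestamp accepts RFC 3339 or "seconds.fraction" Unix epoch strings.
func parseTimestamp(s string) (time.Time, error) {
	if t, err := time.Parse(time.RFC3339Nano, s); err == nil {
		return t.UTC(), nil
	}
	secStr, frac, _ := strings.Cut(s, ".")
	sec, err := strconv.ParseInt(secStr, 10, 64)
	if err != nil {
		return time.Time{}, fmt.Errorf("unrecognized timestamp %q", s)
	}
	if len(frac) > 9 {
		frac = frac[:9]
	}
	frac += strings.Repeat("0", 9-len(frac)) // pad the fraction to nanoseconds
	nsec, err := strconv.ParseUint(frac, 10, 32)
	if err != nil {
		return time.Time{}, fmt.Errorf("unrecognized timestamp %q", s)
	}
	return time.Unix(sec, int64(nsec)).UTC(), nil
}

// Normalize parses one JSON log line in either layout and rejects lines
// whose timestamp or level cannot be interpreted, so they are not indexed
// under a wrong time.
func Normalize(line string) (Entry, error) {
	var raw struct {
		Timestamp string `json:"timestamp"`
		Level     string `json:"level"`     // string level (RFC 3339 layout)
		LogLevel  *int   `json:"log_level"` // numeric level (epoch layout)
		Message   string `json:"message"`
	}
	if err := json.Unmarshal([]byte(line), &raw); err != nil {
		return Entry{}, fmt.Errorf("not a JSON log line: %w", err)
	}
	ts, err := parseTimestamp(raw.Timestamp)
	if err != nil {
		return Entry{}, err
	}
	level := strings.ToLower(raw.Level)
	if level == "" {
		if raw.LogLevel == nil || *raw.LogLevel < 0 || *raw.LogLevel >= len(numericLevels) {
			return Entry{}, fmt.Errorf("missing or unknown log level")
		}
		level = numericLevels[*raw.LogLevel]
	}
	return Entry{Time: ts, Level: level, Message: raw.Message}, nil
}

func main() {
	for _, line := range []string{sampleEpoch, sampleRFC3339} {
		e, err := Normalize(line)
		fmt.Println(e.Time.Format(time.RFC3339Nano), e.Level, e.Message, err)
	}
}
```

Both sample lines normalize to the same instant and level, which is the property to check in a log aggregation system before switching the format in the tile.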

Task Placement More Resilient to Resource Unavailability

When memory or disk resources are temporarily unavailable, PAS no longer fails application and staging tasks immediately. Instead, it attempts several times to place the task on a Diego cell with sufficient capacity.

This temporary unavailability may occur when many application instances or tasks are being created or destroyed simultaneously or when the Diego Bulletin Board System (BBS) or auctioneer fails to communicate with one or more Diego cells.

For more information about Diego task allocation, see How Diego Balances App Processes.

Instance Identity Certificates Contain CF Org and Space IDs

The instance identity certificates provided to application instance and task containers now contain organizational units with their CF org and space IDs in the certificate subject name. Existing applications must be restarted after an upgrade to PAS v2.2 to receive these new identifiers.

For more information, see Using Instance Identity Credentials.
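
A receiving service can use these identifiers to authorize callers by space, as in the following added example (not code from PAS or its documentation). It assumes the organizational units take the form organization:<guid> and space:<guid>, that the certificate chain has already been verified against the trusted CA, and it builds a throwaway self-signed certificate with constructed GUIDs so that it runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Identity holds the CF identifiers carried in the certificate subject.
type Identity struct{ Org, Space string }

// IdentityFromCert extracts org and space IDs from the subject OUs.
// Assumption: the OUs look like "organization:<guid>" and "space:<guid>".
// Call this only after the chain has been verified against the trusted CA.
func IdentityFromCert(c *x509.Certificate) (Identity, error) {
	var id Identity
	for _, ou := range c.Subject.OrganizationalUnit {
		key, val, ok := strings.Cut(ou, ":")
		if !ok || val == "" {
			continue
		}
		switch {
		case key == "organization" && id.Org == "":
			id.Org = val
		case key == "space" && id.Space == "":
			id.Space = val
		case key == "organization" || key == "space":
			return Identity{}, errors.New("duplicate org or space OU")
		}
	}
	if id.Org == "" || id.Space == "" {
		// Certificates issued before the app was restarted lack these OUs.
		return Identity{}, errors.New("subject has no org/space OUs")
	}
	return id, nil
}

// Authorize fails closed: missing or unlisted identifiers are rejected.
func Authorize(c *x509.Certificate, allowedSpaces map[string]bool) error {
	id, err := IdentityFromCert(c)
	if err != nil {
		return err
	}
	if !allowedSpaces[id.Space] {
		return fmt.Errorf("space %s in org %s is not allowed", id.Space, id.Org)
	}
	return nil
}

// constructedCert builds a throwaway self-signed certificate for the demo.
func constructedCert(ous ...string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "constructed-instance", OrganizationalUnit: ous},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	cert, err := constructedCert("organization:org-guid-1", "space:space-guid-A")
	if err != nil {
		panic(err)
	}
	fmt.Println(Authorize(cert, map[string]bool{"space-guid-A": true}))
}
```

A certificate without the new organizational units is rejected rather than treated as anonymous, which surfaces apps that have not been restarted since the upgrade.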

BOSH DNS Enabled By Default

BOSH DNS is enabled by default for both app containers and PCF components in PCF v2.2.

In previous versions, Consul managed service discovery between PCF components, but Consul is being replaced by BOSH DNS.

Note: In PCF v2.2, Consul and BOSH DNS are both available in PCF, but BOSH DNS is the only service used for DNS requests.

You can disable BOSH DNS if instructed to do so by Pivotal support. If you disabled BOSH DNS in PCF v2.1, reenable it before upgrading to PCF v2.2. For more information, see BOSH DNS Enabled By Default For App Containers and PCF Components.

WARNING: Do not disable BOSH DNS without instructions from Pivotal support. Disabling BOSH DNS will also disable PKS, NSX-T, and several PAS features.

Service Discovery for Container-to-Container Networking Enabled By Default

In PAS v2.1, service discovery for container-to-container networking was an experimental feature that you could opt in to use. In PAS v2.2, this feature is enabled by default, and you can opt out of using it.

For more information about disabling service discovery for container-to-container networking, see the Configure Application Developer Controls section of the PAS installation topic for your IaaS.

DNS Search Domains

PAS v2.2 allows you to configure the DNS search domains to be used in containers by entering a comma-separated list.

For more information, see the DNS Search Domains configuration described in the Container Networking section of the PAS installation topic for your IaaS.

Pivotal Account Replaced by UAA

Prior to PAS v2.2, you could use Pivotal Account to create and manage user accounts. In PAS v2.2, PAS stops using Pivotal Account, and you can now create and manage user accounts through the UAA UI instead.

The Errands pane in the PAS tile replaces Pivotal Account Errand with the Delete Pivotal Account Application errand, which is configured to run automatically. For more information, see the Configure Errands section of the PAS installation topic for your IaaS.

Note: The Delete Pivotal Account Application errand does not delete the account database used by the app.

You can manually delete the account database that remains as an artifact in PAS MySQL by following these steps:

  1. Use bosh ssh to access one of the MySQL VMs in your deployment. See Advanced Troubleshooting with the BOSH CLI for instructions. For example:

    bosh ssh mysql/0
    
  2. Run the following command to start MySQL using the credentials in mylogin.cnf:

    mysql --defaults-file=/var/vcap/jobs/mysql/config/mylogin.cnf
    
  3. Run the following command to delete the account database:

    DROP database account;
    

Loggregator Adds Log Cache in PAS Advanced Features

Loggregator adds an in-memory caching layer for logs and metrics and provides a RESTful interface for retrieving them. Use Log Cache to query and filter logs.

Log Cache is colocated on the Doppler VMs. It speeds up the retrieval of data from the Loggregator system, especially for deployments with a large number of Dopplers. Log Cache uses the available memory on a device to store logs, and so may impact performance during periods of high memory contention.

For more information about Log Cache, see Enable Log Cache.

Breaking Change: If you use Pivotal Application Service’s App Autoscaler, Pivotal strongly recommends enabling Log Cache. App Autoscaler relies on Log Cache’s API endpoints to function properly. If you disable Log Cache, App Autoscaler will fail.

Breaking Change: Because of the addition of the log-cache process to the Doppler VM, the memory requirement for the Doppler VM has been increased to 4GB.

Syslog Draining for Service Instances (Beta)

The cf-drain-cli plugin now enables app developers to bind user-provided syslog drains to service instances. For more information, see the CF Drain CLI Plugin GitHub repository. If a service tile supports syslog drains, app developers can use this plugin to forward logs and metrics from their service instance to an external endpoint.

Forwarding of DEBUG Syslog Messages Disabled by Default

By default, PAS v2.2 does not forward DEBUG syslog messages to external services. The new Don’t Forward Debug Logs checkbox is configurable in the System Logging pane of the PAS tile.

For more information about configuring this checkbox, see the (Optional) Configure System Logging section of the PAS installation topic for your IaaS.

If you currently have a custom rule to filter out DEBUG syslog messages, you can delete it. Before deleting your custom rule, ensure the Don’t Forward Debug Logs checkbox is enabled in the PAS tile.

App Autoscaler UI Integrated into Apps Manager

The App Autoscaler UI is now integrated into Apps Manager. This enables users to configure autoscaling for their apps through Apps Manager. The new UI is based on the App Autoscaler API v2.0.

For more information about scaling apps using App Autoscaler, see Scaling an Application Using App Autoscaler.

Improved App Autoscaler CLI

The App Autoscaler CLI now supports creating custom autoscaling rules and scheduled limit changes for apps bound to the App Autoscaler service.

For more information about the App Autoscaler CLI, see Using the App Autoscaler CLI.

Updated App Autoscaler Metrics Collection Interval Values

This release updates the minimum, maximum, and default values for the Metrics Collection Interval used by the App Autoscaler in PAS. Updated minimum: 60 seconds. Updated maximum: 3600 seconds. Updated default: 120 seconds.

To configure this value, see the (Optional) Configure App Autoscaler section of the PAS installation topic for your IaaS.

App Autoscaler Verbose Logging

Verbose logs are now available for App Autoscaler. Verbose logs show specific reasons why App Autoscaler scaled the app, information on minimum and maximum instance limits, App Autoscaler’s status, and more. Verbose logs result in more detailed logs, but do not otherwise impact performance.

To enable verbose logs, select the Verbose Logging checkbox in the App Autoscaler pane.

For more information, see the (Optional) Configure App Autoscaler section of the PAS installation topic for your IaaS.

Improved Session Management Behavior in Apps Manager

Users are now logged out of Apps Manager when they log out of UAA or their UAA session expires. You can configure the Global Login Session Max Timeout and Global Login Session Idle Timeout values in the UAA pane of the PAS tile.

Health Check Invocation Timeout is Configurable via Cloud Controller V3 API

This V3 API endpoint allows users to change the duration of a health check invocation timeout. An invocation timeout is a period of time within a standard timeout period, during which a health check assesses the health of your app. A responsive app is marked as alive, but an unresponsive app is marked as dead.

By default, the health check invocation timeout is set to one second. Increasing the invocation timeout period allows health checks to perform complex actions that may exceed the default timeout setting. A longer invocation timeout period may prevent your app from being marked as dead when it is actually healthy.

Change the invocation timeout period with the invocation_timeout flag in the healthcheck API.

For more information, see The health_check object.

Selector-Based Subscription Model and Reference Nozzles

You can request Firehose subscriptions that filter out all unspecified content using the Loggregator v2 API endpoint from the Reverse Log Proxy.

For examples of nozzles that use the Loggregator V2 API and consume only specified whitelisted metrics, see rlpreader and rlptypereader in the loggregator-tools repository.

For more information about this feature, see the V2 Subscriptions page of the loggregator-release repository.

Known Issues

Downtime when Upgrading from v2.1 to v2.2.7 or Later

Upgrading directly from PAS v2.1.x to v2.2.7 or later may cause significant app downtime. If you are upgrading from v2.1.x, Pivotal recommends that you upgrade to v2.2.6 or an earlier patch release of v2.2.x. Once you are on v2.2.6 or an earlier patch release of v2.2.x, you can then upgrade to v2.2.7.

A fix for this issue is planned for v2.2.12.

For more information, see the following article in the Pivotal Knowledge Base: How to avoid app downtime while upgrading from PAS v2.1.x to v2.2.7.

CredHub Database Cannot be External on GCP

If your PAS deployment is on GCP and you want to use Runtime CredHub, you must select Internal for both your system databases and CredHub database. If you are using external system databases, you cannot use CredHub.

CredHub is not compatible with the external database option on GCP. GCP Cloud SQL presents its certificate in a way that causes CredHub to refuse the connection.

App Autoscaler Smoke Test Errand Failure

When deploying PAS v2.2.x, the App Autoscaler smoke test errand may fail with the following error:

Autoscaler did not receive any metrics for disk_quota during the scaling window. Scaling down will be deferred until these metrics are available.

For a workaround, see the following KB article: App Autoscaler Smoke Test Errand fails to retrieve any metrics from logcache.

Apps Serve Routes After App Deletion Due to MySQL Errors

After an app is deleted, the app instances are not always cleaned up on Diego cells. Those instances continue to serve routes.

This error occurs when the Cloud Controller and Diego cells fall out of sync. You can resolve this issue by restarting the cloud_controller_clock process in the clock_global VM.

For more information, see the Knowledge Base article Apps Serve Routes Even After App Deletion Due To MySQL Errors.

Timeouts Connecting to GCS Blobstores Using Service Account Key Authentication

Pushing large apps may fail if you use Google Cloud Storage (GCS) as an external blobstore, and you authenticate to it with a GCS Service Account. This option is configured in the PAS tile File Storage pane, under Configure your Cloud Controller’s filesystem.

For more information, see the Knowledge Base article Timeouts connecting to GCS blobstores when configured to use service account key authentication.

Deploying PAS Runtime for Windows Results in an Access is Denied Error

This rare issue can occur when you deploy the PAS Runtime for Windows v2.2.

The error reads: Action Failed get_task: Task 5b085f4a-b56a-42e3-5974-f3876879397d result: Compiling package certsplitter_windows: Removing packages: Uninstalling package bundle: remove /var/vcap/data/packages/golang-windows/83bf1f4181665d2ee2c0118a56bd04764b8f56b0\go\bin\go.exe: Access is denied.

If you encounter this error, Pivotal recommends retrying the deployment until the error does not occur.

For more information, see the Knowledge Base article Deploying PAS for Windows Tile Results in an Access is Denied Error.

PAS Deployment Fails with Spring Cloud Services v1.5.5 and Earlier

If you are running Spring Cloud Services, you need to upgrade to Spring Cloud Services v1.5.6 or later before you can upgrade PCF to v2.2.

For more information, see the Knowledge Base article Spring Cloud Services Deployment fails with can’t resolve link error in PAS 2.2.

Some Components Use Go v1.9 to Avoid x.509 Cert Errors in v1.10

x509 certificate parsing in the Go language is stricter in v1.10 than it is in v1.9. As a result, certificates that many Pivotal customers generated with open-source tools and continue to use could cause errors if parsed by Go v1.10. To avoid this, some PAS v2.2 components use Go v1.9. PAS v2.2 includes both versions of the language.

Configuring a List of TCP Routing Ports

This section describes an issue and workaround related to configuring a list of TCP Routing Ports in the PAS tile UI.

Issue

You cannot enter a comma-separated list of ports in the TCP Routing Ports field of the PAS tile. If you enter a comma-separated list, the Routing API does not start. The TCP Routing Ports field allows entries in the following formats:

  • A single value, such as 1234
  • A range of values, such as 1234-5678

Workaround

If you want to configure a list of ports, Pivotal recommends following these steps:

Note: This procedure causes brief downtime for TCP apps listening on ports that you open after deploying PAS.

  1. Configure PAS with Enable TCP Routing selected.
  2. Enter one port you want to use in the TCP Routing Ports field.
  3. Deploy PAS.
  4. Use the Routing API to add all desired TCP ports by following the instructions in the Modify your TCP ports section of the Enabling TCP Routing topic. When using the Routing API, you can include a comma-separated list of ports.

Loggregator Component Horizontal Scaling Thresholds

Above approximately 40 Doppler instances and 25 Traffic Controller instances, horizontal scaling is no longer useful for improving Loggregator Firehose performance. To improve performance, increase CPU resources for the existing Doppler and Traffic Controller instances to add vertical scale.

The Syslog Adapter now enforces a hard limit on how many application syslog drains it can service. It is therefore important to follow the scaling recommendations to ensure that all syslog drains can be serviced.

Apps Manager SSL Validation Cannot Be Disabled in v2.2.12 through v2.2.16

In v2.2.12 through v2.2.16, Apps Manager ignores the Disable SSL certificate verification for this environment PAS tile setting. For environments using SSL certificates signed by an untrusted certificate authority (CA), this may cause Apps Manager to show no content.

To resolve this issue, see Apps Manager shows no content due to SSL validation issue.

Apps Manager Only Allows One Intermediate Certificate Authority in v2.2.12–v2.2.14

In v2.2.12, v2.2.13, and v2.2.14, Apps Manager does not accept SSL certificates that have a signing chain with more than one intermediate certificate authority between the SSL certificate and the root certificate authority. This includes certificates from backend services such as the Cloud Controller API.

If there is more than one intermediate certificate authority, not counting the root certificate authority, the following happens:

  • Apps Manager does not show content.
  • The logs for Apps Manager include the text certificate chain too long.

If you must use an SSL certificate chain with more than one intermediate certificate authority in your environment, contact Pivotal Support to discuss options for working around this issue.

Cloud Controller Error Causes PCF Upgrade to Fail

With buildpacks now having stack associations, additional validation must be added while upgrading to PAS v2.2 and later. This can generate a new StacklessAndStackfulMatchingBuildpacksError error in the post-start scripts.

For more information and instructions for fixing this error, see Pivotal Cloud Foundry upgrade fails with a StacklessAndStackfulMatchingBuildpacksExistError Cloud Controller Error in the Pivotal Knowledge Base.
