PCF Isolation Segment v2.2 Release Notes

Known Issues

  • [Known Issue] The NSX-T tile versions 2.3.1 and lower are not compatible with IST. Upcoming release NSX-T 2.3.2 will address this issue.

Releases

NOTE: BREAKING CHANGE: You must upgrade to PAS 2.2.3 or greater prior to installing IST 2.2.4 or higher.

2.2.15

  • Bump ubuntu-trusty stemcell to version 3586.96
  • Bump cflinuxfs2 to version 1.281.0

| Component | Version |
|---|---|
| ubuntu-trusty stemcell | 3586.96 |
| cf-networking | 2.3.3 |
| cflinuxfs2 | 1.281.0 |
| consul | 195 |
| diego | 2.8.7 |
| garden-runc | 1.16.8 |
| haproxy | 8.7.0 |
| loggregator | 102.8 |
| nfs-volume | 1.2.6 |
| routing | 0.178.7 |
| silk | 2.3.4 |
| syslog | 11.3.2 |

2.2.14

  • [Feature Improvement] Add support for TCP hitless reloads in haproxy to avoid connection reset errors
  • [Feature Improvement] Add ability to enable/disable gorouter hairpinning
  • Bump ubuntu-trusty stemcell to version 3586.93
  • Bump cflinuxfs2 to version 1.279.0
  • Bump routing to version 0.178.7

| Component | Version |
|---|---|
| ubuntu-trusty stemcell | 3586.93 |
| cf-networking | 2.3.3 |
| cflinuxfs2 | 1.279.0 |
| consul | 195 |
| diego | 2.8.7 |
| garden-runc | 1.16.8 |
| haproxy | 8.7.0 |
| loggregator | 102.8 |
| nfs-volume | 1.2.6 |
| routing | 0.178.7 |
| silk | 2.3.4 |
| syslog | 11.3.2 |

2.2.13

  • Bump ubuntu-trusty stemcell to version 3586.79
  • Bump cflinuxfs2 to version 1.267.0
  • Bump diego to version 2.8.7

| Component | Version |
|---|---|
| ubuntu-trusty stemcell | 3586.79 |
| cf-networking | 2.3.3 |
| cflinuxfs2 | 1.267.0 |
| consul | 195 |
| diego | 2.8.7 |
| garden-runc | 1.16.8 |
| haproxy | 8.7.0 |
| loggregator | 102.8 |
| nfs-volume | 1.2.6 |
| routing | 0.178.5 |
| silk | 2.3.4 |
| syslog | 11.3.2 |

2.2.12

  • [Bug Fix] Fix concurrency bug in the Router’s route pool, which could manifest as a fatal error: “Unlock of unlocked RWMutex”
  • [Bug Fix] Improve garden init process to avoid edge cases that can lead to zombies
  • Bump ubuntu-trusty stemcell to version 3586.71
  • Bump cflinuxfs2 to version 1.261.0
  • Bump garden-runc to version 1.16.8
  • Bump routing to version 0.178.5

| Component | Version |
|---|---|
| ubuntu-trusty stemcell | 3586.71 |
| cf-networking | 2.3.3 |
| cflinuxfs2 | 1.261.0 |
| consul | 195 |
| diego | 2.8.5 |
| garden-runc | 1.16.8 |
| haproxy | 8.7.0 |
| loggregator | 102.8 |
| nfs-volume | 1.2.6 |
| routing | 0.178.5 |
| silk | 2.3.4 |
| syslog | 11.3.2 |

2.2.11

  • Bump ubuntu-trusty stemcell to version 3586.65
  • Bump cflinuxfs2 to version 1.258.0
  • Bump diego to version 2.8.5

| Component | Version |
|---|---|
| ubuntu-trusty stemcell | 3586.65 |
| cf-networking | 2.3.3 |
| cflinuxfs2 | 1.258.0 |
| consul | 195 |
| diego | 2.8.5 |
| garden-runc | 1.16.1 |
| haproxy | 8.7.0 |
| loggregator | 102.8 |
| nfs-volume | 1.2.6 |
| routing | 0.178.4 |
| silk | 2.3.4 |
| syslog | 11.3.2 |

2.2.10

  • Bump ubuntu-trusty stemcell to version 3586.60
  • Bump cflinuxfs2 to version 1.255.0
  • Bump loggregator to version 102.8
  • Bump silk to version 2.3.4

| Component | Version |
|---|---|
| ubuntu-trusty stemcell | 3586.60 |
| cf-networking | 2.3.3 |
| cflinuxfs2 | 1.255.0 |
| consul | 195 |
| diego | 2.8.4 |
| garden-runc | 1.16.1 |
| haproxy | 8.7.0 |
| loggregator | 102.8 |
| nfs-volume | 1.2.6 |
| routing | 0.178.4 |
| silk | 2.3.4 |
| syslog | 11.3.2 |

2.2.9

  • [Security Fix] Address leak of CF admin credentials into NFS broker bosh errand logs
  • [Security Fix] Rotate diego intermediate CA before current certificate expires
  • [Feature Improvement] Fix error handling to report NFS mount failures in CF application logs
  • [Bug Fix] Prevent container IPs from leaking by enforcing that TCP RST messages always have the cell ip as the source ip
  • Bump ubuntu-trusty stemcell to version 3586.57
  • Bump cf-networking to version 2.3.3
  • Bump cflinuxfs2 to version 1.249.0
  • Bump nfs-volume to version 1.2.6
  • Bump silk to version 2.3.3

| Component | Version |
|---|---|
| ubuntu-trusty stemcell | 3586.57 |
| cf-networking | 2.3.3 |
| cflinuxfs2 | 1.249.0 |
| consul | 195 |
| diego | 2.8.4 |
| garden-runc | 1.16.1 |
| haproxy | 8.7.0 |
| loggregator | 102.7 |
| nfs-volume | 1.2.6 |
| routing | 0.178.4 |
| silk | 2.3.3 |
| syslog | 11.3.2 |

2.2.8

  • [Feature Improvement] Improve router pruning behavior when route integrity is enabled
  • Bump ubuntu-trusty stemcell to version 3586.52
  • Bump cflinuxfs2 to version 1.245.0
  • Bump routing to version 0.178.4

| Component | Version |
|---|---|
| ubuntu-trusty stemcell | 3586.52 |
| cf-networking | 2.3.1 |
| cflinuxfs2 | 1.245.0 |
| consul | 195 |
| diego | 2.8.4 |
| garden-runc | 1.16.1 |
| haproxy | 8.7.0 |
| loggregator | 102.7 |
| nfs-volume | 1.2.3 |
| routing | 0.178.4 |
| silk | 2.3.0 |
| syslog | 11.3.2 |

2.2.7

  • [Bug Fix] Logs marked as “DEBUG” are no longer forwarded by default
  • Bump ubuntu-trusty stemcell to version 3586.46
  • Bump cf-networking to version 2.3.1
  • Bump cflinuxfs2 to version 1.242.0
  • Bump diego to version 2.8.4

| Component | Version |
|---|---|
| ubuntu-trusty stemcell | 3586.46 |
| cf-networking | 2.3.1 |
| cflinuxfs2 | 1.242.0 |
| consul | 195 |
| diego | 2.8.4 |
| garden-runc | 1.16.1 |
| haproxy | 8.7.0 |
| loggregator | 102.7 |
| nfs-volume | 1.2.3 |
| routing | 0.178.3 |
| silk | 2.3.0 |
| syslog | 11.3.2 |

2.2.6

  • [Security Fix] Bump garden-runc to prevent malicious users from causing a denial of service for other apps
  • [Bug Fix] Fix unsafe logic in NFS unmount and drain code that may lead to deletion of files on remote NFS shares.
  • [Bug Fix] Fix issue in loggregator where AZ names with special characters could cause metron agent job to fail
  • [Bug Fix] Fix parse error for syslog rules when iptables logging is enabled

  • Bump cflinuxfs2 to version 1.238.0

  • Bump garden-runc to version 1.16.1

  • Bump loggregator to version 102.7

  • Bump nfs-volume to version 1.2.3

  • Bump stemcell ubuntu-trusty to version 3586.43

| Component | Version |
|---|---|
| stemcell | 3586.43 |
| cf-networking | 2.3.0 |
| cflinuxfs2 | 1.238.0 |
| consul | 195 |
| diego | 2.8.2 |
| garden-runc | 1.16.1 |
| haproxy | 8.7.0 |
| loggregator | 102.7 |
| nfs-volume | 1.2.3 |
| routing | 0.178.3 |
| silk | 2.3.0 |
| syslog | 11.3.2 |

* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

2.2.5

  • Bump cflinuxfs2 to version 1.235.0
  • Bump routing to version 0.178.3
  • Bump stemcell ubuntu-trusty to version 3586.42

| Component | Version |
|---|---|
| stemcell | 3586.42 |
| cf-networking | 2.3.0 |
| cflinuxfs2 | 1.235.0 |
| consul | 195 |
| diego | 2.8.2 |
| garden-runc | 1.13.3 |
| haproxy | 8.7.0 |
| loggregator | 102.4 |
| nfs-volume | 1.2.2 |
| routing | 0.178.3 |
| silk | 2.3.0 |
| syslog | 11.3.2 |

* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

2.2.4

NOTE: BREAKING CHANGE: You must upgrade to PAS 2.2.3 or greater prior to installing IST 2.2.4 or higher.

  • [Bug Fix] Applications can use internal service discovery

  • Bump cflinuxfs2 to version 1.228.0

  • Bump diego to version 2.8.2

  • Bump nfs-volume to version 1.2.2

  • Bump routing to version 0.178.2

  • Bump stemcell to version 3586.27

| Component | Version |
|---|---|
| stemcell | 3586.27 |
| cf-networking | 2.3.0 |
| cflinuxfs2 | 1.228.0 |
| consul | 195 |
| diego | 2.8.2 |
| garden-runc | 1.13.3 |
| haproxy | 8.7.0 |
| loggregator | 102.4 |
| nfs-volume | 1.2.2 |
| routing | 0.178.2 |
| silk | 2.3.0 |
| syslog | 11.3.2 |

* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

2.2.3

  • [Bug Fix] Fix TLS pruning behavior for Gorouter

  • Bump diego to version 2.8.1

  • Bump loggregator to version 102.4

  • Bump routing to version 0.178.1

  • Bump stemcell to version 3586.26

| Component | Version |
|---|---|
| stemcell | 3586.26 |
| cf-networking | 2.3.0 |
| cflinuxfs2 | 1.227.0 |
| consul | 195 |
| diego | 2.8.0 |
| garden-runc | 1.13.3 |
| haproxy | 8.7.0 |
| loggregator | 102.4 |
| nfs-volume | 1.2.1 |
| routing | 0.178.1 |
| silk | 2.3.0 |
| syslog | 11.3.2 |

* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

2.2.2

  • [Feature Improvement] Add ability to configure HAproxy client certificate verification

  • Bump cflinuxfs2 to version 1.227.0

| Component | Version |
|---|---|
| Stemcell | 3586.24 |
| cf-networking | 2.3.0 |
| cflinuxfs2 | 1.227.0 |
| consul | 195 |
| diego | 2.8.0 |
| garden-runc | 1.13.3 |
| haproxy | 8.7.0 |
| loggregator | 102.2 |
| nfs-volume | 1.2.1 |
| routing | 0.178.0 |
| silk | 2.3.0 |
| syslog | 11.3.2 |

* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

2.2.1

  • [Security Fix] Bump loggregator release for CVE-2018-1268 and CVE-2018-1269
  • [Bug Fix] Bump consul to v195

    • Includes golang 1.9.7, removes golang 1.8.*.
    • Deploying v193 could fail on some deployments due to a conflict with other tiles that compiled the release differently
    • Fixes intermittent consul DNS issues on Windows Cells
  • Bump cflinuxfs2 to version 1.223.0

  • Bump consul to version 195

  • Bump loggregator to version 102.2

| Component | Version |
|---|---|
| Stemcell | 3586.24 |
| cf-networking | 2.3.0 |
| cflinuxfs2 | 1.223.0 |
| consul | 195 |
| diego | 2.8.0 |
| garden-runc | 1.13.3 |
| haproxy | 8.7.0 |
| loggregator | 102.2 |
| nfs-volume | 1.2.1 |
| routing | 0.178.0 |
| silk | 2.3.0 |
| syslog | 11.3.2 |

* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

2.2.0

| Component | Version |
|---|---|
| Stemcell | 3586.24 |
| cf-networking | 2.3.0 |
| cflinuxfs2 | 1.220.0 |
| consul | 194 |
| diego | 2.8.0 |
| garden-runc | 1.13.3 |
| haproxy | 8.7.0 |
| loggregator | 102.1 |
| nfs-volume | 1.2.1 |
| routing | 0.178.0 |
| silk | 2.3.0 |
| syslog | 11.3.2 |

* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

About PCF Isolation Segment

The PCF Isolation Segment v2.2 tile is available for installation with PCF v2.2.

Isolation segments provide dedicated pools of resources where you can deploy apps and isolate workloads. Using isolation segments separates app resources as completely as if they were in different CF deployments but avoids redundant management and network complexity.

For more information about using isolation segments in your deployment, see the Managing Isolation Segments topic.

How to Install

The procedure for installing PCF Isolation Segment v2.2 is documented in the Installing PCF Isolation Segment topic.

To install a PCF Isolation Segment, you must first install PCF v2.2.

New Features in PCF Isolation Segment v2.2

Gorouter Logging Changes for GDPR Compliance

Operators can now disable logging of client IP addresses in the Gorouter to comply with the General Data Protection Regulation (GDPR).

This setting, Logging of Client IPs in CF Router, is configured in the Networking pane of the PCF Isolation Segment tile. You can disable logging of the X-Forwarded-For HTTP header only or of both the source IP address and the X-Forwarded-For HTTP header. By default, the Log client IPs option is set in PCF Isolation Segment.

For more information about configuring the Logging of Client IPs in CF Router field, see Networking in the Installing PCF Isolation Segment topic.

New Format for Timestamps in Diego Component Logs

The timestamps in the Diego component logs are now in a format compatible with RFC 3339. Log-level identifiers are also formatted as strings instead of numeric codes.

RFC 3339 timestamps are enabled by default for new v2.2 deployments. Upgrades from earlier versions retain the previous component log format with Unix epoch timestamps.

You can enable the new timestamp format for Diego logs in the Pivotal Application Service (PAS) tile.

For more information, see the Configure Application Containers section of any IaaS-specific PAS configuration topic, such as Deploying PAS on AWS.

Breaking Change: Before enabling RFC 3339 format for Diego logs, ensure that your log aggregation system anticipates the timestamp format change. If you experience issues, you can disable RFC 3339 format in the PAS tile.
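
A log-pipeline normalizer that accepts both Diego log formats described above, so ingestion keeps working while cells are switched over; this is an added example, not part of the original release notes or of Pivotal's code. The JSON field names (`timestamp`, `log_level`, `level`, `source`, `message`), the numeric-to-string level mapping and the two sample lines are assumptions constructed for illustration.

```python
import json
import re
from datetime import datetime, timedelta, timezone

# Assumption: old-format numeric level codes and their string equivalents.
NUMERIC_LEVELS = {0: "debug", 1: "info", 2: "error", 3: "fatal"}
RFC3339 = re.compile(
    r"^(\d{4}-\d{2}-\d{2})[Tt](\d{2}:\d{2}:\d{2})(?:\.(\d+))?([Zz]|[+-]\d{2}:\d{2})$"
)

# Constructed sample lines: the same event before and after the format switch.
OLD_LINE = '{"timestamp":"1529530809.689476013","source":"rep","message":"rep.started","log_level":1,"data":{}}'
NEW_LINE = '{"timestamp":"2018-06-20T21:40:09.689476013Z","level":"info","source":"rep","message":"rep.started","data":{}}'


def to_micros(fraction):
    """Truncate a fractional-seconds digit string to whole microseconds."""
    return int((fraction or "")[:6].ljust(6, "0"))


def parse_timestamp(raw):
    """Return an aware UTC datetime for an RFC 3339 or Unix epoch string."""
    text = str(raw).strip()
    match = RFC3339.match(text)
    if match:
        date, clock, fraction, zone = match.groups()
        zone = "+0000" if zone in ("Z", "z") else zone.replace(":", "")
        stamp = datetime.strptime(f"{date}T{clock}{zone}", "%Y-%m-%dT%H:%M:%S%z")
        return (stamp + timedelta(microseconds=to_micros(fraction))).astimezone(timezone.utc)
    # Epoch seconds: split on the dot instead of using float(), which cannot
    # represent nanosecond-precision values exactly. Raises ValueError on garbage.
    seconds, _, fraction = text.partition(".")
    base = datetime.fromtimestamp(int(seconds), tz=timezone.utc)
    return base + timedelta(microseconds=to_micros(fraction))


def normalize(line):
    """Map one JSON log line in either format onto a common record."""
    entry = json.loads(line)
    if "level" in entry:  # new format: level is already a string
        level = str(entry["level"]).lower()
    else:  # old format: numeric code
        level = NUMERIC_LEVELS.get(entry.get("log_level"), "unknown")
    return {
        "time": parse_timestamp(entry["timestamp"]),
        "level": level,
        "source": entry.get("source", ""),
        "message": entry.get("message", ""),
    }
```

Unparseable timestamps raise `ValueError` rather than being silently stamped with ingestion time, so a format the pipeline does not anticipate shows up as a parse failure instead of a gap in the timeline.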

DNS Search Domains

PCF Isolation Segment allows you to configure the DNS search domains used in containers by entering a comma-separated list.

For more information, see the DNS Search Domains configuration described in the Container Networking section of any IaaS-specific PAS configuration topic, such as Deploying PAS on AWS.

Known issues

NSX-T v2.3.1 and Earlier Not Compatible with PCF Isolation Segment

The NSX-T tiles v2.3.1 and earlier are not compatible with PCF Isolation Segment. The Gorouters in an Isolation Segment are not given access in the firewall rules for NSX-T v2.3.1 and earlier, which prevents them from communicating with apps.

NSX-T v2.3.2 and later give access to the Gorouters in an Isolation Segment, and thus are compatible with PCF Isolation Segment.

About Advanced Features

The Advanced Features section of the PCF Isolation Segment v2.2 tile includes new functionality that may have certain constraints.

Although these features are fully supported, Pivotal recommends caution when using them in production.
