PCF Ops Manager v2.3 Release Notes

Pivotal Cloud Foundry is certified by the Cloud Foundry Foundation for 2018.

Read more about the certified provider program and the requirements of providers.


How to Upgrade

The Upgrading Pivotal Cloud Foundry topic contains instructions for upgrading to Pivotal Cloud Foundry (PCF) Ops Manager v2.3.

Releases

2.3.6

  • [Security Fix]: Bumps stemcell to 97.34 to resolve USN-3820-2.
  • [Security Fix]: Bumps active-job to 5.0.4 to resolve CVE-2018-16476.
  • [Security Fix]: Bumps Loofah to 2.2.3 to address a CVE.
  • [Security Fix]: Bumps Rack to 2.0.6 to address a CVE.
  • [New Feature]: A Pivotal-specific GUID appears in the global CPI options for Azure deployments. View this key/value pair in the CPI configuration of the BOSH Director manifest.
  • [New Feature]: Ops Manager operators with sufficient permissions to see credentials can send a GET to director/properties, director/iaas_configurations/guid, director/iaas_configurations, or products/guid/properties with the redact=false parameter to see an API response that includes credentials.
  • [New Feature]: GET /api/v0/pivotal_network/stemcell_updates works on both Windows and Xenial stemcells.
  • [New Feature]: You can download the product manifest for your last successful deployment.
  • [Bug Fix]: The API docs show instance_groups in some locations where they previously referenced jobs.
  • [Bug Fix]: Internal IDP metadata no longer changes when authentication protocols switch between internal authentication and SAML. Specifically, the ds:DigestValue and ds:SignatureValue values no longer change.
  • [Bug Fix]: The SAML certificate regenerates when authentication method changes from SAML to internal, rather than when SAML is enabled. This facilitates a greater number of authentication method workflows, including those which change Ops Manager metadata.
  • [Bug Fix]: Ops Manager captures changes to the database, including reversions to old passwords, more completely.
  • [Bug Fix]: Corrects the link to Pivotal Network from the API docs.
  • [Feature Improvement]: When a user who has not logged into Ops Manager is prompted to log in to view a page, logging in returns them to the page they tried to access, rather than the Installation Dashboard.
  • [Feature Improvement]: Adds API docs for GET and PUT to the ssh_banner_contents endpoint.
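
Because redact=false returns credentials in the API response, it is worth auditing who uses it. The following is an added example, not part of the Ops Manager release notes or product: it scans web access log lines for GET requests to the endpoints listed above that carry redact=false, and reports denied attempts as well as successful ones. The combined log format, the /api/v0/staged path prefix and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Path suffixes named in the release note; any single segment stands in for "guid".
CREDENTIAL_PATHS = re.compile(
    r"/(director/properties"
    r"|director/iaas_configurations(/[^/]+)?"
    r"|products/[^/]+/properties)$"
)
# Combined log format: client ident user [time] "METHOD target proto" status ...
LOG_LINE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def unredacted_reads(lines):
    """Return (time, client, path, status) for GETs that asked for credentials."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m or m["method"] != "GET":
            continue
        url = urlsplit(m["target"])
        # Compare case-insensitively so variant spellings are reported too.
        values = [v.lower() for v in parse_qs(url.query).get("redact", [])]
        if "false" in values and CREDENTIAL_PATHS.search(url.path.rstrip("/")):
            hits.append((m["time"], m["client"], url.path, int(m["status"])))
    return hits

# Constructed sample lines, not from a real system. The /api/v0/staged prefix is assumed.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Dec/2018:10:01:02 +0000] "GET /api/v0/staged/director/properties?redact=false HTTP/1.1" 200 5120',
    '10.0.0.5 - - [12/Dec/2018:10:01:09 +0000] "GET /api/v0/staged/director/properties HTTP/1.1" 200 4800',
    '10.0.0.9 - - [12/Dec/2018:10:02:30 +0000] "GET /api/v0/staged/products/cf-abc123/properties?redact=false HTTP/1.1" 403 120',
    '10.0.0.5 - - [12/Dec/2018:10:03:00 +0000] "GET /api/v0/staged/director/iaas_configurations/guid-1?redact=true HTTP/1.1" 200 900',
    '10.0.0.7 - - [12/Dec/2018:10:04:00 +0000] "GET /api/v0/staged/pending_changes?redact=false HTTP/1.1" 200 300',
    '10.0.0.7 - - [12/Dec/2018:10:05:00 +0000] "GET /api/v0/staged/director/iaas_configurations?redact=false HTTP/1.1" 200 2100',
]

if __name__ == "__main__":
    for hit in unredacted_reads(SAMPLE_LOG):
        print(*hit)
```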

Ops Manager v2.3.6 uses the following component versions:

| Component | Version |
|---|---|
| Ops Manager | 2.3-build.212* |
| Stemcell | 97.34 (Xenial)* |
| BBR SDK | 1.7 |
| BOSH Director | 267.8 |
| BOSH DNS | 1.10 |
| Metrics Server | 0.0.21 |
| CredHub | 1.9.5 |
| Syslog | 11.3 |
| UAA | 60.8 |
| AWS CPI | 72 |
| Azure CPI | 35.4 |
| GCP CPI | 27.0.1 |
| OpenStack CPI | 39 |
| vSphere CPI | 50.0.3* |

* Components marked with an asterisk have been updated.

2.3.5

  • [Security Fix]: Bumps Nokogiri to 1.8.5 to address CVE-2018-14404.
  • [Security Fix]: Bumps UAA to address CVE-2018-15761.
  • [Bug Fix]: Application Load Balancers (ALBs) now also apply to the Director VM for AWS deployments.

Ops Manager v2.3.5 uses the following component versions:

| Component | Version |
|---|---|
| Ops Manager | 2.3-build.194* |
| Stemcell | 97.28 (Xenial) |
| BBR SDK | 1.7 |
| BOSH Director | 267.8 |
| BOSH DNS | 1.10 |
| Metrics Server | 0.0.21 |
| CredHub | 1.9.5 |
| Syslog | 11.3 |
| UAA | 60.8* |
| AWS CPI | 72 |
| Azure CPI | 35.4 |
| GCP CPI | 27.0.1 |
| OpenStack CPI | 39 |
| vSphere CPI | 50 |

* Components marked with an asterisk have been updated.

2.3.4

  • [Bug Fix]: Bumps stemcell to resolve a Known Issue. You can now upload large files without Ops Manager timing out.

Ops Manager v2.3.4 uses the following component versions:

| Component | Version |
|---|---|
| Ops Manager | 2.3-build.188* |
| Stemcell | 97.28 (Xenial)* |
| BBR SDK | 1.7 |
| BOSH Director | 267.8 |
| BOSH DNS | 1.10 |
| Metrics Server | 0.0.21 |
| CredHub | 1.9.5 |
| Syslog | 11.3 |
| UAA | 60.2 |
| AWS CPI | 72 |
| Azure CPI | 35.4 |
| GCP CPI | 27.0.1 |
| OpenStack CPI | 39 |
| vSphere CPI | 50 |

* Components marked with an asterisk have been updated.

2.3.3

  • [Security Fix]: Bumps stemcell to 97.22 for periodic lower-severity security updates.
  • [New Feature]: Operators can tune the swap size as a percent of total memory size per instance group.
  • [Bug Fix]: Operators can change the Director Hostname without losing connection between BOSH Director and VMs.
  • [Bug Fix]: Stemcells no longer accidentally downgrade in rare cases when upgrading to a new Ops Manager. This happened previously when a product had a newer stemcell patch than Ops Manager included during the upgrade.
  • [Bug Fix]: Operators can work around an expired SAML service provider cert by disabling and enabling SAML.
  • [Feature Improvement]: The expiring certificates endpoint (/api/v0/deployed/certificates) now includes information about the SAML service provider cert.
  • [Feature Improvement]: Importing products that use the future Unified Syslog feature warns operators that product syslog features will not be active in this version of Ops Manager.
  • [Bug Fix]: Dynamic JS pages now show the message from server-side errors instead of alert boxes with JavaScript errors (such as [Object object] or t.filter()).

Ops Manager v2.3.3 uses the following component versions:

| Component | Version |
|---|---|
| Ops Manager | 2.3-build.184* |
| Stemcell | 97.22 (Xenial)* |
| BBR SDK | 1.7 |
| BOSH Director | 267.8* |
| BOSH DNS | 1.10 |
| Metrics Server | 0.0.21 |
| CredHub | 1.9.5 |
| Syslog | 11.3 |
| UAA | 60.2 |
| AWS CPI | 72 |
| Azure CPI | 35.4 |
| GCP CPI | 27.0.1 |
| OpenStack CPI | 39 |
| vSphere CPI | 50 |

* Components marked with an asterisk have been updated.

2.3.2

  • [Security Fix]: Bumps stemcell to 97.19 to address USN-3777-2.
  • [New Feature]: You can now configure custom DNS handlers via the Ops Manager API.
  • [New Feature]: You can now configure recursor timeouts via the Ops Manager API.

Ops Manager v2.3.2 uses the following component versions:

| Component | Version |
|---|---|
| Ops Manager | 2.3-build.170* |
| Stemcell | 97.19 (Xenial)* |
| BBR SDK | 1.7 |
| BOSH Director | 267.7 |
| BOSH DNS | 1.10 |
| Metrics Server | 0.0.21 |
| CredHub | 1.9.5 |
| Syslog | 11.3 |
| UAA | 60.2 |
| AWS CPI | 72 |
| Azure CPI | 35.4 |
| GCP CPI | 27.0.1 |
| OpenStack CPI | 39 |
| vSphere CPI | 50 |

* Components marked with an asterisk have been updated.

2.3.1

  • [Bug Fix]: You are now only prompted to unlock Ops Manager once when enabling Rescue Mode.
  • [Bug Fix]: Ops Manager sets the storage account type and Director ephemeral disk correctly for Azure deployments.
  • [Feature Improvement]: You can now deselect all tiles at once.

Ops Manager v2.3.1 uses the following component versions:

| Component | Version |
|---|---|
| Ops Manager | 2.3-build.167* |
| Stemcell | 97.18 (Xenial) |
| BBR SDK | 1.7 |
| BOSH Director | 267.7* |
| BOSH DNS | 1.10* |
| Metrics Server | 0.0.21 |
| CredHub | 1.9.5 |
| Syslog | 11.3 |
| UAA | 60.2 |
| AWS CPI | 72 |
| Azure CPI | 35.4* |
| GCP CPI | 27.0.1 |
| OpenStack CPI | 39 |
| vSphere CPI | 50 |

* Components marked with an asterisk have been updated.

2.3.0

Ops Manager v2.3 uses the following component versions:

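| Component | Version |
|---|---|
| Ops Manager | 2.3-build.146 |
| Stemcell | 97.15 (Xenial) |
| BBR SDK | 1.7 |
| BOSH Director | 267.6 |
| BOSH DNS | 1.9 |
| Metrics Server | 0.0.21 |
| CredHub | 1.9.5 |
| Syslog | 11.3 |
| UAA | 60.2 |
| AWS CPI | 72 |
| Azure CPI | 35.2 |
| GCP CPI | 27.0.1 |
| OpenStack CPI | 39 |
| vSphere CPI | 50 |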

New Features in Ops Manager v2.3

Ops Manager v2.3 includes the following major features:

Ops Manager and BOSH Director Upgraded to Ubuntu 16.04 (Xenial Xerus)

Ops Manager v2.3 uses a Xenial stemcell based on Ubuntu 16.04 (Xenial Xerus).

The previously supported Trusty stemcells were based on Ubuntu 14.04 (Trusty Tahr). This distribution will reach end of general support (EOGS) in April 2019 and will no longer receive security updates.

Using Xenial stemcells in v2.3 ensures that Ops Manager users continue to have access to secure stemcells based on an Ubuntu distribution maintained by Canonical.

For more information on the impact of using Xenial stemcells in PCF, see Updates for Xenial Stemcell Support.

TLS for Internal Blobstore Enabled by Default

Ops Manager now enables TLS communications for the internal blobstore by default.

If you want to disable TLS for your internal blobstore, disable Enable TLS in the Director Config pane of the BOSH Director tile.

Multiple Data Centers on OpenStack

Ops Manager now allows you to configure multiple OpenStack data centers to a single BOSH Director.

You can add additional OpenStack configs in the OpenStack Config pane of your BOSH Director tile. For more information about how to add, edit, and delete OpenStack configs, see Managing Multiple Data Centers.

BOSH DNS is Required

BOSH DNS is enabled by default in PCF v2.3.

The option to disable BOSH DNS is no longer available in the Ops Manager UI or API.

WARNING: Upgrades to PCF v2.3 will fail if BOSH DNS is disabled. Enable BOSH DNS before upgrading to PCF v2.3.

BOSH DNS Certificate Authority Upgrades

BOSH DNS now comes with CAs that are valid for four years. These CAs will apply automatically when upgrading to v2.3.

To apply the CAs completely, you must upgrade to PCF v2.3 and then rotate all certificates in your installation. Follow the procedure below to rotate your certificates:

  1. Upgrade Ops Manager to v2.3.

  2. Click Apply Changes to distribute the new CA to all VMs. Do not use Review Pending Changes to update your installation incrementally. Upgrade all tiles simultaneously.

  3. Use the Ops Manager API to POST /api/v0/certificate_authorities/active/regenerate.

  4. Apply Changes for all tiles simultaneously to rotate the certificates.
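
One way to check the result of step 4, as an added example that is not from the Ops Manager documentation: compare each deployed certificate's issue time with the time you sent the regenerate request in step 3. It assumes that GET /api/v0/deployed/certificates returns a certificates array whose entries carry product_guid, property_reference, configurable and valid_from fields; the sample response is constructed.

```python
import json
from datetime import datetime, timezone

def parse_ts(value):
    """Parse an ISO 8601 timestamp such as 2018-12-03T14:05:00Z into UTC."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)

def rotation_report(response_json, ca_regenerated_at):
    """Sort deployed certificates into rotated, stale and manual.

    rotated: issued at or after the regenerate request (step 3)
    stale:   generated certificates still issued before it, so step 4 has not reached them
    manual:  configurable certificates, treated here as operator-managed and
             listed for separate review (assumption about the field's meaning)
    """
    cutoff = parse_ts(ca_regenerated_at)
    report = {"rotated": [], "stale": [], "manual": []}
    for cert in json.loads(response_json)["certificates"]:
        name = f'{cert["product_guid"]}:{cert["property_reference"]}'
        if cert.get("configurable"):
            report["manual"].append(name)
        elif parse_ts(cert["valid_from"]) >= cutoff:
            report["rotated"].append(name)
        else:
            report["stale"].append(name)
    return report

# Constructed response body: field names are assumed, all values are invented.
SAMPLE_RESPONSE = json.dumps({"certificates": [
    {"product_guid": "p-bosh-0001", "property_reference": ".director.example_tls",
     "configurable": False, "valid_from": "2018-12-03T14:05:00Z"},
    {"product_guid": "cf-0002", "property_reference": ".example_job.internal_tls",
     "configurable": False, "valid_from": "2018-06-11T08:00:00Z"},
    {"product_guid": "cf-0002", "property_reference": ".properties.example_uploaded_cert",
     "configurable": True, "valid_from": "2018-01-15T00:00:00Z"},
]})

if __name__ == "__main__":
    # The second argument is the time the step 3 request was sent (constructed here).
    for state, names in rotation_report(SAMPLE_RESPONSE, "2018-12-03T14:00:00Z").items():
        print(state, names)
```

An empty stale list after step 4 indicates that every generated certificate in the response was reissued after the regenerate request.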

Disable Verifiers By Type with the Ops Manager API

You can disable verifiers by type with the Ops Manager API. Ops Manager provides this option for troubleshooting purposes. For example, your deployment may have a unique configuration that the verifier cannot detect. In this case, you can unblock your deployment by disabling the verifier.

For more information, see Managing Ops Manager Verifiers.

Note: This is an advanced feature. Pivotal recommends contacting support before you disable Ops Manager verifiers.

Ops Manager Supports LDAP Authentication

Ops Manager supports Lightweight Directory Access Protocol (LDAP) for authentication, in addition to Security Assertion Markup Language (SAML).

For new Ops Manager installations, operators can configure LDAP authentication from the Welcome to Ops Manager page. See the LDAP Server section of the BOSH Director configuration topic for your IaaS for more information.

For existing Ops Manager installations, operators can configure LDAP authentication through the Ops Manager Settings page. For more information, see the Settings Page section of the Understanding the Ops Manager Interface topic.

Ops Manager on vSphere Supports SSH Key Authentication

You can now use an SSH key in addition to or instead of an admin password to boot Ops Manager on vSphere. Set the SSH key during vSphere environment configuration, in the same panel where you can set an admin password and custom hostname.

After uploading an OVF template to vSphere, set an admin password or SSH key in the Customize template section of the Deploy OVF Template panel. For more information, see Deploying BOSH and Ops Manager to vSphere.

Virtual Machines Running on OpenStack Can Boot From Cinder Volumes

If you use OpenStack, you can now boot VMs from a Cinder volume. Cinder is an open source block storage solution for OpenStack users. For more information, see Configuring BOSH Director on OpenStack.

Recreate All Persistent Disks

In the Director Config pane of the BOSH Director tile, you can Recreate All Persistent Disks. Enabling the checkbox forces BOSH to migrate and recreate all persistent disks without losing persistent disk data.

UI Improvements to Review Pending Changes

The Review Pending Changes page in the Ops Manager installation dashboard features UI improvements.

See the following changes:

  • You can no longer enable orange tiles for selective deployment. In Ops Manager v2.2, you can enable orange tiles but you cannot click Apply Changes.
  • When you enable a tile for selective deployment, its dependencies are also enabled. In Ops Manager v2.2, you must enable your tile dependencies manually.
  • When an update fails, a list of pending changes that did not complete appears on the Review Pending Changes page.
  • When you attempt to change a tile with an out-of-date stemcell, a message appears notifying you that the stemcell is out of date. Click this message to access the Stemcell Library.
  • When a tile is staged to be deleted, indicator text appears on that tile.
  • Apply Changes displays as Review Pending Changes when there are pending changes staged.
  • Stemcell changes appear in the Changes field for each tile.
  • When Review Pending Changes returns an error, the error message includes the name of the affected tiles.
  • The Beta label no longer appears on the Review Pending Changes page.
  • The Review Pending Changes page has minor UI improvements throughout.

For more information about the page UI, see Review Pending Changes Page.

API Improvements to Review Pending Changes

  • You can use GET /api/v0/staged/pending_changes to see stemcell changes in the Ops Manager API.
  • When the API returns an error, the error message includes the name of the affected products.
  • When an update fails, you can use GET /api/v0/staged/pending_changes to see a list of pending changes that did not complete.

For more information about the Review Pending Changes API endpoints, see the Ops Manager API documentation.

Advanced Features for Ops Manager Guide

A new guide in the Ops Manager documentation explains the behavior of some advanced features for Ops Manager. These features are for experienced operators only.

For more information, see Advanced Features for Ops Manager.

WARNING: Ops Manager Advanced Features are for skilled operators only. Pivotal recommends contacting Support before attempting to use these features.

Known Issues

Intermittent Tile Upload Failure

Note: This issue appears in Ops Manager v2.3.2 and v2.3.3. It is resolved in Ops Manager 2.3.4.

In some versions of Ops Manager v2.3, large tiles may fail to upload successfully. If you attempted to upload a large file via the om CLI, your upload may have failed due to Ops Manager’s built-in timeout feature.

This issue occurs due to a kernel regression introduced in Ops Manager v2.3.2 and will be remediated in a subsequent release.

PKS Compatibility with v2.3.0

If you have a PCF deployment with Ops Manager v2.2.x and PKS 1.2.x or earlier installed, you must upgrade to Ops Manager v2.3.1 or later. There is no compatible PKS version for Ops Manager v2.3.0. Also, ensure that you upgrade to PKS v1.2 before upgrading Ops Manager. For Ops Manager 2.2, PKS v1.2 is compatible with Ops Manager v2.2.2 and later.
