Pivotal Application Service v2.3 Release Notes

Pivotal Cloud Foundry is certified by the Cloud Foundry Foundation for 2018.

Read more about the certified provider program and the requirements of providers.


Releases

2.3.4

  • [Security Fix] Update JDK to latest patch release for Autoscaler
  • [Security Fix] Address leak of CF admin credentials into NFS broker bosh errand logs
  • [Security Fix] Fix issue where policy server API responses did not contain X-Frame-Options and Content-Security-Policy
  • [Security Fix] Rotate diego intermediate CA before current certificate expires
  • [Feature Improvement] Allow TLS between usage-service and mysql to be turned off
  • [Feature Improvement] Improve performance of the system_report/service_usages endpoint in the usage-service to prevent potential 502 or 504 responses on larger deployments
  • [Feature Improvement] Update version number in link to docs page for Apps Manager
  • [Bug Fix] Show more helpful error message in Apps Manager when toggling on Autoscaler fails
  • [Bug Fix] Allow scaling of individual processes in multiprocess app when some processes are scaled to zero
  • [Bug Fix] Fix issue in usage service where database passwords and usernames were not properly escaped causing push-usage-service errand to fail
  • [Bug Fix] Fix issue where the CAPI sync job fails when TCP routes are being used
  • [Bug Fix] Fix issue where configured database connection timeout for silk was not applied when using an external database
  • Bump ubuntu-xenial stemcell to version 97.34
  • Bump cf-autoscaling to version 215
  • Bump cf-mysql to version 36.16.0
  • Bump cf-networking to version 2.12.3
  • Bump cf-smoke-tests to version 40.0.17
  • Bump cflinuxfs2 to version 1.249.0
  • Bump cflinuxfs3 to version 0.40.0
  • Bump mapfs to version 1.1.2
  • Bump nfs-volume to version 1.5.4
  • Bump push-apps-manager-release to version 666.0.15
  • Bump push-usage-service-release to version 667.0.13
Component | Version
ubuntu-xenial stemcell | 97.34
backup-and-restore-sdk | 1.9.0
binary-offline-buildpack | 1.0.27
bosh-dns-aliases | 0.0.2
bosh-system-metrics-forwarder | 0.0.15
bpm | 0.11.0
capi | 1.66.3
cf-autoscaling | 215
cf-backup-and-restore | 0.0.11
cf-cli | 1.5.0
cf-mysql | 36.16.0
cf-networking | 2.12.3
cf-smoke-tests | 40.0.17
cf-syslog-drain | 7.0
cflinuxfs2 | 1.249.0
cflinuxfs3 | 0.40.0
consul | 195
credhub | 1.9.5
diego | 2.18.0
dotnet-core-offline-buildpack | 2.1.5
garden-runc | 1.16.1
go-offline-buildpack | 1.8.28
haproxy | 8.9.0
java-offline-buildpack | 4.16.1
log-cache | 1.4.7
loggregator | 103.3
mapfs | 1.1.2
mysql-monitoring | 8.20.0
nats | 25
nfs-volume | 1.5.4
nodejs-offline-buildpack | 1.6.32
notifications-ui | 34
notifications | 52
php-offline-buildpack | 4.3.61
push-apps-manager-release | 666.0.15
push-usage-service-release | 667.0.13
pxc | 0.14.0
python-offline-buildpack | 1.6.21
routing | 0.179.3
ruby-offline-buildpack | 1.7.24
silk | 2.12.1
staticfile-offline-buildpack | 1.4.32
statsd-injector | 1.3.0
syslog | 11.3.2
uaa | 60.8

2.3.3

  • [Security Fix] Bump UAA for CVEs
  • [Feature Improvement] Improve router pruning behavior when route integrity is enabled
  • [Feature Improvement] Operators can configure the default root filesystem for new applications created on the platform
  • [Bug fix] push-usage-service errand fails when using a MySQL load balancer
  • [Bug fix] Enforce that max_valid_packages_stored and max_staged_droplets_stored be >= 1
  • [Bug Fix] Do not produce duplicate schedules when updating a schedule in Apps Manager
  • [Bug Fix] Update log-cache client in Autoscaler for backward compatibility when upgrading PAS
  • Bump ubuntu-xenial stemcell to version 97.28
  • Bump cf-autoscaling to version 214
  • Bump cf-smoke-tests to version 40.0.13
  • Bump cflinuxfs2 to version 1.245.0
  • Bump cflinuxfs3 to version 0.34.0
  • Bump push-apps-manager-release to version 666.0.13
  • Bump routing to version 0.179.3
  • Bump uaa to version 60.8
Component | Version
ubuntu-xenial stemcell | 97.28
backup-and-restore-sdk | 1.9.0
binary-offline-buildpack | 1.0.27
bosh-dns-aliases | 0.0.2
bosh-system-metrics-forwarder | 0.0.15
bpm | 0.11.0
capi | 1.66.3
cf-autoscaling | 214
cf-backup-and-restore | 0.0.11
cf-cli | 1.5.0
cf-mysql | 36.15.0
cf-networking | 2.12.2
cf-smoke-tests | 40.0.13
cf-syslog-drain | 7.0
cflinuxfs2 | 1.245.0
cflinuxfs3 | 0.34.0
consul | 195
credhub | 1.9.5
diego | 2.18.0
dotnet-core-offline-buildpack | 2.1.5
garden-runc | 1.16.1
go-offline-buildpack | 1.8.28
haproxy | 8.9.0
java-offline-buildpack | 4.16.1
log-cache | 1.4.7
loggregator | 103.3
mapfs | 1.0.1
mysql-monitoring | 8.20.0
nats | 25
nfs-volume | 1.5.3
nodejs-offline-buildpack | 1.6.32
notifications-ui | 34
notifications | 52
php-offline-buildpack | 4.3.61
push-apps-manager-release | 666.0.13
push-usage-service-release | 667.0.10
pxc | 0.14.0
python-offline-buildpack | 1.6.21
routing | 0.179.3
ruby-offline-buildpack | 1.7.24
silk | 2.12.1
staticfile-offline-buildpack | 1.4.32
statsd-injector | 1.3.0
syslog | 11.3.2
uaa | 60.8

2.3.2

  • [Security Fix] log-cache no longer supports TLS 1.0 and TLS 1.1
  • [Feature Improvement] Improve error messages logged by Cloud Controller when there are Azure blobstore failures
  • [Feature Improvement] Update name of the Small Footprint PAS tile shown on the tile in Ops Manager UI
  • [Feature Improvement] The usage-service uses the shared CF CLI which can be updated independently
  • [Feature Improvement] clock_global now defaults to 2 instances to be highly available
  • [Feature Improvement] Allow disabling connection pooling for autoscaler API & escape special characters in external database passwords
  • [Bug Fix] Fix bug preventing users from restarting app via Apps Manager’s “Restart” button.
  • [Bug Fix] Prevent potential memory leak when Cloud Controller’s space summary endpoint is called under certain usage conditions
  • [Bug Fix] Fix issue in loggregator where AZ names with special characters could cause metron agent job to fail
  • [Bug Fix] Fix manual configuration of load balancers for SSH to application containers on Small Footprint PAS (SF-PAS)
  • Bump ubuntu-xenial stemcell to version 97.19
  • Bump capi to version 1.66.3
  • Bump cf-autoscaling to version 212
  • Bump cf-smoke-tests to version 40.0.10
  • Bump cflinuxfs2 to version 1.242.0
  • Bump cflinuxfs3 to version 0.29.0
  • Bump go-offline-buildpack to version 1.8.28
  • Bump java-offline-buildpack to version 4.16
  • Bump log-cache to version 1.4.7
  • Bump loggregator to version 103.3
  • Bump push-apps-manager-release to version 666.0.12
  • Bump push-usage-service-release to version 667.0.10
  • Bump ruby-offline-buildpack to version 1.7.24
Component | Version
ubuntu-xenial stemcell | 97.19
backup-and-restore-sdk | 1.9.0
binary-offline-buildpack | 1.0.27
bosh-dns-aliases | 0.0.2
bosh-system-metrics-forwarder | 0.0.15
bpm | 0.11.0
capi | 1.66.3
cf-autoscaling | 212
cf-backup-and-restore | 0.0.11
cf-cli | 1.5.0
cf-mysql | 36.15.0
cf-networking | 2.12.2
cf-smoke-tests | 40.0.10
cf-syslog-drain | 7.0
cflinuxfs2 | 1.242.0
cflinuxfs3 | 0.29.0
consul | 195
credhub | 1.9.5
diego | 2.18.0
dotnet-core-offline-buildpack | 2.1.5
garden-runc | 1.16.1
go-offline-buildpack | 1.8.28
haproxy | 8.9.0
java-offline-buildpack | 4.16
log-cache | 1.4.7
loggregator | 103.3
mapfs | 1.0.1
mysql-monitoring | 8.20.0
nats | 25
nfs-volume | 1.5.3
nodejs-offline-buildpack | 1.6.32
notifications-ui | 34
notifications | 52
php-offline-buildpack | 4.3.61
push-apps-manager-release | 666.0.12
push-usage-service-release | 667.0.10
pxc | 0.14.0
python-offline-buildpack | 1.6.21
routing | 0.179.2
ruby-offline-buildpack | 1.7.24
silk | 2.12.1
staticfile-offline-buildpack | 1.4.32
statsd-injector | 1.3.0
syslog | 11.3.2
uaa | 60.2

2.3.1

  • [Feature] Add support for promQL range queries and use of app names to retrieve data in log-cache.
  • [Feature Improvement] log-cache API now supports timestamps formatted as RFC3339, as expected by PCF Metrics
  • [Bug Fix] Space and org managers can now view app logs in Apps Manager
  • [Bug Fix] Prevent cf push downtime while upgrading cf-networking-release
  • [Bug Fix] Fixes container create failure due to duplicate iptables chain name
  • [Bug Fix] Fixes slow app instance shutdown when using NSX-T for container networking
  • [Bug Fix] Fix issue where the PAS tile could be incorrectly downloaded when upgrading SF-PAS via PivNet
  • [Bug Fix] Fix parse error for syslog rules when iptables logging is enabled
  • Bump binary-offline-buildpack to version 1.0.27
  • Bump cf-networking to version 2.12.2
  • Bump cf-smoke-tests to version 40.0.9
  • Bump cflinuxfs2 to version 1.238.0
  • Bump cflinuxfs3 to version 0.25.0
  • Bump diego to version 2.18.0
  • Bump dotnet-core-offline-buildpack to version 2.1.5
  • Bump go-offline-buildpack to version 1.8.27
  • Bump log-cache to version 1.4.6
  • Bump nodejs-offline-buildpack to version 1.6.32
  • Bump php-offline-buildpack to version 4.3.61
  • Bump push-apps-manager-release to version 666.0.10
  • Bump python-offline-buildpack to version 1.6.21
  • Bump pxc to version 0.14.0
  • Bump ruby-offline-buildpack to version 1.7.23
  • Bump silk to version 2.12.1
  • Bump staticfile-offline-buildpack to version 1.4.32
  • Bump stemcell ubuntu-xenial to version 97.18
Component | Version
stemcell | 97.18
backup-and-restore-sdk | 1.9.0
binary-offline-buildpack | 1.0.27
bosh-dns-aliases | 0.0.2
bosh-system-metrics-forwarder | 0.0.15
bpm | 0.11.0
capi | 1.66.1
cf-autoscaling | 210
cf-backup-and-restore | 0.0.11
cf-cli | 1.5.0
cf-mysql | 36.15.0
cf-networking | 2.12.2
cf-smoke-tests | 40.0.9
cf-syslog-drain | 7.0
cflinuxfs2 | 1.238.0
cflinuxfs3 | 0.25.0
consul | 195
credhub | 1.9.5
diego | 2.18.0
dotnet-core-offline-buildpack | 2.1.5
garden-runc | 1.16.1
go-offline-buildpack | 1.8.27
haproxy | 8.9.0
java-offline-buildpack | 4.15
log-cache | 1.4.6
loggregator | 103.0
mapfs | 1.0.1
mysql-monitoring | 8.20.0
nats | 25
nfs-volume | 1.5.3
nodejs-offline-buildpack | 1.6.32
notifications | 52
notifications-ui | 34
php-offline-buildpack | 4.3.61
push-apps-manager-release | 666.0.10
push-usage-service-release | 667.0.9
pxc | 0.14.0
python-offline-buildpack | 1.6.21
routing | 0.179.2
ruby-offline-buildpack | 1.7.23
silk | 2.12.1
staticfile-offline-buildpack | 1.4.32
statsd-injector | 1.3.0
syslog | 11.3.2
uaa | 60.2
* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

2.3.0

Component | Version
stemcell | 97.16
backup-and-restore-sdk | 1.9.0
binary-offline-buildpack | 1.0.26
bosh-dns-aliases | 0.0.2
bosh-system-metrics-forwarder | 0.0.15
bpm | 0.11.0
capi | 1.66.1
cf-autoscaling | 210
cf-backup-and-restore | 0.0.11
cf-cli | 1.5.0
cf-mysql | 36.15.0
cf-networking | 2.12.0
cf-smoke-tests | 40.0.8
cf-syslog-drain | 7.0
cflinuxfs2 | 1.236.0
cflinuxfs3 | 0.23.0
consul | 195
credhub | 1.9.5
diego | 2.16.0
dotnet-core-offline-buildpack | 2.1.4
garden-runc | 1.16.1
go-offline-buildpack | 1.8.26
haproxy | 8.9.0
java-offline-buildpack | 4.15
log-cache | 1.4.4
loggregator | 103.0
mapfs | 1.0.1
mysql-monitoring | 8.20.0
nats | 25
nfs-volume | 1.5.3
nodejs-offline-buildpack | 1.6.30
notifications | 52
notifications-ui | 34
php-offline-buildpack | 4.3.59
push-apps-manager-release | 666.0.7
push-usage-service-release | 667.0.9
python-offline-buildpack | 1.6.20
pxc | 0.13.0
routing | 0.179.2
ruby-offline-buildpack | 1.7.22
silk | 2.12.0
staticfile-offline-buildpack | 1.4.31
statsd-injector | 1.3.0
syslog | 11.3.2
uaa | 60.2
* Components marked with an asterisk have been patched to resolve security vulnerabilities or fix component behavior.

How to Upgrade

The procedure for upgrading to Pivotal Application Service (PAS) v2.3 is documented in the Upgrading Pivotal Cloud Foundry topic.

When upgrading to v2.3, be aware of the following upgrade considerations:

  • If you previously used an earlier version of PAS, you must first upgrade to PAS v2.2 to successfully upgrade to PAS v2.3.

  • You must enable GrootFS before upgrading to PAS v2.3. To enable GrootFS, go to Application Containers in PAS and select Enable the GrootFS container image plugin for Garden RunC. Pivotal recommends recreating all VMs when enabling GrootFS. To recreate all VMs, go to Director Config in the BOSH Director tile and select Recreate all VMs.

  • Some partner service tiles may be incompatible with PCF v2.3. Pivotal is working with partners to ensure their tiles are updated to work with the latest versions of PCF.

    For information about which partner service releases are currently compatible with PCF v2.3, review the appropriate partners services release documentation at https://docs.pivotal.io, or contact the partner organization that produces the tile.

  • Because PAS v2.3 contains an additional root filesystem and associated buildpacks, its product file size is 3.2 GB larger than PAS v2.2, totaling 12.6 GB. As a result, it may take longer to download than previous versions of PAS.

New Features in PAS v2.3

Xenial Stemcells

PAS v2.3 uses a stemcell based on Ubuntu 16.04 (Xenial Xerus).

Earlier versions’ stemcells were based on Ubuntu 14.04 (Trusty Tahr). The Trusty distribution will reach end of general support (EOGS) in April 2019 and will no longer receive security updates.

Using Xenial stemcells in v2.3 ensures that PAS users continue to have access to secure stemcells based on an Ubuntu distribution maintained by Canonical.

For more information on the impact of using Xenial stemcells in PCF, see Updates for Xenial Stemcell Support.

cflinuxfs3 Stack and Compatible Buildpacks

See the following sections to learn more about cflinuxfs3 and compatible buildpacks:

Overview

  • What’s new in 2.3?
    • PAS v2.3 adds the following:
      • A new stack, cflinuxfs3, based on Ubuntu 18.04 (Bionic Beaver).
      • A new set of buildpacks that are compatible with cflinuxfs3.
    • cf CLI v6.39.0 adds the following to support the association between stacks and buildpacks:

      Note: PCF v2.2.0 added support for buildpack and stack association provided by CAPI v1.58.0. See Stack Association for more information.

      • The output of the cf buildpacks command has a stacks column.
      • The following commands now accept a -s flag for specifying a stack: cf delete-buildpack, cf rename-buildpack, and cf update-buildpack.
        This is useful if there are two buildpacks of the same name that use a different stack.
  • Changes to cflinuxfs2
    • PAS v2.3 still includes the cflinuxfs2 stack and compatible buildpacks. However, cflinuxfs2 is based on Ubuntu 14.04 (Trusty Tahr), which reaches end of general support (EOGS) in April 2019. After that date, it will no longer receive security updates.

Using cflinuxfs3 in v2.3 ensures that PAS users continue to have access to a secure stack based on an Ubuntu distribution maintained by Canonical.

Guidance for Operators

  • Scale Cloud Controller if necessary:
    • The new set of buildpacks are 2.7 GB. The buildpack packages are stored on the Cloud Controller VM. If your ephemeral disk usage is already high, you may need to increase the persistent disk of the Cloud Controller VM to accommodate the new buildpacks.
  • Migrate apps to cflinuxfs3:
    • Ensure developers migrate their apps and push any new apps using the cflinuxfs3 stack by running cf push APP-NAME -s cflinuxfs3. For more information, see Changing Stacks. When changing stacks, developers may see errors related to new or changed libraries. If they do, they must update their app accordingly.
  • Assign a stack to custom buildpacks:
    • Associate custom buildpacks in your PAS deployment with a stack to prevent them from having a missing stack record. To do this, ensure that your buildpack specifies a stack as a top level property in its manifest and then update it with the cf update-buildpack command. See Creating Custom Buildpacks. Buildpacks with a missing stack record will continue to work, but they are more manageable when associated with a stack.
  • Modify custom buildpacks for cflinuxfs3:
    • Modify any custom buildpacks that are compatible with cflinuxfs2 to be compatible with cflinuxfs3, and package them with the --stack cflinuxfs3 option provided by the buildpack packager. Upload the new cflinuxfs3 compatible buildpack using the cf create-buildpack command.
    • Confirm that you do not create any new custom buildpacks that depend on cflinuxfs2. Use cflinuxfs3 instead.
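
An added example (not from the PAS documentation or the cf CLI project) of auditing buildpack-to-stack association as the operator guidance above describes: it flags buildpacks with a missing stack record, buildpacks that exist only for cflinuxfs2, and names that exist for more than one stack and therefore need the -s flag. The table is constructed sample input, and its column layout is an assumption about what cf buildpacks prints.

```python
from collections import defaultdict

# Constructed sample, not captured from a real deployment. Buildpack names,
# filenames and the column layout (stack as the last column) are assumptions.
SAMPLE = """\
buildpack              position  enabled  locked  filename                     stack
ruby_buildpack         1         true     false   ruby-cflinuxfs2-v1.7.24.zip  cflinuxfs2
ruby_buildpack         2         true     false   ruby-cflinuxfs3-v1.7.24.zip  cflinuxfs3
php_buildpack          3         true     false   php-cflinuxfs2-v4.3.61.zip   cflinuxfs2
acme_custom_buildpack  4         true     false   acme-custom-v0.3.zip
legacy_jvm_buildpack   5         false    true    legacy-jvm-v2.zip            cflinuxfs2
"""


def parse_buildpacks(table):
    """Turn a whitespace-separated buildpack table into a list of dicts.

    Values are assumed to contain no spaces. A row shorter than the header
    means its trailing columns are empty, which is how a buildpack with a
    missing stack record appears when stack is the last column.
    """
    lines = [ln for ln in table.splitlines() if ln.strip()]
    header = lines[0].split()
    rows = []
    for ln in lines[1:]:
        fields = ln.split()
        if len(fields) > len(header):
            raise ValueError("unexpected extra column in row: %r" % ln)
        fields += [""] * (len(header) - len(fields))
        rows.append(dict(zip(header, fields)))
    return rows


def audit(rows, old="cflinuxfs2", new="cflinuxfs3"):
    """Group rows by buildpack name and classify each name."""
    stacks_by_name = defaultdict(list)
    for row in rows:
        stacks_by_name[row["buildpack"]].append(row["stack"])

    findings = {"missing_stack": [], "old_stack_only": [], "needs_stack_flag": []}
    for name in sorted(stacks_by_name):
        stacks = stacks_by_name[name]
        if "" in stacks:
            # No stack record: set stack in the buildpack manifest, then
            # run cf update-buildpack.
            findings["missing_stack"].append(name)
        if old in stacks and new not in stacks:
            # Only a cflinuxfs2 build exists: repackage with --stack cflinuxfs3
            # and upload it with cf create-buildpack.
            findings["old_stack_only"].append(name)
        if len(stacks) > 1:
            # Same name on several stacks: delete, rename and update
            # commands need -s to pick the right one.
            findings["needs_stack_flag"].append(name)
    return findings


def report(findings):
    """Render the findings as one line per buildpack for an operator."""
    labels = {
        "missing_stack": "no stack record; add stack to manifest and update",
        "old_stack_only": "cflinuxfs2 only; repackage for cflinuxfs3",
        "needs_stack_flag": "multiple stacks; pass -s when managing it",
    }
    return ["%s: %s" % (name, labels[kind])
            for kind in labels for name in findings[kind]]


if __name__ == "__main__":
    for line in report(audit(parse_buildpacks(SAMPLE))):
        print(line)
```
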

Guidance for Tile Developers

See Tile Authors Must Manually Migrate Apps to cflinuxfs3.

BOSH Process Manager

Starting in v2.3, most PAS components use BOSH Process Manager (BPM).

BPM is a layer between BOSH and the jobs running on PAS component VMs. It improves the way processes run on VMs by isolating colocated jobs. With the exception of networking, BPM namespaces operating system resources so a job cannot view or interact with the processes of another job. This provides a security barrier such that if a job on a VM is compromised, the incident is limited to just that job rather than all jobs on the same machine.

BPM also includes resource limiting capability. This prevents any one job from using too many operating system resources and impacting colocated jobs.

For more information about BPM, see the bpm-release repository.

Service Instance Sharing

Developers can share instances of their services across spaces and orgs, enabling apps in different spaces to use the same service instance. Sharing service instances streamlines service provisioning and improves security and auditing.

Enabling Service Instance Sharing explains how operators enable service instance sharing, and Sharing Service Instances explains how developers use the feature.

App Service Discovery Updates

PAS v2.3 includes the following updates to app service discovery:

  • App service discovery is enabled by default and no longer configurable. The Enable app service discovery checkbox no longer appears in the Application Developer Controls pane.
  • You can now configure the internal domain used for service discovery using the Internal Domain field in the Application Developer Controls pane. This field defaults to apps.internal.

For more information, see Configure Application Developer Controls in Deploying PAS on GCP Using Terraform as an example.

HTTP Router Uses TLS By Default in New Deployments

In new installations of PAS v2.3, the HTTP router (Gorouter) uses TLS by default to communicate with application containers. This configuration improves resiliency and consistency for application routes. If you are upgrading to PAS v2.3, PAS retains its previous setting for HTTP communication to apps. TLS is now the default setting.

Configure this setting in the PAS tile > Application Containers pane.

For more information, see Increased Resiliency, Consistency, and Security for HTTP Routing in the PAS v2.1 release notes.

Remove Deprecated Garden Image Plugin Option

WARNING: If you do not have GrootFS enabled, you must enable it before upgrading to PAS v2.3. See How to Upgrade above.

Garden creates app containers in PAS and includes an image plugin that prepares the filesystem for the container. PCF v1.12 introduced GrootFS as the default image plugin to replace the previous built-in functionality, garden-shed, which used an obsolete layer filesystem (AUFS) that lacked support from the Linux Kernel community.

Though GrootFS is the default image plugin in v1.12 through v2.2, at one time PAS provided an option in the Application Containers pane for operators to disable GrootFS and use garden-shed. However, garden-shed is deprecated and PAS v2.3 removes the option to use it.

For more information about GrootFS in PCF, see the following topics:

Create Container-to-Container Networking Policies in Apps Manager

Operators and Developers can click Networking in Apps Manager to set container-to-container networking policies. To set container-to-container networking policies you must have the network.admin or network.write UAA scope.

For more information, see Create Container-to-Container Networking Policies.

Create Custom and Compare Rules for Autoscaling in Apps Manager

Apps Manager includes two new options when adding a scaling rule in the Manage Autoscaling pane:

  • Custom: Scale based on a custom metric.
  • Compare: Scale based on the result of dividing one custom metric by another.

For more information, see Scaling Rules in Scaling an Application Using App Autoscaler.

Gorouter to Cloud Controller Traffic is Encrypted

In PAS v2.3, traffic between the Gorouter and Cloud Controller is encrypted. To ensure there is no downtime while upgrading from v2.2 to v2.3, download the latest patch for v2.2. This patch contains the configuration router.backends.enable_tls: true in the Gorouter manifest.

Mutual TLS App Identity Verification

In the Application Containers pane of PAS v2.3, the new option Router and applications use mutual TLS to verify each other’s identity configures the Gorouter and app containers to verify each other’s identities through mutual TLS (mTLS).

With the Router uses TLS to verify application identity option, the Gorouter uses a one-way TLS handshake to verify the identity of the app container, but the app container does not verify the identity of the Gorouter. The new mTLS option increases security over one-way TLS by ensuring that the Gorouter is the only client that can communicate with app instances.

Breaking Change: Enabling mTLS creates certain limitations. For more information, see Limitations with Mutual TLS App Identity Verification in the Known Issues section.

Experimental NFS Volume Service Supports NFSv4

PAS includes nfs and nfs-experimental services for mounting apps to NFS volumes. nfs-experimental mounts use a different mounting strategy that increases performance with faster read/write speeds and asynchronous communication.

The nfs-experimental service now supports mounting apps to NFSv4 volumes. You can specify your desired NFS protocol using the version parameter when creating a service instance.

For instructions on using nfs-experimental, see NFS Volume Service.

NFS LDAP Configuration Updates

The LDAP configuration for NFS in the PAS Application Containers pane includes the following updates:

  • You can optionally enter an LDAP Server CA Cert if your LDAP server supports TLS and you want to enable secure connections from the NFS driver to your LDAP server.
  • The LDAP User Fully-Qualified Domain Name has been renamed to LDAP User Search Base for clarity and consistency with LDAP UAA configuration in the Authentication and Enterprise SSO pane.

See Enable Volume Services.

Create Private Domains in Apps Manager

Admins and Org Managers can click Add a Domain in Apps Manager to create a new private domain. For more information, see Domains.

Delete Route and App Simultaneously with Apps Manager

When you click Delete App in the View Settings tab of your app, you are now prompted with the option to delete the routes associated with your app.

For more information about locating Delete App in Apps Manager, see View Settings.

Name Service Bindings in Apps Manager

You can now give binding names to service bindings in Apps Manager.

For more information, see the Bind or Unbind a Service section of the Managing Apps and Services Using Apps Manager topic.

Remove Consul Agent

In PAS v2.3, PAS component VMs no longer include the consul_agent job. PAS component VMs can now only use BOSH DNS for service discovery.

However, the consul_server VM continues to exist in PAS deployments to support any service or partner tiles that still require communication with Consul.

BBR Improvements for External S3-Compatible Filestore

PAS v2.3 no longer backs up the resources bucket in external S3-compatible filestores. This improvement decreases the total size of your backup and the downtime of the Cloud Foundry API when you back up or restore your PAS deployment with BBR.

PAS v2.3 removes the following:

  • The resources_backup_bucket property from the tile configuration
  • The Backup Resources Bucket Name field in the External S3-Compatible Filestore section of the File Storage pane from the PAS UI

Enable Backup and Restore for External Azure Blobstores

PAS v2.3 introduces support for backing up and restoring external Azure blobstores. When you select the External Azure Storage option in the PAS tile, you can now enable backup and restore by selecting the Enable backup and restore checkbox. Before you can enable backup and restore for external Azure blobstores, you must enable Soft Delete.

For more information, see the External Azure Storage section of Deploying PAS on Azure.

Azure Blobstore Can Be Restored to a Separate Storage Account

You can now restore your Azure blobstore to containers in a different Azure storage account than the account where you take backups. For more information about configuring this feature in the Restore from Storage Account and Restore using Access Key fields of the PAS tile, see the External Azure Storage section of Deploying PAS on Azure.

Backup Prepare Node Renamed to Backup Restore Node

The backup-prepare instance group has been renamed to backup_restore. The Resource Config pane in the PAS tile now shows Backup Restore Node instead of Backup Prepare Node.

WARNING: The persistent disk attached to the existing Backup Prepare Node will not be migrated to the new Backup Restore Node. Any data that you have stored on the previous persistent disk may be lost after upgrade.

Bind all Apps in a Space to a Syslog Drain

The cf drain-space command, enabled by the CF Drain CLI Plugin, binds a syslog drain to all apps in a space. Previously, you could only run cf drain to bind each app to the drain individually.

This feature provides the following:

  • Backwards compatibility for all supported PAS tiles
  • App, space, and org names in the drain
  • Automatic binding of new apps pushed to the space
  • Support for logs and metrics from apps

See the cf-drain-cli repository for more information.

Apps Manager Polling Interval Configuration

In addition to the Apps Manager Polling Interval field introduced in a PAS v2.2 patch release, PAS v2.3 includes an App Details Polling Interval field. This field controls the rate at which Apps Manager polls for data when a user views the Overview page of an app.

PAS provides these fields as a way to temporarily reduce load on the Cloud Controller API. Pivotal recommends that you do not keep these fields modified as a long term fix because it can degrade Apps Manager performance.

For more information, see Apps Manager Config Page.

Known Issues

CredHub Database Cannot be External on GCP

If your PAS deployment is on GCP and you want to use Runtime CredHub, you must select Internal for both your system databases and CredHub database. If you are using external system databases, you cannot use CredHub.

CredHub is not compatible with the external database option on GCP. GCP Cloud SQL presents its certificate in a way that causes CredHub to refuse the connection.

Limitations with Mutual TLS App Identity Verification

With mutual TLS app identity verification enabled, app containers accept incoming communication only from the Gorouter, which disables TCP routing and cf ssh to app containers.

To support mutual TLS app identity verification, you need v2.3 or later of both PAS and PCF Isolation Segment (IST). The Gorouter and cell components in PCF v2.2 and earlier do not support mTLS handshakes.

Neither TLS nor mTLS app identity verification is available for Windows cells at this time.

Buildpacks Missing or Not Installed

On fresh installs of PAS v2.3, some buildpacks may be missing. For upgrades to PAS v2.3, some buildpacks may not have been upgraded. For more information about the symptoms, cause, and resolution to this issue, see Buildpacks are missing or not installed in PAS 2.3 in the Pivotal Knowledge Base.

Configuring a List of TCP Routing Ports

This section describes an issue and workaround related to configuring a list of TCP Routing Ports in the PAS tile UI.

Issue

You cannot enter a comma-separated list of ports in the TCP Routing Ports field of the PAS tile. If you enter a comma-separated list, the Routing API does not start. The TCP Routing Ports field allows entries in the following formats:

  • A single value, such as 1234
  • A range of values, such as 1234-5678

Workaround

If you want to configure a list of ports, do the following:

Note: This procedure causes brief downtime for TCP apps listening on ports that you open after deploying PAS.

  1. Configure PAS with Enable TCP Routing selected.

  2. Enter one port you want to use in the TCP Routing Ports field.

  3. Deploy PAS.

  4. Use the Routing API to add all desired TCP ports by following the instructions in the Modify your TCP ports section of the Enabling TCP Routing topic. When using the Routing API, you can include a comma-separated list of ports.

Containers Live Briefly after Apps are Deleted or Downsized

When you delete or scale down an app, the container instance may continue running for a couple of minutes after cf apps and other CLI commands indicate that the instance no longer exists.

This may cause the following:

  • After deletion, the container may briefly continue to appear in the IaaS dashboard.
  • Resource usage may go down to reflect container deletion only after a brief delay.
  • Acceptance tests that check for immediate container deletion may fail.

Loggregator Component Horizontal Scaling Thresholds

Above approximately 40 Doppler instances and 20 Traffic Controller instances, horizontal scaling is no longer useful for improving Loggregator Firehose performance. To improve performance, increase CPU resources for the existing Doppler and Traffic Controller instances to add vertical scale.
